SMP 3 – Configuring Strong Encryption for JVM Security

Published by Tobias Hofmann on


SMP 3 is a Java application running inside Virgo. So that you do not have to worry about Java versions and installation, the installer also installs SAP JVM together with the server, which leaves you with both an SMP 3 installation and a Java installation. This means you automatically get Java's security features … and some legacy problems from the dark ages of the Internet. One of them is that you have to enable strong encryption for SMP 3's Java.

This is needed at least when you use SAML 2 with ADFS as the authentication provider. SAML 2 allows the IdP to encrypt the SAML response so that only the SP can decrypt it. The encryption algorithm used there relies on strong encryption methods, which are not available to Java by default and must be activated manually.

Procedure

The procedure for how to do this can be found at SAP Help. To enable Strong encryption, a policy file must be downloaded from Oracle and placed into a Java folder.

  1. Download policy file.

    URL: http://help.sap.com/disclaimer?site=http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

  2. Click on accept to enable the download link.

  3. Click on the link: UnlimitedJCEPolicyJDK7.zip. This downloads a ZIP file that contains 2 JAR files. These 2 files must be copied to the SMP 3 JVM.

  4. Stop SMP 3 server.
  5. Copy the 2 JAR files to:

    Folder: <SMP3 installation dir>/sapjvm_7/jre/lib/security

  6. The installation path is outlined in the Readme that is part of the downloaded policy file:

    3) Install the unlimited strength policy JAR files.

    In case you later decide to revert to the original “strong” but
    limited policy versions, first make a copy of the original JCE
    policy files (US_export_policy.jar and local_policy.jar). Then
    replace the strong policy files with the unlimited strength
    versions extracted in the previous step.

    The standard place for JCE jurisdiction policy JAR files is:

    <java-home>/lib/security [Unix]
    <java-home>\lib\security [Windows]

  7. Restart SMP 3

    Command: go.bat

     

Result

After installing the policy files, the SMP 3 JVM has strong encryption enabled.

Test

To test whether it worked, there is a code snippet available on Stack Overflow. Just run it as a Java program.

  • Compile: /sap/MobilePlatform3/sapjvm_7/bin/javac TestUCE.java
  • Run: /sap/MobilePlatform3/sapjvm_7/bin/java TestUCE
  • Result:
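A self-contained check of the installed policy, added here as an example (it is not the Stack Overflow snippet referenced above and not the author's code; the class name CheckJcePolicy is hypothetical). It reports the maximum AES key length the JVM allows and then initialises a cipher with a 256-bit key, which the limited policy rejects. Compile and run it with the javac and java binaries under sapjvm_7/bin, because the policy files only affect the JRE they were copied into.

```java
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example; CheckJcePolicy is a hypothetical name, not the TestUCE snippet.
public class CheckJcePolicy {

    // The limited policy caps AES at 128 bits; the unlimited policy
    // reports Integer.MAX_VALUE.
    static boolean policyIsUnlimited() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    // End-to-end proof: initialise AES with a 256-bit key. Under the limited
    // policy Cipher.init throws InvalidKeyException ("Illegal key size").
    static boolean canUseAes256() throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] key = new byte[32]; // 256-bit throwaway key, constructed for this test
        byte[] iv = new byte[16];
        rnd.nextBytes(key);
        rnd.nextBytes(iv);
        try {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"),
                   new IvParameterSpec(iv));
            c.doFinal("policy check".getBytes("UTF-8"));
            return true;
        } catch (InvalidKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // java.home shows which JRE was actually tested.
        System.out.println("java.home              : " + System.getProperty("java.home"));
        System.out.println("Max AES key length     : " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("Unlimited policy active: " + policyIsUnlimited());
        System.out.println("AES-256 init succeeded : " + canUseAes256());
        // A non-zero exit code lets a deployment script detect a missing policy file.
        System.exit(policyIsUnlimited() && canUseAes256() ? 0 : 1);
    }
}
```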

     
