Get an A rating from SSL labs

You should secure your web site using TLS. No, that's not a typo, it's TLS and not SSL. SSL is dead and should not be used anymore. Praise TLS. This may sound complicated at first, but it's not. The first step is to deactivate HTTP and activate HTTPS. How to do this depends on your web server. Luckily, there is a lot of good documentation available for this. For free. Thanks Internet. To help you evaluate your setup, there is an online service that tests your HTTPS setup: ssllabs.com. Just enter your server name and you get a result: A to F. You have a secure site when you get an A. The problem with this documentation is that it shows you how to activate TLS, but not how to get to a setup secure enough to earn you an A rating from SSL Labs. Now, what is a secure setup for TLS? You can argue about this for eternity. There are so (too?) many parameters available. Let me try to show you what I did to get an A rating.

First, let's take a look at the SSL Labs service and check some sites to get an understanding of how the service works. SAP's site (sap.com) gets an A rating:

If something is wrong, the rating is downgraded and a justification of the rating is given. For instance, if you run a check against service.sap.com (155.56.89.225), you get a C rating.

The problems that caused the C rating are all related to protocol support. Don't worry, service.sap.com is the old support site; support.sap.com gets an A rating. I am only showing this here to demonstrate the impact the supported protocols have on the rating. The other three criteria were rated equally. Some sites get an even worse result (that site is not related to SAP).

While it is nice to know that an A rating is possible, how to get one for your own server? Let me show this using my very own web server as an example: https://www.itsfullofstars.de:8081

Request certificate

The first step is to get a valid certificate. This is done by creating a CSR and sending it to a CA. To create the CSR, you can use openssl.

openssl req -new -newkey rsa:4096 -nodes -keyout itsfullofstars.de.key -out itsfullofstars.de.csr -sha256

The output is a key file and a CSR file. The key is 4096 bit RSA and the request is signed with SHA-256. Send the CSR to your CA (I use StartSSL) and you get back the certificate (CRT), and normally also the intermediate certificate.

The server certificate is the CRT file. It is already in PEM format. To make this clear, I renamed it to .pem. Upload the certificate to the web server and activate it in the Apache configuration for HTTPS.

Base Apache configuration

SSLEngine on
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLCipherSuite HIGH:MEDIUM:-RC4:-EXP:!kEDH:!aNULL
SSLCertificateFile /etc/ssl/certs/www.itsfullofstars.de.2016.pem
SSLCertificateKeyFile /etc/ssl/private/itsfullofstars.de.2016.key

Running the SSL Labs test now gives a B rating.

Certificate chain

The rating is capped to B because of an incomplete certificate chain. Remember the 1_root_bundle.crt file delivered by the CA? That's the intermediate CA certificate. That's the certificate the web server is not providing, but should. Add the parameter SSLCertificateChainFile to Apache's conf file.

SSLCertificateChainFile /etc/ssl/1_root_bundle.crt

Running the SSL Labs test now gives an A- rating.

Already A- for just fixing the certificate chain problem. The report shows that I get an A- and not better because the web server does not support forward secrecy (PFS). It's not like I'll need to have forward secrecy. I do not run an e-commerce site or let people log on.

What is PFS? It protects your users as it makes it really hard to decrypt the traffic. To decrypt a session, the session key must be known. If the session key was exchanged with a non-ephemeral method (e.g. the RC4 or plain RSA cipher suites), all it takes is the server's private key. If someone gets access to my server's private key, that attacker can decrypt all traffic, including recorded traffic. Changing the key exchange to ephemeral Diffie-Hellman makes this more secure, as the attacker then needs to crack the session key itself. In my case the handshake is authenticated with a 4096 bit certificate, which should take them some time. As the session key is unique per session, the attacker would have to recover the key for each session separately. Just having the server's private key is not enough.

Forward secrecy

While forward secrecy is a little bit of an overkill for my site, it's possible to do and "it's too much" does not count in regards to security. Therefore, I will activate forward secrecy on my server. Basically, PFS is enabled by activating the correct cipher suites and instructing the web server to ignore the browser's cipher preference. This forces the browser to use the ephemeral DH ciphers sent by the server, and those allow PFS.

SSLEngine on
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS"
SSLCertificateFile /etc/ssl/certs/www.itsfullofstars.de.2016.pem
SSLCertificateKeyFile /etc/ssl/private/itsfullofstars.de.2016.key
SSLCertificateChainFile /etc/ssl/1_root_bundle.crt

Running the SSL Labs test now gives an A rating.

Mission accomplished, my web site is now rated A by SSL labs.


Some resources

https://support.microsoft.com/en-us/kb/257591

https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrecy.htm

https://blog.qualys.com/ssllabs/2013/06/25/ssl-labs-deploying-forward-secrecy

http://www.heise.de/security/artikel/Forward-Secrecy-testen-und-einrichten-1932806.html

https://blog.qualys.com/ssllabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

https://scotthelme.co.uk/perfect-forward-secrecy/


Install a server certificate in SAP NetWeaver ABAP – 3.6 Import CA certificate into SAP NetWeaver ABAP PSE

In case your ICF will serve only as an HTTPS server, you do not need to do this. In case you want your ABAP server to connect to another web server, this may be of interest. In that case, your ABAP server acts as a client and will receive a server certificate, just like your browser does. While a browser comes with a pre-installed list of CAs, the PSE does not. Therefore, ABAP will reject the server certificate received when opening a TLS connection. To make ABAP accept the certificate, either the server certificate or the CA certificate must be imported. Importing each server certificate is not the best approach (number of servers, lifetime, management); importing the CA certificate will make ABAP accept the connections too, as long as the received server certificate was issued by this CA.

Transaction: STRUST

Open the SSL server standard PSE and switch to edit mode. Click on import certificate.

Select the tab File and give the path to the CA certificate.

Check the information of the certificate.

If everything is OK, add the certificate to the certificate list.

Click save.

Result

The CA certificate is imported into the PSE. With this, the PSE can successfully validate each received certificate that is signed by the CA.


Install a server certificate in SAP NetWeaver ABAP – 3.5 Test the new server certificate

After the server certificate is installed, ICM should automatically make use of it. To see if SSL/TLS connections now work, two tests should be executed:

  1. Check SSL port setup
  2. Access service using TLS

1. Making Sure the SSL Port is set up correctly

This step checks that ICM is configured to accept TLS connections. SAP Help

Transaction: SMICM

Select: Goto from the menu and then Services.

Check that HTTPS is listed and note the port number. Here: 8100.

2. Testing the Connection for SSL Server Authentication

With ICM configured to accept TLS connections on port 8100, the last test is to check if it works with a browser. SAP Help. Open a service in your web browser. To check that the service works, open it first over plain HTTP.

Example: http://nwgw74.tobias.de:8000/sap/opu/odata/iwfnd/rmtsampleflight/

If that worked, open the URL as HTTPS.

Example: https://nwgw74.tobias.de:8100/sap/opu/odata/iwfnd/rmtsampleflight/

Check the certificate used by ICM.

Result

The server certificate is issued by ca.tobias.de to nwgw74.tobias.de. This shows that the SSL certificate of the right PSE is being used by ICM.


Install a server certificate in SAP NetWeaver ABAP – 3.4 Import the certificate response from CA

After the CA has issued the certificate, it must be imported into the PSE that issued the CSR. During the import step a verification of the private/public key pair will happen. This ensures that you import the right public key into the PSE. This also means that you cannot use another PSE for the CSR, as the private key would be different. SAP Help

Transaction: STRUST

Switch on edit mode and select import certificate.

Enter the path to the CRT.

Select load as local file. If the CA exported the certificate as P7B, the content is in Base64 format. If the CA gave you another format, you'll have to convert the certificate to Base64 first. It would be nice if the import wizard of STRUST did all that work for you, but somehow Basis guys must also defend their working time …

Confirm the import. To see if the certificate was imported, double click on Subject.

This shows the certificate information in the certificate section.

Save.

Result

The PSE now contains a private key and a valid public key certificate, signed by a CA. Now ICF can use this certificate without browsers complaining about it.


Install a server certificate in SAP NetWeaver ABAP – 3.3 Submitting the certificate request to a CA

The certificate request created in the previous step must be sent to a CA. The CA is responsible for creating a valid server certificate based on the information provided in the CSR.

Important: the certificate issued by the CA must follow the PKCS#7 certificate chain format. The response file must contain the public key certificate of the ABAP server as well as the CA's root certificate. SAP Help

The following screenshots are taken from my own CA.
Add an end entity for the server.
Submit CSR
Download certificate
Save as p12 (PKCS#7)

Result

You now have a P7B file that contains the signed certificate for the server in Base64 format.


Install a server certificate in SAP NetWeaver ABAP – 3.2 Generate a certificate request for each SSL server PSE

In the previous step a new PSE for the SSL server was created, but the server certificate it contains is self-signed. This means that no sane web browser will accept your certificate without showing a warning message to the user. To have a valid server certificate, it must be signed by a CA. To do so, a certificate request must be created. SAP Help

Transaction: STRUST

Open the SSL Server Standard node and select the server.

Create a certificate request.

Copy content to a file (via clipboard) and send it to your CA.

Result

You now have the CSR file for the server PSE that can be submitted to a CA.


Install a server certificate in SAP NetWeaver ABAP – 3.1 Create a SSL/TLS Server PSE

SAP stores certificates in PSE files (for the Java guys: JKS). By default, there are several PSEs available, one for each use case (system, SSL, web service, etc.). A PSE has a subject which stands for the name of the server. Chances are good that the subject value created by SAP does not match your reality. The following steps show how to create a PSE for your SSL server. SAP Help

Transaction: STRUST

Change into edit mode:

Select the SSL Server PSE:

Right click to open the context menu and select Replace.

Give information about the new PSE. This creates a private and public key pair for the server CN entered for this PSE. The certificate will automatically be self-signed, but as the PSE contains the private key, it is no problem to create a certificate request and get the certificate signed by a CA.

The data entered here MUST match the data of the HTTPS server. The name field is the CN of the certificate; therefore this field MUST be the same as the FQDN of the server. That is, when the server is accessed by browsers as https://nwgw74.tobias.de, the field MUST be nwgw74.tobias.de.

Click OK.

Confirm the information. Make sure the CN name is correct. This changes the PSE for SSL Server.

You now have a PSE with a private and public key for the CN nwgw74.tobias.de. This certificate is self-signed. While you can now access ICF via HTTPS, each and every browser will give you a warning message that the certificate used is not trustworthy. To change that, a CSR must be created and signed by a CA.

Result

You now have a PSE for the server nwgw74.tobias.de with a private key and a self-signed certificate.


Install a server certificate in SAP NetWeaver ABAP – 2 Set profile parameters

For ICM to work with SSL, some parameters must be set in the profile. These parameters define which PSE and algorithms to use. Normally these parameters are already set to default values. To see if these are acceptable to you and match the location of your CommonCryptoLib 8 installation, you can use transaction RZ11. SAP Help, central note for CommonCryptoLib.

Transaction RZ11

Here you can enter the name of a parameter and see the currently configured value of it.

List of parameters and their values
Parameter: ssl/ssl_lib
Parameter: sec/libsapsecu
Parameter: ssf/ssfapi_lib
Parameter: ssf/name
Parameter: ssl/ciphersuites

Enable TLS in SMP3

SSL is out, TLS is the new kid in town (although already pretty old), and to keep security high on your SMP3 server, a question remains: how do you enable TLS on SMP3? Easy: it is already configured!

By default, SMP3 comes with TLS enabled. The trick is to configure it the way you want it. For one, there are the ciphers (not part of this blog) and the protocol. The protocol defines whether a browser can use TLS v1, v1.1 or v1.2. The configuration is done on the server side, in the default-server.xml file located at:

/<SMP3 installation directory>/Server/config_master/org.eclipse.gemini.web.tomcat/default-server.xml

As SMP3 uses Tomcat as its web server, the usual Tomcat configuration parameters apply. To have an HTTPS connection on port 8081, the XML looks like this:

<Connector SSLEnabled="true" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA" clientAuth="false" keyAlias="smp3" maxThreads="200" port="8081" protocol="com.sap.mobile.platform.coyote.http11.SapHttp11Protocol" scheme="https" secure="true" smpConnectorName="oneWaySSL" sslEnabledProtocols="TLSv1" sslProtocol="TLS"/>

Parameters

  • Port: defines the port Tomcat will listen on. Here it is 8081
  • sslEnabledProtocols: “The comma separated list of SSL protocols to support for HTTPS connections. If specified, only the protocols that are listed and supported by the SSL implementation will be enabled.” [1]
  • sslProtocol: “The SSL protocol(s) to use (a single value may enable multiple protocols – see the JVM documentation for details). If not specified, the default is TLS” [1]

Connecting to the port results in a TLSv1 connection:

The parameters that define which protocol can be used are sslEnabledProtocols and sslProtocol. Now, which one does what? I found [2] and [3] explaining this:

  1. setProtocol="TLS" will enable SSLv3 and TLSv1
  2. setProtocol="TLSv1.2" will enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2
  3. setProtocol="TLSv1.1" will enable SSLv3, TLSv1, and TLSv1.1
  4. setProtocol="TLSv1" will enable SSLv3 and TLSv1

In the above example, sslProtocol = TLS, therefore TLSv1 and SSLv3 are available. To limit the connection to TLSv1, sslEnabledProtocols must be set to TLSv1. To have a connection that allows TLSv1, TLSv1.1 and TLSv1.2 (and let the browser decide which one to use), set sslEnabledProtocols to TLSv1,TLSv1.1,TLSv1.2.

Example

<Connector SSLEnabled="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" clientAuth="false" keyAlias="tobias" maxThreads="200" port="8081" protocol="com.sap.mobile.platform.coyote.http11.SapHttp11Protocol" scheme="https" secure="true" smpConnectorName="oneWaySSL" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>

If I now connect on port 8081, my browser should use the highest protocol available.
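As an added example (not from the original post and not SAP code), here is a small Python audit of a Tomcat Connector like the SMP3 one above: it lists the enabled protocols, flags the cipher suites that lack forward secrecy (the TLS_RSA_* ones in the example list) and any weak suites. It also accepts OpenSSL-style names, so the expanded list behind the Apache SSLCipherSuite string from the SSL Labs post (as printed by `openssl ciphers -v`) can be checked the same way; the Connector XML embedded below is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample input (not a real server): a Connector in the shape of the
# SMP3 default-server.xml one, with one non-PFS suite mixed into the list.
SAMPLE_CONNECTOR = (
    '<Connector SSLEnabled="true" '
    'ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA" '
    'clientAuth="false" keyAlias="smp3" port="8081" scheme="https" secure="true" '
    'sslEnabledProtocols="TLSv1" sslProtocol="TLS"/>'
)

# Substrings that make a suite weak regardless of its key exchange.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP", "DES", "PSK", "SRP", "ANON")

def normalize(suite):
    """Bring IANA (TLS_ECDHE_RSA_WITH_...) and OpenSSL (ECDHE-RSA-...) names to one form."""
    s = suite.strip().upper().replace("_", "-")
    return s[4:] if s.startswith("TLS-") else s

def has_forward_secrecy(suite):
    """Ephemeral (EC)DH suites give PFS; TLS 1.3 suites (AES-/CHACHA20- once the
    TLS_ prefix is stripped) always use an ephemeral exchange. Plain RSA key
    transport (TLS_RSA_WITH_..., OpenSSL AES128-SHA) does not."""
    return normalize(suite).startswith(("ECDHE-", "DHE-", "EDH-", "AES-", "CHACHA20-"))

def is_weak(suite):
    s = normalize(suite)
    return any(m in s for m in WEAK_MARKERS)

def audit_connector(xml_text):
    """Audit one Tomcat <Connector>: protocols, PFS coverage and weak suites."""
    conn = ET.fromstring(xml_text)
    split = lambda v: [x.strip() for x in v.split(",") if x.strip()]
    ciphers = split(conn.get("ciphers", ""))
    protocols = split(conn.get("sslEnabledProtocols", ""))
    findings = []
    if not protocols:
        findings.append("sslEnabledProtocols unset: the JVM default for sslProtocol=%s applies"
                        % conn.get("sslProtocol", "TLS"))
    for p in protocols:
        if p.upper().startswith("SSL"):
            findings.append("%s enabled: SSL is obsolete, remove it" % p)
        elif p in ("TLSv1", "TLSv1.1"):
            findings.append("%s enabled: legacy TLS version, prefer TLSv1.2 or later" % p)
    if not ciphers:
        findings.append("ciphers unset: the JVM default suite list applies")
    return {
        "protocols": protocols,
        "ciphers": ciphers,
        "no_pfs": [c for c in ciphers if not has_forward_secrecy(c)],
        "weak": [c for c in ciphers if is_weak(c)],
        "findings": findings,
    }

if __name__ == "__main__":
    for key, value in audit_connector(SAMPLE_CONNECTOR).items():
        print("%-10s %s" % (key, value))
```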

[1] https://tomcat.apache.org/tomcat-7.0-doc/config/http.html

[2] http://mail-archives.apache.org/mod_mbox/tomcat-users/201303.mbox/%3C13A085B2E018374C813676301AED0EE412D87457C3@BLR0EXC00.us.sonicwall.com%3E

[3] http://wiki.apache.org/tomcat/Security/POODLE


SAP Web Dispatcher as reverse proxy for SMP3

As of SMP3 SP07 you can use SAP Web Dispatcher as a reverse proxy for SMP3. Depending on your landscape, this simplifies your architecture a lot. And you can reuse your WD knowledge and get support from SAP. Installing the WD is done as usual, with one caveat: you have to tell the CommonCryptoLib which TLS cipher suites to use:

ssl/ciphersuites = 896:HIGH

ssl/client_ciphersuites =896:HIGH

With this, WD can connect to SMP3 using TLS. While this may look strange, it is actually necessary as SMP3 uses a high TLS security setting.

To better understand what these two parameters do, take a look at the CommonCryptoLib + WD SAP Note 510007.


A complete sample profile from a WD running on Windows:

SAPSYSTEMNAME = WDP
SAPSYSTEM = 00
DIR_INSTANCE = C:\<dir>\SAPWDSMP3
DIR_EXECUTABLE = $(DIR_INSTANCE)
DIR_PROFILE = $(DIR_INSTANCE)
DIR_HOME = $(DIR_INSTANCE)
Autostart = 1
Restart_Program_00 = local $(DIR_EXECUTABLE)/sapwebdisp$(FT_EXE) pf=$(DIR_PROFILE)/sapwebdisp.pfl
wdisp/ssl_auth=0
wdisp/system_0 = SID=SMP, SSL_ENCRYPT=0, EXTSRV=http://smp3.tobias.de:8080, SRCSRV=*:9080, SRCURL=/, STICKY=true
wdisp/system_1 = SID=SEC, SSL_ENCRYPT=1, EXTSRV=https://smp3.tobias.de:8081, SRCSRV=*:9081, SRCURL=/, STICKY=true
# every back-end route needs its own wdisp/system_<n> index
wdisp/system_2 = SID=SEC, SSL_ENCRYPT=1, EXTSRV=http://smp3.tobias.de:8082, SRCSRV=*:9082, SRCURL=/, STICKY=true
icm/server_port_0 = PROT=HTTP,PORT=9080
icm/server_port_1 = PROT=HTTPS,PORT=9081
icm/server_port_2 = PROT=HTTPS,PORT=9082,VCLIENT=2
ssl/ciphersuites = 896:HIGH
ssl/client_ciphersuites =896:HIGH
icm/max_conn = 2000
icm/max_sockets = ($(icm/max_conn) * 2)
icm/req_queue_len = 6000
icm/min_threads = 10
icm/max_threads = 500
mpi/total_size_MB = (min(0.06 * $(icm/max_conn) + 50, 2000))
mpi/max_pipes = ($(icm/max_conn))
wdisp/HTTP/max_pooled_con = ($(icm/max_conn))
wdisp/HTTPS/max_pooled_con = ($(icm/max_conn))
icm/server_port_3 = PROT=HTTPS,PORT=4300
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,PORT=4300,DOCROOT=./admin,AUTHFILE=icmauth.txt
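An added example, not part of the original post: a Python linter for a Web Dispatcher profile in the shape of the one above. It reports parameters defined more than once, wdisp/system_N routes whose SSL_ENCRYPT flag disagrees with the scheme of EXTSRV (assumed here: SSL_ENCRYPT=1 means WD opens TLS to the back end, so EXTSRV must be https), plain HTTP listeners, and a missing ssl/ciphersuites or ssl/client_ciphersuites. The profile embedded below is a constructed sample.

```python
import re
from collections import Counter

# Constructed sample (not a real landscape): a cut-down profile in the shape
# of a WD profile, with the second back-end route reusing index 1.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = WDP
wdisp/ssl_auth=0
wdisp/system_0 = SID=SMP, SSL_ENCRYPT=0, EXTSRV=http://smp3.example.test:8080, SRCSRV=*:9080, SRCURL=/
wdisp/system_1 = SID=SEC, SSL_ENCRYPT=1, EXTSRV=https://smp3.example.test:8081, SRCSRV=*:9081, SRCURL=/
wdisp/system_1 = SID=SEC, SSL_ENCRYPT=1, EXTSRV=http://smp3.example.test:8082, SRCSRV=*:9082, SRCURL=/
icm/server_port_0 = PROT=HTTP,PORT=9080
icm/server_port_1 = PROT=HTTPS,PORT=9081
ssl/ciphersuites = 896:HIGH
"""

def parse_profile(text):
    """(key, value) pairs in file order; duplicates are kept so they can be reported."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs

def parse_route(value):
    """'SID=SEC, SSL_ENCRYPT=1, EXTSRV=https://h:8081, ...' -> dict of its fields."""
    return dict(kv.strip().split("=", 1) for kv in value.split(",") if "=" in kv)

def lint_profile(text):
    pairs = parse_profile(text)
    present = {k for k, _ in pairs}
    findings = []
    for key, n in Counter(k for k, _ in pairs).items():
        if n > 1:
            findings.append("%s defined %d times: the profile loader keeps only one value" % (key, n))
    for key, value in pairs:
        if key.startswith("wdisp/system_"):
            route = parse_route(value)
            m = re.match(r"(\w+)://", route.get("EXTSRV", ""))
            scheme = m.group(1).lower() if m else ""
            encrypt = route.get("SSL_ENCRYPT", "0")
            # Assumption: SSL_ENCRYPT=1 means WD opens TLS to EXTSRV, so the URL must be https.
            if encrypt == "1" and scheme != "https":
                findings.append("%s: SSL_ENCRYPT=1 but EXTSRV scheme is %s" % (key, scheme or "unset"))
            elif encrypt == "0" and scheme == "https":
                findings.append("%s: EXTSRV is https but SSL_ENCRYPT=0" % key)
        elif key.startswith("icm/server_port_") and re.search(r"PROT=HTTP(,|$)", value.replace(" ", "")):
            findings.append("%s: plain HTTP listener (%s)" % (key, value))
    for param in ("ssl/ciphersuites", "ssl/client_ciphersuites"):
        if param not in present:
            findings.append("%s not set: the CommonCryptoLib default cipher policy applies" % param)
    return findings

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE):
        print(finding)
```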
