Preparing Customer Networks for Certificate-Based Authentication

Since SAP Focused Run 3.0 FP 02, you can set up certificate-based communication for your customer networks.

Please note: If you operate an older SAP Focused Run system (Release 3.0 FP 02 and lower), follow the instructions in SAP Note 3138250 and cross-check that all Simple Diagnostics Agents have at least SP 58.

In Global Settings & Network Configuration, you can now set up “HTTPS / Certificate-based Authentication”. You can either select this setting globally on the "Global Settings" page or you can change the setting for single networks.
 
If you want to change the settings for a single network:
  1. Navigate to the network you want to change
  2. Navigate to 'Agent Settings'
  3. Select 'Override Global TLS/SSL Settings'
  4. Select 'SAP Host Agent Communication via TLS/SSL'


Preliminary Information

The prerequisite for this is an infrastructure that has been prepared for secure communication. This is a customer responsibility: SAP Focused Run does not offer mechanisms to manage or distribute certificates.

Fundamentally, this setup requires sound knowledge of certificate handling and SSL encryption on the customer side.

This documentation introduces the topic based on SAP products, e.g., SAP Web Dispatcher. Other tools can be used; the parameterization will differ slightly, but the overall concept stays valid.

Fundamentals

To realize a certificate-based communication, the SAP NetWeaver ABAP functionality certrule is used. Links to the documentation can be found in the last section “Links and Help”.

There are three areas that can be considered for certificate-based communication. It is possible to use certificate-based communication for only some of them.

  1. Simple Diagnostics Agent as central data provider for all SAP Focused Run applications.
  2. Landscape discovery for modelling technical systems in the LMDB of SAP Focused Run.
  3. EarlyWatch Alert data transfer from connected ABAP systems to SAP Focused Run.

Technical Overview

For a general understanding it may be helpful to roughly outline the communication flow:

  1. The Simple Diagnostics Agent (here the client) connects to the Reverse Proxy (here the server) using the SAPSSLC.PSE of the SAP Host Agent.
  2. The Reverse Proxy accepts the client certificate from the SAPSSLC.PSE and, as instructed by the parameter "icm/HTTPS/forward_ccert_as_header", includes this client certificate in a header of the HTTP request.
  3. The Reverse Proxy sends the request to the configured SAP Focused Run system.
  4. The ICM of the SAP Focused Run system receives the HTTP request of the Reverse Proxy with the client certificate information from (1.) in the header. The request is accepted because of the parameter “icm/trusted_reverse_proxy_0”.
  5. In the SAP Focused Run system, the certrule mapping is active because of the parameter “login/certificate_mapping_rulebased”. The forwarded client certificate from the request header is used for the certrule mapping.
  6. The central user in the SAP Focused Run system has the necessary permissions to perform the respective actions.

CERTRULE Mapping

Detailed documentation for certrule is provided in the last chapter “Links and Help”.

The certrule application is started with transaction certrule.

The various applications in SAP Focused Run use their own technical users, which are created automatically during the initial setup of a customer network.

During Simple System Integration of a technical system, these user credentials are transferred to the Simple Diagnostics Agent and are used for the data transfer to the SAP Focused Run system.

The certrule application offers the option to map a certificate to one specific user in the ABAP system. Therefore, a central technical user must be set up, which combines all the necessary roles of the SAP Focused Run applications.

This is done as part of the customer network creation if the option “HTTPS / Certificate-based Authentication” is selected. Per default a technical user FRN_CRT_<CID> will be created. This user can be used directly for certrule mapping, or as a template for a copy.

The certrule mapping is carried out on the incoming client certificate that the Reverse Proxy forwards. There are two possibilities for the setup: rule-based or explicit.

With explicit mapping a 1-to-1 relationship is established between the certificate and a user. A separate mapping must be set up for different certificates.

With rule-based mapping a certificate attribute is interpreted as an existing username in the SAP Focused Run system. It is possible to use a pattern from Subject or Subject Alternative Name. This means, depending on the pattern selected, a user with the same name must exist in the SAP Focused Run system. This user needs all necessary roles assigned.

The password of this user can be deactivated to make it impossible to log in without a certificate.

In the example below, the certificate attribute “OU=VALFRUN” in the Subject line is used for a rule. A user VALFRUN is present in SAP Focused Run system, therefore the rule matches:

Parameterization

To use certificate-based communication including the mapping via certrule, the parameters listed below must be maintained. A SAP Focused Run system that is already prepared to handle HTTPS and SSL is assumed to be parameterized for that.

More details are provided in the Web Dispatcher documentation (last section “Links and Help”).

In SAP Focused Run system – DEFAULT profile:

  • login/certificate_mapping_rulebased = 1
    (activates the usage of application certrule)
  • icm/trusted_reverse_proxy_0 = SUBJECT="<value>", ISSUER="<value>"
    (Establishes the trusted relationship to a Reverse Proxy, based on client certificate information)
  • icm/HTTPS/verify_client = <value>
    (specifies, if a client must provide a certificate, 0=off, 1=optional, 2=mandatory)

On Webdispatcher (Reverse Proxy) – Instance profile:

  • wdisp/system_conflict_resolution = 1
    (to avoid URL resolution conflicts by avoiding first match semantics)
  • icm/HTTPS/forward_ccert_as_header = true
    (incoming client certificate forwarding in header)
  • ReverseProxy port and forwarding settings including certificate handling:
    • icm/server_port_# = PROT=HTTPS,PORT=<reverse_proxy_port>,VCLIENT=2
      (similar to icm/HTTPS/verify_client on ABAP level to control the certificate handling)
    • wdisp/system_# = SID=<FRUN>, EXTSRV=https://<frun_host>:<frun_port>, SSL_ENCRYPT=1, SRCURL=/, CLIENT=<frun_client>, SRCSRV=*:<reverse_proxy_port>
  • Optional for troubleshooting:
    • rdisp/TRACE=2 (ICM and http trace active)
    • icm/HTTP/trace_info=TRUE


Usecase - Simple Diagnostics Agent

The Simple Diagnostics Agent uses the SAP Host Agent PSE files in /usr/sap/hostctrl/exe/sec. The SAP Host Agent must be prepared with a valid SAPSSLC.PSE that is accepted by the Reverse Proxy and matches the certrule mapping in the SAP Focused Run system.

Details on the SSL preparation of the SAP Host Agent can be found in the last chapter "Links and Help".


Usecase - SAP EarlyWatch Alert

The SAP EarlyWatch Alert has an independent data transfer from SAP NetWeaver ABAP systems to SAP Focused Run. For this purpose, an RFC destination is set up in the connected ABAP system pointing back to SAP Focused Run to send the collected data. This RFC destination can be changed to certificate-based communication and assigned to a separate user or to the central user via the certrule mapping mechanism described in chapter “CERTRULE Mapping”. The existing role with the SAP EarlyWatch Alert relevant permissions must be assigned to that user; the centrally created user already has it.

The client certificate used in the managed SAP NetWeaver ABAP system must be accepted by the Reverse Proxy and match the certrule mapping.
 

Usecase Landscape Discovery – SLD Datasupplier – LMDB

The various SLD data suppliers can be switched to certificate-based communication. Here, too, a client certificate is required that is accepted by the Reverse Proxy and matches the certrule settings (see chapter “CERTRULE Mapping”).

  • Outside Discovery - uses the SAPSSLC.PSE of the SAP Host Agent under /usr/sap/hostctrl/exe/sec

-> Activation via the parameters -sldusessl -sldusecertauth

(e.g., saphostctrl -function ConfigureOutsideDiscovery -enable -sldhost <ReverseProxyHost> -sldport <ReverseProxyPort> -sldusessl -sldusecertauth)

  • RZ70 - uses the SAPSSLC.PSE of the SAP NetWeaver ABAP system

-> The RFC destination SLD_DS_<custom_description> has to be adapted for certificate-based authentication

  • SLDREG - uses the SAPSSLC.PSE of the Technical System

-> Activation via the parameters -sldusessl -sslcertauth

(e.g.: sldreg -configure /usr/sap/<SID>/SYS/global/slddest.cfg -usekeyfile -host <Reverse_Proxy_Host> -port <Reverse_Proxy_Port> -sldusessl -sslcertauth -noninteractive)

  • SAP HANA - uses the SAPSSLC.PSE of the SAP HANA system

-> Activation as for sldreg, because hdblcm cannot set certificate-based authentication

  • SAP NetWeaver JAVA - uses the SAPSSLC.PSE of the SAP NetWeaver JAVA system

-> In SAP NetWeaver Administrator the SLD_DataSupplier can be set up to use the SAPSSLC.PSE client certificate.

Troubleshooting

  1. Is certrule active?

  • parameter login/certificate_mapping_rulebased = 1

  2. Test certrule mappings:

  • Export the certificate of the SAPSSLC.PSE into a file (strust or sapgenpse export_own_cert)
  • Upload the certificate file in transaction certrule; the matching check against existing mappings is executed immediately


  3. Are requests arriving and being accepted in the SAP Focused Run ICM?

  • Transaction SMICM -> switch the HTTP trace on, trace level = 2
  • Trigger a data transfer (RZ70, Outside Discovery, …)
  • Search the SMICM trace for "Client certificate info:"
  • Client certificate info: subject="CN=<values>" -> contains information about the client certificate of the Reverse Proxy (should be accepted due to parameter icm/trusted_reverse_proxy_0)
  • Forwarded Client certificate: subject="CN=<value>" -> contains information about the original client certificate, which was added to the header of the Reverse Proxy request
  • HTTP request [#] Accept trusted forwarded certificate (received via HTTPS with trusted certificate): subject="value" -> "value" should contain the same information as "Forwarded Client certificate" and should be accepted.

If there is an error in the trace, or none of these entries is visible, the certificate chain has to be checked.
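The following Python script is an added example, not part of the SAP documentation. It automates the checks of steps 2 and 3 against constructed SMICM trace fragments and also illustrates the rule-based mapping from chapter “CERTRULE Mapping” (OU=VALFRUN in the Subject resolving to user VALFRUN). The trace line layout, the issuer= field, the host names and the user set are constructed assumptions; the real trace must be read with the fragments the steps above name.

```python
import re
# Constructed sample data (not real SAP output): the DEFAULT-profile parameter
# and three SMICM trace fragments of the kind named in the troubleshooting steps.
TRUSTED_PROXY_PARAM = ('SUBJECT="CN=wdisp.example.corp, OU=IT, O=Example", '
                       'ISSUER="CN=Example CA, O=Example"')
SMICM_TRACE = [
    'Client certificate info: subject="CN=wdisp.example.corp, OU=IT, O=Example", '
    'issuer="CN=Example CA, O=Example"',
    'Forwarded Client certificate: subject="CN=host01, OU=VALFRUN, O=Example"',
    'HTTP request [3] Accept trusted forwarded certificate (received via HTTPS with '
    'trusted certificate): subject="CN=host01, OU=VALFRUN, O=Example"',
]
FRUN_USERS = {"VALFRUN", "FRN_CRT_ABC"}  # users assumed to exist in SAP Focused Run

def parse_dn(dn):
    """Split 'CN=a, OU=b' into {'CN': 'a', 'OU': 'b'}; first occurrence of a key wins."""
    out = {}
    for part in dn.split(","):
        key, _, val = part.strip().partition("=")
        out.setdefault(key.upper(), val.strip())
    return out

def parse_trusted_proxy(param):
    """Extract SUBJECT and ISSUER DNs from an icm/trusted_reverse_proxy_# value."""
    return {k: parse_dn(v) for k, v in re.findall(r'(SUBJECT|ISSUER)="([^"]*)"', param)}

def check_trace(trace_lines, trusted_param, rule_attr, users):
    """Return (proxy_trusted, forwarded_equals_accepted, mapped_user_or_None)."""
    trusted = parse_trusted_proxy(trusted_param)
    proxy_ok, forwarded, accepted = False, None, None
    for line in trace_lines:
        subj = re.search(r'subject="([^"]*)"', line)
        if not subj:
            continue
        dn = parse_dn(subj.group(1))
        if line.startswith("Client certificate info:"):
            # The proxy's own certificate must match icm/trusted_reverse_proxy_#
            # (issuer is compared too when the trace line carries one).
            iss = re.search(r'issuer="([^"]*)"', line)
            proxy_ok = dn == trusted.get("SUBJECT") and (
                iss is None or parse_dn(iss.group(1)) == trusted.get("ISSUER"))
        elif line.startswith("Forwarded Client certificate:"):
            forwarded = dn            # certificate the proxy put into the header
        elif "Accept trusted forwarded certificate" in line:
            accepted = dn             # certificate ICM actually accepted
    consistent = forwarded is not None and forwarded == accepted
    # Rule-based certrule: the chosen Subject attribute is the user name; it must exist.
    user = forwarded.get(rule_attr) if forwarded else None
    return proxy_ok, consistent, (user if user in users else None)
```

A result of (True, True, None) means the Reverse Proxy is trusted and the forwarded certificate was accepted, but no user of the derived name exists, which is exactly the case where the rule-based mapping fails silently.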

  4. Webdispatcher Administration UI

For analysis and PSE maintenance on the Webdispatcher (Reverse Proxy), it is recommended to activate the Webdispatcher Administration UI via the parameter icm/HTTP/admin_0.

Links and Help