
Replacing SAPCRYPTOLIB with CommonCryptoLib (CCL) and its integration in SAP: Everything you need to know

  • Created 01/03/2024
  • Modified 01/03/2024
Many years ago SAP deprecated the SAPCRYPTOLIB and introduced the CommonCryptoLib (CCL) as its successor. The CCL is not only a replacement for its predecessor but also for OpenSSL, which was used for example by SAP HANA in its early days (and up to SAP HANA 2.0 SPS01 for LDAP).

By now the CCL is available in its latest version 8.5.x and is used by many SAP components. Some examples are:

  • SAP Host Agent
  • SAP Instance Agent
  • SAP NetWeaver AS ABAP
  • SAP NetWeaver AS Java
  • SAP HANA
  • SAP Web Dispatcher
  • various Kernel Tools (saphttp, sldreg, sapkprotp, sapcontrol, saphostcontrol, etc.)
  • SAP Java Connector (SAP JCo)
  • SAP Connector for Microsoft .NET 3.0 (SAP NCo)


All of these components have one thing in common: They make use of one or more communication protocols (e.g., HTTP, P4, IIOP, JDBC, LDAP) which nowadays should be secured using TLS (Transport Layer Security).



Please also read the other blogposts of this series:

CommonCryptoLib: TLS protocol versions and cipher suites
CommonCryptoLib: SNC protocol versions and cipher suites
CommonCryptoLib: Manage PSE files and SSO Credentials (cred_v2)
CommonCryptoLib: Certificate Revocation List validation


Updates:

2022-09-16: Added info about changes to TLS_FALLBACK_SCSV.
2022-03-21: Added info about changes to cipher suites and group assignment.
2022-02-25: Updated recommendation regarding "Allow blind sending of a client certificate".
2021-11-05: Linked other blogposts of this series. Added section on how to update the CCL.





Protocol versions


Since the major browser vendors decided to drop support for some TLS versions, every admin dealing with web applications has had to learn, at least in recent months, about the different TLS versions out there.
Some TLS versions have existed for more than 20 years and can be considered weak. For example, TLS 1.0 and TLS 1.1 have finally been flagged as deprecated by the IETF (see RFC 8996, which by the way took them more than two and a half years; see https://datatracker.ietf.org/doc/rfc8996/history/).
Others are the new kids on the block, like TLS 1.3 and ETS (formerly known as eTLS). They are so "fresh" that they are not yet supported in all products.
Please note: As of SAP note 2765639 for AS ABAP, SAP note 2834475 for AS Java and SAP note 2939945 for SAP BusinessObjects BI Platform 4.x, TLS 1.3 is currently not supported.

Today, the version which can be considered as widely supported is TLS 1.2.

Cipher suites


A cipher suite defines a set of algorithms that usually comprises a key exchange algorithm, a signature (authentication) algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

Not every cipher suite can be combined with every TLS protocol version.

To cause even more confusion, there are two different notations for cipher suites: IANA naming vs. OpenSSL naming.
Please note: A comprehensive overview of all available cipher suites, their TLS version support and a security classification can be found at https://ciphersuite.info/cs/.
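As an added example (not code from the original post), the following Python module splits IANA cipher-suite names into the four parts described above, derives which TLS versions can negotiate each suite, and audits a constructed suite list against a minimum-version policy. The version rules are taken from the RFCs; the weak-algorithm markers are an assumed heuristic, not the ciphersuite.info classification.

```python
import re

# Version rules follow the RFCs: a name without WITH_ is a TLS 1.3 suite (RFC 8446);
# AEAD or SHA-2 MAC suites need TLS 1.2 (RFC 5246); all others also run on TLS 1.0/1.1,
# deprecated by RFC 8996. The weak markers are a heuristic, not the ciphersuite.info database.
_WEAK_CIPHERS = ("NULL", "RC4", "RC2", "DES", "3DES", "IDEA", "SEED")
_ORDER = ("TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3")
_TLS13 = re.compile(r"TLS_(?P<cipher>.+)_(?P<mac>SHA(?:256|384))")
_LEGACY = re.compile(r"TLS_(?P<kxauth>.+)_WITH_(?P<cipher>.+)_(?P<mac>[A-Z0-9]+)")
def parse_suite(name):
    """Split an IANA suite name into key exchange, auth, bulk cipher and MAC."""
    if name.endswith("_SCSV"):
        # Signalling values such as TLS_FALLBACK_SCSV take a suite code point but encrypt nothing
        return {"signalling": True, "versions": (), "weak": False}
    m = (_TLS13 if "_WITH_" not in name else _LEGACY).fullmatch(name)
    if not m:
        raise ValueError(f"not an IANA cipher-suite name: {name}")
    cipher, mac = m["cipher"], m["mac"]
    if "_WITH_" not in name:
        # TLS 1.3 names carry no key exchange or signature; both are negotiated separately
        return {"kx": None, "auth": None, "cipher": cipher, "mac": mac,
                "versions": ("TLS1.3",), "pfs": True, "weak": False}
    parts = m["kxauth"].split("_")
    export = "EXPORT" in parts                   # 40/56-bit export-grade variants
    parts = [p for p in parts if p != "EXPORT"]
    kx, auth = parts[0], parts[-1]               # TLS_RSA_WITH_...: RSA does both jobs
    aead = any(t in cipher for t in ("GCM", "CCM", "CHACHA20"))
    versions = ("TLS1.2",) if aead or mac in ("SHA256", "SHA384") else _ORDER[:3]
    weak = (export or auth in ("anon", "NULL") or mac == "MD5"
            or any(cipher.startswith(c) for c in _WEAK_CIPHERS))
    return {"kx": kx, "auth": auth, "cipher": cipher, "mac": mac,
            "versions": versions, "pfs": kx in ("DHE", "ECDHE"), "weak": weak}

def audit(suites, min_version="TLS1.2"):
    # Map each suite that a "min_version, no weak suites" policy rejects to the reason
    allowed = set(_ORDER[_ORDER.index(min_version):])
    rejected = {}
    for s in suites:
        info = parse_suite(s)
        if info.get("signalling"):
            continue
        if info["weak"]:
            rejected[s] = "weak algorithm"
        elif not allowed & set(info["versions"]):
            rejected[s] = "needs " + "/".join(info["versions"])
    return rejected

# Constructed sample list, not taken from any real SAP profile
SAMPLE = ["TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
          "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA",
          "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_FALLBACK_SCSV"]
```

Running `audit(SAMPLE)` flags only the RC4 and 3DES suites, while `audit(SAMPLE, "TLS1.3")` additionally rejects every suite that names a key exchange, since those cannot be negotiated under TLS 1.3.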


Technical background on the CCL integration


SapSSL is the high-level TLS protocol handler of the SAP Kernel and its components. Whenever cryptography for TLS is needed, SapSSL calls a cryptographic library.

The library to be used is configured by the profile parameter ssl/ssl_lib.

The CCL has a built-in default configuration which serves maximum compatibility but offers very weak security and therefore should no longer be used nowadays. To override this default configuration, most components read profile parameters and pass them through SapSSL to the CCL.
As some components do not read profile parameters, the CCL also reads environment variables as a fallback. This allows these components to use a secure custom configuration as well.

SAP HANA (the database, including XS Classic, and XSA) integrates the CCL by other means: the CCL's configuration is stored in the configuration .ini files.

Some components act only as clients (for example sapcontrol), some act only as servers (for example sapstartsrv) and some act as both (for example the ICM