How-to Guide SAP NetWeaver 04

How To Enable Secure Synchronization with the ABAP Synchronization Service

Version 1.00 December 2006 Applicable Releases: SAP NetWeaver 04 SP18 or higher

 Copyright 2006 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C , World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data

contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. These materials are provided as is without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages. SAP NetWeaver How-to Guides are intended to simplify the product implementation. While specific product features and procedures typically are explained in a practical business context, it is not implied that those features and procedures are the only approach in solving a specific business problem using SAP NetWeaver. Should you wish to receive additional information, clarification or support, please refer to SAP Consulting. Any software coding and/or code lines / strings (Code) included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or grossly negligent.

1 Content
1 2 3 4 Content..................................................................................................................................... 1 Scenario ................................................................................................................................... 2 Introduction .............................................................................................................................. 2 The Step By Step Solution....................................................................................................... 3 4.1 Enable HTTPS Port in the ABAP Stack of your Web AS................................................ 3 4.2 Generate the Server Certificate ...................................................................................... 4 4.3 Export the Server Certificate ........................................................................................... 5 4.4 Adjust MobileEngine.config............................................................................................. 6 4.5 Import the Server Certificate into the clients truststore file............................................. 6 5 Appendix .................................................................................................................................. 7 5.1 Certificate of a Certification Authority.............................................................................. 7

2 Scenario
You run SAP Mobile Infrastructure 2.5 SP18 or higher. ABAP Synchronization Service is used to synchronize data from and to mobile devices. This data exchange should be performed in a secure and encrypted way.

3 Introduction
SAP Mobile Infrastructure uses per default the HTTP protocol for data transfer between client and server. If you transfer business sensitive data via public networks HTTP may not meets your security requirements, as the data is transferred as a plain data stream which could be intercepted by unauthorized parties. SAP Mobile Infrastructure offers the opportunity to switch to the SSL based HTTPS protocol, which offers authentication based on certificates as well as encrypted data transfer. If you want to read more about Transport Layer Security refer to http://help.sap.com/saphelp_nw04/helpdata/en/13/4a3ad42ae78e4ca256861e078b4160/ frameset.htm Upcoming in this document the necessary steps are outlined to enable HTTPS for MI with the ABAP Synchronization service.

4 The Step By Step Solution

4.1 Enable HTTPS Port in the ABAP Stack of your Web AS

If the HTTPS protocol is already activated in your ABAP Stack you can skip this part and continue with 3.2. 1. In order to activate HTTPS communication with your ABAP Sync Service you need to deploy the SAP Cryptographic Library. Download the SAP Cryptographic Library from http://service.sap.com/swdc --> download --> SAP Cryptographic Software To install the SAP Cryptographic Library the follow http://help.sap.com/saphelp_nw04/h elpdata/en/96/709b3ad94e8a3de100 00000a11402f/frameset.htm 2. Set the profile parameters following SAP Help entry http://help.sap.com/saphelp_nw04/h elpdata/en/85/46453c3ff4110ee1000 0000a11405a/frameset.htm Restart the System.

3. Call transaction SMICM, choose GOTO SERVICES from the menubar. You should see the available ICM Services. If the service for protocol HTTPS is not active, mark it and choose SERVICE ACTIVATE from the menubar to activate the service.

4.2

Generate the Server Certificate

SAP recommends for productive usage the purchase a certificate from a certification authority like VeriSign, Thawte, TrustCenter or others. For test environments self-signed certificates could be used. The following steps describe the usage of self-signed certificates for test purposes. 1. Call transaction STRUSTSSO2. If the entry SSL Server is marked with a red cross, click the entry with the right mouse button and choose Create to create the SSL Server certificate. If the entry is marked with a folderlike symbol open the folder and check that it contains a greenmarked entry. If so go on with chapter 3.3.

2. Enter the full qualified ABAP host in the field Name. It is important that this entry matches exactly the host name you will synchronize against with your mobile clients. You can also use a wild card entry (e.g. *.wdf.sap.corp). For more info please refer to SAP Help entry http://help.sap.com/saphelp_nw04/h elpdata/en/20/37c33ae8361838e100 00000a11402f/frameset.htm If the Name field value differs from the clients synchronization host name you cannot use the HostNameVerifying functionality within your mobile client, which protects against Man-in-the-Middle attacks.

3. You have created the SSL Server certificate.

4.3

Export the Server Certificate

1. Double-click on the green-marked entry below the SSL Server node. The certificate will be displayed in the upper right area of the screen. Double-click the certificate (marked with the red ellipse). In the lower right area the certificate details will appear (marked with the white ellipse).

2. Choose Certificate Export to export the certificate to a local file. Enter a local path and file name and choose Enter.

4.4

Adjust MobileEngine.config

1. Enable SSL on the mobile client by adjusting the MobileEngine.config file according to the following guideline: http://help.sap.com/saphelp_nw04/h elpdata/en/1c/7bef3d5e10af5ee1000 0000a114084/frameset.htm If the CN (common name) of the certificate differs from the synchronization host of your client you have to set the option MobileEngine.Security.HostnameVer ifying to false. It is strongly recommended that the host name verifying functionality is NOT switched off, thus the CN of the certificate and the synchronization host have to be equal! 2. Check SAP Note 580497 if depending on your Java version additional client libraries need to be deployed as well to the mobile client.

4.5

Import the Server Certificate into the clients truststore file

3. You use the keytool delivered from SUN to import the Server SSL certificate into the truststore file of your mobile client. You can find the truststore file in <MI_HOME>\settings folder. To do so follow the following guideline: http://help.sap.com/saphelp_nw04/h elpdata/en/0f/8d80f68eace441b3d1e bdc4b2f2c81/frameset.htm

5 Appendix
5.1 Certificate of a Certification Authority

You want use a certificate issued or signed by a CA. Follow SAP Help entries http://help.sap.com/saphelp_nw04/helpdata/en/3a/7cddde33ff05cae10000000a128c20/fr ameset.htm, http://help.sap.com/saphelp_nw04/helpdata/en/65/6a563cef658a06e10000000a11405a/f rameset.htm and http://help.sap.com/saphelp_nw04/helpdata/en/0d/a22640632cec01e10000000a155106/ frameset.htm in order to issue a certificate request to a CA, to import the response into your NetWeaver AS and finalize the SSL setup steps.

http://service.sap.com/nw-howtoguides