How to Enable SSL on NetWeaver Application Server

1. Install Client Certificates

1) Open the website you want to connect to, e.g. github.com, in your browser

2) Export all certificates in the site's certificate chain with your browser

3) Go to transaction STRUST

4) Double-click the node SSL Client (Anonymous)

5) Import a certificate exported in step 2

6) Click Add to Certificate List

7) Repeat steps 5 and 6 until all certificates are added

8) Save

2. Test SSL Connection

1) Create a new ABAP program ZABAPGIT_TEST_SSL and copy the source code from here

2) Run the program and try to connect

3) If you see Success, the connection works and you are done.

If you see an error like the one below, continue with the next section.

SSL handshake with github.com:443 failed: SSSLERR_SSL_READ (-58)
SAPCRYPTO:SSL_read() failed
SapSSLSessionStartNB()==SSSLERR_SSL_READ
SSL:SSL_read() failed (536875120/0x20001070)
=> "received a fatal TLS1.0 protocol version alert message from the peer"
SSL:SSL_get_state()==0x2120 "TLS read server hello A"
SSL NI-hdl 99: local=10.0.0.59:15728 peer=192.30.253.113:443
cli SSL session PSE "/usr/sap/NPL/D00/sec/SAPSSLA.pse"
session ciphersuites=HIGH:MEDIUM:+e3DES:!aNULL
Client SSL_CTX 7f26940019d0 pvflags=128 (TLSv1.0)
Target Hostname="github.com"
>> SecuSSL ErrStack:
0x20001070 SAPCRYPTOLIB SSL_read
SSL API error
received a fatal TLS1.0 protocol version alert message from the peer
0xa0600278 SSL ssl3_read_bytes
received a fatal TLS1.0 protocol version alert message from the peer
0xa0600278 SSL ssl3_connect
received a fatal TLS1.0 protocol version alert message from the peer
0xa0600278 SSL ssl3_read_bytes
received a fatal TLS1.0 protocol version alert message from the peer
<<
Also check transaction SMICM -> Goto -> Trace File -> Display End

3. Check Trace File

1) Go to transaction SMICM

2) Go to menu Goto -> Trace File -> Display End

3) If you see a message complaining about the TLS version, proceed to the next section

[Thr 139804692911872]   Target Hostname="github.com"
[Thr 139804692911872]   SSL NI-hdl 99: local=10.0.0.59:15728  peer=192.30.253.113:443
[Thr 139804692911872] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=7f2694001670)==SSSLERR_SSL_READ
[Thr 139804692911872] *** ERROR => SSL handshake with github.com:443 failed: SSSLERR_SSL_READ (-58)
[Thr 139804692911872] SAPCRYPTO:SSL_read() failed
[Thr 139804692911872]
[Thr 139804692911872] SapSSLSessionStartNB()==SSSLERR_SSL_READ
[Thr 139804692911872]   SSL:SSL_read() failed  (536875120/0x20001070)
[Thr 139804692911872]   => "received a fatal TLS1.0 protocol version alert message from the peer"
[Thr 139804692911872]   SSL:SSL_get_state()==0x2120 "TLS read server hello A"
[Thr 139804692911872]   SSL NI-hdl 99: local=10.0.0.59:15728  peer=192.30.253.113:443
[Thr 139804692911872]   cli SSL session PSE "/usr/sap/NPL/D00/sec/SAPSSLA.pse"
[Thr 139804692911872]   session ciphersuites=HIGH:MEDIUM:+e3DES:!aNULL
[Thr 139804692911872]   Client SSL_CTX 7f26940019d0 pvflags=128 (TLSv1.0)
[Thr 139804692911872]   Target Hostname="github.com"
[Thr 139804692911872] >>      SecuSSL ErrStack:
[Thr 139804692911872] 0x20001070   SAPCRYPTOLIB   SSL_read
[Thr 139804692911872] SSL API error
[Thr 139804692911872] received a fatal TLS1.0 protocol version alert message from the peer
[Thr 139804692911872] 0xa0600278   SSL   ssl3_read_bytes
[Thr 139804692911872] received a fatal TLS1.0 protocol version alert message from the peer
[Thr 139804692911872] 0xa0600278   SSL   ssl3_connect
[Thr 139804692911872] received a fatal TLS1.0 protocol version alert message from the peer
[Thr 139804692911872] 0xa0600278   SSL   ssl3_read_bytes
[Thr 139804692911872] received a fatal TLS1.0 protocol version alert message from the peer
[Thr 139804692911872] <<
[Thr 139804692911872]
[Thr 139804692911872]  {00000109} {root-id=000D3A282AC01EE899FB2148C2A4B9FE} [icxxconn.c 2423]
[Thr 139804692911872]              GUI T12_U2540_M0, 001, DEVELOPER, CX360WINSG, time=09:24:28, W1, program=ZABAPGIT_TEST_SSL, high priority, memory=0, tasks=1, appl info=, tcode=SADT_START
[Thr 139804692911872]              role: Client, protocol: HTTPS, local: 10.0.0.59:15728, peer: 192.30.253.113:443
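
One way to automate the check in step 3, as an added example rather than code from the original page: it scans ICM trace text for failed handshakes and reports the alert the peer sent and the protocol version the client offered. The function names are hypothetical and the sample is built from lines of the trace above.

```python
import re

# Constructed sample: lines excerpted from the trace shown above.
SAMPLE_TRACE = """\
[Thr 139804692911872] *** ERROR => SSL handshake with github.com:443 failed: SSSLERR_SSL_READ (-58)
[Thr 139804692911872]   => "received a fatal TLS1.0 protocol version alert message from the peer"
[Thr 139804692911872]   SSL:SSL_get_state()==0x2120 "TLS read server hello A"
[Thr 139804692911872]   Client SSL_CTX 7f26940019d0 pvflags=128 (TLSv1.0)
[Thr 139804692911872]   Target Hostname="github.com"
"""

LINE = re.compile(r'^\[Thr (\d+)\]\s?(.*)$')
FAILED = re.compile(r'SSL handshake with (\S+?):(\d+) failed: (\w+) \((-?\d+)\)')
ALERT = re.compile(r'=> "received a fatal (\S+) (.+?) alert message from the peer"')
PVFLAGS = re.compile(r'pvflags=(\d+) \(([^)]*)\)')

def handshake_failures(trace):
    """Return one record per failed handshake, with the alert and offered protocol."""
    failures, current = [], {}
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an ICM trace line
        thread, text = m.group(1), m.group(2)
        if (f := FAILED.search(text)):
            rec = {"thread": thread, "host": f.group(1), "port": int(f.group(2)),
                   "error": f.group(3), "code": int(f.group(4)),
                   "alert": None, "pvflags": None, "offered": None}
            failures.append(rec)
            current[thread] = rec  # detail lines on this thread belong to rec
        elif thread in current:
            rec = current[thread]
            if (a := ALERT.search(text)) and rec["alert"] is None:
                rec["alert"] = a.group(2)
            elif (p := PVFLAGS.search(text)) and rec["pvflags"] is None:
                rec["pvflags"], rec["offered"] = int(p.group(1)), p.group(2)
    return failures

def needs_tls_upgrade(rec):
    """True when the peer rejected the protocol version the client offered."""
    return rec["alert"] == "protocol version"

if __name__ == "__main__":
    for rec in handshake_failures(SAMPLE_TRACE):
        verdict = "raise client TLS version" if needs_tls_upgrade(rec) else "check other causes"
        print(f'{rec["host"]}:{rec["port"]} {rec["error"]} offered={rec["offered"]} -> {verdict}')
```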

4. Enable TLS v1.2

1) Go to transaction RZ10

2) Open DEFAULT profile, select Extended maintenance and click Change

3) Add these two parameters:

Over the course of year 2016, a growing number of TLS servers were reconfigured to abort/reject TLSv1.0 handshakes, or they are requiring forward secrecy (PFS) cipher suites for access. The currently recommended settings for TLSv1.2 interoperability are (requiring at least CommonCryptoLib 8.4.38, recommending at least 8.4.49):

        ssl/ciphersuites           =  135:PFS:HIGH::EC_P256:EC_HIGH
 
        ssl/client_ciphersuites  =  150:PFS:HIGH::EC_P256:EC_HIGH
 
For a SAP Solution Manager System 7.[012], please use the following value for ssl/client_ciphersuites instead:

        ssl/client_ciphersuites = 918:PFS:HIGH::EC_P256:EC_HIGH

Source: SAP Note 510007

4) Click Copy and then Save. (There might be a warning; proceed with saving anyway.)

5) Restart server

$ su -l npladm
$ stopsap
$ startsap
$ sapcontrol -nr 00 -function GetProcessList

6) Go back to SMICM and view the trace file again. If the two new parameters appear there, they are configured properly.

[Thr 139810885523200] =================================================
[Thr 139810885523200] = SSL Initialization    platform tag=(linuxx86_64_gcc43)
[Thr 139810885523200] =   (753_REL,Aug 18 2017,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)
[Thr 139810885523200] =       resulting Filename = "/usr/sap/NPL/D00/exe/libsapcrypto.so"
[Thr 139810885523200] =   disabled FIPS 140-2 crypto kernel
[Thr 139810885523200] =   found CommonCryptoLib 8.5.14 (Jul 27 2017) [AES-NI,CLMUL,SSE3,SSSE3]
[Thr 139810885523200] =   current UserID: "npladm",  env-var USER="npladm"
[Thr 139810885523200] =   found SECUDIR environment variable
[Thr 139810885523200] =   using SECUDIR=/usr/sap/NPL/D00/sec
[Thr 139810885523200] = [dpf] ssl/ciphersuites=135:PFS:HIGH::EC_P256:EC_HIGH
[Thr 139810885523200] =   NOT creating Envvar SAPSSL_CIPHERSUITES=135:PFS:HIGH::EC_P256:EC_HIGH
[Thr 139810885523200] = [dpf] ssl/client_ciphersuites=150:PFS:HIGH::EC_P256:EC_HIGH
[Thr 139810885523200] =   NOT creating Envvar SAPSSL_CLIENT_CIPHERSUITES=150:PFS:HIGH::EC_P256:EC_HIGH
[Thr 139810885523200] = Success    SapCryptoLib SSL ready!
[Thr 139810885523200] =================================================

7) Test the SSL connection again; it should work now
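
The check in step 6, as an added example (not code from the original page or from SAP): it reads the SSL initialization block of the ICM trace, compares the two parameters with the values set in RZ10 and the CommonCryptoLib version with the minimums quoted above, and names the bits in each numeric prefix. The bit names are an assumption taken from SAP Note 510007, and the sample trace is built from lines shown above.

```python
import re

# Constructed sample: lines copied from the SSL initialization block above.
SAMPLE_TRACE = """\
[Thr 139810885523200] =   found CommonCryptoLib 8.5.14 (Jul 27 2017) [AES-NI,CLMUL,SSE3,SSSE3]
[Thr 139810885523200] = [dpf] ssl/ciphersuites=135:PFS:HIGH::EC_P256:EC_HIGH
[Thr 139810885523200] = [dpf] ssl/client_ciphersuites=150:PFS:HIGH::EC_P256:EC_HIGH
[Thr 139810885523200] = Success    SapCryptoLib SSL ready!
"""

# Values this page sets in RZ10, and the library versions it quotes.
EXPECTED = {"ssl/ciphersuites": "135:PFS:HIGH::EC_P256:EC_HIGH",
            "ssl/client_ciphersuites": "150:PFS:HIGH::EC_P256:EC_HIGH"}
CCL_REQUIRED, CCL_RECOMMENDED = (8, 4, 38), (8, 4, 49)

# Meaning of the numeric prefix bits as listed in SAP Note 510007
# (assumption: taken from the note, not from this page).
BITS = {1: "BC", 2: "BEST", 4: "NO_GAP", 16: "BLIND_CLIENT_CERT", 32: "STRICT",
        64: "SSLv3", 128: "TLSv1.0", 256: "TLSv1.1", 512: "TLSv1.2"}

def decode_flags(spec):
    """Split '135:PFS:...' and name the bits set in the numeric prefix."""
    value = int(spec.split(":", 1)[0])
    return [name for bit, name in BITS.items() if value & bit]

def check_ssl_init(trace):
    """Compare what the ICM logged at startup with the expected settings."""
    ccl = re.search(r"found CommonCryptoLib (\d+)\.(\d+)\.(\d+)", trace)
    version = tuple(map(int, ccl.groups())) if ccl else None
    found = dict(re.findall(r"\[dpf\] (ssl/\w+)=(\S+)", trace))
    report = {"ccl_version": version,
              "ccl_ok": version is not None and version >= CCL_REQUIRED,
              "ccl_recommended": version is not None and version >= CCL_RECOMMENDED,
              "ssl_ready": "SapCryptoLib SSL ready!" in trace,
              "params": {}}
    for name, expected in EXPECTED.items():
        actual = found.get(name)  # None when the parameter was not picked up
        report["params"][name] = {
            "actual": actual, "matches": actual == expected,
            "flags": decode_flags(actual) if actual else []}
    return report

if __name__ == "__main__":
    import json
    print(json.dumps(check_ssl_init(SAMPLE_TRACE), indent=2))
```

In the decoded output both values carry BEST, the bit the note describes as activating the highest available TLS protocol version, alongside the TLSv1.0 bit.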
