03-28-2014 5:58 AM
Dear All,
Our internal security audit suggests avoiding the use of weak SSL ciphers on our SAP PI 7.0 servers.
We have followed SAP note 510007 - Setting up SSL on Web Application Server ABAP.
As mentioned in point 6, we have added the parameter below to the instance profile of the application server and restarted our server, but still the issue is not resolved.
ssl/ciphersuites=MEDIUM:HIGH:EXPORT:!LOW:!eNULL
Clients are accessing our PI server through SAP Web dispatcher.
Kindly suggest the action to be taken to resolve the issue.
Please find below the comment from the audit.
-----------------------------------------------------------------------------------------------------------------------
The remote host supports the use of SSL ciphers that offer weak encryption.
Note: This is considerably easier to exploit if the attacker is on the same physical network
-----------------------------------------------------------------------------------------------------------------------
Regards,
Lalitha.
03-28-2014 7:10 AM
Hi Lalitha,
As suggested in the note, one proposal could be to configure SSL like this:
ssl/ciphersuites=HIGH:MEDIUM:!mMD5
If this does not fit your needs, you need to be more specific about your requirements.
Regards,
Patrick
03-28-2014 7:14 AM
Hi Patrick,
Thanks for the reply.
Do we need to keep the parameter in the SAP Web Dispatcher profile or in the application server profile?
Currently we are keeping this parameter in SAP PI Application server.
Regards,
Lalitha.
03-28-2014 7:32 AM
Hi,
It depends on how your web dispatcher is configured. If it drops SSL connections and creates new ones to the application server, then the client connects to the web dispatcher only. If the web dispatcher just routes the SSL connection to the application server, then only the application server is involved in SSL. Anyway, it's probably a good idea to avoid weak cipher suites on all systems, including the web dispatcher and the application servers.
Cheers
04-03-2014 10:01 AM
Dear Martin,
As advised, we have maintained the parameter on both servers (Web Dispatcher and SAP application server), but still the issue is not resolved.
Kindly help us in resolving this issue.
Regards,
Lalitha
04-03-2014 11:45 AM
Hi Lalitha,
Did you check that the parameters are active (RZ11)?
What are the current active ciphers?
Do you use icm/ssl_config_<xx> to specify port-specific SSL parameters?
04-03-2014 11:52 AM
Hi,
So it seems like restricting cipher suites in category LOW is not enough. I did a quick search and found note 510007. According to this note the category MEDIUM contains
Nowadays anything using MD5 will be classified as weak. Hence I would suggest using some tool that gives you a list of the cipher suites that are offered by your systems (e.g. the script from this thread). When you have that list you can go back to your security vendor and ask them which cipher suites need to be disabled. I am pretty sure that anything with MD5 will be on the blacklist, but there might be some other cipher suites. That OSS note actually mentions how to disable MD5. It's by adding !mMD5
Cheers
04-03-2014 12:00 PM
Hi Martin,
This is exactly the cipher suite I initially suggested 😉
There are some more tools available to check the active cipher suites of a server. For details you may, for instance, have a look at the OWASP pages on SSL/TLS testing.
regards,
Patrick
04-03-2014 8:18 PM
Hi Patrick,
You are right. I completely missed that you suggested excluding MD5. Sorry about that. I guess we agree that Lalitha needs to get an actual list of cipher suites and compare it with the list of "allowed" ciphers from their security vendor.
Cheers
04-10-2014 10:12 AM
Hi Patrick and Martin,
Thanks for the reply.
As per your suggestion we have maintained the parameter
in the profile parameters of both the SAP application server and the web dispatcher and asked the security team to check the result, but still the issue persists.
Please find attached the list of "allowed" ciphers from their security team.
Regards,
Lalitha
04-10-2014 11:08 AM
Hi,
Based on that screenshot, it looks like anything that is using DES or RC4 for encryption is classified as weak. That makes sense, because both ciphers are quite old and have some problems. So you really need to allow only cipher suites from class HIGH: ssl/ciphersuites=HIGH. This class contains 3DES, which they might not like. Hence you might actually need to use ssl/ciphersuites=HIGH:-e3DES.
Cheers
04-10-2014 1:13 PM
Hi,
According to the note, the following ciphers are related to the different levels:
Category  Position  Name of SSL ciphersuite
-----------------------------------------------------------
HIGH      1.        TLS_RSA_WITH_AES128_CBC_SHA
HIGH      2.        TLS_RSA_WITH_AES256_CBC_SHA
MEDIUM    3.        SSL_RSA_WITH_RC4_128_SHA
MEDIUM    4.        SSL_RSA_WITH_RC4_128_MD5
HIGH      5.        SSL_RSA_WITH_3DES_EDE_CBC_SHA
LOW       6.        SSL_RSA_WITH_DES_CBC_SHA
EXPORT    7.        SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
EXPORT    8.        SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
EXPORT    9.        SSL_RSA_EXPORT_WITH_RC4_40_MD5
Using
ssl/ciphersuites=HIGH:MEDIUM:!mMD5
only ciphers 1, 2, 5 and 3 (in that order) should be active.
For instance, based on the configuration, all usage of MD5 should be disabled. According to the screenshot, MD5 is still active. This is more than weird.
There is either something wrong with the connectivity (are you sure they test the right system and not some proxy?) or with the configuration of the system. What is the patch level of the sapcryptolib?
As stated above, please check that the parameters are active (RZ11).
Do you use icm/ssl_config_<xx> to specify port-specific SSL parameters? If yes, what did you specify?
Regards,
Patrick
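To make the reasoning in the two posts above concrete (which suites a given ssl/ciphersuites value leaves active, and which of those the audit would still reject as weak), here is a small Python model. It is an added example, not code from any poster or from SAP: it uses only the nine suites quoted from note 510007 in this thread, and it assumes the OpenSSL-style spec semantics the posts describe (a bare keyword appends its suites in table order, "-" removes them, "!" removes them permanently, "e..." selects by encryption algorithm and "m..." by MAC). The function names `evaluate`, `weak_suites` and `suite_algorithms` are the example's own.

```python
# Cipher suite table quoted from SAP note 510007 in the thread above:
# (position, category, suite name). This is only the page's excerpt, not a
# complete CommonCryptoLib suite list.
NOTE_510007_SUITES = [
    (1, "HIGH",   "TLS_RSA_WITH_AES128_CBC_SHA"),
    (2, "HIGH",   "TLS_RSA_WITH_AES256_CBC_SHA"),
    (3, "MEDIUM", "SSL_RSA_WITH_RC4_128_SHA"),
    (4, "MEDIUM", "SSL_RSA_WITH_RC4_128_MD5"),
    (5, "HIGH",   "SSL_RSA_WITH_3DES_EDE_CBC_SHA"),
    (6, "LOW",    "SSL_RSA_WITH_DES_CBC_SHA"),
    (7, "EXPORT", "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"),
    (8, "EXPORT", "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5"),
    (9, "EXPORT", "SSL_RSA_EXPORT_WITH_RC4_40_MD5"),
]

CATEGORIES = {"HIGH", "MEDIUM", "LOW", "EXPORT"}


def suite_algorithms(name):
    """Return (encryption, mac) from a suite name, e.g. ('RC4', 'MD5').
    Assumption: names follow the <KX>_WITH_<ENC>_..._<MAC> pattern of the table."""
    parts = name.split("_WITH_", 1)[1].split("_")
    return parts[0], parts[-1]


def _matches(keyword, entry):
    """Does a spec keyword (HIGH, e3DES, mMD5, ...) select this table entry?
    Categories are checked first so that MEDIUM/EXPORT are not read as m.../e... keywords."""
    _, category, name = entry
    if keyword in CATEGORIES:
        return category == keyword
    enc, mac = suite_algorithms(name)
    if keyword.startswith("e"):        # encryption keyword, e.g. e3DES or eNULL
        return enc == keyword[1:]
    if keyword.startswith("m"):        # MAC keyword, e.g. mMD5
        return mac == keyword[1:]
    raise ValueError(f"unknown keyword in cipher spec: {keyword}")


def evaluate(spec):
    """Return the active suite names, in order, for an ssl/ciphersuites value.
    Assumed (OpenSSL-style) semantics: bare keyword appends, '-' removes
    (suites may be re-added later), '!' removes permanently."""
    active = []            # ordered list of table positions
    killed = set()         # positions removed with '!'
    for raw in spec.split(":"):
        token = raw.strip()
        if not token:
            continue
        prefix = token[0] if token[0] in "!-" else ""
        selected = [e for e in NOTE_510007_SUITES if _matches(token[len(prefix):], e)]
        if prefix == "!":
            killed.update(e[0] for e in selected)
            active = [p for p in active if p not in killed]
        elif prefix == "-":
            drop = {e[0] for e in selected}
            active = [p for p in active if p not in drop]
        else:
            for e in selected:
                if e[0] not in active and e[0] not in killed:
                    active.append(e[0])
    by_pos = {e[0]: e[2] for e in NOTE_510007_SUITES}
    return [by_pos[p] for p in active]


def weak_suites(names):
    """Flag suites the thread's audit would still reject: RC4 or DES-family
    encryption, an MD5 MAC, or export-grade (40-bit) suites. Returns {name: reason}."""
    reasons = {}
    for name in names:
        enc, mac = suite_algorithms(name)
        why = []
        if enc in ("RC4", "DES", "DES40", "RC2"):
            why.append(f"weak cipher {enc}")
        if mac == "MD5":
            why.append("MD5 MAC")
        if "_EXPORT_" in name:
            why.append("export grade")
        if why:
            reasons[name] = ", ".join(why)
    return reasons


if __name__ == "__main__":
    for spec in ("MEDIUM:HIGH:EXPORT:!LOW:!eNULL",   # the first attempt in the thread
                 "HIGH:MEDIUM:!mMD5",                # Patrick's proposal
                 "HIGH:-e3DES"):                     # Martin's stricter variant
        names = evaluate(spec)
        print(spec, "->", names)
        for name, why in weak_suites(names).items():
            print("   still weak:", name, f"({why})")
```

Running it shows why the first value kept the audit finding open: it still offers both RC4 suites and all three export suites, since neither LOW nor eNULL touches them. Patrick's value leaves exactly suites 1, 2, 5 and 3, of which the audit would still object to the RC4 one; Martin's HIGH:-e3DES is the only one of the three that yields an empty weak list under these criteria.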
04-11-2014 2:36 PM
Dear Patrick,
We are sure the testing is happening on the right system.
We are not using the icm/ssl_config_* parameter in our system.
Please find below the output of the report SSF01 in SE38.
SSF Test Program
Version (on application server)
Result: SSF_API_OK
Version information: 255
SSFLIBSO Version 1.555.18 ; SECUDE(tm) Version 5.4.28M-5 Copyright (c) SECUDE GmbH 1990-2007\nSAPSECULIB - digital signature / without encryption#installed with sapseculib relea
Regards,
Lalitha
04-11-2014 3:03 PM
Hi Lalitha,
to determine the patchlevel of SAPCryptolib, please use the program SSF02 (not SSF01):
SE38 -> SSF02 -> Determine Version
You then should see something like:
SSFLIB Version 1.840.40 ; CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.15 (+MT) #Copyright (c) SAP AG, 2011-2014#compiled for linux-gcc-4.3-x86-64#
The version you determined was the version of the SAPSECULIB, which is used for signature processing.
The patch level in this case is the last two digits after SSFLIB; in this case it is 40.
If you have anything below 38, I would recommend to check whether you can go to a later release first.
Regards,
Patrick
04-15-2014 5:55 AM
Dear Patrick,
As suggested, we have executed the report SSF02 in SE38 and received the same output as for SSF01.
Please suggest how to update the SAPSECULIB.
Regards,
Lalitha
04-15-2014 7:30 AM
Dear Lalitha,
SAP software can be downloaded from the SAP Service Marketplace. The SAP Cryptolib, for instance, can be downloaded at:
-> Support Packages and Patches
-> Browse Download Catalog
-> SAP Cryptographic Software
-> SAPCRYPTOLIB
For your convenience, SAP also provides this software on the SAP Trust Center Services website under
-> Download Area
-> SAP Cryptographic Software
This information is also documented on the help portal and in various notes, like note 455033.
Please check note 1375378 in case you have questions which library to use.
The installation itself is documented in the help portal as well.
Regards,
Patrick
04-28-2014 6:06 AM
Dear Patrick,
Sorry for the late reply.
We have upgraded the entire kernel, executed the report and received the output below.
SE38 -> SSF02 -> Determine Version
Result: SSF_API_OK
Version information: 145
SSFLIB Version 1.840.40 ; CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.15 (+MT) #Copyright (c) SAP AG, 2011-2014#compiled for linux-gcc-4.1-x86-64#
Still the issue is not resolved.
Regards
Lalitha.
04-28-2014 9:48 AM
Hi Lalitha,
in this case I would suggest to open a message with support.
Kind regards,
Patrick
04-28-2014 10:14 AM
Hi,
About the following comment:
-----------------------------------------------------------------------------------------------------------------------
The remote host supports the use of SSL ciphers that offer weak encryption.
Note: This is considerably easier to exploit if the attacker is on the same physical network
-----------------------------------------------------------------------------------------------------------------------
What is the remote host, the SAP Web Dispatcher or the PI servers?
Please also attach profiles of SAP web dispatcher or PI Servers for analysis.
Thanks.
Jim
04-28-2014 10:50 AM
Hi Jim,
The remote host is the PI(7.0) server.
PI server profile
-------------------------------------------------------------------------------------------------------------------------------------
FN_JSTART = jcontrol$(FT_EXE)
ssl/ciphersuites = HIGH:MEDIUM:!mMD5
jstartup/recorder = java -classpath ../j2ee/cluster/bootstrap/launcher.jar com.sap.engine.offline.OfflineToolStart com.sap.engine.flightrecorder.core.Collector ../j2ee/cluster/bootstrap -node %nodeID% %startTime% -bz $(DIR_GLOBAL) -exitcode %exitcode%
login/accept_sso2_ticket = 1
SAPSYSTEMNAME = APQ
SAPSYSTEM = 00
INSTANCE_NAME = DVEBMGS00
DIR_CT_RUN = $(DIR_EXE_ROOT)/run
DIR_EXECUTABLE = $(DIR_INSTANCE)/exe
jstartup/trimming_properties = off
jstartup/protocol = on
jstartup/vm/home = /opt/IBMJava2-amd64-142
jstartup/max_caches = 500
jstartup/release = 700
jstartup/instance_properties = $(jstartup/j2ee_properties):$(jstartup/sdm_properties)
j2ee/dbdriver = /oracle/client/10x_64/instantclient/ojdbc14.jar
PHYS_MEMSIZE = 512
exe/saposcol = $(DIR_CT_RUN)/saposcol
rdisp/wp_no_dia = 10
rdisp/wp_no_btc = 3
exe/icmbnd = $(DIR_CT_RUN)/icmbnd
rdisp/j2ee_start_control = 1
rdisp/j2ee_start = 1
rdisp/j2ee_libpath = $(DIR_EXECUTABLE)
exe/j2ee = $(DIR_EXECUTABLE)/jcontrol$(FT_EXE)
rdisp/j2ee_timeout = 1800
rdisp/frfc_fallback = on
icm/HTTP/j2ee_0 = PREFIX=/,HOST=localhost,CONN=0-500,PORT=5$$00
icm/server_port_0 = PROT=HTTP,PORT=80$$
#-----------------------------------------------------------------------
# SAP Messaging Service parameters are set in the DEFAULT.PFL
#-----------------------------------------------------------------------
ms/server_port_0 = PROT=HTTP,PORT=81$$
rdisp/wp_no_enq = 1
rdisp/wp_no_vb = 1
rdisp/wp_no_vb2 = 1
rdisp/wp_no_spo = 1
#------------------------------------------------------------
# Jcontrol: Migrated Profile Parameter
# create at Wed Mar 25 20:20:02 2009
#------------------------------------------------------------
j2ee/instance_id = ID0079698
#------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------
Web dispatcher profile
SAPSYSTEMNAME = WD0
SAPSYSTEM = 00
INSTANCE_NAME = W00
DIR_CT_RUN = $(DIR_EXE_ROOT)/run
DIR_EXECUTABLE = $(DIR_CT_RUN)
wdisp/shm_attach_mode = 6
#-----------------------------------------------------------------------
# Accessibility of Message Server
#-----------------------------------------------------------------------
#rdisp/mshost = asapq00.b.com
#ms/http_port = 8100
#ms/https_port = 8101
wdisp/system_0 = MSHOST=asapq00.b.com, MSPORT=8100, SID=APQ
#-----------------------------------------------------------------------
# Configuration for medium scenario
#-----------------------------------------------------------------------
icm/max_conn = 16350
icm/max_sockets = 32768
wdisp/HTTPS/max_pooled_con = 16350
icm/req_queue_len = 8000
icm/min_threads = 100
icm/max_threads = 500
mpi/total_size_MB = 700
mpi/buffer_size = 32768
mpi/max_pipes = 21000
wdisp/HTTP/max_pooled_con = 8192
wdisp/HTTPS/max_pooled_con = 8192
#-----------------------------------------------------------------------
# SAP Web Dispatcher Ports
#-----------------------------------------------------------------------
icm/server_port_0 = PROT=HTTP,PORT=80,EXTBIND=1
icm/server_port_1 = PROT=ROUTER,PORT=443,EXTBIND=1
#icm/host_name_full= asapq00.b.com
icm/host_name_full= qtyh2h.k.co.in
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=/sapmnt/WD0/global/security/data/icmauth.txt
ssl/ssl_lib=/usr/sap/WD0/W00/sec/libsapcrypto.so
wdisp/HTTPS/dest_logon_group = PUBLIC
wdisp/HTTPS/max_client_ip_entries = 100000
wdisp/HTTPS/sticky_mask = 255.255.255.0
#-----------------------------------------------------------------------
#Additional Parameters
#-----------------------------------------------------------------------
wdisp/add_client_protocol_header = true
wdisp/auto_refresh = 120
wdisp/max_servers = 100
wdisp/handle_webdisp_ap_header = 1
#-----------------------------------------------------------------------
#Registering SAP Web Dispatcher in the SLD
#----------------------------------------------------------------------
#wdisp/system_0 = HOST=asapq00.b.com, PORT=8100, SID=APQ, NR=00
#----------------------------------------------------------------
#Parameter to avoid weak SSL ciphers
#--------------------------------------------------------------
ssl/ciphersuites=HIGH:MEDIUM:!mMD5
Regards,
Lalitha
04-29-2014 2:14 AM
Hi,
In the profile of the PI server, you don't have the parameters described in note 510007:
ssf/name = SAPSECULIB
ssf/ssfapi_lib = <Path and file name of the SAPCRYPTOLIB>
sec/libsapsecu = <Path and file name of the SAPCRYPTOLIB>
ssl/ssl_lib = <Path and file name of the SAPCRYPTOLIB>
icm/server_port_X = PROT=HTTPS,PORT=<TCP port number for HTTPS>
Have you maintained them in the default profile?
Thanks.
Jim