Application Development Discussions
Encryption Type AES-256-CTS-HMAC-SHA1-96 not working with SAP Webdispatcher

former_member317844
Hi,

We have set up an SSO solution with SPNEGO and it works fine internally. Now we have published it to the internet via a SAP Webdispatcher and the KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 is no longer found valid.

I have found out that the KerbTicket Encryption Type: RSADSI RC4-HMAC works with the webdispatcher.

Can anyone explain why we can't get Kerberos Ticket Encryption Type: AES-256-CTS-HMAC-SHA1-96 to work with SAP Web Dispatcher 7.31?

Former Member
Hi Torben,

just guessing here, but did you compare the crypto libs on the different systems?

Regards,

Patrick

Former Member
I agree with Patrick, I think CommonCryptoLib is required for AES256-CTS-HMAC-SHA1-96 support, see SAP note 2004653 for details. Maybe you have downloaded and installed SAP Cryptographic Library on the Web Dispatcher which doesn't have support for the algorithm. You can increase the trace level, the library will spew out all the supported algorithms on start up. The information might be visible also in the Web Administration of Web Dispatcher, for example when creating a new PSE.

0 Kudos

and last but not least, you can use sapgenpse to check for the version information 😉

kind regards,

Patrick

0 Kudos

Thanks for the input.

I have checked the versions of SAPCryptolib and all are 5.5.5 sp34.

I am not sure how to increase the trace level on the webdisp.

The funny thing is that the current versions are the same.

I checked the SAP note and I will try to update to 1848999 - Central Note for CommonCryptoLib 8 (replacing SAPCRYPTOLIB)

0 Kudos

Yes, you should try with CommonCryptoLib. Have you set the ciphersuites on Web Dispatcher using the ICM parameter ssl/ciphersuites? Even if this parameter is not present in the backend system, it might be defaulted.

0 Kudos

Now that I stopped to think about this, I think I'm missing the big picture. As I understand it you are trying to configure Kerberos SSO to the SAP backend system going through Web Dispatcher. As far as I'm aware AES256-CTS-HMAC-SHA1-96 is used only for Kerberos. SPNEGO, which is the Kerberos implementation of NetWeaver Application Server, uses the cipher if it is available and configured. In case you are using Web Dispatcher to access your SAP backend system, the SPNEGO implementation in the NetWeaver Application Server is still used meaning that Web Dispatcher is only forwarding the requests/responses to/from the NetWeaver Application Server. How did you determine that AES256-CTS-HMAC-SHA1-96 isn't used in case you go through the Web Dispatcher?

Regardless, a suitable cipher that is capable of SSL/TLS needs to be selected for Web Dispatcher assuming you have configured SSL in Web Dispatcher. I haven't configured SPNEGO in a landscape where Web Dispatcher is used so I'm not exactly sure what steps are required. I know for a fact that the Web Dispatcher DNS alias needs to be added as SPN for the service account that is used by SPNEGO. As far as I know the way it works is that if SPNEGO is enabled, the SAP backend system requests authentication from the client, e.g. the browser. The client then provides the Kerberos token which is then verified by the SAP backend system. I really don't see how the cipher used on the Web Dispatcher would make any difference, maybe others know better.

How have you configured the Web Dispatcher? Is SSL terminated, is it using End-to-End SSL or is SSL re-encrypted by Web Dispatcher? Have you tried the ROUTER protocol in the Web Dispatcher, does it make a difference? I'm not saying you should use the ROUTER protocol since it has considerable limitations but in order to figure out what is going on.
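One way to answer the question above (which etype the browser actually presented, with or without the Web Dispatcher in the path) is to decode the Kerberos ticket's etype from the `Authorization: Negotiate` header the client sent. The following is an added example, not code from this thread or from SAP; the token it parses is constructed, with the SPN `HTTP/wd.example` and realm `EXAMPLE.COM` as placeholder values.

```python
import base64
ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}  # RFC 3961/4120 numbers

def der_read(buf, pos):
    """One DER TLV at pos (single-byte tags only) -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(buf):                                 # (tag, value) of every element inside a node
    pos = 0
    while pos < len(buf):
        tag, val, pos = der_read(buf, pos)
        yield tag, val

def find_ticket_etype(buf):
    """Depth-first search for the first Kerberos Ticket; also steps into the SPNEGO mechToken OCTET
    STRING (it starts with the GSS 0x60 header). The GSS TOK_ID 01 00 after the OID parses as an empty BOOLEAN."""
    for tag, val in children(buf):
        if tag == 0x61:                            # Ticket ::= [APPLICATION 1] SEQUENCE { ..., enc-part [3] }
            fields = dict(children(der_read(val, 0)[1]))
            enc = dict(children(der_read(fields[0xA3], 0)[1]))   # EncryptedData { etype [0] Int32, ... }
            return int.from_bytes(der_read(enc[0xA0], 0)[1], "big", signed=True)
        if tag & 0x20 or (tag == 0x04 and val[:1] == b"\x60"):
            found = find_ticket_etype(val)
            if found is not None:
                return found
    return None

def negotiate_etype(header_value):                 # 'Negotiate <base64>' -> (etype number, etype name)
    etype = find_ticket_etype(base64.b64decode(header_value.split(" ", 1)[1]))
    return etype, ETYPES.get(etype, f"etype {etype}")

def tlv(tag, body):                                # minimal DER encoder for the sample; lengths < 256 suffice
    n = len(body)
    return (bytes([tag, n]) if n < 128 else bytes([tag, 0x81, n])) + body

def sample_negotiate_header(etype):                # constructed sample, NOT a capture: SPNEGO NegTokenInit -> AP-REQ
    ctx, kint = (lambda i, b: tlv(0xA0 | i, b)), (lambda v: tlv(0x02, bytes([v])))
    krb_oid, spnego_oid = bytes.fromhex("06092a864886f712010202"), bytes.fromhex("06062b0601050502")
    sname = tlv(0x30, ctx(0, kint(2)) + ctx(1, tlv(0x30, tlv(0x1B, b"HTTP") + tlv(0x1B, b"wd.example"))))
    enc_part = tlv(0x30, ctx(0, kint(etype)) + ctx(1, kint(2)) + ctx(2, tlv(0x04, b"\0" * 16)))
    ticket = tlv(0x61, tlv(0x30, ctx(0, kint(5)) + ctx(1, tlv(0x1B, b"EXAMPLE.COM")) + ctx(2, sname) + ctx(3, enc_part)))
    auth = tlv(0x30, ctx(0, kint(etype)) + ctx(2, tlv(0x04, b"\0" * 8)))
    ap_req = tlv(0x6E, tlv(0x30, ctx(0, kint(5)) + ctx(1, kint(14)) + ctx(2, tlv(0x03, b"\0" * 5)) + ctx(3, ticket) + ctx(4, auth)))
    mech_token = tlv(0x60, krb_oid + b"\x01\x00" + ap_req)       # GSS InitialContextToken, TOK_ID 01 00 = AP-REQ
    neg_init = ctx(0, tlv(0x30, ctx(0, tlv(0x30, krb_oid)) + ctx(2, tlv(0x04, mech_token))))
    return "Negotiate " + base64.b64encode(tlv(0x60, spnego_oid + neg_init)).decode()
```

Run `negotiate_etype()` on the header value captured from a browser request at the backend (or in the Web Dispatcher trace) to see whether it carries etype 18 (AES-256) or 23 (RC4) on each path.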