Johannes Goerlich

CommonCryptoLib: SNC protocol versions and cipher suites

Many years ago SAP deprecated the SAPCRYPTOLIB and introduced the CommonCryptoLib (CCL) as its successor. The CCL is not only a replacement for its predecessor, but also for GSSKRB5.DLL, GI64KRB5.DLL and GX64KRB5.DLL, which can still be used as Microsoft Kerberos Security Service Provider (SAP Note 352295), and for gssntlm.dll, gi64ntlm.dll and gx64ntlm.dll, which are hopefully no longer used as Microsoft NTLM Security Service Provider, as NTLM must be considered broken (Pass the Hash, PtH).

In the meantime the CCL is available in its latest version 8.5.x and is used by SAP NetWeaver AS ABAP, ABAP Platform, SAP Java Connector, SAP .NET Connector, as well as by SAP NetWeaver AS Java (when acting as server), amongst others, for encrypting communication using SNC.

Please also read the other blogposts of this series:

CommonCryptoLib: TLS protocol versions and cipher suites
CommonCryptoLib: SNC protocol versions and cipher suites
CommonCryptoLib: Manage PSE files and SSO Credentials (cred_v2)
CommonCryptoLib: Certificate Revocation List validation

Updates:

CCL Integration

Whenever SNC is required, the SAP kernel addresses a cryptographic library through the BC-SNC interface, which is based on the GSS-API v2 interface. As already stated, typically the CommonCryptoLib is used as cryptographic library, but there may also be other implementations out there, for example using the wrapper libraries for Kerberos from SAP, namely gsskrb5.dll, gi64krb5.dll and gx64krb5.dll.

For SAP ABAP and Java the library to be used is configured by the profile parameter snc/gssapi_lib.
For SAP JCo this is configured in the SAP SNC property or destination file in the parameter jco.client.snc_lib, or in the environment variable SNC_LIB or SNC_LIB_64 (SAP Note 2642538 provides a good how-to).
For SAP NCo this is configured in the destination in the parameter SNC_LIB, or in the environment variable SNC_LIB or SNC_LIB_64.
Others may integrate the CCL by other means, for example by reading the path to the library from the environment variables SAPCRYPTOLIB, SNC_LIB, SNC_LIB_32, SNC_LIB_64, SNC_LIB_2 or SNC_LIB_64_2.

While using the CCL in its default configuration provides maximum compatibility, it offers weak security and should therefore no longer be used nowadays.

During the SNC handshake the server and the client negotiate the SNC protocol version and the cipher suites. Each side typically supports more than one cipher suite to offer higher compatibility. Each party asks for acknowledgement of the SNC version and the cipher suites in a given order until they come to an agreement. If no matching SNC version or cipher suite can be negotiated, the handshake fails.

Protocol versions

The SNC protocol has evolved over the years, and today there are three versions:

1993, 2010_1_0, and 2010_1_1.

Cipher suites

Similar to what we know from TLS, SNC also makes use of cipher suites, which define a set of algorithms that usually contain a key exchange algorithm, a signature algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

Not every cipher suite can be used in combination with every SNC protocol version. Run the command sapgenpse sncinfo -v ALL to display a mapping.

How to securely configure the protocols and cipher suites supported by the CCL?

Where to set the CCL parameters?

To ensure that all application servers/nodes use the same configuration, the CCL parameters should be added to the DEFAULT.PFL, and the environment variable CCL_PROFILE should point to the same file.

Please note: You may have recognized that I used the term "CCL parameter". This is because, even though these parameters look like SAP kernel parameters, they are not known to the SAP kernel. Maintaining those parameters using RZ11 is not possible, but with the environment variable mentioned above they can be maintained in RZ10 in the DEFAULT.PFL, and as soon as the changes are activated, meaning written to the file system, the CCL takes advantage of the new settings.

Protocol Configuration

The following CCL parameters allow configuring the supported SNC protocol versions:

The protocols 1993 and 2010_1_0 can be considered weak (mostly because they do not support strong cipher suites) and should no longer be used. Today only the version 2010_1_1 should be offered, which can be achieved with the CCL parameters

When acting as server: ccl/snc/server_protocol = 2010_1_1
When acting as client: ccl/snc/client_protocol = 2010_1_1

Cipher Suite Configuration

The CommonCryptoLib assigns groups of SNC cipher suites to classes. The available classes can be displayed with sapgenpse by issuing the command
sapgenpse sncinfo -h

These classes are defined by SAP. At the time of writing, the following classes exist:
HIGH: high security cipher suites (without PFS)
MEDIUM: medium security cipher suites

Since these classes are defined by SAP, they do not represent a common understanding. SAP adjusts these classes from time to time and announces the changes via SAP Note 2004653 (it is worth subscribing to this note to track the changes). These classes are referenced in almost all recommendations. However, they do not give full control over the supported cipher suites, as is required in high security areas.

Knowing this, the offered cipher suites should be configured directly. Only cipher suites providing Perfect Forward Secrecy (PFS) should be offered, which can be achieved with the CCL parameters

When acting as server: ccl/snc/server_cipher_suites = SNC_ECDHE_P256_AES256_SHA256:SNC_ECDHE_P384_AES256_SHA512:SNC_ECDHE_P521_AES256_SHA512
When acting as client: ccl/snc/client_cipher_suites = SNC_ECDHE_P256_AES256_SHA256:SNC_ECDHE_P384_AES256_SHA512:SNC_ECDHE_P521_AES256_SHA512

Signature Algorithm Configuration

When using X.509 certificates for authentication in an SNC handshake, the server signs the handshake. When using an ECDHE cipher suite (PFS), the client also uses a signature algorithm for the authentication.

Here we do not want to allow algorithms like SHA1_DSA, SHA224_DSA, PKCS_BT_01_SHA1_RSA or PKCS_BT_01_RIPEMD160_RSA to be used. This consideration results in the CCL parameters

When acting as server: ccl/snc/server_accepted_signature_algorithms = SHA256_DSA:PKCS_BT_01_SHA256_RSA:PKCS_BT_01_SHA512_RSA:SHA256_ECDSA:SHA384_ECDSA:SHA512_ECDSA
When acting as client: ccl/snc/client_accepted_signature_algorithms = SHA256_DSA:PKCS_BT_01_SHA256_RSA:PKCS_BT_01_SHA512_RSA:SHA256_ECDSA:SHA384_ECDSA:SHA512_ECDSA

Server Session Key Mode

For authentication in SNC between an end user system (SAP Secure Login Client, SLC) and an AS ABAP, the server session key mode is available.
When server session key mode is activated, the client generates and signs a temporary key which is used for authentication in multiple sessions.
This can be enabled via the CCL parameter ccl/snc/server_session_key_mode.

Server Session Key Types

For the temporary key in server session key mode, the key types accepted by the server can be specified.
The key type RSA_1024 must be considered weak and should no longer be offered, which can be achieved with the CCL parameter

ccl/snc/server_session_key_types = ECDSA_P256:ECDSA_P384:ECDSA_P521

Server Session Authentication Mode

For authentication in SNC between an end user system and an AS ABAP, the encryption-only mode is available and can be configured in the profile parameter ccl/snc/server_partner_auth_mode.

Set the value 2 to enforce SSO, or 1 if the emergency mode of SAP Secure Login Client (SLC) shall be supported, which allows password-based logon over an encrypted communication channel.
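As an added example (not from the blog post or from SAP), a POSIX shell audit of a DEFAULT.PFL fragment for the server-side settings discussed in the sections above: the protocol version, PFS-only cipher suites, the excluded signature algorithms and the RSA_1024 session key type. The profile texts are constructed samples, and the client-side parameters follow the same pattern.

```shell
# Added example (not from the blog post or from SAP): audit a DEFAULT.PFL fragment for
# the weak server-side CCL SNC settings discussed above. Profile texts are constructed.
# Constructed sample still carrying weak settings (protocols, classes, SHA1, RSA_1024).
WEAK_PFL='SAPSYSTEMNAME = S4H
ccl/snc/server_protocol = 1993:2010_1_0:2010_1_1
ccl/snc/server_cipher_suites = HIGH:MEDIUM
ccl/snc/server_accepted_signature_algorithms = SHA1_DSA:PKCS_BT_01_SHA1_RSA:SHA256_ECDSA
ccl/snc/server_session_key_types = RSA_1024:ECDSA_P256'

# Constructed sample with the hardened values the post recommends.
HARDENED_PFL='SAPSYSTEMNAME = S4H
ccl/snc/server_protocol = 2010_1_1
ccl/snc/server_cipher_suites = SNC_ECDHE_P256_AES256_SHA256:SNC_ECDHE_P384_AES256_SHA512
ccl/snc/server_accepted_signature_algorithms = SHA256_ECDSA:SHA384_ECDSA:SHA512_ECDSA
ccl/snc/server_session_key_types = ECDSA_P256:ECDSA_P384:ECDSA_P521'

# pfl_value PROFILE PARAM: value of PARAM with whitespace removed and upper-cased,
# so the mixed-case spellings seen in the post compare equal.
pfl_value() {
    printf '%s\n' "$1" | sed -n "s#^$2[[:space:]]*=[[:space:]]*##p" | tr -d '[:space:]' | tr 'a-z' 'A-Z'
}

# weak_entries LIST GREP_ARGS...: colon-separated entries of LIST selected by grep -E GREP_ARGS
weak_entries() {
    list=$1; shift
    printf '%s\n' "$list" | tr ':' '\n' | grep -E "$@" | tr '\n' ':' | sed 's/:$//'
}

# audit_snc PROFILE: prints one line per finding (nothing when the profile is hardened)
audit_snc() {
    p=$(pfl_value "$1" 'ccl/snc/server_protocol')
    [ "$p" = "2010_1_1" ] || echo "server_protocol: expected 2010_1_1, found '$p'"

    cs=$(pfl_value "$1" 'ccl/snc/server_cipher_suites')
    w=$(weak_entries "$cs" -v '^SNC_ECDHE_')          # anything that is not an ECDHE (PFS) suite
    [ -z "$w" ] || echo "server_cipher_suites: non-PFS suites or class names: $w"

    sa=$(pfl_value "$1" 'ccl/snc/server_accepted_signature_algorithms')
    w=$(weak_entries "$sa" 'SHA1_|SHA224_|RIPEMD160')  # the algorithms the post excludes
    [ -z "$w" ] || echo "server_accepted_signature_algorithms: weak algorithms: $w"

    kt=$(pfl_value "$1" 'ccl/snc/server_session_key_types')
    w=$(weak_entries "$kt" 'RSA_1024')
    [ -z "$w" ] || echo "server_session_key_types: weak key type: $w"
}

# Run against the constructed weak profile; for a real system pass "$(cat "$CCL_PROFILE")".
audit_snc "$WEAK_PFL"
```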



      2 Comments

      Claire Beaubaton

      Thank you very much, Johannes, for these amazing articles about CommonCryptoLib.

      I have a general question about CommonCryptoLib.

      Recently there is a security issue and we need to check if we have >=8.5.39 on our Unix servers. (More info: 3051787)

      CommonCryptoLib is used in SAP Host Agent, SAP HANA Server & Client, SAP XSA, SAP Webdispatcher, SAP ABAP, SAP JAVA, Content Server, SSO and I would like to know if you have a quick method to identify quickly the version of CommonCryptoLib on my server for all the possible paths?

      I tried:

      sapgenpse cryptinfo | grep '^VERSION'

      sapgenpse cryptinfo | grep '^Binary'
      find / -name 'libsapcrypto.so' | xargs strings | grep '^commonCryptolib 8'
      strings /hana/shared/HDB/global/hdb/saphostagent_setup/libsapcrypto.so | grep '^commonCryptolib 8' | sort -r | tail -1
      Any ideas to retrieve quickly the path and the version of SAP CommonCryptoLib?
      Thanks
      Johannes Goerlich
      Blog Post Author

      Hello Claire,

      thanks for your comment!

      Sadly, IMHO, there is no quick solution to determine all CCL versions in the landscape (including interface partner systems).

      Please keep in mind that sapgenpse will use the crypto lib defined in the environment variable SNC_LIB of the current user, or the one stored in the same directory as sapgenpse itself if the env variable is not set. sapgenpse displays the lib used by the current user, so you have to run it at least as <sid>adm and sapadm.

      The CCL version for ABAP you can also find in the CCDB config store CRYPTOLIB of SolMan or FRUN.

      For SAP HANA database and XSA, the CCL cannot be patched separately. Therefore, checking the revision or patch level should be sufficient.

      Btw., for security reasons there is no possibility to log or trace, for incoming connections, which CCL version is used by an interface partner system.

      br
