This section exemplarily describes SSL configuration for the SAP Host Agent on UNIX.
You are logged on as a user with root authorization.
In the following procedure we assume that you are using the default naming for the server PSE. If you want to override the default .pse name, you can use the following value in the profile file of SAP Host Agent ( host_profile):
ssl/server_pse= <Path to Server PSE>
The server PSE contains the server certificate that is presented to the client when establishing the SSL connection, and the names and public keys of the trusted certificates. Trusted certificates can be either certificates issued by a Certification Authority (CA) or individually trusted certificates.
Proceed as follows:
Alternatively, you can also use another directory, but then you have to specify the location of the PSE file using the parameter ssl/server_pse as described above. In the following steps we always refer to the sec directory for the sake of simplicity.
On Linux and Solaris, the required commands are as follows:
On HP-UX, the required commands are as follows:
On AIX , the required commands are as follows:
Set up SECUDIR as an absolute path in order to avoid trouble with the sapgenpse tool.
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLS.pse -x <password> -r /tmp/myhost-csr.p10 "CN=myhost.wdf.sap.corp, O=SAP AG, C=DE"
This command creates a PSE file named SAPSSLS.pse (name is fixed), which can be used to authenticate myhost.wdf.sap.corp for incoming SSL connections. The access to the PSE file is protected with a password. Use the -r option to direct the certificate signing request to a file, or omit it if you intend to copy and paste the CSR into a web formular.
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse seclogin -p SAPSSLS.pse -x <password> -O sapadm
Send the certificate signing request to an appropriate CA.
Assuming that the CA replies to the request file with a CA-response-file which contains the signed certificate in the PKCS#7 format, you can use this file as an input for importing the signed certificate into the server PSE.
If the used format is PKCS#7, the text file could be named myhost.p7b. We use this file name in the following examples.
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLS.pse -x <password> -c /tmp/myhost.p7b
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLS.pse -x <password> -v
The client PSE contains the client certificate that is sent to SAP Host Agent when the SSL connection is established, and the names and public keys of the trusted certificates from CA.
The configuration steps are client-specific, that is why we only describe them in a generic way. Follow the instructions in the specific client documentation.
Examples for possible clients are the SAP Management Console (SAP MC), the SAP Solution Manager Diagnostics Agent, or the SAP Landscape Virtualization Management (LVM) software (formerly known as Adaptive Computing Controller (ACC)).
If you successfully applied the procedure described above, SAP Host Agent also serves port 1129 for SSL communication.