This section describes, by way of example, the SSL configuration for the SAP Host Agent on IBM i.
You must be logged on as a user profile with special authorities *SECADM and *ALLOBJ, for example as user profile QSECOFR.
In the following procedure we assume that you are using the default naming for the server PSE. If you want to override the default .pse name, you can set the following value in the profile file of SAP Host Agent (host_profile):
ssl/server_pse = <Path to Server PSE>
The server PSE contains the server certificate, which is presented to the client when establishing the SSL connection, and the names and public keys of the trusted certificates. Trusted certificates can be either certificates issued by a Certification Authority (CA) or individually trusted certificates.
Alternatively, you can also use another directory, but then you must specify the location of the PSE file using the parameter ssl/server_pse as described above. In the following steps we always refer to the sec directory for the sake of simplicity.
The required commands are as follows:
QSYS/CHGOWN OBJ('/usr/sap/hostctrl/exe/sec') NEWOWN(SAPADM)
QSYS/CHGPGP OBJ('/usr/sap/hostctrl/exe/sec') NEWPGP(R3GROUP) DTAAUT(*RWX)
Set SECUDIR to the absolute path of the sec directory in order to avoid trouble with the sapgenpse tool.
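Before running sapgenpse, a pre-flight check such as the following script (an added example, not part of the SAP documentation or of SAP Host Agent itself) confirms what the remaining steps rely on: that SECUDIR is an absolute path, that the sec directory exists and has the intended owner, and which PSE file the agent will actually load, either the ssl/server_pse override from host_profile or the default SAPSSLS.pse in SECUDIR. The directory /usr/sap/hostctrl/exe/sec and the profile line syntax come from the text above; the profile location /usr/sap/hostctrl/exe/host_profile and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not SAP's code. Pre-flight check for the server PSE setup,
# intended for the PASE shell on IBM i before sapgenpse is called.
# Assumed locations (override via arguments when run with --run):
#   sec directory : /usr/sap/hostctrl/exe/sec
#   profile file  : /usr/sap/hostctrl/exe/host_profile

# Resolve which PSE file SAP Host Agent will use: the value of ssl/server_pse
# in host_profile if it is set, otherwise SAPSSLS.pse in the sec directory.
effective_pse_path() {
    profile="$1"
    secdir="$2"
    override=""
    if [ -f "$profile" ]; then
        # profile syntax: "ssl/server_pse = /path" (spaces around '=' optional);
        # the last occurrence wins, trailing whitespace is dropped
        override=$(sed -n 's/^[[:space:]]*ssl\/server_pse[[:space:]]*=[[:space:]]*//p' "$profile" \
                   | sed 's/[[:space:]]*$//' | tail -n 1)
    fi
    if [ -n "$override" ]; then
        printf '%s\n' "$override"
    else
        printf '%s/SAPSSLS.pse\n' "$secdir"
    fi
}

# sapgenpse derives file locations from SECUDIR; a relative value stops working
# as soon as the working directory changes, so insist on an absolute path.
is_absolute() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Verify the sec directory: absolute path, exists, and (optionally) owned by the
# expected user as "ls -ld" displays it. The PSE holds the server's private key,
# so the owner should be the user the agent runs as (sapadm in the text above).
check_secdir() {
    secdir="$1"
    owner="${2:-}"   # expected owner; empty skips the ownership check
    is_absolute "$secdir" || { echo "SECUDIR must be an absolute path: $secdir" >&2; return 1; }
    [ -d "$secdir" ]      || { echo "directory does not exist: $secdir" >&2; return 1; }
    if [ -n "$owner" ]; then
        actual=$(ls -ld "$secdir" | awk '{print $3}')
        [ "$actual" = "$owner" ] || { echo "expected owner $owner, found $actual" >&2; return 1; }
    fi
    return 0
}

# Usage on the IBM i:  sh pse_check.sh --run [secdir] [profile] [owner]
if [ "${1:-}" = "--run" ]; then
    SECUDIR="${2:-/usr/sap/hostctrl/exe/sec}"
    PROFILE="${3:-/usr/sap/hostctrl/exe/host_profile}"   # assumed profile location
    check_secdir "$SECUDIR" "${4:-}" && export SECUDIR
    echo "server PSE that SAP Host Agent will load: $(effective_pse_path "$PROFILE" "$SECUDIR")"
fi
```

Exporting SECUDIR from the check keeps the later sapgenpse calls on the same absolute directory; if ssl/server_pse points elsewhere, the printed path shows which file the import_own_cert step must target.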
./sapgenpse gen_pse -p SAPSSLS.pse -x <PASSWORD> -r <PKCS#10 requestfile> <DISTINGUISHED NAME>
This command creates the PSE file /usr/sap/hostctrl/exe/sec/SAPSSLS.pse (the name is fixed unless overridden with ssl/server_pse), which can be used to authenticate the host described by <DISTINGUISHED NAME> for incoming SSL connections. Access to the PSE file is protected with the password <PASSWORD>.
The CSR is written into the stream file <PKCS#10 requestfile>. You can ignore the warning "sapgenpse WARNING: Environment variable "USER" not defined!".
./sapgenpse gen_pse -p SAPSSLS.pse -x pass -r /tmp/myhost-csr.p10 "CN=myhost.wdf.sap.corp, O=SAP AG, C=DE"
This command creates the PSE file /usr/sap/hostctrl/exe/sec/SAPSSLS.pse, which can be used to authenticate myhost.wdf.sap.corp for incoming SSL connections. Access to the PSE file is protected with the password pass. The CSR is written into the stream file /tmp/myhost-csr.p10.
./sapgenpse seclogin -p SAPSSLS.pse -x <PASSWORD> -O sapadm
This command creates the credentials file (cred_v2) in SECUDIR so that the SAP Host Agent user sapadm can open the PSE without being prompted for the password.
./sapgenpse seclogin -p SAPSSLS.pse -x pass -O sapadm
Transfer the stream file containing the CSR (certificate signing request) to a PC and send it to the Certification Authority (CA) you are using.
Assuming that the CA replies to the request file with a CA response file that contains the signed certificate in PKCS#7 format, you can use this file as input for importing the signed certificate into the server PSE. Transfer this text file to a stream file on your IBM i.
The text file could be named myhost.p7b and transferred to the stream file /tmp/myhost.p7b. We use this file name in the following examples.
./sapgenpse import_own_cert -p SAPSSLS.pse -x <PASSWORD> -c <CA-response-file>
./sapgenpse import_own_cert -p SAPSSLS.pse -x pass -c /tmp/myhost.p7b
./sapgenpse get_my_name -p SAPSSLS.pse -x <PASSWORD> -v
This command displays the server's own certificate in the PSE, so you can verify that the signed certificate was imported correctly.
./sapgenpse get_my_name -p SAPSSLS.pse -x pass -v
The client PSE contains the client certificate, which is sent to SAP Host Agent when the SSL connection is established, and the names and public keys of the trusted certificates from CA.
The configuration steps are client-specific, which is why we describe them only in a generic way. Follow the instructions in the documentation of the specific client.
Examples for possible clients are the SAP Management Console (SAP MC), the Diagnostics Agent in SAP Solution Manager, or the SAP Landscape Virtualization Management (LVM) software (formerly known as Adaptive Computing Controller (ACC)).
If you have successfully applied the procedure described above, SAP Host Agent additionally serves port 1129 for SSL communication.