Configuring SSL for SAP Host Agent on UNIX

 

In the following procedure we assume that you are using the default naming for the server PSE. If you want to override the default .pse name, set the following parameter in the profile file of SAP Host Agent (host_profile):

ssl/server_pse= <Path to Server PSE>

You can find the host_profile file in $DIR_EXECUTABLE, where $DIR_EXECUTABLE is the path to the directory that contains the SAP Host Agent executables saphostcontrol and saphostexec: /usr/sap/hostctrl/exe

Prerequisites

You are logged on as a user with root authorization.

Procedure

  1. Prepare the Personal Security Environment (PSE) for the server:

    The server PSE contains the server certificate that is presented to the client when establishing the SSL connection, and the names and public keys of the trusted certificates. Trusted certificates can be either certificates issued by a Certification Authority (CA) or individually trusted certificates.

    Proceed as follows:

    1. Create a directory /usr/sap/hostctrl/exe/sec using the mkdir command.

      Note

      Alternatively, you can also use another directory, but then you have to specify the location of the PSE file using the parameter ssl/server_pse as described above. In the following steps we always refer to the sec directory for the sake of simplicity.
    2. Assign the ownership for the sec directory to sapadm:sapsys.

    3. Set up the shared library search path (LD_LIBRARY_PATH, LIBPATH or SHLIB_PATH) and SECUDIR environment variables, and change to the exe directory of SAP Host Agent.

      Example

      • On Linux and Solaris, the required commands are as follows:

        export LD_LIBRARY_PATH=/usr/sap/hostctrl/exe/

        export SECUDIR=/usr/sap/hostctrl/exe/sec

        cd /usr/sap/hostctrl/exe

      • On HP-UX, the required commands are as follows:

        export SHLIB_PATH=/usr/sap/hostctrl/exe/

        export SECUDIR=/usr/sap/hostctrl/exe/sec

        cd /usr/sap/hostctrl/exe

      • On AIX, the required commands are as follows:

        export LIBPATH=/usr/sap/hostctrl/exe

        export SECUDIR=/usr/sap/hostctrl/exe/sec

        cd /usr/sap/hostctrl/exe

      Recommendation

      Set up SECUDIR as an absolute path in order to avoid trouble with the sapgenpse tool.
    4. Create the server PSE, the server certificate therein, and the Certificate Signing Request (CSR).

      Run the command as user sapadm so that the created files are owned by this user.

      Example

      sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec sapgenpse gen_pse -p SAPSSLS.pse -x password -r /tmp/myhost-csr.p10 "CN=myhost.wdf.sap.corp, O=SAP AG, C=DE"

      This command creates a PSE file named SAPSSLS.pse (name is fixed), which can be used to authenticate myhost.wdf.sap.corp for incoming SSL connections. Access to the PSE file is protected with a password. Use the -r option to write the certificate signing request to a file, or omit it if you intend to copy and paste the CSR into a web form.
    5. Grant SAP Host Agent access to the server PSE.

      Example

      sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec sapgenpse seclogin -p SAPSSLS.pse -x password -O sapadm
    6. Get the certificate as follows:

      1. Send the certificate signing request to an appropriate CA.

      2. Copy the signed certificate — including the "---- BEGIN CERTIFICATE ----" and "---- END CERTIFICATE ----" lines — and paste it into a text file.

        Example

        If the used format is PKCS#7, the text file could be named myhost.p7b. We use this file name in the following examples.
    7. Import the signed certificate into the server PSE.

      Example

      sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec sapgenpse import_own_cert -p SAPSSLS.pse -x password -c /tmp/myhost.p7b
    8. Verify the server certificate chain.

      Example

      sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec sapgenpse get_my_name -p SAPSSLS.pse -x password -v

      The -x option takes the same PSE password that was set when the PSE was created in step 4.
  2. Restart SAP Host Agent.

  3. Prepare the client PSE.

    The client PSE contains the client certificate that is sent to SAP Host Agent when the SSL connection is established, and the names and public keys of the trusted certificates issued by the CA.

    The configuration steps are client-specific, so we only describe them in a generic way here. Follow the instructions in the documentation of the specific client.

    Examples of possible clients are the SAP Management Console (SAP MC), the Diagnostics Agent in SAP Solution Manager, or the SAP NetWeaver Landscape Virtualization Management (LVM) software (formerly known as Adaptive Computing Controller (ACC)).
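The server-side steps above (steps 1 and 2) as one POSIX shell script. This is an added example and not SAP's own script or documentation: the variable HOSTCTRL_EXE, the helper run_as_sapadm and all function names are this example's own assumptions; the sapgenpse subcommands and options (gen_pse, seclogin, import_own_cert, get_my_name, -p, -x, -r, -c, -O, -v) and the paths are those used in the procedure above. The script also reads an ssl/server_pse override from host_profile and derives SECUDIR from it, and it picks the shared-library variable name per platform as the example in step 3 lists them.

```shell
#!/bin/sh
# Added example, not SAP's own script: wraps the server-PSE steps of the
# procedure above in functions. HOSTCTRL_EXE, run_as_sapadm and the function
# names are this example's assumptions; the sapgenpse calls are the ones from
# the procedure. Run the two main functions as root; created files are owned
# by sapadm because every sapgenpse call goes through sudo -u sapadm.

HOSTCTRL_EXE="${HOSTCTRL_EXE:-/usr/sap/hostctrl/exe}"

# libpath_var [OS]: name of the shared-library search path variable for the
# platform, as listed in step 3 (defaults to the running OS from uname -s).
libpath_var() {
    case "${1:-$(uname -s)}" in
        HP-UX) echo SHLIB_PATH ;;
        AIX)   echo LIBPATH ;;
        *)     echo LD_LIBRARY_PATH ;;   # Linux, SunOS (Solaris)
    esac
}

# resolve_server_pse PROFILE: effective server PSE path. An uncommented
# "ssl/server_pse = <path>" line in host_profile overrides the default
# $HOSTCTRL_EXE/sec/SAPSSLS.pse; the last such line wins.
resolve_server_pse() {
    pse=""
    if [ -r "$1" ]; then
        pse=$(sed -n 's#^[[:space:]]*ssl/server_pse[[:space:]]*=[[:space:]]*##p' "$1" \
              | sed 's#[[:space:]]*$##' | tail -n 1)
    fi
    [ -n "$pse" ] || pse="$HOSTCTRL_EXE/sec/SAPSSLS.pse"
    printf '%s\n' "$pse"
}

# check_secudir DIR: succeeds only for an absolute, existing directory, per the
# recommendation to give sapgenpse an absolute SECUDIR.
check_secudir() {
    case "$1" in
        /*) [ -d "$1" ] ;;
        *)  return 1 ;;
    esac
}

# run_as_sapadm SECUDIR CMD...: the sudo prefix used in every example above,
# with the library path variable chosen for the current platform.
run_as_sapadm() {
    secudir="$1"; shift
    sudo -u sapadm "$(libpath_var)=$HOSTCTRL_EXE" SECUDIR="$secudir" "$@"
}

# prepare_server_pse PIN SUBJECT CSR_FILE: steps 1.1 to 1.5 (sec directory,
# ownership, PSE plus CSR, seclogin for sapadm). Send CSR_FILE to the CA next.
prepare_server_pse() {
    pin="$1"; subject="$2"; csr="$3"
    pse=$(resolve_server_pse "$HOSTCTRL_EXE/host_profile")
    secudir=$(dirname "$pse")
    mkdir -p "$secudir" && chown sapadm:sapsys "$secudir"
    check_secudir "$secudir" || { echo "SECUDIR must be absolute: $secudir" >&2; return 1; }
    cd "$HOSTCTRL_EXE" || return 1
    run_as_sapadm "$secudir" ./sapgenpse gen_pse -p "$(basename "$pse")" -x "$pin" -r "$csr" "$subject"
    run_as_sapadm "$secudir" ./sapgenpse seclogin -p "$(basename "$pse")" -x "$pin" -O sapadm
}

# install_server_cert PIN CERT_FILE: steps 1.7 and 1.8, import the CA-signed
# certificate (e.g. /tmp/myhost.p7b) and verify the chain. Restart SAP Host
# Agent afterwards (step 2) so that port 1129 is served.
install_server_cert() {
    pin="$1"; cert="$2"
    pse=$(resolve_server_pse "$HOSTCTRL_EXE/host_profile")
    secudir=$(dirname "$pse")
    cd "$HOSTCTRL_EXE" || return 1
    run_as_sapadm "$secudir" ./sapgenpse import_own_cert -p "$(basename "$pse")" -x "$pin" -c "$cert"
    run_as_sapadm "$secudir" ./sapgenpse get_my_name -p "$(basename "$pse")" -x "$pin" -v
}

# Usage (as root), after sourcing this file:
#   prepare_server_pse password "CN=myhost.wdf.sap.corp, O=SAP AG, C=DE" /tmp/myhost-csr.p10
#   ... send /tmp/myhost-csr.p10 to the CA, save the reply as /tmp/myhost.p7b ...
#   install_server_cert password /tmp/myhost.p7b
```

Sourcing the file instead of executing it keeps the functions in the root shell; nothing runs until one of the two main functions is called, so resolve_server_pse and check_secudir can be used on their own to audit an existing host_profile before touching anything.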

Result

Recommendation

If you successfully applied the procedure described above, SAP Host Agent also serves port 1129 for SSL communication.