Show TOC

Configuring SSL for SAP Host Agent on WindowsLocate this document in the navigation structure

This section exemplarily describes SSL configuration for the SAP Host Agent on Windows.


You must be logged on as a member of the local Administrators group.


In the following procedure we assume that you are using the default naming for the server PSE. If you want to override the default .pse name, you can use the following value in the profile file of SAP Host Agent ( host_profile):

ssl/server_pse= <Path to Server PSE>


  1. Prepare the environment for SAP Cryptographic Library:
    1. Open a command line prompt and change to the %PROGRAMFILES%\SAP\hostctrl\exe directory.
    2. Create a subdirectory named sec and set the SECUDIR environment variable to refer to the new directory using the following commands:

      %PROGRAMFILES%\SAP\hostctrl\exe> mkdir sec

      %PROGRAMFILES%\SAP\hostctrl\exe> set SECUDIR=%PROGRAMFILES%\SAP\hostctrl\exe\sec


      Alternatively, you can also use another directory, but then you have to specify the location of the PSE file using the parameter ssl/server_pse as described above.


      Set up SECUDIR as an absolute path in order to avoid trouble with the sapgenpse tool.

    3. Make sure that the files are readable and executable by user sapadm.
  2. Prepare the Personal Security Environment (PSE) for the server:

    The server PSE contains the server certificate, which is presented to the client when establishing the SSL connection, and the names and public keys of the trusted certificates. Trusted certificates can be either certificates issued by a Certification Authority (CA) or individually trusted certificates.

    1. Create the server PSE, the server certificate therein, and the Certificate Signing Request (CSR) .

      %PROGRAMFILES%\SAP\hostctrl\exe> sapgenpse gen_pse -p SAPSSLS.pse -x passwd1 -r myhost-csr.p10 ", O=SAP AG, C=DE"

      This command creates a PSE file named SAPSSLS.pse (name is fixed), which can be used to authenticate for incoming SSL connections. The access to the PSE file is protected with passwd1. Use the -r option to direct the certificate signing request to a file, or omit it if you intend to copy and paste the CSR into a Web form.

    2. Grant the SAP Host Agent access to the server PSE.

      %PROGRAMFILES%\SAP\hostctrl\exe> sapgenpse seclogin -p SAPSSLS.pse -x passwd1 -O sapadm

    3. Get the certificate as follows:
      1. If you do not use individually trusted certificates, send the certificate signing request to an appropriate CA.

      2. Copy the signed certificate from the output area - including the "---- BEGIN CERTIFICATE ----" and "---- END CERTIFICATE ----" lines - and paste it into a text file, for example myhost.p7b.

    4. Import the signed certificate into the server PSE.

      %PROGRAMFILES%\SAP\hostctrl\exe> sapgenpse import_own_cert -p SAPSSLS.pse -x passwd1 -c myhost.p7b (if the used format is PKCS#7).

    5. Verify the server certificate chain.

      %PROGRAMFILES%\SAP\hostctrl\exe> sapgenpse get_my_name -p SAPSSLS.pse -x passwd1 -v

  3. Restart SAP Host Agent.
  4. Prepare the Personal Security Environment (PSE) for the client:

    The client PSE contains the client certificate that is sent to SAP Host Agent when establishing the SSL connection, and the names and public keys of the trusted certificates. For the client, trusted certificates can only be certificates that are issued by a Certification Authority (CA).

    The configuration steps are client-specific, that is why we only describe them in a generic way. Follow the instructions in the specific client documentation.

    Examples for possible clients are the SAP Management Console (SAP MC), the Diagnostics Agent in SAP Solution Manager, or the SAP NetWeaver Landscape Virtualization Management (LVM) software (formerly known as Adaptive Computing Controller (ACC)).



If you successfully applied the procedure described above, SAP Host Agent also serves port 1129 for SSL communication.