Securing the transport layer between SAP IDM and LDAP
So you have SAP NetWeaver Identity Management running, or are in the process of setting up your landscape to make full use of IdM, and you want to secure the communication between your LDAP directory and IdM, whether to meet your company's own policy or regulations such as Sarbanes-Oxley. Within SAP IdM this takes only a few steps. What you will need is the following:
- Access to the SAP NetWeaver Identity Management server – you will use its console to import the certificate
- Access to one of the LDAP servers – you will use this to establish the communication link to SAP IdM
- An X.509 certificate for the LDAP server – you will use this to secure the tunnel
In this example I am using SunOne LDAP, but you can use any other LDAP server; follow its documentation for setting up the secure (LDAPS) port. It is also important to follow the latest SAP NetWeaver Identity Management Security Guide for the SAP side of this setup. Now let's get started on securing the transport layer between SAP IdM and the LDAP server.
- First, check that the certificate is set up correctly on the LDAP server. In this case I am using SunOne LDAP, so the result looks like this.
- Enable SSL for the server.
- Note the secure port on which the server now accepts incoming requests (636 is the conventional LDAPS port).
- After all the settings have been updated, the directory server needs a restart for them to take effect.
- Next, you need the X.509 certificate for this server. You should have it already from before the first step of this blog, but you can always retrieve it from the SSL port: point your browser at the LDAP SSL port, view the certificate and export it in "DER encoded binary X.509 (.CER)" format. If you retrieve it this way, compare its fingerprint with the one shown in the LDAP server's own certificate store before trusting it; a certificate pulled off the wire is only as trustworthy as the connection it came over. If the server certificate was issued by a CA, importing that CA's certificate instead is usually the better choice, since the trust then survives renewal of the server certificate.
- Copy this certificate file to the SAP IdM server.
- The certificate must be imported before IdM can connect to the secure LDAP port.
- Execute the following command from the directory that contains the keystore and follow the instructions on the screen (the values after -alias, -file and -storepass are yours to fill in):
  - keytool -import -alias <alias> -keystore cacerts -file <certificate file> -storepass <password>
  - keystore – the default location of the certificate store is "C:\program files\SAP\idm\sapjvm_5\jse\lib\security\cacerts", which already contains a number of root CA certificates.
  - keytool – is found in the SAP JVM executable directory; the default location is "C:\program files\SAP\idm\sapjvm_5\bin\keytool". If the file named with -keystore does not exist relative to the current working directory, keytool creates a new keystore there, so change to the keystore directory (or pass the full path) before running the command. This ensures the certificate lands in the existing keystore rather than in a new one that nothing uses.
  - storepass – may be omitted from the command line, in which case keytool prompts for it (preferable, since a password typed on the command line ends up in the shell history); a password is always required to modify the keystore. The out-of-the-box password is "changeit".
- You really should change the default keystore password. Run the following command and follow the prompts: keytool -storepasswd -keystore cacerts
- Once the certificate has been imported, all that remains is to configure the "From-pass" within SAP IdM to use the secure port. Open the job's pass and enable the following option:
- That completes the setup of securing the communication layer between SAP IdM and the LDAP server.
- If you encounter issues running the job in secure mode while it runs fine in non-secure mode, enable more detailed logging for the job so you can see what it is doing. For example:
  - An example of the log files for the job.
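The whole client-side procedure above, as an added example that is not from the original post: a PowerShell script for the IdM server that retrieves the certificate from the LDAPS port, checks it against a SHA-256 fingerprint obtained out-of-band, exports it as DER and imports it into the SAP JVM keystore with keytool, then lists the entry to confirm the import. The host name, alias, port and expected fingerprint are assumptions, and the keystore path is the one quoted above; adjust all of them to your landscape.

```powershell
# Added example, not code from the original post. Assumed values: LDAP host,
# alias, port and the expected fingerprint. Run in an elevated PowerShell on
# the IdM server; writing to cacerts under Program Files needs admin rights.
param(
    [string]$LdapHost = 'ldap.example.com',                    # assumed host name
    [int]$LdapPort    = 636,                                   # conventional LDAPS port
    [string]$JvmHome  = 'C:\Program Files\SAP\idm\sapjvm_5',   # SAP JVM as quoted above
    [string]$Alias    = 'ldap-example',                        # assumed keystore alias
    # SHA-256 fingerprint (AA:BB:...) read from the LDAP server's own certificate
    # store. Assumed value; leave empty only for a first look, never for a real import.
    [string]$ExpectedSha256 = ''
)

$ErrorActionPreference = 'Stop'
$keytool  = Join-Path $JvmHome 'bin\keytool.exe'
$cacerts  = Join-Path $JvmHome 'jse\lib\security\cacerts'      # path as given in the post
$certFile = Join-Path $env:TEMP "$Alias.cer"

# 1. Open a TLS session and read the certificate the server presents. The
#    validation callback always returns $true so that a self-signed or not yet
#    trusted certificate does not abort the handshake before we have seen it.
$tcp = New-Object System.Net.Sockets.TcpClient($LdapHost, $LdapPort)
$ssl = New-Object System.Net.Security.SslStream(
    $tcp.GetStream(), $false,
    ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback]))
$ssl.AuthenticateAsClient($LdapHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# 2. Pin: hash the DER bytes and compare with the fingerprint obtained out-of-band.
$der    = $cert.RawData                                        # DER-encoded certificate
$sha256 = ([System.Security.Cryptography.SHA256]::Create().ComputeHash($der) |
           ForEach-Object { $_.ToString('X2') }) -join ':'
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Expires : $($cert.NotAfter)"
Write-Host "SHA-256 : $sha256"
if ($ExpectedSha256 -and ($sha256 -ne $ExpectedSha256.ToUpper())) {
    throw "Fingerprint mismatch: refusing to import a certificate that was not verified out-of-band."
}

# 3. Save it as "DER encoded binary X.509 (.CER)", the same format the post
#    exports from the browser.
[System.IO.File]::WriteAllBytes($certFile, $der)

# 4. Import into the cacerts this SAP JVM actually uses. The full keystore path
#    means no stray keystore is created in the working directory. -storepass is
#    deliberately omitted so keytool prompts for it instead of leaving the
#    password in the shell history. -trustcacerts lets a CA-signed server
#    certificate chain to a root that is already in the store.
& $keytool -import -trustcacerts -alias $Alias -keystore $cacerts -file $certFile -noprompt
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# 5. Confirm the entry exists; the fingerprint keytool prints must match step 2.
& $keytool -list -v -alias $Alias -keystore $cacerts
```

Pass the fingerprint from the LDAP administrator (or from the same export run on the LDAP host itself) as -ExpectedSha256; the script then refuses any certificate that does not match, which is the check a browser export skips. After the import, the IdM job that uses the secure port should be tested with the JVM that owns this cacerts file; if several JVMs are installed, a job that fails only in secure mode is often simply running under a JVM whose keystore never received the certificate.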