The Full Monty – Part 5 – HTTPS & Sapcrypto
Previous blog, The Full Monty – Part 4 – Transport System
I have tried, on numerous occasions, to configure the NSP for HTTPS use using the sapcrypto security mechanism, but alas, to no avail. Only due to my “The Full Monty” blog series, am I determined to get it right, once and for all.
Yesterday, I gave it another bash, and found a few interesting issues, and most importantly, two excellent blogs from Gregor Wolf.
It will be the first of these two, that I am going to follow, for my efforts, and along the way, I will point out some findings. I suggest you read this, as you follow Mr Wolf’s blog.
First, the NSP installation has a directory “C:\usr\sap\NSP\DVEBMGS00\sec”. In here, there are three files, LASVerify.pse, ticket, and SAPSYS.pse.
Unpack and install SAP Cryptolib
Do not perform the last line, the “copy” command. Make note where the files are unpacked, and just copy the sapcrypto.dll, and the sapgenpse.exe to “C:\usr\sap\NSP\DVEBMGS00\sec”.
Replace “…Start -> Control Panel -> System -> Extended -> Environment Variables…” with “…Start -> Control Panel -> System -> Advanced system settings -> Environment Variables…”
Where he suggests to edit the NSP_DVEBMGS00_PC profile file, I would prefer to do this in RZ10. Reason being, as I said before, it leaves a good audit trail when you stuff it up, as I did yesterday. I could not start the NSP from the MMC, so I had to manually modify the file with notepad, see what entries I buggered up, and was able to remove them, enabling me to start the NSP once again.
I had to adjust some of the setting values to my target of the sapcrypto.dll to suit “C:\usr\sap\NSP\DVEBMGS00\sec\sapcrypto.dll”.
When I went to add the parameter “icm/server_port_1” it displayed, what looked like, parameter replacement information.
I looked in all my profiles, but could not find the entry. I know, if I simply replaced the values, I will lose my SMTP service. Look at the ICM services BEFORE you make the change – transaction SMICM->Goto->Services
So, I chose the next server port 2 – “icm/server_port_2”, and used that as my “https” entry.
see my profile setting values
So after I restarted the server, it fell into a yellow status, for a short while after going green, but, soon came back to green. I logged in as bcuser again, and looked at the ICM.
I can now see the HTTPS service, but it is yellow, due to it being inactive. This is not good. I must figure out why it has not become active, like the previous two services.
Ok, this is weird, but it worked. In SMICM->Goto->Trace File->Display All, and I found this.
It looks like it cannot see the sapcrypto.dll. But I have followed, or at least thought I had, Mr Wolf’s explicit directions. I checked, and double checked, and all seemed fine. Then I found this, SMICM->Goto->Parameters->Display
Notice the last entry here “ssl/ssl_lib” is blank. I have not seen this entry anywhere, in the procedures, so I do not think I missed it.
I added this in the Instance Profile, and set the value as “c:\usr\sap\NSP\DVEBMGS00\sec\sapcrypto.dll”. To my surprise, I received a “Parameter name is not known” message. Nonetheless, I saved, activated the profile, and restarted the NSP.
I checked in SMICM->Goto->Services
It all worked.
Now what is really strange is, I have performed these steps on another machine, and did not have to do this. So just be aware of this possibility.
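The two pitfalls above (reusing “icm/server_port_1” and losing SMTP, and a blank “ssl/ssl_lib” leaving HTTPS inactive) can be checked before a restart. This is an added example, not code from the original blog or from SAP; it assumes the effective parameters have been copied out as name = value lines, and the sample values are constructed.

```python
import re

# Constructed sample of effective parameters (name = value), not from a real system.
SAMPLE = r"""
icm/server_port_0 = PROT=HTTP,PORT=8000,TIMEOUT=30
icm/server_port_1 = PROT=SMTP,PORT=25,TIMEOUT=120
icm/server_port_2 = PROT=HTTPS,PORT=8443,TIMEOUT=30
ssl/ssl_lib =
"""

PORT_RE = re.compile(r"^icm/server_port_(\d+)$")

def parse_params(text):
    """Parse 'name = value' lines; blank lines and '#' comments are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def services(params):
    """Map each icm/server_port_<n> index to its options, e.g. {1: {'PROT': 'SMTP'}}."""
    found = {}
    for name, value in params.items():
        m = PORT_RE.match(name)
        if m and value:
            pairs = (kv.split("=", 1) for kv in value.split(",") if "=" in kv)
            found[int(m.group(1))] = {k.strip().upper(): v.strip() for k, v in pairs}
    return found

def next_free_index(params):
    """Lowest icm/server_port_<n> index not in use, so no existing service is replaced."""
    used = services(params)
    n = 0
    while n in used:
        n += 1
    return n

def https_findings(params):
    """Report why an HTTPS service would be missing or stay inactive."""
    https = sorted(i for i, s in services(params).items()
                   if s.get("PROT", "").upper() == "HTTPS")
    if not https:
        return ["no HTTPS service defined"]
    if not params.get("ssl/ssl_lib"):
        return ["HTTPS on icm/server_port_%d but ssl/ssl_lib is blank" % https[0]]
    return []

if __name__ == "__main__":
    p = parse_params(SAMPLE)
    print(services(p), next_free_index(p), https_findings(p))
```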
Needless to say, you need the HTTPS service running. On to the next tasks.
Clean NSP install presented STRUSTSSO2 as
I believe the System PSE->pc_NSP_00 contains a green node, due to the existing SAPSYS.pse installed by the NSP. Just my thoughts.
After making all parameter changes, then executing STRUSTSSO2, I saw a slightly different screen than Mr.Wolf. Mine looked like this.
I executed a right click on “SSL server Standard”.
My next screen looked slightly different too. I kept the defaults.
My entry ended up as this
So, after restarting the NSP once again, and running STRUSTSSO2, I notice the following message.
Just to be on the safe side, I logged out of client 001, and into 000, still using the BCUSER user.
Next, I thought I would jump past the remaining certificate steps, straight to Start SSL Server. All went well there. Under the Test section, I pulled up the command box in windows via Start->Run, then entered “cmd”, and up came the DOS box, in which I typed “netstat -an”, and from the near 100 results, I found the one stated, towards the top.
Then I performed the steps in Start BSP Application which need HTTPS. This is where I need to intervene, or else you will get the following message.
So, before you actually run the suggested BSP Application, you will need to make sure you have the services activated.
To activate the necessary services, run transaction SICF, and execute using the standard selection, as below.
First, navigate to “default_host->sap->bc->bsp”
Right click the “bsp” service, and choose “Activate Service”.
For confirmation make sure you choose the “Yes” with a little icon next to it.
If you find the “Activate service” option greyed out, it means that the Service is already Active. To be sure we activate the necessary Services, simply “Deactivate Service” then, “Activate Service” making sure you choose the second “Yes” option.
Second, do the same with the Public Services. This time under “default_host->sap->public->bsp”.
Third, the same with “default_host->sap->public->bc”
Now we should be ready to run the suggested BSP Application, so return to Start BSP Application which needs HTTPS. Don’t forget to double click the Object Name “HTMLB_samples” to display the Application on the right hand side of SE80. Then you can press the F8 key to start it.
If all’s well and good, you should get the Certificate Security message.
Choose the “Continue to this website (not recommended)”, and log on with your usual BCUSER and password.
Finally, you should see something like this
Notice the URL using the secure port 8443
Now I am happy with the setup, I will try to fix the Certificate Security message encountered, by visiting the steps I jumped over.
Well Mr Wolf, says that you must copy the certificate “… into the Text field …”, but via his link, there is a button “Test it Now!”, which you must press to get to the Text field, and perform his next tasks.
The “… download Area of the SAP Trust Centre…” is under the “Root Certificates” node. There you will see the two certificates he is talking about, to download. I downloaded mine to “C:\usr\sap\NSP\DVEBMGS00\sec”.
I found importing the certificates is a little user unfriendly, but in the end, it worked, and my “Certificate List” looked like this. Don’t forget to “Save” them.
(if you do this next bit now, you will have to remove the certificates later, so just hold off for now)
Then, to add them into Windows, I followed “…add these Certificates…”, but by double clicking, it took me to an Install wizard, of which I just accepted the various defaults, as it installed the certificates to where it chose.
(carry on from here, if you left out the bit above)
So I went back to SE80 and ran the “HTMLB_samples” BSP, and was thinking the certification error would be no longer, however, it was not the case. So after poking around, I did this.
I pressed the “Certificate Error” message, towards the right of the URL of IE8
then selected, “View certificates”
then selected “Install Certificate…”
The Certificate Wizard began, and “holds your hand” through the process. Where I got to choose the certificate store/location, I chose “Trusted Root Certification Authorities”
I continued through the wizard, accepting & confirming, until the end.
I returned to SE80 and ran the “HTMLB_samples” BSP Application, once again, and “hey presto!”, no Certificate Security message, just the logon prompt.
To be honest, I did originally leave the location to “Automatically select the certificate store based on the type of certificate” option. But the BSP app still prompted the Security message, so I deleted it, and decided to put it under the “Trusted Root Certification Authorities” location, because it sounded like the right place. Because this worked, I removed the SAP certificates from the defaulted store, and installed them under the same “Trusted Root Certification Authorities” store. You can play around where you wish to store Certificates under IE8 at, Tools->Internet Options->Content->Certificates. Just poke about like I did, and it should soon make sense.
Anyway, that’s it for here. All SSL/HTTPS & Sapcrypto’d. JDP !
Continue to my next blog…