
Applies to:

As of release SAP NetWeaver PI 7.10.

Summary

This document guides you through setting up Secure Socket Layer (SSL), that is, enabling secure data transfer (through HTTPS) between server and client, in PI systems as of release 7.10.

In earlier SAP PI versions, there were different methods to configure SSL: one in the ABAP stack and the other in the J2EE stack. As of PI 7.10, all configuration is done in the ICM component and NetWeaver Administrator.

Author(s):    Siva Kumar Arivinti

Company:    Deloitte Consulting India Pvt Ltd.

Created on:  31 March 2012

Author Bio

Siva Kumar Arivinti is currently working with Deloitte Consulting India Pvt Ltd., as Consultant in AMS service line.

SAP NetWeaver Consultant with around 5 years of experience in SAP Basis and DB2 DBA Administration.

Expertise in Production support, Installations and Software Life Cycle Management including EHP/Release Upgrades.

Benefits

It allows encrypted information to be exchanged through SAP PI via Secure Socket Layer (SSL). SSL uses an asymmetric method to exchange the secret key; this method uses a private key and a public key. The private key stays on the server side, and the public key is used by the client to encrypt or decrypt the messages.

HTTPS redirect configuration is also covered in this document.

Pre-requisites

1. Update the instance profile with the following parameters.

     Parameter Name             Value
     ssf/name                   SAPSECULIB
     ssl/ssl_lib                /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o
     sec/libsapsecu             /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o
     ssf/ssfapi_lib             /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o
     icm/HTTPS/verify_client    0 (zero)
     icm/server_port_<x>        PROT=HTTPS,PORT=84$$,TIMEOUT=900,PROCTIMEOUT=600

     Note: Each PORT value must be unique, that is, the HTTPS, SMTP and HTTP port numbers must not be the same.

2. Create the directory sec under /usr/sap/<SID>/<Instance> and, as user SIDADM, update the SAP environment file .sapenv_<hostname>.sh (or .sapenv_<hostname>.csh) with the following value.

SECUDIR=/usr/sap/<SID>/<Instance>/sec; export SECUDIR
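
The profile parameters listed above can be checked before ICM is restarted. The following is an added example, not part of the original document or of any SAP tool: a shell function (the name check_icm_profile and its messages are assumptions) that lints a profile for those parameters and for the unique-PORT note, run here on a constructed sample.

```sh
# check_icm_profile [FILE]: lint an instance profile (or stdin) for the HTTPS
# prerequisites listed above. Prints one FINDING line per problem and
# returns 1 if any were found. Function name and messages are illustrative.
check_icm_profile() {
    awk '
    function bad(msg) { print "FINDING: " msg; rc = 1 }
    /^[ \t]*#/ || !/=/ { next }          # skip comments and non-assignments
    {
        key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        seen[key] = val
    }
    key ~ /^icm\/server_port_[0-9]+$/ {
        prot = ""; port = ""
        n = split(val, part, ",")
        for (i = 1; i <= n; i++) {
            if (part[i] ~ /^PROT=/) prot = substr(part[i], 6)
            if (part[i] ~ /^PORT=/) port = substr(part[i], 6)
        }
        if (prot == "HTTPS") https = 1
        # The note above: no two server_port entries may share a PORT value.
        if (port != "" && (port in owner))
            bad("PORT " port " used by both " owner[port] " and " key)
        else if (port != "")
            owner[port] = key
    }
    END {
        if (seen["ssf/name"] != "SAPSECULIB") bad("ssf/name is not SAPSECULIB")
        split("ssl/ssl_lib sec/libsapsecu ssf/ssfapi_lib", lib, " ")
        for (i = 1; i <= 3; i++)
            if (seen[lib[i]] !~ /libsapcrypto/)
                bad(lib[i] " does not point to libsapcrypto")
        if (!("icm/HTTPS/verify_client" in seen)) bad("icm/HTTPS/verify_client is not set")
        if (!https) bad("no icm/server_port_<x> entry with PROT=HTTPS")
        exit rc + 0
    }' "${1:--}"
}

# Constructed sample profile: the HTTP and HTTPS entries reuse one port.
check_icm_profile <<'EOF' || true
ssf/name = SAPSECULIB
ssl/ssl_lib = /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o
sec/libsapsecu = /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o
ssf/ssfapi_lib = /usr/sap/<SID>/SYS/exe/run/libsapcrypto.o
icm/HTTPS/verify_client = 0
icm/server_port_0 = PROT=HTTP,PORT=84$$
icm/server_port_1 = PROT=HTTPS,PORT=84$$,TIMEOUT=900,PROCTIMEOUT=600
EOF
```
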

Installation


I. Create Private key and Certificates and generate CSR certificate

1. Open NetWeaver Administrator (http://<FQDN>:5<XX>00/nwa).

2. Go to Configuration Management –> Certificates and Keys.

3. Select ICM_SSL_<ID>. If SSL has not yet been configured, you will find the default private key and certificate there.

4. Rename or delete the old/obsolete certificates.

5. Create a new private key (ssl-credentials).

     Note: The certificate (ssl-credentials-cert) is generated automatically when ‘Store Certificate’ is selected while creating the key.

     Country Name and Common Name (CN) are mandatory fields.

     Click Next, then click Finish.

6. You should now see the Subject name and Issuer name as CN=<Fully qualified name>, L=<Locality Name>, O=<Organization Name>, ST=<State or Province>, C=<Country Name>.

7. Select ssl-credentials and click on ‘Generate CSR Response’.

8. Click Download, save the CSR in text format with a .csr extension, and send it to the Certificate Authority to obtain the Entrust certificates.


II. Import Entrust certificates.

1. Go to NWA –> Configuration Management –> Certificates and Keys and select ICM_SSL_<ID>.

     Click on ‘Import CSR response’.

     Note: The CA returns 3 certificates: Web Server, Entrust cross and Entrust root. Import them in the same order.

     Click the ‘Import’ button only after all 3 certificates have been added.

2. You should now see the certificate chain Certificate[0], Certificate[1] and Certificate[2], with the Issuer name ‘Entrust Certification Authority’.

3. Once steps 1 and 2 have completed successfully, run Export View to PSE.

     A success message should appear at the top left of the screen.

4. Restart the SSL Provider service.

5. Restart ICM from transaction SMICM.

     Administration –> ICM –> Exit Hard –> Global

6. Double-click the lock symbol at the bottom of the browser; you should now see Issued by: <Certificate Authority>.


III. Setup HTTPS auto redirect, if necessary.

1. Open NWA –> Configuration Management –> Infrastructure –> Java System Properties.

2. Select the HTTP Provider service and update the Proxy Mappings field.

     ProxyMappings 5<XX>00=(Host:<FQDN>,Port:84<XX>,Scheme:https,Override:true)

3. Click SAVE AS to save the settings.

     Now when you open http://<FQDN>:5<XX>10, it should redirect to https://<FQDN>:84<XX>.

Related Content

http://help.sap.com/saphelp_nwpi71/helpdata/EN/f7/c2953fc405330ee10000000a114084/frameset.htm

http://help.sap.com/saphelp_nwpi71/helpdata/EN/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60ff2883-70c5-2c10-f090-a744def2ba66?QuickLink=index&overridelayout=true


5 Comments


  1. Jinesh Jayan

    Dear Siva,

    Really good post. Keep up the good work.

    But when I try to create the ssl-credentials certificate, it is getting created as RSA with sha1 encryption. I need sha256 encryption. How do I do that?

    Regards,

    Jinesh

  2. PRABHAT MISHRA

    Shiva,

    After renaming the old certificate and creating a new key pair, when I tried to ‘export to pse’ it gave the error “Only one RSA private key is allowed”.

    We want to place the certificate in advance, but enable it at the due time.

    What are the correct steps to renew a certificate in PI without impacting running operations and get the certificate ready in advance?

  3. Omkar Nakhate

    Hi Shiva,

    This is an excellent blog. Thanks for the knowledge.

    I just have a confusion. So will this process work when PI is hosting the service, or will it work either way (PI consuming or publishing a service)?

    One more thing: suppose I do not want to send my certificate to a CA and instead directly generate and use it with a third party which I trust, will it work fine? In that case, what exactly should I share with them?

    Thanks..

    regards,

    Omkar.
