
Configuring listener service in PI

The configuration steps below set up the listener service in PI to allow seamless automatic updates to the external cloud system.

Installing SAP Crypto library files

Set the system environment variable

SECUDIR = <drive letter>:\usr\sap\<SID>\DVEBMGS00\sec

/wp-content/uploads/2012/09/1_141342.png

Download the appropriate SAP Crypto library from the SAP Service Marketplace using the URL below

https://websmp201.sap-ag.de/~form/handler?_APP=00200682500000000917&_EVENT=DISPLAY

Select the crypto file that matches the OS and UNCAR (unpack) it

Example: for a Windows x64 system, download the CAR file shown below

/wp-content/uploads/2012/09/2_141343.png

UNCAR the file and copy the sapcrypto.dll, sapcrypto.lst and sapgenpse.exe files to the DIR_RUN directory.

Copy the file “ticket” to the path set for the system environment variable SECUDIR

Changing PSE Provider

In PI, if HTTPS communication is being established for the SOAP adapter, the PSE provider should be changed from ABAP to JAVA

To change the PSE provider, modify the parameter and set the value as below

ssl/pse_provider = JAVA

After the SSL provider is changed to JAVA, the keys below are created automatically in the J2EE engine key storage after the restart

/wp-content/uploads/2012/09/3_141380.png

Required Profile parameters

Set the values for the parameters as shown below

Parameter Name = Parameter Value

icm/server_port_5 = PROT=HTTPS,PORT=50001,VCLIENT=0,TIMEOUT=1800,PROCTIMEOUT=600
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 2
ssf/name = SAPSECULIB
ssf/ssfapi_lib = <drive letter>:\usr\sap\<SID>\SYS\exe\uc\NTAMD64\sapcrypto.dll
sec/libsapsecu = <drive letter>:\usr\sap\<SID>\SYS\exe\uc\NTAMD64\sapcrypto.dll
ssl/ssl_lib = <drive letter>:\usr\sap\<SID>\SYS\exe\uc\NTAMD64\sapcrypto.dll

Restart the SAP system after all the above changes are made
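
One way to verify the profile before the restart, as an added example that is not part of the original post: the script below parses an instance profile and compares it with the ssl/pse_provider setting and the parameter values listed above. The sample profile is constructed (drive letter D and SID PID are placeholders), and the function and constant names are this example's own.

```python
EXPECTED = {"ssl/pse_provider": "JAVA", "ssf/name": "SAPSECULIB",
            "login/accept_sso2_ticket": "1", "login/create_sso2_ticket": "2"}
PORT_PARAM = "icm/server_port_5"
PORT_OPTIONS = {"PROT": "HTTPS", "PORT": "50001", "VCLIENT": "0",
                "TIMEOUT": "1800", "PROCTIMEOUT": "600"}
LIB_PARAMS = ("ssf/ssfapi_lib", "sec/libsapsecu", "ssl/ssl_lib")

def parse_profile(text):
    """Parse 'name = value' lines, skipping blank lines and '#' comments.
    Assumption of this example: a repeated name keeps the last value seen."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)  # split once: ICM values contain '='
            params[name.strip()] = value.strip()
    return params

def check_profile(text):
    """Return the deviations from the page's values; an empty list is a match."""
    params, findings = parse_profile(text), []
    for name, want in EXPECTED.items():
        if params.get(name) != want:
            findings.append(f"{name}: expected {want}, found {params.get(name)}")
    # The ICM port value is itself a comma-separated list of KEY=VALUE options.
    options = dict(o.strip().split("=", 1)
                   for o in params.get(PORT_PARAM, "").split(",") if "=" in o)
    for key, want in PORT_OPTIONS.items():
        if options.get(key) != want:
            findings.append(f"{PORT_PARAM}: {key} expected {want}, found {options.get(key)}")
    # The page sets all three library parameters to the same sapcrypto.dll path.
    libs = [params.get(name) for name in LIB_PARAMS]
    if not all(p and p.lower().endswith("sapcrypto.dll") for p in libs):
        findings.append("crypto library parameters must all point to sapcrypto.dll")
    elif len({p.lower() for p in libs}) != 1:
        findings.append("crypto library parameters point to different files")
    return findings

# Constructed sample profile; drive letter D and SID PID are placeholders.
SAMPLE = r"""
ssl/pse_provider = JAVA
icm/server_port_5 = PROT=HTTPS,PORT=50001,VCLIENT=0,TIMEOUT=1800,PROCTIMEOUT=600
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 2
ssf/name = SAPSECULIB
ssf/ssfapi_lib = D:\usr\sap\PID\SYS\exe\uc\NTAMD64\sapcrypto.dll
sec/libsapsecu = D:\usr\sap\PID\SYS\exe\uc\NTAMD64\sapcrypto.dll
ssl/ssl_lib = D:\usr\sap\PID\SYS\exe\uc\NTAMD64\sapcrypto.dll
"""
print(check_profile(SAMPLE) or "profile matches the page's values")
```
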

Creating the SAP Cryptolib PSE

Log in to the ABAP stack and call transaction STRUST. Create the PSE for SAP Cryptolib

/wp-content/uploads/2012/09/4_141381.png

/wp-content/uploads/2012/09/5_141382.png

/wp-content/uploads/2012/09/6_141383.png

Installing CA Signed certificate on the JAVA stack

Generating the CSR

Log in to the NWA and navigate to the path below. Click on Certificates and Keys

/wp-content/uploads/2012/09/7_141384.png

Click on the ICM_SSL_<ID> view and delete all the certificates under it

/wp-content/uploads/2012/09/8_141385.png

Create an entry under the ICM_SSL_<ID> key store

/wp-content/uploads/2012/09/9_141392.png

In the Entry name, enter the name of the SSL key and select the check box “Store certificate”

/wp-content/uploads/2012/09/10_141393.png

In the below screen, fill in all the details

Note: The State/Province name should not be a short name. Complete name of the State or Province should be specified. For example, for California State, enter the State/Province name as “California” and NOT as “CA”

The Common Name is the host name. All communications are based on the CN name. If the system is allowed for external access, the system should have a public IP address and the host name should be maintained at the external DNS. This is required for the hostname and IP resolution.

If the actual host name of the server and the external address are different, make sure that requests to the external address are routed to the actual host name of the server. From the SAP server, ping the public IP to check that the hostname and IP resolution works

/wp-content/uploads/2012/09/11_141394.png

Public and private keys are created

/wp-content/uploads/2012/09/12_141398.png

Once the keys are created, export the SSL view to PSE

/wp-content/uploads/2012/09/13_141399.png

To generate the CSR (certificate signing request), select the private key under the ICM_SSL_<ID> key store and click on “Generate CSR Request”

/wp-content/uploads/2012/09/14_141400.png

Download the CSR and send it to the certificate authority (CA) for signing

After receiving the signed certificate from the CA, select the ICM_SSL key and select the ssl certificate private key and click on Import CSR Response

/wp-content/uploads/2012/09/15_141401.png

Import the certificate response sent by the CA by browsing to the certificate file.

/wp-content/uploads/2012/09/16_141402.png

Export the view to PSE after importing the signed CA response.

Enabling certificate based authentication

Launch NWA, go to the Configuration Management tab and click on Authentication. Go to Properties and select the check box to enable certificate logon

/wp-content/uploads/2012/09/17_141403.png

Under the Configuration Management tab, click on Login Modules and search for “sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter”

Add the “Client certificate” login module with the value “Rule1.getUserFrom = wholeCert” (the value is case sensitive). Move the client certificate login module to the top

/wp-content/uploads/2012/09/18_141407.png

Create a service user ID in PI, e.g. pisrvuser

Upload the client certificate (cloud system certificate) to the user from User Management in NWA

Upload the same client certificate (used above), along with the root certificates, to certificate store in NWA

/wp-content/uploads/2012/09/19_141408.png

Restart the PI system if certificate authentication is not working after the configuration, because some changes to UME require a J2EE engine restart.
