Believe it or not, SSL Enabling for your PI 7.31 EHP1(Java only) is a cake walk now.
As we all know, by default, PI 7.31 EHP1 (Java only) is not SSL enabled. But, most of our scenarios deal with HTTPS. And now, gone are those days where we use to get this enabled by manual activities. In just, few simple steps, we can get our PI instance SSL enabled. Let’s check out how?
We should have the cryptographic library (SAPCRYPTOLIB_32-10010888.SAR) file handy.
Go to NWA, Configuration -> Security -> SSL. By default, it says that the PI instance is not SSL enabled. Click on Edit and click on Choose file under the column Ticket File and select the cryptographic library in the popup and save it. After the successful save, you will find the SSL status as green.
Though the SSL status is green, the SSL port is not yet configured. This means, you can’t access it through HTTPS. Click on Add button under the SSL Access Points. You can specify the SSL port, Protocol, Client Authentication Mode. You can choose any of the available options in each of the column.
Once you save it, you will see everything in green. Leave the other entries (Server Identity, Trusted CAs etc.) as is since, these deal with how the SSL communication should happen between the server and the client (out of scope at the moment).
Now, try accessing your PI home page using the https protocol. You will be prompted for the site’s security certificate as below (this happens in chrome).
Hit proceed anyway and you will end up at the home page of your PI instance. The protocol is HTTPS now.
Good one Anil. Thanks for sharing....
Regards
Rakesh
Hi Anil,
thank you very much for sharing the setup steps so clearly!
As an aside, if a customer does not already have a "star" SSL certificate from a trusted Certificate Authority which is trusted by browsers (i.e. no red "warning" signs), then I can recommend Start SSL. They provide SSL certificates with a 1-year validity which are trusted by all major browsers for free. I've used them in the past and have been very happy.
Sascha
Hi Anil...another good blog..clear steps wid screen shot...can u please share whch scenario will need this https??? e.g. file to mail etc...can u put here sme example of scenarios??
Regards,
Rashmi
Hi Anil,
When I try this I get:
Did you as well. I guess I need to restart but it appears my BASIS team has the permissions for that.
Jody
Hi Anil,
the steps are very clear, just add a few clarifications that caused me problems
in step SSL Access Points , set it to "Port-Specific" and
in create Server Identity step 3 "sign with key pair" should be clicked on "select key Pair" and choose in "select view name" service_ssl
.
VERY IMPORTANT the restart of ICM is not enough, I had to Restart the instance
Questions:
What to put in parameter "commonName"?
Thank again
Miguel Bravo
good one Anil..
Thanks Anil so much. It is clearly documentation.
End to end PI HTTPS configuration is required to be called is true https.... accessing /dir page of PI with https is not full configuration. There are so many moving parts to configure PI as HTTPS.
-Yogesh