Skip to Content

1.  Prerequisite

2.  Configure an SAP JCO Connection to a SAP EIS

Log on SCC, Go to Connection on the domain you want to configure:

/wp-content/uploads/2013/08/image001_259761.jpg

New

/wp-content/uploads/2013/08/image002_259762.jpg

TESTSMP/POCSMP22.

3.  Generating a X509 certificate for SUP server

  • Generate certificate request :

sapgenpse.exe get_pse  -p SNCTEST.pse –r abc.req –x abcpin “CN=hostname_supserver,OU=org,C=FR”

/wp-content/uploads/2013/08/image003_259790.jpg

  • Get certificate sign by CA:

/wp-content/uploads/2013/08/image004_259791.jpg

/wp-content/uploads/2013/08/image005_259792.jpg

/wp-content/uploads/2013/08/image006_259793.jpg

/wp-content/uploads/2013/08/image007_259794.jpg

/wp-content/uploads/2013/08/image008_259795.jpg

/wp-content/uploads/2013/08/image009_259796.jpg

/wp-content/uploads/2013/08/image010_259797.jpg

/wp-content/uploads/2013/08/image1_273748.png

  • Generate credential file  to initialize a new keystore for usage :

Sapgenpse seclogin –p SNCTEST.pse –O USERname –x Password03

  • Import the SUP certificate into the SUP server keystore:

keytool -import -keystore c:\Sybase\UnwiredPlatform\Servers\UnwiredServer\Repository\Security\keystore.jks -alias SUP22 -file  certnew.cer

/wp-content/uploads/2013/08/image012_259799.jpg

4.  Import sup certificate into SAP EIS

Transaction STRUST:

/wp-content/uploads/2013/08/image1_273748.png

/wp-content/uploads/2013/08/image1_273748.png

/wp-content/uploads/2013/08/image1_273748.png

Add to Certificate List and SAVE.

5.  Obtain SAP EIS P12

Transaction STRUST :

Deploy  SSL server standard, and select the node and click on /wp-content/uploads/2013/08/image016_259803.jpg create Certification request :

/wp-content/uploads/2013/08/image017_259804.jpg

Copy it in file my.key

/wp-content/uploads/2013/08/image018_259805.jpg

/wp-content/uploads/2013/08/image019_259808.jpg

.

/wp-content/uploads/2013/08/image020_259806.jpg

/wp-content/uploads/2013/08/image021_259809.jpg

/wp-content/uploads/2013/08/image022_259810.jpg

/wp-content/uploads/2013/08/image023_259811.jpg

/wp-content/uploads/2013/08/image024_259812.jpg

Wrong screen shot export it as Base 64 :

/wp-content/uploads/2013/08/image025_259813.jpg

Rename it as SAP_T2J.pem

/wp-content/uploads/2013/08/image026_259814.jpg

/wp-content/uploads/2013/08/image027_259815.jpg

Download CA certificate named rootca.pem

Generate private key from certificate :

[root@sapT2J]#  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out SAP_T2J.pem

Generating a 2048 bit RSA private key

……………………..+++

………..+++

writing new private key to ‘privateKey.key’

—–

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [XX]:pays

State or Province Name (full name) []:dep

Locality Name (eg, city) [Default City]:city

Organization Name (eg, company) [Default Company Ltd]:mycompany

Organizational Unit Name (eg, section) []:org

Common Name (eg, your name or your server’s hostname) []:sapt2j

Email Address []:mathieu.gravil@toto.fr

[root@sapT2J]# ls

cert_T2J.cer  privateKey.key  rootca.pem SAP_T2J.pem 

Use changeit as password :

[root@sapT2J]# openssl pkcs12 -export -out SAP_T2J.pfx -inkey privateKey.key -in SAP_T2J.pem -certfile rootca.pem

Enter Export Password:

Verifying – Enter Export Password:

[root@sapT2J]# ls

cert_T2J.cer  my_key.pem privateKey.key  rootca.cer  rootca.pem SAP_T2J.pem  SAP_T2J.pfx

6.  Import Root CA in SAP EIS

Follow the steps to import the CA to Database

In the Trust Manager double click on your SSL server node. In the middle part, Certificate, click on the import certificate button, choose file format as Base64 (Change according to your scenario) and choose the Root CA exported to your local directory ( or downloaded ) and Enter

/wp-content/uploads/2013/08/image1_273748.png

/wp-content/uploads/2013/08/image029_259817.jpg

Now you will be able to see that certificate in the certificate maintenance part of your SSL server PSE:

/wp-content/uploads/2013/08/image030_259818.jpg

Click on the export certificate  and on the next screen choose the Database tab

Create an entry for your new root certificate. Naming conventions apply.  In the Trust Center filed enter a name starting with ZZ or YY ( ALL CAPS). Enter the category as Root CA and enter a description and enter:

/wp-content/uploads/2013/08/image032_259819.jpg

Your root CA is now in your certificate database. You can verify the root CA by clicking on the database tab.


7.  Keystore: Importing a X509 Certificate and Private Key for SAP.

Copy file SAP_T2J.pfx obtain  in c:\sapcryptolib.

keytool -v –importkeystore -srckeystore  SAP_T2J.pfx -srcstoretype PKCS12 -destkeystore    c:\Sybase\UnwiredPlatform\Servers\UnwiredServer\Repository\Security\keystore.jks -deststoretype JKS 

/wp-content/uploads/2013/08/image034_259821.jpg

Truststore: Installing and CONFIGURING CERTIFICATES on SUP serverImport the SAP system’s certificate into the Unwires Server truststore :

keytool -v –importcert -keystore c:\Sybase\UnwiredPlatform\Servers\UnwiredServer\Repository\Security\truststore.jks  -file C:\sapcryptolib\SAP_T2J.pem

/wp-content/uploads/2013/08/image035_259876.jpg

8.  Creating and Assigning a Security Configuration That Uses X.509 Credentials

Log on scc , go to Security and on tab General click on New :

/wp-content/uploads/2013/08/image036_259919.jpg

Enter name and OK

Go to the new entry on left pat and in tab authentication (right part), click on new to create a com.sybase.security.core.CertifacteAuthenticationLoginModule  provider:

/wp-content/uploads/2013/08/image037_259920.jpg

OK.

Then Delete NoSecLoginModule :

/wp-content/uploads/2013/08/image038_259922.jpg

/wp-content/uploads/2013/08/image039_259923.jpg

OK

Go to General tab and validate and apply if everything is ok.

Assign

/wp-content/uploads/2013/08/image040_259924.jpg

/wp-content/uploads/2013/08/image041_259925.jpg

To report this post you need to login first.

2 Comments

You must be Logged on to comment or reply to a post.

  1. Frantisek Miksicek PTS

    I am not sure I understand the bit where you “Generate private key from certificate “.

    Doesn’t the command “openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out SAP_T2J.pem” generate a new key and new self-signed certificate? Why would we do that? Don’t we want to use the certificate we just got signed by the CA to import into SMP?

    Thanks,

    Frank

    (0) 

Leave a Reply