Mathieu GRAVIL

Configure SMP with X509

1.  Prerequisite

2.  Configure an SAP JCO Connection to a SAP EIS

Log on to SCC and go to Connection on the domain you want to configure:

New

TESTSMP/POCSMP22.

3.  Generating an X509 certificate for the SUP server

  • Generate a certificate request:

sapgenpse.exe get_pse -p SNCTEST.pse -r abc.req -x abcpin "CN=hostname_supserver,OU=org,C=FR"

  • Get the certificate signed by the CA:

  • Generate a credential file to initialize the new keystore for use:

sapgenpse seclogin -p SNCTEST.pse -O USERname -x Password03

  • Import the SUP certificate into the SUP server keystore:

keytool -import -keystore c:\Sybase\UnwiredPlatform\Servers\UnwiredServer\Repository\Security\keystore.jks -alias SUP22 -file  certnew.cer

4.  Import the SUP certificate into the SAP EIS

Transaction STRUST:

Add to Certificate List and SAVE.

5.  Obtain SAP EIS P12

Transaction STRUST:

Expand SSL server Standard, select the node and click on create Certification request:

Copy it into the file my.key

The screenshot is wrong; export it as Base64:

Rename it to SAP_T2J.pem

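Download the CA certificate, named rootca.pem.

Generate the private key. Note that a private key cannot be derived from a certificate: the command below creates a new 2048-bit RSA key, stored unencrypted because of -nodes, together with a new self-signed certificate that it writes to SAP_T2J.pem, overwriting the file renamed above: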

[root@sapT2J]#  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out SAP_T2J.pem

Generating a 2048 bit RSA private key

……………………..+++

………..+++

writing new private key to 'privateKey.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:pays

State or Province Name (full name) []:dep

Locality Name (eg, city) [Default City]:city

Organization Name (eg, company) [Default Company Ltd]:mycompany

Organizational Unit Name (eg, section) []:org

Common Name (eg, your name or your server's hostname) []:sapt2j

Email Address []:mathieu.gravil@toto.fr

[root@sapT2J]# ls

cert_T2J.cer  privateKey.key  rootca.pem SAP_T2J.pem 

Use changeit as the password:

[root@sapT2J]# openssl pkcs12 -export -out SAP_T2J.pfx -inkey privateKey.key -in SAP_T2J.pem -certfile rootca.pem

Enter Export Password:

Verifying - Enter Export Password:

[root@sapT2J]# ls

cert_T2J.cer  my_key.pem privateKey.key  rootca.cer  rootca.pem SAP_T2J.pem  SAP_T2J.pfx
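
The PKCS#12 file is only useful if privateKey.key really belongs to the certificate passed with -in, and if that certificate chains to rootca.pem instead of being self-signed. The following pre-flight check is an added example, not part of the original post; the function names, verdict strings and throwaway demo certificates are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks before `openssl pkcs12 -export`.
# Usage: check_p12_inputs CERT.pem KEY.pem ROOTCA.pem
check_p12_inputs() {
  cert="$1"; key="$2"; ca="$3"
  # Public key carried by the certificate vs. the one derived from the key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "UNREADABLE_CERT"; return 4; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "UNREADABLE_KEY"; return 4; }
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "KEY_MISMATCH"; return 1      # key does not belong to this cert
  fi
  # Same subject and issuer name hash means the certificate is self-issued.
  subj=$(openssl x509 -in "$cert" -noout -subject_hash)
  iss=$(openssl x509 -in "$cert" -noout -issuer_hash)
  if [ "$subj" = "$iss" ]; then
    echo "SELF_SIGNED"; return 2
  fi
  # The certificate must chain to the root CA that the peer will trust.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "NOT_ISSUED_BY_CA"; return 3
  fi
  echo "OK"
}

# Constructed throwaway material for a demo run; prints the directory used.
make_demo_files() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    # Demo root CA (stands in for rootca.pem from the page).
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=Demo Root CA" \
      -keyout ca.key -out rootca.pem || exit 1
    # Key pair plus CSR, signed by the demo CA: the intended outcome.
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=sapt2j" \
      -keyout good.key -out good.csr || exit 1
    openssl x509 -req -in good.csr -CA rootca.pem -CAkey ca.key \
      -CAcreateserial -days 1 -out good.pem || exit 1
    # Same command shape as in the page: new key plus self-signed certificate.
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=sapt2j" \
      -keyout privateKey.key -out selfsigned.pem || exit 1
  ) >/dev/null 2>&1 || return 1
  echo "$d"
}
```

Run against the demo files, the CA-signed pair yields OK, the output of the openssl req -x509 command yields SELF_SIGNED, and pairing the CA-signed certificate with privateKey.key yields KEY_MISMATCH.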

6.  Import Root CA in SAP EIS

Follow these steps to import the CA into the database:

In the Trust Manager, double-click your SSL server node. In the middle part, Certificate, click the import certificate button, choose Base64 as the file format (change according to your scenario), select the Root CA exported to your local directory (or downloaded) and press Enter.

Now you will be able to see that certificate in the certificate maintenance part of your SSL server PSE:

Click export certificate and, on the next screen, choose the Database tab.

Create an entry for your new root certificate. Naming conventions apply. In the Trust Center field, enter a name starting with ZZ or YY (all caps). Enter the category as Root CA, enter a description and press Enter:

Your root CA is now in your certificate database. You can verify the root CA by clicking on the database tab.


7.  Keystore: Importing an X509 Certificate and Private Key for SAP.

Copy the SAP_T2J.pfx file obtained above to c:\sapcryptolib.

keytool -v -importkeystore -srckeystore SAP_T2J.pfx -srcstoretype PKCS12 -destkeystore c:\Sybase\UnwiredPlatform\Servers\UnwiredServer\Repository\Security\keystore.jks -deststoretype JKS

Truststore: Installing and configuring certificates on the SUP server

Import the SAP system's certificate into the Unwired Server truststore:

keytool -v -importcert -keystore c:\Sybase\UnwiredPlatform\Servers\UnwiredServer\Repository\Security\truststore.jks -file C:\sapcryptolib\SAP_T2J.pem

8.  Creating and Assigning a Security Configuration That Uses X.509 Credentials

Log on to SCC, go to Security and, on the General tab, click New:

Enter a name and click OK.

Go to the new entry in the left part and, in the Authentication tab (right part), click New to create a com.sybase.security.core.CertificateAuthenticationLoginModule provider:

OK.

Then delete NoSecLoginModule:

OK

Go to the General tab, validate, and apply if everything is OK.

Assign

      2 Comments
      Midhun VP

      Thanks for the valuable information. Keep it up.

      - Midhun VP

      Former Member

      I am not sure I understand the bit where you "Generate private key from certificate ".

      Doesn't the command "openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out SAP_T2J.pem" generate a new key and new self-signed certificate? Why would we do that? Don't we want to use the certificate we just got signed by the CA to import into SMP?

      Thanks,

      Frank