Former Member

1.    Introduction –

The requirement is to enable access to AS Java via SSL (Secure Sockets Layer).

As a result of this document, you will be able to:

·        Use the Key Storage and the SSL Provider Services

·        Configure SAP J2EE Engine for using SSL

·        Configure the use of client certificates for authentication

This document describes the step-by-step procedure for implementing access to AS Java via SSL with SAP NetWeaver 7.3x AS Java.

I hereby confirm that the Images/screenshots are created by me during the installation and there is no IP violation in this document.

2.    Pre-Requisites –

·        The following user accounts should exist:

| User Accounts | Generic name |
|---|---|
| Operating system account with login (for Unix “su” command functionality) | unixacc |
| Operating system account with root / admin privileges UNIX : without login | saproot |
| SAP admin account | sidadm |
| SAP Administrator account | Administrator |
| SAP Central Services hostname | hostname1 |
| SAP Dispatcher hostname | hostname2 |

Download Directory: /download

 

3.    Installation Procedure –

Step 1: Prepare crypto tools

As user unixacc:

cd /tmp;mkdir crypto;cd crypto

SAPCAR -xvf /download/90000104.SAR

cdexe

cp /tmp/crypto/aix-6.1.0-64/sapgenpse .

cp /tmp/crypto/aix-6.1.0-64/libsapcrypto.o .

cp /tmp/crypto/ticket /usr/sap/SID/SCS00/sec/

cp /tmp/crypto/ticket /usr/sap/SID/J00/sec/

vi scs.lst

Add an entry : libsapcrypto.o

Step 2: Maintain SAP parameters

As user unixacc:

cdpro

vi SID_SCS00_hostname1

Add lines :

ssl/ssl_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)

sec/libsapsecu = $(ssl/ssl_lib)

ssf/ssfapi_lib = $(ssl/ssl_lib)

ms/server_port_1 = PROT=HTTPS,PORT=95$$

vi SID_J00_hostname1

Add lines :

icm/server_port_0 = PROT=IIOP, PORT=51007

icm/server_port_1 = PROT=TELNET, PORT=51008, HOST=localhost

icm/server_port_2 = PROT=P4, PORT=51004

icm/server_port_3 = PROT=HTTP, PORT=51000, TIMEOUT=60, PROCTIMEOUT=600

icm/server_port_4 = PROT=HTTPS, PORT=51001, SSLCONFIG=ssl_config_4

icm/ssl_config_4 = VCLIENT=0, CRED=/usr/sap/SID/J00/sec/SAPSSLS.pse

icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, FOR= hostname1:51000, PROT=https, HOST=hostname1, PORT=51001

icm/HTTP/redirect_1 = PREFIX=/, FROM=*, FROMPROT=http, FOR= hostname2:51000, PROT=https, HOST=hostname2, PORT=51001

icm/add_client_protocol_header = true

icm/HTTP/esid_support = true

icm/handle_webdisp_ap_header = 1

Step 3: Create PSE certificate request for message server

As user unixacc:

cd /usr/sap/SID/SCS00/sec

setenv SECUDIR /usr/sap/SID/SCS00/sec

sapgenpse get_pse -p SAPSSLS.pse -a RSA -s 1024 "CN=<name as standard to the company>"

Do not enter a password

Create the response certificate file :

cd $SECUDIR

vi response_hostname1.cer

In this file, copy the certificate response provided in the above step and also the Base-64 encoded X.509 certificate.

Import the certificate response file in the PSE :

sapgenpse import_own_cert -c response_hostname1.cer -p SAPSSLS.pse

Step 4: Create PSE certificate request for dispatcher server

As user unixacc:

cd /usr/sap/SID/J00/sec

setenv SECUDIR /usr/sap/SID/J00/sec

sapgenpse get_pse -p SAPSSLS.pse -a RSA -s 1024 "CN=<name as standard to the company>"

Do not enter a password

Create the response certificate file :

cd $SECUDIR

vi response_hostname2.cer

In this file, copy the certificate response provided in the above step and also the Base-64 encoded X.509 certificate.

Import the certificate response file in the PSE :

sapgenpse import_own_cert -c response_hostname2.cer -p SAPSSLS.pse

Step 5: Export P12 certificate for J00 instance

As user unixacc:

setenv SECUDIR /usr/sap/SID/J00/sec

cd $SECUDIR

sapgenpse export_p12 -p SAPSSLS.pse $HOME/SSL_pki_SID_hostname2.p12

Enter the password.

Step 6: Import the private key in NWA

1.      Log on to the NetWeaver Administrator: http://<hostname2>:<port>/NWA

2.      Navigate to: Configuration Management > System > Certificate and Keys.

3.      From the list of Keystore Views, select the ICM_SSL_<instance_ID>

              The contents of the selected keystore view appear.

4.      Navigate to Configuration → Certificates and Keys → click the keystore view name (from the step above) → in the details of the view, choose “Import Entry”

Select Files of Type: PKCS#12 Key

Select the P12 file exported in the previous steps:

  1. Import SSL_pki_SID_hostname2.p12 and also provide the password in order to import → Entry imported
  2. Navigate to Configuration → SSL → Edit → give the port and protocol for HTTPS → Save
  3. ICM Restart pop-up → Close

Step 7: Restart ICM for activating SSL

As user unixacc:

cdpro

jsmon pf=SID_J00_hostname1

Restart ICM

Step 8: Test SSL for application servers

In an Internet browser, call the URLs:

https://hostname1:9500/msgserver/

https://hostname1:50001/index.html

https://hostname2:50001/index.html
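A consistency check for the ICM parameters added in step 2, given here as an added example (it is not part of the original post and not an SAP tool). It parses the profile lines and reports an HTTPS port whose SSLCONFIG has no matching icm/ssl_config_<n> with a CRED entry, and an HTTP-to-HTTPS redirect aimed at a port that no HTTPS server port listens on. The function names parse_profile and lint_ssl are hypothetical; the sample lines are copied from the SID_J00_hostname1 profile above.

```python
import re

# ICM lines copied from step 2 of this page (profile SID_J00_hostname1).
PAGE_PROFILE = """\
icm/server_port_3 = PROT=HTTP, PORT=51000, TIMEOUT=60, PROCTIMEOUT=600
icm/server_port_4 = PROT=HTTPS, PORT=51001, SSLCONFIG=ssl_config_4
icm/ssl_config_4 = VCLIENT=0, CRED=/usr/sap/SID/J00/sec/SAPSSLS.pse
icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, FOR= hostname1:51000, PROT=https, HOST=hostname1, PORT=51001
"""

def parse_profile(text):
    """Return {parameter: {OPTION: value}} for 'name = K=V, K=V' lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        opts = {}
        for item in value.split(","):
            if "=" in item:
                key, val = item.split("=", 1)
                opts[key.strip().upper()] = val.strip()
        params[name.strip()] = opts
    return params

def lint_ssl(text):
    """Return findings as strings; an empty list means the wiring is consistent."""
    params = parse_profile(text)
    findings, https_ports = [], set()
    for name, opts in params.items():
        is_port = re.fullmatch(r"icm/server_port_\d+", name)
        if not is_port or opts.get("PROT", "").upper() != "HTTPS":
            continue
        https_ports.add(opts.get("PORT"))
        cfg = opts.get("SSLCONFIG")
        # A named SSLCONFIG must exist as icm/<name> and point at a PSE via CRED.
        if cfg and "CRED" not in params.get("icm/" + cfg, {}):
            findings.append(f"{name}: no icm/{cfg} parameter with CRED")
    if not https_ports:
        findings.append("no icm/server_port_<n> with PROT=HTTPS")
    for name, opts in params.items():
        # An https redirect must land on a port that actually serves HTTPS.
        is_https = opts.get("PROT", "").lower() == "https"
        if name.startswith("icm/HTTP/redirect_") and is_https and opts.get("PORT") not in https_ports:
            findings.append(f"{name}: target port {opts.get('PORT')} is not an HTTPS port")
    return findings

if __name__ == "__main__":
    print(lint_ssl(PAGE_PROFILE) or "SSL wiring consistent")
```

Run it against the edited instance profile before restarting ICM in step 7; an empty result means every HTTPS port and redirect in the file refers to something that is defined.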

References

https://service.sap.com/notes

1770585 - How to configure SSL on the AS Java

http://help.sap.com/saphelp_nw73/helpdata/en/48/3d993fb08c72d1e10000000a42189c/content.htm?frameset=...
