Enabling the HTTPS Service in SAP Lumira, Edge edition

HTTP Secure (HTTPS) runs HTTP over Transport Layer Security (TLS), the successor to the Secure Sockets Layer (SSL) protocol. It encrypts the traffic between client and server, protects it from tampering, and lets the client verify that it is talking to the genuine server. Enable it whenever SAP Lumira, Edge edition is reached over an open or untrusted network. Once enabled, HTTPS ensures that all traffic between the client and the server is encrypted.

The HTTPS service has two layers: the first forces every connection to the server to use HTTPS, with the server proving its identity through its certificate; the second, client authentication, additionally admits only clients that present a certificate the server trusts.

Edge Server supports two protocols: the legacy SSL protocol and its successor, TLS. SSL 3.0 and earlier have known weaknesses and are deprecated (RFC 7568), so use TLS wherever your clients allow it.

Edge Server also supports two certificate store formats: the Java KeyStore (JKS) and PKCS #12. PKCS #12 is recommended because it is a language-neutral standard: the same file can be produced with OpenSSL or keytool and moved between tools without conversion.

We will go over the following steps:

  1. Have your server and client certificates ready to configure.
  2. Configuring SAP Lumira Edge edition to force all requests to go through HTTPS
  3. Configuring the HTTPS service to enable client authentication
  4. Configuring SSL for Lumira Desktop


Configuring SAP Lumira Edge edition to force all requests to go through HTTPS


Launch SAP Lumira Edge Server and log in as an administrator.

Copy the certificate store (the JKS or PKCS #12 file holding the server certificate and its private key) to a folder on the machine where SAP Lumira Edge Server is installed.


Procedure

  1. Select Maintenance from the left-hand panel under Administration.
  2. Choose HTTPS Settings.
  3. The HTTPS Settings dialog box opens. Choose Enable HTTPS configuration.
  4. In the Bind to Hostname or IP Address field, specify the hostname (or IP address) that the certificate was issued for and that SAP Lumira, Edge edition will bind to. HTTPS is served on that address, and clients only accept the connection without warnings if the name they connect to appears in the certificate's Subject Alternative Name.
  5. In the HTTPS Port field, specify a port number for SAP Lumira, Edge edition to provide the HTTPS service. Make sure that this port is free. If you plan to allow users to connect to SAP Lumira, Edge edition from outside a firewall, also make sure that this port is open on the firewall.
  6. In the Certificate Store File Location field, specify the path of the PKCS #12 file or Java keystore you copied to the server.
  7. In the Private Key Access Password field, specify the password that protects the keystore and its private key.
  8. In the Certificate Alias field, specify the alias under which the server key pair is stored (keytool -list on the store shows the aliases).
  9. Choose Create.
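Before typing these values into the dialog, the keystore can be checked from the command line. The following Java program is an added example for this page, not SAP Lumira code; it uses only the standard java.security API. It loads the store named in step 6 with the password from step 7, confirms that the alias from step 8 is a key entry whose private key opens with that same password, and checks the certificate against the hostname from step 4 (the name must appear in the Subject Alternative Name extension, which is what browsers match on; exact names only, wildcards are not handled here). It also flags settings a practitioner would want to fix before going live: an expired or self-signed certificate, SHA-1 or MD5 signatures, and RSA keys under 2048 bits. The class name, argument order and OK/FAIL output format are this example's own choices.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

/**
 * Pre-flight check for the HTTPS Settings dialog (added example, not part of SAP Lumira).
 * Usage, from an interactive terminal so the password is not left in shell history:
 *   java ServerKeystoreCheck <store file> <JKS|PKCS12> <certificate alias> <bind hostname>
 */
public class ServerKeystoreCheck {

    static int failures = 0;

    static void check(boolean ok, String what) {
        System.out.println((ok ? "OK   " : "FAIL ") + what);
        if (!ok) failures++;
    }

    /** dNSName (type 2) and iPAddress (type 7) entries of the Subject Alternative Name extension. */
    static List<String> sanNames(X509Certificate cert) throws CertificateException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> entry : sans) {
                int type = (Integer) entry.get(0);
                if (type == 2 || type == 7) names.add((String) entry.get(1));
            }
        }
        return names;
    }

    /** Exact, case-insensitive match only; wildcard names are deliberately not expanded. */
    static boolean matchesHost(List<String> sans, String host) {
        for (String name : sans) if (name.equalsIgnoreCase(host)) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4 || System.console() == null) {
            System.err.println("usage (interactive): java ServerKeystoreCheck <store file> <JKS|PKCS12> <alias> <bind hostname>");
            System.exit(2);
        }
        String file = args[0], type = args[1], alias = args[2], host = args[3];
        char[] password = System.console().readPassword("Private key access password: ");

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password);                 // a wrong password or wrong store type fails here
        }
        if (!ks.containsAlias(alias)) {
            System.err.println("FAIL alias '" + alias + "' not found; store holds " + Collections.list(ks.aliases()));
            System.exit(1);
        }
        check(ks.isKeyEntry(alias), "alias '" + alias + "' is a key entry, not only a trusted certificate");

        boolean keyOpens;                          // the dialog has a single password field, so the
        try {                                      // private key must open with the store password
            keyOpens = ks.getKey(alias, password) instanceof PrivateKey;
        } catch (UnrecoverableKeyException e) {
            keyOpens = false;
        }
        check(keyOpens, "private key opens with the same password as the store");

        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        boolean inDate = true;
        try { cert.checkValidity(); } catch (CertificateException e) { inDate = false; }
        check(inDate, "certificate is within its validity period (not after " + cert.getNotAfter() + ")");

        List<String> sans = sanNames(cert);
        check(matchesHost(sans, host), "bind name '" + host + "' appears in SAN " + sans
                + " (browsers match on SAN only; a CN-only match still warns)");
        check(!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal()),
                "certificate is CA-issued rather than self-signed (self-signed: test landscapes only)");
        String sigAlg = cert.getSigAlgName().toUpperCase();
        check(!sigAlg.contains("SHA1") && !sigAlg.contains("MD5"),
                "signature algorithm " + cert.getSigAlgName() + " is not SHA-1 or MD5");
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
            check(bits >= 2048, "RSA modulus is at least 2048 bits (" + bits + ")");
        }
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

Run it on the server against the exact file, type, alias and hostname you are about to enter; any FAIL line is a value the dialog will either reject or that clients will complain about later.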

Configuring the HTTPS service to enable client authentication


Client authentication lets the server check that a client presents a certificate it trusts before replying to any request. It has two parts: the server's trust store and the client's certificate.
The client must present a certificate that is either stored in the server's trust store itself or issued by a CA certificate stored there. That trust store is the Certificate Trust List (CTL hereon).


Prerequisites


Convert the client's key pair into a PKCS #12 (.p12) file, which a browser or Windows can import directly by double-clicking it.

Navigate to the directory where keytool.exe is located (usually the JRE's bin folder, for example C:\Program Files\Java\jre6\bin on Windows) and execute the following command. <Client keystore> is the keystore that already holds the client key pair under <Client Alias>; the literal password is a placeholder for the real store password. A PKCS #12 file uses one password for both the store and the key.

keytool -importkeystore -srckeystore <Client keystore> -srcstorepass password -srcalias <Client Alias> -destkeystore client.p12 -deststoretype PKCS12 -deststorepass password -destalias clientkey -noprompt

Verify the result; the listing should show a single PrivateKeyEntry with the alias clientkey:

keytool -v -list -keystore client.p12 -storetype pkcs12 -storepass password

Then copy client.p12 to the client machine.

Install the certificate by double-clicking it. On Windows this starts the Certificate Import Wizard, which places a .p12 that contains a private key in the user's Personal store, where Internet Explorer and Chrome find it. Firefox keeps its own certificate store and needs the file imported through its own settings.

Procedure


  1. Copy the Certificate Trust List keystore (the JKS file holding the trusted client or CA certificates) to the SAP Lumira Edge Server machine.
  2. Launch SAP Lumira Edge Server and log in as Administrator.
  3. Select Maintenance from the left-hand panel under Administration.
  4. Choose HTTPS Settings.
  5. The HTTPS Settings dialog box opens. Choose Enable Client Authentication configuration.
  6. In the Certificate Trust List File Location field, specify the location of the JKS keystore that contains the trust list.
  7. In the Password field, type the password that protects the Certificate Trust List keystore.
  8. Leave the Maximum HTTP header size field at its prefilled default of 32768 unless your clients are known to send larger headers.
  9. Choose Create.

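The decision the server makes in this layer can be rehearsed offline before any user is locked out. The Java program below is an added example for this page, not SAP code: it loads the CTL keystore from step 6 and the client.p12 produced in the prerequisites, builds a PKIX certification path from the client's chain and validates it with the CTL's trusted-certificate entries as the only trust anchors, which is what a TLS server does with a client certificate. The CTL holds either the CA that issued the client certificates or, for self-signed client certificates, the client certificates themselves; both cases are covered by the same validation. Revocation checking is switched off because this is a local rehearsal, not a replacement for the server's own check. The class name, argument order and the default alias clientkey (the -destalias used above) are this example's own choices; passwords are taken on the command line only to mirror the page's keytool examples.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Would this client.p12 be accepted against this CTL? (added example, not part of SAP Lumira)
 * Usage: java CtlCheck <ctl.jks> <ctl password> <client.p12> <p12 password> [client alias]
 */
public class CtlCheck {

    static KeyStore load(String file, String type, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /**
     * Validates the client's chain (leaf first, as PKIX expects) against the CTL's trusted
     * certificate entries and returns the alias of the CTL entry that anchors it.
     * Throws CertPathValidatorException when no CTL entry anchors the chain, or when a
     * certificate in it is expired or carries a bad signature.
     */
    static String anchorAlias(KeyStore ctl, Certificate[] clientChain) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        for (Certificate c : clientChain) certs.add((X509Certificate) c);
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(certs);

        PKIXParameters params = new PKIXParameters(ctl);   // anchors = TrustedCertificateEntry items of the CTL
        params.setRevocationEnabled(false);                // offline rehearsal: no CRL or OCSP lookups
        PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(path, params);
        return ctl.getCertificateAlias(result.getTrustAnchor().getTrustedCert());
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: java CtlCheck <ctl.jks> <ctl password> <client.p12> <p12 password> [client alias]");
            System.exit(2);
        }
        String clientAlias = args.length > 4 ? args[4] : "clientkey";
        KeyStore ctl = load(args[0], "JKS", args[1]);
        KeyStore client = load(args[2], "PKCS12", args[3]);

        Certificate[] chain = client.getCertificateChain(clientAlias);
        if (chain == null) {
            System.err.println("no key entry '" + clientAlias + "' in " + args[2]);
            System.exit(2);
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        System.out.println("client certificate: " + leaf.getSubjectX500Principal());
        System.out.println("issued by:          " + leaf.getIssuerX500Principal());

        try {
            String alias = anchorAlias(ctl, chain);
            System.out.println("ACCEPT: chain anchors to CTL entry '" + alias + "'");
        } catch (CertPathValidatorException e) {
            // The reason tells you what to fix: NO_TRUST_ANCHOR means the CTL lacks the issuer,
            // EXPIRED means the client certificate (or its CA) needs renewing.
            System.out.println("REJECT: " + e.getMessage() + " (reason: " + e.getReason() + ")");
            System.exit(1);
        }
    }
}
```

A REJECT with reason NO_TRUST_ANCHOR before the dialog is filled in is far cheaper than every user being refused after Create is chosen.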

Configuring SSL for Lumira Desktop


For SAP Lumira Desktop to connect to an HTTPS-enabled Edge server, the JRE that Lumira ships with must trust the server certificate. If the certificate was issued by a public CA already present in the JRE's cacerts file, nothing needs to be imported. The steps below are for a self-signed certificate or one issued by a private CA: you install that certificate (preferably the issuing CA's certificate) into the SAP Lumira JRE keystore and then create the connection.


Prerequisites

  • Make sure that SAP Lumira is not running.

  • Obtain your certificate information from the browser while connected to the SAP Lumira, Edge edition web application.

  • If you must work with a self-signed or private-CA certificate on the Windows side as well, install the issuing CA certificate (or, in a test landscape only, the self-signed server certificate) in the Trusted Root Certification Authorities store. Prefer a certificate issued by a CA the clients already trust: anything placed in the root store is trusted for every TLS connection the machine makes, not just this one.

  • Ensure you have access to keytool.exe, which ships in the bin folder of any Java Runtime Environment (JRE) or Java Development Kit (JDK).

Procedure

These are the steps to make SAP Lumira Desktop trust the certificate of an HTTPS-enabled SAP Lumira Edge Server (needed only when the certificate is self-signed or issued by a private CA that the Lumira JRE does not already trust):

  1. On the Lumira Desktop machine, obtain the certificate that was used to enable HTTPS on the Lumira Edge server: launch https://<hostname_server>/sap/Login.html in the browser.
  2. Open the certificate from the lock icon (Connection tab, Certificate Information link), choose the Details tab, click "Copy to File..." and follow the export wizard. The example below assumes the exported file is named mycert.cer.
  3. Copy keytool.exe and java.exe into the Lumira Desktop jre\bin folder; the Lumira Desktop JRE does not include them, but they can be taken from the JRE of the SAP Lumira Edge Server installation.
  4. Copy the cacerts file from the Lumira Desktop jre\lib\security folder into the jre\bin folder.
  5. Open a command prompt as Administrator, navigate to the folder holding that copy of cacerts and execute:

     "C:\Program Files\SAP Lumira\Desktop\jre\bin\keytool" -import -file mycert.cer -keystore ".\cacerts" -alias myappcert

     When prompted for the keystore password, enter the cacerts default, changeit. Compare the fingerprint keytool prints with the certificate on the server before answering yes to "Trust this certificate?". Then copy the updated cacerts back to jre\lib\security, keeping a backup of the original; the JRE reads its trust store only from that folder.
  6. Alternatively, use the InstallCert program, which fetches the certificate chain from the running server instead of from an exported file: download it and copy its contents into a new jre\bin\InstallCert sub-folder (create the sub-folder manually).
  7. In the command prompt, navigate to that folder and execute:

     ..\java -cp . InstallCert <WACS hostname>:<WACS SSL port>

     If the HTTPS port is the default, 443, it does not have to be specified. InstallCert writes a jssecacerts file into the current folder; copy it into jre\lib\security, where the JRE uses jssecacerts in preference to cacerts.
  8. Start SAP Lumira Desktop and navigate to File -> Preferences -> Network Settings.
  9. In the SAP Lumira Edge section, use HTTPS and the appropriate port number in the URL, and then click OK:

     https://<Lumira Edge server hostname or IP Address>/biprws
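The InstallCert step trusts whichever certificate the server presents at that moment, so a machine in the path could hand the Desktop a certificate of its own. The Java program below is an added example for this page, not the InstallCert program and not SAP code. It fetches the Edge server's chain the same way (a recording trust manager that approves nothing), prints each certificate's SHA-256 fingerprint, and imports the server certificate into a copy of the Lumira JRE trust store only if that fingerprint equals one you read directly off the server keystore (keytool -list -v prints fingerprints; on Java 8 and later this includes SHA-256). It writes jssecacerts into the current folder rather than modifying cacerts in place, and leaves the Windows root store alone. The class name, argument order and the alias prefix lumira-edge- are this example's own choices; changeit is the cacerts default password the page already uses.

```java
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Fingerprint-pinned import of the Edge server certificate (added example, not part of SAP Lumira).
 * Usage: java PinnedImport <host> <port> <path to jre\lib\security\cacerts> <expected SHA-256 fingerprint>
 * Output: .\jssecacerts, to be copied into jre\lib\security. Nothing is written on a mismatch.
 */
public class PinnedImport {

    /** Records the chain the server sends. It approves nothing; the handshake is only used to fetch it. */
    static final class ChainRecorder implements X509TrustManager {
        X509Certificate[] chain;
        @Override public void checkClientTrusted(X509Certificate[] c, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] c, String authType) { chain = c; }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        ChainRecorder recorder = new ChainRecorder();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.startHandshake();            // completes because the recorder never objects
        }
        return recorder.chain;
    }

    /** Colon-separated upper-case hex, the format keytool -list -v prints. */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java PinnedImport <host> <port> <cacerts path> <expected SHA-256>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        Path cacerts = Paths.get(args[2]);
        String expected = args[3].replace(" ", "").toUpperCase();

        X509Certificate[] chain = fetchChain(host, port);
        for (int i = 0; i < chain.length; i++) {
            System.out.println("[" + i + "] " + chain[i].getSubjectX500Principal());
            System.out.println("    SHA-256: " + sha256Fingerprint(chain[i]));
        }
        String actual = sha256Fingerprint(chain[0]);    // chain[0] is the server's own certificate
        if (!actual.equals(expected)) {
            System.err.println("Fingerprint does not match the value taken from the server keystore; nothing imported.");
            System.exit(1);
        }

        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            trust.load(in, "changeit".toCharArray());   // default cacerts password
        }
        trust.setCertificateEntry("lumira-edge-" + host, chain[0]);
        try (OutputStream out = new FileOutputStream("jssecacerts")) {
            trust.store(out, "changeit".toCharArray());
        }
        System.out.println("Imported into .\\jssecacerts; copy it into the Lumira jre\\lib\\security folder.");
    }
}
```

Obtain the expected fingerprint on the server (keytool -list -v against the store configured in the HTTPS Settings dialog) and carry it over by a channel other than the connection you are about to trust; a pasted fingerprint from the same untrusted browser session proves nothing.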





3 Comments


  1. Frank Koehntopp

    Please – for the love of god – STOP telling people to install self-signed certificates into their trust stores!!

    If you want to use SSL for your server, get a properly signed certificate. Messing with the root certificate store WILL come back to bite you. This is a critical piece of security infrastructure that should not be messed with.

    Here’s a list of places to get those (you might want to not use Comodo for reasons outlined below):

    http://webdesign.about.com/od/ssl/tp/cheapest-ssl-certificates.htm

    The SSL system was massively compromised last week, read this for background:

    https://blog.hboeck.de/archives/865-Comodo-ships-Adware-Privdog-worse-than-Superfish.html

    1. Vani Valasangad Post author

      Hi,

      We did not mean to recommend that users install self-signed certificates in their trust stores.

      I too agree with you that it may cause damage to the system.

      We had given a reference in the blog in case users want to try SSL for SAP Lumira Edge Server without using their original certificates, just to understand and feel how it works.

      This blog has been edited accordingly.

      1. Frank Koehntopp

        Thank you.

        I appreciate you sharing your expertise very much, but other readers do take these blogs literally and implement them in their own landscapes, which is why I try to catch stuff like this.

