Technology Blogs by SAP
vani_valasangad

Enabling the HTTPS Service in SAP Lumira, Edge edition

Secure Sockets Layer (SSL) / HTTP Secure (HTTPS) encrypts network traffic and provides improved security. Enabling it is always recommended when resources are accessed over an open or untrusted network. Once enabled, HTTPS ensures that all traffic between the client and the server is encrypted.

There are two layers to the HTTPS service: one that forces all connections to the server to go through HTTPS, and one that allows only trusted clients to connect to the server.

Edge Server supports two protocols: standard SSL and an improved version of it called TLS.

Edge Server also supports two different types of certificate stores: the Java Keystore (JKS) or the Public Key Cryptography Standards 12 (PKCS12). It is recommended to use PKCS12 as it is language neutral, and will provide easier portability.

We will go over the following steps:

  1. Keeping your server and client certificates ready to configure
  2. Configuring SAP Lumira, Edge edition to force all requests to go through HTTPS
  3. Configuring the HTTPS service to enable Client Authentication
  4. Configuring SSL for Lumira Desktop


Configuring SAP Lumira, Edge edition to force all requests to go through HTTPS


Launch SAP Lumira Edge Server and log in as an Administrator.

Copy the certificates you created to a folder on the machine where SAP Lumira Edge Server is installed.


Procedure

  1. Select Maintenance from the left-hand panel under Administration.
  2. Choose HTTPS Settings.
  3. The HTTPS Settings dialog box opens. Choose Enable HTTPS configuration.
  4. In the Bind to Hostname or IP Address field, specify the hostname that the certificates were issued for and that SAP Lumira, Edge edition will bind to. HTTPS services will be provided through the IP address that you specify.
  5. In the HTTPS Port field, specify a port number for SAP Lumira, Edge edition to provide the HTTPS service. You have to make sure that this port is free. If you plan to allow users to connect to SAP Lumira, Edge edition from outside a firewall, you also have to make sure that this port is open on the firewall.
  6. In the Certificate Store File Location field, specify the path where you copied or moved the certificate file store or Java keystore file to.
  7. In the Private Key Access Password field, specify the password.
  8. In the Certificate Alias field, specify the alias for the certificate.
  9. Click Create.

Configuring the HTTPS service to enable Client Authentication


Client authentication enables a server to check whether a client has a certificate before replying to any requests. Client authentication has two parts: the server keystore and the client certificate.
The client must have one of the certificates that the server trusts and stores in its keystore, i.e. the Certificate Trust List (CTL from here on).


Prerequisites


Create a key that can easily be imported into the browser. The command below creates a .p12 file that can be clicked to install.

Navigate to the directory where keytool.exe is located (usually where the JRE is located, e.g. c:\Program Files\Java\jre6\bin on Windows machines) and execute the command below.

keytool -importkeystore -srckeystore <Client Cert name> -srcstorepass password -srcalias <Client Alias> -destkeystore client.p12 -deststoretype PKCS12 -deststorepass password -destalias clientkey -noprompt


keytool -v -list -keystore client.p12 -storetype pkcs12 -storepass password

Then copy the certificate client.p12 to the client machine where you will install it.

Install the certificate by clicking on it.

Procedure


  1. Copy the certificates to the SAP Lumira Edge Server machine.
  2. Launch SAP Lumira Edge Server and log in as Administrator.
  3. Select Maintenance from the left-hand panel under Administration.
  4. Choose HTTPS Settings.
  5. The HTTPS Settings dialog box opens. Choose Enable Client Authentication configuration.
  6. In the Certificate Trust List File Location field, specify the location of the JKS keystore that contains the trust list file.
  7. In the Password field, type the password that protects access to the private keys in the Certificate Trust List file.
  8. The Maximum HTTP header size field is already filled in with the default value of 32768.
  9. Choose Create.
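
One way to confirm the result of the two procedures above from a client machine (added example, not from the original post or from SAP): it checks that the server certificate validates for the bound hostname, that TLS 1.2 or later is negotiated, and that a connection without a client certificate is refused. The function names and the PEM inputs are assumptions; Python's ssl module cannot read client.p12 directly, so the client key and certificate are assumed to have been converted to a single PEM file.

```python
import socket
import ssl

def build_context(ca_file=None, client_pem=None):
    """Client context that verifies the server and refuses SSLv3/TLS 1.0/1.1."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_pem:
        # Assumption: client.p12 was converted to one PEM file (key + certificate).
        ctx.load_cert_chain(client_pem)
    return ctx

def handshake(host, port, ctx, timeout=5.0):
    """Try one HTTPS request and return (outcome, detail)."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("unreachable", str(exc))
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            # With TLS 1.3 a missing client certificate is rejected only after
            # the handshake, so send a request and wait for the first byte.
            request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            if tls.recv(1):
                return ("accepted", tls.version())
            return ("rejected", "connection closed without a reply")
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired certificate or hostname mismatch.
        return ("untrusted_server", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        return ("rejected", str(exc))

def verify_edge_https(host, port, ca_file, client_pem):
    """Expected after both procedures: no client cert is refused, a trusted one works."""
    anonymous = handshake(host, port, build_context(ca_file))
    trusted = handshake(host, port, build_context(ca_file, client_pem))
    return {
        "anonymous": anonymous,
        "with_client_cert": trusted,
        "client_auth_enforced": anonymous[0] == "rejected" and trusted[0] == "accepted",
    }

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:  # host port server-ca.pem client.pem (your own values)
        host, port, ca, pem = sys.argv[1:]
        print(verify_edge_https(host, int(port), ca, pem))
```

An "untrusted_server" outcome usually means the hostname in the Bind to Hostname or IP Address field does not match the certificate, or the CA file passed in is not the issuer.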

Configuring SSL for Lumira Desktop


To work with a certificate, you need to install the certificate into the SAP Lumira JRE keystore. After adding the certificate to the JRE keystore, you can create a connection.


Prerequisites

  • Make sure that SAP Lumira is not running.

  • Obtain your certificate information from the browser while connected to the SAP Lumira, Edge edition web application.

  • When installing the certificate, place it in the Trusted Root Certification Authorities store.

  • Ensure you have access to keytool.exe that is included with the Java Development Kit (JDK).

Procedure

These are the steps to configure a self-signed certificate with Lumira Desktop for an HTTPS connection to SAP Lumira Edge Server:

  1. On the Lumira Desktop machine, obtain the certificate created for enabling HTTPS for Lumira Edge Server. Launch https://<hostname_server>/sap/Login.html in the browser.
  2. Right-click the lock icon, click the “Connection” tab, and click the Certification Information link. Click the Details tab at the top, click the “Copy to File…” button, and follow the instructions.
  3. Get the executables keytool.exe and java.exe and place them in the Lumira Desktop jre folder (they can be found in the SAP Lumira, Edge Server installation).
  4. Copy the cacerts file from the security folder to the bin folder in Lumira Desktop. Open the command prompt in Administrator mode, navigate to the cacerts folder of Lumira Desktop, and execute the following command:

          "C:\Program Files\SAP Lumira\Desktop\jre\bin\keytool" -import -file mycert.cer -keystore ".\cacerts" -alias myappcert

     Password: changeit.

  5. Download the InstallCert program and copy its contents to the Lumira Desktop jre/bin/InstallCert folder (create the InstallCert sub-folder manually).
  6. In the command prompt, navigate to that folder and execute the following command:

          ..\java -cp . InstallCert <WACS hostname>:<WACS SSL port>

  7. The WACS port is the default port (443) and does not have to be specified.
  8. Start SAP Lumira Desktop and navigate to File->Preferences->Network Settings.
  9. In the SAP Lumira Edge section, use HTTPS and the appropriate port number in the URL, and then click OK.

          https://<Lumira Edge server hostname or IP Address>/biprws
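
Importing mycert.cer adds it to the truststore of the Lumira Desktop JRE, so it is worth confirming the file before running the keytool -import command. The following is an added example, not from the original post: it compares the SHA-256 fingerprint of the exported file, in either the DER or the Base-64 export format, with a fingerprint obtained out of band from the server administrator. The function names are illustrative.

```python
import hashlib
import hmac
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def load_der(cert_bytes):
    """Accept either export format of the browser wizard: DER or Base-64 (PEM)."""
    data = cert_bytes.strip()
    if data.startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    return cert_bytes

def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, the form certificate viewers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def _normalize(fingerprint):
    # Expected input is hex digits, optionally separated by colons or spaces.
    return fingerprint.replace(":", "").replace(" ", "").strip().lower()

def matches_expected(cert_bytes, expected_fingerprint):
    """True only if the exported file has the fingerprint the administrator gave you."""
    actual = _normalize(sha256_fingerprint(load_der(cert_bytes)))
    return hmac.compare_digest(actual, _normalize(expected_fingerprint))

def served_certificate(host, port=443):
    """DER certificate the server presents right now (fetched without validation)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)).strip())

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # mycert.cer "AA:BB:..." (fingerprint obtained out of band)
        with open(sys.argv[1], "rb") as fh:
            ok = matches_expected(fh.read(), sys.argv[2])
        print("fingerprint matches" if ok else "fingerprint mismatch: do not import")
        sys.exit(0 if ok else 1)
```

Comparing sha256_fingerprint(served_certificate(host)) with the same expected value also shows whether the server is presenting the certificate that was configured in HTTPS Settings.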



