Technology Blogs by Members
benny_maercz


After I spent a lot of time and used the SCN community support to find out how to configure HTTPS/SSL with client certificate authentication between LVM and the SAP host agents, I would like to share my documentation with the community. In this blog article you can read how to configure the SSL client part in LVM as well as the SSL server part on the SAP host agents. Hope this blog article is helpful for you.

Please let me know if you think something should be corrected or improved. I'd also appreciate your feedback if the documentation is helpful for you.

Related information:


Create Client PSE

Configure SSL for SAP host agent on UNIX

How to configure X.509 client certificate authentication for SAP host agent in LVM


Unfortunately the documentation on this topic is not very detailed! 😞

In this article I try to explain the SSL configuration step by step, so that it is clear what is required for the different SSL security levels you might want to implement. My goal was to:

  • Enable secure communication (HTTPS) between LVM and the SAP host agents (works with self-signed certificates on the host agent side)

  • Make LVM verify the validity of the SAP host agent certificates (works with signed certificates on the host agent side)

  • Allow LVM to authenticate against SAP host agents by a client certificate (works with a signed client certificate on the LVM server side)


Now let's go into the gory details:

How to configure SSL Client PSE on LVM Systems


For the How-to, I assume that the host agent was already setup correctly! Check section "How to configure SSL Server PSE on the host agents" for correct setup!

 

As LVM contacts the host agents, LVM acts as the SSL client when secure communication is used. As long as only encrypted communication is required, no SSL client PSE is required on the LVM system. The client PSE is only needed on the LVM server for client certificate authentication.

By default, LVM does not check the validity of the host agent SSL server certificates:

LVM -> Setup -> Settings -> Engine



With "Ignore SSL Server Certificates for Host Agents" activated, you can just turn on secure communication for the host agent:



The connection test should work immediately. You now have encrypted communication, but LVM does not check whether the host agent presents a valid certificate, so this works even with self-signed certificates. Keep in mind that an encrypted channel whose peer is not verified gives no protection against an attacker who can redirect the connection and present a certificate of their own; treat this level as a stepping stone, not the end state.

Now we go one step further: we want LVM to verify the validity of the host agent certificates, so we deactivate the "Ignore SSL Server Certificates for Host Agents" option in the LVM engine settings:

LVM -> Setup -> Settings -> Engine



With this option deactivated, a host agent connection test using SSL fails with the following message:



Why? LVM does not have a valid certificate chain to verify the certificate presented by the host agent (I assume here that the host agent already has a certificate signed by your CA). To provide the certificate chain, the certificates of your CA have to be imported into the LVMView in the NWA Key Storage of the LVM system:

NWA->Configuration->Certificates and Keys->LVMView:



Import your CA certificates into this view using the "Import Entry" button:



You might have to repeat this step if you also use an intermediate or sub-CA. Afterwards the LVMView should look like this:

NWA->Configuration->Certificates and Keys->LVMView:



Now the connection test works again. We now have encrypted communication, and LVM checks if the host agent provides a valid and signed certificate from your CA.

Until this point, no SSL client PSE is required. Now we want to switch on X.509 Client Certificate authentication. Before we can activate it, we have to create the client PSE and import the private key into the Key Storage (LVMView).

Log in as <sid>adm on the LVM system to create the SSL client PSE (setenv is C shell syntax; in a Bourne-type shell set and export the variable instead):
setenv SECUDIR /usr/sap/<SID>/<INSTANCE>/sec

cd $SECUDIR

Create a new client PSE and a certificate signing request for the LVM system (-x "" gives the PSE an empty PIN, so rely on the file system permissions of SECUDIR to protect it):
/usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLC.pse -r /<path>/<to>/saplvm-client.csr -a RSA:4096:SHA256 -x "" -k GN-dNSName:<hostname>.<domain>.<TL-domain> "CN=<hostname>.<domain>.<TL-domain>, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>"

You might need to specify additional DNS names with further "-k" parameters if the certificate must also be valid for other addresses.

 

Use the certificate signing request under /<path>/<to>/saplvm-client.csr to request a signed certificate from your CA. Make sure that you request a client certificate which includes "Extended Key Usage: ClientAuthentication". Once you have received the client certificate, import it into the client PSE on your LVM system:
/usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLC.pse -x "" -c /<path>/<to>/saplvm-client.cer -r /<path>/<to>/<CA-certificate.cer -v

You might need to specify additional "-r" parameters if you use intermediate- or sub-CAs!

To verify the certificate list:
/usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLC.pse -x "" -v

To check the Extended Key Usage:
/usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLC.pse

No SSO for USER "<sid>adm"

with PSE file "/usr/sap/<SID>/<INSTANCE>/sec/SAPSSLC.pse"

Subject               :   CN=<hostname>.<domain>.<TL-domain>, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>

Issuer                :   CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom

Serialno              :   18:00:00:05:0F:F6:C4:48:0A:6F:9C:C2:BE:00:00:00:00:05:0F

KeyInfo               :   RSA, 4096-bit

Validity  -  NotBefore:   Tue Jul 12 13:05:29 2016 (160712120529Z)

NotAfter :   Fri Jul 12 13:05:29 2019 (190712120529Z)

KeyUsage              :   digitalSignature keyEncipherment

ExtKeyUsage           :   ServerAuthentication ClientAuthentication

SubjectAltName        :   GN-dNSName:<FQDN> GN-dNSName:<FQDN> GN-dNSName:<FQDN>


Now we export the private key from the PSE to import it into the Key Storage (LVMView). Remember the encryption password, as we will need it to import the key into LVM:
/usr/sap/hostctrl/exe/sapgenpse export_p12 -p SAPSSLC.pse /<path>/<to>/saplvm-client.p12

Please enter PKCS#8 encryption password: ****

For verification, please reenter password: ****

!!! WARNING: For security reasons it is recommended to use a PIN/passphrase

!!! WARNING: which is at least 8 characters long and contains characters in

!!! WARNING: upper and lower case, numbers and non-alphanumeric symbols.

Now we import the private key from /<path>/<to>/saplvm-client.p12 into the key storage:

NWA->Configuration->Certificates and Keys->LVMView:





Now we can switch the authentication type of the host agent to "X.509 Client Certificate" and select the private key we just imported:



Afterwards the connection test will work with client certificate authentication.

We now have encrypted communication, LVM checks if the host agent provides a valid and signed certificate from your CA and the host agent checks if LVM provides a valid signed client certificate from your CA to allow access to the host agent web services as user sapadm.

If X.509 client certificate authentication still does not work, the SSL server configuration on the host agent is probably incomplete. The next section describes how to set it up.
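As an added example (not part of the original post and not an SAP tool), the following Python script parses the text that sapgenpse get_my_name prints, in the layout shown above, and checks the properties the client PSE must have before its key is imported into the LVMView: ExtKeyUsage ClientAuthentication, a validity period that covers today, and a Subject that will later be copied verbatim into the host agent parameter service/sso_admin_user_0 (see the host agent section below). The sample output is constructed from the layout above; the hostname, CA name, serial number and the 2048-bit minimum key size are assumptions.

```python
"""Check `sapgenpse get_my_name` output before using a PSE for X.509 client
authentication against the SAP host agent.

Added example, not part of the original blog post and not an SAP tool: it only
parses the text that sapgenpse prints and checks the points the article depends
on. Hostnames, CA names and serial numbers in the sample are constructed.
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample in the layout of `sapgenpse get_my_name -p SAPSSLC.pse`.
SAMPLE_OUTPUT = """\
No SSO for USER "lvmadm"
with PSE file "/usr/sap/LVM/J00/sec/SAPSSLC.pse"
Subject               :   CN=lvmhost.example.com, OU=SAP, O=Example Corp, L=Walldorf, C=DE
Issuer                :   CN=Example Sub CA, DC=example, DC=com
Serialno              :   18:00:00:05:0F:F6:C4:48
KeyInfo               :   RSA, 4096-bit
Validity  -  NotBefore:   Tue Jul 12 13:05:29 2016 (160712120529Z)
NotAfter :   Fri Jul 12 13:05:29 2019 (190712120529Z)
KeyUsage              :   digitalSignature keyEncipherment
ExtKeyUsage           :   ServerAuthentication ClientAuthentication
SubjectAltName        :   GN-dNSName:lvmhost.example.com
"""

MIN_RSA_BITS = 2048  # assumed policy minimum; the article itself uses 4096


def parse_get_my_name(text):
    """Return {field: value} from sapgenpse output.

    Field lines look like "<label> : <value>". Values may contain colons
    (serial numbers, times), so split at the first colon only. The validity
    line is labelled "Validity  -  NotBefore:", hence the last word of the
    label is taken as the field name.
    """
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if not sep or not label.strip():
            continue
        fields[label.split()[-1]] = value.strip()
    return fields


def utc_time(value):
    """Parse the unambiguous UTC stamp in parentheses, e.g. '(160712120529Z)'."""
    match = re.search(r"\((\d{12})Z\)", value)
    if not match:
        raise ValueError(f"no UTC timestamp in {value!r}")
    return datetime.strptime(match.group(1), "%y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_client_certificate(fields, now=None):
    """Return a list of problems; an empty list means the PSE is usable for client auth."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if "Subject" not in fields:
        problems.append("no Subject found; is this get_my_name output?")
    # The host agent only accepts the certificate for X.509 logon with the clientAuth EKU.
    if "ClientAuthentication" not in fields.get("ExtKeyUsage", "").split():
        problems.append("ExtKeyUsage lacks ClientAuthentication; request a client certificate")
    try:
        not_before, not_after = utc_time(fields["NotBefore"]), utc_time(fields["NotAfter"])
    except (KeyError, ValueError) as exc:
        problems.append(f"validity period unreadable: {exc}")
    else:
        if now < not_before:
            problems.append(f"certificate not yet valid (NotBefore {not_before:%Y-%m-%d})")
        if now > not_after:
            problems.append(f"certificate expired on {not_after:%Y-%m-%d}")
    bits = re.search(r"(\d+)-bit", fields.get("KeyInfo", ""))
    if bits and int(bits.group(1)) < MIN_RSA_BITS:
        problems.append(f"key is only {bits.group(1)} bits")
    return problems


def sso_admin_parameter(fields, index=0):
    """host_profile line for the host agent. The subject is copied verbatim:
    as the article notes, even whitespace differences matter."""
    return f"service/sso_admin_user_{index} = {fields['Subject']}"


if __name__ == "__main__":
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    parsed = parse_get_my_name(text)
    problems = check_client_certificate(parsed)
    for problem in problems:
        print("PROBLEM:", problem)
    if "Subject" in parsed:
        print(sso_admin_parameter(parsed))
    sys.exit(1 if problems else 0)
```

On the LVM system you can pipe the real output into it (sapgenpse get_my_name -p SAPSSLC.pse -x "" | python3 check_client_pse.py); without piped input it checks the embedded sample.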


How to configure SSL Server PSE on the host agents


For the How-to, I assume that the LVM system was already setup correctly! Check section "How to configure SSL Client PSE on LVM Systems" for correct setup!

When trying to connect from LVM to the host agent using SSL, you get the following error:





The error message appears because the SAP host agent does not listen on the HTTPS port 1129 yet: it only opens that port once an SSL server PSE exists. To create it, log in as sapadm on the host agent system (the directory will hold the private key, so keep it accessible to sapadm only):
mkdir /usr/sap/hostctrl/exe/sec

chown sapadm:sapsys /usr/sap/hostctrl/exe/sec

setenv SECUDIR /usr/sap/hostctrl/exe/sec

setenv LD_LIBRARY_PATH /usr/sap/hostctrl/exe

cd $SECUDIR

Now create a new server PSE and certificate signing request for the host agent. The option -x "" gives the PSE an empty PIN; a PSE with a non-empty PIN could only be opened by the host agent without interaction if SSO credentials for sapadm had been stored with sapgenpse seclogin (the step discussed below):
/usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLS.pse -r /<path>/<to>/`hostname -s`.csr -a RSA:4096:SHA256 -x "" -k GN-dNSName:`hostname -s` -k GN-dNSName:`hostname -s`.<optional>.<additional>.<domain> "CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>"

!!! WARNING: For security reasons it is recommended to use a PIN/passphrase

!!! WARNING: which is at least 8 characters long and contains characters in

!!! WARNING: upper and lower case, numbers and non-alphanumeric symbols.

Certificate Request

Signed Part

Subject                     :CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>

Key

Key type                   :rsaEncryption (1.2.840.113549.1.1.1)

Key size                   :4096

Attributes

Element #1

Type                      :extensionRequest (1.2.840.113549.1.9.14)

Value #1

Alternative names

Significance            :Non critical

Value

Element #1

GeneralName           :GN-dNSName:<hostname>

Element #2

GeneralName           :GN-dNSName:<hostname>

Element #3

GeneralName           :GN-dNSName:<hostname>

Signature

Signature algorithm         :sha256WithRsaEncryption (1.2.840.113549.1.1.11)

Signature (size="4096")     :<Not displayed>

You might want to specify optional additional domain names as "-k" parameters.

With the next step, I'm still not sure why it is required. The SAP documentation just states "Allow host agent to access the PSE". On my system, I did not execute this command, as I am not sure about the reason behind it. It does not seem to be required to make HTTPS and client certificate authentication work. Maybe somebody can comment on what this is for.
/usr/sap/hostctrl/exe/sapgenpse seclogin -p SAPSSLS.pse -x "" -O sapadm

running seclogin with USER="sapadm"

creating credentials for yourself (USER="sapadm")...

Added SSO-credentials for PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"

Now the SAP host agent needs to be restarted, so that it uses the newly created PSE:
/usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile -restart

start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile

saphostexec is already running (pid=6105). Stopping...-> Start /usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile <-start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile

/usr/sap/hostctrl/work/sapstartsrv.log should show the following messages now:
Initializing SAPHostControl Webservice

[Thr 139907077076832] =================================================

[Thr 139907077076832] = SSL Initialization    platform tag=(linuxx86_64_gcc41)

[Thr 139907077076832] =   (721_REL,Apr  2 2016,mt,ascii,SAP_UC/size_t/void* = 8/64/64)

[Thr 139907077076832]   profile param "ssl/ssl_lib" = "/usr/sap/hostctrl/exe/libsapcrypto.so"

[Thr 139907077076832]            resulting Filename = "/usr/sap/hostctrl/exe/libsapcrypto.so"

[Thr 139907077076832] =   disabled FIPS 140-2 crypto kernel

[Thr 139907077076832] =   found CommonCryptoLib 8.4.49 (Mar  4 2016) [AES-NI,CLMUL,SSE3,SSSE3]

[Thr 139907077076832] =   current UserID: "sapadm",  env-var USER="sapadm"

[Thr 139907077076832] =   using SECUDIR=/usr/sap/hostctrl/exe/sec

[Thr 139907077076832] =  secudessl_Create_SSL_CTX():  PSE "/usr/sap/hostctrl/exe/sec/SAPSSLC.pse" not found,

[Thr 139907077076832] =      using PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" as fallback

[Thr 139907077076832] =  secudessl_Create_SSL_CTX():  PSE "/usr/sap/hostctrl/exe/sec/SAPSSLA.pse" not found,

[Thr 139907077076832] =      using PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" as fallback

[Thr 139907077076832] ******** Warning ********

[Thr 139907077076832] *** No SSL-client PSE "SAPSSLC.pse" available

[Thr 139907077076832] *** -- this might limit SSL-client side connectivity

[Thr 139907077076832] ********

[Thr 139907077076832] = Success -- SapCryptoLib SSL ready!

[Thr 139907077076832] =================================================

[Thr 139907077076832]

Starting WebService SSL thread

Starting WebService thread

Webservice thread started, listening on port 1128

Trusted http connect via Unix domain socket '/tmp/.sapstream1128' enabled.

Webservice SSL thread started, listening on port 1129

Trusted https connect via Unix domain socket '/tmp/.sapstream1129' enabled.

Now LVM can communicate with the host agent via SSL/HTTPS and the communication is encrypted.



But:

  - The host agent PSE contains a self-signed certificate

  - There is no trust-relationship between LVM and the host agent

  - This works only as long as LVM does not verify the certificate

LVM -> Setup -> Settings -> Engine



If the "Ignore SSL Server Certificates for Host Agents" option is turned off, you will get the following error message during a connection test:



To enable LVM to verify the identity of the host agent, the host agent's certificate has to be signed by your CA.

Use the certificate signing request under /<path>/<to>/`hostname -s`.csr to request a signed certificate from your CA. For the host agent, a server certificate (Extended Key Usage: ServerAuthentication) is sufficient. Once you have received the signed certificate, import it together with the CA chain into the server PSE on your SAP host agent (log in as sapadm):
setenv SECUDIR /usr/sap/hostctrl/exe/sec

setenv LD_LIBRARY_PATH /usr/sap/hostctrl/exe

cd $SECUDIR

/usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLS.pse -x "" -c /<path>/<to>/`hostname -s`.cer -r /<path>/<to>/<CA-certificate>.cer

Opening PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"...

No SSO credentials found for this PSE.

PSE (v2) open ok.

Trying to import Certification Response...

Found PEM-framed base64-encoded ASN.1 Certificate

----------------------------------------------------------------------------

Subject               :   CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>

Issuer                :   CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom

Serialno              :   18:00:00:05:13:C7:88:D6:F6:9B:DC:1E:77:00:00:00:00:05:13

KeyInfo               :   RSA, 4096-bit

Validity  -  NotBefore:   Thu Jul 14 07:27:55 2016 (160714062755Z)

NotAfter:   Sun Jul 14 07:27:55 2019 (190714062755Z)

KeyUsage              :   digitalSignature keyEncipherment

ExtKeyUsage           :   ServerAuthentication

SubjectAltName        :   GN-dNSName:<hostname> GN-dNSName:<hostname> GN-dNSName:<hostname>

----------------------------------------------------------------------------

Found PEM-framed base64-encoded ASN.1 Certificate

----------------------------------------------------------------------------

Subject               :   CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom

Issuer                :   CN=A COMP Root CA 2033, DC=ead, DC=dom

Serialno              :   4D:00:00:00:03:34:78:9F:F9:C9:EF:8A:22:00:00:00:00:00:03

KeyInfo               :   RSA, 4096-bit

Validity  -  NotBefore:   Thu Jul 30 09:34:02 2015 (150730083402Z)

NotAfter:   Sat Jul 27 09:34:02 2024 (240727083402Z)

KeyUsage              :   digitalSignature keyCertSign cRLSign

ExtKeyUsage           :   none

SubjectAltName        :   none

----------------------------------------------------------------------------

Found PEM-framed base64-encoded ASN.1 Certificate

----------------------------------------------------------------------------

Subject               :   CN=A COMP Root CA 2033, DC=ead, DC=dom

Issuer                :   CN=A COMP Root CA 2033, DC=ead, DC=dom

Serialno              :   5F:02:02:2D:F0:46:A8:97:4A:D0:92:0B:27:8D:DE:1D

KeyInfo               :   RSA, 4096-bit

Validity  -  NotBefore:   Tue Jul 28 10:05:43 2015 (150728090543Z)

NotAfter:   Thu Jul 28 10:14:20 2033 (330728091420Z)

KeyUsage              :   digitalSignature keyCertSign cRLSign

ExtKeyUsage           :   none

SubjectAltName        :   none

----------------------------------------------------------------------------

(Old) Certificate in PSE:

----------------------------------------------------------------------------

Subject               :   CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>

Issuer                :   CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>

Serialno              :   0A:20:16:07:12:11:29:35

KeyInfo               :   RSA, 4096-bit

Validity  -  NotBefore:   Tue Jul 12 12:29:35 2016 (160712112935Z)

NotAfter:   Fri Jan  1 01:00:01 2038 (380101000001Z)

KeyUsage              :   none

ExtKeyUsage           :   none

SubjectAltName        :   none

----------------------------------------------------------------------------

Trying the following User Certificate and Chain:

----------------------------------------------------------------------------

Subject               :   CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>

Issuer                :   CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom

Serialno              :   18:00:00:05:13:C7:88:D6:F6:9B:DC:1E:77:00:00:00:00:05:13

KeyInfo               :   RSA, 4096-bit

Validity  -  NotBefore:   Thu Jul 14 07:27:55 2016 (160714062755Z)

NotAfter:   Sun Jul 14 07:27:55 2019 (190714062755Z)

KeyUsage              :   digitalSignature keyEncipherment

ExtKeyUsage           :   ServerAuthentication

SubjectAltName        :   GN-dNSName:<hostname> GN-dNSName:<hostname> GN-dNSName:<hostname>

----------------------------------------------------------------------------

Subject               :   CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom

Issuer                :   CN=A COMP Root CA 2033, DC=ead, DC=dom

Serialno              :   4D:00:00:00:03:34:78:9F:F9:C9:EF:8A:22:00:00:00:00:00:03

KeyInfo               :   RSA, 4096-bit

Validity  -  NotBefore:   Thu Jul 30 09:34:02 2015 (150730083402Z)

NotAfter:   Sat Jul 27 09:34:02 2024 (240727083402Z)

KeyUsage              :   digitalSignature keyCertSign cRLSign

ExtKeyUsage           :   none

SubjectAltName        :   none

ok.

CA-Response successfully imported into PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"

You might need to specify additional "-r" parameters if you use intermediate- or sub-CAs!

 

To verify the certificate list:
/usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLS.pse -x "" -v

Opening PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"...

No SSO credentials found for this PSE.

PSE (v2) open ok.

Retrieving my certificate... ok.

Getting requested information... ok.

No SSO for USER "sapadm"

with PSE file "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"

MY Certificate:

----------------------------------------------------------------------------

Subject               :   CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>

Issuer                :   CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom

Serialno              :   18:00:00:05:13:C7:88:D6:F6:9B:DC:1E:77:00:00:00:00:05:13

KeyInfo               :   RSA, 4096-bit

Validity  -  NotBefore:   Thu Jul 14 07:27:55 2016 (160714062755Z)

NotAfter:   Sun Jul 14 07:27:55 2019 (190714062755Z)

KeyUsage              :   digitalSignature keyEncipherment

ExtKeyUsage           :   ServerAuthentication

SubjectAltName        :   GN-dNSName:<hostname> GN-dNSName:<hostname> GN-dNSName:<hostname>

----------------------------------------------------------------------------

FCPath certificate level #1:

----------------------------------------------------------------------------

Subject               :   CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom

Issuer                :   CN=A COMP Root CA 2033, DC=ead, DC=dom

Serialno              :   4D:00:00:00:03:34:78:9F:F9:C9:EF:8A:22:00:00:00:00:00:03

KeyInfo               :   RSA, 4096-bit

Validity  -  NotBefore:   Thu Jul 30 09:34:02 2015 (150730083402Z)

NotAfter:   Sat Jul 27 09:34:02 2024 (240727083402Z)

KeyUsage              :   digitalSignature keyCertSign cRLSign

ExtKeyUsage           :   none

SubjectAltName        :   none

----------------------------------------------------------------------------

Root Certificate:

----------------------------------------------------------------------------

Subject               :   CN=A COMP Root CA 2033, DC=ead, DC=dom

Issuer                :   CN=A COMP Root CA 2033, DC=ead, DC=dom

Serialno              :   5F:02:02:2D:F0:46:A8:97:4A:D0:92:0B:27:8D:DE:1D

KeyInfo               :   RSA, 4096-bit

Validity  -  NotBefore:   Tue Jul 28 10:05:43 2015 (150728090543Z)

NotAfter:   Thu Jul 28 10:14:20 2033 (330728091420Z)

KeyUsage              :   digitalSignature keyCertSign cRLSign

ExtKeyUsage           :   none

SubjectAltName        :   none

----------------------------------------------------------------------------

Now restart host agent again to make it use the updated PSE:
/usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile -restart

start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile

saphostexec is already running (pid=6105). Stopping...-> Start /usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile <-

start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile

Now LVM can communicate with the host agent over SSL: the communication is encrypted and LVM can verify the host agent's certificate.

The "Ignore SSL Server Certificates for Host Agents" option can now safely be turned off:

LVM -> Setup -> Settings -> Engine



But:

  - The host agent still does not trust the SSL client certificate of the LVM system

  - Client certificate authentication is therefore still not possible





To allow client certificate authentication, the parameter service/sso_admin_user_0 has to be set to the subject of the client certificate. The host agent then treats a client that authenticates with a certificate carrying exactly this subject as its administrative user.

Make sure that you use the subject exactly as it appears in the client certificate; even differences in whitespace matter. Use the following procedure on the client side (the LVM system) to get the correct string:

On LVM System! (SSL client)

Log in as <sid>adm
setenv SECUDIR /usr/sap/<SID>/<INSTANCE>/sec

cd $SECUDIR

/usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLC.pse

No SSO for USER "<sid>adm"

with PSE file "/usr/sap/<SID>/<INSTANCE>/sec/SAPSSLC.pse"

Subject               :   CN=<hostname>.<domain>.<TL-domain>, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>

Issuer                :   CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom

Serialno              :   18:00:00:05:0F:F6:C4:48:0A:6F:9C:C2:BE:00:00:00:00:05:0F

KeyInfo               :   RSA, 4096-bit

Validity  -  NotBefore:   Tue Jul 12 13:05:29 2016 (160712120529Z)

NotAfter :   Fri Jul 12 13:05:29 2019 (190712120529Z)

KeyUsage              :   digitalSignature keyEncipherment

ExtKeyUsage           :   ServerAuthentication ClientAuthentication

SubjectAltName        :   GN-dNSName:<FQDN> GN-dNSName:<FQDN> GN-dNSName:<FQDN>

Now back on the host agent (SSL server) system!
vi /usr/sap/hostctrl/exe/host_profile



#Test x.509 authentication for sap host agent (Benny Maercz, 5.7.2016)

service/sso_admin_user_0 = CN=<hostname>.<domain>.<TL-domain>, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>


Afterwards the host agent needs to be restarted to use the new parameter:
/usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile -restart

start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile

saphostexec is already running (pid=6105). Stopping...-> Start /usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile <-

start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile

Afterwards the connection test will work with client certificate authentication.


We now have encrypted communication, LVM checks if the host agent provides a valid and signed certificate from your CA and the host agent checks if LVM provides a valid signed client certificate from your CA to allow access to the host agent web services as user sapadm.


If X.509 client certificate authentication still does not work, the SSL client configuration on the LVM server is probably incomplete. Check "How to configure SSL Client PSE on LVM Systems" for the correct setup.
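To close, an added example that is not part of the original post and not SAP code. It uses OpenSSL in place of the corporate CA and of sapgenpse (which needs CommonCryptoLib and is not available in a plain shell) to reproduce the PKI side of both procedures above, the client PSE on the LVM system and the server PSE on the host agent. It builds a root/sub-CA chain like the one visible in the sapgenpse output, issues a server certificate with ServerAuthentication and SANs and a client certificate with ClientAuthentication, and then runs the checks worth doing on a CA response before import_own_cert: does the certificate chain up to the root (what LVM does once the "Ignore" option is off, and what fails for the self-signed certificate that gen_pse creates), does it carry the right Extended Key Usage, are the DNS names in the subjectAltName, and what is the exact subject string. Hostnames, CA names and the working directory are made up; OpenSSL 1.1.1 or newer with its default configuration file is assumed. Note that OpenSSL prints the usages as "TLS Web Server Authentication" and "TLS Web Client Authentication" where sapgenpse prints "ServerAuthentication" and "ClientAuthentication".

```shell
#!/bin/sh
# Added example (not from the original post or from SAP). OpenSSL stands in for
# the corporate CA and for sapgenpse: it builds a root -> sub CA chain, issues a
# server certificate for the host agent and a client certificate for LVM, and
# runs the checks you would run on a CA response before import_own_cert.
# Hostnames, CA names and the directory are made up (OpenSSL >= 1.1.1 assumed).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Two-level CA: a self-signed root and a sub CA that signs the end-entity certificates.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/DC=com/DC=example/CN=Example Root CA" -keyout root.key -out root.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
openssl x509 -req -in root.csr -signkey root.key -days 1 -sha256 -extfile root.ext -out root.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/DC=com/DC=example/CN=Example Sub CA" -keyout sub.key -out sub.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 -sha256 \
    -extfile sub.ext -out sub.pem 2>/dev/null
cat sub.pem root.pem > chain.pem   # what the -r parameters of import_own_cert must supply

# Host agent: server certificate (EKU serverAuth) with the SANs given via -k to gen_pse.
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout server.key -out server.csr \
    -subj "/C=DE/L=Walldorf/O=Example Corp/OU=SAP/OU=SAP Host Agent sapapp01/CN=sapapp01.example.com" 2>/dev/null
printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:sapapp01,DNS:sapapp01.example.com\n' > server.ext
openssl x509 -req -in server.csr -CA sub.pem -CAkey sub.key -CAcreateserial -days 1 -sha256 \
    -extfile server.ext -out server.pem 2>/dev/null

# LVM: client certificate; the host agent only accepts it for X.509 logon with EKU clientAuth.
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout client.key -out client.csr \
    -subj "/C=DE/L=Walldorf/O=Example Corp/OU=SAP/CN=lvmhost.example.com" 2>/dev/null
printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\nsubjectAltName=DNS:lvmhost.example.com\n' > client.ext
openssl x509 -req -in client.csr -CA sub.pem -CAkey sub.key -CAcreateserial -days 1 -sha256 \
    -extfile client.ext -out client.pem 2>/dev/null

# The self-signed certificate a fresh gen_pse PSE contains: enough for encryption
# only, rejected as soon as LVM verifies the server certificate.
openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=sapapp01.example.com" -keyout selfsigned.key -out selfsigned.pem 2>/dev/null

# What LVM does with "Ignore SSL Server Certificates for Host Agents" switched off:
# build a path from the presented certificate to a root in its trust store.
# $1 certificate, $2 trusted root(s), $3 intermediates sent along with the certificate.
verify_against_ca() {
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

# $1 certificate, $2 usage text as OpenSSL prints it, e.g. "TLS Web Client Authentication".
has_eku() {
    openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Extended Key Usage' | grep -q "$2"
}

# $1 certificate, $2 DNS name that must be listed in the subjectAltName.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | grep -qE "DNS:$2"'(,|[[:space:]]|$)'
}

# Subject in the "CN=..., OU=..., O=..., L=..., C=..." form that sapgenpse prints
# (and that service/sso_admin_user_0 must match exactly).
subject_rfc2253() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253,sep_comma_plus_space | sed 's/^subject= *//'
}

for cert in server.pem client.pem selfsigned.pem; do
    if verify_against_ca "$cert" root.pem sub.pem; then chain=ok; else chain=FAILED; fi
    printf '%-15s chain %-7s %s\n' "$cert" "$chain" "$(subject_rfc2253 "$cert")"
done
```

The same verify and x509 commands can be pointed at the .cer files your CA returned before you import them, and openssl s_client -connect <hostagent>:1129 -CAfile chain.pem shows the certificate the running host agent actually presents on port 1129.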
