After I spent a lot of time and used the SCN community support to find out how to configure HTTPS/SSL with client certificate authentication between LVM and the SAP host agents, I would like to share my documentation with the community. In this blog article you can read how to configure the SSL client part in LVM as well as the SSL server part on the SAP host agents. I hope this blog article is helpful for you.

Please let me know if you think something should be corrected or improved. I’d also appreciate your feedback if the documentation is helpful for you.

Related information:

Create Client PSE

Configure SSL for SAP host agent on UNIX

How to configure X.509 client certificate authentication for SAP host agent in LVM

Unfortunately the documentation on this topic is not very detailed! 🙁

In this article I try to explain the SSL configuration step by step, so that it is clear what is required for the different SSL security levels you might want to implement. My goal was to:

  • Enable secure communication (HTTPS) between LVM and the SAP host agents (works with self-signed certificates on the host agent side)
  • Make LVM verify the validity of the SAP host agent certificates (works with signed certificates on the host agent side)
  • Allow LVM to authenticate against SAP host agents by a client certificate (works with a signed client certificate on the LVM server side)

Now let’s go into the gory details:

How to configure SSL Client PSE on LVM Systems

For the How-to, I assume that the host agent was already set up correctly! Check section “How to configure SSL Server PSE on the host agents” for the correct setup!


As LVM is contacting the host agents, LVM acts as the SSL client when using secure communication. As long as only encrypted communication is required, no SSL client PSE is required on the LVM system. The client PSE is only required on the LVM server to be able to use client certificate authentication!

By default, LVM does not check the validity of the host agent SSL server certificates:

LVM -> Setup -> Settings -> Engine

[Screenshot: LVM engine settings]

With “Ignore SSL Server Certificates for Host Agents” activated, you can just turn on secure communication for the host agent:

[Screenshot: host agent configuration with secure communication turned on]

The connection test should work immediately! You now have encrypted communication, but LVM does not check if the host agent provides a valid certificate. This works even with self-signed certificates.

Now we go one step further: we want LVM to verify the validity of the host agent certificates. So we deactivate the “Ignore SSL Server Certificates for Host Agents” function in the LVM engine settings:

LVM -> Setup -> Settings -> Engine

[Screenshot: LVM engine settings]

After we changed this setting, a host agent connection test using SSL fails with the following message:

[Screenshot: failed connection test]

Why? LVM does not have a valid certificate chain to verify the certificate presented by the host agent (I assume that the host agent already has a certificate signed by your CA). To provide the certificate chain, the certificates of your CA have to be imported into the LVMView in the NWA Key Storage of the LVM system:

NWA->Configuration->Certificates and Keys->LVMView:

[Screenshot: NWA Key Storage, LVMView]

Import your CA certificates into this view using the “Import Entry” button:

[Screenshot: Import Entry dialog]

You might have to repeat this step if you also use an intermediate or sub-CA! Afterwards the LVMView should look like this:

NWA->Configuration->Certificates and Keys->LVMView:

[Screenshot: LVMView with the imported CA certificates]

Now the connection test works again. We now have encrypted communication, and LVM checks if the host agent provides a valid and signed certificate from your CA.

Until this point, no SSL client PSE is required. Now we want to switch on X.509 Client Certificate authentication. Before we can activate it, we have to create the client PSE and import the private key into the Key Storage (LVMView).

Log in as the <sid>adm user on the LVM system to create the SSL client PSE:

setenv SECUDIR /usr/sap/<SID>/<INSTANCENAME>/sec

cd $SECUDIR

Create a new client-PSE and certificate signing request for the LVM system:

/usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLC.pse -r /<path>/<to>/saplvm-client.csr -a RSA:4096:SHA256 -x "" -k GN-dNSName:<hostname>.<domain>.<TL-domain> "CN=<hostname>.<domain>.<TL-domain>, OU=SAP O=<Your Company>, L=<Your location>, C=<countrycode>"

You might need to specify additional DNS names as “-k” parameters if you want to be able to use the certificate for additional addresses!


Use the certificate signing request under /<path>/<to>/saplvm-client.csr to request a signed certificate from your CA. Make sure that you request a client certificate which includes “Extended Key Usage: ClientAuthentication”. After you have received the client certificate, import it into the client PSE on your LVM system:

/usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLC.pse -x "" -c /<path>/<to>/saplvm-client.cer -r /<path>/<to>/<CA-certificate>.cer -v

You might need to specify additional “-r” parameters if you use intermediate- or sub-CAs!

To verify the certificate list:

/usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLC.pse -x "" -v

To check the Extended Key Usage:

/usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLC.pse

No SSO for USER "<sid>adm"

  with PSE file "/usr/sap/<SID>/<INSTANCE>/sec/SAPSSLC.pse"

Subject               :   CN=<hostname>.<domain>.<TL-domain>, OU=SAP O=<Your Company>, L=<Your location>, C=<countrycode>

Issuer                :   CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom

Serialno              :   18:00:00:05:0F:F6:C4:48:0A:6F:9C:C2:BE:00:00:00:00:05:0F

KeyInfo               :   RSA, 4096-bit

Validity  -  NotBefore:   Tue Jul 12 13:05:29 2016 (160712120529Z)

             NotAfter :   Fri Jul 12 13:05:29 2019 (190712120529Z)

KeyUsage              :   digitalSignature keyEncipherment

ExtKeyUsage           :   ServerAuthentication ClientAuthentication

SubjectAltName        :   GN-dNSName:<FQDN> GN-dNSName:<FQDN> GN-dNSName:<FQDN>

Now we export the private key from the PSE to import it into the Key Storage (LVMView). Remember the encryption password, as we will need it to import the key into LVM:

/usr/sap/hostctrl/exe/sapgenpse export_p12 -p SAPSSLC.pse /<path>/<to>/saplvm-client.p12

Please enter PKCS#8 encryption password: ****

For verification, please reenter password: ****

!!! WARNING: For security reasons it is recommended to use a PIN/passphrase

!!! WARNING: which is at least 8 characters long and contains characters in

!!! WARNING: upper and lower case, numbers and non-alphanumeric symbols.

Now we import the private key from /<path>/<to>/saplvm-client.p12 into the key storage:

NWA->Configuration->Certificates and Keys->LVMView:

[Screenshots: importing the PKCS#12 private key into the LVMView]

Now we can switch the authentication type of the host agent to “X.509 Client Certificate” and select the private key we just imported:

[Screenshot: host agent authentication type set to X.509 Client Certificate]

Afterwards the connection test will work with client certificate authentication.

We now have encrypted communication, LVM checks if the host agent provides a valid and signed certificate from your CA and the host agent checks if LVM provides a valid signed client certificate from your CA to allow access to the host agent web services as user sapadm.

If X.509 client certificate authentication is still not working, the SSL server configuration on the host agent server is probably faulty. Read the next section on how to set this up!

How to configure SSL Server PSE on the host agents

For the How-to, I assume that the LVM system was already set up correctly! Check section “How to configure SSL Client PSE on LVM Systems” for the correct setup!

When you try to connect from LVM to a host agent using SSL before the server PSE exists, you get the following error:

[Screenshots: SSL connection error in LVM]

The error message pops up because the SAP host agent does not listen on HTTPS port 1129. To make it listen on this port, we have to create the SSL Server PSE for the host agent. Log in as the sapadm user on the host agent system to create it:

mkdir /usr/sap/hostctrl/exe/sec

chown sapadm:sapsys /usr/sap/hostctrl/exe/sec

setenv SECUDIR /usr/sap/hostctrl/exe/sec

setenv LD_LIBRARY_PATH /usr/sap/hostctrl/exe

cd $SECUDIR

Now create a new Server-PSE and certificate signing request for the host agent:

/usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLS.pse -r /<path>/<to>/`hostname -s`.csr -a RSA:4096:SHA256 -x "" -k GN-dNSName:`hostname -s` -k GN-dNSName:`hostname -s`.<optional>.<additional>.<domain> "CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>"

!!! WARNING: For security reasons it is recommended to use a PIN/passphrase

!!! WARNING: which is at least 8 characters long and contains characters in

!!! WARNING: upper and lower case, numbers and non-alphanumeric symbols.

Certificate Request

Signed Part

  Subject                     :CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>

  Key

   Key type                   :rsaEncryption (1.2.840.113549.1.1.1)

   Key size                   :4096

  Attributes

   Element #1

    Type                      :extensionRequest (1.2.840.113549.1.9.14)

    Value #1

     Alternative names

      Significance            :Non critical

      Value

       Element #1

        GeneralName           :GN-dNSName:<hostname>

       Element #2

        GeneralName           :GN-dNSName:<hostname>

       Element #3

        GeneralName           :GN-dNSName:<hostname>

Signature

  Signature algorithm         :sha256WithRsaEncryption (1.2.840.113549.1.1.11)

  Signature (size="4096")     :<Not displayed>

You might want to specify optional additional domain names as “-k” parameters.

For the next step, I’m still not sure why it is required. The SAP documentation just states “Allow host agent to access the PSE”. On my system, I did not execute this command, as I am not sure about the reason behind it. It does not seem to be required to make HTTPS and client certificate authentication work. Maybe somebody can comment on what this is for.

/usr/sap/hostctrl/exe/sapgenpse seclogin -p SAPSSLS.pse -x "" -O sapadm

running seclogin with USER="sapadm"

creating credentials for yourself (USER="sapadm")...

Added SSO-credentials for PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"

Now the SAP host agent needs to be restarted, so that it uses the newly created PSE:

/usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile -restart

start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile

saphostexec is already running (pid=6105). Stopping...-> Start /usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile <-

start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile

/usr/sap/hostctrl/work/sapstartsrv.log should show the following messages now:

Initializing SAPHostControl Webservice

[Thr 139907077076832] =================================================

[Thr 139907077076832] = SSL Initialization    platform tag=(linuxx86_64_gcc41)

[Thr 139907077076832] =   (721_REL,Apr  2 2016,mt,ascii,SAP_UC/size_t/void* = 8/64/64)

[Thr 139907077076832]   profile param "ssl/ssl_lib" = "/usr/sap/hostctrl/exe/libsapcrypto.so"

[Thr 139907077076832]            resulting Filename = "/usr/sap/hostctrl/exe/libsapcrypto.so"

[Thr 139907077076832] =   disabled FIPS 140-2 crypto kernel

[Thr 139907077076832] =   found CommonCryptoLib 8.4.49 (Mar  4 2016) [AES-NI,CLMUL,SSE3,SSSE3]

[Thr 139907077076832] =   current UserID: "sapadm",  env-var USER="sapadm"

[Thr 139907077076832] =   using SECUDIR=/usr/sap/hostctrl/exe/sec

[Thr 139907077076832] =  secudessl_Create_SSL_CTX():  PSE "/usr/sap/hostctrl/exe/sec/SAPSSLC.pse" not found,

[Thr 139907077076832] =      using PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" as fallback

[Thr 139907077076832] =  secudessl_Create_SSL_CTX():  PSE "/usr/sap/hostctrl/exe/sec/SAPSSLA.pse" not found,

[Thr 139907077076832] =      using PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" as fallback

[Thr 139907077076832] ******** Warning ********

[Thr 139907077076832] *** No SSL-client PSE "SAPSSLC.pse" available

[Thr 139907077076832] *** -- this might limit SSL-client side connectivity

[Thr 139907077076832] ********

[Thr 139907077076832] = Success -- SapCryptoLib SSL ready!

[Thr 139907077076832] =================================================

[Thr 139907077076832]

Starting WebService SSL thread

Starting WebService thread

Webservice thread started, listening on port 1128

Trusted http connect via Unix domain socket '/tmp/.sapstream1128' enabled.

Webservice SSL thread started, listening on port 1129

Trusted https connect via Unix domain socket '/tmp/.sapstream1129' enabled.

Now LVM can communicate by SSL/HTTPS with the host agent and the communication is encrypted.

[Screenshot: successful connection test]

But:

  – The host agent PSE contains a self-signed certificate

  – There is no trust-relationship between LVM and the host agent

  – This works only as long as LVM does not verify the certificate

LVM -> Setup -> Settings -> Engine

[Screenshot: LVM engine settings]

If the “Ignore SSL Server Certificates for Host Agents” option is turned off, you will get the following error message during a connection test:

[Screenshot: connection test error message]

To enable LVM to verify the identity of the host agent, the host agent’s certificate has to be signed by your CA.

Use the certificate signing request under /<path>/<to>/`hostname -s`.csr to request a signed certificate from your CA. For the host agent, a server certificate (Extended Key Usage: ServerAuthentication) is sufficient. After you have received the signed certificate, import it into the server PSE on your SAP host agent (log in as sapadm):

setenv SECUDIR /usr/sap/hostctrl/exe/sec

setenv LD_LIBRARY_PATH /usr/sap/hostctrl/exe

cd $SECUDIR

/usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLS.pse -x "" -c /<path>/<to>/`hostname -s`.cer -r /<path>/<to>/<CA-certificate>.cer

Opening PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"...

No SSO credentials found for this PSE.

PSE (v2) open ok.

Trying to import Certification Response…

Found PEM-framed base64-encoded ASN.1 Certificate

—————————————————————————-

Subject               :   CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>

Issuer                :   CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom

Serialno              :   18:00:00:05:13:C7:88:D6:F6:9B:DC:1E:77:00:00:00:00:05:13

KeyInfo               :   RSA, 4096-bit

Validity  –  NotBefore:   Thu Jul 14 07:27:55 2016 (160714062755Z)

              NotAfter:   Sun Jul 14 07:27:55 2019 (190714062755Z)

KeyUsage              :   digitalSignature keyEncipherment

ExtKeyUsage           :   ServerAuthentication

SubjectAltName        :   GN-dNSName:<hostname> GN-dNSName:<hostname> GN-dNSName:<hostname>

—————————————————————————-

Found PEM-framed base64-encoded ASN.1 Certificate

—————————————————————————-

Subject               :   CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom

Issuer                :   CN=A COMP Root CA 2033, DC=ead, DC=dom

Serialno              :   4D:00:00:00:03:34:78:9F:F9:C9:EF:8A:22:00:00:00:00:00:03

KeyInfo               :   RSA, 4096-bit

Validity  –  NotBefore:   Thu Jul 30 09:34:02 2015 (150730083402Z)

              NotAfter:   Sat Jul 27 09:34:02 2024 (240727083402Z)

KeyUsage              :   digitalSignature keyCertSign cRLSign

ExtKeyUsage           :   none

SubjectAltName        :   none

—————————————————————————-

Found PEM-framed base64-encoded ASN.1 Certificate

—————————————————————————-

Subject               :   CN=A COMP Root CA 2033, DC=ead, DC=dom

Issuer                :   CN=A COMP Root CA 2033, DC=ead, DC=dom

Serialno              :   5F:02:02:2D:F0:46:A8:97:4A:D0:92:0B:27:8D:DE:1D

KeyInfo               :   RSA, 4096-bit

Validity  –  NotBefore:   Tue Jul 28 10:05:43 2015 (150728090543Z)

              NotAfter:   Thu Jul 28 10:14:20 2033 (330728091420Z)

KeyUsage              :   digitalSignature keyCertSign cRLSign

ExtKeyUsage           :   none

SubjectAltName        :   none

—————————————————————————-

(Old) Certificate in PSE:

—————————————————————————-

Subject               :   CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>

Issuer                :   CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>

Serialno              :   0A:20:16:07:12:11:29:35

KeyInfo               :   RSA, 4096-bit

Validity  –  NotBefore:   Tue Jul 12 12:29:35 2016 (160712112935Z)

              NotAfter:   Fri Jan  1 01:00:01 2038 (380101000001Z)

KeyUsage              :   none

ExtKeyUsage           :   none

SubjectAltName        :   none

—————————————————————————-

Trying the following User Certificate and Chain:

—————————————————————————-

Subject               :   CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>

Issuer                :   CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom

Serialno              :   18:00:00:05:13:C7:88:D6:F6:9B:DC:1E:77:00:00:00:00:05:13

KeyInfo               :   RSA, 4096-bit

Validity  –  NotBefore:   Thu Jul 14 07:27:55 2016 (160714062755Z)

              NotAfter:   Sun Jul 14 07:27:55 2019 (190714062755Z)

KeyUsage              :   digitalSignature keyEncipherment

ExtKeyUsage           :   ServerAuthentication

SubjectAltName        :   GN-dNSName:<hostname> GN-dNSName:<hostname> GN-dNSName:<hostname>

—————————————————————————-

Subject               :   CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom

Issuer                :   CN=A COMP Root CA 2033, DC=ead, DC=dom

Serialno              :   4D:00:00:00:03:34:78:9F:F9:C9:EF:8A:22:00:00:00:00:00:03

KeyInfo               :   RSA, 4096-bit

Validity  –  NotBefore:   Thu Jul 30 09:34:02 2015 (150730083402Z)

              NotAfter:   Sat Jul 27 09:34:02 2024 (240727083402Z)

KeyUsage              :   digitalSignature keyCertSign cRLSign

ExtKeyUsage           :   none

SubjectAltName        :   none

ok.

CA-Response successfully imported into PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"

You might need to specify additional “-r” parameters if you use intermediate- or sub-CAs!


To verify the certificate list:

/usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLS.pse -x "" -v

Opening PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"...

No SSO credentials found for this PSE.

PSE (v2) open ok.

Retrieving my certificate… ok.

Getting requested information… ok.

No SSO for USER "sapadm"

  with PSE file "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"

MY Certificate:

—————————————————————————-

Subject               :   CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>

Issuer                :   CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom

Serialno              :   18:00:00:05:13:C7:88:D6:F6:9B:DC:1E:77:00:00:00:00:05:13

KeyInfo               :   RSA, 4096-bit

Validity  –  NotBefore:   Thu Jul 14 07:27:55 2016 (160714062755Z)

              NotAfter:   Sun Jul 14 07:27:55 2019 (190714062755Z)

KeyUsage              :   digitalSignature keyEncipherment

ExtKeyUsage           :   ServerAuthentication

SubjectAltName        :   GN-dNSName:<hostname> GN-dNSName:<hostname> GN-dNSName:<hostname>

—————————————————————————-

FCPath certificate level #1:

—————————————————————————-

Subject               :   CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom

Issuer                :   CN=A COMP Root CA 2033, DC=ead, DC=dom

Serialno              :   4D:00:00:00:03:34:78:9F:F9:C9:EF:8A:22:00:00:00:00:00:03

KeyInfo               :   RSA, 4096-bit

Validity  –  NotBefore:   Thu Jul 30 09:34:02 2015 (150730083402Z)

              NotAfter:   Sat Jul 27 09:34:02 2024 (240727083402Z)

KeyUsage              :   digitalSignature keyCertSign cRLSign

ExtKeyUsage           :   none

SubjectAltName        :   none

—————————————————————————-

Root Certificate:

—————————————————————————-

Subject               :   CN=A COMP Root CA 2033, DC=ead, DC=dom

Issuer                :   CN=A COMP Root CA 2033, DC=ead, DC=dom

Serialno              :   5F:02:02:2D:F0:46:A8:97:4A:D0:92:0B:27:8D:DE:1D

KeyInfo               :   RSA, 4096-bit

Validity  –  NotBefore:   Tue Jul 28 10:05:43 2015 (150728090543Z)

              NotAfter:   Thu Jul 28 10:14:20 2033 (330728091420Z)

KeyUsage              :   digitalSignature keyCertSign cRLSign

ExtKeyUsage           :   none

SubjectAltName        :   none

—————————————————————————-

Now restart host agent again to make it use the updated PSE:

/usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile -restart

start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile

saphostexec is already running (pid=6105). Stopping…-> Start /usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile <-

start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile

Now LVM can communicate by SSL with the host agent, the communication is encrypted, and LVM can verify the correctness of the SAP host agent’s certificate. The “Ignore SSL Server Certificates for Host Agents” option can therefore safely be turned off:

LVM -> Setup -> Settings -> Engine

[Screenshot: LVM engine settings]

But:

  – The host agent is still not trusting the SSL client certificate of the LVM system

  – This does still not allow client certificate authentication

[Screenshots: client certificate authentication still failing]

To allow client certificate authentication, the parameter service/sso_admin_user_0 has to be set according to the client certificate.

Make sure that you use the correct subject name as defined in the client certificate. Even differences in blanks are relevant! Use the following procedure on the client server (LVM system) to get the correct string:

On LVM System! (SSL client)

Log in as <sid>adm

setenv SECUDIR /usr/sap/<SID>/<INSTANCE>/sec

cd $SECUDIR

/usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLC.pse

No SSO for USER "<sid>adm"

  with PSE file "/usr/sap/<SID>/<INSTANCE>/sec/SAPSSLC.pse"

Subject               :  CN=<hostname>.<domain>.<TL-domain>, OU=SAP O=<Your Company>, L=<Your location>, C=<countrycode>

Issuer                :   CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom

Serialno              :   18:00:00:05:0F:F6:C4:48:0A:6F:9C:C2:BE:00:00:00:00:05:0F

KeyInfo               :   RSA, 4096-bit

Validity  –  NotBefore:   Tue Jul 12 13:05:29 2016 (160712120529Z)

             NotAfter :   Fri Jul 12 13:05:29 2019 (190712120529Z)

KeyUsage              :   digitalSignature keyEncipherment

ExtKeyUsage           :   ServerAuthentication ClientAuthentication

SubjectAltName        :   GN-dNSName:<FQDN> GN-dNSName:<FQDN> GN-dNSName:<FQDN>

Now back on the host agent (SSL server) system!

vi /usr/sap/hostctrl/exe/host_profile

#Test x.509 authentication for sap host agent (Benny Maercz, 5.7.2016)

service/sso_admin_user_0 = CN=<hostname>.<domain>.<TL-domain>, OU=SAP O=<Your Company>, L=<Your location>, C=<countrycode>
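Two things in this procedure are easy to get wrong by hand: the client certificate must carry “Extended Key Usage: ClientAuthentication” (see the CSR step for the LVM client PSE), and service/sso_admin_user_0 must equal the certificate subject exactly, blanks included. The following Python script is an added example and is not part of the original post or of SAP’s tooling: it parses the text that `sapgenpse get_my_name -v` prints (in the format shown in this article), checks that the chain links up to a self-signed root, that the leaf certificate allows client authentication, and that its Subject matches the value in host_profile character for character. All sample data below is constructed; on a real system you would feed it the captured command output and your host_profile.

```python
"""Consistency checks on `sapgenpse get_my_name -v` output versus host_profile.

Added example (not from the original post). Sample data is constructed.
"""
import re

# Constructed sample: abbreviated output of `sapgenpse get_my_name -p SAPSSLC.pse -v`
GET_MY_NAME_OUTPUT = """\
MY Certificate:
----------------------------------------------------------------------------
Subject               :   CN=lvmhost.example.com, OU=SAP, O=Example Corp, L=Walldorf, C=DE
Issuer                :   CN=Example Sub CA, DC=example, DC=com
KeyUsage              :   digitalSignature keyEncipherment
ExtKeyUsage           :   ServerAuthentication ClientAuthentication
SubjectAltName        :   GN-dNSName:lvmhost.example.com
----------------------------------------------------------------------------
FCPath certificate level #1:
----------------------------------------------------------------------------
Subject               :   CN=Example Sub CA, DC=example, DC=com
Issuer                :   CN=Example Root CA, DC=example, DC=com
KeyUsage              :   digitalSignature keyCertSign cRLSign
ExtKeyUsage           :   none
----------------------------------------------------------------------------
Root Certificate:
----------------------------------------------------------------------------
Subject               :   CN=Example Root CA, DC=example, DC=com
Issuer                :   CN=Example Root CA, DC=example, DC=com
KeyUsage              :   digitalSignature keyCertSign cRLSign
ExtKeyUsage           :   none
----------------------------------------------------------------------------
"""

# Constructed host_profile fragments: one matches the Subject exactly,
# the other dropped the blanks after the commas (the mistake the article warns about).
HOST_PROFILE_OK = "service/sso_admin_user_0 = CN=lvmhost.example.com, OU=SAP, O=Example Corp, L=Walldorf, C=DE\n"
HOST_PROFILE_BAD = "service/sso_admin_user_0 = CN=lvmhost.example.com,OU=SAP,O=Example Corp,L=Walldorf,C=DE\n"

# "Key   :   value" lines; header lines such as "MY Certificate:" do not match.
FIELD_RE = re.compile(r"^\s*(\w+)\s*:\s*(.*)$")


def parse_certificates(text):
    """Split get_my_name output into one dict of fields per certificate block."""
    certs, current = [], {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and set(stripped) <= {"-", "\u2014"}:  # separator line closes a block
            if current:
                certs.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        certs.append(current)
    return certs


def chain_links(certs):
    """Each Issuer must be the next certificate's Subject; the last one must be self-signed."""
    if not certs:
        return False
    for cert, issuer_cert in zip(certs, certs[1:]):
        if cert.get("Issuer") != issuer_cert.get("Subject"):
            return False
    root = certs[-1]
    return root.get("Subject") == root.get("Issuer")


def has_client_auth(cert):
    """True if ExtKeyUsage lists ClientAuthentication, as the LVM client PSE needs."""
    return "ClientAuthentication" in cert.get("ExtKeyUsage", "").split()


def sso_admin_users(host_profile):
    """Values of all service/sso_admin_user_<n> parameters, internal blanks untouched."""
    users = []
    for line in host_profile.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and re.fullmatch(r"service/sso_admin_user_\d+", key.strip()):
            users.append(value.strip())
    return users


def subject_matches_profile(cert, host_profile):
    """Exact comparison: the host agent does not normalise blanks in the DN."""
    return cert.get("Subject") in sso_admin_users(host_profile)


def check(get_my_name_output, host_profile):
    """Run all three checks against the leaf (first) certificate of the output."""
    certs = parse_certificates(get_my_name_output)
    leaf = certs[0] if certs else {}
    return {
        "chain_ok": chain_links(certs),
        "client_auth": has_client_auth(leaf),
        "subject_matches": subject_matches_profile(leaf, host_profile),
    }


if __name__ == "__main__":
    for name, profile in (("matching profile", HOST_PROFILE_OK), ("blanks dropped", HOST_PROFILE_BAD)):
        print(name, check(GET_MY_NAME_OUTPUT, profile))
```

With the constructed data the first profile passes all three checks, while the second fails only `subject_matches`, which is exactly the symptom of a host_profile value that was retyped instead of copied from the `get_my_name` output.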

Afterwards the host agent needs to be restarted to use the new parameter:

/usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile -restart

start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile

saphostexec is already running (pid=6105). Stopping…-> Start /usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile <-

start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile

Afterwards the connection test will work with client certificate authentication.

We now have encrypted communication, LVM checks if the host agent provides a valid and signed certificate from your CA and the host agent checks if LVM provides a valid signed client certificate from your CA to allow access to the host agent web services as user sapadm.

If X.509 client certificate authentication is still not working, the SSL client configuration on the LVM server is probably faulty. Check section “How to configure SSL Client PSE on LVM Systems” for the correct setup!


9 Comments


  1. Antonietta D'Addario

    Hello Märcz,

    I really appreciate your effort, but this blog confuses me more than I already was.
    In the configuration I had done, the mistake was:


    WebMethods GetComputerSystem failed:
    Unauthorized : User authentication required .

    I tried with all parameters:

    service / protectedwebmethods = NONE
    service / protectedwebmethods = DEFAULT
    service / protectedwebmethods = SDEFAULT


    Do you have any idea what it can be?

    1. Benny Märcz Post author

      Hi Antonietta,

      If I understood you correctly, it seems that the host agent fails to authenticate your user. Did you specify the “service/sso_admin_user_0” parameter in the host agent profile? And did you restart the host agent after you added this parameter?

      Kind regards

      Benny

      1. Antonietta D'Addario

        Hello Benny,

        I’m starting the configuration over again.

        Now I have to create the client PSE and import the private key into the Key Storage (LVMView).

        You suggest: “Login as <sid>adm user on the LVM.” Unfortunately I do not have the <sid>adm. Can I use the sapadm user for our purpose?

        thanks and best regards,

        Antonietta



        1. Benny Märcz Post author

          Hi Antonietta,

          no, this will probably not work. LVM is running as <sid>adm user and will need to read $SECUDIR which points to the instance directory /usr/sap/<SID>/<INSTANCENAME>/sec. I would expect that sapadm does not have the permissions to read from or write to this directory.

          Kind regards

          Benny

          1. Antonietta D'Addario

            Hello Benny,

            Fortunately user sapadm had the proper permissions and I was able to configure the X.509 certificate. But whatever I do, the error remains the same:

            in /usr/sap/hostctrl/work/sapstartsrv.log

            [Thr 2347] <<- SapSSLGetPeerInfo(sssl_hdl=112a82f10)==SAP_O_K

            [Thr 2347]     out: subject  = “CN=XXX, OU=SAP, O=ABB, L=Dalmine, C=IT”

            [Thr 2347]     out: issuer   = “EMAIL=XXX CN=XXX, OU=XX, O=XX, L=XX, SP=Italy, C=IT

            [Thr 2347]     out: cert_len = 1183

            [Thr 2347]     out: cipher   = “TLS_RSA_WITH_AES128_CBC_SHA”

            [Thr 2347] Unauthorized (user authentication required)

            [Thr 2347] *** ERROR => Webmethod GetComputerSystem failed: Unauthorized: User authentication required [saphostcontr 1654]

            [Thr 2347] <<- SapSSLWrite(sssl_hdl=112a82f10)==SAP_O_K


            in host_profile


            service/sso_admin_user_0 = CN=XXX,OU=SAP,O=ABB,L=Dalmine,C=IT

            service/protectedwebmethods = DEFAULT


            Why is the method still Unauthorized?


            Best regards,

            Antonietta

            1. Benny Märcz Post author

              Hi Antonietta,

              I’m sorry, I’m out of ideas at the moment. If your server certificates (on the host agents) and your client certificate (in LVM) are signed by the same CA and you configured your LVM to trust this CA, I don’t see why the user authentication does not work. Maybe there is another issue with your system. Maybe it would be good to open an SAP call for the issue.

              Kind regards

              Benny

              1. Antonietta D'Addario

                Are your server certificates (on the host agents) and your client certificate (in LVM) signed by the same CA? YES

                Did you configure your LVM to trust this CA? YES

                Did you open an OSS message? YES!


                🙁


                I’m waiting for LAMA … Maybe it will be simpler!


                Thanks and best regards

                Antonietta

  2. Victor Orozco

    Thanks for the detailed instructions Benny. The procedure would have been much more difficult without your instructions. The procedure works well with a small set of host agents. Unfortunately, for larger landscapes, it is very labor intensive to configure each host agent with a certificate. What are your thoughts about wildcarding the CN in order to reduce the certificate footprint?
