How to configure X.509 client certificate authentication for SAP host agents in LVM
After spending a lot of time, with the help of the SCN community, finding out how to configure HTTPS/SSL with client certificate authentication between LVM and the SAP host agents, I would like to share my documentation with the community. In this blog article you can read how to configure the SSL client part in LVM as well as the SSL server part on the SAP host agents. I hope this article is helpful for you.
Please let me know if you think something should be corrected or improved. I’d also appreciate your feedback if the documentation is helpful for you.
Related information:
Configure SSL for SAP host agent on UNIX
How to configure X.509 client certificate authentication for SAP host agent in LVM
Unfortunately the documentation on this topic is not very detailed! 🙁
In this article I try to explain the SSL configuration step by step, so that it becomes clear what is required for the different SSL security levels you might want to implement. My goal was to:
- Enable secure communication (HTTPS) between LVM and the SAP host agents (works with self-signed certificates on the host agent side)
- Make LVM verify the validity of the SAP host agent certificates (works with signed certificates on the host agent side)
- Allow LVM to authenticate against SAP host agents by a client certificate (works with a signed client certificate on the LVM server side)
Now let’s go into the gory details:
How to configure SSL Client PSE on LVM Systems
For this how-to, I assume that the host agent has already been set up correctly! Check section "How to configure SSL Server PSE on the host agents" for the correct setup!
As LVM contacts the host agents, LVM acts as SSL client when using secure communication. As long as only encrypted communication is required, no SSL client PSE is required on the LVM system. The client PSE is only required on the LVM server to be able to use client certificate authentication!
By default, LVM does not check the validity of the host agent SSL server certificates:
LVM -> Setup -> Settings -> Engine
With “Ignore SSL Server Certificates for Host Agents” activated, you can just turn on secure communication for the host agent:
The connection test should work immediately! You now have encrypted communication, but LVM does not check if the host agent provides a valid certificate. This works even with self-signed certificates.
Now we go one step further: We want LVM to verify the validity of the host agent certificates. So we deactivate the “Ignore SSL Server Certificates for Host Agents” function in the LVM engine settings:
LVM -> Setup -> Settings -> Engine
After this change, a host agent connection test using SSL fails with the following message:
Why? LVM does not have a valid certificate chain to verify the certificate presented by the host agent (I assume that the host agent already has a certificate signed by your CA). To provide the certificate chain, the certificates of your CA have to be imported into the LVMView in the NWA Key Storage of the LVM system:
NWA->Configuration->Certificates and Keys->LVMView:
Import your CA certificates into this view using the “Import Entry” button:
You might have to repeat this step if you also use an intermediate or sub-CA! Afterwards the LVMView should look like this:
NWA->Configuration->Certificates and Keys->LVMView:
Now the connection test works again. We now have encrypted communication, and LVM checks if the host agent provides a valid and signed certificate from your CA.
Until this point, no SSL client PSE is required. Now we want to switch on X.509 Client Certificate authentication. Before we can activate it, we have to create the client PSE and import the private key into the Key Storage (LVMView).
Log in as <sid>adm user on the LVM system to create the SSL client PSE:
setenv SECUDIR /usr/sap/<SID>/<INSTANCENAME>/sec
cd $SECUDIR
Create a new client-PSE and certificate signing request for the LVM system:
/usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLC.pse -r /<path>/<to>/saplvm-client.csr -a RSA:4096:SHA256 -x "" -k GN-dNSName:<hostname>.<domain>.<TL-domain> "CN=<hostname>.<domain>.<TL-domain>, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>"
You might need to specify additional DNS names as "-k" parameters if you want to be able to use the certificate for additional addresses! Note that -x "" creates the PSE without a PIN, so the private key in it is protected only by the file permissions of $SECUDIR.
Use the certificate signing request under /<path>/<to>/saplvm-client.csr to request a signed certificate from your CA. Make sure that you request a client certificate which includes "Extended Key Usage: ClientAuthentication". After you have received the client certificate, import it into the client PSE on your LVM system:
/usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLC.pse -x "" -c /<path>/<to>/saplvm-client.cer -r /<path>/<to>/<CA-certificate>.cer -v
You might need to specify additional "-r" parameters if you use intermediate or sub-CAs!
To verify the certificate list:
/usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLC.pse -x "" -v
To check the Extended Key Usage:
/usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLC.pse
No SSO for USER "<sid>adm"
with PSE file "/usr/sap/<SID>/<INSTANCE>/sec/SAPSSLC.pse"
Subject : CN=<hostname>.<domain>.<TL-domain>, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>
Issuer : CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom
Serialno : 18:00:00:05:0F:F6:C4:48:0A:6F:9C:C2:BE:00:00:00:00:05:0F
KeyInfo : RSA, 4096-bit
Validity – NotBefore: Tue Jul 12 13:05:29 2016 (160712120529Z)
NotAfter : Fri Jul 12 13:05:29 2019 (190712120529Z)
KeyUsage : digitalSignature keyEncipherment
ExtKeyUsage : ServerAuthentication ClientAuthentication
SubjectAltName : GN-dNSName:<FQDN> GN-dNSName:<FQDN> GN-dNSName:<FQDN>
Now we export the private key from the PSE to import it into the Key Storage (LVMView). Remember the encryption password, as we will need it to import the key into LVM:
/usr/sap/hostctrl/exe/sapgenpse export_p12 -p SAPSSLC.pse /<path>/<to>/saplvm-client.p12
Please enter PKCS#8 encryption password: ****
For verification, please reenter password: ****
!!! WARNING: For security reasons it is recommended to use a PIN/passphrase
!!! WARNING: which is at least 8 characters long and contains characters in
!!! WARNING: upper and lower case, numbers and non-alphanumeric symbols.
Now we import the private key from /<path>/<to>/saplvm-client.p12 into the key storage:
NWA->Configuration->Certificates and Keys->LVMView:
Now we can switch the authentication type of the host agent to “X.509 Client Certificate” and select the just imported private key:
Afterwards the connection test will work with client certificate authentication.
We now have encrypted communication, LVM checks if the host agent provides a valid and signed certificate from your CA and the host agent checks if LVM provides a valid signed client certificate from your CA to allow access to the host agent web services as user sapadm.
If X.509 client certificate authentication is still not working, the SSL server configuration on the host agent system is probably incorrect. Read the next section on how to set this up!
How to configure SSL Server PSE on the host agents
For this how-to, I assume that the LVM system has already been set up correctly! Check section "How to configure SSL Client PSE on LVM Systems" for the correct setup!
When trying to connect from LVM to the host agent using SSL, you get the following error:
The error message appears because the SAP host agent does not yet listen on HTTPS port 1129. To make it listen on this port, we have to create the SSL server PSE for the host agent. Log in as sapadm on the host agent system to create it:
mkdir /usr/sap/hostctrl/exe/sec
chown sapadm:sapsys /usr/sap/hostctrl/exe/sec
setenv SECUDIR /usr/sap/hostctrl/exe/sec
setenv LD_LIBRARY_PATH /usr/sap/hostctrl/exe
cd $SECUDIR
Now create a new Server-PSE and certificate signing request for the host agent:
/usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLS.pse -r /<path>/<to>/`hostname -s`.csr -a RSA:4096:SHA256 -x "" -k GN-dNSName:`hostname -s` -k GN-dNSName:`hostname -s`.<optional>.<additional>.<domain> "CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>"
!!! WARNING: For security reasons it is recommended to use a PIN/passphrase
!!! WARNING: which is at least 8 characters long and contains characters in
!!! WARNING: upper and lower case, numbers and non-alphanumeric symbols.
Certificate Request
Signed Part
Subject :CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>
Key
Key type :rsaEncryption (1.2.840.113549.1.1.1)
Key size :4096
Attributes
Element #1
Type :extensionRequest (1.2.840.113549.1.9.14)
Value #1
Alternative names
Significance :Non critical
Value
Element #1
GeneralName :GN-dNSName:<hostname>
Element #2
GeneralName :GN-dNSName:<hostname>
Element #3
GeneralName :GN-dNSName:<hostname>
Signature
Signature algorithm :sha256WithRsaEncryption (1.2.840.113549.1.1.11)
Signature (size="4096") :<Not displayed>
You might want to specify optional additional domain names as “-k” parameters.
I'm still not sure why the next step is required. SAP documentation just states "Allow host agent to access the PSE". On my system, I did not execute this command, as I am not sure about the reason behind it. It does not seem to be required to make HTTPS and client certificate authentication work. Maybe somebody can comment on what this is for.
/usr/sap/hostctrl/exe/sapgenpse seclogin -p SAPSSLS.pse -x "" -O sapadm
running seclogin with USER="sapadm"
creating credentials for yourself (USER="sapadm")...
Added SSO-credentials for PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"
Now the SAP host agent needs to be restarted, so that it uses the newly created PSE:
/usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile -restart
start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile
saphostexec is already running (pid=6105). Stopping...-> Start /usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile <-
start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile
/usr/sap/hostctrl/work/sapstartsrv.log should show the following messages now:
Initializing SAPHostControl Webservice
[Thr 139907077076832] =================================================
[Thr 139907077076832] = SSL Initialization platform tag=(linuxx86_64_gcc41)
[Thr 139907077076832] = (721_REL,Apr 2 2016,mt,ascii,SAP_UC/size_t/void* = 8/64/64)
[Thr 139907077076832] profile param "ssl/ssl_lib" = "/usr/sap/hostctrl/exe/libsapcrypto.so"
[Thr 139907077076832] resulting Filename = "/usr/sap/hostctrl/exe/libsapcrypto.so"
[Thr 139907077076832] = disabled FIPS 140-2 crypto kernel
[Thr 139907077076832] = found CommonCryptoLib 8.4.49 (Mar 4 2016) [AES-NI,CLMUL,SSE3,SSSE3]
[Thr 139907077076832] = current UserID: "sapadm", env-var USER="sapadm"
[Thr 139907077076832] = using SECUDIR=/usr/sap/hostctrl/exe/sec
[Thr 139907077076832] = secudessl_Create_SSL_CTX(): PSE "/usr/sap/hostctrl/exe/sec/SAPSSLC.pse" not found,
[Thr 139907077076832] = using PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" as fallback
[Thr 139907077076832] = secudessl_Create_SSL_CTX(): PSE "/usr/sap/hostctrl/exe/sec/SAPSSLA.pse" not found,
[Thr 139907077076832] = using PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" as fallback
[Thr 139907077076832] ******** Warning ********
[Thr 139907077076832] *** No SSL-client PSE "SAPSSLC.pse" available
[Thr 139907077076832] *** -- this might limit SSL-client side connectivity
[Thr 139907077076832] ********
[Thr 139907077076832] = Success -- SapCryptoLib SSL ready!
[Thr 139907077076832] =================================================
[Thr 139907077076832]
Starting WebService SSL thread
Starting WebService thread
Webservice thread started, listening on port 1128
Trusted http connect via Unix domain socket '/tmp/.sapstream1128' enabled.
Webservice SSL thread started, listening on port 1129
Trusted https connect via Unix domain socket '/tmp/.sapstream1129' enabled.
Now LVM can communicate with the host agent via SSL/HTTPS and the communication is encrypted. The warning about the missing SAPSSLC.pse can be ignored here, as the host agent only acts as SSL server towards LVM.
But:
- The host agent PSE contains a self-signed certificate
- There is no trust relationship between LVM and the host agent
- This works only as long as LVM does not verify the certificate
LVM -> Setup -> Settings -> Engine
If the “Ignore SSL Server Certificates for Host Agents” option is turned off, you will get the following error message during a connection test:
To enable LVM to verify the identity of the host agent, the host agent's certificate has to be signed by your CA.
Use the certificate signing request under /<path>/<to>/`hostname -s`.csr to request a signed certificate from your CA. For the host agent, a server certificate (Extended Key Usage: ServerAuthentication) is sufficient. After you have received the server certificate, import it into the server PSE on your SAP host agent (log in as sapadm):
setenv SECUDIR /usr/sap/hostctrl/exe/sec
setenv LD_LIBRARY_PATH /usr/sap/hostctrl/exe
cd $SECUDIR
/usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLS.pse -x "" -c /<path>/<to>/`hostname -s`.cer -r /<path>/<to>/<CA-certificate>.cer
Opening PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"...
No SSO credentials found for this PSE.
PSE (v2) open ok.
Trying to import Certification Response…
Found PEM-framed base64-encoded ASN.1 Certificate
—————————————————————————-
Subject : CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>
Issuer : CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom
Serialno : 18:00:00:05:13:C7:88:D6:F6:9B:DC:1E:77:00:00:00:00:05:13
KeyInfo : RSA, 4096-bit
Validity – NotBefore: Thu Jul 14 07:27:55 2016 (160714062755Z)
NotAfter: Sun Jul 14 07:27:55 2019 (190714062755Z)
KeyUsage : digitalSignature keyEncipherment
ExtKeyUsage : ServerAuthentication
SubjectAltName : GN-dNSName:<hostname> GN-dNSName:<hostname> GN-dNSName:<hostname>
—————————————————————————-
Found PEM-framed base64-encoded ASN.1 Certificate
—————————————————————————-
Subject : CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom
Issuer : CN=A COMP Root CA 2033, DC=ead, DC=dom
Serialno : 4D:00:00:00:03:34:78:9F:F9:C9:EF:8A:22:00:00:00:00:00:03
KeyInfo : RSA, 4096-bit
Validity – NotBefore: Thu Jul 30 09:34:02 2015 (150730083402Z)
NotAfter: Sat Jul 27 09:34:02 2024 (240727083402Z)
KeyUsage : digitalSignature keyCertSign cRLSign
ExtKeyUsage : none
SubjectAltName : none
—————————————————————————-
Found PEM-framed base64-encoded ASN.1 Certificate
—————————————————————————-
Subject : CN=A COMP Root CA 2033, DC=ead, DC=dom
Issuer : CN=A COMP Root CA 2033, DC=ead, DC=dom
Serialno : 5F:02:02:2D:F0:46:A8:97:4A:D0:92:0B:27:8D:DE:1D
KeyInfo : RSA, 4096-bit
Validity – NotBefore: Tue Jul 28 10:05:43 2015 (150728090543Z)
NotAfter: Thu Jul 28 10:14:20 2033 (330728091420Z)
KeyUsage : digitalSignature keyCertSign cRLSign
ExtKeyUsage : none
SubjectAltName : none
—————————————————————————-
(Old) Certificate in PSE:
—————————————————————————-
Subject : CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>
Issuer : CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>
Serialno : 0A:20:16:07:12:11:29:35
KeyInfo : RSA, 4096-bit
Validity – NotBefore: Tue Jul 12 12:29:35 2016 (160712112935Z)
NotAfter: Fri Jan 1 01:00:01 2038 (380101000001Z)
KeyUsage : none
ExtKeyUsage : none
SubjectAltName : none
—————————————————————————-
Trying the following User Certificate and Chain:
—————————————————————————-
Subject : CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>
Issuer : CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom
Serialno : 18:00:00:05:13:C7:88:D6:F6:9B:DC:1E:77:00:00:00:00:05:13
KeyInfo : RSA, 4096-bit
Validity – NotBefore: Thu Jul 14 07:27:55 2016 (160714062755Z)
NotAfter: Sun Jul 14 07:27:55 2019 (190714062755Z)
KeyUsage : digitalSignature keyEncipherment
ExtKeyUsage : ServerAuthentication
SubjectAltName : GN-dNSName:<hostname> GN-dNSName:<hostname> GN-dNSName:<hostname>
—————————————————————————-
Subject : CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom
Issuer : CN=A COMP Root CA 2033, DC=ead, DC=dom
Serialno : 4D:00:00:00:03:34:78:9F:F9:C9:EF:8A:22:00:00:00:00:00:03
KeyInfo : RSA, 4096-bit
Validity – NotBefore: Thu Jul 30 09:34:02 2015 (150730083402Z)
NotAfter: Sat Jul 27 09:34:02 2024 (240727083402Z)
KeyUsage : digitalSignature keyCertSign cRLSign
ExtKeyUsage : none
SubjectAltName : none
ok.
CA-Response successfully imported into PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"
You might need to specify additional "-r" parameters if you use intermediate or sub-CAs!
To verify the certificate list:
/usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLS.pse -x "" -v
Opening PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"...
No SSO credentials found for this PSE.
PSE (v2) open ok.
Retrieving my certificate... ok.
Getting requested information... ok.
No SSO for USER "sapadm"
with PSE file "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"
MY Certificate:
—————————————————————————-
Subject : CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>
Issuer : CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom
Serialno : 18:00:00:05:13:C7:88:D6:F6:9B:DC:1E:77:00:00:00:00:05:13
KeyInfo : RSA, 4096-bit
Validity – NotBefore: Thu Jul 14 07:27:55 2016 (160714062755Z)
NotAfter: Sun Jul 14 07:27:55 2019 (190714062755Z)
KeyUsage : digitalSignature keyEncipherment
ExtKeyUsage : ServerAuthentication
SubjectAltName : GN-dNSName:<hostname> GN-dNSName:<hostname> GN-dNSName:<hostname>
—————————————————————————-
FCPath certificate level #1:
—————————————————————————-
Subject : CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom
Issuer : CN=A COMP Root CA 2033, DC=ead, DC=dom
Serialno : 4D:00:00:00:03:34:78:9F:F9:C9:EF:8A:22:00:00:00:00:00:03
KeyInfo : RSA, 4096-bit
Validity – NotBefore: Thu Jul 30 09:34:02 2015 (150730083402Z)
NotAfter: Sat Jul 27 09:34:02 2024 (240727083402Z)
KeyUsage : digitalSignature keyCertSign cRLSign
ExtKeyUsage : none
SubjectAltName : none
—————————————————————————-
Root Certificate:
—————————————————————————-
Subject : CN=A COMP Root CA 2033, DC=ead, DC=dom
Issuer : CN=A COMP Root CA 2033, DC=ead, DC=dom
Serialno : 5F:02:02:2D:F0:46:A8:97:4A:D0:92:0B:27:8D:DE:1D
KeyInfo : RSA, 4096-bit
Validity – NotBefore: Tue Jul 28 10:05:43 2015 (150728090543Z)
NotAfter: Thu Jul 28 10:14:20 2033 (330728091420Z)
KeyUsage : digitalSignature keyCertSign cRLSign
ExtKeyUsage : none
SubjectAltName : none
—————————————————————————-
Now restart host agent again to make it use the updated PSE:
/usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile -restart
start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile
saphostexec is already running (pid=6105). Stopping…-> Start /usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile <-
start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile
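The host agent part of this procedure as one reusable script, added here as an example (it is not code from the article or from SAP; it only reuses the sapgenpse calls shown above): create the SECUDIR, generate SAPSSLS.pse and the CSR with one -k entry per DNS name, and, once the CA has answered, import the certificate with one -r entry per CA certificate in the chain, show the certificate list and restart the agent. Without RUN=1 it only prints the commands, which lets you review what a mass operation would execute. The host names, organisation and file paths in the demo are assumptions, and SAPGENPSE, SECUDIR and HOST_PROFILE can be overridden through the environment. The seclogin step is left out because the PSE is created with an empty PIN (-x "") and opens without stored credentials, which is what the "No SSO credentials found for this PSE. PSE (v2) open ok." lines above show; if you set a PIN instead, the agent needs seclogin, which stores the PIN as SSO credentials (the cred_v2 file in SECUDIR) so that sapadm can open the PSE without interaction.

```shell
#!/bin/sh
# Added example, not code from the original article: the host agent server PSE
# procedure (SECUDIR, CSR with SubjectAltName entries, import of the CA
# response with its chain, restart) as a script for rolling certificates out to
# many hosts. Only sapgenpse options that appear in the article are used.
# Without RUN=1 the commands are printed instead of executed (dry run).
# Host names, organisation and file paths in the demo at the end are constructed.

SAPGENPSE=${SAPGENPSE:-/usr/sap/hostctrl/exe/sapgenpse}
SAPHOSTEXEC=${SAPHOSTEXEC:-/usr/sap/hostctrl/exe/saphostexec}
HOST_PROFILE=${HOST_PROFILE:-/usr/sap/hostctrl/exe/host_profile}
SECUDIR=${SECUDIR:-/usr/sap/hostctrl/exe/sec}
PSE=$SECUDIR/SAPSSLS.pse
LD_LIBRARY_PATH=/usr/sap/hostctrl/exe${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
export SECUDIR LD_LIBRARY_PATH

# Execute a command when RUN=1, otherwise print it with every argument quoted.
run() {
    if [ "${RUN:-0}" = "1" ]; then
        "$@"
    else
        printf 'DRY-RUN:'; printf " '%s'" "$@"; printf '\n'
    fi
}

# Subject DN in the layout the article uses for host agents.
# $1 = short host name, $2 = FQDN, $3 = organisation, $4 = location, $5 = country
hostagent_dn() {
    printf 'CN=%s, OU=SAP Host Agent %s, OU=SAP, O=%s, L=%s, C=%s' "$2" "$1" "$3" "$4" "$5"
}

# Step 1: SECUDIR owned by sapadm, the user the host agent runs as.
prepare_secudir() {
    run mkdir -p "$SECUDIR"
    run chown sapadm:sapsys "$SECUDIR"
}

# Step 2: create SAPSSLS.pse (empty PIN, RSA 4096, SHA-256) and a CSR.
# $1 = CSR output file, $2 = subject DN, remaining args = every DNS name the
# agent is reached by; each one becomes a -k GN-dNSName:<name> entry.
gen_server_csr() {
    csr=$1; dn=$2; shift 2
    names=$*                       # DNS names contain no blanks, so $* is safe
    set -- "$SAPGENPSE" gen_pse -p "$PSE" -r "$csr" -a RSA:4096:SHA256 -x ""
    for n in $names; do set -- "$@" -k "GN-dNSName:$n"; done
    run "$@" "$dn"
}

# Step 3 (after the CA has signed the CSR): import the certificate together
# with the CA chain. $1 = signed certificate, remaining args = CA certificate
# files (root and every intermediate), each passed as its own -r parameter.
import_server_cert() {
    cert=$1; shift
    cas=$*                         # file paths without blanks assumed
    set -- "$SAPGENPSE" import_own_cert -p "$PSE" -x "" -c "$cert"
    for ca in $cas; do set -- "$@" -r "$ca"; done
    run "$@"
}

# Step 4: show the certificate list and restart the agent so it loads the PSE.
show_server_pse() { run "$SAPGENPSE" get_my_name -p "$PSE" -x "" -v; }
restart_hostagent() { run "$SAPHOSTEXEC" pf="$HOST_PROFILE" -restart; }

# Demo with constructed values (prints the commands unless RUN=1).
DN=$(hostagent_dn sapha01 sapha01.example.com "Example Corp" Walldorf DE)
prepare_secudir
gen_server_csr /tmp/sapha01.csr "$DN" sapha01 sapha01.example.com
# ... hand /tmp/sapha01.csr to the CA, then continue with the signed certificate:
import_server_cert /tmp/sapha01.cer /tmp/ExampleSubCA.cer /tmp/ExampleRootCA.cer
show_server_pse
restart_hostagent
```

Run steps 1 and 2 with RUN=1 as sapadm on each host, collect the CSRs, and run steps 3 and 4 once the CA has returned the certificates. Because step 2 creates the PSE without a PIN, the chown in step 1 is what protects the private key: keep $SECUDIR readable by sapadm only.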
Now LVM can communicate with the host agent via SSL, the communication is encrypted and LVM can verify the host agent's certificate:
Now the “Ignore SSL Server Certificates for Host Agents” option can safely be turned off:
LVM -> Setup -> Settings -> Engine
But:
- The host agent still does not trust the SSL client certificate of the LVM system
- This still does not allow client certificate authentication
To allow client certificate authentication, the host agent profile parameter service/sso_admin_user_0 has to be set to the subject of the client certificate.
Make sure that you use the exact subject name as contained in the client certificate. Even differences in blanks are relevant! Use the following procedure on the LVM system (the SSL client) to get the correct string:
On LVM System! (SSL client)
Login as <sid>adm
setenv SECUDIR /usr/sap/<SID>/<INSTANCE>/sec
cd $SECUDIR
/usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLC.pse
No SSO for USER "<sid>adm"
with PSE file "/usr/sap/<SID>/<INSTANCE>/sec/SAPSSLC.pse"
Subject : CN=<hostname>.<domain>.<TL-domain>, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>
Issuer : CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom
Serialno : 18:00:00:05:0F:F6:C4:48:0A:6F:9C:C2:BE:00:00:00:00:05:0F
KeyInfo : RSA, 4096-bit
Validity – NotBefore: Tue Jul 12 13:05:29 2016 (160712120529Z)
NotAfter : Fri Jul 12 13:05:29 2019 (190712120529Z)
KeyUsage : digitalSignature keyEncipherment
ExtKeyUsage : ServerAuthentication ClientAuthentication
SubjectAltName : GN-dNSName:<FQDN> GN-dNSName:<FQDN> GN-dNSName:<FQDN>
Now back on the host agent (SSL server) system!
vi /usr/sap/hostctrl/exe/host_profile
…
#Test x.509 authentication for sap host agent (Benny Maercz, 5.7.2016)
service/sso_admin_user_0 = CN=<hostname>.<domain>.<TL-domain>, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>
…
Afterwards the host agent needs to be restarted to use the new parameter:
/usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile -restart
start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile
saphostexec is already running (pid=6105). Stopping…-> Start /usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile <-
start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile
Afterwards the connection test will work with client certificate authentication.
We now have encrypted communication, LVM checks if the host agent provides a valid and signed certificate from your CA and the host agent checks if LVM provides a valid signed client certificate from your CA to allow access to the host agent web services as user sapadm.
If X.509 client certificate authentication is still not working, the SSL client configuration on the LVM server is probably incorrect. Check "How to configure SSL Client PSE on LVM Systems" for the correct setup!
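A check for the subject matching step above, added here as an example and not part of the original article: it reads the saved output of sapgenpse get_my_name for the LVM client PSE, the subject the host agent actually received in the TLS handshake (the out: subject = "..." trace line in sapstartsrv.log, in the format shown in the comment thread further down), and the host_profile, and reports whether a service/sso_admin_user_N entry matches exactly, matches only after removing blanks (the host agent still rejects that), or does not match at all. Every host name, DN and file content below is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original article: verify that the subject DN of
# the LVM client certificate is listed in service/sso_admin_user_N of the host
# agent profile byte for byte, and report the case where the two differ only
# in blanks (the host agent then still answers "Unauthorized").
# All host names, DNs and file contents below are constructed sample data.

# Subject from saved "sapgenpse get_my_name -p SAPSSLC.pse" output ($1 = file).
get_pse_subject() {
    sed -n 's/^[[:space:]]*Subject[[:space:]]*:[[:space:]]*//p' "$1" | head -n 1
}

# Subject the host agent received in the TLS handshake: the last
# 'out: subject = "..."' trace line in sapstartsrv.log ($1 = log file).
get_peer_subject_from_log() {
    sed -n 's/.*out: subject = "\(.*\)".*/\1/p' "$1" | tail -n 1
}

# All service/sso_admin_user_N values of a host_profile ($1), one per line.
# Blanks around '=' and at the end of the line are dropped, the rest is kept
# exactly as written (assumption: the profile parser trims only those).
list_sso_admin_users() {
    sed -n 's|^[[:space:]]*service/sso_admin_user_[0-9]*[[:space:]]*=[[:space:]]*||p' "$1" \
        | sed 's/[[:space:]]*$//'
}

# Return 0 if $1 equals an sso_admin_user entry of profile $2, 1 if an entry
# matches only after all blanks are removed, 2 if nothing matches.
check_subject_allowed() {
    subject=$1; profile=$2
    if [ -z "$subject" ]; then
        echo "MISMATCH: no subject found"; return 2
    fi
    if list_sso_admin_users "$profile" | grep -Fxq -- "$subject"; then
        echo "OK: profile lists '$subject'"; return 0
    fi
    if list_sso_admin_users "$profile" | tr -d '[:blank:]' \
            | grep -Fxq -- "$(printf '%s' "$subject" | tr -d '[:blank:]')"; then
        echo "MISMATCH (blanks only): profile entry differs from '$subject' in whitespace"; return 1
    fi
    echo "MISMATCH: no sso_admin_user entry equals '$subject'"; return 2
}

# --- constructed sample files -------------------------------------------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/get_my_name.txt" <<'EOF'
No SSO for USER "lvmadm"
with PSE file "/usr/sap/LVM/J00/sec/SAPSSLC.pse"
Subject : CN=lvmhost.example.com, OU=SAP, O=Example Corp, L=Walldorf, C=DE
Issuer : CN=Example Sub CA, DC=example, DC=com
ExtKeyUsage : ServerAuthentication ClientAuthentication
EOF
cat > "$SAMPLE_DIR/host_profile.good" <<'EOF'
service/protectedwebmethods = DEFAULT
service/sso_admin_user_0 = CN=lvmhost.example.com, OU=SAP, O=Example Corp, L=Walldorf, C=DE
EOF
cat > "$SAMPLE_DIR/host_profile.blanks" <<'EOF'
#Test x.509 authentication for sap host agent
service/protectedwebmethods = DEFAULT
service/sso_admin_user_0 = CN=lvmhost.example.com,OU=SAP,O=Example Corp,L=Walldorf,C=DE
EOF
cat > "$SAMPLE_DIR/sapstartsrv.log" <<'EOF'
[Thr 2347] <<- SapSSLGetPeerInfo(sssl_hdl=112a82f10)==SAP_O_K
[Thr 2347] out: subject = "CN=lvmhost.example.com, OU=SAP, O=Example Corp, L=Walldorf, C=DE"
[Thr 2347] out: issuer = "CN=Example Sub CA, DC=example, DC=com"
[Thr 2347] Unauthorized (user authentication required)
EOF

# --- demo: compare PSE subject, handshake subject and both profiles ------------
subject=$(get_pse_subject "$SAMPLE_DIR/get_my_name.txt")
peer=$(get_peer_subject_from_log "$SAMPLE_DIR/sapstartsrv.log")
if [ "$subject" = "$peer" ]; then
    echo "host agent received the subject reported by the client PSE"
else
    echo "host agent received '$peer', client PSE reports '$subject'"
fi
for p in good blanks; do
    check_subject_allowed "$subject" "$SAMPLE_DIR/host_profile.$p" || true
done
```

Save the get_my_name output on the LVM system, copy it and the relevant sapstartsrv.log excerpt next to the host_profile on the host agent, and call check_subject_allowed with the extracted subject: exit status 1 is the whitespace case, 2 means the subject is not configured at all.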
Hello Märcz,
I really appreciate your effort, but this blog confuses me more than I already was.
In the configuration I had done, the mistake was:
WebMethods GetComputerSystem failed:
Unauthorized: User authentication required.
I tried with all parameters:
service/protectedwebmethods = NONE
service/protectedwebmethods = DEFAULT
service/protectedwebmethods = SDEFAULT
Do you have any idea what it can be?
Hi Antonietta,
If I understood you correctly, it seems that the host agent fails to authenticate your user. Did you specify the "service/sso_admin_user_0" parameter in the host agent profile? And did you restart the host agent after you added this parameter?
Kind regards
Benny
Hello Benny
service/sso_admin_user_1 = CN=lvmAdmin, C=IT
service/sso_admin_user_0 = CN=lvmrootCA, OU=ISS, L=Dalmine, O=ABB, SP=Bergamo, C=IT
Hello Benny,
I'm starting over again the configuration.
Now I have to create the client PSE and import the private key into the Key Storage (LVMView).
You suggest: "Login as <sid>adm user on the LVM." Unfortunately I do not have the <sid>adm user. Can I use the sapadm user for our purpose?
thanks and best regards,
Antonietta
Hi Antonietta,
no, this will probably not work. LVM is running as <sid>adm user and will need to read $SECUDIR which points to the instance directory /usr/sap/<SID>/<INSTANCENAME>/sec. I would expect that sapadm does not have the permissions to read from or write to this directory.
Kind regards
Benny
Hello Benny,
fortunately user sapadm had the proper permissions and I was able to configure the X.509 certificate. But whatever I do, the error remains the same:
in /usr/sap/hostctrl/work/sapstartsrv.log
[Thr 2347] <<- SapSSLGetPeerInfo(sssl_hdl=112a82f10)==SAP_O_K
[Thr 2347] out: subject = "CN=XXX, OU=SAP, O=ABB, L=Dalmine, C=IT"
[Thr 2347] out: issuer = "EMAIL=XXX CN=XXX, OU=XX, O=XX, L=XX, SP=Italy, C=IT"
[Thr 2347] out: cert_len = 1183
[Thr 2347] out: cipher = "TLS_RSA_WITH_AES128_CBC_SHA"
[Thr 2347] Unauthorized (user authentication required)
[Thr 2347] *** ERROR => Webmethod GetComputerSystem failed: Unauthorized: User authentication required [saphostcontr 1654]
[Thr 2347] <<- SapSSLWrite(sssl_hdl=112a82f10)==SAP_O_K
in host_profile
service/sso_admin_user_0 = CN=XXX,OU=SAP,O=ABB,L=Dalmine,C=IT
service/protectedwebmethods = DEFAULT
Why is the method still Unauthorized?
Best regards,
Antonietta
Hi Antonietta,
I'm sorry, I'm out of ideas at the moment. If your server certificates (on the host agents) and your client certificate (in LVM) are signed by the same CA and you configured your LVM to trust this CA, I don't see why the user authentication does not work. Maybe there is another issue with your system. Maybe it would be good to open an SAP call for the issue.
Kind regards
Benny
Are your server certificates (on the host agents) and your client certificate (in LVM) signed by the same CA? YES
Did you configure your LVM to trust this CA? YES
Did you open an OSS message? YES!
🙁
I'm waiting for LAMA ... Maybe it will be simpler!
Thanks and best regards
Antonietta
Hi, were you able to fix the issue?
Thanks for the detailed instructions Benny. The procedure would have been much more difficult without your instructions. The procedure works well with a small set of host agents. Unfortunately, for larger landscapes, it is very labor intensive to configure each host agent with a certificate. What are your thoughts about wildcarding the CN in order to reduce the certificate footprint?
Hi Victor,
that might be an option. I haven't tried this. I created scripts to create the necessary certificate requests and to install them on each host agent. These scripts can be executed as mass operation in LAMA, so that it's only a small effort for me to install certificates on each host agent.
Kind regards
Benny
Hello Benny,
Thanks a ton for writing this up. This is a very informative article.
I'm writing to ask if you could share the scripts that help ease X.509 certificate-based authentication and encryption in a bigger landscape. Thanks in advance!!
Hello Benny
I have some PowerShell scripts with the double-hop issue. I don't want to enable CredSSP to address the problem. By enabling SSL between the host agent and SAP LAMA, does this remove one additional hop? We are using the basic authentication type.
Thanks
Hello Benny ,
we are certifying the LVM host agent. Now, how does LVM connect to the backend system using this certificate? Do we need to copy any certificate into the target system? Can you please suggest what the next steps are?