# Client side (runs as <sid>adm): create the SSL client PSE for the LVM connection in the
# instance's SECUDIR. `setenv` is csh syntax; in sh/bash the equivalent is `export SECUDIR=...`.
setenv SECUDIR /usr/sap/<SID>/<INSTANCENAME>/sec
cd $SECUDIR
# gen_pse: new PSE SAPSSLC.pse, certificate request written to the -r path, RSA 4096 / SHA-256,
# one dNSName SAN via -k.
# -x "" gives the PSE an EMPTY PIN (sapgenpse prints its own warning about this further down);
# the private key is then protected only by the ownership/permissions of $SECUDIR.
# NOTE: this DN has no comma between "OU=SAP" and "O=<Your Company>" (the server DN later in the
# page uses "OU=SAP, O=..."); whichever form the CA issues must be repeated character-for-character
# in service/sso_admin_user_0 in host_profile.
/usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLC.pse -r /<path>/<to>/saplvm-client.csr -a RSA:4096:SHA256 -x "" -k GN-dNSName:<hostname>.<domain>.<TL-domain> "CN=<hostname>.<domain>.<TL-domain>, OU=SAP O=<Your Company>, L=<Your location>, C=<countrycode>"
# Import the CA-signed response (-c) together with the CA certificate(s) (-r) into the PSE.
# The -r placeholder below appears to be missing its closing ">" — it is a path to your CA chain file.
/usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLC.pse -x "" -c /<path>/<to>/saplvm-client.cer -r /<path>/<to>/<CA-certificate.cer -v
# Display the imported own certificate (verbose form, then the short form shown in the output below).
/usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLC.pse -x "" -v
/usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLC.pse
No SSO for USER "<sid>adm"
with PSE file "/usr/sap/<SID>/<INSTANCE>/sec/SAPSSLC.pse"
Subject : CN=<hostname>.<domain>.<TL-domain>, OU=SAP O=<Your Company>, L=<Your location>, C=<countrycode>
Issuer : CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom
Serialno : 18:00:00:05:0F:F6:C4:48:0A:6F:9C:C2:BE:00:00:00:00:05:0F
KeyInfo : RSA, 4096-bit
Validity - NotBefore: Tue Jul 12 13:05:29 2016 (160712120529Z)
NotAfter : Fri Jul 12 13:05:29 2019 (190712120529Z)
KeyUsage : digitalSignature keyEncipherment
ExtKeyUsage : ServerAuthentication ClientAuthentication
SubjectAltName : GN-dNSName:<FQDN> GN-dNSName:<FQDN> GN-dNSName:<FQDN>
ExtKeyUsage : ServerAuthentication ClientAuthentication
# Export the client PSE (private key + certificate) as PKCS#12, presumably for import into LVM.
# sapgenpse prompts for a PKCS#8 encryption password (see the prompt below); since the file
# carries the private key, choose a strong password, transfer it over a protected channel and
# remove the copy once it has been imported.
/usr/sap/hostctrl/exe/sapgenpse export_p12 -p SAPSSLC.pse /<path>/<to>/saplvm-client.p12
Please enter PKCS#8 encryption password: ****
For verification, please reenter password: ****
!!! WARNING: For security reasons it is recommended to use a PIN/passphrase
!!! WARNING: which is at least 8 characters long and contains characters in
!!! WARNING: upper and lower case, numbers and non-alphanumeric symbols.
# Server side (SAP Host Agent): create its SECUDIR, owned by the user the agent runs as
# (the startup log below reports current UserID "sapadm").
# mkdir uses the default umask; the PSE created here has an empty PIN, so consider tightening
# the directory mode (e.g. chmod 700) so only sapadm can read it — TODO(review) confirm site policy.
mkdir /usr/sap/hostctrl/exe/sec
chown sapadm:sapsys /usr/sap/hostctrl/exe/sec
setenv SECUDIR /usr/sap/hostctrl/exe/sec
# LD_LIBRARY_PATH is needed so sapgenpse can load the crypto library shipped in the hostctrl
# exe directory (the agent log later resolves ssl/ssl_lib to /usr/sap/hostctrl/exe/libsapcrypto.so).
setenv LD_LIBRARY_PATH /usr/sap/hostctrl/exe
cd $SECUDIR
# gen_pse: server PSE SAPSSLS.pse, CSR to the -r path, RSA 4096 / SHA-256, empty PIN (-x "").
# Backticks are used because csh has no $(...) substitution.
# Two -k SANs: the short hostname and a second name under <optional>.<additional>.<domain>.
# If LVM connects using the FQDN from the CN, that FQDN must also be present as a -k GN-dNSName
# entry — TLS clients generally match the SAN list, not the CN.
/usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLS.pse -r /<path>/<to>/`hostname -s`.csr -a RSA:4096:SHA256 -x "" -k GN-dNSName:`hostname -s` -k GN-dNSName:`hostname -s`.<optional>.<additional>.<domain> "CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>"
!!! WARNING: For security reasons it is recommended to use a PIN/passphrase
!!! WARNING: which is at least 8 characters long and contains characters in
!!! WARNING: upper and lower case, numbers and non-alphanumeric symbols.
Certificate Request
Signed Part
Subject :CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>
Key
Key type :rsaEncryption (1.2.840.113549.1.1.1)
Key size :4096
Attributes
Element #1
Type :extensionRequest (1.2.840.113549.1.9.14)
Value #1
Alternative names
Significance :Non critical
Value
Element #1
GeneralName :GN-dNSName:<hostname>
Element #2
GeneralName :GN-dNSName:<hostname>
Element #3
GeneralName :GN-dNSName:<hostname>
Signature
Signature algorithm :sha256WithRsaEncryption (1.2.840.113549.1.1.11)
Signature (size="4096") :<Not displayed>
# seclogin -O sapadm: create SSO credentials for user sapadm so the host agent can open
# SAPSSLS.pse without a PIN prompt (the output below confirms "Added SSO-credentials").
# These credentials are bound to the user and the PSE path; keep the PSE under the
# sapadm-owned SECUDIR created above.
/usr/sap/hostctrl/exe/sapgenpse seclogin -p SAPSSLS.pse -x "" -O sapadm
running seclogin with USER="sapadm"
creating credentials for yourself (USER="sapadm")...
Added SSO-credentials for PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"
# Restart the host agent so it picks up the new server PSE. In the startup log that follows,
# SAPSSLC.pse and SAPSSLA.pse are reported as not found under the agent's SECUDIR and
# SAPSSLS.pse is used as fallback for both — expected at this point, since only the server PSE
# has been created there. The log also shows the agent listening on 1128 (plain HTTP) and
# 1129 (HTTPS); the certificate-based checks below only protect the HTTPS port.
/usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile -restart
start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile
saphostexec is already running (pid=6105). Stopping...-> Start /usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile <-
start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile
Initializing SAPHostControl Webservice
[Thr 139907077076832] =================================================
[Thr 139907077076832] = SSL Initialization platform tag=(linuxx86_64_gcc41)
[Thr 139907077076832] = (721_REL,Apr 2 2016,mt,ascii,SAP_UC/size_t/void* = 8/64/64)
[Thr 139907077076832] profile param "ssl/ssl_lib" = "/usr/sap/hostctrl/exe/libsapcrypto.so"
[Thr 139907077076832] resulting Filename = "/usr/sap/hostctrl/exe/libsapcrypto.so"
[Thr 139907077076832] = disabled FIPS 140-2 crypto kernel
[Thr 139907077076832] = found CommonCryptoLib 8.4.49 (Mar 4 2016) [AES-NI,CLMUL,SSE3,SSSE3]
[Thr 139907077076832] = current UserID: "sapadm", env-var USER="sapadm"
[Thr 139907077076832] = using SECUDIR=/usr/sap/hostctrl/exe/sec
[Thr 139907077076832] = secudessl_Create_SSL_CTX(): PSE "/usr/sap/hostctrl/exe/sec/SAPSSLC.pse" not found,
[Thr 139907077076832] = using PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" as fallback
[Thr 139907077076832] = secudessl_Create_SSL_CTX(): PSE "/usr/sap/hostctrl/exe/sec/SAPSSLA.pse" not found,
[Thr 139907077076832] = using PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" as fallback
[Thr 139907077076832] ******** Warning ********
[Thr 139907077076832] *** No SSL-client PSE "SAPSSLC.pse" available
[Thr 139907077076832] *** -- this might limit SSL-client side connectivity
[Thr 139907077076832] ********
[Thr 139907077076832] = Success -- SapCryptoLib SSL ready!
[Thr 139907077076832] =================================================
[Thr 139907077076832]
Starting WebService SSL thread
Starting WebService thread
Webservice thread started, listening on port 1128
Trusted http connect via Unix domain socket '/tmp/.sapstream1128' enabled.
Webservice SSL thread started, listening on port 1129
Trusted https connect via Unix domain socket '/tmp/.sapstream1129' enabled.
# Once the CA has signed the server CSR: import the response (-c) plus the CA chain file (-r)
# into SAPSSLS.pse. The output below lists the issued certificate, the sub CA and the root CA,
# and the "(Old) Certificate in PSE" block shows the self-signed placeholder (Issuer == Subject)
# that this import replaces.
setenv SECUDIR /usr/sap/hostctrl/exe/sec
setenv LD_LIBRARY_PATH /usr/sap/hostctrl/exe
cd $SECUDIR
/usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLS.pse -x "" -c /<path>/<to>/`hostname -s`.cer -r /<path>/<to>/<CA-certificate>.cer
Opening PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"...
No SSO credentials found for this PSE.
PSE (v2) open ok.
Trying to import Certification Response...
Found PEM-framed base64-encoded ASN.1 Certificate
----------------------------------------------------------------------------
Subject : CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>
Issuer : CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom
Serialno : 18:00:00:05:13:C7:88:D6:F6:9B:DC:1E:77:00:00:00:00:05:13
KeyInfo : RSA, 4096-bit
Validity - NotBefore: Thu Jul 14 07:27:55 2016 (160714062755Z)
NotAfter: Sun Jul 14 07:27:55 2019 (190714062755Z)
KeyUsage : digitalSignature keyEncipherment
ExtKeyUsage : ServerAuthentication
SubjectAltName : GN-dNSName:<hostname> GN-dNSName:<hostname> GN-dNSName:<hostname>
----------------------------------------------------------------------------
Found PEM-framed base64-encoded ASN.1 Certificate
----------------------------------------------------------------------------
Subject : CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom
Issuer : CN=A COMP Root CA 2033, DC=ead, DC=dom
Serialno : 4D:00:00:00:03:34:78:9F:F9:C9:EF:8A:22:00:00:00:00:00:03
KeyInfo : RSA, 4096-bit
Validity - NotBefore: Thu Jul 30 09:34:02 2015 (150730083402Z)
NotAfter: Sat Jul 27 09:34:02 2024 (240727083402Z)
KeyUsage : digitalSignature keyCertSign cRLSign
ExtKeyUsage : none
SubjectAltName : none
----------------------------------------------------------------------------
Found PEM-framed base64-encoded ASN.1 Certificate
----------------------------------------------------------------------------
Subject : CN=A COMP Root CA 2033, DC=ead, DC=dom
Issuer : CN=A COMP Root CA 2033, DC=ead, DC=dom
Serialno : 5F:02:02:2D:F0:46:A8:97:4A:D0:92:0B:27:8D:DE:1D
KeyInfo : RSA, 4096-bit
Validity - NotBefore: Tue Jul 28 10:05:43 2015 (150728090543Z)
NotAfter: Thu Jul 28 10:14:20 2033 (330728091420Z)
KeyUsage : digitalSignature keyCertSign cRLSign
ExtKeyUsage : none
SubjectAltName : none
----------------------------------------------------------------------------
(Old) Certificate in PSE:
----------------------------------------------------------------------------
Subject : CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>
Issuer : CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>
Serialno : 0A:20:16:07:12:11:29:35
KeyInfo : RSA, 4096-bit
Validity - NotBefore: Tue Jul 12 12:29:35 2016 (160712112935Z)
NotAfter: Fri Jan 1 01:00:01 2038 (380101000001Z)
KeyUsage : none
ExtKeyUsage : none
SubjectAltName : none
----------------------------------------------------------------------------
Trying the following User Certificate and Chain:
----------------------------------------------------------------------------
Subject : CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>
Issuer : CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom
Serialno : 18:00:00:05:13:C7:88:D6:F6:9B:DC:1E:77:00:00:00:00:05:13
KeyInfo : RSA, 4096-bit
Validity - NotBefore: Thu Jul 14 07:27:55 2016 (160714062755Z)
NotAfter: Sun Jul 14 07:27:55 2019 (190714062755Z)
KeyUsage : digitalSignature keyEncipherment
ExtKeyUsage : ServerAuthentication
SubjectAltName : GN-dNSName:<hostname> GN-dNSName:<hostname> GN-dNSName:<hostname>
----------------------------------------------------------------------------
Subject : CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom
Issuer : CN=A COMP Root CA 2033, DC=ead, DC=dom
Serialno : 4D:00:00:00:03:34:78:9F:F9:C9:EF:8A:22:00:00:00:00:00:03
KeyInfo : RSA, 4096-bit
Validity - NotBefore: Thu Jul 30 09:34:02 2015 (150730083402Z)
NotAfter: Sat Jul 27 09:34:02 2024 (240727083402Z)
KeyUsage : digitalSignature keyCertSign cRLSign
ExtKeyUsage : none
SubjectAltName : none
ok.
CA-Response successfully imported into PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"
# Verify the result: -v prints the own certificate together with the forward chain
# (FCPath level #1 = sub CA, then the root). Check that Issuer, validity and the SAN
# entries below are what you expect before restarting the agent.
/usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLS.pse -x "" -v
Opening PSE "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"...
No SSO credentials found for this PSE.
PSE (v2) open ok.
Retrieving my certificate... ok.
Getting requested information... ok.
No SSO for USER "sapadm"
with PSE file "/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"
MY Certificate:
----------------------------------------------------------------------------
Subject : CN=`hostname -s`.<domain>.<TL-domain>, OU=SAP Host Agent `hostname -s`, OU=SAP, O=<Your Company>, L=<Your location>, C=<countrycode>
Issuer : CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom
Serialno : 18:00:00:05:13:C7:88:D6:F6:9B:DC:1E:77:00:00:00:00:05:13
KeyInfo : RSA, 4096-bit
Validity - NotBefore: Thu Jul 14 07:27:55 2016 (160714062755Z)
NotAfter: Sun Jul 14 07:27:55 2019 (190714062755Z)
KeyUsage : digitalSignature keyEncipherment
ExtKeyUsage : ServerAuthentication
SubjectAltName : GN-dNSName:<hostname> GN-dNSName:<hostname> GN-dNSName:<hostname>
----------------------------------------------------------------------------
FCPath certificate level #1:
----------------------------------------------------------------------------
Subject : CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom
Issuer : CN=A COMP Root CA 2033, DC=ead, DC=dom
Serialno : 4D:00:00:00:03:34:78:9F:F9:C9:EF:8A:22:00:00:00:00:00:03
KeyInfo : RSA, 4096-bit
Validity - NotBefore: Thu Jul 30 09:34:02 2015 (150730083402Z)
NotAfter: Sat Jul 27 09:34:02 2024 (240727083402Z)
KeyUsage : digitalSignature keyCertSign cRLSign
ExtKeyUsage : none
SubjectAltName : none
----------------------------------------------------------------------------
Root Certificate:
----------------------------------------------------------------------------
Subject : CN=A COMP Root CA 2033, DC=ead, DC=dom
Issuer : CN=A COMP Root CA 2033, DC=ead, DC=dom
Serialno : 5F:02:02:2D:F0:46:A8:97:4A:D0:92:0B:27:8D:DE:1D
KeyInfo : RSA, 4096-bit
Validity - NotBefore: Tue Jul 28 10:05:43 2015 (150728090543Z)
NotAfter: Thu Jul 28 10:14:20 2033 (330728091420Z)
KeyUsage : digitalSignature keyCertSign cRLSign
ExtKeyUsage : none
SubjectAltName : none
----------------------------------------------------------------------------
# Restart the host agent again so the HTTPS listener serves the CA-signed server certificate.
/usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile -restart
start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile
saphostexec is already running (pid=6105). Stopping...-> Start /usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile <-
start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile
# Back on the client side: print the client certificate. The Subject line in the output below
# is the exact string that goes into service/sso_admin_user_0 in the host agent profile.
setenv SECUDIR /usr/sap/<SID>/<INSTANCE>/sec
cd $SECUDIR
/usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLC.pse
No SSO for USER "<sid>adm"
with PSE file "/usr/sap/<SID>/<INSTANCE>/sec/SAPSSLC.pse"
Subject : CN=<hostname>.<domain>.<TL-domain>, OU=SAP O=<Your Company>, L=<Your location>, C=<countrycode>
Issuer : CN=A COMP Standard Sub CA 2024, DC=ead, DC=dom
Serialno : 18:00:00:05:0F:F6:C4:48:0A:6F:9C:C2:BE:00:00:00:00:05:0F
KeyInfo : RSA, 4096-bit
Validity - NotBefore: Tue Jul 12 13:05:29 2016 (160712120529Z)
NotAfter : Fri Jul 12 13:05:29 2019 (190712120529Z)
KeyUsage : digitalSignature keyEncipherment
ExtKeyUsage : ServerAuthentication ClientAuthentication
SubjectAltName : GN-dNSName:<FQDN> GN-dNSName:<FQDN> GN-dNSName:<FQDN>
# Edit the host agent profile and add service/sso_admin_user_0 with the client certificate
# subject DN (excerpt below). Any client certificate with exactly this subject that chains to
# a CA trusted by SAPSSLS.pse is accepted with sapadm rights, so the DN must match
# character-for-character (including the "OU=SAP O=..." spelling used above) and the CA chain
# imported into the server PSE is the effective access control.
vi /usr/sap/hostctrl/exe/host_profile
…
#Test x.509 authentication for sap host agent (Benny Maercz, 5.7.2016)
service/sso_admin_user_0 = CN=<hostname>.<domain>.<TL-domain>, OU=SAP O=<Your Company>, L=<Your location>, C=<countrycode>
…
# Final restart so the agent reads the changed host_profile (the sso_admin_user mapping).
/usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile -restart
start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile
saphostexec is already running (pid=6105). Stopping...-> Start /usr/sap/hostctrl/exe/saphostexec pf=/usr/sap/hostctrl/exe/host_profile <-
start hostcontrol using profile /usr/sap/hostctrl/exe/host_profile
Afterwards the connection test will work with client certificate authentication.
We now have encrypted communication: LVM checks that the host agent presents a valid certificate signed by your CA, and the host agent checks that LVM presents a valid client certificate signed by your CA before it grants access to the host agent web services as user sapadm.