Skip to Content
Technical Articles

SCC – How to configure LDAPS (internally signed) to SAP Cloud Connector

Just providing another configuration example for connecting an internally signed corporate LDAPS server for authentication of Cloud Connector administrators.

 

Example Note:

  • This task will restart the Cloud Connector
  • LDAPS certificate signed by an internal CA. The current LDAPS server corp-ldap.myDomain.com:636 have this trust chain

  • load only the RootCA and IntermediateCA certificates to the Java Keystore
  • Export the RootCA and the IntermediateCA certs into .PEM files.

 

Steps:

  1. Make a backup of the SCC settings file first before starting. The file is /opt/sap/scc/config_master/org.eclipse.gemini.web.tomcat/default-server.xml
  1. Request a LDAP user created from your corporate LDAP admins. This is so that the SCC can login to ldap.
    In this example, the user create is ldapuser

           cn=ldapuser,dc=myDomain,dc=com

 

  1. Request a LDAP group sccadmin for SAP Cloud Connector in corporate LDAP and assigned the Administrator users.

           In this example the group created:

           cn=sccadmin,ou=Groups,dc=myDomain,dc=com

 

  1. Logon to SCC and click About to find where is the JRE. In this example, it is in /USR/SAP/sap_jvm_7.1.042/jre

         

  1. Login to the SCC operating system with an id with sudo access

 

  1. Switch to su

          sudo su –

 

  1. go to the location of the cacert file :

          cd /usr/java/sapjvm_7.1.042/jre/lib/security

 

  1. backup the cacert file

          cp cacerts cacerts.bak

 

  1. Import the certificates with these commands. Change the alias for each file.

         Eg:

         Adding RootCA

/usr/java/sapjvm_7.1.042/jre/bin/keytool -importcert -alias RootCA -keystore /usr/java/sapjvm_7.1.042/jre/lib/security/cacerts  -storepass "changeit" -file <certificateRootfile>

 

Adding Intermediate CA
         

/usr/java/sapjvm_7.1.042/jre/bin/keytool -importcert -alias IntermediateCA -keystore /usr/java/ sapjvm_7.1.042/jre/lib/security/cacerts  -storepass "changeit" -file <certificateIntermediatefile> 

 

  1. Restart SCC to load the cacerts (this will disconnect SCC)

          service scc_daemon restart

 

  1. Login to the SCC admin page and go to

         

  1. Click Authentication and check LDAP enter the following info and click save.

         Host:                  corp-ldap.myDomain.com:636      (ldap hostname and LDAPS port)

         Check the Secure button next to the host field to enable LDAPS.

         User Name:        cn=ldapuser,dc=myDomain,dc=com

         Password:           xxxxx

         Configuration:     roleBase=”ou=Groups,dc=myDomain,dc=com” roleName=”cn”

          roleSearch=”(uniqueMember={0})”

          userPattern=”uid={0},ou=Internal,ou=Users,dc=myDomain,dc=com”

 

         

        Make sure you enter the ldapuser  password too.

 

Notes about configuration section:

       You need to know how your ldap attributes are setup for your sccadmin role and your user

       attributes. You can find out using ldp query or other ldap query tools or check with your ldap       

       administrator since each setup my be different from the example above.

eg: my ldap group and it’s unique members (USERA,USERB,USERC):   

     

       roleBase = “ou=Groups,dc=myDomain,dc=com”

       roleName = “cn” (because it’s looking for a match for value = sccadmin)

       roleSearch = “uniqueMember={0}”

      This may be unique based on your ldap attributes, mine is uniqueMember but yours might be            MemberUID or members or etc. You need to validate your ldap attributes for the members in the        group. This is to search for the ldap user id who is logging into the system from the role.

 

      userPattern=”uid={0},ou=Internal,ou=Users,dc=myDomain,dc=com”

     This matches the pattern for my user eg:                                                                                           

      “uid=USERA,ou=Internal,ou=Users,dc=myDomain,dc=com”

 

     If you are using custom role instead of sccadmin, you need to make sure your roleBase is             

     matches your custom role, then add the new role name to the custom role section.  

     eg: if your new custom role is cn=scccustom,ou=newGroups,dc=myDomain,dc=com

    Then it would be

    roleBase = “ou=newGroups,dc=myDomain,dc=com”

    roleName = “cn”

    And enter “scccustom” in Administer Role field.

   

 

Please see below for more info on custom role

https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/120ceecfd84145a181ac160d588a7a3d.html

  1. Click ok when prompted this.

         

  1. Validate by logging in to Sap Cloud Connector with the user id that’s in the sccadmin group.

Troubleshooting

 

To check the logs for errors, for example, SSL certs errors. Login to SCC and go to logs and select ljs_trace.log in the view.

Example trace of trust chain error:

Switching Cloud Connector Back to File-Based User Store without Administration UI

Reference:

https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/120ceecfd84145a181ac160d588a7a3d.html

 

In case the LDAP settings do not work as expected, you can revert back the settings.  To activate the file based user store, you’ll need to restart the cloud connector after changing the file.

Make a backup of the file first then manually edit the default-server.xml configuration file located at

/opt/sap/scc/config_master/org.eclipse.gemini.web.tomcat/default-server.xml

 

To revert to file-based user management, replace the file

/opt/sap/scc/config_master/org.eclipse.gemini.web.tomcat/default-server.xml with the one that was backed up previously.

 

If no backup then edit the file and  replace the Realmsection with the following:

<Realm className=”org.apache.catalina.realm.LockOutRealm”>  <Realm className=”org.apache.catalina.realm.CombinedRealm”>    <Realm X509UsernameRetrieverClassName=”com.sap.scc.tomcat.utils.SccX509SubjectDnRetriever” className=”org.apache.catalina.realm.UserDatabaseRealm” digest=”SHA-256″ resourceName=”UserDatabase”/>    <Realm X509UsernameRetrieverClassName=”com.sap.scc.tomcat.utils.SccX509SubjectDnRetriever” className=”org.apache.catalina.realm.UserDatabaseRealm” digest=”SHA-1″ resourceName=”UserDatabase”/>   </Realm></Realm>

 

Restart the cloud connectorservice,

Execute command: service scc_daemon restart

 

 

Reference

Cloud Connector help:

https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/120ceecfd84145a181ac160d588a7a3d.html

Frank Schuler have good blog on this:

https://blogs.sap.com/2016/08/19/secure-your-hana-cloud-connector-with-openssl-certificates-part-2/

https://blogs.sap.com/2017/03/12/use-ldap-for-your-sap-cloud-connector-authentication/

 

 

 

2 Comments
You must be Logged on to comment or reply to a post.