
Just providing another configuration example for connecting an internally signed corporate LDAPS server for authentication of Cloud Connector administrators.

 

Example Note:

  • This task will restart the Cloud Connector.
  • The LDAPS certificate is signed by an internal CA. The current LDAPS server corp-ldap.myDomain.com:636 has this trust chain:

  • Load only the RootCA and IntermediateCA certificates into the Java keystore.
  • Export the RootCA and the IntermediateCA certs into .PEM files.

 

Steps:

  1. Make a backup of the SCC settings file before starting. The file is /opt/sap/scc/config_master/org.eclipse.gemini.web.tomcat/default-server.xml
  2. Request an LDAP user from your corporate LDAP admins. This is the account the SCC uses to bind to LDAP.
     In this example, the user created is ldapuser:

           cn=ldapuser,dc=myDomain,dc=com

 

  3. Request an LDAP group sccadmin for SAP Cloud Connector in the corporate LDAP and assign the administrator users to it.

           In this example, the group created is:

           cn=sccadmin,ou=Groups,dc=myDomain,dc=com

 

  4. Log on to SCC and click About to find where the JRE is. In this example, it is in /USR/SAP/sap_jvm_7.1.042/jre

         

  5. Log in to the SCC operating system with an ID that has sudo access.

 

  6. Switch to root:

          sudo su -

 

  7. Go to the location of the cacerts file:

          cd /usr/java/sapjvm_7.1.042/jre/lib/security

 

  8. Back up the cacerts file:

          cp cacerts cacerts.bak

 

  9. Import the certificates with these commands, using a different alias for each file. <certificateRootfile> and <certificateIntermediatefile> are the .PEM files exported earlier.

         Eg:

         Adding RootCA

/usr/java/sapjvm_7.1.042/jre/bin/keytool -importcert -alias RootCA -keystore /usr/java/sapjvm_7.1.042/jre/lib/security/cacerts -storepass "changeit" -file <certificateRootfile>

 

         Adding Intermediate CA

/usr/java/sapjvm_7.1.042/jre/bin/keytool -importcert -alias IntermediateCA -keystore /usr/java/sapjvm_7.1.042/jre/lib/security/cacerts -storepass "changeit" -file <certificateIntermediatefile>

 

  10. Restart SCC to load the new cacerts (this disconnects the SCC):

          service scc_daemon restart

 

  11. Log in to the SCC admin page and go to

         

  12. Click Authentication, check LDAP, enter the following information and click Save.

         Host:                  corp-ldap.myDomain.com:636      (LDAP hostname and LDAPS port)

         Check the Secure button next to the host field to enable LDAPS.

         User Name:        cn=ldapuser,dc=myDomain,dc=com

         Password:           xxxxx

         Configuration:     roleBase="ou=Groups,dc=myDomain,dc=com" roleName="cn"

          roleSearch="(uniqueMember={0})"

          userPattern="uid={0},ou=Internal,ou=Users,dc=myDomain,dc=com"

 

         Make sure you enter the ldapuser password too.

  13. Click OK when prompted.

         

  14. Validate by logging in to SAP Cloud Connector with a user ID that is in the sccadmin group.
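The keytool import step above has two quiet failure modes: keytool -importcert stores only the first certificate of a multi-certificate PEM file, and an alias typed wrongly or a file mixed up is not noticed until the LDAPS trust chain fails at login. The script below is an added example (not part of the original post or of SAP's tooling) that wraps the same keytool commands: it refuses any PEM file that does not contain exactly one certificate, backs up cacerts, imports each file under its own alias, skips aliases already present, and confirms each alias afterwards with keytool -list. The JRE path and store password are the ones used in the post; the PEM file paths under /tmp are placeholders you replace with your exported files.

```python
#!/usr/bin/env python3
"""Import the RootCA and IntermediateCA certificates into the SAP JVM cacerts
with pre-checks and post-import verification. Added example, not from the post.
Run as root on the Cloud Connector host, then restart scc_daemon as the post says.
"""
import re
import shutil
import subprocess
import sys
from pathlib import Path

JRE = "/usr/java/sapjvm_7.1.042/jre"      # JRE location from the post
KEYTOOL = f"{JRE}/bin/keytool"
CACERTS = f"{JRE}/lib/security/cacerts"
STOREPASS = "changeit"                    # default cacerts password, as in the post

# alias -> PEM file; the file paths are placeholders (assumption), one CA per file
CERTS = {
    "RootCA": "/tmp/RootCA.pem",
    "IntermediateCA": "/tmp/IntermediateCA.pem",
}

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def count_pem_certs(pem_text):
    """Number of certificate blocks in a PEM file. keytool -importcert takes only
    the first, so a chain file imported under one alias silently drops the rest."""
    return len(_PEM_BLOCK.findall(pem_text))


def keytool_import_cmd(alias, pem_path, keytool=KEYTOOL, keystore=CACERTS, storepass=STOREPASS):
    """Argument list for a non-interactive trusted-cert import: the post's flags plus -noprompt."""
    return [keytool, "-importcert", "-noprompt", "-alias", alias,
            "-keystore", keystore, "-storepass", storepass, "-file", pem_path]


def alias_present(alias, keytool=KEYTOOL, keystore=CACERTS, storepass=STOREPASS):
    """keytool -list exits non-zero when the alias does not exist in the keystore."""
    result = subprocess.run([keytool, "-list", "-alias", alias, "-keystore", keystore,
                             "-storepass", storepass], capture_output=True, text=True)
    return result.returncode == 0


def import_ca_certs(certs=CERTS, keytool=KEYTOOL, keystore=CACERTS, storepass=STOREPASS):
    """Check the PEM files, back up the keystore, import each CA under its alias,
    and return the list of aliases verified present afterwards."""
    for alias, pem in certs.items():
        found = count_pem_certs(Path(pem).read_text())
        if found != 1:
            sys.exit(f"{pem}: expected exactly 1 certificate, found {found}; "
                     "export one CA certificate per file")
    backup = keystore + ".bak"          # same backup name as the post's cp command
    if not Path(backup).exists():
        shutil.copy2(keystore, backup)
    verified = []
    for alias, pem in certs.items():
        if alias_present(alias, keytool, keystore, storepass):
            print(f"{alias}: already in keystore, skipping import")
        else:
            subprocess.run(keytool_import_cmd(alias, pem, keytool, keystore, storepass), check=True)
        if alias_present(alias, keytool, keystore, storepass):
            verified.append(alias)
        else:
            print(f"{alias}: NOT found after import, check the keytool output", file=sys.stderr)
    return verified


if __name__ == "__main__":
    print("verified aliases:", import_ca_certs())
```

Run it once before the restart in step 10; because it skips aliases that already exist, re-running it after a mistake does not create duplicate entries or overwrite the backup.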

Troubleshooting

 

To check the logs for errors (for example, SSL certificate errors), log in to SCC, go to Logs and select ljs_trace.log in the view.

Example trace of a trust chain error:

Switching Cloud Connector Back to File-Based User Store without Administration UI

Reference:

https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/120ceecfd84145a181ac160d588a7a3d.html

 

If the LDAP settings do not work as expected, you can revert the settings. To activate the file-based user store, you need to restart the Cloud Connector after changing the file.

Make a backup of the file first, then manually edit the default-server.xml configuration file located at

/opt/sap/scc/config_master/org.eclipse.gemini.web.tomcat/default-server.xml

 

To revert to file-based user management, replace the file

/opt/sap/scc/config_master/org.eclipse.gemini.web.tomcat/default-server.xml with the one that was backed up previously.

 

If there is no backup, edit the file and replace the Realm section with the following:

          <Realm className="org.apache.catalina.realm.LockOutRealm">
            <Realm className="org.apache.catalina.realm.CombinedRealm">
              <Realm X509UsernameRetrieverClassName="com.sap.scc.tomcat.utils.SccX509SubjectDnRetriever" className="org.apache.catalina.realm.UserDatabaseRealm" digest="SHA-256" resourceName="UserDatabase"/>
              <Realm X509UsernameRetrieverClassName="com.sap.scc.tomcat.utils.SccX509SubjectDnRetriever" className="org.apache.catalina.realm.UserDatabaseRealm" digest="SHA-1" resourceName="UserDatabase"/>
            </Realm>
          </Realm>

 

Restart the Cloud Connector service:

Execute command: service scc_daemon restart
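Hand-editing a one-line Realm block in default-server.xml is easy to get wrong when you are locked out and in a hurry. The script below is an added example (not from the post or from SAP) that performs the revert described above: it backs up default-server.xml, locates the current top-level Realm element (assumed to be the first <Realm> child under the Tomcat Engine), swaps it for the file-based Realm block quoted in the post, and writes the file back. The path is the one from the post; the sample LDAP realm used for testing is constructed and not what SCC actually writes. You still restart scc_daemon afterwards.

```python
#!/usr/bin/env python3
"""Revert the Cloud Connector default-server.xml to the file-based user store
without the administration UI. Added example, not from the post or SAP.
Run as root, then: service scc_daemon restart
"""
import shutil
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

SERVER_XML = "/opt/sap/scc/config_master/org.eclipse.gemini.web.tomcat/default-server.xml"

# File-based Realm block exactly as quoted in the post
FILE_REALM_XML = """<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.CombinedRealm">
    <Realm X509UsernameRetrieverClassName="com.sap.scc.tomcat.utils.SccX509SubjectDnRetriever" className="org.apache.catalina.realm.UserDatabaseRealm" digest="SHA-256" resourceName="UserDatabase"/>
    <Realm X509UsernameRetrieverClassName="com.sap.scc.tomcat.utils.SccX509SubjectDnRetriever" className="org.apache.catalina.realm.UserDatabaseRealm" digest="SHA-1" resourceName="UserDatabase"/>
  </Realm>
</Realm>"""


def _parse(xml_text):
    # keep XML comments so the rewritten file loses nothing but the Realm block
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def find_realm_parent(root):
    """Return (parent, realm) for the first element that has a direct <Realm> child,
    i.e. the top-level Realm (assumed to sit under the Engine, as in stock Tomcat)."""
    for parent in root.iter():
        for child in list(parent):
            if child.tag == "Realm":
                return parent, child
    return None, None


def revert_to_file_realm(xml_text):
    """Return the XML text with the current top-level Realm replaced by the file-based one."""
    root = _parse(xml_text)
    parent, old = find_realm_parent(root)
    if old is None:
        raise ValueError("no <Realm> element found in default-server.xml")
    new = _parse(FILE_REALM_XML)
    position = list(parent).index(old)   # keep the Realm where Tomcat expects it
    parent.remove(old)
    parent.insert(position, new)
    body = ET.tostring(root, encoding="unicode")
    # ET drops the XML declaration; put the original one back if there was one
    stripped = xml_text.lstrip()
    decl = stripped[:stripped.index("?>") + 2] + "\n" if stripped.startswith("<?xml") else ""
    return decl + body


def realm_classes(xml_text):
    """className of every Realm in document order, to confirm the result."""
    return [e.get("className") for e in _parse(xml_text).iter("Realm")]


def main(path=SERVER_XML):
    target = Path(path)
    backup = target.with_name(target.name + ".bak")
    if not backup.exists():                 # never overwrite an earlier backup
        shutil.copy2(target, backup)
    target.write_text(revert_to_file_realm(target.read_text()))
    print("realms now:", realm_classes(target.read_text()))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else SERVER_XML)
```

The realm_classes helper gives a quick before/after check: after the revert it should list LockOutRealm, CombinedRealm and the two UserDatabaseRealm entries from the post, and nothing LDAP-related.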

 

 

Reference

Cloud Connector help:

https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/120ceecfd84145a181ac160d588a7a3d.html

Frank Schuler has good blogs on this:

https://blogs.sap.com/2016/08/19/secure-your-hana-cloud-connector-with-openssl-certificates-part-2/

https://blogs.sap.com/2017/03/12/use-ldap-for-your-sap-cloud-connector-authentication/
