Use a Let’s Encrypt certificate for SAP HANA or SAP NetWeaver AS ABAP
You’re running SAP HANA Express Edition in one of the cloud providers like AWS, Azure or Google Cloud Platform? Or you run a NetWeaver AS ABAP Developer Edition or an SAP Cloud Appliance Library instance? Then I think you’re familiar with this warning message of your browser:
I want to show you how you can get rid of this security warning. Below you will find how you can use a free Let’s Encrypt certificate for your SAP HANA or SAP NetWeaver Application Server ABAP. Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG). It is not only free, it is also trusted by all current browsers, so the warning disappears without distributing your own root certificate to every client.
These are the basic steps to use a Let’s Encrypt certificate:
- Make sure your server is reachable under a public DNS name (the name that will go into the certificate)
- Check firewall settings and open port 80 (HTTP) from the internet, because that is where the Let’s Encrypt domain validation arrives
- Create a certificate signing request (CSR) in SAP HANA or AS ABAP
- Install an ACME client on the server (this post originally used letsencrypt-nosudo, installed via git or copied via scp; since the 2020 update below, acme.sh)
- Run the ACME client to get the CSR signed
- Import the certificate chain in SAP HANA or AS ABAP
Public DNS entry for your system
When you’re on Microsoft Azure you can very easily get a DNS entry when you open the Public IP address configuration of your machine. There you can set a DNS name label which will then become the system’s hostname. The fully qualified domain name (FQDN) consists of the DNS name label and the long name below ending with .cloudapp.azure.com:
Open firewall on port 80
As the Let’s Encrypt domain validation (the HTTP-01 challenge) is done via an HTTP request on port 80 coming from the Let’s Encrypt validation servers, you have to open this port for inbound traffic on the firewall (on a cloud provider: the security group or network security group of the VM, in addition to the OS firewall). Keep in mind that the port must be reachable again for every renewal, not only for the first issuance.
Update 2020-11-11: The letsencrypt-nosudo project isn’t maintained anymore, and the ACME v1 API it supports no longer issues new certificates. Use acme.sh instead, as described in the following sections.
Original approach: log in to your server and clone the letsencrypt-nosudo repository with the following command:
git clone https://github.com/diafygi/acme-nosudo.git
After the repository is cloned, switch into the subfolder acme-nosudo that was created.
Current approach: follow the installation instructions for acme.sh.
Create certificate signing request (CSR)
For HANA and ABAP you have to store the CSR as domain.csr in the acme-nosudo folder on the server where you’ve installed letsencrypt-nosudo (or in the directory from which you run acme.sh). Make sure the common name in the CSR is exactly the public FQDN from the DNS step above; Let’s Encrypt only signs names it can validate, and the browser only trusts a certificate whose name matches the URL.
For SAP HANA, follow the description Configure HTTPS (SSL) for Client Application Access.
For AS ABAP, please follow the detailed description at Enabling SSL (HTTPS) on SAP Gateway.
Run letsencrypt-nosudo to get the CSR signed (original approach)
Please follow the detailed description at How to use the signing script to get the CSR signed.
Run a webserver on port 80
To get your CSR signed, the ACME HTTP-01 challenge requires the Let’s Encrypt validation servers to fetch a specific file below /.well-known/acme-challenge/ from a web server listening on port 80 of the hostname requesting the certificate. Please find out where the document root of this web server is located, because the ACME client has to write the challenge file there. On the SUSE Linux system where I’ve tested it was
Follow the acme.sh instructions Issue a cert from existing CSR and pass the document root from the previous step via the -w parameter.
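Before you let acme.sh talk to Let’s Encrypt, it is worth checking that the document root you found really is served on the hostname and that a file placed below .well-known/acme-challenge/ comes back unchanged, because a wrong webroot is the usual reason the HTTP-01 challenge fails. The following pre-flight check is an added example written for this post; it is not code from acme.sh, letsencrypt-nosudo or SAP. It assumes the document root is the directory passed as webroot, that the validator fetches http://host/.well-known/acme-challenge/token and expects the body token.thumbprint (RFC 8555 section 8.3, thumbprint per RFC 7638), and it uses a constructed placeholder JWK (DEMO_JWK) instead of a real account key. So that it runs offline, serve_directory() starts Python’s built-in HTTP server on an ephemeral localhost port as a stand-in for the real web server; on the real system you would skip that and point webroot_serves_challenge() at the public FQDN and port 80.

```python
"""Pre-flight check for the ACME HTTP-01 challenge (added example, not acme.sh code)."""
import base64
import functools
import hashlib
import http.server
import json
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from typing import Optional

CHALLENGE_PATH = ".well-known/acme-challenge"   # fixed by RFC 8555 section 8.3


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Exact body the validator must read back for the challenge to pass."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def place_challenge(webroot: str, token: str, body: str) -> str:
    """Write the challenge file where the web server serves it; return its path."""
    directory = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    return path


def fetch_challenge(host: str, port: int, token: str) -> Optional[str]:
    """Fetch the challenge the way the validator does; None on any HTTP/network error."""
    url = f"http://{host}:{port}/{CHALLENGE_PATH}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.read().decode("ascii", "replace").strip()
    except (urllib.error.URLError, OSError):
        return None


def webroot_serves_challenge(webroot: str, host: str, port: int, jwk: dict) -> bool:
    """True if a freshly placed challenge file comes back byte-for-byte over HTTP."""
    token = b64url(secrets.token_bytes(32))
    expected = key_authorization(token, jwk)
    path = place_challenge(webroot, token, expected)
    try:
        return fetch_challenge(host, port, token) == expected
    finally:
        os.remove(path)                      # never leave stale tokens in the webroot


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):            # keep the demo output clean
        pass


def serve_directory(webroot: str) -> http.server.ThreadingHTTPServer:
    """Stand-in for the real web server: serve webroot on an ephemeral localhost port."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


# Constructed placeholder account key (public part only), not a real ACME key.
DEMO_JWK = {"kty": "EC", "crv": "P-256",
            "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}


def demo() -> dict:
    """Run the check against a temporary webroot; also confirm cleanup leaves a 404."""
    webroot = tempfile.mkdtemp(prefix="acme-webroot-")
    httpd = serve_directory(webroot)
    host, port = httpd.server_address[:2]
    try:
        served = webroot_serves_challenge(webroot, host, port, DEMO_JWK)
        stale = fetch_challenge(host, port, "does-not-exist") is not None
    finally:
        httpd.shutdown()
        httpd.server_close()
    return {"challenge_served": served, "stale_token_still_served": stale}


if __name__ == "__main__":
    print(demo())
```

If challenge_served comes back False against the real host, the usual causes are a wrong document root, a web server that refuses to serve the hidden .well-known directory, or port 80 still closed in the cloud firewall; fix that before re-running acme.sh, because Let’s Encrypt rate-limits failed validations.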
Import the certificate in SAP HANA or AS ABAP
As the final step follow the instructions linked above for the CSR creation to import the certificate that you’ve got from Let’s Encrypt. Before you can import your own certificate you need to import the Let’s Encrypt intermediate (signing) certificate and the ISRG Root X1 root certificate, both of which you can download from https://letsencrypt.org/certificates/. In ABAP you import them in transaction STRUST, starting with the root certificate, then the intermediate, then your server certificate. For HANA the best way is to copy all certificates into one text file that you import in one go. Afterwards check the result from outside the system with a browser or an SSL checker: the padlock must show the full chain up to ISRG Root X1 without a warning.
Have you already tried to create an ABAP report to automate the process of loading the generated letsencrypt cert chain into strust to fully automate the process?
First I've checked if it would be possible to implement an ACME client in ABAP. But as the challenges must be placed directly under the server root, that wasn't an option. I've also tried modifying the PSE for the SSL server directly. But that results in an inconsistency with the PSE in STRUST that is stored in the DB. I think the approach by Jakub Filak in his Python script sap_add_trusted_server_cert might be a good start to automate it. Maybe you can give it a try.
Thanks Gregor. Will look into it.
This is great. Do you have any experience with setting this up under AS Java (SAP PI)?
It should be basically the same. Check out the help / wiki pages on how to configure SSL for AS Java. There will be a step where you create the certificate signing request. Insert that in the step for the CSR and then get the certificate.