Skip to Content
Technical Articles
Author's profile photo Kundan Gandhi
Kundan Gandhi
June 25, 2019 4 minute read

Setting up SSL on Application Server S/4HANA

This blog post is for setting up SSL for Application server S/4HANA for successful connection with SAC (SAP Analytics Cloud).

Background –

When we are connecting SAC (SAP Analytics Cloud) to SAP S/4HANA system with direct live connection, we need to make trusted connection.

Else error can be seen as –

Setting Up SSL

Check CommonCryptoLib version

 

Login into <Applicaion Server Host> as <sid>adm

 

server: <sid>adm > cdexe

server: <sid>adm > pwd

/sapmnt/<SID>/exe/uc/linuxx86_64

server: <sid>adm > sapgenpse -l /sapmnt/<SID>/exe/uc/linuxx86_64/libsapcrypto.s

.

.

.

Using -l parameter to load CommonCryptoLib

   -l "/sapmnt/<SID>/exe/uc/linuxx86_64/libsapcrypto.so"




  Platform:   linux-gcc-4.3-x86-64   (linux-gcc-4.3-x86-64)

  Versions:   SAPGENPSE       8.5.28 (May  8 2019)

              CommonCryptoLib 8.5.28 (May  8 2019) [AES-NI,CLMUL,SSE3,SSSE3]

                Build change list: 238087




  USER="<sid>adm"




  Environment variable $SECUDIR is defined:

  "/usr/sap/<SID>/DVEBMGS00/sec"

 

Update  SAP Crypto library

 

  1. Download latest crypto library from SAP market place:

SAPDownload à Support Packages & Patches à By Category à SAP CRYPTOGRAPHIC SOFTWARE à SAPCRYPTOLIB à COMMONCRYPTOLIB 8 à <Select appropriate OS version> à Download latest SAR file

SAPCRYPTOLIBP_8528-20011697.SAR —- for Linux X86_64

 

  1. Move SAR file from download basket to application server

Use winscp to move to application server

 

  1. UNCAR SAR file : (login with <SID>adm into application server
SAPCAR -xvf SAPCRYPTOLIBP_8528-20011697.SAR

 

  1. Move uncared all content to Kernel
mv * /sapmnt/<SID>/exe/uc/linuxx86_64

Profile Parameters

 

Login into <Applicaion Server Host> as <sid>adm and remove below profile parameter

 

ssf/name

ssf/ssfapi_lib

sec/libsapsecu

ssl/ssl_lib

 

Define Https parameter 

 

Add below entry into Instance profile

 

icm/server_port_1 = PROT=HTTPS,PORT=52$$,TIMEOUT=30,PROCTIMEOUT=60

 

and restart the application server

 

Generate Certificate

 

  1. Transaction Code – /nstrust and click on edit.

2. Right click on SSL Server Standard and Select Create

 

 

3. Click on OK

4. Update entry as mentioned in the screenshot

 

5. Make sure Algorithm Overview as below –

6. Once you click on OK, you can see entry has been created.

7. Now, Create Certificate Request by clicking on button

 

8. Select algorithm as SHA256

And click on OK

9. Download certificate locally.

10. Save to your local machine.

 

Sign certificate from CA

Get your public key certificates signed by a CA.

 

Here we have used local internal WINDOWS server as certificate authority.

You can refer below blog to setup windows server as CA

(Reference from Virtuallythere “SSL : Part 1 : Building a Microsoft Certificate Authority for your lab”)

https://virtuallythere.blog/2018/04/24/making-things-a-bit-more-secure-part-1/

(Reference from Virtuallythere “SSL : Part 2 : Signing a CSR with your Microsoft Certificate Authority”)

Once you have setup windows server as CA then you can sign your CSR.

 

  1. Copy csr from local machine to windows server.

 

 

2. Open Server Manager –> Tools –> Certificate Authority

 

 

3. You can see pop-up like below –

 

4. Click on Submit new request

 

5. Browse the certificate from Server

 

6. Now you can see certificate in Pending Requests

7. Approve the certificate request (Click on All Tasks –> Issue)

 

8. After that, you can see certificate in the list of Issued certificate.

 

9. Right click and Open

 

10. Click on open > Details > Copy to File

 

11. Click on Next >Select PKCS#7 > Check mark for INCLUDE… > Click on Browse

 

12. Give name and click on SAVE > Verify location and click on Next > Click on Finish > Click on OK

Please note – you are saving file on windows server

 

 

13. Copy response file from Windows server to local machine.

Import Signed Response Certificate

1. Now back to SAP logon.

Double click on SSL server Standard entry

 

2. Click on Import Certificate Response 

 

3.Click on Import > Select the response file and click on Open  

 

4. You can see screen as below and then click on OK.

5. Click on SAVE

 

Finally cross check SSL configurationwith URL

https://<ABAP application Server host>:<https port>/sap/bc/gui/sap/its/webgui?sap-client=<client no.>&sap-language=EN#…

 

Conclusion

You can make secure connection with SAP Analytics Cloud.

Assigned Tags

      2 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Henry Banks
      Henry Banks

      excellent! thank you!

      Author's profile photo Sandeep Roy
      Sandeep Roy

      Really helpful.. Thank a lot!!