Setting up SSL on Application Server S/4HANA
This blog post is for setting up SSL for Application server S/4HANA for successful connection with SAC (SAP Analytics Cloud).
When we are connecting SAC (SAP Analytics Cloud) to SAP S/4HANA system with direct live connection, we need to make trusted connection.
Else error can be seen as –
Setting Up SSL
Check CommonCryptoLib version
Login into <Applicaion Server Host> as <sid>adm
server: <sid>adm > cdexe server: <sid>adm > pwd /sapmnt/<SID>/exe/uc/linuxx86_64 server: <sid>adm > sapgenpse -l /sapmnt/<SID>/exe/uc/linuxx86_64/libsapcrypto.s . . . Using -l parameter to load CommonCryptoLib -l "/sapmnt/<SID>/exe/uc/linuxx86_64/libsapcrypto.so" Platform: linux-gcc-4.3-x86-64 (linux-gcc-4.3-x86-64) Versions: SAPGENPSE 8.5.28 (May 8 2019) CommonCryptoLib 8.5.28 (May 8 2019) [AES-NI,CLMUL,SSE3,SSSE3] Build change list: 238087 USER="<sid>adm" Environment variable $SECUDIR is defined: "/usr/sap/<SID>/DVEBMGS00/sec"
Update SAP Crypto library
- Download latest crypto library from SAP market place:
SAPDownload à Support Packages & Patches à By Category à SAP CRYPTOGRAPHIC SOFTWARE à SAPCRYPTOLIB à COMMONCRYPTOLIB 8 à <Select appropriate OS version> à Download latest SAR file
SAPCRYPTOLIBP_8528-20011697.SAR —- for Linux X86_64
- Move SAR file from download basket to application server
Use winscp to move to application server
- UNCAR SAR file : (login with <SID>adm into application server
SAPCAR -xvf SAPCRYPTOLIBP_8528-20011697.SAR
- Move uncared all content to Kernel
mv * /sapmnt/<SID>/exe/uc/linuxx86_64
Login into <Applicaion Server Host> as <sid>adm and remove below profile parameter
Define Https parameter
Add below entry into Instance profile
icm/server_port_1 = PROT=HTTPS,PORT=52$$,TIMEOUT=30,PROCTIMEOUT=60
and restart the application server
- Transaction Code – /nstrust and click on edit.
2. Right click on SSL Server Standard and Select Create
3. Click on OK
4. Update entry as mentioned in the screenshot
5. Make sure Algorithm Overview as below –
6. Once you click on OK, you can see entry has been created.
7. Now, Create Certificate Request by clicking on button
8. Select algorithm as SHA256
And click on OK
9. Download certificate locally.
10. Save to your local machine.
Sign certificate from CA
Get your public key certificates signed by a CA.
Here we have used local internal WINDOWS server as certificate authority.
You can refer below blog to setup windows server as CA
(Reference from Virtuallythere “SSL : Part 1 : Building a Microsoft Certificate Authority for your lab”)
(Reference from Virtuallythere “SSL : Part 2 : Signing a CSR with your Microsoft Certificate Authority”)
Once you have setup windows server as CA then you can sign your CSR.
- Copy csr from local machine to windows server.
2. Open Server Manager –> Tools –> Certificate Authority
3. You can see pop-up like below –
4. Click on Submit new request
5. Browse the certificate from Server
6. Now you can see certificate in Pending Requests
7. Approve the certificate request (Click on All Tasks –> Issue)
8. After that, you can see certificate in the list of Issued certificate.
9. Right click and Open
10. Click on open > Details > Copy to File
11. Click on Next >Select PKCS#7 > Check mark for INCLUDE… > Click on Browse
12. Give name and click on SAVE > Verify location and click on Next > Click on Finish > Click on OK
Please note – you are saving file on windows server
13. Copy response file from Windows server to local machine.
Import Signed Response Certificate
1. Now back to SAP logon.
Double click on SSL server Standard entry
2. Click on Import Certificate Response
3.Click on Import > Select the response file and click on Open
4. You can see screen as below and then click on OK.
5. Click on SAVE
Finally cross check SSL configurationwith URL
https://<ABAP application Server host>:<https port>/sap/bc/gui/sap/its/webgui?sap-client=<client no.>&sap-language=EN#…
You can make secure connection with SAP Analytics Cloud.
excellent! thank you!
Really helpful.. Thank a lot!!