Technical Articles
Ian Henry

Using a Wild Card SSL Certificate with the SAP Cloud Connector

** Updated 19th December 2022 **

The steps from the original blog are mostly no longer required, but I have kept the details as they may help in specific circumstances. From Cloud Connector version 2.13 it is possible to upload a P12 certificate directly. The P12 is an all-in-one file that contains the public certificate, the private key and the certificate chain.

I created my P12 with the following command.

openssl pkcs12 -export -inkey key.pem -in newcombined.crt -out server-combined.p12

This can then be directly uploaded from the Cloud Connector interface.

If, however, you do experience any issue with the certificate being accepted, monitor the Cloud Connector log file with a command such as the one below:

tail -n50 -f /opt/sap/scc/log/ljs_trace.log

** Previous blog below **

You may already be using the cloud connector and now wish to secure it. Depending upon your server setup and your organisation’s policies this can be straightforward or more involved.

For most vanilla setups we can generate a Certificate Signing Request (CSR) from the SAP Cloud Connector’s user interface and then upload the signed certificate response. There’s a great tutorial here: https://developers.sap.com/tutorials/cp-connectivity-install-cloud-connector.html

If, however, you have an existing wildcard certificate to use, there are some additional steps; those are captured in this blog post.

  1. Retrieve Keystore Password
  2. Convert existing private key and existing certificate into p12
  3. Update Keystore with Wildcard Certificate

Pre-requisites

  • Root access to the Linux installation of SCC
  • Private Key used to generate wildcard certificate, usually .pem
  • Wildcard public certificate, usually .crt

Background

The SAP Cloud Connector (SCC) uses Tomcat and a Java keystore under the covers. The keystore used by Tomcat holds the SSL certificates. Typically you interact with the Java keystore using the keytool command. Keytool does not support importing a bare private key, so we therefore need to replace the existing keystore entry (key and certificate together) as a whole.

1. Retrieve Keystore Password

The keystore used by the SCC is password protected.  This password is generated during install, but it is not displayed.  We can retrieve the password with the following command.

This command should be executed as root.

## Retrieve existing keystore password
java -cp /opt/sap/scc/plugins/com.sap.scc.rt*.jar \
  -Djava.library.path=/opt/sap/scc/auditor \
  com.sap.scc.jni.SecStoreAccess \
  -path /opt/sap/scc/scc_config -p

## Verify access to SAP Cloud Connector keystore
ls -l /opt/sap/scc/config/ks.store

Using the password retrieved we can confirm it is valid and view the contents of our existing keystore (ks.store).

## List existing certificates
keytool -list -keystore /opt/sap/scc/config/ks.store 

The output from keytool shows the alias used for the SCC certificate is tomcat.  We need to replace the tomcat entry with our own certificate.

2. Convert existing private key and existing certificate into p12

Keytool requires the key and certificate in PKCS12 format; we can generate that from the private key (.pem) and certificate (.crt) files.

We can inspect our two files to confirm they have the expected contents.

We should see

-----BEGIN PRIVATE KEY----- in the .pem file

-----BEGIN CERTIFICATE----- in the .crt file

## Convert .pem and .crt into .p12 for keytool
openssl pkcs12 -export \
  -name tomcat \
  -inkey private.pem \
  -in cert-x509.crt \
  -out server.p12

Let’s understand this command with some placeholders. The name tomcat is the default certificate alias the SCC uses.

openssl pkcs12 -export \
  -name [tomcat is the certificate name the SCC wants] \
  -inkey [your private.pem] \
  -in [your signed certificate.crt] \
  -out [export file to be generated.p12]

3. Update Keystore with Wildcard Certificate

With the commands below we can update the keystore with our converted (.p12) certificate.

## Backup existing keystore
cp /opt/sap/scc/config/ks.store /opt/sap/scc/config/ks.bak

## Replace existing tomcat alias with our certificate
keytool -importkeystore -deststorepass hM1e3nnT64areVVV -destkeypass hM1e3nnT64areVVV \
-destkeystore /opt/sap/scc/config/ks.store -srckeystore /hana/cloud-connector/certificates/server.p12  \
-srcstoretype PKCS12 -srcstorepass topsecret -alias tomcat

## Set file permissions correctly
chown sccadmin:sccgroup /opt/sap/scc/config/ks.store

## Restart the cloud connector
systemctl restart scc_daemon

To understand the keytool command I have added some placeholders.

## Java keytool command
keytool -importkeystore -deststorepass [SCC password from step 1] \
  -destkeypass [SCC password from step 1] \
  -destkeystore /opt/sap/scc/config/ks.store \
  -srckeystore [path to certificate exported by openssl command above] \
  -srcstoretype PKCS12 \
  -srcstorepass [password input into openssl command] \
  -alias tomcat

  • -destkeystore: /opt/sap/scc/config/ks.store is the default SCC keystore path
  • -srcstoretype PKCS12: this is the format we exported from openssl
  • -alias tomcat: tomcat is the alias we need to use for the SCC to find our certificate

All being well, we should now see the secure padlock in our browser and be able to load the SAP Cloud Connector interface without any security warnings.
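The three steps above combined into one script, as an added example that is not part of the original post: it checks the key and certificate files before converting them (step 2), then replaces the tomcat entry, fixes ownership and restarts the SCC (step 3). It assumes the paths and the tomcat alias from the post, takes the step 1 keystore password from an SCC_KS_PASS environment variable (my choice of name), and needs openssl and keytool on the PATH.

```shell
#!/bin/sh
# Added example: the blog's three steps as one script (not from the original post).
# Assumptions: SCC paths and the "tomcat" alias as in the post; the keystore
# password retrieved in step 1 is passed in the SCC_KS_PASS environment variable.
set -eu

KS=/opt/sap/scc/config/ks.store
# Step 2 pre-check: the key file must hold one unencrypted PEM private key and
# the certificate file at least one certificate. Prints the number of
# certificates found (more than one means the chain is included), else fails.
check_pem_inputs() {
  key=$1; crt=$2
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" \
    || { echo "no PEM private key in $key" >&2; return 1; }
  if grep -q 'ENCRYPTED' "$key"; then
    echo "$key is passphrase protected; decrypt it first" >&2; return 1
  fi
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$crt" || true)
  [ "$n" -ge 1 ] || { echo "no PEM certificate in $crt" >&2; return 1; }
  echo "$n"
}

# The key must belong to the (first) certificate in the file, otherwise Tomcat
# cannot serve it. Compares the public key derived from each (needs openssl).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null || true)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Steps 2 and 3: build the PKCS#12 with alias "tomcat" (the alias the SCC looks
# up), back up ks.store, replace the entry, fix ownership and restart the SCC.
install_wildcard() {
  key=$1; crt=$2; p12=$3; p12pass=$4
  check_pem_inputs "$key" "$crt" >/dev/null
  key_matches_cert "$key" "$crt" \
    || { echo "private key does not match certificate" >&2; return 1; }
  openssl pkcs12 -export -name tomcat -inkey "$key" -in "$crt" \
    -out "$p12" -passout "pass:$p12pass"
  cp "$KS" "$KS.bak"
  keytool -importkeystore -noprompt -destkeystore "$KS" \
    -deststorepass "$SCC_KS_PASS" -destkeypass "$SCC_KS_PASS" \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$p12pass" -alias tomcat
  chown sccadmin:sccgroup "$KS"
  systemctl restart scc_daemon
}

# Run as root: SCC_KS_PASS=... ./scc-wildcard.sh private.pem chain.crt server.p12 p12pass
if [ $# -eq 4 ]; then install_wildcard "$@"; fi
```

If the chain count printed by check_pem_inputs is 1, the .crt holds only the leaf certificate, so the resulting P12 will not carry the intermediate chain.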

Troubleshooting

Errors are usually reported in the SCC log, found here:

## Check the SCC log file for errors
tail /opt/sap/scc/log/ljs_trace.log

The Java version is important: as the SCC and Tomcat rely upon Java, using a current Java version provides maximum compatibility. If you see browser errors such as those below:

  • Not Secure
  • This site uses an outdated security configuration
  • Site Is Using Outdated Security Settings
  • Connection Not Secure
  • This page uses weak encryption
  • Your connection to this site is not fully secure

these can be caused by the installer picking an old Java version, leaving the SCC unable to use modern encryption algorithms. To fix this, update your $JAVA_HOME and re-install the same SCC version with the --force and -U options.

rpm --force -U ./com.sap.scc-ui-2.12.3-8.x86_64.rpm

Conclusion

With a few steps we can secure the cloud connector with a wildcard certificate. The SAP Cloud Connector is built on open standards that allow it to be configured to meet your organisation’s needs.


      7 Comments
      Gia Dinh

      I ran the exact steps and got this error "keytool error: java.lang.Exception: Alias <tomcat> does not exist" even though it asked to overwrite the existing tomcat one.

      I ended up running the command without the 'alias' parameter and had it imported into a different alias. After that I edited the tomcat config so the SCC https can point to that alias in /opt/sap/scc/config_master/org.eclipse.gemini.web.tomcat/default-server.xml


      M. Loohuizen

      THANK YOU

      Prasad Prathi

      Ian, Nice blog.

      We are running the SCC on Windows OS. I have two questions.

      I have converted the existing Wildcard.pfx to Wildcard.p12 using the Firefox Certificate Manager utility.

      In addition I have both intermediate server certificate and Root certificates separately.

      Then I tried to import the same. During the import of the Wildcard Certificate (Wildcard.p12) I am getting an error.

      C:\SAP\scc20\config>keytool -importkeystore -deststorepass xxxxxpassowrdxxxx -destkeypass xxxxxpassowrdxxxx -destkeystore C:\SAP\scc20\config\ks.store -srckeystore C:\SAP\Wildcard.p12 -srcstoretype PKCS12 -srcstorepass topsecret -alias tomcat
      Importing keystore C:\SAP\Wildcard.p12 to C:\SAP\scc20\config\ks.store...
      keytool error: java.io.IOException: keystore password was incorrect


      2. How do I import the intermediate server certificate and Root certificates?


      Thanks

      -Prasad

      Markus Tolksdorf

      Hi,

      Starting with 2.13 it is possible to import a P12 for the UI certificate. Hence, this complicated procedure is no longer necessary.

      Best regards,

      Markus

      Jayanta Choudhuri

      Fantastic for me!
      I had a letsencrypt certificate installed successfully for my GCP server jncsap.de

      Using your steps I could insert a new certificate into ks.store

      Then when I restarted rcscc_daemon the lock appeared!

      Thanks a million!

      Regards
      Jayanta@Kolkata

      Fatah Rafaee

      Hello Ian Henry,


      I have a question, since we can use the wildcard certificate for the cloud connector, can we use the same certificate for the CA certificate for Principal Propagation?


      Cheers,
      Fatah

      Ian Henry
      Blog Post Author

      Hi Fatah,

      I haven't looked into that. This type of question is better posted at the answers site - https://answers.sap.com/index.html

      Cheers, Ian.