SAP Secure Login Server – your own CA on Hand …

Last Changed: 16th of November 2020

Motivation and Overview

After some time, I thought it is time to update the Document – SAP First Guidance – Implement SAP BW/4HANA in the Azure Cloud especially the topics for SAP Analytics Cloud and the SAP Analytic Cloud Connector which is necessary to overcome the Firewall Issues.

While I was configuring the SAP Cloud Connector (again on Azure Hyperscaler) there is a task – Configure a CA Certificate for Principal Propagation which I came to a interesting Side Note:

So: what is the (SAP) Secure Login Server (3.0) and what can it do for me?

Since I’m working since several Years with Azure Hyperscaler, my biggest Challenge was always to get a CA response for the server with the DNS *.azure.com. For SAP System which belongs to the *.sap.corp DNS we can create an own CA for these systems.

So I was trying to find a “transparent Solution” for this annoying issue and “Self-Signed” Certificates is not an Option for me at all, and that is the only suggestion you will get from SAP on many, many SAP Help Documentation.

In the End, I always ended by a Community Colleague Gregor Wolf (GitHub, Paasport – Gregor Wolf) who is one of the “real SAP Mentors” outside SAP. He let his mojo play on the systems and created the CA response based on let’s encrypt (honestly I never got the whole story so far … ;-))

source%20-%20lets%20encrypt

source – let’s encrypt

Here we can see, what the SAP Secure Server can do for me – Out-of-the-Box PKI Login Server and PKI Integration.

source%20-%20SAP%20Help

source – SAP Help

SAP Help – SAP Cloud Platform Connectivity – Recommendations for Secure Setup

Implementation of the Secure Login Server 3.0

Nevertheless the SAP Help says using SWPM to install, you can also use the SUM to apply the necessary *.SCA files to a new or existing SAP 7.50 Java Application Server.

SAP Help – Installation and Installation File Names

Don’t be surprised that you will not find a lot Blogs or additional Articles in the SAP Community. It seems we find again a hidden treasure here.

Components%20of%20the%20SAP%20Secure%20Server

Components of the “SAP Secure Server”

Don’t be to astonished about the latest updates of the files. It seems especially here, you will see where SAP is shifted there invests: everything goes Cloud.

necessary%20SCA%20components%20in%20addition

necessary SCA components in addition

SAP%20NetWeaver%20Administrator%20-%20list%20of%20the%20components

SAP NetWeaver Administrator – list of the components

Even there are only a few SCA files has to be applied, you might pick into a wasp nest, jumping from one problem to another, so I list some SAP Notes to read before you apply the SCA files.

pick only SECURE_LOGON_SERVER, SSOAUTHLIB and SSPEXTLIB SCA to avoid that the SUM process fails due to the already applied versions
always finish a SUM update process properly, otherwise “reverting the system” might get complicated (no restore necessary)
apply SAP JVM and UDDI patches first if needed.
add the role SLAC_SUPERADMIN to your user.

Note 2373829 – Deployment error : Deployment of archive xxx for component xxx is rejected because it is already deployed
Note 2444424 – Release Note SAP Single Sign-On 3.0 SP02
Note 2569954 – “Some SSO inconsistencies have been found” message in Trusted Systems configuration
Note 2730532 – SAP SSO Fixes for Secure Login Server 3.0 SP 02 Patch 10
Note 2780347 – Update the JAVA patches during updating system
Note 2845709 – Error during Solution Manager Upgrade 7.1 -> 7.2 SPS09
Note 2856691 – SAP Single Sign-On SCAs were unsigned
Note 2951691 – Upgrade of SAPJVM to SAP JVM(8.1.064) fails / Installation of “Application Server Java” based on SAP JVM(8.1.064) fails
Note 2953651 – Deployment of UDDI component fails during SUM upgrade – SOLMAN – AS JAVA