Certificate Lifecycle Management using SLS3.0 Command Line Tool
I have more than 15 years of experience in SAP Basis and HANA administration. I have worked on multiple implementations, migrations (SAP systems and datacenter) and upgrades. I have recently implemented Certificate Life Cycle Management through SLS 3.0 in one of my assignments. I found many good tutorials on ABAP and JAVA system certificate life cycle management but didn’t find much information on the SLS command line tool “sapslscli” for HANA DB and WD, so I decided to write this blog post on sapslscli usage.
In this blog post I will explain how to renew the SSL certificate of non-ABAP and non-JAVA systems like SAP Web Dispatcher and HANA DB through the SLS 3.0 command line tool.
- Secure Login Server 3.0
- SLLIBRARY02 (delivered with the SLS software; it can also be downloaded from https://launchpad.support.sap.com/#/softwarecenter)
The Secure Login Server should be set up and configured as per the steps given in the SPS SLS 3.0 implementation guide.
You can also find good information on SLS 3.0 configuration for ABAP/JAVA in the blog post below.
Check the validity of the existing PSE file using sapgenpse or the HANA-integrated WD.
Now enroll the certificates with the SLS server using the command line tool sapslscli. This requires an admin user on the SLS server with the role SLAC_CERT_ADMIN.
Enroll command syntax: “sapslscli enroll -r <ra_pse> -u <username> -x <password> -e <enroll_url>”
Now renew the certificate using sapslscli (use the respective certificate profile). Check the Secure Login Server console to find the respective certificate profile.
Renew command syntax: “sapslscli renew -r <ra_pse> -p <pse> -e <enroll_url>”
As we can see, the certificate in SAPSSL.pse has been renewed, and we can now verify the certificate using the sapgenpse tool.
We can create a single-line script with the -g (grace period) option like below:
sapslscli renew -r <ra_pse> -p <pse> -g<N> -e <enroll_url>
-g<N>: don’t renew if the certificate is still valid for <N> days
In SAP ABAP we use a background job and in SAP JAVA the Job Scheduler. For non-ABAP, non-JAVA systems we can use LAMA or an OS tool like cron jobs or the Windows batch scheduler to execute this script on a daily basis.
Now all certificates can be renewed automatically using the command line tool of the SLS server, which saves manual effort by automating renewal through the SLS certificate life cycle management functionality.
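As an added example (not from the original post and not SAP's own code), below is a cron-friendly wrapper around the renew step: it refuses to run with a world-readable RA PSE, renews each PSE with the -g grace period, logs every outcome, and exits non-zero if any renewal failed so the scheduler can alert. The RA PSE path, enroll URL, grace days and PSE list are assumed arguments, and sapslscli is assumed to be on PATH.

```shell
#!/bin/sh
# Daily renewal wrapper for non-ABAP/non-JAVA PSEs (Web Dispatcher, HANA).
# Usage: sls_renew.sh <ra_pse> <enroll_url> <grace_days> <pse>...
SAPSLSCLI="${SAPSLSCLI:-sapslscli}"          # assumed: SLS CLI on PATH
LOG="${SLS_RENEW_LOG:-/tmp/sls_renew.log}"   # assumed log location

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOG"; }

# The RA PSE authenticates this host to the SLS, so treat it as a credential:
# refuse to use it if the "other" read bit is set (POSIX find -perm -004).
check_ra_pse() {
  [ -f "$1" ] || { log "ERROR RA PSE $1 missing"; return 2; }
  if [ -n "$(find "$1" -perm -004 2>/dev/null)" ]; then
    log "ERROR RA PSE $1 is world-readable; fix permissions"; return 3
  fi
}

# Renew one PSE. -g<N> tells sapslscli not to renew while the certificate is
# still valid for N days, so running this daily is safe.
renew_pse() {
  ra="$1"; pse="$2"; grace="$3"; url="$4"
  [ -f "$pse" ] || { log "ERROR PSE $pse missing"; return 2; }
  if "$SAPSLSCLI" renew -r "$ra" -p "$pse" -g"$grace" -e "$url" >>"$LOG" 2>&1; then
    log "OK renew $pse (grace ${grace}d)"
  else
    log "FAIL renew $pse"; return 1
  fi
}

# Renew every PSE given; return the failure count so cron/LAMA sees non-zero.
renew_all() {
  ra="$1"; url="$2"; grace="$3"; shift 3
  check_ra_pse "$ra" || return $?
  failed=0
  for pse in "$@"; do
    renew_pse "$ra" "$pse" "$grace" "$url" || failed=$((failed + 1))
  done
  log "DONE $# PSE(s), $failed failure(s)"
  return "$failed"
}

if [ "$#" -ge 4 ]; then renew_all "$@"; fi
```

Point the scheduler at the script with the RA PSE, enroll URL, grace days and the PSE paths, and watch the log and exit code rather than the console.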