This document provides instructions for setting up SSL connectivity between SAP LVM and the SAP Host Agent using x509 certificate authentication. It involves generating a certificate signing request for the LVM server, having it signed by a certificate authority, importing the signed certificate and CA/intermediate certificates into the LVM keystore. It also describes adding the CA/intermediate certificates to the Host Agent's PSE, configuring the host profile, and testing the SSL connection. The aim is to connect LVM and the Host Agent without username/password authentication.
2. Introduction
• This document provides a quick overview of how to set up SSL connectivity from SAP LVM to the SAP Host Agent
• The SAP Host Agent is installed on every system hosting an SAP instance and must be connected to LVM to make use of its functionality
• This document describes how the SSL setup can be achieved in a UNIX environment, but it can be easily adapted for the Windows platform
• The document is aimed at system administrators familiar with the SAP Host Agent who wish to connect SAP LVM to the Host Agent without the need for user/password authentication
3. Diagrammatic Overview
[Diagram: certificate chain and connection flow between the LVM server and the SAP Host Agent; the recoverable labels are listed below]
• LVM server (lvm01.com), acting as the HTTP client, with the “LVMView” keystore view
• SAP Host Agent, acting as the HTTP server, with PSE /usr/sap/hostctrl/exe/sec/SAPSSLS.pse and host_profile /usr/sap/hostctrl/exe/host_profile
• Port 1128: HTTP with BASIC (username/password) authentication; port 1129: HTTPS with X.509 (client certificate) authentication
• Certificate chain: the CA certificate and ICA certificate are added to the PSE; the certificate CN=lvm01.com (signed by the CA) is added to the keystore view; the host agent validates the client certificate against the CA & ICA in its PSE
• host_profile parameter: service/sso_admin_user_0 = CN=lvm01.com, OU=*, C=GB
• The CSR goes to a 3rd party Certificate Authority; the numbered steps #1 to #5 of the diagram are detailed on the following slides
4. • Generate a Certificate Signing Request (CSR) from the “LVMView” key store view in NetWeaver Administrator
• The CN should be the server name (in lowercase) (same as an SSL certificate at this point)
• Upload to your favourite 3rd party Certificate Signing Authority
5. • You must get a signed certificate from a 3rd party CA
• You cannot use a self-signed certificate (since LVM 2.0 SP3 - SAP Note 1878159)
• The certificate must have “Enhanced Key Usage” with “Client Authentication”
6. • Download your signed certificate
• Also download the Certificate Authority (CA) and Intermediate Certificate Authority (ICA) certificates
• Upload the certificates into the “LVMView” key store view
• You should have 1 x private key + n x certificates in “LVMView”
7. • Create a PSE for the SAP host agent (if not existing)
• The PSE can be self-signed; you don’t need a signed certificate here
• Add *only* the CA and ICA certificates to the PSE
8. • Add the parameter “service/sso_admin_user_0” to the host_profile of the host agent
• Restart the host agent
• Check sapstartsrv.log (in the host agent work directory) for confirmation that it’s listening on port 1129
9. Round Up
• You can now edit the hosts in LVM and choose X.509 as the host agent authentication mechanism
• In the drop-down you should see the private key you uploaded into the “LVMView” key store
• Make sure you *test* the connection
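The steps above as a set of POSIX shell checks, added here as an example; this is not code from the original slides or from SAP. It uses openssl to reproduce what can be verified on the UNIX side: the lowercase CN in the CSR (slide 4), the “Client Authentication” Extended Key Usage on the signed certificate (slide 5), chain validation against a bundle holding only the CA and ICA certificates (slides 6 and 7), the service/sso_admin_user_0 line in host_profile (slide 8) and a handshake test on port 1129 (slide 9). Everything specific is an assumption for illustration: the OU=LVM/C=GB subject, the file names, the <pin> placeholder, and the sapgenpse invocation, which follows SAP’s sapgenpse syntax but should be checked against the resources on the last slide. The real CSR comes from the “LVMView” keystore view in NetWeaver Administrator; make_csr only shows the equivalent openssl command.

```shell
#!/bin/sh
# Added example (not from the original slides or SAP): openssl checks for the
# LVM -> SAP Host Agent X.509 setup. Subject values, paths and the PIN are
# illustrative assumptions.
set -eu

# Slide 4: key + CSR with the CN forced to lowercase. OU/C are assumed values.
make_csr() {            # make_csr <server-name> <outdir>
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$2/lvm.key" -out "$2/lvm.csr" \
        -subj "/CN=$host/OU=LVM/C=GB" >/dev/null 2>&1
    openssl req -in "$2/lvm.csr" -noout -subject
}

# Slide 5: the CA-signed certificate must carry Extended Key Usage
# "Client Authentication". Returns 0 if present, 1 if not.
has_client_auth_eku() { # has_client_auth_eku <cert.pem>
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Extended Key Usage/ { getline; print }' \
        | grep -q 'TLS Web Client Authentication'
}

# Slides 6/7: the host agent PSE holds only the CA and ICA certificates, so
# verifying against a bundle of exactly those two mirrors what it will accept.
verify_chain() {        # verify_chain <cert.pem> <ca-and-ica-bundle.pem>
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Slide 7: create the host agent PSE (self-signed is fine) and add *only* the
# CA and ICA certificates. Assumed sapgenpse syntax; not run in this file.
create_hostagent_pse() { # create_hostagent_pse <pin> <ca.pem> <ica.pem>
    SECUDIR=/usr/sap/hostctrl/exe/sec; export SECUDIR
    sapgenpse gen_pse -p SAPSSLS.pse -x "$1" "CN=$(hostname)"
    sapgenpse maintain_pk -p SAPSSLS.pse -x "$1" -a "$2"
    sapgenpse maintain_pk -p SAPSSLS.pse -x "$1" -a "$3"
}

# Subject DN of the signed certificate in RFC 2253 form (attribute order is
# the reverse of the "CN=..., OU=*, C=GB" spelling on the slides).
subject_dn() {          # subject_dn <cert.pem>
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Slide 8: add service/sso_admin_user_0 to host_profile exactly once and
# print how many such lines the profile now has (idempotent).
add_sso_admin_user() {  # add_sso_admin_user <host_profile> <DN>
    if ! grep -q '^service/sso_admin_user_0' "$1" 2>/dev/null; then
        printf 'service/sso_admin_user_0 = %s\n' "$2" >> "$1"
    fi
    grep -c '^service/sso_admin_user_0' "$1"
}

# Slide 9: TLS handshake on port 1129 presenting the LVM client certificate.
# Exit 0 means the agent accepted the chain; needs a live host agent, so it is
# defined here but not executed.
test_x509_connection() { # test_x509_connection <host> <cert> <key> <bundle>
    openssl s_client -connect "$1:1129" -cert "$2" -key "$3" \
        -CAfile "$4" -verify_return_error </dev/null >/dev/null 2>&1
}
```

Run the functions in slide order: make_csr, hand the CSR to the CA, has_client_auth_eku and verify_chain on what comes back, create_hostagent_pse on the agent host, add_sso_admin_user followed by a host agent restart, then test_x509_connection. A wildcard entry such as OU=* is written into host_profile by hand; subject_dn only prints the exact subject of the certificate so it can be compared with the DN format described in SAP Note 1439348.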
10. Resources
• SAP Note 1907566 - “Obtaining the Latest SAP Host Agent Documentation” (see PDF attached to note)
• SAP Note 1439348 - “Extended security settings for sapstartsrv”
• help.sap.com: Configuring SSL for SAP Host Agent on UNIX
• SCN: http://scn.sap.com/message/16839422