SAP Host Agent x509 authentication
•
0 j'aime•710 vues
See how to setup SSL authentication from SAP Landscape Virtualisation Management to SAP Host Agent.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à SAP Host Agent x509 authentication
Similaire à SAP Host Agent x509 authentication (20)
Plus de Gary Jackson MBCS
Plus de Gary Jackson MBCS (20)
Dernier
Dernier (20)
SAP Host Agent x509 authentication
- 1. SAP Host Agent x509 Authentication
- 2. • This document provides a quick overview of how to setup SSL connectivity from SAP LVM to the SAP Host Agent • The SAP Host Agent is installed on every system hosting an SAP instance and must be connected to LVM to make use of its functionality • This document describes how the SSL setup can be achieved in a UNIX environment but it can be easily adapted for the Windows platform • The document is aimed at system administrators familiar with the SAP Host Agent who wish to connect SAP LVM to the Host Agent without the need for user/password authentication Introduction
- 3. Diagrammatic Overview Certificate Chain Server ALVM Server (lvm01.com ) Hostagent PSE /usr/sap/hostctrl/exe/sec/SAPSSLS.pse Port 1128 (HTTP) Port 1129 (HTTPS) ICA certificate CA certificate CN=lvm01.com (signed by CA) host_profile /usr/sap/hostctrl/exe/host_proflie LVMView Keystore service/sso_admin_user_0 = CN=lvm01.com, OU=*, C=GB HTTP with BASIC (username/password) HTTPS with X.509 (client certificate) Validate against CA & ICA in PSE Added to PSE Added to keystore view CSR 3rd Party Certificate Authority #1 #2 #3 #4 #5 HTTP Client HTTP Server $$$
- 4. • Generate a Certificate Signing Request (CSR) from “LVMView” key store view in NetWeaver Administrator • The CN should be the server name (in lowercase) (same as an SSL certificate at this point) • Upload to your favourite 3rd Party Certificate Signing Authority 1 2 3 4 5
- 5. • You must get a signed certificate from a 3rd Party CA • You can not use a self-‐signed certificate (Since LVM 2.0 sp3 -‐ SAP Note: 1878159) • The certificate must have “Enhanced Key Usage” with “Client Authentication”: 1 2 3 4 5
- 6. • Download your signed certificate • Also download the Certificate Authority (CA) and Intermediate Certificate Authority (ICA) certificates • Upload the certificates into the “LVMView” key store view • You should have 1 x private key + n x certificates in “LVMView” 1 2 3 4 5
- 7. • Create a PSE for the SAP host agent (if not existing) • The PSE can be self-‐signed, you don’t need a signed certificate here • Add *only* the CA and ICA certificates to the PSE 1 2 3 4 5
- 8. • Add the parameter “service/sso_admin_user_0” to the host_profileof the host agent • Restart the host agent • Check sapstartsrv.log (in the host agent work directory) for confirmation that it’s listening on port 1129 1 2 3 4 5
- 9. • You can now edit the hosts in LVM and choose X.509 as the host agent authentication mechanism • In the drop-‐down you should see the private key you uploaded into the “LVMView” key store • Make sure you *test* the connection Round Up
- 10. • SAP Note: 1907566 -‐ “Obtaining the Latest SAP Host Agent Documentation” (see PDF attached to note) • SAP Note: 1439348 -‐ “Extended security settings for sapstartsrv” • help.sap.com: Configuring SSL for SAP Host Agent on UNIX • SCN: http://scn.sap.com/message/16839422 Resources
- 11. Thank-‐you