SAP Host Agent x509 Authentication
Introduction
• This document gives a quick overview of how to set up SSL connectivity from SAP LVM to the SAP Host Agent
• The SAP Host Agent is installed on every system hosting an SAP instance, and LVM must connect to it to make use of the Host Agent's functionality
• This document describes the SSL setup in a UNIX environment, but it can easily be adapted for the Windows platform
• It is aimed at system administrators familiar with the SAP Host Agent who wish to connect SAP LVM to the Host Agent without user/password authentication
Diagrammatic Overview
[Diagram: Server A (Hostagent) on one side, the LVM Server (lvm01.com) on the other, and a 3rd Party Certificate Authority; the labels recoverable from the slide are listed below]
• LVM Server (lvm01.com), the HTTP client: the "LVMView" key store view holds the private key and the certificate CN=lvm01.com (signed by the CA); the CA and ICA certificates are also added to the key store view
• 3rd Party Certificate Authority: receives the CSR and returns the signed certificate
• Server A (Hostagent), the HTTP server: PSE /usr/sap/hostctrl/exe/sec/SAPSSLS.pse holding the CA certificate and the ICA certificate (added to the PSE); host_profile /usr/sap/hostctrl/exe/host_profile containing service/sso_admin_user_0 = CN=lvm01.com, OU=*, C=GB
• Port 1128: HTTP with BASIC (username/password); Port 1129: HTTPS with X.509 (client certificate), validated against the CA & ICA in the PSE
• The markers #1 to #5 in the diagram refer to the five configuration steps that follow
Step 1
• Generate a Certificate Signing Request (CSR) from the "LVMView" key store view in NetWeaver Administrator
• The CN should be the LVM server name in lowercase (at this point the request looks the same as one for an ordinary SSL server certificate)
• Upload the CSR to your favourite 3rd Party Certificate Signing Authority
Step 2
• You must get the certificate signed by a 3rd Party CA
• You cannot use a self-signed certificate (since LVM 2.0 SP3; see SAP Note 1878159)
• The certificate must have the "Enhanced Key Usage" extension with "Client Authentication"
Step 3
• Download your signed certificate
• Also download the Certificate Authority (CA) and Intermediate Certificate Authority (ICA) certificates
• Upload the certificates into the "LVMView" key store view
• You should now have 1 x private key + n x certificates in "LVMView"
Step 4
• Create a PSE for the SAP Host Agent (if one does not exist yet)
• The PSE can be self-signed; you don't need a CA-signed certificate here
• Add *only* the CA and ICA certificates to the PSE
Step 5
• Add the parameter "service/sso_admin_user_0" to the host_profile of the Host Agent (its value is the subject DN of the LVM client certificate, e.g. CN=lvm01.com, OU=*, C=GB as in the diagram)
• Restart the Host Agent
• Check sapstartsrv.log (in the Host Agent work directory) for confirmation that it is listening on port 1129
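As an added illustration (not from the slides and not SAP's sapstartsrv code), a small pre-flight check in Python that reads the service/sso_admin_user_N entries from a host_profile and tests whether a given client certificate subject would match them; the profile excerpt is constructed, and the matching rules (a "*" value matches any value of that attribute, everything else must match exactly, attributes in the same order) are assumptions to be checked against SAP Note 1439348 listed under Resources.

```python
import re

# Constructed host_profile excerpt; the real file lives at
# /usr/sap/hostctrl/exe/host_profile on the Host Agent server.
HOST_PROFILE = """\
SAPSYSTEMNAME = SAP
service/sso_admin_user_0 = CN=lvm01.com, OU=*, C=GB
"""

def parse_dn(dn):
    """Split 'CN=lvm01.com, OU=*, C=GB' into [('CN', 'lvm01.com'), ('OU', '*'), ('C', 'GB')].
    Escaped commas inside attribute values are not handled."""
    parts = []
    for rdn in re.split(r",\s*", dn.strip()):
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts.append((key.strip().upper(), value.strip()))
    return parts

def sso_admin_users(profile_text):
    """Return the DN patterns set as service/sso_admin_user_N, ordered by N."""
    found = {}
    for line in profile_text.splitlines():
        m = re.match(r"\s*service/sso_admin_user_(\d+)\s*=\s*(.+?)\s*$", line)
        if m:
            found[int(m.group(1))] = m.group(2)
    return [found[n] for n in sorted(found)]

def dn_matches(pattern, subject):
    """Compare a certificate subject against one sso_admin_user pattern, RDN by RDN.
    Assumed rules (not taken from the slides): '*' matches any value of that
    attribute, all other values must match exactly (so the CN case matters),
    and the attributes must appear in the same order."""
    pat, sub = parse_dn(pattern), parse_dn(subject)
    if len(pat) != len(sub):
        return False
    return all(pk == sk and (pv == "*" or pv == sv)
               for (pk, pv), (sk, sv) in zip(pat, sub))

def authorised(profile_text, subject):
    """True if the subject DN matches any configured sso_admin_user pattern."""
    return any(dn_matches(p, subject) for p in sso_admin_users(profile_text))

if __name__ == "__main__":
    for dn in ("CN=lvm01.com, OU=Basis, C=GB", "CN=LVM01.COM, OU=Basis, C=GB"):
        print(dn, "->", "authorised" if authorised(HOST_PROFILE, dn) else "rejected")
```

Running the check against the subject of the certificate you uploaded to "LVMView" before restarting the Host Agent catches a CN in the wrong case or a missing attribute without a round trip through sapstartsrv.log.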
Round Up
• You can now edit the hosts in LVM and choose X.509 as the Host Agent authentication mechanism
• In the drop-down you should see the private key you uploaded into the "LVMView" key store
• Make sure you *test* the connection
Resources
• SAP Note 1907566 - "Obtaining the Latest SAP Host Agent Documentation" (see the PDF attached to the note)
• SAP Note 1439348 - "Extended security settings for sapstartsrv"
• help.sap.com: Configuring SSL for SAP Host Agent on UNIX
• SCN: http://scn.sap.com/message/16839422
Thank you