topic Re: SAP Host Agent SSL config cannot import self signed cert in DevOps and System Administration Forum

SAP Host Agent SSL config cannot import self signed cert

former_member396266 — Fri, 07 Aug 2020 08:26:33 GMT

Hello experts,

I have installed the latest SAP Host Agent 7.21 SP48 (SAPHOSTAGENT48_48-20009417.SAR). I am now going to configure SSL on it based on the below information:

https://help.sap.com/viewer/host_agent/f950aeeb64604e818b24626d287b63b0.html

https://wiki.scn.sap.com/wiki/display/BOBJ/Enabling+Host+Agent+SSL
https://wiki.scn.sap.com/wiki/display/BOBJ/Creating+a+Self-Signed+Certificate+Authority+Key+Pair+and+Certificates

I am using the self signed cert approach. However when I import the self signed cert made by Keytool (as mentioned in the 3rd link above), there is an error showing "self signed cert not supported". How can I troubleshoot this case and fix this problems so that I can configure SSL on SAP Host Agent successfully?

This is the log when I tried to import the self signed cert (Some modification is done to change the password and relevant names and codes of course):

C:\Program Files\SAP\hostctrl\exe>sapgenpse import_own_cert -p SAPSSLS.pse -x whatever -c "SID.pem" -r "cacert_sid.pem" -v

Opening PSE "C:\Program Files\SAP\hostctrl\exe\sec\SAPSSLS.pse"...

No SSO credentials found for this PSE.

PSE (v2) open ok.

Trying to import Certification Response...

Found binary ASN.1 Certificate

----------------------------------------------------------------------------

Subject : CN=systemhostname.myorganization, O=MyOrg, C=MO

Issuer : CN=systemhostname.myorganization, O=MyOrg, C=MO

Serialno : 11:22:33:44

KeyInfo : RSA, 2048-bit

Validity - NotBefore: Wed Aug 5 17:27:50 2020 (200805092750Z)

NotAfter: Sat Aug 3 17:27:50 2030 (300803092750Z)

KeyUsage : none

ExtKeyUsage : none

SubjectAltName : none

----------------------------------------------------------------------------

Found PEM-framed base64-encoded ASN.1 Certificate

----------------------------------------------------------------------------

Subject : CN=systemhostname.myorganization, O=MyOrg, C=MO

Issuer : CN=systemhostname.myorganization, O=MyOrg, C=MO

Serialno : 22:33:44:55

KeyInfo : RSA, 2048-bit

Validity - NotBefore: Wed Aug 5 17:18:31 2020 (200805091831Z)

NotAfter: Sat Aug 3 17:18:31 2030 (300803091831Z)

KeyUsage : none

ExtKeyUsage : none

SubjectAltName : none

----------------------------------------------------------------------------

(Old) Certificate in PSE:

----------------------------------------------------------------------------

Subject : CN=systemhostname.myorganization, O=MyOrg, C=MO

Issuer : CN=systemhostname.myorganization, O=MyOrg, C=MO

Serialno : AA:BB:CC:DD:EE:FF:11:22

KeyInfo : RSA, 2048-bit

Validity - NotBefore: Mon Aug 3 18:27:02 2020 (200803102702Z)

NotAfter: Fri Jan 1 08:00:01 2038 (380101000001Z)

KeyUsage : none

ExtKeyUsage : none

SubjectAltName : none

----------------------------------------------------------------------------

Import self-signed certs not supported

import_own_cert: Incomplete certificate path

import_own_cert: Installation of certificate failed

I am very new to this stuff. Any advice would be appreciated.

Thank you.

Brian Hui

Re: SAP Host Agent SSL config cannot import self signed cert

S_Sriram — Fri, 07 Aug 2020 10:33:42 GMT

Hi Brian,

Have you followed the SAP link to import the SSL in hostagent

https://help.sap.com/viewer/e66c399612e84a83a8abe97c0eeb443a/2.3.latest/en-US/b142ba8699e64bf187eb7a5ed3ea2507.html

Regards

Re: SAP Host Agent SSL config cannot import self signed cert

former_member396266 — Fri, 07 Aug 2020 10:52:20 GMT

Hi Sriram,

Thanks for your reply. I checked the link and the platform is in UNIX. But I am working on a Windows platform. How to convert PEM to PKCS#12 from Windows? Please advise.

Regards,

Brian Hui

Re: SAP Host Agent SSL config cannot import self signed cert

cris_hansen — Fri, 07 Aug 2020 12:47:28 GMT

Hi Brian,

Do you really need the PSE to be signed? If yes, then why you don't use an internal or test CA (using, e.g. openssl) to sign the request? You can then import the signed certificate.

In the SAP Help Sriram shared, if you have a PKCS#12 package (i.e. you already have a signed certificate), then you can convert this package to PSE format, not needing to sign it.

Regards,

Cris

Re: SAP Host Agent SSL config cannot import self signed cert

former_member396266 — Mon, 10 Aug 2020 01:20:29 GMT

Hi Cristiano,

My goal is to configure SSL successfully for SAP Host Agent. Therefore I followed the steps provided by SAP. There is a step which I need to import a cert to the PSE. I tried the self signed cert approach but I got an error which I don't know how to solve it.

I followed the 3 links above for the steps and I found nothing mentioned about PKCS#12 and so I don't know what you said is applicable to my case.

For OpenSSL, it seems that one is too challenging for me. I will need to download its source code and use a compiler tool to compile it, right? I haven't touched those things for more than 20 years....besides the fact that I don't think I have the right tool.

Thanks

Brian Hui

Re: SAP Host Agent SSL config cannot import self signed cert

cris_hansen — Mon, 10 Aug 2020 14:18:58 GMT

Hi Brian,

For OpenSSL, there are compiled versions available, so the effort should not be high.

Regards,

Cris