2020 Aug 07 9:26 AM
Hello experts,
I have installed the latest SAP Host Agent 7.21 SP48 (SAPHOSTAGENT48_48-20009417.SAR). I am now going to configure SSL on it based on the below information:
https://help.sap.com/viewer/host_agent/f950aeeb64604e818b24626d287b63b0.html
https://wiki.scn.sap.com/wiki/display/BOBJ/Enabling+Host+Agent+SSL
https://wiki.scn.sap.com/wiki/display/BOBJ/Creating+a+Self-Signed+Certificate+Authority+Key+Pair+and...
I am using the self signed cert approach. However when I import the self signed cert made by Keytool (as mentioned in the 3rd link above), there is an error showing "self signed cert not supported". How can I troubleshoot this case and fix this problem so that I can configure SSL on SAP Host Agent successfully?
This is the log when I tried to import the self signed cert (Some modification is done to change the password and relevant names and codes of course):
C:\Program Files\SAP\hostctrl\exe>sapgenpse import_own_cert -p SAPSSLS.pse -x whatever -c "SID.pem" -r "cacert_sid.pem" -v
Opening PSE "C:\Program Files\SAP\hostctrl\exe\sec\SAPSSLS.pse"...
No SSO credentials found for this PSE.
PSE (v2) open ok.
Trying to import Certification Response...
Found binary ASN.1 Certificate
----------------------------------------------------------------------------
Subject : CN=systemhostname.myorganization, O=MyOrg, C=MO
Issuer : CN=systemhostname.myorganization, O=MyOrg, C=MO
Serialno : 11:22:33:44
KeyInfo : RSA, 2048-bit
Validity - NotBefore: Wed Aug 5 17:27:50 2020 (200805092750Z)
NotAfter: Sat Aug 3 17:27:50 2030 (300803092750Z)
KeyUsage : none
ExtKeyUsage : none
SubjectAltName : none
----------------------------------------------------------------------------
Found PEM-framed base64-encoded ASN.1 Certificate
----------------------------------------------------------------------------
Subject : CN=systemhostname.myorganization, O=MyOrg, C=MO
Issuer : CN=systemhostname.myorganization, O=MyOrg, C=MO
Serialno : 22:33:44:55
KeyInfo : RSA, 2048-bit
Validity - NotBefore: Wed Aug 5 17:18:31 2020 (200805091831Z)
NotAfter: Sat Aug 3 17:18:31 2030 (300803091831Z)
KeyUsage : none
ExtKeyUsage : none
SubjectAltName : none
----------------------------------------------------------------------------
(Old) Certificate in PSE:
----------------------------------------------------------------------------
Subject : CN=systemhostname.myorganization, O=MyOrg, C=MO
Issuer : CN=systemhostname.myorganization, O=MyOrg, C=MO
Serialno : AA:BB:CC:DD:EE:FF:11:22
KeyInfo : RSA, 2048-bit
Validity - NotBefore: Mon Aug 3 18:27:02 2020 (200803102702Z)
NotAfter: Fri Jan 1 08:00:01 2038 (380101000001Z)
KeyUsage : none
ExtKeyUsage : none
SubjectAltName : none
----------------------------------------------------------------------------
Import self-signed certs not supported
import_own_cert: Incomplete certificate path
import_own_cert: Installation of certificate failed
I am very new to this stuff. Any advice would be appreciated.
Thank you.
Brian Hui
2020 Aug 07 11:33 AM
Hi Brian,
Have you followed the SAP link to import the SSL in hostagent?
Regards
SS
2020 Aug 07 11:52 AM
Hi Sriram,
Thanks for your reply. I checked the link and the platform is in UNIX. But I am working on a Windows platform. How to convert PEM to PKCS#12 from Windows? Please advise.
Regards,
Brian Hui
2020 Aug 07 1:47 PM
Hi Brian,
Do you really need the PSE to be signed? If yes, then why don't you use an internal or test CA (using, e.g. openssl) to sign the request? You can then import the signed certificate.
In the SAP Help Sriram shared, if you have a PKCS#12 package (i.e. you already have a signed certificate), then you can convert this package to PSE format, not needing to sign it.
Regards,
Cris
2020 Aug 10 2:20 AM
Hi Cristiano,
My goal is to configure SSL successfully for SAP Host Agent. Therefore I followed the steps provided by SAP. There is a step in which I need to import a cert to the PSE. I tried the self signed cert approach but I got an error which I don't know how to solve.
I followed the 3 links above for the steps and I found nothing mentioned about PKCS#12 and so I don't know what you said is applicable to my case.
For OpenSSL, it seems that one is too challenging for me. I will need to download its source code and use a compiler tool to compile it, right? I haven't touched those things for more than 20 years... besides the fact that I don't think I have the right tool.
Thanks
Brian Hui
2020 Aug 10 3:18 PM
Hi Brian,
For OpenSSL, there are compiled versions available, so the effort should not be high.
Regards,
Cris
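The approach Cris suggests above (sign the PSE's certificate request with a test CA, then import the signed certificate together with the CA certificate) could look like this on Windows. This is an added example, not part of the thread or of SAP's documentation. It assumes a precompiled openssl.exe on PATH, an elevated PowerShell prompt, and that no SAPSSLS.pse exists yet in the sec directory; the working directory, the test CA name and `<pse-password>` are placeholders.

```powershell
# Added example, not from the thread. Assumes openssl.exe is on PATH and that no
# SAPSSLS.pse exists yet in SECUDIR. '<pse-password>' and the CA name are placeholders.
$exe  = 'C:\Program Files\SAP\hostctrl\exe'
$work = Join-Path $env:TEMP 'hostagent-testca'      # hypothetical working directory
New-Item -ItemType Directory -Force -Path $work | Out-Null
$env:SECUDIR = Join-Path $exe 'sec'                  # where sapgenpse keeps SAPSSLS.pse

function Invoke-Tool {                               # run a native tool, stop on failure
    param([string]$Path, [string[]]$ToolArgs)
    & $Path @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Path exited with code $LASTEXITCODE" }
}

# OpenSSL config: [v3_ca] marks the test CA as a CA, [server] is applied to the host cert.
@'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
C  = MO
O  = MyOrg
CN = HostAgent Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:systemhostname.myorganization
'@ | Set-Content -Encoding ASCII -Path "$work\ca.cnf"

# 1. Create the PSE and a PKCS#10 request for the host's own key pair.
Invoke-Tool "$exe\sapgenpse.exe" @('gen_pse','-p','SAPSSLS.pse','-x','<pse-password>',
    '-r',"$work\SID.p10",'CN=systemhostname.myorganization, O=MyOrg, C=MO')
# 2. Create the test CA (its key is stored unencrypted: test use only).
Invoke-Tool 'openssl' @('req','-x509','-newkey','rsa:2048','-nodes','-config',"$work\ca.cnf",
    '-keyout',"$work\ca.key",'-out',"$work\cacert_sid.pem",'-days','365')
# 3. Sign the request: the issuer becomes the test CA, so the cert is not self-signed.
Invoke-Tool 'openssl' @('x509','-req','-in',"$work\SID.p10",'-CA',"$work\cacert_sid.pem",
    '-CAkey',"$work\ca.key",'-CAcreateserial','-out',"$work\SID.pem",'-days','365',
    '-sha256','-extfile',"$work\ca.cnf",'-extensions','server')
# 4. Check the chain before touching the PSE, then import host cert plus CA cert.
Invoke-Tool 'openssl' @('verify','-CAfile',"$work\cacert_sid.pem","$work\SID.pem")
Invoke-Tool "$exe\sapgenpse.exe" @('import_own_cert','-p','SAPSSLS.pse','-x','<pse-password>',
    '-c',"$work\SID.pem",'-r',"$work\cacert_sid.pem")
```

Clients that connect to the Host Agent will only trust this certificate once cacert_sid.pem is added to their trust store.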