
SAP Host Agent SSL config cannot import self signed cert

0 Kudos
1,068

Hello experts,

I have installed the latest SAP Host Agent 7.21 SP48 (SAPHOSTAGENT48_48-20009417.SAR). I am now going to configure SSL on it based on the below information:

https://help.sap.com/viewer/host_agent/f950aeeb64604e818b24626d287b63b0.html

https://wiki.scn.sap.com/wiki/display/BOBJ/Enabling+Host+Agent+SSL
https://wiki.scn.sap.com/wiki/display/BOBJ/Creating+a+Self-Signed+Certificate+Authority+Key+Pair+and...

I am using the self signed cert approach. However when I import the self signed cert made by Keytool (as mentioned in the 3rd link above), there is an error showing "self signed cert not supported". How can I troubleshoot this case and fix this problem so that I can configure SSL on SAP Host Agent successfully?

This is the log when I tried to import the self signed cert (Some modification is done to change the password and relevant names and codes of course):

C:\Program Files\SAP\hostctrl\exe>sapgenpse import_own_cert -p SAPSSLS.pse -x whatever -c "SID.pem" -r "cacert_sid.pem" -v

Opening PSE "C:\Program Files\SAP\hostctrl\exe\sec\SAPSSLS.pse"...

No SSO credentials found for this PSE.

PSE (v2) open ok.

Trying to import Certification Response...

Found binary ASN.1 Certificate

----------------------------------------------------------------------------

Subject : CN=systemhostname.myorganization, O=MyOrg, C=MO

Issuer : CN=systemhostname.myorganization, O=MyOrg, C=MO

Serialno : 11:22:33:44

KeyInfo : RSA, 2048-bit

Validity - NotBefore: Wed Aug 5 17:27:50 2020 (200805092750Z)

NotAfter: Sat Aug 3 17:27:50 2030 (300803092750Z)

KeyUsage : none

ExtKeyUsage : none

SubjectAltName : none

----------------------------------------------------------------------------

Found PEM-framed base64-encoded ASN.1 Certificate

----------------------------------------------------------------------------

Subject : CN=systemhostname.myorganization, O=MyOrg, C=MO

Issuer : CN=systemhostname.myorganization, O=MyOrg, C=MO

Serialno : 22:33:44:55

KeyInfo : RSA, 2048-bit

Validity - NotBefore: Wed Aug 5 17:18:31 2020 (200805091831Z)

NotAfter: Sat Aug 3 17:18:31 2030 (300803091831Z)

KeyUsage : none

ExtKeyUsage : none

SubjectAltName : none

----------------------------------------------------------------------------

(Old) Certificate in PSE:

----------------------------------------------------------------------------

Subject : CN=systemhostname.myorganization, O=MyOrg, C=MO

Issuer : CN=systemhostname.myorganization, O=MyOrg, C=MO

Serialno : AA:BB:CC:DD:EE:FF:11:22

KeyInfo : RSA, 2048-bit

Validity - NotBefore: Mon Aug 3 18:27:02 2020 (200803102702Z)

NotAfter: Fri Jan 1 08:00:01 2038 (380101000001Z)

KeyUsage : none

ExtKeyUsage : none

SubjectAltName : none

----------------------------------------------------------------------------

Import self-signed certs not supported

import_own_cert: Incomplete certificate path

import_own_cert: Installation of certificate failed

I am very new to this stuff. Any advice would be appreciated.

Thank you.

Brian Hui

5 REPLIES

S_Sriram
Active Contributor
0 Kudos
545

Hi Brian,

Have you followed the SAP link to import the SSL in hostagent?

https://help.sap.com/viewer/e66c399612e84a83a8abe97c0eeb443a/2.3.latest/en-US/b142ba8699e64bf187eb7a...

Regards

SS

0 Kudos
545

Hi Sriram,

Thanks for your reply. I checked the link and the platform is in UNIX. But I am working on a Windows platform. How to convert PEM to PKCS#12 from Windows? Please advise.

Regards,

Brian Hui

cris_hansen
Product and Topic Expert
0 Kudos
545

Hi Brian,

Do you really need the PSE to be signed? If yes, then why don't you use an internal or test CA (using, e.g. openssl) to sign the request? You can then import the signed certificate.

In the SAP Help Sriram shared, if you have a PKCS#12 package (i.e. you already have a signed certificate), then you can convert this package to PSE format, not needing to sign it.

Regards,

Cris
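
The test-CA route suggested in the reply above, as an added example that is not part of the original thread or of SAP's documentation: a throwaway CA signs the host's certificate request, and the result is checked before import. It assumes OpenSSL is on the PATH; the file names, the CA subject and the stand-in request are constructed for illustration, and the import flags in step 4 are the ones shown in the question.

```shell
#!/bin/sh
# Added example: a throwaway test CA signs the host's certificate request.
# File names and the CA subject are constructed for illustration.

write_cnf() {    # $1 = work dir; minimal config so no system openssl.cnf is needed
cat > "$1/test.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = MO
O = MyOrg
CN = MyOrg Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_host]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:systemhostname.myorganization
EOF
}

is_self_signed() {   # true when subject and issuer names are identical
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

issue_from_test_ca() {   # $1 = work dir; succeeds only if host.pem chains to ca.pem
    d=$1
    write_cnf "$d" &&
    # 1. Self-signed CA certificate (the only self-signed certificate in the chain).
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$d/test.cnf" -keyout "$d/ca.key" -out "$d/ca.pem" &&
    # 2. Stand-in request. In practice req.p10 is the certificate request
    #    generated from SAPSSLS.pse, so the private key never leaves the PSE.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/test.cnf" \
        -subj "/C=MO/O=MyOrg/CN=systemhostname.myorganization" \
        -keyout "$d/host.key" -out "$d/req.p10" &&
    # 3. The CA signs the request; the issuer is now the CA, not the host itself.
    openssl x509 -req -in "$d/req.p10" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -sha256 -days 365 \
        -extfile "$d/test.cnf" -extensions v3_host -out "$d/host.pem" &&
    openssl verify -CAfile "$d/ca.pem" "$d/host.pem" >/dev/null
}
# 4. On the host, with the flags used in the question:
#    sapgenpse import_own_cert -p SAPSSLS.pse -x <pin> -c host.pem -r ca.pem

work=$(mktemp -d) && issue_from_test_ca "$work" && echo "issued $work/host.pem"
```

Running `is_self_signed` on a certificate before import shows whether it is a CA-signed response or another self-signed certificate like the ones in the log above. The test CA key is written unencrypted, so it belongs on a test system only.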

0 Kudos
545

Hi Cristiano,

My goal is to configure SSL successfully for SAP Host Agent. Therefore I followed the steps provided by SAP. There is a step in which I need to import a cert to the PSE. I tried the self signed cert approach but I got an error which I don't know how to solve.

I followed the 3 links above for the steps and I found nothing mentioned about PKCS#12 and so I don't know whether what you said is applicable to my case.

For OpenSSL, it seems that one is too challenging for me. I will need to download its source code and use a compiler tool to compile it, right? I haven't touched those things for more than 20 years... besides the fact that I don't think I have the right tool.

Thanks

Brian Hui

cris_hansen
Product and Topic Expert
0 Kudos
545

Hi Brian,

For OpenSSL, there are compiled versions available, so the effort should not be high.

Regards,

Cris