This blog post is for setting up SSL for Application server S/4HANA for successful connection with SAC (SAP Analytics Cloud).
Background -
When we are connecting SAC (SAP Analytics Cloud) to SAP S/4HANA system with direct live connection, we need to make trusted connection.
Else error can be seen as -
Setting Up SSL
Check CommonCryptoLib version
Login into <Applicaion Server Host> as <sid>adm
server: <sid>adm > cdexe
server: <sid>adm > pwd
/sapmnt/<SID>/exe/uc/linuxx86_64
server: <sid>adm > sapgenpse -l /sapmnt/<SID>/exe/uc/linuxx86_64/libsapcrypto.s
.
.
.
Using -l parameter to load CommonCryptoLib
-l "/sapmnt/<SID>/exe/uc/linuxx86_64/libsapcrypto.so"
Platform: linux-gcc-4.3-x86-64 (linux-gcc-4.3-x86-64)
Versions: SAPGENPSE 8.5.28 (May 8 2019)
CommonCryptoLib 8.5.28 (May 8 2019) [AES-NI,CLMUL,SSE3,SSSE3]
Build change list: 238087
USER="<sid>adm"
Environment variable $SECUDIR is defined:
"/usr/sap/<SID>/DVEBMGS00/sec"
Update SAP Crypto library
- Download latest crypto library from SAP market place:
SAPDownload à Support Packages & Patches à By Category à SAP CRYPTOGRAPHIC SOFTWARE à SAPCRYPTOLIB à COMMONCRYPTOLIB 8 à <Select appropriate OS version> à Download latest SAR file
SAPCRYPTOLIBP_8528-20011697.SAR ---- for Linux X86_64
- Move SAR file from download basket to application server
Use winscp to move to application server
- UNCAR SAR file : (login with <SID>adm into application server
SAPCAR -xvf SAPCRYPTOLIBP_8528-20011697.SAR
- Move uncared all content to Kernel
mv * /sapmnt/<SID>/exe/uc/linuxx86_64
Profile Parameters
Login into <Applicaion Server Host> as <sid>adm and remove below profile parameter
ssf/name
ssf/ssfapi_lib
sec/libsapsecu
ssl/ssl_lib
Define Https parameter
Add below entry into Instance profile
icm/server_port_1 = PROT=HTTPS,PORT=52$$,TIMEOUT=30,PROCTIMEOUT=60
and restart the application server
Generate Certificate
- Transaction Code - /nstrust and click on edit.
2. Right click on
SSL Server Standard and Select
Create
3. Click on OK
4. Update entry as mentioned in the screenshot
5. Make sure Algorithm Overview as below -
6. Once you click on OK, you can see entry has been created.
7. Now, Create Certificate Request by clicking on button
8. Select algorithm as SHA256
And click on OK
9. Download certificate locally.
10. Save to your local machine.
Sign certificate from CA
Get your public key certificates signed by a CA.
Here we have used local internal WINDOWS server as certificate authority.
You can refer below blog to setup windows server as CA
(Reference from Virtuallythere “SSL : Part 1 : Building a Microsoft Certificate Authority for your lab”)
https://virtuallythere.blog/2018/04/24/making-things-a-bit-more-secure-part-1/
(Reference from Virtuallythere “SSL : Part 2 : Signing a CSR with your Microsoft Certificate Authority”)
Once you have setup windows server as CA then you can sign your CSR.
- Copy csr from local machine to windows server.
2. Open Server Manager --> Tools --> Certificate Authority
3. You can see pop-up like below -
4. Click on
Submit new request
5. Browse the certificate from Server
6. Now you can see certificate in Pending Requests
7. Approve the certificate request (Click on
All Tasks -->
Issue)
8. After that, you can see certificate in the list of Issued certificate.
9. Right click and
Open
10. Click on open > Details > Copy to File
11. Click on
Next >Select
PKCS#7 > Check mark for
INCLUDE… > Click on
Browse
12. Give name and click on
SAVE > Verify location and click on
Next > Click on
Finish > Click on
OK
Please note - you are saving file on windows server
13. Copy response file from Windows server to local machine.
Import Signed Response Certificate
1. Now back to SAP logon.
Double click on
SSL server Standard entry
2. Click on
Import Certificate Response
3.Click on
Import > Select the response file and click on
Open
4. You can see screen as below and then click on
OK.
5. Click on
SAVE
Finally cross check SSL configurationwith URL
https://<ABAP application Server host>:<https port>/sap/bc/gui/sap/its/webgui?sap-client=<client no....
Conclusion
You can make secure connection with SAP Analytics Cloud.