cancel
Showing results for 
Search instead for 
Did you mean: 

SAB B1 SSL Certificate - Issue with Backup via SLD

sarumanb1
Explorer
0 Kudos

Hello,

I am experiencing an issue with SSL Certificate and SAP B1.

During setup / reconfigure I have selected to use a certificate for the SLD. Certificate is signed by the Domain Certificate Authority (Windows Active Directory Certificate Services).

Once the reconfiguration is complete the SLD Control Center can be accessed via browser and because the CA is trusted domain wide there are no issues with the certificate. All checks pass.

However once in the SLD in the first Tab under "DB Instances and Companies", once you click on the server in the "DB Instances" table, the "Back UP", "Delete Older backups" and "Show Backup Log" are grayed out.

After some troubleshooting it was confirmed that this is definitely caused by the certificate installation. If i reconfigure again and select the self signed certificate, the options are available again.

I did review the section 10.8 in the Administration Manual, however these re references for enabling SSL between the HANA and the services. I believe the issue at hand is that the BackupService is not liking the CA that is signing the certificate and therefore not allowing for backups to be done via SLD.

Note that the backup jobs are failing also if initiated via remote support platform.

Does anyone have any suggestions ? Which keystore fro trusted CAs is the backup service looking at ?

I have also added the root ca to /etc/pki/trust/anchors and ran the update-ca-certificates, however if backup service is looking at java based keystroke this does not help me 🙂

Thank you in advance

Accepted Solutions (0)

Answers (1)

Answers (1)

sarumanb1
Explorer
0 Kudos

SOLUTION:

I have managed to find a way to resolve this. For future reference in case someone stumbles upon this.

My thought s here are that the Backup Services are not trusting the enterprise CA. the certificate with root ca was imported into sap during reconfiguration. However, even though the browsers were now trusting the SLD, web client etc, (due to the enterprise trust published by the AD policy), the services were not trusting each other.

After investigation i found:

sapb1servertools.service is started with environment settings from

/usr/sap/SAPBusinessOne/Common/tomcat/service/control.env

control.env specifies

JAVA_HOME='/usr/sap/SAPBusinessOne/Common/sapjvm_8/jre'
JRE_HOME='/usr/sap/SAPBusinessOne/Common/sapjvm_8/jre'

That means that any program running within this JVM will ingerit the JVM trust from the cacerts in that JRE environment.

We need to establish CA trust in the JRE so we import CA into the cacerts

cd /usr/sap/SAPBusinessOne/Common/sapjvm_8/jre/lib/security

../../bin/keytool -import -trustcacerts -alias Friendly-Name-Of-Enterprise-CA -file /usr/sap/SAPBusinessOne/B1_SHF/Ent-CA.cer -keystore cacerts


The import will prompt for the password to the keystore. The default password for Java Keystore is changeit

Once this is done , restart all services.

I did not see this in the Administration Documentation at all.

However, the reverse proxy hint on page 74 gave me an idea to do the above.

"To use a reverse proxy to handle incoming external requests, you need to:
Import a trusted root certificate for all SAP Business One services during the installation."