Technology Blog Posts by Members
AJAYTR

Informative Note:

  • This blog explains how to renew/apply the SAP Enable Now certificate from the Basis end.
  • SAP Enable Now (Author/Consumption edition) / Companion is usually connected to S/4 HANA systems, where business users create their own content or edit SAP standard content.

  • If the SAP Enable Now Manager/WorkArea is connected to an SAP system, both the SAP system and Enable Now need a valid certificate to secure HTTPS/SSL, for example for the Fiori Launchpad.
  • If the SAP Enable Now certificate has expired, a “Not Secure – SSL” link is shown even though the SAP system certificate is valid, or the connection to the Enable Now WorkArea is ignored.
  • It also leads to multiple unnecessary logons, improper updates and SSL connection issues if the SAP system runs with SSL.

  • In the SAP system, this means generating the SAPSSL*.PSE files. We use the import command to create/generate the PSE files with our trusted CA certificates, which are created and downloaded from SAP MMC.
  • For Enable Now, we can use the PFX/P12 certificate directly for the SSL connection.

Usual Procedure:

  • Using keytool, we can create a keystore (JKS) with our own private key/alias; keytool asks for the certificate information while creating the keystore.
  • You can also convert the JKS to P12 (optional).
  • Once the private key exists in the Java keystore, we can generate a certificate signing request (CSR) for it and get the CA response (root, server and intermediate certificates signed by the CA).
  • Once the CA-approved certificate is received, we can renew/apply/overwrite the certificate in our keystore.
  • You can ignore this blog if you are looking for the usual procedure, the CSR request method.
  • Usually, most organizations do not allow you to approve your own certificate.
  • A valid server certificate (CN matching the server name, PKCS12 – PFX/P12) should be issued by the security team or generated manually from SAP MMC.
  • We need to use that certificate and make Enable Now pick up the keystore certificate for SSL, like SAP.

SAP MMC Certificate Renewal Steps:

  • Request a new certificate in SAP MMC and download the PFX file.
  • Unlike SAP, we don’t need separate server, root and intermediate certificates if we have the PFX file.
  • Tomcat supports the PFX/P12 extensions, so we can use our PFX file directly. SAP Enable Now will pick it up for SSL connections.

  • Downloaded as “EnableNowCertificatePFX.pfx”.

With Private Key and Certificates:

  • If you have received the signed server certificate and the private key separately from the security team (Base-64 encoded X.509 CER, the readable/PEM format), you can use OpenSSL to create a P12/PFX file from them.

  • OpenSSL is open-source software; you can find and download it on the web.
  • Create a single text file containing the certificates in the order Server -> Issuer -> Root.

  • Command: openssl pkcs12 -export -in Certificate.txt -inkey PrivateKeyFile.key -name EnableNowCertificate -out EnableNowCert.p12
  • It generates an EnableNowCert.p12 keystore file that holds the private key entry and the certificates under the alias EnableNowCertificate.

  • Check the keystore certificate list with Java keytool.
  • You can use any Java version (JRE/JDK/SAPJVM), since we are only going to check the certificate list.

  • The private key with its certificates exists in the keystore as expected.

  • We can use the P12 keystore we created for the Tomcat – Enable Now SSL connection.
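A pre-deployment check for the keystore built above, as an added example that is not part of the original post: it refuses to bundle a private key that does not match the server certificate, then confirms that the certificate inside the P12 names the server and is not about to expire. The function names, host name, password and throwaway CA are constructed for the demo; the file names and alias follow the post's command.

```shell
#!/bin/sh
# Added example; host name, password and the throwaway CA are constructed.
# pass: arguments are visible in the process list; prefer env: or file: in production.

# True only if the key and the first certificate in the file share a public key.
key_matches_cert() {    # $1 = key file, $2 = certificate/chain (server cert first)
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The post's export command, refusing a key that does not fit the server certificate.
build_p12() {           # $1 = chain, $2 = key, $3 = alias, $4 = output, $5 = password
    key_matches_cert "$2" "$1" || return 1
    openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" -out "$4" -passout "pass:$5"
}

# Print the server (leaf) certificate stored in the keystore as PEM.
p12_leaf() {            # $1 = keystore, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 2>/dev/null
}

# True if the leaf names the host and stays valid for at least $4 more days.
p12_ready() {           # $1 = keystore, $2 = password, $3 = host name, $4 = days
    leaf=$(p12_leaf "$1" "$2") || return 1
    printf '%s\n' "$leaf" | openssl x509 -noout -checkhost "$3" |
        grep -q 'does match' || return 1
    printf '%s\n' "$leaf" | openssl x509 -noout -checkend $(( $4 * 86400 )) >/dev/null
}

# Throwaway CA and 30-day server certificate so the checks run offline.
make_demo_material() {  # $1 = work directory, $2 = host name
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.crt" \
        -subj "/CN=Constructed Demo CA" -days 30 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -keyout "$1/PrivateKeyFile.key" \
        -out "$1/srv.csr" -subj "/CN=$2" 2>/dev/null || return 1
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/srv.crt" -days 30 2>/dev/null || return 1
    cat "$1/srv.crt" "$1/ca.crt" > "$1/Certificate.txt"   # server first, then issuer
}

d=$(mktemp -d) && make_demo_material "$d" enablenow.example.internal &&
    build_p12 "$d/Certificate.txt" "$d/PrivateKeyFile.key" EnableNowCertificate \
        "$d/EnableNowCert.p12" demo-pass &&
    p12_ready "$d/EnableNowCert.p12" demo-pass enablenow.example.internal 14 &&
    echo "keystore ready for Tomcat"
rm -rf "$d"
```

The same p12_ready check can be run against a PFX downloaded from SAP MMC before Tomcat is pointed at it.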

Tomcat: Using the PFX/P12 Keystore File for the SAP Enable Now SSL Connection

  • You can place the downloaded PFX/P12 file in any path that Tomcat can access.
  • Mine -> C:\Program Files\Java\jre1.8.0_311\bin

  • Now edit the server file and make Tomcat use our keystore for certificate authentication. It will automatically be used for Enable Now as well.
  • There is no need to use any of the predefined protocols (AJP, APR).
  • Simply add the keystore entries after the HTTP entry and it will work fine. Make sure you give the right keystore file and password.
  • C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf/server.xml
  • I have crosschecked with both certificates.

*Restart Tomcat for the change to take effect*

Check SSL Connection – SAP Enable Now:

  • The SSL connection is fine now.

  • With EnableNowCert.p12 -> July 17, 2024 – August 16, 2025

  • With EnableNowCertificatePFX.pfx -> July 19, 2024 – August 18, 2025

Check SAP System Fiori Launchpad:

  • Connecting to SAP Enable Now

  • The connection is secure now.

  • We have successfully renewed the SAP Enable Now certificate.

Want to know more about SSL configuration on ABAP and HANA?

Please refer to the blog below:

MANUAL SAP SSL CONFIGURATION FOR S/4 HANA (ABAP AND HANA) SYSTEM from OS_LEVEL #ATR

Thanks for Visiting!