AJAYTR_ATR66

  • I created this blog to provide information on how to renew SAP SSL certificates – an alternative way.
  • LINKED BLOG - MANUAL SAP SSL CONFIGURATION FOR S/4 HANA (ABAP AND HANA) SYSTEM from OS_LEVEL #ATR
  • Either method (blog) can be used to renew SAP SSL, whichever suits the SAP system's compliance requirements.
  • Usually an SSL-enabled SAP system goes down when its SSL certificate has expired or is invalid, resulting in a “Server Resource Exhaust” error with WP_KILL status.

  • Check – sapcontrol -nr <instno> -function GetProcessList, or -function GetSystemInstanceList for the whole system.

  • All WPs will be stuck in “KILLING” status – check with dpmon pf=<profilename>, then the “p” (work process) menu.

  • R3trans and WP logs – /usr/sap/SID/DINST/work

  • Check dev_w0 before the other logs: the SAP system starts all WPs in ascending order, so dev_w0 is the first to start and carries the exact WP error.

  • In my scenario, the SAP system was configured to run with SSL – ABAP (SAPSSLS) and HANA DB (SAPSRV) – and its certificate had expired.

SOLUTION:

  • METHOD 1: Temporarily disable SSL, restart the SAP system -> renew the certificates in STRUST -> add the renewed certificate to the database SAPSRV PSE as well (so that ABAP trusts the DB and vice versa).

         [OR]

  • METHOD 2: Renew SAP SSL manually by regenerating the PSE file (SAPSSL*) with sapgenpse. Please refer to my blog – MANUAL SAP SSL CONFIGURATION FOR S/4 HANA (ABAP AND HANA) SYSTEM from OS_LEVEL #ATR
  • As we have already seen how to renew SSL manually at OS level (sapgenpse), we will proceed with the METHOD 1 solution.
  • There is no need to touch the ABAP profile (icm parameters), since we only need to start the system without SSL and re-enable SSL after renewing the certificates via STRUST.
  • To let the ABAP WPs connect to the DB, disable or comment out the SSL parameters below in the R3trans environment and in the DB.
  • /usr/sap/HDB/HDB02/servername/global.ini - Host level – change ssl from on to off.
  • /usr/sap/HDB/SYS/global/hdb/custom/config/DB_HDB/global.ini - Database level
  • /usr/sap/HDB/SYS/global/hdb/custom/config - System level
  • Change – set dbs_hdb_connect_property=ENCRYPT=FALSE in dbenv.csh or sapenv.csh under /home/sidadm.
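
To check the state of the two switches flipped in this step, and later to confirm that both are back on once the STRUST renewal is done, here is an added Python audit that is not part of the original post. It assumes the HANA switch is `ssl` in the [communication] section of global.ini and that dbenv.csh/sapenv.csh carry the ABAP-side setting as `setenv dbs_hdb_connect_property ...` or a plain `dbs_hdb_connect_property=...` assignment; the file contents below are constructed samples.

```python
"""Audit the two SSL switches this procedure turns off, so the
temporary 'run without SSL' state is not left behind after renewal.
Added example, not from the original post; assumes the HANA switch is
'ssl' in [communication] of global.ini and the ABAP side is
dbs_hdb_connect_property in dbenv.csh/sapenv.csh (setenv or KEY=VALUE)."""
import configparser
import re

# Constructed sample: host-level global.ini after the workaround.
GLOBAL_INI = """\
[communication]
listeninterface = .global
ssl = off
"""
# Constructed sample: dbenv.csh with DB encryption switched off.
DBENV_CSH = """\
setenv dbms_type hdb
setenv dbs_hdb_connect_property ENCRYPT=FALSE
"""
_PROP_RE = re.compile(
    r"^\s*(?:setenv\s+dbs_hdb_connect_property\s+|dbs_hdb_connect_property=)"
    r"(\S+)", re.MULTILINE)

def hana_ssl_enabled(ini_text):
    """True if [communication] ssl is 'on' or 'systempki'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    value = cp.get("communication", "ssl", fallback="off")
    return value.strip().lower() in ("on", "systempki")

def abap_db_encrypt_enabled(env_text):
    """True if dbs_hdb_connect_property carries ENCRYPT=TRUE."""
    m = _PROP_RE.search(env_text)
    if not m:
        return False  # unset: the client does not request encryption
    raw = m.group(1).strip("\"'")  # tolerate a quoted csh value
    props = dict(kv.split("=", 1) for kv in raw.split(";") if "=" in kv)
    return props.get("ENCRYPT", "").strip().upper() == "TRUE"

def audit(ini_text, env_text):
    """Return findings; an empty list means both switches are back on."""
    findings = []
    if not hana_ssl_enabled(ini_text):
        findings.append("global.ini: [communication] ssl is not 'on'")
    if not abap_db_encrypt_enabled(env_text):
        findings.append("dbenv: dbs_hdb_connect_property lacks ENCRYPT=TRUE")
    return findings

for finding in audit(GLOBAL_INI, DBENV_CSH):
    print("FINDING:", finding)
```

Run it against the real global.ini and dbenv.csh after the final restart; any finding means the system is still running the unencrypted workaround.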

  • Restart the DB, then ABAP. ABAP will connect to the DB (without SSL).

NOTE:

  • HTTPS connections will fail or be insecure, since the ICM parameter icm/HTTPS/verify_client is still set to 1; but the ABAP system will start and connect to the DB.
  • Both the ABAP and ASCS instances must be restarted so that the SAP environment variables are re-read from scratch; otherwise the system will still use ENCRYPT=TRUE and fail to connect to the DB.
  • We can now use STRUST to renew the certificates and then re-enable SSL.
  • Import the certificate response to renew the certificate, signed by your company's Root CA/Intermediate CA.

  • Add the server, root and intermediate certificates to the ABAP SAPSSLS certificate list as well.
  • Recreate SAPSRV.pse and SAPSRV_INTERNAL.pse with the renewed certificate. The PFX file and the certificates can be exported from STRUST itself.

  • sapsrv_internal must be renewed as well, since it acts as the internal SSL keystore and is checked when the DB starts.

  • Command – sapgenpse import_p12 -r root.cer -r intermediate.cer -p psefile.pse pfxfile.pfx

  • Add the server, root and intermediate certificates of the SAPSRV PSE to the ABAP SAPSSLS PSE (via STRUST) so that ABAP trusts the HANA DB and the connection can be established.

  • In this case they are already present, since the same (single) certificate is used for both ABAP and the HANA DB.
  • Alternatively, add them manually with sapgenpse instead of STRUST: sapgenpse maintain_pk -a certificatename.cer -p SAPSSLS.pse
  • Expired certificates can be deleted from the list if no longer required.
  • We have successfully renewed ABAP SAPSSLS as well as DB SAPSRV/SAPSRV_INTERNAL.
  • The SAPSRV certificates have been added to the ABAP SAPSSLS list for ABAP – HANA DB trust.
  • Now re-enable the SSL parameters and restart ABAP and the HANA DB.

  • We have successfully renewed and configured SSL Connection for SAP System.

WANNA KNOW MORE INFORMATION?

What if?

  • You have also maintained the ICM parameter icm/HTTPS/verify_client in the ASCS profile. [Usually done in productive environments running with SSL]

  • S/4HANA systems (mainly 2020 and above) have an integrated Web Dispatcher attached to the message server, used mainly for Web Assistant/Enable Now. All requests go via the WD. If you have maintained the client verification parameter in ASCS, SSL verification is done between ABAP and the WD once the system has started.
  • The system performs an SSL handshake between the ABAP and message server (sec) instances, so that the WD trusts the ABAP server certificate and can pass incoming and outgoing requests via the Web Dispatcher (message server) to the target and vice versa, based on the filter URLs and trusted certificates.
  • Server: the ABAP instance sec (SAPSSL*.PSE – secure store) certificate
  • Client: the Web Dispatcher (message server) instance sec (SAPSSLC.PSE) certificate
  • The system runs fine except for ICM requests; all ICM requests fail with an SSL connection error.
  • We can identify this scenario by checking the IP: the same IP (local/VM server) appears in both the ICM and Web Dispatcher logs.
  • ICM:

  • WEB DISPATCHER:

  • Solution – once the certificate is renewed, say the ABAP SAPSSL* secure store (SAPSSLS in my scenario), add its root and intermediate certificates to the ASCS SAPSSLC PSE file.
  • This is a one-time activity, since the root and intermediate certificates rarely change for a company.
  • Command -> sapgenpse maintain_pk -a root.cer -p SAPSSLC.pse
  • I have already added the certificates in ASCS SAPSSLC.
  • Web Dispatcher and ICM requests work fine.

Thanks for Visiting !

Please do connect and follow my Linked In Profile - https://www.linkedin.com/in/ajaytr66/

AJAY TR - ATR - SAP BASIS ADMINISTRATOR