Enterprise Resource Planning Blogs by Members
Gain new perspectives and knowledge about enterprise resource planning in blog posts from community members. Share your own comments and ERP insights today!
cancel
Showing results for 
Search instead for 
Did you mean: 
kundangandhi
Explorer
This blog post is for setting up SSL for Application server S/4HANA for successful connection with SAC (SAP Analytics Cloud).

Background -


When we are connecting SAC (SAP Analytics Cloud) to SAP S/4HANA system with direct live connection, we need to make trusted connection.

Else error can be seen as -


Setting Up SSL



Check CommonCryptoLib version


 

Login into <Applicaion Server Host> as <sid>adm

 
server: <sid>adm > cdexe

server: <sid>adm > pwd

/sapmnt/<SID>/exe/uc/linuxx86_64

server: <sid>adm > sapgenpse -l /sapmnt/<SID>/exe/uc/linuxx86_64/libsapcrypto.s

.

.

.

Using -l parameter to load CommonCryptoLib

   -l "/sapmnt/<SID>/exe/uc/linuxx86_64/libsapcrypto.so"




  Platform:   linux-gcc-4.3-x86-64   (linux-gcc-4.3-x86-64)

  Versions:   SAPGENPSE       8.5.28 (May  8 2019)

              CommonCryptoLib 8.5.28 (May  8 2019) [AES-NI,CLMUL,SSE3,SSSE3]

                Build change list: 238087




  USER="<sid>adm"




  Environment variable $SECUDIR is defined:

  "/usr/sap/<SID>/DVEBMGS00/sec"

 

Update  SAP Crypto library


 

  1. Download latest crypto library from SAP market place:


SAPDownload à Support Packages & Patches à By Category à SAP CRYPTOGRAPHIC SOFTWARE à SAPCRYPTOLIB à COMMONCRYPTOLIB 8 à <Select appropriate OS version> à Download latest SAR file

SAPCRYPTOLIBP_8528-20011697.SAR ---- for Linux X86_64

 

  1. Move SAR file from download basket to application server


Use winscp to move to application server

 

  1. UNCAR SAR file : (login with <SID>adm into application server


SAPCAR -xvf SAPCRYPTOLIBP_8528-20011697.SAR

 

  1. Move uncared all content to Kernel


mv * /sapmnt/<SID>/exe/uc/linuxx86_64


Profile Parameters


 

Login into <Applicaion Server Host> as <sid>adm and remove below profile parameter

 

ssf/name

ssf/ssfapi_lib

sec/libsapsecu

ssl/ssl_lib

 

Define Https parameter 


 

Add below entry into Instance profile

 

icm/server_port_1 = PROT=HTTPS,PORT=52$$,TIMEOUT=30,PROCTIMEOUT=60

 

and restart the application server

 

Generate Certificate


 

  1. Transaction Code - /nstrust and click on edit.




2. Right click on SSL Server Standard and Select Create

 



 

3. Click on OK



4. Update entry as mentioned in the screenshot



 

5. Make sure Algorithm Overview as below -



6. Once you click on OK, you can see entry has been created.



7. Now, Create Certificate Request by clicking on button



 

8. Select algorithm as SHA256



And click on OK

9. Download certificate locally.



10. Save to your local machine.



 

Sign certificate from CA


Get your public key certificates signed by a CA.

 

Here we have used local internal WINDOWS server as certificate authority.

You can refer below blog to setup windows server as CA
(Reference from Virtuallythere “SSL : Part 1 : Building a Microsoft Certificate Authority for your lab”)

https://virtuallythere.blog/2018/04/24/making-things-a-bit-more-secure-part-1/

(Reference from Virtuallythere “SSL : Part 2 : Signing a CSR with your Microsoft Certificate Authority”)

Once you have setup windows server as CA then you can sign your CSR.

 

  1. Copy csr from local machine to windows server.


 

 

2. Open Server Manager --> Tools --> Certificate Authority

 



 

3. You can see pop-up like below -



 

4. Click on Submit new request



 

5. Browse the certificate from Server



 

6. Now you can see certificate in Pending Requests



7. Approve the certificate request (Click on All Tasks --> Issue)



 

8. After that, you can see certificate in the list of Issued certificate.



 

9. Right click and Open



 

10. Click on open > Details > Copy to File



 

11. Click on Next >Select PKCS#7 > Check mark for INCLUDE… > Click on Browse



 

12. Give name and click on SAVE > Verify location and click on Next > Click on Finish > Click on OK

Please note - you are saving file on windows server

 



 

13. Copy response file from Windows server to local machine.


Import Signed Response Certificate


1. Now back to SAP logon.

Double click on SSL server Standard entry



 

2. Click on Import Certificate Response 



 

3.Click on Import > Select the response file and click on Open  



 

4. You can see screen as below and then click on OK.



5. Click on SAVE

 



Finally cross check SSL configurationwith URL

https://<ABAP application Server host>:<https port>/sap/bc/gui/sap/its/webgui?sap-client=<client no....

 

Conclusion


You can make secure connection with SAP Analytics Cloud.
2 Comments
Labels in this area