Technology Blogs by Members
former_member227600

1.    Introduction


I have more than 15 years of experience in SAP Basis and HANA administration. I have worked on multiple implementations, migrations (SAP systems and datacenter) and upgrades. I recently implemented Certificate Life Cycle Management through SLS 3.0 in one of my assignments. I found many good tutorials on ABAP and JAVA system certificate life cycle management but didn't find much information on the SLS command line tool "sapslscli" for HANA DB and WD, so I decided to write this blog post on sapslscli usage.

In this blog post I will explain how to renew the SSL certificates of non-ABAP and non-JAVA systems, such as SAP Web Dispatcher and HANA DB, through the SLS 3.0 command line tool.

2.    Prerequisites and preparation


 

Secure Login Server should be set up and configured as per the steps given in the SPS SLS 3.0 implementation guide.

https://help.sap.com/viewer/df185fd53bb645b1bd99284ee4e4a750/3.0/en-US/d4b3c7660a9940e1be2b82d680361...

You can also find good information on SLS 3.0 configuration for ABAP/JAVA in the blog post below.

https://blogs.sap.com/2020/11/13/sap-secure-login-server-your-own-ca-on-hand-.../

 

3.    Certificate Lifecycle Configuration Steps


 

Check the validity of the existing PSE file using sapgenpse or the HANA integrated WD.


Now enroll the certificates with the SLS server using the command line tool sapslscli. This needs an admin user of the SLS server that has the role SLAC_CERT_ADMIN.

The enroll command syntax is "sapslscli enroll -r <ra_pse> -u <username> -x <password> -e <enroll_url>". Note that a password passed with -x on the command line can be exposed through shell history and process listings.


Now renew the certificate using sapslscli with the respective certificate profile. Check the Secure Login Server console to find the respective certificate profile.

The renew command syntax is "sapslscli renew -r <ra_pse> -p <pse> -e <enroll_url>"

 


As we can see, the certificate of SAPSSL.pse has been renewed, and we can now verify the certificate using the sapgenpse tool.


 

We can create a single-line script using the -g (grace period) option, as below:

sapslscli renew -r <ra_pse> -p <pse> -g<N> -e <enroll_url>

 

-g<N>  don't renew if certificate is still <N> days valid

We use a background job in SAP ABAP systems and the Job Scheduler in SAP JAVA systems. For non-ABAP, non-JAVA systems we can use LAMA or an OS tool such as cron jobs or the Windows batch scheduler to execute this script on a daily basis.
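A daily wrapper of the kind described above, as an added example that is not part of the original post or of SAP's tooling: it runs the renew syntax shown earlier for each PSE, keeps going after a failure, and refuses to run when the <ra_pse> file is accessible to group or others (an added hardening check, not something the post prescribes). The paths, the enroll URL, the 30-day default and the function names are placeholders or hypothetical, and it assumes sapslscli exits non-zero when a renewal fails.

```shell
#!/bin/sh
# Added example, not from the original post. Paths, URL and the 30-day
# default are placeholders; function names are hypothetical.
SAPSLSCLI="${SAPSLSCLI:-sapslscli}"
RA_PSE="${RA_PSE:-/path/to/ra.pse}"
ENROLL_URL="${ENROLL_URL:-https://sls.example.invalid/enroll}"
GRACE_DAYS="${GRACE_DAYS:-30}"   # passed to sapslscli as -g<N>
FAILED=0                         # PSEs that failed in the last renew_all run

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >&2; }

# True when the file exists and group/others have no read or write access.
pse_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" -prune \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \))" ]
}

# Renew one PSE with the syntax from the post.
# Assumption: sapslscli exits non-zero when a renewal fails.
renew_pse() {
    if [ ! -r "$1" ]; then
        log "ERROR $1: PSE missing or unreadable"
        return 1
    fi
    if out=$("$SAPSLSCLI" renew -r "$RA_PSE" -p "$1" -g"$GRACE_DAYS" \
             -e "$ENROLL_URL" 2>&1); then
        log "OK $1"
    else
        log "ERROR $1: $out"
        return 1
    fi
}

# Renew every PSE given as an argument; one failure does not stop the rest.
renew_all() {
    FAILED=0
    if ! pse_is_private "$RA_PSE"; then
        log "ERROR $RA_PSE: RA PSE missing or accessible to group/others"
        FAILED=$#
        return 1
    fi
    for pse in "$@"; do
        renew_pse "$pse" || FAILED=$((FAILED + 1))
    done
    [ "$FAILED" -eq 0 ]
}

# Scheduler entry point: renew_pses.sh --run /path/to/SAPSSL.pse ...
if [ "${1:-}" = "--run" ]; then shift; renew_all "$@"; exit $?; fi
```

The non-zero exit status and the ERROR lines on stderr give cron, LAMA or a monitoring agent something to alert on before a certificate actually expires.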

 

4.      Conclusion


 

All certificates can now be renewed automatically using the command line tool of the SLS server, which saves manual effort by automating renewal through the SLS certificate life cycle management functionality.

 