SAP Host Agent x509 Authentication

Jan 22, 2018


Introduction

• This document provides a quick overview of how to set up SSL connectivity from SAP LVM to the SAP Host Agent

• The SAP Host Agent is installed on every system hosting an SAP instance and must be connected to LVM to make use of its functionality

• This document describes how the SSL setup can be achieved in a UNIX environment, but it can be easily adapted for the Windows platform

• The document is aimed at system administrators familiar with the SAP Host Agent who wish to connect SAP LVM to the Host Agent without the need for user/password authentication

Diagrammatic Overview

[Diagram: certificate chain between the LVM server (lvm01.com, HTTP client) and the host agent (HTTP server), with steps #1 to #5 marked; the diagram also carries the label "Server A"]

• LVM server: the "LVMView" keystore view holds the certificate CN=lvm01.com (signed by CA), obtained by sending a CSR to the 3rd Party Certificate Authority, together with the CA certificate and ICA certificate (added to keystore view)

• Host agent: PSE /usr/sap/hostctrl/exe/sec/SAPSSLS.pse, with the CA certificate and ICA certificate added to the PSE

• host_profile /usr/sap/hostctrl/exe/host_profile: service/sso_admin_user_0 = CN=lvm01.com, OU=*, C=GB

• Port 1128 (HTTP): HTTP with BASIC (username/password)

• Port 1129 (HTTPS): HTTPS with X.509 (client certificate), validated against the CA & ICA in the PSE


• Generate a Certificate Signing Request (CSR) from the “LVMView” key store view in NetWeaver Administrator

• The CN should be the server name (in lowercase; same as an SSL certificate at this point)

• Upload to your favourite 3rd Party Certificate Signing Authority


• You must get a signed certificate from a 3rd Party CA

• You cannot use a self-signed certificate (since LVM 2.0 sp3 - SAP Note: 1878159)

• The certificate must have “Enhanced Key Usage” with “Client Authentication”


• Download your signed certificate

• Also download the Certificate Authority (CA) and Intermediate Certificate Authority (ICA) certificates

• Upload the certificates into the “LVMView” key store view

• You should have 1 x private key + n x certificates in “LVMView”


• Create a PSE for the SAP host agent (if not existing)

• The PSE can be self-signed; you don’t need a signed certificate here

• Add *only* the CA and ICA certificates to the PSE


• Add the parameter “service/sso_admin_user_0” to the host_profile of the host agent

• Restart the host agent

• Check sapstartsrv.log (in the host agent work directory) for confirmation that it’s listening on port 1129
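
The certificate requirements from the steps above (issued by a CA rather than self-signed, “Enhanced Key Usage” with “Client Authentication”, chaining to the CA and ICA certificates that go into the PSE) can be checked with the openssl command line before anything is uploaded. This is an added example, not part of the original slides; the file names, the throwaway “Demo CA” and the make_demo helper are constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-flight checks on the signed certificate before it is
# uploaded to the "LVMView" key store view. Requires the openssl CLI.
# check_client_cert <cert.pem> <bundle.pem>   (bundle = CA + ICA, PEM)
check_client_cert() {
    cert=$1; bundle=$2
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253) || return 2
    issr=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253) || return 2
    # A self-signed certificate has identical subject and issuer.
    if [ "${subj#subject=}" = "${issr#issuer=}" ]; then
        echo "FAIL: self-signed certificate"; return 1
    fi
    # "Enhanced Key Usage" must be present and list Client Authentication.
    if ! openssl x509 -in "$cert" -noout -text |
            grep -A1 'X509v3 Extended Key Usage' |
            grep -q 'TLS Web Client Authentication'; then
        echo "FAIL: Client Authentication EKU missing"; return 1
    fi
    # It must chain to the CA/ICA certificates that go into the PSE.
    if ! openssl verify -purpose sslclient -CAfile "$bundle" "$cert" \
            >/dev/null 2>&1; then
        echo "FAIL: does not chain to the supplied CA/ICA"; return 1
    fi
    echo "OK: ${subj#subject=}"   # DN to compare with service/sso_admin_user_0
}

# Constructed sample data: a throwaway CA and three test certificates.
make_demo() {
    d=$1
    echo 'extendedKeyUsage=clientAuth' > "$d/eku.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/C=GB/CN=Demo CA' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/C=GB/OU=Demo/CN=lvm01.com' \
        -keyout "$d/lvm.key" -out "$d/lvm.csr" 2>/dev/null
    openssl x509 -req -in "$d/lvm.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/eku.cnf" -out "$d/good.pem" 2>/dev/null
    openssl x509 -req -in "$d/lvm.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/noeku.pem" 2>/dev/null
    openssl x509 -req -in "$d/lvm.csr" -signkey "$d/lvm.key" -days 1 \
        -extfile "$d/eku.cnf" -out "$d/self.pem" 2>/dev/null
}

if [ $# -eq 2 ]; then check_client_cert "$1" "$2"; fi
```

The subject printed on success is the DN that the “service/sso_admin_user_0” value in host_profile has to cover.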


Round Up

• You can now edit the hosts in LVM and choose X.509 as the host agent authentication mechanism

• In the drop-down you should see the private key you uploaded into the “LVMView” key store

• Make sure you *test* the connection


Resources

• SAP Note: 1907566 - “Obtaining the Latest SAP Host Agent Documentation” (see PDF attached to note)

• SAP Note: 1439348 - “Extended security settings for sapstartsrv”

• help.sap.com: Configuring SSL for SAP Host Agent on UNIX

• SCN: http://scn.sap.com/message/16839422
