SSL enabling

Former Member
0 Kudos

Hi Experts,

My client wants to enable HTTPS for ITS. Currently I have configured ITS for HTTP.

I have installed the latest sapcrypto files on the application server.

1. When I execute STRUST, I can't see the "SSL server" node.

(We are on ECC6.0 EHP4, SUSE 2.6.)

2. I tried to generate the certificate with sapgenpse gen_pse -p <filename>

It asked for a PIN and an owner name (Distinguished name of PSE owner).

I am not sure what to provide here.

I am referring to and performing the steps mentioned in SAP Note 510007. Please advise me. Am I doing it correctly?

Please tell me if I have to make any additional settings, or am I missing something?

Regards,

Srihari

Edited by: Srihari Rao on Jan 12, 2012 5:20 PM

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Srihari Rao,

The easiest way is to use STRUST (and not sapgenpse) to generate the SSL server certificate.

(right click on SSL Server Standard node --> Create, choose RSA).

Then you can generate the CSR to get the signature from a CA.

Regards,

Olivier

0 Kudos

Hi Olivier,

Thanks for your reply. In STRUST I am not able to see the SSL server node. Please see my initial query.

I can only see the following:

System PSE

File

SSF e-Learning

Must I execute this in 000 with SAP* or DDIC? Currently, I executed it with my ID in our client xxx, say 100.

One more thing: I have visited service.sap.com/tcs. There they mention that we need to apply for Server SSL certificates.

Please let me know if we have to apply for it first. Even then, how am I going to get the SSL Server node in STRUST?

Thanks in advance for your reply.

Regards,

Srihari

Edited by: Srihari Rao on Jan 13, 2012 1:39 PM

0 Kudos

Hi Srihari Rao,

If you don't see the SSL server node in STRUST, it means that your sapcryptolib is not properly installed.

Check help.sap.com for the correct installation.

You can use STRUST in your current client.

You don't have to sign the certificate. It depends on your server usage and the security policy in your company.

You don't have to use SAP TCS to sign SAP certificates, it is just a possibility.

I suggest that you learn first about the concepts of SSL and SSL certificates before trying to implement them.

Try Wikipedia for example.

Then read help.sap.com. All is explained here.

Regards,

Olivier

0 Kudos

Hi Olivier,

Thanks again for your inputs. I am going through help.sap.com and Wiki. Recently I have installed sapcryptolib Ver555 pl32 on SUSE x86_64.

I have:

1. Copied the sapcrypto.lst, libsapcrypto.so and sapgenpse into usr/sap/SID/SYS/exe/run.

2. Copied the ticket to /usr/sap/SID/DVEBMGSnn/sec

3. Set the parameters (SAP Note 510007)

4. Set SECUDIR in the .profile of sidadm

SAP has not yet been stopped and started for the parameters to take effect. It will be done on the weekend. I presume that once SAP is restarted, I should be able to see the SSL server node.

Must I also update sapseculib?

Meanwhile, please let me know if i have to do any additional settings/configurations?

Regards,

Srihari

0 Kudos

Hi again,

You don't need to restart the full SAP system. Restarting the ICM is enough.

You need these 3 parameters:

ssf/name

ssf/ssfapi_lib

sec/libsapsecu

ssl/ssl_lib

You don't need to update sapseculib as sapcryptolib will be used instead.

Regards,

Olivier
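
An added example (not part of the thread and not SAP code): a shell check for the settings discussed in the two posts above, namely SECUDIR from the installation steps, the profile parameters Olivier lists, and an HTTPS entry in `icm/server_port_<n>`, the standard ICM port parameter, which the thread does not name. The profile contents and paths in `demo` are constructed.

```shell
#!/usr/bin/env bash
# Added example, not SAP code: checks the settings this thread discusses.
# Print the value of the last "param = value" line for parameter $2 in profile $1.
profile_value() {
    awk -v p="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            if (key == p) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); found = v }
        }
        END { print found }' "$1"
}

# Print one line per problem; the return status is the number of problems.
check_ssl_profile() {
    local profile=$1 problems=0 p v
    if [ -z "${SECUDIR:-}" ] || [ ! -d "$SECUDIR" ]; then
        echo "SECUDIR is unset or not a directory"; problems=$((problems + 1))
    fi
    if [ -z "$(profile_value "$profile" ssf/name)" ]; then
        echo "ssf/name is not set"; problems=$((problems + 1))
    fi
    for p in ssf/ssfapi_lib sec/libsapsecu ssl/ssl_lib; do
        v=$(profile_value "$profile" "$p")
        if [ -z "$v" ]; then
            echo "$p is not set"; problems=$((problems + 1))
        elif [ ! -r "$v" ]; then
            echo "$p points to an unreadable file: $v"; problems=$((problems + 1))
        fi
    done
    # icm/server_port_<n> is the ICM port parameter; it is not named in the thread.
    if ! grep -Eq '^[[:space:]]*icm/server_port_[0-9]+[[:space:]]*=.*PROT=HTTPS' "$profile"; then
        echo "no icm/server_port_<n> entry with PROT=HTTPS"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo on a constructed profile: ssl/ssl_lib is missing on disk and no HTTPS port is defined.
demo() {
    local d rc=0; d=$(mktemp -d)
    touch "$d/libsapcrypto.so"
    printf '%s\n' "ssf/name = SAPSECULIB" "ssf/ssfapi_lib = $d/libsapcrypto.so" \
        "sec/libsapsecu = $d/libsapcrypto.so" "ssl/ssl_lib = $d/missing.so" \
        "icm/server_port_0 = PROT=HTTP,PORT=8000" > "$d/profile"
    SECUDIR=$d check_ssl_profile "$d/profile" || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "problems found: $?"
```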

0 Kudos

Hi Olivier,

I have already set these parameters:

ssf/name

ssf/ssfapi_lib

sec/libsapsecu

ssl/ssl_lib

But these require a start-stop, right? (At least SECUDIR requires the restart, because it's maintained in the .profile of sidadm.) That's what I mentioned in my earlier post.

I have restarted the ICM. But when I open the browser

http://xxxx.xx.xx.xx:8000/sap/bc/gui/sap/its/webgui

I get the following on the display: No switch to HTTPS occurred, so it is not secure to send a password.

So I presume that the parameters will take effect only after the start-stop, and I will update this thread about the info/error.

Regards,

Srihari

0 Kudos

Hi,

> I have restarted the ICM. But when I open the browser
>
> http://xxxx.xx.xx.xx:8000/sap/bc/gui/sap/its/webgui
>
> I get the following on the display: No switch to HTTPS occurred, so it is not secure to send a password.
>
> Srihari

Check

https://xxxx.xx.xx.xx:ssl_port/sap/bc/gui/sap/its/webgui

The message with "no switch to HTTPS" is, I think, because the System Logon configuration from SICF is set to:

Actions During Logon

Protocol: "Do not switch"

You can choose "Logon via HTTPS" or "switch to HTTPS".

Regards,

Olivier

0 Kudos

Hi Olivier,

I have enabled the switching. When I reload the configuration from:

SMICM->administration->icsm->configuration->reload, it gives me: Message no. ICM006 (operation failed RC =2 ).

Also, I tried to activate the HTTPS service, and I am getting the same Message no. ICM006 with RC 1.

Please let me know. Meanwhile I will search for the errors I am getting.

Regards,

Srihari

0 Kudos

Hi,

You should try to restart the ICM: Administration --> ICM --> Exit Soft --> Global.

You have to search your error messages, I don't know what your messages are and I don't have time to find out.

You know, I'm paid to do my own job...

Regards,

Olivier

0 Kudos

Hi Olivier,

Thanks for your replies. I know you're paid to do your job :-)

As you were the only expert replying to my query, I did ask.

Anyway, thanks for your inputs. But my problem still persists. I shall raise a message to SAP.

Closing this thread. Will post if my query gets resolved.

Regards,

Srihari

Former Member
0 Kudos

Hi Srihari, I am facing the same issue. Could you please let me know if you get the solution? I will be trying to restart the system meanwhile.

Thanks