01-12-2012 11:49 AM
Hi Experts,
My client wants to enable HTTPS for ITS. Currently I have configured ITS for HTTP.
I have installed the latest sapcrypto files on the application server.
1. When I execute STRUST, I can't see the "SSL server" node.
(We are on ECC6.0 EHP4, SUSE 2.6.)
2. I tried to generate the certificate with sapgenpse gen_pse -p <filename>
It asked for a PIN and an owner name (Distinguished name of PSE owner).
I am not sure what to provide here.
I am referring to SAP note 510007 and performing the steps as mentioned there. Please advise me. Am I doing it correctly?
Please suggest whether I have to do any additional settings, or am I missing something?
Regards,
Srihari
Edited by: Srihari Rao on Jan 12, 2012 5:20 PM
01-12-2012 5:24 PM
Hi Srihari Rao,
The easiest way is to use STRUST (and not sapgenpse) to generate the SSL server certificate.
(right click on SSL Server Standard node --> Create, choose RSA).
Then you can generate the CSR to get the signature from a CA.
Regards,
Olivier
01-13-2012 8:09 AM
Hi Olivier,
Thanks for your reply. In STRUST I am not able to see the SSL server node. Please see my initial query.
I can only see the following:
System PSE
File
SSF e-Learning
Must I execute this in 000 with SAP* or DDIC? Currently, I executed it with my ID in our client xxx, say, 100.
One more thing: I have visited service.sap.com/tcs. There they mention that we need to apply for Server SSL certificates.
Please let me know if we have to apply for it first. Even then, how am I going to get the SSL Server node in STRUST?
Thanks in advance for your reply.
Regards,
Srihari
Edited by: Srihari Rao on Jan 13, 2012 1:39 PM
01-13-2012 9:24 AM
Hi Srihari Rao,
If you don't see the SSL server node in STRUST, it means that your sapcryptolib is not properly installed.
Check help.sap.com for the correct installation.
You can use STRUST in your current client.
You don't have to sign the certificate. It depends on your server usage and the security policy in your company.
You don't have to use SAP TCS to sign SAP certificates, it is just a possibility.
I suggest that you learn first about the concepts of SSL and SSL certificates before trying to implement them.
Try Wikipedia for example.
Then read help.sap.com. All is explained here.
Regards,
Olivier
01-13-2012 9:35 AM
Hi Olivier,
Thanks again for your inputs. I am going through help.sap.com and Wiki. Recently I have installed sapcryptolib Ver555 pl32 on SUSE x86_64.
I have:
1. Copied the sapcrypto.lst, libsapcrypto.so and sapgenpse into usr/sap/SID/SYS/exe/run.
2. Copied the ticket to /usr/sap/SID/DVEBMGSnn/sec
3. Set the parameters (SAP note: 510007)
4. Set SECUDIR in the .profile of sidadm
SAP has not been stopped and started for the parameters to take effect. It will be done on the weekend. I presume that once SAP is restarted, I should be able to see the SSL server node.
Must I also update sapseculib?
Meanwhile, please let me know if I have to do any additional settings/configurations.
Regards,
Srihari
01-13-2012 12:28 PM
Hi again,
You don't need to restart the full SAP system. Restarting the ICM is enough.
You need these 3 parameters:
ssf/name
ssf/ssfapi_lib
sec/libsapsecu
ssl/ssl_lib
You don't need to update sapseculib as sapcryptolib will be used instead.
Regards,
Olivier
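The prerequisites discussed so far (the four profile parameters, readable library files, and a SECUDIR directory) can be checked offline before restarting anything. The script below is an added example, not part of the original posts and not an SAP tool: the function names are hypothetical, the sample profile is constructed, and values containing profile macros such as `$(...)` are reported rather than resolved.

```shell
#!/bin/sh
# Added example: offline pre-flight check of the SSL-related profile parameters.
REQUIRED_PARAMS="ssf/name ssf/ssfapi_lib sec/libsapsecu ssl/ssl_lib"

# Print the value of parameter $2 in profile file $1 (last assignment wins).
profile_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        { eq = index($0, "="); if (eq == 0) next
          k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) val = v }
        END { print val }' "$1"
}

# Check profile $1 and SECUDIR $2. Sets PROBLEMS; returns 0 only if it is 0.
check_ssl_prereqs() {
    PROBLEMS=0
    for p in $REQUIRED_PARAMS; do
        v=$(profile_value "$1" "$p")
        case $v in
            "")     echo "MISSING  $p"; PROBLEMS=$((PROBLEMS + 1)); continue ;;
            *'$('*) echo "MACRO    $p = $v (resolve by hand)"; continue ;;
        esac
        # ssf/name is a product name; the other three are library paths.
        if [ "$p" != "ssf/name" ] && [ ! -r "$v" ]; then
            echo "BADPATH  $p = $v"; PROBLEMS=$((PROBLEMS + 1))
        else
            echo "OK       $p = $v"
        fi
    done
    if [ ! -d "$2" ]; then
        echo "BADDIR   SECUDIR '$2'"; PROBLEMS=$((PROBLEMS + 1))
    fi
    [ "$PROBLEMS" -eq 0 ]
}

# Constructed sample: a throwaway directory standing in for a real instance.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/sec"; : > "$demo_dir/libsapcrypto.so"
cat > "$demo_dir/SAMPLE.pfl" <<EOF
# constructed profile fragment, not from a real system
ssf/name = SAPSECULIB
ssf/ssfapi_lib = $demo_dir/libsapcrypto.so
sec/libsapsecu = $demo_dir/libsapsecu.so
EOF
check_ssl_prereqs "$demo_dir/SAMPLE.pfl" "$demo_dir/sec" || echo "problems: $PROBLEMS"
```

On a real host, pass the instance profile and the value of SECUDIR as seen by the sidadm user; the check only reads files and does not contact the ICM.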
01-13-2012 12:51 PM
Hi Olivier,
I have already set these parameters:
ssf/name
ssf/ssfapi_lib
sec/libsapsecu
ssl/ssl_lib
But these require a start-stop, right? (At least SECUDIR requires the restart, because it's maintained in the .profile of sidadm.) That's what I mentioned in my earlier post.
I have restarted the ICM. But when I open the browser
http://xxxx.xx.xx.xx:8000/sap/bc/gui/sap/its/webgui
I get the following on the display: No switch to HTTPS occurred, so it is not secure to send a password.
So I presume that the parameters will take effect only after the start-stop, and I will update this thread with the info/error.
Regards,
Srihari
01-13-2012 4:49 PM
Hi,
>
> I have restarted the ICM. But when I open the browser
>
> http://xxxx.xx.xx.xx:8000/sap/bc/gui/sap/its/webgui
>
> I get the following on the display: No switch to HTTPS occurred, so it is not secure to send a password.
> Srihari
Check
https://xxxx.xx.xx.xx:ssl_port/sap/bc/gui/sap/its/webgui
The message with "no switch to HTTPS" is, I think, because the System Logon configuration from SICF is set to:
Actions During Logon
Protocol: "Do not switch"
You can choose "Logon via HTTPS" or "switch to HTTPS".
Regards,
Olivier
01-16-2012 10:03 AM
Hi Olivier,
I have enabled the switching. When I reload the configuration from:
SMICM->administration->icsm->configuration->reload, it gives me: Message no. ICM006 (operation failed RC =2 ).
Also, I tried to activate the HTTPS service, and I am getting the same Message no. ICM006 with RC 1.
Please let me know. Meanwhile I will search for the errors I am getting.
Regards,
Srihari
01-16-2012 5:23 PM
Hi,
You should try to restart the ICM: Administration --> ICM --> Exit Soft --> Global.
You have to search your error messages, I don't know what your messages are and I don't have time to find out.
You know, I'm paid to do my own job...
Regards,
Olivier
01-25-2012 2:16 PM
Hi Olivier,
Thanks for your replies. I know you're paid to do your job ..:-)
As you were the only expert replying to my query, I did ask.
Anyway, thanks for your inputs. But my problem still persists. I shall raise a message to SAP.
Closing this thread. Will post if my query gets resolved.
Regards,
Srihari
05-25-2016 9:38 PM
Hi Srihari, I am facing the same issue. Could you please let me know if you got the solution? I will try restarting the system meanwhile.
Thanks