on 05-29-2015 11:57 AM
Hi guys,
I've upgraded solman to 7.1 SP12 recently and I'm currently configuring Technical operations. At one stage, there's a requirement to configure SSL for ABAP and enable HTTPS in SMICM. I'm following note 510007. I've done the following steps:
1) In t-code STRUSTSSO2, under 'SSL Server Standard', I created a PSE.
2) Under 'Own Certificate', I clicked on 'Create Certificate Request' which gives me a text file having the 'Begin certificate request' and 'End certificate request' details.
From here, I'm supposed to get the request signed from sapmarketplace under Trust Center Services. From here, I don't know how to proceed. Please advise.
regards,
Suraj
Hi,
When you create the PSE, a self-signed certificate is created automatically.
Then double-click on it. Its data will be shown on the "Certificate" tab (second one on right). After that, click on the button "Add to ACL". From now on it can be used for SSL logon tickets.
Regards,
M
Does it have to be signed by SAP CA? For SolMan purposes, I'm guessing you really only need your internal servers and clients to trust the certificate. So, you can either use an internal CA, such as Microsoft Certificate Services (which is handy for pushing trust of the CA to internal IE browsers via group policy), or you can manually add the self-signed certificate to the trust stores of those servers and clients that actually need it.
Thanks all,
Sorry for late reply. I followed Manuel's suggestion and indeed the SSL is now working.
I now have another similar config related to the Technical Operations (Rapid Content Delivery). Please guide me how to do it before I close this discussion. As per the related documentation (Rapid Content Delivery - Technical Operations - SCN Wiki):
In transaction STRUST, you have registered the following certificates for the SSL Client SSL Client (Standard) server:
How do I register the above certificates in SOLMAN?
regards,
Suraj
Hi Suraj,
Glad that I helped.
To add the 3 certificates you need to download the .cer files to your PC.
Then, you go to STRUSTSSO2 and on the tab CERTIFICATE click on button "Import Certificate". After each import, click on "Add to certificate list". Then the certificate will appear on the upper tab.
Regards,
MM
Hi Manuel & Matt,
Thanks again for the info.
I imported the certificates in STRUSTSSO2 and restarted the ICM. Then I tried to test the RFC destination SMPAUDWNLD (SM59) for which I was doing this certificate configuration. However, it is giving the error:
ICM_HTTP_SSL_ERROR.
Below is an extract of the ICM log:
[Thr 16] Thu Jun 4 09:28:19 2015
[Thr 16] IcmNetCheck: network check passed without detecting problems
[Thr 13] HttpExtractArchive: files from archive /usr/sap/S01/DVEBMGS00/exe/ITS.SAR in directory /usr/sap/S01/DVEBMGS00/data/icmandir
[Thr 12] Thu Jun 4 09:28:35 2015
[Thr 12] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
[Thr 12] session uses PSE file "/usr/sap/S01/DVEBMGS00/sec/SAPSSLC.pse"
[Thr 12] SecudeSSL_SessionStart: SSL_connect() failed
[Thr 12] secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"
[Thr 12] >> Begin of Secude-SSL Errorstack >>
[Thr 12] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer
[Thr 12] << End of Secude-SSL Errorstack
[Thr 12] SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"
[Thr 12] No certificate request received from Server
[Thr 12] SSL NI-sock: local=172.16.20.221:35980 peer=125.252.237.34:443
[Thr 12] <<- ERROR: SapSSLSessionStart(sssl_hdl=107004e90)==SSSLERR_SSL_CONNECT
[Thr 12] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00000006} [icxxconn_mt.c 1989]
Is there something specific I need to focus on?
regards,
Suraj
Hello Suraj,
For that particular error, please check the following OSS note noting point #7 and set the parameter as shown below. You will have to restart your system after you have set the parameter.
510007 - Setting up SSL on Application Server ABAP
ssl/client_ciphersuites=208:HIGH:MEDIUM:+e3DES
Kind Regards,
Amerjit
Hello Suraj,
Earlier it was possible to submit the CSR request that you created in STRUST in SAP's Test SSL CA.
And SAP portal would provide a signed response, which you then import back into your PSE.
Followed by downloading the 'root' certificate of SAP Test CA into your STRUST root database.
You then had 30 days until you make a decision to buy the SSL certificate.
However, now I can't see a link to submit the CSR, I can see the link to download 'root' certificate of SAP Test CA though.
You will have to find/purchase an SSL certificate from another CA or SAP CA. You could also try enabling SSL using self signed certificates. Self signed certificates can be generated using openssl, you can find commands if you google them.
Regards,
Siddhesh