Configuring SSL for SAP Host Agent on UNIX
This section describes, by way of example, how to configure SSL for the SAP Host Agent on UNIX.
Prerequisites
You are logged on as a user with root authorization.
Context
In the following procedure we assume that you are using the default naming for the server PSE. If you want to override the default .pse name, you can use the following value in the profile file of SAP Host Agent (host_profile):
ssl/server_pse= <Path to Server PSE>
Procedure
Prepare the Personal Security Environment (PSE) for the server:
The server PSE contains the server certificate that is presented to the client when establishing the SSL connection, and the names and public keys of the trusted certificates. Trusted certificates can be either certificates issued by a Certification Authority (CA) or individually trusted certificates.
Proceed as follows:
Create a directory /usr/sap/hostctrl/exe/sec using the mkdir command.
Note
Alternatively, you can also use another directory, but then you have to specify the location of the PSE file using the parameter ssl/server_pse as described above. In the following steps we always refer to the sec directory for the sake of simplicity.
Assign the ownership for the sec directory to sapadm:sapsys.
Set up the shared library search path (LD_LIBRARY_PATH, LIBPATH or SHLIB_PATH) and SECUDIR environment variables, and change to the exe directory of SAP Host Agent.
Example
On Linux and Solaris, the required commands are as follows:
export LD_LIBRARY_PATH=/usr/sap/hostctrl/exe/
export SECUDIR=/usr/sap/hostctrl/exe/sec
cd /usr/sap/hostctrl/exe
On HP-UX, the required commands are as follows:
export SHLIB_PATH=/usr/sap/hostctrl/exe/
export SECUDIR=/usr/sap/hostctrl/exe/sec
cd /usr/sap/hostctrl/exe
On AIX, the required commands are as follows:
export LIBPATH=/usr/sap/hostctrl/exe
export SECUDIR=/usr/sap/hostctrl/exe/sec
cd /usr/sap/hostctrl/exe
Recommendation
Set up SECUDIR as an absolute path in order to avoid trouble with the sapgenpse tool.
Create the server PSE, the server certificate therein, and the Certificate Signing Request (CSR).
Run the command as user sapadm so that the created files are owned by this user.
Example
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLS.pse -x <password> -r /tmp/myhost-csr.p10 "CN=myhost.wdf.sap.corp, O=SAP AG, C=DE"
This command creates a PSE file named SAPSSLS.pse (the name is fixed), which can be used to authenticate myhost.wdf.sap.corp for incoming SSL connections. Access to the PSE file is protected with a password. Use the -r option to direct the certificate signing request to a file, or omit it if you intend to copy and paste the CSR into a web form.
Grant SAP Host Agent access to the server PSE.
Example
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse seclogin -p SAPSSLS.pse -x <password> -O sapadm
Get the certificate as follows:
Send the certificate signing request to an appropriate CA.
Assuming that the CA replies to the request file with a CA-response-file which contains the signed certificate in the PKCS#7 format, you can use this file as an input for importing the signed certificate into the server PSE.
Example
If the format used is PKCS#7, the text file could be named myhost.p7b. We use this file name in the following examples.
Import the signed certificate into the server PSE.
Example
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLS.pse -x <password> -c /tmp/myhost.p7b
Verify the server certificate chain.
Example
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLS.pse -x <password> -v
Restart SAP Host Agent.
Prepare the Personal Security Environment (PSE) for the client:
The client PSE contains the client certificate that is sent to SAP Host Agent when the SSL connection is established, and the names and public keys of the trusted certificates from CA.
The configuration steps are client-specific, which is why we describe them only in general terms. Follow the instructions in the specific client documentation.
Examples for possible clients are the SAP Management Console (SAP MC), the SAP Solution Manager Diagnostics Agent, or the SAP Landscape Virtualization Management (LVM) software (formerly known as Adaptive Computing Controller (ACC)).
Results
Recommendation
If you successfully applied the procedure described above, SAP Host Agent also serves port 1129 for SSL communication.
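The following check for the server PSE directory is an added example, not part of the original SAP procedure. It confirms what the steps above set up: an absolute SECUDIR, ownership by sapadm:sapsys, and the presence of SAPSSLS.pse. The function name, the EXPECT_USER, EXPECT_GROUP and PSE_NAME override variables, and the rule that files must not be accessible to other users are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit the SECUDIR that the procedure above produces.
# Defaults follow the page. EXPECT_USER, EXPECT_GROUP and PSE_NAME are
# override variables invented for this example (e.g. for a scratch directory).
# Usage: check_secudir /usr/sap/hostctrl/exe/sec

check_secudir() {
    dir=$1
    user=${EXPECT_USER:-sapadm}
    group=${EXPECT_GROUP:-sapsys}
    pse=${PSE_NAME:-SAPSSLS.pse}
    rc=0

    # The page recommends an absolute SECUDIR for sapgenpse.
    case $dir in
        /*) ;;
        *) echo "FAIL: SECUDIR '$dir' is not an absolute path"; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }

    # The sec directory must belong to sapadm:sapsys.
    owned=$(find "$dir" -prune -user "$user" -group "$group" 2>/dev/null) || owned=
    [ -n "$owned" ] || { echo "FAIL: $dir is not owned by $user:$group"; rc=1; }

    # The server PSE must exist under its fixed name.
    [ -f "$dir/$pse" ] || { echo "FAIL: $dir/$pse is missing"; rc=1; }

    # Files written by sapgenpse must belong to the service user.
    foreign=$(find "$dir" -type f ! -user "$user" 2>/dev/null) || rc=1
    [ -z "$foreign" ] || { echo "FAIL: not owned by $user: $foreign"; rc=1; }

    # Assumed policy of this example: no access for "other" on any file,
    # and no directory writable by "other".
    loose=$(find "$dir" \( -type f \( -perm -004 -o -perm -002 -o -perm -001 \) \) \
                 -o \( -type d -perm -002 \) 2>/dev/null) || rc=1
    [ -z "$loose" ] || { echo "FAIL: too permissive: $loose"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $dir matches the expected layout"
    return "$rc"
}
```

Run it as root after the import step and before restarting SAP Host Agent; a non-zero return status means at least one FAIL line was printed.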