We have a small requirement for SSL on our AS ABAP: we need secure communication between the backend (ECC) and SAP EP (AS Java).
On the customer side, they have already bought a Public Key from Thawte Inc. (a PKCS#12 file containing the certificate and its key pair), which can be assigned directly in their systems (non-SAP and SAP).
First of all, we need the Public Key (zip file) from our customer, together with its password, so we can deploy it on our SAP system.
Let's start.
- If we check the ABAP side with transaction code STRUST, no SSL is configured yet.
- Download sapgenpse and libcrypto.so from http://service.sap.com for your OS.
- Ask the customer for the Public Key from Thawte, for example xxxsslkey.p12.
How to assign this to our SAP system
- After downloading sapgenpse and libcrypto.so from SMP, copy both files to /usr/sap/SID/DVEBMGS00/sec
- Copy xxxsslkey.p12 to /usr/sap/SID/DVEBMGS00/sec
- Make sure these environment variables are set; if not, set them now:
- #export LIBPATH=/usr/sap/SID/DVEBMGS00/sec
- #export SECUDIR=/usr/sap/SID/DVEBMGS00/sec
In our case we did not generate a PSE beforehand, because the PSE is generated when we run the sapgenpse command.
- In the console, run these commands:
#export SECUDIR=/usr/sap/SID/DVEBMGS00/sec
#./sapgenpse import_p12 -p /usr/sap/SID/DVEBMGS00/sec/SAPSSLC.pse /usr/sap/SID/DVEBMGS00/sec/xxxsslkey.p12
After you execute those commands, you will receive this:
import_p12: MISSING password for PKCS#12 file "/usr/sap/DEV/DVEBMGS00/sec/axisworld.p12"
Please enter PKCS#12 encryption password: *************
PKCS#12/PFX file contains 1 keypair:
Here you have to enter the xxxsslkey.p12 password (ask the customer or the Thawte consultant). After you enter the password, you receive this message:
1. FriendlyName = "<none>"
X.509v3 (type=Both) RSA-2048 (signed with sha1WithRsaEncryption)
Subject="CN=*.domain.co.id, OU=IT, O=Company, L=Jakarta Selatan, SP=DKI Jakarta, C=ID"
Issuer ="CN=Thawte SSL CA, O="Thawte, Inc.", C=US"
Choose a PIN for your new PSE "/usr/sap/SID/DVEBMGS00/sec/SAPSSLC.pse"
Please enter PIN: *************
Please reenter PIN: *************
PIN: you need to enter a PIN here. The PIN is free to choose, you can fill in anything; the best idea is to use the same value as the password.
At this step the PSE has been created (check for SAPSSLC.pse in that directory), but we are not finished yet.
We need to generate cred_v2 so that SSL can run on a particular port (for example 8001, by user root).
Run this command as user root.
It adds the user <sid>adm, which will run SSL on that port.
#./sapgenpse seclogin -p SAPSSLC.pse -x <PIN> -O <sid>adm
After you run this command, you will receive:
running seclogin with USER="root"
creating credentials for secondary user "<sid>adm" ...
Added SSO-credentials for PSE "/usr/sap/SID/DVEBMGS00/sec/SAPSSLC.pse"
"CN="
After it has run successfully, check for the file cred_v2: you must see a file cred_v2 in that directory.
OK, at this point we are almost done.
Back in SAP GUI, restart the SSL service via transaction code SMICM, and make sure you have configured these parameters:
- ssl/server_pse has value /usr/sap/SID/DVEBMGS00/sec/SAPSSLC.pse
- ssf/ssfapi_lib has value /usr/sap/SID/SYS/exe/run/libsapcrypto.o
- sec/libsapsecu has value /usr/sap/SID/SYS/exe/run/libsapcrypto.o
- ssl/ssl_lib has value /usr/sap/SID/SYS/exe/run/libsapcrypto.o
- ssf/name has value SAPSECULIB
If you check in SMICM, you will see a message like this:
Done, enjoy the SSL.
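As an added example (not from the original post), a small POSIX shell script that checks the result of the steps above: that SAPSSLC.pse and cred_v2 exist in SECUDIR, that cred_v2 belongs to <sid>adm and is not readable by anyone else (it carries the PSE PIN, so file permissions are all that protects it), and that the five profile parameters are present. The SECUDIR path, the PSE name and the profile path in the usage comment are assumptions taken from the post.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the post's
# SECUDIR=/usr/sap/SID/DVEBMGS00/sec and PSE name SAPSSLC.pse;
# USER may be the <sid>adm user name or its numeric uid.

# check_sec_dir DIR USER
# Verify that DIR holds the PSE and the cred_v2 written by "sapgenpse seclogin",
# that cred_v2 is owned by USER and that group/others cannot read it.
check_sec_dir() {
  dir=$1; user=$2; rc=0
  [ -f "$dir/SAPSSLC.pse" ] || { echo "missing $dir/SAPSSLC.pse"; rc=1; }
  if [ -f "$dir/cred_v2" ]; then
    # POSIX find accepts a user name or a numeric uid for -user
    [ -n "$(find "$dir/cred_v2" -user "$user")" ] \
      || { echo "cred_v2 is not owned by $user"; rc=1; }
    # columns 5-10 of "ls -l" are the group and other permission bits
    perms=$(ls -ld "$dir/cred_v2" | cut -c5-10)
    [ "$perms" = "------" ] \
      || { echo "cred_v2 is readable by group/others (mode $perms)"; rc=1; }
  else
    echo "missing $dir/cred_v2 (run sapgenpse seclogin first)"; rc=1
  fi
  return $rc
}

# check_profile PROFILE
# Report which of the five instance profile parameters from the post are not
# set in PROFILE; the return value is the number of missing parameters.
check_profile() {
  missing=0
  for p in ssl/server_pse ssf/ssfapi_lib sec/libsapsecu ssl/ssl_lib ssf/name; do
    grep -q "^[[:space:]]*$p[[:space:]]*=" "$1" \
      || { echo "missing profile parameter: $p"; missing=$((missing + 1)); }
  done
  return $missing
}

# Usage (assumed paths), run as <sid>adm after the steps above:
# check_sec_dir /usr/sap/SID/DVEBMGS00/sec sidadm
# check_profile /usr/sap/SID/SYS/profile/SID_DVEBMGS00_hostname
```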