
SAP Host Agent x509 authentication

See how to set up SSL authentication from SAP Landscape Virtualisation Management to SAP Host Agent


  1. SAP Host Agent x509 Authentication
  2. Introduction
     • This document provides a quick overview of how to set up SSL connectivity from SAP LVM to the SAP Host Agent
     • The SAP Host Agent is installed on every system hosting an SAP instance and must be connected to LVM to make use of its functionality
     • This document describes how the SSL setup can be achieved in a UNIX environment, but it can be easily adapted for the Windows platform
     • The document is aimed at system administrators familiar with the SAP Host Agent who wish to connect SAP LVM to the Host Agent without the need for user/password authentication
  3. Diagrammatic Overview
     [Diagram: certificate chain between the LVM Server (lvm01.com), acting as HTTP client, and Server A running the Hostagent, acting as HTTP server, with steps #1 to #5. Labels recovered from the diagram:]
     • Hostagent PSE: /usr/sap/hostctrl/exe/sec/SAPSSLS.pse
     • Port 1128 (HTTP): HTTP with BASIC (username/password)
     • Port 1129 (HTTPS): HTTPS with X.509 (client certificate)
     • host_profile: /usr/sap/hostctrl/exe/host_profile
     • service/sso_admin_user_0 = CN=lvm01.com, OU=*, C=GB
     • LVMView keystore: CSR sent to the 3rd Party Certificate Authority; CN=lvm01.com (signed by CA) added to keystore view
     • ICA certificate and CA certificate: added to PSE; validate against CA & ICA in PSE
  4. • Generate a Certificate Signing Request (CSR) from the “LVMView” key store view in NetWeaver Administrator
     • The CN should be the server name (in lowercase) (same as an SSL certificate at this point)
     • Upload to your favourite 3rd Party Certificate Signing Authority
  5. • You must get a signed certificate from a 3rd Party CA
     • You cannot use a self-signed certificate (Since LVM 2.0 sp3 - SAP Note: 1878159)
     • The certificate must have “Enhanced Key Usage” with “Client Authentication”
  6. • Download your signed certificate
     • Also download the Certificate Authority (CA) and Intermediate Certificate Authority (ICA) certificates
     • Upload the certificates into the “LVMView” key store view
     • You should have 1 x private key + n x certificates in “LVMView”
  7. • Create a PSE for the SAP host agent (if not existing)
     • The PSE can be self-signed; you don’t need a signed certificate here
     • Add *only* the CA and ICA certificates to the PSE
  8. • Add the parameter “service/sso_admin_user_0” to the host_profile of the host agent
     • Restart the host agent
     • Check sapstartsrv.log (in the host agent work directory) for confirmation that it’s listening on port 1129
  9. Round Up
     • You can now edit the hosts in LVM and choose X.509 as the host agent authentication mechanism
     • In the drop-down you should see the private key you uploaded into the “LVMView” key store
     • Make sure you *test* the connection
  10. Resources
     • SAP Note: 1907566 - “Obtaining the Latest SAP Host Agent Documentation” (see PDF attached to note)
     • SAP Note: 1439348 - “Extended security settings for sapstartsrv”
     • help.sap.com: Configuring SSL for SAP Host Agent on UNIX
     • SCN: http://scn.sap.com/message/16839422
  11. Thank you
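
Once the PSE trusts a third-party CA and ICA, the `service/sso_admin_user_0` pattern from the diagram is what decides which validated client certificate is accepted as the admin user, so it should admit only the LVM certificate. The following is an added example (not from the slides or from SAP) that lints a host_profile for that; the matching rule it models (every RDN in the pattern must be present in the subject, `*` treated as a glob) is an assumption about the host agent's behaviour, and the weak profile is constructed.

```python
import fnmatch
import re

# Line taken from the slides' diagram.
SLIDE_PROFILE = "service/sso_admin_user_0 = CN=lvm01.com, OU=*, C=GB\n"
# Constructed weak variant: a wildcard CN admits any subject the trusted CA issues for C=GB.
WEAK_PROFILE = "service/sso_admin_user_0 = CN=*, OU=*, C=GB\n"

# Assumption: entries are numbered service/sso_admin_user_<N>; the slides show only _0.
ENTRY = re.compile(r"^\s*(service/sso_admin_user_\d+)\s*=\s*(.+?)\s*$", re.M)

def parse_dn(dn):
    """Split 'CN=a, OU=b' into {'CN': 'a', 'OU': 'b'} (no escaped-comma support)."""
    pairs = (part.split("=", 1) for part in dn.split(",") if "=" in part)
    return {k.strip().upper(): v.strip() for k, v in pairs}

def admin_patterns(profile_text):
    """Return [(parameter_name, pattern_dict)] for every sso_admin_user entry."""
    return [(name, parse_dn(dn)) for name, dn in ENTRY.findall(profile_text)]

def subject_matches(pattern, subject_dn):
    """Assumed semantics: each RDN in the pattern must exist in the subject; '*' is a glob."""
    subject = parse_dn(subject_dn)
    return all(k in subject and fnmatch.fnmatchcase(subject[k], v)
               for k, v in pattern.items())

def lint(profile_text, lvm_host):
    """Flag entries that authorise more than the one LVM client certificate."""
    findings = []
    entries = admin_patterns(profile_text)
    if not entries:
        findings.append("no service/sso_admin_user_N entry found")
    for name, pat in entries:
        cn = pat.get("CN", "")
        if not cn or any(ch in cn for ch in "*?["):
            findings.append(f"{name}: CN is missing or wildcarded ({cn!r})")
        elif cn != cn.lower():
            findings.append(f"{name}: CN {cn!r} is not lowercase")
        elif cn != lvm_host:
            findings.append(f"{name}: CN {cn!r} does not equal LVM host {lvm_host!r}")
    return findings

if __name__ == "__main__":
    for label, text in (("slide", SLIDE_PROFILE), ("weak", WEAK_PROFILE)):
        print(label, lint(text, "lvm01.com") or "ok")
```

Run it against the contents of /usr/sap/hostctrl/exe/host_profile with the LVM server's lowercase host name before restarting the host agent.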