Security is becoming important to the whole SAP stack, and this of course also applies to SAP Landscape Management. Within SAP Landscape Management you have several security functions, from fine-granular access to the system and encryption of the connections between SAP Landscape Management and its managed hosts, to the use of certificates instead of providing a user and password.
Certificates and Encrypted Connections
Depending on your SLAs or your security policies, there is a need to at least encrypt the connection from SAP Landscape Management to every managed host. This can be achieved by switching from HTTP to HTTPS.
By default, SAP Host Agent accepts requests on port 1128, which is HTTP. To enable the host agent to accept HTTPS requests, we have to provide a server certificate for every host. Depending on the customer's security policy, the SSL certificate can be self-signed or signed by a certification authority. Self-signed certificates enable an encrypted connection and are easy to maintain, but the certificate cannot be verified by SAP Landscape Management, and replacing it requires greater effort when it is compromised.
Signed certificates are harder to maintain at the beginning, simply because they need to be requested, but are easier to handle when compromised, as the Certification Authority (CA) can simply revoke the certificate. Keep in mind that signed certificates need to be renewed; depending on your CA, this has to be done every two to three years.
Recommendation: create signed certificates in waves, for example by SAP Landscape Management pool, to avoid having to renew all certificates at the same time.
SAP Landscape Management uses the host agent to connect to every managed host. For this type of connection you can choose between three options. The first two are combinations of user and password. The difference is that default credentials means you use the same password for all sapadm users on all hosts; this is often the case if sapadm is a domain user and not a local user. Dedicated credentials for each host must be used if the local sapadm users have unique passwords configured and do not share the same password. While discovering a new system you can only provide one combination of host agent credentials, so in this case it is recommended to discover every single host first and then use the discovery option Detect on Managed Hosts to get all SAP instances. This helps to avoid error messages during the discovery process.
When an SSL certificate is provided in SAP Host Agent, you can switch from port 1128 (default) to port 1129. In SAP Landscape Management you find this under Configuration → Hosts. Select a host, change the port, and verify that the connection still works. If you have implemented SSL certificates throughout your landscape and want to switch all hosts at once, use Mass Configuration.
The third option is using a client certificate instead of any user and password combination. To enable this option it is not sufficient to create a certificate on each managed host; you also need to import your root CAs into SAP Landscape Management. SAP Landscape Management can then verify the host agent certificates, and the host agent can verify the certificate of SAP Landscape Management. This means that on both sides you need a client as well as a server certificate to enable the two-way verification.
The certificate resides in the executable directory of SAP Host Agent. Usually the directory needs to be created and granted the correct authorization so that it can be handled by the SAP Host Agent user sapadm.
Use the following command to create the PSE file. It also creates a certificate signing request (CSR) file (*.csr; in the example it is written to /tmp/sid-c4h-hdb-csr.p10). Send the CSR file to your certification authority to get a signed certificate back, then import it into your PSE:
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLS.pse -x lama4HANA -r /tmp/sid-c4h-hdb-csr.p10 "CN=sid-c4h-hdb.dummy.nodomain, O=SAP AG, C=DE"
If you do not need a signed certificate, create a PSE with an unsigned (self-signed) certificate instead:
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLS.pse -x lama4HANA -noreq "CN=sid-c4h-hdb.dummy.nodomain, O=SAP AG, C=DE"
Grant SAP Host Agent access to the PSE file with the following command:
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse seclogin -p SAPSSLS.pse -x lama4HANA -O sapadm
It can be necessary to import more than one CA certificate. In this example we import the signed certificate together with an intermediate and a root CA certificate. If only one root CA is used, import only that one:
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLS.pse -x lama4HANA -c /tmp/sid-c4h-hdb.cer -r /tmp/rootCA1.cer -r /tmp/rootCA2.cer
You can verify your certificate by using the following command:
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLS.pse -x lama4HANA -v
The figure shows an example of a self-signed certificate.
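The host agent side is now done. As an added example that is not part of the original text, the following script checks the HTTPS endpoint of a managed host from the SAP Landscape Management side: it confirms that port 1129 answers TLS, that the presented chain validates against the root CA you imported, and what subject and issuer the host agent presents. It assumes openssl is installed on the SAP Landscape Management host; the host name and CA file path are placeholders.

```shell
#!/bin/sh
# Added example, not part of the SAP text. Checks a managed host's SAP Host
# Agent HTTPS port (1129 once a PSE is in place) from the SAP Landscape
# Management host. Assumes openssl is on PATH; host name and CA path are
# placeholders.

# Connect to host:port, validate the chain against the given CA file and
# print openssl's verify line. Succeeds only when the chain validated.
hostagent_tls_verify() {
    host=$1; port=$2; cafile=$3
    # Empty stdin so s_client closes the session right after the handshake.
    out=$(printf '' | openssl s_client -connect "$host:$port" \
            -servername "$host" -CAfile "$cafile" 2>&1) || return 1
    printf '%s\n' "$out" | grep 'Verify return code'
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Show subject, issuer and validity of the certificate the host agent
# presents, to compare with the DN used in gen_pse and the signing CA.
hostagent_cert_identity() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
      | openssl x509 -noout -subject -issuer -dates
}

# Example run against a hypothetical managed host:
# hostagent_tls_verify sid-c4h-hdb.dummy.nodomain 1129 /tmp/ssl/rootCA.cer
# hostagent_cert_identity sid-c4h-hdb.dummy.nodomain 1129
```

A self-signed host agent certificate will show a non-zero verify return code here even though the connection is encrypted, which is exactly the difference the text describes between encryption and verification.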
Comparisons Between Signed and Self-Signed Certificate
At this point SAP Landscape Management can already connect to the managed host via HTTPS. We now proceed to enable the verification of certificates on both sides, in SAP Landscape Management as well as on the managed host. As SAP Landscape Management has no root CA certificates yet, the managed host certificate cannot be verified yet.
Use the following command to list the server's certificate list of the PSE:
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse maintain_pk -p SAPSSLS.pse -l -x lama4HANA
Even though the host agent has a signed certificate, we still have to do more if we want SAP Landscape Management to verify each host agent certificate and vice versa.
Check whether the server's certificate list already includes your CA certificate. If the output looks like the picture above, the list is empty and you have to proceed by adding your root CA certificate.
To add a root CA to the server's certificate list, use the following command:
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse maintain_pk -p SAPSSLS.pse -a /tmp/ssl/rootCA.cer -x lama4HANA
After you have added your root CAs, the output looks similar to the figure and your CA certificate is shown there. With this configuration the setup on the managed host is finished, and we can proceed to import certificates into SAP Landscape Management as well.
In the log file of the host agent you can find the information that SSL was started successfully. If not, check the log file for further details. The log file is located in /usr/sap/hostctrl/work and is called sapstartsrv.log.
We now have encrypted communication. SAP Landscape Management is still not able to verify whether the host agent has a valid certificate, because SAP Landscape Management itself has no root certificates. We will change that with the following task.
We will create a new entry in LVMView to obtain our SSL client certificate. After the certificate is signed and the signing request response is imported into SAP Landscape Management, we can switch from user-based authentication to X.509 certificates.
When creating the signing request you have to provide data such as the algorithm, the key length, and how long the certificate will be valid. You can store the certificate in SAP Landscape Management, but this is usually not necessary until it is signed.
You can finish after step 2, Subject Properties. Enter the data you are required to provide, or keep it as simple as in the picture above; this mainly depends on your signing authority.
After we have created the lama-client entry, first generate a CSR and send it to your signing authority.
Use the file type Base64 PKCS#10. Send the file, or the key text from the file, to get your signed certificate.
After your request has been signed and imported back into SAP Landscape Management, you see the certificate information during the import. Check that the values are still the same and nothing has been truncated. Organizations may have multi-word names, for example SAP Deutschland SE & Co KG, and the signing authority might cut the name after the first word. The exact combination will be used later within the host agent.
After the import, check the certificate and its Key Purpose. As stated before, it must be a client and server certificate at the same time.
To allow client certificate authentication, the parameter service/sso_admin_user_0 has to be set to match the client certificate.
The profile parameter needs to be added to the host agent profile, which is located in /usr/sap/hostctrl/exe and is called host_profile.
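The two checks just described (the CA did not truncate the subject, and the certificate carries both client and server key purposes) can be done on the command line before anything is imported. The following is an added example, not code from the original text or from SAP: it assumes openssl is installed and that you still have the CSR you sent; the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the SAP text: checks to run on the certificate a
# CA returns before importing it into SAP Landscape Management or a host agent
# PSE. Assumes openssl is on PATH; file paths are placeholders.

# Subject DN of the PKCS#10 request that was sent to the CA.
csr_subject() {
    openssl req -in "$1" -noout -subject | sed 's/^subject= *//'
}

# Subject DN of the X.509 certificate the CA returned.
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# Succeeds only if the CA kept the subject exactly as requested, i.e. no
# truncated organization such as "SAP Deutschland SE & Co KG" -> "SAP".
subject_unchanged() {
    req=$(csr_subject "$1")
    crt=$(cert_subject "$2")
    if [ "$req" = "$crt" ]; then
        return 0
    fi
    echo "subject changed by CA:" >&2
    echo "  requested: $req" >&2
    echo "  received:  $crt" >&2
    return 1
}

# Succeeds only if the certificate is usable as client AND server certificate
# (both purposes present in the extendedKeyUsage extension).
has_client_and_server_eku() {
    # The EKU values are printed on the line after the extension name.
    eku=$(openssl x509 -in "$1" -noout -text \
          | awk '/X509v3 Extended Key Usage/ { getline; print }')
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "missing server authentication purpose: '$eku'" >&2; return 1 ;;
    esac
    case "$eku" in
        *"TLS Web Client Authentication"*) return 0 ;;
        *) echo "missing client authentication purpose: '$eku'" >&2; return 1 ;;
    esac
}

# Run both checks; non-zero exit status if either one fails.
check_signed_cert() {
    subject_unchanged "$1" "$2" && has_client_and_server_eku "$2"
}

# Usage with placeholder paths:
# check_signed_cert /tmp/lama-client.csr /tmp/lama-client.cer
```

The same script can be pointed at the signed host agent certificate (the file passed to import_own_cert with -c) and its CSR, since the host agent certificate has to satisfy both conditions as well.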
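As an added example that is not from the original text, this is what such a host_profile entry looks like. It assumes the documented value format for service/sso_admin_user_<n>, a principal prefix p: followed by the subject DN of the client certificate; the DN shown is a placeholder and has to match the imported lama-client certificate exactly, including the full organization name discussed above.

```ini
# host_profile: certificate-based admin access for SAP Landscape Management
# Placeholder DN: replace with the exact subject of the lama-client certificate.
service/sso_admin_user_0 = p:CN=lama-client, O=SAP AG, C=DE
```

Because the host agent matches the presented certificate subject against this string, a subject that the CA shortened will not be accepted even though the certificate itself is valid.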
We now have encrypted communication with verification on both sides. SAP Landscape Management checks whether the host agent presents a valid certificate signed by your CA, and the host agent checks whether SAP Landscape Management presents a valid client certificate signed by your CA before it allows access to the host agent web services as the user sapadm.