Configuring SSL for SAP Host Agent on UNIX

https://help.sap.com/viewer/141cbf7f183242b0ad0964a5195b24e7/114/en-US/8d12f7b9244b44219bd14d619d3a2123.html

This section describes, by way of example, how to configure SSL for the SAP Host Agent on UNIX.

Prerequisites
You are logged on as a user with root authorization.

Context
In the following procedure we assume that you are using the default naming for the server PSE. If you want to override the default .pse name, you can use the following value in the profile file of SAP Host Agent (host_profile):

     ssl/server_pse= <Path to Server PSE>

Procedure
Prepare the Personal Security Environment (PSE) for the server:
The server PSE contains the server certificate that is presented to the client when establishing the SSL connection, and the names and public keys of the trusted certificates. Trusted certificates can be either certificates issued by a Certification Authority (CA) or individually trusted certificates.

Proceed as follows:

Create a directory /usr/sap/hostctrl/exe/sec using the mkdir command.

Note
Alternatively, you can also use another directory, but then you have to specify the location of the PSE file using the parameter ssl/server_pse as described above. In the following steps we always refer to the sec directory for the sake of simplicity.

Assign the ownership for the sec directory to sapadm:sapsys.

Set up the shared library search path (LD_LIBRARY_PATH, LIBPATH or SHLIB_PATH) and SECUDIR environment variables, and change to the exe directory of SAP Host Agent.

Example
On Linux and Solaris, the required commands are as follows:

export LD_LIBRARY_PATH=/usr/sap/hostctrl/exe/

export SECUDIR=/usr/sap/hostctrl/exe/sec

cd /usr/sap/hostctrl/exe

On HP-UX, the required commands are as follows:

export SHLIB_PATH=/usr/sap/hostctrl/exe/

export SECUDIR=/usr/sap/hostctrl/exe/sec

cd /usr/sap/hostctrl/exe

On AIX, the required commands are as follows:

export LIBPATH=/usr/sap/hostctrl/exe

export SECUDIR=/usr/sap/hostctrl/exe/sec

cd /usr/sap/hostctrl/exe

Recommendation
Set up SECUDIR as an absolute path in order to avoid trouble with the sapgenpse tool.

Create the server PSE, the server certificate therein, and the Certificate Signing Request (CSR).
Run the command as user sapadm so that the created files are owned by this user.
Example
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLS.pse -x -r /tmp/myhost-csr.p10 "CN=myhost.wdf.sap.corp, O=SAP AG, C=DE"

This command creates a PSE file named SAPSSLS.pse (the name is fixed), which can be used to authenticate myhost.wdf.sap.corp for incoming SSL connections. Access to the PSE file is protected with a password. Use the -r option to direct the certificate signing request to a file, or omit it if you intend to copy and paste the CSR into a web form.

Grant SAP Host Agent access to the server PSE.
Example
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse seclogin -p SAPSSLS.pse -x -O sapadm

Get the certificate as follows:
Send the certificate signing request to an appropriate CA.

Assuming that the CA replies to the request file with a CA-response-file which contains the signed certificate in the PKCS#7 format, you can use this file as an input for importing the signed certificate into the server PSE.

Example
If the format used is PKCS#7, the text file could be named myhost.p7b. We use this file name in the following examples.

Import the signed certificate into the server PSE.
Example
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLS.pse -x -c /tmp/myhost.p7b

Verify the server certificate chain.
Example
sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLS.pse -x -v

Restart SAP Host Agent.
Prepare the Personal Security Environment (PSE) for the client:
The client PSE contains the client certificate that is sent to SAP Host Agent when the SSL connection is established, and the names and public keys of the trusted certificates from the CA.

The configuration steps are client-specific, which is why we describe them only in a generic way. Follow the instructions in the specific client documentation.

Examples for possible clients are the SAP Management Console (SAP MC), the SAP Solution Manager Diagnostics Agent, or the SAP Landscape Virtualization Management (LVM) software (formerly known as Adaptive Computing Controller (ACC)).

Results
Recommendation
If you successfully applied the procedure described above, SAP Host Agent also serves port 1129 for SSL communication.
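
The following script is an added example, not part of the SAP documentation. It audits the result of the server PSE steps above: SECUDIR is an absolute path, the sec directory is owned by sapadm:sapsys, and SAPSSLS.pse and the other files in it are owned by sapadm. The check that the files are not accessible to other users is an extra hardening assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the SAP Host Agent PSE directory after configuration.
# Defaults (sapadm, sapsys, SAPSSLS.pse) come from the page; the
# world-access checks are an extra hardening assumption, not an SAP rule.

# Print "mode owner group" for a path. ls -ld is used because stat(1)
# options differ between Linux, Solaris, HP-UX and AIX.
mode_owner_group() {
    ls -ld "$1" | awk '{print $1, $3, $4}'
}

# audit_secudir DIR [OWNER] [GROUP] [PSE_NAME]
# Prints one FAIL line per finding; returns 0 when clean, 1 otherwise.
audit_secudir() {
    dir=$1 owner=${2:-sapadm} group=${3:-sapsys} pse=${4:-SAPSSLS.pse}
    rc=0
    case $dir in
        /*) ;;
        *) echo "FAIL: SECUDIR '$dir' is not an absolute path"; rc=1 ;;
    esac
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }

    set -- $(mode_owner_group "$dir")
    [ "$2:$3" = "$owner:$group" ] ||
        { echo "FAIL: $dir is owned by $2:$3, expected $owner:$group"; rc=1; }
    case $1 in
        ????????w*) echo "FAIL: $dir is world-writable ($1)"; rc=1 ;;
    esac
    [ -f "$dir/$pse" ] || { echo "FAIL: $dir/$pse is missing"; rc=1; }

    # Every file sapgenpse created should belong to the service user.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        set -- $(mode_owner_group "$f")
        [ "$2" = "$owner" ] ||
            { echo "FAIL: $f is owned by $2, expected $owner"; rc=1; }
        case $1 in
            ???????r*|????????w*)
                echo "FAIL: $f is accessible to other users ($1)"; rc=1 ;;
        esac
    done
    return $rc
}

# Audit the page's default location when called with the argument "run".
if [ "${1:-}" = "run" ]; then
    audit_secudir "${SECUDIR:-/usr/sap/hostctrl/exe/sec}"
fi
```

Called with the argument run, the script audits the directory named by SECUDIR, or /usr/sap/hostctrl/exe/sec if SECUDIR is not set.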

Original article: https://www.cnblogs.com/weikui/p/10339528.html

Time: 2024-11-05 18:47:47
