Configure HTTPS to connect to SAP

Create an OpenSSL certificate

• •Download and install OpenSSL on the Secure Agent machine.
• • Based on the operating system of the machine that hosts the Secure Agent and the SAP system, download the latest available patch of the SAPGENPSE Cryptography tool from the SAP Service Marketplace.
Typically, the SAPGENPSE files are extracted to the nt-x86_64 directory.
• •Configure the following SAP parameters: icm/server_port, ssl/ssl_lib, sec/libsapsecu, ssf/ssfapi_lib, ssf/name, icm/HTTPS/verify_client, ssl/client_pse, and wdisp/ssl_encrypt. For more information, see the SAP documentation.

1. 1From the command line, set the OPENSSL_CONF variable to the absolute path to the openssl.cfg file.
For example, run the following command: set OPENSSL_CONF= C:\OpenSSL-Win64\bin\openssl.cfg
2. 2Navigate to the <openSSL installation directory>\bin directory.
3. 3To generate a 2048-bit RSA private key, run the following command:
openssl.exe req -new -newkey rsa:2048 -sha1 -keyout <RSAkey File_Name>.key -out <RSAkey File_Name>.csr
4. 4When prompted, enter the following values:
• - Private key password (PEM pass phrase). Enter a phrase that you want to use to encrypt the secret key. Re-enter the password for verification.
Important: Make a note of this PEM password. You need to keep this password handy while creating a self-signed key and PKCS#12 certificate.
• - Two-letter code for country name.
• - State or province name.
• - Locality name.
• - Organization name
• - Organization unit name.
• - Common name (CN). Mandatory.
Important: Enter the fully qualified host name of the machine that hosts the Secure Agent.
• - Email address.
5. 5Optionally, enter the following attributes that you want to pass along with the certificate request:
• - Challenge password.
• - Optional company name.
A RSA private key of 2048-bit size is created. The <RSAkey File_Name>.key and <RSAkey File_Name>.csr files are generated in the current location.
6. 6To generate a self-signed key using the RSA private key, run the following command:
openssl x509 -req -days 11499 -in <RSAkey File_Name>.csr -signkey <RSAkey File_Name>.key –out <Certificate File_Name>.crt
7. 7When prompted, enter the PEM pass phrase for the RSA private key.
The <Certificate File_Name>.crt file is generated in the current location.
8. 8To concatenate the contents of the <Certificate File_Name>.crt file and the <RSAkey File_Name>.key file to a .pem file, perform the following tasks:
1. aOpen the <Certificate File_Name>.crt file and the <RSAkey File_Name>.key files in a Text editor.
2. bCreate a file and save it as <PEM File_Name>.pem.
3. cCopy the contents of the <Certificate File_Name>.crt file and paste it in the .pem file.
4. dCopy the contents of the <RSAKey_Name>.key file and append it to the existing contents of the .pem file.
5. eSave the <PEM file name>.pem file.
9. 9To create a PKCS#12 certificate, run the following command from the command line:
openssl pkcs12 -export -in <PEM File_Name>.pem -out <P12 File_Name>.p12 –name “domain name”
10. 10When prompted, enter the following details:
• - The PEM pass phrase for the .pem file.
• - An export password for the P12 file. Re-enter the password for verification.
Important: Make a note of this export password for the P12 file. You need to keep this password handy while creating a Java keystore file to connect to SAP through HTTPS.
The <P12 File_Name>.p12 file is generated in the specified directory.
11. 11To create a Java keystore file, enter the following command:
keytool -v -importkeystore -srckeystore <P12 File_Name>.p12 -srcstoretype PKCS12 -destkeystore <JKS File_Name>.jks -deststoretype JKS -srcalias "source alias" –destalias "destination alias"
12. 12When prompted, enter the following details:
• - Password for the destination keystore, the JKS file.
Important: Make a note of this password. You need to keep this password handy while creating an SAP Table connection.
• - Password for the source keystore, the P12 file. Enter the Export password for the P12 file.
The <JKS File_Name>.jks file is generated in the specified directory.
While enabling HTTPS in an SAP Table connection, specify the name and location of this keystore file. You also need to specify the destination keystore password as the Keystore Password and the source keystore password as the Private Key Password.

Convert an OpenSSL certificate to PSE format

1. 1From the command line, navigate to the <SAPGENPSE Extraction Directory> directory.
2. 2To generate a PSE file, run the following command:
sapgenpse import_p12 -p <PSE_Directory>\<PSE File_Name>.pse <P12 Certificate_Directory>\<P12 File_Name>.p12
3. 3When prompted, enter the following details:
• - Password for the P12 file. Enter the Export password for the P12 file.
• - Personal identification number (PIN) to protect the PSE file. Re-enter the PIN for verification.
The <PSE File_Name>.pse file is generated in the specified directory.
4. 4To generate the certificate based on the PSE format, run the following command:
sapgenpse export_own_cert -p <PSE File_Directory>\<PSE File_Name>.pse -o <Certificate_Name>.crt
5. 5When prompted, enter the PSE PIN number.
The <Certificate_Name>.crt file is generated in the specified directory. Import this certificate file to the SAP system trust store.

Enable the HTTPS service on the SAP system

Import the certificate to the SAP system trust store

1. 1Log in to SAP and go to the STRUST transaction.
2. 2Select SSL Client (Standard) and specify the password.
In the Import Certificate dialog, you need to select Base64 format as the certificate file format.
3. 3Click the Import icon, and select the <Certificate_Name>.crt file in PSE format.
Note: If a user is on a different SAP network, you might need to add a DNS entry of the agent host on the SAP app server.
4. 4Click Add to Certificate List.
5. 5Restart the ICM.