Simple Diagnostics Agent TLS Configuration

The SDA can act as a client and as a server. Mostly it operates as a client; in the setup of the system landscape data router (SLDR) it operates as a server. The documentation below describes the steps to set up TLS and SSO in the SDA keystore.

Expert tasks for the maintenance of the SDA keystore are described in the following notes. Whether these tasks need to be executed depends on your security policy.

Notes for optional operations:

To reuse certificates from a PKCS#12 keystore, follow SAP Note 2633417.

To enable server certificate verification at the TLS handshake, apply SAP Note 2632984.

To allow the use of keystores and certificates protected by custom passwords, follow SAP Note 2651765.

To enable SNC on the SDA for secure communication from the SDA to ABAP, follow SAP Note 2633417.

Prepare the SDA as Client

The SDA as a client can make authenticated requests to servers using a client certificate.
Prerequisite: a signed client certificate in PKCS#7 format. Install the client certificate into the Java keystore by using keytool (shipped with SAPJVM) as follows:

/usr/sap/hostctrl/SMDAgent/default/sapjvm/bin/keytool -importcert -keystore /usr/sap/hostctrl/SMDAgent/default/configuration/agent/#/keystore.ks -storepass simple -alias "host *" -file $FILE

($FILE stands for the client certificate file name)

Prepare the SDA as Server

The SDA can act as an HTTP server. The current use case is the Simple Landscape Data Router (SLDR). For a client to communicate with the SLDR via SSL, an SLDR server certificate is needed. Install the server certificate into the SDA's keystore by using keytool as follows:

/usr/sap/hostctrl/SMDAgent/default/sapjvm/bin/keytool -importcert -keystore /usr/sap/hostctrl/SMDAgent/default/configuration/agent/#/keystore.ks -storepass simple -alias "server *" -file $FILE

($FILE stands for the server certificate file name)

Establish Trust on SDA

The SDA validates the client certificates of communication partners against the root certificate in its trust store. Install the partner's root CA certificate into the SDA's trust store by using keytool as follows:

/usr/sap/hostctrl/SMDAgent/default/sapjvm/bin/keytool -importcert -keystore /usr/sap/hostctrl/SMDAgent/default/configuration/agent/#/truststore.ks -storepass simple -alias "global root 1" -file $FILE

($FILE stands for the file name of the root certificate that issued the partner's certificate)

Configure SLDR

Explain Inbound Configuration

Starting with SDA version 1.16, every port can have its own configured user.

For every inbound channel the following properties are supported:

  • "port" = the number of the TCP/IP port opened for incoming requests. This port is used to configure the data supplier of the managed system.
  • "secure" = true/false, where true stands for HTTPS and false for HTTP. The default value is false.
  • "basic-auth" = true/false, where true stands for authorization via basic authentication and false for certificate-based authentication. The default value is true.
  • "user" = the subject of the client certificate if basic-auth=false (e.g. user=CN=wdflbmd16834.wdf.sap.corp,OU=SE,O=SAP,C=DE). If basic-auth=true, the user can be configured as desired (e.g. user=SLD_DS_USR).
  • "password" = the password specific to the user of that port; it is validated only if basic-auth=true.

If only one inbound port needs to be configured, no unique identifier is necessary. If further inbound ports are needed, they are configured by adding a dot followed by a non-empty sequence of digits to the keyword "port", e.g. "port.1", "port.2", "port.3", etc. The same applies to the "secure", "basic-auth", "user" and "password" properties.

Explain Outbound Configuration

For every outbound channel the following properties are supported. An outbound configuration always needs a unique identifier as suffix:

  • "URL.<ID>" = the URL of the target data supplier endpoint; an http:// URL gives plain HTTP, an https:// URL gives HTTPS (see the examples below).
  • "user.<ID>" = the user name, configured as desired (e.g. user.<ID>=SLD_DS_USR), for basic authentication. If no user is configured, the SDA tries to authenticate using certificates.
  • "password.<ID>" = the password specific to the user of that channel.
  • "primary.<ID>" = true/false, where true marks the system whose return code is forwarded to the data supplier client.

Further outbound channels are added by repeating these properties with another identifier, e.g. "URL.ID2", "user.ID2", "password.ID2", "primary.ID2".
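The inbound and outbound property rules above, as an added example that is not part of the SAP documentation: a Python helper that assembles the JSON request body from channel definitions and flags inbound ports that would accept a basic-auth password over plain HTTP. The Inbound/Outbound classes, build_config and cleartext_credential_ports are this example's own names; the property keys follow the page.

```python
# Added example (not SAP's code): assembles the SLDR "SecureProperties" request
# body from channel definitions, applying the suffix rules described above.
from dataclasses import dataclass

@dataclass
class Inbound:
    port: int
    secure: bool = False      # True = HTTPS listener, False = HTTP
    basic_auth: bool = True   # False = client-certificate authentication
    user: str = ""            # basic-auth user name, or accepted certificate DN
    password: str = ""        # only used when basic_auth is True

@dataclass
class Outbound:
    id: str                   # mandatory suffix, e.g. "FRN"
    url: str                  # http:// or https:// .../sld/ds endpoint
    user: str = ""            # set for basic auth; empty = certificate auth
    password: str = ""
    primary: bool = False     # its return code goes back to the data supplier

def _prop(value, secret=False):
    text = str(value).lower() if isinstance(value, bool) else str(value)
    return {"value": text, "isSecret": True} if secret else {"value": text}

def build_config(inbound, outbound):
    """First inbound channel has no suffix, further ones get '.1', '.2', ...; outbound channels are keyed by <ID>."""
    if sum(o.primary for o in outbound) > 1:
        raise ValueError("at most one outbound channel can be primary")
    cfg = {"active": _prop(True)}
    for o in outbound:
        cfg[f"URL.{o.id}"] = _prop(o.url)
        if o.user:            # otherwise the SDA authenticates with a certificate
            cfg[f"user.{o.id}"] = _prop(o.user)
            cfg[f"password.{o.id}"] = _prop(o.password, secret=True)
        if o.primary:
            cfg[f"primary.{o.id}"] = _prop(True)
    for n, i in enumerate(inbound):
        sfx = "" if n == 0 else f".{n}"
        if i.basic_auth and not i.password:
            raise ValueError(f"port {i.port}: basic-auth requires a password")
        cfg[f"port{sfx}"] = _prop(i.port)
        cfg[f"secure{sfx}"] = _prop(i.secure)
        cfg[f"basic-auth{sfx}"] = _prop(i.basic_auth)
        cfg[f"user{sfx}"] = _prop(i.user)
        if i.basic_auth:
            cfg[f"password{sfx}"] = _prop(i.password, secret=True)
    return cfg

def cleartext_credential_ports(inbound):  # basic-auth over HTTP: password crosses the wire in clear
    return [i.port for i in inbound if i.basic_auth and not i.secure]
```

Serialise the returned dict with json.dumps into SLDR.CONFIG and send it with the curl command shown in the "Send the Configuration" section.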

Send the Configuration

To activate and configure the SLDR a proper configuration request needs to be executed against the SDA. This can be achieved manually by sending an HTTP POST request to the SDA with the following URL:

http://<HOST>:1128/lmsl/sda/default/?service=configuration&json-types=SecureProperties&application=t-connector&solution-manager=<SID>

The body of the request has to contain the following JSON formatted configuration:

SLDR configuration with two inbound ports and two outbound ports:

{
    "active":{"value":"true"},
    "URL.ID1":{"value":"http://<REVERSEPROXY-HOST>:<REVERSEPROXY-PORT>/sld/ds"},
    "user.ID1":{"value":"<LMDB-DS-USERNAME>"},
    "password.ID1":{"value":"<LMDB-DS-PASSWORD>","isSecret":true},

    "URL.ID2":{"value":"https://<REVERSEPROXY-HOST>:<REVERSEPROXY-PORT>/sld/ds"},

    "secure":{"value":"false"},
    "basic-auth":{"value":"true"},
    "port":{"value":"<SLDR-inbound-port1>"},
    "user":{"value":"<SLDR-DS-USERNAME>"},
    "password":{"value":"<SLDR-DS-PASSWORD>","isSecret":true},

    "secure.1":{"value":"true"},
    "basic-auth.1":{"value":"false"},
    "port.1":{"value":"<SLDR-inbound-port2>"},
    "user.1":{"value":"<accepted-certificate-DN>"}
}

Notes on this example: URL.ID2 carries no user and password, so the SDA authenticates at that destination with a certificate, provided a certificate for the given URL is stored in the keystore. The properties port, user and password define the first inbound channel (basic authentication over HTTP); port.1 and user.1 define the second inbound channel (certificate-based authentication over HTTPS, with user.1 holding the accepted client certificate subject). The request body must be plain JSON without comments.

If the configuration is saved in a JSON-formatted file, say SLDR.CONFIG, you can use the following command to apply it to the SLDR:

Configure SLDR request

curl -v --noproxy "*" --user sapadm --request POST --header "Content-Type: application/json" --data-binary @SLDR.CONFIG 'http://<SLDR-HOST>:1128/lmsl/sda/default/?service=configuration&json-types=SecureProperties&application=t-connector&solution-manager=<SRSM-SID>'

As this request is addressed to the SAP Host Agent and all services of it require authentication, the sapadm user and password need to be used.

No restart of the SDA is required.

Addendum

Example Setup Keystore

Prerequisite: a signed certificate in PKCS#7 format exists (e.g. "cert_request_response.txt").

Import server certificate

/usr/sap/hostctrl/SMDAgent/default/sapjvm/bin/keytool -importcert -keystore configuration/agent/#/keystore.ks -storepass simple -alias "server 8091" -file cert_request_response.txt

Import client certificate

/usr/sap/hostctrl/SMDAgent/default/sapjvm/bin/keytool -importcert -keystore configuration/agent/#/keystore.ks -storepass simple -alias "addr frunhostname:44301" -file cert_request_response.txt

Example SLDR Configuration

Do not use the SLDR configuration UI in the agent administration for complex configurations with FRUN FP02.

The example configuration below is for the example use case.

First create the SLDR config file (e.g. SLDR.CONFIG) in JSON format.

Configuration with Outbound HTTP in SLDR.CONFIG file

{
    "active":{"value":"true"},
    "URL.FRN":{"value":"http://frunhostname:50000/sld/ds"},
    "user.FRN":{"value":"FRN_LDDS_FRN"},
    "password.FRN":{"value":"Qwertz@123","isSecret":true},
    "primary.FRN":{"value":"true"},

    "URL.SLD":{"value":"http://sldhostname:50000/sld/ds"},
    "user.SLD":{"value":"SLDDS_USER"},
    "password.SLD":{"value":"Qwertz@123","isSecret":true},

    "port.0":{"value":"8090"},
    "user.0":{"value":"FRN_SLDDS_FRN"},
    "password.0":{"value":"Qwertz@123","isSecret":true},
    "secure.0":{"value":"false"},
    "basic-auth.0":{"value":"true"},

    "port.1":{"value":"8091"},
    "user.1":{"value":"CN=hostname,OU=SE,O=SAP,C=DE"},
    "secure.1":{"value":"true"},
    "basic-auth.1":{"value":"false"},

    "port.2":{"value":"8092"},
    "user.2":{"value":"FRN_SLDDS_FRN"},
    "password.2":{"value":"Qwertz@123","isSecret":true},
    "secure.2":{"value":"true"},
    "basic-auth.2":{"value":"false"}
}


Configuration with Outbound HTTPS in SLDR.CONFIG file

{
    "active":{"value":"true"},
    "URL.FRN":{"value":"https://frunhostname:44301/sld/ds"},

    "port.0":{"value":"8090"},
    "user.0":{"value":"FRN_LDDS_FRN"},
    "password.0":{"value":"Qwertz@123","isSecret":true},
    "secure.0":{"value":"false"},
    "basic-auth.0":{"value":"true"},

    "port.1":{"value":"8091"},
    "user.1":{"value":"CN=hostname,OU=SE,O=SAP,C=DE"},
    "secure.1":{"value":"true"},
    "basic-auth.1":{"value":"false"},

    "port.2":{"value":"8092"},
    "user.2":{"value":"FRN_LDDS_FRN"},
    "password.2":{"value":"Qwertz@123","isSecret":true},
    "secure.2":{"value":"true"},
    "basic-auth.2":{"value":"false"}
}


Send the SLDR configuration as an HTTP POST request to the following URL:

http://sldrhost:1128/lmsl/sda/default/?service=configuration&json-types=SecureProperties&application=t-connector&solution-manager=FRN

curl -v --noproxy "*" --user sapadm --request POST --header "Content-Type: application/json" --data-binary @SLDR.CONFIG 'http://localhost:1128/lmsl/sda/default/?service=configuration&json-types=SecureProperties&application=t-connector&solution-manager=FRN'


You will find the transferred properties at /usr/sap/hostctrl/SMDAgent/default/configuration/t-connector/FRN/custome.properties. For the example with HTTP as outbound configuration, the file has the following content. Passwords are not written there; they are stored encrypted at /usr/sap/hostctrl/SMDAgent/default/configuration/t-connector/FRN/secure.properties.

# written by Diagnostics Agent on
#Thu Dec 07 16:57:46 CET 2017
active=true
URL.FRN=http\://frunhostname\:50000/sld/ds
user.FRN=FRN_LDDS_FRN
URL.SLD=http\://sldhostname\:50000/sld/ds
user.SLD=SLDDS_USER
primary.FRN=true
port.0=8090
user.0=FRN_SLD_SDA
basic-auth.0=true
secure.0=false
port.1=8091
user.1=CN\=hostname,OU\=SE,O\=SAP,C\=DE
basic-auth.1=false
secure.1=true
port.2=8092
user.2=FRN_SLDDS_FRN
basic-auth.2=true
secure.2=true
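An added check, not part of the SAP documentation, for confirming that the properties file the agent wrote matches the configuration that was sent: parse_java_properties and diff_config are this example's own names, and the SENT/WRITTEN sample data is constructed (it contains two deliberate deviations so the check has something to report). Passwords are skipped, since isSecret values go to secure.properties rather than this file.

```python
# Added example (not SAP's code): parses the custom.properties the SDA wrote and
# compares it with the JSON body that was POSTed; isSecret entries are skipped
# because they are stored in secure.properties. All sample data is constructed.
import json
def parse_java_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, backslash escapes,
    key/value split at the first unescaped '=' or ':' (no line continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, val, in_key, i = [], [], True, 0
        while i < len(line):
            ch = line[i]
            if ch == "\\" and i + 1 < len(line):   # escaped char, taken literally
                (key if in_key else val).append(line[i + 1]); i += 2; continue
            if in_key and ch in "=:":              # first unescaped separator
                in_key = False; i += 1; continue
            (key if in_key else val).append(ch); i += 1
        props["".join(key).strip()] = "".join(val).strip()
    return props

def diff_config(sent_json, properties_text):
    """{key: (written, sent)} for every non-secret key whose written value differs
    from what was sent; a key the agent never wrote shows up as 'missing'."""
    written = parse_java_properties(properties_text)
    problems = {}
    for key, entry in json.loads(sent_json).items():
        if entry.get("isSecret"):
            continue
        got = written.get(key, "missing")
        if got != entry["value"]:
            problems[key] = (got, entry["value"])
    return problems

# constructed: the body that was POSTed ...
SENT = json.dumps({"active": {"value": "true"},
    "URL.FRN": {"value": "http://frunhostname:50000/sld/ds"},
    "password.FRN": {"value": "<secret>", "isSecret": True},
    "user.1": {"value": "CN=hostname,OU=SE,O=SAP,C=DE"},
    "basic-auth.2": {"value": "false"}, "secure.2": {"value": "true"}})
# ... and what the agent wrote (Java escaping of ':' and '='; two deviations)
WRITTEN = r"""# written by Diagnostics Agent on
active=true
URL.FRN=http\://frunhostname\:50000/sld/ds
user.1=CN\=hostname,OU\=SE,O\=SAP,C\=DE
basic-auth.2=true
"""
```

diff_config(SENT, WRITTEN) reports basic-auth.2 as written "true" but sent "false", and secure.2 as missing; an empty result means the agent stored exactly what was sent.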