With SAP Focused Run 3.0 Feature Pack 02, it is possible to set up certificate-based communication for new customer networks. Migration of existing networks is possible with SAP Focused Run 3.0 Feature Pack 3, and for Feature Pack 2 through SAP Note 3138250.
In Global Settings & Network Configuration, there is now the option to select “HTTPS / Certificate-based Authentication”.
The prerequisite is that the infrastructure has already been prepared for secure communication. This is a customer responsibility: SAP Focused Run does not offer mechanisms to manage or distribute certificates.
Fundamentally, this setup requires sound knowledge of certificate handling and SSL encryption on the customer side.
This documentation introduces the topic based on SAP products, e.g. SAP Web Dispatcher. Other tools can be used as well; their parameterization will differ slightly, but the overall concept stays valid.
To realize certificate-based communication, the SAP NetWeaver ABAP functionality certrule is used. Links to the documentation can be found in the last section, “Links and Help”.
There are three areas that can be considered for certificate-based communication. It is also possible to use certificate-based communication for only some of them.
For a general understanding it may be helpful to roughly outline the communication flow:
Detailed documentation for certrule is provided in the last chapter, “Links and Help”.
The certrule application is started with transaction certrule.
The various applications in SAP Focused Run use their own technical users, which are created automatically during the initial setup of a customer network.
During Simple System Integration of a technical system, these user credentials are transferred to the Simple Diagnostics Agent and used for the data transfer to the SAP Focused Run system.
The certrule application offers the option to map a certificate to one specific user in the ABAP system. Therefore, a central technical user must be set up that combines all the necessary roles of the SAP Focused Run applications.
This is done as part of the customer network creation if the option “HTTPS / Certificate-based Authentication” is selected. By default, a technical user FRN_CRT_<CID> is created. This user can be used directly for the certrule mapping, or as a template for a copy.
The certrule mapping is applied to the client certificate that the Reverse Proxy receives from the client and forwards to the SAP Focused Run system. There are two setup options: rule-based or explicit mapping.
With explicit mapping, a 1-to-1 relationship is established between a certificate and a user. A separate mapping must be set up for each certificate.
With rule-based mapping, a certificate attribute is interpreted as an existing user name in the SAP Focused Run system. A pattern from the Subject or the Subject Alternative Name can be used. This means that, depending on the pattern selected, a user with exactly that name must exist in the SAP Focused Run system, and this user needs all necessary roles assigned.
The password of this user can be deactivated so that it is impossible to log on without a certificate.
In the example below, the certificate attribute “OU=VALFRUN” in the Subject line is used for a rule. A user VALFRUN exists in the SAP Focused Run system, therefore the rule matches:
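The mapping logic described above, as an added example in Python that is not part of SAP Focused Run or of the certrule documentation: it models explicit and rule-based mapping against a table of existing users, shows why a rule only resolves when a user with the extracted name already exists, and shows that a deactivated password still permits certificate logon. All users, rules, certificate subjects and the customer ID VAL are constructed sample data; the Rule fields and the upper-case comparison of user names are simplifying assumptions, not the real certrule data model.

```python
"""Model of certrule-style certificate-to-user mapping (added example).

Illustrative code only, not part of SAP Focused Run or the certrule application.
It models explicit mapping (one certificate subject -> exactly one user) and
rule-based mapping (an attribute of the Subject or Subject Alternative Name is
read as the name of a user that must already exist). All data is constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class User:
    name: str
    password_login: bool = True   # False models a deactivated password


@dataclass
class ClientCert:
    subject: str          # RFC 4514 string, e.g. "CN=host, OU=VALFRUN, O=Org, C=DE"
    issuer: str
    san: tuple = ()       # Subject Alternative Name entries, e.g. ("RFC822NAME=a@b",)


@dataclass
class Rule:
    source: str                 # "SUBJECT" or "SAN" (assumed names, simplified)
    attribute: str              # attribute whose value is read as the user name
    issuer: str = ""            # optional issuer filter; "" accepts any issuer
    pattern: str = r"^(.*)$"    # regex; group 1 becomes the candidate user name


def parse_dn(dn):
    """Split a DN string into (ATTR, value) pairs; '\\,' in a value stays a comma."""
    pairs = []
    for part in re.split(r"(?<!\\),\s*", dn):
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part!r}")
        key, value = part.split("=", 1)
        pairs.append((key.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def normalize_dn(dn):
    """Canonical form used as the lookup key for explicit (1-to-1) mappings."""
    return ",".join(f"{k}={v}" for k, v in parse_dn(dn))


def candidate_names(cert, rule):
    """Return the user-name candidates a rule extracts from a certificate."""
    if rule.issuer and normalize_dn(cert.issuer) != normalize_dn(rule.issuer):
        return []
    if rule.source == "SUBJECT":
        source = parse_dn(cert.subject)
    else:
        source = [tuple(s.split("=", 1)) for s in cert.san if "=" in s]
    names = []
    for key, value in source:
        if key.upper() != rule.attribute.upper():
            continue
        match = re.match(rule.pattern, value)
        if match:
            names.append(match.group(1).upper())  # ABAP user names are upper-case (assumption)
    return names


def map_certificate(cert, users, explicit, rules):
    """Return (user name, reason); explicit mappings win, then rules in order. Never creates users."""
    subject = normalize_dn(cert.subject)
    if subject in explicit:
        name = explicit[subject]
        if name in users:
            return name, "explicit mapping"
        return None, f"explicit mapping targets unknown user {name}"
    for rule in rules:
        for name in candidate_names(cert, rule):
            if name in users:           # a candidate without an existing user is skipped
                return name, f"rule {rule.source}/{rule.attribute}"
    return None, "no explicit mapping and no rule matched an existing user"


def logon_allowed(user, with_certificate):
    """A deactivated password blocks password logon but not certificate logon."""
    return with_certificate or user.password_login


# --- constructed sample data (VAL is a made-up customer ID) ---
USERS = {u.name: u for u in (User("VALFRUN", password_login=False),
                             User("FRN_CRT_VAL", password_login=False))}
EXPLICIT = {normalize_dn("CN=sld01.example.invalid, O=Example Customer, C=DE"): "FRN_CRT_VAL"}
RULES = [Rule("SUBJECT", "OU"), Rule("SAN", "RFC822NAME", pattern=r"^([^@]+)@")]
ISSUER = "CN=Example Customer CA, O=Example Customer, C=DE"
SAMPLE_CERTS = {
    "rule_ou":  ClientCert("CN=sapserver01.example.invalid, OU=VALFRUN, O=Example Customer, C=DE", ISSUER),
    "no_user":  ClientCert("CN=sapserver02.example.invalid, OU=BASIS, O=Example Customer, C=DE", ISSUER),
    "explicit": ClientCert("CN=sld01.example.invalid, O=Example Customer, C=DE", ISSUER),
    "san_mail": ClientCert("CN=agent03.example.invalid, O=Example Customer, C=DE", ISSUER,
                           san=("RFC822NAME=valfrun@example.invalid",)),
}


def demo():
    """Map every sample certificate; returns {label: (user, reason)}."""
    return {label: map_certificate(c, USERS, EXPLICIT, RULES) for label, c in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for label, (user, reason) in demo().items():
        print(f"{label:9s} -> {str(user):12s} ({reason})")
```

The "no_user" certificate carries OU=BASIS, so the Subject/OU rule extracts a name, but no such user exists and the mapping fails; that is the situation to check first when a rule-based setup does not log on.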
To use certificate-based communication including the mapping via certrule, the parameters listed below must be maintained. An SAP Focused Run system that is already prepared to handle HTTPS and SSL is assumed to be parameterized accordingly.
More details are provided in the Webdispatcher documentation (last section, “Links and Help”).
In SAP Focused Run system – DEFAULT profile:
On Webdispatcher (Reverse Proxy) – Instance profile:
The Simple Diagnostics Agent uses the SAP Host Agent PSE files in /usr/sap/hostctrl/exe/sec. The SAP Host Agent must be prepared with a valid SAPSSLC.PSE that is accepted by the Reverse Proxy and meets the certrule mapping in the SAP Focused Run system.
Details on the SSL preparation of the SAP Host Agent can be found in the last chapter, "Links and Help".
SAP EarlyWatch Alert uses an independent data transfer from SAP NetWeaver ABAP systems to SAP Focused Run. For this purpose, an RFC destination is set up in the connected ABAP system back to SAP Focused Run to send the collected data. This RFC destination can be switched to certificate-based communication and assigned to a separate user or to the central user via the certrule mapping mechanism described in chapter “CERTRULE Mapping”. The existing role with the SAP EarlyWatch Alert permissions must be assigned to that user; the centrally created user already has it.
The client certificate used in the managed SAP NetWeaver ABAP system must be accepted by the Reverse Proxy and meet the certrule mapping.
The various SLD data suppliers can be switched to certificate-based communication. Here, too, a client certificate is required that is accepted by the Reverse Proxy and matches the certrule settings (see chapter “CERTRULE Mapping”).
-> SAP Host Agent (outside discovery): activation via the parameters -sldusessl -sldusecertauth
(e.g. saphostctrl -function ConfigureOutsideDiscovery -enable -sldhost <ReverseProxyHost> -sldport <ReverseProxyPort> -sldusessl -sldusecertauth)
-> SAP NetWeaver ABAP: the RFC destination SLD_DS_<custom_description> has to be adapted for certificate-based authentication
-> sldreg: activation via the parameters -sldusessl -sslcertauth
(e.g. sldreg -configure /usr/sap/<SID>/SYS/global/slddest.cfg -usekeyfile -host <Reverse_Proxy_Host> -port <Reverse_Proxy_Port> -sldusessl -sslcertauth -noninteractive)
-> SAP HANA: activation is the same as for sldreg, because with hdblcm it is not possible to set certificate-based authentication
-> SAP NetWeaver Java: in SAP NetWeaver Administrator it is possible to set up the SLD_DataSupplier to use the SAPSSLC.PSE client certificate.
1. Is certrule active?
2. Test the certrule mappings:
3. Are requests arriving and accepted in the SAP Focused Run ICM?
If there is an error in the log, or nothing is visible at all, the certificate chain has to be checked.
4. Webdispatcher Administration UI
For analysis and PSE maintenance on the Webdispatcher (Reverse Proxy), it is recommended to activate the Webdispatcher Administration UI via the parameter icm/HTTP/admin_0.
SAP Note 2807522 - SLDREG configuration for HTTPS
SAP Note 2765539 - Transferring SLD Data From a SAP HANA DB to a SLD Systems Using HTTPS Looks up the Wrong Directory for the .PSE Files
Prepare SAP Host Agent for https
Certrule Mapping Documentation
Webdispatcher SSL Preparation
SAP Note 2052899 - ICM - Multiple Trusted Reverse Proxies