Simple Diagnostics Agent TLS Configuration

The SDA can act as client and as server. Mostly, the SDA operates as a client; in the setup of the system landscape data router (SLDR) the SDA operates as a server. The documentation below describes the steps to set up TLS and SSO in the SDA keystore.

Expert tasks for the maintenance of the SDA keystore are described in the following SAP Notes. Whether these tasks need to be executed depends on your security policy.

Notes for optional operations:

To reuse certificates from a PKCS#12 keystore, follow SAP Note 2633417

To enable server certificate verification at the TLS handshake, apply SAP Note 2632984

To allow the use of keystores and certificates protected by custom passwords, follow SAP Note 2651765

To enable SNC on the SDA for secure communication from the SDA to ABAP, follow SAP Note 2633417

Prepare the SDA as Client

The SDA as a client can make authenticated requests to servers using a client certificate.
Prerequisite: a signed client certificate in PKCS#7 format. Install the client certificate into the Java keystore by using keytool (shipped with SAPJVM) as follows:

/usr/sap/hostctrl/SMDAgent/default/sapjvm/bin/keytool -importcert -keystore /usr/sap/hostctrl/SMDAgent/default/configuration/agent/#/keystore.ks -storepass simple -alias "host *" -file $FILE

($FILE stands for the client certificate file name; use straight double quotes around the alias, typographic quotes copied from a rich-text source are passed to keytool as part of the alias)

Prepare the SDA as Server

The SDA can act as an HTTP server. The current use case is the Simple Landscape Data Router (SLDR). For a client to communicate with the SLDR via SSL, an SLDR server certificate is needed. Install the server certificate into the SDA's keystore by using keytool as follows:

/usr/sap/hostctrl/SMDAgent/default/sapjvm/bin/keytool -importcert -keystore /usr/sap/hostctrl/SMDAgent/default/configuration/agent/#/keystore.ks -storepass simple -alias "server *" -file $FILE

($FILE stands for the server certificate file name)

Establish Trust on SDA

The SDA validates the certificates of its communication partners (client certificates, and server certificates once verification per SAP Note 2632984 is enabled) against the root CA certificates in its trust store. Install a CA certificate into the SDA's trust store by using keytool as follows:

/usr/sap/hostctrl/SMDAgent/default/sapjvm/bin/keytool -importcert -keystore /usr/sap/hostctrl/SMDAgent/default/configuration/agent/#/truststore.ks -storepass simple -alias "global root 1" -file $FILE

($FILE stands for the file containing the root CA certificate of the partner's certificate chain)

The store password "simple" used in all commands above is the default shipped with the agent; protecting the keystore and trust store with custom passwords is described in SAP Note 2651765.

Configure SLDR

Inbound Configuration

Starting with SDA version 1.16, every port can have its own configured user.

For every inbound channel the following properties are supported:

  • "port" = a number that opens a TCP/IP port for incoming requests. This is the port the SLD data supplier of the managed system is configured to send to.
  • "secure" = true/false, where true stands for HTTPS and false for HTTP. The default value is false.
  • "basic-auth" = true/false, where true stands for authorization via basic authentication and false for certificate-based authentication. The default value is true.
  • "user" = the subject of the accepted client certificate if basic-auth=false (e.g. user=CN=wdflbmd16834.wdf.sap.corp,OU=SE,O=SAP,C=DE). If basic-auth=true, the user can be chosen as desired (e.g. user=SLD_DS_USR).
  • "password" = the password of the user of that port; it is validated only if basic-auth=true.

If only one inbound port is configured, no unique identifier is necessary. If further inbound ports are needed, they are configured by adding a dot followed by a non-empty sequence of digits to the keyword "port", e.g. "port.1", "port.2", "port.3", etc. The same suffix applies to the "secure", "basic-auth", "user" and "password" properties of that port (the examples in the Addendum number all ports, starting from "port.0").

Outbound Configuration

For every outbound channel the following properties are supported. An outbound configuration always needs a unique identifier <ID> as suffix:

  • "URL.<ID>" = the URL of the destination SLD data supplier endpoint, e.g. http://<host>:<port>/sld/ds. The URL scheme decides the protocol: https:// for HTTPS, http:// for HTTP.
  • "user.<ID>" = the user name for basic authentication at the destination (e.g. user.<ID>=SLD_DS_USR). If no user is configured, the SDA tries to authenticate with the client certificate from its keystore.
  • "password.<ID>" = the password of that user.
  • "primary.<ID>" = true/false, where true identifies the destination whose return code is forwarded to the data supplier client.

Further outbound destinations are configured by using another identifier, e.g. URL.ID1 and URL.ID2; the "user", "password" and "primary" properties of a destination carry the same suffix as its URL.


Send the Configuration

To activate and configure the SLDR, a configuration request must be sent to the SDA. This can be done manually by sending an HTTP POST request to the SDA at the following URL:

http://<HOST>:1128/lmsl/sda/default/?service=configuration&json-types=SecureProperties&application=t-connector&solution-manager=<SID>

The body of the request has to contain the following JSON formatted configuration:

SLDR configuration with 2 inbound ports and two outbound ports:

{
    "active":{"value":"true"},
    "URL.ID1":{"value":"http://<REVERSEPROXY-HOST>:<REVERSEPROXY-PORT>/sld/ds"},
    "user.ID1":{"value":"<LMDB-DS-USERNAME>"},
    "password.ID1":{"value":"<LMDB-DS-PASSWORD>","isSecret":true},
    "URL.ID2":{"value":"https://<REVERSEPROXY-HOST>:<REVERSEPROXY-PORT>/sld/ds"},
    "secure":{"value":"false"},
    "basic-auth":{"value":"true"},
    "port":{"value":"<SLDR-inbound-port1>"},
    "user":{"value":"<SLDR-DS-USERNAME>"},
    "password":{"value":"<SLDR-DS-PASSWORD>","isSecret":true},
    "secure.1":{"value":"true"},
    "basic-auth.1":{"value":"false"},
    "port.1":{"value":"<SLDR-inbound-port2>"},
    "user.1":{"value":"<accepted-certificate-DN>"}
}

Outbound destination ID1 is reached via HTTP with basic authentication; the password is marked with "isSecret":true, as every password in these requests is (passwords are stored encrypted in secure.properties, see the Addendum). Outbound destination ID2 is reached via HTTPS without user and password, so the SDA authenticates at that destination with the client certificate stored in its keystore for the given URL. The unsuffixed properties define the first inbound port (HTTP with basic authentication, user name and password); the properties with suffix .1 define the second inbound port (HTTPS with certificate-based authentication, where "user.1" is the subject of the accepted client certificate). The body must be valid JSON: no comments, and a comma after every property except the last.


If the configuration is saved in a JSON file, say SLDR.CONFIG, you can use the following command to apply it to the SLDR:

Configure SLDR request

curl -v --noproxy "*" --user sapadm --request POST --header "Content-Type: application/json" --data-binary @SLDR.CONFIG 'http://<SLDR-HOST>:1128/lmsl/sda/default/?service=configuration&json-types=SecureProperties&application=t-connector&solution-manager=<SRSM-SID>'

As this request is addressed to the SAP Host Agent, and all of its services require authentication, the sapadm user and password must be used (curl prompts for the password when only --user sapadm is given, which keeps it out of the shell history). Note that on port 1128 the sapadm credentials and the passwords contained in the configuration travel over plain HTTP; where the SAP Host Agent is set up for SSL, send the request to its HTTPS port 1129 instead.

No restart of the SDA is required.
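The inbound and outbound property rules, the keystore aliases from the Addendum and the JSON body above can be tied together in a small builder. The following Python script is an added example, not code from this page or from the SDA itself. It takes the property names, the {"value": ...} shape and the agent paths from the page; the consistency rules it enforces (a certificate-authenticated port needs HTTPS, an outbound user and password go together, at most one primary destination) and the alias naming "server <port>" / "addr <host>:<port>" are assumptions derived from the examples on this page, as noted in the comments. It reproduces the Addendum's HTTP example as its sample input.

```python
"""Build and check an SLDR configuration body for the Simple Diagnostics Agent.

Added example, not code from the SAP page or from the SDA. Property names, the
{"value": ...} JSON shape and the paths come from the page; the consistency
rules and the keytool alias scheme are assumptions marked in comments."""
import json
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

SDA_HOME = "/usr/sap/hostctrl/SMDAgent/default"
KEYTOOL = f"{SDA_HOME}/sapjvm/bin/keytool"
KEYSTORE = f"{SDA_HOME}/configuration/agent/#/keystore.ks"
_DN_RE = re.compile(r"^(CN|OU|O|L|ST|C)=", re.IGNORECASE)  # assumption: subject starts with an RDN

@dataclass
class Inbound:          # secure: HTTPS; basic_auth False: client-certificate auth
    port: int
    secure: bool = False
    basic_auth: bool = True
    user: str = ""      # basic-auth user, or the accepted certificate subject
    password: Optional[str] = None

@dataclass
class Outbound:         # user None: authenticate with the keystore client certificate
    id: str
    url: str
    user: Optional[str] = None
    password: Optional[str] = None
    primary: bool = False

def validate(inbounds, outbounds):
    """Return the rule violations found; an empty list means the setup is consistent."""
    problems = []
    for i in inbounds:
        if i.basic_auth:
            if not i.user or not i.password:
                problems.append(f"port {i.port}: basic-auth=true needs user and password")
        else:
            if not i.secure:  # a client certificate is only presented in a TLS handshake
                problems.append(f"port {i.port}: basic-auth=false needs secure=true")
            if not _DN_RE.match(i.user or ""):
                problems.append(f"port {i.port}: user must be the client certificate subject")
            if i.password:
                problems.append(f"port {i.port}: password is ignored with basic-auth=false")
    if len({o.id for o in outbounds}) != len(outbounds):
        problems.append("outbound IDs must be unique")
    if sum(o.primary for o in outbounds) > 1:
        problems.append("at most one outbound destination can be primary")
    for o in outbounds:
        u = urlsplit(o.url)
        if u.scheme not in ("http", "https") or not u.hostname:
            problems.append(f"{o.id}: URL must start with http:// or https://")
        if (o.user is None) != (o.password is None):
            problems.append(f"{o.id}: user and password must be given together")
    return problems

def build_request(inbounds, outbounds, active=True):
    """Build the POST body in the {"name": {"value": ...}} shape the page shows."""
    body = {"active": {"value": "true" if active else "false"}}
    for o in outbounds:
        body[f"URL.{o.id}"] = {"value": o.url}
        if o.user is not None:
            body[f"user.{o.id}"] = {"value": o.user}
            body[f"password.{o.id}"] = {"value": o.password, "isSecret": True}
        if o.primary:
            body[f"primary.{o.id}"] = {"value": "true"}
    for n, i in enumerate(inbounds):  # one port: no suffix; several: .0, .1, ... as in the Addendum
        sfx = "" if len(inbounds) == 1 else f".{n}"
        body[f"port{sfx}"] = {"value": str(i.port)}
        body[f"user{sfx}"] = {"value": i.user}
        if i.basic_auth:
            body[f"password{sfx}"] = {"value": i.password, "isSecret": True}
        body[f"secure{sfx}"] = {"value": "true" if i.secure else "false"}
        body[f"basic-auth{sfx}"] = {"value": "true" if i.basic_auth else "false"}
    return body

def keytool_imports(inbounds, outbounds, cert_file):
    """keytool argv lists for the certificates the TLS parts of the setup need.
    Assumption: aliases follow the page's Addendum ("server <port>" for an HTTPS inbound
    port, "addr <host>:<port>" for an HTTPS destination reached with a client
    certificate); the page shows this naming but does not state it as a rule."""
    base = [KEYTOOL, "-importcert", "-keystore", KEYSTORE, "-storepass", "simple"]
    cmds = [base + ["-alias", f"server {i.port}", "-file", cert_file] for i in inbounds if i.secure]
    for o in outbounds:
        u = urlsplit(o.url)
        if u.scheme == "https" and o.user is None:
            cmds.append(base + ["-alias", f"addr {u.hostname}:{u.port or 443}", "-file", cert_file])
    return cmds

# The page's Addendum example (outbound HTTP); passwords are the page's sample values.
EXAMPLE_INBOUND = [
    Inbound(8090, secure=False, basic_auth=True, user="FRN_SLDDS_FRN", password="Qwertz@123"),
    Inbound(8091, secure=True, basic_auth=False, user="CN=hostname,OU=SE,O=SAP,C=DE"),
    Inbound(8092, secure=True, basic_auth=True, user="FRN_SLDDS_FRN", password="Qwertz@123"),
]
EXAMPLE_OUTBOUND = [
    Outbound("FRN", "http://frunhostname:50000/sld/ds", "FRN_LDDS_FRN", "Qwertz@123", primary=True),
    Outbound("SLD", "http://sldhostname:50000/sld/ds", "SLDDS_USER", "Qwertz@123"),
]

if __name__ == "__main__":  # prints the SLDR.CONFIG body to send with the curl command above
    assert validate(EXAMPLE_INBOUND, EXAMPLE_OUTBOUND) == []
    print(json.dumps(build_request(EXAMPLE_INBOUND, EXAMPLE_OUTBOUND), indent=4))
```

Redirect the script's output to SLDR.CONFIG and send it with the curl command above; keytool_imports() lists the keytool commands the HTTPS parts of the configuration need before the first TLS handshake can succeed.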

 

Addendum

Example Setup Keystore

Prerequisite: a signed certificate in PKCS#7 format exists (e.g. "cert_request_response.txt"). The commands below use keystore paths relative to the agent directory, so run them from /usr/sap/hostctrl/SMDAgent/default.

Import server certificate (alias "server <port>" for the inbound HTTPS port, here 8091)

/usr/sap/hostctrl/SMDAgent/default/sapjvm/bin/keytool -importcert -keystore configuration/agent/#/keystore.ks -storepass simple -alias "server 8091" -file cert_request_response.txt

Import client certificate (alias "addr <host>:<port>" for the outbound HTTPS destination, here https://frunhostname:44301)

/usr/sap/hostctrl/SMDAgent/default/sapjvm/bin/keytool -importcert -keystore configuration/agent/#/keystore.ks -storepass simple -alias "addr frunhostname:44301" -file cert_request_response.txt


Example SLDR Configuration

For complex configurations on FRUN FP02, do not use the SLDR configuration UI in the agent administration; send the JSON configuration as described in this section instead.

The configurations below are for the example use case.

First create the SLDR config file (e.g. SLDR.CONFIG) in JSON format.


{

    "active":{"value":"true"},

    "URL.FRN":{"value":"http://frunhostname:50000/sld/ds"},

    "user.FRN":{"value":"FRN_LDDS_FRN"},

    "password.FRN":{"value":"Qwertz@123","isSecret":true},

    "primary.FRN":{"value":"true"},

 

    "URL.SLD":{"value":"http://sldhostname:50000/sld/ds"},

    "user.SLD":{"value":"SLDDS_USER"},

    "password.SLD":{"value":"Qwertz@123","isSecret":true},

     

    "port.0":{"value":"8090"},

    "user.0":{"value":"FRN_SLDDS_FRN"},

    "password.0":{"value":"Qwertz@123","isSecret":true},

    "secure.0":{"value":"false"},

    "basic-auth.0":{"value":"true"},

 

    "port.1":{"value":"8091"},

    "user.1":{"value":"CN=hostname,OU=SE,O=SAP,C=DE"},

    "secure.1":{"value":"true"},

    "basic-auth.1":{"value":"false"},

 

    "port.2":{"value":"8092"},

    "user.2":{"value":"FRN_SLDDS_FRN"},

    "password.2":{"value":"Qwertz@123","isSecret":true},

    "secure.2":{"value":"true"},

    "basic-auth.2":{"value":"false"}

}

 

Configuration with Outbound HTTPS in SLDR.CONFIG file

Here the only outbound destination, FRN, is reached via HTTPS without user and password, so the SDA authenticates at frunhostname:44301 with the client certificate imported in the keystore example above under the alias "addr frunhostname:44301". The inbound ports are the same as in the HTTP example.

{
    "active":{"value":"true"},
    "URL.FRN":{"value":"https://frunhostname:44301/sld/ds"},
    "port.0":{"value":"8090"},
    "user.0":{"value":"FRN_LDDS_FRN"},
    "password.0":{"value":"Qwertz@123","isSecret":true},
    "secure.0":{"value":"false"},
    "basic-auth.0":{"value":"true"},
    "port.1":{"value":"8091"},
    "user.1":{"value":"CN=hostname,OU=SE,O=SAP,C=DE"},
    "secure.1":{"value":"true"},
    "basic-auth.1":{"value":"false"},
    "port.2":{"value":"8092"},
    "user.2":{"value":"FRN_LDDS_FRN"},
    "password.2":{"value":"Qwertz@123","isSecret":true},
    "secure.2":{"value":"true"},
    "basic-auth.2":{"value":"true"}
}


Send the SLDR configuration as an HTTP POST request to the following URL:

http://sldrhost:1128/lmsl/sda/default/?service=configuration&json-types=SecureProperties&application=t-connector&solution-manager=FRN

curl -v --noproxy "*" --user sapadm --request POST --header "Content-Type: application/json" --data-binary @SLDR.CONFIG 'http://localhost:1128/lmsl/sda/default/?service=configuration&json-types=SecureProperties&application=t-connector&solution-manager=FRN'

(The "@" in front of the file name is required; without it curl sends the literal string "SLDR.CONFIG" as the request body.)

You will find the transferred properties at /usr/sap/hostctrl/SMDAgent/default/configuration/t-connector/FRN/custome.properties. Based on the example with HTTP outbound configuration, the file has the following content. Passwords are not written to this file; they are stored encrypted at /usr/sap/hostctrl/SMDAgent/default/configuration/t-connector/FRN/secure.properties.


# written by Diagnostics Agent on
#Thu Dec 07 16:57:46 CET 2017
active=true
URL.FRN=http\://frunhostname\:50000/sld/ds
user.FRN=FRN_LDDS_FRN
URL.SLD=http\://sldhostname\:50000/sld/ds
user.SLD=SLDDS_USER
primary.FRN=true
port.0=8090
user.0=FRN_SLDDS_FRN
basic-auth.0=true
secure.0=false
port.1=8091
user.1=CN\=hostname,OU\=SE,O\=SAP,C\=DE
basic-auth.1=false
secure.1=true
port.2=8092
user.2=FRN_SLDDS_FRN
basic-auth.2=true
secure.2=true
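A check that can be run against the written properties file, as an added example that is not code from this page or from the SDA: it parses the java.util.Properties escaping shown above (\: and \=), groups the inbound and outbound channels by suffix, and flags the channels that send a basic-authentication password over plain HTTP or that cannot perform certificate authentication because HTTPS is off. The sample content is the page's example file, embedded inline; the audit rules are the editor's and follow the property semantics described in the Inbound and Outbound Configuration sections (defaults secure=false and basic-auth=true). The assumption that outbound IDs are not purely numeric is needed to tell user.<ID> from user.<n>.

```python
"""Read the t-connector properties the SDA writes and audit the TLS posture.

Added example, not code from the SAP page or the SDA. SAMPLE is the page's
example properties file (constructed inline); the audit rules are the
editor's and follow the property semantics described on the page."""
import re

SAMPLE = r"""# written by Diagnostics Agent on
#Thu Dec 07 16:57:46 CET 2017
active=true
URL.FRN=http\://frunhostname\:50000/sld/ds
user.FRN=FRN_LDDS_FRN
URL.SLD=http\://sldhostname\:50000/sld/ds
user.SLD=SLDDS_USER
primary.FRN=true
port.0=8090
user.0=FRN_SLDDS_FRN
basic-auth.0=true
secure.0=false
port.1=8091
user.1=CN\=hostname,OU\=SE,O\=SAP,C\=DE
basic-auth.1=false
secure.1=true
port.2=8092
user.2=FRN_SLDDS_FRN
basic-auth.2=true
secure.2=true
"""

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # \: and \= as written by java.util.Properties

def parse_properties(text):
    """Minimal java.util.Properties reader: comments, key=value, backslash escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        i = 0
        while i < len(line) and line[i] not in "=: \t":   # first unescaped separator
            i += 2 if line[i] == "\\" else 1
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props[_unescape(line[:i])] = _unescape(rest)
    return props

def inbound_channels(props):
    """Group port/user/secure/basic-auth by suffix ('' for the unsuffixed port)."""
    chans = {}
    for key, val in props.items():
        m = re.fullmatch(r"(port|user|password|secure|basic-auth)(\.\d+)?", key)
        if m:
            chans.setdefault(m.group(2) or "", {})[m.group(1)] = val
    return chans

def outbound_channels(props):
    """Group URL/user/password/primary by <ID>; assumes IDs are not purely numeric."""
    chans = {}
    for key, val in props.items():
        m = re.fullmatch(r"(URL|user|password|primary)\.([^.]+)", key)
        if m and not m.group(2).isdigit():
            chans.setdefault(m.group(2), {})[m.group(1)] = val
    return chans

def audit(props):
    """Flag channels whose credentials or client certificates are not protected by TLS."""
    findings = []
    for sfx, c in sorted(inbound_channels(props).items()):
        port = c.get("port", "?")
        secure = c.get("secure", "false") == "true"      # page defaults: secure=false,
        basic = c.get("basic-auth", "true") == "true"    # basic-auth=true
        if basic and not secure:
            findings.append(f"inbound {port}: basic auth over plain HTTP, password sent in cleartext")
        if not basic and not secure:
            findings.append(f"inbound {port}: certificate auth needs secure=true")
        if not basic and "=" not in c.get("user", ""):
            findings.append(f"inbound {port}: basic-auth=false but user is not a certificate subject")
    for oid, c in sorted(outbound_channels(props).items()):
        if c.get("URL", "").startswith("http://") and "user" in c:
            findings.append(f"outbound {oid}: basic auth to {c['URL']} over plain HTTP")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE)):
        print(finding)
```

Run against the page's example the script reports port 8090 and both outbound destinations, which is exactly what the "Outbound HTTPS" variant and an HTTPS inbound port fix; pass the real file's content instead of SAMPLE to check a live agent.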

 

 

Outside Discovery of the SAP Host Agent

The SAP Host Agent (SHA) provides web methods for the configuration of Outside Discovery. By default, Outside Discovery provides the following SLD data suppliers (SLD DS):

  • ComputerSystem (host data)
  • DatabaseOutsideDiscovery (non-HANA database data)
  • SRDiagnosticsAgent (Simple Diagnostics Agent data)
  • MSIISOutsideDisovery (Microsoft Internet Information Server data)
  • BCHostcontroller (SAP Host Agent data)
  • generic registered SLD payload (currently consumed by the ISEM server, CA APM Introscope data)

All of the above SLD payloads are sent via HTTPS if this is configured globally for Outside Discovery.

The parameters for configuring Outside Discovery, including the -sldusessl switch for HTTPS, are listed in the online documentation of the SHA. You can open the online documentation of the SHA by calling saphostctrl without arguments (in Windows notation):

C:\Program Files\SAP\hostctrl\exe>saphostctrl.exe

There you find the method ConfigureOutsideDiscovery:

ConfigureOutsideDiscovery

Configure the Outside Discovery Job which runs periodically
These Options control the Outside Discovery Job.
If frequency is not provided, it will run every 12 hours
If execution options are not provided the default will be used (detect everything and try to register it).

        -enable
        [-frequency <X> Run frequency in minutes]
        [-jobtimeout <X> Wait X seconds for the Outside Discovery Job which was started with the enable option and return the results]

        Outside Discovery Execution Options
        [-sldreg Run SLD registration after Outside Discovery]
        [-computersystem Discover only the Host ComputerSystem]
        [-database Discover only the Database(s) on this host]
        [-smdagent Discover the Solution Manager Diagnostic Instance(s) and Host ComputerSystem]
        [-saphostagent Discover the SAPHostAgent]
        [-msiis Discover only the Microsoft Internet Information Service]
        [-xmlfromconfig Register XML(s) configured with the ConfigureOutsideDiscoveryPath webservice]
        [-verbose Append discovered data to the webservice result as CIMObject]
        [-cleanup Delete the generated sldreg XML input files after the discovery]
        -disable
        -auto detect Outside Discovery settings automatically

        Outside Discovery Destinations:
        -sldhost
        -sldport
        -sldusername
        -sldpassword
        -sldusessl


The example request below is called locally as root using the command-line web service client saphostctrl (Unix notation). Remote calls, authentication as sapadm instead of root, or other web service clients are possible as well.

ldXXXX:/usr/sap/hostctrl/exe # ./saphostctrl -function ConfigureOutsideDiscovery -sldhost ldfrnwebdisp -sldport 8091 -sldusername FRN_LDDS_ABC -sldpassword Secret01# -sldusessl

-sldusessl is a switch and is set without a value. Be aware of copy-and-paste errors with the dashes when copying the command: every option must start with a plain hyphen, separated by a space from the preceding argument. Note also that a password given on the command line is visible in the shell history and in the process list while the command runs.

The prerequisite for Outside Discovery being able to use SSL is that the SHA itself is configured for SSL. Please see the official documentation of the SHA at
 https://help.sap.com/saphelp_nw73ehp1/helpdata/en/6a/ac42c2e742413da050eaecd57f785d/frameset.htm