Prerequisites for Using the Use Client Certificate Parameter

To use this function, you must first configure the SDA host agent to use the SHA PSE infrastructure as the certificate infrastructure (see SAP Note 2778709 – Use SAP Host Agent PSE infrastructure on SDA).

In addition, you must set a valid client PSE. If you don't set a client PSE, the Health Monitoring app uses the server PSE for client communication.

You set a client PSE as follows:

  1. Log on to the host agent and open the command line.
  2. Enter the working directory:
    /usr/sap/hostctrl/exe
    Enter the necessary environment variables:
    LD_LIBRARY_PATH=/usr/sap/hostctrl/exe
    SECUDIR=/usr/sap/hostctrl/exe/sec
    Note: Execute all commands as root in sapadm context by using sudo -u sapadm ./sapgenpse...
  3. Import the CA-generated p7b certificate:
    ./sapgenpse import_own_cert -p SAPSSLC.pse -x <password> -c <response.p7b>
  4. Allow sapadm to access SAPSSLC.pse:
    ./sapgenpse seclogin -p SAPSSLC.pse -x <password> -O sapadm
  5. Finally, check the result by displaying the content of SAPSSLC.pse