Simple Diagnostics Agent TLS Configuration

Starting with Simple Diagnostics Agent (SDA) version 1.35, it is preferred to use the Private Security Environment (PSE) of the SAP Host Agent. For further information, see SAP Note 2778709.


The following describes how to set up the SDA using its own keystore:

The SDA can act as client and as server. Mostly, the SDA operates as a client; in the setup of the System Landscape Data Router (SLDR), the SDA operates as a server. The documentation below describes the steps to set up TLS and SSO in the SDA keystore.

Expert tasks for the maintenance of the SDA keystore are described in the following notes. Whether these tasks need to be executed depends on your security policy.

Notes for optional operations:

  • To reuse certificates from a PKCS#12 keystore, follow SAP Note 2633417
  • To enable server certificate verification at TLS handshake, apply SAP Note 2632984
    • Starting with SAP Focused Run 4.0 FP03, it is possible to enable the verification of server certificates on SDA level during the network administration
  • To allow usage of keystores and certificates protected by custom passwords, follow SAP Note 2651765
  • To enable SNC on SDA for secure communication from SDA to ABAP, follow SAP Note 2607542

Prepare the SDA as Client

The SDA as a client can make authenticated requests to servers using a client certificate.
Prerequisite: a signed client certificate in PKCS#7 format. Install the client certificate into the Java keystore using keytool (shipped with SAPJVM) as follows:

/usr/sap/hostctrl/SMDAgent/default/sapjvm/bin/keytool -importcert -keystore /usr/sap/hostctrl/SMDAgent/default/configuration/agent/#/keystore.ks -storepass simple -alias "host *" -file $FILE

($FILE stands for the client certificate file name)

Prepare the SDA as Server

The SDA can act as an HTTP server. The current use case is the Simple Landscape Data Router (SLDR). For a client to communicate with the SLDR via SSL, an SLDR server certificate is needed. Install the server certificate into the SDA's keystore using keytool as follows:

/usr/sap/hostctrl/SMDAgent/default/sapjvm/bin/keytool -importcert -keystore /usr/sap/hostctrl/SMDAgent/default/configuration/agent/#/keystore.ks -storepass simple -alias "server *" -file $FILE

($FILE stands for the server certificate file name)

Establish Trust on SDA

The SDA validates the client certificates of communication partners against the root certificate in its trust store. Install the CA certificate into the SDA's trust store using keytool as follows:

/usr/sap/hostctrl/SMDAgent/default/sapjvm/bin/keytool -importcert -keystore /usr/sap/hostctrl/SMDAgent/default/configuration/agent/#/truststore.ks -storepass simple -alias "global root 1" -file $FILE

($FILE stands for the CA certificate file name)
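The three keytool imports above only put certificates into the two stores. As an added example (not part of this page or of SAP's tooling), the following Python script parses `keytool -list -v` output from those stores and reports missing aliases and expired or soon-expiring certificates, which is the check an operator wants after the imports and before the next renewal. It uses the paths, aliases and store password from this page; the sample listing is constructed, and keytool is assumed to print its timestamps in UTC.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Paths, store password and aliases exactly as used on this page ("#" is a literal directory name).
KEYTOOL = "/usr/sap/hostctrl/SMDAgent/default/sapjvm/bin/keytool"
AGENT_CFG = "/usr/sap/hostctrl/SMDAgent/default/configuration/agent/#"
EXPECTED = {f"{AGENT_CFG}/keystore.ks": {"host *", "server *"},
            f"{AGENT_CFG}/truststore.ks": {"global root 1"}}
ALIAS_RE = re.compile(r"^Alias name: (.+)$", re.M)
UNTIL_RE = re.compile(r"until: \w{3} (\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")

# Constructed sample of `keytool -list -v` output (not captured from a real SDA) for offline use.
SAMPLE_LISTING = """Alias name: host *
Valid from: Fri Jan 05 10:00:00 UTC 2024 until: Sat Jan 04 10:00:00 UTC 2025

*******************************************
*******************************************

Alias name: server *
Valid from: Fri Jan 05 10:00:00 UTC 2024 until: Mon Jan 05 10:00:00 UTC 2026
"""

def parse_listing(text):
    """Map each alias in a keytool listing to its 'until' expiry (keytool's time zone assumed UTC)."""
    entries = {}
    for block in re.split(r"\*{5,}", text):
        alias, until = ALIAS_RE.search(block), UNTIL_RE.search(block)
        if alias and until:
            stamp = datetime.strptime(f"{until.group(1)} {until.group(2)}", "%b %d %H:%M:%S %Y")
            entries[alias.group(1).strip()] = stamp.replace(tzinfo=timezone.utc)
    return entries

def check_store(listing, expected, now, warn_days=30):
    """Return problems found: missing expected aliases, expired or soon-expiring certificates."""
    entries = parse_listing(listing)
    problems = [f"missing alias '{a}'" for a in sorted(expected - set(entries))]
    for alias, until in sorted(entries.items()):
        if until <= now:
            problems.append(f"'{alias}' expired on {until:%Y-%m-%d}")
        elif until - now < timedelta(days=warn_days):
            problems.append(f"'{alias}' expires within {warn_days} days ({until:%Y-%m-%d})")
    return problems

def list_store(path, storepass="simple"):
    """Run keytool -list -v against a real store; 'simple' is the store password used on this page."""
    cmd = [KEYTOOL, "-list", "-v", "-keystore", path, "-storepass", storepass]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
```

On an SDA host, call `check_store(list_store(path), aliases, datetime.now(timezone.utc))` for each entry of EXPECTED; an empty list means every expected alias is present and no certificate is within the warning window.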

Configure SLDR

Please check the page for Preparing System Landscape Data Router.