SAPControl security settings
In the system creation wizard, an SAPControl connection can be made using different variants for HTTP and HTTPS. These are detailed below.
HTTP
HTTP is the default variant and requires no additional settings. To authenticate on SAPControl, an OS username and password must be specified, preferably the <sid>adm user. For some system types, the connection can be setup without an OS username and password, using the button 'Without user'. In this case, the connection is setup without authentication. Note the following:
The specified OS username and password is sent accross unencrypted from the Protect4S system to the satellite system. Using HTTPS is recommened.
Without a username/password, the SAPControl connection is only used for the instance information of the system. The webmethod 'GetSystemInstanceList' must be allowed to use without authentication. Some checks will not be executed without username/password.
HTTPS
It is recommended to use HTTPS for the SAPControl connection. This requires additional configuration. The following is required for each scenario:
On the Protect4S system, the HTTPS service must be permanently activated (transaction SMICM).
The HTTPS port (5<##>14) is enabled on the SAP start service (sapstartsrv).
The 'SSL client SSL Client (Anonymous)' PSE is activated (transaction STRUST) and the certificate of the HTTPS sapstartsrv is trusted by the PSE by adding the certificate to the certificate list.
Without user
Similar to the HTTP variant, for some system types the connection can be setup without an OS username and password. Use the button 'Without user' and leave the SSL Client PSE setting to 'DFAULT'.
Basic authentication
It is recommended to specify the OS username and password to include all checks. Leave the SSL Client PSE setting to 'DFAULT'.
Certificate-based authentication
Instead of an OS username and password, it is possible to use certificate-based authentication. Keep in mind that the Protect4S system acts as a client and the sapstartsrv as a server component. The following is required:
A separate 'SSL Client Identity' must be created and activated on the Protect4S VM system (transaction STRUST).
The certificate of the PSE must be trusted by the sapstartsrv. This is done by adding the certificate to the service PSE of sapstartsrv (default: SAPSSLS.pse).
The certificate of the PSE must be configured on the sapstartsrv. This is done by specifying the allowed attributes using parameter 'service/sso_admin_user_x’.
In the wizard screen, the 'OS user name' and 'password' field need to be empty, and the created SSL Client PSE must be selected.
The sapstartsrv HTTPS service must be configured with a certificate that matches the hostname used for the connection to prevent a hostname mismatch error.
It is recommended to use signed certificates for both the sapstartsrv and the client PSE.
Example
The example below shows how certificate-based authentication is setup for a demo certificate with CN=sapadmin.protect4s.local.
Separate 'SSL Client Identity':
Setup trust and configuration on sapstartsrv. Adding the certificate to SAPSSLS.pse is not required if sapstartsrv and the client PSE is signed by the same CA. Using wildcards in the parameter allows for multiple trusts.
The PSE can now be selected and tested:
Retrieving the sapstartsrv certificate and import in PSE
There are several opportunies to retrieve the certificate. Using a browser is a practical option.
From a (client) system that can connect to the satellite system, navigate to https://<satellite hostname>:5<##>14 where ## is the instance number.
Display the certificate from the browser and save it locally.
Import the certificate in the intended PSE.
Last updated