Comment on page
SAPControl security settings
In the system creation wizard, an SAPControl connection can be made using different variants for HTTP and HTTPS. These are detailed below.
HTTP is the default variant and requires no additional settings. To authenticate on SAPControl, an OS username and password must be specified, preferably the <sid>adm user. For some system types, the connection can be setup without an OS username and password, using the button 'Without user'. In this case, the connection is setup without authentication. Note the following:
- The specified OS username and password is sent accross unencrypted from the Protect4S system to the satellite system. Using HTTPS is recommened.
- Without a username/password, the SAPControl connection is only used for the instance information of the system. The webmethod 'GetSystemInstanceList' must be allowed to use without authentication. Some checks will not be executed without username/password.
It is recommended to use HTTPS for the SAPControl connection. This requires additional configuration. The following is required for each scenario:
- On the Protect4S system, the HTTPS service must be permanently activated (transaction SMICM).
- The HTTPS port (5<##>14) is enabled on the SAP start service (sapstartsrv).
- The 'SSL client SSL Client (Anonymous)' PSE is activated (transaction STRUST) and the certificate of the HTTPS sapstartsrv is trusted by the PSE by adding the certificate to the certificate list.
Similar to the HTTP variant, for some system types the connection can be setup without an OS username and password. Use the button 'Without user' and leave the SSL Client PSE setting to 'DFAULT'.
It is recommended to specify the OS username and password to include all checks. Leave the SSL Client PSE setting to 'DFAULT'.
Instead of an OS username and password, it is possible to use certificate-based authentication. Keep in mind that the Protect4S system acts as a client and the sapstartsrv as a server component. The following is required:
- A separate 'SSL Client Identity' must be created and activated on the Protect4S VM system (transaction STRUST).
- The certificate of the PSE must be trusted by the sapstartsrv. This is done by adding the certificate to the service PSE of sapstartsrv (default: SAPSSLS.pse).
- The certificate of the PSE must be configured on the sapstartsrv. This is done by specifying the allowed attributes using parameter 'service/sso_admin_user_x’.
- In the wizard screen, the 'OS user name' and 'password' field need to be empty, and the created SSL Client PSE must be selected.
- The sapstartsrv HTTPS service must be configured with a certificate that matches the hostname used for the connection to prevent a hostname mismatch error.
- It is recommended to use signed certificates for both the sapstartsrv and the client PSE.
The example below shows how certificate-based authentication is setup for a demo certificate with CN=sapadmin.protect4s.local.
- Separate 'SSL Client Identity':
- Setup trust and configuration on sapstartsrv. Adding the certificate to SAPSSLS.pse is not required if sapstartsrv and the client PSE is signed by the same CA. Using wildcards in the parameter allows for multiple trusts.
- The PSE can now be selected and tested:
There are several opportunies to retrieve the certificate. Using a browser is a practical option.
- From a (client) system that can connect to the satellite system, navigate to https://<satellite hostname>:5<##>14 where ## is the instance number.
- Display the certificate from the browser and save it locally.
- Import the certificate in the intended PSE.