
Setting up SSL in IDM 8

former_member2987
Active Contributor
0 Kudos

Hi Folks,

I'm trying to follow the documentation for setting up V8, but I'm hitting a slight snag when dealing with the SSL configuration.

Looking at the documentation, SAP Identity Management Installation Guide - SAP Library and Adding New SSL Access Points - Network and Transport Layer Security - SAP Library, I'm told to open a port, but I don't know which one to open. Is this an arbitrary number or am I supposed to choose a specific value?

Thanks,

Matt

Accepted Solutions (1)

mohinder_singh2
Participant
0 Kudos

Hi Matt,

SSL configuration is very easy in IDM 8.

Please follow these steps:

1. Enable SSL and create a self-signed certificate in NWA > Configuration > Security > SSL on port 50001 or any other port you wish to use.

2. Then click on Export Entry for your certificate and copy it into c:\program files\java\java version\lib\security\ (please check the Windows Java environment for the correct Java path).

3. Export SAPLogonKeypair.cert from TicketKeystore (/nwa) and copy it into c:\program files\java\java version\lib\security\

4. Then use this command to add all certificates into the Java cacerts:

keytool -import -alias my_ssl_cert -file certificate_name.crt -keystore cacerts

Then open Developer Studio and configure port 50001.

Regards,

Mohinder

former_member2987
Active Contributor
0 Kudos

Thanks Mohinder,

Do you have instructions on handling point #1 in your message?

Thanks,

Matt

avatartest
Explorer
0 Kudos

Hi Matt,

You could try this for point#1:

Configuring the Use of SSL on the AS Java - Network and Transport Layer Security - SAP Library

Kind Regards,

Rali


SAP Identity Management Development

mohinder_singh2
Participant
0 Kudos
1. Assign administration rights for performing these steps in SAP NetWeaver Administration.

2. Download the SAP Cryptography Library from http://service.sap.com/swdc -> Installations and Upgrades -> Browse our Download Catalog -> SAP Cryptography Software -> SAPCryptolib for Installation -> SAPCRYPTOLIB X_X_X -> <OS> -> Latest SAPCRYPTOLIB_<XX>.SAR

3. Extract the contents of SAPCRYPTOLIB_<XX>.SAR using the SAPCAR tool, e.g. (cmd> SAPCAR -xvf SAPCRYPTOLIB_<XX>.SAR)

4. Copy and paste the library, the configuration tool, and the license ticket to the corresponding directories:

    SAP Cryptographic Library & Configuration Tool: /usr/sap/<SID>/SYS/exe.

    Ticket: /usr/sap/<SID>/<instance>/sec.

5. Now log on to SAP NetWeaver Administration, i.e. http://<j2ee_host_name>:50000/nwa, then go to Configuration -> Security -> SSL and click to open the configuration tool.

6. Select the instance, push the Edit button and then browse to the SSL Library and Ticket file.

7. In the SSL Access Points section, choose the Add pushbutton.

8. Enter the number of the port (e.g. 50001).

9. Select the Protocol (e.g. HTTPS).

10. Select the keystore view (e.g. Instance Default).

11. Select the Client Authentication Mode (e.g. Request).

12. Finally, push the SAVE button to save all the configuration objects and restart the ICM for the changes to take effect.

13. Open a web browser and enter the URL below: https://<j2ee_host_name>:<ICM_https_port>

former_member190695
Participant
0 Kudos

Hi Matt,

The SAPCrypto library should be part of your default AS Java installation, so it's only necessary to download it if you have a very old version. Check your version using the sapgenpse tool.

It should be Version 8.x.x.

Go to NWA --> Configuration --> SSL and choose a port that you want to use (e.g. 443, 50001, etc.), choose the required Client Authentication Mode (e.g. Request) and enable SSL by browsing to the ticket file.

If you have a Certificate Authority use this to issue the certificate instead of a self-signed certificate.

The private key of the server certificate should be imported in the Server Identity section and the issuer certificate should then be imported in the Trusted CAs section.

Restart the AS Java Instance (ICM) and test the SSL connection.

Regards,

Ridouan

former_member2987
Active Contributor
0 Kudos

Hi Mohinder,

So your instructions make sense, thank you! However now my SAP Java Instance SSL Status is Red.  How do I troubleshoot this?

Thanks,

Matt

Former Member
0 Kudos

Hi Ridouan & Matt, do you need SSL for Eclipse to access the Identity Center? Per the documentation, we should be allowed to access the same over 50000 as well, right?

Did you make any progress with your SSL and are you able to get to the IC? FYI, my SSL is green; however, when I authenticate over 50001 I get the message: "Login failed: Unrecognized SS message" and below is the log:

Any help appreciated! Thanks

Prashanth


mohinder_singh2
Participant
0 Kudos

Hi Matt,

Please use the FQDN in Canonical Host Name, e.g. servername.domain.com

Regards,

Mohinder Singh

mohinder_singh2
Participant
0 Kudos

Please follow these steps now:

3. Export SAPLogonKeypair.cert from TicketKeystore (/nwa) and copy it into c:\program files\java\java version\lib\security\

4. Then use this command to add all certificates into the Java cacerts:

keytool -import -alias my_ssl_cert -file certificate_name.crt -keystore cacerts

After that the error will be gone.

Former Member
0 Kudos

This message was moderated.

Answers (3)

Former Member
0 Kudos

Hi Experts

Can you please help me with this ssl certificate problem.

Followed all the steps as per the documentation but still I’m getting this error.

  

The error is LOGIN FAILED : unrecognized ssl service  .

I’m using jre 1.8 and eclipse Kepler 4.5 and sap idm 8.0.11

Steps I followed:

STEP 1: Add path to eclipse.ini file

STEP 2: Copy ssl-credentials-cert1.crt

Download the ssl-credentials-cert1.crt file and copy it to C:\Program Files\Java\jre7\lib\security\

STEP 3: Command Prompt, Run as administrator

STEP 4: Go to the Java path

    cd C:\Program Files\Java\jre7\bin

STEP 5: Delete the SSL cert if it exists

    keytool.exe -delete -alias my_ssl_cert -keystore ..\lib\security\cacerts

STEP 6: Import SSL

    keytool.exe -import -alias my_ssl_cert -file ..\lib\security\ssl-credentials-cert1.crt -keystore ..\lib\security\cacerts

Then the "certificate was exported to keystore" message was displayed in the command prompt.

STEP 7: Launch Eclipse.exe

STEP 8: Remaining configuration of SAP IDM

Application server, port, datasource and then log in with the credentials.

Thanks,

Anurag Kulkarni

jrondorf
Participant
0 Kudos

If you are using JRE 8, why are you then changing the JRE 7 keystore?

Make sure that you are using the same JRE for Eclipse, where you imported the certificate.

Former Member
0 Kudos

Yes, I'm using Eclipse Kepler, JRE 7, SAP IDM 8.0.11 on the Windows 8.1 platform.

I have installed the SSL certificate in the JRE 7 keystore.

Can you explain to me what the root cause of this error is?

Thanks,

Anurag

jrondorf
Participant
0 Kudos

How many JREs do you have on this machine, and if more than one, do you know that the same one is used for starting eclipse like the one where you imported the cert?

Former Member
0 Kudos

I have only one JRE 7.

I could see only one JRE 7 is installed in Eclipse:

Eclipse -> Preferences -> Java -> Installed JREs (the path where the JRE is installed)

former_member190695
Participant
0 Kudos

Hi,

You can verify which Java version eclipse is using in the configuration tab.

Help --> About Eclipse --> Installation Details --> Configuration.

Please try the following:

..\jre1.7.x_xx\lib\security>..\..\bin\keytool.exe -import -alias <hostname> -keystore cacerts -file "hostname.crt"

Check your SSL connection in the browser.

Check the SSL service is up and running.

Check your server (AS Java) firewall and ports.

Good luck!

Regards,

Ridouan

Former Member
0 Kudos

Hi Ridouan Taibi,

I have imported the certificate in the keystore:

keytool.exe -import -alias my_ssl_cert -file ..\lib\security\ssl-credentials-cert1.crt -keystore ..\lib\security\cacerts

1. Check your SSL connection in the browser?

    It's saying your connection is not private:

    The identity of this website is not verified

    server certificate does not match the url

    server certificate is not trusted

    => In my browser it shows me a different certificate; it's not taking the certificate my_ssl_cert from my keystore, which I have installed using the keytool utility.

2. How to check the SSL service is up and running?

3. How to check your server firewall and ports?

ole_k_rosberg
Explorer
0 Kudos

Hi,

Check your cert and verify that it has the correct server setting

Ole K.

Former Member
0 Kudos

Hi ,

The cert is working with older versions of SAP IDM (8.0.7); the same cert file is not working with newer versions of SAP IDM (8.0.11)?

I did the same configurations but I don't know why it is not working with SAP IDM 8.0.11...

Thanks,

Anurag

former_member190695
Participant
0 Kudos

Hi,

1- As Ole pointed out, the certificate DN should match your server name (don't use localhost).

Here are some keytool commands: The Most Common Java Keytool Keystore Commands

Please review your my_ssl_cert certificate and ensure the DN matches your AS Java host.

You can also double-click the certificate and look for Subject Alternative Name in the details tab.

2- This is the idmdevstudio service that you have deployed together with the app, model and workflow.

3- Ask a basis resource or disable the firewall if you have a standalone installation.

Regards,

Ridouan
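
The name check behind point 1 above and behind the browser message "server certificate does not match the url", as an added example that is not part of the original thread. It applies the usual TLS client rule (SAN dNSName entries win, the CN is only a fallback) to certificates in the dict shape of Python's ssl.SSLSocket.getpeercert(); the host names and sample certificates are constructed, and it does not claim to reproduce what the IDM Eclipse plugin itself checks.

```python
"""Added example: the host-name check a TLS client applies to a server certificate.
Certificates use the dict shape returned by Python's ssl.SSLSocket.getpeercert()."""

def _dns_match(pattern, host):
    """Compare one certificate name with the host; '*' may only replace the first label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_server_name(cert, configured_host):
    """Return (ok, reason) for the host name typed into the client or browser."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    # SAN dNSName entries, when present, are authoritative; the CN is only a fallback.
    names, source = (san, "SAN") if san else (cn, "CN")
    if any(_dns_match(n, configured_host) for n in names):
        return True, "matched " + source
    if "." not in configured_host:
        return False, "%r is not an FQDN; %s lists %s" % (configured_host, source, names)
    return False, "no %s entry matches %r; certificate lists %s" % (source, configured_host, names)

# Constructed sample certificates; every host name here is hypothetical.
CERT_FQDN = {
    "subject": ((("commonName", "idmhost.example.com"),),),
    "subjectAltName": (("DNS", "idmhost.example.com"),),
}
CERT_LOCALHOST = {"subject": ((("commonName", "localhost"),),)}
CERT_SAN_WINS = {  # CN looks right, but the SAN list is what gets checked
    "subject": ((("commonName", "idmhost.example.com"),),),
    "subjectAltName": (("DNS", "other.example.com"),),
}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    cases = [
        (CERT_FQDN, "idmhost.example.com"),      # FQDN configured, FQDN in cert
        (CERT_FQDN, "idmhost"),                  # short name configured
        (CERT_LOCALHOST, "idmhost.example.com"), # cert issued for localhost
        (CERT_SAN_WINS, "idmhost.example.com"),  # CN matches, SAN does not
        (CERT_WILDCARD, "idmhost.example.com"),  # wildcard covers one label
    ]
    for cert, host in cases:
        print(host, "->", check_server_name(cert, host))
```
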

Former Member
0 Kudos

Hi ,

The cert is working with older versions of SAP IDM (8.0.7); the same cert file is not working with newer versions of SAP IDM (8.0.11)?

I did the same configurations but I don't know why it is not working with SAP IDM 8.0.11...

Thanks,

Anurag

Former Member
0 Kudos

Hi ,

Any help please

Yes, I have checked the certificate on the server and the configuration is correct.

I am using the same cert; it worked with 8.0.7 and the same certificate is not working with 8.0.11...

Thanks,

Anurag

mohinder_singh2
Participant
0 Kudos

Hi Anurag,

Please update the SCA file in IDM and then the same version in the Eclipse plugin.

Regards,

Mohinder

Former Member
0 Kudos

Hi ,

yes it worked for me

Thanks for your direction

Thanks,

Anurag

0 Kudos

Hi Matt,

For SSL the port setting is required along with the certificate configuration in both Netweaver Developer studio JAVA and also in the JAVA Server running the IDM. Hope the one below helps for NW Developer Studio

http://help.sap.com/saphelp_nwidmic_80/helpdata/en/34/d1449be534416d9f800f3c91278c67/frameset.htm

Regards,

Karthik

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Matt,

have you tried the default port for SSL (HTTPS), 443 (which is mentioned in the documentation)?

Regards,

Steffi.

former_member2987
Active Contributor
0 Kudos

Thanks, Steffi, I might have overlooked it.  Not a fan of this documentation format and I've already put something into Idea place about it