Automate deployment of SSL certificate in STRUST

Hi Guys,

Since I have many servers in our company, manually putting SSL certificates into STRUST is a very tiring thing. Also, since I am using Let's Encrypt as my CA to get the certs signed, they have only 3 months' validity, so it's hard to remember the renewal dates. I know how to automate the cert renewal on the operating system level by using Certbot.

But how can I automate the deployment process of certs in SAP Tcode STRUST? Is there any script that can do it? I just want that whenever a server needs a cert to be renewed, it automatically generates a Certificate Signing Request (CSR), gets a signed cert from a CA and deploys it in STRUST.

I am using SAP NetWeaver AS ABAP. Please provide any kind of suggestion that can help automate the process. Has anyone been able to automate this process? How do I know when a certificate is about to expire? How do I automatically create the X.509 cer file? How do I upload the X.509 automatically to SAP ABAP? Please let me know if more information is needed.

Accepted Solutions (1)

Sandra_Rossi
Active Contributor

I haven't heard of any tool to mass upload certificates.

But at least, you may use this report:

SSF_ALERT_CERTEXPIRE

You are alerted for soon-expiring certificates. The report has many options.

ADDENDUM: You may develop your own program by using the APIs provided in note 1014077 - Downport: API for SSO2 trust configuration (ABAP) (STRUSTSSO2 is almost the same as STRUST except that there is an additional part for SAP Logon tickets) ; maybe also check the note 1130923 - External STRUST-API (advance delivery), but it's not obvious whether there is something really official.

Hi Sandra,

Thanks a lot for your quick response. Since I am new in this field, if you have any other info regarding this topic then please share. I am looking at this report -> SSF_ALERT_CERTEXPIRE, as you mentioned. It will take me much time to go through this report; if I have any questions on it then I will ask.

Hi Sandra,

By using sapgenpse commands on our operating system, we can export and import our certificates. My question is: after importing the signed cert with sapgenpse, will that put the cert directly into STRUST? And after importing the signed cert, do I then not need to do anything in SAPGUI (STRUST)? If everything can be done by issuing sapgenpse commands, then I can automate it by making batch files and running them in a job scheduler as a background job. Is that possible?

Sandra_Rossi
Active Contributor
riteshbansal696, are you asking the same question again? If so, then let me answer the same as previously 🙂 By the way, if you plan on developing a tool to automate it and publishing it, then the community will thank you a lot, of course. Oh, I saw something, let me edit my answer, please check it in 2 minutes.

Answers (6)

Are there any updates on this task? Are there plans for the future?

This means for a solution on this I have 3 Options:

1.) Each of our customers will have to do it manually. ==> This means we will get support requests from customers from time to time because of broken connections (certificate expired).

2.) We have to write a program on our own based on APIs of note: 1014077 - Downport: API for SSO2 trust configuration (ABAP) (STRUSTSSO2 is almost the same as STRUST except that there is an additional part for SAP Logon tickets) ; maybe also check the note 1130923 - External STRUST-API (advance delivery), but it's not obvious whether there is something really official.

==> This could possibly lead to security issues with customers.

3.) We give our customers the advice to buy the SAP SSO license that contains a tool that will support automated SSL certificate deployment to STRUST (We would only need this tool and not the rest of this SSO stuff.)

Well, it is difficult to explain to non-SAP IT managers that our customers have to pay for a license just for Certificate Lifecycle Management.

Especially when this is done in a standard browser automatically in the background. "State of the art".

Thanks in advance for any feedback.

Regards, Mathias

daniel_hermann
Explorer
Hi Mathias,

I have a question about part 3.

Which tool is assigned to the SAP SSO license?

We have the problem that external connections use Let's Encrypt certificates for their web services... that's annoying, but we have to deal with it.

Maybe we can use this tool for the renewal of those external certificates.

Regards, Daniel

Renew certificates at regular intervals with Certificate Lifecycle Management (sap.com)

These are the programs; see the comment below.

See more details in Certificate Lifecycle Management for ABAP Application Servers.

But I was also facing troubles with self-signed certificates. I am not sure, but I have something in mind that the self-signed certificate needs to contain the IP address or domain name. I was struggling with it. Well, try to google this...

Former Member

You can use sapgenpse import_own_cert in your script to automatically renew the certificate in the PSE issued by Let's Encrypt.

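The import_own_cert route above, written out as a complete renewal cycle. This is an added example and not code from the thread, from SAP or from the certbot project. It keeps the private key inside a PSE the whole time: sapgenpse generates the key pair and the CSR, certbot only sees the CSR (certbot's --csr mode), and sapgenpse imports the signed certificate and the CA chain. It also covers the "how do I know a certificate is about to expire" question from the original post with an OS-level check (the OS-level counterpart of the SSF_ALERT_CERTEXPIRE report mentioned above). All paths, the PIN file, the FQDN, the root CA file, the certbot authenticator arguments and the script name are my assumptions, not something the thread states; the sapgenpse options used (gen_pse -r, import_own_cert -c/-r, get_my_name -v, seclogin -O) are the documented ones, but check them against your CommonCryptoLib release.

```sh
#!/bin/sh
# Added example (not code from the thread, nor from SAP or certbot): one
# renewal cycle for a NetWeaver AS ABAP server PSE signed by Let's Encrypt.
# The key pair is generated inside a PSE by sapgenpse, certbot only sees the
# CSR, and sapgenpse imports the signed result, so the private key never
# exists as a PEM file. Everything in the variable block is assumed
# (my choices): paths, the PIN file, the FQDN and the certbot authenticator.
set -u

FQDN="${FQDN:-sap.example.com}"
SECUDIR="${SECUDIR:-/usr/sap/SID/DVEBMGS00/sec}"
PSE="${PSE:-$SECUDIR/SAPSSLS.pse}"            # the server PSE (ssl/server_pse)
PIN_FILE="${PIN_FILE:-$SECUDIR/sapssls.pin}"  # PSE PIN, mode 0400, owner <sid>adm
WORK="${WORK:-/usr/sap/SID/le-work}"          # staging directory, <sid>adm only
ROOT_CA="${ROOT_CA:-$WORK/isrg-root-x1.pem}"  # root of the LE chain, fetched once out of band
CERTBOT_AUTH="${CERTBOT_AUTH:---standalone}"  # use a webroot/dns plugin where port 80 is taken
RENEW_DAYS="${RENEW_DAYS:-30}"                # renew when fewer days than this remain

# needs_renewal CERT.pem DAYS -> true when CERT is missing or expires within DAYS.
# openssl -checkend exits non-zero when the certificate expires within the period,
# so the result is negated.
needs_renewal() {
    [ -f "$1" ] || return 0
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

renew_pse() {
    pin=$(cat "$PIN_FILE") || return 1
    mkdir -p "$WORK" && cd "$WORK" || return 1
    rm -f new.pse new.csr cert.pem chain.pem fullchain.pem   # certbot renames instead of overwriting

    # 1. Fresh PSE with a new key pair; -r writes the CSR. The CN must be the
    #    name clients connect to; check your sapgenpse release for SAN support.
    sapgenpse gen_pse -p "$WORK/new.pse" -x "$pin" -r "$WORK/new.csr" "CN=$FQDN" || return 1

    # 2. Let's Encrypt signs the CSR. With --csr certbot writes exactly these
    #    three files and creates no renewal config: renewing is this script's job.
    certbot certonly --non-interactive --agree-tos $CERTBOT_AUTH \
        --csr "$WORK/new.csr" -d "$FQDN" \
        --cert-path "$WORK/cert.pem" --chain-path "$WORK/chain.pem" \
        --fullchain-path "$WORK/fullchain.pem" || return 1

    # 3. Signed certificate plus the CA chain into the new PSE. -r is given once
    #    per CA certificate file; chain.pem from certbot holds the intermediate.
    sapgenpse import_own_cert -p "$WORK/new.pse" -x "$pin" \
        -c "$WORK/cert.pem" -r "$WORK/chain.pem" -r "$ROOT_CA" || return 1

    # 4. Look before swapping: subject, issuer and validity of the new PSE.
    sapgenpse get_my_name -p "$WORK/new.pse" -x "$pin" -v || return 1

    # 5. Swap in the new PSE and refresh cred_v2 so the instance opens it without the PIN.
    cp -p "$PSE" "$PSE.$(date +%Y%m%d%H%M%S).bak" 2>/dev/null
    mv "$WORK/new.pse" "$PSE" || return 1
    sapgenpse seclogin -p "$PSE" -x "$pin" -O "$(id -un)" || return 1
    echo "new certificate in $PSE; restart the ICM (SMICM) and push the PSE into STRUST"
}

main() {
    if needs_renewal "$WORK/cert.pem" "$RENEW_DAYS"; then
        renew_pse
    else
        echo "certificate still valid for more than $RENEW_DAYS days, nothing to do"
    fi
}

# Only act when called as 'renew_sap_pse.sh run', e.g. daily from the <sid>adm crontab.
if [ "${1:-}" = run ]; then main; fi
```

Two caveats a practitioner will hit. First, this replaces the PSE file on one host only: STRUST keeps its own copy of each PSE in the database and distributes it to the application servers, so a file-level swap is invisible to STRUST and to the other instances until the PSE is pushed back (the SSFR_PSE_UPLOAD route the original poster ended up with), and the ICM keeps the old PSE loaded until it is restarted. Second, the PIN is passed on the sapgenpse command line and is visible in the process list for that moment; on a shared host, run the job as <sid>adm only and keep the PIN file at mode 0400.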
Hi Samuli,

Thanks for your valuable response. By using the sapgenpse import_own_cert command, will it load the certificate into the server system (STRUST)? Do I then not need to do anything in STRUST? I mean, will using sapgenpse commands allow me to import the signed certificate and load it into STRUST, so that after importing it I don't need to do anything in SAPGUI (STRUST)? If everything works by using commands, then I can just make a batch file and run it to automate the process.

Hi Samuli,

I am still waiting for your response.

Also another question: if I want to renew the CA-signed certificate, do I need to create a new Server PSE with sapgenpse? If not, how can I delete the already existing signed cert in STRUST via sapgenpse, so that I can import a new signed cert?

Matt_Fraser
Active Contributor

Ritesh,

Sandra's answer is the best one, but I have to comment that a 3-month validity seems very, very short. Do you need publicly-signed certs -- i.e., are your systems accessible over the Internet? -- or would an internally-generated cert work for you? If the latter is true, is there a reason not to use your own internal CA to sign the certs? If you're on a Windows network, and your users are members of the domain, you can install a Microsoft CA and use Group Policy to push trust of that CA to your domain members, which will work in both IE and Chrome browsers. Then you can control the validity period of your certs, pushing them to, say, 5 years, instead of just 3 months. It's not automation, but it could seriously reduce the headache.

Cheers,
Matt

Hi Matt,

Thanks for your response. I need publicly signed certificate, because that will work for all the systems (on all operating systems). It can be that some people are working on Mac or Linux as well, then there will be trust issues. I can easily get a signed certificate by a CA and can renew it every day, but how can I automatically put it in SAP system (STRUST).

Hi Guys,

I solved this by making a PSE file using sapgenpse commands and then uploading it into STRUST using the function module SSFR_PSE_UPLOAD.

ronnyfiebig
Explorer
Hi riteshbansal696,

I see you've found a solution to the problem. I am facing the same problem as you and would be interested in the solution. Did you document it somewhere and could you share it with the community? I think some would be interested in your solution.

Regards Ronny

mamartins
Active Contributor
One other possible solution is to have one central server based on Linux to automate the Let's Encrypt certification process.

Then export the certificate with the private key and then upload to the instance.
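The central-host variant described above, as an added example that is not code from the thread, from SAP or from certbot. It differs from the CSR-from-PSE approach in the trade-off it makes: certbot runs on one Linux host with its own renewal timer for all systems, but the private key is created by certbot as a PEM file and has to travel to the SAP host, packed into a password-protected PKCS#12 bundle that sapgenpse import_p12 reads. Host names, user names, all paths, the password file and the installed script name are my assumptions; the -z option for the PKCS#12 password is the sapgenpse option as I recall it, so confirm it with `sapgenpse import_p12 -h` before relying on it.

```sh
#!/bin/sh
# Added example, not code from the thread: the "one central Linux host" variant.
# certbot runs there with its own renewal timer; after a renewal the key, the
# certificate and the chain are packed into a PKCS#12 bundle, copied to the SAP
# host and imported into the PSE with sapgenpse import_p12.
# Assumed (my choices): all paths, host and user names, the password file and
# the name under which this script is installed on both hosts.
set -u

LIVE="${LIVE:-/etc/letsencrypt/live/sap.example.com}"     # certbot's standard layout
SAP_HOST="${SAP_HOST:-sapapp01.example.com}"
SAP_USER="${SAP_USER:-sidadm}"
SAP_INBOX="${SAP_INBOX:-/home/$SAP_USER/inbox}"           # <sid>adm-owned, mode 0700
P12_PASS_FILE="${P12_PASS_FILE:-/etc/letsencrypt/sap-p12.pass}"   # mode 0400; same file on both hosts
SCRIPT="${SCRIPT:-/usr/local/bin/sap-le-bundle.sh}"       # this script, installed on both hosts
PSE="${PSE:-/usr/sap/SID/DVEBMGS00/sec/SAPSSLS.pse}"
PIN_FILE="${PIN_FILE:-/usr/sap/SID/DVEBMGS00/sec/sapssls.pin}"

# bundle_p12 KEY CERT CHAIN OUT PASSFILE
# One password-protected PKCS#12 file with key, certificate and chain, the
# format sapgenpse import_p12 reads. Created under umask 077 in a subshell
# because the private key is inside.
bundle_p12() {
    ( umask 077
      openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
          -name "sapssl" -out "$4" -passout "file:$5" )
}

# p12_ok FILE PASSFILE -> true when the MAC verifies with that password, i.e.
# the bundle is intact and the password file on the SAP host will open it.
p12_ok() {
    openssl pkcs12 -in "$1" -passin "file:$2" -noout
}

# Central host: run as certbot --deploy-hook so it fires only after a real renewal.
push_to_sap() {
    stage=$(mktemp -d) || return 1
    bundle_p12 "$LIVE/privkey.pem" "$LIVE/cert.pem" "$LIVE/chain.pem" \
        "$stage/sapssls.p12" "$P12_PASS_FILE" || return 1
    p12_ok "$stage/sapssls.p12" "$P12_PASS_FILE" || return 1
    scp -q -p "$stage/sapssls.p12" "$SAP_USER@$SAP_HOST:$SAP_INBOX/sapssls.p12" || return 1   # -p keeps mode 0600
    rm -rf "$stage"
    ssh "$SAP_USER@$SAP_HOST" "$SCRIPT import $SAP_INBOX/sapssls.p12"
}

# SAP host, as <sid>adm: build a new PSE from the bundle, then swap it in.
import_bundle() {
    pin=$(cat "$PIN_FILE") || return 1
    rm -f "$PSE.new"
    sapgenpse import_p12 -p "$PSE.new" -x "$pin" -z "$(cat "$P12_PASS_FILE")" "$1" || return 1
    sapgenpse get_my_name -p "$PSE.new" -x "$pin" -v || return 1
    cp -p "$PSE" "$PSE.$(date +%Y%m%d%H%M%S).bak" 2>/dev/null
    mv "$PSE.new" "$PSE" || return 1
    sapgenpse seclogin -p "$PSE" -x "$pin" -O "$(id -un)" || return 1
    rm -f "$1"     # the private key now lives only inside the PSE on this host
    echo "PSE replaced; restart the ICM (SMICM) and push the PSE into STRUST"
}

case "${1:-}" in
    push)   push_to_sap ;;
    import) import_bundle "${2:?bundle path}" ;;
esac
```

The same STRUST caveat as for any file-level PSE change applies: STRUST's database copy and the other application servers do not see the new PSE until it is uploaded back, and the ICM needs a restart. If sapgenpse rejects the bundle, the likely cause is the PKCS#12 encryption OpenSSL 3 uses by default; re-exporting with OpenSSL's `-legacy` switch produces the older encryption, but I have not verified which CommonCryptoLib releases need that.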

LutzR
Active Contributor

Hi Ritesh,

one way to treat this issue is to use the certificate lifecycle management functionality of the Secure Logon Server.

Look here: Certificate Lifecycle Management for ABAP Application Servers

This provides full automation but has the following disadvantages:

  • It will cost money ("SAP Single Sign-On"-Licenses)
  • I doubt that it will integrate with a public trusted CA (but I am not sure about it and it may be worth some research)

Regards, Lutz

sachin_sachdeva2
Explorer
Hi Ritesh Bansal,

Were you able to automate SSL certs in SAP ABAP and JAVA systems? We have the same requirement but have a cert dependency on Venafi.

Regards

Sachin