Cloud Connector Wild card SSL Certificate Windows Server

ikirilova1
Participant

Hello, SAP gurus!

I have the following problem:

We are using a wildcard SSL certificate for several things. We want to use it for the Cloud Connector as well. I was able to import the cert in the SCC UI. When trying to import it in Tomcat, I wasn't able to import the same *.pfx file. The error is "Input not an X.509 certificate". I successfully imported the *.crt version of the same certificate. In the Tomcat config I uncommented


<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           maxParameterCount="1000">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="C:\Users\Administrator\.keystore"
                     type="RSA" certificateKeystorePass="XXX"/>
    </SSLHostConfig>
</Connector>

Cloud Connector is opening on localhost:8443, but the browser does not believe it and I have to accept the risk. Once logged in, the UI certificate is ok in the Cloud Connector.

I am wondering how to remove the certificate not valid error in the browser.

I updated to the latest SACKIT397 - Cloud Connector version 2.16.0.

ikirilova1
Participant

We have Single Sign-On between SAC and BW, so I needed to set up principal propagation in the Cloud Connector. Here it is written that I need to install a system certificate for mutual authentication - https://help.sap.com/docs/SAP_ANALYTICS_CLOUD/00f68c2e08b941f081002fd3691d86a7/3bdb65253c8046b2b8234... and there is a link to a description of how to do it. This is why I imported our own p12 certificate into SCC. As I said earlier, after that I wasn't able to access the system.

The default Tomcat server.xml freshly installed from the latest SAC Simple Development Kit looks like this - TLS/SSL section is not active:

[Screenshot attached: ikirilova1_0-1706607527586.png]

Accepted Solutions (0)

Answers (1)

HAL9000
Product and Topic Expert

By manually modifying the Tomcat configuration files of your Cloud Connector installation, you are risking the upgradeability of the product. And more importantly: you may also lose the eligibility to get support from SAP.
I strongly recommend not doing this. It is also not necessary. Importing the UI certificate is all you need to do on the Cloud Connector side.

The UI certificate must contain a SAN DNS entry which matches the fully qualified hostname used in the address URL of your browser. If you use the address 'https://localhost:8443' in your browser, then the UI certificate must also contain the SAN DNS entry 'localhost', which is not recommended. A real certificate should not be signed for such an undefined hostname. So, use your real (full) hostname instead, which matches the wildcard entry of the imported UI certificate, or create a new UI certificate for your Cloud Connector host.

Furthermore, the certificate authority, which issued/signed the UI certificate, or any intermediate certificate up to the root certificate authority, must belong to the trusted authorities of your browser's certificate store.
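The SAN rule in this answer is what the browser actually enforces, and it explains why a valid wildcard certificate still produces a warning at 'https://localhost:8443'. The following script is an added illustration, not code from this thread or from SAP: it implements the RFC 6125 wildcard matching rules that browsers apply and runs them against a constructed SAN list ('*.example.corp' and 'example.corp' are invented values standing in for the poster's wildcard certificate). It shows that 'localhost' and IP literals are never covered by a wildcard entry, while the host's real fully qualified name is.

```python
"""Check whether a browser hostname is covered by a certificate's SAN dNSName entries.

Added example (not part of the original thread). Implements the RFC 6125
matching rules browsers apply to the subjectAltName extension:
  * DNS names compare case-insensitively;
  * '*' is only honoured as the complete left-most label;
  * the wildcard matches exactly one label, so '*.example.corp' covers
    'scc.example.corp' but not 'example.corp' or 'a.b.example.corp';
  * single-label names such as 'localhost' and IP literals are never
    matched by a wildcard; they would need a literal SAN entry.
"""
import ipaddress


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'SCC.Example.Corp.' == 'scc.example.corp'."""
    return name.strip().rstrip(".").lower()


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(hostname: str, pattern: str) -> bool:
    """Return True if one SAN dNSName `pattern` covers `hostname`."""
    host = _normalize(hostname)
    pat = _normalize(pattern)
    if not host or not pat:
        return False
    if "*" not in pat:
        return host == pat
    # IP addresses are matched against iPAddress SAN entries, never against wildcards.
    if _is_ip_literal(host):
        return False
    pat_labels = pat.split(".")
    host_labels = host.split(".")
    # The wildcard must be the entire left-most label ('foo*.example.corp' is rejected),
    # and at least two labels must follow it (no public CA issues '*.corp'-style names).
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False
    if any("*" in label for label in pat_labels[1:]):
        return False
    # The wildcard stands for exactly one label.
    if len(host_labels) != len(pat_labels):
        return False
    return host_labels[1:] == pat_labels[1:]


def first_matching_entry(hostname: str, san_dns_names):
    """Return the SAN entry that covers `hostname`, or None if the browser would warn."""
    for entry in san_dns_names:
        if dns_name_matches(hostname, entry):
            return entry
    return None


def hostname_matches_san(hostname: str, san_dns_names) -> bool:
    return first_matching_entry(hostname, san_dns_names) is not None


# Constructed SAN list, as a typical wildcard certificate would carry it.
EXAMPLE_SAN = ["*.example.corp", "example.corp"]

if __name__ == "__main__":
    for host in ["localhost", "127.0.0.1", "scc.example.corp",
                 "SCC.EXAMPLE.CORP", "example.corp", "a.b.example.corp"]:
        entry = first_matching_entry(host, EXAMPLE_SAN)
        verdict = f"covered by SAN entry '{entry}'" if entry else "NOT covered: browser will warn"
        print(f"{host:<20} {verdict}")
```

Running it shows 'localhost' and '127.0.0.1' uncovered while 'scc.example.corp' (in any letter case) and the bare 'example.corp' are covered, which is exactly why the fix is to browse to the host's real fully qualified name rather than to edit Tomcat.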

ikirilova1
Participant
When I imported the UI certificate in SCC, the access to it was stopped until I configured Tomcat to use SSL, so modifying the config files was necessary. It is even described on the Apache website to do so.

HAL9000
Product and Topic Expert

That's not true. You can also connect via SSL without trusting the default self-signed certificate.
And SAP does not ship Apache Tomcat as a product free to use on its own. It's just used as an internal component of Cloud Connector.
So please stick to the SAP documentation, unless it explicitly refers to Apache Tomcat documentation.

See also https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/recommendations-for-secure-setup#ui-a...

ikirilova1
Participant

SCC came with its default certificate and with a big red message to replace it with our own UI cert. When we added our wildcard p12 certificate, the access to SCC was stopped because of Tomcat not being set up for SSL.

HAL9000
Product and Topic Expert

Cloud Connector's Tomcat is for sure configured to use TLS/SSL by default. Compare with a server.xml of a fresh installation. If TLS/SSL was previously disabled in your installation, this must already have been modified manually before. That's why you should not touch any Cloud Connector xml configuration files in a text editor. All you need can be configured via UI or REST services.

Also see the big red Caution box in the Cloud Connector documentation:
https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/installation