SAP PO – https configuration + generating a certificate
You need to enable https for your SAP PO. Nothing simpler, look below.
Add HTTPS port
Run SAP NetWeaver Administration, e.g. http://hostname:55200/nwa
Next, choose the Configuration tab and run:

You can see that for instance number 52 I hadn’t defined an SSL port. I created a new port, “55201”.

Defining a new port creates new entries in the instance profile:
j2ee/instance_id = ID5252255
icm/server_port_0 = PROT=P4, PORT=55204
icm/server_port_1 = PROT=HTTP, PORT=55200, TIMEOUT=60, PROCTIMEOUT=600
icm/server_port_2 = PROT=HTTPS, PORT=55201, SSLCONFIG=ssl_config_2
icm/ssl_config_2 = VCLIENT=0, CRED=/usr/sap/SID/J52/sec/SAPSSLS.pse
icm/server_port_3 = PROT=IIOP, PORT=55207
icm/server_port_4 = PROT=TELNET, PORT=55208, HOST=localhost
Now you need to restart the SAP instance. After that, the new port will be active.
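A quick way to review the generated profile entries before the restart, as an added example that is not part of the original post: it parses the icm/server_port_N and icm/ssl_config_N lines and reports an HTTPS port whose SSLCONFIG points at an undefined or PSE-less config, and cleartext HTTP/TELNET ports with no HOST=localhost restriction. The function names and the choice of checks are assumptions of this example; the sample input is the profile shown above.

```python
import re

# Constructed sample: the instance profile entries from the post, one per line.
PROFILE = """\
j2ee/instance_id = ID5252255
icm/server_port_0 = PROT=P4, PORT=55204
icm/server_port_1 = PROT=HTTP, PORT=55200, TIMEOUT=60, PROCTIMEOUT=600
icm/server_port_2 = PROT=HTTPS, PORT=55201, SSLCONFIG=ssl_config_2
icm/ssl_config_2 = VCLIENT=0, CRED=/usr/sap/SID/J52/sec/SAPSSLS.pse
icm/server_port_3 = PROT=IIOP, PORT=55207
icm/server_port_4 = PROT=TELNET, PORT=55208, HOST=localhost
"""

LINE = re.compile(r"^\s*icm/(server_port|ssl_config)_(\d+)\s*=\s*(.*)$")

def parse_profile(text):
    """Return (ports, ssl_configs) as dicts of KEY=VALUE options."""
    ports, ssl = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an ICM port / SSL config line
        kind, idx, value = m.groups()
        pairs = (p.split("=", 1) for p in value.split(",") if "=" in p)
        opts = {k.strip().upper(): v.strip() for k, v in pairs}
        if kind == "server_port":
            ports[int(idx)] = opts
        else:
            ssl["ssl_config_" + idx] = opts
    return ports, ssl

def audit(text):
    """List findings to look at before restarting the instance."""
    ports, ssl = parse_profile(text)
    findings = []
    for _, p in sorted(ports.items()):
        prot, port = p.get("PROT", "?"), p.get("PORT", "?")
        if prot == "HTTPS" and "SSLCONFIG" in p:
            cfg = ssl.get(p["SSLCONFIG"])
            if cfg is None:
                findings.append(f"port {port}: SSLCONFIG {p['SSLCONFIG']} is not defined")
            elif not cfg.get("CRED", "").endswith(".pse"):
                findings.append(f"port {port}: {p['SSLCONFIG']} has no PSE file in CRED")
        elif prot in ("HTTP", "TELNET") and p.get("HOST") != "localhost":
            findings.append(f"port {port}: cleartext {prot} has no HOST=localhost restriction")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(PROFILE)) or "no findings")
```

On the profile above this reports only the HTTP port 55200, which stays open next to the new HTTPS port.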
Generating a certificate
1. Run SAP NetWeaver Administration, e.g. http://hostname:55200/nwa and find: Certificates and Keys -> Key Storage.
2. Generate a new ssl-credentials entry in the Keystore ICM_SSL_InstanceNumber_PORT, e.g. ICM_SSL_4229679_55201 – the old entry can be deleted or renamed. The new port will be available after an instance restart.
- Step 1 -> Entry name – enter the name: ssl-credentials.
- Step 1 -> Valid from/to – enter the validity period of the certificate.
- Step 1 -> Store Certificate – don’t mark this option, because the system creates a self-signed certificate.

- Step 2 -> Fill in the appropriate fields. I filled in only: CN, C, O and OU.

- Step 3 -> skip

- Step 4 -> Click Finish

3. Now you can find the new entry, i.e. ssl-credentials, in the View Entries tab for ICM_SSL_4229679_55201 (generated in point 2).
- Select the row with ssl-credentials and click the button: “Generate CSR Request”

4. Download the certificate request and send it to the CA. Expected result: PKCS#12 key pair + password. Additionally, you need the rootca and subca certificates.
5. After receiving all the certificates, follow the steps below:
- Log on to the OS and go to the folder: /usr/sap/SID/J52/sec
- Back up the old PSE files (if there are any), e.g. SAPSSLS.pse and SAPSSLS_52201.pse, and then delete them.
- Now log on to NWA and run: Certificates and Keys: Key Storage
- Select the Keystore ICM_SSL_4229679_55201 and delete everything in View Entries below.
- Now rename the received certificate files: name the *.p12 file “ssl-credentials.p12” and name the server certificate “ssl-credentials-cert.crt”. Rootca and subca can be left unchanged.
- Now, in NWA, import the certificates into the Keystore ICM_SSL_4229679_55201. Choose: “Import Entry”. First import the PKCS12 certificate -> choose ssl-credentials.p12 and enter the password. Next import the X.509 certificates, i.e. ssl-credentials-cert.crt and the others (rootca and subca).
- After uploading the certificates, select the Keystore ICM_SSL_4229679_55201 and click the button: “Export View to PSE”
6. On the OS, new PSE files should have been created in the folder: /usr/sap/SID/J52/sec.
7. Now restart the SSL Provider service (Start&Stop: Java Services -> Java Services) or the whole SAP instance.
8. Verify – open the URL https://hostname:55201/nwa, log on to NWA and check the certificate.
