SAP PO – https configuration + generating a certificate

Do you need to enable HTTPS for your SAP PO? Nothing simpler, see below.

Add HTTPS port

Run SAP NetWeaver Administration, e.g. http://hostname:55200/nwa

Next, choose the Configuration tab and run:

You can see that for instance number 52 I haven’t defined an SSL port. I created a new port, “55201”.

Defining a new port creates new entries in the instance profile:

j2ee/instance_id = ID5252255
icm/server_port_0 = PROT=P4, PORT=55204
icm/server_port_1 = PROT=HTTP, PORT=55200, TIMEOUT=60, PROCTIMEOUT=600
icm/server_port_2 = PROT=HTTPS, PORT=55201, SSLCONFIG=ssl_config_2
icm/ssl_config_2 = VCLIENT=0, CRED=/usr/sap/SID/J52/sec/SAPSSLS.pse
icm/server_port_3 = PROT=IIOP, PORT=55207
icm/server_port_4 = PROT=TELNET, PORT=55208, HOST=localhost

Now you need to restart the SAP instance. After that, the new port will be active.
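A consistency check for the profile entries above, as an added example that is not part of the original post: it confirms that every HTTPS port points at a defined icm/ssl_config_N entry and reports the PSE file (CRED) that entry loads. The function names are hypothetical and the sample input is the profile excerpt from this page.

```python
import re

# The profile lines shown above (SID is the page's own placeholder).
SAMPLE_PROFILE = """\
j2ee/instance_id = ID5252255
icm/server_port_0 = PROT=P4, PORT=55204
icm/server_port_1 = PROT=HTTP, PORT=55200, TIMEOUT=60, PROCTIMEOUT=600
icm/server_port_2 = PROT=HTTPS, PORT=55201, SSLCONFIG=ssl_config_2
icm/ssl_config_2 = VCLIENT=0, CRED=/usr/sap/SID/J52/sec/SAPSSLS.pse
icm/server_port_3 = PROT=IIOP, PORT=55207
icm/server_port_4 = PROT=TELNET, PORT=55208, HOST=localhost
"""

def parse_icm_params(text):
    """Return {parameter name: {OPTION: value}} for every icm/* profile line."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        name = name.strip()
        if not sep or name.startswith("#") or not name.startswith("icm/"):
            continue
        opts = {}
        for item in value.split(","):
            key, eq, val = item.partition("=")
            if eq:
                opts[key.strip().upper()] = val.strip()
        params[name] = opts
    return params

def check_https_ports(text):
    """Return (ports, problems): each HTTPS port with the PSE file it will load."""
    params = parse_icm_params(text)
    ports, problems = [], []
    for name in sorted(params):
        opts = params[name]
        if not re.fullmatch(r"icm/server_port_\d+", name) or opts.get("PROT", "").upper() != "HTTPS":
            continue
        port, cfg = opts.get("PORT"), opts.get("SSLCONFIG")
        ssl = params.get("icm/" + cfg) if cfg else None
        cred = ssl.get("CRED") if ssl else None
        if cfg and ssl is None:
            problems.append(f"port {port}: icm/{cfg} is not defined")
        elif ssl is not None and not cred:
            problems.append(f"port {port}: icm/{cfg} has no CRED (PSE path)")
        ports.append({"port": port, "sslconfig": cfg, "cred": cred})
    return ports, problems

if __name__ == "__main__":
    ports, problems = check_https_ports(SAMPLE_PROFILE)
    for p in ports:
        print(f"HTTPS port {p['port']} -> {p['sslconfig']} -> {p['cred']}")
    for msg in problems:
        print("PROBLEM:", msg)
```

The reported CRED path is the PSE file that the later “Export View to PSE” step has to produce in the instance's sec folder.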

Generating a certificate

  1. Run SAP NetWeaver Administration, e.g. http://hostname:55200/nwa and find: Certificates and Keys -> Key Storage.
  2. Generate a new ssl-credentials entry in the keystore ICM_SSL_InstanceNumber_PORT, e.g. ICM_SSL_4229679_55201. The old entry can be deleted or renamed. The new port will be available after an instance restart.
  • Step 1 -> Entry name – we must enter the name: ssl-credentials.
  • Step 1 -> Valid from/to – enter the validity of the certificate.
  • Step 1 -> Store Certificate – do not select this option, because the system creates a self-signed certificate.
  • Step 2 -> Fill the appropriate fields. I filled only: CN, C, O and OU.
  • Step 3 -> skip
  • Step 4 -> Click Finish

3. Now you can find the new entry, i.e. ssl-credentials, in the View Entries tab for ICM_SSL_4229679_55201 (generated in point 2).

  • Select the row with ssl-credentials and click the button: “Generate CSR Request”

4. Download the certificate request and send it to the CA. Expected result: PKCS#12 key pair + password. Additionally, you need the rootca and subca certificates.

5. After receiving all the certificates, we follow the steps below:

  • log on to the OS and go to the folder: /usr/sap/SID/J52/sec
  • back up the old PSE files (if there are any), e.g. SAPSSLS.pse and SAPSSLS_52201.pse, and then delete them
  • now log on to NWA and run: Certificates and Keys: Key Storage
  • select the keystore ICM_SSL_4229679_55201 and delete everything in View Entries below
  • now change the file names of the received certificates, i.e. the *.p12 file is renamed to “ssl-credentials.p12” and the server certificate is renamed to ssl-credentials-cert.crt. Rootca and subca can be left unchanged
  • now, in NWA, import the certificates into the keystore ICM_SSL_4229679_55201. Choose: “Import Entry”. First import the PKCS12 certificate -> choose ssl-credentials.p12 and enter the password. Next import the X.509 certificates, i.e. ssl-credentials-cert.crt and the others (rootca and subca)
  • after uploading the certificates, select the keystore ICM_SSL_4229679_55201 and click the button: “Export View to PSE”

6. On the OS, new PSE files should have been created in the folder /usr/sap/SID/J52/sec.

7. Now restart the SSL Provider service (Start&Stop: Java Services -> Java Services) or the whole SAP instance.

8. Verify – log on to NWA via the URL https://hostname:55201/nwa and check the certificate.