Skip to end of metadata
Go to start of metadata


  • Host Agent installed and configured for BI Platform Support Tool


Bolded values should be exchanged for values appropriate for your environment

Configure Host Agent to use SSL

  1. Open a command line window and navigate to %PROGRAMFILES%\SAP\hostctrl\exe

  2. Create a subdirectory named sec and set the SECUDIR environment variable to refer to the new directory using the following commands:
    1. %PROGRAMFILES%\SAP\hostctrl\exe> mkdir sec
    2. %PROGRAMFILES%\SAP\hostctrl\exe> set SECUDIR=%PROGRAMFILES%\SAP\hostctrl\exe\sec
  3. Run: sapgenpse gen_pse -a RSA:2048:SHA256 -p SAPSSLS.pse -r "C:\HostAgentSSL\myserver.p10" -x Password1 ", OU=My Org Unit, O=Company, C=US"

  4. Grant the sapadm user read/write permissions to the file SAPSSLS.pse

  5. Run: sapgenpse seclogin -p SAPSSLS.pse -x Password1 -O sapadm

  6. Follow either 7 or 8 in order to add a signed certificate to the PSE
  7. Generate a self-signed certificate to add to the PSE

    1. Follow the instructions here to complete these steps

  8. Generate a private key, and a certificate signing request 

    1. Provide myserver.p10 to your Certificate Authority to sign
    2. You should receive one file containing the signed certificates, and other certificates in the chain of trust - myserver.pk7, or multiple certificates such as myserver.pem and cacert.pem
  9. Import your certificate(s) into the PSE
  10. Run: sapgenpse import_own_cert -p SAPSSLS.pse -x Password1 -c "C:\HostAgentSSL\myserver.pem" -r "C:\HostAgentSSL\cacert.pem" -v
    1. For additional instructions on importing, run: sapgenpse import_own_cert -h
  11. Verify that the certificate was installed
  12. Run: sapgenpse get_my_name -p SAPSSLS.pse -x Password1 -v
  13. Restart SAP Host Agent
  14. Run: saphostexec.exe -restart
  15. Navigate to https://<host>:1129/SAPHostControl/?wsdl in a browser window and ensure that the host agent is running with SSL on that port and an xml file is seen

Configure BI Platform Support Tool to Trust the CA

  1. On the computer where BIPST is installed open a command window and navigate to <BIPSTHOME>\BISupport\bin
  2. Run: keytool -importcert -file "C:\HostAgentSSL\cacert.pem" -alias cacert -keystore "C:\BIPST210\BISupport\lib\security\cacerts" -storepass changeit
    1. Note: The default password for the cacerts keystore is "changeit"
  3. Open BI Platform Support Tool
  4. Navigate to Landscape Configuration and select a server
  5. Click HostAgent Settings and click "Enable SSL" to change the WSDL address to an https:// address
  6. Click Validate

Note: It is only necessary to perform the CA certificate import into the truststore once per CA certificate

  • No labels