Skip to end of metadata
Go to start of metadata


  • Host Agent installed and configured for BI Platform Support Tool


Bolded values should be exchanged for values appropriate for your environment

Configure Host Agent to use SSL

  1. Log in as a user with root authorization

  2. Navigate to /usr/sap/hostctrl/exe

  3. Create a subdirectory named sec and set the SECUDIR environment variable to refer to the new directory using the following commands:
    1. mkdir sec
  4. Set the environment variables for the environment
    1. export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/sap/hostctrl/exe/
    2. export SECUDIR=/usr/sap/hostctrl/exe/sec/
  5. Grant the sapadm user, and sapsys group ownership of the sec directory
  6. Run:
    1. chown sapadm:sapsys ./sec
  7. Execute the following as the sapadm user so that correct permisions are set:

  8. Run:

    1. sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse gen_pse -a RSA:2048:SHA256 -p SAPSSLS.pse -r "/usr/boeuser/SSL/hostagent.p10" -x Password1 ", OU=My Org Unit, O=Company, C=US"

  9. Grant the sapadm user read/write permissions to the file SAPSSLS.pse

  10. Run: 

    1. sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse seclogin -p SAPSSLS.pse -x Password1 -O sapadm

  11. The output file hostagent.p10 is the certificate request for this system
  12. Follow either 13 or 14 in order to generate a signed certificate to the PSE
  13. Sign your certificate request using a self-signed certificate to add to the PSE

    1. Follow the instructions here to complete these steps

  14. Provide the hostagent.p10 file to your Certificate authority to sign 

    1. You should receive one file containing the signed certificates, and other certificates in the chain of trust - myserver.pk7, or multiple certificates such as myserver.pem and cacert.pem
  15. Import your certificate(s) into the PSE
  16. Run: 
    1. ./sapgenpse import_own_cert -p SAPSSLS.pse -x Password1 -c "C:\HostAgentSSL\myserver.pem" -r "C:\HostAgentSSL\cacert.pem" -v
    2. For additional instructions on importing, run: 
    3. ./sapgenpse import_own_cert -h
  17. Verify that the certificate was installed
  18. Run: 
    1. ./sapgenpse get_my_name -p SAPSSLS.pse -x Password1 -v
  19. Restart SAP Host Agent
  20. Run: 
    1. ./saphostexec.exe -restart
  21. Navigate to https://<host>:1129/SAPHostControl/?wsdl in a browser window and ensure that the host agent is running with SSL on that port and an xml file is seen

Configure BI Platform Support Tool to Trust the CA

  1. On the computer where BIPST is installed open a command window and navigate to <BIPSTHOME>\BISupport\bin
  2. Run: keytool -importcert -file "C:\HostAgentSSL\cacert.pem" -alias cacert -keystore "C:\BIPST210\BISupport\lib\security\cacerts" -storepass changeit
    1. Note: The default password for the cacerts keystore is "changeit"

Note: It is only necessary to perform the CA certificate import into the truststore once per CA certificate

Configure BI Platform Support Tool to use SSL with Host Agent

  1. Open BI Platform Support Tool
  2. Navigate to Landscape Configuration and select a server
  3. Click HostAgent Settings and click "Enable SSL" to change the WSDL address to an https:// address
  4. Click Validate
  • No labels