Skip to end of metadata
Go to start of metadata

This expert guide explains how to enable certificate based authentication of the Diagnostics Agents towards a SAP Solution Manager 7.1 system.

With Solution Manager 7.1 SP05 and higher


  • You need to be logged on as SOLMAN_ADMIN

Distribute the certificates to the Diagnosts Agents

  • Navigate to solman_setup transaction / Scenario: System Preparation / Step: Set Authentication Policy for Agents
  • Also make sure all previous Steps & Activities within this Scenario (Guided Procedure) have been performed (successfully)
  • Double check the initial counters to see the amount of Authenticated and Non-authenticated Agents currently connected
  • Click on the "Agent Administration" link to navigate to the Agent Administration UI and select the "Connected Agents" tab
  • Make sure all connected Diagnostics Agents are IAIK enabled, by displaying all details in the (connected) Diagnostics Agent list, by enabling the detailed view. In case some Agents do have the SUN provider in place, use the contextual menu to "Install IAIK SSL libraries" on each of these Agents.
  • Additionally navigate to the "Agent Administration" / "Agent Connectivty" and make sure that all Diagnostics Agents (having the IAIK SSL libraries installed) are connected via MS / P4 SSL. Otherwise, update the connection mode and press each time "Apply" at the end of the table line.
  • Back in the solman_setup window, now select "Use Authentication via certificate"
  • Press "Generate new certificate..." and provide a validity duration. Remind that the certificate will have to be regenerated before it will expire in the coming months.
  • Finally press "Save"
  • Now press regularly the "Refresh" button within this Step in order to double check that in the following minutes the amount of Authenticated Agents reaches again the previous number. In case you do not reach this situation, navigate again to the "Agent Administration" / "Non-authenticated" and press "Push Credentials". If this also doesn't help, try to establish back the connection to Solution Manager, in case the Diagnostics Agents were registered in a central or local SLDs, with solman_setup transaction / Scenario: System Preparation / Step: Connect Diagnostics Agents. Make sure to always select the appropriate SLD, where each time the specific Diagnostics Agent to be re-connected is directly registered in.

With Solution Manager 7.1 SPs lower than SP05 or troubleshooting


Prepare the Solution Manager and the Diagnostics Agents for Certifcate Based Diagnostics Agent authentication

Navigate to „Agent Administration" tab „Advanced Setup, click on "Diagnostics Agent Support Tool", navigate to tab "SMD Server Runtime" and expand tray "Agent Security Configuation"

Click thumbnail to open image!

  1. Click on "Install SSL Libraries on all Agents" (this needs to be repeated if new agents are installed and the SSL libraries are not installed on the agents)
  2. Click on "Setup Certificate Logon Module"
  3. Click on "Generate Agent Certificate", here you can choose which user the certificate will be mapped against and how long the certificate will be valid. Before the end of validity is reached you can use this button also to generate a new certificate with a new validity date. Don't forget that this newly generated certificate needs then to be republished to all agents

Distribute the certificates to the Diagnosts Agents

Navigate to „Agent Administration" tab „Agent Credentials" and expand tray "Certificate"

Click thumbnail to open image!

  1. Select from the "Certificate Migration " drop down list your Agent and click "Set Certificate". Alternativley you can push the Certificates to all agents by clicking on "Set Certificate for all"
    • In the SMDAgent a parameter like this is generated
    • In the SMDAgent runtime properties the Parameter is set
      (in case of user/pwd authentication this should be set back to smdserver.connection.requiresAuthentication=basic)
      Will be set automatically back to "basic" when connection via certificate is not longer possible (e.g. user locked, cert not longer valid) and the SMDAgent trys to get Agent Connectivity Credentials again via SLD
  2. If your original certificate is not valid anymore or you choose to use a different user mapping, you can republish the newly generated certificate by clicking "Re-push certificate to all agents".

Setting the default authentication

If you want to reconfigure all new agents to certificate based authentication, you can use the setting "Authentication Method Migration". After switching here, all newly connected agent will be configured to use certificate based authentication by default and you do not need to reconfigure all agents manually.

  • No labels