SSL Configuration


As a general rule, a certificate for data consistency and security must be imported, the repositorymanager-prod.yml configuration file must be modified accordingly, the certificate must be integrated in yuuvis® RAD service-manager, and the SAP SSL configuration must be adapted for communication with SAP.

Certificate

The free software OpenSSL can be used to generate a certificate for development and test systems. For example, once OpenSSL has been installed, the following commands can be executed to generate a certificate. The first two commands set an individual password for the certificate and its subject parameters.

set pass=pass:optimal
set caSubj=/C=DE/ST=DE-DE/L=Berlin/CN=localhost

openssl genrsa -des3 -passout %pass% -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj %caSubj% -passin %pass%
openssl pkcs12 -inkey ca.key -in ca.crt -export -out ca.p12 -passin %pass% -passout %pass%

Executing them will create the ca.crt, ca.key, and ca.p12 files.

Copy the ca.p12 file to the directory specified in the repositorymanager-prod.yml configuration file. Example:

\service-manager\apps\repositorymanager

The repositorymanager-prod.yml Configuration File

The repositorymanager-prod.yml configuration file in the \services\service-manager\config\ directory must have the following entries added to it:

eureka:
  instance:
    ip-address: localhost
    hostname: localhost
    non-secure-port-enabled: false
    secure-port-enabled: true
    secure-port: ${server.port}
    statusPageUrl: https://localhost:${eureka.instance.secure-port}/manage/info
    healthCheckUrl: https://localhost:${eureka.instance.secure-port}/manage/health
    secureHealthCheckUrl: https://localhost:${eureka.instance.secure-port}/manage/health
    homePageUrl: https://localhost:${eureka.instance.secure-port}/

server:
  ssl:
    enabled: true
    key-store-type: PKCS12
    key-store: <Path_service-manager>/apps/repositorymanager/ca.p12
    key-store-password: optimal
    key-alias: '1'
    enabled-protocols: 'TLSv1.2,TLSv1.3'

security:
  require-ssl: true

Adjustments:

eureka:instance:ip-address       IP address of the 'repository manager' microservice
eureka:instance:hostname         Host name
server:ssl:key-store             Path to the certificate
server:ssl:key-store-password    Password for the certificate

Following this, the 'repository-manager' microservice must be restarted.

Integration in yuuvis® RAD service-manager

A certificate can be integrated using the command prompt or using tools such as KeyStore Explorer.

Command prompt:

  • Execute the following commands in the command prompt:

    <Path_service-manager>\jdk\bin\keytool ^
        -importkeystore -srckeystore <Path_service-manager>\apps\repositorymanager\ca.p12 ^
        -srcstorepass optimal -destkeystore <Path_service-manager>\jdk\lib\security\cacerts ^
        -srcstoretype PKCS12 -deststoretype JKS ^
        -deststorepass changeit

    Adjustments:

    -importkeystore -srckeystore    Path to the certificate
    -srcstorepass                   Password for the certificate
    -deststorepass                  Password for certificate administration (default: changeit)

  • Once completed, yuuvis® RAD service-manager needs to be restarted.
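
The following batch script is an added example, not part of the yuuvis® RAD documentation. It checks the results of the certificate, configuration, and import steps above from the Windows command prompt. The SM path and PORT value are placeholders to adjust, and the script assumes that ca.crt is in the current directory and openssl is on the PATH.

```bat
@echo off
setlocal
rem Added verification example, not from the yuuvis documentation.
rem Placeholders (assumptions): SM = your <Path_service-manager>,
rem PORT = the server.port of the repository-manager microservice.
set "SM=C:\yuuvis\service-manager"
set "PORT=8443"
set "P12=%SM%\apps\repositorymanager\ca.p12"
set "KEYTOOL=%SM%\jdk\bin\keytool"

rem 1. ca.p12 must open with the configured password and contain alias 1,
rem    matching key-store-password and key-alias in repositorymanager-prod.yml.
"%KEYTOOL%" -list -keystore "%P12%" -storetype PKCS12 -storepass optimal -alias 1
if errorlevel 1 (echo ca.p12: alias 1 not found or wrong password & exit /b 1)

rem 2. Print subject and expiry date. The CN must match
rem    eureka:instance:hostname and the host name used by SAP.
openssl x509 -in ca.crt -noout -subject -enddate
if errorlevel 1 (echo ca.crt: cannot be read & exit /b 1)

rem 3. The entry must be present in the service-manager JDK trust store
rem    after the keytool -importkeystore step.
"%KEYTOOL%" -list -keystore "%SM%\jdk\lib\security\cacerts" -storepass changeit -alias 1
if errorlevel 1 (echo cacerts: alias 1 not imported & exit /b 1)

rem 4. After the restart, the microservice must complete a TLS 1.2 handshake
rem    and present a certificate that verifies against ca.crt.
openssl s_client -connect localhost:%PORT% -tls1_2 -CAfile ca.crt -verify_return_error <nul
if errorlevel 1 (echo TLS handshake or certificate verification failed & exit /b 1)

echo All checks passed.
```

Run it after both restarts; a failure in step 1 or 3 points at the keystore files, a failure in step 4 at the repositorymanager-prod.yml entries.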

SAP Configuration

  • Call the 'STRUST' transaction.

  • Go to 'SSL Client Standard'.

  • Switch to the Edit mode.

  • Click the Import button.

  • Specify the certificate.

  • Select 'Add to Certificate List'.

  • Save the configuration.

In addition, the host name of the respective SAP system must be edited such that the host name of the imported certificate is mapped to the IP address of the server for which the certificate was issued.

AL and ILM Connections

For AL and ILM connections, the HTTP server inputs must correspond to the hostname of the certificate, not the IP address.

In the 'Logon&Security' section, enable the 'SSL active' option and select the appropriate certificate list into which you have previously imported the certificate.

For configuration details, refer to the SAP documentation.