SAP Certificates Guide

This section will help you understand the Certificate Management needed to ensure secure connections are established between SAP and AWS.


Understanding SAP Certificates

As part of CxLink ABAP Suite implementation, as in any SAP Netweaver based server, there is a requirement to establish SSL (Secure Sockets Layer) security for an ABAP-based system that requires secure, encrypted communications. SSL (Secure Sockets Layer) is a communication method whereby secure communication between system entities is accomplished by the use of encryption facilitated by X.509 certificates published by Certificate Authorities (CA) in tandem with public and private decryption keys.

SAP Help Page

You can find a detailed guide in how to configure SSL in ABAP System in the following SAP Help Guide: in new window

For your SAP Server to connect to AWS Services you will need to ensure that it meets all requirements from SAP to enable SSL communications. That includes the need to store all AWS Endpoint certificates into the SAP STRUST transaction, including the Root and CA certificates in the certificate chain.

You can choose to manually import all needed certificates or leverage that operation to the CxLink ABAP Suite add-on. To do so, you will need to perform the following additional actions.

Manually importing the certificates

If you don't want to leverage the certificate installation to CxLink ABAP Suite, you will need to manually download and import the following certificates and import them into the STRUST transaction:

Automatic Certificate Management

AWS certificates can be invalidated or expire. If that happens, new certificate(s) must be installed in STRUST to ensure CxLink ABAP Suite can run properly.

Install Required Software at Operating System level

CxLink ABAP Suite will handle the certification import and maintenance for all required AWS Services.

For that, you will need to ensure that both WGET and OpenSSL packages are installed in your SAP Server and that the SAP Administrator User sidadm can execute both of them. Below you can find additional information of each package:

  • OpenSSLopen in new window. Used to retrieve the Amazon Service Endpoints certificates

    Minimum version recommended: 1.1.0

    Proxy Requirements

    If the server must use a Proxy to access the internet OpenSSL version 1.1.0 is mandatory. Older versions of OpenSSL can be bypassed by installing proxytunnel or similar software in the system.

  • Wgetopen in new window. Used to retrieve the Amazon CA and Issuer Certification certificates

    Minimum version required: 1.20

Configure your SAP Server to use both programs

SAP Server must be able to execute openssl and wget commands from command line to download the certificates. Follow the specific instructions for your operating system platform:

Import the certificates for the first time

To download and store the AWS Endpoint certificates in your SAP Server, execute the following steps:

  1. Open transaction SE38
  2. Execute report /LNKAWS/AWS_STRUST by pressing F8 or execute button.

Schedule a job for periodical renewal

To ensure that the latest certificates are always stored in the STRUST transaction, schedule the following job in your SAP Server by following the next steps:

  1. Open transaction SM36

  2. Create a New Job.

  3. In the Define Background Job page, set /LNKAWS/LNKAWS_STRUST as the job name and click on the Steps button.

    Image ALT

  4. In Create Step 1, set /LNKAWS/AWS_STRUST as the ABAP program name and Save

    Image ALT

  5. Go back to the main page by selecting Exit in the Step List Overview section.

  6. Press Start Condition, set the job periodicity and Save.

Best Practice

It is recommended to schedule the job /LNKAWS/AWS_STRUST on a daily basis.