SAP Certificates Guide

This section will help you understand the Certificate Management needed to ensure secure connections are established between SAP and AWS.

Topics

• Understanding SAP Certificates
• Manually importing the certificates
• Automatic Certificate Management
  • Install Required Software at Operating System level
  • Configure your SAP Server to use both programs
  • Import the certificates for the first time
  • Schedule a job for periodical renewal

---

Understanding SAP Certificates

As part of CxLink ABAP Suite implementation, as in any SAP Netweaver based server, there is a requirement to establish SSL (Secure Sockets Layer) security for an ABAP-based system that requires secure, encrypted communications. SSL (Secure Sockets Layer) is a communication method whereby secure communication between system entities is accomplished by the use of encryption facilitated by X.509 certificates published by Certificate Authorities (CA) in tandem with public and private decryption keys.

SAP Help Page

You can find a detailed guide in how to configure SSL in ABAP System in the following SAP Help Guide: https://help.sap.com/viewer/e73bba71770e4c0ca5fb2a3c17e8e229/7.5.9/en-US/4923501ebf5a1902e10000000a42189c.html

For your SAP Server to connect to AWS Services you will need to ensure that it meets all requirements from SAP to enable SSL communications. That includes the need to store all AWS Endpoint certificates into the SAP STRUST transaction, including the Root and CA certificates in the certificate chain.

You can choose to manually import all needed certificates or leverage that operation to the CxLink ABAP Suite add-on. To do so, you will need to perform the following additional actions.

---

Manually importing the certificates

If you don't want to leverage the certificate installation to CxLink ABAP Suite, you will need to manually download and import the following certificates and import them into the STRUST transaction:

• Root & CA certificates can be downloaded by right-clicking the following links and using the Save Link as... option to store the files in your hard drive:

  • https://dl.cacerts.digicert.com/BaltimoreCyberTrustRoot.crt.pem
  • https://dl.cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crt.pem
  • https://www.amazontrust.com/repository/SFSRootCAG2.pem
  • https://www.amazontrust.com/repository/AmazonRootCA1.pem
  • https://www.amazontrust.com/repository/AmazonRootCA2.pem
  • https://www.amazontrust.com/repository/AmazonRootCA3.pem
  • https://www.amazontrust.com/repository/AmazonRootCA4.pem

• AWS Endpoints Certificates

  At least download the certificates for the following endpoints. Add any other endpoint that you want your SAP Server to interact with:

  • iam.amazonaws.com
  • s3.amazonaws.com
  • s3.<aws_region>.amazonaws.com
  • sts.<aws_region>.amazonaws.com
  • kms.<aws_region>.amazonaws.com
  • kinesis.<aws_region>.amazonaws.com (Only for CxLink Datalakes)

  AWS Endpoint certificates cannot be downloaded directly from a URL. You will need to use alternative options to download them from its sources.

  One way to do it is by using OpenSSL from a computer/server that has it installed. You can download the certificates to a filesystem or disk by executing the following command (Remember to change service):

  openssl s_client -showcerts -connect <service-endpoint>.amazonaws.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./<*service-endpoint*>.cert.pem
  

---

Automatic Certificate Management

AWS certificates can be invalidated or expire. If that happens, new certificate(s) must be installed in STRUST to ensure CxLink ABAP Suite can run properly.

Install Required Software at Operating System level

CxLink ABAP Suite will handle the certification import and maintenance for all required AWS Services.

For that, you will need to ensure that both WGET and OpenSSL packages are installed in your SAP Server and that the SAP Administrator User sidadm can execute both of them. Below you can find additional information of each package:

• OpenSSL. Used to retrieve the Amazon Service Endpoints certificates

  Minimum version recommended: 1.1.0

  Proxy Requirements

  If the server must use a Proxy to access the internet OpenSSL version 1.1.0 is mandatory. Older versions of OpenSSL can be bypassed by installing proxytunnel or similar software in the system.

• Wget. Used to retrieve the Amazon CA and Issuer Certification certificates

  Minimum version required: 1.20

Configure your SAP Server to use both programs

SAP Server must be able to execute openssl and wget commands from command line to download the certificates. Follow the specific instructions for your operating system platform:

---

Import the certificates for the first time

To download and store the AWS Endpoint certificates in your SAP Server, execute the following steps:

1. Open transaction SE38
2. Execute report /LNKAWS/AWS_STRUST by pressing F8 or execute button.

---

Schedule a job for periodical renewal

To ensure that the latest certificates are always stored in the STRUST transaction, schedule the following job in your SAP Server by following the next steps:

1. Open transaction SM36

2. Create a New Job.

3. In the Define Background Job page, set /LNKAWS/LNKAWS_STRUST as the job name and click on the Steps button.

   

4. In Create Step 1, set /LNKAWS/AWS_STRUST as the ABAP program name and Save

   

5. Go back to the main page by selecting Exit in the Step List Overview section.

6. Press Start Condition, set the job periodicity and Save.

Best Practice

It is recommended to schedule the job /LNKAWS/AWS_STRUST on a daily basis.