SAP Certificates Guide
This section will help you understand the Certificate Management needed to ensure secure connections are established between SAP and AWS.
Understanding SAP Certificates
As with any SAP NetWeaver based server, a CxLink ABAP Suite implementation requires SSL/TLS to be configured on the ABAP system so that it can establish secure, encrypted connections. SSL (Secure Sockets Layer, today implemented as TLS) is a communication method in which traffic between system entities is encrypted, and each party is authenticated by an X.509 certificate issued by a Certificate Authority (CA). The certificate binds the party's public key; the corresponding private key stays with its owner and is never distributed.
SAP Help Page
You can find a detailed guide on how to configure SSL in an ABAP system in the following SAP Help Guide: https://help.sap.com/viewer/e73bba71770e4c0ca5fb2a3c17e8e229/7.5.9/en-US/4923501ebf5a1902e10000000a42189c.html
For your SAP Server to connect to AWS services, it must meet all SAP requirements for SSL communication. In particular, the certificate of every AWS endpoint the server will call must be stored in the SAP STRUST transaction, together with the Root and intermediate CA certificates of each certificate chain.
You can either import all needed certificates manually or delegate that operation to the CxLink ABAP Suite add-on. Both options, and the additional actions each one requires, are described below.
Manually importing the certificates
If you do not want to delegate the certificate installation to CxLink ABAP Suite, download the following certificates manually and import them into the STRUST transaction:
Root & CA certificates can be downloaded by right-clicking the following links and using the Save Link as... option to store the files on your hard drive:
- https://dl.cacerts.digicert.com/BaltimoreCyberTrustRoot.crt.pem
- https://dl.cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crt.pem
- https://www.amazontrust.com/repository/SFSRootCAG2.pem
- https://www.amazontrust.com/repository/AmazonRootCA1.pem
- https://www.amazontrust.com/repository/AmazonRootCA2.pem
- https://www.amazontrust.com/repository/AmazonRootCA3.pem
- https://www.amazontrust.com/repository/AmazonRootCA4.pem
AWS Endpoints Certificates
Download at least the certificates for the following endpoints, and add any other endpoint your SAP Server will interact with:
- iam.amazonaws.com
- s3.amazonaws.com
- s3.<aws_region>.amazonaws.com
- sts.<aws_region>.amazonaws.com
- kms.<aws_region>.amazonaws.com
- kinesis.<aws_region>.amazonaws.com (Only for CxLink Datalakes)
AWS endpoint certificates cannot be downloaded directly from a URL; you need to retrieve them from the endpoint itself.
One way to do this is with OpenSSL from a computer/server that has it installed. The following command stores the certificate chain presented by the endpoint in a file (replace service-endpoint with the service you need; the redirection from /dev/null is required, otherwise s_client waits for input on stdin and the command never finishes):
openssl s_client -showcerts -servername <service-endpoint>.amazonaws.com -connect <service-endpoint>.amazonaws.com:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./<service-endpoint>.cert.pem
The output contains the endpoint certificate followed by its intermediate CA certificates; STRUST imports one certificate at a time, so split the file before importing. If the machine reaches the internet through a TLS-inspecting proxy, the certificate you receive is the proxy's, not Amazon's: check that the downloaded certificate chains to one of the Root CA certificates listed above before importing it.
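The retrieval step above, as an added shell example that is not part of CxLink ABAP Suite or of AWS documentation: it wraps the openssl s_client call, splits the returned chain into one PEM file per certificate (the form STRUST imports), and verifies the leaf certificate against a file of trusted roots before anything is imported. The file name aws-roots.pem (assumed to be the concatenated Root CA PEMs listed above), the output naming, and the sample bundle used in the offline demo branch are assumptions and constructed data, not real certificates.

```shell
#!/bin/sh
# Added example (not part of CxLink ABAP Suite): fetch the certificate chain an
# AWS endpoint presents, split it into one PEM file per certificate (STRUST
# imports certificates one at a time), and verify the leaf against the
# downloaded Amazon/DigiCert root certificates before importing anything.

# fetch_chain HOST [PORT]: print every certificate the server sends, as PEM.
# </dev/null stops s_client from waiting on stdin (otherwise the command hangs);
# -servername sends SNI so the endpoint returns the certificate for that name.
fetch_chain() {
  host=$1
  port=${2:-443}
  openssl s_client -showcerts -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null |
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# split_pem_bundle BUNDLE OUTDIR PREFIX: write PREFIX-1.pem (leaf), PREFIX-2.pem
# (first intermediate), ... into OUTDIR and print how many certificates were written.
split_pem_bundle() {
  bundle=$1
  outdir=$2
  prefix=$3
  mkdir -p "$outdir"
  awk -v dir="$outdir" -v pfx="$prefix" '
    /-BEGIN CERTIFICATE-/ { n++; out = dir "/" pfx "-" n ".pem"; inside = 1 }
    inside                { print > out }
    /-END CERTIFICATE-/   { close(out); inside = 0 }
    END                   { print n + 0 }
  ' "$bundle"
}

# verify_leaf ROOTS_PEM BUNDLE LEAF: succeed only if LEAF chains to one of the
# roots in ROOTS_PEM, using the intermediates in BUNDLE. The certificate
# substituted by a TLS-intercepting proxy fails this check.
verify_leaf() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Pass an endpoint host as $1 to fetch a real chain; with no argument the block
# runs on a constructed, offline bundle (not real certificates).
if [ -n "$1" ]; then
  work=$(mktemp -d)
  fetch_chain "$1" > "$work/chain.pem"
  n=$(split_pem_bundle "$work/chain.pem" "$work/out" "$1")
  echo "$n certificate(s) written to $work/out"
  # aws-roots.pem is an assumed file: the Root CA PEMs listed above, concatenated.
  if [ -f aws-roots.pem ] && verify_leaf aws-roots.pem "$work/chain.pem" "$work/out/$1-1.pem"; then
    echo "leaf certificate chains to a trusted root"
  else
    echo "WARNING: leaf certificate not verified; do not import it unchecked"
  fi
else
  demo=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedLeafBody' '-----END CERTIFICATE-----' \
                '-----BEGIN CERTIFICATE-----' 'MIIBconstructedIssuerBody' '-----END CERTIFICATE-----' \
    > "$demo/chain.pem"
  n=$(split_pem_bundle "$demo/chain.pem" "$demo/out" demo)
  echo "constructed bundle: $n certificate(s) split into $demo/out"
fi
```

Run it as `sh fetch-aws-cert.sh s3.eu-west-1.amazonaws.com` (assumed file name) with aws-roots.pem in the working directory; import `<host>-1.pem` into STRUST only when the verification line is printed.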
Automatic Certificate Management
AWS endpoint certificates are rotated regularly, and can also be revoked or expire. When that happens, the new certificate(s) must be installed in STRUST, otherwise CxLink ABAP Suite can no longer connect to the affected service.
Install Required Software at Operating System level
CxLink ABAP Suite can handle the certificate import and maintenance for all required AWS services.
For that, you need to ensure that both the wget and OpenSSL packages are installed on your SAP Server and that the SAP administrator user, sidadm, can execute both of them. Additional information on each package:
OpenSSL. Used to retrieve the Amazon service endpoint certificates.
Minimum version recommended: 1.1.0
Proxy Requirements
If the server must go through a proxy to reach the internet, OpenSSL 1.1.0 or later is mandatory, because that is the release that added the -proxy option to openssl s_client. With older OpenSSL versions the limitation can be worked around by installing proxytunnel or similar software on the system.
Wget. Used to retrieve the Amazon Root CA and issuer certificates.
Minimum version required: 1.20
Configure your SAP Server to use both programs
The SAP Server must be able to execute the openssl and wget commands from the command line to download the certificates. Follow the specific instructions for your operating system platform:
Import the certificates for the first time
To download and store the AWS endpoint certificates on your SAP Server, execute the following steps:
- Open transaction SE38.
- Execute report /LNKAWS/AWS_STRUST by pressing F8 or the Execute button.
Schedule a job for periodical renewal
To ensure that the latest certificates are always stored in the STRUST transaction, schedule the following job on your SAP Server:
- Open transaction SM36.
- Create a new job.
- In the Define Background Job page, set /LNKAWS/LNKAWS_STRUST as the job name and click the Steps button.
- In Create Step 1, set /LNKAWS/AWS_STRUST as the ABAP program name and Save.
- Go back to the main page by selecting Exit in the Step List Overview section.
- Press Start Condition, set the job periodicity and Save.
Best Practice
It is recommended to run the job that executes /LNKAWS/AWS_STRUST on a daily basis, so that a rotated endpoint certificate is picked up before the old one stops being presented.