
Configuring SSL communication with Content Server

The content server communication with SAP can optionally have an SSL port enabled, which also requires certificates to be generated and registered so that communication with SAP is secure. The following example uses the command line tool openssl; there are various ways to generate certificates, so this example is just one of them. Installing the openssl utility in your environment is not part of this guide. This example also generates what are known as self-signed certificates. Obtaining certificates signed by a certificate authority is outside the scope of this document.

First you’ll need to get a private key and convert it to the appropriate format required by the Gimmal Link Enterprise Connector. 

1. Generate an encrypted private key using openssl.

openssl genrsa -aes256 -out my_private_key.pem 2048 

This generates an RSA private key encrypted with AES-256 (other ciphers are possible if AES-256 is deemed unsuitable by your organization). It will prompt you for a passphrase for the encryption; make sure to choose something that you will remember. The file is in PEM format, so it is human readable. The 2048 at the end of the command makes the key 2048 bits long (you could also use 4096 here instead of 2048).

2. Convert the private key to the pkcs8 structure

openssl pkcs8 -topk8 -inform pem -in my_private_key.pem -outform pem -nocrypt -out entlink_private_key_pkcs8.pem 

This command takes the file generated in the previous step and converts it into the pkcs8 structure used by the Enterprise Connector. Note that the -nocrypt option also removes the encryption, so the output file contains the private key in clear text. Because anyone who can read that file can use the key, you may wish to restrict who has access to the folder where the certificates are stored. Just make sure that the Windows server that runs the Gimmal Link Enterprise Connector still has access to the folder, creating a dedicated logon user for the service if need be.

3. Store the private key in the config directory under the installation folder.

4. Rename the private key to entlink_private_key_pkcs8.pem if you chose a different name in the previous steps. If you wish to keep the name that you originally chose, you can instead adjust the Config.properties file found in the config directory under the installation folder to point to the new private key file you have created: set content.pem.file to the name of the file you have chosen.

Ex: content.pem.file=my_private_key_pkcs8.pem (if you chose my_private_key_pkcs8.pem as the output file when converting to the pkcs8 structure).

5. Generate a public certificate from the private key using openssl. Make sure that the common name matches the host used in the OAC0 ArchiveLink configuration (IP address or hostname).

openssl req -new -x509 -key my_private_key.pem -out entlink_public.cer -days 3650 

This command creates a new self-signed certificate that is valid for 3,650 days.

It will prompt you to enter the passphrase you chose earlier for your private key. 

Then it will ask you to enter in a country designation, state or province, and city. 

Next enter in your company name and an optional organizational unit from within your company (this can be left blank). 

For the common name make sure to enter the ip address or hostname you used or will use when configuring the ArchiveLink repository under OAC0. 

You can optionally enter in an email address as well. 

6. Store the public certificate in the config directory under the installation folder.

7. Rename the public certificate to entlink_public.cer if you chose a different name in the previous steps. If you wish to keep the name that you originally chose, you can instead adjust the Config.properties file in the config directory under the installation folder to point to the new public certificate you have created: set content.cer.file to the name of the file you have chosen.

Ex: content.cer.file=my_public.cer (if you chose my_public.cer as the output file when creating the certificate).
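The openssl work from steps 1, 2 and 5 as one non-interactive script, followed by the checks worth running before pointing Config.properties at the files: that the pkcs8 file really is unencrypted (so it needs the access restriction noted in step 2), that it is not readable by other accounts, that the certificate's common name matches the OAC0 host, and that the certificate was actually issued from this key. This is an added example, not the guide's or Gimmal's own tooling. It assumes a POSIX shell with openssl on the PATH (the guide targets a Windows server, where the same openssl commands apply), the guide's file names, and constructed values for the passphrase, host and organisation fields; the -passout/-passin and -subj options replace the interactive prompts the guide describes.

```shell
#!/bin/sh
# Added example (not from the original guide). Assumes openssl on PATH and a POSIX shell.
set -eu

# make_entlink_pair DIR PASSPHRASE HOST
#   DIR        : directory that receives the files (the guide's config directory)
#   PASSPHRASE : passphrase for the encrypted intermediate key (step 1)
#   HOST       : IP address or hostname configured in OAC0; becomes the certificate CN (step 5)
make_entlink_pair() {
    dir=$1; pass=$2; host=$3
    umask 077   # every file created below is readable only by the current user

    # Step 1: RSA key, 2048 bits, encrypted with AES-256. -passout replaces the passphrase prompt.
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/my_private_key.pem" 2048 2>/dev/null

    # Step 2: pkcs8 conversion. -nocrypt writes the key UNENCRYPTED, which is why umask is set above.
    openssl pkcs8 -topk8 -inform pem -in "$dir/my_private_key.pem" -passin "pass:$pass" \
        -outform pem -nocrypt -out "$dir/entlink_private_key_pkcs8.pem"

    # Step 5: self-signed certificate, 3650 days, CN = the OAC0 host. -subj replaces the
    # country/state/city/company prompts; the C/ST/L/O values here are constructed placeholders.
    openssl req -new -x509 -key "$dir/my_private_key.pem" -passin "pass:$pass" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=$host" \
        -days 3650 -out "$dir/entlink_public.cer" 2>/dev/null
}

# key_is_unencrypted PKCS8_KEY: "yes" when the file holds a clear-text PKCS#8 key (no passphrase)
key_is_unencrypted() {
    case $(head -n 1 "$1") in
        "-----BEGIN PRIVATE KEY-----") echo yes ;;
        *) echo no ;;
    esac
}

# key_perms_ok KEYFILE: "ok" when group and other have no access bits on the unencrypted key
key_perms_ok() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) echo ok ;;
        *) echo exposed ;;
    esac
}

# cert_cn CERT: print the certificate's common name, to compare against the OAC0 host
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,lname \
        | sed -n 's/^ *commonName=//p'
}

# pair_matches PKCS8_KEY CERT: "ok" when the certificate's public key belongs to this private key
pair_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout)
    [ "$k" = "$c" ] && echo ok || echo mismatch
}

# Usage (constructed values):
#   make_entlink_pair ./config 'choose-a-passphrase' archive01.example.internal
#   cert_cn ./config/entlink_public.cer          # must print archive01.example.internal
#   pair_matches ./config/entlink_private_key_pkcs8.pem ./config/entlink_public.cer
```

The umask is the scripted equivalent of the folder restriction step 2 asks for: because -nocrypt strips the passphrase, the pkcs8 file is only as safe as its access control, so the service account should be the only reader. The CN check reproduces the condition from step 5 that step 12's store/retrieve test would otherwise be the first to catch.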

8. Store the public certificate in SAP using the transaction STRUST. This lets SAP know that calls out to the content server presenting this public certificate are trusted.

  1. Execute transaction STRUST
  2. Double click on the SSL System Client SSL Client on the left hand side (note that there may be two variants of the System SSL client; repeat the process for both SSL clients).
  3. Verify that the right hand side says "SSL System Client SSL Client" at the top
  4. On the bottom certificate section on the right hand side click on the import certificate button found in the lower left.
  5. Select the certificate file that was previously generated and upload the certificate.
  6. Verify that the certificate details get loaded up into the screen.
  7. Finally click on the “Add to Certificate List” button.
  8. Verify that the certificate list in the middle of the right hand side now contains an entry for the newly created public certificate (you may have to scroll down through the list of certificates).
  9. Repeat the process if there was more than one SSL System client.

9. Adjust the content server configuration tab in the Profile Wizard for the content server that will be using SSL communication by adding an SSL port number to the configuration.

10. Make sure that the same port number is configured in the ArchiveLink repository that will be used with this configuration via transaction OAC0.

11. Make sure to save the configuration to the active profile and restart the Gimmal Link Enterprise Connector Windows service for the changes to take effect.

12. In order to verify that the SSL configuration is correct you will need to attempt to store and retrieve (view) a business document that is associated with the ArchiveLink repository configured to use SSL. Note that testing the connection to the ArchiveLink repository does not test the SSL connection since that information is sent over the non-SSL port. This also means that ArchiveLink repository configurations must have both an SSL port and a regular port configured.