Add Certificates to SAP

STRUST Certificates are relevant for the following areas:

To add a certificate to SAP, create a new SSL Client Identity or use an existing SSL Client Identity (Anonymous or Standard). Add the certificate into the SSL Client Identity.

Create new SSL Client Identity

  1. Go to transaction code STRUST.
  2. Navigate to Environment > SSL_Client Identities, and click New Entries from the menu bar.
  3. Enter the identity name and description, then save.
  4. Go to transaction code STRUST, right-click the SSL identity node, and select Create to create a PSE file for the new SSL identity.
  5. In the Create PSE window, enter the required PSE options and submit.

Add Certificate to SSL Client Identity 

  1. Go to transaction code STRUST.
  2. Select Certificate > Import from the menu bar.
  3. On the Import Certificate window, select your certificate file (*.pem, *.cer, etc.) and confirm the selection.
  4. View the file content under the Certificate pane. 
  5. Double-click the SSL Client Identity you are using to load it.
  6. Click Add to Certificate List in the Certificate pane.
  7. Click Save.
  8. Restart ICM. Go to transaction code SMICM, click Administration > ICM > Exit Soft > Local.

    Newer SAP versions do not require a restart; check the status line to determine whether a restart is needed.

SAP HTTPS Service

For any SSL connection to work, the SAP system must have an active HTTPS service set up. Go to transaction code SMICM, click Goto > Services, and make sure that the list contains an HTTPS row that is marked as active.

Add SSL Certificate to SDK Manager

Use one of the following two methods to add an SSL certificate:

  1. Add Own Certificate
  2. Generate New Certificate

Ensure that the CN given in the Subject field is the same as the value of the SDK Manager Host field.


Add Own Certificate

  1. In the directory where HTTP SDK was manually installed, create a new 'cert' sub-directory.

    /opt/appdynamics/appdhttpsdk/cert

  2. Copy the following two certificate files into the new sub-directory. Both files should contain the same certificate and private key. Make sure that the COMMON NAME (CN) of both certificates is the same as SDK Manager Host.
    1. A .pem file that must contain CERTIFICATE and RSA PRIVATE KEY sections.
    2. A .jks, .p12, .pfx, .cfg, or .bks file. If this certificate is encrypted, add another file to this directory that contains the certificate key as a single line.

  3. Add the SSL certificates to SAP. See Add Certificate to SAP.

Generate New Certificate

  1. In the directory where HTTP SDK is installed, run the createCertificate script.
    /opt/appdynamics/appdhttpsdk/createCertificate
    1. When prompted, retain the default value or enter your own value.
    2. Make sure that the COMMON NAME (CN) of the certificate is the same as SDK Manager Host.
    3. If you choose to enter an Export Password, create a new file named key, containing the Export Password line, in the <path to sdk>/appdhttpsdk/cert directory.
  2. Add the SSL certificates to SAP. See Add Certificate to SAP.

After generating the new certificate, you should have the following two (or three) files in the <path to sdk>/appdhttpsdk/cert directory:

  • cert.pem
  • cert.p12
  • key (* only for step 1c)

Download SSL Certificates via Web Browser

Open the URL from where you need to download the SSL certificates in a web browser. Access the certificate screen and download all certificates. The exact procedure depends on the web browser.

Edge

  1. Click on the lock icon to the left of the URL
  2. Click on 'View Certificate'
  3. Click through all tree levels under 'Certificate Information', press 'Export to file' on each level, and save each certificate file with a unique name.

Chrome

  1. Click on the lock icon to the left of the URL
  2. Click on 'Certificate (Valid)'
  3. In the Certificate dialog, switch to 'Certification Path' tab
  4. Click through the 'Certification path' tree. Press 'View Certificate' on each tree level
  5. In the new Certificate dialog, switch to 'Details' tab and press 'Copy to File...' 
  6. Save the certificate as 'Base-64 encoded X.509 (.CER)' file with a unique name
  7. Repeat steps 5 and 6 for each tree level from step 4

Internet Explorer

  1. Click on the lock icon to the right of the URL
  2. Click on 'View certificates'
  3. The rest of the process is the same as for Chrome

Troubleshooting

Problem - A Status Code 500 (SSL Peer Certificate Untrusted) error occurs when using an SSL connection from the ABAP Agent to the Remote HTTP SDK.

Solution - In specific cases, this can be caused by missing intermediate certificates in the .pem certificate file. The .pem file should contain the full certificate chain. The content of the .pem file should be as follows:

1. Server Certificate
2. <Intermediate Certificate>
3. <Intermediate Certificate>
4. ...
5. CA Certificate
6. Private Key
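
A layout check for the .pem bundle described above, added here as an example and not part of the AppDynamics SDK or its scripts. It verifies only the section order (certificates first, one RSA PRIVATE KEY section last) and flags a file with a single certificate; it does not verify issuer chaining or the CN. The function names and the placeholder sample blocks are constructed for illustration.

```python
import base64
import re

# One PEM block; the BEGIN and END labels must agree.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
KEY_LABEL = "RSA PRIVATE KEY"  # the key section name the page gives


def pem_sections(text):
    """Return PEM section labels in file order; raise on a corrupted body."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        # Skip blank lines and "Name: value" headers of encrypted legacy keys.
        b64 = "".join(ln.strip() for ln in body.splitlines() if ":" not in ln)
        base64.b64decode(b64, validate=True)
        labels.append(label)
    return labels


def check_bundle(text):
    """Compare section order with: server cert, intermediates, CA cert, key."""
    labels = pem_sections(text)
    certs = labels.count("CERTIFICATE")
    findings = []
    if certs == 0:
        findings.append("no CERTIFICATE section")
    elif certs == 1:
        findings.append("only one certificate: intermediates may be missing")
    if labels.count(KEY_LABEL) != 1:
        findings.append("expected exactly one RSA PRIVATE KEY section")
    elif labels[-1] != KEY_LABEL:
        findings.append("private key is not the last section")
    for label in sorted(set(labels) - {"CERTIFICATE", KEY_LABEL}):
        findings.append(f"unexpected section: {label}")
    return findings


def make_block(label):
    """Constructed placeholder block (valid base64, not a real certificate)."""
    body = base64.b64encode(b"constructed placeholder for " + label.encode())
    return f"-----BEGIN {label}-----\n{body.decode()}\n-----END {label}-----\n"


SAMPLE_FULL = make_block("CERTIFICATE") * 3 + make_block(KEY_LABEL)  # constructed
SAMPLE_LEAF_ONLY = make_block("CERTIFICATE") + make_block(KEY_LABEL)  # constructed

if __name__ == "__main__":
    print(check_bundle(SAMPLE_FULL))
    print(check_bundle(SAMPLE_LEAF_ONLY))
```

A single-certificate finding is expected for a self-signed certificate; it matters when the certificate was issued by a CA with intermediates.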