SAP

Prerequisites

WebDispatcher
  • Ensure the target server IP is accessible from the cloud connector and the port is open.
    1. To SSH into a machine using a specific port, use:
      ssh -p <port_number> <username>@<hostname_or_ip_address>
  • If access elevation is set to None, the application or service users must have the necessary read/write permissions to perform CLM actions on the target server. Commands in this case are executed using the following format:
    • su - {sid}adm -c "some_command"
    • If the SAP SID is configured with password authentication, the command will prompt for it. In such cases, ensure the password is provided in the user interface.
  • When access elevation is set to sudo or dzdo, the application runs commands using the following format:
    • sudo su - sidadm -c "some_command"
    • This means the current SSH user needs permission to run su - {SAPSID}adm via sudo.
    • Make sure the ssh user is added to the sudoers file to execute the sudo/dzdo command.
    • AppViewX supports both password-enabled and passwordless sudo execution.
  • The installation path is based on the user ID. The user ID will be <SAPSID>adm.
  • We use SFTP for file transfers (certificate push), so ensure that SFTP is properly configured for the logged-in user.
    1. From the cloud connector: You can use the sftp command to test the connection to an SFTP server. Open your terminal and type:
      sftp username@hostname
    2. Use the put command to upload the file to the remote server:
      put localfile /path/to/remote/directory
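As an added example (not AppViewX code), the following POSIX shell functions derive the <SID>adm user from an SAP SID, build the command string AppViewX runs for each Access Elevation value described above, and print a least-privilege sudoers line for the SSH user; the /bin/su path and the NOPASSWD form are assumptions for illustration.

```shell
# Added example, not AppViewX code: derive the <SID>adm user from an SAP SID and
# build the command string the page describes for each Access Elevation setting.
# The sudoers path /bin/su and the NOPASSWD form are assumptions for illustration.

# sidadm_user SID -> prints "<sid>adm". SAP SIDs are three upper-case
# alphanumerics starting with a letter; anything else is rejected.
sidadm_user() {
  if ! printf '%s' "$1" | LC_ALL=C grep -Eq '^[A-Z][A-Z0-9]{2}$'; then
    echo "invalid SAP SID: '$1' (expected 3 upper-case characters)" >&2
    return 1
  fi
  printf '%sadm\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# elevated_cmd ELEVATION SID COMMAND -> the command AppViewX runs over SSH:
#   None -> su - <sid>adm -c "COMMAND"        (SSH user switches directly)
#   sudo -> sudo su - <sid>adm -c "COMMAND"   (SSH user needs sudo rights for su)
#   dzdo -> dzdo su - <sid>adm -c "COMMAND"
elevated_cmd() {
  user=$(sidadm_user "$2") || return 1
  case "$1" in
    None)      printf 'su - %s -c "%s"\n' "$user" "$3" ;;
    sudo|dzdo) printf '%s su - %s -c "%s"\n' "$1" "$user" "$3" ;;
    *) echo "unknown access elevation: $1 (use None, sudo or dzdo)" >&2; return 1 ;;
  esac
}

# sudoers_rule SSHUSER SID -> a least-privilege sudoers line that lets the SSH
# user run only "su - <sid>adm ..." as root, passwordless (the form that also
# works with SSH key authentication, which cannot answer a sudo password prompt).
sudoers_rule() {
  user=$(sidadm_user "$2") || return 1
  printf '%s ALL=(root) NOPASSWD: /bin/su - %s *\n' "$1" "$user"
}
```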

ABAP

Create a Web Service for the Function Module

  • SOAMANAGER has to be enabled to create a custom function module in the ABAP to bind the certificate. Authentication details have to be provided on the device onboarding page.
  • Use Basic Authentication with an SAP technical user (e.g., SAP_RFC) and HTTPS for transport security.
  • <protocol>://<deviceIp>:<Web Service Port>/sap/bc/srt/rfc/sap/zws_update_ssl/{Client ID}/zws_update_ssl/zbind_update_ssl

Onboarding SAP

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
  4. Select the SAP logo from the Vendors list.
    The SAP server configuration screen is displayed.
  5. In the Server Details section, enter details as mentioned below.
    Table 1. Server Details - Field Description Table
    Fields Description
    *Server Type Select Server type from radio button options.
    • ABAP
    • WebDispatcher
    *Server name Enter the name of the designated SAP server.
    *IP address/ FQDN Enter the valid IP address or fully qualified domain name (FQDN) for device communication and integration with SAP.
    Data center Choose the desired data center.
    Onboarding Group Select the onboarding group to assign the device.
    Note: Devices without an assigned group are automatically mapped to the Default group during migration, onboarding, and when edited without existing group mappings.
    *SSH Port Retain the value 22; it is the default port used for the SSH communication mode.
    Cert sync Choose from any of the following:
    • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback, etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
    *: Mandatory fields
  6. In the Credentials section, select/enter the details as follows.
    Table 2. Credentials - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry (default)
    • All supported Internal and external vault
    • SSH
    Note:
    • If Credential list - Appviewx is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
    • If SSH is selected, enter the username, upload the key file, and enter the passphrase (if the private key is password-protected) for authentication.
    *Username Enter the designated username for authentication. (field displayed for manual entry and SSH)
    *Password Enter the secure password. (field displayed for manual entry only)
    *: Mandatory fields
  7. In the Vendor Specific Details section, enter details as mentioned below.
    Table 3. Vendor Specific Details - Field Description Table
    Fields Description
    Access Elevation Select sudo or dzdo to execute with root privileges using sudo access. The default value is None.

    AppViewX supports both password-enabled and password-less sudo/dzdo execution.

    Note: SSH key-based authentication does not support password-enabled sudo/dzdo.
    *Client ID
    *Web Service User ID
    *Web Service Password
    *Web Service Port
    Note: All these fields are enabled when the Server Type = ABAP.
    Enter the following details:
    • Client ID
    • Web Service User ID
    • Web Service Password
    • Web Service Port

    These fields are required to invoke the web service that binds the certificate into the selected profile. The values entered are used to frame and invoke the API with the credential.

    Note: For push and bind operations, all these fields must be provided.
    Is Https? Select the checkbox to frame the API with https; leave it cleared to use http.
    File Upload Temp Path Enter the valid file upload directory. The default value is /tmp/.
    Note: Both the SSH user and SAP user should have read, write, and execute permission.
    *: Mandatory fields
  8. In the SAP SID Details section, enter details as mentioned below.
    Table 4. SAP SID Details - Field Description Table
    Fields Description
    *SAP SID Details Enter the three-character SAP System Identification (SAP SID), the identifier of an SAP system. Enter the value in upper case only.
    Password Enter the valid password. This is required when Access Elevation is None and switching to the SAP SID user prompts for a password.
    *: Mandatory fields
  9. Click Save.
    The SAP device is added successfully.

Pre-Config Fetch

Device communication check

Command Description Are the commands executed with sudo or dzdo when access elevation is enabled in the UI?
bind 'set enable-bracketed-paste off'
To disable bracketed paste mode for the current session No
su - {sid}adm -c "echo sap"
The command is used to check the communication Yes

Config Fetch

Perform status and configuration checks for a SAP Web Dispatcher instance.
Command Description Are the commands executed with sudo or dzdo when access elevation is enabled in the UI?
su - {sid}adm -c "ps -ef | grep {sid}adm | grep sapstartsrv | grep -v grep"
Check if the SAP Web Dispatcher service (sapstartsrv) is running under the {sid}adm user and collect the SAP instances Yes
su - {sid}adm -c "test -d /usr/sap/{SID}/{instance} && echo exist || echo not exist"
This command verifies the existence of a specific SAP Web Dispatcher instance directory using the {sid}adm user. It is executed for each result obtained from the previous command. Yes
su - {sid}adm -c "sapcontrol -nr {instanceNr} -function GetVersionInfo | grep sapstartsrv | grep -v grep | cut -d, -f2,3"
Retrieves the version information of the sapstartsrv process for the SAP Web Dispatcher instance, using the {sid}adm user. Note: Here, instanceNr refers to the last two numeric characters of the Instance ID; if the instance ID is D00, the option should be '-nr 00'. Yes

Discovery

  • SAP uses its own cryptographic tool, sapgenpse. With it, a .PSE (Personal Security Environment) file can be created and the certificate exported from it.
  • Types of PSE file supported:
    1. Server Standard PSE (SAPSSLS.pse)
    2. Client PSE
      1. Anonymous (SAPSSLA.pse)
      2. Standard (SAPSSLC.pse)
    3. Web Service PSE (SAPWSSE.pse)
Command Description Are the commands executed with sudo or dzdo when access elevation is enabled in the UI?
su - {sid}adm -c "cd /usr/sap/{SID}/{Instance}; find /usr/sap/{SID}/{Instance} -name SAPSSLS.pse -o -name SAPSSLA.pse -o -name SAPSSLC.pse -o -name SAPWSSE.pse"
This command checks for the presence of specific SAP PSE (Personal Security Environment) certificate files within a given SAP Web Dispatcher instance directory, using the {sid}adm user. Yes
su - {sid}adm -c "mkdir -p /fileUploadTempPath/{transactionalFolder} "
This command creates a transactional temp directory inside the /{fileUploadTempPath} given in the UI. Yes
su - {sid}adm -c "chmod 777 /{fileUploadTempPath}/{transactionalFolder}"
This command changes the permissions of the transactionalFolder to be rwx by all users (777) Yes
su - {sid}adm -c "sapgenpse export_p12 -z \"\" -p /usr/sap/{SID}/{Instance}/sec/{pse} /{fileUploadTempPath}/{transactionalFolder}/SAPSSLA.p12"
This command exports the SAP PSE (Personal Security Environment) certificate in PKCS#12 (.p12) format to the temp directory. Yes
su - {sid}adm -c "openssl pkcs12 -in /fileUploadTempPath/{transactionalFolder}/SAPSSLA.p12 -out /fileUploadTempPath/{transactionalFolder}/SAPSSLA.txt -nodes -passin pass:"
Converts the .p12 certificate bundle into plaintext PEM format containing the certificate and private key. Yes
su - {sid}adm -c "cat /fileUploadTempPath/{transactionalFolder}/SAPSSLA.txt"
To view the contents of the extracted SAP SSL certificate and key file Yes

Discovery cert-profile association:

For each instance and its supported PSE files, AppViewX will discover the certificates and generate a profile named in the following format:

Profile Naming Convention: deviceName::sid::instance::pse

202.164.152.121-SAP-ABAP::S4H::ASCS14::SAPSSLC.pse
202.164.152.121-SAP-ABAP::S4H::ASCS14::SAPSSLS.pse
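As an added example (not AppViewX code) covering both the Config Fetch commands and the discovery profile naming above, the POSIX shell functions below parse a sapstartsrv process list into SID/instance pairs, derive the two-digit number that sapcontrol -nr needs, and turn a discovered PSE path into the deviceName::sid::instance::pse profile name. PS_SAMPLE is a constructed ps -ef excerpt and the host name "saphost" is invented.

```shell
# Added example, not AppViewX code: parse the sapstartsrv process list the
# config fetch collects, derive the instance number that sapcontrol -nr needs,
# and build the discovery profile name deviceName::sid::instance::pse.
# PS_SAMPLE is a constructed ps -ef excerpt; host name "saphost" is invented.

PS_SAMPLE='s4hadm  4321  1  0 May30 ?  00:01:12 /usr/sap/S4H/ASCS14/exe/sapstartsrv pf=/usr/sap/S4H/SYS/profile/S4H_ASCS14_saphost -D -u s4hadm
s4hadm  4355  1  0 May30 ?  00:00:58 /usr/sap/S4H/D13/exe/sapstartsrv pf=/usr/sap/S4H/SYS/profile/S4H_D13_saphost -D -u s4hadm
s4hadm  9001  1  0 May30 ?  00:00:00 grep sapstartsrv'

# instances_from_ps: reads ps -ef lines on stdin, prints "SID INSTANCE" for each
# sapstartsrv whose profile is named <SID>_<INSTANCE>_<host>; the grep line is skipped.
instances_from_ps() {
  grep sapstartsrv | grep -v grep |
    sed -n 's/.*pf=[^ ]*\/\([A-Z0-9]\{3\}\)_\([A-Z]*[0-9][0-9]\)_[^ ]*.*/\1 \2/p'
}

# instance_dir SID INSTANCE -> the directory the next check tests with test -d
instance_dir() { printf '/usr/sap/%s/%s\n' "$1" "$2"; }

# instance_nr INSTANCE -> the last two digits, as required by sapcontrol -nr
# (D00 -> 00, ASCS14 -> 14). Fails on an instance ID without trailing digits.
instance_nr() {
  case "$1" in
    *[0-9][0-9]) printf '%s\n' "$1" | sed 's/.*\([0-9][0-9]\)$/\1/' ;;
    *) echo "instance ID '$1' has no two-digit number" >&2; return 1 ;;
  esac
}

# version_cmd SID INSTANCE -> the GetVersionInfo command with -nr filled in
version_cmd() {
  nr=$(instance_nr "$2") || return 1
  printf 'sapcontrol -nr %s -function GetVersionInfo | grep sapstartsrv | grep -v grep | cut -d, -f2,3\n' "$nr"
}

# profile_name DEVICE PSEPATH -> AppViewX profile name for a discovered PSE,
# e.g. /usr/sap/S4H/ASCS14/sec/SAPSSLC.pse -> DEVICE::S4H::ASCS14::SAPSSLC.pse
profile_name() {
  case "$2" in /usr/sap/*/*/*.pse) ;; *) echo "not an instance PSE path: $2" >&2; return 1 ;; esac
  rest=${2#/usr/sap/}          # S4H/ASCS14/sec/SAPSSLC.pse
  sid=${rest%%/*}              # S4H
  rest=${rest#*/}              # ASCS14/sec/SAPSSLC.pse
  inst=${rest%%/*}             # ASCS14
  printf '%s::%s::%s::%s\n' "$1" "$sid" "$inst" "${2##*/}"
}
```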

CSR Generation at Endpoint

The Replace PSE File checkbox enables users to generate the new CSR and private key on the server. This checkbox is displayed only in the case described below:
  1. Select the CSR Generation option as Endpoint.
  2. Select Category as Server and Vendor as ABAP or Web Dispatcher. The Profiles dropdown is the only other field displayed below it and is populated with a list of .pse file names.
  3. Select the required Profile from the dropdown. Based on the values selected, the fields in the CSR Parameters section are auto-populated.

The Replace PSE File checkbox is disabled by default and the SAN details fields in CSR Parameters section are also disabled. Selecting the checkbox will make the SAN details enabled and allow for values to be updated.

Command Description Are the commands executed with sudo or dzdo when access elevation is enabled in the UI?
su - {sid}adm -c "test -f <file_path> && echo exist || echo not exist"
Check if the PSE file exists and is a regular file. Yes
su - {sid}adm -c "cp /usr/sap/S4H/D13/sec/SAPSSLA.pse /usr/sap/S4H/D13/sec/backup/SAPSSLA.pse_bkp_1721623695188"
This creates a backup of the existing PSE file Yes
su - {sid}adm -c "chmod 755 /usr/sap/S4H/D13/sec/backup/SAPSSLA.pse_bkp_1721623695188"
This command changes the permissions of the backup file. Yes
su - {sid}adm -c "rm /usr/sap/S4H/D13/sec/SAPSSLA.pse"
When Replace PSE File is enabled: removes the original PSE file. Yes
su - {sid}adm -c "sapgenpse gen_pse -p /usr/sap/S4H/D13/sec/SAPSSLA.pse -r /tmp/S4HD13SAPSSLA-csr-1721623774652.p10 -x \"\" -a RSA:2048:SHA256 -k GN-dNSName:appviewx123.test.com 'CN=appviewx123.test.com'"
When Replace PSE File is enabled: generates a new SAP SSL PSE file. Yes
su - {sid}adm -c "sapgenpse gen_pse -p /usr/sap/WDP/W00/sec/SAPSSLS.pse -onlyreq -r /tmp/incorrectprofile.p10 -x \"\" -a RSA:2048:SHA256 -k GN-dNSName:incorrectprofile 'CN=incorrectprofile'"
When Replace PSE File is not enabled: creates only the Certificate Signing Request (CSR), not a new PSE file. Yes
su - {sid}adm -c "cat /tmp/S4HD13SAPSSLA-csr-1721623774652.p10"
Read the CSR content Yes
su - s4hadm -c "rm -f /tmp/S4HD13SAPSSLA-csr-1721623774652.p10"
Remove this transactional file created to hold the CSR content. Yes

Push Support

  • Only the certificate enrolled at the endpoint can be pushed to the end device.
  • [WebDispatcher] The certificate in P12 format will be uploaded to the SAP temporary directory using SFTP.
  • Pushing Root and Intermediate Certificates is enabled by default and cannot be disabled.
  • [WebDispatcher] Based on the profile selection, select the PSE Type.
  • Select the same profile that is used to enroll a certificate at the endpoint.

Bind Support

WebDispatcher
Command Description Are the commands executed with sudo or dzdo when access elevation is enabled in the UI?
su - {sid}adm -c "sapgenpse import_own_cert -p /usr/sap/WDP/W00/sec/SAPSSLS.pse -c /tmp/SAPSSLS_W00_temp_20250530084259.txt"
Import the pushed certificate from the temp directory to the selected profile PSE file. Yes
su - <SID>adm -c "sapgenpse get_my_name -p /usr/sap/WDP/W00/sec/SAPSSLS.pse"
Check if the bind is successful. Yes
su - {sid}adm -c "rm -f /tmp/SAPSSLS_W00_temp_20250530084259.txt"
Remove the temp transactional file Yes
The following commands are executed when a service restart is requested:
su - <SID>adm -c "sapcontrol -nr <instance_number> -function Stop"
Stops the SAP instance Yes
su - <SID>adm -c "sapcontrol -nr <instance_number> -function GetProcessList"
To check if the instance is stopped fully. Yes
su - <SID>adm -c "cleanipc <instance_number> remove"
This command cleans up IPC resources like shared memory and semaphores that may not have been properly released, usually after an unclean SAP shutdown. Yes
su - <SID>adm -c "sapcontrol -nr <instance_number> -function Start"
To start the SAP instance Yes
ABAP

curl -kv -X POST "https://{ip}:44313/sap/bc/srt/rfc/sap/zws_update_ssl/300/zws_update_ssl/zbind_update_ssl" \
  -H "Content-Type: text/xml;charset=UTF-8" \
  -H "SOAPAction: urn:sap-com:document:sap:soap:functions:mc-style:ZUpdSslCert" \
  -u <Web Service User ID>:<Web Service Password> \
  --data '<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:urn="urn:sap-com:document:sap:soap:functions:mc-style">
  <soapenv:Header/>
  <soapenv:Body>
    <urn:ZUpdSslCert>
      <ImOwncert>X</ImOwncert>
      <ImCert>
        ...root, Intermediate and signed certificate.
      </ImCert>
      <ImPsename>{PSE_FILE_NAME.pse}</ImPsename>
      <ImHost>{HOSTNAME}</ImHost>
      <ImInstanceno>{INSTANCE_ID}</ImInstanceno>
    </urn:ZUpdSslCert>
  </soapenv:Body>
</soapenv:Envelope>'
The response XML will be as follows:
<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
   <soap-env:Header/>
   <soap-env:Body>
   <n0:ZUpdSslCertResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
      <ExError/>
   </n0:ZUpdSslCertResponse>
   </soap-env:Body>
</soap-env:Envelope>
If the ExError tag is empty, the certificate update was successful. If there are errors, the ExError tag contains 'X' and another tag, ExText, contains the error details.
Note: In the event of a failure during the bind operation, an automatic rollback will be performed by restoring the backup PSE file.
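As an added example (not AppViewX code), the POSIX shell functions below frame the bind web-service URL from the onboarding fields (Is Https?, IP address, Web Service Port, Client ID) and evaluate the ZUpdSslCert response the way the text describes, treating a missing ExError element as a failure rather than a success. OK_RESP and ERR_RESP are constructed responses, and the ExText wording in ERR_RESP is invented.

```shell
# Added example, not AppViewX code: frame the bind web-service URL from the
# onboarding fields (Is Https?, IP, Web Service Port, Client ID) and evaluate the
# ZUpdSslCert response. OK_RESP and ERR_RESP are constructed responses; the
# ExText wording in ERR_RESP is invented for illustration.

# ws_url IS_HTTPS(yes|no) IP PORT CLIENT -> the URL pattern from the ABAP prerequisites
ws_url() {
  proto=http
  if [ "$1" = yes ]; then proto=https; fi
  printf '%s://%s:%s/sap/bc/srt/rfc/sap/zws_update_ssl/%s/zws_update_ssl/zbind_update_ssl\n' \
    "$proto" "$2" "$3" "$4"
}

OK_RESP='<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
 <soap-env:Body><n0:ZUpdSslCertResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
  <ExError/>
 </n0:ZUpdSslCertResponse></soap-env:Body></soap-env:Envelope>'

ERR_RESP='<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
 <soap-env:Body><n0:ZUpdSslCertResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
  <ExError>X</ExError>
  <ExText>PSE file SAPSSLS.pse not found (constructed message)</ExText>
 </n0:ZUpdSslCertResponse></soap-env:Body></soap-env:Envelope>'

# bind_status RESPONSE_XML -> prints "ok" and returns 0 when ExError is empty;
# otherwise prints the ExText detail and returns 1 (a missing ExError element is
# also treated as failure rather than silently assumed to be success).
bind_status() {
  resp=$1
  if ! printf '%s\n' "$resp" | grep -q '<ExError'; then
    echo "error: no ExError element in response"; return 1
  fi
  err=$(printf '%s\n' "$resp" | sed -n 's/.*<ExError>\([^<]*\)<\/ExError>.*/\1/p' | tr -d '[:space:]')
  if [ -z "$err" ]; then
    echo ok; return 0
  fi
  text=$(printf '%s\n' "$resp" | sed -n 's/.*<ExText>\([^<]*\)<\/ExText>.*/\1/p')
  echo "error: ${text:-ExError=$err with no ExText}"; return 1
}
```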

Validating the Device

After the device is onboarded successfully, follow the steps to validate the device communication with AppViewX:
  1. Go to ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
    The Server Inventory page is displayed.
  3. Check that the device name appears in the inventory (Name column) with the specified status in the status column.
    The status column will have the value Managed/Monitored/Ignored if the connection is successful or displays Failed/Unresolved in case of failure.
  4. From the Status column, click the Managed/Monitored/Ignored/Failed/Unresolved.
    Device Status Log pop-up is displayed.
  5. Expand each value in the pop-up to know the Device communication, Device Version, Instance Information, and Certificate Discovery From Device.

Limitations

WebDispatcher

SSH private keys cannot be used in conjunction with password-enabled sudo/dzdo settings. So if an SSH key is used for authentication, ensure that the sudo/dzdo configuration is set to passwordless.

ABAP

Service Restart functionality is disabled for SAP ABAP. Use post-script execution instead.

What's Next

Once you have onboarded and validated the device connection, you are ready to proceed with any of the following certificate actions: