Configuring SAP Host Agent

 How to Configure SAP Hostagent ?

To understand what is a SAP Hostagent and how it is installed and used , SAP Hostagent Introduction

Whenever we talk about SAP Hostagent Configuration these are the things that needs to be discussed, We are already aware that port used for sap hostagent is 1128

1. Enabling SAP Host Agent Registration in SLD 

2. SSL Configuration of SAP Host Agent 

3. Enable Audit Log

4. Binding only specific IP

Enabling SAP Host Agent Registration in SLD 

Now let's understand the need of it we obviously need to link our saphostagent with the SLD (SLD), To enable the automatic registration in SLD we need to configure the connectivity information using the command line tool sldreg.

This topic is somehow centered towards connection with SOLMAN , Prerequisite to enable this configuration is obviously that SAP Hostagent is already installed.

Note :

1. Is you selected to add SLD during data service installation . this enabling procedure would have been automatically done\
2. This process involves creation of both slddest.cfg and slddest.cfg.key and both are required for the SLD to work.

Configuring :

1. Login as root user or from administrator group in case of windows
2. Navigate to hostctrl executable files in case of linux cd /usr/sap/hostctrl/exe
3. Run the sldreg (SLD registration tool) ./sldreg -configure slddest.cfg     [slddest-> sld destination]
4. As mentioned it is sld destination you need to fill the destination configuration

sld destiination configuration file has following data 

UserName : SLD user which has assigned role DataSupplierID
Password : password of the above user 
Host : SLD host
Port Number : port of SLD that needs to be used
Specify to use http/https: Protocol that needs to be used

sldreg will automatically create slddest.cfg.key while performing the configuration , that key will be use by the DataSupplier user to push the information to SLD.

5. Confirm that the slddest.cfg file is in stored in encrypted file
6. Take a hostagent restart ./saphostexec -restart

Note : In order to SLD registration to work SLDReg must be running in <LINK_DIR>/sldreg otherwise all the files need to be manually copied to this directory

In order to check if the registration was done properly you can log in to https://<hotname>:<port >/sld , Choose your technical system and the registered host is displayed

Your local host is registered to SLD now.

SSL Configuration of SAP Host Agent 

Main steps are as followed :-

1. Preparing the environment for SAP Cryptographic Library

2. Preparing the pse (personal security environment ) for the server

3. Preparing the pse (personal security environment ) for the client

4. Establishing trust between the client and sap hostagent

5. Allowing the client to issue admin commands 

Prerequisite would be that saphostagent is already installed and login as root user 

If you are using the default naming server proceed as mentioned [path where pse files are stored] ,if you want to override the default[default path] .pse name you can see the following value for host_profile.

ssl/server_pse = <path to server pse> 

The server PSE contains the server certificate that is presented to the client when establishing the SSL connection, and the names and public keys of the trusted certificates. Trusted certificates can be either certificates issued by a Certification Authority (CA) or individually trusted certificates

1. Create a directory to store pse files

mkdir /usr/sap/hostctrl/exe/sec

2. Assign the ownership to sapadm:sapsys top the sec folder

3. Shared Dynamic Library (Shared / Dynamic Libraries ) should be understood here 

Set up the shared library search path ( LD_LIBRARY_PATHLIBPATH or SHLIB_PATH) and SECUDIR environment variables, and change to the exe directory of SAP Host Agent

export LD = /usr/sap/hostctrl/exe/
export SECUDIR = /usr/sap/hostctrl/exe/sec

To avoid issue with sapgense tool we give exact path in SECUDIR (sapgenpse)

4. Create the server PSE, the server certificate therein, and the Certificate Signing Request (CSR)

sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse gen_pse -p SAPSSLS.pse -x <password> -r /tmp/myhost-csr.p10 ", O=SAP AG, C=DE"

This command creates a PSE file named SAPSSLS.pse (name is fixed), which can be used to authenticate for incoming SSL connections. The access to the PSE file is protected with a password. Use the -r option to direct the certificate signing request to a file, or omit it if you intend to copy and paste the CSR into a web formular.

5. Grant SAP Hostagent access to the server pse

sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse seclogin -p SAPSSLS.pse -x <password> -O sapadm

6. Get the CA Certificate [We generally have a separate team which performs this] So to request for this certificate you need to share the file which was generate in step 4 , the CSR which was saved in tmp/myhost-csr.p10  needs to be sent along with request will revert with CA-response-file which contains the signed certificate in the PKCS#7 format.

7. Import the signed server in the pse

sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse import_own_cert -p SAPSSLS.pse -x <password> -c /tmp/myhost.p7b

8. Verify the server certificate 

sudo -u sapadm LD_LIBRARY_PATH=/usr/sap/hostctrl/exe SECUDIR=/usr/sap/hostctrl/exe/sec /usr/sap/hostctrl/exe/sapgenpse get_my_name -p SAPSSLS.pse -x <password> -v

9. Restart SAP Hostagent 

10. Prepare PSE for the client : This is application dependent so read the manual of the application to check the SAP Hostagent

Enable Audit Log

The operating systems which are supported by Host Agent have built-in means of audit logging. On UNIX and Linux, SAP Host Agent uses the syslog (/var/log/messages), and in Windows the Application Eventlog. The user can decide if audit logging is done using OS means or provide a file to which all audit messages are written. Audit logging is disabled by default. You can enable and configure it using host_profile parameters.

1. Edit the host_profile in /usr/sap/hostctrl/exe/ [executable path for hostctrl]

2. host_profile 

Parameters : service/auditlevel =0/1 1 will enable audit logging

service/auditlogfile = |If an audit logfile is provided by the user, SAP Host Agent uses the <FILE_NAME> logfile in the SAP Host Agent’s work directory for audit logging. Eventlog and Syslog are not used in this case. If the file does not exist, it is created by SAP Host Agent.

service/auditlogfilesize : If an audit logfile is provided, the user can decide to which extent the logfile is allowed to grow. All sizes must be given in MB (Megabyte). If the configured size is exceeded, the current audit logfile is saved to <FILENAME>.old and a new audit logfile is created. If the size is set to 0 or if the parameter is not configured at all, the audit logfile can grow unlimitedly.

Binding only specific IP

You can configure SAP Host agent only to accept network connections for specific IP addresses or host names

1. Specify the following value in the host_profile of the SAP Host Agent:

service/hostname = <host_name>


service/hostname = <IP_Address>

2. Restart saphostagent , saphostexec -restart 

We can also configure as Network Access Control  List using SAP note 1495075

How to check which ip as bound with host

<hostagent exe path > netstat -tlnp | grep 1128

Read more :