Configuring SSL for SAP Host Agent on UNIX


In the following procedure we assume that you are using the default naming for the server PSE. If you want to override the default .pse name, you can use the following value in the profile file of SAP Host Agent ( host_profile):
ssl/server_pse= <Path to Server PSE>

1. Prepare the Personal Security Environment (PSE) for the server:

The server PSE contains the server certificate that is presented to the client when establishing the SSL connection, and the names and public keys of the trusted certificates. Trusted certificates can be either certificates issued by a Certification Authority (CA) or individually trusted certificates.

2. Restart SAP Host Agent.

3. Prepare the Personal Security Environment (PSE) for the client:

The client PSE contains the client certificate that is sent to SAP Host Agent when the SSL connection is established, and the names and public keys of the trusted certificates from CA.

The configuration steps are client-specific, that is why we only describe them in a generic way. Follow the instructions in the specific client documentation.

Examples for possible clients are the SAP Management Console (SAP MC), the SAP Solution Manager Diagnostics Agent, or the SAP Landscape Virtualization Management (LVM) software (formerly known as Adaptive Computing Controller (ACC)).

Link for better understanding :

If there is no certificate in the SAP Host Agent security directory, the SAP HANA database lifecycle manager generates one. The SAP HANA host name is used as the default certificate owner. The certificate owner can be changed by using the call option --certificates_hostmap

To enable secure communication with the SAP Host Agent over HTTPS, the SAP Host Agent needs a secure sockets layer (SSL) certificate in its security directory. This certificate is also used by the SAP HANA database lifecycle manager (HDBLCM) Web-based user interface and the SAP HANA cockpit for offline administration because the Web pages are served by the SAP Host Agent