
2022-05-30

SAP Data Services Job Server - SSL Configuration

Product: SAP Data Services
Component: JobServer
Version: 4.2SP0 - 4.2SP14
OS: Windows

SAP Doc #1: https://help.sap.com/docs/SAP_DATA_SERVICES/2d2abbb0fab34071a4c53b7de873241b/571a69626d6d1014b3fc9283b0e91070.html?locale=en-US

SAP Doc #2: https://help.sap.com/docs/SAP_DATA_SERVICES/e54136ab6a4a43e6a370265bf0a2d744/571dc02c6d6d1014b3fc9283b0e91070.html?locale=en-US&version=4.2.8

SAP Doc #3: https://help.sap.com/docs/SAP_DATA_SERVICES/e54136ab6a4a43e6a370265bf0a2d744/571db2eb6d6d1014b3fc9283b0e91070.html?locale=en-US&version=4.2.8

SAP's documentation of custom SSL certificate setup for the BODS Data Services Job Server is relatively poor. It is split across several chapters, and the "Related information" sections are not used to help the customer bridge the pieces together.

There are 2 main directories, and 1 tool (Data Services Server Manager on Windows, svrcfg on Linux), involved in configuring the SSL certificate:

  • %LINK_DIR%\ssl\server
  • %LINK_DIR%\ssl\trusted_certs

The most common mistake about the SSL certificate is that administrators fail to read SAP's doc, which states that their program only recognizes PEM format SSL certificates (DER and PKCS12 are common formats that are not accepted).

Here is the list of files and the directory for each; it applies to both self-signed and paid SSL certs:

  1. Custom root CA SSL cert > %LINK_DIR%\ssl\trusted_certs
  2. Custom root CA SSL cert private key, password file > not required
  3. Custom intermediate #1 CA SSL cert > %LINK_DIR%\ssl\trusted_certs
  4. Custom intermediate #1 CA SSL cert private key, password file
  5. Custom intermediate #2 CA SSL cert > %LINK_DIR%\ssl\trusted_certs
  6. Custom intermediate #2 CA SSL cert private key, password file
  7. Custom intermediate #3 CA SSL cert > %LINK_DIR%\ssl\trusted_certs
  8. Custom intermediate #3 CA SSL cert private key, password file
  9. Custom BODS server SSL cert > %LINK_DIR%\ssl\server
  10. Custom BODS server SSL cert private key > %LINK_DIR%\ssl\server
  11. Custom BODS server SSL cert password file > %LINK_DIR%\ssl\server
  12. There is no SSL certificate keystore in the Job Server configuration

There are several catches that the SAP document doesn't cover, as well as misleading info in SAP KB articles:

  1. %LINK_DIR%\ssl\trusted_certs can contain additional SSL cert files
  2. %LINK_DIR%\ssl\trusted_certs cannot contain files that are not SSL cert files, or Server Manager will report the error "Unable to load verify locations"
  3. If %LINK_DIR%\ssl\trusted_certs contains a private key PEM file, Server Manager will report the error "Unable to load verify locations", for the same reason as explained in #2 above
  4. %LINK_DIR%\ssl\trusted_certs can contain unused SSL certs, e.g. new self-signed or paid cert files placed together with the OOTB self-signed cert files
  5. SSL certs that are V1 or V3 are both accepted
  6. SSL certs with RSA 1024-bit or 4096-bit keys are all accepted
  7. The program is not able to produce a meaningful log, and there is no way to enable a debug log
  8. The openssl command in SAP's doc implies that it generates a PEM format certificate, but that command actually generates a certificate request (CSR) file, not the final certificate
  9. The SAP document says to put all the signed SSL certs into "%LINK_DIR%\ssl\trusted_certs", but you only need to put the root, intermediate, and parent SSL certs into it (in PEM format)
  10. You can use SSL file extensions other than crt: crt, cer, pem
  11. The SSL cert issued to the BODS server should be put under the %LINK_DIR%\ssl\server directory, which the SAP doc fails to mention.  This is consistent with their design, and won't break application functionality.  I recommend keeping the existing architecture instead of following their doc
  12. In Data Services Server Manager > SSL tab, configure:
    1. Server certificate file: location of the PEM SSL cert file issued to this BODS server.  It should be in the %LINK_DIR%\ssl\server directory
    2. Server private key file: part 2 of 3 for the above SSL cert.  It should be in PEM format, and located in the same dir as above
    3. Use Server private key password file: I recommend having a password file for the above SSL cert, and keeping it in the same dir as above
    4. Trusted certificates folder: no need to change, but ensure all the root and intermediate cert files are copied into the dir %LINK_DIR%\ssl\trusted_certs (default).  You do not need to change this location

You can use either Windows or the bundled openssl utility to convert an SSL certificate to the PEM format recognized by BODS.  A PEM file is an ASCII file, which you can open in a text editor to confirm that it is not a binary file.

The following openssl command converts a DER format SSL cert file to PEM format:
%LINK_DIR%\bin\openssl x509 -inform DER -in custom.cert1.crt -out custom.cert1.pem.crt


Error: Not able to read the specified certificate file error BODI-320039

SAP Note 2287520 - Not able to read the specified certificate file error BODI-320039
https://launchpad.support.sap.com/#/notes/2287520
Cause: The cer file generated by the Microsoft CA was not in the format Data Services expects
Resolution: Regenerate the cer file in the correct format as per the Administrator Guide. Internet Explorer may be able to open the cer file properly, but check from an application like Notepad; the correct format expected by Data Services contains "BEGIN CERTIFICATE"

My comment: Data Services only recognizes PEM format SSL certs, not DER or PKCS12 format, even if the file has a cer, crt, or pem extension.

Error: Unable to load verify locations

SAP Note 2409684 - Error: Unable to load verify locations is prompted when making changes in Data Service Server Manager

URL: https://launchpad.support.sap.com/#/notes/2409684
Cause: You have unnecessary certificates under trusted_certs which are from 3rd party products (Coupa and GoDaddy). They were saved into the Data Server SSL folder
Resolution: Move the 3rd party SSL certificates to a different location

My comment: %LINK_DIR%\ssl\trusted_certs can contain any 3rd party SSL certificates, as well as unused, inactive, extra, duplicate, or expired SSL certificates.  It can contain non-PEM format SSL certs as well.  The above error is not due to additional SSL certificates.
My resolution: Ensure the directory only contains SSL certificates, and no other files, such as a private key or password file
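The following Python script is an added example, not part of the original post and not a tool that SAP ships. It encodes the trusted_certs rules from the catch list above (a private key or any non-certificate file in the folder is what produces "Unable to load verify locations"), performs the same DER-to-PEM transformation as the openssl x509 command shown earlier, and applies the "BEGIN CERTIFICATE" check behind BODI-320039 to the file that Server Manager's "Server certificate file" setting points at. The directory layout, file names and sample bytes are constructed inside a temp directory; the DER sample only carries the ASN.1 prefix a real certificate starts with and is not a valid certificate. Only the standard library is used.

```python
import base64
import re
import tempfile
from pathlib import Path

# Marker Data Services looks for (SAP Note 2287520: the file must contain
# "BEGIN CERTIFICATE"); the key regex covers PKCS#1, PKCS#8 and EC keys.
PEM_CERT_MARK = b"-----BEGIN CERTIFICATE-----"
PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")


def classify(data: bytes) -> str:
    """Classify a file's bytes as 'pem-cert', 'pem-key', 'der' or 'other'."""
    if PEM_KEY_RE.search(data):
        return "pem-key"
    if PEM_CERT_MARK in data:
        return "pem-cert"
    # DER X.509 (and PKCS#12) open with an ASN.1 SEQUENCE tag and a long-form
    # length: 0x30 0x82 for anything between 256 and 65535 bytes, i.e. every
    # real certificate.  A plain-text password file never starts that way.
    if data[:2] == b"\x30\x82":
        return "der"
    return "other"


def der_to_pem(der: bytes) -> bytes:
    """Same output as `openssl x509 -inform DER -in x.crt -out x.pem.crt`:
    base64 body wrapped at 64 columns between CERTIFICATE markers."""
    body = base64.b64encode(der).decode("ascii")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return (PEM_CERT_MARK + b"\n" + wrapped.encode("ascii")
            + b"\n-----END CERTIFICATE-----\n")


def audit_trusted_certs(folder: Path) -> list:
    """List files in trusted_certs that Server Manager will trip over.
    Returns (filename, problem) tuples; an empty list means the folder is clean.
    Extra, unused or expired PEM certificates are deliberately not reported."""
    findings = []
    for f in sorted(folder.iterdir()):
        if not f.is_file():
            continue
        kind = classify(f.read_bytes())
        if kind == "pem-key":
            findings.append((f.name, "private key: move it to ssl\\server"))
        elif kind == "other":
            findings.append((f.name, "not a certificate (password file or junk): remove it"))
        elif kind == "der":
            findings.append((f.name, "DER encoded: convert with openssl x509 -inform DER if it is needed as a trust anchor"))
    return findings


def check_server_cert(path: Path) -> bool:
    """True when the 'Server certificate file' is PEM; False reproduces the
    condition behind BODI-320039 (a DER .cer from a Microsoft CA, for example)."""
    return classify(path.read_bytes()) == "pem-cert"


def demo() -> dict:
    """Build a constructed LINK_DIR-style layout in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp())
    trusted = root / "ssl" / "trusted_certs"
    server = root / "ssl" / "server"
    trusted.mkdir(parents=True)
    server.mkdir()
    # Constructed DER-looking bytes (SEQUENCE + 256-byte length), not a real cert.
    fake_der = b"\x30\x82\x01\x00" + bytes(256)
    (trusted / "root_ca.crt").write_bytes(der_to_pem(fake_der))    # fine: PEM cert
    (trusted / "intermediate.cer").write_bytes(fake_der)           # DER, not PEM
    (trusted / "bods_server.key").write_bytes(                     # key in the wrong folder
        b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n")
    (trusted / "keypass.txt").write_bytes(b"changeit\n")           # password file
    (server / "bods_server.crt").write_bytes(der_to_pem(fake_der))
    (server / "bods_server_der.crt").write_bytes(fake_der)
    return {
        "trusted_findings": audit_trusted_certs(trusted),
        "server_cert_ok": check_server_cert(server / "bods_server.crt"),
        "der_server_cert_ok": check_server_cert(server / "bods_server_der.crt"),
    }


if __name__ == "__main__":
    result = demo()
    for name, problem in result["trusted_findings"]:
        print(f"trusted_certs\\{name}: {problem}")
    print("server cert PEM:", result["server_cert_ok"])
```

Point audit_trusted_certs at the real %LINK_DIR%\ssl\trusted_certs before opening Server Manager; anything it reports is what needs moving out before the SSL tab will save. The DER finding is only a warning because, as noted above, Data Services ignores rather than rejects a non-PEM certificate in that folder.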
