sap_swpm: sapinst now requires online verification of certificate revocation list (CRL) resulting in failure #946

Open
rob0d opened this issue Jan 29, 2025 · 1 comment
rob0d commented Jan 29, 2025

Hi All,

Hot off the press :). As of last week all versions of SWPM (released after 10/1/25) which are based on 753.0.10 framework perform a mandatory CRL check by getting the revocation list from https://tcs.mysap.com/crl/crlbag.p7s . In most cases the server we are installing SAP on will NOT have internet access. In previous versions this was ignored, but as of now this leads to a fatal installation error.

Note 3207613 (point 5) explains the behaviour.

As a workaround I have downloaded the CRL into a central location and created symlinks to it from /root/.sapinst/crlbag.p7s, but a more sensible and systematic solution is required.

As per the note there are several different properties that can be set:

  * `SAPINST_CRL_SOURCE_URL=` - for custom locally accessible URL to CRL
  * `SAPINST_CRL_PATH=` - for custom location on the local filesystem (instead of /root/.sapinst/crlbag.p7s)
  * `SAPINST_ENFORCE_CRL=false` - which will completely disable the CRL check. This is obviously discouraged by SAP.

In addition an environment variable `HTTPS_PROXY` can be set which will make SWPM/sapinst use the proxy to get the CRL file.

So now we have 4 new options and 5 different behaviours which need to be taken care of

  1. Get CRL from default location (Default behaviour). With or without a proxy
  2. Get CRL from custom URL. With or without proxy
  3. Get CRL from a local file
  4. Ignore CRL checks

I'm happy to write some code and possibly test it, but I am wondering if you guys have a view on how this should be handled. Create three mutually exclusive parameters + a control parameter + https_proxy parameter? Something else?
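
One possible shape for the parameter handling asked about above, as an added example that is not part of the original comment and not code from the sap_swpm role. The function and argument names are hypothetical; only the `SAPINST_*` properties, `HTTPS_PROXY` and the default path come from the issue, and rejecting a proxy together with a local file is this example's own choice, following the issue's list.

```python
# Added example: every name here except the SAPINST_* properties, HTTPS_PROXY
# and the default path is hypothetical.
DEFAULT_CRL_PATH = "/root/.sapinst/crlbag.p7s"  # default location named in the issue


def resolve_crl_settings(source_url=None, local_path=None,
                         enforce=True, https_proxy=None):
    """Map one CRL configuration to (behaviour, sapinst properties, env).

    behaviour is the number from the issue's list:
      1 default URL, 2 custom URL, 3 local file, 4 check disabled.
    """
    if source_url and local_path:
        raise ValueError("source_url and local_path are mutually exclusive")
    if not enforce and (source_url or local_path or https_proxy):
        raise ValueError("enforce=False cannot be combined with a CRL source or proxy")
    if local_path and https_proxy:
        # Follows the issue's list, where only the URL behaviours mention a proxy.
        raise ValueError("https_proxy only applies when the CRL is fetched from a URL")

    props, env = [], {}
    if not enforce:
        behaviour = 4
        props.append("SAPINST_ENFORCE_CRL=false")
    elif local_path:
        behaviour = 3
        # A file pre-staged at the default path (the symlink workaround) needs no property.
        if local_path != DEFAULT_CRL_PATH:
            props.append(f"SAPINST_CRL_PATH={local_path}")
    elif source_url:
        behaviour = 2
        props.append(f"SAPINST_CRL_SOURCE_URL={source_url}")
    else:
        behaviour = 1
    if https_proxy:
        env["HTTPS_PROXY"] = https_proxy
    return behaviour, props, env


if __name__ == "__main__":
    # Constructed sample values (hosts and paths are placeholders).
    for kwargs in (
        {},
        {"source_url": "https://mirror.example.internal/crl/crlbag.p7s",
         "https_proxy": "http://proxy.example.internal:3128"},
        {"local_path": "/software/sap/crl/crlbag.p7s"},
        {"enforce": False},
    ):
        print(kwargs, "->", resolve_crl_settings(**kwargs))
```

Disabling the check is only reachable through an explicit `enforce=False` with no other CRL setting present, so a leftover URL or path in the configuration cannot silently coexist with a disabled check.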

@berndfinger berndfinger self-assigned this Feb 5, 2025
@berndfinger

Hi @rob0d - Thanks for raising this. I will soon run some tests.
