
sap_swpm: sapinst now requires online verification of certificate revocation list (CRL) resulting in failure

Open rob0d opened this issue 1 year ago • 3 comments

Hi All,

Hot off the press :). As of last week, all versions of SWPM (released after 10/1/25) which are based on the 753.0.10 framework perform a mandatory CRL check by getting the revocation list from https://tcs.mysap.com/crl/crlbag.p7s . In most cases the server we are installing SAP on will NOT have internet access. In previous versions this was ignored, but as of now this leads to a fatal installation error. Note 3207613 (point 5) explains the behaviour.

As a workaround I have downloaded the CRL into a central location and created symlinks to it from /root/.sapinst/crlbag.p7s, but a more sensible and systematic solution is required.

As per the note, there are several different properties that can be set:

  * SAPINST_CRL_SOURCE_URL=<custom URL> - for custom locally accessible URL to CRL
  * SAPINST_CRL_PATH= - for custom location on the local filesystem (instead of /root/.sapinst/crlbag.p7s)
  * SAPINST_ENFORCE_CRL=false - which will completely disable the CRL check. This is obviously discouraged by SAP.

In addition, an environment variable HTTPS_PROXY can be set which will make SWPM/sapinst use the proxy to get the CRL file.

So now we have 4 new options and 5 different behaviours which need to be taken care of:

  1. Get CRL from default location (Default behaviour). With or without a proxy
  2. Get CRL from custom URL. With or without proxy
  3. Get CRL from a local file
  4. Ignore CRL checks

I'm happy to write some code and possibly test it, but I am wondering if you guys have a view on how this should be handled. Create three mutually exclusive parameters + a control parameter + https_proxy parameter? Something else?

rob0d avatar Jan 29 '25 17:01 rob0d
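
The four behaviours listed in the issue above, expressed as one mode selector with pre-flight checks, plus the symlink workaround. This is an added example, not code from community.sap_install or from the issue author; the mode names and function names are hypothetical, the property names and default CRL path are taken from the issue text, and how the resulting property is handed to sapinst is left to the caller.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not part of the sap_swpm role.

# Print the sapinst property for one CRL mode; non-zero status on bad input.
# A single mode argument makes the four behaviours mutually exclusive.
crl_property() {
    mode=$1 value=${2:-}
    case $mode in
        default)   # sapinst fetches the CRL itself, optionally via HTTPS_PROXY
            [ -z "$value" ] || { echo "default mode takes no value" >&2; return 2; } ;;
        url)       # assumption: only the URL shape is checked here
            case $value in
                http://*|https://*) printf 'SAPINST_CRL_SOURCE_URL=%s\n' "$value" ;;
                *) echo "url mode needs an http(s) URL" >&2; return 2 ;;
            esac ;;
        file)      # fail before sapinst starts instead of aborting mid-run
            [ -s "$value" ] || { echo "CRL file missing or empty: $value" >&2; return 3; }
            printf 'SAPINST_CRL_PATH=%s\n' "$value" ;;
        disabled)  # discouraged by SAP per the issue; must be chosen explicitly
            printf 'SAPINST_ENFORCE_CRL=false\n' ;;
        *) echo "unknown CRL mode: $mode" >&2; return 2 ;;
    esac
}

# The workaround from the issue: link a centrally stored CRL to the path
# sapinst expects (default /root/.sapinst/crlbag.p7s).
stage_crl_symlink() {
    src=$1 dest=${2:-/root/.sapinst/crlbag.p7s}
    [ -s "$src" ] || { echo "central CRL missing or empty: $src" >&2; return 3; }
    mkdir -p "$(dirname "$dest")" && ln -sfn "$src" "$dest"
}
```
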

Hi @rob0d - Thanks for raising this. I will soon run some tests.

berndfinger avatar Feb 05 '25 12:02 berndfinger

@rob0d - FYI - I have started working on the issue.

Some more details on the error:

The role sap_swpm aborts in task SAP SWPM - Verify if sapinst process finished successfully with the following message shown in the first 10 lines:

Abort execution because of \nCRL is enforced by SAPINST_ENFORCE_CRL, but the CRL path '/root/.sapinst/crlbag.p7s' does not exist. See SAP Note 3207613.

berndfinger avatar May 22 '25 13:05 berndfinger

I forgot to mention, in the meantime I've created a role to download the CRL

https://docs.galaxy.saponrhel.org/collections/sap/sap_operations/sapinst_crl_role.html#ansible-collections-sap-sap-operations-sapinst-crl-role

kksat avatar Jul 28 '25 10:07 kksat