Creating the PSEs and Certificate RequestsLocate this document in the navigation structure

Use

If the SAP Web Dispatcher is to terminate or reencrypt an incoming SSL connection request, then it needs to possess a key pair and public-key certificate to use for the incoming SSL connection. This information is stored in the SAP Web Dispatcher's SSL server PSE.

If it also uses SSL for the connection to the back-end server (reencryption), then it also needs to possess a key pair to use for this connection. This information is stored in its SSL client PSE. Although you can use the same file for both of these PSEs, we refer to them separately in the documentation.

You can either use the trust manager on the AS ABAP to create the PSEs or you can use the configuration tool sapgenpse. See the procedures below.

If the SAP Web Dispatcher is to pass the SSL connection to the back-end application server, you do need to perform these steps.

Prerequisites
  • If you are using the trust manager to create the PSEs, then the SAP Cryptographic Library is installed on the application server and the environment variable SECUDIR is set to the directory where the license ticket is located. (For more information, see Installing the SAP Cryptographic Library on the AS ABAP.)

  • If you are using sapgenpse, then the SAP Cryptographic Library is installed on the SAP Web Dispatcher and the environment variable SECUDIR is set to the directory where the license ticket is located.

  • You know the naming convention to use for the SAP Web Dispatcher's Distinguished Name. The syntax of the Distinguished Name depends on the CA that you use.

Example

For example, if you use the SAP CA, the naming convention is CN=<host_name>, OU=I<installation_number>-<company_name>, OU=SAP Web AS, O=SAP Trust Community, C=DE.

Procedure

You can use either the command line tool sapgenpse or the trust manager to create the PSE and certificate requests. The procedures to use for each case are described below.

Creating the SAP Web Dispatcher's PSEs and Certificate Requests Using SAPGENPSE

  1. Before you can use sapgenpse to create the SSL server PSE, the environment variable SECUDIR must be set to the directory where the license ticket is located. If the environment variable is not yet set, set it using the command line as shown below.

    set SECUDIR=<SECUDIR_directory>

  2. Use the tool's command get_pse as shown below to create the SAP Web Dispatcher's PSE.

    sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>

    Where:

Option

Parameter

Description

Allowed Values

Default

-p

<PSE_Name>

Path and file name for the PSE.

If the complete path is not included, then the PSE file is created in the SECUDIR directory.

For the SSL server PSE, the file name must correspond to the file name you specify in the profile parameter ssl/server_pse.

For the SSL client PSE, the file name must correspond to the name you specify in the profile parameter ssl/client_pse (or wdisp/ssl_cred, if wdisp/ssl_auth= 2).

Examples: SAPSSLS.pse or SAPSSLC.pse)

None

-r

<file_name>

File name for the certificate request.

Path description (in quotation marks, if spaces exist).

stdout

-x

<PIN>

PIN that protects the PSE.

Character string

None

None

<Distinguished_Name>

The Distinguished Name for the SAP Web Dispatcher.

Character string (in quotation marks, if spaces exist).

None

Note

For more information about the profile parameter settings, see Setting the SSL Relevant Profile Parameters for the SAP Web Dispatcher.

Option

Parameter

Description

Allowed Values

Default

-s

<key_len>

Key length

512, 1024, 2048

1024

-a

<algorithm>

Algorithm used

RSA, DSA

RSA

-noreq

None

Only generate a key pair and PSE. Do not create a certificate request.

Not applicable

Not set

-only req

None

Generate a certificate request for the public key stored in the PSE specified by the -p parameter.

Not applicable

Not set

Example

The command line below creates the SAP Web Dispatcher's SSL server PSE and certificate request using the following information:

  • The environment variable SECUDIR is set to C:\Program Files\ SAP\ SAPWebDisp\ sec.

  • The PSE is to be located at C:\Program Files\ SAP\ SAPWebDisp\ sec\ SAPSSLS.pse.

  • The PIN used to protect the PSE is abcpin..

  • The name of the certificate request file is abc.req.

  • The SAP Web Dispatcher is accessed using the fully-qualified host name host123.mycompany.com.

  • The CA used is the SAP CA.

  • Therefore, the server's Distinguished Name is CN=host123.mycompany.com, OU=I1234567890-MyCompany, OU=SAP Web AS, O=SAP Trust Community, C=DE.

The command line that creates the corresponding SSL server PSE and certificate request is

sapgenpse get_pse -p SAPSSLS.pse -x abcpin -r abc.req "CN=host123.mycompany.com, OU=I1234567890-MyCompany, OU=SAP Web AS, O=SAP Trust Community, C=DE"

Creating the SAP Web Dispatcher's PSEs Using the Trust Manager

  1. Start the trust manager (transaction STRUST).

  2. Using the context menu for the File node, choose Create (RSA).

    Caution

    For SSL, you must create a PSE that contains an RSA key pair. If you choose Create, the trust manager creates a DSA key pair, which cannot be used for SSL.

    The Create PSE dialog appears.

  3. Enter the Distinguished Name parts in the corresponding fields according to your CA's naming convention.

    Note

    For the SSL server PSE, the Common Name part of the Distinguished Name must correspond to the fully-qualified host name used to access the SAP Web Dispatcher.

    For more information about how the trust manager builds the Distinguished Name from the field entries, see Creating or Replacing a PSE in the trust manager documentation.

  4. Save the PSE to local file (for example, the SAP Web Dispatcher's SECUDIR directory).

    For the SSL server PSE, make sure you use the same file name that you also specify in the profile parameter ssl/server_pse.

    For the SSL client PSE, the file name must correspond to the name you specify in the profile parameter ssl/client_pse (or wdisp/ssl_cred, if wdisp/ssl_auth= 2).

    For more information, see Setting the SSL Relevant Profile Parameters for the SAP Web Dispatcher.

    Example
    • SSL server PSE: SAPSSLS.pse

    • SSL client PSE: SAPSSLC.pse

Creating the Certificate Request Using the Trust Manager

Once you have created the PSE, you must create a corresponding certificate request. For this procedure, you can also use the trust manager. If you created two PSEs in the last step, then perform the following for each of the PSEs.

  1. Select the File node with a double-click.

    The Open dialog appears.

  2. Select the PSE you saved in the previous procedure.

    The corresponding certificate appears in the PSE maintenance section in the Owner field.

  3. In the PSE maintenance section, choose Create Certificate Request

    A dialog appears showing the certificate request.

  4. Select the content of the request and copy it to your clipboard (Choose Copy) or save the certificate request to a file ( <file_name>.P10) by choosing Save as local file.

Result

You have created the PSE(s) to use for SSL and the corresponding certificate requests. Continue with Sending the Certificate Requests to a CA.