If the SAP Web Dispatcher is to terminate or reencrypt an incoming SSL connection request, then it needs to possess a key pair and public-key certificate to use for the incoming SSL connection. This information is stored in the SAP Web Dispatcher's SSL server PSE.
If it also uses SSL for the connection to the back-end server (reencryption), then it also needs to possess a key pair to use for this connection. This information is stored in its SSL client PSE. Although you can use the same file for both of these PSEs, we refer to them separately in the documentation.
You can either use the trust manager on the AS ABAP to create the PSEs or you can use the configuration tool sapgenpse. See the procedures below.
If the SAP Web Dispatcher is to pass the SSL connection to the back-end application server, you do need to perform these steps.
If you are using the trust manager to create the PSEs, then the SAP Cryptographic Library is installed on the application server and the environment variable SECUDIR is set to the directory where the license ticket is located. (For more information, see Installing the SAP Cryptographic Library on the AS ABAP.)
If you are using sapgenpse, then the SAP Cryptographic Library is installed on the SAP Web Dispatcher and the environment variable SECUDIR is set to the directory where the license ticket is located.
You know the naming convention to use for the SAP Web Dispatcher's Distinguished Name. The syntax of the Distinguished Name depends on the CA that you use.
For example, if you use the SAP CA, the naming convention is CN=<host_name>, OU=I<installation_number>-<company_name>, OU=SAP Web AS, O=SAP Trust Community, C=DE.
You can use either the command line tool sapgenpse or the trust manager to create the PSE and certificate requests. The procedures to use for each case are described below.
Creating the SAP Web Dispatcher's PSEs and Certificate Requests Using SAPGENPSE
Before you can use sapgenpse to create the SSL server PSE, the environment variable SECUDIR must be set to the directory where the license ticket is located. If the environment variable is not yet set, set it using the command line as shown below.
set SECUDIR=<SECUDIR_directory>
Use the tool's command get_pse as shown below to create the SAP Web Dispatcher's PSE.
sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>
Where:
Option |
Parameter |
Description |
Allowed Values |
Default |
---|---|---|---|---|
-p |
<PSE_Name> |
Path and file name for the PSE. If the complete path is not included, then the PSE file is created in the SECUDIR directory. |
For the SSL server PSE, the file name must correspond to the file name you specify in the profile parameter ssl/server_pse. For the SSL client PSE, the file name must correspond to the name you specify in the profile parameter ssl/client_pse (or wdisp/ssl_cred, if wdisp/ssl_auth= 2). Examples: SAPSSLS.pse or SAPSSLC.pse) |
None |
-r |
<file_name> |
File name for the certificate request. |
Path description (in quotation marks, if spaces exist). |
stdout |
-x |
<PIN> |
PIN that protects the PSE. |
Character string |
None |
None |
<Distinguished_Name> |
The Distinguished Name for the SAP Web Dispatcher. |
Character string (in quotation marks, if spaces exist). |
None |
For more information about the profile parameter settings, see Setting the SSL Relevant Profile Parameters for the SAP Web Dispatcher.
Option |
Parameter |
Description |
Allowed Values |
Default |
---|---|---|---|---|
-s |
<key_len> |
Key length |
512, 1024, 2048 |
1024 |
-a |
<algorithm> |
Algorithm used |
RSA, DSA |
RSA |
-noreq |
None |
Only generate a key pair and PSE. Do not create a certificate request. |
Not applicable |
Not set |
-only req |
None |
Generate a certificate request for the public key stored in the PSE specified by the -p parameter. |
Not applicable |
Not set |
The command line below creates the SAP Web Dispatcher's SSL server PSE and certificate request using the following information:
The environment variable SECUDIR is set to C:\Program Files\ SAP\ SAPWebDisp\ sec.
The PSE is to be located at C:\Program Files\ SAP\ SAPWebDisp\ sec\ SAPSSLS.pse.
The PIN used to protect the PSE is abcpin..
The name of the certificate request file is abc.req.
The SAP Web Dispatcher is accessed using the fully-qualified host name host123.mycompany.com.
The CA used is the SAP CA.
Therefore, the server's Distinguished Name is CN=host123.mycompany.com, OU=I1234567890-MyCompany, OU=SAP Web AS, O=SAP Trust Community, C=DE.
The command line that creates the corresponding SSL server PSE and certificate request is
sapgenpse get_pse -p SAPSSLS.pse -x abcpin -r abc.req "CN=host123.mycompany.com, OU=I1234567890-MyCompany, OU=SAP Web AS, O=SAP Trust Community, C=DE"
Creating the SAP Web Dispatcher's PSEs Using the Trust Manager
Start the trust manager (transaction STRUST).
Using the context menu for the File node, choose Create (RSA).
For SSL, you must create a PSE that contains an RSA key pair. If you choose Create, the trust manager creates a DSA key pair, which cannot be used for SSL.
The Create PSE dialog appears.
Enter the Distinguished Name parts in the corresponding fields according to your CA's naming convention.
For the SSL server PSE, the Common Name part of the Distinguished Name must correspond to the fully-qualified host name used to access the SAP Web Dispatcher.
For more information about how the trust manager builds the Distinguished Name from the field entries, see Creating or Replacing a PSE in the trust manager documentation.
Save the PSE to local file (for example, the SAP Web Dispatcher's SECUDIR directory).
For the SSL server PSE, make sure you use the same file name that you also specify in the profile parameter ssl/server_pse.
For the SSL client PSE, the file name must correspond to the name you specify in the profile parameter ssl/client_pse (or wdisp/ssl_cred, if wdisp/ssl_auth= 2).
For more information, see Setting the SSL Relevant Profile Parameters for the SAP Web Dispatcher.
SSL server PSE: SAPSSLS.pse
SSL client PSE: SAPSSLC.pse
Creating the Certificate Request Using the Trust Manager
Once you have created the PSE, you must create a corresponding certificate request. For this procedure, you can also use the trust manager. If you created two PSEs in the last step, then perform the following for each of the PSEs.
Select the File node with a double-click.
The Open dialog appears.
Select the PSE you saved in the previous procedure.
The corresponding certificate appears in the PSE maintenance section in the Owner field.
In the PSE maintenance section, choose
A dialog appears showing the certificate request.
Select the content of the request and copy it to your clipboard (Choose ) or save the certificate request to a file ( <file_name>.P10) by choosing .
You have created the PSE(s) to use for SSL and the corresponding certificate requests. Continue with Sending the Certificate Requests to a CA.