Creating the PSEs and Certificate Requests
Use
If the SAP Web Dispatcher is to terminate or reencrypt an incoming SSL connection request, then it needs to possess a key pair and public-key certificate to use for the incoming SSL connection. This information is stored in the SAP Web Dispatcher's SSL server PSE.
If it also uses SSL for the connection to the back-end server (reencryption), then it also needs to possess a key pair to use for this connection. This information is stored in its SSL client PSE. Although you can use the same file for both of these PSEs, we refer to them separately in the documentation.
Prerequisites
You can either use the trust manager on the AS ABAP to create the PSEs or you can use the configuration tool sapgenpse. See the procedures below.
If the SAP Web Dispatcher is to pass the SSL connection to the back-end application server, you do need to perform these steps.
- You can use the trust manager to create the PSEs.
- If you are using sapgenpse, the environment variable SECUDIR is set to the directory where the license ticket is located.
- You know the naming convention to use for the SAP Web Dispatcher's Distinguished Name. The syntax of the Distinguished Name depends on the CA that you use.
Procedure
You can use either the command line tool sapgenpse or the trust manager to create the PSE and certificate requests. The procedures to use for each case are described below.
Creating the SAP Web Dispatcher's PSEs and Certificate Requests Using SAPGENPSE
- Before you can use sapgenpse to create the SSL server PSE, the environment variable SECUDIR must be set to the directory where the license ticket is located. If the environment variable is not yet set, set it using the command line as shown below.

      set SECUDIR=<SECUDIR_directory>

- Use the tool's command get_pse as shown below to create the SAP Web Dispatcher's PSE.

      sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>

Where:

| Option | Parameter | Description | Allowed Values | Default |
|---|---|---|---|---|
| -p | <PSE_Name> | Path and file name for the PSE. If the complete path is not included, then the PSE file is created in the SECUDIR directory. | For the SSL server PSE, the file name must correspond to the file name you specify in the profile parameter ssl/server_pse. For the SSL client PSE, the file name must correspond to the name you specify in the profile parameter ssl/client_pse (or wdisp/ssl_cred, if wdisp/ssl_auth = 2). (Examples: SAPSSLS.pse or SAPSSLC.pse) | None |
| -r | <file_name> | File name for the certificate request. | Path description (in quotation marks, if spaces exist). | stdout |
| -x | <PIN> | PIN that protects the PSE. | Character string | None |
| None | <Distinguished_Name> | The Distinguished Name for the SAP Web Dispatcher. | Character string (in quotation marks, if spaces exist). | None |

| Option | Parameter | Description | Allowed Values | Default |
|---|---|---|---|---|
| -s | <key_len> | Key length | 512, 1024, 2048, 4096 | 1024 |
| -a | <algorithm> | Algorithm used | RSA, DSA | RSA |
| -noreq | None | Only generate a key pair and PSE. Do not create a certificate request. | Not applicable | Not set |
| -onlyreq | None | Generate a certificate request for the public key stored in the PSE specified by the -p parameter. | Not applicable | Not set |

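The file-name rule for -p is the step most often gotten wrong, so the following added example (not SAP tooling and not part of the original documentation) checks planned PSE file names against a Web Dispatcher profile and then prints the matching get_pse calls without running them. Assumptions: the profile uses `parameter = value` lines; the sample profile, the Distinguished Name and the .req file names are constructed; the helper function names are hypothetical; -s 2048 is this example's choice from the allowed key lengths.

```shell
#!/bin/sh
# Added example, not SAP tooling. Profile lines and the DN are constructed samples.

# Print the value of parameter $2 in profile file $1 (last assignment wins).
profile_value() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" |
        sed 's|[[:space:]]*$||' | tail -n 1
}

# Name the parameter that holds the SSL client PSE for profile $1:
# wdisp/ssl_cred if wdisp/ssl_auth = 2, otherwise ssl/client_pse.
client_pse_param() {
    if [ "$(profile_value "$1" wdisp/ssl_auth)" = "2" ]; then
        echo wdisp/ssl_cred
    else
        echo ssl/client_pse
    fi
}

# Succeed only if PSE file $3 carries the file name that parameter $2 names in profile $1.
pse_name_matches() {
    expected=$(profile_value "$1" "$2")
    [ -n "$expected" ] && [ "$(basename "$expected")" = "$(basename "$3")" ]
}

# Print (not run) the get_pse call for PSE $1, request file $2, Distinguished Name $3.
# <PIN> stays a placeholder for the operator to supply.
get_pse_command() {
    printf 'sapgenpse get_pse -s 2048 -p "%s" -r "%s" -x <PIN> "%s"\n' "$1" "$2" "$3"
}

# Write a constructed Web Dispatcher profile fragment to file $1.
write_sample_profile() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system
ssl/server_pse = $(DIR_INSTANCE)/sec/SAPSSLS.pse
ssl/client_pse = $(DIR_INSTANCE)/sec/SAPSSLC.pse
EOF
}

# $1 profile, $2 parameter, $3 PSE file, $4 request file, $5 DN
check() {
    pse_name_matches "$1" "$2" "$3" && get_pse_command "$3" "$4" "$5" ||
        echo "MISMATCH: $3 is not the file named by $2" >&2
}

profile=$(mktemp)
write_sample_profile "$profile"
dn='CN=wdisp.example.com, OU=IT, O=Example, C=DE'   # constructed DN
check "$profile" ssl/server_pse SAPSSLS.pse SAPSSLS.req "$dn"
check "$profile" "$(client_pse_param "$profile")" SAPSSLC.pse SAPSSLC.req "$dn"
check "$profile" ssl/server_pse server.pse server.req "$dn"   # reports a mismatch
rm -f "$profile"
```
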
Creating the SAP Web Dispatcher's PSEs Using the Trust Manager
- Start the trust manager (transaction STRUST).
- Using the context menu for the File node, choose Create (RSA).
  The Create PSE dialog appears.
- Enter the Distinguished Name parts in the corresponding fields according to your CA's naming convention.
- Save the PSE to a local file (for example, in the SAP Web Dispatcher's SECUDIR directory).
  For the SSL server PSE, make sure you use the same file name that you also specify in the profile parameter ssl/server_pse.
  For the SSL client PSE, the file name must correspond to the name you specify in the profile parameter ssl/client_pse (or wdisp/ssl_cred, if wdisp/ssl_auth = 2).
Creating the Certificate Request Using the Trust Manager
Once you have created the PSE, you must create a corresponding certificate request. For this procedure, you can also use the trust manager. If you created two PSEs in the last step, then perform the following for each of the PSEs.
- Select the File node with a double-click.
  The Open dialog appears.
- Select the PSE you saved in the previous procedure.
  The corresponding certificate appears in the PSE maintenance section in the Owner field.
- In the PSE maintenance section, choose

  A dialog appears showing the certificate request.
- Select the content of the request and copy it to your clipboard (Choose ) or save the certificate request to a file (<file_name>.P10) by choosing .
Result
You have created the PSE(s) to use for SSL and the corresponding certificate requests. Continue with sending the certificate requests to a CA.