Show TOC

Procedure documentationCreating the PSEs and Certificate Requests Locate this document in the navigation structure

 

If the SAP Web Dispatcher is to terminate or reencrypt an incoming SSL connection request, then it needs to possess a key pair and public-key certificate to use for the incoming SSL connection. This information is stored in the SAP Web Dispatcher's SSL server PSE.

If it also uses SSL for the connection to the back-end server (reencryption), then it also needs to possess a key pair to use for this connection. This information is stored in its SSL client PSE. Although you can use the same file for both of these PSEs, we refer to them separately in the documentation.

You can either use the trust manager on the AS ABAP to create the PSEs or you can use the configuration tool sapgenpse. See the procedures below.

If the SAP Web Dispatcher is to pass the SSL connection to the back-end application server, you do need to perform these steps.

Prerequisites

  • If you are using the trust manager to create the PSEs, then the SAP Cryptographic Library is installed on the application server and the environment variable SECUDIR is set to the directory where the license ticket is located. (For more information, see Installing the SAP Cryptographic Library on the AS ABAP.)

  • If you are using sapgenpse, then the SAP Cryptographic Library is installed on the SAP Web Dispatcher and the environment variable SECUDIR is set to the directory where the license ticket is located.

  • You know the naming convention to use for the SAP Web Dispatcher's Distinguished Name. The syntax of the Distinguished Name depends on the CA that you use.

Example Example

For example, if you use the SAP CA, the naming convention is CN=<host_name>, OU=I<installation_number>-<company_name>, OU=SAP Web AS, O=SAP Trust Community, C=DE.

End of the example.

Procedure

You can use either the command line tool sapgenpse or the trust manager to create the PSE and certificate requests. The procedures to use for each case are described below.

Creating the SAP Web Dispatcher's PSEs and Certificate Requests Using SAPGENPSE

  1. Before you can use sapgenpse to create the SSL server PSE, the environment variable SECUDIR must be set to the directory where the license ticket is located. If the environment variable is not yet set, set it using the command line as shown below.

    set SECUDIR=<SECUDIR_directory>

  2. Use the tool's command get_pse as shown below to create the SAP Web Dispatcher's PSE.

    sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>

    Where:

Standard Options

Option

Parameter

Description

Allowed Values

Default

-p

<PSE_Name>

Path and file name for the PSE.

If the complete path is not included, then the PSE file is created in the SECUDIR directory.

For the SSL server PSE, the file name must correspond to the file name you specify in the profile parameter ssl/server_pse.

For the SSL client PSE, the file name must correspond to the name you specify in the profile parameter ssl/client_pse (or wdisp/ssl_cred, if wdisp/ssl_auth = 2).

Examples: SAPSSLS.pse or SAPSSLC.pse)

None

-r

<file_name>

File name for the certificate request.

Path description (in quotation marks, if spaces exist).

stdout

-x

<PIN>

PIN that protects the PSE.

Character string

None

None

<Distinguished_Name>

The Distinguished Name for the SAP Web Dispatcher.

Character string (in quotation marks, if spaces exist).

None

Note Note

For more information about the profile parameter settings, see Setting the SSL Relevant Profile Parameters for the SAP Web Dispatcher.

End of the note.
Additional Options

Option

Parameter

Description

Allowed Values

Default

-s

<key_len>

Key length

512, 1024, 2048

1024

-a

<algorithm>

Algorithm used

RSA, DSA

RSA

-noreq

None

Only generate a key pair and PSE. Do not create a certificate request.

Not applicable

Not set

-only req

None

Generate a certificate request for the public key stored in the PSE specified by the -p parameter.

Not applicable

Not set

Example Example

The command line below creates the SAP Web Dispatcher's SSL server PSE and certificate request using the following information:

  • The environment variable SECUDIR is set to C:\Program Files\SAP\SAPWebDisp\sec.

  • The PSE is to be located at C:\Program Files\SAP\SAPWebDisp\sec\SAPSSLS.pse.

  • The PIN used to protect the PSE is abcpin..

  • The name of the certificate request file is abc.req.

  • The SAP Web Dispatcher is accessed using the fully-qualified host name host123.mycompany.com.

  • The CA used is the SAP CA.

  • Therefore, the server's Distinguished Name is CN=host123.mycompany.com, OU=I1234567890-MyCompany, OU=SAP Web AS, O=SAP Trust Community, C=DE.

The command line that creates the corresponding SSL server PSE and certificate request is

sapgenpse get_pse -p SAPSSLS.pse -x abcpin -r abc.req "CN=host123.mycompany.com, OU=I1234567890-MyCompany, OU=SAP Web AS, O=SAP Trust Community, C=DE"

End of the example.
Creating the SAP Web Dispatcher's PSEs Using the Trust Manager

  1. Start the trust manager (transaction STRUST).

  2. Using the context menu for the File node, choose Create (RSA).

    Caution Caution

    For SSL, you must create a PSE that contains an RSA key pair. If you choose Create, the trust manager creates a DSA key pair, which cannot be used for SSL.

    End of the caution.

    The Create PSE dialog appears.

  3. Enter the Distinguished Name parts in the corresponding fields according to your CA's naming convention.

    Note Note

    For the SSL server PSE, the Common Name part of the Distinguished Name must correspond to the fully-qualified host name used to access the SAP Web Dispatcher.

    For more information about how the trust manager builds the Distinguished Name from the field entries, see Creating or Replacing a PSEin the trust manager documentation.

    End of the note.

  4. Save the PSE to local file (for example, the SAP Web Dispatcher's SECUDIR directory).

    For the SSL server PSE, make sure you use the same file name that you also specify in the profile parameter ssl/server_pse.

    For the SSL client PSE, the file name must correspond to the name you specify in the profile parameter ssl/client_pse (or wdisp/ssl_cred, if wdisp/ssl_auth = 2).

    For more information, see Setting the SSL Relevant Profile Parameters for the SAP Web Dispatcher.

    Example Example

    • SSL server PSE: SAPSSLS.pse

    • SSL client PSE: SAPSSLC.pse

    End of the example.
Creating the Certificate Request Using the Trust Manager

Once you have created the PSE, you must create a corresponding certificate request. For this procedure, you can also use the trust manager. If you created two PSEs in the last step, then perform the following for each of the PSEs.

  1. Select the File node with a double-click.

    The Open dialog appears.

  2. Select the PSE you saved in the previous procedure.

    The corresponding certificate appears in the PSE maintenance section in the Owner field.

  3. In the PSE maintenance section, choose Create Certificate Request (Create Certificate Request)

    A dialog appears showing the certificate request.

  4. Select the content of the request and copy it to your clipboard (Choose Copy (Copy)) or save the certificate request to a file (<file_name>.P10) by choosing Save as local file (Save as local file).

Result

You have created the PSE(s) to use for SSL and the corresponding certificate requests. Continue with Sending the Certificate Requests to a CA.