Creating the PSEs and Certificate
Requests 
Use
If the SAP Web Dispatcher is to terminate the SSL connection, then it needs to possess a key pair and public-key certificate to use for the incoming SSL connection. This information is stored in the SAP Web Dispatcher’s SSL server PSE.
If it also uses SSL for the connection to the backend server, then it also needs to possess a key pair to use for this connection. This information is stored in its SSL client PSE. Although you can use the same file for both of these PSEs, we refer to them separately in the documentation.
You can either use the trust manager to create the PSEs or you can use the configuration tool sapgenpse. See the procedures below.
If the SAP Web Dispatcher is to pass the SSL connection to the SAP Web Application Server, then you do not need to perform these steps.
Prerequisites
· If you are using the trust manager to create the PSEs, then the SAP Cryptographic Library is installed on the application server and the environment variable SECUDIR is set to the directory where the license ticket is located. (See also Installing the SAP Cryptographic Library on the SAP Web AS.)
· If you are using sapgenpse, then the SAP Cryptographic Library is installed on the SAP Web Dispatcher and the environment variable SECUDIR is set to the directory where the license ticket is located..
· You know the naming convention to use for the SAP Web Dispatcher’s Distinguished Name. The syntax of the Distinguished Name depends on the CA that you use.
For example, if you use the SAP CA, the naming convention is CN=<host_name>, OU=I<installation_number>-<company_name>, OU=SAP Web AS, O=SAP Trust Community, C=DE.
Procedure
Creating the SAP Web Dispatcher’s PSEs Using the Trust Manager
To create each PSE (SSL server PSE and SSL client PSE), using the trust manager:
...
1. Start the trust manager (transaction STRUST).
2. Using the context menu for the File node, choose Create (RSA).
For SSL, you must create a PSE that contains an RSA key pair. If you choose Create, then a DSA key pair is created, which cannot be used for SSL.
The Create PSE dialog appears.
3. Enter the Distinguished Name parts in the corresponding fields according to your CA’s naming convention.
For the SSL server PSE, the Common Name part of the Distinguished Name must correspond to the fully-qualified host name used to access the Web Dispatcher.
For more
information about how the trust manager builds the Distinguished Name from the
field entries, see 
Creating or Replacing
a PSE in the Trust Manager
documentation.
4. Save the PSE to local file (for example, the Web Dispatcher’s SECUDIR directory). Use the file name that you specified in the profile parameters ssl/server_pse and wdisp/ssl_cred for the SSL server PSE and the SSL client PSE respectively.
Creating the Certificate Request Using the Trust Manager
Once you have created the PSE, you must create a corresponding certificate request. For this procedure you can also use the trust manager. If you created two PSEs in the last step, then perform the following for each of the PSEs:
...
1. Select the File node with a double-click.
The Open dialog appears.
2. Select the PSE that you saved in the previous procedure.
The corresponding certificate appears in the PSE maintenance section in the Own certif. field.
3.
In the PSE maintenance
section, choose 
Create Certificate
Request.
A dialog appears showing the certificate request.
4.
Select the content of the
request and copy it to your clipboard (
Copy) or save the
certificate request to a file (
<file_name>.P10)
using 
Save as local
file.
Creating the SAP Web Dispatcher’s PSEs and Certificate Requests Using SAPGENPSE
As an alternative, you can use the configuration tool sapgenpse to create the SAP Web Dispatcher’s PSEs.
Before you can use sapgenpse to create the SSL server PSE, the environment variable SECUDIR must be set to the directory where the license ticket is located. If the environment variable is not yet set, then set it using the command line as shown below.
set SECUDIR=<SECUDIR_directory>
Use the tool’s command get_pse as shown below to create the SAP Web Dispatcher’s PSE.
sapgenpse get_pse <additional_options> -p <PSE_Name> –r <cert_req_file_name> -x <PIN> <Distinguished_Name>
Where:
Standard Options
|
Option |
Parameter |
Description |
Allowed Values |
Default |
|
-p |
<PSE_Name> |
Path and file name for the PSE. If the complete path is not included, then the PSE file is created in the SECUDIR directory. |
The file name must correspond to the file name specified in the profile parameter ssl/server_pse and wdisp/ssl_cred for the SSL server PSE and the SSL client PSE respectively (for example, SAPSSLS.pse or SAPSSLC.pse). |
None |
|
-r |
<file_name> |
File name for the certificate request |
Path description (in quotation marks, if spaces exist) |
stdout |
|
-x |
<PIN> |
PIN that protects the PSE |
Character string |
None |
|
None |
<Distinguished_Name> |
The Distinguished Name for the SAP Web Dispatcher |
Character string (in quotation marks, if spaces exist) |
None |
Additional Options
|
Option |
Parameter |
Description |
Allowed Values |
Default |
|
-s |
<key_len> |
Key length |
512, 1024, 2048 |
1024 |
|
-a |
<algorithm> |
Algorithm used |
RSA, DAS |
RSA |
|
-noreq |
None |
Only generate a key pair and PSE. Do not create a certificate request. |
Not applicable |
Not set |
|
-only |
None |
Generate a certificate request for the public key stored in the PSE specified by the –p parameter. |
Not applicable |
Not set |
The command line below creates the SAP Web Dispatcher’s SSL server PSE and certificate request using the following information:
· The environment variable SECUDIR is set to C:\Program Files\SAP\SAPWebDisp\sec.
· The PSE is to be located at C:\Program Files\SAP\SAPWebDisp\sec\SAPSSLS.pse.
· The PIN used to protect the PSE is abcpin..
· The name of the certificate request file is abc.req.
· The SAP Web Dispatcher is accessed using the fully-qualified host name host123.mycompany.com.
· The CA used is the SAP CA.
· Therefore, the server’s Distinguished Name is CN=host123.mycompany.com, OU=I1234567890-MyCompany, OU=SAP Web AS, O=SAP Trust Community, C=DE.
sapgenpse get_pse –p SAPSSLS.pse –x abcpin –r abc.req "CN=host123.mycompany.com, OU=I1234567890-MyCompany, OU=SAP Web AS, O=SAP Trust Community, C=DE"