How to Generate CSR and install SSL in SAP

If the SAP Web Dispatcher is to terminate or re-encrypt an incoming SSL connection request, then it must have a key pair and public-key certificate to use for the incoming SSL connection. This information will get stored in the SAP Web Dispatcher’s SSL server PSE.

If it uses SSL for the connection to the back-end server (re-encryption), then it also needs to have a key pair to use for this connection. This information will get stored in its SSL client PSE. Although you can use the same file for both of these PSEs, we refer to them separately in the documentation.

You can create the PSEs either with the trust manager on the AS ABAP or with the configuration tool SAPGENPSE.

If the SAP Web Dispatcher is to pass the SSL connection to the back-end application server, you need to perform the steps given below.

  1. Generate CSR using SAPGENPSE
  2. Generate CSR using the Trust Manager
  3. Install an SSL Certificate on SAP Using SAPGENPSE
  4. Install an SSL Certificate on SAP Using STRUST manager

1. Generate CSR using SAPGENPSE

    1. Use the configuration tool sapgenpse to create the SAP Web Dispatcher’s PSEs.
      NOTE: Before you can use sapgenpse to create the SSL server PSE, the environment variable SECUDIR must be set to the directory where the licensed ticket is located. If the environment variable has not been set, set it on the command line as shown below (no spaces around the equals sign).
      set SECUDIR=<SECUDIR_directory>
    2. Use the tool’s command get_pse as shown below to create the SAP Web Dispatcher’s PSE.
      sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>
    3. The command line below creates the SAP Web Dispatcher’s SSL server PSE and certificate request using the following information:
      • The environment variable SECUDIR is set to C:\Program Files\SAP\SAPWebDisp\sec.
      • The PSE is to be located at C:\Program Files\SAP\SAPWebDisp\sec\SAPSSLS.pse.
      • The PIN used to protect the PSE is abcpin.
      • The name of the certificate request file is abc.req.
      • The SAP Web Dispatcher is accessed using the fully-qualified host name host123.mydomain.com.
      • The CA used is the SAP.CA.

Example: sapgenpse get_pse -p SAPSSLS.pse -x abcpin -r abc.req "CN=host123.mydomain.com, OU=dept. name, O=Organizational Name, SP=State and Province value, L=Locality value, C=ISO country code value"

The request file (abc.req) has been created.

2. Generate CSR using the Trust Manager

Step 1. Generate a Key Pair:

      1. Start the trust manager (transaction STRUST)
      2. Using the context menu for the File node, choose Create RSA
        NOTE: For SSL, you must create a PSE that contains the RSA key pair. If only Create is selected, then a DSA key pair is created which cannot be used for SSL.
      3. Enter the Distinguished Name parts in the corresponding fields. For the SSL Server PSE, the Common Name must correspond to the FQDN used to access the Web Dispatcher.
      4. Save the PSE to a local file (e.g. the Web Dispatcher’s Secure ID directory). Use the file name that you specified in the profile parameters ssl/server_pse and wdisp/ssl_cred for the SSL server PSE and the SSL client PSE respectively.

Step 2. Creating the Certificate Signing Request

      1. Once you have created the PSE, you must create the corresponding certificate request.
      2. Double click to select the File node. The Open dialog appears.
      3. Select the PSE that you saved in the previous procedure. The corresponding certificate appears in the PSE maintenance section in the Owner field.
      4. Fill out the required information:
        • Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
        • State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
        • Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
        • Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
        • Organizational Unit (OU): This field is the name of the department or organization unit making the request.
        • Common Name (CN): The Common Name is the Host + Domain Name. It looks like “www.company.com” or “company.com”.
          NOTE: Symantec certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain “domain.com” will receive a warning if accessing a site named “www.domain.com” or “secure.domain.com”, because “www.domain.com” and “secure.domain.com” are different from “domain.com”.
      5. In the PSE maintenance section, choose Create Certificate Request. A dialog appears showing the certificate request.
      6. Select the content of the request and copy it to your clipboard (Copy), or save the certificate request to a file (filename.p10) using Save as local file.
      7. Verify your CSR.

3. Install an SSL Certificate on SAP Using SAPGENPSE

If you are using sapgenpse, use the tool’s command import_own_cert to import the certificate request response as shown below.

sapgenpse import_own_cert <Additional_options> -p <PSE_file> -c <Cert_file> [-r <RootCA_cert_file>] -x <PIN>

| Option | Parameter | Description | Allowed Values | Default |
|---|---|---|---|---|
| -p | <PSE_Name> | Path and file name of the PSE. | Path description (in quotation marks, if spaces exist). | None |
| -c | <Cert_file> | Path and file name of the certificate request response. | Path description (in quotation marks, if spaces exist). | None |
| -r | <RootCA_cert_file> | File containing the CA’s root certificate (and any intermediate CA certificates). This parameter is necessary if the CA root and any intermediate CA certificates are not included in the certificate request response. | Path description (in quotation marks, if spaces exist). | Not set |
| -x | <PIN> | PIN that protects the PSE. | Character string | None |

Example:
The following command line imports the certificate request response (ABC.crt) into the SAP Web Dispatcher’s SSL server PSE that is stored at C:\Program Files\SAP\SAPWebDisp\sec\SAPSSLS.pse. The environment variable SECUDIR is set to C:\Program Files\SAP\SAPWebDisp\sec. The PIN that protects the PSE is defpin.

sapgenpse import_own_cert -c ABC.crt -p SAPSSLS.pse -x defpin

NOTE: If the file contains both the Root CA certificate and the Intermediate CA certificate, the Intermediate CA certificate has to come first, followed by the Root CA.

Example: Open any text editor (Notepad, Sublime), then paste the Intermediate CA certificate (Example: Intermediate.crt) and Root CA (Example: SSL247-Root.crt) in the following order:

-----BEGIN CERTIFICATE----- [Intermediate 1] -----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- [Intermediate 2] -----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- [Root CA] -----END CERTIFICATE-----

Alternatively, the same bundle can be built with the following command:
cat intermediate1.crt intermediate2.crt root.crt > ssl-bundle.crt

4. Install an SSL Certificate on SAP Using STRUST manager

After the CA delivers the necessary SSL files to your inbox, your first step is to download the ZIP Folder and extract its contents on your desktop.

For your SSL Certificate to work on SAP, the following files are required:

      • The SSL Certificate itself, with an x509/.cer/.crt/.pem extension
      • The intermediate certificate, also known as the CA Bundle or Chain Certificate
      • The root certificate from your CA (if you don’t have it, consult your CA)

Open these three files with a plain text editor, and copy the contents of each certificate into a separate file with a .txt extension. You should have at least three .txt files with your primary, intermediate, and root certificates.

Once your SSL files are ready, perform the following:

      1. Log into your admin console
      2. From Trust Manager, expand the SSL server PSE node
      3. Select your application server by double-clicking on it
      4. In the PSE maintenance section, select Import Cert. Response
      5. Click Load local and upload your primary SSL Certificate with the .crt extension. Alternatively, you can paste the contents of your SSL Certificate .txt file into the corresponding box.
      6. Your SSL Certificate should now display in the PSE maintenance section
      7. Save the data.

Next, depending on your system setup, you will add the intermediate and root certificates in these locations:

Certificate Database:

      1. In the certificate section, select Import certificate
      2. In the Import Certificate dialog, select the Database tab
      3. From the certificate database, choose your certificate and select Enter. The certificate will display in the certificate section
      4. Click Add to Certificate List
      5. Save the data.

We hope this article helped you with this easy process. If you are unable to use these instructions, Acmetek recommends that you contact either the vendor of your software or the hosting organization that supports it.
