
30/1/2017 SAPWebDispatcherSSL



https://archive.sap.com/discussions/thread/1847779 1/25

SAP Web Dispatcher SSL

Hello to all,

we've got 2 domains with different IP addresses pointing to our web dispatcher.

a.domain.de

b.domain.de

Now I've enabled SSL.

If I create the request files, the first one works fine:

    sapgenpse get_pse -p SAPSSLS.pse -x pin -r a.req "CN=a.domain.de,OU=ABC,O=ABC,C=DE"

Now if I want to create the second request file with:

    sapgenpse get_pse -p SAPSSLS.pse -x pin -r b.req "CN=b.domain.de,OU=ABC,O=ABC,C=DE"

I get an error:

    get_pse ERROR: PSE already exists "/usr/sap/WDP/W00/sec/SAPSSLS.pse"

So my questions:

Couldn't I import two private certificates in one PSE?

Do I need an explicit web dispatcher for each subdomain?

Best regards

Christian

Christian Kaiser (https://people.sap.com/christian.kaiser3)
April 10, 2014 at 13:28 PM
0 Likes


36 replies

prodyot sen (https://people.sap.com/prodyut.sen2) replied December 09, 2010 at 15:54 PM

Hello Chris,

Try below steps.

1) Download the SAP cryptographic software from service.sap.com/tcs. Select the correct one for your platform.

2) Extract it with sapcar -xvf filename.sar

For Windows, the /ntintel directory would be created and the following files would be extracted

for example

C:\saprouter\ntintel\sapcrypto.dll

C:\saprouter\ntintel\sapgenpse.exe

C:\saprouter\ticket

3) It is necessary to define the environment variables "SECUDIR" and "SNC_LIB" under the system account.

The SNC_LIB path may vary if you are using a 64-bit Windows server; the following is for a 32-bit Windows server.

SECUDIR -> C:\saprouter\

SNC_LIB -> C:\saprouter\ntintel\sapcrypto.dll

4) Check if the environment of the user running saprouter contains the environment variable SNC_LIB

5) Now apply for a SAProuter certificate from the SAP Trust Center Service of SAP Service Marketplace

service.sap.com/tcs -> SAP Trust Center Service in Detail -> SAProuter Certificates

so you get your Distinguished Name.

6) Execute the following command in the \saprouter\ntintel directory in order to generate your certificate to be exchanged with SAP

    sapgenpse get_pse -v -r certreq -p local.pse "Distinguished Name"

Follow the above steps to generate your certificate.

Regards,

Sen

Christian Kaiser (https://people.sap.com/christian.kaiser3) replied December 09, 2010 at 16:08 PM

Hello Sen,

thanks for your reply.

With one certificate, alternatively one distinguished name, the SSL function works fine.

Now I have two domains pointing to my server. Also I have two distinguished names (DN) with different IP addresses.

If I want to generate the second certificate request for the other DN, I get the error above.

Is it possible to assign two DNs to one PSE, alternatively to assign two different PSE files to the profile parameter ssl/server_pse?

Regards Christian

Tobias Hofmann (https://people.sap.com/tobias.hofmann) replied December 09, 2010 at 22:03 PM

If you want to use 1 SSL certificate, you'll need to use one that is valid for both domain names. Per default, a SSL certificate is valid for one name only. (Which makes sense, as SSL certificates are used to identify a single server)

Fortunately SSL certificates can include a principal name and alternative names => they can be valid for more than 1 server name (http://en.wikipedia.org/wiki/Subject_Alternative_Name).

Create a SSL certificate that also contains SAN names for your other server name.

br,

Tobias

Wilbert Jeuken (https://people.sap.com/wilbert.jeuken2) replied January 03, 2011 at 16:34 PM

Hello Christian,

You can use a certificate that is valid for both domains.

Instead of having one certificate for "a.domain.de" and another for "b.domain.de", you would have one for "*.domain.de".

This kind of certificate is a bit more expensive than a certificate for one domain, but you can use it to access more backend systems using this one certificate. You should see if the extra costs are worth it in your specific scenario.

Kind regards, Wilbert

Edit: typo

Edited by: Wilbert Jeuken on Jan 3, 2011 4:34 PM

Christian Kaiser (https://people.sap.com/christian.kaiser3) replied January 13, 2011 at 08:31 AM

Hello Wilbert,

we don't want to use a wildcard certificate.

SAP has answered the following:

    The configuration of SAP Web Dispatcher to maintain two different SSL
    server PSE at the same time is not documented in Notes or help.sap.com.
    So there is no information confirming that the SAP Web Dispatcher is
    able to work with multiple PSE files.

We now prefer to use an Apache-based reverse proxy.

It is also supported by SAP:

    Yes, the Apache Web server can be used as a reverse proxy.

    I'd suggest you to refer to the following links:

    http://help.sap.com//saphelp_nw70/helpdata/en/18/5cea2296190e4cb7faf9468ad793ea/framese

    https://wiki.sdn.sap.com/wiki/display/BSP/Using+Proxies

Christian

Tobias Hofmann (https://people.sap.com/tobias.hofmann) replied January 13, 2011 at 11:54 AM

Hi,

a certificate with SAN isn't an option?

As Apache handles several certificates it doesn't do load balancing like web dispatcher does (connection to message server). Or do you want to put the Apache in front of the web dispatcher?

br, Tobias

Christian Kaiser (https://people.sap.com/christian.kaiser3) replied January 13, 2011 at 13:21 PM

Hello Tobias,

I didn't mind load balancing till now. It's quite an important point.

Have you planned an equal scenario?

I think I'll run APACHE as reverse proxy. APACHE should do the SSL termination and SAP Webdispatcher should do the rest.

What do you think? Might it work?

br, Christian

Tobias Hofmann (https://people.sap.com/tobias.hofmann) replied January 13, 2011 at 13:51 PM

Hi,

letting something other than Web Dispatcher do the SSL termination is quite common:

- Dedicated hardware with SSL chip to offload the SSL work

- Apache or other reverse proxy that serves as an entry point for HTTP requests (not limited to SAP)

and having the Web Dispatcher behind these to do the load balancing:

user <-> reverse proxy <-> web dispatcher <-> SAP

Staging the access allows you to also sequentially increase the security:

- General access to the reverse proxy

- Web Dispatcher is in a separated DMZ (secured by FW) that only allows connections made from the reverse proxy

- backend systems in a network that again only allows connections from the Web Dispatcher

br,

Tobias

Christian Kaiser (https://people.sap.com/christian.kaiser3) replied January 13, 2011 at 14:16 PM

Hello Tobias,

thank you for your advice.

I'll set it up in this way and post my results.

Christian

Christian Kaiser (https://people.sap.com/christian.kaiser3) replied July 11, 2011 at 09:07 AM

Hello,

we use a reverse proxy to terminate SSL and forward the request to SAP Web Dispatcher.

Everything works fine.

The message was moderated

Basis Cons (https://people.sap.com/jay.b2) replied September 09, 2011 at 06:53 AM

I'm implementing exactly what you have discussed here and would like to confirm if this can be implemented using Web Dispatcher as reverse proxy.

i.e. Client - SSL - web dispatcher as reverse proxy (SSL termination) - web dispatcher for load balancing - SAP server

Do we face any issue with SSL certificates if we have two reverse proxies & two web dispatchers operating in parallel?

Stefan Reichert (https://people.sap.com/stefan.reichert2) replied September 14, 2011 at 08:43 AM

Hi,

we're using SAP NW 7.3 based Webdispatcher.

Is this thread also useful for 7.3?

Or is it now possible to use more than one domain (with enabled SSL) with this version?

Kind regards,

Stefan

Chandrakanth Angannagari (https://people.sap.com/chandrakanth.angannagari) replied September 23, 2011 at 10:21 AM

Hello,

Is it now possible to use two CN's in one PSE on the webdispatcher? Or a reverse proxy like Apache is the only way?

Thanks

Chan

Ilke Tutku Senol (https://people.sap.com/tsenol) replied November 15, 2013 at 13:47 PM

I have the same issue to solve. Does anyone have an answer for using 2 different SSL in a web dispatcher?

Regards

Tutku

Roger Fock (https://people.sap.com/happpieee) replied March 28, 2014 at 05:29 AM

Can we conclude even with the latest NW 7.3 Web Dispatcher, one SAP WD with multiple hostnames/IPs cannot have multiple SSL certificates (one for each FQDN)?

Olivier CHRETIEN (https://people.sap.com/olivier.chretien) replied March 28, 2014 at 13:45 PM

Hello,

No, it is now indeed possible to use a SAP Web Dispatcher using a single SSL certificate with 2 Subject Alternate Names. I generate the Web Dispatcher PSE with transaction STRUST from Netweaver Abap >= 7.30. Our internal PKI CA has been configured to accept to sign these double named certificates.

I have already explained that in other SCN threads.

Best Regards,

Olivier

Roger Fock (https://people.sap.com/happpieee) replied March 28, 2014 at 17:18 PM

Hi Oliver,

appreciate your sharing: How to use one PSE with multiple URLs? (/discussions/thread/3518951)

it can be achieved with a Subject Alternate Name (SAN) cert using STRUST with the alternate names field.

further clarifications on frontend browser output. What will it be if:

1) SAN cert with a.domain.com and b.domain.com. User hits a.domain.com. When the cert is opened, what DN is being shown?

2) single cert with <SID>. User hits a.domain.com or b.domain.com. Will it cause any browser error or warning?

Lastly, can SAPGENPSE generate a SAN CSR for a public CA to sign?

Thanks for your help!

Olivier CHRETIEN (https://people.sap.com/olivier.chretien) replied March 28, 2014 at 17:47 PM

Hi Roger,

1) The DN shown when the cert is open is the one you chose to put first when creating the cert in STRUST. In my case, I use Windows servers and they are in both the Windows domain and in a DNS domain. The Windows server has a hostname and also a DNS alias used for disaster recovery.

In the past we called SAP web applications using the hostname and the DNS domain.

Now we have a disaster recovery system and we use SPNego/Kerberos SSO which means we have to call SAP web applications using the DNS alias and the Windows Domain.

But as the old URLs have links configured everywhere in the intranet, for compatibility reasons, we needed to be able to call the applications with both URLs:

Old one: https://hostname.dnsdomain/sap/.... for compatibility

New one: https://dnsalias.windowsdoamin/sap/.... for disaster recovery and Kerberos.

Therefore the need for a certificate with both these Alternate Subject Names.

When I create the PSE with STRUST, I enter both names separated by

When the cert is displayed from the browser, I get:

Delivered to: dnsalias.windowsdoamin

and in the Details tab, I get:

Object: CN=dnsalias.windowsdoamin OU=....

Alternate Names:

DNS Name=dnsalias.windowsdoamin

DNS Name=hostname.dnsdomain

2) I don't understand what you call single cert with <SID>

3) I never succeeded to use SAPGENPSE to generate SAN CSR. Therefore I don't think it is possible. I only succeeded using the file option of transaction STRUST.

Regards,

Olivier

Roger Fock (https://people.sap.com/happpieee) replied March 28, 2014 at 18:09 PM

Great stuff Oliver. Now I can understand your background of using this.

My background of using multiple SSL for one Dispatcher is because of the design of a frontend DMZ server for multiple backend ERP, BW and NWGW.

we intend to use different virtual IPs and DNS records within a Web Dispatcher in DMZ server as a SSL terminator.

So the scenario will be having Internet users hitting SSL URLs:

erp.abc.com

bw.abc.com

nwgw.abc.com

intended to use multiple SSL certs but a single SAP WD can only support a single SSL cert.

1. Let's say we use CN=abc.com and perform self-sign using STRUST. When a user hits any of the 3 above URLs, what will the browser complain? Or no issues?

2. Since STRUST can generate SAN certs, can it generate SAN or wildcard CSR?

Olivier CHRETIEN (https://people.sap.com/olivier.chretien) replied March 31, 2014 at 13:14 PM

Hello Roger,

1. If you set CN=abc.com the browser will always complain that the certificate is wrong and the connection unsafe because the CN would be different from the URL.

In my opinion, you would have to set CN=*.abc.com but I think that this kind of certificate is very expensive to get signed by a "well known" CA.

2. I've never had to use STRUST for wildcard CSR but I think it should be possible. You should give it a try.

In your case, I would try to use STRUST to create a PSE certificate with CN=erp.abc.com and with 3 Alternate Subject Names:

erp.abc.com

bw.abc.com

nwgw.abc.com

You should check in advance with the CA if they are able to sign this kind of certificates.

Best Regards,

Olivier
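
Added example, not part of the thread: a Python check of which host names a certificate covers, for the cases discussed above (CN=abc.com only, CN=*.abc.com, and CN=erp.abc.com with alternate names). The function names are hypothetical and the certificate dictionaries are constructed in the shape returned by Python's ssl getpeercert(); matching follows RFC 6125, where dNSName entries in the SAN take precedence over the CN and a wildcard covers exactly one left-most label.

```python
# Added example (not code from the thread). All certificates below are
# constructed samples shaped like the dict from ssl.SSLSocket.getpeercert().

HOSTS = ["erp.abc.com", "bw.abc.com", "nwgw.abc.com"]  # host names from the thread


def _cert(cn, *sans):
    """Hypothetical helper: build a getpeercert()-style dict."""
    cert = {"subject": ((("commonName", cn),),)}
    if sans:
        cert["subjectAltName"] = tuple(("DNS", s) for s in sans)
    return cert


CN_ONLY = _cert("abc.com")                       # self-signed, CN=abc.com
WILDCARD = _cert("*.abc.com", "*.abc.com")       # wildcard certificate
SAN_CERT = _cert("erp.abc.com", "erp.abc.com", "bw.abc.com", "nwgw.abc.com")
SAN_WITHOUT_CN = _cert("erp.abc.com", "bw.abc.com", "nwgw.abc.com")


def _labels(name):
    return name.lower().rstrip(".").split(".")


def dns_name_matches(pattern, hostname):
    """Compare label by label; '*' is honoured only as the whole left-most
    label, stands for exactly one label, and needs two fixed labels after it
    (a conservative simplification that rejects patterns such as '*.com')."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def presented_names(cert, allow_cn_fallback=True):
    """Names a client checks: dNSName SAN entries if any exist, otherwise the
    CN. allow_cn_fallback=False models clients that ignore the CN altogether."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans or not allow_cn_fallback:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def coverage(cert, hostnames, allow_cn_fallback=True):
    names = presented_names(cert, allow_cn_fallback)
    return {h: any(dns_name_matches(n, h) for n in names) for h in hostnames}


def uncovered(cert, hostnames, allow_cn_fallback=True):
    """Host names for which a client would raise a name-mismatch error."""
    result = coverage(cert, hostnames, allow_cn_fallback)
    return [h for h, ok in result.items() if not ok]


if __name__ == "__main__":
    samples = [("CN=abc.com only", CN_ONLY), ("CN=*.abc.com", WILDCARD),
               ("CN + 3 SAN", SAN_CERT), ("CN missing from SAN", SAN_WITHOUT_CN)]
    for label, cert in samples:
        print(f"{label:22} uncovered: {uncovered(cert, HOSTS + ['abc.com'])}")
```

The last sample shows why erp.abc.com is listed among the alternate names even though it is already the CN: once a SAN is present, a name that appears only in the CN is no longer matched.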

Roger Fock (https://people.sap.com/happpieee) replied March 31, 2014 at 18:45 PM

great to see your reply again Oliver. Cheers!

1. STRUST to generate wildcard CSR is possible. But like what you indicate it is damn expensive. About $499/yr. Interesting, some of the browsers do not support wildcard SSL and it is even mentioned in SAP note that wildcard CN is not a recommended or even recognized way on the Internet.

2. I have checked your other SCN thread that once you got your own CA PKI to sign the cert, it will appear in the SAN of STRUST. I tried it in my test server and there is no way to get it in the SAN field of STRUST. The only way for me is to insert in the DN field with multiple CN separated by

Am I right?

Olivier CHRETIEN (https://people.sap.com/olivier.chretien) replied April 01, 2014 at 11:33 AM

Hello Roger,

2. This is correct: To generate the self signed certificate, I enter multiple CN separated by "".

I see my 2 SAN in STRUST only after importing the signature from the PKI.

Best Regards,

Olivier

Pia Burghardt (https://people.sap.com/pia.burghardt) replied April 02, 2014 at 13:45 PM

Hi Oliver,

I tried to create a certificate request in STRUST -> create with two CN's separated by ""

mit.vaillantgroup.com

groupnet.vaillantgroup.com

But I got the following error "Fields contained invalid characters"

Could you explain the right way in STRUST?

Thank you

Pia Menzel

Olivier CHRETIEN (https://people.sap.com/olivier.chretien) replied April 02, 2014 at 15:03 PM

Hello Pia,

I just redid a test to remember how to do it.

STRUST -> Right Click on File -> Create -> popup "Create PSE" opens up.

Click on "pencil" button (Revise DN)

Choose

Algorithm: RSA with Sha1

Key Length: 2048

In the DN field, I enter my 2 CNs separated by

CN=name1.domain1,OU=xxxx,O=company,C=yy
CN=name2.domain2,OU=xxxx,O=company,C=yy

Then I have to choose the PSE Filename and directory to save it.

If I double click on "File" I am able to load the PSE and to generate a CSR to have it signed by our PKI. On the PKI screen, I have also to enter both FQDN as Alternate Subject Names.

When I load the p7b file (answer from the PKI) in STRUST in the SSL certificate, I can see 2 dNSNames in the Subject (Alt.) field.

When I save, I can now copy the signed PSE in the sec directory of the SAP Web Dispatcher and call https URLs using both names without browser errors.

Best Regards,

Olivier

Olivier CHRETIEN (https://people.sap.com/olivier.chretien) replied April 02, 2014 at 15:04 PM

PS: What a crappy forum software! My message is now so badly formatted....

Pia Burghardt (https://people.sap.com/pia.burghardt) replied April 02, 2014 at 16:18 PM

Hi Olivier,

thanks a lot for your fast help. Now I could create the cert request and sent it to PKI, hope the response works fine.

Best Regards

Pia

Pia Burghardt (https://people.sap.com/pia.burghardt) replied April 09, 2014 at 14:04 PM

Hi Olivier,

now I got the response from PKI and the import via STRUST works fine, I can see:

But if I export the server PSE as SAPSSLS.pse and copy it to the Web Dispatcher in DMZ I get this error with the sapgenpse tool:

    sapgenpse get_my_name -p SAPSSLS.neu.pse

    get_my_name: Couldn't open PSE "/usr/sap/WD2/W00/sec/SAPSSLS.neu.pse"

I tried it with and without password, but it does not work. PSE file has all rights and is assigned to the right user "wd2adm"

What can cause this error?
Could you help me?

Regards

Pia Menzel

Roger Fock (https://people.sap.com/happpieee) replied April 09, 2014 at 17:26 PM

Hi Pia Menzel,

You should copy the PSE from your Web Dispatcher to your ABAP store server and import it via STRUST. Thereafter, add the signed certificate to the PSE.

Then export the PSE and copy back to your Web Dispatcher.

Olivier CHRETIEN (https://people.sap.com/olivier.chretien) replied April 09, 2014 at 18:48 PM

Hello Pia,

I don't understand what you're trying to do with sapgenpse. After importing the PKI response with STRUST, you just save the signed PSE to the web dispatcher /sec directory, restart the web dispatcher and all should be ok.

I don't use sapgenpse at all, only STRUST.

Best Regards,

Olivier

Pia Burghardt (https://people.sap.com/pia.burghardt) replied April 10, 2014 at 08:19 AM

Morning Olivier,

I used sapgenpse to check the signed certificate and the authorisation.

OK, I restarted my WD with the new SAPSSLS.pse but I also get an error:

[Thr 139814821607168] *** ERROR => secudessl_Create_SSL_CTX(): PSE "/usr/sap/WD2/W00/sec/SAPSSLS.pse": unable to use! [ssslsecu_mt.1735]

[Thr 139814821607168] No Secude Error present in trace stack!

[Thr 139814821607168] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential for "/usr/sap/WD2/W00/sec/SAPSSLS.pse" [ssslxxi_mt.c 2324]

[Thr 139814821607168] *** ERROR => Initialization of SSL library failed NO SSL available!

[Thr 139814821607168] =================================================

[Thr 139814821607168]

[Thr 139814821607168] << ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR

[Thr 139814821607168] *** ERROR => IcmServInitSSL: SapSSLInit (rc=40): SSSLERR_PSE_ERROR [icxxserv_mt.251]

What I did to create SAPSSLS.pse:

I created a cert request in STRUST in one of our ABAP systems (Rel 731)

sent it to PKI (by customer)

after the response from PKI I imported the cert response (with root and intermediate cert) in the Server PSE in STRUST

then I exported this PSE to the file system (base64)

and copied the SAPSSLS.pse to the sec directory of WD (Rel 730)

and now I get the SSL error

What have I done wrong?

Regards

Pia

Olivier CHRETIEN (https://people.sap.com/olivier.chretien) replied April 10, 2014 at 11:36 AM

Hello Pia,

Strange, I've never had this error.

How did you create the PSE with STRUST?

Did you choose "File -> Right click -> Create" and not "SSL server standard -> Right click -> Create"?

Do you have the "ticket" file in the sec directory of the web dispatcher?

Best Regards,

Olivier

Olivier CHRETIEN (https://people.sap.com/olivier.chretien) replied April 10, 2014 at 11:40 AM

Here is an extract of a SAP Web Dispatcher trace file when starting SSL with a STRUST generated PSE:

[Thr 12020] =================================================
[Thr 12020] = SSL Initialization platform tag=(NTAMD64)
[Thr 12020] = (720_REL,Nov 20 2011,mt,ascii,SAP_UC/size_t/void* = 8/64/64)
[Thr 12020] profile param "ssl/ssl_lib" = "D:\usr\sap\DEV\WebDisp\sapcrypto.dll"
[Thr 12020] resulting Filename = "D:\usr\sap\DEV\WebDisp\sapcrypto.dll"
[Thr 12020] = found SAPCRYPTOLIB 5.5.5C pl32 (Apr 2 2011) MT safe
[Thr 12020] = current UserID: TESTBED\SAPServiceDEV
[Thr 12020] = using SECUDIR=D:\usr\sap\DEV\WebDisp\sec
[Thr 12020] profile param "ssl/server_pse" = "D:\usr\sap\DEV\WebDisp\sec\SAPSSLS_DEV_testbed_bpa_signed.pse"
[Thr 12020] resulting Filename = "D:\usr\sap\DEV\WebDisp\sec\SAPSSLS_DEV_testbed_bpa_signed.pse"
[Thr 12020] = secudessl_Create_SSL_CTX(): PSE "D:\usr\sap\DEV\WebDisp\sec\SAPSSLC.pse" not found,
[Thr 12020] = using PSE "D:\usr\sap\DEV\WebDisp\sec\SAPSSLS_DEV_testbed_bpa_signed.pse" as fallback
[Thr 12020] = secudessl_Create_SSL_CTX(): PSE "D:\usr\sap\DEV\WebDisp\sec\SAPSSLA.pse" not found,
[Thr 12020] = using PSE "D:\usr\sap\DEV\WebDisp\sec\SAPSSLS_DEV_testbed_bpa_signed.pse" as fallback
[Thr 12020] ******** Warning ********
[Thr 12020] *** No SSL client PSE "SAPSSLC.pse" available
[Thr 12020] *** this will probably limit SSL client side connectivity
[Thr 12020] ********
[Thr 12020] = Success SapCryptoLib SSL ready!
[Thr 12020] =================================================

Best Regards,

Olivier

Pia Burghardt (https://people.sap.com/pia.burghardt) replied April 10, 2014 at 12:29 PM

Hi Olivier,

I configured a lot of Webdispatchers with SSL in the past, I know the WD trace for SSL.

And before I switched to this new certificate the Webdispatcher was running with an SSL certificate without errors. And if I switch to the "old" SAPSSLS.pse it also works fine.

Only with the new one it does not work.

Regarding

How did you create the PSE with STRUST?

Did you choose "File -> Right click -> Create" and not "SSL server standard -> Right click -> Create"?

-> I used "SSL server standard" -> is that the problem?

Regards

Pia

Olivier CHRETIEN (https://people.sap.com/olivier.chretien) replied April 10, 2014 at 13:22 PM

Pia,

-> I used "SSL server standard" -> is that the problem?

I think so. This entry is to create a SSL PSE for the ABAP ICM.

Try to recreate your PSE with "File -> Right click -> Create".

That's the way I do it and it works for me for several production systems...

Best Regards,

Olivier

Pia Burghardt (https://people.sap.com/pia.burghardt) replied April 10, 2014 at 13:28 PM

Hi Olivier,

thanks a lot.

I will try it again via "FILE". Hope my customer gets no additional costs if he sends the next cert request to Symantec.

We will see.

Regards

Pia
