
Running Certificate Instances Parallelly on XI Box

Former Member
0 Kudos

Hi Experts,

Please guide us on the following issue, which we are facing in installing / running the certificate on the XI box that is shared with partners (public / private key mechanism)...

The certificate installed on the XI box is going to expire within about 1 month, so we need to update the same certificate at XI as well as with all the partners simultaneously to stop the message failures...

But the requirement here is that the customer wants to renew the certificate with the partners phase-wise by running the two certificates (the old and the new certificate) on the production box, that is, without renewing the certificate on all partners' side at one time. Phase-wise, the partners will be updating their old certificate to the new certificate, with the two certificates maintained on the XI box...

Please provide your suggestions at the earliest... Valuable suggestions will be rewarded accordingly...

Thanks,

Kiran.

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

Hi Kiran

You can run the certificates (SSL) for different ICM ports. But if you have to do it for the same port, then it will be difficult.

Moreover, if you have a load balancing environment, you can do this phase-wise installation as per client.

Thanks

Gaurav

Former Member
0 Kudos

Hi Kiran,

I can't tell from your question exactly what you need to do, but are you talking about X509 certificates which are used to secure the SSL communication from your clients to the XI server? If so, then I think it depends on whether your current certificate is signed by a certificate authority (CA), like Verisign, or whether it's self-signed. If it's signed by a CA, then your clients will likely have had to trust this CA at the time you set up the connection. A new server cert installed on the XI server, signed by the same CA, would normally also be trusted by the same client (as long as the signing CA cert is the same). If you are using a self-signed cert, then your CA is effectively the self-signed cert itself. Which means the CA is changing and the clients will need to install/trust the new CA. The SSL setup varies from client to client so this is just some generic feedback.

As for having the server present two different certs to your clients, I think this could be possible if you have the flexibility to use a different port number. Meaning, the current port presents your old cert, and a new port is set up to present your new cert. This may not be a real option for you given the extra complexity and potential network restrictions. The clients would need to change the port number as they migrate. On the Java side of things I believe you can specify which cert you are presenting for a given port in the SSL Provider service. On the ABAP side in the ICM I think you could control this for the new port using icm/ssl_config_<xx>. I have not tried this, so if this is something you want to pursue, you may want to open a new forum question for some feedback specific to the question of multiple SSL ports using different certs.

http://help.sap.com/saphelp_nwce10/helpdata/en/25/7e153a1a5b4c2de10000000a114084/frameset.htm

If you are talking about some other form of encryption or signatures please provide more details.

Thanks,

-Russ
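
The CA-signed versus self-signed distinction in the answer above can be checked offline before planning a phased rollout. The following is an added example, not part of the original thread: it assumes the `openssl` CLI is installed, and the CA name, host name and file names are constructed.

```shell
#!/bin/sh
# Constructed demo: the CA name, host name and file names are made up.

make_selfsigned() {    # $1 = file prefix, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_from_ca() {      # $1 = file prefix, $2 = subject CN, $3 = CA file prefix
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
    -CAcreateserial -sha256 -days 30 -out "$1.crt" 2>/dev/null
}

# True when a partner whose trust store holds only $1 would accept cert $2.
partner_accepts() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

build_demo_pki() {     # $1 = empty working directory
  make_selfsigned "$1/ca" "Demo Partner CA"
  issue_from_ca "$1/old" "xi.example.test" "$1/ca"
  issue_from_ca "$1/new" "xi.example.test" "$1/ca"
  # Two independent self-signed server certs with the same subject name.
  make_selfsigned "$1/self_old" "xi.example.test"
  make_selfsigned "$1/self_new" "xi.example.test"
}

report() {             # $1 = label, $2 = partner trust anchor, $3 = server cert
  if partner_accepts "$2" "$3"; then echo "$1: accepted"
  else echo "$1: rejected, partner must import a new trust anchor"; fi
}

dir=$(mktemp -d) && build_demo_pki "$dir" && {
  report "CA-signed, old cert"       "$dir/ca.crt"       "$dir/old.crt"
  report "CA-signed, renewed cert"   "$dir/ca.crt"       "$dir/new.crt"
  report "self-signed, old cert"     "$dir/self_old.crt" "$dir/self_old.crt"
  report "self-signed, renewed cert" "$dir/self_old.crt" "$dir/self_new.crt"
}
rm -rf "$dir"
```

Running the same `openssl verify` check against the real old and renewed certificates shows which partners can be migrated without touching their trust store. A partner that pinned the server certificate itself rather than the CA still needs the new certificate installed.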