06-12-2009 1:46 PM
Hello Experts,
For our NW700 Java system, we have got Verisign SSL Certificate. Installation instructions from Verisign says - we need to install Intermediate Certificate also along with SSL certificate for our Common Name.
Can you please let me know how we install Verisign SSL Certificate on NW700 JAVA system using Visual Admin.
Instructions from Verisgn says:
Install Intermediate Certificate on server.
Install SSL certificate.
Thanks
Davinder
06-12-2009 2:25 PM
Hi Davinder
When you import the CSR response from Verisign into the keystore of the Visual Administrator, your keypair will now be signed, see step 4 from here http://help.sap.com/saphelp_nw04s/helpdata/en/a6/98f73dbc570302e10000000a114084/content.htm
However you need to now form a certificate chain consisting of the signed server certificate, the intermediate certificate and the Versign CA root certificate. I suggest following the steps from SAP 694290, section " Apply to SAP J2EE Server 6.30". The order in which you import the certififcates to form the chain is important, so follow the note carefully
06-12-2009 2:25 PM
Hi Davinder
When you import the CSR response from Verisign into the keystore of the Visual Administrator, your keypair will now be signed, see step 4 from here http://help.sap.com/saphelp_nw04s/helpdata/en/a6/98f73dbc570302e10000000a114084/content.htm
However you need to now form a certificate chain consisting of the signed server certificate, the intermediate certificate and the Versign CA root certificate. I suggest following the steps from SAP 694290, section " Apply to SAP J2EE Server 6.30". The order in which you import the certififcates to form the chain is important, so follow the note carefully
06-12-2009 3:05 PM
Thanks Patrick,
Following are the instructions from Verisgn for installing SSL certificate, even Verisign support is unable to comment how to do Step 1 on SAP NW Java 700 for the first time.
Concerns:
1. Verisign doesn't know how can we execute Step1 on SAP NW Java through Visual Admin.
2. Verisign installation instructions doesn't say to install Verisign Root CA Certificate but SAP note 694290 speak about this.
3. SAP note 694290 is for installing Verisign CA Certificate once it is expired, but in our case we need to install it for the first time, so do we need to follow step 5 to 9 in case you are installing for the first time?
Would really appreciate if you can guide me further.
*******************
1. INTERMEDIATE CERTIFICATE ADVISORY:
You MUST install the VeriSign Secure Site certificates on your server together with your Certificate or it will not operate correctly.
If Microsoft IIS 5.0 or above was selected, you DO NOT need to install the intermediate certificates.
2. INSTALL CERTIFICATE:
For installation instructions for your SSL Certificate, go to:
https://www.verisign.com/support/ssl-certificates-support/install-ssl-certificate.html
3. CHECK INSTALLATION:
Ensure you have installed your certificate correctly at:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=certchecker
4. INSTALL THE VERISIGN SITE SEAL:
Additionally, as part of your Secure Site Service, you are entitled to display the VeriSign Secured Seal - recognized across the Internet and around the world as a symbol of authenticity, security, and trust - to build consumer confidence in your Web site.
Installation instructions for the VeriSign Secured® Seal can be found on the following link:
https://www.verisign.co.uk/ssl/secured-seal/index.html
***********************************
Thanks
Davinder
06-12-2009 3:17 PM
Hi, you created a keypair for SSL in the Key Store service interface in the Visual Administrator, generated a CSR response and sent it to Verisign. Now you have the CSR response from Verisign - is my understanding of the situation correct?
You can import this into the Key Store service, by highlighting the private key of the keypair and choosing 'Import CSR Response'. Now your key pair is signed.
However there is no chain formed. You need to now follow the aforementioned note and export the private key and public key certificate separately by higlighting the private key and choosing 'Export'. Export with the 'Files of type' drop down box set to (*p8), and after exporting the private key you will be able to export the public key cert. This is step 6 and 7 of the note. Now follow steps 8-12 to form the chain
Once the chain is loaded into the Key Store, you need to ensure that the Java dispatcher is configured to send the signed server certificate for the relevant SSL ports - see here http://help.sap.com/saphelp_nw04/helpdata/en/5c/15f73dd0408e5be10000000a114084/content.htm
06-12-2009 3:44 PM
Hello Patrick,
Thanks for the information:
you created a keypair for SSL in the Key Store service interface in the Visual Administrator, generated a CSR response and sent it to Verisign. Now you have the CSR response from Verisign - is my understanding of the situation correct?
Absolutely right
You can import this into the Key Store service, by highlighting the private key of the keypair and choosing 'Import CSR Response'. Now your key pair is signed.
Successfully done.
After this i can see that PRIVATE KEY (IssueDN has been changed to Verisign)
But CERTIFICATE ISSUER DN is not changed.
Now if i try to access the site with https, able to do properly and if click on the Lock icon on the browser, i can see certificate is 3 Chained
Verisign Trial Secure Server Root CA - G2
----> Verisign Trial Secure Server CA - G2
----> -
So it looks to be working fine.
However there is no chain formed. You need to now follow the aforementioned note and export the private key and public key certificate separately by higlighting the private key and choosing 'Export'. Export with the 'Files of type' drop down box set to (*p8), and after exporting the private key you will be able to export the public key cert. This is step 6 and 7 of the note. Now follow steps 8-12 to form the chain
No Chains has been made in Visual Admin, and i tried these on another server - it works as you are saying.
But is there any benefit of importing Intermediate, Root Certificates - as mentioned in SAP note steps 8 to 12.
If yes, then is it mandatory to make the chain till 3rd level (means Root Certificate also).
Once the chain is loaded into the Key Store, you need to ensure that the Java dispatcher is configured to send the signed server certificate for the relevant SSL ports - see here http://help.sap.com/saphelp_nw04/helpdata/en/5c/15f73dd0408e5be10000000a114084/content.htm
Edited by: Julius Bussche on Aug 10, 2009 3:44 PM
code --> quote
08-10-2009 2:37 PM
09-01-2009 10:18 PM
Hi D P Singh ,
We are planning to install Verisign SSL certificate on NW 7 Java (Portal) System. Could you please share your experience and steps how can do that.
Thanks
Aravind
09-03-2009 7:23 AM
Hi DP singh
i want to apply SSL certificate for EP 7.0 MSCS.
can you tell me the steps to configure
which CA is to buy?
thanks alot
09-07-2009 3:26 PM
Aravinda, Rao
We are using Verisign SSL certificate.
1. Generate the Certificate - please make sure that all necessary fields are entered ortherwise the CSR request will not be accepted by Verisign. In my case example is:
CN = test.com
OU=UK
O=TEST
L=London
ST=London
C=GB
2. Get the CSR request and get it signed from Verisign.
3. Import CSR Response.
4.Follow SAP note 694290 under section - Apply to SAP J2EE Server 6.30
As per understanding for MSCS environment, there should not be extra step.
Davinder
09-09-2009 4:57 PM
Hi Davinder,
Thanks for your response. It could be nice if you write a blog on this topic. It would be really helpful for SDN community.
Thanks
Aravind