on 04-24-2006 3:00 PM
Hi,
We've registered an SSL certificate with wildcard option via GlobalSign. The history of this process is as below:
1. We created a Certificate Request with IIS and sent it to GS (GlobalSign).
2. They sent us the certificate file, Globalsign Primary Secure Server CA and Globalsign Server Sign CA files.
3. Imported all certificates into IIS and then exported the certificate into a Cert.pfx file.
4. By using this file, we are able to import the SSL certificate into J2EE WAS 640 of Portal system.
5. Now we want to use the same certificate to establish a web dispatcher installation as intermediate server for internet access.
The Web Dispatcher documentation says to create a pse and req file with the sapgenpse program and then send it to the CA (here GlobalSign) to get a certificate.
But when we asked GS, they told us to use the certificate they sent us before. They cannot create a certificate file for the output of web dispatcher. We will be billed if we persist.
So, we have to find a way to use the existing certificate to enable SSL of Web Dispatcher.
Any idea?
Try using the import_p12 option of sapgenpse.
ie: sapgenpse import_p12 -p SAPSSLS.PSE exportfile.pfx
This is supposed to create a new "SAPSSLS.PSE" file with the private/public key pair, and signed cert from your export file. Let us all know if it works out for you.
Regards,
Karl
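A check that can be run on the exported file before the import described in the reply above, as an added example that is not part of the original posts: it confirms that the PFX carries a private key and that the key matches the certificate, the two things the reply says end up in the new PSE. The openssl CLI is assumed to be installed; the function names, the sample password and the *.example.test certificate are constructed for illustration.

```shell
# Added example (not from the thread): pre-flight check of a PKCS#12 export
# before `sapgenpse import_p12`. Passwords and file names are constructed.

# Public half of the private key stored in the PFX; empty if none.
pfx_key_pubkey() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null
}

# Public key of the certificate bound to that private key; empty if none.
pfx_cert_pubkey() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null
}

# Return 0 only if the PFX holds a private key matching its certificate.
pfx_ready_for_import() {
    key_pub=$(pfx_key_pubkey "$1" "$2") || true
    cert_pub=$(pfx_cert_pubkey "$1" "$2") || true
    [ -n "$key_pub" ] || { echo "$1: no readable private key" >&2; return 1; }
    [ -n "$cert_pub" ] || { echo "$1: no certificate for the key" >&2; return 1; }
    [ "$key_pub" = "$cert_pub" ] || { echo "$1: key/cert mismatch" >&2; return 1; }
}

# Constructed inputs: a self-signed wildcard certificate exported once with
# its private key and once without it (a certificate-only export).
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout pass:sample -out "$1/with_key.pfx"
    openssl pkcs12 -export -nokeys -in "$1/cert.pem" \
        -passout pass:sample -out "$1/cert_only.pfx"
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
make_sample_pfx "$tmp"
pfx_ready_for_import "$tmp/with_key.pfx" sample && echo "with_key.pfx: ok"
pfx_ready_for_import "$tmp/cert_only.pfx" sample || echo "cert_only.pfx: rejected"
rm -rf "$tmp"

# On a real export, gate the import from the post above on the check:
#   pfx_ready_for_import exportfile.pfx "$PFX_PASSWORD" &&
#       sapgenpse import_p12 -p SAPSSLS.PSE exportfile.pfx
```

A wrong export password is reported the same way as a missing key, since in both cases no private key can be read from the file.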
Huseyin,
The documentation is hard to find for the import_p12 option to say the least. I had to figure it out by using "sapgenpse -h" and fumbling through the options. You can use export_p12 to move the cert back the other direction as well. Can you explain what your other option was?
Regards,
Karl Litterer
Hi Karl,
The other option is to provide SSL termination via Apache Web Server. This idea was raised by someone who said "you can use IIS with Web Dispatcher which is SSL enabled."
On the front, Apache is providing a standard HTML page which submits user/password to /irj/portal
This Web Server is SSL enabled and Apache is redirecting requests to https://<domain>/irj/portal which is under redirected to internal portal servers SSL address.
So, what we do is to set Apache redirection to the web dispatcher port via the following conf. in httpd.conf:
RewriteRule ^/irj/(.*) https://localhost:8003/irj/$1 [P]
RewriteRule ^/logon/(.*) https://localhost:8003/logon/$1 [P]
RewriteRule ^/webdynpro/(.*) https://localhost:8003/$1 [P]
SAP Web Dispatcher is configured for SSL termination with the following conf.:
# Profile generated by sapwebdisp bootstrap
# unique instance number
SAPSYSTEM = 1
# Accessibility of Message Servers
rdisp/mshost = 10.180.1.10
ms/http_port = 8101
# SAP Web Dispatcher Parameter
wdisp/auto_refresh = 120
wdisp/max_servers = 100
wdisp/shm_attach_mode = 6
# configuration for large scenario
icm/max_conn = 8192
icm/max_sockets = 16384
icm/req_queue_len = 6000
icm/min_threads = 100
icm/max_threads = 200
mpi/total_size_MB = 300
mpi/buffer_size = 32768
mpi/max_pipes = 21000
# maximum number of concurrent connections to one server
wdisp/HTTP/max_pooled_con = 8192
wdisp/HTTPS/max_pooled_con = 8192
# SAP Web Dispatcher Web Administration
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin
# SAP Web Dispatcher Ports
icm/server_port_0 = PROT=HTTPS,PORT=8003
icm/server_port_1 = PROT=HTTP,PORT=0
wdisp/ssl_encrypt = 0
wdisp/add_client_protocol_header = true
icm/HTTPS/verify_client = 0
ssl/ssl_lib=/webdisp/secudir/libsapcrypto.so
ssl/server_pse=/webdisp/secudir/SAPSSL.pse
This is working at the moment.
regards