
System-wide SSL server PSE for all servers

Former Member
0 Kudos

Hi,

I am trying to get a single SSL certificate into a server with multiple SAP Systems. Is that even possible?

10 REPLIES 10

martin_voros
Active Contributor
0 Kudos

Hi,

Yes, it is. You can set up a common host name for all application servers using the parameter wdisp/ssl_certhost. Hence you will need just one certificate for your host name. Check the documentation for wdisp/ssl_certhost in RZ11.

Cheers

0 Kudos

Hi Martin,

Where do we enter the profile? Is it in the Web Dispatcher's profile or the SAP application server's profile? Does this mean we do not have to go to STRUST and generate a certificate request under the SSL server Standard folder?

Rgds,

Hapizorr

0 Kudos

The process of installing one certificate to each application server is described here: http://help.sap.com/saphelp_nw04/helpdata/en/24/61ab3b92818b70e10000000a114084/frameset.htm

Cheers

0 Kudos

I am looking at the documentation. Do I need to re-distribute to all application servers or do I need to import the certificate response to all the application servers?

I am generating the PSE via SAP Webdispatcher, or can I generate the PSE via any ABAP WebAS and re-distribute from there?

0 Kudos

Hi Martin,

I'm having BI, SRM EBP, SRM SUS and Portal in one physical server, meaning one hostname, so my FQDN is myhost.company.com which applies to all those instances. Does this mean that I can use one single certificate for all those instances?

Rgds,

Hapizorr

0 Kudos

Hi,

Can anyone guide me how to implement system-wide SSL server PSE? I've generated a certificate request from one of the ABAP instances and sent it to SAP for a test certificate. However, the certificate response given by SAP can only be imported into the ABAP instance from which I originally generated the certificate request. I cannot import it to other ABAP instances. Does system-wide SSL server PSE mean a single certificate applies to all ABAP instances? Correct me if I'm wrong. Pls help.

Thank you.

0 Kudos

Hi,

Yes, I think so. I haven't tried this but it should not be a problem. An SSL certificate is issued for a host name, not for a particular service. Therefore it should not be a problem.

BTW hijacking of thread is not a good thing.

Cheers

0 Kudos

Hi,

There are 3 different ways to use web dispatcher with SSL. 1) You can have an SSL connection only between client and web dispatcher, 2) one SSL connection between client and host (web dispatcher works as a router) and 3) 2 different SSL connections: one between client and web dispatcher and a second one between web dispatcher and host. For case 1, you need to install your certificate to web dispatcher only. For case 2, you need to install your certificate into every application server (using transaction STRUST). You use parameter wdisp/ssl_certhost to define a common host name. For case 3, you can again use the same certificate for all application servers but you need to turn off host name validation in web dispatcher. You can do this with parameter wdisp/ssl_ignore_host_mismatch.

All cases are described here: http://help.sap.com/saphelp_nw04s/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/content.htm

Cheers

0 Kudos

> BTW hijacking of thread is not a good thing.

The "alias" part is operative...

> You use parameter wdisp/ssl_certhost to define common host name.

This controls only a default suggestion for the CN, but that seems to be the alias which Hapizorr is looking for.

What you can do is create a shared CN for servers in the domain using *.networkdomain.company.com for the certificate request from one of the servers and import this same response into all the others as well.

This gives them all the same identity and if you are using end-to-end SSL with load balancing to the servers, then it does not matter when the serverhost part of the fully qualified hostname changes because it is still a part of the CN.

The catch here is how you balance the user distribution within the common server identities and whether the connection for whatever application reasons can be terminated or needs to remain open at each request.

The easy way out is to buy one really big server and use SSL termination on the web dispatcher within the hardened server network...

Cheers,

Julius

0 Kudos

Hi,

I don't think you need a wild card certificate. You can use a standard certificate for one domain. Here is a quote from the SAP documentation for the parameter wdisp/ssl_certhost.

Your server certificate is issued on the name "www.sap.com". You activate this certificate for all application servers in transaction STRUST. You also set the value of wdisp/ssl_certhost to www.sap.com.

If this parameter is not set, the host names on the message server (transaction SMLG) and the names the certificates are issued with must be the same.

Cheers
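
Added example (not part of any post in this thread): a Python sketch of the host name check the replies discuss, showing which application server names a wildcard CN or a single-host certificate covers, and how validating against one common name, as wdisp/ssl_certhost is described above, changes the result. The matcher, the function names and the backend host names are constructed for illustration and are not SAP's validation code.

```python
# Added example: constructed host names, not taken from a real landscape.

def name_matches(pattern: str, host: str) -> bool:
    """Match a certificate name against a host name.

    A wildcard is honoured only as the complete left-most label and
    covers exactly one label, which is how TLS clients commonly treat it.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def mismatches(cert_names, backend_hosts, certhost=None):
    """Return backend hosts whose certificate check would fail.

    certhost models the effect the thread attributes to
    wdisp/ssl_certhost: every backend is validated against that one
    name instead of its own host name (assumption of this sketch).
    """
    failed = []
    for host in backend_hosts:
        expected = certhost or host
        if not any(name_matches(n, expected) for n in cert_names):
            failed.append(host)
    return failed


# Constructed sample: host names as a message server might list them.
BACKENDS = [
    "app1.networkdomain.company.com",
    "app2.networkdomain.company.com",
    "app3.dmz.networkdomain.company.com",
]

if __name__ == "__main__":
    print(mismatches(["*.networkdomain.company.com"], BACKENDS))
    print(mismatches(["www.sap.com"], BACKENDS))
    print(mismatches(["www.sap.com"], BACKENDS, certhost="www.sap.com"))
```

Any host this reports would only be accepted with host name validation switched off, which removes the check that the web dispatcher is talking to the intended server.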