Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

SAP WebDispatcher certificate

Former Member
0 Kudos

Dear experts,

Not really sure if this is the correct forum, but I'll give it a shot. I'm having problems with certificate chain on my SAP WebDispatcher:


 secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

is it enough to install the CA chain with sapgenpse? will it remove the server certificate? What would the commandline for "adding" the ca chain?

Any suggestions are greatly appreciated.

Thanks

-Soren

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Soren,

you basically have to do the following:

1. Create a new PSE (Private/Public Keypair)

2. Create a certificate signing request

3. Import the CA response (ideally with the complete certificate chain)

4. Import the CA certificate (if not included in step 3, option "-r", see: [help.sap.com|http://help.sap.com/saphelp_nw04s/helpdata/en/7c/f3d02c3b5e234e8ab2d43d9fd48d29/content.htm])

Done. Importing the CA certificate does not overwrite the server certificate if this was your question.

Regards,

Martin

4 REPLIES 4

Former Member
0 Kudos

Hi Soren,

you basically have to do the following:

1. Create a new PSE (Private/Public Keypair)

2. Create a certificate signing request

3. Import the CA response (ideally with the complete certificate chain)

4. Import the CA certificate (if not included in step 3, option "-r", see: [help.sap.com|http://help.sap.com/saphelp_nw04s/helpdata/en/7c/f3d02c3b5e234e8ab2d43d9fd48d29/content.htm])

Done. Importing the CA certificate does not overwrite the server certificate if this was your question.

Regards,

Martin

0 Kudos

Thanks Martin.

I got it to work by including root certs from CA. Now i run into another problem, maybe someone has an idea.

My webdispatcher is enabling SSL successfully, hence the certificates incl CA chains are ok.

Its my webdispatcher which is going to communicate with my erec system (abap). In erec system I have a self signed SSL Server Cert made i strustsso2. i have exported it and imported it into sap webdispatcher's PKList. (sapgenpse maintain_pk...) I have also imported CA Cert chains into the PKList, but still when swebdispatcher is trying to make a connection to the erec server abap i get:


>> ---------- Begin of Secude-SSL Errorstack ---------- >>
ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed 
ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=erecserver.company.dom, O=My Company, C=country, L=location"
ERROR in get_path: (27/0x001b) Found root certificate of <CN=erecserver.company.dom, O=My Company, C=country, L=location> which does not fit the given PKRoot 
ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=erecserver.company.dom, O=My Company, C=country, L=location> which does not fit the given PKRoot 
<< ---------- End of Secude-SSL Errorstack ----------

I hope someone is able to help me out, or point me in the right direction. Im close to a go-live and I have been struggling wih this webdispatcher setup for a while.

Thanks in advance!

-Soren

0 Kudos

Hi Soren,

that sounds to me like you imported the partner's certificated, but the imported certificate has the same name, but is not the same certificate as on the partner system.

I would export it again on the partner system and reimport it on the web dispatcher.

Regards,

Martin

Former Member
0 Kudos

Hello,

I finally figured out what the problem was and wanted to share it with you guys. It came down to a kernel issue. When I updated the Kernel everything started to work (data got send and systems trust was established). So the stuff I had setup was ok, just the (old) kernel had a erm hickup.

Thanks everyone for the kind help on this issue!

Best Regards,

Soren