Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

Moving servers to different country - Effects on Certificates?

Former Member
0 Kudos

Hi,

We are in the process of moving all our SAP servers from one country to another. After the move, the IP addresses, hostnames and the actual servers will change for all SAP systems. Before the servers are moved, we are analyzing the effect of these changes on the communications of PI with external partners. Our PI systems use certificates at both the ABAP and the Java level. So the following are the major concerns:

1. For incoming messages from external partners to PI using HTTPS, we have a Web Dispatcher. The Web Dispatcher will also be moved. If we don't change the hostname of the Web Dispatcher, will the certificates still work for us from the other country? When getting the certificates signed by the verifying authority, we provide details such as Country. Therefore we have doubts whether it could have any effect when the country from which the communication occurs changes.

2. We have Java-based certificates generated in NetWeaver Administrator for communications like AS2, where we generate the certificate on our side and send the public one to the partners. Will these certificates work from the new environment (servers, IPs, hostnames), or do we need to regenerate them?

I found this question more suitable for the Security forum, and I hope I don't have to move it to the PI forum or maybe the NetWeaver Administrator forum.

Best regards,

Prateek Raj Srivastava

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Prateek,

Are you using SSL termination at the Web Dispatcher or end-to-end SSL? From an effort perspective you might get away with only creating new certificates for the Web Dispatcher.

The "country" attribute in the name does not really matter, as the server does not know which country it is located in, so at runtime it is a true global citizen...

What does matter is the host name(s) for which you have created either individual, standard or common PSEs for the servers.

Do they all have the same "identity" and only need to trust each other? For PI I see this as being highly unlikely, so you will most likely end up having to request new certificates.

Please give us a few more details on the architecture to be able to comment with more certainty.

Cheers,

Julius

7 REPLIES

0 Kudos

Hello,

>>Are you using SSL termination at the webdispatcher or end-to-end SSL?

For incoming messages from external partners, SSL is used only up to the Web Dispatcher; between the Web Dispatcher and PI it is HTTP.

>>From an effort perspective you might get away with only creating new certificates for the web dispatcher.

Even though the original hostname of the Web Dispatcher will change, we thought of using the current name as an alias of the new hostname.

>>What does matter is the host name(s) for which you have created either individual, standard or common PSE's for the servers.

We created certificates at PI and shared them with external parties. Incoming communication from external partners to PI comes via the Web Dispatcher. Outgoing communication is open, and PI can send any data to a third party without routing it through the Web Dispatcher. Therefore, for outgoing messages PI uses the third-party certificates, using which data is sent directly to the partners.

>>SSL certificates are usually issued for host names.

So with the hostnames/IPs getting changed, do you mean all certificates have to be replaced? These certificates are shared with external parties, and therefore we want to be very sure theoretically at the beginning.

Best regards,

Prateek

0 Kudos

>>Even though the original hostname of Web Dispatcher change, we thought of using the current name as alias of the new hostname.

In the case of SSL termination, if the client is sending an https request to the dispatcher using the same common domain as used before, and you are aliasing them to hide the true name or IP (for more info see [wiki on NAT translators|http://en.wikipedia.org/wiki/Network_address_translation]), then in theory you should be fine.

One of my customers was looking into something similar when working out a plan for what to do if one of their certificates was compromised. They eventually came to the conclusion that they would simply replace them all if this happened. In this case you are also fine in practice as well as in theory...

After moving the servers, check in transaction STRUST whether the certificates are all still green.

Cheers,

Julius

0 Kudos

Hi Prateek,

If you are terminating SSL at your dispatcher, then I would anyway replace all certificates in a clean sweep, as you are not using it in that direction for mutual authentication with the servers. Little can go wrong and it should be a low effort.

See [drawback of network address translation|http://en.wikipedia.org/wiki/Network_address_translation#Drawbacks] and the section on application gateways. SAP and partners make extensive use of these - if some program is registered at the gateway and your external client tries to communicate directly with it, expecting the request to be encrypted, then your back-end application server might have problems as well.

I only know of one vendor where this will happen with almost certainty (document conversion server from SEAL), because it cannot monitor the gateways directly anymore.

Give it a try and let us know. Personally I would replace them all with new ones, particularly if they are "self signed".

Cheers,

Julius

0 Kudos

Hi,

I just want to add that replacing SSL certificates is not unusual. Each certificate has a limited period of validity, therefore it has to be changed unless you decommission your system before the expiry date. So maybe document this process this time, and next time it will just be a matter of following a simple how-to document.

Cheers

0 Kudos

I agree with Martin.

Your basis team should be ready for this anyway, sooner or later...

Cheers,

Julius

martin_voros
Active Contributor
0 Kudos

Hi,

SSL certificates are usually issued for host names. Therefore, unless your certificate is issued with an IP address as the common name, it shouldn't be a problem to change the IP address of each host without re-issuing the certificate.

SSL/TLS uses the X.509 standard for certificates, but as Julius mentioned, SSL does not use the country attribute during the connection.

Cheers
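The two points made in this thread (Julius: the country attribute plays no role at runtime, and what matters is the host name the certificate was issued for; Martin: an IP change is harmless unless the IP is itself the certificate's identifier) are exactly what a TLS client's hostname check implements. The following is an added illustration, not code from any poster or from SAP: it applies the RFC 6125 matching rules to a certificate described in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns. The certificate values, hostnames and IPs are constructed for the example, and `relocate_subject` is a hypothetical helper that only rewrites the subject's countryName so the comparison can be shown.

```python
import ipaddress
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# not a real certificate. Issued in one country, with a DNS name, a
# wildcard alias and an IP address as subjectAltName identifiers.
PI_CERT = {
    "subject": (
        (("countryName", "DE"),),
        (("organizationName", "Example AG"),),
        (("commonName", "pi.example.com"),),
    ),
    "subjectAltName": (
        ("DNS", "pi.example.com"),
        ("DNS", "*.pi-alias.example.com"),
        ("IP Address", "10.1.2.3"),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}

# Constructed legacy-style certificate: no subjectAltName, only a CN.
LEGACY_CERT = {
    "subject": ((("countryName", "DE"),), (("commonName", "pi.example.com"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}


def _dns_match(pattern, hostname):
    """RFC 6125-style DNS-ID comparison: case-insensitive, a wildcard is
    only accepted as the entire leftmost label, and the label count must
    agree (so *.a.example does not cover x.y.a.example)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Return (ok, detail). Only DNS / IP identifiers are consulted; the
    subject's countryName and every other attribute are ignored, which is
    why the server's physical location never enters into validation."""
    san = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An IP is only acceptable if the certificate names that exact IP.
        for kind, value in san:
            if kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip:
                return True, "IP Address SAN " + value
        return False, "no IP Address SAN equals " + hostname
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        for name in dns_names:
            if _dns_match(name, hostname):
                return True, "DNS SAN " + name
        return False, "no DNS SAN matches " + hostname + " (CN ignored when SANs exist)"
    # Legacy fallback: CN is consulted only when there is no SAN at all.
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and _dns_match(value, hostname):
                return True, "CN " + value
    return False, "no identifier matches " + hostname


def is_within_validity(cert, now=None):
    """True when `now` (UTC) lies inside notBefore..notAfter. A certificate
    that is otherwise fine still stops working at notAfter, wherever the
    server is located; this is the expiry part of the STRUST status check."""
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= now_ts
            <= ssl.cert_time_to_seconds(cert["notAfter"]))


def relocate_subject(cert, new_country):
    """Hypothetical helper: copy of `cert` with countryName replaced, to
    show that the attribute has no effect on hostname matching."""
    subject = tuple(
        tuple((attr, new_country if attr == "countryName" else value) for attr, value in rdn)
        for rdn in cert["subject"]
    )
    return {**cert, "subject": subject}


if __name__ == "__main__":
    for host in ("pi.example.com", "pi-new.example.com", "wd.pi-alias.example.com",
                 "10.1.2.3", "10.9.9.9"):
        print(host, "->", match_hostname(PI_CERT, host))
    print("after relocation:", match_hostname(relocate_subject(PI_CERT, "IN"), "pi.example.com"))
```

Read against the thread: moving the Web Dispatcher but keeping `pi.example.com` resolvable (the alias Prateek proposes) keeps the match; a new hostname such as `pi-new.example.com` fails even though the certificate is otherwise valid; the IP change only matters if the IP itself was put into the certificate; and rewriting the country attribute changes nothing.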