
SAP WebDispatcher SSL

former_member301120
Active Participant
0 Kudos

Hello to all,

we've got 2 domains with different IP addresses pointing to our webdispatcher.

a.domain.de

b.domain.de

Now I've enabled SSL.

If I create the request files, the first one works fine:

sapgenpse get_pse -p SAPSSLS.pse -x pin -r a.req "CN=a.domain.de, OU=ABC, O=ABC, C=DE"

Now if I want to create the second request file with:

sapgenpse get_pse -p SAPSSLS.pse -x pin -r b.req "CN=b.domain.de, OU=ABC, O=ABC, C=DE"

I get an error:

get_pse ERROR: PSE already exists "/usr/sap/WDP/W00/sec/SAPSSLS.pse"

So my questions:

- Couldn't I import two private certificates in one PSE?

- Do I need an explicit webdispatcher for each subdomain?

Best regards

Christian

Accepted Solutions (0)

Answers (4)


tsenol
Active Participant
0 Kudos

I have the same issue to solve. Does anyone have an answer for using 2 different SSL certificates in a web dispatcher?

Regards

Tutku

Former Member
0 Kudos

Can we conclude even with the latest NW7.3 Web Dispatcher, one SAP WD with multiple hostnames/IPs cannot have multiple SSL certificates (one for each FQDN)?

Former Member
0 Kudos

Hello,

No, it is now indeed possible to use a SAP Web Dispatcher with a single SSL certificate with 2 Subject Alternate Names. I generate the Web Dispatcher PSE with transaction STRUST from Netweaver Abap >= 7.30. Our internal PKI CA has been configured to accept to sign these double named certificates.

I have already explained that in other SCN threads.

Best Regards,

Olivier

Former Member
0 Kudos

Hi Oliver,

appreciate on your sharing:

it can be achieved with a Subject Alternate Name (SAN) cert using STRUST with the alternate names field.

further clarifications on front end browser output. What will it be if:

1) SAN cert with a.domain.com and b.domain.com. User hit a.domain.com. When the cert is opened, what DN is being shown?

2) single cert with <SID>. User hit a.domain.com or b.domain.com. Will it cause any browser error or warning?

Lastly, can SAPGENPSE generate a SAN CSR for a public CA to sign?

Thanks for your help!

Former Member
0 Kudos

Hi Roger,

1) The DN shown when the cert is opened is the one you chose to put first when creating the cert in STRUST. In my case, I use Windows servers and they are in both the Windows domain and in a DNS domain. The Windows server has a hostname and also a DNS alias used for disaster recovery.

In the past we called SAP web applications using the hostname and the DNS domain.

Now we have a disaster recovery system and we use SPNego/Kerberos SSO which means we have to call SAP web applications using the DNS alias and the Windows Domain.

But as the old URLs have links configured everywhere in the intranet, for compatibility reasons, we needed to be able to call the applications with both URLs:

Old one: https://hostname.dnsdomain/sap/....      for compatibility

New one: https://dnsalias.windowsdomain/sap/.... for disaster recovery and Kerberos.

Therefore the need for a certificate with both these Alternate Subject Names.

When I create the PSE with STRUST, I enter both names separated by ;

When the cert is displayed from the browser, I get :

Delivered to: dnsalias.windowsdomain

and in the Details tab, I get:

Object: CN=dnsalias.windowsdomain  OU = ....

Alternate Names :

DNS Name = dnsalias.windowsdomain

DNS Name = hostname.dnsdomain

2) I don't understand what you call single cert with <SID>

3) I never succeeded in using SAPGENPSE to generate a SAN CSR. Therefore I don't think it is possible. I only succeeded using the file option of transaction STRUST.

Regards,

Olivier

Former Member
0 Kudos

Great stuff Oliver. Now I can understand your background of using this.

My background of using multiple SSL for one Dispatcher is because of the design of a frontend DMZ server for multiple backend ERP, BW and NWGW.

We intend to use different virtual IPs and DNS records within a Web Dispatcher in a DMZ server as an SSL terminator.

So the scenario will be having Internet users hitting SSL URLs:

erp.abc.com

bw.abc.com

nwgw.abc.com

intended to use multiple SSL Certs but a single SAP WD can only support a single SSL Cert.

1. Let's say we use CN=abc.com and perform self-signing using STRUST. When a user hits any of the 3 above URLs, what will the browser complain about? Or no issues?

2. Since STRUST can generate SAN certs, can it generate SAN or wildcard CSR?

Former Member
0 Kudos

Hello Roger,

1. If you set CN=abc.com the browser will always complain that the certificate is wrong and the connection unsafe because the CN would be different from the URL.

In my opinion, you would have to set CN=*.abc.com but I think that this kind of certificate is very expensive to get signed by a "well known" CA.

2. I've never had to use STRUST for a wildcard CSR but I think it should be possible. You should give it a try.

In your case, I would try to use STRUST to create a PSE certificate with CN=erp.abc.com and with 3 Alternate Subject Names :

erp.abc.com

bw.abc.com

nwgw.abc.com

You should check in advance with the CA if they are able to sign this kind of certificates.

Best Regards,

Olivier
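To make the browser behaviour Olivier describes concrete, here is an added example (not code from this thread, from SAP or from any poster) that applies the hostname-matching rules browsers follow (RFC 6125) to the three certificate layouts discussed above: CN=abc.com alone, a wildcard CN=*.abc.com, and a SAN certificate listing erp.abc.com, bw.abc.com and nwgw.abc.com. The certificate records are small constructed objects, not parsed PSE files; the function and field names are my own.

```python
"""Which of the dispatcher's hostnames does a server certificate cover?

Added example for this thread; the certificate records below are constructed
for illustration (no PSE parsing). Matching follows the RFC 6125 rules that
browsers apply: if the certificate carries dNSName SAN entries, only those are
consulted and the CN is ignored; a wildcard may only stand for exactly one
left-most DNS label.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class ServerCert:
    """Minimal view of a server certificate: Subject CN and SAN dNSNames."""
    common_name: str
    san_dns_names: List[str] = field(default_factory=list)


def identifier_matches(presented: str, hostname: str) -> bool:
    """Match one presented identifier (CN or dNSName) against a hostname."""
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label and must leave at
    # least two further labels (so "*.com" is rejected).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # "*" covers exactly one label: *.abc.com matches erp.abc.com but
    # neither abc.com nor a.erp.abc.com.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(cert: ServerCert, hostname: str) -> bool:
    """True if a browser would accept this certificate for the hostname."""
    if cert.san_dns_names:
        # SAN present: the CN is not consulted at all.
        return any(identifier_matches(n, hostname) for n in cert.san_dns_names)
    return identifier_matches(cert.common_name, hostname)


def uncovered_hosts(cert: ServerCert, hostnames: List[str]) -> List[str]:
    """Hostnames of the dispatcher that would produce a browser warning."""
    return [h for h in hostnames if not cert_covers(cert, h)]


# Hostnames from Roger's DMZ scenario above.
DMZ_HOSTS = ["erp.abc.com", "bw.abc.com", "nwgw.abc.com"]

# The three certificate layouts discussed in the thread (constructed).
SINGLE_NAME_CERT = ServerCert(common_name="abc.com")
WILDCARD_CERT = ServerCert(common_name="*.abc.com")
SAN_CERT = ServerCert(common_name="erp.abc.com",
                      san_dns_names=["erp.abc.com", "bw.abc.com", "nwgw.abc.com"])

if __name__ == "__main__":
    for label, cert in [("CN=abc.com", SINGLE_NAME_CERT),
                        ("CN=*.abc.com", WILDCARD_CERT),
                        ("SAN cert", SAN_CERT)]:
        missing = uncovered_hosts(cert, DMZ_HOSTS)
        print(f"{label:12s} -> uncovered: {missing or 'none'}")
```

Running the script shows CN=abc.com leaving all three hosts uncovered (the warning Olivier predicts), while both the wildcard and the SAN certificate cover them; the wildcard does not cover abc.com itself or any deeper name such as a.erp.abc.com.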


Former Member
0 Kudos

great to see your reply again Oliver. Cheers!

1. STRUST to generate a wildcard CSR is possible. But like you indicated, it is damn expensive. About $499/yr. Interestingly, some browsers do not support wildcard SSL and it is even mentioned in an SAP note that a wildcard CN is not a recommended or even recognized way on the Internet.

2. I have checked your other SCN thread that once you got your own CA PKI to sign the cert, it will appear in the SAN of STRUST. I tried it in my test server and there is no way to get it in the SAN field of STRUST. The only way for me is to insert in the DN field multiple CNs separated by ;

Am I right?

Former Member
0 Kudos

Hello Roger,

2. This is correct: To generate the self-signed certificate, I enter multiple CNs separated by ";".

I see my 2 SAN in STRUST only after importing the signature from the PKI.

Best Regards,

Olivier

Former Member
0 Kudos

Hi Oliver,

I tried to create a certificate request in STRUST -> Create with two CNs separated by ";"

mit.vaillant-group.com

groupnet.vaillant-group.com

But I got the following error: "Fields contained invalid characters"

Could you explain the right way in STRUST?

Thank you

Pia Menzel

Former Member
0 Kudos

Hello Pia,

I just re-did a test to remember how to do it.

STRUST --> Right Click on File --> Create --> popup "Create PSE" opens up.

Click on "pencil" button (Revise DN)

Choose

Algorithm : RSA with Sha-1

Key Length : 2048

In the DN field, I enter my 2 CNs separated by ;

CN=name1.domain1,OU=xxxx,O=company,C=yy ; CN=name2.domain2,OU=xxxx,O=company,C=yy


Then I have to choose the PSE Filename and directory to save it.

If I double click on "File" I am able to load the PSE and to generate a CSR to have it signed by our PKI. On the PKI screen, I have also to enter both FQDN as Alternate Subject Names.

When I load the p7b file (answer from the PKI) in STRUST in the SSL certificate, I can see 2 dNSNames in the Subject (Alt.) field.

When I save, I can now copy the signed PSE in the sec directory of the SAP Web Dispatcher and call https Urls using both names without browser errors.

Best Regards,

Olivier

Former Member
0 Kudos

PS: What a crappy forum software! My message is now so badly formatted....

Former Member
0 Kudos

Hi Olivier,

thanks a lot for your fast help. Now I could create the cert request and sent it to the PKI, hope the response works fine.

Best Regards

Pia

Former Member
0 Kudos

Hi Olivier,

now I got the response from the PKI and the import via STRUST works fine, I can see:

But if I export the server PSE as SAPSSLS.pse and copy it to the Web dispatcher in the DMZ I get this error with the sapgenpse tool:

sapgenpse get_my_name -p SAPSSLS.neu.pse

get_my_name: Couldn't open PSE "/usr/sap/WD2/W00/sec/SAPSSLS.neu.pse"

I tried it with and without password, but it does not work. The PSE file has all rights and is assigned to the right user "wd2adm"

What can cause this error?
Could you help me?

Regards

Pia Menzel

Former Member
0 Kudos

Hi Pia Menzel,

You should copy the PSE from your Web Dispatcher to your ABAP store server and import it via STRUST. Thereafter, add the signed certificate to the PSE.

Then export the PSE and copy back to your Web Dispatcher.

Former Member
0 Kudos

Hello Pia,

I don't understand what you're trying to do with sapgenpse. After importing the PKI response with STRUST, you just save the signed PSE to the web dispatcher /sec directory, restart the web dispatcher and all should be ok.

I don't use sapgenpse at all, only STRUST.

Best Regards,

Olivier

Former Member
0 Kudos

Morning Olivier,

I used sapgenpse to check the signed certificate and the authorisation.

OK, I restarted my WD with the new SAPSSLS.pse but I also get an error:

[Thr 139814821607168] *** ERROR =>   secudessl_Create_SSL_CTX():  PSE "/usr/sap/WD2/W00/sec/SAPSSLS.pse": unable to use! [ssslsecu_mt. 1735]

[Thr 139814821607168] No Secude Error present in trace stack!

[Thr 139814821607168] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential

        for "/usr/sap/WD2/W00/sec/SAPSSLS.pse" [ssslxxi_mt.c 2324]

[Thr 139814821607168] *** ERROR => Initialization of SSL library failed -- NO SSL available!

[Thr 139814821607168] =================================================

[Thr 139814821607168]

[Thr 139814821607168] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR

[Thr 139814821607168] *** ERROR => IcmServInitSSL: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv_mt. 251]

What I did to create SAPSSLS.pse:

- I created a cert request in STRUST in one of our ABAP Systems (Rel 731)

- sent it to the PKI (by customer)

- after the response from the PKI I imported the cert response (with root and intermediate cert) in the Server PSE in STRUST

- then I exported this PSE to the file system (base64)

- and copied the SAPSSLS.pse to the sec directory of the WD (Rel 730)

- and now I get the SSL error

What have I done wrong?

Regards

Pia

Former Member
0 Kudos

Hello Pia,

Strange, I've never had this error.

How did you create the PSE with STRUST ?

Did you choose "File --> Right click --> Create"  and not "SSL server standard --> Right click --> Create" ?

Do you have the "ticket" file in the sec directory of the web dispatcher ?

Best Regards,

Olivier

Former Member
0 Kudos

Here is an extract of a SAP Web Dispatcher Trace file when starting SSL with a STRUST generated PSE :

[Thr 12020] =================================================

[Thr 12020] = SSL Initialization    platform tag=(NTAMD64)

[Thr 12020] =   (720_REL,Nov 20 2011,mt,ascii,SAP_UC/size_t/void* = 8/64/64)

[Thr 12020]   profile param "ssl/ssl_lib" = "D:\usr\sap\DEV\WebDisp\sapcrypto.dll"

[Thr 12020]            resulting Filename = "D:\usr\sap\DEV\WebDisp\sapcrypto.dll"

[Thr 12020] =   found SAPCRYPTOLIB  5.5.5C pl32  (Apr  2 2011) MT-safe

[Thr 12020] =   current UserID: TESTBED\SAPServiceDEV

[Thr 12020] =   using SECUDIR=D:\usr\sap\DEV\WebDisp\sec

[Thr 12020]   profile param "ssl/server_pse" = "D:\usr\sap\DEV\WebDisp\sec\SAPSSLS_DEV_testbed_bpa_signed.pse"

[Thr 12020]            resulting Filename = "D:\usr\sap\DEV\WebDisp\sec\SAPSSLS_DEV_testbed_bpa_signed.pse"

[Thr 12020] =  secudessl_Create_SSL_CTX():  PSE "D:\usr\sap\DEV\WebDisp\sec\SAPSSLC.pse" not found,

[Thr 12020] =      using PSE "D:\usr\sap\DEV\WebDisp\sec\SAPSSLS_DEV_testbed_bpa_signed.pse" as fallback

[Thr 12020] =  secudessl_Create_SSL_CTX():  PSE "D:\usr\sap\DEV\WebDisp\sec\SAPSSLA.pse" not found,

[Thr 12020] =      using PSE "D:\usr\sap\DEV\WebDisp\sec\SAPSSLS_DEV_testbed_bpa_signed.pse" as fallback

[Thr 12020] ******** Warning ********

[Thr 12020] *** No SSL-client PSE "SAPSSLC.pse" available

[Thr 12020] *** -- this will probably limit SSL-client side connectivity

[Thr 12020] ********

[Thr 12020] = Success -- SapCryptoLib SSL ready!

[Thr 12020] =================================================

Best Regards,

Olivier
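Pia's failed start-up trace and Olivier's successful one above differ in a handful of marker lines. The following is an added example (not from this thread or from SAP) that pulls those markers out of Web Dispatcher trace lines: the configured ssl/server_pse, any PSE reported as unusable, SSSLERR_* codes, the missing-client-PSE warning and the final "SSL ready" line. The two sample traces are shortened copies of the posts above; the summary keys and function names are my own.

```python
"""Summarise the SSL initialisation section of a SAP Web Dispatcher trace.

Added example for this thread (not SAP code). The two sample traces are
shortened copies of the posts above: Pia's failed start and Olivier's
successful one. The dictionary keys returned are chosen for this example.
"""
import re
from typing import Dict, List

RE_SERVER_PSE = re.compile(r'profile param "ssl/server_pse" = "(.+?)"')
RE_UNUSABLE_PSE = re.compile(r'PSE "(.+?)": unable to use!')
RE_ERROR_CODE = re.compile(r'\b(SSSLERR_[A-Z_]+)\b')
RE_MISSING_CLIENT = re.compile(r'No SSL-client PSE "(.+?)" available')
RE_SUCCESS = re.compile(r'Success -- SapCryptoLib SSL ready!')
RE_NO_SSL = re.compile(r'NO SSL available!')


def summarize_ssl_init(lines: List[str]) -> Dict[str, object]:
    """Extract the outcome-relevant facts from trace lines."""
    server_pse = None
    unusable: List[str] = []
    codes: List[str] = []          # unique SSSLERR_* codes, first-seen order
    missing_client: List[str] = []
    ssl_ready = None               # None until a success or failure line is seen
    for line in lines:
        m = RE_SERVER_PSE.search(line)
        if m:
            server_pse = m.group(1)
        m = RE_UNUSABLE_PSE.search(line)
        if m:
            unusable.append(m.group(1))
        for code in RE_ERROR_CODE.findall(line):
            if code not in codes:
                codes.append(code)
        m = RE_MISSING_CLIENT.search(line)
        if m:
            missing_client.append(m.group(1))
        if RE_SUCCESS.search(line):
            ssl_ready = True
        if RE_NO_SSL.search(line):
            ssl_ready = False
    return {"server_pse": server_pse, "unusable_pses": unusable,
            "error_codes": codes, "missing_client_pse": missing_client,
            "ssl_ready": ssl_ready}


def verdict(summary: Dict[str, object]) -> str:
    """One-line reading of the summary for an operator."""
    if summary["ssl_ready"] is True:
        note = ""
        if summary["missing_client_pse"]:
            note = " (no client PSE: %s)" % ", ".join(summary["missing_client_pse"])
        return "SSL ready" + note
    if summary["ssl_ready"] is False:
        return "SSL init failed: unusable PSE %s [%s]" % (
            ", ".join(summary["unusable_pses"]) or "?",
            ", ".join(summary["error_codes"]) or "no SSSLERR code")
    return "no SSL initialisation outcome found"


# Constructed from Pia's post above (shortened).
FAILED_TRACE = r"""
[Thr 139814821607168] *** ERROR =>   secudessl_Create_SSL_CTX():  PSE "/usr/sap/WD2/W00/sec/SAPSSLS.pse": unable to use! [ssslsecu_mt. 1735]
[Thr 139814821607168] No Secude Error present in trace stack!
[Thr 139814821607168] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential
        for "/usr/sap/WD2/W00/sec/SAPSSLS.pse" [ssslxxi_mt.c 2324]
[Thr 139814821607168] *** ERROR => Initialization of SSL library failed -- NO SSL available!
[Thr 139814821607168] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
[Thr 139814821607168] *** ERROR => IcmServInitSSL: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv_mt. 251]
"""

# Constructed from Olivier's post above (shortened).
OK_TRACE = r"""
[Thr 12020] = SSL Initialization    platform tag=(NTAMD64)
[Thr 12020]   profile param "ssl/server_pse" = "D:\usr\sap\DEV\WebDisp\sec\SAPSSLS_DEV_testbed_bpa_signed.pse"
[Thr 12020] =  secudessl_Create_SSL_CTX():  PSE "D:\usr\sap\DEV\WebDisp\sec\SAPSSLC.pse" not found,
[Thr 12020] =      using PSE "D:\usr\sap\DEV\WebDisp\sec\SAPSSLS_DEV_testbed_bpa_signed.pse" as fallback
[Thr 12020] ******** Warning ********
[Thr 12020] *** No SSL-client PSE "SAPSSLC.pse" available
[Thr 12020] = Success -- SapCryptoLib SSL ready!
"""

if __name__ == "__main__":
    for name, trace in [("Pia", FAILED_TRACE), ("Olivier", OK_TRACE)]:
        print(name, "->", verdict(summarize_ssl_init(trace.splitlines())))
```

The "not found, using ... as fallback" lines are deliberately not treated as errors: they only mean the client and anonymous PSEs are absent, which the trace itself reports as a warning while still ending in "SSL ready".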

Former Member
0 Kudos

Hi Olivier,

I configured a lot of Web dispatchers with SSL in the past, I know the WD trace for SSL.

And before I switched to this new certificate the Web dispatcher was running with an SSL certificate without errors. And if I switch to the "old" SAPSSLS.pse it also works fine.

Only with the new one it does not work.

Regarding

How did you create the PSE with STRUST ?

Did you choose "File --> Right click --> Create"  and not "SSL server standard --> Right click --> Create" ?

--> I used "SSL server standard" --> is that the problem?

Regards

Pia

Former Member
0 Kudos

Pia,

--> I used "SSL server standard" --> is that the problem?

I think so. This entry is to create an SSL PSE for the ABAP ICM.

Try to recreate your PSE with "File --> Right click --> Create".

That's the way I do it and it works for me for several production systems...

Best Regards,

Olivier

Former Member
0 Kudos

Hi Olivier,

thanks a lot.

I will try it again via "FILE". I hope my customer gets no additional costs if he sends the next cert request to Symantec.

We will see.

Regards

Pia

Former Member
0 Kudos

Hi,

we're using a SAP NW 7.3 based Webdispatcher.

Is this thread also useful for 7.3?

Or is it now possible to use more than one domain (with enabled ssl) with this version?

Kind regards,

Stefan

former_member184682
Participant
0 Kudos

Hello,

Is it now possible to use two CNs in one PSE on the webdispatcher? Or is a reverse proxy like Apache the only way?

Thanks

Chan

Former Member
0 Kudos

Hello Christian,

You can use a certificate that is valid for both domains.

Instead of having one certificate for "a.domain.de" and another for "b.domain.de", you would have one for "*.domain.de".

This kind of certificate is a bit more expensive than a certificate for one domain, but you can use it to access more backend systems using this one certificate. You should see if the extra costs are worth it in your specific scenario.

Kind regards, Wilbert

Edit: typo

Edited by: Wilbert Jeuken on Jan 3, 2011 4:34 PM

former_member301120
Active Participant
0 Kudos

Hello Wilbert,

we don't want to use a wildcard certificate.

SAP has answered following:

The configuration of SAP Web Dispatcher to maintain two different SSL server PSEs at the same time is not documented in Notes or help.sap.com. So there is no information confirming that the SAP Web Dispatcher is able to work with multiple PSE files.

We now prefer to use an apache based reverse proxy.

It is also supported by SAP:

Yes, the Apache Web server can be used as a reverse proxy.

I'd suggest you refer to the following links:

http://help.sap.com//saphelp_nw70/helpdata/en/18/5cea2296190e4cb7faf9468ad793ea/frameset.htm

https://wiki.sdn.sap.com/wiki/display/BSP/Using+Proxies

Christian

hofmann
Active Contributor
0 Kudos

Hi,

a certificate with SAN isn't an option?

As Apache handles several certificates it doesn't do load balancing like web dispatcher does (connection to message server). Or do you want to put the Apache in front of the web dispatcher?

br, Tobias

former_member301120
Active Participant
0 Kudos

Hello Tobias,

I didn't mind load balancing till now. It's quite an important point.

Have you planned an equal scenario?

I think I'll run APACHE as reverse proxy. APACHE should do the SSL termination and SAP Webdispatcher should do the rest.

What do you think? Might it work?

br, Christian

hofmann
Active Contributor
0 Kudos

Hi,

letting something other than Web Dispatcher do the SSL termination is quite common:

- Dedicated hardware with SSL chip to off-load the SSL work

- Apache or other reverse proxy that serves as an entry point for HTTP requests (not limited to SAP)

and having the Web Dispatcher behind these to do the load balancing:

user <-> reverse proxy <-> web dispatcher <-> SAP

Staging the access allows you to also sequentially increase the security:

- General access to the reverse proxy

- Web Dispatcher is in a separate DMZ (secured by FW) that only allows connections from the reverse proxy

- backend systems in a network that again only allows connections from the Web Dispatcher

br,

Tobias

former_member301120
Active Participant
0 Kudos

Hello Tobias,

thank you for your advice.

I'll set it up this way and post my results.

Christian

former_member301120
Active Participant
0 Kudos

Hello,

we use a reverse proxy to terminate SSL and forward the request to SAP WebDispatcher.

Everything works fine.


jay_b2
Participant
0 Kudos

I'm implementing exactly what you have discussed here and would like to confirm if this can be implemented using Web Dispatcher as Reverse proxy.

i.e. Client SSL -- web dispatcher as reverse proxy (SSL termination) -- web dispatcher for load balancing -- SAP server

Do we face any issue with SSL certificates if we have two reverse proxies & two web dispatchers operating in parallel ?

former_member218672
Active Contributor
0 Kudos

Hello Chris,

Try below steps.

1) Download the SAP cryptographic software from service.sap.com/tcs. Select the correct one for your platform

2) Extract it with sapcar -xvf filename.sar

for windows /ntintel directory would be created and the following files would be extracted

for example

C:\saprouter\ntintel\sapcrypto.dll

C:\saprouter\ntintel\sapgenpse.exe

C:\saprouter\ticket

3) It is necessary to define the environment variables "SECUDIR" and "SNC_LIB" under the system account.

The SNC_LIB path may vary if you are using a 64 bit Windows server; the following is for a 32 bit Windows server.

SECUDIR -> C:\saprouter\

SNC_LIB -> C:\saprouter\ntintel\sapcrypto.dll

4) Check if the environment of the user running saprouter contains the environment variable SNC_LIB

5) now apply for a SAProuter certificate from the SAP Trust Center Service of SAP service marketplace

service.sap.com/tcs -> SAP Trust Center Service in Detail -> SAProuter Certificates

so you get your Distinguished Name.

6) Execute the following command in the \saprouter\ntintel directory in order to generate your certificate to be exchanged with SAP

sapgenpse get_pse -v -r certreq -p local.pse "Distinguished Name"

Follow the above steps to generate your certificate.

Regards,

Sen

former_member301120
Active Participant
0 Kudos

Hello Sen,

thanks for your reply.

With one certificate, alternatively one distinguished name, the SSL function works fine.

Now I have two domains pointing to my server. Also I have two distinguished names (DN) with different IP addresses.

If I want to generate the second certificate request for the other DN, I get the error above.

Is it possible to assign two DNs to one PSE, or alternatively to assign two different PSE files to the profile parameter ssl/server_pse?

Regards Christian

hofmann
Active Contributor
0 Kudos

If you want to use 1 SSL certificate, you'll need to use one that is valid for both domain names. By default, an SSL certificate is valid for one name only. (Which makes sense, as SSL certificates are used to identify a single server.)

Fortunately SSL certificates can include a principal name and alternative names => they can be valid for more than 1 server name (http://en.wikipedia.org/wiki/Subject_Alternative_Name).

Create an SSL certificate that also contains SAN names for your other server name.

br,

Tobias