Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

IIS 7.0 and NW 7.0 Ehp1 SSL Configuration

Former Member

‎08-19-2011 10:35 PM

0 Kudos

Hi

We have generated the CSR from IIS 7.0 and got it signed from Verisign. Our current Netweaver version is 7.0 Ehp1. We need to configure the SSL while the certificate is signed for IIS.

How is it possible.Also if the certificate is installed on IIS, which certificate do we use in Visual Admin

Regards

Neel

10 REPLIES 10

Former Member

‎08-22-2011 8:40 AM

0 Kudos

Hi

Could someone please reply on this

Regards

Neel

Former Member
In response to Former Member

‎08-22-2011 9:18 PM

0 Kudos

So SAP is connecting to an external web server and this should use SSL.

Are you familiar with transaction STRUST or the VA? You need to create an SSL client server PSE and import the generated cert from the CA (Verisign).

This is well documented in the online help of transaction STRUST and the Netweaver Administrator on the Java Stack (or the VA), so I would suggest reading that and then let is know if you get stuck.

You should perhaps also mention the system type (PI?) you are using?

Cheers,

Julius

Edited by: Julius Bussche on Aug 22, 2011 10:18 PM

mvoros
Active Contributor

‎08-23-2011 12:59 AM

0 Kudos

Hi,

you should be more specific about your scenario. Why do you need to import certificate for IIS into SAP application server? I guess that they don't run on same box so host name will be different. This might not be a problem but it is really hard to understand what you want to do.More confusion comes when you mention visual admin. So you also have Java stack in your landscape.

Cheers

Former Member

‎08-23-2011 8:13 AM

0 Kudos

Hi Julius/Martin

Thank you for your reply.

I will explain the scenario below:

This is Netweaver 7.0 Ehp1. It contains the ABAP and Java stack. The ABAP stack and database (MSSQL 2008) are in private zone. The Java stack is in DMZ zone. In our scenario there is no separate web-server.The users directly hit the Java server from internet.The OS of the java server as well as ABAP server is Windows 2008 R2.

Since the public IP is not accessible from within the server due to security policies we have generated the Certificate signing request from IIS rather than visual administrator.

Now we have a SSL certificate which is signed by Verisign

How do we proceed further from here?

Hope the above data points help to clearly understand the scenario.Please let me know if any further data points are required.

Thanks

Neel

Former Member
In response to Former Member

‎08-23-2011 12:55 PM

0 Kudos

Hi,

If I understand well, you don't use a reverse proxy to protect your java stack from the internet. (Even if it is isolated in a DMZ, this is not a good idea IMHO...).

It means that the SSL signed certificate has to be installed on the java stack but you cannot use a certificate generated on IIS because it waill have a different key pair. You have to generate the CSR from the Java stack system.

Regards,

Olivier

Former Member
In response to Former Member

‎08-23-2011 9:22 PM

0 Kudos

Hi Olivier,

Are you using self-signed server PSEs?

IMO you can use any supported CA to generate a CSR provided the root certificate is supported by the browser (for encryption only).

Or is SSO wanted here? (I assumed that it is only encryption SSL being asked about, however I thought initially that the SAP WAS was the client component which seems not to be the case).

Cheers,

Julius

mvoros
Active Contributor
In response to Former Member

‎08-23-2011 10:46 PM

0 Kudos

Olivier is right that all documented ways of creating SSL certificate is to generate certificate on Java AS and then send it to CA. You did that outside of Java AS. You might be able to import it using tools like OpenSSL. In what format do you have your do you have your certificate? sapgense allows to import certificate in PKCS#12 format.

Cheers

Former Member
In response to Former Member

‎08-23-2011 11:13 PM

0 Kudos

D'oh

Yes you are correct, you do generate the CSR for the server and send it to the CA, but that can be any supported CA and does not have to be a specific server (you can import certificates).

So I guess the question is: which type of CSR was generated on the IIS 7.0 for which common servers to be able to import it into the SAP WAS?

The setup is a bit suspect, so I hope that I am wrong.

Cheers,

Julius

Former Member
In response to Former Member

‎08-24-2011 12:21 PM

0 Kudos

In fact it is possible to import a key pair in the Java Key storage but it is much easier to generate it and then the CSR for CA signature.

In fact, I usually use self signed ceritificates on the SAP back end systems and use CA signed certificates on the SAP Web Dispatchers I use as reverse proxy, load balancer and also to simplify URLs and ports.

At first, I thought that the OP uses IIS as a reverse proxy.

Regards,

Olivier

mvoros
Active Contributor
In response to Former Member

‎08-25-2011 12:14 AM

0 Kudos

That's a good approach. Nowadays, I think that using self-signed certificates in scenario where you can control all clients is event better than using certificates signed by CA.

Cheers