cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SSL certificate import

markus_schalk
Participant

on ‎09-28-2012 1:22 PM

0 Kudos

Hello experts,

we often face some troubles with https-calls out of pi (7.11). And it's still not clear to me if it is always necessary to import all certificates

of a https address. I thought it should be enough to import only the chain above a server certificate. For example:

Shouldn't it be enough to import the Thawte SSL CA and the root?

Another problem is, that we sometimes need to restart the as java nodes, to get imported certs to be kind of "activated".

I think this shouldn't be so, but it is...

Is there any document or website explaning the kind of keystore topics (howto) in detail.

What is needed to be imported, when do we need a restart etc.?

Thanks in advance.

Kind regards

Markus

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (2)

Answers (2)

Former Member
‎09-28-2012 2:41 PM
0 Kudos

Hi Markus,

You have to install all the certificates starting from root node to its child node.

Please find the below steps.

  1.      Install the SAP Cryptographic Library on the application server.

  2.      Set the profile parameters.

  3.      Create and maintain the SSL Server PSEs as follows:

      a.      Create the SSL server PSEs.

      b.      Generate a certificate request for each SSL server PSE.

      c.      Send the certificate requests to a CA to be signed.

      d.      Import the certificate request responses into the server's SSL server PSEs.

      e.      Maintain the SSL server PSE's certificate list.

   4.      Creating the SSL Client PSEs as follows:

       a.      Repeat the procedure for the standard SSL client PSE.

       b.      If you want the application server to be able to use the anonymous identity to communicate with other Web servers, then repeat the procedure for the anonymous SSL client PSE.

       c.      If you want the application server to be able to use individual identities to communicate with other Web servers using SSL, then create individual SSL client PSEs.

       5.      Define which SSL Client PSE to use for each connection as follows:

       a.      In transaction SM59, you define the HTTP destinations for the SAP Web Application Server. In these destinations, you can specify whether SSL should be used for the connection and which SSL client PSE the server should use. See Specifying that a Connection Should Use SSL.

       b.      Restart the ICM to make sure that any changes take effect.

       6.      Test the connections.

               Follow the url http://help.sap.com/search/highlightContent.jsp.

Best Regards,

Sagarika

Show replies
Show replies
peter_wallner2
Active Contributor
‎09-28-2012 1:40 PM
0 Kudos

Hello Markus,

You have to import all certificates. You have to start with the Primayr Root CA, then the SSL CA and then the techsupport.endress.com. It is important to keep the sequence.

Looking at this thread I think it is safer to restart: http://scn.sap.com/thread/2063256

Sorry, I do not know about any document describing this in detail but there are numerous threads on scn on that topic.

Best regards,

Peter

Show replies
Show replies
Ask a Question