Hi,
A lot has been said and written about howto use ssl on a reverse proxy - webdispatcher - AS java 7.3 with a webchannel experience . However none of them cover the real issues as some of us face. In the above situation this is what I want . A self signed 512 bit RSA certificate ( no need to hog the processor ) on the AS java terminated on the webdispatcher. Again a self signed 512 bit RSA certificate on the web dispatcher terminated on the reverse proxy. On the reverse proxy a SIGNED 2048 bit certificate for the outside world. Ssl-end-to-end is not in this discussion/question.
Creating the SAPSSLS.pse and SAPSSLC.pse in the webdispatcher is not difficult. Connecting to the webdispatcher via https results in a expected unverified certificate error. Nothing new there. The same for the AS Java 7.3. In netweaver administrator one create a certificate and here also the expected unverified certificate error. Webchannel experience is working directly connecting to the AS Java.
Now the problem. When I connect via the webdispatcher I get the famous "ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete" , Found root certificate of <CN=someserver, C=NL> which does not fit the given PKRoot.
This sucks as many of you learned. So google is your friend and I found that adding the AS Java certificate to the webdispatchers pse should do the trick.
Well, it didn't. With sapgenpse maintain_pk -a certificate.cer the certificate is added but somehow I still get the above error. Makes me wonder if it is possible to create a certificate that is it's own issuer and add it to the web dispatcher. Is it correct that the certificate from the AS Java added to the web dispatcher HAS to be signed. If not then what would be a propper the procedure.
Kind regards
Patrick
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.