
SSL Configuration for SAP Content Server

Former Member

Hi Experts,

Now I am going to configure SSL settings between SAP Content Server and the end-user PC.

Of course, we will purchase a certificate from a CA.

But we don't know how to configure the SSL settings.

Please let me know the manual or procedure.

I thought that I had to set parameters via VA or Configtool,

but go.bat or configtool doesn't exist on Content Server.

Also I thought I had to execute TCD STRUST on ECC,

but I think that is between ECC and Content Server,

not between Content Server and the end-user PC.

[Environment]

-About SAP Content Server

OS: Windows2012

DB:MAXDB

SAP: SAP Content Server 6.50

-About Whole SAP System

ECC6.0 Ehp7

Netweaver Portal7.4

TREX7.1

ADS7.4

Thank you in advance.

Best Regards,

Toshi

Accepted Solutions (0)

Answers (1)

cris_hansen
Advisor

Dear Toshi,

Please have a look at the following SAP Help page: Secure URLs - SAP Content Server.

I hope this helps.

Kind regards,

Cris

Former Member

Hi Cris,

Thank you for your reply.

I already have the URL that you told me, but I don't have confidence in it.

Because it seems that all tasks are done on ECC.

What task has to be done on Content Server?

Also, I have a question about whether I have to execute Visual Administrator or not.

Because I think that SSL parameters are set via Visual Administrator.

But the Help page doesn't describe it.

http://help.sap.com/saphelp_srm703/helpdata/en/1e/d08ab3d9364737b3d3a1eb4178a442/frameset.htm

https://help.sap.com/saphelp_nw70/helpdata/en/53/251a355d0c4d78e10000009b38f83b/frameset.htm

https://help.sap.com/saphelp_nw70/helpdata/en/fc/ed583c2be8e25fe10000000a114084/content.htm

https://help.sap.com/saphelp_nw70/helpdata/en/6a/f00b95bfd12b4a9e01ca50b9500616/frameset.htm

https://help.sap.com/saphelp_nw70/helpdata/en/40/32104211625933e10000000a155106/content.htm

cris_hansen
Advisor

Dear Toshi,

According to the help page, you should use STRUST (in ECC) to maintain the PSE that holds the content server certificate.

I will see whether I can install a Content Server 6.50 in my test systems, then I will perform the SSL configuration and provide you with my remarks.

Kind regards,

Cris

Former Member

Hi Cris,

Thanks so much!

Of course, I will test in our test systems as soon as I can prepare the test environment.

To do this, I have to follow some procedures of my company.

Best Regards,

Toshi

cris_hansen
Advisor

Hello Toshi,

I finished the installation yesterday and performed some configuration in OAC0 and CSADMIN.
Today I will finish the HTTPS configuration - I already saw a few issues during the configuration.

Later on today (or, worst case scenario, tomorrow afternoon) I will provide you with the steps I performed to have the HTTPS working.

Kind regards,

Cris

cris_hansen
Advisor

Hello Toshi,

It took a bit more than I expected, but it is working now.

Steps I took in my system:

a) Configured OAC0 to use HTTPS (SAP note 712330)

b) Configured an HTTPS port in IIS. Here you will find the first issue. The IIS server certificate does not match the FQDN of the server, i.e. if you use this certificate, the ECC will throw an SSSLERR_SERVER_CERT_MISMATCH error.

c) Import the IIS certificate into the SSL client Standard PSE, via STRUST.

d) Test the communication.

Between b) and c) you will need to perform some additional steps, in order to create a PSE with the FQDN from the IIS server. The steps I performed were:

1) Create a new PSE:

sapgenpse gen_pse -p cserver.pse

Then you will need to provide a PIN and the DN of the certificate. The CN part must match the FQDN of your IIS server.

2) Export the PSE to PKCS#12 format:

sapgenpse export_p12 -p cserver.pse cserver.pfx

You will be asked for the PSE PIN and for a PKCS#12 password.

3) Transfer the file to the IIS server

4) Open IIS -> Server Certificates.

5) Import the PKCS#12 file.

6) Change the binding of the SAP_Content_Server site to use the newly created certificate

7) Export the IIS certificate

This should do the trick.

There is no need to use a J2EE system.

I hope this helps,

Cris

Former Member

Hi Cris, thank you so much for your help.

Your reply will help us very much.

I should be able to try it on our system within a week.

Also I have some questions.

Could you tell me?

[Question]

-Did you customize the instance profile?

I assumed that we have to set some parameters in ECC.

ex) icm/server_port_<n>=xxxx

   etc.

>b) Configured an HTTPS port in IIS. Here you will find the first issue.
>The IIS server certificate does not match the FQDN of the server, i.e. if you use this certificate, the ECC will throw an SSSLERR_SERVER_CERT_MISMATCH error.

What does "The IIS server certificate does not match the FQDN of the server" mean?

Probably you use a self-signed SSL certificate, but I couldn't understand the above yet.

>1) Create a new PSE:

>sapgenpse gen_pse -p cserver.pse

>Then you will need to provide a PIN and the DN of the certificate. The CN part must match the FQDN of your

>IIS server.

Does it mean that when I execute the command "sapgenpse gen_pse -p cserver.pse" in ECC,

I will be asked for the PIN and the DN of the certificate?

And I can't understand what PIN means in this case.

>2) Export the PSE to PKCS#12 format:

>sapgenpse export_p12 -p cserver.pse cserver.pfx

>You will be asked for the PSE PIN and for a PKCS#12 password.

Are the "PSE PIN and PKCS#12 password" defined in STEP 1)?

>3) Transfer the file to the IIS server

Is the file just cserver.pse?

>There is no need to use a J2EE system.

Thanks, I understand.

Best Regards,

Toshi

cris_hansen
Advisor

Hello Toshi,

As far as I know, IIS brings a self-signed certificate, with a hostname that does not match the fully qualified domain name.

In my case, the certificate had CN = WMSvc-xxxyyyzzz

There is no domain name appended to the hostname.

The FQDN I use in my test system is xxxyyyzzz.mydomain.com.

So, when my ECC tried to reach IIS via HTTPS, IIS sent the certificate with

CN = WMSvc-xxxyyyzzz

but the ECC was expecting a certificate with

CN = xxxyyyzzz.mydomain.com

As this didn't happen, the SSSLERR_SERVER_CERT_MISMATCH error occurred.

Thus, the solution was to create a new PSE, with a valid DN, then import it into IIS.

The PIN is a password for the PSE. When you create the PSE using sapgenpse, you usually would see:

> sapgenpse gen_pse -p cserver.pse

"...

Please enter PSE PIN/Passphrase:

..."

So, this is the password that will protect your PSE.

This PIN is required when you export the file to PKCS#12 format.

The exported file, e.g. cserver.pfx, should be imported into IIS (screenshot attached).

I hope this helps,

Cris
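
The certificate steps Cris lists above (gen_pse with CN = FQDN, export_p12, import into IIS) and his explanation of why the default WMSvc-<host> certificate fails the ECC's check can be reproduced offline with OpenSSL. The script below is an added example, not code from the thread or from SAP; it builds the same artifacts with openssl instead of sapgenpse (the route Toshi also ended up taking), packs them as PKCS#12 for the IIS binding, and reads the CN back out of the .pfx to confirm it equals the FQDN the client expects. A second certificate named like IIS's default one is built alongside to show the mismatch. The FQDN cms01.example.com, the password, the names good/bad and the temp directory are all assumptions. What it does not cover is Cris's step c): the certificate IIS presents still has to be imported into the SSL client Standard PSE via STRUST for the ECC-to-content-server leg.

```shell
#!/bin/sh
# Added example (not from the thread): create a server certificate whose CN
# is the content server's FQDN, pack it as PKCS#12 for IIS, and check that
# the CN read back from the .pfx equals the FQDN. A certificate named like
# IIS's default "WMSvc-<host>" one is built alongside to show the mismatch.
set -eu

# Assumed values; the thread names none of them.
CS_FQDN="${CS_FQDN:-cms01.example.com}"   # name ECC and browsers use to reach the content server
PFX_PASS="${PFX_PASS:-change-me}"         # PKCS#12 password (what sapgenpse export_p12 asks for)
WORK="${WORK:-$(mktemp -d)}"

# make_cert NAME CN: self-signed RSA-2048 certificate with the given CN and a
# matching SAN. Browsers today ignore the CN and require the subjectAltName,
# so both are set; the SAP client side compares the CN with the FQDN.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
    -subj "/O=Example/OU=Content Server/CN=$2" \
    -addext "subjectAltName=DNS:$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# export_pfx NAME: bundle key + certificate into NAME.pfx for "Server
# Certificates -> Import" in IIS. PBE-SHA1-3DES and a SHA-1 MAC are chosen
# because older Windows releases reject OpenSSL 3's AES/PBES2 defaults on import.
export_pfx() {
  openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -name "SAP Content Server ($1)" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$PFX_PASS" -out "$WORK/$1.pfx"
}

# pfx_cn NAME: CN of the certificate inside NAME.pfx (what IIS will present).
pfx_cn() {
  openssl pkcs12 -in "$WORK/$1.pfx" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 \
    | sed 's/.*CN=\([^,]*\).*/\1/'
}

# cn_matches NAME: success only if the presented CN equals the expected FQDN,
# i.e. the check whose failure the ECC reports as SSSLERR_SERVER_CERT_MISMATCH.
cn_matches() {
  [ "$(pfx_cn "$1")" = "$CS_FQDN" ]
}

demo() {
  make_cert good "$CS_FQDN" && export_pfx good
  make_cert bad "WMSvc-${CS_FQDN%%.*}" && export_pfx bad   # IIS-style default name
  for n in good bad; do
    if cn_matches "$n"; then
      echo "$n.pfx: CN=$(pfx_cn "$n") matches $CS_FQDN -> usable for the IIS HTTPS binding"
    else
      echo "$n.pfx: CN=$(pfx_cn "$n") does not match $CS_FQDN -> client rejects it (cert mismatch)"
    fi
  done
}

demo
```

Run it with CS_FQDN set to the real content server name; good.pfx is the file to import into IIS and bind to the SAP_Content_Server site, and good.crt is what goes into STRUST on the ECC. The same CN extraction works on a certificate exported from IIS, which is a quick way to confirm what the server actually presents before touching OAC0.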

Former Member

Hi Cris,

Thank you for your support.

I really appreciate your support.

I can try the test on my test server today.

I tried to customize what you told me, but I can't understand some steps.

Could you tell me, again?

1.What does "Configured an https port in IIS" mean?

  => I think I can configure it in TCD OAC0.

      Also you told me I have to configure the FQDN of the Content Server, not its own certificate.

      (I assume "WMSvc-<hostname>")

      If you mean it is set by OAC0, I can't understand.

      OR do you mean it is set by sapgenpse?

2. I can't generate a PSE although I execute sapgenpse gen_pse.

   When I executed the command, the error message was as follows.

   Maybe I can't understand what is suitable for the DN.

   If I enter the FQDN for the DN, the error message is "Malformed distinguished name",

   and the PSE file isn't generated.

   Also if I enter "CN=<SID>, OU=xx,O=SAPxxx,C=DE" for the DN,

   which is copied from STRUST, the error message is "Can't create PSE".

   Also if I enter WMSvc<hostname> for the DN, the error message is "Malformed distinguished name".

Best Regards,

Toshi

cris_hansen
Advisor

Hello Toshi,

By "Configured an https port in IIS", I mean configure the HTTPS in IIS, installed in your Windows server. It is not related to any SAP transaction code or configuration - it is the external web server configuration.

About the PSE creation, could you please copy/paste here the exact command you enter? I also recommend to use the most recent SAPCRYPTOLIB/CommonCryptoLib patch level.

Kind regards,

Cris

Former Member

Hi, Cris. Thank you for your reply.

I understand what "https port in IIS" means. I have already configured it by "Add Site Binding" in IIS.

About the PSE creation, I entered this command.

-Pattern1-

sapgenpse.exe -p cms01server.pse

Please enter PSE PIN/Passphrase:********

Please reenter PSE PIN/Passphrase:********

get_pse:Distinguished name of PSE owner:WMSvc-

get_pse:Malformed distinguished name "WMSvc-"

-Pattern2-

sapgenpse.exe -p cms01server.pse

Please enter PSE PIN/Passphrase:********

Please reenter PSE PIN/Passphrase:********

get_pse:Distinguished name of PSE owner:

get_pse:Malformed distinguished name ""

-Pattern3-

sapgenpse.exe -p cms01server.pse

Please enter PSE PIN/Passphrase:********

Please reenter PSE PIN/Passphrase:********

get_pse:Distinguished name of PSE owner:"CN=, OU=xx,O=SAPxxx,C=DE"

Can't create PSE.

Best Regards,

Toshi

cris_hansen
Advisor

Hi Toshi,

Please use:

sapgenpse gen_pse -p cserver.pse

(Note that you missed the "gen_pse" command, before the -p switch).

Use a CN with the FQDN of your IIS server.

Kind regards,

Cris

Former Member

Hi Cris.

Sorry, now I correct my message.

I executed sapgenpse gen_pse -p.

-Pattern1-

:\sapgenpse.exe gen_pse -p cms01server.pse

Please enter PSE PIN/Passphrase:********

Please reenter PSE PIN/Passphrase:********

get_pse:Distinguished name of PSE owner:WMSvc-

get_pse:Malformed distinguished name "WMSvc-"

-Pattern2-

:\sapgenpse.exe  gen_pse -p cms01server.pse

Please enter PSE PIN/Passphrase:********

Please reenter PSE PIN/Passphrase:********

get_pse:Distinguished name of PSE owner:FQDN

get_pse:Malformed distinguished name "FQDN"

-Pattern3-

:\sapgenpse.exe  gen_pse -p cms01server.pse

Please enter PSE PIN/Passphrase:********

Please reenter PSE PIN/Passphrase:********

get_pse:Distinguished name of PSE owner:"CN=,OU=xx,O=SAPxxx,C=DE"

Can't create PSE.

Best Regards,

Toshi

cris_hansen
Advisor

Hello Toshi,

Could you clarify about the SAPCRYPTOLIB version you are using?

Just execute:

sapgenpse

and let me know the result.

When using the 3rd pattern, please add -v -v at the end of the command line, just to have a verbose output. What happens then?

Kind regards,

Cris

Former Member

Hi, Cris.

Thank you for your reply.

Tomorrow I can test your advice,

and I will reply.

By the way, I have one question.

Is what you established between IIS (Content Server) and ECC?

Or between IIS (Content Server) and your PC?

What I can establish now is between IIS (Content Server) and our PC, which doesn't work with the ECC server.

Best Regards,

Toshi

cris_hansen
Advisor

Hello Toshi,

You can use OAC0 to configure the content server (from it you can access CSADMIN). You should be able to connect the Content Server to your ECC server.

Kind regards,

Cris

Former Member

Hi Cris,

Thanks so much.

Of course, I know we can configure the settings in ECC, not Content Server.

But in this case I don't have to establish SSL between ECC and Content Server.

I have to establish SSL between Content Server and the PC.

Therefore I can't understand yet whether I have to configure STRUST in ECC.

Is it not enough to do it as follows?

  Configure OAC0 (https port)

  Import the SSL certificate into Content Server

  Configure the HTTPS port in Content Server

Best Regards,

Toshi

Former Member

Hi Cris,

I'm so sorry for not updating.

Now I don't execute sapgenpse, but I could establish SSL between ECC and Content Server
another way.

I created ".crt, .cer, .pfx" files with OpenSSL, and I could set CN=FQDN.

As I still have some issues, I will report the details after the issues are solved.

For example, pictures in Content Server can't be displayed normally.

I think some noise data is displayed; a tiny picture is displayed that doesn't correspond to the expected pictures.

I think decoding doesn't execute normally, or some settings are lacking.

I created the ".crt" with a 2048-bit key length with OpenSSL...

Anyway, I will try.

Best Regards,

Toshi