09-06-2007 10:00 AM
Hi,
we have a fully trusted SSL certificate on both the ABAP and J2EE listeners for the XI systems. As an example, on abc.
Accessing the J2EE stack https://abc.com:50001/index.html we have already generated a self-signed certificate registered to abc.com. I have subsequently had the related CSR sent to a trust authority and paid for the CSR to be signed. Hence, I have a fully trusted, valid certificate with a CN=abc.com
How to export to ABAP stack?
I am unable to export the signed certificate from the J2EE stack and
import it into the ABAP stack
Error: CA certificate missing in database
"ABAP stack for https://abc.com:40001 "
Regards
Ben
09-06-2007 12:34 PM
Hi Ben,
have you already copied the private key from the J2EE engine to the ABAP stack? If not, you need to do that first (export from J2EE as PKCS#12, convert PKCS#12 to PSE using sapgenpse, import PSE to STRUST). In this case you get both the private key and the signed certificate, and you are done.
If you have already copied the private key, you need to import the root certificate of the trust authority into STRUST (menu Certificate -> Import -> File) and then save it to the database (menu Certificate -> Export -> Database). After that, you can import the signed certificate into the ABAP stack.
Best regards,
Klaus
09-06-2007 12:56 PM
Hi Klaus,
Thank you very much
Could you please explain more copy private key from J2EE engine and how to use sapgenpse?
While exporting database what are the parameters
Trust Center ?
category ?
Regards
Ben
09-06-2007 2:05 PM
Hi Ben,
in order to export the private key (and the certificate) from the J2EE Engine, go to the keystore service and export the corresponding entry as PKCS#12 file. Then call sapgenpse (which you have downloaded with SAPCryptolib) with command import_p12 (sapgenpse import_p12 will display a help text) in order to create a PSE file. If you wish to store the root certificate of the trust center to the database of STRUST, choose as Trust Center any short name starting with Y or Z and as category Server CA.
Best regards,
Klaus
09-06-2007 2:19 PM
Hi Klaus,
I got the following error.
sapgenpse import_p12 -p SAPSSLS.pse z_test6.p12,.pfx
import_p12: ERROR -- MISSING password for PKCS#12 file "z_test6.p12,.pfx"
Please enter PKCS#12 encryption password: ******
ERROR: Incomplete certification path -- NEED certificate of "OU=Equifax Secure Certificate Authority, O=Equifax, C=US"!
Regards
Radha
09-06-2007 2:37 PM
Hi Radha,
I guess you need to store the certificate "OU=Equifax Secure Certificate Authority, O=Equifax, C=US" to a file and provide it to sapgenpse import_p12 using the -r option: sapgenpse import_p12 -r <certfile> -p SAPSSLS.pse z_test6.p12,.pfx
Best regards,
Klaus
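A pre-check for the "Incomplete certification path" error above, as an added example that is not part of the original thread: it lists the issuer names a PKCS#12 file refers to but does not contain, which are the certificates to hand to sapgenpse import_p12 with -r. It assumes the openssl command-line tool is installed; the function names, the P12_PASS variable and the sample names are made up for this example, and the second function only builds constructed throwaway bundles to try it on.

```shell
# Added example, not from the thread. Prints each issuer DN that the PKCS#12
# file references but does not contain; no output means the bundle carries
# its chain up to a self-signed root. The password is read from $P12_PASS
# (assumed name) so it stays off the command line and out of `ps`.
p12_missing_issuers() (   # $1 = PKCS#12 file; body runs in a subshell
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    # -nokeys: dump certificates only, the private key is never written out.
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS \
        >"$tmp/all.pem" 2>/dev/null || exit 2
    # One file per certificate; x509 ignores the text between PEM blocks.
    awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (d "/c" n ".pem")}' \
        "$tmp/all.pem"
    : >"$tmp/subjects"; : >"$tmp/issuers"
    for c in "$tmp"/c*.pem; do
        [ -e "$c" ] || continue
        openssl x509 -in "$c" -noout -subject -nameopt RFC2253 |
            sed 's/^subject= *//' >>"$tmp/subjects"
        openssl x509 -in "$c" -noout -issuer -nameopt RFC2253 |
            sed 's/^issuer= *//' >>"$tmp/issuers"
    done
    # Comparing DN strings is a diagnostic heuristic, not path validation.
    sort -u "$tmp/issuers" | grep -Fxv -f "$tmp/subjects" || true
)

# Constructed sample input: a throwaway CA and server certificate, bundled
# once without and once with the CA certificate. $1 = output directory.
make_constructed_bundles() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=abc.example" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/leaf.key" -in "$1/leaf.pem" \
        -passout env:P12_PASS -out "$1/nochain.p12" &&
    openssl pkcs12 -export -inkey "$1/leaf.key" -in "$1/leaf.pem" \
        -certfile "$1/ca.pem" -passout env:P12_PASS -out "$1/chain.p12"
}
```

Export P12_PASS in the shell before calling either function; an exit status of 2 means the file could not be opened with that password.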
09-06-2007 3:02 PM
Hi Klaus,
I am able to create SAPSSLS.pse and I exported to database.
Trust center :ZABC
Certificate Category: SERV
Still same problem CA certificate missing in database
Regards
Ben
09-06-2007 3:34 PM
Hi Ben,
don't save the PSE in the database - you might save the certificate "OU=Equifax Secure Certificate Authority, O=Equifax, C=US" in the database. Load the SAPSSLS.pse into STRUST by choosing PSE -> Import from the menu and save it as SSL Server.
Best regards,
Klaus
09-06-2007 3:42 PM