Anyone performed a system refresh that has SSL?

Former Member
0 Kudos

We did a refresh of our QA ECC system from Production. Our QA server is configured for SSL. However, after the refresh, the VeriSign certificates cannot be imported again to the QA system.

Should there have been a task done before the refresh to be able to restore the certificate response and request?

Accepted Solutions (1)

JPReyes
Active Contributor
0 Kudos

Hi Alan,

As Olivier mentioned, you can dump the old certificate and create a new one in STRUSTSSO2 or STRUST; just right-click on "System PSE" and delete, replace or create a new one.

Regards

Juan

Former Member
0 Kudos

Hello,

Replacing the PSE is not the issue. The issue is that, when generating the correct PSE after the refresh of production to QAS, the "signed" certificates that you get from a CA when you generate a request are no longer valid.

So the question is, how do you avoid, go around, or handle this type of situation when your QAS system is SSL configured?

Former Member
0 Kudos

Hello,

In fact, it seems very logical to me.

When you regenerate the SSL Server PSE, you create new private and public keys.

As the CA certificate signs the previous key pair, it is not valid anymore!

I guess the solution is to export your SSL server PSE as a file prior to the refresh and to reimport it after the refresh.

I never did it so you'll have to experiment for your next refresh.

For this one, I think your only solution is to buy a new certificate from the CA.

The problem is that, contrary to the web dispatcher, the PSE is in the database.

I did not have the problem because we buy CA certificates only for the production systems.

Regards,

Olivier
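The point Olivier makes above, as an added illustration that is not part of the thread: the CA response is bound to the key pair that produced the request, so it no longer fits once the key is regenerated. `openssl` stands in for the PSE tooling here (an assumption; a PSE is a different container), and the CA, host name and file names are constructed.

```shell
#!/bin/sh
# Added example: openssl is used as a stand-in, not SAP's own tooling.
set -eu

# SHA-256 fingerprint of a PEM public key read from stdin.
spki_fp() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Fingerprint of the public half of a private key file.
key_fp() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | spki_fp
}

# Fingerprint of the public key a certificate was issued for.
cert_fp() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | spki_fp
}

# 0 = certificate belongs to key, 1 = mismatch, 2 = unreadable input.
cert_matches_key() {
    c=$(cert_fp "$1") || return 2
    k=$(key_fp "$2") || return 2
    [ "$c" = "$k" ]
}

# Constructed scenario: throwaway CA, key and request made before the
# refresh, the CA's response, and a key regenerated after the refresh.
make_demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=qa.example.test" \
        -keyout "$d/old.key" -out "$d/old.csr" 2>/dev/null
    openssl x509 -req -in "$d/old.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/response.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/new.key" 2>/dev/null
    echo "$d"
}

d=$(make_demo)
cert_matches_key "$d/response.crt" "$d/old.key" && echo "response fits the exported key"
cert_matches_key "$d/response.crt" "$d/new.key" || echo "response does not fit the regenerated key"
rm -rf "$d"
```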

Former Member
0 Kudos

Thanks Olivier,

Your suggestion worked!

We re-imported the old SSL server PSE and everything is fine now.

tombo_larsen
Active Participant
0 Kudos

How did you succeed in importing the PSE file?

We have tried to import a previously exported PSE file (for the "Server SSL").

We start transaction STRUST and use the function: PSE --> Import

After the import of the file, its DN is shown in the "own certificate" part of the screen, but it does not create the "SSL Server" directory icon on the left side of the screen.

So if transaction STRUST is left and started again - no "SSL Server" PSE exists.

BR

Tom

Answers (2)

Former Member
0 Kudos

Hi,

Great that you could reimport the SSL certificate after a system refresh.

We are facing the same problem; can you please elaborate on how exactly you have reimported the SSL certificate?

1. Did you do it at the UNIX level using sapgenpse?

2. Or did you do it from STRUST?

Any kind of information is greatly appreciated.

Thanks,

Nag.

Former Member
0 Kudos

Hi,

We resolved the issue by importing the SAPSSL.pse file back after a refresh.

Below are the steps:

1. Export the file SAPSSL.pse from /usr/sap/<sid>/DDVEBMGS<sys #>/sec to your desktop

2. Log on to the ECC system and use transaction strustsso2

3. Double-click on SSL server

4. On the top menu, go to PSE - Import and select the file previously exported from your file system (SAPSSL.pse)

5. Save

This should restore your SSL configuration.

Former Member
0 Kudos

Hello,

What do you mean by "can not be imported again to the QA system"?

Do you get an error in transaction STRUST?

If yes, which one?

Did you recreate the SSL server PSE?

Regards,

Olivier