topic Re: SSL in Application Development and Automation Discussions

SSL

Former Member — Thu, 06 Sep 2007 09:00:34 GMT

Hi,

we hav e a fully trusted SSL certificate on both the ABAP and J2EE

listeners for the XI systems. As an example, on abc.

Accessing the J2EE stack

https://abc.com:50001/index.html we have already

generated a self-signed certificate registered to

abc.com. I have subsequenly had the related CSR

sent to a trust authority and paid for the CSR to be signed. Hence, I

have a fully trusted, valid certificate witha CN

=abc.com

How to export to ABAP stack?

I am unable to export the signed certificate from the J2EE stack and

import it into the ABAP stack

Error: CA certificate missing in database

"ABAP stack for https://abc.com:40001 "

Regards

Ben

Re: SSL

former_member402999 — Thu, 06 Sep 2007 11:34:20 GMT

Hi Ben,

have you already copied the private key from the J2EE engine to the ABAP stack? If not, you need to do that first (export from J2EE as PKCS#12, convert PKCS#12 to PSE using sapgenpse, import PSE to STRUST). In this case you get both the private key and the signed certificate, and you are done.

If you have already copied the private key, you need to import the root certificate of the trust authority into STRUST (menu Certificate -> Import -> File) and then save it to the database (menu Certificate -> Export -> Database). After that, you can import the signed certificate into the ABAP stack.

Best regards,

Klaus

Re: SSL

Former Member — Thu, 06 Sep 2007 11:56:08 GMT

Hi Klaus,

Thank you very much

Could you please explain more copy private key from J2EE engine and how ti user sapgenpse?

While exporting database what are the parameters

Trust Center ?

category ?

Regards

Ben

Re: SSL

former_member402999 — Thu, 06 Sep 2007 13:05:38 GMT

Hi Ben,

in order to export the private key (and the certificate) from the J2EE Engine, go to the keystore service and export the corresponding entry as PKCS#12 file. Then call sapgenpse (which you have downloaded with SAPCryptolib) with command import_p12 (sapgenpse import_p12 will display a help text) in order to create a PSE file. If you wish to store the root certficate of the trust center to the database of STRUST, choose as Trust Center any short name starting with Y or Z and as category Server CA.

Best regards,

Klaus

Re: SSL

Former Member — Thu, 06 Sep 2007 13:19:43 GMT

Hi Klaus,

I got the following error.

sapgenpse import_p12 -p SAPSSLS.pse z_test6.p12,.pfx

import_p12: ERROR -- MISSING password for PKCS#12 file "z_test6.p12,.pfx"

Please enter PKCS#12 encryption password: ******

ERROR: Incomplete certification path -- NEED certificate of "OU=Equifax Secure Certificate Authority, O=Equifax, C=US"!

Regards

Radha

Re: SSL

former_member402999 — Thu, 06 Sep 2007 13:37:32 GMT

Hi Radha,

I guess you need to store the certificate "OU=Equifax Secure Certificate Authority, O=Equifax, C=US" to a file and provide it to sapgenpse import_p12 using the -r option: sapgenpse import_p12 -r <certfile> -p SAPSSLS.pse z_test6.p12,.pfx

Best regards,

Klaus

Re: SSL

Former Member — Thu, 06 Sep 2007 14:02:06 GMT

Hi Klaus,

I am able to cereate SAPSSLS.pse and I exported to database.

Trust center :ZABC

Certificate Category: SERV

Still same problem CA certificate missing in database

Regards

Ben

Re: SSL

former_member402999 — Thu, 06 Sep 2007 14:34:17 GMT

Hi Ben,

don't save the PSE in the database - you might save the certificate "OU=Equifax Secure Certificate Authority, O=Equifax, C=US" in the database. Load the SAPSSLS.pse into STRUST by choosing PSE -> Import from the menu and save it as SSL Server.

Best regards,

Klaus

Re: SSL

Former Member — Thu, 06 Sep 2007 14:42:20 GMT

Hi Klaus,

Thank you very much.

Regards

Ben