ssl re-encryption : multiple certificates required?

Former Member
0 Likes
675

Hi,

I am setting up a Web Dispatcher for SSL. It must use re-encryption. (going live with E-recruiting)

Do I need a separate generated certificate for the Web Dispatcher and the ABAP WAS backend?

I would prefer to make one single request to the CA and use the certificate for both the Web Dispatcher and the ABAP WAS backend.

Thanks,

Adriaan

3 REPLIES 3
Former Member
0 Likes
609

Why does e-Recruiting require "re-encryption"?

Are you terminating connections on the webdispatcher? This anyway means that you will need to have a high level of trust and security on the webdispatcher itself... and if you encrypt again then your webdispatcher might become a performance bottleneck in the design...

Anyway, if you create a certificate request for a shared PSE, then they will have the same identity and you can use the same response for both.

Cheers,

Julius

0 Likes
609

Hi Julius,

Thank you very much for your answer in regards to the shared PSE, I think this almost answers the question.

Should I generate the PSE in the WAS and export to the Web Dispatcher or rather generate in Web Dispatcher (sapgenpse) and import into WAS?

In regards to your first paragraph:

Unfortunately I was instructed to use re-encryption on SSL all the way to the WAS.

How heavy is the load caused by the web dispatcher in this case? Is it a case of marginal CPU load or should I have a separate box for the WAS? Currently I have installed it on the same box as the CI? (The web dispatcher will only be used for load balancing, we have MS ISA servers as reverse proxies).

Many thanks!

Adriaan

0 Likes
609

It is much easier to do in STRUST than sapgenpse, but I have also read in a manual that you should not mix use of the two. No reason was given - perhaps someone else knows and has run into troubles with it?

If I understand correctly, you are NOT using session termination as I originally thought, but rather using the webdispatcher as a load balancer and need to decrypt the https requests to know which server the user already is logged onto?

I think this is unnecessarily complicated...

If you are keeping the session connected, then why don't you point your webdispatcher to the message server and let that balance the user load. It also natively knows which servers are available and is much easier to implement?

Cheers,

Julius