2011 Aug 19 10:35 PM
Hi
We have generated the CSR from IIS 7.0 and got it signed from Verisign. Our current Netweaver version is 7.0 Ehp1. We need to configure the SSL while the certificate is signed for IIS.
How is it possible? Also, if the certificate is installed on IIS, which certificate do we use in Visual Admin?
Regards
Neel
2011 Aug 22 8:40 AM
2011 Aug 22 9:18 PM
So SAP is connecting to an external web server and this should use SSL.
Are you familiar with transaction STRUST or the VA? You need to create an SSL client server PSE and import the generated cert from the CA (Verisign).
This is well documented in the online help of transaction STRUST and the Netweaver Administrator on the Java Stack (or the VA), so I would suggest reading that and then let us know if you get stuck.
You should perhaps also mention the system type (PI?) you are using?
Cheers,
Julius
Edited by: Julius Bussche on Aug 22, 2011 10:18 PM
2011 Aug 23 12:59 AM
Hi,
you should be more specific about your scenario. Why do you need to import a certificate for IIS into the SAP application server? I guess that they don't run on the same box, so the host name will be different. This might not be a problem, but it is really hard to understand what you want to do. More confusion comes when you mention Visual Admin. So you also have a Java stack in your landscape.
Cheers
2011 Aug 23 8:13 AM
Hi Julius/Martin
Thank you for your reply.
I will explain the scenario below:
This is Netweaver 7.0 Ehp1. It contains the ABAP and Java stack. The ABAP stack and database (MSSQL 2008) are in the private zone. The Java stack is in the DMZ zone. In our scenario there is no separate web server. The users directly hit the Java server from the internet. The OS of the Java server as well as the ABAP server is Windows 2008 R2.
Since the public IP is not accessible from within the server due to security policies, we have generated the certificate signing request from IIS rather than Visual Administrator.
Now we have an SSL certificate which is signed by Verisign.
How do we proceed further from here?
Hope the above data points help to clearly understand the scenario. Please let me know if any further data points are required.
Thanks
Neel
2011 Aug 23 12:55 PM
Hi,
If I understand well, you don't use a reverse proxy to protect your java stack from the internet. (Even if it is isolated in a DMZ, this is not a good idea IMHO...).
It means that the SSL signed certificate has to be installed on the Java stack, but you cannot use a certificate generated on IIS because it will have a different key pair. You have to generate the CSR from the Java stack system.
Regards,
Olivier
2011 Aug 23 9:22 PM
Hi Olivier,
Are you using self-signed server PSEs?
IMO you can use any supported CA to generate a CSR provided the root certificate is supported by the browser (for encryption only).
Or is SSO wanted here? (I assumed that it is only encryption SSL being asked about, however I thought initially that the SAP WAS was the client component which seems not to be the case).
Cheers,
Julius
2011 Aug 23 10:46 PM
Olivier is right that all documented ways of creating an SSL certificate are to generate the certificate on the Java AS and then send it to the CA. You did that outside of the Java AS. You might be able to import it using tools like OpenSSL. In what format do you have your certificate? sapgenpse allows you to import a certificate in PKCS#12 format.
Cheers
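The replies above turn on one point: a CA-signed certificate is only usable together with the private key that produced the CSR. The following is an added example, not part of the original thread, that checks this with the OpenSSL CLI before bundling certificate and key as PKCS#12; the file names, subject name and password are constructed, and it assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example: verify that a certificate belongs to a private key before
# building a PKCS#12 bundle from the pair. All file names are assumptions.

# PEM public key embedded in a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# PEM public key derived from a private key.
key_pubkey() { openssl pkey -in "$1" -pubout; }

# Returns 0 only when certificate $1 was issued for private key $2,
# 1 on a mismatch, 2 when either file cannot be parsed.
cert_matches_key() {
    c=$(cert_pubkey "$1" 2>/dev/null) || return 2
    k=$(key_pubkey "$2" 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# Bundle certificate $1 and key $2 into PKCS#12 file $3 with password $4,
# refusing to write anything when the pair does not match.
bundle_pkcs12() {
    cert_matches_key "$1" "$2" || {
        echo "certificate does not match private key: $2" >&2
        return 1
    }
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# Constructed sample data: two unrelated RSA keys and a throwaway self-signed
# certificate standing in for the CA-signed one. iis.key plays the key that
# created the CSR; java.key plays a key pair generated separately on the
# target server.
make_sample() {
    openssl genrsa -out "$1/iis.key" 2048 2>/dev/null
    openssl genrsa -out "$1/java.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/iis.key" -days 1 \
        -subj "/CN=portal.example.test" -out "$1/server.crt" 2>/dev/null
}

WORK=$(mktemp -d)
make_sample "$WORK"
for key in iis.key java.key; do
    if cert_matches_key "$WORK/server.crt" "$WORK/$key"; then
        echo "$key: matches server.crt"
    else
        echo "$key: does NOT match server.crt"
    fi
done
```

The bundle only helps if the private key can be exported from the system that generated the CSR; without that key the certificate has to be reissued against a CSR created on the target server.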
2011 Aug 23 11:13 PM
D'oh
Yes you are correct, you do generate the CSR for the server and send it to the CA, but that can be any supported CA and does not have to be a specific server (you can import certificates).
So I guess the question is: which type of CSR was generated on the IIS 7.0 for which common servers to be able to import it into the SAP WAS?
The setup is a bit suspect, so I hope that I am wrong.
Cheers,
Julius
2011 Aug 24 12:21 PM
In fact it is possible to import a key pair in the Java Key storage but it is much easier to generate it and then the CSR for CA signature.
In fact, I usually use self-signed certificates on the SAP back end systems and use CA-signed certificates on the SAP Web Dispatchers I use as reverse proxy, load balancer and also to simplify URLs and ports.
At first, I thought that the OP uses IIS as a reverse proxy.
Regards,
Olivier
2011 Aug 25 12:14 AM
That's a good approach. Nowadays, I think that using self-signed certificates in a scenario where you can control all clients is even better than using certificates signed by a CA.
Cheers