Ask a Question

Solution ID : SO22372

Last Modified : 05/21/2018

Managed PKI for SSL - Certificate Signing Request (CSR) Generation Instructions for SAP Web Dispatcher

Solution

 This document provides instructions for generating a Certificate Signing Request (CSR) for SAP WEB Dispather. If you are unable to use these instructions for your server, Symantec recommends that you contact SAP.
 
NOTE: To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match.

To generate a CSR on SAP WEB Dispather follow one of the following Methods:

Method 1. Generate CSR using the Trust Manager

Step 1. Generate a Key Pair:

  1. Start the trust manager (transaction STRUST)
  2. Using the context menu for the FIle node, choose Create RSA
    NOTE: For SSL, you must create a PSE that contains the RSA key pair. If only Create is selected, then a DSA key pair is created which cannot be used for SSL.
  3. Enter the Distinguished Name parts in the corresponding fields. For the SSL Server PSE, the Common Name must respond to the FQDN used to access the Web Dispatcher.
  4. Save the PSE to the local file (e.g. the Web Dispatcher's Secure ID directory). Use the file name that you specified in the profile parameters ssl/server_pse and wdisp/ssl_cred for the SSL server PSE and the SSL client PSE respectively.
     

Step 2. Creating the Certificate Signing Request

  1. Once you have created the PSE, you must create the corresponding certificate request.
  2. Select the File node with a double-click. The Open dialog appears
  3. Select the PSE that you saved in the previous procedure. The corresponding certificate appears in the PSE maintenance section in the Owner field.
  4. Fill out the required infromation:
     
    • Common Name: The fully-qualified domain name to which your certificate will be issued.
    • Organization: The full legal name of your company.
    • Organizational Unit: Use this field to differentiate between divisions within an organization.
    • City or Locality: Usually the city of your organization's main office, or a main office for your organization.
    • State or Province: Enter the full name of your state or province. 
      Note: Make sure the State or Province is not abbreviated (e.g. California).
    • Country: Enter the two-character abbreviation of country in which organization resides (e.g. US).
       
  5. In the PSE maintenance section, choose Create Certificate Request. A dialog appears showing the certificate request.
  6. Select the content of the request and copy it to your clipboard ( Copy ) or save the certificate request to the file using ( filename.p10 ) using Save as local file.



Method 2. Generate CSR using SAPGENPSE

  1. Use the configuration tool sapgenpse to create the SAP Web Dispatcher's PSEs.
    NOTE: Before you can use sapgenpse to create the SSL server PSE, the environment variable SECUDIR must be set to the directory where the license ticket
    is located. If the environment variable is not yet set, then set it using the command line as shown below.

    set SECUDIR=<SECUDIR_directory>
     
  2. Use the tool's command get_pse as shown below to create the SAP Web Dispatcher's PSE.

    sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>
     
  3. The command line below creates the SAP Web Dispatcher's SSL server PSE and certificate request using the following information:
  • The environment variable SECUDIR is set to C:\Program Files\SAP\SAPWebDisp\sec.
  • The PSE is to be located at C:\Program Files\SAP\SAPWebDisp\sec\SAPSSLS.pse.
  • The PIN used to protect the PSE is abcpin.
  • The name of the certificate request file is abc.req.
  • The SAP Web Dispatcher is accessed using the fully-qualified host name host123.mysymantec.com.
  • The CA used is the SAP.CA.

    Example: sapgenpse get_pse -p SAPSSLS.pse -x abcpin -r abc.req " CN=host123.mysymantec.com, OU=dept. name, O=Organizational Name, SP=State and Province value, L=Locality value,C=ISO country code value".
     

 Once the SSL certificate has been issued, follow the steps from this link to install it on the server: SO22371