This document provides instructions for generating a Certificate Signing Request (CSR) for SAP WEB Dispatcher. If you are unable to use these instructions for your server, Symantec recommends that you contact SAP.
To generate a CSR on SAP WEB Dispatcher follow one of the following Methods:
Method 1. Generate CSR using the Trust Manager
Step 1. Generate a Key Pair:
- Start the trust manager (transaction STRUST)
- Using the context menu for the FIle node, choose Create RSA
NOTE: For SSL, you must create a PSE that contains the RSA key pair.
- Enter the Distinguished Name parts in the corresponding fields. For the SSL Server PSE, the Common Name must respond to the FQDN used to access the Web Dispatcher.
- Save the PSE to the local file (e.g. the Web Dispatcher's Secure ID directory). Use the file name that you specified in the profile parameters ssl/server_pse and wdisp/ssl_cred for the SSL server PSE and the SSL client PSE respectively.
Step 2. Creating the Certificate Signing Request
- Once you have created the PSE, you must create the corresponding certificate request.
- Select the File node with a double-click. The Open dialog appears
- Select the PSE that you saved in the previous procedure. The corresponding certificate appears in the PSE maintenance section in the Owner field.
- Fill out the required information:
- Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
- State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California.
- Locality or City (L): The Locality field is the city or town name, for example: Berkeley.
- Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll.
- Organizational Unit (OU): This field is the name of the department or organization unit making the request.
- Common Name (CN): The Common Name is the Host + Domain Name. It looks like "www.symantec.com" or "symantec.com".
NOTE: Symantec certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "symantec.com" will receive a warning if accessing a site named "www.symantec.com" or "secure.symantec.com", because "www.symantec.com" and "secure.symantec.com" are different from "symantec.com".
- In the PSE maintenance section, choose Create Certificate Request. A dialog appears showing the certificate request.
- Select the content of the request and copy it to your clipboard ( Copy ) or save the certificate request to the file using ( filename.p10 ) using Save as local file.
- Verify your CSR
Method 2. Generate CSR using SAPGENPSE
- Use the configuration tool sapgenpse to create the SAP Web Dispatcher's PSEs.
NOTE: Before you can use sapgenpse to create the SSL server PSE, the environment variable SECUDIR must be set to
the directory where the license ticket is located. If the environment variable is not yet set, then set it using the
command line as shown below.
- Use the tool's command get_pse as shown below to create the SAP Web Dispatcher's PSE.
sapgenpse get_pse <additional_options> -p <PSE_Name> -r <cert_req_file_name> -x <PIN> <Distinguished_Name>
- The command line below creates the SAP Web Dispatcher's SSL server PSE and certificate request using the following information:
- The environment variable SECUDIR is set to C:Program FilesSAPSAPWebDispsec.
- The PSE is to be located at C:Program FilesSAPSAPWebDispsecSAPSSLS.pse.
- The PIN used to protect the PSE is abcpin.
- The name of the certificate request file is abc.req.
- The SAP Web Dispatcher is accessed using the fully-qualified host name.
- The CA used is the SAP.CA.
Example: sapgenpse get_pse -p SAPSSLS.pse -x abcpin -r abc.req " CN=Fully Qualified Domain Name, OU=dept. name, O=Organizational Name, SP=State and Province value, L=Locality value,C=ISO country code value".
- Verify your CSR