Implementing SHA2 / SHA256 type certificate in SAP Netweaver 7.0 for JAVA
Create a SHA2 / SHA256 certificate using the external tool sapgenpse for an SAP JAVA system.
Pre-requisites:
Make sure that CommonCryptoLib is at least version 8.4.11, as per SAP note 1931778.
1) Create the SHA2 certificate with the command below:
Check the SECUDIR environment setting and adjust the environment if needed.
You can make a copy of the /usr/sap/<SID>/<INSTANCE>/sec folder first.
If needed, download the latest SAP Cryptographic Library and extract it into this folder.
export SECUDIR=/usr/sap/<SID>/<INSTANCE>/sec
sapgenpse get_pse -a sha256WithRsaEncryption -s 2048 -p <PSEFile>.pse -noreq -x <password> "CN=asappreep.abc.com, OU=SAP, O=ABC Technologies Ltd, L=Pune, ST=Maharashtra, C=IN"
This generates <PSEFile>.pse in the /sec folder (the -x option sets the PSE PIN, which the seclogin step below must use as well).
2) Create the SSO logon for the PSE
sapgenpse seclogin -p <PSEFile>.pse -O <sid>adm -x <password>
3) Create the certificate request for the CA (signing authority)
sapgenpse export_own_cert -o <CSRFile>.csr -p <PSEFile>.pse
Send the <CSRFile>.csr file to the signing authority, with a note that you need the response in Base64 .CER format.
4) Create the certificate file to be imported into Visual Admin
sapgenpse export_own_cert -o <CRTFile>-cert.crt -p <PSEFile>.pse
Create the private key file to be imported into Visual Admin
sapgenpse export_p12 -p <PSEFile>.pse <PRIVKeyFile>.p12
5) Import the certificate in the Visual Administrator tool
Start the Visual Admin tool -> log on as ADMINISTRATOR -> Server -> TicketKeyStore -> service_ssl -> Load button
Import the files below using the above option:
1) <CRTFile>-cert.crt
2) <PRIVKeyFile>.p12
Once the import of both the private key and the certificate file is complete, proceed to the next step.
6) Import the CA response directly in the Visual Admin tool
Copy the CA response file sent by the CA, along with the root and intermediate certificates, into the /sec folder.
Start the Visual Admin tool
Server -> KeyStorage -> service_ssl ->
Click on Import Certificate Response -> provide the CA response file as input
Click OK
These steps import the CA response into the KeyStorage view you selected.
7) Now you can map the new certificate to the SSL port in Visual Admin
Dispatcher -> SSL Provider -> select the dispatcher -> click on the Client Identities tab
-> click on Add -> the certificate list is shown -> choose your certificate and click OK
After completing the steps above, either restart the KeyStorage service and the SSL Provider service, or restart the complete application server.
Now you are ready to start application testing by opening the page in your browser:
https://<applicationHost>:<SSLPort>/index.html
Once the page has opened, you should see the lock symbol in the address bar.
Congratulations !! You have completed the SSL certificate implementation in SAP JAVA system.
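Before loading the .crt exported in step 4, or the Base64 .CER response returned by the CA in step 6, it is worth confirming that the file really carries a sha256WithRSAEncryption signature and a 2048-bit RSA key rather than the legacy SHA-1 value this procedure replaces. The checker below is an added example using only the Python standard library; it is not part of the SAP note or the original post. inspect_cert takes the bytes of a real certificate file (PEM or DER); sample_cert and der only build a constructed, unsigned skeleton certificate so the checker can be exercised offline.

```python
import base64, re
# Legacy value and its replacement (the page's sha256WithRsaEncryption); anything else is reported by OID.
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def pem_to_der(data):                                   # accept a Base64 .CER/.crt (PEM) file or raw DER
    return base64.b64decode(re.sub(rb"-----[^-]*-----|\s", b"", data)) if b"-----BEGIN" in data else data
def to_pem(der_bytes):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der_bytes) + b"-----END CERTIFICATE-----\n"

def read_tlv(buf, pos=0):                               # one DER tag-length-value at pos -> (tag, value, end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F; length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):                                    # members of a constructed value as (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos); out.append((tag, val))
    return out

def decode_oid(raw):                                    # base-128 arcs, high bit = continuation
    parts, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80: parts.append(n); n = 0
    return ".".join(map(str, parts))

def inspect_cert(data):
    """Signature algorithm and RSA modulus size of an X.509 certificate (PEM or DER)."""
    _, cert, _ = read_tlv(pem_to_der(data))
    tbs, sig_alg, _ = children(cert)                    # Certificate ::= tbs, signatureAlgorithm, signature
    oid = decode_oid(children(sig_alg[1])[0][1])
    fields = children(tbs[1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # drop the optional explicit [0] version
    spki_bits = children(fields[5][1])[1][1]            # subjectPublicKeyInfo.subjectPublicKey BIT STRING
    _, rsa_key, _ = read_tlv(spki_bits, 1)              # skip the unused-bits byte
    modulus = children(rsa_key)[0][1]                   # RSAPublicKey ::= SEQUENCE { modulus, exponent }
    return {"signature_algorithm": SIG_OIDS.get(oid, oid), "rsa_key_bits": int.from_bytes(modulus, "big").bit_length()}

def der(tag, body):                                     # TLV encoder, used only for the constructed sample
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body
def sample_cert(sig_oid, key_bytes=256):
    """Constructed, unsigned certificate skeleton (empty names, dummy signature) in Base64 .CER form."""
    alg = der(0x30, der(0x06, sig_oid) + der(0x05, b""))
    rsa = der(0x30, der(0x02, b"\x00\xC1" + b"\x01" * (key_bytes - 1)) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01") + der(0x05, b"")) + der(0x03, b"\x00" + rsa))
    empty = der(0x30, b"")                              # stands in for issuer, validity and subject
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + empty * 3 + spki)
    return to_pem(der(0x30, tbs + alg + der(0x03, b"\x00" * 257)))
```

For a real file, call inspect_cert(open("<CRTFile>-cert.crt", "rb").read()) and expect sha256WithRSAEncryption with 2048 bits; a CA response showing sha1WithRSAEncryption should be sent back before it is imported.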
References
2172534 - NWA is unable to create certificates with SHA256, create them externally using sapgenpse
1622263 - SAP Release Note for LMAUTOSTD 1.0 SP03