Create a SHA2 / SHA256 certificate for an SAP Java system using the external tool sapgenpse.


Pre-requisites:


Make sure the CommonCryptoLib is at least version 8.4.11 as per SAP note 1931778



1) Create the SHA2 certificate with the command below:


     Check the SECUDIR environment setting and adjust it if needed.

     You can make a copy of the /usr/sap/<SID>/<INSTANCE>/sec folder.

     If needed, you can download and extract the latest SAPCRYPTOGRAPHIC library into this folder.


     export SECUDIR=/usr/sap/<SID>/<INSTANCE>/sec

     (in csh: setenv SECUDIR /usr/sap/<SID>/<INSTANCE>/sec)


     sapgenpse get_pse -a sha256WithRsaEncryption -s 2048 -p <PSEFile>.pse -noreq -x <password> "CN=asappreep.abc.com, OU=SAP, O=ABC Technologies Ltd, L=Pune, ST=Maharashtra, C=IN"


This will generate <PSEFile>.pse in the /sec folder.


2) Create the SSO logon for the PSE


     sapgenpse seclogin -p <PSEFile>.pse -O <sid>adm -x <password>


3) Create the certificate request for the CA signing authority


         sapgenpse export_own_cert -o <CRTFile>.csr -p <PSEFile>.pse


Send the <CRTFile>.csr file to the signing authority and note that the response is needed in Base64 .CER format.


4) Create the certificate file to be imported into Visual Admin


        sapgenpse export_own_cert -o <CRTFile>-cert.crt -p <PSEFile>.pse



     Create the private key file to be imported into Visual Admin

       

     sapgenpse export_p12 -p <PSEFile>.pse  <PRIVKeyFile>.p12


5) Import the certificate in the Visual Administrator tool


     Start the Visual Admin Tool –> Logon as ADMINISTRATOR server –> TicketKeyStore –> service_ssl –> Load button


Import the files below using the option above:


     1) <CRTFile>-cert.crt           

     2) <PRIVKeyFile>.p12


After the import of the private key and certificate files is complete:


6) Import the CA response directly into the Visual Admin tool


     Copy the CA response file sent by the CA, along with the root and intermediate certificates, into the /sec folder


     Start the Visual Admin tool


     Server –> KeyStorage –> service_ssl –>        

     Click on Import Certificate Response –> Provide the file input from the CA response file        

     Click OK


These steps import the CSR response file into the KeyStorage you have selected.


7) Now you can map the new certificate to the SSL Port in Visual Admin


     Dispatcher –> SSL Provider –> select dispatcher –> click on Client Identities tab

     –> click on Add –> it will show you the certificate list –> choose your certificate and click OK


After completing the steps above, either restart the KeyStorage service and the SSL Provider service or restart the complete application.


Now you can start application testing by opening the page in your browser:


https://<applicationHost>:<SSLPort>/index.html


You should see the lock symbol in the address bar after the page opens.


Congratulations! You have completed the SSL certificate implementation in the SAP Java system.


Reference#


2172534 – NWA is unable to create certificates with SHA256, create them externally using sapgenpse

1622263 – SAP Release Note for LMAUTOSTD 1.0 SP03


Link#


Creating PSE for UME – Portal Security Guide – SAP Library
