Geferson Hess

Configuring wildcard certificates in the ABAP NetWeaver AS

In some scenarios it can be useful to have one certificate that covers several hosts, for example all application server instances of a system under the same domain. Before doing so, it is important to understand how a client matches a wildcard certificate; the rules are defined in RFC 6125. In short, a wildcard such as *.example.corp (an illustrative domain) stands in for exactly one left-most label: it matches sapci.example.corp, but neither example.corp itself nor app1.sapci.example.corp. Also, a client that finds dNSName entries in the subject alternative name (SAN) extension compares the host name only against those and ignores the common name; current browsers no longer consult the common name at all.
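The matching rules just described, as an added example that is not part of the original post: a small Python implementation of the RFC 6125 server-identity check (sections 6.4.3 and 6.4.4), taking the strict reading in which the wildcard must be the whole left-most label and may not cover a bare top-level domain. The host names, the domain example.corp and the certificate contents are constructed for illustration; in practice the identifiers come from the leaf certificate the server presents, which you can inspect in the browser's certificate viewer as the post does, or with openssl s_client.

```python
"""Server-identity matching as described in RFC 6125, sections 6.4.3 and 6.4.4.

Added example (not part of the original blog post). It shows which host
names a wildcard such as *.example.corp actually covers, and why a client
that finds dNSName entries in the subject alternative name (SAN) extension
ignores the common name. All host names and certificate contents below are
constructed for illustration; example.corp is an assumed domain.
"""
from __future__ import annotations


def matches_presented_identifier(presented: str, reference: str) -> bool:
    """True if the DNS-ID / CN-ID `presented` matches the host name `reference`.

    Conservative reading of RFC 6125 s6.4.3: the wildcard must be the entire
    left-most label, there is exactly one of it, it stands in for exactly one
    label of the reference name, and at least two further labels must follow
    (so "*.corp" is refused, as browsers do). Comparison is case-insensitive
    and a trailing dot is ignored. A label that is exactly "*" can never be an
    IDNA A-label, so the IDN rule of s6.4.3 is satisfied implicitly.
    """
    presented = presented.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if not presented or not reference or "*" in reference:
        return False
    if "*" not in presented:
        return presented == reference          # exact, case-insensitive match

    labels = presented.split(".")
    ref_labels = reference.split(".")
    if labels[0] != "*" or any("*" in lab for lab in labels[1:]):
        return False   # partial ("sap*.example.corp") or non-leading wildcard: refused
    if len(labels) < 3:
        return False   # "*.corp" would cover a whole TLD: refused
    if len(ref_labels) != len(labels):
        return False   # "*" covers one label only: no example.corp, no a.b.example.corp
    if not ref_labels[0]:
        return False   # empty left-most label (".example.corp") never matches
    return ref_labels[1:] == labels[1:]


def verify_server_identity(reference_host: str,
                           san_dns_names: list[str],
                           common_name: str | None,
                           allow_cn_fallback: bool = True) -> bool:
    """Decide whether a leaf certificate is acceptable for `reference_host`.

    RFC 6125 s6.4.4: if the certificate carries any dNSName SAN entries, only
    those are compared and the CN is ignored. The CN is consulted only when
    there is no dNSName SAN at all; allow_cn_fallback=False models current
    browsers (Chrome 58 and later), which never consult the CN.
    """
    if san_dns_names:
        candidates = san_dns_names
    elif allow_cn_fallback and common_name:
        candidates = [common_name]
    else:
        candidates = []
    return any(matches_presented_identifier(p, reference_host) for p in candidates)


if __name__ == "__main__":
    # Constructed certificates: a wildcard cert with a proper SAN, a wildcard
    # cert that carries the wildcard only in its CN (the situation asked about
    # in the comments), and an instance-specific cert.
    certs = {
        "wildcard with SAN": (["*.example.corp"], "*.example.corp"),
        "wildcard CN only":  ([],                 "*.example.corp"),
        "instance specific": ([],                 "sapci.example.corp"),
    }
    hosts = ["sapci.example.corp", "SAPDI1.example.corp",
             "example.corp", "app1.sapci.example.corp"]
    for name, (sans, cn) in certs.items():
        for host in hosts:
            rfc = verify_server_identity(host, sans, cn)
            browser = verify_server_identity(host, sans, cn, allow_cn_fallback=False)
            print(f"{name:18} {host:26} rfc6125={rfc!s:5} browser={browser}")
```

Running the script prints a table of which constructed certificate is accepted for which host; the "wildcard CN only" row is accepted under the legacy CN fallback but rejected under browser rules, which is exactly the Chrome behaviour raised in the comments below.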

If you are unsure about PSEs and certificates in the ABAP environment, check SAP Note 510007 and the expert webinar in SAP Note 2445947.

Creating the PSE

First of all, it is necessary to create the ‘SSL Server Standard’ PSE in transaction STRUST; it is the PSE used for all incoming HTTPS connections that the server receives.

A new window will appear, where you can set the ‘Name’ (the CN of the distinguished name) to a wildcard value such as *.example.corp (an illustrative domain).

Hit the confirm button and you will notice a green entry for each instance in your system.

By selecting ‘SSL Server Standard’, the wildcard certificate will appear:

You can also see that each instance has its own instance-specific certificate. In my system there is only one instance; its certificate can be inspected by double-clicking the instance-specific entry.

Testing the scenario

Now we can test the communication. Let’s open the WebGUI (transaction WEBGUI) over HTTPS in a browser to check whether the connection is secure.

Not working. This is a common error and the solution is described in KBA 2339387: the browser does not trust my server’s certificate, because it is self-signed and I did not import it into the browser’s trust store.

Signing the wildcard certificate

To solve this issue, let’s have the wildcard certificate signed by a Certificate Authority. If you have any doubts about the procedure, check the blog post linked under ‘Additional information’, which explains how to generate the certificate signing request (CSR) and import the response received from the Certificate Authority.

OK. Certificate signed:

Let’s test the WebGUI again.

Wait, what? The same error again. Let’s take a closer look at it.

If you click ‘Continue to this website (not recommended)’, the WebGUI login page appears. Then click ‘Certificate error’ (at the right end of the red address bar) to display the certificate returned by the server.

Well, this is not our wildcard certificate but the instance-specific one.

Actually, this is the expected behavior: as long as an instance has its own instance-specific PSE, the Application Server returns that instance-specific certificate, and the system-wide (wildcard) certificate is never presented to clients.

What we need to do now is to configure the Application Server to use the wildcard certificate instead of the instance-specific one.

Changing the certificate for one instance

This is simple. In transaction STRUST:

  1. Right-click ‘SSL Server Standard’;
  2. Select the ‘Change’ option.

A new window will appear, showing the DN of each instance.

Then delete the value of the instance-specific field (leave it empty). As the wizard states:
“Instances with empty distinguished names are given the standard PSE”.

In fact, the process can be simplified when the PSE is created. The creation wizard already allows this part of the configuration, so you can skip the instance-specific entries and create only the system-wide one (which should carry the wildcard certificate).

To finish, just confirm the changes. Back in STRUST, hit the ‘Save’ button at the top.

Depending on your NetWeaver release, it may be necessary to restart the ICM for the changes to take effect; on newer releases STRUST notifies the ICM when you save, so no restart is needed (see the comments below).

Final test

Let’s check the WebGUI again:

Now everything works: there is no error message and the wildcard certificate is being used. 😀 Keep in mind that browsers match the host name against the subject alternative name (SAN) extension rather than the common name, so the signed wildcard certificate must carry the wildcard as a dNSName SAN entry (see the comments and SAP Note 2478769 below).

Usually more than one instance will use this certificate. All you need to do is, in the ‘Change’ window, to clear the instance-specific distinguished name of each additional instance as well, so that it also falls back to the standard PSE with the wildcard certificate.

Additional information

510007 : Setting up SSL on Application Server ABAP

2339387 : Warning “There is a problem with this website’s security certificate” when accessing AS ABAP via HTTPS URL

RFC 6125 : Best Practices for Checking of Server Identities in the Context of Transport Layer Security (TLS)

Signing certificates in STRUST (blog post): how to create the CSR and how to import the certificate response

2445947 : [WEBINAR] Setting up SSL on NetWeaver Application Server for ABAP

8 Comments
Jordan McHale

Hi, what version of SAP no longer requires a restart of the ICM after changing a certificate? We have outages every month because we have SSL certificates from vendors that expire monthly. If we don't actually have to restart the ICM, that would be great.

Great blog!

Warmest regards, JM

Geferson Hess (Blog Post Author)

      Hi Jordan,

Beginning with SAP_BASIS 710 and 702, the ICM should be notified.

      Regards,
      Geferson Hess


Jordan McHale

      Thank you, Geferson.

We do see a message that says "ICM has been notified" when saving in transaction smicm. Should we take that to mean that the ICM doesn't require a restart?

Geferson Hess (Blog Post Author)

      Hi,

Yes, but in transaction STRUST, not SMICM.

      Regards

Jordan McHale

      Oops - yes, I meant strust / strustsso2.  Thank you! This will save us from a lot of unnecessary downtime.

Mohammed Adeel Khan

      Hi Geferson,

      Great Blog.

I want to ask whether we also need a SAN (subject alternative name), because the certificate doesn't work in the Chrome browser without a SAN. How do I generate the CSR with a SAN?

Kindly guide me, as I am stuck at this point.

Anderson Goularte

      Hello Mohammed,

In order to obtain the desired SAN, there are a number of possible steps depending on the local environment's BASIS release.

      These steps, along with other noteworthy reservations, are described further in SAP Note 2478769 - Obtaining certificates with subject Alternative Name (SAN) within STRUST.

      Best regards,
      Anderson

Peter Müller

      Hello,

We had this scenario as well: we had purchased a root-CA-signed wildcard certificate for our domain. Most instructions found on the web (like the one above) are about getting a signed certificate via a CSR, a certificate signing request, which means that the self-signed certificate gets signed by a root CA.
Our challenge was to get the already existing SSL server certificate into the ABAP stack's STRUST.

The following notes provide a good guideline:
https://launchpad.support.sap.com/#/notes/3040959
https://launchpad.support.sap.com/#/notes/2148457
https://launchpad.support.sap.com/#/notes/1473710

Briefly, the procedure is like this:

• The certificate file must be present as a PFX, with a known password. If you got a .crt and a .key file, they have to be converted.
• Using sapgenpse from the „SAP COMMONCRYPTOLIB 8“, the PFX is converted into a PSE.
• Use the full path for the -p parameter and add the -r parameter for possibly unknown CA roots. Error messages will guide you.
• It is possible to add a password while generating the PSE file. If a password is used, it has to be entered multiple times during the subsequent steps.
• Use STRUST, double-click on "File" (lower left) to load and display the PSE, and note down the entry in "Subject" (this is what is called DN in the notes referred to above).
• In STRUST, for SSL Server Standard, right-click and "Replace", and enter as "Subject" the one that you noted for the generated PSE.
• To import, call STRUST, double-click on "File" (lower left), open the PSE file again, then call PSE -> Save as -> SSL Server Standard.
• In case the STRUST SSL Server Standard contains any instance-specific entries, they have to be removed so that the SSL Server Standard main entry is used. Right-click on SSL Server Standard, then „Change“, then remove the instance-specific entries if present.

Good luck & best regards
Peter Mueller