
Steps to generate the SAPSSLS.pse certificate file and add the credential to the PSE file for Web Dispatcher – Part 2

The previous article, "Web dispatcher up and running but unable to access webadmin in browser for web dispatcher URL – Part 1", described the procedure to generate the SAPSSLS certificate file automatically and add the credential to the PSE file automatically.

 

https://blogs.sap.com/2019/03/10/webdispatcher-is-up-and-running-but-unable-to-access-webdispatcher-url-part-1/

This article describes the procedure for generating the SAPSSLS.pse file manually for Web Dispatcher using the command sapgenpse get_pse.

 

Procedure :

 

Log in to the host using the PuTTY tool.

Switch to the <sid>adm account:

$ su - <sid>adm

Set the environment variable SECUDIR to the path where the SAPSSLS.pse file will reside (i.e. /usr/sap/<SID>/W80/sec).

Use setenv because the <sid>adm account uses the C shell.

$ setenv SECUDIR /usr/sap/<SID>/W80/sec

 

$ env|grep SECUDIR

The output should show the line
/usr/sap/<SID>/W80/sec

Stop Web dispatcher instance

$ sapcontrol -nr 80 -function Stop 

Check whether the Web Dispatcher instance is stopped.

 

$ sapcontrol -nr 80 -function GetProcessList

The output should show the status as grey

Go to the sec folder:

$ cd $SECUDIR

$ pwd

This checks the current working directory. The output should show the line
/usr/sap/<SID>/W80/sec

Make sure to delete or rename the existing SAPSSLS.pse file in /usr/sap/<SID>/W80/sec:

$ mv SAPSSLS.pse  SAPSSLS.pse_1

Run the command to generate the SAPSSLS.pse certificate file:

$ sapgenpse get_pse -s 2048 -p SAPSSLS.pse -x Abcdef_123 "CN=<hostname>.<domain>"

where the hostname can be the physical hostname or a virtual hostname.

The OU, O and C entries are optional.

-s is the key length. The default value is 1024 (if the -s option is not specified, the default value 1024 is used).

-x is the PIN (Abcdef_123 here).

As shown in the figure above, the SAPSSLS.pse certificate file was generated and is located in the $SECUDIR folder, as shown in the figure below.

Run the command to verify whether the server credential was added to the SAPSSLS.pse file:

$ sapgenpse get_my_name  -p  /usr/sap/<SID>/W80/sec/SAPSSLS.pse

 

get_my_name: Couldn’t open PSE “/usr/sap/<SID>/W80/sec/SAPSSLS.pse” (Missing PIN/Passphrase, no credentials found)

 

The above error says that either the PIN is missing or the server credentials were not added. But we specified the PIN with -x Abcdef_123 in the sapgenpse get_pse -s 2048 command (mentioned above), so it seemed that the server credential was not added.

The server credential needs to be added. The command to add the server credential is shown below.

Procedure to add server credential:

On Unix (on Windows, use -O SAPService<SID>):

$ sapgenpse seclogin -p SAPSSLS.pse -O <sid>adm

If the -O option is not specified, the default is <sid>adm:

$ sapgenpse seclogin -p SAPSSLS.pse

When prompted for the PIN, enter the PIN (Abcdef_123).

 

Run the command again to verify whether the SAPSSLS.pse file still returns the error:

$ sapgenpse get_my_name -p /usr/sap/<SID>/W80/sec/SAPSSLS.pse

As shown above, the server credential was successfully added to the SAPSSLS.pse certificate file.

Start Web dispatcher instance.

$ sapcontrol -nr 80 -function Start 

Check whether the Web Dispatcher instance is started.

$ sapcontrol -nr 80 -function GetProcessList
The output should show the status as Green.

 

 

Then go to the work folder and view the dev_webdisp file.

As shown in the above screenshot, there was no error message after starting the Web Dispatcher instance. That means the SAPSSLS.pse certificate file was generated successfully and the server credential was added to the SAPSSLS.pse certificate file.

 

Open the browser for Web Dispatcher admin:
https://<hostname>:443xx/sap/wdisp/admin/public/default.html

where xx is the instance number of the Web Dispatcher.

 

 

Finding :

 

The credential file cred_v2, highlighted in red as shown in the above screenshot, is generated in the /usr/sap/<SID>/W80/sec folder.

Summary :

The credential file "cred_v2" will NOT be added if the system generates the SAPSSLS.pse file automatically while starting the Web Dispatcher instance.

The server credential file "cred_v2" will be created if the server credential is added to the SAPSSLS.pse file manually using the sapgenpse seclogin command.
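
An added example (not part of the original article and not SAP tooling): a POSIX sh check to run after the manual procedure, confirming that both SAPSSLS.pse and cred_v2 exist in the sec folder and are not accessible to group or other users. The function names and the owner-only permission policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: check the result of the manual procedure in a sec folder.
# Assumed policy (not from the article): both files must exist, be
# non-empty, and carry no group/other permission bits.

# check_pse_file FILE -> prints one finding line, returns 1 on a problem
check_pse_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "MISSING  $f"; return 1
    fi
    if [ ! -s "$f" ]; then
        echo "EMPTY    $f"; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld "$f" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "EXPOSED  $f (group/other bits: $bits)"; return 1
    fi
    echo "OK       $f"
}

# check_secudir DIR -> exit status is the number of findings (0 = clean)
check_secudir() {
    dir=$1
    findings=0
    # SAPSSLS.pse comes from get_pse, cred_v2 from seclogin.
    for name in SAPSSLS.pse cred_v2; do
        check_pse_file "$dir/$name" || findings=$((findings + 1))
    done
    return "$findings"
}

# Usage: sh check_sec.sh /usr/sap/<SID>/W80/sec
if [ "$#" -gt 0 ]; then
    check_secudir "$1"
fi
```

A missing cred_v2 after a restart matches the article's finding for an automatically generated PSE; ACLs are not examined by this check.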

 

FAQ: Can we copy the SAPSSLS.pse file generated on a previous system, or on a system belonging to a different customer, to my system and then restart the Web Dispatcher instance? The answer is "NO".

Please do not do that.

Instead, run the sapgenpse get_pse command to generate the certificate PSE file, and then the command to add the server credential to the certificate PSE file.

 

A Prasad Rao
