A Prasad Rao

Steps to generate the SAPSSLS.pse certificate file and add the credential to the PSE file for Web Dispatcher – Part 2

The previous article, "Web dispatcher up and running but unable to access webadmin in browser for web dispatcher URL – Part 1", described the procedure to generate the SAPSSLS certificate file automatically and add the credential to the PSE file automatically.

 

https://blogs.sap.com/2019/03/10/webdispatcher-is-up-and-running-but-unable-to-access-webdispatcher-url-part-1/

This article describes the procedure for generating the SAPSSLS.pse file manually for Web Dispatcher using the command sapgenpse get_pse.

 

Procedure :

 

Log in to the host using the PuTTY tool.

Switch to the <sid>adm account:

$ su - <sid>adm

Set the environment variable SECUDIR to the path where the SAPSSLS.pse file will reside (i.e. /usr/sap/<SID>/W80/sec).

Use setenv because the <sid>adm account uses the C shell.

$ setenv SECUDIR /usr/sap/<SID>/W80/sec

 

$ env|grep SECUDIR

The output should show the line
/usr/sap/<SID>/W80/sec

Stop the Web Dispatcher instance.

$ sapcontrol -nr 80 -function Stop

Check whether the Web Dispatcher instance is stopped.

 

$ sapcontrol -nr 80 -function GetProcessList

The output should show the status as grey

Go to the sec folder.

$ cd $SECUDIR

$ pwd

Check the current working directory. The output should show the line
/usr/sap/<SID>/W80/sec

Make sure to delete or rename the existing SAPSSLS.pse file in /usr/sap/<SID>/W80/sec

$ mv SAPSSLS.pse  SAPSSLS.pse_1

Run the command to generate the SAPSSLS.pse certificate file:

$ sapgenpse get_pse -s 2048 -p SAPSSLS.pse -x Abcdef_123 "CN=<hostname>.<domain>"

where hostname can be the physical hostname or a virtual hostname.

Entering OU, O and C is optional.

-s is the key length. The default value is 1024 (if the -s option is not specified, the default value 1024 is used).

-x is the PIN (Abcdef_123).

As shown in the figure above, the certificate file SAPSSLS.pse was generated and is located in the $SECUDIR folder, as shown in the figure below.

Run the command to verify whether the server credential was added to the SAPSSLS.pse file:

$ sapgenpse get_my_name -p /usr/sap/<SID>/W80/sec/SAPSSLS.pse

 

get_my_name: Couldn’t open PSE “/usr/sap/<SID>/W80/sec/SAPSSLS.pse” (Missing PIN/Passphrase, no credentials found)

 

The above error says that either the PIN is missing or the server credential was not added. But we specified the PIN with -x Abcdef_123 in the sapgenpse get_pse -s 2048 command (mentioned above). So it seems that the server credential was not added.

The server credential needs to be added. The command to add it is shown below.

Procedure to add the server credential:

$ sapgenpse seclogin -p SAPSSLS.pse -O <sid>adm

(for Unix; for Windows use -O SAPService<SID>)

$ sapgenpse seclogin -p SAPSSLS.pse

(if the -O option is not specified, the default is <sid>adm)

Specify PIN: (enter Abcdef_123 as the PIN)

 

Run the command to verify whether the SAPSSLS.pse file still returns an error:

$ sapgenpse get_my_name -p /usr/sap/<SID>/W80/sec/SAPSSLS.pse

As shown above, the server credential was successfully added to the SAPSSLS.pse certificate file.

Start the Web Dispatcher instance.

$ sapcontrol -nr 80 -function Start

Check whether the Web Dispatcher instance is started.

$ sapcontrol -nr 80 -function GetProcessList
The output should show the status as Green.

 

 

Then go to the work folder and view the dev_webdisp file.

As shown in the above screenshot, there was no error message after starting the Web Dispatcher instance. That means the certificate file SAPSSLS.pse was generated successfully and the server credential was added to the SAPSSLS.pse certificate file.

 

Open the browser for web dispatcher admin
https://<hostname>:443xx/sap/wdisp/admin/public/default.html

where xx is the instance number for web dispatcher.

 

 

Finding :

 

The credential file cred_v2, highlighted in red in the above screenshot, is generated in the /usr/sap/<SID>/W80/sec folder.

Summary :

The credential file "cred_v2" will NOT be added if the system generates the SAPSSLS.pse file automatically while starting the Web Dispatcher instance.

The server credential file "cred_v2" will be created if the server credential is added to the SAPSSLS.pse file manually using the sapgenpse seclogin command.
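
The check below is an added example, not part of the original article or of SAP's tooling: it audits the two files this procedure leaves in SECUDIR (SAPSSLS.pse and cred_v2, which lets the OS user open the PSE without typing the PIN) for group or other access. The owner-only policy and the function names are assumptions of the example, and the demo directory is constructed.

```sh
#!/bin/sh
# Added example: audit permissions of the PSE and credential files in SECUDIR.
# File names come from the article; the owner-only policy is an assumption.

# check_owner_only FILE
# Prints one finding line. Returns 1 if FILE is missing or has any
# group/other permission bit set, 0 if only the owner has access.
check_owner_only() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "MISSING  $f"
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld "$f" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "EXPOSED  $f (group/other bits: $bits)"
        return 1
    fi
    echo "OK       $f"
    return 0
}

# audit_secudir DIR
# Checks SAPSSLS.pse and cred_v2 in DIR; exit status is the number of findings.
audit_secudir() {
    dir=$1
    findings=0
    for name in SAPSSLS.pse cred_v2; do
        check_owner_only "$dir/$name" || findings=$((findings + 1))
    done
    return "$findings"
}

# Constructed demo: a temporary directory stands in for /usr/sap/<SID>/W80/sec.
demo_dir=$(mktemp -d)
: > "$demo_dir/SAPSSLS.pse"; chmod 600 "$demo_dir/SAPSSLS.pse"
: > "$demo_dir/cred_v2";     chmod 644 "$demo_dir/cred_v2"
audit_secudir "$demo_dir" || echo "findings: $?"
rm -rf "$demo_dir"
```

On a real host, run it as <sid>adm from a sh script with audit_secudir "$SECUDIR" after the seclogin step.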

 

FAQ: Can we copy the SAPSSLS.pse file generated on a previous system, or on a system of a different customer, to my system and then restart the Web Dispatcher instance? The answer is "NO".

Please do not do that.

Instead, run the sapgenpse get_pse command to generate the certificate PSE file, and then the command to add the server credential to the certificate PSE file.

 

      3 Comments
      Marcus Vinicius de Oliveira Ribeiro

      Very good procedure! In my case, although, I had to force the use of -x followed by password after previous suggested command (sapgenpse seclogin -p SAPSSLS.pse).

      It was supposed to ask me a password, but it didn't, probably due to my old version software...

      Anyway, it was very helpful! You did a Brazilian Basis very happy today! LoL

      Thank you!

      Mahesh L

      I am the first one to like it ?

      Thanks for the beautiful detailed blog

      Any blog to do this from Web administration page please ?

      I tried it but while importing the CA response, I'm facing error Installation of CA certificate failed in the portal

      Please help..

      Thank you..

      miguel angel Franco

      Hi, question, I have file pse cer user password, my question is how I can be connected using that information.

      I'm trying to create an application to use BAPI, also we have a lot of BAPI. and I want to create some app that can help us to do some other things,