In the previous article, “Web dispatcher up and running but unable to access webadmin in browser
for web dispatcher URL - Part 1, described the procedure to generate SAPSSLS certificate file
automatically and add credential to PSE file automatically.
https://blogs.sap.com/2019/03/10/webdispatcher-is-up-and-running-but-unable-to-access-webdispatcher-...
This article describe the procedure for generating SAPSSLS.pse file manually for Web dispatcher
using the command sapgenpse get_pse.
Login to host using putty tool
Switch to <sid>adm account
$ su - <sid>adm
enter environment variable SECUDIR that points to the path where SAPSSLS.pse file will be resided
i.e. /usr/sap/<SID>/W80/sec )
Use setenv because <sid>adm is the CSHELL.
$ setenv SECUDIR /usr/sap/<SID>/W80/sec
$ env|grep SECUDIR
The output should show the line
/usr/sap/<SID>/W80/sec
Stop Web dispatcher instance
$ sapcontrol -nr 80 -function Stop
Check whether Web dispatcher instance is stopped .
$ sapcontrol -nr 80 -function GetProcessList
The output should show the status as grey
Go to sec folder
$ cd $SECUDIR
$ pwd (check that t the current working directly or folder ) . The output should show the line
/usr/sap/<SID>/W80/sec
Make sure delete or rename existing SAPSSLS.pse file in /usr/sap/<SID>/W80/sec
$ mv SAPSSLS.pse SAPSSLS.pse_1
Run the command to generate certificate SAPSSLS.pse file
$ sapgenpse get_pse -s 2048 -p SAPSSLS.pse -x Abcdef_123 "CN= <hostname>.<domain>"
where hostname can be physical hostname or virtual hostname .
enter OU, O, C are optional.
Where -s is the key length. Default value is 1024. (if -s option is not specified then default value 1024 is taken )
-x is the pin Abcdef_123
As shown in the figure above, certificate file SAPSSLS.pse file was generated and is located in $SECUDIR folder as shown in the figure below.
Run the command to verify whether server credential was added SAPSSLS.pse file or not ?
$ sapgenpse get_my_name -p /usr/sap/<SID>/W80/sec/SAPSSLS.pse
get_my_name: Couldn't open PSE "/usr/sap/<SID>/W80/sec/SAPSSLS.pse" (Missing PIN/Passphrase, no credentials found)
The above error says that either pin is missing or server credentials not added. But We have specified pin -x Abcdef_123 in the command sapgenpse get_pse -s 2048 command (mentioned
above). So it seemed that server credential was not added
Need to add server credential. The command to add server credential is as shown below
$ sapgenpse seclogin -p SAPSSLS.pse -O <sid>adm (for unix) or for windows -O
SAPService<SID>
$ sapgenpse seclogin -p SAPSSLS.pse (if -O option is not specified then by default it is
<sid>adm )
Specify PIN : ( Abcdef_123 in PIN)
Run the command to verify whether SAPSSLS.pse file is getting error or not ?
$ sapgenpse get_my_name -p /usr/sap/<SID>/W80/sec/SAPSSLS.pse
As shown in the above, Server credential was successfully added to SAPSSLS.pse certificate file.
Start Web dispatcher instance.
$ sapcontrol -nr 80 -function Start
Check whether Web dispatcher instance is started .
$ sapcontrol -nr 80 -function GetProcessList
The output should show the status as Green .
Then go to work folder and view the dev_webdisp file .
As shown in the above screenshot, there was no error message after starting the webdispatcher
instance. That means certificate file SAPSSLS.pse was generated successfully and Server credential
was added to to SAPSSLS.pse certificate file
Open the browser for web dispatcher admin
https://<hostname>:443xx/sap/wdisp/admin/public/default.html
where xx is the instance number for web dispatcher.
Credential file cred_v2 highlighted in red colour as shown in the above screenshot is generated in /usr/sap/<SID>/W80/sec folder.
credential file cred_v2” will be NOT be added if the system generate SAPSSLS.pse
file (automatically) during starting the web dispatcher instance .
Server Credential file “cred_v2” will be created if server credential was added to SAPSSLS.pse file manually and using sapgenpse seclogin command manually.
FAQ: Can we copy the SAPSSLS.pse file generated from the previous system or system with different customer to my system and then restart webdispatcher instance. ? The Answer is “NO” .
Please do not do that.
Instead run the command sapgenpse -get_pse option to generate certificate PSE file and the
command to add server credential to the certificate pse file
A Prasad Rao
for web dispatcher URL - Part 1, described the procedure to generate SAPSSLS certificate file
automatically and add credential to PSE file automatically.
https://blogs.sap.com/2019/03/10/webdispatcher-is-up-and-running-but-unable-to-access-webdispatcher-...
This article describe the procedure for generating SAPSSLS.pse file manually for Web dispatcher
using the command sapgenpse get_pse.
Procedure :
Login to host using putty tool
Switch to <sid>adm account
$ su - <sid>adm
enter environment variable SECUDIR that points to the path where SAPSSLS.pse file will be resided
i.e. /usr/sap/<SID>/W80/sec )
Use setenv because <sid>adm is the CSHELL.
$ setenv SECUDIR /usr/sap/<SID>/W80/sec
$ env|grep SECUDIR
The output should show the line
/usr/sap/<SID>/W80/sec
Stop Web dispatcher instance
$ sapcontrol -nr 80 -function Stop
Check whether Web dispatcher instance is stopped .
$ sapcontrol -nr 80 -function GetProcessList
The output should show the status as grey
Go to sec folder
$ cd $SECUDIR
$ pwd (check that t the current working directly or folder ) . The output should show the line
/usr/sap/<SID>/W80/sec
Make sure delete or rename existing SAPSSLS.pse file in /usr/sap/<SID>/W80/sec
$ mv SAPSSLS.pse SAPSSLS.pse_1
Run the command to generate certificate SAPSSLS.pse file
$ sapgenpse get_pse -s 2048 -p SAPSSLS.pse -x Abcdef_123 "CN= <hostname>.<domain>"
where hostname can be physical hostname or virtual hostname .
enter OU, O, C are optional.
Where -s is the key length. Default value is 1024. (if -s option is not specified then default value 1024 is taken )
-x is the pin Abcdef_123
As shown in the figure above, certificate file SAPSSLS.pse file was generated and is located in $SECUDIR folder as shown in the figure below.
Run the command to verify whether server credential was added SAPSSLS.pse file or not ?
$ sapgenpse get_my_name -p /usr/sap/<SID>/W80/sec/SAPSSLS.pse
get_my_name: Couldn't open PSE "/usr/sap/<SID>/W80/sec/SAPSSLS.pse" (Missing PIN/Passphrase, no credentials found)
The above error says that either pin is missing or server credentials not added. But We have specified pin -x Abcdef_123 in the command sapgenpse get_pse -s 2048 command (mentioned
above). So it seemed that server credential was not added
Need to add server credential. The command to add server credential is as shown below
Procedure to add server credential:
$ sapgenpse seclogin -p SAPSSLS.pse -O <sid>adm (for unix) or for windows -O
SAPService<SID>
$ sapgenpse seclogin -p SAPSSLS.pse (if -O option is not specified then by default it is
<sid>adm )
Specify PIN : ( Abcdef_123 in PIN)
Run the command to verify whether SAPSSLS.pse file is getting error or not ?
$ sapgenpse get_my_name -p /usr/sap/<SID>/W80/sec/SAPSSLS.pse
As shown in the above, Server credential was successfully added to SAPSSLS.pse certificate file.
Start Web dispatcher instance.
$ sapcontrol -nr 80 -function Start
Check whether Web dispatcher instance is started .
$ sapcontrol -nr 80 -function GetProcessList
The output should show the status as Green .
Then go to work folder and view the dev_webdisp file .
As shown in the above screenshot, there was no error message after starting the webdispatcher
instance. That means certificate file SAPSSLS.pse was generated successfully and Server credential
was added to to SAPSSLS.pse certificate file
Open the browser for web dispatcher admin
https://<hostname>:443xx/sap/wdisp/admin/public/default.html
where xx is the instance number for web dispatcher.
Finding :
Credential file cred_v2 highlighted in red colour as shown in the above screenshot is generated in /usr/sap/<SID>/W80/sec folder.
Summary :
credential file cred_v2” will be NOT be added if the system generate SAPSSLS.pse
file (automatically) during starting the web dispatcher instance .
Server Credential file “cred_v2” will be created if server credential was added to SAPSSLS.pse file manually and using sapgenpse seclogin command manually.
FAQ: Can we copy the SAPSSLS.pse file generated from the previous system or system with different customer to my system and then restart webdispatcher instance. ? The Answer is “NO” .
Please do not do that.
Instead run the command sapgenpse -get_pse option to generate certificate PSE file and the
command to add server credential to the certificate pse file
A Prasad Rao
- SAP Managed Tags:
3 Comments
