Skip to Content
Technical Articles

How to Install an SSL/TLS Certificate on SAP Web Application Server?

Let’s cut to the chase! Why does your server need a digital certificate? SSL/TLS certificates are used to establish an encrypted communication channel between a client machine and your application server that users are trying to access. In this article, we’ll look at how to install a certificate on the SAP NetWeaver application server. But this raises the question of why end-users shouldn’t connect over an unencrypted HTTP connection. When any user connects over HTTP, all their data flows in plaintext. It implies that all transmitted information and exchanges with the server, including account credentials, financial information, etc. can be intercepted and read by an attacker listening in on the network. The primary reason for adopting HTTPS is data security and confidentiality. With HTTPS, even if an attacker intercepts any sensitive information, they can’t read the data without an associated private key.

Where Does SSL Fit in the Context of SAP Web Application Server?

SAP Web Application Server (aka SAP NetWeaver Application Server) is a component of SAP NetWeaver, a software stack for several SAP SE applications. The architecture of the SAP server can be split primarily into five layers, namely – presentation layer, business layer, integration layer, connectivity layer, persistence layer. Out of these, the connectivity layer is the one concerned with communication protocols, and this is where HTTPS running over a secure socket layer (SSL) comes into play.  The application server’s connectivity layer extends support for HTTPS that enables encrypted communication using the SAP Cryptographic Library. Secure Network Communications (SNC), a SAP software layer providing application-level end-to-end security, can be used to protect connections using the SAP communication protocols RFC and DIAG for encrypted communications.

Generate a Certificate Signing Request (CSR)

Even before your order for an SSL certificate can be placed, one of the first steps is to generate a certificate signing request (CSR), usually on the same server where it’ll be installed. It is an encoded text that contains details such as the hostname of your server, email address, city, country, etc. It’ll also include the public key of the server that’ll be used by the certificate authority (CA) when generating your SSL certificate. The public key is linked to a corresponding private key that’ll remain stored on the SAP server and should never be disclosed.

If the application server uses a server-specific Personal Security Environment (PSE), individual CSRs must be generated for each application server. However, if you employ a system-wide SSL server PSE, only a single CSR needs to be generated.

Steps to Generate a CSR on SAP NetWeaver Application Server

The steps given below describe how to generate your CSR code:

  1. Head over to the admin console and open the Trust Manager.
  2. Browse through the Trust Manager screen and, from there, expand the SSL server PSE node.
  3. In the PSE maintenance section, you’ll find the application server’s certificate in the Owner field.
  4. For each SSL server PSE (server-specific or system-wide), select the application server, and fill in the required information (such as the fully qualified domain name, city, country, etc.).
  5. Select Create Certificate Request from the PSE maintenance menu.
  6. A dialog box will open up, showing the certificate request.
  7. From there, select the content of the certificate request to copy and save it on your local device in the format <file_name>.P10.

Once that’s done, and you’ve successfully generated the CSR file, it needs to be sent to a CA to be signed. To complete the SSL certificate order, you can use any text editor (like Notepad) to copy the CSR content (including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines) and share it with your CA. The exact procedure to complete the order may vary slightly from one CA to another. Typically, a stepwise process will be available on their website.

Install the SSL/TLS Certificate on Your SAP Web Application Server

Once the CA shares the SSL certificate and all associated files, the first step is to determine if they’re in the correct format. The trust manager necessitates that the files (the signed public-key certificate and the CA’s root certificate) must adhere to the PKCS#7 certificate chain format. Alternatively, the CA may also issue a public-key certificate in PEM format.

  1. Download and extract the contents of the ZIP file shared by the CA. It should contain the SSL certificate, the root certificate, and the CA bundle (intermediate certificates).
  2. Use a text editor to open these three files and save them with a .txt extension.
  3. Once the files are ready, log in to your admin console.
  4. Expand the SSL server PSE node from the trust manager and double-click on your application server to select it.
  5. From the PSE maintenance section, select Import Cert. Response.
  6. You can click on Load local to upload your SSL Certificate with the .crt extension, or you can paste the contents of the .txt files created previously into the corresponding box.
  7. Your SSL certificate should now be displayed in the PSE maintenance section after getting imported into the SSL server PSE. As a final step, save the complete data.

Next, you’ll need to add the intermediate and root certificates in any one of these locations, depending upon your system setup.

Importing CA’s Root Certificate From the Certificate Database

  1. Go to the certificate section and click on Import Certificate. From the dialog box that appears, choose the Database tab.
  2. Next, click on your certificate and select Enter. You should see the certificate displayed in the certificate section.
  3. Click on Add to Certificate List and Save the data.
  4. The certificate will get added to the certificate list in the PSE maintenance section.

Importing CA’s Root Certificate From the File System

  1. Go to the certificate section and click on Import Certificate. In the import certificate dialog box, specify the associated file name from the file system.
  2. Next, select Base 64 as the certificate’s file format and hit Enter. You should see the certificate displayed in the certificate section.
  3. Click on Add to Certificate List and Save the data.
  4. The certificate will get added to the certificate list in the PSE maintenance section.

Importing CA’s Root Certificate From a Different PSE

  1. Expand the SSL server PSE node that hosts the certificate. Double-click on one of your application servers to select it.
  2. Double-click on your certificate from the certificate list in the maintenance section.
  3. Under the SSL server PSE node, double-click to choose a single application server.
  4. Click on Add to Certificate List and Save the data. The certificate will get added to the certificate list in the PSE maintenance section.

After the certificate installation process, you can use an SSL checker tool to run a diagnostic test that verifies the installation has completed without any errors.

Wrapping Up

In the past, a missing or an expired SSL/TLS certificate has been held responsible for several prominent security breaches, for example, the Equifax data breach. The security afforded by installing a digital certificate far outweighs its cost. Besides, all digital certificates offer an equivalent level of encryption strength, and the variation is typically on the validation level and the scope of domains covered. This means that even the lowest priced certificate will get the job done (in terms of encryption strength) just as well as the most expensive certificate on your list. There are multiple affordable solutions offered by various vendors, and sometimes you can also find coupon codes that offer additional discounts.

2 Comments
You must be Logged on to comment or reply to a post.