SAP JAVA HTTPS Cert update with SAN entry


SSL configuration is a key configuration for any SAP system that is accessed over a web browser. All SAP JAVA systems are web-based, so SSL configuration is a must there. The key activity in SSL configuration is updating the certificate for the URL and getting it signed. With the latest security enhancements in browsers such as Chrome, a SAN (Subject Alternative Name) entry is a must for any certificate. In this article, we will see how to update the SAP JAVA HTTPS certificate with a SAN entry.

Steps for SAP JAVA HTTPS Cert update with SAN entry

  • Log in as sidadm
  • Set the environment variable SECUDIR to point to /usr/sap/<SID>/<Instance>/sec
  • Take a backup of all files under /usr/sap/<SID>/<Instance>/sec
  • Generate new PSE with SAN
    • sapgenpse gen_pse -s 2048 -a sha256WithRsaEncryption -p <SID>J2eeSystemSAN.pse -k GN-dNSName:<hostname with fqdn>
    • Provide Password : *********
    • Provide the Distinguished name of the PSE owner : CN=<hostname with fqdn>
  • <SID>J2eeSystemSAN.pse is created and the CSR is printed on the screen. Copy it and submit it to the issuing Certificate Authority (such as Entrust) to get a response
  • Once you get a response from the CA (Certificate Authority), you may need to add root and/or intermediate certificates as well.
  • Once the response is available, copy it to the server as <SID>JavaSSL.csr
  • Import the CA response (<SID>JavaSSL.csr) into the PSE
    • sapgenpse import_own_cert -c <SID>JavaSSL.csr -p <SID>J2eeSystemSAN.pse
  • To upload the certificate in NWA/VISUAL-ADMIN, convert the PSE to a p12 file
    • sapgenpse export_p12 -p <SID>J2eeSystemSAN.pse -x <PSE Password> -z <PSE Password> <SID>_SSL_<Hostname>
  • For 7.0X or lower systems (Visual Admin)
    • Load this p12 file in KeyStorage -> service_ssl; it will ask for the PSE password.
    • In VISUAL ADMIN, under Dispatcher -> Services -> SSL Provider, add the name of the new entry created in the previous step to the Server Identity tab
  • For systems > 7.0X (NWA)
    • Check which keystore is used for SSL in NWA -> Configuration -> SSL
    • Import the p12 file in NWA -> Configuration -> Certificate & Keys -> <keystore found in above step>; normally it will be ICM_SSL_<Instance ID>. It will ask for the password
    • Take a backup of the existing SSL private key, if any, by exporting it
    • Delete the old SSL private key if there are now two keys after importing the newly generated p12 file
    • Restart ICM
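
Before importing the CA response with sapgenpse import_own_cert, it is worth confirming that the issued certificate really carries the SAN that was requested, since a CA can return a CN-only certificate that browsers will reject. The script below is an added example, not part of the original procedure; it assumes openssl is installed on the server and that the response is a PEM X.509 certificate, and the hostname sapj01.example.com and both sample texts are constructed.

```shell
#!/bin/sh
# Constructed samples of `openssl x509 -noout -text` output (not real certificates).
SAMPLE_WITH_SAN='        Subject: CN = sapj01.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:sapj01.example.com, DNS:sapj01'
SAMPLE_CN_ONLY='        Subject: CN = sapj01.example.com
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'

# san_dns_names: read `openssl x509 -noout -text` output on stdin and print
# every dNSName of the Subject Alternative Name extension, lower-cased.
san_dns_names() {
    awk '
        /X509v3 Subject Alternative Name/ { grab = 1; next }
        grab {
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] ~ /^DNS:/) print tolower(substr(parts[i], 5))
            }
            grab = 0
        }'
}

# check_san HOST: return 0 if HOST is one of the SAN dNSNames on stdin,
# 1 if the SAN lists other names only, 2 if there is no SAN dNSName at all.
check_san() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    names=$(san_dns_names)
    [ -n "$names" ] || return 2
    printf '%s\n' "$names" | grep -Fxq -- "$want"
}

# check_cert_file FILE HOST: the same check for a PEM certificate file.
check_cert_file() {
    openssl x509 -in "$1" -noout -text | check_san "$2"
}
```

Source the file and run check_cert_file <SID>JavaSSL.csr <hostname with fqdn> on the server; a return code of 2 means the response is a CN-only certificate and should go back to the CA before anything is imported.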
