Former Member

How to use one PSE with multiple URLs?


I need to hit my DMZ SAP Web Dispatcher with multiple unique URLs. I am starting off using webdisp1.abc.com and webdisp2.vde.com. DNS will resolve both to the Web Dispatcher host. I am following Tobias Winterhalter's blog: Name-based virtual hosts and one SAP Web Dispatcher to access multiple SAP systems.

My question is how do I go about generating the pse so I can store both webdisp1.abc.com and webdisp2.vde.com?  Do I just import the first request and initiate another certificate request using the same pse?

Example

sapgenpse gen_pse -s 2048 -p D:\ \SAPSSLS.pse -r D:\ \webdisp1.req "CN=webdisp1.abc.com, OU=IT, O=XYZ Inc., C=US"

Cheers,

Dan Mead


3 Answers

  • Best Answer
    Former Member
    Jun 04, 2014 at 05:51 PM

    All -

    I appreciate all the responses.  Our CA provider is currently Entrust.  The Subject (Alt) names are added when posting the CSR.  If we want to use more than two "Subject (Alt) names"  in addition to the DN then we request what Entrust calls a MultiDomain certificate.

    Depending on your scenario, one of these nifty profile parameters will come in handy.

    wdisp/system_conflict_resolution

    wdisp/ssl_ignore_host_mismatch

    wdisp/ssl_certhost

    Cheers,

    Dan Mead


  • Mar 12, 2014 at 11:28 PM

    Hi,

    I am almost 99% sure that sapgenpse does not support creating cert with alternative names. Hence I would try to generate cert using other tool such as OpenSSL (blog with examples). I am 100% sure that web dispatcher supports alternative names because one of my previous clients uses this. I can see in cert's section Extensions -> Certificate Subject Alt Names lines like

    DNS Name: hostname1

    DNS Name: hostname2

    Cheers


    • Former Member

      Hi Daniel,

      what you are looking for are so-called SAN certificates. As Martin said, with sapgenpse you are pretty much out of luck. However, you can create the certificates using openssl and then use sapgenpse to import them into a PSE. There are a number of guides on how to create SAN certificates on the web, like the one mentioned by Martin from CAcert (which is one of the best imho) or this one. And there are also guides on the internet on how to convert OpenSSL keys to PSE.

      You should however keep in mind that SAN certificates are more expensive than standard certificates. Therefore they only pay off if the hostnames in there are stable for the lifetime of the certificate. If the hostnames need to change once a year, you will already be better off (from a cost perspective) by creating one PSE per hostname and letting the Web Dispatcher listen on different addresses, as each hostname requires a new certificate signed by the CA.

      Please also make sure the systems and browsers connecting to your web servers are able to understand SAN certificates. For SAP systems this requires at least pl24 of the sapcryptolib.

      Kind regards,

      Patrick
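
The OpenSSL route described in the replies above, as an added example that is not part of the original thread: it builds one CSR whose subjectAltName carries both hostnames from the question and reads the names back before the request goes to the CA. The function names and the file names san.cnf, webdisp.key and webdisp.csr are assumptions made for this example; the DN values are the ones from the question.

```shell
# make_san_csr <outdir> <host> [<host>...]
# Writes san.cnf, webdisp.key and webdisp.csr (names assumed for this example).
# The first host becomes the CN; every host is listed in subjectAltName.
make_san_csr() {
    outdir=$1; shift
    cn=$1
    san=""
    for h in "$@"; do san="${san:+$san,}DNS:$h"; done
    cat > "$outdir/san.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
C = US
O = XYZ Inc.
OU = IT
CN = $cn
[ v3_req ]
subjectAltName = $san
EOF
    # -nodes leaves the private key unencrypted on disk, so restrict it at creation.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -config "$outdir/san.cnf" \
          -keyout "$outdir/webdisp.key" -out "$outdir/webdisp.csr" )
}

# csr_dns_names <csr>: print the DNS entries of the CSR's SAN extension, one per line.
csr_dns_names() {
    openssl req -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# csr_covers <csr> <host>...: succeed only if every host appears in the SAN list.
csr_covers() {
    csr=$1; shift
    names=$(csr_dns_names "$csr")
    for h in "$@"; do
        printf '%s\n' "$names" | grep -qxF "$h" || { echo "missing SAN: $h" >&2; return 1; }
    done
}

# Usage: make_san_csr . webdisp1.abc.com webdisp2.vde.com
#        csr_covers ./webdisp.csr webdisp1.abc.com webdisp2.vde.com
```

The signed certificate and webdisp.key still have to be imported into the PSE afterwards, as the reply above says; that step is not shown here.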

  • Former Member
    Mar 17, 2014 at 05:42 PM

    Hello,

    I do use a SAP Web Dispatcher terminating SSL connections and using 2 DNS alternate names (SAN).

    The trick is to use transaction STRUST instead of sapgenpse to create the SSL PSE. If your SP level is high enough, you can see the new field "Subject (Alt.)" in the certificate display.

    To create the certificate, you just enter both SN separated by a ";" character.

    Best Regards,

    Olivier


    • You need a recent enough SAP_BASIS and SAP CRYPTOLIB version in order to use Alternative Subject Names in STRUST. Can you share the versions you have? See also the incoming links of this discussion thread for more information on the subject.