03-12-2014 10:39 PM
I need to hit my DMZ SAP Web Dispatcher with multiple unique URLs. I am starting off using webdisp1.abc.com and webdisp2.vde.com. DNS will resolve both to the Web Dispatcher host. I am following Tobias Winterhalter's blog: Name-based virtual hosts and one SAP Web Dispatcher to access multiple SAP systems.
My question is how do I go about generating the PSE so I can store both webdisp1.abc.com and webdisp2.vde.com? Do I just import the first request and then initiate another certificate request using the same PSE?
Example
sapgenpse gen_pse -s 2048 -p D:\<file path>\SAPSSLS.pse -r D:\<file path>\webdisp1.req "CN=webdisp1.abc.com, OU=IT, O=XYZ Inc., C=US"
Cheers,
Dan Mead
03-12-2014 11:28 PM
Hi,
I am almost 99% sure that sapgenpse does not support creating a cert with alternative names. Hence I would try to generate the cert using another tool such as OpenSSL (blog with examples). I am 100% sure that the Web Dispatcher supports alternative names, because one of my previous clients uses this. In the cert's section Extensions -> Certificate Subject Alt Names I can see lines like
DNS Name: hostname1
DNS Name: hostname2
Cheers
03-13-2014 6:50 AM
Hi Daniel,
What you are looking for are so-called SAN certificates. As Martin said, with sapgenpse you are pretty much out of luck. However, you can create the certificates using OpenSSL and then use sapgenpse to import them into a PSE. There are a number of guides on how to create SAN certificates on the web, like the one mentioned by Martin from CAcert (which is one of the best imho) or this one. There are also guides on the internet on how to convert OpenSSL keys to a PSE.
You should however keep in mind that SAN certificates are more expensive than standard certificates. Therefore they only pay off if the hostnames in them are stable for the lifetime of the certificate. If the hostnames need to change once a year, you will already be better off (from a cost perspective) creating one PSE per hostname and letting the Web Dispatcher listen on different addresses, as each hostname change requires a new certificate signed by the CA.
Please also make sure the systems and browsers connecting to your web servers are able to understand SAN certificates. For SAP systems this requires at least PL24 of the sapcryptolib.
Kind regards,
Patrick
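The OpenSSL-then-sapgenpse route that Martin and Patrick describe, worked through end to end as an added example (this is not code from the thread or from SAP): a request config whose subjectAltName lists both hostnames from the question, the key and CSR built from it, a check that the SAN really made it into the CSR, and the import of the CA-signed certificate into SAPSSLS.pse. The hostnames and DN are the ones Dan posted; the working directory, file names, the CA response files (webdisp.crt, chain.pem) and the use of `sapgenpse import_p8` with `-p`/`-c`/`-r` are assumptions, so confirm the option set against `sapgenpse import_p8 -h` for your CommonCryptoLib release.

```shell
#!/bin/sh
# Added example, not part of the original thread: create a SAN CSR with
# OpenSSL and import the signed result into a PSE with sapgenpse.
# Hostnames/DN come from the question; paths and CA file names are assumptions.
set -eu

WORKDIR=${WORKDIR:-./san-pse}      # assumption: scratch directory
PSE=${PSE:-$WORKDIR/SAPSSLS.pse}   # assumption: target PSE path

# Emit an OpenSSL req config. Argument 1 becomes the CN; every argument
# (CN included) is listed under subjectAltName, because once a SAN
# extension is present clients match the hostname against the SANs only.
san_config() {
  cn=$1
  printf '[ req ]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n'
  printf '[ dn ]\nCN = %s\nOU = IT\nO = XYZ Inc.\nC = US\n\n' "$cn"
  printf '[ v3_req ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\n'
  i=1
  for h in "$@"; do
    printf 'DNS.%s = %s\n' "$i" "$h"
    i=$((i + 1))
  done
}

# Number of DNS entries in a config written by san_config (sanity check).
san_count() {
  grep -c '^DNS\.' "$1"
}

# Generate the key pair and CSR, then show the SAN the CA will see.
make_csr() {
  cfg=$WORKDIR/san.cnf
  mkdir -p "$WORKDIR"
  san_config "$@" > "$cfg"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/webdisp.key" -out "$WORKDIR/webdisp.req" -config "$cfg"
  openssl req -in "$WORKDIR/webdisp.req" -noout -text | grep -A1 'Subject Alternative Name'
}

# After the CA returns webdisp.crt (server cert) and chain.pem (CA chain):
# convert the key to PKCS#8, build the PSE, and confirm what it now holds.
import_into_pse() {
  openssl pkcs8 -topk8 -nocrypt -in "$WORKDIR/webdisp.key" -out "$WORKDIR/webdisp.p8"
  sapgenpse import_p8 -p "$PSE" -c "$WORKDIR/webdisp.crt" -r "$WORKDIR/chain.pem" "$WORKDIR/webdisp.p8"
  sapgenpse get_my_name -p "$PSE" -v
  rm -f "$WORKDIR/webdisp.p8"   # unencrypted key copy; the PSE holds it now
}

# Usage: ./san-pse.sh csr webdisp1.abc.com webdisp2.vde.com
#        (send webdisp.req to the CA, drop webdisp.crt and chain.pem in WORKDIR)
#        ./san-pse.sh import
case ${1:-} in
  csr)    shift; make_csr "$@" ;;
  import) import_into_pse ;;
esac
```

The `grep -A1 'Subject Alternative Name'` step is the check worth keeping: a CA will happily sign a CSR that lost its extensions, and the Web Dispatcher will serve a certificate that only matches one of the two names. Also remember Patrick's point that the CA, not the CSR, decides whether the SAN is honoured, so compare the returned webdisp.crt the same way before importing it.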
03-17-2014 5:42 PM
Hello,
I do use an SAP Web Dispatcher terminating SSL connections and using 2 DNS alternate names (SAN).
The trick is to use transaction STRUST instead of sapgenpse to create the SSL PSE. If your SP level is high enough, you can see the new field "Subject (Alt.)" in the certificate display.
To create the certificate, you just enter both SANs separated by a ";" character.
Best Regards,
Olivier
06-04-2014 11:40 AM
Hi Olivier,
I am trying your method to add the new field "Subject (Alt.)". I do not get any option to put anything under this. The only option I get while creating is CN. And when I try to put two hostnames there separated by ; (semicolon), I get the error message that an invalid character was used.
I do see this "Subject (Alt.)" in the certificate after I create it, and it is blank.
Would you be kind enough to share the steps to add this value?
Appreciate your help.
Regards,
Tajinder
06-04-2014 6:35 PM
You need a recent enough SAP_BASIS and SAP CRYPTOLIB version in order to use Alternative Subject Names in STRUST. Can you share the versions you have? See also the incoming links of this discussion thread for more information on the subject.
06-04-2014 6:51 PM
All -
I appreciate all the responses. Our CA provider is currently Entrust. The Subject (Alt) names are added when posting the CSR. If we want to use more than two "Subject (Alt) names" in addition to the DN then we request what Entrust calls a MultiDomain certificate.
Depending on your scenario, one of these nifty profile parameters will come in handy.
wdisp/system_conflict_resolution
wdisp/ssl_ignore_host_mismatch
wdisp/ssl_certhost
Cheers,
Dan Mead