
Public Certificate to setup external SSL Trust to Web Dispatcher

richard_howard
Active Participant
0 Kudos

We've set up a Web Dispatcher in our DMZ to enable Fiori to connect through our firewall to a backend Gateway System. When we run https://fiori.abc.com to hit that DMZ server it needs a certificate for *.abc.com that says that site can be trusted and has been signed by a Certificate Authority. My company uses COMODO RSA to do that signing. I have their three crt's for setting this up:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSAOrganizationValidationSecureServerCA.crt

I've tried every sapgenpse import_own_cert method I can think of and none of them work. They all seem to conflict with my Old Certificate in the PSE. I get the error, "No certificate with your public key found in supplied input". That Old Certificate has CN=<FQHN> in it.

Does anyone have an example of how to set up COMODO with sapgenpse?

Do I use the Server PSE (SAPSSLS.pse) or the Client PSE (SAPSSLC.pse)?

richard_howard
Active Participant
0 Kudos

How to Setup a Valid Server Certificate in SAP Web Dispatcher

I followed this Wiki and successfully set up an SSL Certificate for my server name, plus my intermediate and root certs, as required. This works fine for internal use cases where the URL uses my physical hostname.

But from the internet, my https://fiori.abc.com URL is not the same as my physical hostname. It should not be. So I get the error that fiori.abc.com uses an invalid security certificate.

I cannot find a Wiki or Note that details how to set up this external trust to my Web Dispatcher. Anyone know of where I can find something like that?

Accepted Solutions (1)


richard_howard
Active Participant

DISCLAIMER: I am new to this and barely understand how it all works but I did get it to work. The Fiori App on your phone will not work if HTTPS is not successful. For the first time, I'm connecting my Fiori App to my backend system inside of our firewall. Wohoo!

First, my company Web Support Team provided me with a STAR_abc_com.pfx certificate. This is the certificate that says all URL's to *.abc.com are trusted and have been signed by a CA. My first attempts to load that pfx with sapgenpse failed.

sapgenpse import_p12 -p SAPSSLS.pse /tmp/STAR_abc_com.pfx

import_p12: Sorry, but certificate chain is incomplete, need certificate of 'CN=COMODO RSA Organization Validation Secure Server CA, O=COMODO CA Limited, L=Salford, SP=Greater Manchester, C=GB'!

To solve this error, I used the import_p12 command but added my COMODO certs to the string with -r entries. It looked like this:

sapgenpse import_p12 -r /tmp/COMODORSAOrganizationValidationSecureServerCA.crt -r /tmp/COMODORSAAddTrustCA.crt -r /tmp/AddTrustExternalCARoot.crt -p SAPSSLS.pse /tmp/STAR_abc_com.pfx

The -r values must precede the -p value or you'll get syntax issues when they are at the end. Also, you need all three certs in the string. If you just do one, or two of them, it will fail saying it misses the other.
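A pre-flight check for the import described above, as an added example that is not part of the original post: it names the CA certificate still missing from a set of -r files and checks that the certificate covers the external hostname. It assumes OpenSSL is installed and that the certificates are PEM files; the function names and leaf.pem are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL on PATH and PEM
# input; the leaf can be exported from the PFX first, e.g.
#   openssl pkcs12 -in STAR_abc_com.pfx -clcerts -nokeys -out leaf.pem
# Names are compared as text only; signatures are not verified here.

# Print the "subject" or "issuer" name ($1) of certificate file $2.
cert_field() {
    openssl x509 -in "$2" -noout "-$1" | sed "s/^$1= *//"
}

# missing_issuer LEAF [CA...]: walk issuer names upward from LEAF.
# Returns 0 at a self-signed root; otherwise prints the issuer that has no
# matching CA file (the name sapgenpse asks for) and returns 1.
missing_issuer() {
    current=$1; shift
    hops=0
    while [ "$hops" -lt 10 ]; do            # guard against name loops
        iss=$(cert_field issuer "$current")
        if [ "$(cert_field subject "$current")" = "$iss" ]; then
            return 0                         # self-signed root reached
        fi
        next=""
        for ca in "$@"; do
            if [ "$(cert_field subject "$ca")" = "$iss" ]; then
                next=$ca
                break
            fi
        done
        if [ -z "$next" ]; then
            printf '%s\n' "$iss"             # this CA file must be added
            return 1
        fi
        current=$next
        hops=$((hops + 1))
    done
    return 1
}

# covers_host CERT HOSTNAME: true if the certificate is valid for HOSTNAME
# (wildcards included), i.e. the name clients use in the URL.
covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match'
}
```

Run missing_issuer with the leaf followed by the same three CA files passed as -r, and covers_host with fiori.abc.com, before calling sapgenpse import_p12.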

Former Member
0 Kudos

Thanks, Richard. The solution that you have given works.

ms_gacl
Explorer

Thanks, Richard. The solution you have given also worked for us.

former_member296583
Discoverer
0 Kudos

Thanks, it worked.

Answers (0)