
Public Certificate to setup external SSL Trust to Web Dispatcher

Feb 03, 2017 at 03:54 PM

Former Member

We've set up a Web Dispatcher in our DMZ to enable Fiori to connect through our firewall to a backend Gateway System. When we run https://fiori.abc.com to hit that DMZ server it needs a certificate for *.abc.com that says that site can be trusted and has been signed by a Certificate Authority. My company uses COMODO RSA to do that signing. I have their three crt's for setting this up:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSAOrganizationValidationSecureServerCA.crt

I've tried every sapgenpse import_own_cert method I can think of and none of them work. They all seem to conflict with my Old Certificate in the PSE. I get the error, "No certificate with your public key found in supplied input". That Old Certificate has CN=<FQHN> in it.

Does anyone have an example of how to set up COMODO with sapgenpse?

Do I use the Server PSE (SAPSSLS.pse) or the Client PSE (SAPSSLC.pse)?

Former Member

How to Setup a Valid Server Certificate in SAP Web Dispatcher

I followed this Wiki and successfully set up an SSL Certificate for my server name, plus my intermediate and root certs, as required. This works fine for internal use cases where the URL uses my physical hostname.

But from the internet, my https://fiori.abc.com URL is not the same as my physical hostname. It should not be. So I get the error that fiori.abc.com uses an invalid security certificate.

I cannot find a Wiki or Note that details how to set up this external trust to my Web Dispatcher. Anyone know of where I can find something like that?

0

2 Answers

Former Member Feb 10, 2017 at 03:47 PM
1

DISCLAIMER: I am new to this and barely understand how it all works but I did get it to work. The Fiori App on your phone will not work if HTTPS is not successful. For the first time, I'm connecting my Fiori App to my backend system inside of our firewall. Wohoo!

First, my company Web Support Team provided me with a STAR_abc_com.pfx certificate. This is the certificate that says all URLs to *.abc.com are trusted and have been signed by a CA. My first attempts to load that pfx with sapgenpse failed.

sapgenpse import_p12 -p SAPSSLS.pse /tmp/STAR_abc_com.pfx

import_p12: Sorry, but certificate chain is incomplete, need certificate of 'CN=COMODO RSA Organization Validation Secure Server CA, O=COMODO CA Limited, L=Salford, SP=Greater Manchester, C=GB'!

To solve this error, I used the import_p12 command but added my COMODO certs to the string with -r entries. It looked like this:

sapgenpse import_p12 -r /tmp/COMODORSAOrganizationValidationSecureServerCA.crt -r /tmp/COMODORSAAddTrustCA.crt -r /tmp/AddTrustExternalCARoot.crt -p SAPSSLS.pse /tmp/STAR_abc_com.pfx

The -r values must precede the -p value or you'll get syntax issues when they are at the end. Also, you need all three certs in the string. If you just do one, or two of them, it will fail saying it misses the other.

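Added example, not part of the original thread: an openssl pre-flight check for the two failures discussed here, an incomplete chain (the import_p12 error) and a certificate that does not cover the external hostname. Function names are hypothetical, PEM input is assumed, and the self-test chain is constructed with one intermediate rather than COMODO's two.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical helper names; PEM files assumed.
# The leaf can be exported from the .pfx with:
#   openssl pkcs12 -in STAR_abc_com.pfx -nokeys -clcerts -out leaf.crt

# chain_ok ROOT LEAF [INTERMEDIATE...]: succeeds only if LEAF chains to ROOT
# through the intermediates given (the same files you would pass with -r).
chain_ok() {
  root=$1; leaf=$2; shift 2
  if [ $# -eq 0 ]; then
    openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1
    return $?
  fi
  bundle=$(mktemp) || return 2
  cat "$@" > "$bundle"
  openssl verify -CAfile "$root" -untrusted "$bundle" "$leaf" >/dev/null 2>&1
  rc=$?; rm -f "$bundle"; return $rc
}

# host_ok CERT HOSTNAME: succeeds if the certificate covers HOSTNAME.
host_ok() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# make_chain DIR: constructed throwaway root -> intermediate -> *.abc.com leaf.
make_chain() {
  d=$1
  echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
  echo 'subjectAltName=DNS:*.abc.com'      > "$d/leaf.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 2 -days 1 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -set_serial 3 -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# With arguments, check real files: sh check.sh HOST ROOT LEAF [INTERMEDIATE...]
if [ $# -ge 3 ]; then
  host=$1; shift
  host_ok "$2" "$host" && echo "hostname covered" || echo "hostname NOT covered"
  chain_ok "$@" && echo "chain complete" || echo "chain INCOMPLETE"
fi
```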
Former Member Aug 11, 2017 at 03:57 AM
0

Thanks, Richard. The solution that you have given works.
