
SSL certificate in SAPSSLS.PSE doesn't match the one in STRUST - SSL Server Standard

HenryLeung
Explorer
0 Kudos

I'm trying to replace the SSL Server Standard certificate because ICM HTTPS has a certificate error: https://<server FQDN>:8443/sap/public/icman/ping

So in STRUST, I deleted the old SSL Server Standard certificate and created a new one. Signed it with our own CA and imported it in. Everything looks fine in STRUST. However, the web page is still using the self-signed certificate. I used sapgenpse.exe to check the certificate in SAPSSLS.pse. It is the same self-signed certificate from the web page.

I performed the same steps for "SSL client SSL Client (Standard)" without any problems. The certificate matched with the one from SAPSSLC.pse. Only SSL Server Standard is not matching. Did I miss a step somewhere?

I can use sapgenpse.exe to sign the certificate as a workaround. But that's not my preferred method. Plus because of the mismatch, it will cause confusion and/or problems later. Does anyone know how to fix this?

Thank you

Accepted Solutions (0)

Answers (4)


ChrisPaine
Active Contributor

Hi Matt,

No worries - I hear that the weather in the northern hemisphere has been such that taking a break is almost a mandatory requirement for some of you!

The reason for not using SAP GUI was to automate the whole process. Having to use GUI means that automation has to be via RPA - which is a bit OTT!

In the end I found a function module which would allow me to pick up the altered/updated PSE from the drive (altered using the SAPGENPSE tool) and would then apply it to the system PSE as stored in the database. Function module for any wanting to try at home is "SSFPSE_STORE".

I had to write a simple ICF handler to allow me to call that and pass in the details of which PSE I wanted to update - but it works!

Now I have a job that is scheduled on the server that hosts my SAP ECC6 instance that automatically updates all the system PSEs every month from Let's Encrypt with no need for manual intervention. Probably saves about 2hrs of effort every 2.5 months for me, probably would be a bit more for folks that had more than just one ECC6 demo system sat there!

Cheers,

Chris

0 Kudos

Hello Chris,

This is a very good piece of information that you have shared here. However, it would be interesting to know how you manage your existing certificate list in the various PSEs like SSL standard, SSL client etc. - as these certificates would be lost when you renew a specific PSE.

Best Regards.

ChrisPaine
Active Contributor
0 Kudos

matt.fraser I'm having a similar issue - have used SAPGENPSE.exe to update a PSE - but now getting error in STRUST because:

Local PSE does not match database original

Message no. TRUST028

Diagnosis

The copy of the PSE on the application server is different from the original PSE in the database.

Which is somewhat a fair statement.

But using the "Distribute All" functionality just updates the cert stored in file that I updated with the old one!

Is there any way to trigger the system to pick up those PSE files updated with SAPGENPSE and use them?

I've tried stopping and restarting the SAP instance and that just sets all the PSE back to what they were before.

I'm feeling like I'm missing a really really simple step, but I can't figure out what it is!

Any quick insight?

Cheers,


Chris

Matt_Fraser
Active Contributor
0 Kudos

Hi Chris,

Apologies for a late response; I've been offline the past few weeks and just now saw this.

Is there a strong reason for using SAPGENPSE and not STRUST via the SAPGUI? In the past STRUST lacked certain critical functionality that could only be achieved with the command-line tool, but these days most of what you are likely to need to do can be done there, and that should avoid issues of having mismatched versions.

Generally speaking, when I need to update a certificate on an ABAP system (whether the SSL Server or SSL Client), I do it all from STRUST. Right-click the PSE folder and choose Replace and use the wizard from there. Tick the box for Use certificate list so that you keep all the trusted certs in place, and then when creating the CA signing request, make sure to append a row with the FQDN in the Alternative Owner Name (SAN) box. Paste the result into my CA server's request form, download the certificate chain in Base 64 encoding, and import that in STRUST, then restart the ICM in SMICM. That's always worked pretty well for me.

Cheers,
Matt

0 Kudos

Was the solution found?

Matt_Fraser
Active Contributor
0 Kudos

Hi Henry,

After replacing the SSL certificate in STRUST, you need to restart the ICM, via SMICM -> Administration -> Exit Soft -> Global, in order for the new certificate to take effect.

Cheers,
Matt

HenryLeung
Explorer
0 Kudos

Hi Matt,

I tried that already. I even restarted the SAP instance. The problem is that the certificate listed in STRUST (SSL Server Standard) is not the same as the one in SAPSSLS.pse.

After signing the certificate in SAPSSLS.pse using sapgenpse.exe, HTTPS works. HTTPS is showing the same certificate in SAPSSLS.pse but not in STRUST.

Thanks,

Henry
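
Added example, not part of the thread or of any SAP tooling: one way to confirm which certificate the ICM HTTPS port actually serves is to compare its SHA-256 fingerprint with a Base64 export of the certificate chain taken from STRUST. The function names, the use of port 8443 as a default, and the sample data (constructed placeholder bytes wrapped as PEM, not real certificates) are assumptions made for illustration.

```python
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(text):
    """DER bytes of every certificate block in text (line wrapping ignored)."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(text)]

def fingerprint(der):
    """SHA-256 fingerprint of the DER encoding, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def served_matches_export(served_pem, exported_pem):
    """True if the certificate the port serves is in the exported chain."""
    served = pem_to_der_list(served_pem)
    if not served:
        raise ValueError("no certificate found in served PEM")
    exported = {fingerprint(der) for der in pem_to_der_list(exported_pem)}
    if not exported:
        raise ValueError("no certificate found in export")
    return fingerprint(served[0]) in exported

def fetch_served_pem(host, port=8443):
    """Fetch the leaf certificate from a live HTTPS port without validating
    it, so a self-signed certificate is returned rather than rejected."""
    return ssl.get_server_certificate((host, port))

# Constructed sample data: placeholder bytes wrapped as PEM, not real certificates.
CA_SIGNED_DER = b"constructed CA-signed server certificate" * 4
SELF_SIGNED_DER = b"constructed self-signed server certificate" * 4
ROOT_CA_DER = b"constructed root CA certificate" * 4

STRUST_EXPORT = (ssl.DER_cert_to_PEM_cert(CA_SIGNED_DER)
                 + ssl.DER_cert_to_PEM_cert(ROOT_CA_DER))
SERVED_SELF_SIGNED = ssl.DER_cert_to_PEM_cert(SELF_SIGNED_DER)
# Same certificate as in the export, but with CRLF line endings.
SERVED_CA_SIGNED = ssl.DER_cert_to_PEM_cert(CA_SIGNED_DER).replace("\n", "\r\n")

if __name__ == "__main__":
    print("self-signed served:", served_matches_export(SERVED_SELF_SIGNED, STRUST_EXPORT))
    print("CA-signed served:  ", served_matches_export(SERVED_CA_SIGNED, STRUST_EXPORT))
```

Against a live system, pass the output of `fetch_served_pem("<server FQDN>")` as the first argument; a `False` result means the port is still serving a certificate that is not in the STRUST export.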