Former Member

Can I share a PSE between WD and ABAP system?

My CA has a cert product that lets you list a number of FQDNs in one cert. I would like to use a single server PSE across all my web servers (to minimize TCO for signed certs). For all my Web Dispatchers that is no problem, I can just copy the SAPSSLS.pse file around after the CA signs it. On an ABAP server the server PSE resides in the database as well as in the SAPSSLS.pse file. If I merely replace the SAPSSLS.pse file, STRUST tells me that the PSE is damaged (it doesn't match what is stored in the database). It allows me to re-create SAPSSLS.pse from the database ... Can I go the other direction ... import the PSE contents into the database (private key, public key, cert, and trusted cert list)?

Ken Chamberlain

University of Toronto


3 Answers

  • Former Member
    Sep 08, 2008 at 12:46 PM

    Yes, you can also import complete PSEs with STRUST. Just make sure that the snc/identity/as parameter is the same as the CN part of the certificate inside the PSE. It may be necessary to import the CA certificate first as well. You can also do this with STRUST.

    I've done this a lot of times. You can contact me if you need more details.

    However, from a security point of view, this is a bad idea. You should not share PSEs between servers (exception: only if they are part of the same logon group). Another point is that you trust this CA to correctly issue certificates. If someone manages to trick that CA into issuing a certificate, you're hosed. The certificate will, most likely, also expire relatively soon.

    In short, I advise against it.

    You're better off setting up a small PKI yourself. You then have complete control. There are a large number of (sometimes freely available) software packages doing exactly that. It's more secure and most probably also more cost effective.


  • Former Member
    Sep 09, 2008 at 05:37 PM

    Perhaps I should explain further. First of all we are an authorized reseller of Comodo Instant Certificates, so my CA is a few cubicles down the aisle in the same office as I am located. The group certificate that has attracted attention lists our company as CN=UNIVERSITY of TORONTO and has in the altsubject field the list of my servers (web dispatcher and SAP ICM). The PSE I want to share is the server PSE for web dispatcher and the standard server PSE for SAP.

    Also my environment is tightly controlled. Not only is there a firewall between the outside world and SAP Web Dispatcher, but there is another between SAP Web Dispatcher and my SAP systems. My group controls all the hosts behind these two firewalls. OS level access to these hosts is also limited to my group.

    Yes please, provide more detail. Let's not go private. This forum is meant to help others find their own answers.

    /Ken Chamberlain

    University of Toronto


    • So you already have your "own" PKI, then. The "AltSubjectName" extension is not supported by the SAP CryptoLib. It just checks the CN part of the subject with the parameter snc/identity/as. So, it won't work in your case. I may put the details in a blog post sometime so I can just refer people to that, but I haven't had time to do that.

      Future releases (NetWeaver 7.1) will support the evaluation of the "AltSubjectName" - when using the so-called "rule-based certificate mapping" solution. Potentially this feature could be downported to NW 7.0 (enhancement pack).

  • Sep 11, 2008 at 11:21 AM

    > My CA has a cert product that lets you list a number of FQDNs in one cert. I would like to use a single server PSE across all my web servers (to minimize TCO for signed certs). For all my Web Dispatchers that is no problem, I can just copy the SAPSSLS.pse file around after the CA signs it. On an ABAP server the server PSE resides in the database as well as in the SAPSSLS.pse file. If I merely replace the SAPSSLS.pse file, STRUST tells me that the PSE is damaged (it doesn't match what is stored in the database). It allows me to re-create SAPSSLS.pse from the database ... Can I go the other direction ... import the PSE contents into the database (private key, public key, cert, and trusted cert list)?
    >
    > Ken Chamberlain
    >
    > University of Toronto

    Oh, I see. You are referring to SSL Server Certificates (my previous posting was referring to user certificates).

    Well, you could either issue SSL Server Certificates with wildcards (e.g. "CN=*.domain.com, ...") or you could use the "import PSE" function provided by ABAP transaction STRUST to import an entire PSE file (containing the certificate, the corresponding private key and imported certificates (of trusted client certificate issuing CAs)); after uploading the PSE file you will be prompted to select which type of PSE file you want to replace; you then have to choose "SSL Server".


    • Former Member

      > Well, you could either issue SSL Server Certificates with wildcards (e.g. "CN=*.domain.com, ...") or you could use the "import PSE" function provided by ABAP transaction STRUST to import an entire PSE file (containing the certificate, the corresponding private key and imported certificates (of trusted client certificate issuing CAs)); after uploading the PSE file you will be prompted to select which type of PSE file you want to replace; you then have to choose "SSL Server".

      Unfortunately, it isn't so simple. You'll have to import the CA certificate first, for example.
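The two replies above turn on one detail: whether the name check looks only at the subject CN (the behaviour attributed to the SAP CryptoLib of that time, so a multi-host cert with CN=UNIVERSITY of TORONTO and the host names only in the alternative-name field matches nothing) or also evaluates the alternative names (the later "rule-based" evaluation), and why a wildcard CN is the workaround under the CN-only rule. The following Python script is an added illustration, not code from the thread or from SAP: it models both policies over constructed certificate names (the SAN-aware policy is modelled on the usual RFC 6125 browser rules, an assumption about the SAP side), does not parse real PSE or X.509 files, and uses placeholder host names under example.edu.

```python
"""Model of host-name matching for a shared (multi-name) SSL server cert.

Added example for the STRUST/PSE thread; not SAP code.  Two policies:
  cn_only   - only the subject CN is compared with the host name (the
              behaviour the thread attributes to the SAP CryptoLib).
  san_aware - subjectAltName dNSName entries are used when present,
              otherwise the CN (RFC 6125-style; an assumption here).
Certificate data below is constructed, not taken from a real PSE.
"""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    subject: str                       # RFC 4514-style DN string
    san_dns: list = field(default_factory=list)   # dNSName SAN entries


def parse_dn(dn):
    """Split 'CN=a, O=b' into [('CN', 'a'), ('O', 'b')], honouring '\\,' escapes."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if not rdn.strip():
            continue
        key, _, value = rdn.partition("=")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs


def subject_cn(dn):
    """Return the CN attribute of a DN string, or None if there is none."""
    for key, value in parse_dn(dn):
        if key == "CN":
            return value
    return None


def host_matches_pattern(host, pattern):
    """Exact match, or a wildcard that replaces exactly one leftmost label."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    head, _, tail = host.partition(".")
    return bool(head) and "*" not in head and tail == pattern[2:]


def matches_cn_only(cert, host):
    cn = subject_cn(cert.subject)
    return cn is not None and host_matches_pattern(host, cn)


def matches_san_aware(cert, host):
    # With dNSName SANs present, RFC 6125 says to ignore the CN entirely.
    candidates = cert.san_dns or [subject_cn(cert.subject) or ""]
    return any(host_matches_pattern(host, c) for c in candidates)


def check_host(cert, host):
    """Verdict of each policy for one host name."""
    return {"cn_only": matches_cn_only(cert, host),
            "san_aware": matches_san_aware(cert, host)}


# Constructed certificates (placeholder host names, not the poster's).
SHARED_SAN_CERT = CertNames(
    subject="CN=UNIVERSITY of TORONTO, O=University of Toronto, C=CA",
    san_dns=["wd1.example.edu", "wd2.example.edu", "sap1.example.edu"])
WILDCARD_CERT = CertNames(subject="CN=*.example.edu, O=University of Toronto, C=CA")

HOSTS = ["wd1.example.edu", "sap1.example.edu", "sap9.example.edu",
         "a.b.example.edu", "example.edu"]


def report(certs, hosts):
    """Tabulate which hosts each certificate would be accepted for."""
    rows = []
    for name, cert in certs.items():
        for host in hosts:
            verdict = check_host(cert, host)
            rows.append((name, host, verdict["cn_only"], verdict["san_aware"]))
    return rows


if __name__ == "__main__":
    print(f"{'certificate':12} {'host':18} {'cn_only':8} san_aware")
    for name, host, cn, san in report({"shared_san": SHARED_SAN_CERT,
                                       "wildcard": WILDCARD_CERT}, HOSTS):
        print(f"{name:12} {host:18} {str(cn):8} {san}")
```

Under the CN-only column the shared certificate matches no host at all, which is the "it won't work in your case" of the reply; the wildcard certificate matches every single-label host under example.edu, but not a deeper sub-domain or the bare domain, so the wildcard workaround has its own naming limits. Both variants still carry one private key across every host that imports the PSE, which is the sharing concern raised in the first answer.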