Skip to Content
avatar image
Former Member

Error during import certificate into sapwebdispatcher

HI experts:

I have a problem importing a certificate in a web dispatcher. The error is the next:

import_own_cert: Installation of certificate failed

ERROR in ssf_install_CA_response: (1280/0x0500) No certficate with your public k

ey found

Iu00B4m trying importi a verysign certificate.

If i import a temporal certificate from sap page, it works correctly.

The verysign certificate is ok. It is .p7b. I open it and i have 2 certificates into the same file. One of them is with the name of the web dispatcher hostname, and the other: Very sign Class 3.... Both are valid, one of them to 2012 and the other to 2019.

The web dispatcher works between the sap netweaver portal in windows-oracle and the ECC 6.0 in windows-oracle.

The web dispatcher profile is the next:

SAPSYSTEMNAME = JEE

INSTANCE_NAME = WD05

SAPSYSTEM = 06

SAPGLOBALHOST = sapwep.madrid.informa

SAPLOCALHOSTFULL = sapwep.madrid.informa

DIR_INSTANCE=k:\usr\sap\wd\secudir

ssl/ssl_lib=k:\usr\sap\wd\secudir\sapcrypto.dll

ssl/server_pse = k:\usr\sap\wd\secudir\temporal.pse

#ms/https_port = 8101

wdisp/server_info_protocol = http

wdisp/ssl_encrypt = 0

wdisp/add_client_protocol_header = true

icm/HTTPS/verify_client = 0

icm/server_port_1 = PROT=HTTPS, PORT=60000

  1. Example: SAPLOCALHOST=vwdisphost.sap.com

SAPLOCALHOST = sapwep.madrid.informa

#--- SAP Web Dispatcher-specific parameters

icm/server_port_0 = PROT=HTTP, PORT=8206,TIMEOUT=30,PROCTIMEOUT=600

rdisp/mshost = sapvsap.madrid.informa

ms/http_port = 8100

icm/HTTP/admin_0= PREFIX=/sap/wdisp/admin,DOCROOT=./admin

icm/max_conn = 16384

icm/max_sockets = 32768

wdisp/HTTP/max_pooled_con = 16000

wdisp/HTTPS/max_pooled_con = 16000

icm/req_queue_len = 6000

icm/min_threads = 100

icm/max_threads = 500

mpi/total_size_MB = 500

mpi/max_pipes = 20500

mpi/buffer_size = 32768

Iu00B4m trying to import it using:

K:\usr\sap\wd\secudir>sapgenpse import_own_cert -c K:\usr\sap\wd\secudir\certifi

cado.7b -p K:\usr\sap\wd\secudir\prueba.pse -c CA.cer

Can somebody help me?.

Thanks.

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

4 Answers

  • Mar 03, 2010 at 12:10 PM

    K:\usr\sap\wd\secudir>sapgenpse import_own_cert -c K:\usr\sap\wd\secudir\certifi

    cado.7b -p K:\usr\sap\wd\secudir\prueba.pse -c CA.cer

    That doesn't look quite right.

    It should be something along the lines of:

     sapgenpse import_own_cert -p K:\usr\sap\wd\secudir\prueba.pse -c K:\usr\sap\wd\secudir\certifi
    cado.7b -r CA.cer
    

    Note the -r for CA root certificate. Although it should not be required for a PKCS#7 certificate to specify a CA root when importing as it should already have it included in the certificate. You can try importing without specifying the CA root too.

    Nelis

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Mar 03, 2010 at 12:44 PM

    If i change the order of the parameter it gives the same error:

    K:\usr\sap\wd\secudir>sapgenpse import_own_cert -p K:\usr\sap\wd\secudir\prueba.

    pse -c K:\usr\sap\wd\secudir\certificado.p7b -r ca.cer

    Please enter PIN:

    import_own_cert: Installation of certificate failed

    ERROR in ssf_install_CA_response: (1280/0x0500) No certficate with your public k

    ey found

    Add comment
    10|10000 characters needed characters exceeded

    • Is your SECUDIR environment variable set to K:\usr\sap\wd\secudir ?

      Make sure this is set correctly and then with all certs in this directory you can run the import without specifying any path.

      Nelis

  • avatar image
    Former Member
    Mar 03, 2010 at 01:09 PM

    the enviroment variable is k:\usr\sap\wd\secudir.

    I donu00B4t know if it can be a problem with my pse. I generate it, after recibe the certificate. Becouse the project was begining by another partner. I donu00B4t know the pse, and req he uses for get the sign. I have a .csr file.

    Iu00B4m lost. Thanks for your response.

    Add comment
    10|10000 characters needed characters exceeded

    • If the certifcate host(usually specified with wdisp/ssl_certhost) for the web dispatcher is the same as the hostname assigned to your ECC systems then you could simply copy the PSE from your ECC system to the web dispatcher and use that PSE. This is normally the way to do it to save having to create separate certificates for every application server.

      Without the original pse there's not much you can do otherwise, sorry.

      Nelis

  • avatar image
    Former Member
    Mar 03, 2010 at 02:20 PM

    Ok. The ECC does not have SSL. The SSL connection is from the portal to the WD. The connection from de WD to de ECC is HTTP.

    Add comment
    10|10000 characters needed characters exceeded