How to create SSL certificates with hostnames other than the real hostname?

Former Member

We have an issue where we are trying to have external partners connect to us as a hostname other than our real internal hostname. i.e. the internal name of the server is slquqx.qas.acme.com, we want users to connect to our alternate hostname of shopping.qas.acme.com. Only the shopping.qas.acme.com hostname has an external DNS entry. When partners connect they receive an error stating that our certificates do not match our hostname. How can we generate our certificates as a name other than our real internal hostname? These certificates are signed by an external CA (Certificate Authority).


Former Member

Hi,

I don't understand where the problem is here: you can put whatever name you want in an SSL certificate.

Regards,

Olivier


Let me clarify...

When I generated the SSL_Server cert in STRUST, it forces you to use the name of the hostname, for me slquqx.qas.acme.com. However, I do not broadcast this hostname externally in DNS.

I want to use a secondary virtual IP on this system, that I map to an external IP, so I can move this virtual IP to other servers during testing phases. For example, I would move the virtual IP to slqcxl, and use this system for partner testing too.

The issue is I told the partners that the name of the server is shopping.qas.acme.com, so when they hit the server they get a warning that the hostname and certificates do not match, which is true. I was wondering if I could somehow have multiple names in a server cert, or have multiple server certs with different hostnames, etc.

I can't figure out a way around this. We have thought about implementing Web Dispatcher, but for technical reasons we do not want to terminate the SSL cert at the Dispatcher, but at the Central Instance and Application Servers, so I don't think that will help either.

Thanks for your help and assistance in working this issue through.


Have you tried using the default server PSE (single system-wide SSL server PSE) instead of the server specific PSE? You can generate/use [wildcard certificates|http://wiki.cacert.org/WildcardCertificates], e.g. see the example in the [SAP online help - Creating the SSL Server PSE|http://help.sap.com/saphelp_nw2004s/helpdata/EN/20/37c33ae8361838e10000000a11402f/frameset.htm] or the corresponding [docupedia page - Creating the SSL Server PSE|https://cw.sdn.sap.com/cw/docs/DOC-108483%3bsaplb_*=%28J2EE8941720%298941750].

Maybe somebody else knows a better way (I think I've seen something that on the Java stack you could have multiple server certificates, but not for the ABAP stack)....
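The mismatch warning the partners see comes from the hostname check every TLS client performs: the name the client typed (shopping.qas.acme.com) has to appear in the certificate, either as a plain name or via a wildcard like the one suggested above. The following script is an added example, not code from this thread or from SAP; it re-implements that matching rule over constructed certificate records shaped like Python's ssl.getpeercert() output, so you can see why a certificate issued to the internal name slquqx.qas.acme.com fails, how a wildcard certificate fixes it, and (going slightly beyond the thread) how a certificate carrying both names in subjectAltName also fixes it.

```python
"""Show how a TLS client decides whether a server certificate matches a hostname.

Added example; the certificate records below are constructed test data laid out
like Python's ssl.SSLSocket.getpeercert() output, not certificates from any
real system.
"""


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname (RFC 6125 style).

    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is only honoured as the whole left-most label
    - the wildcard matches exactly one label, so *.qas.acme.com does not
      match deep.shopping.qas.acme.com
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only "*.<at least two more labels>" is accepted; "*.com" or "sh*.x.y" is not.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_names(cert: dict) -> list:
    """Return the DNS names a client will consider for hostname matching.

    If the certificate has any subjectAltName dNSName entries, only those are
    used; the subject commonName is consulted only when no such entry exists.
    """
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for the hostname the client connected to."""
    return any(_match_dns_name(name, hostname) for name in certificate_names(cert))


# Constructed records: what STRUST would produce with the proposed internal name,
# with a wildcard DN, and with a CN plus subjectAltName listing both names.
INTERNAL_NAME_CERT = {
    "subject": ((("organizationName", "ACME"),),
                (("commonName", "slquqx.qas.acme.com"),)),
}
WILDCARD_CERT = {
    "subject": ((("organizationName", "ACME"),),
                (("commonName", "*.qas.acme.com"),)),
}
SAN_CERT = {
    "subject": ((("commonName", "slquqx.qas.acme.com"),),),
    "subjectAltName": (("DNS", "slquqx.qas.acme.com"),
                       ("DNS", "shopping.qas.acme.com")),
}
# A CN alone no longer helps once SAN entries are present: the CN is ignored.
CN_ONLY_IN_CN_CERT = {
    "subject": ((("commonName", "shopping.qas.acme.com"),),),
    "subjectAltName": (("DNS", "slquqx.qas.acme.com"),),
}


def report(hostname: str) -> dict:
    """Map each constructed certificate to whether it satisfies the hostname."""
    certs = {
        "internal-name CN": INTERNAL_NAME_CERT,
        "wildcard CN": WILDCARD_CERT,
        "CN + SAN": SAN_CERT,
        "CN only, SAN without alias": CN_ONLY_IN_CN_CERT,
    }
    return {label: cert_matches_hostname(cert, hostname) for label, cert in certs.items()}


if __name__ == "__main__":
    for label, ok in report("shopping.qas.acme.com").items():
        print(f"{label:28s} -> {'match' if ok else 'MISMATCH'}")
```

Running it against shopping.qas.acme.com shows the internal-name certificate failing while the wildcard and SAN variants pass; the last record illustrates that, once a certificate carries subjectAltName entries, clients ignore the CN entirely, so the alias must be listed there and not only in the DN.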


Hi,

> When I generated the SSL_Server cert in STRUST, it forces you to use the name of the hostname, for me slquqx.qas.acme.com. However, I do not broadcast this hostname externally in DNS.

This is the part where I disagree: I can enter whatever I want in the CN when I create the SSL server cert in STRUST.

Regards,

Olivier


> for technical reasons we do not want to terminate the SSL cert at the Dispatcher, but at the Central Instance

Perhaps you want to look into configuration possibilities on the message server if you trust it.

Take a look at service.sap.com/securitynotes for an ACL for the message server. I am not sure how a (re)direct would work, but you can block it for sure.

Cheers,

Julius


When creating your SSL server PSE, first a popup comes up proposing the name for the "standard" PSE, using a name like "CN=*.<my domain name>, ...".

Leave this on at the proposed value.

The next popup asks for the DN(s) of the application server specific PSEs. Now it gets interesting:

You should see the "pen" icon in the lower area of the popup. Click it.

A new mode appears with a simple input field, containing the full DN in canonical form, as proposed by the system. You can change it easily to any value of your preference, and you may add attributes (OIDs) that had not been used in the proposal. Note, though, that the value you enter needs to form a proper DN.

Actually, this procedure is described in note 511919, together with some additional related information.

If you want to change single application server specific PSE(s) after the SSL Server PSE has been created, you also may use the context menu item "Change" -- but be careful: a change in the DN of a PSE will lead to a new PSE being created, with a new unique key pair, and a fresh (empty) certificate list. The previously existing PSE is discarded completely and cannot be recovered (unless you saved it before).

Use this information at your own risk.

It is always a good idea to try out the procedures in a test system!

Edited by: Sebastian Broll on Apr 1, 2010 9:09 AM (remove typos)

Former Member

Not sure if I understand you correctly, but if your goal is to run two different applications on one machine/single network card with different SSL certificates you probably want to take a look at [IP aliasing|http://www.ibm.com/developerworks/web/library/wa-multissl.html].

Cheers, harald