Former Member

Do you need new SSL certificates after a homogeneous system copy?

We routinely copy various ABAP landscapes from prod to Q/A, Sandbox etc. Until recently we were not using SSL so we did not need to worry about SSL certificates, only SSO certificates.

I'm trying to figure out if there is a way to "save" the PSE and replace it after the database is copied.

For example suppose we copy system PRD to QAS.

In strustsso2, QAS had a name of cn=QAS before the copy. Immediately after the system copy, it will be cn=PRD.

If we replace the system name and reset it to cn=QAS, we have to re-export SSO certificates and copy those to other QAS systems like BW, or portal, or at least import their certificates into the QAS system.

Also, we have the SSL certificate of PRD so we have to delete the one for PRD in the just copied QAS system. It seems when you rename the system in strustsso2 your previous SSL certificate response for QAS cannot be imported. Am I correct in thinking that you create a new PSE when you do the replace?

So since you cannot import your old certificate response, I request a new SSL certificate, send the request file to the CA and import a new CA response file. And of course pay for that additional certificate.

So the question is, is there an easier way to handle these so we can reuse the old certificates after a system copy?

We have not been copying our Java system routinely, but I am thinking they have the same problem if copied.

The ABAP and Java systems copied have been NW 701 systems.

Edited by: Fett Patrick on Dec 1, 2011 10:39 PM

4 Answers

  • Best Answer
    Former Member
    Posted on Dec 01, 2011 at 10:30 PM

    Hi Fett,

    There is a useful OSS Note for this; please go through it.

    1473710 - STRUST: How to Export/Import a PSE from/to STRUST

    Let me know if this clears / helps your query.

    Regards,

    Sriniavs Repala

  • Former Member
    Posted on Dec 06, 2011 at 12:35 PM

    Hi,

    My workaround for this problem is to install a SAP Web Dispatcher on the CI server and to terminate the SSL connection on the Web Dispatcher. Therefore the SSL certificate is kept after homogeneous system copy.

    Regards,

    Olivier

    • Former Member

      Hi Patrick,

      My ABAP servers do have self-signed certificates but in fact, it does not matter because the connection between the SAP Web Dispatcher is HTTP and not HTTPS.

      After a system copy, we just delete the old SSL server PSE (which are red because they are invalid) and recreate self-signed certificates.

      I always use a Web Dispatcher as an HTTP front end even if I don't need load balancing because I can:

      Terminate SSL connections,

      redirect URLs,

      rewrite URLs,

      filter IP addresses,

      filter authorised URLs,

      etc.

      The Web Dispatcher is in my opinion a very useful tool!

      Regards,

      Olivier

  • author's profile photo Former Member
    Former Member
    Posted on Dec 02, 2011 at 07:19 AM

    Hello Fett,

    You should reconfigure SSL after system copy on target system QAS. You can export PSE before system copy from QAS but it will not work after you import into it after system copy. Same case happened to me as well. So that is the reason I started reconfiguring SSL setup after refresh. 😊

    Thanks,

    Siva Kumar

    • Former Member

      Hello Fett,

      I did not say that I was not able to save the PSE successfully. I said I was able to export before system copy and import the same after system copy but the SSL connection did not work. I have also followed note 1473710.

      Since it did not work for me, I had to reconfigure SSL after system copy.

      Thanks,

      Siva Kumar

  • Former Member
    Posted on Dec 15, 2011 at 06:02 PM

    I followed note 1473710 - STRUST: How to Export/Import a PSE from/to STRUST

    The note worked perfectly. A 2-iteration process is needed. First save the system PSE, then the SSL PSE. After system copy, repeat by first recreating the system PSE per the note, then restore the SSL server PSE.

    After that all I had to do was fix the ACLs as they are not part of the PSEs.

    Thank you
