Implementing SSL using Wildcard certificate on S4HANA_Fiori_WebDispatcher

 

Wildcard certificate generation for SAP systems & SSL using WC on S4HANA_Fiori_WebDispatcher


1-What is a wildcard certificate:

An SSL wildcard certificate is a single certificate with a wildcard character (*) in the domain name field. This allows the certificate to secure multiple subdomain names (hosts) pertaining to the same base domain.

2-Format of the Wildcard certificate

An SSL wildcard certificate should be considered an option when looking to secure a number of subdomains, such as “secure.<domainname>.com” and “www.<domainname>.com”, with a single certificate. The format of the common name entered for the SSL wildcard certificate will be '*.<domainname>.com'.

3-Prerequisite

1.       Log in at OS level as sidadm

2.       Check the SHELL, then manually change the SHELL file (csh or bsh)

3.       Check whether the environment variable (SECUDIR) is set by executing sapgenpse

4.       The environment variable is not set, so set it

5.       Execute the command sapgenpse again and check

6.       The output will look like

 

How to generate the Wildcard certificate

1.      Create the SHA-2 certificate and the certificate request for the CA signing authority by executing the command below (the requirement here was SHA-256 with key length 4096):

sapgenpse get_pse -a sha256WithRsaEncryption -s 4096 -p ssl-credentials.pse -r ssl-credentials.req -x <password> "CN=*.domainname.com, O=organization name, C=country"

Two entries are created: ssl-credentials.pse & ssl-credentials.req

 

3.       Export entries to private key & certificate format which will be imported

Create sso logon for PSE

Execute – sapgenpse seclogin -p ssl-credentials.pse -O sidadm -x <password>

Create Certificate file to be imported into NWA/ABAP

Execute – sapgenpse export_own_cert -o ssl-credentials-cert.crt -p ssl-credentials.pse

Execute - sapgenpse export_p12 -p ssl-credentials.pse ssl-credentials.p12


4.       Check the other two created entries: ssl-credentials-cert.crt & ssl-credentials.p12



5.       Transfer the files ssl-credentials.req, ssl-credentials-cert.crt & ssl-credentials.p12 to the jump server via WinSCP.

6.       Open the ssl-credentials.req file and save it as a .csr file. Check the ssl-credentials.csr file: it should have SHA256 as the algorithm, the key length (here 4096; you can generate as per your requirement) and the common domain name <CN entry = *.domain.com>

7.       Send this file (ssl-credentials.csr) to the CA for signing.
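The check in step 6, combined with the wildcard format from sections 1 and 2, as an added example (not part of the original post): a shell script that inspects the request with the OpenSSL CLI and then tests which hostnames the wildcard CN would cover. It assumes openssl is installed where the file is checked and that the request is PEM-encoded PKCS#10; the script name and hostnames are placeholders.

```shell
#!/usr/bin/env bash
# Added example: pre-submission checks for the wildcard CSR (needs the OpenSSL CLI).

# Print the subject CN of a PKCS#10 request.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# Return 0 only if the CSR is SHA-256/RSA, has at least <min-bits>, and a wildcard CN.
check_csr() {  # usage: check_csr <csr-file> <min-bits>
  local text bits cn
  text=$(openssl req -in "$1" -noout -text 2>/dev/null) ||
    { echo "cannot parse $1 as a CSR"; return 1; }
  printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' ||
    { echo "signature algorithm is not sha256WithRSAEncryption"; return 1; }
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge "$2" ] || { echo "key is ${bits:-?} bit, need >= $2"; return 1; }
  cn=$(csr_cn "$1")
  case $cn in
    '*.'?*) return 0 ;;
    *) echo "CN '$cn' is not a wildcard name"; return 1 ;;
  esac
}

# RFC 6125 rule: "*" stands for exactly one left-most DNS label.
wildcard_covers() {  # usage: wildcard_covers '*.example.com' host.example.com
  local base host label
  case $1 in '*.'?*) ;; *) return 1 ;; esac
  base=$(printf '%s' "${1#??}" | tr 'A-Z' 'a-z')   # strip the leading "*."
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $host in *".$base") ;; *) return 1 ;; esac
  label=${host%".$base"}
  case $label in ''|*.*) return 1 ;; esac           # empty, or more than one label
  return 0
}

# Usage: precheck.sh <csr-file> <host>...   (script name and hosts are placeholders)
if [ "$#" -ge 2 ]; then
  csr=$1; shift
  check_csr "$csr" 4096 || exit 1
  cn=$(csr_cn "$csr")
  for h in "$@"; do
    if wildcard_covers "$cn" "$h"; then echo "covered:     $h"
    else echo "NOT covered: $h"; fi
  done
fi
```

Run it as `precheck.sh ssl-credentials.req s4h.domainname.com fiori.domainname.com`. A host such as fiori.dev.domainname.com, or the bare domainname.com, is reported as not covered, because the wildcard stands for exactly one label.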

Generate the PSE from the signed PKCS#12 or PFX file

2148457 - How to convert the keypair of a PKCS#12 / PFX container into a PSE file

Steps:

1. Set the environment variable for sapgenpse:

SECUDIR=/usr/sap/SID/<instance>/sec

export SECUDIR

For a permanent change (csh syntax):

setenv SECUDIR /usr/sap/SID/<instance>/sec

Run the command sapgenpse as sidadm

2. Convert the .PFX file to .PSE

sapgenpse import_p12 -p <New>.pse communication-partner-supplied.pfx

Procedure to apply the wildcard certificate in Web Dispatcher

1. Shut down the SAP Web Dispatcher.

2. Back up the existing SAPSSLS.pse as SAPSSLS.pse_backup

3. Place the earlier created <New>.pse in the location /usr/sap/SID/<IN>/sec

4. Rename <New>.pse to SAPSSLS.pse

5. Start the SAP Web Dispatcher.


Procedure to apply the wildcard certificate in S/4 HANA

1. Once the <New>.pse has been generated as per the above steps:

2. Log in to the S/4 HANA system

3. Tcode: STRUSTSSO2

4. Client: 000

5. Delete the existing SSL server standard certificate (as it is not a signed certificate)

6. Now import the wildcard certificate which was created with the name <New>.pse

Select SSL server standard → PSE → Import









 

Once saved, this will show as trusted


 

Procedure to apply the wildcard certificate in Fiori

1. Log in to the Fiori system

2. Tcode: STRUSTSSO2

3. Client: 000

4. Delete the existing SSL server standard certificate (as it is not a signed certificate)

5. Now import the wildcard certificate which was created with the name <New>.pse

Select SSL server standard → PSE → Import








Once saved, this will show as trusted




Completed. :) 

Please provide your valuable feedback.

 

 

 

 

 

 

Comments

  1. I have gone through your earlier document also. Your guides are very easy to follow and understand. Thanks! Keep writing 👍

  2. Awesome Nitya once again. Very much helpful. It's a value addition to the customers because they do not need to generate multiple certificates

  3. I found this document very relevant to my need. This helped me to apply my existing wildcard certificate to my SAP ABAP system as well as to SAP PORTAL system.
    Once again, thanks a lot for providing such good help.
    Keep it up.

  4. Excellent document.
