SAP NetWeaver Application Server for ABAP, Security

Configuring wildcard certificates in the ABAP Netweaver AS

Creating the PSE

First of all, it’s necessary to create the ‘SSL Server Standard’, which is responsible for all incoming connections that the server may receive.

A new window will appear, where you can define the ‘Name’ to be a wildcard value.

Hit the confirm button and you will notice a green entry for each instance that you have in your system.

By selecting the ‘SSL server Standard’, the wildcard certificate will appear:

Also, you can check that each instance has a specific certificate create to it. In my system, there is only one instance, and the certificate can be checked by double-clicking the instance specific button.

Testing the scenario

Now, we can test the communication. Let’s use the ‘WEBGUI’ transaction to check whether the communication is secure or not.

Not working. This is a common error and the solution is described in KBA 2339387. Basically, the web browser doesn’t trust in my server’s certificate, because it is self-signed and I did not imported it in the browser.

Signing the wildcard certificate

To solve this issue, let’s sign the wildcard certificate. If you have any queries about it, you can check this blog post, which contains a guide explaining how to generate the Request and import the Response received by the Certificate Authority.

Ok. Certificate signed:

Let’s test the WebGUI again.

Wait, what? The same error happened. Let’s take a closer look at this error.

If you click on ‘Continue to this website (not recommended)’ message, the login page of WebGUI will appear. Then, we can click in ‘Certificate error’ (at the right end of the red address bar) to show up the certificate returned by the server.

Well, this is not our wildcard certificate, but the instance specific.

Actually, this is the expected behavior. The Application Server will always return the instance specific certificate.

What we need to do now is to configure the Application Server to use the wildcard certificate instead of the instance specific.

Changing the certificate for one instance

This is simple. Access ‘STRUST’ transaction and:

  1. Right click the ‘SSL server Standard’;
  2. Select the ‘Change’ option.

A new window will appear, showing the DN of each instance.

Then, you can copy the ‘DN of Standard PSE’ value and past in the instance specific field value (or left it empty).

Something like this:

Confirm the changes. Back in STRUST, hit the ‘Save’ button at the top.

Depending on you NW release, it may be necessary to restart the ICM to the changes take effect.

Final test

Let’s check the WebGUI again:

Now, everything is working fine. There is no error message and the wildcard certificate is being used.

Usually, there is more than one instance that will use this certificate. All you need to do is, in the ‘Change’ window, to configure the wildcard certificate to be used in that instance too.

Leave a Reply

Your email address will not be published.