Help managing the PSE files at the Web Dispatcher.
This page shows how to use the Web Administration page of the SAP Web Dispatcher to create and manage the PSE files required for SSL (HTTPS) configuration. PSE files are also needed when a “trust relationship” is configured between the Web Dispatcher and its backend system(s).
The Web Administration page
The Web Administration page is configured with the parameter icm/HTTP/admin_X. This parameter can restrict access to the Web Administration page to a certain port. By default, the interface can be accessed through the URL:
http://<Web dispatcher server>:<port>/sap/wdisp/admin
A user is required to access the Administration page. The default user ID is "icmadm". The password is configured/generated at installation time. To create more users, or to change the password of existing users, you can use the wdispmon tool. You can see an example of how to change the password at this WIKI page.
For more information about this tool, read this SAP online documentation.
Managing PSE files through the Web Administration page
In older releases, the sapgenpse command line tool had to be used. This tool will not be covered in this WIKI.
SAP note 2009483 delivered a new feature that allows the PSE files of the Web Dispatcher to be managed through its Web Administration page. If your current Web Dispatcher is from a release lower than 742, it is possible to upgrade it to a recent release. Newer Web Dispatcher releases are compatible with all backend releases, so there is no need to update the backend system(s) as well. You can read more about the Web Dispatcher releases and backend compatibility in SAP note 908097.
- After accessing the Web Administration page, access the menu option “PSE Management” on the left.
- You can choose which PSE will be managed at the “Manage PSE” drop-down menu.
  - SAPSSLS.pse – Server certificate PSE;
  - SAPSSLC.pse – Client certificate PSE;
- Click on “Recreate PSE” in order to prepare the certificate details with appropriate values (complete “Distinguished name”).
- Fill the “Distinguished name” with the complete value and click on “Create”.
- Click on “Create CA request”.
- Copy the certificate request from the top text box and save it as a text file (using “notepad”).
- Send the request to the Certification Authority (“CA”).
Once you have received the response (the signed certificate), ensure that you also have the certificate of the root CA. For example, an Intermediate CA could have signed the certificate; such an Intermediate CA sits below a Root CA. You will need to paste the CA response and the Root CA certificate into the “Import CA response” text box.
- After clicking on “Import”, you can see that the import was successful at the top of the window. You can also see the details of the certificate, like the Subject, the Issuer and the Validity.
Now, you can import any other certificates required using the “Import certificate” button.
For example, if you plan to enable Single Sign On (SSO), import the Root CA certificate from the CA that will issue the end users’ certificates into the Web Dispatcher Server PSE file.
This is required so the Web Dispatcher can validate the certificate it received from the end user.
The procedure above can be applied when creating the Client PSE file, which is required for configuring the “trust relationship” between the Web Dispatcher and the backend. This “trust relationship” configuration is not mandatory. However, it introduces another level of security.
The client certificate does not need to be signed by a CA. You can export the self-signed certificate of the Client PSE and import it into the Server PSE file of the backend when configuring the trust relationship.
Common causes for the import step to fail
- Only the CA response is being copied to the "Import CA response..." text field.
  Ensure that the complete certificate chain (root CA, intermediary CAs, and CA response) is being copied into the field.
- While waiting for the CA to send the response, a new certificate request was created.
  A PSE file can hold only one certificate request at a time.
  Thus, creating a new request deletes the old request.
  The CA response must match the existing request on the PSE. Otherwise, the import will fail.
  The only way to move forward is to create a new request, send it to the CA for signing, and import the new response, ensuring that no further request is created in the meantime.
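Both failure causes above can be checked before clicking “Import”. The following is an added example, not SAP code: it assumes the saved request is a PEM PKCS#10 block and the CA response and CA certificates are PEM X.509 blocks, and the function names are hypothetical. It compares public keys and issuer/subject names byte for byte and does not verify signatures.

```python
import base64
import re

PEM = re.compile(r"-----BEGIN (CERTIFICATE(?: REQUEST)?)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text, label):
    """DER bytes of every PEM block in text that carries the given label."""
    return [base64.b64decode(b) for l, b in PEM.findall(text) if l == label]

def _tlv(buf, pos):
    """Return (value_start, value_end) of the DER element starting at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def _fields(der):
    """Raw child elements of TBSCertificate / CertificationRequestInfo."""
    start, _ = _tlv(der, 0)                  # outer SEQUENCE
    pos, end = _tlv(der, start)              # first inner SEQUENCE
    out = []
    while pos < end:
        _, nxt = _tlv(der, pos)
        out.append(der[pos:nxt])
        pos = nxt
    return out

def check_import(request_pem, pasted_pem):
    """Return a list of problems; an empty list means the paste is consistent."""
    requests = pem_blocks(request_pem, "CERTIFICATE REQUEST")
    if len(requests) != 1:
        return ["expected exactly one certificate request"]
    req_key = _fields(requests[0])[2]        # version, subject, SubjectPublicKeyInfo
    certs = []
    for der in pem_blocks(pasted_pem, "CERTIFICATE"):
        f = _fields(der)
        f = f[1:] if f[0][0] == 0xA0 else f  # skip the explicit [0] version field
        certs.append({"issuer": f[2], "subject": f[4], "key": f[5]})
    cur = next((c for c in certs if c["key"] == req_key), None)
    if cur is None:
        return ["no pasted certificate carries the public key of the pending request"]
    for _ in certs:                          # follow issuer links up to a self-signed root
        if cur["issuer"] == cur["subject"]:
            return []
        cur = next((c for c in certs if c["subject"] == cur["issuer"]), None)
        if cur is None:
            return ["chain incomplete: an issuer certificate is missing from the paste"]
    return ["chain incomplete: no self-signed root CA certificate in the paste"]
```

Call `check_import` with the text of the saved request file and the text you intend to paste into “Import CA response”; the order of the pasted certificates does not matter to this check.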