How to SSL Server PSEs for SAP WebAS ABAP through transaction STRUST?
While using the SSl/TLS in order to protect the network communication, the server of the communication scenario is typically authenticated by an X.509 certificate, and there is a process for identifying the server by matching the server hostname from the connection parameters (for ex. the URL) with the name attributes in the certificate. This process of matching is known as "server endpoint identification", and was first described in Section 3.1 of rfc2818 "HTTP over TLS" on the basis of behaviour implemented in common web browser at that time. Many other protocols that use TLS also follow similar checking of server endpoint
When creating SSL server PSEs please make sure to place the hostname(s) from the URLs from your server(s) in the Name part of your server certificate(s) or else the clients connecting to your server with SSL/TLS will not report errors about incorrect/mismatching server certificate(s).
If you want to create Certificate Signing Requests (CSRs) with one or multiple SubjectAltName(s) within ABAP t-code STRUST then please check the SAP document 2478769.
Now in order to create or maintain SSL server PSEs please start ABAP transaction STRUST ("Trust Manager").
Now create default SSL server Standard PSE for all those instances which do not have an instance-specific SSL server PSE.
Note: If you are using wildcard server certificate or a multi-hostname certificate matching the hostnames of all your AppServers then you don't need any instance-specific SSL server Standard PSEs.
Select 'Create' in the context menu of the "SSL server" node. The trust manager proposes the correct entries as much as possible so that you can have the certificates signed by the SAP Trust Center Service later.
In particular, set the following values:
Name = <Domain of AS ABAP>
Please do not replace the asterisk (*) with a host name. The default PSE must also exist even if separate PSEs are created for all of the instances. Here, "Name" represents the X.500 attribute "Common Name" (CN).
Optionally create individual PSEs for individual instances. Now a list of all the active instances will be displayed in the second dialog box and if you open the right-mouse-button context menu item "Change" over SSL Server Standard.
The proposed Distinguished Name (DN) will have the following entry:
Name = <Host name>.<Domain of AS ABAP>
Please make sure that the each instance is assigned with the fully qualified host name which is used in the HTTPS protocol. We can assign a DN to multiple instances at the same time, for example, if in case a Network Address Translators (NAT) is used then as CN, the fully qualified host name of the NAT must be specified. All instances with an empty DN receive the default PSE. In Release 6.10, the "Create" checkbox tell us whether the instance gets its own PSE.
Note: Each DN can have a maximum of 255 characters.
Now create certificate requests for all instance PSEs and then expand the 'SSL server' node in the tree control, double-click to load the instance PSE into the relevant node and then select the 'Generate certificate request' function.
For the default PSE we should only create a certificate request if there are instances without their own PSEs for this double-click to load the default PSE into the "SSL server" node. And then send the certificate requests to a CA such as the SAP Trust Center Service (www.service.sap.com/tcs). The response for the certificate should be either PKCS#7 package with a complete upwards path or a text file that contains a list of all of the required certificates in PEM format (with the header "-----BEGIN CERTIFICATE-----" and the footer "-----END CERTIFICATE-----").
According to the release 6.20 the user can also import the certificate response as an individual PEM certificate if the CA certificate is saved in the database (to search for certificates, select "Import certificate", category = "Server CA"). Use of SAP Trust Center Service make sure that the certificate response has a valid format. We should always import the certificate response into the PSE from which the original certificate request was generated (double-click on the corresponding nodes and call the "Import certificate response" function) and save the changes.
If you as a user want to log in via client certificate, import the root certificate of the CA user into one of the SSL server PSEs. While saving the system updates the certificate list of all SSL server PSEs. The certificate list contains the root certificates of those CAs whose user certificates are to be accepted.