SAP Fiori, SAP NetWeaver

Free SSL for SAP Web Dispatcher – Let’s Encrypt

Recently I came across situation where I need to configure my SAP Web Dispatcher to SSL and in order to perform testing I have to start with my sandbox environment. When you talk about SSL it has approximately $250.00 price tag associated with certificate for your each environment.

Now my challange was to get this testing done as soon as possible with free of cost and users should not get certificate errors when accessing from internet or intranet.

Read More: SAP Fiori Application Developer Certification Preparation Guide

Let me share what type of architecture I have

Now lets start configuring SAP Web Dispatcher for SSL

Creating PSE file for SAP Web Dispatcher

  • Login to SAP webdispatcher administration URL https://hostname.domain.com/sap/wdisp/admin/public/default.html
  • Navigate to PSE Management
  • Create PSE as shown below…(just for an example)
  • Now you have PSE created as below

Requesting Certificate

Note: Open firewall port 80 for your SAP web dispatcher prior steps below

  • Open https://www.sslforfree.com/

Note: This can be done via https://zerossl.com/ with similar steps

  • Provide website URL as below
  • Click On Manual Verification
  • Click on Manually Verify Domain
  • Now will be on screen below
  • Click on step 1. Download File #1
  • Once you save this file it will be long name like – XXXXXXXXXXXXXXXXXXMYFV03nUWvwX8ksFo
  • Now add below to you SAP Web Dispatcher instance profile petameter
#-----------------------------------------------------------------------
# SSL Letsencrypt
#-----------------------------------------------------------------------
icm/HTTP/redirect_0 = PREFIX=/.well-known/acme-challenge/XXXXXXXXXXXXXXXXXXMYFV03nUWvwX8ksFo, TO=/sap/wdisp/admin/public/.well-known/acme-challenge/XXXXXXXXXXXXXXXXXXMYFV03nUWvwX8ksFo
  • Copy this file in to location below on your SAP Web Dispatcher installation ….

E:\usr\sap\WFX\W00\data\icmandir\admin\public.well-known\acme-challenge

Note: You need to create folders manually

Tip: Use command prompt to create folders

  • Now restart your SAP Webdispatcher
  • Now you should able to access this URL shown on page … example below

Now Click Download SSL Certificate

  • On next screen you will see all three certificates been generated… as below and Download All SSL Certificate files
  • Save file
  • Extract file and you will have files as below

Extract Root Certificate from Certificate.crt file

  • Open certificate.crt and click on Certification Path TAB

– Highlight DST Root CA X3 and click View certificate and go to Details tab and Click Copy to File

  • Save as DER encoded…
  • Save as Root certificate
  • Now you have certificate as below

Install OPENSSL in to your local computer/PC

You need to install openssl software prior you go to next step in your local computer

You can download for windows from : https://slproweb.com/products/Win32OpenSSL.html

Note: Get 64x if possible

Once you install you will able to run openssl command as below

Working with files to generate SAPSSLS.pse file

  • Run following command

openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile ca_bundle.crt

Note: No password required…

  • You have new file created as below Certificate.pfx
  • Delete or rename SAPSSLS.pse file from sec folder…
  • Copy Root.cer, certificate.pfx and ca_bundle.crt to X:\usr\sap\SID\W00\sec folder
  • Run command as below as login

sapgenpse import_p12 -r ca_bundle.crt -r root.cer -p SAPSSLS.pse certificate.pfx

  • This will crate pse file as below

Restart SAP Webdispatcher and now you see that your certificate is issues by Let’s Encrypt authority

Leave a Reply

Your email address will not be published. Required fields are marked *