Configuring the IisProxy Module to Support SSL
To communicate with the SAP J2EE Engine using SSL, the IisProxy module must possess a security environment to use for the connection. To manage this security environment, it uses the functions provided by the SAP Cryptographic Library.
Use the procedure below to install the library and create the IisProxy module’s security environment.
· You have obtained the SAP Cryptographic Library package. The library is available on the SAP Service Marketplace at service.sap.com/download.
· The root certificate belonging to the CA that issued the SAP J2EE Engine’s SSL server certificate exists as a file in the file system.
1. Install the SAP Cryptographic Library (sapcrypto.dll) and the configuration tool (sapgenpse.exe) in a directory on the IIS server that is included in the system’s %PATH% environment variable, for example, C:\WinNT\System32.
2. Install the license ticket (ticket) in the directory where the IisProxy module’s PSE and credentials are to be stored, for example, C:\sec. We refer to this directory as the SECUDIR directory.
3. Set the environment variable SECUDIR for the user that runs the IIS (for example, SYSTEM) to this directory.
4. Using the command line editor:
a. Change to the SECUDIR directory.

If the IIS runs under a user other than the current user or SYSTEM, then you also have to set the environment variable SECUDIR temporarily for use in the command line. The easiest way is to change to the SECUDIR directory and use the following command:

set SECUDIR=.
b. Using the configuration tool’s command gen_pse, create an SSL server PSE and an SSL client PSE for the IisProxy module.

sapgenpse gen_pse -p <PSE_Name> -x <PIN> <Distinguished Name>

Because the IisProxy module establishes the connection to the SAP J2EE Engine as the client component in the connection, it will only use the SSL client PSE (SAPSSLC.pse). However, the SSL server PSE must exist for SSL to work.

If you want to use SSL with mutual authentication between the IisProxy module and the SAP J2EE Engine, then we recommend also generating a certificate request for the IisProxy module’s key pair from the SSL client PSE.
· Use the -r option for the command gen_pse to save the request to a file.
· Send the request to a CA to be signed.
· Import the response into the SSL client PSE. To import the response use the tool’s command import_own_cert.
c. Using the configuration tool’s command seclogin, create credentials for the IisProxy module so that it can access both the SSL server PSE and the SSL client PSE at run-time. Use the -O option to create the credentials for the user under which the IIS runs (and therefore also the IisProxy module), for example, SYSTEM.

sapgenpse seclogin -p <PSE_Name> -x <PIN> -O [<Windows_Domain>\]<user_ID>
d. Using the configuration tool’s command maintain_pk, import the root certificate of the CA that issued the SAP J2EE Engine’s certificate into the SSL client PSE.

sapgenpse maintain_pk -a <CA_root_cert> -p <PSE_Name>
5. Restart the IIS.
6. If the IisProxy module will be authenticated using SSL, then import the CA root certificate for the CA that issued the IisProxy module its SSL certificate into the list of trusted CAs on the SAP J2EE Engine. (Using the Key Storage service, import the CA root certificate into the TrustedCAs view.)
7. Using the SSL Provider service, specify how the SAP J2EE Engine should handle SSL client certificates:
a. For the corresponding SSL port, choose the Client Authentication tab page and specify whether client certificates are to be requested or required for authentication on the server. (The IisProxy module is the client for this connection.)
b. If the IisProxy module will be authenticated, add the CA root certificate to the list of trusted CAs for the SSL port. (Choose Add.)
8. If you are using client certificates for user authentication, then configure their use on the SAP J2EE Engine.
The IIS can be used as an intermediary server and SSL can be used between the IIS and the SAP J2EE Engine.
The following command line creates the SSL server PSE.
sapgenpse gen_pse -p SAPSSLS.pse -noreq -x mypin "CN=IisProxy_Server, O=MyCompany, C=US"
The following command line creates the SSL client PSE.
sapgenpse gen_pse -p SAPSSLC.pse -x mypin "CN=IisProxy_Client, O=MyCompany, C=US"
The following command line creates credentials so that the user SYSTEM can access the SSL server PSE at run-time.
sapgenpse seclogin -p SAPSSLS.pse -x mypin -O SYSTEM
The following command line creates credentials so that the user SYSTEM can access the SSL client PSE at run-time.
sapgenpse seclogin -p SAPSSLC.pse -x mypin -O SYSTEM
The following command line imports the CA root certificate (CA.cer) into the SSL client PSE.
sapgenpse maintain_pk -p SAPSSLC.pse -x mypin -a CA.cer
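
The example commands on this page do not cover the mutual-authentication steps under 4b (request with -r, signing by a CA, import_own_cert), so the PowerShell script below carries them through for the SSL client PSE together with steps 4c and 4d; it is an added example, not part of the SAP documentation. Assumptions: the request and response file names, a non-zero exit code from sapgenpse on failure, and the get_my_name command and the -l option of maintain_pk, which are sapgenpse features this page does not show.

```powershell
# Added example, not SAP's own script. Assumed names: the request/response file
# names below; paths, PSE name, DN and CA.cer follow the page's example values.
$ErrorActionPreference = 'Stop'
$secudir = 'C:\sec'                # SECUDIR directory from step 2
$pse     = 'SAPSSLC.pse'           # SSL client PSE used by the IisProxy module
$dn      = 'CN=IisProxy_Client, O=MyCompany, C=US'
$request = 'IisProxy_Client.req'   # assumed name for the certificate request
$signed  = 'IisProxy_Client.cer'   # assumed name for the CA's signed response
$caRoot  = 'CA.cer'                # root of the CA that issued the J2EE Engine's certificate

function Invoke-SapGenPse {
    # Run sapgenpse and stop on failure (assumption: failure is reported
    # through a non-zero exit code).
    param([string[]]$Arguments)
    & sapgenpse.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "sapgenpse $($Arguments[0]) failed ($LASTEXITCODE)" }
}

# Preconditions from steps 1 and 2: tool on %PATH%, license ticket in SECUDIR.
Get-Command sapgenpse.exe | Out-Null
if (-not (Test-Path (Join-Path $secudir 'ticket'))) { throw "No license ticket in $secudir" }
Set-Location $secudir
$env:SECUDIR = $secudir            # session-only, like "set SECUDIR=." in cmd.exe
$pin = Read-Host 'PIN for the SSL client PSE'   # keeps the PIN out of this file

# Pass 1: create the client PSE and save the certificate request with -r.
if (-not (Test-Path $pse)) {
    Invoke-SapGenPse @('gen_pse', '-p', $pse, '-x', $pin, '-r', $request, $dn)
}
if (-not (Test-Path $signed)) {
    Write-Host "Send $request to the CA, save the response as $signed, then run again."
    return
}

# Pass 2: import the signed response, trust the J2EE Engine's CA, and create
# run-time credentials for the account that runs the IIS.
Invoke-SapGenPse @('import_own_cert', '-c', $signed, '-p', $pse, '-x', $pin)
Invoke-SapGenPse @('maintain_pk', '-a', $caRoot, '-p', $pse, '-x', $pin)
Invoke-SapGenPse @('seclogin', '-p', $pse, '-x', $pin, '-O', 'SYSTEM')

# Check the result: subject and issuer of the PSE's own certificate, then the
# trusted certificates it holds.
Invoke-SapGenPse @('get_my_name', '-p', $pse, '-x', $pin)
Invoke-SapGenPse @('maintain_pk', '-l', '-p', $pse, '-x', $pin)
```

The SSL server PSE (SAPSSLS.pse) and its credentials still have to be created as shown above, and the IIS restarted as in step 5.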
