Configuring the SAP Web AS for Supporting SSL (SAP Library)

Configuring the SAP Web AS for Supporting SSL

Prerequisites

The SAP Cryptographic Library is installed in the $(DIR_EXECUTABLE) directory on the application server. (See Installing the SAP Cryptographic Library.)

Note

If the SAP Cryptographic Library is not installed, then the SSL Server PSE and SSL Client PSE nodes are not included in the trust manager's PSE status section.

The following profile parameters are specified in the application server's instance profile. These parameters are normally set during the installation, however, you may want to adjust their default values.

Parameter	Value
icm/plugin_<xx>	PROT=HTTPS, PLG=$(DIR_EXECUTABLE)/httpplugin.so
icm/server_port_<xx>	HTTPS port
icm/HTTPS/verify_client	0: Do not use certificates 1: Allow certificates (default) 2: Require certificates

Caution

If icm/HTTPS/verify_client = 1, then any users who use Microsoft's Internet Explorer as their Web browser and who do not possess a client certificate will receive an empty certificate selection dialog box when they access the SAP Web Application Server. Therefore, if your users are not going to use client certificates for authentication, then set this parameter to the value 0.

Note

If you make changes to any of the icm profile parameters, then restart the ICManager.

Example

Example Parameters:

icm/plugin_2 PROT=HTTPS, PLG=$(DIR_EXECUTABLE)/
httpplugin.so

icm/server_port_2 PROT=HTTPS, PORT=443, TIMEOUT=15

icm/HTTPS/verify_client 1

Procedure

Creating the SSL Server PSEs

Perform the following to create and maintain the SSL server PSE:

Create the SSL server PSEs.

Generate a certificate request for each SSL server PSE.

Send the certificate requests to a CA to be signed.

Import the certificate request responses into the server's SSL server PSEs.

Maintain the SSL server PSE's certificate list.

Creating the SSL Client PSEs

Perform the following to create and maintain the SSL client PSEs:

Repeat the procedure for the standard SSL client PSE.

If you want the application server to be able to use the anonymous identity to communicate with other Web servers, then repeat the procedure for the anonymous SSL client PSE.

If you want the application server to be able to use individual identities to communicate with other Web servers using SSL, then create individual SSL client PSEs.

Defining Which SSL Client PSE to Use

In transaction SM59, you define the HTTP destinations for the SAP Web Application Server. In these destinations, you can specify whether SSL should be used for the connection and which SSL client PSE the server should use. See Specifying that a Connection Should Use SSL.

Restart the ICManager to make sure that any changes take effect.