Maintaining the SSL Server PSE's Certificate List

Use

If users (or other clients) are to be authenticated on the AS ABAP using client certificates, then you must maintain the server's certificate list, which is contained in the server's SSL server PSE. The application server uses this list to determine which CAs the server trusts. Only clients that present client certificates issued by these CAs can be authenticated based on their certificates.

You only need to maintain the certificate list for a single application server's SSL server PSE. The certificate list is distributed to all servers, even if you use server-specific SSL server PSEs.

Prerequisites

You have access to the CA's root certificate. For example, the SAP CA's certificate is available in the AS ABAP system. If you use a different CA, then you must obtain its public-key certificate and store it in one of the available storage locations (for example, in the certificate database). If you have already imported the CA's certificate to a different PSE on the application server, then you can also use the trust manager to copy it from the PSE into the SSL server PSE.

Procedure

Importing the CA's Root Certificate From the Certificate Database

If the CA's public-key certificate is located in the certificate database:

  1. In the certificate section, choose Import certificate.

    The Import Certificate dialog appears.

  2. Select the Database tabstrip.

  3. Select the certificate from the certificate database and choose Enter.

    The certificate appears in the certificate section.

  4. Choose Add to Certificate List.

    The certificate is added to the certificate list for the PSE displayed in the PSE maintenance section.

  5. Save the data.

Importing the CA's Root Certificate From the File System

If the CA's public-key certificate is located in the file system:

  1. In the certificate section, choose Import certificate.

    The Import Certificate dialog appears.

  2. Enter the corresponding file name from the file system.

  3. Select the certificate's file format.

  4. Choose Enter.

    The certificate appears in the certificate maintenance section.

  5. Choose Add to Certificate List.

    The certificate is added to the certificate list for the PSE displayed in the PSE maintenance section.

  6. Save the data.

Importing the CA's Root Certificate From a Different PSE

If the CA's public-key certificate is located in a different PSE:

  1. Expand the node for the PSE that contains the certificate and select one of the application servers with a double-click.

    The PSE and its certificate list appear in the PSE maintenance section.

  2. Select the certificate with a double-click.

    The certificate appears in the certificate maintenance section.

  3. Select one of the application servers under the SSL server PSE node with a double-click.

  4. Choose Add to Certificate List.

    The certificate is added to the certificate list for the PSE displayed in the PSE maintenance section.

  5. Save the data.

Importing the SAP CA's Root Certificate

To import the SAP CA's root certificate:

  1. Choose Start of the navigation pathCertificate Next navigation step SAP Portal CA (DSA)End of the navigation path.

    The SAP CA's certificate appears in the certificate maintenance section.

  2. Choose Add to Certificate List.

    The certificate is added to the certificate list for the PSE displayed in the PSE maintenance section.

  3. Save the data.

Repeat the procedure for all CA root certificates that the server should trust.

Result

The certificate list in the application server's SSL server PSE contains the public-key certificates belonging to the CAs that the server trusts.