Configuring the AS ABAP for Supporting SSL

Prerequisites

  • The server possesses a public and private key pair and public-key certificate.

    The SSL protocol uses public-key technology to provide its protection. Therefore, the server must possess a public and private key pair and a corresponding public-key certificate. It must possess one key pair and certificate to identify itself as the server component and another key pair and certificate if it is to identify itself as a client component. These key pairs and certificates are stored in the server's own Personal Security Environments (PSEs), the SSL server PSE and the SSL client PSE, respectively. (For more information, see Public-Key Technology.)

  • You have downloaded the SAP Cryptographic Library.

    For more information, see The SAP Cryptographic Library Installation Package.

    Caution

    The distribution of the SAP Cryptographic Library is subject to and controlled by German export regulations and is not available to all customers. In addition, the library may be subject to local regulations of your own country that may further restrict the import, use and (re)export of cryptographic software. If you have any further questions on this issue, contact your local SAP subsidiary.

Context

Use the Secure Sockets Layer (SSL) protocol to secure HTTP connections to and from SAP NetWeaver Application Server (AS) ABAP. When using SSL, the data being transferred between the two parties (client and server) is encrypted and the two partners can be authenticated. For example, if a user must transfer his or her account information, then you can use SSL to authenticate the user and encrypt the information during transfer.

Note

There are also templates available for automating some of the configuration tasks and for validating the configuration. For more information, see http://service.sap.com/instguides under Installation and Upgrade Guides > SAP Business Suite Applications > Cross-Applications Tools > Automated Configuration.

Procedure


  1. Install the SAP Cryptographic Library on the application server.

    For more information, see Installing the SAP Cryptographic Library on the AS ABAP.

  2. Set the profile parameters.

    For more information, see Setting the Profile Parameters for Using SSL.

  3. Create and maintain the SSL Server PSEs as follows:

    1. Create the SSL server PSEs.

      For more information, see Creating SSL Server PSEs.

    2. Generate a certificate request for each SSL server PSE.

      For more information, see Generating Certificate Requests for the SSL Server PSEs.

    3. Send the certificate requests to a CA to be signed.

      For more information, see Sending the Certificate Requests to a CA.

    4. Import the certificate request responses into the server's SSL server PSEs.

      For more information, see Importing the Certificate Request Response.

    5. Maintain the SSL server PSE's certificate list.

      For more information, see Maintaining the SSL Server PSE's Certificate List.

  4. Create the SSL client PSEs as follows:

    1. Repeat the procedure for the standard SSL client PSE.

      For more information, see Creating the Standard SSL Client PSE.

    2. To enable the application server to use the anonymous identity to communicate with other Web servers, repeat the procedure for the anonymous SSL client PSE.

      For more information, see Creating the Anonymous SSL Client PSE.

    3. To enable the application server to use individual identities to communicate with other Web servers using SSL, create individual SSL client PSEs.

      For more information, see Creating Individual SSL Client PSEs.

  5. Define which SSL client PSE to use for each connection as follows:

    1. In transaction SM59, you define the HTTP destinations for the AS ABAP. In these destinations, you can specify whether SSL should be used for the connection and which SSL client PSE the server should use.

      For more information, see Specifying that a Connection Should Use SSL.

    2. If SSL with mutual authentication should be used for the configuration, then you must also maintain a mapping between the identity found in the client certificate used for the connection and the user ID to use for the connection. Maintain this mapping in the table USREXTID in the target system.

      For more information, see Maintaining the User Mapping for Incoming Connections that Use Authentication.

  6. Test the connections.

    For more information, see Testing the SSL Configuration.

Results

After completing the configuration, make sure that application or scenario-specific configuration changes are also made. Examples of changes that may be necessary include:

  • Changing the protocol from HTTP to HTTPS in URLs or other parameters.

  • Changing the hostname from a short name to a fully qualified hostname in URLs or other parameters.

  • Changing the HTTP port to the target HTTPS port in URLs or other parameters.

For more information, see the application or scenario-specific configuration documentation.
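
The three changes listed above can be checked mechanically across a list of configured URLs. The following is an added example, not part of the SAP documentation: it rewrites each URL and reports which of the three changes it needed. The names PORT_MAP and DOMAIN, the port numbers and the hostnames are constructed sample values.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values; take the real ones from your own landscape.
PORT_MAP = {8000: 44300}        # HTTP port -> HTTPS port of the same server
DOMAIN = "example.com"          # domain used to qualify short hostnames


def migrate_url(url, port_map=PORT_MAP, domain=DOMAIN):
    """Return (new_url, findings) for one configured URL."""
    parts = urlsplit(url)
    old_scheme = parts.scheme.lower()
    if old_scheme not in ("http", "https"):
        return url, ["skipped: not an HTTP(S) URL"]

    findings = []
    host, port = parts.hostname or "", parts.port
    if old_scheme == "http":
        findings.append("protocol http -> https")

    # A short name has no dot; IP literals are left untouched.
    is_ip = ":" in host or host.replace(".", "").isdigit()
    if host and not is_ip and "." not in host:
        findings.append(f"hostname {host} -> {host}.{domain}")
        host = f"{host}.{domain}"

    if port in port_map:
        findings.append(f"port {port} -> {port_map[port]}")
        port = port_map[port]
    elif port is None and old_scheme == "http":
        findings.append("no explicit port: default changes from 80 to 443")

    # Rebuild the authority part, keeping userinfo and IPv6 brackets.
    userinfo = parts.netloc.rpartition("@")[0]
    netloc = f"{userinfo}@" if userinfo else ""
    netloc += f"[{host}]" if ":" in host else host
    if port is not None:
        netloc += f":{port}"
    new_url = urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return new_url, findings


def audit(urls, **kwargs):
    """Map each URL that would change to (new_url, findings)."""
    results = {u: migrate_url(u, **kwargs) for u in urls}
    return {u: r for u, r in results.items() if r[0] != u}
```

URLs that carry no explicit port are flagged rather than rewritten, because the implicit default moves from 80 to 443 and the target HTTPS port has to be confirmed for that server.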

Next Steps

See also SAP Note 1527879 for more information about switching from HTTP to HTTPS in a complete landscape.