
Configuring SSL Between the UME and an LDAP Directory

Use

You can configure secure connections using the Secure Sockets Layer (SSL) protocol between the user management engine (UME) and an LDAP directory. When SSL is used, the data transferred between the two parties (client and server) is encrypted.

The UME service uses server authentication for the SSL connection between the LDAP directory and the UME. This means that the server (in this case, the LDAP directory) proves its identity to the client (in this case, the UME) with a certificate, while the client does not prove its identity to the server.

Once the secure connection is established, the UME binds to the LDAP directory using the LDAP protocol with a user ID and password. Because the bind takes place inside the SSL session, this user ID and password, like all other data passed between the two parties, are encrypted in transit.

Restrictions

Setting up SSL with client authentication, where the UME proves its identity to the LDAP directory using a certificate, is not supported.

Prerequisites
  • The following users must be stored in a data source other than the LDAP directory server that is accessed through SSL:
    • Administrator user
    • Guest user
    • All service users

    If you use one of the preconfigured data source configuration files for an LDAP data source, these are configured to store the above users in the database. Therefore no extra action is necessary.

    The reason for this constraint is that in the SAP NetWeaver Application Server (AS) Java, the UME service starts before the key storage service. However, the key storage service is required to establish the SSL connection to the LDAP directory server, so the SSL connection to the LDAP directory cannot be created at the time the UME service starts. This means that all users that are used to start the applications and services of the AS Java must be stored in a data source other than the LDAP directory server that is accessed through SSL.

  • You have configured the UME to use an LDAP directory server as data source. For more information, see Configuring the UME to Use an LDAP Directory as Data Source. Remember that the administrator, guest, and service users must be stored in a data source other than the LDAP directory.
  • You have generated a certificate for the LDAP directory server. This can either be a self-signed certificate or a certificate issued by a certification authority. Read the documentation of your directory server vendor for instructions on how to generate a certificate.
    Caution

    Make sure that the server name in the subject part of the server certificate matches the LDAP server name in the UME configuration exactly; otherwise the UME rejects the connection even though the certificate chain is trusted. For more information, see SAP Note 736464.

  • You have configured the LDAP directory server to support SSL. Read the directory server documentation for instructions.
Process
  1. In the SAP NetWeaver Administrator, import the root certificate of the LDAP directory server into the key storage service of the AS Java. See Importing the Root Certificate of the LDAP Directory .

    This ensures that the AS Java trusts certificates issued under that root, including the server certificate presented by the LDAP directory server.

  2. Change the UME LDAP configuration to use an SSL connection to the directory server. See Changing the UME LDAP Configuration .
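Before carrying out these two steps, it is worth checking from the AS Java host that the directory's certificate actually chains to the root certificate you are about to import and that its server name matches the name you will put in the UME configuration (the caution above). The following Python script is an added example and is not part of SAP's documentation or of the UME; it assumes the directory listens on the standard LDAPS port 636 and that the root certificate is available as a PEM file. The live check (`check_ldap_server`) relies on Python's own TLS verification, which consults Subject Alternative Name DNS entries first and falls back to the subject CN only when no DNS SAN exists; `hostname_matches` reproduces that rule on the dictionary shape `getpeercert()` returns so the matching logic can be exercised without a directory. Whether the UME itself accepts a certificate whose name appears only in the SAN is a matter for SAP Note 736464, not for this script.

```python
"""Pre-flight check for a UME -> LDAP SSL connection (added example, not SAP code).

Verifies, from the AS Java host, that (1) the LDAP server certificate chains to
the root CA file you intend to import into the key storage service and (2) the
server name in the certificate matches the LDAP server name used in the UME
configuration.  Assumptions: standard LDAPS port 636 and a PEM root CA file.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

LDAPS_PORT = 636  # assumption: directory listens on the standard LDAPS port


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name match: case-insensitive, one wildcard in the leftmost label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Match hostname against a certificate in the shape ssl's getpeercert() returns.

    DNS entries of the subjectAltName extension take precedence; the subject
    commonName is consulted only when the certificate carries no DNS SAN.
    """
    dns_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_dns_match(n, hostname) for n in dns_names)
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return any(_dns_match(cn, hostname) for cn in cns)


def check_ldap_server(server_name: str, root_ca_file: str, port: int = LDAPS_PORT) -> dict:
    """Handshake with the directory, trusting only root_ca_file and requiring the
    certificate name to match server_name, as the UME will once it is configured.
    Returns the peer certificate dict; raises ssl.SSLCertVerificationError on mismatch."""
    ctx = ssl.create_default_context(cafile=root_ca_file)  # only this root is trusted
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((server_name, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <ldap-server-name-as-in-UME-config> <root-ca.pem>")
    server, cafile = sys.argv[1:]
    try:
        cert = check_ldap_server(server, cafile)
    except ssl.SSLCertVerificationError as e:
        sys.exit(f"FAIL: certificate not accepted for {server}: {e}")
    except OSError as e:
        sys.exit(f"FAIL: cannot reach {server}:{LDAPS_PORT}: {e}")
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    print(f"OK: chain verified against {cafile} and name matches {server}")
    print("    subject:", cert["subject"])
    print("    SAN:    ", cert.get("subjectAltName"))
    print("    expires:", expires.isoformat())
```

Run it as `python ldap_ssl_check.py <server name exactly as in the UME configuration> <root-ca.pem>` from the AS Java host, so that DNS resolution and network path are the same ones the UME will use. A name mismatch surfaces here as a verification error before any UME setting is changed, which is far easier to diagnose than a failed LDAP data source after step 2.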