You can configure secure connections using the Secure Sockets Layer (SSL) protocol between the user management engine (UME) and an LDAP directory. When SSL is used, the data transferred between the two parties (client and server) is encrypted.
The UME service uses server authentication for the SSL connection between the LDAP directories and the UME. This means that the server (in this case, the LDAP directory) proves its identity to the client (in this case, the UME) using a certificate, but the client does not prove its identity to the server.
Once the secure connection is established, the UME binds to the LDAP directory using the LDAP protocol with a user ID and password. This user ID and password, and all other data passed between the two parties, are encrypted.
Setting up SSL with client authentication, where the UME proves its identity to the LDAP directory using a certificate, is not supported.
All users that are used to start the applications and services of the AS Java must be stored in a data source other than the LDAP directory server that is accessed through SSL. The reason for this constraint is that in the SAP NetWeaver Application Server (AS) Java, the UME service starts before the key storage service, but the key storage service is required to enable the SSL connection to the LDAP directory server. Therefore the SSL connection to the LDAP directory cannot yet be created at the time the UME service is started.
If you use one of the preconfigured data source configuration files for an LDAP data source, these files are configured to store these users in the database, so no extra action is necessary.
Make sure that the server name in the subject part of the server certificate matches the LDAP server name in the UME configuration. For more information, see SAP Note 736464.
This ensures that the AS Java trusts the LDAP directory server.
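The name-matching requirement above can be checked before the configuration is activated. The following is an added example, not SAP code: it applies the hostname rules an SSL client uses (subjectAltName dNSName entries first, the subject commonName only when no SAN is present, an IP address only against an iPAddress SAN) to a constructed certificate in the dict layout of Python's `ssl.SSLSocket.getpeercert()`; the server names and certificate contents are invented for illustration.

```python
# Added example (not SAP code): check that the LDAP server name configured for
# the UME matches the server certificate the way the SSL handshake does, using
# SAN dNSName entries first and the subject CN only when no SAN is present.
import ipaddress

def _name_match(pattern: str, host: str) -> bool:
    """Match one certificate name against host; a single wildcard is allowed
    only as the whole leftmost label (*.example.com), never as *.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p, h = pattern.split("."), host.split(".")
    return len(p) == len(h) and len(p) >= 3 and p[0] == "*" and p[1:] == h[1:]

def check_ldap_server_name(configured_name: str, peercert: dict) -> tuple:
    """Return (ok, reason): would configured_name be accepted as the identity
    in peercert? peercert uses the dict layout of ssl.SSLSocket.getpeercert()."""
    sans = peercert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(configured_name)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP address in the configuration matches only an iPAddress SAN,
        # never a CN; configure the DNS name the certificate was issued for.
        if any(ipaddress.ip_address(v) == ip for v in ip_names):
            return True, "iPAddress SAN matches"
        return False, f"no iPAddress SAN for {configured_name}"
    if dns_names:
        # When dNSName SANs are present the subject CN is not consulted.
        if any(_name_match(n, configured_name) for n in dns_names):
            return True, "dNSName SAN matches"
        return False, f"{configured_name} not among SANs {dns_names}"
    cns = [v for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_name_match(n, configured_name) for n in cns):
        return True, "subject CN matches (no SAN present)"
    return False, f"{configured_name} matches neither SAN nor CN {cns}"

# Constructed sample certificate in getpeercert() layout; not a real server.
LDAP_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.ldap-pool.example.com")),
}

if __name__ == "__main__":
    for name in ("ldap.example.com", "ldap01.ldap-pool.example.com", "10.0.0.5"):
        print(name, check_ldap_server_name(name, LDAP_CERT))
```

A mismatch reported here is the same one the AS Java would hit at bind time, so the configured server name should be the DNS name the certificate was issued for rather than an IP address or an alias.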