Adding New SSL Access Points

Prerequisites

You have obtained the SAP Cryptographic Library and the corresponding license ticket and they are installed on the server. For more information, see Installing the SAP Cryptographic Library for SSL .

If the library and ticket are not yet installed in the correct place, you can use the Browse function to upload the files from the file system.

Context

You can use this procedure to add new SSL access points (ports). For example, you can open the default SSL port, which is 443.

Procedure

Start the SSL configuration tool in the SAP NetWeaver Administrator by following the path Configuration Management Security SSL .
Select the instance for which you want to create a new access point. Choose the Edit pushbutton.
In the SSL Access Points section, choose the Add pushbutton.
Enter the number of the port which you want to open.
Select the protocol to be used for the port.
Select the Client Authentication Mode .
The different modes have the following meaning:
- Do Not Request - No certification is required and the server does not ask for one.
- Request - The server asks the client to transfer a certificate. If the client does not send a certificate, authentication is performed using another method such as basic authentication (default setting).
- Required - The client must transfer a valid certificate to the server, otherwise, access is denied.
Select the keystore view that provides the server key pair and trusted CA certificates for the specified port:
- Select Instance Default , if you want to use the default server key pair and trusted CA certificates.
- Select Port Specific , if you want to use different server key pair and trusted CA certificates for the new access point. In this case you must manually create or import the required certificates.
  
  More information: Configuration of the AS Java Keystore Views for SSL and Configuring the SSL Key Pair and Trusted X.509 Certificates .
Choose the Save pushbutton.

Note
Before the changes take effect, you must restart the ICM.

Results

When you create a new access point, the SSL configuration tool creates a keystore view for the specified port. The view contains the server key pair and trusted CA certificates to use for this port. The tool also automatically exports the view to a corresponding PSE file in the secudir .

Next Steps

Maintaining SSL Access Points