Creating the Server's Key Pair to Use for SSL

Use

To use SSL, the SAP J2EE Engine must possess a key pair consisting of a public key, which is distributed in an X.509 public-key certificate, and the corresponding private key. Use the procedure below to create the key pair and public-key certificate on the server.

Note

For SSL, the server needs a key pair that is associated with the fully-qualified host name that is used to access the server. If multiple hosts are accessed using the same fully-qualified host name, then you only have to create one key pair and use it for all hosts.

Example

For example, in a dual-stack system both the ABAP server and the J2EE Engine reside on the same host and therefore use the same fully-qualified host name for access. In this case, create the key pair on the ABAP server, export it, and then upload it on the J2EE Engine.

For more information, see Exporting the SSL Key Pair from the ABAP System.

In addition, when creating a key pair to use for SSL, you must have the public key certified by a Certificate Authority (CA). For this purpose, you will create a certificate signing request (CSR), which you then send to the CA of your choice. The CA will send you the corresponding signed public-key certificate in the form of a certificate request response, which you then import into the keystore entry for which you created the request.

Prerequisites

- The Key Storage service is running on the server.

- If you want to import an existing key pair, then this key pair must exist in the file system as a PKCS#12 (Public-Key Cryptography Standard 12) file with the extension .p12.

- The certificate request response that you receive from the CA must exist as a DER (Distinguished Encoding Rules) or as a Base-64 encoded file.

Procedure

For each server process that is to support SSL:


1. Select the Key Storage service.

The available views appear. Entries corresponding to the selected view appear in the Entries pane. An entry may be either a public-key certificate only or the complete key pair. The type of entry is shown in the information pane with the indicator PRIVATE KEY or CERTIFICATE along with the rest of the information pertaining to the entry.

For more information about using the Key Storage service, see Key Storage Service.

2. Select the service_ssl view.

Any available entries for the service_ssl view appear in the Entries pane.

Recommendation

By default, the SAP J2EE Engine uses the ssl-credentials entry for SSL, which contains a public-key certificate that has been signed by a test CA. Although you can use this certificate for testing purposes, we recommend using a certificate that has been signed by a well-known, productive CA.

3. If no appropriate entry exists for using SSL, then create a new entry (choose Create) or load an existing one from the file system (choose Load).

Caution

When creating an entry to use for SSL, the Key and Certificate Generation dialog appears. Note the following:

- Specify the server's fully-qualified host name as the Common Name part of the Distinguished Name. Otherwise, certain Web browsers will produce a warning if the host name that users use to access the server does not match the host name found in the server's public-key certificate.

- Select the Store certificate option to save the server's public-key certificate separately so that you can export it at a later time.

- Select RSA as the Algorithm to use.

4. If the corresponding certificate has not yet been signed by a CA, then:

   a. Generate a certificate signing request. Select your entry, choose Generate CSR Request and save it to a file.

   b. Send the certificate signing request to a CA to be signed.

   The exact procedure to use depends on the CA that you use. For the SAP CA, follow the instructions provided by the SAP Trust Center Service at service.sap.com/tcs.

   c. Save the certificate request response to a file in the file system. Use the extension .crt (DER-encoded or Base-64 encoded) or .cert (Base-64 encoded).

   d. Import the corresponding certificate request response. Choose Import CSR Response and load the response from the file system.

For more information about managing keys and certificates in the Key Storage service, see Managing Entries.

Caution

If you want to load the public-key certificate as a separate entry, then rename the file before loading. The SAP J2EE Engine uses the file name as the alias when loading; otherwise it will replace the existing PRIVATE KEY entry with a CERTIFICATE entry and the private key will be lost.

Result

The server possesses a public and private key pair to use for SSL.

To verify that the import was successful, select the entry. The certificate should contain the name of the CA as the issuer.
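The same workflow carried out with openssl, as an added example that is not part of the SAP documentation or the Key Storage service: an RSA key pair whose Common Name is the fully-qualified host name, a CSR, a signed response in either DER or Base-64 form, and the final check that the issuer is the CA and the subject CN matches the host. The host name, the test CA name and the file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not SAP's code). FQDN, CA name and paths are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
FQDN="${FQDN:-j2ee.example.internal}"   # placeholder fully-qualified host name

# Step 3 / 4a: RSA key pair with CN = FQDN, plus the certificate signing request
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=$1/O=Example Org/C=DE" >/dev/null 2>&1
}

# Constructed test CA standing in for the CA of step 4b
make_test_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Test CA/O=Example Org/C=DE" >/dev/null 2>&1
}

# Step 4c: the CA's response, written DER-encoded with the .crt extension
sign_csr() {
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -outform DER -out "$WORK/server.crt" >/dev/null 2>&1
}

# Tell a DER response from a Base-64 (PEM) one before importing it
cert_format() {
  if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then echo PEM; else echo DER; fi
}

# "Result" check: issuer is the CA and subject CN is the host name used for access
verify_issued_cert() {
  fmt=$(cert_format "$1")
  issuer=$(openssl x509 -inform "$fmt" -in "$1" -noout -issuer)
  subject=$(openssl x509 -inform "$fmt" -in "$1" -noout -subject)
  case "$issuer" in *"Example Test CA"*) ;; *) return 1 ;; esac
  case "$subject" in *"CN = $2"*|*"CN=$2"*) return 0 ;; *) return 1 ;; esac
}
```

A certificate whose CN does not match the access host name fails the last check, which is the mismatch that triggers the browser warning described in step 3.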

Continue with Assigning the Key Pair to Use for a Specific SSL Port.

See also:

Creating the SSL Server PSE (on the ABAP server)
