
Configuring the SSL Key Pair and Trusted X.509 Certificates

Prerequisites

  • To import an existing key pair or a trusted X.509 client certificate, the key pair or certificate must exist in the file system in a supported format. For more information about the supported formats, see How to Use Key Storage.

  • The certificate request response that you receive from the CA must exist as a DER (Distinguished Encoding Rules) or Base64-encoded file.

Context

You can use the procedure below to configure the key pair and the trusted client certificates that the AS Java uses for establishing SSL connections. You either create a new key pair, or you upload an existing key pair or a trusted X.509 client certificate from the file system.

Note

For SSL, the server needs a key pair that is associated with the fully-qualified host name used to access the server. If multiple hosts are accessed using the same fully-qualified host name, you only have to create one key pair and use it for all of those hosts.

Procedure


  1. Using the Key Storage management functions of the SAP NetWeaver Administrator, open the Content tab. For more information about managing keys and certificates in the Key Storage, see Managing Entries.

  2. From the list of Keystore Views, select the ICM_SSL_<instance_ID> view or one of the ICM_SSL_<instance_ID>_<port> keystore views. The contents of the selected keystore view appear.

    By default, these keystore views contain a key pair that is created during installation for using SSL on the AS Java. This key pair is signed by a testing CA; therefore, we recommend that you limit the use of the default certificate to testing purposes.

    Caution

    By default, the AS Java uses the ICM_SSL_<instance_ID> view for setting up an SSL connection. The ICM_SSL_<instance_ID>_<port> views are used for setting up additional ports for SSL connections. For more information about these views, see Additional SSL Ports.

    Proceed as described below for the task you want to perform to configure the key pair and trusted client certificates to use for SSL connections. Each task is listed with its procedure.

    Task: Import a saved key pair entry

    Procedure:

    1. Choose Delete for the existing AS Java key pair entry in the ICM_SSL_<instance_ID> view.

    2. Choose Import From File.

      The Entry Import dialog appears.

    3. Choose the PKCS type for the key pair to import and enter the path and password for the PKCS file.

    4. Choose Import to add the key pair entry to the keystore view.

    Task: Import trusted X.509 client certificates for SSL

    Procedure:

    Note

    To use SSL with client certificates, you also have to configure the VCLIENT parameter in the instance profile of the AS Java ICM. For more information, see Maintaining ICM Parameters for SSL.

    1. Choose Import From File.

      The Entry Import dialog appears.

    2. Choose X.509 Client Certificate as the entry type to import and enter the path to the stored X.509 certificate.

    3. Choose Import to add the trusted X.509 certificate to the ICM_SSL_<instance_ID> keystore view.

    Task: Create a new key pair entry to use for SSL

    Procedure:

    1. Choose Delete for the existing AS Java key pair entry in the ICM_SSL_<instance_ID> view.

    2. Choose Create to create a new key pair.

    3. Follow the New Entry wizard that appears.

      Note the following:

      • In step 1 of the wizard, specify the name that identifies the private key entry in the keystore view.

      • In step 1 of the wizard, select the Store certificate option to save the server's public-key certificate separately so that you can export it at a later time.

      • Select RSA as the Algorithm to use.

      • In step 2 of the wizard, specify the server's fully-qualified host name as the Common Name part of the Distinguished Name. Otherwise, certain Web browsers produce a warning when the host name that users use to access the server does not match the host name found in the server's public-key certificate.

    Task: Generate a certificate signing request

    Procedure:

    Note

    You need to perform this configuration step if the corresponding certificate has not yet been signed by a CA. We recommend that you use a well-known CA that your client systems trust for signing the SSL keys.

    1. Select the SSL key entry.

    2. Choose Generate CSR Request.

    3. Save the CSR request to a file.

    4. Send the certificate signing request to a CA to be signed.

      The exact procedure depends on the CA that you use. For the SAP CA, follow the instructions provided by the SAP Trust Center Service at service.sap.com/tcs.

    5. Save the certificate request response to a file in the file system. Use the extension .crt (DER-encoded or Base64-encoded) or .cert (Base64-encoded).

    6. To import the corresponding certificate request response, choose Import CSR Response and load the response from the file system.

  3. Restart the SSL service of the AS Java to make the SSL key pair change effective.

Results

The server possesses a public and private key pair to use for SSL. To verify that the import was successful, select the private key entry. The certificate should contain the name of the CA as the issuer.
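
The verification described above (subject Common Name equals the server's fully-qualified host name, issuer equals the chosen CA rather than the installation's testing CA) and the DER/Base64 file-format prerequisite can be checked outside the administrator UI against the certificate file you exported or the CSR response you received. The following Python is an added example; it is not part of SAP's documentation or of the AS Java tooling. It uses a minimal DER reader from the standard library only, so it runs offline. The host name sapserver.example.com and the CA name "Example Corp CA" are constructed values, and make_sample_cert builds a structurally valid certificate skeleton with dummy key and signature bits purely as test input; in practice you would pass the bytes of your own .crt/.cert file to check_ssl_entry.

```python
import base64
import re

CN_OID = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3) in DER OID encoding


def normalize_to_der(data: bytes) -> bytes:
    """Return raw DER from any accepted input: DER bytes, a PEM-armoured
    certificate, or bare Base64 text (the formats the prerequisites allow)."""
    if data[:1] == b"\x30":                          # DER starts with a SEQUENCE tag
        return data
    body = re.sub(rb"-----[^-\n]+-----", b"", data)  # drop PEM armour lines if present
    return base64.b64decode(b"".join(body.split()))


def der_read(buf: bytes, pos: int = 0):
    """Read one DER TLV at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content: bytes):
    """Split the content of a constructed element into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out


def common_name(name: bytes):
    """Extract commonName from a DER Name: SEQUENCE OF SET OF SEQUENCE {OID, value}."""
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            if oid == CN_OID:
                return value.decode("utf-8")         # PrintableString or UTF8String
    return None


def cert_names(der: bytes):
    """Return (subject_cn, issuer_cn) of a DER X.509 certificate."""
    _, cert, _ = der_read(der)
    fields = der_children(der_children(cert)[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:                         # optional explicit [0] version
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return common_name(fields[4][1]), common_name(fields[2][1])


def check_ssl_entry(data: bytes, fqdn: str, expected_issuer_cn: str) -> dict:
    """The post-import checks: subject CN must be the server's fully-qualified
    host name, and the issuer must be the CA you chose (not self-signed)."""
    subject_cn, issuer_cn = cert_names(normalize_to_der(data))
    return {
        "subject_cn": subject_cn,
        "issuer_cn": issuer_cn,
        "cn_matches_host": (subject_cn or "").lower() == fqdn.lower(),
        "self_signed": subject_cn == issuer_cn,
        "issuer_is_expected_ca": issuer_cn == expected_issuer_cn,
    }


# --- constructed test data: no real keys or signatures -----------------------

def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn: str) -> bytes:
    atv = _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))  # UTF8String CN
    return _der(0x30, _der(0x31, atv))               # Name = SEQUENCE { SET { atv } }


def make_sample_cert(subject_cn: str, issuer_cn: str) -> bytes:
    """Structurally valid certificate skeleton with dummy key and signature bits."""
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + _name(issuer_cn) + validity + _name(subject_cn)
               + _der(0x30, sha256_rsa + _der(0x03, b"\x00" * 9)))
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 9))


def to_pem(der: bytes) -> bytes:
    """Wrap DER in PEM armour, the Base64 form a CA response often arrives in."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n".encode()


if __name__ == "__main__":
    signed = make_sample_cert("sapserver.example.com", "Example Corp CA")
    print(check_ssl_entry(to_pem(signed), "sapserver.example.com", "Example Corp CA"))
```

A result with self_signed set to True, or with issuer_is_expected_ca False, means the entry in the keystore view is still the installation's testing key pair or a certificate from a CA other than the one you submitted the CSR to; a False cn_matches_host reproduces the browser warning condition the wizard note describes.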

Continue with Testing the SSL Connection.