Maintaining the SSL Server PSE's Certificate List

Use

If users are to be authenticated on the SAP Web Application Server using client certificates, then you must maintain the server's certificate list, which is contained in the server's SSL server PSE. The application server uses this list to determine which CAs the server trusts. Only users who present client certificates issued by these CAs can be authenticated based on their certificates.

Note

You must also perform additional maintenance tasks to be able to use client certificates for authentication. For more information, see Configuring the System for Using X.509 Client Certificates.

You only need to maintain the certificate list for a single application server's SSL server PSE. The certificate list is distributed to all servers, even if you use server-specific SSL server PSEs.

Caution

The certificate list is stored in the selected PSE and distributed to the other application servers only after you save the data in the trust manager.

Prerequisites

You have access to the CA's root certificate. For example, the SAP CA's certificate is available in the SAP System. If you use a different CA, then you must obtain its public-key certificate and store it in one of the available storage locations (for example, in the certificate database). If you have already imported the CA's certificate to a different PSE on the application server, then you can also use the trust manager to copy it from the PSE into the SSL server PSE.

Procedure

Importing the CA's Root Certificate if it is Located in the Certificate Database

If the CA's public-key certificate is located in the certificate database:

  1. In the certificate section, choose Import certificate.

     The Import Certificate dialog appears.

  2. Select the Database tabstrip.
  3. Select the certificate from the certificate database and choose Enter.

     The certificate appears in the certificate section.

  4. Choose Add to Certificate List.

     The certificate is added to the certificate list for the PSE displayed in the PSE maintenance section.

  5. Save the data.

Importing the CA's Root Certificate if it is Located in the File System

If the CA's public-key certificate is located in the file system:

  1. In the certificate section, choose Import certificate.

     The Import Certificate dialog appears.

  2. Enter the corresponding file name from the file system.
  3. Select the certificate's file format.

     Note

     If you are not sure which format to select, open the certificate in a plain-text editor that does not apply formatting, for example, Notepad. If the contents are readable (although encoded), then the format is Base 64. Otherwise the format is binary.

  4. Choose Enter.

     The certificate appears in the certificate maintenance section.

  5. Choose Add to Certificate List.

     The certificate is added to the certificate list for the PSE displayed in the PSE maintenance section.

  6. Save the data.
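The format check described in the note above can also be done programmatically before the import. The following is an added example, not part of the SAP documentation: the function names and sample bytes are constructed for illustration, and it checks only the file's outer encoding, not whether the certificate is a genuine CA certificate.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def is_single_der_sequence(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE, the outer shape of an X.509 certificate."""
    if len(data) < 2 or data[0] != 0x30:          # 0x30 = SEQUENCE tag
        return False
    first = data[1]
    if first < 0x80:                               # short-form length
        header, length = 2, first
    else:                                          # long form: n length bytes follow
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def certificate_file_format(raw: bytes) -> str:
    """Classify a certificate file's bytes as 'binary', 'Base 64' or 'unknown'."""
    if is_single_der_sequence(raw):
        return "binary"
    match = PEM_BLOCK.search(raw)
    body = match.group(1) if match else raw        # Base 64 with or without header lines
    try:
        decoded = base64.b64decode(b"".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    return "Base 64" if is_single_der_sequence(decoded) else "unknown"

# Constructed sample data: a DER SEQUENCE wrapping 200 zero bytes. It has the outer
# framing of a certificate but is NOT a real certificate.
SAMPLE_BINARY = b"\x30\x81\xc8" + bytes(200)
SAMPLE_BARE_B64 = base64.b64encode(SAMPLE_BINARY)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_BINARY)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, data in [("binary", SAMPLE_BINARY), ("armored", SAMPLE_PEM),
                       ("bare", SAMPLE_BARE_B64), ("html", b"<html>error</html>")]:
        print(name, "->", certificate_file_format(data))
```

An "unknown" result, for example an HTML error page saved under a certificate file name or a truncated download, should be resolved before the file is imported into the trust manager.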

Importing the CA's Root Certificate if it is Located in a Different PSE

If the CA's public-key certificate is located in a different PSE in the SAP System:

  1. Expand the node for the PSE that contains the certificate and select one of the application servers with a double-click.

     The PSE and its certificate list appear in the PSE maintenance section.

  2. Select the certificate with a double-click.

     The certificate appears in the certificate maintenance section.

  3. Select one of the application servers under the SSL server PSE node with a double-click.
  4. Choose Add to Certificate List.

     The certificate is added to the certificate list for the PSE displayed in the PSE maintenance section.

  5. Save the data.

Importing the SAP CA's Root Certificate

To import the SAP CA's root certificate:

  1. Choose Certificate → SAP Workplace CA (DSA).

     The SAP CA's certificate appears in the certificate maintenance section.

  2. Choose Add to Certificate List.

     The certificate is added to the certificate list for the PSE displayed in the PSE maintenance section.

  3. Save the data.

Repeat the procedure for all CA root certificates that the server should trust.

Result

The certificate list in the application server's SSL server PSE contains the public-key certificates belonging to the CAs that the server trusts.

 

 

 
