Creating the SSL Server PSE (SAP Library

Creating the SSL Server PSE

Use

The SSL Server PSE contains the application server's security information that it needs to communicate using SSL. If you have a system with multiple application servers, then the following options are available:

Use a single system-wide SSL server PSE for all servers.
Use server-specific SSL server PSEs for individual application servers.
Use a combination of both types. (Some application servers use a system-wide SSL server PSE, and other application servers use server-specific SSL server PSEs.)

Note

Use a system-wide PSE for those application servers that are accessed via a Network Address Translator (NAT). Use the NAT's fully-qualified host name as the Common Name (CN) part of the Distinguished Name.

Prerequisites

You know the naming convention to use for the server's Distinguished Name. The syntax of the Distinguished Name depends on the Certification Authority (CA) you use.

Example

For example, if you use the SAP CA, the naming convention is CN=<host_name>, OU=I<installation_number>-<company_name>, OU=SAP Web Application Server, O=SAP Trust Community, C=DE.

Procedure

From the Trust Manager screen:

Select the SSL Server PSE node.

Using the context menu, choose Create (if no PSE exists) or Replace.

The <Create/Replace> PSE dialog appears.

Enter the Distinguished Name parts in the corresponding fields. For example:

Name = <host_name>

Org. (opt.) = Test

Comp./Org. = MyCompany

Country = US

Note

If you use the SAP CA, see the SAP Web AS certificate request area on the SAP Service Marketplace at http://service.sap.com/ssltest for information about how to determine the server's Distinguished Name.

Note

If you want to use a reference to a CA name space, then elements contained in the CA's name space are automatically used for the server's Distinguished Name. In addition, you cannot modify the Country field. Use the toggle function ( This graphic is explained in the accompanying text ) to activate or deactivate the reference to a CA name space.

The system uses these components to build a default Distinguished Name to use for a system-wide PSE, as well as for building the server-specific names for individual PSEs.

The SSL Server screen then appears. In this screen, you can decide whether the individual application servers should use the default Distinguished Name and system-wide SSL server PSE or individual PSEs. The default Distinguished Name appears in the Default PSE DN field. The server-specific Distinguished Names appear in the table in the Distinguished Name column.

If necessary, modify or delete any of the individual application server's Distinguished Names to meet you own needs.

For example:

Delete the Distinguished Name entry for any servers that should receive the default Distinguished Name.

Assign the same Distinguished Name to all servers that are to be accessed via a NAT.

Modify the Distinguished Name to adhere to your CA's naming convention (for example, adding an attribute such as L=<Locality>).

Note

If the system could not determine a Distinguished Name for the server, then an error has occurred (for example, the ICMan has not been installed on the server).

Choose Enter.

You return to the Trust Manager screen.

Result

The system creates the SSL server PSEs and distributes them to the individual application servers.