Using the Secure Sockets Layer Protocol (SAP Library - SAP Web Application Server Security)

Using the Secure Sockets Layer Protocol

Use

You can use the Secure Sockets Layer (SSL) protocol to secure HTTP connections to and from the SAP Web Application Server. When SSL is used, the data being transferred between the two parties (client and server) is encrypted and the two partners can be authenticated. For example, if a user must transfer his or her account information, then you can use SSL to authenticate the user and encrypt the information during transfer.

Note

Users that access a service that is protected with SSL use the prefix https: in the URL instead of http:.

Prerequisites

The server possesses a public and private key pair and public-key certificate.

The SSL protocol uses public-key technology to provide its protection. Therefore, the server must possess a public and private key pair and a corresponding public-key certificate. It must possess one key pair and certificate to identify itself as the server component and another key pair and certificate if it is to identify itself as a client component. These key pairs and certificates are stored in the server's own Personal Security Environments (PSEs), the SSL server PSE and the SSL client PSE, respectively. (For more information, see Public-Key Technology.)

You are authorized to receive the SAP Cryptographic Library.

Caution

The distribution of the SAP Cryptographic Library is subject to and controlled by German export regulations and is not available to all customers. In addition, the library may be subject to local regulations of your own country that may further restrict the import, use and (re-)export of cryptographic software. If you have any further questions on this issue, contact your local SAP subsidiary.

Features

By supporting SSL, the SAP Web Application Server can provide the following:

Server-side authentication

With server-side authentication, the server identifies itself to the client when the connection is established, which reduces the risk of using "fake" servers to gain information from clients.

Client-side authentication

With client-side authentication, the client identifies itself when the connection is established. You can use SSL client-side authentication, for example, to authenticate users instead of using user IDs and passwords.

Mutual authentication

In this case, both the server and the client are authenticated.

Data encryption

In addition to authenticating the communication partners, the data being transferred between the client and server is encrypted, which provides for integrity and privacy protection. An eavesdropper cannot access or manipulate the data.

Integration

Use the following functions to maintain the server's SSL information:

Profile parameter maintenance (transaction RZ10)
Trust manager (transaction STRUST)

For more information, see Using the Trust Manager.

RFC destination maintenance (transaction SM59)
ICM Monitor (transaction SMICM)

For more information, see Monitoring the ICM with the ICM Monitor.

See also:

For more information about public-key technology and SSL, see:

Public-Key Technology

Terminology and Abbreviations

SSL information provided by Netscape:

http://www.netscape.com/security/techbriefs/ssl.html

http://developer.netscape.com/docs/manuals/security/sslin/contents.htm