Creating the SSL Server PSE (SAP Library - Network and Transport Layer Security)

Creating the SSL Server PSE

Use

The SSL Server PSE contains the application server's security information that it needs to communicate using SSL. If you have a system with multiple application servers, then the following options are available:

· Use a single system-wide SSL server PSE for all servers.

· Use server-specific SSL server PSEs for individual application servers.

· Use a combination of both types. (Some application servers use a system-wide SSL server PSE, and other application servers use server-specific SSL server PSEs.)

Note

Use a system-wide PSE for those application servers that are accessed via a Network Address Translator (NAT). Use the NAT's fully-qualified host name as the Common Name (CN) part of the Distinguished Name.

Prerequisites

· The SAP Cryptographic Library is installed in the $(DIR_EXECUTABLE) directory on the application server.

Note

If the SAP Cryptographic Library is not installed, then the SSL Server PSE and SSL Client PSE nodes are not included in the trust manager's PSE status section.

· You know the naming convention to use for the server's Distinguished Name. The syntax of the Distinguished Name depends on the Certification Authority (CA) you use.

Example

For example, if you use the SAP CA, the naming convention is CN=<host_name>, OU=I<installation_number>-<company_name>, OU=SAP Web AS, O=SAP Trust Community, C=DE.

Note

For more information about the SAP CA naming conventions, see the SAP Trust Center Service at http://service.sap.com/tcs.

Procedure

From the Trust Manager screen:

...

1. Select the SSL Server PSE node.

2. Using the context menu, choose Create (if no PSE exists) or Replace.

The <Create/Replace> PSE dialog appears.

3. Enter the Distinguished Name parts for a default SSL server PSE in the corresponding fields. For the default SSL server PSE, use a wildcard character (*) as the host name in the Name field. For example:

¡ Name = *.mycompany.com

¡ Org. (opt.) = Test

¡ Comp./Org. = MyCompany

¡ Country = US

Note

If you want to use a reference to a CA name space, then elements contained in the CA's name space are automatically used for the server's Distinguished Name. In addition, you cannot modify the Country field. Use the toggle function ( This graphic is explained in the accompanying text ) to activate or deactivate the reference to a CA name space.

The system uses these components to build a default Distinguished Name to use for a system-wide PSE, as well as for building the server-specific names for individual PSEs.

The SSL Server screen then appears. In this screen, you can decide whether the individual application servers should use the default Distinguished Name and system-wide SSL server PSE or individual PSEs. The default Distinguished Name appears in the Default PSE DN field. The server-specific Distinguished Names appear in the table in the Distinguished Name column.

4. If necessary, modify or delete any of the individual application server's Distinguished Names to meet you own needs.

For example:

¡ Delete the Distinguished Name entry for any servers that should receive the default Distinguished Name.

¡ Assign the same Distinguished Name to all servers that are to be accessed via a NAT.

¡ Modify the Distinguished Name to adhere to your CA's naming convention (for example, adding an attribute such as L=<Locality>).

Note

If the system could not determine a Distinguished Name for the server, then an error has occurred either in the connection or the target server’s configuration is not set up correctly.

5. Choose Enter.

You return to the Trust Manager screen.

Result

The system creates the SSL server PSEs and distributes them to the individual application servers.