
Creating an SSL Server PSE

The SSL server PSE contains the security information (the private key, the server's own certificate, and the certificate list) that the application server needs to act as the server component of an SSL connection. For each SSL port you activate (see the profile parameter icm/server_port_<xx>), set up a corresponding SSL server PSE for that port to use.

Prerequisites

  • You know the naming convention to use for the distinguished name (DN) of the server. The syntax of the DN depends on the certification authority (CA) you use.

    Example

    For example, if you use the SAP CA, the naming convention is CN=<host_name>, OU=I<installation_number>-<company_name>, OU=SAP Web AS, O=SAP Trust Community, C=DE.

  • If you are using multiple SSL server PSEs, then the multiple identities are specified in the trust manager. For more information, see Creating Additional Identities.

Context

The client uses this information, in particular the distinguished name (DN) in the server certificate, to identify the server when a connection is established. Therefore, if your system has multiple application server instances, you have the following options for resolving the server identity:

  • Use a single system-wide SSL server PSE where the DN is the same for all servers.

  • Use server-specific SSL server PSEs for individual application servers.

  • Use a combination of both types. (Some application servers use a system-wide SSL server PSE, and other application servers use server-specific SSL server PSEs.)

    Note

    Use a system-wide PSE for those application servers that are accessed through a Network Address Translator (NAT), and use the fully qualified host name of the NAT as the common name (CN) part of the distinguished name. Clients compare the host name they connect to with the CN of the certificate presented, so a certificate issued for the internal host name of a server behind a NAT fails that check.

Procedure

  1. Start trust manager (transaction STRUST).
  2. Select the SSL Server PSE node.
  3. Using the context menu, choose Create (if no PSE exists) or Replace.

    The <Create/Replace> PSE dialog appears.

  4. Enter the parts of the distinguished name for the default SSL server PSE in the corresponding fields. For the default SSL server PSE, use the wildcard character asterisk (*) as the host name part of the Name field.

    For example:

    • Name= *.mycompany.com

    • Org. (opt.)= Test

    • Comp./Org.= MyCompany

    • Country= US

      Note

      If you use a reference to a CA name space, the elements contained in the CA's name space are automatically used for the DN of the server, and you cannot modify the Country field. Use the toggle function (Namespace Active/Inactive) to activate or deactivate the reference to a CA name space.

    The system uses these components to build a default DN to use for a system-wide PSE, as well as for building the server-specific names for individual PSEs.

    The SSL Server screen then appears. In this screen, you can decide whether the individual application servers should use the default DN and system-wide SSL server PSE or individual PSEs. The default DN appears in the Default PSE DN field. The server-specific DN appears in the table in the Distinguished Name column.

  5. If necessary, modify or delete any of the individual distinguished names of the application servers to meet your own needs.

    For example:

    • Delete the DN entry for any servers that are to use the default DN.

    • Assign the same DN to all servers that are to be accessed via a NAT.

    • Modify the DN to adhere to the naming convention of your CA (for example, adding an attribute such as L=<Locality>).

      Note

      If the system could not determine a DN for a server, either the connection to that server failed or the configuration of the target server is incorrect. Correct the cause before continuing; otherwise that server receives no usable SSL server PSE.

  6. Choose Enter.

Results

The system creates the SSL server PSEs and distributes them to the individual application servers.
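The identity resolution described under Context, and the Distinguished Name table edited in step 5, as an added example in Python. This is not code from this page or from STRUST; it models the rule the SSL Server screen applies (a server with no entry in the Distinguished Name column uses the Default PSE DN, every other server uses its own DN) and then checks the CN each server will present against the host name clients actually use, so that a server behind a NAT left on the wildcard default is caught before the PSEs are built. All instance names, host names, DNs and the installation number are constructed sample data.

```python
"""
Added example: resolve the DN each application server will present on its
HTTPS port and check its CN against the host name clients connect to.
Rule modelled from the SSL Server screen in STRUST: a server without an
entry in the Distinguished Name column uses the Default PSE DN; any other
server uses the DN entered for it.  Instance names, hosts, DNs and the
installation number below are constructed sample data (hypothetical system).
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample data: the default DN from the Create PSE dialog, the
# per-server entries (None = row deleted, so the server uses the default DN),
# and the host name clients actually use to reach each server.
DEFAULT_DN = "CN=*.mycompany.com, OU=Test, O=MyCompany, C=US"
SERVER_DNS: Dict[str, Optional[str]] = {
    "app01_ERP_00": None,
    "app02_ERP_01": "CN=app02.mycompany.com, OU=I0020123456-MyCompany, "
                    "OU=SAP Web AS, O=SAP Trust Community, C=DE",
    "app03_ERP_02": None,   # behind a NAT, but left on the wildcard default
    "app04_ERP_03": "CN=erp.dmz.mycompany.com, OU=Test, O=MyCompany, C=US",
}
CLIENT_HOSTS: Dict[str, str] = {
    "app01_ERP_00": "app01.mycompany.com",
    "app02_ERP_01": "app02.mycompany.com",
    "app03_ERP_02": "erp.dmz.mycompany.com",   # NAT host name
    "app04_ERP_03": "erp.dmz.mycompany.com",   # NAT host name
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=a, OU=b, O=c' into [('CN','a'), ('OU','b'), ('O','c')].
    A value that itself contains a comma must be quoted, e.g. O="Acme, Inc."
    (the quotes are removed from the returned value)."""
    parts: List[str] = []
    current = ""
    in_quotes = False
    for ch in dn:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    result: List[Tuple[str, str]] = []
    for rdn in parts:
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        attr, value = rdn.split("=", 1)
        result.append((attr.strip().upper(), value.strip()))
    return result


def common_name(dn: str) -> str:
    """Return the CN attribute of a DN; raise if the DN has none."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    raise ValueError(f"DN has no CN: {dn!r}")


def cn_matches_host(cn: str, host: str) -> bool:
    """Host-name check as a TLS client applies it: case-insensitive exact
    match, or a single left-most wildcard label ('*.example.com') that covers
    exactly one label (host.example.com, but not example.com or a.b.example.com)."""
    cn, host = cn.lower(), host.lower()
    if not cn.startswith("*."):
        return cn == host
    suffix = cn[1:]                    # ".example.com"
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]      # the part the '*' must cover
    return bool(prefix) and "." not in prefix


def resolve_dns(default_dn: str,
                server_dns: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Empty entry -> default DN; otherwise the server-specific DN."""
    return {srv: (dn if dn else default_dn) for srv, dn in server_dns.items()}


def check_identities(default_dn: str,
                     server_dns: Dict[str, Optional[str]],
                     client_hosts: Dict[str, str]) -> Dict[str, Tuple[str, str, bool]]:
    """Return {server: (CN that will be presented, host clients use, match?)}."""
    report = {}
    for srv, dn in resolve_dns(default_dn, server_dns).items():
        cn = common_name(dn)
        host = client_hosts[srv]
        report[srv] = (cn, host, cn_matches_host(cn, host))
    return report


def mismatches(report: Dict[str, Tuple[str, str, bool]]) -> List[str]:
    """Servers whose presented CN will fail the client's host-name check."""
    return [srv for srv, (_, _, ok) in report.items() if not ok]


if __name__ == "__main__":
    result = check_identities(DEFAULT_DN, SERVER_DNS, CLIENT_HOSTS)
    for srv, (cn, host, ok) in result.items():
        print(f"{srv}: presents CN={cn} for host {host}: {'OK' if ok else 'MISMATCH'}")
    print("fix before creating PSEs:", mismatches(result))
```

In the sample data, app03_ERP_02 is reached through the NAT as erp.dmz.mycompany.com but was left on the default DN, and the wildcard *.mycompany.com covers only one label, so it is reported as a mismatch; app04_ERP_03, which was given the NAT host name as its CN in step 5, passes. After the PSEs have been distributed, the same check can be made from the client side with openssl s_client -connect <host>:<port> and a comparison of the subject of the presented certificate with the host name the client used.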