The SSL server PSE contains the security information of the application server that it
needs to communicate using SSL as the server component. For each SSL port activated (see the
profile parameter
icm/server_port_<xx>), set up a
corresponding SSL server PSE to use.
Prerequisites
-
You know the naming convention to use for the distinguished name (DN) of the
server. The syntax of the DN depends on the certification authority (CA) you
use.
Example
For example, if you use the SAP CA, the naming convention is
CN=<host_name>,
OU=I<installation_number>-<company_name>,
OU=SAP Web AS, O=SAP Trust Community, C=DE.
-
If you are using multiple SSL server PSEs, then the multiple identities are
specified in the trust manager. For more information, see Creating Additional Identities.
Context
This information, in particular the distinguished name of the server, is used to
identify the server when a connection is established. Therefore, if you have a system
with multiple application server instances, then the following options are available for
resolving the server identity:
-
Use a single system-wide SSL server PSE where the DN is the same for all
servers.
-
Use server-specific SSL server PSEs for individual application servers.
-
Use a combination of both types. (Some application servers use a system-wide SSL
server PSE, and other application servers use server-specific SSL server
PSEs.)
Note
Use a system-wide PSE for those application servers that are accessed via a
Network Address Translator (NAT). Use the fully-qualified host name of the NAT
as the common name (CN) part of the distinguished name.
Procedure
- Start trust manager (transaction
STRUST).
- Select the SSL Server PSE node.
- Using the context menu, choose Create (if no PSE exists) or
Replace.
The <Create/Replace> PSE dialog
appears.
- Enter the distinguished name parts for a default SSL server PSE in the
corresponding fields. For the default SSL server PSE, use the wildcard character
asterisk (*) as the host name in the
Name field.
For example:
-
Name= *.mycompany.com
-
Org. (opt.)= Test
-
Comp./Org.= MyCompany
-
Country= US
Note
If you want to use a reference to a CA name space, then elements
contained in the name space of the CA are automatically used for the DN
of the server. In addition, you cannot modify the
Country field. Use the toggle function () to activate or deactivate the reference to a CA name space.
The system uses these components to build a default DN to use for a system-wide
PSE, as well as for building the server-specific names for individual PSEs.
The SSL Server screen then appears. In this screen, you can
decide whether the individual application servers should use the default DN and
system-wide SSL server PSE or individual PSEs. The default DN appears in the
Default PSE DN field. The server-specific DN appears in
the table in the Distinguished Name column.
- If necessary, modify or delete any of the individual distinguished names of the
application server to meet you own needs.
For example:
-
Delete the DN entry for any servers that are to use the default DN.
-
Assign the same DN to all servers that are to be accessed via a NAT.
-
Modify the DN to adhere to the naming convention of your CA (for example,
adding an attribute such as
L=<Locality>).
Note
If the system could not determine a DN for the server, then an error has
occurred either in the connection or the configuration of the target
server is not set up correctly.
- Choose Enter.
Results
The system creates the SSL server PSEs and distributes them to the individual
application servers.