Maintaining the SSL Server PSE's Certificate List

Use

If users (or other clients) are to be authenticated on the AS ABAP using client certificates, then you must maintain the server's certificate list, which is contained in the server's SSL server PSE. The application server uses this list to determine which CAs the server trusts. Only clients that present client certificates issued by these CAs can be authenticated based on their certificates.

Note

You must also perform additional maintenance tasks to be able to use client certificates for authentication. For more information, see Configuring the System for Using X.509 Client Certificates.

You only need to maintain the certificate list for a single application server's SSL server PSE. The certificate list is distributed to all servers, even if you use server-specific SSL server PSEs.

Caution

The certificate list is only stored in the selected PSE and distributed to the other application servers after saving the data in the trust manager.

Prerequisites

You have access to the CA's root certificate. For example, the SAP CA's certificate is available in the AS ABAP system. If you use a different CA, then you must obtain its public-key certificate and store it in one of the available storage locations (for example, in the certificate database). If you have already imported the CA's certificate to a different PSE on the application server, then you can also use the trust manager to copy it from the PSE into the SSL server PSE.

Procedure

Importing the CA's Root Certificate From the Certificate Database

If the CA's public-key certificate is located in the certificate database:

In the certificate section, choose .

The Import Certificate dialog appears.
Select the Database tabstrip.
Select the certificate from the certificate database and choose Enter.

The certificate appears in the certificate section.
Choose .

The certificate is added to the certificate list for the PSE displayed in the PSE maintenance section.
Save the data.

Importing the CA's Root Certificate From the File System

If the CA's public-key certificate is located in the file system:

In the certificate section, choose .

The Import Certificate dialog appears.
Enter the corresponding file name from the file system.
Select the certificate's file format.

Note
To determine which format to select, open the certificate in a text browser that does not use formatting, for example, Notepad. If the contents are readable (although encoded), then the format is Base 64. Otherwise the format is binary.
Choose Enter.

The certificate appears in the certificate maintenance section.
Choose .

The certificate is added to the certificate list for the PSE displayed in the PSE maintenance section.
Save the data.

Importing the CA's Root Certificate From a Different PSE

If the CA's public-key certificate is located in a different PSE:

Expand the node for the PSE that contains the certificate and select one of the application servers with a double-click.

The PSE and its certificate list appear in the PSE maintenance section.
Select the certificate with a double-click.

The certificate appears in the certificate maintenance section.
Select one of the application servers under the SSL server PSE node with a double-click.
Choose .

The certificate is added to the certificate list for the PSE displayed in the PSE maintenance section.
Save the data.

Importing the SAP CA's Root Certificate

To import the SAP CA's root certificate:

Choose Certificate SAP Portal CA (DSA) .

The SAP CA's certificate appears in the certificate maintenance section.
Choose .

The certificate is added to the certificate list for the PSE displayed in the PSE maintenance section.
Save the data.

Repeat the procedure for all CA root certificates that the server should trust.

Result

The certificate list in the application server's SSL server PSE contains the public-key certificates belonging to the CAs that the server trusts.