
Enabling Secure Synchronization using SSL

Use

By default, SAP MI uses the HTTP protocol to transfer data between client and server. If this does not meet your security requirements, you can use the SSL-based HTTPS protocol instead. HTTPS offers certificate-based authentication and encrypted data transfer. For more information on Transport Layer Security, see Transport Layer Security.

Enabling HTTPS port in the ABAP stack

Note

If HTTPS is already activated in the ABAP stack you can skip this step.


       1.      Download the SAP Cryptographic Library from service.sap.com/swdc → Download → SAP Cryptographic Software.

       2.      Install the SAP Cryptographic Library (see Installing the SAP Cryptographic Library on the SAP Web AS).

       3.      Set the profile parameters (see Setting the Profile Parameters for Using SSL).

       4.      Restart the system.

       5.      Start transaction SMICM, and choose Goto → Services.

The list of available ICM services displays.

       6.      If the HTTPS protocol is not active yet, mark it and choose Service → Activate.

Generating and exporting the SSL server certificate

Note

For productive use, SAP recommends purchasing a certificate from a certification authority such as VeriSign, Thawte, TrustCenter or others. For information on the relevant procedure when using a certificate issued or signed by a certification authority, see Configuring the SAP Web AS for Supporting SSL.

For a test environment, a self-signed certificate can be used instead as described below.


       1.      Start transaction STRUSTSSO2.

       2.      If the entry SSL Server is marked with the folder icon, open the folder and check whether it contains a green-marked entry. If it does, the server certificate is already generated. Continue with step 3.

If the entry SSL Server is marked with a red cross, click the entry with the secondary mouse button and choose Create to create the SSL server certificate.

Enter the fully qualified ABAP host in the Name field.

Caution

It is important that this entry exactly matches the host name used for client synchronization. If the name differs, you cannot use the HostNameVerifying functionality of the mobile client, which protects against man-in-the-middle attacks.

       3.      Double-click the green-marked entry below the SSL Server node.

The certificate displays in the upper right area.

       4.      Double-click the certificate in the upper right area.

In the lower right area, the details of the certificate appear.

       5.      Choose Certificate → Export to export the certificate to a file.

       6.      Enter the local path and file name and choose Enter.

Enabling SSL in the client

Note

For productive use, SAP recommends purchasing a certificate from a certification authority.


       1.      Enable SSL in the mobile client by adjusting the MobileEngine.config file (see Parameters for Secure Sockets Layer (SSL) Support and Configuration of Mobile Devices).

Caution

It is strongly recommended that the common name of the certificate and the synchronization name are identical. If they differ, you need to disable host name verification. To do this, set the parameter MobileEngine.Security.HostnameVerifying=false (not recommended).

       2.      Depending on the Java version and operating system on the mobile device, you might need to deploy additional files to the client (see Files for SSL Support).
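The two cautions above (the Name entry of the server certificate and the HostnameVerifying parameter) both depend on the same comparison. The following added example, which is not SAP code and not the mobile client's verifier, shows a generic RFC 2818-style host name check so you can test candidate synchronization host names against a certificate before rollout. It assumes the Name entry becomes the certificate's common name; the host names and the certificate dictionary are constructed samples.

```python
# Added example: generic host name verification (RFC 2818 style).
# NOT SAP MI's HostnameVerifying implementation; names below are constructed.

def _name_match(cert_name: str, host: str) -> bool:
    """Compare one DNS name from the certificate with the sync host name."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    c_labels, h_labels = cert_name.split("."), host.split(".")
    if len(c_labels) != len(h_labels):
        return False  # short name or IP address vs. FQDN never matches
    # A wildcard is honoured only as the complete left-most label.
    if c_labels[0] == "*" and len(c_labels) > 2:
        return bool(h_labels[0]) and c_labels[1:] == h_labels[1:]
    return c_labels == h_labels


def sync_host_matches(cert: dict, sync_host: str) -> bool:
    """cert uses the dict layout returned by ssl.SSLSocket.getpeercert()."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        # No DNS alternative names: fall back to the subject common name.
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return any(_name_match(n, sync_host) for n in names)


def audit(cert: dict, hosts: list) -> dict:
    """Map every candidate synchronization host to pass/fail."""
    return {h: sync_host_matches(cert, h) for h in hosts}


# Constructed sample: certificate created with the FQDN as its name.
SAMPLE_CERT = {"subject": ((("commonName", "abapsrv01.corp.example"),),)}

if __name__ == "__main__":
    candidates = ["abapsrv01.corp.example", "ABAPSRV01.corp.example",
                  "abapsrv01", "10.0.0.5"]
    for host, ok in audit(SAMPLE_CERT, candidates).items():
        print(f"{host:28} {'match' if ok else 'MISMATCH'}")
```

A host that reports MISMATCH here is one for which clients could only synchronize with host name verification switched off, so correct the certificate name or the synchronization host instead.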

Importing the server certificate to the client's truststore file


       1.      Import the server certificate into the truststore file of the mobile client (located in the <MI_HOME>\settings folder), see Making External Server Certificates Trusted.

Note

For more information on server certificates, see also Server Certificates and Deleting Server Certificates.
