
Managing the Credentials and Trusted Certificates to Use SSL

Use

The SSL Provider service can also use the certificates that are generated by the Key Storage service.

Note

You can manage the SSL Provider on both the server and dispatcher nodes. Changes made on the server node apply to all SSL ports, whereas changes made on the dispatcher node's SSL Provider apply only to the dispatcher's port.

For more information about the Key Storage service, see Managing Keystore Entries.

Prerequisites

The Key Storage service is started on all nodes.

The SSL Provider service on the dispatcher node is started.

Procedure


1. On the Runtime tab of the SSL Provider service, select the socket that you want to configure.

2. Select the communication container from the list of available communication containers on the left-hand side.

3. Select the type of socket factory to apply the settings to. You can configure:

   a. Settings to use for newly created sockets – choose New Sockets.

   b. Settings to use for the active sockets – choose Active Sockets. Select the desired IP address and the port it is bound to from Configuration.

Managing Cipher Suites

A cipher suite can be used during the handshake phase only if both the client and the SSL Provider support it. On the Cipher Suite tab you can add or remove such suites. During the handshake the client sends its cipher suites ordered by priority. The J2EE Engine's SSL implementation walks through the client's list and selects the first suite that is also in the list configured in the SSL Provider for the requested SSL port.

Example

In the following example we assume that the J2EE Engine does not support the first cipher suite in the client’s list, but it supports the second cipher suite.

a. The client sends a list of cipher suites, ordered by priority.

b. The J2EE Engine checks whether the first one in the list is in its own list of cipher suites for the requested SSL port.

c. The J2EE Engine does not support the first cipher suite in the client's list. The check continues with the second cipher suite.

d. The J2EE Engine supports the second cipher suite in the client's list, so it selects this suite.

Managing Credentials

In this tab you can manage the credentials that the SSL port uses. If newly added credentials are of the same type as credentials that have already been set, the existing ones are replaced.

Example

If the active socket is configured on port 443 (the standard SSL port), all connections using HTTPS use these credentials.

Managing Client Authentication

Choose the Client Authentication tab. You can choose between the following options:

Option: Do not request client certificate
Description: The system does not require the client to present a client certificate during the handshake, although the client can provide one.
Further Steps: None.

Option: Request client certificate
Description: The server requests a certificate but the certificate is not required. If the client has a certificate, it is sent with the request; otherwise, the system reverts to Basic Authentication. Also, the server only accepts certificates that have been issued by a trusted CA, meaning that the CA's root certificate has been marked as trusted. If there are no certificates applied, a warning message is displayed.
Further Steps: Choose Add and select the certificate you want to mark as trusted. Then choose OK.

Option: Require client certificate
Description: The server requests a certificate and the client must send one. Also, the certificate that the client sends must have been issued by a trusted CA. If there are no certificates applied, a warning message is displayed.
Further Steps: Choose Add and select the certificate you want to mark as trusted. Then choose OK.

Note

When you add a new certificate, note that each of these entries contains a single public-key certificate that belongs to another party. By importing this certificate as a trusted certificate, you indicate that you trust that the owner of this certificate is the identity specified in the certificate's subject.
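As an added example that is not part of this SAP Library page, the following Python model implements the two decisions described above: cipher suite selection in the client's priority order (including the no-common-suite case that the walk-through does not reach), and the three client authentication options with the trusted-CA check. The function names, suite names, CA names and certificate dictionaries are assumptions constructed for the illustration, not the J2EE Engine's own code.

```python
# Illustrative model of the SSL Provider handshake decisions described on this
# page: cipher suite selection in the client's priority order, and the three
# client-authentication options. This is not the J2EE Engine's own code; the
# suite names, CA names and certificates below are constructed sample values.
from enum import Enum
from typing import Dict, Optional, Sequence


class ClientAuth(Enum):
    NONE = "Do not request client certificate"
    REQUEST = "Request client certificate"
    REQUIRE = "Require client certificate"


def select_cipher_suite(client_suites: Sequence[str],
                        port_suites: Sequence[str]) -> Optional[str]:
    """Walk the client's list in its priority order and return the first suite
    that the SSL port is also configured with. None means there is no common
    suite, so the handshake cannot continue (a case steps a-d do not reach)."""
    configured = set(port_suites)
    for suite in client_suites:  # the client's order decides the priority
        if suite in configured:
            return suite
    return None


def authenticate_client(mode: ClientAuth, client_cert: Optional[Dict[str, str]],
                        trusted_cas: Sequence[str]) -> str:
    """Decide the outcome for a client certificate under each option. A
    certificate is a dict with 'subject' and 'issuer'; it is accepted only when
    its issuer is a CA whose root certificate has been marked as trusted."""
    if mode is ClientAuth.NONE:
        # Not requested. Assumption: a certificate the client offers anyway is
        # not used for authentication, since the page does not say it is checked.
        return "not_requested"
    if client_cert is None:
        # Request: fall back to Basic Authentication. Require: reject the client.
        return "basic_authentication" if mode is ClientAuth.REQUEST else "rejected"
    if client_cert["issuer"] in trusted_cas:
        return "accepted"
    return "rejected"  # issued by a CA that is not marked as trusted


if __name__ == "__main__":
    # The page's worked example: the client's first suite is not supported by
    # the engine, the second one is (standard suite names as sample input).
    port_suites = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
    client_suites = ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
    print(select_cipher_suite(client_suites, port_suites))
    print(authenticate_client(ClientAuth.REQUIRE, None, ["Sample Root CA"]))
```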

