Creating the SSL Server PSE

The SSL server PSE contains the application server's security information that it needs to communicate using SSL as the server component. This information, in particular the server's Distinguished Name, is used to identify the server when a connection is established. Therefore, if you have a system with multiple application server instances, then the following options are available for resolving the server identity:

  • Use a single system-wide SSL server PSE where the Distinguished Name is the same for all servers.

  • Use server-specific SSL server PSEs for individual application servers.

  • Use a combination of both types. (Some application servers use a system-wide SSL server PSE, and other application servers use server-specific SSL server PSEs.)

    Note: Use a system-wide PSE for those application servers that are accessed via a Network Address Translator (NAT). Use the NAT's fully-qualified host name as the Common Name (CN) part of the Distinguished Name.

Use the trust manager (transaction STRUST) to maintain the PSEs.

Prerequisites

  • The SAP Cryptographic Library is installed in the $(DIR_EXECUTABLE) directory on the application server.

    Note: If the SAP Cryptographic Library is not installed, then the SSL Server PSE and SSL Client PSE nodes are not included in the trust manager's PSE status section.

  • You know the naming convention to use for the server's Distinguished Name. The syntax of the Distinguished Name depends on the Certification Authority (CA) you use.

    Example: If you use the SAP CA, the naming convention is CN=<host_name>, OU=I<installation_number>-<company_name>, OU=SAP Web AS, O=SAP Trust Community, C=DE.

    Note: For more information about the SAP CA naming conventions, see the SAP Trust Center Service at http://service.sap.com/tcs.

Procedure

From the Trust Manager screen:

  1. Select the SSL Server PSE node.

  2. Using the context menu, choose Create (if no PSE exists) or Replace.

    The <Create/Replace> PSE dialog appears.

  3. Enter the Distinguished Name parts for a default SSL server PSE in the corresponding fields. For the default SSL server PSE, use a wildcard character (*) as the host name in the Name field. For example:

    • Name = *.mycompany.com

    • Org. (opt.) = Test

    • Comp./Org. = MyCompany

    • Country = US

      Note: If you want to use a reference to a CA name space, then elements contained in the CA's name space are automatically used for the server's Distinguished Name. In addition, you cannot modify the Country field. Use the toggle function (Namespace Active/Inactive) to activate or deactivate the reference to a CA name space.

    The system uses these components to build a default Distinguished Name to use for a system-wide PSE, as well as for building the server-specific names for individual PSEs.

    The SSL Server screen then appears. In this screen, you can decide whether the individual application servers should use the default Distinguished Name and system-wide SSL server PSE or individual PSEs. The default Distinguished Name appears in the Default PSE DN field. The server-specific Distinguished Names appear in the table in the Distinguished Name column.

  4. If necessary, modify or delete any of the individual application servers' Distinguished Names to meet your own needs.

    For example:

    • Delete the Distinguished Name entry for any servers that are to use the default Distinguished Name.

    • Assign the same Distinguished Name to all servers that are to be accessed via a NAT.

    • Modify the Distinguished Name to adhere to your CA's naming convention (for example, adding an attribute such as L=<Locality>).

      Note: If the system could not determine a Distinguished Name for the server, then either an error has occurred in the connection or the target server's configuration is not set up correctly.

  5. Choose Enter.

    You return to the Trust Manager screen.

Result

The system creates the SSL server PSEs and distributes them to the individual application servers.
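
A planning aid for steps 3 and 4, added here as an example and not part of the SAP documentation or tooling: it checks which client-facing host names the default wildcard Distinguished Name covers (so their table entry can be deleted) and proposes a server-specific Distinguished Name for the rest. The DN string, host names and function names are constructed for illustration, and the match rule assumes that clients accept * only as the whole left-most label, standing for exactly one label.

```python
import re

def parse_dn(dn):
    """Split 'CN=a, OU=b, O=c, C=DE' into ordered (attribute, value) pairs."""
    pairs = []
    for part in re.split(r'(?<!\\),', dn):        # split on unescaped commas
        attr, sep, value = part.strip().partition('=')
        if not (sep and attr.strip() and value.strip()):
            raise ValueError(f"malformed DN component: {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def common_name(dn):
    cns = [v for a, v in parse_dn(dn) if a == 'CN']
    if len(cns) != 1:
        raise ValueError("expected exactly one CN in the DN")
    return cns[0]

def cn_covers(cn, host):
    """True if the CN identifies host. Assumed rule: '*' is accepted only as
    the whole left-most label and stands for exactly one non-empty label."""
    cn_labels = cn.lower().rstrip('.').split('.')
    host_labels = host.lower().rstrip('.').split('.')
    if len(cn_labels) != len(host_labels):
        return False                               # '*' never spans several labels
    if cn_labels[0] == '*':
        return (len(cn_labels) > 2 and bool(host_labels[0])
                and cn_labels[1:] == host_labels[1:])
    return '*' not in cn and cn_labels == host_labels

def server_dn(default_dn, host):
    """Server-specific DN: the default DN's components with CN set to host."""
    return ', '.join(f"{a}={host if a == 'CN' else v}" for a, v in parse_dn(default_dn))

def plan_pses(default_dn, hosts):
    """Map each client-facing host name to 'system-wide' or a server-specific DN."""
    cn = common_name(default_dn)
    return {h: 'system-wide' if cn_covers(cn, h) else server_dn(default_dn, h)
            for h in hosts}

# Constructed sample: default DN built from the field values in step 3, made-up hosts.
DEFAULT_DN = "CN=*.mycompany.com, OU=Test, O=MyCompany, C=US"
HOSTS = ["app01.mycompany.com", "app02.dmz.mycompany.com", "nat.partner.example"]

if __name__ == "__main__":
    for host, decision in plan_pses(DEFAULT_DN, HOSTS).items():
        print(f"{host:28} -> {decision}")
```

Pass the host names that clients actually connect to: for servers behind a NAT that is the NAT's fully-qualified host name, not the internal server name.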