
Replacing the Key Pair to Use for Logon Tickets

Use

There are several use cases for replacing the key pair to use for logon tickets on the J2EE Engine, for example:

     In a dual-stack system where the SIDs for both the ABAP server and the J2EE Engine are the same, you must replace one of the key pairs so that the Distinguished Names are unique.

     You must replace the key pair used for logon tickets before the public-key certificate expires.

This procedure describes how to replace the J2EE Engine’s key pair to use for logon tickets.

Caution

When creating the key pair, observe the following requirements:

      The key pair must exist in the keystore view TicketKeystore.

      The entry must have the name SAPLogonTicketKeypair.

      Later, you have to be able to export the public-key certificate so that you can import it into the accepting servers’ keystores or Personal Security Environments (PSEs). Therefore, store the public-key certificate separately using the Store certificate option.

      Use the DSA algorithm.

Procedure

Using the Visual Administrator:

       1.      Select the Key Storage Service.

       2.      Select the TicketKeystore view.

       3.      Delete the SAPLogonTicketKeypair and SAPLogonTicketKeypair-cert entries.

       4.      Under Entry, choose Create.

The Key and Certificate Generation dialog appears.

       5.      Enter the Subject Properties in the corresponding fields.

The entries in these fields build a Distinguished Name in the form:

CN=<Common Name>, OU=<Organization Unit Name>, O=<Organization Name>, L=<Locality Name>, ST=<State/Province>, C=DE

Note

Use capital letters for the Country Name.

       6.      Enter SAPLogonTicketKeypair as the Entry Name.

Caution

Do not enter a different name. The J2EE Engine uses the entry with this name to sign logon tickets.

       7.      Select the Store certificate option and choose DSA as the algorithm to use.

       8.      Choose Generate.

Result

The J2EE Engine uses this key pair to digitally sign logon tickets.

You must also import the public-key certificate for this key pair into all ticket-accepting systems, as described in the caution above.
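
A check of the planned Subject Properties from step 5 against the dual-stack use case above, run before the key pair is generated. This is an added example, not SAP code: the function names, the sample DNs and the SID AB1 are constructed, and treating DNs that differ only in case or spacing as identical is an assumption made to stay on the safe side.

```python
import re

# Attribute types from the DN form shown in step 5 of the procedure.
KNOWN_ATTRS = {"CN", "OU", "O", "L", "ST", "C"}

def parse_dn(dn):
    """Split a DN string into (type, value) pairs; backslash-escaped commas stay in the value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"malformed component: {rdn.strip()!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def normalize(dn):
    """Comparison form. Assumption: case and repeated spaces do not make two DNs distinct."""
    return tuple((a, " ".join(v.split()).lower()) for a, v in parse_dn(dn))

def check_subject(j2ee_dn, abap_dn):
    """Return the problems found in the planned J2EE subject DN; an empty list means none."""
    problems = []
    pairs = parse_dn(j2ee_dn)
    for attr, value in pairs:
        if attr not in KNOWN_ATTRS:
            problems.append(f"{attr} is not part of the DN form used in the dialog")
        if not value:
            problems.append(f"{attr} is empty")
    country = dict(pairs).get("C", "")
    if not re.fullmatch(r"[A-Z]{2}", country):
        problems.append(f"C={country!r} is not a two-letter code in capital letters")
    if normalize(j2ee_dn) == normalize(abap_dn):
        problems.append("DN is identical to the ABAP server's DN")
    return problems

if __name__ == "__main__":
    # Constructed sample values for a dual-stack system with the hypothetical SID AB1.
    abap = "CN=AB1, OU=IT, O=Example Corp, L=Walldorf, ST=BW, C=DE"
    for planned in ("cn=ab1, OU=IT, O=Example  Corp, L=Walldorf, ST=BW, C=de",
                    "CN=AB1 J2EE, OU=IT, O=Example Corp, L=Walldorf, ST=BW, C=DE"):
        print(planned, "->", check_subject(planned, abap) or "OK")
```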

 

 
