
Configuring SSL Between the UME and an LDAP Directory

Use

You can configure secure connections using the Secure Sockets Layer (SSL) protocol between the user management engine (UME) and an LDAP directory. When SSL is used, the data transferred between the two parties (client and server) is encrypted.

The UME service uses server authentication for the SSL connection between the UME and the LDAP directory. This means that the server (in this case, the LDAP directory) proves its identity to the client (in this case, the UME) with a certificate, but the client does not prove its identity to the server.

Once the secure connection is established, the UME binds to the LDAP directory with the LDAP protocol using a user ID and password. That user ID and password, like all other data passed between the two parties, are sent encrypted. Because only the server is authenticated, the bind password is protected only if the UME actually verifies the server certificate; this is why the root certificate of the directory server must be trusted by the AS Java (see Process, step 1).

Restrictions

Setting up SSL with client authentication, where the UME provides its identity to the LDAP directory using a certificate, is not supported.

Prerequisites

      The following users must be stored in a data source other than the LDAP directory server that is accessed through SSL:

       Administrator user

       Guest user

       All service users

If you use one of the preconfigured data source configuration files for an LDAP data source, these are configured to store the above users in the database. Therefore no extra action is necessary.

The reason for this constraint is that in the SAP NetWeaver Application Server (AS) Java, the UME service starts before the key storage service, but the key storage service, which holds the trusted root certificate of the directory server, is required to establish the SSL connection. Therefore the SSL connection to the LDAP directory cannot be created at the time the UME service starts, and all users that are needed to start the applications and services of the AS Java must be stored in a data source other than the LDAP directory server that is accessed through SSL.

      You have configured the UME to use an LDAP directory server as data source. For more information, see Configuring the UME to Use an LDAP Directory as Data Source. Remember that the administrator, guest, and service users must be stored in a data source other than the LDAP directory.

      In the data source configuration file, the property ume.ldap.access.ssl_socket_factory is set to com.sap.security.core.server.https.SecureConnectionFactory.

      You have generated a certificate for the LDAP directory server. This can either be a self-signed certificate or a certificate issued by a certification authority. Read the documentation of your directory server vendor for instructions on how to generate a certificate.

Caution

Make sure that the server name in the subject part of the server certificate matches the LDAP server name in the UME configuration exactly, for example the same fully qualified host name in both places. If the UME configuration uses an IP address or a short host name that does not appear in the certificate, the names do not match and the SSL connection cannot be used. For more information, see SAP Note 736464.

      You have configured the LDAP directory server to support SSL. Read the directory server documentation for instructions.

Process


       1.      In the Visual Administrator, import the root certificate of the LDAP directory server into the key storage service of the AS Java. See Importing the Root Certificate of the LDAP Directory.

This ensures that the AS Java trusts the LDAP directory server.

       2.      Change the UME LDAP configuration to use an SSL connection to the directory server. See Changing the UME LDAP Configuration.
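Before switching the UME configuration over, it is worth checking from outside the AS Java that the directory server really presents a certificate that chains to the root certificate imported in step 1 and that carries the name used in the UME configuration (the Caution under Prerequisites). The following Python script is an added example for this page; it is not SAP code and not part of the UME. It assumes the LDAP server name, the SSL port (636 is assumed as the default) and the path of the root certificate file are supplied by the caller; the sample certificate dictionary is constructed in the shape Python's ssl.getpeercert() returns and is not captured from a real server.

```python
"""Added example: pre-flight check for the UME -> LDAP SSL connection.

Not SAP code. It performs, outside the AS Java, the two checks that the
configuration above depends on: validate the directory server's certificate
chain against the root certificate you intend to import into the key storage
service, and compare the name in that certificate with the LDAP server name
from the UME configuration.
"""
import socket
import ssl


def names_in_cert(cert):
    """DNS names the certificate is valid for, from a dict in the shape
    ssl.SSLSocket.getpeercert() returns. subjectAltName dNSName entries win;
    the subject commonName is used only when there is no SAN at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]


def name_matches(pattern, server_name):
    """Case-insensitive comparison; a wildcard is accepted only as the whole
    left-most label and only against exactly one label of the server name."""
    pattern = pattern.lower().rstrip(".")
    server_name = server_name.lower().rstrip(".")
    if pattern == server_name:
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if "." not in suffix or not server_name.endswith("." + suffix):
            return False
        leftmost = server_name[: -len(suffix) - 1]
        return bool(leftmost) and "." not in leftmost
    return False


def cert_matches_server(cert, configured_server_name):
    """True if any name in the certificate matches the UME's LDAP server name."""
    return any(name_matches(n, configured_server_name) for n in names_in_cert(cert))


def check_ldap_ssl(server_name, port=636, cafile=None, timeout=5.0):
    """Connect the way the UME will: server authentication only, no client
    certificate, chain validated against `cafile` (the root certificate that
    step 1 imports into the key storage service). Returns the peer certificate
    dict, or raises ssl.SSLError with a message naming the actual problem."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Hostname comparison is done by cert_matches_server below so that a
    # mismatch is reported against the name from the UME configuration.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((server_name, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            cert = tls.getpeercert()
    if not cert_matches_server(cert, server_name):
        raise ssl.SSLCertVerificationError(
            "certificate is valid for %s but the UME configuration uses %r; "
            "align the two (SAP Note 736464)" % (names_in_cert(cert), server_name))
    return cert


# Constructed sample in the shape getpeercert() returns; not captured from a real server.
SAMPLE_CERT = {
    "subject": ((("countryName", "DE"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "ldap.corp.example.com"),)),
    "subjectAltName": (("DNS", "ldap.corp.example.com"),
                       ("DNS", "*.ldap-cluster.example.com")),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:
        # e.g. python check_ldap_ssl.py ldap.corp.example.com /path/to/ldap-root-ca.pem
        peer = check_ldap_ssl(sys.argv[1], cafile=sys.argv[2])
        print("OK: server certificate is valid for", names_in_cert(peer))
    else:
        for configured in ("ldap.corp.example.com", "10.1.2.3", "corp.example.com"):
            print(configured, "->", cert_matches_server(SAMPLE_CERT, configured))
```

Run it with the same server name you enter in the UME LDAP configuration and the root certificate file you import in step 1. A failure in the chain check means the wrong root was exported from the directory server; a name mismatch means the two sides use different forms of the name (typically an IP address or short host name in the UME configuration against a fully qualified name in the certificate). Because the Caution above refers to the subject of the certificate, put the server name in the commonName as well as in a subjectAltName entry when you generate the certificate, so the check passes regardless of which field the UME consults.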
