1. Introduction –
The requirement is to let users access AS Java via SSL (Secure Sockets Layer).
As a result of this document, you will be able to:
· Use the Key Storage and the SSL Provider Services
· Configure SAP J2EE Engine for using SSL
· Configure the use of client certificates for authentication
This document describes the step-by-step procedure for implementing access to AS Java via SSL with SAP NetWeaver 7.3x AS Java.
I hereby confirm that the Images/screenshots are created by me during the installation and there is no IP violation in this document.
2. Pre-Requisites –
· The following user accounts should exist:
User Accounts | Generic name |
Operating system account with login | unixacc |
Operating system account with root / admin privileges UNIX : without login | saproot |
SAP admin account : | sidadm |
SAP Administrator account : | Administrator |
SAP Central Services hostname | hostname1 |
SAP Dispatcher hostname | hostname2 |
Download Directory: /download
3. Installation Procedure –
No | Activity |
1 | Prepare crypto tools
    cd /tmp; mkdir crypto; cd crypto
    SAPCAR -xvf /download/90000104.SAR
    cdexe
    cp /tmp/crypto/aix-6.1.0-64/sapgenpse .
    cp /tmp/crypto/aix-6.1.0-64/libsapcrypto.o .
    cp /tmp/crypto/ticket /usr/sap/SID/SCS00/sec/
    cp /tmp/crypto/ticket /usr/sap/SID/J00/sec/
    vi scs.lst
    Add an entry: libsapcrypto.o
2 | Maintain SAP parameters
    cdpro
    vi SID_SCS00_hostname1
    Add lines:
    ssl/ssl_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
    sec/libsapsecu = $(ssl/ssl_lib)
    ssf/ssfapi_lib = $(ssl/ssl_lib)
    ms/server_port_1 = PROT=HTTPS,PORT=95$$

    vi SID_J00_hostname1
    Add lines:
    icm/server_port_0 = PROT=IIOP, PORT=51007
    icm/server_port_1 = PROT=TELNET, PORT=51008, HOST=localhost
    icm/server_port_2 = PROT=P4, PORT=51004
    icm/server_port_3 = PROT=HTTP, PORT=51000, TIMEOUT=60, PROCTIMEOUT=600
    icm/server_port_4 = PROT=HTTPS, PORT=51001, SSLCONFIG=ssl_config_4
    icm/ssl_config_4 = VCLIENT=0, CRED=/usr/sap/SID/J00/sec/SAPSSLS.pse
    icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, FOR= hostname1:51000, PROT=https, HOST=hostname1, PORT=51001
    icm/HTTP/redirect_1 = PREFIX=/, FROM=*, FROMPROT=http, FOR= hostname2:51000, PROT=https, HOST=hostname2, PORT=51001
    icm/add_client_protocol_header = true
    icm/HTTP/esid_support = true
    icm/handle_webdisp_ap_header = 1
3 | Create PSE certificate request for message server
    cd /usr/sap/SID/SCS00/sec
    setenv SECUDIR /usr/sap/SID/SCS00/sec
    sapgenpse get_pse -p SAPSSLS.pse -a RSA -s 1024
    Use cn=<name>, where <name> follows the company's naming standard.
    Do not enter a password.

    Create the response certificate file:
    cd $SECUDIR
    vi response_hostname1.cer
    Into this file, copy the certificate response provided in the above step and also the Base-64 encoded X.509 certificate.

    Import the certificate response file into the PSE:
    sapgenpse import_own_cert -c response_hostname1.cer -p SAPSSLS.pse
4 | Create PSE certificate request for dispatcher server
    cd /usr/sap/SID/J00/sec
    setenv SECUDIR /usr/sap/SID/J00/sec
    sapgenpse get_pse -p SAPSSLS.pse -a RSA -s 1024
    Use cn=<name>, where <name> follows the company's naming standard.
    Do not enter a password.

    Create the response certificate file:
    cd $SECUDIR
    vi response_hostname2.cer
    Into this file, copy the certificate response provided in the above step and also the Base-64 encoded X.509 certificate.

    Import the certificate response file into the PSE:
    sapgenpse import_own_cert -c response_hostname2.cer -p SAPSSLS.pse
5 | Export P12 certificate for J00 instance
    setenv SECUDIR /usr/sap/SID/J00/sec
    cd $SECUDIR
    sapgenpse export_p12 -p SAPSSLS.pse $HOME/SSL_pki_SID_hostname2.p12
    Enter the password.
6 | Import the private key in NWA
    1. Log on to the NetWeaver Administrator: http://<hostname2>:<port>/NWA
    2. Navigate to: Configuration Management > System > Certificate and Keys.
    3. From the list of Keystore Views, select the ICM_SSL_<instance_ID> view. The contents of the selected keystore view appear.
    4. Navigate to Configuration > Certificates and Keys > click the Keystore View name (from the step above) > in the details of the view, choose “Import Entry”, select Files of Type: PKCS#12 Key, and select the P12 file exported in the previous steps.
7 | Restart ICM for activating SSL
    cdpro
    jsmon pf=SID_J00_hostname1
    Restart ICM
8 | Test SSL for application servers
    In an Internet browser, call the URL: https://hostname1:9500/msgserver/
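
A consistency check for the ICM lines added to the instance profile in step 2, run before the ICM restart in step 7. This is an added example, not part of the original document and not SAP tooling; the function name `check_icm_profile` and the wording of the findings are hypothetical, and reading VCLIENT=0 as "no client certificate requested" is an assumption.

```shell
#!/bin/sh
# Added example, not SAP tooling: lint the ICM lines of an instance profile.
# Reads the profile on stdin and prints one finding per line.
check_icm_profile() {
  awk '
    # Return the value of KEY in a "K1=v1, K2=v2" option list, or "".
    function opt(list, key,    n, i, p) {
      n = split(list, p, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++)
        if (index(p[i], key "=") == 1) return substr(p[i], length(key) + 2)
      return ""
    }
    /^[ \t]*#/ || !/=/ { next }   # skip comments and non-parameter lines
    {
      name = $0; sub(/[ \t]*=.*$/, "", name); sub(/^[ \t]+/, "", name)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
      if (name ~ /^icm\/server_port_[0-9]+$/) { pname[++np] = name; pval[np] = val }
      if (name ~ /^icm\/ssl_config_[0-9]+$/) cfg[substr(name, 5)] = val
      if (name ~ /^icm\/HTTP\/redirect_[0-9]+$/ && opt(val, "PROT") == "https") redir = 1
    }
    END {
      for (i = 1; i <= np; i++) {
        prot = opt(pval[i], "PROT"); sc = opt(pval[i], "SSLCONFIG")
        # Assumption: VCLIENT=0 means the server does not ask for a client cert.
        if (prot == "HTTPS" && sc != "") {
          if (!(sc in cfg)) {
            print "ERROR " pname[i] ": SSLCONFIG=" sc " has no icm/" sc " line"
          } else if (opt(cfg[sc], "VCLIENT") == "0") {
            print "INFO " pname[i] ": VCLIENT=0, client certificates are not requested"
          }
        }
        if (prot == "TELNET" && opt(pval[i], "HOST") != "localhost")
          print "WARN " pname[i] ": TELNET port is not bound to localhost"
        if (prot == "HTTP" && !redir)
          print "WARN " pname[i] ": HTTP port without a redirect to https"
      }
    }'
}

# Sample input: ICM lines taken from step 2 of this page (redirect_1 left out).
PAGE_PROFILE='icm/server_port_1 = PROT=TELNET, PORT=51008, HOST=localhost
icm/server_port_3 = PROT=HTTP, PORT=51000, TIMEOUT=60, PROCTIMEOUT=600
icm/server_port_4 = PROT=HTTPS, PORT=51001, SSLCONFIG=ssl_config_4
icm/ssl_config_4 = VCLIENT=0, CRED=/usr/sap/SID/J00/sec/SAPSSLS.pse
icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, FOR= hostname1:51000, PROT=https, HOST=hostname1, PORT=51001'
printf '%s\n' "$PAGE_PROFILE" | check_icm_profile
```

On a real system the function can be fed the instance profile directly, for example `check_icm_profile < SID_J00_hostname1` from the profile directory.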
References
https://service.sap.com/notes
1770585 How to configure SSL on the AS Java