
1.    Introduction –

The requirement is to enable users to access AS Java via SSL (Secure Sockets Layer).

As a result of this document, you will be able to:

·        Use the Key Storage and the SSL Provider Services

·        Configure SAP J2EE Engine for using SSL

·        Configure the use of client certificates for authentication

This document describes the step-by-step procedure for implementing access to AS Java via SSL with SAP NetWeaver 7.3x AS Java.

I hereby confirm that the Images/screenshots are created by me during the installation and there is no IP violation in this document.

2.    Pre-Requisites –

·        The following user accounts should exist:

| User Accounts | Generic name |
|---|---|
| Operating system account with login (for Unix "su" command functionality) | unixacc |
| Operating system account with root / admin privileges (UNIX: without login) | saproot |
| SAP admin account | sidadm |
| SAP Administrator account | Administrator |
| SAP Central Services hostname | hostname1 |
| SAP Dispatcher hostname | hostname2 |

Download Directory: /download

 

3.    Installation Procedure –

No

Activity

1

Prepare crypto tools

As user unixacc:

cd /tmp;mkdir crypto;cd crypto

SAPCAR -xvf /download/90000104.SAR

cdexe

cp /tmp/crypto/aix-6.1.0-64/sapgenpse .

cp /tmp/crypto/aix-6.1.0-64/libsapcrypto.o .

cp /tmp/crypto/ticket /usr/sap/SID/SCS00/sec/

cp /tmp/crypto/ticket /usr/sap/SID/J00/sec/

vi scs.lst

Add an entry : libsapcrypto.o

2

Maintain SAP parameters

As user unixacc:

cdpro

vi SID_SCS00_hostname1

Add lines :

ssl/ssl_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)

sec/libsapsecu = $(ssl/ssl_lib)

ssf/ssfapi_lib = $(ssl/ssl_lib)

ms/server_port_1 = PROT=HTTPS,PORT=95$$

vi SID_J00_hostname1

Add lines :

icm/server_port_0 = PROT=IIOP, PORT=51007

icm/server_port_1 = PROT=TELNET, PORT=51008, HOST=localhost

icm/server_port_2 = PROT=P4, PORT=51004

icm/server_port_3 = PROT=HTTP, PORT=51000, TIMEOUT=60, PROCTIMEOUT=600

icm/server_port_4 = PROT=HTTPS, PORT=51001, SSLCONFIG=ssl_config_4

icm/ssl_config_4 = VCLIENT=0, CRED=/usr/sap/SID/J00/sec/SAPSSLS.pse

icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, FOR= hostname1:51000, PROT=https, HOST=hostname1, PORT=51001

icm/HTTP/redirect_1 = PREFIX=/, FROM=*, FROMPROT=http, FOR= hostname2:51000, PROT=https, HOST=hostname2, PORT=51001

icm/add_client_protocol_header = true

icm/HTTP/esid_support = true

icm/handle_webdisp_ap_header = 1
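A consistency check for the instance-profile lines above, as an added example that is not part of the original post: it verifies that every HTTPS port's SSLCONFIG points at a defined `icm/ssl_config_N`, that each redirect targets a real HTTPS port, and that the TELNET port stays bound to localhost. The function names are hypothetical and the sample profile is constructed from the step 2 values.

```python
import re

# Constructed sample from the step 2 lines; parse_profile/lint_icm are hypothetical helpers.
SAMPLE_PROFILE = """\
icm/server_port_1 = PROT=TELNET, PORT=51008, HOST=localhost
icm/server_port_3 = PROT=HTTP, PORT=51000, TIMEOUT=60, PROCTIMEOUT=600
icm/server_port_4 = PROT=HTTPS, PORT=51001, SSLCONFIG=ssl_config_4
icm/ssl_config_4 = VCLIENT=0, CRED=/usr/sap/SID/J00/sec/SAPSSLS.pse
icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, FOR= hostname1:51000, PROT=https, HOST=hostname1, PORT=51001
"""

def parse_profile(text):
    """Parse 'name = KEY=VAL, KEY=VAL' lines into {name: {KEY: VAL}}."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#") or "=" not in line:
            continue
        name, value = (s.strip() for s in line.split("=", 1))
        pairs = (kv.split("=", 1) for kv in value.split(",") if "=" in kv)
        params[name] = {k.strip().upper(): v.strip() for k, v in pairs}
    return params

def lint_icm(text):
    """Return findings about the HTTPS and redirect wiring of an ICM profile."""
    p = parse_profile(text)
    ports = [v for n, v in p.items() if re.fullmatch(r"icm/server_port_\d+", n)]
    def port_set(prot):
        return {v.get("PORT") for v in ports if v.get("PROT", "").upper() == prot}
    https, http = port_set("HTTPS"), port_set("HTTP")
    findings = [] if https else ["error: no PROT=HTTPS port defined"]
    for v in ports:
        prot, cfg = v.get("PROT", "").upper(), v.get("SSLCONFIG")
        if prot == "HTTPS" and cfg:
            ssl_cfg = p.get("icm/" + cfg)
            if ssl_cfg is None:
                findings.append(f"error: icm/{cfg} referenced but not defined")
            elif ssl_cfg.get("VCLIENT") == "0":  # 0 = no client certificate requested
                findings.append(f"info: icm/{cfg} does not request client certificates")
        if prot == "TELNET" and v.get("HOST") != "localhost":
            findings.append(f"warn: TELNET port {v.get('PORT')} not bound to localhost")
    for name, r in p.items():
        if not name.startswith("icm/HTTP/redirect_"):
            continue
        if r.get("PROT", "").lower() == "https" and r.get("PORT") not in https:
            findings.append(f"error: {name} targets port {r.get('PORT')}, not an HTTPS port")
        if "FOR" in r and r["FOR"].rsplit(":", 1)[-1] not in http:
            findings.append(f"warn: {name} FOR={r['FOR']} matches no HTTP port")
    return findings
```

Run `lint_icm()` on the text of the instance profile before restarting the ICM; an empty list or only `info:` entries means the HTTPS wiring is consistent.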

3

Create PSE certificate request for message server

As user unixacc:

cd /usr/sap/SID/SCS00/sec

setenv SECUDIR /usr/sap/SID/SCS00/sec

sapgenpse get_pse -p SAPSSLS.pse -a RSA -s 1024 "cn=<name as standard to the company>"

Do not enter a password

Create the response certificate file :

cd $SECUDIR

vi response_hostname1.cer

Copy into this file the certificate response for the request created in the above step, and also the Base-64 encoded X.509 certificate.

Import the certificate response file in the PSE :

sapgenpse import_own_cert -c response_hostname1.cer -p SAPSSLS.pse

4

Create PSE certificate request for dispatcher server

As user unixacc:

cd /usr/sap/SID/J00/sec

setenv SECUDIR /usr/sap/SID/J00/sec

sapgenpse get_pse -p SAPSSLS.pse -a RSA -s 1024 "cn=<name as standard to the company>"

Do not enter a password

Create the response certificate file :

cd $SECUDIR

vi response_hostname2.cer

Copy into this file the certificate response for the request created in the above step, and also the Base-64 encoded X.509 certificate.

Import the certificate response file in the PSE :

sapgenpse import_own_cert -c response_hostname2.cer -p SAPSSLS.pse

5

Export P12 certificate for J00 instance

As user unixacc:

setenv SECUDIR /usr/sap/SID/J00/sec

cd $SECUDIR

sapgenpse export_p12 -p SAPSSLS.pse $HOME/SSL_pki_SID_hostname2.p12

Enter the password when prompted.

6

Import the private key in NWA

1.      Log on to the NetWeaver Administrator: http://<hostname2>:<port>/NWA

2.      Navigate to: Configuration Management > System > Certificate and Keys.

3.      From the list of Keystore Views, select the ICM_SSL_<instance_ID>

              The contents of the selected keystore view appear.

4.      Navigate to Configuration → Certificates and Keys → click the Keystore View name (from the step above) → in the details of the view, choose "Import Entry".

Select Files of Type: PKCS#12 Key

Select the P12 file exported in the previous steps:

  1. Import SSL_pki_SID_hostname2.p12 and provide the password in order to import → Entry imported
  2. Navigate to Configuration → SSL → Edit → Give Port and Protocol for https → Save
  3. ICM Restart pop-up → Close

7

Restart ICM for activating SSL

As user unixacc:

cdpro

jsmon pf=SID_J00_hostname1

Restart ICM

8

Test SSL for application servers

In an Internet browser, call the URLs:

https://hostname1:9500/msgserver/

https://hostname1:50001/index.html

https://hostname2:50001/index.html

References

SAP Note 1770585: How to configure SSL on the AS Java (https://service.sap.com/notes)

http://help.sap.com/saphelp_nw73/helpdata/en/48/3d993fb08c72d1e10000000a42189c/content.htm?frameset=/en/48/45acaf43a64bb8e10000000a42189b/frameset.htm
