8/6/2019 SSL Configuration Draft1.0
http://slidepdf.com/reader/full/ssl-configuration-draft10 1/10
Purpose
The Secure Socket Layer [SSL] needs to be implemented on the J2EE engine to enable transport layer security when using HTTP.
Objective
By enabling SSL you can provide authentication of users, data integrity that protects against tampering during data transfer, and data privacy that prevents eavesdropping [hacking].
How to Configure SSL in SAP Java stack
Configuring the SSL on the J2EE engine consists of two main steps:
A. Generating the key pair on each server of the J2EE engine
B. Assigning the keys to a specific SSL port.
Following are the detailed steps involved in enabling the SSL on the J2EE engine.
1. Change the startup mode of the SSL provider and the key provider service.
2. Create the public and the private keys.
3. Create a certificate signing request.
4. Submit the certificate to the Certification Authority (CA).
5. Import the certificate request response into the KeyStore.
6. Assign the key pair to the SSL port.
7. Maintain the list of trusted certificates.
8. Test the SSL connection.
Procedure
1. Change the startup mode of the SSL provider and the key provider service.
SSL provider
Navigate to
\usr\sap\<SID>\<Instance>\J2EE\configtool\configtool.sh [UNIX]
<Drive>:usr\sap\<SID>\<Instance>\J2EE\configtool\configtool.bat [Windows]
and double-click.
In Configtool, make sure that for both the Global Dispatcher and the Global Server under Cluster data, the startup mode of SSL and KEYSTORE is set to “always”.
Navigate to Configtool -> Global Cluster Configuration -> Services -> ssl
Note: If the startup mode is set to “always”, the J2EE Engine must be restarted for the change to take effect.
2. Create the public and the private keys
The next step is to create a key pair for the J2EE engine. The key pair consists of a public and a private key.
Note: The private and public keys are provided during the default installation.
Public Key
The public key is distributed using an X.509 public key certificate. To view it:
Navigate to Visual Administrator -> Cluster -> <SID> -> Server <XXXX> -> Services -> Key Storage -> Choose View: “Default”
Note: In our PSS Service, do not recreate the public key; leave it as it is, nothing needs to be done with it.
Private Key
Private keys are located at:
Navigate to Visual Administrator -> Cluster -> <SID> -> Server <XXXX> -> Services -> Key Storage -> Choose View: “service_ssl”
Note: You can view two certificates, ssl-credentials and ssl-credentials-cert, which are provided during the initial installation. They are signed by a test CA and can be deleted, as they are provided by SAP for test purposes.
3. Create a certificate signing request
You have to create a new certificate that is to be signed by an actual productive CA when running the J2EE engine in production mode.
How to create new Private Key
Fill in all the entries provided in Subject properties, for example as shown below, and click on Generate.
The private key has now been generated. It needs to be bound to the Trusted Root Certification Authorities Store in order to get a valid certificate for accessing the portal through the https port; otherwise the portal will prompt a warning when the https URL is accessed.
To generate the Certificate Signing Request [CSR] to submit to the Trusted Root Certification Authorities Store [CA], click on Generate CSR Request.
Save the Certificate Signing Request [CSR] file to the file system with the extension .csr
Ex: PORTAL<SID>.csr
4. Submit the certificate to the Certification Authority (CA)
Open the PORTAL<SID>.csr file and copy its content, as shown in the screen below.
Note: Make sure that no extra spaces are added or removed while copying.
Navigate to the Online Certification Authorities portal to generate the secure certificate, i.e. to certify the generated Certificate Signing Request [CSR] file.
In this scenario we are using SAP security certificates.
Go to URL https://security.wdf.sap.corp -> Click on Online CA
OR
https://security.wdf.sap.corp/onlineCA/
Click on Certificate Request for SAPNet Servers
Paste the content of the generated Certificate Signing Request [CSR] file, select “certify the cert req” from the “Select cmd” drop-down, and click on the Submit button to get the response certificate.
Copy the response to a file and save it as Portal<SID>-SSL.cert under the location
\\hostname\<SID>\JC<nr>\j2ee\admin
OR
<Drive>\usr\sap\<SID>\JC<nr>\j2ee\admin
Note: Copy the text from “-----BEGIN NEW CERTIFICATE REQUEST-----” to “-----END NEW CERTIFICATE REQUEST-----” and make sure that no extra spaces are added or removed while copying.
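A check for the two copy-and-paste notes in step 4, as an added example that is not part of the original document: it confirms that a pasted block has the exact markers, no stray whitespace and a complete DER body. The function names are hypothetical and the sample block is constructed filler data, not a real request.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN NEW CERTIFICATE REQUEST-----"
END = "-----END NEW CERTIFICATE REQUEST-----"


def check_pasted_csr(text):
    """Return a list of problems in a pasted CSR block (empty list = intact)."""
    lines = text.strip("\r\n").splitlines()
    if len(lines) < 3:
        return ["block is too short to contain a request"]
    problems = []
    if lines[0] != BEGIN:
        problems.append("first line is not the exact BEGIN marker")
    if lines[-1] != END:
        problems.append("last line is not the exact END marker")
    body = lines[1:-1]
    for lineno, line in enumerate(body, start=2):
        if re.search(r"\s", line):
            problems.append(f"line {lineno}: whitespace inside the base64 body")
    joined = "".join(re.sub(r"\s", "", line) for line in body)
    try:
        der = base64.b64decode(joined, validate=True)
    except binascii.Error:
        return problems + ["body is not valid base64 (characters lost or added)"]
    # A PKCS#10 request is a single DER SEQUENCE: tag 0x30, then a length that
    # must cover exactly the rest of the data. A truncated paste fails here.
    if len(der) < 2 or der[0] != 0x30:
        return problems + ["decoded data does not start with a DER SEQUENCE"]
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long-form length
        count = der[1] & 0x7F
        header, length = 2 + count, int.from_bytes(der[2:2 + count], "big")
    if header + length != len(der):
        problems.append(f"DER length says {header + length} bytes, got {len(der)}")
    return problems


def make_sample():
    """Constructed stand-in for a CSR: a DER SEQUENCE around 300 filler bytes."""
    der = b"\x30\x82\x01\x2c" + bytes(range(256)) + bytes(44)
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *rows, END]) + "\n"
```

Run `check_pasted_csr()` on the text copied out of the .csr file before pasting it into the CA form; Windows line endings are accepted.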
5. Import the certificate request response into the Key Store
Import the Certificate Signing Request [CSR] response returned by the Online Certification Authorities, using Visual Administrator.
Navigate to Visual Administrator -> Choose Cluster (TAB) -> <SID> -> Server <X_XXXXX> (hostname.wdf.sap.corp) -> Services -> Key Store -> Runtime (TAB) -> views – service_ssl -> Click on Import CSR Response
6. Assign the key pair to the SSL port