Enabling SSL and Client Certificates on the SAP J2EE Engine

Angel Dichev RIG, SAP Labs

SAP AG

Learning Objectives

As a result of this session, you will be able to:

Understand the different SAP J2EE Engine SSL scenarios Use the Key Storage and the SSL Provider Services Configure SAP J2EE Engine for using SSL Configure the use of client certificates for authentication

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

SAP AG

SAP J2EE Engine - SSL Scenarios Key Storage and SSL Provider Services Enabling SSL on SAP J2EE Engine Client Certificates for Authentication

SAP AG

SSL Transport Layer Scenarios

SAP J2EE Engine as server component

HTTPS (SSL)
SAP Java Cryptographic Toolkit

SAP J2EE Engine as client component

SAP Java Cryptographic Toolkit

HTTPS (SSL)

WEB Proxy

Using an Intermediary Proxy Server

HTTPS (SSL)

HTTPS (SSL)

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

SSL is a quasi-standard protocol developed by Netscape. SSL can be used with the Web AS for securing application protocols: HTTP, P4, LDAP. SAP J2EE engine as client and using intermediary proxy server are not covered in this session.

WEB Server SAP Java Cryptographic Toolkit

SAP AG

SAP J2EE Engine SSL Scenarios Key Storage and SSL Provider Services Enabling SSL on SAP J2EE Engine Client Certificates for Authentication

SAP AG

SAP J2EE Security Services Overview

Security Provider Service Secure Storage Service User Storage Service

SAML Authentication Service

SecurityRelated Services

Virus Scan Provider

Key Storage Service

SSL Provider Service

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

Providing security for the applications that run on the J2EE Engine is an important aspect in the overall architecture of the SAP Web Application Server. You need to be able to identify the users that access the server and you need to protect access to individual resources. In addition, confidentiality is also important when dealing with sensitive information. The J2EE Engine services help to perform the various security-related administration tasks. For using SSL, the services Key Storage Service and SSL Provider Service are used.

SAP AG

Key Storage Service

Manages certificates and credentials used by SAP J2EE Engine Is an enabler to generate keys and certificates needed for encryption, identification, and verification. Compatible with the Java Cryptography Architecture (JCA) Keystore entries are stored in a distributed database with particular access rights on it

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

The Key Storage Service of the SAP J2EE Engine enables you to manage certificates and credentials on the server, e.g. for using SSL. The Key Storage Service enables you to generate keys and certificates. You can use them for encryption, identification, and verification. The Keystore entries are stored in a distributed database and can be assigned particular access rights. The service is compatible with the Java Cryptography Architecture. To take full advantage of the Key Storage service functionality that is provided by the Visual Administrator tool, a full version of the IAIK package must be used. IAIK package can be downloaded from the service marketplace.

SAP AG

Key Storage Service

Public-key certificates are to be stored in a keystore entry in the Key Storage Service You need to configure the Key Storage Service if you want to:
establish an SSL connection authenticate users via an X.509 client certificate use logon tickets for Single Sign-On

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

Public-key certificates are to be stored in a keystore entry in the Key Storage Service. These include the trusted CAs' certificate to use to verify the target server's server certificate and, if applicable, the user's X.509 client certificate to use for authentication. HTTP destinations can also use the Secure Sockets Layer (SSL) protocol to establish secure connections to the target server. The Destination service uses the secure connection factory to establish these connections. So if you either want to establish an SSL connection or authenticate users via X.509 client certificates you have to use and properly configure the Key Storage Service. The Key Storage Service and its proper configuration is also mandatory for using the Secure Storage service. The Key Storage Service is found in SAP J2EE Engine Administrator -> Cluster -> Services -> Key Storage The role KeystoreAdministrator is required for performing Key Storage Service maintenance on the SAP J2EE Engine.

SAP AG

SSL Provider Service

Uses the certificates created using Key Storage Service Maps SSL sockets and entry points to certain credentials. Manages the credentials and trusted certificates to use SSL

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

The SSL Provider Service offers the selection of the key pair that the server uses for SSL. If you are using client certificates for user authentication, then you also maintain the list of CAs who you trust as issuers of client certificates. The SSL Provider Service is able to manage Cipher Suites (e.g. SSL_RSA_WITH_RC4_128_SHA or SSL_RSA_WITH_DES_CBC_SHA), Credentials and Client Authentication. Managing Cipher Suites: If the client has the same cipher suites as the ones included in the SSL Provider, you can use it during the handshake phase. On the Cipher Suite tab you can add or remove such suites. Also you can set their priority, that is, you can define the order in which the cipher suites are used.

SAP AG

SAP J2EE Engine SSL Scenarios Key Storage and SSL Provider Services Enabling SSL on SAP J2EE Engine Client Certificates for Authentication

SAP AG

10

Configuring the SAP J2EE Engine to use SSL

Prerequisites for SSL Configuration:

download and deploy the SAP Cryptographic Toolkit download and apply the Java Unlimited Strength Jurisdiction Policy Files

Steps for configuring SSL:

1. Change startup-mode for SSL Provider Service; SSL Provider Service in running mode. 2. Create Servers Public/Private key pair 3. Generate Certificate Signing Request (CSR); Sign CSR from a Certification Authority (CA); Import Sighed Certificate 4. Bind the key pair to specific SSL Port

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

SAP AG

11

Prerequisite SAP Cryptographic Toolkit 1/3

Restrictions from SAP

The distribution of SAP cryptographic software is controlled by German export regulations Therefore SAP delivers per default only cryptographic functions for Digital Signatures For using SSL, the SAP Java Cryptographic Toolkit must be installed. It can be downloaded from the Service Marketplace if the customer meets certain legal requirements

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

SAP AG

12

Prerequisite SAP Cryptographic Toolkit 2/3

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

Prerequisites and step by step instruction to download the SAP Cryptographic Toolkit: You have authorized access to the SAP Service Marketplace with a SAP s-user ID. You have installed the SAP Download Manager in your system (For more information on downloading, installing, and configuring the SAP download manager, visit the Software Distribution Center (http://service.sap.com/download) in the SAP Service Marketplace). You have installed the SAP archiving tool SAPCAR (see SAP note 212876 for more information on downloading, installing, and configuring SAPCAR). Log on with your SAP s-user ID to http://service.sap.com/download and navigate to Download -> SAP Cryptographic Software. In the SAP Download Area, choose SAP JAVA Cryptographic Toolkit and download the file using the SAP Download Manager. Store the files in a temporary directory in your system, and unpack them using SAPCAR. After unpacking youll see 2

SAP AG

13

Prerequisite SAP Cryptographic Toolkit 3/3

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

Prerequisites and step by step instruction to deploy the SAP Cryptographic Toolkit: You have copied the files from the SAP JAVA Cryptographic Toolkit to your host and can now install and start the SAP Crypto Manager. After unpacking, use the Software Delivery Manager (SDM) to deploy the correspondent Cryptographic Toolkit to your server. You should have your Web AS and SDM server up and running. Start SDM client from <usr>/sap/<SID>/JC00/SDM/program/RemoteGui.bat Use your SDM client password for logging to the Remote SDM Gui. Navigate to Deployment Tab, Click on Add SCA/SDA to deployment list icon and navigate to SAP crypto sda file (tc_sec_java_crypto_signed_fs_lib.sda); Click Next, Next, Start Deployment; Restart Web AS You can verify that the correct library has been properly deployed and loaded under Dispatcher/Server Libraries core_lib in the Visual Administrator. The iaik_jce.jar should be included in the list of loaded jars and not iaik_jce_export.jar Result The SAP Java Cryptographic Toolkit replaces the export version of the toolkit on the J2EE dispatcher and server. You should periodically check for an updated version of this library on the SAP Service Marketplace, for example, when you install new support packages.
SAP AG

14

Prerequisite Java Cryptography Extension (JCE) 1/2

Restrictions from SUN

The Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files is a set of packages that provide a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. JCE was previously an optional package (extension) to the Java 2 SDK, Standard Edition (Java 2 SDK), versions 1.2.x and 1.3.x. JCE has now been integrated into the Java 2 SDK, v 1.4. Starting from J2SE 1.4 it is also necessary to install the JCE Unlimited Strength Jurisdiction Policy Files from Sun in order to use the strong cryptographic functions necessary for SSL.

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

Prerequisites and step by step instruction to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Sun Microsystems, Inc.: Due to import regulations in various countries, Sun Microsystems, Inc. differentiates between limited and unlimited strength cryptography in its J2SE 1.4.x packages by providing different strength policy files (limited and unlimited). Per default, the limited policy files are delivered with the J2SE packages. Therefore, to use the strong cryptography functions provided with the Secure Storage FS and SSL Provider services, you have to use the unlimited strength cryptographic functions. In this case, download and install the unlimited strength jurisdiction policy files from Sun Microsystems, Inc. Due to import control restrictions of some countries, the JCE jurisdiction policy files shipped with the Java 2 SDK, v 1.4 allow "strong" but limited cryptography to be used. An "unlimited strength" version of these files indicating no restrictions on cryptographic strengths is available for those living in eligible countries (which are most countries). You can download this version and replace the strong cryptography versions supplied with the Java 2 SDK, v 1.4 with the unlimited ones. The policy files are available from Sun Microsystems, Inc. at http://java.sun.com.

SAP AG

15

Prerequisite Java Cryptography Extension (JCE) 2/2

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

Prerequisites and step by step instruction to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Sun Microsystems, Inc.: Download the unlimited strength JCE policy files http://java.sun.com Uncompress and extract them to a temporary folder. Replace the strong policy files with the unlimited strength versions extracted in the previous step. The standard place for JCE jurisdiction policy JAR files is: <java-home>\lib\security for Win32 and <java-home>/lib/security for Solaris If you are using JRE you should replace the JCE jurisdiction policy JAR files under <Program Files>\Java\lib\security

SAP AG

16

1. Change startup-mode for SSL Provider service 1/2

Use the Config tool for changing the startup-mode of the SSL Provider Service

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

The default setting for the SSL Provider Service for the Server is automatic start. The default setting for the SSL Provider Service for the Dispatcher is a manual start. If you want to enable SSL on your J2EE engine you should configure the Service for automatic startup. Config Tool: Start the Config Tool: <usr>/sap/<SID>/JC<xx>/j2ee/configtool/ Navigate to Instance -> Dispatcher -> services -> ssl and change the Startup Mode of the SSL Service to always; Apply the changes; Restart node. The next time the J2EE Engine is started, the SSL Provider service will also be automatically started. The default setting for the Keystorage Service for both Dispatcher and Server nodes is automatic start. So you do not need to change it. Note: If for any reason the Keystorage service (Dispatcher and Server) and SSL Provider Service (Server) and not running, please proceed with the same steps. You should have both services Keystorage and SSL Provider always up and running on all Dispatcher and Server nodes you want to enable for SSL usage.

SAP AG

17

1. SSL Provider Service in running mode 2/2

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

This Window should appear after restarting the J2EE engine when the startup mode of the SSL Provider Service is changed to always, or just after starting the SSL Provider Service under the Dispatcher node. There are 3 active sockets 5<xx>01 is used for the HTTPS SSL 5<xx>03 is used for the IIOP SSL 5<xx>06 is used for P4 SSL

SAP AG

18

2. Creation of a Servers Public-Private Key Pair 1/2

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

To create the Public-Private-Key Pair go to Server view service_ssl

Services

Key Storage and click on the

The available views appear. Entries corresponding to the selected view appear in the Entries pane. An entry may be either a public-key certificate only or the complete key pair. The type of entry is shown in the information pane with the indicator PRIVATE KEY or CERTIFICATE along with the rest of the information pertaining to the entry. Press the button Create (under Entry) and proceed on the new opened Key and Certificate Generation window. (Next slide) Note: Per default, the SAP J2EE Engine uses the ssl-credentials entry for SSL, which contains a public-key certificate that has been signed by a test CA. Although this certificate can be used for testing purposes, a certificate that has been signed by a well-known, productive CA should be used when in production mode.

SAP AG

19

3. Creation of a Servers Public-Private Key Pair 2/2

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

To create the Public-Private-Key Pair go to Server view service_ssl

Services

Key Storage and click on the

Press the button Create (under Entry) and you will see the screen depicted on the Slide Fill out the subject properties. Important is the Common Name, which must be the fully qualified domain name which will be used in the HTTP-Requests (e.g. if your J2EE engine will be accessed via https://sapwas123.sap.corp:50001/.. then you must use sapwas123.sap.corp as the Common Name). Otherwise, certain Web browsers will produce a warning if the host name that users use to access the server does not match the host name found in the servers public-key certificate. You can add more properties after clicking on the empty field. The Entry Name is just a name for identifying the key pair in the key store. Specify Validity period; Select RSA as secure algorithm to use; Select 1024 as Key Length Choose Store Certificate, to generate a Certificate as well. Press Generate Note: During the Installation of the SAP J2EE Engine a private key and a certificate issued by a test CA for the Common Name localhost (entry names ssl_credentials and ssl_credentials_certificate) are created. These entries should be used only for testing purposes.

SAP AG

20

3. Generate, Sign, Import CSR

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

In the Key Storage Service, choose Runtime

Contents tab.

Select your entry, choose Generate CSR Request and save it to a file. Send the Certificate Signing Request to a CA to be signed. The exact procedure to use depends on the CA that you use. For the SAP CA, follow the instructions provided by the SAP Trust Center Service at http://service.sap.com/tcs Save the certificate request response to a file in the file system. Use the extension .crt (DERencoded or Base-64 encoded) or .cert (Base-64 encoded). Import the corresponding certificate request response. Choose Import CSR Response and load the response from the file system. To verify that the import was successful, select the entry. Now the certificate should contain the name of the CA as the issuer. Note: If you want to load the public-key certificate as a separate entry, then rename the file before loading. Otherwise, the SAP J2EE Engine will replace the existing PRIVATE KEY entry with a CERTIFICATE entry and the private key will be lost since it uses the file name as the alias when loading.
SAP AG

21

3. View after Import of the Certificate

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

SAP AG

22

4. Bind the key pair to specific SSL Port 1/2

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

In the next step you have to bind the key pair and certificate to a port. Go to the Server Service SSL Provider, select the appropriate dispatcher; the available sockets and their corresponding ports appear in the Configuration pane Select the socket that corresponds to the SSL port you want to configure; click on Server Identity tab and choose the Button Add. Then you see the potential entries in the key store which might be used. Choose the correspondent entry (available under the service_ssl view in the Keystorage). Press OK. If the server process is to accept the use of client certificates for authentication, then set this option in the Client Authentication tab page. (Described in the next chapter)

SAP AG

23

4. Bind the key pair to specific SSL Port 2/2

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

This is the final view. The J2EE Engine will use the specified key pair for SSL connections to the designated host and port.

SAP AG

24

Add or Remove Cipher Suites (optional)

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

If the client has the same cipher suites as the ones included in the SSL Provider, you can use it during the handshake phase. On the Cipher Suite tab you can add or remove such suites. Also you can set their priority, that is, you can define the order in which the cipher suites are used.

SAP AG

25

Testing the SSL Connection

Test the SSL connection with https://<servername>:<SSL port>

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

If a HTTP 403 error code appears the client does not support the required ciphers as chosen in the SSL Provider Service cipher suites (for example: SAP J2EE demands 128 bit RC4 but the Client only supports only 40 bit). If SSL is configured correctly, then the SAP J2EE Engines start page appears in your Web browser. Many Web browsers also display a lock in their footer. Select the lock with a double-click to view the servers certificate. You may receive a warning Security Alert in the following cases: The SSL server certificate has expired or is invalid. You do not trust the CA that issued the server its certificate. (The CAs root certificate is not contained in your Web browsers list of trusted CAs.) The host name contained in the servers Distinguished Name does not match the host name you used in the URL. (Like on the screenshot) If you do receive a warning, confirm it and continue. Nevertheless, SSL still works properly. However, we recommend correcting the problem that caused the warning. For example, if the CAs root certificate is not considered trusted, but you do trust this CA, then import the CAs root certificate into your Web browser. 26

SAP AG

SAP J2EE Engine SSL Scenarios Key Storage and SSL Provider Services Enabling SSL on SAP J2EE Engine Client Certificates for Authentication

SAP AG

27

Configuring the Use of Client Certificates

Prerequisite
The SAP J2EE Engine is enabled for SSL

Steps for Configuring the Use of Client Certificates

1. Set the UME property ume.logon.allow_cert to true. 2. Create client key pair and certificate; Generate, Sign, and Import CSR 3. Specify request for client certificate for specific SSL socket Managing Client Authentication 4. Map Client Certificate to UME User 5. Adjust the login module stacks for those applications that will be accepting client certificates 6. Export of the generated Private Key to file (password protected) 7. Import of the Private Key to the browser personal certificates.

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

SAP AG

28

1. ume.logon.allow_cert = true
Set the UME property ume.logon.allow_cert to true

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

Navigate to Server -> Services -> UME Provider Service Choose ume.logon.allow_cert property and change the value to true. Restart Web AS. Note: You can use ConfigTool for changing the property as well.

SAP AG

29

2. Create client key pair and certificate; handle CSR

Check Store Certificate

Create Client Certificate and Key-Pair under TrustedCAs View

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

To create the Public-Private-Key Pair go to Server view TrustedCAs Press the button Create (under Entry)

Services

Key Storage and click on the

Fill out the subject properties. You can add more properties after clicking on the empty field. Common Name suppose to be the name or ID of the user you are creating a key-pair of (In this case User1) The Entry Name is just a name for identifying the key pair in the key store. Specify Validity period; Select RSA as secure algorithm to use; Select 1024 as Key Length Choose Store Certificate check box. Press Generate Sign the generated client key pair by a CA, to do so proceed in the same way as for signing server certificate from CA Choose the client Private Key -> click on Generate CSR Request -> export the request to a file > Send the file to your CA -> Import the signed response to the Key Pair Note: You can also load a user public-key certificate, if the key is stored with either the extension .crt (DER encoded or Base-64 encoded) or .cert (Base 64 encoded).

SAP AG

30

4. Managing Client Authentication 1/2

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

Navigate to the SSL Provider Service Choose the Dispatcher Select the socket that you want to configure for client certificates Navigate to the Client Authentication tab Choose between the options: Do not request client certificate; Request client certificate; Require client certificate (See the next slide) Choose the certificate from the TrustedCAs. Note: SSL should already be activate, and the Root Server certificate installed under the Server Identity tab

SAP AG

31

4. Managing Client Authentication 2/2

Option
Do not request client certificate

Description
The system does not require the client to give a client certificate during the handshake, although the client can provide it. The server requests a certificate but the certificate is not required. If the client has a certificate it is sent with the request; otherwise, the system reverts to Basic Authentication. The server only accepts certificates that have been issued by a trusted CA. The server requests a certificate and the client must send one. Also, the certificate that the client sends must have been issued by a trusted CA.

Request client certificate

Require client certificate

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

SAP AG

32

4. Map Client Certificate to UME user 1/2

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

The generated Client certificate should be bound to UME user. In the Visual Administrator, choose Security Provider. Choose the User Management tab and navigate to the user you want to bind certificate. (Or just create new one in the desired user group - in this case User1 created with Administrator role under the Administrators group)

SAP AG

33

4. Map Client Certificate to UME user 2/2

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

The generated Client certificate should be bound to UME user. In the Visual Administrator, choose Security Provider. Choose the User Management tab and navigate to the user you want to bind certificate. (Or just create new one in the desired user group - in this case User1 created with Administrator role under the Administrators group) Press the pencil icon (for activating edit mode) Press the Add button under the Certificates section, a new window Add Certificates appear. Navigate to the TrustedCAs store, and choose the client certificate. Note: You can add more than one certificate with different privileges to one and same user.

SAP AG

34

5. Adjust the applications login module stacks 1/3

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

In the Visual Administrator, choose Security Provider. Choose the User Management tab and choose Policy Configurations. Navigate to the component you want to enable for accepting Client Certificates (In this case: the System Information application with Basic Authentication Login Module by default) Choose the Authentication tab Press the Pencil icon to activate edit mode. Click on Add New icon

SAP AG

35

5. Adjust the applications login module stacks 2/3

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

In the Visual Administrator, choose Security Provider. Choose the User Management tab and choose Policy Configurations. Navigate to the component you want to enable for accepting Client Certificates (In this case: the System Information application with Basic Authentication Login Module by default) Choose the Authentication tab Press the Pencil icon to activate edit mode. Click on Add New icon On the new opened window Available Login Modules choose the ClientCertLoginModule and click OK, The Client Certificate Login Module appear in the Component Login Modules. Choose the ClientCErtLoginModule and press Modify button. Specify the Login Module Position and the Flag Priority. Minimize the priority of the default login module BasicPassword You can also use the predefined Authentication Templates.

SAP AG

36

5. Adjust the applications login module stacks 3/3

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

Choose the Security roles tab and manage the users, roles, groups allowed to access this application. Programmatic secure roles, credentials may required. Note: In this case this is no need to maintain security roles as User1 belongs to the Administrator group.

SAP AG

37

6. Export of the generated Private Key to file

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

To export the Client Public-Private-Key Pair go to Server the view TrustedCAs

Services

Key Storage and click on

Navigate to the generated and signed from a CA private key pair -> Click Export -> choose PKCS#12 (p12) as cryptography standard -> specify password -> press OK The exported key, the password used to generate the key, and the public CA certificate used for signing the client certificate (if available) should be provided to the user in secure manner. Note: The server can export Private Key in Information Syntax Standard (PKCS) #8 and #12, please consider that different Web Browsers support different cryptography standards. PKCS #12 - Personal Information Exchange: specifies a portable format for storing or transporting a user's private keys, certificates, miscellaneous secrets, etc. (This format preserves the chain of certification authorities) PKCS #8 - describes a format for private key information. This information includes a private key for some public-key algorithm, and optionally a set of attributes. (Doesnt preserve the chain of CAs, youll need to provide all chained X.509 CAs certificates during export)

SAP AG

38

7. Import private key into browser 1/2

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

The described process is for MS Internet Explorer. Go to: Tools -> Internet Options -> Content -> Certificates -> Personal -> Import -> Navigate to the PKCS#12 file -> Provide the password (Specified during key export)

SAP AG

39

7. Import private key into browser 2/2 optional

(If provided) Install the trusted public certificate under the Trusted Root Certification Authorities store

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

To enable trust to this client certificate you can install the root certificate (if provided from your CA) used to sign the client certificate under the Trusted Root Certification Authorities store If the client certificate is self signed, just install it again in the trusted certificates store.

SAP AG

40

Objectives

You should now be able to:

Understand the different SAP J2EE Engine SSL scenarios Use the Key Storage and the SSL Provider Services Configure SAP J2EE Engine for using SSL Configure the use of client certificates for authentication

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

SAP AG

41

Information sources

http://service.sap.com/security http://sdn.sap.corp -> Web AS -> Security

SAP AG 2005, Enabling SSL on the SAP J2EE Engine

SAP AG

42