Configuration of the AS Java as an SSL server by adding a new access point using the NetWeaver Administrator's SSL configuration tool. Valid for NetWeaver AS Java 7.20 - 7.5.
As described in Configuring the Use of SSL on the AS Java, the AS Java can be configured for SSL manually, by configuring the ICM and the AS Java keystore separately, or with the SSL configuration tool, which simplifies the process considerably. The latter approach is illustrated here.
It is assumed that the SAP Cryptographic Library is already installed.
- Access the NetWeaver Administrator SSL configuration tool at http://<server:port>/ssl using an administrator user. If the SSL library and Ticket File are not found and displayed in the SAP Java Instance list, use the browse function to upload both from the file system location of the SAP Cryptographic Library, then check that the SSL Status is green (OK).
- Choose Add to add a new access point, enter the port number on which the AS Java will accept incoming SSL connections, and select the appropriate protocol. For the purposes of this document HTTPS is chosen. Leave the Client Authentication Mode at ‘Do Not Request’ for now; you can adjust it later when configuring X.509 client certificate authentication. It is sufficient to leave the Keystore View Name as the instance default unless you would like to use a different keystore view per port.
- When the access point is added, a key pair is created for that port; the private key is displayed in the Server Identity area and the public key certificate in the Trusted CAs area. The key pair is self-signed with localhost as the CN of the subject name, so it should be recreated with a CN matching the FQDN used to access the AS Java over SSL. Delete the existing ssl-credentials keystore entry and create a new one with the same name, entering the FQDN as the value for the CN in the subject properties.
- With the new key pair created and the private key displayed in the Server Identity area, generate a certificate signing request (CSR) and send it to the Certificate Authority of your choice.
- Import the CSR response and note in the Server Identity area that the Issuer Name of the ssl-credentials entry has changed to the DN of the signing Certificate Authority.
- Select the Trusted CAs tab and import the root certificate of the Certificate Authority. This is a very important step. Otherwise the view content will not be exported to the PSE on the file system, and the errors described in SAP Note 1834904 - PSE file not updated or created -> Required but missing endpoint CA certificate can occur.
- In order for the ssl-credentials to be used as the identity for the port of the SSL access point, press Save.
- When ICM has been restarted, test that you can access the AS Java using the FQDN specified as the value for the CN in the ssl-credentials subject name and the SSL port, for example by entering https://<FQDN>:50001 in the browser address bar.
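
The final test can also be scripted. The following is an added example, not part of the original page or of any SAP tooling: it checks the certificate served on the SSL port for the three conditions the steps above establish (no longer self-signed, CN no longer localhost, name matches the FQDN). The host name as-java.example.com, the CA name and both sample certificates are constructed for illustration.

```python
import socket
import ssl

# Constructed samples in the dict format returned by SSLSocket.getpeercert().
DEFAULT_CERT = {  # key pair as generated when the access point is added
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
}
SIGNED_CERT = {  # after the CSR response is imported (names are hypothetical)
    "subject": ((("commonName", "as-java.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "as-java.example.com"),),
}

def _flat(rdns):
    """Flatten the nested subject/issuer tuples into a dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def _matches(pattern, host):
    """Exact match, or a wildcard covering exactly one left-most label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def check_identity(cert, fqdn):
    """Return the problems found in the certificate served on the SSL port."""
    problems = []
    subject, issuer = _flat(cert.get("subject", ())), _flat(cert.get("issuer", ()))
    cn = subject.get("commonName", "").lower()
    if subject == issuer:
        problems.append("self-signed: issuer equals subject, CSR response not imported")
    if cn == "localhost":
        problems.append("CN is localhost: key pair was not recreated with the FQDN")
    sans = [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    names = sans or [cn]  # SAN takes precedence; otherwise compare the CN
    if not any(_matches(n, fqdn.lower()) for n in names):
        problems.append(f"{fqdn} does not match certificate names {names}")
    return problems

def fetch_cert(host, port, cafile=None):
    """Handshake with chain and hostname verification; raises on failure."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for label, cert in (("default", DEFAULT_CERT), ("signed", SIGNED_CERT)):
        print(label, check_identity(cert, "as-java.example.com") or "OK")
```

Against a live system, pass the result of fetch_cert("<FQDN>", 50001, cafile=<CA root certificate file>) to check_identity. An ssl.SSLCertVerificationError raised by fetch_cert means the client does not yet trust the chain or the name does not match.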