
Purpose

Secure Sockets Layer [SSL] must be enabled on the J2EE engine to provide
transport layer security when using HTTP.
Objective
Enabling SSL provides authentication of users, data integrity (protection
from tampering during data transfer) and data privacy (protection from
eavesdropping [hacking]).
How to Configure SSL in SAP Java stack
Configuring SSL on the J2EE engine consists of two main steps:
A. Generating the key pair on each server of the J2EE engine.
B. Assigning the keys to a specific SSL port.
The detailed steps for enabling SSL on the J2EE engine are as follows.
1. Change the startup mode of the SSL provider and the key provider service.
2. Create the public and the private keys.
3. Create a certificate signing request.
4. Submit the certificate to the Certification Authority (CA).
5. Import the certificate request response into the KeyStore.
6. Assign the key pair to the SSL port.
7. Maintain the list of trusted certificates.
8. Test the SSL connection.
Procedure
1. Change the startup mode of the SSL provider and the key provider service.
SSL provider
Navigate to
\usr\sap\<SID>\<Instance>\J2EE\configtool\configtool.sh [UNIX]
<Drive>:\usr\sap\<SID>\<Instance>\J2EE\configtool\configtool.bat [Windows]
and double-click it.
In Configtool, make sure that for both Cluster data -> Global Dispatcher and
Global Server the startup mode of SSL and KEYSTORE is set to “always”.

Navigate to Configtool -> Global Cluster Configuration Services -> ssl

Note: If you set the startup mode to “always”, restart the J2EE Engine for the
change to take effect.

2. Create the public and the private keys

The next step is to create a key pair for the J2EE engine. The key pair
consists of a public key and a private key.

Note: The private and public keys are provided during the default installation.

Public Key

The public key is distributed using an X.509 public key certificate. To view it:

Navigate to Visual Administrator -> Cluster -> <SID> -> Server <XXXX> -> Services
-> Key Storage -> Choose View: “Default”

Note: In our PSS Service, do not recreate the public key. Leave it as it is;
nothing needs to be done with it.

Private Key

Private keys are located at:

Navigate to Visual Administrator -> Cluster -> <SID> -> Server <XXXX> -> Services
-> Key Storage -> Choose View: “service_ssl”

Note: You can view two certificates, ssl-credentials and ssl-credentials-cert,
which are provided during the initial installation and are signed by a test CA.
They can be deleted, as SAP provides them for test purposes.

3. Create a certificate signing request

When running the J2EE engine in production mode, you have to create a new
certificate that is signed by an actual productive CA.

How to create a new private key

Fill in all the entries under Subject properties and click Generate.

The private key has now been generated. It needs to be bound to the Trusted
Root Certification Authorities Store in order to get a valid certificate for
accessing the portal through the https port; otherwise the portal will prompt
a warning when the https URL is accessed.
To generate a Certificate Signing Request [CSR] to submit to the Trusted Root
Certification Authorities Store [CA], click Generate CSR Request.

Save the Certificate Signing Request [CSR] to the file system with the
extension .csr
Ex: PORTAL<SID>.csr
4. Submit the certificate to the Certification Authority (CA)
Open the PORTAL<SID>.csr file and copy its content.

Note: Make sure that no extra spaces are added or removed while copying.

Navigate to the Online Certification Authorities portal to generate a secure
certificate, i.e. to certify the generated Certificate Signing Request [CSR]
file.
In this scenario we are using SAP security certificates.
Go to URL https://security.wdf.sap.corp -> Click on Online CA
OR
https://security.wdf.sap.corp/onlineCA/

Click on Certificate Request for SAPNet Servers.

Paste the content of the generated Certificate Signing Request [CSR] file,
select “certify the cert req” from the “Select cmd” drop-down and click the
Submit button to get the response certificate.
Copy the response to a file and save it as Portal<SID>-SSL.cert under the location
\\hostname\<SID>\JC<nr>\j2ee\admin OR
<Drive>\usr\sap\<SID>\JC<nr>\j2ee\admin

Note: Copy the text from
“-----BEGIN NEW CERTIFICATE REQUEST-----” to “-----END NEW
CERTIFICATE REQUEST-----”
and make sure that no extra spaces are added or removed while copying.
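
The copy-and-paste notes in step 4 can be checked mechanically before the request is submitted. The following is an added example, not part of the original document or of any SAP tool: it verifies that pasted CSR text still has intact BEGIN/END marker lines, a clean base64 body, and a decoded length that matches the outer DER header. The function names are hypothetical, the sample is constructed filler rather than a real request, and the check does not validate the request's signature.

```python
import base64
import binascii
import re

# Label taken from the page's note; the shorter form is also widely used.
CSR_LABELS = ("NEW CERTIFICATE REQUEST", "CERTIFICATE REQUEST")
ARMOR = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END ([A-Z ]+)-----", re.S)

def der_total_length(der):
    """Length that the outer DER SEQUENCE header claims, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_csr_text(text):
    """Return a list of problems in pasted CSR text; an empty list means OK."""
    match = ARMOR.fullmatch(text.replace("\r\n", "\n").strip())
    if not match:
        return ["BEGIN/END marker lines altered, or extra text around the block"]
    begin, body, end = match.groups()
    problems = []
    if begin != end or begin not in CSR_LABELS:
        problems.append("unexpected armor label")
    if re.search(r"[ \t]", body):
        problems.append("whitespace inside the base64 body")
    try:
        der = base64.b64decode(re.sub(r"\s", "", body), validate=True)
    except binascii.Error:
        return problems + ["body is not valid base64"]
    claimed = der_total_length(der)
    if claimed != len(der):                # truncated or padded while copying
        problems.append("DER length mismatch: header %s, decoded %d" % (claimed, len(der)))
    return problems

def sample_csr():
    """Constructed sample: a DER SEQUENCE of filler bytes, not a real request."""
    der = b"\x30\x81\xc8" + bytes(range(200))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + "\n".join(lines)
            + "\n-----END NEW CERTIFICATE REQUEST-----\n")
```

Call check_csr_text() on the content of PORTAL<SID>.csr as it was pasted; an empty list means the text survived the copy intact.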

5. Import the certificate request response into the Key Store

Using Visual Administrator, import the response to the Certificate Signing
Request [CSR] that was returned by the Online Certification Authorities.

Navigate to Visual Administrator -> Choose Cluster (TAB) -> <SID> -> Server
<X_XXXXX> (hostname.wdf.sap.corp) -> Services -> Key Store -> Runtime (TAB) ->
views – service_ssl -> Click on Import CSR Response
The certificate response generated by the Online Certification Authorities has
now been imported.
6. Assign the key pair to the SSL port
