Installation guide:
1/43
1. Overview
   Workflow Overview
1. Overview
This document provides detailed instructions for configuring the SAP J2EE Engine
6.20 for secure communication.
This chapter includes:
Workflow Overview
Getting the SAP J2EE Engine ready for secure communication requires more than
copying a few files. The following is a list of steps required to achieve this. This guide
will take you through all the steps listed below, and will refer you to supplemental
documentation when needed.
1. Decide on your system configuration: Are you just configuring the SAP J2EE
Engine for secure communication or do you use the J2EE Engine in combination
with another Web Server?
2. Download the required cryptographic software.
3. Configure the SAP J2EE Engine for secure communication.
4. Integrate the SAP J2EE Engine with another Web Server.
3. Configuring the SAP J2EE Engine for secure communication
<J2EE-dir>\admin\lib
<J2EE-dir>\alone\additional-lib
<J2EE-dir>\admin\lib
<J2EE-dir>\cluster\dispatcher\additional-lib
<J2EE-dir>\cluster\server\additional-lib
<J2EE-dir>\alone\additional-lib
<J2EE-dir>\cluster\server\additional-lib
For a cluster installation of the SAP J2EE Engine, change the Startup Mode
in both the cluster/dispatcher services keystore and cluster/server
services keystore service nodes.
4. Navigate to the ssl service(s) and set the Startup Mode from Manual to Always,
too.
5. From the File menu, click Apply to save your changes.
6. Close the SAP J2EE Engine Config tool.
7. Start the SAP J2EE Engine.
Change the Common Name to the fully qualified host name that you want
to use in communication with the J2EE Engine.
After changing the Common Name value, submit your editing with the TAB
key.
7. Choose a name for the certificate and enter it in the Key Alias field.
Result
You have created a self-signed certificate in your keystore.
You can now configure the ssl service to use this certificate for testing.
If you do not plan to have the certificate signed by a Certificate Authority, skip to
Configuring the ssl service on page 13.
3. In the pop-up window, enter a filename and choose PKCS#8 Private Key (*.p8)
from the Files of Type list. Click OK to save the private key.
Always enter file names with the appropriate extension; the J2EE Engine
Administrator does not add a default extension.
The default directory for storing and loading certificates and keys is the
<J2EE-dir>/admin directory.
After saving the private key file, you are asked to store the certificate. Click
Cancel to skip saving the certificate itself.
4. Click Generate CSR to create the Certificate Signing Request.
5. In the pop-up window, enter a filename and choose PKCS#8 Private Key (*.p8)
from the Files of Type list. Click OK to save the private key.
Result
The certificate signing request file is stored on your disk.
Send the certificate request file to a trusted certificate authority, e.g. Verisign. The
certificate authority will sign the certificate and return the signed server certificate.
Refer to Appendix A for additional information about the Microsoft CA on Windows
2000 Advanced Server.
Check that you have generated a private key file from your self-signed
certificate before proceeding.
2. Select the self-signed certificate from which you have generated the Certificate
Signing Request and click Delete.
You cannot load a certificate into an existing keystore entry. Therefore you
have to delete the self-signed certificate before loading the CA-signed one.
3. Click the Load button.
4. In the pop-up box, choose PKCS#8 Private Key (*.p8) from the Files of Type list
and select the private key file you've generated when creating the CSR file. Click
OK.
The pop-up box changes and asks for the first certificate of a certificate chain.
5. Select the signed certificate file you've received from the Certificate Authority and
click OK.
If your certificate file does not show up in the file list, choose All Files (*.*)
from the Files of Type list.
Choose Add in the Certificates tab and select your server certificate from the
pop-up list. Close the pop-up list with OK.
As a result you should see the same signed and generated certificate that we
imported into the server's keystore.
Tip: If you want this dialog to disappear in the future, double-click the
root certificate in the certificate chain, press the Install Certificate button and
follow the Internet Explorer Certificate Import Wizard to the end.
After the import you can open your Internet Explorer browser and select Tools >
Options from the menu bar. Then select the Content tab and press the Certificates
button.
Select the Trusted Root Certification Authorities tab and verify that the browser trusts
the CA certificate that we recently imported into the browser store.
Caution:
The SSL browser warning will pop up all the time if the Common Name (CN) of the
certificate does not match the URL machine name in the browser, e.g. the browser
wants to connect to https://myhost/dummy.html but the CN of the SAPJ2EE server
certificate is localhost (CN=localhost). Then the browser will prompt the warning
dialog again.
Press the Edit button to change the global configuration of the IIS server.
Select the ISAPI Filters tab and select the In-Q-My (or SAPJ2EE) filter item and
press the Remove button.
Select the scripts node inside the IIS snap-in and, after right-clicking the node, select
Properties from the popup menu.
Select the ISAPI extension (either the InQMyProxyExt.dll or the SAPJ2EE.dll) in the
App Mappings tab and press the Remove button.
Note: If you want to uninstall a previous version of the SAPJ2EE.dll, you can also
simply rename the old SAPJ2EE.dll and copy the new version of the DLL and
the INI file to the Inetpub\Scripts directory. After that you have to restart your IIS
server to apply the changes.
Press the Edit button to change the global configuration of the IIS server.
Click on the ISAPI Filters tab and add the SAPJ2EE ISAPI filter to the list of filters
by pressing the Add button. Then select the SAPJ2EE.DLL file on your hard drive
and choose any name for the filter with a high priority.
After setting up the filter we have to set up the ISAPI extension inside the Scripts
application of the IIS.
Select the scripts node inside the IIS snap-in and, after right-clicking the node, select
Properties from the popup menu.
After that press the Configuration button to add the extension to the list of
extensions for the IIS.
In the dialog Application Configuration click the Add button to add the extension.
Then select the SAPJ2EE.DLL file which you have copied before as the executable
and choose * as extension.
extension.url
The parameter extension.url allows you to redirect all requests for the ISAPI
module extension to any desired relative path from the IIS root directory.
e.g.:
extension.url = /scripts/SAPJ2EE.dll
All requests that the SAPJ2EE ISAPI filter redirects to the SAPJ2EE ISAPI
extension are sent to /scripts/SAPJ2EE.dll. That's the default location of the
ISAPI module.
url.mapping
This is the most important parameter in the INI file. It specifies the redirection
rules for the ISAPI filter. The request from the browser is first sent to the IIS. The
IIS subsequently calls all installed ISAPI filters to process the request. If the
request matches one redirect rule specified in the url.mapping parameter, the
SAPJ2EE ISAPI filter redirects the request to the SAPJ2EE ISAPI extension.
e.g.:
http: /test --> http://myServer:8100
The incoming http request to a path /test is forwarded to the SAPJ2EE engine
using this URL: http://myServer:8443/test
log.level
This flag controls the logging level of the filter and the extension. Log level 1 is
the lowest logging level, whereas log level 3 logs nearly all activities.
1 : logs the start-up phase of the ISAPI module and the INI file configuration.
2 : logs basic HTTP traffic information such as request and response and all
internal error messages.
3 : additionally, the complete HTTP data is written into an extra log.
The rest of the parameters are described in detail in the SAPJ2EE INI file.
Requirements
The SSL support requires the current release of the SAPCRYPTOLIB on the target
system.
download the library, you will automatically have the "SAP Cryptographic
Library" structure offered when you access the download site. Contact your
local subsidiary if you cannot access the library.
You must also adhere to any import regulations that may apply.
The SAP Cryptographic Library is available for download from the SAP Service
Marketplace at http://service.sap.com/crypto. You need to have a valid S-User
account that is allowed to download restricted and cryptographic software.
The upcoming chapters assume that you already installed a valid server certificate for
the SAPJ2EE engine as described in the previous chapters.
Important considerations
To establish an SSL connection between the ISAPI module and the SAPJ2EE engine,
the common name (CN) of the SAPJ2EE server certificate must match the host name
that you specify as the redirection address in the ISAPI filter INI file; otherwise the
SAP SSL API will not connect properly.
E.g.:
The content of the SAPJ2EE INI file looks like this:
url.mapping
The SSL connection between the ISAPI module and the SAPJ2EE server can only
be established if the common name (CN) of the previously created and installed
server certificate is myhost.test.com.
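The following Python script is an added example, not code from the SAP guide or from the ISAPI module: it models the url.mapping redirection described under the INI parameters above and the check from this section that the redirect host must equal the server certificate's CN. The rule syntax "prefix --> target", the segment-wise prefix matching and the constructed INI content are assumptions modelled on the guide's single example line; the certificate CN is supplied as a plain string rather than read from a certificate.

```python
"""Added example (not part of the SAP guide): model the ISAPI filter's
url.mapping redirection and the CN / host-name check the guide requires.

Assumptions (not taken from the guide):
- rule syntax "<path-prefix> --> <scheme>://<host>[:<port>]", modelled on
  the guide's single example line;
- the server certificate's Common Name is supplied as a plain string.
"""
from urllib.parse import urlsplit

# Constructed INI content using the parameter names from the guide.
SAMPLE_INI = """\
extension.url = /scripts/SAPJ2EE.dll
log.level = 2
url.mapping = /test --> https://myhost.test.com:8443
"""


def parse_ini(text):
    """Return {key: value}; blank, comment and '='-less lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def parse_mapping(rule):
    """Split 'prefix --> target' into (prefix, target); reject malformed rules."""
    if "-->" not in rule:
        raise ValueError("url.mapping must contain '-->'")
    prefix, _, target = rule.partition("-->")
    prefix, target = prefix.strip(), target.strip()
    if not prefix.startswith("/") or urlsplit(target).hostname is None:
        raise ValueError("bad url.mapping rule: %r" % rule)
    return prefix, target


def forward_target(rule, request_path):
    """Return the J2EE URL for request_path, or None if the rule does not match.

    Matching is on whole path segments (assumption): '/test' matches '/test'
    and '/test/x' but not '/testing'. The matched path is kept, as in the
    guide's example where /test is forwarded to <target>/test.
    """
    prefix, target = parse_mapping(rule)
    if request_path == prefix or request_path.startswith(prefix.rstrip("/") + "/"):
        return target.rstrip("/") + request_path
    return None


def cn_matches_redirect(rule, certificate_cn):
    """True when the redirect host equals the server certificate's CN.

    The guide requires an exact host-name match; wildcard certificates are
    not discussed there, so none are accepted here.
    """
    _, target = parse_mapping(rule)
    host = urlsplit(target).hostname
    return host is not None and host.lower() == certificate_cn.lower()


if __name__ == "__main__":
    rule = parse_ini(SAMPLE_INI)["url.mapping"]
    print(forward_target(rule, "/test"))                 # https://myhost.test.com:8443/test
    print(cn_matches_redirect(rule, "myhost.test.com"))  # True
    print(cn_matches_redirect(rule, "localhost"))        # False: the CN=localhost case
```

Run against a real INI file, `cn_matches_redirect` is the pre-flight check to perform before rebooting IIS: a `False` result is exactly the "CN does not match the host name" situation the guide warns about, both for the browser warning dialog and for the SAP SSL API refusing to connect.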
Create a folder C:\sec. (You can also choose any other folder location or name.)
Copy the files SAPGENPSE.exe, ticket and sapcrypto.dll into this directory.
Reboot your machine after adding the environment variable to your system
variables.
Export the generated SAPJ2EE test server certificate into a certificate file and
store it somewhere on your hard disk. To export a server certificate from the
SAPJ2EE engine you have to follow these steps:
o Open the SAPJ2EE Administrator application and login.
o Select the generated test certificate from the key store and click the Store
button. Choose the Base64 encoded file type and choose any name
and location for the certificate export files. Since SAPJ2EE engine 6.20 the
export generates three files: one key file and two certificate (CER) files,
which represent the certificate chain of the server certificate. If you choose
a self-signed certificate you will only get one CER file from the export
process. For certain SAPJ2EE installations the export creates files without
a file extension. In this case you have to add the file extension CER
manually.
o The CER file representing the CA root part of the server certificate should
be further used for an import into the client PSE file. Copy this CER file to
c:\sec\ca.cer. If you choose a self-signed certificate you need to copy this
CER file to c:\sec\ca.cer.
Then the client and server PSE files have to be created. The PSE files represent
the keystores for the ISAPI module. We have to create a client and a server
keystore for the ISAPI module. Therefore we have to open a DOS prompt at
C:\sec.
o First create the client PSE with the following command :
o After that create the server PSE file with the following command :
After creating the PSE files we have to initialise the PSE files for further usage.
o Initialise the client PSE by entering the following command :
Now we have to grant the LocalSystem NT user account access to the PSE files.
This step is required because the IIS server process runs in the LocalSystem
account.
After initialisation we have to import the server certificate's CA root part into the
client PSE file. This is achieved by entering the following command at the
command prompt. If you used self-signed certificates before, you have to apply the
same procedure.
o C:\sec\sapgenpse.exe maintain_pk -a ca.cer
If this command fails with an error message that the SAPSSLC.pse is not
found, copy the PSE files to the destination specified in the error message.
After that repeat the command. If the command executes properly, copy the
PSE back to C:\sec. Assuming that the file ca.cer is located in c:\sec, you
should see the imported certificate when you type C:\sec\sapgenpse.exe
maintain_pk -l -v at the command prompt. Make sure that the file ca.cer
only contains the CA root part of the server certificate.
Reboot your machine again to allow the IIS to read the PSE files during runtime.
To request a certificate select the Request a certificate radio button and press Next.
37/43
Choose the Submit a certificate request.. radio button and click Next.
38/43
Paste the content of the CSR file generated by the SAPJ2EE engine into the
appropriate text area field and press the Submit button.
39/43
Now you have to log in to the machine where the MS CA is installed and open the
MMC Certification Authority snap-in; you should see the following window.
40/43
Select the Pending Request node and right click the pending certificate that you
originally requested and issue the certificate.
Now the certificate is issued and can be downloaded from the CA's web site. Just
open your browser and browse to the web site of the MS CA again. You should see
the welcome screen again, but instead of requesting a certificate you check on a
pending certificate.
Select your request in the listbox and press the Next button.
If the certificate request is issued by the CA you should see the following browser
window.
Now you are able to download your signed SSL server certificate. You have to import
this certificate into the SAPJ2EE engine as described in the first chapters.