Configuring the Use of SSL on the AS Java the

AS Java by adding a new access point

Purpose
Configuration of the AS Java as an SSL server by adding a new access point using the Netweaver Adminstrators SSL
configuration tool. Valid for Netweaver AS Java 7.20 - 7.3x

Overview
As described in Configuring the Use of SSL on the AS Java the AS Java can be manually configured for SSL by
configuring the ICM and the AS Java keystore separately or alternatively the SSL configuration tool can be used, which
simplifies the process considerable. Here the latter approach is illustrated.

Configuration
Here its is assumed that the SAP Cryptographic Library is already installed.
1.

Access the Netweaver Administrator SSL configuration tool at http://<server:port>/ssl using an administrator
user. If the SSL library and Ticket File are not found and displayed in the SAP Java Instance list, use the browse
function to upload both the file system location of the SAP Cryptographic Library and check that the SSL Status is green
(OK).

2.

Choose Add to add a new access point and enter the port number on which the AS Java will accept the
incoming SSL connection and select the appropriate protocol. For the purposes of this document HTTPS is chosen. You
can adjust the Client Authentication Mode at a later time when configuring x.509 client certificate authentication, so
leave at Do Not Request for now and it is sufficient to leave the Keystore View Name as instance default unless you
would like to use a different keystore view per port.

3.

When the access point is added a keypair is created for that port and the private key is displayed in the Server
Identity area and the public key certificate in the Trusted CAs area. The keypair is self-signed with localhost as the CN
of the subject name so it should be recreated with a CN name matching the FQDN used to access the AS Java over
SSL. Delete the existing ssl-credentials keystore entry and create a new one with the same name entering the FQDN as
the value for the CN in the subject properties

4.

With the new keypair created and the private key displayed in the Server Identity area, generate a certificate
signing request and send it to the Certificate Authority of your
choice

5.

Import the CSR response and note in the Server Identity area that the Issuer Name of the ssl-credentials has
changed to the DN of the signing Certificate

Authority

6.

Select the Trusted CAs tab and import the root certificate of the Certificate Authority. This is a very important
step. Otherwise the view content will not be exported to the PSE on the file system and the errors described in SAP
note 1834904 - PSE file not updated or created -> Required but missing endpoint CA certificate can occur

7.

In order for the ssl-credentials to be used as the identity for the port of the SSL access point, press Save.

8.

When ICM has been restarted, test that you can access the AS Java using the FQDN specified as the value
for the CN in the ssl-credentials subject name and the SSL port, for example entering https://<FQDN>:50001 in the
browser address bar