CONTENTS     

Keystore Service

Keystore Service generates keys and certificates used for encrypting, identification, and verification. Keystore entries are stored in a distributed database and are assigned particular access rights. This service is compatible with Java Cryptography Architecture.

Visual Administrator

Runtime Control

Keystore Service runs on both dispatcher and server nodes of SAP J2EE Engine 6.20 cluster. It can be configured at runtime usign the “Runtime” tab of the Visual Administrator tool, only on server nodes. This tab is used to generate credentials: a private key stored as a key entry (which can be protected using Security Service) and a public key, for which a certificate is generated. The “Runtime” tab contains two sub-tabs, which are described below.

Keystore Admin Tab

This tab provides information about keystore entries. It has two panels: the first one lists the names of the keystore entries, the second provides information about a particular entry. This information includes private key and chain info for key entries, and certificate info for certificate entries.  

The “Keystore Admin” tab provides several options to manage keystore entries:

• Delete – deletes a keystore entry, identified by the specified alias
• Load – loads a key or certificate with a specified alias from a file, containing the private key
• Store – stores a key, chain, or both in a specified file. Default storage place is in ../admin .
• Write – saves a key, chain, or both in a specified file in ASCII format. The file created to save this data is located in ../admin directory; thus, you can view the contents of the generated keys and certificates.
• Backup – creates a backup file for the keystore
• Backdown – loads a keystore backup file. Automatic backdown is performed after the installation procedure, or appclear command execution for a keystore file – “ssl.cert”, containing ssl-credentials located in ../server/services/ssl/work .

In addition, you can generate Certificate Sending Requests (CSR) for keystore entries. Choose “Generate CSR,” which is activated when a keystore entry containing private key is selected.

Certificate Generation Tab

This tab manages generation of credentials by specifying input data in the following subtabs:

• Subject Properties – contains a table of fields that specify information about the subject of the certificate. This information is presented as key-value property pairs. The property keys are static
• Country Name (two-letter code)
• State/Province (full name)
• Locality Name (for example, city)
• Organization Name
• Organization Unit Name
• Common Name
• An empty field with drop-down menu for additional options, such as initials, street address, and title
  Property values can be modified in accordance with the subject’s data.
• Issuer Info – visualizes the input data of the issuer, derived from the keystore entry with alias CA (Certificate Authority) Key Alias

The “Certificate Generation” tab also provides the following fields for specifying the certificate data:

• Key Alias – a unique name for the newly generated key entry
• CA Key Alias – a drop-down menu is provided for choosing a CA key entry, which signs the certificate. If the field is empty, the subject signs the certificate personally – that is, the public key of the subject is placed in a certificate signed with his or her private key and with issuer input data.
• Valid from – specifies the date from which this certificate is valid
• Valid to – specifies the date to which this certificate is valid. By default, it is one year.
• Key Length – specifies the length of the key (to be generated). By default there are two values – 512 and 1024 bits.
• Algorithm – a drop-down menu with two options: RSA and DH, specifying the algorithm of the private key

The “Store Certificate” indicator enables you to store the generated certificate as a keystore entry with alias – alias name + “_cert” – for example, xxx_cert.

“Generate” generates the credentials.

Note: For details on how to generate and configure credentials, refer to Configuration Tasks -> Managing Security section in this manual.

Console Administrator

Keystore Service can be administered using the Shell commands from the KEYSTORE command group as well.

Note: For information on Keystore shell commands, refer to the Shell  Commands Reference section.

Property Files

../cluster/dispatcher/services/keystore/properties
This file does not contain any properties to be set by the system administrator.

../cluster/server/services/keystore/properties
This file does not contain any properties to be set by the system administrator.

Critical Information and Troubleshooting Tips

To start Keystore Service, you need to add IAIK packages to the available libraries. You can either obtain them from your SAP J2EE Engine provider, or download iaik_jsse.jar , iaik_ssl.jar , and iaik_jce.jar from http://jcewww.iaik.at/
download/evaluation/index.php . Copy the files into the following directories:

•   ../admin/lib/
• ../alone/additional-lib/
• ../cluster/dispatcher/additional-lib/
• ../cluster/all dispatchers/additional-lib/
• ../cluster/server/additional-lib/
• ../cluster/all servers/additional-lib/ ,

or in a location shown in the system path variable. Start Keystore and SSL Services on both dispatcher and server nodes. Keystore Service must be started first.