
SSL Service

SSL Service is developed in accordance with the Transport Layer Security (TLS) specification. It establishes a cryptographically secured connection between two parties and runs on both dispatcher and server nodes.

The configuration data of every SSL server socket consists of its credentials, cipher suites, trusted certificates, and an indication of whether client certificate authentication is required. These configurations are stored in the socketConfiguration.properties file located in <SAPj2eeEngine_install_dir>/cluster/dispatcher/services/ssl. At SSL Service startup the socket configurations are loaded from this file. If socketConfiguration.properties does not exist, SSL Service creates it automatically with default configurations.

The configurations are stored in the file in the following format:

The <number> part of cipher.<number> and trust.<number> is a consecutive index, because there are typically more than one cipher suite for each SSL server socket.

Example:

# the ':' in the socket key is escaped with a backslash, as in Java properties files
0.0.0.0\:443.cipher.0=SSL_DH_anon_WITH_DES_CBC_SHA
0.0.0.0\:443.cipher.1=SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
0.0.0.0\:443.cipher.2=PRIVATE_RSA_WITH_RC2_CBC_MD5
0.0.0.0\:443.trust.0=InQMyDemoCA_cert
factory.cipher.0=SSL_DH_anon_WITH_DES_CBC_SHA
factory.cipher.1=SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
factory.trust.0=ssl-credentials_cert

The <number> part of cert.<number> denotes the type of the certificate. The numbers correspond to the constants defined in the iaik.security.ssl.SSLContext class.

Example:

0.0.0.0\:443.cert.1=ssl-credentials
factory.cert.1=InQMyDemoCA

Visual Administrator

Runtime Control

SSL Service can be configured at runtime using the “Runtime” tab of the Visual Administrator tool. You can select a communication container from a list of available containers and configure the available credentials to be used by particular sockets. The following options are provided.

Configuration

The administrator can select a socket factory to be configured to use particular credentials:

Cipher Suites

This subtab provides a list of supported cipher suites. This list depends on the credentials enabled. Only suites that can use those credentials are shown as available. You can change the priority of particular cipher suites. Cipher suites can be added to, or removed from, the lists. To add the cipher suites that correspond to a particular SSL certificate, this certificate must first be enabled.

Certificates

This subtab provides a list of enabled SSL certificates. You can enable additional SSL certificates by choosing “Add.” It displays a list of available certificates that can be enabled. If the administrator selects a certificate of a type that has already been enabled, the previously enabled certificate is replaced. SSL certificates can also be disabled using “Remove.”

Note: Certificates can be generated using the “Runtime” tab of Keystore Service and added to the server keystore for further configuration. For information on how to create and import certificates into the server keystore, refer to the Keystore Service section in this document.

Trusted Certificates

The server specifies a set of trusted certificates for each SSL socket. These certificates are used for client authentication during the handshake. Every socket can be configured so that the server either requires or does not require certificate authentication when a client connects through this socket. If such authentication is not required, the client is not obliged to provide any certificate, and any certificate it does provide is accepted. The same applies when the server requires certificate authentication but no trusted certificates are specified for this socket. If certificate authentication is required and trusted certificates are specified for this socket, the server accepts an SSL connection only if the client provides a trusted certificate. A certificate is trusted if it is included in the set of trusted certificates for this socket or is signed by one of them. This subtab allows managing these certificates. Trusted certificate data is specified for each existing server socket and for new sockets.

To define a certificate as trusted, import the certificate into the keystore, set it as a Trusted Certificate, and set the “Require certificate authentication” indicator. For example, setting the SAP certificate as the only trusted certificate on port 443 allows only SAP users that connect via HTTPS and present their certificate signed by the SAP Trust Center to connect.

If the “Require certificate authentication” option is disabled, the socket does not require client authentication when a connection is established. If the option is enabled but no certificates are marked as trusted, all certificates provided by the client are treated as trusted.
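As an added illustration (not code from SAP's SSL Service), the following Python parses a socketConfiguration.properties fragment in the layout shown earlier into per-socket configurations and applies the client-authentication rule described above. The sample file content is constructed from the page's example; the “Require certificate authentication” flag is passed in separately because the page does not show how it is stored, and certificates are modelled by their keystore alias with an assumed issuer alias for the signing certificate.

```python
from dataclasses import dataclass, field
# Constructed sample in the page's layout ('<ip>:<port>' or 'factory' prefix);
# the ':' in the key is escaped as in Java properties files.
SAMPLE = r"""
0.0.0.0\:443.cipher.0=SSL_DH_anon_WITH_DES_CBC_SHA
0.0.0.0\:443.cipher.1=SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
0.0.0.0\:443.trust.0=InQMyDemoCA_cert
0.0.0.0\:443.cert.1=ssl-credentials
factory.cipher.0=SSL_DH_anon_WITH_DES_CBC_SHA
factory.trust.0=ssl-credentials_cert
factory.cert.1=InQMyDemoCA
"""

@dataclass
class SocketConfig:
    ciphers: list = field(default_factory=list)  # suites in cipher.<n> order
    trusted: set = field(default_factory=set)    # aliases of trusted certificates
    certs: dict = field(default_factory=dict)    # certificate type number -> alias

def parse_socket_config(text):
    """Group cipher.<n>, trust.<n> and cert.<n> entries by socket prefix."""
    sockets, suites = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        socket_id, kind, num = key.strip().replace(r"\:", ":").rsplit(".", 2)
        cfg = sockets.setdefault(socket_id, SocketConfig())
        if kind == "cipher":
            suites.setdefault(socket_id, []).append((int(num), value.strip()))
        elif kind == "trust":
            cfg.trusted.add(value.strip())
        elif kind == "cert":
            cfg.certs[int(num)] = value.strip()
    for socket_id, entries in suites.items():  # cipher priority follows the index
        sockets[socket_id].ciphers = [name for _, name in sorted(entries)]
    return sockets

def accepts_client(cfg, require_auth, client_cert=None, issuer=None):
    """Rule from the Trusted Certificates section; certificates are modelled by alias,
    'issuer' being the alias of the certificate that signed client_cert (assumption)."""
    if not require_auth:
        return True   # no certificate needed; any presented one is accepted
    if not cfg.trusted:
        return True   # required, but empty trust set: every certificate is accepted
    if client_cert is None:
        return False  # trust set present: the client must present a certificate
    return client_cert in cfg.trusted or issuer in cfg.trusted
```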

To manage certificates use the buttons of the subtab:

Properties

Server

Property Key                    Description                                                                 Default Value
ssl.backup.keystore.password    Specifies the backup keystore user password.
ssl.backup.keystore.filename    Specifies the name of the backup keystore file that contains certificates.  ./ssl.cert

Property Files

../cluster/dispatcher/services/ssl/properties
This file does not contain any properties to be set by the system administrator.

../cluster/server/services/ssl/properties
SSL Service properties listed in the Visual Administrator section can also be set from this property file.

Critical Information and Troubleshooting Tips

SAP J2EE Engine 6.20 is not distributed with the IAIK packages needed for SSL support. The iaik_jce.jar, iaik_jsse.jar and iaik_ssl.jar packages can either be obtained from the SAP J2EE Engine provider or downloaded at http://jcewww.iaik.at/download/evaluation/index.php . Copy the files into the following directories:

or into a directory listed in the CLASSPATH variable. Start the Keystore and SSL Services on both dispatcher and server nodes. Keystore Service must be started first.
