Creating the Server's Key Pair to Use for SSL
Use
To use SSL, the SAP J2EE Engine must possess a key pair, which consists of a public
key, which is distributed using an X.509 public-key certificate, and a corresponding
private key. Use the procedure below to create the key pair and public-key certificate on
the server.
For SSL, the server needs a key pair that is associated with the fully-qualified host name
that is used to access the server. If multiple hosts are accessed using the same
fully-qualified host name, then you only have to create one key pair and use it for all hosts.
For example, in a dual-stack system both the ABAP server and the J2EE Engine reside
on the same host and therefore use the same fully-qualified host name for access. In this
case, create the key pair on the ABAP server, export it, and then upload it on the J2EE
Engine.
For more information, see Exporting the SSL Key Pair from the ABAP System.
In addition, when creating a key pair to use for SSL, you must have the public key
certified by a Certificate Authority (CA). For this purpose, you will create a certificate
signing request (CSR), which you then send to the CA of your choice. The CA will send
you the corresponding signed public-key certificate in the form of a certificate request
response, which you then import into the keystore entry for which you created the
request.
Prerequisites
· The Key Storage service is running on the server.
· If you want to import an existing key pair, then this key pair must exist in the file
system as a PKCS#12 (Public-Key Cryptography Standard 12) file with the
extension .p12.
· The certificate request response that you receive from the CA must exist as a DER
(Distinguished Encoding Rules) or as a Base-64 encoded file.
Procedure
For each server process that is to support SSL:
1. Select the Key Storage service.
The available views appear. Entries corresponding to the selected view appear in
the Entries pane. An entry may be either a public-key certificate only or the
complete key pair. The type of entry is shown in the information pane with the
indicator PRIVATE KEY or CERTIFICATE along with the rest of the information
pertaining to the entry.
For more information about using the Key Storage service, see Key Storage
Service.
2. Select the service_ssl view.
Any available entries for the service_ssl view appear in the Entries pane.
By default, the SAP J2EE Engine uses the ssl-credentials entry for SSL, which contains
a public-key certificate that has been signed by a test CA. Although you can use this
certificate for testing purposes, we recommend using a certificate that has been signed
by a well-known, productive CA.
3. If no appropriate entry exists for using SSL, then create a new entry (choose Create)
or load an existing one from the file system (choose Load).
When creating an entry to use for SSL, the Key and Certificate Generation dialog
appears. Note the following:
● Specify the server’s fully-qualified host name as the Common Name part of the
Distinguished Name. Otherwise, certain Web browsers will produce a warning if the
host name that users use to access the server does not match the host name found in the
server’s public-key certificate.
● Select the Store certificate option to save the server’s public-key certificate separately
so that you can export it at a later time.
● Select RSA as the Algorithm to use.
4. If the corresponding certificate has not yet been signed by a CA, then:
a. Generate a certificate signing request. Select your entry, choose Generate CSR
Request and save it to a file.
b. Send the certificate signing request to a CA to be signed.
c. Save the certificate request response to a file in the file system. Use the
extension .crt (DER-encoded or Base-64 encoded) or .cert (Base-64 encoded).
d. Import the corresponding certificate request response. Choose Import CSR
Response and load the response from the file system.
For more information about managing keys and certificates in the Key Storage
service, see Managing Entries.
If you want to load the public-key certificate as a separate entry, then rename the file
before loading. The SAP J2EE Engine uses the file name as the alias when loading, so
otherwise it will replace the existing PRIVATE KEY entry with a CERTIFICATE entry and
the private key will be lost.
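The checks implied by the prerequisites and the warning above can be run before touching the keystore. The following is an added example, not SAP code: it classifies a certificate request response as DER or Base-64, checks the extension rule from step 4c, and flags a Load that would collide with a PRIVATE KEY entry. It assumes Base-64 files carry the usual BEGIN/END CERTIFICATE armor and that the alias is the file name with or without its extension; the function names and action labels are hypothetical.

```python
import base64
import binascii
import re
from pathlib import PurePath

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_sequence_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) of consistent length."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        return len(data) == 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")

def detect_encoding(data: bytes) -> str:
    """Classify a certificate request response: 'base64', 'der' or 'unknown'."""
    m = PEM_RE.search(data)
    if not m:
        return "der" if der_sequence_ok(data) else "unknown"
    try:
        body = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    except binascii.Error:
        return "unknown"
    return "base64" if der_sequence_ok(body) else "unknown"

def preflight(file_name: str, data: bytes, entries: dict, action: str) -> list:
    """Return the problems found; an empty list means no objection.

    entries: alias -> 'PRIVATE KEY' or 'CERTIFICATE', as in the Entries pane.
    action:  'import_csr_response' or 'load' (hypothetical labels).
    """
    problems = []
    name = PurePath(file_name).name
    ext = PurePath(name).suffix.lower()
    enc = detect_encoding(data)
    if enc == "unknown":
        problems.append("not a DER or Base-64 encoded certificate")
    if ext not in (".crt", ".cert"):
        problems.append(f"unexpected extension {ext!r}")
    elif ext == ".cert" and enc == "der":
        problems.append(".cert is for Base-64 files; use .crt for DER")
    if action == "load":
        # Assumption: the alias is the file name, with or without extension.
        for alias in (name, PurePath(name).stem):
            if entries.get(alias) == "PRIVATE KEY":
                problems.append(f"Load would replace PRIVATE KEY entry {alias!r}")
                break
    return problems

# Constructed sample: an empty DER SEQUENCE shell, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
ENTRIES = {"ssl-credentials": "PRIVATE KEY"}  # entry name taken from the page
```

Calling `preflight("ssl-credentials.crt", SAMPLE_DER, ENTRIES, "load")` reports the collision, while the same content under a renamed file returns an empty list.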
Creating a Key Pair and Public-Key Certificate
Procedure
1. Open the Key Storage service Runtime tab.
2. Select the view for which you want to create a key pair and certificate, and choose Create.
The Key and Certificate Generation dialog appears.
3. In Subject Properties, specify the following properties for the certificate:
a. Country Name – specify the country two-letter code.
b. State/Province – specify the full name of your state or province.
c. Locality Name – specify the city, for example.
d. Organization Name – specify the name of the organization.
e. Organization Unit Name – specify the organization unit name.
f. Common Name – specify the common name.
To specify information for additional options such as initials, street address or title, select the
last empty field by double-clicking on it. Modify the property values in accordance with the
subject’s data.
4. In the Entry Name field, specify a name for the certificate.
5. Specify the certificate validity period in the Valid From and Valid To fields.
Enter the values using the format mm/dd/yy hh:mm <AM,PM>.
6. Specify the certificate key length in Key length. You can choose 1024 or 512 bits,
or specify another value as appropriate.
7. Choose the certificate algorithm in Algorithm. You can choose RSA (Rivest, Shamir,
Adleman), DSA (Digital Signature Algorithm) or DH (Diffie-Hellman).
8. If you want to store the generated certificate in the key storage, choose Store Certificate.
9. If you want to specify a Certification Authority key, choose the Select CA Key button and
select it from the list.
10. Choose the Generate button.
