Configuring the SSL Certificate

Ensure the security of encrypted SSL communication between SAP Control Center and browser clients by installing an X.509 certificate.

When you start SAP Control Center for the first time, it generates a self-signed X.509 Secure Sockets Layer (SSL) certificate for the host that it is running on. Because self-signed certificates are not issued by a trusted certificate authority, most browsers show an error when they try to connect to SCC using the self-signed certificate.

To eliminate certificate errors, install a permanent SSL certificate from a certificate authority. SAP recommends that you install a certificate signed by a certificate authority before using SCC in your production network. Obtain a certificate for each machine on which an SCC server is installed.

The following is an overview of purchasing and installing an SSL certificate from a certificate authority. For full details, see http://docs.codehaus.org/display/JETTY/How+to+configure+SSL.

  1. To obtain an SSL certificate from a known certificate authority (such as VeriSign, Inc. or Thawte, Inc.), generate a certificate signing request (CSR) and send it to the certificate authority. Use one of these commands to generate the CSR:

    Windows:

    keytool -certreq -alias jetty -keystore %SYBASE%\SCC-3_3\services\EmbeddedWebContainer\keystore -file scc_jetty.csr

    or

    keytool -certreq -alias jetty -keystore C:\sap\SCC-3_3\services\EmbeddedWebContainer\keystore -file scc_jetty.csr

    UNIX:

    keytool -certreq -alias jetty -keystore $SYBASE/SCC-3_3/services/EmbeddedWebContainer/keystore -file scc_jetty.csr

    or

    keytool -certreq -alias jetty -keystore /opt/sap/SCC-3_3/services/EmbeddedWebContainer/keystore -file scc_jetty.csr

    Note: The keytool utility resides in the SAP JRE installation directory:

    Windows: %SAP_JRE7%\bin\keytool

    UNIX: $SAP_JRE7/bin/keytool

  2. Follow the instructions provided by the certificate authority to import the signed certificate into the SCC keystore and, if necessary, to install the certificate authority’s trusted certificate in the “truststore,” cacerts. Typically, the command to import the signed certificate is:

    Windows:

    keytool -keystore %SYBASE%\SCC-3_3\services\EmbeddedWebContainer\keystore -import -alias jetty -file scc_jetty.crt -trustcacerts

    or

    keytool -keystore C:\sap\SCC-3_3\services\EmbeddedWebContainer\keystore -import -alias jetty -file scc_jetty.crt -trustcacerts

    UNIX:

    keytool -keystore $SYBASE/SCC-3_3/services/EmbeddedWebContainer/keystore -import -alias jetty -file scc_jetty.crt -trustcacerts

    or

    keytool -keystore /opt/sap/SCC-3_3/services/EmbeddedWebContainer/keystore -import -alias jetty -file scc_jetty.crt -trustcacerts

    The initial keystore password is changeit.
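
A post-import check for step 2, as an added example that is not part of the SAP documentation: it reads the English output of keytool -list -v for the jetty alias and reports whether the entry is still self-signed, is CA-signed, or is no longer a private-key entry. The function name and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not SAP code. Classifies the "jetty" entry from the English
# output of `keytool -list -v -alias jetty -keystore <keystore>` read on stdin.
# Prints: ca-signed | self-signed | not-a-key-entry | unknown
classify_jetty_entry() {
    awk '
        /^Entry type:/        { type = $3 }
        /^Certificate\[/      { n++ }   # Certificate[1] is the server certificate
        n == 1 && /^Owner: /  { owner = substr($0, 8) }
        n == 1 && /^Issuer: / { issuer = substr($0, 9) }
        END {
            # A trustedCertEntry has no private key, so Jetty cannot serve it;
            # it appears when the reply is imported under an alias or keystore
            # other than the one that produced the CSR.
            if (type == "")                       print "unknown"
            else if (type != "PrivateKeyEntry")   print "not-a-key-entry"
            else if (owner == "" || issuer == "") print "unknown"
            else if (owner == issuer)             print "self-signed"
            else                                  print "ca-signed"
        }'
}

# Constructed sample listings (not captured from a real SCC host).
SELF_SIGNED_SAMPLE='Alias name: jetty
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=scc.example.com, O=Example Corp, C=US
Issuer: CN=scc.example.com, O=Example Corp, C=US'

CA_SIGNED_SAMPLE='Alias name: jetty
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=scc.example.com, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example CA, C=US
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example CA, C=US
Issuer: CN=Example Issuing CA, O=Example CA, C=US'

printf '%s\n' "$SELF_SIGNED_SAMPLE" | classify_jetty_entry
printf '%s\n' "$CA_SIGNED_SAMPLE" | classify_jetty_entry
```

To check the real keystore, pipe the output of keytool -list -v -alias jetty -keystore $SYBASE/SCC-3_3/services/EmbeddedWebContainer/keystore into classify_jetty_entry.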