Configuring SAP Mobile Server SSL Configuration

Configure the keystore, security profile, and authentication properties for SAP Mobile Server.

  1. Create the user certificate.
    1. Manually generate a .jks file (local keystore file).
    2. Generate a keypair with the fully qualified domain name of the SAP Mobile Server.
    3. Generate a certification request.
    4. Get the certificate request signed by the certification authority, SAPNetCA.
    5. Import the CA reply into the keypair.
    6. Export the keypair as a .p12 certificate.
  2. Configure the SAP Mobile Server keystore.
    1. Log on to SAP Control Center.
    2. Click Configuration in the left pane.
    3. Select General and SSL Configuration in the right pane.
    4. Click Key Store Configuration.
      The Key Store Properties window lists all certificates in the SAP Mobile Server keystore.
    5. Click Import to import the certificate to the SAP Mobile Server keystore.

      You can import two types of certificates: X.509 and PKCS #12.

      • An X.509 certificate does not have a private key, and is usually used as a trusted certificate.
      • A PKCS #12 certificate has a private key, and can be used as an identity.
  3. Configure a security profile.

    SAP Mobile Server has two default security profiles: default and default_mutual. The default profile is for one-way authentication; default_mutual is for two-way authentication. You can add a new security profile and use your own certificate.

    1. Log on to SAP Control Center.
    2. Click Configuration in the left pane.
    3. Select General and SSL Configuration in the right pane.
    4. Click <ADD NEW SECURITY PROFILE> in the table cell, then enter the security profile name.
      The existing profiles default and default_mutual already have the certificate aliases "sample1" and "sample2" respectively. These aliases are used by default. To override this behavior, you can choose an imported certificate (certificate alias) from the drop-down menu.
    5. In the Certificate Alias column, select the appropriate alias. This alias may be the one imported in the previous step.
    6. In the Mutual SSL column, select True for mutual SSL authentication.
  4. Enable mutual SSL authentication by registering the application HTTPS port (by default 8002) on SAP Mobile Server.
    1. Log on to SAP Control Center.
    2. Click Configuration in the left pane.
    3. Select Web Container in the right pane.
      SAP Mobile Server already has an HTTPS port, 8002, for mutual SSL authentication, but it is disabled.
    4. To enable the port, select it, click Properties, change Status to Enabled in the Port Properties window, and click OK.
    5. To create a new port, click New, then specify the Port, Status, Protocol, and Security profile in the Port Properties window. Leave the other properties at their default values, and click OK.
  5. Enable mutual SSL authentication for the data synchronization HTTPS port (by default 2482) on SAP Mobile Server.
    1. Log on to SAP Control Center.
    2. Click Configuration in the left pane.
    3. Select General and Components in the right pane.
    4. Check Replication in Configure system components.
    5. Click Properties.
    6. Check Mutual secure port, and set a value for it (the default value is 2482).
    7. Set the correct certificate and trust root.
  6. Add the CertificateValidationLoginModule for the security configuration to validate the RSOE user certificate.
    1. Select the Security node in the left pane, and select the security configuration you want to use for mutual SSL logins.
    2. Select the Authentication tab in the right pane.
    3. Click New in Configure authentication properties.
    4. In the Add Provider window, select com.sybase.security.core.CertificateValidationLoginModule as the Authentication provider.
    5. Add the property Validated Certificate Is Identity, then set it to True.
    6. Click OK.
  7. Add CertificateAuthenticationLoginModule to the security configuration for SAP Mobile Server.
  8. Remove the unused modules.
    1. Select the Authentication tab in the right pane.
    2. Check NoSecLoginModule, then click Delete.
    3. Select the Authorization tab in the right pane.
    4. Check NoSecAuthorizer, then click Delete.
    5. Select the Attribution tab in the right pane.
    6. Check NoSecAttributer, then click Delete.
  9. Select the General tab, then click Apply to save the security configuration change.
  10. Restart the SAP Mobile Server.
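
The substeps of step 1 can be carried out with the JDK keytool utility. The following is an added example, not part of the original SAP documentation; the host name, alias, file names, password, key algorithm and key size are assumptions. It ends with a check that the exported .p12 is an identity (it holds a private key) whose subject is the server FQDN, which is the distinction between PKCS #12 and X.509 imports noted in step 2.

```shell
#!/bin/sh
# Added example for step 1. Every value below is an assumption, not an SAP default.
FQDN="${FQDN:-sms01.example.com}"           # constructed server host name
ALIAS="${ALIAS:-smsidentity}"               # hypothetical certificate alias
KS="${KS:-sms.jks}"                         # local keystore file (step 1.1)
STOREPASS="${STOREPASS:-changeit-example}"  # placeholder; arguments are visible
                                            # in the process list on shared hosts

# Steps 1.1 and 1.2: create the .jks keystore with a key pair whose CN is the FQDN.
make_keypair() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
    -dname "CN=$FQDN" -validity 365 -keystore "$KS" -storetype JKS \
    -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 1.3: write the certification request to file $1 (sent to the CA in step 1.4).
make_csr() {
  keytool -certreq -alias "$ALIAS" -file "$1" \
    -keystore "$KS" -storepass "$STOREPASS"
}

# Step 1.5: trust the CA root ($1), then import the CA reply ($2) onto the key pair.
# keytool rejects a reply that does not chain to a trusted root or match the key.
import_reply() {
  keytool -importcert -noprompt -trustcacerts -alias caroot -file "$1" \
    -keystore "$KS" -storepass "$STOREPASS" &&
  keytool -importcert -noprompt -alias "$ALIAS" -file "$2" \
    -keystore "$KS" -storepass "$STOREPASS"
}

# Step 1.6: export only the identity entry as a PKCS #12 file ($1).
export_p12() {
  keytool -importkeystore -noprompt -srckeystore "$KS" -srcstoretype JKS \
    -srcstorepass "$STOREPASS" -srcalias "$ALIAS" \
    -destkeystore "$1" -deststoretype PKCS12 -deststorepass "$STOREPASS"
}

# Check before importing into SAP Control Center: the .p12 must contain a
# private key entry and its subject must be the server FQDN.
check_p12() {
  out=$(LC_ALL=C keytool -list -v -keystore "$1" -storetype PKCS12 \
        -storepass "$STOREPASS" -alias "$ALIAS") || return 1
  echo "$out" | grep -Fq 'Entry type: PrivateKeyEntry' &&
  echo "$out" | grep -Fq "Owner: CN=$FQDN"
}
```

Call the functions in order: make_keypair, make_csr req.csr, then (after the CA returns the signed reply) import_reply ca.cer reply.cer, export_p12 sms.p12 and check_p12 sms.p12.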