Configuring the SSL certificates

To set up the Rational® Connector on an Apache Tomcat Application Server, you must configure the SSL authentication.

About this task

You configure the server side and the client side of the SSL connection.

These steps are the high-level steps for configuring the server side of the SSL connection:
  1. Delete the default SSL key pair/certificate.
  2. Generate the public and private keys in the new server keystore to contain only those keys that are needed by the Tomcat server side for an SSL connection.
  3. Export the trust certificate that contains the public key from the new server keystore.
These steps are the high-level steps for configuring the client side of the SSL connection:
  1. Import the trust certificate from the ABAP server that contains the public key to the new client truststore.
  2. Configure the Tomcat server to point to this new client truststore.
Important: The following paths are used in the steps. If you need to, substitute the paths with the paths you use in your installation environment.
  • Server Root: c:\Program Files\IBM\SapConnector
  • Tomcat SSL certificate: c:\IBM Rational\client.crt
  • ABAP SSL certificate: c:\IBM Rational\ABAPclientSSL.crt

Procedure

Configure the server side of the SSL connection.

  1. Go to the directory where the keystore file is located.
    SAPCInstallDir\server\tomcat\

    Run the keytool commands from the SAPCInstallDir\server\tomcat\ directory.

  2. Delete the ibm-team certificate. Run this command:
    "c:\Program Files\IBM\SapConnector\server\jre\bin\keytool.exe" -delete -v -keystore "c:\Program Files\IBM\SapConnector\server\tomcat\ibmteam-ssl.keystore" -storepass ibm-team -alias ibm-team
  3. Generate a new certificate in the keystore.
    1. Run this command:
      "c:\Program Files\IBM\SapConnector\server\jre\bin\keytool.exe" -genkey -v -keystore "c:\Program Files\IBM\SapConnector\server\tomcat\ibmteam-ssl.keystore" -storepass ibm-team -keyalg RSA -alias ibm-team
      As the certificate generation process runs, you are prompted to enter information.
    2. The keytool program prompts you for your first and last name. You must enter the fully qualified domain name of the Tomcat server that you are deploying the connector to. For example, use vmw3319.wdf.sap.corp.
      Warning: The fully qualified host name of the server must match the name that you enter for the certificate. Otherwise, a security certificate error results when you connect. Depending on the browser that is used to connect, you might not be able to accept the certificate, and some content might be hidden.
    3. Use your company information to complete the remaining prompts. The other parts of the distinguished name do not matter, except for the country code, which must be a legal two letter code (for example, US or DE). For the key password prompt, press RETURN to use the same password as the keystore password.

      These values are for information purposes only.

      After you complete the prompts, the ibm-team-ssl.keystore file is changed so that it contains a self-signed certificate that is based on your company information.
  4. Export the certificate from the ibm-team-ssl.keystore file to a file. Type this command:
    "c:\Program Files\IBM\SapConnector\server\jre\bin\keytool.exe" -export -v -keystore "c:\Program Files\IBM\SapConnector\server\tomcat\ibmteam-ssl.keystore" -storepass ibm-team -alias ibm-team -file "c:\IBM Rational\client.crt" 

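A check for the host-name warning in step 3, as an added example that is not part of the original procedure: it parses the output of `keytool -list -v` for the ibm-team alias and reports when the certificate's CN differs from the server's fully qualified name or the country code is not two letters. The sample listing is constructed, English-locale keytool output is assumed, and the function names are hypothetical.

```python
import re

# Constructed sample of `keytool -list -v` output (illustrative values only).
SAMPLE = '''Alias name: ibm-team
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=vmw3319.wdf.sap.corp, OU=IT, O="Example, Inc.", L=Walldorf, ST=BW, C=DE
Issuer: CN=vmw3319.wdf.sap.corp, OU=IT, O="Example, Inc.", L=Walldorf, ST=BW, C=DE
'''

def split_dn(dn):
    """Split a distinguished name into attributes, ignoring quoted or escaped commas."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])      # escaped character: keep it literally
            i += 1
        elif ch == '"':
            quoted = not quoted        # quotes delimit a value and are dropped
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return dict(p.split("=", 1) for p in parts if "=" in p)

def owner_of(keytool_output):
    """Return the Owner attributes of the first certificate in the listing."""
    m = re.search(r"^Owner:\s*(.+)$", keytool_output, re.MULTILINE)
    if not m:
        raise ValueError("no Owner line found; was keytool run with -list -v?")
    return split_dn(m.group(1))

def check_owner(keytool_output, expected_fqdn):
    """Return a list of problems; an empty list means both checks passed."""
    owner, problems = owner_of(keytool_output), []
    cn = owner.get("CN", "")
    # Host names compare case-insensitively; a trailing dot is not significant.
    if cn.lower().rstrip(".") != expected_fqdn.lower().rstrip("."):
        problems.append(f"CN {cn!r} does not match server name {expected_fqdn!r}")
    if not re.fullmatch(r"[A-Za-z]{2}", owner.get("C", "")):
        problems.append(f"country code {owner.get('C')!r} is not two letters")
    return problems

if __name__ == "__main__":
    print(check_owner(SAMPLE, "vmw3319.wdf.sap.corp") or "owner fields look correct")
```
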
Configure the client side of the SSL connection:

  1. Import the ABAP trust certificate file into the new client truststore. Type this command:
    "c:\Program Files\IBM\SapConnector\server\jre\bin\keytool.exe" -import -v -keystore "c:\IBM Rational\sslclient.jks" -storepass changeit -alias ssl -file "c:\IBM Rational\ABAPclientSSL.crt"
  2. When prompted for a password, type changeit.
  3. When prompted for Trust this certificate, type Yes. A message displays indicating that the certificate was added to the keystore.
  4. Edit "c:\Program Files\IBM\SapConnector\server\tomcat\bin\catalina.bat"
    1. Locate the line that contains the text :execCmd
    2. Add the following code just after the located line.
      set CATALINA_OPTS="-Djavax.net.ssl.trustStore=c:\IBM Rational\sslclient.jks" "-Djavax.net.ssl.trustStorePassword=changeit"
    3. Save the file and close.

What to do next

Set up and deploy the connector web application from Apache Tomcat. See Starting Apache Tomcat.
