To set up the Rational® Connector
on an Apache Tomcat Application Server, you must configure the SSL
authentication.
About this task
You configure the server side and the client side of the
SSL connection.
These steps are the high-level steps for configuring
the server side of the SSL connection:
- Delete the default SSL key pair/certificate.
- Generate the public and private keys in the new server keystore
to contain only those keys that are needed by the Tomcat server side
for an SSL connection.
- Export the trust certificate that contains the public key from
the new server keystore.
These steps are the high-level steps for configuring the
client side of the SSL connection:
- Import the trust certificate from the ABAP server that contains
the public key to the new client truststore.
- Configure the Tomcat server to point to this new client truststore.
Important: The following paths are used in
the steps. If you need to, substitute the paths with the paths you
use in your installation environment.
- Server Root: c:\Program Files\IBM\SapConnector
- Tomcat SSL certificate: c:\IBM Rational\client.crt
- ABAP SSL certificate: c:\IBM Rational\ABAPclientSSL.crt
Procedure
Configure the server side of the SSL connection.
- Go to the directory where the keystore file is located.
SAPCInstallDir\server\tomcat\
Run
the keytool commands from the SAPCInstallDir\server\tomcat\ directory.
- Delete the ibm-team certificate. Run
this command:
"c:\Program Files\IBM\SapConnector\server\jre\bin\keytool.exe" -delete -v -keystore "c:\Program Files\IBM\SapConnector\server\tomcat\ibmteam-ssl.keystore" -storepass ibm-team -alias ibm-team
- Generate a new certificate in the keystore.
- Run this command:
"c:\Program Files\IBM\SapConnector\server\jre\bin\keytool.exe" -genkey -v -keystore "c:\Program Files\IBM\SapConnector\server\tomcat\ibmteam-ssl.keystore" -storepass ibm-team -keyalg RSA -alias ibm-team
As the certificate generation process runs, you are prompted
to enter information.
- The keytool program prompts you for your first and last
name. You must enter the fully qualified domain name of the Tomcat
server that you are deploying the connector to. For
example, use vmw3319.wdf.sap.corp.
Warning: The fully qualified host name of the server must match
the name that you enter for the certificate. Otherwise, a security
certificate error results when you connect. Depending on the browser
that is used to connect, you might not be able to accept the certificate,
and some content might be hidden.
- Use your company information to complete the remaining
prompts. The other parts of the distinguished name do not matter,
except for the country code, which must be a legal two letter code
(for example, US or DE). For the key password prompt, press RETURN to
use the same password as the keystore password.
These
values are for information purposes only.
After
you complete the prompts, the ibm-team-ssl.keystore file
is changed so that it contains a self-signed certificate that is based
on your company information.
- Export the certificate from the ibm-team-ssl.keystore file
to a file. Type this command:
"c:\Program Files\IBM\SapConnector\server\jre\bin\keytool.exe" -export -v -keystore "c:\Program Files\IBM\SapConnector\server\tomcat\ibmteam-ssl.keystore" -storepass ibm-team -alias ibm-team -file "c:\IBM Rational\client.crt"
Configure the client side of the SSL connection:
- Import the ABAP SSL certificate into the new client truststore. Type this
command:
"c:\Program Files\IBM\SapConnector\server\jre\bin\keytool.exe" -import -v -keystore "c:\IBM Rational\sslclient.jks" -storepass changeit -alias ssl -file "c:\IBM Rational\ABAPclientSSL.crt"
- When prompted for a password, type changeit.
- When prompted for Trust this certificate,
type Yes. A message is displayed
indicating that the certificate was added to the keystore.
- Edit "c:\Program Files\IBM\SapConnector\server\tomcat\bin\catalina.bat"
- Locate the line that contains the text :execCmd
- Add the following code just after the located line.
set CATALINA_OPTS="-Djavax.net.ssl.trustStore=c:\IBM Rational\sslclient.jks" "-Djavax.net.ssl.trustStorePassword=changeit"
- Save the file and close.
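To check the result of the procedure above, the following PowerShell script inspects the exported Tomcat certificate and the client truststore. It is an added example, not part of the product documentation; the function names are hypothetical, and the paths, alias, password and host name are the ones used on this page.

```powershell
# Added verification example. Paths, alias and password come from the steps above.
$keytool      = 'c:\Program Files\IBM\SapConnector\server\jre\bin\keytool.exe'
$serverCert   = 'c:\IBM Rational\client.crt'
$trustStore   = 'c:\IBM Rational\sslclient.jks'
$expectedHost = 'vmw3319.wdf.sap.corp'   # replace with your Tomcat server's FQDN

function Test-ExportedCertificate {
    param([string]$Path, [string]$HostName)
    # keytool -export writes DER unless -rfc is given; X509Certificate2 reads both.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $cn   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    [pscustomobject]@{
        CommonName    = $cn
        HostMatches   = ($cn -ieq $HostName)             # CN must equal the server FQDN
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        KeyBits       = $rsa.KeySize
        NotAfter      = $cert.NotAfter
        DaysRemaining = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Sha1          = $cert.Thumbprint                 # compare with keytool -list -v output
    }
}

function Test-TrustStoreAlias {
    param([string]$Store, [string]$StorePass, [string]$Alias)
    # keytool exits with a non-zero code when the alias is not in the keystore.
    & $keytool -list -keystore $Store -storepass $StorePass -alias $Alias | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$report = Test-ExportedCertificate -Path $serverCert -HostName $expectedHost
$report | Format-List

if (-not $report.HostMatches) {
    Write-Warning "Certificate CN '$($report.CommonName)' does not match '$expectedHost'."
}
# keytool -genkey issues a 90-day certificate when -validity is not given.
if ($report.DaysRemaining -lt 30) {
    Write-Warning "Certificate expires on $($report.NotAfter)."
}
if (-not (Test-TrustStoreAlias -Store $trustStore -StorePass 'changeit' -Alias 'ssl')) {
    Write-Warning "Alias 'ssl' was not found in $trustStore."
}
```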
What to do next
Set up and deploy the connector web application from Apache
Tomcat. See
Starting Apache Tomcat.