Configuring SSL Between the UME and an LDAP Directory

You can configure secure connections using the Secure Sockets Layer (SSL) protocol between the User Management Engine (UME) and an LDAP directory. When SSL is used, the data transferred between the two parties (client and server) is encrypted.
The user management service uses server authentication for the SSL connection between the LDAP directories and the UME. This means that the server (in this case, the LDAP directory) provides its identity to the client (in this case, the UME) using a certificate, but the client does not provide its identity to the server.
Once the secure connection is set up, the UME binds to the LDAP directory with the LDAP protocol using a user ID and password. This user ID and password, and all other data passed between the two parties, are encrypted.
Setting up SSL with client authentication, where the UME provides its identity to the LDAP directory using a certificate, is not supported.
· The following users must be stored in a data source other than the LDAP directory server that is accessed through SSL:
¡ Administrator user
¡ Guest user
¡ All service users
If you use one of the preconfigured data source configuration files for an LDAP data source, these are already configured to store the above users in the database, so no extra action is necessary.
The reason for this constraint is that in the J2EE Engine the UME service is started before the key storage service, but the key storage service is required to enable the SSL connection to the LDAP directory server. Therefore the SSL connection to the LDAP directory cannot be created at the time the UME service is started, and all users that are used to start the applications and services of the J2EE Engine must be stored in a data source other than the LDAP directory server that is accessed through SSL.
· The User Management Engine (UME) is set up to use an LDAP directory server as data source. For more information, see Configuring UME to Use an LDAP Server as Data Source. Keep in mind that the administrator, guest, and service users must be stored in a data source other than the LDAP directory.
· In the data source configuration file being used, the property ume.ldap.access.ssl_socket_factory is set to com.sap.security.core.server.https.SecureConnectionFactory.
· You have downloaded and installed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Sun Microsystems, Inc. These are available from Sun Microsystems, Inc. at java.sun.com. Use the search tool to find the files. After unzipping the files into a local directory, read the readme file for information on where to install the files.
· You have downloaded and deployed the full SAP Java Cryptographic Toolkit. For more information on how to do this, see Deploying the SAP Java Cryptographic Toolkit.
· You have generated a certificate for the LDAP directory server. This can either be a self-signed certificate or a certificate issued by a certification authority. Read the documentation of your directory server vendor for instructions on how to generate a certificate.

Make sure that the server name in the subject part of the server certificate matches the LDAP server name in the UME configuration. For more information, see SAP Note 736464.
· You have configured the directory server to support SSL. Again, read the directory server documentation for instructions.
1. In the Visual Administrator, import the root certificate of the LDAP directory server into the key storage service of the J2EE Engine. See Importing the Root Certificate of the LDAP Directory. This ensures that the J2EE Engine trusts the LDAP directory server.
2. Change the UME LDAP configuration to use an SSL connection to the directory server. See Changing the UME LDAP Configuration.
3. Test the connection to the LDAP directory.
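The two configuration points that most often break this setup are the ones named above: the data source property ume.ldap.access.ssl_socket_factory must name com.sap.security.core.server.https.SecureConnectionFactory, and the server name in the LDAP server certificate must match the LDAP server name in the UME configuration (the hostname check behind SAP Note 736464). The following offline pre-flight check is an added example, not SAP code or part of the Visual Administrator procedure. It assumes the UME LDAP settings are available as key=value properties; the property names ume.ldap.access.server_name, ume.ldap.access.server_port and ume.ldap.access.ssl are standard UME LDAP properties but are not mentioned on this page, and the certificate names are constructed sample data rather than parsed from a real certificate. The name matching goes beyond the page by applying the usual SAN-before-CN and single-label-wildcard rules.

```python
"""Offline consistency check for a UME -> LDAP-over-SSL configuration.

Added example (not SAP's code). Checks the page's two requirements:
  * ume.ldap.access.ssl_socket_factory names the SecureConnectionFactory class
  * the server certificate's name matches the configured LDAP server name
Property names other than ssl_socket_factory, the key=value layout and the
certificate data are assumptions / constructed sample input.
"""
from dataclasses import dataclass, field

REQUIRED_FACTORY = "com.sap.security.core.server.https.SecureConnectionFactory"

# Constructed sample: UME LDAP settings in key=value form (assumed layout).
SAMPLE_PROPERTIES = """
# ldaps listener of the corporate directory (sample values)
ume.ldap.access.server_name=ldap.example.corp
ume.ldap.access.server_port=636
ume.ldap.access.ssl=true
ume.ldap.access.ssl_socket_factory=com.sap.security.core.server.https.SecureConnectionFactory
"""


@dataclass
class CertIdentity:
    """Names carried by a server certificate (constructed, not read from a real cert)."""
    subject_cn: str
    san_dns: list = field(default_factory=list)   # dNSName entries of the SAN extension


def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def hostname_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive; a wildcard is allowed only
    as the complete left-most label and never matches across a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # "*.example.corp" -> ".example.corp"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]           # the label the '*' stands for
    return left != "" and "." not in left


def cert_matches_server(cert, server_name):
    """Use dNSName SANs when present; fall back to the subject CN only without SANs."""
    names = cert.san_dns or [cert.subject_cn]
    return any(hostname_matches(n, server_name) for n in names)


def check_ume_ldaps(props, cert):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    if props.get("ume.ldap.access.ssl", "false").lower() != "true":
        findings.append("ume.ldap.access.ssl is not true: the bind would travel as plaintext LDAP")
    factory = props.get("ume.ldap.access.ssl_socket_factory")
    if factory != REQUIRED_FACTORY:
        findings.append(f"ume.ldap.access.ssl_socket_factory is {factory!r}, expected {REQUIRED_FACTORY}")
    server = props.get("ume.ldap.access.server_name", "")
    if not server:
        findings.append("ume.ldap.access.server_name is missing")
    elif not cert_matches_server(cert, server):
        names = cert.san_dns or [cert.subject_cn]
        findings.append(f"certificate names {names} do not match configured server name {server!r}")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    # Constructed certificate whose only SAN is a wildcard one label too short.
    cert = CertIdentity(subject_cn="ldap.example.corp", san_dns=["*.corp"])
    for finding in check_ume_ldaps(props, cert) or ["configuration consistent"]:
        print(finding)
```

Run the check before step 3 above: an empty result means the socket factory property and the certificate name are consistent with the configured server, so a failed connection test is more likely a trust-chain problem (step 1) than a naming problem. The wildcard case in the sample illustrates the trap described in the note: a certificate for *.corp does not cover ldap.example.corp, and because a SAN is present the matching CN is never consulted.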
