Creating Certificate for Restful Interfaces

Use

An SSL/TLS certificate must be installed on the server before HTTPS can be used. Restful Interfaces needs:

  • A server-type certificate, that is, one whose Enhanced Key Usage contains Server Authentication (OID 1.3.6.1.5.5.7.3.1).

    For Java applications, the KeyUsage extension (digital signature and key encipherment) must also be defined in the request.

  • A keystore. You can use either the Windows keystore or a Java keystore; select the type in the virtual unit installation, see Restful Interfaces (RI) Variables. If Java keystore is selected, you must also generate the Java keystore.

    Note:

    As of 1702, the Windows keystore is supported on Microsoft Windows Server 2012 and later versions only.

Procedure

  1. Generate a certificate request for server authentication (use OID=1.3.6.1.5.5.7.3.1 in the request).

    To enable secured communication between ECF Web Server and RI, add the IP addresses of both the ECF VU and the RI VU to the request extensions of both the ECF and the RI certificates. For example, as a certreq INF file:

    [NewRequest]
    Subject = "CN=<common name>,O=<organization>,OU=<organizational unit>,L=<location/city>,S=<state/province>,C=<country>"
    Exportable = TRUE
    KeySpec = 1
    KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE"
    KeyLength = 2048
    MachineKeySet = TRUE
    HashAlgorithm = sha256
    [EnhancedKeyUsageExtension]
    OID = 1.3.6.1.5.5.7.3.1
    [Extensions]
    2.5.29.17 = "{text}"
    _continue_ = "DNS=[Fully Qualified Domain Name (FQDN)]&"
    _continue_ = "ipaddress=[IP address of ECF VU]&"
    _continue_ = "ipaddress=[IP address of RI VU]&"
    

    RI always uses the IP address of ECF Web Server when sending HTTP requests, and it also identifies itself by IP address. The IP addresses are fetched from the database virtual units. This means that both the ECF and the RI certificates must carry those IP addresses as Subject Alternative Names (SANs): the peer is addressed by IP literal, so a certificate whose SAN holds only a host name fails validation. SANs can also contain the DNS name, but it is not used by the RI-ECF communication.

  2. Submit the request to your certificate authority and acquire the issued certificate.

  3. Receive and install the certificate. If you have selected Windows Personal Certificate Store as the Keystore Type, place the certificate in the personal certificate store of the HAC service user. NOTE: Windows Personal Certificate Store works only on Windows Server 2012 or newer.

    To enable secured communication between ECF Web Server and RI, import the received certificate into the truststore (cacerts) of the JRE that RI uses, with a command of the following type, adjusted to your file structure. The import adds the certificate as a trusted-certificate entry only (no private key). changeit is the JRE's default truststore password, and cacerts lives inside the JRE installation directory, so a JRE upgrade that installs into a new directory comes with a fresh cacerts and the import must be repeated.

    REM Point JAVA_HOME at the JRE that RI uses; the import adds a trusted-certificate entry to that JRE's cacerts
    SET JAVA_HOME=C:\Program Files (x86)\Java\jre1.8.0_112
    "%JAVA_HOME%\bin\keytool" -import -alias SAP_CCtr -file [certificate file name] -keystore "%JAVA_HOME%\lib\security\cacerts" -storepass changeit -noprompt
  4. Verify the certificate: check that it chains to a trusted root, that its SAN contains the IP addresses of both the ECF VU and the RI VU, that its Enhanced Key Usage contains Server Authentication (1.3.6.1.5.5.7.3.1) and, for Java, that its KeyUsage contains digital signature and key encipherment.

  5. If you have selected Java Keystore as the Keystore Type, you must also generate the Java keystore.
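Steps 1 to 4 as one PowerShell script, run on the RI virtual unit. This is an added example, not part of the product documentation or of the RI installer. The FQDN, IP addresses, subject fields, CA configuration string and JRE path are assumptions to replace with your own values, and the script assumes an Active Directory Certificate Services CA that certreq -submit can reach. It writes the INF from step 1, enrols, then checks the issued certificate for exactly the properties required above (both IP addresses in the SAN, the Server Authentication EKU, the two KeyUsage bits Java needs, a bound private key in the machine Personal store where MachineKeySet = TRUE places it, and a chain to a trusted root) before importing it into the JRE truststore.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example, not from the product documentation: request, enrol, install, verify
# and trust an RI server certificate with the Windows certreq/certutil tools.
# Every name, address, path and the CA config string below is an assumption.
$ErrorActionPreference = 'Stop'

$Fqdn     = 'ri01.example.test'                          # assumed FQDN of the RI VU
$EcfIp    = '10.0.0.11'                                  # assumed IP address of the ECF VU
$RiIp     = '10.0.0.12'                                  # assumed IP address of the RI VU
$CaConfig = 'ca01.example.test\Example-CA'               # assumed "<CA host>\<CA name>" for certreq -submit
$JavaHome = 'C:\Program Files (x86)\Java\jre1.8.0_112'   # assumed JRE used by RI
$Work     = Join-Path $env:TEMP 'ri-cert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Step 1: request with the server-auth EKU, the KeyUsage bits Java needs, and a SAN
# carrying the DNS name plus both IP addresses (subject fields are assumed values).
@"
[NewRequest]
Subject = "CN=$Fqdn,O=Example Org,OU=Contact Center,L=Helsinki,S=Uusimaa,C=FI"
Exportable = TRUE
KeySpec = 1
KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyLength = 2048
MachineKeySet = TRUE
HashAlgorithm = sha256
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=$Fqdn&"
_continue_ = "ipaddress=$EcfIp&"
_continue_ = "ipaddress=$RiIp&"
"@ | Set-Content -Path "$Work\ri.inf" -Encoding ASCII
certreq -new "$Work\ri.inf" "$Work\ri.req"

# Step 2: submit the request to the enterprise CA and fetch the issued certificate.
certreq -submit -config $CaConfig "$Work\ri.req" "$Work\ri.cer"

# Step 3: bind the issued certificate to the private key created in step 1; with
# MachineKeySet = TRUE it lands in the machine Personal store (Cert:\LocalMachine\My).
certreq -accept "$Work\ri.cer"

# Step 4: verify SAN, EKU, KeyUsage, private-key binding and chain before deploying.
$cert    = [X509Certificate2]::new("$Work\ri.cer")
$san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '' }     # e.g. "DNS Name=..., IP Address=..."
$eku     = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
$ekuOids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
$ku      = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
$kuFlags = if ($ku) { $ku.KeyUsages } else { [X509KeyUsageFlags]::None }

$checks = [ordered]@{
    'SAN contains ECF VU IP'        = [bool]($sanText -match [regex]::Escape($EcfIp))
    'SAN contains RI VU IP'         = [bool]($sanText -match [regex]::Escape($RiIp))
    'EKU contains serverAuth'       = $ekuOids -contains '1.3.6.1.5.5.7.3.1'
    'KeyUsage has digitalSignature' = ($kuFlags -band [X509KeyUsageFlags]::DigitalSignature) -ne 0
    'KeyUsage has keyEncipherment'  = ($kuFlags -band [X509KeyUsageFlags]::KeyEncipherment) -ne 0
    'Installed with private key'    = [bool](Get-ChildItem Cert:\LocalMachine\My |
                                        Where-Object { $_.Thumbprint -eq $cert.Thumbprint -and $_.HasPrivateKey })
}
certutil -verify "$Work\ri.cer" | Out-Null                   # builds and validates the chain
$checks['Chains to a trusted root'] = ($LASTEXITCODE -eq 0)

foreach ($c in $checks.GetEnumerator()) {
    '{0,-30} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
}
if (@($checks.Values) -contains $false) {
    throw 'Certificate does not meet the RI requirements; do not deploy it.'
}

# Trust the certificate from Java, as the keytool command in step 3 does: this adds a
# trusted-certificate entry (no private key) to the JRE truststore. A JRE upgrade
# installs a fresh cacerts, so repeat this import after upgrading Java.
& "$JavaHome\bin\keytool" -importcert -alias SAP_CCtr -file "$Work\ri.cer" `
    -keystore "$JavaHome\lib\security\cacerts" -storepass changeit -noprompt
if ($LASTEXITCODE -ne 0) { throw 'keytool import failed' }
```

Run it in an elevated PowerShell session, because certreq -accept with MachineKeySet = TRUE writes to the machine store and keytool writes to a file under the Java installation directory. The script stops at the first MISSING check rather than importing a certificate that RI cannot use.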