Help with understanding SSL on Netweaver 7.1 and the relevant key stores.

I am having a great difficulty in understanding how SAP manages and uses SSL certificates in Netweaver 7.1. More specifically, what the difference is between System, Server, and Client.

As I can see, there are three PSE key stores I see within STRUST.

1. SSL System PSE

2. SSL Server PSE

3. SSL Client PSE

The System PSE I believe is installed by default and enables the systems to communicate between each other, such as Application Servers and the Central Instance.

The Server PSE is the where I store the certificate I generated and had signed by a CA (certificate authority). It contains a root and intermediate certificate and both have been imported back into the Server PSE store. When partners connect to me and I agree to accept server only authentication, it is this cert that identifies my server as a trusted server the partner. Do I need to add the partneru2019s u201Crootu201D or u201Cintermediateu201D certs to my Server PSE in order to allow SSL login?

The Client PSE is where I store partneru2019s client certificates that I allow to login via u201Cclientu201D authentication. Without their key installed in this store, they will not be allowed to login via SSL.

When I wish to make connections to partners, I will take my Server key from the Server PSE, export the key, and send it to the partner so they can import it in their key store.

Does the above sounds right? Any clarification would be greatly appreciated.

Thanks,

Mike.

P.S. I also have questions about how and if certificates are synchronized from the ABAP stack (STRUST) to the JAVA stack (Netweaver Administrator), as keys can be stored in either direction. If not, does where you store the certificate depend if it is an ABAP or JAVA type connection?