Protecting the Application Server's Keys

Each AS ABAP server owns a public and private key pair to use for digitally signing. The private key is contained in the system PSE (personal security environment) (filename SAPSYS.pse; in Release 4.5, filename SAPSECU.pse), which is located in the subdirectory sec of the directory specified by the profile parameter DIR-INSTANCE. Only the user running the application server process (for example, <sid>adm) is allowed to access the files in the sec directory.

If you have reasons to believe that the application server's private key has been compromised, you should create a back-up or the system PSE and delete it using the trust manager (transaction STRUST). During the next start-up, the application server will generate a new PSE with a new key pair.

The public-key certificate that corresponds to the server's generated key pair is a self-signed (signed with the application server's private key) public-key certificate. As an alternative, you can use certificates that have been signed by a Certification Authority (CA). To verify the certificates, note the following:

• Self-Signed Certificates

  If you use self-signed certificates (for example, the application server signs its own certificate, as with archive requests using the SAP ArchiveLink Content Server HTTP interface 4.5), then the receiver of the certificate should explicitly validate it before accepting it for the first time.

• CA-Signed Certificates

  If you use certificates that have been signed by a CA and the receiver of the certificates trusts the issuing CA, then the system can automatically verify the certificate. The automated verification process depends on the external security product that you use and can also require many preconditions. For more information, see the documentation provided by the product vendor.