Defining a Certificate for Content Server Access

Use

To ensure that every SAP system has its own certificate (system-specific certificate), a Personal Security Environment (PSE) must be created on every SAP system when it is installed. You do this in the Trust Manager (transaction STRUST, see also the documentation Trust Manager).

As a rule, the SAP system PSE is used to create and verify signed URLs in the SAP system. From SAP Web Application Server release 6.10, you can also use your own PSE.

Two cases must be distinguished here:

  • If the SAP system is functioning as a client and is using an external content server as a repository, then once you create your own PSE, URLs are signed with your PSE and no longer with the system PSE. In this case, only the private and public keys are relevant; the certificate list is irrelevant.

  • If the SAP system is functioning as a content server and is using HTTP via SAP Web Application Server, the PSE then also has the effect that all public keys needed for checking signatures are stored in the certificate list.

However, the check itself takes place in Content Server Administration (see also HTTP Access for Repositories on SAP Web Application Server), in transaction CSADMIN on the Certificates tab page.

Procedure

Take the following steps to use a PSE of your own for creating and verifying signed URLs in your SAP system:

  1. Call transaction STRUST.

    You branch to the Trust Manager.

  2. Choose Applications.

  3. Choose New Entries.

  4. Use F4 Help to select HTTP Content Server and confirm this by choosing Enter.

    Additional fields for application-specific Secure Store & Forward (SSF) parameters and standard values for empty fields are grayed out.

  5. Make the following entries:

    1. Enter SAPSECULIB in the Sec. Product field.

    2. Select International Standard PKCS#7 as SSF Format.

    3. Enter SAPHTTPCS.pse in the Priv. Add. Book field.

    4. Enter SAPHTTPCS.pse in the SSF Profile Name field.

    5. Enter CN=<Common name>,OU=<Organization Unit>,O=<Organization>,C=<Country> in the SSF Profile ID field.

      Example: CN=BCECS,OU=DEV,O=SAP-AG,C=DE

    6. Select the Distribute PSE option.

  6. Save your entries.

  7. Call transaction STRUST again.

  8. Select the entry HTTP Content Server.

  9. In the context menu, choose Replace.

  10. Confirm the prompts that follow.

  11. In the Replace PSE window, confirm your entries with .
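
The following check is an added example, not part of the original SAP documentation. It validates a planned SSF Profile ID against the format given in step 5 and reports IDs that are reused across systems, since each system is meant to have its own certificate. The function names and the inventory are illustrative, and the code assumes that values contain no escaped commas and that names are compared case-insensitively.

```python
import re
from collections import defaultdict

# Attribute order the page gives for the SSF Profile ID field.
EXPECTED_ORDER = ["CN", "OU", "O", "C"]

def parse_profile_id(profile_id):
    """Split 'CN=..,OU=..,O=..,C=..' into ordered (attribute, value) pairs.
    Assumption: values contain no escaped commas."""
    pairs = []
    for part in profile_id.split(","):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def check_profile_id(profile_id):
    """Return a list of problems; an empty list means the value fits the format."""
    pairs = parse_profile_id(profile_id)
    problems = []
    if [attr for attr, _ in pairs] != EXPECTED_ORDER:
        problems.append("attributes must be CN, OU, O, C in that order")
    for attr, value in pairs:
        if not value:
            problems.append(f"{attr} is empty")
        elif "<" in value or ">" in value:
            problems.append(f"{attr} still contains a template placeholder")
    country = dict(pairs).get("C", "")
    if country and not re.fullmatch(r"[A-Za-z]{2}", country):
        problems.append("C must be a two-letter country code")
    return problems

def shared_profile_ids(inventory):
    """Map each profile ID used by more than one system to those systems.
    Assumption: IDs are compared case-insensitively, ignoring spaces after commas."""
    seen = defaultdict(list)
    for system, profile_id in inventory.items():
        key = ",".join(f"{a}={v.upper()}" for a, v in parse_profile_id(profile_id))
        seen[key].append(system)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

# Constructed inventory: system IDs and values are illustrative, not from the page,
# apart from the page's own example CN=BCECS,OU=DEV,O=SAP-AG,C=DE.
INVENTORY = {
    "DEV": "CN=BCECS,OU=DEV,O=SAP-AG,C=DE",
    "QAS": "CN=bcecs, OU=DEV, O=SAP-AG, C=DE",
    "PRD": "CN=<Common name>,OU=PRD,O=SAP-AG,C=DE",
}
```
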

Example

The HTTP Content Server PSE links to a system-specific PSE. This means that you can specify that you no longer want to use a specific certificate. In this case, you have to open Content Server Administration and delete the certificate in all repositories. You also have to delete it from the certificate list.