Depending on the server type (AS ABAP or AS Java) and the security product used, the keys to use for the security functions are stored differently. The tool to use for key maintenance also depends on these factors. See the example and table below.
Example
On the AS ABAP, when using the SAP Cryptographic Library for SSL or SNC, each key pair is stored in a file called a Personal Security Environment (PSE). To maintain the PSEs, use the trust manager (transaction STRUST).
For SSL on the AS Java, the key pairs are stored in keystore entries in keystore views. To maintain the keys, use the Key Storage service.
For SSL on the SAP Web Dispatcher, the keys are also stored in PSEs. To maintain the keys, you can either use the trust manager on an AS ABAP and export the PSEs, or you can use the command line tool sapgenpse.
For SNC partner products, the storage location and maintenance tools depend on the product being used.
See the table below.
| Server Component | Security Mechanism | Security Product | Key Storage Location | Maintenance Tool |
|---|---|---|---|---|
| AS ABAP | SSL | SAP Cryptographic Library | As server component: SSL server PSE; as client component: SSL client PSE | Trust manager |
| AS ABAP | SNC | SAP Cryptographic Library | SNC PSE | Trust manager |
| AS ABAP | SNC | Partner product | Product-specific | Product-specific |
| AS Java | SSL | SAP Java Cryptographic Toolkit | As server component: Keystore view service_ssl, entry ssl-credentials; as client component: connection-specific view and entry | Key Storage service |
| AS Java | SNC | SAP Cryptographic Library | SNC PSE | sapgenpse |
| SAP Web Dispatcher | SSL | SAP Cryptographic Library | As server component: SSL server PSE; as client component: SSL client PSE | sapgenpse (or trust manager) |
The information stored in the corresponding PSE or keystore view includes:
- The server's public and private key pair to use for the various security functions (signing, verifying signatures, encrypting, or decrypting messages).
- The certificate list, which is the list of trusted communication partners.
Note
The server's public key can be exported from the PSE or keystore view; however, the private key is not accessible.
Each PSE or keystore view stores the keys and certificate list to use for a particular connection type. For example, the SSL server PSE on the AS ABAP contains the key pair and certificate list to use for SSL connections where the AS ABAP is the server component for the connection. The SSL client PSE is used for SSL connections where the AS ABAP is the client component for the connection. On the AS Java, the service_ssl keystore view contains an entry called ssl-credentials where the keys to use for incoming SSL connections are stored. For outgoing connections, you must set up corresponding keystore views and entries. For SNC, the SNC PSE is used for incoming and outgoing connections on both the AS Java and the AS ABAP.