Show TOC

Procedure documentationMaintaining SAP HANA Trust Stores Locate this document in the navigation structure


The SAP HANA trust store contains the root certificate authority (CA) that is used to sign the trusted certificates required for SSO authentication.


To maintain the trust stores for SAP HANA and the SAP Web Dispatcher, you need the following libraries and utilities, which you can download from the SAP Service Marketplace (SMP):

  • The SAP encryption library

  • The SAP trust store generation utility sapgenpse

Note Note

The SAP Web Dispatcher referred to here is internal to SAP HANA XS and not the SAP Web Dispatcher included in the SAP Fiori / SAP Smart Business system landscape.

End of the note.


  1. Install the SAP HANA encryption library.

    Put the encryption library in the following location on your SAP HANA server: /usr/sap/<SAPHANAInstance>/SYS/global/security/lib2.

  2. Install the SAP HANA trust store utility.

    Put the trust store utility sapgenpse in the following location on your SAP HANA server: /usr/sap/<SAPHANAInstance>/SYS/global/security/lib3.

  3. Create the trust store files.

    You need to set up several trust stores, for example, for SAP HANA and for the SAP Web Dispatcher.

    1. Set up the SAP HANA trust store sapsrv.pse.

      ./sapgenpse gen_pse -p /usr/sap/<SAPHANAInstance>/HBD<InstNo>/<Hostname>/sec/sapsrv.pse

      Note Note

      Do not define a personal identification number (PIN) for the trust store (press ENTER twice when prompted for the PIN). For the Distinguished name of PSE owner type CN=<yourhostname>, where <yourhostname> is the host name of the SAP HANA server.

      End of the note.
    2. Set up the SAP Web Dispatcher trust store SAPSSL.pse.

      ./sapgenpse gen_pse -p /usr/sap/<SAPHANAInstance>/HBD<InstNo>/<Hostname>/sec/SAPSSL.pse

    3. Set up the trust store sapcli.pse.

      ./sapgenpse gen_pse -p /usr/sap/<SAPHANAInstance>/HBD<InstNo>/<Hostname>/sec/sapcli.pse

  4. Have the trust store (.pse files) signed by a CA.

    All the trust stores you create in this step are self-signed. In a productive environment, you must have the trust store files signed by a CA.