Note the following when using the SAPSSLA.pse, SAPSSLC.pse, and SAPSSLS.pse keystores.
There must be an SAPSSLS.pse keystore in the directory that you have defined using the SECUDIR environment variable. This is because SAPCYPTOLIB (sapcrypto.dll (Windows) or libsapcrypto.<ext> (UNIX)) is only initialized if there is a keystore in the form SAPSSLS.pse. Therefore, check existing keystores before creating and configuring new keystores, and check whether a keystore in the form SAPSLLS.pse already exists.
SAPCRYPTOLIB accesses existing keystores in the following sequence:
1. SAPSSLA.pse → 2. SAPSSLC.pse → 3. SAPSSLS.pse
If these keystores exist, you have to import your certificates to the keystores in the following order:
This sequence is only valid for anonymous client authentication such as that configured between the portal Web server and the TREX preprocessor.
For the keystore, write the part of the name that appears before the period in capitals (for example, SAPSSL.pse) and use lowercase for the file extension (for example, SAPSSL.pse).
After you have created a keystore, you have to initialize it for use. The server must have active credentials at runtime. To produce active credentials, you must use the configuration tool's seclogin command to open the server's keystore. It is also very important to create the credential for the user who runs the server's process. For example, for a TREX server, the user is typically <sapsid>adm (UNIX) or SAPService<SAPSID> (Windows).
The credentials are located in the cred_v2 file in the directory specified in the SECUDIR environment variable. Make sure that only the user under which the TREX service runs has access to this file (including read access).
On Windows, you must also give the <SAPSID>adm operating system user that was created during the TREX installation access permission to the keystores; otherwise it cannot access the files. You do this by entering the following:
When you installed TREX you created a separate user for each TREX instance. This user has access to all files and directories that belong to the TREX instance in question. The specification <instance_number> must match the number that you specified when you installed the TREX instance.
Command | Function |
---|---|
seclogin |
Function of SAPGENPSE that you use to initialize a new keystore for use. |
-p SAPSSLS.pse or SAPSNCS.pse |
Specify the file name of the keystore that you want to initialize. |
-O SAPService<SAPSID> or <SAPSID>adm |
You use this command to give the user SAPService <SAPSID> or <SAPSID>adm access to the keystore. The SAPService<SAPSID> operating system user was created during the TREX installation. |
When the certificate that you have stored in a keystore expires, you can use SAPGENPSE to extend it again.
You do this by entering the following:
sapgenpse gen_pse -onlyreq -p sapSSLS.pse -r certreq_pse.txt
Command | Function |
---|---|
gen_pse |
SAPGENPSE function that allows you to generate a certificate request for a certificate extension for a keystore that already exists in this case. |
-onlyreq |
Generates a certificate request for an existing keystore. |
-p SAPSSLS.pse |
You specify the file name of the keystore that contains the certificate that you want to extend here. |
-r certreq_pse.txt |
Generates a certification request for your certification authority (CA). |
Send the certreq_pse.txt certification request to your CA.
Once you have received a response from your CA in the form certresp_pse.cer, you import the extended certificate using the following SAPGENPSE command:
sapgenpse import_own_cert -p sapSSLS.pse -c certresp_pse.cer
Command | Function |
---|---|
import_own_cert |
Imports the response from the CA to a certification request |
-p SAPSSLS.pse |
You specify the file name of the keystore that contains the certificate that you want to extend here. |
-c certresp_pse.cer |
File name that contains the certificate extended by your CA. |
You use the SAPGENPSE cryptography tool to configure secure communication between the TREX preprocessor and the portal Web server and between the TREX Web server and the TREX name server.
You start the SAPGENPSE cryptography tool using a prompt.