Show TOC

Configuring SNC on TREX SideLocate this document in the navigation structure


You configure Secure Network Communication (SNC) on TREX side with the help of the security configuration tool SAPGENPSE. You use SAPGENPSE to generate the key storeSAPSNCS.pse, in which you can store the certificates. You only need this key store for storing the certificate of the ABAP application using TREX. It is therefore not necessary that you send the generated certificate request to your CA.


For configuring SNC on TREX side you have to provide the following prerequisites:

  • You have downloaded the SAP Cryptographic Library (sapcrypto.dll/exe for Windows orlibsapcrypto.<ext> for UNIX) with the security configuration tool SAPGENPSE and the corresponding license ticket (ticket).

    For details seeDownloading the SAP Cryptographic Library.

  • You have configured the security configuration tool SAPGENPSE for use. You do this by setting up the environment variable SECUDIR (Windows only) and saving the downloaded files in recommended storage locations.

    For details seeConfiguring SAPGENPSE for Use.

Generating the Key Store SAPSNCS.pse

You start the cryptography tool SAPGENPSE using a prompt.

Execute the executable filesapgenpse in the directory in which you defined the environment variable SECUDIR. The cryptography tool SAPGENPSE generates the key store and stores it in this directory.

  1. Generate a new key store by entering the following command:

    sapgenpse gen_pse -p SAPSNCS.pse CN=<SID>-TRX<instance_number>,O=<mycompany>,C=<mycountry>


    sapgenpse gen_pse -p SAPSNCS.pse CN=ADS-TRX00,O=SAP,C=DE




    Starts the cryptography tool SAPGENPSE.


    Function of SAPGENPSE that you can use to generate a new key store.

    - p SAPSNCS .pse

    You specify the file name of the key store that contains the certificate here.

    You are now asked to give more precise specifications on the certificates that you want to generate. Proceed according to the following table:

    Prompt Function/Entry

    Please enter PIN:

    Do not enter a value. Confirm with Return.

    Please reenter PIN:

    Do not enter a value. Confirm with Return.

    get_pse: Distinguished name of PSE owner:

    Specifies the distinguished name (DN) of the certificate owner.

    Make the following specifications:

    CN=myhost.mydomain, C=mycountry, O=mycompany

    Note :


  2. After you have created a key store, you have to initialize it for use. The server must have active credentials at run-time. Therefore, to produce active credentials, you must use the configuration tool's commandseclogin to open the server's key store.

    It is also very important to create the credential for the user who runs the server's process. For example, for the TREX server, the user is typically<sapsid>adm (UNIX) orSAPService<SAPSID> (Windows).


    The credentials are located in the filecred_v2 in the directory specified in the environment variableSECUDIR. Make sure that only the user under which the TREX service runs has access to this file (including read access).

    On Windows, you must also give the operating system user <SAPSID>adm, which was created during the TREX installation, access permission to the key stores; otherwise it cannot access the files. You do both things by entering the following command:

    • Windows:sapgenpse seclogin -p SAPSNCS.pse -O SAPService<SAPSID>
    • UNIX:sapgenpse seclogin -p SAPSNCS.pse -O <SAPSID>adm
      Command Function


      Function of SAPGENPSE that you use to initialize a new key store for use.

      - p SAPSNCS.pse

      Specify the file name of the keystore that you want to initialize.

      -O SAPService<SAPSID> or <SAPSID>adm

      You use this command to give the userSAPService <SAPSID> or<SAPSID>adm access to the key store.


You have created the key storeSAPSNCS.pse. into which you can import the certificate of the ABAP application using TREX and store it there.