Creating or Replacing a PSE

Use the procedure below to create or replace a PSE. For example, you may have to replace a PSE when the public-key certificate contained in the PSE is about to expire.

Prerequisites

  • You know the syntax for the Distinguished Name (DN) of the server. For more information, see the following tables.

    Table 1: Distinguished Name Parts

    DN Part  Definition                      Examples
    CN       Common Name                     <SID>
    EMAIL    E-Mail                          E-mail address for Subject
    OU       Organizational Unit (optional)  Department name
    O        Organization                    Company name
    C        Country                         USA: US; Germany: DE

    Note

    If you are using X.509v3 certificates, you must use third-party tools to integrate an e-mail address into a Subject Alternative Name.

    Table 2: Requirements for the Distinguished Name of the Server per PSE Type

    System PSE: default Distinguished Name CN=<SID>

    If no system PSE exists when the application server is started, the system automatically creates the public-key certificate for the system PSE using the Distinguished Name CN=<SID>. If you replace this PSE, you can freely choose the new Distinguished Name.

    SNC PSE: the Distinguished Name must correspond to snc/identity/as

    The Distinguished Name used for the SNC PSE's public-key certificate must match the Distinguished Name part of the server's SNC name (without the p: prefix), which is specified in the application server's profile parameter snc/identity/as.

    SSL Server PSE: CN part of the Distinguished Name is CN=<fully_qualified_host_name>

    The Common Name (CN) part of the Distinguished Name for the SSL server PSE's public-key certificate must correspond to the fully qualified host name that users will use to access the application server, for example, CN=host123.example.com.

    Anonymous SSL Client PSE: Distinguished Name CN=anonymous

    The system automatically uses the Distinguished Name CN=anonymous for the anonymous SSL client PSE's public-key certificate. You cannot change this name. In addition, the application server cannot use this identity to authenticate itself.

    All Other PSEs: no special requirements

    You can freely choose the Distinguished Name for the public-key certificates stored in the rest of the PSEs.

  • If you use the SAP CA as the issuing CA, then the rest of the Distinguished Name (everything except the CN part) must be as follows:

    OU=I<customer_number>-<company_name>, OU=SAP Web Application Server, O=SAP Trust Community, C=DE

    For the first OU (Organizational Unit) part, you enter only I<customer_number>. The SAP CA automatically extends this OU part to include your company name when it issues the certificate.

Context

Note

We recommend using the report SSFALRTEXP to automatically receive a system log message and alert in CCMS for certificates contained in the various PSEs that are about to expire. Alternatively, we also provide the report SSF_ALERTCERT_EXPIRE that you can use manually or plan as a background job.

For more information, see SAP Note 572035.

Procedure

  1. Start Trust Manager (transaction STRUST).
  2. Select a PSE node.
  3. Using the context menu, choose Create (if no PSE exists) or Replace.
  4. Enter the components of the Distinguished Name of the system in the corresponding fields.

    If you use a reference to a CA name space, the system automatically includes those components of the CA's Distinguished Name in the newly generated name. See the table and examples below.

    Table 3: Distinguished Name Parts (fields of the Create/Replace dialog)

    Name (DN part CN): <Common_Name>

    For example, <SID>.

    Org. (opt.) (DN part OU): <Organizational_Unit>

    For example, the department name. Input is optional. Default = <installation_number>.

    Comp./Org. (DN part OU or O): <Organizational_Unit> or <Organization>

    If you use a reference to a CA name space, the system uses the input for this field as an additional OU part. Otherwise, it uses this entry for the O part.

    The default entry is the OU part used with the SAP CA: SAP Web Application Server.

    Use the toggle function to activate or deactivate the reference to a CA name space.

    Country (DN part C): <Country>

    Input is only available if you do not use a reference to a CA name space.

    CA (no single DN part): <CA_Name_Space>

    Input is only available if you use a reference to a CA.

    Enter the CA's name space. The default entry is the name space for the SAP CA (O=SAP Trust Community, C=DE).

    The server or system's Distinguished Name is then generated using this extension. See the examples below.

    Reference to the SAP CA Name Space

    The following example uses the input provided and a reference to the SAP CA name space:

    • Name = MY1
    • Org. (opt.) = I0120007965 (default)
    • Comp./Org. = SAP Web Application Server (default)
    • CA = O=SAP Trust Community, C=DE (default)

    Trust Manager then generates a public-key certificate with the Distinguished Name CN=MY1, OU=I0120007965, OU=SAP Web Application Server, O=SAP Trust Community, C=DE.

    No Reference to a CA Name Space

    The following example does not use a reference to a CA name space:

    • Name = MY1
    • Comp./Org. = MyCompany
    • Country = US

    The Distinguished Name is then CN=MY1, O=MyCompany, C=US.

  5. Choose Enter.
    Note

    If you are creating an SSL server PSE, then the system generates a default system-wide Distinguished Name and then provides you with a list of possible server-specific names. For each application server, you can then choose to use either the server-specific Distinguished Name or you can use the system-wide name.
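The field-to-DN mapping of Table 3 and the per-PSE-type requirements of Table 2 (together with the SAP CA naming rule from the prerequisites), worked through as an added Python example. This is not Trust Manager or SAP code. The PSE type labels ("system", "snc", "ssl_server", "ssl_client_anon"), the function names, and the simplified DN parsing (no escaped commas) are assumptions of the example; the constants and the sample Distinguished Names are the ones given on this page.

```python
"""Compose a PSE Distinguished Name the way the STRUST Create/Replace dialog does
(Table 3) and check it against the per-PSE-type rules (Table 2) and the SAP CA rule.
Added illustration, not Trust Manager or SAP code: the PSE type labels, helper
names and the simplified DN parsing (no escaped commas) are assumptions made here."""
from __future__ import annotations
from dataclasses import dataclass

SAP_CA_NAMESPACE = "O=SAP Trust Community, C=DE"       # default CA name space (page)
SAP_CA_DEFAULT_COMPANY = "SAP Web Application Server"  # default Comp./Org. with CA reference (page)


@dataclass
class DnInput:
    """Fields of the Create/Replace dialog as listed in Table 3."""
    name: str                  # Name        -> CN (mandatory)
    org: str = ""              # Org. (opt.) -> OU, optional
    company: str = ""          # Comp./Org.  -> OU with CA reference, O without
    country: str = ""          # Country     -> C, only without CA reference
    ca_namespace: str = ""     # CA          -> appended as-is with CA reference
    use_ca_reference: bool = False


def build_dn(inp: DnInput) -> str:
    """Generate the DN string from the dialog fields (rules of Table 3)."""
    if not inp.name:
        raise ValueError("Name (CN) is mandatory")
    parts = [f"CN={inp.name}"]
    if inp.org:
        parts.append(f"OU={inp.org}")
    if inp.use_ca_reference:
        # With a CA reference, Comp./Org. becomes an additional OU and the CA name
        # space supplies O and C; the Country field is not available.
        if inp.company:
            parts.append(f"OU={inp.company}")
        if not inp.ca_namespace:
            raise ValueError("CA name space is required when the reference is active")
        parts.append(inp.ca_namespace)
    else:
        if inp.company:
            parts.append(f"O={inp.company}")
        if inp.country:
            parts.append(f"C={inp.country}")
    return ", ".join(parts)


def dn_parts(dn: str) -> list[tuple[str, str]]:
    """Split 'CN=a, OU=b' into [('CN', 'a'), ('OU', 'b')]; escaped commas not handled."""
    parts = []
    for piece in dn.split(","):
        piece = piece.strip()
        if piece:
            key, _, value = piece.partition("=")
            parts.append((key.strip().upper(), value.strip()))
    return parts


def snc_identity_dn(snc_identity_as: str) -> str:
    """DN the SNC PSE must carry: profile parameter snc/identity/as without the 'p:'."""
    if not snc_identity_as.startswith("p:"):
        raise ValueError("snc/identity/as is expected to start with 'p:'")
    return snc_identity_as[2:].strip()


def check_dn(pse_type: str, dn: str, *, fqdn: str = "", snc_identity_as: str = "") -> list[str]:
    """Return the Table 2 violations for a DN; an empty list means it is acceptable."""
    problems = []
    parts = dn_parts(dn)
    cn = next((value for key, value in parts if key == "CN"), "")
    if not cn:
        problems.append("DN has no CN part")
    if pse_type == "ssl_server":
        # Host names are case-insensitive, so compare them folded to lower case.
        if cn.lower() != fqdn.lower():
            problems.append(f"CN={cn!r} does not match the host name users connect to: {fqdn!r}")
    elif pse_type == "snc":
        expected = snc_identity_dn(snc_identity_as)
        if parts != dn_parts(expected):
            problems.append(f"DN does not match snc/identity/as without 'p:': {expected!r}")
    elif pse_type == "ssl_client_anon":
        if parts != [("CN", "anonymous")]:
            problems.append("the anonymous SSL client PSE must use exactly CN=anonymous")
    # "system" and all other PSEs: the DN may be chosen freely.
    return problems


def sap_ca_request_ok(dn: str) -> bool:
    """Check the non-CN remainder required when the SAP CA is the issuing CA:
    OU=I<customer_number>, OU=SAP Web Application Server, O=SAP Trust Community, C=DE.
    Only the customer number is entered (assumed numeric, as in the page's example);
    the SAP CA itself appends '-<company_name>' to the first OU."""
    rest = [(key, value) for key, value in dn_parts(dn) if key != "CN"]
    if len(rest) != 4:
        return False
    (k1, ou1), (k2, ou2), (k3, o), (k4, c) = rest
    return (k1 == "OU" and ou1.startswith("I") and ou1[1:].isdigit()
            and k2 == "OU" and ou2 == SAP_CA_DEFAULT_COMPANY
            and (k3, o) == ("O", "SAP Trust Community")
            and (k4, c) == ("C", "DE"))
```

`build_dn` reproduces both examples from step 4 (with the SAP CA reference it yields CN=MY1, OU=I0120007965, OU=SAP Web Application Server, O=SAP Trust Community, C=DE; without it, CN=MY1, O=MyCompany, C=US). For an SSL server PSE, run `check_dn` once per application server with the host name users actually connect to, which is the decision the note above asks you to make between the system-wide and the server-specific name.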

Results

The system creates a new public and private key pair and a self-signed public-key certificate, both of which are stored in the PSE. If the PSE is stored in the database and is to be distributed, the system automatically distributes the PSE to the individual application servers. Because the new key pair and certificate replace the old ones, communication partners that trusted the previous certificate must be given the new one (or a CA-signed version of it) before they will trust this server again.