
Key Storage and Maintenance

The location of the keys for security functions and the tools to manage these keys depend on a number of factors.

Example

On SAP NetWeaver AS for ABAP, when using the SAP Cryptographic Library for SSL or SNC, each key pair is stored in a file called a personal security environment (PSE). To maintain the PSEs, use Trust Manager (transaction STRUST).

For SSL on SAP NetWeaver AS for Java, the key pairs are stored in keystore entries in keystore views. To maintain the keys, use the Key Storage service.

For SSL on the SAP Web Dispatcher, the keys are also stored in PSEs. To maintain the keys, you can either use the Trust Manager on SAP NetWeaver AS for ABAP and export the PSEs, or you can use the command line tool sapgenpse.

For SNC partner products, the storage location and maintenance tools depend on the product being used.

See the table below.

| Server Component | Security Mechanism | Security Product | Key Storage Location | Maintenance Tool |
|---|---|---|---|---|
| SAP NetWeaver AS for ABAP | SSL | SAP Cryptographic Library | As server component: SSL server PSE. As client component: SSL client PSE | Trust Manager |
| SAP NetWeaver AS for ABAP | SNC | SAP Cryptographic Library | SNC PSE | Trust Manager |
| SAP NetWeaver AS for ABAP | SNC | Partner product | Product-specific | Product-specific |
| SAP NetWeaver AS for Java | SSL | SAP Java Cryptographic Toolkit | As server component: Keystore view service_ssl, entry ssl-credentials. As client component: connection-specific view and entry | Key Storage service |
| SAP NetWeaver AS for Java | SNC | SAP Cryptographic Library | SNC PSE | sapgenpse |
| SAP Web Dispatcher | SSL | SAP Cryptographic Library | As server component: SSL server PSE. As client component: SSL client PSE | sapgenpse (or Trust Manager) |

The information stored in the corresponding key storage includes:

  • The server's public and private key pair to use for the various security functions (signing, verifying signatures, encrypting, or decrypting messages).

    Note

    The server's public key can be exported from the key storage; however, the private key is not accessible.

  • The certificate list, which is the list of trusted communication partners.

Each key storage stores the keys and certificate list to use for a particular connection type.

Example

The SSL server PSE on SAP NetWeaver AS for ABAP contains the key pair and certificate list to use for SSL connections where SAP NetWeaver AS for ABAP is the server component for the connection. The SSL client PSE is used for SSL connections where SAP NetWeaver AS for ABAP is the client component for the connection.

On SAP NetWeaver AS for Java, the service_ssl keystore view contains an entry called ssl-credentials where the keys for incoming SSL connections are stored. For outgoing connections, you must set up corresponding keystore views and entries.

For SNC, the SNC PSE is used for incoming and outgoing connections.