Creating a System-Specific Certificate for Content Server Access

Use

To ensure that every SAP system has its own certificate (system-specific certificate), a Personal Security Environment (PSE) (see also Personal Security Environment) must be created on every SAP system when it is installed. This only needs to be done once for every system. You set up the PSE in the Trust Manager (transaction STRUST, see also Trust Manager).

As a rule, the SAP system PSE is used to create and verify signed URLs in the SAP system. From SAP Web Application Server release 6.10, you can also use your own PSE.

Two different scenarios are possible here:

Content Server Administration is used for the checking process itself (see also Content Server and Cache Server Administration). This takes place in transaction CSADMIN, on the tab page Certificates.

Note

Carry out the procedure described below for creating a certificate for Content Server access before creating repositories.

If you do this after you create repositories, you will have to re-send the certificates to all HTTP repositories and reactivate all the certificates. This is because the certificate changes when you create a new PSE.

If you are accessing the database via HTTP (see also HTTP Access for Repositories on the SAP Web Application Server), you also have to redistribute and reactivate the certificates.

Procedure

Take the following steps to create your own PSE:

  1. Call transaction STRUST.

     The Trust Manager opens.

  2. Choose Applications.
  3. Choose New Entries.
  4. Use F4 Help to select HTTP Content Server and confirm this by choosing Enter.

     Additional fields for application-specific Secure Store & Forward (SSF) parameters and standard values for empty fields are grayed out.

  5. Make the following entries:
    1. In the field Security/Product, enter SAPSECULIB.
    2. In the field SSF Format, choose International standard PKCS#7.
    3. In the field Priv. add. book, enter SAPHTTPCS.pse.
    4. In the field SSF profile, also enter SAPHTTPCS.pse.
    5. In the field SSF ProfileID, enter CN=<Common name>,OU=<Organization Unit>,O=<Organization>,C=<Country>.

       For example: CN=BCECS,OU=DEV,O=SAP-AG,C=DE

    6. Check Distribute PSE (Only SAPSECULIB).
  6. Save your entries.
  7. Call transaction STRUST again.
  8. Select HTTP Content Server.
  9. Choose Replace from the context menu.
  10. Confirm this at the confirmation prompt.
  11. Confirm your entries in the next popup (Replace PSE).
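
A pre-entry check for the value typed into the SSF ProfileID field, as an added example (not SAP code). The function names, the fixed CN, OU, O, C order and the two-letter uppercase country code rule are assumptions derived from the template and example above, not documented SAP validation rules.

```python
import re

# Attribute order taken from the page's template (assumption: order is fixed).
EXPECTED_ORDER = ["CN", "OU", "O", "C"]

def split_rdns(dn):
    """Split a distinguished name on commas that are not backslash-escaped."""
    parts, current, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append(current)
            current = ""
            continue
        current += ch
        escaped = (ch == "\\" and not escaped)
    parts.append(current)
    return parts

def check_profile_id(dn):
    """Return a list of problems in an SSF ProfileID; an empty list means OK."""
    problems, rdns = [], []
    for part in split_rdns(dn):
        key, sep, value = part.partition("=")
        if not sep or not key.strip() or not value.strip():
            problems.append(f"malformed component: {part!r}")
            continue
        rdns.append((key.strip().upper(), value.strip()))
    keys = [k for k, _ in rdns]
    if not problems and keys != EXPECTED_ORDER:
        problems.append(f"expected attributes {EXPECTED_ORDER}, got {keys}")
    for key, value in rdns:
        # Catch template text such as <Common name> pasted in unchanged.
        if re.search(r"<[^>]*>", value):
            problems.append(f"{key} still contains a placeholder: {value!r}")
        if key == "C" and not re.fullmatch(r"[A-Z]{2}", value):
            problems.append(f"C must be a two-letter uppercase code, got {value!r}")
    return problems

if __name__ == "__main__":
    # Constructed sample values; the first is the example given on the page.
    for sample in ("CN=BCECS,OU=DEV,O=SAP-AG,C=DE",
                   "CN=<Common name>,OU=DEV,O=SAP-AG,C=DE",
                   "CN=BCECS,O=SAP-AG,OU=DEV,C=de"):
        print(sample, "->", check_profile_id(sample) or "OK")
```
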

Example

The HTTP Content Server PSE links to a system-specific PSE. This means that you can specify that you no longer want to use a specific certificate, for example. In this case, you have to open Content Server Administration and delete the certificate in all repositories. You also have to delete it from the certificate list.
