Usage of Keystores (SAP Library - Search and Classification (TREX))

Usage of Keystores

Note the following when using the keystores SAPSSLA.pse, SAPSSLC.pse, and SAPSSLS.pse:

...

● Keystore SAPSSLS.pse in SECUDIR

A SAPSSLS.pse keystore has to exist in the directory that you have defined under the SECUDIR environment variable. This is because the SAPCYPTOLIB (Library sapcrypto.dll (Windows) or libsapcrypto.<ext> (UNIX)) is only initialized if a keystore in the form SAPSSLS.pse exists. Therefore, check existing keystores before creating and configuring new keystores, and make sure that SAPSLLS.pse does not already exist.

● Access Sequence

SAPCRYPTOLIB accesses existing keystores in the following sequence:

1. SAPSSLA.pse ® 2. SAPSSLC.pse ® 3. SAPSSLS.pse

If these keystores exist, you have to import your certificates to the keystores in the following order:

1. Import the certificate to the keystore SAPSSLA.pse.

2. Import the certificate to the keystore SAPSSLC.pse.

3. Import the certificate to the keystore SAPSSLS.pse.

This sequence is only valid for anonymous client authentication such as that configured between the portal Web server and the TREX preprocessor.

● Format

For the keystore, write the part of the name that appears before the period in capitals (for example, SAPSSL.pse) and use lower case for the file extension (for example, SAPSSL.pse).

● Initializing Keystores/Access Permissions to Keystores

(Windows)

After you have created a keystore, you have to initialize it for use. On Windows, you also have to give the user access permission for the keystore files that you created when installing the TREX Instance. You do both things by entering the following command:

sapgenpse seclogin -p SAPSSLS.pse -O trex_<instance_number>

Note

When you installed TREX you created a separate user for each TREX instance. This user has access to all files and directories that belong to the instance in question. The specification <instance_number> must match the number that you specified when you installed the TREX instance.

Command	Function
seclogin	Function of SAPGENPSE that you use to initialize a new keystore for use.
-p SAPSSLS.pse	Specify the file name of the keystore that you want to initialize.
-O SAPService<SAPSID>	This command allows you to give the operating system user SAPService<SAPSID> that was created during the TREX installation access to the keystore.

● Using SAPGENPSE to Extend Expired Certificates

When the certificate that you have stored in a keystore expires, you can use SAPGENPSE to extend it again.

You do this by entering the following:

sapgenpse gen_pse -onlyreq -p sapSSLS.pse -r certreq_pse.txt

Command	Function
gen_pse	SAPGENPSE function that allows you to generate a certificate request for a certificate extension for a keystore that already exists in this case.
-onlyreq	Generates a certificate request for an existing keystore.
- p SAPSSLS.pse	You specify here the file name of the keystore that contains the certificate that you want to extend.
-r certreq_pse.txt	Generates a certification request for your certification authority (CA).

Send the certification request certreq_pse.txt to your CA.

Once you have received a response from your CA in the form certresp_pse.cer, you import the extended certificate using the following SAPGENPSE command:

sapgenpse import_own_cert -p sapSSLS.pse -c certresp_pse.cer

Command	Function
import_own_cert	Imports the response to a certification request from the CA.
- p SAPSSLS.pse	You specify here the file name of the keystore that contains the certificate that you want to extend.
-c certresp_pse.cer	File name that contains the certificate extended by your CA.

Result

You use the SAPGENPSE cryptography tool to configure secure communication between the TREX preprocessor and the Web server of the application using TREX and between the TREX Web server and the TREX name server.

Note

You start the cryptography tool SAPGENPSE using a prompt.

See:

TREX Preprocessor and Portal Web Server

TREX Web Server and TREX Name Server