Configuring SNC on TREX Side

Use

You configure Secure Network Communication (SNC) on the TREX side with the SAPGENPSE security configuration tool. You use SAPGENPSE to generate the SAPSNCS.pse keystore, which stores the certificates. You need this keystore only for storing the certificate of the ABAP application that uses TREX. It is therefore not necessary to send the generated certificate request to your CA.

Prerequisites

To configure SNC on the TREX side, the following prerequisites must be met:

      You have downloaded the SAP Cryptographic Library (sapcrypto.dll/exe for Windows or libsapcrypto.<ext> for UNIX) with the SAPGENPSE security configuration tool and the corresponding license ticket (ticket).

More information: Downloading the SAP Cryptographic Library.

      You have configured the SAPGENPSE security configuration tool for use. You do this by setting up the environment variable SECUDIR (Windows only) and saving the downloaded files in recommended storage locations.

More information: Configuring SAPGENPSE for Use.

 

Generating the SAPSNCS.pse Keystore

You start the SAPGENPSE cryptography tool from a command prompt.

Execute the sapgenpse executable file in the directory that the SECUDIR environment variable points to. The SAPGENPSE cryptography tool generates the keystore and stores it in this directory.

       1.      Generate a new keystore by entering the following command:

sapgenpse gen_pse -p SAPSNCS.pse CN=<SID>-TRX<instance_number>,O=<mycompany>,C=<mycountry>

Example:

sapgenpse gen_pse -p SAPSNCS.pse CN=ADS-TRX00,O=SAP,C=DE

| Command | Function |
| --- | --- |
| sapgenpse | Starts the SAPGENPSE cryptography tool. |
| gen_pse | Function of SAPGENPSE that you can use to generate a new keystore. |
| -p SAPSNCS.pse | You specify the file name of the keystore that contains the certificate here. |

You are now prompted for further details about the certificate that you want to generate. Proceed according to the following table:

| Prompt | Function/Entry |
| --- | --- |
| Please enter PIN: | Do not enter a value. Confirm with Return. |
| Please reenter PIN: | Do not enter a value. Confirm with Return. |
| get_pse: Distinguished name of PSE owner: | Specifies the distinguished name (DN) of the certificate owner. Make the following specifications: CN=myhost.mydomain, C=mycountry, O=mycompany. Example: CN=ADS-TRX00, C=DE, S=BW, O=SAP |

       2.      After you have created a keystore, you have to initialize it for use. The server must have active credentials at runtime. To produce active credentials, you use the configuration tool's seclogin command to open the server's keystore.

It is also very important to create the credential for the user who runs the server’s process. For example, for the TREX server, the user is typically <sapsid>adm (UNIX) or SAPService<SAPSID> (Windows).

The credentials are located in the cred_v2 file in the directory specified in the SECUDIR environment variable. Make sure that only the user under which the TREX service runs has access to this file (including read access).

On Windows, you must also give the <SAPSID>adm operating system user, which was created during the TREX installation, access permission to the keystores; otherwise it cannot access the files. You do both things by entering the following command:

       Windows: sapgenpse seclogin -p SAPSNCS.pse -O SAPService<SAPSID>

       UNIX: sapgenpse seclogin -p SAPSNCS.pse -O <SAPSID>adm

| Command | Function |
| --- | --- |
| seclogin | Function of SAPGENPSE that you use to initialize a new keystore for use. |
| -p SAPSNCS.pse | Specify the file name of the keystore that you want to initialize. |
| -O SAPService<SAPSID> or <SAPSID>adm | You use this command to give the SAPService<SAPSID> or <SAPSID>adm user access to the keystore. |

Result

You have created the SAPSNCS.pse keystore. You can now import the certificate of the ABAP application that uses TREX into this keystore and store it there.
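The access requirement for cred_v2 from step 2, as a check that can be run on UNIX after seclogin. This is an added example, not part of the SAP documentation; the function names are hypothetical, and extending the check from cred_v2 to SAPSNCS.pse is an assumption made here because step 1 sets no PIN on that file.

```shell
#!/bin/sh
# Added example: audit ownership and mode of the SNC files in SECUDIR (UNIX).
# Assumptions: function names are hypothetical; checking SAPSNCS.pse in
# addition to cred_v2 goes beyond what the procedure text requires.

# check_snc_file FILE OWNER
# Returns 0 if FILE is a regular file owned by OWNER with no group/other
# permission bits, 1 if owner or mode is wrong, 2 if FILE is missing or
# is not a regular file (symbolic links are rejected).
check_snc_file() {
    file=$1; owner=$2
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "MISSING  $file (absent, or not a regular file)"
        return 2
    fi
    # ls -ld is POSIX: field 1 is the mode string, field 3 the owner name.
    mode=$(ls -ld "$file" | awk '{print $1}')
    actual=$(ls -ld "$file" | awk '{print $3}')
    status=0
    if [ "$actual" != "$owner" ]; then
        echo "OWNER    $file is owned by $actual, expected $owner"
        status=1
    fi
    # Mode string: type, 3 user bits, 3 group bits, 3 other bits. A trailing
    # '+' or '.' (ACL / security context marker) is tolerated, not evaluated.
    case $mode in
        ????------*) ;;
        *) echo "MODE     $file is $mode; group and other must have no access"
           status=1 ;;
    esac
    if [ "$status" -eq 0 ]; then echo "OK       $file ($mode $actual)"; fi
    return "$status"
}

# audit_secudir DIR OWNER
# Checks cred_v2 and SAPSNCS.pse in DIR; returns 0 only if both pass.
audit_secudir() {
    audit_dir=$1; audit_owner=$2; audit_rc=0
    for name in cred_v2 SAPSNCS.pse; do
        check_snc_file "$audit_dir/$name" "$audit_owner" || audit_rc=1
    done
    return "$audit_rc"
}

# Run as: sh audit_snc.sh "$SECUDIR" <sapsid>adm   (script name is hypothetical)
if [ "$#" -eq 2 ]; then audit_secudir "$1" "$2"; fi
```

A non-zero exit status means at least one file is missing, owned by another account, or readable beyond the service user.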
