You configure Secure Network Communication (SNC) on the TREX side with the help of the SAPGENPSE security configuration tool. You use SAPGENPSE to generate the SAPSNCS.pse keystore for storing the certificates. You only need this keystore for storing the certificate of the ABAP application using TREX. It is therefore not necessary to send the generated certificate request to your CA.
To configure SNC on the TREX side, the following prerequisites must be met:
● You have downloaded the SAP Cryptographic Library (sapcrypto.dll/exe for Windows or libsapcrypto.<ext> for UNIX) with the SAPGENPSE security configuration tool and the corresponding license ticket (ticket).
More information: Downloading the SAP Cryptographic Library.
● You have configured the SAPGENPSE security configuration tool for use. You do this by setting up the environment variable SECUDIR (Windows only) and saving the downloaded files in recommended storage locations.
More information: Configuring SAPGENPSE for Use.
You start the SAPGENPSE cryptography tool from a command prompt.
Execute the sapgenpse executable file in the directory in which you defined the SECUDIR environment variable. The SAPGENPSE cryptography tool generates the keystore and stores it in this directory.
1. Generate a new keystore by entering the following command:
sapgenpse gen_pse -p SAPSNCS.pse CN=<SID>-TRX<instance_number>,O=<mycompany>,C=<mycountry>
Example: sapgenpse gen_pse -p SAPSNCS.pse CN=ADS-TRX00,O=SAP,C=DE
Command | Function
sapgenpse | Starts the SAPGENPSE cryptography tool.
gen_pse | Function of SAPGENPSE that you can use to generate a new keystore.
-p SAPSNCS.pse | You specify the file name of the keystore that contains the certificate here.
You are now asked to give more precise specifications on the certificates that you want to generate. Proceed according to the following table:
Prompt | Function/Entry
Please enter PIN: | Do not enter a value. Confirm with Return.
Please reenter PIN: | Do not enter a value. Confirm with Return.
get_pse: Distinguished name of PSE owner: | Specifies the distinguished name (DN) of the certificate owner. Make the following specifications: CN=myhost.mydomain, C=mycountry, O=mycompany. Example: CN=ADS-TRX00, C=DE, S=BW, O=SAP
2. After you have created a keystore, you have to initialize it for use. The server must have active credentials at runtime. To produce active credentials, use the configuration tool's seclogin command to open the server's keystore.
It is also very important to create the credential for the user who runs the server’s process. For example, for the TREX server, the user is typically <sapsid>adm (UNIX) or SAPService<SAPSID> (Windows).
The credentials are located in the cred_v2 file in the directory specified in the SECUDIR environment variable. Make sure that only the user under which the TREX service runs has access to this file (including read access).
On Windows, you must also give the <SAPSID>adm operating system user, which was created during the TREX installation, access permission to the keystores; otherwise it cannot access the files. You do both things by entering the following command:
○ Windows: sapgenpse seclogin -p SAPSNCS.pse -O SAPService<SAPSID>
○ UNIX: sapgenpse seclogin -p SAPSNCS.pse -O <SAPSID>adm
Command | Function
seclogin | Function of SAPGENPSE that you use to initialize a new keystore for use.
-p SAPSNCS.pse | Specify the file name of the keystore that you want to initialize.
-O SAPService<SAPSID> or <SAPSID>adm | You use this option to give the SAPService<SAPSID> or <SAPSID>adm user access to the keystore.
You have created the SAPSNCS.pse keystore. You can import the certificate of the ABAP application using TREX to this keystore and store it there.
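A check for the file-access requirement on cred_v2 stated in step 2, for UNIX hosts, as an added example that is not part of the original SAP documentation. The function names, the script name and the exit codes are assumptions; applying the same owner-only rule to SAPSNCS.pse is also an assumption of the example (the page states the requirement for cred_v2).

```shell
#!/bin/sh
# Added example (not SAP code): audit SNC key material written by sapgenpse on UNIX.
# File names cred_v2 and SAPSNCS.pse are from the procedure; function names are
# hypothetical. The page requires owner-only access for cred_v2; applying the
# same rule to SAPSNCS.pse is this example's assumption.

# check_snc_file FILE OWNER
# 0 = regular file, owned by OWNER, no group/other bits; 1 = violation; 2 = missing
check_snc_file() {
    file=$1; owner=$2
    if [ ! -f "$file" ]; then
        echo "MISSING $file"
        return 2
    fi
    # ls -ld prints "<mode> <links> <owner> ..."; mode chars 5-10 are group/other
    line=$(ls -ld -- "$file") || return 2
    mode=$(printf '%s\n' "$line" | awk '{ print substr($1, 5, 6) }')
    actual=$(printf '%s\n' "$line" | awk '{ print $3 }')
    rc=0
    if [ "$actual" != "$owner" ]; then
        echo "OWNER   $file is owned by $actual, expected $owner"
        rc=1
    fi
    if [ "$mode" != "------" ]; then
        echo "MODE    $file grants group/other access ($mode)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK      $file"
    return "$rc"
}

# audit_secudir DIR OWNER: check both files, non-zero if any check fails
audit_secudir() {
    dir=$1; svc_user=$2; status=0
    for name in cred_v2 SAPSNCS.pse; do
        check_snc_file "$dir/$name" "$svc_user" || status=1
    done
    return "$status"
}

# Stand-alone use (audit_snc.sh is a hypothetical file name):
#   sh audit_snc.sh <SECUDIR directory> <sapsid>adm
if [ "$#" -eq 2 ]; then
    audit_secudir "$1" "$2"
    exit $?
fi
```

Run it as a user that can read the directory listing, after the seclogin step, so that cred_v2 already exists.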