Show TOC

Usage of KeystoresLocate this document in the navigation structure

Note the following when using the keystores SAPSSLA.pse, SAPSSLC.pse, and SAPSSLS.pse:

  • Keystore SAPSSLS.psein SECUDIR

    A SAPSSLS.pse keystore has to exist in the directory that you have defined under the SECUDIR environment variable. This is because the SAPCYPTOLIB(Librarysapcrypto.dll (Windows) orlibsapcrypto.<ext> (UNIX)) is only initialized if a keystore in the formSAPSSLS.pse exists. Therefore, check existing keystores before creating and configuring new keystores, and make sure that SAPSLLS.pse does not already exist.

  • Access Sequence

    SAPCRYPTOLIB accesses existing keystores in the following sequence:

    1. SAPSSLA.pse → 2. SAPSSLC.pse → 3. SAPSSLS.pse

    If these keystores exist, you have to import your certificates to the keystores in the following order:

    1. Import the certificate to the keystore SAPSSLA.pse.

    2. Import the certificate to the keystore SAPSSLC.pse.

    3. Import the certificate to the keystore SAPSSLS.pse.

    This sequence is only valid for anonymous client authentication such as that configured between the portal Web server and the TREX preprocessor.

  • Format

    For the keystore, write the part of the name that appears before the period in capitals (for example, SAPSSL.pse) and use lower case for the file extension (for example, SAPSSL.pse).

  • Initializing Key Stores/Access Permissions to Key Stores/Create Active  Credentials

    After you have created a key store, you have to initialize it for use. The server must have active credentials at run-time. Therefore, to produce active credentials, you must use the configuration tool's commandseclogin to open the server's key store. It is also very important to create the credential for the user who runs the server's process. For example, for the TREX server, the user is typically<sapsid>adm (UNIX) orSAPService<SAPSID> (Windows).

    Note

    The credentials are located in the filecred_v2 in the directory specified in the environment variableSECUDIR. Make sure that only the user under which the TREX service runs has access to this file (including read access).

    On Windows, you must also give the operating system user <SAPSID>adm, which was created during the TREX installation, access permission to the key stores; otherwise it cannot access the files. You do this by entering the following command:

    • Windows:sapgenpse seclogin -p SAPS< SLS_or_NCS >.pse -O SAPService<SAPSID>
    • UNIX:sapgenpse seclogin -p SAPS< SLS_or_NCS >.pse -O <SAPSID>adm
      Note

      When you installed TREX you created a separate user for each TREX instance. This user has access to all files and directories that belong to the instance in question. The specification <instance_number> must match the number that you specified when you installed the TREX instance.

      Command Function

      seclogin

      Function of SAPGENPSE that you use to initialize a new keystore for use.

      -p SAPSSLS.pse or SAPSNCS.pse

      Specify the file name of the keystore that you want to initialize.

      -O SAPService<SAPSID> or<SAPSID>adm

      You use this command to give the userSAPService <SAPSID> or<SAPSID>adm access to the key store. The operating system user SAPService<SAPSID> was created during the TREX installation.
  • Using SAPGENPSE to Extend Expired Certificates

    When the certificate that you have stored in a keystore expires, you can use SAPGENPSE to extend it again.

    You do this by entering the following:

    sapgenpse gen_pse -onlyreq -p sapSSLS.pse -r certreq_pse.txt

    Command Function

    gen_pse

    SAPGENPSE function that allows you to generate a certificate request for a certificate extension for a keystore that already exists in this case.

    -onlyreq

    Generates a certificate request for an existing keystore.

    - p SAPSSLS.pse

    You specify here the file name of the keystore that contains the certificate that you want to extend.

    -r certreq_pse.txt

    Generates a certification request for your certification authority (CA).

    Send the certification request certreq_pse.txt to your CA.

    Once you have received a response from your CA in the form certresp_pse.cer, you import the extended certificate using the following SAPGENPSE command:

    sapgenpse import_own_cert -p sapSSLS.pse -c certresp_pse.cer

    Command Function

    import_own_cert

    Imports the response to a certification request from the CA.

    - p SAPSSLS.pse

    You specify here the file name of the keystore that contains the certificate that you want to extend.

    -c certresp_pse.cer

    File name that contains the certificate extended by your CA.
Result

You use the SAPGENPSE cryptography tool to configure secure communication between the TREX preprocessor and the Web server of the application using TREX and between the TREX Web server and the TREX name server.

Note

You start the cryptography tool SAPGENPSE using a prompt.

See: