Generating a Keystore using SAPGENPSE

Use

You use the cryptography tool SAPGENPSE to generate a keystore in which you can store a certificate. You only need this keystore for storing the root certificate of the portal Web server. It is therefore not necessary that you send the generated certificate request to your CA.

Procedure

You start the cryptography tool SAPGENPSE from a command prompt.

Run the executable file sapgenpse in the directory to which the environment variable SECUDIR points. The cryptography tool SAPGENPSE generates the keystores and stores them in this directory.

  1. Generate a new keystore by entering the following command:

    sapgenpse gen_pse -p SAPSSLS.pse

    | Command | Function |
    | --- | --- |
    | sapgenpse | Starts the cryptography tool SAPGENPSE. |
    | gen_pse | Function of SAPGENPSE that you can use to generate a new keystore and a certificate request. |
    | -p SAPSSLS.pse | You specify the file name of the keystore that contains the certificate here. |

    You are now prompted for more detailed information about the certificate that you want to generate. Proceed according to the following table:

    | Prompt | Function/Entry |
    | --- | --- |
    | Please enter PIN: | Do not enter a value. Confirm with Return. |
    | Please reenter PIN: | Do not enter a value. Confirm with Return. |
    | get_pse: Distinguished name of PSE owner: | Specifies the distinguished name (DN) of the certificate owner. Make the following specifications: CN=myhost.mydomain, C=mycountry, S=mystate, O=mycompany, OU=mydepartment |

    Tip

    CN=p64883.wdf.sap.corp, C=DE, S=BW, O=SAP-AG, OU=TREX

  2. After you have created a keystore, you have to initialize it for use. On Windows, you must also give the operating system user <SAPSID>adm, which was created during the TREX installation, access permission to the keystores; otherwise it cannot access the files. You do both by entering the following command:

    sapgenpse seclogin -p SAPSSLS.pse -O <SAPSID>adm

  3. On Windows, you also have to give the user under which the IIS (Internet Information Server) is running access permission to the keystore files:

    sapgenpse seclogin -p SAPSSLS.pse -O <IIS_user>

    Tip

    sapgenpse seclogin -p SAPSSLS.pse -O P78121\IUSR_SAP-DD9CE47C712

    You determine the IIS user using the Windows administration tool Internet Information Services.

    | Command | Function |
    | --- | --- |
    | seclogin | Function of SAPGENPSE that you use to initialize a new keystore for use. |
    | -p SAPSSLS.pse | Specify the file name of the keystore that you want to initialize. |
    | -O trex_<instance_number> or IIS_user | You use this option to give the user of the TREX instance (created during the installation) and the user under which the IIS is running access to the keystore. |

Result

You have created a keystore SAPSSLS.pse into which you can import the root certificate of the portal Web server.
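
Because the procedure leaves the PIN empty, file-system permissions are what restrict access to the keystore. The following check for a Unix host is an added example, not part of the SAP documentation: it confirms that the keystore and the credentials written by seclogin exist in SECUDIR and are accessible to their owner only. Assumptions: seclogin stores its credentials in a file named cred_v2 in SECUDIR, owner-only access is the intended policy, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not SAP's code): audit the keystore created by the procedure.
# Assumption: seclogin writes its credentials to a file named cred_v2 in SECUDIR.

# Print the group/other permission bits of a path, e.g. "r--r--".
perm_go() {
    ls -ld "$1" | cut -c5-10
}

# check_keystore DIR [PSE_NAME]
# Returns 0 when both files exist and only their owner can access them,
# 1 on a missing file or loose permissions, 2 when DIR is not usable.
check_keystore() {
    dir=$1
    pse=${2:-SAPSSLS.pse}
    rc=0

    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: SECUDIR is unset or not a directory: '$dir'"
        return 2
    fi

    for f in "$pse" cred_v2; do
        path=$dir/$f
        if [ ! -f "$path" ]; then
            echo "FAIL: $path missing (gen_pse or seclogin not run?)"
            rc=1
            continue
        fi
        bits=$(perm_go "$path")
        if [ "$bits" != "------" ]; then
            echo "FAIL: $path is accessible to group/other ($bits)"
            rc=1
        else
            echo "OK:   $path"
        fi
    done

    # A directory writable by others lets them replace the keystore.
    case $(perm_go "$dir") in
        ?w????|????w?) echo "FAIL: $dir is writable by group/other"; rc=1 ;;
    esac
    return $rc
}

# Usage: check_keystore "$SECUDIR"
```
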