You configure Secure Network Communication (SNC) on the TREX side with the help of the security configuration tool SAPGENPSE. You use SAPGENPSE to generate the key store SAPSNCS.pse, in which you can store the certificates. You only need this key store for storing the certificate of the ABAP application using TREX. It is therefore not necessary that you send the generated certificate request to your CA.
Prerequisites
To configure SNC on the TREX side, the following prerequisites must be met:
For details see Downloading the SAP Cryptographic Library.
For details see Configuring SAPGENPSE for Use.
Generating the Key Store SAPSNCS.pse
You start the cryptography tool SAPGENPSE from a command prompt.
Execute the executable file sapgenpse in the directory that you defined in the environment variable SECUDIR. The cryptography tool SAPGENPSE generates the key store and stores it in this directory.
sapgenpse gen_pse -p SAPSNCS.pse CN=<SID>-TRX<instance_number>,O=<mycompany>,C=<mycountry>
sapgenpse gen_pse -p SAPSNCS.pse CN=ADS-TRX00,O=SAP,C=DE
Command | Function |
---|---|
sapgenpse | Starts the cryptography tool SAPGENPSE. |
gen_pse | Function of SAPGENPSE that you can use to generate a new key store. |
-p SAPSNCS.pse | You specify the file name of the key store that contains the certificate here. |
You are now prompted for further details of the certificate that you want to generate. Proceed according to the following table:
Prompt | Function/Entry |
---|---|
Please enter PIN: | Do not enter a value. Confirm with Return. |
Please reenter PIN: | Do not enter a value. Confirm with Return. |
get_pse: Distinguished name of PSE owner: | Specifies the distinguished name (DN) of the certificate owner. Make the following specifications: CN=myhost.mydomain, C=mycountry, O=mycompany Note: CN=ADS-TRX00, C=DE, S=BW,O=SAP |
It is also very important to create the credential for the user who runs the server's process. For example, for the TREX server, the user is typically <sapsid>adm (UNIX) or SAPService<SAPSID> (Windows).
The credentials are located in the file cred_v2 in the directory specified in the environment variable SECUDIR. Make sure that only the user under which the TREX service runs has access to this file (including read access).
On Windows, you must also give the operating system user <SAPSID>adm, which was created during the TREX installation, access permission to the key stores; otherwise it cannot access the files. You do both things by entering the following command:
Command | Function |
---|---|
seclogin | Function of SAPGENPSE that you use to initialize a new key store for use. |
-p SAPSNCS.pse | Specify the file name of the key store that you want to initialize. |
-O SAPService<SAPSID> or <SAPSID>adm | You use this option to give the user SAPService<SAPSID> or <SAPSID>adm access to the key store. |
Result
You have created the key store SAPSNCS.pse, into which you can import the certificate of the ABAP application that uses TREX.
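A check for the access restriction on cred_v2 described above, as an added example that is not part of the original SAP documentation: on a UNIX host it verifies that cred_v2 and SAPSNCS.pse are owned by the service user and carry no group or other permission bits. Including SAPSNCS.pse (created above without a PIN) in the check, the function names and the SNC_OWNER variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit SECUDIR file permissions after "sapgenpse seclogin".
# Assumptions: UNIX host; function names and SNC_OWNER are hypothetical.

# check_file PATH UID: return 0 if PATH is a regular file owned by UID with
# no group/other permission bits; otherwise print one finding and return 1.
check_file() {
    f=$1; want_uid=$2
    if [ ! -f "$f" ]; then
        echo "MISSING  $f"; return 1
    fi
    # "ls -ln" prints e.g. "-rw------- 1 1001 1001 ..."; -n keeps the UID numeric.
    info=$(ls -ln "$f")
    mode=${info%% *}
    uid=$(printf '%s\n' "$info" | awk '{print $3}')
    # Characters 5-10 of the mode string are the group and other bits.
    case $(printf '%s' "$mode" | cut -c5-10) in
        ------) ;;
        *) echo "TOO OPEN $f ($mode)"; return 1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER    $f (uid $uid, expected $want_uid)"; return 1
    fi
    return 0
}

# check_secudir DIR OWNER: OWNER is a user name or numeric UID.
# Returns 0 only if cred_v2 and SAPSNCS.pse both pass, 2 if OWNER is unknown.
check_secudir() {
    dir=$1; owner=$2; rc=0
    case $owner in
        ''|*[!0-9]*)
            want=$(id -u "$owner" 2>/dev/null) || {
                echo "UNKNOWN USER $owner"; return 2; } ;;
        *) want=$owner ;;
    esac
    for name in cred_v2 SAPSNCS.pse; do
        check_file "$dir/$name" "$want" || rc=1
    done
    return $rc
}

# Run the audit when both variables are set, e.g. SNC_OWNER=<sapsid>adm.
if [ -n "${SECUDIR:-}" ] && [ -n "${SNC_OWNER:-}" ]; then
    check_secudir "$SECUDIR" "$SNC_OWNER"
fi
```

The check reads mode bits only; access granted through POSIX ACLs is not inspected.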