Setting Up SECUDIR and Saving Files (Windows)

Context

You need the system environment variable SECUDIR and the corresponding directory in order to store the license ticket (ticket) and the keystores to be created (SAPSSLS.pse, SAPSSLC.pse, SAPSSLA.pse). Set up the variable by checking the existing environment variables and creating SECUDIR if it does not already exist.

Procedure

  • Checking Whether SECUDIR Exists

    The environment variable SECUDIR may already exist on your host as a result of a secure communication configuration. Proceed as follows to check whether SECUDIR already exists.

    1. Choose Start > Settings > Control Panel > System.

    2. Choose Environment Variables from the Advanced tab.

    3. You can check existing environment variables on the Environment Variables screen under System Variables.

  • Creating SECUDIR and its Directory

    If the system environment variable SECUDIR does not already exist, you have to create it anew for the configuration of the cryptography tool SAPGENPSE. Proceed as follows.

    1. Create the <drive>:\usr\sap\TREX\sec directory.

      Note

      Make sure that the users of the TREX web server and the TREX user have the necessary permissions on this directory; otherwise, the security files will not be accessible.

    2. Choose Start > Settings > Control Panel > System.

    3. Choose Environment Variables from the Advanced tab.

    4. Choose System Variables and New on the Environment Variables screen.

    5. Enter SECUDIR as the variable name and <drive>:\usr\sap\TREX\sec as the variable value. Confirm with OK.

    6. Restart your computer so that the new system variable SECUDIR is recognized by your operating system.

  • Saving Files in Recommended Storage Locations

    Recommended Storage Locations

    Files: sapcrypto.dll, sapgenpse.exe

    Storage Location: Central directory for executables - DIR_CT_RUN: <drive>:\usr\SAP\<SAPSID>\SYS\exe\nuc\<OS>, for example C:\SAP\B47\SYS\exe\nuc\NT386

    The variable DIR_CT_RUN specifies the path to the central directory for executables. The Central Patch Environment (CPE) takes care of the automatic synchronization of executables and copies them from the central directory into the local TREX directory for executables (DIR_INSTANCE\exe; <drive>:\usr\SAP\<SAPSID>\SYS\TRX<instance_number>\exe).

    Note

    To ensure that automatic synchronization takes place, activate CPE support for TREX security. More information: Enabling CPE Support for TREX Security

    The DIR_CT_RUN variable is defined in the START_TRX<instance_number>_<host> start profile in the SAP system profile directory of your TREX installation: <SAPGLOBALHOST>\sapmnt\<SAPSID>\SYS\profile, for example C:\usr\SAP\<SAPSID>\SYS\profile.

    Files: ticket, SAPSSLS.pse, SAPSSLC.pse, SAPSSLA.pse, SAPSSNCS.pse

    Storage Location: SECUDIR directory for ticket and key store: <drive>:\usr\sap\TREX\sec

    You have to define a system environment variable SECUDIR, which points to this directory. If the system environment variable SECUDIR and the corresponding directory do not exist, you have to create them both.

    You create the SAPSSLS.pse, SAPSSLC.pse, SAPSSLA.pse, and SAPSSNCS.pse keystores using the SAPGENPSE cryptography tool. These are not part of the SAP Cryptographic Library installation package.

    Note

    Refer to the notes for using keystores.

    Save the downloaded files sapcrypto.dll, sapgenpse.exe and ticket, and the generated keystores, in a backup directory. These files may be lost if you completely reinstall TREX. If this happens, you can copy these files either to the central directory for executables (in the case of sapcrypto.dll and sapgenpse.exe) or to the directory of the system environment variable SECUDIR (in the case of ticket and the key stores). Your security configuration will then be available again.
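The check and creation steps of the procedure above can also be carried out from an elevated PowerShell session. The following is an added example, not part of the original SAP documentation. It assumes C: for the <drive> placeholder and uses a constructed list of broad Windows groups (English names) to mark directory permissions that deserve a second look, because the directory holds the keystores.

```powershell
#Requires -RunAsAdministrator
# Added example. $Drive is an assumed value for the page's <drive> placeholder.
param([string]$Drive = 'C:')

$target = "$Drive\usr\sap\TREX\sec"

# 1. Check for an existing SECUDIR at machine scope
#    (the "System Variables" list in the Environment Variables dialog).
$current = [Environment]::GetEnvironmentVariable('SECUDIR', 'Machine')

if ($current) {
    Write-Host "SECUDIR already exists: $current"
    $target = $current
} else {
    # 2. Create the directory first, then the system variable that points to it.
    if (-not (Test-Path -LiteralPath $target)) {
        New-Item -ItemType Directory -Path $target -Force | Out-Null
    }
    [Environment]::SetEnvironmentVariable('SECUDIR', $target, 'Machine')
    Write-Host "SECUDIR created: $target (restart as described in step 6)"
}

# 3. List who can access the directory that will hold the ticket and the
#    PSE keystores. Which accounts the TREX user and the TREX web server run
#    as is site-specific, so nothing is granted here; entries for broad
#    groups are only marked for review.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

if (Test-Path -LiteralPath $target) {
    (Get-Acl -LiteralPath $target).Access | ForEach-Object {
        $id = $_.IdentityReference.Value
        [pscustomobject]@{
            Identity  = $id
            Rights    = $_.FileSystemRights
            Type      = $_.AccessControlType
            Inherited = $_.IsInherited
            Review    = ($_.AccessControlType -eq 'Allow' -and $broad -contains $id)
        }
    } | Format-Table -AutoSize
} else {
    Write-Warning "SECUDIR points to a directory that does not exist: $target"
}
```

Rows with Review set to True are access entries for broad groups; compare them against the accounts that actually need the directory (the TREX user and the users of the TREX web server).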

Results

You have configured the cryptography tool SAPGENPSE on Windows and can now use it to configure secure communication.

Starting SAPGENPSE

You start the cryptography tool SAPGENPSE from a command prompt.

Run the executable file sapgenpse in the directory to which the system environment variable SECUDIR points. The cryptography tool SAPGENPSE generates the keystores and stores them in this directory.