Configuring SNC on TREX Side

Use

You configure Secure Network Communication (SNC) on the TREX side using the security configuration tool SAPGENPSE. You use SAPGENPSE to generate the key store SAPSNCS.pse, in which you can store certificates. You need this key store only to store the certificate of the ABAP application that uses TREX. It is therefore not necessary to send the generated certificate request to your CA.

Prerequisites

Before you configure SNC on the TREX side, the following prerequisites must be met:

  • You have downloaded the SAP Cryptographic Library (sapcrypto.dll/exe for Windows or libsapcrypto.<ext> for UNIX) with the security configuration tool SAPGENPSE and the corresponding license ticket (ticket).

    For details see Downloading the SAP Cryptographic Library.

  • You have configured the security configuration tool SAPGENPSE for use. You do this by setting up the environment variable SECUDIR (Windows only) and saving the downloaded files in recommended storage locations.

    For details see Configuring SAPGENPSE for Use.

Procedure

Generating the Key Store SAPSNCS.pse

You start the cryptography tool SAPGENPSE from a command prompt.

Run the executable file sapgenpse in the directory specified in the environment variable SECUDIR. The cryptography tool SAPGENPSE generates the key store and stores it in this directory.

  1. Generate a new key store by entering the following command:

    sapgenpse gen_pse -p SAPSNCS.pse CN=<SID>-TRX<instance_number>,O=<mycompany>,C=<mycountry>

    Example

    sapgenpse gen_pse -p SAPSNCS.pse CN=ADS-TRX00,O=SAP,C=DE

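    | Command        | Function                                                                         |
    |----------------|----------------------------------------------------------------------------------|
    | sapgenpse      | Starts the SAPGENPSE cryptography tool.                                          |
    | gen_pse        | Function of SAPGENPSE that you can use to generate a new key store.              |
    | -p SAPSNCS.pse | You specify the file name of the key store that contains the certificate here.   |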

    You are now prompted for further details about the certificate that you want to generate. Proceed according to the following table:

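    | Prompt                                    | Function/Entry                                                                                                                                                                              |
    |-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
    | Please enter PIN:                         | Do not enter a value. Confirm with Return.                                                                                                                                                  |
    | Please reenter PIN:                       | Do not enter a value. Confirm with Return.                                                                                                                                                  |
    | get_pse: Distinguished name of PSE owner: | Specifies the distinguished name (DN) of the certificate owner. Make the following specifications: CN=myhost.mydomain, C=mycountry, O=mycompany. Example: CN=ADS-TRX00, C=DE, S=BW, O=SAP |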

  2. After you have created a key store, you have to initialize it for use. The server must have active credentials at run-time. Therefore, to produce active credentials, you must use the configuration tool's command seclogin to open the server's key store.

    It is also very important to create the credential for the user who runs the server's process. For example, for the TREX server, the user is typically <sapsid>adm (UNIX) or SAPService<SAPSID> (Windows).

    Note

    The credentials are located in the file cred_v2 in the directory specified in the environment variable SECUDIR. Make sure that only the user under which the TREX service runs has access to this file (including read access).

    On Windows, you must also give the operating system user <SAPSID>adm, which was created during the TREX installation, access permission to the key stores; otherwise it cannot access the files. You do both things by entering the following command:

    • Windows: sapgenpse seclogin -p SAPSNCS.pse -O SAPService<SAPSID>

    • UNIX: sapgenpse seclogin -p SAPSNCS.pse -O <SAPSID>adm

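      | Command                                 | Function                                                                                     |
      |-----------------------------------------|----------------------------------------------------------------------------------------------|
      | seclogin                                | Function of SAPGENPSE that you use to initialize a new key store for use.                    |
      | -p SAPSNCS.pse                          | Specify the file name of the key store that you want to initialize.                          |
      | -O SAPService<SAPSID> or <SAPSID>adm    | You use this command to give the user SAPService<SAPSID> or <SAPSID>adm access to the key store. |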

Result

You have created the key store SAPSNCS.pse, into which you can import the certificate of the ABAP application using TREX and store it there.
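
The note in step 2 requires that only the user running the TREX service can access cred_v2, and step 1 creates the key store without a PIN, so file ownership and mode are worth checking after seclogin. The following check for UNIX hosts is an added example, not part of the SAP documentation; the function name check_snc_files is hypothetical, and it assumes SAPSNCS.pse and cred_v2 both sit directly in the SECUDIR directory.

```shell
#!/bin/sh
# Added example (not SAP-provided): audit SECUDIR after "sapgenpse seclogin".
# Usage: check_snc_files <secudir> <service user name or numeric uid>
# Returns 0 when cred_v2 and SAPSNCS.pse exist, are owned by the service
# user and grant no permission bits to group or others; 1 on a finding;
# 2 when the user cannot be resolved. POSIX ACLs are not evaluated.
check_snc_files() {
    dir=$1
    case $2 in
        ''|*[!0-9]*)
            # A user name such as <sapsid>adm: resolve it to a uid.
            want_uid=$(id -u "$2" 2>/dev/null) || {
                echo "unknown user: $2" >&2
                return 2
            } ;;
        *)  want_uid=$2 ;;
    esac
    rc=0
    for f in cred_v2 SAPSNCS.pse; do
        path=$dir/$f
        if [ ! -f "$path" ]; then
            echo "MISSING  $path" >&2
            rc=1
            continue
        fi
        # ls -ln prints: mode links uid gid size date name
        set -- $(ls -ln "$path")
        mode=$1
        uid=$3
        # Characters 5-10 of the mode string are the group and other bits.
        go_bits=$(printf '%s' "$mode" | cut -c5-10)
        if [ "$uid" != "$want_uid" ]; then
            echo "OWNER    $path: uid $uid, expected $want_uid" >&2
            rc=1
        fi
        if [ "$go_bits" != "------" ]; then
            echo "MODE     $path: $mode grants group/other access" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run it as check_snc_files "$SECUDIR" <sapsid>adm; each finding is written to standard error with the affected path.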