This procedure lists the commands with which you can administer the data records in the secure storage, for example, by inserting or checking records. To do this, you use the command line tool rsecssfx, which is delivered as part of the kernel executable archive.
Start the command line tool with the system’s instance profile. From this, the tool determines the values of the profile parameters SAPSYSTEMNAME, rsec/ssfs_datapath, and rsec/ssfs_keypath.
To do this, enter a command with the following syntax:
rsecssfx pf=<profile> <command> [<command arguments>] [<command options>]
Note
Instead of using the profile, you can also set the environment variables SAPSYSTEMNAME, RSEC_SSFS_DATAPATH, and RSEC_SSFS_KEYPATH. As soon as you set these environment variables, they override the corresponding values from the profile.
Insert the commands, command arguments, and command options required for your action into the command line.
Command | Command Arguments | Command Options | Description |
---|---|---|---|
help | | None | Displays the tool’s help text, which contains, in principle, the same information as this document, but may be more up-to-date. |
put | | | Inserts or overwrites a data record into the secure storage. |
get | <key> | | Fetches a data record from the secure storage. The escape characters for text values are displayed as described for the operation put. You can use the report RSECSSFX_ESCAPE to convert the value to the correct format for your character set. The tool does not display the values of data records that have been stored encrypted. If a text value is more than 60 characters long, it is also not displayed in the regular output to avoid an overrun of the console. In such cases, use the command -getPlainValueToConsole. |
remove | <key> Key of the data record | None | Removes a data record from the secure storage. Physically, the tool only initially marks the data record as deleted, and only removes it from the file when you execute the command compact. Caution: You cannot restore deleted data records. |
list | None | None | Lists the data records in the secure storage, provides a data record counter, and information about the storage locations of the data file and the key file. |
compact | None | None | Releases space in the data file of the secure storage that is occupied by entries that have been deleted. When you delete or update a data record, the tool does not immediately remove the data from the data file, but rather only marks it as deleted. You can use this command to reduce the size of the data file. |
changekey | <new key> New encryption key, which you enter with 24 bytes in hexadecimal format, that is with 48 characters in the range 0...9 and A...F. You can use the ABAP report RSECKEYGEN to generate this data from a pass phrase. | None | Changes the encryption key of the secure storage and re-encrypts all existing data records that were encrypted with the current encryption key with the new encryption key. Note: The tool only updates the key file with the new encryption key if it can decrypt at least one of the encrypted data records in the secure storage with the current encryption key. |
migrate | <old key> Encryption key with which data records that can no longer be read were placed into the secure storage. | None | Attempts to decrypt data records that were placed in the secure storage with an encryption key other than the current key. This command is intended as an emergency solution if you have changed the key file outside the tool and therefore can no longer read the data records. The prerequisite for this, however, is that you still know the encryption key that was used to insert the entries that can no longer be read. Note: If you use the tool to change the key, it automatically re-encrypts the data records. You cannot destroy data by executing this command. Data records that the tool still cannot decrypt using the specified old encryption key are retained as they are. This means that you can attempt to decrypt these records again later. |
removelock | None | None | Forces the removal of the update lock for the secure storage. If you receive the error message for update operations that the update is locked by another user, and the other user confirms that he or she has completed his or her operation, use this command. In this case, the lock was retained due to a system error. |
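
The following wrapper for the changekey command is an added example, not part of the SAP documentation or the tool. It generates a random 24-byte key in the 48-character 0...9/A...F format (an alternative to deriving one from a pass phrase with RSECKEYGEN), checks the format, and runs list before and after changekey. The function names are hypothetical, and the example assumes that rsecssfx returns a non-zero exit status when a command fails.

```shell
#!/bin/sh
# Added example: helper functions around the documented rsecssfx commands.
# Function names are hypothetical; nothing here ships with the SAP kernel.

# Print a random 24-byte key as 48 uppercase hexadecimal characters.
gen_ssfs_key() {
    od -An -N24 -tx1 /dev/urandom | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Succeed only for exactly 48 characters from 0...9 and A...F.
# The character set is spelled out so the check does not depend on the locale.
is_valid_ssfs_key() {
    [ "${#1}" -eq 48 ] || return 1
    case "$1" in
        *[!0123456789ABCDEF]*) return 1 ;;
    esac
    return 0
}

# rotate_ssfs_key <profile> <new key>
# Assumption: rsecssfx exits non-zero when a command fails.
# The key is passed as a command argument (the syntax the page gives), so it is
# visible in the process list while changekey runs and may land in shell history.
rotate_ssfs_key() {
    if ! is_valid_ssfs_key "$2"; then
        echo "new key must be 48 characters from 0-9 and A-F" >&2
        return 2
    fi
    # Pre-check: the profile resolves and the secure storage can be listed.
    rsecssfx pf="$1" list >/dev/null || return 3
    rsecssfx pf="$1" changekey "$2" || return 4
    # Post-check: show the records and file locations after re-encryption.
    rsecssfx pf="$1" list
}
```

Call rotate_ssfs_key with the instance profile path and a key from gen_ssfs_key. Record the key in a protected location, because migrate requires the old key if the key file is ever changed outside the tool.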