Administering the Secure Storage in the File System (AS ABAP)

This procedure lists the commands with which you can administer the data records in the secure storage, for example, by inserting or checking records. To do this, you use the command line tool rsecssfx, which is delivered as part of the kernel executable archive.

Procedure

Start the command line tool with the system’s instance profile. From this, the tool determines the values of the profile parameters SAPSYSTEMNAME, rsec/ssfs_datapath, and rsec/ssfs_keypath.

To do this, enter a command with the following syntax:

rsecssfx pf=<profile> <command> <[command arguments>] <[command options>]

Note
Instead of using the profile, you can also set the environment variables SAPSYSTEMNAME, RSEC_SSFS_DATAPATH, and RSEC_SSFS_KEYPATH. As soon as you set these environment variables, they overwrite the corresponding value from the profile.

End of the note.

Insert the commands, command arguments, and command options required for your action into the command line.

Input Options for the Command Line Tool rsecssfx
Command	Command Arguments	Command Options	Description
`help`	No entry If you execute the command without a command argument, the tool displays basic help information, including a list of the available commands. `<command>` If you execute the command with a command as an argument, the tool displays detailed help for this command, including example calls.	None	Displays the tool’s help text, which contains, in principle, the same information as this document, but may be more up-to-date.
`put`	`<key>` `<value>` Value to be stored, which you need to leave out when using the options `-valuefile` or `-binary`. To avoid problems with code pages or character sets, the content of this argument is the UTF-8 representation of the value to be stored. You can directly enter characters that are contained in the ASCII character set. You need to enter other characters, on the other hand, as a two-character hexadecimal code, prefixed with a percentage sign (%) as an escape character. Example The name `Jürgen` contains the German umlaut `ü`, for which the UTF-8 representation is `0xC3, 0xBC`. The value for the command line is then `J%C3%BCrgen`. If you have an AS ABAP available, you can use the report `RSECSSFX_ESCAPE` to support you when creating a value with the correct escape characters. End of the example.	`-plain` The system stores the value unencrypted. This affects values that are required to connect to the database, but which are not sensitive, such as the host name or connection parameters. If you store values unencrypted, you can display or extract them using the command `get`. `-valuefile` `<file name>` With this option, the system does not expect the value to be stored in the data record as a command argument, but rather as the content of the file specified in the option. For text values, the file must contain the value in UTF-8 format and must start with the correct UTF-8 byte order mark (`0xEF, 0xBB, 0xBF`). It must also contain no characters other than the value to be stored, such as line breaks or tabs, if these are not part of the actual value. For binary values, the content must have the signature of a PSE file, unless `-plain` is used. `-valuefile7bit` Disable the UTF-8 byte order mark check with this option. The value file must then contain only the value (no byte order mark). Trailing carriage return and line feed characters are permitted, but are ignored without warning. `-binary` This option stores a binary value. The value is read from a file that must be passed by `-valuefile`.	Inserts or overwrites a data record into the secure storage.
`get`	`<key>`	`-getPlainValueToConsole` For text values only: Displays only the data record value on the console, including the escape character as described above, but without any additional data record information. This command also works if the data record value is more than 60 characters long. If you use this option for an encrypted value, the system triggers an error. `-valuefile` For binary values only: Writes the binary data to a file whose name is given by this option. If you use this option for an encrypted value, the system triggers an error.	Fetches a data record from the secure storage. The escape characters for text values are displayed as described for the operation `put`. You can use the report `RSECSSFX_ESCAPE` to convert the value to the correct format for your character set. The tool does not display the values of data records that have been stored encrypted. If a text value is more than 60 characters long, it is also not displayed in the regular output to avoid an overrun of the console. In such cases, use the command `-getPlainValueToConsole`.
`remove`	`<key>` Key of the data record	None	Removes a data record from the secure storage. Physically, the tool only initially marks the data record as deleted, and only removes it from the file when you execute the command `compact`. Caution You cannot restore deleted data records. End of the caution.
`list`	None	None	Lists the data records in the secure storage, provides a data record counter, and information about the storage locations of the data file and the key file.
`compact`	None	None	Releases space in the data file of the secure storage that is occupied by entries that have been deleted. When you delete or update a data record, the tool does not immediately remove the data from the data file, but rather only marks it as deleted. You can use this command to reduce the size of the data file.
`changekey`	`<new key>` New encryption key, which you enter with 24 bytes in hexadecimal format, that is with 48 characters in the range 0...9 and A...F. You can use the ABAP report `RSECKEYGEN` to generate this data from a pass phrase.	None	Changes the encryption key of the secure storage and re-encrypts all existing data records that were encrypted with the current encryption key with the new encryption key. Note The tool only updates the key file with the new encryption key if it can decrypt at least one of the encrypted data records in the secure storage with the current encryption key. End of the note.
`migrate`	`<old key>` Encryption key with which data records that can no longer be read were placed into the secure storage.	None	Attempts to decrypt data records that were placed in the secure storage with an encryption key other than the current key. This command is intended as an emergency solution if you have changed the key file outside the tool and therefore can no longer read the data records. The prerequisite for this, however, is that you still know the encryption key that was used to insert the entries that can no longer be read. Note If you use the tool to change the key, it automatically re-encrypts the data records. End of the note. You cannot destroy data by executing this command. Data records that the tool still cannot decrypt using the specified old encryption key are retained as they are. This means that you can attempt to decrypt these records again later.
`removelock`	None	None	Forces the removal of the update lock for the secure storage. If you receive the error message for update operations that the update is locked by another user, and the other user confirms that he or she has completed his or her operation, use this command. In this case, the lock was retained due to a system error.