Administering the Secure Storage in the File System (AS ABAP)

Context

This procedure lists the commands with which you can administer the data records in the secure storage, for example, by inserting or checking records. To do this, you use the command line tool rsecssfx, which is delivered as part of the kernel executable archive.

Procedure

Start the command line tool with the system's instance profile. From this, the tool determines the values of the profile parameters SAPSYSTEMNAME, rsec/ssfs_datapath, and rsec/ssfs_keypath.

To do this, enter a command with the following syntax:

rsecssfx pf= <profile> <command> <[command arguments>] <[command options>]

Note
Instead of using the profile, you can also set the environment variables SAPSYSTEMNAME, RSEC_SSFS_DATAPATH, and RSEC_SSFS_KEYPATH. As soon as you set these environment variables, they overwrite the corresponding value from the profile. This configuration option exists for all standalone tools using the secure storage in the file system (for example, r3trans or tp). There is no configuration option in the kernel of the AS ABAP (Disp+Work). Being a part of the kernel, the secure storage in the file system can be configured in the profile parameters.

Insert the commands, command arguments, and command options required for your action into the command line.

Command	Command Arguments	Command Options	Description
help	No entry If you execute the command without a command argument, the tool displays basic help information, including a list of the available commands. `<command>` If you execute the command with a command as an argument, the tool displays detailed help for this command, including example calls.	None	Displays the tool's help text, which contains, in principle, the same information as this document, but may be more up-to-date.
put	`<record_identifier>` `<value>` Value to be stored, which you need to leave out when using the option -valuefile or binary. If your system is a no Unicode system, you must use characters of the ASCII character set. Otherwise an error occurs. If your system is a Unicode system, you can also store characters outside the ASCII character set. To avoid problems with code pages or character sets, the content of this argument must be the UTF-8 representation of the value to be stored. You can directly enter characters that are contained in the ASCII character set. You need to enter other characters, on the other hand, as a two-character hexadecimal code, prefixed with a percentage sign (%) as an escape character. Example The name `Jürgen` contains the German umlaut `ü`, for which the UTF-8 representation is `0xC3, 0xBC`. The value for the command line is then `J%C3%BCrgen`. If you have an AS ABAP available, you can use the report RSECSSFX_ESCAPE to support you when creating a value with the correct escape characters.	-plain The system stores the value unencrypted. This affects values that are required to connect to the database, but which are not sensitive, such as the host name or connection parameters. If you store values unencrypted, you can display them using the command get. -valuefile `<file name>` With this option, the system does not expect the value to be stored in the data record as a command argument, but rather as the content of the file specified in the option. For binary values, the file must contain the value in UTF-8 format and must start with the correct UTF-8 byte order mark ( `0xEF, 0xBB, 0xBF`). It must also contain no characters other than the value to be stored, such as line breaks or tabs, if these are not part of the actual value. -valuefile7bit Disable the UTF-8 byte order mark check with this option. The value file must then contain only the value (no byte order mark). Trailing carriage return and line feed characters are permitted, but are ignored without warning. -binary This option stores a binary value. The value is read from a file that must be passed by valuefile.	Inserts or overwrites a data record into the secure storage.
get	`<record_identifier>`	-getPlainValueToConsole Displays only the data record value on the console, including the escape character as described above, but without any additional data record information. This command also works if the data record value is more than 60 characters long. If you use this option for an encrypted value, the system triggers an error. -valuefile For binary values only: Writes the binary data to a file whose name is given by this option. If you use this option for an encrypted value, the system triggers an error.	Fetches a data record from the secure storage. The escape characters for the value are displayed as described for the operation put. You can use the report RSECSSFX_ESCAPE to convert the value to the correct format for your character set. The tool does not display the values of data records that have been stored encrypted. If the value is more than 60 characters long, it is also not displayed in the regular output to avoid an overrun of the console. In such cases, use the command -getPlainValueToConsole.
remove	`<record_identifier>` Key of the data record	None	Removes a data record from the secure storage. Physically, the tool only initially marks the data record as deleted, and only removes it from the file when you execute the command compact. Caution You cannot restore deleted data records.
list	None	None	Lists the data records in the secure storage, provides a data record counter, and information about the storage locations of the data file and the key file.
compact	None	None	Releases space in the data file of the secure storage that is occupied by entries that have been deleted. When you delete or update a data record, the tool does not immediately remove the data from the data file, but rather only marks it as deleted. You can use this command to reduce the size of the data file.
generatekey	None	None	Generates a random encryption key to be used in command changekey and sends it to the console. This command does not change data (see also Key Management).
changekey	`<new_encryption_key>` New encryption key generated with the command generatekey.	None	Changes the encryption key of the secure storage and re-encrypts all existing data records that were encrypted with the current encryption key with the new encryption key (see also Key Management). Note The tool only updates the key file with the new encryption key if it can decrypt at least one of the encrypted data records in the secure storage with the current encryption key.
migrate	`<old_encryption_key>` Encryption key with which data records that can no longer be read were placed into the secure storage.	None	Attempts to decrypt data records that were placed in the secure storage with an encryption key other than the current key. This command is intended as an emergency solution if you have changed the key file outside the tool and therefore can no longer read the data records. The prerequisite for this, however, is that you still know the encryption key that was used to insert the entries that can no longer be read. Note If you use the tool to change the key, it automatically re-encrypts the data records. You cannot destroy data by executing this command. Data records that the tool still cannot decrypt using the specified old encryption key are retained as they are. This means that you can attempt to decrypt these records again later.
removelock	None	None	Forces the removal of the update lock for the secure storage. If you receive the error message for update operations that the update is locked by another user, and the other user confirms that he or she has completed his or her operation, use this command. In this case, the lock was retained due to a system error.