1. As user set the environment variables SNC_LIB and SECUDIR:
UNIX:
SECUDIR =
SNC_LIB =
Windows NT, 2000, XP or higher:
SECUDIR =
SNC_LIB =
Note I: After configuring the variables in Windows, verify them with the command 'set'. If the variables are not displayed as entered, reboot the server.
2. Change to Certification. From the list of SAProuters registered to your installation, choose the relevant "Distinguished Name".
Example:
sapgenpse get_pse -v -a sha256WithRsaEncryption -s 2048 -r certreq -p local.pse "CN=example, OU=0000123456, OU=SAProuter, O=SAP, C=DE"
Alternatively use the two commands:
sapgenpse get_pse -v -a sha256WithRsaEncryption -s 2048 -noreq -p local.pse ""
sapgenpse get_pse -v -onlyreq -r certreq -p local.pse
You will be asked twice for a PIN here. Choose a PIN and document it; you have to enter it identically both times. You will then have to enter the same PIN every time you want to use this PSE.
4. Display the output file "certreq" and copy and paste its contents (including the BEGIN and END statements) into the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name.
5. In response you will receive the certificate signed by the CA in the Service Marketplace. Copy and paste the text to a new local file named "srcert", which must be created in the same directory as the sapgenpse executable.
6. With this in turn you can install the certificate in your SAProuter by calling:
sapgenpse import_own_cert -c srcert -p local.pse
7. Now you will have to create the credentials for the SAProuter with the same program (if you omit -O, the credentials are created for the logged in user account):
sapgenpse seclogin -p local.pse -O
Note: The account of the service user should always be entered in full \
8. This will create a file called "cred_v2" in the same directory as "local.pse". For increased security, check that the file can only be accessed by the user running the SAProuter. Do not allow any other access (not even from the same group)!
On UNIX this means permissions set to 600 or even 400!
On Windows, check that the permissions are granted only to the user the service is running as!
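The UNIX permission check from step 8 can be scripted. The following is an added example, not part of the original procedure or of SAP's tooling; the function names are hypothetical, and the commented call assumes cred_v2 sits in the directory named by SECUDIR.

```shell
#!/bin/sh
# Added example (not SAP code): audit the cred_v2 file from step 8.

# Print "<octal mode> <numeric owner uid>" for a file.
# Tries GNU stat first, then the BSD/macOS syntax.
mode_and_uid() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# check_cred FILE UID
# Succeeds only if FILE is a regular file (not a symlink), is owned by UID,
# and has mode 600 or 400, i.e. no group or other access at all.
check_cred() {
    file=$1
    want_uid=$2
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is missing, a symlink, or not a regular file" >&2
        return 1
    fi
    info=$(mode_and_uid "$file") || return 1
    mode=${info%% *}
    uid=${info#* }
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $file is owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    case $mode in
        600|400) echo "OK: $file mode $mode, uid $uid" ;;
        *) echo "FAIL: $file has mode $mode, expected 600 or 400" >&2
           return 1 ;;
    esac
}

# Typical call, run as the account that starts SAProuter
# (assumption: cred_v2 is in the SECUDIR directory):
#   check_cred "$SECUDIR/cred_v2" "$(id -u)"
```

A non-zero exit status means the file should be fixed with chmod 600 (or 400) and its ownership corrected before SAProuter is started.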
9. Check if the certificate has been imported successfully with the following command:
sapgenpse get_my_name -v -n Issuer
The name of the Issuer should be:
CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE
10. If this is not the case, delete the files "cred_v2", "local.pse", "srcert" and "certreq" and start over at item 3. If the output still does not match, please open an incident at component XX-SER-NET stating the actions you have taken so far and the output of the commands in items 3, 6, 7 and 9.