Use of SHA-2 algorithm family in SSL PSEs
It is becoming common to need to replace old PSEs, created with the SHA-1 algorithm, with new PSEs that use the SHA-2 algorithm family.
Here you will find the steps to replace a PSE in STRUST and the steps to create a PSE using sapgenpse (e.g. when using the SAP Web Dispatcher).
The system must have SAPCRYPTOLIB 5.5.5 patch level 34 (or higher) or any CommonCryptoLib installed.
It is possible to verify the SAPCRYPTOLIB/CommonCryptoLib version by executing the command:
in the command line interface (running as SIDadm) or via report RSBDCOS0. The output shows the library version, for example:
Loaded CommonCryptoLib from sapgenpse folder
Platform: linux-gcc-4.3-x86-64 (linux-gcc-4.3-x86-64)
Versions: SAPGENPSE 8.4.35 (Mar 16 2015)
CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.35 pl40 (Mar 16 2015) MT-safe
Environment variable $SECUDIR is defined:
It is also important to have the kernel patch level mentioned in SAP note 1739681 installed in the system.
In your ABAP system, use SNOTE to implement SAP note 1740744. For newer releases, e.g. Netweaver 7.40, the correction is already in place.
2. Replacing a PSE in STRUST
Open STRUST, right-click the PSE that should use the SHA-2 algorithm and click Replace.
Now select the relevant algorithm in the dropdown box, as shown below:
Enter the remaining details and confirm.
If a PSE from a productive system needs to be replaced, then it is recommended to follow the steps from SAP note 1178155.
You can confirm the use of the SHA-2 algorithm by double-clicking the Own Certificate. The Certificate section presents the details:
After you have imported the certificate response, verify whether the ICM was notified about the change. It might be necessary to import the corrections from SAP note 2417844.
3. Creating a PSE using sapgenpse
In a command line interface execute the following command:
sapgenpse gen_pse -p <PSENAME> -a sha256WithRsaEncryption -x <PIN>
(replace <PSENAME> and <PIN> with the desired PSE name and PIN).
Enter the relevant DN; the CSR is printed as output.
In order to verify the algorithm, just execute:
sapgenpse get_my_name -p <PSENAME> -v -v -x <PIN>
The “My Certificate” section should show:
Signature algorithm: sha256WithRsaEncryption (1.2.840.113549.1.1.11)
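The check described in the two sections above (reading the signature algorithm of the own certificate and deciding whether the PSE still needs to be replaced) can be scripted so that many PSEs are audited the same way. The script below is an added example, not code from the original page or from SAP: it parses the output of the documented `sapgenpse get_my_name -p <PSENAME> -v -v -x <PIN>` call and classifies the algorithm as SHA-2 family (acceptable) or SHA-1/MD5 (replace). The function names are hypothetical, the sample output used for testing is constructed, and `verify_pse` assumes that `sapgenpse` is on the PATH and that `$SECUDIR` points at the directory holding the PSE.

```shell
#!/bin/sh
# Added example (not from the original page or from SAP): classify the signature
# algorithm reported by "sapgenpse get_my_name -v -v" so that PSEs still signed
# with SHA-1 (or MD5) are flagged for replacement.
# Assumptions: sapgenpse is on the PATH and $SECUDIR points at the PSE
# directory when verify_pse is used; classify_sapgenpse_output needs only text.

# Print the algorithm name from the first "Signature algorithm:" line read on
# stdin. sapgenpse may print the name directly after the colon or after a
# space, followed by the OID in parentheses; both forms are handled.
# Prints nothing if no such line is present.
signature_algorithm_of() {
    sed -n 's/^[[:space:]]*Signature algorithm:[[:space:]]*\([A-Za-z0-9-]*\).*/\1/p' | head -n 1
}

# Read sapgenpse output on stdin and report the result. Exit status:
#   0 -> SHA-2 family signature (acceptable)
#   1 -> SHA-1 or MD5 signature (PSE should be replaced)
#   2 -> no "Signature algorithm" line found (PSE unreadable, wrong PIN, ...)
#   3 -> algorithm not recognised by this script
classify_sapgenpse_output() {
    alg=$(signature_algorithm_of)
    case "$alg" in
        "")
            echo "ERROR: no 'Signature algorithm' line in sapgenpse output" >&2
            return 2 ;;
        sha224With*|sha256With*|sha384With*|sha512With*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512)
            echo "OK: $alg (SHA-2 family)"
            return 0 ;;
        sha1With*|md5With*|ecdsa-with-SHA1)
            echo "REPLACE: $alg (legacy algorithm, not SHA-2)"
            return 1 ;;
        *)
            echo "UNKNOWN: $alg" >&2
            return 3 ;;
    esac
}

# Check one PSE with the command documented on this page (PIN passed via -x).
# Usage: verify_pse /usr/sap/<SID>/.../SAPSSLS.pse '<PIN>'
verify_pse() {
    pse="$1"
    pin="$2"
    sapgenpse get_my_name -p "$pse" -v -v -x "$pin" | classify_sapgenpse_output
}

# Audit several PSEs in one go; returns non-zero if any of them is not SHA-2.
# Usage: verify_pse_list '<PIN>' SAPSSLS.pse SAPSSLC.pse ...
verify_pse_list() {
    pin="$1"
    shift
    worst=0
    for pse in "$@"; do
        printf '%s: ' "$pse"
        verify_pse "$pse" "$pin" || { rc=$?; [ "$rc" -gt "$worst" ] && worst=$rc; }
    done
    return "$worst"
}
```

The classification deliberately treats an unrecognised algorithm name and a missing line as distinct failures, so that an automated run can tell "wrong PIN or unreadable PSE" apart from "new algorithm the script does not know yet".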
4. Reference Documents
2147844 – STRUST | ICM is not always notified when SSL Server PSEs are created or deleted
1740744 – SSFPSE_CREATE: Support creation of RSA-PSEs with SHA-256
1739681 – Kernel: Support creation of RSA-PSEs with SHA-256
1689776 – SAPCRYPTOLIB 555pl34: bugfixes, AES-NI support
1178155 – Replacing PSEs in productive SSL Servers