It is becoming common to need to replace old PSEs, created with the SHA-1 algorithm, with new PSEs that use the SHA-2 algorithm family.

Here you will find the steps to replace a PSE in STRUST and the steps to create a PSE using sapgenpse (e.g. when using the SAP Web Dispatcher).

1. Prerequisites

The system must have SAPCRYPTOLIB 5.5.5 patch level 34 (or higher) or any CommonCryptoLib installed.

It is possible to verify the SAPCRYPTOLIB/CommonCryptoLib version by executing the command:

sapgenpse

in the command line interface (running as SIDadm) or via report RSBDCOS0.

Example:

"...
Loaded CommonCryptoLib from sapgenpse folder
  "/usr/sap/SID/DVEBMGS00/exe/libsapcrypto.so"
Platform: linux-gcc-4.3-x86-64 (linux-gcc-4.3-x86-64)
Versions: SAPGENPSE 8.4.35 (Mar 16 2015)
          FILE-Version 8.4.35.0
          CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.35 pl40 (Mar 16 2015) MT-safe
USER="sidadm"
Environment variable $SECUDIR is defined:
  "/usr/sap/SID/DVEBMGS00/sec"
..."

It is also important to have the kernel patch level mentioned in SAP note 1739681 running in the system.

In your ABAP system, use SNOTE to implement SAP note 1740744. For newer releases, e.g. Netweaver 7.40, the correction is already in place.

2. Replacing a PSE in STRUST

Access STRUST, right-click the PSE that should use the SHA-2 algorithm and click Replace.

Now select the relevant algorithm in the drop-down box, as shown below:

[Screenshot: STRUST SHA-256.jpg]

Enter the remaining details and confirm.

If a PSE from a productive system needs to be replaced, then it is recommended to follow the steps from SAP note 1178155.

You can confirm the use of the SHA-2 algorithm by double-clicking the Own Certificate. The Certificate section presents the details:

[Screenshot: STRUST SHA-256 Certificate.jpg]

After you have imported the certificate response, verify whether the ICM was notified about the change. It might be necessary to import the corrections from SAP note 2147844 (see the reference list below).

3. Creating a PSE using sapgenpse

In a command line interface, execute the following command:

sapgenpse gen_pse -p <PSENAME> -a sha256WithRsaEncryption -x <PIN>

(replace <PSENAME> and <PIN> with the required PSE name and PIN).

Enter the relevant Distinguished Name (DN) when prompted; the CSR is printed as output.

To verify the algorithm, execute:

sapgenpse get_my_name -p <PSENAME> -v -v -x <PIN>

The "My Certificate" section should show:

"...
  Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)
..."
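As an added helper (not from the original post), the following POSIX shell functions parse the output of the get_my_name command above and flag PSEs that still use a SHA-1 (or other non-SHA-2) signature algorithm. The audit_secudir function assumes every *.pse under $SECUDIR accepts the same PIN from the PSE_PIN variable; adapt it if your PSEs have individual PINs.

```shell
#!/bin/sh
# Added audit helper for "sapgenpse get_my_name -p <PSENAME> -v -v -x <PIN>"
# output; not part of the original post.

# Read get_my_name output on stdin and print the first "Signature algorithm"
# value found, e.g. "sha256WithRsaEncryption". With -v -v the first such line
# belongs to the "My Certificate" section, which is the one being checked.
pse_sig_alg() {
  sed -n 's/^[[:space:]]*Signature algorithm:[[:space:]]*\([A-Za-z0-9-]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when the algorithm name belongs to the SHA-2 family
# (sha256/sha384/sha512...), 1 for sha1, md5 or anything unrecognised,
# i.e. a PSE that still needs to be replaced.
sig_alg_is_sha2() {
  case "$1" in
    sha256*|sha384*|sha512*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print "<pse file> <algorithm> OK|REPLACE|CHECK" for every *.pse in $SECUDIR.
# Assumption: all PSEs share the PIN given in $PSE_PIN; PSEs that cannot be
# opened (wrong PIN, no own certificate) are reported as CHECK.
audit_secudir() {
  for pse in "${SECUDIR:?SECUDIR not set}"/*.pse; do
    [ -f "$pse" ] || continue
    alg=$(sapgenpse get_my_name -p "$pse" -v -v -x "${PSE_PIN:?PSE_PIN not set}" 2>/dev/null | pse_sig_alg)
    if [ -z "$alg" ]; then
      printf '%s\t%s\t%s\n' "$pse" "unknown" "CHECK"
    elif sig_alg_is_sha2 "$alg"; then
      printf '%s\t%s\t%s\n' "$pse" "$alg" "OK"
    else
      printf '%s\t%s\t%s\n' "$pse" "$alg" "REPLACE"
    fi
  done
}
```

Run `SECUDIR=/usr/sap/SID/DVEBMGS00/sec PSE_PIN=... sh -c '. ./pse_audit.sh; audit_secudir'` as the <sid>adm user; every line marked REPLACE is a PSE still signed with a pre-SHA-2 algorithm.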

4. Reference Documents

2147844 – STRUST | ICM is not always notified when SSL Server PSEs are created or deleted

1740744 – SSFPSE_CREATE: Support creation of RSA-PSEs with SHA-256

1739681 – Kernel: Support creation of RSA-PSEs with SHA-256

1689776 – SAPCRYPTOLIB 555pl34: bugfixes, AES-NI support

1178155 – Replacing PSEs in productive SSL Servers


2 Comments


  1. Erika Bustamante

    Very clear information.  Thanks.

    If we want to replace the SSL Server certificates to use SHA-2, is it necessary to change the system PSE too?  Can the system PSE stay at DSA-1 while SSL Server moves to SHA-2?  Are there any security risks?

    1. Cristiano Hansen Post author

      Hi Erika,


      No, you only need to replace the SSL-related PSEs. The System PSE uses DSA algorithm. There is no need to change it.


      Kind regards,

      Cris
