Technology Blogs by SAP
cris_hansen
Advisor

It is becoming common to need to replace old PSEs, created with the SHA-1 algorithm, by new PSEs created with an algorithm from the SHA-2 family.

Here you will find the steps to replace a PSE in STRUST and the steps to create a PSE using sapgenpse (e.g. when using the SAP Web Dispatcher).

1. Prerequisites

The system must have SAPCRYPTOLIB 5.5.5 patch level 34 (or higher) or any CommonCryptoLib installed.

It is possible to verify the SAPCRYPTOLIB/CommonCryptoLib version by executing the command:

sapgenpse

in the command line interface (running as SIDadm) or via report RSBDCOS0.

Example:

"...
Loaded CommonCryptoLib from sapgenpse folder
"/usr/sap/SID/DVEBMGS00/exe/libsapcrypto.so"
Platform: linux-gcc-4.3-x86-64 (linux-gcc-4.3-x86-64)
Versions: SAPGENPSE 8.4.35 (Mar 16 2015)
            FILE-Version 8.4.35.0
            CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.35 pl40 (Mar 16 2015) MT-safe
USER="sidadm"
Environment variable $SECUDIR is defined:
"/usr/sap/SID/DVEBMGS00/sec"
..."

The system must also run at least the kernel patch level given in SAP note 1739681.

In your ABAP system, use SNOTE to implement SAP note 1740744. For newer releases, e.g. NetWeaver 7.40, the correction is already in place.
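The version check above is easy to get wrong by eye when several library versions are reported on one screen. The following POSIX sh function is an added example (not part of the original post) that parses the "Versions:" block printed by sapgenpse and returns success only when the prerequisite from this section is met: SAPCRYPTOLIB 5.5.5 pl34 or higher, or any CommonCryptoLib. The sample outputs are constructed for the example and modelled on the output shown above; the two SAPCRYPTOLIB 5.5.5 samples are invented.

```shell
#!/bin/sh
# Added example: check the crypto library version reported by sapgenpse
# against the prerequisite (SAPCRYPTOLIB 5.5.5 pl34+ or any CommonCryptoLib).

# Constructed sample outputs (modelled on the "Versions:" block above).
SAMPLE_CCL='Versions: SAPGENPSE 8.4.35 (Mar 16 2015)
            FILE-Version 8.4.35.0
            CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.35 pl40 (Mar 16 2015) MT-safe'
SAMPLE_OLD='Versions: SAPGENPSE 5.5.5 (Jan 01 2010)
            SAPCRYPTOLIB Version 5.5.5 pl20 (Jan 01 2010) MT-safe'
SAMPLE_OK='Versions: SAPGENPSE 5.5.5 (Jan 01 2012)
            SAPCRYPTOLIB Version 5.5.5 pl34 (Jan 01 2012) MT-safe'

# cryptolib_ok OUTPUT
#   exit 0 when OUTPUT (the text printed by `sapgenpse`) reports a library
#   that satisfies the prerequisite, exit 1 otherwise.
cryptolib_ok() {
    out=$1
    # Any CommonCryptoLib release satisfies the prerequisite.
    if printf '%s\n' "$out" | grep -q 'CommonCryptoLib'; then
        return 0
    fi
    # Otherwise take the "SAPCRYPTOLIB Version a.b.c plN" line.
    line=$(printf '%s\n' "$out" | grep 'SAPCRYPTOLIB Version' | head -n 1)
    [ -n "$line" ] || return 1
    ver=$(printf '%s\n' "$line" | sed -n 's/.*Version \([0-9][0-9.]*\) pl\([0-9][0-9]*\).*/\1/p')
    pl=$(printf '%s\n' "$line" | sed -n 's/.*Version \([0-9][0-9.]*\) pl\([0-9][0-9]*\).*/\2/p')
    [ -n "$ver" ] && [ -n "$pl" ] || return 1
    # Fold a.b.c plN into one comparable integer (assumes b, c < 100, N < 1000).
    set -- $(printf '%s\n' "$ver" | tr '.' ' ')
    key=$(( ${1:-0} * 10000000 + ${2:-0} * 100000 + ${3:-0} * 1000 + pl ))
    min=$(( 5 * 10000000 + 5 * 100000 + 5 * 1000 + 34 ))
    [ "$key" -ge "$min" ]
}

# Usage on a real system (run as <sid>adm):
#   cryptolib_ok "$(sapgenpse 2>&1)" && echo "library OK" || echo "library too old"
```

The function short-circuits on the CommonCryptoLib name because the text accepts any CommonCryptoLib release; only the older SAPCRYPTOLIB line is compared numerically, including the patch level, which is the part most often overlooked.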

2. Replacing a PSE in STRUST

Access STRUST, right-click the PSE that should use the SHA-2 algorithm and click Replace.

Now select the relevant algorithm in the dropdown box, as shown below:

Enter the remaining details and confirm.

If a PSE from a productive system needs to be replaced, then it is recommended to follow the steps from SAP note 1178155.

You can confirm the use of the SHA-2 algorithm by double-clicking the Own Certificate. The Certificate section presents the details:

After you have imported the certificate response, verify whether the ICM was notified about the change. It might be necessary to import the corrections from SAP note 2417844.

3. Creating a PSE using sapgenpse

In a command line interface execute the following command:

sapgenpse gen_pse -p <PSENAME> -a sha256WithRsaEncryption -x <PIN>

(replace <PSENAME> and <PIN> with the required PSE name and PIN).

Enter the relevant Distinguished Name (DN); the certificate signing request (CSR) is written as output.

To verify the algorithm, execute:

sapgenpse get_my_name -p <PSENAME> -v -v -x <PIN>

The "My Certificate" section should show:

"...
  Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)
..."
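When many PSEs are being replaced, a scripted check of the get_my_name output is more reliable than reading each one. The following POSIX sh functions are an added example (not part of the original post): they extract the "Signature algorithm" line from the output of sapgenpse get_my_name -v -v and accept only SHA-2 family RSA algorithms, so a PSE that is still SHA-1 is flagged. The sample outputs are constructed for the example and modelled on the "My Certificate" section above; the SHA-1 sample and the subject fields are invented.

```shell
#!/bin/sh
# Added example: verify that a PSE's own certificate uses a SHA-2 family
# signature algorithm, based on `sapgenpse get_my_name -v -v` output.

# Constructed samples (modelled on the "My Certificate" section above).
SAMPLE_SHA256='My Certificate:
  Subject: CN=host.example.invalid, O=Example, C=DE
  Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)'
SAMPLE_SHA1='My Certificate:
  Subject: CN=host.example.invalid, O=Example, C=DE
  Signature algorithm:sha1WithRsaEncryption (1.2.840.113549.1.1.5)'

# pse_sig_alg OUTPUT
#   print the algorithm name from the first "Signature algorithm:" line,
#   e.g. sha256WithRsaEncryption; prints nothing if the line is missing.
pse_sig_alg() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Signature algorithm:[[:space:]]*\([A-Za-z0-9]*\).*/\1/p' \
        | head -n 1
}

# pse_is_sha2 OUTPUT
#   exit 0 only when the algorithm is SHA-224/256/384/512 with RSA.
#   The name is lower-cased first so spelling variants (RSA vs Rsa) match.
pse_is_sha2() {
    alg=$(pse_sig_alg "$1" | tr 'A-Z' 'a-z')
    case $alg in
        sha224withrsaencryption|sha256withrsaencryption|sha384withrsaencryption|sha512withrsaencryption)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Usage on a real system (PSENAME and PIN as in the command above):
#   pse_is_sha2 "$(sapgenpse get_my_name -p "$PSENAME" -v -v -x "$PIN" 2>&1)" \
#       && echo "SHA-2 PSE" || echo "NOT SHA-2: $(pse_sig_alg "$(sapgenpse get_my_name -p "$PSENAME" -v -v -x "$PIN" 2>&1)")"
```

The allow-list is deliberately explicit rather than a "not sha1" test, so an unexpected or unparsable algorithm line is reported as a failure rather than silently passing.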

4. Reference Documents

2147844 - STRUST | ICM is not always notified when SSL Server PSEs are created or deleted

1740744 - SSFPSE_CREATE: Support creation of RSA-PSEs with SHA-256

1739681 - Kernel: Support creation of RSA-PSEs with SHA-256

1689776 - SAPCRYPTOLIB 555pl34: bugfixes, AES-NI support

1178155 - Replacing PSEs in productive SSL Servers
