Configuring Secure Network Communications for SAP

Procedure: To Create a PSE for the Client

  1. Create a directory on your system to store the PSE.

  2. Copy the ticket license file and the SAP Certified Client Cryptographic library (for example, SECUDE) to the directory you just created.

    Set the SECUDIR environment variable to this directory. Copy the cryptographic library to a separate directory and add that directory to your PATH environment variable.

  3. Execute the following command to generate the PSE.

    The client PSE is named RFC.pse. You can specify the distinguished name on the command line, for example "CN=RFC, OU=IT, O=CSW, C=DE".

    > sapgenpse gen_pse -v -p RFC.pse

    Got absolute PSE path "<your path>/RFC.pse".

    Please enter PIN: ********

    Please reenter PIN: ********

    get_pse: Distinguished name of PSE owner: CN=RFC, OU=IT, O=CSW, C=DE

    Supplied distinguished name: "CN=RFC, OU=IT, O=CSW, C=DE"

    Generating key (RSA, 1024-bits) ... succeeded.

    certificate creation... ok

    PSE update... ok

    PKRoot... ok

    Generating certificate request... ok.

    PKCS#10 certificate request for "<your path>/RFC.pse"

  4. Execute the following command to export the Client Certificate of the newly created PSE.

    The exported certificate is named RFC.crt.

    > sapgenpse export_own_cert -v -p RFC.pse -o RFC.crt

    Opening PSE "<your path>/RFC.pse"...

    No SSO credentials found for this PSE.

    Please enter PIN: ********

    PSE open ok.

    Retrieving my certificate... ok.

    writing to file ...... ok

  5. Import the Client Certificate to Server PSE.

    You can import the client certificate via Transaction STRUST.

    1. Open the node SNC (SAPCryptolib) again.

    2. Enter the SAPCryptolib password.

    3. Click on the Import certificate button.

    4. Set the file format to Base64 and choose the file.

    5. Click Add to Certificate List.

  6. Export the Server Certificate.

    Export the Server Certificate via the Transaction STRUST.

    1. At node SNC (SAPCryptolib), double click on your own certificate so it displays in the Certificate field.

    2. Click on Export certificate.

    3. From the File tab, choose Base64 for the File format and provide a name for the file.

  7. Import the Server Certificate to the Client PSE.

    On the command line run:

    > sapgenpse maintain_pk -v -a SNC.crt -p RFC.pse

    Opening PSE "<your path>/RFC.pse"...

    No SSO credentials found for this PSE.

    Please enter PIN: ********

    PSE open ok.

    Adding new certificate from file "SNC.crt"

    ----------------------------------------------------------------------------

    Subject : CN=IDS, OU=IT, O=CSW, C=DE

    Issuer : CN=IDS, OU=IT, O=CSW, C=DE

    Serialno: 00

    KeyInfo : RSA, 2048-bit

    Validity - NotBefore: Wed Mar 6 21:37:32 2008 (060927193732Z)

    NotAfter: Fri Jan 1 01:00:01 2038 (380101000001Z)

    -----------------------------------------------------------------------------

    PKList updated (1 entries total, 1 newly added)

  8. Create the cred_v2 file.

    After setting up the client PSE you must create a file called cred_v2, which gives the RFC program secure access to the PSE without the PSE password having to be supplied.

    On the command line run:

    > sapgenpse seclogin -p RFC.pse -O root

    running seclogin with USER="root"

    creating credentials for yourself (USER="root")...

    Please enter PIN: ********

    Added SSO-credentials for PSE "<your path>/RFC.pse"

    "CN=RFC, OU=IT, O=CSW, C=DE"


    Note –

    When you generate the cred_v2 file, run seclogin under the <sid>adm account.


  9. Allow SNC RFC Connection.

    Now you need to map the X.509 certificates that were created to the user accounts on the SAP Server.

    1. Start Transaction SM30 and enter the view VSNCSYSACL.

      This view restricts SNC RFC connections by means of an Access Control List (ACL). An alert window pops up; just click the "right" symbol to continue.

    2. Choose "E" for the Type of ACL entry.

    3. Enter System ID and SNC name.


      Note –

      Do not forget the "p:" in front of the DN.


    4. Check the boxes according to the following figure.

    5. Save the entry.


    Note –

    When you try to edit the entry, an alert window may pop up. Just click the "right" symbol and make your changes.


  10. Map the X.509 Certificate to the User.

    The X.509 certificate must be accepted for a successful login.

    1. Start Transaction SM30.

    2. Enter VUSREXTID and click Maintain.

      Using the view VUSREXTID, you can set up a mapping between the Distinguished Name provided by an X.509 certificate and an ABAP user.

    3. Choose the Distinguished Name for the External ID type.

    4. Create a new entry and activate it.
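The client-side steps of this procedure (1, 2, 3, 4, 7 and 8) as one script, added here as an example and not part of the original document. It assumes sapgenpse is already on PATH, that the server certificate exported in step 6 has been copied to the client as SNC.crt, and that it runs as the <sid>adm account; sapgenpse prompts for the PIN itself, and the final check confirms that RFC.pse and cred_v2 are readable only by their owner.

```shell
#!/bin/sh
# Added example, not from the original document. Assumes sapgenpse on PATH,
# the server certificate (step 6) copied to the client, and <sid>adm running it.
set -eu

# Step 1/2: create the PSE directory, lock it down, and point SECUDIR at it.
# The PSE and cred_v2 unlock the client private key, so nobody else on the
# host should be able to read them.
prepare_secudir() {
    mkdir -p "$1"
    chmod 700 "$1"
    SECUDIR="$1"
    export SECUDIR
}

# Steps 3, 4, 7, 8: generate the client PSE, export its certificate for STRUST,
# import the server certificate, and create cred_v2 for the calling user.
# $1 = distinguished name, $2 = server certificate exported in step 6.
create_client_pse() {
    dn="$1"
    server_crt="$2"
    pse="$SECUDIR/RFC.pse"
    [ -r "$server_crt" ] || { echo "server certificate $server_crt missing" >&2; return 1; }
    sapgenpse gen_pse -v -p "$pse" "$dn"                          # step 3
    sapgenpse export_own_cert -v -p "$pse" -o "$SECUDIR/RFC.crt"  # step 4
    sapgenpse maintain_pk -v -a "$server_crt" -p "$pse"           # step 7
    sapgenpse seclogin -p "$pse" -O "$(id -un)"                   # step 8
    chmod 600 "$pse" "$SECUDIR/cred_v2"
}

# Verify the result: both secrets exist and are readable only by their owner.
# Returns 0 when the layout is as expected, 1 otherwise.
check_secudir() {
    for f in "$SECUDIR/RFC.pse" "$SECUDIR/cred_v2"; do
        [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
        case "$(ls -l "$f" | cut -c1-10)" in
            -rw-------) ;;
            *) echo "$f is readable by others" >&2; return 1 ;;
        esac
    done
    return 0
}

# Usage: sh setup_client_pse.sh run [path/to/SNC.crt]
if [ "${1:-}" = run ]; then
    prepare_secudir "${SECUDIR:-$HOME/sec}"
    create_client_pse "CN=RFC, OU=IT, O=CSW, C=DE" "${2:-SNC.crt}"
    check_secudir && echo "client PSE ready in $SECUDIR"
fi
```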