
Import data from file system PSE into STRUST?

nelis
Active Contributor
0 Kudos

Good day,

Once a month we do a database copy from our PRD to TST environment. We have pre-configured, CA-signed SSL certificates in the TST system which are being overwritten with the PRD certificate information each time we do the copy. It appears the database information takes precedence over the files located in /usr/sap/<SID>/<INST>/sec and these files get overwritten from the STRUST database information.

Is there any way to prevent this by perhaps removing the data from the database and then "importing" the valid PSE certificates from the file system? I have a backup copy of the valid certs/PSE files. How do I get my valid system PSEs back into the TST database?

Thanks.

Regards,

Nelis

1 ACCEPTED SOLUTION

Former Member
0 Kudos

I guess it is intentional that the PSE's usefulness is destroyed when it is copied. Makes sense.

The same goes for the SecureStore.

In transaction STRUST you can import the certificates again from your backup. The lower section is basically just a copy&paste area for importing and exporting the credentials. The important part is what you do with that "clipboard" in the certificate list (top section).

I have not seen any automatic ways of doing this, other than using STRUST or command line tools "online" - but I guess it can be done. However I know that SAP recommends sticking to either one or the other and not mixing them.

Cheers,

Julius

7 REPLIES 7

nelis
Active Contributor
0 Kudos

> In transaction STRUST you can import the certificates again from your backup.

The problem here is that the certificates are based on the PSEs and they are not the same, so it will not allow me to import the CA-signed certificate unless I have the correct PSE. If I could use the original PSE somehow and it didn't get overwritten then I could import the certificate again, no problem.

Hope what I'm saying is clear.

Nelis

0 Kudos

I export the PSE prior to a copy and reimport it back afterwards. In my opinion you have two options:

- recreate the PSE with your original certificate and signing req response

- export the PSE in STRUST-> menu -> PSE -> export (or save as... file) and reimport after the copy

Best regards, Michael

0 Kudos

> - recreate the PSE with your original certificate and signing req response

It is a good idea to have a backup of these in a safe place anyway, so I would go for option A (to test the backup :-).

Cheers,

Julius

nelis
Active Contributor
0 Kudos

> export the PSE in STRUST-> menu -> PSE -> export (or save as... file) and reimport after the copy

Thanks Michael that sounds like a plan.

> recreate the PSE with your original certificate and signing req response

Is it possible though to recreate the PSE with the original certificate? I thought maybe it used some random generator for this. I'm sure I have already tried this and it gave me an error as mentioned above that I needed to use the original PSE when adding the req response.

Nelis

0 Kudos

> Is it possible though to recreate the PSE with original certificate ?

If you generated a certificate in STRUST, then... guess not. In my place, our CA can also create PSEs (as far as I know a PSE is just a container for certificates). So these 'original' PSEs can be installed directly.

After a second thought, I have to admit that what I was saying earlier is not correct: "recreate the PSE with your original certificate and signing req response". If you recreate the PSE, then it will generate a new certificate. Sorry for that, but as I said, exporting the PSE prior to a system copy works fine, except the handling in STRUST is very cumbersome. After importing the PSE, you have to "Save PSE" as System PSE.

Cheers, Michael

nelis
Active Contributor
0 Kudos

Ah, not to worry. Your explanation gave me the hint I needed, so now I've imported the correct certs from the PSE files I had saved previously. All I had to do was do the whole 'save as' part after the import to get them into the store correctly, so to speak... I used the files (to import) directly from the sec directory I had made a backup of, so obviously you don't need to export them if you already have them.

Thanks!

Nelis
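
An added example, not part of the thread or any SAP tooling: a shell check that records hashes of the PSE files in the sec directory before the copy and afterwards lists which ones were overwritten, so you know which PSEs to re-import and "save as" in STRUST. The function names are hypothetical and the demo files are constructed; it assumes `sha256sum` or `shasum` is available and only reports, it does not write to the sec directory.

```shell
#!/bin/sh
# Added example, not from the thread: report which PSE files in the instance
# sec directory changed after a system copy. Function names are hypothetical.

# SHA-256 of one file (sha256sum on Linux, shasum elsewhere).
pse_hash() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Before the copy: write "<hash> <file>" for every *.pse in the directory.
# usage: snapshot_pse <sec_dir> <manifest_file>
snapshot_pse() {
    ( cd "$1" || exit 1
      for f in *.pse; do
          if [ -f "$f" ]; then printf '%s %s\n' "$(pse_hash "$f")" "$f"; fi
      done ) > "$2"
}

# After the copy: print each PSE that is missing or no longer matches.
# usage: changed_pse <sec_dir> <manifest_file>
changed_pse() {
    while read -r want name; do
        if [ ! -f "$1/$name" ]; then
            echo "$name missing"
        elif [ "$(pse_hash "$1/$name")" != "$want" ]; then
            echo "$name changed"
        fi
    done < "$2"
}

# Demo on constructed files standing in for a sec directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'tst-ssl-server' > "$d/SAPSSLS.pse"   # constructed content
    printf 'tst-system'     > "$d/SAPSYS.pse"    # constructed content
    snapshot_pse "$d" "$d/manifest.txt"
    printf 'prd-ssl-server' > "$d/SAPSSLS.pse"   # simulate the overwrite
    changed_pse "$d" "$d/manifest.txt"
    rm -rf "$d"
}
demo   # prints: SAPSSLS.pse changed
```

Keep the manifest with the PSE backup outside the system being overwritten, since the PSE files contain private keys and the manifest is what you compare against after the copy.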