06-02-2010 9:10 AM
Good day,
I have a problem deleting an expired certificate from the Certificate List and the Access Control List (ACL).
When I run transaction strustsso2, select the expired certificate and then select delete, it returns the error below:
(Error occurred during deletion) Message no. TRUST035
Your support is highly appreciated
Jassem
06-04-2010 4:20 AM
hello jassem,
if you really want to remove a certain certificate from the PSE's certificate list, you may proceed as follows.
please do this ONLY, if the removing of certificates does not work from transaction STRUST.
the procedure requires SAPCRYPTOLIB to be installed, as its command line tool 'sapgenpse' is used.
first:
it's a good idea to have a safe copy of your PSE as well as all certificates contained - just in case that something goes wrong.
then:
open a shell or command prompt on your server and go to the directory where the PSEs are stored. ensure that you are logged on with the correct user, and that the environment variable SECUDIR is set correctly.
execute the command:
sapgenpse maintain_pk -l -p <file name of the PSE>
this command lists the certificates from the PSE's certificate list, numbered with tags beginning with "1".
from the result, note the tag number of the certificate to remove.
now, execute the command
sapgenpse maintain_pk -d <tag number of cert to delete> -p <PSE file name>
this command will remove the certificate identified by the tag number.
please note that this procedure is described in note 800240.
if this procedure does not work, you can also flush all certificates from the certificate list - keep in mind that after re-importing the modified PSE into STRUST, you need to re-import the certificates into the PSE's certificate list that were not supposed to be deleted. (hopefully you stored safe copies of these certificates beforehand!)
the command to flush the certificate list is:
sapgenpse maintain_pk -f -p <PSE file name>
finally, you need to re-import the modified PSE into STRUST. copy the modified PSE to your workstation (PC) and proceed as described in knowledge base article 1473710 for PSE import.
regards,
sebastian
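The list/delete steps above, scripted: this is an added example wrapping the sapgenpse procedure from Sebastian's post, not SAP's code and not something from the thread. It assumes sapgenpse is on PATH with SECUDIR exported, and that the "Element #N:", "Subject:" and "NotAfter:" lines of `maintain_pk -l` are laid out as in the constructed SAMPLE_BLOCKS below; compare the regexes with your own listing before running it against a real PSE. The point it adds to the manual procedure is that the tag numbers are list positions, so after deleting one entry the remaining tags shift; the loop therefore re-lists after every deletion instead of reusing the numbers from the first listing.

```python
"""Remove expired certificates from a PSE's certificate list via sapgenpse.

Added example around the manual sapgenpse procedure; not SAP code.
Assumptions: 'sapgenpse' is on PATH and SECUDIR is exported; the
'maintain_pk -l' listing prints one "Element #N:" header per entry with
"Subject:" and "NotAfter:" lines formatted as in SAMPLE_BLOCKS (constructed).
"""
import re
import shutil
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

ELEMENT_RE = re.compile(r"^\s*Element #(\d+):", re.M)
SUBJECT_RE = re.compile(r"^\s*Subject:\s*(.+?)\s*$", re.M)
# "NotAfter:    Fri Jan  1 00:00:00 2010 (...)" -> "Jan  1 00:00:00 2010"
NOTAFTER_RE = re.compile(
    r"NotAfter:\s+\w{3}\s+(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})")


def parse_listing(text):
    """Turn 'maintain_pk -l' output into [(tag, subject, not_after)]."""
    entries = []
    heads = list(ELEMENT_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        block = text[head.end():end]
        subj = SUBJECT_RE.search(block)
        stamp = NOTAFTER_RE.search(block)
        not_after = None
        if stamp:
            not_after = datetime.strptime(
                stamp.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
        entries.append((int(head.group(1)), subj.group(1) if subj else "?", not_after))
    return entries


def expired_tags(entries, now):
    """Tags whose NotAfter is in the past; entries without a date are kept."""
    return [t for t, _, na in entries if na is not None and na < now]


def run_sapgenpse(args):
    """Invoke the real binary; a non-zero exit raises instead of being ignored."""
    return subprocess.run(["sapgenpse", *args], check=True,
                          capture_output=True, text=True).stdout


def purge_expired(pse, runner=run_sapgenpse, now=None, backup=True):
    """Back up the PSE, then delete expired entries one at a time.

    The list is re-read after every deletion because tags are positions in
    the certificate list: once #1 is gone, the old #3 becomes #2.
    """
    now = now or datetime.now(timezone.utc)
    pse = Path(pse)
    if backup:  # the "safe copy" the procedure asks for, next to the original
        shutil.copy2(pse, pse.with_name(pse.name + now.strftime(".%Y%m%d%H%M%S.bak")))
    removed = []
    while True:
        entries = parse_listing(runner(["maintain_pk", "-l", "-p", str(pse)]))
        stale = expired_tags(entries, now)
        if not stale:
            return removed
        tag = stale[0]
        runner(["maintain_pk", "-d", str(tag), "-p", str(pse)])
        removed.append(next(s for t, s, _ in entries if t == tag))


class FakeSapgenpse:
    """In-memory stand-in for the binary (dry runs on hosts without
    SAPCRYPTOLIB). Renumbers tags after each deletion, as the real list is
    assumed to; re-listing keeps purge_expired correct either way."""

    def __init__(self, blocks):
        self.blocks = list(blocks)  # one listing block per certificate
        self.calls = []

    def __call__(self, args):
        self.calls.append(args)
        if args[1] == "-l":
            out = [f"PKList with {len(self.blocks)} entries:"]
            out += [f" Element #{i}:\n{b}" for i, b in enumerate(self.blocks, 1)]
            return "\n".join(out) + "\n"
        if args[1] == "-d":
            del self.blocks[int(args[2]) - 1]
            return ""
        raise ValueError(f"unexpected sapgenpse call: {args}")


def _block(cn, not_after_text):
    return (f" Subject: CN={cn}, O=Example\n"
            f" Validity  -  NotBefore:   Tue Jan  1 00:00:00 2008 (080101000000Z)\n"
            f"              NotAfter:    {not_after_text}")


# Constructed sample listing: two expired entries around one still valid.
SAMPLE_BLOCKS = [
    _block("ExpiredRoot", "Fri Jan  1 00:00:00 2010 (100101000000Z)"),
    _block("StillValidCA", "Mon Jan  1 00:00:00 2035 (350101000000Z)"),
    _block("AlsoExpired", "Thu Jan  1 00:00:00 2009 (090101000000Z)"),
]

if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[2] == "--dry-run":
        fake = FakeSapgenpse(SAMPLE_BLOCKS)
        gone = purge_expired(sys.argv[1], runner=fake, backup=False)
        print("would delete:", gone, "via calls:", fake.calls)
    elif len(sys.argv) == 2:
        print("deleted:", purge_expired(sys.argv[1]))
    else:
        sys.exit("usage: purge_expired_certs.py <PSE file> [--dry-run]")
```

Run it once with `--dry-run` to see the call sequence: against the sample list it issues `-d 1` and then `-d 2`, not `-d 3`, which is exactly the renumbering that catches people who delete several tags from one listing. The backup lands beside the PSE; the re-import into STRUST afterwards is still the manual step from the post.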
06-02-2010 1:07 PM
Hi,
Have you checked SU53 for a missing authorization? You can get your message after calling two FMs: SSFP_REMOVECERTIFICATE or SSFPSE_REMOVE. So if you have some basic debugging skills, you can put a breakpoint at the start of each FM and see what error you get. There are different reasons why it can fail.
Cheers
06-02-2010 2:29 PM
Hi Jassem,
As far as I know, you should delete the entire PSE and recreate it. In this case, removing the PSE also deletes the contained unique key pair. Replacing a PSE requires freshly exchanging certificates with communication partners, as required by the applications using the PSE (certificates contained).
I hope this helps.
All the best,
Cristiano
06-02-2010 9:49 PM
As far as I know, you should delete the entire PSE and recreate it. In this case, removing the PSE also deletes the contained unique key pair.
Caution: a PSE (Personal Security Environment) is like a keystore.
It contains a certificate and the corresponding private key (keypair) as well as a trust anchor list (aka "certificate list" / "private address book"). If you just want to remove an entry from the trust anchor list, you should not delete the entire PSE, since you would also lose your (own) certificate / keypair.
If you experience problems when performing PSE operations using transaction STRUST or STRUSTSSO2, then first check whether you are using an older version of SAPseculib or SAPcryptolib and consider using the latest version of SAPcryptolib, if applicable. If this does not help to resolve the problem, then consider filing a bug report with SAP (message component BC-SEC-SSF).
Best regards,
Wolfgang
06-29-2010 8:17 AM
Thanks gentlemen for your support
I already have the required authorization assigned, but it still throws the same error. We've opened an OSS note with SAP and the resolution was similar to Sebastian's post.
Thanks and Regards,
Jassem
07-25-2011 10:29 AM
Hi Guys,
We are facing the same issue while deleting the certificate from the System PSE through transaction strustsso2. We are trying to delete the certificate of the solman system.
sapgenpse is not available in the kernel, hence I would need to know the solution for removing the certificate through ABAP itself and not through sapgenpse at OS level.
Please help.
Regards,
Ragav