02-24-2011 9:12 PM
Dear community,
I have just taken a (homogeneous) system copy of our production system, and refreshed our test system.
Platform is Oracle and SUSE Linux on IBM Power, ERP 6.0, SR2.
On our production system we have configured credit card encryption, which is working well.
After the copy this is not working.
Test program CCARDEC_CHECK gives :
Encryption failed
Decryption failed
Process Encryption/Decryption failed
I have cleaned up any errors in strust, so all components now show green status.
Followed by restart in /smicm
Test program ZSSF_TEST_PSE for filename SAPCCARD030.pse shows:
Test encryption : Encryption ERROR - SSF error: Unknown error in external security product
System log shows :
Time Type Nr Clt User TCode Grp N Text
20:16:20 DIA 000 030 EIRIKUR SE38 RD 3 SSF_KRN_ENVELOPE: Function Returned 13
Can you please suggest what I might be missing ?
If I can supply further information to isolate the problem, please advise.
Rgds, Eirikur.
02-24-2011 10:36 PM
Take a look in STRUST to see which certificate is red. Try exporting the certificate from prod and importing it into test (but this will depend on the encryption keys to be able to decrypt... so just verifying the certs is not enough for the data).
"Tokenization" is IMO a more central way of solving this credit card issue - so you do not even have the pestilent data
Cheers,
Julius
Edited by: Julius Bussche on Feb 24, 2011 11:40 PM
02-24-2011 10:41 PM
Dear Julius,
thank you for the reply.
I don't have any red status in strust, as mentioned already in my post.
Does Tokenization refer to some form of implementation that you can recommend and share documentation about ?
Edited by: Eirikur Ingibergsson on Feb 24, 2011 11:42 PM
02-24-2011 10:49 PM
I just edited my post before you had questioned this.
How was the data encrypted? That is independent from STRUST.
Personally I like the tokenization design more. You can search for it and find lots of docs.
If your ssf cert was created for prod server, then you cannot decrypt it for a QAS server.
Common cert DNs or "standard" certs would have been an option, but it seems that these were not intended. This might also be intentional so check on that?
Cheers,
Julius
02-25-2011 1:02 AM
>
> Personally I like the tokenization design more. You can search for it and find lots of docs.
I agree but I haven't noticed any solution from SAP. Have you?
Cheers
02-25-2011 11:09 AM
The solution from SAP is support and compatibility with available tokenization providers.
A good article on it from SAP can be found here: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0f44a4b-cefa-2d10-5584-bb53ff2662ab?quicklink=index&overridelayout=true and searching will eventually lead you to Paymetric (see the EcoHub on SDN).
There are also some flamewar blogs about decryption and IDocs...
Cheers,
Julius
06-17-2011 9:24 PM
02-24-2011 11:13 PM
It is working now.
The solution was to recreate the STRUST PSE for CC encryption with RSA encryption instead of the default DSA.
Rgds, Eirikur.
02-25-2011 12:05 AM
05-12-2011 12:56 AM
Hi Eirikur,
I got the same problem after a system copy from PRD to the test system. Can you please give me the detailed steps for how you fixed it?
Thanks a lot.
Lily
06-17-2011 9:54 PM
06-20-2011 4:03 PM
Just to complete the documentation of the solution:
In transaction /strust there is an entry "SSF Encryption of Payment Card"
I recreated this entry (right click -> replace -> confirm with yes)
In the "replace PSE" dialog screen the default algorithm was DSA, which I needed to change to RSA.
Rgds, Eirikur.
10-21-2012 8:56 PM
Thanks for the solution. It works for me. Same error message - 13
N OUT SsfEnvelope() result/CRC: 13 (SSF_API_UNKNOWN_SECTK_ERROR)
N SecTK Lasterror 1542 "pkcs_get_encryptedKey failed"
N ---------- Begin SecTK Lasterror Details ----------
N ERROR in pkcs_envelope_ContentInfo: (1542/0x0606) pkcs_get_encryptedKey failed
N ERROR in pkcs_get_encryptedKey: (1542/0x0606) sec_encrypt_key failed
N ERROR in sec_encrypt_key: (1542/0x0606) invalid or unknown alg_id
After regenerating the PSE with RSA it works without problems. The reason behind it is,
I think, that DSA is only valid for signatures, while RSA is able to sign and encrypt.
Regards Matthias
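As an added example (not code from any poster in this thread, and not SAP's own), a small Python triage helper for the SecTK trace excerpt quoted in the post above: it extracts the SsfEnvelope return code and the innermost error frame. The function name `triage`, the regular expressions and the `key_algorithm_suspect` flag are assumptions made for this example; the sample lines are copied from the post.

```python
import re

# Trace excerpt copied from the post above (work process trace lines).
SAMPLE_TRACE = """\
N OUT SsfEnvelope() result/CRC: 13 (SSF_API_UNKNOWN_SECTK_ERROR)
N SecTK Lasterror 1542 "pkcs_get_encryptedKey failed"
N ---------- Begin SecTK Lasterror Details ----------
N ERROR in pkcs_envelope_ContentInfo: (1542/0x0606) pkcs_get_encryptedKey failed
N ERROR in pkcs_get_encryptedKey: (1542/0x0606) sec_encrypt_key failed
N ERROR in sec_encrypt_key: (1542/0x0606) invalid or unknown alg_id
"""

# Patterns are modelled on the line shapes in the excerpt only (assumption).
RESULT_RE = re.compile(r"^N\s+OUT\s+(Ssf\w+)\(\)\s+result/CRC:\s+(\d+)\s+\((\w+)\)")
ERROR_RE = re.compile(r"^N\s+ERROR in (\w+):\s+\((\d+)/(0x[0-9A-Fa-f]+)\)\s+(.*)$")

def triage(trace):
    """Return the SSF call result and the SecTK error chain, outermost frame first."""
    report = {"call": None, "rc": None, "rc_name": None, "chain": []}
    for line in trace.splitlines():
        line = line.strip()
        m = RESULT_RE.match(line)
        if m:
            report.update(call=m.group(1), rc=int(m.group(2)), rc_name=m.group(3))
            continue
        m = ERROR_RE.match(line)
        if m:
            report["chain"].append({"func": m.group(1), "code": int(m.group(2)), "msg": m.group(4)})
    # In the excerpt the frames are listed outermost first, so the last one is the root cause.
    root = report["chain"][-1] if report["chain"] else None
    report["root_cause"] = root
    # Thread resolution: this root cause went away after recreating the PSE with RSA.
    report["key_algorithm_suspect"] = bool(
        root and root["func"] == "sec_encrypt_key" and "alg_id" in root["msg"])
    return report

if __name__ == "__main__":
    r = triage(SAMPLE_TRACE)
    print(r["call"], r["rc"], r["rc_name"])
    print("root cause:", r["root_cause"])
    print("check PSE key algorithm:", r["key_algorithm_suspect"])
```
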
10-22-2012 5:11 AM
As per note 662340,
the SAPSECULIB library can be used for digital signatures created by the SAP system, but not for encrypting data. To have the system encrypt data, you must replace the SAPSECULIB with the SAP Cryptographic Library (SAPCRYPTOLIB).
Not sure if it helps.
Thanks,
Dev