Solved: sapcrypto errors after system copy

esi · ‎02-24-2011

Dear community,

I have just taken a (homogenous) system copy of our production system, and refreshed our test system.

Platform is oracle and suse linux on IBM Power, ERP 6.0, SR2.

On our production system we have configured credit card encryption, which is working well.

After the copy this is not working.

Test program CCARDEC_CHECK gives :

Encryption failed

Decryption failed

Process Encryption/Decryption failed

I have cleaned up any errors in strust, so all components now show green status.

Followed by restart in /smicm

Test program ZSSF_TEST_PSE for filename SAPCCARD030.pse shows:

Test encryption : Encryption ERROR - SSF error: Unknown error in external security product

System log shows :

Time Type Nr Clt User TCode Grp N Text

20:16:20 DIA 000 030 EIRIKUR SE38 RD 3 SSF_KRN_ENVELOPE: Function Returned 13

Can you please suggest what I might be missing ?

If I can supply further information to isolate the problem, please advice.

Rgds, Eirikur.

Former Member · ‎02-24-2011

Take a look in STRUST which certificate is red. Try export the certificate from prod and import into test (but this will depend on the encryption keys to be able to decrypt... so just verifying the certs is not enough for the data).

"Tokenization" is IMO a more central way of solving this credit card issue - so you do not even have the pestilent data

Cheers,

Julius

Edited by: Julius Bussche on Feb 24, 2011 11:40 PM

Former Member · ‎02-24-2011

Take a look in STRUST which certificate is red. Try export the certificate from prod and import into test (but this will depend on the encryption keys to be able to decrypt... so just verifying the certs is not enough for the data).

"Tokenization" is IMO a more central way of solving this credit card issue - so you do not even have the pestilent data

Cheers,

Julius

Edited by: Julius Bussche on Feb 24, 2011 11:40 PM

esi · ‎02-24-2011

Dear Julius,

thank you for the reply.

I dont have any red status in strust, as mentioned already in my post.

Does Tokenization refer to some form of implementation that you can recommend and share documentation about ?

Edited by: Eirikur Ingibergsson on Feb 24, 2011 11:42 PM

Former Member · ‎02-24-2011

I just edited my post before you had questioned this.

How was the data encrypted? That is independent from STRUST.

Personally I like the tokenization design more. You can search for it and find lots of docs.

If your ssf cert was created for prod server, then you cannot decrypt it for a QAS server.

Common cert DNs or "standard" certs would have been an option, but it seems that these were not intended. This might also be intentional so check on that?

Cheers,

Julius

mvoros · ‎02-25-2011

>


> Personally I like the tokenization design more. You can search for it and find lots of docs.

I agree but I haven't noticed any solution from SAP. Have you?

Cheers

Former Member · ‎02-25-2011

The solution from SAP is support and compatibility with available tokenization providers.

A good article on it from SAP can be found [here|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0f44a4b-cefa-2d10-5584-bb53ff2662ab?quicklink=index&overridelayout=true] and searching will eventually lead you to paymetric (see the EcoHub on SDN).

There are also some flamewar blogs about decryption and Idocs...

Cheers,

Julius

former_member202002 · ‎06-17-2011

This message was moderated.

esi · ‎02-24-2011

It is working now.

the solution was to recreate the strust pse for cc encryption with RSA encryption instead of the default DSA.

Rgds, Eirikur.

Former Member · ‎02-25-2011

Hmmm... <note to self>

Former Member · ‎05-12-2011

Hi Eirikur,

I got the same proble after system copy from PRD to test system. Can you please give me the detail steps how did you fix it?

Thanks a lot.

Lily

former_member202002 · ‎06-17-2011

This message was moderated.

esi · ‎06-20-2011

Just to complete the documentation of the solution:

In transaction /strust there is an entry u201ESSF Encryption of Payment Cardu201C

I recreated this entry (right click -> replace -> confirm with yes )

In the u201Ereplace PSEu201C dialog screen the default algorith was DSA, which I needed to change to RSA.

Rgds, Eirikur.

Former Member · ‎10-21-2012

Thanks for the solution. It works for me. Same error message - 13

N OUT SsfEnvelope() result/CRC: 13 (SSF_API_UNKNOWN_SECTK_ERROR)

N SecTK Lasterror 1542 "pkcs_get_encryptedKey failed"

N ---------- Begin SecTK Lasterror Details ----------

N ERROR in pkcs_envelope_ContentInfo: (1542/0x0606) pkcs_get_encryptedKey failed

N ERROR in pkcs_get_encryptedKey: (1542/0x0606) sec_encrypt_key failed

N ERROR in sec_encrypt_key: (1542/0x0606) invalid or unknown alg_id

After regenerating of pse with RSA it works without problems. The reason behind is

I think DSA is only for Signatures valid - and RSA is able to sign and crypt.

Regards Matthias

Former Member · ‎10-22-2012

As per this note - 662340 ,

SAPSECULIB - library can be used for digital signatures created by the SAP system, but not for encrypting data. To have the system encrypt data, you must replace the SAPSECULIB with the SAP Cryptographic Library (SAPCRYPTOLIB).

Not sure if it helps.

Thanks,

Dev