Backup a certificate including private key in SAP R3

Former Member
0 Kudos

Dear SDN'ers,

We recently had a problem in our SAP R3 environment (after a database restore) which had the effect that we lost our instance PSE. The instance PSE still existed. We therefore had to recreate the instance PSE and also request a re-issue of the Verisign certificate.

Has anyone encountered a similar problem after a restore? How can I back up and restore the certificate including the private key? This way we wouldn't require any reissue of certificates.

Do I need to make use of the SAPGENPSE tool? I had a look at note 578377. Is there another note?

Hope to hear your reactions soon.

Thanks

Dries

7 REPLIES 7

WolfgangJanzen
Product and Topic Expert
0 Kudos

That cannot be - an ABAP system stores the PSE (Personal Security Environment, a kind of keystore containing the certificate and the corresponding private key) in the database (tables SSF_PSE_D and SSF_PSE_H). At system startup a copy of the database content is written to the file system and used for operation.

Therefore, when performing a database recovery / restore the PSEs will be restored as well. Maybe you have to run transaction STRUST and perform the operation "distribute" if you have performed an online database recovery / restore (to notify the work processes to replace the PSE files, if required).

Regards, Wolfgang

0 Kudos

Hi Wolfgang,

Thanks for your quick reply. That was my first reaction as well. However, this problem did occur right after the Basis team did the "restore". Sorry for the misunderstanding caused by the terminology used, but it wasn't a typical database restore.

The only thing I can think is that all the activities weren't performed correctly and completely. The purpose of the restore was moving the data that was still existing on the local disks (on the server) to the SAN. The database files were already moved to the SAN long before. The rest of the directories included all data on the C drive (OS) and E drive (\usr\sap\<SID>\); therefore the database wasn't restored, but the OS files and application files were. Also, Windows was reinstalled because of the registry entries referring to the SAN.

What I did see the day of the problem was that the variable for SECUDIR wasn't set in the environment variables. I guess this could be the reason for the problem as well.

OK, I understand that the cause can be related to a couple of things. The Security guys still want a backup of the certificate and the private key. Do you know how this can be done safely?

Regards Dries,

0 Kudos

Hi Wolfgang,

Yes, I installed the certificate response with the root certificate and it accepted it. Thereafter I stopped the ICM and then the problems with the Security alert were gone. All seems to be working fine. It was only the cause of the problem that didn't make sense. And to be on the safe side a backup has to be made of the certificate and private key.

Regards Dries

0 Kudos

You have two ways to perform a backup of the PSE:

- copy the PSE file

- perform a DB backup (of the two tables I've mentioned)

Copying the files is much easier, of course.

But please make sure that STRUST does not report any "red lights" regarding those PSEs at the time you copy the files. Otherwise you'd potentially copy outdated PSE files (which are inconsistent with the DB original).

Yes, the environment variable could have caused the problem.

Also, if the ticket file (required for SAPCRYPTOLIB) or the SAPCRYPTOLIB itself is missing. Such severe problems are written to the trace file (dev_icm - in case of SSL problems). And STRUST would have shown errors ("red lights" with message texts when clicking on them) as well.

Regards, Wolfgang
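
A file-level backup along the lines of the answer above, as an added example that is not part of the thread and not SAP code: it refuses to run when SECUDIR is unset, copies the `*.pse` files it finds there, restricts the copies to the owner (each PSE contains the private key) and records SHA-256 digests. The function names, the timestamped folder and the `SHA256SUMS` manifest are assumptions of this example; it cannot see STRUST's status, so the "red lights" check stays a manual step before running it.

```python
import hashlib, os, shutil, stat, time
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def backup_pses(dest_root, secudir=None):
    """Copy every *.pse file from SECUDIR into a new timestamped folder.

    Returns (backup_dir, {filename: sha256}). Raises if SECUDIR is unset,
    missing, or holds no PSE files.
    """
    secudir = secudir or os.environ.get("SECUDIR")
    if not secudir:
        raise RuntimeError("SECUDIR is not set in the environment")
    src = Path(secudir)
    if not src.is_dir():
        raise RuntimeError(f"SECUDIR does not exist: {src}")
    pses = sorted(p for p in src.iterdir() if p.suffix.lower() == ".pse")
    if not pses:
        raise RuntimeError(f"no PSE files found in {src}")

    # Hypothetical layout: one folder per run, readable by the owner only.
    backup_dir = Path(dest_root) / time.strftime("pse-backup-%Y%m%dT%H%M%S")
    backup_dir.mkdir(parents=True, mode=0o700)
    manifest = {}
    for pse in pses:
        target = backup_dir / pse.name
        shutil.copy2(pse, target)
        # POSIX mode bits; on Windows, restrict the folder with NTFS ACLs.
        os.chmod(target, stat.S_IRUSR | stat.S_IWUSR)
        digest = sha256(target)
        if digest != sha256(pse):
            raise RuntimeError(f"copy of {pse.name} does not match source")
        manifest[pse.name] = digest
    (backup_dir / "SHA256SUMS").write_text(
        "".join(f"{d}  {n}\n" for n, d in manifest.items()))
    return backup_dir, manifest

def verify_backup(backup_dir):
    """Re-hash the backup against its manifest; return names that differ."""
    bad = []
    for line in (Path(backup_dir) / "SHA256SUMS").read_text().splitlines():
        digest, name = line.split("  ", 1)
        copy = Path(backup_dir) / name
        if not copy.is_file() or sha256(copy) != digest:
            bad.append(name)
    return bad
```

Run `verify_backup` again before importing a copy through STRUST, so a damaged or altered file is caught before it replaces a working PSE.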

0 Kudos

Hi Wolfgang,

Sorry, but this is the first time I am making such a backup using STRUST and/or SAPGENPSE. I haven't used SAPGENPSE before.

From the STRUST transaction and the menu, can you please explain how this is done? Is there a note or weblog that you can refer me to?

Regards

Dries Yssel

0 Kudos

I can only provide you a rough skeleton (not a reliable step-by-step instruction that can be followed blindly).

Create a file backup of a PSE:

1. choose PSE from the list (by double-click)

2. choose menu item "PSE" -> "Export": a file selector occurs (rest: self-explaining)

Restoring a PSE file is only slightly less intuitive:

1. choose menu item "PSE" -> "Import": a file selector occurs

2. if import was successful, content of the PSE will be displayed (on the right side)

3. choose menu item "PSE" -> "Save As" : choose PSE you want to replace (be careful to choose the right one!) and confirm

Regards, Wolfgang

WolfgangJanzen
Product and Topic Expert
0 Kudos

2nd remark: since you are talking of a "VeriSign certificate" you are most likely referring to a "SSL server certificate". That certificate is usually stored in the "SSL Server" PSE. Since the ICM process is caching that PSE file you need to restart the ICM (e.g. by using ABAP transaction SMICM) on each application server instance after any changes to the PSE (using ABAP transaction STRUST) in order to make them effective immediately.

Regards, Wolfgang