12-14-2007 6:36 PM
Hello,
I am thinking of using txn.STRUST and replacing SYSTEM.PSE to correct the current DN in the live system. I am wondering what I have to take into consideration before doing that and what possibly needs to be fixed/corrected afterwards.
Thanks,
Robert
12-17-2007 12:00 PM
Well, you need to be careful when replacing a PSE (= kind of "keystore", containing certificate, private key and list of imported certificates) which has been previously used.
Especially the "System PSE" is critical since it can be used for multiple purposes, e.g. for URL signing, to sign/verify SAP Logon Tickets, to sign application data (-> function module SSFT_PPPI_SIGN), etc.
Only if you are sure that the PSE has never been used before can you replace it without taking any special precautions.
When the PSE was only used for SAP Logon Tickets (SSO2), you have to reestablish the SSO2 trust relationship afterwards.
However, you have to be very careful when this PSE was used to sign data. Replacing the PSE results in the inability to verify the data.
In all cases, it is therefore highly advised to keep a file-copy of the PSE file (which you can re-import using transaction STRUST, if required).
Regards, Wolfgang
12-17-2007 2:55 PM
Thanks Wolfgang.
After reading your answer, I have a few questions in mind:
1. I want to correct the DN. Can I do it without regenerating the key pair? I guess it should be possible. Do you know how to do that?
2. You mention a backup certificate, you mean using PSE Export?
Thanks,
Robert
12-17-2007 4:34 PM
> 1. I want to correct the DN. Can I do it without regenerating the key pair? I guess it should be possible. Do you know how to do that?
Theoretically you are right. But practically (with the tools provided) that's not possible.
> 2. You mention a backup certificate, you mean using PSE Export?
Yes.