06-24-2008 10:43 AM
Hi all,
I want to create the PSE for SNC (SAP Cryptolib). -> Web services with certificates
SNC ID: sys-sapsnc@<domain>.com
Algorithm: RSA
Key Length: 1024
Error message:
Error while creating PSE
Message no. TRUST040
System: ERP 2005
System PSE is already created
SSL Server PSE is already created
SSL Client (Anonymous) PSE is already created
SSL Client (Standard) PSE is already created
regards
06-24-2008 1:00 PM
In that case you better leave the SNC PSE alone! Did you install the SAP Crypto Library? Is there a red cross in front of the PSE you want to create?
BTW, by right clicking on the entry, you can delete a PSE.
The system PSE is used for the creation and verification of login tickets. So, if you're using login tickets you should leave the system PSE alone as well.
The user interface of STRUST is very bad. It is normal not to know how to use this transaction.
06-24-2008 1:55 PM
Hi,
we have installed the SAP Crypto Library.
And yes there is a cross in front of the PSE -> shows that the PSE is not yet created
But we use SSL. What PSE entry do I need for SSL?
regards
06-24-2008 2:03 PM
Check this link
/people/gregor.wolf3/blog/2006/09/29/setup-data-encryption-between-rfc-client-and-web-as-abap-with-snc
http://searchsap.techtarget.com/tip/0,289483,sid21_gci1222189,00.html
06-24-2008 2:10 PM
Hi,
your first link is the document what I want to do....
But i get this error.
regards
06-25-2008 8:44 AM
Forget about SSL! RFC is secured using SNC and has nothing to do with web services at all. This is older technology.
You'll want to use SNC and so a right click on the PSE with the red cross should give you the create option only (as documented in the blog).
06-25-2008 10:28 AM
The blog has one big problem: The license for the SAP Crypto Library will, most probably, not allow its usage for the RFC client. Please review its license carefully! You may obtain a license from [Secude|http://www.secude.com/] in that case.
06-25-2008 10:33 AM
You might also want to consider using Kerberos protocol based SNC libraries, especially if the client application using RFC runs on a Windows platform (e.g. on XP or Vista) and the user of the application has already logged onto a Windows domain (e.g. Active Directory). In this case, using Kerberos will allow you to give Single Sign-On to the user when they run the client application, and it connects to SAP ABAP using RFC.
To find an SAP partner who provides such libraries I suggest you visit http://www.sap.com/eapcatalog and search for SNC Kerberos keywords in the search box provided. Then, if you contact the vendor/vendors listed they can provide you with more details.
06-26-2008 8:41 AM
>
> Hi,
>
> your first link is the document what I want to do....
>
> But i get this error.
>
> regards
Regarding above - the link you referred to at /people/gregor.wolf3/blog/2006/09/29/setup-data-encryption-between-rfc-client-and-web-as-abap-with-snc clearly describes using RFCs and not web services. This is why myself and others were giving you information about this, but now you are suggesting you need help with web services, which has nothing to do with the information at this link... I am therefore confused about what you want to do, which makes it hard to help.
02-19-2009 4:18 PM
Hi,
We installed a certificate on the System PSE after installing the SAP Crypto Library, and because of that the System PSE was in red status, so we deleted the System PSE. When we go to create "system pse" it says error while loading PSE. Another thing is it prompts for a password which I don't know?
Do you know how I can create System PSE ?
Thanks,
Misba
06-25-2008 2:33 PM
Hi,
thanks a lot.
But how can I use my web services with certificates?
What are the main steps? What do I have to configure for this issue?
regards
06-25-2008 4:24 PM
Hi Wolfgang,
you can't use SNC for securing webservice calls. Instead you might want to use SSL (for transport layer security). Please have a look at the following documentation:
[Configuring a Web Service|http://help.sap.com/saphelp_nw70/helpdata/EN/47/3971ff39591a53e10000000a1553f7/frameset.htm]
[Configuring the SAP Web AS for Supporting SSL|http://help.sap.com/saphelp_nw70/helpdata/EN/65/6a563cef658a06e10000000a11405a/frameset.htm]
Best regards,
Klaus
Edited by: Klaus Kiefer on Jun 25, 2008 7:59 PM
06-26-2008 7:17 AM
Hi,
I want to follow these blogs:
/people/gregor.wolf3/blog/2006/09/30/authenticate-from-php-to-a-web-service-using-x509-certificates
/people/gregor.wolf3/blog/2006/09/29/setup-data-encryption-between-rfc-client-and-web-as-abap-with-snc
Just look at the second one. I have to create the PSE for SAP Cryptolib....
regards
06-26-2008 8:37 AM
Hi Wolfgang,
do you want to secure webservice calls? Then SNC is not relevant for you. Nevertheless, in order to find out the reason for the error when creating the PSE, you might follow [note 800240|https://service.sap.com/sap/support/notes/800240].
Best regards,
Klaus
06-26-2008 9:37 AM
Hi Ralf,
I think I did something similar with XI about a year ago. You have to create or import some certificates / CA certificates using STRUST (it depends if you have officially signed certificates or if you are using your own self-signed certificates. In this case you need the root certificate as well).
=> Note 510007 might be useful
=> When importing your own root CA make sure you choose a valid namespace for Trust Center (starting with Z e.g. ZSELFCA) and choose Root-CA for Category.
=> If you want to view, modify or delete entries choose menu > certificate > database and you will see a screen where you can search for the entries in the certificate database
Just in case you have problems with your PSE make a copy of directory /usr/sap/SID/DVEBMGS<XX>/sec and delete your existing PSE to create a new one (Carefully!!!)
- First of all make sure you installed SAPSECULIB.
- After that you should create a new PSE or create new entries for SSL Server (optionally client etc.)
- You can create an entry directly in TRUST Manager. The resulting certificate will be self-signed. You can sign this cert using your CA and then after having it signed you have to import the certificate response (use openssl to do cert stuff)
=> This might be helpful: http://help.sap.com/saphelp_nw04/helpdata/en/24/61ab3b92818b70e10000000a114084/frameset.htm
You can import your own certificates from menu > certificate > import in the maintenance section of the SSL Server PSE or you can just click on the "Import Certificate" button
When done you should check that your generated/imported certificates are working by simply accessing your server using the https protocol (e.g. https://<server>:<sslport>/sap/public/ping should be fine)
Just in case you used your own CA to sign the certificates your browser will display a popup saying that the certificate is not signed by any known trusted CA (we know that so we can ignore that)
If you want to use client cert authentication you have to repeat the explained steps for SSL Client (Standard)
=> Create the PSE, sign the generated certificate etc., import the certificate response
When this is all done you should do the following:
- Create a RFC Destination for HTTPS Communication (call sm59, open the Folder HTTP Connections to External Server)
- In the destination enter the destination Host and the path of your application
- After that open the TAB Logon/Security
- In the Status of Secure Protocol Section choose SSL active and DEFAULT SSL Client (Standard) as SSL Client Certificate
- Save all your changes
You should now be able to use this destination for your Webservice communication and it will be encrypted using SSL
Hope this helps
If you have further questions let me know
Cheers
06-26-2008 9:55 AM
> First of all make sure you installed SAPSECULIB.
Small mistake: must be SAPCRYPTOLIB.
Best regards,
Klaus
06-26-2008 9:46 AM
Sorry for calling you Ralf in my latest Post, I was working on another Post and got confused with the names
04-09-2010 9:54 AM
Please check the following parameters
ssf/name SAPSECULIB
ssf/ssfapi_lib d:\usr\sap\<SID>\sys\exe\uc\NTAMD64\sapsecu.dll
sec/libsapsecu d:\usr\sap\<SID>\SYS\exe\uc\NTAMD64\sapsecin.exe <---
The program 'sapsecin.exe' is only useful in certain situations (for
example for error analysis) and can be ignored in the standard
installation.
So, please change 'sec/libsapsecu' to
"d:\usr\sap\SBD\sys\exe\uc\NTAMD64\sapsecu.dll" as well and try
STRUSTSSO2 again.
Regards,
Jobit
Edited by: jobit joy on Apr 9, 2010 10:55 AM
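A consistency check for the profile parameters named in the last post, as an added example that is not part of the thread and not SAP tooling. It assumes the instance profile uses `name = value` lines with `#` comments; the function names, the accepted library suffixes and the sample profile are constructed for illustration.

```python
import ntpath

# Constructed sample profile using the parameter values quoted in the post.
SAMPLE_PROFILE = r"""
# constructed sample, not taken from a real system
ssf/name = SAPSECULIB
ssf/ssfapi_lib = d:\usr\sap\<SID>\sys\exe\uc\NTAMD64\sapsecu.dll
sec/libsapsecu = d:\usr\sap\<SID>\SYS\exe\uc\NTAMD64\sapsecin.exe
"""

LIB_PARAMS = ("ssf/ssfapi_lib", "sec/libsapsecu")
LIB_SUFFIXES = (".dll", ".so")  # assumption: shared-library suffixes to accept


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def check_library_params(params):
    """List problems with the two parameters the post says must name the library."""
    findings = []
    for name in LIB_PARAMS:
        value = params.get(name)
        if not value:
            findings.append(f"{name}: not set")
        elif not value.lower().endswith(LIB_SUFFIXES):
            findings.append(f"{name}: {ntpath.basename(value)} is not a library file")
    # Windows paths as in the post: compare case-insensitively.
    values = [ntpath.normcase(params[n]) for n in LIB_PARAMS if params.get(n)]
    if len(values) == 2 and values[0] != values[1]:
        findings.append("ssf/ssfapi_lib and sec/libsapsecu point to different files")
    return findings


if __name__ == "__main__":
    for finding in check_library_params(parse_profile(SAMPLE_PROFILE)):
        print("WARN", finding)
```

Run against the sample, it flags `sec/libsapsecu` for pointing at `sapsecin.exe` and for differing from `ssf/ssfapi_lib`, which is the condition the post asks to correct before retrying STRUSTSSO2.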