Migration of Secure Store Data
Applies to migration, support or upgrade projects in which the installation number changes from the source to the target system.
This document explains the steps required to migrate secure storage (secstore) data, which is necessary whenever the installation number of a system changes.
The installation number is part of the system-dependent data with which the key is generated. If your installation number changes, the data created with the previous installation number can no longer be read.
The installation number can change even in a productive system. This happens when a new license is imported (although not every import of a new license changes the installation number).
To be able to continue working with the existing entries in the secure storage in such a case, you receive a release key from SAP together with the new license (if the license will change the installation number). You can use this key to migrate the entries in the secure storage. The release key (also called the migration key) is not a skeleton key: it only releases the conversion of data from one specific previous installation number to your current installation number.
We assign the release key only if the installation number of a production system changes. You cannot request the release key for other situations (test systems, transporting database entries between systems).
The secure storage is a component of the SAP Web Application Server ABAP. It allows the encrypted storage of sensitive data that SAP applications require when logging on to other systems.
The encrypted storage of the data in the database prevents unauthorized persons or programs from accessing this data.
The following SAP applications use the secure storage to store passwords:
- RFC destinations
- Exchange Infrastructure (XI)
- LDAP system users
- CCMS (Generic Request and Message Generator)
For legal reasons, only SAP applications may use the secure storage. We therefore use technical measures to prevent the secure storage being used in customer developments.
Checking SecStore Entries
You can check the entries in the secure storage across clients in transaction SECSTORE (without seeing their contents).
The check consists of several steps:
- The technical check checks whether the system can read the entries and the internal administration structures of the secure storage are consistent. This check applies to the entries in all clients.
- The application that created the entry performs an application check. During this, the application checks, for example, whether the entry is still required, or that the access authorizations specified by the application are sufficient for the entry.
The application check is not performed in the following cases:
- The creating application does not provide a check function.
- The check function of the application can only check entries in the logon client.
To be able to execute the transaction, you require the authorization object S_RZL_ADM (system administration) with activity 03.
- Choose the Check Entries tab.
- Specify the entries to be checked.
- Specify entries for a particular application in the Selected Application field.
- Specify the names of individual entries in the Record ID fields.
- Choose Execute.
The Contents of Secure Storage result list appears.
The result list lists the entries contained in the secure storage. In the navigation tree on the left, the entries are grouped by client and creating application. For the program to be able to group an entry under a particular application, the application must provide a function with which transaction SECSTORE can assign the entry. Entries that cannot be assigned are shown under Others.
The following functions are also available in the result list:
- If the creating application supports doing so, you can branch from the message list to the editing of the entry. To do this, double-click the message line.
- You can delete all entries for which the application check found that they are no longer required by choosing Clean Up.
- You can delete the entries selected in the message list from the secure storage by choosing Delete. To do this, you require authorization S_RZL_ADM with the corresponding activity. The deletion is recorded in the system log.
Migrating Encrypted Data After Changing Installation Number
During the project, a system copy from the production system was required; the customer performed this copy and refreshed the quality system with the production system.
During this refresh the customer number changed, and instead of keeping the existing installation number the customer decided to use a new installation number.
The secure storage is an ABAP kernel function for storing encrypted data. Applications in the SAP system use it to store access data for external systems securely.
The installation number of the system and the system ID are used when creating the key for the secure storage. If one or more of these values changes, the data in the secure storage can no longer be read.
Under certain circumstances, you can migrate the data. You need the migration key to be able to carry out the migration.
If the change of the installation number is caused by importing a new license, SAP automatically generates the migration key and sends it with the e-mail for the new license.
Alternatively, the migration key can be generated in SAP Service Marketplace.
You can find this application in SAP Support Portal under "Keys & Requests --> Migration Keys --> Secure Storage Migration".
After you log on, you can select the old and new installation numbers assigned to your user, and can generate the migration key.
If the old installation number and the new installation number are assigned to different customer numbers, and these customers are not linked to each other by the corporate group functions, you cannot create the migration key as described above.
Because of the change in customer number and installation number, all RFC destinations started failing. The error is caused by nothing other than this change: the entries in the secure storage can no longer be decrypted with the key derived from the new installation number.
The earlier installation number of the DR2 system was XXXXXX46.
It has been changed to XXXXXX39.
As a result, all secure storage data has been invalidated and must be migrated to the updated system configuration.
To confirm this, run transaction SECSTORE and choose Execute.
All RFC destinations are reported as inconsistent.
A similar problem is explained in SAP Note:
To resolve it, perform the following steps:
- Customer systems with SAP_BASIS 7.00 or higher
Start Transaction SECSTORE and switch to the "System data changed" tab.
Fill the fields "Old system name", "Old installation number" and "Release Key" (referred to as "migration key" in the text of this note) and choose "Execute".
Following the note, transaction SECSTORE was executed:
- Go to the System Data Changed tab.
- Enter the old system ID (SID).
- Enter the old installation number.
- Generate the migration key in the SAP Service Marketplace and enter it in the Release Key field.
- Choose Execute.
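The following model illustrates why the entries become unreadable and what the release key does; it is an added example written for this page, not SAP's code, and SAP's actual key derivation, cipher and release-key format are not described here and are assumed to differ. In the model the entry key is derived from the system ID and installation number (as the text above states), a wrong key fails an integrity check (the "technical check" that SECSTORE reports as inconsistent), and migration re-encrypts entries under the new key only if the release key is bound to exactly the old/new installation-number pair. The record IDs, secrets and installation numbers are constructed sample values.

```python
"""Model of a system-data-bound secure store and its release-key-gated migration.
Illustrative only: not SAP's implementation; all constants and formats are assumptions."""
import hashlib
import hmac
import os
from typing import Dict, Optional

MASTER_SECRET = b"model-kernel-secret"          # assumed stand-in for a kernel-internal secret
VENDOR_RELEASE_SECRET = b"model-vendor-secret"  # assumed stand-in for the vendor side issuing release keys


def derive_key(sid: str, instno: str) -> bytes:
    """Entry key is bound to system-dependent data: change SID or installation number
    and the derived key changes, so existing ciphertext can no longer be read."""
    return hashlib.sha256(MASTER_SECRET + sid.encode() + b"|" + instno.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns None when the tag does not verify, i.e. the entry is unreadable with this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def make_release_key(old_instno: str, new_instno: str) -> str:
    """Vendor-issued release key, bound to one (old, new) pair: it is not a skeleton key."""
    msg = f"{old_instno}->{new_instno}".encode()
    return hmac.new(VENDOR_RELEASE_SECRET, msg, hashlib.sha256).hexdigest()


class SecureStore:
    def __init__(self, sid: str, instno: str) -> None:
        self.sid = sid
        self.instno = instno
        self.entries: Dict[str, bytes] = {}  # record ID -> encrypted blob

    def put(self, record_id: str, secret: str) -> None:
        self.entries[record_id] = encrypt(derive_key(self.sid, self.instno), secret.encode())

    def get(self, record_id: str) -> Optional[str]:
        pt = decrypt(derive_key(self.sid, self.instno), self.entries[record_id])
        return None if pt is None else pt.decode()

    def check_entries(self) -> Dict[str, bool]:
        """Technical check: can the system still read each entry with its current key?"""
        return {rid: self.get(rid) is not None for rid in self.entries}

    def migrate(self, old_sid: str, old_instno: str, release_key: str) -> int:
        """'System data changed': re-encrypt entries from the old key to the current one.
        The release key must match exactly the old -> current installation number pair."""
        if not hmac.compare_digest(release_key, make_release_key(old_instno, self.instno)):
            raise PermissionError("release key is not valid for this old/new installation number pair")
        old_key = derive_key(old_sid, old_instno)
        new_key = derive_key(self.sid, self.instno)
        migrated = 0
        for rid, blob in list(self.entries.items()):
            pt = decrypt(old_key, blob)
            if pt is None:
                continue  # not readable with the old system data given (e.g. wrong old SID)
            self.entries[rid] = encrypt(new_key, pt)
            migrated += 1
        return migrated


def demo() -> dict:
    store = SecureStore("DR2", "XXXXXX46")
    store.put("RFCDES/ERP_PRD", "rfc-user-password")   # constructed sample entries
    store.put("LDAP/SYSUSER", "ldap-bind-password")
    result = {"before": store.check_entries()}
    store.instno = "XXXXXX39"                           # new license, new installation number
    result["after_change"] = store.check_entries()      # every entry now inconsistent
    try:
        store.migrate("DR2", "XXXXXX46", make_release_key("XXXXXX11", "XXXXXX39"))
        result["wrong_pair_rejected"] = False
    except PermissionError:
        result["wrong_pair_rejected"] = True            # key for another pair is refused
    key = make_release_key("XXXXXX46", "XXXXXX39")
    result["migrated_wrong_sid"] = store.migrate("QAS", "XXXXXX46", key)  # wrong old SID: nothing converts
    result["migrated"] = store.migrate("DR2", "XXXXXX46", key)
    result["after_migration"] = store.check_entries()
    result["rfc_password"] = store.get("RFCDES/ERP_PRD")
    return result
```

Two points the model makes explicit: the old system name matters as much as the old installation number (with a wrong SID the conversion silently migrates nothing, so run the check again afterwards), and a release key issued for a different installation-number pair is rejected rather than acting as a master key.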
Because the secure storage underlies all secured interfaces and data exchange, any change to it must be validated by testing the relevant connected systems and interfaces: run the SECSTORE check again after the migration and test the RFC destinations and other consumers listed above.