Creating a PSE for the Server Using SAPGENPSE 
Use
Use the command get_pse to generate the server's PSE, which includes the public and private key pair and a public-key certificate. If you are using a trusted CA, then you can also use the get_pse command to generate a certificate request. Per default, all of the items are generated, however, you can use the options -noreq or -onlyreq to explicitly include or omit the certificate request.
For easier administration, we currently recommend using self-signed certificates that are not signed by a trusted CA.
If you are using a single PSE for all server components and you have already create the PSE on a different server, then copy the PSE to the appropriate location instead of creating a new one.
Prerequisites
- The SAP Cryptographic Library is installed on the server.
- The environment variable SECUDIR has been set to the location where the PSE is to be stored.
Procedure
Use the following command line to generate a PSE. Create the server's PSE in the SECUDIR directory.
sapgenpse get_pse <additional_options> [-p <PSE_name>] [-r <cert_req_file_name>] [-x <PIN>] [DN]
Where:
Standard Options
Option
Parameter
Description
Allowed Values
Default
-p
<PSE_name>
Path and file name for the server's PSE
Path description (in quotation marks, if spaces exist)
None
-r
<file_name>
File name for the certificate request
Path description (in quotation marks, if spaces exist)
stdout
-x
<PIN>
PIN that protects the PSE
Character string
None
None
DN
Distinguished Name for the server
The Distinguished Name is used to build the server's SNC name.
Character string (in quotation marks, if spaces exist)
None
The Distinguished Name consists of the following elements:
- CN = <Common_Name>
- OU = <Organizational_Unit>
- O = <Organization>
- C = <Country>
For example, for the application server for system ABC where <SID> is defined as the Common Name, Test as the Organizational Unit, MyCompany as the Organization, and DE (Germany) as the country, the Distinguished Name is:
CN=ABC, OU=Test, O=MyCompany, C=DE
Additional Options
Option
Parameter
Description
Allowed Values
Default
-s
<key_len>
Key length
512, 1024, 2048
1024
-a
<algorithm>
Algorithm used
RSA, DSA
RSA
-noreq
None
Only generate a key pair and PSE. Do not generate a certificate request.
Not applicable
Not set
-onlyreq
None
Generate a certificate request for the public key stored in the PSE specified by the -p parameter.
Not applicable
Not set
Generating a PSE and Self-Signed Certificate for the SAP System Application Server
The following command line generates a PSE for the SAP System application server (<SID> = ABC) containing a self-signed certificate. No certificate request is needed. The PSE is to be located at D:\usr\sap\ABC\DVEBMGS28\sec\ABC.pse. The PIN that protects the PSE is abcpin. The server's Distinguished Name is CN=ABC, OU=Test, O=MyCompany, C=DE.
sapgenpse get_pse -p D:\usr\sap\ABC\DVEBMGS28\sec\ABC.pse
-noreq -x abcpin "CN=ABC, OU=Test, O=MyCompany, C=DE"
Generating a PSE and Self-Signed Certificate for the AGate Component
The following command line generates a PSE for the AGate component containing a self-signed certificate. No certificate request is needed. The PSE is to be located at D:\Program Files\SAP\ITS\2.0\ABC\sec\ABC_AGate.pse. The PIN that protects the PSE is abcagatepin. The server's Distinguished Name is CN=ABC_AGate, OU=Test, O=MyCompany, C=DE.
sapgenpse get_pse -p "D:\Program Files\SAP\ITS\2.0\ABC\sec\
ABC_AGate.pse" -noreq -x abcagatepin "CN=ABC_AGate, OU=Test, O=MyCompany, C=DE"
Result
The server's PSE is created in the directory you specified.
Check the contents of the directory at the operating system level to make sure the PSE was created in the correct location before proceeding with the next step.
没有评论:
发表评论