Instructions For SAP Note 2068693v1.2 - en
Example: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also textual cross-references to other documents.
EXAMPLE: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
Caution
Before you start the implementation, make sure that you have the latest version of this document, which is
available from SAP Note 2068693.
1.1 2014-10-15: In section 1.3.5, step 1, SS02 applications were mistakenly excluded as not being signed with the DSA algorithm.
1.2 2015-01-09: In section 3.1.1.1, step 12, a note was added on how to proceed when a typical warning appears.
There are times during the lifecycle of a system when you want to replace the key pairs used for cryptographic
functions. For example, the validity period of the key pair can expire, the key pair can be revoked, or you can
proactively replace the key pair with a new one.
This guide describes how to replace private keys in issuing systems and the corresponding public keys in
validating systems. The procedures are based primarily on SAP NetWeaver Application Server (SAP NetWeaver
AS) for ABAP as the issuing system. We assume in this document that you want to replace DSA signatures,
though most of the functions described here work for any type of algorithm.
This procedure requires you to go into the issuing and receiving systems at least twice for each system.
Before you begin, ensure that you have the latest version of the SAP Cryptographic Library.
Procedure
1. Create keys with identical names on the system that issues signatures.
Caution
Do not use the new keys for signatures, yet!
2. Export the public keys of the new keys.
3. Import the new keys into all receiving systems.
4. On the key issuing systems, create a backup of the old key pairs.
5. On the key issuing systems, switch to the new keys for signatures.
6. Test your business processes.
7. Remove the old keys from the issuing and receiving systems.
When replacing the system PSE of SAP NetWeaver AS for ABAP, be aware that many applications use the system
PSE by default. When the system is configured this way, the PSE is used for radically different purposes and has
different requirements. For example, some documents digitally signed by the system PSE have very short
lifetimes, while other documents must continue to be validated over years. When you replace the system PSE
Note
If you use signatures that must be validated over a long period of time, such as for FDA compliance,
archive the relevant PSEs and create an image of the relevant systems including the documents. The
archived key pairs and system data serve as the preservation of evidence that the documents had been
signed by those key pairs at that point in time.
SAP Solution Manager also provides tools to help you keep track of PSE certificates. For more information, see 1.3
below.
SAP Solution Manager offers the capability to view which PSEs are used in which SAP NetWeaver AS systems in
your landscape. When you determine which PSEs need to be replaced, use the following instructions to find other
SAP systems that rely on the PSE certificates.
Prerequisites
Potential systems must be connected to SAP Solution Manager 7.10 SPS 10 or higher and report PSE (X.509
key) information to SAP Solution Manager.
You have prepared system comparison lists in SAP Solution Manager: one for SAP NetWeaver AS for ABAP
systems in your landscape and one for SAP NetWeaver AS for Java systems in your landscape.
SAP HANA systems and other SAP or third-party systems are currently not supported. These systems can
nevertheless be issuing or receiving systems. For more information, see the product documentation for your
system.
You have the required authorizations.
For more information about using SAP Solution Manager, see the documentation for SAP Solution Manager at
https://help.sap.com/solutionmanager.
For more information about using Configuration Validation in SAP Solution Manager, see Configuration
Validation in the documentation for SAP Solution Manager.
For more information about using Configuration and Change Database (CCDB) in SAP Solution Manager, see
Configuration and Change Database (CCDB) in the documentation for SAP Solution Manager.
Note
Even if you can use this procedure, review your system landscape to identify other systems not covered
by SAP Solution Manager.
SAP Solution Manager collects data on PSEs stored in SAP NetWeaver AS systems. You can generate a list of
these PSEs.
Procedure
1. In SAP Solution Manager, start SAP Solution Manager: Work Centers (transaction SM_WORKCENTER).
2. Choose the Root Cause Analysis tab.
3. Choose Configuration Validation.
4. On the Report Execution tab, choose Reporting Templates.
5. Under the Choose Reference System section, on the Select Reference System tab, choose the 0ALERT
system.
6. On the Operator validation tab, choose the 0CONFIG_STORE_TABLE_VIEWER configuration operators report.
7. Choose the Start operator validation reporting pushbutton.
8. In the Configuration Validation Viewer, enter the required data.
In the Config Store field, enter PSE_CERT.
In the Comparison List field, select the list you prepared for SAP NetWeaver AS for ABAP systems.
9. Choose the Validate pushbutton.
You now have a list of PSE certificates.
Procedure
1. From the context menu of the resulting table in the Configuration Validation Viewer, choose User Settings >
More…
2. Choose the following columns for display:
o SID
o TYPE
o APPLICATION
o CONTEXT
o SUBJECT
o ISSUER
o SERIALNO
3. Choose OK.
4. Choose (Export to Spreadsheet).
SAP Solution Manager collects data on PSEs stored in SAP NetWeaver AS systems. You can generate a list of
these PSEs.
Procedure
1. In your SAP Solution Manager system, start SAP Solution Manager: Work Centers (transaction
SM_WORKCENTER).
2. Choose the Root Cause Analysis tab.
3. Choose Configuration Validation.
4. On the Report Execution tab, choose Reporting Templates.
5. Under the Choose Reference System section, on the Select Reference System tab, choose the 0ALERT
system.
6. On the Operator validation tab, choose the 0CONFIG_STORE_TABLE_VIEWER configuration operators report.
7. Choose the Start operator validation reporting pushbutton.
8. In the Configuration Validation Viewer, enter the required data.
In the Config Store field, enter J2EE_PSE_CERT.
In the Comparison List field, select the list you prepared for SAP NetWeaver AS for Java systems.
9. Choose the Validate pushbutton.
You now have a list of PSE certificates stored in SAP NetWeaver AS for Java.
Procedure
1. From the context menu of the resulting table in the Configuration Validation Viewer, choose User Settings >
More…
2. Choose the following columns for display:
o SID
o TYPE
o ALIAS
o VIEW
o SUBJECT
Now that you have the Excel files, you can create a worklist. As stated above, this procedure assumes we want to
find all PSEs that issue or validate DSA signatures.
Procedure
1. In the Excel of ABAP PSEs, use the CONTEXT and APPLICATION columns to include only entries with the
values shown in the table below.
The following figures show examples of how the sorting of the contexts and applications appears in Microsoft
Excel. In the left figure, we exclude the SSLC, SSLS, and WSSE contexts because these PSEs use the RSA
algorithm; for this example, we are only targeting DSA signatures. The same is true for the application SNCS
shown in the figure to the right.
After assembling a worklist of PSEs to replace, create a new key pair for each PSE. Export the public key of the key
pair and import the public key into the receiving systems. Importing the public key enables the receiving system to
trust and validate signatures from the issuing system.
Procedure
1. For all the systems in the List of ABAP OWN-CERTIFICATEs, prepare replacement PSEs.
For more information about preparing replacement PSEs with the REPLACE_DSA_PSE report, see 2.1 below.
2. Remove the filter on the TYPE column of the List of ABAP OWN-CERTIFICATEs Excel.
For each OWN-CERTIFICATE, note any systems with TYPE CERTIFICATE and matching SUBJECT, ISSUER,
and SERIALNO. These are the receiving systems as identified by the SID.
You should now have a complete work list of SAP NetWeaver AS for ABAP systems with CERTIFICATEs that
match a system with an OWN-CERTIFICATE with identical SUBJECT, ISSUER, and SERIALNO. This document
refers to this list as the List of ABAP receiving systems.
3. For SAP NetWeaver AS for ABAP systems with CERTIFICATES matching an OWN-CERTIFICATE, import the
new public-key certificate from the issuing system.
For more information about importing the public key with the REPLACE_DSA_CERTIFICATES report, see 2.2
below.
4. In the Excel of Java PSEs, sort the PSEs by SUBJECT, ISSUER, and SERIALNO.
For each OWN-CERTIFICATE in the Excel of ABAP PSEs, note any systems with CERTIFICATE matching
SUBJECT, ISSUER, and SERIALNO. These Java systems have imported the public key of the ABAP PSE.
Therefore, these systems are also receiving systems as identified by the SID.
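The matching described in steps 1 to 4 above, as an added example that is not part of the guide or of SAP Note 2068693: it reads the two Solution Manager exports saved as CSV (constructed sample rows; the Java export is assumed to carry ISSUER and SERIALNO as well, since step 4 sorts on them), keeps only the OWN-CERTIFICATEs outside the RSA contexts and applications, and lists for each issuing system the ABAP and Java receiving systems that hold a CERTIFICATE with identical SUBJECT, ISSUER and SERIALNO.

```python
import csv
import io
from collections import defaultdict

# Contexts and the application the guide excludes because those PSEs use RSA.
RSA_CONTEXTS = {"SSLC", "SSLS", "WSSE"}
RSA_APPLICATIONS = {"SNCS"}

# Constructed sample of the ABAP PSE_CERT export with the columns the guide selects.
ABAP_CSV = """SID,TYPE,APPLICATION,CONTEXT,SUBJECT,ISSUER,SERIALNO
PRD,OWN-CERTIFICATE,SSFA,LOGON,CN=PRD,CN=PRD,20:14:07:17:13:13:01
PRD,OWN-CERTIFICATE,SSLC,SSLC,CN=prd.example.com,CN=prd.example.com,20:14:01:02:03:04:05
BWP,CERTIFICATE,SSFA,LOGON,CN=PRD,CN=PRD,20:14:07:17:13:13:01
CRP,CERTIFICATE,SSFA,LOGON,CN=PRD,CN=PRD,20:14:07:17:13:13:01
CRP,CERTIFICATE,SSFA,LOGON,CN=DEV,CN=DEV,20:13:01:01:00:00:00
"""

# Constructed sample of the Java J2EE_PSE_CERT export. ISSUER and SERIALNO are
# assumed to be exported too (the guide's step 4 sorts on them).
JAVA_CSV = """SID,TYPE,ALIAS,VIEW,SUBJECT,ISSUER,SERIALNO
EPP,CERTIFICATE,PRD_ticket,TicketKeystore,CN=PRD,CN=PRD,20:14:07:17:13:13:01
EPP,OWN-CERTIFICATE,SAPLogonTicketKeypair,TicketKeystore,CN=EPP,CN=EPP,20:14:02:02:02:02:02
"""


def read_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def cert_key(row):
    """Identity of a certificate as the guide matches it."""
    return (row["SUBJECT"], row["ISSUER"], row["SERIALNO"])


def dsa_own_certificates(abap_rows):
    """Step 1: OWN-CERTIFICATEs outside the RSA contexts and applications."""
    return [
        r for r in abap_rows
        if r["TYPE"] == "OWN-CERTIFICATE"
        and r["CONTEXT"] not in RSA_CONTEXTS
        and r["APPLICATION"] not in RSA_APPLICATIONS
    ]


def receiving_systems(own_certs, abap_rows, java_rows):
    """Steps 2 and 4: for each issuing SID, the ABAP and Java SIDs holding a
    CERTIFICATE with the same SUBJECT, ISSUER and SERIALNO."""
    issuers = defaultdict(set)          # certificate identity -> issuing SIDs
    for r in own_certs:
        issuers[cert_key(r)].add(r["SID"])
    worklist = {sid: {"abap": set(), "java": set()}
                for sids in issuers.values() for sid in sids}
    for kind, rows in (("abap", abap_rows), ("java", java_rows)):
        for r in rows:
            if r["TYPE"] != "CERTIFICATE" or cert_key(r) not in issuers:
                continue
            for sid in issuers[cert_key(r)]:
                if r["SID"] != sid:     # a system's own copy is not a receiver
                    worklist[sid][kind].add(r["SID"])
    return worklist


def build_worklist(abap_csv=ABAP_CSV, java_csv=JAVA_CSV):
    abap_rows, java_rows = read_rows(abap_csv), read_rows(java_csv)
    return receiving_systems(dsa_own_certificates(abap_rows), abap_rows, java_rows)


if __name__ == "__main__":
    for issuer, receivers in build_worklist().items():
        print(issuer, "-> ABAP receivers:", sorted(receivers["abap"]),
              "Java receivers:", sorted(receivers["java"]))
```

The RSA-context OWN-CERTIFICATE of PRD and CRP's unrelated CN=DEV certificate drop out, leaving PRD as the only issuing system with BWP and CRP as ABAP receivers and EPP as the Java receiver.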
Caution
Do not use the new keys for signatures, yet!
Lists used: List of ABAP OWN-CERTIFICATEs
2. Export the public keys of the new keys.
Lists used: List of ABAP OWN-CERTIFICATEs
3. Import the new keys into all receiving systems.
Lists used: List of ABAP receiving systems; List of Java receiving systems
4. On the key issuing systems, create a backup of the old PSEs.
Lists used: List of ABAP systems with OWN-CERTIFICATES
5. On the key issuing systems, switch to the new keys for signatures.
Lists used: List of ABAP systems with OWN-CERTIFICATES
6. Test your business processes.
7. Remove the old keys from the issuing and receiving systems.
Lists used: List of ABAP systems with OWN-CERTIFICATES; List of ABAP receiving systems; List of Java receiving systems
Note
The public-key certificates of the old PSEs may have been imported into other systems such as SAP HANA
or third-party systems. Import the new public-key certificate into these systems as well. For more
information, see the product documentation for your system.
For SAP NetWeaver AS for ABAP, we provide tools to support PSE replacement. To use tool-supported PSE
replacement, implement SAP Note 2068693.
The replacement process uses two reports for SAP NetWeaver AS for ABAP: one report on the issuing system and
one on the receiving system. SAP Solution Manager provides support for generating work lists for which systems
need PSE replacement.
For more information, see 1.3 above.
An overview of the process is as follows:
1. Create replacement PSEs on issuing SAP NetWeaver AS for ABAP systems and export the corresponding
public keys.
2. Import the public keys to receiving systems.
3. Activate the replacement PSEs and test the business process.
4. Delete the old PSEs and corresponding public-key certificates.
Be sure to archive the old PSEs before removing them from the system.
Report REPLACE_DSA_PSE enables you to generate inactive replacement PSEs. Before you activate the PSE,
export the public-key certificate of the new PSE and import the certificate into systems that trusted the old PSE.
Prerequisites
Caution
If you do not have a backup of the old PSE and delete it, there is no way to recover or validate information
protected by the cryptographic function.
Procedure
1. On the issuing system, start report REPLACE_DSA_PSE in ABAP: Program Execution (transaction SA38).
The report displays the PSEs with keys that need replacing.
Icon Description
The old PSE is still active and in use. Replace the PSE with a new PSE.
Report REPLACE_DSA_CERTIFICATES enables you to import public keys for existing trust relationships.
Importing the public keys is an important prerequisite before switching to the new PSE and testing the business
process.
Prerequisites
You have downloaded the public key from the issuing system.
You have authorizations to use Trust Manager (transaction STRUST).
You have implemented SAP Note 2068693.
Procedure
Icon Description
Activate the replacement PSE and test whether your business processes still work.
Procedure
1. On the issuing system, start report REPLACE_DSA_PSE in ABAP: Program Execution (transaction SA38).
2. Choose (Switch from old to new PSE) to use the new certificates.
3. Thoroughly test the affected business processes.
If you encounter a problem during your testing, choose (Switch from new to old PSE) to go back to the
previous configuration.
Once you are convinced that your business processes are correctly configured, you can remove the old PSEs from
the issuing system and the old public-key certificates from the receiving system.
Note
Depending on the scenarios that use the PSE, you may need to consider how to validate signatures made
by the old PSE that are still in the system. Once the old public key has been deleted, the system can no
longer validate signatures made by the old PSE. Consider the national laws, which mandate audits of
documents signed by your business processes.
If you use signatures that must be validated over a long period of time, such as for FDA compliance,
archive the PSE and create an image of the relevant systems. The archived PSEs and system data serve
as the preservation of evidence that the documents had been signed by those PSEs at that point in time.
For the reasons mentioned above, the report REPLACE_DSA_PSE requires you to save a copy of the old
PSE before you delete it.
Prerequisites
Be sure you have archived the old PSE. With the old PSE you can export the public key and recover older
signatures.
Procedure
1. On the issuing system, start report REPLACE_DSA_PSE in ABAP: Program Execution (transaction SA38).
2. Choose (Finally: delete old PSE).
The report requires you to save a copy of the old PSE before deleting it.
3. On the receiving system, delete the old public-key certificate.
This section provides information about various scenarios in SAP landscapes. Each scenario provides
recommendations for replacing PSEs as well as manual procedures for the replacement process. Manual
replacement can be a laborious process. We recommend using the tool-supported process for SAP NetWeaver
AS for ABAP, where possible.
For more information, see 2 Tool-Supported PSE Replacement.
The following are scenarios that use DSA signatures:
Logon tickets and authentication assertion tickets
Secure URLs for Content Server
SAP Passports
E-Learning
System Signatures for SSF Signatures
Custom Development Using SSF Functions
ITS Applet Handling
SAP servers sign and issue logon tickets to users that log on. The user's client then presents these tickets to other
systems, which accept the signature on the logon ticket as long as trust has been established. To establish trust,
an administrator must have installed the public key of the ticket issuing system in the ticket receiving system.
Authentication assertion tickets are used for server-to-server connections. With authentication assertion tickets,
another system is the client instead of a user. Otherwise the principles remain the same.
SAP HANA does not issue logon tickets, but it can issue authentication assertion tickets. SAP HANA has the
capability to issue assertion tickets from SAP HANA 1.0 SP7 and higher. SAP NetWeaver AS for ABAP issues both
types of tickets.
For SAP NetWeaver AS for ABAP, we provide a number of tools to make switching keys easier. For more
information, see 2 above. Otherwise you must repeat this procedure for every client in your SAP NetWeaver AS
for ABAP.
Procedure
Note
If the warning Certificate no longer has signature (use restriction) appears, choose Enter to continue the
export operation.
13. Double-click File PSE and open the file PSE you just saved in step 10 above.
14. For every certificate you saved in step 12 above, choose (Import Certificate) and Add to Certificate List to
the file PSE you opened in step 13 above.
15. Choose (Save) to save the file PSE.
Prerequisites
Procedure
Note
In a cluster environment, check every cluster node.
2. Change to the SAP HANA trust store directory:
cd $SECUDIR
This should be the following directory:
/usr/sap/<SID>/HDB<instance number>/<machine name>/sec
Note
In a cluster environment, you must check every node in the cluster.
3. For each PSE in this directory view the PSE attributes by entering the following command.
./sapgenpse get_my_name -p <pse_name>
The following is an example of the result:
No SSO for USER "<sidadm>"
with PSE file "$SECUDIR/saplogon.pse"
Subject : CN=MYSAPSSO
Issuer : CN=MYSAPSSO
Serialno: 20:14:07:17:13:13:01
KeyInfo : DSA, 1024-bit
Validity - NotBefore: Thu Jul 17 14:13:01 2014 (140717131301Z)
NotAfter: Fri Jan 1 01:00:01 2038 (380101000001Z)
If KeyInfo reveals a key of type DSA, make sure you have a current version of the SAP Cryptographic Library
and replace the key pair.
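A parser for the get_my_name output shown above, as an added example that is not part of the guide or of sapgenpse: it extracts Subject, Issuer, Serialno, KeyInfo and the validity timestamps and flags a PSE whose KeyInfo is DSA (or whose certificate has already expired, the other replacement trigger named in the introduction). scan_secudir() is a hypothetical helper showing how the parser would be driven over $SECUDIR; the sample output is constructed after the guide's example.

```python
import re
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Constructed after the get_my_name output shown in the guide.
SAMPLE_OUTPUT = """No SSO for USER "<sidadm>"
with PSE file "$SECUDIR/saplogon.pse"
Subject : CN=MYSAPSSO
Issuer : CN=MYSAPSSO
Serialno: 20:14:07:17:13:13:01
KeyInfo : DSA, 1024-bit
Validity - NotBefore: Thu Jul 17 14:13:01 2014 (140717131301Z)
NotAfter: Fri Jan 1 01:00:01 2038 (380101000001Z)
"""

# "Field : value" lines and the bracketed UTC timestamps (YYMMDDhhmmssZ).
FIELD_RE = re.compile(r"^\s*(Subject|Issuer|Serialno|KeyInfo)\s*:\s*(.*)$", re.M)
STAMP_RE = re.compile(r"(NotBefore|NotAfter):.*?\((\d{12})Z\)")


def parse_get_my_name(text):
    """Return the certificate fields plus a normalized algorithm name and key size."""
    info = {k: v.strip() for k, v in FIELD_RE.findall(text)}
    for which, stamp in STAMP_RE.findall(text):
        info[which] = datetime.strptime(stamp, "%y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    algo, _, bits = info.get("KeyInfo", "").partition(",")   # e.g. "DSA, 1024-bit"
    info["algorithm"] = algo.strip().upper()
    info["bits"] = int(re.sub(r"\D", "", bits) or 0)
    return info


def needs_replacement(info, now=None):
    """True for a DSA key (the guide's criterion) or an already expired certificate."""
    now = now or datetime.now(timezone.utc)
    return info["algorithm"] == "DSA" or info.get("NotAfter", now) <= now


def scan_secudir(secudir, sapgenpse="./sapgenpse"):
    """Hypothetical driver: run get_my_name for every *.pse in secudir and parse it.
    Not executed by the tests; it needs a real sapgenpse installation."""
    results = {}
    for pse in sorted(Path(secudir).glob("*.pse")):
        proc = subprocess.run([sapgenpse, "get_my_name", "-p", str(pse)],
                              capture_output=True, text=True, check=False)
        results[pse.name] = parse_get_my_name(proc.stdout)
    return results


if __name__ == "__main__":
    info = parse_get_my_name(SAMPLE_OUTPUT)
    print(info["Subject"], info["algorithm"], info["bits"],
          "replace" if needs_replacement(info) else "keep")
```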
2. Create a new PSE, using the same data as the original PSE for assertion tickets.
./sapgenpse gen_pse -a DSA -s 1024 -p saplogonSign_new.pse "CN=<host>.<domain>,
OU=<instance>, O=<org>, C=<country>"
3. Export any certificates within the logon certificate trust store saplogonSign.pse.
./sapgenpse maintain_pk -l PEMlist -p saplogonSign.pse
The output appears as one or more binary large objects (BLOBs).
4. Import the certificates to the new PSE.
./sapgenpse maintain_pk -m <BLOB file> -p saplogonSign_new.pse
So that the receiving systems can verify the signatures of the new private keys, the receiving systems need a copy
of the public keys.
This procedure requires you to log on to SAP NetWeaver AS for ABAP, save the public key to the file system, and
import that file in a new system.
Procedure
Procedure
1. Export the public-key certificate from the SAP HANA trust store, using the following command:
./sapgenpse export_own_cert -p saplogonSign.pse
2. Save the public key certificate to the file system or a network share.
3. Copy the certificate to a network share or the file system of the receiving system.
4. Import the public key certificate to the receiving system.
For more information, see documentation of the receiving system.
Once you have completed this step, you have completed the most critical part of this security note. Create a
backup of the old private keys just in case you run into problems during testing. Archive the old private keys in
case you ever need to restore the old environment in the future.
Procedure
Procedure
Note
In a cluster environment, you must check every node in the cluster.
2. Rename the new PSE.
For example, rename the file from saplogonSign_new.pse to saplogonSign.pse.
In a cluster environment, every node uses the same PSE. Copy the same PSE to every node in the cluster.
Procedure
Thoroughly test the affected systems. Log on to the ticket issuing system and then log on to all systems that
accept this logon ticket.
Once you remove the old public keys, receiving systems will no longer be able to validate signatures issued with
the old private key.
To assist you with deleting old public-key certificates on SAP NetWeaver AS for ABAP, SAP Note 2068693
includes REPLACE_DSA_CERTIFICATES, which enables you to delete these certificates. Use the following
procedure to manually remove the public keys.
Procedure
Note
In a cluster environment, you must check every node in the cluster.
2. List the certificates in the certificate list of the PSE.
./sapgenpse maintain_pk -l -p saplogonSign.pse
3. Note the certificate numbers of the public keys to delete.
4. Delete the public keys in the certificate list.
./sapgenpse maintain_pk -d <number> -p saplogonSign.pse
The content server of SAP NetWeaver AS for ABAP uses the system PSE by default. If you created a PSE just for
the content server (HTTP Content Server), replace the certificate for the content server PSE.
We recommend that you use tool-supported replacement of keys.
For more information, see 2 Tool-Supported PSE Replacement.
If you choose to replace the keys manually, use the following procedures in every client of the system.
Procedure
So that the receiving systems can verify the signatures of the new private keys, the receiving systems need a copy
of the public keys.
This procedure requires you to log on to SAP NetWeaver AS for ABAP.
Procedure
Once you have completed this step, you have completed the most critical part of this security note. Create a
backup of the old private keys just in case you run into problems during testing. Archive the old private keys in
case you ever need to restore the old environment in the future.
Procedure
Procedure
Thoroughly test the affected systems. If you encounter a problem during testing, you can restore the old private
key on the issuing system. The following is an example of an error message that occurs in report RSCMST when
trust has not been established between systems. Otherwise the message appears in the logs of SAP Content
Server.
HTTP/1.1 401 (Unauthorized)
X-ErrorDescription: "Security SsfVerify failed rc=5, , PSE=C:\Program
Files\SAP\Content Server\Security\REPOSITORY.pse,"
Once you remove the old public keys, receiving systems will no longer be able to validate signatures issued with
the old private key.
To assist you with deleting old public-key certificates on SAP NetWeaver AS for ABAP, SAP Note 2068693
includes report REPLACE_DSA_CERTIFICATES, which enables you to delete these certificates. Use the following
procedure to manually remove the public keys.
Procedure
You can use the information stored in SAP Solution Manager to determine if SAP NetWeaver Application Server
for ABAP systems in your landscape are compliant with changes you made in your landscape. For this example,
we assume that you want to ensure all PSEs were created with a current version of SAP Cryptographic Library in
the year 2000 or later. To do this, you create a template from a source system, configure a target system based
on the source system template, and then run the compliance check for a set of systems connected to SAP
Solution Manager.
Create a source system template from which you can create a target system template for the compliance check.
The source system template includes the PSE_CERT configuration store, which has information about PSEs of the
monitored systems.
Procedure
1. In your SAP Solution Manager system, start SAP Solution Manager: Work Centers (transaction
SM_WORKCENTER).
2. Choose the Root Cause Analysis tab.
3. Choose Configuration Validation.
4. On the Target System Maintenance tab, choose Create.
5. Under the Source System section, enter selection criteria to find a system to use as a template and choose
Display Selection.
6. Under Select Source Systems, select a system to use as a template.
7. Under Select Config Stores, filter the results for PSE_CERT.
8. Select a configuration store and choose Create from selected Stores.
9. Enter a system ID under which you will store the source system template.
You will use this template for the configuration check later in a following procedure.
10. Save your entries.
You have created a source system template for defining a target system template for compliance checks.
Once you have a source system template, you can create a target system template. In the target system template
you define configuration store values that lead to compliance and a counter example that does not lead to
compliance.
Procedure
1. In your SAP Solution Manager system, start SAP Solution Manager: Work Centers (transaction
SM_WORKCENTER).
2. Choose the Root Cause Analysis tab.
3. Choose Configuration Validation.
4. On the Target System Maintenance tab, choose Edit.
5. Enter the name of the source system template you created in the previous procedure.
For more information, see 4.1 above.
6. Choose Display selection.
7. Under Config Stores of Target System:<Long SID>, choose the Store Name PSE_CERT.
8. Delete the content of the comparison store.
Choose (Select all entries) and then (Delete selected).
9. Choose (Add an empty entry to the Target System).
10. Except for the SERIALNO field, set the operator to Contains and the value to *. Set operator and value of the
SERIALNO field to Contains and 0A20* respectively.
The result should appear as follows in the figure below.
SAP Solution Manager collects data on PSEs stored in SAP NetWeaver AS systems. You can generate a list of
these PSEs and check their compliance against a target system template.
Procedure
1. In SAP Solution Manager, start SAP Solution Manager: Work Centers (transaction SM_WORKCENTER).
2. Choose the Root Cause Analysis tab.
3. Choose Configuration Validation.
4. On the Report Execution tab, choose Reporting Templates.
5. Under the Choose Reference System section, on the Select Reference System tab, choose the name of the
target system template you created in the previous procedure.
For more information, see 4.2 above.
6. On the Operator validation tab, choose the 0CONFIG_STORE_TABLE_VIEWER configuration operators report.
7. Choose the Start operator validation reporting pushbutton.
8. In the Configuration Validation Viewer, enter the required data.
o In the Config Store field, enter PSE_CERT.
o In the Comparison List field, select the list you prepared for SAP NetWeaver AS for ABAP systems.
9. Choose the Validate pushbutton.
You now have a list of PSE certificates. The final column indicates whether the PSE is compliant or not. For those
PSEs that are not compliant, go through the process to replace the PSE.