
How To Guide

Document Version: 1.1 2014-10-15

Instructions for Key Replacement


Instructions to Accompany SAP Note 2068693

PUBLIC

Typographic Conventions

Type Style: Description

Example: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Textual cross-references to other documents.
Example: Emphasized words or expressions.
EXAMPLE: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE: Keys on the keyboard, for example, F2 or ENTER.

PUBLIC
2014 SAP AG or an SAP affiliate company. All rights reserved.


Document History

Caution
Before you start the implementation, make sure that you have the latest version of this document, which is available from SAP Note 2068693.

Version   Date         Change
1.0       2014-10-14   Initial release.
1.1       2014-10-15   In section 1.3.5, step 1, SS02 applications were mistakenly excluded as not being signed with the DSA algorithm.


Table of Contents

1 Replacing Key Pairs for Cryptographic Functions
1.1 Overview of the Replacement Procedure
1.2 Notes on the Replacement of the System PSE
1.3 Generating a Worklist from SAP Solution Manager
1.3.1 Generating a Worklist for SAP NetWeaver AS for ABAP
1.3.2 Exporting the Validation Table of ABAP Systems
1.3.3 Generating a Worklist for SAP NetWeaver AS for Java
1.3.4 Exporting the Validation Table of Java Systems
1.3.5 Sorting the ABAP Data
1.3.6 Replacing PSEs and Exchanging Certificates
2 Tool-Supported PSE Replacement
2.1 Creating Replacement PSEs on SAP NetWeaver AS for ABAP
2.2 Importing Public Keys on SAP NetWeaver AS for ABAP
2.3 Testing the Business Processes
2.4 Deleting the Old PSEs and Public Keys
3 Scenario Specific Instructions and Manual Procedures
3.1 Scenario Logon Tickets and Authentication Assertion Tickets
3.1.1 Creating New Keys with Identical Names
3.1.2 Exporting the Public Keys to the Receiving Systems
3.1.3 Start Using the New Private Keys
3.1.4 Testing the New Key Pairs
3.1.5 Delete the Old Public Keys
3.2 Scenario Secure URLs for Content Server
3.2.1 Creating New Keys with Identical Names
3.2.2 Exporting the Public Keys to the Receiving Systems
3.2.3 Using the New Private Keys
3.2.4 Testing the New Key Pairs
3.2.5 Deleting the Old Public Keys
4 Checking for Compliance
4.1 Choosing a Template for Compliance Checks
4.2 Configuring the Target System Template for Compliance Checks
4.3 Executing Compliance Checks


1 Replacing Key Pairs for Cryptographic Functions

There are times during the lifecycle of a system when you want to replace the key pairs used for cryptographic functions. For example, the validity period of the key pair can expire, the key pair can be revoked, or you can proactively replace the key pair with a new one.
This guide describes how to replace private keys in issuing systems and the corresponding public keys in validating systems. The procedures are based primarily on SAP NetWeaver Application Server (SAP NetWeaver AS) for ABAP as the issuing system. We assume in this document that you want to replace the key pairs used for DSA signatures, though most of the functions described here work for any type of algorithm.

1.1 Overview of the Replacement Procedure

This procedure requires you to go into the issuing and receiving systems at least twice for each system.
Before you begin, ensure that you have the latest version of the SAP Cryptographic Library.

Procedure
1. Create keys with identical names on the system that issues signatures.

   Caution
   Do not use the new keys for signatures yet!

2. Export the public keys of the new keys.
3. Import the new keys into all receiving systems.
4. On the key issuing systems, create a backup of the old key pairs.
5. On the key issuing systems, switch to the new keys for signatures.
6. Test your business processes.
7. Remove the old keys from the issuing and receiving systems.

1.2 Notes on the Replacement of the System PSE

When replacing the system PSE of SAP NetWeaver AS for ABAP, be aware that many applications use the system PSE by default. When the system is configured this way, the PSE is used for radically different purposes with different requirements. For example, some documents digitally signed by the system PSE have very short lifetimes, while other documents must continue to be validated over years. When you replace the system PSE, review the procedures for all the relevant scenarios listed in this document. Be sure the steps you follow apply to all the scenarios that apply to you. Consider using separate PSEs for different scenarios.

Note
If you use signatures that must be validated over a long period of time, such as for FDA compliance, archive the relevant PSEs and create an image of the relevant systems including the documents. The archived key pairs and system data serve as the preservation of evidence that the documents had been signed by those key pairs at that point in time.
SAP Solution Manager also provides tools to help you keep track of PSE certificates. For more information, see 1.3 below.

1.3 Generating a Worklist from SAP Solution Manager

SAP Solution Manager offers the capability to view which PSEs are used in which SAP NetWeaver AS systems in your landscape. Once you have determined which PSEs need to be replaced, use the following instructions to find the other SAP systems that rely on those PSE certificates.

Prerequisites
o Potential systems must be connected to SAP Solution Manager 7.10 SPS 10 or higher and report PSE (X.509 key) information to SAP Solution Manager.
o You have prepared system comparison lists in SAP Solution Manager: one for SAP NetWeaver AS for ABAP systems in your landscape and one for SAP NetWeaver AS for Java systems in your landscape.
o SAP HANA systems and other SAP or third-party systems are currently not supported. These systems can also be issuing or receiving systems. For more information, see the product documentation for your system.
o You have the required authorizations.
For more information about using SAP Solution Manager, see the documentation for SAP Solution Manager at https://help.sap.com/solutionmanager.
For more information about using Configuration Validation in SAP Solution Manager, see Configuration Validation in the documentation for SAP Solution Manager.
For more information about using Configuration and Change Database (CCDB) in SAP Solution Manager, see Configuration and Change Database (CCDB) in the documentation for SAP Solution Manager.

Note
Even if you can use this procedure, review your system landscape to identify other systems not covered by SAP Solution Manager.


1.3.1 Generating a Worklist for SAP NetWeaver AS for ABAP

SAP Solution Manager collects data on PSEs stored in SAP NetWeaver AS systems. You can generate a list of
these PSEs.

Procedure
1. In SAP Solution Manager, start SAP Solution Manager: Work Centers (transaction SM_WORKCENTER).
2. Choose the Root Cause Analysis tab.
3. Choose Configuration Validation.
4. On the Report Execution tab, choose Reporting Templates.
5. Under the Choose Reference System section, on the Select Reference System tab, choose the 0ALERT system.
6. On the Operator validation tab, choose the 0CONFIG_STORE_TABLE_VIEWER configuration operators report.
7. Choose the Start operator validation reporting pushbutton.
8. In the Configuration Validation Viewer, enter the required data.
   o In the Config Store field, enter PSE_CERT.
   o In the Comparison List field, select the list you prepared for SAP NetWeaver AS for ABAP systems.
9. Choose the Validate pushbutton.
   You now have a list of PSE certificates.

1.3.2 Exporting the Validation Table of ABAP Systems

To prepare the list for export to Excel, do the following.

Procedure
1. From the context menu of the resulting table in the Configuration Validation Viewer, choose User Settings > More.
2. Choose the following columns for display:
   o SID
   o TYPE
   o APPLICATION
   o CONTEXT
   o SUBJECT
   o ISSUER
   o SERIALNO
3. Choose OK.
4. Choose (Export to Spreadsheet).


5. Save the Excel file to the file system.

1.3.3 Generating a Worklist for SAP NetWeaver AS for Java

SAP Solution Manager collects data on PSEs stored in SAP NetWeaver AS systems. You can generate a list of
these PSEs.

Procedure
1. In your SAP Solution Manager system, start SAP Solution Manager: Work Centers (transaction SM_WORKCENTER).
2. Choose the Root Cause Analysis tab.
3. Choose Configuration Validation.
4. On the Report Execution tab, choose Reporting Templates.
5. Under the Choose Reference System section, on the Select Reference System tab, choose the 0ALERT system.
6. On the Operator validation tab, choose the 0CONFIG_STORE_TABLE_VIEWER configuration operators report.
7. Choose the Start operator validation reporting pushbutton.
8. In the Configuration Validation Viewer, enter the required data.
   o In the Config Store field, enter J2EE_PSE_CERT.
   o In the Comparison List field, select the list you prepared for SAP NetWeaver AS for Java systems.
9. Choose the Validate pushbutton.
   You now have a list of PSE certificates stored in SAP NetWeaver AS for Java.

1.3.4 Exporting the Validation Table of Java Systems

To prepare the list for export to Excel, do the following.

Procedure
1. From the context menu of the resulting table in the Configuration Validation Viewer, choose User Settings > More.
2. Choose the following columns for display:
   o SID
   o TYPE
   o ALIAS
   o VIEW
   o SUBJECT
   o ISSUER
   o SERIALNO
3. Choose OK.
4. Choose (Export to Spreadsheet).
5. Save the Excel file to the file system.

1.3.5 Sorting the ABAP Data

Now that you have the Excel files, you can create a worklist. As stated above, this procedure assumes we want to
find all PSEs that issue or validate DSA signatures.

Procedure
1. In the Excel of ABAP PSEs, use the CONTEXT and APPLICATION columns to include only entries with the values shown in the table below.

   Context   Application   Usage
   PROG      <SYST>        System PSE. The system PSE can have multiple usages.
   SMIM                    Secure/Multipurpose Internet Mail Extensions (S/MIME) applications.
   SSFA                    Secure store and forward (SSF) applications.

   The following figures show examples of how the sorting of the context and applications appears in Microsoft Excel. In the left figure, we exclude the SSLC, SSLS, and WSSE contexts because these PSEs use the RSA algorithm. For this example, we are only targeting DSA signatures. The same is true for the application SNCS shown in the figure to the right.


2. Sort the PSEs by SUBJECT, ISSUER, and SERIALNO.
   For example, in Microsoft Excel on the Data tab, choose Sort and sort by SUBJECT, then ISSUER, and then SERIALNO, as shown in the figure that follows.
3. Filter the resulting list on the TYPE column for OWN-CERTIFICATE.


These systems, as identified by the SID, are issuing systems. Shown in the Excel are the certificates for each
server instance. All certificate instances with the same subject, issuer, and serial number are the same PSE. It
is likely that you will have multiple entries per certificate.
In this example we want to replace PSEs created with the DSA algorithm. Some of these certificates may not
be relevant. Check the algorithm used to generate the OWN-CERTIFICATEs.
1. In the ABAP system identified by the SID, start the trust manager (transaction STRUST).
2. Double-click the PSE for the certificate and then, under Own Certificate, double-click the Owner (or Subject, depending on your software release).
   The PSEs start with System PSE, SMIME, or SSF. Under Certificate, make sure the subject, issuer, and serial number match the OWN-CERTIFICATE in the Excel.
3. Under Certificate, check the algorithm.
   If anything other than DSA appears under the algorithm, remove the entry from your Excel list. We only want certificates with DSA algorithms in the list for our example.

You should now have a complete worklist of systems with OWN-CERTIFICATES to replace. This document refers
to this list as the List of ABAP OWN-CERTIFICATEs.

1.3.6 Replacing PSEs and Exchanging Certificates

After assembling a worklist of PSEs to replace, create a new key pair for each PSE. Export the public key of the key
pair and import the public key into the receiving systems. Importing the public key enables the receiving system to
trust and validate signatures from the issuing system.

Procedure
1. For all the systems in the List of ABAP OWN-CERTIFICATEs, prepare replacement PSEs.
   For more information about preparing replacement PSEs with the REPLACE_DSA_PSE report, see 2.1 below.
2. Remove the filter on the TYPE column of the List of ABAP OWN-CERTIFICATEs Excel.
   For each OWN-CERTIFICATE, note any systems with TYPE CERTIFICATE and matching SUBJECT, ISSUER, and SERIALNO. These are the receiving systems as identified by the SID.
   You should now have a complete work list of SAP NetWeaver AS for ABAP systems with CERTIFICATEs that match a system with an OWN-CERTIFICATE with identical SUBJECT, ISSUER, and SERIALNO. This document refers to this list as the List of ABAP receiving systems.
3. For SAP NetWeaver AS for ABAP systems with CERTIFICATES matching an OWN-CERTIFICATE, import the new public-key certificate from the issuing system.
   For more information about importing the public key with the REPLACE_DSA_CERTIFICATES report, see 2.2 below.
4. In the Excel of Java PSEs, sort the PSEs by SUBJECT, ISSUER, and SERIALNO.
   For each OWN-CERTIFICATE in the Excel of ABAP PSEs, note any systems with CERTIFICATE matching SUBJECT, ISSUER, and SERIALNO. These Java systems have imported the public key of the ABAP PSE. Therefore, these systems are also receiving systems as identified by the SID.


   You should now have a complete work list of SAP NetWeaver AS for Java systems with CERTIFICATES that match an SAP NetWeaver AS for ABAP system with an OWN-CERTIFICATE with identical SUBJECT, ISSUER, and SERIALNO. This document refers to this list as the List of Java receiving systems.
5. For these systems, import the new public-key certificate from the issuing system as indicated in step 2 of section 2.2 below.
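The spreadsheet steps of 1.3.5 and 1.3.6 (context/application filter, grouping OWN-CERTIFICATE rows by subject, issuer and serial number, and matching CERTIFICATE rows in the ABAP and Java exports to find receiving systems) as an added Python example; it is not part of the SAP guide or of SAP Note 2068693. The two CSV exports are constructed sample data in the column layout chosen in 1.3.2 and 1.3.4, with made-up SIDs and subjects.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (made-up SIDs and subjects), in the column layout
# selected in sections 1.3.2 (ABAP) and 1.3.4 (Java). The duplicate OWN-CERTIFICATE
# rows for PRD stand for the same PSE reported by two server instances.
ABAP_EXPORT = """SID,TYPE,APPLICATION,CONTEXT,SUBJECT,ISSUER,SERIALNO
PRD,OWN-CERTIFICATE,<SYST>,PROG,CN=PRD,CN=PRD,01
PRD,OWN-CERTIFICATE,<SYST>,PROG,CN=PRD,CN=PRD,01
PRD,OWN-CERTIFICATE,,SSLS,CN=prd.example.com,CN=Example CA,0A
CRM,CERTIFICATE,<SYST>,PROG,CN=PRD,CN=PRD,01
BWP,CERTIFICATE,<SYST>,PROG,CN=PRD,CN=PRD,01
CRM,OWN-CERTIFICATE,<SYST>,PROG,CN=CRM,CN=CRM,02
PRD,CERTIFICATE,<SYST>,PROG,CN=CRM,CN=CRM,02
HRP,OWN-CERTIFICATE,,SMIM,CN=HR Mail,CN=HR Mail,05
"""

JAVA_EXPORT = """SID,TYPE,ALIAS,VIEW,SUBJECT,ISSUER,SERIALNO
EPP,CERTIFICATE,PRD-ticket,TicketKeystore,CN=PRD,CN=PRD,01
EPP,OWN-CERTIFICATE,SAPLogonTicketKeypair,TicketKeystore,CN=EPP,CN=EPP,09
"""


def read_export(text):
    """Read a spreadsheet export saved as CSV (the Excel file of 1.3.2 / 1.3.4)."""
    return list(csv.DictReader(io.StringIO(text)))


def is_dsa_candidate(row):
    """Section 1.3.5, step 1: keep PROG/<SYST> (system PSE), SMIM and SSFA entries.
    SSLC, SSLS, WSSE and SNCS are dropped because those PSEs use RSA."""
    ctx, app = row["CONTEXT"], row["APPLICATION"]
    return ctx in ("SMIM", "SSFA") or (ctx == "PROG" and app == "<SYST>")


def cert_key(row):
    """Section 1.3.5, step 2: rows with the same subject, issuer and serial
    number are the same certificate, whichever server instance reported them."""
    return (row["SUBJECT"], row["ISSUER"], row["SERIALNO"])


def group_sids(rows, cert_type, keys=None):
    """Map certificate key -> set of SIDs holding it with the given TYPE,
    optionally restricted to the certificate keys in `keys`."""
    out = defaultdict(set)
    for row in rows:
        if row["TYPE"] != cert_type:
            continue
        key = cert_key(row)
        if keys is None or key in keys:
            out[key].add(row["SID"])
    return dict(out)


def build_worklists(abap_text, java_text):
    """Produce the three work lists named in 1.3.6."""
    abap_rows = [r for r in read_export(abap_text) if is_dsa_candidate(r)]
    # 1.3.5 step 3: TYPE = OWN-CERTIFICATE -> issuing systems.
    own = group_sids(abap_rows, "OWN-CERTIFICATE")
    # 1.3.6 step 2: CERTIFICATE rows matching an OWN-CERTIFICATE -> ABAP receivers.
    abap_receiving = group_sids(abap_rows, "CERTIFICATE", own)
    # 1.3.6 step 4: the same match against the Java export -> Java receivers.
    java_receiving = group_sids(read_export(java_text), "CERTIFICATE", own)
    return {
        "abap_own": own,                   # List of ABAP OWN-CERTIFICATEs
        "abap_receiving": abap_receiving,  # List of ABAP receiving systems
        "java_receiving": java_receiving,  # List of Java receiving systems
    }


def format_worklists(lists):
    """Render the work lists as text, one line per certificate."""
    lines = []
    for name, groups in lists.items():
        lines.append(name)
        for (subject, issuer, serial), sids in sorted(groups.items()):
            lines.append(f"  {subject} / {issuer} / {serial}: {', '.join(sorted(sids))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_worklists(build_worklists(ABAP_EXPORT, JAVA_EXPORT)))
```

The export does not carry the key algorithm, so the STRUST check of 1.3.5 (remove entries whose own certificate is not DSA) still has to be done per system before the list is final.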

For your convenience, here again is an overview of the complete process for replacing key pairs for cryptographic functions from the introduction of this document. Included are the names of the work lists you need for the different steps of the overview procedure.
1. Create keys with identical names on the system that issues signatures.

   Caution
   Do not use the new keys for signatures yet!

   Work list: List of ABAP OWN-CERTIFICATEs
2. Export the public keys of the new keys.
   Work list: List of ABAP OWN-CERTIFICATEs
3. Import the new keys into all receiving systems.
   Work lists: List of ABAP receiving systems, List of Java receiving systems
4. On the key issuing systems, create a backup of the old PSEs.
   Work list: List of ABAP systems with OWN-CERTIFICATES
5. On the key issuing systems, switch to the new keys for signatures.
   Work list: List of ABAP systems with OWN-CERTIFICATES
6. Test your business processes.
7. Remove the old keys from the issuing and receiving systems.
   Work lists: List of ABAP systems with OWN-CERTIFICATES, List of ABAP receiving systems, List of Java receiving systems

Note
The public-key certificates from the old PSEs may have been imported into other systems such as SAP HANA or third-party systems. Import the new public-key certificate into these systems as well. For more information, see the product documentation for your system.


2 Tool-Supported PSE Replacement

For SAP NetWeaver AS for ABAP, we provide tools to support PSE replacement. To use tool-supported PSE replacement, implement SAP Note 2068693.
The replacement process uses two reports for SAP NetWeaver AS for ABAP: one report on the issuing system and one on the receiving system. SAP Solution Manager provides support for generating work lists of the systems that need PSE replacement. For more information, see 1.3 above.
An overview of the process is as follows:
1. Create replacement PSEs on issuing SAP NetWeaver AS for ABAP systems and export the corresponding public keys.
2. Import the public keys to receiving systems.
3. Activate the replacement PSEs and test the business process.
4. Delete the old PSEs and corresponding public-key certificates.
   Be sure to archive the old PSEs before removing them from the system.

2.1 Creating Replacement PSEs on SAP NetWeaver AS for ABAP

Report REPLACE_DSA_PSE enables you to generate inactive replacement PSEs. Before you activate the PSE, export the public-key certificate of the new PSE and import the certificate into the systems that trusted the old PSE.

Prerequisites
o You have installed the current SAP Cryptographic Library.
  If you do not have a current version of the SAP Cryptographic Library, REPLACE_DSA_PSE shows the following icon under Action 1: (You need a new SAPCRYPTOLIB/CommonCryptoLib).
  For more information about the SAP Cryptographic Library, see SAP Note 1848999.
o You have implemented the correction instructions in SAP Note 2068693.
o You have authorizations to use Trust Manager (transaction STRUST).
o You have created a backup of the old PSE in case you run into problems during testing. Archive the old PSE in case you ever need to restore the old environment in the future.

Caution
If you do not have a backup of the old PSE and delete it, there is no way to recover or validate information protected by the cryptographic function.


Note
If you use signatures that must be validated over a long period of time, such as for FDA compliance, create an image of the relevant systems. The archived PSEs and system data serve to preserve the evidence that the documents had been signed by those PSEs at that point in time.

Procedure
1. On the issuing system, start report REPLACE_DSA_PSE in ABAP: Program Execution (transaction SA38).
   The report displays the PSEs with keys that need replacing. The icons in the report have the following meanings:
   o Is not a self-signed certificate. You should consider replacing this PSE, but this requires additional effort. You must have your certificate signed by a certification authority (CA).
   o The old PSE is still active and in use. Replace the PSE with a new PSE.
   o One of two states:
     - This PSE has been replaced or does not need replacement. You have completed the process.
     - You have replaced the PSE, but have not deleted the old PSE yet. Finish your testing. Be sure you have archived the old PSE. The old PSE is still in the database. For housekeeping purposes you can delete the old PSE.
   o There are minor inconsistencies in the system. You must enter the PIN before the report can determine the status of the PSE.
2. For each PSE, choose (Generate new keypair).
   This generates a new key pair for the PSE.
3. Choose (Download new certificate) to save the new public key to the file system.
4. Import the public-key certificate to the receiving system.
   For more information, see the documentation of the receiving system.
   To assist you with importing new public-key certificates on SAP NetWeaver AS for ABAP, SAP Note 2068693 includes REPLACE_DSA_CERTIFICATES, which enables you to import these certificates.


2.2 Importing Public Keys on SAP NetWeaver AS for ABAP

Report REPLACE_DSA_CERTIFICATES enables you to import public keys for existing trust relationships. Importing the public keys is an important prerequisite before switching to the new PSE and testing the business process.

Prerequisites
o You have downloaded the public key from the issuing system.
o You have authorizations to use Trust Manager (transaction STRUST).
o You have implemented SAP Note 2068693.

Procedure
1. On the receiving system, start report REPLACE_DSA_CERTIFICATES in ABAP: Program Execution (transaction SA38).
   The report displays the PSEs with public keys in their certificate lists that need replacing. The icons in the report have the following meanings:
   o Nothing has been done yet. You should import the relevant public-key certificate.
   o Old and new public-key certificates are in the certificate list. Finish testing the business process, archive the old public key, and then delete the old public key.
   o The PSE has the new public-key certificate in its certificate list. You have completed the process.
   o There are minor inconsistencies in the system. You must enter the PIN before the report can determine the status of the PSE.
2. For each PSE, choose (Import new certificate).

2.3 Testing the Business Processes

Activate the replacement PSE and test whether your business processes still work.


Prerequisites
o You have generated replacement PSEs.
o You have imported the public-key certificates of the replacement PSEs into the receiving systems.

Procedure
1. On the issuing system, start report REPLACE_DSA_PSE in ABAP: Program Execution (transaction SA38).
2. Choose (Switch from old to new PSE) to use the new certificates.
3. Thoroughly test the affected business processes.
   If you encounter a problem during your testing, choose (Switch from new to old PSE) to go back to the previous configuration.

2.4 Deleting the Old PSEs and Public Keys

Once you are convinced that your business processes are correctly configured, you can remove the old PSEs from
the issuing system and the old public-key certificates from the receiving system.

Note
Depending on the scenarios that use the PSE, you may need to consider how to validate signatures made by the old PSE that are still in the system. Once the old public key has been deleted, the system can no longer validate signatures made by the old PSE. Consider the national laws that mandate audits of documents signed by your business processes.
If you use signatures that must be validated over a long period of time, such as for FDA compliance, archive the PSE and create an image of the relevant systems. The archived PSEs and system data serve to preserve the evidence that the documents had been signed by those PSEs at that point in time.
For the reasons mentioned above, the report REPLACE_DSA_PSE requires you to save a copy of the old PSE before you delete it.

Prerequisites
Be sure you have archived the old PSE. With the old PSE you can export the public key and recover older
signatures.

Procedure
1. On the issuing system, start report REPLACE_DSA_PSE in ABAP: Program Execution (transaction SA38).
2. Choose (Finally: delete old PSE).
   The report requires you to save a copy of the old PSE before deleting it.
3. On the receiving system, delete the old public-key certificate.


Depending on what scenarios you have running in your system landscape you may have to delete the public
keys on a variety of different systems. The scenario descriptions in the sections that follow provide additional
information.
To assist you with deleting old public-key certificates on SAP NetWeaver AS for ABAP, SAP Note 2068693
includes report REPLACE_DSA_CERTIFICATES, which enables you to delete these certificates.
1. On the receiving system, start report REPLACE_DSA_CERTIFICATES in ABAP: Program Execution (transaction SA38).
   The report displays the PSEs with public keys in their certificate lists that need replacing.
2. Choose


3 Scenario Specific Instructions and Manual Procedures

This section provides information about various scenarios in SAP landscapes. Each scenario provides recommendations for replacing PSEs as well as manual procedures for the replacement process. Manual replacement can be a laborious process. We recommend using the tool-supported process for SAP NetWeaver AS for ABAP where possible. For more information, see 2 Tool-Supported PSE Replacement.
The following are scenarios that use DSA signatures:
o Logon tickets and authentication assertion tickets
o Secure URLs for Content Server
o SAP Passports
o E-Learning
o System Signatures for SSF Signatures
o Custom Development Using SSF Functions
o ITS Applet Handling

3.1 Scenario Logon Tickets and Authentication Assertion Tickets

SAP servers sign and issue logon tickets to users that log on. The user's client then presents these tickets to other systems, which accept the signature on the logon ticket as long as trust has been established. To establish trust, an administrator must have installed the public key of the ticket-issuing system in the ticket-receiving system.
Authentication assertion tickets are used for server-to-server connections. With authentication assertion tickets, another system is the client instead of a user. Otherwise the principles remain the same.
SAP HANA does not issue logon tickets, but it can issue authentication assertion tickets. SAP HANA has the capability to issue assertion tickets from SAP HANA 1.0 SP7 and higher. SAP NetWeaver AS for ABAP issues both types of tickets.
For SAP NetWeaver AS for ABAP, we provide a number of tools to make switching keys easier. For more information, see 2 above. Otherwise you must repeat this procedure for every client in your SAP NetWeaver AS for ABAP.

3.1.1 Creating New Keys with Identical Names

Create new key pairs to replace the old key pairs.


3.1.1.1 Creating Duplicate PSE on SAP NetWeaver AS for ABAP

Procedure
1. Start Trust Manager (transaction STRUST).
2. Switch to Edit mode.
3. Double-click the System PSE. This is the default PSE used to sign logon tickets.
4. Create a backup of the System PSE. Choose PSE > Export.
5. In the Own Certificate section, double-click the subject.
6. Copy the subject of the certificate to a temporary file.
7. From the context menu of the File PSE, choose Create.
8. Choose (Revise DN).
9. Enter the subject of the old certificate in the DN field. Keep the algorithm and key length.
10. Save your entries.
11. Double-click the system PSE.
12. For every certificate in the certificate list of the PSE, double-click the certificate subject in the list and choose (Export Certificate), saving each certificate to a separate .cer file.
13. Double-click File PSE and open the file PSE you just saved in step 10 above.
14. For every certificate you saved in step 12 above, choose (Import Certificate) and Add to Certificate List to the file PSE you opened in step 13 above.
15. Choose (Save) to save the file PSE.

3.1.1.2 Creating Duplicate PSE on SAP HANA

On SAP HANA the PSE is typically named saplogon.pse or saplogonSign.pse.

Prerequisites
Log on as the SID admin (<SID>adm) user.

Procedure
1. Determine if your SAP HANA system has any DSA PSEs.
   1. View what PSEs are in your system by entering the following command:
      dir $SECUDIR
      This command lists the contents of the following directory:
      /usr/sap/<SID>/HDB<instance number>/<machine name>/sec
      Note
      In a cluster environment, check every cluster node.
   2. Change to the SAP HANA trust store directory:
      cd $SECUDIR
      This should be the following directory:
      /usr/sap/<SID>/HDB<instance number>/<machine name>/sec
      Note
      In a cluster environment, you must check every node in the cluster.
   3. For each PSE in this directory, view the PSE attributes by entering the following command:
      ./sapgenpse get_my_name -p <pse_name>
      The following is an example of the result:
      No SSO for USER "<sidadm>"
      with PSE file "$SECUDIR/saplogon.pse"

      Subject : CN=MYSAPSSO
      Issuer  : CN=MYSAPSSO
      Serialno: 20:14:07:17:13:13:01
      KeyInfo : DSA, 1024-bit
      Validity
        NotBefore: Thu Jul 17 14:13:01 2014 (140717131301Z)
        NotAfter:  Fri Jan  1 01:00:01 2038 (380101000001Z)
      If KeyInfo reveals a key of type DSA, make sure you have a current version of the SAP Cryptographic Library
      and replace the key pair.
2. Create a new PSE, using the same data as the original PSE for assertion tickets.
   ./sapgenpse gen_pse -a DSA -s 1024 -p saplogonSign_new.pse "CN=<host>.<domain>, OU=<instance>, O=<org>, C=<country>"
3. Export any certificates within the logon certificate trust store saplogonSign.pse.
   ./sapgenpse maintain_pk -l PEMlist -p saplogonSign.pse
   The output appears as one or more binary large objects (BLOBs).
4. Import the certificates to the new PSE.
   ./sapgenpse maintain_pk -m <BLOB file> -p saplogonSign_new.pse
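The DSA check in step 1 above, scripted so that every PSE in the trust store directory is examined in one pass. This is an added example and not part of SAP's guide or the sapgenpse tool: it parses the get_my_name output format shown above (the KeyInfo line) and flags PSEs whose own key is DSA. The function names are my own, the two sample outputs embedded in the script are constructed (the first mirrors the example above, the second is an RSA counterpart), and the scan assumes sapgenpse is called from the current directory as in the procedure. On a cluster, run it on every node.

```shell
#!/bin/sh
# Added example (not SAP's code): find PSEs in $SECUDIR whose own key is DSA
# by parsing the output of "./sapgenpse get_my_name -p <pse>".
# The parsing functions read that output from stdin, so they can be exercised
# on constructed sample text without a SAP HANA system.

# Constructed sample: the DSA example from the procedure above.
SAMPLE_DSA_OUTPUT='No SSO for USER "hdbadm"
with PSE file "$SECUDIR/saplogon.pse"

Subject : CN=MYSAPSSO
Issuer  : CN=MYSAPSSO
Serialno: 20:14:07:17:13:13:01
KeyInfo : DSA, 1024-bit
Validity
  NotBefore: Thu Jul 17 14:13:01 2014 (140717131301Z)
  NotAfter:  Fri Jan  1 01:00:01 2038 (380101000001Z)'

# Constructed sample: an RSA PSE that the check must leave alone.
SAMPLE_RSA_OUTPUT='Subject : CN=myhost.example.com, OU=00, O=Example, C=DE
Issuer  : CN=myhost.example.com, OU=00, O=Example, C=DE
Serialno: 20:14:10:01:09:00:00
KeyInfo : RSA, 2048-bit
Validity
  NotBefore: Wed Oct  1 11:00:00 2014 (141001090000Z)
  NotAfter:  Fri Jan  1 01:00:01 2038 (380101000001Z)'

# Print the algorithm named on the "KeyInfo :" line (for example DSA or RSA).
pse_key_algorithm() {
    sed -n 's/^KeyInfo[[:space:]]*:[[:space:]]*\([A-Za-z]*\).*/\1/p' | head -n 1
}

# Print the key length in bits from the "KeyInfo :" line (for example 1024).
pse_key_bits() {
    sed -n 's/^KeyInfo[[:space:]]*:.*,[[:space:]]*\([0-9]*\)-bit.*/\1/p' | head -n 1
}

# Exit 0 when the get_my_name output on stdin describes a DSA key.
pse_uses_dsa() {
    [ "$(pse_key_algorithm)" = "DSA" ]
}

# Run get_my_name on every *.pse in a directory (default: $SECUDIR) and mark
# the ones whose key pair must be replaced. Requires ./sapgenpse, as in the
# procedure above.
scan_secudir() {
    dir=${1:-$SECUDIR}
    for pse in "$dir"/*.pse; do
        [ -f "$pse" ] || continue
        out=$(./sapgenpse get_my_name -p "$pse" 2>/dev/null) || continue
        alg=$(printf '%s\n' "$out" | pse_key_algorithm)
        bits=$(printf '%s\n' "$out" | pse_key_bits)
        if printf '%s\n' "$out" | pse_uses_dsa; then
            printf 'REPLACE  %s  (%s, %s-bit)\n' "$pse" "$alg" "$bits"
        else
            printf 'ok       %s  (%s, %s-bit)\n' "$pse" "$alg" "$bits"
        fi
    done
}

# Demonstration on the constructed samples (no SAP system needed).
printf '%s\n' "$SAMPLE_DSA_OUTPUT" | pse_uses_dsa && echo "sample saplogon.pse: DSA key, replace it"
printf '%s\n' "$SAMPLE_RSA_OUTPUT" | pse_uses_dsa || echo "sample RSA PSE: not a DSA key"
```

Run scan_secudir with no argument as the <SID>adm user after cd $SECUDIR; the KeyInfo parsing is the same code that the demonstration lines exercise on the embedded samples.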

3.1.2 Exporting the Public Keys to the Receiving Systems

So that the receiving systems can verify the signatures of the new private keys, the receiving systems need a copy
of the public keys.

3.1.2.1 Exporting the Public Keys from SAP NetWeaver AS for ABAP

This procedure requires you to log on to SAP NetWeaver AS for ABAP, save the public key to the file system, and
import that file into the receiving system.

Procedure
1. Start Trust Manager (transaction STRUST).
2. Double-click File PSE and open the new file PSE.
3. Double-click the Subject under Own Certificate.
4. In the Certificate section, choose Export Certificate.
5. Save the public key certificate to the file system or a network share.
6. Copy the certificate to a network share or the file system of the receiving system.
7. Import the public key certificate to the receiving system.
   For more information, see the documentation of the receiving system.

3.1.2.2 Exporting the Public Keys from SAP HANA

Procedure
1. Export the public-key certificate from the SAP HANA trust store, using the following command:
   ./sapgenpse export_own_cert -p saplogonSign.pse
2. Save the public key certificate to the file system or a network share.
3. Copy the certificate to a network share or the file system of the receiving system.
4. Import the public key certificate to the receiving system.
   For more information, see the documentation of the receiving system.

3.1.3 Start Using the New Private Keys

Once you have completed this step, you have completed the most critical part of this security note. Create a
backup of the old private keys just in case you run into problems during testing. Archive the old private keys in
case you ever need to restore the old environment in the future.

3.1.3.1 Switching to the New Private Keys on SAP NetWeaver AS for ABAP

Procedure
1. Start Trust Manager (transaction STRUST).
2. Switch to Edit mode.
3. Double-click File PSE and open the new file PSE.
4. Choose PSE > Save As and choose System PSE.

3.1.3.2 Switching to the New Private Keys on SAP HANA

Procedure
1. Rename the old PSE.
   For example, rename the file from saplogonSign.pse to saplogonSign_old.pse. Archive the old PSE in
   case you ever need to restore the system or problems occur during testing.
   Note
   In a cluster environment, you must check every node in the cluster.
2. Rename the new PSE.
   For example, rename the file from saplogonSign_new.pse to saplogonSign.pse.
   In a cluster environment, every node uses the same PSE. Copy the same PSE to every node in the cluster.

3.1.4 Testing the New Key Pairs

Procedure
Thoroughly test the affected systems. Log on to the ticket issuing system and then log on to all systems that
accept this logon ticket.
If you encounter a problem during testing, you can restore the old private key on the issuing system.

3.1.5 Delete the Old Public Keys

Once you remove the old public keys, receiving systems will no longer be able to validate signatures issued with
the old private key.

3.1.5.1 Deleting the Old Public Keys on SAP NetWeaver AS for ABAP

To assist you with deleting old public-key certificates on SAP NetWeaver AS for ABAP, SAP Note 2068693
includes report REPLACE_DSA_CERTIFICATES, which enables you to delete these certificates. Use the following
procedure to manually remove the public keys.

Procedure
1. Start Trust Manager (transaction STRUST).
2. Switch to Edit mode.
3. Double-click System PSE.
4. Select the old public key from the certificate list.
5. Choose Delete selected certificates.

3.1.5.2 Deleting Old Public Keys on SAP HANA

Procedure
1. Change to the SAP HANA trust store directory:
   cd $SECUDIR
   This should be the following directory:
   /usr/sap/<SID>/HDB<instance number>/<machine name>/sec
   Note
   In a cluster environment, you must check every node in the cluster.
2. List the certificates in the certificate list of the PSE.
   ./sapgenpse maintain_pk -l -p saplogonSign.pse
3. Note the certificate numbers of the public keys to delete.
4. Delete the public keys in the certificate list.
   ./sapgenpse maintain_pk -d <number> -p saplogonSign.pse

3.2 Scenario Secure URLs for Content Server

The content server of SAP NetWeaver AS for ABAP uses the system PSE by default. If you created a PSE just for
the content server (HTTP Content Server), replace the certificate for the content server PSE.
We recommend that you use tool-supported replacement of keys.
For more information, see section 2, Tool-Supported PSE Replacement.
If you choose to replace the keys manually, use the following procedures in every client of the system.

3.2.1 Creating New Keys with Identical Names

Create new key pairs to replace the old key pairs.

Procedure
1. Start Trust Manager (transaction STRUST).
2. Switch to Edit mode.
3. Double-click the content server PSE.
   The default PSE used by the content server is the system PSE. If you created your own PSE for the content
   server, choose the HTTP Content Server PSE.
4. Create a backup of the content server PSE.
   Choose PSE > Export.
5. In the Own Certificate section, double-click the subject.
6. Copy the subject of the certificate to a temporary file.
7. From the context menu of the File PSE, choose Create.
8. Choose Revise DN.
9. Enter the subject of the old certificate in the DN field. Keep the algorithm and key length.
10. Save your entries.
11. Double-click the content server PSE.
12. For every certificate in the certificate list of the PSE, double-click the certificate subject in the list and choose
    Export Certificate, saving each certificate to a separate .cer file.
13. Double-click File PSE and open the file PSE you just saved in step 10 above.
14. For every certificate you saved in step 12 above, choose Import Certificate and then Add to Certificate List to
    add it to the file PSE you opened in step 13 above.
15. Choose Save to save the file PSE.

3.2.2 Exporting the Public Keys to the Receiving Systems

So that the receiving systems can verify the signatures of the new private keys, the receiving systems need a copy
of the public keys.
This procedure requires you to log on to SAP NetWeaver AS for ABAP.

Procedure
1. Start Display Content Repositories: Overview (transaction OAC0).
2. For each content repository, double-click the name of the repository.
3. Choose Send certificate.
4. Activate the new certificate on the target content repository.
   o If the target system is SAP NetWeaver AS ABAP or supports the administration interface, choose the CS
     ADMIN pushbutton and activate the new certificate.
     For more information, see Certificates.
   o If the target system does not support the administration interface, log on to the target system and
     activate the new certificate.
     For more information, see the documentation of the target content repository.

3.2.3 Using the New Private Keys

Once you have completed this step, you have completed the most critical part of this security note. Create a
backup of the old private keys just in case you run into problems during testing. Archive the old private keys in
case you ever need to restore the old environment in the future.

Procedure
1. Start Trust Manager (transaction STRUST).
2. Switch to Edit mode.
3. Double-click File PSE and open the new file PSE.
4. Choose PSE > Save As... and choose the content server PSE.
   The default PSE used by the content server is the system PSE. If you created your own PSE for the content
   server, choose the HTTP Content Server PSE.

3.2.4 Testing the New Key Pairs

Procedure
Thoroughly test the affected systems. If you encounter a problem during testing, you can restore the old private
key on the issuing system. The following is an example of an error message that occurs in report RSCMST when
trust has not been established between systems. Otherwise the message appears in the logs of SAP Content
Server.
HTTP/1.1 401 (Unauthorized)
X-ErrorDescription: "Security SsfVerify failed rc=5, , PSE=C:\Program
Files\SAP\Content Server\Security\REPOSITORY.pse,"
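A small filter for the testing step above, added here as an example that is not part of SAP's guide: it pulls the SsfVerify failures out of captured content server or RSCMST output so that the repository PSE that still lacks the new public key can be read off directly. The sample log text embedded in the script is constructed around the X-ErrorDescription line shown above (the second PSE name and the unrelated status lines are made up), and the function names are my own.

```shell
#!/bin/sh
# Added example (not SAP's code): report content server trust failures of the
# form shown above ("Security SsfVerify failed rc=..., PSE=...") from log text
# supplied on stdin.

# Constructed sample log. Only the two X-ErrorDescription lines are failures
# of the kind described in the testing step; the rest is noise to be ignored.
SAMPLE_CS_LOG='HTTP/1.1 200 OK
X-Server: SAP Content Server
HTTP/1.1 401 (Unauthorized)
X-ErrorDescription: "Security SsfVerify failed rc=5, , PSE=C:\Program Files\SAP\Content Server\Security\REPOSITORY.pse,"
HTTP/1.1 404 (Not Found)
HTTP/1.1 401 (Unauthorized)
X-ErrorDescription: "Security SsfVerify failed rc=5, , PSE=C:\Program Files\SAP\Content Server\Security\ARCHIVE2.pse,"
HTTP/1.1 200 OK'

# Number of SsfVerify failures in the text on stdin (grep -c exits 1 on zero
# matches, so the count is still printed and the function still succeeds).
count_ssfverify_failures() {
    grep -c 'SsfVerify failed' || true
}

# One line per failure: "rc=<code> <PSE path>", so that the affected
# repository PSE is visible without reading the whole header.
ssfverify_failures() {
    sed -n 's/^X-ErrorDescription: "Security SsfVerify failed rc=\([0-9]*\),.*PSE=\([^,]*\),.*/rc=\1 \2/p'
}

# Failures grouped by PSE with a count, for a quick view of which content
# repositories still need the new certificate activated.
ssfverify_failures_by_pse() {
    ssfverify_failures | sort | uniq -c
}

# Demonstration on the constructed sample (no SAP system needed).
printf '%s\n' "$SAMPLE_CS_LOG" | ssfverify_failures_by_pse
```

Feed a saved RSCMST result or content server log to ssfverify_failures_by_pse; a PSE that keeps appearing after the new certificate was sent is one where activation (section 3.2.2, step 4) has not happened yet.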

3.2.5 Deleting the Old Public Keys

Once you remove the old public keys, receiving systems will no longer be able to validate signatures issued with
the old private key.

To assist you with deleting old public-key certificates on SAP NetWeaver AS for ABAP, SAP Note 2068693
includes report REPLACE_DSA_CERTIFICATES, which enables you to delete these certificates. Use the following
procedure to manually remove the public keys.

Procedure
1. Start Display Content Repositories: Overview (transaction OAC0).
2. For each content repository, double-click the name of the repository.
3. Delete the old certificate on the target content repository.
   o If the target system is SAP NetWeaver AS ABAP or supports the administration interface, choose the CS
     ADMIN pushbutton and delete the old certificate.
     For more information, see Certificates.
   o If the target system does not support the administration interface, log on to the target system and delete
     the old certificate.
     For more information, see the documentation of the target content repository.

4 Checking for Compliance

You can use the information stored in SAP Solution Manager to determine if SAP NetWeaver Application Server
for ABAP systems in your landscape are compliant with changes you made in your landscape. For this example,
we assume that you want to ensure all PSEs were created with a current version of SAP Cryptographic Library in
the year 2000 or later. To do this, you create a template from a source system, configure a target system based
on the source system template, and then run the compliance check for a set of systems connected to SAP
Solution Manager.

4.1 Choosing a Template for Compliance Checks

Create a source system template from which you can create a target system template for the compliance check.
The source system template includes the PSE_CERT configuration store, which has information about PSEs of the
monitored systems.

Procedure
1. In your SAP Solution Manager system, start SAP Solution Manager: Work Centers (transaction
   SM_WORKCENTER).
2. Choose the Root Cause Analysis tab.
3. Choose Configuration Validation.
4. On the Target System Maintenance tab, choose Create.
5. Under the Source System section, enter selection criteria to find a system to use as a template and choose
   Display Selection.
6. Under Select Source Systems, select a system to use as a template.
7. Under Select Config Stores, filter the results for PSE_CERT.
8. Select a configuration store and choose Create from selected Stores.
9. Enter a system ID under which you will store the source system template.
   You will use this template for the configuration check in the following procedure.
10. Save your entries.
You have created a source system template for defining a target system template for compliance checks.

4.2 Configuring the Target System Template for Compliance Checks

Once you have a source system template, you can create a target system template. In the target system template
you define configuration store values that lead to compliance and a counter example that does not lead to
compliance.

Procedure
1. In your SAP Solution Manager system, start SAP Solution Manager: Work Centers (transaction
   SM_WORKCENTER).
2. Choose the Root Cause Analysis tab.
3. Choose Configuration Validation.
4. On the Target System Maintenance tab, choose Edit.
5. Enter the name of the source system template you created in the previous procedure.
   For more information, see 4.1 above.
6. Choose Display selection.
7. Under Config Stores of Target System:<Long SID>, choose the Store Name PSE_CERT.
8. Delete the content of the comparison store.
   Choose Select all entries and then Delete selected.
9. Choose Add an empty entry to the Target System.
10. Except for the SERIALNO field, set the operator to Contains and the value to *. Set the operator and value of the
    SERIALNO field to Contains and 0A20* respectively.
    The result should appear as in the figure below.
11. Choose Apply changes and choose Save.
12. Choose Add an empty entry to the Target System.
13. Except for the VALID_TO field, set the operator to Contains and the value to *. Set the operator and value of the
    VALID_TO field to Contains and Non_Compliant respectively.
    The result should appear as in the figure below.
14. Choose Apply changes and choose Save.

You have created a target system template to use as a reference system in the compliance check.

4.3 Executing Compliance Checks

SAP Solution Manager collects data on PSEs stored in SAP NetWeaver AS systems. You can generate a list of
these PSEs and check their compliance against a target system template.

Procedure
1. In SAP Solution Manager, start SAP Solution Manager: Work Centers (transaction SM_WORKCENTER).
2. Choose the Root Cause Analysis tab.
3. Choose Configuration Validation.
4. On the Report Execution tab, choose Reporting Templates.
5. Under the Choose Reference System section, on the Select Reference System tab, choose the name of the
   target system template you created in the previous procedure.
   For more information, see 4.2 above.
6. On the Operator validation tab, choose the 0CONFIG_STORE_TABLE_VIEWER configuration operators report.
7. Choose the Start operator validation reporting pushbutton.
8. In the Configuration Validation Viewer, enter the required data.
   o In the Config Store field, enter PSE_CERT.
   o In the Comparison List field, select the list you prepared for SAP NetWeaver AS for ABAP systems.
9. Choose the Validate pushbutton.
You now have a list of PSE certificates. The final column indicates whether each PSE is compliant. For those
PSEs that are not compliant, go through the process to replace the PSE.
www.sap.com/contactsap

2014 SAP AG or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior
notice.
Some software products marketed by SAP AG and its distributors
contain proprietary software components of other software
vendors.
National product specifications may vary.
These materials are provided by SAP AG and its affiliated
companies (SAP Group) for informational purposes only, without
representation or warranty of any kind, and SAP Group shall not be
liable for errors or omissions with respect to the materials. The only
warranties for SAP Group products and services are those that are
set forth in the express warranty statements accompanying such
products and services, if any. Nothing herein should be construed as
constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks of
SAP AG in Germany and other countries. Please see
www.sap.com/corporate-en/legal/copyright/index.epx#trademark
for additional trademark information and notices.