PUBLIC
Typographic Conventions
Type Style   Description
Example      Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options.
Example      Textual cross-references to other documents.
EXAMPLE      Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example      Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example      Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example>    Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE
PUBLIC
2014 SAP AG or an SAP affiliate company. All rights reserved.
Document History
Caution
Before you start the implementation, make sure that you have the latest version of this document, which is
available from SAP Note 2068693.
Version   Date         Change
1.0       2014-10-14   Initial release.
1.1       2014-10-15
There are times during the lifecycle of a system when you want to replace the key pairs used for cryptographic
functions. For example: the validity period of the key pair can expire, the key pair can be revoked, or you can
proactively replace the key pair with a new one.
This guide describes how to replace private keys in issuing systems and the corresponding public keys in
validating systems. The procedures are based primarily on SAP NetWeaver Application Server (SAP NetWeaver
AS) for ABAP as the issuing system. We assume in this document that you want to replace DSA signatures,
though most of the functions described here work for any type of algorithm.
1.1
This procedure requires you to go into the issuing and receiving systems at least twice for each system.
Before you begin, ensure that you have the latest version of the SAP Cryptographic Library.
Procedure
1.
Create keys with identical names on the system that issues signatures.
Caution
Do not use the new keys for signatures, yet!
2.
3.
4. On the key issuing systems, create a backup of the old key pairs.
5. On the key issuing systems, switch to the new keys for signatures.
Remove the old keys from the issuing and receiving systems.
1.2
When replacing the system PSE of SAP NetWeaver AS for ABAP, be aware that many applications use the system
PSE by default. When the system is configured this way, the PSE is used for radically different purposes and has
different requirements. For example, some documents digitally signed by the system PSE have very short
lifetimes, while other documents must continue to be validated over years. When you replace the system PSE,
review the procedures for all the relevant scenarios listed in this document. Be sure the steps you follow
apply to all the scenarios that apply to you. Consider using separate PSEs for different scenarios.
Note
If you use signatures that must be validated over a long period of time, such as for FDA compliance,
archive the relevant PSEs and create an image of the relevant systems including the documents. The
archived key pairs and system data serve as the preservation of evidence that the documents had been
signed by those key pairs at that point in time.
SAP Solution Manager also provides tools to help you keep track of PSE certificates. For more information, see 1.3
below.
1.3
SAP Solution Manager offers the capability to view which PSEs are used in which SAP NetWeaver AS systems in
your landscape. When you determine which PSEs need to be replaced, use the following instructions to find other
SAP systems that rely on the PSE certificates.
Prerequisites
Potential systems must be connected to SAP Solution Manager 7.10 SPS 10 or higher and report PSE (X.509
key) information to SAP Solution Manager.
You have prepared system comparison lists in SAP Solution Manager: one for SAP NetWeaver AS for ABAP
systems in your landscape and one for SAP NetWeaver AS for Java systems in your landscape.
SAP HANA systems and other SAP or third-party systems are currently not supported. These systems also
have the potential to be issuing or receiving systems. For more information, see the product
documentation for your system.
You have the required authorizations.
For more information about using SAP Solution Manager, see the documentation for SAP Solution Manager at
https://help.sap.com/solutionmanager.
For more information about using Configuration Validation in SAP Solution Manager, see Configuration
Validation in the documentation for SAP Solution Manager.
For more information about using Configuration and Change Database (CCDB) in SAP Solution Manager, see
Configuration and Change Database (CCDB) in the documentation for SAP Solution Manager.
Note
Even if you can use this procedure, review your system landscape to identify other systems not covered
by SAP Solution Manager.
1.3.1
SAP Solution Manager collects data on PSEs stored in SAP NetWeaver AS systems. You can generate a list of
these PSEs.
Procedure
1.
In SAP Solution Manager, start SAP Solution Manager: Work Centers (transaction SM_WORKCENTER).
2.
3.
4.
5.
Under the Choose Reference System section, on the Select Reference System tab, choose the 0ALERT
system.
6.
On the Operator validation tab, choose the 0CONFIG_STORE_TABLE_VIEWER configuration operators report.
7.
8.
1.3.2
Procedure
1.
From the context menu of the resulting table in the Configuration Validation Viewer, choose User Settings >
More
2.
3.
Choose OK.
4. Choose (Export to Spreadsheet).
5.
1.3.3
SAP Solution Manager collects data on PSEs stored in SAP NetWeaver AS systems. You can generate a list of
these PSEs.
Procedure
1.
In your SAP Solution Manager system, start SAP Solution Manager: Work Centers (transaction
SM_WORKCENTER).
2.
3.
Under the Choose Reference System section, on the Select Reference System tab, choose the 0ALERT
system.
6. On the Operator validation tab, choose the 0CONFIG_STORE_TABLE_VIEWER configuration operators report.
7.
1.3.4
Procedure
1.
From the context menu of the resulting table in the Configuration Validation Viewer, choose User Settings >
More
2.
o ISSUER
o SERIALNO
3.
Choose OK.
4. Choose (Export to Spreadsheet).
5.
1.3.5
Now that you have the Excel files, you can create a worklist. As stated above, this procedure assumes we want to
find all PSEs that issue or validate DSA signatures.
Procedure
1.
In the Excel of ABAP PSEs, use the CONTEXT and APPLICATION columns to include only entries with the
values shown in the table below.
Context
Application
Usage
PROG
<SYST>
SMIM
SSFA
The following figures show examples of how the sorting of the context and applications appear in Microsoft
Excel. In the left figure, we exclude the SSLC, SSLS, and WSSE contexts because these PSEs use the RSA
algorithm. For this example, we are only targeting DSA signatures. The same is true for the application SNCS
shown in the figure to the right.
2.
3.
These systems, as identified by the SID, are issuing systems. Shown in the Excel are the certificates for each
server instance. All certificate instances with the same subject, issuer, and serial number are the same PSE. It
is likely that you will have multiple entries per certificate.
In this example we want to replace PSEs created with the DSA algorithm. Some of these certificates may not
be relevant. Check the algorithm used to generate the OWN-CERTIFICATEs.
1.
In the ABAP system identified by the SID, start the trust manager (transaction STRUST).
2.
Double-click the PSE for the certificate and then, under Own Certificate, double-click the Owner (or
Subject depending on your software release).
The PSEs start with System PSE, SMIME, or SSF. Under Certificate, make sure the subject, issuer, and
serial number match the OWN-CERTIFICATE in the Excel.
3.
You should now have a complete worklist of systems with OWN-CERTIFICATES to replace. This document refers
to this list as the List of ABAP OWN-CERTIFICATEs.
1.3.6
After assembling a worklist of PSEs to replace, create a new key pair for each PSE. Export the public key of the key
pair and import the public key into the receiving systems. Importing the public key enables the receiving system to
trust and validate signatures from the issuing system.
Procedure
1.
For all the systems in the List of ABAP OWN-CERTIFICATEs, prepare replacement PSEs.
For more information about preparing replacement PSEs with the REPLACE_DSA_PSE report, see 2.1 below.
2.
Remove the filter on the TYPE column of the List of ABAP OWN-CERTIFICATEs Excel.
For each OWN-CERTIFICATE, note any systems with TYPE CERTIFICATE and matching SUBJECT, ISSUER,
and SERIALNO. These are the receiving systems as identified by the SID.
You should now have a complete work list of SAP NetWeaver AS for ABAP systems with CERTIFICATEs that
match a system with an OWN-CERTIFICATE with identical SUBJECT, ISSUER, and SERIALNO. This document
refers to this list as the List of ABAP receiving systems.
3.
For SAP NetWeaver AS for ABAP systems with CERTIFICATES matching an OWN-CERTIFICATE, import the
new public-key certificate from the issuing system.
For more information about importing the public key with the REPLACE_DSA_CERTIFICATES report, see 2.2
below.
4. In the Excel of Java PSEs, sort the PSEs by SUBJECT, ISSUER, and SERIALNO.
For each OWN-CERTIFICATE in the Excel of ABAP PSEs, note any systems with CERTIFICATE matching
SUBJECT, ISSUER, and SERIALNO. These Java systems have imported the public key of the ABAP PSE.
Therefore, these systems are also receiving systems as identified by the SID.
You should now have a complete work list of SAP NetWeaver AS for Java systems with CERTIFICATES that
match an SAP NetWeaver AS for ABAP system with an OWN-CERTIFICATE with identical SUBJECT, ISSUER,
and SERIALNO. This document refers to this list as the List of Java receiving systems.
5.
For these systems, import the new public-key certificate from the issuing system as indicated in step 2 of
section 2.2 below.
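The worklist steps in 1.3.5 and 1.3.6 (filter the ABAP export to the DSA contexts, collapse instance rows of the same PSE, then match CERTIFICATE rows by SUBJECT, ISSUER and SERIALNO in the ABAP and Java exports) as an added example; this is not part of the SAP guide or SAP's tools. It assumes the spreadsheets were saved as CSV with the column names the guide uses, and the rows below are constructed sample data, not real systems.

```python
"""Derive the PSE replacement worklists from the two Solution Manager exports.

Added example (not SAP code). Assumes CSV exports with the columns the guide
names: SID, CONTEXT, APPLICATION, TYPE, SUBJECT, ISSUER, SERIALNO."""
import csv
import io
from collections import defaultdict

# Contexts kept in step 1 of 1.3.5 (DSA signers in this guide's scenario).
# SSLC, SSLS and WSSE contexts and the SNCS application are left out because
# those PSEs use RSA.
DSA_CONTEXTS = {"PROG", "SMIM", "SSFA"}
EXCLUDED_APPLICATIONS = {"SNCS"}

# Constructed ABAP export: two instance rows for the same system PSE of ABC,
# an RSA SSL PSE that must be ignored, and DEF trusting ABC's certificate.
ABAP_EXPORT = """SID,CONTEXT,APPLICATION,TYPE,SUBJECT,ISSUER,SERIALNO
ABC,PROG,<SYST>,OWN-CERTIFICATE,CN=ABC,CN=ABC,20:14:07:17:13:13:01
ABC,PROG,<SYST>,OWN-CERTIFICATE,CN=ABC,CN=ABC,20:14:07:17:13:13:01
ABC,SSLC,DFAULT,OWN-CERTIFICATE,CN=abc.example.test,CN=abc.example.test,20:14:01:02:03:04:05
DEF,PROG,<SYST>,OWN-CERTIFICATE,CN=DEF,CN=DEF,20:14:08:01:09:00:00
DEF,PROG,<SYST>,CERTIFICATE,CN=ABC,CN=ABC,20:14:07:17:13:13:01
"""

# Constructed Java export: JAV imported ABC's public key, so it is a receiver.
# "JAVA_STORE" is a placeholder context, not a real keystore view name.
JAVA_EXPORT = """SID,CONTEXT,APPLICATION,TYPE,SUBJECT,ISSUER,SERIALNO
JAV,JAVA_STORE,-,CERTIFICATE,CN=ABC,CN=ABC,20:14:07:17:13:13:01
JAV,JAVA_STORE,-,OWN-CERTIFICATE,CN=JAV,CN=JAV,20:14:09:09:09:09:09
"""


def load_export(csv_text):
    """Read one export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def cert_key(row):
    """Identity of a certificate: the same subject, issuer and serial number
    on several rows means the same PSE (one row per server instance)."""
    return (row["SUBJECT"], row["ISSUER"], row["SERIALNO"])


def abap_own_certificates(abap_rows):
    """Step 1 of 1.3.5: the List of ABAP OWN-CERTIFICATEs, one entry per
    certificate, mapped to the issuing SIDs that hold it."""
    issuers = defaultdict(set)
    for row in abap_rows:
        if row["TYPE"] != "OWN-CERTIFICATE":
            continue
        if row["CONTEXT"] not in DSA_CONTEXTS or row["APPLICATION"] in EXCLUDED_APPLICATIONS:
            continue
        issuers[cert_key(row)].add(row["SID"])
    return dict(issuers)


def receiving_systems(rows, own_certs):
    """Steps 2 and 4 of 1.3.6: SIDs holding a CERTIFICATE entry whose subject,
    issuer and serial number match one of the OWN-CERTIFICATEs."""
    receivers = defaultdict(set)
    for row in rows:
        if row["TYPE"] == "CERTIFICATE" and cert_key(row) in own_certs:
            receivers[cert_key(row)].add(row["SID"])
    return dict(receivers)


def build_worklists(abap_csv, java_csv):
    """Return the three lists the guide names: issuing systems, ABAP receivers,
    Java receivers. The key algorithm is not in the export, so the issuing
    list still has to be confirmed in STRUST as described in 1.3.5."""
    abap_rows, java_rows = load_export(abap_csv), load_export(java_csv)
    own = abap_own_certificates(abap_rows)
    return {
        "issuing": own,
        "abap_receiving": receiving_systems(abap_rows, own),
        "java_receiving": receiving_systems(java_rows, own),
    }


if __name__ == "__main__":
    for name, entries in build_worklists(ABAP_EXPORT, JAVA_EXPORT).items():
        print(name)
        for (subject, issuer, serial), sids in sorted(entries.items()):
            print(f"  {subject} / {issuer} / {serial}: {', '.join(sorted(sids))}")
```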
For your convenience, here again is an overview of the complete process for replacing key pairs for cryptographic
functions from the introduction of this document. Included are the names of the work lists you need for the
different steps of the overview procedure.
1.
Create keys with identical names on the system that issues signatures.
Caution
Do not use the new keys for signatures, yet!
List of ABAP OWN-CERTIFICATEs
2.
3.
On the key issuing systems, switch to the new keys for signatures.
List of ABAP systems with OWN-CERTIFICATES.
Remove the old keys from the issuing and receiving systems.
List of ABAP systems with OWN-CERTIFICATES.
List of ABAP receiving systems
List of Java receiving systems
Note
The public-key certificates from the old PSEs may have been imported into other systems such as SAP HANA
or third-party systems. Import the new public-key certificate into these systems as well. For more
information, see the product documentation for your system.
For SAP NetWeaver AS for ABAP, we provide tools to support PSE replacement. To use tool-supported PSE
replacement, implement the SAP Note 2068693.
The replacement process uses two reports for SAP NetWeaver AS for ABAP: one report on the issuing system and
one on the receiving system. SAP Solution Manager provides support for generating work lists for which systems
need PSE replacement.
For more information, see 1.3 above.
An overview of the process is as follows:
1.
Create replacement PSEs on issuing SAP NetWeaver AS for ABAP systems and export the corresponding
public keys.
2.
3.
4.
2.1
Report REPLACE_DSA_PSE enables you to generate inactive replacement PSEs. Before you activate the PSE,
export the public-key certificate of the new PSE and import the certificate into systems that trusted the old PSE.
Prerequisites
You have installed the current SAP Cryptographic Library.
If you do not have a current version of the SAP Cryptographic Library, REPLACE_DSA_PSE shows the
following icon under Action 1:
(You need a new SAPCRYPTOLIB /CommonCryptoLib).
For more information about the SAP Cryptographic Library, see SAP Note 1848999.
You have implemented the correction instructions in SAP Note 2068693.
You have authorizations to use Trust Manager (transaction STRUST).
You have created a backup of the old PSE just in case you run into problems during testing. Archive the old
PSE in case you ever need to restore the old environment in the future.
Caution
If you do not have a backup of the old PSE and delete it, there is no way to recover or validate information
protected by the cryptographic function.
Note
If you use signatures that must be validated over a long period of time, such as for FDA compliance,
create an image of the relevant systems. The archived PSEs and system data serve to preserve the
evidence that the documents had been signed by those PSEs at that point in time.
Procedure
1.
On the issuing system, start report REPLACE_DSA_PSE in ABAP: Program Execution (transaction SA38).
The report displays the PSEs with keys that need replacing.
Icon
Description
Is not a self-signed certificate. You should consider
replacing this PSE, but doing so requires additional effort.
You must have your certificate signed by a certification
authority (CA).
The old PSE is still active and in use. Replace the PSE
with a new PSE.
One of two states
This PSE has been replaced or does not need
replacement. You have completed the process.
You have replaced the PSE, but have not deleted
the old PSE yet. Finish your testing. Be sure you
have archived the old PSE. The old PSE is still in
the database. For housekeeping purposes you
can delete the old PSE.
There are minor inconsistencies in the system. You
must enter the PIN before the report can determine
the status of the PSE.
2.
Choose (Download new certificate) to save the new public key to the file system.
2.2
Report REPLACE_DSA_CERTIFICATES enables you to import public-keys for existing trust relationships.
Importing the public keys is an important prerequisite before switching to the new PSE and testing the business
process.
Prerequisites
You have downloaded the public key from the issuing system.
You have authorizations to use Trust Manager (transaction STRUST).
You have implemented SAP Note 2068693.
Procedure
1.
Description
Nothing has been done yet. You should import the
relevant public-key certificate.
Old and new public-key certificates are in the
certificate list. Finish testing the business process,
archive the old public key, and then delete the old
public-key.
The PSE has the new public-key certificate in its
certificate list. You have completed the process.
There are minor inconsistencies in the system. You
must enter the PIN before the report can determine
the status of the PSE.
2.
2.3
Activate the replacement PSE and test whether your business processes still work.
Prerequisites
You have generated replacement PSEs.
You have imported the public-key certificates of the replacement PSEs into the receiving systems.
Procedure
1.
On the issuing system, start report REPLACE_DSA_PSE in ABAP: Program Execution (transaction SA38).
2.
Choose
3.
2.4
Once you are convinced that your business processes are correctly configured, you can remove the old PSEs from
the issuing system and the old public-key certificates from the receiving system.
Note
Depending on the scenarios that use the PSE, you may need to consider how to validate signatures made
by the old PSE that are still in the system. Once the old public key has been deleted, the system can no
longer validate signatures made by the old PSE. Consider the national laws, which mandate audits of
documents signed by your business processes.
If you use signatures that must be validated over a long period of time, such as for FDA compliance,
archive the PSE and create an image of the relevant systems. The archived PSEs and system data serve
to preserve the evidence that the documents had been signed by those PSEs at that point in time.
For the reasons mentioned above, the report REPLACE_DSA_PSE requires you to save a copy of the old
PSE before you delete it.
Prerequisites
Be sure you have archived the old PSE. With the old PSE you can export the public key and recover older
signatures.
Procedure
1.
On the issuing system, start report REPLACE_DSA_PSE in ABAP: Program Execution (transaction SA38).
2.
Choose
The report requires you to save a copy of the old PSE before deleting it.
3.
Depending on what scenarios you have running in your system landscape you may have to delete the public
keys on a variety of different systems. The scenario descriptions in the sections that follow provide additional
information.
To assist you with deleting old public-key certificates on SAP NetWeaver AS for ABAP, SAP Note 2068693
includes report REPLACE_DSA_CERTIFICATES, which enables you to delete these certificates.
1.
The report displays the PSEs with public keys in their certificate lists that need replacing.
2.
Choose
This section provides information about various scenarios in SAP landscapes. Each scenario provides
recommendations for replacing PSEs as well as manual procedures for the replacement process. Manual
replacement can be a laborious process. We recommend using the tool-supported process for SAP NetWeaver
AS for ABAP, where possible.
For more information, see 2 Tool-Supported PSE Replacement.
The following are scenarios that use DSA signatures:
Logon tickets and authentication assertion tickets
Secure URLs for Content Server
SAP Passports
E-Learning
System Signatures for SSF Signatures
Custom Development Using SSF Functions
ITS Applet Handling
3.1
SAP servers sign and issue logon tickets to users that log on. The user's client then presents these tickets to other
systems, which accept the signature on the logon ticket, as long as trust has been established. To establish trust
an administrator must have installed the public key of the ticket issuing system in the ticket receiving system.
Authentication assertion tickets are used for server-to-server connections. With authentication assertion tickets,
another system is the client instead of a user. Otherwise the principles remain the same.
SAP HANA does not issue logon tickets, but it can issue authentication assertion tickets. SAP HANA has the
capability to issue assertion tickets from SAP HANA 1.0 SP7 and higher. SAP NetWeaver AS for ABAP issues both
types of tickets.
For SAP NetWeaver AS for ABAP, we provide a number of tools to make switching keys easier. For more
information, see 2 above. Otherwise you must repeat this procedure for every client in your SAP NetWeaver AS
for ABAP.
3.1.1
3.1.1.1
Procedure
1.
2.
3.
Double-click the System PSE. This is the default PSE used to sign logon tickets.
4.
8. Choose (Revise DN).
9. Enter the subject of the old certificate in the DN field. Keep the algorithm and key length.
10. Save your entries.
11. Double-click the system PSE.
12. For every certificate in the certificate list of the PSE, double-click the certificate subject in the list and choose
(Export Certificate), saving each certificate to a separate .cer file.
13. Double-click File PSE and open the file PSE you just saved in step 10 above.
14. For every certificate you saved in step 12 above, choose
the file PSE you opened in step 13 above.
15. Choose
3.1.1.2
Prerequisites
Log on as the SID admin (<SID>adm) user.
Procedure
1.
Note
In a cluster environment, check every cluster node.
2.
Note
In a cluster environment, you must check every node in the cluster.
3.
For each PSE in this directory, view the PSE attributes by entering the following command:
./sapgenpse get_my_name -p <pse_name>
The following is an example of the result:
No SSO for USER "<sidadm>"
with PSE file "$SECUDIR/saplogon.pse"
Subject : CN=MYSAPSSO
Issuer  : CN=MYSAPSSO
Serialno: 20:14:07:17:13:13:01
KeyInfo : DSA, 1024-bit
Validity
NotBefore:
NotAfter:
If KeyInfo reveals a key of type DSA, make sure you have a current version of the SAP Cryptographic Library
and replace the key pair.
2.
Create a new PSE, using the same data as the original PSE for assertion tickets.
./sapgenpse gen_pse -a DSA -s 1024 -p saplogonSign_new.pse "CN=<host>.<domain>, OU=<instance>, O=<org>, C=<country>"
3.
Export any certificates within the logon certificate trust store saplogonSign.pse.
./sapgenpse maintain_pk -l PEMlist -p saplogonSign.pse
The output appears as one or more binary large objects (BLOBs).
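The manual check above (read the KeyInfo line of get_my_name output for every PSE on every cluster node and flag DSA key pairs) as an added example, not code from the SAP guide or from SAP. It assumes the output layout shown above and uses constructed sample output for two nodes; the $SECUDIR scan at the end assumes sapgenpse is on the PATH and the PSEs need no PIN.

```python
"""Find DSA PSEs across cluster nodes from 'sapgenpse get_my_name -p <pse>' output.

Added example, not SAP code. Field layout assumed as in the guide's sample:
'Subject : ...', 'Issuer  : ...', 'Serialno: ...', 'KeyInfo : DSA, 1024-bit'."""
import re
import shutil
import subprocess
from collections import defaultdict
from pathlib import Path

FIELD_RE = re.compile(
    r"^\s*(Subject|Issuer|Serialno|KeyInfo|NotBefore|NotAfter)\s*:\s*(.*?)\s*$")

# Constructed sample output (dates are placeholders, as in the guide's sample).
SAMPLE_DSA = """No SSO for USER "abcadm"
with PSE file "$SECUDIR/saplogon.pse"
Subject : CN=MYSAPSSO
Issuer  : CN=MYSAPSSO
Serialno: 20:14:07:17:13:13:01
KeyInfo : DSA, 1024-bit
Validity
NotBefore: <not-before date>
NotAfter:  <not-after date>
"""

SAMPLE_RSA = """No SSO for USER "abcadm"
with PSE file "$SECUDIR/SAPSSLS.pse"
Subject : CN=abc.example.test
Issuer  : CN=abc.example.test
Serialno: 20:14:01:02:03:04:05
KeyInfo : RSA, 2048-bit
Validity
NotBefore: <not-before date>
NotAfter:  <not-after date>
"""

# The same saplogon.pse is replicated on node2, so it must show up once.
SAMPLE_OUTPUTS = {
    "node1": {"$SECUDIR/saplogon.pse": SAMPLE_DSA, "$SECUDIR/SAPSSLS.pse": SAMPLE_RSA},
    "node2": {"$SECUDIR/saplogon.pse": SAMPLE_DSA},
}


def parse_get_my_name(text):
    """Return the labelled fields of one get_my_name output as a dict."""
    info = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def key_algorithm(info):
    """Split 'DSA, 1024-bit' into ('DSA', 1024); bits is None when absent."""
    alg, _, rest = info.get("KeyInfo", "").partition(",")
    m = re.search(r"(\d+)", rest)
    return alg.strip(), (int(m.group(1)) if m else None)


def is_dsa_pse(text):
    """True when the PSE's own key pair is DSA and therefore due for replacement."""
    return key_algorithm(parse_get_my_name(text))[0] == "DSA"


def dsa_worklist(outputs):
    """outputs: {node: {pse_path: get_my_name_text}}.

    Groups DSA PSEs by (Subject, Issuer, Serialno) so one PSE replicated on
    several cluster nodes is listed once, together with all of its nodes."""
    worklist = defaultdict(lambda: {"nodes": set(), "files": set()})
    for node, pses in outputs.items():
        for path, text in pses.items():
            info = parse_get_my_name(text)
            if key_algorithm(info)[0] != "DSA":
                continue
            key = (info.get("Subject"), info.get("Issuer"), info.get("Serialno"))
            worklist[key]["nodes"].add(node)
            worklist[key]["files"].add(path)
    return dict(worklist)


def collect_from_secudir(secudir, node="localhost"):
    """Run the real sapgenpse on every *.pse in SECUDIR and return
    {node: {path: output}} in the shape dsa_worklist expects.
    Assumption: sapgenpse is on PATH and the PSEs do not prompt for a PIN."""
    outputs = {}
    if shutil.which("sapgenpse") is None:
        return {node: outputs}
    for pse in sorted(Path(secudir).glob("*.pse")):
        proc = subprocess.run(["sapgenpse", "get_my_name", "-p", str(pse)],
                              capture_output=True, text=True, input="")
        outputs[str(pse)] = proc.stdout
    return {node: outputs}


if __name__ == "__main__":
    for (subject, issuer, serial), hit in dsa_worklist(SAMPLE_OUTPUTS).items():
        print(f"replace {subject} ({serial}) on nodes {sorted(hit['nodes'])}")
```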
3.1.2
So that the receiving systems can verify the signatures of the new private keys, the receiving systems need a copy
of the public keys.
3.1.2.1
This procedure requires you to log on to SAP NetWeaver AS for ABAP, save the public key to the file system, and
import that file in a new system.
Procedure
1.
2.
3.
(Export Certificate).
Save the public key certificate to the file system or a network share.
6. Copy the certificate to a network share or the file system of the receiving system.
7.
3.1.2.2
Procedure
1.
Export the public-key certificate from the SAP HANA trust store, using the following command:
./sapgenpse export_own_cert -p saplogonSign.pse
2.
Save the public key certificate to the file system or a network share.
3.
Copy the certificate to a network share or the file system of the receiving system.
3.1.3
Once you have completed this step, you have completed the most critical part of this security note. Create a
backup of the old private keys just in case you run into problems during testing. Archive the old private keys in
case you ever need to restore the old environment in the future.
3.1.3.1
Procedure
1.
2.
3.
3.1.3.2
Procedure
1.
Note
In a cluster environment, you must check every node in the cluster.
2.
3.1.4
Procedure
Thoroughly test the affected systems. Log on to the ticket issuing system and then log on to all systems that
accept this logon ticket.
If you encounter a problem during testing, you can restore the old private key on the issuing system.
3.1.5
Once you remove the old public keys, receiving systems will no longer be able to validate signatures issued with
the old private key.
3.1.5.1
To assist you with deleting old public-key certificates on SAP NetWeaver AS for ABAP, SAP Note 2068693
includes REPLACE_DSA_CERTIFICATES, which enables you to delete these certificates. Use the following
procedure to manually remove the public keys.
Procedure
1.
2.
3.
Choose
3.1.5.2
1.
Note
In a cluster environment, you must check every node in the cluster.
2.
3.
3.2
The content server of SAP NetWeaver AS for ABAP uses the system PSE by default. If you created a PSE just for
the content server (HTTP Content Server), replace the certificate for the content server PSE.
We recommend that you use tool-supported replacement of keys.
For more information, see 2 Tool-Supported PSE Replacement.
If you choose to replace the keys manually, use the following procedures in every client of the system.
3.2.1
Procedure
1.
2.
3.
The default PSE used by the content server is the system PSE. If you created your own PSE for the content
server, choose the HTTP Content Server PSE.
4. Create a backup of the content server PSE.
Choose PSE > Export.
5.
8. Choose (Revise DN).
9. Enter the subject of the old certificate in the DN field. Keep the algorithm and key length.
10. Save your entries.
11. Double-click the content server PSE.
12. For every certificate in the certificate list of the PSE, double-click the certificate subject in the list and choose
(Export Certificate), saving each certificate to a separate .cer file.
13. Double-click File PSE and open the file PSE you just saved in step 10 above.
14. For every certificate you saved in step 12 above, choose
the file PSE you opened in step 13 above.
15. Choose
3.2.2
So that the receiving systems can verify the signatures of the new private keys, the receiving systems need a copy
of the public keys.
This procedure requires you to log on to SAP NetWeaver AS for ABAP.
Procedure
1.
2.
3. Choose (Send certificate).
4.
o If the target system is SAP NetWeaver AS ABAP or supports the administration interface, choose the CS
ADMIN pushbutton and activate the new certificate.
For more information, see Certificates.
o If the target system does not support the administration interface, log on to the target system and
activate the new certificate.
For more information, see the documentation of the target content repository.
3.2.3
Once you have completed this step, you have completed the most critical part of this security note. Create a
backup of the old private keys just in case you run into problems during testing. Archive the old private keys in
case you ever need to restore the old environment in the future.
Procedure
1.
2.
3.
4.
Choose PSE > Save As... and choose the content server PSE.
The default PSE used by the content server is the system PSE. If you created your own PSE for the content
server, choose the HTTP Content Server PSE.
3.2.4
Procedure
Thoroughly test the affected systems. If you encounter a problem during testing, you can restore the old private
key on the issuing system. The following is an example of an error message that occurs in report RSCMST when
trust has not been established between systems. Otherwise the message appears in the logs of SAP Content
Server.
HTTP/1.1 401 (Unauthorized)
X-ErrorDescription: "Security SsfVerify failed rc=5, , PSE=C:\Program
Files\SAP\Content Server\Security\REPOSITORY.pse,"
3.2.5
Once you remove the old public keys, receiving systems will no longer be able to validate signatures issued with
the old private key.
To assist you with deleting old public-key certificates on SAP NetWeaver AS for ABAP, SAP Note 2068693
includes report REPLACE_DSA_CERTIFICATES, which enables you to delete these certificates. Use the following
procedure to manually remove the public keys.
Procedure
1.
2.
3.
You can use the information stored in SAP Solution Manager to determine if SAP NetWeaver Application Server
for ABAP systems in your landscape are compliant with changes you made in your landscape. For this example,
we assume that you want to ensure all PSEs were created with a current version of SAP Cryptographic Library in
the year 2000 or later. To do this, you create a template from a source system, configure a target system based
on the source system template, and then run the compliance check for a set of systems connected to SAP
Solution Manager.
4.1
Create a source system template from which you can create a target system template for the compliance check.
The source system template includes the PSE_CERT configuration store, which has information about PSEs of the
monitored systems.
Procedure
1.
In your SAP Solution Manager system, start SAP Solution Manager: Work Centers (transaction
SM_WORKCENTER).
2.
3.
Under the Source System section, enter selection criteria to find a system to use as a template and choose
Display Selection.
4.2
Once you have a source system template, you can create a target system template. In the target system template
you define configuration store values that lead to compliance and a counter example that does not lead to
compliance.
Procedure
1.
In your SAP Solution Manager system, start SAP Solution Manager: Work Centers (transaction
SM_WORKCENTER).
2.
3.
4.
5.
Enter the name of the source system template you created in the previous procedure.
For more information, see 4.1 above.
6. Choose
7.
Display selection.
Under Config Stores of Target System:<Long SID>, choose the Store Name PSE_CERT.
(Delete selected).
10. Except for the SERIALNO field, set the operator to Contains and the value to *. Set operator and value of the
SERIALNO field to Contains and 0A20* respectively.
The result should appear as follows in the figure below.
(Save).
13. Except for the VALID_TO field, set the operator to Contains and the value to *. Set operator and value of the
VALID_TO field to Contains and Non_Compliant respectively.
The result should appear as follows in the figure below.
(Save).
You have created a target system template to use as a reference system in the compliance check.
4.3
SAP Solution Manager collects data on PSEs stored in SAP NetWeaver AS systems. You can generate a list of
these PSEs and check their compliance against a target system template.
Procedure
1.
In SAP Solution Manager, start SAP Solution Manager: Work Centers (transaction SM_WORKCENTER).
2.
3.
4.
5.
Under the Choose Reference System section, on the Select Reference System tab, choose the name of the
target system template you created in the previous procedure.
For more information, see 4.2 above.
6. On the Operator validation tab, choose the 0CONFIG_STORE_TABLE_VIEWER configuration operators report.
7.