smartcard instead of a PSE file

Former Member
0 Kudos

Hello all

I will describe my situation first and after that I will shoot the question. Here it goes …

I have two NetWeaver instances - one SAP NetWeaver PI 7.0 and one SAP NetWeaver Portal 7.0 (both same patch level etc.). I am able to connect from the SAP NW PI system to the SAP NW Portal system using an HTTPS connection that, in turn, uses an x.509 client certificate for authentication.

How is it made? Here it is:

On the SAP Portal side I have installed a CA that has signed the SSL server certificate for the SAP NetWeaver Portal system. This CA (a Microsoft CA) also issues certificates for SAP Portal users in two ways:

a) Via Certificate Services Web enrollment functionality directly to the user's workstations (note that the private key of the user's certificate is marked as exportable! – very useful for sapgenpse)

b) Via Certificate Services Web enrollment functionality to a smartcard (note that in this case the private key is not exportable)

All the users that get user certificates from that CA are able to connect and login to the SAP Portal system (in fact our SAP Portal system is only accessible via HTTPS and only using x.509 client certificates for authentication).

The SAP NW PI system needs to connect to the SAP Portal just as users do (so very well). So the SAP NW PI system needs a client certificate to authenticate. No problem: I have generated a user certificate and I have saved it in the ".p12" form. Then I have converted the .p12 certificate into the PSE format (using sapgenpse executable), I have imported the PSE into the SAP NW PI system using STRUST transaction, I have saved it as a client certificate and so the SAP NW PI can access and login to the SAP Portal system over an HTTPS connection.

Now The Problem:

I cannot get user certificates in .p12 format anymore and so I need the SAP NW of the PI system to use a smartcard instead of a PSE file (that, in turn, would come from a .p12 file). I did not find any documentation on this yet ...

Any help is appreciated.

Best wishes

Vasile Poenaru

3 REPLIES 3

Former Member
0 Kudos

Have you tried using the command line tool SAPGENPSE instead of STRUST?

I am not sure of the current status, but P12 can be successfully installed from the OS itself.

Cheers,

Julius

0 Kudos

Hello

Yes, .p12 files can be (and already are) installed (converted into PSE files) at OS level.

The problem is that I will NOT have .p12 files any more but, instead of them, I will have only smartcards with the certificates.

Any ideas are appreciated.

best wishes

Vasile

martin_voros
Active Contributor
0 Kudos

As far as I understand your requirement, you don't want to store the PSE on disk, but you want to use a smart card for this purpose. I don't think that this is supported by SAPCRYPTOLIB. You need to look for a 3rd party product which allows you to use a smart card as a store for your certificates.

Cheers