Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

STRUST - Error while creating PSE

Former Member
0 Kudos

Hi all,

i want to create the PSE for SNC (SAP Cryptolib). -> Webservices with Certificates

SNC ID: sys-sapsnc@<domain>.com

Algorithm: RSA

Key Length: 1024

Error message:

Error while creating PSE

Message no. TRUST040

System: ERP 2005

System PSE is already created

SSL Server PSE is already created

SSL Client (Anonymous) PSE is already created

SSL Client (Standard) PSE is already created

regards

19 REPLIES 19

Former Member
0 Kudos

In that case you better leave the SNC PSE alone! Did you install the SAP Crypto Library? Is there a red cross in front of the PSE you want to create?

BTW, by right clicking on the entry, you can delete a PSE.

The system PSE is used for the creation and verification of login tickets. So, if you're using login tickets you should leave the system PSE alone as well.

The user interface of STRUST is very bad. It is normal not to know how to use this transaction.

0 Kudos

Hi,

we have installed the SAP Crypto Library.

And yes there is a cross in front of the PSE -> shows that the PSE is not yet created

But we use SSL. What PSE entry do i need for SSL?

regards

0 Kudos

Check this link

/people/gregor.wolf3/blog/2006/09/29/setup-data-encryption-between-rfc-client-and-web-as-abap-with-snc

http://searchsap.techtarget.com/tip/0,289483,sid21_gci1222189,00.html

0 Kudos

Hi,

your first link is the document what i want to do....

But i get this error.

regards

0 Kudos

Forget about SSL! RFC is secured using SNC and has nothing to do with web services at all. This is older technology.

You'll want to use SNC and so a right click on the PSE with the red cross should give you the create option only (as documented in the blog).

0 Kudos

The blog has one big problem: The license for the SAP Crypto Library will, most probably, not allow its usage for the RFC client. Please review its license carefully! You may obtain a license from [Secude|http://www.secude.com/] in that case.

0 Kudos

You might also want to consider using Kerberos protocol based SNC libraries, especially if the client application using RFC runs on Windows platform (e.g. on XP or Vista) and the user of the application has already logged onto a Windows domain (e.g. Active Directory). In this case, using Kerberos will allow you to give Single SignOn to the user when they run the client application, and it connects to SAP ABAP using RFC.

To find a SAP partner who provided such libraries I suggest you visit http://www.sap.com/eapcatalog and search for SNC Kerberos keywords in the search box provided. Then, if you contact the vendor/vendors listed they can provide you with more details.

0 Kudos

>

> Hi,

>

> your first link is the document what i want to do....

>

> But i get this error.

>

> regards

Regarding above - the link you refered to at /people/gregor.wolf3/blog/2006/09/29/setup-data-encryption-between-rfc-client-and-web-as-abap-with-snc clearly describes using RFCs and not web services. This is why myself and others were giving you information about this, but now you are suggesting you need help with web services, which has nothing to do with the information at this link... I am therefore conufsed about what you want to do, which makes it hard to help.

0 Kudos

Hi,

We installed certificate on System PSE after installing SAPcryptolibrary and because of that System PSE was in red status so we deleted the system pse. When we go to create "system pse" it says error while loading pse.Another thing is it prompts for password which I don't know?

Do you know how I can create System PSE ?

Thanks,

Misba

Former Member
0 Kudos

Hi,

thanks a lot.

But how can i use my webservices with certificates.

What are the main steps? What do i have to configure for this issue?

regards

0 Kudos

Hi Wolfgang,

you can't use SNC for securing webservice calls. Instead you might want to use SSL (for transport layer security). Please have a look at the following documentation:

[Configuring a Web Service|http://help.sap.com/saphelp_nw70/helpdata/EN/47/3971ff39591a53e10000000a1553f7/frameset.htm]

[Configuring the SAP Web AS for Supporting SSL|http://help.sap.com/saphelp_nw70/helpdata/EN/65/6a563cef658a06e10000000a11405a/frameset.htm]

Best regards,

Klaus

Edited by: Klaus Kiefer on Jun 25, 2008 7:59 PM

0 Kudos

Hi,

i want to follow this blogs:

/people/gregor.wolf3/blog/2006/09/30/authenticate-from-php-to-a-web-service-using-x509-certificates

/people/gregor.wolf3/blog/2006/09/29/setup-data-encryption-between-rfc-client-and-web-as-abap-with-snc

Just look at the second one. I have to create the PSE for SAP Cryptolib....

regards

0 Kudos

Hi Wolfgang,

do you want to secure webservice calls? Then SNC is not relevant for you. Nevertheless, in order to find out the reason for the error when creating the PSE, you might follow [note 800240|https://service.sap.com/sap/support/notes/800240].

Best regards,

Klaus

former_member698570
Active Participant
0 Kudos

Hi Ralf,

I think I did something similar with XI about a year ago. You have to create or import some certificates / CA Certificates using STRUST (it depends if you have officially signed certificates or if you are using your own selfsigned certificates. In this case you need the root certificate as well).

=> Note 510007 might be useful

=> When importing your own root CA make sure you choose a valid namespace for Trust Center (starting with Z e.g. ZSELFCA) and choose Root-CA for Category.

=> If you want to view, modify or deltete entries choose menu > certificate > database and you will see a screen where you can search for the entries in the certificate database

Just in case you have problems with your PSE make a copy of directory /usr/sap/SID/DVEBMGS<XX>/sec

and delete your existing PSE to create a new one (Carefully!!!

- First of all make sure you installed SAPSECULIB.

- After that you should create a new PSE or create new entries for SSL Server (optionally client etc.)

- You can create an entry directly in TRUST Manager. The resulting certificate will be selfsigned. You can sign

this cert using your CA and then after having it signed you have to import the certificate response (use openssl to do cert stuff)

=> This might be helpful: http://help.sap.com/saphelp_nw04/helpdata/en/24/61ab3b92818b70e10000000a114084/frameset.htm

You can import your own certificates from menu > certificate > import in the maintenance section of the SSL Server PSE or you can just click on the "Import Certificate" button

When done you should check that your generated/imported certificates are working by simple accessing your server using the https protocol (e.g. https://<server>:<sslport>/sap/public/ping should be fine)

Just in case you used your own CA to sign the certificates your Browser will display popup saying that the certificate is not signed by any known trusted CA (we know that so we can ignore that

If you want to use client cert authentication you have to repeat the explained steps for SSL Client (Standard)

=> Create the PSE, sign the generated certificate etc., import the certificate response

When this is all done you should do the following:

- Create a RFC Destination for HTTPS Communication (call sm59, open the Folder HTTP Connections to External Server)

- In the destination enter the destination Host and the path of your application

- After that open the TAB Logon/Security

- In the Status of Secure Protocol Section choose SSL active and DEFAULT SSL Client (Standard) as SSL Client Certificate

- Save all your changes

You should now be able to use this destination for your Webservice communication and it will be encrypted using SSL

Hope this helps

If you have further questions let me know

Cheers

0 Kudos

>

> Hi Ralf,

Who is Ralf?

0 Kudos

I meant Wolfgang, sorry. I was working on two Posts

0 Kudos

First of all make sure you installed SAPSECULIB.

Small mistake: must be SAPCRYPTOLIB.

Best regards,

Klaus

former_member698570
Active Participant
0 Kudos

Sorry for calling you Ralf in my latest Post, I was working on another Post and got confused with the names

Former Member
0 Kudos

Please check the following parameters

ssf/name SAPSECULIB

ssf/ssfapi_lib d:\usr\sap\<SID>\sys\exe\uc\NTAMD64\sapsecu.dll

sec/libsapsecu d:\usr\sap\<SID>\SYS\exe\uc\NTAMD64\sapsecin.exe <---

The program 'sapsecin.exe' is only useful in certain situations (for

example for error analysis) and can be ignored in the standard

installation.

So, please change 'sec/libsapsecu' to

"d:\usr\sap\SBD\sys\exe\uc\NTAMD64\sapsecu.dll" as well and try

STRUSTSSO2 again.

Regards,

Jobit

Edited by: jobit joy on Apr 9, 2010 10:55 AM