PSE Certificate
To secure the connection between the Identity Center and the ABAP system, SNC (Secure Network Communications) requires the use of an external security product to perform the security functions. For this purpose, you use the SAP Cryptographic Library or any SNC-certified product.
Prerequisites
- The SAP Cryptographic Library is available on the application server.
If the SAP Cryptographic Library is not installed, the trust manager does not display the node for the SNC PSE.
- The environment variable SECUDIR is set to the location where the PSE is stored.
- SNC PSE: The Distinguished Name you use must match the Distinguished Name part of the server's SNC name, which you define in the profile parameter snc/identity/as. If this profile parameter is not yet set, you can still specify the server's Distinguished Name, but you receive a warning that you have to maintain the profile parameter.
- The application server's Distinguished Name for SNC must also be unique. You cannot specify a Distinguished Name that the server uses in a different PSE, for example, the system PSE.
Procedure
- Open the trust manager (transaction STRUST).
- Select the SNC PSE node.
- Call the context menu and choose Create (if no PSE exists) or Replace. The <Create/Replace> PSE dialog appears.
- Enter the components of the Distinguished Name of the system in the corresponding fields. If the server's SNC name is defined in the profile parameter snc/identity/as, the system automatically determines the Distinguished Name accordingly. The following table shows the parts of the Distinguished Name:

| DN Part | Definition | Example |
| --- | --- | --- |
| CN | Common Name | <SID> |
| EMAIL | E-Mail | E-mail address for Subject. Note: If you are using X.509v3 certificates, you must use third-party tools to integrate an e-mail address into a Subject Alternative Name. |
| OU | Organizational Unit (optional) | Department Name |
| O | Organization | Company Name |
| C | Country | USA: US, Germany: DE |

If you use a reference to a CA namespace, the elements contained in the CA field are automatically used for the server's Distinguished Name. In this case, you are also unable to modify the Country field. Use the toggle function to activate or deactivate the reference to a CA namespace.

If you use the SAP CA as the issuing CA, then the rest of the Distinguished Name (not the CN part) must be as follows: OU=I-, OU=SAP Web Application Server, O=SAP Trust Community, C=DE

For the first OU (Organizational Unit) part, you specify your customer number only. The SAP CA automatically extends the OU part to include your company name.
- Choose Enter. You return to the Trust Manager screen.
- For SNC, you must assign a password to the PSE. Choose Assign password. The PSE dialog appears.
- Enter a password for the PSE and choose Enter. You return to the Trust Manager screen.
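The Distinguished Name rules above (match with snc/identity/as, uniqueness across PSEs, and the SAP CA naming rule) can be checked before you open STRUST. The following is an added example, not SAP code. It assumes that the SNC name carries a `p:` prefix in front of the Distinguished Name and that only attribute-type case and whitespace around separators may differ; all sample values are constructed.

```python
import re

# RDNs the page requires after the customer-specific first OU when the SAP CA issues the certificate.
SAP_CA_SUFFIX = [("OU", "SAP Web Application Server"), ("O", "SAP Trust Community"), ("C", "DE")]

def parse_dn(dn):
    """Split a DN into ordered (TYPE, value) pairs; commas escaped with a backslash stay in the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed DN component: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def dn_from_snc_name(snc_name):
    """Return the DN part of an snc/identity/as value (assumes the 'p:' name-type prefix)."""
    prefix, sep, dn = snc_name.partition(":")
    if not sep or prefix.strip().lower() != "p":
        raise ValueError("expected an SNC name of the form p:<Distinguished Name>")
    return parse_dn(dn)

def check_snc_dn(planned_dn, snc_identity_as, other_pse_dns, issued_by_sap_ca=False):
    """Return a list of findings; an empty list means the DN passes the page's prerequisites."""
    planned, findings = parse_dn(planned_dn), []
    if snc_identity_as is None:
        findings.append("snc/identity/as is not set: maintain the profile parameter")
    elif planned != dn_from_snc_name(snc_identity_as):
        findings.append("DN does not match the DN part of snc/identity/as")
    for pse_name, dn in other_pse_dns.items():
        if parse_dn(dn) == planned:
            findings.append(f"DN is already used by {pse_name}")
    if issued_by_sap_ca:
        # Expected shape: CN, customer-specific OU, then the fixed SAP CA suffix.
        ok = (len(planned) == 5 and planned[0][0] == "CN"
              and planned[1][0] == "OU" and planned[2:] == SAP_CA_SUFFIX)
        if not ok:
            findings.append("DN does not follow the SAP CA naming rule")
    return findings

if __name__ == "__main__":
    # Constructed sample values; ABC and Example Corp are placeholders.
    system_pse = {"system PSE": "CN=ABC, OU=Basis, O=Example Corp, C=DE"}
    print(check_snc_dn("CN=ABC, OU=IT, O=Example Corp, C=DE",
                       "p:CN=ABC, OU=IT, O=Example Corp, C=DE", system_pse))
    print(check_snc_dn("CN=ABC, OU=Basis, O=Example Corp, C=DE", None, system_pse))
```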