Creating a PSE for the Server Using SAPGENPSE
Use
Use the command get_pse to generate the server's PSE, which includes the public and private key pair and a public-key certificate. If you are using a trusted CA, then you can also use the get_pse command to generate a certificate request. By default, all of the items are generated; however, you can use the options -noreq or -onlyreq to explicitly include or omit the certificate request.

For easier administration, we currently recommend using self-signed certificates that are not signed by a trusted CA.

If you are using a single PSE for all server components and you have already created the PSE on a different server, then copy the PSE to the appropriate location instead of creating a new one.
Prerequisites
- The SAP Cryptographic Library is installed on the server.
- The environment variable SECUDIR has been set to the location where the PSE is to be stored.
Procedure
Use the following command line to generate a PSE. Create the server's PSE in the SECUDIR directory.

sapgenpse get_pse <additional_options> [-p <PSE_name>] [-r <cert_req_file_name>] [-x <PIN>] [DN]
Where:
Standard Options
| Option | Parameter | Description | Allowed Values | Default |
|---|---|---|---|---|
| -p | <PSE_name> | Path and file name for the server's PSE | Path description (in quotation marks, if spaces exist) | None |
| -r | <file_name> | File name for the certificate request | Path description (in quotation marks, if spaces exist) | stdout |
| -x | <PIN> | PIN that protects the PSE | Character string | None |
| None | DN | Distinguished Name for the server. The Distinguished Name is used to build the server's SNC name. | Character string (in quotation marks, if spaces exist) | None |

The Distinguished Name consists of the following elements:
- CN = <Common_Name>
- OU = <Organizational_Unit>
- O = <Organization>
- C = <Country>

For example, for the application server for system ABC where <SID> is defined as the Common Name, Test as the Organizational Unit, MyCompany as the Organization, and DE (Germany) as the country, the Distinguished Name is:
CN=ABC, OU=Test, O=MyCompany, C=DE
Additional Options
| Option | Parameter | Description | Allowed Values | Default |
|---|---|---|---|---|
| -s | <key_len> | Key length | 512, 1024, 2048 | 1024 |
| -a | <algorithm> | Algorithm used | RSA, DSA | RSA |
| -noreq | None | Only generate a key pair and PSE. Do not generate a certificate request. | Not applicable | Not set |
| -onlyreq | None | Generate a certificate request for the public key stored in the PSE specified by the -p parameter. | Not applicable | Not set |

Generating a PSE and Self-Signed Certificate for the SAP System Application Server
The following command line generates a PSE for the SAP System application server (<SID> = ABC) containing a self-signed certificate. No certificate request is needed. The PSE is to be located at D:/usr/sap/ABC/DVEBMGS28/sec/ABC.pse. The PIN that protects the PSE is abcpin. The server's Distinguished Name is CN=ABC, OU=Test, O=MyCompany, C=DE.
sapgenpse get_pse -p D:/usr/sap/ABC/DVEBMGS28/sec/ABC.pse -noreq -x abcpin "CN=ABC, OU=Test, O=MyCompany, C=DE"

Generating a PSE and Self-Signed Certificate for the AGate Component
The following command line generates a PSE for the AGate component containing a self-signed certificate. No certificate request is needed. The PSE is to be located at D:/Program Files/SAP/ITS/2.0/ABC/sec/ABC_AGate.pse. The PIN that protects the PSE is abcagatepin. The server's Distinguished Name is CN=ABC_AGate, OU=Test, O=MyCompany, C=DE.
sapgenpse get_pse -p "D:/Program Files/SAP/ITS/2.0/ABC/sec/ABC_AGate.pse" -noreq -x abcagatepin "CN=ABC_AGate, OU=Test, O=MyCompany, C=DE"
Result
The server's PSE is created in the directory you specified.

Check the contents of the directory at the operating system level to make sure the PSE was created in the correct location before proceeding with the next step.
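
The procedure and the result check above, combined into one script. This is an added example, not SAP's own code: the function names are hypothetical, treating -noreq and -onlyreq as mutually exclusive is an assumption, and only the options listed on this page are used.

```python
import getpass
import os
import subprocess

# Allowed values from the "Additional Options" table on this page.
KEY_LENGTHS = {512, 1024, 2048}
ALGORITHMS = {"RSA", "DSA"}

def build_dn(cn, ou, o, c):
    """Assemble the DN in page order; separators in values are rejected, not escaped."""
    parts = {"CN": cn, "OU": ou, "O": o, "C": c}
    for key, value in parts.items():
        if not value or "," in value or "=" in value:
            raise ValueError(f"unusable {key} element: {value!r}")
    return ", ".join(f"{k}={v}" for k, v in parts.items())

def build_get_pse_argv(pse_path, dn, pin=None, key_len=None, algorithm=None,
                       noreq=False, onlyreq=False, req_file=None):
    """Return the get_pse call as an argument list, so no shell quoting is needed."""
    if noreq and onlyreq:  # assumption: the two options exclude each other
        raise ValueError("-noreq and -onlyreq cannot be combined")
    if key_len is not None and key_len not in KEY_LENGTHS:
        raise ValueError(f"key length {key_len} is not an allowed value")
    if algorithm is not None and algorithm not in ALGORITHMS:
        raise ValueError(f"algorithm {algorithm} is not an allowed value")
    argv = ["sapgenpse", "get_pse"]
    argv += ["-s", str(key_len)] if key_len is not None else []
    argv += ["-a", algorithm] if algorithm is not None else []
    argv += ["-noreq"] if noreq else []
    argv += ["-onlyreq"] if onlyreq else []
    argv += ["-p", pse_path]
    argv += ["-r", req_file] if req_file is not None else []
    argv += ["-x", pin] if pin is not None else []
    return argv + [dn]

def pse_in_secudir(pse_path, secudir):
    """Result check: the PSE exists, is non-empty, and lies inside SECUDIR."""
    real_pse = os.path.normcase(os.path.realpath(pse_path))
    real_dir = os.path.normcase(os.path.realpath(secudir))
    inside = real_pse.startswith(real_dir.rstrip(os.sep) + os.sep)
    return inside and os.path.isfile(real_pse) and os.path.getsize(real_pse) > 0

if __name__ == "__main__":
    secudir = os.environ["SECUDIR"]  # prerequisite listed on this page
    pse = os.path.join(secudir, "ABC.pse")
    dn = build_dn("ABC", "Test", "MyCompany", "DE")
    pin = getpass.getpass("PSE PIN: ")  # keeps the PIN out of shell history
    subprocess.run(build_get_pse_argv(pse, dn, pin=pin, noreq=True), check=True)
    print("PSE in SECUDIR:", pse_in_secudir(pse, secudir))
```

The PIN still appears in the sapgenpse process arguments while the command runs, because the -x option takes it on the command line.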
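Use the SAPGENPSE tool's get_pse command to generate the server PSE, which contains the public and private key pair and the public-key certificate. If a trusted CA is used, a certificate request can also be generated. The procedure requires the SAP Cryptographic Library to be installed on the server and the SECUDIR environment variable to be set.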