Instructions for Key Replacement

Upload: vipinsagar

Posted on 05-Mar-2016


HowTo - Instructions for Key Replacement - Note 2068693


How To Guide
Document Version: 1.1, 2014-10-15
PUBLIC

Instructions for Key Replacement
Instructions to Accompany SAP Note 2068693

2014 SAP AG or an SAP affiliate company. All rights reserved.

Typographic Conventions

Type Style: Description

Example: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Textual cross-references to other documents.

Example: Emphasized words or expressions.

EXAMPLE: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE: Keys on the keyboard, for example, F2 or ENTER.

Document History

Caution: Before you start the implementation, make sure that you have the latest version of this document, which is available from SAP Note 2068693.

Version  Date        Change
1.0      2014-10-14  Initial release.
1.1      2014-10-15  In section 1.3.5, step 1, SS02 applications were mistakenly excluded as not being signed with the DSA algorithm.

Table of Contents

1 Replacing Key Pairs for Cryptographic Functions  5
1.1 Overview of the Replacement Procedure  5
1.2 Notes on the Replacement of the System PSE  5
1.3 Generating a Worklist from SAP Solution Manager  6
1.3.1 Generating a Worklist for SAP NetWeaver AS for ABAP  7
1.3.2 Exporting the Validation Table of ABAP Systems  7
1.3.3 Generating a Worklist for SAP NetWeaver AS for Java  8
1.3.4 Exporting the Validation Table of Java Systems  8
1.3.5 Sorting the ABAP Data  9
1.3.6 Replacing PSEs and Exchanging Certificates  11
2 Tool-Supported PSE Replacement  13
2.1 Creating Replacement PSEs on SAP NetWeaver AS for ABAP  13
2.2 Importing Public Keys on SAP NetWeaver AS for ABAP  15
2.3 Testing the Business Processes  15
2.4 Deleting the Old PSEs and Public Keys  16
3 Scenario Specific Instructions and Manual Procedures  18
3.1 Scenario Logon Tickets and Authentication Assertion Tickets  18
3.1.1 Creating New Keys with Identical Names  18
3.1.2 Exporting the Public Keys to the Receiving Systems  20
3.1.3 Start Using the New Private Keys  21
3.1.4 Testing the New Key Pairs  22
3.1.5 Delete the Old Public Keys  22
3.2 Scenario Secure URLs for Content Server  23
3.2.1 Creating New Keys with Identical Names  24
3.2.2 Exporting the Public Keys to the Receiving Systems  24
3.2.3 Using the New Private Keys  25
3.2.4 Testing the New Key Pairs  25
3.2.5 Deleting the Old Public Keys  25
4 Checking for Compliance  27
4.1 Choosing a Template for Compliance Checks  27
4.2 Configuring the Target System Template for Compliance Checks  28
4.3 Executing Compliance Checks  29

1 Replacing Key Pairs for Cryptographic Functions

There are times during the lifecycle of a system when you want to replace the key pairs used for cryptographic functions. For example, the validity period of the key pair can expire, the key pair can be revoked, or you can proactively replace the key pair with a new one. This guide describes how to replace private keys in issuing systems and the corresponding public keys in validating systems. The procedures are based primarily on SAP NetWeaver Application Server (SAP NetWeaver AS) for ABAP as the issuing system. We assume in this document that you want to replace the key pairs used for DSA signatures, though most of the functions described here work for any type of algorithm.

1.1 Overview of the Replacement Procedure

This procedure requires you to go into the issuing and receiving systems at least twice for each system. Before you begin, ensure that you have the latest version of the SAP Cryptographic Library.

Procedure

1. Create keys with identical names on the system that issues signatures.
   Caution: Do not use the new keys for signatures, yet!
2. Export the public keys of the new keys.
3. Import the new keys into all receiving systems.
4. On the key issuing systems, create a backup of the old key pairs.
5. On the key issuing systems, switch to the new keys for signatures.
6. Test your business processes.
7. Remove the old keys from the issuing and receiving systems.

    1.2 Notes on the Replacement of the System PSE

When replacing the system PSE of SAP NetWeaver AS for ABAP, be aware that many applications use the system PSE by default. When the system is configured this way, the PSE is used for radically different purposes with different requirements. For example, some documents digitally signed by the system PSE have very short lifetimes, while other documents must continue to be validated over years. When you replace the system PSE, review the procedures for all the relevant scenarios listed in this document. Be sure the steps you follow apply to all the scenarios that apply to you. Consider using separate PSEs for different scenarios.

Note: If you use signatures that must be validated over a long period of time, such as for FDA compliance, archive the relevant PSEs and create an image of the relevant systems, including the documents. The archived key pairs and system data serve as preservation of evidence that the documents had been signed by those key pairs at that point in time.

SAP Solution Manager also provides tools to help you keep track of PSE certificates. For more information, see section 1.3 below.

    1.3 Generating a Worklist from SAP Solution Manager

SAP Solution Manager offers the capability to view which PSEs are used in which SAP NetWeaver AS systems in your landscape. When you have determined which PSEs need to be replaced, use the following instructions to find the other SAP systems that rely on the PSE certificates.

Prerequisites

- Potential systems must be connected to SAP Solution Manager 7.10 SPS 10 or higher and report PSE (X.509 key) information to SAP Solution Manager.
- You have prepared system comparison lists in SAP Solution Manager: one for SAP NetWeaver AS for ABAP systems in your landscape and one for SAP NetWeaver AS for Java systems in your landscape. SAP HANA systems and other SAP or third-party systems are currently not supported. These systems also have the potential to be issuing or receiving systems. For more information, see the product documentation for your system.
- You have the required authorizations. For more information about using SAP Solution Manager, see the documentation for SAP Solution Manager at https://help.sap.com/solutionmanager. For more information about using Configuration Validation in SAP Solution Manager, see Configuration Validation in the documentation for SAP Solution Manager. For more information about using the Configuration and Change Database (CCDB) in SAP Solution Manager, see Configuration and Change Database (CCDB) in the documentation for SAP Solution Manager.

Note: Even if you can use this procedure, review your system landscape to identify other systems not covered by SAP Solution Manager.

1.3.1 Generating a Worklist for SAP NetWeaver AS for ABAP

SAP Solution Manager collects data on PSEs stored in SAP NetWeaver AS systems. You can generate a list of these PSEs.

Procedure

1. In SAP Solution Manager, start SAP Solution Manager: Work Centers (transaction SM_WORKCENTER).
2. Choose the Root Cause Analysis tab.
3. Choose Configuration Validation.
4. On the Report Execution tab, choose Reporting Templates.
5. Under the Choose Reference System section, on the Select Reference System tab, choose the 0ALERT system.
6. On the Operator validation tab, choose the 0CONFIG_STORE_TABLE_VIEWER configuration operators report.
7. Choose the Start operator validation reporting pushbutton.
8. In the Configuration Validation Viewer, enter the required data:
   In the Config Store field, enter PSE_CERT.
   In the Comparison List field, select the list you prepared for SAP NetWeaver AS for ABAP systems.
9. Choose the Validate pushbutton.

You now have a list of PSE certificates.

    1.3.2 Exporting the Validation Table of ABAP Systems

    To prepare the list for export to Excel, do the following.

    Procedure

1. From the context menu of the resulting table in the Configuration Validation Viewer, choose User Settings > More.
2. Choose the following columns for display:
   - SID
   - TYPE
   - APPLICATION
   - CONTEXT
   - SUBJECT
   - ISSUER
   - SERIALNO
3. Choose OK.
4. Choose (Export to Spreadsheet).
5. Save the Excel file to the file system.

    1.3.3 Generating a Worklist for SAP NetWeaver AS for Java

SAP Solution Manager collects data on PSEs stored in SAP NetWeaver AS systems. You can generate a list of these PSEs.

    Procedure

1. In your SAP Solution Manager system, start SAP Solution Manager: Work Centers (transaction SM_WORKCENTER).
2. Choose the Root Cause Analysis tab.
3. Choose Configuration Validation.
4. On the Report Execution tab, choose Reporting Templates.
5. Under the Choose Reference System section, on the Select Reference System tab, choose the 0ALERT system.
6. On the Operator validation tab, choose the 0CONFIG_STORE_TABLE_VIEWER configuration operators report.
7. Choose the Start operator validation reporting pushbutton.
8. In the Configuration Validation Viewer, enter the required data:
   In the Config Store field, enter J2EE_PSE_CERT.
   In the Comparison List field, select the list you prepared for SAP NetWeaver AS for Java systems.
9. Choose the Validate pushbutton.

You now have a list of PSE certificates stored in SAP NetWeaver AS for Java.

    1.3.4 Exporting the Validation Table of Java Systems

    To prepare the list for export to Excel, do the following.

    Procedure

1. From the context menu of the resulting table in the Configuration Validation Viewer, choose User Settings > More.
2. Choose the following columns for display:
   - SID
   - TYPE
   - ALIAS
   - VIEW
   - SUBJECT
   - ISSUER
   - SERIALNO
3. Choose OK.
4. Choose (Export to Spreadsheet).
5. Save the Excel file to the file system.

    1.3.5 Sorting the ABAP Data

Now that you have the Excel files, you can create a worklist. As stated above, this procedure assumes we want to find all PSEs that issue or validate DSA signatures.

    Procedure

1. In the Excel of ABAP PSEs, use the CONTEXT and APPLICATION columns to include only entries with the values shown in the table below.

   Context  Application  Usage
   PROG                  System PSE. The System PSE can have multiple usages.
   SMIM     *            Secure/Multipurpose Internet Mail Extensions (S/MIME) applications.
   SSFA     *            Secure store and forward (SSF) applications.

   The following figures show examples of how the sorting of the context and applications appears in Microsoft Excel. In the left figure, we exclude the SSLC, SSLS, and WSSE contexts because these PSEs use the RSA algorithm. For this example, we are only targeting DSA signatures. The same is true for the application SNCS shown in the figure to the right.

2. Sort the PSEs by SUBJECT, ISSUER, and SERIALNO. For example, in Microsoft Excel on the Data tab, choose Sort and sort by SUBJECT, then ISSUER, and then SERIALNO, as shown in the figure that follows.

3. Filter the resulting list on the TYPE column for OWN-CERTIFICATE.

   These systems, as identified by the SID, are issuing systems. Shown in the Excel are the certificates for each server instance. All certificate instances with the same subject, issuer, and serial number are the same PSE. It is likely that you will have multiple entries per certificate.

   In this example we want to replace PSEs created with the DSA algorithm. Some of these certificates may not be relevant. Check the algorithm used to generate the OWN-CERTIFICATEs:

   1. In the ABAP system identified by the SID, start the trust manager (transaction STRUST).
   2. Double-click the PSE for the certificate and then, under Own Certificate, double-click the Owner (or Subject, depending on your software release). The PSEs start with System PSE, SMIME, or SSF. Under Certificate, make sure the subject, issuer, and serial number match the OWN-CERTIFICATE in the Excel.
   3. Under Certificate, check the algorithm. If anything other than DSA appears under the algorithm, remove the entry from your Excel list. We only want certificates with DSA algorithms in the list for our example.

You should now have a complete worklist of systems with OWN-CERTIFICATEs to replace. This document refers to this list as the List of ABAP OWN-CERTIFICATEs.

    1.3.6 Replacing PSEs and Exchanging Certificates

After assembling a worklist of PSEs to replace, create a new key pair for each PSE. Export the public key of the key pair and import the public key into the receiving systems. Importing the public key enables the receiving system to trust and validate signatures from the issuing system.

Procedure

1. For all the systems in the List of ABAP OWN-CERTIFICATEs, prepare replacement PSEs. For more information about preparing replacement PSEs with the REPLACE_DSA_PSE report, see section 2.1 below.

2. Remove the filter on the TYPE column of the List of ABAP OWN-CERTIFICATEs Excel. For each OWN-CERTIFICATE, note any systems with TYPE CERTIFICATE and matching SUBJECT, ISSUER, and SERIALNO. These are the receiving systems as identified by the SID.

   You should now have a complete work list of SAP NetWeaver AS for ABAP systems with CERTIFICATEs that match a system with an OWN-CERTIFICATE with identical SUBJECT, ISSUER, and SERIALNO. This document refers to this list as the List of ABAP receiving systems.

3. For SAP NetWeaver AS for ABAP systems with CERTIFICATEs matching an OWN-CERTIFICATE, import the new public-key certificate from the issuing system. For more information about importing the public key with the REPLACE_DSA_CERTIFICATES report, see section 2.2 below.

4. In the Excel of Java PSEs, sort the PSEs by SUBJECT, ISSUER, and SERIALNO. For each OWN-CERTIFICATE in the Excel of ABAP PSEs, note any systems with a CERTIFICATE matching SUBJECT, ISSUER, and SERIALNO. These Java systems have imported the public key of the ABAP PSE. Therefore, these systems are also receiving systems as identified by the SID.

   You should now have a complete work list of SAP NetWeaver AS for Java systems with CERTIFICATEs that match an SAP NetWeaver AS for ABAP system with an OWN-CERTIFICATE with identical SUBJECT, ISSUER, and SERIALNO. This document refers to this list as the List of Java receiving systems.

5. For these systems, import the new public-key certificate from the issuing system as indicated in step 2 of section 2.2 below.
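The worklist construction of sections 1.3.5 and 1.3.6, as an added example that is not part of the SAP document: a Python script that reads the two Configuration Validation exports (saved as CSV instead of Excel; the rows below are constructed samples, not data from any real landscape) and derives the List of ABAP OWN-CERTIFICATEs, the List of ABAP receiving systems and the List of Java receiving systems. The column names are the ones chosen for display in sections 1.3.2 and 1.3.4; the algorithm check in STRUST (section 1.3.5, step 3) is not in the export and still has to be done by hand.

```python
"""Derive the key-replacement work lists of sections 1.3.5 and 1.3.6 from the
PSE_CERT (ABAP) and J2EE_PSE_CERT (Java) exports, read here as CSV text."""
import csv
import io

# Contexts that can hold DSA PSEs (table in section 1.3.5, step 1). SSLC, SSLS and
# WSSE are left out because those PSEs use RSA, and so is the SNCS application.
DSA_CANDIDATE_CONTEXTS = {"PROG", "SMIM", "SSFA"}
EXCLUDED_APPLICATIONS = {"SNCS"}

# Constructed sample of the ABAP export with the columns chosen in section 1.3.2.
# PRD appears twice for its System PSE (one row per server instance).
ABAP_EXPORT = """\
SID,TYPE,APPLICATION,CONTEXT,SUBJECT,ISSUER,SERIALNO
PRD,OWN-CERTIFICATE,,PROG,CN=PRD,CN=PRD,01
PRD,OWN-CERTIFICATE,,PROG,CN=PRD,CN=PRD,01
PRD,OWN-CERTIFICATE,,SSLS,CN=prd.example.test,CN=ExampleCA,1A
PRD,OWN-CERTIFICATE,SNCS,SSFA,CN=PRD-SNC,CN=PRD-SNC,07
ERP,OWN-CERTIFICATE,ZSSF,SSFA,CN=ERP-SSF,CN=ERP-SSF,03
CRM,CERTIFICATE,,PROG,CN=PRD,CN=PRD,01
BWP,CERTIFICATE,,PROG,CN=PRD,CN=PRD,01
BWP,CERTIFICATE,,SSLS,CN=prd.example.test,CN=ExampleCA,1A
CRM,CERTIFICATE,,PROG,CN=ERP-SSF,CN=ERP-SSF,03
"""

# Constructed sample of the Java export with the columns chosen in section 1.3.4.
JAVA_EXPORT = """\
SID,TYPE,ALIAS,VIEW,SUBJECT,ISSUER,SERIALNO
EPP,CERTIFICATE,prd-ticket,TicketKeystore,CN=PRD,CN=PRD,01
EPP,OWN-CERTIFICATE,SAPLogonTicketKeypair,TicketKeystore,CN=EPP,CN=EPP,05
"""


def load_export(csv_text):
    """Read one export into a list of {column: value} rows, values stripped."""
    return [{k: (v or "").strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(csv_text))]


def cert_key(row):
    """Identity of a certificate: equal SUBJECT, ISSUER and SERIALNO means the same
    PSE (one PSE shows up once per server instance, so duplicates are expected)."""
    return (row["SUBJECT"], row["ISSUER"], row["SERIALNO"])


def dsa_candidates(abap_rows):
    """Section 1.3.5, step 1: keep only rows whose CONTEXT/APPLICATION can hold a DSA PSE."""
    return [r for r in abap_rows
            if r["CONTEXT"] in DSA_CANDIDATE_CONTEXTS
            and r["APPLICATION"] not in EXCLUDED_APPLICATIONS]


def build_worklists(abap_csv, java_csv):
    """Return {(subject, issuer, serialno): {"issuing": [...], "abap_receiving": [...],
    "java_receiving": [...]}} with the SIDs of each list sorted."""
    # Section 1.3.5, steps 2 and 3: sort by SUBJECT, ISSUER, SERIALNO and take the
    # OWN-CERTIFICATE rows; their SIDs are the issuing systems.
    abap = sorted(dsa_candidates(load_export(abap_csv)), key=cert_key)
    worklists = {}
    for row in abap:
        if row["TYPE"] == "OWN-CERTIFICATE":
            entry = worklists.setdefault(cert_key(row), {
                "issuing": set(), "abap_receiving": set(), "java_receiving": set()})
            entry["issuing"].add(row["SID"])
    # The export does not carry the key algorithm: every issuing PSE found here still has
    # to be checked in STRUST (section 1.3.5, step 3) and dropped if it is not DSA.

    # Section 1.3.6, step 2: ABAP rows of TYPE CERTIFICATE with an identical triple are
    # the receiving systems that imported the issuing system's public key.
    for row in abap:
        if row["TYPE"] == "CERTIFICATE" and cert_key(row) in worklists:
            worklists[cert_key(row)]["abap_receiving"].add(row["SID"])
    # Section 1.3.6, step 4: the same matching against the Java export.
    for row in load_export(java_csv):
        if row["TYPE"] == "CERTIFICATE" and cert_key(row) in worklists:
            worklists[cert_key(row)]["java_receiving"].add(row["SID"])
    return {key: {name: sorted(sids) for name, sids in lists.items()}
            for key, lists in worklists.items()}


if __name__ == "__main__":
    for (subject, issuer, serial), lists in build_worklists(ABAP_EXPORT, JAVA_EXPORT).items():
        print(f"{subject} / {issuer} / {serial}")
        print("  List of ABAP OWN-CERTIFICATEs:  ", ", ".join(lists["issuing"]))
        print("  List of ABAP receiving systems: ", ", ".join(lists["abap_receiving"]))
        print("  List of Java receiving systems: ", ", ".join(lists["java_receiving"]))
```

With the sample rows, the SSLS certificate of PRD and the SNCS PSE never reach a work list, while the PRD System PSE yields CRM and BWP as ABAP receivers and EPP as the Java receiver.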

For your convenience, here again is an overview of the complete process for replacing key pairs for cryptographic functions from the introduction of this document. Included are the names of the work lists you need for the different steps of the overview procedure.

1. Create keys with identical names on the system that issues signatures.
   Caution: Do not use the new keys for signatures, yet!
   Work list: List of ABAP OWN-CERTIFICATEs
2. Export the public keys of the new keys.
   Work list: List of ABAP OWN-CERTIFICATEs
3. Import the new keys into all receiving systems.
   Work lists: List of ABAP receiving systems; List of Java receiving systems
4. On the key issuing systems, create a backup of the old PSEs.
   Work list: List of ABAP systems with OWN-CERTIFICATEs
5. On the key issuing systems, switch to the new keys for signatures.
   Work list: List of ABAP systems with OWN-CERTIFICATEs
6. Test your business processes.
7. Remove the old keys from the issuing and receiving systems.
   Work lists: List of ABAP systems with OWN-CERTIFICATEs; List of ABAP receiving systems; List of Java receiving systems

Note: The public-key certificates of the old PSEs may have been imported into other systems such as SAP HANA or third-party systems. Import the new public-key certificate into these systems as well. For more information, see the product documentation for your system.

2 Tool-Supported PSE Replacement

For SAP NetWeaver AS for ABAP, we provide tools to support PSE replacement. To use tool-supported PSE replacement, implement SAP Note 2068693. The replacement process uses two reports for SAP NetWeaver AS for ABAP: one report on the issuing system and one on the receiving system. SAP Solution Manager provides support for generating work lists of the systems that need PSE replacement. For more information, see section 1.3 above.

An overview of the process is as follows:

1. Create replacement PSEs on issuing SAP NetWeaver AS for ABAP systems and export the corresponding public keys.
2. Import the public keys to receiving systems.
3. Activate the replacement PSEs and test the business process.
4. Delete the old PSEs and corresponding public-key certificates.

Be sure to archive the old PSEs before removing them from the system.

2.1 Creating Replacement PSEs on SAP NetWeaver AS for ABAP

Report REPLACE_DSA_PSE enables you to generate inactive replacement PSEs. Before you activate the PSE, export the public-key certificate of the new PSE and import the certificate into the systems that trusted the old PSE.

Prerequisites

- You have installed the current SAP Cryptographic Library. If you do not have a current version of the SAP Cryptographic Library, REPLACE_DSA_PSE shows the following icon under Action 1: (You need a new SAPCRYPTOLIB / CommonCryptoLib). For more information about the SAP Cryptographic Library, see SAP Note 1848999.
- You have implemented the correction instructions in SAP Note 2068693.
- You have authorizations to use Trust Manager (transaction STRUST).
- You have created a backup of the old PSE in case you run into problems during testing. Archive the old PSE in case you ever need to restore the old environment in the future.

Caution: If you do not have a backup of the old PSE and delete it, there is no way to recover or validate information protected by the cryptographic function.

Note: If you use signatures that must be validated over a long period of time, such as for FDA compliance, create an image of the relevant systems. The archived PSEs and system data serve to preserve the evidence that the documents had been signed by those PSEs at that point in time.

Procedure

1. On the issuing system, start report REPLACE_DSA_PSE in ABAP: Program Execution (transaction SA38). The report displays the PSEs with keys that need replacing, marked with the following status icons:
   - Is not a self-signed certificate. You should consider replacing this PSE, but it requires additional effort. You must have your certificate signed by a certification authority (CA).
   - The old PSE is still active and in use. Replace the PSE with a new PSE.
   - One of two states: either this PSE has been replaced or does not need replacement, and you have completed the process; or you have replaced the PSE but have not deleted the old PSE yet. In the second case, finish your testing and be sure you have archived the old PSE. The old PSE is still in the database; for housekeeping purposes you can delete it.
   - There are minor inconsistencies in the system. You must enter the PIN before the report can determine the status of the PSE.
2. For each PSE, choose (Generate new keypair). This generates a new key pair for the PSE.
3. Choose (Download new certificate) to save the new public key to the file system. Import the public-key certificate to the receiving system. For more information, see the documentation of the receiving system. To assist you with importing new public-key certificates on SAP NetWeaver AS for ABAP, SAP Note 2068693 includes REPLACE_DSA_CERTIFICATES, which enables you to import these certificates.

2.2 Importing Public Keys on SAP NetWeaver AS for ABAP

Report REPLACE_DSA_CERTIFICATES enables you to import public keys for existing trust relationships. Importing the public keys is an important prerequisite before switching to the new PSE and testing the business process.

Prerequisites

- You have downloaded the public key from the issuing system.
- You have authorizations to use Trust Manager (transaction STRUST).
- You have implemented SAP Note 2068693.

Procedure

1. On the receiving system, start report REPLACE_DSA_CERTIFICATES in ABAP: Program Execution (transaction SA38). The report displays the PSEs with public keys in their certificate lists that need replacing, marked with the following status icons:
   - Nothing has been done yet. You should import the relevant public-key certificate.
   - Old and new public-key certificates are in the certificate list. Finish testing the business process, archive the old public key, and then delete the old public key.
   - The PSE has the new public-key certificate in its certificate list. You have completed the process.
   - There are minor inconsistencies in the system. You must enter the PIN before the report can determine the status of the PSE.
2. For each PSE, choose (Import new certificate).

    2.3 Testing the Business Processes

    Activate the replacement PSE and test whether your business processes still work.

Prerequisites

- You have generated replacement PSEs.
- You have imported the public-key certificates of the replacement PSEs into the receiving systems.

Procedure

1. On the issuing system, start report REPLACE_DSA_PSE in ABAP: Program Execution (transaction SA38).
2. Choose (Switch from old to new PSE) to use the new certificates.
3. Thoroughly test the affected business processes. If you encounter a problem during your testing, choose (Switch from new to old PSE) to go back to the previous configuration.

    2.4 Deleting the Old PSEs and Public Keys

Once you are convinced that your business processes are correctly configured, you can remove the old PSEs from the issuing system and the old public-key certificates from the receiving system.

Note: Depending on the scenarios that use the PSE, you may need to consider how to validate signatures made by the old PSE that are still in the system. Once the old public key has been deleted, the system can no longer validate signatures made by the old PSE. Consider the national laws that mandate audits of documents signed by your business processes. If you use signatures that must be validated over a long period of time, such as for FDA compliance, archive the PSE and create an image of the relevant systems. The archived PSEs and system data serve to preserve the evidence that the documents had been signed by those PSEs at that point in time. For the reasons mentioned above, the report REPLACE_DSA_PSE requires you to save a copy of the old PSE before you delete it.

Prerequisites

Be sure you have archived the old PSE. With the old PSE you can export the public key and recover older signatures.

Procedure

1. On the issuing system, start report REPLACE_DSA_PSE in ABAP: Program Execution (transaction SA38).
2. Choose (Finally: delete old PSE). The report requires you to save a copy of the old PSE before deleting it.
3. On the receiving system, delete the old public-key certificate. Depending on what scenarios you have running in your system landscape, you may have to delete the public keys on a variety of different systems. The scenario descriptions in the sections that follow provide additional information. To assist you with deleting old public-key certificates on SAP NetWeaver AS for ABAP, SAP Note 2068693 includes report REPLACE_DSA_CERTIFICATES, which enables you to delete these certificates:
   1. On the receiving system, start report REPLACE_DSA_CERTIFICATES in ABAP: Program Execution (transaction SA38). The report displays the PSEs with public keys in their certificate lists that need replacing.
   2. Choose .

3 Scenario Specific Instructions and Manual Procedures

This section provides information about various scenarios in SAP landscapes. Each scenario provides recommendations for replacing PSEs as well as manual procedures for the replacement process. Manual replacement can be a laborious process. We recommend using the tool-supported process for SAP NetWeaver AS for ABAP, where possible. For more information, see 2 Tool-Supported PSE Replacement.

The following are scenarios that use DSA signatures:

- Logon tickets and authentication assertion tickets
- Secure URLs for Content Server
- SAP Passports
- E-Learning
- System Signatures for SSF Signatures
- Custom Development Using SSF Functions
- ITS Applet Handling

3.1 Scenario Logon Tickets and Authentication Assertion Tickets

SAP servers sign and issue logon tickets to users that log on. The user's client then presents these tickets to other systems, which accept the signature on the logon ticket as long as trust has been established. To establish trust, an administrator must have installed the public key of the ticket-issuing system in the ticket-receiving system. Authentication assertion tickets are used for server-to-server connections. With authentication assertion tickets, another system is the client instead of a user. Otherwise the principles remain the same.

SAP HANA does not issue logon tickets, but it can issue authentication assertion tickets. SAP HANA has the capability to issue assertion tickets from SAP HANA 1.0 SP7 and higher. SAP NetWeaver AS for ABAP issues both types of tickets.

For SAP NetWeaver AS for ABAP, we provide a number of tools to make switching keys easier. For more information, see section 2 above. Otherwise you must repeat this procedure for every client in your SAP NetWeaver AS for ABAP.

    3.1.1 Creating New Keys with Identical Names

    Create new key pairs to replace the old key pairs.

  • Instructions for Key ReplacementScenario Specific Instructions and Manual Procedures

    PUBLICPUBLIC 2014 SAP AG or an SAP affiliate company. All rights reserved. 19

    3.1.1.1 Creating Duplicate PSE on SAP NetWeaver AS for ABAP

    Procedure

    1. Start Trust Manager (transaction STRUST).
    2. Switch to Edit mode.
    3. Double-click the System PSE. This is the default PSE used to sign logon tickets.
    4. Create a backup of the System PSE.
       Choose PSE > Export.
    5. In the Own Certificate section, double-click the subject.
    6. Copy the subject of the certificate to a temporary file.
    7. From the context menu of the File PSE, choose Create.
    8. Choose (Revise DN).
    9. Enter the subject of the old certificate in the DN field. Keep the algorithm and key length.
    10. Save your entries.
    11. Double-click the System PSE.
    12. For every certificate in the certificate list of the PSE, double-click the certificate subject in the list and choose (Export Certificate), saving each certificate to a separate .cer file.
    13. Double-click File PSE and open the file PSE you just saved in step 10 above.
    14. For every certificate you saved in step 12 above, choose (Import Certificate) and Add to Certificate List to add it to the file PSE you opened in step 13 above.
    15. Choose (Save) to save the file PSE.

    3.1.1.2 Creating Duplicate PSE on SAP HANA

    On SAP HANA the PSE is typically named saplogon.pse or saplogonSign.pse.

    Prerequisites

    Log on as the SID administrator (<sid>adm) user.

    Procedure

    1. Determine if your SAP HANA system has any DSA PSEs.
       1. View what PSEs are in your system by entering the following command:
          dir $SECUDIR


          This command lists the contents of the following directory:
          /usr/sap//HDB//sec

          Note
          In a cluster environment, check every cluster node.

       2. Change to the SAP HANA trust store directory:
          cd $SECUDIR
          This should be the following directory:
          /usr/sap//HDB//sec

          Note
          In a cluster environment, you must check every node in the cluster.

       3. For each PSE in this directory, view the PSE attributes by entering the following command:
          ./sapgenpse get_my_name -p <PSE file>
          The following is an example of the result:

          No SSO for USER "" with PSE file "$SECUDIR/saplogon.pse"
          Subject : CN=MYSAPSSO
          Issuer  : CN=MYSAPSSO
          Serialno: 20:14:07:17:13:13:01
          KeyInfo : DSA, 1024-bit
          Validity - NotBefore: Thu Jul 17 14:13:01 2014 (140717131301Z)
                     NotAfter:  Fri Jan  1 01:00:01 2038 (380101000001Z)

          If KeyInfo reveals a key of type DSA, make sure you have a current version of the SAP Cryptographic Library and replace the key pair.

    2. Create a new PSE, using the same data as the original PSE for assertion tickets.
       ./sapgenpse gen_pse -a DSA -s 1024 -p saplogonSign_new.pse CN=<...>,OU=<...>,O=<...>,C=<...>
    3. Export any certificates within the logon certificate trust store saplogonSign.pse.
       ./sapgenpse maintain_pk -l PEMlist -p saplogonSign.pse
       The output appears as one or more binary large objects (BLOBs).
    4. Import the certificates to the new PSE.
       ./sapgenpse maintain_pk -m -p saplogonSign_new.pse
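    The following script is an added example, not code from SAP or from SAP Note 2068693: it automates step 1 of this procedure by reading the KeyInfo line that sapgenpse get_my_name prints for every PSE in $SECUDIR and listing the DSA key pairs that have to be replaced. It assumes sapgenpse is on the PATH and that the PSEs carry no PIN; the two sample outputs embedded for the offline run are constructed (the first is the example output shown above).

```shell
#!/bin/sh
# Added example (not part of SAP Note 2068693): inventory the PSEs in $SECUDIR
# and flag those whose own key is DSA, based on the "KeyInfo :" line printed by
# "sapgenpse get_my_name -p <pse>" (same format as the sample output above).
# Assumptions: sapgenpse is on PATH; the PSEs have no PIN.

# classify_keyinfo: parse one get_my_name output ($1) and print
# "<algorithm> <bits> <NotAfter>"; exit status 0 when the key is DSA, 1 otherwise.
classify_keyinfo() {
    keyinfo=$(printf '%s\n' "$1" | sed -n 's/^KeyInfo *: *//p' | head -n 1)
    algo=${keyinfo%%,*}                 # e.g. "DSA"
    bits=${keyinfo#*, }                 # e.g. "1024-bit"
    bits=${bits%-bit}                   # e.g. "1024"
    # Take the UTC timestamp in parentheses after "NotAfter:" (e.g. 380101000001Z).
    notafter=$(printf '%s\n' "$1" | sed -n 's/.*NotAfter: *[^(]*(\([0-9]*Z\)).*/\1/p' | head -n 1)
    printf '%s %s %s\n' "$algo" "$bits" "$notafter"
    [ "$algo" = "DSA" ]
}

# scan_secudir: run get_my_name on every *.pse under the given directory
# (default $SECUDIR) and print one line per PSE; DSA keys are marked REPLACE.
# Exit status 0 when no DSA PSE was found. $SECUDIR is node-local, so in a
# cluster run this on every node.
scan_secudir() {
    dir=${1:-$SECUDIR}
    found=0
    for pse in "$dir"/*.pse; do
        [ -f "$pse" ] || continue
        out=$(sapgenpse get_my_name -p "$pse" 2>&1 || true)
        if info=$(classify_keyinfo "$out"); then
            printf 'REPLACE  %s  (%s)\n' "$pse" "$info"
            found=$((found + 1))
        else
            printf 'ok       %s  (%s)\n' "$pse" "$info"
        fi
    done
    [ "$found" -eq 0 ]
}

# Constructed sample outputs for an offline run (the first is this page's example).
SAMPLE_DSA='No SSO for USER "" with PSE file "$SECUDIR/saplogon.pse"
Subject : CN=MYSAPSSO
Issuer  : CN=MYSAPSSO
Serialno: 20:14:07:17:13:13:01
KeyInfo : DSA, 1024-bit
Validity - NotBefore: Thu Jul 17 14:13:01 2014 (140717131301Z)
           NotAfter:  Fri Jan  1 01:00:01 2038 (380101000001Z)'

SAMPLE_RSA='Subject : CN=MYSAPSSO
Issuer  : CN=MYSAPSSO
Serialno: 20:14:10:15:09:00:00
KeyInfo : RSA, 2048-bit
Validity - NotBefore: Wed Oct 15 10:00:00 2014 (141015090000Z)
           NotAfter:  Fri Jan  1 01:00:01 2038 (380101000001Z)'

# Demo: classify both samples, then scan the real trust store if $SECUDIR is set.
if classify_keyinfo "$SAMPLE_DSA"; then echo "sample 1: DSA key pair, replace it"; fi
if classify_keyinfo "$SAMPLE_RSA"; then :; else echo "sample 2: not DSA"; fi
if [ -n "${SECUDIR:-}" ]; then scan_secudir "$SECUDIR"; fi
```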

    3.1.2 Exporting the Public Keys to the Receiving Systems

    So that the receiving systems can verify the signatures of the new private keys, the receiving systems need a copy of the public keys.


    3.1.2.1 Exporting the Public Keys from SAP NetWeaver AS for ABAP

    This procedure requires you to log on to SAP NetWeaver AS for ABAP, save the public key to the file system, and import that file in a new system.

    Procedure

    1. Start Trust Manager (transaction STRUST).
    2. Double-click File PSE and open the new file PSE.
    3. Double-click the Subject under Own Certificate.
    4. In the Certificate section, choose (Export Certificate).
    5. Save the public key certificate to the file system or a network share.
    6. Copy the certificate to a network share or the file system of the receiving system.
    7. Import the public key certificate to the receiving system.

    For more information, see documentation of the receiving system.

    3.1.2.2 Exporting the Public Keys from SAP HANA

    Procedure

    1. Export the public-key certificate from the SAP HANA trust store, using the following command:
       ./sapgenpse export_own_cert -p saplogonSign.pse
    2. Save the public key certificate to the file system or a network share.
    3. Copy the certificate to a network share or the file system of the receiving system.
    4. Import the public key certificate to the receiving system.

    For more information, see documentation of the receiving system.

    3.1.3 Start Using the New Private Keys

    Once you have completed this step, you have completed the most critical part of this security note. Create a backup of the old private keys just in case you run into problems during testing. Archive the old private keys in case you ever need to restore the old environment in the future.


    3.1.3.1 Switching to the New Private Keys on SAP NetWeaver AS for ABAP

    Procedure

    1. Start Trust Manager (transaction STRUST).
    2. Switch to Edit mode.
    3. Double-click File PSE and open the new file PSE.
    4. Choose PSE > Save As and choose System PSE.

    3.1.3.2 Switching to the New Private Keys on SAP HANA

    Procedure

    1. Rename the old PSE.
       For example, rename the file from saplogonSign.pse to saplogonSign_old.pse. Archive the old PSE in case you ever need to restore the system or problems occur during testing.

       Note
       In a cluster environment, you must check every node in the cluster.

    2. Rename the new PSE.
       For example, rename the file from saplogonSign_new.pse to saplogonSign.pse.
       In a cluster environment, every node uses the same PSE. Copy the same PSE to every node in the cluster.

    3.1.4 Testing the New Key Pairs

    Procedure

    Thoroughly test the affected systems. Log on to the ticket-issuing system and then log on to all systems that accept this logon ticket. If you encounter a problem during testing, you can restore the old private key on the issuing system.

    3.1.5 Delete the Old Public Keys

    Once you remove the old public keys, receiving systems will no longer be able to validate signatures issued with the old private key.


    3.1.5.1 Deleting the Old Public Keys on SAP NetWeaver AS for ABAP

    To assist you with deleting old public-key certificates on SAP NetWeaver AS for ABAP, SAP Note 2068693 includes report REPLACE_DSA_CERTIFICATES, which enables you to delete these certificates. Use the following procedure to manually remove the public keys.

    Procedure

    1. Start Trust Manager (transaction STRUST).
    2. Switch to Edit mode.
    3. Double-click System PSE.
    4. Select the old public key from the certificate list.
    5. Choose (Delete selected certificates).

    3.1.5.2 Deleting Old Public Keys on SAP HANA

    1. Change to the SAP HANA trust store directory:
       cd $SECUDIR
       This should be the following directory:
       /usr/sap//HDB//sec

       Note
       In a cluster environment, you must check every node in the cluster.

    2. List the certificates in the certificate list of the PSE.
       ./sapgenpse maintain_pk -l -p saplogonSign.pse
    3. Note the certificate numbers of the public keys to delete.
    4. Delete the public keys in the certificate list.
       ./sapgenpse maintain_pk -d <certificate number> -p saplogonSign.pse

    3.2 Scenario Secure URLs for Content Server

    The content server of SAP NetWeaver AS for ABAP uses the system PSE by default. If you created a PSE just for the content server (HTTP Content Server), replace the certificate for the content server PSE.

    We recommend that you use tool-supported replacement of keys. For more information, see 2 Tool-Supported PSE Replacement.

    If you choose to replace the keys manually, use the following procedures in every client of the system.


    3.2.1 Creating New Keys with Identical Names

    Create new key pairs to replace the old key pairs.

    Procedure

    1. Start Trust Manager (transaction STRUST).
    2. Switch to Edit mode.
    3. Double-click the content server PSE.
       The default PSE used by the content server is the system PSE. If you created your own PSE for the content server, choose the HTTP Content Server PSE.
    4. Create a backup of the content server PSE.
       Choose PSE > Export.
    5. In the Own Certificate section, double-click the subject.
    6. Copy the subject of the certificate to a temporary file.
    7. From the context menu of the File PSE, choose Create.
    8. Choose (Revise DN).
    9. Enter the subject of the old certificate in the DN field. Keep the algorithm and key length.
    10. Save your entries.
    11. Double-click the content server PSE.
    12. For every certificate in the certificate list of the PSE, double-click the certificate subject in the list and choose (Export Certificate), saving each certificate to a separate .cer file.
    13. Double-click File PSE and open the file PSE you just saved in step 10 above.
    14. For every certificate you saved in step 12 above, choose (Import Certificate) and Add to Certificate List to add it to the file PSE you opened in step 13 above.
    15. Choose (Save) to save the file PSE.

    3.2.2 Exporting the Public Keys to the Receiving Systems

    So that the receiving systems can verify the signatures of the new private keys, the receiving systems need a copy of the public keys. This procedure requires you to log on to SAP NetWeaver AS for ABAP.

    Procedure

    1. Start Display Content Repositories: Overview (transaction OAC0).
    2. For each content repository, double-click the name of the repository.
    3. Choose (Send certificate).
    4. Activate the new certificate on the target content repository.


       o If the target system is SAP NetWeaver AS ABAP or supports the administration interface, choose the CSADMIN pushbutton and activate the new certificate.
         For more information, see Certificates.
       o If the target system does not support the administration interface, log on to the target system and activate the new certificate.
         For more information, see the documentation of the target content repository.

    3.2.3 Using the New Private Keys

    Once you have completed this step, you have completed the most critical part of this security note. Create a backup of the old private keys just in case you run into problems during testing. Archive the old private keys in case you ever need to restore the old environment in the future.

    Procedure

    1. Start Trust Manager (transaction STRUST).
    2. Switch to Edit mode.
    3. Double-click File PSE and open the new file PSE.
    4. Choose PSE > Save As... and choose the content server PSE.
       The default PSE used by the content server is the system PSE. If you created your own PSE for the content server, choose the HTTP Content Server PSE.

    3.2.4 Testing the New Key Pairs

    Procedure

    Thoroughly test the affected systems. If you encounter a problem during testing, you can restore the old private key on the issuing system. The following is an example of an error message that occurs in report RSCMST when trust has not been established between systems. Otherwise the message appears in the logs of SAP Content Server.

    HTTP/1.1 401 (Unauthorized)
    X-ErrorDescription: "Security SsfVerify failed rc=5, , PSE=C:\Program Files\SAP\Content Server\Security\REPOSITORY.pse,"

    3.2.5 Deleting the Old Public Keys

    Once you remove the old public keys, receiving systems will no longer be able to validate signatures issued with the old private key.


    To assist you with deleting old public-key certificates on SAP NetWeaver AS for ABAP, SAP Note 2068693 includes report REPLACE_DSA_CERTIFICATES, which enables you to delete these certificates. Use the following procedure to manually remove the public keys.

    Procedure

    1. Start Display Content Repositories: Overview (transaction OAC0).
    2. For each content repository, double-click the name of the repository.
    3. Delete the old certificate on the target content repository.
       o If the target system is SAP NetWeaver AS ABAP or supports the administration interface, choose the CSADMIN pushbutton and delete the old certificate.
         For more information, see Certificates.
       o If the target system does not support the administration interface, log on to the target system and delete the old certificate.
         For more information, see the documentation of the target content repository.


    4 Checking for Compliance

    You can use the information stored in SAP Solution Manager to determine if SAP NetWeaver Application Server for ABAP systems in your landscape are compliant with changes you made in your landscape. For this example, we assume that you want to ensure all PSEs were created with a current version of SAP Cryptographic Library in the year 2000 or later. To do this, you create a template from a source system, configure a target system based on the source system template, and then run the compliance check for a set of systems connected to SAP Solution Manager.

    4.1 Choosing a Template for Compliance Checks

    Create a source system template from which you can create a target system template for the compliance check. The source system template includes the PSE_CERT configuration store, which has information about PSEs of the monitored systems.

    Procedure

    1. In your SAP Solution Manager system, start SAP Solution Manager: Work Centers (transaction SM_WORKCENTER).
    2. Choose the Root Cause Analysis tab.
    3. Choose Configuration Validation.
    4. On the Target System Maintenance tab, choose Create.
    5. Under the Source System section, enter selection criteria to find a system to use as a template and choose Display Selection.
    6. Under Select Source Systems, select a system to use as a template.
    7. Under Select Config Stores, filter the results for PSE_CERT.
    8. Select a configuration store and choose Create from selected Stores.
    9. Enter a system ID under which you will store the source system template.
       You will use this template for the configuration check later in a following procedure.
    10. Save your entries.

    You have created a source system template for defining a target system template for compliance checks.


    4.2 Configuring the Target System Template for Compliance Checks

    Once you have a source system template, you can create a target system template. In the target system template you define configuration store values that lead to compliance and a counterexample that does not lead to compliance.

    Procedure

    1. In your SAP Solution Manager system, start SAP Solution Manager: Work Centers (transaction SM_WORKCENTER).
    2. Choose the Root Cause Analysis tab.
    3. Choose Configuration Validation.
    4. On the Target System Maintenance tab, choose Edit.
    5. Enter the name of the source system template you created in the previous procedure.
       For more information, see 4.1 above.
    6. Choose Display selection.
    7. Under Config Stores of Target System:, choose the Store Name PSE_CERT.
    8. Delete the content of the comparison store.
       Choose (Select all entries) and then (Delete selected).
    9. Choose (Add an empty entry to the Target System).
    10. Except for the SERIALNO field, set the operator to Contains and the value to *. Set operator and value of the SERIALNO field to Contains and 0A20* respectively.
        The result should appear as follows in the figure below.
    11. Choose Apply changes and choose (Save).
    12. Choose (Add an empty entry to the Target System).
    13. Except for the VALID_TO field, set the operator to Contains and the value to *. Set operator and value of the VALID_TO field to Contains and Non_Compliant respectively.
        The result should appear as follows in the figure below.


    14. Choose Apply changes and choose (Save).

    You have created a target system template to use as a reference system in the compliance check.

    4.3 Executing Compliance Checks

    SAP Solution Manager collects data on PSEs stored in SAP NetWeaver AS systems. You can generate a list of these PSEs and check their compliance against a target system template.

    Procedure

    1. In SAP Solution Manager, start SAP Solution Manager: Work Centers (transaction SM_WORKCENTER).
    2. Choose the Root Cause Analysis tab.
    3. Choose Configuration Validation.
    4. On the Report Execution tab, choose Reporting Templates.
    5. Under the Choose Reference System section, on the Select Reference System tab, choose the name of the target system template you created in the previous procedure.
       For more information, see 4.2 above.
    6. On the Operator validation tab, choose the 0CONFIG_STORE_TABLE_VIEWER configuration operators report.
    7. Choose the Start operator validation reporting pushbutton.
    8. In the Configuration Validation Viewer, enter the required data.
       o In the Config Store field, enter PSE_CERT.
       o In the Comparison List field, select the list you prepared for SAP NetWeaver AS for ABAP systems.
    9. Choose the Validate pushbutton.

    You now have a list of PSE certificates. The final column indicates whether the PSE is compliant or not. For those PSEs which are not compliant, go through the process to replace the PSE.

    www.sap.com/contactsap

    © 2014 SAP AG or an SAP affiliate company. All rights reserved.

    No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

    Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

    These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

    SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.