Create SAP Router Certificate 23-Jun-2015

Creating the certificate request

1. As user <snc_adm> set the environment variables SNC_LIB and SECUDIR:

   UNIX	SECUDIR = <directory_of_SAProuter> SNC_LIB = <path_to_libsecude>/<name_of_sapcrypto_library>
   Windows NT, 2000, XP or higher	SECUDIR = <directory_of_SAProuter> SNC_LIB = <drive>:\<path_to_libsecude>\ntia64\sapcrypto.dll or SNC_LIB = <drive>:\<path_to_libsecude>\ntintel\sapcrypto.dll or SNC_LIB = <drive>:\<path_to_libsecude>\nt-x86_64\sapcrypto.dll
   Note	After configuring the variables in Windows, you have to reboot this server before you continue.

2. Change to http://service.sap.com/saprouter-sncadd. From the list of SAProuters registered to your installation, choose the relevant "Distinguished Name".
3. Generate the certificate Request with the command:
   sapgenpse get_pse -v -r certreq -p local.pse "<Distinguished Name>"
   Example:
   sapgenpse get_pse -v -r certreq -p local.pse "CN=example, OU=0000123456, OU=SAProuter, O=SAP, C=DE"
   Alternatively use the two commands:
   sapgenpse get_pse -v -noreq -p local.pse "<Distinguished Name>"
sapgenpse get_pse -v -onlyreq -r certreq -p local.pse
   You will be asked twice for a PIN here. Please choose a PIN and document it, you have to enter it identically both times. Then you will have to enter the same PIN every time you want to use this PSE.
4. Display the output file "certreq" and with copy & paste (including the BEGIN and END statement) insert the certificate request into the text area of the same form on the SAP Service Marketplace from which you copied the Distinguished Name.
5. In response you will receive the certificate signed by the CA in the Service Marketplace. Copy & paste the text to a new local file named "srcert", which must be created in the same directory as the sapgenpse executable.
6. With this in turn you can install the certificate in your SAProuter by calling:
   sapgenpse import_own_cert -c srcert -p local.pse
7. Now you will have to create the credentials for the SAProuter with the same program (if you omit -O <user_for_SAProuter>, the credentials are created for the logged in user account).
   sapgenpse seclogin -p local.pse -O <user_for _SAProuter>
   Note: The account of the service user should always be entered in full <domainname>\<username>
8. This will create a file called "cred_v2" in the same directory as "local.pse"
   For increased security please check that the file can only be accessed by the user running the SAProuter.

   Do not allow any other access (not even from the same group)!
   On UNIX this will mean permissions being set to 600 or even 400!
   On Windows check that the permissions are granted only to the user the service is running as!
9. Check if the certificate has been imported successfully with the following command:
   sapgenpse get_my_name -v -n Issuer
   The name of the Issuer should be:
   CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
10. If this is not the case, delete the files "cred_v2"and "local.pse" and start over at item 3. If the output still does not match please open a customer message at component XX-SER-NET stating the actions you have taken so far and the output of the commands 3.,6.,7. and 9.

 

 

========================================

 

Please do the following:
- Follow the steps in SAP Note 2131531 - New Root Certification
Authority for saprouter certificates
- Download the latest SAP Crypto COMMONLIB 8 and SAProuter version as
720 as described under
https://support.sap.com/remote-support/help/installing-saprouter.html
-> Downloading necessary software components from SAP Support Portal
- On your SAProuter, delete your existing PSE file and old certificate
file (local.pse, cred_v2)
- Go to the
https://support.sap.com/remote-support/saprouter/saprouter-certificates.html
- Click on "Apply Now!"
- Follow the steps detailed in the documentation
https://support.sap.com/remote-support/help/installing-saprouter.html
-> Creating the certificate request

 

====================================================================================

 

 

c:\usr\sap\saprouter>sapgenpse get_pse -v -r certreq -p local.pse
Got absolute PSE path "C:\usr\sap\saprouter\local.pse".
Please enter PSE PIN/Passphrase: ****
Please reenter PSE PIN/Passphrase: ****

!!! WARNING: For security reasons it is recommended to use a PIN/passphrase
!!! WARNING: which is at least 8 characters long and contains characters in
!!! WARNING: upper and lower case, numbers and non-alphanumeric symbols.

get_pse: Distinguished name of PSE owner: CN=SAPROUTER, OU=000011111, OU=SAProu
ter, O=SAP, C=DE
 Supplied distinguished name: "CN=SAPROUTER, OU=000011111, OU=SAProuter, O=SAP,
 C=DE"
 Creating PSE with format v2 (default)
 succeeded.
 certificate creation... ok
 PSE update... ok
 PKRoot... ok
Generating certificate request... ok.

c:\usr\sap\saprouter>sapgenpse import_own_cert -c srcert -p local.pse
Please enter PSE PIN/Passphrase: ****
CA-Response successfully imported into PSE "C:\usr\sap\saprouter\local.pse"

c:\usr\sap\saprouter>
C:\usr\sap\saprouter>sapgenpse seclogin -p local.pse -O livenews
 running seclogin with USER="livenews"
 creating credentials for user "SAPROUTER\livenews" (yourself)...
Please enter PSE PIN/Passphrase: ****
 Adjusting credentials and PSE ACLs to include "SAPROUTER\livenews"...
 Oh, you supplied your own name explicitly ... ok.
   C:\usr\sap\saprouter\cred_v2  ... ok.
   C:\usr\sap\saprouter\local.pse  ... ok.
 Added SSO-credentials for PSE "C:\usr\sap\saprouter\local.pse"

C:\usr\sap\saprouter>sapgenpse get_my_name -v -n Issuer
 Opening PSE "C:\usr\sap\saprouter\local.pse"...
 PSE (v2) open ok.
 Retrieving my certificate... ok.
 Getting requested information... ok.
SSO for USER "livenews"
  with PSE file "C:\usr\sap\saprouter\local.pse"
Issuer     : CN=SAProuter CA, OU=SAProuter, O=SAP Trust Community II, C=DE