Exchanging Public-Key Certificates

Use

To be able to communicate using SNC, the SAP system application server must be able to identify the IRC server and vice versa. This identification process takes place using the information stored in the server’s PSE. Therefore, to make sure that the two servers can identify each other, you can either use a single PSE for both servers, or you can create individual ones.

If you use a single PSE for both servers, then both servers possess the same Distinguished Name and key pair and therefore share the same identity. You do not need to perform any additional steps. Note, however, that sharing a PSE also means sharing the private key: anyone who can read the PSE (and its PIN) on one server can impersonate the other, and the application server cannot distinguish the IRC server from itself. Individual PSEs are therefore the more secure choice.

However, if you use individual PSEs, you must exchange the servers’ public-key certificates so that they can identify each other. See the procedure below.

Prerequisites

  • The environment variable SECUDIR is set on both servers.
  • The application server also possesses a PSE to use for SNC.

Procedure

  1. Export the IRC server’s public-key certificate using the configuration tool’s command export_own_cert.

    sapgenpse export_own_cert -o <output file> -p <PSE_Name> -x <PIN>

    Ex: sapgenpse export_own_cert -o IACM.crt -p IACMSRVR.pse -x iacmpin

  2. Import the IRC server's public-key certificate into the application server's SNC PSE.

    Use the configuration tool's command maintain_pk.

    sapgenpse maintain_pk -a <cert_file> -p <PSE_Name> -x <PIN>

    Ex: sapgenpse maintain_pk -a IACM.crt -p SAPSNC.pse -x sappin

    Alternatively, use the trust manager (transaction STRUST) on the application server: select the SNC PSE, choose Certificate -> Import, select the IRC server's public-key certificate file, and then choose Add to Certificate List and save.

    Once the certificate has been imported, add the IRC server to the SNC access control list (ACL) under its SNC name, that is, p: followed by the Distinguished Name in its certificate.

  3. Export the SAP application server’s public-key certificate.

    Use the trust manager (STRUST): select the SNC PSE, double-click its own certificate so that it appears in the Certificate section, and choose Export Certificate.

    Otherwise, use the configuration tool's command export_own_cert.

    sapgenpse export_own_cert -o <output file> -p <PSE_Name> -x <PIN>

    Ex: sapgenpse export_own_cert -o SAPSNC.crt -p SAPSNC.pse -x sappin

  4. Import the application server's public-key certificate into the IRC server's SNC PSE using the configuration tool's command maintain_pk.

    sapgenpse maintain_pk -a SAPSNC.crt -p IACMSRVR.pse -x iacmpin

Result

The two servers can identify each other using SNC.
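The four steps above, scripted end to end with a prerequisite check and a verification listing, as an added example that is not part of the original page. It assumes sapgenpse is on the PATH and that both PSEs are reachable through the SECUDIR of the host it runs on; in a real setup you run steps 1 and 4 on the IRC host and steps 2 and 3 on the application server, copying the .crt files between them. The PSE names and PINs are the placeholders from the examples above, and the DN fragments IRC_DN and SAP_DN are assumptions to be replaced with the real Distinguished Names.

```shell
#!/bin/sh
# Mutual SNC certificate exchange with sapgenpse, plus a verification step.
# Added example, not from the original page. Names, PINs and DNs below are
# placeholders; override them through the environment before running.

IRC_PSE="${IRC_PSE:-IACMSRVR.pse}"   # IRC server's PSE (name from the page)
IRC_PIN="${IRC_PIN:-iacmpin}"        # placeholder PIN from the page
IRC_DN="${IRC_DN:-CN=IACM}"          # fragment of the IRC server's DN (assumed)
SAP_PSE="${SAP_PSE:-SAPSNC.pse}"     # application server's SNC PSE (from the page)
SAP_PIN="${SAP_PIN:-sappin}"         # placeholder PIN from the page
SAP_DN="${SAP_DN:-CN=SAPSNC}"        # fragment of the application server's DN (assumed)

# Prerequisite check: SECUDIR must be set, exist, and contain the named PSE.
check_pse() {  # check_pse <pse-file-name>
  [ -n "${SECUDIR:-}" ] || { echo "SECUDIR is not set" >&2; return 1; }
  [ -d "$SECUDIR" ] || { echo "SECUDIR=$SECUDIR is not a directory" >&2; return 1; }
  [ -f "$SECUDIR/$1" ] || { echo "PSE $1 not found in $SECUDIR" >&2; return 1; }
}

# Steps 1 and 3: export a PSE's own certificate and make sure a file came out.
export_own() {  # export_own <pse> <pin> <outfile>
  check_pse "$1" || return 1
  sapgenpse export_own_cert -o "$3" -p "$1" -x "$2" || return 1
  [ -s "$3" ] || { echo "export from $1 wrote no certificate to $3" >&2; return 1; }
}

# Steps 2 and 4: add a partner certificate to a PSE's certificate list.
# Refuses to call sapgenpse at all when the certificate file is missing or empty.
import_partner() {  # import_partner <pse> <pin> <certfile>
  check_pse "$1" || return 1
  [ -s "$3" ] || { echo "certificate file $3 is missing or empty" >&2; return 1; }
  sapgenpse maintain_pk -a "$3" -p "$1" -x "$2"
}

# Verification: list the PSE's certificate list and look for the partner's DN.
list_has_dn() {  # list_has_dn <pse> <pin> <dn-fragment>
  sapgenpse maintain_pk -l -p "$1" -x "$2" | grep -q -- "$3"
}

# The whole procedure in page order, stopping at the first failure.
exchange_certs() {
  export_own "$IRC_PSE" "$IRC_PIN" IACM.crt &&
  import_partner "$SAP_PSE" "$SAP_PIN" IACM.crt &&
  export_own "$SAP_PSE" "$SAP_PIN" SAPSNC.crt &&
  import_partner "$IRC_PSE" "$IRC_PIN" SAPSNC.crt &&
  list_has_dn "$SAP_PSE" "$SAP_PIN" "$IRC_DN" &&
  list_has_dn "$IRC_PSE" "$IRC_PIN" "$SAP_DN" &&
  echo "certificate exchange complete"
}

# Only run the exchange when explicitly asked:  sh exchange.sh run
if [ "${1:-}" = "run" ]; then
  exchange_certs
fi
```

The final two list_has_dn calls are the check the page leaves implicit: after step 4 each PSE's certificate list must contain the other server's certificate, otherwise SNC identification will fail at the first connection. Passing the PIN with -x, as the page's examples do, also leaves it visible in the process list and in shell history; in an interactive session omit -x and let sapgenpse prompt for it instead.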