Skip to Content
author's profile photo Former Member
Former Member

Backup a certificate including private key in SAP R3

Dear SDN'ers,

We recently had a problem in our SAP R3 environment (after a database restore) which had the effect that we lost our instance PSE. The instance PSE still existed. We therefore had to recreate the instant PSE and also request a re-issue of the Verisign certificate.

Has anyone encountered a similar problem after a restore? How can I backup and restore the certificate including the private key. This way we wouldn't require any reissue of certifcates.

Do I need to make use of the SAPGENPSE tool? I had a look at note 578377. Is there another note?

Hope to hear your reactions soon.



Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

2 Answers

  • Posted on Jan 22, 2007 at 08:44 AM

    That cannot be - <b>an ABAP system stores the PSE</b> (Personal Security Environment, a kind of keystore containing the certificate and the corresponding private key) <b>in the database</b> (tables SSF_PSE_D and SSF_PSE_H). At system startup a copy of the database content is written to the file system and used for operation.

    Therefore, when performing a database recovery / restore the PSEs will be restored as well. Maybe you have to run transaction STRUST and perform the operation "distribute" if you have performed an online database recovery / restore (to notify the work processes to replace the PSE files, if required).

    Regards, Wolfgang

    Add a comment
    10|10000 characters needed characters exceeded

    • I can only provide you a rough skeleton (not a reliable step-by-step instruction that can be followed blindly).

      <u>Create a file backup of a PSE:</u>

      1. choose PSE from the list (by double-click)

      2. choose menu item "PSE" -> "Export": a file selector occurs (rest: self-explaining)

      <u>Restoring a PSE file</u> is only slightly less intuitive:

      1. choose menu item "PSE" -> "Import": a file selector occurs

      2. if import was successful, content of the PSE will be displayed (on the right side)

      3. choose menu item "PSE" -> "Save As" : choose PSE you want to replace (be careful to choose the right one!) and confirm

      Regards, Wolfgang

  • Posted on Jan 22, 2007 at 08:57 AM

    2nd remark: since you are talking of a "VeriSign certificate" you are most likely referring to a "SSL server certificate". That certificate is usually stored in the "SSL Server" PSE. Since the ICM process is caching that PSE file you need to restart the ICM (e.g. by using ABAP transaction SMICM) on <u>each</u> application server instance <u>after</u> any changes to the PSE (using ABAP transaction STRUST) in order to make them effective immediately.

    Regards, Wolfgang

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.