Use

In this Customizing activity, you store the PSE file that the system uses in the digital signature process in the required location.

You use the command line tool SAPGENPSE to generate a PSE file, which stores the keys securely.

Note: You cannot sign invoices digitally until you have performed all the steps in this Customizing activity and in the subsequent activities in this section.

Requirements

You have received the public key certificate and private key from the authorities as files that are password protected.

If the files that you receive from the authorities are not in the required Public Key Cryptography Standards format, PKCS#12, you must first convert the files into a single file in that format.

You have concatenated your legal private key, private certificate, and the relevant legal root certificate (issuer) to the productive PSE file. For more information, see SAP Note 1300880.

Standard settings

Activities

1. To convert the PKCS#12 file into a PSE file (which must follow a special naming convention - see Naming Convention for PSE File Name below), use the SAPGENPSE tool to import the file in PCKS#12 format using the command import_p12 as follows:
   
   sapgenpse import_p12 -p <targetPSEfilename>.pse -x <target password> -z <source password> <source PCKS#12 file name>.p12
   
   For example: sapgenpse import_p12 -p PSE.pse -x 12345 -z 98765 PKCS12.p12
   
   For more information, see SAP Library for SAP NetWeaver in SAP Help Portal at http://help.sap.com under SAP NetWeaver Library -> SAP NetWeaver by Key Capability -> Security -> Network and Transport Layer Security -> Using the SAP Cryptographic Library for SNC -> Configuring SNC for Using the SAPCRYPTOLIB Using SAPGENPSE -> Additional Functions -> Importing a PKCS#12 File.
2. Save the PSE file in the subdirectory sec, which is located in the instance directory $DIR_INSTANCE/sec on each server that you want to use to sign digital invoices.
   You cannot use automatic distribution functions to copy the PSE file to other servers.
3. To verify the system's ability to access the servers where the system stores the password for the PSE file, you use the SAPGENPSE tool on each server to create the server's credentials as follows:
   
   sapgenpse seclogin -p <targetPSEfilename>.pse -x <target password>
   
   In line with the example above for converting the PCKS#12 file into a PSE file, you would enter sapgenpse seclogin -p PSE.pse -x 12345
   
   For more information, see SAP Library for SAP NetWeaver in SAP Help Portal at http://help.sap.com under SAP NetWeaver Library -> SAP NetWeaver by Key Capability -> Security -> Network and Transport Layer Security -> Using the SAP Cryptographic Library for SNC -> Configuring SNC for Using the SAPCRYPTOLIB Using SAPGENPSE -> Creating the Server's Credentials Using SAPGENPSE.

Note: You must repeat steps two and three above for each server that you want to use to generate digital invoices. You must not copy a PSE file for which you created credentials from one server to another server; you must create credentials for the PSE file in the required directory on each server that you want to use for the digital signature process.
For example, if you use three different servers to sign invoices digitally, you must install the PSE file on each of the three servers. If you use only one of the servers to sign invoices digitally, you must install the PSE file on only that server. In this case, you must schedule the jobs that digitally sign invoices on that server.

Naming Convention for PSE File Name

The target PSE file name that you enter must use the following naming convention. Each part of the file name is separated using an underline and the name is case sensitive:

• Prefix: always SAPMXDI
• PSE name: you can freely choose the PSE name, although the entire file name must not exceed 132 characters
• Suffix: a combination of the client and file extension, for example, 100.pse

For example, you create the following PSE file for sales office 1: SAPMXDI_salesoffice01_100.pse

Example