Hierarchy
⤷ PY-DE (Application Component) Germany
⤷ PC01 (Package) HR Payroll: Germany
IMG Activity
ID | PAY_DE_B2A_FIN_110 | Set Up Encryption for ELSTER |
Transaction Code | S_PL0_86000092 | (empty) |
Created on | 20040301 | |
Customizing Attributes | PAY_DE_B2A_FIN_000 | Data Exchange with Financial Administration |
Customizing Activity |
Document
Document Class | SIMG | Hypertext: Object Class - Class to which a document belongs. |
Document Name | PAY_DE_B2A_FIN_110 |
Setting Up the SAP Cryptolib
It is necessary to encrypt data for exchange with the clearing houses of the tax authorities. Data is encrypted using PKCS#7, which is provided by the SAP Cryptographic Library (SAPCryptolib). To be able to use the SAPCryptolib to exchange data with the clearing houses, you have to carry out the following steps.
- Installing the SAP Cryptolib
For information related to the installation, see SAP Note 662340 (SSF Encryption Using the SAPCryptolib). Carry out the installation as described in the section Installing the SAPCryptolib. Note that you have to set the profile parameters as follows:
Parameter Name User-Defined Value System Default Value
ssf/name SAPSECULIB
ssf/ssf_md_alg SHA1
ssf/ssf_symencr_alg TRIPLE-DES DES_CBC
ssf/ssfapi_lib <Menu path for SAPCryptolib>
sec/libsapsecu <Menu path for SAPCryptolib>
Example:
Parameter Name User-Defined Value System Default Value
ssf/name SAPSECULIB
ssf/ssf_md_alg SHA1
ssf/ssf_symencr_alg TRIPLE-DES DES_CBC
ssf/ssfapi_lib D:\usr\sap\L9C\D10\exe\sapcrypto.dll
sec/libsapsecu D:\usr\sap\L9C\D10\exe\sapcrypto.dll
The profile parameters have to be set in the instance profile. The profile parameters are case-sensitive.
You then have to restart the relevant application server to activate the profile parameters and load the library.
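A pre-restart check of the instance profile against the table above, as an added example (not SAP code): it flags mis-cased parameter names, a symmetric algorithm left at the default, and library paths that are missing or differ. The function name `check_profile` and the sample profile are constructed for illustration. The example assumes that only `ssf/ssf_symencr_alg` and the two library paths must be set explicitly.

```python
import re

# Expected values, from the parameter table on this page.
FIXED = {"ssf/name": "SAPSECULIB", "ssf/ssf_md_alg": "SHA1",
         "ssf/ssf_symencr_alg": "TRIPLE-DES"}
LIB_PARAMS = ("ssf/ssfapi_lib", "sec/libsapsecu")
# Assumption: only these must appear explicitly; the rest may rely on defaults.
MUST_BE_SET = ("ssf/ssf_symencr_alg",) + LIB_PARAMS
KNOWN = {name.lower(): name for name in (*FIXED, *LIB_PARAMS)}


def check_profile(text):
    """Return sorted findings for an instance profile passed as text."""
    params, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*([^#=\s][^=\s]*)\s*=\s*(.*?)\s*$", raw)
        canonical = KNOWN.get(m.group(1).lower()) if m else None
        if canonical is None:
            continue  # blank, comment, or a parameter this page does not set
        name, value = m.group(1), m.group(2)
        if name != canonical:
            # Names are case-sensitive: this line does not set the parameter.
            findings.append(f"line {lineno}: '{name}' must be spelled '{canonical}'")
            continue
        params[name] = value
    for name in MUST_BE_SET:
        if not params.get(name):
            findings.append(f"{name}: not set")
    for name, expected in FIXED.items():
        if name in params and params[name] != expected:
            findings.append(f"{name}: '{params[name]}' should be '{expected}'")
    if len({params[n] for n in LIB_PARAMS if params.get(n)}) > 1:
        findings.append("ssf/ssfapi_lib and sec/libsapsecu name different files")
    return sorted(findings)


# Constructed sample: mis-cased name, default cipher left in place, one path missing.
SAMPLE = r"""
# constructed instance profile excerpt
ssf/name = SAPSECULIB
SSF/ssf_md_alg = SHA1
ssf/ssf_symencr_alg = DES_CBC
ssf/ssfapi_lib = D:\usr\sap\L9C\D10\exe\sapcrypto.dll
"""

if __name__ == "__main__":
    print("\n".join(check_profile(SAMPLE)))
```

An empty result means the five parameters match the table; the check reads only the profile text and does not confirm that the library file exists or loads.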
The points listed after Installing the SAPCryptolib in the SAP Note 662340 are for your information only. The additional steps that are specific to HR are described below:
- HR-specific follow-on steps
The steps listed below require the sapgenpse tool, which is contained in the SAPCryptolib. You can use the tool to carry out various administrative tasks for the SAPCryptolib, at command line level.
- Create a separate key pair (PSE file)
- A key pair is required to encrypt and decrypt the income tax data. The key pair consists of a private key and a public key. On the tax authorities' side, a 2048-bit RSA key is required.
- You have to enter the following data when creating the key:
- a) File name: The employer's key pair is stored in a file with the extension .pse. Third-party public keys that are read subsequently are also stored in this PSE file.
- b) PIN: Used for access protection for the key pair in the PSE file. It has to be entered as confirmation when the key is administered.
- c) Distinguished Name (DN): Used to identify the key pair and contains information about your company. Some of the components it contains are:
- CN = Common Name
- OU = Organizational Unit
- O = Organization
- C = Country
- Specify the individual components for your company's DN by entering the following command in the command line:
- sapgenpse gen_pse -p <file name>.pse -s 2048 -x <PIN> "<Distinguished Name>"
- Example:
- sapgenpse gen_pse -p elster_1.pse -s 2048 -x 123456 "CN=ELSTER Pay, OU=Payroll, O=Model inc., C=DE"
- Note:
- sapgenpse -h gives you an overview of the permitted parameters. The command get_pse is in this case synonymous with gen_pse.
- Read the clearing house's public key to the PSE file.
- To find the clearing house's public key, go to the SAP Service Marketplace, choose quick link hrde, then the menu item Elster@SAP. http://service.sap.com/HRDE
- Copy the file with the clearing house's key to the PSE file created previously.
- Enter the following command in the command line:
- sapgenpse maintain_pk -a <file name>.cer -p <file name>.pse -x <PIN>
- Example:
- sapgenpse maintain_pk -a clearingstelle.cer -p elster_1.pse -x 123456
- If you use more than one application server, copy the PSE file to the $DIR_INSTANCE/sec directory on each server. Store a backup copy of the PSE file in another location.
- Create credentials for the PSE file
- You store credentials so that the application server can access the PSE at runtime. In the process, a file named cred_v2 is created in the PSE file's directory. You have to create the credentials separately on each application server. Credentials are valid only in the directory in which they were created. If you copy or move the cred_v2 file, this causes an error in accessing the PSE file.
- To create credentials, proceed as follows:
- - Log on to the application server as <sid>adm (the user under which the SAP system runs).
- - Navigate to the $DIR_EXECUTABLE directory.
- - Enter the following command:
- Windows operating system:
- sapgenpse seclogin -p <file name>.pse -x [PIN] -O [<Windows_Domain>\]SAPService<SID>
- Unix operating system:
- sapgenpse seclogin -p <file name>.pse -x [PIN] -O <sid>adm
- The -O parameter is case-sensitive.
- For additional information about the individual parameters, use the sapgenpse seclogin -h command.
- Example:
- sapgenpse seclogin -p elster_1.pse -x 123456 -O SAPDOMAIN\ADMSAP
You still have to edit the PSE file name in the Maintain Constants IMG activity.
You can test the SAPCryptolib function with electronic tax returns (ELSTER) using the RPUTX8D0 report. For more information about error detection, see SAP Note 725508.
Business Attributes
ASAP Roadmap ID | 204 | Establish Functions and Processes |
Mandatory / Optional | 2 | Optional activity |
Critical / Non-Critical | 2 | Non-critical |
Country-Dependency | I | Valid for countries specified |
Maintenance Objects
Maintenance object type |
History
Last changed by/on | SAP | 20040311 |
SAP Release Created in | 500 |