SAP ABAP IMG Activity PAY_DE_B2A_FIN_110 (Set Up Encryption for ELSTER)
Hierarchy
SAP_HRCDE (Software Component) Sub component SAP_HRCDE of SAP_HR
   PY-DE (Application Component) Germany
     PC01 (Package) HR Payroll: Germany
IMG Activity
ID PAY_DE_B2A_FIN_110 Set Up Encryption for ELSTER  
Transaction Code S_PL0_86000092   (empty) 
Created on 20040301    
Customizing Attributes PAY_DE_B2A_FIN_000   Data Exchange with Financial Administration 
Customizing Activity    
Document
Document Class SIMG   Hypertext: Object Class - Class to which a document belongs.
Document Name PAY_DE_B2A_FIN_110    

Setting Up the SAP Cryptolib

It is necessary to encrypt data for exchange with the clearing houses of the tax authorities. Data is encrypted using PKCS#7, which is provided by the SAP Cryptographic Library (SAPCryptolib). To be able to use the SAPCryptolib to exchange data with the clearing houses, you have to carry out the following steps.

  1. Installing the SAP Cryptolib

For information related to the installation, see SAP Note 662340 (SSF Encryption Using the SAPCryptolib). Carry out the installation as described in the section Installing the SAPCryptolib. Note that you have to set the profile parameters as follows:

Parameter Name         User-Defined Value                System Default Value
ssf/name               SAPSECULIB
ssf/ssf_md_alg                                           SHA1
ssf/ssf_symencr_alg    TRIPLE-DES                        DES_CBC
ssf/ssfapi_lib         <Menu path for SAPCryptolib>
sec/libsapsecu         <Menu path for SAPCryptolib>

Example:

Parameter Name         User-Defined Value                        System Default Value
ssf/name               SAPSECULIB
ssf/ssf_md_alg                                                   SHA1
ssf/ssf_symencr_alg    TRIPLE-DES                                DES_CBC
ssf/ssfapi_lib         D:\usr\sap\L9C\D10\exe\sapcrypto.dll
sec/libsapsecu         D:\usr\sap\L9C\D10\exe\sapcrypto.dll

The profile parameters have to be set in the instance profile. The profile parameters are case-sensitive.

You then have to restart the relevant application server to activate the profile parameters and load the library.
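
The following check is an added example, not SAP code or part of the original document: it reads an instance profile and reports SSF parameters that are missing, set to a different value than the table above requires, or written with the wrong case. It assumes profile lines of the form "name = value" with "#" starting a comment line; the function name check_ssf_profile and the sample path are constructed for illustration, and the two library parameters are expected to match because the example above points both at the same file.

```shell
# Added example, not SAP code. Assumes "name = value" lines, "#" for comments.
# Prints one finding per line; returns 0 only if the profile passes every check.
check_ssf_profile() {
    findings=$(awk '
    BEGIN {
        # Fixed values from the "User-Defined Value" column above.
        want["ssf/name"] = "SAPSECULIB"
        want["ssf/ssf_symencr_alg"] = "TRIPLE-DES"
        # Library paths: any value, but both are required and must match.
        want["ssf/ssfapi_lib"] = ""
        want["sec/libsapsecu"] = ""
    }
    /^[ \t]*#/ || !/=/ { next }
    {
        eq = index($0, "=")
        name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t\r]+$/, "", name)
        gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        if (name in want) { seen[name] = val; next }
        # Names are case-sensitive: a differently cased name is never applied.
        for (k in want)
            if (tolower(name) == k) print "CASE " name " should be " k
    }
    END {
        for (k in want) {
            if (!(k in seen)) print "MISSING " k
            else if (want[k] != "" && seen[k] != want[k])
                print "VALUE " k " is " seen[k] ", expected " want[k]
        }
        a = "ssf/ssfapi_lib"; b = "sec/libsapsecu"
        if ((a in seen) && (b in seen) && seen[a] != seen[b])
            print "MISMATCH " a " and " b " name different libraries"
    }' "$1" | LC_ALL=C sort)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample profile: one wrongly cased name, one missing parameter.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real instance profile
ssf/name = SAPSECULIB
SSF/ssf_symencr_alg = TRIPLE-DES
ssf/ssfapi_lib = /usr/sap/L9C/D10/exe/libsapcrypto.so
EOF
check_ssf_profile "$sample" || echo "profile needs correction"
rm -f "$sample"
```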

The points listed after Installing the SAPCryptolib in the SAP Note 662340 are for your information only. The additional steps that are specific to HR are described below:

  2. HR-specific follow-on steps

    The steps listed below require the sapgenpse tool, which is contained in the SAPCryptolib. You can use the tool to carry out various administrative tasks for the SAPCryptolib, at command line level.

    • Create a separate key pair (PSE file)
      A key pair is required to encrypt and decrypt the income tax data. The key pair consists of a private key and a public key. On the tax authorities' side, a 2048-bit RSA key is required.
      You have to enter the following data when creating the key:
      a) File name: The employer's key pair is stored in a file with the extension .pse. Third-party public keys that are read subsequently are also stored in this PSE file.
      b) PIN: Used for access protection for the key pair in the PSE file. It has to be entered as confirmation when the key is administered.
      c) Distinguished Name (DN): Used to identify the key pair and contains information about your company. Some of the components it contains are:
      CN = Common Name
      OU = Organizational Unit
      O = Organization
      C = Country
      Specify the individual components for your company's DN by entering the following command in the command line:
      sapgenpse gen_pse -p <file name>.pse -s 2048 -x <PIN> "<Distinguished Name>"
      Example:
      sapgenpse gen_pse -p elster_1.pse -s 2048 -x 123456 "CN=ELSTER Pay, OU=Payroll, O=Model inc., C=DE"
      Note:
      sapgenpse -h gives you an overview of the permitted parameters. The extension get_pse in this case is synonymous with gen_pse.
    • Read the clearing house's public key to the PSE file
      To find the clearing house's public key, go to the SAP Service Marketplace, choose the quick link hrde, then the menu item Elster@SAP: http://service.sap.com/HRDE
      Copy the file with the clearing house's key to the PSE file created previously.
      Enter the following command in the command line:
      sapgenpse maintain_pk -a <file name>.cer -p <file name>.pse -x <PIN>
      Example:
      sapgenpse maintain_pk -a clearingstelle.cer -p elster_1.pse -x 123456
      If you use more than one application server, copy the PSE file to the $DIR_INSTANCE/sec directory on each server. Store a backup copy of the PSE file in another location.
    • Create credentials for the PSE file
      You store credentials so that the application server can access the PSE at runtime. In the process, a file named cred_v2 is created in the PSE file's directory. You have to create the credentials separately on each application server. Credentials are valid only in the directory in which they were created. If you copy or move the cred_v2 file, this causes an error in accessing the PSE file.
      To create credentials, proceed as follows:
      - Log on to the application server as <sid>adm. (User under which the SAP system runs.)
      - Navigate to the $DIR_EXECUTABLE directory.
      - Enter the following command:
      Windows operating system:
      sapgenpse seclogin -p <file name>.pse -x [PIN] -O [<Windows_Domain>\]SAPService<SID>
      Unix operating system:
      sapgenpse seclogin -p <file name>.pse -x [PIN] -O <sid>adm
      The -O parameter is case-sensitive.
      For additional information about the individual parameters, use the sapgenpse seclogin -h command.
      Example:
      sapgenpse seclogin -p elster_1.pse -x 123456 -O SAPDOMAIN\ADMSAP

You still have to edit the PSE file name in the Maintain Constants IMG activity.

You can test the SAPCryptolib function with electronic tax returns (ELSTER) using the RPUTX8D0 report. For more information about error detection, see SAP Note 725508.

Business Attributes
ASAP Roadmap ID 204   Establish Functions and Processes 
Mandatory / Optional 2   Optional activity 
Critical / Non-Critical 2   Non-critical 
Country-Dependency I   Valid for countries specified 
Maintenance Objects
Maintenance object type    
History
Last changed by/on SAP  20040311 
SAP Release Created in 500