SAP ABAP IMG Activity PAY_DE_B2A_KK_500 (Create and Manage PKCS#7 Certificate)
Hierarchy
SAP_HRCDE (Software Component) Sub component SAP_HRCDE of SAP_HR
   PY-DE (Application Component) Germany
     PC01 (Package) HR Payroll: Germany
IMG Activity
ID PAY_DE_B2A_KK_500 Create and Manage PKCS#7 Certificate  
Transaction Code S_PCO_36000310   (empty) 
Created on 20050517    
Customizing Attributes PAY_DE_B2A_KK_500   Create and Manage PKCS#7 Certificates 
Customizing Activity PAY_DE_B2A_KK_500   Create and Manage PKCS#7 Certificates 
Document
Document Class SIMG   Hypertext: Object Class - Class to which a document belongs.
Document Name PAY_DE_B2A_KK_500    

Use

For the signature and encryption of the data, certificates are required for each sending company number. These certificates contain the private and public keys of the employer and the public key of the receiving offices of the clearing houses.

To create and manage the certificate, you use the sapgenpse tool, which is contained in the SAPCryptolib. You can use the tool to perform various administrative tasks for the SAPCryptolib, at command line level.

Activities

You must perform the following steps for the company numbers that appear as the sender:

Overview:

  1. Creation of the certificate for a company number
  2. Creation of credentials for the certificate
  3. Creation and sending of a certificate request
  4. Reading the certificate response
  5. Reading the certificate list

Detailed description of the specific steps:

  1. Creation of the certificate for a company number

    A key pair is required for the signature and encryption of data for the health insurance funds. The key pair consists of a private key and a public key. The ITSG requires a 2048-bit RSA key.

    You have to enter the following data when creating the key:

    1. File name for the PSE:
      The employer's key pair is stored in a file with the extension .pse. Third-party public keys that are subsequently read are also stored in this PSE file.
      Name the file BNXXXXXXXX.pse, where XXXXXXXX stands for the company number.
      Example:
      Company number 12341672
      BN12341672.pse
    2. File name for the certificate request:
      The name should be identical to that of the PSE, but with the addition of _B64 and the file extension .p10. This file is required for step 3, creation and sending of a certificate request.
      Example:
      BN12341672_B64.p10
    3. PIN:
      Used for access protection for the key pair in the PSE file. It has to be entered as confirmation whenever the key is administered. If a PIN is assigned, credentials for the PSE file must be created (step 2). The PSE can also be created without a PIN. In this case, you must restrict access to the directory containing the PSE file accordingly, because anyone who can access the PSE can use it without any further authorization check.
    4. Distinguished Name (DN):
      Used to identify the key pair and contains information about your company. Some of the components it contains are:
      CN = Common Name
      OU = Organizational Unit
      O = Organization
      C = Country

      The structure of the DN is predefined by the ITSG.
      o CN = Name of the employee responsible for the company number
      o OU = BN + Company number
      o OU = Company name
      o O = ITSG TrustCenter for employer
      o C = DE

      Example:
      Entries
      Company number of employer: 12341672
      First and last name of administrator: Erich Stainfels
      Company name: Grufensholm AG
      Distinguished Name:
      CN=Erich Stainfels, OU=BN12341672, OU=Grufensholm AG, O=ITSG TrustCenter for employer, C=DE
      Specify the components CN and OU for the DN of your company number.

      To create the certificate, you enter the following command at the command line level:
      sapgenpse gen_pse -p <Filename>.pse -r <Filename>_B64.p10 -s 2048 -x <PIN> "<Distinguished Name>"
      Example:
      sapgenpse gen_pse -p BN12341672.pse -r BN12341672_B64.p10 -s 2048 -x 123456 "CN=Erich Stainfels, OU=BN12341672, OU=Grufensholm AG, O=ITSG TrustCenter for employer, C=DE"

      Note:
      sapgenpse -h gives you an overview of the permitted parameters. The command get_pse is synonymous with gen_pse here.
      For an example of a batch file that simplifies creation of the certificates, see SAP Service Marketplace at service.sap.com/hrde and choose Related Themes -> Communication with Health Insurance Funds. If necessary, adapt the file (script) for your operating system.
      The batch file takes the user name, company name, company number, and an optional PIN for the PSE as its input parameters.

Once you have created the certificate, run report RPUSVKD0, step 1 "Status - Create Certificate (PSE File)". If you entered a PIN when creating the PSE, you must also create the credentials for the certificate (step 2).

  2. Creation of credentials for the certificate

    You store credentials so that the application server can access the PSE at runtime. In the process, a file named cred_v2 is created in the PSE file's directory. You have to create the credentials separately on each application server. Credentials are valid only in the directory in which they were created. If you copy or move the cred_v2 file, this causes an error in accessing the PSE file.

    To create credentials, proceed as follows:

    • Log on to the application server as <sid>adm.
    • Navigate to the $(DIR-EXECUTABLE) directory.
    • Run the following command:

      For Windows:
      sapgenpse seclogin -p <path and file name>.pse -x <PIN> -O <sid>adm
      [<Windows_Domain>\]SAPService<SID>

      For UNIX:
      sapgenpse seclogin -p <path and file name>.pse -x [PIN] -O <sid>adm
      Comment: Parameter -O is case-sensitive.

      (SAP Note 662340 "SSF Encryption Using the SAPCryptolib", Maintaining the Server's Personal Security Environment, point 4)
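The following POSIX sh script is an added example for steps 1 and 2 above; it is not SAP's own code and not part of the SAPCryptolib or the batch file SAP distributes. It builds the file names and the ITSG-mandated DN from the company number, administrator name and company name, refuses company numbers that are not eight digits (an assumption based on the example above), prints or runs the gen_pse command, and adds the two checks a practitioner wants before and after step 2: that the PSE directory is not group- or world-accessible (required when no PIN is set) and that the cred_v2 file sits exactly beside the PSE. Assumed: a UNIX application server, the script run as <sid>adm, sapgenpse on the PATH or given via an environment variable SAPGENPSE; all function names are the example's own.

```shell
#!/bin/sh
# Added example, not SAP's own code: POSIX sh helpers around sapgenpse for the
# company-number PSE from steps 1 and 2. Assumptions: UNIX application server,
# run as <sid>adm, sapgenpse on the PATH (override with SAPGENPSE=/path/to/it).
set -u

# Build the ITSG-mandated Distinguished Name from the three inputs.
# Usage: itsg_dn <company_number> "<administrator name>" "<company name>"
itsg_dn() {
    printf 'CN=%s, OU=BN%s, OU=%s, O=ITSG TrustCenter for employer, C=DE' \
        "$2" "$1" "$3"
}

# File names follow the BN<company number> convention from step 1.
pse_name() { printf 'BN%s.pse' "$1"; }
req_name() { printf 'BN%s_B64.p10' "$1"; }

# Assumption: a company number is eight digits. Anything else would give a DN
# the TrustCenter will not accept, so refuse it before sapgenpse is called.
valid_bn() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the exact gen_pse command line (step 1) so it can be reviewed or
# logged before it is run. Usage: gen_pse_cmd <bn> "<admin>" "<company>" <pin>
gen_pse_cmd() {
    printf '%s gen_pse -p %s -r %s -s 2048 -x %s "%s"\n' \
        "${SAPGENPSE:-sapgenpse}" "$(pse_name "$1")" "$(req_name "$1")" \
        "$4" "$(itsg_dn "$1" "$2" "$3")"
}

# Run gen_pse with the same arguments. No eval: arguments are passed through
# as single words, so names containing spaces survive intact.
run_gen_pse() {
    valid_bn "$1" || { echo "invalid company number: $1" >&2; return 2; }
    "${SAPGENPSE:-sapgenpse}" gen_pse -p "$(pse_name "$1")" -r "$(req_name "$1")" \
        -s 2048 -x "$4" "$(itsg_dn "$1" "$2" "$3")"
}

# Without a PIN, anyone who can read the PSE file can use the key, so the
# directory must not be group- or world-accessible. Characters 5-10 of the
# ls -l mode string are the group and other bits; all must be '-'.
pse_dir_private() {
    [ -d "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Step 2 (seclogin) leaves a cred_v2 file next to the PSE, and it is only
# valid in that directory, so look for it exactly there and nowhere else.
credentials_present() {
    [ -f "$(dirname "$1")/cred_v2" ]
}

# Stand-alone use: sh pse_helper.sh <company_number> "<admin>" "<company>" <pin>
if [ $# -ge 4 ]; then
    valid_bn "$1" || { echo "invalid company number: $1" >&2; exit 2; }
    echo "DN: $(itsg_dn "$1" "$2" "$3")"
    gen_pse_cmd "$1" "$2" "$3" "$4"
    pse_dir_private "$(pwd)" || echo "warning: $(pwd) is group/world accessible" >&2
fi
```

Run it from the directory where the PSE will live; gen_pse_cmd shows the command that run_gen_pse would execute, and pse_dir_private and credentials_present can be repeated after step 2 on each application server, since the credentials do not travel with a copied or moved cred_v2.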


  3. Creation and sending of a certificate request

To participate in the electronic data exchange procedure with the health insurance funds, each participant (for each company number) requires a certificate for the encryption of the data. A certificate request for authorization by the ITSG must be created for the certificate. The certificate request and certificate response are authorized by the TrustCenter of the ITSG.

You can use the report RPUSVKD0 to enter the data for the certificate request, print the associated form, and create the file with the certificate request (steps 2 and 3). For more information, see the report documentation.

Send the documents required for the certificate request to the ITSG.

Further information:

For a detailed description in German of the process for issuing a certificate, see the homepage of the ITSG (www.itsg.de) under Produkte & Dienstleistungen -> TrustCenter.

  4. Reading the certificate response

The certificate response is sent as an attachment of an e-mail to the sender of the certificate request or is made available on floppy disk. The certificate response (p7c file) must be saved in the logical directory path HR_DE_B2A_KK_ZERTRESPONSE.

Run the report RPUSVKD0, step 4 "Read Certificate Response (p7c File)". The report reads the certificate response and sets the status "Certificate Response Read" for the PSE file.

  5. Reading the certificate list

Together with the ITSG's response to the certificate request, the customer also receives a file containing the public keys of the receiving offices (annahme-pkcs.agv). This file must be read into the PSE created in step 1.

Copy the file to the logical directory HR_DE_B2A_KK_ZERTLIST.

Run the report RPUSVKD0, step 5 "Read Certificate List (AGV File)".

The program reads the file annahme-pkcs.agv and adds the certificates to the PSE file. At the same time, the status "Certificate List Read" is set for the PSE file.

Note:

For technical details (key lengths used, algorithms, and so on), see SAP Note 846817 (B2A: Technische Details Kommunikation Krankenkasse PKCS#7 (B2A: Technical Details for Communication with Health Insurance Funds PKCS#7)).

For help in the error search, see SAP Note 846813 (B2A: Fehlersuche Verschlüsselung PKCS#7 Krankenkassen (Error Search Encryption PKCS#7 Health Insurance Funds)).

Business Attributes
ASAP Roadmap ID 204   Establish Functions and Processes 
Mandatory / Optional 1   Mandatory activity 
Critical / Non-Critical 2   Non-critical 
Country-Dependency I   Valid for countries specified 
Customizing Attributes Country Key Country Name
PAY_DE_B2A_KK_500 DE Germany
Assigned Application Components
Documentation Object Class Documentation Object Name Current line number Application Component Application Component Name
SIMG PAY_DE_B2A_KK_500 0 PL00000001 B2A: Business to Administration 
Maintenance Objects
Maintenance object type C   Customizing Object 
Assigned objects
Customizing Object Object Type Transaction Code Sub-object Do not Summarize Skip Subset Dialog Box Description for multiple selections
IMGDUMMY D - Dummy object OG00 RRPUSVKD0  
History
Last changed by/on SAP  20050520 
SAP Release Created in 600