The following article shows how to create a client PSE (Personal Security Environment) that can be used to connect to SAP cloud systems via WebSocket RFC.

Prerequisites

  • SAP Cloud API URL, e.g., https://my123456-api.s4hana.ondemand.com. The correct URL is displayed in the API-URL field of the communication arrangement set up for communication scenario SAP_COM_0193.
  • Command line tool sapgenpse.exe. The tool can be downloaded as part of the SAP Cryptographic Library in the SAP Service Marketplace.

Creating a Client PSE

Follow the steps below to create a client PSE file that trusts the server certificate of the SAP cloud system.

  1. Enter the SAP Cloud API URL in a browser of your choice.
  2. View the certificate in the browser.
    Chrome: Navigate to View site information > Connection is secure > Certificate is valid.
    Firefox: Click the padlock icon to the left of the URL, navigate to Connection secure > More information, then click [View Certificate].
  3. Download the certificate chain from the browser. The certificate chain contains all certificates that are signed by the server certificate.
    Chrome: Open the Details tab and click [Export…]. Make sure to save the file in the format Base64-encoded ASCII, certificate chain (*.pem;*.crt).
    Firefox: Scroll to the Miscellaneous section of the certificate and in the download row, click PEM (chain).
  4. Use the sapgenpse tool to create a client PSE file:

     sapgenpse.exe gen_pse -p <client.pse> -v [Distinguished name]
    

    Replace [Distinguished name] with the distinguished name of the server that runs the Xtract product, e.g., "CN=COMPUTER.theobald.local, C=DE, S=BW, O=TS, OU=DEV". The tool creates its own repository in a standard path, unless the path is changed by the environment variable SECUDIR or by specifying an absolute path.
    Warning! The PSE must be created without a password/PIN; otherwise it cannot be read.

  5. Use the following command to add the certificate chain from step 3 to the client PSE:

     sapgenpse.exe maintain_pk -a <[chain.pem]> -p <client.pse>
    

    Replace [chain.pem] with the name of the downloaded .pem file, e.g., s4hana-cloud-sap-chain.pem.

Tip: For more information on how to use sapgenpse.exe, run the command sapgenpse -h.
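
Everything added to the client PSE in step 5 becomes trusted, so it is worth inspecting the file downloaded in step 3 before importing it. The following is an added example, not part of the original article or of SAP's tooling: it fingerprints each certificate in a PEM bundle, checks that each issuer name matches the subject of the next certificate, and rejects a bundle that contains a private key. The function names and the constructed skeleton input are hypothetical, and the bundle is assumed to be ordered with the server certificate first.

```python
import base64, hashlib, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):  # read one DER element; return (tag, value_start, end)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) as the raw DER Name bytes of one certificate."""
    _, p, _ = tlv(der, 0)          # Certificate SEQUENCE
    _, p, _ = tlv(der, p)          # TBSCertificate SEQUENCE
    tag, _, end = tlv(der, p)
    p = end if tag == 0xA0 else p  # skip the optional explicit [0] version
    fields = []
    for _ in range(5):             # serial, sig alg, issuer, validity, subject
        _, _, end = tlv(der, p)
        fields.append(der[p:end])
        p = end
    return fields[2], fields[4]

def inspect_chain(pem_text):
    """Fingerprint each certificate; check its issuer equals the next subject."""
    if "PRIVATE KEY-----" in pem_text:
        raise ValueError("bundle contains a private key; do not import it")
    ders = [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]
    if not ders:
        raise ValueError("no certificates found")
    report = []
    for i, der in enumerate(ders):
        issuer, subject = names(der)
        # Byte-wise name match; the last entry should be self-issued (a root).
        parent = names(ders[i + 1])[1] if i + 1 < len(ders) else subject
        report.append({"sha256": hashlib.sha256(der).hexdigest(), "linked": issuer == parent})
    return report

def seq(*parts):  # constructed-sample helper: short-form DER SEQUENCE
    body = b"".join(parts)
    return bytes([0x30, len(body)]) + body
def skeleton(subject, issuer):
    """Constructed stand-in with a certificate's field layout, not a real certificate."""
    tbs = seq(b"\x02\x01\x01", seq(), seq(issuer.encode()), seq(), seq(subject.encode()))
    b64 = base64.b64encode(seq(tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SAMPLE = skeleton("leaf", "intermediate") + skeleton("intermediate", "root") + skeleton("root", "root")
if __name__ == "__main__": print(inspect_chain(SAMPLE))
```

For a real file, pass its contents to inspect_chain and compare the reported SHA-256 fingerprints with those shown in the browser's certificate viewer before running maintain_pk. The check compares names only and does not verify signatures or validity dates.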