The following article shows how to create a client PSE (Personal Security Environment) that can be used to connect to SAP cloud systems via WebSocket RFC.
Prerequisites
- SAP Cloud API URL, e.g., https://my123456-api.s4hana.ondemand.com. The correct URL is displayed in the API-URL field of the communication arrangement set up for communication scenario SAP_COM_0193.
- Command line tool sapgenpse.exe. The tool can be downloaded as part of the SAP Cryptographic Library in the SAP Service Marketplace.
Creating a Client PSE
Follow the steps below to create a client PSE file that trusts the server certificate of the SAP cloud system.
- Enter the SAP Cloud API URL in a browser of your choice.
- View the certificate in the browser.
  Chrome: Navigate to View site information > Connection is secure > Certificate is valid.
  Firefox: Click the padlock icon left of the URL, navigate to Connection secure > More information, then click [View Certificate].
- Download the certificate chain from the browser. The certificate chain contains all certificates that are signed by the server certificate.
  Chrome: Open the Details tab and click [Export…]. Make sure to save the file in the format Base64-encoded ASCII, certificate chain (*.pem;*.crt).
  Firefox: Scroll to the Miscellaneous section of the certificate and in the download row, click PEM (chain).
- Use the sapgenpse tool to create a client PSE file:
  sapgenpse.exe gen_pse -p client.pse -v [Distinguished name]
  Replace [Distinguished name] with the distinguished name of the server that runs the Xtract product, e.g., "CN=COMPUTER.theobald.local, C=DE, S=BW, O=TS, OU=DEV". Optionally replace client.pse with a custom file name for the .pse file. The tool creates its own repository in a standard path, unless the path is changed by the environment variable SECUDIR or by specifying an absolute path.
  Warning! The PSE must be created without a password/pin, otherwise reading is not possible.
- Use the following command to add the certificate chain from step 3 to the client PSE:
  sapgenpse.exe maintain_pk -a <[chain.pem]> -p <client.pse>
  Replace [chain.pem] with the name of the downloaded .pem file, e.g., s4hana-cloud-sap-chain.pem.
Tip: For more information on how to use sapgenpse.exe, run the command sapgenpse -h.
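The following PowerShell script is an added example, not part of the original article or of the SAP tooling. It can be run after downloading the chain in step 3 and before the maintain_pk command, and lists every certificate in the .pem file so that subject, issuer, expiry and SHA-256 fingerprint can be compared with what the browser shows before the PSE is made to trust them. The parameter name $ChainPath is an assumption; the script uses only .NET classes and does not call sapgenpse.

```powershell
# Added example: inspect the downloaded certificate chain before importing it into the PSE.
param(
    # Assumed parameter; the default is the example file name used in the article.
    [string]$ChainPath = '.\s4hana-cloud-sap-chain.pem'
)

$pem = Get-Content -LiteralPath $ChainPath -Raw

# A trust chain should contain certificates only, never key material.
if ($pem -match '-----BEGIN [A-Z ]*PRIVATE KEY-----') {
    throw "$ChainPath contains a private key; export certificates only."
}

$pattern = '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
$blocks  = [regex]::Matches($pem, $pattern)
if ($blocks.Count -eq 0) { throw "No PEM certificates found in $ChainPath." }

$sha256 = [System.Security.Cryptography.SHA256]::Create()
$now    = Get-Date

$certs = foreach ($m in $blocks) {
    # Decode the Base64 body to DER and parse it as X.509.
    $der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt $now)
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        Sha256     = [BitConverter]::ToString($sha256.ComputeHash($der)) -replace '-', ':'
    }
}
$certs | Format-List

# Name-based linkage check only (no signature verification): every certificate
# that is not self-signed should have its issuer present in the same file.
$subjects = @($certs | ForEach-Object { $_.Subject })
foreach ($c in $certs) {
    if ($c.Expired) { Write-Warning "Expired: $($c.Subject)" }
    if (-not $c.SelfSigned -and $subjects -notcontains $c.Issuer) {
        Write-Warning "Issuer not in file: $($c.Issuer)"
    }
}
```

An issuer that belongs to a local TLS-inspection proxy rather than a public certificate authority means the browser did not see the SAP server's own chain, and importing that file would make the PSE trust the proxy.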