
2022-10-13 508307

508307 - Trust Manager: Problems importing certificate responses
Version: 15
Type: SAP Note
Language: English
Master Language: German
Priority: Correction with medium priority
Category: Program error
Release Status: Released for Customer
Released On: 28.10.2005
Component: BC-SEC-SSF (Secure Store and Forward)

Please find the original document at https://launchpad.support.sap.com/#/notes/508307

Symptom

• Transaction STRUST: Message TRUST037 (Certificate response could not be
imported) or message TRUST057 (CA certificate is missing on database).

• Program termination DATA_OFFSET_LENGTH_TOO_LARGE.

• Missing pushbuttons "Creating certificate request" and "Import certificate
response".

Other Terms

STRUST, PSE, SSL, certificate request, certificate response, TRUST037, TRUST057

Reason and Prerequisites

Invalid certificate response, old SAPSECULIB or SAPCRYPTOLIB or program error.

Solution

Import the latest versions of SAPSECULIB (note 354819) or SAPCRYPTOLIB (note
397175, Support Package 10 at least). You can then import the certificate
response in the following formats:

• As PKCS#7 package with complete certificate upward path. The upward path
includes the re-issued certificate, the certificate of the root CA and if
necessary, the certificate of the intermediate CA.

• As a file with several PEM-coded certificates, each enclosed between a
"-----BEGIN CERTIFICATE-----" header line and a "-----END CERTIFICATE-----"
footer line. In this case, the system automatically attempts to set up a
complete certificate upward path (unnecessary certificates are ignored). If
certificates are missing, for example if you use an intermediate CA, add the
other PEM-coded certificates to the certificate response before the import.
When you use an intermediate CA, the complete response must look as follows:
-----BEGIN CERTIFICATE-----
<Base64-coded contents of the re-issued certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64-coded contents of the certificate of the intermediate CA>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Base64-coded contents of the certificate of the root CA>
-----END CERTIFICATE-----

© 2022 SAP SE or an SAP affiliate company. All rights reserved 1 of 4



As of Release 6.20, you can import the following additional format.

• Individual PEM-coded certificates if the respective root certificate exists
in the database and you are not using an intermediate CA. You can display an
overview of all existing root certificates by calling the 'Import
certificate' function in the trust manager.

In Release 6.10 and 6.20, you can implement the correction instructions or
import a Support Package to eliminate an error in transaction STRUST that
results in a short dump when you import large certificate responses in PKCS#7
format. Furthermore, the "Create certificate request" and "Import certificate
response" pushbuttons are no longer hidden.

If importing the certificate response fails, this may be due to one of the
following causes:

• The certificate response does not match the selected PSE, that is, you have
either selected the wrong PSE for importing the certificate response or you
re-generated the PSE after generating the certificate request. In the second
case, you must request a new certificate because the certificate response
depends on the key pair of the PSE.

• The certificate response consists of an individual certificate but the
corresponding root certificate is missing in the database. In this case, you
must first import the root certificate (for example, from a file) and then
export it into the database. Caution: Importing certificate responses that
consist of an individual certificate does not work if the certificate is
created by an intermediate CA. In this case, you must import the complete
certificate's upward path as a certificate response.

• The certificate's upward path is incomplete or invalid. To determine the
cause of the error more precisely, you can set the following environment
variables for an application server:
SECUDE_ERROR_TRCFILE=<complete path of a new text file>
SECUDE_ERROR_TRCLEVEL=1
Import the certificate response again after starting the server. You
should now find entries in the text file if certificates are missing or
invalid.
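
The PEM response layout and the incomplete upward path described above can be checked before the import. The following Python is an added example, not part of the SAP Note or SAP's code: it reorders the certificates of a PEM response into the layout shown above (re-issued certificate, intermediate CA, root CA) and reports a missing issuer. The function names are assumptions of this example, and it matches issuer and subject names byte for byte without verifying signatures.

```python
import base64, re, textwrap

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read the DER element at pos; return (tag, value_start, element_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: low bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) of an X.509 certificate as raw DER bytes."""
    p = _tlv(der, 0)[1]                     # enter Certificate SEQUENCE
    p = _tlv(der, p)[1]                     # enter TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    p = end if tag == 0xA0 else p           # skip the optional [0] version field
    fields = []
    for _ in range(5):                      # serial, sigAlg, issuer, validity, subject
        end = _tlv(der, p)[2]
        fields.append(der[p:end])
        p = end
    return fields[2], fields[4]

def order_response(pem_text):
    """Return (chain, problem); chain is DER certs, re-issued certificate first."""
    certs = [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]
    info = [names(c) for c in certs]
    used = [iss for iss, sub in info if iss != sub]   # names that issued another cert
    leaves = [k for k, (iss, sub) in enumerate(info) if iss != sub and sub not in used]
    if len(leaves) != 1:
        return [], f"expected 1 end-entity certificate, found {len(leaves)}"
    chain, k = [], leaves[0]
    while len(chain) < len(certs):          # bound the walk so name loops terminate
        chain.append(certs[k])
        iss, sub = info[k]
        if iss == sub:
            return chain, None              # reached the self-signed root
        nxt = [j for j, (_, s) in enumerate(info) if s == iss]
        if not nxt:
            return chain, "issuer certificate missing from response"
        k = nxt[0]
    return chain, "issuer names form a loop"

def to_pem(chain):
    """Encode DER certificates as one concatenated PEM file, 64 characters per line."""
    b64 = [textwrap.fill(base64.b64encode(c).decode(), 64) for c in chain]
    return "".join(f"-----BEGIN CERTIFICATE-----\n{b}\n-----END CERTIFICATE-----\n" for b in b64)
```

Call order_response() on the text of the file received from the CA; if problem is None, to_pem(chain) is the reordered response, with unrelated certificates left out.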

Software Components

Software Component   Release
SAP_BASIS            610 - 640
SAP_BASIS            700 - 700

Correction Instructions

Software Component   From   To    Version   Changed on            ID
SAP_BASIS            620    620   1         02.06.2003 16:41:29   0000564044
SAP_BASIS            610    610   1         25.02.2004 14:30:17   0000305214
SAP_BASIS            620    620   2         25.02.2004 15:22:10   0000305211

Support Package

Software Component   Release   Support Package
SAP_BASIS            610       SAPKB61039
SAP_BASIS            620       SAPKB62027
SAP_BASIS            620       SAPKB62002
SAP_BASIS            620       SAPKB62038

This document refers to

SAP Note/KBA Title

834039 Certificate extension problems, Verisign (Japan)

694290 SAP J2EE: react on expiration of VeriSign CA certificates

518185 Trust Manager: Creating SSL certificates with complex DN

510007 Additional considerations for setting up SSL on Application Server ABAP

397175 SAP Cryptographic software - export control

354819 Collective note SAPSECULIB

1452833 Prerequisites for analyzing support messages on STRUST

1178155 Replacing PSEs in productive SSL Servers

1074447 STRUST: File import of certificate response fails

This document is referenced by

SAP Note/KBA Title

2009483 PSE Management in Web Administration Interface of SAP Web Dispatcher

1178155 Replacing PSEs in productive SSL Servers

510007 Additional considerations for setting up SSL on Application Server ABAP

397175 SAP Cryptographic software - export control

1452833 Prerequisites for analyzing support messages on STRUST

354819 Collective note SAPSECULIB

1074447 STRUST: File import of certificate response fails

834039 Certificate extension problems, Verisign (Japan)

694290 SAP J2EE: react on expiration of VeriSign CA certificates

518185 Trust Manager: Creating SSL certificates with complex DN
