Create a Client PSE to connect to SAP Cloud Systems

The following article shows how to create a client PSE (Personal Security Environment) that can be used to connect to SAP cloud systems via WebSocket RFC.

Prerequisites

  • SAP Cloud API URL, e.g., https://my123456-api.s4hana.ondemand.com. The correct URL is displayed in the API-URL field of the communication arrangement set up for communication scenario SAP_COM_0193.
  • Command line tool sapgenpse.exe. The tool can be downloaded as part of the SAP Cryptographic Library in the SAP Service Marketplace.

Creating a Client PSE

Follow the steps below to create a client PSE file that trusts the server certificate of the SAP cloud system.

  1. Enter the SAP Cloud API URL in a browser of your choice.
  2. View the certificate in the browser.

    Chrome: Navigate to View site information > Connection is secure > Certificate is valid.

    Firefox: Click the padlock icon left of the URL, navigate to Connection secure > More information, then click [View Certificate].

  3. Download the certificate chain from the browser. The certificate chain contains all certificates that are signed by the server certificate.

    Chrome: Open the Details tab and click [Export...].
    Make sure to save the file in the format Base64-encoded ASCII, certificate chain (*.pem;*.crt).

    Firefox: Scroll to the Miscellaneous section of the certificate and in the Download row, click PEM (chain).

  4. Use the sapgenpse tool to create a client PSE file:

    sapgenpse.exe gen_pse -p client.pse -v [Distinguished name]
    
    Replace [Distinguished name] with the distinguished name of the server that runs the Xtract product, e.g., "CN=COMPUTER.theobald.local, C=DE, S=BW, O=TS, OU=DEV". Optionally, replace client.pse with a custom file name for the .pse file.
    The tool creates its own repository in a standard path, unless the path is changed by the environment variable SECUDIR or by specifying an absolute path.

    Warning

    Restricted Access: The PSE must be created without a password/PIN, otherwise it cannot be read. Make sure not to secure the PSE with a password/PIN.

  5. Use the following command to add the certificate chain from step 3 to the client PSE:

    sapgenpse.exe maintain_pk -a [chain.pem] -p client.pse
    
    Replace [chain.pem] with the name of the downloaded .pem file, e.g., s4hana-cloud-sap-chain.pem. If you used a custom file name in step 4, replace client.pse accordingly. For more information on how to use sapgenpse.exe, run the command sapgenpse -h.
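
Because the PSE will trust whatever certificates are in the downloaded file, it is worth inspecting that file before running step 5. The following PowerShell function is an added example, not part of the original article or of the sapgenpse tooling; the function name Get-PemChainReport and the file name chain.pem are assumptions. It lists each certificate's subject, issuer, expiry and SHA-256 fingerprint, and rejects a file that was not exported in the Base64 chain format.

```powershell
# Added example (not from the original article): inspect the chain file from step 3.
function Get-PemChainReport {
    param([Parameter(Mandatory)][string]$Path)

    # Read the whole file and extract every Base64 certificate block.
    $pem    = Get-Content -Raw -LiteralPath $Path
    $blocks = [regex]::Matches($pem, '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----')

    # A DER (binary) export or an empty file yields no blocks at all.
    if ($blocks.Count -eq 0) {
        throw "$Path contains no PEM certificates. Re-export it as Base64-encoded ASCII, certificate chain."
    }
    if ($blocks.Count -eq 1) {
        Write-Warning "$Path contains a single certificate, not a chain."
    }

    # Decode each block into an X.509 certificate object.
    $certs = @(foreach ($b in $blocks) {
        $der = [Convert]::FromBase64String(($b.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    })

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $now    = Get-Date
    foreach ($c in $certs) {
        [pscustomobject]@{
            Subject      = $c.Subject
            Issuer       = $c.Issuer
            NotAfter     = $c.NotAfter
            Expired      = $c.NotAfter -lt $now
            SelfSigned   = $c.Subject -eq $c.Issuer
            # True when the issuing certificate is also present in the file.
            IssuerInFile = [bool]($certs | Where-Object { $_.Subject -eq $c.Issuer })
            # Fingerprint over the DER bytes, for comparison with the browser's certificate viewer.
            Sha256       = [BitConverter]::ToString($sha256.ComputeHash($c.RawData)) -replace '-', ':'
        }
    }
}

# 'chain.pem' is a placeholder for the file saved in step 3.
Get-PemChainReport -Path 'chain.pem' | Format-List
```

Compare the Sha256 values with the fingerprints shown in the browser's certificate viewer, and re-download the chain if any entry is reported as expired or has IssuerInFile set to False.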

The .pse file can now be used to connect ERPConnect to the SAP cloud, see SAP Connection - WebSocket RFC.