Skip to content

Create a Client PSE to connect to SAP Cloud Systems

The following article shows how to create a client PSE (Personal Security Environment) that can be used to connect to SAP cloud systems via WebSocket RFC.


  • SAP Cloud API URL, e.g., The correct URL is displayed in the API-URL field of the communication arrangement set up for communication scenario SAP_COM_0193.
  • Command line tool sapgenpse.exe. The tool can be downloaded as part of the SAP Cryptographic Library in the SAP Service Marketplace.

Creating a Client PSE

Follow the steps below to create a client PSE file that trusts the server certificate of the SAP cloud system.

  1. Enter the SAP Cloud API URL in a browser of your choice.
  2. View the certificate in the browser.

    Navigate to View site information > Connection is secure > Certificate is valid.

    Click the pad lock icon left of the URL, navigate to Connection secure > More information, then click [View Certificate].

  3. Download the certificate chain from the browser. The certificate chain contains all certificates that are signed by the server certificate.

    Open the Details tab and click [Export...].
    Make sure to save the file in the format Base64-encoded ASCII, certificate chain (*.pem;*.crt).

    Scroll to the Miscellaneous section of the certificate and in the download row, click PEM (chain).

  4. Use the sapgenpse tool to create a client PSE file:

    sapgenpse.exe gen_pse -p client.pse -v [Distinguished name]
    Replace [Distinguished name] with the distinguished name of the server that runs the Xtract product, e.g., "CN=COMPUTER.theobald.local, C=DE, S=BW, O=TS, OU=DEV". Optionally, replace client.pse with a custom file name for the .pse file.
    The tool creates its own repository in a standard path, unless the path is changed by the environment variable SECUDIR or by specifying an absolute path.


    Restricted Access The PSE must be created without a password/pin, otherwise reading is not possible. Make sure not to secure the PSE.

  5. Use the following command to add the certificate chain from step 3 to the client PSE:

    sapgenpse.exe maintain_pk -a <[chain.pem]> -p <client.pse>
    Replace [chain.pem] with the name of the downloaded .pem file, e.g., s4hana-cloud-sap-chain.pem. For more information on how to use the sapgenpse.exe, run the command sapgenpse -h.

The .pse file can now be used to connect ERPConnect to the SAP cloud, see SAP Connection - WebSocket RFC.