
Error Deleting Entry from Certificate List

Former Member
0 Kudos
5,088

Good day,

I have a problem deleting an expired certificate from the Certificate List and the Access Control List (ACL).

When I run transaction strustsso2 and select the expired certificate, then select delete, it returns the error below:

(Error occurred during deletion) Message no. TRUST035

Your support is highly appreciated

Jassem

1 ACCEPTED SOLUTION

sebastian_broll
Explorer
0 Kudos
581

hello jassem,

if you really want to remove a certain certificate from the PSE's certificate list, you may proceed as follows.

please do this ONLY, if the removing of certificates does not work from transaction STRUST.

the procedure requires SAPCRYPTOLIB to be installed, as its command line tool 'sapgenpse' is used.

first:

it's a good idea to have a safe copy of your PSE as well as all certificates contained - just in case that something goes wrong.

then:

open a shell or command prompt on your server and go to the directory where the PSEs are stored. assure that you are logged on with the correct user, and the environment variable SECUDIR is set correctly.

execute the command:

sapgenpse maintain_pk -l -p <file name of the PSE>

this command lists the certificates from the PSE's certificate list, numbered with tags beginning with "1"

from the result, keep in memory the tag number of the certificate to remove.

now, execute the command

sapgenpse maintain_pk -d <tag number of cert to delete> -p <PSE file name>

this command will remove the certificate identified by the tag number.

please note, that this procedure is described in note 800240.

if this procedure does not work, you can also flush all certificates from the certificate list - keep in mind, that after re-importing the modified PSE into STRUST, you need to re-import the certificates into the PSE's certificate list that were not supposed to be deleted. (hopefully you stored safe copies of these certificates beforehand!)

the command to flush the certificate list is:

sapgenpse maintain_pk -f -p <PSE file name>

finally, you need to re-import the modified PSE into STRUST. copy the modified PSE to your workstation (PC) and proceed as described in knowledge base article 1473710 for PSE import.

regards,

sebastian
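
The backup, list and delete steps from the post above, combined into one guarded shell function. This is an added example, not part of sebastian's post or of note 800240; the function name `remove_pk_entry`, the backup file naming and the return codes are assumptions, and only the `sapgenpse maintain_pk -l` and `-d` calls come from the post.

```shell
#!/bin/sh
# Added example (not from the thread): guarded wrapper around the two
# sapgenpse maintain_pk calls quoted in the post. The function name,
# backup naming and return codes are assumptions of this sketch.

# usage: remove_pk_entry <PSE file name> <tag number>
remove_pk_entry() {
    pse_name=$1
    tag=$2

    # SECUDIR must point at the directory where the PSEs are stored.
    if [ -z "${SECUDIR:-}" ] || [ ! -d "$SECUDIR" ]; then
        echo "SECUDIR is not set or is not a directory" >&2
        return 2
    fi
    pse_path=$SECUDIR/$pse_name
    if [ ! -f "$pse_path" ]; then
        echo "PSE not found: $pse_path" >&2
        return 3
    fi
    # Tags are numbered from 1; reject anything else before touching the PSE.
    case $tag in
        ''|*[!0-9]*|0*) echo "invalid tag number: $tag" >&2; return 4 ;;
    esac

    # Safe copy first; stop if the copy is not byte-identical.
    backup=$pse_path.bak.$(date +%Y%m%d%H%M%S)
    cp -p "$pse_path" "$backup" || return 5
    cmp -s "$pse_path" "$backup" || { echo "backup differs" >&2; return 5; }
    chmod 600 "$backup"   # the PSE holds a private key

    # Show the list so the tag can be confirmed, then delete that entry.
    sapgenpse maintain_pk -l -p "$pse_name" || return 6
    if ! sapgenpse maintain_pk -d "$tag" -p "$pse_name"; then
        echo "delete failed; restoring $backup" >&2
        cp -p "$backup" "$pse_path"
        return 7
    fi
    # List again so the result can be checked before the PSE is re-imported.
    sapgenpse maintain_pk -l -p "$pse_name"
    echo "backup kept at $backup"
}
```
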

6 REPLIES 6

mvoros
Active Contributor
0 Kudos
581

Hi,

Have you checked SU53 for missing authorization? You can get your message after calling two FMs: SSFP_REMOVECERTIFICATE or SSFPSE_REMOVE. So if you have some basic debugging skills then you can put a breakpoint at the start of each FM and see what error you get. There are different reasons why it can fail.

Cheers

cris_hansen
Advisor
0 Kudos
581

Hi Jassem,

As far as I know, you should delete the entire PSE and recreate it. In this case, removing the PSE also deletes the contained unique key pair. Replacing a PSE requires freshly exchanging certificates with communication partners as required by the applications using the PSE (certificates contained).

I hope this helps.

All the best,

Cristiano

WolfgangJanzen
Product and Topic Expert
0 Kudos
581

> As far as I know, you should delete the entire PSE and recreate it. In this case, removing the PSE also deletes the contained unique key pair.

Caution: a PSE (Personal Security Environment) is like a keystore.

It contains a certificate and the corresponding private key (keypair) as well as a trust anchor list (aka "certificate list" / "private address book"). If you just want to remove an entry from the trust anchor list, you should not delete the entire PSE since you also lose your (own) certificate / keypair.

If you experience problems when performing PSE operations using transaction STRUST or STRUSTSSO2, then first check whether you are using an older version of SAPseculib or SAPcryptolib and consider using the latest version of SAPcryptolib, if applicable. If this does not help to resolve the problem, then consider filing a bug report with SAP (message component BC-SEC-SSF).

Best regards,

Wolfgang

0 Kudos
581

Thanks gentlemen for your support

I already have the required authorization assigned but yet it throws the same error. We've opened an OSS note with SAP and the resolution was similar to Sebastian's post.

Thanks and Regards,

Jassem

Former Member
0 Kudos
581

Hi Guys,

We are facing the same issue while deleting the certificate from the System PSE through transaction strustsso2. We are trying to delete the certificate of the solman system.

sapgenpse is not available in the kernel, hence I would need to know the solution for removing the certificate through ABAP itself and not through sapgenpse at OS level.

Please help.

Regards,

Ragav