For Netweaver 7.1 and above, SAP provides a Java class that you can use to check the Secure Store keyphrase. See SAP note 1895736 “Check if secure store keyphrase is correct”. However, in the older Netweaver 7.02, the Java check function does not exist.
In this post I provide a simple way to check the keyphrase without making any destructive changes in Netweaver AS Java 7.02.
Why Check the Keyphrase?
Being able to check the Netweaver AS Java Secure Store keyphrase is useful when setting up SAP ASE HADR. The Software Provisioning Manager requests the keyphrase when installing the companion database on the standby/DR server.
The Check Process
In NW 7.02, you can use the following method to check that you have the correct keyphrase for the Secure Store. The method does not cause any outage or overwrite anything. It is completely non-destructive, so you can run it as many times as you need. I guess in a way it could also be used as a brute force method of guessing the keyphrase.
As the <sid>adm Linux user on the Java Central Instance, we first set up some useful variables:
setenv SLTOOLS /sapmnt/${SAPSYSTEMNAME}/global/sltools
setenv LIB ${SLTOOLS}/sharedlib
setenv IAIK ${SLTOOLS}/../security/lib/tools
Now we can call the Java code that allows us to create a temporary Secure Store using the same keyphrase that we think is the real Secure Store keyphrase:
NOTE: We change “thepw” for the keyphrase that we think is correct.
/usr/sap/${SAPSYSTEMNAME}/J*/exe/sapjvm_*/bin/java -classpath "${LIB}/tc_sec_secstorefs.jar:${LIB}/exception.jar:${IAIK}/iaik_jce.jar:${LIB}/logging.jar" com.sap.security.core.server.secstorefs.SecStoreFS create -s ${SAPSYSTEMNAME} -f /tmp/${SAPSYSTEMNAME}sec.properties -k /tmp/${SAPSYSTEMNAME}sec.key -enc -p "thepw"
The output of the command above is 2 files in the /tmp folder, called ${SAPSYSTEMNAME}sec.key and ${SAPSYSTEMNAME}sec.properties. We now compare the checksum of the new temporary key file with that of the current system Secure Store key file (in our case this is called SecStore.key):
cksum /sapmnt/${SAPSYSTEMNAME}/global/security/data/SecStore.key
cksum /tmp/${SAPSYSTEMNAME}sec.key
If both the checksum values are the same, then you have the correct keyphrase.
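The same check as a single script, as an added example that is not part of the original post: it keeps the temporary store in a private directory, deletes it afterwards, and compares the key files byte for byte with cmp instead of cksum. The function names and the --check switch are assumptions of this example; the paths and the SecStoreFS arguments are the ones used above.

```shell
#!/bin/sh
# Added example: one-shot, self-cleaning version of the keyphrase check.
# Assumes SAPSYSTEMNAME is set (as for the <sid>adm user) and the NW 7.02 paths from the post.

# Succeeds only if both files exist and are byte-identical.
same_key_file() {
    [ -f "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

# Prompts for the keyphrase, builds a throwaway Secure Store, compares its key
# file with the live one and removes the temporary files again.
check_keyphrase() {
    sid=${SAPSYSTEMNAME:?SAPSYSTEMNAME is not set}
    sltools=/sapmnt/$sid/global/sltools
    lib=$sltools/sharedlib
    iaik=$sltools/../security/lib/tools
    live_key=/sapmnt/$sid/global/security/data/SecStore.key
    # Resolve the JVM with the same glob the post uses
    java_bin=$(ls /usr/sap/"$sid"/J*/exe/sapjvm_*/bin/java 2>/dev/null | head -n 1)
    [ -x "$java_bin" ] || { echo "sapjvm not found" >&2; return 2; }

    umask 077    # temporary key material readable by this user only
    work=$(mktemp -d "${TMPDIR:-/tmp}/secstore-check.XXXXXX") || return 2
    trap 'rm -rf "$work"; exit 130' INT TERM HUP

    printf 'Keyphrase to test: ' >&2
    stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2

    # Same SecStoreFS call as in the post. The -p argument is still visible in
    # the process list while java runs.
    "$java_bin" -classpath "$lib/tc_sec_secstorefs.jar:$lib/exception.jar:$iaik/iaik_jce.jar:$lib/logging.jar" \
        com.sap.security.core.server.secstorefs.SecStoreFS create -s "$sid" \
        -f "$work/${sid}sec.properties" -k "$work/${sid}sec.key" -enc -p "$pw" >/dev/null
    unset pw

    same_key_file "$live_key" "$work/${sid}sec.key"; rc=$?
    rm -rf "$work"
    return $rc
}

# Run the check only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then check_keyphrase; exit $?; fi
```

Run it with --check as the <sid>adm user; exit status 0 means the keyphrase produced a key file identical to SecStore.key.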