SAP Keygen

I’ll start this post with a compliment to SAP:

SAP ECC license files are impossible to break.

(Unless you have some supercomputers at your disposal and a few years to dedicate to brute-forcing SSL private keys, which will probably have expired before you can break them)
(Unless[2] you reverse engineer and patch the server binaries, but then you wouldn’t be breaking the license check but rather disabling it)

Beginning with the ECC6 product version, SAP's licensing system, which controls the products’ allowed usage and installations, uses public-key cryptography with digitally signed files.

A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, such that the sender cannot deny having sent the message (authentication and non-repudiation) and that the message was not altered in transit (integrity). Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering.

This way, it’s practically impossible to create a fake license key, because only SAP has the private keys.
So you won’t see any keygens around unless someone manages to sneak the private keys from inside SAP.

This is an example license file, generated for a trial NetWeaver ABAP system:

The LKEY field content is a base64 encoded and digitally signed text file containing some product license information:

The digital signature uses the PKCS#7 format (the same one used for S/MIME email messages).
The digital signer for the NSP licenses is identified as “SAP Trust Community”:

(in this case “I0610000083” is the target installation number).

The signature verification used for the license files is done by the Application Server directly (not by ABAP code), and it uses a special PSE file named “LASVerify.pse”, that you can’t find in the server directories. It’s encrypted somewhere hidden and loaded into memory by the Application Server every time a license verification is performed.

Because that PSE file isn’t available in the server directories, it’s not possible to validate an SAP license file in ABAP without debugging the server binaries and extracting it. Therefore I’ll show you how to create your own certificate and sign a text file to be verified by ABAP code.

1 – Create a certificate

Using the instructions taken from the OpenSSL docs on certificates, we create a private/public key pair to sign our files.

The private key

Certificates are related to public key cryptography by containing a
public key. To be useful, there must be a corresponding private key
somewhere. With OpenSSL, public keys are easily derived from private
keys, so before you create a certificate or a certificate request, you
need to create a private key.

So we create a new private key:

The public key

You can create a self-signed certificate if you don’t want to deal
with a certificate authority, or if you just want to create a test
certificate for yourself. This is similar to creating a certificate
request, but creates a certificate instead of a certificate request.
This is NOT the recommended way to create a CA certificate, see
https://www.openssl.org/docs/apps/ca.html.

2 – Import the certificate into the SAP trusted store

In transaction STRUST, add the newly created certificate to the trusted certificate list:

  1. Open the System PSE profile
  2. Import the generated certificate (Certificate -> Import)
  3. Press Add to Certificate List
  4. Save

3 – Sign a file

Create a text file with some human-readable contents in it:

We can use the OpenSSL S/MIME tool to sign the license file in PKCS#7 format using our certificate.

You’re going to get a binary signed file (signed.bin).
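
Steps 1 and 3 as one script, with a local OpenSSL verification standing in for the SAP-side check. This is an added example, not the original post's commands: the file names privkey.pem, cacert.pem and license.txt, the certificate subject, the 2048-bit key size and the license text are all assumptions.

```shell
#!/usr/bin/env bash
# Added example: everything except the signed.bin name is an assumed name or value.
set -eu

# Step 1: private key plus a self-signed certificate carrying the public key.
make_signer() {            # $1 = working directory
  openssl genrsa -out "$1/privkey.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$1/privkey.pem" -out "$1/cacert.pem" \
    -days 365 -subj "/CN=Demo License Signer" 2>/dev/null
}

# Step 3: wrap the text in a PKCS#7 signed-data structure (DER, content embedded).
sign_license() {           # $1 = working directory
  printf 'PRODUCT=DEMO\nVALID-UNTIL=99991231\n' > "$1/license.txt"   # constructed content
  openssl smime -sign -binary -nodetach -outform DER \
    -in "$1/license.txt" -signer "$1/cacert.pem" -inkey "$1/privkey.pem" \
    -out "$1/signed.bin"
}

# Verification succeeds only if the signature matches the content and the
# signer chains to the trusted certificate (the role STRUST plays in SAP).
verify_license() {         # $1 = working directory, $2 = signed file
  openssl smime -verify -binary -inform DER -in "$2" \
    -CAfile "$1/cacert.pem" -out /dev/null 2>/dev/null
}

# Change the embedded data without touching the signature bytes.
tamper() {                 # $1 = working directory
  LC_ALL=C sed 's/PRODUCT=DEMO/PRODUCT=FULL/' "$1/signed.bin" > "$1/tampered.bin"
}

work=$(mktemp -d)
make_signer "$work"
sign_license "$work"
verify_license "$work" "$work/signed.bin" && echo "signed.bin: signature valid"
tamper "$work"
verify_license "$work" "$work/tampered.bin" || echo "tampered.bin: verification failed"
rm -rf "$work"
```

The cacert.pem written by `make_signer` is the certificate that step 2 imports into STRUST.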

4 – Validate the signature in SAP

SSF Test Program
  1. In transaction SE38, run report SSF02
  2. Select the Verify function
  3. In the Input data parameter, select the signed.bin file
  4. Run, and press Verify

If you correctly added the certificate to STRUST, you should get a positive result with the signer information:

If you tamper with the signed file, say, change something in the data section, the signature verification will fail.

ABAP Code

You can use the SSF_KRN_VERIFY function module to verify the signature. To do that, you must provide the path to a trusted certificates address book (.pse file).
In this example we use the system PSE (SAPSYS.pse).

That’s it. Now you know how the license files are created and validated.
