Certificados Criptografia SAP
7/22/2019 Certificados Criptografia SAP
PRINT FROM SAP HELP PORTAL
Document: Trust Manager
URL: http://help.sap.com/saphelp_nw70ehp3/helpdata/en/4c/5bdb17f85640f1e10000000a42189c/frameset.htm
Date created: September 05, 2013
2013 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.
Note
This PDF document contains the selected topic and its subtopics (max. 150) in the selected structure. Subtopics from other structures are not included.
PUBLIC 2013 SAP AG or an SAP affiliate company. All rights reserved.
Page 1 of 20
Trust Manager
Use
Establishing solid trust relationships is vital to the success of your business transactions, especially with the use of the Internet, where company borders are not
transparent. Therefore, many SAP applications rely on the use of public-key technology to establish the trust infrastructure that is necessary for successful
business relationships.
Public-Key Technology Support with the AS ABAP
Examples of public-key technology support with SAP NetWeaver Application Server (AS) ABAP include the following:
System digital signatures
At start-up, each AS ABAP is supplied with a public and private key pair certificate that is stored in its own system Personal Security Environment (PSE). The
AS ABAP can therefore produce its own digital signatures using the public-key information contained in its system PSE. Other systems can then verify the
system's digital signature, which guarantees the integrity and authenticity of a document that has been digitally signed by the system.
Example
For example, you can use logon tickets for user authentication on the AS ABAP. The AS ABAP digitally signs the user's logon ticket after successful
authentication. Instead of re-authenticating the user with a user ID and password, other systems can allow the user access after verifying the AS ABAP's
digital signature provided with the user's logon ticket.
Support for Secure Network Communications
For the SAP protocols DIAG and RFC, the Secure Network Communications (SNC) interface provides secure communication. SNC uses an external security
product to secure communications, whereby the SAP Cryptographic Library is provided as a default product for server-to-server communications within an SAP
system landscape.
When using the SAP Cryptographic Library, the system also stores the corresponding public and private key pair in the SNC PSE.
Support for the Secure Sockets Layer (SSL) Protocol
The AS ABAP supports the Secure Sockets Layer (SSL) protocol, which provides security when using Internet protocols such as HTTP. The security provided
includes encrypted communications as well as authentication between the communication partners. In this case, the application server must also possess a
public and private key pair to use for SSL communications.
Web Services Security (WS-Security)
Web services support digital signatures and encryption for Simple Object Access Protocol (SOAP) messages. In this case, the public and private keys used
by the Web services are stored in corresponding PSEs.
Secure Store and Forward Mechanisms (SSF)
SAP systems support the use of an external security product using the SSF mechanisms. By using SSF, applications can support the use of digital
signatures and document encryption in their processing.
Certificate revocation checks
The AS ABAP enables applications that check digital signatures and encrypt data to check certificate revocation lists for certificates that have been revoked
by Certification Authorities (CAs). This ensures that the AS ABAP only accepts certificates that are valid and current.
E-mails with digital signature and encryption with S/MIME
The signature and encryption feature that is embedded in the AS ABAP enables you to send and receive e-mails with signature and/or encryption. You can
configure S/MIME in the trust manager.
Managing the Public-Key Information Using the Trust Manager
To manage the public-key information necessary for these and other scenarios, use the trust manager. The trust manager performs the PSE and certificate
maintenance functions such as generating key pairs, creating certificate requests to be signed by a CA, and maintaining the list of trusted CAs that the server
accepts.
Prerequisites
You have an understanding of public-key technology and the terminology listed under Terminology and Abbreviations.
To create SSL, SNC, or WS-Security PSEs, you must have installed the SAP Cryptographic Library.
For more information, see Configuring the AS ABAP for Supporting SSL and Installing the SAP Cryptographic Library (SAP Web AS).
Integration
Use the trust manager to maintain the public-key information for the types of PSEs used by SAP applications. For example:
System PSE
SNC PSE, if you use the SAP Cryptographic Library as the security product.
PSEs used for SSL-protected communications
SSL server PSEs
SSL client PSEs
WS-Security PSEs
S/MIME PSEs
Arbitrary file PSEs
PSEs used by SSF applications that use the SAP Security Library or SAP Cryptographic Library as the security product. You cannot use the trust manager to
maintain PSEs for SSF applications that use a different security product.
SSF applications are applications for which the security information is specified in the table SSFARGS. They include the SSF default application and various
applications that use specific information, for example, the HTTP Content Server or the AS ABAP application for using logon tickets.
Note
You can store SSF application PSEs in the following locations:
In the database, whereby a copy of the PSE is distributed to the system's application servers.
In the file system, where it can be accessed at the operating system level. (The PSE must be located in a globally accessible directory.)
Activities
The trust manager provides functions for:
Generating key pairs and corresponding certificate requests
Importing the certificate request response into a PSE
PSE maintenance (for example, creating, displaying, and deleting PSEs, as well as monitoring the status of PSEs)
Maintaining a PSE's certificate list
Generating a verification PSE (a PSE that can only be used to verify the subject's digital signature)
Assigning a PIN to PSEs, which also creates credentials for the server so that the server can access a protected PSE at runtime
Distributing a PSE to the individual application servers
Importing PSEs (PKCS#12, PKCS#8, and PSE) and exporting PSEs (PKCS#12)
Importing, parsing, and exporting certificates
Checking certificates against certificate revocation lists (CRL) and manually changing the certificate status.
Configuring e-mails with S/MIME for digital signatures and/or encryption.
Example
Use the trust manager to generate key pairs for the application servers that are to support SSL. You can then have the system create the corresponding certificate
requests, which you send to a CA to be signed.
Once you have received a response from the CA, use the trust manager to import the signed public-key certificate into the system's SSL server PSE.
You can also use the trust manager to maintain the list of trusted CAs (certificate list) from which you accept public-key certificates to use for the SSL connection.
More Information
For more information about using public-key technology with the AS ABAP see the following:
Public-Key Technology
SSF User's Guide
Using the SAP Cryptographic Library for SNC
Secure E-Mails with Digital Signature and Encryption with S/MIME
Getting Started with the Trust Manager
Prerequisites
To maintain SSF PSEs that use the SAP Security Library or the SAP Cryptographic Library as the security product, you must first maintain the applications in
transaction SSFA.
The SAP Cryptographic Library must be installed, for the nodes for the SSL, SNC, and WS-Security PSEs to appear.
Structure
The Trust Manager Screen
The figure below depicts the sections of the trust manager screen (transaction STRUST).
Figure 1: Sections of the Trust Manager Screen
PSE Status
In the Trust Manager screen, the PSE status frame (left frame) displays the PSEs defined for the system. The table of PSE status icons and their meaning appears below (after the System PSE definition, where it was placed in this print-out).
You can check the status of the PSE on each of the servers of the cluster.
For more information, see Checking the Local Status of Distributed PSEs.
PSE Maintenance
The PSE maintenance section (upper right) displays the PSE information about the PSE that you selected.
Certificate
The certificate section (lower right) displays certificate information about a certificate that you selected or imported.
Note
The PSE maintenance section and the certificate section are independent of one another. If you display a PSE in the PSE maintenance section, the trust
manager does not automatically display the server's certificate in the certificate section.
For more information, see Selecting Certificates.
Selecting Certificates
Context
Use the certificate section to maintain certificate lists. Once selected or imported, the certificate appears in the Certificate section. Use the Certificate section as a
"clipboard" for certificates. Once a certificate appears in the Certificate section, you can perform operations on the certificate.
Procedure
1. Start the trust manager (transaction STRUST).
2. Find the certificate you want to work with.
The certificates are either in a PSE or you must import them from a source.
PSE certificates
1. Double-click a PSE.
2. Double-click a certificate.
Imported certificates
1. In the Certificate section, choose the import function.
2. Enter data as required.
Results
The system displays the certificate in the Certificate section. The certificate may or may not be associated with the PSE displayed in the PSE maintenance
section.
Example
You double-click a PSE to load it into the PSE maintenance section. Then you import a certificate from the file system. The certificate is not in the certificate list
of the PSE until you add it to the certificate list. You can double-click another PSE to load it into the PSE maintenance section, without affecting the certificate
displayed in the Certificate section.
PSE Types
You can maintain the following PSE types using the trust manager:
System PSE
SNC PSE
SSL Server PSEs
SSL Client PSEs
WS-Security PSEs
File PSE
SSF Application PSEs
System PSE
Definition
Personal security environment for the AS ABAP to use for digital signature functions.
Use
The AS ABAP uses its system PSE to create and verify digital signatures. However, it cannot use the system PSE for encrypting information.
PSE status icons (this table belongs to the PSE Status section above; the icons themselves are not reproduced in this print-out):
Icon 1: PSE exists for distribution to all application servers
Icon 2: PSE does not exist in the database
Icon 3: PSE that exists as a file
Icon 4: The PSE is defined as a file, but does not exist
Icon 5: Link to the system PSE
Structure
The system PSE contains the system's security information including its public and private key pair and the corresponding certificate list.
Integration
The system PSE is created during the system's installation process and stored in the file $(DIR_INSTANCE)/sec/SAPSYS.pse. When creating the system PSE,
the system creates a single PSE and distributes it to all of its application servers.
SNC PSE
Definition
The application server's PSE for securing communications using Secure Network Communications (SNC) when you use the SAP Cryptographic Library as the
security product.
Use SNC to protect connections where the SAP protocols are used, for example, RFC and DIAG. (Note however, you cannot use the SAP Cryptographic Library
on client components such as SAP GUI for Windows.)
Use SSL to protect HTTP connections.
Structure
The SNC PSE contains the server's security information to use for securing the SNC connection. This information includes the server's public and private key and
the corresponding certificate list.
Integration
When you create the SNC PSE, the system generates a single PSE for the system that is distributed to all of the application servers. The system stores the PSE
in the file $(DIR_INSTANCE)/sec/SAPSNCS.pse.
SSL Server PSEs
Definition
The application server's PSE for securing HTTP communications using the SSL protocol (HTTPS connections) when the application server is the server
component for the communication.
Note
If the AS ABAP also communicates as a client component, then it uses one of the SSL client PSEs when establishing the HTTPS connection.
Use
You can set up different SSL server PSEs to use for different connections. These are referred to as SSL server identities. Each SSL identity possesses its own
SSL server PSE. There is a standard identity that uses the standard SSL server PSE.
Structure
This PSE contains the application server's security information including its key pair and its corresponding certificate list. The certificate list contains the list of
Certification Authorities (CAs) that the server trusts. The SSL server PSE's certificate list should be quite restrictive and contain only those public-key certificates
from the CAs that the server accepts.
Integration
When you create an SSL server PSE for an identity, the system generates a default PSE. Alternatively you can create individual SSL server PSEs for specific
servers. The system then distributes the PSEs to the application servers accordingly. The application servers that are not assigned an individual SSL server PSE
receive the default SSL server PSE for the identity.
The standard SSL server PSE is stored in the file $(DIR_INSTANCE)/sec/SAPSSLS.pse on each application server. Each additional SSL server PSE is stored in
the file $(DIR_INSTANCE)/sec/SAPSSLS_.pse.
SSL Client PSEs
Definition
The application server's PSEs to use for securing communications with the SSL protocol when the application server is the client component for the
communication.
Use
There are three different types of SSL client PSEs that the server can use:
Anonymous SSL Client PSE
The application server uses the anonymous SSL client PSE to connect to other Web servers where only server-side authentication is used. It does not use it for its
own authentication.
Standard SSL Client PSE
The SAP Web AS uses the standard SSL client PSE to authenticate itself on other Web servers when SSL client authentication is used and where no individual
SSL client PSE is specified to use for the connection.
Individual SSL Client PSEs
The SAP Web AS can also use additional individual SSL client PSEs for authenticating itself on other Web servers. By using these PSEs, you can specify
different "identities" for the application server to use for different services.
If the SAP Web AS communicates as the server component for the SSL connection, then it uses the SSL server PSE to establish the HTTPS connection.
Structure
The SSL client PSEs contain the application server's security information, which includes the public and private key pair to use for the particular identity and the
corresponding certificate list.
Integration
When you create an SSL client PSE, the system creates a single PSE for the system that is distributed to all of the application servers. The system stores the
PSEs in the directory $(DIR_INSTANCE)/sec. The file names for the PSEs are:
Anonymous: SAPSSLA.pse
Standard: SAPSSLC.pse
Individual: SAPSSL.pse
WS-Security PSEs
Definition
The application server's PSEs to use for WS-Security (digital signatures and encryption).
Use
You can set up different WS-Security PSEs to use for different Web services. These are referred to as WS-Security identities. Each WS-Security identity
possesses its own PSE. There is a standard identity that uses the standard WS-Security PSE.
Note
WS-Security PSEs use only the Rivest-Shamir-Adleman (RSA) algorithm.
Structure
This PSE contains the application server's security information including its key pair and its corresponding certificate list. The certificate list contains the list of
Certification Authorities (CAs) that the server trusts when using the Web service(s) that use this PSE.
Integration
When you create a WS-Security PSE, the system creates a single PSE that is distributed to all of the application servers.
The standard WS-Security PSE is stored in the file $(DIR_INSTANCE)/sec/SAPWSSE.pse. Each additional WS-Security PSE is stored in the file
$(DIR_INSTANCE)/sec/SAPWSSE_.pse.
File PSE
Definition
An arbitrary PSE that is stored locally in a file.
Use
A file PSE contains security information (key pair and certificate list) that is stored in a local file in the file system. The file PSE can be used for creating and
verifying digital signatures, but not for encryption.
SSF Application PSEs
Definition
PSEs that are specified to be used for SSF applications.
Use
The various SSF applications may use different PSEs to obtain the security information that they need. For example, the HTTP Content Server uses a different PSE than the SAP Web AS uses to sign logon tickets.
Integration
The various SSF applications are defined in SSF Customizing using the transaction SSFA. An SSF application may also use the SSF default PSE. When
defining an SSF application PSE in transaction SSFA, you specify that the PSE should either be stored in the database and distributed to the application servers
or stored as a file in the file system with no distribution.
You can maintain any of the SSF application PSEs that use the SAP Security Library or the SAP Cryptographic Library using the trust manager, including the
SSF default PSE.
For more information on maintaining the SSF applications, see the SSF User's Guide.
Creating PSEs and Maintaining the PSE Infrastructure
Use
Use the functions described below to maintain the PSE infrastructure, which includes creating, replacing, or deleting the various PSEs, and checking their status.
Prerequisites
The PSE is one of the following:
System PSE
SNC PSE (if the SAP Cryptographic Library is used as the security product)
SSL server PSE (if the SAP Cryptographic Library is used as the security product)
SSL client PSE (if the SAP Cryptographic Library is used as the security product)
WS-Security PSE (if the SAP Cryptographic Library is used as the security product)
S/MIME identity PSE (if the SAP Cryptographic Library is used as the security product)
File PSE
SSF application PSE (for applications that use the SAP Security Library or SAP Cryptographic Library as the security product)
Procedure
To access the trust manager, use the transaction STRUST. The following functions for maintaining the PSE infrastructure are then available from the Trust Manager screen (see the function table below).
Note
The context menu (right mouse button) only shows the functions that are active for the PSE that you select.
Checking the Local Status of Distributed PSEs
You can check the local status of distributed PSEs as follows:
To check the local status of a PSE that has been distributed to individual application servers, expand the PSE node. The system automatically initiates the
status check.
To refresh the status of a single PSE, select the PSE and choose Check from the context menu.
To refresh the status of all expanded PSE nodes, choose the menu item PSE Check All PSEs.
Functions for maintaining the PSE infrastructure (table belonging to the Procedure above; columns: Function, Choose, What you should know)
Function: Check the status of a single PSE
  Choose: Context menu: Check
  What you should know: This function only applies to PSEs that are stored in the database and distributed to the application servers. The PSE node must be expanded to be checked. Expanding the node also automatically initiates the check. For more information, see Checking the Local Status of Distributed PSEs.
Function: Create a PSE
  Choose: Context menu: Create
  What you should know: This function creates a PSE and initiates distribution (if applicable). See also Creating or Replacing a PSE.
Function: Distribute a PSE
  Choose: Context menu: Distribute
  What you should know: This function distributes the selected PSE to the system's application servers. Depending on the PSE type, the system distributes either a single PSE to all servers (for example, the system PSE), or it distributes a server-dependent PSE (the SSL server PSE).
Function: Replace a PSE
  Choose: Context menu: Replace
  What you should know: This function generates a new PSE and distributes it automatically to the servers.
Function: Delete a PSE
  Choose: Context menu: Delete
  What you should know: If the PSE is stored in the database and distributed, then the local copies of the PSE are also deleted.
Function: Change PSEs
  Choose: Context menu: Change
  What you should know: For the SSL server PSE only:
    Create new PSEs or assign existing PSEs on individual servers where a PSE is missing (for example, if you have installed a new application server for the system).
    Change the current configuration (for example, reassign which servers receive individual PSEs and which receive the default PSE).
Function: Import a PSE
  Choose: Menu: PSE Import
  What you should know: Import a PSE from the file system.
Function: Export a PSE
  Choose: Menu: PSE Export
  What you should know: Export a PSE to the file system.
Function: Save a PSE as a different PSE
  Choose: Menu: PSE Save As...
  What you should know: You can save a PSE as:
    The system PSE
    An SSF application PSE
    A file PSE (export)
Function: Check the status of all local PSEs (for all expanded nodes)
  Choose: Menu: PSE Check All PSEs
  What you should know: This function also only applies to PSEs that are stored in the database and distributed to the application servers. For more information, see Checking the Local Status of Distributed PSEs.
Function: Distribute all PSEs
  Choose: Menu: PSE Distribute All PSEs
  What you should know: This function distributes all of the PSEs to the system's application servers.
The status of the locally stored PSE is indicated by a status icon; see the table Icon / Meaning / Possible Status Messages / Possible Actions to Correct Errors below.
To display the status message, choose the application server (double-click). The status message is then displayed in the SAP GUI's message bar.
The system uses the SAP Cryptographic Library per default. If the SAP Cryptographic Library has not been installed, then it uses the SAP Security Library,
which is delivered with the SAP System. If neither library is accessible, then the error message SAPSECULIB not found occurs.
Creating or Replacing a PSE
Use
Use the procedure below to create or replace a PSE. For example, you may have to replace a PSE when the public-key certificate contained in the PSE is about
to expire.
Note
We recommend using the report SSFALRTEXP to automatically receive a system log message and alert in CCMS for certificates contained in the various
PSEs that are about to expire. Alternatively, we also provide the report SSF_ALERTCERTEXPIRE that you can use manually or plan as a background job. For
more information, see SAP Note 572035.
Prerequisites
You know the syntax for the server's Distinguished Name (DN). For more information, see the tables Distinguished Name Parts and Requirements for the Server's Distinguished Name per PSE Type below.
When Using the SAP CA
If you use the SAP CA as the issuing CA, then the rest of the Distinguished Name (not the CN part) must be the SAP CA name space shown after the tables below.
Status check results (this table belongs to Checking the Local Status of Distributed PSEs above; columns: Icon, Meaning, Possible Status Messages, Possible Actions to Correct Errors; the icons themselves are not reproduced in this print-out)
Meaning: Status of the PSE has not yet been checked
  Possible status messages: None
  Possible actions: Not applicable
Meaning: PSE OK
  Possible status messages: Local PSE OK
  Possible actions: Not applicable
Meaning: Error in the attempt to check the PSE
  Possible status messages: RFC connection failed
  Possible actions: Test and repair the RFC connection.
Meaning: PSE is corrupt
  Possible status messages and actions:
    Local PSE does not match PSE in database: Redistribute the database PSE.
    SAPSECULIB not found: Reinstall the SAP Cryptographic Library or the SAP Security Library.
    Error in the test signature: Reinstall the SAP Cryptographic Library or the SAP Security Library.
    Unknown status: Redistribute the database PSE.
Distinguished Name Parts
DN Part   Definition                        Examples
CN        Common Name
OU        Organizational Unit (optional)    Department name
O         Organization                      Company name
C         Country                           USA: US; Germany: DE
Requirements for the Server's Distinguished Name per PSE Type
PSE: System PSE
  Requirement: Default Distinguished Name: CN=
  If no system PSE exists when the application server is started, then the system automatically creates the public-key certificate for the system PSE using the Distinguished Name CN=. If you replace this PSE, you can freely choose the new Distinguished Name.
PSE: SNC PSE
  Requirement: The Distinguished Name must correspond to snc/identity/as
  The Distinguished Name used for the SNC PSE's public-key certificate must match the Distinguished Name part of the server's SNC name (without the p:), which is specified in the application server's profile parameter snc/identity/as.
PSE: SSL Server PSE
  Requirement: CN part of Distinguished Name: CN=
  The Common Name (CN) part of the Distinguished Name for the SSL server PSE's public-key certificate must correspond to the fully qualified host name that users will use to access the application server, for example, CN=host123.mycompany.com.
PSE: Anonymous SSL Client PSE
  Requirement: Distinguished Name: CN=anonymous
  The system automatically uses the Distinguished Name CN=anonymous for the anonymous SSL client PSE's public-key certificate. You cannot change this name. In addition, the application server cannot use this identity to authenticate itself.
PSE: All Other PSEs
  Requirement: Distinguished Name: No special requirements
  You can freely choose the Distinguished Name for the public-key certificates stored in the rest of the PSEs.
SAP CA name space (the rest of the Distinguished Name required when using the SAP CA, continued from When Using the SAP CA above):
OU=I-, OU=SAP Web Application Server, O=SAP Trust Community, C=DE
For the first OU (Organizational Unit) part, you specify your customer number only. The SAP CA automatically extends the OU part to include your company
name.
Procedure
From the Trust Manager screen:
1. Select the desired PSE node.
2. Using the context menu, choose Create (if no PSE exists) or Replace.
The PSE dialog appears.
3. Enter the components of the system's Distinguished Name in the corresponding fields. If you use a reference to a CA name space, the system automatically includes those components of the CA's Distinguished Name in the newly generated name. See the table and examples below.
4. Choose Enter.
Note
If you are creating an SSL server PSE, then the system generates a default system-wide Distinguished Name and then provides you with a list of
possible server-specific names. For each application server, you can then choose to use either the server-specific Distinguished Name or you can use
the system-wide name. For more information, see Creating the SSL Server PSE.
Distinguished Name Parts (the table of input fields appears below, after the Result section)
Tip
Example 1: Reference to the SAP CA Name Space
The following example uses the input provided and a reference to the SAP CA name space:
Name = MY1
Org. (opt.) = I0120007965 (default)
Company = SAP Web Application Server (default)
CA Reference = O=SAP Trust Community, C=DE (default)
The trust manager then generates a public-key certificate with the Distinguished Name CN=MY1, OU=I0120007965, OU=SAP Web Application Server,
O=SAP Trust Community, C=DE.
Example 2: No reference to a CA Name Space
The following example does not use a reference to a CA name space.
Input:
Name =MY1
Company =MyCompany
Country = US
The Distinguished Name is then CN=MY1, O=MyCompany, C=US.
Result
The system creates a new public and private key pair and self-signed public-key certificate that are stored in the PSE. If the PSE is stored in the database and
should be distributed, then the system automatically distributes the PSE to the individual application servers.
Distinguished Name Parts (input fields of the PSE dialog; columns: Field, DN Part, Input / Comment)
Field: Name
  DN part: CN
  Input / comment: For example, .
Field: Org. (opt.)
  DN part: OU
  Input / comment: For example, the department name. Input is optional. Default = .
Field: Comp./Org.
  DN part: OU or O
  Input / comment: If you use a reference to a CA name space, the system uses the input for this field as an additional OU part. Otherwise, it uses this entry for the O part. The default entry is the OU part when using the SAP CA: SAP Web Application Server. Use the toggle function to activate or deactivate the reference to a CA name space.
Field: Country
  DN part: C
  Input / comment: Input is only available if you do not use a reference to a CA name space.
Field: CA
  DN part: Not applicable
  Input / comment: Input is available if you use a reference to a CA. Enter the CA's name space. The default entry is the name space for the SAP CA (O=SAP Trust Community, C=DE). The server or system's Distinguished Name is then generated using this extension. See the examples under Tip above.
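The Tip examples and the field table describe how the dialog fields map onto the generated Distinguished Name, and the PSE-type table earlier states what that name must look like for the SNC, SSL server, anonymous SSL client and SAP CA cases. The following Python example is added here and is not SAP's own code: it assembles the DN from the dialog fields exactly as in the two Tip examples and checks a DN against those requirements. The function names, the PSE type labels and the assumption that the SAP CA customer-number OU starts with "I" (as in the Tip) are this example's own.

```python
from __future__ import annotations
# Added example, not SAP's own code: builds the Distinguished Name the PSE dialog
# would generate and checks it against this page's per-PSE-type requirements.
from typing import Optional

SAP_CA_NAMESPACE = "O=SAP Trust Community, C=DE"      # default CA reference (from the page)
SAP_CA_COMPANY_DEFAULT = "SAP Web Application Server"  # default Comp./Org. entry for the SAP CA


def build_dn(name: str, org: Optional[str], company: str,
             country: Optional[str] = None,
             ca_reference: Optional[str] = None) -> str:
    """Assemble the DN from the dialog fields Name, Org. (opt.), Comp./Org., Country, CA.

    With a CA name-space reference the Comp./Org. entry becomes an additional OU part
    and the CA's name space is appended; without one it becomes the O part and the
    Country field supplies C.
    """
    parts = [f"CN={name}"]
    if org:
        parts.append(f"OU={org}")
    if ca_reference:
        parts.append(f"OU={company}")
        parts.append(ca_reference)
    else:
        if not country:
            raise ValueError("Country is required when no CA name space is referenced")
        parts.append(f"O={company}")
        parts.append(f"C={country}")
    return ", ".join(parts)


def dn_parts(dn: str) -> list[tuple[str, str]]:
    """Split 'CN=x, OU=y' into [('CN', 'x'), ('OU', 'y')]. Escaped commas are not handled."""
    out = []
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        out.append((key.strip().upper(), value.strip()))
    return out


def check_dn_for_pse(pse_type: str, dn: str,
                     snc_identity_as: Optional[str] = None) -> list[str]:
    """Return the list of violated requirements; an empty list means the DN is acceptable.

    pse_type is one of: system, snc, ssl_server, ssl_client_anonymous, sap_ca_request,
    other (labels chosen for this example).
    """
    problems: list[str] = []
    parts = dn_parts(dn)
    cn = next((v for k, v in parts if k == "CN"), None)
    if cn is None:
        return ["DN has no CN part"]
    if pse_type == "ssl_server":
        # The CN must be the fully qualified host name users enter to reach the server.
        if "." not in cn or " " in cn:
            problems.append(f"SSL server CN '{cn}' is not a fully qualified host name")
    elif pse_type == "ssl_client_anonymous":
        if cn != "anonymous":
            problems.append("anonymous SSL client PSE must use CN=anonymous")
    elif pse_type == "snc":
        # snc/identity/as has the form p:<DN>; the DN part without 'p:' must match exactly.
        if snc_identity_as is None:
            problems.append("profile parameter snc/identity/as not supplied")
        else:
            expected = snc_identity_as[2:] if snc_identity_as.startswith("p:") else snc_identity_as
            if dn_parts(expected) != parts:
                problems.append(f"SNC PSE DN '{dn}' does not match snc/identity/as '{snc_identity_as}'")
    elif pse_type == "sap_ca_request":
        # Everything after CN must follow the SAP CA name space: OU=<customer number>,
        # OU=SAP Web Application Server, O=SAP Trust Community, C=DE. Assumption of this
        # example: the customer-number OU starts with 'I' as in the page's Tip.
        tail = parts[1:]
        ok = (len(tail) == 4
              and tail[0][0] == "OU" and tail[0][1].startswith("I")
              and tail[1] == ("OU", SAP_CA_COMPANY_DEFAULT)
              and tail[2:] == dn_parts(SAP_CA_NAMESPACE))
        if not ok:
            problems.append("DN does not follow the SAP CA name space layout")
    # system PSE (after replacement) and all other PSEs: no special requirements
    return problems


if __name__ == "__main__":
    dn1 = build_dn("MY1", "I0120007965", SAP_CA_COMPANY_DEFAULT, ca_reference=SAP_CA_NAMESPACE)
    print(dn1, check_dn_for_pse("sap_ca_request", dn1))
    dn2 = build_dn("MY1", None, "MyCompany", country="US")
    print(dn2, check_dn_for_pse("ssl_server", dn2))
```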
Maintaining PSEs
Use
To maintain a specific PSE, select the PSE with a double-click. The PSE information appears in the PSE maintenance section (upper right).
Caution
All changes only apply after saving the data.
Activities
Having PSE Certificates Signed by a CA
Creating Verification PSEs
Protecting PSEs with Passwords
Having PSE Certificates Signed by a CA
Context
Self-signed certificates can be easier to implement, such as configuring trust between a few components. Other scenarios might require you to have the PSE
certificate trusted by a multitude of browsers. In such cases, have your PSE certificates signed by a certificate authority (CA).
A certificate request and corresponding response belong to a specific key pair and PSE. You can therefore only import the response into the PSE for which the
request was generated.
For example, if you generate a new PSE after you have already sent a certificate request to a CA, then the response you receive is invalid and cannot be
imported into the new PSE.
Procedure
1. Start the trust manager (transaction STRUST).
2. Select a PSE.
3. Choose PSE → Create Certificate Request.
4. Save the request and send it to a CA.
5. After receiving the certificate request response from the CA, choose PSE → Import Certificate Response.
Note
The certificate request response must be in the format PKCS#7 certificate chain, which contains the certificates of both the requester and the issuing
CA. However, if the response contains only the requester's certificate in PEM (Privacy Enhanced Mail) format and no CA certificate, then the system
builds the correct format. The root certificate of the issuing CA must exist in the certificate store.
For more information, see Maintaining Certificates in the Database.
6. Save your entries.
Results
The new certificate does not automatically appear in the Certificate section. However, the text (Self-Signed) should disappear from the PSE maintenance section.
To view the certificate, select the certificate in the Owner field with a double-click in the Own Certificate section. The certificate appears in the Certificate section.
Creating Verification PSEs
Context
This function generates a verification PSE for the selected PSE that contains the PSE's own certificate and the certificates you select from the certificate list.
You can then distribute and use this verification PSE to verify the digital signatures created by the corresponding certificate owners.
For example, with this function you can export the public-key certificate and the certificate list and import the verification PSE into other systems so they can
accept logon tickets from your system.
Procedure
1. Start the trust manager (transaction STRUST).
2. Select a PSE.
3. Choose PSE → Create Verification PSE.
Protecting PSEs with Passwords
Context
Use this procedure to further protect a personal security environment (PSE) from unauthorized access. You can only maintain a password-protected PSE with the
trust manager after providing the password. The system uses this password to create encrypted credentials for the server.
Caution
If you forget the password, you can no longer maintain the PSE using the trust manager.
Procedure
1. Start the trust manager (transaction STRUST).
2. Select a PSE.
3. Choose the Password pushbutton.
4. Enter data as required.
5. Save your entries.
Adding Certificates to PSE Certificate Lists
Context
The certificate list contains the corresponding public-key certificates for the issuing CAs that the server should accept. For example, for the system to accept
certificates signed by the SAP CA, the system PSE's certificate list must contain the SAP CA's public-key certificate.
Caution
All changes only apply after saving the data.
Procedure
1. Start the trust manager (transaction STRUST).
2. Select a certificate.
For more information, see Selecting Certificates.
3. Double-click a PSE.
4. Choose the Add to Certificate List pushbutton.
5. Save your entries.
Maintaining the PSE Certificate List
Use
The certificate list contains the corresponding public-key certificates for the issuing CAs that the server should accept. For example, for the system to accept
certificates signed by the SAP CA, the system PSE's certificate list must contain the SAP CA's public-key certificate.
Not only can you add and remove certificates from the certificate list, but you can maintain the revocation status of the certificates, too.
Caution
All changes only apply after saving the data.
Adding the SAP CA Certificate to PSE Certificate Lists
Procedure
1. Start the trust manager (transaction STRUST).
2. Select a PSE by double-clicking.
3. Choose Certificate → SAP Portal CA (DSA).
4. Choose the Add to Certificate List pushbutton.
5. Save your entries.
Certificate Revocation
Use
SAP NetWeaver Application Server (AS) ABAP enables applications that check digital signatures and encrypt data to check certificate revocation lists for
certificates that have been revoked by certificate authorities (CA). This ensures that the AS ABAP only accepts certificates that are valid and current.
For more information, see Certificate Revocation.
Enabling Certificate Revocation
Prerequisites
You know which certificate authority (CA) issues the CRLs you want to check.
You know which CRL profile your applications use to check the CRLs.
Context
Before SAP NetWeaver Application Server (AS) ABAP can check for revoked certificates in certificate revocation lists (CRLs), you must make sure the AS
ABAP is configured to perform such checks.
Procedure
1. Ensure the SSF Certificate Revocation PSE exists.
1. Start the trust manager (transaction STRUST).
2. Check if the SSF Certificate Revocation PSE appears in the PSE status list.
If the PSE does not appear there, do the following:
1. In the Change View "Application-Specific SSF Parameters" screen (transaction SSFA), add the Certificate Revocation (CREVOC) application. For more information, see Maintaining Application-Specific Information.
2. In the trust manager, create the PSE.
For more information, see Creating or Replacing a PSE.
2. Add the public-key signing certificate of the CAs that sign the CRLs you want your applications to check to the SSF Certificate Revocation PSE.
For more information, see Adding Certificates to PSE Certificate Lists.
3. Configure the CRL profiles used by your applications to be active.
For more information, see Configuring Profiles for Certificate Revocation.
Checking the Revocation Status of Certificates
Context
Use this procedure to check how the revocation check function of the trust manager evaluates a certificate with a given profile.
Procedure
1. Start the trust manager (transaction STRUST).
2. Select a certificate so that it appears in the Certificate area of the screen.
3. Choose Certificate → Check Block Status.
4. Choose a profile.
Only active profiles appear in the list.
5. Choose the Check pushbutton.
Results
The revocation check returns a status. When an application performs the status check, the application determines if it accepts the certificate or not. If accepted, the application continues to perform whatever operation it is designed to do: verify digital signatures or encrypt data. If not accepted, the application should throw an exception. How the application handles the exception depends on the application. See the table below.
Status | Description | Certificate Acceptance
GOOD | When a certificate does not appear in any certificate revocation list (CRL), this is the result. | Certificate is accepted.
REVOKED | The certificate appears either in the manual revocation list or in the CRL of the CA. | Certificate is not accepted.
UNKNOWN | The revocation check has a source for the CRL, but cannot reach it: network error or file not found. The validity of the certificate depends on whether the Strict flag of the profile is set. | If the profile is strict, the certificate is not accepted. If the profile is not strict, the certificate is accepted.
HOLD | CAs list certificates in CRLs with the value HOLD to indicate that the CA does not want to permanently revoke the certificate. The CA may remove the certificate from the revocation list in the future. | Certificate is not accepted.
UNCHECKED | The profile used to check the certificate is not active. The system does not perform a certificate revocation check. | Certificate is accepted.
Blocking Certificates
Context
Use this procedure to designate certificates untrustworthy for your SAP NetWeaver Application Server (AS) ABAP, before the expiration date set by the certificate authority (CA). Once declared untrustworthy, you block the AS ABAP from accepting the certificate even if the CA still considers the certificate valid. Reasons to block certificates include the following:
Security was compromised and someone has access to a user's private key.
You want to replace a certificate with a new one before the old one has expired.
For more information, see Certificate Revocation.
AS ABAP enables you to either block individual certificates by issuer, subject, and serial number or block all certificates from a given issuer with a given subject that were issued before a given date.
Procedure
1. Start the trust manager (transaction STRUST).
2. Select a certificate.
For more information, see Selecting Certificates.
3. Choose Certificate → Block Manually.
4. Determine if you want to block only this particular certificate or all certificates for this issuer and subject issued before the date and time you enter.
5. Save your entries.
Results
Next time the certificate revocation check checks this certificate, it returns a failure to the application calling the check, as long as the profile the application uses is active.
You can undo the blocking of the certificate.
For more information, see Changing the Revocation Status of Certificates.
Changing the Block Status of Certificates
Context
Use this procedure to undo the manual revocation of a certificate. You can change the status of any entry in the Certificate Status List. You can even undo the revocation of a certificate declared by a certificate authority, but it only applies to checks made on this cluster. Or you can remove the blocking of a range of certificates from the Blocking List for Certificate Ranges.
Procedure
1. Start the trust manager (transaction STRUST).
2. Choose Environment → Certificate Block Management.
3. Choose .
4. Determine if you want to change the block status of a single certificate or the revocation of a range of certificates for a given issuer, subject and released before a given date and time.
For a single certificate, choose the Certificate Status List tab. Select a certificate and choose .
Since the certificate no longer appears in the local status list, the revocation check considers the certificate valid unless it finds the certificate in a CRL source.
For a range of certificates, choose the Blocking List for Certificate Ranges tab. Select a range of certificates and choose .
5. Save your entries.
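How the status table, the manual block lists and the profile's Active and Strict flags combine into one accept/reject decision, as an added example that is not code from the SAP help page or from AS ABAP. It covers the Checking the Revocation Status results, Blocking Certificates (single certificates and ranges by issuer, subject and issue date) and Changing the Block Status sections above. The data classes, the CRL fetcher interface (a callable returning {serial: reason} or raising CrlSourceUnavailable) and the constructed CRL content are this example's own assumptions.

```python
"""Certificate revocation decision as the status table describes it, with the
local block lists maintained through Certificate -> Block Manually.

Added example, not SAP's code. Data shapes, the CRL fetcher interface and
the sample CRL below are assumptions of this example."""

from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Profile:
    name: str
    active: bool = True     # inactive profile -> no check at all (UNCHECKED)
    strict: bool = False    # strict -> an UNKNOWN result is not accepted


@dataclass
class Certificate:
    issuer: str
    subject: str
    serial: str
    issued: datetime        # compared against "issued before" of a range block


@dataclass
class RangeBlock:
    issuer: str
    subject: str
    issued_before: datetime


@dataclass
class BlockLists:
    """Local lists: Certificate Status List and Blocking List for Certificate Ranges."""
    status_list: Set[Tuple[str, str, str]] = field(default_factory=set)  # (issuer, subject, serial)
    range_list: List[RangeBlock] = field(default_factory=list)

    def block_certificate(self, cert: Certificate) -> None:
        self.status_list.add((cert.issuer, cert.subject, cert.serial))

    def block_range(self, issuer: str, subject: str, issued_before: datetime) -> None:
        self.range_list.append(RangeBlock(issuer, subject, issued_before))

    def unblock_certificate(self, cert: Certificate) -> None:
        # Changing the Block Status: once the entry leaves the local status
        # list, only a CRL source can still make the certificate REVOKED.
        self.status_list.discard((cert.issuer, cert.subject, cert.serial))


class CrlSourceUnavailable(Exception):
    """The profile knows a CRL source for the issuer but it cannot be reached."""


CrlFetcher = Callable[[str], Dict[str, str]]   # issuer DN -> {serial: reason}


def revocation_status(cert: Certificate, profile: Profile,
                      blocks: BlockLists, fetch_crl: CrlFetcher) -> str:
    """Return GOOD, REVOKED, HOLD, UNKNOWN or UNCHECKED for the certificate."""
    if not profile.active:
        return "UNCHECKED"                       # no revocation check performed
    if (cert.issuer, cert.subject, cert.serial) in blocks.status_list:
        return "REVOKED"                         # manual revocation list
    for rb in blocks.range_list:
        if (rb.issuer, rb.subject) == (cert.issuer, cert.subject) and cert.issued < rb.issued_before:
            return "REVOKED"                     # blocked certificate range
    try:
        crl = fetch_crl(cert.issuer)
    except CrlSourceUnavailable:
        return "UNKNOWN"                         # source known but unreachable
    reason = crl.get(cert.serial)
    if reason is None:
        return "GOOD"
    return "HOLD" if reason.upper() == "HOLD" else "REVOKED"


def accept_certificate(status: str, profile: Profile) -> bool:
    """Certificate Acceptance column; UNKNOWN depends on the profile's Strict flag."""
    if status in ("GOOD", "UNCHECKED"):
        return True
    if status in ("REVOKED", "HOLD"):
        return False
    if status == "UNKNOWN":
        return not profile.strict
    raise ValueError(f"unexpected revocation status {status!r}")


def check_certificate(cert: Certificate, profile: Profile,
                      blocks: BlockLists, fetch_crl: CrlFetcher) -> Tuple[str, bool]:
    status = revocation_status(cert, profile, blocks, fetch_crl)
    return status, accept_certificate(status, profile)


# Constructed sample CRL content: issuer DN -> {serial: reason}.
SAMPLE_CRLS = {
    "CN=myCA, O=myCompany, C=US": {"2002": "keyCompromise", "3003": "HOLD"},
}


def sample_fetch_crl(issuer: str) -> Dict[str, str]:
    """Constructed CRL source: reachable for myCA, unreachable for any other issuer."""
    if issuer not in SAMPLE_CRLS:
        raise CrlSourceUnavailable(f"CRL source for {issuer!r} not reachable")
    return SAMPLE_CRLS[issuer]


def sample_certificate(serial: str, issuer: str = "CN=myCA, O=myCompany, C=US",
                       subject: str = "CN=MY1, O=MyCompany, C=US",
                       issued: datetime = datetime(2013, 1, 15)) -> Certificate:
    """Constructed certificate in the myCA name space used by the page's examples."""
    return Certificate(issuer, subject, serial, issued)
```

Whether an unreachable CRL source fails open or closed is decided solely by the Strict flag, which is why the profile an application uses must be active and, for sensitive operations, strict; an inactive profile accepts everything, including certificates that were blocked manually.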
Configuring Profiles for Certificate Revocation
Context
The certificate revocation function requires a profile to determine how it interprets the certificate status. Most important, a profile must be active, otherwise the
revocation check always accepts the certificate no matter the revocation status. The profiles also include a source list, enabling the certificate revocation check to
download the latest certificate revocation list (CRL).
This procedure is required for enabling certificate revocation checks.
For more information, see Enabling Certificate Revocation.
Procedure
1. Start the trust manager (transaction STRUST).
2. Choose Environment → Certificate Block Management.
3. Choose the Profile tab.
4. Select an existing profile or add a row to create a new one.
Note
Most applications already have their own profile in the list. You only need to create a new profile if you develop your own applications.
For more information, see Including Certificate Revocation Checks in Applications.
5. Enter data as required.
6. Edit the source list for the profile or reference the default source list.
You can also edit the default source list.
7. Save your entries.
Results
Once configured, you can perform a customizing transport of profiles or the default source list to other systems.
For more information, see Transporting Profiles for Certificate Revocation.
Transporting Profiles for Certificate Revocation
Context
To use profiles for certificate revocation on other SAP systems, SAP NetWeaver Application Server (AS) ABAP enables you to use the transport system.
The AS ABAP can transport the following information:
Name
Description
Configuration options
Profile source list
Note
If the profile you transport is configured to use the default source list, the profile retains this configuration in the target system. The transported profile then
uses the default source list of the target system. You can transport the default source list, too, but you overwrite the default source list of the target system.
The customizing request is client specific.
Procedure
1. Start the trust manager (transaction STRUST).
2. Choose Environment → Certificate Block Management.
3. Choose profiles.
4. Choose .
5. Enter data as required.
6. Save your entries.
Next Steps
Change and Transport System
Checking the CRL Cache
Prerequisites
The certificate revocation check has checked the CRL of a certificate, which either listed a CRL distribution point within the certificate itself or has a URL source defined in the source list for the issuer. The source list is part of the profile.
For more information, see Configuring Profiles for Certificate Revocation.
Context
Use the certificate revocation list (CRL) cache to examine the CRLs downloaded by the certificate revocation check.
Procedure
1. Start the trust manager (transaction STRUST).
2. Choose Environment → Certificate Revocation Configuration.
3. Choose the CRL Cache tab.
Results
You can view information about the CRL, identifying the issuer and its serial number. You can also see when the certificate authority (CA) plans to update the
CRL.
To download a new copy of the CRL, choose the Update Selected CRL pushbutton.
To examine the CRL in detail, choose the Save Selected CRL to pushbutton.
Once you download the CRL to your filesystem, you can inspect the complete list of revoked certificates, version, distribution point, and other information.
Including Certificate Revocation Checks in Applications
Context
You can add certificate revocation checks to your own custom applications.
Procedure
1. Create a profile for certificate revocation.
The profile name must begin with Z. All other profile names are reserved for SAP. System administrators can configure how the certificate revocation check manages certificates by changing the profile configuration.
2. Call the certificate revocation (STRUSTCRT_CHECK_CERTIFICATE) function module when you need to verify signatures or encrypt data.
The relevant building blocks are in SECF for verification and encryption and STRUST for the certificate revocation check.
3. Add the name of the profile to be transported with your application. When encrypting data and verifying signatures, you must include a parameter that
identifies the profile for your application. Each application is intended to use its own profiles.
4. In the target system, make sure the profile is active.
Next Steps
Configuring Profiles for Certificate Revocation
Creating Additional Identities
Use
Use this procedure to create additional identities to use for SSL server PSEs, SSL client PSEs, and WS-Security PSEs.
Procedure
From the Trust Manager screen:
1. Choose Environment → Identities.
The Change View: Identities maintenance screen appears. The table contains entries for the standard PSEs for this PSE type.
2. Choose New Entries.
The New Entries: Overview of New Entries maintenance screen appears.
3. Enter the PSE's information (Identity and Description) in the appropriate columns.
4. Save the data.
5. Go Back.
Result
You return to the Trust Manager screen. An entry for each identity for this PSE type appears in the PSE status section.
Maintaining Certificates in the Database
Use
You can maintain a list of CA root certificates in the database. You can then import these certificates into the various PSEs to specify which CAs the server should trust. The system also uses the certificates stored in the database to build the correct format for certificate request responses that exist in PEM format instead of the required PKCS#7 certification chain format.
Procedures
See the following:
Adding a Certificate to the Database
Removing a Certificate From the Database
Retrieving a Certificate From the Database
Deactivating Certificates in the Database
Adding Certificates to PSE Certificate Lists
Adding a Certificate to the Database
Use
Use this procedure to add a certificate to the system's list of certificates in the database. For example, you can add a CA's root certificate so that you can then easily import it into the various PSEs' certificate lists.
Prerequisites
You have access to the certificate, for example, the certificate exists as a file in your file system.
Procedure
From the trust manager (transaction STRUST):
1. In the certificate section, choose Import certificate.
2. The Import Certificate dialog appears.
3. Select the certificate from its source (for example, from the file system) and choose Enter.
4. The certificate appears in the certificate section.
5. Choose Export certificate.
6. Select the Database tabstrip.
7. Enter a name, category (for example, Root CA), and description for the certificate in the corresponding fields.
8. Choose Enter.
Result
The certificate is added to the list of certificates in the database.
Removing a Certificate From the Database
From the Trust Manager screen:
1. Choose Certificate → Database.
2. The View Maintenance for the Certificate Database screen appears.
3. Select the certificates that you want to remove from the list of certificates.
4. Choose Delete.
5. Save the data.
Retrieving a Certificate From the Database
Use
Use this procedure to retrieve a certificate from the certificate store, for example, so that you can import it into a PSE's certificate list.
Procedure
From the Trust Manager screen:
1. In the certificate section, choose Import certificate.
2. The Import certificate dialog appears.
3. Select the Database tabstrip.
4. Select the certificate from the certificate database and choose Enter.
The certificate appears in the certificate section.
Result
The certificate is available for additional functions. For example, you can use the Add certificate function to import the certificate into a PSE's certificate list.
Deactivating Certificates in the Database
Use
For the trust manager to be able to import a certificate request response, the response must exist in the correct format, PKCS#7 certificate chain, which contains
both the requester's signed public-key certificate and the issuing CA's root certificate. If intermediate CAs are also used, then their public-key certificates must
also be included in the response.
However, if your certificate request response contains only the requester's certificate, then the trust manager automatically builds the PKCS#7 certificate chain
format as necessary using this certificate and the issuing CA's root certificate. A prerequisite for this procedure is that the CA's root certificate must exist in the
certificate store. If the CA's root certificate does not exist or is deactivated, then an error occurs when importing the response.
The trust manager cannot build the correct format if intermediate CAs are used.
You may want to deactivate a certificate in the certificate store so that the system does not use the certificate to build the PKCS#7 certificate chain format from the
certificate request response. This may be necessary, for example, if the certificate store contains multiple entries for a CA where the Distinguished Names are
identical. In this case, deactivate those entries that are not to be used for building the correct format for the response.
Procedure
From the Trust Manager screen:
1. Choose Certificate → Database.
2. The View Maintenance for the Certificate Database screen appears.
3. Select the Inactive indicator for those certificates that you want to deactivate.
4. Save the data.
Result
The certificates that you deactivate are not used to build the certificate request responses.
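The chain-building rule stated in this section and in the note under Having PSE Certificates Signed by a CA (a PEM response with only the requester's certificate is completed from the certificate store; the issuing CA's root must exist there and be active; intermediate CAs cannot be handled; entries with identical Distinguished Names are disambiguated by deactivation), as an added example that is not the trust manager's code. Certificates are modelled as dicts with subject and issuer DNs, store entries follow the columns of the Certificate Store table plus an issuer DN so that a root is recognisable as self-signed, and the error texts and function names are this example's own assumptions.

```python
"""Completing a certificate request response into a PKCS#7-style chain
[requester certificate, issuing CA root] from the certificate store.

Added example, not the trust manager's code: dict-based certificate and
store-entry shapes, the issuer field on store entries and the error texts
are assumptions of this example."""

from typing import Dict, List

Cert = Dict[str, str]


class ChainBuildError(Exception):
    """The response cannot be turned into a PKCS#7 chain; the import would fail."""


def is_self_signed(cert: Dict) -> bool:
    return cert["subject"] == cert["issuer"]


def build_response_chain(response: List[Cert], store: List[Dict]) -> List[Dict]:
    """Return [requester, issuing CA root]; a multi-certificate response is
    taken as the PKCS#7 chain the CA supplied and returned unchanged."""
    if not response:
        raise ChainBuildError("certificate request response contains no certificate")
    if len(response) > 1:
        return list(response)
    requester = response[0]
    if is_self_signed(requester):
        raise ChainBuildError("response holds a self-signed certificate, not one issued by a CA")

    # Only active store entries take part in building the chain.
    candidates = [e for e in store
                  if not e["inactive"] and e["subject"] == requester["issuer"]]
    if not candidates:
        raise ChainBuildError(
            f"root certificate of the issuing CA {requester['issuer']!r} is missing "
            "from the certificate store or deactivated")
    if len(candidates) > 1:
        names = ", ".join(e["description"] for e in candidates)
        raise ChainBuildError(
            f"several active store entries share the DN {requester['issuer']!r} ({names}); "
            "deactivate the entries that are not to be used")
    ca = candidates[0]
    if not is_self_signed(ca):
        # The trust manager cannot build the format when intermediate CAs are used.
        raise ChainBuildError(
            f"{ca['description']!r} is an intermediate CA; the CA must supply the "
            "full PKCS#7 chain in the response")
    return [requester, ca]


def set_inactive(store: List[Dict], description: str, inactive: bool = True) -> None:
    """Set or clear the Inactive indicator of a store entry, as in the procedure above."""
    for entry in store:
        if entry["description"] == description:
            entry["inactive"] = inactive
            return
    raise KeyError(description)


def sample_store() -> List[Dict]:
    """Constructed store mirroring the MYCA rows of the example table below."""
    myca = "CN=myCA, O=myCompany, C=US"
    return [
        {"short_name": "MYCA", "category": "Server Certificate", "subject": myca,
         "issuer": myca, "inactive": False, "description": "myCA Server CA"},
        {"short_name": "MYCA", "category": "User Certificate", "subject": myca,
         "issuer": myca, "inactive": True, "description": "myCA User CA"},
        {"short_name": "MYCA", "category": "Test Certificate", "subject": myca,
         "issuer": myca, "inactive": True, "description": "myCA Test CA"},
    ]


# Constructed response: PEM-style, carrying only the requester's certificate.
SAMPLE_RESPONSE = [{"subject": "CN=MY1, O=MyCompany, C=US",
                    "issuer": "CN=myCA, O=myCompany, C=US"}]
```

With the User CA and Test CA entries deactivated the chain is completed with the myCA Server CA entry; re-activating a second entry with the same DN makes the choice ambiguous, and deactivating all of them reproduces the import error described above.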
Example
The certificate store contains the following entries:
Certificate Store
Short name | Category | Distinguished Name | Inactive | Description
SAPTRUST | Server Certificate | CN=Server CA, OU=Server, O=SAP Trust Community, C=DE | | SAP Server CA
SAPTRUST | User Certificate | CN=SAP Passport CA, O=SAP Trust Community, C=DE | | SAP Passport CA
SAP_WP | Server Certificate | CN=mySAP.com Workplace CA (dsa), O=mySAP.com Workplace, C=DE | | SAP Workplace CA (DSA)
MYCA | Server Certificate | CN=myCA, O=myCompany, C=US | | myCA Server CA
MYCA | User Certificate | CN=myCA, O=myCompany, C=US | X | myCA User CA
MYCA | Test Certificate | CN=myCA, O=myCompany, C=US | X | myCA Test CA
In the case of MYCA, all three CAs have the same Distinguished Name. We have therefore deactivated the entries for the myCA User CA and the myCA Test CA. The system then uses the public-key certificate belonging to the myCA Server CA for building certificate request responses from the myCA.
Example
For an example about how to use the trust manager for a configuration scenario, see Configuring the SAP Web AS for Supporting SSL.
Terminology and Abbreviations
certificate list
Certification Authority (CA)
credentials
logon ticket
Personal Security Environment (PSE)
private key
public key
public-key certificate
public-key infrastructure (PKI)
public-key technology
SAP Cryptographic Library (SAPCRYPTOLIB)
SAP Security Library (SAPSECULIB)
Secure Sockets Layer (SSL) Protocol
Secure Store & Forward (SSF)
SSO Personal Security Environment (SSO PSE)
system PSE
verification PSE
Secure E-Mails with Digital Signature and Encryption with S/MIME
Concept
You want to send and/or receive signed and/or encrypted e-mails from an AS ABAP to a user. You can use the signature and encryption feature that is embedded
in the AS ABAP. To be able to send and receive e-mails with signature and encryption, you must configure S/MIME in the trust manager. For more information,
see Configuring E-Mails with S/MIME (AS ABAP E-Mail Server).
If you exchange e-mails with an external e-mail client, for example Microsoft Outlook or Mozilla Thunderbird, you have to make sure that your e-mail client is
configured accordingly. For more information, see Configuring E-Mails with S/MIME (3rd-Party E-Mail Client).
Caution
When you send digitally signed or encrypted e-mails, keep in mind that the e-mail subjects are always transmitted in clear text.
Note
You have made the relevant SAPconnect settings for encryption and/or signature. For more information, see Sending and Receiving E-Mails Securely.
Configuring E-Mails with S/MIME (AS ABAP E-Mail Server)
Use
You want to send and/or receive signed and/or encrypted e-mails with the AS ABAP's e-mail server (S/MIME Version 2, IETF standard RFC 2311). To do this,
you must make sure that S/MIME identities exist in the trust manager. The AS ABAP server uses the system e-mail address (not a user e-mail address). You
need one S/MIME identity per system e-mail address. The S/MIME identity is a container for the private and public key. The private key of the Personal Security
Environment (PSE) is used to digitally sign e-mails. The PSE contains the signature certificate with the private key for digitally signed e-mails. Moreover, for
verifying signatures, the AS ABAP server must have a trust relationship with the Certification Authority (CA) of the sender. It can be established with the
respective CA certificates acting as trust anchors.
Prerequisites
To make sure that e-mails are marked to be signed and/or encrypted, you must set the respective parameters in SAPconnect. For more information, see Sending
and Receiving E-Mails Securely .
Procedure
This section describes how to configure S/MIME for sending and receiving signed e-mails.
1. Decide which S/MIME identities you want to use. You have the following options:
Standard S/MIME identity
Custom S/MIME identities (for more information, see Creating Custom S/MIME Identities )
2. Import a PSE into the trust manager. By default, the trust manager displays the default S/MIME identity in the side panel on the left. The S/MIME PSE has the icon with the description S/MIME Standard or with the name you chose when you created your custom S/MIME identities.
Note
An ABAP application server is currently not able to generate an S/MIME PSE. You must generate a PSE for S/MIME with third-party tools and import it
into the trust manager. For more information, see Generating an S/MIME PSE .
To import your PSE for S/MIME, perform the following steps:
1. Start the trust manager (transaction STRUST).
2. Choose PSE → Import and import the PSE from the file system.
3. Choose PSE → Save as.... A dialog box appears, on which you can save PSEs in different formats.
4. To save your PSE as an S/MIME identity, choose S/MIME.
5. Enter the name of your STRUST identity.
6. Choose .
If you use Standard as your description in the side panel on the left side, the system now displays SMIME Standard instead of SMIME Standard. In the section Own Certificate, you see the subject of the imported PSE. Double-clicking the certificate displays the details of the certificate. In most cases, the e-mail address is displayed as the subject alternative name and, in some cases, as the subject.
Note
Remember that you need one PSE per e-mail address.
As of now, it is possible to sign the certificate of the sender. To verify the signature of the sender, the AS ABAP server needs a certificate from the sender's
Certification Authority (CA) as a trust anchor.
1. Import the CA certificate by choosing Certificate → Import.
2. Add your CA certificate to the certificate list of the S/MIME PSE by choosing the Add to Certificate List pushbutton. The owner of the certificate appears in the Certificate List section.
3. Save your changes.
Result
You are now able to use an AS ABAP e-mail server to send and receive signed e-mails with S/MIME.
More Information
If you want to send and/or receive encrypted e-mails, see Configuring S/MIME Encryption for E-Mails .
For more information on PSEs, see Importing a PKCS#12 File .
Creating Custom S/MIME Identities
Use
You can create custom S/MIME identities, for example, if you want to create separate e-mail addresses for several employee groups in your business (for
example, sales, consulting, HR etc.), for several systems, or for different scenarios.
ProcedureTo create a custom S/MIME identity, proceed as follows:
1. Call the trust manager in transaction STRUST.
2. Choose Environment S/MIME Identities .
3. Choose the New Entries button.
4. In the table, enter an S/MIME identity name. The logical name is automatically entered when an S/MIME PSE is imported and saved. The system enters the
e-mail address from the CA certificate in the Logical Name column.
5. (Optional) If you want to use a specific hash algorithm for signatures, perform the following steps:
1. Scroll to the left to get to the SSF Hash Algorithm column and choose the hash algorithm in the F4 help.
2. Save your entries.
6. (Optional) If you want to use a specific encryption method, you can change these values. Proceed as follows:
1. Scroll to the left to get to the Encryption Algorithm column and choose the encryption algorithm in the F4 help.
2. Save your entries.
Note
If you do not choose any values for the signing and/or encryption algorithm, the system uses the algorithm that is determined in the RFC 2311
standard.
The SAP Cryptographic Library determines which hash and encryption algorithms are available.
7. Save your entries.
8. Return to the trust manager by choosing .
More Information
For more information, see Configuring Secure E-Mails with S/MIME (AS ABAP E-Mail Server) .
Generating an S/MIME PSE
Procedure
In an SAP system, you cannot currently generate PSEs with an e-mail address in the certificate. For this reason, you must use third-party tools to do so. We
recommend that you follow the procedure in the example below. It describes how you generate an S/MIME PSE and the corresponding CA certificate with the
third-party tool OpenSSL. For more information, see the documentation on the OpenSSL Web site.
Example
1. Download OpenSSL from the OpenSSL Web site.
2. Install the OpenSSL binary files.
3. Use OpenSSL to generate a P12 key pair file for the required e-mail address together with the corresponding CA certificate. For more information, see the
OpenSSL documentation.
4. Use SAPGENPSE to convert the generated P12 file to a PSE file. Use the following command:
sapgenpse import_p12 -p .pse .p12
For more information, see Creating PSEs and Maintaining the PSE Infrastructure .
Note
Remember that you need one PSE per e-mail address.
The required S/MIME PSE including e-mail address is now available. Import the PSE into the S/MIME identity in the trust manager (transaction STRUST).
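As an added example that is not part of the SAP documentation, the following POSIX shell script carries out step 3 of the procedure above with OpenSSL: it creates a private CA (the trust anchor that is later imported into the S/MIME PSE certificate list), issues a certificate that carries the e-mail address as subject alternative name and is restricted to S/MIME use, bundles everything into the P12 file that sapgenpse import_p12 reads, and checks those properties before the import. The CA name, the e-mail address and the file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not SAP's own tooling: build the PKCS#12 file that step 3 above
# leaves to "the OpenSSL documentation". Names (Demo S-MIME CA, user@example.com)
# and the output file names are constructed for this demo.
set -eu

# Create a private CA (the trust anchor STRUST later imports into the S/MIME PSE
# certificate list) and an end-entity S/MIME certificate for one e-mail address.
make_smime_p12() {
  dir="$1"; email="$2"; p12pass="$3"
  mkdir -p "$dir"
  # Self-signed CA; extensions come from an explicit extfile so the result does not
  # depend on the local openssl.cnf defaults.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo S-MIME CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca_ext.cnf"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
    -extfile "$dir/ca_ext.cnf" -out "$dir/ca.crt" 2>/dev/null
  # End-entity key pair; the e-mail address goes into the subject and (below) the SAN,
  # which is where the trust manager reads it from.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$email/emailAddress=$email" \
    -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
  printf 'subjectAltName=email:%s\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\n' \
    "$email" > "$dir/user_ext.cnf"
  openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/user_ext.cnf" -out "$dir/user.crt" 2>/dev/null
  # Bundle key, certificate and CA into the P12 that "sapgenpse import_p12" consumes.
  # (With OpenSSL 3, add -legacy if an older SAP Cryptographic Library rejects the file.)
  openssl pkcs12 -export -inkey "$dir/user.key" -in "$dir/user.crt" \
    -certfile "$dir/ca.crt" -name "$email" -passout "pass:$p12pass" -out "$dir/user.p12"
}

# Verify the properties the S/MIME setup relies on before importing: the certificate
# chains to the CA, carries the e-mail address as SAN, and is usable for S/MIME.
check_smime_cert() {
  dir="$1"; email="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/user.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/user.crt" -noout -ext subjectAltName | grep -q "email:$email" || return 1
  openssl x509 -in "$dir/user.crt" -noout -ext extendedKeyUsage | grep -q "E-mail Protection"
}

# Usage: sh smime_p12.sh <output dir> <e-mail address> [p12 password]
if [ "$#" -ge 2 ]; then
  make_smime_p12 "$1" "$2" "${3:-changeit}"
  check_smime_cert "$1" "$2" && echo "S/MIME P12 ready: $1/user.p12"
fi
```

The resulting user.p12 is the file passed to sapgenpse import_p12 in step 4, and ca.crt is the CA certificate to add to the certificate list of the S/MIME PSE.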
More Information
For more information, see Trust Manager.
Configuring S/MIME Encryption for E-Mails
Use
To send and/or receive encrypted e-mails with S/MIME, you must exchange the e-mail certificates between the AS ABAP server and the communication partner.
There are several options for exchanging these certificates:
Sending signed e-mails to one another. By default, a signed e-mail already includes the encryption certificate.
Manual import
Prerequisites
If you only want to send encrypted e-mails, you can ignore the prerequisites. If, however, you want to receive encrypted e-mails, you must fulfill the following
prerequisites:
You have created S/MIME identities in the trust manager.
You have imported the required CA certificates and PSEs. In Configuring E-Mails with S/MIME (AS ABAP E-Mail Server), you find more information about the
creation of S/MIME PSEs with a trust anchor.
Procedure
Option 1: When you and your communication partner send signed e-mails to one another, the AS ABAP automatically imports the encryption certificate to its
address book.
Option 2: To manually import the encryption certificate, perform the following steps:
1. Start the trust manager (transaction STRUST).
2. Choose Certificate Import .
3. Select the File tab.
4. Choose the certificate file in the relevant path.
5. Choose Open.
6. Choose (Input). The content of the certificate is now displayed in the Certificate section.
7. Choose Certificate Export .
8. Select the tab for the address book.
9. Choose (Input). This includes your certificate in the address book.
Option 3:
The SMIME enhancement spot contains the SMIME_EMAIL BAdI, which enables you to influence the certificate retrieval and selection process:
You need the certificate of a communication partner's e-mail address that is not stored in the address book of the trust manager. In this case, you derive your own
implementation class from the default implementation class of this BAdI. You overwrite/redefine the CERTIFICATE_RETRIEVAL method with your own
implementation to find a certificate that is associated with an e-mail address of the communication partner. For example, an LDAP server can provide this e-mail address.
When you implement the BAdI method CERTIFICATE_SELECTION, you can resolve ambiguity concerning certificate usage. This occurs if there are several
identical certificates for the same e-mail address. The period of validity of a certificate might have expired, a CRL might prevent you from using it, or the key
usage has the wrong type.
For more information, see the system documentation in the SMIME enhancement spot in Enhancements (transaction SE20), and the relevant BAdI methods in
interface IF_BADI_SMIME_EMAIL and in the default implementation class CL_SMIME_EMAIL_BADI_DEFAULT.
Configuring E-Mails with S/MIME (3rd-Party E-Mail Client)
Use
This document describes how you can make sure that e-mails that are signed or encrypted with S/MIME can be sent and received by a third-party e-mail client.
The AS ABAP server has the CA certificates that signed the PSE certificate in the trust manager (transaction STRUST) as trust anchors. The AS ABAP server
and the e-mail client must exchange their CA certificates so that they recognize one another as trusted authorities. When you import the CA certificate of the AS
ABAP server and the CA certificate of the third party e-mail client into the certificate list of the S/MIME PSE, you establish the trust anchors.
Prerequisites
You have imported the S/MIME PSE in the trust manager.
Procedure
Example
In the following example, we describe how you configure two third-party e-mail clients, Microsoft Outlook and Mozilla Thunderbird. You must execute this
procedure for the CA certificate of the PSE and for the CA certificate of your third-party e-mail client.
1. Start the trust manager (transaction STRUST).
2. Select your S/MIME PSE.
3. Choose Certificate Import
4. Select the File tab.
5. Enter or select the path and the format and choose the certificate file you want to import.
6. To import the certificate, choose . The trust manager displays the content of your CA certificate in the Certificate section.
7. Choose the Add to Certificate List pushbutton.
The CA certificate appears in the certificate list.
8. Choose .
Note
Perform the same steps for the CA certificate of your third-party e-mail client.
If you use Microsoft Outlook, you must import the CA certificate into your Internet Explorer.
1. Choose Internet options.
2. Select the tab where you can access the certificates, for example, the Content tab.
3. Go to the certificates.
4. Go to the tab with the trusted root certification authorities.
5. Follow the Internet Explorer procedure to import your CA certificate file that was generated by the PSE. For more information, see the Microsoft Outlook
documentation.
If you use Mozilla Thunderbird, import the CA certificate into the secure storage of Mozilla Thunderbird as described in the Mozilla Thunderbird documentation.
When Mozilla Thunderbird asks you whether you trust this CA to identify e-mail users, confirm this.
Assume that the AS ABAP sends a signed e-mail with the certificate signature to the respective e-mail client.
To ensure encryption, you need to import the certificate for encryption from the signed e-mail into your Microsoft Outlook address book. To do this, proceed as
follows:
1. Open the received signed e-mail that contains the certificate signature for encryption in Microsoft Outlook.
2. From the context menu of the e-mail address, choose to add the address to your Outlook contacts.
3. Save your changes and close the window.
Example
To ensure encryption, you need to import the certificate for encryption from the signed e-mail into the Mozilla Thunderbird certificate manager. To do this,
proceed as follows:
1. Open the received signed e-mail that contains the certificate signature for encryption in Mozilla Thunderbird.
2. Mozilla Thunderbird automatically adds the sender's certificate to the certificate manager.
3. Save your entries.