Certificados Criptografia SAP


  • 7/22/2019 Certificados Criptografia SAP

    1/20

    PRINT FROM SAP HELP PORTAL

    Document: Trust Manager

    URL: http://help.sap.com/saphelp_nw70ehp3/helpdata/en/4c/5bdb17f85640f1e10000000a42189c/frameset.htm

    Date created: September 05, 2013

    2013 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

    Note

    This PDF document contains the selected topic and its subtopics (max. 150) in the selected structure. Subtopics from other structures are not included.

    PUBLIC 2013 SAP AG or an SAP affiliate company. All rights reserved.

    Page 1 of 20


    Trust Manager

    Use

    Establishing solid trust relationships is vital to the success of your business transactions, especially with the use of the Internet, where company borders are not

    transparent. Therefore, many SAP applications rely on the use of public-key technology to establish the trust infrastructure that is necessary for successful

    business relationships.

    Public-Key Technology Support with the AS ABAP

    Examples of public-key technology support with SAP NetWeaver Application Server (AS) ABAP include the following:

    System digital signatures

    At start-up, each AS ABAP is supplied with a public and private key pair certificate that is stored in its own system Personal Security Environment (PSE). The

    AS ABAP can therefore produce its own digital signatures using the public-key information contained in its system PSE. Other systems can then verify the

    system's digital signature, which guarantees the integrity and authenticity of a document that has been digitally signed by the system.

    Example

    For example, you can use logon tickets for user authentication on the AS ABAP. The AS ABAP digitally signs the user's logon ticket after successful

    authentication. Instead of re-authenticating the user with a user ID and password, other systems can allow the user access after verifying the AS ABAP's

    digital signature provided with the user's logon ticket.

    Support for Secure Network Communications

    For the SAP protocols DIAG and RFC, the Secure Network Communications (SNC) interface provides secure communication. SNC uses an external security

    product to secure communications, whereby the SAP Cryptographic Library is provided as a default product for server-to-server communications within an SAP

    system landscape.

    When using the SAP Cryptographic Library, the system also stores the corresponding public and private key pair in the SNC PSE.

    Support for the Secure Sockets Layer (SSL) Protocol

    The AS ABAP supports the Secure Sockets Layer (SSL) protocol, which provides security when using Internet protocols such as HTTP. The security provided

    includes encrypted communications as well as authentication between the communication partners. In this case, the application server must also possess a

    public and private key pair to use for SSL communications.

    Web Services Security (WS-Security)

    Web services support digital signatures and encryption for Simple Object Access Protocol (SOAP) messages. In this case, the public and private keys used

    by the Web services are stored in corresponding PSEs.

    Secure Store and Forward Mechanisms (SSF)

    SAP systems support the use of an external security product using the SSF mechanisms. By using SSF, applications can support the use of digital

    signatures and document encryption in their processing.

    Certificate revocation checks

    The AS ABAP enables applications that check digital signatures and encrypt data to check certificate revocation lists for certificates that have been revoked

    by Certification Authorities (CAs). This ensures that the AS ABAP only accepts certificates that are valid and current.

    E-mails with digital signature and encryption with S/MIME

    The signature and encryption feature that is embedded in the AS ABAP enables you to send and receive e-mails with signature and/or encryption. You can configure S/MIME in the trust manager.

    Managing the Public-Key Information Using the Trust Manager

    To manage the public-key information necessary for these and other scenarios, use the trust manager. The trust manager performs the PSE and certificate

    maintenance functions such as generating key pairs, creating certificate requests to be signed by a CA, and maintaining the list of trusted CAs that the server

    accepts.

    Prerequisites

    You have an understanding of public-key technology and the terminology listed under Terminology and Abbreviations.

    To create SSL, SNC, or WS-Security PSEs, you must have installed the SAP Cryptographic Library.

    For more information, see Configuring the AS ABAP for Supporting SSL and Installing the SAP Cryptographic Library (SAP Web AS).

    Integration

    Use the trust manager to maintain the public-key information for the types of PSEs used by SAP applications. For example:

    System PSE

    SNC PSE, if you use the SAP Cryptographic Library as the security product.

    PSEs used for SSL-protected communications

    SSL server PSEs

    SSL client PSEs

    WS-Security PSEs

    S/MIME PSEs

    Arbitrary file PSEs

    PSEs used by SSF applications that use the SAP Security Library or SAP Cryptographic Library as the security product. You cannot use the trust manager to

    maintain PSEs for SSF applications that use a different security product.

    SSF applications are applications for which the security information is specified in the table SSFARGS. They include the SSF default application and various

    applications that use specific information, for example, the HTTP Content Server or the AS ABAP application for using logon tickets.

    Note

    You can store SSF application PSEs in the following locations:

    In the database, whereby a copy of the PSE is distributed to the system's application servers.

    In the file system, where it can be accessed at the operating system level. (The PSE must be located in a globally accessible directory.)


    Activities

    The trust manager provides functions for:

    Generating key pairs and corresponding certificate requests

    Importing the certificate request response into a PSE

    PSE maintenance (for example, creating, displaying, and deleting PSEs, as well as monitoring the status of PSEs)

    Maintaining a PSE's certificate list

    Generating a verification PSE (a PSE that can only be used to verify the subject's digital signature)

    Assigning a PIN to PSEs, which also creates credentials for the server so that the server can access a protected PSE at runtime

    Distributing a PSE to the individual application servers

    Importing PSEs (PKCS#12, PKCS#8, and PSE) and exporting PSEs (PKCS#12)

    Importing, parsing, and exporting certificates

    Checking certificates against certificate revocation lists (CRL) and manually changing the certificate status.

    Configuring e-mails with S/MIME for digital signatures and/or encryption.

    Example

    Use the trust manager to generate key pairs for the application servers that are to support SSL. You can then have the system create the corresponding certificate

    requests, which you send to a CA to be signed.

    Once you have received a response from the CA, use the trust manager to import the signed public-key certificate into the system's SSL server PSE.

    You can also use the trust manager to maintain the list of trusted CAs (certificate list) from which you accept public-key certificates to use for the SSL connection.
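    The workflow in the example above (generate the key pair, create the certificate request, send it to a CA, import the signed response into the PSE, and keep the PSE's certificate list restricted to the CAs you accept), as an added example that is not part of the SAP documentation and not SAP code. It models a PSE with Go's standard crypto/x509 package and uses a constructed root CA to play the issuing CA's side; the PSE and CA types and all function names are assumptions for this example, and SAP's PSE file format is not modelled. The final expiry check corresponds to the certificate-expiry alert (report SSFALRTEXP) mentioned under Creating or Replacing a PSE.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// PSE stands in for an SSL server PSE as the page describes it: key pair, own certificate, certificate list (trusted CAs). Constructed; not SAP's PSE format.
type PSE struct {
	Key      *ecdsa.PrivateKey
	Cert     *x509.Certificate
	CertList *x509.CertPool
}

// selfSigned generates a P-256 key pair and a self-signed certificate from the template.
func selfSigned(tmpl *x509.Certificate) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// NewPSE is the trust manager's "Create": a key pair plus a self-signed certificate that carries the chosen DN until the CA response is imported.
func NewPSE(subject pkix.Name, now time.Time) (*PSE, error) {
	key, cert, err := selfSigned(&x509.Certificate{Subject: subject, NotBefore: now, NotAfter: now.AddDate(0, 0, 30)})
	if err != nil {
		return nil, err
	}
	return &PSE{Key: key, Cert: cert, CertList: x509.NewCertPool()}, nil
}

// NewCA builds a constructed root CA that plays the issuing CA's side of the exchange.
func NewCA(name string, now time.Time) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	return selfSigned(&x509.Certificate{Subject: pkix.Name{CommonName: name}, NotBefore: now,
		NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign})
}

// CertificateRequest is the PKCS#10 request (DER) that is sent to the CA for signing.
func (p *PSE) CertificateRequest() ([]byte, error) {
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: p.Cert.Subject}, p.Key)
}

// SignRequest is the CA's step: check the request's self-signature, then issue a certificate for its subject and key.
func SignRequest(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, csrDER []byte, now time.Time, validity time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: csr.Subject, NotBefore: now,
		NotAfter: now.Add(validity), KeyUsage: x509.KeyUsageDigitalSignature}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// ImportResponse replaces the self-signed certificate with the CA-signed one; a response issued for another key pair is rejected.
func (p *PSE) ImportResponse(der []byte) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	if !p.Key.PublicKey.Equal(cert.PublicKey) {
		return errors.New("certificate response does not match the PSE's key pair")
	}
	p.Cert = cert
	return nil
}

// AddTrustedCA adds a CA certificate to the PSE's certificate list.
func (p *PSE) AddTrustedCA(ca *x509.Certificate) { p.CertList.AddCert(ca) }

// VerifyPeer accepts a peer certificate only if it chains to a CA in the PSE's own certificate list (the restrictive trust the page recommends).
func (p *PSE) VerifyPeer(peer *x509.Certificate, now time.Time) error {
	_, err := peer.Verify(x509.VerifyOptions{Roots: p.CertList, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// ExpiresWithin is the condition the SSFALRTEXP report alerts on: the PSE's certificate expires within d of now.
func (p *PSE) ExpiresWithin(now time.Time, d time.Duration) bool {
	return p.Cert.NotAfter.Before(now.Add(d))
}
```

    The key-pair check in ImportResponse is the property that matters when the CA's answer comes back: a certificate that does not belong to the PSE's private key is useless for SSL and must not overwrite the self-signed one. VerifyPeer uses only the PSE's own certificate list as roots, never the operating system's store, which is what "quite restrictive" means for the SSL server PSE.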

    More Information

    For more information about using public-key technology with the AS ABAP see the following:

    Public-Key Technology

    SSF User's Guide

    Using the SAP Cryptographic Library for SNC

    Secure E-Mails with Digital Signature and Encryption with S/MIME

    Getting Started with the Trust Manager

    Prerequisites

    To maintain SSF PSEs that use the SAP Security Library or the SAP Cryptographic Library as the security product, you must first maintain the applications in

    transaction SSFA.

    The SAP Cryptographic Library must be installed, for the nodes for the SSL, SNC, and WS-Security PSEs to appear.

    Structure

    The Trust Manager Screen

    The figure below depicts the sections of the trust manager screen (transaction STRUST).

    Figure 1: Sections of the Trust Manager Screen

    PSE Status

    In the Trust Manager screen, the PSE status frame (left frame) displays the PSEs defined for the system. The table below lists the PSE status icons and their

    meaning.


    You can check the status of the PSE on each of the servers of the cluster.

    For more information, see Checking the Local Status of Distributed PSEs.

    PSE Maintenance

    The PSE maintenance section (upper right) displays the PSE information about the PSE that you selected.

    Certificate

    The certificate section (lower right) displays certificate information about a certificate that you selected or imported.

    Note

    The PSE maintenance section and the certificate section are independent of one another. If you display a PSE in the PSE maintenance section, the trust

    manager does not automatically display the server's certificate in the certificate section.

    For more information, see Selecting Certificates.

    Selecting Certificates

    Context

    Use the certificate section to maintain certificate lists. Once selected or imported, the certificate appears in the Certificate section. Use the Certificate section as a "clipboard" for certificates. Once a certificate appears in the Certificate section, you can perform operations on the certificate.

    Procedure

    1. Start the trust manager (transaction STRUST).

    2. Find the certificate you want to work with.

    The certificates are either in a PSE or you must import them from a source.

    PSE certificates

    1. Double-click a PSE.

    2. Double-click a certificate.

    Imported certificates

    1. In the Certificatesection, choose .

    2. Enter data as required.

    Results

    The system displays the certificate in the Certificate section. The certificate may or may not be associated with the PSE displayed in the PSE maintenance

    section.

    Example

    You double-click a PSE to load it into the PSE maintenance section. Then you import a certificate from the file system. The certificate is not in the certificate list

    of the PSE until you add it to the certificate list. You can double-click another PSE to load it into the PSE maintenance section, without affecting the certificate

    displayed in the Certificate section.

    PSE Types

    You can maintain the following PSE types using the trust manager:

    System PSE

    SNC PSE

    SSL Server PSEs

    SSL Client PSEs

    WS-Security PSEs

    File PSE

    SSF Application PSEs

    System PSE

    Definition

    Personal security environment for the AS ABAP to use for digital signature functions.

    Use

    The AS ABAP uses its system PSE to create and verify digital signatures. However, it cannot use the system PSE for encrypting information.

    Structure

    PSE status icons and their description (the icon images themselves are not reproduced in this text):

    PSE exists for distribution to all application servers

    PSE does not exist in the database

    PSE that exists as a file

    The PSE is defined as a file, but does not exist

    Link to the system PSE


    The system PSE contains the system's security information including its public and private key pair and the corresponding certificate list.

    Integration

    The system PSE is created during the system's installation process and stored in the file $(DIR_INSTANCE)/sec/SAPSYS.pse. When creating the system PSE,

    the system creates a single PSE and distributes it to all of its application servers.

    SNC PSE

    Definition

    The application server's PSE for securing communications using Secure Network Communications (SNC) when you use the SAP Cryptographic Library as the

    security product.

    Use SNC to protect connections where the SAP protocols are used, for example, RFC and DIAG. (Note however, you cannot use the SAP Cryptographic Library

    on client components such as SAP GUI for Windows.)

    Use SSL to protect HTTP connections.

    Structure

    The SNC PSE contains the server's security information to use for securing the SNC connection. This information includes the server's public and private key and

    the corresponding certificate list.

    Integration

    When you create the SNC PSE, the system generates a single PSE for the system that is distributed to all of the application servers. The system stores the PSE

    in the file $(DIR_INSTANCE)/sec/SAPSNCS.pse.

    SSL Server PSEs

    Definition

    The application server's PSE for securing HTTP communications using the SSL protocol (HTTPS connections) when the application server is the server

    component for the communication.

    Note

    If the AS ABAP also communicates as a client component, then it uses one of the SSL client PSEs when establishing the HTTPS connection.

    Use

    You can set up different SSL server PSEs to use for different connections. These are referred to as SSL server identities. Each SSL identity possesses its own

    SSL server PSE. There is a standard identity that uses the standard SSL server PSE.

    Structure

    This PSE contains the application server's security information including its key pair and its corresponding certificate list. The certificate list contains the list of

    Certification Authorities (CAs) that the server trusts. The SSL server PSE's certificate list should be quite restrictive and contain only those public-key certificates

    from the CAs that the server accepts.

    Integration

    When you create an SSL server PSE for an identity, the system generates a default PSE. Alternatively you can create individual SSL server PSEs for specific

    servers. The system then distributes the PSEs to the application servers accordingly. The application servers that are not assigned an individual SSL server PSE

    receive the default SSL server PSE for the identity.

    The standard SSL server PSE is stored in the file $(DIR_INSTANCE)/sec/SAPSSLS.pse on each application server. Each additional SSL server PSE is stored in

    the file $(DIR_INSTANCE)/sec/SAPSSLS_.pse.

    SSL Client PSEs

    Definition

    The application server's PSEs to use for securing communications with the SSL protocol when the application server is the client component for the

    communication.

    Use

    There are three different types of SSL client PSEs that the server can use:

    Anonymous SSL Client PSE

    The application server uses the anonymous SSL client PSE to connect to other Web servers where only server-side authentication is used. It does not use it for its

    own authentication.

    Standard SSL Client PSE

    The SAP Web AS uses the standard SSL client PSE to authenticate itself on other Web servers when SSL client authentication is used and where no individual

    SSL client PSE is specified to use for the connection.

    Individual SSL Client PSEs

    The SAP Web AS can also use additional individual SSL client PSEs for authenticating itself on other Web servers. By using these PSEs, you can specify

    different "identities" for the application server to use for different services.

    If the SAP Web AS communicates as the server component for the SSL connection, then it uses the SSL server PSE to establish the HTTPS connection.

    Structure


    The SSL client PSEs contain the application server's security information, which includes the public and private key pair to use for the particular identity and the

    corresponding certificate list.

    Integration

    When you create an SSL client PSE, the system creates a single PSE for the system that is distributed to all of the application servers. The system stores the

    PSEs in the directory $(DIR_INSTANCE)/sec. The file names for the PSEs are:

    Anonymous: SAPSSLA.pse

    Standard: SAPSSLC.pse

    Individual: SAPSSL.pse

    WS-Security PSEs

    Definition

    The application server's PSEs to use for WS-Security (digital signatures and encryption).

    Use

    You can set up different WS-Security PSEs to use for different Web services. These are referred to as WS-Security identities. Each WS-Security identity

    possesses its own PSE. There is a standard identity that uses the standard WS-Security PSE.

    Note

    WS-Security PSEs use only the Rivest-Shamir-Adleman (RSA) algorithm.

    Structure

    This PSE contains the application server's security information including its key pair and its corresponding certificate list. The certificate list contains the list of

    Certification Authorities (CAs) that the server trusts when using the Web service(s) that use this PSE.

    Integration

    When you create a WS-Security PSE, the system creates a single PSE that is distributed to all of the application servers.

    The standard WS-Security PSE is stored in the file $(DIR_INSTANCE)/sec/SAPWSSE.pse. Each additional WS-Security PSE is stored in the file

    $(DIR_INSTANCE)/sec/SAPWSSE_.pse.

    File PSE

    Definition

    An arbitrary PSE that is stored locally in a file.

    Use

    A file PSE contains security information (key pair and certificate list) that is stored in a local file in the file system. The file PSE can be used for creating and

    verifying digital signatures, but not for encryption.

    SSF Application PSEs

    Definition

    PSEs that are specified to be used for SSF applications.

    Use

    The various SSF applications may use different PSEs to obtain the security information that they need. For example, the HTTP Content Server uses a different PSE than the SAP Web AS uses to sign logon tickets.

    Integration

    The various SSF applications are defined in SSF Customizing using the transaction SSFA. An SSF application may also use the SSF default PSE. When

    defining an SSF application PSE in transaction SSFA, you specify that the PSE should either be stored in the database and distributed to the application servers

    or stored as a file in the file system with no distribution.

    You can maintain any of the SSF application PSEs that use the SAP Security Library or the SAP Cryptographic Library using the trust manager, including the

    SSF default PSE.

    For more information on maintaining the SSF applications, see the SSF User's Guide.

    Creating PSEs and Maintaining the PSE Infrastructure

    Use

    Use the functions described below to maintain the PSE infrastructure, which includes creating, replacing, or deleting the various PSEs, and checking their status.

    Prerequisites

    The PSE is one of the following:


    System PSE

    SNC PSE (if the SAP Cryptographic Library is used as the security product)

    SSL server PSE (if the SAP Cryptographic Library is used as the security product)

    SSL client PSE (if the SAP Cryptographic Library is used as the security product)

    WS-Security PSE (if the SAP Cryptographic Library is used as the security product)

    S/MIME identity PSE (if the SAP Cryptographic Library is used as the security product)

    File PSE

    SSF application PSE (for applications that use the SAP Security Library or SAP Cryptographic Library as the security product)

    Procedure

    To access the trust manager, use the transaction STRUST. The following functions for maintaining the PSE infrastructure are then available from the Trust Manager screen.

    Note

    The context menu (right mouse button) only shows the functions that are active for the PSE that you select.

    Checking the Local Status of Distributed PSEs

    You can check the local status of distributed PSEs as follows:

    To check the local status of a PSE that has been distributed to individual application servers, expand the PSE node. The system automatically initiates the status check.

    To refresh the status of a single PSE, select the PSE and choose Check from the context menu. To refresh the status of all expanded PSE nodes, choose the menu item PSE → Check All PSEs.

    The status of the locally stored PSE is indicated as follows:

    Function / Choose / What you should know

    Function: Check the status of a single PSE
    Choose: Context menu: Check
    What you should know: This function only applies to PSEs that are stored in the database and distributed to the application servers. The PSE node must be expanded to be checked. Expanding the node also automatically initiates the check. For more information, see Checking the Local Status of Distributed PSEs.

    Function: Create a PSE
    Choose: Context menu: Create
    What you should know: This function creates a PSE and initiates distribution (if applicable). See also Creating or Replacing a PSE.

    Function: Distribute a PSE
    Choose: Context menu: Distribute
    What you should know: This function distributes the selected PSE to the system's application servers. Depending on the PSE type, the system distributes either a single PSE to all servers (for example, the system PSE), or it distributes a server-dependent PSE (the SSL server PSE).

    Function: Replace a PSE
    Choose: Context menu: Replace
    What you should know: This function generates a new PSE and distributes it automatically to the servers.

    Function: Delete a PSE
    Choose: Context menu: Delete
    What you should know: If the PSE is stored in the database and distributed, then the local copies of the PSE are also deleted.

    Function: Change PSEs
    Choose: Context menu: Change
    What you should know: For the SSL server PSE only: Create new PSEs or assign existing PSEs on individual servers where a PSE is missing (for example, if you have installed a new application server for the system). Change the current configuration (for example, reassign which servers receive individual PSEs and which receive the default PSE).

    Function: Import a PSE
    Choose: Menu: PSE → Import
    What you should know: Import a PSE from the file system.

    Function: Export a PSE
    Choose: Menu: PSE → Export
    What you should know: Export a PSE to the file system.

    Function: Save a PSE as a different PSE
    Choose: Menu: PSE → Save As...
    What you should know: You can save a PSE as the system PSE, as an SSF application PSE, or as a file PSE (export).

    Function: Check the status of all local PSEs (for all expanded nodes)
    Choose: Menu: PSE → Check All PSEs
    What you should know: This function also only applies to PSEs that are stored in the database and distributed to the application servers. For more information, see Checking the Local Status of Distributed PSEs.

    Function: Distribute all PSEs
    Choose: Menu: PSE → Distribute All PSEs
    What you should know: This function distributes all of the PSEs to the system's application servers.


    To display the status message, choose the application server (double-click). The status message is then displayed in the SAP GUI's message bar.

    The system uses the SAP Cryptographic Library per default. If the SAP Cryptographic Library has not been installed, then it uses the SAP Security Library,

    which is delivered with the SAP System. If neither library is accessible, then the error message SAPSECULIB not found occurs.

    Creating or Replacing a PSE

    Use

    Use the procedure below to create or replace a PSE. For example, you may have to replace a PSE when the public-key certificate contained in the PSE is about

    to expire.

    Note

    We recommend using the report SSFALRTEXP to automatically receive a system log message and alert in CCMS for certificates contained in the various

    PSEs that are about to expire. Alternatively, we also provide the report SSF_ALERTCERTEXPIRE that you can use manually or plan as a background job. For

    more information, see SAP Note 572035.

    Prerequisites

    You know the syntax for the server's Distinguished Name (DN). For more information, see the tables below.

    Distinguished Name Parts

    Requirements for the Server's Distinguished Name per PSE Type

    When Using the SAP CA

    If you use the SAP CA as the issuing CA, then the rest of the Distinguished Name (not the CN part) must be:

    Icon / Meaning / Possible Status Messages / Possible Actions to Correct Errors (the icon images themselves are not reproduced in this text)

    Meaning: Status of the PSE has not yet been checked
    Possible status messages: None
    Possible actions to correct errors: Not applicable

    Meaning: PSE OK
    Possible status messages: Local PSE OK
    Possible actions to correct errors: Not applicable

    Meaning: Error in the attempt to check the PSE
    Possible status messages: RFC connection failed
    Possible actions to correct errors: Test and repair the RFC connection.

    Meaning: PSE is corrupt
    Possible status messages and the actions to correct them:
    Local PSE does not match PSE in database: Redistribute the database PSE.
    SAPSECULIB not found: Reinstall the SAP Cryptographic Library or the SAP Security Library.
    Error in the test signature: Reinstall the SAP Cryptographic Library or the SAP Security Library.
    Unknown status: Redistribute the database PSE.
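    The status evaluation behind the table above (and behind Checking the Local Status of Distributed PSEs earlier in this document), as an added example that is not part of the SAP documentation and not SAP code. It derives one server's status in the order the messages imply: RFC reachability, availability of a security library, identity of the local copy with the database PSE, and a test signature made with the locally loaded key and verified with the database PSE's public key. The LocalCheck and Status types, the SHA-256 comparison, the challenge string and the sample servers are all constructed for this example; STRUST gathers the real data over RFC.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// LocalCheck is what the central instance learns about one application server's copy of a
// distributed PSE. Constructed for this example; STRUST collects this information over RFC.
type LocalCheck struct {
	Server     string
	RFCReached bool              // the RFC connection to the server worked
	LibraryOK  bool              // the SAP Cryptographic Library or SAP Security Library could be loaded
	LocalPSE   []byte            // contents of the server's local PSE file, nil if unreadable
	LocalKey   *ecdsa.PrivateKey // private key the server loaded from that file
}

// Status mirrors the status-message and corrective-action columns of the page's table.
type Status struct {
	Message string
	Action  string
}

var StatusOK = Status{"Local PSE OK", "Not applicable"}

const reinstall = "Reinstall the SAP Cryptographic Library or the SAP Security Library."

// CheckLocalPSE derives the status of one server's local PSE: reachability, library,
// identity with the database PSE (compared here by SHA-256), then a test signature.
func CheckLocalPSE(c LocalCheck, dbPSE []byte, dbPub *ecdsa.PublicKey) Status {
	if !c.RFCReached {
		return Status{"RFC connection failed", "Test and repair the RFC connection."}
	}
	if !c.LibraryOK {
		return Status{"SAPSECULIB not found", reinstall}
	}
	if c.LocalPSE == nil || sha256.Sum256(c.LocalPSE) != sha256.Sum256(dbPSE) {
		return Status{"Local PSE does not match PSE in database", "Redistribute the database PSE."}
	}
	// Test signature: sign a constructed challenge with the local key, verify with the database key.
	digest := sha256.Sum256([]byte("trust manager test signature challenge"))
	if c.LocalKey == nil {
		return Status{"Error in the test signature", reinstall}
	}
	sig, err := ecdsa.SignASN1(rand.Reader, c.LocalKey, digest[:])
	if err != nil || !ecdsa.VerifyASN1(dbPub, digest[:], sig) {
		return Status{"Error in the test signature", reinstall}
	}
	return StatusOK
}

// CheckAllPSEs is the "Check All PSEs" walk over every server that reports a copy.
func CheckAllPSEs(checks []LocalCheck, dbPSE []byte, dbPub *ecdsa.PublicKey) map[string]Status {
	out := make(map[string]Status, len(checks))
	for _, c := range checks {
		out[c.Server] = CheckLocalPSE(c, dbPSE, dbPub)
	}
	return out
}

func main() {
	// Constructed sample: one consistent copy, one stale copy, one unreachable server.
	dbKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	staleKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dbPSE := []byte("constructed database PSE bytes")
	checks := []LocalCheck{
		{Server: "app01", RFCReached: true, LibraryOK: true, LocalPSE: dbPSE, LocalKey: dbKey},
		{Server: "app02", RFCReached: true, LibraryOK: true, LocalPSE: []byte("old copy"), LocalKey: staleKey},
		{Server: "app03", RFCReached: false},
	}
	for server, st := range CheckAllPSEs(checks, dbPSE, &dbKey.PublicKey) {
		fmt.Printf("%s: %s -> %s\n", server, st.Message, st.Action)
	}
}
```

    The byte comparison catches a copy that was never redistributed after a Replace; the test signature catches a copy whose bytes match but whose key material cannot be used by the library on that server, which is why the page's corrective action for it is reinstalling the library rather than redistributing.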

    DN Part    Definition                        Examples

    CN         Common Name

    OU         Organizational Unit (optional)    Department name

    O          Organization                      Company name

    C          Country                           USA: US; Germany: DE

    PSE / Requirement

    System PSE: Default Distinguished Name: CN=
    If no system PSE exists when the application server is started, then the system automatically creates the public-key certificate for the system PSE using the Distinguished Name CN=. If you replace this PSE, you can freely choose the new Distinguished Name.

    SNC PSE: The Distinguished Name must correspond to snc/identity/as
    The Distinguished Name used for the SNC PSE's public-key certificate must match the Distinguished Name part of the server's SNC name (without the p:), which is specified in the application server's profile parameter snc/identity/as.

    SSL Server PSE: CN part of Distinguished Name: CN=
    The Common Name (CN) part of the Distinguished Name for the SSL server PSE's public-key certificate must correspond to the fully qualified host name that users will use to access the application server, for example, CN=host123.mycompany.com.

    Anonymous SSL Client PSE: Distinguished Name: CN=anonymous
    The system automatically uses the Distinguished Name CN=anonymous for the anonymous SSL client PSE's public-key certificate. You cannot change this name. In addition, the application server cannot use this identity to authenticate itself.

    All Other PSEs: Distinguished Name: No special requirements
    You can freely choose the Distinguished Name for the public-key certificates stored in the rest of the PSEs.


    OU=I-, OU=SAP Web Application Server, O=SAP Trust Community, C=DE

    For the first OU (Organizational Unit) part, you specify your customer number only. The SAP CA automatically extends the OU part to include your company

    name.

    Procedure

    From the Trust Manager screen:

    1. Select the desired PSE node.

    2. Using the context menu, choose Create (if no PSE exists) or Replace.

    The PSE dialog appears.

    3. Enter the components of the system's Distinguished Name in the corresponding fields. If you use a reference to a CA name space, the system automatically includes those components of the CA's Distinguished Name in the newly generated name. See the table and examples below.

    4. Choose Enter.

    Note

    If you are creating an SSL server PSE, then the system generates a default system-wide Distinguished Name and then provides you with a list of

    possible server-specific names. For each application server, you can then choose to use either the server-specific Distinguished Name or you can use

    the system-wide name. For more information, see Creating the SSL Server PSE.

Distinguished Name Parts

Field          DN Part          Input / Comment
Name           CN               For example, MY1 (see the examples below).
Org. (opt.)    OU               For example, the department name. Input is optional. Default: the customer number used in the SAP CA name space (I0120007965 in Example 1 below).
Comp./Org.     OU or O          If you use a reference to a CA name space, the system uses the input for this field as an additional OU part. Otherwise, it uses this entry for the O part. The default entry is the OU part when using the SAP CA: SAP Web Application Server. Use the toggle function to activate or deactivate the reference to a CA name space.
Country        C                Input is only available if you do not use a reference to a CA name space.
CA             Not applicable   Input is available if you use a reference to a CA. Enter the CA's name space. The default entry is the name space for the SAP CA (O=SAP Trust Community, C=DE). The server or system's Distinguished Name is then generated using this extension. See the examples below.

Tip

Example 1: Reference to the SAP CA Name Space

The following example uses the input provided and a reference to the SAP CA name space:

Name = MY1
Org. (opt.) = I0120007965 (default)
Company = SAP Web Application Server (default)
CA Reference = O=SAP Trust Community, C=DE (default)

The trust manager then generates a public-key certificate with the Distinguished Name CN=MY1, OU=I0120007965, OU=SAP Web Application Server, O=SAP Trust Community, C=DE.

Example 2: No Reference to a CA Name Space

The following example does not use a reference to a CA name space.

Input:

Name = MY1
Company = MyCompany
Country = US

The Distinguished Name is then CN=MY1, O=MyCompany, C=US.

Result

The system creates a new public and private key pair and a self-signed public-key certificate that are stored in the PSE. If the PSE is stored in the database and should be distributed, then the system automatically distributes the PSE to the individual application servers.
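The field-to-DN mapping described in the table and examples above, as an added example that is not part of the SAP documentation: a small Python function that builds the Distinguished Name the way the table describes (Comp./Org. becomes an OU part when a CA name space is referenced and the O part otherwise; Country is only available without a reference), plus the host-name check that the SSL server PSE requirement at the start of this section implies. The SAP CA name space and default company value are the ones stated on the page; the function names, the simple comma-separated DN handling and the sample inputs are this example's own assumptions.

```python
"""Build the Distinguished Name the PSE dialog generates from its fields.

Added example for this page, not SAP code.  The SAP CA name space and the
default company value are taken from the documentation above; the function
names and the simple comma-separated DN handling are assumptions made for
this example (real DNs may contain escaped commas).
"""

# Defaults stated in the 'Distinguished Name Parts' table (from the page)
SAP_CA_NAMESPACE = "O=SAP Trust Community, C=DE"
SAP_CA_DEFAULT_COMPANY = "SAP Web Application Server"


def build_pse_dn(name, company, org=None, country=None, ca_reference=None):
    """Return the DN string for the given dialog fields.

    name          Name field    -> CN part (mandatory)
    org           Org. (opt.)   -> optional OU part (department, or customer number with the SAP CA)
    company       Comp./Org.    -> OU part with a CA reference, O part without one
    country       Country       -> C part, only available without a CA reference
    ca_reference  CA            -> the CA's name space, appended unchanged
    """
    if not name:
        raise ValueError("Name (CN) is mandatory")
    parts = [f"CN={name}"]
    if org:
        parts.append(f"OU={org}")
    if ca_reference:
        # With a CA name space reference the dialog offers no Country field;
        # the company becomes an additional OU and the name space supplies O and C.
        if country:
            raise ValueError("Country is not available when a CA name space reference is used")
        parts.append(f"OU={company}")
        parts.append(ca_reference)
    else:
        parts.append(f"O={company}")
        if country:
            parts.append(f"C={country}")
    return ", ".join(parts)


def dn_parts(dn):
    """Split 'CN=a, OU=b, O=c' into [('CN', 'a'), ('OU', 'b'), ('O', 'c')]."""
    result = []
    for piece in dn.split(","):
        key, _, value = piece.strip().partition("=")
        result.append((key.strip().upper(), value.strip()))
    return result


def cn_matches_host(dn, host):
    """SSL server PSE check: the CN must equal the fully qualified host name users type.

    Host names are case-insensitive, so the comparison is case-folded; a short
    host name without a domain part does not satisfy the FQDN requirement.
    """
    cns = [value for key, value in dn_parts(dn) if key == "CN"]
    if len(cns) != 1:
        return False
    cn = cns[0].rstrip(".").lower()
    return "." in cn and cn == host.rstrip(".").lower()


def demo():
    """Reproduce Example 1 and Example 2 from the page and one SSL host-name check."""
    example1 = build_pse_dn("MY1", SAP_CA_DEFAULT_COMPANY, org="I0120007965",
                            ca_reference=SAP_CA_NAMESPACE)
    example2 = build_pse_dn("MY1", "MyCompany", country="US")
    ssl_ok = cn_matches_host("CN=host123.mycompany.com, O=MyCompany, C=US",
                             "host123.mycompany.com")
    return example1, example2, ssl_ok


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The host-name check deliberately rejects a bare host name such as CN=host123: users reach the server through its fully qualified name, and that is what the certificate must carry.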


    Maintaining PSEs

    Use

    To maintain a specific PSE, select the PSE with a double-click. The PSE information appears in the PSE maintenance section (upper right).

    Caution

    All changes only apply after saving the data.

    Activities

    Having PSE Certificates Signed by a CA

    Creating Verification PSEs

    Protecting PSEs with Passwords

    Having PSE Certificates Signed by a CA

    Context

Self-signed certificates can be easier to implement, for example when configuring trust between a few components. Other scenarios might require the PSE certificate to be trusted by a multitude of browsers. In such cases, have your PSE certificates signed by a certificate authority (CA).

A certificate request and the corresponding response belong to a specific key pair and PSE. You can therefore only import the response into the PSE for which the request was generated.

For example, if you generate a new PSE after you have already sent a certificate request to a CA, then the response you receive is invalid and cannot be imported into the new PSE.

Procedure

1. Start the trust manager (transaction STRUST).

2. Select a PSE.

3. Choose PSE → Create Certificate Request.

4. Save the request and send it to a CA.

5. After receiving the certificate request response from the CA, choose PSE → Import Certificate Response.

Note

The certificate request response must be in the format PKCS#7 certificate chain, which contains the certificates of both the requester and the issuing CA. However, if the response contains only the requester's certificate in PEM (Privacy Enhanced Mail) format and no CA certificate, then the system builds the correct format. The root certificate of the issuing CA must exist in the certificate store.

    For more information, see Maintaining Certificates in the Database.

    6. Save your entries.

    Results

The new certificate does not automatically appear in the Certificate section. However, the text (Self-Signed) should disappear from the PSE maintenance section.

To view the certificate, double-click the certificate in the Owner field of the Own Certificate section. The certificate appears in the Certificate section.

    Creating Verification PSEs

    Context

    This function generates a verification PSE for the selected PSE that contains the PSE's own certificate and the certificates you select from the certificate list.

    You can then distribute and use this verification PSE to verify the digital signatures created by the corresponding certificate owners.

    For example, with this function you can export the public-key certificate and the certificate list and import the verification PSE into other systems so they can

    accept logon tickets from your system.

Procedure

1. Start the trust manager (transaction STRUST).

2. Select a PSE.

3. Choose PSE → Create Verification PSE.

    Protecting PSEs with Passwords

    Context

    Use this procedure to further protect a personal security environment (PSE) from unauthorized access. You can only maintain a password-protected PSE with the

    trust manager after providing the password. The system uses this password to create encrypted credentials for the server.

    Caution

    If you forget the password, you can no longer maintain the PSE using the trust manager.

Procedure

1. Start the trust manager (transaction STRUST).

2. Select a PSE.


3. Choose the Password pushbutton.

    4. Enter data as required.

    5. Save your entries.

    Adding Certificates to PSE Certificate Lists

    Context

    The certificate list contains the corresponding public-key certificates for the issuing CAs that the server should accept. For example, for the system to accept

    certificates signed by the SAP CA, the system PSE's certificate list must contain the SAP CA's public-key certificate.

    Caution

    All changes only apply after saving the data.

Procedure

1. Start the trust manager (transaction STRUST).

2. Select a certificate.

For more information, see Selecting Certificates.

3. Double-click a PSE.

4. Choose the Add to Certificate List pushbutton.

5. Save your entries.

    Maintaining the PSE Certificate List

    Use

    The certificate list contains the corresponding public-key certificates for the issuing CAs that the server should accept. For example, for the system to accept

    certificates signed by the SAP CA, the system PSE's certificate list must contain the SAP CA's public-key certificate.

    Not only can you add and remove certificates from the certificate list, but you can maintain the revocation status of the certificates, too.

    Caution

    All changes only apply after saving the data.

    Adding the SAP CA Certificate to PSE Certificate Lists

Procedure

1. Start the trust manager (transaction STRUST).

2. Select a PSE by double-clicking.

3. Choose Certificate → SAP Portal CA (DSA).

4. Choose the Add to Certificate List pushbutton.

5. Save your entries.

    Certificate Revocation

    Use

    SAP NetWeaver Application Server (AS) ABAP enables applications that check digital signatures and encrypt data to check certificate revocation lists for

    certificates that have been revoked by certificate authorities (CA). This ensures that the AS ABAP only accepts certificates that are valid and current.

    For more information, see Certificate Revocation.

    Enabling Certificate Revocation

    Prerequisites

    You know which certificate authority (CA) issues the CRLs you want to check.

    You know which CRL profile your applications use to check the CRLs.

    Context

    Before SAP NetWeaver Application Server (AS) ABAP can check for revoked certificates in certificate revocation lists (CRLs), you must make sure the AS

    ABAP is configured to perform such checks.

Procedure

1. Ensure the SSF Certificate Revocation PSE exists.

   1. Start the trust manager (transaction STRUST).

   2. Check if the SSF Certificate Revocation PSE appears in the PSE status list.

   If the PSE does not appear there, do the following:

      1. In the Change View "Application-Specific SSF Parameters" screen (transaction SSFA), add the Certificate Revocation (CREVOC) application. For more information, see Maintaining Application-Specific Information.

      2. In the trust manager, create the PSE.

      For more information, see Creating or Replacing a PSE.

2. Add the public-key signing certificate for the CAs that sign the CRLs you want your applications to check to the SSF Certificate Revocation PSE.


For more information, see Adding Certificates to PSE Certificate Lists.

3. Configure the CRL profiles used by your applications to be active.

For more information, see Configuring Profiles for Certificate Revocation.

Checking the Revocation Status of Certificates

Context

Use this procedure to check how the revocation check function of the trust manager evaluates a certificate with a given profile.

Procedure

1. Start the trust manager (transaction STRUST).

2. Select a certificate so that it appears in the Certificate area of the screen.

3. Choose Certificate → Check Block Status.

4. Choose a profile.

Only active profiles appear in the list.

5. Choose the Check pushbutton.

Results

The revocation check returns a status. When an application performs the status check, the application determines whether it accepts the certificate or not. If accepted, the application continues to perform whatever operation it is designed to do: verify digital signatures or encrypt data. If not accepted, the application should throw an exception. How the application handles the exception depends on the application. See the table below.

Status      Description                                                                                   Certificate Acceptance
GOOD        The certificate does not appear in any certificate revocation list (CRL).                     Certificate is accepted.
REVOKED     The certificate appears either in the manual revocation list or in the CRL of the CA.         Certificate is not accepted.
UNKNOWN     The revocation check has a source for the CRL, but cannot reach it: network error or file      If the profile is strict, the certificate is not accepted.
            not found. The validity of the certificate depends on whether the Strict flag of the profile   If the profile is not strict, the certificate is accepted.
            is set.
HOLD        CAs list certificates in CRLs with the value HOLD to indicate that the CA does not want to      Certificate is not accepted.
            permanently revoke the certificate. The CA may remove the certificate from the revocation
            list in the future.
UNCHECKED   The profile used to check the certificate is not active. The system does not perform a         Certificate is accepted.
            certificate revocation check.

Note that a profile without the Strict flag fails open: an unreachable CRL source yields UNKNOWN and the certificate is accepted. An inactive profile accepts every certificate, including certificates you have blocked manually.

Blocking Certificates

Context

Use this procedure to designate certificates untrustworthy for your SAP NetWeaver Application Server (AS) ABAP before the expiration date set by the certificate authority (CA). Once declared untrustworthy, you block the AS ABAP from accepting the certificate even if the CA still considers the certificate valid. Reasons to block certificates include the following:

Security was compromised and someone has access to a user's private key.

You want to replace a certificate with a new one before the old one has expired.

For more information, see Certificate Revocation.

AS ABAP enables you to either block individual certificates by issuer, subject, and serial number or block all certificates from a given issuer with a given subject that were issued before a given date.

Procedure

1. Start the trust manager (transaction STRUST).

2. Select a certificate.

For more information, see Selecting Certificates.

3. Choose Certificate → Block Manually.

4. Determine whether you want to block only this particular certificate or all certificates for this issuer and subject issued before the date and time you enter.

5. Save your entries.

Results

The next time the certificate revocation check checks this certificate, it returns a failure to the application calling the check, as long as the profile the application uses is active.

You can undo the blocking of the certificate.

For more information, see Changing the Revocation Status of Certificates.

Changing the Block Status of Certificates

Context

Use this procedure to undo the manual revocation of a certificate. You can change the status of any entry in the Certificate Status List. You can even undo the revocation of a certificate declared by a certificate authority, but this only applies to checks made on this cluster. You can also remove the blocking of a range of certificates from the Blocking List for Certificate Ranges.

Procedure


1. Start the trust manager (transaction STRUST).

2. Choose Environment → Certificate Block Management.

3. Choose the corresponding pushbutton.

4. Determine whether you want to change the block status of a single certificate or the revocation of a range of certificates for a given issuer and subject released before a given date and time.

For a single certificate, choose the Certificate Status List tab. Select a certificate and choose the pushbutton to remove it from the list.

Since the certificate no longer appears in the local status list, the revocation check considers the certificate valid unless it finds the certificate in a CRL source.

For a range of certificates, choose the Blocking List for Certificate Ranges tab. Select a range of certificates and choose the pushbutton to remove it from the list.

5. Save your entries.
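The decision procedure behind the status table, the manual blocks and the unblocking steps above, as an added example that is not part of the SAP documentation: a Python model that takes a certificate, a profile (active flag, Strict flag) and the block-management data and returns the status and whether the certificate is accepted. The status semantics are those of the table; the record layout, the function names, the sample certificate and the representation of a CRL as a plain dictionary are this example's own assumptions.

```python
"""Model of the certificate revocation check: how GOOD, REVOKED, HOLD,
UNKNOWN and UNCHECKED come about and which of them accept the certificate,
including the manual blocks kept under Certificate Block Management.

Added example for this page, not SAP code.  Status semantics follow the
status table; record layout, function names and sample data are assumptions
made for this example, and a CRL is a dictionary rather than a signed file.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Certificate:
    issuer: str
    subject: str
    serial: int
    issued_at: datetime


@dataclass
class Profile:
    name: str
    active: bool   # inactive profile -> UNCHECKED, everything accepted
    strict: bool   # Strict flag: unreachable CRL source -> not accepted


@dataclass
class BlockManagement:
    # Certificate Status List: single certificates blocked by (issuer, subject, serial)
    blocked: set = field(default_factory=set)
    # Blocking List for Certificate Ranges: (issuer, subject, issued-before)
    blocked_ranges: list = field(default_factory=list)
    # CRL cache per issuer: {serial: "revoked" | "hold"}; None means the configured
    # source could not be reached (network error, file not found)
    crl_cache: dict = field(default_factory=dict)


def block_manually(bm, cert, whole_range_before=None):
    """Certificate -> Block Manually: this certificate only, or every certificate with
    the same issuer and subject issued before the given date and time."""
    if whole_range_before is None:
        bm.blocked.add((cert.issuer, cert.subject, cert.serial))
    else:
        bm.blocked_ranges.append((cert.issuer, cert.subject, whole_range_before))


def unblock(bm, cert):
    """Remove the single-certificate entry from the Certificate Status List."""
    bm.blocked.discard((cert.issuer, cert.subject, cert.serial))


def check_certificate(cert, profile, bm):
    """Return (status, accepted) for cert under the given profile."""
    if not profile.active:
        return "UNCHECKED", True                 # no check at all, manual blocks ignored
    if (cert.issuer, cert.subject, cert.serial) in bm.blocked:
        return "REVOKED", False
    for issuer, subject, before in bm.blocked_ranges:
        if cert.issuer == issuer and cert.subject == subject and cert.issued_at < before:
            return "REVOKED", False
    crl = bm.crl_cache.get(cert.issuer)
    if crl is None:
        # source not reachable: a strict profile fails closed, a non-strict one fails open
        return "UNKNOWN", not profile.strict
    reason = crl.get(cert.serial)
    if reason == "hold":
        return "HOLD", False
    if reason is not None:
        return "REVOKED", False
    return "GOOD", True


def sample_certificate():
    """Constructed sample certificate (not from the page)."""
    return Certificate(issuer="CN=myCA, O=myCompany, C=US",
                       subject="CN=host123.mycompany.com, O=myCompany, C=US",
                       serial=4711, issued_at=datetime(2013, 1, 15, tzinfo=timezone.utc))


def demo():
    """Walk one certificate through the rows of the status table; returns the results."""
    cert = sample_certificate()
    strict = Profile("ZMYAPP", active=True, strict=True)
    lenient = Profile("ZMYAPP", active=True, strict=False)
    inactive = Profile("ZMYAPP", active=False, strict=True)
    bm = BlockManagement(crl_cache={cert.issuer: {}})
    seen = [check_certificate(cert, strict, bm)]          # GOOD
    block_manually(bm, cert)
    seen.append(check_certificate(cert, strict, bm))      # REVOKED (manual block)
    seen.append(check_certificate(cert, inactive, bm))    # UNCHECKED: block ignored
    unblock(bm, cert)
    bm.crl_cache[cert.issuer] = None                      # CRL source unreachable
    seen.append(check_certificate(cert, strict, bm))      # UNKNOWN, rejected
    seen.append(check_certificate(cert, lenient, bm))     # UNKNOWN, accepted
    bm.crl_cache[cert.issuer] = {cert.serial: "hold"}
    seen.append(check_certificate(cert, lenient, bm))     # HOLD
    return seen


if __name__ == "__main__":
    for status, accepted in demo():
        print(f"{status:<10} accepted={accepted}")
```

The two rows that matter operationally are UNKNOWN and UNCHECKED: an application whose profile is not strict keeps accepting certificates while its CRL source is down, and an application whose profile is inactive accepts even a certificate you blocked by hand.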

    Configuring Profiles for Certificate Revocation

    Context

    The certificate revocation function requires a profile to determine how it interprets the certificate status. Most important, a profile must be active, otherwise the

    revocation check always accepts the certificate no matter the revocation status. The profiles also include a source list, enabling the certificate revocation check to

    download the latest certificate revocation list (CRL).

    This procedure is required for enabling certificate revocation checks.

    For more information, see Enabling Certificate Revocation.

Procedure

1. Start the trust manager (transaction STRUST).

2. Choose Environment → Certificate Block Management.

3. Choose the Profile tab.

4. Select an existing profile or add a row to create a new one.

Note

Most applications already have their own profile in the list. You only need to create a new profile if you develop your own applications.

For more information, see Including Certificate Revocation Checks in Applications.

5. Enter data as required.

6. Edit the source list for the profile or reference the default source list.

You can also edit the default source list.

7. Save your entries.

    Results

    Once configured, you can perform a customizing transport of profiles or the default source list to other systems.

    For more information, see Transporting Profiles for Certificate Revocation.

    Transporting Profiles for Certificate Revocation

    Context

    To use profiles for certificate revocation on other SAP systems, SAP NetWeaver Application Server (AS) ABAP enables you to use the transport system.

    The AS ABAP can transport the following information:

    Name

    Description

    Configuration options

    Profile source list

    Note

    If the profile you transport is configured to use the default source list, the profile retains this configuration in the target system. The transported profile then

    uses the default source list of the target system. You can transport the default source list, too, but you overwrite the default source list of the target system.

    The customizing request is client specific.

Procedure

1. Start the trust manager (transaction STRUST).

2. Choose Environment → Certificate Block Management.

3. Choose the Profile tab.

4. Choose the transport pushbutton.

5. Enter data as required.

6. Save your entries.

    Next Steps

    Change and Transport System

Checking the CRL Cache

Prerequisites

The certificate revocation check has checked the CRL of a certificate, which either listed a CRL distribution point within the certificate itself or has a URL source defined in the source list for the issuer. The source list is part of the profile.

    For more information, see Configuring Profiles for Certificate Revocation.

    Context

    Use the certificate revocation list (CRL) cache to examine the CRLs downloaded by the certificate revocation check.

Procedure

1. Start the trust manager (transaction STRUST).

2. Choose Environment → Certificate Revocation Configuration.

3. Choose the CRL Cache tab.

Results

You can view information about the CRL, identifying the issuer and its serial number. You can also see when the certificate authority (CA) plans to update the CRL.

To download a new copy of the CRL, choose the Update Selected CRL pushbutton.

To examine the CRL in detail, choose the Save Selected CRL to pushbutton and save the CRL to your file system.

Once you have downloaded the CRL to your file system, you can inspect the complete list of revoked certificates, version, distribution point, and other information.

Including Certificate Revocation Checks in Applications

Context

You can add certificate revocation checks to your own custom applications.

Procedure

1. Create a profile for certificate revocation.

The profile name must begin with Z. All other profile names are reserved for SAP. System administrators can configure how the certificate revocation check manages certificates by changing the profile configuration.

2. Call the certificate revocation function module (STRUSTCRT_CHECK_CERTIFICATE) when you need to verify signatures or encrypt data.

The relevant building blocks are in SECF for verification and encryption and STRUST for the certificate revocation check.

3. Add the name of the profile to be transported with your application. When encrypting data and verifying signatures, you must include a parameter that identifies the profile for your application. Each application is intended to use its own profile.

4. In the target system, make sure the profile is active.

    4. In the target system, make sure the profile is active.

    Next Steps

    Configuring Profiles for Certificate Revocation

    Creating Additional Identities

    Use

    Use this procedure to create additional identities to use for SSL server PSEs, SSL client PSEs, and WS-Security PSEs.

    Procedure

From the Trust Manager screen:

1. Choose Environment → Identities.

The Change View: Identities maintenance screen appears. The table contains entries for the standard PSEs for this PSE type.

2. Choose New Entries.

The New Entries: Overview of New Entries maintenance screen appears.

3. Enter the PSE's information (Identity and Description) in the appropriate columns.

    4. Save the data.

    5. Go Back.

    Result

    You return to the Trust Manager screen. An entry for each identity for this PSE type appears in the PSE status section.

Maintaining Certificates in the Database

Use

You can maintain a list of CA root certificates in the database. You can then import these certificates into the various PSEs to specify which CAs the server should trust. The system also uses the certificates stored in the database to build the correct format for certificate request responses that exist in PEM format instead of the required PKCS#7 certification chain format.

    Procedures

    See the following:

    Adding a Certificate to the Database

    Removing a Certificate From the Database

    Retrieving a Certificate From the Database

    Deactivating Certificates in the Database

    Adding Certificates to PSE Certificate Lists


Adding a Certificate to the Database

    Use

Use this procedure to add a certificate to the system's list of certificates in the database. For example, you can add a CA's root certificate so that you can then easily import it into the various PSEs' certificate lists.

    Prerequisites

    You have access to the certificate, for example, the certificate exists as a file in your file system.

    Procedure

From the trust manager (transaction STRUST):

1. In the certificate section, choose Import certificate.

The Import Certificate dialog appears.

2. Select the certificate from its source (for example, from the file system) and choose Enter.

The certificate appears in the certificate section.

3. Choose Export certificate.

4. Select the Database tabstrip.

5. Enter a name, a category (for example, Root CA), and a description for the certificate in the corresponding fields.

6. Choose Enter.

    Result

    The certificate is added to the list of certificates in the database.

Removing a Certificate From the Database

From the Trust Manager screen:

1. Choose Certificate → Database.

The View Maintenance for the Certificate Database screen appears.

2. Select the certificates that you want to remove from the list of certificates.

3. Choose Delete.

4. Save the data.

Retrieving a Certificate From the Database

    Use

    Use this procedure to retrieve a certificate from the certificate store, for example, so that you can import it into a PSE's certificate list.

    Procedure

From the Trust Manager screen:

1. In the certificate section, choose Import certificate.

The Import certificate dialog appears.

2. Select the Database tabstrip.

3. Select the certificate from the certificate database and choose Enter.

The certificate appears in the certificate section.

    Result


    The certificate is available for additional functions. For example, you can use the

    Add certificate function to import the certificate into a PSE's certificate list.

Deactivating Certificates in the Database

Use

For the trust manager to be able to import a certificate request response, the response must exist in the correct format, PKCS#7 certificate chain, which contains both the requester's signed public-key certificate and the issuing CA's root certificate. If intermediate CAs are also used, then their public-key certificates must also be included in the response.

However, if your certificate request response contains only the requester's certificate, then the trust manager automatically builds the PKCS#7 certificate chain format as necessary using this certificate and the issuing CA's root certificate. A prerequisite for this procedure is that the CA's root certificate must exist in the certificate store. If the CA's root certificate does not exist or is deactivated, then an error occurs when importing the response.

The trust manager cannot build the correct format if intermediate CAs are used.

You may want to deactivate a certificate in the certificate store so that the system does not use the certificate to build the PKCS#7 certificate chain format from the certificate request response. This may be necessary, for example, if the certificate store contains multiple entries for a CA where the Distinguished Names are identical. In this case, deactivate those entries that are not to be used for building the correct format for the response.

Procedure

From the Trust Manager screen:

1. Choose Certificate → Database.

The View Maintenance for the Certificate Database screen appears.

2. Select the Inactive indicator for those certificates that you want to deactivate.

3. Save the data.

Result

The certificates that you deactivate are not used to build the certificate request responses.
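How the completion of a bare certificate response into a PKCS#7 chain depends on the certificate database, as an added example that is not part of the SAP documentation and serves both the Note under Having PSE Certificates Signed by a CA and the Use section above: a Python model that selects the issuing CA's entry from the certificate store, skips entries marked Inactive, and reports an error where the trust manager would (no usable root, or several active entries with the same Distinguished Name). The record layout and the sample store are constructed for this example (the store mirrors the example table that follows, with an issuer column added); certificates are represented by their subject and issuer names only, so no signature is verified. Where the trust manager refuses responses that involve intermediate CAs, this example goes further and follows the issuer chain up to a self-signed root.

```python
"""Model of how a certificate request response that arrives as a bare
certificate is completed into a PKCS#7 certificate chain from the CA
certificates in the certificate database, honouring the Inactive indicator.

Added example for this page, not SAP code.  Record layout and sample store
are constructed here; certificates carry only subject and issuer names, so
nothing is cryptographically verified.  Unlike the trust manager, this model
also walks through intermediate CAs up to a self-signed root.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CertRecord:
    short_name: str
    category: str
    subject: str      # Distinguished Name of the certificate owner
    issuer: str       # Distinguished Name of the issuing CA (equals subject for a root)
    description: str = ""
    inactive: bool = False


class ChainError(Exception):
    """Raised where the trust manager would report an error on import."""


def find_issuer(store, issuer_dn):
    """Return the single active database entry whose subject equals issuer_dn."""
    candidates = [c for c in store if c.subject == issuer_dn]
    active = [c for c in candidates if not c.inactive]
    if not active:
        if candidates:
            raise ChainError(f"all database entries for '{issuer_dn}' are deactivated")
        raise ChainError(f"no database entry for '{issuer_dn}'")
    if len(active) > 1:
        # Identical Distinguished Names: the page's remedy is to deactivate the
        # entries that must not be used; this model refuses to guess.
        names = ", ".join(c.description for c in active)
        raise ChainError(f"several active entries for '{issuer_dn}': {names}")
    return active[0]


def build_chain(response_cert, store, max_depth=5):
    """Return [requester, issuing CA, ..., root], the content of the PKCS#7 chain."""
    chain = [response_cert]
    current = response_cert
    while current.subject != current.issuer:          # stop at the self-signed root
        if len(chain) > max_depth:
            raise ChainError("issuer chain too long")
        current = find_issuer(store, current.issuer)
        chain.append(current)
    return chain


def sample_store():
    """The certificate store from the page's example, issuer names assumed self-signed."""
    my_ca = "CN=myCA, O=myCompany, C=US"
    sap_server = "CN=Server CA, OU=Server, O=SAP Trust Community, C=DE"
    sap_passport = "CN=SAP Passport CA, O=SAP Trust Community, C=DE"
    return [
        CertRecord("SAPTRUST", "Server Certificate", sap_server, sap_server, "SAP Server CA"),
        CertRecord("SAPTRUST", "User Certificate", sap_passport, sap_passport, "SAP Passport CA"),
        CertRecord("MYCA", "Server Certificate", my_ca, my_ca, "myCA Server CA"),
        CertRecord("MYCA", "User Certificate", my_ca, my_ca, "myCA User CA", inactive=True),
        CertRecord("MYCA", "Test Certificate", my_ca, my_ca, "myCA Test CA", inactive=True),
    ]


def demo():
    """Complete a constructed response issued by myCA; returns the chain's descriptions."""
    response = CertRecord("", "Server Certificate",
                          "CN=host123.mycompany.com, O=myCompany, C=US",
                          "CN=myCA, O=myCompany, C=US", "requester")
    return [c.description for c in build_chain(response, sample_store())]


if __name__ == "__main__":
    print(" -> ".join(demo()))
```

With the two deactivated MYCA entries the lookup is unambiguous and the chain is requester, myCA Server CA; reactivate either of them and the same import fails because three active entries share one Distinguished Name.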

Example

The certificate store contains the following entries:

Certificate Store

Short name   Category             Distinguished Name                                               Inactive   Description
SAPTRUST     Server Certificate   CN=Server CA, OU=Server, O=SAP Trust Community, C=DE                        SAP Server CA
SAPTRUST     User Certificate     CN=SAP Passport CA, O=SAP Trust Community, C=DE                             SAP Passport CA
SAP_WP       Server Certificate   CN=mySAP.com Workplace CA (dsa), O=mySAP.com Workplace, C=DE                SAP Workplace CA (DSA)
MYCA         Server Certificate   CN=myCA, O=myCompany, C=US                                                  myCA Server CA
MYCA         User Certificate     CN=myCA, O=myCompany, C=US                                       X          myCA User CA
MYCA         Test Certificate     CN=myCA, O=myCompany, C=US                                       X          myCA Test CA

In the case of MYCA, all three CAs have the same Distinguished Name. We have therefore deactivated the entries for the myCA User CA and the myCA Test CA. The system then uses the public-key certificate belonging to the myCA Server CA for building certificate request responses from the myCA.

Example

For an example of how to use the trust manager for a configuration scenario, see Configuring the SAP Web AS for Supporting SSL.

Terminology and Abbreviations

certificate list

Certification Authority (CA)

credentials

logon ticket

Personal Security Environment (PSE)

private key

public key

public-key certificate

public-key infrastructure (PKI)

public-key technology

SAP Cryptographic Library (SAPCRYPTOLIB)

SAP Security Library (SAPSECULIB)

Secure Sockets Layer (SSL) Protocol

Secure Store & Forward (SSF)

SSO Personal Security Environment (SSO PSE)

system PSE

verification PSE

Secure E-Mails with Digital Signature and Encryption with S/MIME

    Concept

    You want to send and/or receive signed and/or encrypted e-mails from an AS ABAP to a user. You can use the signature and encryption feature that is embedded

    in the AS ABAP. To be able to send and receive e-mails with signature and encryption, you must configure S/MIME in the trust manager. For more information,

    see Configuring E-Mails with S/MIME (AS ABAP E-Mail Server).

    If you exchange e-mails with an external e-mail client, for example Microsoft Outlook or Mozilla Thunderbird, you have to make sure that your e-mail client is

    configured accordingly. For more information, see Configuring E-Mails with S/MIME (3rd-Party E-Mail Client).

    Caution

    When you send digitally signed or encrypted e-mails, keep in mind that the e-mail subjects are always transmitted in clear text.

    Note

    You have made the relevant SAPconnect settings for encryption and/or signature. For more information, see Sending and Receiving E-Mails Securely.

    Configuring E-Mails with S/MIME (AS ABAP E-Mail Server)

    Use

    You want to send and/or receive signed and/or encrypted e-mails with the AS ABAP's e-mail server (S/MIME Version 2, IETF standard RFC 2311). To do this, you must make sure that S/MIME identities exist in the trust manager. The AS ABAP server uses the system e-mail address (not a user e-mail address). You need one S/MIME identity per system e-mail address. The S/MIME identity is a container for the private and public key. The private key of the Personal Security Environment (PSE) is used to digitally sign e-mails. The PSE contains the signature certificate with the private key for digitally signed e-mails. Moreover, for verifying signatures, the AS ABAP server must have a trust relationship with the Certification Authority (CA) of the sender. It can be established with the respective CA certificates acting as trust anchors.

    Prerequisites

    To make sure that e-mails are marked to be signed and/or encrypted, you must set the respective parameters in SAPconnect. For more information, see Sending and Receiving E-Mails Securely.

    Procedure

    This section describes how to configure S/MIME for sending and receiving signed e-mails.

    1. Decide which S/MIME identities you want to use. You have the following options:

    Standard S/MIME identity

    Custom S/MIME identities (for more information, see Creating Custom S/MIME Identities)

    2. Import a PSE into the trust manager. By default, the trust manager displays the default S/MIME identity in the side panel on the left. The S/MIME PSE has the icon with the description S/MIME Standard or with the name you chose when you created your custom S/MIME identities.

    Note

    An ABAP application server is currently not able to generate an S/MIME PSE. You must generate a PSE for S/MIME with third-party tools and import it into the trust manager. For more information, see Generating an S/MIME PSE.

    To import your PSE for S/MIME, perform the following steps:

    1. Start the trust manager (transaction STRUST).

    2. Choose PSE Import and import the PSE from the file system.

    3. Choose PSE Save as... A dialog box appears, in which you can save PSEs in different formats.

    4. To save your PSE as an S/MIME identity, choose S/MIME.

    5. Enter the name of your STRUST identity.

    6. Choose .

    If you use Standard as your description in the side panel on the left side, the system now displays SMIME Standard instead of SMIME Standard. In the section Own Certificate, you see the subject of the imported PSE. Double-clicking the certificate displays the details of the certificate. In most cases, the e-mail address is displayed as the subject alternative name and, in some cases, as the subject.

    Note

    Remember that you need one PSE per e-mail address.


    As of now, it is possible to sign the certificate of the sender. To verify the signature of the sender, the AS ABAP server needs a certificate from the sender's Certification Authority (CA) as a trust anchor.

    1. Import the CA certificate by choosing Certificate Import.

    2. Add your CA certificate to the certificate list of the S/MIME PSE by choosing the Add to Certificate List pushbutton. The owner of the certificate appears in the Certificate List section.

    3. Save your changes.

    Result

    You are now able to use an AS ABAP e-mail server to send and receive signed e-mails with S/MIME.

    More Information

    If you want to send and/or receive encrypted e-mails, see Configuring S/MIME Encryption for E-Mails.

    For more information on PSEs, see Importing a PKCS#12 File.

    Creating Custom S/MIME Identities

    Use

    You can create custom S/MIME identities, for example, if you want to create separate e-mail addresses for several employee groups in your business (for example, sales, consulting, HR etc.), for several systems, or for different scenarios.

    Procedure

    To create a custom S/MIME identity, proceed as follows:

    1. Call the trust manager in transaction STRUST.

    2. Choose Environment S/MIME Identities .

    3. Choose the New Entries button.

    4. In the table, enter an S/MIME identity name. The logical name is automatically entered when an S/MIME PSE is imported and saved. The system enters the e-mail address from the CA certificate in the Logical Name column.

    5. (Optional) If you want to use a specific hash algorithm for signatures, perform the following steps:

    1. Scroll to the left to get to the SSF Hash Algorithm column and choose the hash algorithm in the F4 help.

    2. Save your entries.

    6. (Optional) If you want to use a specific encryption method, you can change these values. Proceed as follows:

    1. Scroll to the left to get to the Encryption Algorithm column and choose the encryption algorithm in the F4 help.

    2. Save your entries.

    Note

    If you do not choose any values for the signing and/or encryption algorithm, the system uses the algorithm that is determined in the RFC 2311 standard.

    The SAP Cryptographic Library determines which hash and encryption algorithms are available.

    7. Save your entries.

    8. Return to the trust manager by choosing .

    More Information

    For more information, see Configuring Secure E-Mails with S/MIME (AS ABAP E-Mail Server).

    Generating an S/MIME PSE

    Procedure

    In an SAP system, you cannot currently generate PSEs with an e-mail address in the certificate. For this reason, you must use third-party tools to do so. We recommend that you follow the procedure in the example below. It describes how you generate an S/MIME PSE and the corresponding CA certificate with the third-party tool OpenSSL. For more information, see the documentation on the OpenSSL Web site.

    Example

    1. Download OpenSSL from the OpenSSL Web site.

    2. Install the OpenSSL binary files.

    3. Use OpenSSL to generate a P12 key pair file for the required e-mail address together with the corresponding CA certificate. For more information, see the OpenSSL documentation.

    4. Use SAPGENPSE to convert the generated P12 file to a PSE file. Use the following command (the placeholders stand for the PSE file name and the P12 file name):

    sapgenpse import_p12 -p <PSE_file>.pse <P12_file>.p12

    For more information, see Creating PSEs and Maintaining the PSE Infrastructure.

    Note

    Remember that you need one PSE per e-mail address.

    The required S/MIME PSE including e-mail address is now available. Import the PSE into the S/MIME identity in the trust manager (transaction STRUST).
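    The OpenSSL part of steps 3 and 4 above, as an added example that is not SAP's code and not taken from the OpenSSL project: it builds a private test CA (the trust anchor that later goes into the certificate list of the S/MIME PSE), issues a key pair for the system mailbox whose certificate carries that address as subjectAltName (the field STRUST displays after the import), exports everything as a P12 file, and checks the chain and the address before the file is handed to sapgenpse. The CA name, the mailbox sap-system@example.com and the passphrase are constructed placeholders; the sapgenpse call itself runs on the SAP host and is only shown in a comment.

```shell
#!/bin/sh
# Added example (not SAP's code): OpenSSL side of "Generating an S/MIME PSE".
# All names, the mailbox and the passphrase are constructed placeholders.
set -e

WORKDIR=$(mktemp -d)
MAILBOX="sap-system@example.com"   # constructed system e-mail address (one PSE per address)
P12_PASS="changeit"                # placeholder PKCS#12 passphrase

# Step 1: a self-signed test CA. Its certificate is the trust anchor that is
# added to the certificate list of the S/MIME PSE in STRUST (and that the
# communication partner imports on its side).
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
    -subj "/CN=Example SMIME Test CA/O=Example/C=DE" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" 2>/dev/null
}

# Step 2: key pair and certificate for the system mailbox. The address goes
# into subjectAltName; key usage and extended key usage mark the certificate
# as an e-mail protection certificate.
make_smime_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=SAP System Mail/O=Example/C=DE" \
    -keyout "$WORKDIR/smime.key" -out "$WORKDIR/smime.csr" 2>/dev/null
  cat > "$WORKDIR/smime.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=emailProtection
subjectAltName=email:$MAILBOX
EOF
  openssl x509 -req -sha256 -days 365 -in "$WORKDIR/smime.csr" \
    -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/smime.ext" -out "$WORKDIR/smime.pem" 2>/dev/null
}

# Step 3: bundle private key, certificate and CA certificate as PKCS#12 (the P12 file).
export_p12() {
  openssl pkcs12 -export -inkey "$WORKDIR/smime.key" -in "$WORKDIR/smime.pem" \
    -certfile "$WORKDIR/ca.pem" -name "$MAILBOX" \
    -passout "pass:$P12_PASS" -out "$WORKDIR/smime.p12"
}

# Checks before the import: the certificate chains to the trust anchor for the
# S/MIME signing purpose, and the mailbox is present in the SAN.
verify_against_anchor() {
  openssl verify -purpose smimesign -CAfile "$WORKDIR/ca.pem" "$1" >/dev/null
}

san_email() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | sed -n 's/.*email:\([^,[:space:]]*\).*/\1/p'
}

p12_has_certificate() {
  openssl pkcs12 -in "$WORKDIR/smime.p12" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE'
}

# Runs steps 1 to 3 plus the checks and prints the address found in the SAN.
build_smime_p12() {
  make_test_ca
  make_smime_cert
  export_p12
  verify_against_anchor "$WORKDIR/smime.pem"
  san_email "$WORKDIR/smime.pem"
}

# Step 4 is done on the SAP host with SAP's own tool and is not run here:
#   sapgenpse import_p12 -p smime.pse "$WORKDIR/smime.p12"
```

    The `verify -purpose smimesign` call fails if the key usage or extended key usage in the extension file is wrong, which is cheaper to find out here than after the PSE has been imported into STRUST. OpenSSL 3 writes PKCS#12 files with newer default algorithms than OpenSSL 1.x did; if an older sapgenpse rejects the file, re-export it with OpenSSL 3's `-legacy` option of the `pkcs12` command, which selects the older algorithms (this is a general OpenSSL 3 interoperability note, not something the SAP page states).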


    More Information

    For more information, see Trust Manager.

    Configuring S/MIME Encryption for E-Mails

    Use

    To send and/or receive encrypted e-mails with S/MIME, you must exchange the e-mail certificates between the AS ABAP server and the communication partner. There are several options for exchanging these certificates:

    Sending signed e-mails to one another. By default, a signed e-mail already includes the encryption certificate.

    Manual import

    Prerequisites

    If you only want to send encrypted e-mails, you can ignore the prerequisites. If, however, you want to receive encrypted e-mails, you must fulfill the following prerequisites:

    You have created S/MIME identities in the trust manager.

    You have imported the required CA certificates and PSEs. In Configuring E-Mails with S/MIME (AS ABAP E-Mail Server), you find more information about the creation of S/MIME PSEs with a trust anchor.

    Procedure

    Option 1: When you and your communication partner send signed e-mails to one another, the AS ABAP automatically imports the encryption certificate to its address book.

    Option 2: To manually import the encryption certificate, perform the following steps:

    1. Start the trust manager (transaction STRUST).

    2. Choose Certificate Import .

    3. Select the File tab.

    4. Choose the certificate file in the relevant path.

    5. Choose Open.

    6. Choose (Input). The content of the certificate is now displayed in the Certificate section.

    7. Choose Certificate Export .

    8. Select the tab for the address book.

    9. Choose (Input). This includes your certificate in the address book.

    Option 3:

    The SMIME enhancement spot contains the SMIME_EMAIL BAdI, which enables you to influence the certificate retrieval and selection process:

    You need the certificate of a communication partner's e-mail address that is not stored in the address book of the trust manager. In this case, you derive your own implementation class from the default implementation class of this BAdI. You overwrite/redefine the CERTIFICATE_RETRIEVAL method with your own implementation to find a certificate that is associated with an e-mail address of the communication partner. For example, an LDAP server can provide this e-mail address.

    When you implement the BAdI method CERTIFICATE_SELECTION, you can resolve ambiguity concerning certificate usage. This occurs if there are several identical certificates for the same e-mail address. The period of validity of a certificate might have expired, a CRL might prevent you from using it, or the key usage has the wrong type.

    For more information, see the system documentation in the SMIME enhancement spot in Enhancements (transaction SE20), and the relevant BAdI methods in interface IF_BADI_SMIME_EMAIL and in the default implementation class CL_SMIME_EMAIL_BADI_DEFAULT.
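    The selection decision that CERTIFICATE_SELECTION has to make, written as an added shell example with OpenSSL that is neither SAP's code nor the BAdI's default implementation: given several candidate certificates for one mailbox, it rejects the ones the page calls unusable (validity period ends too soon, key usage of the wrong type, and additionally a certificate that belongs to a different address) and returns the first usable one. The candidates are constructed self-signed throwaway certificates, the mailbox partner@example.com and the two-day grace window are assumptions, and the CRL case is left to `openssl verify -crl_check` rather than exercised here.

```shell
#!/bin/sh
# Added example (not SAP's code, not the SMIME_EMAIL BAdI): certificate
# selection for one mailbox with the rejection reasons the page lists.
set -e

WORKDIR=$(mktemp -d)
MAILBOX="partner@example.com"   # constructed address of the communication partner
GRACE_SECONDS=172800            # policy choice: treat certificates expiring within 2 days as unusable

# Constructed candidates: self-signed throwaway certificates with different properties.
# Arguments: name, validity in days, extendedKeyUsage, e-mail address for the SAN.
mk_candidate() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
    -subj "/CN=$1/O=Example/C=DE" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=$3" \
    -addext "subjectAltName=email:$4" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.pem" 2>/dev/null
}

build_candidates() {
  mk_candidate expiring 1   emailProtection "$MAILBOX"               # runs out within the grace window
  mk_candidate tlsonly  365 serverAuth      "$MAILBOX"               # wrong key usage type
  mk_candidate other    365 emailProtection "someone-else@example.com" # belongs to another mailbox
  mk_candidate usable   365 emailProtection "$MAILBOX"               # the one that should be chosen
}

# Prints why a certificate must be skipped; prints nothing if it is usable.
reject_reason() {
  cert=$1
  if ! openssl x509 -in "$cert" -noout -checkend "$GRACE_SECONDS" >/dev/null; then
    echo "validity ends within grace window"; return
  fi
  if ! openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null | grep -q "E-mail Protection"; then
    echo "key usage not suitable for e-mail"; return
  fi
  san=$(openssl x509 -in "$cert" -noout -ext subjectAltName | sed -n 's/.*email:\([^,[:space:]]*\).*/\1/p')
  if [ "$san" != "$MAILBOX" ]; then
    echo "certificate belongs to a different address ($san)"; return
  fi
}

# Prints the path of the first usable candidate; exit status 1 if none qualifies.
# Skipped candidates are reported on stderr so the decision can be audited.
select_certificate() {
  for candidate in "$@"; do
    reason=$(reject_reason "$candidate")
    if [ -z "$reason" ]; then
      echo "$candidate"
      return 0
    fi
    echo "skip $candidate: $reason" >&2
  done
  return 1
}
```

    Put the candidates in the order you prefer them (for example newest first), because the function returns the first one that passes all checks; a revocation check belongs in the same place and can be added with `openssl verify -crl_check -CRLfile <crl> -CAfile <ca>` once a CRL and the issuing CA certificate are available.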

    Configuring E-Mails with S/MIME (3rd-Party E-Mail Client)

    Use

    This document describes how you can make sure that e-mails that are signed or encrypted with S/MIME can be sent and received by a third-party e-mail client. The AS ABAP server has the CA certificates that signed the PSE certificate in the trust manager (transaction STRUST) as trust anchors. The AS ABAP server and the e-mail client must exchange their CA certificates so that they recognize one another as trusted authorities. When you import the CA certificate of the AS ABAP server and the CA certificate of the third-party e-mail client into the certificate list of the S/MIME PSE, you establish the trust anchors.

    Prerequisites

    You have imported the S/MIME PSE in the trust manager.

    Procedure

    Example

    In the following example, we describe how you configure two third-party e-mail clients, Microsoft Outlook and Mozilla Thunderbird. You must execute this procedure for the CA certificate of the PSE and for the CA certificate of your third-party e-mail client.

    1. Start the trust manager (transaction STRUST).

    2. Select your S/MIME PSE.

    3. Choose Certificate Import.

    4. Select the File tab.

    5. Enter or select the path and the format and choose the certificate file you want to import.

    6. To import the certificate, choose . The trust manager displays the content of your CA certificate in the Certificate section.

    7. Choose the Add to Certificate List pushbutton.

    The CA certificate appears in the certificate list.


    8. Choose .

    Note

    Perform the same steps for the CA certificate of your third-party e-mail client.

    If you use Microsoft Outlook, you must import the CA certificate into your Internet Explorer.

    1. Choose Internet options.

    2. Select the tab where you can access the certificates, for example, the Content tab.

    3. Go to the certificates.

    4. Go to the tab with the trusted root certification authorities.

    5. Follow the Internet Explorer procedure to import your CA certificate file that was generated by the PSE. For more information, see the Microsoft Outlook documentation.

    If you use Mozilla Thunderbird, import the CA certificate into the secure storage of Mozilla Thunderbird as described in the Mozilla Thunderbird documentation.

    When Mozilla Thunderbird asks you whether you trust this CA to identify e-mail users, confirm this.

    Assume that the AS ABAP sends a signed e-mail with the certificate signature to the respective e-mail client.

    To ensure encryption, you need to import the certificate for encryption from the signed e-mail into your Microsoft Outlook address book. To do this, proceed as follows:

    1. Open the received signed e-mail that contains the certificate signature for encryption in Microsoft Outlook.

    2. From the context menu of the e-mail address, choose to add the address to your Outlook contacts.

    3. Save your changes and close the window.

    Example

    To ensure encryption, you need to import the certificate for encryption from the signed e-mail into the Mozilla Thunderbird certificate manager. To do this, proceed as follows:

    1. Open the received signed e-mail that contains the certificate signature for encryption in Mozilla Thunderbird.

    2. Mozilla Thunderbird automatically adds the sender's certificate to the certificate manager.

    3. Save your entries.