CP-SAPRouter

CERTIFICATE POLICY OF THE SAPROUTER CERTIFICATE Version 1.0 SAP Trust Center Services



© Copyright 2001 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

All information in this document is compiled with great care. Neither SAP AG nor the author is liable for any damages or disservice that are in connection with the use of this document.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.

IBM®, DB2®, OS/2®, DB2/6000®, Parallel Sysplex®, MVS/ESA®, RS/6000®, AIX®, S/390®, AS/400®, OS/390®, and OS/400® are registered trademarks of IBM Corporation.

ORACLE® is a registered trademark of ORACLE Corporation.

INFORMIX®-OnLine for SAP and Informix® Dynamic Server TM are registered trademarks of Informix Software Incorporated.

UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.

Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.

HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

JAVA® is a registered trademark of Sun Microsystems, Inc. JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.

All other products mentioned are trademarks or registered trademarks of their respective companies.

SAP AG
Neurottstraße 16
69190 Walldorf
Germany
T +49/1805/34 34 24
F +49/1805/34 34 20
www.sap.com


CONTENTS

1 Introduction
1.1 Overview
1.2 Community and Applicability
1.2.1 Service Marketplace Root CA (SMP Root CA)
1.2.2 SAProuter Certification Authority (SAProuter CA)
1.2.3 Subscriber
1.2.4 Registration Authority (RA)
1.2.5 Applicability
1.3 Contact Details

2 General Provisions
2.1 Obligations
2.1.1 SAProuter CA obligations
2.1.2 RA obligations
2.1.3 Subscriber obligations
2.2 Publication of SMP Root CA information
2.3 Types of information to be kept confidential

3 Identification and Authentication
3.1 Initial Registration
3.1.1 Types of names
3.1.2 Authentication of Subscriber

4 Operational Requirements
4.1 Application for SAProuter-Certificate
4.2 Certificate Issuance for SAProuter
4.3 Security Audit Procedures
4.4 Records Archival
4.5 Compromise and Disaster Recovery
4.6 SAProuter CA Termination

5 Physical, Procedural and Personnel Security Controls
5.1 Physical Security Controls
5.2 Trusted roles

6 Technical Security Controls
6.1 SAProuter CA
6.2 SAProuter
6.3 Key sizes
6.4 Private Key Protection
6.5 Other aspects of Key Pair Management
6.5.1 Public Key archival
6.5.2 Usage periods for the public and private keys
6.6 Computer Security Controls

7 Specification Administration

8 Certificate Profiles
8.1 Certificate Profile of the SMP Root CA
8.2 Certificate Profile of the SAProuter CA
8.3 Certificate Profile of the SAProuter Certificate

9 Bibliography
9.1 Abbreviations
9.2 Glossary
9.2.1 Certificate Policy (CP)
9.2.2 Subscriber
9.2.3 Trust Manager
9.3 Literature


1 INTRODUCTION

This document describes the certificate policy (CP) of the SAProuter-Certificate, which is issued by the SAP Router Certification Authority (hereafter called SAProuter CA) at the SAP Trust Center Services (TCS).

The SAProuter CA issues SAProuter-Certificates for the SAP routers, in order to authenticate SAP routers during network communication.

The SAProuter-Certificate must be explicitly used only for the purpose of authentication of the SAProuter.

The structure of this policy is broadly based on the international Internet Standard “X.509 Public Key Infrastructure Certificate Policy and Certification Practice Statement framework” [RFC 2527]. Certain topics covered in RFC 2527 that are not applicable to this specific policy are not discussed here.

1.1 Overview

The hierarchy of the SAProuter-Certificate Public Key Infrastructure (hereafter called SAProuter-Certificate PKI) is shown in the figure below:

Figure 1 (diagram; labels recovered from the image): the SMP Root CA holds a self-signed Root CA-Certificate and issues the SAProuter CA-Certificate; the SAProuter CA in turn issues the SAProuter certificates R1 ... Rn.

Figure 1: Hierarchy of the SAProuter-Certificate PKI

The hierarchy of the SAProuter-Certificate PKI consists of two levels: the Service Marketplace Root Certification Authority (hereafter called SMP Root CA) and the SAProuter CA.

1.2 Community and Applicability

The following diagram shows the components that are relevant in the context of this policy:

Figure 2 (diagram; labels recovered from the image): inside SAP's secure Data Center sit the SMP Root CA, the SAProuter CA and the RA for the SAProuter CA, reached through the SAP Service Marketplace; outside it is the subscriber (end user with browser). The numbered arrows are labelled "Log on and send generated public key with certificate request" (subscriber to RA), "Send approved certificate request" (RA to SAProuter CA) and "pulls certificate" (subscriber).

Figure 2: Components of the SAProuter CA

1.2.1 Service Marketplace Root CA (SMP Root CA)

The SMP Root CA issues its Root CA-Certificate itself and is therefore used as the trust anchor. The SMP Root CA issues and manages the SAProuter CA-Certificate. Trust Center Services of SAP AG will operate the SMP Root CA.

1.2.2 SAProuter Certification Authority (SAProuter CA)

The SAProuter Certification Authority issues and manages SAProuter-Certificates to the SAProuters of SAP Trust Center’s internal and external customers on request. The SAProuter CA will be operated by SAP AG.

1.2.3 Subscriber

The subscribers of this policy are the authorized system administrators of the SAP Trust Center’s internal and external customers all over the world, who want to use their SAProuters in a secure medium. The SAProuter CA will issue the authentication certificates of SAProuters. The subscribers use these SAProuter-Certificates for authentication during network communication with SAProuters.


1.2.4 Registration Authority (RA)

The Registration Authority (RA) of the SAProuter CA is situated in the SAP Service Marketplace infrastructure. Each RA possesses an RA-Certificate issued by mySAP.com Workplace CA (for detailed information refer to the [CP: RA-Certificate02]). The RA of the SAProuter CA will be operated by SAP AG.

1.2.5 Applicability

The SAProuter-Certificates can be used only for SAProuter authentication during secure network communication.

1.3 Contact Details

The department of Global Solution Services of SAP AG, Germany, operates the SAProuter CA of the SAP Trust Center Services.

SAP AG
Global Solution Services
Trust Center Services
Raiffeisenring
68789 St. Leon-Rot
Germany
E-Mail: [email protected]
URL: http://service.sap.com/TCS


2 GENERAL PROVISIONS

2.1 Obligations

2.1.1 SAProuter CA obligations

The SAProuter CA has the following obligations:

• The SAProuter CA verifies the signature of the RA included in the SAProuter certificate request.

• The SAProuter CA issues certificates for SAProuters of SAP Trust Center’s internal and external customers on request. These requests must be approved and signed by the RA of the SAProuter CA situated in the SAP Service Marketplace.

• The SAProuter CA is obliged to make available all relevant documents and records to the SAP Trust Center Services on demand for audit purposes.

2.1.2 RA obligations

The RA has the following obligations:

• The RA validates and confirms the correctness of the applicant’s identity, legitimacy and data when applying for the SAProuter-Certificate. The RA also verifies the Distinguished Name contained in the certificate request.

• The RA is also authorized to reject a SAProuter-Certificate request, e.g. if the applicant is not entitled to the SAProuter-Certificate or the given distinguished name is incorrect.

• The RA is obliged to follow the rules and regulations given by the SAP Trust Center Services.

2.1.3 Subscriber obligations

The subscriber has the following obligations:

• The subscriber (here the authorized system administrator of the SAProuter) generates its own key pair.

• After generating the key pair, the requestor of the SAProuter-Certificate (here the authorized system administrator) must securely send the public key within the certificate request to the RA.∗

• The subscriber must include the necessary information in the certificate request.∗

• The subscriber must protect its private key from unauthorized use.

• The subscriber is not allowed to distribute keys and certificates for unauthorized use.

∗ This is an automated process defined by the application in the SAP Service Marketplace.

2.2 Publication of SMP Root CA information

As an obligation, the fingerprint of the SMP Root CA-Certificate is published in SAP’s customer magazine “SAPinfo.net” and on SAP’s customer service website (http://service.sap.com/TCS).

Access controls

Only persons responsible for the SAP Trust Center systems have access to the SAProuter CA, in order to prevent unauthorized use.

2.3 Types of information to be kept confidential

The following types of information are kept confidential within TCS:

• SAProuter application record, whether approved or disapproved.

• Created audit trail records.

• Contingency planning and disaster recovery plans.

• Security measures controlling the operations of the SAProuter CA hardware and software, and the administration of the certificate service.

• Information marked as confidential within the framework of issuing SAProuter-Certificates.


3 IDENTIFICATION AND AUTHENTICATION

3.1 Initial Registration

The authorized system administrator of the SAProuter performs the initial registration of the SAProuter (seeking a certificate) in the SAP Service Marketplace.

3.1.1 Types of names

All the SAProuter-Certificates issued from the SAProuter CA contain distinguished names based on “X.509” Version 3. The RA verifies the conformity of the Distinguished Name to the TCS Naming Conventions.

3.1.2 Authentication of Subscriber

The subscriber authenticates herself to the SMP with her S-User and password. The RA approves the certificate request after confirming the correctness and uniqueness of distinguished name of the SAProuter (seeking certificate).


4 OPERATIONAL REQUIREMENTS

4.1 Application for SAProuter-Certificate

In order to get the SAProuter-Certificate, the subscriber must log on and authenticate herself to the SMP. The SMP requests the required data (System-ID, Installation-Nr.) for the SAProuter from the R/3 system. The R/3 system sends the required data to the SMP. The SMP displays an HTML page in the browser containing the data received from the R/3 system. The subscriber selects the SAProuter for which the certificate is to be issued. The certificate request is generated and sent to the RA.

4.2 Certificate Issuance for SAProuter

After successful identification and confirmation of the required data of the SAProuter by the RA, the SAProuter CA can issue the SAProuter-Certificate. If the identification of the SAProuter is unsuccessful, an error message will be displayed in HTML.

All certificates begin their operational period on the date of issue.

4.3 Security Audit Procedures

• Audit procedures of the SAProuter CA are performed regularly.

• Depending on the type of records and the frequency with which the relevant activity takes place, audit logs are processed during CA operation.

• Electronic audit logs are protected to maintain their integrity and confidentiality.

4.4 Records Archival

• Records can contain, e.g., documentation of actions and information that relate to each certificate request and to the creation, issuance, use and expiration of each SAProuter-Certificate and SAProuter CA certificate.

• All records associated with a SAProuter CA certificate are retained, as required by the applicable rules and regulations, after the date on which the certificate expires.

• The archives containing all important records are protected from unauthorized access.

• As a part of security audit the archive will be checked on integrity, correctness of operations and access control.

4.5 Compromise and Disaster Recovery

The SAP Trust Center Services maintains a disaster recovery plan for the event of a disaster that might threaten the functionality and trustworthiness of SAProuter CA. The disaster recovery plan is reviewed and updated periodically in order to suit the current requirements.

4.6 SAProuter CA Termination

The termination of SAProuter CA is possible. The termination of SAProuter CA will be planned and appropriate notice will be given to minimize disruption to customer and relying parties.


5 PHYSICAL, PROCEDURAL AND PERSONNEL SECURITY CONTROLS

5.1 Physical Security Controls

The physical security measures taken by SAP TCS are in compliance with industry standards.

• The SAProuter CA of the SAP Trust Center Services is operated in a secure environment at SAP.

• The physical access to the system issuing certificates requires separate access measures. The physical access to the system takes place in the presence of at least two authorized persons.

• The SAProuter CA is equipped with backup power systems to ensure continuous, uninterrupted access to electric power.

• The SAProuter CA is equipped with primary and backup ventilation/air conditioning systems to control temperature and relative humidity.

• The SAProuter CA is protected from flooding or other damaging exposure to water.

• The SAProuter CA is protected from fire or other damaging exposure to flames or smoke.

• The storage media of SAProuter CA holding backups of critical system data or any other sensitive information is protected from water, fire or other environmental disasters. There is an access control to the storage media in order to prevent unauthorized use and access of sensitive information.

• The waste disposal is handled appropriately in order to prevent unauthorized use of data.

• In case of disaster, backup measures are able to take over functions of SAProuter CA within a short time.

5.2 Trusted roles

A role-based model is implemented in TCS. Only specific employees of SAP (e.g. system administrator, security officer, RA-Administrator) who are authorized in the sense of this role-based model are considered to have access to or control over SAProuter CA’s Operations.

The role-based model supports the “Multiple-Eyes” principle, which allows security relevant operations only in the presence of a minimum of two persons.


6 TECHNICAL SECURITY CONTROLS

6.1 SAProuter CA

• The SMP Root CA generates the key pair for the SAProuter CA. The SAProuter CA must use only one key pair, which is used only for SAProuter-certificate signing. After generation, the private key of the SAProuter CA is saved in a secure medium.

• In case of loss, compromise or suspected compromise of the private key of the SAProuter CA, the new key pair will be generated as mentioned above.

• The private key of the SAProuter CA is delivered in a secure medium.

6.2 SAProuter

• The key generation for SAProuter-Certificate takes place in the Trust Manager in the SAProuter.

• The key pair generation for SAProuter-Certificate is done in the Trust Manager in the SAProuter, no delivery to the certificate issuer is required.

• An applicant of the SAProuter-Certificate must deliver the public key for the SAProuter-Certificate securely to the RA (via application in the SAP Service Marketplace). The RA signs the certificate request, so that the SAProuter CA can check the integrity of the public key.

6.3 Key sizes

The key lengths are sufficient to protect from conceivable attacks:

• The key pair of the SAProuter CA is at least 1024 bits long.

• The key pair of the SAProuter-Certificate is at least 512 bits long.

6.4 Private Key Protection

• The private key of the SAProuter CA is protected in the Software-Personal Security Environment. The private key of the SAProuter has to be protected by the subscriber.

• The private key of SAProuter CA will not be archived after expiry.

• Before the activation of the private key of SAProuter CA the CA-Administrators authenticate to the CA system. The activation of CA’s private key requires the participation of multiple trusted personnel. Reasonable measures are taken to protect the system physically in order to prevent unauthorized use of the system and associated private key.

• The SAProuter CA is responsible for the deactivation of its own private key.

• The SAProuter CA is responsible for destruction and disposal of its private key, when it is no longer required for active use. Deleting the private key from SAProuter CA’s Personal Security Environment will destroy the private key.

6.5 Other aspects of Key Pair Management

6.5.1 Public Key archival

The public key and certificate of the SAProuter CA within the framework of this policy will be archived after it is expired.

6.5.2 Usage periods for the public and private keys

The operational period for key pair is the same as the validity period for the associated certificate. The active lifetime for the SAProuter CA’s public and private key is restricted to 10 years.

6.6 Computer Security Controls

To assure the computer security of the operating system of the SAProuter CA, specific security controls must be implemented.

The SAProuter CA is on-line and can be accessed via the Internet using HTTPS only by the RA of the SAProuter CA. The configuration of and access control to the network security devices are strictly controlled and limited to authorized persons only.


7 SPECIFICATION ADMINISTRATION

This section specifies how this particular certificate policy will be maintained.

• This CP may change from time to time. Any such changes are made only if needed by the TCS. Any changes made in CP will be published as a new version of CP.

• Publication of changes and notices of withdrawal will be made accordingly.

• Only authorized persons of the SAP Trust Center Services must approve this CP and any subsequent changes to it.


8 CERTIFICATE PROFILES

This section describes the certificate profiles of the certificates relevant to the SAProuter that are issued by the SAP Trust Center. All certificate profiles in SAP Trust Center Services are based on X.509v3 and PKIX. The certificates must contain the following basic fields with the indicated prescribed values or value constraints.

8.1 Certificate Profile of the SMP Root CA

The following table describes certificate profile of the SMP Root CA:

Field: SignatureAlgorithm
Constant: SHA-1/RSA, Algorithm OID 1.3.14.3.2.29
Description: The signature algorithm of the certificate is SHA-1/RSA.

Field: Version
Constant: Version 3
Description: This X.509 certificate has version 3.

Field: SerialNumber
Constant: Serial Number
Description: The “serialNumber” of the certificate is meant for the identification of the certificate.

Field: Signature
Constant: SHA-1/RSA, Algorithm OID 1.3.14.3.2.29
Description: The signature algorithm used to sign the certificate is SHA-1/RSA.

Field: Issuer
Constant: CN=SMP Root CA, OU=Service Marketplace, O=SAP, C=DE
Description: The name of the certificate issuer is SMP Root CA.

Field: Validity
Constant: NotBefore 18.07.2000, NotAfter 18.07.2010
Description: This certificate is valid for 10 years.

Field: Subject
Constant: CN=SMP Root CA, OU=Service Marketplace, O=SAP, C=DE
Description: The certificate holder is SMP Root CA.

Field: SubjectPublicKeyInfo
Constant: Algorithm = RSA (1024 Bits), Algorithm OID 1.2.840.113549.1.1.1
Description: This field contains information about the certificate holder’s public key. The RSA public key is 1024 bits long.

Field: KeyUsage (CRITICAL)
Constant: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
Description: The key pair can be used to sign certificates.

Field: SubjectAlternativeName
Constant: URL: http://service.sap.com/TCS
Description: The extension field contains the URL of the SMP Root CA.

Field: BasicConstraints
Constant: Subject Type=CA, Path Length Constraint=None (allowed to act as a CA)
Description: This field specifies that the SMP Root CA is allowed to act as CA.

Table 1: Certificate profile of the SMP Root CA


8.2 Certificate Profile of the SAProuter CA

The following table describes certificate profile of the SAProuter CA:

Field: SignatureAlgorithm
Constant: SHA-1/RSA, Algorithm OID 1.3.14.3.2.29
Description: The signature algorithm of the certificate is SHA-1/RSA.

Field: Version
Constant: Version 3
Description: This X.509 certificate has version 3.

Field: SerialNumber
Constant: Serial Number
Description: The “serialNumber” of the certificate is meant for the identification of the certificate. This should be unique for each certificate issued by the CA.

Field: Signature
Constant: SHA-1/RSA, Algorithm OID 1.3.14.3.2.29
Description: The signature algorithm used to sign the certificate is SHA-1/RSA.

Field: Issuer
Constant: CN=SMP Root CA, OU=Service Marketplace, O=SAP, C=DE
Description: The name of the certificate issuer is SMP Root CA.

Field: Validity
Constant: NotBefore 18.07.2000, NotAfter 18.07.2005
Description: This certificate is valid for 5 years.

Field: Subject
Constant: CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
Description: The certificate holder is SAProuter CA.

Field: SubjectPublicKeyInfo
Constant: Algorithm = RSA (1024 Bits), Algorithm OID 1.2.840.113549.1.1.1
Description: This field contains information about the certificate holder’s public key. The RSA public key is 1024 bits long.

Field: KeyUsage
Constant: Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment, Certificate Signing, Off-line CRL Signing, CRL Signing
Description: The key pair can be used to sign certificates.

Field: IssuerAlternativeName
Constant: URL=http://service.sap.com/TCS
Description: This field contains the URL of the SAProuter CA.

Field: BasicConstraints
Constant: Subject Type=CA, Path Length Constraint=None
Description: This field specifies that the SAProuter CA is allowed to act as CA.

Table 2: Certificate profile of the SAProuter CA


8.3 Certificate Profile of the SAProuter Certificate

The following table describes the certificate profile of the SAProuter certificate:

Field: SignatureAlgorithm
Content: Algorithm sha1WithRSAEncryption, NULL
Description: The signature algorithm of the certificate is SHA-1/RSA.

Field: Version
Content: Version 3
Description: This X.509 certificate has version 3.

Field: SerialNumber
Content: Serial Number
Description: The “serialNumber” of the certificate is meant for the identification of the certificate.

Field: Signature
Content: Algorithm sha1WithRSAEncryption, NULL, Algorithm OID 1.2.840.113549.1.1.5
Description: The signature algorithm used to sign the certificate is SHA-1/RSA.

Field: Issuer
Content: CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE
Description: The name of the certificate issuer is SAProuter CA.

Field: Validity
Content: NotBefore (e.g. 15.07.2002), NotAfter (e.g. 15.07.2003)
Description: The SAProuter certificate is valid for 1 year.

Field: Subject
Content: CN=SAProuter name (e.g. stl-do-all), OU=Customer number (e.g. 0000496345), OU=SAProuter, O=SAP, C=DE
Description: The certificate holder is the SAProuter, e.g. stl-do-all.

Field: SubjectPublicKeyInfo
Content: Algorithm RSAEncryption, Algorithm OID 1.2.840.113549.1.1.1
Description: This field contains information about the certificate holder’s public key. The RSA public key is 1024 bits long.

Field: KeyUsage
Content: Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, keyCertSign, CRLSign
Description: The key pair can be used for authentication.

Field: BasicConstraints
Content: CA = 0
Description: This field specifies that the holder of the SAProuter certificate is not allowed to act as CA.

Table 3: Certificate profile of the SAProuter Certificate


9 BIBLIOGRAPHY

9.1 Abbreviations

C: Country
CA: Certification Authority
CN: Common Name
CP: Certificate Policy
O: Organization
OU: Organizational Unit
RA: Registration Authority
RSA: Rivest, Shamir and Adleman
SHA: Secure Hash Algorithm
SMP: SAP Service Marketplace
SMP Root CA: SAP Service Marketplace Root Certification Authority
TCS: Trust Center Services

9.2 Glossary

9.2.1 Certificate Policy (CP)

The CP describes a security policy for issuing certificates and maintaining certificate status information. This includes, e.g., the operation of the SAProuter CA, as well as guidelines for users on requesting, using and handling certificates and keys.

A named set of rules that indicate the applicability of a certificate to a particular community and/or class of application with common security requirements (RFC 2527).

9.2.2 Subscriber

These are entities (in this case SAProuter) that have been issued SAProuter-Certificates from the SAProuter CA.

9.2.3 Trust Manager

The TrustManager can be used to maintain the public key information for the Personal Security Environments (e.g. system PSE) used by the SAP applications.

The TrustManager provides functions for generating key pairs and corresponding certificate requests.

9.3 Literature

[CP: RA-Certificate02] SAP AG: “Certificate Policy of RA Certificate for SAP Router”, 2002.

[CP: Root CA-Certificate02] SAP AG: “Certificate Policy of the Service Marketplace Root CA”, 2002.

[Gut2000] Gutmann, P.: “X.509 style Guide”, 2000. http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt

[ITU97] ITU-T X.509: Information Technology – Open Systems Interconnection – The directory: Authentication Framework, 1997.

[RFC 2527] Chokhani, S.; Ford, W.: “Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework”, 1999.

[RFC 3280] Housley, R.; Ford, W.; Polk, W.; Solo, D.: "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", 2002.