PKI in SAP - DFN-CERT · PKI in SAP Stefanie García Laule SAP AG ... Invoice S/MIME PKCS#7 (XML...


PKI in SAP

Stefanie García Laule

SAP AG

© SAP AG 2001, Title of Presentation, Speaker Name 2


[Slide, title unreadable in the source: overview of authentication mechanisms]

• NTLM
• LDAP bind
• Radius
• ...

• User ID / password
• X.509 certificates

• X.509 Digital Certificate (SAP Passport): SSL client authentication
• Logon ticket: digitally signed by Web Application Server
• Pluggable Authentication Service (PAS): use external authentication mechanisms

The logon ticket contains public information:

• User ID
• Validity period
• Issuing system
• Digital signature

Therefore we can offer a library which can be linked to other systems. These systems can verify the user’s logon ticket and use the stored information for their own logon.

[Diagram: digitally signed logon ticket, sent via encrypted channel, passing through the ITS server (Webserver, WGate, AGate) to the SAP System; SSL* secures the hop from the Web browser to the Webserver and SNC* the WGate/AGate hops; labels: User ID / PW, Hash(PW)]

*SSL (Secure Sockets Layer) and SNC (Secure Network Communications) are used to secure the communication path between the Web browser and the SAP System.

[Slide, title unreadable in the source: SNC partner products]

• Computer Associates: eTrust Single Sign-On™
• CyberSafe: TrustBroker Security Solution for R/3™
• Deutsche Telekom: T-Secure™
• Entrust Technologies: Entrust/SNC™
• iT_Security: iT_SEC_node™
• NEC: SecureWare / Authentication Plug-In for SAP R/3™
• RSA Security: Keon Agent v. 4.5 for R/3™
• SECUDE GmbH: SECUDE for R/3™
• SHYM Technology: PKEnable™
• UniSecurity: SecuTrust™
• Windows NT SSPI: available with SAP software (sncgss32.dll), authentication only
• SAP Crypto Library

[Diagram: X.509 Client Certificate (SAP Passport) used for SSL client authentication; SSL with mutual authentication between the Web browser and the Webserver (Windows NT Server 4.0), then SNC from WGate and AGate (ITS server) onward; label: User ID]

• Authentication using an external authentication service
  – Windows NTLM protocol
  – Windows User ID / password checking using the domain controller
  – LDAP bind
  – Radius / SecureID
  – ...
• After authentication, the user is issued a logon ticket for use with SAP Services

[Diagram: Pluggable Authentication Service flow between the Web browser, Webserver + WGate, ITS AGate (sapextauth), an External Authentication Server, the Web Application Server and the SAP System; labels: Authentication (user ID and password), User external ID mapping table (USREXTID), SAP System user ID, SNC; example URLs: https://host1.mycompany.com/scripts/wgate/<service>/! and https://host1.mycompany.com/scripts/wgate/sapwa/!]

[Slide, title unreadable in the source: matrix of authentication methods (Certificate, Smart card, Radius, User name/password) against single sign-on approaches (Single sign-on, Account aggregation, Impersonation, Ticketing); cell contents not recoverable]

[Diagram: the component system checks the logon ticket against its SSO Access Control List of trusted Web Application Servers (<SID> <client>)]

Step 1: Verify the digital signature provided with the logon ticket.

Step 2: Check the Access Control List that contains the names of trusted Web Application Servers and check the validity time.

Step 3: Log on using the user ID which is stored in the logon ticket. No password necessary.

The non-SAP component must:

• Verify the Web Application Server’s digital signature: use the SSO shared library
• Make sure the ticket has been issued by the designated Web Application Server: maintain an ACL
• Map the User IDs

Availability:

www.sap.com/miniapps > Development Zone
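The three verification steps a component system performs on a logon ticket, written out as an added Python illustration (not SAP's SSO shared library). The signature is a constructed textbook RSA over a SHA-256 digest standing in for the real mechanism; the ticket field names, the ACL keyed by <SID> <client> and the ISO timestamps are assumptions.

```python
import hashlib
from datetime import datetime

# Constructed toy RSA key pair (textbook primes 61 and 53: n = 3233, e = 17,
# d = 2753). A stand-in for illustration only: a real Web Application Server
# signs with the private key belonging to its X.509 certificate.
ISSUER_PUBKEYS = {("WAS", "000"): (3233, 17)}   # public key per <SID> <client>
TOY_PRIVKEY = (3233, 2753)
# Step 2 input: the SSO Access Control List of trusted Web Application Servers
SSO_ACL = {("WAS", "000")}


def _ticket_body(ticket: dict) -> bytes:
    """Canonical bytes over the public fields (everything except the signature)."""
    return "|".join(f"{k}={ticket[k]}" for k in sorted(ticket) if k != "sig").encode()


def _digest(body: bytes, n: int) -> int:
    # SHA-256 reduced into the toy modulus so the textbook RSA can sign it
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n


def issue_ticket(user, sid, client, not_before, not_after, key=TOY_PRIVKEY):
    """Issuing side: the Web Application Server signs the public ticket fields."""
    n, d = key
    fields = {"user": user, "sid": sid, "client": client,
              "not_before": not_before, "not_after": not_after}
    return {**fields, "sig": pow(_digest(_ticket_body(fields), n), d, n)}


def verify_ticket(ticket: dict, now_iso: str, acl=SSO_ACL):
    """Component-system side, steps 1 to 3; returns (user_id, reason)."""
    issuer = (ticket["sid"], ticket["client"])
    # Step 1: verify the digital signature with the issuing system's public key
    pub = ISSUER_PUBKEYS.get(issuer)
    if pub is None or pow(ticket["sig"], pub[1], pub[0]) != _digest(_ticket_body(ticket), pub[0]):
        return None, "signature invalid"
    # Step 2: the issuer must be on the ACL and the ticket inside its validity period
    if issuer not in acl:
        return None, "issuer not in ACL"
    now = datetime.fromisoformat(now_iso)
    if not (datetime.fromisoformat(ticket["not_before"]) <= now
            <= datetime.fromisoformat(ticket["not_after"])):
        return None, "outside validity period"
    # Step 3: log on with the user ID carried in the ticket; no password is involved
    return ticket["user"], "ok"


if __name__ == "__main__":
    t = issue_ticket("ALICE", "WAS", "000", "2001-06-01T08:00:00", "2001-06-01T16:00:00")
    print(verify_ticket(t, "2001-06-01T09:00:00"))  # ('ALICE', 'ok')
```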

[Diagram: SAP Trust Center Service; Company A, Company B, Trust]

SAP Passport request flow (Web browser, Portal Server, SAP Trust Center Service):

1. Log on using SAP user ID and password and initiate the SAP Passport request
2. Specify naming convention and trigger key generation
3. Web browser generates key pair and sends the SAP Passport request
4. Send approved certificate request
5. Verifies naming conventions and issues certificate
6. Log on using the SAP Passport

Note: Available at GA date


[Diagram: “Document content” is signed with the private key and verified with the public key; the public key is registered with a CA (Trust); exchange over the Internet]

• Document unchanged
• Identity of the signer
• Legal certainty

• Application server signs (SAPSECULIB)
• Signing in SAP GUI for Windows front end (Software Partner Program SPP)
• Signing in Web browser (IE: ActiveX-Control, Netscape: Java-Script)

[Diagram: ABAP applications using digital signatures through the SSF-API; examples: Process Planning, HTTP Content Server, Public Sector]

Very important! To be legally binding, certain requirements must be met.

1. Create document (application)
2. Show document (application / SSF >= Rel. 6.10)
3. Create signature (SSF >= Rel. 4.0)


[Diagram: outgoing invoice. The SAP application produces an IDOC (IDOCTYPE: Invoice), for example invoices in IDOC format; the Business Connector converts it into XML / EDIFACT and creates the signature (S/MIME, PKCS#7, XML signature)]

[Diagram: incoming invoice (steps 1 to 3). The Business Connector receives the S/MIME / PKCS#7 (XML signature) invoice, verifies the digital signature, converts it into an IDOC (IDOCTYPE: Invoice, for example invoices in IDOC format) for the SAP application, and archives it]

MIME file contains the electronic invoice in PKCS#7 (XML with digital signature and certificate) and PDF format.

[Flow chart: the Business Connector takes the MIME file and verifies the digital signature of the PKCS#7 / XML part. Verification OK? Yes: convert XML into IDOC and send to SAP System, and archive PKCS#7 and PDF. No: return to sender with message.]

[Flow chart: same verification with revocation checking. (1) Verify digital signature: is the signature value OK? (2) Is the certificate revoked by CA? The revocation status comes from an OCSP client or from CRLs (certificate serial numbers, SN= ..). Signature OK and certificate not revoked: convert XML into IDOC and send to SAP System, and archive PKCS#7 and PDF. Otherwise: return to sender with message.]

1. Certificate Revocation List (CRL)

[Diagram: the CA / Trust Center Service issues CRLs (revocation lists of certificate serial numbers, SN= ..) into the customer landscape; the question “Is the digital certificate valid?” is answered for authentication / digital signature by consulting the revocation list]

2. OCSP Responder (Online Certificate Status Protocol)

[Diagram: the CA / Trust Center Service issues CRLs (SN= ..) to an OCSP Responder; the customer landscape asks the responder “Is the digital certificate valid?” for authentication / digital signature and receives a Yes / No answer]

3. OCSP Responder & CRLs

[Diagram: combination of both. The CA / Trust Center Service issues CRLs; the customer landscape holds CRLs (SN= ..) and also queries the OCSP Responder, which answers Yes / No to “Is the digital certificate valid?” for authentication / digital signature]

Stefanie García Laule
SAP AG
E-Mail: [email protected]
http://service.sap.com/Security