Configuration Guide
Document Version: 1.0 – Final
Date: July 8, 2016
CUSTOMER
Setting Up Keys and Certificates
SAP Backend Systems on the SAP Pharma Network
SAP Pharma Network Configuration Guide CUSTOMER
Setting Up Keys and Certificates
Configuration Guide – Version: 1.0 – Final
July 8, 2016
© 2016 SAP SE or an SAP affiliate company. All rights reserved. 2
Typographic Conventions
Type Style: Description
Example: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also textual cross-references to other documents.
Example: Emphasized words or expressions.
EXAMPLE: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE: Keys on the keyboard, for example, F2 or ENTER.
Document History
Version Status Date Change
1.0 Final 2016-07-08 First release
Table of Contents
1 About This Document ... 5
1.1 Purpose and Scope ... 5
1.2 Target Audience ... 5
1.3 Glossary ... 5
1.4 Related Information ... 6
2 Introduction ... 7
3 TLS and MLS Best Practices ... 10
3.1 Certification Authorities ... 11
4 Procuring Certificates ... 12
5 Configuring Security and Web Service Communication ... 14
5.1 Applying Security Configuration Settings for Your SAP ERP System ... 14
5.2 Enabling Certificate-based Communication ... 14
5.3 Exporting the Participant Client Certificate ... 15
5.4 Adding Certificates Provided by SAP ... 15
5.5 Adding a Distinguished Name to a Technical User ... 16
6 Important Disclaimers and Legal Information ... 17
6.1 Coding Samples ... 17
6.2 Accessibility ... 17
6.3 Gender-Neutral Language ... 17
6.4 Internet Hyperlinks ... 17
1 About This Document
1.1 Purpose and Scope
This document provides an overview of keys and certificates used by SAP ERP systems in communications on the
SAP Pharma Network.
1.2 Target Audience
This document is for members of the technical implementation team involved in integration and onboarding to the
SAP Pharma Network, including:
Implementation and integration teams
System Administrators
Information Security Officers
Network Administrators
BASIS Administrators
1.3 Glossary
Term (Abbreviation): Definition
Certification Authority (CA): An entity that issues digital certificates. A digital certificate certifies that the named subject of the certificate owns the public key it contains. In the SAP Pharma Network integration scenario, every certificate you provide to SAP must be signed by an SAP-trusted CA (the one exception is MLS in the Test environment, where self-signed certificates are tolerated; see section 3). See the SAP Pharma Network Onboarding Guide for the list of trusted authorities.
Distinguished Name (DN): A fully qualified sequence of names that traces an entry back to the root of a naming tree. In the SAP Pharma Network the DN links a TLS or MLS certificate to a specific ERP participant system.
Message Level Security (MLS): Signs and/or encrypts the message content itself, so that the protection travels with the message and does not depend on the transport.
Transport Layer Security (TLS): Protocol that establishes a secure communication channel between an ERP system and the SAP Pharma Network for message transfer.
Web Service (WS): Software available over the Internet that uses a standardized XML messaging system. Web services are initiated on the ERP system to transmit data to the SAP Pharma Network using TLS and MLS.
1.4 Related Information
Introduction to the SAP Pharma Network
SAP Pharma Network Onboarding Guide
SAP Pharma Network Configuration Guides for SAP Backend Systems
2 Introduction
Data transferred over a network between a client and a server can be encrypted: messages are encrypted before they are sent and decrypted at their destination to make the data usable again. To authenticate that data comes from a trustworthy source, keys and certificates are installed at each end of the transmission channel. For both TLS and MLS, a key pair consists of a private key, which never leaves the system that generated it, and a public key; the certificate binds that public key to the Distinguished Name of the participant system and carries the signature of the issuing CA.
The authentication process is commonly known as the TLS/SSL handshake. The following diagram shows how a TLS handshake works. In this diagram, the client represents the SAP ERP system and the server represents the SAP Pharma Network load balancer.
Client / Server
1. The client issues a secure session request.
2. The server sends its X.509 certificate containing the server's public key.
3. The client validates the certificate against its list of trusted CAs. A browser may offer the user the option to accept an unknown certificate at the user's own risk; an unattended system such as the AS ABAP has no such option, and the connection fails unless the issuing CA is present in the client PSE.
4. The client generates a random symmetric key and encrypts it with the server's public key (the RSA key exchange as drawn; newer TLS versions derive the session key differently, but the trust decision in step 3 is the same).
5. Client and server now both know the symmetric key and encrypt the end-user data with it for the duration of the session.
Because SAP and the customer exchange certificates, the handshake on the SAP Pharma Network is mutual: the server also requests the client's certificate, and the ERP system must present one signed by an SAP-trusted CA (see section 5.3).
The following table summarizes Transport and Message Level Security.

Security Protocol: Transport Layer Security (TLS)
Explanation: A cryptographic protocol designed to provide communications security over a computer network. Its primary goal is privacy and data integrity between two communicating applications, for example between a client (ERP/PI) and a server such as the SAP Pharma Network load balancer.
Implementation: All transferred messages travel over a channel whose endpoints authenticate each other with a key pair installed at each end. SAP and the customer exchange certificates, which are installed on both sides to allow secure message transfer. From a TLS perspective it is mandatory that all customer-provided TLS keys are signed by an SAP-trusted Certification Authority; see the SAP Pharma Network Onboarding Guide for the list of trusted authorities.

Security Protocol: Message Level Security (MLS)
Explanation: Ensures the integrity and confidentiality of individual messages, regardless of the network. By signing and encrypting with public and private keys, the message stays protected even if it is sent over an unprotected transport layer such as plain HTTP.
Implementation: TLS provides a secure channel for data to pass through; MLS adds a second layer that protects the message content itself. MLS requires a public and private key pair at each end so that the source and destination endpoints can be verified.
3 TLS and MLS Best Practices
This section describes SAP's best practices for using TLS and MLS on the SAP Pharma Network.
When using transport-level and message-level security, the SAP Pharma Network requires two different key pairs, one for each use case: the TLS key pair authenticates the channel, the MLS key pair signs and encrypts the message content. Do not reuse one pair for both purposes.
Recommendation
SAP strongly recommends:
o Certificates signed with a SHA-2 digest (SHA-256 or stronger), rather than SHA-1
o Asymmetric keys of at least 2048 bits
o A certificate validity of three years
For transport layer security, CA-issued certificates are mandatory. For message level security, CA-issued certificates are recommended, although self-signed certificates can be used.
The following table outlines the minimum key requirements and SAP best practices for TLS and MLS in the SAP Pharma Network Test and Productive environments.
Note
Keys used in the Test environment cannot be used in the Production environment.

Environment: Test, TLS
Minimum requirement: TLS keys signed by an SAP-trusted CA, compatible with the standards and algorithms supported by the SAP Pharma Network, with a valid expiry date and a suitable EKU configuration.
SAP best practice: As the minimum requirement.

Environment: Test, MLS
Minimum requirement: MLS keys may be self-signed.
SAP best practice: MLS keys have a validity date, are compatible with the standards and algorithms supported by the SAP Pharma Network, and are signed by a CA.

Environment: Production, TLS
Minimum requirement: TLS keys signed by an SAP-trusted CA, compatible with the standards and algorithms supported by the SAP Pharma Network, with a valid expiry date and a suitable EKU configuration, and different from the keys the customer used in Test onboarding.
SAP best practice: As the minimum requirement.

Environment: Production, MLS
Minimum requirement: MLS keys have a validity date and are compatible with the standards and algorithms supported by the SAP Pharma Network.
SAP best practice: As the minimum requirement, and additionally signed by a CA.
3.1 Certification Authorities
All TLS and MLS authentication requirements are governed by SAP approved Certification Authorities (CA).
As such all keys and certificates must be signed by the relevant CA for authentication to take place, and message
processing to proceed on the SAP Pharma Network.
Note
All TLS keys that you provide to SAP must be signed by a CA.
Depending on the onboarding environment, MLS keys may need to be signed by a CA. For an updated list of SAP
authorized Certification Authorities, please contact the SAP Pharma Network Onboarding Team.
4 Procuring Certificates
This section describes how to procure SSL certificates for an ERP system for use on the SAP Pharma Network. Figure 1 shows the process; the steps run in the following order:
1. Create a (self-signed) certificate in the relevant PSE (client or server). An RSA key pair (public and private key) is generated; the private key stays in the PSE.
2. Modify the distinguished name (DN) string with the relevant information.
3. Save the self-signed certificate.
4. Create a certificate request, which is the public key and the DN in Base64 format. This is known as the Certificate Signing Request (CSR).
5. The CA validates the CN portion of the DN string (the FQDN/IP) to prove ownership by the requestor.
6. The CA carries out its administrative steps, for example seeking contact with the designated contact person via email or other means.
7. The CA generates the signed certificate: it signs the public key and DN from the CSR with the CA's own private key.
8. The signed certificate is imported into the PSE on the ERP system. The import succeeds only if the public key in the certificate matches the private key generated in step 1; the CA's signature is verified against the CA certificate, which must be available in the PSE or included in the certificate response. The certificate is then validated and installed on the ERP system.
Figure 1: Key and Certificate Process
There are a number of prerequisites and recommendations to procure certificates including:
All TLS Keys must be signed by a SAP trusted Certification Authority. See the SAP Pharma Network
Onboarding Guide.
For MLS keys, the signing algorithm (digest and encryption algorithms) must be one of the following:
SHA512/RSA, SHA384/RSA, SHA256/RSA, SHA224/RSA, SHA/RSA, RIPEMD128/RSA, RIPEMD160/RSA,
MD5/RSA, MD2/RSA, RIPEMD160 and MGF1/RSA-ISO9796-2-2-3, SHAandMGF1/RSA-ISO9796-2-2-3,
SHA256withDSA, SHA224withDSA, SHA/DSA.
Note
This is the list of algorithms the SAP Pharma Network accepts, not a list of equally good choices. MD2, MD5, SHA-1 (listed above as SHA/RSA and SHA/DSA) and RIPEMD-128 are broken or deprecated digests; use SHA256/RSA or stronger, in line with the SHA-2 recommendation in section 3.
5 Configuring Security and Web Service
Communication
5.1 Applying Security Configuration Settings for Your
SAP ERP System
Use
For all SAP systems based on AS ABAP that connect to the SAP Pharma Network, perform the configuration tasks
described in the document Secure Configuration SAP NetWeaver Application Server.
Procedure
Access the activity using the following navigation option:
Web Path https://support.sap.com/securitynotes -> White Papers -> Secure Configuration
SAP NetWeaver Application Server ABAP
Read the document, and follow the implementation instructions.
Result
You improve the security of your AS ABAP system.
5.2 Enabling Certificate-based Communication
Use
In this activity, you enable an HTTPS (HTTP over TLS) connection between your SAP ERP system and the SAP Pharma Network.
Prerequisites
Read the documents listed below, and follow the configuration instructions. Normally you work with your system
administrator for these tasks.
Establishing Trust
Configuring the SAP Web AS for Supporting SSL
Configuring the AS ABAP to Use X.509 Client Certificates
Configuring the Web Service Runtime
Note
To perform the following steps, you need information from the SAP Pharma Network Onboarding team.
Please contact the team.
5.3 Exporting the Participant Client Certificate
Procedure
1. Access the transaction by choosing the navigation option:
Transaction Code STRUST
2. Double click SSL client SSL Client (Standard).
3. Double click the Owner field under the Own Certificate section.
4. Choose the Export certificate button under the section Certificate.
5. Specify the file path on your local computer and select Base64.
6. Specify a file name (ending with .crt). Then click Open.
7. Choose Input.
8. Choose Allow when asked for security.
Result
The participant client certificate has been exported to your local computer. The export contains the public certificate only; the private key remains in the PSE and is never part of the exported file.
5.4 Adding Certificates Provided by SAP
1. Access the transaction by choosing navigation option:
Transaction Code STRUST
2. Double click SSL client SSL Client (Standard).
3. Under section Certificate choose the button Import Certificate and search for the certificate provided by SAP on
your local disk. This is the root certificate of the SAP Pharma Network BigIP load balancer, the server side of the TLS
connection described in section 2; importing it into the SSL client (Standard) PSE makes your ERP system trust the
server certificate presented during the handshake.
During the onboarding process, the contact person at SAP provided you with the certificate. You stored the
certificate locally on your computer.
4. Choose Input.
5. Choose Allow when asked for security.
6. Logon to Client 000 with administration authorization user.
7. Access the transaction by choosing navigation option:
Transaction Code STRUST
8. Double click SSL server Standard.
9. Under section Certificate, choose the button Import Certificate and search for the certificate (PHARMA
NETWORK client root certificate, provided by SAP) on your local disk.
During the onboarding process, the contact person at SAP provided you with the certificate. You stored the
certificate locally on your computer.
10. Choose Input.
11. Choose Allow when asked for security.
Result
The certificates provided by SAP have been imported into your SAP ERP system: the server root certificate into the
SSL client (Standard) PSE, so that your system accepts the certificate of the SAP Pharma Network load balancer, and
the client root certificate into the SSL server Standard PSE, so that your system accepts client certificates issued under
it when the SAP Pharma Network connects to you (Push/Push pattern, see section 5.5).
5.5 Adding a Distinguished Name to a Technical User
Note
This is only applicable in a Push/Push communication pattern.
In a Push/Push communication, a message is pushed, that is, sent from an ERP system to the SAP Pharma
Network. The SAP Pharma Network pushes the response to the message to the ERP system. In this
scenario, the distinguished name is an authentication measure on the ERP side.
Use
This step maps the Distinguished Name of the X.509 client certificate that the SAP Pharma Network presents to a
technical user in your ERP system, so that the incoming push request logs on as that user on the strength of the
certificate (mapping of Distinguished Names defined in X.509 client certificates).
Procedure
Access the activity using the following navigation options:
IMG Path: SAP NetWeaver -> Application Server -> System Administration -> Management of External Security Systems -> Maintain External Identifications for Users -> External Identification for Users (Type DN)
Transaction Code: SPRO
On Change View "Assignment of External ID to Users": Overview, choose New Entries (F5).
On New Entries: Details of Added Entries, make the following entries:
Field name: User action and values
External ID: The Distinguished Name of the client certificate with which the SAP Pharma Network authenticates to your ERP system, as communicated by the SAP Pharma Network Onboarding team. The DN must match the certificate exactly, so copy it from the certificate rather than retyping it.
User: The technical user ID to which the certificate is mapped.
Min. date: The earliest date from which the certificate is accepted for this mapping.
Activated: Checked
Choose Save.
6 Important Disclaimers and Legal
Information
6.1 Coding Samples
Any software coding and/or code lines/strings ("Code") included in this documentation are only examples and are not
intended to be used in a productive system environment. The Code is only intended to better explain and visualize
the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code
given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages
were caused by SAP intentionally or by SAP's gross negligence.
6.2 Accessibility
The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the
date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software
products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does not
apply in cases of wilful misconduct or gross negligence of SAP. Furthermore, this document does not result in any
direct or indirect contractual obligations of SAP.
6.3 Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly
with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring to members
of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP
reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation
remains comprehensible.
6.4 Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint
about where to find related information. SAP does not warrant the availability and correctness of this related
information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages
caused by the use of related information unless damages have been caused by SAP's gross negligence or willful
misconduct. All links are categorized for transparency (see: http://help.sap.com/disclaimer).
www.sap.com/contactsap
© 2016 SAP SE or an SAP affiliate company. All rights reserved.