PKI in SAP (DFN-CERT)
Posted 27-Jul-2018
PKI in SAP
Stefanie García Laule
SAP AG
© SAP AG 2001
Slide 3
• NTLM
• LDAP bind
• Radius
• ...

• User ID / password
• X.509 certificates
Slide 4
• X.509 Digital Certificate (SAP Passport): SSL client authentication
• Logon ticket: digitally signed by the Web Application Server
• Pluggable Authentication Service (PAS): use external authentication mechanisms
Slide 5
The logon ticket contains public information:
• User ID
• Validity period
• Issuing system
• Digital signature
Therefore we can offer a library which can be linked to other systems. These systems can verify the user's logon ticket and use the stored information for their own logon.
Slide 6
Digitally signed logon ticket, delivered via an encrypted channel
[Diagram: Web browser, Webserver with WGate, AGate (ITS server) and SAP System. The path is secured by SSL* and SNC*; User ID / PW is forwarded along it and checked against Hash(PW); the digitally signed logon ticket is returned over the encrypted channel.]
*SSL (Secure Sockets Layer) and SNC (Secure Network Communications) are used to secure the communication path between the Web browser and the SAP System.
Slide 7
• Computer Associates: eTrust Single Sign-On™
• CyberSafe: TrustBroker Security Solution for R/3™
• Deutsche Telekom: T-Secure™
• Entrust Technologies: Entrust/SNC™
• iT_Security: iT_SEC_node™
• NEC: SecureWare / Authentication Plug-In for SAP R/3™
• RSA Security: Keon Agent v. 4.5 for R/3™
• SECUDE GmbH: SECUDE for R/3™
• SHYM Technology: PKEnable™
• UniSecurity: SecuTrust™
• Windows NT SSPI: available with SAP software (sncgss32.dll), authentication only
• SAP Crypto Library
Slide 8
X.509 Client Certificate (SAP Passport): SSL client authentication
[Diagram: Web browser, Webserver with WGate, AGate (ITS server, Windows NT Server 4.0) and SAP System. SSL with mutual authentication between browser and Webserver, SNC on the WGate-AGate and AGate-SAP hops; the User ID is forwarded to the SAP System.]
Slide 9
• Authentication using an external authentication service:
  • Windows NTLM protocol
  • Windows User ID / password checking using the domain controller
  • LDAP bind
  • Radius / SecureID
  • ...
• After authentication, the user is issued a logon ticket for use with SAP Services
Slide 10
[Diagram: the Web browser calls https://host1.mycompany.com/scripts/wgate/<service>/! (for example https://host1.mycompany.com/scripts/wgate/sapwa/!) through the Webserver with WGate (ITS) and AGate, which connects over SNC to the Web Application Server. Authentication (user ID and password) is performed against an External Authentication Server; sapextauth on the Web Application Server maps the external user ID to the SAP System user ID via the user external ID mapping table (USREXTID).]
Slide 12
[Table, headers not recoverable. Columns: Certificate, Smart card, Radius, User name/password. Single sign-on rows: Account aggregation, Impersonation, Ticketing.]
Slide 13
Step 1: Verify the digital signature provided with the logon ticket.
Step 2: Check the Access Control List that contains the names of trusted Web Application Servers, and check the validity time.
Step 3: Log on using the user ID which is stored in the logon ticket. No password necessary.
[Diagram: Component system receiving the logon ticket; the SSO Access Control List names each trusted Web Application Server by <SID> and <client>.]
Slide 14
The non-SAP component must:
• Verify the Web Application Server's digital signature: use the SSO shared library
• Make sure the ticket has been issued by the designated Web Application Server: maintain an ACL
• Map the user IDs
Availability: www.sap.com/miniapps > Development Zone
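The three verification steps of slides 13 and 14 (signature check, ACL and validity check, logon by the user ID carried in the ticket), as an added example in Go that is not part of the original presentation or of SAP's SSO library. The ticket layout, the Ed25519 signature, the issuer name "WAS/100" and the user IDs are constructed for illustration; SAP's real logon ticket format differs.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Ticket is a constructed, simplified model of the fields the slides list for a logon ticket;
// it is not SAP's real ticket format. Issuer is the "<SID>/<client>" of the issuing server.
type Ticket struct {
	UserID, Issuer      string
	NotBefore, NotAfter int64 // validity period, Unix seconds
}
// SignedTicket is the serialised ticket plus the issuer's signature over it.
type SignedTicket struct{ Payload, Signature []byte }

// IssueTicket is the issuing Web Application Server side: serialise and sign (Ed25519 here).
func IssueTicket(priv ed25519.PrivateKey, t Ticket) SignedTicket {
	payload, _ := json.Marshal(t)
	return SignedTicket{payload, ed25519.Sign(priv, payload)}
}

// VerifyTicket is the component-system side; acl is the SSO Access Control List mapping each
// trusted "<SID>/<client>" issuer to its public key. Returns the user ID to log on as.
func VerifyTicket(st SignedTicket, acl map[string]ed25519.PublicKey, now time.Time) (string, error) {
	var t Ticket
	if err := json.Unmarshal(st.Payload, &t); err != nil {
		return "", err
	}
	pub, ok := acl[t.Issuer] // Step 2: only Web Application Servers named in the ACL are trusted
	if !ok {
		return "", fmt.Errorf("issuer %q not in SSO ACL", t.Issuer)
	}
	if !ed25519.Verify(pub, st.Payload, st.Signature) { // Step 1: signature must verify
		return "", fmt.Errorf("signature verification failed")
	}
	if now.Unix() < t.NotBefore || now.Unix() > t.NotAfter { // Step 2: validity time
		return "", fmt.Errorf("ticket outside validity period")
	}
	return t.UserID, nil // Step 3: log on as this user ID; no password needed
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	acl := map[string]ed25519.PublicKey{"WAS/100": pub}
	now := time.Now()
	st := IssueTicket(priv, Ticket{"jdoe", "WAS/100", now.Unix() - 60, now.Unix() + 8*3600})
	fmt.Println(VerifyTicket(st, acl, now)) // jdoe <nil>
}
```

A tampered payload, a ticket from an issuer missing from the ACL, and an expired ticket are all rejected before any logon happens.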
Slide 16
[Diagram: the SAP Trust Center Service establishes trust between Company A and Company B.]
Slide 17
Actors: Web browser, Portal Server, SAP Trust Center Service.
1. Log on using SAP user ID and password and initiate the SAP Passport request
2. Specify naming convention and trigger key generation
3. Web browser generates key pair and sends the SAP Passport request
4. Send approved certificate request
5. Verifies naming conventions and issues certificate
6. Log on using the SAP Passport
Note: Available at GA date
Slide 19
[Diagram: the "Document content" is signed with the private key and verified with the public key; the public key is registered with a CA over the Internet, and trust in the CA connects signer and verifier.]
• Document unchanged
• Identity of the signer
• Legal certainty
Slide 20
• Application server signs (SAPSECULIB)
• Signing in SAP GUI for Windows front end (Software Partner Program SPP)
• Signing in Web browser (IE: ActiveX control, Netscape: JavaScript)
[Diagram: ABAP applications call the SSF API.]
Applications using digital signatures: Process Planning, HTTP Content Server, Public Sector
Slide 21
Very important! To be legally binding, certain requirements must be met.
1. Create document (application)
2. Show document (application / SSF >= Rel. 6.10)
3. Create signature (SSF >= Rel. 4.0)
Slide 23
[Diagram, outbound flow: the SAP application produces, for example, invoices in IDOC format (IDOCTYPE: Invoice); the Business Connector converts them into XML / EDIFACT and creates the signature, producing S/MIME PKCS#7 (XML signature).]
Slide 24
[Diagram, inbound flow: the incoming S/MIME PKCS#7 (XML signature) message is handled by the Business Connector in three steps: (1) verification of the digital signature, (2) conversion into IDOC, (3) archive; the SAP application receives, for example, invoices in IDOC format (IDOCTYPE: Invoice).]
Slide 25
[Flowchart] The MIME file contains the electronic invoice in PKCS#7 (XML with digital signature and certificate) and PDF format. The Business Connector verifies the digital signature. Verification OK? Yes: convert XML into IDOC and send to SAP System, and archive PKCS#7 and IDOC. No: return to sender with message.
Slide 26
[Flowchart] The Business Connector verifies the digital signature in two checks: (1) Is the certificate revoked by the CA? (answered by an OCSP client or from CRLs, keyed by certificate serial number SN=..) (2) Is the signature value OK? If both pass: convert XML into IDOC and send to SAP System, and archive PKCS#7, PDF and IDOC. Otherwise: return to sender with message.
Slide 27
1. Certificate Revocation List (CRL)
[Diagram: the CA (Trust Center Service) issues CRLs, lists of revoked certificate serial numbers (SN=..), into the customer landscape. During authentication / digital signature verification the question "Is the digital certificate valid?" is answered by looking the SN up in the local revocation list.]
Slide 28
2. OCSP Responder (Online Certificate Status Protocol)
[Diagram: the CA (Trust Center Service) issues CRLs to an OCSP Responder. During authentication / digital signature verification the customer landscape asks the OCSP Responder "Is the digital certificate valid?" and receives Yes / No.]
Slide 29
3. OCSP Responder & CRLs
[Diagram: the CA (Trust Center Service) issues CRLs (SN=..) both to the OCSP Responder and into the customer landscape. During authentication / digital signature verification the customer landscape asks the OCSP Responder "Is the digital certificate valid?" (Yes / No) and also holds the CRL locally.]
Slide 30
Stefanie García Laule, SAP AG
E-Mail: Security@sap.com
URL: http://service.sap.com/Security