
USR MAN Certificate Configuration V1 16Jan2012

ThyssenKrupp Mexinox CreateIT User Manual

Document Information
Customer: ContiTech Mexicana
Business Area: Basis
Project:
Process: Digital Certificate configuration
Analyzed By: Jesus Arturo Hernandez Santana
Requirement:
Required By: ContiTech Mexicana
Version No: 01 - User Manual
Approved By:
Version date: 16/Jan/2012
Developer:
Required Date:
Reviewed By:
Review date:

Distribution List
From: Jesus Arturo Hernandez Santana, Date: 16/Jan/2012, Department/Company: CreateIT

To (Action*, Due Date, Department/Company):
Guido Dobravsky (Approve, ContiTech Mexicana)
Frank Sündermann (Approve, ContiTech AG)
Nadine Hucke (Inform, CreateIT)

* Action Types: Approve, Review, Inform, Archive, Action required, Attend Meeting, Other (specify)

Version Control
Ver. No. 01, Version Date 16/Jan/2012, Reviewed by: (none), Description: User Manual, Filename: document.docx

Document Purpose

Provide detailed information about the right use of the application, in order to clarify the functionality to the final user.

Address: ThyssenKrupp Mexinox CreateIT, S.A. de C.V., Av. Eugenio Garza Sada No. 300, Lomas del Tecnológico, C.P. 78211, San Luis Potosí, SLP, México

Phone: +52 (444) 835 60 25 Internet: www.create-it.com.mx
Created by: María José Torres Becerril Page 1 of 16


Content

1 Application Use Guide (page 3)
1.1 Access (page 3)
1.2 << Modules / Procedures / Etc. >> (page 3)
1.3 Final (page 3)
2 Use Cases (page 3)
2.1 Digital Certificates concepts (page 3)
2.1.1 Certification Path (page 3)
2.1.2 Certification path validation algorithm (page 4)
2.2 Digital Certificates configuration (page 4)
2.2.1 Find out the correct Certification Path for Productive Certificate (page 4)
2.2.2 Find out the correct Certification Path for Test Certificate (page 8)
2.3 Testing Phase (page 12)
3 Signatures (page 16)


1 Application Use Guide

The objective of this document is to explain how the digital certificates are used and when they should be used to configure the digital certificate within SAP.

1.1 Access

Banco de Mexico's web page. Accessed via the Internet; no login is required. The main page can be found at http://www.banxico.org.mx/indexEn.html

SAP System. Accessed by SAP GUI; a special BASIS access is required.

SAP System Server. Accessed by a remote administration tool; user administrator access is required.

1.2 << Modules / Procedures / Etc. >>

Describe each module of the app. Find enclosed in this section the screenshots taken after logging in and the screenshots of each module showing the buttons and fields used within the process described. Describe the process of saving the changes or procedures made with the app and attach the screenshots showing the buttons and fields used within the process described.

1.3 Final

Describe the process to log out of the app or primary system. Attach the screenshots showing the buttons and fields used within the process described.

2 Use Cases

Detail the different use cases possible with the application and describe the functions of each use case. Attach the screenshots showing the buttons and fields used within the process described.

2.1 Digital Certificates concepts

2.1.1 Certification Path

A path starts with the subject certificate (ContiTech Mexicana's certificate) and proceeds through a number of intermediate certificates (SAT's certificate) up to a trusted root certificate (BANXICO's certificate). If any of them is missing, the certification path is not complete.

As several certificates may exist for the Banxico and SAT authorities, the certification path must be the correct one; otherwise the certificate will not work once it reaches the SAP system.

It is recommended that the certification path be validated bottom up, starting from the subject certificate and moving towards the root.

In Mexico, the certificate for ContiTech Mexicana was issued by the tax authority known as SAT; the SAT's certificate, in turn, was issued by Banco de Mexico, which is the root certification authority.


2.1.2 Certification path validation algorithm

In the standardized algorithm, the following steps are performed for each certificate in the path, starting from the trust anchor. If any check fails on any certificate, the algorithm terminates and path validation fails. (This is an explanatory summary of the scope of the algorithm, not a rigorous reproduction of the detailed steps.)

- The public key algorithm and parameters are checked.
- The current date/time is checked against the validity period of the certificate.
- The revocation status is checked, whether by CRL, OCSP, or some other mechanism, to ensure the certificate is not revoked.
- The issuer name is checked to ensure that it equals the subject name of the previous certificate in the path.
- Name constraints are checked, to make sure the subject name is within the permitted subtrees list of all previous CA certificates and not within the excluded subtrees list of any previous CA certificate.
- The asserted Certificate Policy OIDs are checked against the permissible OIDs as of the previous certificate, including any policy mapping equivalencies asserted by the previous certificate.
- Policy constraints and basic constraints are checked, to ensure that any explicit policy requirements are not violated and that the certificate is a CA certificate, respectively. This step is crucial in preventing some man-in-the-middle attacks.
- The path length is checked to ensure that it does not exceed any maximum path length asserted in this or a previous certificate.
- The key usage extension is checked to ensure that the certificate is allowed to sign certificates.
- Any other critical extensions are recognized and processed.

If this procedure reaches the last certificate in the chain with no name constraint or policy violations or any other error condition, then the certificate path validation algorithm terminates successfully.

2.2 Digital Certificates configuration

Three certificates are needed in order to be able to configure the final certificate in SAP:

Banxico. Downloaded from Banco de Mexico's web page; this certificate is considered the root certificate.

SAT. Downloaded from Banco de Mexico's web page; this certificate is considered an intermediate certificate.

ContiTech Mexicana. Requested by the Finance area of ContiTech Mexicana; this is the certificate at the end of the certification path.

2.2.1 Find out the correct Certification Path for Productive Certificate

The following example finds the complete certification path for a Productive certificate; this is done using the certificates provided in SAP Note 1300880 and .

The list of certificates is:

AC1_Sat (provided by Banxico's web page)
AC2_Sat (provided by Banxico's web page)
AR_SAT (provided by Banxico's web page)
00001000000200025416 (provided by the Finance department of ContiTech Mexicana)

As long as we have not completed the certification path, the subject certificate will keep showing a screen like the following when we open it (by double-clicking it):


The text in the red box says that the issuer of the certificate cannot be found.

On the General tab of the subject certificate, we can see to whom it was issued ("CONTITECH MEXICANA SA DE CV") and who issued it ("A.C. del Servicio de Administración Tributaria"):


If we check the Details tab, we can see more information about the issuer of the certificate:

In the Issuer section, we can see that the person responsible for issuing the certificate is "Celia Guillermina García Guerra", along with other information.

Now we have to find the intermediate certificate for "A.C. del Servicio de Administración Tributaria". There are two options, as described in SAP Note 1300880, so if we open both certificates (AR1 and AR2) we see the following:


Both certificates seem to be the same, but if we go to the Details tab and check the Subject section:

Here we see the difference: the persons responsible for issuing the certificate are different, "Cesar Luis Perales Tellez" and "Fernando Martinez Coss".


It is also evident that neither of them matches the responsible person in ContiTech's certificate, "Celia Guillermina García Guerra". The tax authorities are responsible for providing the correct SAT certificate, so they must be asked for the correct certificate based on the checkpoints of this example.

2.2.2 Find out the correct Certification Path for Test Certificate

The following procedure finds the complete certification path for a Test certificate, following the procedure stated in SAP Note 1300880.

The list of certificates is:

aaa010101aaa_csd_01 (provided by the SAP Note)
AC_Pba (provided by the SAP Note)
ARCBanxico_pruebas (provided by the SAP Note)

As long as we have not completed the certification path, the subject certificate will keep showing a screen like the following when we open it (by double-clicking it):

The text in the red box says that the issuer of the certificate cannot be found.

On the General tab of the subject certificate, we can see to whom it was issued ("Matriz SA") and who issued it ("A.C. de pruebas"):


If we check the Details tab, we can see more information about the issuer of the certificate:

In the Issuer section, we can see that the person responsible for issuing the certificate is "Héctor Ornelas Arciga", along with other information.


Now we have to find the intermediate certificate for "A.C. de pruebas". There is one option included in SAP Note 1300880, the certificate AC_Pba; if we open it we see the following:

We can see that the "Issued to" name is exactly the same as the one shown in the General tab of the subject certificate. Now we have to find the certificate of the "Agencia Registradora Central".

If we open the certificate ARCBanxico_pruebas, we can see the following information:


We now see that the issuer and the subject are the same; this means that we have found the root certificate.

The final test for the certification path will be to install the certificates and check the certification path tab of the subject certificate:


After installing all three certificates we can see the following:

2.2.3 Configure a Certificate in SAP

Once we have identified the correct certificates, we execute the procedure described in SAP Note 1300880, but using only the necessary certificates.

For example, for a test certificate we will only use the following files:

aaa010101aaa_csd_01.cer
aaa010101aaa_csd_01.key
AC_Pba.cer
ARCBanxico_pruebas.cer

The procedure is:

rem convert key from DER to PEM
openssl pkcs8 -inform DER -in aaa010101aaa_CSD_01.key -passin pass:a0123456789 -outform PEM -out CSD_01.key.pem -passout pass:a0123456789
rem convert certs from DER to PEM
openssl x509 -inform DER -in aaa010101aaa_CSD_01.cer -outform PEM -out CSD_01.cer.pem
openssl x509 -inform DER -in AC_Pba.cer -outform PEM -out AC_Pba.cer.pem
openssl x509 -inform DER -in ARCBanxico_pruebas.cer -outform PEM -out ARCBanxico_pruebas.cer.pem
rem append key and certs (subject, intermediate, root) into one file
copy CSD_01.key.pem+CSD_01.cer.pem+AC_Pba.cer.pem+ARCBanxico_pruebas.cer.pem CSD_01_chain.pem
rem convert pem file to pkcs12
openssl pkcs12 -in CSD_01_chain.pem -passin pass:a0123456789 -export -out CSD_01.p12 -name SAT -passout pass:a0123456789

And the PSE conversion must look like the following:

rem convert pkcs12 file to pse
sapgenpse import_p12 -p CSD_01.pse -x a0123456789 -z a0123456789 CSD_01.p12


Credential assignment is:

sapgenpse seclogin -p CSD_01.pse -x a0123456789

There is one restriction on the creation of the PSE file for SAP: its file name, as described in SAP Note 1300880.
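As an added example (not code from the manual, from SAP Note 1300880 or from SAP), the following POSIX shell script does with OpenSSL what sections 2.1.2, 2.2.1/2.2.2 and 2.2.3 describe by hand: it constructs a throwaway test PKI with two look-alike SAT-style intermediates of which only one issued the subject certificate, finds the certification path bottom-up by matching each issuer DN to a candidate's subject DN, has openssl verify run the path validation, and bundles key and path into a PKCS#12 ready for sapgenpse import_p12. All file names, subject names and the PIN test-pin are assumptions; sapgenpse itself is not invoked.

```shell
# Added example (not code from the manual or from SAP). Builds a throwaway test
# PKI mirroring the manual's situation: two look-alike SAT-style intermediates
# with the same CN but a different responsible person (OU), only one of which
# issued the subject certificate. Names, subjects and the PIN are assumptions.
set -e
WORK=$(mktemp -d); cd "$WORK"

make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout root.key \
    -out root.cer -subj "/CN=Banco de Mexico (test root)" 2>/dev/null
  for n in 1 2; do
    openssl req -new -newkey rsa:2048 -nodes -keyout ac$n.key -out ac$n.csr \
      -subj "/CN=A.C. del SAT (test)/OU=Responsable $n" 2>/dev/null
    openssl x509 -req -in ac$n.csr -CA root.cer -CAkey root.key -CAcreateserial \
      -days 1825 -extfile ca.ext -out ac$n.cer 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=CONTITECH MEXICANA SA DE CV (test)" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA ac2.cer -CAkey ac2.key -CAcreateserial \
    -days 365 -out leaf.cer 2>/dev/null      # only ac2 signs the subject cert
}

# Subject or issuer DN of a certificate, without the "subject="/"issuer=" prefix.
dn() { openssl x509 -noout -"$1" -in "$2" | sed "s/^$1= *//"; }

# Bottom-up search (section 2.1.1): from the subject certificate, take the
# candidate whose subject DN equals the current issuer DN, until a self-signed
# certificate is reached. Prints the path leaf first; fails if a link is missing.
find_path() {
  cur=$1; shift; path=$cur
  while [ "$(dn subject "$cur")" != "$(dn issuer "$cur")" ]; do
    want=$(dn issuer "$cur"); next=
    for c in "$@"; do
      if [ "$(dn subject "$c")" = "$want" ]; then next=$c; break; fi
    done
    [ -n "$next" ] || { echo "issuer not found: $want" >&2; return 1; }
    path="$path $next"; cur=$next
  done
  echo "$path"
}

# Final test (the section 2.1.2 checks, what the certification path tab shows):
# OpenSSL verifies signatures, validity periods and CA constraints on the path.
verify_path() {                      # args: leaf [intermediate...] root
  leaf=$1; shift
  for root; do :; done               # the last argument is the root
  cat "$@" > cas.pem
  openssl verify -CAfile "$root" -untrusted cas.pem "$leaf" >/dev/null
}

# Section 2.2.3 bundle: key + leaf + intermediates + root into one PKCS#12
# (the input for sapgenpse import_p12). Prints the number of certificates stored.
bundle_p12() {                       # args: key leaf [intermediate...] root
  key=$1; shift
  cat "$key" "$@" > chain.pem
  openssl pkcs12 -in chain.pem -export -name SAT -out CSD_01.p12 -passout pass:test-pin
  openssl pkcs12 -in CSD_01.p12 -passin pass:test-pin -nokeys | grep -c 'BEGIN CERT'
}

make_pki
CHAIN=$(find_path leaf.cer ac1.cer ac2.cer root.cer)   # -> leaf.cer ac2.cer root.cer
verify_path $CHAIN && echo "certification path OK: $CHAIN"
echo "certificates in PKCS#12: $(bundle_p12 leaf.key $CHAIN)"   # -> 3
```

Requires openssl on PATH; the CSD_01.p12 it writes corresponds to the manual's CSD_01.p12 and would be imported with the sapgenpse import_p12 command shown above.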

2.3 Testing Phase

The most important test is to check the credential assignment (described in SAP Note 1300880); if the credentials were not assigned correctly, the system will not be able to sign any digital invoice.

The tests start as follows; the example was taken from a real case on system Q83.

Execute report ZSSF_TEST_PSE (attached to SAP Note 800240) with transaction SE38, parameters must be the following:

No PIN must be entered and the result must not have any red status line. In the Q83 system, the result was an error like the following:

One way to double-check the PSE configuration is to execute report RSBDCOS0 and then run the following statement to check the user under which the application server runs:


The result shows that the user under which the application server runs is q83adm; we can also see that no readable credentials are available for the user q83adm:

Thus the credentials are still not assigned, or they were assigned incorrectly; to correct this situation, execute a statement like the following in the same report:

sapgenpse seclogin -p <path and PSE file name>.pse -x <PIN> -o <User ID>

For Q83 the statement should look as the following:

sapgenpse seclogin -p /usr/sap/Q83/DVEBMGS87/sec/SAPMXDI_Q83_175.pse -x a0123456789 -o q83adm

After executing this statement you can check again with:

sapgenpse seclogin -l 2>&1

The system should say that there is one readable credential; for example in our system it says:


3 Signatures

Document Version: V. 01 - User Manual
Date: 16/Jan/2012
Revision (optional):
Document Signatures: Jesus Arturo Hernandez Santana
Sign:
