
PRINT FROM SAP HELP PORTAL

Document: Trust Manager URL: http://help.sap.com/saphelp_nw70ehp3/helpdata/en/4c/5bdb17f85640f1e10000000a42189c/frameset.htm Date created: September 05, 2013

2013 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Note This PDF document contains the selected topic and its subtopics (max. 150) in the selected structure. Subtopics from other structures are not included.

PUBLIC 2013 SAP AG or an SAP affiliate company. All rights reserved.

Page 1 of 20

Trust Manager
Use
Establishing solid trust relationships is vital to the success of your business transactions, especially with the use of the Internet, where company borders are not transparent. Therefore, many SAP applications rely on the use of public-key technology to establish the trust infrastructure that is necessary for successful business relationships.

Public-Key Technology Support with the AS ABAP
Examples of public-key technology support with SAP NetWeaver Application Server (AS) ABAP include the following:

System digital signatures
At start-up, each AS ABAP is supplied with a public and private key pair and a certificate that are stored in its own system Personal Security Environment (PSE). The AS ABAP can therefore produce its own digital signatures using the key information contained in its system PSE. Other systems can then verify the system's digital signature, which guarantees the integrity and authenticity of a document that has been digitally signed by the system.

Example
For example, you can use logon tickets for user authentication on the AS ABAP. The AS ABAP digitally signs the user's logon ticket after successful authentication. Instead of re-authenticating the user with a user ID and password, other systems can allow the user access after verifying the AS ABAP's digital signature provided with the user's logon ticket.

Support for Secure Network Communications
For the SAP protocols DIAG and RFC, the Secure Network Communications (SNC) interface provides secure communication. SNC uses an external security product to secure communications, whereby the SAP Cryptographic Library is provided as a default product for server-to-server communications within an SAP system landscape. When using the SAP Cryptographic Library, the system also stores the corresponding public and private key pair in the SNC PSE.

Support for the Secure Sockets Layer (SSL) Protocol
The AS ABAP supports the Secure Sockets Layer (SSL) protocol, which provides security when using Internet protocols such as HTTP. The security provided includes encrypted communications as well as authentication between the communication partners. In this case, the application server must also possess a public and private key pair to use for SSL communications.

Web Services Security (WS-Security)
Web services support digital signatures and encryption for Simple Object Access Protocol (SOAP) messages. In this case, the public and private keys used by the Web services are stored in corresponding PSEs.

Secure Store and Forward Mechanisms (SSF)
SAP systems support the use of an external security product using the SSF mechanisms. By using SSF, applications can support the use of digital signatures and document encryption in their processing.

Certificate revocation checks
The AS ABAP enables applications that check digital signatures and encrypt data to check certificate revocation lists for certificates that have been revoked by Certification Authorities (CAs). This ensures that the AS ABAP only accepts certificates that are valid and current.

E-mails with digital signature and encryption with S/MIME
The signature and encryption feature that is embedded in the AS ABAP enables you to send and receive e-mails with signature and/or encryption. You can configure S/MIME in the trust manager.

Managing the Public-Key Information Using the Trust Manager
To manage the public-key information necessary for these and other scenarios, use the trust manager. The trust manager performs the PSE and certificate maintenance functions such as generating key pairs, creating certificate requests to be signed by a CA, and maintaining the list of trusted CAs that the server accepts.

Prerequisites
You have an understanding of public-key technology and the terminology listed under Terminology and Abbreviations. To create SSL, SNC, or WS-Security PSEs, you must have installed the SAP Cryptographic Library. For more information, see Configuring the AS ABAP for Supporting SSL and Installing the SAP Cryptographic Library (SAP Web AS).

Integration
Use the trust manager to maintain the public-key information for the types of PSEs used by SAP applications. For example:
- System PSE
- SNC PSE, if you use the SAP Cryptographic Library as the security product
- PSEs used for SSL-protected communications:
  - SSL server PSEs
  - SSL client PSEs
- WS-Security PSEs
- S/MIME PSEs
- Arbitrary file PSEs
- PSEs used by SSF applications that use the SAP Security Library or SAP Cryptographic Library as the security product. You cannot use the trust manager to maintain PSEs for SSF applications that use a different security product.

SSF applications are applications for which the security information is specified in the table SSFARGS. They include the SSF default application and various applications that use specific information, for example, the HTTP Content Server or the AS ABAP application for using logon tickets.

Note
You can store SSF application PSEs in the following locations:
- In the database, whereby a copy of the PSE is distributed to the system's application servers.
- In the file system, where it can be accessed at the operating system level. (The PSE must be located in a globally accessible directory.)


Activities
The trust manager provides functions for:
- Generating key pairs and corresponding certificate requests
- Importing the certificate request response into a PSE
- PSE maintenance (for example, creating, displaying, and deleting PSEs, as well as monitoring the status of PSEs)
- Maintaining a PSE's certificate list
- Generating a verification PSE (a PSE that can only be used to verify the subject's digital signature)
- Assigning a PIN to PSEs, which also creates credentials for the server so that the server can access a protected PSE at runtime
- Distributing a PSE to the individual application servers
- Importing PSEs (PKCS#12, PKCS#8, and PSE) and exporting PSEs (PKCS#12)
- Importing, parsing, and exporting certificates
- Checking certificates against certificate revocation lists (CRL) and manually changing the certificate status
- Configuring e-mails with S/MIME for digital signatures and/or encryption

Example
Use the trust manager to generate key pairs for the application servers that are to support SSL. You can then have the system create the corresponding certificate requests, which you send to a CA to be signed. Once you have received a response from the CA, use the trust manager to import the signed public-key certificate into the system's SSL server PSE. You can also use the trust manager to maintain the list of trusted CAs (certificate list) from which you accept public-key certificates to use for the SSL connection.

More Information
For more information about using public-key technology with the AS ABAP, see the following:
- Public-Key Technology
- SSF User's Guide
- Using the SAP Cryptographic Library for SNC
- Secure E-Mails with Digital Signature and Encryption with S/MIME

Getting Started with the Trust Manager


Prerequisites
To maintain SSF PSEs that use the SAP Security Library or the SAP Cryptographic Library as the security product, you must first maintain the applications in transaction SSFA. The SAP Cryptographic Library must be installed for the nodes for the SSL, SNC, and WS-Security PSEs to appear.

Structure
The Trust Manager Screen
The figure below depicts the sections of the trust manager screen (transaction STRUST).

Figure 1: Sections of the Trust Manager Screen

PSE Status
In the Trust Manager screen, the PSE status frame (left frame) displays the PSEs defined for the system. The table below lists the PSE status icons and their meaning.


Icon    Description
(icon)  PSE exists for distribution to all application servers
(icon)  PSE does not exist in the database
(icon)  PSE that exists as a file
(icon)  The PSE is defined as a file, but does not exist
(icon)  Link to the system PSE

You can check the status of the PSE on each of the servers of the cluster. For more information, see Checking the Local Status of Distributed PSEs.

PSE Maintenance
The PSE maintenance section (upper right) displays the PSE information about the PSE that you selected.

Certificate
The certificate section (lower right) displays certificate information about a certificate that you selected or imported.

Note
The PSE maintenance section and the certificate section are independent of one another. If you display a PSE in the PSE maintenance section, the trust manager does not automatically display the server's certificate in the certificate section. For more information, see Selecting Certificates.

Selecting Certificates
Context
Use the Certificate section to maintain certificate lists. Once selected or imported, the certificate appears in the Certificate section. Use the Certificate section as a "clipboard" for certificates. Once a certificate appears in the Certificate section, you can perform operations on the certificate.

Procedure
1. Start the trust manager (transaction STRUST).
2. Find the certificate you want to work with. The certificates are either in a PSE or you must import them from a source.
   PSE certificates:
   1. Double-click a PSE.
   2. Double-click a certificate.
   Imported certificates:
   1. In the Certificate section, choose the import pushbutton.
   2. Enter data as required.

Results
The system displays the certificate in the Certificate section. The certificate may or may not be associated with the PSE displayed in the PSE maintenance section.

Example
You double-click a PSE to load it into the PSE maintenance section. Then you import a certificate from the file system. The certificate is not in the certificate list of the PSE until you add it to the certificate list. You can double-click another PSE to load it into the PSE maintenance section without affecting the certificate displayed in the Certificate section.

PSE Types
You can maintain the following PSE types using the trust manager:
- System PSE
- SNC PSE
- SSL Server PSEs
- SSL Client PSEs
- WS-Security PSEs
- File PSE
- SSF Application PSEs

System PSE
Definition
Personal security environment for the AS ABAP to use for digital signature functions.

Use
The AS ABAP uses its system PSE to create and verify digital signatures. However, it cannot use the system PSE for encrypting information.

Structure


The system PSE contains the system's security information including its public and private key pair and the corresponding certificate list.

Integration
The system PSE is created during the system's installation process and stored in the file $(DIR_INSTANCE)/sec/SAPSYS.pse. When creating the system PSE, the system creates a single PSE and distributes it to all of its application servers.

SNC PSE
Definition
The application server's PSE for securing communications using Secure Network Communications (SNC) when you use the SAP Cryptographic Library as the security product.

Use
Use SNC to protect connections where the SAP protocols are used, for example, RFC and DIAG. (Note, however, that you cannot use the SAP Cryptographic Library on client components such as SAP GUI for Windows.) Use SSL to protect HTTP connections.

Structure
The SNC PSE contains the server's security information to use for securing the SNC connection. This information includes the server's public and private key and the corresponding certificate list.

Integration
When you create the SNC PSE, the system generates a single PSE for the system that is distributed to all of the application servers. The system stores the PSE in the file $(DIR_INSTANCE)/sec/SAPSNCS.pse.

SSL Server PSEs


Definition
The application server's PSE for securing HTTP communications using the SSL protocol (HTTPS connections) when the application server is the server component for the communication.

Note
If the AS ABAP also communicates as a client component, then it uses one of the SSL client PSEs when establishing the HTTPS connection.

Use
You can set up different SSL server PSEs to use for different connections. These are referred to as SSL server identities. Each SSL identity possesses its own SSL server PSE. There is a standard identity that uses the standard SSL server PSE.

Structure
This PSE contains the application server's security information including its key pair and its corresponding certificate list. The certificate list contains the list of Certification Authorities (CAs) that the server trusts. The SSL server PSE's certificate list should be quite restrictive and contain only those public-key certificates from the CAs that the server accepts.

Integration
When you create an SSL server PSE for an identity, the system generates a default PSE. Alternatively you can create individual SSL server PSEs for specific servers. The system then distributes the PSEs to the application servers accordingly. The application servers that are not assigned an individual SSL server PSE receive the default SSL server PSE for the identity. The standard SSL server PSE is stored in the file $(DIR_INSTANCE)/sec/SAPSSLS.pse on each application server. Each additional SSL server PSE is stored in the file $(DIR_INSTANCE)/sec/SAPSSLS_<Identity>.pse.

SSL Client PSEs


Definition
The application server's PSEs to use for securing communications with the SSL protocol when the application server is the client component for the communication.

Use
There are three different types of SSL client PSEs that the server can use:

Anonymous SSL Client PSE
The application server uses the anonymous SSL client PSE to connect to other Web servers where only server-side authentication is used. It does not use it for its own authentication.

Standard SSL Client PSE
The SAP Web AS uses the standard SSL client PSE to authenticate itself on other Web servers when SSL client authentication is used and where no individual SSL client PSE is specified to use for the connection.

Individual SSL Client PSEs
The SAP Web AS can also use additional individual SSL client PSEs for authenticating itself on other Web servers. By using these PSEs, you can specify different "identities" for the application server to use for different services.

If the SAP Web AS communicates as the server component for the SSL connection, then it uses the SSL server PSE to establish the HTTPS connection.

Structure
The SSL client PSEs contain the application server's security information, which includes the public and private key pair to use for the particular identity and the corresponding certificate list.

Integration
When you create an SSL client PSE, the system creates a single PSE for the system that is distributed to all of the application servers. The system stores the PSEs in the directory $(DIR_INSTANCE)/sec. The file names for the PSEs are:
- Anonymous: SAPSSLA.pse
- Standard: SAPSSLC.pse
- Individual: SAPSSL<name>.pse

WS-Security PSEs
Definition
The application server's PSEs to use for WS-Security (digital signatures and encryption).

Use
You can set up different WS-Security PSEs to use for different Web services. These are referred to as WS-Security identities. Each WS-Security identity possesses its own PSE. There is a standard identity that uses the standard WS-Security PSE.

Note
WS-Security PSEs use only the Rivest-Shamir-Adleman (RSA) algorithm.

Structure
This PSE contains the application server's security information including its key pair and its corresponding certificate list. The certificate list contains the list of Certification Authorities (CAs) that the server trusts when using the Web service(s) that use this PSE.

Integration
When you create a WS-Security PSE, the system creates a single PSE that is distributed to all of the application servers. The standard WS-Security PSE is stored in the file $(DIR_INSTANCE)/sec/SAPWSSE.pse. Each additional WS-Security PSE is stored in the file $(DIR_INSTANCE)/sec/SAPWSSE_<Identity>.pse.

File PSE
Definition
An arbitrary PSE that is stored locally in a file.

Use
A file PSE contains security information (key pair and certificate list) that is stored in a local file in the file system. The file PSE can be used for creating and verifying digital signatures, but not for encryption.

SSF Application PSEs


Definition
PSEs that are specified to be used for SSF applications.

Use
The various SSF applications may use different PSEs to obtain the security information that they need. For example, the HTTP Content Server uses a different PSE than the SAP Web AS uses to sign logon tickets.

Integration
The various SSF applications are defined in SSF Customizing using the transaction SSFA. An SSF application may also use the SSF default PSE. When defining an SSF application PSE in transaction SSFA, you specify that the PSE should either be stored in the database and distributed to the application servers or stored as a file in the file system with no distribution. You can maintain any of the SSF application PSEs that use the SAP Security Library or the SAP Cryptographic Library using the trust manager, including the SSF default PSE. For more information on maintaining the SSF applications, see the SSF User's Guide.

Creating PSEs and Maintaining the PSE Infrastructure


Use
Use the functions described below to maintain the PSE infrastructure, which includes creating, replacing, or deleting the various PSEs, and checking their status.

Prerequisites
The PSE is one of the following:
- System PSE
- SNC PSE (if the SAP Cryptographic Library is used as the security product)
- SSL server PSE (if the SAP Cryptographic Library is used as the security product)
- SSL client PSE (if the SAP Cryptographic Library is used as the security product)
- WS-Security PSE (if the SAP Cryptographic Library is used as the security product)
- S/MIME identity PSE (if the SAP Cryptographic Library is used as the security product)
- File PSE
- SSF application PSE (for applications that use the SAP Security Library or SAP Cryptographic Library as the security product)

Procedure
To access the trust manager, use the transaction STRUST. The following functions for maintaining the PSE infrastructure are then available from the Trust Manager screen.

Note
The context menu (right mouse button) only shows the functions that are active for the PSE that you select.

Function: Check the status of a single PSE
Choose: Context menu: Check
What you should know: This function only applies to PSEs that are stored in the database and distributed to the application servers. The PSE node must be expanded to be checked. Expanding the node also automatically initiates the check. For more information, see Checking the Local Status of Distributed PSEs.

Function: Create a PSE
Choose: Context menu: Create
What you should know: This function creates a PSE and initiates distribution (if applicable). See also Creating or Replacing a PSE.

Function: Distribute a PSE
Choose: Context menu: Distribute
What you should know: This function distributes the selected PSE to the system's application servers. Depending on the PSE type, the system distributes either a single PSE to all servers (for example, the system PSE), or it distributes a server-dependent PSE (the SSL server PSE).

Function: Replace a PSE
Choose: Context menu: Replace
What you should know: This function generates a new PSE and distributes it automatically to the servers.

Function: Delete a PSE
Choose: Context menu: Delete
What you should know: If the PSE is stored in the database and distributed, then the local copies of the PSE are also deleted.

Function: Change PSEs
Choose: Context menu: Change
What you should know: For the SSL server PSE only:
- Create new PSEs or assign existing PSEs on individual servers where a PSE is missing (for example, if you have installed a new application server for the system).
- Change the current configuration (for example, reassign which servers receive individual PSEs and which receive the default PSE).

Function: Import a PSE
Choose: Menu: PSE → Import
What you should know: Import a PSE from the file system.

Function: Export a PSE
Choose: Menu: PSE → Export
What you should know: Export a PSE to the file system.

Function: Save a PSE as a different PSE
Choose: Menu: PSE → Save As...
What you should know: You can save a PSE as:
- The system PSE
- An SSF application PSE
- A file PSE (export)

Function: Check the status of all local PSEs (for all expanded nodes)
Choose: Menu: PSE → Check All PSEs
What you should know: This function also only applies to PSEs that are stored in the database and distributed to the application servers. For more information, see Checking the Local Status of Distributed PSEs.

Function: Distribute all PSEs
Choose: Menu: PSE → Distribute All PSEs
What you should know: This function distributes all of the PSEs to the system's application servers.

Checking the Local Status of Distributed PSEs


You can check the local status of distributed PSEs as follows:
- To check the local status of a PSE that has been distributed to individual application servers, expand the PSE node. The system automatically initiates the status check.
- To refresh the status of a single PSE, select the PSE and choose Check from the context menu.
- To refresh the status of all expanded PSE nodes, choose the menu item PSE → Check All PSEs.

The status of the locally stored PSE is indicated as follows:

Icon    Meaning
(icon)  Status of the PSE has not yet been checked
(icon)  PSE OK
(icon)  Error in the attempt to check the PSE
(icon)  PSE is corrupt

Possible Status Messages                    Possible Actions to Correct Errors
None                                        Not applicable
Local PSE OK                                Not applicable
RFC connection failed                       Test and repair the RFC connection.
Local PSE does not match PSE in database    Redistribute the database PSE.
SAPSECULIB not found                        Reinstall the SAP Cryptographic Library or the SAP Security Library.
Error in the test signature                 Reinstall the SAP Cryptographic Library or the SAP Security Library.
Unknown status                              Redistribute the database PSE.

To display the status message, choose the application server (double-click). The status message is then displayed in the SAP GUI's message bar. The system uses the SAP Cryptographic Library by default. If the SAP Cryptographic Library has not been installed, then it uses the SAP Security Library, which is delivered with the SAP System. If neither library is accessible, then the error message SAPSECULIB not found occurs.

Creating or Replacing a PSE


Use
Use the procedure below to create or replace a PSE. For example, you may have to replace a PSE when the public-key certificate contained in the PSE is about to expire.

Note
We recommend using the report SSFALRTEXP to automatically receive a system log message and alert in CCMS for certificates contained in the various PSEs that are about to expire. Alternatively, we also provide the report SSF_ALERTCERTEXPIRE that you can use manually or plan as a background job. For more information, see SAP Note 572035.

Prerequisites
You know the syntax for the server's Distinguished Name (DN). For more information, see the tables below.

Distinguished Name Parts

DN Part   Definition                       Examples
CN        Common Name                      <SID>
OU        Organizational Unit (optional)   Department name
O         Organization                     Company name
C         Country                          USA: US; Germany: DE

Requirements for the Server's Distinguished Name per PSE Type

PSE: System PSE
Requirement: Default Distinguished Name: CN=<SID>
If no system PSE exists when the application server is started, then the system automatically creates the public-key certificate for the system PSE using the Distinguished Name CN=<SID>. If you replace this PSE, you can freely choose the new Distinguished Name.

PSE: SNC PSE
Requirement: The Distinguished Name must correspond to snc/identity/as
The Distinguished Name used for the SNC PSE's public-key certificate must match the Distinguished Name part of the server's SNC name (without the p:), which is specified in the application server's profile parameter snc/identity/as.

PSE: SSL Server PSE
Requirement: CN part of Distinguished Name: CN=<fully_qualified_host_name>
The Common Name (CN) part of the Distinguished Name for the SSL server PSE's public-key certificate must correspond to the fully qualified host name that users will use to access the application server, for example, CN=host123.mycompany.com.

PSE: Anonymous SSL Client PSE
Requirement: Distinguished Name: CN=anonymous
The system automatically uses the Distinguished Name CN=anonymous for the anonymous SSL client PSE's public-key certificate. You cannot change this name. In addition, the application server cannot use this identity to authenticate itself.

PSE: All Other PSEs
Requirement: Distinguished Name: No special requirements
You can freely choose the Distinguished Name for the public-key certificates stored in the rest of the PSEs.

When Using the SAP CA
If you use the SAP CA as the issuing CA, then the rest of the Distinguished Name (not the CN part) must be:

OU=I<customer_number>-<company_name>, OU=SAP Web Application Server, O=SAP Trust Community, C=DE

For the first OU (Organizational Unit) part, you specify your customer number only. The SAP CA automatically extends the OU part to include your company name.
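As an added example (not SAP code and not the trust manager's own logic), the following Python check applies the Distinguished Name requirements from the table above and the SAP CA name-space rule to a planned DN before a PSE is created or replaced. It assumes the simple comma-separated DN string form used on this page (no escaped commas in values); the PSE-type constants, the function names, and the host names and SNC identities in the usage section are this example's own.

```python
"""Check a planned PSE Distinguished Name against the per-PSE-type requirements.

Added example, not SAP code. Assumes DNs are written as on this page:
'CN=..., OU=..., O=..., C=...' with no escaped commas inside values.
"""

# PSE types as named by this example (not SAP identifiers).
SNC = "snc"
SSL_SERVER = "ssl_server"
SSL_CLIENT_ANONYMOUS = "ssl_client_anonymous"
OTHER = "other"  # system PSE, other SSL client, WS-Security, S/MIME, file, SSF PSEs

# Suffix the SAP CA requires after the first OU (customer number) part.
SAP_CA_SUFFIX = [("OU", "SAP Web Application Server"),
                 ("O", "SAP Trust Community"),
                 ("C", "DE")]


def parse_dn(dn):
    """Split 'CN=MY1, O=MyCompany, C=US' into [('CN','MY1'), ('O','MyCompany'), ('C','US')].
    Attribute types are upper-cased and values stripped, so that comparisons
    are insensitive to spacing and to the case of the attribute names."""
    parts = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError("malformed DN component: %r" % rdn)
        attr, value = rdn.split("=", 1)
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def check_pse_dn(pse_type, dn, snc_identity_as=None, host_name=None):
    """Return a list of findings; an empty list means the DN meets the requirement."""
    parts = parse_dn(dn)
    cn_values = [value for attr, value in parts if attr == "CN"]
    findings = []
    if pse_type == SNC:
        # The DN must equal the SNC name from snc/identity/as without its 'p:' prefix.
        if snc_identity_as is None:
            return ["snc/identity/as value not supplied"]
        expected = snc_identity_as[2:] if snc_identity_as.startswith("p:") else snc_identity_as
        if parse_dn(expected) != parts:
            findings.append("SNC PSE DN %r does not match snc/identity/as (%r)" % (dn, expected))
    elif pse_type == SSL_SERVER:
        # The CN must be the fully qualified host name users use to reach the server.
        if host_name is None:
            return ["fully qualified host name not supplied"]
        if not cn_values or cn_values[0].lower() != host_name.lower():
            findings.append("SSL server PSE CN %r is not the host name %r" % (cn_values, host_name))
    elif pse_type == SSL_CLIENT_ANONYMOUS:
        # Fixed by the system; nothing else may appear in the DN.
        if parts != [("CN", "anonymous")]:
            findings.append("anonymous SSL client PSE must use exactly CN=anonymous")
    elif pse_type != OTHER:
        raise ValueError("unknown PSE type %r" % pse_type)
    return findings


def sap_ca_name_space_ok(dn, customer_number):
    """True if everything after the CN is the suffix the SAP CA requires:
    OU=I<customer_number>[-<company_name>], OU=SAP Web Application Server,
    O=SAP Trust Community, C=DE. The company name is appended by the SAP CA
    itself, so both the bare customer number and the extended form pass."""
    parts = parse_dn(dn)
    if len(parts) != 5 or parts[0][0] != "CN":
        return False
    attr, value = parts[1]
    if attr != "OU" or value.split("-", 1)[0] != "I" + customer_number:
        return False
    return parts[2:] == SAP_CA_SUFFIX


if __name__ == "__main__":
    # Constructed sample values; the host name and SNC identity are this example's own.
    print(check_pse_dn(SNC, "CN=MY1, O=MyCompany, C=US",
                       snc_identity_as="p:CN=MY1, O=MyCompany, C=US"))
    print(check_pse_dn(SSL_SERVER, "CN=host123, O=MyCompany, C=US",
                       host_name="host123.mycompany.com"))
    print(sap_ca_name_space_ok(
        "CN=MY1, OU=I0120007965, OU=SAP Web Application Server, O=SAP Trust Community, C=DE",
        "0120007965"))
```

The SNC comparison deliberately compares the whole parsed DN, not just the CN, because the profile parameter carries the complete name; the SSL server comparison is case-insensitive on the host name only, since host names are, while the rest of the DN is left to the operator.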

Procedure
From the Trust Manager screen:
1. Select the desired PSE node.
2. Using the context menu, choose Create (if no PSE exists) or Replace. The <Create/Replace> PSE dialog appears.
3. Enter the components of the system's Distinguished Name in the corresponding fields. If you use a reference to a CA name space, the system automatically includes those components of the CA's Distinguished Name in the newly generated name. See the table and examples below.
4. Choose Enter.

Note
If you are creating an SSL server PSE, then the system generates a default system-wide Distinguished Name and then provides you with a list of possible server-specific names. For each application server, you can then choose to use either the server-specific Distinguished Name or you can use the system-wide name. For more information, see Creating the SSL Server PSE.

Distinguished Name Parts

Field: Name
DN Part: CN
Input: <Common_Name>
Comment: For example, <SID>.

Field: Org. (opt.)
DN Part: OU
Input: <Organizational_Unit>
Comment: For example, the department name. Input is optional. Default=<installation_number>.

Field: Comp./Org.
DN Part: OU or O
Input: <Organizational_Unit> or <Organization>
Comment: If you use a reference to a CA name space, the system uses the input for this field as an additional OU part. Otherwise, it uses this entry for the O part. The default entry is the OU part when using the SAP CA: SAP Web Application Server. Use the toggle function (pushbutton) to activate or deactivate the reference to a CA name space.

Field: Country
DN Part: C
Input: <Country>
Comment: Input is only available if you do not use a reference to a CA name space.

Field: CA
DN Part: Not applicable
Input: <CA_Name_Space>
Comment: Input is available if you use a reference to a CA. Enter the CA's name space. The default entry is the name space for the SAP CA (O=SAP Trust Community, C=DE). The server or system's Distinguished Name is then generated using this extension. See the examples below.

Tip
Example 1: Reference to the SAP CA Name Space
The following example uses the input provided and a reference to the SAP CA name space:
- Name = MY1
- Org. (opt.) = I0120007965 (default)
- Company = SAP Web Application Server (default)
- CA Reference = O=SAP Trust Community, C=DE (default)
The trust manager then generates a public-key certificate with the Distinguished Name CN=MY1, OU=I0120007965, OU=SAP Web Application Server, O=SAP Trust Community, C=DE.

Example 2: No Reference to a CA Name Space
The following example does not use a reference to a CA name space. Input:
- Name = MY1
- Company = MyCompany
- Country = US
The Distinguished Name is then CN=MY1, O=MyCompany, C=US.
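The following added Python example (not SAP code; the dialog itself is an ABAP transaction) reproduces how the Create/Replace PSE dialog turns its input fields into a Distinguished Name, including the change in meaning of the Comp./Org. field and the disabling of the Country field when a CA name-space reference is active. The function and constant names are this example's own; the SAP CA defaults are the values given in the table above, and the customer number in the usage is the one from Example 1.

```python
"""Assemble the DN the Create/Replace PSE dialog generates from its fields.

Added example, not SAP code. Field semantics follow the Distinguished Name Parts
table: with a CA reference, Comp./Org. becomes an extra OU and Country is not
used; without one, Comp./Org. becomes the O part and Country the C part.
"""

# Defaults the page states for the SAP CA.
SAP_CA_NAME_SPACE = "O=SAP Trust Community, C=DE"
SAP_CA_COMP_ORG = "SAP Web Application Server"


def build_dn(name, org_opt=None, comp_org=None, country=None, ca_reference=None):
    """Return the generated DN string.

    name         -> CN part (mandatory)
    org_opt      -> optional OU part (department, or I<installation_number>)
    comp_org     -> extra OU part when ca_reference is set, otherwise the O part
    country      -> C part; ignored when a CA reference is used (field disabled)
    ca_reference -> CA name space appended as-is, e.g. 'O=SAP Trust Community, C=DE'
    """
    if not name:
        raise ValueError("Name (CN) is mandatory")
    parts = ["CN=%s" % name]
    if org_opt:
        parts.append("OU=%s" % org_opt)
    if ca_reference:
        if comp_org:
            parts.append("OU=%s" % comp_org)
        parts.append(ca_reference)
    else:
        if not comp_org or not country:
            raise ValueError("Comp./Org. and Country are required without a CA reference")
        parts.append("O=%s" % comp_org)
        parts.append("C=%s" % country)
    return ", ".join(parts)


def build_sap_ca_dn(name, customer_number):
    """DN for a request to the SAP CA using the dialog defaults (Example 1 above):
    the first OU carries only the customer number; the SAP CA appends the company name."""
    return build_dn(name,
                    org_opt="I" + customer_number,
                    comp_org=SAP_CA_COMP_ORG,
                    ca_reference=SAP_CA_NAME_SPACE)


if __name__ == "__main__":
    print(build_sap_ca_dn("MY1", "0120007965"))            # Example 1
    print(build_dn("MY1", comp_org="MyCompany", country="US"))  # Example 2
```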

Result
The system creates a new public and private key pair and self-signed public-key certificate that are stored in the PSE. If the PSE is stored in the database and should be distributed, then the system automatically distributes the PSE to the individual application servers.


Maintaining PSEs
Use
To maintain a specific PSE, select the PSE with a double-click. The PSE information appears in the PSE maintenance section (upper right).

Caution
All changes only apply after saving the data.

Activities
- Having PSE Certificates Signed by a CA
- Creating Verification PSEs
- Protecting PSEs with Passwords

Having PSE Certificates Signed by a CA


Context
Self-signed certificates can be easier to implement in simple scenarios, for example when configuring trust between a few components. Other scenarios might require the PSE certificate to be trusted by a multitude of browsers. In such cases, have your PSE certificates signed by a certificate authority (CA). A certificate request and corresponding response belong to a specific key pair and PSE. You can therefore only import the response into the PSE for which the request was generated. For example, if you generate a new PSE after you have already sent a certificate request to a CA, then the response you receive is invalid and cannot be imported into the new PSE.

Procedure
1. Start the trust manager (transaction STRUST).
2. Select a PSE.
3. Choose PSE → Create Certificate Request.
4. Save the request and send it to a CA.
5. After receiving the certificate request response from the CA, choose PSE → Import Certificate Response.

Note
The certificate request response must be in the format PKCS#7 certificate chain, which contains the certificates of both the requester and the issuing CA. However, if the response contains only the requester's certificate in PEM (Privacy Enhanced Mail) format and no CA certificate, then the system builds the correct format. The root certificate of the issuing CA must exist in the certificate store. For more information, see Maintaining Certificates in the Database.

6. Save your entries.

Results
The new certificate does not automatically appear in the Certificate section. However, the text (Self-Signed) should disappear from the PSE maintenance section. To view the certificate, double-click the certificate in the Owner field of the Own Certificate section. The certificate appears in the Certificate section.

Creating Verification PSEs


Context
This function generates a verification PSE for the selected PSE that contains the PSE's own certificate and the certificates you select from the certificate list. You can then distribute and use this verification PSE to verify the digital signatures created by the corresponding certificate owners. For example, with this function you can export the public-key certificate and the certificate list and import the verification PSE into other systems so they can accept logon tickets from your system.

Procedure
1. Start the trust manager (transaction STRUST).
2. Select a PSE.
3. Choose PSE -> Create Verification PSE.

Protecting PSEs with Passwords


Context
Use this procedure to further protect a personal security environment (PSE) from unauthorized access. You can only maintain a password-protected PSE with the trust manager after providing the password. The system uses this password to create encrypted credentials for the server.

Caution
If you forget the password, you can no longer maintain the PSE using the trust manager.

Procedure
1. Start the trust manager (transaction STRUST).
2. Select a PSE.
3. Choose the Password pushbutton.
4. Enter data as required.
5. Save your entries.

Adding Certificates to PSE Certificate Lists


Context
The certificate list contains the corresponding public-key certificates for the issuing CAs that the server should accept. For example, for the system to accept certificates signed by the SAP CA, the system PSE's certificate list must contain the SAP CA's public-key certificate.

Caution
All changes only apply after saving the data.

Procedure
1. Start the trust manager (transaction STRUST).
2. Select a certificate. For more information, see Selecting Certificates.
3. Double-click a PSE.
4. Choose the Add to Certificate List pushbutton.
5. Save your entries.

Maintaining the PSE Certificate List


Use
The certificate list contains the corresponding public-key certificates for the issuing CAs that the server should accept. For example, for the system to accept certificates signed by the SAP CA, the system PSE's certificate list must contain the SAP CA's public-key certificate. Not only can you add and remove certificates from the certificate list, but you can maintain the revocation status of the certificates, too.

Caution
All changes only apply after saving the data.

Adding the SAP CA Certificate to PSE Certificate Lists


Procedure
1. Start the trust manager (transaction STRUST).
2. Select a PSE by double-clicking.
3. Choose Certificate -> SAP Portal CA (DSA).
4. Choose the Add to Certificate List pushbutton.
5. Save your entries.

Certificate Revocation
Use
SAP NetWeaver Application Server (AS) ABAP enables applications that check digital signatures and encrypt data to check certificate revocation lists for certificates that have been revoked by certificate authorities (CA). This ensures that the AS ABAP only accepts certificates that are valid and current. For more information, see Certificate Revocation.

Enabling Certificate Revocation


Prerequisites
You know which certificate authority (CA) issues the CRLs you want to check. You know which CRL profile your applications use to check the CRLs.

Context
Before SAP NetWeaver Application Server (AS) ABAP can check for revoked certificates in certificate revocation lists (CRLs), you must make sure the AS ABAP is configured to perform such checks.

Procedure
1. Ensure that the SSF Certificate Revocation PSE exists.
   1. Start the trust manager (transaction STRUST).
   2. Check whether the SSF Certificate Revocation PSE appears in the PSE status list. If the PSE does not appear there, do the following:
      1. In the Change View "Application-Specific SSF Parameters" screen (transaction SSFA), add the Certificate Revocation (CREVOC) application. For more information, see Maintaining Application-Specific Information.
      2. In the trust manager, create the PSE. For more information, see Creating or Replacing a PSE.
2. Add the public-key signing certificates of the CAs that sign the CRLs you want your applications to check to the SSF Certificate Revocation PSE. For more information, see Adding Certificates to PSE Certificate Lists.
3. Configure the CRL profiles used by your applications to be active. For more information, see Configuring Profiles for Certificate Revocation.

Checking the Revocation Status of Certificates


Context
Use this procedure to check how the revocation check function of the trust manager evaluates a certificate with a given profile.

Procedure
1. Start the trust manager (transaction STRUST).
2. Select a certificate so that it appears in the Certificate area of the screen.
3. Choose Certificate -> Check Block Status.
4. Choose a profile. Only active profiles appear in the list.
5. Choose the Check pushbutton.

Results
The revocation check returns a status. When an application performs the status check, the application determines whether it accepts the certificate or not. If accepted, the application continues with whatever operation it is designed to do: verify digital signatures or encrypt data. If not accepted, the application should throw an exception. How the application handles the exception depends on the application. See the table below.

Status    | Description | Certificate acceptance
GOOD      | The certificate does not appear in any certificate revocation list (CRL). | Certificate is accepted.
REVOKED   | The certificate appears either in the manual revocation list or in the CRL of the CA. | Certificate is not accepted.
UNKNOWN   | The revocation check has a source for the CRL but cannot reach it (network error or file not found). The validity of the certificate depends on whether the Strict flag of the profile is set. | If the profile is strict, the certificate is not accepted. If the profile is not strict, the certificate is accepted.
HOLD      | CAs list certificates in CRLs with the value HOLD to indicate that the CA does not want to permanently revoke the certificate. The CA may remove the certificate from the revocation list in the future. | Certificate is not accepted.
UNCHECKED | The profile used to check the certificate is not active. The system does not perform a certificate revocation check. | Certificate is accepted.

Blocking Certificates
Context
Use this procedure to designate certificates as untrustworthy for your SAP NetWeaver Application Server (AS) ABAP before the expiration date set by the certificate authority (CA). Once declared untrustworthy, the AS ABAP no longer accepts the certificate, even if the CA still considers it valid. Reasons to block certificates include the following:
- Security was compromised and someone has access to a user's private key.
- You want to replace a certificate with a new one before the old one has expired.
For more information, see Certificate Revocation.
The AS ABAP enables you to either block individual certificates by issuer, subject, and serial number, or block all certificates from a given issuer with a given subject that were issued before a given date.

Procedure
1. Start the trust manager (transaction STRUST).
2. Select a certificate. For more information, see Selecting Certificates.
3. Choose Certificate -> Block Manually.
4. Determine whether you want to block only this particular certificate or all certificates for this issuer and subject issued before the date and time you enter.
5. Save your entries.

Results
Next time the certificate revocation check checks this certificate, it returns a failure to the application calling the check, as long as the profile the application uses is active. You can undo the blocking of the certificate. For more information, see Changing the Revocation Status of Certificates.

Changing the Block Status of Certificates


Context
Use this procedure to undo the manual revocation of a certificate. You can change the status of any entry in the Certificate Status List . You can even undo the revocation of a certificate declared by a certificate authority, but it only applies to checks made on this cluster. Or you can remove the blocking of a range of certificates from the Blocking List for Certificate Ranges .

Procedure
1. Start the trust manager (transaction STRUST).
2. Choose Environment -> Certificate Block Management.
3. Determine whether you want to change the block status of a single certificate or the revocation of a range of certificates for a given issuer and subject released before a given date and time.
   For a single certificate, choose the Certificate Status List tab. Select a certificate and choose the pushbutton for removing the entry.
   For a range of certificates, choose the Blocking List for Certificate Ranges tab. Select a range of certificates and choose the pushbutton for removing the entry.
4. Save your entries.
Since the certificate no longer appears in the local status list, the revocation check considers the certificate valid unless it finds the certificate in a CRL.

Configuring Profiles for Certificate Revocation


Context
The certificate revocation function requires a profile to determine how it interprets the certificate status. Most important, a profile must be active, otherwise the revocation check always accepts the certificate no matter the revocation status. The profiles also include a source list, enabling the certificate revocation check to download the latest certificate revocation list (CRL). This procedure is required for enabling certificate revocation checks. For more information, see Enabling Certificate Revocation.

Procedure
1. Start the trust manager (transaction STRUST).
2. Choose Environment -> Certificate Block Management.
3. Choose the Profile tab.
4. Select an existing profile or add a row to create a new one.

Note
Most applications already have their own profile in the list. You only need to create a new profile if you develop your own applications. For more information, see Including Certificate Revocation Checks in Applications.

5. Enter data as required.
6. Edit the source list for the profile or reference the default source list. You can also edit the default source list.
7. Save your entries.

Results
Once configured, you can perform a customizing transport of profiles or the default source list to other systems. For more information, see Transporting Profiles for Certificate Revocation.

Transporting Profiles for Certificate Revocation


Context
To use profiles for certificate revocation on other SAP systems, SAP NetWeaver Application Server (AS) ABAP enables you to use the transport system. The AS ABAP can transport the following information:
- Name
- Description
- Configuration options
- Profile source list

Note
If the profile you transport is configured to use the default source list, the profile retains this configuration in the target system. The transported profile then uses the default source list of the target system. You can transport the default source list, too, but you overwrite the default source list of the target system. The customizing request is client specific.

Procedure
1. Start the trust manager (transaction STRUST).
2. Choose Environment -> Certificate Block Management.
3. Choose the Profile tab.
4. Choose the transport pushbutton.
5. Enter data as required.
6. Save your entries.

Next Steps
Change and Transport System

Checking the CRL Cache


Prerequisites
The certificate revocation check has checked the CRL of a certificate, which either listed a CRL distribution point within the certificate itself or has a URL source defined in the source list for the issuer. The source list is part of the profile. For more information, see Configuring Profiles for Certificate Revocation.

Context
Use the certificate revocation list (CRL) cache to examine the CRLs downloaded by the certificate revocation check.

Procedure
1. Start the trust manager (transaction STRUST).
2. Choose Environment -> Certificate Revocation Configuration.
3. Choose the CRL Cache tab.

Results
You can view information about the CRL, identifying the issuer and its serial number. You can also see when the certificate authority (CA) plans to update the CRL. To download a new copy of the CRL, choose the Update Selected CRL pushbutton. To examine the CRL in detail, choose the Save Selected CRL to pushbutton. Once you have downloaded the CRL to your file system, you can inspect the complete list of revoked certificates, the version, the distribution point, and other information.
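The status values GOOD, REVOKED and UNKNOWN from the table in Checking the Revocation Status of Certificates, and the CRL details that the CRL cache shows (issuer, next update, revoked serial numbers), can be reproduced with a throw-away CA on the command line. The following shell script is an added example and not code from the SAP documentation; it uses only the OpenSSL command-line tool, and the CA name, the serial number and the file layout are invented. HOLD and UNCHECKED are not modelled: HOLD is a reason code the CA places in the CRL entry, and UNCHECKED is a property of the SAP profile rather than of the CRL.

```shell
#!/bin/sh
# Added example (not from the SAP documentation): a throw-away CA issues one
# certificate, publishes a CRL, revokes the certificate and publishes again;
# a check function then reports GOOD, REVOKED or UNKNOWN in the sense of the
# status table above. Requires the OpenSSL command-line tool; the CA name,
# the serial number and the file layout are invented.
set -eu

# Minimal "openssl ca" setup: the issuing database (index.txt) and a CRL
# number counter are all that revocation and CRL generation need.
# $1 = working directory
crl_ca_init() {
  mkdir -p "$1"
  : > "$1/index.txt"
  echo 01 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
database         = $1/index.txt
crlnumber        = $1/crlnumber
default_md       = sha256
default_crl_days = 7
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=myCA/O=myCompany/C=US" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Issue a certificate with a fixed serial (0x1001) so it is easy to spot in
# the CRL. $1 = directory, $2 = subject, $3 = output prefix (.key/.csr/.pem)
crl_ca_issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$3.key" -out "$3.csr" 2>/dev/null
  openssl x509 -req -in "$3.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -set_serial 0x1001 -days 30 -sha256 -out "$3.pem" 2>/dev/null
}

# Mark a certificate as revoked in the CA database ($1 = dir, $2 = certificate).
crl_ca_revoke() {
  openssl ca -config "$1/ca.cnf" -keyfile "$1/ca.key" -cert "$1/ca.pem" \
    -revoke "$2" 2>/dev/null
}

# Publish a CRL from the database ($1 = dir, $2 = output CRL in PEM).
crl_ca_gencrl() {
  openssl ca -config "$1/ca.cnf" -keyfile "$1/ca.key" -cert "$1/ca.pem" \
    -gencrl -out "$2" 2>/dev/null
}

# The fields the CRL cache displays: issuer, this/next update, CRL number.
crl_summary() {
  openssl crl -in "$1" -noout -issuer -lastupdate -nextupdate -crlnumber
}

# Serial numbers listed as revoked, one per line (empty for an empty CRL).
crl_revoked_serials() {
  openssl crl -in "$1" -noout -text | awk '/Serial Number:/ { print $3 }'
}

# Evaluate a certificate against the CA and, optionally, a CRL:
#   GOOD     chain valid and the serial is not on the CRL
#   REVOKED  the serial appears on a CRL signed by the CA
#   UNKNOWN  no CRL available for the issuer; the SAP profile's Strict flag
#            decides whether such a certificate is accepted
# $1 = directory, $2 = certificate, $3 = CRL file (omit to simulate an unreachable CRL)
cert_revocation_status() {
  if [ $# -ge 3 ]; then
    out=$(openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$3" "$2" 2>&1) \
      && { echo GOOD; return 0; }
  else
    out=$(openssl verify -crl_check -CAfile "$1/ca.pem" "$2" 2>&1) \
      && { echo GOOD; return 0; }
  fi
  case $out in
    *"certificate revoked"*)           echo REVOKED ;;
    *"unable to get certificate CRL"*) echo UNKNOWN ;;
    *)                                 echo "ERROR: $out"; return 1 ;;
  esac
}
```

Run crl_ca_init, crl_ca_issue and crl_ca_gencrl in that order and the certificate evaluates as GOOD; call crl_ca_revoke and crl_ca_gencrl again and the same certificate evaluates as REVOKED, with its serial visible in crl_revoked_serials. A CRL file saved from the CRL cache can be passed to crl_summary and crl_revoked_serials directly, which is the quickest way to confirm whether the copy the AS ABAP downloaded already contains a serial number you expect to be revoked.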

Including Certificate Revocation Checks in Applications


Context
You can add certificate revocation checks to your own custom applications.

Procedure
1. Create a profile for certificate revocation. The profile name must begin with Z. All other profile names are reserved for SAP. System administrators can configure how the certificate revocation check manages certificates by changing the profile configuration.
2. Call the certificate revocation function module (STRUSTCRT_CHECK_CERTIFICATE) when you need to verify signatures or encrypt data. The relevant building blocks are in SECF for verification and encryption and in STRUST for the certificate revocation check.
3. Add the name of the profile to be transported with your application. When encrypting data and verifying signatures, you must include a parameter that identifies the profile for your application. Each application is intended to use its own profiles.
4. In the target system, make sure the profile is active.

Next Steps
Configuring Profiles for Certificate Revocation

Creating Additional Identities


Use
Use this procedure to create additional identities to use for SSL server PSEs, SSL client PSEs, and WS-Security PSEs.

Procedure
From the Trust Manager screen:
1. Choose Environment -> <PSE_Type> Identities. The Change View: <PSE_Type> Identities maintenance screen appears. The table contains entries for the standard PSEs for this PSE type.
2. Choose New Entries. The New Entries: Overview of New Entries maintenance screen appears.
3. Enter the PSE's information (Identity and Description) in the appropriate columns.
4. Save the data.
5. Go back.

Result
You return to the Trust Manager screen. An entry for each identity for this PSE type appears in the PSE status section.

Maintaining Certificates in the Database


Use
You can maintain a list of CA root certificates in the database. You can then import these certificates into the various PSEs to specify which CAs the server should trust. The system also uses the certificates stored in the database to build the correct format for certificate request responses that exist in PEM format instead of the required PKCS#7 certificate chain format.

Procedures
See the following:
Adding a Certificate to the Database
Removing a Certificate From the Database
Retrieving a Certificate From the Database
Deactivating Certificates in the Database


Adding a Certificate to the Database


Use
Use this procedure to add a certificate to the system's list of certificates in the database. For example, you can add a CA's root certificate so that you can then easily import it into the certificate lists of the various PSEs.

Prerequisites
You have access to the certificate, for example, the certificate exists as a file in your file system.

Procedure
From the trust manager (transaction STRUST):
1. In the certificate section, choose Import certificate.
2. The Import Certificate dialog appears.
3. Select the certificate from its source (for example, from the file system) and choose Enter.
4. The certificate appears in the certificate section.
5. Choose Export certificate.
6. Select the Database tabstrip.
7. Enter a name, a category (for example, Root CA), and a description for the certificate in the corresponding fields.
8. Choose Enter.

Result
The certificate is added to the list of certificates in the database.

Removing a Certificate From the Database


From the Trust Manager screen:
1. Choose Certificate Database.
2. The View Maintenance for the Certificate Database screen appears.
3. Select the certificates that you want to remove from the list of certificates.
4. Choose Delete.
5. Save the data.

Retrieving a Certificate From the Database


Use
Use this procedure to retrieve a certificate from the certificate store, for example, so that you can import it into a PSE's certificate list.

Procedure
From the Trust Manager screen:
1. In the certificate section, choose Import certificate.
2. The Import certificate dialog appears.
3. Select the Database tabstrip.
4. Select the certificate from the certificate database and choose Enter. The certificate appears in the certificate section.

Result
The certificate is available for additional functions. For example, you can use the Add certificate function to import the certificate into a PSE's certificate list.

Deactivating Certificates in the Database


Use
For the trust manager to be able to import a certificate request response, the response must exist in the correct format, a PKCS#7 certificate chain, which contains both the requester's signed public-key certificate and the issuing CA's root certificate. If intermediate CAs are also used, their public-key certificates must also be included in the response. However, if your certificate request response contains only the requester's certificate, the trust manager automatically builds the PKCS#7 certificate chain format as necessary from this certificate and the issuing CA's root certificate. A prerequisite for this is that the CA's root certificate exists in the certificate store. If the CA's root certificate does not exist or is deactivated, an error occurs when importing the response. The trust manager cannot build the correct format if intermediate CAs are used.
You may want to deactivate a certificate in the certificate store so that the system does not use it to build the PKCS#7 certificate chain from the certificate request response. This may be necessary, for example, if the certificate store contains multiple entries for a CA whose Distinguished Names are identical. In this case, deactivate those entries that are not to be used for building the correct format for the response.

Procedure
From the Trust Manager screen:
1. Choose Certificate Database.
2. The View Maintenance for the Certificate Database screen appears.
3. Select the Inactive indicator for those certificates that you want to deactivate.
4. Save the data.

Result
The certificates that you deactivate are not used to build the certificate request responses.
Example
The certificate store contains the following entries:

Short name | Category           | Distinguished Name                                           | Inactive | Description
SAPTRUST   | Server Certificate | CN=Server CA, OU=Server, O=SAP Trust Community, C=DE         |          | SAP Server CA
SAPTRUST   | User Certificate   | CN=SAP Passport CA, O=SAP Trust Community, C=DE              |          | SAP Passport CA
SAP_WP     | Server Certificate | CN=mySAP.com Workplace CA (dsa), O=mySAP.com Workplace, C=DE |          | SAP Workplace CA (DSA)
MYCA       | Server Certificate | CN=myCA, O=myCompany, C=US                                   |          | myCA Server CA
MYCA       | User Certificate   | CN=myCA, O=myCompany, C=US                                   | X        | myCA User CA
MYCA       | Test Certificate   | CN=myCA, O=myCompany, C=US                                   | X        | myCA Test CA

In the case of MYCA, all three CAs have the same Distinguished Name. We have therefore deactivated the entries for the myCA User CA and the myCA Test CA. The system then uses the public-key certificate belonging to the myCA Server CA for building certificate request responses from the myCA.

Example
For an example about how to use the trust manager for a configuration scenario, see Configuring the SAP Web AS for Supporting SSL.

Terminology and Abbreviations


certificate list
Certification Authority (CA)
credentials
logon ticket
Personal Security Environment (PSE)
private key
public key
public-key certificate
public-key infrastructure (PKI)
public-key technology
SAP Cryptographic Library (SAPCRYPTOLIB)
SAP Security Library (SAPSECULIB)
Secure Sockets Layer (SSL) Protocol
Secure Store & Forward (SSF)
SSO Personal Security Environment (SSO PSE)
system PSE
verification PSE

Secure E-Mails with Digital Signature and Encryption with S/MIME


Concept
You want to send and/or receive signed and/or encrypted e-mails from an AS ABAP to a user. You can use the signature and encryption feature that is embedded in the AS ABAP. To be able to send and receive e-mails with signature and encryption, you must configure S/MIME in the trust manager. For more information, see Configuring E-Mails with S/MIME (AS ABAP E-Mail Server). If you exchange e-mails with an external e-mail client, for example Microsoft Outlook or Mozilla Thunderbird, you have to make sure that your e-mail client is configured accordingly. For more information, see Configuring E-Mails with S/MIME (3rd-Party E-Mail Client).

Caution
When you send digitally signed or encrypted e-mails, keep in mind that the e-mail subjects are always transmitted in clear text.

Note
You have made the relevant SAPconnect settings for encryption and/or signature. For more information, see Sending and Receiving E-Mails Securely.

Configuring E-Mails with S/MIME (AS ABAP E-Mail Server)


Use
You want to send and/or receive signed and/or encrypted e-mails with the AS ABAP's e-mail server (S/MIME Version 2, IETF standard RFC 2311). To do this, you must make sure that S/MIME identities exist in the trust manager. The AS ABAP server uses the system e-mail address (not a user e-mail address). You need one S/MIME identity per system e-mail address. The S/MIME identity is a container for the private and public key. The private key of the Personal Security Environment (PSE) is used to digitally sign e-mails. The PSE contains the signature certificate with the private key for digitally signed e-mails. Moreover, for verifying signatures, the AS ABAP server must have a trust relationship with the Certification Authority (CA) of the sender. It can be established with the respective CA certificates acting as trust anchors.

Prerequisites
To make sure that e-mails are marked to be signed and/or encrypted, you must set the respective parameters in SAPconnect. For more information, see Sending and Receiving E-Mails Securely .

Procedure
This section describes how to configure S/MIME for sending and receiving signed e-mails.
1. Decide which S/MIME identities you want to use. You have the following options:
   Standard S/MIME identity
   Custom S/MIME identities (for more information, see Creating Custom S/MIME Identities)
2. Import a PSE into the trust manager. By default, the trust manager displays the default S/MIME identity in the side panel on the left. The S/MIME PSE has the icon with the description S/MIME Standard or with the name you chose when you created your custom S/MIME identities.

Note
An ABAP application server is currently not able to generate an S/MIME PSE. You must generate a PSE for S/MIME with third-party tools and import it into the trust manager. For more information, see Generating an S/MIME PSE.
To import your PSE for S/MIME, perform the following steps:
1. Start the trust manager (transaction STRUST).
2. Choose PSE -> Import and import the PSE from the file system.
3. Choose PSE -> Save as.... A dialog box appears, on which you can save PSEs in different formats.
4. To save your PSE as an S/MIME identity, choose S/MIME.
5. Enter the name of your STRUST identity.
6. Confirm your entries.
If you used Standard as your description, the entry SMIME Standard in the side panel on the left now shows the imported PSE. In the section Own Certificate, you see the subject of the imported PSE. Double-clicking the certificate displays the details of the certificate. In most cases, the e-mail address is displayed as the subject alternative name and, in some cases, as the subject.

Note
Remember that you need one PSE per e-mail address.

With the PSE imported, the AS ABAP can now sign outgoing e-mails. To verify the signature of a sender, the AS ABAP server needs a certificate from the sender's Certification Authority (CA) as a trust anchor:
1. Import the CA certificate by choosing Certificate -> Import.
2. Add the CA certificate to the certificate list of the S/MIME PSE by choosing the Add to Certificate List pushbutton. The owner of the certificate appears in the Certificate List section.
3. Save your changes.

Result
You are now able to use an AS ABAP e-mail server to send and receive signed e-mails with S/MIME.

More Information
If you want to send and/or receive encrypted e-mails, see Configuring S/MIME Encryption for E-Mails . For more information on PSEs, see Importing a PKCS#12 File .

Creating Custom S/MIME Identities


Use
You can create custom S/MIME identities, for example, if you want to create separate e-mail addresses for several employee groups in your business (for example, sales, consulting, HR etc.), for several systems, or for different scenarios.

Procedure
To create a custom S/MIME identity, proceed as follows:
1. Call the trust manager in transaction STRUST.
2. Choose Environment -> S/MIME Identities.
3. Choose the New Entries button.
4. In the table, enter an S/MIME identity name. The logical name is entered automatically when an S/MIME PSE is imported and saved: the system enters the e-mail address from the certificate of the imported PSE in the Logical Name column.
5. (Optional) If you want to use a specific hash algorithm for signatures, perform the following steps:
   1. Scroll to the SSF Hash Algorithm column and choose the hash algorithm in the F4 help.
   2. Save your entries.
6. (Optional) If you want to use a specific encryption method, you can change these values. Proceed as follows:
   1. Scroll to the Encryption Algorithm column and choose the encryption algorithm in the F4 help.
   2. Save your entries.

Note
If you do not choose any values for the signing and/or encryption algorithm, the system uses the algorithm that is determined in the RFC 2311 standard. The SAP Cryptographic Library determines which hash and encryption algorithms are available.

7. Save your entries.
8. Return to the trust manager by choosing Back.

More Information
For more information, see Configuring Secure E-Mails with S/MIME (AS ABAP E-Mail Server).

Generating an S/MIME PSE


Procedure
In an SAP system, you cannot currently generate PSEs with an e-mail address in the certificate. For this reason, you must use third-party tools to do so. We recommend that you follow the procedure in the example below. It describes how you generate an S/MIME PSE and the corresponding CA certificate with the third-party tool OpenSSL. For more information, see the documentation on the OpenSSL Web site.

Example
1. Download OpenSSL from the OpenSSL Web site.
2. Install the OpenSSL binary files.
3. Use OpenSSL to generate a P12 key pair file for the required e-mail address together with the corresponding CA certificate. For more information, see the OpenSSL documentation.
4. Use SAPGENPSE to convert the generated P12 file to a PSE file. Use the following command:
   sapgenpse import_p12 -p <file_name>.pse <file_name>.p12
   For more information, see Creating PSEs and Maintaining the PSE Infrastructure.

Note
Remember that you need one PSE per e-mail address. The required S/MIME PSE including e-mail address is now available. Import the PSE into the S/MIME identity in the trust manager (transaction STRUST).


More Information
For more information, see Trust Manager .

Configuring S/MIME Encryption for E-Mails


Use
To send and/or receive encrypted e-mails with S/MIME, you must exchange the e-mail certificates between the AS ABAP server and the communication partner. There are several options for exchanging these certificates:
- Sending signed e-mails to one another. By default, a signed e-mail already includes the encryption certificate.
- Manual import

Prerequisites
If you only want to send encrypted e-mails, you can ignore the prerequisites. If, however, you want to receive encrypted e-mails, you must fulfill the following prerequisites: You have created S/MIME identities in the trust manager. You have imported the required CA certificates and PSEs. In Configuring E-Mails with S/MIME (AS ABAP E-Mail Server), you find more information about the creation of S/MIME PSEs with a trust anchor.

Procedure
Option 1: When you and your communication partner send signed e-mails to one another, the AS ABAP automatically imports the encryption certificate to its address book.

Option 2: To manually import the encryption certificate, perform the following steps:
1. Start the trust manager (transaction STRUST).
2. Choose Certificate -> Import.
3. Select the File tab.
4. Choose the certificate file in the relevant path.
5. Choose Open.
6. Choose Enter (Input). The content of the certificate is now displayed in the Certificate section.
7. Choose Certificate -> Export.
8. Select the tab for the address book.
9. Choose Enter (Input). This includes your certificate in the address book.

Option 3: The SMIME enhancement spot contains the SMIME_EMAIL BAdI, which enables you to influence the certificate retrieval and selection process:
- You need the certificate of a communication partner's e-mail address that is not stored in the address book of the trust manager. In this case, you derive your own implementation class from the default implementation class of this BAdI. You overwrite/redefine the CERTIFICATE_RETRIEVAL method with your own implementation to find a certificate that is associated with an e-mail address of the communication partner. For example, an LDAP server can provide the certificate for this e-mail address.
- When you implement the BAdI method CERTIFICATE_SELECTION, you can resolve ambiguity concerning certificate usage. This occurs if there are several certificates for the same e-mail address: the period of validity of a certificate might have expired, a CRL might prevent you from using it, or the key usage has the wrong type.
For more information, see the system documentation in the SMIME enhancement spot in Enhancements (transaction SE20), and the relevant BAdI methods in interface IF_BADI_SMIME_EMAIL and in the default implementation class CL_SMIME_EMAIL_BADI_DEFAULT.

Configuring E-Mails with S/MIME (3rd-Party E-Mail Client)


Use
This document describes how you can make sure that e-mails that are signed or encrypted with S/MIME can be sent and received by a third-party e-mail client. The AS ABAP server has the CA certificates that signed the PSE certificate in the trust manager (transaction STRUST) as trust anchors. The AS ABAP server and the e-mail client must exchange their CA certificates so that they recognize one another as trusted authorities. When you import the CA certificate of the AS ABAP server and the CA certificate of the third party e-mail client into the certificate list of the S/MIME PSE, you establish the trust anchors.

Prerequisites
You have imported the S/MIME PSE in the trust manager.

Procedure

Example
In the following example, we describe how you configure two third-party e-mail clients, Microsoft Outlook and Mozilla Thunderbird. You must execute this procedure for the CA certificate of the PSE and for the CA certificate of your third-party e-mail client.
1. Start the trust manager (transaction STRUST).
2. Select your S/MIME PSE.
3. Choose Certificate → Import.
4. Select the File tab.
5. Enter or select the path and the format and choose the certificate file you want to import.
6. To import the certificate, choose Input. The trust manager displays the content of your CA certificate in the Certificate section.
7. Choose the Add to Certificate List pushbutton. The CA certificate appears in the certificate list.
8. Save your entries.

Note
Perform the same steps for the CA certificate of your third-party e-mail client.

If you use Microsoft Outlook, you must import the CA certificate into your Internet Explorer:
1. Choose Internet options.
2. Select the tab where you can access the certificates, for example, the Content tab.
3. Go to the certificates.
4. Go to the tab with the trusted root certification authorities.
5. Follow the Internet Explorer procedure to import the CA certificate file that was generated from the PSE. For more information, see the Microsoft Outlook documentation.

If you use Mozilla Thunderbird, import the CA certificate into the secure storage of Mozilla Thunderbird as described in the Mozilla Thunderbird documentation. When Mozilla Thunderbird asks you whether you trust this CA to identify e-mail users, confirm this.

Assume that the AS ABAP sends a signed e-mail, which carries the signing certificate, to the respective e-mail client. To be able to encrypt, you need to import the certificate for encryption from the signed e-mail into your Microsoft Outlook address book. To do this, proceed as follows:
1. Open the received signed e-mail that contains the certificate for encryption in Microsoft Outlook.
2. From the context menu of the e-mail address, choose to add the address to your Outlook contacts.
3. Save your changes and close the window.

Example
To be able to encrypt, you need to import the certificate for encryption from the signed e-mail into the Mozilla Thunderbird certificate manager. To do this, proceed as follows:
1. Open the received signed e-mail that contains the certificate for encryption in Mozilla Thunderbird.
2. Mozilla Thunderbird automatically adds the sender's certificate to the certificate manager.
3. Save your entries.
