Document: Trust Manager URL: http://help.sap.com/saphelp_nw70ehp3/helpdata/en/4c/5bdb17f85640f1e10000000a42189c/frameset.htm Date created: September 05, 2013
2013 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.
Note This PDF document contains the selected topic and its subtopics (max. 150) in the selected structure. Subtopics from other structures are not included.
Trust Manager
Use
Establishing solid trust relationships is vital to the success of your business transactions, especially with the use of the Internet, where company borders are not transparent. Therefore, many SAP applications rely on the use of public-key technology to establish the trust infrastructure that is necessary for successful business relationships.
Public-Key Technology Support with the AS ABAP
Examples of public-key technology support with SAP NetWeaver Application Server (AS) ABAP include the following:
System digital signatures
At start-up, each AS ABAP is supplied with a public and private key pair certificate that is stored in its own system Personal Security Environment (PSE). The AS ABAP can therefore produce its own digital signatures using the public-key information contained in its system PSE. Other systems can then verify the system's digital signature, which guarantees the integrity and authenticity of a document that has been digitally signed by the system.
Example
For example, you can use logon tickets for user authentication on the AS ABAP. The AS ABAP digitally signs the user's logon ticket after successful authentication. Instead of re-authenticating the user with a user ID and password, other systems can allow the user access after verifying the AS ABAP's digital signature provided with the user's logon ticket.
Support for Secure Network Communications
For the SAP protocols DIAG and RFC, the Secure Network Communications (SNC) interface provides secure communication. SNC uses an external security product to secure communications, whereby the SAP Cryptographic Library is provided as a default product for server-to-server communications within an SAP system landscape. When using the SAP Cryptographic Library, the system also stores the corresponding public and private key pair in the SNC PSE.
Support for the Secure Sockets Layer (SSL) Protocol
The AS ABAP supports the Secure Sockets Layer (SSL) protocol, which provides security when using Internet protocols such as HTTP. The security provided includes encrypted communications as well as authentication between the communication partners. In this case, the application server must also possess a public and private key pair to use for SSL communications.
Web Services Security (WS-Security)
Web services support digital signatures and encryption for Simple Object Access Protocol (SOAP) messages. In this case, the public and private keys used by the Web services are stored in corresponding PSEs.
Secure Store and Forward Mechanisms (SSF)
SAP systems support the use of an external security product using the SSF mechanisms. By using SSF, applications can support the use of digital signatures and document encryption in their processing.
Certificate revocation checks
The AS ABAP enables applications that check digital signatures and encrypt data to check certificate revocation lists for certificates that have been revoked by Certification Authorities (CAs). This ensures that the AS ABAP only accepts certificates that are valid and current.
E-mails with digital signature and encryption with S/MIME
The signature and encryption feature that is embedded in the AS ABAP enables you to send and receive e-mails with signature and/or encryption. You can configure S/MIME in the trust manager.
Managing the Public-Key Information Using the Trust Manager
To manage the public-key information necessary for these and other scenarios, use the trust manager. The trust manager performs the PSE and certificate maintenance functions such as generating key pairs, creating certificate requests to be signed by a CA, and maintaining the list of trusted CAs that the server accepts.
Prerequisites
You have an understanding of public-key technology and the terminology listed under Terminology and Abbreviations. To create SSL, SNC, or WS-Security PSEs, you must have installed the SAP Cryptographic Library. For more information, see Configuring the AS ABAP for Supporting SSL and Installing the SAP Cryptographic Library (SAP Web AS).
Integration
Use the trust manager to maintain the public-key information for the types of PSEs used by SAP applications. For example:
- System PSE
- SNC PSE, if you use the SAP Cryptographic Library as the security product
- PSEs used for SSL-protected communications: SSL server PSEs and SSL client PSEs
- WS-Security PSEs
- S/MIME PSEs
- Arbitrary file PSEs
- PSEs used by SSF applications that use the SAP Security Library or SAP Cryptographic Library as the security product
You cannot use the trust manager to maintain PSEs for SSF applications that use a different security product. SSF applications are applications for which the security information is specified in the table SSFARGS. They include the SSF default application and various applications that use specific information, for example, the HTTP Content Server or the AS ABAP application for using logon tickets.
Note
You can store SSF application PSEs in the following locations:
- In the database, whereby a copy of the PSE is distributed to the system's application servers.
- In the file system, where it can be accessed at the operating system level. (The PSE must be located in a globally accessible directory.)
Activities
The trust manager provides functions for:
- Generating key pairs and corresponding certificate requests
- Importing the certificate request response into a PSE
- PSE maintenance (for example, creating, displaying, and deleting PSEs, as well as monitoring the status of PSEs)
- Maintaining a PSE's certificate list
- Generating a verification PSE (a PSE that can only be used to verify the subject's digital signature)
- Assigning a PIN to PSEs, which also creates credentials for the server so that the server can access a protected PSE at runtime
- Distributing a PSE to the individual application servers
- Importing PSEs (PKCS#12, PKCS#8, and PSE) and exporting PSEs (PKCS#12)
- Importing, parsing, and exporting certificates
- Checking certificates against certificate revocation lists (CRL) and manually changing the certificate status
- Configuring e-mails with S/MIME for digital signatures and/or encryption
Example
Use the trust manager to generate key pairs for the application servers that are to support SSL. You can then have the system create the corresponding certificate requests, which you send to a CA to be signed. Once you have received a response from the CA, use the trust manager to import the signed public-key certificate into the system's SSL server PSE. You can also use the trust manager to maintain the list of trusted CAs (certificate list) from which you accept public-key certificates to use for the SSL connection.
More Information
For more information about using public-key technology with the AS ABAP, see the following:
- Public-Key Technology
- SSF User's Guide
- Using the SAP Cryptographic Library for SNC
- Secure E-Mails with Digital Signature and Encryption with S/MIME
Structure
The Trust Manager Screen
The figure below depicts the sections of the trust manager screen (transaction STRUST).
PSE Status
In the Trust Manager screen, the PSE status frame (left frame) displays the PSEs defined for the system. The table below lists the PSE status icons and their meaning.
The PSE status icons have the following meanings:
- PSE exists for distribution to all application servers
- PSE does not exist in the database
- PSE that exists as a file
- The PSE is defined as a file, but does not exist
- Link to the system PSE
You can check the status of the PSE on each of the servers of the cluster. For more information, see Checking the Local Status of Distributed PSEs.
PSE Maintenance
The PSE maintenance section (upper right) displays the PSE information about the PSE that you selected.
Certificate
The certificate section (lower right) displays certificate information about a certificate that you selected or imported.
Note
The PSE maintenance section and the certificate section are independent of one another. If you display a PSE in the PSE maintenance section, the trust manager does not automatically display the server's certificate in the certificate section. For more information, see Selecting Certificates.
Selecting Certificates
Context
Use the certificate section to maintain certificate lists. Once selected or imported, the certificate appears in the Certificate section. Use the Certificate section as a "clipboard" for certificates. Once a certificate appears in the Certificate section, you can perform operations on it.
Procedure
1. Start the trust manager (transaction STRUST).
2. Find the certificate you want to work with. The certificates are either in a PSE or you must import them from a source.
PSE certificates:
1. Double-click a PSE.
2. Double-click a certificate.
Imported certificates:
1. In the Certificate section, choose the import function.
2. Enter data as required.
Results
The system displays the certificate in the Certificate section. The certificate may or may not be associated with the PSE displayed in the PSE maintenance section.
Example
You double-click a PSE to load it into the PSE maintenance section. Then you import a certificate from the file system. The certificate is not in the certificate list of the PSE until you add it to the certificate list. You can double-click another PSE to load it into the PSE maintenance section without affecting the certificate displayed in the Certificate section.
PSE Types
You can maintain the following PSE types using the trust manager:
- System PSE
- SNC PSE
- SSL Server PSEs
- SSL Client PSEs
- WS-Security PSEs
- File PSE
- SSF Application PSEs
System PSE
Definition
Personal security environment for the AS ABAP to use for digital signature functions.
Use
The AS ABAP uses its system PSE to create and verify digital signatures. However, it cannot use the system PSE for encrypting information.
Structure
The system PSE contains the system's security information including its public and private key pair and the corresponding certificate list.
Integration
The system PSE is created during the system's installation process and stored in the file $(DIR_INSTANCE)/sec/SAPSYS.pse. When creating the system PSE, the system creates a single PSE and distributes it to all of its application servers.
SNC PSE
Definition
The application server's PSE for securing communications using Secure Network Communications (SNC) when you use the SAP Cryptographic Library as the security product.
Use
Use SNC to protect connections where the SAP protocols are used, for example, RFC and DIAG. (Note however, you cannot use the SAP Cryptographic Library on client components such as SAP GUI for Windows.) Use SSL to protect HTTP connections.
Structure
The SNC PSE contains the server's security information to use for securing the SNC connection. This information includes the server's public and private key and the corresponding certificate list.
Integration
When you create the SNC PSE, the system generates a single PSE for the system that is distributed to all of the application servers. The system stores the PSE in the file $(DIR_INSTANCE)/sec/SAPSNCS.pse.
SSL Server PSEs
Note
If the AS ABAP also communicates as a client component, then it uses one of the SSL client PSEs when establishing the HTTPS connection.
Use
You can set up different SSL server PSEs to use for different connections. These are referred to as SSL server identities. Each SSL identity possesses its own SSL server PSE. There is a standard identity that uses the standard SSL server PSE.
Structure
This PSE contains the application server's security information including its key pair and its corresponding certificate list. The certificate list contains the list of Certification Authorities (CAs) that the server trusts. The SSL server PSE's certificate list should be quite restrictive and contain only those public-key certificates from the CAs that the server accepts.
Integration
When you create an SSL server PSE for an identity, the system generates a default PSE. Alternatively you can create individual SSL server PSEs for specific servers. The system then distributes the PSEs to the application servers accordingly. The application servers that are not assigned an individual SSL server PSE receive the default SSL server PSE for the identity. The standard SSL server PSE is stored in the file $(DIR_INSTANCE)/sec/SAPSSLS.pse on each application server. Each additional SSL server PSE is stored in the file $(DIR_INSTANCE)/sec/SAPSSLS_<Identity>.pse.
SSL Client PSEs
Structure
The SSL client PSEs contain the application server's security information, which includes the public and private key pair to use for the particular identity and the corresponding certificate list.
Integration
When you create an SSL client PSE, the system creates a single PSE for the system that is distributed to all of the application servers. The system stores the PSEs in the directory $(DIR_INSTANCE)/sec. The file names for the PSEs are:
- Anonymous: SAPSSLA.pse
- Standard: SAPSSLC.pse
- Individual: SAPSSL<name>.pse
WS-Security PSEs
Definition
The application server's PSEs to use for WS-Security (digital signatures and encryption).
Use
You can set up different WS-Security PSEs to use for different Web services. These are referred to as WS-Security identities. Each WS-Security identity possesses its own PSE. There is a standard identity that uses the standard WS-Security PSE.
Note
WS-Security PSEs use only the Rivest-Shamir-Adleman (RSA) algorithm.
Structure
This PSE contains the application server's security information including its key pair and its corresponding certificate list. The certificate list contains the list of Certification Authorities (CAs) that the server trusts when using the Web service(s) that use this PSE.
Integration
When you create a WS-Security PSE, the system creates a single PSE that is distributed to all of the application servers. The standard WS-Security PSE is stored in the file $(DIR_INSTANCE)/sec/SAPWSSE.pse. Each additional WS-Security PSE is stored in the file $(DIR_INSTANCE)/sec/SAPWSSE_<Identity>.pse.
File PSE
Definition
An arbitrary PSE that is stored locally in a file.
Use
A file PSE contains security information (key pair and certificate list) that is stored in a local file in the file system. The file PSE can be used for creating and verifying digital signatures, but not for encryption.
Prerequisites
The PSE is one of the following:
- System PSE
- SNC PSE (if the SAP Cryptographic Library is used as the security product)
- SSL server PSE (if the SAP Cryptographic Library is used as the security product)
- SSL client PSE (if the SAP Cryptographic Library is used as the security product)
- WS-Security PSE (if the SAP Cryptographic Library is used as the security product)
- S/MIME identity PSE (if the SAP Cryptographic Library is used as the security product)
- File PSE
- SSF application PSE (for applications that use the SAP Security Library or SAP Cryptographic Library as the security product)
Procedure
To access the trust manager, use the transaction STRUST. The following functions for maintaining the PSE infrastructure are then available from the Trust Manager screen.
Note
The context menu (right mouse button) only shows the functions that are active for the PSE that you select.
Function: Check the status of a single PSE
Choose: Context menu: Check
Function: Create a PSE
This function creates a PSE and initiates distribution (if applicable). See also Creating or Replacing a PSE.
Function: Distribute a PSE
This function distributes the selected PSE to the system's application servers. Depending on the PSE type, the system distributes either a single PSE to all servers (for example, the system PSE), or it distributes a server-dependent PSE (the SSL server PSE).
Function: Replace a PSE
This function generates a new PSE and distributes it automatically to the servers.
Function: Delete a PSE
If the PSE is stored in the database and distributed, then the local copies of the PSE are also deleted.
Function: Change PSEs (for the SSL server PSE only)
Choose: Menu: PSE
Create new PSEs or assign existing PSEs on individual servers where a PSE is missing (for example, if you have installed a new application server for the system). Change the current configuration (for example, reassign which servers receive individual PSEs and which receive the default PSE).
Function: Import a PSE
Choose: Menu: PSE
Import a PSE from the file system.
Function: Export a PSE
Choose: Menu: PSE → Export
Export a PSE to the file system. You can save a PSE as:
- The system PSE
- An SSF application PSE
- A file PSE (export)
Function: Check the status of all local PSEs (for all expanded nodes)
Choose: Menu: PSE
This function also only applies to PSEs that are stored in the database and distributed to the application servers. For more information, see Checking the Local Status of Distributed PSEs.
Function: Distribute all PSEs
Choose: Menu: PSE
This function distributes all of the PSEs to the system's application servers.
Checking the Local Status of Distributed PSEs
The status icons have the following meanings:
- Status of the PSE has not yet been checked
- PSE OK
- Error in the attempt to check the PSE
- PSE is corrupt
Possible status messages and the actions to correct errors:
- None: Not applicable
- Local PSE OK: Not applicable
- RFC connection failed: Test and repair the RFC connection.
- Local PSE does not match PSE in database: Redistribute the database PSE.
- SAPSECULIB not found: Reinstall the SAP Cryptographic Library or the SAP Security Library.
- Error in the test signature: Reinstall the SAP Cryptographic Library or the SAP Security Library.
- Unknown status: Redistribute the database PSE.
To display the status message, choose the application server (double-click). The status message is then displayed in the SAP GUI's message bar. The system uses the SAP Cryptographic Library by default. If the SAP Cryptographic Library has not been installed, then it uses the SAP Security Library, which is delivered with the SAP System. If neither library is accessible, then the error message SAPSECULIB not found occurs.
Note
We recommend using the report SSFALRTEXP to automatically receive a system log message and alert in CCMS for certificates contained in the various PSEs that are about to expire. Alternatively, we also provide the report SSF_ALERTCERTEXPIRE that you can use manually or plan as a background job. For more information, see SAP Note 572035.
Creating or Replacing a PSE
Prerequisites
You know the syntax for the server's Distinguished Name (DN). For more information, see the tables below.
Distinguished Name Parts
- CN: Common Name. Example: <SID>
- OU: Organizational Unit (optional). Example: Department name
- O: Organization. Example: Company name
- C: Country. Examples: USA: US, Germany: DE
Requirements for the Distinguished Name per PSE
System PSE
Default Distinguished Name: CN=<SID>. If no system PSE exists when the application server is started, then the system automatically creates the public-key certificate for the system PSE using the Distinguished Name CN=<SID>. If you replace this PSE, you can freely choose the new Distinguished Name.
SNC PSE
The Distinguished Name must correspond to snc/identity/as. The Distinguished Name used for the SNC PSE's public-key certificate must match the Distinguished Name part of the server's SNC name (without the p:), which is specified in the application server's profile parameter snc/identity/as.
SSL server PSE
CN part of Distinguished Name: CN=<fully_qualified_host_name>. The Common Name (CN) part of the Distinguished Name for the SSL server PSE's public-key certificate must correspond to the fully qualified host name that users will use to access the application server, for example, CN=host123.mycompany.com.
Anonymous SSL client PSE
Distinguished Name: CN=anonymous. The system automatically uses the Distinguished Name CN=anonymous for the anonymous SSL client PSE's public-key certificate. You cannot change this name. In addition, the application server cannot use this identity to authenticate itself.
Other PSEs
Distinguished Name: No special requirements. You can freely choose the Distinguished Name for the public-key certificates stored in the rest of the PSEs.
When Using the SAP CA
If you use the SAP CA as the issuing CA, then the rest of the Distinguished Name (not the CN part) must be:
OU=I<customer_number>-<company_name>, OU=SAP Web Application Server, O=SAP Trust Community, C=DE
For the first OU (Organizational Unit) part, you specify your customer number only. The SAP CA automatically extends the OU part to include your company name.
Procedure
From the Trust Manager screen:
1. Select the desired PSE node.
2. Using the context menu, choose Create (if no PSE exists) or Replace. The <Create/Replace> PSE dialog appears.
3. Enter the components of the system's Distinguished Name in the corresponding fields. If you use a reference to a CA name space, the system automatically includes those components of the CA's Distinguished Name in the newly generated name. See the table and examples below.
4. Choose Enter.
Note
If you are creating an SSL server PSE, then the system generates a default system-wide Distinguished Name and then provides you with a list of possible server-specific names. For each application server, you can then choose to use either the server-specific Distinguished Name or you can use the system-wide name. For more information, see Creating the SSL Server PSE.
Distinguished Name Parts
Each row gives the dialog field, the DN part it fills, the expected input, and a comment:
- Name; DN part CN; input <Common_Name>. For example, <SID>.
- Org. (opt.); DN part OU; input <Organizational_Unit>. For example, the department name. Input is optional. Default=<installation_number>.
- Comp./Org.; DN part OU or O; input <Organizational_Unit> or <Organization>. If you use a reference to a CA name space, the system uses the input for this field as an additional OU part. Otherwise, it uses this entry for the O part. The default entry is the OU part when using the SAP CA: SAP Web Application Server. Use the toggle function to activate or deactivate the reference to a CA name space.
- Country; DN part C; input <Country>. Input is only available if you do not use a reference to a CA name space.
- CA; DN part not applicable; input <CA_Name_Space>. Input is available if you use a reference to a CA. Enter the CA's name space. The default entry is the name space for the SAP CA (O=SAP Trust Community, C=DE). The server or system's Distinguished Name is then generated using this extension. See the examples below.
Tip
Example 1: Reference to the SAP CA Name Space
The following example uses the input provided and a reference to the SAP CA name space:
- Name = MY1
- Org. (opt.) = I0120007965 (default)
- Company = SAP Web Application Server (default)
- CA Reference = O=SAP Trust Community, C=DE (default)
The trust manager then generates a public-key certificate with the Distinguished Name CN=MY1, OU=I0120007965, OU=SAP Web Application Server, O=SAP Trust Community, C=DE.
Example 2: No Reference to a CA Name Space
The following example does not use a reference to a CA name space. Input:
- Name = MY1
- Company = MyCompany
- Country = US
The Distinguished Name is then CN=MY1, O=MyCompany, C=US.
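As an added example that is not part of SAP's documentation, the following Python composes the Distinguished Name the way the input table and the two examples above describe (with and without a reference to a CA name space) and checks two of the DN requirements listed under Prerequisites: the SNC PSE rule (DN equals snc/identity/as without the p: prefix) and the SSL server PSE rule (CN equals the fully qualified host name). The function names and the simple DN parser are this example's own assumptions.

```python
# Added example (not SAP code): compose the Distinguished Name that the
# <Create/Replace> PSE dialog generates from its fields, with and without a
# reference to a CA name space, and check two of the DN requirements from
# the Prerequisites table. Function names are this example's own.

from typing import List, Optional, Tuple


def build_dn(name: str,
             org_unit: Optional[str] = None,
             comp_org: Optional[str] = None,
             country: Optional[str] = None,
             ca_namespace: Optional[str] = None) -> str:
    """Return the DN string composed from the dialog fields.

    ca_namespace set   -> reference to a CA name space is active: the
                          Comp./Org. field becomes a second OU part, the CA
                          name space is appended, and Country is not used.
    ca_namespace unset -> Comp./Org. is the O part and Country is the C part.
    """
    parts = [f"CN={name}"]
    if org_unit:
        parts.append(f"OU={org_unit}")
    if ca_namespace:
        if comp_org:
            parts.append(f"OU={comp_org}")
        parts.append(ca_namespace)
    else:
        if comp_org:
            parts.append(f"O={comp_org}")
        if country:
            parts.append(f"C={country}")
    return ", ".join(parts)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=a, OU=b' into [('CN', 'a'), ('OU', 'b')], keeping order.
    Assumes no escaped commas inside attribute values."""
    pairs = []
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs


def snc_pse_dn_matches(pse_dn: str, snc_identity_as: str) -> bool:
    """SNC PSE rule: the certificate DN must match the DN part of the
    profile parameter snc/identity/as, i.e. its value without 'p:'."""
    if not snc_identity_as.startswith("p:"):
        return False
    return parse_dn(pse_dn) == parse_dn(snc_identity_as[2:])


def ssl_server_cn_matches(pse_dn: str, fqdn: str) -> bool:
    """SSL server PSE rule: the CN part must be the fully qualified host
    name that users enter to reach the server."""
    return any(k == "CN" and v.lower() == fqdn.lower()
               for k, v in parse_dn(pse_dn))
```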
Result
The system creates a new public and private key pair and self-signed public-key certificate that are stored in the PSE. If the PSE is stored in the database and should be distributed, then the system automatically distributes the PSE to the individual application servers.
Maintaining PSEs
Use
To maintain a specific PSE, select the PSE with a double-click. The PSE information appears in the PSE maintenance section (upper right).
Caution
All changes only apply after saving the data.
Activities
- Having PSE Certificates Signed by a CA
- Creating Verification PSEs
- Protecting PSEs with Passwords
Having PSE Certificates Signed by a CA
Procedure
1. Start the trust manager (transaction STRUST).
2. Select a PSE.
3. Choose PSE → Create Certificate Request.
4. Save the request and send it to a CA.
5. After receiving the certificate request response from the CA, choose the PSE menu function for importing the certificate request response.
Note
The certificate request response must be in the format PKCS#7 certificate chain, which contains the certificates of both the requester and the issuing CA. However, if the response contains only the requester's certificate in PEM (Privacy Enhanced Mail) format and no CA certificate, then the system builds the correct format. The root certificate of the issuing CA must exist in the certificate store. For more information, see Maintaining Certificates in the Database.
6. Save your entries.
Results
The new certificate does not automatically appear in the Certificate section. However, the text (Self-Signed) should disappear from the PSE maintenance section. To view the certificate, double-click the certificate in the Owner field of the Own Certificate section. The certificate appears in the Certificate section.
Creating Verification PSEs
Procedure
1. Start the trust manager (transaction STRUST).
2. Select a PSE.
3. Choose PSE → Create Verification PSE.
Protecting PSEs with Passwords
Caution
If you forget the password, you can no longer maintain the PSE using the trust manager.
Procedure
1. Start the trust manager (transaction STRUST).
2. Select a PSE.
Caution
All changes only apply after saving the data.
Adding Certificates to PSE Certificate Lists
Procedure
1. Start the trust manager (transaction STRUST).
2. Select a certificate. For more information, see Selecting Certificates.
3. Double-click a PSE.
4. Choose the Add to Certificate List pushbutton.
5. Save your entries.
Caution
All changes only apply after saving the data.
Certificate Revocation
Use
SAP NetWeaver Application Server (AS) ABAP enables applications that check digital signatures and encrypt data to check certificate revocation lists for certificates that have been revoked by certificate authorities (CA). This ensures that the AS ABAP only accepts certificates that are valid and current. For more information, see Certificate Revocation.
Context
Before SAP NetWeaver Application Server (AS) ABAP can check for revoked certificates in certificate revocation lists (CRLs), you must make sure the AS ABAP is configured to perform such checks.
Procedure
1. Ensure the SSF Certificate Revocation PSE exists.
   1. Start the trust manager (transaction STRUST).
   2. Check if the SSF Certificate Revocation PSE appears in the PSE status list. If the PSE does not appear there, do the following:
      1. In the Change View "Application-Specific SSF Parameters" screen (transaction SSFA), add the Certificate Revocation (CREVOC) application. For more information, see Maintaining Application-Specific Information.
      2. In the trust manager, create the PSE. For more information, see Creating or Replacing a PSE.
2. Add the public-key signing certificate for the CAs that sign the CRLs you want your applications to check to the SSF Certificate Revocation PSE. For more information, see Adding Certificates to PSE Certificate Lists.
3. Configure the CRL profiles used by your applications to be active. For more information, see Configuring Profiles for Certificate Revocation.
Procedure
1. Start the trust manager (transaction STRUST).
2. Select a certificate so that it appears in the Certificate area of the screen.
3. Choose Certificate → Check Block Status.
4. Choose a profile. Only active profiles appear in the list.
5. Choose the Check pushbutton.
Results
The revocation check returns a status. When an application performs the status check, the application determines if it accepts the certificate or not. If accepted, the application continues to perform whatever operation it is designed to do: verify digital signatures or encrypt data. If not accepted, the application should throw an exception. How the application handles the exception depends on the application. See the table below.
Status, description, and certificate acceptance:
- GOOD: revocation list (CRL), this is the result. Certificate acceptance: Certificate is accepted.
- REVOKED: The certificate appears either in the manual revocation list or in the CRL of the CA. Certificate acceptance: Certificate is not accepted.
- UNKNOWN: The revocation check has a source for the CRL, but cannot reach it: network error or file not found. The validity of the certificate depends on if the Strict flag of the profile is set or not. Certificate acceptance: If the profile is strict, the certificate is not accepted. If the profile is not strict, the certificate is accepted.
- HOLD: CAs list certificates in CRLs with the value HOLD to indicate that the CA does not want to permanently revoke the certificate. The CA may remove the certificate from the revocation list in the future. Certificate acceptance: Certificate is not accepted.
- UNCHECKED: The profile used to check the certificate is not active. The system does not perform a certificate revocation check.
Blocking Certificates
Context
Use this procedure to designate certificates untrustworthy for your SAP NetWeaver Application Server (AS) ABAP, before the expiration date set by the certificate authority (CA). Once declared untrustworthy, you block the AS ABAP from accepting the certificate even if the CA still considers the certificate valid. Reasons to block certificates include the following:
- Security was compromised and someone has access to a user's private key.
- You want to replace a certificate with a new one before the old one has expired.
For more information, see Certificate Revocation. AS ABAP enables you to either block individual certificates by issuer, subject, and serial number or block all certificates from a given issuer with a given subject that were issued before a given date.
Procedure
1. Start the trust manager (transaction STRUST).
2. Select a certificate. For more information, see Selecting Certificates.
3. Choose Certificate → Block Manually.
4. Determine if you want to block only this particular certificate or all certificates for this issuer and subject issued before the date and time you enter.
5. Save your entries.
Results
Next time the certificate revocation check checks this certificate, it returns a failure to the application calling the check, as long as the profile the application uses is active. You can undo the blocking of the certificate. For more information, see Changing the Revocation Status of Certificates.
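Added here as an example (not SAP code): a Python model of how the statuses in the table above and the manual blocks described under Blocking Certificates combine into an accept or reject decision, including the Strict flag for unreachable CRL sources and an inactive profile. The class and field names, the "certificateHold" reason string, and the sample certificates and CRL entries are this example's own constructed assumptions.

```python
# Added example (not SAP code): a model of the certificate revocation check
# described above. A CRL profile (active/strict), the manual blocking list
# (single certificates, or ranges by issuer and subject issued before a date)
# and the CRL fetched from the issuer's source are combined into the statuses
# GOOD, REVOKED, HOLD, UNKNOWN and UNCHECKED and an accept/reject decision.
# All data structures, names and sample values here are constructed.

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    issuer: str
    subject: str
    serial: int
    issued: str          # ISO date "YYYY-MM-DD"; compares lexicographically


@dataclass
class ManualBlock:
    """One row of the manual blocking list (assumed shape)."""
    issuer: str
    subject: str
    serial: Optional[int] = None         # set: block this one certificate
    issued_before: Optional[str] = None  # set: block all issued before date

    def matches(self, c: Cert) -> bool:
        if (c.issuer, c.subject) != (self.issuer, self.subject):
            return False
        if self.serial is not None:
            return c.serial == self.serial
        return self.issued_before is not None and c.issued < self.issued_before


@dataclass
class Profile:
    active: bool
    strict: bool
    # source list: issuer -> {serial: reason} for a downloaded CRL, or None
    # when the CRL source is configured but could not be reached
    sources: Dict[str, Optional[Dict[int, str]]] = field(default_factory=dict)


def check_status(c: Cert, prof: Profile, blocks: List[ManualBlock]) -> str:
    """Return GOOD, REVOKED, HOLD, UNKNOWN or UNCHECKED for certificate c."""
    if not prof.active:
        return "UNCHECKED"               # inactive profile: no check at all
    if any(b.matches(c) for b in blocks):
        return "REVOKED"                 # found in the manual revocation list
    crl = prof.sources.get(c.issuer)
    if crl is None:
        # source unreachable; an issuer with no source at all is also
        # reported as UNKNOWN here, which is this example's assumption
        return "UNKNOWN"
    reason = crl.get(c.serial)
    if reason is None:
        return "GOOD"
    return "HOLD" if reason == "certificateHold" else "REVOKED"


def accepted(status: str, prof: Profile) -> bool:
    """Acceptance rules from the status table. UNCHECKED is treated as
    accepted because no check is performed (this example's assumption)."""
    if status in ("GOOD", "UNCHECKED"):
        return True
    if status == "UNKNOWN":
        return not prof.strict           # a strict profile rejects UNKNOWN
    return False                         # REVOKED and HOLD


def verdict(c: Cert, prof: Profile, blocks: List[ManualBlock]) -> str:
    st = check_status(c, prof, blocks)
    return f"{st}/{'accept' if accepted(st, prof) else 'reject'}"


def sample_run() -> Dict[str, str]:
    """Constructed scenario: one issuer with a reachable CRL, one unreachable."""
    ca_ok, ca_down = "CN=Example CA", "CN=Offline CA"
    crls = {ca_ok: {17: "keyCompromise", 18: "certificateHold"}, ca_down: None}
    strict, lenient = Profile(True, True, crls), Profile(True, False, crls)
    blocks = [ManualBlock(ca_ok, "CN=alice", serial=5),
              ManualBlock(ca_ok, "CN=old-server", issued_before="2013-01-01")]
    certs = {
        "good": Cert(ca_ok, "CN=bob", 1, "2013-03-01"),
        "in_crl": Cert(ca_ok, "CN=bob", 17, "2013-03-01"),
        "on_hold": Cert(ca_ok, "CN=bob", 18, "2013-03-01"),
        "blocked_single": Cert(ca_ok, "CN=alice", 5, "2013-03-01"),
        "blocked_range": Cert(ca_ok, "CN=old-server", 9, "2012-06-01"),
        "after_range": Cert(ca_ok, "CN=old-server", 10, "2013-06-01"),
        "unreachable": Cert(ca_down, "CN=carol", 2, "2013-03-01"),
    }
    out = {name: verdict(c, strict, blocks) for name, c in certs.items()}
    out["unreachable_lenient"] = verdict(certs["unreachable"], lenient, blocks)
    out["inactive_profile"] = verdict(certs["in_crl"], Profile(False, True, crls), blocks)
    return out
```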
Changing the Revocation Status of Certificates
Procedure
1. Start the trust manager (transaction STRUST).
2. Choose Environment → Certificate Block Management.
3. Determine if you want to change the block status of a single certificate or the revocation of a range of certificates for a given issuer, subject and released before a given date and time.
   For a single certificate, choose the Certificate Status List tab. Select a certificate and remove it from the list.
   For a range of certificates, choose the Blocking List for Certificate Ranges tab. Select a range of certificates and remove it from the list.
4. Save your entries.
Results
Since the certificate no longer appears in the local status list, the revocation check considers the certificate valid unless it finds the certificate in a CRL.
Procedure
1. 2. 3. 4. Start the trust manager (transaction STRUST). Choose Environment Certificate Block Management . Choose the Profiletab. Select an existing profile or add a row to create a new one.
Note
Most applications already have their own profile in the list. You only need to create a new profile if you develop your own applications. For more information, see Including Certificate Revocation Checks in Applications.
5. Enter data as required.
6. Edit the source list for the profile or reference the default source list. You can also edit the default source list.
7. Save your entries.
Results
Once configured, you can perform a customizing transport of profiles or the default source list to other systems. For more information, see Transporting Profiles for Certificate Revocation.
Note
If the profile you transport is configured to use the default source list, the profile retains this configuration in the target system. The transported profile then uses the default source list of the target system. You can transport the default source list, too, but you overwrite the default source list of the target system. The customizing request is client specific.
Procedure
1. Start the trust manager (transaction STRUST).
2. Choose Environment → Certificate Block Management.
3. Choose profiles.
4. Choose <icon>.
5. Enter data as required.
6. Save your entries.
Next Steps
Change and Transport System
URL source defined in the source list for the issuer. The source list is part of the profile. For more information, see Configuring Profiles for Certificate Revocation.
Context
Use the certificate revocation list (CRL) cache to examine the CRLs downloaded by the certificate revocation check.
Procedure
1. Start the trust manager (transaction STRUST).
2. Choose Environment → Certificate Revocation Configuration.
3. Choose the CRL Cache tab.
Results
You can view information about the CRL, identifying the issuer and its serial number. You can also see when the certificate authority (CA) plans to update the CRL. To download a new copy of the CRL, choose the Update Selected CRL pushbutton. To examine the CRL in detail, choose the Save Selected CRL to pushbutton. Once you download the CRL to your file system, you can inspect the complete list of revoked certificates, version, distribution point, and other information.
Procedure
1. Create a profile for certificate revocation. The profile name must begin with Z. All other profile names are reserved for SAP. System administrators can configure how the certificate revocation check manages certificates by changing the profile configuration.
2. Call the certificate revocation function module (STRUSTCRT_CHECK_CERTIFICATE) when you need to verify signatures or encrypt data. The relevant building blocks are in SECF for verification and encryption and in STRUST for the certificate revocation check.
3. Add the name of the profile to be transported with your application. When encrypting data and verifying signatures, you must include a parameter that identifies the profile for your application. Each application is intended to use its own profiles.
4. In the target system, make sure the profile is active.
Next Steps
Configuring Profiles for Certificate Revocation
Procedure
From the Trust Manager screen:
1. Choose Environment → <PSE_Type> Identities. The Change View: <PSE_Type> Identities maintenance screen appears. The table contains entries for the standard PSEs for this PSE type.
2. Choose New Entries. The New Entries: Overview of New Entries maintenance screen appears.
3. Enter the PSE's information (Identity and Description) in the appropriate columns.
4. Save the data.
5. Go Back.
Result
You return to the Trust Manager screen. An entry for each identity for this PSE type appears in the PSE status section.
Context
The certificate list contains the corresponding public-key certificates for the issuing CAs that the server should accept. For example, for the system to accept certificates signed by the SAP CA, the system PSE's certificate list must contain the SAP CA's public-key certificate.
Caution
All changes only apply after saving the data.
Procedure
1. Start the trust manager (transaction STRUST).
2. Select a certificate. For more information, see Selecting Certificates.
3. Double-click a PSE.
4. Choose the Add to Certificate List pushbutton.
5. Save your entries.
2. 3. 4. 5.
Export certificate.
6. Select the Database tabstrip.
7. Enter a name, a category (for example, Root CA), and a description for the certificate in the corresponding fields.
8. Choose Enter.
Result
The certificate is added to the list of certificates in the database.
The certificate is available for additional functions. For example, you can use the Add certificate function to import the certificate into a PSE's certificate list.
Example
For an example about how to use the trust manager for a configuration scenario, see Configuring the SAP Web AS for Supporting SSL.
SSO Personal Security Environment (SSO PSE)
system PSE
verification PSE
Caution
When you send digitally signed or encrypted e-mails, keep in mind that the e-mail subjects are always transmitted in clear text.
Note
You have made the relevant SAPconnect settings for encryption and/or signature. For more information, see Sending and Receiving E-Mails Securely.
Prerequisites
To make sure that e-mails are marked to be signed and/or encrypted, you must set the respective parameters in SAPconnect. For more information, see Sending and Receiving E-Mails Securely.
Procedure
This section describes how to configure S/MIME for sending and receiving signed e-mails.
1. Decide which S/MIME identities you want to use. You have the following options:
Standard S/MIME identity
Custom S/MIME identities (for more information, see Creating Custom S/MIME Identities)
2. Import a PSE into the trust manager. By default, the trust manager displays the default S/MIME identity in the side panel on the left. The S/MIME PSE has the icon with the description S/MIME Standard or with the name you chose when you created your custom S/MIME identities.
Note
An ABAP application server is currently not able to generate an S/MIME PSE. You must generate a PSE for S/MIME with third-party tools and import it into the trust manager. For more information, see Generating an S/MIME PSE.
To import your PSE for S/MIME, perform the following steps:
1. Start the trust manager (transaction STRUST).
2. Choose PSE → Import and import the PSE from the file system.
3. Choose PSE → Save as... A dialog box appears, on which you can save PSEs in different formats.
4. To save your PSE as an S/MIME identity, choose S/MIME.
5. Enter the name of your STRUST identity.
6. Choose <icon>.
If you use SMIME Standard as your description, the system now displays your imported PSE under SMIME Standard in the side panel on the left side. In the section Own Certificate, you see the subject of the imported PSE. Double-clicking the certificate displays the details of the certificate. In most cases, the e-mail address is displayed as the subject alternative name and, in some cases, as the subject.
Note
Remember that you need one PSE per e-mail address.
As of now, it is possible to sign the certificate of the sender. To verify the signature of the sender, the AS ABAP server needs a certificate from the sender's Certification Authority (CA) as a trust anchor.
1. Import the CA certificate by choosing Certificate → Import.
2. Add your CA certificate to the certificate list of the S/MIME PSE by choosing the Add to Certificate List pushbutton. The owner of the certificate appears in the Certificate List section.
3. Save your changes.
Result
You are now able to use an AS ABAP e-mail server to send and receive signed e-mails with S/MIME.
More Information
If you want to send and/or receive encrypted e-mails, see Configuring S/MIME Encryption for E-Mails. For more information on PSEs, see Importing a PKCS#12 File.
Procedure
To create a custom S/MIME identity, proceed as follows:
1. Call the trust manager in transaction STRUST.
2. Choose Environment → S/MIME Identities.
3. Choose the New Entries button.
4. In the table, enter an S/MIME identity name. The logical name is automatically entered when an S/MIME PSE is imported and saved. The system enters the e-mail address from the CA certificate in the Logical Name column.
5. (Optional) If you want to use a specific hash algorithm for signatures, perform the following steps:
   1. Scroll to the left to get to the SSF Hash Algorithm column and choose the hash algorithm in the F4 help.
   2. Save your entries.
6. (Optional) If you want to use a specific encryption method, you can change these values. Proceed as follows:
   1. Scroll to the left to get to the Encryption Algorithm column and choose the encryption algorithm in the F4 help.
   2. Save your entries.
Note
If you do not choose any values for the signing and/or encryption algorithm, the system uses the algorithm that is determined in the RFC 2311 standard. The SAP Cryptographic Library determines which hash and encryption algorithms are available.
7. Save your entries.
8. Return to the trust manager by choosing <icon>.
More Information
For more information, see Configuring Secure E-Mails with S/MIME (AS ABAP E-Mail Server).
Example
1. Download OpenSSL from the OpenSSL Web site.
2. Install the OpenSSL binary files.
3. Use OpenSSL to generate a P12 key pair file for the required e-mail address together with the corresponding CA certificate. For more information, see the OpenSSL documentation.
4. Use SAPGENPSE to convert the generated P12 file to a PSE file. Use the following command:
sapgenpse import_p12 -p <file_name>.pse <file_name>.p12
For more information, see Creating PSEs and Maintaining the PSE Infrastructure.
Note
Remember that you need one PSE per e-mail address. The required S/MIME PSE including e-mail address is now available. Import the PSE into the S/MIME identity in the trust manager (transaction STRUST).
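The OpenSSL part of step 3 and the sapgenpse call of step 4, as an added shell example that is not part of SAP's documentation: it creates a throw-away CA, issues a user certificate that carries the e-mail address as subject alternative name, bundles key and certificates into a P12, and converts it with sapgenpse where that tool is available. The CA name, e-mail address, file names and P12 password are constructed assumptions.

```shell
#!/bin/sh
# Added example, not SAP's own tooling: carry out steps 3 and 4 above with
# OpenSSL and sapgenpse. The CA name, e-mail address, file names and the P12
# password are constructed sample values.
set -e

EMAIL="${EMAIL:-smime.user@example.com}"   # constructed; one PSE per address
WORK="${WORK:-$(mktemp -d)}"
P12_PASS="changeit"                         # constructed; choose your own

# Step 3: a throw-away CA, then a user certificate whose subject alternative
# name carries the e-mail address (STRUST later shows it for the identity).
make_p12() (
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example S-MIME CA" -keyout ca.key -out ca.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=$EMAIL" -keyout user.key -out user.csr 2>/dev/null
  printf 'subjectAltName=email:%s\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\n' \
    "$EMAIL" > smime.ext
  openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile smime.ext -out user.crt 2>/dev/null
  # the P12 bundles the private key, the user certificate and the CA certificate
  openssl pkcs12 -export -inkey user.key -in user.crt -certfile ca.crt \
    -name "$EMAIL" -passout "pass:$P12_PASS" -out user.p12
)

# Sanity check before importing: the bundled certificate must name the address.
p12_has_email() {
  openssl pkcs12 -in "$WORK/user.p12" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -text | grep -q "email:$1"
}

# Step 4: sapgenpse ships with the SAP Cryptographic Library and is normally
# not present on a workstation, so only run it where it exists.
make_pse() {
  if command -v sapgenpse >/dev/null 2>&1; then
    sapgenpse import_p12 -p "$WORK/user.pse" "$WORK/user.p12"
  else
    echo "sapgenpse not found; on the SAP host run:" >&2
    echo "  sapgenpse import_p12 -p user.pse user.p12" >&2
  fi
}

make_p12
p12_has_email "$EMAIL"
echo "user.p12 for $EMAIL is in $WORK"
make_pse
```

Because sapgenpse prompts for the P12 password and the PSE PIN, run the last step interactively on the host that has the SAP Cryptographic Library.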
More Information
For more information, see Trust Manager.
Prerequisites
If you only want to send encrypted e-mails, you can ignore the prerequisites. If, however, you want to receive encrypted e-mails, you must fulfill the following prerequisites:
You have created S/MIME identities in the trust manager.
You have imported the required CA certificates and PSEs.
In Configuring E-Mails with S/MIME (AS ABAP E-Mail Server), you find more information about the creation of S/MIME PSEs with a trust anchor.
Procedure
Option 1: When you and your communication partner send signed e-mails to one another, the AS ABAP automatically imports the encryption certificate to its address book.
Option 2: To manually import the encryption certificate, perform the following steps:
1. Start the trust manager (transaction STRUST).
2. Choose Certificate → Import.
3. Select the File tab.
4. Choose the certificate file in the relevant path.
5. Choose Open.
6. Choose the Input pushbutton. The content of the certificate is now displayed in the Certificate section.
7. Choose Certificate → Export.
8. Select the tab for the address book.
9. Choose the Input pushbutton. This includes your certificate in the address book.
Option 3: The SMIME enhancement spot contains the SMIME_EMAIL BAdI, which enables you to influence the certificate retrieval and selection process:
You need the certificate of a communication partner's e-mail address that is not stored in the address book of the trust manager. In this case, you derive your own implementation class from the default implementation class of this BAdI. You overwrite/redefine the CERTIFICATE_RETRIEVAL method with your own implementation to find a certificate that is associated with an e-mail address of the communication partner. For example, an LDAP server can provide this e-mail address.
When you implement the BAdI method CERTIFICATE_SELECTION, you can resolve ambiguity concerning certificate usage. This occurs if there are several identical certificates for the same e-mail address. The period of validity of a certificate might have expired, a CRL might prevent you from using it, or the key usage has the wrong type.
For more information, see the system documentation in the SMIME enhancement spot in Enhancements (transaction SE20), and the relevant BAdI methods in interface IF_BADI_SMIME_EMAIL and in the default implementation class CL_SMIME_EMAIL_BADI_DEFAULT.
Prerequisites
You have imported the S/MIME PSE in the trust manager.
Procedure Example
In the following example, we describe how you configure two third-party e-mail clients, Microsoft Outlook and Mozilla Thunderbird. You must execute this procedure for the CA certificate of the PSE and for the CA certificate of your third-party e-mail client.
1. Start the trust manager (transaction STRUST).
2. Select your S/MIME PSE.
3. Choose Certificate → Import.
4. Select the File tab.
5. Enter or select the path and the format and choose the certificate file you want to import.
6. To import the certificate, choose <icon>. The trust manager displays the content of your CA certificate in the Certificate section.
7. Choose the Add to Certificate List pushbutton. The CA certificate appears in the certificate list.
8. Choose <icon>.
Note
Perform the same steps for the CA certificate of your third-party e-mail client.
If you use Microsoft Outlook, you must import the CA certificate into your Internet Explorer:
1. Choose Internet options.
2. Select the tab where you can access the certificates, for example, the Content tab.
3. Go to the certificates.
4. Go to the tab with the trusted root certification authorities.
5. Follow the Internet Explorer procedure to import your CA certificate file that was generated by the PSE. For more information, see the Microsoft Outlook documentation.
If you use Mozilla Thunderbird, import the CA certificate into the secure storage of Mozilla Thunderbird as described in the Mozilla Thunderbird documentation. When Mozilla Thunderbird asks you whether you trust this CA to identify e-mail users, confirm this.
Assume that the AS ABAP sends a signed e-mail with the certificate signature to the respective e-mail client. To ensure encryption, you need to import the certificate for encryption from the signed e-mail into your Microsoft Outlook address book. To do this, proceed as follows:
1. Open the received signed e-mail that contains the certificate signature for encryption in Microsoft Outlook.
2. From the context menu of the e-mail address, choose to add the address to your Outlook contacts.
3. Save your changes and close the window.
Example
To ensure encryption, you need to import the certificate for encryption from the signed e-mail into the Mozilla Thunderbird certificate manager. To do this, proceed as follows:
1. Open the received signed e-mail that contains the certificate signature for encryption in Mozilla Thunderbird.
2. Mozilla Thunderbird automatically adds the sender's certificate to the certificate manager.
3. Save your entries.