SAP Trust Center Services
An Overview on SAP Passports
Martin Rink, SAP Trust Center Services
SAP AG 2003, Title of Presentation, Speaker Name / 2
Key benefits of SAP Trust Center Services
Enabling secure collaborative business scenarios for SAP customers by using asymmetric cryptography and digital certificates
Allowing customers to perform Single Sign-On to all internal and external systems
No administration for individual SAP Passport enrollment is necessary as the registration and authentication processes are fully automated
Providing secure access to current and future marketplaces / web services on the Internet
SAP Trust Center Services are based on international standards (e.g. X.509, PKCS, ...)
Being part of the SAP Trust Community, that is founded on SAP's existing customer base
Client Certificates - Current Situation
Digital Certificates provide a high level of security
SAP solutions support the usage of digital certificates
Setting up and running a PKI (Public Key Infrastructure) is often very expensive:
- Set-up of the PKI
- Ongoing costs
- Enrollment process
- Costs for certificates (if hosted solution)
SAP Trust Center Services
What is a Trust Center?
A Trust Center expresses trust in the relationship between a person and a digital ID (= pair of keys; one of them public, one of them private) by issuing a certificate containing
- the name of the person
- its public key
- additional information
Diagram example: Hans Meier, public key 0x1a4c77......, SAP AG, IT Purchasing
Digital Certificate
Your „Digital Identity Card“ on the web: SAP Passport
Defines binding between identity and unique public key
Belongs to individual or system
Digitally signed by Certification Authority (CA)
Unique with respect to CA and serial number
Contains public part of cryptographic key pair
Private key is NOT included and has to be stored in a secure place
SAP Passport is compliant with X.509
Certificate fields shown in the diagram: Version, Serial Number, Issuer (CA), Validity, Subject, Public Key Info, Extended Attributes (e.g. Email, Address, Job Position), CA Digital Signature
Where does the Trust come from?
3 parties involved:
1. Ann (holder of the private key): „I do have this public key and my name is Ann!“
2. Registration Authority: „I checked her, she is really Ann!“
3. Certification Authority: „O.k., Ann, here is your certificate!“
Diagram: the three statements together establish TRUST in Ann's certificate.
SAP Trust Center
Trust in SAP Solutions / SAP Community
1. Employee (Ann, holder of the private key): „I do have this public key and my name is Ann!“
2. Customer (Registration Authority): „I know her, Ann works with me!“
3. SAP Trust Center Services (Certification Authority): „O.k., Ann, here is your SAP Passport!“
Use of existing trust relationships!
Diagram: the Registration Authority runs inside the customer's Enterprise Portal.
SAP Passports - Positioning
- Focus on User Authentication and Single Sign-On
  - step-up migration from passwords
  - user registration delegated to customer
- Easy Certificate Enrollment
  - certificate request authorized by customer's IT infrastructure (SAP solution)
- Software-based Browser Certificates
  - users may have several certificates (with the same subject name), e.g. PC, Laptop, ...
  - protection of private keys is subject to OS and Web browser
- Hardware-based Certificates
  - to enhance security, hardware tokens can be used
- Globally Unique Digital Identity (SAP Passport)
  - users can identify themselves on Intranet and Internet (Marketplace)
SAP Trust Center Services
Strong focus on easy enrollment process
SAP solutions contain RA (Registration Authority)
Zero client installation (when using software based certificates)
Support of hardware tokens (for creation and storage of certificates) to enhance the level of security
SAP Trust Center Services are free of charge for SAP customers
An additional contract between customer and SAP is needed
Authentication Process: Digital Certificates
- User Authentication
  - User presents his certificate to the Web server during the SSL handshake
  - Web server verifies the user certificate and that the user possesses the corresponding private key
- User Mapping
  - Portal Server extracts user information from the certificate
  - Mapping of portal users to enterprise application users
Diagram: the client presents its X.509 certificate to the Portal Server over SSL; the Portal Server extracts the user information, performs the User ID mapping against the Portal LDAP Directory and the Corporate LDAP Directory, and issues a Logon Ticket.
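The user-mapping step above, as an added example that is not part of the original slides: once the SSL handshake has verified the certificate and the client's possession of the private key, the portal still has to decide which enterprise user the certificate stands for, and it must accept only certificates from the CA it trusts. The code takes the certificate in the dict shape Python's ssl module returns from getpeercert(); the trusted CA name, the mapping table and all certificate values are constructed.

```python
"""Map a client's X.509 certificate to an enterprise user after the SSL handshake.
Added example, not SAP's code. It assumes the TLS layer has already verified the
chain and the client's proof of possession of the private key, and that the
certificate is in the dict shape returned by ssl.SSLSocket.getpeercert().
All certificate values below are constructed sample data."""
import ssl
import time

# Constructed: name of the one CA whose user certificates the portal trusts.
TRUSTED_ISSUER = ((("organizationName", "Example Trust Center"),),
                  (("commonName", "Example Passport CA"),))
# Constructed mapping: certificate e-mail address -> enterprise user ID. Keyed on a
# subject attribute, not the serial number, because one user may hold several
# certificates with the same subject name (PC, laptop, ...).
USER_MAPPING = {"ann.meier@customer.example": "AMEIER"}

def rdn_value(name, attr):
    """Return the first value of attribute `attr` in a getpeercert()-style name."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def map_certificate_to_user(cert, now=None):
    """Return (user_id, reason); user_id is None when the certificate is rejected."""
    now = time.time() if now is None else now
    # The subject name alone proves nothing: anyone can self-sign a certificate
    # for "Ann Meier". Only certificates from the trusted CA are accepted.
    if cert.get("issuer") != TRUSTED_ISSUER:
        return None, "untrusted issuer"
    # getpeercert() renders validity as strings like 'Jan 15 00:00:00 2024 GMT'.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        return None, "certificate outside its validity period"
    email = rdn_value(cert["subject"], "emailAddress")
    user_id = USER_MAPPING.get(email)
    if user_id is None:
        return None, f"no enterprise user mapped to {email!r}"
    return user_id, "ok"

# Constructed samples: a certificate from the trusted CA and a self-signed copy of it.
SAMPLE_SUBJECT = ((("commonName", "Ann Meier"),), (("emailAddress", "ann.meier@customer.example"),))
VALID_CERT = {"subject": SAMPLE_SUBJECT, "issuer": TRUSTED_ISSUER,
              "notBefore": "Jan 15 00:00:00 2024 GMT", "notAfter": "Jan 15 00:00:00 2026 GMT"}
FORGED_CERT = dict(VALID_CERT, issuer=SAMPLE_SUBJECT)
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")
```

In a real portal the dict comes from `getpeercert()` on the accepted connection and `now` is left at its default; the trusted-issuer check is what makes the subject-based mapping safe to use.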
Secure Communication: Between Client and Portal
Secure, encrypted communication between client and Portal Server
Support of industry-standard security protocol Secure Sockets Layer (SSL)
SSL services: Confidentiality, Authenticity, Integrity
Diagram: client and Portal Server, each holding an X.509 certificate, communicate over SSL.
Secure Communication: Between Portal and Application Servers
- Secure Sockets Layer (SSL): if HTTP is used to call the application
- Secure Network Communications (SNC): if SAP-specific protocols such as DIAG and RFC are deployed
- SSL/SNC services: Confidentiality, Authenticity, Integrity
Diagram: the Portal Server connects to SAP systems over RFC (SNC) and HTTP (SSL), and to a 3rd-party system over SSL.
SAP Passport Enrollment Process with mySAP Enterprise Portal
Parties in the diagram: the user, the Enterprise Portal acting as Registration Authority, and SAP Trust Center Services.
1. Log on using user ID and password and initiate the SAP Passport request
2. Specify naming convention and trigger key generation
3. Generate keys and send the SAP Passport request
4. Send approved request
5. Verify naming conventions and issue certificate
6. Log on using the SAP Passport
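Step 5 above (verifying naming conventions before issuing), as an added example that is not SAP's code: the Trust Center should refuse to issue a Passport whose subject name lies outside the namespace of the Registration Authority that approved the request, otherwise one customer's RA could vouch for names belonging to another. The RA namespace table, the permitted attributes and the "Firstname Lastname" convention for CN are assumptions; all names are constructed.

```python
"""Check an SAP Passport request against the requesting customer's naming convention.
Added example, not SAP's code. It models the Trust Center's check that a subject
name approved by a customer's Registration Authority stays inside the namespace
assigned to that customer. The namespace table, the allowed attributes and the
CN convention are assumptions; all names are constructed sample data."""
import re

# Constructed: the namespace bound to each registered RA certificate (placeholder DNs).
RA_NAMESPACES = {"CN=RA, O=Customer One, C=DE": {"O": "Customer One", "C": "DE"}}
# Constructed convention for the user part of the name: "Firstname Lastname".
CN_PATTERN = re.compile(r"^[A-Z][a-z]+ [A-Z][a-z]+$")
ALLOWED_ATTRS = {"CN", "OU", "O", "C", "emailAddress"}

def parse_dn(dn):
    """Parse an RFC 4514-style string into an ordered list of (type, value) pairs,
    honouring backslash-escaped separators inside values."""
    pairs, buf, escaped = [], "", False
    for ch in dn + ",":
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            attr, _, value = buf.partition("=")
            pairs.append((attr.strip(), value.strip()))
            buf = ""
        else:
            buf += ch
    return pairs

def check_request(ra_dn, subject_dn):
    """Return (accepted, reason) for a request approved by the RA identified by ra_dn."""
    namespace = RA_NAMESPACES.get(ra_dn)
    if namespace is None:
        return False, "request not approved by a registered RA"
    attrs = {}
    for attr, value in parse_dn(subject_dn):
        if attr not in ALLOWED_ATTRS:
            return False, f"attribute {attr!r} not permitted"
        if attr in attrs:  # e.g. a second CN smuggled into the name
            return False, f"duplicate attribute {attr}"
        attrs[attr] = value
    # An RA may only vouch for names inside its own organisation.
    for attr, expected in namespace.items():
        if attrs.get(attr) != expected:
            return False, f"{attr} outside the namespace of this RA"
    if not CN_PATTERN.match(attrs.get("CN", "")):
        return False, "CN violates the naming convention"
    return True, "ok"
```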
Prerequisites for Using X.509 Client Certificates
For this scenario, your system must meet the following prerequisites:
Set up the Registration Authority in SAP Enterprise Portal 5.0 (available as of SP3); the Registration Authority is currently not available in SAP Enterprise Portal 6.0.
Users have obtained valid SAP Passports (X.509 client certificates) from SAP Trust Center Services.
The Portal Web server is configured to communicate using SSL.
The Portal Web server is configured to accept client certificates.
The Portal Web server is configured to trust the Certification Authority (CA) that issued the user certificates.
SAP Solutions with Registration Authority
SAP EP as of EP 5.0 (SP3); EP 6.0 does not yet include a Registration Authority
SAP Workplace
SAP Web Application Server + SAP ITS
Most current SAP solutions have an RA included and can be used to deploy SAP Passports
Scenarios of Usage - example
Diagram: users with a SW-based certificate or a hardware-based certificate reach the SAP Enterprise Portal on the Intranet and the SAP Service Marketplace (http://service.sap.com) over the Internet.
Scenarios of Usage
- Support of software-based certificates
- Support of hardware-based certificates -> to raise the level of security
- Easy enrollment process in both scenarios
- Broad usage of SAP Passports via Intranet and Internet
  - in SAP Solutions
  - on business partner's Enterprise Portal
  - on any Marketplace over the Internet (if X.509 certificates are supported, e.g. SAP Service Marketplace)
SAP Passports on SAP Service Marketplace
- SAP Service Marketplace supports the usage of SAP Passports
- Single Sign-On (numerous Web servers are available due to logon balancing)
- Easy and secure logon using SAP Passports
- Usage of the „customer's“ SAP Passport (already used in a customer's solution)
  - Mapping of the „customer's“ SAP Passport to the existing User-ID
  - Only one client certificate is needed
- Issuing an SAP Passport for Service Marketplace users
  - Registration Authority is located in SAP Service Marketplace
SAP Passport – How to get started
Parties in the diagram: the company that wants to use SAP Trust Center Services, its Registration Administrator, its users, and SAP.
1. Requests for Terms and Conditions
2. SAP sends contract
3. Customer nominates the Registration Administrator
4. Customer signs the contract
5. Customer sends CR to SAP
6. SAP returns signed RA certificate
7. SAP Passports can be used
How to use SAP Passports
1. Customer wants to use SAP Passports and requests the Terms and Conditions (http://service.sap.com/tcs -> request for proposal, or mailto:security@sap.com)
2. SAP sends Terms and Conditions to customer
3. Customer nominates Registration Administrator
4. Customer sends the signed contract to SAP
5. Customer sends Certificate Request (for RA) to SAP (via Service Marketplace or SAP Net R/3 Frontend – component BC-SEC)
6. SAP returns the signed certificate to the customer, who imports it into the Registration Authority
7. The customer can set up the RA and start the enrollment of SAP Passports
No contract is necessary for testing SAP Passports
Why is a contract needed to use SAP Passports?
- SAP wants to earn money? -> No, this service is free of charge for SAP's customers
- SAP wants to raise the trustworthiness of SAP Passports
  - Registration of users (mapping of person to public key) is done on the customer side (within the SAP solution)
  - A Registration Administrator is nominated to administer the SAP system; they are the responsible person to authorize SAP Passport requests
  - Customer confirms to apply security rules in his company
- A contract ensures a high and common level of trustworthiness for SAP Passports, the basis of the SAP Trust Community
Summary
SAP Trust Center Services enable collaborative business
SAP Trust Center Services offer a high level of security
... Combined with high usability
Automatic processes help to reduce costs
SAP Passports are free of charge and ready to use
More related information can be found here:
http://service.sap.com/tcs