SAP Trust Center Services

An Overview on SAP Passports

Martin Rink, SAP Trust Center Services

SAP AG 2003, Title of Presentation, Speaker Name / 2

Key benefits of SAP Trust Center Services

Enabling secure collaborative business scenarios for SAP customers by using asymmetric cryptography and digital certificates

Allowing customers to perform Single Sign-On to all internal and external systems

No administration for individual SAP Passport enrollment is necessary as the registration and authentication processes are fully automated

Providing secure access to current and future marketplaces / web services on the Internet

SAP Trust Center Services are based on international standards (e.g. X.509, PKCS, ...)

Being part of the SAP Trust Community, which is founded on SAP's existing customer base


Client Certificates - Current Situation

Digital Certificates provide a high level of security

SAP solutions support the usage of digital certificates

Setting up and running a PKI (Public Key Infrastructure) is often very expensive:

- Set-up of the PKI (ongoing costs)
- Enrollment process
- Costs for certificates (if hosted solution)

SAP Trust Center Services


What is a Trust Center?

A Trust Center expresses trust in the relationship between a person and a digital ID (= pair of keys; one of them public, one of them private) by issuing a certificate containing

- the name of the person
- its public key
- additional information

Example from the diagram: Hans Meier / public key 0x1a4c77...... / SAP AG, IT Purchasing


Digital Certificate

Your "Digital Identity Card" on the web: SAP Passport

Defines binding between identity and unique public key

Belongs to individual or system

Digitally signed by Certification Authority (CA)

Unique with respect to CA and serial number

Contains public part of cryptographic key pair

Private key is NOT included and has to be stored in a secure place

SAP Passport is compliant with X.509

Fields of the X.509 certificate:

- Subject
- Public Key Info
- Issuer (CA)
- Validity
- Version
- Serial Number
- Extended Attributes, e.g. Email, Address, Job Position
- CA Digital Signature


Where does the Trust come from?

3 parties involved:

1. Ann (holding the private key): "I do have this public key and my name is Ann!"
2. Registration Authority: "I checked her, she is really Ann!"
3. Certification Authority: "O.k., Ann, here is your certificate!"

Result: TRUST


SAP Trust Center

Trust in SAP Solutions / SAP Community

1. Employee (Ann, holding the private key): "I do have this public key and my name is Ann!"
2. Customer (Registration Authority): "I know her, Ann works with me!"
3. SAP Trust Center Services (Certification Authority): "O.k., Ann, here is your SAP Passport!"

Use of existing trust relationships!

(Diagram label: Enterprise Portal)


SAP Passports - Positioning

Focus on User Authentication and Single Sign-On
- step-up migration from passwords
- user registration delegated to customer

Easy Certificate Enrollment
- certificate request authorized by customer's IT infrastructure (SAP solution)

Software-based Browser Certificates
- users may have several certificates (with the same subject name), e.g. PC, Laptop, ...
- protection of private keys is subject to OS and Web browser

Hardware-based Certificates
- to enhance security, hardware tokens can be used

Globally Unique Digital Identity (SAP Passport)
- users can identify themselves on Intranet and Internet (Marketplace)


SAP Trust Center Services

Strong focus on easy enrollment process

SAP solutions contain RA (Registration Authority)

Zero client installation (when using software-based certificates)

Support of hardware tokens (for creation and storage of certificates) to enhance the level of security

SAP Trust Center Services are free of charge for SAP customers

An additional contract between customer and SAP is needed


Authentication Process: Digital Certificates

User Authentication
- The user presents his certificate to the Web server during the SSL handshake
- The Web server verifies the user certificate and that the user possesses the corresponding private key

User Mapping
- The Portal Server extracts user information from the certificate
- Mapping of portal users to enterprise application users

(Diagram labels: X.509 Certificate, SSL, Portal Server, Extract User Information, User ID Mapping, Portal LDAP Directory, Corporate LDAP Directory, Logon Ticket)
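The user-mapping step above, as an added Go example using only the standard library; it is not code from the presentation or from any SAP product. It assumes the Web server has already done the SSL-handshake part (CA signature and proof of possession of the private key) and models only what the portal does next. The issuer name, the customer, the mapping table entries (ANN_M, HMEIER) and the sample certificates are all constructed for this example.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// DN renders a distinguished name in a fixed attribute order, trimmed and
// lower-cased, so that the same identity yields the same mapping key however
// the issuing CA ordered or cased the attributes. Empty attributes are skipped.
func DN(n pkix.Name) string {
	var parts []string
	add := func(attr string, values []string) {
		for _, v := range values {
			if v = strings.TrimSpace(v); v != "" {
				parts = append(parts, attr+"="+strings.ToLower(v))
			}
		}
	}
	add("cn", []string{n.CommonName})
	add("ou", n.OrganizationalUnit)
	add("o", n.Organization)
	add("c", n.Country)
	return strings.Join(parts, ",")
}

var (
	ErrUntrustedIssuer = errors.New("certificate was not issued by the trusted CA")
	ErrNotValid        = errors.New("certificate is outside its validity period")
	ErrUnknownUser     = errors.New("no enterprise user is mapped to this certificate")
)

// Mapping is the portal's user-ID mapping table. Keys are subject DNs, but a
// subject only counts when the certificate comes from the one trusted issuer:
// any other CA can put the same name into a certificate of its own. Serial
// numbers are deliberately not part of the key, because the deck notes that a
// user may hold several certificates with the same subject name (PC, laptop,
// ...), and all of them should map to the same enterprise user.
type Mapping struct {
	TrustedIssuer pkix.Name
	Users         map[string]string // canonical subject DN -> enterprise user ID
}

// MapUser performs the "User Mapping" step for a certificate that the Web
// server has already verified in the SSL handshake. It re-checks issuer and
// validity itself rather than trusting that the front end did.
func (m Mapping) MapUser(cert *x509.Certificate, now time.Time) (string, error) {
	if DN(cert.Issuer) != DN(m.TrustedIssuer) {
		return "", ErrUntrustedIssuer
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", ErrNotValid
	}
	uid, ok := m.Users[DN(cert.Subject)]
	if !ok {
		return "", ErrUnknownUser
	}
	return uid, nil
}

// ExampleMapping is a constructed table for a fictional customer; entries are
// registered through DN so that case and spacing do not matter.
func ExampleMapping() Mapping {
	issuer := pkix.Name{CommonName: "Example Passport CA", Organization: []string{"Example Trust Center"}}
	users := map[string]string{
		DN(pkix.Name{CommonName: "Ann", OrganizationalUnit: []string{"IT Purchasing"}, Organization: []string{"Example Customer AG"}}):        "ANN_M",
		DN(pkix.Name{CommonName: "hans.meier", OrganizationalUnit: []string{"IT Purchasing"}, Organization: []string{"Example Customer AG"}}): "HMEIER",
	}
	return Mapping{TrustedIssuer: issuer, Users: users}
}

// SampleCert builds a constructed stand-in for a certificate as it arrives
// after the handshake; only the fields the mapping step reads are filled.
func SampleCert(issuerCN, cn, ou string, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(4711),
		Issuer:       pkix.Name{CommonName: issuerCN, Organization: []string{"Example Trust Center"}},
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}, Organization: []string{"Example Customer AG"}},
		NotBefore:    notAfter.AddDate(-1, 0, 0),
		NotAfter:     notAfter,
	}
}

func main() {
	m := ExampleMapping()
	now := time.Now()
	for _, c := range []*x509.Certificate{
		SampleCert("Example Passport CA", "ann", "IT Purchasing", now.AddDate(0, 6, 0)),  // maps to ANN_M
		SampleCert("Other CA", "ann", "IT Purchasing", now.AddDate(0, 6, 0)),             // same name, wrong CA
		SampleCert("Example Passport CA", "ann", "IT Purchasing", now.AddDate(0, -1, 0)), // expired
	} {
		uid, err := m.MapUser(c, now)
		fmt.Printf("%s -> %q %v\n", c.Subject, uid, err)
	}
}
```

The point of the issuer comparison is that the subject name alone is not an identity: the deck's certificate slide calls a certificate unique with respect to the CA and serial number, so a portal that keyed its table by subject only would accept the same name from any CA it happens to trust. In a real deployment the table would live in the Portal LDAP directory the slide shows, and the issuer check would normally be satisfied by trusting only the one CA in the Web server's SSL configuration, but keeping it in the mapping code costs nothing and survives a later change to that configuration.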


Secure Communication: Between Client and Portal

Secure, encrypted communication between client and Portal Server

Support of the industry-standard security protocol Secure Sockets Layer (SSL)
- Confidentiality
- Authenticity
- Integrity

(Diagram labels: X.509 Certificate on both sides, SSL, Portal Server)


Secure Communication: Between Portal and Application Servers

Secure Sockets Layer (SSL)
- if HTTP is used to call the application

Secure Network Communications (SNC)
- if SAP-specific protocols such as DIAG and RFC are deployed

SSL/SNC Services
- Confidentiality
- Authenticity
- Integrity

(Diagram labels: Portal Server; SSL over HTTP to a 3rd Party System; SNC over RFC to an SAP system)


SAP Passport Enrollment Process with mySAP Enterprise Portal

Parties shown: Enterprise Portal (with the Registration Authority), SAP Trust Center Services

1. Log on using user ID and password and initiate the SAP Passport request
2. Specify naming convention and trigger key generation
3. Generate keys and send the SAP Passport request
4. Send approved request
5. Verify naming conventions and issue certificate
6. Log on using the SAP Passport
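The six enrollment steps above, together with the certificate fields from the Digital Certificate slide and the three-party picture (employee, Registration Authority, Certification Authority), as an added Go example using only the standard library; it is not code from the presentation or from SAP. The CA name, the customer name, the user and her e-mail address are constructed, and subjectOK is an assumed naming convention that stands in for whatever a customer agrees with SAP; the real SAP Passport enrollment runs inside the portal and the Trust Center and is not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup failures (key generation, self-signing); policy checks return errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CA stands in for the certification authority (SAP Trust Center Services in the deck).
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed CA certificate; name and key are constructed for this example.
func NewCA(name string) *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{Cert: must(x509.ParseCertificate(der)), Key: key}
}

// EmployeeRequest is step 3: Ann generates the key pair locally and signs a request
// carrying only her name and public key. The private key never reaches the RA or CA.
func EmployeeRequest(userID, org, email string) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{
		Subject:        pkix.Name{CommonName: userID, Organization: []string{org}},
		EmailAddresses: []string{email}, // an "extended attribute" as on the certificate slide
	}
	return key, must(x509.CreateCertificateRequest(rand.Reader, req, key))
}

// subjectOK is the naming convention assumed here: O is the registered customer, CN a user ID.
func subjectOK(s pkix.Name, customerOrg string) bool {
	return len(s.Organization) == 1 && s.Organization[0] == customerOrg && s.CommonName != ""
}

// RAApprove is the customer's Registration Authority (steps 2 and 4): it checks the
// request signature (proof of possession of the private key) and the naming convention.
func RAApprove(csrDER []byte, customerOrg string) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request not signed by the key holder: %w", err)
	}
	if !subjectOK(csr.Subject, customerOrg) {
		return nil, fmt.Errorf("subject %v violates the agreed naming convention", csr.Subject)
	}
	return csr, nil
}

// Issue is step 5: the CA re-checks the naming convention for its contract partner and signs.
func (ca *CA) Issue(csr *x509.CertificateRequest, customerOrg string, validity time.Duration) (*x509.Certificate, error) {
	if !subjectOK(csr.Subject, customerOrg) {
		return nil, fmt.Errorf("CA: subject %v does not match the registered customer", csr.Subject)
	}
	tmpl := &x509.Certificate{
		SerialNumber:   must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))), // unique per CA
		Subject:        csr.Subject,
		EmailAddresses: csr.EmailAddresses,
		NotBefore:      time.Now().Add(-time.Minute),
		NotAfter:       time.Now().Add(validity),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)))
}

// Verify is the relying-party check at logon (step 6): chain to the trusted CA, client-auth EKU.
func (ca *CA) Verify(cert *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

The call order is NewCA, EmployeeRequest, RAApprove, Issue and finally Verify. Two things in the flow carry the security argument of the slides: only the signed request travels from Ann to the RA and the CA, so the private key stays where the deck says it must (with the user, or inside a hardware token, which this software-key example does not model), and csr.CheckSignature is the RA's evidence that whoever sent the request holds that key. Verify is what the portal Web server does with the certificate at logon; the handshake's own proof that the client holds the private key is part of SSL itself and is not shown here.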


Prerequisites for Using X.509 Client Certificates

For this scenario, your system must meet the following prerequisites:

Set up the Registration Authority in SAP Enterprise Portal 5.0 (available as of SP3). The Registration Authority is currently not available in SAP Enterprise Portal 6.0.

Users have obtained valid SAP Passports (X.509 client certificates) from SAP Trust Center Services.

The Portal Web server is configured to communicate using SSL.

The Portal Web server is configured to accept client certificates.

The Portal Web server is configured to trust the Certification Authority (CA) that issued the user certificates.


SAP Solutions with Registration Authority

SAP EP as of EP 5.0 (SP3); EP 6.0 does not yet include a Registration Authority

SAP Workplace

SAP Web Application Server + SAP ITS

Most current SAP solutions have an RA included and can be used to deploy SAP Passports


Scenarios of Usage - example

(Diagram: users on the Intranet and the Internet, with software-based and hardware-based certificates, accessing the SAP Enterprise Portal and the SAP Service Marketplace, http://service.sap.com)


Scenarios of Usage

Support of software-based certificates

Support of hardware-based certificates -> to raise the level of security

Easy enrollment process in both scenarios

Broad usage of SAP Passports via Intranet and Internet
- in SAP solutions
- on business partners' Enterprise Portals
- on any marketplace over the Internet (if X.509 certificates are supported, e.g. SAP Service Marketplace)


SAP Passports on SAP Service Marketplace

SAP Service Marketplace supports the usage of SAP Passports
- Single Sign-On (numerous Web servers are available due to logon balancing)
- Easy and secure logon using SAP Passports

Usage of the "customer's" SAP Passport (already used in a customer's solution)
- Mapping of the "customer's" SAP Passport to the existing user ID
- Only one client certificate is needed

Issue of an SAP Passport for Service Marketplace users
- The Registration Authority is located in SAP Service Marketplace


SAP Passport – How to get started

Company that wants to use SAP Trust Center Services:

1. Requests Terms and Conditions
2. SAP sends contract
3. Customer nominates the Registration Administrator
4. Customer signs the contract
5. Customer sends CR to SAP
6. SAP returns signed RA certificate
7. SAP Passports can be used

(Diagram parties: Company, Registration Administrator, Users, SAP)


How to use SAP Passports

1. Customer wants to use SAP Passports and requests for Terms and Conditions (http://service.sap.com/tcs -> request for proposal or mailto:[email protected])

2. SAP sends Terms and Conditions to customer

3. Customer nominates Registration Administrator

4. Customer sends the signed contract to SAP

5. Customer sends Certificate Request (for RA) to SAP (via Service Marketplace or SAP Net R/3 Frontend – component BC-SEC)

6. SAP returns the signed certificate to the customer, which is imported into the Registration Authority

7. The customer can set up the RA and start the enrollment of SAP Passports

For testing of SAP Passports no contract is necessary


Why is a contract needed to use SAP Passports?

SAP wants to earn money? -> No, this service is free of charge for SAP's customers

SAP wants to raise the trustworthiness of SAP Passports
- Registration of users (mapping of person to public key) is done on the customer side (within the SAP solution)
- A Registration Administrator is nominated to administer the SAP system; they are the person responsible for authorizing SAP Passport requests
- The customer confirms that security rules are applied in his company

A contract ensures a high and common level of trustworthiness for SAP Passports, the basis of the SAP Trust Community


Summary

SAP Trust Center Services enable collaborative business

SAP Trust Center Services offer a high level of security

... Combined with high usability

Automatic processes help to reduce costs

SAP Passports are free of charge and ready to use

More related information can be found here:

http://service.sap.com/tcs