
Trust Manager

Establishing solid trust relationships is vital to the success of your business transactions, especially over the Internet, where company boundaries are not clearly visible. Therefore, many SAP applications rely on public-key technology to establish the trust infrastructure that successful business relationships require.

Public-Key Technology Support with SAP NetWeaver Application Server ABAP

Examples of public-key technology support with SAP NetWeaver Application Server ABAP (AS ABAP) include:

  • System digital signatures

    At start-up, each SAP NetWeaver Application Server ABAP is supplied with a public and private key pair and a certificate, which are stored in its own system Personal Security Environment (PSE). The application server can therefore produce its own digital signatures using the key pair contained in its system PSE. Other systems can then verify the system's digital signature, which guarantees the integrity and authenticity of a document that the system has digitally signed.

    Example

    For example, user authentication on SAP NetWeaver Application Server ABAP can use logon tickets. In this case, the application server digitally signs the user's logon ticket after successful authentication. Instead of re-authenticating the user with user ID and password, other systems can grant access after verifying the application server's digital signature on the user's logon ticket.

  • Support for Secure Network Communications

    For the SAP protocols DIAG and RFC, secure communication is provided through the Secure Network Communications (SNC) interface. SNC uses SAP NetWeaver Single Sign-On or an external security product to secure the communication; the SAP Cryptographic Library is provided as the default product for server-to-server communication within an SAP system landscape.

    When using the SAP Cryptographic Library, the system also stores the corresponding public and private key pair in the SNC PSE.

  • Support for the Secure Sockets Layer (SSL) Protocol

    SAP NetWeaver Application Server ABAP supports the Secure Sockets Layer (SSL) protocol, which provides security when using Internet protocols such as HTTP. The security provided includes encrypted communication as well as authentication between the communication partners. In this case, the application server must also possess a public and private key pair to use for SSL communication.

  • Web Services Security (WS-Security)

    Web services support digital signatures and encryption for the Simple Object Access Protocol (SOAP) messages. In this case, the public and private keys used by the web services are stored in corresponding PSEs.

  • Secure Store and Forward Mechanisms (SSF)

    SAP systems support the use of an external security product using the SSF mechanisms. By using SSF, applications can support the use of digital signatures and document encryption in their processing.
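The logon-ticket case in the first bullet above, shown as an added example that is not SAP code: a system holds a key pair in its own PSE, signs the ticket it issues after authenticating a user, and a second system verifies that signature with nothing but the issuer's public key. The `SystemPSE` type, the `user=...;issuer=...;iat=...` payload layout, and the system IDs are constructed for this example and are not the format SAP uses.

```go
package main

// Added example (not SAP code): a minimal stand-in for a system PSE that
// holds a key pair, signs a logon ticket, and lets a second system verify
// that signature using only the issuer's public key.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// SystemPSE is a hypothetical in-memory analog of the system PSE: the
// private key never leaves it; only the public key is shared with others.
type SystemPSE struct {
	SystemID string
	priv     *ecdsa.PrivateKey
}

func NewSystemPSE(systemID string) (*SystemPSE, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SystemPSE{SystemID: systemID, priv: priv}, nil
}

// Public returns the verification key that other systems import into
// their certificate list.
func (p *SystemPSE) Public() *ecdsa.PublicKey { return &p.priv.PublicKey }

// IssueTicket signs "user=...;issuer=...;iat=..." after the user has been
// authenticated. The constructed ticket format is payload + "." + base64url(sig).
func (p *SystemPSE) IssueTicket(user string) (string, error) {
	if strings.ContainsAny(user, ";=.") {
		return "", errors.New("user ID contains delimiter characters")
	}
	payload := fmt.Sprintf("user=%s;issuer=%s;iat=%d", user, p.SystemID, time.Now().Unix())
	digest := sha256.Sum256([]byte(payload))
	sig, err := ecdsa.SignASN1(rand.Reader, p.priv, digest[:])
	if err != nil {
		return "", err
	}
	return payload + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyTicket is what the receiving system does instead of asking for a
// password again: check the issuer's signature first, and only then trust
// the user field. It returns the user ID and true only if the signature holds.
func VerifyTicket(ticket string, issuerPub *ecdsa.PublicKey) (string, bool) {
	dot := strings.LastIndex(ticket, ".")
	if dot < 0 {
		return "", false
	}
	payload, sigB64 := ticket[:dot], ticket[dot+1:]
	sig, err := base64.RawURLEncoding.DecodeString(sigB64)
	if err != nil {
		return "", false
	}
	digest := sha256.Sum256([]byte(payload))
	if !ecdsa.VerifyASN1(issuerPub, digest[:], sig) {
		return "", false
	}
	for _, field := range strings.Split(payload, ";") {
		if strings.HasPrefix(field, "user=") {
			return strings.TrimPrefix(field, "user="), true
		}
	}
	return "", false
}

func main() {
	issuer, _ := NewSystemPSE("SYS1")
	ticket, _ := issuer.IssueTicket("ALICE")
	user, ok := VerifyTicket(ticket, issuer.Public())
	fmt.Println("verified:", ok, "user:", user)

	// Any change to the signed payload invalidates the signature.
	tampered := strings.Replace(ticket, "user=ALICE", "user=ADMIN", 1)
	_, ok = VerifyTicket(tampered, issuer.Public())
	fmt.Println("tampered ticket accepted:", ok)
}
```

The receiving system never needs the issuer's private key, which is the point of keeping it in the issuer's PSE: it only needs the issuer's public key, obtained from a trusted certificate list, and a ticket signed by a different system or modified in transit fails verification.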

Managing the Public-Key Information Using the Trust Manager

To manage the public-key information necessary for these and other scenarios, you can use the trust manager. The trust manager performs the PSE and certificate maintenance functions such as generating key pairs, creating certificate requests to be signed by a Certification Authority (CA), and maintaining the list of trusted CAs that the server accepts.

Prerequisites

Before using the trust manager for maintaining PSEs and managing certificates, you should have an understanding of public-key technology and the terminology provided under Terminology and Abbreviations.

For more information, see Configuring the AS ABAP for Supporting SSL.

Integration

You can use the trust manager to maintain the public-key information for the following types of PSEs used by SAP applications, for example:

  • System PSE

  • SNC PSE, if you use the SAP Cryptographic Library as the security product.

  • PSEs used for SSL-protected communications

    • SSL server PSEs

    • SSL client PSEs

  • WS-Security PSEs

  • Arbitrary file PSEs

  • PSEs used by SSF applications that use the SAP Security Library or SAP Cryptographic Library as the security product. You cannot use the trust manager to maintain PSEs for SSF applications that use a different security product.

    SSF applications are applications whose security information is specified in the table SSFARGS. They include the SSF default application and various applications that use specific information, for example, the HTTP Content Server or the SAP NetWeaver Application Server application for using logon tickets.

    Note

    There are two different methods for storing the SSF application PSEs:

    • In the database, from which a copy of the PSE is distributed to the system's application servers.

    • In the file system, where it can be accessed at the operating system level. (In this case, the PSE must be located in a globally accessible directory.)

Activities

The trust manager provides functions for:

  • Generating key pairs and corresponding certificate requests

  • Importing the certificate request response into a PSE

  • PSE maintenance (for example, creating, displaying and deleting PSEs, as well as monitoring the status of PSEs)

  • Maintaining a PSE's certificate list

  • Generating a verification PSE (a PSE that can only be used to verify the subject's digital signature)

  • Assigning a PIN to PSEs, which also creates credentials for the server so that the server can access a protected PSE at runtime

  • Distributing a PSE to the individual application servers

  • Importing and exporting PSEs

  • Importing, parsing, and exporting certificates

Example

You can use the trust manager to generate key pairs for those application servers that are to support SSL. You can then have the system create the corresponding certificate requests, which you then send to a CA to be signed.

Once you have received a response from the CA, you can use the trust manager to import the signed public-key certificate into the system's SSL server PSE.

You can also use the trust manager to maintain the list of trusted CAs (certificate list) from which you will accept public-key certificates for use in SSL connections.
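The SSL server PSE workflow described in this example, written out as an added example in plain Go `crypto/x509` calls; this is not SAP's trust manager or any SAP code, and the `PSE` type, the method names, the CA name and the host name `as01.example.test` are constructed for illustration. It covers each step the text lists: generating the key pair and the certificate request, having a CA sign it, importing the response into the PSE it was requested for, and keeping a certificate list of trusted CAs against which peer certificates are verified.

```go
package main

// Added example (not SAP's trust manager): key pair and certificate request,
// CA signing, import of the response into the matching PSE, and a certificate
// list of trusted CAs used to verify peers. All names are constructed.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PSE is a hypothetical in-memory analog of a PSE: key pair, own certificate, trusted CAs.
type PSE struct {
	priv     *ecdsa.PrivateKey
	Cert     *x509.Certificate
	CertList *x509.CertPool
}

// NewPSE generates the key pair; the PSE holds no certificate yet.
func NewPSE() (*PSE, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &PSE{priv: priv, CertList: x509.NewCertPool()}, nil
}

// SelfSign turns this PSE into a (constructed) CA with a self-signed certificate.
func (p *PSE) SelfSign(name string) error {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &p.priv.PublicKey, p.priv)
	if err != nil {
		return err
	}
	p.Cert, err = x509.ParseCertificate(der)
	return err
}

// CreateRequest produces the DER certificate request that is sent to the CA.
func (p *PSE) CreateRequest(host string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, p.priv)
}

// Sign is the CA side: check the request's self-signature (proof that the requester holds the private key), then issue a one-year server certificate.
func (ca *PSE) Sign(csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request signature invalid: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // toy serial; real CAs use random serials
		Subject:      csr.Subject, DNSNames: csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.priv)
}

// ImportResponse installs the CA's response, refusing a certificate whose
// public key does not belong to this PSE's private key.
func (p *PSE) ImportResponse(certDER []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(&p.priv.PublicKey) {
		return fmt.Errorf("certificate does not match this PSE's key pair")
	}
	p.Cert = cert
	return nil
}

// TrustCA adds a CA certificate to this PSE's certificate list.
func (p *PSE) TrustCA(caCert *x509.Certificate) { p.CertList.AddCert(caCert) }

// VerifyPeer accepts a peer certificate only if it chains to a listed CA and
// is valid for the expected host name.
func (p *PSE) VerifyPeer(certDER []byte, host string) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: p.CertList, DNSName: host})
	return err
}
```

Two checks in this example correspond to what an administrator relies on in practice: the CA response is accepted only into the PSE whose private key matches the certified public key, so a response cannot be imported into the wrong server's PSE, and a peer certificate is accepted only if it chains to a CA in the certificate list and names the expected host, so a certificate from a CA that is not in the list is rejected even though it is otherwise well-formed.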

More Information

For more information about using public-key technology with SAP NetWeaver Application Server ABAP, see: