General Information

SSF uses digital signatures and digital envelopes to secure data.

The digital signature uniquely identifies the signer, cannot be forged without the signer's private key, and protects the integrity of the data: any change to the data after it has been signed makes the signature invalid for the altered data. A digital envelope ensures that the contents of the data are visible only to the intended recipient.
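The two properties above can be seen in a small working illustration. The following Go program is an added example and is not SAP code; it uses only the Go standard library (RSA-PSS signatures, RSA-OAEP key wrapping and AES-GCM) and a simplified envelope layout of its own invention. It does not reproduce the PKCS#7-based formats that SSF actually exchanges, and it identifies signer and recipient by raw public keys rather than by certificates. The sample document is constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Sign returns an RSA-PSS signature over the SHA-256 digest of data, made with
// the signer's private key. Only the holder of that private key can produce it.
func Sign(signer *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPSS(rand.Reader, signer, crypto.SHA256, digest[:], nil)
}

// Verify reports whether sig is a valid signature over data under the signer's
// public key. Any change to data after signing makes this return false.
func Verify(signerPub *rsa.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return rsa.VerifyPSS(signerPub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Envelope is a simplified digital envelope (a hypothetical layout for this
// example, not SSF's PKCS#7 EnvelopedData): the content is encrypted with a
// fresh AES-256-GCM content key, and that key is wrapped for the recipient
// with RSA-OAEP.
type Envelope struct {
	WrappedKey []byte // content key encrypted under the recipient's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext with authentication tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal builds an envelope that only the owner of the private key matching
// recipientPub can open.
func Seal(recipientPub *rsa.PublicKey, content []byte) (*Envelope, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, content, nil)}, nil
}

// Open recovers the content with the recipient's private key. Any other key
// fails to unwrap the content key, so the content stays hidden from everyone
// but the intended recipient; a modified ciphertext fails the GCM tag check.
func Open(recipient *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap content key: not the intended recipient")
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	signer, _ := rsa.GenerateKey(rand.Reader, 2048)
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)
	outsider, _ := rsa.GenerateKey(rand.Reader, 2048)

	// Constructed sample document; not real SAP data.
	doc := []byte("payment order 4711: amount 100.00 EUR to account 12345678")

	sig, _ := Sign(signer, doc)
	fmt.Println("original verifies:", Verify(&signer.PublicKey, doc, sig))
	tampered := append([]byte(nil), doc...)
	tampered[len(tampered)-1] ^= 1 // flip one bit after signing
	fmt.Println("tampered verifies:", Verify(&signer.PublicKey, tampered, sig))

	env, _ := Seal(&recipient.PublicKey, doc)
	plain, err := Open(recipient, env)
	fmt.Printf("intended recipient reads: %q (err=%v)\n", plain, err)
	_, err = Open(outsider, env)
	fmt.Println("other key:", err)
}
```

The program prints `true` for the untouched document and `false` once a single bit has changed, and the envelope opens only with the recipient's private key. What the example leaves out is exactly what the rest of this page is about: in a real deployment the verifier must also establish that the public key belongs to the claimed signer (certificate validation), and every private key used here must be protected, which is the subject of the sections that follow.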

Security Product

SSF requires a security product to perform its functions. By default, the SAP Cryptographic Library is delivered as the security provider. For more information, see SAP Note 1848999.

For support of cryptographic hardware (for example, smart cards or hardware security modules) or of digital envelopes, you need an external security product. SAP offers SAP Single Sign-On for this purpose, in addition to the external security products offered by our partners.

For SAP-certified partner products, see the SAP Software Partner Program on the SAP Service Marketplace (SSF interface).

Security Measures

Regardless of your infrastructure, you must take precautions to protect the private keys. Each participant that uses digital signatures or digital envelopes needs to own a key pair (public key and private key). This includes system components such as the SAP system application servers if they act as signers or recipients.

For information about protecting the keys, see Protecting Keys.

Note

There are also laws in various countries that regulate the use of cryptography and digital signatures. These laws are subject to change and local variations. You must keep yourself informed on the impact these laws may have on your applications, and make sure that you are aware of any further developments.

Security Measures When Using the SAP Cryptographic Library

The SAP Cryptographic Library is part of every AS ABAP system. At start-up, the application server makes sure that it has its own personal security environment (PSE), called the system PSE, in which to store its security information. If no system PSE exists at start-up (for example, at the first start-up), the application server generates one.

Because the application server generates the system PSE itself, the key pair never has to be created or copied elsewhere, and access to the system PSE and its key pair is restricted to the application server.

To verify the access rights and for more information about protecting access to the key pair, see Protecting the Application Server's Keys.