Secure Store & Forward / Digital Signatures (BC-SEC-SSF) 

Purpose

Secure Store and Forward (SSF) mechanisms provide you with the means to secure data and documents in SAP Systems as independent data units. By using SSF functions, you can "wrap" data and digital documents in secure formats before they are saved on data carriers or transmitted over (possibly) insecure communication links. The data need not remain within the SAP System: if you save data in a secure format in the SAP System, it retains that secured format even after you export it out of the system, because the protection is part of the data unit itself rather than of the channel or the storage location.

SSF mechanisms use digital signatures and digital envelopes to secure digital documents. The digital signature identifies the signer, cannot be forged without the signer's private key, and protects the integrity of the data: any change to the data after it has been signed results in an invalid digital signature for the altered data, which the recipient detects when verifying. The digital envelope encrypts the data so that its contents are only readable by the intended recipient(s), who hold the corresponding private keys.
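The following Go program is an added example that demonstrates the two properties just described; it is not SAP code and does not implement the SSF API or its PKCS#7 data format. It uses standard-library primitives only: Ed25519 for the digital signature, and AES-256-GCM with a per-document content key wrapped by RSA-OAEP for each recipient as the digital envelope. The type and function names (SignedDoc, Envelope, Seal, Open), the "buyer" recipient and the purchase-order text are constructed for the illustration. It goes slightly beyond the paragraph by supporting several recipients in one envelope and by showing the negative cases: an altered document fails verification, and a party that is not a listed recipient, or that holds the wrong private key, gets an error instead of plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedDoc pairs a document with its signature (hypothetical stand-in for PKCS#7 SignedData).
type SignedDoc struct {
	Data, Signature []byte
}

// Sign signs data with the signer's private key (Ed25519 here).
func Sign(priv ed25519.PrivateKey, data []byte) SignedDoc { return SignedDoc{data, ed25519.Sign(priv, data)} }

// Verify checks the document against a signer public key that the verifier obtained from a
// trusted source (the PKI), never from the document itself.
func Verify(signerPub ed25519.PublicKey, doc SignedDoc) bool { return ed25519.Verify(signerPub, doc.Data, doc.Signature) }

// Envelope: data encrypted once under a random AES-256-GCM content key; that key is wrapped
// separately for each recipient with RSA-OAEP (hypothetical stand-in for PKCS#7 EnvelopedData).
type Envelope struct {
	Nonce, Ciphertext []byte
	WrappedKey        map[string][]byte // recipient name -> content key wrapped for that recipient
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts data so that every listed recipient, and nobody else, can open it.
func Seal(data []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	secret := make([]byte, 32+12) // 256-bit content key followed by a 96-bit GCM nonce
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	contentKey, nonce := secret[:32], secret[32:]
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, nil), WrappedKey: map[string][]byte{}}
	for name, pub := range recipients {
		// The recipient name is the OAEP label, binding each wrapped key to its recipient slot.
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, []byte(name))
		if err != nil {
			return nil, err
		}
		env.WrappedKey[name] = wrapped
	}
	return env, nil
}

// Open recovers the plaintext for one recipient. An unlisted name, the wrong private key,
// or an altered ciphertext yields an error and no plaintext.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKey[name]
	if !ok {
		return nil, errors.New("not an intended recipient of this envelope")
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte(name))
	if err != nil {
		return nil, err // wrong key: OAEP decoding fails
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // GCM tag check rejects altered ciphertext
}

// Run exercises both mechanisms on a constructed purchase order and reports which of the
// four security properties held.
func Run() (sigValid, tamperCaught, recipientReads, outsiderBlocked bool) {
	signerPub, signerPriv, _ := ed25519.GenerateKey(rand.Reader)
	po := []byte("Purchase order 4711: 120 units, EUR 9,600") // constructed sample document
	doc := Sign(signerPriv, po)
	sigValid = Verify(signerPub, doc)
	altered := SignedDoc{Data: []byte("Purchase order 4711: 920 units, EUR 9,600"), Signature: doc.Signature}
	tamperCaught = !Verify(signerPub, altered)

	buyer, _ := rsa.GenerateKey(rand.Reader, 2048)
	outsider, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, _ := Seal(po, map[string]*rsa.PublicKey{"buyer": &buyer.PublicKey})
	plain, err := Open(env, "buyer", buyer)
	recipientReads = err == nil && string(plain) == string(po)
	_, err = Open(env, "buyer", outsider) // outsider tries the buyer's slot with its own key
	outsiderBlocked = err != nil
	return
}

func main() { fmt.Println(Run()) }
```

Run prints four booleans, expected all true. Note that Verify takes the signer's public key as a separate argument rather than reading it out of the document: a document that carries its own key would verify against any key an attacker chose, so the key has to come from the PKI the verifier trusts.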

The SSF mechanisms are useful in those application areas where an increased level of security is required pertaining to:

By using the SSF mechanisms in SAP applications, you can replace paper documents and handwritten signatures with automated work flow processes and digital documents that are secured with digital signatures and digital envelopes.

Implementation Considerations

SSF mechanisms are available in SAP Systems as of Release 4.0.

You use the SSF mechanisms if you are using an application in the SAP System that has implemented digital signatures or digital envelopes.

There are a number of applications that currently use the SSF mechanisms to provide data protection, for example:

With time, more and more applications will use SSF for their security purposes.

Constraints

Third-Party Security Product

SSF requires the use of a third-party security product to provide its functions. As the default provider, we deliver the SAP Security Library (SAPSECULIB) with SAP Systems. The SAPSECULIB, however, is limited to providing digital signatures only. For digital envelopes, encryption, or crypto hardware (for example, smart cards or crypto boxes), you need to use a SAP-certified external security product. For a product to be certified by SAP, it must support the PKCS#7 standard data format. For information about supported products, see the SAP Complementary Software Program (http://www.sap.com/csp).

Public-Key Infrastructure

To effectively use the SSF mechanisms, you need to have an established public-key infrastructure (PKI). The PKI makes sure that you can validate and trust the digital signatures, certificates, and Certification Authorities (CAs). A PKI is often, although not necessarily, supported by the external security products that are available on the market. Although SAP Systems do not provide a PKI directly, they do support PKIs provided by various security products.

Depending on the security product that you use, you can establish the use of a PKI in one of several ways. You may want to create your own PKI and CA that you link to your customers, or you and your customers may want to agree on a common Trust Center. A common Trust Center is a third-party entity that both you and your customers trust to validate and authenticate the participants in your PKI, so that neither side has to distribute and vouch for the other's certificates itself. Using a common Trust Center can solve many of the currently open questions regarding the establishment of a PKI.

Laws and Regulations

There are also laws in various countries that regulate the use of cryptography and digital signatures. These laws are currently controversial and may change. You need to keep yourself informed on the impact these laws may have on your applications, and make sure that you are aware of any further developments.

Examples of SAP Applications That Use the SSF Functions

The following SAP applications are examples of areas that use digital signatures to meet their requirements: