
General Information

SSF uses digital signatures and digital envelopes to secure data. The digital signature uniquely identifies the signer, is not forgeable, and protects the integrity of the data. (Any changes in the data after being signed result in an invalid digital signature for the altered data.) A digital envelope makes sure that the contents of the data are only visible to the intended recipient.

Security Product

SSF requires the use of a security product to perform its functions. By default, we deliver the SAP Security Library (SAPSECULIB) as the security provider. SAPSECULIB is a software solution with capabilities limited to digital signatures.

For support of crypto hardware (for example, smart cards or crypto boxes) or digital envelopes, we also offer the SAP Cryptographic Library, which is available for download on the SAP Service Marketplace.

Note

When installed, this library replaces the SAPSECULIB for the SSF functions. Therefore, the security functions and measures that apply to the SAPSECULIB also apply to the SAP Cryptographic Library.

Alternatively, you can use an SAP-certified external security product. See the SAP Software Partner Program on the SAP Service Marketplace (SSF interface).

Security Measures

Regardless of your infrastructure, you need to take precautions to protect the private keys. Each participant that uses the digital signatures and envelopes needs to own a key pair (public and private key). This includes system components such as the SAP system application servers, if they act as signers. For information about protecting the keys, see Protecting Keys.

Note

There are also laws in various countries that regulate the use of cryptography and digital signatures. These laws are currently controversial and may change. You need to keep yourself informed on the impact these laws may have on your applications, and make sure that you are aware of any further developments.

Security Measures When Using the SAP Security Library

The SAPSECULIB is a part of each SAP Web AS ABAP system. At start-up, the application server makes sure it has its own personal security environment (PSE), called the system PSE, for storing its security information. If no system PSE exists at start-up (for example, at the first start-up), the application server generates one.

This automated generation process makes sure that only the application server can access the system PSE and the key pair. To verify the access rights and for more information about protecting access to the key pair, see Protecting the Application Server’s Keys.

 

 
