
Function documentation: Trust Manager

Use

Establishing solid trust relationships is vital to the success of your business transactions, especially on the Internet, where the boundaries between companies become blurred. Therefore, many applications in SAP Systems rely on public-key technology to establish the trust infrastructure that successful business relationships require.

Public-Key Technology Support in SAP Systems

Examples of public-key technology support in SAP Systems include:

- Secure Store and Forward (SSF) mechanisms

Since Release 4.0, SAP Systems support the use of an external security product through the SSF mechanisms. By using SSF, applications can support digital signatures and document encryption in their processing.

- System PSE

At start-up, each SAP System is supplied with a public-key pair and a corresponding public-key certificate, which are stored in its own system Personal Security Environment (PSE). The SAP System can therefore produce its own digital signatures using the private key held in its system PSE. Other systems can then verify the system's digital signature against its public-key certificate, which guarantees the integrity and authenticity of a document that the system has digitally signed.

Example

User authentication on the SAP Web Application Server (SAP Web AS) can take place using logon tickets. In this case, the SAP Web AS digitally signs the user's logon ticket after successful authentication. Instead of re-authenticating the user with user ID and password, other systems that the user accesses can grant access after verifying the SAP Web AS's digital signature on the user's logon ticket.
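The logon-ticket exchange described above, as an added example that is not part of the SAP documentation: openssl stands in for the SAP Cryptographic Library, a key file plus a self-signed certificate stands in for the issuing server's system PSE, and the ticket text, subject names and file names are constructed for the demo. The accepting side never holds the private key; it verifies with the issuer's certificate alone, which is exactly the role of a certificate-list entry or a verification PSE.

```shell
#!/bin/sh
# Added example (not SAP code): the logon-ticket pattern with openssl standing in for
# the SAP Cryptographic Library. File names, subject names and the ticket text are
# constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the issuing SAP Web AS's system PSE: a key pair and its certificate.
# (Self-signed here; in a real landscape the CA-signed certificate is imported via the
# trust manager.)
make_system_pse() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=issuing-webas.example.invalid" \
        -keyout "$WORK/system.key" -out "$WORK/system.crt" 2>/dev/null
}

# The issuing server signs the ticket with its private key.
sign_ticket() {  # $1 = ticket file, $2 = signature file to write
    openssl dgst -sha256 -sign "$WORK/system.key" -out "$2" "$1"
}

# The accepting server holds only the issuer's certificate (verification PSE /
# certificate-list role): extract the public key and check the signature.
verify_ticket() {  # $1 = ticket file, $2 = signature file; 0 = valid, 1 = invalid
    openssl x509 -in "$WORK/system.crt" -pubkey -noout > "$WORK/system.pub"
    if openssl dgst -sha256 -verify "$WORK/system.pub" -signature "$2" "$1" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Runs the exchange: the genuine ticket verifies, a modified copy does not.
# Returns 0 only when both outcomes are as expected.
ticket_demo() {
    make_system_pse
    printf 'user=JDOE;sysid=WAS;valid_until=2030-01-01T00:00:00Z\n' > "$WORK/ticket.txt"
    sign_ticket "$WORK/ticket.txt" "$WORK/ticket.sig"

    verify_ticket "$WORK/ticket.txt" "$WORK/ticket.sig" || return 1
    echo "genuine ticket: accepted"

    # Any change to a signed field (here the user name) invalidates the signature.
    sed 's/user=JDOE/user=JSMITH/' "$WORK/ticket.txt" > "$WORK/modified.txt"
    if verify_ticket "$WORK/modified.txt" "$WORK/ticket.sig"; then
        echo "modified ticket: accepted (unexpected)"
        return 1
    fi
    echo "modified ticket: rejected"
    return 0
}
```

Run `ticket_demo` after sourcing the file; the point to notice is that `verify_ticket` only ever reads `system.crt`, so distributing the issuer's certificate (not its key) to the accepting systems is all that a trust relationship based on the system PSE requires.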

- Support for the Secure Sockets Layer (SSL) protocol

The SAP Web AS supports the Secure Sockets Layer protocol, which provides for authentication between communication partners and encrypted communications. In this case, the application server must also possess a public and private key pair to use for the SSL communications.

Managing the Public-Key Information Using the Trust Manager

To manage the public-key information necessary for these and other scenarios, you can use the trust manager. The trust manager performs the PSE and certificate maintenance functions such as generating key pairs, creating certificate requests to be signed by a Certification Authority (CA), and maintaining the list of trusted CAs that the server accepts.

Integration

You can use the trust manager to maintain the public-key information for the following types of PSEs used by SAP applications:

- The system PSE

- The server's PSE to use for Secure Network Communications (SNC), if you use the SAP Cryptographic Library as the security product

- PSEs used for SSL-protected communications

  - SSL server PSEs

  - SSL client PSEs

- Arbitrary file PSEs

- PSEs used by SSF applications that use the SAP Security Library or the SAP Cryptographic Library as the security product. You cannot use the trust manager to maintain PSEs for SSF applications that use a different security product.

SSF applications are applications whose security information is specified in the table SSFARGS. They include the SSF default application and various applications that use specific information, for example, the HTTP Content Server or the SAP Web AS application for using logon tickets.

Note

There are two different methods for storing the SSF application PSEs:

- The PSE may be stored in the database, whereby a copy of the PSE is distributed to the system's application servers.

- The PSE may be stored in the file system and can be accessed at the operating system level. (In this case, the PSE must be located in a globally accessible directory.)

Prerequisites

Before using the trust manager for maintaining PSEs and managing certificates, you should have an understanding of public-key technology and the terminology provided under Terminology and Abbreviations.

In addition, if you use the trust manager for creating SSL or SNC PSEs, then you must install and use the SAP Cryptographic Library. For more information, see Using the Secure Sockets Layer Protocol and Installing the SAP Cryptographic Library (SAP Web AS).

Features

The trust manager provides functions for:

- Generating key pairs and corresponding certificate requests

- Importing the certificate request response into a PSE

- PSE maintenance (for example, creating, displaying and deleting PSEs, as well as monitoring the status of PSEs)

- Maintaining a PSE's certificate list

- Generating a verification PSE (a PSE that can only be used to verify the subject's digital signature)

- Assigning a PIN to PSEs, which also creates credentials for the server so that the server can access a protected PSE at run-time

- Distributing a PSE to the individual application servers

- Importing and exporting PSEs

- Importing, parsing, and exporting certificates

Example

SAP Web Application Server: SSL Support

You can use the trust manager to generate key pairs for those application servers that are to support SSL. You can then have the system create the corresponding certificate requests, which you then send to a CA to be signed.

Once you have received a response from the CA, you can use the trust manager to import the signed public-key certificate into the system's SSL server PSE.

You can also use the trust manager to maintain the list of trusted CAs (the certificate list) whose public-key certificates you accept for the SSL connection.
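The request/response cycle described in this example, as an added example that is not SAP's own tooling or code: openssl stands in for the trust manager and the SAP Cryptographic Library, a throwaway CA created locally takes the place of the external CA, and all subject names and file names are constructed. Besides the generate, sign and import steps, it shows the two checks a practitioner wants before accepting a CA response: that the returned certificate matches the private key already in the PSE, and that it chains to an entry in the trusted CA list (and is rejected when the issuing CA is not in that list).

```shell
#!/bin/sh
# Added example (not SAP code): the SSL server PSE life cycle with openssl standing in
# for the trust manager / SAP Cryptographic Library. Names and subjects are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1 (trust manager: generate key pair + certificate request): a key pair and a
# PKCS#10 request for the application server that is to support SSL.
create_server_key_and_request() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=webas01.example.invalid/O=Example Org/C=DE" \
        -keyout "$WORK/sslserver.key" -out "$WORK/sslserver.csr" 2>/dev/null
}

# A stand-in CA (in practice an external or corporate CA) signs the request and
# returns the certificate, i.e. the "response" that is later imported.
sign_request_as_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA/O=Example Org/C=DE" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl x509 -req -in "$WORK/sslserver.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/sslserver.crt" 2>/dev/null
}

# Step 2 (trust manager: import the certificate response): the response is only
# usable if the signed certificate carries the public key of the key pair already in
# the PSE. Compare the public keys by hashing their PEM encodings.
response_matches_key() {   # 0 if the CA response belongs to our key pair
    key_pub=$(openssl pkey -in "$WORK/sslserver.key" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$WORK/sslserver.crt" -pubkey -noout | openssl sha256)
    [ "$key_pub" = "$crt_pub" ]
}

# Step 3 (trust manager: certificate list): a certificate is accepted only if it
# chains to a CA in the list handed over as $1.
chains_to_trusted_ca() {   # $1 = file holding the trusted CA certificates
    openssl verify -CAfile "$1" "$WORK/sslserver.crt" >/dev/null 2>&1
}

# Runs the whole cycle; returns 0 only when every step behaves as expected.
pse_lifecycle_demo() {
    create_server_key_and_request
    sign_request_as_ca
    response_matches_key || { echo "CA response does not match the PSE key pair"; return 1; }
    echo "CA response matches the PSE key pair"

    # Certificate list containing the issuing CA: the server certificate is accepted.
    cp "$WORK/ca.crt" "$WORK/trusted.pem"
    chains_to_trusted_ca "$WORK/trusted.pem" || return 1
    echo "server certificate chains to a trusted CA"

    # Certificate list holding only an unrelated CA: the same certificate is rejected.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
    if chains_to_trusted_ca "$WORK/other.crt"; then
        echo "accepted although the issuing CA is not trusted (unexpected)"
        return 1
    fi
    echo "server certificate rejected when its CA is not in the list"
    return 0
}
```

The public-key comparison in step 2 is the check that catches a response that was issued for a different request (for example, after the key pair was regenerated in the meantime); the verification in step 3 is what the certificate list does for every peer certificate presented during an SSL handshake.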

Additional Information

For more information on using public-key technology in SAP Systems, see:

- Public-Key Technology

- SSF User's Guide
