SAP Trust Center Services: An Overview on SAP Passports
Martin Rink, SAP Trust Center Services

Key benefits of SAP Trust Center Services
- Enabling secure collaborative business scenarios for SAP customers by using asymmetric cryptography and digital certificates
- Allowing customers to perform Single Sign-On to all internal and external systems
- No administration for individual SAP Passport enrollment is necessary, as the registration and authentication processes are fully automated
- Providing secure access to current and future marketplaces / web services on the Internet
- SAP Trust Center Services are based on international standards (e.g. X.509, PKCS, ...)
- Being part of the SAP Trust Community, which is founded on SAP's existing customer base
SAP AG 2003, Title of Presentation, Speaker Name / 2

Client Certificates - Current Situation
- Digital certificates provide a high level of security
- SAP solutions support the usage of digital certificates
- Setting up and running a PKI (Public Key Infrastructure) is often very expensive:
  - set-up of the PKI (ongoing costs)
  - enrollment process
  - costs for certificates (if hosted solution)
- SAP Trust Center Services

What is a Trust Center?
A Trust Center expresses trust in the relationship between a person and a digital ID (= a pair of keys, one of them public, one of them private) by issuing a certificate containing
- the name of the person
- the person's public key
- additional information
(Example from the figure: Hans Meier, SAP AG, IT Purchasing, public key 0x1a4c77...)

Digital Certificate
Your "Digital Identity Card" on the web: the SAP Passport
Certificate fields: Version, Serial Number, Issuer (CA), Validity, Subject, Subject Public Key Info, Extended Attributes (e.g. Email, Address, Job Position), CA Digital Signature
- Defines the binding between an identity and a unique public key
- Belongs to an individual or a system
- Digitally signed by a Certification Authority (CA)
- Unique with respect to CA and serial number
- Contains the public part of a cryptographic key pair
- The private key is NOT included and has to be stored in a secure place
- The SAP Passport is compliant with X.509

Where does the Trust come from?
Three parties are involved:
1. "I do have this public key and my name is Ann!" (Ann, holding the private key)
2. "I checked her, she is really Ann!" (Registration Authority)
3. "O.k., Ann, here is your certificate!" (Certification Authority)

Trust in SAP Solutions / SAP Community
Use of existing trust relationships!
1. "I do have this public key and my name is Ann!" = Employee (holding the private key)
2. "I know her, Ann works with me!" (Registration Authority) = Customer (Enterprise Portal)
3. "O.k., Ann, here is your SAP Passport!" (Certification Authority) = SAP Trust Center Services

SAP Passports - Positioning
- Focus on user authentication and Single Sign-On
  - step-up migration from passwords
  - user registration delegated to the customer
- Easy certificate enrollment
  - certificate request authorized by the customer's IT infrastructure (SAP solution)
- Software-based browser certificates
  - users may have several certificates (with the same subject name), e.g. PC, laptop, ...
  - protection of private keys depends on the OS and Web browser
- Hardware-based certificates
  - to enhance security, hardware tokens can be used
- Globally unique digital identity (SAP Passport)
  - users can identify themselves on the Intranet and on the Internet (Marketplace)

SAP Trust Center Services
- Strong focus on an easy enrollment process
- SAP solutions contain an RA (Registration Authority)
- Zero client installation (when using software-based certificates)
- Support of hardware tokens (for creation and storage of certificates) to enhance the level of security
- SAP Trust Center Services are free of charge for SAP customers
- An additional contract between customer and SAP is needed

Authentication Process: Digital Certificates
User Authentication
- The user presents his certificate to the Web server during the SSL handshake
- The Web server verifies the user certificate and that the user possesses the corresponding private key
User Mapping
- The Portal Server extracts user information from the certificate
- Mapping of portal users to enterprise application users
(Figure labels: X.509 Certificate, SSL, Portal Server, Extract User Information, User ID Mapping, Corporate LDAP Directory, Portal LDAP Directory, Logon Ticket)

Secure Communication: Between Client and Portal
- Secure, encrypted communication between client and Portal Server
- Support of the industry-standard security protocol Secure Sockets Layer (SSL)
- Confidentiality, authenticity, integrity
(Figure labels: X.509 Certificate, SSL, Portal Server)

Secure Communication: Between Portal and Application Servers
- Secure Sockets Layer (SSL): if HTTP is used to call the application
- Secure Network Communications (SNC): if SAP-specific protocols such as DIAG and RFC are deployed
- SSL/SNC services: confidentiality, authenticity, integrity
(Figure labels: Portal Server, SSL/SNC Services, HTTP, RFC, SNC, SAP, SSL, 3rd Party System)

SAP Passport Enrollment Process with mySAP Enterprise Portal
(Parties: Enterprise Portal, Registration Authority, SAP Trust Center Services)
1. Log on using user ID and password and initiate the SAP Passport request
2. Specify naming convention and trigger key generation
3. Generate keys and send the SAP Passport request
4. Send the approved request
5. Verify naming conventions and issue the certificate
6. Log on using the SAP Passport

Prerequisites for Using X.509 Client Certificates
For this scenario, your system must meet the following prerequisites:
- Set up the Registration Authority in SAP Enterprise Portal 5.0 (available as of SP3). The Registration Authority is currently not available in SAP Enterprise Portal 6.0.
- Users have obtained valid SAP Passports (X.509 client certificates) from SAP Trust Center Services.
- The Portal Web server is configured to communicate using SSL.
- The Portal Web server is configured to accept client certificates.
- The Portal Web server is configured to trust the Certification Authority (CA) that issued the user certificates.
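The verification and user-mapping steps described above (certificate checked against the trusted CA, then the subject used as the portal user ID), as an added Go example that is not part of the presentation or of any SAP product. Proof of private-key possession happens in the SSL handshake and is outside this snippet; the CA named "Constructed Trust Center CA", the user "Ann" and the look-alike issuer are all constructed fixtures, and the rejected look-alike shows why the portal must trust only the CA that actually issued the passports.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error: the fixtures below are constructed, so any failure is a bug.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// sign issues tmpl under parent with the signer's private key (parent == tmpl self-signs a CA).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}
// MapUser is the portal's user-mapping step, run after the SSL handshake has proven key possession:
// the certificate must chain to a trusted CA and allow client authentication; only then is its CN used.
func MapUser(cert *x509.Certificate, roots *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}
// BuildScenario constructs a CA standing in for SAP Trust Center Services, a passport for "Ann"
// issued by it, and a look-alike passport for "Ann" from a CA with the same name but another key.
func BuildScenario() (roots *x509.CertPool, passport, lookalike *x509.Certificate) {
	now := time.Now().Add(-time.Minute)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Trust Center CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	annTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Ann"},
		NotBefore: now, NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	tcKey, rogueKey, annKey := newKey(), newKey(), newKey()
	tc := sign(caTmpl, caTmpl, &tcKey.PublicKey, tcKey)          // the CA the portal is configured to trust
	rogue := sign(caTmpl, caTmpl, &rogueKey.PublicKey, rogueKey) // same name, different key: not trusted
	roots = x509.NewCertPool()
	roots.AddCert(tc)
	return roots, sign(annTmpl, tc, &annKey.PublicKey, tcKey), sign(annTmpl, rogue, &annKey.PublicKey, rogueKey)
}
```

In a real deployment the CN returned by MapUser is the key for the lookup against the corporate and portal LDAP directories shown in the figure, not the final authorization decision.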
SAP Solutions with Registration Authority
- SAP EP as of EP 5.0 (SP3); EP 6.0 does not yet include a Registration Authority
- SAP Workplace
- SAP Web Application Server + SAP ITS
Most current SAP solutions have an RA included and can be used to deploy SAP Passports

Scenarios of Usage - example
(Figure labels: INTRANET, SAP Enterprise Portal, SW based certificate, Hardware based certificate, INTERNET, SAP Service Marketplace http://service.sap.com)

Scenarios of Usage
- Support of software-based certificates
- Support of hardware-based certificates -> to raise the level of security
- Easy enrollment process in both scenarios
- Broad usage of SAP Passports via Intranet and Internet
  - in SAP solutions
  - on a business partner's Enterprise Portal
  - on any marketplace over the Internet (if X.509 certificates are supported, e.g. SAP Service Marketplace)

SAP Passports on SAP Service Marketplace
- SAP Service Marketplace supports the usage of SAP Passports
  - Single Sign-On (numerous Web servers are available due to logon balancing)
  - Easy and secure logon using SAP Passports
- Usage of the "customer's" SAP Passport (already used in a customer's solution)
  - Mapping of the "customer's" SAP Passport to the existing user ID
  - Only one client certificate is needed
- Issue of an SAP Passport for Service Marketplace users
  - The Registration Authority is located in SAP Service Marketplace

SAP Passport - How to get started
(Parties: company that wants to use SAP Trust Center Services, Registration Administrator, Users)
1. Requests for Terms and Conditions
2. SAP sends contract
3. Customer nominates the Registration Administrator
4. Customer signs the contract
5. Customer sends CR to SAP
6. SAP returns signed RA certificate
7. SAP Passports can be used

How to use SAP Passports
1. Customer wants to use SAP Passports and requests the Terms and Conditions (http://service.sap.com/tcs -> request for proposal, or mailto:security@sap.com)
2. SAP sends the Terms and Conditions to the customer
3. Customer nominates a Registration Administrator
4. Customer sends the signed contract to SAP
5. Customer sends the Certificate Request (for the RA) to SAP (via Service Marketplace or SAP Net R/3 Frontend, component BC-SEC)
6. SAP returns the signed certificate to the customer, which is imported into the Registration Authority
7. The customer can set up the RA and start the enrollment of SAP Passports
For testing of SAP Passports no contract is necessary

Why is a contract needed to use SAP Passports?
- SAP wants to earn money? -> No, this service is free of charge for SAP's customers
- SAP wants to raise the trustworthiness of SAP Passports
  - Registration of users (mapping of person to public key) is done on the customer side (within the SAP solution)
  - A Registration Administrator is nominated to administer the SAP system; they are the person responsible for authorizing SAP Passport requests
  - The customer confirms that security rules are applied in their company
- A contract ensures:
  - a high and common level of trustworthiness for SAP Passports
  - the basis of the SAP Trust Community

Summary
- SAP Trust Center Services enable collaborative business
- SAP Trust Center Services offer a high level of security ... combined with high usability
- Automatic processes help to reduce costs
- SAP Passports are free of charge and ready to use
More related information can be found here: http://service.sap.com/tcs