SSF Users Guide 46D en PDF
SSF Users Guide 46D en PDF
SSF Users Guide 46D en PDF
Digital Signatures
User's Guide
HELP.BCSECDISI
Release 4.6A
®
SSF User's Guide
Copyright
Copyright
Icons
Icon Meaning
Caution
Example
Note
Contents
Contents
Purpose
Secure Store and Forward (SSF) [SAP Library] mechanisms provide you with the means to
secure data and documents in SAP Systems as independent data units. By using SSF
functions, you can "wrap" data and digital documents in secure formats before they are saved
on data carriers or transmitted over (possibly) insecure communication links. The data must
not remain within the SAP System; if you save the data in a secure format in the SAP System,
then it remains in its secured format even if you export it out of the system.
SSF mechanisms use digital signatures [Page 4] and digital envelopes [Page 4] to secure
digital documents. The digital signature uniquely identifies the signer, is not forgeable, and
protects the integrity of the data. Any changes in the data after being signed result in an invalid
digital signature for the altered data. The digital envelope makes sure that the contents of
data are only visible to the intended recipient(s).
The SSF mechanisms are useful in those application areas where an increased level of
security exists pertaining to:
• The specific and unique identification of persons or components (for example, in work
flow processes)
• Non-repudiation or proof of obligation (for example, when signing paperless contracts)
• Authenticity and integrity of data (for example, saving audit logs)
• The sending or storing of confidential data
By using the SSF mechanisms in SAP applications, you can replace paper documents and
handwritten signatures with automated work flow processes and digital documents that are
secured with digital signatures and digital envelopes.
Implementation Considerations
SSF mechanisms are available in SAP Systems as of Release 4.0.
You use the SSF mechanisms if you are using an application in the SAP System that has
implemented digital signatures or digital envelopes.
There are a number of applications that currently use the SSF mechanisms to provide data
protection, for example:
• Production Planing - Process Industry
• Product Data Management
• SAP ArchiveLink - SAP content server HTTP interface 4.5
With time, more and more applications will use SSF for their security purposes.
Constraints
Third-Party Security Product
SSF requires the use of a third-party security product to provide its functions. As the default
provider, we deliver the SAP Security Library (SAPSECULIB) [Page 12] with SAP Systems.
The SAPSECULIB, however, is limited to providing digital signatures only. For digital
envelopes, encryption, or crypto hardware (for example, smart cards or crypto boxes), you
need to use a SAP-certified external security product. For a product to be certified by SAP, it
needs to support the PKCS#7 standard data format. For information on supported products,
see the SAP Complementary Software Program (http://www.sap.com/csp).
Public-Key Infrastructure
To effectively use the SSF mechanisms, you need to have an established public-key
infrastructure (PKI) [Page 4]. The PKI makes sure that you can validate and trust the digital
signatures, certificates, and Certification Authorities (CAs). A PKI is often, although not
necessarily, supported by the external security products that are available on the market.
Although SAP Systems do not provide a PKI directly, they do support PKIs provided by
various security products.
Depending on the security product that you use, you can establish the use of a PKI in one of
many ways. You may want to create your own PKI and CA that you link to your customers, or
you and your customers may want to agree on a common Trust Center. A common Trust
Center is another third-party instance that both you and your customers can trust to validate
and authenticate your PKI participants. Using a common Trust Center can solve many of the
currently open questions regarding the establishment of a PKI.
SSF uses an external security product to execute the functions for using digital signatures and
encryption in SAP Systems. To communicate with the external security product, the SAP
System needs to be able to access the product and its information. Therefore, the following
system infrastructure is necessary for using the SSF functions:
• Communication interface to the security product:
To communicate with the external security product on the front ends, the SAP
System uses the SSF RFC (Remote Function Call) server program ssfrfc.exe.
On the application server, the communication interface is included in the SAP
system kernel.
• Access to product-specific information:
The SAP System must also be able to access the product-specific information (for
example, the location of the library and the algorithms that the product uses). On
the front ends, this information needs to be located in either environment variables
or in the SSF initialization file ssfrfc.ini. On the application servers, this
information is contained in either profile parameters or environment variables.
• User SSF information:
In addition, the users that participate in the public-key infrastructure must also be
correctly maintained in the SAP System.
See the diagram below.
SSF_LIBRARY_PATH
SSF_MD_ALG
Security Product Infos SSF_SYMENCR_ALG
SSF_LIBRARY_PATH
SSF_MD_ALG User SSF Information
SSF_SYMENCR_ALG (in R/3 user address
information)
User SSF Information User X CN=UserX,O=SAP,C=DE
(determined by the
security product)
User X CN=UserX,O=SAP,C=DE
We describe the administration tasks necessary to establish this infrastructure in the rest of
the topics that follow.
Before performing the SSF administration tasks, you should be familiar with the following
terms and abbreviations:
• Certification Authority
A third-party instance that issues public-key certificates. The role of the
Certification Authority (CA) is to guarantee the identity of the certificate owner.
• credentials
User or component-specific information that allows the user or component to
access his or her security information. The credentials may be located, for
example, in a protected file in the file system. They often have a limited life span.
For example, the credential file for a user may be created when the user logs on to
the security product and deleted when he or she logs off.
• digital signature
Security mechanism for protecting digital data.
The digital signature serves the same function for the processing of digital data as
the handwritten signature serves for paper documents. It's purpose is to guarantee
that the individual (or component) that signs a digital document really is who he or
she claims to be. It also protects the integrity of signed data; if even one bit in
either the signed data or in the signature is changed, then the signature is invalid.
The digital signature is based on public-key cryptography. Each signer is provided
with a unique key pair consisting of a private key and a corresponding public key.
The signer creates his or her digital signature by using his or her private key. He or
she distributes the public key as desired. Recipients of signed data use the signer's
public key to verify his or her digital signatures.
For example, in electronic commerce, paperless contracts are closed without using
handwritten signatures.
• digital envelope
Type of security that protects a message from being viewed by anyone other than
the intended recipient(s).
A digital envelope is created using hybrid encryption. First, the message itself is
encrypted using symmetric encryption (meaning that the same key is used to
encrypt and decrypt the message). This key is then encrypted using public-key
encryption and sent or saved with the encrypted message. Only the intended
recipient of the message can decrypt the key that was used to encrypt the original
message, and therefore, decrypt the message.
• Personal Security Environment (PSE)
Secure location where a user or component's public-key information is stored. The
PSE for a user or component is typically located in a protected directory in the file
system or on a smart card. It contains both the public information (public-key
certificate and private address book) as well as the private information (private
key) for its owner. Therefore, only the owner of the information should be able to
access his or her PSE.
For example, the SAP Security Library (SAPSECULIB) stores the application
server's information in a PSE. In this case, the PSE contains both the private
address book for the SAP System as well as the SSF profile.
See also:
SAP library:
• BC - Security → Secure Store & Forward / Digital Signatures → Public-Key Technology
[SAP Library]
There are certain administration tasks involved when using the SSF functions. For example, if
you use an external security product, you need to install the product on all of the components
where the SSF information is needed. You also need to maintain the users who are to use the
digital signatures and digital envelopes.
The topics in this section describe the administrative tasks involved with using SSF in SAP
Systems. Administrative and maintenance tasks that apply to the SAPSECULIB are also
included. For information on tasks that apply to an external security product, you need to refer
to the security product's documentation.
See the following:
• For the standard installation tasks when using an external security product, see the
topics under Using SSF with an External Security Product [Page 7]:
− Installing/Configuring SSF: Front Ends [Page 8]
− Installing/Configuring SSF: Application Server [Page 9]
− Maintaining User SSF Information [Page 10]
• If you have maintained user SSF information in Release 4.0 or 4.5 and have upgraded
to a later release, then see the section Upgrading User SSF Information from Release
4.0/4.5 [Page 12].
• If you use different security products for different applications, then see the sections
Defining Default SSF Information for Applications [Page 17] and Maintaining
Application-Specific Information [Page 18].
• If you use the default security provider SAPSECULIB (digital signatures only), then you
do not need to perform any installation and configuration tasks. For information on the
SAPSECULIB, see the section Using the Default SSF Security Provider SAPSECULIB
[Page 12].
• To test the SSF installation, see Testing the SSF Installation [Page 20].
When using an external security product for providing digital signature and encryption support
in SAP Systems, you need to install and configure SSF on each of the frontend computers
(see Installing/Configuring SSF: Front Ends [Page 8]) and on the application servers (see
Installing/Configuring SSF: Application Server [Page 9]). On the front ends, you can specify
the SSF parameter values either in environment variables or in the SSF initialization file
ssfrfc.ini. On the application servers, you can use either profile parameters or
environment variables.
You can only use environment variables to define the SSF parameters as of
Release 4.5.
You also need to maintain user SSF information [Page 10] on the application server.
To test your SSF installation, see Testing the SSF Installation [Page 20].
1. Install the security product on each frontend computer where SSF functions are to be
used. Note the name and location of the security product's library.
SSF Parameters
Note that the parameter SSF_LIBRARY_PATH must contain both the path and
the filename of the SSF library.
1. Install the security product on each application server. Note the name and location of
the security product's library.
As of Release 4.5B, you can install up to three different security products. This
may be necessary if different applications use different security products.
Therefore, each product uses its own profile parameter set. Define the
parameters for the number of security products that you use. See also
Maintaining Application-Specific Information [Page 18].
The table below shows the application server profile parameters.
When an application server is started, the system always loads the security
product SAPSECULIB and assigns its information to the next available
ssf<x>/... parameter set.
As default, the system searches for the SAPSECULIB library (libssfso) in
the directory specified by the profile parameter DIR_LIBRARY. If necessary,
you can specify a different file name and location of the SAPSECULIB library
in the corresponding ssf<x>/ssfapi_lib parameter (or in the environment
variable SSF<x>_LIBRARY_PATH). If you do, then make sure that the
corresponding parameter ssf<x>/name (or environment variable
SSF<x>_NAME) contains the name SAPSECULIB.
3. To record SSF activites for trace functions, set the SSF_TRACE_LEVEL environment
variable to one of the following values:
The system records the trace information in the file dev_ssf<#> (where # is a
number assigned to each trace file).
4. Perform any application-specific tasks that may be required. Refer to the application's
documentation for more information.
Depending on your release, you need to maintain user SSF information in different ways.
• Release 4.0/4.5
In Release 4.0, you need to use the Customizing activity Maintain SSF-Information
for the User (Transaction O07C) to enter the user SSF information. See also:
− Information Specific to Release 4.0/4.5 [Page 29]
• Release 4.6 and higher
As of Release 4.6, you maintain the information in the standard user address
information. See:
− Maintaining User SSF Information: Release 4.6+ [Page 11]
• Upgrading from Release 4.0/4.5
If you have upgraded to Release 4.6 and have previously maintained user SSF
information with Transaction O07C, then you need to use the Customizing activity
Upgrade User SSF Information from Release 4.0/4.5 to migrate the SSF
information to the user address information. See also:
− Upgrading User SSF Information from Release 4.0/4.5 [Page 12]
Use
As of Release 4.6, the user SSF information is included in the standard user address
information.
To maintain the user SSF information, use the appropriate transaction as shown in the
following table:
Prerequisites
The security product has been installed and SSF has been configured on the application
server (see Installing/Configuring SSF: Application Server [Page 9]).
The location of the SSF RFC server program ssfrfc also needs to be defined as the RFC
destination SAP_SSFATGUI in Transaction SM59.
Procedure
1. Call one of the user address maintenance transactions.
2. In the user address information, choose Other communication.
3. Select the Communication type SSF.
4. Enter the following SSF information in the appropriate fields:
You can only maintain those fields that are available by the maintenance
transaction (see the column Available with Transaction in the table above).
Fields that are not applicable are not displayed. For example, the office
administrator, who uses Transaction SO12, cannot change the individual SSF
profile for a user.
5. Save the data.
In Release 4.6, we moved the user SSF information maintenance to the standard user
address maintenance. In the Releases 4.0 and 4.5, the user SSF information was stored in the
table TC70, and as of Release 4.6, the information is stored in the table ADR11.
If you have maintained user SSF information in either Release 4.0 or 4.5 and need to upgrade
to a later release, then see the Customizing activity Basis Components → System
Administration → Digital Signatures → Upgrade User SSF Information from Release 4.0/4.5.
This activity runs the report RSADRTC70TOADR11, which moves the user SSF information
from table TC70 to ADR11.
Note that this activity is client independent. It transfers the SSF information for users in all of
the SAP System clients.
We deliver SAP Systems with the default SSF security provider SAPSECULIB. The
SAPSECULIB provides functions for creating and verifying digital signatures used within the
SAP System. It does not provide support for digital envelopes, smart card authentication, or
crypto hardware. For complete SSF support, you need to use an external security product.
Normally, you do not have to perform any administrative tasks when using the SAPSECULIB
as the security provider. However, the information contained in the following topics may be
helpful in the case of problems or when monitoring the status of the SAPSECULIB
components.
Definition
The SAP Security Library (SAPSECULIB) is the default security provider for the SSF
mechanisms.
Use
The SAPSECULIB provides the functions for creating and verifying digital signatures within
SAP Systems.
Integration
The SAPSECULIB is included as part of the standard SAP System installation. During the
installation process, the system uses the SAPSECULIB to generate a Personal Security
Environment (PSE) [Page 4] for each application server, called the system PSE [Page 4]. The
application server can then use the information contained in the PSE to digitally sign
documents and verify other components' digital signatures.
In Release 4.5A, the system generates an individual system PSE for each
application server.
As of Release 4.5B, the system generates a single system PSE and distributes
it to all of the application servers.
The system PSE is created during the installation process and located in the following file in
the directory <instance directory>/sec:
• Release 4.5A SAPSECU.pse
• as of Release 4.5B SAPSYS.pse
When you upgrade from Release 4.5A to a later release, the system creates a
new system PSE with the name SAPSYS.pse, but does not remove or rename
the file SAPSECU.pse. Keep in mind that the system may need access to the
old PSE to verify digital signatures that were created before the upgrade.
Each time an application server is restarted, the system automatically makes sure that the
subdirectory sec exists and contains the system PSE for the server. In Release 4.5, if no
system PSE is found at system start, then the system automatically generates a new one. As
of Release 4.6, if a system PSE exists, then the system distributes the system PSE to the
application server. If no system PSE exists in the database, then the system generates a new
one for use by all of the application servers.
If you need to generate a new PSE for an application server after the installation process has
already been completed, then see the topic Maintaining the System PSE [Page 15].
Use
The system PSE maintenance is available as of Release 4.5B.
Use the PSE maintenance to maintain and monitor the system PSEs. You can perform the
following functions:
• Generate a new system PSE and distribute it to the application servers.
• Import a local PSE and distribute it as the system PSE to all application servers.
• Change the PIN (Personal Identification Number) that protects the system PSE.
• Create credentials [Page 4] for the system PSE.
Procedure
1. To access the PSE maintenance, use the Transaction PSEMAINT.
The PSE Management screen shows the status of all of the application servers'
PSEs.
The following statuses are possible:
− RFC
The status of the RFC connection to the application server can be one of the
following:
• ok
• contained errors
• in waiting
− PSE Status
The PSE and SSF status can be:
• PSE & SSF OK
This status indicates that a system PSE for the application server has been
installed and accessible.
• SSF error
This status indicates that an external security product has been installed
and that a system PSE exists on the application server; however, the
system PSE can not be accessed. The most common cause of this error is
that no credentials exist on the application server. Use the function Create
credentials to correct this error.
• PSE error
This error indicates that the version of the PSE on the application server
does not coincide with the version that is stored in the database. Use
Create PSE or Import PSE to correct this error.
2. Place the cursor on the application server where you want to execute the given
function and choose the corresponding menu option.
The following table shows the functions you can perform:
Use
Use this procedure to define a default set of SSF information to use for applications instead of
the system defaults.
The following table shows the system defaults.
Prerequisites
The name and location of the product's library must be specified in the profile parameter
ssf<x>/ssfapi_lib. The product's name must be defined in the profile parameter
ssf<x>/name.
Procedure
In the procedure Maintaining Application-Specific Information [Page 18], create or change the
Default entry in the Application dropdown list.
Result
The system uses the values that you specify in the Default entry as defaults for the SSF
information instead of the system defaults.
Use
Use this procedure to specify application-specific information, for example, if you use more
than one security product for using the SSF functions, or if you use the same product but
different SSF profiles [Page 4] or private address books [Page 4] for different applications.
For example, if you use the ArchiveLink II HTTP content server 4.5 interface,
which uses the SAPSECULIB as the security provider for signing archive
requests, and you use an external security product for creating digital
signatures in a different application, then you need to specify SSF information
for each application.
Prerequisites
The security products have been installed on each application server.
The SSF profile parameters (or environment variables) ssf<x>/name and
ssf<x>/ssfapi_lib contain the names of the security products and the names and
locations of the products' libraries.
Procedure
1. Call the Transaction SSFA to access the SSF information for specific applications.
If only one entry exists, the system displays the entry. Otherwise, it displays a table
containing all existing entries.
2. If an entry for the application already exists and you want to change it, select it and
choose Goto → Detail. Otherwise, to create an entry:
a. Choose Edit → New entries.
b. Select the application name from the dropdown list and press Return. (Choose or
create the entry Default to create a default entry for applications. See Defining
Default SSF Information for Applications [Page 17] for more information.)
The system displays the maintenance screen for the entry.
The information that you can maintain for an application is defined by the
application. Therefore, only those fields that are necessary for the application
are displayed.
If you leave a field blank, then the application uses the default value. The
default value is determined either in the default entry, or, if no default entry has
been defined, then the defaults are the system defaults. (See Defining Default
SSF Information for Applications [Page 17] for more information.) The currently
defined defaults are displayed in the lower section of the maintenance screen.
4. Select with certificate if:
a. Users' or components' certificates should be included with their digital signatures,
or
b. Certificates are to be used to verify digital signatures.
5. Select only dig. signature if the data that is signed is not to be included with the digital
signatures.
6. Save the data.
Use
After installing SSF, you can use the reports SSF01 and SSF02 to make sure that the security
product has been installed correctly. Use SSF01 to test the frontend installation and SSF02 to
test the installation on the application server.
Procedure
1. Call Transaction SE38.
2. Enter SSF01 in the Program field to test the SSF installation on the front ends; enter
SSF02 to test SSF on the application server.
3. Choose Program → Execute → Direct.
The system displays a selection field of possible functions that you can test.
4. Select the Version function.
5. If you want to test the version for a specific security product, enter the product's name
(as specified in the profile parameter ssf<x>/name) in the field Security product in the
Further options group.
The other options and fields are not relevant for this test.
6. Choose Program → Execute.
The system displays the results of the test. If the test was successful, then it
displays the return code SSF_API_OK and version information about the security
product. On the front end, it also displays the version of the SSF RFC server
program. If the system encountered an error, it displays the error information.
If you use the SAPSECULIB as the security provider, then the test on the front
end (report SSF01) will produce an error code. (SAPSECULIB is only installed
on the application server.)
SSF Parameters
SSF Parameters
The following parameters define the SSF configuration on the front ends and on the
application servers:
SSF Parameters
Parameter Description
SSF_LIBRARY_PATH [Page 24] Path and filename of the SSF library
SSF_MD_ALG [Page 24] Message Digest Algorithm
SSF_SYMENCR_ALG [Page 25] Symmetric Encryption Algorithm
SSF_TRACE_LEVEL [Page 26] Trace level for Recording SSF activities
SSF_NAME [Page 26] (as of Release 4.5B) Name of the security product
(application server only)
See the documentation on the individual parameters for their complete descriptions and
default values.
SSF Parameters
Note however, that you can only install multiple security products on the
application servers. You can only configure a single product on the front ends.
The SAP ArchiveLink II HTTP content server 4.5 interface uses the
SAPSECULIB as the security provider to create digitial signatures. In Quality
Management, an external security product <product> is used for signing
inspection lots. This product also uses a different hash algorithm for creating
digital signatures than the SAPSECULIB. The following application server profile
parameter definitions specify different values for each of these applications.
Product: SAPSECULIB
Parameter Value
ssf/ssfapi_lib Name and location of the SAPSECULIB library libssfso
ssf/name SAPSECULIB
ssf/ssf_md_alg MD5
Product: <product>
Parameter Value
ssf2/ssfapi_lib Name and location of the product's library
ssf2/name <product>
ssf2/ssf_md_alg SHA1
In addition, use Transaction SSFA to specify the <product> for the application quality
certificate handling. See Maintaining Application-Specific Information [Page 18] for
more information.
We describe the individual parameters in the topics that follow.
SSF_LIBRARY_PATH
SSF_LIBRARY_PATH
You can only define the parameters for additional products on the application
servers.
SSF_MD_ALG
SSF_MD_ALG
You can only define the parameters for additional products on the application
servers.
SSF_SYMENCR_ALG
You can only define the parameters for additional products on the application
servers.
SSF_TRACE_LEVEL
SSF_TRACE_LEVEL
You can only define the parameters for additional products on the application
servers.
In addition, SSF_TRACE_LEVEL is not defined as a profile parameter on the
application server. You can only specify its value with the environment
variable.
SSF_NAME
SSF_NAME
You can only define the parameters for additional products on the application
servers.
SSF_NAME is also only defined on the application server.
Definition
File that contains the SSF configuration on the frontend computers.
Use
You can use the SSF initialization file to configure the SSF parameters on the front ends.
As of Release 4.5, you can use either the SSF initialization file or environment
variables.
Syntax
The format for entering each parameter in the file is a line entry with the following syntax:
<SSF parameter>=<parameter value>
Certain maintenance tasks and SSF information has changed between the Releases 4.0, 4.5,
and 4.6. The user SSF information maintenance has moved to user address maintenance and
the use and syntax of the SSF initialization file has changed. See the following topics for more
information:
• Maintaining User SSF Information: Release 4.0/4.5 [Page 29]
• The SSF Initialization File in Release 4.0 [Page 30]
Prerequisites
The security product has been installed and SSF has been configured on the application
server (see Installing/Configuring SSF: Application Server [Page 9]).
The location of the SSF RFC server program ssfrfc also needs to be defined as the RFC
destination SAP_SSFATGUI in Transaction SM59.
Procedure
1. In Customizing for System Administration, choose Management of External Security
Systems → Secure Store and Forward (SSF) → Maintain SSF-Information for the
User (Transaction O07C).
2. Modify an existing entry by selecting the entry and choosing Goto → Details, or create
a new entry by choosing New entries.
The Change View "Digital signature: SSF information about user": Details screen
appears.
3. Enter the corresponding values:
S/R name SSF Signer/Recipient name The syntax of this name is determined
by the security product that you use.
Namespace Namespace where the user's For example, the user's information
information is valid. may be stored on a smart card, in a
(Release 4.0 only) local directory, or an X.500 directory.
See the input help (F4) for possible
entries.
Prof.name Profile name Specifies the profile where the user's
security information is stored. The
value of this parameter is determined
by the security product that you use.
This topic explains the few differences that you need to consider when using the SSF
initialization file in Release 4.0. See the topic The SSF Initialization File [Page 28] for general
information on using the file.
Index
Index