
SAP Trust Center Services

CERTIFICATE POLICY
OF THE SAPROUTER CERTIFICATE
Version 1.0

Copyright 2001 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. All information in this document is compiled with great care. Neither SAP AG nor the author are liable for any damages or disservice, that are in connection with the use of this document. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, WINDOWS, NT, EXCEL, Word, PowerPoint and SQL Server are registered trademarks of Microsoft Corporation. IBM, DB2, OS/2, DB2/6000, Parallel Sysplex, MVS/ESA, RS/6000, AIX, S/390, AS/400, OS/390, and OS/400 are registered trademarks of IBM Corporation. ORACLE is a registered trademark of ORACLE Corporation. INFORMIX-OnLine for SAP and Informix Dynamic Server™ are registered trademarks of Informix Software Incorporated. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, the Citrix logo, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, MultiWin and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc. HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. JAVA is a registered trademark of Sun Microsystems, Inc. JAVASCRIPT is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.

SAP AG
Neurottstraße 16
69190 Walldorf
Germany
T +49/1805/34 34 24
F +49/1805/34 34 20
www.sap.com

CONTENTS

1 Introduction
  1.1 Overview
  1.2 Community and Applicability
    1.2.1 Service Marketplace Root CA (SMP Root CA)
    1.2.2 SAProuter Certification Authority (SAProuter CA)
    1.2.3 Subscriber
    1.2.4 Registration Authority (RA)
    1.2.5 Applicability
  1.3 Contact Details
2 General Provisions
  2.1 Obligations
    2.1.1 SAProuter CA obligations
    2.1.2 RA obligations
    2.1.3 Subscriber obligations
  2.2 Publication of SMP Root CA information
  2.3 Types of information to be kept confidential
3 Identification and Authentication
  3.1 Initial Registration
    3.1.1 Types of names
    3.1.2 Authentication of Subscriber
4 Operational Requirements
  4.1 Application for SAProuter-Certificate
  4.2 Certificate Issuance for SAProuter
  4.3 Security Audit Procedures
  4.4 Records Archival
  4.5 Compromise and Disaster Recovery
  4.6 SAProuter CA Termination
5 Physical, Procedural and Personnel Security Controls
  5.1 Physical Security Controls
  5.2 Trusted roles
6 Technical Security Controls
  6.1 SAProuter CA
  6.2 SAProuter
  6.3 Key sizes
  6.4 Private Key Protection
  6.5 Other aspects of Key Pair Management
    6.5.1 Public Key archival
    6.5.2 Usage periods for the public and private keys
  6.6 Computer Security Controls
7 Specification Administration
8 Certificate Profiles
  8.1 Certificate Profile of the SMP Root CA
  8.2 Certificate Profile of the SAProuter CA
  8.3 Certificate Profile of the SAProuter Certificate
9 Bibliography
  9.1 Abbreviations
  9.2 Glossary
    9.2.1 Certificate Policy (CP)
    9.2.2 Subscriber
    9.2.3 Trust Manager
  9.3 Literature

INTRODUCTION

This document describes the certificate policy (CP) of the SAProuter-Certificate, which is issued by the SAP Router Certification Authority (hereafter called SAProuter CA) at the SAP Trust Center Services (TCS). The SAProuter CA issues SAProuter-Certificates for the SAP routers, in order to authenticate SAP routers during network communication. The SAProuter-Certificate must be used only for the purpose of authentication of the SAProuter. The structure of this policy is broadly based on the international Internet Standard X.509 Public Key Infrastructure Certificate Policy and Certification Practice Statement framework [RFC 2527]. Topics covered in RFC 2527 that are not applicable to this specific policy are not discussed here.

1.1 Overview

The hierarchy of the SAProuter-Certificate Public Key Infrastructure (hereafter called SAProuter-Certificate PKI) is shown in the figure below:

[Figure 1 (diagram): SMP Root CA issues the SAProuter CA-Certificate; SAProuter CA issues the SAProuter certificates R1 ... Rn.]

Figure 1: Hierarchy of the SAProuter-Certificate PKI

The hierarchy of the SAProuter-Certificate PKI consists of two levels: the Service Marketplace Root Certification Authority (hereafter called SMP Root CA) and the SAProuter CA.

1.2 Community and Applicability

The following diagram shows the components that are relevant in the context of this policy:

[Figure 2 (diagram). Labels: SAP's secure Data Center; Self-signed Root CA-Certificate; SMP Root CA; SAProuter CA; RA for SAProuter CA; SAP-Service Marketplace; End User Subscriber (Browser). Steps: Log on and send generated public key with certificate request; 2 Send approved certificate request; 3 Subscriber pulls certificate.]

Figure 2: Components of the SAProuter CA

1.2.1 Service Marketplace Root CA (SMP Root CA)

The SMP Root CA issues its Root CA-Certificate itself and is therefore used as the trust anchor. The SMP Root CA issues and manages the SAProuter CA-Certificate. Trust Center Services of SAP AG will operate the SMP Root CA.

1.2.2 SAProuter Certification Authority (SAProuter CA)

The SAProuter Certification Authority issues and manages SAProuter-Certificates for the SAProuters of SAP Trust Center's internal and external customers on request. The SAProuter CA will be operated by SAP AG.

1.2.3 Subscriber

The subscribers of this policy are the authorized system administrators of the SAP Trust Center's internal and external customers all over the world, who want to use their SAProuters in a secure medium. The SAProuter CA will issue the authentication certificates of SAProuters. The subscribers use these SAProuter-Certificates for authentication during network communication with SAProuters.

1.2.4 Registration Authority (RA)

The Registration Authority (RA) of the SAProuter CA is situated in the SAP Service Marketplace infrastructure. Each RA possesses an RA-Certificate issued by mySAP.com Workplace CA (for detailed information refer to [CP: RA-Certificate02]). The RA of the SAProuter CA will be operated by SAP AG.

1.2.5 Applicability

The SAProuter-Certificates can be used only for SAProuter authentication during secure network communication.

1.3 Contact Details

The department of Global Solution Services of SAP AG, Germany, operates the SAProuter CA of the SAP Trust Center Services.

SAP AG
Global Solution Services
Trust Center Services
Raiffeisenring
68789 St. Leon-Rot
Germany
E-Mail: security@sap.com
URL: http://service.sap.com/TCS

GENERAL PROVISIONS

2.1 Obligations

2.1.1 SAProuter CA obligations

The SAProuter CA has the following obligations:
- The SAProuter CA verifies the signature of the RA, included in the SAProuter certificate request.
- The SAProuter CA issues certificates for SAProuters of SAP Trust Center's internal and external customers on request. These requests must be approved and signed by the RA of the SAProuter CA situated in the SAP Service Marketplace.
- The SAProuter CA is obliged to make available all relevant documents and records to the SAP Trust Center Services on demand for audit purposes.

2.1.2 RA obligations

The RA has the following obligations:
- The RA validates and confirms the correctness of the applicant's identity, legitimacy and data to apply for the SAProuter-Certificate.
- The RA also verifies the Distinguished Name contained in the certificate request.
- The RA is also authorized to reject a SAProuter-Certificate-Request, e.g. if the applicant is not entitled to the SAProuter-Certificate or the given distinguished name is incorrect.
- The RA is obliged to follow rules and regulations given by the SAP Trust Center Services.

2.1.3 Subscriber obligations

The subscriber has the following obligations:
- The subscriber (here authorized system administrator of SAProuter) generates its own key pair.
- After generating the key pair, the requestor of the SAProuter-Certificate (here authorized system administrator) must securely send the public key within the certificate request to the RA.
- The subscriber must include necessary information in the certificate request. This is an automated process defined by the application in the SAP Service Marketplace.
- The subscriber must protect its private key from unauthorized use.
- The subscriber is not allowed to distribute keys and certificates for unauthorized use.

2.2 Publication of SMP Root CA information

The fingerprint of the SMP Root CA-Certificate is listed, as an obligation, in SAP's customer magazine SAPinfo.net and on SAP's customer service website (http://service.sap.com/TCS).

Access controls: Only persons responsible for the SAP Trust Center systems have access to the SAProuter CA, in order to prevent unauthorized use.

2.3 Types of information to be kept confidential

The following types of information are kept confidential within TCS:
- SAProuter application record, whether approved or disapproved.
- Created audit trail records.
- Contingency planning and disaster recovery plans.
- Security measures controlling the operations of SAProuter CA hardware and software, and the administration of certificate service.
- Information marked as confidential within the framework of issuing SAProuter-Certificates.

IDENTIFICATION AND AUTHENTICATION

3.1 Initial Registration

The authorized system administrator of the SAProuter does initial registration of the SAProuter (seeking certificate) in the SAP Service Marketplace.

3.1.1 Types of names

All the SAProuter-Certificates issued from the SAProuter CA contain distinguished names based on X.509 Version 3. The RA verifies the conformity of the Distinguished Name to the TCS Naming Conventions.

3.1.2 Authentication of Subscriber

The subscriber authenticates herself to the SMP with her SUser and password. The RA approves the certificate request after confirming the correctness and uniqueness of the distinguished name of the SAProuter (seeking certificate).

OPERATIONAL REQUIREMENTS

4.1 Application for SAProuter-Certificate

In order to get the SAProuter-Certificate, the subscriber must log on and authenticate herself to the SMP. The SMP requests required data (System-ID, Installation-Nr.) for SAProuter from the R/3 system. The R/3 system sends required data to the SMP. The SMP displays an HTML page containing the received data from R/3 system in the browser. The subscriber selects the SAProuter for which the certificate can be issued. The certificate request is generated and sent to the RA.

4.2 Certificate Issuance for SAProuter

After successful identification and confirmation of required data of the SAProuter by the RA, the SAProuter CA can issue the SAProuter-Certificate. If the identification of the SAProuter is unsuccessful, an error message will be displayed in HTML. All certificates begin their operational period on the date of issue.

4.3 Security Audit Procedures

- Audit procedures of the SAProuter CA are performed regularly.
- Depending on the type of records and the frequency with which the relevant activity takes place, audit logs are processed during CA operation.
- Electronic audit logs are protected to maintain their integrity and confidentiality.

4.4 Records Archival

- Records can contain e.g. documentation of actions and information that relate to each certificate request to the creation, issuance, use and expiration of each SAProuter-Certificate and SAProuter CA certificate.
- Any kind of records associated with a SAProuter CA Certificate is retained as per rules and regulations, after the date a certificate is expired.
- The archives containing all important records are protected from unauthorized access.
- As a part of security audit the archive will be checked on integrity, correctness of operations and access control.

4.5 Compromise and Disaster Recovery

The SAP Trust Center Services maintains a disaster recovery plan for the event of a disaster that might threaten the functionality and trustworthiness of SAProuter CA. The disaster recovery plan is reviewed and updated periodically in order to suit the current requirements.

4.6 SAProuter CA Termination

The termination of SAProuter CA is possible. The termination of SAProuter CA will be planned and appropriate notice will be given to minimize disruption to customer and relying parties.

PHYSICAL, PROCEDURAL AND PERSONNEL SECURITY CONTROLS

5.1 Physical Security Controls

The physical security measures taken by SAP TCS are in compliance with industry standard.
- The SAProuter CA of the SAP Trust Center Services is operated in a secure environment at SAP.
- The physical access to the system issuing certificates requires separate access measures.
- The physical access to the system takes place in the presence of at least two authorized persons.
- The SAProuter CA is equipped with backup power systems to ensure continuous, uninterrupted access to electric power.
- The SAProuter CA is equipped with primary and backup ventilation/air conditioning systems to control temperature and relative humidity.
- The SAProuter CA is protected from flooding or other damaging exposure to water.
- The SAProuter CA is protected from fire or other damaging exposure to flames or smoke.
- The storage media of SAProuter CA holding backups of critical system data or any other sensitive information is protected from water, fire or other environmental disasters.
- There is an access control to the storage media in order to prevent unauthorized use and access of sensitive information.
- The waste disposal is handled appropriately in order to prevent unauthorized use of data.
- In case of disaster, backup measures are able to take over functions of SAProuter CA within a short time.

5.2 Trusted roles

A role-based model is implemented in TCS. Only specific employees of SAP (e.g. system administrator, security officer, RA-Administrator) who are authorized in the sense of this role-based model are considered to have access to or control over the SAProuter CA's operations. The role-based model supports the Multiple-Eyes principle, which allows security relevant operations only in the presence of a minimum of two persons.

TECHNICAL SECURITY CONTROLS

6.1 SAProuter CA

- The SMP Root CA generates key pair for the SAProuter CA.
- The SAProuter CA must use only one key pair, which is used only for SAProuter-certificate signing.
- After generation the private key of the SAProuter CA is saved in a secure medium.
- In case of loss, compromise or suspected compromise of the private key of the SAProuter CA, the new key pair will be generated as mentioned above.
- The private key of the SAProuter CA is delivered in a secure medium.

6.2 SAProuter

- The key generation for SAProuter-Certificate takes place in the Trust Manager in the SAProuter.
- The key pair generation for SAProuter-Certificate is done in the Trust Manager in the SAProuter, no delivery to the certificate issuer is required.
- An applicant of the SAProuter-Certificate must deliver the public key for the SAProuter-Certificate securely to the RA (via application in the SAP Service Marketplace).
- The RA signs the certificate request, so that the SAProuter CA can check the integrity of the public key.

6.3 Key sizes

The key lengths are sufficient to protect from conceivable attacks:
- The key pair of SAProuter CA is min. 1024 Bits long.
- The key pair of SAProuter-Certificate is min. 512 Bits long.

6.4 Private Key Protection

- The private key of the SAProuter CA is protected in the Software-Personal Security Environment.
- The private key of the SAProuter has to be protected by the subscriber.
- The private key of SAProuter CA will not be archived after expiry.
- Before the activation of the private key of SAProuter CA the CA-Administrators authenticate to the CA system.
- The activation of the CA's private key requires the participation of multiple trusted personnel.
- Reasonable measures are taken to protect the system physically in order to prevent unauthorized use of the system and associated private key.
- The SAProuter CA is responsible for the deactivation of its own private key.
- The SAProuter CA is responsible for destruction and disposal of its private key, when it is no longer required for active use.
- Deleting the private key from the SAProuter CA's Personal Security Environment will destroy the private key.

6.5 Other aspects of Key Pair Management

6.5.1 Public Key archival

The public key and certificate of the SAProuter CA within the framework of this policy will be archived after it is expired.

6.5.2 Usage periods for the public and private keys

The operational period for key pair is the same as the validity period for the associated certificate. The active lifetime for the SAProuter CA's public and private key is restricted to 10 years.

6.6 Computer Security Controls

To assure computer security of the operating system of the SAProuter CA specific security controls must be implemented. The SAProuter CA is on-line and can be accessed via the Internet using HTTPS only by the RA of the SAProuter CA. The configuration of and access control to the network security devices are strictly controlled and limited to authorized persons only.


SPECIFICATION ADMINISTRATION

This section specifies how this particular certificate policy will be maintained.
- This CP may change from time to time. Any such changes are made only if needed by the TCS. Any changes made in CP will be published as a new version of CP.
- Publication of changes and notices of withdrawal will be made accordingly.
- Only authorized persons of the SAP Trust Center Services must approve this CP and any subsequent changes to it.


CERTIFICATE PROFILES

This section describes certificate profiles of the SAProuter relevant certificates issued by the SAP Trust Center. All certificate profiles in SAP Trust Center Services are based on X.509v3 and PKIX. The certificate must contain the following basic fields and indicated prescribed values or value constraints.

8.1 Certificate Profile of the SMP Root CA

The following table describes certificate profile of the SMP Root CA:

| Field | Constant | Description |
|---|---|---|
| SignatureAlgorithm | SHA-1/RSA; Algorithm OID 1.3.14.3.2.29 | The signature algorithm of the certificate is SHA-1/RSA. |
| Version | Version 3 | This X.509-certificate has version 3. |
| SerialNumber | Serial Number | The serialNumber of the certificate is meant for the identification of the certificate. |
| Signature | SHA-1/RSA; Algorithm OID: 1.3.14.3.2.29 | The signature algorithm used to sign the certificate is SHA-1/RSA. |
| Issuer | CN=SMP Root CA, OU=Service Marketplace, O=SAP, C=DE | The name of the certificate-issuer is SMP Root CA. |
| Validity | NotBefore 18.07.2000; NotAfter 18.07.2010 | This certificate is valid for 10 years. |
| Subject | CN=SMP Root CA, OU=Service Marketplace, O=SAP, C=DE | The certificate holder is SMP Root CA. |
| SubjectPublicKeyInfo | Algorithm = RSA (1024 Bits); Algorithm OID: 1.2.840.113549.1.1.1 | This field contains information about the certificate holder's public key. The RSA public key is 1024 bits long. |
| KeyUsage | (CRITICAL) digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, cRLSign | The key pair can be used to sign certificates. |
| SubjectAlternativeName | URL: http://service.sap.com/TCS | The extension field contains the URL of the SMP Root CA. |
| BasicConstraints | Subject Type=CA; Path Length Constraint=None; Allowed to act as a CA! | This field specifies that the SMP Root CA is allowed to act as CA. |

Table 1: Certificate profile of the SMP Root CA


8.2 Certificate Profile of the SAProuter CA

The following table describes certificate profile of the SAProuter CA:

| Field | Constant | Description |
|---|---|---|
| SignatureAlgorithm | SHA-1/RSA; OID 1.3.14.3.2.29 | The signature algorithm of the certificate is SHA-1/RSA. |
| Version | Version 3 | This X.509-certificate has version 3. |
| SerialNumber | Serial Number | The serialNumber of the certificate is meant for the identification of the certificate. This should be unique for each certificate issued by the CA. |
| Signature | SHA-1/RSA; Algorithm OID: 1.3.14.3.2.29 | The signature algorithm used to sign the certificate is SHA-1/RSA. |
| Issuer | CN=SMP Root CA, OU=Service Marketplace, O=SAP, C=DE | The name of the certificate-issuer is SMP Root CA. |
| Validity | NotBefore 18.07.2000; NotAfter 18.07.2005 | This certificate is valid for 5 years. |
| Subject | CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE | The certificate holder is SAProuter CA. |
| subjectPublicKeyInfo | Algorithm = RSA (1024 Bits); Algorithm OID: 1.2.840.113549.1.1.1 | This field contains information about the certificate holder's public key. The RSA public key is 1024 bits long. |
| KeyUsage | Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment, Certificate Signing, Off-line CRL Signing, CRL Signing | The key pair can be used to sign certificates. |
| IssuerAlternativeName | URL=http://service.sap.com/TCS | This field contains URL of the SAProuter CA. |
| Basic Constraints | Subject Type=CA; Path Length Constraint=None | This field specifies that the SAProuter CA is allowed to act as CA. |

Table 2: Certificate profile of the SAProuter CA


8.3 Certificate Profile of the SAProuter Certificate

The following table describes the certificate profile of the SAProuter certificate:

| Field | Content | Description |
|---|---|---|
| SignatureAlgorithm | Algorithm sha1WithRSAEncryption, NULL | The signature algorithm of the certificate is SHA-1/RSA. |
| Version | Version 3 | This X.509-certificate has version 3. |
| SerialNumber | Serial Number | The serialNumber of the certificate is meant for the identification of the certificate. |
| Signature | Algorithm sha1WithRsaEncryption, NULL; Algorithm OID: 1.2.840.113549.1.1.5 | The signature algorithm used to sign the certificate is SHA-1/RSA. |
| Issuer | CN=SAPRouter CA, OU=SAProuter, O=SAP, C=DE | The name of the certificate-issuer is SAProuter CA. |
| Validity | NotBefore (e.g. 15.07.2002); NotAfter (e.g. 15.07.2003) | The SAProuter certificate is valid for 1 year. |
| Subject | CN=SAProuter Name (e.g. stl-do-all), OU=Customer number (e.g. 0000496345), OU=SAProuter, O=SAP, C=DE | The certificate holder is stl-do-all. |
| SubjectPublicKeyInfo | Algorithm RSAEncryption; Algorithm OID: 1.2.840.113549.1.1.1 | This field contains information about the certificate holder's public key. The RSA public key is 1024 bits long. |
| KeyUsage | Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, keyCertSign, CRLSign | The key pair can be used for authentication. |
| BasicConstraints | CA = 0 | This field specifies that the holder of SAProuter is not allowed to act as CA. |

Table 3: Certificate profile of the SAP Router Certificate
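
The following added example is not part of the SAP policy or of any SAP tool. It shows how a relying party could check already-decoded certificate fields against the SAProuter profile of section 8.3 and the key-size minimum of section 6.3. The dictionary keys, the function names and the digits-only rule for the customer number are assumptions made for this illustration.

```python
import re
from datetime import date

# Constants taken from the SAProuter certificate profile (8.3) and section 6.3.
EXPECTED_ISSUER = [("CN", "SAProuter CA"), ("OU", "SAProuter"), ("O", "SAP"), ("C", "DE")]
SHA1_WITH_RSA_OID = "1.2.840.113549.1.1.5"
MIN_ROUTER_KEY_BITS = 512   # section 6.3 minimum for the SAProuter key pair
MAX_VALIDITY_DAYS = 366     # "valid for 1 year", allowing for a leap year


def parse_dn(dn):
    """Split 'CN=a, OU=b' into [(ATTR, value), ...]; an escaped '\\,' stays in the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        attr, value = attr.strip().upper(), value.strip().replace("\\,", ",")
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr, value))
    return rdns


def _fold(rdns):
    # The page spells the issuer both "SAPRouter CA" and "SAProuter CA".
    return [(attr, value.casefold()) for attr, value in rdns]


def check_saprouter_profile(cert):
    """Return the deviations from the profile as a list (empty list = conforms)."""
    findings = []
    try:
        issuer, subject = parse_dn(cert["issuer"]), parse_dn(cert["subject"])
    except ValueError as exc:
        return [str(exc)]
    if _fold(issuer) != _fold(EXPECTED_ISSUER):
        findings.append("issuer is not the SAProuter CA")
    if [attr for attr, _ in subject] != ["CN", "OU", "OU", "O", "C"]:
        findings.append("subject is not CN, OU, OU, O, C")
    else:
        _, customer, unit, org, country = (value for _, value in subject)
        # Assumption: customer numbers are digits only, as in the page's example.
        if not re.fullmatch(r"[0-9]+", customer):
            findings.append("first OU is not a customer number")
        if (unit.casefold(), org, country) != ("saprouter", "SAP", "DE"):
            findings.append("subject suffix is not OU=SAProuter, O=SAP, C=DE")
    days = (cert["not_after"] - cert["not_before"]).days
    if not 0 < days <= MAX_VALIDITY_DAYS:
        findings.append(f"validity period of {days} days is outside 1 year")
    if cert["signature_oid"] != SHA1_WITH_RSA_OID:
        findings.append("signature algorithm is not sha1WithRSAEncryption")
    if cert["rsa_bits"] < MIN_ROUTER_KEY_BITS:
        findings.append("RSA key is shorter than 512 bits")
    if cert["is_ca"]:
        findings.append("BasicConstraints marks the holder as a CA")
    return findings


# Constructed samples built from the example values printed in the profile table.
GOOD = {
    "issuer": "CN=SAPRouter CA, OU=SAProuter, O=SAP, C=DE",
    "subject": "CN=stl-do-all, OU=0000496345, OU=SAProuter, O=SAP, C=DE",
    "not_before": date(2002, 7, 15),
    "not_after": date(2003, 7, 15),
    "signature_oid": SHA1_WITH_RSA_OID,
    "rsa_bits": 1024,
    "is_ca": False,
}
# Constructed non-conforming sample: wrong issuer, three-year validity, CA flag set.
BAD = dict(GOOD, issuer="CN=SMP Root CA, OU=Service Marketplace, O=SAP, C=DE",
           not_after=date(2005, 7, 15), is_ca=True)

if __name__ == "__main__":
    for name, cert in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_saprouter_profile(cert) or "conforms")
```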


BIBLIOGRAPHY

9.1 Abbreviations

C            Country
CA           Certification Authority
CN           Common Name
CP           Certificate Policy
O            Organization
OU           Organizational Unit
RA           Registration Authority
RSA          Rivest, Shamir and Adleman
SHA          Secure Hash Algorithm
SMP          SAP Service Marketplace
SMP Root CA  SAP Service Marketplace Root Certification Authority
TCS          Trust Center Services

9.2 Glossary

9.2.1 Certificate Policy (CP)

The CP describes a security policy for issuing certificates and maintaining certificate status information. This includes e.g. the operation of the SAProuter CA, as well as guidelines for users for requesting, using, and handling of certificates and keys. A named set of rules that indicate the applicability of a certificate to a particular community and/or class of application with common security requirements (RFC 2527).

9.2.2 Subscriber

These are entities (in this case SAProuter) that have been issued SAProuter-Certificates from the SAProuter CA.

9.2.3 Trust Manager

The TrustManager can be used to maintain the public key information for the Personal Security Environments (e.g. system PSE) used by the SAP applications. The TrustManager provides functions for generating key pairs and corresponding certificate requests.

9.3 Literature

[CP: RA-Certificate02] SAP AG: Certificate Policy of RA Certificate for SAP Router, 2002.
[CP: Root CA-Certificate02] SAP AG: Certificate Policy of the Service Marketplace Root CA, 2002.
[Gut2000] Gutmann, P.: X.509 style Guide, 2000. http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
[ITU97] ITU-T X.509: Information Technology - Open Systems Interconnection - The directory: Authentication Framework, 1997.
[RFC 2527] Chokhani, S.; Ford, W.: Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, 1999.
[RFC 3280] Housley, R.; Ford, W.; Polk, W.; Solo, D.: "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", 2002.
