Secure E-Mail


SAP gives users the option of using another provider’s product for e-mail signatures and encryption, which is known as a Secure E-mail Proxy. To be able to connect a proxy of this kind to SAPconnect, the proxy itself must satisfy the prerequisites listed below.


When e-mails are sent, the encryption and signature security functions that are to be performed by a Secure E-mail Proxy, are requested by the SAP system through additional information stored in the e-mail header. The standard solution provided by SAP adds the extension [sign], [encrypt] or [sign encrypt] to the mail subject.

If you want to use a Secure E-mail Proxy that does not support this, you have the option of using other extensions in the subject line or using an additional header. This is done through the SAP Business Add-In SX_SECURE_EMAIL. For more information about this, see the documentation of this BAdI.


Implementation of an additional product – the Secure E-mail Proxy, which can encrypt, sign and validate e-mails. To be able to connect a Secure E-mail Proxy to SAPconnect, the proxy itself must be able to identify the additional header information described above, execute the requested security functions, and delete the header extension prior to sending the e-mail.

In the inbound scenario, a Secure E-mail Proxy has to delete any secure e-mail properties that may exist, and then send the e-mail to the SAP system in the conventional MIME format. The Secure E-mail Proxy gets the private and public keys needed for both the inbound and outbound scenarios from its own key management.


The following activities must be carried out to be able to send or receive encrypted or signed e-mails:

Connecting the Secure E-mail Proxy to SAPconnect

To connect the Secure E-mail Proxy to SAPconnect, proceed as follows:


       1.      Call transaction SCOT and enter the host and port of the Secure E-mail Proxy in the SMTP node.

Note that the proxy connection is only possible through the SMTP interface.

       2.      Execute report RSCONN05 and activate the required SAPconnect secure e-mail mode.

Doing this means that, in principle, it is now possible to encrypt and sign e-mails in the SAP system. This configuration does NOT mean that all outbound e-mails are automatically encrypted or signed.

Sending Encrypted and Signed E-Mails

If encrypting or signing e-mails has been activated in the SAP system, additional check boxes are displayed when sending an e-mail using the send screen of the Business Communication Service (BCS) or when sending a short message (transaction SO00). Users can use these to request these functions. The activated security functions can also be used by SAP applications.

You also have the option of maintaining user settings to preassign values for encryption and signatures. To do this, proceed as follows:


       1.      Under System ® User Profile® Own Data, go to the Parameters tab page and use input help to select the set-/get parameters BCSSIGN and BCSENCRYPT.

       2.      Either enter no value to deactivate it, or enter 'X' to activate it.

Receiving Encrypted and Signed E-Mails

On receiving an encrypted e-mail, the mail is decoded by the Secure E-mail Proxy and sent to the SAP system in the conventional MIME format.

On receiving a signed e-mail, the signature is validated and removed by the Secure E-mail Proxy, and the e-mail is then sent to the SAP system in the conventional MIME format.