Digital Signatures and Encryption

Purpose

Secure Store and Forward (SSF) mechanisms provide you with the means to secure data and documents in SAP Systems as independent data units. By using SSF functions, you can "wrap" data and digital documents in secure formats before they are saved on data carriers or transmitted over (possibly) insecure communication links. The data does not have to remain within the SAP System; if you save the data in a secure format in the SAP System, it remains in its secured format even if you export it out of the system.

SSF mechanisms use digital signatures and digital envelopes to secure digital documents. The digital signature uniquely identifies the signer, is not forgeable, and protects the integrity of the data. Any changes in the data after being signed result in an invalid digital signature for the altered data. The digital envelope makes sure that the contents of data are only visible to the intended recipient(s).
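The two properties described above can be reproduced outside an SAP System. The following is an added example, not SAP code and not the SSF API: it uses the OpenSSL `cms` command as a stand-in for the security product, and every certificate, file name and document text in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration, not SAP code: OpenSSL CMS stands in for the security product.
# Subject names, file names and the document text are constructed for this demo.
ssf_demo() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1
    # Demo PKI: one self-signed certificate each for the signer and the recipient.
    for who in signer recipient; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$who" \
            -keyout "$who.key" -out "$who.pem" 2>/dev/null || exit 1
    done
    printf 'inspection lot 4711: usage decision ACCEPTED\n' > doc.txt
    sed 's/ACCEPTED/REJECTED/' doc.txt > altered.txt   # change made after signing

    # Digital signature: a separate data unit that travels with the document.
    openssl cms -sign -binary -in doc.txt -signer signer.pem -inkey signer.key \
        -outform DER -out doc.sig 2>/dev/null || exit 1
    for f in doc.txt altered.txt; do
        if openssl cms -verify -binary -inform DER -in doc.sig -content "$f" \
            -CAfile signer.pem -out /dev/null 2>/dev/null
        then echo "signature_on_$f=valid"
        else echo "signature_on_$f=invalid"
        fi
    done

    # Digital envelope: content encrypted for the recipient's certificate only.
    openssl cms -encrypt -binary -aes-256-cbc -in doc.txt -outform DER \
        -out doc.p7m recipient.pem 2>/dev/null || exit 1
    for who in recipient signer; do
        if openssl cms -decrypt -inform DER -in doc.p7m -recip "$who.pem" \
            -inkey "$who.key" -out "opened_by_$who.txt" 2>/dev/null &&
            cmp -s doc.txt "opened_by_$who.txt"
        then echo "envelope_opened_by_$who=yes"
        else echo "envelope_opened_by_$who=no"
        fi
    done
    cd / && rm -rf "$dir"
)

ssf_demo
```

The signature verifies only against the unaltered document, and only the holder of the recipient's private key can open the envelope.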

The SSF mechanisms are useful in application areas where an increased level of security is required with regard to:

· The specific and unique identification of persons or components (for example, in work flow processes)

· Non-repudiation or proof of obligation (for example, when signing paperless contracts)

· Authenticity and integrity of data (for example, saving audit logs)

· The sending or storing of confidential data

By using the SSF mechanisms in SAP applications, you can replace paper documents and handwritten signatures with automated work flow processes and digital documents that are secured with digital signatures and digital envelopes.

Implementation Considerations

SSF mechanisms are available in SAP Systems as of Release 4.0.

You use the SSF mechanisms if you are using an application in the SAP System that has implemented digital signatures or digital envelopes.

There are a number of applications that currently use the SSF mechanisms to provide data protection, for example:

· Production Planning - Process Industry

· Product Data Management

· SAP ArchiveLink - SAP content server HTTP interface 4.5

With time, more and more applications will use SSF for their security purposes.

Constraints

Third-Party Security Product

SSF requires the use of a third-party security product to provide its functions. As the default provider, we deliver the SAP Security Library (SAPSECULIB) with SAP Systems. The SAPSECULIB, however, is limited to providing digital signatures only. For digital envelopes, encryption, or crypto hardware (for example, smart cards or crypto boxes), you need to use an external security product. SAP provides the SAP Cryptographic Library free of charge, or you can use a certified partner product.

The SAP Cryptographic Library is available for download on the SAP Service Marketplace at service.sap.com/downloads. Note, however, that this library is subject to German export regulations and is therefore not available to all customers.

For information about supported products, see the SAP-certified partners (www.sap.com/softwarepartner).

Public-Key Infrastructure

To effectively use the SSF mechanisms, you need to have an established public-key infrastructure (PKI). The PKI makes sure that you can validate and trust the digital signatures, certificates, and Certification Authorities (CAs). A PKI is often, although not necessarily, supported by the external security products that are available on the market. Although SAP Systems do not provide a PKI directly, they do support PKIs provided by various security products.

Depending on the security product that you use, you can establish the use of a PKI in one of many ways. You may want to create your own PKI and CA that you link to your customers, or you and your customers may want to agree on a common Trust Center. A common Trust Center is a third-party instance that both you and your customers can trust to validate and authenticate your PKI participants. Using a common Trust Center can solve many of the currently open questions regarding the establishment of a PKI.

Laws and Regulations

There are also laws in various countries that regulate the use of cryptography and digital signatures. These laws are currently controversial and may change. You need to keep yourself informed on the impact these laws may have on your applications, and make sure that you are aware of any further developments.

Examples of SAP Applications That Use the SSF Functions

The following SAP applications are examples of areas that use digital signatures to meet their requirements:

· Quality Management

    ○ When saving inspection results for an inspection lot

    ○ When making and changing the usage decision for an inspection lot

· Production Planning for Process Industries

    ○ When completing a work step in the process industries sheet

    ○ When accepting invalid values within input validations

    ○ When approving a batch record

· SAP ArchiveLink Content Server HTTP interface 4.5

    ○ When authenticating a request to access the archive