Using the SAP Cryptographic Library for SNC

Use

The SAP Cryptographic Library is the default security product delivered by SAP for performing encryption functions in SAP Systems. For example, you can use it for providing Secure Network Communications (SNC) between various SAP server components or for using the Secure Sockets Layer (SSL) protocol with the SAP Web Application Server. This documentation describes using the SAP Cryptographic Library for SNC. For more information about using the library for SSL, see the documentation for the SAP Web Application Server Security.

You can only use the SAP Cryptographic Library for SNC between server components. If you want to use SNC for frontend components (for example, SAP GUI for Windows), then you must purchase an SNC-certified partner product.

Integration

When using the SAP Cryptographic Library for SNC, the following information is necessary for the communication infrastructure:

•     The server and its communication partners must be configured for using SNC as described in the SNC User's Guide.

•     The server must possess a public and private key pair and public-key certificate, which is stored in the server's Personal Security Environment (PSE). Although you may obtain a certificate from a trusted Certification Authority (CA), for easier administration we currently recommend using a certificate that is signed by the server itself (self-signed). This documentation refers only to configuring the server when using a self-signed certificate.

•     At run-time, the server must have active credentials. This is accomplished by using the configuration tool to "open" the server's PSE.

•     The server must be able to verify its communication partner's identity. This is accomplished by importing the partner's public-key certificate into the server's own certificate list. As an alternative, you can use the same PSE for all server components. For examples of these scenarios, see:

      ◦     Scenario 1: Using a Single PSE for All Components

      ◦     Scenario 2: Using Individual PSEs for Components

Prerequisites

You must be able to receive the SAP Cryptographic Library according to the German export regulations.

The distribution of the SAP Cryptographic Library is subject to and controlled by German export regulations and is not available to all customers. In addition, the library may be subject to local regulations of your own country that may further restrict the import, use and (re-)export of cryptographic software. If you have any further questions on this issue, contact your local SAP subsidiary.

Additional Information

Although we primarily use the Internet Transaction Server (ITS) AGate and SAP System application server as examples throughout this document, the information applies to any server component that uses the SAP Cryptographic Library as the SNC product. For more information about individual scenarios or any connection-specific configurations, see the following documentation:

•     SNC User's Guide

      The SNC User's Guide is available on the SAP Service Marketplace at http://service.sap.com/security in the Technical Track → Secure Network Communications.

•     Trust Manager: Using the Trust Manager

•     ITS Administration Guide: Setting Up Network Security