Validity: valid since 19.01.2004
[1] Question: What are SSF and SNC?
[2] Question: Is there a difference between SAPCRYPTOLIB and SAPSECULIB?
[3] Question: Can I use SNC to encrypt data in the database?
[4] Question: What is a PSE?
[5] Question: Where is the PSE file even though I received the SAPSECULIB/SAPCRYPTOLIB?
[6] Question: What are credentials?
[7] Question: Which PIN is required by transaction 'STRUST'?
[8] Question: Which properties must the PIN have?
[9] Question: What is a certificate?
[10] Question: Can I use several different security toolkits on the same host?
[11] Question: Where do I find further documentation?
[12] Question: I cannot create a PSE using either transaction STRUST or PSEMAINT. What could be the possible reasons for this?
[13] Question: How do I determine the version of my Sapseculib/Sapcryptolib?
[1] Question: What are SSF and SNC?
Answer:
If you are using an external security product to support digital signatures and encryptions in SAP systems, you must install and configure Secure Store and Forward (SSF) on each of the front-end hosts and application servers. For more information, see note 86927.
Secure Network Communication (SNC) ensures security in communication via the CPI-C interface. SNC supports the security systems of other manufacturers. Saved partner authentication as well as saved data transferred are possible as a result. For more information, see note 66687.
[2] Question: Is there a difference between SAPCRYPTOLIB and SAPSECULIB?
Answer:
Yes.
With regard to SSF, SAPCRYPTOLIB and SAPSECULIB are the same, that is, you can use both SAPSECULIB and SAPCRYPTOLIB for SSF.
However, as SAPSECULIB does not contain any message encryption functions, you cannot use it for SNC.
SAPCRYPTOLIB is exclusively provided for this purpose.
For Sapseculib, see also the composite SAP note 354819.
CAUTION! You cannot use SAPCRYPTOLIB and SAPSECULIB simultaneously.
Note 578377 provides additional information on using the Sapcryptolib for digital signatures.
[3] Question: Can I use SNC to encrypt data in the database?
Answer:
No, SNC cannot be used to encrypt data in the database or in a backup.
[4] What is PSE?
Answer:
Personal Security Environment (PSE). Personal Security Environment is used to verify the digital signature of a signer. It contains the security information of the system. The digital signature also protects the integrity of the signed data and is the place where the public key information of a user or component is stored. It contains both the public (public key certificate and private address book) and private information (private key) of the owner. The public key certificate acts as a digital display that identifies a person or component. You use your public key certificate to identify yourself to other users. For more information, see the online documentation.
[5] Where is the PSE file even though I received the SAPSECULIB/SAPCRYPTOLIB?
Answer:
The PSE file must always be generated independently as it contains application-dependent data such as the system name, for example. the system name, contains.
[6] Question: What are credentials?
Answer:
A credential is an access authorization that often has a restricted validity period. This means that if a PSE is protected by a PIN or password, the credential makes it possible for the system to read the PSE nevertheless.
[7] Question: Which PIN is required by transaction 'STRUST'?
Answer:
Here, it may be a case that the PSE is corrupt or a PIN was assigned but it is unknown. A new PSE must be create in both cases.
[8] Question: Which properties must the PIN have?
Answer:
The PIN can be any length and may consist of figures and numbers.
[9] Question: What is a certificate?
Answer:
Public key certificates are used in R/3 to create and check the digital signatures of R/3 components.
[10] Question: Can I use several different security toolkits on the same host?
Answer:
A 'Security Toolkit' represents a system enhancement that is implemented in a function library. Only one library may be specified and therefore only one 'Security Toolkit' may be installed per host. This means that different application servers use different toolkits.
[11] Question: Where do I find further documentation?
Answer:
Additional help is available in the online documentation and in the SAP Marketplace:
http://service.sap.com/security with the link: Security in Detail
[12] Question: I cannot create a PSE using either transaction STRUST or PSEMAINT. What could be the possible reasons for this?
Answer:
1: Determine the version of the library used (see question 13), find out which versions are current, install a newer version if several errors have been eliminated between the existing and current versions.
2: There may be an inconsistency between the database and file system. In this case, you have two options:
a) First, use the SSFPSE_CHECK function module to run a comparison and then, if necessary, use SSFPSE_REMOVE to remove the old PSE from the database (as described in note 354819). You should then be able to create a new PSE.
b) Install and run the repair report ZREPAIR_SSF_PSE_H from note 515662.
3: The Security Toolkit may not be installed correctly or the profile parameters may be set incorrectly or the authorizations for accessing the library may be set incorrectly. The version used may also be unsuitable for your system architecture.
Usually, the Developer Traces dev_wX give fairly precise information (analyze with transaction ST11) on what failed when the library was initialized.
[13] Question: How do I determine the version of my Sapseculib/Sapcryptolib?
Answer:
Use the SSF02 report to determine the version. However, this only works if the Toolkit was installed correctly. It may be useful in some situations to maximize the window beforehand so that details of the version are not truncated too soon.
No comments:
Post a Comment