Application Development Discussions
Risks involved in importing Certificates

Former Member
0 Kudos

Hello Everybody,

I just wish to understand what the risks are involved while importing a certificate into an ABAP system.

Or what are the things that should be considered from a security point of view while importing a certificate.

Certificates could be another ABAP system certificate, a Java system certificate or third-party ones like Google Maps, etc.

Thanks so much for suggesting this.

Warm Regards,

Pradeep

Edited by: Pradeep Cherian on Feb 9, 2012 1:27 PM

1 ACCEPTED SOLUTION

martin_voros
Active Contributor
0 Kudos

Hi,

when you import a certificate you create a trust relationship between your system and any other system that presents the same certificate or a certificate signed by that certificate. By default, an SAP system does not trust any certificates, which is great, unlike all web browsers. You have to be really sure that you want to trust that certificate.

Cheers

6 REPLIES 6

0 Kudos

Hi Martin,

Thanks a lot for your answer.

However, my question is more from a security risk point of view: what are the potential risks that I should consider while importing such a certificate?

I know that certificate import deals with the authentication part. However, if the user doesn't have any authorisation in the system at all, the user will be unable to do anything in the system right?

Any suggestions?

Thanks and Regards, Pradeep

0 Kudos

It depends on whether the client networks are only allowed to use SSL ports to access the servers anyway and whether the proxies between the two filter unwanted URL requests to services which are only really intended to be internal to the server network.

It is normally much easier and more manageable to catch this at the proxy than to make a theatre out of certificate management for applications at the back-end system.

You will often find that certificates are "self-signed" by the servers, and once handed out you should consider this relative to the risk of the imported certificates.

If a targeted misuse can call internal functions and services which return information, then they can find out about problems in your applications and details of your infrastructure. They could read monitor logs and trace files.

Unless you are a strong believer in having to maintain an armada of certificates and communicate / transport them to all the communication partners, I would recommend concentrating on the proxy tools and capabilities to achieve a high level of security with a relatively low level of effort.

Cheers,

Julius

0 Kudos

> You will often find that certificates are "self-signed" by the servers, and once handed out you should consider this relative to the risk of the imported certificates.

Not sure why people don't like self-signed certificates. Last year we saw CA-level certificates in the wild. So self-signed certificates provide better security if you can verify the certificate. Obviously, this does not scale.

Cheers

0 Kudos

> Not sure why people don't like self-signed certificates. Last year we saw CA-level certificates in the wild. So self-signed certificates provide better security if you can verify the certificate. Obviously, this does not scale.

Well, self-signed certificates may be OK for connections between servers inside the same company network, but when you start to speak about web browsers, the talk is soon over!

Regards,

Olivier

0 Kudos

Yes, it is the scaling-out side of the group of servers who are meant to trust each other which would be the problem you run into.

Or, as Olivier might have meant to phrase it: handing your self-signed certificate out to business partner servers which are not in your server network is comparable to importing it into the web browsers in the client network.

Cheers,

Julius