Application Development Discussions
SSL communication to external company - root CA ?

Former Member

Hi all,

We have the following scenario:

NW 7.0 ABAP system <-SSL-> external company.

SSL is enabled on the ABAP side (and on the external system), system profiles and so on. Transaction STRUST has been run and the PSEs created.

Now to the question!

Is it enough if we send our company's root CA to the external company and they send their root CA to us, which we import through transaction STRUST?

Or do we have to create a certificate request from the ABAP system, send it to our CA to get it signed, import the certificate response we get back into the ABAP system, and also send the root CA plus the certificate response from our server to the external company? And vice versa from the external side.

I am a little bit confused and have searched through help.sap.com, SDN, Google and so on. I don't understand whether we need to exchange root CAs only, or also the specific certificates for the servers.

What I have done before, when setting up ABAP to Portal internally at the company, is to have certificate requests signed, import the certificate response into each system and also exchange them between the systems. I thought this was the way to do it for the above scenario also.

Or?

So far I have no errors; I just want to understand the concept and hope that the gurus in this forum can help me.

Br.

John

Former Member

It is enough to exchange root CAs (make sure that they're not changed by comparing the SHA1 hash, though). All certificates issued by one CA are then automatically trusted at the other party.

Please feel free to ask any other PKI related question you might have!


Hi,

Thanks for the info and quick answer, then maybe I was on the right track anyway. Just a follow-up question.

If I understand you correctly, this means that our company trusts anything that comes from the external company and vice versa.

Correct?

Of course we are restricting access by issuing X.509 certificates also and by firewall settings and so on, but is my conclusion correct?

If so, that would mean that if we were to integrate the same SAP system of ours with another system at the same external company, we would not need to get any certificates from them. We would already have their root CA certificate, and could use our root CA certificate already sent.

Correct?

Br

John


Yes. You basically trust the mapping effort. If someone uses a certificate issued to "John Doe" and certified by "Company B" and you trust the root certificate of "Company B", then you assume that this someone is really "John Doe" (this is skimping a little bit on the details though).

This is the authentication part (i.e. who is this someone). However, this says nothing about the authorization part (i.e. what is John Doe allowed to do). If John Doe is not allowed to do anything, using the certificate won't help him.

So, it is important to keep in mind the difference between authentication and authorization: Authentication is who you are and authorization is what you are allowed to do.

Of course, using a firewall may give you additional security especially if both parties have static IP addresses.
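The two answers above make two concrete claims: importing the partner's root CA is sufficient, because every certificate that CA issues (for a first or a second server at the same company) then chains to it, and the received root must be checked against its SHA1 fingerprint so a swapped certificate is not imported. The following script is an added example, not part of the thread and not SAP code, that reproduces both points with a throw-away PKI built with the openssl command-line tool only; the company names, host names and directory layout are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): a throw-away two-company PKI that shows
# why exchanging root CA certificates is sufficient and why the fingerprint of
# the received root must be confirmed out of band before it is imported.
# Assumes only the openssl command-line tool; all names are constructed.
set -e

WORK=$(mktemp -d)

# Create a self-signed root CA (key + certificate) for one company.
make_root_ca() {   # $1 = directory, $2 = company name
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=$2/CN=$2 Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Issue a server certificate signed by that company's root CA
# (the "certificate request -> signed response" step from the question).
issue_server_cert() {   # $1 = CA directory, $2 = server common name, $3 = output prefix
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$3.key" -out "$3.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$3.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$3.pem" 2>/dev/null
}

# SHA-1 fingerprint of a certificate: the value to compare with the partner
# over a second channel (phone, signed mail) before importing their root.
sha1_fingerprint() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Does a server certificate chain to the root CA we imported?
# Prints "trusted" or "untrusted" and returns 0 / 1 accordingly.
check_trust() {   # $1 = imported root CA file, $2 = server certificate
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
        return 1
    fi
}

# Company B is the external partner; it certifies two of its own systems.
make_root_ca "$WORK/companyB" "Company B"
issue_server_cert "$WORK/companyB" "sap1.companyb.example" "$WORK/b-sap1"
issue_server_cert "$WORK/companyB" "sap2.companyb.example" "$WORK/b-sap2"
# An unrelated CA whose certificates we never agreed to trust, issuing a
# certificate that merely carries the same host name.
make_root_ca "$WORK/other" "Other Corp"
issue_server_cert "$WORK/other" "sap1.companyb.example" "$WORK/spoof"

echo "Root CA fingerprint to confirm with Company B out of band:"
sha1_fingerprint "$WORK/companyB/ca.pem"

# One imported root covers every server Company B certifies, so the second
# system from the follow-up question needs no further certificate exchange ...
check_trust "$WORK/companyB/ca.pem" "$WORK/b-sap1.pem"
check_trust "$WORK/companyB/ca.pem" "$WORK/b-sap2.pem"
# ... while a same-named certificate from a CA we did not import is rejected.
check_trust "$WORK/companyB/ca.pem" "$WORK/spoof.pem" || true

rm -rf "$WORK"
```

The trust decision lives entirely in `check_trust`: nothing about the server certificate itself is pre-shared, only the root it chains to. That is also the limit the last reply points out: a certificate that verifies only tells you who the peer is; which actions that identity may perform is a separate decision the ABAP side still has to make.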