08-05-2008 3:01 PM
Hi all,
We have the following scenario.
NW 7.0 ABAP system <ssl-> external company.
SSL enabled on the ABAP side (and on the external system), system profiles and so on.
Transaction STRUST run and PSEs created.
Now to the question !
Is it enough if we send our company's root CA to the external company
and they send their root CA to us, which we import through transaction STRUST?
Or do we have to create a certificate request from the ABAP system, send it
to our CA to get it signed, and import the certificate response we get back into the ABAP system?
Also send the root CA plus the certificate response from our server to the external company?
And vice versa from the external company.
I am a little bit confused and have searched through help.sap.com, SDN, Google and so on.
I don't understand if we need to exchange root CAs only, or also the specific certificates for
the servers.
What I have done before, when setting up ABAP to Portal internally at the company, is
to have certificate requests signed, import the certificate response into each system and
also exchange them between the systems. I thought this was the way to do it for the above
scenario also.
Or?
So far I have no errors or so; I just want to understand the concept and hope that the gurus
in this forum can help me.
Br.
John
08-06-2008 1:45 PM
It is enough to exchange root CAs (make sure that they're not changed by comparing the SHA1 hash, though). All certificates issued by one CA are then automatically trusted by the other party.
Please feel free to ask any other PKI related question you might have!
08-06-2008 2:09 PM
Hi,
Thanks for the info and the quick answer; then maybe I was on the right track anyway. Just a follow-up question.
If i understand you correctly this means that our company trusts anything that comes from the external company and vice versa.
Correct ?
Of course we are restricting access by issuing X.509 certificates also and by firewall settings and so on, but is my conclusion correct?
If so, that would mean that if we were to integrate the same SAP system with another system at the same external company, we would not need to get any certificates from them. We already have their root CA certificate then, and can use our root CA certificate already sent.
Correct ?
Br
John
08-06-2008 3:18 PM
Yes. You basically trust the mapping effort. If someone uses a certificate issued to "John Doe" and certified by "Company B" and you trust the root certificate of "Company B", then you assume that this someone is really "John Doe" (this is skimping a little bit on the details though).
This is the authentication part (i.e. who is this someone). However, this says nothing about the authorization part (i.e. what is John Doe allowed to do). If John Doe is not allowed to do anything, using the certificate won't help him.
So, it is important to keep in mind the difference between authentication and authorization: Authentication is who you are and authorization is what you are allowed to do.
Of course, using a firewall may give you additional security especially if both parties have static IP addresses.
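The two answers above (exchanging only the root CAs after comparing their SHA1 fingerprints, and the difference between authenticating a peer and authorising it) can be walked through with plain openssl. The script below is an added example written for this thread; it is not from the original posts, from SAP or from STRUST. Two made-up companies (CompanyA is "us", CompanyB the external party) each run their own root CA and issue their server certificates from it exactly as John describes (request on the server, signed by the company CA, response imported); the hostnames, a third "Rogue" CA and the allow-list file standing in for the application's own user mapping are all assumptions. Only the root certificates cross the company boundary: a certificate chaining to the imported CompanyB root is authenticated, a certificate with the very same subject DN issued by a CA that was never exchanged is rejected, and a second CompanyB certificate that authenticates fine is still refused because its DN is not on the allow-list.

```shell
#!/bin/sh
# Added example, not from the original thread, SAP or STRUST. Company names,
# hostnames and the allow-list file are assumptions for the demonstration.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the end-entity (server) certificates.
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
EOF

# make_root NAME: self-signed root CA of one company; its private key never leaves it.
make_root() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=$1/CN=$1 Root CA" -keyout "$WORK/$1-root.key" -out "$WORK/$1-root.crt" 2>/dev/null
}

# issue CA FILE SUBJECT: request created on the server, signed by the company CA,
# response written to FILE.crt (the STRUST request/response round trip).
issue() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1-root.crt" -CAkey "$WORK/$1-root.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# fingerprint FILE: the SHA1 value both parties compare out of band before
# importing the other side's root, so a root swapped in transit is noticed.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# verify_peer CERT ROOT: authentication, does CERT chain to the root we imported?
verify_peer() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# peer_dn CERT: subject DN in RFC 2253 form, the identity we then authorise on.
peer_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# authorised CERT ROOT ALLOWLIST: authenticated AND the DN is on our allow-list
# (the allow-list is an assumed stand-in for the application's own mapping).
authorised() {
  verify_peer "$1" "$2" || return 1
  grep -qxF "$(peer_dn "$1")" "$3"
}

make_root CompanyA   # us
make_root CompanyB   # the external company
make_root Rogue      # a CA that was never part of the exchange
issue CompanyA abap   "/O=CompanyA/CN=abap.companya.example"
issue CompanyB gw     "/O=CompanyB/CN=gw.companyb.example"
issue CompanyB other  "/O=CompanyB/CN=other.companyb.example"
issue Rogue   forged  "/O=CompanyB/CN=gw.companyb.example"   # same DN, wrong issuer
printf '%s\n' 'CN=gw.companyb.example,O=CompanyB' > "$WORK/allowed_peers.txt"

# The exchange: each side hands over its root and reads the fingerprint to the other.
echo "CompanyA root SHA1: $(fingerprint "$WORK/CompanyA-root.crt")"
echo "CompanyB root SHA1: $(fingerprint "$WORK/CompanyB-root.crt")"

# Our side now holds only CompanyB-root.crt and checks whatever the peer presents.
for c in gw other forged; do
  if authorised "$WORK/$c.crt" "$WORK/CompanyB-root.crt" "$WORK/allowed_peers.txt"; then
    echo "$c: accepted, $(peer_dn "$WORK/$c.crt")"
  elif verify_peer "$WORK/$c.crt" "$WORK/CompanyB-root.crt"; then
    echo "$c: authenticated as $(peer_dn "$WORK/$c.crt") but not authorised"
  else
    echo "$c: rejected, does not chain to the exchanged CompanyB root"
  fi
done
```

Note that `gw` and `forged` carry an identical subject DN; only the issuer chain tells them apart, which is why the fingerprint comparison of the exchanged root matters. Adding a second CompanyB system later needs no new certificate from them, as the thread says, but it does need its DN added to whatever mapping your application authorises on, otherwise it ends up like `other` above: authenticated, not authorised.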