
SAP Trust Center Services

CERTIFICATE POLICY OF THE SAP SERVICE MARKETPLACE ROOT CA
Version 1.0

Copyright 2001 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

All information in this document is compiled with great care. Neither SAP AG nor the author is liable for any damages or disservice that are in connection with the use of this document.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, WINDOWS, NT, EXCEL, Word, PowerPoint and SQL Server are registered trademarks of Microsoft Corporation.
IBM, DB2, OS/2, DB2/6000, Parallel Sysplex, MVS/ESA, RS/6000, AIX, S/390, AS/400, OS/390, and OS/400 are registered trademarks of IBM Corporation.
ORACLE is a registered trademark of ORACLE Corporation.
INFORMIX-OnLine for SAP and Informix Dynamic Server™ are registered trademarks of Informix Software Incorporated.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, the Citrix logo, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, MultiWin and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.
JAVA is a registered trademark of Sun Microsystems, Inc.
JAVASCRIPT is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.
All other products mentioned are trademarks or registered trademarks of their respective companies.

SAP AG
Neurottstraße 16
69190 Walldorf
Germany
T +49/1805/34 34 24
F +49/1805/34 34 20
www.sap.com

CONTENTS
1 Introduction
1.1 Overview
1.2 Community and Applicability
1.2.1 Service Marketplace Root Certification Authority (SMP Root CA)
1.2.2 Certification Authority (CA)
1.2.3 Subscriber, End User or Certificate holder
1.2.4 Applicability
1.3 Contact Details
2 General Provisions
2.1 Obligations
2.1.1 SMP Root CA obligations
2.1.2 CA obligations
2.1.3 Subscriber obligations
2.2 Publication of SMP Root CA information
2.3 Access controls
2.4 Types of information to be kept confidential
3 Identification and Authentication
3.1 Initial Registration
3.2 Types of names
4 Operational Requirements
4.1 Application for CA-Certificate
4.2 Certificate Issuance for CA-Certificate
4.3 Certificate Acceptance of CA-Certificate
4.4 Security Audit Procedures
4.5 Records Archival
4.6 Compromise and Disaster Recovery
4.7 SMP Root CA Termination
5 Physical, Procedural and Personnel Security Controls
5.1 Physical Security Controls
5.2 Trusted roles
6 Technical Security Controls
6.1 SMP Root CA
6.2 Certification Authority
6.3 Key sizes
6.4 Private Key Protection
6.5 Other aspects of Key Pair Management
6.5.1 Public Key archival
6.5.2 Usage periods for the public and private keys
6.6 Computer Security Controls
7 Specification Administration
8 Certificate Profiles
8.1 Certificate Profile of the SMP Root CA
9 Bibliography
9.1 Abbreviations
9.2 Glossary
9.2.1 Certificate Policy (CP)
9.2.2 Subscriber
9.3 Literature & References

1 INTRODUCTION

1.1 Overview
This document describes the Certificate Policy (CP) of the Service Marketplace Root Certification Authority (hereafter called SMP Root CA). The SMP Root CA issues certificates for second level certification authorities (hereafter called CAs). The structure of this SMP Root CA Policy is broadly based on the Internet Standard X.509 Public Key Infrastructure Certificate Policy and Certification Practice Statement framework [RFC 2527]. Topics from RFC 2527 which are not applicable to the SMP Root CA certificate policy are not discussed here.

The hierarchy of the SMP Public Key Infrastructure (hereafter called SMP PKI) is shown in the figure below:

Figure 1: Hierarchy of the SMP PKI (the SMP Root CA holds a self-signed Root CA-Certificate and issues CA-Certificates to the second level CAs, at present the SAProuter CA; the SAProuter CA in turn issues SAProuter-Certificates R1 ... Rn)

The hierarchy of the SMP PKI is based on two levels. The uppermost level is the SMP Root CA of the SAP Service Marketplace (to which this CP refers). The second level consists of certification authorities which are certified by the SMP Root CA and have their own CPs. The only certification authority currently working at the second level is the SAProuter CA; further certification authorities are at present not planned but may follow in the near future. The second level CAs are certified by the SMP Root CA. The subscriber certificates (e.g. SAProuter certificates) are issued and managed by the corresponding CA.

1.2 Community and Applicability
By issuing the Root CA-Certificate and CA-Certificate(s) from the SMP Root CA, every subscriber can check the validity of all certificates issued by the CAs of the SMP Root CA which are part of this PKI. The Root CA is the common trust anchor for all subscribers within this PKI.

The following diagram shows the components which are relevant in the context of this policy:

Figure 2: Components of the SMP PKI (the SMP Root CA certifies the CA-Certificate of the CA; the CA certifies the subscriber certificate of the Subscriber)

1.2.1 Service Marketplace Root Certification Authority (SMP Root CA)
The SMP Root CA issues its certificate itself (SMP Root CA-Certificate), so that it can be used as trust anchor. In addition the SMP Root CA issues CA-Certificates. The SMP Root CA is operated by SAP AG.

1.2.2 Certification Authority (CA)
The certification authority gets its certificate from the SMP Root CA. The CAs issue certificates for subscribers.

1.2.3 Subscriber, End User or Certificate holder
The certificates of subscribers are issued by the corresponding CA. The subscribers of the SMP Root CA are at present SAProuters.

1.2.4 Applicability
The SMP Root CA-Certificates can be used to sign CA-Certificates.

1.3 Contact Details
The department of Global Solution Services of SAP AG, Germany, operates the SMP Root CA of the SAP Trust Center Services.

SAP AG
Global Solution Services
Trust Center Services
Raiffeisenring
68789 St. Leon-Rot
Germany
E-Mail: security@sap.com
URL: http://service.sap.com/TCS

2 GENERAL PROVISIONS

2.1 Obligations

2.1.1 SMP Root CA obligations
The SMP Root CA has the following obligations:
- The SMP Root CA generates a key pair for issuing the self-signed certificate (SMP Root CA-Certificate). The generation of the key pair is done in a secure environment.
- The SMP Root CA generates a key pair for the CAs. The generation of the key pair is done on a secure medium.
- The SMP Root CA validates and confirms the information contained in the CA-Certificate request.
- After generation of the key pair for the CA, the SMP Root CA issues the CA-Certificate.
- The SMP Root CA publishes the fingerprint of the SMP Root CA-Certificate periodically, e.g. in SAP's customer magazine SAP Info.net and on SAP's customer service website (http://service.sap.com/TCSRootCert).
- The SMP Root CA is obliged to make available all relevant documents and records to the SAP Trust Center Services on demand for auditing purposes.

2.1.2 CA obligations
The CA has the following obligations:
- The CA issues subscriber certificates.
- The CA must follow the rules and regulations defined by the SMP Root CA.
- On demand the CA is obliged to make available all relevant documents and records to the SMP Root CA.
- The CA is responsible for its own security measures.

2.1.3 Subscriber obligations
The corresponding CA defines the obligations of the subscribers (e.g. at present SAProuters).

2.2 Publication of SMP Root CA information
The fingerprint of the SMP Root CA-Certificate is published periodically in SAP's customer magazine SAPinfo.net and on SAP's customer service website (http://service.sap.com/TCSRootCert). Additionally the SMP Root CA can also publish CA-Certificates and fingerprints on request.

2.3 Access controls
Only persons responsible for the SAP Trust Center systems have access to the SMP Root CA, in order to prevent unauthorized use.

2.4 Types of information to be kept confidential
The following types of information are kept confidential:
- SMP Root CA application record, whether approved or disapproved.
- CA application records, whether approved or disapproved.
- Created audit trail records.
- Contingency planning and disaster recovery plans for the SMP Root CA.
- Security measures controlling the operations of CA hardware and software, and the administration of certificate services.

3 IDENTIFICATION AND AUTHENTICATION

3.1 Initial Registration
The initial registration for certification authorities is carried out under secure measures. The subscriber (i.e. the authorized system administrator) applying for a CA-Certificate must identify and register herself according to the rules.

3.2 Types of names
All SMP Root CA- and CA-Certificates contain distinguished names based on X.509 Version 3. The SMP Root CA verifies conformity with the TCS naming conventions.

4 OPERATIONAL REQUIREMENTS

4.1 Application for CA-Certificate
In order to get a CA-Certificate, an applicant must apply for the certificate to the SMP Root CA.

4.2 Certificate Issuance for CA-Certificate
After successful identification and confirmation of the required data, the CA-Certificate can be issued. If identification of the CA-Certificate applicant is unsuccessful, the certificate request is rejected and the applicant is informed. All certificates begin their operational period on the date of issue.

4.3 Certificate Acceptance of CA-Certificate
After receiving the CA-Certificate, the CA is obliged to check the contents and functionality of the issued certificate.

4.4 Security Audit Procedures
Audit procedures of the SMP Root CA are performed regularly. The CAs of the SMP Root CA are required to maintain their own secure audit procedures. Depending on the type of records and the frequency with which the relevant activity takes place, audit logs are processed during CA operation.

4.5 Records Archival
Records should contain e.g. documentation of actions and information that relate to each certificate request and to the creation, issuance, use and expiration of each CA-Certificate. Any kind of records associated with SMP Root CA- and CA-Certificates must be retained as per the rules and regulations after the date a certificate expires. The archive containing all important records must be protected from unauthorized access. As a task of the security audit, the archive is checked for integrity, correctness of operations and access control.

4.6 Compromise and Disaster Recovery
The SAP Trust Center must maintain a disaster recovery plan for the event of a disaster that might threaten the functionality and trustworthiness of the SMP Root CA. The disaster recovery plan must be reviewed and updated periodically in order to suit the current requirements. The disaster recovery plan for a CA must be maintained individually by the corresponding CA.

4.7 SMP Root CA Termination
The termination of the SMP Root CA is possible under certain circumstances. The termination of the SMP Root CA must be planned, and appropriate notice will be given to minimize disruption to customers and relying parties.

5 PHYSICAL, PROCEDURAL AND PERSONNEL SECURITY CONTROLS

5.1 Physical Security Controls
The physical security measures taken by SAP TCS are in compliance with industry standards.
- The SMP Root CA of the SAP Trust Center Services is operated in a secure environment at SAP.
- Physical access to the system issuing certificates requires separate access measures. Physical access to the system should take place in the presence of at least two authorized persons.
- The SMP Root CA is equipped with backup power systems to ensure continuous, uninterrupted access to electric power.
- The SMP Root CA is equipped with primary and backup ventilation/air conditioning systems to control temperature and relative humidity.
- The SMP Root CA is protected from flooding or other damaging exposure to water.
- The SMP Root CA is protected from fire or other damaging exposure to flames or smoke.
- The storage media of the SMP Root CA holding backups of critical system data or any other sensitive information must be protected from water, fire or other environmental disasters. There must be access control to the storage media in order to prevent unauthorized use of and access to sensitive information.
- Waste disposal is handled appropriately in order to prevent unauthorized use of data.
- In case of disaster, backup measures are able to take over the functions of the SMP Root CA within a short time.

5.2 Trusted roles
A role-based model is implemented in the TCS. Only certain employees of SAP (e.g. system administrator, security officer) who are authorized in the sense of this role-based model have access to or control over the SMP Root CA's operations. The role-based model supports the Multiple-Eyes principle, which allows security relevant operations only in the presence of a minimum of two persons.

6 TECHNICAL SECURITY CONTROLS

6.1 SMP Root CA
The SMP Root CA uses one key pair, which is used only for certificate signing. The SMP Root CA generates an RSA key pair for itself. The key generation is done in a secure environment. After generation the private key of the SMP Root CA must be stored in a secure environment. In case of expiration of the associated certificate, or loss, compromise or suspected compromise of the private key of the SMP Root CA, a new key pair will be generated.

6.2 Certification Authority
The SMP Root CA generates the key pairs for the second level CAs in a secure environment. At present the SMP Root CA generates the key pair for the SAProuter CA. The private key of the CA is delivered securely by the SMP Root CA. As the SMP Root CA generates the key pair for the CA, public key delivery to the SMP Root CA is not necessary.

6.3 Key sizes
The key lengths are sufficient to protect from conceivable attacks:
- The key pair of the SMP Root CA is min. 1024 bits long.
- The key pair of the CAs is min. 1024 bits long.

6.4 Private Key Protection
The private key of the SMP Root CA is protected from loss, disclosure, modification and misuse. The private key of a CA has to be protected by the corresponding CA. The private key of the SMP Root CA will not be archived after expiry.
Activating the SMP Root CA private key requires the participation of multiple trusted personnel. Before the activation of the private key of the SMP Root CA the CA administrators authenticate to the system. The activation of the private key requires the participation of multiple trusted personnel. Reasonable measures are taken to protect the system physically in order to prevent unauthorized use of the system and the associated private key. The activation of the private key of each CA is done by the corresponding CA.
The SMP Root CA is responsible for the deactivation of its own private key. The SMP Root CA is responsible for the destruction and disposal of its own private key when it is no longer required for active use. Each CA is responsible for destroying and disposing of its private key when it is no longer required for active use.

6.5 Other aspects of Key Pair Management

6.5.1 Public Key archival
The public key and certificate of the SMP Root CA are archived within the framework of this policy.

6.5.2 Usage periods for the public and private keys
The operational period for the SMP Root CA key pair is the same as the validity period for the associated certificate. The active lifetime of the SMP Root CA's public and private key is restricted to 10 years.

6.6 Computer Security Controls
To assure the computer security of the operating system of the SMP Root CA, specific security controls should be implemented. For security reasons the SMP Root CA is maintained off-line. The configuration of and access control to the SMP Root CA systems is strictly controlled and limited to authorized persons only.

7 SPECIFICATION ADMINISTRATION

This section specifies how this particular certificate policy will be maintained. This CP may change from time to time. Any such changes are made only if needed by the TCS. Any changes made to the CP will be published as a new version of the CP. Publication of changes and notices of withdrawal will be made accordingly. Only authorized persons of the SAP Trust Center Services must approve this CP and any subsequent changes to it.

8 CERTIFICATE PROFILES

This section describes the certificate profiles of the SMP Root CA relevant certificates issued by the SAP Trust Center. The certificate profiles in SAP Trust Center Services are based on X.509v3 and PKIX. The certificate contains the following basic fields and the indicated prescribed values or value constraints.

8.1 Certificate Profile of the SMP Root CA
The following table describes the certificate profile of the SMP Root CA (columns: Field, Constant, Description):
Field: Version
  Constant: Version 3
  Description: This X.509 certificate has version 3.

Field: SerialNumber
  Constant: Serial Number
  Description: The serialNumber of the certificate is meant for the identification of the certificate.

Field: Signature
  Constant: SHA-1/RSA, Algorithm OID: 1.3.14.3.2.29
  Description: The signature algorithm used to sign the certificate is SHA-1/RSA.

Field: Issuer
  Constant: CN=SMP Root CA, OU=Service Marketplace, O=SAP, C=DE
  Description: The name of the certificate issuer is SMP Root CA.

Field: Validity
  Constant: NotBefore 18.07.2000, NotAfter 18.07.2010
  Description: This certificate is valid for 10 years.

Field: Subject
  Constant: CN=SMP Root CA, OU=Service Marketplace, O=SAP, C=DE
  Description: The certificate holder is SMP Root CA.

Field: subjectPublicKeyInfo
  Constant: Algorithm = RSA (1024 bits), Algorithm OID: 1.2.840.113549.1.1.1
  Description: This field contains information about the certificate holder's public key. The RSA public key is 1024 bits long.

Field: KeyUsage
  Constant: (CRITICAL) digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
  Description: The key pair can be used to sign certificates.

Field: SubjectAlternativeName
  Constant: URL: http://service.sap.com/TCS
  Description: This extension field contains the URL of the certificate holder.

Field: Basic Constraints
  Constant: Subject Type=CA, Path Length Constraint=None (allowed to act as a CA)
  Description: This field specifies that the SMP Root CA is allowed to act as a CA.

Field: SignatureAlgorithm
  Constant: SHA-1/RSA, Algorithm OID: 1.3.14.3.2.29
  Description: The signature algorithm of the certificate is SHA-1/RSA.

Table 1: Certificate profile of the SMP Root CA
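The KeyUsage and Basic Constraints rows of Table 1 are X.509 v3 extensions that a certificate carries DER-encoded. As an added example (not SAP's code and not part of this policy), the following pure-Python block encodes those two rows exactly as they would appear in the certificate, decodes the KeyUsage bit string back, and reports every bit beyond keyCertSign and cRLSign, a useful check because section 6.1 states the root key is used only for certificate signing while Table 1 lists four further usages. The BasicConstraints criticality flag is an assumption, since Table 1 marks only KeyUsage as critical.

```python
# Added example, not SAP's code: DER for the Table 1 extensions, checked against section 6.1.
# RFC 5280 KeyUsage named bits; bit 0 is the MSB of the first content byte.
KEY_USAGE_BITS = {"digitalSignature": 0, "nonRepudiation": 1,
                  "keyEncipherment": 2, "dataEncipherment": 3, "keyAgreement": 4,
                  "keyCertSign": 5, "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8}
# Usages listed for the SMP Root CA-Certificate in Table 1 of the policy.
PROFILE_KEY_USAGE = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                     "dataEncipherment", "keyCertSign", "cRLSign"]
OID_KEY_USAGE = bytes.fromhex("0603551d0f")          # id-ce-keyUsage 2.5.29.15
OID_BASIC_CONSTRAINTS = bytes.fromhex("0603551d13")  # id-ce-basicConstraints 2.5.29.19

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short-form length; everything here is < 128 bytes)."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def der_read(buf: bytes, pos: int = 0):
    """Read one short-form TLV at pos and return (tag, content, next_pos)."""
    tag, n = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def encode_key_usage(usages) -> bytes:
    """KeyUsage BIT STRING; DER drops trailing zero bits of a named bit list."""
    positions = sorted(KEY_USAGE_BITS[u] for u in usages)
    nbits = positions[-1] + 1 if positions else 0
    value = bytearray((nbits + 7) // 8)
    for p in positions:
        value[p // 8] |= 0x80 >> (p % 8)
    return der_tlv(0x03, bytes([len(value) * 8 - nbits]) + bytes(value))

def decode_key_usage(bitstring: bytes) -> set:
    """Inverse of encode_key_usage: the set of named usages whose bit is set."""
    tag, content, _ = der_read(bitstring)
    assert tag == 0x03
    unused, value = content[0], content[1:]
    names = {v: k for k, v in KEY_USAGE_BITS.items()}
    return {names[p] for p in range(len(value) * 8 - unused)
            if value[p // 8] & (0x80 >> (p % 8))}

def encode_extension(oid: bytes, critical: bool, value: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }."""
    crit = der_tlv(0x01, b"\xff") if critical else b""  # DER omits DEFAULT values
    return der_tlv(0x30, oid + crit + der_tlv(0x04, value))

def smp_root_extensions(basic_constraints_critical: bool = True) -> dict:
    """Table 1 extensions as DER. Only KeyUsage is marked critical on the page;
    the BasicConstraints flag is an assumption (RFC 5280 requires it for CAs)."""
    ku = encode_extension(OID_KEY_USAGE, True, encode_key_usage(PROFILE_KEY_USAGE))
    bc_value = der_tlv(0x30, der_tlv(0x01, b"\xff"))  # cA=TRUE, no pathLenConstraint
    bc = encode_extension(OID_BASIC_CONSTRAINTS, basic_constraints_critical, bc_value)
    return {"keyUsage": ku, "basicConstraints": bc}

def usages_beyond_cert_signing(key_usage_ext: bytes) -> set:
    """Section 6.1 says the root key serves only certificate signing: return the
    KeyUsage bits in a DER extension that go beyond keyCertSign and cRLSign."""
    _, body, _ = der_read(key_usage_ext)
    tag, val, pos = der_read(body, len(OID_KEY_USAGE))  # skip the OID TLV
    if tag == 0x01:                                     # optional critical flag
        tag, val, pos = der_read(body, pos)
    return decode_key_usage(val) - {"keyCertSign", "cRLSign"}
```

Running usages_beyond_cert_signing on the Table 1 KeyUsage returns the four non-signing usages; a profile limited to keyCertSign and cRLSign returns an empty set.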


9 BIBLIOGRAPHY

9.1 Abbreviations
C            Country
CA           Certification Authority
CN           Common Name
CP           Certificate Policy
O            Organization
OU           Organizational Unit
RSA          Rivest, Shamir and Adleman
SHA          Secure Hash Algorithm
SMP          SAP Service Marketplace
SMP Root CA  SAP Service Marketplace Root Certification Authority
TCS          Trust Center Services

9.2 Glossary

9.2.1 Certificate Policy (CP)
The CP describes a security policy for issuing certificates and maintaining certificate status information. This includes e.g. the operation of the CA, as well as guidelines for users for requesting, using, and handling certificates and keys. A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. (RFC 2527)

9.2.2 Subscriber
These are entities (in this case a system) that have been issued certificates within the PKI.

9.3 Literature & References
[Bie2000] Biester, J.; Bauspiess, F.; Fell, H.: SPHINX Technische Grundlagen, Tailoring MTTv2, 2000.
[Gut2000] Gutmann, P.: X.509 Style Guide, 2000. http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
[ITU97] ITU-T X.509: Information Technology - Open Systems Interconnection - The Directory: Authentication Framework, 1997.
[RFC2527] Chokhani, S.; Ford, W.: Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, 1999.
[RFC3280] Housley, R.; Ford, W.; Polk, W.; Solo, D.: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, 2002.
[Web2000] N.N.: WebTrust Program for Certification Authorities, 2000. http://www.cica.ca/cica/cicawebsite.nsf/public/SPWTpdf/$file/eCertAuth.pdf
