
Wednesday, February 23, 2011

FAQs on Security Collaboration

What are trusted systems?

Trusted systems are systems with a relationship of trust between them. For example, if you have set up a trusted relationship between system A and system B, so that system A trusts system B, a user that has logged onto system A can start a transaction in system B without entering a password but using the user ID from system A. (This is important since a user ID and password in an RFC destination means that all connections result in the same user ID connecting.)

What is the difference between ITSEC and Common Criteria certification?

SAP R/3 has been evaluated and certified according to the international ITSEC standard (Information Technology Security Evaluation Criteria). The evaluation was successfully completed in function class "F-C2" at evaluation level E2 medium. The ITSEC standard evolved from the US standard TCSEC (Trusted Computer System Evaluation Criteria, the "Orange Book"). ITSEC security certificates are recognized in the following countries: Germany, Finland, France, Greece, Great Britain, Italy, Netherlands, Norway, Portugal, Sweden, Switzerland, and Spain. For further information on ITSEC and the SAP evaluation, please have a look at the SAP Service Marketplace: http://service.sap.com/securitycertification.

Security standards are constantly evolving. The latest standard is Common Criteria 2.1. This developed from ITSEC, TCSEC, CTCPEC, and FC (Federal Criteria for Information Technology Security). Common Criteria certificates up to evaluation level EAL 4 are recognized in many major countries, among them the US, Canada, Israel, Australia, and many European countries. Common Criteria corresponds to the ISO/IEC 15408 standard. For further information on this, please visit http://csrc.nist.gov/cc/.

Assurance level comparison:

CC EAL3 corresponds to:

  • ITSEC E2 (Europe)
  • TCSEC C2 (USA)
  • CTCPEC T3 (Canada)

CC EAL4 corresponds to:

  • ITSEC E3 (Europe)
  • TCSEC B1 (USA)
  • CTCPEC T4 (Canada)

The question for SAP is whether a security certification of our products makes sense from a business point of view. The effort required to undergo certification is very high, and internal as well as external costs are considerable. For an EAL4 certification, source code reviews are required in addition to the general evaluation procedure, together with a high volume of documentation. This process would take at least a year for a single SAP product.

What does the certification ITSEC E2 medium (SAP's security certification) mean?

SAP has received the ITSEC security certificate from the German Federal Office for Security in Information Technology (Bundesamt für Sicherheit in der Informationstechnik (BSI)).

SAP R/3 4.0B has been evaluated according to the Information Technology Security Evaluation Criteria (ITSEC) Version 2.1, June 1991 and the IT Security Evaluation Manual (ITSEM) Version 1.0, September 1993. The evaluation result was E2/Medium.

The certificate is recognized in the following countries: Germany, Finland, France, Great Britain, Italy, Holland, Norway, Portugal, Sweden, Switzerland, and Spain.

The ITSEC classification F-C2, E2 corresponds to the US TCSEC (Orange Book) classification C2. You can find further information on the ITSEC certification here in the SAP Service Marketplace and in SAP Note 0077462.

Where can I find information about partners?

See the partner directory on the SAP Service Marketplace using the quick link Softwarepartner (SMP login required) or find our security partners at quick link security, folder security partners.

Can specific transactions be allowed or disallowed on the backend?

This should be administered through a qualified authorization concept. All transactions you wish to grant to a user should be integrated into a role using the Profile Generator (transaction PFCG). More information is provided by the training course ADM940 (SAP Authorization Concept).

What security-related training courses are there?

  • ADM940 (CA940) SAP Authorization Concept
  • ADM950 Secure SAP System Management
  • ADM960 Security in SAP System Environments
  • ADM102 (BC305) Advanced System Administration, chapters about CUA, CCMS and auditing
  • HR940 Configuration Master Data in HCM

In addition to the training offered by SAP, there are a variety of partners providing training in fields like Public Key Infrastructures and directory integration.

Where can I find more information about mySAP Technology for Security?

Use the quick links Security and Securityguide on the SAP Service Marketplace (SMP login required). You can also use the general e-mail Service@sap.com. See also: composite SAP Note 30724.

Which Quick Links on the SAP Service Marketplace (http://service.sap.com) are relevant for Security?

  • Security (Information and literature about all security topics)
  • TCS (Information about the SAP Trust Center Service)
  • AIS (Information about SAP's Audit Information System)
  • Securityguide (Download the SAP Security Guide)
  • Systemmanagement (Computer Center Management System (CCMS); a tool for System Monitoring and Alert Management)
  • Securityconsulting (Consulting services from SAP concerning security)

Is there information available on a security review by SAP (costs, benefit, and so on)?

Refer to the Security Consulting service of SAP Deutschland AG & Co. KG (SAP LGD) (quick link Securityconsulting on the SAP Service Marketplace).

Which signature formats are supported with the Secure Store and Forward Interface (SSF)?

  • PKCS#7 for the ABAP stack
  • PKCS#7, XML and S/MIME Version 2 for the Java stack

Are qualified electronic signatures, as defined in the European signature law, supported with the Secure Store and Forward (SSF) Interface?

No, because SSF supports neither online checking of certificate revocation status (OCSP) nor Certificate Revocation Lists (CRL). Without a revocation check, a verifier cannot tell a signature made with a valid key from one made with a key whose certificate has since been revoked, which is why such signatures do not meet the requirements for qualified signatures.
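To make the missing piece concrete, here is an added example (not SAP code and not part of the original FAQ) of a detached-signature verifier that performs the revocation check SSF lacks. It builds a throw-away CA and signer certificate in memory (all names are constructed), signs a sample document, and then verifies it against two CA-signed CRLs: an empty one and one that revokes the signer. Signature verification alone passes in both cases; only the CRL step rejects the revoked signer. The example uses only the Go standard library and assumes Go 1.19 or newer (for x509.ParseRevocationList and generics).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrRevoked is returned when the signer's serial number is listed on the CRL.
var ErrRevoked = errors.New("signer certificate is revoked")

// must keeps the setup short: any failure while building the demo PKI is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// demoPKI is a throw-away CA plus one signer certificate (constructed for this example).
type demoPKI struct{ ca, signer *x509.Certificate; caKey, signerKey *ecdsa.PrivateKey }

func newDemoPKI(now time.Time) *demoPKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{ // cRLSign key usage is required to issue CRLs
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Demo Signing CA (constructed)"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	signerKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signerTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject:      pkix.Name{CommonName: "Demo Signer (constructed)"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
	}
	signer := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, signerTmpl, ca, &signerKey.PublicKey, caKey))))
	return &demoPKI{ca: ca, signer: signer, caKey: caKey, signerKey: signerKey}
}

// makeCRL issues a CA-signed CRL listing the given certificates as revoked at now.
func (p *demoPKI) makeCRL(now time.Time, revoked ...*x509.Certificate) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.ca, p.caKey)
}

// sign produces a detached ECDSA/SHA-256 signature over doc.
func sign(doc []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	h := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// verifyDetached accepts sig only if (1) it verifies under the signer's key, (2) the signer
// chains to the trusted CA at time at, and (3) a fresh CA-signed CRL does not list the signer.
func verifyDetached(doc, sig []byte, signer, ca *x509.Certificate, crlDER []byte, at time.Time) error {
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, doc, sig); err != nil {
		return fmt.Errorf("signature does not verify: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain invalid: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("bad CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not issued by the trusted CA: %w", err)
	}
	if at.After(crl.NextUpdate) { // stale revocation data: fail closed rather than guess
		return errors.New("CRL is stale")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(signer.SerialNumber) == 0 && !at.Before(rc.RevocationTime) {
			return ErrRevoked
		}
	}
	return nil
}

func main() {
	now := time.Now()
	pki := newDemoPKI(now)
	doc := []byte("constructed sample document: order approved") // constructed input
	sig := must(sign(doc, pki.signerKey))
	fmt.Println("before revocation:", verifyDetached(doc, sig, pki.signer, pki.ca, must(pki.makeCRL(now)), now))
	fmt.Println("after revocation: ", verifyDetached(doc, sig, pki.signer, pki.ca, must(pki.makeCRL(now, pki.signer)), now))
}
```

Two design points matter for a qualified-signature verifier: the CRL's own signature is checked against the CA before it is trusted, and a CRL past its NextUpdate is treated as a failure rather than as "not revoked", since an attacker who can withhold fresh revocation data must not be able to keep a revoked key usable. A real deployment would fetch the CRL from the distribution point in the certificate or query OCSP instead of taking the CRL as a parameter.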

Are smartcards for authentication and digital signatures supported?

Companies often want to use the same SmartCard for entering the company building, logging on to the computer, and creating digital signatures. SAP supports this possibility in principle. Authentication to an SAP system can be performed using an X.509 certificate. If a logon to an SAP system with a SmartCard using a web browser is desired, the customer must ensure that the certificate on the SmartCard is made available to the browser via Microsoft CAPI (Internet Explorer) or PKCS#11 (Netscape / Mozilla). An external security product that supports MS-CAPI or PKCS#11 is required for this. If a logon to an SAP R/3 system with a SmartCard using the SAP GUI for Windows is desired, Secure Network Communication (SNC) must be installed between the front end and the back end; the external security product must therefore support SNC.

If you wish to create digital signatures using cryptographic hardware, you need to use an external security product. Note that neither SAPSeculib/SAPCryptolib nor the SSF Library for Java can be used in this case, since they do not support any cryptographic hardware. As a consequence, only signatures in PKCS#7 format on the SAP NetWeaver AS ABAP are supported if you are using cryptographic hardware.
