
ThyssenKrupp Mexinox CreateIT User Manual

Document Information
Customer: Project: Analyzed By: Required By: Approved By: Developer: Reviewed By: ContiTech Mexicana Jesus Arturo Hernandez Santana ContiTech Mexicana Business Area: Process: Requirement: Version No: Version date: Required Date: Review date: Basis Digital Certificate configuration 01 - User Manual 16/Jan/2012

Distribution List
From Jesus Arturo Hernandez Santana To Guido Dobravsky Frank Sndermann Nadine Hucke Action* Approve Approve Inform Date 16/Jan/2012 Due Date Department/Company CreateIT Department/Company ContiTech Mexicana ContiTech AG CreateIT

* Action Types: Approve, Review, Inform, Archive, Action required, Attend Meeting, Other (specify)

Version Control
Ver. No. 01 Version Date 16/Jan/2012 Reviewed by Description User Manual Filename USR-MAN-Certificate Configuration-V116Jan2012

Document Purpose
Provide detailed information about the right use of the application, in order to clarify the functionality to the final user.

Address: ThyssenKrupp Mexinox CreateIT, S.A. de C.V., Av. Eugenio Garza Sada No. 300, Lomas del Tecnológico, C.P. 78211, San Luis Potosí, SLP, México Phone: +52 (444) 835 60 25 Internet: www.create-it.com.mx Created by: María José Torres Becerril



Content
1 Application Use Guide
1.1 Access
1.2 << Modules / Procedures / Etc. >>
1.3 Final
2 Use Cases
2.1 Digital Certificates concepts
2.1.1 Certification Path
2.1.2 Certification path validation algorithm
2.2 Digital Certificates configuration
2.2.1 Find out the correct Certification Path for Productive Certificate
2.2.2 Find out the correct Certification Path for Test Certificate
2.3 Testing Phase
3 Signatures



1 Application Use Guide
The objective of this document is to explain how the digital certificates are used and when they should be used to configure the digital certificate within SAP.

1.1 Access
- Banco de Mexico's web page. Access via Internet, no login is required; the main page can be found at http://www.banxico.org.mx/indexEn.html
- SAP System. Access by SAP GUI; a special BASIS access is required.
- SAP System Server. Access by remote administration tool; user administrator access is required.

1.2 << Modules / Procedures / Etc. >>


Describe each module of the app. Find enclosed in this section, the screenshots after having logged in and the screenshots of each module showing the buttons and fields used within the process described. Describe the process of how to save the changes or procedures made using the app and attach the screenshots showing the buttons and fields used within the process described.

1.3 Final
Describe the process to log out the app or primary system. Attach the screenshots showing the buttons and fields used within the process described.

2 Use Cases

Detail the different use cases possible using the application and describe the functions of each use case. Attach the screenshots showing the buttons and fields used within the process described.

2.1 Digital Certificates concepts


2.1.1 Certification Path

A path starts with the Subject certificate (ContiTech Mexicana's certificate) and proceeds through a number of intermediate certificates (SAT's certificate) up to a trusted root certificate (BANXICO's certificate). If any of them is missing, the certification path is not complete. As several certificates might exist for the Banxico and SAT authorities, the certification path must be correct; otherwise the certificate will not work in the SAP system. It is recommended that the certification path is validated in a bottom-up procedure. In Mexico, the certificate for ContiTech Mexicana was issued by the Tax authorities known as SAT; furthermore, SAT's certificate was issued by the Banco de Mexico, which is the root certification authority.


2.1.2 Certification path validation algorithm

In the standardized algorithm, the following steps are performed for each certificate in the path, starting from the trust anchor. If any check fails on any certificate, the algorithm terminates and path validation fails. (This is an explanatory summary of the scope of the algorithm, not a rigorous reproduction of the detailed steps.)

- The public key algorithm and parameters are checked.
- The current date/time is checked against the validity period of the certificate.
- The revocation status is checked, whether by CRL, OCSP, or some other mechanism, to ensure the certificate is not revoked.
- The issuer name is checked to ensure that it equals the subject name of the previous certificate in the path.
- Name constraints are checked, to make sure the subject name is within the permitted subtrees list of all previous CA certificates and not within the excluded subtrees list of any previous CA certificate.
- The asserted Certificate Policy OIDs are checked against the permissible OIDs as of the previous certificate, including any policy mapping equivalencies asserted by the previous certificate.
- Policy constraints and basic constraints are checked, to ensure that any explicit policy requirements are not violated and that the certificate is a CA certificate, respectively. This step is crucial in preventing some man-in-the-middle attacks.
- The path length is checked to ensure that it does not exceed any maximum path length asserted in this or a previous certificate.
- The key usage extension is checked to ensure that it is allowed to sign certificates.
- Any other critical extensions are recognized and processed.

If this procedure reaches the last certificate in the chain, with no name constraint or policy violations or any other error condition, then the certificate path validation algorithm terminates successfully.
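The bottom-up check from 2.1.1 and the issuer-name and signature steps of 2.1.2, as an added shell example (not part of the original manual or of SAP Note 1300880). It builds a throwaway lab PKI with openssl, so every file name and subject in it is constructed; it goes one step beyond comparing displayed names by also verifying the signature, so a candidate CA certificate with the right name but another key is rejected.

```bash
#!/usr/bin/env bash
# Added example. The lab PKI is generated on the fly; every name and file is constructed.
set -eu

# Print the subject or issuer DN ($1) of the PEM certificate $2 on one line.
dn() { local v; v=$(openssl x509 -noout -nameopt RFC2253 "-$1" -in "$2"); printf '%s\n' "${v#*=}"; }

# Root test: issuer equals subject and the signature verifies under the cert's own key.
is_root() {
  [ "$(dn issuer "$1")" = "$(dn subject "$1")" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Print the first candidate whose subject is the issuer named in $1 AND whose key
# really produced the signature on $1. Returns 1 when no candidate qualifies.
find_issuer() {
  local cert="$1" cand; shift
  for cand in "$@"; do
    [ "$(dn issuer "$cert")" = "$(dn subject "$cand")" ] || continue
    openssl verify -partial_chain -CAfile "$cand" "$cert" >/dev/null 2>&1 || continue
    printf '%s\n' "$cand"; return 0
  done
  return 1
}

# Bottom-up walk: subject certificate first, then each issuer, ending at a root.
build_path() {
  local cur="$1" depth=0; shift
  printf '%s\n' "$cur"
  until is_root "$cur"; do
    depth=$((depth + 1)); [ "$depth" -le 8 ] || return 1   # guard against loops
    cur=$(find_issuer "$cur" "$@") || return 1
    printf '%s\n' "$cur"
  done
}

# issue <file stem> <CN> <issuer stem> <serial> [extra "openssl x509" options]
issue() {
  local n="$1" cn="$2" ca="$3" ser="$4"; shift 4
  openssl req -config lab.cnf -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$n.key" -out "$n.csr" 2>/dev/null
  openssl x509 -req -in "$n.csr" -CA "$ca.pem" -CAkey "$ca.key" -set_serial "$ser" \
    -days 30 "$@" -out "$n.pem" 2>/dev/null
}

make_lab_pki() {   # run inside an empty directory
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
    '[ca_ext]' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign' > lab.cnf
  openssl req -config lab.cnf -x509 -extensions ca_ext -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Lab Root" -keyout root.key -out root.pem 2>/dev/null
  issue ac_name "Lab Issuing CA B" root 2 -extfile lab.cnf -extensions ca_ext  # other name
  issue ac_key  "Lab Issuing CA"   root 3 -extfile lab.cnf -extensions ca_ext  # same name, other key
  issue ac_good "Lab Issuing CA"   root 4 -extfile lab.cnf -extensions ca_ext  # the real issuer
  issue leaf    "Lab Taxpayer"     ac_good 5
}

cd "$(mktemp -d)"
make_lab_pki
build_path leaf.pem ac_name.pem ac_key.pem ac_good.pem root.pem   # leaf.pem, ac_good.pem, root.pem
```

Only the signature check separates ac_key.pem from ac_good.pem, which is why two intermediate certificates that look identical in the certificate viewer cannot be told apart by name alone.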

2.2 Digital Certificates configuration


Three certificates are needed in order to be able to configure the final certificate in SAP:
- Banxico. Downloaded from Banco de Mexico's web page; this certificate is considered as the root certificate.
- SAT. Downloaded from Banco de Mexico's web page; this certificate is considered as an intermediate certificate.
- ContiTech Mexicana. Requested by the Finance area of ContiTech Mexicana; this is the certificate at the end of the certification path.

2.2.1 Find out the correct Certification Path for Productive Certificate

The following example is to find the complete certification path for a Productive certificate; this will be done by using certificates provided in the SAP note 1300880 and . The list of certificates is:
- AC1_Sat (Provided by Banxico's web page)
- AC2_Sat (Provided by Banxico's web page)
- AR_SAT (Provided by Banxico's web page)
- 00001000000200025416 (Provided by the Finance department of ContiTech Mexicana)



As long as we haven't completed the certification path, the subject certificate will keep showing a screen like the following when we open the certificate (by double-clicking it):

The text in the red box says that the issuer of the certificate cannot be found. On the general information tab of the subject certificate, we can see to whom it was issued (CONTITECH MEXICANA SA DE CV) and who issued the certificate (A.C. del Servicio de Administración Tributaria):


If we check the Details tab, we can see more information about the issuer of the certificate:

On the Issuer section, we can see that the responsible person of issuing the certificate is Celia Guillermina García Guerra, as well as other information.


Now we have to find the intermediate certificate for A.C. del Servicio de Administración Tributaria. We have two options as described by SAP Note 1300880; if we open both certificates (AR1 and AR2) we can see the following:

It seems that both certificates are the same but if we go to the Details section and check the Subject section:



Here we see the difference: the persons responsible for issuing the certificates are different, Cesar Luis Perales Tellez and Fernando Martinez Coss. It is also evident that they don't match the responsible person in ContiTech's certificate, Celia Guillermina García Guerra. The Tax authorities are responsible for providing the correct SAT certificate, so they must be asked to give the correct certificate based on the check points of this example.

2.2.2 Find out the correct Certification Path for Test Certificate

The following procedure will find the complete certification path for a Test certificate following the procedure stated by the SAP note 1300880. The list of certificates is:
- aaa010101aaa_csd_01 (Provided by SAP Note)
- AC_Pba (Provided by SAP Note)
- ARCBanxico_pruebas (Provided by SAP Note)

As long as we haven't completed the certification path, the subject certificate will keep showing a screen like the following when we open the certificate (by double-clicking it):

The text in the red box says that the issuer of the certificate cannot be found. On the general information tab of the subject certificate, we can see to whom it was issued for (Matriz SA) and who issued the certificate (A.C. de pruebas):


If we check the Details tab, we can see more information about the issuer of the certificate:

On the Issuer section, we can see that the responsible person of issuing the certificate is Héctor Ornelas Arciga, as well as other information.


Now we have to find the intermediate certificate for A.C. de pruebas. We have one option included in the SAP Note 1300880, the certificate AC_Pba; if we open it we can see the following:

We can see that the Issued to name is exactly the same as the one shown in the General tab view of the subject certificate. Now we have to find the certificate of the Agencia Registradora Central. If we open the certificate ARCBanxico_pruebas, we can see the following information:


We now see that the issuer and the target are the same; this means that we have found the root certificate. The final test for the certification path will be to install the certificates and check the certification path tab of the subject certificate:



After installing all three certificates we can see the following:

2.2.3 Configure a Certificate in SAP

Once we have detected the correct certificates, we have to execute the procedure as described in the SAP Note 1300880, but we will use only the necessary certificates. For example, for a test certificate we will only use the following files:
- aaa010101aaa_csd_01.cer
- aaa010101aaa_csd_01.key
- AC_Pba.cer
- ARCBanxico_pruebas.cer

The procedure is:

rem convert key from DER to PEM
openssl pkcs8 -inform DER -in aaa010101aaa_CSD_01.key -passin pass:a0123456789 -outform PEM -out CSD_01.key.pem -passout pass:a0123456789
rem convert certs from DER to PEM
openssl x509 -inform DER -in aaa010101aaa_CSD_01.cer -outform PEM -out CSD_01.cer.pem
openssl x509 -inform DER -in AC_Pba.cer -outform PEM -out AC_Pba.cer.pem
openssl x509 -inform DER -in ARCBanxico_pruebas.cer -outform PEM -out ARCBanxico_pruebas.cer.pem
rem append cert and key into one file
copy CSD_01.key.pem+CSD_01.cer.pem+AC_Pba.cer.pem+ARCBanxico_pruebas.cer.pem CSD_01_chain.pem
rem convert pem file to pkcs12
openssl pkcs12 -in CSD_01_chain.pem -passin pass:a0123456789 -export -out CSD_01.p12 -name SAT -passout pass:a0123456789

And the PSE conversion must look like the following:

rem convert pkcs12 file to pse
sapgenpse import_p12 -p CSD_01.pse -x a0123456789 -z a0123456789 CSD_01.p12



Credentials assignation is:
sapgenpse seclogin -p CSD_01.pse -x a0123456789

There is one restriction on the creation of the PSE file for SAP: the file name, as described in the SAP Note 1300880.
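A pre-flight check for the conversion in 2.2.3, as an added shell example (not from the manual or the SAP Note): it confirms that the private key belongs to the certificate before the PKCS#12 file is built, and hands the passphrase to openssl through the env: source instead of pass: so that it does not appear on the command line. The key, the certificates, the passphrase and the KEY_PASS variable name are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example. Keys, certificates and the passphrase are constructed for this demo.
set -eu
export KEY_PASS='constructed-demo-passphrase'   # read by openssl via env:, kept off the command line

# Public key (PEM) of a private key file, and of a certificate.
pub_of_key()  { openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null; }
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# True only when the private key in $1 belongs to the certificate in $2.
# Fails closed: an unreadable key, a wrong passphrase or an unreadable cert is "no match".
pair_matches() {
  local k c
  k=$(pub_of_key "$1") && c=$(pub_of_cert "$2") && [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_p12 <key.pem> <cert.pem> <ca-certs.pem> <out.p12>: bundle only a verified pair.
make_p12() {
  pair_matches "$1" "$2" || { echo "key does not match certificate: $1 / $2" >&2; return 1; }
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -name SAT \
    -passin env:KEY_PASS -passout env:KEY_PASS -out "$4"
}

# Number of certificates stored in a PKCS#12 file (subject certificate plus CA certificates).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin env:KEY_PASS -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

cd "$(mktemp -d)"
printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' > lab.cnf
# Constructed stand-ins: an issuing CA, an encrypted subject key with its certificate, a stray key.
openssl req -config lab.cnf -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab CA" \
  -keyout ca.key -out ca.pem 2>/dev/null
openssl req -config lab.cnf -new -newkey rsa:2048 -passout env:KEY_PASS -subj "/CN=Lab Subject" \
  -keyout csd.key -out csd.csr 2>/dev/null
openssl x509 -req -in csd.csr -CA ca.pem -CAkey ca.key -set_serial 2 -days 30 -out csd.pem 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.key 2>/dev/null

make_p12 csd.key csd.pem ca.pem csd.p12
echo "certificates in csd.p12: $(p12_cert_count csd.p12)"
```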

2.3 Testing Phase


The most important test is to check the credentials assignment (described in SAP Note 1300880); if the credentials were not assigned correctly, the system will not be able to sign any digital invoice. The tests start as follows; the example was taken from a real case from system Q83. Execute report ZSSF_TEST_PSE (attached to SAP Note 800240) with transaction SE38; parameters must be the following:

No PIN must be entered and the result must not have any red status line. In the Q83 system, the result was an error like the following:

One way to double check the PSE configuration is to execute the report RSBDCOS0 and then execute the following statement to check the user under which the application server runs:


The result shows that the user under which the application server runs is q83adm; we can also see that no readable credentials are available for the user q83adm:

Thus, credentials are still not assigned or they were assigned incorrectly; to correct this situation you have to execute a statement like the following in the current report:

sapgenpse seclogin -p <path and PSE file name>.pse -x <PIN> -o <User ID>

For Q83 the statement should look like the following:

sapgenpse seclogin -p /usr/sap/Q83/DVEBMGS87/sec/SAPMXDI_Q83_175.pse -x a0123456789 -o q83adm

After executing this statement you can check again with:

sapgenpse seclogin -l 2>&1

The system should say that there is one readable credential; for example in our system it says:



3 Signatures
V. 01 - User Manual 16/Jan/2012 Document Version Date Revision (optional) Document Signatures Jesus Arturo Hernandez Santana

Sign
