Document Information
Customer: Project: Analyzed By: Required By: Approved By: Developer: Reviewed By: ContiTech Mexicana Jesus Arturo Hernandez Santana ContiTech Mexicana Business Area: Process: Requirement: Version No: Version date: Required Date: Review date: Basis Digital Certificate configuration 01 - User Manual 16/Jan/2012
Distribution List
From: Jesus Arturo Hernandez Santana (CreateIT), Date: 16/Jan/2012, Due Date: (none)
To:
- Guido Dobravsky (ContiTech Mexicana): Approve
- Frank Sündermann (ContiTech AG): Approve
- Nadine Hucke (CreateIT): Inform
* Action Types: Approve, Review, Inform, Archive, Action required, Attend Meeting, Other (specify)
Version Control
Ver. No.: 01
Version Date: 16/Jan/2012
Reviewed by:
Description: User Manual
Filename: USR-MAN-Certificate Configuration-V116Jan2012
Document Purpose
Provide detailed information about the correct use of the application, in order to clarify its functionality for the end user.
Address: ThyssenKrupp Mexinox CreateIT, S.A. de C.V., Av. Eugenio Garza Sada No. 300, Lomas del Tecnológico, C.P. 78211, San Luis Potosí, SLP, México. Phone: +52 (444) 835 60 25. Internet: www.create-it.com.mx. Created by: María José Torres Becerril
Page 1 of 17
1.1 Access
- Banco de México's web page: accessed over the internet; no login is required. The main page can be found at http://www.banxico.org.mx/indexEn.html
- SAP System: accessed via SAP GUI; a special BASIS access is required.
- SAP System Server: accessed via a remote administration tool; administrator user access is required.
1.3 Final
Describe the process to log out the app or primary system. Attach the screenshots showing the buttons and fields used within the process described.
Use Cases
Detail the different use cases possible with the application and describe the functions of each use case. Attach the screenshots showing the buttons and fields used within the process described.
In the standardized algorithm, the following steps are performed for each certificate in the path, starting from the trust anchor. If any check fails on any certificate, the algorithm terminates and path validation fails. (This is an explanatory summary of the scope of the algorithm, not a rigorous reproduction of the detailed steps.)
1. The public key algorithm and parameters are checked.
2. The current date/time is checked against the validity period of the certificate.
3. The revocation status is checked, whether by CRL, OCSP, or some other mechanism, to ensure the certificate is not revoked.
4. The issuer name is checked to ensure that it equals the subject name of the previous certificate in the path.
5. Name constraints are checked, to make sure the subject name is within the permitted subtrees list of all previous CA certificates and not within the excluded subtrees list of any previous CA certificate.
6. The asserted Certificate Policy OIDs are checked against the permissible OIDs as of the previous certificate, including any policy mapping equivalencies asserted by the previous certificate.
7. Policy constraints and basic constraints are checked, to ensure that any explicit policy requirements are not violated and that the certificate is a CA certificate, respectively. This step is crucial in preventing some man-in-the-middle attacks.
8. The path length is checked to ensure that it does not exceed any maximum path length asserted in this or a previous certificate.
9. The key usage extension is checked to ensure that the certificate is allowed to sign certificates.
10. Any other critical extensions are recognized and processed.
If this procedure reaches the last certificate in the chain, with no name constraint or policy violations or any other error condition, then the certificate path validation algorithm terminates successfully.
2.2.1
The following example finds the complete certification path for a productive certificate, using the certificates provided in SAP Note 1300880 and . The list of certificates is:
- AC1_Sat (provided by Banxico's web page)
- AC2_Sat (provided by Banxico's web page)
- AR_SAT (provided by Banxico's web page)
- 00001000000200025416 (provided by the Finance department of ContiTech Mexicana)
The text in the red box says that the issuer of the certificate cannot be found. On the General tab of the subject certificate, we can see to whom it was issued (CONTITECH MEXICANA SA DE CV) and who issued it (A.C. del Servicio de Administración Tributaria):
If we check the Details tab, we can see more information about the issuer of the certificate:
In the Issuer section, we can see that the person responsible for issuing the certificate is Celia Guillermina García Guerra, along with other information.
It seems that both certificates are the same, but if we go to the Details tab and check the Subject section:
The following procedure finds the complete certification path for a test certificate, following the procedure stated in SAP Note 1300880. The list of certificates is:
- aaa010101aaa_csd_01 (provided by the SAP Note)
- AC_Pba (provided by the SAP Note)
- ARCBanxico_pruebas (provided by the SAP Note)
As long as we haven't completed the certification path, the subject certificate will keep showing a screen like the following when we open it (by double-clicking it):
The text in the red box says that the issuer of the certificate cannot be found. On the General tab of the subject certificate, we can see to whom it was issued (Matriz SA) and who issued it (A.C. de pruebas):
If we check the Details tab, we can see more information about the issuer of the certificate:
In the Issuer section, we can see that the person responsible for issuing the certificate is Héctor Ornelas Arciga, along with other information.
We can see that the "Issued to" name is exactly the same as the one shown in the General tab of the subject certificate. Now we have to find the certificate of the Agencia Registradora Central. If we open the certificate ARCBanxico_pruebas, we can see the following information:
We now see that the issuer and the subject are the same, which means we have found the root certificate. The final test for the certification path will be to install the certificates and check the Certification Path tab of the subject certificate:
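The manual builds the certification path by hand (open a certificate, read its Issuer, find the certificate whose Subject matches, repeat until issuer and subject coincide) and then relies on the operating system to run the path validation checks summarised in section 2. The script below, added here as an example and not part of the manual or of SAP's tooling, does both steps over plain-dict stand-ins for certificates: there is no DER parsing and no signature verification, so it demonstrates the structural logic only (validity period, issuer/subject linkage, CA flag, keyCertSign and pathLenConstraint; revocation, name constraints and policies are left out). The three constructed certificates mirror the test chain; the subject name "Agencia Registradora Central" for the root and all validity dates, flags and path-length values are assumptions.

```python
"""Added example: find a certification path by issuer/subject matching, then
apply the structural checks of X.509 path validation. Certificates are dicts,
not real DER objects; no signatures are verified."""
from datetime import datetime


class PathError(Exception):
    """Carries the reason the path could not be built or validated."""


def find_issuer(cert, pool):
    """Return the certificate in pool whose Subject equals cert's Issuer."""
    for candidate in pool:
        if candidate is not cert and candidate["subject"] == cert["issuer"]:
            return candidate
    # Same situation as the "issuer of this certificate could not be found" screen.
    raise PathError(f"issuer of {cert['name']} cannot be found: {cert['issuer']!r}")


def build_path(leaf, pool):
    """Leaf first, root last; stops at the first self-signed certificate."""
    path, current = [leaf], leaf
    while current["subject"] != current["issuer"]:
        current = find_issuer(current, pool)
        if current in path:
            raise PathError("loop in certification path")
        path.append(current)
    return path


def validate_path(path, now):
    """Run the checks trust anchor first, the way the standard algorithm does."""
    chain = list(reversed(path))                      # root ... leaf
    if chain[0]["subject"] != chain[0]["issuer"]:
        raise PathError("path does not end at a self-signed trust anchor")
    last = len(chain) - 1
    for depth, cert in enumerate(chain):
        if not cert["not_before"] <= now <= cert["not_after"]:
            raise PathError(f"{cert['name']} is outside its validity period")
        if depth > 0 and cert["issuer"] != chain[depth - 1]["subject"]:
            raise PathError(f"{cert['name']}: issuer does not match previous subject")
        if depth == last:
            continue                                  # end-entity: no CA checks
        if not cert.get("ca", False):                 # basic constraints
            raise PathError(f"{cert['name']} is not a CA certificate")
        if "keyCertSign" not in cert.get("key_usage", ()):  # key usage
            raise PathError(f"{cert['name']} is not allowed to sign certificates")
        # pathLenConstraint: how many more CA certificates may follow this one
        intermediates_below = last - depth - 1
        limit = cert.get("path_len")
        if limit is not None and intermediates_below > limit:
            raise PathError(f"{cert['name']}: maximum path length exceeded")
    return True


def _cert(name, subject, issuer, ca=False, key_usage=(), path_len=None):
    # Constructed validity window covering the manual's date (16 Jan 2012).
    return {"name": name, "subject": subject, "issuer": issuer, "ca": ca,
            "key_usage": key_usage, "path_len": path_len,
            "not_before": datetime(2011, 1, 1), "not_after": datetime(2013, 1, 1)}


# Constructed stand-ins for the manual's test chain. "Matriz SA" and
# "A.C. de pruebas" appear in the manual; the root's subject name is assumed.
ROOT = _cert("ARCBanxico_pruebas", "Agencia Registradora Central",
             "Agencia Registradora Central", ca=True,
             key_usage=("keyCertSign",), path_len=1)
INTERMEDIATE = _cert("AC_Pba", "A.C. de pruebas", "Agencia Registradora Central",
                     ca=True, key_usage=("keyCertSign",), path_len=0)
LEAF = _cert("aaa010101aaa_csd_01", "Matriz SA", "A.C. de pruebas",
             key_usage=("digitalSignature",))
POOL = [LEAF, INTERMEDIATE, ROOT]
MANUAL_DATE = datetime(2012, 1, 16)


def check(leaf, pool, now=MANUAL_DATE):
    """Return (True, names leaf-to-root) or (False, reason)."""
    try:
        path = build_path(leaf, pool)
        validate_path(path, now)
        return True, [c["name"] for c in path]
    except PathError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(check(LEAF, POOL))                       # complete chain
    print(check(LEAF, [LEAF, INTERMEDIATE]))       # root missing, as in the red-box screen
```

Running it with the root left out of the pool reproduces the "issuer cannot be found" situation the screenshots show; with all three certificates present the path resolves to the self-signed ARCBanxico_pruebas and every check passes.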
2.2.3
Once we have detected the correct certificates, we have to execute the procedure described in SAP Note 1300880, but using only the necessary certificates. For example, for a test certificate we will only use the following files:
- aaa010101aaa_csd_01.cer
- aaa010101aaa_csd_01.key
- AC_Pba.cer
- ARCBanxico_pruebas.cer
The procedure is:

rem convert key from DER to PEM
openssl pkcs8 -inform DER -in aaa010101aaa_CSD_01.key -passin pass:a0123456789 -outform PEM -out CSD_01.key.pem -passout pass:a0123456789
rem convert certs from DER to PEM
openssl x509 -inform DER -in aaa010101aaa_CSD_01.cer -outform PEM -out CSD_01.cer.pem
openssl x509 -inform DER -in AC_Pba.cer -outform PEM -out AC_Pba.cer.pem
openssl x509 -inform DER -in ARCBanxico_pruebas.cer -outform PEM -out ARCBanxico_pruebas.cer.pem
rem append cert and key into one file
copy CSD_01.key.pem+CSD_01.cer.pem+AC_Pba.cer.pem+ARCBanxico_pruebas.cer.pem CSD_01_chain.pem
rem convert pem file to pkcs12
openssl pkcs12 -in CSD_01_chain.pem -passin pass:a0123456789 -export -out CSD_01.p12 -name SAT -passout pass:a0123456789
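The procedure above turns each DER file into PEM and concatenates key, leaf, intermediate and root into one file before `openssl pkcs12 -export` reads it. The Python below is an added example, not the manual's own steps, showing what that encoding and concatenation produce and adding the sanity check a practitioner wants before packaging: exactly one private key block, placed first, and all expected certificates present. The DER byte strings are constructed placeholders, not real keys or certificates, and the "ENCRYPTED PRIVATE KEY" label assumes the key was written with a `-passout` password as in the procedure.

```python
"""Added example: DER -> PEM encoding, PEM bundle assembly and a pre-pkcs12 check.
Sample DER inputs are constructed placeholders, not real cryptographic objects."""
import base64
import re


def der_to_pem(der: bytes, label: str) -> str:
    """What `openssl ... -inform DER -outform PEM` produces for the encoding step:
    base64 in 64-character lines between BEGIN/END markers carrying the label."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)


def split_pem(text: str):
    """Return [(label, der_bytes), ...] in file order, i.e. what pkcs12 will see."""
    return [(m.group(1), base64.b64decode(m.group(2).replace("\n", "")))
            for m in PEM_BLOCK.finditer(text)]


def build_bundle(key_der: bytes, cert_ders) -> str:
    """The `copy key+leaf+intermediate+root` step: key first, then leaf to root."""
    return der_to_pem(key_der, "ENCRYPTED PRIVATE KEY") + "".join(
        der_to_pem(c, "CERTIFICATE") for c in cert_ders)


def check_bundle(text: str, expected_cert_count: int):
    """Checks before `openssl pkcs12 -export`: one private key, first in the file,
    and every certificate of the chain present. Returns (ok, message)."""
    labels = [label for label, _ in split_pem(text)]
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        return False, f"expected exactly one private key block, found {len(keys)}"
    if not labels[0].endswith("PRIVATE KEY"):
        return False, "private key is not the first block in the bundle"
    certs = labels.count("CERTIFICATE")
    if certs != expected_cert_count:
        return False, f"expected {expected_cert_count} certificates, found {certs}"
    return True, f"ok: 1 key + {certs} certificates"


# Constructed stand-ins for the DER files of the test chain; real files would be
# read with open(path, "rb").read().
KEY_DER = bytes(range(100))                                       # constructed
CERT_DERS = [b"\x30\x03\x02\x01" + bytes([n]) for n in (1, 2, 3)]  # constructed

if __name__ == "__main__":
    bundle = build_bundle(KEY_DER, CERT_DERS)
    print(bundle)
    print(check_bundle(bundle, expected_cert_count=3))
```

A bundle that fails `check_bundle` (a missing intermediate, or the key appended after the certificates) is the usual reason the resulting PSE shows an incomplete chain later in STRUST, so the check is cheap insurance before the PKCS#12 step.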
There is one restriction on the creation of the PSE file for SAP: the file name, as described in SAP Note 1300880.
No PIN must be entered, and the result must not contain any red status line. In the Q83 system, the result was an error like the following:
One way to double check the PSE configuration is to execute the report RSBDCOS0 and then execute the following statement to check the user under which the application server runs:
The result shows that the user under which the application server runs is q83adm; we can also see that no readable credentials are available for the user q83adm:
Thus, credentials are still not assigned, or they were assigned incorrectly. To correct this situation, execute a statement like the following in the same report:

sapgenpse seclogin -p <path and PSE file name>.pse -x <PIN> -o <User ID>

For Q83 the statement should look like the following:

sapgenpse seclogin -p /usr/sap/Q83/DVEBMGS87/sec/SAPMXDI_Q83_175.pse -x a0123456789 -o q83adm

After executing this statement you can check again with:

sapgenpse seclogin -l 2>&1

The system should say that there is one readable credential; for example, in our system it says:
Sign