Scribd
Upload
193 views

Sim 208

X.509 certificate auto-enrollment in Microsoft Active Directory outlines ESS scenarios. ESS Jane Doe "i have too many passwords!" "i forgot my username" How Does a PKI Address these issues?

Uploaded by

jatinashra
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
193 views

Sim 208

X.509 certificate auto-enrollment in Microsoft Active Directory outlines ESS scenarios. ESS Jane Doe "i have too many passwords!" "i forgot my username" How Does a PKI Address these issues?

Uploaded by

jatinashra
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 62

SIM208

SSO for SAP NetWeaver Leveraging


X.509 Certificate Auto Enrollment
in Microsoft Active Directory

André Fischer, Strategic Alliance Microsoft, SAP AG


Carsten Boennen, Strategic Alliance Microsoft, SAP AG
Disclaimer

This presentation outlines our general product direction and should not be
relied on in making a purchase decision. This presentation is not subject to
your license agreement or any other agreement with SAP. SAP has no
obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This
presentation and SAP's strategy and possible future developments are
subject to change and may be changed by SAP at any time for any reason
without notice. This document is provided without a warranty of any kind,
either express or implied, including but not limited to, the implied warranties
of merchantability, fitness for a particular purpose, or non-infringement. SAP
assumes no responsibility for errors or omissions in this document, except if
such damages were caused by SAP intentionally or grossly negligent.

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 2


Agenda

1. Why using a PKI for SSO?


2. Active Directory Certificate Services
2.1. Technical Overview
2.2. Walkthrough: Auto Enrollment and Credential Roaming
2.3. Configuring Active Directory for Auto Enrollment and Credential Roaming - Overview
3. SSO Scenarios Leveraging X.509 Certificates
3.1. Web Browser and NW BC
3.2. .NET Web Services Clients
3.3. SAPGUI
4. Certificate Services @ SAP
4.1. Lessons learned from SAP’s implementation project

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 3


What the User Wants …

Authentication to SRM ERP


local desktop

Workflow CRM

Access
Internet ESS

Authenticate Groupware ...


only once
© SAP 2008 / SAP TechEd 08 / SIM208 / Page 4
What is the Reality?

Workflow SRM

ERP

jdo
e1

e
CRM

o
23

jd
jdo
e1 e
23 j do

Group- jane.doe@company,com ESS


doejan
ware
Jane Doe

“I have too many passwords!”


! “I forgot my username”

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 5


How Does a PKI Address these Issues?

Microsoft Active Directory


X.509-enabled SAP Systems
with an
Enterprise CA
ESS

SRM
1
Workflow
3

2
ERP
Jane Doe
ESS

1 Jane Doe logs on at her desktop to Microsoft Active Directory

2 After verifying Jane‘s identity, the Microsoft CA issues an X.509 certificate to Jane

3 Jane can use her X.509 certificate as a login for Single Sign-On at any SAP System
supporting X.509 certificates
© SAP 2008 / SAP TechEd 08 / SIM208 / Page 6
What the Administrator Wants …

„ Central user management


„ Single point of administration
„ Assign user rights in various applications with one keystroke
„ Lock or delete users centrally
„ Central user repository
„ Avoid redundant user information

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 7


Learning Objective

As a result of this lecture session, you will


„ Understand the benefits of using a PKI infrastructure to achieve SSO for an SAP
System landscape
„ Learn how to leverage Microsoft Active Directory to roll out X.509 certificates
automatically
„ Know about the key figures from SAP’s implementation

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 8


Central User Management using
SAP NetWeaver Identity Management 7.0
IDM should be triggered Business process relies on
by identity business appropriate user and role
processes and data assignments in systems
e.g. Order2Cash
Identity virtualization and
e.g. on-boarding identity as service through
Data standard interfaces Approval
HR Workflows
HR
Integration
SAP NetWeaver Central Identity store
Definition and rule- Identity
based assignment of Management
meta roles Distribution of users
and role assignments
for SAP and non-SAP
Identity Mgmt.
systems
monitoring & Audit
Microsoft
Legacy
App.
Exchange
SAP FI SAP HR SAP ERP SAP SAP Web Server
ABAP ABAP ABAP Java Portal App.
Java Operating
SAP XI Databases Systems
ABAP UME UME
Java
Microsoft Active Directory
© SAP 2008 / SAP TechEd 08 / SIM208 / Page 9
Definition of Single Sign-On (SSO)

Wikipedia defines Single Sign-On as:

Single sign-on (SSO) is a method of access control


that enables a user to authenticate once and
gain access to the resources of multiple
software systems*.

* http://en.wikipedia.org/wiki/Single_sign-on

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 10


Basic Architectural Pattern for Single Sign-On
(SSO)

„ Issuing Authority: A system entity that Issuing


issues security-related information Authority
Trust
about individual users. Usually this Relationship
includes at least identity information
about the user (e.g. a user name or 1
E-Mail address)
2
„ Relying Party: A system entity that
decides to take an action based on
the security information provided by 3 Relying
User
the Issuing Authority. The Relying 4 Party
Party must have a trust relationship
with the Issuing Authority 1. User authenticates at Issuing Authority and request the
security data that is required to access a protected
„ User: A natural person who makes resource at the Relying Party
use of a system and its resources
2. Issuing Authority responds with the security information
about the user
3. User authenticates with the issued data at the Relying
Party to access a protected resource
4. Relying Party authenticates the user based on the
security information issued by the Issuing Authority and
sends response
© SAP 2008 / SAP TechEd 08 / SIM208 / Page 11
Important Characteristics of Single Sign-On
Technologies and Standards
Domain A
„ Cross-Domain
Is it possible to use the SSO technology only SSO

within a security domain (i.e. the corporate


Intranet) or can it be used across different Domain B
SS
domains (e.g. in a B2B scenario)? O

„ Cross-Platform
Which platforms are supported by the SSO
Platform SSO Platform
technology? Is it a widely adopted standard in
the industry or a vendor-specific technology? A B

„ User Agent
Which type of user agent (e.g. Web Browser,
SSO
Web Service Consumer, Mobile Clients, NW BC,
SAPGUI) is supported by the SSO technology?

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 12


NetWeaver Application Server – User Agents

Web Browser, Web Service


NW Business Client Consumer

HTTP(S) SOAP/XML
Internet Communication Manager

Application Server

SAP J2EE
SAP GUI
ABAP DIAG
Engine RFC
External Systems
RFC

Operating System

DB Server

Database System

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 13


Single Sign-On Technologies Supported by
SAP as a Service Provider

SAP Logon
SAP stack User Agent X.509 Kerberos SAML 1.1
Tickets

SAP NW SAPGUI/
Yes (1) Yes (2) Yes No
AS ABAP RFC

Web Browser /
Yes No Yes Yes (4,9)
SAP NW BC

.NET Web Service Yes No (3) Yes Yes (5,8)

SAP NW Web Browser /


Yes Yes Yes Yes (4,6)
AS JAVA SAP NW BC

.NET Web Service Yes No (3) Yes Yes (5,7)

(1) 3rd party SNC product needed (5) WS-Security SAML Token Profile (HoK)
(2) SAP NW AS ABAP has to run on Windows (6) as of NW 04 JAVA
(3) Only a workaround available described in a (7) as of NW 7.11 SP1 JAVA
SDN whitepaper (8) as of NW 7.01 SP1 and NW 7.11 SP1 ABAP
(4) SAML Browser/Artifact Profile (9) as of NW 7.1 ABAP
© SAP 2008 / SAP TechEd 08 / SIM208 / Page 14
Agenda

1. Why using a PKI for SSO?


2. Active Directory Certificate Services
2.1. Technical Overview
2.2. Walkthrough: Auto Enrollment and Credential Roaming
2.3. Configuring Active Directory for Auto Enrollment and Credential Roaming - Overview
3. SSO Scenarios Leveraging X.509 Certificates
3.1. Web Browser and NW BC
3.2. .NET Web Services Clients
3.3. SAPGUI
4. Certificate Services @ SAP
4.1. Lessons learned from SAP’s implementation project

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 15


Active Directory Certificate Services

„ Part of Windows Server 2003 and Windows Server 2008

„ Easy deployment of certificates throughout the enterprise


using MS-Active Directory

„ No per-certificate fees or per-user PKI licenses

„ Allows centralized user security management

„ Cross-Platform SSO for example with SAP components

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 16


Certificate Server Architecture

„ CertSrv receives requests


via DCOM
„ CertSrv Operates in two
modes: Enterprise and
Standalone
„ In Enterprise mode AD is
used for Certificate
Templates publishing
certificates and CRLs and
clients use the templates to
create specific requests
„ CertSrv uses CryptoAPI for
cryptographic operations

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 17


Active Directory Certificate Services –
Certificate Auto Enrollment

„ Automatic enrollment of certificates to users and computers that are members of


an Active Directory

„ Activated and managed by a domain-based Group Policy

„ Available since Windows Server 2003 ….

…. So why has it not been used so far ?

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 18


Problems with Auto Enrollment of X.509
Certificates in the Past

Boundary conditions / Requirements:


„ X.509 certificates should be available for a user on any machine in a domain

Alternatives available so far:


„ Smart Cards
„ Roaming Profiles

Drawbacks of using Smart Cards or Roaming Profiles


„ High deployment costs

„ High costs of maintenance

Æ Solution: Credential Roaming

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 19


Certificate Enrollment and Credential Roaming
on Multiple Computers

Active Directory replication


Active Directory
User Object
Active Directory
User Object
credential credential
roaming roaming

certificate enrollment User‘s


Credential
User‘s Store „My“
Credential
Store „My“

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 20


Credential Roaming Releases

Front-end Comments
operating system
Windows Server
2003 SP1 +
Software Update

Windows XP SP2 +
Software Update

VISTA Credential Roaming allows also secure storage of


stored user names and password

Windows Server Credential Roaming allows also secure storage of


2008 stored user names and password

Source: Microsoft TechNet

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 21


Active Directory – Requirements

Domain Controller Windows Server Windows Server


2003 SP1 or later 2008

Schema Update is required if ƒ Yes ƒ Not required


the current schema version is
lower than 34

Administrative Template ƒ Yes ƒ Not Required


(ADM) import into Group
Policy is required

Active Directory Security ƒ Yes ƒ Not required


Descriptor property settings
must be applied manually

Source: Microsoft TechNet


© SAP 2008 / SAP TechEd 08 / SIM208 / Page 22
Client Certificate Storage in Microsoft Active
Directory 2003 SP1

Common Current user Other users


Name or domain
administrator

ms- Read/Write Not visible and


PKIDPAPI no access
MasterKeys

ms- Read/Write Not visible and


PKIAccount no access
Credentials

ms- Read/Write Not visible and


PKIRoaming no access
TimeStamp

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 23


Where can Client Credential Roaming be
Used?

„ Intranet Scenario
„ All users have to be domain members
„ All Client PC’s have to be domain members

„ SAP acts as service provider

„ Other scenarios might require different technologies such as SAML


„ Federation
„ Impersonation

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 24


Benefits of Using Client Credential Roaming

„ Central secure storage of X.509 certificates in Microsoft Active Directory


„ High availability because data is stored on each domain controller
„ High performance because data is retrieved from a local domain controller rather than
from a central server

„ Only small amount of data (digital certificates and private keys) has to be roamed

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 25


Agenda

1. Why using a PKI for SSO?


2. Active Directory Certificate Services
2.1. Technical Overview
2.2. Walkthrough: Auto Enrollment and Credential Roaming
2.3. Configuring Active Directory for Auto Enrollment and Credential Roaming - Overview
3. SSO Scenarios Leveraging X.509 Certificates
3.1. Web Browser and NW BC
3.2. .NET Web Services Clients
3.3. SAPGUI
4. Certificate Services @ SAP
4.1. Lessons learned from SAP’s implementation project

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 26


Walkthrough
© SAP 2008 / SAP TechEd 08 / SIM208 / Page 27
Walkthrough – Administrator‘s View
Create User in Active Directory

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 28


Walkthrough – Administrator‘s View
Checking Auto Enrollment Process

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 29


Walkthrough – User's View
Logon to Workstation

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 30


Walkthrough – User's View
Logon Process

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 31


Walkthrough – User's View
Certificates Stored in Users Certificate Store

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 32


Walkthrough – User's View
Certificate Services Client-Credential Roaming

„ X.509 certificates are stored in the users „Personal“ store on each computer the
user logs on

„ Here: 172.16.14.136 and 172.16.14.139

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 33


Agenda

1. Why using a PKI for SSO?


2. Active Directory Certificate Services
2.1. Technical Overview
2.2. Walkthrough: Auto Enrollment and Credential Roaming
2.3. Configuring Active Directory for Auto Enrollment and Credential Roaming -
Overview
3. SSO Scenarios Leveraging X.509 Certificates
3.1. Web Browser and NW BC
3.2. .NET Web Services Clients
3.3. SAPGUI
4. Certificate Services @ SAP
4.1. Lessons learned from SAP’s implementation project

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 34


Configuration Steps in Microsoft Active
Directory 2008 - Overview

„ Add Role Active Directory Certificate Services to a server


„ Enterprise Root CA

„ Configure Certificate Template

„ Configure CA to issue the Auto enrolled User certificate

„ Establish Group Policy for auto enrollment of domain users

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 35


Add Active Directory Certificate Services
Server Role in Windows Server 2008

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 36


Microsoft Active Directory: Establishing Auto
Enrollment for User Certificates

Certificate Templates
„ Define the format and content of a
certificate
„ Define how incoming certificate
requests are handled
„ Define the certificates issued by
enterprise CAs
„ Arestored in the Configuration
Naming container of Active Directory
„ How to configure
„ Tool: MMC Snap-In Certificate
Templates
„ Duplicate User template
„ Check: Publish in Active Directory

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 37


Configure an Enterprise CA to Issue the Auto
Enrolled User Certificate

„ Tool: MMC Snap-In Certification Authority


„ Select Certificate Template to Issue

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 38


Establishing Policy for Auto Enrollment of
Domain Users and Credential Roaming

„ Group Policy
Settings

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 39


Restrict Private Key Export

„ PKCS#12-Export of private key


can be restricted
„ Settings valid for Certificate
Template used

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 40


Agenda

1. Why using a PKI for SSO?


2. Active Directory Certificate Services
2.1. Technical Overview
2.2. Walkthrough: Auto Enrollment and Credential Roaming
2.3. Configuring Active Directory for Auto Enrollment and Credential Roaming - Overview
3. SSO Scenarios Leveraging X.509 Certificates
3.1. Web Browser and NW BC
3.2. .NET Web Services Clients
3.3. SAPGUI
4. Certificate Services @ SAP
4.1. Lessons learned from SAP’s implementation project

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 41


SSO Scenario Web Browser / NW BC:
X.509 Client Certificates Based Authentication

„ Authentication occurs using SSL


with mutual authentication
Portal
BSP pages
„ User possesses a public /
private key pair and
public-key certificate issued by a
Certificate Authority (CA)

Web ITS
SL
S
L Dynpro
SS
Access
ABAP
SSL

Web Other...
Dynpro
X.509 Client Certificate JAVA
© SAP 2008 / SAP TechEd 08 / SIM208 / Page 42
Authentication and SSL With X.509
Certificates

„ Mutualauthentication between Alice and the server


„ The SSL – Process:

Client sends „Hello“-message to server


Server sends his certificate and asks for client cert.

sends his certificate , encrypted secret key


and list of supported crypto algorithms
Sends back confirmation

Alice
Private Session established Private
Public …using symmetric encryption Public
Secret Secret

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 43


Configuring SAP NW AS ABAP 7.0 to Accept
Client Certificate Authentication – Overview

„ Configure SSL support

„ Set profile parameter

icm/HTTPS/verify_client

„ Import the issuing CA’s root


certificate

„ Maintain user mapping in table


USREXTID

„ Transaction EXTID_DN

„ CERTMAP service
/sap/bc/bsp/sap/certmap

More details on:

http://help.sap.com

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 44


Configuring the J2EE Engine to Accept Client
Certificate Authentication – Overview

Key Storage Service


„ Import Certificate Authority’s (CA) root certificate as a certificate entry in the
TrustedCAs view

SSL Provider Service


„ Request or require client certificates for authentication
„ Import CA root certificate in Trusted Certification Authorities list

Security Provider Service


„ Adjust login module stacks to accept client certificates using ClientCertLoginModule
and CertPersisterLoginModule (optional)

Result: Client Certificates can be used to authenticate users

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 45


J2EE Engine:
Options for Client Certificate Authentication

„ Using Stored Certificate Mappings


„ As of minimum versions:
„ SAP NetWeaver 6.40 SP16
„ SAP NetWeaver 7.0 SP7
„ Using Rules Based on Client Certificates Subject Names

„ Using Rules Based on Client Certificate V3 Extensions

„ Using Rules to Filter Client Certificates

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 46


Agenda

1. Why using a PKI for SSO?


2. Active Directory Certificate Services
2.1. Technical Overview
2.2. Walkthrough: Auto Enrollment and Credential Roaming
2.3. Configuring Active Directory for Auto Enrollment and Credential Roaming - Overview
3. SSO Scenarios Leveraging X.509 Certificates
3.1. Web Browser and NW BC
3.2. .NET Web Services Clients
3.3. SAPGUI
4. Certificate Services @ SAP
4.1. Lessons learned from SAP’s implementation project

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 47


SSO Scenario: Web Services
Benefits of WS-Security

End-to-End security
WS Consumer
via EAI WS Provider

WS-Security
SSL with mutual
authentication
WS Consumer
direct call
X.509 cannot be federated EAI Server
since the private key would
have to be accessible on the SSL Termination
EAI Server

-> SAML or SAP Logon Tickets are a solution


© SAP 2008 / SAP TechEd 08 / SIM208 / Page 48
Authentication and SSO for Enterprise
Services
Authentication can occur with mechanisms that are available with:
Ö the transport (HTTP protocol)
Ö the message (SOAP)
Message level mechanisms build on transport level
Ö authentication levels not mutually exclusive
Setup at service provider – inherit at service consumer
Ö WS Security Policy WSDL Extensions

Supported Mechanisms:
Username Token Profiles
Service Consumer

Service

Service Provider
Message Level
X.509 Certificate Token Profiles
Application

Application
SAML Token Profiles*

User ID and Password


Service
X.509 Client Certificates (no rules!)
Transport Level
Logon Tickets

*supported with SAP NetWeaver Java 7.1


© SAP 2008 / SAP TechEd 08 / SIM208 / Page 49
SSO and User Identity Propagation for
Services
User Identity propagation with standard platform solutions recommended to:
„ Secure Authentication of end users accessing enterprise services

„ Authorize user access to service resources based on user‘s own role and
permission assignments

„ Audit user access to remote service provider resources

Propagate user WSS SAML Token Profiles 1


Identity SSO tickets

Authenticate WSS X.509 Certificate Token Profile 1


consumer
X.509 client certificate
system

Authenticate WSS Username Token Profile 1


Service User User ID and Password
1supported for WS Protocols only, SAML token profiles (sender vouches subject) supported with NW AS
© SAP 2008 / SAP TechEd 08 / SIM208 / Page 50 Java 7.1 and NW AS ABAP 7.0 SP 14 and higher
Agenda

1. Why using a PKI for SSO?


2. Active Directory Certificate Services
2.1. Technical Overview
2.2. Walkthrough: Auto Enrollment and Credential Roaming
2.3. Configuring Active Directory for Auto Enrollment and Credential Roaming - Overview
3. SSO Scenarios Leveraging X.509 Certificates
3.1. Web Browser and NW BC
3.2. .NET Web Services Clients
3.3. SAPGUI
4. Certificate Services @ SAP
4.1. Lessons learned from SAP’s implementation project

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 51


SSO Scenario: SAPGUI
Using SNC and an External Security Product

SAPGUI SAP NW AS ABAP

SNC SNC
SSO and
GSS-API V2 encryption
GSS-API V2

SNC_LIB SNC_LIB
3rd party SNC Library 3rd party SNC Library

Certificate
Key Store

Microsoft certificate
© SAP 2008 / SAP TechEd 08 / SIM208 / Page 52
container
Example of X.509 Certificates with SNC
Solutions: SECUDE signon&secure Client

SECUDE signon&secure Client allows to use different security tokens:


„ Software key files (PSE or PKCS#12/PFX)
„ Smartcards (PKCS#11)
„ Microsoft certificate containers (CSP)

Microsoft certificate containers are


„ Security tokens accessible via the Microsoft Crypto API
„ Containers may be imported software keys (PFX), provided by Microsoft built-in Cryptographic
Service Providers (CSPs)
„ Or smartcards with own vendor CSPs (Siemens, A.E.T., SECUDE, …)

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 53


SECUDE signon&secure Client:
Automatic Certificate Selection

Get a
ll
user
SNC_LIB PSE
PSE certifi
SNC_LIB c
Service
Service s from ate
MY
store

he
ll t r
Ca filte

Filter
Filter patterns
patterns from
from
SNC_LIB
SNC_LIB Group Policy:
Group Policy:
Exact
Exact match
match

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 54


SECUDE signon&secure Client:
Interactive Certificate Selection

t a l l us er
Ge
e r ti fi cates
c Y
f r om M
SNC_LIB PSE
PSE store
SNC_LIB e
Service
Service ll th
a
C ter
fil

Filter
Filter patterns
patterns from
from
Group Policy:
Group Policy:
More
More than
than one
one

SNC_LIB
SNC_LIB

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 55


Agenda

1. Why using a PKI for SSO?


2. Active Directory Certificate Services
2.1. Technical Overview
2.2. Walkthrough: Auto Enrollment and Credential Roaming
2.3. Configuring Active Directory for Auto Enrollment and Credential Roaming - Overview
3. SSO Scenarios Leveraging X.509 Certificates
3.1. Web Browser and NW BC
3.2. .NET Web Services Clients
3.3. SAPGUI
4. Certificate Services @ SAP

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 56


Certificate Services @ SAP

Current Project:
„ Migration of SAP’s internal PKI infrastructure to
Microsoft Certificate Services

Key Figures:
„ Planned Rollout Q4/2008
„ Migration of an existing RootCA
„ More than 30.000 user’s

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 57


Further Information

Î SAP Public Web:


SAP Developer Network (SDN): www.sdn.sap.com
Business Process Expert (BPX) Community: www.bpx.sap.com
Î Microsoft Public Web:
Microsoft TechNet: technet.microsoft.com
Î Related SAP Education and Certification Opportunities
http://www.sap.com/education/

Î Related Workshops/Lectures at SAP TechEd 2007


SIM265, Configuring J2EE and SAP NetWeaver Portal UME
Authentication , Hands-on (2 hours)
SIM206, Single Sign-On in Heterogeneous System Landscapes and
SAML, Lecture (1 hour)
SIM207, Towards Interoperable SSO for Web Services, Lecture (2
hours)
© SAP 2008 / SAP TechEd 08 / SIM208 / Page 58
Building Your Business with
SDN Subscriptions

SDN Subscriptions offers developers and consultants like you,


an annual license to the complete SAP NetWeaver platform
software, related services, and educational content, to keep
you at the top of your profession.

SDN Software Subscriptions: (currently available in U.S. and Germany)


„A one year low cost, development, test, and commercialization
license to the complete SAP NetWeaver software platform
„ Automatic notification for patches and updates
„ Continuous learning presentations and demos to build
expertise in each of the SAP NetWeaver platform components
„ A personal SAP namespace

SAP NetWeaver Content Subscription: (available globally)


Starter Kit
„ An online library of continuous learning content to help build skills.

To learn more or to get your own SDN Subscription, visit us at the


Community Clubhouse or at www.sdn.sap.com/irj/sdn/subscriptions
© SAP 2008 / SAP TechEd 08 / SIM208 / Page 59
SDN Subscriptions Program

The SDN Subscriptions Program introduces the SAP NetWeaver,


Development Subscription for individual developers. Available for purchase
in Germany and the United States.
Subscription gives you one year access to …
„ SAP NetWeaver platform software, patches, and updates
„ Development license for SAP NetWeaver to evaluate, develop and test
„ Standard software maintenance
„ Online sessions from SAP TechEd
„ Access to SAP Enterprise Services Workplace for testing
„ Premium presence in forums

Purchase the SAP NetWeaver, Development Subscription today at


the SAP Community Clubhouse, or online at
https://www.sdn.sap.com/irj/sdn/devsub
Visit us at the Community Clubhouse, show us you are a subscriber,
and get a gift!
© SAP 2008 / SAP TechEd 08 / SIM208 / Page 60
Thank you!

© SAP 2008 / SAP TechEd 08 / SIM208 / Page 61


Feedback
Please complete your session evaluation.
Be courteous — deposit your trash,
and do not take the handouts for the following session.

Thank You !
© SAP 2008 / SAP TechEd 08 / SIM208 / Page 62

You might also like