created by Deepika Paturu on Jun 6, 2013 11:33 AM, last modified by Deepika Paturu on Jun
6, 2013 2:47 PM
Version 2
inShare
Tweet
SNOTE is used for implementing the SAP notes in the system. SAP notes are small
corrections delivered by SAP before releasing the support package. All the SAP notes will be
included in the next support package release. The SAP notes which contain the correction
instructions can be implemented in the system using the SNOTE and there can FAQ notes
also which do not contain the correction instructions but are informative notes. The notes can
be edited by SAP after releasing to the customers and when the SAP note is edited by SAP,
new version of the SAP note will be released.
Few notes will be released to specific customers and they are called pilot release notes and
they will be accessible and can be implemented by only those customers.
Note Implementation :
Before implementing the note in the system, please read the note completing and understand
if it is valid for your system. Few notes contain the manual steps to be performed in the
system before implementing the note. Please check the note and implement the preimplementation steps manually in the system before implementing the note in the system and
post implementation steps manually after the implementation of the note.
Please refer the steps specified below for implementing the note in the system using SNOTE.
After downloading the note, please goto SAP NOTE browser ctrl+F9 and enter the note
number to check the implementation status of the note. The note can be implemented in the
system if the "can be implemented" status is available. Please click on Implement SAP Note
ctrl+F1 for implementing the note.
Different Implementation status available in SNOTE for particular SAP note downloaded in
the system.
Can be Implemented - Note is valid for your system release and support package level and
can be implemented in the system.
Incompletely Implemented - The note is partially implemented in the system and still some
correction instructions of the note need to be implemented in the system.
Obsolete - The note is already delivered with the support package implemented in the system.
Obsolete Version Implemented - Either newer version of the note is released by the SNOTE
or the system is upgraded to the higher version of the support package level.
The note log can be useful to check the implementation of the note and information about the
version and date and time of the note implementation in the system
Following are the two important notes which need to be implemented in all the system
depending on the basis releases. These notes contain the corrections for many known issues
with the SNOTE.
To be fair, X.509 certificates can be used to do these things for more than just people - theyre
heavily used by software applications or computers to do this amongst themselves as well.
Anyway, just keep in mind when I say person in this article, it can mean any of these.
Lets look at these two use cases a little more closely.
Identity Verification
So weve said that an X.509 certificate can be used to verify a persons identity so you can
trust that they really are who they say they are.
In this use case, you can think of an X.509 certificate as similar to a national passport. And as
with national passports, you are very careful about who would ever have access to it - you
would never give your passport away to anyone else. It uniquely identifies you and only you.
Because of this uniqueness, the government uses passports to verify who you are - you
present it as a way of proving that you are a citizen of your country.
X.509 certificates act kind of like a digital passport of sorts - it contains information about
you and only you. And just as a national government acts as an authority for issuing and
validating passports, something similar, called a Certificate Authority (CA), exists for X.509
certificates.
A Certificate Authority is a 3rd party trusted by both you and anyone who might verify your
identity. That is, when you use your X.509 certificate with someone who needs to verify your
identity, you both trust that a certain Certificate Authority has validated your identity.
Because the 3rd party trusts that the CA verified you, they in turn trust that your X.509
certificate really represents you and only you.
There are well-known global and public Certificate Authorities, such as Verisign and
Digicert. But a Certificate Authority can also be any party that both you and the person
verifying you agree to as trusted. Many companies have their own private Certificate
Authorities used to verify employee identities, for example.
X.509 cryptography
Ok, great - we now know about asymmetric (public/private) key cryptography. What does
that have to do with X.509 certificates? Well, an X.509 certificate is composed of two chunks
of information:
As you can see, your public key is included in the X.509 certificate. This way, anyone who
gets your certificate can both verify your identity (via a Certificate Authority) and encrypt
data for your eyes only with the included public key.
8. The CA sends this newly created X.509 certificate back to the person who
was verified.
After this final step, the user has their validated X.509 certificate that they can use as
necessary.
To use X.509 client certificates for WS consumer authentication on the AS Java you
also have to enable the use of SSL on the AS Java and the AS ABAP. More
information: Using SSL on the AS Java and Using the Secure Socket Layer Protocol
with the AS ABAP.
Procedure
1. Configure a WS Service Endpoint for Providing a Web Service
1. In SAP NetWeaver Administrator, choose SOA Management Application and
Scenario Communication Single Service Administration Service Definitions .
2. Find the service for the service endpoint that you want to configure, and select it.
3. On the Configumation tab page, select the service endpoint to be configured.
choose the PSE and the private key corresponding to the X.509 client
certificate to use for consuming the WS.
o For an AS ABAP:
choose the PSE and the private key corresponding to the X.509 client
certificate to use for consuming the WS.
standard XML syntax with which authenticaiton data is included in the SOAP header, and
allows the interoperability of security between WS-supported systems that are based on
different programming languages.
Security Aspects
With authentication at SOAP message level, you can use end-to-end authentication that is
adjusted to the security requirements of the WS communication. With SAP NetWeaver, you
can use multiple types of WS authentication mechanisms at document level and strong
message authentication options based on WS-Security, such as XML signatures, XML
encryption, SOAP message age, and error reports.
Authentication at message level on its own does not offer a point-to-point solution to
protect the overall security of the WS interactions between systems. However, the
reliability of SOAP messages at the lower level of the HTTP connection protocol
allows you to extend the security at SOAP level with security solutions at HTTP
transport level. You can, for example, use HTTPS as a protected connection channel
that uses the SSL security level for transport level security.
WS SecureConversation
http://help.sap.com/saphelp_nwpi711/helpdata/en/48/aea404ac5a3206e10000000a42189c/co
ntent.htm
This standard specified by OASIS for Web Services security describes how signatures and
encryption are used to protect SOAP messages with X.509 certificates. With the defined
security mechanism, a consumer can send a signed and encrypted message to a recipient. He
or she uses the public key of the server to encrypt and the private key of the client to sign.
WS SecureConversation
Defines how the provider and consumer communicate without using asymmetric
encryption, since symmetric encryption saves time
Ensures unbroken communication, since the key is in the SOAP header (there is no
need, for example, to interrupt communication with a reverse proxy)
Defines how a security context can be set up and shared and how to derive session
keys
If not only one, but rather a number of messages are exchanged, it is more efficient for the
communication partners to build and share a security context. Also, only public-key
cryptography is used to negotiate symmetric keys.
SecureConversation can be created using SSL or asymmetric signature and encryption or
using symmetric signature and encryption.
More information: WS Security XML Signature/Encryption
SAP is initially using the security context primarily to allow WS-ReliableMessaging to reuse
a security context, so that the server can contact the client.
Prerequisites
To use WS-Security XML signatures and encryption with X.509 certificates, you need
to enable the use of cryptographic functions for the AS ABAP system. More
information: Digital Signatures and Encryption
Both the consumer and provider systems have an SSL trust relationship.
More information:
o