Our company is working with SAP Turkey to provide the e-Invoicing Solution for Turkish SAP and non-SAP customers (details can be found in Note 1508509 - SAP e-Invoice Solution for Turkey). In Turkey, the e-Invoicing process is managed by the Turkish Revenue Administration (GIB). GIB offers two technical alternatives for sending and receiving invoices electronically:
- e-Invoice Portal
We created the solution on NetWeaver 7.3 Process Integration (PI). One of the prerequisites for the integration is an SSL certificate for the communication. Thus, each customer has to buy an SSL certificate for the PI system.
During this period, each customer acted differently regarding SSL:
- Some asked us to apply for and obtain the SSL certificate,
- Some gave us their wildcard certificate,
- Some applied for their own and gave us the certificate.
But in each case we had a different starting point: in some cases we had only the certificate response file, in others the customer provided a PKCS#12 formatted certificate file.
We decided to use SSL with a certificate from a public CA for the secure communication between the PI and GIB systems, as dictated by GIB. In addition, the communication addresses and ports are opened to GIB's IP address, and vice versa, for higher security.
In this process, I realized that our Basis and PI colleagues were a little confused about SSL, CAs, ports, etc.
So I decided to organize a short workshop about SSL and the installation methods for SAP systems. This blog covers the first part, "What is SSL?".
What is SSL?
The Secure Sockets Layer protocol was created by Netscape to ensure secure transactions between web servers and browsers. Version 1.0 was never publicly released; version 2.0 was released in February 1995 but "contained a number of security flaws which ultimately led to the design of SSL version 3.0". SSL version 3.0 was released in 1996. For completeness: SSL 2.0 has since been prohibited (RFC 6176) and SSL 3.0 deprecated (RFC 7568), so neither should be enabled on a new system; they matter today only as the ancestry of TLS.
What is TLS?
SSL was succeeded by the Transport Layer Security (TLS) protocol, standardized by the IETF starting with TLS 1.0 (RFC 2246, 1999). TLS allows client-server applications to communicate across a network in a way designed to prevent eavesdropping and tampering, and it is what every current "SSL" implementation actually speaks.
Since most application protocols can be used either with or without TLS (or SSL), the server must know whether the client wants a TLS connection. There are two main ways to achieve this. One is to use a separate port number for TLS connections ("implicit TLS", for example port 443 for HTTPS next to port 80 for HTTP, or port 993 for IMAPS). The other is to use the regular port and have the client ask the server to switch the connection to TLS using a protocol-specific command (for example STARTTLS in SMTP, IMAP and POP3). With the second method the client must insist on the upgrade: if it silently continues in cleartext when the server does not offer STARTTLS, an active attacker who strips the offer from the server's greeting downgrades the whole session.
SSL vs TLS
The terms SSL and TLS are often used interchangeably or together (TLS/SSL), but one is the predecessor of the other: SSL 3.0 served as the basis for TLS 1.0, which is therefore sometimes referred to as SSL 3.1 (its version number on the wire is 0x0301, SSL 3.0's being 0x0300). With this said, is there actually a difference between the two?
SSL 3.0 and TLS 1.0 differ in ways that make them incompatible on the wire (TLS 1.0 uses a different key-derivation function and an HMAC-based record MAC, and the version number in the handshake tells the peer which protocol is being spoken), so client and server must negotiate a common version. The often-repeated claim that "SSL begins with security while TLS begins with an insecure hello" is a misunderstanding: both protocols start with the same kind of plaintext ClientHello, and the difference being described is really the one between implicit TLS on a dedicated port and a STARTTLS-style upgrade (previous section). In both protocols, if the handshake fails for any reason (no common cipher suite, untrusted certificate, bad signature), no application data is ever exchanged. They are not equal in security, however: SSL 2.0 and 3.0 have known weaknesses and are formally prohibited (RFC 6176) and deprecated (RFC 7568), and TLS 1.0 and 1.1 have since been deprecated as well (RFC 8996). New deployments should use TLS 1.2 or later.
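As an added example that is not part of the original post, the following Python builds the first message of a TLS 1.2 handshake (a ClientHello carrying an SNI extension, per RFC 5246 and RFC 6066) and then parses it the way a passive observer on the network would. The point it makes for the two sections above: this record is not encrypted, so the offered protocol version, the cipher-suite list and the target host name are all readable before any key exchange has taken place, and this is the same "hello" whether one calls the protocol SSL or TLS; only the version bytes differ. The host name and the cipher-suite subset are constructed for the demo.

```python
"""Build and parse a TLS 1.2 ClientHello (RFC 5246 section 7.4.1.2, SNI from RFC 6066)."""
import os
import struct

CONTENT_TYPE_HANDSHAKE = 0x16   # record-layer ContentType for handshake messages
HANDSHAKE_CLIENT_HELLO = 0x01   # HandshakeType
TLS_1_2 = (3, 3)                # 0x0303; SSL 3.0 is 0x0300 and TLS 1.0 ("SSL 3.1") is 0x0301
EXT_SERVER_NAME = 0x0000        # Server Name Indication extension type

# IANA cipher suite code points; the subset below is constructed for this demo.
CIPHER_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}


def build_client_hello(server_name, cipher_suites=tuple(CIPHER_SUITES), client_random=None):
    """Return the bytes a client sends first: one plaintext record carrying a ClientHello."""
    client_random = client_random or os.urandom(32)
    host = server_name.encode("idna")
    sni_entry = struct.pack("!BH", 0, len(host)) + host      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (
        bytes(TLS_1_2)                                  # client_version
        + client_random                                 # 32 bytes of client randomness
        + b"\x00"                                       # session_id length 0: no resumption
        + struct.pack("!H", len(suites)) + suites       # cipher suites offered, in preference order
        + b"\x01\x00"                                   # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_header = bytes([CONTENT_TYPE_HANDSHAKE]) + bytes(TLS_1_2) + struct.pack("!H", len(handshake))
    return record_header + handshake


def parse_client_hello(data):
    """Read what anyone on the path can read from the first record: nothing in it is encrypted."""
    if len(data) < 5 or data[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a TLS handshake record (cleartext protocol or garbage?)")
    record_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + record_len]
    if not hs or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("handshake record does not carry a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])
    client_random = body[2:34]
    pos = 34
    pos += 1 + body[pos]                                       # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, suites_len, 2)]
    pos += suites_len
    pos += 1 + body[pos]                                       # skip compression_methods
    server_name = None
    if pos < len(body):                                        # extensions are optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext_data = body[pos:pos + ext_data_len]
            pos += ext_data_len
            if ext_type == EXT_SERVER_NAME:
                # ServerNameList: 2-byte list length, then name_type (1), name length (2), name
                name_len = struct.unpack("!H", ext_data[3:5])[0]
                server_name = ext_data[5:5 + name_len].decode("idna")
    return {
        "version": version,
        "client_random": client_random,
        "cipher_suites": [CIPHER_SUITES.get(cs, hex(cs)) for cs in suites],
        "server_name": server_name,
    }


if __name__ == "__main__":
    wire = build_client_hello("pi.example.com")               # constructed host name
    print(wire.hex())
    print(parse_client_hello(wire))                            # the observer's view, host name included
```

Feeding the parser something that is not a TLS record (an HTTP request line, say) raises ValueError, which is exactly the distinction a port-sharing scheme such as STARTTLS avoids having to make: the client announces the switch instead of the server guessing from the first bytes.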
Both protocols ensure that your data is encrypted as it travels across the network. They also both let you confirm that the server you are communicating with is the server you intended to contact, and not a "man in the middle". This works because a server that supports SSL/TLS presents a certificate issued by a trusted third party (a CA such as Verisign or Thawte), which binds the server's public key to the domain name(s) the certificate was issued for, after the CA has verified that the applicant controls that domain. Your client will warn you (or, in a properly configured program, refuse to connect) if the certificate it receives is not signed by a trusted CA, has expired, or does not match the host name you are trying to connect to.
If you are mostly concerned about security, the real choice today is not SSL versus TLS but which TLS versions to allow: use TLS 1.2 or later, and disable SSL 2.0 and 3.0 on the PI system.
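An added example, not from the original post, of the two checks described above as a TLS client performs them, written against the certificate dict format Python's ssl module returns from getpeercert(): hostname matching, including the wildcard case mentioned earlier in the post ("*.example.com" matches "pi.example.com" but not "a.pi.example.com" and not the bare "example.com" unless it is listed separately), and a client context that requires a trusted CA signature and TLS 1.2 or later, shown beside the weak "verify nothing" setting that teams sometimes switch on when a handshake fails. The certificates below are constructed dicts, not real certificates, and the example.com host names are placeholders.

```python
"""Certificate checks a TLS client performs, in the dict form Python's ssl module exposes."""
import ssl

# Constructed certificates in the shape ssl.SSLSocket.getpeercert() returns (not real certificates).
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
CN_ONLY_CERT = {  # old-style certificate without a subjectAltName extension
    "subject": ((("countryName", "TR"),), (("commonName", "pi.example.com"),)),
}


def _pattern_matches(pattern, hostname):
    """RFC 6125 style matching: exact match, or a single '*' as the entire leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the whole leftmost label and covers exactly one label;
    # very short patterns such as "*.com" are refused here (a common client policy).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Does the certificate name the host we intended to reach?"""
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        # When dNSName SANs are present the commonName is ignored (RFC 6125, modern browsers).
        return any(_pattern_matches(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return _pattern_matches(value, hostname)
    return False


def make_client_context(verify=True):
    """Strict client context (the default) beside the weak setting used to 'make the error go away'."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED, check_hostname=True, system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0, TLS 1.0 and TLS 1.1
    if not verify:
        # Weak: any certificate is accepted, so a man in the middle presenting a self-signed
        # certificate for the same name is never detected. Never ship this setting.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for host in ("pi.example.com", "example.com", "a.pi.example.com", "pi.example.org"):
        print(host, "->", hostname_matches(WILDCARD_CERT, host))
    strict = make_client_context()
    print("strict:", strict.verify_mode, strict.check_hostname, strict.minimum_version)
```

A handshake that fails against the strict context is information (wrong certificate installed, missing intermediate CA in the chain, name mismatch, expired certificate) and should be fixed on the certificate side, which is the subject of the next part of this series, not by switching to the weak context.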
When should I choose TLS or SSL?
The main benefit of opting for TLS over SSL is that TLS was conceived as an open IETF standard: it is more extensible, it keeps receiving new versions (TLS 1.2 in RFC 5246, TLS 1.3 in RFC 8446), and it is what current software and other Internet standards support. TLS implementations could also negotiate down to SSL 3.0 for old clients that understood nothing else, but that fallback reintroduces SSL 3.0's weaknesses for every connection an attacker can force down to it, so it should be disabled rather than relied upon.
The other benefit often cited, that TLS allows both secure and insecure connections over the same port whereas SSL requires a designated secure-only port, is really e-mail client terminology rather than a property of the protocols. In mail clients "SSL" usually means implicit TLS on a dedicated port (465 for SMTP, 993 for IMAP, 995 for POP3) and "TLS" means STARTTLS on the regular port (25 or 587, 143, 110). Both settings end up running the same TLS protocol; the difference lies only in how the connection is started, and the STARTTLS variant carries the downgrade risk described earlier if the client is allowed to fall back to cleartext.
So, contrary to the common advice, it does matter in terms of security: what counts is the protocol version actually negotiated and whether the client refuses to continue when it cannot get it.
What is HTTPS?
Hypertext Transfer Protocol Secure (HTTPS) is HTTP carried over an SSL/TLS connection, by default on TCP port 443 and identified by the https:// URI scheme. It provides encrypted communication and authentication of the web server (and optionally of the client, when a client certificate is requested). HTTPS connections are commonly used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems; the PI-to-GIB connection described at the start of this post is one such HTTPS connection.
HTTPS should not be confused with the little-used Secure HTTP (S-HTTP). Both were defined in the mid-1990s to address the need for protected web traffic. Netscape and Microsoft supported HTTPS rather than S-HTTP, which led to HTTPS becoming the de facto standard mechanism for securing web communications. The difference is architectural: HTTPS protects the whole TCP connection with TLS, whereas S-HTTP protected individual HTTP messages.
While I prepare the second part of the series, please check out Network and Communication Security in the NetWeaver Platform at http://help.sap.com/saphelp_nw70ehp1/helpdata/en/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm
I'll focus on the following subjects in the upcoming parts:
- What are Certificates and Certificate Authorities (CAs)
- Local vs Global CA
- Fundamentals of Security Protocols for NetWeaver AS ABAP, AS Java and AS ABAP+Java