Configuration Guide
SAP Information Collaboration Hub for Life Sciences
Document Version: 1.1
Released to Customer
Date:

Non-SAP Backend System on SAP Information Collaboration Hub for Life Sciences
Typographic Conventions

Type Style | Description
Example | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Textual cross-references to other documents.
Example | Emphasized words or expressions.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example | Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE | Keys on the keyboard, for example, F2 or ENTER.

© 2017 SAP SE or an SAP affiliate company. All rights reserved.
Document History

Version | Status | Date | Change
1.0 | Final | 2016-09-07 | First release
1.1 | Released | 2017-09-18 | Released to customer with rename to ICHLS (Hub)
Table of Contents

1 About This Document
  1.1 Purpose and Scope
  1.2 Target Audience
  1.3 Glossary
  1.4 Related Information
2 Introduction
3 Client Keystore
4 Keys Contained in the Keystore
5 Important Disclaimers and Legal Information
  5.1 Coding Samples
  5.2 Accessibility
  5.3 Gender-Neutral Language
  5.4 Internet Hyperlinks
1 About This Document

1.1 Purpose and Scope

This document describes how to establish a client keystore for SAP Information Collaboration Hub for Life Sciences integration. The SAP Information Collaboration Hub for Life Sciences is referred to as the Hub in this document. This document is for non-SAP backend systems only.

1.2 Target Audience

This document is for the technical implementation team involved in integration and onboarding with the Hub, including:
- Implementation and integration teams
- System Administrators
- Information Security Officers
- Network Administrators

1.3 Glossary

Term | Abbreviation | Definition
Certificate Authority | CA | Entity that issues electronic documents that verify a digital entity's identity on the internet. In a Pharma Network integration scenario, any client certificate provided by a participant must be signed by an SAP-Trusted CA.
Keystore | | Self-contained collection of certificates and keys that are actively used in the establishment of connectivity to the Hub.
Message Level Security | MLS | Summarizes the security settings that can be applied to protect the content of a message. Depending on the chosen standard, message level security can imply digitally signing or verifying, and encrypting and decrypting the content of a message.
Onboarding | | Process of connecting a participant to the Hub. Onboarding covers all tasks necessary to configure the connection and data exchange between a participant system and the Hub.
Participant | | Company or organization that onboards to the Hub.
Transport Layer Security | TLS | Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both referred to as SSL, are cryptographic protocols that provide communications security over a computer network.
Tenant | | Represents the resources of the cloud-based integration platform of the Hub allocated to a participant.
X.509 | | Standard for a public key infrastructure (PKI) to manage digital certificates and public-key encryption. Key part of the Transport Layer Security protocol used to secure web and e-mail communication.
Web Service | | Service offered by an electronic device to another electronic device, communicating with each other using the World Wide Web. In the Hub integration scenario, Web Services are the preferred integration method.

1.4 Related Information

- Introduction to the SAP Information Collaboration Hub for Life Sciences
- SAP Information Collaboration Hub for Life Sciences Administrator Guide
- SAP Information Collaboration Hub for Life Sciences Configuration Guides for non-SAP backend systems
2 Introduction

This document assumes that:
- The server keystore relates to Transport Layer Security (TLS) authentication with the Hub
- Keys used for Message Level Security (MLS) are stored in a separate keystore
3 Client Keystore

The client keystore contains the necessary certificates to allow a participant system to authenticate with the Hub. The following figure shows the process.

When a participant system makes a web service call to the Hub, the participant system and the Load Balancer in the Hub mutually authenticate.

1. The Load Balancer provides its client certificate to the participant system.
2. The participant system validates the certificate. The participant system has the client certificate stored in its keystore.
3. The Load Balancer validates that the certificate is an X.509 certificate whose certificate chain is signed by one of the SAP Trusted Certificate Authorities.
4. Once mutual authentication succeeds, the Load Balancer passes the request and the client certificate of the participant system to the Hub tenant.
5. The Hub authorizes the request. During onboarding, the participant client certificate is persisted to the runtime of the tenant.
4 Keys Contained in the Keystore

The following table shows details of the relevant keys and certificates, including ownership.

Key | Owner | Format | Purpose
Client Private Key | Participant | X.509/SSL | The private key is coupled with the corresponding Client Public Key.
Client Public Key | Participant | X.509/SSL | The public key is passed during the web service call, so that the Load Balancer can validate the root client certificate, and it is also passed to the tenant for authorization. This key is provided by the participant to the SAP Onboarding Team, who add the key to the tenant access control list/runtime. This allows for the authorization step shown in the figure in section 3.
Client Chain and Root Certificates | Participant | X.509/SSL | The keystore must hold the corresponding chain and root client certificates that are provided by the participant's Certificate Authority (CA).
Hub Load Balancer Root Certificate | SAP | X.509/SSL | The Load Balancer root certificate is used to validate the SAP Load Balancer. The Load Balancer passes its client certificate to the calling system, which uses the root certificate to validate the incoming SAP Load Balancer certificate. This certificate is provided to the participant during onboarding.
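The mutual authentication steps in section 3 and the keystore contents in section 4, as an added worked example in Go that is not part of this guide or of any SAP deliverable. It constructs its own certificates in memory (a participant root CA and issuing CA, a client leaf, a Hub Load Balancer root and the Load Balancer's own certificate; the CA names and the hosts participant.example and lb.hub.example are assumptions), fills a keystore structure modelled on the table above, and runs the two validations: the participant checking the Load Balancer certificate against the root stored in its keystore (step 2), and the Load Balancer checking that the client chain leads to an SAP-trusted CA (step 3). The checks that must fail, a wrong Load Balancer host name, a chain that does not end in a trusted root, and a leaf presented without its issuing CA, are covered as well.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// certPair is an X.509 certificate together with its private key.
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // constructed serial counter for the test certificates below

// issue creates a constructed certificate for cn, self-signed when parent is nil
// (a root CA) and otherwise signed by parent so that a chain results.
func issue(cn string, isCA bool, parent *certPair) (*certPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // a leaf: usable for client or server authentication, named by its host
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &certPair{cert: cert, key: key}, err
}

// ClientKeystore mirrors the table in section 4: the participant's private key,
// its client chain (leaf first, then issuing CA) and the Hub Load Balancer root.
type ClientKeystore struct {
	ClientKey   *ecdsa.PrivateKey
	ClientChain []*x509.Certificate
	LBRoot      *x509.CertPool
}

// Verify checks that chain[0] leads through chain[1:] to a root in roots for the given
// usage; host is matched only when non-empty. Step 2 (the participant checking the Load
// Balancer) and step 3 (the Load Balancer checking the client) differ only in the roots.
func Verify(chain []*x509.Certificate, roots *x509.CertPool, usage x509.ExtKeyUsage, host string) error {
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		DNSName: host, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// BuildScenario issues the constructed certificates (participant root and issuing CA,
// client leaf, Hub Load Balancer root and certificate) and returns the filled keystore,
// the Load Balancer certificate and the pool of SAP-trusted roots.
func BuildScenario() (ClientKeystore, *x509.Certificate, *x509.CertPool, error) {
	var err error
	mk := func(cn string, isCA bool, parent *certPair) (p *certPair) {
		if err == nil { // stop issuing after the first failure
			p, err = issue(cn, isCA, parent)
		}
		return
	}
	partRoot := mk("Participant Root CA", true, nil)
	partInter := mk("Participant Issuing CA", true, partRoot)
	client := mk("participant.example", false, partInter)
	lbRoot := mk("Hub LB Root CA", true, nil)
	lb := mk("lb.hub.example", false, lbRoot)
	if err != nil {
		return ClientKeystore{}, nil, nil, err
	}
	sap, lbPool := x509.NewCertPool(), x509.NewCertPool()
	sap.AddCert(partRoot.cert) // the participant's CA is one of the SAP-trusted CAs
	lbPool.AddCert(lbRoot.cert)
	ks := ClientKeystore{ClientKey: client.key, LBRoot: lbPool,
		ClientChain: []*x509.Certificate{client.cert, partInter.cert}}
	return ks, lb.cert, sap, nil
}
```

The keystore fields map directly onto a Go tls.Config for the web service call: ClientChain (DER of each certificate) together with ClientKey form the Certificates entry the participant presents, and LBRoot becomes RootCAs with ServerName set to the Load Balancer host. Verify rejects a leaf presented without its issuing CA, which is why the table requires the keystore to hold the chain and root certificates, not only the client certificate itself.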
5 Important Disclaimers and Legal Information

5.1 Coding Samples

Any software coding and/or code lines/strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.

5.2 Accessibility

The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does not apply in cases of wilful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.

5.3 Gender-Neutral Language

As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If, when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.

5.4 Internet Hyperlinks

The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see: http://help.sap.com/disclaimer).
www.sap.com/contactsap