The IT services of Leibniz University Hannover, Germany, operate a shared SAP ERP (German site) system for 18 universities in Lower Saxony. About 3000 users access this service using a SmartCard-HSM holding an X.509 certificate. The certificate is issued by the DFN-PKI, a publicly trusted certification service for the German research community. SAP is configured to authenticate users with client certificates, with OpenSC as the cryptographic middleware.
Recently the IT services migrated smart card management from a home-grown system to a dedicated instance of the PKI-as-a-Service Portal. With the new portal, the full card and certificate life cycle is managed in a cloud-based system, removing the need to personalize cards centrally and ship them to locations across Germany.
Today smart cards are handed out to users by the local administration before any certificate is issued. Once a card has been issued to an SAP user, the user can log in to the portal and request a certificate. Access to the portal is protected by the two-factor authentication (2FA) function built into the SmartCard-HSM.
The new workflow is fully managed in the portal and covers the various approval steps: requesting the certificate from the DFN-PKI, approving the request, certificate production, delivery and, eventually, revocation.
When the certificate is about to expire, a workflow is started to renew it. The card stays in the user's hands throughout, as all card-related operations (key generation, storing the certificate) are performed remotely using the Remote Application Management over HTTP (RAMOverHTTP) feature of the PKI-as-a-Service Portal.
A great benefit of using the portal is that a blocked PIN no longer requires issuing a new card. Instead the portal starts a workflow and, after approval by a designated role, the PIN can be unblocked and set remotely.
The connection to the DFN-PKI was implemented as a microservice in the portal, using the SOAP API provided by the DFN-PKI. The connector is open source and, like other parts of the PKI-as-a-Service Portal, can be found in the CDN.