GRC
HR
SCM
CRM
BI


Article

 

Security Features of the SAP Web Application Server

by Jurgen Schneider | SAPinsider

October 1, 2001

by Jurgen Schneider SAPinsider - 2001 (Volume 2), October (Issue 4)
 

With SAP Web Application Server Release 6.10, SAP introduced a powerful Internet application platform that is at the core of all major SAP solutions (including mySAP CRM 3.0, and the upcoming releases of mySAP APO and mySAP BW), and that can also be seamlessly integrated with mySAP Workplace and mySAP Marketplace solutions. The new SAP Web Application Server is also a component in its own right, providing a complete web application development and deployment platform, while retaining full support for all proven SAP programming models.1

     To satisfy the requirements of dynamic and collaborative web applications, and to act as a server for browser-based applications in various intranet and Internet scenarios, such an application platform also requires strong integrated security functions. The number and severity of hacking attempts and attacks from inside and outside company networks is on the rise, and security has become a major concern for web applications. In my previous article,2 I gave a general overview of security issues to be considered when it comes to SAP systems. In this article, I provide further information and details on how the security functions integrated with the SAP Web Application Server help to protect your e-business applications on this platform.

Secure Communications

One of the new features of the SAP Web Application Server is native support for HTTP, which means that standard web browsers and peer servers can use standard web protocols to establish end-to-end connections, and communicate data directly with the application server process. This is facilitated via the Internet Communications Manager (ICM) process, which is an extension of the existing SAP application server runtime environment. In addition to the traditional SAP communication protocols DIAG (used by the SAP GUI) and RFC (SAP Remote Function Call), the ICM also natively supports SMTP for electronic Internet mail and HTTPS, the standard Internet protocol for secure web communications, as shown in Figure 1.

Figure 1 The Internet Communications Manager (ICM) Component of the SAP Web Application Server

     With HTTPS, HTTP protocol data is carried over the Secure Sockets Layer (SSL) protocol, an additional layer in the communication system that provides services for strong cryptographic authentication and encryption. The SSL protocol has been an Internet standard for years now, and is widely accepted among security experts as a foundation for strong security for Internet communications.

     HTTPS can be easily switched on in the SAP Web Application Server. There are basically four steps for system administrators to complete:

  1. Download the SAPCRYPTOLIB program library from the SAP Service Marketplace (http://service. sap.com/ocs-download), which contains the implementation of the cryptographic algorithms used by the SSL protocol and the SSL protocol implementation itself.3 Add the library to your SAP Web Application Server installation (detailed installation documentation is contained in the SAPCRYPTOLIB download package).

  2. Generate an SSL cryptographic key pair (private and public keys) for your SAP Web Application Server using dialog transaction STRUST. Have the public key signed by a trust center, resulting in an X.509 server certificate for your SAP Web Application Server installation.

  3. Activate HTTPS by configuring the appropriate profile parameters and communication port, and restart the system.

  4. Change any web links (URLs) pointing to your application from http://… to https://… as desired (the application logic itself does not need to be modified).

     The positioning of your HTTPS-enabled SAP Web Application Server in your company network depends on customer requirements. You can run your application in your intranet only, behind your firewall systems, or place the SAP Web Application Server inside your Demilitarized Zone (DMZ) - i.e., between your external and internal firewalls - where it can be accessed from the Internet. Any access via HTTPS will be strongly authenticated, and request/response data is encrypted using one of several available strong encryption schemes as defined in the SSL protocol standard. To provide further protection against direct protocol attacks on the server system, you can use a reverse-proxy in front of the SAP Web Application Server. A special TCP/IP-level proxy, with access and content filtering and blocking options, is currently planned as an extension for Release 6.20 of the SAP Web Application Server.

     If backend communications via the traditional SAP Remote Function Call (RFC) is required, you can set up secure RFCs using SAP's Secure Network Communications (SNC) option. A default SNC library for securing server-to-server communications is provided by the SAPCRYPTOLIB package as well.

Service-Level Access Control

For each of the web services and applications provided on your SAP Web Application Server, you can decide which should be activated and which should be deactivated (use dialog transaction SICF). Once a service is deactivated, any web request for that service is automatically blocked and rejected in the runtime system of the SAP Web Application Server. Only activate those services you want to provide; keep all others deactivated in your productive server.

     You can also determine whether a service is set as "anonymous," or ask for user authentication. For an anonymous service, you configure a technical service user. Your web application will then always run under this service user.

     For those services that ask for user authentication, the user's identity is determined by the runtime system, using several different options for user authentication, before program control is passed to the application.

User and Role Management

In addition to the familiar user and role management functions in SAP systems, the SAP Web Application Server 6.10 comes with an option for direct integration of SAP user management with your corporate directory service. User information and role assignments can be initialized and periodically synchronized with user data in your corporate directory via the standard Lightweight Directory Access Protocol (LDAP).

     To adapt the data schema as it is used for users and roles by the SAP Web Application Server to the data schema as it exists in your corporate directory, synchronization functions can be customized to define the mapping between various parts of the SAP user master records and the attributes used in the LDAP Directory (use dialog transaction LDAPMAP). This provides the means for centralized user and role management, and integration of an SAP Web Application Server installation into your existing application system landscape (both SAP and non-SAP applications).

     If your web application will need to support a very large number of users, all with identical authorizations (as required, for example, by an Internet shop application), applications running on the SAP Web Application Server can benefit from the concept of the reference user. A reference user is a technical user in the system who is assigned mainly role and authorization information - and is without the ability to logon. So for each large group of users that share identical roles, you can create a reference user with appropriate role assignments, then point to the correct reference user in each individual user's master data. This leads to smaller, "lightweight" user records for your individual users, and significantly simplifies the maintenance of role assignments.

Trust Management

The SAP Web Application Server 6.10 provides comprehensive support for trust management, especially in these areas:

  • SSL Server and Client identity: You can run your web application server system under a single SSL identity, or use different SSL certificates for each server. When the system acts as an SSL client to other web servers, you can run anonymous SSL clients or use the system's default SSL client identity. Further extensions, planned for Release 6.20, can even support multiple SSL client identities.

  • User authentication and single sign-on: Users can be authenticated via a wide range of possible authentication options, such as user ID/password (basic authentication), X.509 digital certificates (SSL client authentication), and Pluggable Authentication Services (PAS). With PAS, X.509 digital certificates, and the SAP Logon Ticket mechanism, users enjoy a variety of options for single sign-on.4

  • Trust Center Registration Authority (RA) function: The SAP Web Application Server features a fully integrated Registration Authority (RA) function for easy user certificate enrollment. When connected to a Trust Center service over the Internet,5 users that have been authenticated by your SAP Web Application Server installation can automatically receive their individual X.509 digital certificate, which is directly installed in the browser. This function considerably simplifies your entry into the world of PKI (public key infrastructure).

Application Security

Applications running on the SAP Web Application Server, such as Business Server Page (BSP) applications, can continue to use the well-known authority check command to protect privileged actions and data access. Such access is then checked against the user's role and authorization data by the runtime system to allow or reject the access.

     There is also substantial support for the use of digital signatures over the web, and for document encryption via the Secure Store & Forward (SSF) interface.

More Information

For more information on SAP Web Application Server security, visit http://service.sap.com/security or send an e-mail to security@sap.com.


 

Dr. Jürgen Schneider has been involved in the design and implementation of SAP security functions since 1996. Since 1998, he has been the Development Manager for Security in SAP Technology Development. He can be reached at j.schneider@sap.com.

 


1 See the overview article "From 'SAP Basis' to 'SAP Web Application Server' - It's Much More Than Just a Name Change!" by Dr. Franz-Josef Fritz in the Jul/Aug/Sep 2001 issue of SAP Insider, available at the SAP Insider online archives at www.SAPinsider.com.

2 See my article "SAP System Security in the Intranet and Internet" in the Apr/May/Jun 2001 issue of SAP Insider, available at the SAP Insider online archives at www.SAPinsider.com.

3 Due to German export restrictions for software providing strong encryption, the SAPCRYPTOLIB package is only provided via a controlled web download. The download is readily available for non-military SAP customers residing in Europe, the United States, Canada, and many other countries. However, for some countries and for customers doing military business, a special export permission is required from the German export authority, which usually can be obtained in two to three weeks upon request. In this case, please contact your local SAP country sales organization.

4 See my article "Single Sign-On with SAP Systems" in the Jul/Aug/Sep issue of SAP Insider, available at the SAP Insider online archives at www.SAPinsider.com.

5 As an example, see http://service.sap.com/tcs for the SAP Trust Center Service.

An email has been sent to:






More from SAPinsider



COMMENTS

Please log in to post a comment.

No comments have been submitted on this article. Be the first to comment!


SAPinsider
FAQ