With SAP Web Application Server Release 6.10, SAP introduced a powerful
Internet application platform that is at the core of all major SAP solutions
(including mySAP CRM 3.0, and the upcoming releases of mySAP APO and mySAP
BW), and that can also be seamlessly integrated with mySAP Workplace and
mySAP Marketplace solutions. The new SAP Web Application Server is also
a component in its own right, providing a complete web application development
and deployment platform, while retaining full support for all proven SAP
To satisfy the requirements of dynamic
and collaborative web applications, and to act as a server for browser-based
applications in various intranet and Internet scenarios, such an application
platform also requires strong integrated security functions. The number
and severity of hacking attempts and attacks from inside and outside company
networks is on the rise, and security has become a major concern for web
applications. In my previous article,2 I gave
a general overview of security issues to be considered when it comes to
SAP systems. In this article, I provide further information and details
on how the security functions integrated with the SAP Web Application
Server help to protect your e-business applications on this platform.
One of the new features of the SAP Web Application Server is native support
for HTTP, which means that standard web browsers and peer servers can
use standard web protocols to establish end-to-end connections, and communicate
data directly with the application server process. This is facilitated
via the Internet Communications Manager (ICM) process, which is an extension
of the existing SAP application server runtime environment. In addition
to the traditional SAP communication protocols DIAG (used by the SAP GUI)
and RFC (SAP Remote Function Call), the ICM also natively supports SMTP
for electronic Internet mail and HTTPS, the standard Internet protocol
for secure web communications, as shown in Figure 1.
||The Internet Communications Manager (ICM) Component of the
SAP Web Application Server
With HTTPS, HTTP protocol data is carried
over the Secure Sockets Layer (SSL) protocol, an additional layer
in the communication system that provides services for strong cryptographic
authentication and encryption. The SSL protocol has been an Internet standard
for years now, and is widely accepted among security experts as a foundation
for strong security for Internet communications.
HTTPS can be easily switched on in the
SAP Web Application Server. There are basically four steps for system
administrators to complete:
- Download the SAPCRYPTOLIB program library from the SAP Service Marketplace
sap.com/ocs-download), which contains the implementation of
the cryptographic algorithms used by the SSL protocol and the SSL protocol
implementation itself.3 Add the library to your SAP Web Application
Server installation (detailed installation documentation is contained
in the SAPCRYPTOLIB download package).
- Generate an SSL cryptographic key pair (private and public keys)
for your SAP Web Application Server using dialog transaction STRUST.
Have the public key signed by a trust center, resulting in an X.509
server certificate for your SAP Web Application Server installation.
- Activate HTTPS by configuring the appropriate profile parameters
and communication port, and restart the system.
- Change any web links (URLs) pointing to your application from
http://… to https://… as desired (the application
logic itself does not need to be modified).
The positioning of your HTTPS-enabled SAP
Web Application Server in your company network depends on customer requirements.
You can run your application in your intranet only, behind your firewall
systems, or place the SAP Web Application Server inside your Demilitarized
Zone (DMZ) - i.e., between your external and internal firewalls - where
it can be accessed from the Internet. Any access via HTTPS will be strongly
authenticated, and request/response data is encrypted using one of several
available strong encryption schemes as defined in the SSL protocol standard.
To provide further protection against direct protocol attacks on the server
system, you can use a reverse-proxy in front of the SAP Web Application
Server. A special TCP/IP-level proxy, with access and content filtering
and blocking options, is currently planned as an extension for Release
6.20 of the SAP Web Application Server.
If backend communications via the traditional
SAP Remote Function Call (RFC) is required, you can set up secure RFCs
using SAP's Secure Network Communications (SNC) option. A default SNC
library for securing server-to-server communications is provided by the
SAPCRYPTOLIB package as well.
Service-Level Access Control
For each of the web services and applications provided on your SAP Web
Application Server, you can decide which should be activated and which
should be deactivated (use dialog transaction SICF). Once a service is
deactivated, any web request for that service is automatically blocked
and rejected in the runtime system of the SAP Web Application Server.
Only activate those services you want to provide; keep all others deactivated
in your productive server.
You can also determine whether a service
is set as "anonymous," or ask for user authentication. For an
anonymous service, you configure a technical service user. Your web application
will then always run under this service user.
For those services that ask for user authentication,
the user's identity is determined by the runtime system, using several
different options for user authentication, before program control is passed
to the application.
User and Role Management
In addition to the familiar user and role management functions in SAP
systems, the SAP Web Application Server 6.10 comes with an option for
direct integration of SAP user management with your corporate directory
service. User information and role assignments can be initialized and
periodically synchronized with user data in your corporate directory via
the standard Lightweight Directory Access Protocol (LDAP).
To adapt the data schema as it
is used for users and roles by the
SAP Web Application Server to the data schema as it exists in your corporate
directory, synchronization functions can be customized to define the mapping
between various parts of the SAP user master records and the attributes
used in the LDAP Directory (use dialog transaction LDAPMAP). This provides
the means for centralized user and role management, and integration of
an SAP Web Application Server installation into your existing application
system landscape (both SAP and non-SAP applications).
If your web application will need to support
a very large number of users, all with identical authorizations (as required,
for example, by an Internet shop application), applications running on
the SAP Web Application Server can benefit from the concept of the reference
user. A reference user is a technical user in the system who is assigned
mainly role and authorization information - and is without the ability
to logon. So for each large group of users that share identical roles,
you can create a reference user with appropriate role assignments, then
point to the correct reference user in each individual user's master
data. This leads to smaller, "lightweight" user records for
your individual users, and significantly simplifies the maintenance of
The SAP Web Application Server 6.10 provides comprehensive support for
trust management, especially in these areas:
- SSL Server and Client identity: You can run your web application
server system under a single SSL identity, or use different SSL certificates
for each server. When the system acts as an SSL client to other web
servers, you can run anonymous SSL clients or use the system's default
SSL client identity. Further extensions, planned for Release 6.20, can
even support multiple SSL client identities.
- User authentication and single sign-on: Users can be authenticated
via a wide range of possible authentication options, such as user ID/password
(basic authentication), X.509 digital certificates (SSL client authentication),
and Pluggable Authentication Services (PAS). With PAS, X.509 digital
certificates, and the SAP Logon Ticket mechanism, users enjoy a variety
of options for single sign-on.4
- Trust Center Registration Authority (RA) function: The SAP Web Application
Server features a fully integrated Registration Authority (RA) function
for easy user certificate enrollment. When connected to a Trust Center
service over the Internet,5
users that have been authenticated by your SAP Web Application Server
installation can automatically receive their individual X.509 digital
certificate, which is directly installed in the browser. This function
considerably simplifies your entry into the world of PKI (public key
Applications running on the SAP Web Application Server, such as Business
Server Page (BSP) applications, can continue to use the well-known authority
check command to protect privileged actions and data access.
Such access is then checked against the user's role and authorization
data by the runtime system to allow or reject the access.
There is also substantial support for the
use of digital signatures over the web, and for document encryption via
the Secure Store & Forward (SSF) interface.
For more information on SAP Web Application Server security, visit http://service.sap.com/security
or send an e-mail to email@example.com.
Dr. Jürgen Schneider has been
involved in the design and implementation of SAP security functions since
1996. Since 1998, he has been the Development Manager for Security in SAP
Technology Development. He can be reached at firstname.lastname@example.org.
See the overview article "From 'SAP Basis' to 'SAP Web Application Server'
- It's Much More Than Just a Name Change!" by Dr. Franz-Josef Fritz in
the Jul/Aug/Sep 2001 issue of SAP Insider, available at the SAP Insider
online archives at www.SAPinsider.com.
See my article "SAP System Security in the Intranet and Internet" in the
Apr/May/Jun 2001 issue of SAP Insider, available at the SAP Insider online
archives at www.SAPinsider.com.
Due to German export restrictions for software providing strong encryption,
the SAPCRYPTOLIB package is only provided via a controlled web download.
The download is readily available for non-military SAP customers residing
in Europe, the United States, Canada, and many other countries. However,
for some countries and for customers doing military business, a special
export permission is required from the German export authority, which
usually can be obtained in two to three weeks upon request. In this case,
please contact your local SAP country sales organization.
See my article "Single Sign-On with SAP Systems" in the Jul/Aug/Sep issue
of SAP Insider, available at the SAP Insider online archives at www.SAPinsider.com.
As an example, see http://service.sap.com/tcs
for the SAP Trust Center Service.