Dr. Jürgen Schneider
Nobody can afford to run business applications without appropriate security measures in place. The risks — exposure of confidential data, identity theft, or service unavailability due to malicious attacks against the security and stability of your systems — are too high. On the Internet, such attacks are happening daily. Automatic tools scan your systems for open communication ports, try to install malicious programs, or damage your applications using specially crafted requests or by flooding your servers. Every company must be aware that the port scanners, network sniffers, and vulnerability detection tools at work in your intranet could also be used by the wrong people to exploit your internal network's security weaknesses to their advantage — or to simply cause you trouble. Even if your network is protected, your users are still receiving emails, visiting foreign Web sites, and downloading documents. If no care is taken, these innocent acts could activate and spread viruses throughout your environment.
In the world we're living in, services and tools for secure application development and system administration are crucial elements of any application software technology platform. Security must be built into an application right from the start, during design and development, configured appropriately at installation and deployment time, and enforced and monitored permanently during daily operation.1 There are many facets to tightening up security in any environment, and all of them have to be protected to keep the bad guys out while letting the good folks continue working efficiently.
This article provides an overview of the security services and tools provided with the SAP NetWeaver technology platform — and not just for system administrators. If you are an application developer, an IT manager, or simply a user of SAP business application software, you are affected somewhere along the way by SAP's security offerings. Let's take a brief look at the complete security offering included in SAP NetWeaver.2
Securing the Infrastructure Supporting Your SAP Applications
The security of any SAP application is, of course, partly dependent on an infrastructure: the hardware and operating systems of the Web application and database servers, the desktop, and the frontend computers, along with the network and communication services that form a distributed system.
Platform and network security for SAP applications is mainly provided by using our hardware and software partners' capabilities, such as the operating system, file system, and database security. However, the multi-tier architecture of SAP application software supports installation of components in different network zones to support perimeter security (see Figure 1). By deploying partner solutions, access to frontend computers can also be protected by hardware tokens such as smartcards.
Figure 1: Network Security, Secure Communications, and the SAP Web Dispatcher
Now, with SAP NetWeaver, there are two additional options to enforce security at the communications level — options that you should consider mandatory for productive installations:
- SAP Web Dispatcher
- SAP Cryptographic Library and Toolkit for secure communications
The SAP Web Dispatcher is an application-level reverse proxy for HTTP-based Web communications.3 Its main function is to represent a "first line of defense" for Web requests destined for SAP applications. It is usually placed in the "demilitarized zone" behind an external firewall system. Web requests arriving at the SAP Web Dispatcher are verified and, if blocking, filtering, and syntax criteria are met, routed to an SAP application server according to the load balancing protocol. The SAP Web Dispatcher also provides protection against denial of service attacks via request flooding.4
As Figure 1 also shows, every communication path set up between components of a distributed SAP system supports secure communications, including strong server and client authentication as well as integrity and confidentiality protection of the data using encryption. To switch on secure communications for the classical SAP protocols Dynamic Information and Action Gateway (DIAG) and Remote Function Call (RFC), as well as for HTTP (the standard Web protocol), customers need to download and install the SAP Cryptographic Library and the SAP Java Cryptography Toolkit from the SAP Service Marketplace.5
For the classical SAP protocols, secure communications are supported via an Internet standard, the Generic Security Services (GSS) API Version 2. The SAP Cryptographic Library provides an implementation of GSS API Version 2 that customers can use to secure their server-to-server communication paths. To include SAP frontends for secure communications, a certified SAP partner solution is required.
For secure Web communications, the SAP Cryptographic Library includes an implementation of the Secure Sockets Layer (SSL) protocol (another Internet standard), which is supported by every commercial Web browser today. When HTTP is run over SSL (called HTTPS), the Web server and optionally the Web client are authenticated using X.509 digital certificates, and all communications are protected by strong encryption.
Controlling User Access
Not every system and application in your IT landscape needs to be accessed by everybody. So for each system and application, you need to know who your users are. Of course, you want to make access as simple as possible for these users, but at the same time, you also need to provide strong protection against unauthorized access. Internal controls, such as user account and identity management, strong authentication and single sign-on, and service-level access criteria are the key services to achieve this goal.
For each service made available for user access with SAP NetWeaver as the platform, you can decide whether it runs anonymously or requires user authentication upon access. If user authentication is specified for a service, both the ABAP and Java runtimes in SAP NetWeaver try to find and verify the required authentication information in the incoming request or to trigger corresponding authentication protocols. If authentication fails, the request is rejected. User authentication can also be triggered programmatically by an application that allows anonymous access but later asks for a user's identity.
The SAP NetWeaver platform offers user ID, password, and X.509 digital certificates6 with SSL-based authentication as default options (see Figure 2). For both the ABAP and the Java runtime, interfaces for pluggable authentication exist, allowing customers to plug in a partner-provided authentication module. In this case, the authenticated user is mapped to a user account known to SAP user management by either the authentication module or by mapping information provided to the SAP user management services.
Figure 2: Authentication and Single Sign-On with SAP NetWeaver (table "SAP Single Sign-On Solutions", column "Single Sign-On Mechanism"). Entries: SAP User ID and Password; SAP Logon Ticket; Security Assertions Markup Language (SAML); X.509 Digital Certificates (SAP Trust Center); SNC Product Logon; Pluggable Authentication Service (PAS); SNC Single Sign-On; External or combined with SAP Logon Ticket; Windows or combined with SAP Logon Ticket; X.509 Digital Certificates (external PKI).
To provide single sign-on (SSO), the SAP Logon Ticket mechanism can be switched on. In all "people-centric" solutions from SAP, such as SAP Enterprise Portal or mySAP CRM interfaces, the SAP Logon Ticket is an authentication token created by the SAP system where the initial user authentication took place. The Logon Ticket is stored in the user's frontend (i.e., the Web browser) as a nonpersistent cookie. For security reasons, it should always be used over secure connections.
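The two properties stated above for the Logon Ticket cookie (nonpersistent, used only over secure connections) can be checked on captured response headers. The following is an added example, not code from the article or from SAP; it assumes the ticket is issued under the cookie name MYSAPSSO2, and the header values are constructed placeholders.

```python
# Added example: audit Set-Cookie headers for the SAP Logon Ticket cookie.
# Assumption: the ticket is issued under the cookie name MYSAPSSO2.
TICKET_COOKIE = "MYSAPSSO2"


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_logon_ticket(set_cookie_headers, scheme):
    """Return findings for every Logon Ticket cookie set by one response.

    scheme is the scheme ("http" or "https") of the request that
    produced the response.
    """
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name != TICKET_COOKIE:
            continue  # only the Logon Ticket is in scope here
        if scheme.lower() != "https":
            # The ticket itself crossed the network unencrypted.
            findings.append("issued-over-plain-http")
        if "secure" not in attrs:
            # Without Secure the browser also sends it on http:// requests.
            findings.append("missing-secure-attribute")
        if "expires" in attrs or "max-age" in attrs:
            # A lifetime attribute makes the cookie persistent on disk.
            findings.append("persistent-cookie")
    return findings


# Constructed sample responses (values are placeholders, not real tickets).
GOOD = ["JSESSIONID=constructed-session; Path=/",
        "MYSAPSSO2=CONSTRUCTED-TICKET; Path=/; Secure"]
BAD = ["MYSAPSSO2=CONSTRUCTED-TICKET; Path=/; "
       "Expires=Wed, 09 Jun 2027 10:18:14 GMT"]

if __name__ == "__main__":
    for label, headers, scheme in (("good", GOOD, "https"), ("bad", BAD, "http")):
        print(label, audit_logon_ticket(headers, scheme) or "no findings")
```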
In the newest ABAP and Java runtime releases provided with SAP NetWeaver, authentication assertions according to the Security Assertions Markup Language (SAML) standard are also accepted for single sign-on. Other SSO mechanisms — for example, X.509 digital certificates only, or leveraging the SSO services provided by Microsoft Windows environments or by partner solutions — can also be configured for initial user authentication and can be combined with the SAP Logon Ticket if required (for example, to access SAP backend systems).
To determine a user's identity, the user and identity management services in SAP NetWeaver store authentication information, such as password hash values and certificate mappings, linked to technical user accounts.
In addition, authorization information such as permission and role data is associated with a user account. A user can have multiple technical user accounts — for instance, one in SAP Enterprise Portal and another in SAP backend systems. Besides technical account data, SAP systems also hold various attribute information belonging to identities, such as personalization and address data.
The ABAP runtime of SAP NetWeaver uses the relational database to store and manage user accounts (see Figure 3). Optionally, user account and attribute data can be synchronized periodically with an LDAP directory.7 In addition, Central User Administration (CUA) is provided for the ABAP environment using SAP Application Link Enabling (ALE) technology. ABAP user management services can be accessed from the SAP GUI or via BAPIs.
Figure 3: User Management for the ABAP Runtime
The Java runtime of SAP NetWeaver also includes a User Management Engine (UME) with a flexible persistence management layer supporting a relational database, an LDAP directory, or an ABAP user management system as persistence options (see Figure 4). The UME services can be accessed via the Visual Administrator (the administration tool for SAP Web AS Java), from a Web-based administration tool, or programmatically via Java APIs.
Figure 4: User Management for the Java Runtime
Altogether, the identity management services of SAP NetWeaver allow standalone operation of ABAP and Java-based applications, as well as flexible integration into existing corporate directories and administration processes.
Safeguarding Business Processes
Very often, collaborative business processes happen not between users, but between IT systems and applications in an automated, asynchronous fashion. This form of cooperation requires message-based interaction, where each message carries integrity, authenticity, and identity information. Each message also requires confidentiality protection for the contained data.8 So SAP NetWeaver and SAP Exchange Infrastructure provide strong document and message protection mechanisms in addition to transport-level security. Adherence to open standards is of prime importance here to establish trust between partners and to achieve platform interoperability.
Message protection uses public key technology as illustrated in Figure 5. With SAP NetWeaver, XML messages can be protected against modification using digital signatures according to the XML Signature standard. Support for Public Key Cryptography Standards (PKCS) is provided as well.9 To support the required key and trust management processes, key storage and digital certificate administration tools are available for both the ABAP and Java runtimes.
Figure 5: XML Signature and XML Encryption: Message-Level Protection Mechanisms in SAP NetWeaver
Standard Web services are another important element of secure collaboration these days. By using XML message security services, SAP NetWeaver supports Web services security according to the WS-Security standards in both language runtimes (ABAP and Java).
Security During Application Development
The development environments of SAP NetWeaver — the ABAP Workbench (dialog transaction SE80) and the SAP NetWeaver Developer Studio — give security APIs full access to leverage the security services and tools included in the SAP NetWeaver platform.
To develop secure applications with SAP NetWeaver, both the ABAP and the Java programming and runtime environments offer APIs to:
- Access authenticated user and
- Enforce access control and
- Protect data and documents with digital signatures and encryption
- Check for viruses and malicious content
- Write audit trail data
Throughout the platform, a role-based authorization approach is taken. Users can have several roles assigned to them. A role carries a bag of permissions, which are checked by object services by declaration or programmatically. In the ABAP environment, application programmers can use authorization objects and the language statement "authority-check" to enforce authorization. In the Java environment, both Java 2 Platform, Enterprise Edition (J2EE) container-based security and the Java 2 Platform, Standard Edition (J2SE) authorization model using Java permissions are fully supported.11
The new release of SAP NetWeaver (NetWeaver '04) will include, for the first time, an API to attach scan engines from SAP partners. Using this API and a corresponding partner product enables scanning for viruses and active content from within applications to further improve application and document security. Look for more information on this in a future issue of SAP Insider.
In addition, both the ABAP and the Java runtime environments of SAP NetWeaver feature auditing and logging services. For ABAP applications, the Audit Information System (AIS) has been provided for years to help customers conduct internal and external audits of their SAP systems. Similar support for the Java environment and further extensions of the auditing capabilities are planned.
To gain more insight into SAP NetWeaver's comprehensive platform for secure application development and operation, you can begin simply by using and applying the functionality described here in your own applications and administration efforts. There are plenty of resources to help you in SAP NetWeaver's extensive support and documentation.
Future work on SAP security services as part of SAP NetWeaver will concentrate on extended identity management functions, such as identity federation using open protocols, extensions to Web services security as defined by standards, and further centralization of key security administration processes to further reduce total cost of ownership. Also, with the new interfaces in SAP NetWeaver, intrusion detection and prevention will be better supported with the help of partner solutions. Finally, powerful auditing capabilities using an Enterprise Services Architecture (ESA) approach for distributed business processes will stay on the agenda of the SAP business application platform.12
For more details, see the security sections of the online SAP Help Portal at http://help.sap.com. For timely security information and updates, visit http://service.sap.com/security. And send any security questions and concerns by email to email@example.com.
1 See my article "The Security Behind Your SAP Systems: The Secure Software Lifecycle at SAP" in the April-June 2003 issue of SAP Insider (www.SAPinsider.com).
2 For details on particular aspects of security for SAP environments, see my articles in previous issues of SAP Insider on topics such as secure communications (July-September 2003), user and authorization management (January-March 2002 and July-September 2002), and single sign-on (July-September 2001). For SAP's own set of security standards and approach to trusted computing see my article in the April-June 2003 issue of SAP Insider (www.SAPinsider.com).
3 The SAP Web Dispatcher is an optional offering in SAP NetWeaver; similar components (reverse proxies) provided as open source or by SAP partners can be used here as well. Some protection of this kind should be incorporated into your infrastructure.
4 See my article "Achieving Network Security and Secure Load Balancing with the SAP Web Dispatcher" in the October-December 2002 issue of SAP Insider (www.SAPinsider.com).
5 Full documentation for installation of both the library and the toolkit is available at the SAP Service Marketplace. Because of export regulations in Germany, separate download of the crypto library is required (see http://service.sap.com/swcenter => Download => SAP
6 X.509 digital certificate-based user authentication requires a Public Key Infrastructure and a Trust Center to issue user certificates. Along with other providers, SAP also offers its own Trust Center services via the SAP Service Marketplace (see http://service.sap.com/tcs).
7 An increasing number of SAP customers set up corporate directories accessed via the standardized Lightweight Directory Access Protocol (LDAP). Various SAP partner products have been certified for interoperability with the LDAP synchronization services in SAP NetWeaver. See http://service.sap.com/security => Security Partners for more details.
8 Confidentiality protection using the XML Encryption standard is planned for SAP NetWeaver '05.
9 For more on PKCS, see www.rsasecurity.com/rsalabs/pkcs/.
10 For more information on Web service security, see my article "Developing and Deploying Secure Web Services with SAP NetWeaver" in the January-March 2004 issue of SAP Insider (www.SAPinsider.com).
11 See my previous articles "J2EE Security Architecture Implementation with the SAP J2EE Engine" in the January-March 2003 issue and "Build Security into Your J2EE Application Development Process with SAP NetWeaver Development Studio" in the October-December 2003 issue of SAP Insider (www.SAPinsider.com).
12 See "When Does a Web Service Become an Enterprise Service? An Introduction to the Principles of Enterprise Services Architecture (ESA)" by Franz-Josef Fritz in this issue of SAP
Dr. Jürgen Schneider has been involved in the design and implementation of SAP security functions since 1996. From 1998 to 2003, he was the Development Manager for SAP Web Application Server Security in Development. In 2003, he was appointed Vice President for Security and Identity Management in the SAP NetWeaver platform. He can be reached at firstname.lastname@example.org.