GRC
HR
SCM
CRM
BI


Article

 

Do You Know Exactly Who’s Looking at Your Business Data? Secure Critical Business Information Using SAP NetWeaver’s Enhanced XML Encryption Capabilities

by Yonko Yonchev | SAPinsider

January 1, 2008

Maintaining the confidentiality of your business data is critically important. But -- until now -- XML encryption was only possible with SAP NetWeaver Process Integration. Step through a valuable sample business scenario to set up XML encryption in your system landscape with tools now available across the SAP NetWeaver stack.
 

Key Concept: XML Encryption

XML encryption is, at its core, a W3C-standard XML syntax used to encrypt confidential content in the SOAP envelope of a Web service message. The receiver of the message can then use the standards-compliant syntax to decrypt the encrypted XML message based on existing trust relationships with the message sender.

Ensuring not just a message's integrity, but also its confidentiality, when using enterprise services to communicate critical business information — credit card numbers or banking information, for example — requires XML encryption. To date, XML encryption could only be used if you employed SAP NetWeaver Process Integration (SAP NetWeaver PI, formerly known as SAP NetWeaver XI) in your system landscape.1

You could also ensure the integrity of service messages through XML signatures, but this typically did not meet the full security requirements of service-oriented business scenarios (see sidebar). What's more, it called for the configuration and deployment of additional system components — a deterrent for many resource-strapped IT departments.

Now, the tools to ensure your service messages' confidentiality are being made available across the SAP NetWeaver stack. SAP NetWeaver 7.1 includes XML encryption capabilities as standard application server functionality. And with the availability of SAP NetWeaver 7.0 support package 14, followed by an enhancement package for SAP ERP planned for later in 2008, you will also be able to natively provide enterprise services with XML encryption from the Application Server (AS) ABAP.2

Moreover, with the availability of new, intuitive Web browser-based interfaces for configuration environments, you can easily enhance service messages with XML encryption capabilities and ensure the confidential transmission of critical business information with enterprise services.

Note!
While this article does highlight some key issues for SAP ERP landscapes, it is not within its scope to look at the full breadth of planning and decision-making factors for setting up and evolving an entire system landscape.

Why Use XML Encryption?

Methods for encrypting messages transmitted through a network have been around for some time and have seen wide adoption. Secure Socket Layer (SSL), commonly used for banking transactions, is one such method; Secure Network Communication (SNC), which uses ABAP's remote function call (RFC) protocols for confidential connections, is another.

Mechanisms such as these, however, are designed as point-to-point solutions to the confidentiality question; in other words, the security elements that ensure confidentiality remain an indivisible part of the established communication channel between the message sender and receiver. The confidentiality of the communicated messages is therefore only ensured when the message is sent through that particular confidential communication channel.

In contrast, XML encryption adds the security information for confidentiality to the service message itself. When a sender transmits a service message, the security protection stays with that message and not with the communication channel used to send it. An immediate advantage here is that users can send confidential messages over unencrypted communication channels; this paves the way for securing business scenarios that use heterogeneous system infrastructures (see sidebar).

Securing Your Messages: Integrity vs. Confidentiality

It is essential to distinguish between the contributions that integrity and confidentiality bring to the security of service messages.

Guaranteeing a message's integrity ensures that message content is not changed during transfer. For enterprise services, this can be done by assigning XML signatures to a message — a function currently supported by SAP NetWeaver 7.0. If the message is somehow changed in transit, the signature will be invalidated, alerting the message receiver that someone has tampered with the message and it is no longer secure.

XML encryption — which this article will focus on — guarantees the confidentiality of the message, meaning that nobody except the message's sender and receiver will be able to read it.

Alone, neither solution provides one-stop shopping for message security, however. It is important to remember that encrypting a message for confidentiality will not ensure the integrity of that message — and vice versa. In fact, you'll need to use both security measures as a precaution against common security hazards, such as message replay attacks.

A Sample Scenario for Using XML Encryption

To demonstrate the concepts involved in setting up the use of XML encryption, let's consider a sample business scenario, depicted in Figure 1, which involves two business partners exchanging critical information.

Figure 1
Sample business scenario using XML encryption

Consider Business Partner A, who wants to consume a service — say, a credit card processing service — offered by Business Partner B. This service requires that all service requests and responses be confidential due to the sensitive nature of the information being transferred. Partner A should therefore consume the service by exchanging (sending as requests and receiving as responses) XML-encrypted SOAP messages with Partner B.

As mentioned previously, SAP NetWeaver Process Integration 7.0 is no longer a required component to use XML encryption. Business Partner B, however, can still choose to use it — or its successor SAP NetWeaver Process Integration 7.1 — to secure services from back-end systems that do not fully support XML encryption. Business Partner B could also use this platform as a single provisioning point for back-end service providers.3

It's important to note that the two partners can only communicate confidentially if they've first established a trust relationship.

Why XML Encryption Matters for Enterprise SOA

Web services and the open standards they use form the core communication technology of SAP's enterprise service-oriented architecture (enterprise SOA). Enterprise service messages carry important business information and logic, which means they require security protection guarantees.

XML encryption is one such protection guarantee for message confidentiality. The fact that it works at the service-message level allows it to meet interoperability requirements in service-oriented scenarios. Accordingly, the availability of XML encryption as a generic function of the SAP NetWeaver platform adds an essential building block for meeting security requirements in enterprise SOA scenarios.

Before You Begin: Establish a Trust Relationship

Before exchanging an XML-encrypted message, Business Partner B (the service provider) and Business Partner A (the service consumer) must establish a trust relationship by:

  1. Mutually exchanging their public keys

  2. Placing these keys in appropriate key storage locations

To perform these steps, SAP NetWeaver 7.0 systems use the Visual Administrator tool for AS Java key management, and transaction STRUST in AS ABAP.

But with SAP NetWeaver Composition Environment 7.1, the AS Java key storage tasks are performed with the Certificates and Keys key management function in SAP NetWeaver Administrator, a new tool available with SAP NetWeaver 7.1 (see sidebar).4

We'll look at this Certificates and Keys function for the trust configuration example in this article. To use this function, the sender and receiver systems must be enabled to use strong cryptographic mechanisms, as with other cryptography-intensive functions.5

Once you launch SAP NetWeaver Administrator, follow the menu path Configuration Management ? Security ? Certificates and Keys to get to the key storage administration area. The key storage will then open in a new browser window and show the key storage views, which group the keys that the SAP NetWeaver system can use for cryptographic operations by their specific functions (such as encryption or digital signature generation for service messages).

Two of these key storage views are important for XML encryption:

  • WebServiceSecurity contains the private key used to decrypt a message and its corresponding public key certificate. For AS ABAP, the corresponding Private Storage Environment (PSE) is WSSKEY.

  • WebServiceSecurity_Certs contains the partner public key certificates to encrypt service messages. As you will see later in this article, SAP NetWeaver Administrator configuration options enable you to choose an alternative keystore view. For AS ABAP, the corresponding certificate PSE is WSSCRT or System PSE, as configured.

New Tool Simplifies System Administration

SAP NetWeaver Administrator (NWA) is a new tool, available with SAP NetWeaver 7.1, for integrated system administration from a Web browser.

You can use the tool for administering single systems or system landscapes. To launch SAP NetWeaver Administrator, use the URL http://:/nwa.6

To configure a trust relationship, you must export the public key certificate of the message sender from the WebServiceSecurity view and import it into the WebServiceSecurity_Certs view on the message receiver (see Figure 2).7

Figure 2
Configuring a trust relationship for XML encryption in the key storage management functions of SAP NetWeaver Administrator

Keep in mind that during the service message exchange process, the service consumer and service provider will change roles as sender and receiver. Partner A will initially be the service request sender and Partner B the receiver, but the roles are then reversed for the message response. That is why, when encryption is required both for service requests and for service responses, you will have to establish a bidirectional trust relationship and perform the public key import and the export on both the service consumer and provider systems of Partners A and B, respectively.

Once you configure the appropriate trust relationship, you will be ready to use XML encryption for your service messages.

Note!
Any user executing an XML-encrypted service must be authorized to access the keystore views as a security precaution. To give users proper access, assign users roles that contain the actions keystore-view.WebService Security and keystore-view.WebServiceSecurity_Certs. You can do this using SAP NetWeaver Administrator's Identity Management functions.8

How to Set Up XML Encryption

XML encryption works on the basic premise that an application will expose its business methods as services in a service endpoint (SEI). A counterparty system can then consume those services through a logical port (LP) of a Web Service (WS) client application, which acts as an intermediary, or translator, between the native interfaces of the service consumer and the service provider. The LPs of the WS clients are created during the consumer application development process, and are based on standard Web Services Description Language (WSDL) documents generated by the service provider.

With SAP NetWeaver 7.1, the security configuration — including for XML encryption — for the service provider and consumer can be performed within the SOA Management function of SAP NetWeaver Administrator.

With the planned functionality enhancements for SAP NetWeaver 7.0, you will be able to use the configuration functions in a similar way. In addition, for AS ABAP-only systems, you will be able to use the transaction SOAMANAGER to directly access the configuration options.

Let's walk through the configuration of XML encryption for both the service provider (Business Partner B) and the service consumer (Business Partner A).

Enable XML Encryption for Business Partner B as the Service Provider

First, launch Web Services Configuration in SAP NetWeaver Administrator by navigating to SOA Management ? Business Management ? Web Services Administration, and choose Service Definition Name from the drop-down list at the top of the screen.

To set up security configurations, you'll then need to identify your service endpoints (see Figure 3). To do so, use the search function to find the service definition on the service provider and display its SEIs . You can also create a new SEI specifically for XML encryption through a wizard-supported setup (by clicking the Create Endpoint button ), or edit an existing endpoint to enable XML encryption.

Figure 3
Exposing a service with XML encryption

After selecting the SEI name , enable XML encryption for the endpoint by selecting the corresponding check boxes . In Figure 3, you can see that XML encryption is enabled both for the incoming request and for the outgoing response. Click the Details button to choose the trusted certificate to encrypt the outbound connection . From the displayed drop-down list, choose the Business Partner A certificate you imported during the trust configuration.

After you save your changes, you will be able to send the service with XML encryption.

Enable XML Encryption for Business Partner A as the Service Consumer

As a result of SAP NetWeaver's support for the WS-Security Policy standard, the logical port configuration will be automatically set up based on the security options defined by the service provider (Business Partner B). So once Business Partner A develops a service client application, it only needs to call up the logical port that uses XML encryption and, for our scenario, set up the trusted provider certificate to encrypt the service request.

The consumer logical port configuration can also be modified from SAP NetWeaver Administrator by following the menu path SOA Management ? Business Administration ? Web Services Administration. This time, however, choose the item Proxy Definition Name from the drop-down menu. Next, find the proxy definition for your service (see Figure 4). By selecting the service name from the proxy definition table , you can display the service consumer's logical ports , from which you can access the service's security settings. You can then choose the trusted certificate that will be used to encrypt the connection .

Figure 4
Consuming a service with XML encryption

Alternatively, you can edit an existing logical port or create a new one (just click the Create LP button ). For this case, however, Business Partner A cannot use automated synchronization for security configurations with the service provider, Business Partner B.

Once you complete these steps, the service consumer application will be able to send and receive XML-encrypted messages for the service you have chosen.

Summary

XML encryption is a security mechanism that allows you to ensure the confidentiality of important messages and information in enterprise SOA scenarios.

With SAP NetWeaver 7.1 and planned enhancement packages for SAP NetWeaver 7.0 and SAP ERP, XML encryption will be available as part of the core SAP NetWeaver application server functionality.

Remember, though, that XML encryption is only one piece of a complete security solution. To realize its potential as an end-to-end security mechanism in a business scenario, be sure to use XML encryption with complementary security methods, such as authentication, digital signatures, and appropriate authorization checking.

 



1 See the Security Strategies column "Ensure the Confidentiality of Your SOAP Message Content" in the January-March 2007 issue of SAP Insider (www.SAPinsideronline.com).

2 The SAP NetWeaver 7.1 platform is available with SAP NetWeaver Composition Environment 7.1 and SAP NetWeaver Process Integration 7.1. For information on the SAP release dates for enhancement packages and their functionality, visit the SAP Service Marketplace at http://service.sap.com.

3 I won't cover the use of SAP NetWeaver Process Integration in detail, though, as it is outside the scope of this article.

4 This article will focus mainly on the new functions for setting up trust for XML encryption in the Java server that underlies SAP NetWeaver Composition Environment. For more information on trust configuration in AS ABAP, refer to the SAP help portal documentation at http://help.sap.com/saphelp_nw70/helpdata/en/0e/fb993af7700577e10000000a11402f/frameset.htm.

5 The availability of strong cryptographic functions is subject to export regulations. For more information, contact your local SAP representative.

6 Consult the SAP NetWeaver 7.1 documentation for the full range of functions available with SAP NetWeaver Administrator.

7 For more information on establishing a trust relationship and exchanging public and private keys, see the Security Strategies column "Ensure the Confidentiality of Your SOAP Message Content" in the January-March 2007 issue of SAP Insider (www.SAPinsideronline.com).

8 For more information about Identity Management functions in SAP NetWeaver, see http://help.sap.com/saphelp_nwce10/helpdata/en/45/ec4aec1a383483e10000000a1553f6/frameset.htm.


Additional Resources

"Ensure the Confidentiality of Your SOAP Message Content: XML Encryption Using Web Services Security in SAP NetWeaver XI" a Security Strategies column by Peter McNulty, Paul Medaille, and Gerlinde Zibulski (SAP Insider, January-March 2007, www.SAPinsideronline.com)

The Developer's Guide to SAP NetWeaver Security by Martin Raepple, anticipated to begin shipping in April 2008 (SAP PRESS, http://store.sapinsider.wispubs.com)

The SAP Administration and Infrastructure 2008 conference in Orlando, March 26-28, for comprehensive coverage of SAP tools for security, monitoring, testing, and maintenance (www.sapadmin2008.com)

Yonko Yonchev (yonko.yonchev@sap.com) is a member of the Product Management Security team at SAP AG in Walldorf, Germany. Yonko joined SAP over three years ago, starting in the Product Management team at SAP Labs Bulgaria. He has worked on a variety of security topics including access control, single sign-on, Web service security, and Java and portal server security. Prior to joining SAP, he worked as a technical consultant in the US. Yonko holds an undergraduate degree in economics and an MBA with a management of information systems concentration from Bentley College.

An email has been sent to:






More from SAPinsider



COMMENTS

Please log in to post a comment.

No comments have been submitted on this article. Be the first to comment!


SAPinsider
FAQ