You are on page 1of 23

SAP NetWeaver Identity Management 7.

0 SPS 1

SAP NetWeaver Identity Management Security Guide


Document Version 1.00 Dezember 2007

SAP AG Neurottstrae 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 20 www.sap.com SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, Copyright 2007 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. These materials are subject to change without notice. These Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. Disclaimer UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Documentation on SAP Service Marketplace Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. You can find this documentation at
service.sap.com/securityguide

and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components. Any Java Source Code delivered with this product is only to be used by SAPs Support Services and may not be modified or altered in any way.

Typographic Conventions
Type Style Example Text Represents Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options. Cross-references to other documentation. Example text Emphasized words or phrases in body text, graphic titles, and table titles. Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE. Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools. Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation. Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system. Keys on the keyboard, for example, F2 or ENTER.

Icons
Icon Meaning Caution Example Note Recommendation Syntax

EXAMPLE TEXT

Example text

Example text

<Example text>

EXAMPLE TEXT

Contents
1 INTRODUCTION................................................................................................................ 1 1.1 1.2 1.3 2 Target Audience ........................................................................................................ 1 Why Is Security Necessary? ..................................................................................... 1 About this Document................................................................................................. 2 1.3.1 Overview of the Main Sections....................................................................... 2 Important SAP Notes ................................................................................................ 3 Additional Information ............................................................................................... 3 External security information..................................................................................... 3 Architecture ............................................................................................................... 4 Usage 5 Identity Center database logins and roles................................................................. 6 Admin login................................................................................................................ 6 Run-time login ........................................................................................................... 7 Monitoring login ......................................................................................................... 7 Workflow login ........................................................................................................... 7 4.5.1 Using SecurID ................................................................................................ 7 Binding database users to operating system ............................................................ 7 Virtual Directory Server Login ................................................................................... 8 Integration into Single Sign-On Environments .......................................................... 8 4.8.1 Use ................................................................................................................. 8 4.8.2 Configuring the Identity Center for use with SAP Logon Tickets ................... 8 HTTP security (SSL) ................................................................................................. 8 Database connectivity security.................................................................................. 8 Identity Center: Repository security .......................................................................... 9 Virtual Directory Server: LDAP security .................................................................... 9 Virtual Directory Server: Web Services security ....................................................... 9 Securing AS ABAP connections ............................................................................... 9 Firewall settings......................................................................................................... 9 AS ABAP connections............................................................................................. 10 AS Java connections............................................................................................... 10

BEFORE YOU START....................................................................................................... 3 2.1 2.2 2.3

TECHNICAL SYSTEM LANDSCAPE ............................................................................... 4 3.1 3.2

USER ADMINISTRATION AND AUTHENTICATION ....................................................... 6 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8

NETWORK AND COMMUNICATION SECURITY ............................................................ 8 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 5.9

5.10 External applications credentials............................................................................. 10

DATA STORAGE SECURITY ......................................................................................... 10 6.1 6.2 Use ...................................................................................................................... 10 Identity Center encryption ....................................................................................... 11 6.2.1 Runtime components and configuration UI keys.ini ..................................... 11 6.2.2 Workflow keys.ini.......................................................................................... 11 6.2.3 The encrypted data....................................................................................... 12 6.2.4 Maintaining the keys.ini file .......................................................................... 12 Password provisioning ............................................................................................ 13 Virtual Directory Server Keystores .......................................................................... 13 Configuration files.................................................................................................... 13 Configuration UI ...................................................................................................... 13 Dispatcher ............................................................................................................... 14 Event agent server .................................................................................................. 14 Workflow.................................................................................................................. 14

6.3 6.4 6.5 6.6 6.7 6.8 6.9

6.10 Monitoring................................................................................................................ 14 6.11 Virtual Directory Server configuration file................................................................ 14 7 IDENTITY CENTER WEB SERVER SECURITY AND PHP ........................................... 15 7.1 7.2 7.3 7.4 7.5 8 8.1 8.2 8.3 8.4 8.5 9 Extensions............................................................................................................... 15 Session security ...................................................................................................... 15 Additional PHP configuration .................................................................................. 16 Cross-site scripting.................................................................................................. 16 Restricting access to internal files........................................................................... 16 The Identity Center configuration UI ....................................................................... 17 Monitoring web interface ......................................................................................... 17 Possible configuration vulnerability ......................................................................... 17 Disaster recovery .................................................................................................... 17 Backup .................................................................................................................... 17

OTHER SECURITY-RELEVANT INFORMATION .......................................................... 17

APPENDIX ....................................................................................................................... 18 9.1.1 Security check list for the Identity Center ..................................................... 18 9.1.2 Security check list for the Virtual Directory Server ....................................... 18

Introduction Target Audience

December 2007

Introduction
This guide does not replace the daily operations handbook that we recommend customers to create for their specific productive operations.

1.1

Target Audience
Technology consultants System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereby the Security Guides provide information that is relevant for all life cycle phases.

1.2

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time. The SAP NetWeaver Identity Management will have a central role in managing accounts and access rights in other applications. Any unauthorized changes to data in the Identity Management solution may therefore also affect other applications. To assist you in securing the identity management solution, we provide this Security Guide.

SAP NetWeaver Identity Management - Identity Center

Introduction About this Document

December 2007

1.3

About this Document

The Security Guide provides an overview of the security-relevant information that applies to the SAP NetWeaver Identity Management, abbreviated Identity Management. This product consists of the components Identity Center and Virtual Directory Server.

1.3.1

Overview of the Main Sections

The Security Guide comprises the following main sections: Before You Start This section contains information about why security is necessary, how to use this document and references to other Security Guides that build the foundation for this Security Guide. Technical System Landscape This section provides an overview of the technical components and communication paths that are used by the Identity Management. User Administration and Authentication This section provides an overview of the following user administration and authentication aspects:
{ { {

User types that are required by the Identity Management. Standard users that are delivered with Identity Management. Overview of the user synchronization strategy, if several components or products are involved.

Integration into Single Sign-On Environments This section provides an overview of how integration into Single Sign-On environments is possible.

Network and Communication Security This section provides an overview of the communication paths used by the Identity Management and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

Data Storage Security This section provides an overview of any critical data that is used by the Identity Management and the security mechanisms that apply.

Configuration files This section describes how the configuration files are secured. Identity Center web server security and PHP This section describes how the web server for Monitoring/Workflow is secured. Other Security-Relevant Information This section contains information about:
{ {

Disaster recovery Backup

Appendix This section provides a security check list.

SAP NetWeaver Identity Management - Identity Center

Before You Start Important SAP Notes

December 2007

2
2.1

Before You Start


Important SAP Notes

The most important SAP Notes that apply to the security of the SAP NetWeaver Identity Management are shown in the table below. Important SAP Notes SAP Note Number 1069458 Title SAP NetWeaver Identity Management 7.0 Identity Center

2.2

Additional Information

For more information about specific topics, see the Quick Links as shown in the table below. Quick Links to Additional Information Content Security Security Guides SAP NetWeaver Security Guide: The sections about SAP logon tickets and Secure Network Communications contain relevant information Related SAP Notes Released platforms Network security service.sap.com/notes service.sap.com/platforms service.sap.com/network service.sap.com/securityguide Quick Link on the SAP Service Marketplace service.sap.com/security service.sap.com/securityguide

2.3

External security information


http://www.php.net/download-docs.php See the documentation for the database system. http://www.oracle.com/technology/deploy/security/databasesecurity/pdf/twp_security_db_database_10gr2.pdf http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

The following documents contain relevant security information for important external systems: PHP Manual, section IV Security Microsoft SQL Server Oracle Database 10g Release 2 Security Setting up Tomcat for SSL

SAP NetWeaver Identity Management - Identity Center

Technical System Landscape Architecture

December 2007

3
3.1

Technical System Landscape


Architecture
External repositories
LDAP ABAP Java etc Active Dir SAP HR WebServices SiteMinder etc

The figure below shows an overview of the technical system landscape for the SAP NetWeaver Identity Management.
External applications

App specific

LDAP/WebServices

Web AS (Java)
VDS HTTP/S

Apache/PHP
Monitoring Workflow

MMC
Admin UI

DSE DSE Dispatcher (VB) (VB)

DSE DSE DSE (VB) (VB) (VB)


<<Starts>>

LDAP

Web AS (Java) DSE DSE DSE (Java) (Java) (Java)


VDS

dB protocol Config Logs Config Logs

File system
Stored procedures

File system

Logs

Audit

IdS

IC database

The Identity Center database is used to hold all information about managed users and corresponding account information. All communication between the applications and the database uses the database libraries. In addition, external repositories are accessed from the Identity Center and Virtual Directory Server, to create user accounts and manage access rights. Which systems are accessed, depends on each specific implementation.

The separate components have different installation jobs, and although it is possible to install everything (including the database) on the same server, different servers will be used in a production environment. The Virtual Directory Server uses separate configuration files, which may be stored in the database. The default logging for the Virtual Directory Server is logging to the file system, but the logging is done using Log4j, meaning that the logging is configurable. To achieve high availability, as well as load balancing, the Identity Center solution should be installed on multiple servers. The database should be clustered. Workflow and Monitoring should be stored in separate web server clusters. At least two servers should be installed with the runtime components. Virtual Directory Server may also be installed on these same or separate servers. For more information about the technical system landscape, see the resources listed in the table below.

SAP NetWeaver Identity Management - Identity Center

Technical System Landscape Usage More Information about the Technical System Landscape Topic Install guides Guide/Tool

December 2007

SAP NetWeaver Identity Management Identity Center Installation Overview (incl. referenced installation guides for each component SAP NetWeaver Identity Management Virtual Directory Server Installation and initial configuration

Monitoring & cleanup Staging Disaster recovery

SAP NetWeaver Identity Management Identity Center Implementation Guide: Monitoring and cleanup SAP NetWeaver Identity Management Identity Center Implementation Guide: Staging environment SAP NetWeaver Identity Management Identity Center Implementation Guide: Disaster Recovery

3.2

Usage

The Identity Management is used to manage accounts and access rights in other applications. Information about all users and the corresponding accounts are held in the Identity Center database. The Data Synchronization Engine (Java and VB) and the Virtual Directory Server are used to manage the users in the target systems, and therefore need enough access rights to be able to create and delete accounts and give and revoke access rights. The system administrators will use the Monitoring interface to monitor the operations of the system. This interface gives access to logs and audits, but also to the identity store data, showing information about users and accounts. Although it is not possible to change data from the Monitoring interface, some data may be considered sensitive, and this should be considered when giving access to the management application. Only the admin user has access to the identity store.

SAP NetWeaver Identity Management - Identity Center

User Administration and Authentication Identity Center database logins and roles

December 2007

4
4.1

User Administration and Authentication


Identity Center database logins and roles

When a new Identity Center database is created, a number of database roles and logins are also created, as described in this section. If required, additional database logins can be created, and given access rights, by assigning roles. This has to be done using the corresponding database administrator tool. In the list of roles and users below, all start with mxmc_, this is the default prefix when installing the Identity Center database. If a database is installed with a different prefix, all roles and user are created accordingly. Role <None> Login mxmc_oper Description This user is the owner of the database, and has full access to all tables. It should only be used for database upgrades. This role has to be used when creating a solution. It has all the necessary access rights for creating tasks, jobs and other objects in the database. It is also used by the administrator in the monitoring interface. mxmc_user_role mxmc_user This role has mostly read access to the database, and can be used to inspect the configuration. This role is only used by the runtime components, and has a very limited access to the database. This role is only used by the Workflow interface, and has the necessary access rights for doing all the provisioning operations.

mxmc_admin_role

mxmc_admin

mxmc_rt_role

mxmc_rt

mxmc_prov_role

mxmc_prov

On Microsoft SQL server, users are created in addition to logins. The users are created in the database context, and has the same name as the login, followed by _u, for example mxmc_admin_u.

4.2

Admin login

The SAP NetWeaver Identity Management Identity Center Getting Started describes how to add an Identity Center to the configuration UI, using the connection wizard. For security reasons, the optional parameter Allow password saving should not be checked for the Admin user. In this case, the user will be prompted for the password, every time connecting to the database. If several people are using the configuration UI, separate logins should be created for each user. The mxmc_admin or mxmc_user role can be used, depending on the access required.

SAP NetWeaver Identity Management - Identity Center

User Administration and Authentication Run-time login

December 2007

4.3

Run-time login

The run-time (RT) connection string must (unless the RT login is bound to an operating system login) have the Allow password saving set, as this is running as a background process, and there is no user to provide the password. If using an operating system login, the service must be running at this user.

4.4 4.5

Monitoring login Workflow login

When stating the Monitoring interface, the mxmc_admin or mxmc_user login must be used.

The Workflow web application logs in using the mxmc_prov user. This is stored in an encrypted connection string in the Workflow configuration file. In the login screen in the Workflow, the user selects the identity store to log into, and provides user name and password. The attribute MSKEYVALUE holds the user name and the attribute MX_PASSWORD holds MD5 encrypted password. Users are created either by workflow tasks, or by data being synchronized from other applications, using the synchronization mechanisms of the Identity Center.

4.5.1

Using SecurID

The document RSA Secured Implementation Guide Administrative Interoperability found in the folder \RSA SecurID in the installation kit of the Identity Center describes how to configure provisioning with SecurID. Information about secure log-in to the web server is described in documentation found on http://www.rsa.com. The Workflow also supports a number of other authentication methods: CA SiteMinder CAMS Kerberos LDAP Server RSA ClearTrust RSA SecurID SAML Windows User defined

4.6

Binding database users to operating system

On Microsoft Windows it is possible to bind a Microsoft SQL Server database login to a Microsoft Windows login. This will avoid storing passwords in the connection string. For details on how to do this, and how to define the connection strings, see the documentation for the Microsoft SQL Server.

SAP NetWeaver Identity Management - Identity Center

Network and Communication Security Virtual Directory Server Login

December 2007

4.7

Virtual Directory Server Login

The Virtual Directory Server authenticates the users against a table of users in the Virtual Directory Server configuration file, which holds the login name (which may be a DN, but this is not a requirement) in addition to an MD5 encrypted password. The Virtual Directory Server architecture allows for plugging in external authentication.

4.8
4.8.1

Integration into Single Sign-On Environments


Use

The Identity Management supports the Single Sign-On (SSO) mechanisms provided by the SAP Web Application Server. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP Web Application Server Security Guide also apply to the Identity Management. The supported mechanisms are listed below. SAP logon tickets The Identity Management supports the use of logon tickets for SSO when using a Web browser as the frontend client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket. You can find more information under SAP Logon Tickets in the SAP Web Application Server Security Guide.

4.8.2

Configuring the Identity Center for use with SAP Logon Tickets

Configuration of the authentication method in the Identity Center, is done for each identity store. In the "Workflow" tab of the identity store, select SAP Logon Tickets". For further details, see the section Integrating Identity Center Workflow in the SAP NetWeaver Portal in the document SAP NetWeaver Identity Management Identity Center: Installing Identity Center Workflow.

5
5.1

Network and Communication Security


HTTP security (SSL)

Please see the architecture figure on page 4.

Security between the end user and the web application is done by securing the web server, and is outside the scope of Identity Center security.

5.2

Database connectivity security

All connections between the components and the database uses standard database protocols, and are defined using database connection strings. To secure these, please use the secure connection strings, as defined by the database.

SAP NetWeaver Identity Management - Identity Center

Network and Communication Security Identity Center: Repository security

December 2007

5.3

Identity Center: Repository security

Communication with the repositories uses either LDAP, database or application specific communication. The communication options are defined for each job connecting to the given repository. The LDAP protocol supports simple authentication, SSL, NTLM or Kerberos. For database connections, either JDBC or OLEDB connection strings are used, and security is handled by the corresponding database library. For application specific communication, security must be considered in each case.

5.4

Virtual Directory Server: LDAP security

The Virtual Directory Server supports SSL for incoming LDAP requests. This requires setting up a keystore, holding a private key. The sections Maintaining keystore references and Maintaining deployments in the help system for the Virtual Directory Server contains more details.

5.5

Virtual Directory Server: Web Services security

The Virtual Directory Server uses Apache Tomcat for handling incoming web services requests. To set up secure web services, please see the Apache Tomcat documentation. The Virtual Directory Server supports client side and server side authentication. If only server side is required, then you need only ONE keystore (holding a private key). If client side authentication is required, then you will typically have one more keystore where all trusted certificates will be stored. On server side, Virtual Directory Server will have a pair of keystores for each of the backends that requires SSL The following link describes how to set up Tomcat with SSL: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

5.6

Securing AS ABAP connections

Connections to AS ABAP systems use the Java Connector (JCo), which uses Remote Function Calls (RFC). These connections can be secured using Secure Network Communications (SNC). For more information, see the SNC documentation on the Help Portal at http://help.sap.com/saphelp_nw70/helpdata/en/e6/56f466e99a11d1a5b00000e835363f/frame set.htm and the document Provisioning Framework for SAP Systems: Connectivity available on the SAP Developer Network at https://www.sdn.sap.com/irj/sdn/security.

5.7

Firewall settings

Firewall must be open to allow database communication between the components and the database. Firewall must be open to allow the runtime components and Virtual Directory Server to communication with external applications. Ports depend on communication protocol. There are no specific requirements regarding firewall in the solution, but it is important to protect the systems from unauthorized access.

SAP NetWeaver Identity Management - Identity Center

Data Storage Security AS ABAP connections

December 2007

5.8

AS ABAP connections

Connection to AS ABAP applications uses the RCF/JCo, and can be secured using Secure Network Communication (SNC)

5.9

AS Java connections

Connections to AS Java applications, the HTTP protocol is used, and can be secured using SSL.

5.10 External applications credentials


Make sure to set up procedures for handling password changes of the accounts in the external applications being used by the Identity Center and the Virtual Directory Server, as this will also require changes in the configuration. For the Identity Center, the passwords should always be stored in a repository definition. For the Virtual Directory Server, the passwords are stored in the single source definitions.

6
6.1

Data Storage Security


Use
Connection strings, used to connect to the Identity Center database or other repositories. These are always encrypted. Passwords, which are stored in configurations. These are always encrypted. Job constants and global constants can be encrypted if desired. Any attribute value within the identity store can be encrypted if desired, using 3DES or MD5. MD5 is used for the MX_PASSWORD attribute. All other attributes are in clear, unless modified in the installation. When an attribute is encrypted, so are all historic values for the given attribute. However, changing the encryption setting on an existing attribute does not change any values in the identity store.

The Identity Center provides encryption to protect various information in the system. The following information can be encrypted:

SAP NetWeaver Identity Management - Identity Center

10

Data Storage Security Identity Center encryption

December 2007

6.2

Identity Center encryption


Standard. This is a built-in proprietary with a hardcoded password. This does not provide very high security, and is scrambling of data, more than encryption. 3DES. This uses the 3DES algorithm for encryption information.

It is recommended that 3DES encryption is used. The encryption algorithm to be used is defined in the Tools/Options dialog in the configuration UI, and has two options:

Since the encrypted values must be accessible by runtime components without human intervention, the encryption keys are stored in a file in the file system, called keys.ini. This file must be accessible by the Workflow and all runtime engines in the system. Also make sure that you do not use the default keys.ini which is installed by the Workflow, but that the keys are updated.

The keys.ini file must be protected using file system protection, to ensure unauthorized access. The file must be accessible by the service user running the dispatcher and the user running the Workflow at the web server.

6.2.1

Runtime components and configuration UI keys.ini

For the runtime components and configuration UI, the keys.ini file is stored in the following directory: <installation directory>\KEY\keys.ini In a default installation, this will be: C:\Program Files\SAP\IdM\Identity Center \KEY\keys.ini

This file is not installed by the installation job.

6.2.2

Workflow keys.ini

For the Workflow, the reference to the keys.ini file is found in the configuration file, which is stored in: <installation directory>\config\config.xml

The Workflow installation installs a default keys.ini file, and the reference to this file is added to the config.xml file. The default keys.ini file should be changed in a production environment.

SAP NetWeaver Identity Management - Identity Center

11

Data Storage Security Identity Center encryption

December 2007

6.2.3

The encrypted data

The keys.ini file can hold any number of 3DES keys. Only one of the keys is used for encryption. The other keys are old keys, which are kept in the keys.ini file, to be able to decrypt older data. When data is encrypted using 3DES, the result is prefixed by {DES3} followed by the key number used when encryption. Then the encrypted data is stored as base64. Below is a sample of encrypted data: {DES3}7:7d081564e69f342d81174fc8c6f19ce9 This data is encrypted using key number 7. Data encrypted with the internal (proprietary algorithm) is prefixed with {crypt}.

6.2.4

Maintaining the keys.ini file

It is important that all components encrypting and decrypting data use the same set of encryption keys. This section describes how to maintain the keys.ini file in a multi-server environment.

6.2.4.1

Setting up the initial key

Start by creating a new keys.ini file using a text editor. The format of the file is shown below. The file which is installed with the Workflow can be used as a template for this, but make sure to change the actual keys. The simplest way of generating a new key, is to enter the key using a text editor.

This must be exactly 48 Hex characters. Below is a sample of the contents of the file: [KEYS] KEY001=78664478B8AA7899FF1009887837FFEDCCBAA77897DDA009 [CURRENT] KEY=KEY001 Then copy this file to all servers running Workflow, runtime components or configuration UI. Any encryption is now done using key number 1, and the encrypted data is prefixed with {DES3}:1.

6.2.4.2

Adding a new key

After some time (dictated by the security policy of your organization), a new key should be added. [KEYS] KEY001=78664478B8AA7899FF1009887837FFEDCCBAA77897DDA009 KEY002=7749487289BBCBD9A9E9F888D9E8F900A98F7D543A4566B6 [CURRENT] KEY=KEY001 Leave the current key set to 1, and then distribute the file to all relevant locations, as described above. Now all applications are able to decrypt data, which in the future will be encrypted with key number 2.

SAP NetWeaver Identity Management - Identity Center

12

Data Storage Security Password provisioning

December 2007

After the file is distributed, update the current key to key number 2, and distribute the file again. [KEYS] KEY001=78664478B8AA7899FF1009887837FFEDCCBAA77897DDA009 KEY002=7749487289BBCBD9A9E9F888D9E8F900A98F7D543A4566B6 [CURRENT] KEY=KEY002 Any new encryptions are now performed using key number 2, while old data which are still encrypted using key number 1 can be decrypted.

6.3

Password provisioning

The MX_PASSWORD attribute is encrypted using the one-way MD5 algorithm. However, if the Identity Center is to do password provisioning, i.e. updating passwords in target systems, a two way encrypted password must also be saved. This is done using the attribute MX_ENCRYPTED_PASSWORD, where the password is saved using two-way encryption. A job updating a target system will be able to decrypt the password, and update the target system. The following recommendations apply: Ensure that history is not kept for MX_ENCRYPTED_PASSWORD. Ensure that the MX_ENCRYPTED_PASSWORD attribute is deleted when the password has been updated in all target systems.

6.4

Virtual Directory Server Keystores

The Virtual Directory Server uses keystores for holding private and public keys, which are used for various purposes. To set up an SSL connection over LDAP, the Virtual Directory Server needs a private key, which is stored in a keystore. Information about the keystore, including the password to access the private key, is stored in the Virtual Directory Server configuration file. The Virtual Directory Server configuration file must be encrypted to protect from unauthorized access to the keystore passwords.

6.5

Configuration files

The configuration files used by the Identity Center will in most cases contain a connection string, which is used when the application connects to the Identity Center database.

6.6

Configuration UI

The configuration data for the configuration UI, is stored in the file <install dir>\EMSConfig.xml. It contains an encrypted connection string. By default, the allow password saving is not set by the connection wizard, and if so the connection string will not contain a password, and should not pose a security risk. If you choose allow password saving, the encrypted connection string will contain the password. It is also possible to create a database user, which is bound to a Microsoft Windows account, and use this for login. In this case, the connection string will not contain any sensitive information. Consult the database documentation for information about how this is done.

SAP NetWeaver Identity Management - Identity Center

13

Data Storage Security Dispatcher

December 2007

6.7

Dispatcher

When creating a new dispatcher, the dispatcher .prop file contains the connection string to the database. The key MC_JDBCURL holds the encrypted connection string.

6.8

Event agent server

When creating a new event agent server, the .prop file contains the connection string to the database. The key MC_JDBCURL holds the encrypted connection string.

6.9

Workflow

The Workflow config file (<inst dir>\configs\config.xml) contains the password for connecting to the database.

After installation of the Workflow, the password is not encrypted. See the document SAP NetWeaver Identity Management Identity Center: Installing Identity Center Workflow.

6.10 Monitoring
The Monitoring config file does not contain any connection string or password.

6.11 Virtual Directory Server configuration file


The Virtual Directory Server uses an XML based configuration file for storing the configuration. All passwords used to connect to other applications are scrambled, using the standard encryption algorithm, as 3DES is not implemented in the Virtual Directory Server. It is therefore essential to protect the Virtual Directory Server configuration files. The passwords used for authentication by the Virtual Directory Server (i.e. to authenticate incoming requests) are hashed using MD5. Any global constants can be encrypted. The Virtual Directory Server stores the configuration in an .xml file. One Virtual Directory Server installation may run multiple configurations, each stored in a different file. As the configuration files contain information to connect to external applications, it is essential that the file system security is used to protect these configuration files from unauthorized access. It is possible to store the Virtual Directory Server configuration in a database table. In this case, the connection string for connecting to the database is stored in tile file <installation directory>\.vsssettings. This connection string is scrambled, so it is essential to protect this file using file system security.

SAP NetWeaver Identity Management - Identity Center

14

Identity Center web server security and PHP Extensions

December 2007

7
7.1

Identity Center web server security and PHP


Extensions

The Monitoring and Workflow applications use PHP. The default PHP installation adds a lot of extensions which are not needed, and should be removed. The following extensions are needed as a minimum: Mssql or OCI8 XSL LDAP MCRYPT

The following configuration options should be turned off in the php.ini file, as they are not used, and may be a security risk: display_errors display_startup_errors expose_php

7.2
Option

Session security
Description If turned on, cookies will only be sent over secure networks (SSL) Use these setting to increase the security of the session ID. This setting can be used to validate that the source of the incoming session.

Consider using the following options to improve session security: session.cookie_secure session.entropy_file session.entropy_length session.referer_check

For details see PHP Manual, section IV Security, http://www.php.net/download-docs.php.

SAP NetWeaver Identity Management - Identity Center

15

Identity Center web server security and PHP Additional PHP configuration

December 2007

7.3
Option

Additional PHP configuration


Description Limits the files that can be opened by PHP to the specified directory tree. Enables the URL-aware fopen wrappers that enable accessing URL object like files. If turned on, all EGPCS (Environment, GET, POST, Cookie, Server) variables are registered in the global scope. Controls where script errors are written. The default is to display them on the screen. Should be set to a file that is writeable for the Internet Guest Account.

This section contains PHP settings that should be turned off. open_basedir allow_url_fopen register_globals

error_log

For details see PHP Manual, http://www.php.net/download-docs.php.

7.4

Cross-site scripting

To avoid cross-site scripting, there are limitations on the use of HTML tags in the Workflow web interface. In general, HTML in fields and attributes will be quoted, with the following exceptions. There is a configurable list of tags that are allowed (e.g. <b>, </b>, <i>, </i>). HTML tags in header and footer fields are allowed. Specifically:
{ { {

Identity Center header fields 1 through 3. Identity Store Welcome page header and trailer Task header and trailer

Care should be taken if using HTML code in these fields, especially if the fields contain attribute references. Note that Identity Center header field 4, which default contains the text Logged in as %DISPLAYNAME% is protected for this reason.

7.5

Restricting access to internal files

Access to internal files in the web server may information leaks. Thus, it is recommended to restrict access to the folders with the internal files. If using Microsoft Internet Information Services, this refers to the common folder. To restrict access to the files located in this folder: 1. Open the Internet Information Services Manager and view the properties of Web sites/Default Web Site/Workflow/common. 2. Select the "Directory Security" tab and choose "Edit" in the Anonymous access and authentication control" group box to open the "Authentication Methods" dialog box. 3. Make sure that "Anonymous access" is disabled.

SAP NetWeaver Identity Management - Identity Center

16

Other Security-Relevant Information The Identity Center configuration UI

December 2007

8
8.1

Other Security-Relevant Information


The Identity Center configuration UI

The Identity Center configuration UI (Microsoft Management Console snap-in) is intended for implementation of a solution. It should not be made available in a production environment, unless there are very good reasons to use it. Logs and other information can be accessed using the Monitoring interface.

8.2

Monitoring web interface

The Monitoring web interface is not intended for external use. It must be installed in an internal network and be available only for system administrators.

8.3

Possible configuration vulnerability

When configuring an attribute for a task, it is possible to define a default value. This default value can contain a call to a PHP function, $FUNCTION.<php_function>$$. Provided access to custom_functions.php, this could pose a vulnerability.

8.4

Disaster recovery

For setting up a DR solution, please see the document SAP NetWeaver Identity Management Identity Center Implementation Guide: Disaster recovery.

8.5

Backup

All configuration information and data is stored in the Identity Center database. This database should be backed up according to the organization's backup policy.

SAP NetWeaver Identity Management - Identity Center

17

Appendix Backup

December 2007

Appendix
Security check list for the Identity Center
Encryption algorithm set to 3DES (Verify in the configuration UI) Keys.ini file updated, and distributed to all relevant systems. Keys.ini file protected by file system. Database security enabled where relevant. External application security enabled where relevant. Web server security Disable unnecessary PHP extensions Enable PHP session security as defined in the organization's security policy Disable the PHP settings open_basedir, allow_url_fopen and
register_globals

9.1.1

If password provisioning is being used: No history for MX_ENCRYPTED_PASSWORD MX_ENCRYPTED_PASSWORD deleted after provisioning is done

9.1.2

Security check list for the Virtual Directory Server

Protect the Virtual Directory Server configuration file(s) from unauthorized access If applicable: Set up secure communication from clients to the Virtual Directory Server If applicable: Set up secure communication to repositories

SAP NetWeaver Identity Management - Identity Center

18