
Security Guide

SAP NetWeaver Process Integration, business-to-business add-on 1.0


Target Audience

• System Administrators
• Security Consultants
• Technology Consultants
Security Guide SAP NW PI, B2B add-on 1.0

Icons in Body Text

The following icons mark paragraphs in this document: Caution, Example, Note.

Typographic Conventions

Type Style: Description

Example text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also cross-references to other documentation.
Example text: Emphasized words or phrases in body text, graphic titles, and table titles.
Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.


Contents

Icons in Body Text
Typographic Conventions
Contents
Introduction
    Target Audience
    Why Is Security Necessary?
    About this Document
Before You Start
    Fundamental Security Guides
    Configuration
    Additional Information
Technical System Landscape
Communication
    Message-Level Security
    Network and Transport Security
    Adapter Specific Security Configurations
User Administration and Authentication
    Enabling AS2 to Support Anonymous Login
User Management
    User Types


Introduction
The Security Guide provides an overview of the security-relevant information that applies to the
SAP NetWeaver Process Integration business-to-business add-on 1.0.

This guide does not replace the administration or operation guides that are available for
productive operations.

Target Audience

• Technology consultants
• Security consultants
• System administrators

Why Is Security Necessary?


With the increasing use of distributed systems and the Internet for managing business data, the
demands on security are also on the rise. In business-to-business (B2B) implementation scenarios,
you need to be sure that your data and the processes supporting your business are secured against
unauthorized access. User errors, negligence, or attempted manipulation of your system should not
result in loss of information or processing time. In B2B scenarios in particular, non-repudiation
plays an important role, and the systems must be configured to support it. These demands on
security apply likewise to the SAP NetWeaver Process Integration, business-to-business add-on.
To assist you in securing your product, we provide this Security Guide.

About this Document


This document is not included as part of the Installation Guides, Configuration Guides, Technical
Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the
software life cycle, whereas the Security Guides provide information that is relevant for all life cycle
phases.

4
Security Guide SAP NW PI, B2B add-on 1.0

Before You Start


Fundamental Security Guides
The SAP NetWeaver Process Integration business-to-business add-on is built on the SAP
NetWeaver Process Integration and SAP NetWeaver Web Application Server products. Therefore,
the corresponding Security Guides also apply to the SAP NetWeaver Process Integration
business-to-business add-on 1.0.

For a list of security-relevant SAP Hot News and SAP Notes, see also SAP Service Marketplace at
http://service.sap.com/securitynotes.

Configuration
You can find a summary of the configuration steps for implementing security for the different
adapters of the SAP NetWeaver Process Integration business-to-business add-on in the
configuration guides of the individual components.

Additional Information
For more information about specific topics, see the Quick Links in the table below.

Content: Quick Link on SAP Service Marketplace or SDN
Security: http://sdn.sap.com/irj/sdn/security
Security Guides: http://service.sap.com/securityguide
Related SAP Notes: http://service.sap.com/notes and http://service.sap.com/securitynotes
Released platforms: http://service.sap.com/pam
Network security: http://service.sap.com/securityguide
SAP Solution Manager: http://service.sap.com/solutionmanager
SAP NetWeaver: http://sdn.sap.com/irj/sdn/netweaver


Technical System Landscape


The principal architecture of the SAP NetWeaver Process Integration, business-to-business add-on
integration landscape is described in the SAP NetWeaver Master Guide and in the SAP
NetWeaver Technical Infrastructure Guide on SAP Service Marketplace.

The technical system landscape of the product is described in the SAP NetWeaver Process
Integration Security Guide. The adapters for the B2B communication protocols and the
modules are the technical components of the business-to-business add-on.
These components follow the standard principles for adapters and modules defined by the
Process Integration architecture.

For more information about the technical system landscape, see the resources listed in the
table below.

Topic: Guide/Tool | Quick Link on SAP Service Marketplace or SDN
SAP NetWeaver Master Guide: Master Guide | http://service.sap.com/instguides
SAP NetWeaver Process Integration Security Guide: Security Guide | http://help.sap.com/saphelp_nwpi711/helpdata/en/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm


Communication
The primary purpose of a PI landscape is to enable business partners and applications to
exchange XML messages (business documents). The exchange of documents is realized by
enabling business communication between business systems, Integration Servers and Adapter
Engines. In addition to message communication, technical communication occurs between
the various components of the PI system architecture. These two communication categories are
described in the PI Security Guide.

The B2B add-on adds further communication scenarios to the business communication
category. The adapters enable PI to communicate with external business partners using
protocols such as X.400, AS2 and OFTP.

Business communication can be secured on the transport level and on the message level.

• The section Message-Level Security describes how these communications can be
secured by digitally signing or encrypting the documents exchanged between business
partners, so that the protection stays with the document wherever it is stored or forwarded.

• The section Network and Transport Security describes how these communications can
be secured on the transport level by encrypting the connection and authenticating its
endpoints with certificates.

Message-Level Security
Message-level security allows you to digitally sign or encrypt the documents exchanged between
business partners. It complements transport-level security with features that are particularly
important for inter-enterprise communication. Message-level security is recommended and
sometimes a prerequisite for inter-enterprise communication.

• A digital signature authenticates the business partner signing the message and
ensures the integrity of the business document carried by the message.

Signatures are used in two scenarios:

o Non-repudiation of origin

The sender signs a message so that the receiver can prove that the
sender actually sent the message.

o Non-repudiation of receipt

The receiver signs a receipt message back to the sender so that the
original sender can prove that the receiver actually received the
original message.

• Message-level encryption is required if the message content needs to be confidential
not only on the communication lines but also in intermediate message stores, where
transport-level encryption no longer applies.

Message-level security relies on X.509 certificates and the corresponding private keys maintained
in the AS Java keystore, where each entry is identified by its alias name and the keystore view
in which it is stored. Certificates are used in the following situations:

• When signing a message, the sender signs it with its private key and attaches its
certificate containing the public key to the message.

The receiver then verifies the digital signature of the message with the sender's
certificate attached to the message. There are two alternative trust models for verifying the
authenticity of the sender's public certificate:


o In the direct trust model, the signer's public key certificate is compared with
the locally maintained, expected public key certificate of the partner.
The direct trust model therefore requires an offline exchange of public key
certificates, which can be self-signed or issued by a CA, and the exchange
must be repeated whenever the partner renews its certificate.

o In the hierarchical trust model, the signer's public key certificate is validated
against a locally maintained public certificate of the CA that issued the signer's
certificate. In addition, the subject name and the issuer of the signer's
certificate are compared with the expected partner's identity configured on the
receiver side (in the sender agreement that governs inbound processing).
Without this comparison, any certificate issued by the same CA would be
accepted as the partner's.

In general, the hierarchical trust model allows chains of certificates to be attached
to the message. In the hierarchical trust model, the sender and the receiver
only need to agree upon the CA and the subject name that the sender uses
in its certificate.

• When encrypting a message, the sender encrypts with the public key of the receiver
(also verifying the correctness of the receiver's certificate by using the public key of
the certificate's root CA).

The receiver decrypts with its private key.
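The two trust models above, as an added example that is not part of the SAP guide and does not use SAP's keystore or verification code: a Go program that issues constructed certificates and then checks a presented signer certificate under both models. The CA, partner and organization names, the certificate validity periods and the "expected identity" passed to the hierarchical check (standing in for what the agreement on the receiver side holds) are made-up test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

var nextSerial int64 = 1000

// makeCert issues a certificate for subject; with parent == nil it is
// self-signed (a root CA), otherwise parent/parentKey sign it.
func makeCert(subject pkix.Name, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	nextSerial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(nextSerial), Subject: subject,
		NotBefore: notBefore, NotAfter: notAfter, BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage: x509.KeyUsageDigitalSignature}
	signer, signerKey := tmpl, key
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Constructed test material: made-up CA and partner names, not real ones.
var (
	Now       = time.Now()
	CAID      = pkix.Name{CommonName: "Agreed B2B CA", Organization: []string{"Trusted CA Ltd"}}
	PartnerID = pkix.Name{CommonName: "partner-as2.example", Organization: []string{"Trading Partner GmbH"}}
	OtherID   = pkix.Name{CommonName: "other-as2.example", Organization: []string{"Unrelated Co"}}
	RogueID   = pkix.Name{CommonName: "Some Other CA", Organization: []string{"Anyone Inc"}}
	year      = 365 * 24 * time.Hour
	ca, caKey = makeCert(CAID, true, Now.Add(-24*time.Hour), Now.Add(10*year), nil, nil)
	rogue, rogueKey = makeCert(RogueID, true, Now.Add(-24*time.Hour), Now.Add(10*year), nil, nil)
	Partner, _  = makeCert(PartnerID, false, Now.Add(-time.Hour), Now.Add(year), ca, caKey)
	Renewed, _  = makeCert(PartnerID, false, Now.Add(-time.Hour), Now.Add(year), ca, caKey)            // same identity, new key
	Expired, _  = makeCert(PartnerID, false, Now.Add(-48*time.Hour), Now.Add(-24*time.Hour), ca, caKey) // agreed CA, lapsed
	Stranger, _ = makeCert(OtherID, false, Now.Add(-time.Hour), Now.Add(year), ca, caKey)              // agreed CA, wrong identity
	Impostor, _ = makeCert(PartnerID, false, Now.Add(-time.Hour), Now.Add(year), rogue, rogueKey)      // right name, wrong CA
	Roots       = func() *x509.CertPool { p := x509.NewCertPool(); p.AddCert(ca); return p }()
)

// DirectTrust: the presented signer certificate must be byte-for-byte the locally
// stored one (compared by SHA-256 fingerprint). No CA is consulted, so a renewed
// partner certificate fails until the new one is exchanged offline and imported.
func DirectTrust(presented, pinned *x509.Certificate) bool {
	return sha256.Sum256(presented.Raw) == sha256.Sum256(pinned.Raw)
}

func sameName(a, b pkix.Name) bool {
	return a.CommonName == b.CommonName && fmt.Sprint(a.Organization) == fmt.Sprint(b.Organization)
}

// HierarchicalTrust: the presented certificate must chain to a trusted CA (signature,
// validity period, CA constraints) and its subject and issuer must match the partner
// identity held in the agreement; that second check is what stops another customer
// of the same CA from posing as the partner.
func HierarchicalTrust(presented *x509.Certificate, roots *x509.CertPool,
	expectedSubject, expectedIssuer pkix.Name, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := presented.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if !sameName(presented.Subject, expectedSubject) {
		return fmt.Errorf("subject %q is not the configured partner", presented.Subject.CommonName)
	}
	if !sameName(presented.Issuer, expectedIssuer) {
		return fmt.Errorf("issuer %q is not the agreed CA", presented.Issuer.CommonName)
	}
	return nil
}

func main() {
	fmt.Println("direct trust, pinned certificate: ", DirectTrust(Partner, Partner))
	fmt.Println("direct trust, renewed certificate:", DirectTrust(Renewed, Partner))
	for _, c := range []*x509.Certificate{Partner, Renewed, Expired, Stranger, Impostor} {
		fmt.Printf("hierarchical trust, serial %v (%s / %s): %v\n", c.SerialNumber,
			c.Subject.CommonName, c.Issuer.CommonName, HierarchicalTrust(c, Roots, PartnerID, CAID, Now))
	}
}
```

Running it shows the operational difference between the models: the renewed certificate passes hierarchical trust but fails direct trust, so with direct trust every partner renewal needs a fresh offline exchange; the certificate issued by a different CA under the partner's name fails chain validation; the certificate from the agreed CA with a different subject fails only because of the identity comparison; and the expired one shows why CA-issued partner and provider certificates have to be tracked for renewal.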

More information

• For more information on how to configure message-level security settings in the
Integration Directory, see:

o Defining Sender Agreements (for inbound message processing using the
Integration Server)

o Defining Receiver Agreements (for outbound message processing using the
Integration Server)

o Defining the Integrated Configuration (for local message processing using the
Advanced Adapter Engine or the Advanced Adapter Engine Extended)

• For an overview of the message-level security concepts supported by the
different adapters for inbound and outbound processing, see: Message
Security (Overview)

• Certificate Store

The table below summarizes the message-level security features of these protocols and adapters.

Message-Level Security Features

Feature: OFTP | AS2 | X.400
Messaging component: Advanced Adapter Engine | Advanced Adapter Engine | Advanced Adapter Engine
Signature: Not applicable | Not applicable | Not applicable
Non-repudiation of origin: Not applicable | Not applicable | Not applicable
Non-repudiation of receipt: Not applicable | Not applicable | Not applicable
Encryption: Not applicable | Not applicable | Not applicable
Certificate trust model: Hierarchical trust model | Direct trust model | Not applicable
Technology: Cryptographic Message Syntax | S/MIME | Not applicable

Network and Transport Security


Depending on the protocol used, data (including passwords) may be transmitted through
the network (intranet or Internet) in plain text. To maintain the confidentiality of this data, you
should apply transport-layer encryption for message exchange.

For an overview of the supported security mechanisms on the transport level, refer to the table below.

Transport Level Security Mechanisms for Messaging:

Adapter: Transport protocol | Transport security mechanism | Authentication
OFTP: TCP/IP, ISDN | SSL (TCP/IP only) | User/password, server and client certificate
AS2: HTTP and HTTPS | HTTPS (SSL) | User/password, server and client certificate
X400: TCP/IP | SSL | User/password, server certificate

Transport-layer security is configured in the communication channel for the corresponding
adapter type in the Integration Directory.

Communication Ports
If you want to configure a process integration (PI) landscape, you must know the network
addresses, the ports, and further information such as Internet addresses. With this information
you are able to define rules for the security components of the network (such as firewalls and
proxies).

According to the technical system landscape, there are several kinds of components within a PI
landscape. These components can be partitioned into different network zones in many ways.

Simple Landscape

A simple landscape, for instance, may consist of all central components located within the
same network zone and of some sender or receiver components located externally. This
implies that all internal technical communication, such as exchange profile access or cache
refresh, takes place internally.

For messaging components, you have to distinguish between push and pull modes. In push
mode, the message is sent to the Integration Server, triggered by an external sender. In pull
mode, the message is written to a data store by the sender and actively fetched by the
messaging component. This mode is implemented in technical adapters such as the Mail, JMS, or
JDBC adapter.

For push mode protocols and adapters, the following ports and addresses are used for
incoming messages.


Ports and addresses for incoming messages:

Protocol/Adapter: Base Protocol | Server Port | Further Data
OFTP: TCP/IP | Port as configured in the sender channel of the OFTP Adapter. Default port is 3305 for TCP/IP, 6619 for SSL. | (none)
AS2: HTTP(S) | Central or non-central AE; HTTP and HTTPS port of the corresponding AE. | URL path: /AS2/auth/*

An adapter running in the Advanced Adapter Engine in technical pull mode is associated
with a data store, to which messages are written or from which messages are read.
Consequently, both read and write requests are incoming requests for this message store, and
its ports and protocols are therefore relevant for network configuration.

Adapter: Data Store | Read / Write Access protocol
X.400: X.400 Server | Read/write access to the X.400 message transfer agent (MTA) is configured via the P7 protocol. A predefined TCP/IP port is published by the MTA for network access.

Landscape with Non-Central Advanced Adapter Engine

If a non-central Advanced Adapter Engine (ncAAE) is placed in a different network zone,
refer to the PI Security Guide for the list of ports to be opened between the ncAAE and
the other PI components, in addition to the messaging connections of the ncAAE.

Landscape with ISDN Router

The OFTP adapter supports the ISDN protocol for network connectivity. ISDN connectivity is
provided by an ISDN router. The router is typically deployed in the DMZ network zone. The
OFTP adapter communicates with the ISDN router using the TCP/IP network protocol. The RCAPI
application programming interface (API) must be implemented by the ISDN router.

Mechanisms and ports:

Mechanism: AEX to ISDN Router | ISDN Router to AEX
RCAPI API access from OFTP Adapter: TCP/IP address of the router and the RCAPI port | Not applicable

Landscape with SOCKS Proxy

The X400 adapter supports a SOCKS proxy as a network intermediary for security
implementations using network zones. The proxy is typically deployed in the DMZ network
zone. The adapter communicates with the SOCKS proxy using the TCP/IP network protocol. The
AS2 adapter supports an HTTP proxy.

Mechanisms and ports:

Mechanism: AEX to Proxy | Proxy to AEX
SOCKS proxy: TCP/IP address of the proxy and the proxy port | Not applicable
Reverse proxy: Not applicable | Central or non-central AE; HTTP and HTTPS port of the corresponding AE.

Adapter Specific Security Configurations


This section describes security-relevant aspects of the adapters. Each adapter has adapter-specific
settings for both the inbound (sender) side and the outbound (receiver) side. You make these
settings in a sender agreement for the inbound side and a receiver agreement for the outbound
side, together with the adapter-specific channels referenced in the agreements.

OFTP
Security for the OFTP adapter can be configured at three levels.

• Point-to-point transport level

Transport security is only available when the TCP/IP protocol is chosen for
communication between peers. The TLS protocol is used to secure the connection.

• Session level

Session-level security provides secure authentication of the session peers. It is
especially useful when the ISDN transport protocol is used for network
communication, where no transport-level security is available.

• File level

The file security mechanism provides file signing, compression and encryption.

Use of point-to-point security is recommended when TCP/IP transport is used.

Use of session-level security is always recommended, irrespective of the choice of
transport. Additional information on the security capabilities of the OFTP protocol can be
found in the document titled OFTP2 Implementation Guidelines (Doc Ref. No: OP06)
on the ODETTE website http://www.odette.org

AS2

For secure communication, your own key pair (private and public key) as well as each partner's
public key are required. Certificates and private keys used by the adapter must be securely stored
in the keystore of the Java web application server.

In outbound communication, if HTTPS is used to secure the network communication,
the certificate of the partner's AS2 endpoint must be stored in the trusted CAs view
of the keystore.


X400

For secure communication, network-level security must be chosen for the communication
between the adapter and the server. The SSL protocol is used to realize the network security.
The certificate of the X400 MTA server is available from the service provider when the SSL
protocol is chosen.

The certificate used must be securely stored in the keystore of the Java web application
server. The trusted CAs view of the keystore is used to store the certificate.

Certificates published by the X.400 service provider for SSL channel access expire at
regular intervals. It is advised to track the certificate updates published by the service
provider and to update the trusted CAs view of the keystore with the new certificates before
the old ones expire; otherwise the SSL connection to the MTA fails once the provider has
switched to the new certificate.


User Administration and Authentication


The SAP NetWeaver Process Integration business-to-business add-on uses the user
management and authentication mechanisms provided with the SAP NetWeaver platform, in
particular the SAP NetWeaver Application Server Java. Therefore, the security
recommendations and guidelines for user administration and authentication as described in the
SAP NetWeaver Application Server Java Security Guide and SAP NetWeaver Process
Integration Security Guide also apply to the product.

Enabling AS2 to Support Anonymous Login


You use this procedure to enable anonymous access to the inbound AS2 URL.

To allow anonymous login, apply the latest patch of the AS2 adapter from the SAP Service
Marketplace.

Enabling anonymous access is not recommended unless additional security mechanisms
such as firewalls, application-level gateways, content filters and/or network-level IP filters
have been installed to prevent network attacks on the system. With anonymous access
enabled, the inbound AS2 URL accepts requests from any caller that can reach it, so the
trading partner's identity can then only be established from the AS2 message itself and from
such network-level restrictions.

Procedure
1. Enter the URL http://<host>:<port>/nwa/auth in the Web browser.
2. Choose the Configuration tab page.
3. On the Security tab page, choose Authentication and Single Sign-On.
4. In the Component menu bar, choose Login Modules.
5. To create a new login module, choose the Create pushbutton.
6. In the New Login Module dialog box, enter the parameters as in the table below:

Parameter: Details
Display Name: ZAS2LoginModule
Class Name: com.sap.aii.adapter.as2.servlet.auth.AS2LoginModule

7. To add the new login module, choose the Create pushbutton.
8. To add options to the newly created login module, do as follows:
a. Select the ZAS2LoginModule login module.
b. On the Login Module Options tab page, choose the Edit pushbutton and then choose
the Add pushbutton.
c. Add two options to the login module as in the table below:

Name: Value
AS2.Anonymous.User: AS2_ANONYMOUS
AS2.Enable: true (keep this set to true to allow third-party anonymous login; otherwise change it to false)

d. To save the changes, choose the Save pushbutton.


9. On the Authentication and Single Sign-On tab page, choose the filter icon.
10. In the Policy Configuration Name column enter *AS2* and in the Type column enter Web, and
then press ENTER.
11. Select the policy configuration name displayed in the table that ends with "AS2" and
choose the Edit pushbutton.
12. In the Login Modules table, choose the Add pushbutton.
13. In the Login Module Name column, select ZAS2LoginModule.
14. In the Flag column, select Sufficient.
15. To move ZAS2LoginModule up the stack, choose the Move Up pushbutton. The position
matters: a Sufficient module ends the login stack as soon as it succeeds, whereas a failing
Requisite module placed above it would stop the stack before it is reached.
16. To save the changes made to the policy configuration, choose the Save pushbutton.
17. On the SAP NetWeaver Administrator Web page, choose Identity Management.
18. In the Identity Management application, create a new user called AS2_ANONYMOUS.
19. Create a new role ZAS2_SERVICE_USER and assign the action AS2Deliverage to the role.
20. Assign this new role to the user AS2_ANONYMOUS. The system is now ready to accept
anonymous login.

If you have already created such a role before to enable other authenticated users to access
the inbound AS2 URL, you can also use this existing role.
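The stack semantics behind steps 12 to 15 (flag Sufficient, Move Up) and the AS2.Enable option, as an added example that is not part of the SAP guide: a Go simulation of a JAAS login module stack, the evaluation model that AS Java policy configurations follow. The password module and its user table are constructed stand-ins for the modules that guard the URL by default, and the behaviour given to ZAS2LoginModule (anonymous logon only for requests without credentials, and only while AS2.Enable is true) is an assumption made for the illustration, not a description of SAP's implementation.

```go
package main

import "fmt"

// Flag is the JAAS control flag chosen in the Flag column of a policy
// configuration's login module stack.
type Flag int

const (
	Required Flag = iota
	Requisite
	Sufficient
	Optional
)

// Request is what arrives at the inbound AS2 URL: HTTP basic credentials, if any.
type Request struct{ User, Password string }

// Module is one stack entry. Login returns the authenticated principal and
// whether the module succeeded.
type Module struct {
	Name  string
	Flag  Flag
	Login func(Request) (string, bool)
}

// PasswordModule stands in for the password check that guards the URL by
// default (constructed user table; not SAP's own login module).
func PasswordModule(flag Flag, users map[string]string) Module {
	return Module{Name: "PasswordModule", Flag: flag, Login: func(r Request) (string, bool) {
		pw, known := users[r.User]
		return r.User, known && pw == r.Password
	}}
}

// AS2AnonymousModule models ZAS2LoginModule with its two options. Assumed
// behaviour (the module's internals are not documented here): with
// AS2.Enable=true a request without credentials is logged on as
// AS2.Anonymous.User; with credentials, or with AS2.Enable=false, it fails
// and leaves the decision to the rest of the stack.
func AS2AnonymousModule(flag Flag, opts map[string]string) Module {
	return Module{Name: "ZAS2LoginModule", Flag: flag, Login: func(r Request) (string, bool) {
		if opts["AS2.Enable"] != "true" || r.User != "" {
			return "", false
		}
		return opts["AS2.Anonymous.User"], true
	}}
}

// Authenticate walks the stack with JAAS semantics: a failing Requisite stops
// at once; a failing Required is remembered but the walk continues; a
// succeeding Sufficient returns immediately unless a Required already failed.
// Without any Required/Requisite module, one Sufficient or Optional success is enough.
func Authenticate(stack []Module, r Request) (string, bool) {
	principal, mandatory, mandatoryFailed, optionalOK := "", false, false, false
	for _, m := range stack {
		p, success := m.Login(r)
		if success && principal == "" {
			principal = p
		}
		switch m.Flag {
		case Requisite:
			mandatory = true
			if !success {
				return "", false
			}
		case Required:
			mandatory = true
			mandatoryFailed = mandatoryFailed || !success
		case Sufficient:
			if success && !mandatoryFailed {
				return principal, true
			}
			optionalOK = optionalOK || success
		case Optional:
			optionalOK = optionalOK || success
		}
	}
	if (mandatory && mandatoryFailed) || (!mandatory && !optionalOK) {
		return "", false
	}
	return principal, true
}

func main() {
	users := map[string]string{"PARTNER_A": "s3cret"} // constructed credentials
	on := map[string]string{"AS2.Anonymous.User": "AS2_ANONYMOUS", "AS2.Enable": "true"}
	off := map[string]string{"AS2.Anonymous.User": "AS2_ANONYMOUS", "AS2.Enable": "false"}
	stacks := map[string][]Module{
		"password only":                            {PasswordModule(Requisite, users)},
		"ZAS2LoginModule Sufficient on top":        {AS2AnonymousModule(Sufficient, on), PasswordModule(Requisite, users)},
		"ZAS2LoginModule below the password check": {PasswordModule(Requisite, users), AS2AnonymousModule(Sufficient, on)},
		"ZAS2LoginModule on top, AS2.Enable=false": {AS2AnonymousModule(Sufficient, off), PasswordModule(Requisite, users)},
	}
	for name, stack := range stacks {
		for _, r := range []Request{{}, {"PARTNER_A", "s3cret"}, {"PARTNER_A", "wrong"}} {
			p, ok := Authenticate(stack, r)
			fmt.Printf("%-42s user=%-11q ok=%-5v principal=%q\n", name, r.User, ok, p)
		}
	}
}
```

The run shows why the order matters: with the module on top, a request without credentials is accepted as AS2_ANONYMOUS, which is the exposure the caution above refers to; placed below a Requisite password module it is never reached, so anonymous delivery silently does not work; with AS2.Enable=false the stack behaves as before the change, which is the switch to flip when anonymous delivery is no longer needed.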


User Management
All components of the business-to-business add-on that run on SAP NetWeaver Application Server
(AS) use the solutions and tools of the underlying AS for user management, administration,
authorizations, and authentication. The list and use of these solutions and tools are described in
the SAP NetWeaver Process Integration Security Guide, which also describes the authorization
concept for securing the system.

User Types
The following two user types cover the main scenarios for authentication
and authorization.

Dialog User

Dialog users are required for interactive work with the PI tools.

A dialog user represents a human user (as opposed to a service user) who logs on through the
various user interfaces of the different components of SAP NetWeaver PI, for example
the Enterprise Services Repository, Integration Directory, and System Landscape Directory.

In the user management of AS ABAP, this user type has the technical type A.

Service User

A service user enables secure communication between the adapters and an external trading
partner's components. The service user is the identity under which messages are exchanged.
For more information on creating service users, see Creating Service Users.

In the user management of AS ABAP, this user type has the technical type B.

UME Roles and Actions (AS Java)

Specific authorizations are defined as UME roles in the User Management Engine of AS Java for
the business-to-business add-on product.

Applications and the corresponding URLs accessible to authenticated dialog users:

Application: URL

Number Range Objects:
For 7.11 systems, go to http://<host>:<port>/webdynpro/dispatcher/sap.com/nro~maintenance/NROMaintenance
For 7.30/7.31 systems, go to http://<host>:<port>/webdynpro/resources/sap.com/nro~maintenance/NROMaintenance

EDI XML Converter:
For 7.11 systems, go to http://<host>:<port>/webdynpro/dispatcher/sap.com/converter~maintain~maintenance-app/Maintenance
For 7.30/7.31 systems, go to http://<host>:<port>/webdynpro/resources/sap.com/converter~maintain~maintenance-app/Maintenance

OFTP Log Viewer:
For 7.11 systems, go to http://<host>:<port>/webdynpro/dispatcher/sap.com/oftp2~log~web/LogViewer#
For 7.30/7.31 systems, go to http://<host>:<port>/webdynpro/resources/sap.com/oftp2~log~web/LogViewer#

Assigning user roles for managing the B2B application

User Role: Description
SAP_PI_B2B_SUPERADMIN_J2EE: Grants complete access to perform all actions on B2B components such as the EDI content manager, TPM and so on.
SAP_XI_CONTENT_ORGANIZER_J2EE: Grants only the import of EDI message content and restricts the user from performing other configuration tasks.
SAP_XI_B2B_ADMINISTRATOR_J2EE: Grants all tasks available in the EDI content manager.
SAP_XI_B2B_CONFIGURATOR_J2EE: Grants the configuration tasks, except importing.
SAP_XI_ADMINISTRATOR_J2EE: Grants actions such as displaying, modifying and editing the payload.
SAP_PI_B2B_TPM_ADMIN: Grants all administrative tasks related to the TPM system.
SAP_PI_B2B_TPM_READONLY: Grants view-only access to the content in the TPM system.

The user roles in the table above grant the user permission to perform tasks only for
user-defined control keys. It is not recommended to assign several of these roles to a single
user; keeping content import, configuration and payload editing with separate users means
no single account can both introduce a change and put it into effect.

UME Actions
The permissions granted by a UME role are specified by the UME actions assigned to it.

Adapters deploy their authorizations either as Java EE security roles or as User
Management Engine (UME) actions, depending on the decision of the developer. The Java EE
security roles and UME actions can be bundled by the developer or the administrator into UME
roles. The administrator then assigns these roles to the users.

More information on the authorization concept: Permissions, Actions, and UME Roles

Actions for Message Delivery

Action: Type | Description
AS2Deliverage: UME | Enables delivery of messages into the AS2 adapter.

It is recommended that administrators create a distinct user for each trading partner that
delivers messages to the AS2 adapter using HTTP(S) network transport, so that a compromised
or withdrawn partner credential affects only that partner.

All users corresponding to the trading partners must be assigned to a common role created
specifically for this purpose. The newly created role must be assigned the AS2Deliverage
action. To create a custom role and assign specific actions to it, perform the following steps:
1. Start Java User Management by entering http://<host>:<port>/useradmin
and then choose User Management.
2. Enter your authentication credentials and log on.
3. Choose Role in the drop-down box for Search Criteria.
4. Choose Create Role and enter a role name in the Unique Name field.
5. Choose the Assigned Actions tab.
6. Search for AS2Deliverage and select the action.
7. Choose Add and Save.
8. Log out of the UME.

To find out which actions are assigned to a UME role, perform the following steps:

1. Start Java User Management by entering http://<host>:<port>/useradmin
and then choose User Management.
2. Enter your authentication credentials and log on.
3. Choose Role in the drop-down box for Search Criteria.
4. Enter the role name, choose Go, and open the role.
5. Choose the Assigned Actions tab.
6. To find out the details of an action, copy the name of the action and
paste it into the search criteria field.
7. Choose Go.


© 2014 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose
without the express permission of SAP AG. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software
components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for
informational purposes only, without representation or warranty of any kind, and SAP Group
shall not be liable for errors or omissions with respect to the materials. The only warranties
for SAP Group products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be
construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark
information and notices.
