Icons in Body Text: Caution, Example, Note
Typographic Conventions
2
Security Guide SAP NW PI, B2B add-on 1.0
Contents
Icons in Body Text, page 2
Typographic Conventions, page 2
Contents, page 3
Introduction, page 4
  Target Audience, page 4
  Why Is Security Necessary?, page 4
  About this Document, page 4
Communication, page 7
  Message-Level Security, page 7
  Network and Transport Security, page 9
  Adapter Specific Security Configurations, page 11
Introduction
The Security Guide provides an overview of the security-relevant information that applies to the
SAP NetWeaver Process Integration business-to-business add-on 1.0.
This guide does not replace the administration or operation guides that are available for
productive operations.
Target Audience
Technology consultants
Security consultants
System administrators
For a list of security-relevant SAP Hot News and SAP Notes, see also SAP Service Marketplace at
http://service.sap.com/securitynotes.
Configuration
You can find a summary of the configuration steps for implementing security for the different
adapters of the SAP NetWeaver Process Integration Business-to-business add-on in the
respective configuration guides of the respective components.
Additional Information
For more information about specific topics, see the Quick Links as shown in the table below.
Content: Quick Link on SAP Service Marketplace or SDN
Security: http://sdn.sap.com/irj/sdn/security
Security Guides: http://service.sap.com/securityguide
Related SAP Notes: http://service.sap.com/notes and http://service.sap.com/securitynotes
Released platforms: http://service.sap.com/pam
Network security: http://service.sap.com/securityguide
SAP Solution Manager: http://service.sap.com/solutionmanager
SAP NetWeaver: http://sdn.sap.com/irj/sdn/netweaver
The technical system landscape of the product is described in the SAP NetWeaver Process
Integration Security Guide. The adapters for the B2B communication protocols and the
modules are the technical components that make up the Business-to-business add-on.
These components follow the standard principles for adapters and modules defined by the
Process Integration architecture.
For more information about the technical system landscape, see the resources listed in the
table below.
Topic / Guide or Tool: Quick Link on SAP Service Marketplace or SDN
SAP NetWeaver Master Guide: http://service.sap.com/instguides
SAP NetWeaver Process Integration Security Guide: http://help.sap.com/saphelp_nwpi711/helpdata/en/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm
Communication
The primary purpose of a PI landscape is to enable business partners and applications to
exchange XML messages (business documents). The exchange of documents is realized by
enabling business communication between business systems, Integration Servers and Adapter
Engines. In addition to message communication, technical communication occurs between
the various components of the PI system architecture. These two communication categories are
described in the PI Security Guide.
The B2B add-on adds additional communication scenarios to the business communication
category. The adapters enable PI to communicate with external business partners using
protocols like X.400, AS2 and OFTP.
The business communication can be secured on transport level and on message level.
• The section Network and Transport Security describes how these communications can
be secured on transport level by encryption and digital signature mechanisms.
Message-Level Security
Message-level security allows you to digitally sign or encrypt documents exchanged between
business partners. It improves communication-level security by adding security features that
are particularly important for inter-enterprise communication. Message-level security is
recommended and sometimes a prerequisite for inter-enterprise communication.
A digital signature authenticates the business partner signing the message and
ensures data integrity of the business document carried by a message.
o Non-repudiation of origin
The sender signs a message so that the receiver can prove that the
sender actually sent the message.
o Non-repudiation of receipt
The receiver signs a receipt message back to the sender so that the
original sender can prove that the receiver actually received the
original message.
Message-level security relies on public and private X.509 certificates maintained in the AS
Java keystore, where each certificate is identified by its alias name and the keystore view
in which it is stored. Certificates are used in the following situations:
When signing a message, the sender signs it with its private key and attaches its
certificate containing the public key to the message.
The receiver then verifies the digital signature of the message with the sender's
certificate attached to the message. There are two alternative trust models to verify the
authenticity of the sender's public certificate:
o In the direct trust model, the signer's public key certificate is compared with
the locally maintained, expected public key certificate of the partner.
Therefore, the direct trust model requires offline exchange of public key
certificates, which can be self-signed or issued by a CA.
o In the hierarchical trust model, the signer's public key certificate is validated
by a locally maintained public certificate of the CA that issued the signer's
public certificate. In addition, the subject name and the issuer of the signer's
certificate are compared with the expected partner's identity configured in a
receiver agreement on the receiver side.
When encrypting a message, the sender encrypts with the public key of the receiver
(also verifying the correctness of the receiver's certificate by using the public key of
the certificate's root CA).
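The two trust models above, worked through as an added example. This is illustration code written for this guide, not SAP's adapter code: it generates constructed certificates, signs a sample document, attaches the signer's certificate, and then verifies it once under the direct trust model (the attached certificate must equal the locally kept partner certificate) and once under the hierarchical trust model (the certificate must chain to a locally kept CA certificate, and its subject and issuer must match the partner identity configured for the receiver agreement). Matching the identity by common name, the "Example Partner CA" and "partner-a" names, and the sample order document are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedMessage: the business document, the signature over it, and the sender's certificate.
type SignedMessage struct {
	Payload []byte
	Sig     []byte
	CertDER []byte // sender's certificate, DER-encoded, attached to the message
}

// mkCert builds a certificate for cn: self-signed when parent is nil, otherwise issued by parent. Constructed test material only.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	issuer, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		issuer, signer = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Sign: the sender signs with its private key and attaches its own certificate.
func Sign(payload []byte, cert *x509.Certificate, key *rsa.PrivateKey) (*SignedMessage, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedMessage{Payload: payload, Sig: sig, CertDER: cert.Raw}, nil
}

// VerifyDirect (direct trust model): the attached certificate must equal the partner certificate exchanged offline and kept locally.
func VerifyDirect(m *SignedMessage, expected *x509.Certificate) error {
	cert, err := x509.ParseCertificate(m.CertDER)
	if err != nil {
		return err
	}
	if !cert.Equal(expected) {
		return fmt.Errorf("attached certificate differs from the locally maintained partner certificate")
	}
	return cert.CheckSignature(x509.SHA256WithRSA, m.Payload, m.Sig)
}

// VerifyHierarchical (hierarchical trust model): the certificate must chain to a locally kept CA and be
// within its validity period, and subject and issuer must match the identity configured for the partner.
func VerifyHierarchical(m *SignedMessage, trustedCAs *x509.CertPool, wantSubject, wantIssuer string) error {
	cert, err := x509.ParseCertificate(m.CertDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: trustedCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued by a trusted CA: %w", err)
	}
	if cert.Subject.CommonName != wantSubject || cert.Issuer.CommonName != wantIssuer {
		return fmt.Errorf("subject %q / issuer %q do not match the configured partner identity", cert.Subject.CommonName, cert.Issuer.CommonName)
	}
	return cert.CheckSignature(x509.SHA256WithRSA, m.Payload, m.Sig)
}

func main() {
	doc := []byte("<Order><Id>4711</Id></Order>") // constructed sample document
	ca, caKey := mkCert("Example Partner CA", true, nil, nil)
	partner, partnerKey := mkCert("partner-a", false, ca, caKey)
	msg, _ := Sign(doc, partner, partnerKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	fmt.Println("direct trust:", VerifyDirect(msg, partner))
	fmt.Println("hierarchical trust:", VerifyHierarchical(msg, pool, "partner-a", "Example Partner CA"))
}
```

The point the guide makes about the hierarchical model is visible in VerifyHierarchical: a chain check alone only proves that some certificate from the trusted CA signed the message, so the subject and issuer comparison against the configured partner identity is what ties the signature to the expected partner. In the direct model that tie is the byte-for-byte match against the offline-exchanged certificate, which is why that model works equally with self-signed and CA-issued certificates.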
More information
For more information on how to configure message-level security settings in the
Integration Directory, see:
o Defining the Integrated Configuration (for local message processing using the
Advanced Adapter Engine or the Advanced Adapter Engine Extended)
o Certificate Store
The table below summarizes the message-level security features of these protocols and adapters.
Certificate Trust Model: Hierarchical trust model, Direct trust model, Not applicable
For an overview of supported security mechanisms on transport level, refer to the table below.
Communication Ports
If you want to configure process integration (PI) landscape, you must know the network
addresses, the ports, and further information such as Internet addresses. With this information
you are able to define rules for the security components of the network (such as firewalls and
proxies).
According to the technical system landscape, there are several kinds of components within a PI
landscape. These components can be partitioned into different network zones in many ways.
Simple Landscape
A simple landscape, for instance, may consist of all central components located within the
same network zone and of some sender or receiver components located externally. This
implies that all internal technical communication such as exchange profile access or cache
refresh takes place internally.
For messaging components, you have to distinguish between push and pull modes. In push
mode, the message is sent to the Integration Server triggered by an external sender. In pull
mode, the message is written to a data store by the sender and actively fetched by the
messaging component. This mode is implemented in technical adapters like the Mail, JMS, or
JDBC adapter.
For push mode protocols and adapters, the following ports and addresses are used for
incoming messages.
The adapter running in the Advanced Adapter Engine in a technical pull mode is associated
with a data store, to which messages are written or from which messages are read.
Consequently, both read and write requests are incoming requests for this message store, and
its ports and protocols are therefore relevant for network configuration.
X.400 (X.400 Server): Read/write access to the X.400 message transfer agent (MTA) is
configured via the P7 protocol. A predefined TCP/IP port is published by the MTA for
network access.
The X400 adapter supports a SOCKS proxy as a network intermediary when security is
implemented using network zones. The proxy is typically deployed in the DMZ network
zone. The adapter communicates with the SOCKS proxy over TCP/IP. The
AS2 adapter supports an HTTP proxy.
OFTP
The security for the OFTP adapter can be configured at three levels.
Transport security is only used when the TCP/IP protocol is chosen for
communication between peers. The TLS protocol is used to provide it.
Session Level
File Level
The file security mechanism provides file signing, compression and encryption.
AS2
For a secure communication, a private and public key as well as each partner’s public key are
required. Certificates and private keys used by the adapter must be securely stored in the key
store of the Java web application server.
X400
For a secure communication, the network level security must be chosen for communication
between the adapter and the server. SSL protocol is used to realize the network security.
The certificate of the X400 MTA server is available from the service provider when SSL
protocol is chosen.
The certificate used must be securely stored in the key store of the Java web application
server. The trusted CAs view of the keystore is used to store the certificate.
Certificates published by the X.400 service provider for SSL channel access may
expire at regular periods. It is advised to find the certificate updates as published by
the service provider and update the trusted CAs view of the keystore with the new
certificates.
To allow anonymous login, apply the latest patch of the AS2 adapter from the SAP Service
Marketplace.
Procedure
1. Enter the URL format “http://<localhost>:<port>/nwa/auth” in the Web browser
2. Choose the Configuration tab page
3. On the Security tab page choose the Authentication and Single Sign-On
4. In the Component menu bar choose the Login Modules
5. To create a new login module, choose the Create pushbutton
6. In the New Login Module dialog box, enter the details for the parameters as mentioned in the
table below:
Parameter: Details
Display Name: ZAS2LoginModule
Class Name: com.sap.aii.adapter.as2.servlet.auth.AS2LoginModule
7. To add the new login module, choose the Create push button.
8. To add options to the newly created login module do as follows:
a. Select “ZAS2LoginModule” login module
b. On the Login Module Options tab page, choose the Edit pushbutton and then choose
the Add pushbutton
c. Add two options to the login module as mentioned in the table below:
Name: Value
Option 1: AS2.Anonymous.User = AS2_ANONYMOUS
Option 2: AS2.Enable = true (keep this set to true to allow 3rd party anonymous login;
otherwise change it to false.)
d. To save the changes, choose the Save pushbutton.
9. On the Authentication and Single Sign-On tab page, choose the icon
10. In the Policy Configuration Name column enter *AS2* and in Type column enter Web, and
then press ENTER.
11. Select the policy configuration name displayed in the table that is ending with “AS2” and
choose the Edit pushbutton
12. In the Login Modules table choose Add pushbutton
13. In the Login Module Name column, select ZAS2LoginModule
14. In the Flag column, select Sufficient
15. To move the ZAS2LoginModule up the stack, choose the Move Up pushbutton
16. To save the changes made to the policy configuration, choose the Save pushbutton.
17. On the SAP NetWeaver Administrator Web page, choose Identity Management
18. In the Identity Management application, create a new user called “AS2_ANONYMOUS”.
19. Create a new role as “ZAS2_SERVICE_USER” and assign the action AS2Deliverage to the
role
20. Then assign this new role to the user “AS2_ANONYMOUS” and the system is ready to accept
anonymous login.
If you have already created such a role before to enable other authenticated users to access
the inbound AS2 URL, then you can also use this existing role.
User Management
All components of the Business-to-business add-on that run on SAP NetWeaver Application Server
(AS) use the solutions and tools of the underlying AS for user management, administration,
authorizations, and authentication. The list and use of these solutions and tools are described in
the SAP NetWeaver Process Integration Security Guide, as is the authorization concept used to
secure the system.
User Types
The following two user types cover the main scenarios for authentication
and authorization.
Dialog User
Dialog users are required for interactive work with the PI tools.
A dialog user represents a human user (as opposed to a service user) who logs on through the
various user interfaces of the different components of SAP NetWeaver PI, for example
the Enterprise Services Repository, Integration Directory, and System Landscape Directory.
In user management of AS ABAP, this user type has the technical type A.
Service User
A service user enables secure communication between adapters and external trading
partners' components. The service user is important for message exchange. For more
information on creating service users, see Creating Service Users.
In user management of AS ABAP, this user type has the technical type B.
Specific authorizations are defined as UME roles in User Management Engine of AS Java for
the business-to-business add-on product.
Application URL
EDI XML Converter:
For 7.11 systems, go to
http://<host>:<port>/webdynpro/dispatcher/sap.com/converter~maintain~maintenance-app/Maintenance
For 7.30/7.31 systems, go to
http://<host>:<port>/webdynpro/resources/sap.com/converter~maintain~maintenance-app/Maintenance
OFTP Log Viewer:
For 711 systems, go to
http://<host>:<port>/webdynpro/dispatcher/sap.com/oftp2~log~web/LogViewer#
The user roles mentioned in the table above grant the user permission to perform
tasks only for user-defined control keys. It is not recommended to assign a single
user multiple privileges.
UME Actions
The permissions granted for a UME role are specified by the UME actions that are assigned to it.
developer or the administrator into UME roles. The administrator then assigns
these roles to the users.
More information on the authorization concept: Permissions, Actions, and UME Roles
To find out which actions are assigned to a UME role, perform the following steps:
1. Start Java User Management and enter http://<host>:<port>/useradmin
and then choose User Management.
2. Enter authentication credentials and logon.
3. Choose Role in the drop-down box for Search Criteria.
4. Choose Create Role and enter a role name in the Unique Name
field.
5. Choose the Assigned Actions tab.
6. To find out details of an action, copy the name of the action role and
paste it into the search criteria field
7. Choose Go.
www.sap.com/contactsap