Upload
duckman784
View
124
Download
9
Tags:
Embed Size (px)
Citation preview
1
Release 1.0
Business Process Blueprinting Security Guide
2
Copyright
© Copyright 2011 SAP AG. All rights reserved. SAP Library document classification: PUBLIC No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
3
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
4
Icons in Body Text
Icon Meaning
Caution
Example
Note
Recommendation
Syntax
Additional icons are used in SAP Library documentation to help you identify different
types of information at a glance. For more information, see Help on Help General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
Typographic Conventions
Type Style Description
Example text Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options.
Cross-references to other documentation.
Example text Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT Keys on the keyboard, for example, F2 or ENTER.
5
Contents
Introduction .................................................................................................................................................. 6
Before You Start ............................................................................................................................................ 7
Technical System Landscape ......................................................................................................................... 8
User Administration and Authentication ...................................................................................................... 9
User Management .................................................................................................................................... 9
Authorizations ............................................................................................................................................ 11
Network and Communication Security ...................................................................................................... 12
Communication Channel Security ........................................................................................................... 13
Communication Destinations .................................................................................................................. 13
Data Storage Security ................................................................................................................................. 14
Security Logging and Tracing ..................................................................................................................... 14
6
Introduction
This guide does not replace the daily operations handbook that we recommend customers to
create for their specific productive operations.
Target Audience
Developers
Technology consultants
System administrators
This document is not included as part of the Installation Guides, Configuration Guides, Technical
Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software
life cycle, whereas the Security Guide provides information that is relevant for all life cycle.
Why Is Security Necessary? With the increasing use of distributed systems and the Internet for managing business data, the demands
on security are also on the rise. When using a distributed system, you need to be sure that your data and
processes support your business needs without allowing unauthorized access to critical information. User
errors, negligence, or attempted manipulation on your system should not result in loss of information or
processing time. To assist you in securing the access to business functionality with Business process
Blueprinting, we provide this Security Guide.
About this Document The Security Guide provides an overview of the security-relevant information that applies to Business
process Blueprinting.
Overview of the Main Sections
The Security Guide comprises the following main sections:
● Before You Start
This section contains information about why security is necessary, how to use this document and references to other Security Guides that build the foundation for this Security Guide.
● Technical System Landscape
This section provides an overview of the technical components and communication paths that are used by Business process Blueprinting tool.
● User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
7
○ Recommended tools to use for user management.
○ User roles and types that are required by the Business Process Blueprinting tool.
● Authorizations
This section provides an overview of the authorization concept that applies to Business Process Blueprinting tool.
● Network and Communication Security
This section provides an overview of the communication paths used by Business Process Blueprinting tool and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.
● Data Storage Security
This section provides an overview of any critical data that is used by Business Process Blueprinting tool and the security mechanisms that apply.
● Security Logging and Tracing
This section provides an overview of the trace and log files that contain security-relevant information of the Business Process Blueprinting tool.
Before You Start
Business Process Blueprinting is based on the SAP NetWeaver Application Server for ABAP Server
technology (AS ABAP). Therefore, the corresponding security guides also apply to Business Process
Blueprinting. Pay particular attention to the most relevant sections and to specific restrictions as
indicated in the table below.
Application Security guide
SAP Netweaver AS ABAP SAP NetWeaver Application Server ABAP
Security Guide
A complete list of all the available SAP Security Guides can be found at the SAP Service Marketplace under the quick link securityguide.
Additional Information
The following table lists special topics for security and their relevant quick links.
Content SAP Service Marketplace Address
8
Security service.sap.com/security
Security Guides service.sap.com/securityguide
Related SAP Notes service.sap.com/notes
Released platforms service.sap.com/platforms
Network security service.sap.com/securityguide
SAP Solution Manager service.sap.com/solutionmanager
Technical System Landscape
The figure below shows an overview of the technical system landscape for Business Process
Blueprinting.
For more information about the technical system landscape, see the resources listed in the table below.
System Role
Solution Composer
Solution composer allows data exchange between Solution Manager and Business Process Blueprinting. It synchronizes data between the client and server.
SAP Solution SAP Solution Manager is a centralized support and system management suite from
9
Manager where you receive the content.
BPR SAP Solution Manager stores content of the offered SAP solutions in form of realized
business scenarios, business processes and process steps in Business process
Repository.
User Administration and Authentication
The Business process Blueprinting uses the user management and authentication mechanisms provided
with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP. Therefore,
the security recommendations and guidelines for user administration and authentication as described in
the SAP NetWeaver Application Server ABAP Security Guide [SAP Library] also apply to the Business
Process Blueprinting tool.
This authentication mechanism is based on the basic authentication feature of the HTTP. We recommend that you use Secure Socket Layer (SSL), since this will encrypt all information exchanged between the client and server.
In addition to these guidelines, we include information about user administration and authentication that
specifically applies to the Business Process Blueprinting tool in the following topics:
User Management User management for the Business process Blueprinting tool uses the mechanisms provided with the
SAP NetWeaver Application Server ABAP, for example tools, user types, and password policies. For an
overview of how these mechanisms apply for the Business Process Blueprinting tool, see the sections
below. In addition, we provide a list of the standard users required for operating the Business Process
Blueprinting tool.
User Administration Tools
Business Process Blueprinting tool uses UME (User Management Engine) as its data source for user management data.
For the server related components, no replication of user data is required as we maintain it in the same system for SAP Solution Manager as well as for Solution Composer.
User Management Tools
Tool Detailed Description
SAP NetWeaver Administrator
To set up an administrator user
User maintenance (transaction SU01)
To create users
10
User Types It is often necessary to specify different security policies for different types of users. For example, your
policy may specify that individual users who perform tasks interactively have to change their passwords
on a regular basis, but not those users under which background processing jobs run.
There are the following types of users in Business Process Blueprinting tool.
Dialog users are used for SAP GUI for Windows.
System users are used for background processing and communication within a system (Such as
RFC users)
Technical users are used for communication between Solution composer and SAP Solution
Manager.
For more information about user types, see User Types in the Security Guide for SAP NetWeaver AS
ABAP.
Overview of roles and User Types
System Role Type Default Password
Description
SAP Solution Manager
/SOCO/FABRIC_USER
Dialog user
yes Installed by
the
authorized
user
administrator
/SOCO/FABRIC_ADMIN
System user
yes Installed by
the
authorized
user
administrator
SAP_BC_WEBSERVICE_ADMIN
System user
yes Installed by
the
authorized
user
administrator
SAP_BC_WEBSERVICE_ADMIN_TEC
System user
yes Installed by
the
authorized
user
administrator
SAP_BC_WEBSERVICE_CONFIGURATOR
System user
yes Installed by
the
11
authorized
user
administrator
Note
When the user enters the credentials in the Business Process Blueprinting tool to connect to the server,
the data gets transported by Client Encryption framework and this data will be verified with the user
credentials stored in RFC destination.
Authorizations
The following table provides the information about the application specific roles.
Role Description
/SOCO/FABRIC_ USER Basic access to Solution Composer Foundation
/SOCO/FABRIC_ ADMIN
Full access to Solution Composer Foundation
The following table provides the information about SAP standard admin roles.
Role Description
SAP_BC_WEBSERVICE_ADMIN
Administration authorizations for Web Services in AS ABAP
SAP_BC_WEBSERVICE_ADMIN_TEC
● Role for technical administrator of Web services.
● Monitoring sequences, messages, logging, tracing.
● Monitoring of payload for component SAP_BASIS.
● Administration of tracing and logging, RFC.
● Defining, executing Web Services.
● Administration of the Internet Communication Framework.
● Administration of the RFC destination.
12
● Administration of the Task Watcher and the Event Handler.
SAP_BC_WEBSERVICE_CONFIGURATOR
Administration authorizations for the properties of the Web service at runtime.
● /SOCO/FABRIC_ADMIN and /SOCO/FABRIC_USER are the roles which are provided along with the application.
● The user is mapped to the application specific roles or SAP standard admin roles based on the user’s need.
● The authorization information comes from ABAP authorization objects.
Note
The Business Process Blueprinting tool uses the authorization concept provided by SAP
NetWeaver. Therefore, the recommendations and guidelines for authorizations as described in the SAP
NetWeaver AS Security Guide ABAP also apply to the Business Process Blueprinting tool.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based
on roles. For role maintenance, use the profile generator (transaction PFCG) when using ABAP
technology and the User Management Engine’s user administration console when using Java.
Network and Communication Security Your network infrastructure is extremely important in protecting your system. Your network needs to
support the communication necessary for your business needs without allowing unauthorized access. A
well-defined network topology can eliminate many security threats based on software flaws (at both the
operating system and application level) or network attacks such as eavesdropping. If users cannot log on
to your application or database servers at the operating system or database layer, then there is no way
for intruders to compromise the machines and gain access to the backend system’s database or files.
Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit
well-known bugs and security holes in network services on the server machines.
The network topology for the Business Process Blueprinting tool is based on the topology used by the
SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP
NetWeaver Security Guide also apply to the Business Process Blueprinting tool. Details that specifically
apply to the Business Process Blueprinting tool are described in the following topics:
● Communication Channel Security
This topic describes the communication paths and protocols used by the Business Process Blueprinting tool.
● Network Security
This topic describes the recommended network topology for the Business Process Blueprinting tool. It shows the appropriate network segments for the various client and server components and
13
where to use firewalls for access protection. It also includes a list of the ports needed to operate the Business Process Blueprinting tool.
● Communication Destinations
This topic describes the information needed for the various communication paths, for example, which users are used for which communications.
For more information, see the following sections in the SAP NetWeaver Security Guide:
● Network and Communication Security [SAP Library]
● Security Aspects for Connectivity and Interoperability [SAP Library]
Communication Channel Security
● The communication between the SAP Solution Manager and the Solution Composer happens through web service APIs and RFC.
● The data that is communicated between the client and the application server are application data, overhead data, security logs and trace files and it happens through HTTP REST. HTTPS is used when a secure connection or data protection is required.
● User credentials entered in the client while connecting to the server are encrypted by the client side encryption framework for security purpose.
The following table provides an overview of the communication channels and the technology used
in each case:
Communication between…
Technology used for communication
Type of Data Transferred
Data Requiring Special Protection
Business Process Blueprinting tool and Solution composer
Hypertext Transfer Protocol (HTTP), Secure Hypertext Transfer Protocol (HTTPS)
Application data, overhead data, security logs, trace files
User name and password
SAP Solution Manager and Solution composer
Web service APIs Application data No
Solution composer and BPR
SOAP Application data No
Communication Destinations
The communication between client and server happens through HTTP or HTTPS connection which is established on the tool via preference page .
Webservice configuration is used for the communication between Solution composer and SAP Solution Manager.
AISOCO_SOLMAN_PROJECT RFC destination which accesses BPR (Business Process Repository) content from SAP Solution Manager is delivered along with the application.
14
Note
The package context in which Business Process Blueprinting users work will have an attribute on that
package with the value of the RFC destination to identify that it is in this Business Process Blueprinting
context that the SAP Solution Manager connection has to be established.
Data Storage Security
● The system data is stored in the SAP database. Configuration file is stored in File System. It contains the connection details which is used by the client to connect to the server.
● A part of data is stored in the database when the client connects to the SAP Solution Manager for the first time. Subsequently the data gets stored whenever the user accesses the content from the client or the server.
● Read, write, modify and delete accesses are the access types provided to the users along with the application. The user can use these access types based on their needs.
● Cookies are used to store the data such as SAP context and path at the frontend. These data will be available till the session exists.
Security Logging and Tracing
● The application log and trace security relevant information with respect to the
client is stored in the client workspace.
server is stored in the server database.
Note
Using transaction code ‘slg1‘ you can analyse the server related logs.
● You can configure the log on attempts in the server using standard sap transactions for which admin has the access.
● You can configure the Severity level by navigating through Change preferences Tracing and Logging Severity.
● The information written for the severity levels are :
Severity
Details
FATAL
Announces that the application cannot recover from error.
The severe situation causes a fatal termination.
ERROR Announces that the application can recover from error.
15
However, it cannot fulfill the required task due to the error.
WARNING
Announces that the application can recover from an
anomaly and fulfill the required task. However, it needs
attention from developer/operator.
INFO
Informational text, mostly for echoing what is performed.
PATH
For tracing the execution flow. It is used, for example, in the
context of entering and leaving a method, looping and
branching operations.
ALL
For debugging purposes, with extensive and low level
information.
NONE To deactivate logging / tracing.