Administrator's Guide
SAP System Monitoring 1.0.0

Target Audience
- System Administrators
- Technical Consultants

CUSTOMER
Document version: 1.1.0 ‒ 11/06/2012


  • Document History

    Caution

    Before you start the implementation, make sure you have the latest version of this document. You can find the latest version at the following location: http://service.sap.com/instguides.

    The following table provides an overview of the most important document changes.

    | Version | Date | Description |
    |---|---|---|
    | 1.1.0 | 11/6/2012 | Enhanced for initial version of SAP System Monitoring on devices running iOS |
    | 1.0.0 | 9/28/2012 | Document created for SAP System Monitoring version 1.0.0 |

    2/64 CUSTOMER 11/06/2012

  • Table of Contents

    Chapter 1 Introduction
      1.1 History of Changes
      1.2 SAP System Monitoring
      1.3 About This Document
      1.4 Useful Links
      1.5 Related Guides

    Chapter 2 Specific Information on SAP System Monitoring
      2.1 Technical System Landscape
      2.2 Installation of the System Landscape
        2.2.1 Installation Sequence
        2.2.2 Post Installation
      2.3 Security Aspects of SAP System Monitoring
        2.3.1 Authorizations
        2.3.2 Data Storage Security
      2.4 Business Configuration of SAP System Monitoring

    Chapter 3 Generic Information on Mobile Applications in SAP Solution Manager
      3.1 Generic Mobile System Landscape
        3.1.1 Technical System Landscape
        3.1.2 Deployment Scenarios
        3.1.3 Products in Mobile System Landscapes
      3.2 Generic Installation Information
        3.2.1 Information Available in SAP Service Marketplace
        3.2.2 Further Documentation
        3.2.3 Installation Preparation
          3.2.3.1 Software Prerequisites
          3.2.3.2 Software Download
        3.2.4 Installation
          3.2.4.1 Initial Installation
            3.2.4.1.1 Main Installation Steps
            3.2.4.1.2 Installation Sequence
          3.2.4.2 Follow-On Installation
        3.2.5 Post Installation
          3.2.5.1 Configuring the Application Back End
          3.2.5.2 Configuring SAP NetWeaver Gateway
          3.2.5.3 Configuring Sybase Unwired Platform
          3.2.5.4 Configuring Sybase Relay Server
          3.2.5.5 Connecting SAP Solution Manager with SAP NetWeaver Gateway
          3.2.5.6 Connecting SAP NetWeaver Gateway with Sybase Unwired Platform
          3.2.5.7 Creating Users and Assigning Authorizations
          3.2.5.8 Registering Users and Mobile Application in Sybase Unwired Platform
          3.2.5.9 Installing the Mobile Application on the Device
          3.2.5.10 Steps for the End User to Get the Mobile Application Running
      3.3 Generic Security Information
        3.3.1 Before You Start
        3.3.2 User Administration and Authentication
          3.3.2.1 User Management
            3.3.2.1.1 User Management Concept
            3.3.2.1.2 User Administration Tools
            3.3.2.1.3 User Types
          3.3.2.2 User Authentication Mechanism
            3.3.2.2.1 User Authentication
            3.3.2.2.2 Steps to Enable Mobile Application Users to Change Their Passwords
          3.3.2.3 Authorizations
        3.3.3 Session Security Protection
        3.3.4 Network and Communication Security
        3.3.5 Communication Channel Security
        3.3.6 Network Security
        3.3.7 Internet Communication Framework Security
        3.3.8 Data Storage Security
          3.3.8.1 Data Storage
          3.3.8.2 Data Protection
          3.3.8.3 Management of Mobile Applications with Impacts on Security
        3.3.9 Services for Security Lifecycle Management
          3.3.9.1 Security Chapter in the EarlyWatch Alert (EWA) Report
          3.3.9.2 Security Optimization Service (SOS)
          3.3.9.3 Security Configuration Validation
          3.3.9.4 Security in the RunSAP Methodology / Secure Operations Standard
          3.3.9.5 More Information
      3.4 Generic Information on Operating a Mobile Application System Landscape
        3.4.1 Monitoring of Mobile Applications
        3.4.2 Monitoring of SAP Solution Manager
        3.4.3 Data Consistency
        3.4.4 Management of SAP Solution Manager
        3.4.5 Software Change Management
        3.4.6 Support Desk Management
          3.4.6.1 Remote Support Setup
          3.4.6.2 Problem Message Handover
      3.5 Generic Update Information
        3.5.1 Updating the Mobile System Landscape

    Chapter A Reference
      A.1 The Main SAP Documentation Types

  • 1 Introduction

    1.1 History of Changes

    The Administrator's Guide is regularly updated on SAP Service Marketplace at http://service.sap.com/instguides.

    Caution

    Make sure you have the latest version of the Administrator's Guide by checking SAP Service Marketplace immediately before starting the installation.

    The following table provides an overview of the most important changes that were made in the latest versions.

    | Document Version | Important Changes |
    |---|---|
    | 1.1.0 (November 06, 2012) | Enhanced for initial version of SAP System Monitoring on devices running iOS |
    | 1.0.0 (September 28, 2012) | Document created for SAP System Monitoring version 1.0.0 |

    1.2 SAP System Monitoring

    With the SAP System Monitoring mobile app for Android, you can monitor availability, performance, and exceptions of important systems in the landscape anywhere and anytime. This app connects to the SAP Solution Manager application management solution and allows administrators to check alerts and monitor metrics right from their mobile devices.

    Key Features

    - Display status overview for technical systems, instances, databases, and hosts
    - Drill down to single metrics and events
    - Display overview of alerts for technical systems, instances, databases, and hosts
    - Get alert details for deep-dive analysis of certain symptoms

    Note

    To use SAP System Monitoring with your business data, you must be a user of the SAP Solution Manager application management solution, with mobile services enabled by your IT department. You can try it first with sample data.

    Disclaimer

    SAP does not warrant that the software and/or its features as described in this abstract will be available without interruption or permanently. SAP draws your attention to the fact that such availability is subject to the sole discretion of the operator of the app store. The operator of the app store may, at any time and without notice, restrict, interrupt, or prevent use of the software, or delete the software from your mobile device, or require SAP to do any of the foregoing actions.

    1.3 About This Document

    This document is the starting point for the implementation of the SAP System Monitoring. It contains implementation information as well as security and operation information, and is divided into the following main sections:

    - Introduction
    - Specific information on SAP System Monitoring:
      - Technical system landscape
      - Installation and configuration (post installation) of the system landscape
      - Security aspects of SAP System Monitoring
      - Business configuration of SAP System Monitoring
    - Generic information relevant for all mobile applications in SAP Solution Manager

    Note

    You can find the most current version of this document on SAP Service Marketplace at http://service.sap.com/instguides. We strongly recommend that you use the document available there. The guide will be updated according to updates of the software.

    1.4 Useful Links

    The following table lists useful links on SAP Help Portal and on SAP Service Marketplace:

    | Content | Location |
    |---|---|
    | General Information on SAP Solution Manager | http://service.sap.com/solutionmanager |
    | General Information on Mobile Applications in SAP Solution Manager | https://service.sap.com/instguides SAP Components SAP Mobile Applications SAP Solution Manager |
    | Information about creating error messages | http://service.sap.com/message |
    | SAP Notes search | http://service.sap.com/notes |
    | SAP Software Distribution Center (software download and ordering of software) | http://service.sap.com/swdc |
    | SAP Online Knowledge Products (OKPs) role-specific Learning Maps | http://service.sap.com/rkt |
    | SAP Business Maps - information about applications and business scenarios | http://service.sap.com/businessmaps |
    | Sizing, calculation of hardware requirements - such as CPU, disk and memory resource - with the Quick Sizer tool | http://service.sap.com/quicksizer |
    | Released platforms and technology-related topics such as maintenance strategies and language support | http://service.sap.com/platforms (to access the Platform Availability Matrix directly, enter http://service.sap.com/pam) |
    | Network security | http://service.sap.com/securityguide |
    | High Availability | http://www.sdn.sap.com/irj/sdn/ha |
    | Performance | http://service.sap.com/performance |
    | Information about Support Package Stacks, latest software versions and patch level requirements | http://service.sap.com/sp-stacks |
    | Information about Unicode technology | http://www.sdn.sap.com/irj/sdn/i18n |

    1.5 Related Guides

    You can find more information about SAP Solution Manager in the following documents:

    | Title | Location |
    |---|---|
    | Master Guide SAP Solution Manager | http://service.sap.com/instguides SAP Components SAP Solution Manager in section 1 Planning. |
    | Installation Guides | http://service.sap.com/instguides SAP Components SAP Solution Manager in section 2 Installation. |
    | Solution Operations Guides SAP Solution Manager | http://service.sap.com/instguides SAP Components SAP Solution Manager in section 4 Operations. |
    | Security Guide SAP Solution Manager | http://service.sap.com/securityguide SAP Components SAP Solution Manager in section 4 Operations. |

  • 2 Specific Information on SAP System Monitoring

    2.1 Technical System Landscape

    The SAP System Monitoring mobile application is available for mobile devices running iOS or Android operating systems.

    The mobile application can be deployed in all available deployment scenarios, see Deployment Scenarios [page 18] in the generic part of this guide. Note that for Android mobile devices, the direct access scenario is only supported for mobile devices running Android 4 operating system or higher.

    For the product versions, see Products in Mobile System Landscapes [page 20] in the generic part of this guide.

    Integration

    The application shows technical systems available in the Technical Monitoring Work Center in SAP Solution Manager. The systems are displayed per SAP Solution Manager system groups as defined for the user in System Monitoring. Users can also add technical systems to their favorites. Favorite systems are shown in the system group My Systems. Users can add a system to the favorite system group or remove one by pressing the system entry in the system list.

    The application displays system components (also called managed objects), which comprise the technical system object, system instances, databases, and hosts. Users can drill down to single monitoring metrics and events.

    For technical systems and managed objects, the application shows alerts and alert details. For each alert type, only the last alert instance is displayed. Users can confirm alerts (either the single alert instance or all alerts of the alert type) from the mobile device.

    2.2 Installation of the System Landscape

    2.2.1 Installation Sequence

    For a description of the installation sequence, see Installation Sequence in the generic part of this guide.

    2.2.2 Post Installation

    You can find out how you carry out the post installation for SAP NetWeaver Gateway and Sybase Unwired Platform in the generic part of this guide. For SAP System Monitoring, you require the following specific information:

    - SAP NetWeaver Gateway
      To access SAP Solution Manager data, you need to activate the following OData Service in the SAP NetWeaver Gateway: TECHMON
    - Sybase Unwired Platform
      When configuring Sybase Unwired Platform, consider the following settings:
      - Application ID
        The value for the required Application ID is com.sap.solman.sysmonitoring.
      - Application Endpoint
        The value for the application endpoint is http://:/sap/opu/odata/AIGW/TECHMON.
      - Authentication
        - iOS: Basic authentication is supported. You can define a security configuration with a name of your choice. In addition, manual authentication is supported.
        - Android: Manual authentication is supported.
      - User registration
        The following user registration methods are supported:
        - iOS: You can register the users manually on the Sybase Unwired Platform or use the automatic registration.
        - Android: You register the users manually on the Sybase Unwired Platform.
        For more information, see Registering Users and Mobile Application in Sybase Unwired Platform [page 32] in the generic part of this guide.

    Configuration of the Android Mobile Applications Connected to Sybase Unwired Platform

    Depending on the deployment scenario, provide the users with the information listed below for setting up the connectivity of the mobile device. For more information, see Steps for the End User to Get the Mobile Application Running [page 34] in the generic part of this guide.

    The connection mode defines how the connection is routed to the back-end system.

    In the Mode Settings, you can also activate the demo mode using demo data to take a tour of the mobile application.

    Sybase Unwired Platform Connectivity

    - SUP Server
      Host name or IP address of Sybase Unwired Platform
    - SUP Server Port
      Port of Sybase Unwired Platform
    - Farm ID
      Farm ID of Sybase Unwired Platform
    - SUP User
      Name of SUP user in Sybase Control Center
    - SUP Password
      Password of the SUP user
    - User
      Name of the user which calls the SAP Solution Manager system
    - Password
      Password of the user which calls the SAP Solution Manager system
    - Use HTTPS
      Type of protocol

    Additionally, the user can set an application passcode to protect the mobile application from unauthorized use.

    The parameters are provided at first logon and in the settings menu of the mobile application.

    Configuration of the Android Mobile Applications Connected to SAP NetWeaver Gateway

    Depending on the deployment scenario and authentication mechanism, provide the users with the information listed below for setting up the connectivity of the mobile device. For more information, see Steps for the End User to Get the Mobile Application Running [page 34] in the generic part of this guide.

    The connection mode defines how the connection is routed to the back-end system.

    In the Mode Settings, you can also activate the demo mode using demo data to take a tour of the mobile application.

    Gateway Connectivity

    - Server Name
      Host name or IP address of SAP Solution Manager system
    - Port
      Port number or service name
    - User
      Name of the user which calls the SAP Solution Manager system
    - Password
      Password of the user which calls the SAP Solution Manager system
    - Service Name
      Service name that uniquely identifies a versioned service group
    - Service URL
      Base URL of the service
    - Use HTTPS
      Type of protocol

    Additionally, the user can set an application passcode to protect the mobile application from unauthorized use.

    The parameters are provided at first logon and in the settings menu of the mobile application.

    Configuration of the iOS Mobile Application

    Depending on the deployment scenario and authentication mechanism, provide the users with the information listed below for setting up the connectivity of the mobile device. For more information, see Steps for the End User to Get the Mobile Application Running [page 34] in the generic part of this guide. The connection mode defines how the connection is routed to the back-end system. The connection mode settings for iPhone and iPad also provide a demo mode using demo data to take a tour of the mobile application.

    - User ID and initial password
    - Server or Server Name
      Name of Sybase Unwired Platform or Sybase Relay Server
    - Port
      Port of Sybase Unwired Platform or Sybase Relay Server
    - Company ID
      Company ID as defined on Sybase Unwired Platform
    - SUP User or Mobile User
      Mobile User as defined on Sybase Unwired Platform
    - Activation Code
      Code for the first logon to Sybase Unwired Platform
    - Security Configuration (Basic authentication only)
      Security configuration as defined on Sybase Unwired Platform
    - Gateway connection information, if required: similar to the Sybase Unwired Platform connection information

    Additionally, the user can set an application passcode to protect the mobile application from unauthorized use.

    The parameters are provided at first logon and in the settings menu of the mobile application. On iPhone and iPad, the Delete User function can be used to unregister the user from the device and from Sybase Unwired Platform.

    2.3 Security Aspects of SAP System Monitoring

    The following security aspects are relevant for the SAP System Monitoring mobile application:

    - For the fundamental security aspects of mobile applications, see the Generic Security Information [page 35] section.
    - For SAP System Monitoring, see the sections User Management, Authorizations, and Data Storage Security below.

    2.3.1 Authorizations

    Standard Roles

    The table below shows the standard role to be assigned in SAP Solution Manager. It is required in addition to the roles and authorizations, such as the technical role for SAP NetWeaver Gateway, described in the generic part of this guide.

    Standard Role for SAP System Monitoring

    | Role | Description |
    |---|---|
    | SAP_SM_L1_COMP | Technical composite role that includes all the authorizations required to display System Monitoring data from SAP Solution Manager |

    For more information, see the security guide for SAP Solution Manager 7.1 on SAP Help Portal at http://help.sap.com/solutionmanager71 Security Information SAP Service Marketplace Operations Security Guide SAP Solution Manager 7.1, section Scenario-Specific Guide: Technical Monitoring.

    2.3.2 Data Storage Security

    Mobile applications access data and functions in the back end via the OData channel. While they do not replicate a large volume of data on the device, some data does have to be stored there. Data on a mobile device has to be handled with special care, as it is exposed to additional risks. As the device is carried around by the mobile application user, it could be lost or stolen. Furthermore, attackers might find new ways of compromising mobile devices, despite the ongoing efforts of vendors of mobile devices to make them more secure. This section provides information about the data on the mobile device and the actions that can be triggered via SAP System Monitoring:

    - Data transferred to the device:
      System, instance, host details, metric values, and alert details
    - Data persistently stored on the device:
      - Customizing data
      - User ID, password, and technical settings
    - Data temporarily buffered on the device:
      Incident messages details
    - Actions triggered via the mobile application:
      - Confirming alerts
      - Adding systems to and removing systems from user favorites (relevant only in the context of the mobile applications)

    In addition to the data mentioned above, certain configuration and authentication data is also stored on the device. For a description of this data and information about the measures that are applied to protect it, see Data Storage Security [page 48] in the generic part of this guide.

    With the iOS version of SAP System Monitoring, you can use the Sybase Unwired Platform Data Vault for additional security.

    2.4 Business Configuration of SAP System Monitoring

    With SAP System Monitoring, you can monitor availability, performance, and exceptions of important systems in the landscape. The data, such as metrics, events, and alerts, is provided by your SAP Solution Manager System Monitoring application.

    Note

    There is no special customizing for the SAP System Monitoring mobile application. The mobile application is based on the same customizing as the SAP Solution Manager System Monitoring application.

    Procedure

    1. Configure SAP Solution Manager, including the following:
       - Activate Gateway Services in the System Preparation configuration scenario, in the Configure Connectivity > Configure Gateway step.
       - For monitoring and alerting, configure the Managed Systems configuration scenario.
       - Configure the SAP Solution Manager Technical Monitoring > System Monitoring configuration scenario.

    Note

    To display systems in the mobile application: In the SAP Solution Manager Technical Monitoring work center, refresh the queries (personal object worklist, POWL queries) for the system groups.

  • 3 Generic Information on Mobile Applications in SAP Solution Manager

    3.1 Generic Mobile System Landscape

    3.1.1 Technical System Landscape

    The following figure shows a schematic system landscape for mobile applications in SAP Solution Manager. Depending on the deployment scenario, the mobile application, or the operating system, there are variations to the system landscape. For more information about the application-specific system landscape, see Technical System Landscape in the application-specific part of this guide.

    Figure 1: Schematic System Landscape for Mobile Applications in SAP Solution Manager

    For the different deployment scenarios that are represented in this figure, see Deployment Scenarios [page 18].

    Integration

    Communication between the different software components in the mobile system landscape uses different communication channels.

    Provided that the required settings have been made during the installation, communication between the components in the mobile system landscape proceeds as follows:

    - A request for an OData service is sent from the mobile application on the device to the back end, and its response is sent from the back end to the mobile application.
    - The request channel from the SAP NetWeaver Gateway system to SAP Solution Manager relies on a trusted RFC connection. Consequently, the user name must be the same in both systems. SAP Solution Manager provides a general device application programming interface (GDAPI) that some of the mobile applications can use to handle the connection to SAP NetWeaver Gateway.
    - The request channel between the Sybase Unwired Platform and the SAP NetWeaver Gateway system relies on the HTTP(S) protocol. The Sybase Unwired Platform server sends the user credentials to the SAP NetWeaver Gateway system for authentication.
    - The request channel between the mobile application and Sybase Unwired Platform relies on SUP Messaging Channel, which is an HTTP-based protocol. The data exchange between the client and Sybase Unwired Platform is secure, since the data is encrypted at content level using symmetric key encryption.
      For more information about communication encryption, see Communication Channel Security [page 44] in the generic part of this guide.

    3.1.2 Deployment Scenarios

    The system landscape for mobile applications in SAP Solution Manager can be set up according to the following deployment scenarios:

    - Access via Sybase Unwired Platform scenario
      - SAP NetWeaver Gateway as central hub scenario
        For a productive environment with multiple back ends, we recommend deploying SAP NetWeaver Gateway on a stand-alone server, separated from the application back-end systems. Thus, the deployment is better able to scale, and the SAP NetWeaver Gateway is more independent of SAP Solution Manager, for example, regarding updates.
        To use this scenario, configure the connection between SAP NetWeaver Gateway and SAP Solution Manager and activate the OData services in SAP NetWeaver Gateway.
      - Embedded system scenario
        SAP NetWeaver Gateway, with all its runtime components, and SAP Solution Manager share the same system. Therefore, SAP NetWeaver Gateway is already connected to SAP Solution Manager.

      Note

      If activities differ depending on the scenario, this is marked accordingly in this guide.

      For more information about configuring the scenarios, see Configuring SAP NetWeaver Gateway [page 28] in the generic part of this guide.
      For more information about the SAP NetWeaver Gateway deployment scenarios, see SAP Library for SAP NetWeaver Gateway 2.0 SP04 on SAP Help Portal at http://help.sap.com/nwgateway20 Application Help Support Package 04 SAP NetWeaver Gateway SAP NetWeaver Gateway Master Guide Deployment Options.

    - Direct SAP NetWeaver Gateway access scenario
      In this scenario, the mobile device connects directly to SAP NetWeaver Gateway at the customer site, instead of connecting via Sybase Unwired Platform or Relay Server. To avoid direct connection between the Internet and the SAP NetWeaver Gateway or the SAP Solution Manager system, only deploy this scenario for intranet use, that is, only if the mobile devices are connected via your intranet.
      In this scenario, the SAP NetWeaver Gateway can be deployed either as central hub or as embedded system.

      Note

      In this scenario, the security functionality that Sybase Unwired Platform would provide is not available.

      Note

      Limitation: For Android mobile devices, the direct access scenario is only supported with Android OS 4 or higher. That is, for mobile devices using the Android version 2.x and 3.x, this deployment scenario is not available.

      Caution

      To protect the confidentiality of the transferred data, such as logon data, create a secure connection from SAP NetWeaver Gateway to the mobile device using HTTPS.
      Note that for using HTTPS, the SAP Solution Manager system must hold a TLS certificate that the mobile devices running the mobile application recognize as valid.

    Figure Schematic System Landscape for Mobile Applications in SAP Solution Manager shows the different deployment scenarios.
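
The constraints stated for the two deployment scenarios (HTTPS, intranet-only direct access, Android 4 or higher for direct access) and the Application ID and OData path from section 2.2.2 can be checked before connection details are handed to users. The following Python check is an added example, not part of the SAP guide; the `Profile` record, the finding codes, the sample profiles, their host names and ports, and the `.corp.example` intranet suffix are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Values stated in the guide for SAP System Monitoring (section 2.2.2).
EXPECTED_APP_ID = "com.sap.solman.sysmonitoring"
EXPECTED_ODATA_PATH = "/sap/opu/odata/AIGW/TECHMON"
MIN_ANDROID_DIRECT = 4  # direct access is supported with Android OS 4 or higher


@dataclass
class Profile:
    """Hypothetical record of the settings an administrator prepares per user group."""
    name: str
    scenario: str   # "sup" (via Sybase Unwired Platform) or "direct" (gateway access)
    platform: str   # "ios" or "android"
    os_major: int
    endpoint: str   # application endpoint (sup) or gateway service URL (direct)
    app_id: str = EXPECTED_APP_ID


def is_intranet_host(host, intranet_suffixes):
    """Offline test: a private IP literal, or a name under an internal DNS suffix."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # not an IP literal, treat it as a DNS name
        return bool(host) and host.lower().endswith(tuple(intranet_suffixes))


def check_profile(p, intranet_suffixes=(".corp.example",)):
    """Return a list of finding codes; an empty list means no findings."""
    findings = []
    url = urlsplit(p.endpoint)
    host = url.hostname or ""
    # Logon data crosses this channel, so plain HTTP is always reported.
    if url.scheme != "https":
        findings.append("NO_HTTPS")
    if p.scenario == "sup":
        # Settings registered on Sybase Unwired Platform must match the guide.
        if p.app_id != EXPECTED_APP_ID:
            findings.append("APP_ID")
        if url.path.rstrip("/") != EXPECTED_ODATA_PATH:
            findings.append("ODATA_PATH")
    elif p.scenario == "direct":
        # Direct gateway access is for intranet use only.
        if not is_intranet_host(host, intranet_suffixes):
            findings.append("DIRECT_NOT_INTRANET")
        if p.platform == "android" and p.os_major < MIN_ANDROID_DIRECT:
            findings.append("ANDROID_TOO_OLD")
    else:
        findings.append("UNKNOWN_SCENARIO")
    return findings


def audit(profiles):
    """Map each profile name to its findings."""
    return {p.name: check_profile(p) for p in profiles}


# Constructed sample profiles (not taken from any real landscape).
SAMPLE_PROFILES = [
    Profile("ios-via-sup", "sup", "ios", 6,
            "https://gw.corp.example:8443/sap/opu/odata/AIGW/TECHMON"),
    Profile("android2-direct-internet", "direct", "android", 2,
            "http://gateway.example.com:8000/sap/opu/odata/AIGW/TECHMON"),
    Profile("android-sup-typo", "sup", "android", 4,
            "https://gw.corp.example/sap/opu/odata/AIGW/TECHMON_V2",
            app_id="com.sap.solman.sysmon"),
    Profile("android4-direct-intranet", "direct", "android", 4,
            "https://10.20.30.40:44300/sap/opu/odata/AIGW/TECHMON"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_PROFILES).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

The check does not resolve DNS names or validate the TLS certificate itself; whether the devices recognize the certificate as valid still has to be confirmed on the devices.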

    Note

    It depends on the deployment scenario which products are in the mobile system landscape. That is, even if a product is mentioned in the generic part of this guide, it might not be available in your deployment scenario.

    Note

    Generally, you must secure the communication channels. To make it difficult for unauthorized persons to obtain sensitive data passing through the channel between SAP NetWeaver Gateway and the consumer server, secure the communication channels using means such as the following:

    - Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Network Communications (SNC)
    - Designated network segments for communication pathways
    - Security schemes that defend against denial-of-service attacks

    3.1.3 Products in Mobile System Landscapes

    Depending on the deployment scenario, the system landscape for mobile applications in SAP Solution Manager can contain the following products:

    - SAP Solution Manager 7.1 SP06
      SAP Solution Manager acts as back-end system in the mobile system landscape. It provides business data and functions that can be accessed by using various means, among others, mobile applications.
    - SAP NetWeaver Gateway 2.0 SP04
      The SAP NetWeaver Gateway system uses OData services to provide back-end data and functions, and processes HTTP(S) requests for OData services. For more information, see SAP Library for SAP NetWeaver Gateway 2.0 on SAP Help Portal at http://help.sap.com/nwgateway20 Application Help Support Package 04 SAP NetWeaver Gateway SAP NetWeaver Gateway Master Guide SAP NetWeaver Gateway and OData.
    - SAP NetWeaver Gateway 2.0 SP04 Add-On IW_BEP
      An SAP NetWeaver Gateway component, IW_BEP (Back-End Enablement and Event Provisioning), deployed on the application back-end system, establishes the communication between the SAP NetWeaver Gateway system and the application back end for the purpose of OData provisioning. For more information, see SAP Library for SAP NetWeaver Gateway 2.0 on SAP Help Portal at http://help.sap.com/nwgateway20 Application Help Support Package 04 SAP NetWeaver Gateway SAP NetWeaver Gateway Developer Guide OData Channel Backend OData Channel.
    - Sybase Unwired Platform 2.1.3
      The Sybase Unwired Platform bridges the Internet and the intranet. For more information, see Sybase products at http://www.sybase.com Products Mobile Enterprise Sybase Unwired Platform.
    - Relay Server
      The Relay Server enables secure communication between mobile devices and back-end servers through a web server. For more information, see Sybase products at http://sybooks.sybase.com Sybase Unwired Platform Sybase Unwired Platform Fundamentals Unwired Platform Runtime Runtime Landscape Relay Server.
    - SAP Mobile Application
      The mobile application exposes business data and functions. For more information, see the application-specific part of this guide.

    3.2 Generic Installation Information

    These sections provide instructions on how to install a mobile application in SAP Solution Manager. They provide notes on all of the steps and settings relevant for the general deployment of a mobile application in SAP Solution Manager.

    Note

    Before you start the installation, note the following:

    - If you are installing a mobile application in SAP Solution Manager for the first time, you are advised to familiarize yourself first with the technical concepts of a mobile system landscape in SAP Solution Manager. For more information, see Generic Mobile System Landscape [page 17] in the generic part of this guide.
    - For specific instructions on how to configure the individual SAP mobile applications, see the application-specific part of this guide in addition to this generic part.
    - Ensure that you have read the information in section Information Available in SAP Service Marketplace [page 21].

    3.2.1 Information Available in SAP Service Marketplace

    Information on the following areas is available in the SAP Service Marketplace.

    | Description | Internet Address | More Information |
    |---|---|---|
    | SAP Notes | http://service.sap.com/notes | - |
    | Security | http://service.sap.com/security | For more information, see Generic Security Information [page 35] in the generic part of this guide. |
    | Installation Information | http://service.sap.com/instguides | For more information, see SAP Components SAP Mobile Applications. |
    | Software Download | http://service.sap.com/swdc | For more information, see Installations and Upgrades Browse Our Download Catalog SAP Mobile Solutions. |


    3.2.2 Further Documentation

    In addition to this document, you need the following documentation to install and operate mobile applications in SAP Solution Manager:

    | Description | Internet Address |
    |---|---|
    | SAP Library of SAP NetWeaver Gateway 2.0 SP04 | http://help.sap.com/nwgateway20 Application Help Support Package 04 SAP NetWeaver Gateway |
    | Information on Sybase products | http://www.sybase.com |
    | Sybase product documentation | http://sybooks.sybase.com |

    3.2.3 Installation Preparation

    3.2.3.1 Software Prerequisites

    Your application back-end system must have the following SAP NetWeaver release:

    - NW 702 SP11

    3.2.3.2 Software Download

    You download the software components from SAP Service Marketplace. You can also download the mobile applications from an app store.

    Access the download area in SAP Service Marketplace at http://service.sap.com/swdc Installations and Upgrades and, depending on the deployment scenario, download the following software components:

    1. SAP NetWeaver Gateway components
       The SAP NetWeaver Gateway 2.0 SP04 components are available for download and installation from the SAP Service Marketplace. In the download catalog, choose SAP Mobile Platform SAP NetWeaver Gateway SAP NetWeaver Gateway 2.0 Installation and Upgrade Downloads. The download object contains all SAP NetWeaver Gateway server components and back-end components such as IW_BEP 200 (Backend Enablement and Event Provisioning).

       Note

       - For more information about the hardware and software requirements for downloading and installing the SAP NetWeaver Gateway components, see Installation Prerequisites and Installing SAP NetWeaver Gateway Components in SAP Library for SAP NetWeaver Gateway 2.0 SP04 on SAP Help Portal at http://help.sap.com/nwgateway20 Application Help Support Package 04 SAP NetWeaver Gateway SAP NetWeaver Gateway Installation Guide.
       - For IW_BEP, refer to the Optional Installation Components section.
       - In addition, see Software Prerequisites [external document] in the generic part of this guide.

    2. Sybase Unwired Platform

       Note

       The following settings only apply in the access via Sybase Unwired Platform scenario.

       - Sybase Unwired Platform is available for download and installation from the SAP Service Marketplace. In the download catalog, choose SAP Mobile Platform Sybase Unwired Platform.

       Note

       The hardware and software requirements for Sybase Unwired Platform can also be found in the download area.

    3. SAP Mobile Application
       The mobile applications in SAP Solution Manager are available for download and installation from the SAP Service Marketplace or linked in SAP Service Marketplace to the corresponding app store. For mobile devices running the Android operating system, download the mobile application from SAP Service Marketplace or on Google Play at https://play.google.com/store.

    3.2.4 Installation

    This section provides installation instructions on how to build the infrastructure for mobile applications in SAP Solution Manager.

    If an infrastructure already exists for mobile applications in SAP Solution Manager, you can skip Initial Installation [page 24] and proceed with Follow-On Installation [page 26].

    Note

    For information about the minimum hardware requirements of each component, see the corresponding installation guide.

    3.2.4.1 Initial Installation

    3.2.4.1.1 Main Installation Steps

    If you are installing a mobile system landscape for the first time, depending on the deployment scenario, follow these main steps for an installation.

    Note

    Make sure that you import the newest SPAM/SAINT update before starting the installation. For more information about how to update the transaction, see SAP Library for SAP NetWeaver 7.0 EHP2 on SAP Help Portal at http://help.sap.com/nw702 Application Help SAP Library SAP NetWeaver 7.0 EHP 2 SAP NetWeaver SAP NetWeaver by Key Capability Solution Life Cycle Management by Key Capability Software Life Cycle Management Software Maintenance Add-On Installation Tool Importing a SPAM/SAINT Update. For more information about transaction SAINT, see SAP Note 504134.

    1. To create SAP NetWeaver Gateway content with OData Channel, install optional component IW_BEP (Back-End Enablement and Event Provisioning). For more information, see Optional Installation Components in SAP Library for SAP NetWeaver Gateway 2.0 SP04 on SAP Help Portal at http://help.sap.com/nwgateway20 Application Help Support Package 04 SAP NetWeaver Gateway SAP NetWeaver Gateway Installation Guide Installing SAP NetWeaver Components.

    2. Construct the SAP NetWeaver Gateway 2.0 SP04 infrastructure, which consists of several server components. Perform the following steps:
       - Install SAP NetWeaver Gateway 2.0 SP04 as described in section Software in SAP Library for SAP NetWeaver Gateway 2.0 SP04 on SAP Help Portal at http://help.sap.com/nwgateway20 Application Help Support Package 04 SAP NetWeaver Gateway SAP NetWeaver Gateway Installation Guide Installation Prerequisites.
       - Install WEBCUIF 700 and upgrade it to WEBCUIF 701 in your system landscape. WEBCUIF 701 is a prerequisite for SAP NetWeaver Gateway component IW_FND 250, which needs to be installed in a later step.
       - In addition, install the following SAP NetWeaver Gateway components as described in SAP Library for SAP NetWeaver Gateway 2.0 SP04 on SAP Help Portal at http://help.sap.com/nwgateway20 Application Help Support Package 04 SAP NetWeaver Gateway SAP NetWeaver Gateway Installation Guide Installing SAP NetWeaver Gateway Components:
         - GW_CORE 200
         - IW_FND 250

    3. Note

       The following settings only apply in the access via Sybase Unwired Platform scenario.

       Construct the Sybase Unwired Platform 2.1.3 infrastructure. This includes the Sybase Unwired Platform with the optional component and data exchange technology Relay Server. For more information about how to install Sybase components and technology, see the Sybase product documentation at http://sybooks.sybase.com under Sybase Unwired Platform 2.1.

    4. Once you have installed and configured the infrastructure, you can install and configure the mobile applications on the devices.

       Caution

       As a prerequisite, all post installation steps have to be executed first before you can make the necessary settings and operate the mobile application. For more information, see Post Installation [page 27] in the generic part of this guide.

       Note

       For more information about installing the mobile application on the device, see Installing the Mobile Application on the Device [page 33].

    3.2.4.1.2 Installation Sequence

    For a detailed overview of the installation steps, see Main Installation Steps [page 24] in the generic part of this guide.

    The following tables show the installation sequence:

    SAP Solution Manager System

    1. Installation of SAP Solution Manager 7.1 SP06
       For detailed information, see http://help.sap.com/solutionmanager71 Installation and Upgrade Information.
    2. Installation of SAP NetWeaver Gateway components IW_BEP and IW_FND
       For detailed information, see SAP Library for SAP NetWeaver Gateway 2.0 on SAP Help Portal at http://help.sap.com/nwgateway20 Installation and Upgrade Information Installation Guide Installing SAP NetWeaver Components

    Note

    The following table only applies if SAP NetWeaver Gateway is deployed as central hub.

    SAP NetWeaver Gateway Server

    1. Installation of SAP NetWeaver Gateway 2.0 SP04
       For detailed information, see SAP Library for SAP NetWeaver Gateway 2.0 on SAP Help Portal at http://help.sap.com/nwgateway20 Installation and Upgrade Information Installation Guide
    2. Installation of SAP NetWeaver Gateway component IW_FND
       For detailed information, see SAP Library for SAP NetWeaver Gateway 2.0 on SAP Help Portal at http://help.sap.com/nwgateway20 Installation and Upgrade Information Installation Guide Installing SAP NetWeaver Components

    Note

    The following tables only apply in a scenario where SUP Server and Relay Server are deployed.

    Sybase Unwired Platform Server

    1. Installation of Sybase Unwired Platform 2.1.3
       For more information, see the Sybase product documentation at http://sybooks.sybase.com Sybase Unwired Platform Sybase Unwired Platform 2.1 ESD #3.

    Relay Server

    1. Installation of Relay Server
       For more information, see the Sybase product documentation at http://sybooks.sybase.com Sybase Unwired Platform 2.1 Installation Guide for Runtime 2.1 System Deployment System Deployment Overview Relay Server Deployment.

    3.2.4.2 Follow-On Installation

    If this is a follow-on installation, the infrastructure for the mobile application and the back end is already prepared.

    Note

    Make sure that you have carried out all steps in section Initial Installation [page 24] when you install an additional mobile application. Ensure that you have read the relevant section for the user concept and security settings. For more information, see Generic Security Information [page 35] in the generic part of this guide.

    You only need to carry out some of the steps listed in section Main Installation Steps [page 24] in the generic part of this guide:

    1. When the infrastructure and the back end have been installed and configured, perform the post installation steps for the infrastructure.

       Caution

       As a prerequisite, all post installation steps have to be performed first before you can configure and operate the mobile application.

    2. Install and configure the mobile application on the devices.

    3.2.5 Post Installation

    After you have installed the relevant components in your mobile system landscape, you can start configuring and enabling the technical communication between the various components. Depending on the deployment scenario, the main steps are as follows:

    - Configuring the Application Back End [page 28]
    - Configuring SAP NetWeaver Gateway [page 28]
    - Configuring Sybase Unwired Platform [page 30]
    - Configuring Sybase Relay Server [page 31]
    - Connecting SAP Solution Manager with SAP NetWeaver Gateway [page 31]
    - Connecting SAP NetWeaver Gateway with Sybase Unwired Platform [page 31]
    - Creating Users and Assigning Authorizations [page 31]
    - Registering Users and Mobile Application in Sybase Unwired Platform [page 32]
    - Installing the Mobile Application on the Device [page 33]
    - Steps for the End User to Get the Mobile Application Running [page 34]

    Note

    Before you start configuring each component, you need to be aware of the user concept in the mobile system landscape. To obtain an overview of the user concept in the mobile system landscape, see User Administration and Authentication [page 36] in the generic part of this guide.

    3.2.5.1 Configuring the Application Back End

    To configure the application back-end system, perform the following steps:

    - Settings for the mobile applications
      For more information about configuring the application back-end system for the mobile applications, see Post Installation in the application-specific part of this guide.
    - Configuration for IW_BEP (OData Channel)
      For more information about the OData Channel settings for the SAP NetWeaver Gateway component IW_BEP, see Configuring SAP NetWeaver Gateway [page 28].

    3.2.5.2 Configuring SAP NetWeaver Gateway

    After you have installed SAP NetWeaver Gateway, you have to configure the SAP NetWeaver Gateway system and configure the settings for OData Channel.

    Note

    For information about the configuration of the complete SAP NetWeaver Gateway component, see SAP Library for SAP NetWeaver Gateway 2.0 SP04 on SAP Help Portal at http://help.sap.com/nwgateway20 Application Help Support Package 04 SAP NetWeaver Gateway SAP NetWeaver Gateway Configuration Guide.

    Prerequisites

    - You have carried out the required installation steps for the SAP NetWeaver Gateway components as described in the Main Installation Steps section of this guide.
    - In the access via Sybase Unwired Platform deployment scenario, the usage of Sybase Unwired Platform is mandatory. If your system landscape differs from this deployment scenario, you have to adjust the gateway settings according to your scenario.

    Procedure

    Only the following gateway services and components are used in the mobile system landscape of SAP Solution Manager:

    - OData Services
    - Back-End Enablement and Event Provisioning (IW_BEP 200)
    - Framework component IW_FND 250

    Consequently, you have to execute the following activities:

    1. Activating SAP NetWeaver Gateway
       - Embedded system scenario:
         You activate the gateway in the SAP Solution Manager Configuration System Preparation scenario in the Configure Gateway step. Furthermore, all SAP Solution Manager services are activated in this step.
       - SAP NetWeaver Gateway as central hub scenario:
         You activate a service that is specific for your mobile application from the SAP Solution Manager system. This activation stores the relationship between the service, the system alias, and the related model. For more information, see SAP NetWeaver Gateway Configuration Guide OData Channel Configuration Activating SAP NetWeaver Gateway.

    2. Connection settings: SAP NetWeaver Gateway to SAP Solution Manager (only in the case of a SAP NetWeaver Gateway as central hub scenario)
       You must configure settings for SAP NetWeaver Gateway components and define how these settings interface with your existing SAP Solution Manager system (back-end system). Make these settings in Customizing for SAP Solution Manager under SAP Solution Manager Implementation Guide SAP Customizing Implementation Guide SAP NetWeaver Gateway.

    3. Settings for OData Channel on the SAP NetWeaver Gateway system (only in the case of a SAP NetWeaver Gateway as central hub scenario)
       When using OData Channel, you retrieve your data from a back-end system, meaning an SAP Solution Manager system where you define your service. For more information, see SAP NetWeaver Gateway Configuration Guide OData Channel Configuration Settings for OData Channel Service Development on the Hub System Activate and Maintain Services.

       Note

       When activating the ICF node, choose Standard Mode and node type ODATA (with green traffic lights). For more information, see the release notes in SAP Library for SAP NetWeaver Gateway 2.0 on SAP Help Portal at http://help.sap.com/nwgateway20 What's New Release Notes Release Notes.

    4. Users and Authorizations for SAP NetWeaver Gateway
       For SAP NetWeaver Gateway, you have to set up roles and assign users to them. For more information about the users and authorizations to maintain, see SAP NetWeaver Gateway Configuration Guide OData Channel Configuration User, Developer and Administrator Authorizations. However, you have to consider only the following templates and roles:

       Roles
       - SAP NetWeaver Gateway Administrator Role
       - SAP NetWeaver Gateway User Role

       Templates
       - Framework Templates
         - SAP NetWeaver Gateway Framework Administrator: /IWFND/RT_ADMIN
         - SAP NetWeaver Gateway User: /IWFND/RT_GW_USER
       - OData Channel Templates
         - OData Channel Administrator: /IWBEP/RT_MGW_ADM
         - OData Channel Developer: /IWBEP/RT_MGW_DEV
         - OData Channel User: /IWBEP/RT_MGW_USR
       - Support Templates
         - Read-only role for SAP NetWeaver Gateway supportability: /IWFND/GW_SUPPORT_RO
         - Read-only role for SAP NetWeaver Gateway supportability: /IWBEP/GW_SUPPORT_RO

    5. Supported Languages in SAP NetWeaver Gateway
       Make the settings for supported languages. For more information, see SAP NetWeaver Gateway Configuration Guide Basic Configuration Settings Language Settings.

       Note

       You should note the following requirements:
       - Both systems, Gateway and client, must provide the same default language, for example, English.
       - Both systems provide the same logon languages. If this is not the case, ensure that the gateway system has a subset of the languages of the back-end system.
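The template list in step 4 and the language requirements in step 5 can be checked against a planned configuration before users are created. The following Python code is an added example, not SAP code and not part of the original guide; the input structures, the account kinds, the mapping of account kinds to template kinds, and the name Z_SAMPLE_TEMPLATE are assumptions made for illustration.

```python
# Added example (not SAP code): audit a planned Gateway setup against
# steps 4 and 5 of the procedure above. All input data is constructed.

# Authorization templates named in step 4, tagged by the kind of access.
GUIDE_TEMPLATES = {
    "/IWFND/RT_ADMIN": "admin",
    "/IWFND/RT_GW_USER": "user",
    "/IWBEP/RT_MGW_ADM": "admin",
    "/IWBEP/RT_MGW_DEV": "developer",
    "/IWBEP/RT_MGW_USR": "user",
    "/IWFND/GW_SUPPORT_RO": "support",
    "/IWBEP/GW_SUPPORT_RO": "support",
}

# Assumption of this example (least privilege), not a rule from the guide:
# which template kinds each kind of account is expected to hold.
ALLOWED_KINDS = {
    "mobile_user": {"user"},
    "administrator": {"user", "admin", "support"},
    "developer": {"user", "developer"},
    "support": {"support"},
}


def audit_templates(assignments):
    """Return (user, message) findings for {user: (account_kind, [templates])}."""
    findings = []
    for user, (kind, templates) in sorted(assignments.items()):
        allowed = ALLOWED_KINDS.get(kind)
        if allowed is None:
            findings.append((user, "unknown account kind: " + kind))
            continue
        for template in templates:
            name = template.strip().upper()
            template_kind = GUIDE_TEMPLATES.get(name)
            if template_kind is None:
                findings.append((user, "template not in guide list: " + name))
            elif template_kind not in allowed:
                findings.append(
                    (user, f"{kind} holds {template_kind} template {name}"))
    return findings


def audit_languages(gateway, backend):
    """Check the step 5 note: same default language, and the gateway logon
    languages equal to or a subset of those of the other system. The note
    names the other system "client" once and "back-end system" once; this
    example treats both as the same system (assumption)."""
    findings = []
    gw_default = gateway["default"].strip().upper()
    be_default = backend["default"].strip().upper()
    if gw_default != be_default:
        findings.append(
            f"default language differs: gateway {gw_default}, back end {be_default}")
    gw_logon = {lang.strip().upper() for lang in gateway["logon"]}
    be_logon = {lang.strip().upper() for lang in backend["logon"]}
    extra = sorted(gw_logon - be_logon)
    if extra:
        findings.append(
            "gateway logon languages not on back end: " + ", ".join(extra))
    return findings


# Constructed sample input. Z_SAMPLE_TEMPLATE is a made-up name that stands
# for any template outside the guide's list.
SAMPLE_ASSIGNMENTS = {
    "MOBILE01": ("mobile_user", ["/IWFND/RT_GW_USER", "/iwbep/rt_mgw_usr"]),
    "MOBILE02": ("mobile_user", ["/IWFND/RT_GW_USER", "/IWBEP/RT_MGW_DEV"]),
    "GWADMIN": ("administrator", ["/IWFND/RT_ADMIN", "/IWBEP/RT_MGW_ADM"]),
    "HELPDESK": ("support", ["/IWFND/GW_SUPPORT_RO", "Z_SAMPLE_TEMPLATE"]),
}
SAMPLE_GATEWAY_LANGS = {"default": "EN", "logon": ["EN", "DE", "FR"]}
SAMPLE_BACKEND_LANGS = {"default": "EN", "logon": ["EN", "DE"]}

if __name__ == "__main__":
    for user, message in audit_templates(SAMPLE_ASSIGNMENTS):
        print(f"{user}: {message}")
    for message in audit_languages(SAMPLE_GATEWAY_LANGS, SAMPLE_BACKEND_LANGS):
        print(message)
```
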

    3.2.5.3 Configuring Sybase Unwired Platform

    Note

    This section only applies in the access via Sybase Unwired Platform scenario.

    After installing, you configure the Sybase Unwired Platform. To make yourself familiar with the configuration settings and the configuration of the authentication method, see the Sybase product documentation at http://sybooks.sybase.com Sybase Unwired Platform 2.1 ESD #3.

    For more information about the authentication options and the configuration settings, see User Authentication [page 39] and Registering Users and Mobile Application in Sybase Unwired Platform [page 32] in the generic part of this guide.

    To use basic authentication, each mobile application must be assigned a security configuration. A security configuration defines the mechanisms used for securing Sybase Unwired Platform. You have to create or configure the required security configuration.

    For more information, see the Sybase product documentation at http://sybooks.sybase.com Sybase Unwired Platform 2.1 ESD #3:

    - Sybase Control Center for Sybase Unwired Platform Administer Security Configurations Creating a Security Configuration Security Providers
    - Security Security Reference Security Provider Configuration Properties

    For application-specific settings on the Sybase Unwired Platform, see Post Installation in the application-specific part of this guide.

    3.2.5.4 Configuring Sybase Relay Server

    Note

    This section only applies in the access via Sybase Unwired Platform scenario.

    After installing, you configure the Sybase Relay Server. For more information, see the Sybase product documentation at http://sybooks.sybase.com Sybase Unwired Platform Sybase Control Center for Sybase Unwired Platform Administer Relay Server.

    3.2.5.5 Connecting SAP Solution Manager with SAP NetWeaver Gateway

    Note

    This section only applies if SAP NetWeaver Gateway is deployed as central hub.

    In the SAP NetWeaver Gateway, connect SAP Solution Manager to trusted RFC destinations. For more information, see Configuring SAP NetWeaver Gateway [page 28] in the generic part of this guide.

    3.2.5.6 Connecting SAP NetWeaver Gateway with Sybase Unwired Platform

    Note

    This section only applies if SAP NetWeaver Gateway is deployed as central hub and in the access via Sybase Unwired Platform scenario.

    In the SAP NetWeaver Gateway system, create a trusted RFC destination. For more information, see Configuring SAP NetWeaver Gateway [page 28] in the generic part of this guide.

    3.2.5.7 Creating Users and Assigning Authorizations

    Note

    It is important that you understand the user concept in the mobile system landscape. To obtain an overview of the user concept in the mobile system landscape, see User Administration and Authentication [page 36] in the generic part of this guide.

    - You have to create users in the SAP NetWeaver Gateway and in SAP Solution Manager. For more information about creating users, see User Management [page 37] in the generic part of this guide.
    - You have to apply user authentication settings. For more information about user authentication, see User Authentication [page 39] in the generic part of this guide.
    - Mobile application users need dedicated authorizations in the Gateway and, depending on the application, in SAP Solution Manager. For more information about authorization settings, see Authorizations [page 41] in the generic part of this guide.

    3.2.5.8 Registering Users and Mobile Application in Sybase Unwired Platform

    Note

    This section only applies in the access via Sybase Unwired Platform scenario.

    The Sybase Unwired Platform must possess the information about the application and the related device and user IDs. For this reason, you have to register the application and configure it for the registration of the users and devices.

    There are two methods for registering users: manual and automatic.

    - With automatic registration, each user is registered when they log on to the mobile application with valid credentials.
    - With manual registration, you need to create all mobile users manually on Sybase Unwired Platform.

    The advantage of manual registration is that you can define a whitelist of the users that are allowed to use the application. However, mind that manual registration can be a very time-consuming task. Automatic registration is more convenient, but allows every user that possesses valid credentials to access the application.

    Not every application supports both registration methods. For more information about the supported registration methods and the required credentials and connection data, see the application-specific part of this guide.

    Prerequisites

    You have performed the basic configuration tasks on Sybase Unwired Platform and decided about the authentication method you want to use. For more information, see User Authentication [page 39] and Configuring Sybase Unwired Platform [page 30] in the generic part of this guide.

    If automatic user creation shall be supported, you must have created an Application Connection Template that enables automatic application connection registration. If there are many users, the use of Application Connection Templates is recommended for manual configuration also. For more information, see the Sybase product documentation at http://sybooks.sybase.com Sybase Unwired Platform 2.1 ESD #3 Administer Applications Application Connection Templates.

    Procedure

    1. Register the mobile application.
       a) In Sybase Control Center, enter the name of the mobile application. For the application ID of the mobile application, see Post Installation in the application-specific part of this guide.
       b) Select the Configure Additional Settings checkbox to make further settings.
       c) For the proxy settings, enter the following data:
          - For Property, choose Application Endpoint from the selection menu.
          - For Value, enter the Gateway URL for the application. The URL is generated in the Gateway when the corresponding service is activated. For the Gateway URL, see Post Installation in the application-specific part of this guide.
       d) Save your entries.
       For more information, see the Sybase product documentation at http://sybooks.sybase.com Sybase Unwired Platform 2.1 ESD #3 System Administration Application and User Management Overview Application Creation.

    2. Register mobile users for a device and for a mobile application.
       If your security configuration requires you to manually register users on Sybase Unwired Platform instead of automatically registering them during first access, you need to enter a mobile user for each mobile application and for each mobile device. For example, if you use two mobile applications on the same mobile device, you need to register two mobile users.

    More Information

    For more information about registering the application and user on the Sybase Control Center for Unwired Platform, see the Sybase product documentation at http://sybooks.sybase.com Sybase Unwired Platform Sybase Unwired Platform 2.1 ESD #3:

    - Application and User Management Overview Application Creation Manually Creating Applications Setting General Application Properties
    - Sybase Control Center for Sybase Unwired Platform Administer Applications Setting Up Application and User Connections

    3.2.5.9 Installing the Mobile Application on the Device

    The users install the mobile application on their devices.

    For more information about installing the mobile application, see SAP Library for Mobile Apps in SAP Solution Manager on SAP Help Portal at http://help.sap.com/solutionmanager SAP Solution Manager Mobile Apps Installing the Mobile App on the Device.

    3.2.5.10 Steps for the End User to Get the Mobile Application Running

    Note

    Before using the mobile application in productive mode, the users can try out the application in the demo mode. In the demo mode, the application displays demo data only, and no further configuration is required.

    After users have successfully installed the mobile application on the device, to provide the connection settings, they have to perform some additional steps when starting the mobile application for the first time.

    Not all the steps are mandatory. The settings that the user has to specify depend on different factors such as the following:

    - Deployment scenario
    - Configuration on the Sybase Unwired Platform server, if used, like security configuration or type of user registration.
    - Type and operating system of the mobile application

    If you do not provide the users with instructions on how to configure the mobile application, ensure the following:

    - The setup of Sybase Unwired Platform matches the default values in the mobile application.
    - The server name is known to the users.
    - The user name and the initial password are known to the users.

    Otherwise, provide the users with instructions about the configuration settings.

    Note

    For more information about the specific settings of the mobile application, see the Post Installation section in the application-specific part of this guide.

    For more information about configuring the mobile application and the required connection data, in the application-specific part of this guide, in the Post Installation section, see Configuration of the Mobile Application.

    Application activation without additional settings is only possible if you use automatic user registration and if the SUP configuration matches the default settings in the application. For more information, see Registering Users and Mobile Application in Sybase Unwired Platform [page 32] in the generic part of this guide. For more information about the authentication options, see User Authentication [page 39] in the generic part of this guide.

    The user must perform the following steps:

    1. The user starts the application.

    2. The user navigates to the configuration mode.

    3. The user enters the connection data.

    4. The user enters the relevant user and password to log on to SAP Solution Manager.

       Note

       For basic authentication with SAP NetWeaver Gateway password, this is to be carried out only after the users have changed their initial password on the Gateway system, see User Authentication [page 39] and Steps to Enable Mobile Application Users to Change Their Password [page 40] in the generic part of this guide.

       Caution

       Before you connect the mobile application on your device with Sybase Unwired Platform, ensure that you are aware of the security sections in the generic part of this guide, see in particular Communication Channel Security [page 44], to protect your data against attacks.

    5. The user enters the application passcode, if required.
       The application passcode is used to protect the application from unauthorized usage and for storing security-relevant data, such as passwords, in the secure storage (data vault). For more information about the data vault, see Data Protection [page 48] in the generic part of this guide. The application passcode implementation is application-specific. That is, some applications do not support the application passcode. For the other applications, it is either mandatory or configurable.

    6. If you have provided the users with instructions, the users make further configuration settings. These settings depend on the mobile application.

    Finally, the device changes to the first screen of the mobile application with back-end data. The next time the user starts the application, only the application passcode is needed (if required).

    3.3 Generic Security Information

    3.3.1 Before You Start

    The mobile applications in SAP Solution Manager are built from several components. Therefore, the corresponding component security guides also apply to the mobile applications in SAP Solution Manager. Note the most relevant sections or specific restrictions as indicated in the table below.


    Fundamental Security Guides

    | Security Guide | Location |
    | Security Guide of SAP Solution Manager | See SAP Library for SAP Solution Manager 7.1 on SAP Help Portal at http://help.sap.com/solutionmanager71 Security Information SAP Service Marketplace Operations Security Guide SAP Solution Manager 7.1. |
    | SAP NetWeaver Gateway Security Guide | See SAP Library for SAP NetWeaver Gateway 2.0 SP04 on SAP Help Portal at http://help.sap.com/nwgateway20 Application Help Support Package 04 SAP NetWeaver Gateway SAP NetWeaver Gateway Security Guide. |
    | Sybase Unwired Platform | See the Sybase product documentation at http://sybooks.sybase.com Sybase Unwired Platform Sybase Unwired Platform 2.1 ESD #3 Security. |

    For a complete list of the available SAP Security Guides, see SAP Service Marketplace at http://service.sap.com/securityguide.

    3.3.2 User Administration and Authentication

    The mobile applications use the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP, and with SAP Solution Manager, as well as with Sybase Unwired Platform.

    Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide and in the Security Guide for SAP Solution Manager also apply to the mobile applications.

    Note

    You can find these guides in SAP Library for SAP NetWeaver and SAP Solution Manager on SAP Help Portal at:

    - http://help.sap.com/nw702 Application Help SAP Library SAP NetWeaver EHP2 SAP NetWeaver Administrator's Guide SAP NetWeaver Security Guide Security Guides for SAP NetWeaver According to Usage Types SAP NetWeaver Application Server ABAP Security Guide.

    - http://help.sap.com/solutionmanager71 Security Information Security Guide (SAP Service Marketplace) 4 Operations Security Guide SAP Solution Manager 7.1

    Mobile applications provide access to back-end functions from outside the corporate network. This results in additional challenges, such as how to authenticate the user via the mobile device. The following topics include information about user administration and authentication that specifically applies to the mobile applications in SAP Solution Manager and differs in specific aspects from the SAP NetWeaver Application Server ABAP:

    - User Management [page 37]
      This topic describes the user management concept and lists the tools used for user management and the types of users required.

    - User Data Synchronization
      You can use the Central User Administration (CUA) or your existing Identity Management system to ensure the users on SAP NetWeaver Gateway and in the back end match. These users need to have the same user name in both systems.

    - User Authentication [page 39]
      This topic describes user authentication for SAP Solution Manager mobile applications.

    3.3.2.1 User Management

    User management for the mobile applications uses the mechanisms provided with the SAP NetWeaver Application Server ABAP, for example, tools, user types, and password policies. For an overview of how these mechanisms apply to the mobile applications and what additional mechanisms they need, see the sections below.

    3.3.2.1.1 User Management Concept

    The mobile applications are based on the following user management concept:

    - Users in the Back-End System (SU01, PFCG)
      The existing users are used in the back-end system. The authorizations required for a particular mobile application are provided using a PFCG role delivered for each mobile application. For more information, see Authorizations [page 41] in the generic part of this guide.
      For authorizations that the mobile applications require, see the Authorizations section in the application-specific part of this guide.

    Note

    If you enable users who only ever access the back end using mobile applications, you should create these users without a password. This protects them against attacks that exploit incorrect/insecure password handling (these users are unlikely to change the initial password if they do not actually need to).

    - Users in SAP NetWeaver Gateway (SU01, PFCG)
      The mobile application users also need a user in SAP NetWeaver Gateway. They must have the same user name as the users in the back end. The user requires certain authorizations that allow the services of the mobile application to be triggered in the back end. If you copy the users from the back-end users, note the following recommendations:

    Recommendation

      - If you use basic authentication to authenticate the requests from the mobile device on SAP NetWeaver Gateway, you can copy the back-end password or set an initial password. We recommend setting an individual, initial password. The mobile user has to change the password before using the mobile application and then store the new password on the mobile device.

    For information about basic authentication, see User Authentication [page 39] in the generic part of this guide.
    For more information about authorization settings in the SAP NetWeaver Gateway system, see Authorizations [page 41] in the generic part of this guide.
    For more information about encryption of users, see Data Protection [page 48] in the generic part of this guide.
    The same recommendations apply if you prefer to create the users from scratch.

    Caution

    If a device is lost or stolen, users in SAP NetWeaver Gateway need to be locked, see Management of Mobile Applications with Impacts on Security [page 49] in the generic part of this guide.

    - User and Device Registration on Sybase Unwired Platform
      On Sybase Unwired Platform, mobile application users and their devices are registered for specific mobile applications. Registration can be done manually or automatically (in a self-service mode). For the available registration methods of the mobile application, see the application-specific part of this guide.
      For more information, see Registering Users and Mobile Application in Sybase Unwired Platform [page 32] and the Sybase product documentation at http://sybooks.sybase.com Sybase Unwired Platform 2.1 ESD #3 System Administration Application and User Management Overview.

    Note

    Sybase Unwired Platform authenticates users, but no separate user master data needs to be maintained on the Sybase Unwired Platform.

    Caution

    If a device is lost or stolen, users and devices need to be unregistered on Sybase Unwired Platform, see Management of Mobile Applications with Impacts on Security [page 49] in the generic part of this guide.

    - User on the Mobile Device
      The mobile application user provides the back-end credentials together with other settings.


    3.3.2.1.2 User Administration Tools

    The table below shows the tools used for user management and user administration with the mobile applications.

    | Tool | Detailed Description | Prerequisites |
    | User and role maintenance with SAP NetWeaver AS ABAP (transactions SU01, PFCG) | For more information, see SAP Library for SAP NetWeaver 7.0 EHP2 on SAP Help Portal at http://help.sap.com/nw702 Application Help SAP Library SAP NetWeaver 7.0 EHP2 SAP NetWeaver SAP NetWeaver by Key Capability Security Identity Management User and Role Administration of AS ABAP. | |

    3.3.2.1.3 User Types

    The mobile applications only require users of type individual user. These are dialog users and they are used for mobile applications in general. Specific (such as consumer-facing) applications may define other user types in SAP NetWeaver Gateway and the back end such as internet users or service users for anonymous access. If so, this is mentioned in the application-specific part of this guide.

    For more information about these user types, see SAP Library for SAP NetWeaver 7.0 EHP2 on SAP Help Portal at http://help.sap.com/nw702 Application Help SAP Library SAP NetWeaver 7.0 EHP 2 SAP NetWeaver Administrator's Guide SAP NetWeaver Security Guide Security Guides for SAP NetWeaver According to Usage Types Security Guide for Usage Type AS SAP NetWeaver Application Server ABAP Security Guide User Authentication User Types.

    3.3.2.2 User Authentication Mechanism

    3.3.2.2.1 User Authentication

    The mobile applications in SAP Solution Manager support the following authentication mechanisms:

    Manual Authentication

    With manual authentication, the administrator manually registers the user in Sybase Unwired Platform and assigns an activation code. To authenticate the mobile application, the user enters the activation code in the mobile application settings.


    Basic Authentication with SAP NetWeaver Gateway Password

    With this mechanism, the mobile user can store the Gateway user name and password on the device. For information about the security mechanisms that are used to protect the data, see Data Protection [page 48] in the generic part of this guide.

    You can copy the back-end users if new users have to be created in SAP NetWeaver Gateway.

    Recommendation

    We recommend not copying the back-end password but setting an individual, initial password instead.

    The mobile user has to change the password before using the mobile application and afterwards store the new password on the mobile device. For more information about how the initial password change can be organized, see Steps to Enable Mobile Application Users to Change Their Password [page 40] in the generic part of this guide.

    Note

    You can force users to change their passwords after a set period of time (profile parameter login/password_expiration_time). Changing expired passwords requires the same steps as changing the initial password. In this case, back-end access does not work any longer. The user must log out and log on again with the new password.

    3.3.2.2.2 Steps to Enable Mobile Application Users to Change Their Passwords

    Recommendation

    We recommend that you disable the calling of the OData service with an initial password. For more information, see SAP Library for SAP NetWeaver Gateway 2.0 SP04 on SAP Help Portal at http://help.sap.com/nwgateway20 Application Help Support Package 04 SAP NetWeaver Gateway SAP NetWeaver Gateway Configuration Guide Basic Configuration Settings Initial Login and refer to the section Changing the Authentication Mechanism for ICF Nodes Accessed by Mobile Devices.

    As a mobile application user, choose one of the following options to change the initial password:

    - If you are used to working with SAP GUI as well, the easiest way of changing the initial password is to log on to the Gateway once and follow the dialog for changing the password. The changed password can then be entered on the mobile device.

    - If you do not have access to SAP NetWeaver Gateway via SAP GUI, proceed as follows:
      On the SAP NetWeaver Gateway system, you can change the password via a browser application with a special ICF node delivered by Gateway. For more information, see SAP NetWeaver Gateway Configuration Guide Basic Configuration Settings Initial Login and refer to the section Using an ICF Node for Changing Passwords. With this option you have the advantage of being able to display additional information on the redirectURL to the mobile application users.

    3.3.2.3 Authorizations

    The mobile applications use the authorization concept provided by SAP NetWeaver AS ABAP and SAP Solution Manager. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP and Security Guide SAP Solution Manager also apply to the mobile applications.

    The SAP NetWeaver authorization concept assigns authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the AS ABAP.

    Note

    For more information about how to create roles, see SAP Library for SAP NetWeaver 7.0 EHP2 on SAP Help Portal at http://help.sap.com/nw702 Application Help SAP Library SAP NetWeaver 7.0 EHP 2 SAP NetWeaver SAP NetWeaver by Key Capability Security Identity Management User and Role Administration of AS ABAP Configuration of User and Role Administration Role Administration.

    Role and Authorization Concept for Mobile Applications

    The authorization concept has two aspects:

    - Authorizations on SAP NetWeaver Gateway: Each user who installs the mobile application on their mobile device must be authorized in SAP NetWeaver Gateway. In addition, each mobile application delivers an OData Service for accessing the back-end functions and data. The user on the SAP NetWeaver Gateway needs the authorizations to trigger this OData service.

    - Authorizations in the back-end system: The user in the back end needs the authorizations to access the OData service in the back end and all authorizations needed for the business processes related to them. SAP delivers a role with these business authorizations for each mobile application.

    Depending on the system landscape scenario, the steps for setting up roles and authorizations partly differ.

    Note

    There are no further authorization checks on the Sybase Unwired Platform or the mobile device.

    Authorization Settings in the SAP NetWeaver Gateway System

    To enable the user to access SAP NetWeaver Gateway, do the following:

    - Assign the authorizations of authorization template /IWFND/RT_GW_USER to the user who installs the mobile application on their mobile device. For more information, see the Customizing in SAP NetWeaver Gateway OData Channel Configuration User Settings Define Role for SAP NetWeaver Gateway User.

    - For reporting and workflow functions, assign the authorizations of authorization templates /IWCNT/RT_USER_REP and /IWCNT/RT_USER_WF to the user. For more information, see the Customizing in SAP NetWeaver Gateway OData Channel Configuration User Settings Enhance Role for SAP NetWeaver Gateway SAP System User.

    To trigger the OData service used by a mobile application in the back end, a role with the S_SERVICE authorization object (Check at Start of External Services) with the corresponding service name has to be created and assigned to the user on SAP NetWeaver Gateway.

    1. Activation of the OData service:
       - Embedded system scenario:
         In the SAP Solution Manager Configuration System Preparation scenario, in the Configure Gateway step, make sure that the gateway services are activated.
       - SAP NetWeaver Gateway as central hub scenario:
         While configuring SAP NetWeaver Gateway, you activate the application-specific OData service. For more information, see Configuring SAP NetWeaver Gateway [page 28] in the generic part of this guide.
         You need the name of the activated service to maintain the authorization (see the application-specific part of this guide).

    2. In transaction PFCG, create a service-specific or mobile application-specific role with authorization object S_SERVICE (Check at Start of External Services). Do not specify further authorization values, but exit authorization maintenance. On the menu tab, insert a node into the role menu by choosing Authorization Default TADIR Service. Enter the following values:
       - R3TR
       - IWSG
       - Then generate the profile in authorization maintenance.

    3. Assign the new role to the mobile application user.

    Authorization Settings in the Back-End System

    - Embedded system scenario:
      Assign role SAP_SM_GATEWAY_ACTIVATION to your administration user, for instance SOLMAN_ADMIN. For more information, see the HELP section for the corresponding step in transaction SOLMAN_SETUP and the security guide for SAP NetWeaver Gateway 2.0 SP04 on SAP Help Portal at: http://help.sap.com/nwgateway20 Application Help Support Package 04 SAP NetWeaver Gateway SAP NetWeaver Gateway Security Guide.

    - SAP NetWeaver Gateway as central hub scenario:
      Perform the following activities in the SAP back-end system:
      1. Create a technical (service agnostic) role.
         - When you enter the authorization maintenance for the role, use the role template /IWBEP/RT_MGW_USR. It contains the authorization for OData Channel RFC function group /IWBEP/FGR_MGW_CLIENT_IF.
         - Add authorization object S_RFCACL (authorization for a trusted RFC destination between SAP NetWeaver Gateway and SAP back-end systems).
         - Maintain the correct authorization values.
         - Generate the profile.
      2. Assign this technical role to the mobile application users.
      3. Copy the application-specific SAP role(s) with the business authorizations (see the application-specific part of this guide) into the customer namespace and maintain the authorization values correctly.
         Alternatively, create a customer role based on SU22 entries of the SAP R3TR/IWSV back-end service (S_SERVICE).
      4. Assign the new role(s) to the mobile application users.
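The provisioning rules from the User Management Concept and Authorizations sections (matching user names on SAP NetWeaver Gateway and the back end, the roles on each side, password handling, locking after device loss) can be checked against user exports. The following is an added example, not SAP code: the CSV layout, the Z_* role names and the sample users are constructed assumptions to be mapped to your own exports and role names.

```python
import csv
import io

# Hypothetical customer role names (assumptions, not SAP-delivered names).
GW_REQUIRED = {
    "Z_GW_USER",        # built from authorization template /IWFND/RT_GW_USER
    "Z_GW_SVC_MOBILE",  # S_SERVICE role for the activated OData service
}
BE_REQUIRED = {
    "Z_BE_MGW_TECH",    # built from /IWBEP/RT_MGW_USR plus S_RFCACL
    "Z_BE_MOBILE_BUS",  # customer copy of the application's business role
}

# Constructed sample exports; the column layout is an assumption.
GATEWAY_CSV = """user,roles,initial_password,locked
ALICE,Z_GW_USER;Z_GW_SVC_MOBILE,no,no
BOB,Z_GW_USER,yes,no
CAROL,Z_GW_USER;Z_GW_SVC_MOBILE,no,no
DAVE,Z_GW_USER;Z_GW_SVC_MOBILE,no,no
"""
BACKEND_CSV = """user,roles,has_password,mobile_only
ALICE,Z_BE_MGW_TECH;Z_BE_MOBILE_BUS,no,yes
BOB,Z_BE_MGW_TECH;Z_BE_MOBILE_BUS,yes,yes
CAROL,Z_BE_MGW_TECH,yes,no
"""
LOST_DEVICE_USERS = {"ALICE"}  # constructed: owners of devices reported lost


def load(text):
    """Parse an export into {USER: row}, normalising names and role lists."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        row = {k: v.strip() for k, v in row.items()}
        row["roles"] = {r for r in row["roles"].split(";") if r}
        users[row["user"].upper()] = row
    return users


def audit(gateway, backend, lost=frozenset()):
    """Return sorted (user, finding) pairs for the checks the guide names."""
    findings = []
    for name, gw in gateway.items():
        be = backend.get(name)
        if be is None:
            # Gateway and back-end user names must match.
            findings.append((name, "no back-end user with the same name"))
        else:
            for role in sorted(BE_REQUIRED - be["roles"]):
                findings.append((name, f"back end: missing role {role}"))
            # Mobile-only back-end users should be created without a password.
            if be["mobile_only"] == "yes" and be["has_password"] == "yes":
                findings.append((name, "back end: mobile-only user has a password"))
        for role in sorted(GW_REQUIRED - gw["roles"]):
            findings.append((name, f"gateway: missing role {role}"))
        # The initial Gateway password must be changed before the app is used.
        if gw["initial_password"] == "yes":
            findings.append((name, "gateway: initial password not yet changed"))
        # After device loss the Gateway user has to be locked.
        if name in lost and gw["locked"] != "yes":
            findings.append((name, "gateway: device lost but user not locked"))
    return sorted(findings)


def run_sample():
    return audit(load(GATEWAY_CSV), load(BACKEND_CSV), LOST_DEVICE_USERS)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user:6} {finding}")
```
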

    3.3.3 Session Security Protection

    To increase security and prevent access to the security session cookie(s), we recommend activating secure session management. We also highly recommend using SSL or TLS to protect the network communications where these security-relevant cookies are transferred.

    Session Security Protection on the AS ABAP

    To activate session security on the AS ABAP, set the corresponding profile parameters and activate the session security for the client(s) using the transaction SICF_SESSIONS. For more information, a list of the relevant profile parameters, and detailed instructions, see Activating HTTP Security Session Management on AS ABAP in the AS ABAP security documentation.

    3.3.4 Network and Communication Security

    Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system level and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way intruders can compromise the machines and gain access to the back-end system's database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

    The network topology for the back-end part of the mobile applications is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the mobile applications. Details that specifically apply to the mobile applications are described as follows:

    - Communication Channel Security [page 44]
      This topic describes the communication paths and protocols used by the mobile applications.

    - Network Security [page 46]
      This topic describes the recommended network topology for the mobile applications.

    - Section Communication Channels and Destinations in the SAP Solution Manager Security Guide on the SAP Service Marketplace at http://service.sap.com/securityguide SAP Components SAP Solution Manager in section 4 Operations.

    - Communication Destinations
      The information is needed for the various communication paths, for example, which users are used for which communications.
      For more information, see the following sections in the SAP NetWeaver Security Guide in SAP Library for SAP NetWeaver 7.0 EHP2 on SAP Help Portal at http://help.sap.com/nw702 Application Help SAP Library SAP NetWeaver 7.0 EHP2 SAP NetWeaver Administrator's Guide SAP NetWeaver Security Guide:
      - Network and Communication Security
      - Security Guides for Connectivity and Interoperability Technologies

    3.3.5 Communication Channel Security

    The table below shows the communication channels used by the mobile applications, the protocol used for the connection, and the type of data transferred.

    | Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection |
    | Front-end client using the mobile device to Sybase Unwired Platform | SUP Messaging Channel, Open Data Protocol | Data for authenticating the mobile device user, application data | All data transferred between mobile device and Sybase Unwired Platform has to be encrypted. |
    | Sybase Unwired Platform to SAP NetWeaver Gateway | Open Data Protocol, HTTP/HTTPS | Data for authenticating the mobile device user, application data | Data for authenticating the mobile device user, application data (depending on individual security requirements and criticality of the data) |
    | SAP NetWeaver Gateway to back end | RFC | Application data (authentication via trusted RFC) | Application data (depending on individual security requirements and criticality of the data) |

    DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol. SOAP connections are protected with Web services security.

    Recommendation

    We strongly recommend using secure protocols (SSL, TLS, SNC) whenever possible.

    Communication Encryption

    The Sybase Unwired Platform messaging channel provides encrypted communication between the mobile application on the mobile device and the Sybase Unwired Platform server in the corporate intranet. This communication is routed through the Relay Server. For this to work, the public key of the Sybase Unwired Platform messaging server has to be initially distributed once from the Sybase Unwired Platform server to the mobile application on the device by secure means to be protected against man-in-the-middle attacks.
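The one-time key distribution described above behaves like a trust-on-first-use pin, which is why the path of the first connection matters. The following added example is a model of that behaviour, not Sybase Unwired Platform client code; the PinStore class, the file name and the key bytes are constructed assumptions.

```python
import hashlib
import hmac
import json
import os
import tempfile


class PinMismatch(Exception):
    """Server presented a key that differs from the one pinned at onboarding."""


class PinStore:
    """Trust-on-first-use store for one server's public-key fingerprint."""

    def __init__(self, path):
        self.path = path

    @staticmethod
    def fingerprint(public_key: bytes) -> str:
        return hashlib.sha256(public_key).hexdigest()

    def pinned(self):
        """Return the stored fingerprint, or None before onboarding."""
        try:
            with open(self.path, "r", encoding="utf-8") as fh:
                return json.load(fh)["sha256"]
        except FileNotFoundError:
            return None

    def connect(self, presented_key: bytes) -> str:
        """Pin on the first connection; afterwards only compare, never update."""
        seen = self.fingerprint(presented_key)
        stored = self.pinned()
        if stored is None:
            # First connection: whatever key arrives now becomes the trust anchor.
            fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "w", encoding="utf-8") as fh:
                json.dump({"sha256": seen}, fh)
            return "pinned"
        if not hmac.compare_digest(stored, seen):
            raise PinMismatch(f"expected {stored[:16]}..., got {seen[:16]}...")
        return "verified"


# Constructed stand-ins for key material; real keys would be DER/PEM bytes.
SERVER_KEY = b"constructed-genuine-messaging-server-public-key"
OTHER_KEY = b"constructed-unexpected-public-key"


def scenario(first_key: bytes, later_keys):
    """Onboard with first_key, then replay later connections; return outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        store = PinStore(os.path.join(tmp, "server_pin.json"))
        outcomes = [store.connect(first_key)]
        for key in later_keys:
            try:
                outcomes.append(store.connect(key))
            except PinMismatch:
                outcomes.append("rejected")
        return outcomes


if __name__ == "__main__":
    # Onboarding inside the intranet: the genuine key is pinned.
    print(scenario(SERVER_KEY, [SERVER_KEY, OTHER_KEY]))
    # Onboarding over an untrusted path: the wrong key stays pinned.
    print(scenario(OTHER_KEY, [SERVER_KEY]))
```

In the second scenario the genuine server is the one that gets rejected, because the pin is only as trustworthy as the network path of the first connection.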

    - Instruct all users of mobile applications to make the first connection of the mobile application with the Sybase Unwired Platform server within the trusted intranet, that is, from inside the corporate network (over the local network, wireless LAN, or VPN). The first connection takes place after the mobile application user has entered the technical settings and starts the application (onboarding).

    - Make sure that the network traffic of the first connection is not routed through the public Internet. This is usually ensured by using the address of the Relay Server defined in the server settings of the mobile application, provided an outbound port is open between the corporate network and the DMZ network to enable secure communication (and no forward proxy setting is involved).

    - To ensure that mobile applications only connect to the intended Sybase Unwired Platform server, and not to a spoof one, the public key of the Sybase Unwired Platform messaging server received during the first connection is persisted on the device and never changed or reset during subsequent requests, regardless of whether the mobile applications connect from within the corporate network or from public networks. To connect to a different Sybase Unwired Platform server, end users need to uninstall and reinstall the mobile app