8/3/2019 SAP Security - Day 1 1st Half_Anwar
1/112
Confidential Copyright IBM Corporation 2004
IBM Global Services
Objectives
What is security ?
Security threats & measures to combat threats
Types of security
A who's who
Security, secured system, threats, safeguards
What is Security?
Dictionary meaning
Freedom from risk or danger; safety.
In other words
The process of ensuring confidentiality, integrity, and availability of computers, their programs, hardware devices, and data.
A secure System and Threat
A secure System
It is a system which does exactly what we want it to do and nothing that we don't want it to do, even when someone else tries to make it behave differently.
Threat
It is an act or event that has the potential to cause a failure of security.
Why am I here and how do I achieve it?
A security Consultant should know
What to secure
From whom to secure it, i.e. who could attack the system or challenge the security of the system
Why to secure it, i.e. the importance of the data, article, etc.
Security Achieved By
Keeping Unauthorized Person out of the System
Keeping People out of Places Where They Should Not Be
Safeguarding the Data from Damage or Loss
So, do I understand? I need to implement some safeguards to avoid threats, and that's how I achieve my security goals?
Let's see the big picture.
The BIG Picture: Threats, Safeguards, Goals
Threats:
1. Tampering
2. Planting
3. Eavesdropping
4. Penetration
5. Authorization Violation
6. O/S Cracking
Safeguards:
Access Control
Firewall
Encryption
Digital Certificate
Security Monitor
Anti-Virus
O/S Hardening
Goals:
Confidentiality
Integrity
Availability
Obligation
Security - Under the Microscope
Types Of Security
Organizational: Policies, Monitoring, Training, Disaster Plan
Physical: Server Facilities, Building, Fire Alarm, Camera
Technical: Program Level, O/S Level, N/W security, Database
Technical safeguards: Patches, O/S Hardening; Authentication, O/S Hardening, Virus Guard, Spam Blocker; Authentication, Firewall, Encryption, Security Monitor; Authentication, Access Control
A known story with an extension
Let's recollect the Rabbit and Tortoise story again.
Once the Tortoise has won the race, the Rabbit wants to congratulate the Tortoise and so wants to gift a memento to the Tortoise. The Rabbit needs to carry the memento to the Tortoise's home.
Our points of focus would be:
1. Is the rabbit secured at its own home?
2. Is the tortoise secured at its own home?
3. Is the memento secured?
4. The road through which the rabbit needs to go, is that secured?
Remember: no computer is secured.
If we correlate the rabbit and the tortoise to our computer world, security can be void if:
The applications are not secured (consider the hands by which the rabbit carries the gift to the tortoise)
The O/S is not secured (the house of the rabbit or the tortoise)
The database and data are not secured (the container from which the rabbit takes the gift)
The network path is not secured (the path through which the rabbit needs to run)
Let's understand these challenges in our known terms, and their safeguards
Let's introduce Program Security
Computer programs are the first line of defense in computer security, since programs provide logical controls. Programs, however, are subject to error, which can affect computer security.
Correct: A computer program is correct if it meets the requirements for which it was designed.
Complete: A program is complete if it meets all requirements.
Exact: Finally, a program is exact if it performs only those operations specified by requirements.
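The difference between "correct" and "exact" is easiest to see in code. The following example is added here and is not from the slides: a file-serving routine that is required to return files from one document directory. The first version meets that requirement (correct) but also performs an operation nobody specified, returning files outside the directory when the request contains ".." or an absolute path, which is the Path Traversal threat named on the next slide. The second version does only what was specified. The directory /srv/docs and all function names are assumptions made for this illustration.

```python
import os

# Constructed example: the directory the program is *required* to serve from.
# The path is an assumption for this illustration, not something from the slides.
DOC_ROOT = "/srv/docs"


def resolve_loose(doc_root: str, requested: str) -> str:
    """Meets the requirement 'return the file the user asked for' (correct),
    yet it also performs an operation nobody specified: '..' segments or an
    absolute path walk it outside doc_root. Correct, but not exact."""
    return os.path.normpath(os.path.join(doc_root, requested))


def is_within(doc_root: str, path: str) -> bool:
    """True only when `path` lies inside `doc_root` (or is doc_root itself).
    commonpath compares whole path components, so '/srv/docs-other' is not
    mistaken for a child of '/srv/docs'."""
    root = os.path.normpath(doc_root)
    return os.path.commonpath([root, path]) == root


def resolve_exact(doc_root: str, requested: str) -> str:
    """The exact version: does what resolve_loose does and nothing more.
    Any request whose normalised form escapes doc_root is refused."""
    path = resolve_loose(doc_root, requested)
    if not is_within(doc_root, path):
        raise PermissionError(f"request escapes {doc_root!r}: {requested!r}")
    return path


if __name__ == "__main__":
    # Constructed requests: one legitimate, two that leave the document root.
    for req in ("reports/q1.txt", "../../etc/passwd", "/etc/passwd"):
        loose = resolve_loose(DOC_ROOT, req)
        try:
            exact = resolve_exact(DOC_ROOT, req)
        except PermissionError as err:
            exact = f"refused ({err})"
        print(f"{req:20} loose -> {loose:24} exact -> {exact}")
```

The check is purely lexical (normpath and commonpath touch no files), so it can run before any filesystem access; a deployment that follows symbolic links would additionally compare the realpath of the result against the root.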
Application Security Threat Flow
Identify Security Objectives
Application Overview
Decompose Application
Identify Threats
Identify Vulnerabilities
Application Security
Lifecycle phases: Architecture, Design, Implementation, Test
Threats: Path Traversal, Trojan, Denial of Service, Authentication Error, Virus, Spyware, Injection Attacks, Cross-Site Scripting, Web Defacement
My Program is Secured .. But is my O/S secured ?
How is an operating system built?
Operating systems structured specifically for security are built in a kernelized manner.
A kernelized operating system is designed in layers. The innermost layer provides direct access to the hardware facilities of the computing system and exports very primitive abstract objects to the next layer. Let's visualize that.
Security of operating systems
OS Kernel, O/S Hardening, O/S Patch
To avoid threats we apply different patches and harden our O/S.
The container story: database damage threats
Database Threats
Data Overwrite
Data Loss
Scrambled Data
Unauthorized Changes
Improper Change/Alteration of Data
User Conflict
Why to Protect a Database: Intelligent Threats
Inference: Customer Data (Age, Name)
Aggregation: No. of Customers, Unit Price, Total Market Share
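The inference threat on this slide is that a statistic which looks harmless (an average over a group) becomes a fact about one person when the group is small. The following example is added here and is not from the slides; the customer rows, the table name and the threshold K_MIN are constructed for the illustration. It shows the unguarded query beside the classic query-set-size control, which releases an aggregate only when at least k rows contribute.

```python
import sqlite3

K_MIN = 3  # smallest query set an aggregate may be computed over (policy value chosen here)

# Constructed customer data for this example (not from the slides).
CUSTOMERS = [
    ("Asha", 29, "Pune"),
    ("Ben", 41, "Pune"),
    ("Chen", 35, "Pune"),
    ("Dana", 52, "Goa"),
]


def build_db():
    """In-memory table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (name TEXT, age INTEGER, city TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def average_age(conn, city):
    """Unguarded statistical query. AVG(age) looks harmless, but when only
    one customer lives in `city` the 'statistic' is that person's exact age:
    the inference threat named on the slide."""
    row = conn.execute("SELECT AVG(age) FROM customer WHERE city = ?", (city,)).fetchone()
    return row[0]  # None when no row matches


def guarded_average_age(conn, city, k=K_MIN):
    """Query-set-size control: the aggregate is released only when at least
    k rows contribute, so no single customer can be singled out."""
    (n,) = conn.execute("SELECT COUNT(*) FROM customer WHERE city = ?", (city,)).fetchone()
    if n < k:
        return None  # refused: query set too small
    return average_age(conn, city)


if __name__ == "__main__":
    db = build_db()
    for city in ("Pune", "Goa"):
        print(city, "unguarded:", average_age(db, city),
              "guarded:", guarded_average_age(db, city))
```

The threshold alone is not a complete defence: two large query sets that differ by a single row can still be compared, which is why production controls add limits on overlapping queries, auditing of query histories, or noise in the released values. The block shows the minimum that the slide's inference threat requires.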
Database Vulnerabilities
Basically, database security can be broken down into the following key points of interest.
Restricting Database Access: Mainly into the network access of the system, specifically targeting Internet-based databases, since they have been the most recent targets of attacks.
Table Access Control: Properly using table access control will require the collaboration of both system administrator and database developer.
Database Connections: Ensure that every connection uses its own unique user to access the shared data.
Server Security: Server security is the process of limiting actual access to the database server itself. The basic idea is this: "You can't access what you can't see".
Database Web-Security
For Web security, you must address three primary areas:
Session security -- ensuring that data is not intercepted as it is broadcast over the Internet or intranet
Server security -- ensuring security relating to the actual data or private HTML files stored on the server
User-authentication security -- ensuring login security that prevents unauthorized access to information
Knock .. Knock can you save my data?
Some Database Security Measures
Server Security
Database Connections
Table Access Control
Vendor-Specific Security
Public and Private Key Security
Dynamic Page Generation
Kerberos
User-Authentication Security
Secure Sockets Layer (SSL) and S-HTTP
Session Security
Digital Signatures as Passwords
Huh !!
The rabbit is on the way .. but is it secured enough ?
Network Security
Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side-effects. Network security includes data integrity.
Let's identify the rabbit's dangers on the road ..
The Rabbit's gift could have been stolen or destroyed by any other animal / stranger on the road.
To safeguard:
1. The rabbit could hide
2. The rabbit could run faster
3. The rabbit could fool them, etc.
Let's see in our network world.
Common security attacks and their countermeasures
Finding a way into the network -- Firewalls
Exploiting software bugs, buffer overflows -- Intrusion Detection Systems
Denial of Service -- Ingress filtering, IDS
TCP hijacking -- IPSec
Packet sniffing -- Encryption (SSH, SSL, HTTPS)
Social problems -- Education
Attacks on Different Layers
IP Attacks
ICMP Attacks
Routing Attacks
Session Hijacking
Application Layer Attacks
Visualize imagine you realize
Web and Network Security Threats
Network Security Threats
Web Security Threats
Is there anyone who can save me?
Network Security Safeguards (Corporate Network)
Firewall, Port Scan, Router, Certificate, Proxy, Spam Blocker, Digital Cert, Encryption, Antivirus, IDS, Access Control, Monitoring
SAP world and security
Different Layers of Security With SAP Application
SAP Application Security
Network Security
Workstation Security
Database Security
O/S Security
Security in an integrated system like SAP tries to achieve the following.
Authentication - Only legitimate users should be able to access the system
Authorization - Users should only be able to perform their designated tasks
Integrity - Data integrity needs to be granted at all times
Privacy - Protection of data against unauthorised access
Obligation - Ensuring liability and legal obligation towards stakeholders and shareholders, including validation
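The Authorization goal, "users should only be able to perform their designated tasks", is what an authorization check enforces at every business action, and the Obligation goal is served by recording each decision. The following example is added here and is not code from the slides or from SAP: it models a check in the style of SAP's authorization objects (an object with fields, each field holding the permitted values). The object name Z_DEMO_DOC, the roles, the users and the audit list are constructed for the illustration; ACTVT (activity: 01 create, 02 change, 03 display) and BUKRS (company code) follow SAP's conventional field names, and "*" stands for any value.

```python
# Constructed authorization data for this example (not from the slides).
# A role grants, per authorization object, a list of authorizations; each
# authorization maps every field of the object to its permitted values.
ROLES = {
    "AP_CLERK": {  # may create, change and display documents, but only in company code 1000
        "Z_DEMO_DOC": [{"ACTVT": {"01", "02", "03"}, "BUKRS": {"1000"}}],
    },
    "AUDITOR": {   # may display documents in every company code, and nothing else
        "Z_DEMO_DOC": [{"ACTVT": {"03"}, "BUKRS": {"*"}}],
    },
}
USERS = {"priya": ["AP_CLERK"], "tom": ["AUDITOR"], "guest": []}

AUDIT_LOG = []  # every decision is recorded: who asked for what, and the outcome


def has_authority(user, obj, **wanted):
    """Return True if one authorization, granted through any of the user's
    roles, covers every requested field value. All fields must match within
    the same authorization; taking ACTVT from one authorization and BUKRS
    from another would grant more than either role designated."""
    for role in USERS.get(user, []):
        for auth in ROLES.get(role, {}).get(obj, []):
            if all(value in auth.get(field, set()) or "*" in auth.get(field, set())
                   for field, value in wanted.items()):
                AUDIT_LOG.append((user, obj, dict(wanted), "granted"))
                return True
    AUDIT_LOG.append((user, obj, dict(wanted), "denied"))
    return False


def change_document(user, bukrs):
    """A business action guarded by the check: only designated users succeed.
    The check is made before the action, never after."""
    if not has_authority(user, "Z_DEMO_DOC", ACTVT="02", BUKRS=bukrs):
        return f"{user}: change in {bukrs} denied"
    return f"{user}: document in {bukrs} changed"


if __name__ == "__main__":
    print(change_document("priya", "1000"))  # clerk in her own company code
    print(change_document("priya", "2000"))  # clerk outside her company code
    print(change_document("tom", "1000"))    # auditor may only display
    print(change_document("guest", "1000"))  # no roles at all
    for entry in AUDIT_LOG:
        print(entry)
```

Two design points carry over to any authorization model: a request is matched against one authorization as a whole rather than field by field across authorizations, and a user with no roles is denied by default because the check only ever returns True on a positive match.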
SAP Product Overview
Objectives
Introduction to SAP
What is NetWeaver?
NetWeaver Stack Introduction
NetWeaver breakdown
SOA
SAP Product Introduction - History
The 1970s: A Real-Time Vision
In 1972, five former IBM employees -- Dietmar Hopp, Hans-Werner Hector, Hasso
Plattner, Klaus Tschira, and Claus Wellenreuther -- launch a company called Systems,
Applications, and Products
Their vision: to develop standard application software for real-time business processing.
One year later, the first financial accounting software, the R/1 system, is complete.
"R" stands for real-time data processing.
By the end of the decade, intensive examination of SAP's IBM database and dialog
control system leads to the birth of SAP R/2.
continued
The 1980s: Rapid Growth
The SAP R/2 system attains a high level of stability.
Keeping in mind its multinational customers, SAP designs SAP R/2 to handle different
languages and currencies.
With the founding of subsidiaries in Denmark, Sweden, Italy, and the United States,
SAP's international expansion takes a leap forward.
continued
The 1990s: A New Approach to Software and Solutions
SAP R/3 is unleashed on the market.
The client-server concept, uniform appearance of graphical interfaces, consistent use of
relational databases, and the ability to run on computers from different vendors meets
with overwhelming approval.
With SAP R/3, SAP ushers in a new generation of enterprise software -- from mainframe
computing to the three-tier architecture of database, application, and user interface.
continued
The 2000s: Innovation for the New Millennium
With the Internet, the user becomes the focus of software applications. SAP develops mySAP Workplace and paves the way for the idea of an enterprise portal and role-specific access to information.
By 2005:
12 million users work each day with SAP solutions
100,600 installations worldwide
more than 1,500 partners
over 25 industry-specific business solutions
more than 33,200 customers in 120 countries
SAP NetWeaver is developed based on Services-Oriented Architecture (SOA)
Companies can integrate people, information, and processes within the company and beyond.
What is SOA ?
SOA
Software architecture that defines the use of loosely coupled software services to
support the requirements of business processes and software users
Resources on a network in an SOA environment are made available as independent
services that can be accessed without knowledge of their underlying platform
implementation
SOA-based systems can therefore be independent of development technologies and
platforms (such as Java, .NET etc)
Now let us take a look at some technical & operational challenges facing a
distributed system
SAP NetWeaver
How to address the integration challenge ?
SAP NetWeaver
SAP NetWeaver integrates various different technological concepts and previous
platforms in a single solution
It is an open technology platform which offers a comprehensive set of technologies that
are natively integrated
NetWeaver People Integration
Sub-components: Portal, Collaboration, Multi-Channel Access
People Integration brings together the right functionality and the right information to the right people
NetWeaver People Integration Portal Sample View
NetWeaver People Integration -- Portal
The portal is the Web front-end component for SAP NetWeaver
It is a personalized, interactive gateway, providing employees, partners, suppliers and customers with a single point of access.
The key capabilities of the portal within SAP NetWeaver are as follows:
Heterogeneous information integration Administrator & EUS
User management & Security support
Personalization
Ready-to-deploy business packages
Delegated administration
NetWeaver People Integration Multi-Channel Access
With multi-channel access, you can connect to enterprise systems through voice, mobile, or radio-frequency technology
Multi-channel access is delivered through Mobile Infrastructure
The key elements of SAP NetWeaver's multi-channel access capabilities are:
SAP NetWeaver Mobile,
SAP Auto-ID Infrastructure,
SAP NetWeaver Voice, Message Interfaces (SMS, Fax, Email) and
Web-based GUI
NetWeaver People Integration Multi-Channel Access
NetWeaver Mobile comprises various technical architectures used for enabling end-to-end mobile business solutions targeting specific user roles and device platforms
SAP Auto-ID Infrastructure connects RFID data directly from auto-ID data-capture sources, such as RFID readers, and integrates high-volume data directly into enterprise applications in real time
SAP NetWeaver provides standardized interfaces to link third-party communication management applications with business applications. It enables the integration of fax, SMS or email
Web-based GUI enables end-users to gain access to their enterprise business via a
Browser or Java User Interface
SAP NetWeaver Voice makes business processes accessible by any telephone, any time.
Users can interact with SAP backend systems using speech recognition or touch tones. It
is currently not part of a standard SAP NetWeaver shipment.
NetWeaver People Integration Collaboration
The collaboration capabilities delivered with SAP NetWeaver are designed to enable individuals, teams, and interest groups to work together closely towards a common goal.
The comprehensive set of collaboration tools and services allows users to share relevant information, communicate online in real time, plan with the help of a unified calendar, and provides a single point of access to documents and resources.
NetWeaver Information Integration
Sub-components: Business Intelligence, Knowledge Management, Master Data Management
Information Integration makes both structured and unstructured information available in the enterprise in a consistent and accessible manner
Users demand ubiquitous access to information wherever it resides. That information must be served in a consistent manner and its integrity guaranteed
NetWeaver Information Integration Business Intelligence
Business Intelligence in NetWeaver is composed of the following parts:
Data warehousing, which forms the application-neutral foundation for Business Intelligence. SAP BW supports the complete data warehousing process, from data integration, data transformation, consolidation and cleansing to data provision for analysis.
A business intelligence platform that serves as the technological infrastructure to support information access and comprehensive analytics.
A business intelligence suite that transforms data into insightful information and serves a wide variety of users for decision-making.
NetWeaver Information Integration Knowledge Management
Knowledge Management (KM) is the umbrella term for the management of unstructured information, that is, all kinds of documents
The Knowledge Management (KM) capabilities of SAP NetWeaver turn unstructured information into organizational knowledge, an essential function in this age of global e-business
The business challenge is to transform unstructured information into organizational knowledge by structuring and classifying it in such a way that it becomes accessible and relevant to the enterprise's knowledge workers
There is an urgent need to create a central point of access within the enterprise to manage information and translate it into knowledge for success
NetWeaver Information Integration Master Data Management
Today, companies operating within heterogeneous IT landscapes are commonplace, and the demand for streamlining communication within such an environment is great.
SAP Master Data Management (SAP MDM) - a key capability of SAP NetWeaver - enables information integrity across the business network. It enables companies to store, augment, and consolidate master data, while ensuring consistent distribution to all applications and systems within the IT landscape.
It leverages existing IT investments in business-critical data, delivering vastly reduced data maintenance costs through effective data management.
By ensuring cross-system data consistency, SAP MDM accelerates the execution of business processes, greatly improves decision-making and helps companies maintain their competitive advantage.
NetWeaver Process Integration
Process Integration enables business processes to run seamlessly acrossheterogeneous IT landscapes.
Integration broker -- This capability enables XML/SOAP-based communication
between application components from various sources and vendors. It also enables you
to define software components, interfaces, mappings, and content-based routing rules.
This capability is delivered through SAP Exchange Infrastructure (XI)
Business process management -- With business process management, you can
model and drive processes in a dynamic IT environment. It allows you to combine
underlying applications into adaptive, end-to-end processes spanning the entire value
chain.
NetWeaver Process Integration -- XI
SAP NetWeaver Exchange Infrastructure:
Provides a technical infrastructure for XML-based message exchange in order to
connect SAP components with each other, as well as with non-SAP components
Delivers business-process and integration knowledge to the customer, in the form of
SAP's predefined integration scenarios
Provides an integrated toolset for building new integration scenarios by defining and
maintaining all integration-relevant information ("shared collaboration knowledge")
NetWeaver Process Integration Business Process Management
BPM has three areas to cater for:
Collaboration Tasks, which are part of the Enterprise Portal Framework, enable individuals to create light-weight ad hoc processes to optimize their day-to-day tasks and add transparency to what they are doing in relation to their colleagues. This is what delivers people empowerment.
SAP Business Workflow, embedded within the SAP Web Application Server, is used to automate the business processes taking place within an SAP component and to integrate the SAP users with the business processes. This is what delivers workflow empowerment within the mySAP components.
Cross-Component BPM, which is part of SAP Exchange Infrastructure, drives and controls complex business processes across business applications and enterprise boundaries. This delivers total Business Process Empowerment in a heterogeneous system landscape.
NetWeaver Application Platform
The application platform of SAP NetWeaver is the SAP Web Application Server
It provides a complete infrastructure to develop, deploy and run platform-independent, robust and scalable Web Services and business applications.
To allow this flexibility, different technologies have been established
Java 2 Platform Enterprise Edition (J2EE)
ABAP
DB and OS Abstraction
NetWeaver Application Platform SAP WAS
SAP Web Application Server (SAP Web AS) is the application platform of SAP NetWeaver, i.e. it provides the complete infrastructure to develop, deploy and run all SAP NetWeaver applications. The major key capability of SAP Web AS is the full support for both the proven ABAP technology and the innovative open source internet-driven technologies Java, Java 2 Enterprise Edition (J2EE) and Web Services.
NetWeaver Application Platform ABAP
ABAP is the SAP Web Application Server programming language for business applications
It contains all characteristics of an object-oriented programming language and at the same time provides the benefits of a 4GL language: many functions that are located in libraries in other languages are contained as language elements, which makes it easier to check statically and is beneficial for program performance.
NetWeaver Application Platform Composite Application Framework
Composites aim at enabling efficient development of new
applications that are easily adopted by customers, and allow
flexibility in backend connectivity
The key characteristics of composite applications are:
- Model-driven architecture
- Reuse of existing assets
- Loose coupling to backend systems
- Adaptive user-centric process flow and user interfaces
Among the main features that SAP CAF provides are:
- Support for the three layers of a composite application
(services, user interfaces, and processes)
- Patterns and templates at all three levels to increase
development efficiency and application homogeneity
- Model- and code-generation-based methods using tools that store models in a proprietary metamodel repository
Questions ?
Introduction to SAP Product Security
Objectives
Why security & implications?
What types of security? NetWeaver Security
Perfect Security ?
There is no perfect security
Needs to evolve with changing technologies & associated risks
Risk to a security attack can be minimized
Why is Security necessary ?
With the increasing use of distributed systems and the Internet for managing business
data, the demands on security are also on the rise.
When using a distributed system, you need to be sure that your data and processes
support your business needs without allowing unauthorized access to critical
information.
User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time.
These demands on security apply likewise to the SAP NetWeaver platform.
What to protect ?
There are various aspects to consider when answering this question.
In the SAP environment, we need to reduce the risk of a security attack across the entire NetWeaver stack.
Broadly, we are looking at reducing security risks in the following NetWeaver layers:
People Integration
Process Integration
Information Integration
Application Platform
People Integration Security Risks ?
People Integration brings together the right functionality and the right information for the right people. This module of the NetWeaver stack aims to provide a seamless user experience, boundless collaboration functionality, and pervasive access.
The functionality of this module is further broken down into:
Portal Infrastructure
Collaboration
Multi-Channel Access
We will investigate the security aspects of each of these sub-components in the forthcoming slides.
NetWeaver Portal Security
The SAP NetWeaver Portal offers users a single point of access to all applications, information, and services needed to accomplish their daily tasks. Links to back-end and legacy applications, self-service applications, company intranet services, and Internet services are all readily available in the user's portal. Because the borders between company intranets and the Internet are blurring, comprehensive security is vital to protect the company's business.
Below are the aspects to consider when securing the enterprise portal:
- User Administration & Authentication
- Authorizations
- Network & Communication Security
- Data Storage Security
- Operating System Security
Portal Security - User Administration & Authentication
This section covers:
User Management
Authentication
Integration Into Single Sign-On Environments
User Management
The SAP NetWeaver Portal uses the User Management Engine (UME) for user
management.
The UME can be configured to work with user management data from multiple data
sources, for example, an LDAP directory, database of the SAP NetWeaver Application
Server (AS) Java, or ABAP system.
The UME is integrated as a service of the Java AS.
User Management Engine (UME)
What is the User Management Engine ?
User Management Engine (UME)
The User Management Engine (UME) provides a centralized user management for all Java
applications. It can be configured to work with user management data from multiple data sources. It is
seamlessly integrated in the SAP NetWeaver Application Server (AS) Java as its default user store
and can be administrated using the administration tools of the AS Java.
User data is stored in one or more data sources. Each type of data source has its own persistence adapter. The persistence manager consults the persistence adapters when creating, reading, writing, and searching user management data. The application programming interface (API) is a layer on top of the persistence manager.
In the persistence manager, you configure which data is written to or read from which data source, so that the applications using the API do not need to know where user management data is stored.
Portal Security - Authentication
Authentication provides a way of verifying the user's identity before he or she is granted access to the portal.
Several authentication mechanisms exist, some of which are detailed on the following slides:
- Basic authentication (user ID & password)
- Client certificates
- Single Sign-On with logon tickets
- Single Sign-On with user ID & password
Portal Security Authentication Basic Authentication
Basic Authentication is the HTTP standard method for authentication, whereby the user provides a user ID and password.
The SAP J2EE Engine uses basic authentication for applications that are set up to use basic or form authentication.
When using basic authentication, the user's credentials are passed to the server over the HTTP connection in the Authorization header as a base-64 encoded string. Base-64 is an encoding, not encryption: anyone who can read the traffic can recover the password.
When using form-based authentication, the credentials are passed as fields of the logon form (in the request body, or in the URL if the form is submitted with GET), equally unprotected.
Since neither method protects the credentials in transit, the use of SSL is recommended, so that the logon request travels over HTTPS rather than HTTP.
Portal Security Authentication - Client Certificates
In addition to using SSL for encrypting connections, you can use SSL and X.509 client
certificates for authenticating client or user access requests to the J2EE Engine.
When using client certificates, authentication takes places transparently for the user with
the underlying SSL security protocol. Therefore, you can use authentication with client
certificates to integrate the J2EE Engine in a Single Sign-On environment.
Users need to receive their client certificates from a Certification Authority (CA) as part of a public-key infrastructure (PKI). If you do not have an established PKI, you can use a Trust Center Service to obtain certificates. The J2EE Engine must also be configured to map each presented certificate to a user account; a certificate that maps to no user must not grant access.
Portal Security Authentication Single Sign-On (SSO)
SSO is a key feature of the SAP NetWeaver Portal that eases user interaction with the many component systems available to the user in a portal environment. Once the user is authenticated to the portal, he or she can use the portal to access external applications.
With SSO in the portal, the user can access different systems and applications without having to repeatedly enter his or her user information for authentication.
The portal SSO mechanism is available in the following variants, depending on security requirements and the supported external applications:
- SSO with logon tickets
- SSO with user ID and password
Both variants eliminate the need for repeated logons to individual applications after the initial authentication at the portal. Whereas SSO with logon tickets is based on a secure ticketing mechanism, SSO with user ID and password forwards the user's logon data (user ID and password) to the systems that the user wants to call.
Portal Security Authentication Single Sign-On (SSO)
Single Sign-On With Logon Tickets
Logon tickets represent the user's credentials. The portal server issues a logon ticket to a user after successful initial authentication.
The logon ticket itself is stored as a cookie on the client and is sent with each request of that client. It can then be used by external applications such as SAP systems to authenticate the portal user to those external applications without any further user logons being required.
Logon tickets contain information about the authenticated user. They do not contain any passwords. Specifically, logon tickets contain the following items:
- Portal user ID and one mapped user ID for external applications
- Authentication scheme
- Validity period
- Information identifying the issuing system
- Digital signature
When using logon tickets, one system must be the ticket-issuing system. This can be either the portal or another system. Every accepting system must trust the issuing system's certificate in order to verify the signature; a ticket with an unknown issuer, an invalid signature, or an expired validity period must be rejected.
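The following is an added illustration, written for this page in Go, of the logon-ticket idea described above: a signed, password-free token that the issuing system creates once and that accepting systems verify using only the issuer's public key. It is not SAP's code and does not reproduce the MYSAPSSO2 wire format; the field layout, the "|"-separated payload, the "payload.signature" cookie encoding, the issuer name "EP1" and the sample user "jdoe" are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Ticket carries the items the slide lists for a logon ticket. The field
// layout and the "payload.signature" cookie format below are assumptions made
// for this illustration, not the MYSAPSSO2 format used by SAP systems.
type Ticket struct {
	User       string    // portal user ID
	MappedUser string    // user ID in the external (for example ABAP) system
	AuthScheme string    // how the user authenticated at the portal
	Issuer     string    // identifies the ticket-issuing system
	NotAfter   time.Time // end of the validity period
}

func (t Ticket) payload() []byte {
	return []byte(strings.Join([]string{t.User, t.MappedUser, t.AuthScheme,
		t.Issuer, t.NotAfter.UTC().Format(time.RFC3339)}, "|"))
}

// Issue is what the ticket-issuing system does after the initial logon: it
// signs the ticket with its private key. No password goes into the ticket.
func Issue(t Ticket, priv ed25519.PrivateKey) (string, error) {
	for _, f := range []string{t.User, t.MappedUser, t.AuthScheme, t.Issuer} {
		if strings.Contains(f, "|") {
			return "", errors.New("ticket field must not contain the separator")
		}
	}
	p := t.payload()
	return base64.StdEncoding.EncodeToString(p) + "." +
		base64.StdEncoding.EncodeToString(ed25519.Sign(priv, p)), nil
}

// Verify is what an accepting system does. It holds only the public keys of
// the issuers it trusts and rejects unknown issuers, tampered payloads and
// tickets whose validity period has passed.
func Verify(cookie string, trusted map[string]ed25519.PublicKey, now time.Time) (Ticket, error) {
	parts := strings.SplitN(cookie, ".", 2)
	if len(parts) != 2 {
		return Ticket{}, errors.New("malformed ticket")
	}
	p, err := base64.StdEncoding.DecodeString(parts[0])
	if err != nil {
		return Ticket{}, err
	}
	sig, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil {
		return Ticket{}, err
	}
	f := strings.Split(string(p), "|")
	if len(f) != 5 {
		return Ticket{}, errors.New("malformed ticket payload")
	}
	pub, ok := trusted[f[3]]
	if !ok {
		return Ticket{}, errors.New("untrusted issuing system: " + f[3])
	}
	// Check the signature before trusting anything else in the payload.
	if !ed25519.Verify(pub, p, sig) {
		return Ticket{}, errors.New("signature check failed")
	}
	exp, err := time.Parse(time.RFC3339, f[4])
	if err != nil {
		return Ticket{}, err
	}
	if now.After(exp) {
		return Ticket{}, errors.New("ticket expired")
	}
	return Ticket{User: f[0], MappedUser: f[1], AuthScheme: f[2], Issuer: f[3], NotAfter: exp}, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"EP1": pub} // accepting system's trust list
	now := time.Now()
	cookie, _ := Issue(Ticket{User: "jdoe", MappedUser: "JDOE", AuthScheme: "basicpassword",
		Issuer: "EP1", NotAfter: now.Add(8 * time.Hour)}, priv)
	t, err := Verify(cookie, trusted, now)
	fmt.Println(t.MappedUser, err) // JDOE <nil>

	// An attacker who edits the user in the cookie cannot produce a valid signature.
	parts := strings.SplitN(cookie, ".", 2)
	p, _ := base64.StdEncoding.DecodeString(parts[0])
	forged := base64.StdEncoding.EncodeToString([]byte(strings.Replace(string(p), "jdoe", "admin", 1))) + "." + parts[1]
	_, err = Verify(forged, trusted, now)
	fmt.Println(err) // signature check failed
}
```

The point to take from the example is the asymmetry: the private key never leaves the issuing system, every accepting system only needs the issuer's public key (in SAP terms, the issuer's certificate imported into its trust store), and the signature is checked before any field of the ticket is believed.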
Portal Security Authentication Single Sign-On
Single Sign-On With Userid & Password
The Single Sign-On (SSO) mechanism with user ID and password provides an alternative for applications that cannot accept and verify logon tickets.
With this SSO mechanism the portal server uses user mapping information, provided by users or administrators, to give the portal user access to external systems.
The portal components connect to the external system with the user's mapped credentials, which the portal therefore has to store.
Since the system sends the user's logon ID and password across the network, use a secure protocol such as Secure Sockets Layer (SSL) for sending the data.
Portal Security - Authorization
Authorizations define which objects users can access and which actions they can perform. The portal's authorization concept is implemented using the following:
- Permissions
- Security Zones
- UME Actions
- AuthRequirement property
Portal permissions define portal user access rights to portal objects in the Portal Content Directory (PCD) and are based on access control list (ACL) methodology.
Security zones control which portal components and portal services users can launch; they are defined in the development phase.
UME actions are the User Management Engine (UME) equivalent of portal permissions. The UME verifies that users have the appropriate UME actions assigned to them before granting them access to UME iViews and functions.
The AuthRequirement property is a master iView property used in EP 5.0 that defines which users are authorized to access a master iView or the Java iViews derived from it.
Portal Security Authorization Portal Roles
In the SAP NetWeaver Portal, roles are only indirectly linked to authorization.
Portal roles group together the portal content required by users with a certain role in the company. In addition, the role structure defines the navigation structure that a user sees in the portal.
Users and groups assigned to a role inherit the permissions of the role. By default this is the end user permission.
Portal Security Network & Communication Security
The portal depends on the NetWeaver Application Server for Java for network communication.
SAP systems are implemented as client-server frameworks built in three tiers: the database server tier, the application server tier, and the presentation tier (front ends).
The servers are the most exposed part of the network infrastructure, and special care should be taken to protect them from unauthorized access, for example by placing them in separate network segments behind firewalls and restricting which ports the front ends may reach.
Collaboration Security
SAP Collaboration allows access to company-internal personal data, information, and documents that may not be equally accessible to all portal users. Settings for data security prevent unauthorized access and data manipulation.
Collaboration uses the user management and user authentication mechanisms in the SAP NetWeaver platform, in particular those in the SAP Web Application Server (Java). Therefore, the security recommendations and guidelines for user management and authentication apply as described in the SAP Web Application Server security guide.
Collaboration uses the permissions concept provided by the SAP Web Application Server (Java). Therefore, the security recommendations and guidelines for permissions apply as described in the SAP Web Application Server (Java) security guide.
This permissions concept is based on roles that are valid throughout the portal and are assigned to the users.
Multi-Channel Access Security
With multi-channel access, you can connect to enterprise systems through voice, mobile, or radio-frequency (RFID) technology.
Multi-channel access is delivered through SAP Mobile Infrastructure (MI).
The mobile device is exposed to the following potential dangers:
- Loss of the device
- Theft
- Use by an unauthorized person
- Data manipulation in the file system
Authentication and authorization procedures are discussed in the next few slides.
Mobile Infrastructure Authentication
The user management of the SAP MI Client Component manages user IDs and local logon passwords. The local logon password is used for local user authentication. It is stored on the mobile device in protected form, not in plain text, and the number of possible failed attempts can be restricted.
A second password, called the synchronization password, is used for synchronization with the SAP MI Server Component (SAP NetWeaver AS).
You can change the passwords on the client side at any time. The data can, however, only be synchronized successfully if the user ID and synchronization password of the client have counterparts on the server. Users can change both passwords with the SAP MI Client Component.
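As an added example, not taken from SAP MI or from this deck, the Go code below shows what the two properties of the local logon store described above look like in practice: the password is never kept in plain text (only a salted, iterated hash, compared in constant time) and the device locks after a configurable number of failed attempts, after which even the correct password is refused. The type name, the 100000-iteration SHA-256 stretching (a stand-in for a standard KDF such as PBKDF2 or Argon2) and the eight-character minimum are assumptions made for the illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// LocalLogon is a simplified local user store for a mobile client: the logon
// password is kept only as a salted, iterated hash and the number of failed
// attempts is limited. Assumed design for this illustration, not SAP MI's.
type LocalLogon struct {
	salt        []byte
	hash        []byte
	failed      int
	MaxAttempts int
}

const iterations = 100000 // slows down offline guessing against a stolen device

// stretch derives the stored verifier from password and salt by iterated
// hashing. A production client should use a standard KDF (PBKDF2, Argon2).
func stretch(password string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 1; i < iterations; i++ {
		h = sha256.Sum256(append(h[:], salt...))
	}
	return h[:]
}

func NewLocalLogon(password string, maxAttempts int) (*LocalLogon, error) {
	if len(password) < 8 {
		return nil, errors.New("password too short")
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &LocalLogon{salt: salt, hash: stretch(password, salt), MaxAttempts: maxAttempts}, nil
}

// Locked reports whether the failed-attempt limit has been reached.
func (l *LocalLogon) Locked() bool { return l.failed >= l.MaxAttempts }

// Verify checks one logon attempt. Once locked, even the correct password is
// refused; the comparison is constant-time so timing leaks nothing.
func (l *LocalLogon) Verify(password string) bool {
	if l.Locked() {
		return false
	}
	if subtle.ConstantTimeCompare(stretch(password, l.salt), l.hash) == 1 {
		l.failed = 0
		return true
	}
	l.failed++
	return false
}

// ChangePassword lets the user change the local password at any time, but
// only after proving knowledge of the current one; a fresh salt is generated.
func (l *LocalLogon) ChangePassword(current, next string) error {
	if !l.Verify(current) {
		return errors.New("current password rejected")
	}
	if len(next) < 8 {
		return errors.New("new password too short")
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	l.salt, l.hash = salt, stretch(next, salt)
	return nil
}

func main() {
	l, _ := NewLocalLogon("correct horse battery", 3)
	fmt.Println(l.Verify("correct horse battery")) // true
	for _, guess := range []string{"password", "12345678", "qwertyui"} {
		fmt.Println(l.Verify(guess)) // false, false, false
	}
	fmt.Println(l.Locked(), l.Verify("correct horse battery")) // true false: locked out
}
```

Note that the lockout counter lives in the same store as the hash; on a real device it must be persisted together with it, otherwise an attacker who can reset the application state can restart the attempt budget.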
Mobile Infrastructure Authentication
Authentication Using System Logon (Bypassing Local SAP MI Logon)
For mobile devices with only one user, you can configure the device so that the user does not have to log on with the local logon password. The start page of the SAP MI Client Component appears as soon as the mobile device is started. In this case, the user must identify him- or herself to the operating system instead.
The authentication on the operating system is not technically linked to the SAP MI Client Component. It is a conceptual, organizational prerequisite for working with the SAP MI Client Component, so the device's operating-system logon must be enforced by policy.
When the user synchronizes with the SAP MI Server Component, he or she still has to use the synchronization password. You cannot use this bypass option in conjunction with the handling option "local" for the synchronization password; doing so results in a configuration conflict.
Mobile Infrastructure - Authorization
The security recommendations and guidelines for authorizations described in the SAP NetWeaver Application Server Security Guide therefore also apply to SAP MI.
The authorization concept of the SAP NetWeaver AS is based on assigning authorizations to users on the basis of roles. Use the Profile Generator (transaction PFCG) for role maintenance on SAP NetWeaver AS ABAP, and the user administration console of the User Management Engine on SAP NetWeaver AS Java.
Access to data and applications on the SAP MI Client Component is controlled by user-specific data filtering based on the SAP authorization concept: the client only receives the data the user is authorized to see.
Mobile Infrastructure Securing the Communication Channel
There are two communication paths to secure:
- From the SAP MI Client Component to the SAP NetWeaver AS ABAP and vice versa
  Protocols: HTTP, or HTTPS (HTTP over SSL)
  Data transferred: application data, control data for SAP Mobile Infrastructure, and the synchronization password
  Data requiring particular protection: the synchronization password, as it is sent from the mobile device to the SAP NetWeaver AS ABAP with each HTTP request. Use of SSL (HTTPS) is therefore recommended.
- From SAP NetWeaver AS ABAP to the back-end system and vice versa
  Protocol: RFC (which can be protected with Secure Network Communications, SNC)
  Data transferred: application data
Information Integration Security Risks ?
Information Integration makes both structured and unstructured information
available in the enterprise in a consistent and accessible manner.
Users demand ubiquitous access to information wherever it resides. That
information must be served in a consistent manner and its integrity
guaranteed.
Security risks revolve around ensuring the integrity of data and restricting access to it.
Business Information Warehouse Security
Why Is Security Necessary?
SAP NetWeaver BI serves to integrate, transform, and consolidate data from all areas of an enterprise in order to provide it for analysis, interpretation and distribution. This includes confidential corporate data, for example personal data from Personnel Administration. Decisions are made in all enterprise areas and target-oriented actions are determined on the basis of this data. For this reason, security when accessing data and the ability to guarantee data integrity are of great importance.
The following examples show the dangers to which BI can be exposed:
- Attacks from the Internet or intranet when using BEx Web functionality and Web Services
- Infringement of data protection guidelines through unauthorized access to personal data
BI Security Authentication
The authentication process enables the identity of a user to be checked before this user gains access to BI or BI data. SAP NetWeaver supports various authentication mechanisms.
Some of the authentication mechanisms include:
- Single Sign-On (SSO)
- Client certificates
- SAP logon tickets
Single Sign-On means that once a user has authenticated, for example with user ID and password, the user has access to the other SAP systems in the landscape without authenticating again.
As an alternative to user authentication using a user ID and password, users accessing Internet applications via the Internet Transaction Server (ITS) can also present X.509 client certificates. In this case, user authentication is performed on the Web server using the Secure Sockets Layer protocol (SSL), and no passwords have to be transferred. User authorizations remain valid in accordance with the authorization concept in the SAP system.
BI supports SAP logon tickets. To make Single Sign-On available for several systems, the SAP system issues an SAP logon ticket to the user after he or she has logged on. The ticket can then be submitted to other systems (SAP or external) as an authentication token. The user does not need to enter a user ID or password again, but can access the system directly after it has checked the logon ticket.
BI Security - Authorization
An authorization allows a user to perform a certain activity on a certain object in the BI system. There are two different concepts for this, depending on the role and tasks of the user:
Standard Authorizations
- These authorizations are required by all users that work in the Data Warehousing Workbench to model or load data, and also by users that work in the planning workbench or the Analysis Process Designer, and those that work with the Reporting Agent or the BEx Broadcaster or define queries.
Analysis Authorizations
- All users that want to display transaction data from authorization-relevant characteristics in a query require analysis authorizations for these characteristics.
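The Go code below is an added illustration, not SAP's implementation, of the two ways analysis authorizations on characteristics are enforced: a query whose selection on an authorization-relevant characteristic is not fully covered by the user's authorized values is rejected as a whole, and (the user-specific data filtering mentioned on the Mobile Infrastructure authorization slide) a result set can be reduced to the rows the user is authorized for before it leaves the server. The characteristic names 0COMP_CODE and 0COSTCENTER, the "*" convention for "all values" and the sample rows are constructed for the example.

```go
package main

import "fmt"

// AnalysisAuth lists, per authorization-relevant characteristic, the values a
// user may see; "*" stands for all values. The structure and the two checks
// below are a simplified illustration, not the BI implementation.
type AnalysisAuth map[string][]string

func (a AnalysisAuth) permits(char, value string) bool {
	for _, v := range a[char] {
		if v == "*" || v == value {
			return true
		}
	}
	return false
}

// Covered reports whether a query's selection on the authorization-relevant
// characteristics lies entirely within the user's authorizations. A query
// that leaves a relevant characteristic unrestricted asks for all its values,
// so it is covered only if the user holds "*" for that characteristic.
func Covered(selection map[string][]string, relevant []string, auth AnalysisAuth) bool {
	for _, c := range relevant {
		vals, ok := selection[c]
		if !ok {
			if !auth.permits(c, "*") {
				return false
			}
			continue
		}
		for _, v := range vals {
			if !auth.permits(c, v) {
				return false
			}
		}
	}
	return true
}

// Record is one row of transaction data, characteristic name to value.
type Record map[string]string

// Filter keeps only the rows the user is authorized for on every relevant
// characteristic: the user-specific data filtering a mobile client relies on
// when the server decides what to send to the device.
func Filter(rows []Record, relevant []string, auth AnalysisAuth) []Record {
	var out []Record
	for _, row := range rows {
		ok := true
		for _, c := range relevant {
			if !auth.permits(c, row[c]) {
				ok = false
				break
			}
		}
		if ok {
			out = append(out, row)
		}
	}
	return out
}

func main() {
	// Constructed sample: user may see company code 1000 only, all cost centers.
	auth := AnalysisAuth{"0COMP_CODE": {"1000"}, "0COSTCENTER": {"*"}}
	relevant := []string{"0COMP_CODE", "0COSTCENTER"}
	fmt.Println(Covered(map[string][]string{"0COMP_CODE": {"1000"}}, relevant, auth))         // true
	fmt.Println(Covered(map[string][]string{"0COMP_CODE": {"1000", "2000"}}, relevant, auth)) // false
	fmt.Println(Covered(map[string][]string{}, relevant, auth))                               // false: unrestricted
	rows := []Record{
		{"0COMP_CODE": "1000", "0COSTCENTER": "CC1", "AMOUNT": "10"},
		{"0COMP_CODE": "2000", "0COSTCENTER": "CC2", "AMOUNT": "20"},
		{"0COMP_CODE": "1000", "0COSTCENTER": "CC3", "AMOUNT": "30"},
	}
	fmt.Println(len(Filter(rows, relevant, auth))) // 2
}
```

The practical difference between the two functions matters for audits: rejecting an uncovered query tells the user that an authorization is missing, whereas silently filtering rows produces totals that look complete but are not, so the filtering variant should be reserved for cases such as offline clients where the consumer cannot be told about the restriction.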
Knowledge Management (KM) Security
The KM security aspects deal with preventing unauthorized access to documents and settings and preventing them from being manipulated.
Security in KM is achieved by implementing one or more of the following measures:
- Roles
- ACLs
- Security Zones
Roles are of three types:
- Content Manager: allows users to structure and manage content
- System Administrator: allows users to perform KM administration
- Content Administrator: allows users to perform KM-specific content administration
Knowledge Management (KM) Security
Restricting access permissions only by using the role concept or worksets is not sufficient. The use of ACLs is recommended.
- Access permissions on the root nodes of security-relevant repositories should be restricted immediately after installation, or after configuring new repository managers, in order to prevent documents from being read by users hacking or guessing document URLs.
- Change the ACLs of subordinate folders if different permissions apply to those folders.
Security zones
- Security zones restrict unauthorized direct access to KM content.
- For the initial KM content, the required permissions in the security zones are already assigned during installation of SAP NetWeaver.
KM Security - Communication Channel Security
Various channels of communication and technologies are used between the components and data sources in Knowledge Management.
The following technologies are used for communication:
- HTTP/HTTPS
- WebDAV
- ICE
- JDBC on OpenSQL
- Operating-system-dependent and database-specific technologies
Process Integration Security Risks ?
Why Is Security Necessary?
As the central infrastructure for exchanging business documents, PI has to make sure that the involved processes can be executed in a secure manner. Particular security requirements have to be considered if business partners communicate over the Internet.
XML messages may contain confidential business data. In order to protect them against eavesdropping and unauthorized access, the communication lines as well as the storage locations of XML messages need to be made secure.
In addition to the business data exchanged using PI, the various components of PI need to communicate with each other on a technical level in order to keep the infrastructure running. Security requirements apply to these technical communications as well, because confidential information such as user names and passwords may have to be sent or stored, or both.
PI Security - Communication
The components of a process integration (PI) landscape communicate with each other
for different purposes like configuration, administration, monitoring, or the actual
messaging.
The primary purpose of a PI landscape is to enable business partners and applications
to exchange XML messages (business documents). This includes business
communication between business systems, Integration Servers or Adapter Engines.
In addition to proper messaging, technical communication between various PI tools and
runtime components is required.
Two different technical protocols are used for these communications: HTTP and RFC.
PI Security - Authentication
Session-based single sign-on is supported for the dialog users of the PI tools.
A dialog user has to log on only once for all PI tools, provided that the same browser
session is used for each tool access, and that the tools are started from the same SAP
NetWeaver Application Server Java.
Single sign-on is also supported by the Runtime Workbench where access to other PI components is required (for example, for component monitoring).
PI Security Message Level Security
Message-level security allows you to digitally sign or encrypt documents exchanged between systems or business partners. It complements communication-level (transport) security by adding protection that stays with the message itself, which is particularly important for inter-enterprise communication. Message-level security is recommended, and sometimes a prerequisite, for inter-enterprise communication.
Certificate Store
- Message-level security processing is generally done in SAP NetWeaver Application Server Java (AS Java). If the Integration Server executes security processing, a Web service is called in the J2EE Engine. Therefore, the certificates as well as the certification authority (CA) certificates to be used must be entered into the keystore of the J2EE Engine that executes the security handling at runtime.
Archiving Secured Messages
- For non-repudiation purposes, signed messages are stored in a dedicated archive, the non-repudiation archive. It contains the data needed to prove the validity of the signature later. The following data is stored:
  The raw message
  The security policy as configured in the Integration Directory
  The sender certificate
Questions ?