Oct. 2014
Network and security configuration (EE2)
SAP SE
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
Building Block Configuration Guide
SAP Best Practices Network and security configuration (EE2): Configuration Guide
Copyright
© 2014 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
Icons: Caution, Example, Note, Recommendation, Syntax
Typographic Conventions
Type Style / Description
Example text / Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options. Cross-references to other documentation.
Example text / Emphasized words or phrases in body text, titles of graphics and tables.
EXAMPLE TEXT / Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.
Example text / Screen output. This includes file and directory names and their paths, messages, source code, names of variables and parameters as well as names of installation, upgrade and database tools.
EXAMPLE TEXT / Keys on the keyboard, for example, function keys (such as F2) or the ENTER key.
Example text / Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> / Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.
Content
1 Purpose
2 Preparation
2.1 Prerequisites
2.2 Intranet Deployment Security
2.2.1 Securing Network Channels
2.2.2 Additional Network Security
2.2.3 User management
2.3 Internet-facing Deployment Security
2.3.1 Enabling HTTPS for Apache Reverse Proxy
2.4 Single Sign On (SSO) Enablement
2.4.1 SSO with SAML 2.0
2.4.2 SSO with SSO2
2.4.3 SSO with X.509
2.4.4 Configuring logon procedure on Gateway
1 Purpose
The purpose of this document is to describe the security configuration related to SAP Fiori.
When running your SAP Business Suite system, you must ensure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time. These security requirements apply equally to SAP Fiori applications.
This document describes the basic security-related settings of the system components for internal and external network deployment, as well as the single sign-on (SSO) authentication configuration based on SAML 2.0, SSO2 and X.509.
The picture below shows an overview of the security landscape for the SAP Fiori internet and intranet scenarios.
2 Preparation
2.1 Prerequisites
Before you start installing this scenario, you must install the prerequisite building blocks. For more information, see the Building Block Prerequisites Matrix for SAP EE0_NWG740_BB_ConfigGuide_EN_XX.doc. You will find this document in the content library, attached to the Step-by-Step Guide.
PSEs must be created correctly, and SSL must be enabled on every server.
For information on how to create PSEs with the Trust Manager in ABAP systems, see http://help.sap.com → SAP NetWeaver → Function-Oriented View → Security → System Security → System Security for SAP NetWeaver AS ABAP Only → Trust Manager.
For information on how to enable SSL for SAP HANA XS, see http://help.sap.com → SAP In-Memory Computing → SAP HANA → SAP HANA Platform → SAP HANA Administration Guides → SAP HANA XS Administration Tools.
2.2 Intranet Deployment Security
2.2.1 Securing Network Channels
Securing network channels means transferring data in a way that resists eavesdropping and tampering. The network topology for SAP Fiori components is based on the topology used by SAP NetWeaver Gateway, SAP NetWeaver and SAP HANA.
To ensure the confidentiality and integrity of data, we recommend encrypting all communication channels. The following table shows the communication channels used by the SAP Fiori apps, the protocol used for the connections, and the type of data transferred.
Database encryption (the SQL channel) is supported by default and is not covered in this document. Only the encryption of the channels between the front-end and the back-end is discussed here.
Communication Path / Protocol Used / Type of Data Transferred
Web browser to SAP Web Dispatcher / OData HTTP/HTTPS / Application data and security credentials
SAP Web Dispatcher to ABAP front-end server (SAP NetWeaver Gateway) / OData HTTP/HTTPS / Application data and security credentials
SAP Web Dispatcher to HANA XS / OData HTTP/HTTPS / Application data and security credentials
SAP Web Dispatcher to ABAP back-end server (ERP, CRM, SRM, SCM) / INA HTTP/HTTPS / Application data and security credentials (for search and back-end transactions)
ABAP front-end server to ABAP back-end server (ERP, CRM, SRM, SCM) / RFC / Application data and security credentials
ABAP back-end server to SAP HANA or any DB / SQL / Application data and security credentials
2.2.1.1 Enabling SNC between Gateway and ABAP Backend System
2.2.1.1.1 Enabling SNC for the ABAP system
If SNC is not yet activated globally for your SAP system instances, follow these steps to enable it on both the SAP NetWeaver Gateway system and the SAP Backend Suite system.
1. Go to transaction RZ10, choose the instance profile, select Extended maintenance under Edit Profile, and then choose Change.
2. Set the following parameters.
Parameter / Explanation / Value
snc/enable / Activate SNC / 1
snc/gssapi_lib / Path and file name of the external shared library / for example, D:\usr\sap\local\SYS\exe\uc\NTAMD64\secude.dll
snc/identity/as / SNC name of the application server as known by the external security product / for example, p:CN=<host name>, OU=SAKP, O=SAP, C=DE
3. Restart the system.
If you also want your system to accept conventional connections that are not protected with SNC, you must additionally set the following parameters.
Parameter / Explanation / Value
snc/accept_insecure_gui / Accept unprotected SAP GUI logons / 1
snc/accept_insecure_rfc / Accept unprotected RFCs / 1
snc/accept_insecure_cpic / Accept unprotected CPICs / 1
snc/permit_insecure_start / Allows the gateway to start programs without using SNC-protected communications / 1
2.2.1.1.2 Securing an RFC connection with SNC
On the SAP Backend Suite System, from the Display and maintain RFC destinations screen (transaction SM59):
1. Place the cursor on the RFC destination to change and choose Change.
2. Choose the Logon & Security tab page.
3. Under Status of Secure Protocol choose the SNC button. The Change View "SNC Extension: Details" screen appears.
4. Enter the quality of protection in the QoP field. Keep the default value 8.
(QoP = Quality of Protection; the default value is 8, the maximum value is 9.)
5. Enter the SNC name of the communication partner in the Partners field. Here input the SNC name of the SAP Netweaver Gateway system, which was defined in the previous section.
6. Save the SNC options. You return to the destination maintenance screen.
7. Choose the radio button “Active” under Status of Secure Protocol.
8. Save the settings.
Next, in your SAP NetWeaver Gateway system, you have to define every system that is allowed to connect using SNC, so add your SAP Backend Suite system to the access control list.
1. In your SAP NetWeaver Gateway system, open transaction SNC0.
2. Choose New Entries and specify the system ID and the SAP Backend Suite system's SNC name, for example:
p:CN=<SAP Backend Suite host>, OU=SAKP, O=SAP, C=DE
3. Select the checkbox Entry for RFC activated.
4. Save the changes.
Finally, go back to your SAP Backend Suite system, where you set up the SNC-enabled RFC destination, and run a connection test and an authorization test.
1. In your SAP NetWeaver Gateway system, open transaction SM59.
2. Choose the ABAP connection that needs to be tested.
3. Choose Display.
4. Choose the menu Utilities → Test → Connection Test.
5. Choose the menu Utilities → Test → Authorization Test.
Allow some time for the configuration to take effect before running the connection and authorization tests.
2.2.1.2 Enable Web Dispatcher to use HTTPS
For information on how to enable HTTPS in the SAP Web Dispatcher, refer to chapter 4.2 of the EE0 configuration guide.
2.2.1.3 Enabling Front-end server to use HTTPS
1. Download SAP Cryptographic Library Installation Package.
Access the SAP Service Marketplace at https://service.sap.com/swdc → Support Packages and Patches → Browse our Download Catalog → Additional Components → SAPCRYPTOLIB 5.5.5.
Choose the OS platform of your SAP NetWeaver Gateway server and download the package with the latest patch level.
2. Use tool SAPCAR to extract the package.
SAPCAR -xvf <Package Path> -R <Extract to Folder>
The SAP Cryptographic Library installation package contains the following files:
· The SAP Cryptographic Library (sapcrypto.dll for Windows NT or libsapcrypto.<ext> for UNIX).
· A corresponding license ticket (ticket).
· The configuration tool sapgenpse.exe.
3. Installing the SAP Cryptographic Library.
1) Log on to the system as user <SID>adm.
2) Copy the library file and the configuration tool sapgenpse.exe to the directory specified by the application server's profile parameter DIR_EXECUTABLE.
3) Check the file permissions for the SAP Cryptographic Library. Make sure that <SID>adm or SAPService<SID> is able to execute the library's functions.
4) Copy the ticket file to the sub-directory sec in the instance directory $(DIR_INSTANCE).
5) Set the environment variable SECUDIR to the sec sub-directory. The application server uses the variable to locate the ticket and its credentials at run-time.
If you set the environment variable on the command line, the value may not be applied to the server's processes. Therefore, we recommend setting SECUDIR in the startup profile for the server's user or in the registry (Windows NT).
4. Set the SSL Profile Parameters.
1) Log on to the SAP NetWeaver Gateway system.
2) Access the transaction using the following transaction code:
Transaction code: RZ10
3) Add the following parameters:
ssl/ssl_lib=<DIR_EXECUTABLE>/sapcrypto.dll
sec/libsapsecu=<DIR_EXECUTABLE>/sapcrypto.dll
ssf/name=SAPSECULIB
ssf/ssfapi_lib=<DIR_EXECUTABLE>/sapcrypto.dll
icm/server_port_1=PROT=HTTPS,PORT=443<System No.>,TIMEOUT=30,EXTBIND=1
Note that these values are an example for Windows NT.
4) Save and restart the SAP instance.
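As an added check that is not part of this guide or of SAP's own tooling, the following Python script reads an instance profile and audits the SNC parameters from section 2.2.1.1.1 together with the SSL and ICM parameters from step 4 above; the sample profile, host name and paths are constructed.

```python
# Added audit script (constructed example, not an SAP tool): reads an instance
# profile and checks the SNC and SSL/ICM parameters this guide sets in RZ10.
SAMPLE_PROFILE = """# constructed sample profile; Windows paths as in the guide
snc/enable = 1
snc/gssapi_lib = D:\\usr\\sap\\local\\SYS\\exe\\uc\\NTAMD64\\secude.dll
snc/identity/as = p:CN=gwhost, OU=SAKP, O=SAP, C=DE
snc/accept_insecure_rfc = 1
ssl/ssl_lib = D:\\usr\\sap\\GW1\\SYS\\exe\\uc\\NTAMD64\\sapcrypto.dll
ssf/name = SAPSECULIB
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300,TIMEOUT=30,EXTBIND=1
"""
SNC_INSECURE = ("snc/accept_insecure_gui", "snc/accept_insecure_rfc",
                "snc/accept_insecure_cpic", "snc/permit_insecure_start")
SSL_REQUIRED = ("ssl/ssl_lib", "sec/libsapsecu", "ssf/name", "ssf/ssfapi_lib")

def parse_profile(text):
    """Return {parameter: value}; '#' comments and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def parse_icm_port(value):
    """Split 'PROT=HTTPS,PORT=44300,TIMEOUT=30,EXTBIND=1' into a dict."""
    return dict(kv.split("=", 1) for kv in value.split(",") if "=" in kv)

def audit_profile(text):
    """Return the findings; an empty list means the guide's settings are all present."""
    p, findings = parse_profile(text), []
    if p.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC is off")
    for key in ("snc/gssapi_lib", "snc/identity/as"):
        if not p.get(key):
            findings.append(f"{key} is missing")
    for key in SNC_INSECURE:  # section 2.2.1.1.1: these keep unprotected logons/RFCs open
        if p.get(key) == "1":
            findings.append(f"{key}=1: unprotected connections are still accepted")
    for key in SSL_REQUIRED:  # step 4 of section 2.2.1.3
        if not p.get(key):
            findings.append(f"{key} is missing")
    ports = [parse_icm_port(v) for k, v in p.items() if k.startswith("icm/server_port_")]
    if not any(d.get("PROT", "").upper() == "HTTPS" for d in ports):
        findings.append("no icm/server_port_N with PROT=HTTPS")
    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
```

The snc/accept_insecure_* findings are informational when you deliberately keep unprotected connections open in parallel, as described in section 2.2.1.1.1.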
5. Creating Personal Security Environments (PSEs).
Transaction STRUST is used to manage the configuration of your system’s SSL certificates and the secure containers within which they are stored (known as PSEs).
A Personal Security Environment (PSE) is a secure, operating system level file, managed by an SAP system that holds both the public and private information of either a user or a component.
This information includes the owner’s public-key certificate, a private address book of certificates and their private key.
Each component within an SAP system that requires the use of SSL based communication typically has its own PSE.
Each PSE can contain a list of trusted certificates that will be used during communication with a particular secure server.
For more information on how to configure PSEs, see http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → Function-Oriented View → Security → Network and Transport Layer Security → Transport Layer Security on the AS ABAP → Configuring the AS ABAP for Supporting SSL.
Next, create the “SSL Server Standard” PSE. This is the PSE that holds your SSL server’s certificate.
The “SSL Client (Standard)” PSE holds a list of trusted certificates used when SAP NetWeaver Gateway acts as an HTTPS client, for example during back-channel communication with the Identity Provider.
The PSEs called “SSF SAML2 Service Provider – E” and “SSF SAML2 Service Provider - S” belong to SAP’s Secure Store & Forward (SSF) component. Unless you need to use non-standard settings, do not create these PSEs manually. They are created for you when the SAML2 configuration wizard is run.
SSF SAML2 Service Provider – E Used by SSF to encrypt data sent to the Identity Provider.
SSF SAML2 Service Provider – S Used by SSF to sign data sent to the Identity provider. Signed data can be sent either in encrypted form or as plain text.
You must import the CA root certificate of the “SSL Server Standard” PSE's own certificate into the trusted certificate lists of the “SSL Client (Standard)” and “SSL Client (Anonymous)” PSEs to support the internal SSL connection within the ABAP front-end server.
6. Then verify that the service can be called in a web browser using the https prefix: https://<SAP NW Gateway Host>:<HTTPS port>/sap/bc/ping?sap-client=<SAP Client>.