Identity Management Security Guide

7/29/2019 Identity Management Security Guide
http://slidepdf.com/reader/full/identity-management-security-guide

SAP NetWeaver Identity Management 7.0 SPS 1

SAP NetWeaver Identity Management Security Guide

Document Version 1.00 – December 2007


SAP AG
Neurottstraße 16
69190 Walldorf
Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com

© Copyright 2007 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.

Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Documentation on SAP Service Marketplace

You can find this documentation at service.sap.com/securityguide


Typographic Conventions

Type Style        Represents
Example Text      Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text      Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT      Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text      Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text      Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>    Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT      Keys on the keyboard, for example, F2 or ENTER.

Icons

The icons used in this guide mark the following kinds of text: Caution, Example, Note, Recommendation, Syntax.


Contents

1 INTRODUCTION
1.1 Target Audience
1.2 Why Is Security Necessary?
1.3 About this Document
1.3.1 Overview of the Main Sections

2 BEFORE YOU START
2.1 Important SAP Notes
2.2 Additional Information
2.3 External security information

3 TECHNICAL SYSTEM LANDSCAPE
3.1 Architecture
3.2 Usage

4 USER ADMINISTRATION AND AUTHENTICATION
4.1 Identity Center database logins and roles
4.2 Admin login
4.3 Run-time login
4.4 Monitoring login
4.5 Workflow login
4.5.1 Using SecurID
4.6 Binding database users to operating system
4.7 Virtual Directory Server Login
4.8 Integration into Single Sign-On Environments
4.8.1 Use
4.8.2 Configuring the Identity Center for use with SAP Logon Tickets

5 NETWORK AND COMMUNICATION SECURITY
5.1 HTTP security (SSL)
5.2 Database connectivity security
5.3 Identity Center: Repository security
5.4 Virtual Directory Server: LDAP security
5.5 Virtual Directory Server: Web Services security
5.6 Securing AS ABAP connections
5.7 Firewall settings
5.8 AS ABAP connections
5.9 AS Java connections
5.10 External applications credentials

6 DATA STORAGE SECURITY
6.1 Use
6.2 Identity Center encryption
6.2.1 Runtime components and configuration UI keys.ini
6.2.2 Workflow keys.ini
6.2.3 The encrypted data
6.2.4 Maintaining the keys.ini file
6.3 Password provisioning
6.4 Virtual Directory Server Keystores
6.5 Configuration files
6.6 Configuration UI
6.7 Dispatcher
6.8 Event agent server
6.9 Workflow
6.10 Monitoring
6.11 Virtual Directory Server configuration file

7 IDENTITY CENTER WEB SERVER SECURITY AND PHP
7.1 Extensions
7.2 Session security
7.3 Additional PHP configuration
7.4 Cross-site scripting
7.5 Restricting access to internal files

8 OTHER SECURITY-RELEVANT INFORMATION
8.1 The Identity Center configuration UI
8.2 Monitoring web interface
8.3 Possible configuration vulnerability
8.4 Disaster recovery
8.5 Backup

9 APPENDIX
9.1.1 Security check list for the Identity Center
9.1.2 Security check list for the Virtual Directory Server


Introduction December 2007


1 Introduction

This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.

1.1 Target Audience

• Technology consultants

• System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.

1.2 Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time.

SAP NetWeaver Identity Management has a central role in managing accounts and access rights in other applications. Any unauthorized change to data in the Identity Management solution may therefore also affect other applications.

To assist you in securing the identity management solution, we provide this Security Guide.

SAP NetWeaver Identity Management - Identity Center 1


1.3 About this Document

The Security Guide provides an overview of the security-relevant information that applies to SAP NetWeaver Identity Management, abbreviated Identity Management. This product consists of the components Identity Center and Virtual Directory Server.

1.3.1 Overview of the Main Sections

The Security Guide comprises the following main sections:

• Before You Start
  This section contains information about why security is necessary, how to use this document and references to other Security Guides that build the foundation for this Security Guide.

• Technical System Landscape
  This section provides an overview of the technical components and communication paths that are used by the Identity Management.

• User Administration and Authentication
  This section provides an overview of the following user administration and authentication aspects:
  - User types that are required by the Identity Management.
  - Standard users that are delivered with Identity Management.
  - Overview of the user synchronization strategy, if several components or products are involved.

• Integration into Single Sign-On Environments
  This section provides an overview of how integration into Single Sign-On environments is possible.

• Network and Communication Security
  This section provides an overview of the communication paths used by the Identity Management and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

• Data Storage Security
  This section provides an overview of any critical data that is used by the Identity Management and the security mechanisms that apply.

• Configuration files
  This section describes how the configuration files are secured.

• Identity Center web server security and PHP
  This section describes how the web server for Monitoring/Workflow is secured.

• Other Security-Relevant Information
  This section contains information about:
  - Disaster recovery
  - Backup

• Appendix
  This section provides a security check list.



2 Before You Start

2.1 Important SAP Notes

The most important SAP Notes that apply to the security of SAP NetWeaver Identity Management are shown in the table below.

Important SAP Notes

SAP Note Number   Title
1069458           SAP NetWeaver Identity Management 7.0 – Identity Center

2.2 Additional Information

For more information about specific topics, see the Quick Links as shown in the table below.

Quick Links to Additional Information

Content                                                                                                                     Quick Link on the SAP Service Marketplace
Security                                                                                                                    service.sap.com/security
Security Guides                                                                                                             service.sap.com/securityguide
SAP NetWeaver Security Guide (the sections about SAP logon tickets and Secure Network Communications contain relevant information)   service.sap.com/securityguide
Related SAP Notes                                                                                                           service.sap.com/notes
Released platforms                                                                                                          service.sap.com/platforms
Network security                                                                                                            service.sap.com/network

2.3 External security information

The following documents contain relevant security information for important external systems:

PHP Manual, section IV Security             http://www.php.net/download-docs.php
Microsoft SQL Server                        See the documentation for the database system.
Oracle Database 10g Release 2 Security      http://www.oracle.com/technology/deploy/security/database-security/pdf/twp_security_db_database_10gr2.pdf
Setting up Tomcat for SSL                   http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html



3 Technical System Landscape

3.1 Architecture

The figure below shows an overview of the technical system landscape for SAP NetWeaver Identity Management.

[Figure: Technical system landscape. The Identity Center (IC) database (stored procedures, logs, audit, identity store) is accessed over the database protocol by the MMC Admin UI, by the Apache/PHP Workflow and Monitoring web applications (reached by end users over HTTP/S), by the Dispatcher, which starts the Data Synchronization Engine runtimes DSE (Java) and DSE (VB), and by the Virtual Directory Server (VDS) running in Web AS (Java). The DSE runtimes and the VDS connect to external repositories (database protocol, LDAP, Java, ABAP, Web Services, Active Directory, etc.) and to external applications (SAP HR, LDAP/Web Services, SiteMinder, application-specific interfaces). The runtime components and the VDS keep logs and configuration on the file system.]

The Identity Center database holds all information about managed users and the corresponding account information. All communication between the applications and the database uses the database libraries. In addition, external repositories are accessed from the Identity Center and Virtual Directory Server to create user accounts and manage access rights. Which systems are accessed depends on each specific implementation.

Note: The separate components have different installation jobs, and although it is possible to install everything (including the database) on the same server, different servers will be used in a production environment.

The Virtual Directory Server uses separate configuration files, which may be stored in the database. By default the Virtual Directory Server logs to the file system, but the logging is done using Log4j, so the logging is configurable.

To achieve high availability, as well as load balancing, the Identity Center solution should be installed on multiple servers:

• The database should be clustered.
• Workflow and Monitoring should be deployed in separate web server clusters.
• At least two servers should be installed with the runtime components. The Virtual Directory Server may also be installed on these same servers or on separate servers.

For more information about the technical system landscape, see the resources listed in the table below.



More Information about the Technical System Landscape

Topic                  Guide/Tool
Install guides         SAP NetWeaver Identity Management Identity Center Installation Overview (incl. referenced installation guides for each component)
                       SAP NetWeaver Identity Management Virtual Directory Server Installation and initial configuration
Monitoring & cleanup   SAP NetWeaver Identity Management Identity Center Implementation Guide: Monitoring and cleanup
Staging                SAP NetWeaver Identity Management Identity Center Implementation Guide: Staging environment
Disaster recovery      SAP NetWeaver Identity Management Identity Center Implementation Guide: Disaster Recovery

3.2 Usage

The Identity Management is used to manage accounts and access rights in other applications. Information about all users and the corresponding accounts is held in the Identity Center database. The Data Synchronization Engine (Java and VB) and the Virtual Directory Server are used to manage the users in the target systems, and therefore need enough access rights to be able to create and delete accounts and to grant and revoke access rights.

The system administrators will use the Monitoring interface to monitor the operations of the system. This interface gives access to logs and audits, but also to the identity store data, showing information about users and accounts. Although it is not possible to change data from the Monitoring interface, some of this data may be considered sensitive, and this should be taken into account when giving access to the management application. Only the admin user has access to the identity store.



4 User Administration and Authentication

4.1 Identity Center database logins and roles

When a new Identity Center database is created, a number of database roles and logins are also created, as described in this section. If required, additional database logins can be created and given access rights by assigning roles. This has to be done using the corresponding database administrator tool.

In the list of roles and users below, all names start with mxmc_; this is the default prefix when installing the Identity Center database. If a database is installed with a different prefix, all roles and users are created accordingly.

Role              Login        Description
<None>            mxmc_oper    This user is the owner of the database and has full access to all tables. It should only be used for database upgrades.
mxmc_admin_role   mxmc_admin   This role has to be used when creating a solution. It has all the necessary access rights for creating tasks, jobs and other objects in the database. It is also used by the administrator in the Monitoring interface.
mxmc_user_role    mxmc_user    This role has mostly read access to the database, and can be used to inspect the configuration.
mxmc_rt_role      mxmc_rt      This role is only used by the runtime components, and has very limited access to the database.
mxmc_prov_role    mxmc_prov    This role is only used by the Workflow interface, and has the necessary access rights for doing all the provisioning operations.

Note: On Microsoft SQL Server, users are created in addition to logins. The users are created in the database context and have the same name as the login, followed by _u, for example mxmc_admin_u.

4.2 Admin login

The SAP NetWeaver Identity Management Identity Center Getting Started guide describes how to add an Identity Center to the configuration UI using the connection wizard. For security reasons, the optional parameter "Allow password saving" should not be checked for the Admin user. The user is then prompted for the password every time the configuration UI connects to the database.

If several people are using the configuration UI, separate logins should be created for each user. The mxmc_admin or mxmc_user role can be used, depending on the access required.



4.3 Run-time login

The run-time (RT) connection string must have "Allow password saving" set (unless the RT login is bound to an operating system login), because the runtime is a background process and there is no user to provide the password. If an operating system login is used, the service must run as that user.

4.4 Monitoring login

When starting the Monitoring interface, the mxmc_admin or mxmc_user login must be used.

4.5 Workflow login

The Workflow web application logs in to the database using the mxmc_prov user. This login is stored in an encrypted connection string in the Workflow configuration file.

In the Workflow login screen, the user selects the identity store to log into and provides a user name and password. The attribute MSKEYVALUE holds the user name and the attribute MX_PASSWORD holds an MD5 digest of the password. (MD5 is a one-way hash, not encryption: the stored value cannot be decrypted back to the password, but MD5 is fast to compute and, if stored without a salt, offers little resistance to dictionary and precomputation attacks. Access to the identity store data, including through the Monitoring interface, should be restricted accordingly.)

Users are created either by workflow tasks, or by data being synchronized from other applications using the synchronization mechanisms of the Identity Center.

4.5.1 Using SecurID

The document RSA Secured Implementation Guide Administrative Interoperability, found in the folder \RSA SecurID in the installation kit of the Identity Center, describes how to configure provisioning with SecurID. Information about secure login to the web server is described in documentation found on http://www.rsa.com.

The Workflow also supports a number of other authentication methods:

• CA SiteMinder 

• CAMS

• Kerberos

• LDAP Server 

• RSA ClearTrust

• RSA SecurID

• SAML

• Windows

• User defined

4.6 Binding database users to operating system

On Microsoft Windows it is possible to bind a Microsoft SQL Server database login to a Microsoft Windows login. This avoids storing passwords in the connection string. For details on how to do this, and how to define the connection strings, see the documentation for Microsoft SQL Server.
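Sections 4.2, 4.3 and 4.6 reduce to one check on the stored connection strings: an interactive login (mxmc_admin, mxmc_user) should not carry a saved password, and an unattended login (mxmc_rt, mxmc_prov) should preferably be bound to the service's operating system account instead of storing one. The following Python script is an added example, not part of this guide or of the product, that audits connection strings for these conditions. The guide does not show the product's own connection-string format, so the ADO/ODBC "Key=Value;" syntax, the Windows-authentication keywords (Integrated Security=SSPI, Trusted_Connection=yes) and the sample strings are assumptions made for the example.

```python
"""Audit Identity Center database connection strings for saved passwords.

Added example (not from the SAP guide). Assumes ADO/ODBC-style
"Key=Value;Key=Value" connection strings as used by SQL Server clients;
the sample strings at the bottom are constructed for illustration.
"""
from typing import Dict, List

# Logins named in the guide. Interactive logins should prompt for the
# password; unattended logins either need a saved password or, better,
# an OS-bound login (integrated security) so no password is stored.
INTERACTIVE_LOGINS = {"mxmc_admin", "mxmc_user"}
UNATTENDED_LOGINS = {"mxmc_rt", "mxmc_prov"}

PASSWORD_KEYS = {"password", "pwd"}
INTEGRATED_KEYS = {
    ("integrated security", "sspi"), ("integrated security", "true"),
    ("trusted_connection", "yes"), ("trusted_connection", "true"),
}


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split 'Key=Value;...' into a dict with lower-cased keys.

    Only the first '=' of a segment separates key and value, so values
    containing '=' survive; empty segments (trailing ';') are skipped.
    """
    parts: Dict[str, str] = {}
    for segment in cs.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        key, sep, value = segment.partition("=")
        if not sep:
            raise ValueError(f"malformed segment: {segment!r}")
        parts[key.strip().lower()] = value.strip()
    return parts


def uses_integrated_security(parts: Dict[str, str]) -> bool:
    """True if the string requests Windows (OS-bound) authentication."""
    return any(parts.get(k, "").lower() == v for k, v in INTEGRATED_KEYS)


def audit_connection_string(cs: str) -> List[str]:
    """Return findings for one connection string; an empty list means clean."""
    parts = parse_connection_string(cs)
    login = (parts.get("user id") or parts.get("uid") or "").lower()
    has_password = any(parts.get(k, "") != "" for k in PASSWORD_KEYS)
    integrated = uses_integrated_security(parts)
    findings: List[str] = []

    if login in INTERACTIVE_LOGINS and has_password:
        findings.append(f"{login}: password saved in connection string; "
                        "leave 'Allow password saving' unchecked for interactive logins")
    if login in UNATTENDED_LOGINS and not has_password and not integrated:
        findings.append(f"{login}: unattended login has neither a saved password "
                        "nor an OS-bound login; the service cannot connect")
    if login in UNATTENDED_LOGINS and has_password and not integrated:
        findings.append(f"{login}: saved password for a service login; bind the "
                        "login to the service's OS account instead (section 4.6)")
    if not login and not integrated:
        findings.append("no login name and no integrated security: "
                        "cannot tell which database principal connects")
    if has_password and integrated:
        findings.append("password and integrated security both set; the password "
                        "is ignored but still stored")
    return findings


# Constructed sample strings (not taken from the guide).
SAMPLES = {
    "admin_saved": "Provider=SQLOLEDB;Data Source=idmdb01;Initial Catalog=MXMC_DB;"
                   "User ID=mxmc_admin;Password=Secr3t!;",
    "admin_prompt": "Provider=SQLOLEDB;Data Source=idmdb01;Initial Catalog=MXMC_DB;"
                    "User ID=mxmc_admin;",
    "rt_saved": "Provider=SQLOLEDB;Data Source=idmdb01;Initial Catalog=MXMC_DB;"
                "User ID=mxmc_rt;Password=Secr3t!;",
    "rt_bound": "Provider=SQLOLEDB;Data Source=idmdb01;Initial Catalog=MXMC_DB;"
                "Integrated Security=SSPI;",
}

if __name__ == "__main__":
    for name, cs in SAMPLES.items():
        print(name, audit_connection_string(cs) or ["ok"])
```

Run over the strings in the configuration UI's saved connections and the runtime and Workflow configuration files (after decrypting the Workflow one); the only strings that should come back clean are interactive logins without a password and service logins using integrated security.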



4.7 Virtual Directory Server Login

The Virtual Directory Server authenticates users against a table of users in the Virtual Directory Server configuration file, which holds the login name (which may be a DN, but this is not a requirement) together with an MD5 digest of the password. The Virtual Directory Server architecture allows external authentication to be plugged in.
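Both the Workflow login (section 4.5, attribute MX_PASSWORD) and the Virtual Directory Server user table above store an MD5 value of the password. The following Python example is added here and is not part of this guide or of the product: it shows what verification against such a value looks like, why a fast unsalted digest falls to a word list even though it cannot be "decrypted", and a salted, iterated alternative (PBKDF2-HMAC-SHA256 from the standard library). The storage format is an assumption (lower-case hex MD5 of the UTF-8 password; the guide does not state it), and the user table and word list are constructed.

```python
"""MD5 password verification, a dictionary attack on it, and a salted
iterated alternative.

Added example, not from the SAP guide. Assumption: the stored value is
the lower-case hex MD5 digest of the UTF-8 password. The user table and
word list below are constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed user table in the shape the guide describes: login name
# (a DN for the VDS, a plain name for Workflow) -> MD5 digest.
USER_TABLE: Dict[str, str] = {
    "cn=vdsadmin,o=example": hashlib.md5(b"summer2007").hexdigest(),
    "jdoe": hashlib.md5(b"N0t-in-any-list!").hexdigest(),
}


def md5_verify(table: Dict[str, str], login: str, password: str) -> bool:
    """Verify a password against an unsalted MD5 digest (constant-time compare)."""
    stored = table.get(login)
    if stored is None:
        return False
    candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, stored)


def md5_dictionary_attack(table: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Recover passwords from an unsalted MD5 table using a word list.

    Without a salt, one digest per candidate word tests it against every
    user at once (work is proportional to the word list, not to
    words x users), and precomputed digest tables apply directly.
    """
    by_digest = {digest: login for login, digest in table.items()}
    recovered: Dict[str, str] = {}
    for word in wordlist:
        digest = hashlib.md5(word.encode("utf-8")).hexdigest()
        if digest in by_digest:
            recovered[by_digest[digest]] = word
    return recovered


# Stronger alternative: per-user random salt and an iterated KDF.
PBKDF2_ITERATIONS = 200_000


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(stored: str, password: str) -> bool:
    """Verify against the format produced by pbkdf2_hash (constant-time compare)."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    words = ["password", "summer2007", "welcome1"]   # constructed word list
    print("verify jdoe:", md5_verify(USER_TABLE, "jdoe", "N0t-in-any-list!"))
    print("recovered:", md5_dictionary_attack(USER_TABLE, words))
    h = pbkdf2_hash("summer2007")
    print("pbkdf2:", pbkdf2_verify(h, "summer2007"), pbkdf2_verify(h, "summer2008"))
```

The practical consequence for this product is the one stated in section 3.2: the identity store data, which includes these digests, is readable through the Monitoring interface and the database, so access to both must be limited to the people who need it, and password quality for Workflow and VDS users matters more than it would with a salted, slow hash.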

4.8 Integration into Single Sign-On Environments

4.8.1 Use

The Identity Management supports the Single Sign-On (SSO) mechanisms provided by the SAP Web Application Server. Therefore, the security recommendations and guidelines for user administration and authentication described in the SAP Web Application Server Security Guide also apply to the Identity Management.

The supported mechanisms are listed below.

SAP logon tickets

The Identity Management supports the use of logon tickets for SSO when using a Web browser as the frontend client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.

You can find more information under SAP Logon Tickets in the SAP Web Application Server Security Guide.

4.8.2 Configuring the Identity Center for use with SAP Logon Tickets

The authentication method in the Identity Center is configured for each identity store. In the "Workflow" tab of the identity store, select "SAP Logon Tickets". For further details, see the section Integrating Identity Center Workflow in the SAP NetWeaver Portal in the document SAP NetWeaver Identity Management Identity Center: Installing Identity Center Workflow.

5 Network and Communication Security

See the architecture figure in section 3.1.

5.1 HTTP security (SSL)

Security between the end user and the web application is achieved by securing the web server, and is outside the scope of Identity Center security.

5.2 Database connectivity security

All connections between the components and the database use standard database protocols, and are defined using database connection strings.

To secure these, use the secure connection strings as defined by the database.



5.3 Identi ty Center: Repository securityCommunication with the repositories uses either LDAP, database or application specificcommunication. The communication options are defined for each job connecting to the given

repository.The LDAP protocol supports simple authentication, SSL, NTLM or Kerberos.

For database connections, either JDBC or OLEDB connection strings are used, and securityis handled by the corresponding database library.

For application specific communication, security must be considered in each case.

5.4 Virtual Directory Server: LDAP security
The Virtual Directory Server supports SSL for incoming LDAP requests. This requires setting up a keystore holding a private key. The sections Maintaining keystore references and Maintaining deployments in the help system for the Virtual Directory Server contain more details.

5.5 Virtual Directory Server: Web Services security
The Virtual Directory Server uses Apache Tomcat for handling incoming web services requests. To set up secure web services, please see the Apache Tomcat documentation.

The Virtual Directory Server supports client-side and server-side authentication. If only server-side authentication is required, you need only one keystore (holding a private key).

If client-side authentication is required, you will typically have one more keystore in which all "trusted" certificates are stored.

On the server side, the Virtual Directory Server will have a pair of keystores for each of the backends that requires SSL.

The following link describes how to set up Tomcat with SSL:

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

5.6 Securing AS ABAP connections
Connections to AS ABAP systems use the Java Connector (JCo), which uses Remote Function Calls (RFC). These connections can be secured using Secure Network Communications (SNC).

For more information, see the SNC documentation on the Help Portal at http://help.sap.com/saphelp_nw70/helpdata/en/e6/56f466e99a11d1a5b00000e835363f/frameset.htm and the document Provisioning Framework for SAP Systems: Connectivity, available on the SAP Developer Network at https://www.sdn.sap.com/irj/sdn/security.

5.7 Firewall settings
The firewall must be open to allow database communication between the components and the database.

The firewall must be open to allow the runtime components and the Virtual Directory Server to communicate with external applications. The ports depend on the communication protocol.

There are no specific firewall requirements in the solution, but it is important to protect the systems from unauthorized access.


5.8 AS ABAP connections
Connections to AS ABAP applications use RFC/JCo and can be secured using Secure Network Communications (SNC).

5.9 AS Java connections
Connections to AS Java applications use the HTTP protocol and can be secured using SSL.

5.10 External applications credentials
Make sure to set up procedures for handling password changes of the accounts in the external applications used by the Identity Center and the Virtual Directory Server, as such changes also require changes in the configuration.

For the Identity Center, the passwords should always be stored in a repository definition.

For the Virtual Directory Server, the passwords are stored in the single source definitions.

6 Data Storage Security

6.1 Use
The Identity Center provides encryption to protect various information in the system. The following information can be encrypted:

• Connection strings, used to connect to the Identity Center database or other repositories. These are always encrypted.

• Passwords, which are stored in configurations. These are always encrypted.

• Job constants and global constants can be encrypted if desired.

• Any attribute value within the identity store can be encrypted if desired, using 3DES or MD5. MD5 is used for the MX_PASSWORD attribute. All other attributes are stored in the clear, unless modified in the installation. When an attribute is encrypted, so are all historic values for the given attribute. However, changing the encryption setting on an existing attribute does not change any values already in the identity store.


6.2 Identity Center encryption
It is recommended that 3DES encryption is used. The encryption algorithm to be used is defined in the Tools/Options… dialog in the configuration UI, and has two options:

• Standard. This is a built-in proprietary algorithm with a hardcoded password. It does not provide very high security, and is closer to scrambling of data than to encryption.

• 3DES. This uses the 3DES algorithm for encrypting information.

Since the encrypted values must be accessible by runtime components without human intervention, the encryption keys are stored in a file in the file system, called keys.ini. This file must be accessible by the Workflow and all runtime engines in the system. Also make sure that you do not use the default keys.ini installed by the Workflow, but that the keys are updated.

The keys.ini file must be protected using file system protection, to prevent unauthorized access. The file must be accessible by the service user running the dispatcher and the user running the Workflow at the web server.

6.2.1 Runtime components and configuration UI keys.ini

For the runtime components and configuration UI, the keys.ini file is stored in the following directory:

<installation directory>\KEY\keys.ini

In a default installation, this will be:

C:\Program Files\SAP\IdM\Identity Center\KEY\keys.ini

This file is not installed by the installation job.

6.2.2 Workflow keys.ini

For the Workflow, the reference to the keys.ini file is found in the configuration file, which is stored in:

<installation directory>\config\config.xml

The Workflow installation installs a default keys.ini file, and the reference to this file is added to the config.xml file. The default keys.ini file should be changed in a production environment.


6.2.3 The encrypted data

The keys.ini file can hold any number of 3DES keys. Only one of the keys is used for encryption. The other keys are old keys, which are kept in the keys.ini file to be able to decrypt older data.

When data is encrypted using 3DES, the result is prefixed by {DES3} followed by the number of the key used for the encryption. Then the encrypted data is stored as base64. Below is a sample of encrypted data:

{DES3}7:7d081564e69f342d81174fc8c6f19ce9

This data is encrypted using key number 7.

Data encrypted with the internal (proprietary) algorithm is prefixed with {crypt}.

6.2.4 Maintaining the keys.ini file

It is important that all components encrypting and decrypting data use the same set of encryption keys. This section describes how to maintain the keys.ini file in a multi-server environment.

6.2.4.1 Setting up the initial key

Start by creating a new keys.ini file using a text editor. The format of the file is shown below. The file installed with the Workflow can be used as a template for this, but make sure to change the actual keys. The simplest way of generating a new key is to enter the key using a text editor.

The key must be exactly 48 hex characters.

Below is a sample of the contents of the file:

[KEYS]
KEY001=78664478B8AA7899FF1009887837FFEDCCBAA77897DDA009
[CURRENT]
KEY=KEY001

Then copy this file to all servers running Workflow, runtime components or the configuration UI. Any encryption is now done using key number 1, and the encrypted data is prefixed with {DES3}1:.

6.2.4.2 Adding a new key

After some time (dictated by the security policy of your organization), a new key should be added:

[KEYS]
KEY001=78664478B8AA7899FF1009887837FFEDCCBAA77897DDA009
KEY002=7749487289BBCBD9A9E9F888D9E8F900A98F7D543A4566B6
[CURRENT]
KEY=KEY001

Leave the current key set to 1, and then distribute the file to all relevant locations, as described above. Now all applications are able to decrypt data which in the future will be encrypted with key number 2.


After the file is distributed, update the current key to key number 2, and distribute the file again:

[KEYS]
KEY001=78664478B8AA7899FF1009887837FFEDCCBAA77897DDA009
KEY002=7749487289BBCBD9A9E9F888D9E8F900A98F7D543A4566B6
[CURRENT]
KEY=KEY002

Any new encryption is now performed using key number 2, while old data that is still encrypted using key number 1 can still be decrypted.

6.3 Password provisioning
The MX_PASSWORD attribute is hashed using the one-way MD5 algorithm. However, if the Identity Center is to do password provisioning, i.e. updating passwords in target systems, a two-way encrypted password must also be saved. This is done using the attribute MX_ENCRYPTED_PASSWORD, where the password is saved using two-way encryption.

A job updating a target system will be able to decrypt the password and update the target system.

The following recommendations apply:

• Ensure that history is not kept for MX_ENCRYPTED_PASSWORD.

• Ensure that the MX_ENCRYPTED_PASSWORD attribute is deleted when the password has been updated in all target systems.

6.4 Virtual Directory Server Keystores
The Virtual Directory Server uses keystores for holding private and public keys, which are used for various purposes. To set up an SSL connection over LDAP, the Virtual Directory Server needs a private key, which is stored in a keystore. Information about the keystore, including the password to access the private key, is stored in the Virtual Directory Server configuration file. The Virtual Directory Server configuration file must be encrypted to protect against unauthorized access to the keystore passwords.

6.5 Configuration files
The configuration files used by the Identity Center will in most cases contain a connection string, which is used when the application connects to the Identity Center database.

6.6 Configuration UI
The configuration data for the configuration UI is stored in the file <installdir>\EMSConfig.xml. It contains an encrypted connection string. By default, "allow password saving" is not set by the connection wizard; in that case the connection string will not contain a password, and should not pose a security risk.

If you choose "allow password saving", the encrypted connection string will contain the password.

It is also possible to create a database user which is bound to a Microsoft Windows account, and use this for login. In this case, the connection string will not contain any sensitive information. Consult the database documentation for information about how this is done.


6.7 Dispatcher

When creating a new dispatcher, the dispatcher.prop file contains the connection string to the database. The key MC_JDBCURL holds the encrypted connection string.

6.8 Event agent server

When creating a new event agent server, the .prop file contains the connection string to the database. The key MC_JDBCURL holds the encrypted connection string.

6.9 Workflow

The Workflow config file (<instdir>\configs\config.xml) contains the password for connecting to the database.

After installation of the Workflow, the password is not encrypted. See the document SAP NetWeaver Identity Management Identity Center: Installing Identity Center Workflow.

6.10 Monitoring
The Monitoring config file does not contain any connection string or password.

6.11 Virtual Directory Server configuration file
The Virtual Directory Server uses an XML-based configuration file for storing the configuration. All passwords used to connect to other applications are scrambled using the standard encryption algorithm, as 3DES is not implemented in the Virtual Directory Server. It is therefore essential to protect the Virtual Directory Server configuration files.

The passwords used for authentication by the Virtual Directory Server (i.e. to authenticate incoming requests) are hashed using MD5.

 Any global constants can be encrypted.

The Virtual Directory Server stores the configuration in an .xml file. One Virtual Directory Server installation may run multiple configurations, each stored in a different file.

As the configuration files contain the information needed to connect to external applications, it is essential that file system security is used to protect these configuration files from unauthorized access.

It is possible to store the Virtual Directory Server configuration in a database table. In this case, the connection string for connecting to the database is stored in the file <installation directory>\.vsssettings. This connection string is only scrambled, so it is essential to protect this file using file system security.


7 Identity Center web server security and PHP

7.1 Extensions
The Monitoring and Workflow applications use PHP. The default PHP installation adds a lot of extensions which are not needed, and these should be removed. The following extensions are needed as a minimum:

• Mssql or OCI8

• XSL

• LDAP

• MCRYPT

The following configuration options should be turned off in the php.ini file, as they are not used and may be a security risk:

• display_errors

• display_startup_errors

• expose_php

7.2 Session security
Consider using the following options to improve session security:

Option                    Description
session.cookie_secure     If turned on, cookies will only be sent over secure connections (SSL).
session.entropy_file      Use these settings to increase the security of the session ID.
session.entropy_length
session.referer_check     This setting can be used to validate the source of the incoming session.

For details see PHP Manual, section IV Security, http://www.php.net/download-docs.php.


7.3 Additional PHP configuration
This section contains PHP settings that should be turned off.

Option              Description
open_basedir        Limits the files that can be opened by PHP to the specified directory tree.
allow_url_fopen     Enables the URL-aware fopen wrappers that allow accessing URL objects like files.
register_globals    If turned on, all EGPCS (Environment, GET, POST, Cookie, Server) variables are registered in the global scope.
error_log           Controls where script errors are written. The default is to display them on the screen. Should be set to a file that is writeable for the Internet Guest Account.

For details see PHP Manual, http://www.php.net/download-docs.php.

7.4 Cross-site scripting
To avoid cross-site scripting, there are limitations on the use of HTML tags in the Workflow web interface.

In general, HTML in fields and attributes will be quoted, with the following exceptions:

• There is a configurable list of tags that are allowed (e.g. <b>, </b>, <i>, </i>).

• HTML tags in header and footer fields are allowed. Specifically:

  • Identity Center header fields 1 through 3

  • Identity Store Welcome page header and trailer

  • Task header and trailer

Care should be taken when using HTML code in these fields, especially if the fields contain attribute references. Note that Identity Center header field 4, which by default contains the text "Logged in as %DISPLAYNAME%", is protected for this reason.
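An added Python illustration (not the Workflow's own code) of the two rules above: ordinary field values are quoted except for an allow-list of bare tags, and a header field that carries an attribute reference such as %DISPLAYNAME% stays safe only if the referenced value is escaped before it is substituted into the field. The allow-list contents and the header template are constructed samples.

```python
import html
import re

# Bare tags the Workflow web interface lets through unescaped. The guide names
# <b>, </b>, <i>, </i>; the real list is configurable, so this one is a sample.
DEFAULT_ALLOWED_TAGS = ("b", "i")

# Attribute references as written in header/footer fields, e.g. %DISPLAYNAME%.
ATTR_REF = re.compile(r"%([A-Z][A-Z0-9_]*)%")


def quote_field(value, allowed_tags=DEFAULT_ALLOWED_TAGS):
    """Quote all HTML in an ordinary field/attribute value, then restore only
    the allow-listed bare tags. A tag carrying attributes (<b onclick=...>)
    stays escaped, so the allow-list cannot be used to smuggle in handlers."""
    escaped = html.escape(value, quote=True)
    for tag in allowed_tags:
        escaped = escaped.replace(f"&lt;{tag}&gt;", f"<{tag}>")
        escaped = escaped.replace(f"&lt;/{tag}&gt;", f"</{tag}>")
    return escaped


def render_header(template, attributes):
    """Header/footer fields may contain raw HTML, so the admin-written template
    is emitted as-is, but every %ATTR% reference is replaced with the escaped
    attribute value: user-controlled data cannot add markup to the page."""
    return ATTR_REF.sub(
        lambda m: html.escape(attributes.get(m.group(1), ""), quote=True),
        template)


def render_header_unsafe(template, attributes):
    """The ordering the guide warns about: substitute the raw attribute value
    and then treat the whole field as HTML. Shown only for contrast."""
    return ATTR_REF.sub(lambda m: attributes.get(m.group(1), ""), template)


if __name__ == "__main__":
    # Constructed sample: the default text of header field 4 together with a
    # display name that happens to contain markup.
    field4 = "Logged in as %DISPLAYNAME%"
    attrs = {"DISPLAYNAME": "Alice <script>alert(1)</script>"}
    print(render_header(field4, attrs))         # markup arrives as inert text
    print(render_header_unsafe(field4, attrs))  # markup arrives as a script tag
    print(quote_field("<b>Bold</b> & <i>italic</i> <u>not allowed</u>"))
```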

7.5 Restricting access to internal files
Access to internal files in the web server may lead to information leaks. Thus, it is recommended to restrict access to the folders containing the internal files.

If using Microsoft Internet Information Services, this refers to the common folder.

To restrict access to the files located in this folder:

1. Open the Internet Information Services Manager and view the properties of Web sites/Default Web Site/Workflow/common.

2. Select the "Directory Security" tab and choose "Edit…" in the "Anonymous access and authentication control" group box to open the "Authentication Methods" dialog box.

3. Make sure that "Anonymous access" is disabled.


8 Other Security-Relevant Information

8.1 The Identity Center configuration UI
The Identity Center configuration UI (Microsoft Management Console snap-in) is intended for implementation of a solution. It should not be made available in a production environment, unless there are very good reasons to use it. Logs and other information can be accessed using the Monitoring interface.

8.2 Monitoring web interface
The Monitoring web interface is not intended for external use. It must be installed in an internal network and be available only to system administrators.

8.3 Possible configuration vulnerability
When configuring an attribute for a task, it is possible to define a default value. This default value can contain a call to a PHP function, $FUNCTION.<php_function>$$. Given access to custom_functions.php, this could pose a vulnerability.

8.4 Disaster recovery
For setting up a DR solution, please see the document SAP NetWeaver Identity Management Identity Center Implementation Guide: Disaster recovery.

8.5 Backup

All configuration information and data is stored in the Identity Center database. This database should be backed up according to the organization's backup policy.


9 Appendix

9.1.1 Security check list for the Identity Center

□  Encryption algorithm set to 3DES (verify in the configuration UI)

□  keys.ini file updated and distributed to all relevant systems

□  keys.ini file protected by file system security

□  Database security enabled where relevant.

□  External application security enabled where relevant.

□  Web server security

□  Disable unnecessary PHP extensions

□  Enable PHP session security as defined in the organization's security policy

□  Disable the PHP settings open_basedir, allow_url_fopen and register_globals

□  If password provisioning is being used:

□  No history for MX_ENCRYPTED_PASSWORD

□  MX_ENCRYPTED_PASSWORD deleted after provisioning is done

9.1.2 Security check list for the Virtual Directory Server

□  Protect the Virtual Directory Server configuration file(s) from unauthorized access

□  If applicable: Set up secure communication from clients to the Virtual Directory Server 

□  If applicable: Set up secure communication to repositories