SAP NetWeaver Master Data Management - SAP Help Portal · Application Server Java Security Guide...


Security Guide

SAP NetWeaver Master Data Management GDS 2.1

Document Version: 1.05 – 2017-03-24

CUSTOMER

SAP NetWeaver Master Data Management Global Data Synchronization Option 2.1


©2017 SAP AG or an SAP affiliate company. All rights reserved


Typographic Conventions

Type Style | Description
Example | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Textual cross-references to other documents.
Example | Emphasized words or expressions.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example | Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE | Keys on the keyboard, for example, F2 or ENTER.


Document History

Version | Date | Change
1.04 | 2015-11-12 | Added content from SAP Note 1905286 stating that the modification of initial passwords is mandatory. Moved the document content to a new template.
1.05 | 2017-03-24 | Updated for SP05. Added section Digital Asset Management.


Table of Contents

1 Introduction (p. 5)
2 Before You Start (p. 7)
3 Technical System Landscape (p. 9)
4 User Administration and Authentication (p. 10)
4.1 User Management (p. 10)
4.2 User Data Synchronization (p. 13)
4.3 Integration into Single Sign-On Environments (p. 13)
5 Authorizations (p. 14)
6 Network and Communication Security (p. 17)
6.1 Communication Channel Security (p. 17)
6.2 Network Security (p. 18)
6.3 Communication Destinations (p. 19)
7 Data Storage Security (p. 22)
8 Digital Asset Management (p. 23)
9 Security for Additional Applications (p. 24)
9.1 AS2 Adapter for SAP NetWeaver Exchange Infrastructure 3.0 / Process Integration (p. 24)
10 Other Security-Relevant Information (p. 26)
11 Security-Relevant Logging and Tracing (p. 27)
12 Appendix (p. 28)


1 Introduction

Caution

This guide does not replace the administration or operation guides that are available for productive

operations.

Target Audience

Technology consultants

Security consultants

System administrators.

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation

Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas

the Security Guides provide information that is relevant for all life cycle phases.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on

security are also on the rise. When using a distributed system, you need to be sure that your data and processes

support your business needs without allowing unauthorized access to critical information. User errors,

negligence, or attempted manipulation of your system should not result in loss of information or processing time.

These demands on security likewise apply to the Global Data Synchronization (GDS) business scenario. To

assist you in securing the business scenario, we provide this Security Guide.

About this Document

The Security Guide provides an overview of the security-relevant information that applies to the business

scenario. If the business scenario consists of several application components, then it contains an overall overview

as well as the individual guides for each of the underlying application components.

Overview of the Main Sections

The Security Guide comprises the following main sections:

Before You Start

This section contains information about why security is necessary, how to use this document and references

to other Security Guides that build the foundation for this Security Guide.

Technical System Landscape


This section provides an overview of the technical components and communication paths used by the

business scenario.

User Administration and Authentication

This section provides an overview of the following user administration and authentication aspects:

o Recommended tools to use for user management

o User types that are required by the business scenario

o Standard users that are delivered with business scenario

o Overview of the user synchronization strategy, if several components or products are involved

o Overview of how integration into Single Sign-On environments is possible.

Authorizations

This section provides an overview of the authorization concept that applies to the business scenario.

Network and Communication Security

This section provides an overview of the communication paths used by the business scenario and the security

mechanisms that apply. It also includes our recommendations for the network topology to restrict access at

the network level.

Data Storage Security

This section provides an overview of any critical data that is used by the business scenario and the security

mechanisms that apply.

Security for Third-Party or Additional Applications

This section provides security information that applies to third-party or additional applications that are used

with the business scenario.

Dispensable Functions with Impacts on Security

This section provides an overview of functions that have impacts on security and can be disabled or removed

from the system.

Other Security-Relevant Information

This section contains information about:

o Using a Web browser as a user front end.

Security-Relevant Logging and Tracing

This section provides an overview of the trace and log files that contain security-relevant information, for

example, so you can reproduce activities if a security breach occurs.

Appendix

This section provides references to further information.


2 Before You Start

Fundamental Security Guides

The global data synchronization (GDS) business scenario is built from the component applications. Therefore, the

corresponding Security Guides also apply to the business scenario. Pay particular attention to the most relevant

sections or specific restrictions as indicated in the table below.

Fundamental Security Guides

Scenario, Application or Component | Security Guide | Most Relevant Sections or Specific Restrictions
SAP NetWeaver Application Server | SAP NetWeaver CE Security Guide, SAP NetWeaver Application Server Java Security Guide |
SAP ERP or SAP ECC | SAP ERP Central Component Security Guide |
SAP NetWeaver Exchange Infrastructure 7.0 | |
Operating Systems and Database Platforms | SAP NetWeaver CE Security Guide; choose Operating System and Database Platform Security Guides. |
Master Data Management (MDM) | MDM 7.1 Security Guide |

For a complete list of the available SAP Security Guides, see SAP Service Marketplace at

http://service.sap.com/securityguide.

Important SAP Notes

The most important SAP Notes that apply to the security of the business scenario are shown in the table below:

Title | SAP Note | Comment
Central Note for SAP NetWeaver MDM GDS 2.1 | 1425531 |

For a list of additional security-relevant SAP Hot News and SAP Notes, see also SAP Service Marketplace at

http://service.sap.com/securitynotes.

Additional Information

For more information about specific topics, see the Quick Links as shown in the table below.

Content | Quick Link on SAP Service Marketplace or SCN
Security | http://scn.sap.com/community/security
Security Guides | http://service.sap.com/securityguide


Related SAP Notes | http://service.sap.com/notes, http://service.sap.com/securitynotes
Released platforms | http://service.sap.com/pam
Network security | http://service.sap.com/securityguide
SAP Solution Manager | http://service.sap.com/solutionmanager
SAP NetWeaver | http://scn.sap.com/community/netweaver


3 Technical System Landscape

Use

SAP NetWeaver MDM GDS consists of the following components:

Back-end system (SAP ERP, SAP ECC, or any other system that can send messages to PI)

SAP NetWeaver Process Integration (SAP EHP1 for NetWeaver PI 7.1)

MDM Server (Release 7.1) and underlying database (MS SQL, Oracle, or DB2)

GDS Console - Java-based application running on SAP NetWeaver Application Server Java (AS Java)

AS2 adapter (either SAP NetWeaver PI 7.3 B2B AS2 Adapter or Seeburger)

Third-party components

o 1Sync data pools

o SA2 data pools.

For more information about the technical system landscape, see the resources listed in the table below:

Topic | Guide/Tool | Quick Link on SAP Service Marketplace or SCN
Technical description for GDS and the underlying components such as SAP NetWeaver | Master Guide | http://service.sap.com/instguides
Security | Security Guide | http://service.sap.com/security


4 User Administration and Authentication

The GDS business scenario uses the user management and authentication mechanisms provided with the SAP

NetWeaver platform, in particular SAP NetWeaver Master Data Management and, where GDS is used in portal

mode, Application Server Java. Therefore, the security recommendations and guidelines for user administration

and authentication as described in the security guides for SAP NetWeaver MDM and for SAP NetWeaver

Application Server Java also apply to the GDS business scenario.

For the SAP NetWeaver Master Data Management Security Guide, see the SAP Service Marketplace at

http://service.sap.com/installmdm

For the SAP NetWeaver Application Server Java Security Guide, see http://service.sap.com/securityguide

→SAP NetWeaver→SAP NetWeaver in Detail→Security→Security in Detail→Security Guides→SAP Basis/

Web AS Security Guides→SAP NetWeaver Application Server Java Security Guide.

In addition to these guidelines, we include information about user administration and authentication that

specifically applies to the business scenario in the following topics:

User Management

This topic lists the tools to use for user management, the types of users required, and the standard users that

are delivered with the SAP NetWeaver MDM GDS.

User Data Synchronization

This topic describes how user data is synchronized with other sources.

Integration into Single Sign-On Environments

This topic describes how GDS supports Single Sign-On mechanisms.

Recommendation

We recommend that GDS is run with the default security settings delivered with MDM.

4.1 User Management

Use

User management for the GDS business scenario relies on the user management of the MDM component. This

means that the users of the GDS business scenario are stored in the MDM Server.

On a more detailed level, user management differs between the following two scenarios.

GDS in Standalone Mode

GDS uses the user management capabilities of the MDM Server only. Thus the user types, roles, and password

policies of MDM also apply to the GDS business scenario. For more information about MDM user management


capabilities, see the security guide for MDM 7.1 on the SAP Service Marketplace at

http://service.sap.com/installmdm.

For logon purposes, the GDS business scenario uses its own logon screen.

For user administration, the user and role management screens can be used inside the GDS business scenario.

The User and Role Management menu can only be accessed by a user with the role Admin. For more information

about user and role management, see the SAP Help Portal at http://help.sap.com →SAP NetWeaver Master Data

Management, Global Data Synchronization Option.

GDS in Portal Mode

The following must be in place before the portal user can use GDS in SAP NetWeaver Portal:

The portal user must have the GDS portal role

The portal user must be mapped to a GDS User.

For more information on how to set the GDS portal role and how to configure the user mapping, see the

installation guide for GDS 2.1 on the SAP Service Marketplace at http://service.sap.com/instguides → SAP

NetWeaver Master Data Management, Global Data Synchronization Option → Installation Guide.

If GDS is running in portal mode, the capabilities of the SAP NetWeaver user management engine (UME) apply for

the user authentication. The SAP NetWeaver Portal authentication is used for authentication purposes when the

user is accessing the portal. For more information about the UME, see the SAP Help Portal at http://help.sap.com

→ User Management of SAP NetWeaver AS for Java.

In addition, GDS 2.1 uses the user defined in the MDM Server. The connection between the portal user and the

MDM user is defined with the MDM trusted connections feature. For more about trusted connections, see the

MDM 7.1 Security Guide on the SAP Service Marketplace at http://service.sap.com/installmdm →SAP NetWeaver

MDM 7.1→MDM 7.1 – Security Guide.

User Administration Tools

The table below shows the tools to use for user management and user administration with the business scenario.

User Management Tools

Tool | Detailed Description | Prerequisites
GDS 2.1 Console, Application Administration, User and Role Management | For more information, see the SAP Help Portal at http://help.sap.com | Only a user with the GDS Admin role is able to access this tool.
MDM Console | For more information, see the security guide for MDM 7.1 on the SAP Service Marketplace at http://service.sap.com/installmdm |
User management engine (UME) with SAP NetWeaver AS Java | For more information about the UME, see the SAP Help Portal at http://help.sap.com → User Management of SAP NetWeaver AS for Java. | GDS 2.1 is running in portal mode.


User Types

The GDS business scenario differentiates between the following two types of user:

Admin users – can access the Application Administration menu

Non-Admin users – cannot access the Application Administration menu.

Standard Users

The table below shows the standard users – sometimes referred to as technical GDS users - that are necessary to

operate the business scenario.

Standard Users

System | User ID | Type | Initial Password | Description
MDM | Admin | MDM default Admin user | <empty> or abc123 | Administrator user initially provided.
GDS 2.1 Console | GDSAdmin | GDS Admin user | <empty> or abc123 | GDS default administrator user. For all workflows launched by the GDS business scenario, this user is the owner of the workflow. Import, export, response processing, and automation are initiated with this user during the business scenario.

Initial Passwords are set to <empty> starting from GDS 2.1 SP04. All of these users are delivered with the

business scenario. You need to create all other business scenario users after the installation.

Recommendation

We recommend changing the user IDs and passwords for users that are automatically created during

installation. If either the user name or password is changed, update the GDS 2.1 Application Properties,

and replace the changed values. For more information about updating application properties, see the

configuration guide for GDS 2.1 on the SAP Service Marketplace at http://service.sap.com/instguides

→Industry Solutions→Industry Solution Guides→SAP for Consumer Products→SAP MDM GDS

2.1→Configuration Guide.


Caution

According to SAP Note 1905286, the modification of initial passwords of standard technical GDS users is a must

due to security reasons.

If you get the error message "MDM is not available; contact your administrator" after installation of GDS,

check that the following application properties are set properly:

GDSCORE.mdmsystemuserpassword, MDM.AdminPassword, GDS.SystemUserPassword
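A practitioner will want to verify the mandatory password change required by SAP Note 1905286 rather than assume it was done. The following audit script is an added example, not code from this guide or from the GDS product. It assumes that the GDS 2.1 application properties have been exported to a Java-style key=value file (the export and its format are assumptions; the three property names are the ones the guide lists above) and reports any of them that is missing, empty, or still set to the documented initial value abc123. The sample export embedded in the script is constructed.

```python
"""Audit exported GDS 2.1 application properties for initial credentials.

Added example; not code from the SAP guide or the GDS product. It assumes
the application properties are available as a Java-style key=value file
(the export and its format are assumptions; the property names are the
ones the guide lists under the "MDM is not available" caution).
"""
import re
import sys

# Property names from the guide that carry technical-user passwords.
PASSWORD_PROPERTIES = (
    "GDSCORE.mdmsystemuserpassword",
    "MDM.AdminPassword",
    "GDS.SystemUserPassword",
)

# Initial values the guide documents for the standard users:
# empty from GDS 2.1 SP04 on, abc123 before that.
INITIAL_PASSWORDS = {"", "abc123"}

# Constructed sample export; not a real GDS file. The third value is
# split over two lines with a trailing backslash, as .properties allows.
SAMPLE_EXPORT = """
# application properties (constructed sample)
GDSCORE.mdmsystemuserpassword=abc123
MDM.AdminPassword =
GDS.SystemUserPassword: S3cure-Pa55\\
word
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comment lines, '=' ':' or
    whitespace as separator, trailing-backslash line continuation.
    Other escape sequences are left untouched."""
    props = {}
    logical = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is None and (not line or line[0] in "#!"):
            continue  # blank or comment line
        line = (pending or "") + line  # join a continued logical line
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        logical.append(line)
        pending = None
    if pending is not None:
        logical.append(pending)  # file ended inside a continuation
    for line in logical:
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def audit(props):
    """Return (property, finding) pairs for password properties that are
    missing, empty, or still at the documented initial value."""
    findings = []
    for name in PASSWORD_PROPERTIES:
        if name not in props:
            findings.append((name, "missing"))
        elif props[name] in INITIAL_PASSWORDS:
            findings.append((name, "initial password"))
    return findings


def main(path=None):
    """Audit the file at `path`, or the constructed sample when none is given.
    Exit status 1 signals findings, so the script can gate a deployment check."""
    if path:
        with open(path, encoding="latin-1") as handle:  # .properties default encoding
            text = handle.read()
    else:
        text = SAMPLE_EXPORT
    findings = audit(parse_properties(text))
    for name, finding in findings:
        print(f"{name}: {finding}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it against the exported file as `python audit_gds_properties.py gds.properties`; without an argument it audits the constructed sample, which flags two of the three properties. The script reports only the property names, never the values, so its output can go into a ticket.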

Emergency User Concept

Standalone mode – For more information, see the SAP NetWeaver Master Data Management Security Guide

at http://service.sap.com/installmdm →SAP NetWeaver MDM 7.1→MDM 7.1 – Security Guide→Emergency

User

Portal mode - For more information, see the security guide for SAP NetWeaver CE on the SAP Help Portal at

http://help.sap.com.

4.2 User Data Synchronization

Use

User data synchronization only applies to the scenario, when GDS is running in portal mode. If a non-existing MDM

user logs in to the GDS Console from the portal, the user is created in MDM. During creation, no user information

is copied from the portal user. The MDM user is created with the same username as the portal user, and with the

single Everyone role.

Note

Portal users with the user name Admin and Administrator have the Admin role in MDM. Because this mapping is by user name alone, anyone who can create or rename portal users can obtain the MDM Admin role this way; restrict that right accordingly.

Note

An MDM user is created with a random password. A user who has the Admin role can change this

password to a known password, if needed. The password is not used for trusted connections.

4.3 Integration into Single Sign-On Environments

Use

The GDS business scenario supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver in portal

mode only. In this case, the security recommendations and guidelines for user administration and authentication

as described in the SAP NetWeaver Security Guide also apply to the business scenario.

GDS 2.1 in standalone mode does not support SSO.


5 Authorizations

Use

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role

maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine’s

user administration console on the AS Java.

The authorization concept of the GDS business scenario is based on the SAP NetWeaver Master Data

Management role concept.

Every user can be assigned an arbitrary number of roles, which come from the MDM role management system. In

addition, authorization objects can be defined for every role, such as tabs, validations, screens, and so on. For the

complete list and details of authorization objects, see Standard Authorization Objects below.

Roles available in GDS can be assigned in the GDS console using Application Administration→User and Role

Management→User Management. On the Role Management tab, the authorization objects can be configured to

every role.

Note

For more information about how to assign and configure roles, see the SAP Help Portal at

http://help.sap.com →SAP NetWeaver Master Data Management, Global Data Synchronization Option →

Application Help → User and Role Management.

Standard Roles

The table below shows the standard roles that are used by the business scenario:

Standard Roles

Role | Description
Admin | Only users with this role are able to access the Application Administration menu and the About screen.
Default |
Everyone | Every user of the GDS business scenario shall have this role.
Support | Provides read-only access for support purposes. This role has all the screen authorization objects, but none of the operation authorization objects assigned to it.


Standard Authorization Objects

The table below shows the security-relevant authorization objects used by the business scenario.

Standard Authorization Objects

Authorization Object | Description
Tabs | List of tabs the user is allowed to see on the detail screen.
Validations | List of validations the user is allowed to run on executing trade item validation. Note that the automatic validation prior to the registration is based on the role defined in the Application Properties.
Screens | List of menu items the user is allowed to see in the menu. An authorized screen without the corresponding operation results in a read-only screen.
Operations | List of operations the user is allowed to perform during the business scenario.
Read only fields | List of fields the user must be unable to edit, and see only in a read only mode.
Value restrictions | List of restrictions that apply for the visibility of items. With value restrictions, it is possible to restrict access to items based on some selected item attribute values. Those items that do not meet the value restriction criteria are not displayed to the user.

Minimum Authorization Concept

We recommend that all users have the minimum necessary privileges that they need to perform their tasks:

Assign the Admin role only to those users who need to administer the system

Do not assign any authorization object listed above which is not needed for the user


If applicable, specify a value restriction.

Critical Combinations of Authorizations

Note that the Admin role has special permissions in the GDS business scenario. Every user with the Admin role

has this special permission, regardless of other roles the user has.
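The rules of this chapter are easier to review as code. The following model is an added example and is not the GDS or MDM implementation: the roles, users, screens, operations, item attributes and the link from a screen to its editing operation are constructed, and where the guide does not say how objects from several roles combine (read-only fields, value restrictions) the example takes the most restrictive reading and says so in its comments. It evaluates a user's effective access to a screen (none, read-only, or full), whether a field stays read-only, which items a value restriction hides, and lists every holder of the Admin role together with the other roles that user carries, which is the critical combination described above.

```python
"""Effective authorizations under the GDS 2.1 role concept.

Added example; not the GDS or MDM implementation. Roles, users, screens,
operations and items are constructed. Where the guide does not say how
objects from several roles combine, this model takes the most restrictive
reading (assumption): a read-only field or value restriction from any role
applies, and the allowed values of a restriction are intersected.
"""
from dataclasses import dataclass, field

ADMIN_ROLE = "Admin"
# Screens the guide reserves for the Admin role, whatever other roles a user holds.
ADMIN_ONLY_SCREENS = {"Application Administration", "About"}
# Assumed link from a screen to the operation that makes it editable (constructed
# names; the guide only says a screen without its operation is read-only).
SCREEN_OPERATION = {
    "Trade Item Detail": "Edit Trade Item",
    "Trade Item List": "Delete Trade Item",
}


@dataclass
class Role:
    name: str
    screens: set = field(default_factory=set)
    operations: set = field(default_factory=set)
    read_only_fields: set = field(default_factory=set)
    value_restrictions: dict = field(default_factory=dict)  # attribute -> allowed values


def is_admin(roles):
    return any(r.name == ADMIN_ROLE for r in roles)


def _union(roles, attr):
    """Union of one authorization object over all of the user's roles."""
    return set().union(*(getattr(r, attr) for r in roles))


def screen_access(roles, screen):
    """'none', 'read-only' or 'full' access to one screen."""
    if screen in ADMIN_ONLY_SCREENS:
        return "full" if is_admin(roles) else "none"
    if screen not in _union(roles, "screens"):
        return "none"
    needed = SCREEN_OPERATION.get(screen)
    # A screen without an editing operation, or whose operation the user lacks, is read-only.
    return "full" if needed in _union(roles, "operations") else "read-only"


def field_editable(roles, screen, field_name):
    """Editable only on a fully authorized screen and only if no role marks the
    field read-only (assumption: read-only from any role wins)."""
    return screen_access(roles, screen) == "full" and field_name not in _union(roles, "read_only_fields")


def effective_restrictions(roles):
    """Merge value restrictions across roles; intersecting them is an assumption."""
    merged = {}
    for r in roles:
        for attr, allowed in r.value_restrictions.items():
            merged[attr] = merged[attr] & set(allowed) if attr in merged else set(allowed)
    return merged


def visible_items(roles, items):
    """Items that fail any effective value restriction are hidden from the user."""
    restrictions = effective_restrictions(roles)
    return [it for it in items
            if all(it.get(attr) in allowed for attr, allowed in restrictions.items())]


def admin_holders(users):
    """Critical combination from the guide: Admin applies regardless of the
    user's other roles, so list every Admin holder with those other roles."""
    return [(name, sorted(r.name for r in roles if r.name != ADMIN_ROLE))
            for name, roles in users.items() if is_admin(roles)]


# Constructed sample data.
EVERYONE = Role("Everyone", screens={"Trade Item List"})
SUPPORT = Role("Support", screens={"Trade Item List", "Trade Item Detail"})  # screens, no operations
ITEM_EDITOR = Role("Item Editor", screens={"Trade Item Detail"}, operations={"Edit Trade Item"},
                   read_only_fields={"GTIN"}, value_restrictions={"target_market": {"US"}})
ADMIN = Role(ADMIN_ROLE)
USERS = {
    "alice": [EVERYONE, ITEM_EDITOR],
    "bob": [EVERYONE, SUPPORT],
    "carol": [EVERYONE, ADMIN],
}
ITEMS = [
    {"id": "item-1", "target_market": "US"},
    {"id": "item-2", "target_market": "DE"},
    {"id": "item-3", "target_market": "US"},
]

if __name__ == "__main__":
    for name, roles in USERS.items():
        access = {s: screen_access(roles, s) for s in ("Trade Item Detail", "Application Administration")}
        print(name, access, [it["id"] for it in visible_items(roles, ITEMS)])
    print("Admin holders:", admin_holders(USERS))
```

With the sample data, bob (Everyone plus Support) reaches the detail screen read-only because Support carries screens but no operations, alice sees only US items and cannot edit the GTIN field, and the report names carol as an Admin holder who also carries Everyone. Feeding a real role export into the same functions gives a least-privilege review that follows the three recommendations above.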


6 Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the

communication necessary for your business needs without allowing unauthorized access. A well-defined network

topology can eliminate many security threats based on software flaws (at both the operating system and

application level) or network attacks such as eavesdropping. If users cannot log on to your application or database

servers at the operating system or database layer, intruders have far fewer ways to compromise the machines

and gain access to the back-end system's database or files. Additionally, if users are not able to connect to the

server LAN (local area network), they cannot reach, and therefore cannot exploit, well-known bugs and security

holes in network services on the server machines.

The network topology for the business scenario is based on the topology used by the SAP NetWeaver platform.

Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also

apply to the business scenario. Details that specifically apply to the business scenario are described in the

following topics:

Communication Channel Security

This topic describes the communication paths and protocols used by the business scenario.

Network Security

This topic describes the recommended network topology for the business scenario. It shows the appropriate

network segments for the various client and server components and where to use firewalls for access

protection. It also includes a list of the ports needed to operate the business scenario.

Communication Destinations

This topic describes the information needed for the various communication paths, for example, which users

are used for which communications.

For more information, see the following sections in the SAP NetWeaver Security Guide:

http://help.sap.com → SAP NetWeaver Application Server Java Security Guide→Network Security

http://help.sap.com → Security Guide for Connectivity with the AS Java.

6.1 Communication Channel Security

Use

The following table shows the communication channels used by the business scenario, the protocol used for the

connection, and the type of data transferred:

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Front-end client using SAP GUI for Windows to application server | DIAG | All application data | For example, passwords, business data.


Front-End client using a Web

browser to application server

HTTP(S) All application data For example, passwords,

business data.

Application server to

application server

RFC,

HTTP(S)

Integration data Business data.

Application server to third-

party application

HTTP(S) All application data For example, passwords,

business data.

AS2 adapter to external data

pools

AS2,

HTTP

Messages from the system Encrypted messaging, digital

certificates.

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections

are protected using the Secure Sockets Layer (SSL) protocol.

For more information, see the SAP Help Portal at http://help.sap.com → SAP NetWeaver Application Server Java

Security Guide→Network Security→Transport Layer Security.

Caution

When installing SAP EHP 1 for SAP NetWeaver CE 7.1 Java Application Server and SAP MDM Server on

different hosts, consider the following: the communication channel of the MDM server is not encrypted.

This means that the communication between the GDS Console and the MDM Server is not encrypted.

Caution

When using the flat file export feature of GDS 2.1 and transmitting trade items to FTP or e-mail locations

over PI, make sure that you apply the security settings for the channel (FTPS or S/MIME).

For more information, see the SAP NetWeaver Process Integration Security Guide on the SAP Service

Marketplace, at http://service.sap.com/securityguide →SAP NetWeaver 7.0 Security Guides (Complete)

→Security Guides for SAP NetWeaver According to Usage Types→Security Guide for Usage Type

PI→Network and Communication Security→FTP and FTPS.
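The channel table and the two cautions above can be turned into a repeatable audit. The following is an added example, not part of this guide or of any SAP product: it checks a constructed channel inventory against the requirements stated here (SNC for DIAG and RFC, SSL for HTTP, FTPS or S/MIME for flat file export, signing and encryption for AS2 messages as in section 9.1, and the unencrypted MDM server channel when console and server run on different hosts). The Channel fields, path labels and sample inventory are assumptions.

```python
"""Audit a GDS 2.1 communication-channel inventory against this guide's
protection requirements. Added example; the model and data are constructed."""
from dataclasses import dataclass


@dataclass
class Channel:
    path: str                 # constructed label, e.g. "Browser -> AS"
    protocol: str             # DIAG, RFC, HTTP, HTTPS, AS2, FTP, FTPS, SMTP, MDM
    snc: bool = False         # Secure Network Communications active (DIAG/RFC)
    signed: bool = False      # AS2 message signing configured in the adapter
    encrypted: bool = False   # AS2 message encryption configured in the adapter
    smime: bool = False       # S/MIME applied to an e-mail export channel
    same_host: bool = True    # GDS Console and MDM Server on the same host


def audit_channel(ch: Channel) -> list:
    """Return findings for one channel; an empty list means it meets the guide."""
    p = ch.protocol.upper()
    out = []
    if p in ("DIAG", "RFC") and not ch.snc:
        out.append(f"{ch.path}: {p} without SNC; activate SNC for this connection")
    elif p == "HTTP":
        out.append(f"{ch.path}: plain HTTP; protect the channel with SSL (HTTPS)")
    elif p == "AS2":
        if not ch.signed:
            out.append(f"{ch.path}: AS2 messages not signed; configure signing")
        if not ch.encrypted:
            out.append(f"{ch.path}: AS2 messages not encrypted; configure encryption")
    elif p == "FTP":
        out.append(f"{ch.path}: flat file export over FTP; use FTPS instead")
    elif p == "SMTP" and not ch.smime:
        out.append(f"{ch.path}: e-mail export without S/MIME; apply S/MIME")
    elif p == "MDM" and not ch.same_host:
        out.append(f"{ch.path}: MDM server channel is not encrypted across hosts; "
                   "co-locate the console and server or restrict the network path")
    return out


def audit(channels) -> list:
    """Collect findings for a whole inventory, in inventory order."""
    return [f for ch in channels for f in audit_channel(ch)]


# Constructed sample inventory mirroring the channel table in this guide.
SAMPLE_INVENTORY = [
    Channel("SAP GUI -> AS", "DIAG", snc=True),
    Channel("Browser -> AS", "HTTP"),
    Channel("AS -> AS", "RFC"),
    Channel("AS -> third-party application", "HTTPS"),
    Channel("AS2 adapter -> 1Sync data pool", "AS2", signed=True),
    Channel("Flat file export -> FTP location", "FTP"),
    Channel("GDS Console -> MDM Server", "MDM", same_host=False),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```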

6.2 Network Security

Services and Ports
For more information about the services and ports used by SAP NetWeaver, see the SAP Help Portal at http://help.sap.com →SAP NetWeaver→SAP NetWeaver CE→SAP NetWeaver Composition Environment Library→Administrator’s Guide→SAP NetWeaver CE Security Guide→Security Guides for CE Core Components→SAP NetWeaver Application Server for Java Security Guide→Network Security.

For more information about the services and ports used by SAP NetWeaver Master Data Management, see the security guide for MDM on the SAP Service Marketplace at http://service.sap.com/installmdm.

For more information about the services and ports used by SAP NetWeaver Exchange Infrastructure, see the SAP Help Portal at http://help.sap.com →SAP NetWeaver→SAP NetWeaver PI/Mobile/IdM 7.1→SAP NetWeaver Process Integration 7.1 Including Enhancement Package 1→SAP NetWeaver Process Integration Library→Security Guide→Security Guides for SAP NetWeaver Usage Types→SAP NetWeaver Process Integration Security Guide.

Firewall Settings
For more information about firewall settings recommended for SAP NetWeaver, see the SAP Help Portal at http://help.sap.com →SAP NetWeaver→SAP NetWeaver CE→SAP NetWeaver Composition Environment Library→Administrator’s Guide→SAP NetWeaver CE Security Guide→Security Guides for CE Core Components→SAP NetWeaver Application Server Java Security Guide→Network Security.

For more information about firewall settings recommended for Master Data Management, see the security guide for MDM on the SAP Service Marketplace at http://service.sap.com/installmdm.

6.3 Communication Destinations

Use

The table below shows an overview of the communication destinations used by the GDS business scenario.

Connection Destinations

Destination: SAP ERP or SAP ECC or SAP ERP→SAP NetWeaver PI
Delivered: Yes
Type: RFC – ERP
User, Authorizations: User role SAP_XI_APPL_SERV_USER
Description: http://service.sap.com/instguides →Industry Solutions→Industry Solution Guides→SAP for Consumer Products→SAP MDM GDS 2.1→Configuration Guide→Setting Up Data Transfer ERP System to GDS Console.

Destination: SAP ERP or SAP ECC→SAP NetWeaver PI <SAPSLDAPI>
Delivered: Yes
Type: RFC – TCP/IP
Description: http://service.sap.com/instguides →Industry Solutions→Industry Solution Guides→SAP for Consumer Products→SAP MDM GDS 2.1→Configuration Guide→Setting Up Data Transfer ERP System to GDS Console.

Destination: SAP ERP or SAP ECC→SAP NetWeaver PI <LCRSAPRFC>
Delivered: Yes
Type: RFC – TCP/IP
Description: http://service.sap.com/instguides →Industry Solutions→Industry Solution Guides→SAP for Consumer Products→SAP MDM GDS 2.1→Configuration Guide→Setting Up Data Transfer ERP to GDS Console.

Destination: SAP NetWeaver PI→SAP NetWeaver PI
Delivered: Yes
Type: TCP/IP
Description: http://help.sap.com →SAP NetWeaver→SAP NetWeaver PI/Mobile/IdM 7.1→SAP NetWeaver Process Integration Library→Developer's Guide→Integrating Applications, Business Partners, and Services→Tasks→Configuring Message Processing→Working with PCK→Configuration with the PCK→Define Collaboration Profile→Defining Communication Channels→Configuring the XI Adapter in the Integration Directory/PCK.

Destination: SAP PI→SAP PI <SAPSLDAPI>
Delivered: Yes
Type: TCP/IP
Description: http://help.sap.com →SAP NetWeaver→SAP NetWeaver PI/Mobile/IdM 7.1→SAP NetWeaver Process Integration Library→Developer's Guide→Integrating Applications, Business Partners, and Services→Tasks→Configuring Message Processing→Working with PCK→Configuration with the PCK→Define Collaboration Profile→Defining Communication Channels→Configuring the XI Adapter in the Integration Directory/PCK.

Destination: SAP NetWeaver PI→SAP ERP or SAP ECC
Delivered: Yes
Type: RFC – ERP
User, Authorizations: User role SAP_XI_IS_SERV_USER. Authorization objects: S_RFC (Activity Execute, RFC object EDIN, object type Function Group), B_ALE_RECV
Description: http://service.sap.com/instguides →Industry Solutions→Industry Solution Guides→SAP for Consumer Products→SAP MDM GDS 2.1→Configuration Guide→Setting Up Data Transfer ERP System to GDS Console.

Destination: SAP NetWeaver PI→1Sync Data Pool
Delivered: Yes
Type: HTTP
User, Authorizations: SSL Client
Description: http://service.sap.com/instguides →Industry Solutions→Industry Solution Guides→SAP for Consumer Products→SAP MDM GDS 2.1→Configuration Guide→Setting Up Data Exchange with 1Sync Data Pool. For SAP NW PI 7.3 B2B AS2 Adapter, see SAP Notes 1695520 and 1695563 for information about download and compatibility. For Seeburger, http://service.sap.com/swdc →Download→Installations and Upgrades→Entry by Application Group→Adapters→Seeburger→XI-A AS2 BY SEEB→NW2004S-PI-A AS2 SEEB 1.6→Installation.

7 Data Storage Security

Use

For more information about the data storage security of SAP NetWeaver and components installed on this base, see the security guide for SAP NetWeaver 7.0 on the SAP Service Marketplace at http://service.sap.com.

Additionally, for data storage security regarding data stored in MDM, see the security guide for MDM on the SAP Service Marketplace at http://service.sap.com/installmdm.

8 Digital Asset Management

Use

For more information about the optional Virus Scan Interface integration, see the Configuration Guide for the Virus Scan Interface on the SAP Service Marketplace at http://service.sap.com.

For more information about configuring the maximum file size accepted by the SAP NetWeaver Application Server, see the property setting of icm/HTTP/max_request_size_KB in the ICM Administration Guide on the SAP Service Marketplace at http://service.sap.com.

9 Security for Additional Applications

9.1 AS2 Adapter for SAP NetWeaver Exchange Infrastructure 3.0 / Process Integration

Security Features

If you use the SAP NetWeaver PI 7.3 B2B AS2 Adapter, more information is available on the SAP Help Portal at http://help.sap.com/nwpi →Process Integration Add-Ons. SAP Notes 1695520 and 1695563 provide further information about download and compatibility.

To learn more about the security features of the AS2 Adapter for SAP NetWeaver Exchange Infrastructure 7.1, see the AS2 Adapter for SAP NetWeaver Exchange Infrastructure 7.1: Setup Guide on the SAP Service Marketplace at http://service.sap.com/swdc →Download→Installations and Upgrades→Entry by Application Group→Adapters→Seeburger→XI-A AS2 BY SEEB→NW2004S-PI-A AS2 SEEB 1.6→Installation.

Note
To access the documentation, you must extract the ZIP file on the Download tab page. In the Configuration Guide, choose Overview→Features.

Secure Communication Channel Configuration

To secure communication channels used by the Seeburger EDIINT AS2 Adapter for SAP Exchange Infrastructure 7.1, see the following subsections on the SAP Service Marketplace at http://service.sap.com/swdc →Download→Installations and Upgrades→Entry by Application Group→Adapters→Seeburger→XI-A AS2 BY SEEB→NW2004S-PI-A AS2 SEEB 1.6→Installation.

Note
To access the AS2 Adapter for SAP NetWeaver Exchange Infrastructure 3.0 Configuration Guide, you must extract the ZIP file on the Download tab page.

In the Channel Configuration section of the configuration guide, see the following sections:
Activities
Receiver Channel (Outbound Processing)
Sender Channel (Inbound Processing)
Sender Agreement
Receiver Agreement

Listener Port and URL

For information about the ports and URLs used, see the Seeburger Adapter Configuration Guide, chapter Listener Port and URL.

Security Settings

For information about encryption and signing within the AS2 Adapter for SAP NetWeaver Exchange Infrastructure 7.1, see the SAP Service Marketplace at http://service.sap.com/swdc →Download→Installations and Upgrades→Entry by Application Group→Adapters→Seeburger→XI-A AS2 BY SEEB→NW2004S-PI-A AS2 SEEB 1.6→Installation.

Note
To access the AS2 Adapter for SAP NetWeaver Exchange Infrastructure 3.0 Configuration Guide, you must extract the ZIP file on the Download tab page.

In the configuration guide, choose Security Settings→Encryption and Signing.

For information about the configuration of the Secure Sockets Layer (SSL) within the AS2 Adapter for SAP NetWeaver Exchange Infrastructure 7.1, choose Security Settings→SSL.

10 Other Security-Relevant Information

Use

To use the Web browser as a user front end, you have to activate JavaScript (Active Scripting) to ensure a working user interface. This could conflict with your security policy regarding Web services.

For more information about the security configuration of Web services, see the GDS 2.1 Configuration Guide on the SAP Service Marketplace at http://service.sap.com/instguides →Industry Solutions→Industry Solution Guides→SAP for Consumer Products→SAP MDM GDS 2.1→Configuration Guide GDS 2.1.

11 Security-Relevant Logging and Tracing

Use

All security-relevant log messages during the business scenario are created using the following category: //Common//.

For more information about log and trace messages, see the GDS 2.1 Application Operations Guide on the SAP Service Marketplace at http://service.sap.com/instguides →Industry Solutions→Industry Solution Guides→SAP for Consumer Products→SAP MDM GDS 2.1→Application Operations Guide GDS 2.1→Trace and Log Files.

For more information about the Master Data Management security logs, see the security guide for MDM on the SAP Service Marketplace at http://service.sap.com/installmdm.

12 Appendix

You can find more information about the security of SAP applications on the SAP Service Marketplace at http://service.sap.com/securityguide.

www.sap.com/contactsap

© 2017 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.