SAP Security - Day 1

Description: This document gives details of SAP Security.

Transcript of SAP Security - Day 1

Objectives
- Types of security
- A who's who …
- Safeguards

What is Security?
In other words: … integrity, and availability of computers, their programs, hardware devices, and data.
A secure system … behave differently.
Potential to cause a failure of security.
 
 
Who could attack the system?
- Who: … challenge the security of the system
- What
- Why
Why to secure, i.e. the importance of the data/article etc.

Security achieved by:
- Keeping unauthorized persons out of the system
- Keeping people out of places where they should not be
- Safeguarding the data from damage or loss

So, do I understand? … I need to implement some safeguards to avoid threats and that's how I achieve my security goals?
 
 
1. Tampering
Security - Under the Microscope …
Organizational
Guard, Spam Blocker?

A known story with an extension
Let's recollect the Rabbit / Tortoise story again. Once the Tortoise won the run, the Rabbit wants to congratulate the tortoise and so the rabbit wants to gift a piece of memento to the tortoise. The Rabbit needs to carry the memento to the Tortoise's home.
Our point of focus would be:
1. Is the rabbit secured at its own home?
2. Is the tortoise secured at its own home?
3. Is the memento secured?
4. The road through which the rabbit needs to go, is that secured?
…Remember
Security can be void if:
- The applications are not secured (consider the hands by which the rabbit carries the gift to the tortoise)
- The O.S. is not secured (the house of the rabbit or the tortoise)
- … (the gift)
- The network path is not secured (the path through which the rabbit needs to run)
 
 
Let's understand these challenges in our known terms and their safeguards…
 
 
Let's introduce… Program Security
Confidential © Copyright IBM Corporation 2004
Computer programs are the first line of defense in computer security, since programs provide logical controls. Programs, however, are subject to error, which can affect computer security.
A computer program is:
- Correct: if it meets the requirements for which it was designed.
- Complete
- Exact: if it performs only those operations specified by requirements.

Application Security / Threat Flow
Application Overview
Architecture
Test
My Program is Secured, But is my O.S. secured?
 
 
How is an operating system built?

The innermost layer provides direct access to the hardware facilities of the computing system and exports very primitive abstract objects to the next layer. Let's visualize that…
Operating systems structured specifically for security are built in a kernelized manner.
 
 
Security of operating systems
OS kernel
Threats

Database Threats
Why to protect a database - intelligent threats
Database
Database Vulnerabilities
Basically, database security can be broken down into the following key points of interest:
- Restricting Database Access: targeting Internet-based databases, since they have been the most recent targets of attacks.
- Table Access Control: collaboration of both system administrator and database developer.
- Database Connections: ensure that every connection uses its own unique user to access the shared data.
- Server Security: server security is the process of limiting actual access to the database server itself. The basic idea is
 
 
Database Web Security
- Session security -- ensuring that data is not intercepted as it is broadcast over the Internet or Intranet
- Server security -- ensuring security relating to the actual data or private HTML files stored on the server
- … security that prevents unauthorized access to information
 
 
Knock Knock … can you save my data?
 
 
Some Database Security Measures
- Server Security
- Public and Private Key Security
- Database Connections
- Secure Sockets Layer (SSL) and S-HTTP
- Session Security
 
 
Huh !!
 
 
Network Security
Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side-effects. Network security includes data integrity.
 
 
Let's identify the rabbit's dangers on the road
 
 
The Rabbit's gift could have been stolen or destroyed by any other animal / stranger on the road.
To safeguard:
2. The rabbit could run faster
3. The rabbit could fool them .. etc
 
 
Common security attacks and their countermeasures
- Finding a way into the network: Firewalls
- Exploiting software bugs, buffer overflows: Intrusion Detection Systems
- TCP hijacking: IPSec
- Packet sniffing: Encryption (SSH, SSL, HTTPS)
- Social problems
- IP Attacks
- ICMP Attacks
Visualize … imagine … you realize
Network Security Threats
Web Security Threats
Is there anyone who can save me?
 
 
Network Security Safeguards
Certificate, Proxy, Spam Blocker

SAP world and security
Different Layers of Security With SAP Application (layers: SAP, Application, Security, Network)
Security in an integrated system like SAP tries to achieve the following:
- Authentication - Only legitimate users should be able to access the system
- Authorization - Users should only be able to perform their designated tasks
- Integrity - Data integrity needs to be granted at all times
- Privacy - Protection of data against unauthorised access
 
Objectives
- NetWeaver breakdown

SAP Product Introduction - History
The 1970s: A Real-Time Vision
In 1972, five former IBM employees -- Dietmar Hopp, Hans-Werner Hector, Hasso Plattner, Klaus Tschira, and Claus Wellenreuther -- launch a company called Systems, Applications, and Products.

Their vision: to develop standard application software for real-time business processing.
One year later, the first financial accounting software, the R/1 system, is complete. "R" stands for real-time data processing.
By the end of the decade, intensive examination of SAP's IBM database and dialog control system leads to the birth of SAP R/2.
 
 
… continued
The SAP R/2 system attains a high level of stability.
Keeping in mind its multinational customers, SAP designs SAP R/2 to handle different languages and currencies.
With the founding of subsidiaries in Denmark, Sweden, Italy, and the United States, SAP's international expansion takes a leap forward.
 
 
… continued
SAP R/3 is unleashed on the market.
The client-server concept, uniform appearance of graphical interfaces, consistent use of relational databases, and the ability to run on computers from different vendors meets with overwhelming approval.
With SAP R/3, SAP ushers in a new generation of enterprise software -- from mainframe
 
 
… continued
The 2000s: Innovation for the New Millennium
With the Internet, the user becomes the focus of software applications. SAP develops mySAP Workplace and paves the way for the idea of an enterprise portal and role-specific access to information.
By 2005:
- 12 million users work each day with SAP solutions
- 100,600 installations worldwide
- over 25 industry-specific business solutions
- more than 33,200 customers in 120 countries
SAP NetWeaver developed based on Services-Oriented Architecture (SOA)
 
 
 
SOA
Software architecture that defines the use of loosely coupled software services to support the requirements of business processes and software users.
Resources on a network in an SOA environment are made available as independent services that can be accessed without knowledge of their underlying platform implementation.
SOA-based systems can therefore be independent of development technologies and platforms (such as Java, .NET etc.)
 
 
Now let us take a look at some technical & operational challenges facing a distributed system:
SAP NetWeaver
How to address the integration challenge?
 
 
SAP NetWeaver
SAP NetWeaver integrates various different technological concepts and previous platforms in a single solution.
It is an open technology platform which offers a comprehensive set of technologies that are natively integrated.

NetWeaver / People Integration
- Multi-Channel Access
- Portal
- Collaboration
People Integration brings together the right functionality and the right information to the right people.
 
 
NetWeaver / People Integration / Portal / Sample View
 
 
NetWeaver / People Integration .. Portal
The portal is the Web front-end component for SAP NetWeaver.
It is a personalized, interactive gateway, providing employees, partners, suppliers and customers with a single point of access.
The key capabilities of the portal within SAP NetWeaver are as follows:
- Heterogeneous information integration
- Administrator & EUS user management & security support
- Personalization
- Ready-to-deploy business packages
- Delegated administration

NetWeaver / People Integration / Multi-Channel Access
- With multi-channel access, you can connect to enterprise systems through voice, mobile, or radio-frequency technology.
- Multi-channel access is delivered through Mobile Infrastructure.
- The key elements of SAP NetWeaver's multi-channel access capabilities are: SAP NetWeaver Mobile, Web-based GUI, …

NetWeaver / People Integration / Multi-Channel Access
NetWeaver Mobile comprises various technical architectures used for enabling end-to-end mobile business solutions targeting specific user roles and device platforms.
SAP Auto-ID Infrastructure connects RFID data directly from auto-ID data-capture sources, such as RFID readers, and integrates high-volume data directly into enterprise applications in real time.
SAP NetWeaver provides standardized interfaces to link 3rd-party communication management applications with business applications. It enables the integration of fax, SMS or email.
Web-based GUI enables end users to gain access to their enterprise business via a browser or Java user interface.
SAP NetWeaver Voice makes business processes accessible by any telephone, any time. Users can interact with SAP backend systems using speech recognition or touch tones. It
 
 
NetWeaver / People Integration / Collaboration
The collaboration capabilities delivered with SAP NetWeaver are designed to enable individuals, teams, and interest groups to work together closely towards a common goal.
The comprehensive set of collaboration tools and services allows users to share relevant information, communicate online in real time, plan with the help of a unified calendar, and provides a single point of access to documents and resources.
NetWeaver / Information Integration
Information Integration makes both structured and unstructured information available in the enterprise in a consistent and accessible manner.
Users demand ubiquitous access to information wherever it resides. That information must be served in a consistent manner and its integrity guaranteed.
NetWeaver / Information Integration / Business Intelligence
Business Intelligence in NetWeaver is composed of the following parts:
- Data warehousing, which forms the application-neutral foundation for Business Intelligence. SAP BW supports the complete data warehousing process, from data integration, data transformation, consolidation and cleansing to data provision for analysis.
- A business intelligence platform that serves as the technological infrastructure to support information access and comprehensive analytics.
- A business intelligence suite that transforms data into insightful information and serves a wide variety of users for decision-making.
 
 
NetWeaver / Information Integration / Knowledge Management
Knowledge Management (KM) is the umbrella term for the management of unstructured information -- that is, all kinds of documents.
The Knowledge Management (KM) capabilities of SAP NetWeaver turn unstructured information into organizational knowledge -- an essential function in this age of global e-business.
The business challenge is to transform unstructured information into organizational knowledge by structuring and classifying it in such a way that it becomes assessable and relevant to the enterprise's knowledge workers.
There is an urgent need to create a central point of access within the enterprise to manage
 
 
 
NetWeaver / Information Integration / Master Data Management
Today, companies operating within heterogeneous IT landscapes are commonplace, and the demand for streamlining communication within such an environment is great.
SAP Master Data Management (SAP MDM) - a key capability of SAP NetWeaver - enables information integrity across the business network. It enables companies to store, augment, and consolidate master data, while ensuring consistent distribution to all applications and systems within the IT landscape.
It leverages existing IT investments in business-critical data, delivering vastly reduced data maintenance costs through effective data management.
 
 
 
NetWeaver / Process Integration
Process Integration enables business processes to run seamlessly across heterogeneous IT landscapes.
- Integration broker -- This capability enables XML/SOAP-based communication between application components from various sources and vendors. It also enables you to define software components, interfaces, mappings, and content-based routing rules. This capability is delivered through SAP Exchange Infrastructure (XI).
- Business process management -- With business process management, you can model and drive processes in a dynamic IT environment. It allows you to combine underlying applications into adaptive, end-to-end processes spanning the entire value chain.
 
 
NetWeaver / Process Integration .. XI
SAP NetWeaver Exchange Infrastructure:
- Provides a technical infrastructure for XML-based message exchange in order to connect SAP components with each other, as well as with non-SAP components
- Delivers business-process and integration knowledge to the customer, in the form of SAP's predefined integration scenarios
- Provides an integrated toolset for building new integration scenarios by defining and maintaining all integration-relevant information ("shared collaboration knowledge")
 
 
NetWeaver / Process Integration / Business Process Management
BPM has three focuses to cater for:
- Collaboration Tasks, which is part of the Enterprise Portal Framework, to enable individuals to create light-weight ad hoc processes to optimize their day-to-day tasks and add transparency to what they are doing in relation to their colleagues. This is what delivers the people empowerment.
- SAP Business Workflow, embedded within the SAP Web Application Server, which is used to automate the business processes taking place within an SAP component and integrate the SAP users with the business processes. This is what delivers the workflow empowerment within the mySAP components.
 
 
 
NetWeaver / Application Platform
The application platform of SAP NetWeaver is the SAP Web Application Server.
It provides a complete infrastructure to develop, deploy and run platform-independent, robust and scalable Web Services and business applications.
To allow this flexibility, different technologies have been established:
- Java 2 Platform Enterprise Edition (J2EE)
- ABAP
SAP Web Application Server (SAP Web AS) is the application platform of SAP NetWeaver, i.e. it provides the complete infrastructure to develop, deploy and run all SAP NetWeaver applications. The major key capability of SAP Web AS is the full support for both the proven ABAP technology and the innovative open source internet-driven technologies Java, Java 2 Enterprise Edition (J2EE) and Web Services.

NetWeaver / Application Platform / ABAP
ABAP is the SAP Web Application Server programming language for business applications.
It contains all characteristics of an object-oriented programming language and at the same time provides the benefits of a 4GL language: many functions that are located in libraries in other languages are contained as language elements, which makes it
 
 
NetWeaver / Application Platform / DB & OS Abstraction
Using the SAP Web Application Server, you can develop applications regardless of the underlying OS. Using OpenSQL, you can develop applications that run immediately on a given set of databases. With Web Dynpro you can develop user interfaces that run on a given set of web browsers.
With MCOD (multiple components in one database), SAP provides the option to deploy several independent SAP components in one database without compromising flexibility.
With SAP DB, SAP has its own DB platform offering. SAP DB is an enterprise open source database designed for easy and simple administration and providing very low total costs of ownership.
NetWeaver / Application Platform / Composite Application Framework
Composites aim at enabling efficient development of new applications that are easily adopted by customers, and allow flexibility in backend connectivity:
- Model-driven architecture
- Loose coupling to backend systems
- Adaptive user-centric process flow and user interfaces
Among the main features that SAP CAF provides are:
- Support for the three layers of a composite application (services, user interfaces, and processes)
- Patterns and templates at all three levels to increase development efficiency and application homogeneity
- Model- and code-generation-based methods using tools that store models in a proprietary metamodel repository
(Figure: Composite Application (CAF))
Questions?
Objectives
- NetWeaver Security
Perfect Security?
Needs to evolve with changing technologies & associated risks
 
 
Why is Security necessary?
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise.
When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information.
User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time.
 
 
What to protect?
There are various aspects to consider while considering the answer to the above.
In the SAP environment, we should be able to reduce the risk of a security attack in the entire NetWeaver stack.
Broadly, we are looking at reducing security risks to the following NetWeaver layers:
- People Integration
- Process Integration
People Integration brings together the right functionality and the right information to the right people. This module of the NetWeaver stack aims at providing a seamless user experience, boundless collaboration functionality, and pervasive access.
The functionality of this module of the NetWeaver stack is further broken down into:
- Multi-Channel Access
- Portal
- Collaboration
We will investigate the security aspects to be considered for the above sub-components in forthcoming slides.
 
 
NetWeaver / Portal Security
The SAP NetWeaver Portal offers users a single point of access to all applications, information, and services needed to accomplish their daily tasks. Links to back-end and legacy applications, self-service applications, company intranet services, and Internet services are all readily available in the user's portal. Because the borders between company intranets and the Internet are blurring, comprehensive security is vital to protect the company's business.
Below are the aspects to consider while aiming to secure the enterprise portal:
- User administration & Authentication
- Data Storage Security
- Operating System Security

Portal Security - User Administration & Authentication
This section covers:
User Management
 
 
 
User Management
The SAP NetWeaver Portal uses the User Management Engine (UME) for user management.
The UME can be configured to work with user management data from multiple data sources, for example, an LDAP directory, the database of the SAP NetWeaver Application Server (AS) Java, or an ABAP system.
 
 
User Management Engine (UME)
The User Management Engine (UME) provides centralized user management for all Java applications. It can be configured to work with user management data from multiple data sources. It is seamlessly integrated in the SAP NetWeaver Application Server (AS) Java as its default user store and can be administrated using the administration tools of the AS Java.
In the figure, user data is stored in one or more data sources. Each type of data source has its own persistence adapter. The persistence manager consults the persistence adapters when creating, reading, writing, and searching user management data. The application programming interface (API) is a layer on top of the persistence manager.
In the persistence manager, you configure which data is written to or read from which data source, so that the applications using the API do not have to know any details about where user management data is stored.
 
 
Portal Security - Authentication
Authentication provides a way of verifying the user's identity before he or she is granted access to the portal.
Several authentication mechanisms exist, some detailed below:
- Basic authentication (Userid & Password)
- Client Certificates
- Single Sign-on
 
 
Portal Security / Authentication / Basic Authentication
Basic Authentication is an HTTP standard method to use for authentication, whereby the user provides a user ID and password for authentication.
SAP J2EE Engine uses Basic Authentication for applications that are set up to use basic or form authentication.
When using basic authentication, the user's information is passed to the server over the HTTP connection in a header variable as a base-64 encoded string.
When using form-based authentication, the information is passed in the URL as a URL parameter.
Since the above is not very secure, the use of SSL to secure the connection is recommended, which then converts an HTTP request to HTTPS.
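An added example for the slide above (not code from the original deck or from SAP) that decodes the base-64 header the slide describes and flags a logon request that still travels over plain HTTP; the header, URLs and the form parameter names "user" and "password" are constructed assumptions.

```python
"""How Basic and form-based logon expose credentials on the wire.

Added example for the slide above, not code from the original deck or from
SAP. The header and URLs are constructed samples; the form parameter names
"user" and "password" are assumptions, not the J2EE Engine's real names.
"""
import base64
import binascii
from urllib.parse import parse_qs, urlsplit


def decode_basic_header(header_value):
    """Recover (user, password) from an 'Authorization: Basic ...' header.

    base64 is an encoding, not encryption: anyone who can read the header
    on a plain HTTP connection recovers the clear-text password. Returns
    None when the value is not a well-formed Basic credential.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")   # wire format is "user:password"
    if not sep:
        return None
    return user, password


def credentials_in_url(url):
    """Return (user, password) sent as URL parameters by a form logon, if present."""
    query = parse_qs(urlsplit(url).query)
    if "user" in query and "password" in query:
        return query["user"][0], query["password"][0]
    return None


def logon_is_exposed(url, headers):
    """True when a request carries a recoverable password over plain HTTP.

    This is the condition the slide warns about; the recommended fix is to
    serve the logon over HTTPS so the header or URL is encrypted in transit.
    """
    in_header = any(
        name.lower() == "authorization" and decode_basic_header(value) is not None
        for name, value in headers.items()
    )
    carries_password = in_header or credentials_in_url(url) is not None
    return carries_password and urlsplit(url).scheme.lower() != "https"


# Constructed sample traffic (no real system or user involved)
SAMPLE_HEADER = "Basic " + base64.b64encode(b"jdoe:Winter2004!").decode("ascii")
HTTP_URL = "http://portal.example.invalid/portal"
HTTPS_URL = "https://portal.example.invalid/portal"
FORM_URL = "http://portal.example.invalid/logon?user=jdoe&password=Winter2004!"

if __name__ == "__main__":
    print(decode_basic_header(SAMPLE_HEADER))                            # ('jdoe', 'Winter2004!')
    print(logon_is_exposed(HTTP_URL, {"Authorization": SAMPLE_HEADER}))   # True
    print(logon_is_exposed(HTTPS_URL, {"Authorization": SAMPLE_HEADER}))  # False
```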
 
 
 
Portal Security / Authentication - Client Certificates
In addition to using SSL for encrypting connections, you can use SSL and X.509 client certificates for authenticating client or user access requests to the J2EE Engine.
When using client certificates, authentication takes place transparently for the user with the underlying SSL security protocol. Therefore, you can use authentication with client certificates to integrate the J2EE Engine in a Single Sign-On environment.
Users need to receive their client certificates from a Certification Authority (CA) as part of a public-key infrastructure (PKI). If you do not have an established PKI then you can use a Trust Center Service to obtain certificates.
 
 
Portal Security / Authentication / Single Sign-On (SSO)
SSO is a key feature of the SAP NetWeaver Portal that eases user interaction with the many component systems available to the user in a portal environment. Once the user is authenticated to the portal, he or she can use the portal to access external applications.
With SSO in the portal, the user can access different systems and applications without having to repeatedly enter his or her user information for authentication.
The portal SSO mechanism is available in the following variants depending on security requirements and the supported external applications:
- SSO with logon tickets
- SSO with user ID and password
Both variants eliminate the need for repeated logons to individual applications after the initial authentication at the portal. Whereas SSO with logon tickets is based on a secure ticketing mechanism, SSO with user ID and password forwards the user's logon data
 
 
Portal Security / Authentication / Single Sign-On (SSO)
Single Sign-On With Logon Tickets
Logon tickets represent the user credentials. The portal server issues a logon ticket to a user after successful initial authentication.
The logon ticket itself is stored as a cookie on the client and is sent with each request of that client. It can then be used by external applications such as SAP systems to authenticate the portal user to those external applications without any further user logons being required.
Logon tickets contain information about the authenticated user. They do not contain any passwords. Specifically, logon tickets contain the following items:
- Portal user ID and one mapped user ID for external applications
- Authentication scheme
- Digital signature
When using logon tickets, one system must be the ticket-issuing system. This can either be the portal or another system.
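An added example (not SAP's code or the real logon-ticket format) that issues and verifies a simplified ticket carrying exactly the items listed above and no password; the field layout is constructed, and an HMAC over a key shared by issuer and verifier stands in for the real ticket's public-key digital signature.

```python
"""Simplified logon-ticket issue and verify (added example, not SAP's code).

The ticket carries exactly the items the slide lists: portal user ID, one
mapped user ID for the external application, the authentication scheme and a
signature, and no password. Assumptions: the field layout and cookie encoding
are constructed, and the signature is an HMAC over a key shared between the
ticket-issuing system and the verifying application, standing in for the real
ticket's public-key digital signature.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key for the ticket-issuing system; a real deployment uses the issuer's key pair.
ISSUER_KEY = b"constructed-demo-key-not-for-real-use"
DEFAULT_TTL_SECONDS = 8 * 3600


def _encode(body):
    return base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()


def _sign(payload, key):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_ticket(portal_user, mapped_user, auth_scheme, key=ISSUER_KEY, now=None, ttl=DEFAULT_TTL_SECONDS):
    """Issued after successful initial authentication; this is the cookie value the client stores."""
    body = {
        "portal_user": portal_user,
        "mapped_user": mapped_user,     # user ID the external application knows
        "auth_scheme": auth_scheme,
        "issued": int(now if now is not None else time.time()),
        "ttl": ttl,
    }
    payload = _encode(body)
    return payload + "." + _sign(payload, key)


def verify_ticket(ticket, key=ISSUER_KEY, now=None):
    """Return the ticket body if the signature is valid and the ticket is unexpired, else None.

    The external application trusts the ticket only because of the signature:
    it never sees a password, so there is nothing to re-check against a store.
    """
    payload, sep, signature = ticket.rpartition(".")
    if not sep:
        return None
    if not hmac.compare_digest(_sign(payload, key), signature):
        return None                    # tampered, or issued by an untrusted system
    try:
        body = json.loads(base64.urlsafe_b64decode(payload.encode()))
    except (ValueError, UnicodeDecodeError):
        return None
    current = now if now is not None else time.time()
    if current > body["issued"] + body["ttl"]:
        return None                    # expired: the client must authenticate at the portal again
    return body


def with_changed_mapped_user(ticket, new_mapped_user):
    """A cookie edited on the client to claim another backend user; verify_ticket must reject it."""
    payload, _, signature = ticket.rpartition(".")
    body = json.loads(base64.urlsafe_b64decode(payload.encode()))
    body["mapped_user"] = new_mapped_user
    return _encode(body) + "." + signature


if __name__ == "__main__":
    t = issue_ticket("jdoe", "JDOE_ERP", "basic")
    print(verify_ticket(t)["mapped_user"])                        # JDOE_ERP
    print(verify_ticket(with_changed_mapped_user(t, "ADMIN")))    # None
```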
Portal Security / Authentication / Single Sign-On
Single Sign-On With Userid & Password
The Single Sign-On (SSO) mechanism with user name and password provides an alternative for applications that cannot accept and verify logon tickets.
With this SSO mechanism the portal server uses user mapping information provided by users or administrators to give the portal user access to external systems.
The portal components connect to the external system with the user's credentials.
Since the system sends the user's logon ID and password across the network, use a secure protocol
 
 
Portal Security - Authorization
Authorizations define which objects users can access and which actions they can perform. The portal has an authorization concept that is implemented using the following concepts:
- Permissions
- Security Zones
- UME Actions
- AuthRequirement property
Portal permissions define portal user access rights to portal objects in the PCD and are based on access control list (ACL) methodology.
Security Zones control which portal components and portal services users can launch and are defined in the development phase.
UME Actions are the User Management Engine (UME) equivalent of portal permissions. The UME verifies that users have the appropriate UME actions assigned to them before granting them access to UME iViews and functions.
AuthRequirement property: this is a master iView property used in EP 5.0 that defines which users
 
 
Portal Security / Authentication / Portal Roles
In the SAP NetWeaver Portal, roles are only indirectly linked to authorization.
Portal roles group together the portal content required by users with a certain role in the company. In addition, the role structure defines the navigation structure that a user sees in the portal.
Users and groups assigned to a role inherit the permissions of the role. By default this is end user permission.
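An added example (not SAP's PCD implementation) that models the permission and role concepts of the last two slides: ACL entries on portal objects, and users or groups assigned to a role inheriting the role's permission, end user by default. The permission level names, the folder paths and the rule that an object without its own ACL inherits its nearest ancestor's are constructed assumptions.

```python
"""Portal-style permission check on PCD objects (added example, not SAP code).

Models the concepts described above: ACL entries on portal objects, roles that
group content, and users or groups assigned to a role inheriting the role's
permission (end user by default). Permission names, the folder layout and the
inheritance of an ACL from the parent folder are constructed assumptions.
"""
from typing import Dict, List, Set, Tuple

Principal = Tuple[str, str]   # ("user" | "group" | "role", name)

# Ordered permission levels; a higher level implies the lower ones (assumption).
LEVELS = {"none": 0, "end_user": 1, "read": 2, "write": 3, "full_control": 4}
DEFAULT_ROLE_PERMISSION = "end_user"   # the deck: role members get end user permission by default


class PortalAcl:
    def __init__(self):
        self.entries: Dict[str, List[Tuple[Principal, str]]] = {}   # object path -> ACL entries
        self.role_members: Dict[str, Set[Principal]] = {}           # role -> assigned users/groups

    def grant(self, obj, principal, level):
        if level not in LEVELS:
            raise ValueError(f"unknown permission level: {level}")
        self.entries.setdefault(obj, []).append((principal, level))

    def assign_role(self, role, principal):
        self.role_members.setdefault(role, set()).add(principal)

    def _principals_for(self, user, groups):
        """The user, their groups, and every role assigned to the user or to one of the groups."""
        direct = {("user", user)} | {("group", g) for g in groups}
        roles = {("role", r) for r, members in self.role_members.items() if members & direct}
        return direct | roles

    def effective_level(self, obj, user, groups=()):
        """Highest level granted on obj, or on its nearest ancestor if obj has no ACL of its own."""
        principals = self._principals_for(user, groups)
        path = obj
        while True:
            if path in self.entries:
                best = 0
                for principal, level in self.entries[path]:
                    if principal in principals:
                        best = max(best, LEVELS[level])
                return best
            if "/" not in path.strip("/"):
                return 0                       # reached the root without finding an ACL
            path = path.rsplit("/", 1)[0]      # inherit from the parent folder (assumption)

    def allows(self, obj, user, required, groups=()):
        return self.effective_level(obj, user, groups) >= LEVELS[required]


def build_sample_portal():
    """Constructed sample: a content folder with a role-based ACL and an admin-only sub-folder."""
    acl = PortalAcl()
    acl.grant("/pcd/portal_content", ("role", "sales_role"), DEFAULT_ROLE_PERMISSION)
    acl.grant("/pcd/portal_content", ("group", "content_admins"), "full_control")
    acl.grant("/pcd/portal_content/admin_tools", ("group", "content_admins"), "full_control")
    acl.assign_role("sales_role", ("group", "sales"))   # members of the sales group inherit the role's permission
    return acl


if __name__ == "__main__":
    acl = build_sample_portal()
    print(acl.allows("/pcd/portal_content/reports", "jdoe", "end_user", groups=("sales",)))       # True
    print(acl.allows("/pcd/portal_content/admin_tools", "jdoe", "end_user", groups=("sales",)))   # False
```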
Portal Security / Network & Communication Security
The portal is dependent on the NetWeaver Application Server for Java for network communication.
SAP systems are implemented as client-server frameworks built in three levels: database server level, application server level and the presentation level (front ends).
The servers are the most vulnerable part of the network infrastructure and special care
 
 
Collaboration Security
SAP Collaboration allows access to company-internal personal data, information, and documents that may not be equally accessible to all portal users. Settings for data security prevent unauthorized access and data manipulation.
Collaboration uses the user management and user authentication mechanisms in the SAP NetWeaver platform, in particular those in the SAP Web Application Server (Java). Therefore, the security recommendations and guidelines for user management and authentication apply as described in the SAP Web Application Server security guide.
Collaboration uses the permissions concept provided by the SAP Web Application Server (Java). Therefore, the security recommendations and guidelines for permissions apply as described in the SAP Web Application Server (Java) security guide.
This permissions concept is based on roles that are valid throughout the portal, which are assigned to the users.
 
 
Multi-Channel Access Security
With multi-channel access, you can connect to enterprise systems through voice, mobile, or radio-frequency technology.
Multi-channel access is delivered through Mobile Infrastructure.
The mobile device is threatened by the following potential dangers:
- Loss of the device
- Unauthorized use by an unauthorized person
- Data manipulation in the file system
 
 
Mobile Infrastructure / Authentication
The user management of the SAP MI Client Component manages user IDs and local logon passwords. The local logon password is used for local user authentication. It is stored in coded form on the mobile device, and not in plain text. The number of possible failed attempts can be restricted.
A second password, called the synchronization password, is used for synchronization with the SAP MI Server Component (SAP NetWeaver AS).
You can change the passwords on the client side at any time. The data can, however, only be synchronized successfully if the user ID and synchronization password for the client have counterparts on the server. Users can change both passwords with the SAP MI Client Component.

Mobile Infrastructure / Authentication
For mobile devices with only one user you can configure the device in such a way that the user does not have to log on with the local logon password. The start page of the SAP MI Client Component appears immediately as soon as the mobile device is started. Where this is the case, the user must be able to identify him- or herself on the operating system.
The authentication on the operating system is not technically linked to the SAP MI Client Component. It is a conceptual, organizational prerequisite for working with the SAP MI Client Component.
When the user synchronizes with the SAP MI Server Component he or she has to use the
 
 
Mobile Infrastructure - Authentication
Authentication with Single Sign-On
You can configure the SAP MI Client Component to support single sign-on (SSO) if the device is available with an online connection.
The SSO technology is based on the SAP logon tickets.
The mobile device receives the SAP logon ticket from a system that issues tickets, such as SAP Enterprise Portal.
The mobile device can then be verified at the SAP MI Server Component with the SAP
 
 
Mobile Infrastructure - Authorization
The security recommendations and guidelines for authorizations described in the SAP NetWeaver Application Server Security Guide also apply, therefore, to SAP MI.
The authorization concept of the SAP NetWeaver AS is based on the assignment of authorizations to users on the basis of roles. Use the profile generator (transaction PFCG) for role maintenance on SAP NetWeaver AS ABAP and the user administration console from the User Management Engine on SAP NetWeaver AS Java.
Access to data and applications on the SAP MI Client Component is controlled by user-
 
 
Mobile Infrastructure / Securing the Communication Channel
There are 2 communication paths to secure:
- From the SAP MI Client Component to the SAP NetWeaver AS ABAP and vice versa
  Protocols include HTTP, SSL or HTTPS
  Data transferred includes application data, control data for SAP Mobile Infrastructure, and the synchronization password
  Data requiring particular protection includes the synchronization password, as it is copied from the mobile device to the SAP NetWeaver AS ABAP with each HTTP request. Use of SSL or HTTPS is recommended
- From SAP NetWeaver AS ABAP to the back-end system and vice versa
  Protocols include RFC
 
 
Information Integration - Security Risks?
Information Integration makes both structured and unstructured information available in the enterprise in a consistent and accessible manner.
Users demand ubiquitous access to information wherever it resides. That information must be served in a consistent manner and its integrity guaranteed.
 
 
Business Information Warehouse Security
Why Is Security Necessary?
SAP NetWeaver BI serves to integrate, transform, and consolidate data from all areas of an enterprise in order to provide this for analysis, interpretation and distribution. This includes confidential corporate data, for example, personal data from Personnel Administration. Decisions are made in all enterprise areas and target-oriented actions are determined on the basis of this data. For this reason, security when accessing data and the ability to guarantee data integrity is of great importance.
The following examples show the dangers to which BI can be exposed:
 
 
BI Security - Authentication
The authentication process enables the identity of a user to be checked before this user gains access to BI or BI data. SAP NetWeaver supports various authentication mechanisms.
Some of the authentication mechanisms include:
- Single Sign-On (SSO)
- Client Certificates
- SAP Logon Tickets
Single sign-on implies that once a user is authenticated with a username & password, the user then has access to other SAP systems that are in the landscape.
As an alternative to user authentication using a user ID and password, users using Internet applications via the Internet Transaction Server (ITS) can also provide X.509 client certificates. In this case, user authentication is performed on the Web Server using the Secure Sockets Layer Protocol (SSL Protocol) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.
 
 
BI Security - Authorization
An authorization allows a user to perform a certain activity on a certain object
in the BI System. There are two different concepts for this depending on the
role and tasks of the user:
Standard Authorizations
- These authorizations are required by all users that are working in the Data
Warehousing Workbench to model or load data, and also by users that work in the
planning workbench or the Analysis Process Designer and those that work with the
Reporting Agent or the BEx Broadcaster or define queries.
Analysis Authorizations.
- All users that want to display transaction data from authorization-relevant
 
 
Knowledge Management (KM) Security
The KM security aspects deal with preventing illegal access to documents and settings and preventing them from being manipulated illegally.
Security in KM is achieved by implementing one or more of the following measures:
- Roles
- ACLs
- Security Zones
Roles are of 3 types:
 
 
Knowledge Management (KM) Security
Restricting access permissions only by using the role concept or worksets is not sufficient. The use of ACLs is recommended.
- Access permissions on the root nodes of security-relevant repositories should be restricted immediately after the installation or after configuring new repository managers in order to prevent documents being read illegally by users hacking or guessing document URLs.
- Change the ACLs for subordinate folders if different permissions apply for these folders.
Security Zones
- Security zones restrict unauthorized direct access to KM content
- For initial KM content, the required permissions in the security zones are already assigned
during installation of SAP NetWeaver.
 
 
KM Security - Communication Channel Security
Various channels of communication and technologies are used between the components and data sources in Knowledge Management.
The following technologies are used for communication:
- HTTP/HTTPS
- WebDAV
- ICE
 
 
Process Integration - Security Risks ?
Why Is Security Necessary?
As the central infrastructure for exchanging business documents, PI has to make sure that the involved processes can be executed in a secure manner. Particular security requirements have to be considered if business partners communicate over the Internet.
XML messages may contain confidential business data. In order to protect them against eavesdropping and unauthorized access, the communication lines as well as the storage locations of XML messages need to be made secure.
 
 
PI Security - Communication
The components of a process integration (PI) landscape communicate with each other
for different purposes like configuration, administration, monitoring, or the actual
messaging.
The primary purpose of a PI landscape is to enable business partners and applications
to exchange XML messages (business documents). This includes business
communication between business systems, Integration Servers or Adapter Engines.
In addition to proper messaging, technical communication between various PI tools and
runtime components is required.
 
 
PI Security - Authentication
Session-based single sign-on is supported for the dialog users of the PI tools.
A dialog user has to log on only once for all PI tools, provided that the same browser
session is used for each tool access, and that the tools are started from the same SAP
NetWeaver Application Server Java.
Single sign-on is also supported by the Runtime Workbench where access to other PI
 
 
PI Security - Message Level Security
Message-level security allows you to digitally sign or encrypt documents exchanged between
systems or business partners. It improves communication-level security by adding security features
that are particularly important for inter-enterprise communication. Message-level security is
recommended and sometimes a prerequisite for inter-enterprise communication.
Certificate Store
- Message-level security processing is generally done in SAP NetWeaver Application Server Java
(AS-Java). If the Integration Server executes security processing, a Web service is called in the
J2EE Engine. Therefore, the certificates as well as the certification authority (CA) certificates to
be used must be entered into the keystore of the J2EE Engine that executes the security
handling at runtime.
Archiving Secured Messages
- For non-repudiation purposes, signed messages are stored in a dedicated archive, the non-
repudiation archive. It contains data to prove the validity of the signature. The following data is
stored:
The raw message
The security policy as configured in the Integration Directory
The sender certificate
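The non-repudiation archive keeps the raw message, the security policy and the sender certificate so that a signature can be proven valid long after the exchange. The following Go model of such an archive is an added illustration for this training page, not code from the deck or from SAP: the entry layout, the policy label, the self-signed sender certificate and the sample order message are all assumptions, and ECDSA P-256 with SHA-256 stands in for whatever algorithm the Integration Directory policy would actually name.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)
const Policy = "sign:ECDSA-P256-SHA256" // constructed label for the security policy from the Integration Directory
type ArchiveEntry struct { // the deck's three items (raw message, policy, sender certificate) plus the signature
	RawMessage, SenderCertDER, Signature []byte
	Policy                               string
}
// NewSenderCert makes a throwaway self-signed certificate for the sender (hypothetical partner).
func NewSenderCert() (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}
// Archive signs the raw message and stores everything a later check needs.
func Archive(key *ecdsa.PrivateKey, certDER, raw []byte) (ArchiveEntry, error) {
	digest := sha256.Sum256(raw)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return ArchiveEntry{raw, certDER, sig, Policy}, err
}
// Verify re-proves the signature from archived data alone; a changed message, a foreign certificate or an unknown policy all fail.
func Verify(e ArchiveEntry) error {
	cert, err := x509.ParseCertificate(e.SenderCertDER)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(e.RawMessage)
	if e.Policy != Policy || !ok || !ecdsa.VerifyASN1(pub, digest[:], e.Signature) {
		return fmt.Errorf("cannot validate archived signature under policy %q", e.Policy)
	}
	return nil
}
func main() {
	key, cert, _ := NewSenderCert()
	entry, _ := Archive(key, cert, []byte(`<order id="42"><qty>10</qty></order>`)) // constructed sample
	fmt.Println("archived message verifies:", Verify(entry) == nil)
}
```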
Questions ?