Confidential © Copyright IBM Corporation 2004

IBM Global Services

Objectives
• What is security ?
• Security threats & measures to combat threats
• Types of security


A who's who … Security, Secured System, Threats, Safeguards …


What is Security ?
• Dictionary meaning: Freedom from risk or danger; safety.
• In other words: The process of ensuring confidentiality, integrity, and availability of computers, their programs, hardware devices, and data.

A Secure System and Threat
• A secure system: It is a system which does exactly what we want it to do and nothing that we don't want it to do, even when someone else tries to make it behave differently.
• Threat: It is an act or event that has the potential to cause a failure of security.

Why I am here … and how do I achieve it ?

A security consultant should know
• What to secure (What)
• Why to secure, i.e. the importance of the data/article etc. (Why)
• Who could attack the system / challenge the security of the system (From Whom)

Security achieved by
• Keeping unauthorized persons out of the system
• Keeping people out of places where they should not be
• Safeguarding the data from damage or loss

So.. Do I understand ? …. I need to implement some safeguards to avoid threats, and that's how I achieve my security goals ? …. Let's see the big picture.

The BIG Picture
(Figure relating Goals, Threats and Safe Guards)
• Goals: Confidentiality, Integrity, Availability, Obligation
• Threats: 1. Tampering 2. Planting 3. Eavesdropping 4. Penetration 5. Authorization Violation 6. O/S Cracking
• Safe Guards: Access Control, Firewall, Encryption, Digital Certificate, Anti-Virus, Security Monitor, O/S Hardening

Security …. Under The Microscope

Types Of Security
(Figure)
• Organizational: Policies, Monitoring, Training, Disaster Plan
• Physical: Server Facilities, Building, Fire Alarm, Camera
• Technical: Program Level, O/S Level (Patches, O/S Hardening), Database, N/W security; safeguards named in the figure: Authentication, Access Control, Security Monitor, Firewall, Encryption, Virus Guard, Spam Blocker

A known story with an extension
Let's recollect… the Rabbit – Tortoise story again. Once the tortoise won the run, the rabbit wants to congratulate the tortoise, and so the rabbit wants to gift a piece of memento to the tortoise. The rabbit needs to carry the memento to the tortoise's home. Our point of focus would be….
1. Is the rabbit secured at its own home?
2. Is the tortoise secured at its own home?
3. Is the memento secured?
4. The road through which the rabbit needs to go, is that secured?

If we co-relate the rabbit and the tortoise to our computer world …
Remember: Any computer is not secured. Security can be void if
• The applications are not secured (consider the hands by which the rabbit carries the gift to the tortoise)
• The O/S is not secured (the house of the rabbit or the tortoise)
• The database and data are not secured (the container from where the rabbit takes the piece of gift)
• The network path is not secured (the path through which the rabbit needs to run)

Let's understand these challenges in our known terms and their safeguards…

Let's introduce… Program Security

Program Security
Computer programs are the first line of defense in computer security, since programs provide logical controls. Programs, however, are subject to error, which can affect computer security.
• Correct: A computer program is correct if it meets the requirements for which it was designed.
• Complete: A program is complete if it meets all requirements.
• Exact: Finally, a program is exact if it performs only those operations specified by requirements.

Application Security – Threat Flow
(Figure of the threat-modelling flow, with the stages: Identify Security Objectives, Application Overview, Decompose Application, Identify Threats, Identify Vulnerabilities)

Application Security
(Figure: threats arranged around the Architecture, Design, Implementation and Test phases: Virus, Spyware, Injection Attacks, Authentication Error, Cross Site Scripting, Denial of Service, Web Defacement, Trojan, Path Traversal)

My Program is Secured .. But is my O/S secured ?

How is an operating system built?
Operating systems structured specifically for security are built in a kernelized manner. A kernelized operating system is designed in layers. The innermost layer provides direct access to the hardware facilities of the computing system and exports very primitive abstract objects to the next layer. Let's visualize that..

Security of operating systems
To avoid threats we apply different patches and harden our O/S.
(Figure: OS Kernel, O/S Patch, O/S Hardening)

The container story …. Database damage threats

Database Threats
(Figure: threats to the database: Data Overwrite, User Conflict, Data Loss, Improper Change/Alteration of Data, Scrambled Data, Unauthorized Changes)

Why to Protect a Data Base – Intelligent Threats
(Figure: a Data Base with the fields Name, Age, No Of Cust., Unit Price; Customer Data; Aggregation; Total Market Share; inference)
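The inference threat sketched in the figure, as an added example that is not part of the original slides: a reporting interface answers aggregates over a small constructed customer table, first naively (an "aggregate" that covers a single row reveals that person's unit price) and then with a minimum query-set-size control that refuses such queries. The rows, the field name no_of_cust, and the threshold of 3 are assumptions made for the example.

```python
"""Added example (not from the slides): a minimum query-set-size control
against inference from aggregates. Data and threshold are constructed."""

from typing import Callable, Dict, List

# Constructed sample rows; field names follow the slide's database sketch.
CUSTOMERS: List[Dict] = [
    {"name": "A", "age": 34, "no_of_cust": 12, "unit_price": 120.0},
    {"name": "B", "age": 41, "no_of_cust": 7, "unit_price": 95.0},
    {"name": "C", "age": 29, "no_of_cust": 20, "unit_price": 210.0},
    {"name": "D", "age": 52, "no_of_cust": 3, "unit_price": 150.0},
    {"name": "E", "age": 41, "no_of_cust": 9, "unit_price": 80.0},
]

# Assumed policy: an aggregate is only answered when at least this many rows
# contribute, so a "total" never collapses to a single person's value.
MIN_QUERY_SET = 3


class InferenceControlError(Exception):
    """Raised when an aggregate would be computed over too few rows."""


def _matching(predicate: Callable[[Dict], bool]) -> List[Dict]:
    return [row for row in CUSTOMERS if predicate(row)]


def total(field: str, predicate: Callable[[Dict], bool], enforce: bool = True) -> float:
    """Sum `field` over the rows matching `predicate`.

    enforce=False behaves like a naive reporting API; enforce=True refuses
    queries whose result set is smaller than MIN_QUERY_SET.
    """
    rows = _matching(predicate)
    if enforce and len(rows) < MIN_QUERY_SET:
        raise InferenceControlError(
            f"query set has {len(rows)} rows, minimum is {MIN_QUERY_SET}")
    return float(sum(row[field] for row in rows))


def naive_leak() -> float:
    """Only one customer is 52, so this 'aggregate' is D's unit price itself."""
    return total("unit_price", lambda r: r["age"] == 52, enforce=False)


def guarded_refuses(predicate: Callable[[Dict], bool]) -> bool:
    """True if the guarded API refuses the unit-price total for this predicate."""
    try:
        total("unit_price", predicate)
    except InferenceControlError:
        return True
    return False


def market_share(predicate: Callable[[Dict], bool]) -> float:
    """Share of all customers held by the matching rows; also guarded."""
    part = total("no_of_cust", predicate)
    whole = total("no_of_cust", lambda r: True)
    return part / whole


if __name__ == "__main__":
    print("naive total for age == 52:", naive_leak())
    print("guarded refuses age == 52:", guarded_refuses(lambda r: r["age"] == 52))
    print("market share of age >= 34:", market_share(lambda r: r["age"] >= 34))
```

A query-set-size floor on its own is a weak control: two large, permitted aggregates that differ by one row can be subtracted to recover that row, so real database inference controls combine it with query auditing, result perturbation or restricted aggregate views.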

Database Vulnerabilities
Basically database security can be broken down into the following key points of interest:
• Server Security: Server security is the process of limiting actual access to the database server itself. The basic idea is this: "You can't access what you can't see".
• Database Connections: Ensure that every connection uses its own unique user to access the shared data.
• Table Access Control: Properly using table access control will require the collaboration of both system administrator and database developer.
• Restricting Database Access: Mainly into the network access of the system, specifically targeting Internet-based databases, since they have been the most recent targets of attacks.

Database Web-Security
For Web security, you must address three primary areas:
• Session security: ensuring that data is not intercepted as it is broadcast over the Internet or Intranet
• User-authentication security: ensuring login security that prevents unauthorized access to information
• Server security: ensuring security relating to the actual data or private HTML files stored on the server

Knock .. Knock … can you save my data?

Some Database Security Measures
• Database Connections
• Server Security
• Table Access Control
• Database Dynamic Page Generation
• Session Security
• User-Authentication Security
• Public and Private Key Security
• Digital Signatures as Passwords
• Vendor-Specific Security
• Kerberos
• Secure Sockets Layer (SSL) and S-HTTP

Huh !! The rabbit is on the way .. but is it secured enough ?

Network Security
• Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side-effects.
• Network security includes data integrity.

Let's identify the rabbit's dangers on the road ..

The rabbit's gift could have been stolen / destroyed by any other animal / stranger on the road … To safeguard …
1. The rabbit could hide
2. The rabbit could run faster
3. The rabbit could fool them …… etc.
Let's see in our network world ….

Common security attacks and their countermeasures
• Finding a way into the network: Firewalls
• Exploiting software bugs, buffer overflows: Intrusion Detection Systems
• Denial of Service: Ingress filtering, IDS
• TCP hijacking: IPSec
• Packet sniffing: Encryption (SSH, SSL, HTTPS)
• Social problems: Education
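Ingress filtering, which the slide lists as a countermeasure against denial of service, as an added example that is not part of the original material: a border filter drops inbound packets whose source address claims to be inside the organisation or lies in reserved space, and drops outbound packets whose source is not one of the organisation's own addresses (the anti-spoofing practice BCP 38 describes). The address block 192.0.2.0/24, the interface names and the sample packets are constructed for the example.

```python
"""Added example (not from the slides): an ingress/egress anti-spoofing
filter in the style of BCP 38. Address blocks and packets are constructed."""

import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed: the organisation's own public block (a documentation range here).
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Source addresses that should never arrive from the Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    iface: str  # "external" (Internet-facing) or "internal"
    src: str
    dst: str


def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def decide(pkt: Packet) -> str:
    """Return 'accept' or a 'drop: <reason>' string for one packet."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return "drop: unparsable source address"
    if pkt.iface == "external":
        # Ingress: nobody outside may claim one of our addresses, and
        # reserved/private space has no business arriving from the Internet.
        if _in_any(src, OUR_PREFIXES):
            return "drop: spoofed internal source on external interface"
        if _in_any(src, BOGON_PREFIXES):
            return "drop: bogon source on external interface"
        return "accept"
    if pkt.iface == "internal":
        # Egress: our hosts may only send with our own addresses, so the site
        # cannot be used as a launch point for spoofed traffic against others.
        if not _in_any(src, OUR_PREFIXES):
            return "drop: egress source outside our prefixes"
        return "accept"
    return "drop: unknown interface"


# Constructed traffic sample.
SAMPLE: List[Packet] = [
    Packet("external", "198.51.100.7", "192.0.2.10"),   # ordinary inbound
    Packet("external", "192.0.2.99", "192.0.2.10"),     # claims to be us
    Packet("external", "10.1.2.3", "192.0.2.10"),       # private source
    Packet("internal", "192.0.2.10", "198.51.100.7"),   # ordinary outbound
    Packet("internal", "203.0.113.5", "198.51.100.7"),  # spoofed outbound
]


def audit(packets: List[Packet] = SAMPLE) -> List[Tuple[str, str, str]]:
    """Decision for every packet in the sample, as (iface, src, verdict)."""
    return [(p.iface, p.src, decide(p)) for p in packets]


if __name__ == "__main__":
    for row in audit():
        print(*row)
```

The egress rule matters as much as the ingress rule for the denial-of-service case: flooding attacks rely on forged source addresses, and a site that only filters inbound traffic still lets its own hosts forge packets toward others.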

Attacks on Different Layers
• IP Attacks
• ICMP Attacks
• Routing Attacks
• Session Hijacking
• Application Layer Attacks

Visualize … imagine … you realize

Web and Network Security Threats
(Figure: Web Security Threats; Network Security Threats)

Is there anyone who can save me?

Network Security Safeguards
(Figure: safeguards around the Corporate Network: Firewall, Certificate, Digital Cert, Port Scan, Proxy, Router, Spam Blocker, Encryption, IDS, Antivirus, Access Control, Monitoring)

SAP world and security

Different Layers of Security with SAP Application
(Figure: Network Security, Workstation Security, SAP Application Security, O/S Security, Database Security)

Security in an integrated system like SAP tries to achieve the following….
• Authentication: Only legitimate users should be able to access the system
• Authorization: Users should only be able to perform their designated tasks
• Integrity: Data integrity needs to be granted at all times
• Privacy: Protection of data against unauthorised access
• Obligation: Ensuring liability and legal obligation towards stakeholders and shareholders, including validation

SAP Product Overview

Objectives
• Introduction to SAP NetWeaver – What is it ?
• NetWeaver Stack – Introduction
• NetWeaver breakdown
• SOA

SAP Product Introduction – History
The 1970s: A Real-Time Vision
• In 1972, five former IBM employees (Dietmar Hopp, Hans-Werner Hector, Hasso Plattner, Klaus Tschira, and Claus Wellenreuther) launch a company called Systems, Applications, and Products.
• Their vision: to develop standard application software for real-time business processing.
• One year later, the first financial accounting software, the "R/1 system", is complete. "R" stands for real-time data processing.
• By the end of the decade, intensive examination of SAP's IBM database and dialog control system leads to the birth of SAP R/2.

… continued
The 1980s: Rapid Growth
• The SAP R/2 system attains a high level of stability.
• Keeping in mind its multinational customers, SAP designs SAP R/2 to handle different languages and currencies.
• With the founding of subsidiaries in Denmark, Sweden, Italy, and the United States, SAP's international expansion takes a leap forward.


… continued
The 1990s: A New Approach to Software and Solutions
• SAP R/3 is unleashed on the market.
• The client-server concept, uniform appearance of graphical interfaces, consistent use of relational databases, and the ability to run on computers from different vendors meet with overwhelming approval.
• With SAP R/3, SAP ushers in a new generation of enterprise software: from mainframe computing to the three-tier architecture of database, application, and user interface.


… continued
The 2000s: Innovation for the New Millennium
• With the Internet, the user becomes the focus of software applications. SAP develops mySAP Workplace and paves the way for the idea of an enterprise portal and role-specific access to information.
• By 2005:
  • 12 million users work each day with SAP solutions
  • 100,600 installations worldwide
  • more than 1,500 partners
  • over 25 industry-specific business solutions
  • more than 33,200 customers in 120 countries
• SAP NetWeaver is developed based on Services-Oriented Architecture (SOA).
• Companies can integrate people, information, and processes within the company and beyond.


What is SOA ?


SOA
• Software architecture that defines the use of loosely coupled software services to support the requirements of business processes and software users
• Resources on a network in an SOA environment are made available as independent services that can be accessed without knowledge of their underlying platform implementation
• SOA-based systems can therefore be independent of development technologies and platforms (such as Java, .NET etc.)

Now let us take a look at some technical & operational challenges facing a distributed system …

SAP NetWeaver

How to address the integration challenge ?

SAP NetWeaver
• SAP NetWeaver integrates various different technological concepts and previous platforms in a single solution
• It is an open technology platform which offers a comprehensive set of technologies that are natively integrated

NetWeaver – People Integration (Multi-Channel Access, Portal, Collaboration)
People Integration brings together the right functionality and the right information to the right people.

NetWeaver – People Integration – Portal – Sample View

NetWeaver – People Integration – Portal
• The portal is the Web front-end component for SAP NetWeaver
• It is a personalized, interactive gateway, providing employees, partners, suppliers and customers with a single point of access
• The key capabilities of the portal within SAP NetWeaver are as follows:
  • Heterogeneous information integration
  • Administrator & EUS
  • User management & Security support
  • Personalization
  • Ready-to-deploy business packages
  • Delegated administration

NetWeaver – People Integration – Multi-Channel Access
• With multi-channel access, you can connect to enterprise systems through voice, mobile, or radio-frequency technology
• Multi-channel access is delivered through Mobile Infrastructure
• The key elements of SAP NetWeaver's multi-channel access capabilities are SAP NetWeaver Mobile, SAP Auto-ID Infrastructure, SAP NetWeaver Voice, Message Interfaces (SMS, Fax, Email) and Web-based GUI

NetWeaver – People Integration – Multi-Channel Access
• NetWeaver Mobile comprises various technical architectures used for enabling end-to-end mobile business solutions targeting specific user roles and device platforms
• SAP Auto-ID Infrastructure connects RFID data directly from auto-ID data-capture sources, such as RFID readers, and integrates high-volume data directly into enterprise applications in real time
• SAP NetWeaver Voice makes business processes accessible by any telephone, any time. Users can interact with SAP backend systems using speech recognition or touch tones. It is currently not part of a standard SAP NetWeaver shipment.
• SAP NetWeaver provides standardized interfaces to link 3rd-party communication management applications with business applications. It enables the integration of fax, SMS or email.
• Web-based GUI enables end-users to gain access to their enterprise business via a browser or Java user interface

NetWeaver – People Integration – Collaboration
• The collaboration capabilities delivered with SAP NetWeaver are designed to enable individuals, teams, and interest groups to work together closely towards a common goal.
• The comprehensive set of collaboration tools and services allows users to share relevant information, communicate online in real time, plan with the help of a unified calendar, and provides a single point of access to documents and resources.

NetWeaver – Information Integration (Business Intelligence, Knowledge Management, Master Data Management)
Information Integration makes both structured and unstructured information available in the enterprise in a consistent and accessible manner.
• Users demand ubiquitous access to information wherever it resides. That information must be served in a consistent manner and its integrity guaranteed.

NetWeaver – Information Integration – Business Intelligence
Business Intelligence in NetWeaver is composed of the following parts:
• Data warehousing, which forms the application-neutral foundation for Business Intelligence. SAP BW supports the complete data warehousing process, from data integration, data transformation, consolidation and cleansing to data provision for analysis.
• A business intelligence platform that serves as the technological infrastructure to support information access and comprehensive analytics.
• A business intelligence suite that transforms data into insightful information and serves a wide variety of users for decision-making.

NetWeaver – Information Integration – Knowledge Management
• Knowledge Management (KM) is the umbrella term for the management of unstructured information – that is, all kinds of documents
• The Knowledge Management (KM) capabilities of SAP NetWeaver turn unstructured information into organizational knowledge – an essential function in this age of global e-business
• The business challenge is to transform unstructured information into organizational knowledge by structuring and classifying it in such a way that it becomes accessible and relevant to the enterprise's knowledge workers
• There is an urgent need to create a central point of access within the enterprise to manage information and translate it into knowledge for success

NetWeaver – Information Integration – Master Data Management
• Today, companies operating within heterogeneous IT landscapes are commonplace, and the demand for streamlining communication within such an environment is great.
• SAP Master Data Management (SAP MDM), a key capability of SAP NetWeaver, enables information integrity across the business network. It enables companies to store, augment, and consolidate master data, while ensuring consistent distribution to all applications and systems within the IT landscape.
• It leverages existing IT investments in business-critical data, delivering vastly reduced data maintenance costs through effective data management.
• By ensuring cross-system data consistency, SAP MDM accelerates the execution of business processes, greatly improves decision-making and helps companies maintain their competitive advantage.

NetWeaver – Process Integration (Integration Broker, Business Process Management)
• Process Integration enables business processes to run seamlessly across heterogeneous IT landscapes.
• Integration broker: This capability enables XML/SOAP-based communication between application components from various sources and vendors. It also enables you to define software components, interfaces, mappings, and content-based routing rules. This capability is delivered through SAP Exchange Infrastructure (XI).
• Business process management: With business process management, you can model and drive processes in a dynamic IT environment. It allows you to combine underlying applications into adaptive, end-to-end processes spanning the entire value chain.

NetWeaver – Process Integration – XI
SAP NetWeaver Exchange Infrastructure:
• Provides a technical infrastructure for XML-based message exchange in order to connect SAP components with each other, as well as with non-SAP components
• Delivers business-process and integration knowledge to the customer, in the form of SAP's predefined integration scenarios
• Provides an integrated toolset for building new integration scenarios by defining and maintaining all integration-relevant information ("shared collaboration knowledge")

NetWeaver – Process Integration – Business Process Management
BPM has three focuses to cater for:
• Collaboration Tasks, which is part of the Enterprise Portal Framework, to enable individuals to create light-weight ad hoc processes to optimize their day-to-day tasks and add transparency to what they are doing in relation to their colleagues. This is what delivers the people empowerment.
• SAP Business Workflow, embedded within the SAP Web Application Server, which is used to automate the business processes taking place within an SAP component and integrate the SAP users with the business processes. This is what delivers the workflow empowerment within the mySAP components.
• Cross-Component BPM, which is part of SAP Exchange Infrastructure, drives and controls complex business processes across business applications and enterprise boundaries. This delivers the total Business Process Empowerment in a heterogeneous system landscape.

NetWeaver – Application Platform (J2EE, ABAP, DB and OS Abstraction)
• The application platform of SAP NetWeaver is the SAP Web Application Server
• It provides a complete infrastructure to develop, deploy and run platform-independent, robust and scalable Web Services and business applications
• To allow this flexibility, different technologies have been established:
  • Java 2 Platform Enterprise Edition (J2EE)
  • ABAP
  • DB and OS Abstraction

NetWeaver – Application Platform – SAP WAS
• SAP Web Application Server (SAP Web AS) is the application platform of SAP NetWeaver, i.e. it provides the complete infrastructure to develop, deploy and run all SAP NetWeaver applications.
• The major key capability of SAP Web AS is the full support for both the proven ABAP technology and the innovative open-source, internet-driven technologies Java, Java 2 Enterprise Edition (J2EE) and Web Services.

NetWeaver – Application Platform – ABAP
• ABAP is the SAP® Web Application Server programming language for business applications
• It contains all characteristics of an object-oriented programming language and at the same time provides the benefits of a 4GL language: many functions that are located in libraries in other languages are contained as language elements, which makes it easier to check statistics and is beneficial for program performance.

NetWeaver – Application Platform – DB & OS Abstraction
• Using the SAP Web Application Server, you can develop applications regardless of the underlying OS. Using OpenSQL, you can develop applications that run immediately on a given set of databases. With Web Dynpro you can develop user interfaces that run on a given set of web browsers.
• SAP has its own DB platform offering. SAP DB is an enterprise open-source database designed for easy and simple administration and providing very low total cost of ownership.
• With MCOD (multiple components in one database), SAP provides the option to deploy several independent SAP components in one database without compromising flexibility.

NetWeaver – Application Platform – Composite Application Framework
Composite Application Framework (CAF)
• Composites aim at enabling efficient development of new applications that are easily adopted by customers, and allow flexibility in backend connectivity
• The key characteristics of composite applications are:
  • Loose coupling to backend systems
  • Reuse of existing assets
  • Adaptive user-centric process flow and user interfaces
• Among the main features that SAP CAF provides are:
  • Support for the three layers of a composite application (services, user interfaces, and processes)
  • Patterns and templates at all three levels to increase development efficiency and application homogeneity
  • Model-driven architecture
  • Model- and code-generation-based methods using tools that store models in a proprietary metamodel repository

Questions ?

Introduction to SAP Product Security

Objectives
• Why security & implications ?
• What types of security ?
• NetWeaver Security

Perfect Security ?
• There is no perfect security
• Needs to evolve with changing technologies & associated risks
• Risk of a security attack can be minimized

Why is Security necessary ?
• With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise.
• When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information.
• User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time.
• These demands on security apply likewise to the SAP NetWeaver platform.

What to protect ?
• There are various aspects to consider while considering the answer to the above
• In the SAP environment, we should be able to reduce the risk of a security attack in the entire NetWeaver stack
• Broadly, we are looking at reducing security risks to the following NetWeaver layers:
  • People Integration
  • Process Integration
  • Information Integration
  • Application Platform

People Integration – Security Risks ?
• People Integration brings together the right functionality and the right information to the right people. This module of the NetWeaver stack aims at providing a seamless user experience, boundless collaboration functionality, and pervasive access.
• The functionality of this module of the NetWeaver stack is further broken down into: Portal Infrastructure, Collaboration, Multi-Channel Access
• We will investigate the security aspects to be considered for the above subcomponents in forthcoming slides.

NetWeaver – Portal Security
• The SAP NetWeaver Portal offers users a single point of access to all applications, information, and services needed to accomplish their daily tasks. Links to back-end and legacy applications, self-service applications, company intranet services, and Internet services are all readily available in the user's portal. Because the borders between company intranets and the Internet are blurring, comprehensive security is vital to protect the company's business.
• Below are the aspects to consider while aiming to secure the enterprise portal:
  • User administration & Authentication
  • Authorizations
  • Network & Communication Security
  • Data Storage Security
  • Operating System Security

Portal Security – User Administration & Authentication
• This section covers:
  • User Management
  • Authentication
  • Integration Into Single Sign-On Environments

User Management
• The SAP NetWeaver Portal uses the User Management Engine (UME) for user management.
• The UME is integrated as a service of the Java AS.
• The UME can be configured to work with user management data from multiple data sources, for example, an LDAP directory, the database of the SAP NetWeaver Application Server (AS) Java, or an ABAP system.

User Management Engine (UME)
• What is the User Management Engine ?

User Management Engine (UME)
• The User Management Engine (UME) provides centralized user management for all Java applications. It can be configured to work with user management data from multiple data sources. It is seamlessly integrated in the SAP NetWeaver Application Server (AS) Java as its default user store and can be administrated using the administration tools of the AS Java.
• In the figure, user data is stored in one or more data sources. Each type of data source has its own persistence adapter. The persistence manager consults the persistence adapters when creating, writing, reading, and searching user management data. In the persistence manager, you configure which data is written to or read from which data source.
• The application programming interface (API) is a layer on top of the persistence manager, so that the applications using the API do not have to know any details about where user management data is stored.
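The persistence-manager layering described above, as an added example that is not SAP's code: applications use one API; a configuration table says which attribute lives in which data source; every data source has its own adapter, and a directory adapter refuses writes so the portal can never alter the corporate directory by mistake. The adapter classes, attribute names, data source names and user records are constructed for the example.

```python
"""Added example (not SAP's code): a miniature persistence manager in the
shape the slide describes. Data sources, attributes and values are constructed."""

from typing import Dict, List, Optional


class DictAdapter:
    """In-memory stand-in for a writable store such as the AS Java database."""

    def __init__(self, rows: Optional[Dict[str, Dict[str, str]]] = None):
        self.rows: Dict[str, Dict[str, str]] = rows or {}

    def read(self, user: str, attr: str) -> Optional[str]:
        return self.rows.get(user, {}).get(attr)

    def write(self, user: str, attr: str, value: str) -> None:
        self.rows.setdefault(user, {})[attr] = value

    def search(self, attr: str, value: str) -> List[str]:
        return sorted(u for u, attrs in self.rows.items() if attrs.get(attr) == value)


class ReadOnlyAdapter(DictAdapter):
    """Stand-in for a corporate LDAP directory: the UME may read it but must
    never modify it, so writes are refused at the adapter boundary."""

    def write(self, user: str, attr: str, value: str) -> None:
        raise PermissionError(f"attribute {attr!r} is read-only in this data source")


class PersistenceManager:
    """Routes each attribute to the adapter of its configured data source."""

    def __init__(self, adapters: Dict[str, DictAdapter], attr_map: Dict[str, str]):
        self.adapters = adapters
        self.attr_map = attr_map  # attribute name -> data source name

    def _adapter_for(self, attr: str) -> DictAdapter:
        source = self.attr_map.get(attr)
        if source is None or source not in self.adapters:
            raise KeyError(f"no data source configured for attribute {attr!r}")
        return self.adapters[source]

    def read(self, user: str, attr: str) -> Optional[str]:
        return self._adapter_for(attr).read(user, attr)

    def write(self, user: str, attr: str, value: str) -> None:
        self._adapter_for(attr).write(user, attr, value)

    def search(self, attr: str, value: str) -> List[str]:
        return self._adapter_for(attr).search(attr, value)


def build_demo() -> PersistenceManager:
    """Constructed landscape: identity attributes come from a read-only
    directory, portal-specific attributes live in the local database."""
    ldap = ReadOnlyAdapter({
        "alice": {"cn": "Alice Example", "mail": "alice@example.invalid"},
        "bob": {"cn": "Bob Example", "mail": "bob@example.invalid"},
    })
    db = DictAdapter()
    attr_map = {"cn": "ldap", "mail": "ldap", "portal_theme": "db", "locked": "db"}
    return PersistenceManager({"ldap": ldap, "db": db}, attr_map)


def write_is_refused(pm: PersistenceManager, user: str, attr: str, value: str) -> bool:
    """True if the configured data source rejects the write."""
    try:
        pm.write(user, attr, value)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    pm = build_demo()
    pm.write("alice", "portal_theme", "dark")          # routed to the database
    print(pm.read("alice", "mail"))                    # served from the directory
    print(pm.read("alice", "portal_theme"))            # dark
    print(write_is_refused(pm, "alice", "mail", "x"))  # True: directory is read-only
```

The application code above never names a data source; changing attr_map moves an attribute between stores without touching callers, which is the point of putting the API above the persistence manager.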

Portal Security – Authentication
• Authentication provides a way of verifying the user's identity before he or she is granted access to the portal.
• Several authentication mechanisms exist, some detailed below:
  • Basic authentication (User ID & Password)
  • Client Certificates
  • Single Sign-On
    • Single Sign-On with Logon Tickets
    • Single Sign-On with User ID & Password

Portal Security – Authentication – Basic Authentication
 Basic Authentication is an HTTP standard method for authentication, whereby the user provides a user ID and password.
 The SAP J2EE Engine uses Basic Authentication for applications that are set up to use basic or form authentication.
 When using basic authentication, the user's credentials are passed to the server in the HTTP Authorization header as a base-64 encoded string ("user:password"). Base-64 is an encoding, not encryption: anyone who can read the connection can recover the password.
 When using form-based authentication, the credentials are passed as parameters of the logon form request (and, if the form uses GET, they also appear in the URL and in server logs); they are just as readable on the wire.
 Since neither method protects the credentials by itself, the use of SSL is recommended, so that the HTTP request is carried over HTTPS.
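The following added example (not code from the original slides or from SAP) shows both sides of the point above: an attacker who captured a plain-HTTP request recovers the password from the Basic header with one base-64 decode, and a server that must verify such credentials does so against a salted hash with a constant-time comparison rather than by storing or comparing clear-text passwords. The request, the user "jdoe" and the password are constructed for the example; the hashed store is a generic illustration, not the portal's UME.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: what a sniffer on the wire (or a proxy log) sees when a
# browser sends Basic credentials over plain HTTP. User and password are invented.
CAPTURED_REQUEST = (
    "GET /irj/portal HTTP/1.1\r\n"
    "Host: portal.example.com\r\n"
    "Authorization: Basic amRvZTpXaW50ZXIyMDA0IQ==\r\n"
    "\r\n"
)


def parse_basic_credentials(raw_request: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from the Authorization header of a raw HTTP request.

    Base-64 is an encoding, not encryption: anyone who can read the connection
    can reverse it. Returns None if there is no well-formed Basic header.
    """
    head, _, _ = raw_request.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")  # first ':' separates user from password
        return (user, password) if sep else None
    return None


# Server side: never store or compare the clear-text password. This is a generic
# salted-hash store for illustration, not the portal's own user store.
def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


USER_STORE = {"jdoe": make_record("Winter2004!")}   # constructed user


def authenticate(raw_request: str) -> int:
    """Return the HTTP status a server should answer with: 200 or 401."""
    creds = parse_basic_credentials(raw_request)
    if creds is None:
        return 401
    user, password = creds
    record = USER_STORE.get(user)
    if record is None:
        return 401
    salt, expected = record
    _, presented = make_record(password, salt)
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return 200 if hmac.compare_digest(presented, expected) else 401


if __name__ == "__main__":
    print("recovered from the wire:", parse_basic_credentials(CAPTURED_REQUEST))
    print("server verdict:", authenticate(CAPTURED_REQUEST))
```

The decode step is the whole attack; it is why the slide's advice to put the connection under SSL is not optional for Basic or form logon.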

Portal Security – Authentication – Client Certificates
 In addition to using SSL for encrypting connections, you can use SSL and X.509 client certificates for authenticating client or user access requests to the J2EE Engine.
 When using client certificates, authentication takes place transparently for the user with the underlying SSL security protocol. Therefore, you can use authentication with client certificates to integrate the J2EE Engine in a Single Sign-On environment.
 Users need to receive their client certificates from a Certification Authority (CA) as part of a public-key infrastructure (PKI). If you do not have an established PKI, then you can use a Trust Center Service to obtain certificates.
 The J2EE Engine must trust the CA that issued the certificates and must map each certificate to a user in the UME; a certificate from an untrusted or unmapped issuer must not log anyone on.

Portal Security – Authentication – Single Sign-On (SSO)
 SSO is a key feature of the SAP NetWeaver Portal that eases user interaction with the many component systems available to the user in a portal environment.
 With SSO in the portal, the user can access different systems and applications without having to repeatedly enter his or her user information for authentication. Once the user is authenticated to the portal, he or she can use the portal to access external applications.
 The portal SSO mechanism is available in the following variants depending on security requirements and the supported external applications:
- SSO with logon tickets
- SSO with user ID and password
 Both variants eliminate the need for repeated logons to individual applications after the initial authentication at the portal. Whereas SSO with logon tickets is based on a secure ticketing mechanism, SSO with user ID and password forwards the user's logon data (user ID and password) to the systems that a user wants to call.

Portal Security – Authentication – Single Sign-On (SSO) with Logon Tickets
 Logon tickets represent the user credentials. The portal server issues a logon ticket to a user after successful initial authentication.
 The logon ticket itself is stored as a cookie on the client and is sent with each request of that client.
 It can then be used by external applications such as SAP systems to authenticate the portal user to those external applications without any further user logons being required.
 Logon tickets contain information about the authenticated user. They do not contain any passwords. Specifically, logon tickets contain the following items:
- Portal user ID and one mapped user ID for external applications
- Authentication scheme
- Validity period
- Information identifying the issuing system
- Digital signature
 When using logon tickets, one system must be the ticket-issuing system. This can either be the portal or another system. An accepting system checks the digital signature against the issuing system's public-key certificate, so it must be configured to trust that system. Because the ticket is a bearer cookie, it should only travel over SSL.
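As an added example (not code from the slides, and not SAP's ticket implementation), the block below builds a ticket with exactly the items listed above, stores nothing but those claims, and shows what an accepting system must check before trusting it: that the issuer is one it trusts, that the signature covers the claims, and that the validity period has not passed. A real SAP logon ticket is signed with the issuing system's private key and verified with its certificate; the HMAC with a key shared by issuer and verifier is an assumption made so the example runs without a PKI, as are the key, the issuer name "EP1" and the user names.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed key material. An HMAC stands in for the digital signature so the
# example needs no PKI; the structure and the verification steps are the point.
ISSUER_KEYS = {"EP1": b"ep1-signing-key-constructed"}
TRUSTED_ISSUERS = {"EP1"}          # the accepting system's list of ticket issuers


def _signature(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_ticket(portal_user: str, mapped_user: str, issuer: str,
                 lifetime_s: int = 8 * 3600, now: Optional[int] = None) -> str:
    """Build the cookie value the ticket-issuing system sets after a successful logon."""
    now = int(time.time()) if now is None else now
    body = {
        "user": portal_user,                 # portal user ID
        "mapped": mapped_user,               # one mapped user ID for external applications
        "scheme": "basicauthentication",     # authentication scheme used at the portal
        "nbf": now,                          # validity period: start ...
        "exp": now + lifetime_s,             # ... and end
        "issuer": issuer,                    # identifies the ticket-issuing system
    }
    payload = json.dumps(body, sort_keys=True).encode()
    sig = _signature(payload, ISSUER_KEYS[issuer])
    return base64.urlsafe_b64encode(payload + b"." + sig.encode()).decode()


def verify_ticket(cookie: str, now: Optional[int] = None) -> Optional[Dict[str, Any]]:
    """What an accepting system does with the cookie. Returns the claims, or None."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = base64.urlsafe_b64decode(cookie).rsplit(b".", 1)
        body = json.loads(payload)
        issuer = body["issuer"]
        if issuer not in TRUSTED_ISSUERS or issuer not in ISSUER_KEYS:
            return None                      # unknown or untrusted issuing system
        if not hmac.compare_digest(sig.decode(), _signature(payload, ISSUER_KEYS[issuer])):
            return None                      # claims were altered or not signed by the issuer
        if not (int(body["nbf"]) <= now < int(body["exp"])):
            return None                      # outside the validity period
    except (ValueError, KeyError, TypeError, binascii.Error):
        return None                          # malformed cookie
    return body


def tamper(cookie: str, **changes: Any) -> str:
    """Attacker's view: rewrite claims but keep the original signature."""
    payload, sig = base64.urlsafe_b64decode(cookie).rsplit(b".", 1)
    body = json.loads(payload)
    body.update(changes)
    return base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode() + b"." + sig).decode()


if __name__ == "__main__":
    t0 = int(time.time())
    cookie = issue_ticket("jdoe", "JDOE", "EP1", now=t0)
    print("valid:", verify_ticket(cookie, now=t0 + 60))
    print("forged user:", verify_ticket(tamper(cookie, user="admin", mapped="ADMIN"), now=t0 + 60))
    print("expired:", verify_ticket(cookie, now=t0 + 9 * 3600))
```

The mapped user ID in the returned claims is what the external system logs the user on as; it never sees a password, which is the property the slide describes.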

Portal Security – Authentication – Single Sign-On with User ID & Password
 The Single Sign-On (SSO) mechanism with user name and password provides an alternative for applications that cannot accept and verify logon tickets.
 With this SSO mechanism the portal server uses user mapping information provided by users or administrators to give the portal user access to external systems.
 The portal components connect to the external system with the mapped user's credentials.
 Since the system sends the user's logon ID and password across the network, use a secure protocol such as Secure Sockets Layer (SSL) for sending data. The mapped passwords also have to be kept by the portal, so the user mapping store itself needs the same protection.

Portal Security – Authorization
 Authorizations define which objects users can access and which actions they can perform. The portal has an authorization concept that is implemented using the following concepts:
- Permissions
- Security zones
- UME actions
- AuthRequirement property
 Portal permissions define portal user access rights to portal objects in the PCD and are based on access control list (ACL) methodology.
 Security zones control which portal components and portal services users can launch and are defined in the development phase.
 UME actions are the User Management Engine (UME) equivalent of portal permissions. The UME verifies that users have the appropriate UME actions assigned to them before granting them access to UME iViews and functions.
 AuthRequirement property: a master iView property used in EP 5.0 that defines which users are authorized to access a master iView or Java iViews derived from a master iView.

Portal Security – Authorization – Portal Roles
 In the SAP NetWeaver Portal, roles are only indirectly linked to authorization.
 Portal roles group together the portal content required by users with a certain role in the company. In addition, the role structure defines the navigation structure that a user sees in the portal.
 Users and groups assigned to a role inherit the permissions of the role. By default this is the end user permission.

Portal Security – Network & Communication Security
 The portal is dependent on the NetWeaver Application Server for Java for network communication.
 SAP systems are implemented as client-server frameworks built in three levels: the database server level, the application server level and the presentation level (front ends).
 The servers are the most vulnerable part of the network infrastructure and special care should be taken to protect them from unauthorized access.

Collaboration Security
 SAP Collaboration allows access to company-internal personal data, information, and documents that may not be equally accessible to all portal users. Settings for data security prevent unauthorized access and data manipulation.
 Collaboration uses the user management and user authentication mechanisms in the SAP NetWeaver platform, in particular those in the SAP Web Application Server (Java). Therefore, the security recommendations and guidelines for user management and authentication apply as described in the SAP Web Application Server security guide.
 Collaboration uses the permissions concept provided by the SAP Web Application Server (Java). This permissions concept is based on roles that are valid throughout the portal and are assigned to the users. Therefore, the security recommendations and guidelines for permissions apply as described in the SAP Web Application Server (Java) security guide.

Multi-Channel Access Security
 With multi-channel access, you can connect to enterprise systems through voice, mobile, or radio-frequency technology.
 Multi-channel access is delivered through Mobile Infrastructure.
 The mobile device is threatened by the following potential dangers:
- Loss of the device
- Theft
- Unauthorized use by an unauthorized person
- Data manipulation in the file system
 Authentication & authorization procedures are discussed in the next few slides.

Mobile Infrastructure – Authentication
 The user management of the SAP MI Client Component manages user IDs and local logon passwords. The local logon password is used for local user authentication. It is stored in coded form on the mobile device, and not in plain text. The number of possible failed attempts can be restricted.
 A second password, called the synchronization password, is used for synchronization with the SAP MI Server Component (SAP NetWeaver AS).
 You can change the passwords on the client side at any time. The data can, however, only be synchronized successfully if the user ID and synchronization password for the client have counterparts on the server. Users can change both passwords with the SAP MI Client Component.
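The added example below (written for this page; it is not the SAP MI Client Component's code) models the two-password scheme just described: a local logon password that is never stored in clear text and locks the client after a configurable number of failed attempts, and a synchronization password that can be changed on the client at any time but only lets synchronization succeed while the server still holds a matching counterpart. PBKDF2 as the "coded form", the lockout threshold of three, the class names, the user ID "MOB01" and both passwords are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

ITERATIONS = 50_000   # PBKDF2 work factor, chosen for the example

Record = Tuple[bytes, bytes]   # (salt, derived key)


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _record(password: str) -> Record:
    salt = os.urandom(16)
    return salt, _derive(password, salt)


def _matches(record: Record, password: str) -> bool:
    salt, digest = record
    return hmac.compare_digest(_derive(password, salt), digest)


class SyncServer:
    """Server-side counterpart: user ID -> coded synchronization password (constructed)."""

    def __init__(self) -> None:
        self.users: Dict[str, Record] = {}

    def set_sync_password(self, user_id: str, password: str) -> None:
        self.users[user_id] = _record(password)

    def authenticate_sync(self, user_id: str, password: str) -> bool:
        rec = self.users.get(user_id)
        return rec is not None and _matches(rec, password)


class MobileClient:
    """Local user management of a single-user mobile client: both passwords stored coded."""

    def __init__(self, user_id: str, local_password: str, sync_password: str,
                 max_failures: int = 3) -> None:
        self.user_id = user_id
        self._local = _record(local_password)
        self._sync = _record(sync_password)
        self.max_failures = max_failures
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def local_logon(self, password: str) -> bool:
        """Local authentication; counts failures and refuses once the limit is reached."""
        if self.locked:
            return False
        if _matches(self._local, password):
            self.failures = 0
            return True
        self.failures += 1
        return False

    def change_local_password(self, old: str, new: str) -> bool:
        if not _matches(self._local, old):
            return False
        self._local = _record(new)
        return True

    def change_sync_password(self, old: str, new: str) -> bool:
        """Client-side change only; the server copy is untouched, so sync fails until both match."""
        if not _matches(self._sync, old):
            return False
        self._sync = _record(new)
        return True

    def synchronize(self, server: SyncServer, sync_password: str) -> bool:
        """Sync succeeds only if the ID/password pair has a counterpart on the server."""
        if not _matches(self._sync, sync_password):
            return False
        return server.authenticate_sync(self.user_id, sync_password)
```

On a lost or stolen device the lockout is what limits offline guessing against the local password; the salted, iterated derivation is what makes the stored "coded form" expensive to reverse if the file system is copied.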

Mobile Infrastructure – Authentication – Authentication Using System Logon (Bypassing Local SAP MI Logon)
 For mobile devices with only one user you can configure the device in such a way that the user does not have to log on with the local logon password. The start page of the SAP MI Client Component appears immediately as soon as the mobile device is started.
 Where this is the case, the user must be able to identify him- or herself on the operating system.
 When the user synchronizes with the SAP MI Server Component he or she still has to use the synchronization password.
 You cannot use this bypass option in conjunction with the handling option "local" for the synchronization password. This results in a configuration conflict.
 The authentication on the operating system is not technically linked to the SAP MI Client Component. It is a conceptual, organizational prerequisite for working with the SAP MI Client Component.

Mobile Infrastructure – Authentication – Authentication with Single Sign-On
 You can configure the SAP MI Client Component to support single sign-on (SSO) if the device is available with an online connection.
 The SSO technology is based on SAP logon tickets.
 The mobile device receives the SAP logon ticket from a system that issues tickets, such as SAP Enterprise Portal.
 The mobile device can then be verified at the SAP MI Server Component with the SAP logon ticket without the user having to enter an additional password.

Mobile Infrastructure – Authorization
 The security recommendations and guidelines for authorizations described in the SAP NetWeaver Application Server Security Guide therefore also apply to SAP MI.
 The authorization concept of the SAP NetWeaver AS is based on the assignment of authorizations to users on the basis of roles. Use the profile generator (transaction PFCG) for role maintenance on SAP NetWeaver AS ABAP and the user administration console of the User Management Engine on SAP NetWeaver AS Java.
 Access to data and applications on the SAP MI Client Component is controlled by user-specific data filtering based on the SAP authorization concept.

Mobile Infrastructure – Securing the Communication Channel
 There are 2 communication paths to secure:
- From the SAP MI Client Component to the SAP NetWeaver AS ABAP and vice versa
   Protocols include HTTP and SSL/HTTPS
   Data transferred includes application data, control data for SAP Mobile Infrastructure and the synchronization password
   Data requiring particular protection includes the synchronization password, as it is copied from the mobile device to the SAP NetWeaver AS ABAP with each HTTP request
   Use of SSL or HTTPS is recommended
- From SAP NetWeaver AS ABAP to the back-end system and vice versa
   Protocols include RFC (protect it with Secure Network Communications (SNC) where the back end sits in a different trust zone)
   Data type includes application data

Information Integration – Security Risks?
 Information Integration makes both structured and unstructured information available in the enterprise in a consistent and accessible manner.
 Users demand ubiquitous access to information wherever it resides. That information must be served in a consistent manner and its integrity guaranteed.
 Security risks revolve around ensuring the integrity of data.

Business Information Warehouse Security – Why Is Security Necessary?
 SAP NetWeaver BI serves to integrate, transform, and consolidate data from all areas of an enterprise in order to provide this for analysis, interpretation and distribution. Decisions are made in all enterprise areas and target-oriented actions are determined on the basis of this data.
 This includes confidential corporate data, for example, personal data from Personnel Administration. For this reason, security when accessing data and the ability to guarantee data integrity are of great importance.
 The following examples show the dangers to which BI can be exposed:
- Attacks from the Internet or Intranet when using BEx Web functionality and Web Services
- Infringement of data protection guidelines through unauthorized access to personal data

BI Security – Authentication
 The authentication process enables the identity of a user to be checked before this user gains access to BI or BI data. SAP NetWeaver supports various authentication mechanisms.
 Some of the authentication mechanisms include:
- Single Sign-On (SSO)
- Client certificates
- SAP logon tickets
 Single sign-on implies that once a user is authenticated with a user name & password, the user then has access to other SAP systems that are in the landscape.
 As an alternative to user authentication using a user ID and password, users using Internet applications via the Internet Transaction Server (ITS) can also provide X.509 client certificates. In this case, user authentication is performed on the Web server using the Secure Sockets Layer protocol (SSL) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.
 BI supports SAP logon tickets. To make Single Sign-On available for several systems, the SAP system can issue an SAP logon ticket to users after they have logged on. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.

BI Security – Authorization
 An authorization allows a user to perform a certain activity on a certain object in the BI system. There are two different concepts for this depending on the role and tasks of the user:
 Standard authorizations
- These authorizations are required by all users that are working in the Data Warehousing Workbench to model or load data, and also by users that work in the planning workbench or the Analysis Process Designer and those that work with the Reporting Agent or the BEx Broadcaster or define queries.
 Analysis authorizations
- All users that want to display transaction data from authorization-relevant characteristics in a query require analysis authorizations for these characteristics.
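To make the analysis-authorization rule concrete, here is an added example (not from the slides or from SAP BI) of a query engine over a few constructed InfoProvider rows. The authorization check runs before the query executes and compares what the query asks for on each authorization-relevant characteristic with the user's analysis authorizations; a query that asks for more than it is authorized for is refused rather than silently filtered. The characteristics 0COMP_CODE and 0COSTCENTER, the rows, the users and their authorizations are invented, and the meaning of the "*" (all values) and ":" (aggregated access only) entries is a simplification assumed for the example.

```python
from typing import Dict, Optional, Set, Tuple

# Characteristics flagged as authorization-relevant (constructed landscape).
AUTH_RELEVANT = {"0COMP_CODE", "0COSTCENTER"}

# Constructed transaction data: a few InfoProvider rows with one key figure.
FACTS = [
    {"0COMP_CODE": "1000", "0COSTCENTER": "CC10", "0AMOUNT": 120.0},
    {"0COMP_CODE": "1000", "0COSTCENTER": "CC20", "0AMOUNT": 80.0},
    {"0COMP_CODE": "2000", "0COSTCENTER": "CC30", "0AMOUNT": 300.0},
]

# Analysis authorizations per user: characteristic -> permitted values.
# "*" stands for all values, ":" for aggregated access only (the total is allowed,
# a breakdown by that characteristic is not). Users and values are invented.
ANALYSIS_AUTHS: Dict[str, Dict[str, Set[str]]] = {
    "controller_1000": {"0COMP_CODE": {"1000"}, "0COSTCENTER": {"*"}},
    "board":           {"0COMP_CODE": {"*"}, "0COSTCENTER": {":"}},
    "intern":          {"0COMP_CODE": {"1000"}},      # nothing on 0COSTCENTER
}

Selection = Dict[str, Set[str]]   # characteristic -> requested values (absent = all)


class AuthorizationError(Exception):
    pass


def check_query(user: str, selection: Selection, drilldown: Set[str]) -> None:
    """Authorization check performed before the query runs.

    Raises AuthorizationError if, on any authorization-relevant characteristic,
    the query asks for values the user's analysis authorizations do not cover.
    """
    auths = ANALYSIS_AUTHS.get(user, {})
    for char in sorted(AUTH_RELEVANT):
        allowed = auths.get(char, set())
        if "*" in allowed:
            continue
        requested: Optional[Set[str]] = selection.get(char)
        if requested is None:
            # Query spans all values: acceptable only if the user may see the
            # total and the characteristic is not broken down in the result.
            if ":" in allowed and char not in drilldown:
                continue
            raise AuthorizationError(f"{user}: no authorization for all values of {char}")
        if not requested <= allowed:
            missing = sorted(requested - allowed)
            raise AuthorizationError(f"{user}: values {missing} not authorized for {char}")


def query_allowed(user: str, selection: Selection, drilldown: Set[str]) -> bool:
    try:
        check_query(user, selection, drilldown)
    except AuthorizationError:
        return False
    return True


def run_query(user: str, selection: Selection, drilldown: Set[str]) -> Dict[Tuple[str, ...], float]:
    """Filter by the selection and aggregate 0AMOUNT by the drill-down characteristics."""
    check_query(user, selection, drilldown)
    keys = sorted(drilldown)
    result: Dict[Tuple[str, ...], float] = {}
    for row in FACTS:
        if all(row[c] in values for c, values in selection.items()):
            key = tuple(row[c] for c in keys)
            result[key] = result.get(key, 0.0) + row["0AMOUNT"]
    return result


if __name__ == "__main__":
    print(run_query("controller_1000", {"0COMP_CODE": {"1000"}}, {"0COSTCENTER"}))
    print(query_allowed("intern", {"0COMP_CODE": {"1000"}}, set()))   # no 0COSTCENTER authorization
```

The "intern" case is the one the slide's sentence is about: a user with no analysis authorization on an authorization-relevant characteristic cannot display transaction data at all, even with a perfectly valid authorization on the other characteristic.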

Knowledge Management (KM) Security
 The KM security aspects deal with preventing illegal access to documents and settings and preventing them from being manipulated illegally.
 Security in KM is achieved by implementing one or more of the following measures:
- Roles
- ACLs
- Security zones
 Roles are of 3 types:
- Content Manager – allows users to structure & manage content
- System Administrator – allows users to perform KM administration
- Content Administrator – allows users to perform KM-specific content administration

Knowledge Management (KM) Security
 Restricting access permissions only by using the role concept or worksets is not sufficient. The use of ACLs is recommended.
- Access permissions on the root nodes of security-relevant repositories should be restricted immediately after the installation or after configuring new repository managers, in order to prevent documents from being read illegally by users hacking or guessing document URLs. Sub-folders inherit the ACL of their parent unless they carry their own, so change the ACLs for subordinate folders if different permissions apply to them.
 Security zones
- Security zones restrict unauthorized direct access to KM content.
- For initial KM content, the required permissions in the security zones are already assigned during installation of SAP NetWeaver.
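The ACL mechanics behind this slide and behind the portal permissions slide earlier (permissions on objects, inherited by users through the roles and groups assigned to them) are shown in the following added example, which is illustrative code written for this page and not KM's or the portal's implementation. It resolves the effective ACL of a document by walking up the folder tree to the nearest node with its own ACL, which is exactly why an unrestricted repository root leaks every document below it to anyone who guesses a URL, and it includes the small audit one would run after installation to find such roots. Repository paths, principals, the "everyone" pseudo-principal and the permission names are assumptions.

```python
import posixpath
from typing import Dict, List, Set

Acl = Dict[str, Set[str]]          # principal -> permissions granted on a node

# Constructed principals. Users get permissions directly, via groups, or via roles.
MEMBERSHIPS: Dict[str, Set[str]] = {
    "jdoe":    {"group:employees"},
    "hr.lead": {"group:employees", "group:hr"},
    "kmadmin": {"role:system_administrator"},
}
ADMIN = {"read", "write", "full_control"}

# State as a repository might be left right after installation (constructed):
# the root is readable by everyone and nothing below it has its own ACL.
INITIAL_ACLS: Dict[str, Acl] = {
    "/documents": {"everyone": {"read"}, "role:system_administrator": ADMIN},
}

# Hardened state: root restricted, sub-folders given explicit ACLs where they differ.
HARDENED_ACLS: Dict[str, Acl] = {
    "/documents":        {"role:system_administrator": ADMIN},
    "/documents/public": {"group:employees": {"read"}, "role:system_administrator": ADMIN},
    "/documents/hr":     {"group:hr": {"read", "write"}, "role:system_administrator": ADMIN},
}


def effective_acl(acls: Dict[str, Acl], path: str) -> Acl:
    """Nearest explicit ACL on the node or one of its ancestors; sub-folders inherit."""
    node = posixpath.normpath("/" + path.lstrip("/"))   # also collapses "../" in guessed URLs
    while True:
        if node in acls:
            return acls[node]
        if node == "/":
            return {}                                    # no ACL anywhere: deny by default
        node = posixpath.dirname(node)


def principals_of(user: str) -> Set[str]:
    """The user, the 'everyone' pseudo-principal, and all assigned groups and roles."""
    return {user, "everyone"} | MEMBERSHIPS.get(user, set())


def is_permitted(acls: Dict[str, Acl], user: str, path: str, permission: str) -> bool:
    acl = effective_acl(acls, path)
    return any(permission in acl.get(p, set()) for p in principals_of(user))


def open_roots(acls: Dict[str, Acl]) -> List[str]:
    """Audit helper: nodes on which 'everyone' holds any permission at all."""
    return sorted(node for node, acl in acls.items() if acl.get("everyone"))


if __name__ == "__main__":
    doc = "/documents/hr/salaries.xls"
    print("after install, jdoe can read HR file:", is_permitted(INITIAL_ACLS, "jdoe", doc, "read"))
    print("after hardening, jdoe can read HR file:", is_permitted(HARDENED_ACLS, "jdoe", doc, "read"))
    print("open roots to fix:", open_roots(INITIAL_ACLS))
```

Note that roles in this model are just principals carrying permissions, which matches the portal slide's statement that users and groups assigned to a role inherit the role's permissions, and that a role by itself authorizes nothing until some ACL names it.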

KM Security – Communication Channel Security
 Various channels of communication and technologies are used between the components and data sources in Knowledge Management.
 The following technologies are used for communication:
- HTTP/HTTPS
- WebDAV
- ICE
- JDBC on OpenSQL
- Operating-system-dependent and database-specific technologies

Process Integration – Security Risks? Why Is Security Necessary?
 As the central infrastructure for exchanging business documents, PI has to make sure that the involved processes can be executed in a secure manner.
 XML messages may contain confidential business data. In order to protect them against eavesdropping and unauthorized access, the communication lines as well as the storage locations of XML messages need to be made secure. Particular security requirements have to be considered if business partners communicate over the Internet.
 In addition to the business data exchanged using PI, the various components of PI need to communicate with each other on a technical level in order to keep the infrastructure running. Security requirements apply to these technical communications as well, because confidential information such as user names and passwords may have to be sent or stored, or both.

PI Security – Communication
 The components of a process integration (PI) landscape communicate with each other for different purposes such as configuration, administration, monitoring, or the actual messaging.
 The primary purpose of a PI landscape is to enable business partners and applications to exchange XML messages (business documents). This includes business communication between business systems, Integration Servers or Adapter Engines.
 In addition to proper messaging, technical communication between various PI tools and runtime components is required.
 Two different technical protocols are used for these communications: HTTP and RFC.

PI Security – Authentication
 Session-based single sign-on is supported for the dialog users of the PI tools.
 A dialog user has to log on only once for all PI tools, provided that the same browser session is used for each tool access and that the tools are started from the same SAP NetWeaver Application Server Java.
 Single sign-on is also supported by the Runtime Workbench where access to other PI components is required (for example, for component monitoring).

PI Security – Message-Level Security
 Message-level security allows you to digitally sign or encrypt documents exchanged between systems or business partners. It improves communication-level security by adding security features that are particularly important for inter-enterprise communication. Message-level security is recommended, and sometimes a prerequisite, for inter-enterprise communication.
 Certificate store: message-level security processing is generally done in SAP NetWeaver Application Server Java (AS Java). If the Integration Server executes security processing, a Web service is called in the J2EE Engine. Therefore, the certificates as well as the certification authority (CA) certificates to be used must be entered into the keystore of the J2EE Engine that executes the security handling at runtime.
 Archiving secured messages: for non-repudiation purposes, signed messages are stored in a dedicated archive, the non-repudiation archive. It contains the data needed to prove the validity of the signature later. The following data is stored:
- The raw message
- The security policy as configured in the Integration Directory
- The sender certificate

Questions?
