
Administrator's Guide for SAP for Public Sector

Document version: 1.2 – 2016-04-05

SAP Multichannel Foundation for Utilities and Public Sector

CUSTOMER

Document History

Caution: Before you start the implementation, make sure you have the latest version of this document. You can find the latest version at the following location: service.sap.com/publicsector.

The following table provides an overview of the most important document changes:

Table 1

Version   Date         Description
1.2       2016-04-05   SAP Multichannel Foundation for Utilities and Public Sector 1.0 SP6

CUSTOMER © Copyright 2016 SAP SE or an SAP affiliate company. All rights reserved.

Content

1 Getting Started
2 Installation
3 Configuration
4 Application Operations
5 Security


1 Getting Started

This document is a single source of information for the implementation of SAP Multichannel Foundation for Utilities and Public Sector. It contains implementation information, security information, and operation information only for SAP for Public Sector. The document for utilities is on the SAP Service Marketplace under SAP for Utilities.

Related Information

For more information about implementation topics not covered in this guide, see the following content:

Table 2

Content                                                     Location
Installation and upgrade guides                             service.sap.com/instguides
Released platforms and technology-related topics            service.sap.com/platforms
Platform availability matrix                                service.sap.com/pam
Network security                                            service.sap.com/securityguide
High availability                                           sdn.sap.com/irj/sdn/ha
Performance                                                 service.sap.com/performance
Support package stacks, latest software versions, patches   service.sap.com/sp-stacks
Unicode technology                                          sdn.sap.com/irj/sdn/i18n
SAP Notes                                                   service.sap.com/notes
SAP Software Distribution Center                            service.sap.com/swdc
SAP Online Knowledge Products                               service.sap.com/rkt

Related Guides

For more information about relevant applications, see the following content:

Table 3

Title                                              Location
SAP NetWeaver 7.0 Master Guide                     service.sap.com/installNW70
SAP NetWeaver Technical Operations Guide           help.sap.com/nw74 > System Administration and Maintenance Information
SAP NetWeaver Gateway Security Guide               help.sap.com/nwgateway > Security Information
SAP NetWeaver Gateway Technical Operations Guide   help.sap.com/nwgateway > System Administration and Maintenance Information


SAP Notes

You must read and implement the following SAP Notes before you start the installation. These SAP Notes contain the most recent information and are prerequisites for installing SAP Multichannel Foundation for Utilities and Public Sector.

You can find the most current versions of the SAP Notes at service.sap.com/notes.

Table 4

Number      Title
1942072     SAP NetWeaver Gateway 2.0 Support Package Stack
1964240 *   User Self Service: Check Password Security Policy Fixes
1988794 *   User Self Service Enhancement: Resetting Password Using Email ID of the User
2000713 *   User Self Service: User is Unable to Change the Password
2004762 *   User Self Service: Reset Credentials with Autogenerated Password
2025549 *   User Self Service: Improving the Error Message Shown to End User
2028105 *   User Self Service: Short Dump While Checking Password
2287733     Collective Fixes for Both Backend and UI for Multichannel Utilities for Public Sector SP06

Note: * These SAP Notes are required if you have installed IW_BEP SP08 or the corresponding SAP_GWFND support package.

Recommendation: We recommend that you implement the following SAP Notes:

Table 5

Number      Title
1509851     ICF Logoff Service with Redirect URL
853878      HTTP WhiteList Check (security)


2 Installation

SAP ERP Server

1. You need to install SAP Public Sector Collection and Disbursement (PSCD)/Tax and Revenue Management (TRM) based on SAP ERP 6.0 EHP5 or higher.

2. Install IW_BEP SP11. If you are installing on SAP NetWeaver 7.4, you need to install SAP_GWFND 740 SP12 instead of IW_BEP.

Note: For more information on the compatibility of the various SAP Gateway components, see SAP Note 1942072.

3. Install add-on UMCERP01.

SAP Gateway Server

1. For SAP NetWeaver versions prior to SAP NetWeaver 7.40, you need to install GW_CORE SP04 and IW_FND SP04. If you are installing on SAP NetWeaver 7.4, you need to install SAP_GWFND SP06.

Note: For more information on the compatibility of the various SAP Gateway components, see SAP Note 1942072.

2. For SAPUI5 add-ons, install UISAPUI5 SP13 or higher and UI_INFRA SP08 or higher.

Note: UISAPUI5 and UI_INFRA can be delivered with the SAP_UI add-on. In this scenario, SAP_UI SP13 or higher must be installed. If you installed SAP_UI 740 or higher, UISAPUI5 and UI_INFRA do not need to be installed as they are already included.

3. Install UMCUI501 add-on.

Optional UI5 components include UI5_731 SP05 for team provider and other UI5 components depending on your UI approach.

Hardware Sizing

An SAP Gateway sizing guide is available on the SAP Service Marketplace at service.sap.com/sizing. You can refer to the SAP ERP sizing guide, too. You can use the Quick Sizer tool to calculate hardware for the system landscape.


3 Configuration

To configure your SAP PSCD/TRM system as a standalone system, you need to maintain roles, users, and activations in the system.

SAP NetWeaver System Settings

To ensure that online users are authenticated correctly, you need to set the correct AS profile parameters related to HTTP security session management on AS ABAP. You use the sessions transaction.

Sample values for HTTP session parameters are as follows:

● login/create_sso2_ticket=2
● login/accept_sso2_ticket=1
● login/ticketcache_off=0
● login/ticket_only_by_https=1
● icf/user_recheck=1

Note: These parameters may differ according to your session security configuration.
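As an added check that is not part of the SAP guide, the following Python script parses an AS ABAP instance profile in its "name = value" form and reports every HTTP session parameter that deviates from the sample values listed above. The profile excerpt is constructed for the example, with login/ticket_only_by_https deliberately set to 0 so that the check has something to report; the parameter names are the ones listed above, and treating the last occurrence of a repeated parameter as the effective one is an assumption of the script, not a documented rule.

```python
import re

# Sample values from the guide; the only parameters this check knows about.
EXPECTED_SESSION_PARAMS = {
    "login/create_sso2_ticket": "2",
    "login/accept_sso2_ticket": "1",
    "login/ticketcache_off": "0",
    "login/ticket_only_by_https": "1",
    "icf/user_recheck": "1",
}

# Constructed instance-profile excerpt for this example. Real profiles use the
# same 'name = value' lines with '#' comments; one value is wrong on purpose.
SAMPLE_PROFILE = """\
# Instance profile excerpt (constructed for this example)
SAPSYSTEMNAME = GWH
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
login/ticketcache_off = 0
login/ticket_only_by_https = 0
icf/user_recheck = 1
"""

_PARAM_LINE = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value} for every 'name = value' line.

    Blank lines and '#' comments are skipped. If a parameter appears more than
    once, the last occurrence wins (an assumption made for this example).
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _PARAM_LINE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def check_session_parameters(profile_text, expected=EXPECTED_SESSION_PARAMS):
    """Compare the profile against the expected values.

    Returns a list of (parameter, actual, expected) tuples. 'actual' is None
    when the parameter is not set in the profile at all; the kernel default
    then applies and the effective value has to be confirmed in the system.
    """
    actual = parse_profile(profile_text)
    findings = []
    for name, want in expected.items():
        got = actual.get(name)
        if got != want:
            findings.append((name, got, want))
    return findings


if __name__ == "__main__":
    for name, got, want in check_session_parameters(SAMPLE_PROFILE):
        print(f"{name}: found {got!r}, expected {want!r}")
```

A parameter that is absent from the profile is reported with None rather than treated as correct: the kernel default applies in that case, so confirm the effective value in transaction RZ11 instead of assuming it matches. Run the check against the profiles of both the SAP Gateway hub and the SAP ERP system, since both take part in authenticating the online users.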

SAP Gateway Activation

To check whether SAP NetWeaver Gateway is activated, choose the following path in Customizing: SAP NetWeaver > Gateway > OData Channel > Configuration > Activate or Deactivate SAP NetWeaver Gateway.

Maintaining System Aliases for SAP ERP

To create system aliases for SAP ERP, proceed as follows:

1. Using the RFC destinations transaction, create trusted RFC connections to the appropriate systems.

2. On the Logon and Security tab page, choose Current User. With this setting no password is stored in the destination; the backend accepts the calling user only if a user with the same name exists there and passes the S_RFCACL check, which is why S_RFCACL appears in the backend roles later in this guide.

3. Use the Customizing transaction and open the SAP Reference IMG.

4. Navigate to SAP NetWeaver > Gateway > OData Channel > Configuration > Connection Settings > Manage SAP System Aliases and create the system aliases for SAP ERP.

Registering Services

OData channel implementations retrieve the data from SAP Business Suite, which is a backend system. You use the OData services that are defined by SAP. You can redefine the OData services according to your requirements. Once an OData service is defined in the backend system, the service must be registered or activated on SAP Gateway.

To register services in the SAP NetWeaver Gateway Hub system, proceed as follows:

1. Using the service maintenance transaction, select Add Service.

2. Select the SAP ERP system then select Get Services.

3. Add the following services:

○ USERMANAGEMENT


○ USERREQUESTMANAGEMENT

○ ERP_FMCA_MC_SRV

○ ERP_FMCA_MC_PUBLIC_SRV

4. Select a package in the customer namespace for the objects created during the services registration.

5. For each registered service, choose the ICF Node pushbutton and then Configure (SICF).

6. For additional security, navigate to the Logon Data tab page and adjust the security parameters as necessary.

Create PFCG Role for Reference User for SAP Gateway Hub System

To execute the user self service, the system needs to be set up with users and authorizations for those users. This is a mandatory step, since the scenario does not work if the users do not have the required authorizations. In this step, a PFCG role must be created to grant access authorizations to relevant business processes and then assigned to the reference user. This ensures that the user can perform the related tasks when using the services for SAP Multichannel Foundation for Utilities and Public Sector.

Procedure

1. In transaction PFCG, create a new role ZMCF_REF_USR using the /IWBEP/RT_USS_INTUSR template.

2. Add the authorization object S_SERVICE. For its authorization field SRV_NAME (program, transaction, or function module name), make sure that the following entries exist:

Table 6

Program ID   Object Type   Object Name
R3TR         IWSG          ERP_FMCA_MC_SRV
R3TR         IWSG          USERMANAGEMENT

3. Add the authorization object S_RFCACL.

Note: The name of the authorization role is provided as an example only. You can choose any other name in the customer namespace. To ensure that the object names appear in the F4 Help, you must register and activate the OData services mentioned in the preceding table in transaction /IWFND/MAINT_SERVICE and then execute the service in the SAP NetWeaver Gateway client. For more information, see the section Registering Services. You must ensure that values relevant to the current business scenarios are provided for authorization objects that do not have predefined values for authorization fields in the templates.

Note: Depending on whether external user management is to be used, it may make sense to define two reference users: one for users who are not authorized to create users, and another for users who are allowed to create users in the SAP Gateway Hub system.

Note: If you want to use the external user management scenario, you must add additional authorization objects that allow you to create or maintain users in the gateway server. This process can be triggered from the ERP system.


Create Reference User in SAP Gateway Hub System

Procedure

To execute the user self service, the system needs to be set up with users and the required authorization for those users. Users also have to be created and maintained using SAP NetWeaver ABAP AS User Management, using transaction SU01. A reference user is a standard SAP user with the “Reference” user type created in the SAP Gateway Hub and also in SAP Business Suite System with the IWBEP add-on. This user is used by the user management service as a template to create other users in the system.

1. In transaction SU01, create user MCF_REF_USR.

Note: The name of the user is provided as an example. You can use any other name, but you must make sure that the same name is maintained for the service in transaction SICF.

2. On the Logon Data tab page, specify the user’s type as L - Reference.

3. Specify the alias for the user as MCF_REFERENCE_USER.

4. On the Roles tab page, assign the role ZMCF_REF_USR created previously.

Creating Users in SAP ERP

1. Create a role containing the authorizations for your scenario. The following list contains the required authorization objects for the UI template to work without further modification.

Table 7

Object                                                          Technical Name
Authorization check for RFC user                                S_RFCACL
Authorization object for trusted-trusting system definition     S_RFC_TT
Business partner: BP roles                                      B_BUPA_RLT
Business partner relationships: Relationship categories         B_BUPR_BZT
Banks: general maintenance authorization                        F_BNKA_MAN
Banks: general maintenance authorization by country             F_BNKA_MAO
Authorization check for RFC access                              S_RFC
Authorization encryption card master                            B_CARD_SEC
Check at start of external services                             S_SERVICE
Transaction code check at transaction start                     S_TCODE
BC-SRV-KPR-BDS: authorizations for document set                 S_BDS_DS
ArchiveLink: authorizations for access to documents             S_WFAR_OBJ
Partner contact management                                      B_PCONTACT
Authorization object for the activities (EBPP)                  F_ACT_EBPP
FICA document management service: Company code areas            F_KKDM_BUK
FICA document management service: Document type                 F_KKDM_DOT
Authorization for interest posting                              F_KKINTER
FICA doc in contract accts rec and pay: CoCode authorization    F_KKKO_BUK
FICA doc in contract accts rec and pay: business area auth      F_KKKO_GSB
FICA contract account: company code authorization               F_KKVK_BUK
FICA contract acct: contract acct type authorization            F_KKVK_VKT
FICA special functions for FSCM biller direct                   F_KK_EBPP
FICA special functions                                          F_KK_SOND
PSCD document: contract object type authorization               F_PSDO_VGT
PSCD facts: fact type parts                                     F_PSFA_CAT
PSCD facts: authorization for a fact set                        F_PSFA_SET
PSCD facts: fact set parts                                      F_PSFA_TYP
Authorization object public sector form handling, FB type       F_PSFH_FBT
Authorization object public sector form handling, form view     F_PSFH_FVW
Authorization object public sector form handling, status        F_PSFH_STA
PSCD contract object: object type authorization                 F_PSOB_VGT
Payment cards                                                   B_CCARD
Unmasked display of credit card numbers                         B_CCSEC
SAP gateway: User self service management                       /IWBEP/URB
Authorizations: Role check                                      S_USER_AGR
User master maintenance: User groups                            S_USER_GRP
User master maintenance: Authorization profile                  S_USER_PRO
User master maintenance: System-specific assignments *          S_USER_SAS

* You use either authorization object S_USER_SAS or (S_USER_AGR, S_USER_GRP, S_USER_PRO).

Make the following entries for the authorization object S_SERVICE and authorization field SRV_NAME:

Table 8

Program ID   Object Type   Object Name
R3TR         IWSV          ERP_FMCA_MC_SRV
R3TR         IWSV          /IWBEP/USERMANAGEMENT

2. Using the user maintenance transaction, create the MCF users with the user type C - Communications Data.


3. Using function module FMCA_MC_USER_CREATE, link your user to its corresponding business partner ID.

Business Configuration

Use transaction SCPR20 to activate the BC set FMCA_MC_SETTING.

This generates sample configuration entries for the Customizing step SAP Multichannel Foundation for Utilities and Public Sector > Maintain Settings for Business Processes.

Activating Forgotten Password

To activate the forgotten password, perform the following steps:

Create PFCG Role for Service User for SAP Gateway Hub System

To execute the user self service, the system needs to be set up with users and authorizations for those users. This is a mandatory step, since the scenario does not work if the users do not have the required authorizations. In this step, a PFCG role must be created to grant access authorizations to relevant business processes and then assigned to the service user. This ensures that the user can perform the related tasks when using the services for SAP Multichannel Foundation for Utilities and Public Sector.

Procedure

1. In transaction PFCG, create a new role ZMCF_FORGOTTEN_PW_USER.

2. Add the required authorization objects:

○ /IWFND/SRV

○ S_SECPOL

○ S_TCODE

○ S_RFCACL

○ S_RFC_TT

○ S_RFC

○ S_SERVICE

3. You must ensure that the following entries exist for the authorization object S_SERVICE and authorization field SRV_NAME (program, transaction or function module name):

Table 9

Program ID   Object Type   Object Name
R3TR         IWSG          USERREQUESTMANAGEMENT

Note: The name of the authorization role is provided as an example only. You can choose any other name in the customer namespace.

To ensure that the object names appear in the F4 Help, you must register and activate the OData services mentioned in the preceding table in transaction /IWFND/MAINT_SERVICE and then execute the service in the SAP NetWeaver Gateway client. For more information, see Registering Services.

4. Limit the authorization values for all authorization objects to the necessary values relevant to the required business scenario.

Create PFCG Role for Service User in the SAP ERP System

To execute the user self service, the system needs to be set up with users and authorization for those users. This is a mandatory step, since the scenario does not work if the users do not have the required authorizations. In this step, a PFCG role has to be created to grant access authorizations to relevant business processes and assigned to the service user. This ensures that the user can perform the related tasks when using the services for SAP Multichannel Foundation for Utilities and Public Sector.

Procedure

1. In transaction PFCG, create a new role ZMCF_FORGOTTEN_PW_USER using the template /IWBEP/RT_USS_SRVUSR.

2. You must ensure that the following entries exist for the authorization object S_SERVICE and authorization field SRV_NAME (program, transaction or function module name):

○ Program ID: R3TR

○ Object Type: IWSV

○ Object Name: /IWBEP/USERREQUESTMANAGEMENT 0001

3. Limit the authorization values for all authorization objects to the necessary values relevant to the current business scenarios.

4. Check Customizing using transaction SPRO under the path SAP NetWeaver > Application Server > System Administration > Users and Authorizations > Set Customizing Switch in Table PRGN_CUST. If CHECK_S_USER_SAS is specified as YES, the authorization object S_USER_SAS must be manually added to the PFCG role for the service user.

Create Service User in SAP Gateway Hub System

Procedure

To execute the user self service, the system needs to be set up with users and the required authorizations for those users. Users also have to be created and maintained using SAP NetWeaver ABAP AS User Management, using transaction SU01. A service user is a standard SAP user with the “Service” user type created in the SAP Gateway Hub and also in the SAP Business Suite System with the IWBEP add-on. A service user should be able to access the OData service /IWBEP/USERREQUESTMANAGEMENT.

1. In transaction SU01, create the user MCF_SRV_USR1.

Note: The name of the user is provided as an example. You can use any other name, but you must make sure that the same name is maintained for the service in transaction SICF.

2. On the Logon Data tab page, specify the user’s type as S - Service.

3. On the Roles tab page, assign the role ZMCF_FORGOTTEN_PW_USER created previously.

Create Service User in the SAP ERP System

To execute the user self service, the system needs to be set up with users and the required authorization for those users. Users also have to be created and maintained using SAP NetWeaver ABAP AS User Management, using transaction SU01. A service user is a standard SAP user with the “Service” user type created in the Gateway Hub and also in SAP Business Suite System with the IWBEP add-on. A service user should be able to access the OData service /IWBEP/USERREQUESTMANAGEMENT_0001.

Procedure

1. In transaction SU01, create the user MCF_SRV_USR1.


Note: The name of the user is provided as an example. You can use any other name, but you must make sure that the same name is maintained for the service in transaction SICF.

2. On the Logon Data tab page, specify the user’s type as S - Service.

3. On the Roles tab page, assign the role ZMCF_FORGOTTEN_PW_USER created previously.

Set Service User in SICF Node for Public OData Services

Procedure

To define the service user in the ICF Node for USERREQUESTMANAGEMENT, proceed as follows:

1. In transaction SICF, find the node /default_host/sap/opu/odata/sap/USERREQUESTMANAGEMENT.

2. Under Logon Data, specify logon settings for the SAP Gateway Hub system for the service user:

○ Client: SAP Gateway Hub system client

○ User: MCF_SRV_USR1

○ Password: MCF_SRV_USR1 user’s password

3. Disable Cross-Site Request Forgery (CSRF) validation for the USERREQUESTMANAGEMENT ICF node, since the service is executed in the context of the service user. To disable CSRF validation, on the Service Data tab page of the ICF node choose GUI Configuration and add the parameter ~CHECK_CSRF_TOKEN with the value 0. Because every request to this node then runs with the service user's authorizations, without a logon and without a token, set the parameter on this node only and keep the service user's role limited to the values the forgotten-password scenario needs, as described above.

Activating Anonymous Form Submission or Payments

To activate the anonymous form submission or payments, perform the following steps:

Create PFCG Role for Service User for SAP Gateway Hub System

To execute the user self service, the system needs to be set up with users and authorizations for those users. This is a mandatory step, since the scenario does not work if the users do not have the required authorizations. In this step, a PFCG role must be created to grant access authorizations to relevant business processes and then assigned to the service user. This ensures that the user can perform the related tasks when using the services for SAP Multichannel Foundation for Utilities and Public Sector.

Procedure

1. In transaction PFCG, create a new role ZMCF_ANONY_SERV_USER.

2. Add the required authorization objects:

○ /IWFND/SRV

○ S_SECPOL

○ S_TCODE

○ S_RFCACL

○ S_RFC_TT

○ S_RFC

○ S_SERVICE

3. You must ensure that the following entries exist for the authorization object S_SERVICE and authorization field SRV_NAME (program, transaction or function module name):


Table 10

Program ID   Object Type   Object Name
R3TR         IWSG          ERP_FMCA_MC_PUBLIC_SRV

Note: The name of the authorization role is provided as an example only. You can choose any other name in the customer namespace.

To ensure that the object names appear in the F4 Help, you must register and activate the OData services mentioned in the preceding table in transaction /IWFND/MAINT_SERVICE and then execute the service in the SAP NetWeaver Gateway client. For more information, see Registering Services.

4. Limit the authorization values for all authorization objects to the necessary values relevant to the required business scenario.

Create PFCG Role for Service User in the SAP ERP System

To execute the user self service, the system needs to be set up with users and authorization for those users. This is a mandatory step, since the scenario does not work if the users do not have the required authorizations. In this step, a PFCG role has to be created to grant access authorizations to relevant business processes and assigned to the service user. This ensures that the user can perform the related tasks when using the services for SAP Multichannel Foundation for Utilities and Public Sector.

Procedure

1. In transaction PFCG, create a new role ZMCF_ANONY_SERV_USER.

2. You must ensure that the following entries exist for the authorization object S_SERVICE and authorization field SRV_NAME (program, transaction or function module name):

○ Program ID: R3TR

○ Object Type: IWSV

○ Object Name: ERP_FMCA_MC_PUBLIC_SRV 0001

3. Add the following authorization objects:

Table 11

Object                                                                           Technical Name
Authorization check for RFC user                                                 S_RFC
Authorization check for RFC user (for example, trusted system)                   S_RFCACL
BC-SRV-KPR-BDS: Authorizations for document set                                  S_BDS_DS
Authorization object for the activities (EBPP)                                   F_ACT_EBPP
General ledger: Authorization for segment                                        F_FAGL_SEG
FI-CA document in contract accounts rec. and pay.: CoCode authorization          F_KKKO_BUK
FI-CA document in contract accounts rec. and pay.: Business area authorization   F_KKKO_GSB
FI-CA contract account: Company code authorization                               F_KKVK_BUK
FI-CA contract account: Contract account type authorization                      F_KKVK_VKT
FI-CA special functions for FSCM biller direct                                   F_KK_EBPP
FI-CA processing locks                                                           F_KK_LOCK
PSCD document: Contract object type authorization                                F_PSDO_VGT
Authorization object public sector form handling, F.B type                       F_PSFH_FBT
Authorization object public sector form handling, Form view                      F_PSFH_FVW
Authorization object public sector form handling, Status                         F_PSFH_STA

4. Limit the authorization values for all authorization objects to the necessary values relevant to the required business scenarios.

Create Service User in SAP Gateway Hub System

Procedure

To execute the user self service, the system needs to be set up with users and the required authorizations for those users. Users also have to be created and maintained using SAP NetWeaver ABAP AS User Management, using transaction SU01. A service user is a standard SAP user with the “Service” user type created in the SAP Gateway Hub and also in the SAP Business Suite System with the IWBEP add-on. A service user should be able to access the OData service ERP_FMCA_MC_PUBLIC_SRV.

1. In transaction SU01, create the user MCF_SRV_USR2.

Note: The name of the user is provided as an example. You can use any other name of your choice, but you must make sure that the same name is maintained for the service in transaction SICF.

2. On the Logon Data tab page, specify the user’s type as S - Service.

3. On the Roles tab page, assign the role ZMCF_ANONY_SERV_USER created previously.

Create Service User in the SAP ERP System

To execute the user self service, the system needs to be set up with users and the required authorization for those users. Users also have to be created and maintained through SAP NetWeaver ABAP AS User Management, using transaction SU01. A Service User is a standard SAP user with the “Service” user type created in the Gateway Hub and also in SAP Business Suite System with the IWBEP add-on. A service user should be able to access the OData service ERP_FMCA_MC_PUBLIC_SRV_0001.

Procedure

1. In transaction SU01, create user MCF_SRV_USR2.

Note: The name of the user is provided as an example. You can use any other name, but you must make sure that the same name is maintained for the service in transaction SICF.

2. On the Logon Data tab page, specify the user’s type as S - Service.


3. On the Roles tab page, assign the role ZMCF_ANONY_SERV_USER created previously.

Note: If you want to send a confirmation e-mail after an anonymous payment or form submission, maintain an e-mail address for the service user.

Set Service User in SICF Node for Public OData Services

Procedure

To define the service user in the ICF Node for ERP_FMCA_MC_PUBLIC_SRV, proceed as follows:

1. In transaction SICF, find the node /default_host/sap/opu/odata/sap/ERP_FMCA_MC_PUBLIC_SRV.

2. Under Logon Data, specify logon settings for the SAP Gateway Hub system for the service user:

○ Client: SAP Gateway Hub system client

○ User: MCF_SRV_USR2

○ Password: MCF_SRV_USR2 user’s password

3. Disable Cross-Site Request Forgery (CSRF) validation for the ERP_FMCA_MC_PUBLIC_SRV ICF node, since the service is executed in the context of the service user. To disable CSRF validation, on the Service Data tab page of the ICF node choose GUI Configuration and add the parameter ~CHECK_CSRF_TOKEN with the value 0. As with the forgotten-password node, anyone who can reach this node then submits forms or payments with the service user's authorizations, so set the parameter on this node only and keep the service user's role limited to the values listed in Table 11.

External User Management

Setting up external user management is included in Customizing under the path Public Sector Management > SAP Multichannel Foundation for Utilities and Public Sector > Maintain Settings for External User Management.

For more information, see help.sap.com/nwgateway.

Quick Testing of OData Services ERP_FMCA_MC

Procedure

It is sometimes necessary to perform a quick test on OData services to see how the entities work. By performing the following steps, you can test OData services with your user using the SAP Gateway client or Google Chrome’s Advanced Rest client:

Note: You must ensure that you have a user with the same username in transaction SU01 in the SAP Gateway Hub and SAP ERP systems.

1. In transaction SU01 in the SAP ERP system, open your user and choose Goto > References in the menu.

2. Create a new reference for your user, and set the object type to BUS1006.

3. Set the key to the business partner ID which has test data that you want to use to test the OData services.

4. In the SAP Gateway client, execute a GET request on the ERP_FMCA_MC service for the OData entity Account.

You should receive the data for the business partner that you assigned to yourself when performing the GET account.

If you did not receive the data, perform an analysis on the user authorization log in transaction SU53 to see if you are missing any authorizations for your user.


Note: You must ensure that the test user does not exist in the production environment.
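The CSRF token handshake that the hub enforces on nodes where ~CHECK_CSRF_TOKEN is still active, and skips on the two public nodes configured above, decides whether a modifying request from a REST client succeeds during the quick test. The following Python example is added here and is not part of the SAP guide or its code: it simulates both sides of that exchange, a client that fetches a token with a GET carrying X-CSRF-Token: Fetch and replays it on a POST, and a stand-in gateway that validates the token per security session unless the node has the check disabled. The header name and the Fetch convention are SAP Gateway's; the gateway itself, the session cookie name, the token format, and the use of the Account entity set for the POST are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hub ICF nodes and whether CSRF validation is active (1) or switched off with
# ~CHECK_CSRF_TOKEN = 0, mirroring the configuration steps in this guide.
ICF_NODES = {
    "/sap/opu/odata/sap/ERP_FMCA_MC_SRV": 1,
    "/sap/opu/odata/sap/USERREQUESTMANAGEMENT": 0,
    "/sap/opu/odata/sap/ERP_FMCA_MC_PUBLIC_SRV": 0,
}

SESSION_COOKIE = "SAP_SESSIONID"  # simplified; a real hub appends SID and client


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class FakeGateway:
    """Stand-in for the hub (constructed for this example): issues a token on a
    GET carrying 'X-CSRF-Token: Fetch', binds it to the security session, and
    validates it on modifying requests unless the node has the check disabled."""

    def __init__(self):
        self._tokens = {}  # session id -> issued token

    def handle(self, method, path, headers, cookies):
        node = next((n for n in ICF_NODES if path.startswith(n)), None)
        if node is None:
            return Response(404)
        if method == "GET":
            resp = Response(200, body='{"d": {"results": []}}')
            if headers.get("X-CSRF-Token", "").lower() == "fetch":
                sid = cookies.get(SESSION_COOKIE) or secrets.token_hex(8)
                token = secrets.token_urlsafe(24)
                self._tokens[sid] = token
                resp.headers["X-CSRF-Token"] = token
                resp.headers["Set-Cookie"] = f"{SESSION_COOKIE}={sid}"
            return resp
        # POST, PUT, DELETE: the token must match the one issued to this session.
        if ICF_NODES[node] == 1:
            expected = self._tokens.get(cookies.get(SESSION_COOKIE, ""), "")
            sent = headers.get("X-CSRF-Token", "")
            if not expected or not hmac.compare_digest(sent, expected):
                return Response(403, {"X-CSRF-Token": "Required"},
                                "CSRF token validation failed")
        return Response(201, body='{"d": {}}')


class ODataClient:
    """Client side of the handshake, the way a REST client has to be driven."""

    def __init__(self, gateway):
        self._gw = gateway
        self.cookies = {}
        self.token = None

    def _send(self, method, path, headers=None):
        resp = self._gw.handle(method, path, headers or {}, dict(self.cookies))
        if "Set-Cookie" in resp.headers:
            name, value = resp.headers["Set-Cookie"].split("=", 1)
            self.cookies[name] = value
        return resp

    def get(self, service, entity_set, fetch_token=False):
        headers = {"X-CSRF-Token": "Fetch"} if fetch_token else {}
        resp = self._send("GET", f"{service}/{entity_set}", headers)
        if fetch_token:
            self.token = resp.headers.get("X-CSRF-Token")
        return resp

    def post(self, service, entity_set, token=None):
        headers = {"Content-Type": "application/json"}
        if token:
            headers["X-CSRF-Token"] = token
        return self._send("POST", f"{service}/{entity_set}", headers)


def run_handshake():
    """Drive the exchange against a protected and a public node; returns the
    HTTP status of each request so the outcome can be checked."""
    gw = FakeGateway()
    protected = "/sap/opu/odata/sap/ERP_FMCA_MC_SRV"
    public = "/sap/opu/odata/sap/ERP_FMCA_MC_PUBLIC_SRV"
    client = ODataClient(gw)
    statuses = {}
    statuses["get_account"] = client.get(protected, "Account", fetch_token=True).status
    statuses["post_without_token"] = client.post(protected, "Account").status
    statuses["post_with_token"] = client.post(protected, "Account", client.token).status
    statuses["post_forged_token"] = client.post(protected, "Account", "x" * 32).status
    # Public node: a fresh client with no session and no token is still accepted,
    # because the request runs under the service user stored in the ICF node.
    statuses["public_post_anonymous"] = ODataClient(gw).post(public, "Account").status
    return statuses


if __name__ == "__main__":
    for name, status in run_handshake().items():
        print(f"{name}: {status}")
```

A 403 with the response header X-CSRF-Token: Required on a POST, PUT, or DELETE is this token check, not an authorization failure, so it leaves nothing in SU53; fetch the token with the same session cookies you then send with the modifying request. The last case shows what disabling the check on a public node means in practice: any client that can reach the node posts without a logon and without a token, with whatever the service user's role allows.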


4 Application Operations

SAP Multichannel Foundation for Utilities and Public Sector is delivered with a default project for OData Services. The default project is called ERP_FMCA_MC and you can modify it by accessing the data model and creating additional entities, entity attributes, and navigation properties. You can create your own project.

You use the BAdI definition FMCA_MC_ODATA to create new or modify existing OData entity implementations. The purpose of this BAdI is to provide an implementation specific to the entity name. The base class of the implementation classes for all entities is CL_ISU_UMC_ODATA_ABSTRACT.

By default, all BAdI implementations are active and flagged as default implementations. The default implementation is executed automatically. This BAdI is filter-dependent, and the filter is based on the name of the entity. For example, the filter for the account entity is ENTITY_NAME=Account.

SAP Gateway Service Model Extensibility in SAP ERP

As mentioned in an earlier section, the extensibility of SAP Multichannel Foundation for Utilities and Public Sector is based on the BAdI FMCA_MC_ODATA. The SAP standard delivery consists of two OData services in SAP ERP, namely ERP_FMCA_MC and ERP_FMCA_MC_PUBLIC_SRV.

In the standard delivery we follow the rules listed below:

1. If the BAdI implementation of an entity is identical for ERP_FMCA_MC and ERP_FMCA_MC_PUBLIC_SRV, the BAdI implementation maintains only the filter entity_name = <requested entity>, for example Account.

2. If an entity has different BAdI implementations for ERP_FMCA_MC and ERP_FMCA_MC_PUBLIC_SRV, the implementation for ERP_FMCA_MC_PUBLIC_SRV maintains the filters service_name = ERP_FMCA_MC_PUBLIC_SRV and entity_name = <requested entity>, while the implementation for ERP_FMCA_MC maintains the filters entity_name = <requested entity> and service_name <> ERP_FMCA_MC_PUBLIC_SRV.

Therefore, when you extend ERP_FMCA_MC to derive a Z service for the entities you choose to expose, you have two options:

1. Create a new BAdI implementation for the entity with your own implementation class. In this case you must maintain the filter values entity_name = <requested entity> and service_name = <Z service> in the BAdI implementation.

2. Create no new BAdI implementation. The applicable SAP implementation whose filter values match the request is called.

The SAP Gateway service model can be extended at the following different levels:

○ OData entity field extension

○ OData entity logic extension

○ Addition of new OData entities

If you want to add new fields to an entity, use the following approach. Each OData entity is based on a DDIC structure that you can see in the Service Builder (transaction SEGW). This DDIC structure contains a subset of the fields provided by the API. The field names correspond to those in the API; the labels of the data elements are what is displayed on the UI.

By creating an append structure, you can add further fields from the API and then regenerate the model in the Service Builder. No further coding is then required for GET operations, although adjustments may be required for POST, PUT, and DELETE operations in the OData entity implementation class. Note that a field added this way is returned to every client that can read the entity, so check that it contains nothing the online user is not entitled to see.

To override the standard behavior, create a new BAdI implementation with the required filter values. This implementation is then called instead of the standard one. The BAdI definition is based on the interface IF_ISU_UMC_ODATA_BADI. This interface has only one method, get_instance, which provides an instance of a Multichannel service implementation class to the standard data provider class (the class with the suffix DPC_EXT).

You can define your own entity-based service implementation class using the inheritance from the existing class that was assigned to the BAdI implementation. In your service implementation class, you can redefine all the methods of both the IF_ISU_UMC_ODATA_BADI and IF_ISU_UMC_ODATA_IMPL interfaces to replace the functions provided by SAP with your own functions.

Some implementation classes also provide additional methods that you can redefine. If your implementation is inherited or based on the SAP standard BAdI implementation, we recommend that you call super-class methods whenever possible. This ensures that subsequent corrections or updates delivered by SAP are integrated within the implementation.

If a new entity is needed, you can enhance the existing SEGW model with new entities and follow the SAP BAdI concept.

In some cases, business entity instances may logically belong together and need to be handled or processed together in the same logical unit of work. For example, on moving out of a premise, an update of two or more entities could be required and must be processed together in a single request (all or none). SAP Gateway can be used to process such scenarios with its capability to execute multiple operations in a single request, including retrieval and change. In the delivered OData Service for SAP Multichannel Foundation for Utilities and Public Sector, batch processing is already enabled. Therefore, it is possible to use $batch to collect a fixed number of operations (get, create, update, delete) of an OData Service in one single HTTP POST request.

Example

The following example has four GET calls in a batch.

Batch Request Header

POST /sap/opu/odata/sap/ERP_FMCA_MC_SRV/$batch
Content-Type: multipart/mixed;boundary=batch_11d6-7608-09f8

Batch Request Body

--batch_11d6-7608-09f8
Content-Type: application/http
Content-Transfer-Encoding: binary

GET Accounts('1000001530')/AccountAlerts/$count HTTP/1.1
Accept-Language: en
Accept: application/json
MaxDataServiceVersion: 2.0
DataServiceVersion: 2.0

--batch_11d6-7608-09f8
Content-Type: application/http
Content-Transfer-Encoding: binary

GET Accounts('1000001530')/ContractAccounts?$format=json&$expand=ContractAccountBalance HTTP/1.1
Accept-Language: en
Accept: application/json
MaxDataServiceVersion: 2.0
DataServiceVersion: 2.0

--batch_11d6-7608-09f8
Content-Type: application/http
Content-Transfer-Encoding: binary

GET Accounts('1000001530')/FilingObligations/$count?$filter=FormBundleSubmitted%20eq%20%27%27%20%20and%20ClearingReason%20eq%20%27%27%20 HTTP/1.1
Accept-Language: en
Accept: application/json
MaxDataServiceVersion: 2.0
DataServiceVersion: 2.0

--batch_11d6-7608-09f8
Content-Type: application/http
Content-Transfer-Encoding: binary

GET Accounts('1000001530')/FormBundles/$count?$filter=StatusID%20eq%20%27Draft%27%20 HTTP/1.1
Accept-Language: en
Accept: application/json
MaxDataServiceVersion: 2.0
DataServiceVersion: 2.0

--batch_11d6-7608-09f8--

By using batch processing, you can improve performance, since several OData service operations are grouped in one round trip. However, batch processing is more complex than standalone OData service operations and may not always be beneficial. We suggest reviewing your use cases individually to evaluate the benefits of batch processing.

For more examples, see SAP Note 1869434 .

If you have to execute specific business logic before processing a “changeset” in a batch, you must overwrite the framework method /IWBEP/IF_MGW_APPL_SRV_RUNTIME~CHANGESET_BEGIN. In the implementation of SAP Multichannel Foundation for Utilities and Public Sector OData Services, this method was redefined in the class CL_ERP_FMCA_MC_DPC_EXT.

For example, the redefined method sets a flag for the session to indicate batch mode, which the redefined /IWBEP/IF_MGW_APPL_SRV_RUNTIME methods of SAP Multichannel Foundation for Utilities and Public Sector evaluate at a later stage. CREATE_ENTITY is one such method; it also performs a basic validation of whether an operation is allowed in a batch process. This is necessary because SAP Gateway is solely responsible for commit and rollback in batch processing: if an operation uses an API that has its own commit or rollback logic, that operation must not be included in a batch. /IWBEP/IF_MGW_APPL_SRV_RUNTIME~CHANGESET_END can be redefined for logic that runs after a "changeset" is processed.
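The batch request shown above and the change set rules in this section, as an added example in JavaScript that is not part of the SAP guide or of the FMCAUI5_MOBILE application: it builds the multipart body a client sends to ERP_FMCA_MC_SRV/$batch (reads as individual parts, modifying operations grouped in one change set), supplies the headers for the outer POST, and parses the multipart response back into per-request status codes. The SAPUI5 ODataModel does all of this for you (see the next section); the point here is to show what goes over the wire and where the CSRF token belongs. The boundary strings, the sample requests (the property names in the POST body are hypothetical) and the sample response are constructed.

```javascript
// Added example; not code from the SAP guide or the FMCAUI5_MOBILE application.
// Builds an OData V2 $batch request body for ERP_FMCA_MC_SRV and parses the
// multipart $batch response. Boundaries, the sample requests (property names
// in the POST body are hypothetical) and the sample response are constructed.
const CRLF = "\r\n";

// Serialize one request as an application/http part.
function httpPart(req) {
  const headers = Object.assign({ Accept: "application/json" }, req.headers || {});
  const lines = ["Content-Type: application/http", "Content-Transfer-Encoding: binary", "",
    `${req.method} ${req.url} HTTP/1.1`];
  for (const [name, value] of Object.entries(headers)) lines.push(`${name}: ${value}`);
  lines.push("", req.body === undefined ? "" : JSON.stringify(req.body));
  return lines.join(CRLF);
}

// GET requests become individual parts. POST/PUT/DELETE requests are grouped in
// one change set, which SAP Gateway commits or rolls back as a unit ("all or
// none"); an API with its own COMMIT WORK must therefore not be called from it.
function buildBatch(requests, boundary, changesetBoundary) {
  const parts = [];
  const changes = [];
  for (const req of requests) {
    if (req.method === "GET") parts.push(`--${boundary}${CRLF}${httpPart(req)}`);
    else changes.push(`--${changesetBoundary}${CRLF}${httpPart(req)}`);
  }
  if (changes.length > 0) {
    parts.push(`--${boundary}${CRLF}Content-Type: multipart/mixed; boundary=${changesetBoundary}` +
      `${CRLF}${CRLF}${changes.join(CRLF)}${CRLF}--${changesetBoundary}--`);
  }
  return `${parts.join(CRLF)}${CRLF}--${boundary}--${CRLF}`;
}

// Headers for the outer POST to .../$batch. SAP Gateway rejects modifying
// requests without a valid X-CSRF-Token; the client fetches the token
// beforehand with a GET carrying "X-CSRF-Token: Fetch" on the same session.
function batchHeaders(boundary, csrfToken) {
  return { "Content-Type": `multipart/mixed; boundary=${boundary}`,
           "X-CSRF-Token": csrfToken, Accept: "multipart/mixed" };
}

// Parse a $batch response into [{ status, headers, body }]. Change-set
// responses are nested multipart/mixed parts and are flattened into the list.
function parseBatchResponse(text, boundary) {
  const results = [];
  for (const chunk of text.split(`--${boundary}`).slice(1)) {
    if (chunk.startsWith("--")) break; // "--boundary--" closes this multipart
    const sections = chunk.split(CRLF + CRLF);
    const nested = /boundary=([^\s;]+)/i.exec(sections[0]);
    if (nested) {
      results.push(...parseBatchResponse(sections.slice(1).join(CRLF + CRLF), nested[1]));
      continue;
    }
    if (!sections[1]) continue; // malformed part without a status line
    const [statusLine, ...headerLines] = sections[1].split(CRLF);
    const headers = {};
    for (const line of headerLines) {
      const i = line.indexOf(":");
      if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
    }
    results.push({ status: parseInt(statusLine.split(" ")[1], 10), headers,
                   body: sections.slice(2).join(CRLF + CRLF).trim() });
  }
  return results;
}

// Constructed sample: two reads plus one create in a change set.
const SAMPLE_BOUNDARY = "batch_11d6-7608-09f8";
const SAMPLE_REQUESTS = [
  { method: "GET", url: "Accounts('1000001530')/AccountAlerts/$count" },
  { method: "GET", url: "Accounts('1000001530')/ContractAccounts?$format=json" },
  { method: "POST", url: "AccountAddressDependentEmail",
    headers: { "Content-Type": "application/json" },
    body: { AccountID: "1000001530", Email: "user@example.com" } }, // hypothetical properties
];

// Constructed sample response: the read succeeds; the change set fails with a
// business error (HTTP 400), so nothing inside it was committed.
const SAMPLE_RESPONSE = [
  `--${SAMPLE_BOUNDARY}`, "Content-Type: application/http", "Content-Transfer-Encoding: binary", "",
  "HTTP/1.1 200 OK", "Content-Type: text/plain;charset=utf-8", "", "2",
  `--${SAMPLE_BOUNDARY}`, "Content-Type: multipart/mixed; boundary=changesetresponse_0001", "",
  "--changesetresponse_0001", "Content-Type: application/http", "Content-Transfer-Encoding: binary", "",
  "HTTP/1.1 400 Bad Request", "Content-Type: application/json", "",
  '{"error":{"code":"/IWBEP/CX_MGW_BUSI_EXCEPTION","message":{"lang":"en","value":"Invalid e-mail address"}}}',
  "--changesetresponse_0001--", `--${SAMPLE_BOUNDARY}--`, "",
].join(CRLF);
```

Call parseBatchResponse on the response body only after checking that the outer HTTP status is 202 (Accepted) and the Content-Type is multipart/mixed. A 403 on the outer request means the CSRF token was missing or stale; the body is then a single error document, not a multipart, and none of the inner requests were executed.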

RecommendationSAP recommends you use batch processing in the SAPUI5 Web application.


Consuming OData Batch Requests from SAPUI5

Since the SAPUI5 control ODataModel supports batch processing, SAPUI5 applications can consume the OData service in batches. You might need to use one or more of the following methods:


● addBatchChangeOperations

● clearBatch

● addBatchReadOperations

● createBatchOperation

● setUseBatch

For more information about ODataModel, see sapui5.hana.ondemand.com/sdk/#docs/api/symbols/sap.ui.model.odata.ODataModel.html.

The following code snippet is an example of a batch request from the SAP Multichannel Foundation for Utilities and Public Sector Application.

Figure 1


Figure 2

Error Message Handling

Error message handling in SAP Multichannel Foundation for Utilities and Public Sector follows OData protocol and SAP Gateway approaches. OData entities should return standardized HTTP codes to inform the client about the status of the request.

The SAP Gateway runtime checks that the payload and the resource URL are consistent. For example, if a value in the payload does not match the type of the target field, the runtime returns an error with HTTP status code 500. If a resource is addressed incorrectly, the runtime also returns HTTP status code 500.

For other error situations, the service implementation has to provide the error handling. If a technical exception is raised, the HTTP status code is 500 (server error) with the exception message included in the response; if it is a business-related application error, the HTTP status code is 400. Each entity calls a certain API or BAPI to execute its business logic, and this API returns a list of error messages that SAP Gateway propagates in the response payload.

The following table describes various error situations and the associated HTTP status codes:

Table 12

Scenario | Sample Request | Response Behavior | Handling Level*
Authorization failure on accessing an entity with a wrong key | GET Accounts('X') | 404 Not Found, no specific error message | Service implementation
GET entity by key, not found | GET Accounts('X') | 404 Not Found, no specific error message | Entity implementation
GET entity set, not found | GET Invoices | 200 with empty payload | Entity implementation
GET with navigation A('x')/B, not found | GET Accounts('X')/StandardAccountAddress | 200 with empty payload | Service implementation
POST (create) | POST AccountAddressDependentEmail | 404 Not Found due to authorization issues; 400 Bad Request due to business logic issues; 201 Created on success, with the newly created entity in the payload | Entity implementation
UPDATE | PUT AccountAddressDependentEmail | 404 Not Found due to authorization issues; 400 Bad Request due to business logic issues; 200 OK on success, with the updated entity in the payload | Entity implementation
DELETE | DELETE AccountAddressDependentEmail | 404 Not Found due to authorization issues; 400 Bad Request due to business logic issues; 204 No Content on success | Entity implementation
Expand on entities whose keys are not filled in the source entity, A('x')?$expand=B,C | GET Accounts('X')?$expand=AccountAddressDependentEmail,AccountAddressDependentPhone | Entities whose keys are not filled in the source are ignored; payload still returned with 200 | Service implementation
Not properly formed URL or payload | GET Accounts('X')/NotExistingResource | 500 Server Error with a specific error message | SAP Gateway

*Handling levels are as follows:

● SAP Gateway runtime

● Service implementation (data provider and abstract classes from which all entities inherit)

● Entity implementation (specific OData entity implementation class)

You can change the error logic for a specific entity by redefining the methods HANDLE_BUSINESS_ERROR or HANDLE_TECHNICAL_ERROR in its implementation class, where you can map the API error messages to user-friendly messages for the UI. Alternatively, to implement a generic mapping of error messages for all entities, create an enhancement implementation at the implicit enhancement point at the start of the methods HANDLE_BUSINESS_ERROR and HANDLE_TECHNICAL_ERROR in the abstract class CL_ISU_UMC_ODATA_ABSTRACT. When you do so, keep the 404 response for authorization failures shown in Table 12 (a wrong key and a missing authorization produce the same answer, so an online user cannot probe which account IDs exist), and do not pass the text of technical exceptions through to the browser; write it to the error log and show a generic message instead.
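The status-code contract in Table 12 from the client's side, as an added JavaScript example that is not part of the SAP guide or of the FMCAUI5_MOBILE application. It parses the JSON error document SAP Gateway returns, treats the 200-with-empty-payload case as an empty result rather than an error, and separates what the user may see from what belongs in the support log: the 404 branch deliberately says nothing about whether the key was wrong or the authorization was missing, and the 500 branch logs the exception text instead of displaying it. The field names of the error document ({"error":{"code","message":{"lang","value"},"innererror":{"errordetails":[...]}}}) are taken as an assumption about the Gateway format, the 403 branch goes beyond the table (it is the response to a failed X-CSRF-Token check), and all sample payloads and message codes are constructed.

```javascript
// Added example; not code from the SAP guide or the FMCAUI5_MOBILE application.
// Client-side handling of the status codes in Table 12. The error document
// layout ({"error":{"code","message":{"lang","value"},"innererror":
// {"errordetails":[...]}}}) is assumed; sample payloads and codes are made up.
function parseGatewayError(body) {
  try {
    const err = JSON.parse(body).error || {};
    const details = (err.innererror && err.innererror.errordetails) || [];
    return {
      code: err.code || "",
      message: (err.message && err.message.value) || "",
      details: details.map((d) => ({ code: d.code || "", message: d.message || "",
                                     severity: d.severity || "error" })),
    };
  } catch (e) {
    return { code: "", message: "", details: [] }; // empty or non-JSON body (the 404 case)
  }
}

// An OData V2 collection response with no entries ("200 with empty payload").
function isEmptyResultSet(body) {
  try {
    const d = JSON.parse(body).d;
    return Array.isArray(d && d.results) && d.results.length === 0;
  } catch (e) {
    return false;
  }
}

// Decide what the UI shows ("display") and what goes to the support log ("log").
// Two security-relevant rules: 404 is returned both for an unknown key and for
// a missing authorization, so the user is told neither; and the 500 payload
// carries the raw exception text, which is logged but never shown.
function classifyResponse(status, body) {
  const err = parseGatewayError(body);
  const generic = "The request could not be processed. Please try again later.";
  switch (status) {
    case 200: case 201: case 204:
      return { kind: "ok", display: [], log: "" };
    case 400: {
      const msgs = err.details.filter((d) => d.severity !== "info").map((d) => d.message);
      return { kind: "business", display: msgs.length ? msgs : [err.message], log: err.code };
    }
    case 403: // SAP Gateway answers a failed X-CSRF-Token check with 403
      return { kind: "forbidden", display: ["Your session has expired. Please log on again."],
               log: err.message };
    case 404:
      return { kind: "not-found", display: ["The requested item is not available."],
               log: err.message };
    default: // 500 and anything unexpected
      return { kind: "technical", display: [generic],
               log: `${status} ${err.code} ${err.message}`.trim() };
  }
}

// Constructed samples (message codes and texts are made up).
const SAMPLE_BUSINESS_ERROR = JSON.stringify({ error: {
  code: "/IWBEP/CX_MGW_BUSI_EXCEPTION",
  message: { lang: "en", value: "E-mail address is invalid" },
  innererror: { errordetails: [
    { code: "ZFMCA_MC/001", message: "E-mail address is invalid", severity: "error" },
    { code: "ZFMCA_MC/002", message: "Address will be verified", severity: "info" } ] } } });
const SAMPLE_TECHNICAL_ERROR = JSON.stringify({ error: {
  code: "/IWBEP/CX_MGW_TECH_EXCEPTION",
  message: { lang: "en", value: "Exception CX_SY_REF_IS_INITIAL raised in CL_ISU_UMC_ODATA_ABSTRACT" } } });
const SAMPLE_EMPTY_SET = JSON.stringify({ d: { results: [] } });
```

The same split applies on the server side when you redefine HANDLE_BUSINESS_ERROR and HANDLE_TECHNICAL_ERROR: map business messages to user text, but let technical detail reach only the error log.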

SAP Multichannel Foundation for Utilities and Public Sector Solution Monitoring

Monitoring is an essential task in managing SAP technology.

Alert Monitoring

To monitor errors and alert messages, use the error log transactions: /IWFND/ERROR_LOG on the SAP Gateway system and /IWBEP/ERROR_LOG in the backend system.


Trace and Log Files

Trace files and log files are essential for analyzing problems. SAP Multichannel Foundation for Utilities and Public Sector follows the approach used by SAP NetWeaver Gateway.

For more information, see help.sap.com/nwgateway .

SAP Multichannel Foundation for Utilities and Public Sector Management

SAP provides you with an infrastructure to help your technical support consultants and system administrators effectively manage all SAP components and complete all tasks related to technical administration and operation.

For more information, see help.sap.com/netweaver .

Certain components or scenarios used by this application can be configured and tools are available for adjusting these components.

For more information, see help.sap.com/nwgateway .

SAP UI5 Sample Application Configuration

When you install the add-on UMCUI501 for SAP Gateway, you receive a sample SAP UI5 application, FMCAUI5_MOBILE. This is an example of how OData services are consumed within SAP Multichannel Foundation for Utilities and Public Sector.

You must be running the following SAPUI5-related add-ons:

● UISAPUI5 (with this add-on, SAP UI5 JavaScript library is installed)

● UI_INFRA

● Optional SAP UI5 components, such as UI5_731 SP5 for the team provider, and other SAP UI5 components depending on the UI implementation approach

FMCAUI5_MOBILE Application

The FMCAUI5_MOBILE application is stored as a BSP application under the MIME repository path /sap/bc/bsp/sap/FMCAUI5_MOBILE. It contains a set of CSS, HTML, and JavaScript files packaged into a BSP application and uploaded to the server using a team provider Eclipse plugin. To copy the application and upload it to the server again, you use report /UI5/UI5_REPOSITORY_LOAD.

SAP NetWeaver Gateway Service Configuration

The FMCAUI5_MOBILE application calls OData services from SAP ERP; therefore, the ERP_FMCA_MC_SRV and /IWBEP/USERMANAGEMENT services need to be configured to point to a backend system (SAP system alias) using the service maintenance transaction (/IWFND/MAINT_SERVICE) in SAP NetWeaver Gateway.

For more information, see help.sap.com/nwgateway .

Logon Configuration

The HTML logon page is prepared dynamically as a server response by the ABAP class /UI2/CL_SRA_LOGIN. It is set under Error Pages > Logon Errors > System Logon > Configuration > Logon Layout and Procedure > Custom Implementation in the SICF configuration for the node /default_host/sap/bc/ui5_ui5/sap/fmcaui5_mobile.

For more information about SICF configuration, see help.sap.com/nwgateway .

The template_login page represents an HTML page with certain parameters that are dynamically set and the final HTML page is provided to the browser.

The following code snippet is from the template_login.html page supplied with the sample application:


Note: @sys_form_name_login and all other items that start with @ are parameters that are replaced at runtime by the HTM_LOGIN method of the /UI2/CL_SRA_LOGIN class.

Users are only logged in once they have entered their user ID and password and choose the log-on option. A form is prepared with certain set fields in the client and is posted to the server. If authentication is completed successfully, the user is brought to the index.html page of the Web application. If it fails, error messages are returned instead of the parameter @sys_messages_text and shown on the UI.

Logon Logic

Figure 3: Logon Logic

When the browser accesses the path of the SAP UI5 application, a request is sent to the server; the request is processed based on the SICF Customizing for SAP UI5 Web applications. This Customizing mentions the availability of a custom implementation for the logon layout and procedure and the HTM_LOGIN method of /UI2/CL_SRA_LOGIN class is executed. It searches for the login.properties file in the UMCUI5 Web application directory. In the login.properties file, it searches for a way to load the template_login page (see screenshot below).


Figure 4: Login Properties File


Figure 5: Code Sample from template_login.html page


Logout Configuration

There is no specific logout page. The SAPUI5 application needs to navigate to the standard logout ICF node /sap/public/bc/icf/logoff with a redirect URL. You can define an external alias for this ICF node with the same name, for which you define a logout redirect (Error Pages > Logoff Page > Redirect to URL). This setting affects the entire server.

For more information about the logout redirect, see SAP Note 1509851. Because the redirect target is taken from the request, we recommend applying an HTTP whitelist as described in SAP Note 853878, so that the logoff node cannot be used to send users to an arbitrary external URL.

Note: Not all logout functionality is available in releases prior to SAP NetWeaver 7.02.
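The whitelist check recommended above, as an added JavaScript example that is not the ICF implementation and not code from the SAP guide: an allow-list of permitted redirect targets for the logoff node, compared against the parsed and normalized URL rather than the raw string, so that scheme changes, other ports, look-alike hosts, userinfo tricks, dot-segment escapes, protocol-relative URLs and javascript: URLs are all rejected. The hosts and the application path in the allow-list are made up.

```javascript
// Added example; not the ICF implementation and not code from the SAP guide.
// An allow-list check for the redirect URL handed to the logoff ICF node, in
// the spirit of the HTTP whitelist the text recommends. The hosts and the
// application path in the allow-list are made up.
const REDIRECT_ALLOWLIST = [
  { protocol: "https:", host: "portal.example.com", pathPrefix: "/sap/bc/ui5_ui5/sap/fmcaui5_mobile/" },
  { protocol: "https:", host: "www.example.com", pathPrefix: "/" },
];

// True only for an absolute http(s) URL whose scheme, host (including port)
// and path prefix match an allow-list entry. The WHATWG URL parser normalizes
// case, backslashes and dot segments before the comparison, so the checks
// below are made against the form a browser would actually navigate to.
function isAllowedRedirect(target, allowlist = REDIRECT_ALLOWLIST) {
  let url;
  try {
    url = new URL(target); // throws for relative, protocol-relative ("//host") or malformed input
  } catch (e) {
    return false;
  }
  if (url.username !== "" || url.password !== "") return false; // "https://portal.example.com@evil.test"
  return allowlist.some((entry) =>
    url.protocol === entry.protocol &&
    url.host === entry.host &&
    url.pathname.startsWith(entry.pathPrefix));
}

// Constructed cases; only the first two should pass.
const REDIRECT_CASES = [
  "https://portal.example.com/sap/bc/ui5_ui5/sap/fmcaui5_mobile/index.html",
  "HTTPS://WWW.EXAMPLE.COM/logged-out",
  "http://portal.example.com/sap/bc/ui5_ui5/sap/fmcaui5_mobile/",       // plain HTTP
  "https://portal.example.com:8443/sap/bc/ui5_ui5/sap/fmcaui5_mobile/", // other port
  "https://portal.example.com.evil.test/sap/bc/ui5_ui5/sap/fmcaui5_mobile/",
  "https://portal.example.com@evil.test/",
  "https://portal.example.com/sap/bc/ui5_ui5/sap/fmcaui5_mobile/../../../other",
  "//evil.test/",
  "javascript:alert(document.cookie)",
];

function allowedRedirects(cases = REDIRECT_CASES) {
  return cases.filter((c) => isAllowedRedirect(c));
}
```

Maintain the allow-list centrally, as the ICF whitelist is, rather than in the SAPUI5 application: a check that lives only in the client can be bypassed by calling the logoff node directly.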

UMCUI5_MOBILE Foundation Application

The foundation application is stored under the MIME repository path /sap/public/bc/ui2/umcui5_mobile_foundation. The foundation files are loaded manually into the MIME repository. The foundation JavaScript library is required by both the private and public applications.

Custom UI Theme

To apply a custom theme for the SAPUI5 mobile application, execute the JavaScript code

sap.ui.getCore().applyTheme("myThemeName");.

An example of the dynamic theme switch is in the ActionSheetController.js file in the home component for the responsive UI.


5 Security

This section provides security-relevant information applicable to SAP Multichannel Foundation for Utilities and Public Sector. The system landscape of SAP Multichannel Foundation for Utilities and Public Sector is built from SAP ERP and SAP NetWeaver Gateway so the corresponding security guides apply.

Technical System Landscape

The following figure illustrates the technical system landscape for SAP Multichannel Foundation for Utilities and Public Sector.

Figure 6: Technical System Landscape for SAP Multichannel Foundation for Utilities and Public Sector

UMCERP01 is the SAP ERP add-on that groups business processes. A sample SAPUI5 template is hosted on the SAP NetWeaver Gateway. The UI application communicates with the SAP NetWeaver Gateway using OData protocol. The SAP NetWeaver Gateway dispatches the calls to specific backend systems.

Data, Data Flow, and Processes

The following figure illustrates the data flow when a user logs onto SAP Multichannel Foundation for Utilities and Public Sector.


Figure 7: Data Flow

The following table lists the security aspects to consider for each process step.

Table 13

Step | Description | Security Measure
1 | User logs on with user name and password | HTTPS communication protocol
2 | User credentials sent | SAP NetWeaver user management
3 | Retrieves user accounts | Communication using HTTPS and synchronous RFC to trusted destination

Recommendation: To protect users from remaining locked out after several failed logon attempts, we recommend that you set the parameter login/failed_user_auto_unlock so that user locks are removed at midnight. You maintain it in the CCMS profile maintenance tool (transaction RZ10). Automatic unlocking trades a lockout denial of service against slower password guessing: keep login/fails_to_user_lock low, keep the password rules described below strict, and monitor repeated lock events for Internet-facing users.

For more information, see SAP NetWeaver at help.sap.com/nw_platform .

User Administration and Authentication

SAP Multichannel Foundation for Utilities and Public Sector adopts the user management and authentication mechanisms provided by SAP NetWeaver, specifically SAP NetWeaver Application Server ABAP (SAP NW AS ABAP). Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide apply to this solution. The SAP NetWeaver Application Server ABAP Security Guide contains the following information:

● User management concept, tools, and required users

● User authentication and single sign-on


● Authorization and roles

As of SAP NetWeaver Gateway SP07, a set of OData services is available that exposes some of the functionality of SAP NetWeaver user management and enhances it with user request management, which allows online users to request the creation of user accounts.

User Creation and Activation for Standalone SAP ERP

When you create users on the SAP Gateway system and on the application backend system, the main user record is stored in SAP Gateway with an active password and communications data user type. Users with the same name are created in SAP ERP with no password and a communications data user type.

Users in the Back End Systems and SAP Gateway

Application users are relevant for the backend system.

In the SAP backend systems, users are created without a password. This protects the users against incorrect or insecure password handling. Users also require a user ID for the SAP Gateway layer. They must have the same user name as the users in the backend system. The user authorizations trigger the application services in the backend system.

By default, all application users are created with the same username in SAP Gateway and in the backend systems.

SAP Multichannel Foundation for Utilities and Public Sector does not use single sign-on (SSO). SAP NetWeaver provides SSO so customers may use it if necessary.

For more information, see SAP NetWeaver at help.sap.com/nw_platform, help.sap.com/nwgateway, and help.sap.com/netweaver.

Password Rules and Security Policy

Password rules define what form a password can take in SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP. Some rules are predefined in the system, while others you can configure with the security policy or with profile parameters.

For more information, see help.sap.com/nw_platform and choose Identity Management > User and Role Administration of Application Server ABAP > Configuration of User and Role Administration > First Installation Procedure > Logon and Password Security in SAP NetWeaver Application Server ABAP > Password Rules.

Authorizations

SAP Multichannel Foundation for Utilities and Public Sector uses the authorization concept provided by SAP NetWeaver Application Server ABAP. The recommendations and guidelines for authorizations described in the SAP NetWeaver Application Server ABAP Security Guide apply to SAP Multichannel Foundation for Utilities and Public Sector. The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the Application Server ABAP (AS ABAP).

Session Security Protection

For SAP NetWeaver 7.0 and higher, we recommend that you activate HTTP security session management in transaction SICF_SESSIONS. In particular, we recommend that you activate the extra protection of security-related cookies described below.

● The HttpOnly flag instructs the browser to deny access to the cookie through client side script. As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser does not reveal the cookie to a third party.

● The secure flag tells the browser to send the cookie only if the request is being sent over a secure channel, such as HTTPS. This helps protect the cookie from being passed over unencrypted requests.


You configure these additional flags with the following profile parameters:

Table 14

Profile Parameter | Recommended Value | Description | Comment
icf/set_HTTPonly_flag_on_cookies | 0 | Add HttpOnly flag | Client-dependent
login/ticket_only_by_https | 1 | Add Secure flag | Client-independent

Note that for icf/set_HTTPonly_flag_on_cookies the value 0 is not "off": check the value semantics in the parameter documentation (transaction RZ11) for your release, and verify the effect by inspecting the Set-Cookie headers of a logon response.
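The verification step for the two flags above, as an added JavaScript example that is not part of the SAP guide: it parses the Set-Cookie headers of a logon response and reports every security-relevant cookie that lacks HttpOnly or Secure. The sample headers are constructed; the cookie names follow the AS ABAP pattern (SAP_SESSIONID_<SID>_<client> for the security session, MYSAPSSO2 for the logon ticket, sap-usercontext for the client and language), and the values are made up.

```javascript
// Added example; not code from the SAP guide. Audits the Set-Cookie headers of
// a logon response for the HttpOnly and Secure flags that the two profile
// parameters in Table 14 are meant to add. The sample headers are constructed:
// cookie names follow the AS ABAP pattern (SAP_SESSIONID_<SID>_<client>,
// MYSAPSSO2, sap-usercontext), the values are made up.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i < 0 ? true : attr.slice(i + 1);
  }
  return { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attributes };
}

// Cookies that carry the authenticated session or the logon ticket.
const SENSITIVE_COOKIES = [/^SAP_SESSIONID_/i, /^MYSAPSSO2$/i];

// One finding per missing flag on a sensitive cookie. HttpOnly keeps the value
// away from script (the XSS case in the text); Secure keeps it off plain HTTP.
function auditCookies(setCookieHeaders) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    if (!SENSITIVE_COOKIES.some((re) => re.test(cookie.name))) continue;
    if (!cookie.attributes.httponly) findings.push({ cookie: cookie.name, missing: "HttpOnly" });
    if (!cookie.attributes.secure) findings.push({ cookie: cookie.name, missing: "Secure" });
  }
  return findings;
}

// Constructed logon response headers: the session cookie lacks Secure, the
// SSO2 ticket lacks both flags, the user context cookie is not sensitive.
const SAMPLE_SET_COOKIE = [
  "sap-usercontext=sap-client=100; path=/",
  "SAP_SESSIONID_ERP_100=QjE3ZjQ5YmFhNzQ; path=/; HttpOnly",
  "MYSAPSSO2=AjQxMDMBABhHQUxMRVI; path=/; domain=example.com",
];
```

Run it against the headers of the response to the logon form POST, or of the first request that creates the security session. A finding for MYSAPSSO2 points at login/ticket_only_by_https; a finding for SAP_SESSIONID_* points at icf/set_HTTPonly_flag_on_cookies and at serving the ICF node over HTTPS only.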

RecommendationWe recommend upgrading to SAP NetWeaver 7.02 or higher as the logout feature is not available to users using earlier SAP NetWeaver versions.

User request data is stored in SAP NetWeaver Gateway for processing. Depending on your business needs and local regulations, you can delete user requests after a defined retention period. Since SAP Multichannel Foundation for Utilities and Public Sector is built on SAP NetWeaver Gateway, see the data protection and privacy information provided for SAP NetWeaver Gateway to ensure that this data is protected from unauthorized access.

Network and Communication

Your network infrastructure is extremely important in protecting your system and it needs to support your business communication without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws at the operating system level and application level or network attacks, such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, intruders cannot compromise the machines and gain access to the backend system’s database or files. Also, if users are not able to connect to the LAN, they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for SAP Multichannel Foundation for Utilities and Public Sector is based on SAP NetWeaver. The security guidelines and recommendations described in the SAP NetWeaver Security Guide apply to SAP Multichannel Foundation for Utilities and Public Sector.

Communication Channel

The following table illustrates the communication channels used by SAP Multichannel Foundation for Utilities and Public Sector, the protocols used for the connection, and the data types transferred.

Table 15

Communication Path | Protocol Used | Data Types Transferred | Data Requiring Special Protection
Web browser acting as frontend client to SAP NetWeaver Gateway | HTTPS | Application data and security credentials | Application data and security credentials
SAP NetWeaver Gateway to SAP backend systems, and backend systems among each other | RFC | Application data | Application data

RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using SSL/TLS. Use HTTPS in all cases so that sensitive information is encrypted in transit. To enforce this for the UI application and all the services, set the SSL security requirement on the Logon Data tab of each SICF node; the node then rejects plain HTTP requests instead of merely allowing HTTPS.

For more information, see SAP Note 510007.

Network

Internet access to your SAP ERP backend system from SAP Multichannel Foundation for Utilities and Public Sector is secured by an application-level gateway in the corporate network DMZ, as described in the SAP NetWeaver Security Guide.

Communication Destinations

The following table illustrates an overview of the communication destinations used by SAP Multichannel Foundation for Utilities and Public Sector.

Table 16

Destination | Delivered | Type | User, Authorizations | Description
Connection to SAP ERP system | Yes | RFC | User ID | Used by the service user to create user accounts in the SAP ERP system (trusted RFC connection)

Internet Communication Framework Security

The web-facing surface of SAP Multichannel Foundation for Utilities and Public Sector consists of SAP NetWeaver Gateway OData services and HTML5/SAP UI5-based web-enabled content, both managed by the Internet Communication Framework (ICF, transaction SICF).

Activate only the ICF services required for the applications that you want to use, and leave all other services inactive.

NoteYou can also activate these services during the technical configuration.

The SAP Multichannel Foundation for Utilities and Public Sector solution relies on the following services in SAP ERP:

FMCAUI5_MOBILE: An HTML5/SAP UI5-based web-enabled interface to access the OData services.

ERP_FMCA_MC_PUBLIC_SRV: Anonymous OData Service from SAP ERP system.

ERP_FMCA_MC: OData services from the SAP ERP system

The application also uses the services USERMANAGEMENT and USERREQUESTMANAGEMENT from SAP NetWeaver Gateway.

More Information

For more information about ICF and OData service activation, see the RFC/ICF Security Guide at help.sap.com/netweaver under SAP NetWeaver 7.0 Including Enhancement Package 1 > SAP NetWeaver Security Guide > Security Guides for Connectivity and Interoperability Technologies.

Data Protection and Privacy

Since the SAP Multichannel Foundation for Utilities and Public Sector solution collects and processes online users’ personal data, it is often required to comply with legal regulations or public standards such as data privacy. In this instance, the user interface may need to be adjusted. For example, a check box has to be added to obtain the online user’s consent before an account is created.


The SAP Multichannel Foundation for Utilities and Public Sector application uses session cookies. For more information, see the Session Security Protection section above.

Recommendation: We recommend activating secure session management. We also strongly recommend using SSL/TLS to protect the network communications over which these security-relevant cookies are transferred.

User request data is stored in SAP Gateway for processing. Depending on business needs and local regulations, you can delete user requests after a defined retention period.

The SAP Multichannel Foundation for Utilities and Public Sector solution is built on SAP Gateway. To ensure that this data is protected from unauthorized access, see the Guide on Data Protection and Privacy provided by SAP NetWeaver at help.sap.com/netweaver under SAP NetWeaver Gateway 2.0 > Security Information > SAP NetWeaver Gateway Security Guide.

Read Access Logging (RAL)

Read Access Logging (RAL) is used to monitor and log read access to sensitive data. It is often required to comply with legal regulations or public standards such as data privacy. Since the application relies on the underlying business suite to save sensitive data, we highly recommend reading the documents for the underlying platforms and activating the RAL according to your specific requirements.

For more information, see help.sap.com/saphelp_nw74/helpdata/en/54/69bbeab2e94c93b9031584711d989d/frameset.htm .

More Information

● For more information about deleting user requests, see the SAP Help Portal at help.sap.com/nwgateway . In the SAP NetWeaver Gateway Developer Guide, choose OData Channel → Advanced Features → User Self Service → Configuration Settings for User Self Service → User Self Service IMG Activities (see User Request Cleanup Customizing Activity).

● For more information about data protection and privacy, see the SAP Help Portal at help.sap.com/nwgateway . In the SAP NetWeaver Gateway Security Guide, choose Data Protection and Privacy.

● For information about configuration settings for User Self Service, see the SAP Help Portal at help.sap.com/nwgateway . In the SAP NetWeaver Gateway Developer Guide, choose OData Channel → Advanced Features → User Self Service → Configuration Settings for User Self Service .

OData Services Security

SAP Multichannel Foundation for Utilities and Public Sector accesses backend data using OData. OData is a standardized protocol for creating and consuming data APIs. OData builds on core protocols such as HTTP and commonly accepted methodologies such as REST. The result is a uniform way of exposing full-featured data APIs.

REST web services rely on HTTP semantics. Therefore, they use the PUT and DELETE HTTP methods for update and delete operations. If an application-level gateway (reverse proxy) is used, it must be configured to permit these HTTP methods for the SAP NetWeaver Gateway OData services.

To secure the consumption of OData services, we recommend using batch mode for OData service requests. In batch mode, all OData service requests are encapsulated in POST requests. Without batch mode, navigation paths, filter expressions, and other query options are visible in the URL. This means they can be bookmarked and remain in the browser history, so potentially sensitive data can be exposed.
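To make the batch-mode recommendation concrete, the following is an added example (not code from the SAP guide or from SAP Gateway) that wraps OData read requests in a single $batch POST so that query options such as $filter travel in the request body rather than in the URL. The service path, entity set and token values are constructed placeholders, and the function names are assumptions made for this example.

```javascript
// Added example, not code from the SAP guide: OData V2 $batch request builder
// (the multipart/mixed format SAP Gateway accepts) plus a check for query
// options that would otherwise be exposed in a plain GET URL.

const CRLF = '\r\n';

// OData V2 system query options; the guide warns that these end up in
// bookmarks and browser history when sent as plain GET URLs.
const QUERY_OPTIONS = [
  '$filter', '$select', '$expand', '$orderby',
  '$top', '$skip', '$skiptoken', '$inlinecount',
];

// Return the system query options present in a URL, in QUERY_OPTIONS order.
function queryOptionsInUrl(url) {
  const q = url.indexOf('?');
  if (q < 0) return [];
  const names = url
    .slice(q + 1)
    .split('&')
    .map((pair) => decodeURIComponent(pair.split('=')[0]));
  return QUERY_OPTIONS.filter((opt) => names.includes(opt));
}

// Build one $batch POST from a list of read requests { path, headers }.
// `path` is relative to the service root, e.g. "Accounts?$filter=AccountID eq '1'".
// SAP Gateway requires an X-CSRF-Token on POST requests, including $batch; the
// token is obtained beforehand with a GET that carries "X-CSRF-Token: Fetch".
// `boundary` is optional and mainly useful for tests; a random one is generated otherwise.
function buildBatchRequest(serviceRoot, reads, csrfToken, boundary) {
  const b = boundary || 'batch_' + Math.random().toString(16).slice(2, 10);

  const parts = reads.map((r) => {
    const headers = Object.assign({ Accept: 'application/json' }, r.headers || {});
    const headerLines = Object.entries(headers).map(([k, v]) => `${k}: ${v}`);
    return [
      `--${b}`,
      'Content-Type: application/http',
      'Content-Transfer-Encoding: binary',
      '',                                   // end of part headers
      `GET ${encodeURI(r.path)} HTTP/1.1`,  // embedded request line (spaces encoded)
      ...headerLines,
      '',                                   // end of embedded request headers, empty body
    ].join(CRLF);
  });

  return {
    method: 'POST',
    url: serviceRoot.replace(/\/+$/, '') + '/$batch',
    headers: {
      'Content-Type': `multipart/mixed; boundary=${b}`,
      'X-CSRF-Token': csrfToken,
    },
    body: parts.join(CRLF) + CRLF + `--${b}--` + CRLF,
  };
}

// Constructed sample: two reads against a placeholder service.
const SAMPLE_SERVICE_ROOT = '/sap/opu/odata/sap/ZDEMO_SRV/';
const sampleBatch = buildBatchRequest(
  SAMPLE_SERVICE_ROOT,
  [
    { path: "Accounts?$filter=AccountID eq '1'" },
    { path: 'Accounts/$count' },
  ],
  'constructed-token',
);
console.log(sampleBatch.url, queryOptionsInUrl(sampleBatch.url)); // no query options in the URL
console.log(sampleBatch.body);
```

The resulting request URL is always `<service root>/$batch`, so `queryOptionsInUrl` on it returns an empty list; the same check on an unbatched URL lists every option that would have been exposed. The $batch response is likewise multipart and must be parsed part by part; that side is not shown here.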


Other Security-Related Information

Error Handling

ICM or SAP Web Dispatcher creates HTTP error messages in the standard system and sends them to the client. For security reasons, the details should not be made available to Internet users.

Some profile parameters, such as is/HTTP/show_detailed_errors and icm/HTTP/error_templ_path, affect the contents of the error pages of the ICM or SAP Web dispatcher.

Vulnerabilities

Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on another page when they intended to click on the top-level page. There are different solutions against clickjacking attacks, such as setting the X-Frame-Options HTTP header field, frame-busting JavaScript, and others.

The X-Frame-Options header can be set with the instance profile parameter:

ict/perm_response_header=<name>:<value>

The following values are supported:

● DENY (no hosting frame allowed)

● SAMEORIGIN (only the same origin allowed)

● ALLOW-FROM hostname.example.com (only the specified host allowed)

If this solution is not applicable, JavaScript code included in the HTML pages can actively prevent the page from being embedded in a frame. The following figure shows an example of such code:

Figure 8: Example frame-busting JavaScript (figure not reproduced)
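As an added example (not the figure from the SAP guide and not SAP code), the following puts the two countermeasures described above into testable form: a helper that validates an X-Frame-Options value against the three values the guide lists and renders the matching ict/perm_response_header profile line, and a frame buster that takes a window-like object so its decision can be exercised outside a browser. The function names and the sample origins are assumptions made for this example.

```javascript
// Added example, not code from the SAP guide: clickjacking countermeasures.
//  1. xFrameOptions() validates a value (DENY, SAMEORIGIN, ALLOW-FROM, as listed
//     in the guide) and renders the header plus the ICM profile parameter line
//     ict/perm_response_header=<name>:<value>.
//  2. isFramed()/bustFrame() implement frame busting for pages that cannot rely
//     on the header; they take a window-like object so they can be unit-tested.

const XFO_VALUES = ['DENY', 'SAMEORIGIN', 'ALLOW-FROM'];

// Render header and profile line for one X-Frame-Options value.
// `allowFromOrigin` is used only with ALLOW-FROM and must name exactly one
// origin; a bare host such as "hostname.example.com" is taken as https.
function xFrameOptions(value, allowFromOrigin) {
  const v = String(value).trim().toUpperCase();
  if (!XFO_VALUES.includes(v)) {
    throw new Error(`unsupported X-Frame-Options value: ${value}`);
  }
  let headerValue = v;
  if (v === 'ALLOW-FROM') {
    if (!allowFromOrigin) throw new Error('ALLOW-FROM requires an origin');
    const raw = /^[a-z][a-z0-9+.-]*:\/\//i.test(allowFromOrigin)
      ? allowFromOrigin
      : `https://${allowFromOrigin}`;
    // URL.origin strips any path or query, leaving scheme://host[:port].
    headerValue = `ALLOW-FROM ${new URL(raw).origin}`;
  } else if (allowFromOrigin) {
    throw new Error(`${v} does not take an origin`);
  }
  return {
    header: `X-Frame-Options: ${headerValue}`,
    profileLine: `ict/perm_response_header = X-Frame-Options:${headerValue}`,
  };
}

// True when this document is rendered inside another document's frame.
function isFramed(win) {
  return win.self !== win.top;
}

// Frame busting: when framed, navigate the top-level window to this page so the
// overlay disappears. Assigning top.location is allowed across origins, whereas
// reading top.location.href is not, so only the assignment is attempted.
// Returns true when a break-out was attempted, false when the page is top-level.
function bustFrame(win) {
  if (!isFramed(win)) return false;
  try {
    win.top.location = win.self.location.href;
  } catch (err) {
    // A sandboxed iframe without allow-top-navigation can block this (silently
    // or with an exception); the page then stays framed, which is why the
    // header remains the primary defence and this script only a fallback.
  }
  return true;
}

// In a browser, run the frame buster as early as possible (inline in <head>).
if (typeof window !== 'undefined') {
  bustFrame(window);
}

// Sample rendering of the profile line for the SAMEORIGIN setting.
console.log(xFrameOptions('SAMEORIGIN').profileLine);
```

The script-based fallback should be deployed alongside, not instead of, the header wherever the profile parameter can be set, because the header is enforced by the browser before any page script runs.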

Sensitive Information in Browser Cache

A technical limitation has been identified: some PDF files are cached by browsers. This may cause security issues when the PDF files contain sensitive information. This issue has been investigated and a solution is being implemented at this time. Contact SAP for information about the availability of this solution.

Payment Card Security

The Payment Card Industry Data Security Standard (PCI-DSS) was jointly developed by major credit card companies to create a set of common industry security requirements to protect cardholder data. Compliance with this standard is relevant for companies processing credit card data. For more information, see www.pcisecuritystandards.org .

This application relies on the underlying SAP Business Suite to store or process payment card information. For general information and measures to ensure payment card security, see the Payment Card Security Guide on SAP Service Marketplace at service.sap.com/securityguide under SAP Business Suite Applications → Payment Card Security on the left-hand side panel.

Note

The PCI-DSS covers more than those steps and considerations. Complying with the PCI-DSS is the customer’s responsibility.

In addition to the other measures, it is important to keep an access log and to mask the payment card numbers when they are displayed or transmitted. This can be handled by SAP Business Suite in Customizing under Cross-Application Components → Payment Cards → Basic Settings → Make Security Settings for Payment Cards .

For current information about PCI-DSS, see SAP Note 1609917 .

CAPTCHA

A CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot. There are many CAPTCHA services available online, such as Google’s reCAPTCHA™. It is strongly recommended that you integrate a CAPTCHA service into the application to further protect public services such as User Registration and Anonymous Bill Payment.

Note

CAPTCHA integration involves extending the OData Model, which is detailed in an earlier chapter.

Virus Scan Interface

The virus scan interface can be used to include external virus scanners in the SAP system to increase security, especially when uploading files from unknown sources is allowed. The virus scan interface can also be used to restrict the file types that can be uploaded to the system. It is important that the virus scan is configured and activated in the system.

For details about enabling antivirus scans, see the SAP Library at help.sap.com/saphelp_nw74/helpdata/en/4e/2606c3c61920cee10000000a42189c/frameset.htm and help.sap.com/saphelp_nw74/helpdata/en/b5/5d22518bc72214e10000000a44176d/content.htm .

More Information

For more information, see help.sap.com/nw_platform and choose Technical Operations for SAP NetWeaver (7.01) → Configuration → Profiles → Maintaining Profiles → Changing and Switching Profile Parameters .

Security-Relevant Logging and Tracing

For more information about security logs for the SAP NetWeaver Gateway, see help.sap.com/nwgateway and choose SAP NetWeaver Gateway Developer Guide → OData Channel → APIs and Coding → Logging in SAP NetWeaver Gateway .


Typographic Conventions

Table 17

Example Description

<Example> Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your <User Name>”.

Example → Example Arrows separating the parts of a navigation path, for example, menu options

Example Emphasized words or expressions

Example Words or characters that you enter in the system exactly as they appear in the documentation

www.sap.com Textual cross-references to an internet address

/example Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web

123456 Hyperlink to an SAP Note, for example, SAP Note 123456

Example ● Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.

● Cross-references to other documentation or published works

Example ● Output on the screen following a user action, for example, messages

● Source code or syntax quoted directly from a program

● File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools

EXAMPLE Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE

EXAMPLE Keys on the keyboard


www.sap.com

© Copyright 2016 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.