
Berthold Wocher, SAP AG

SAP Web Dispatcher Configuration for a SAP Cloud for Customer to SAP NW PI integration with client certificates

© 2012 SAP AG. All rights reserved. 2

Disclaimer

These slides show an option for a Web Dispatcher installation for an integration of SAP Cloud for Customer with an SAP NW PI system. The focus is on encryption, authentication and further security aspects within the Web Dispatcher. Firewalls are not considered in detail here but should definitely be used.

Different setups are possible, but the ones shown here are tested and rather simple to realize.

In any case this should be validated against your own security guidelines.


Reference Landscape/Goals

The customer landscape shall be protected against any attacks from the Internet.

Data transfer should always be encrypted (https instead of http).

Authentication should be done with a client certificate instead of user/password.

The Web Dispatcher shall be the single point of entry into the customer's landscape and a second line of defense (behind the firewall); therefore the WD needs to decrypt and re-encrypt (SSL termination).

We recommend using port 443 on the WD, since this is supported by default by the Cloud outbound proxies.

Recommended: WD with SSL termination


Complete Setup with self-signed certificates

This setup is very easy to realize, since no CA is needed for the WD certificates. It can be used for server-to-server communication. If the WD should also serve client calls from a browser, you can't use this setup, because a browser will not trust the self-signed WD server certificate. The client certificate M0000000xxxxx is tenant specific and preinstalled in C4C. The Server PSE is created with sapgenpse; the Client PSE is a copy of the Server PSE made in the file system.

[Figure: complete setup with self-signed certificates. The diagram connects C4C (myxxxxxx.crm.ondemand.com), calling out through the OD Proxy (IP 155.56.208.64/28), to the Web Dispatcher (webdisp.corp) via https on port 443, and the Web Dispatcher to NW PI (nwpi.corp) via https. The certificate labels shown are:]

C4C: Client Cert issued to M000000000XXXXXXXX, issued by SAPPassportCA (with cert chain); Root Cert issued to SAPPassportCA, issued by SAPPassportCA (needed wherever the C4C client certificate is verified).

Web Dispatcher (with IP and URL filter): Server Cert issued to webdisp.corp, issued by webdisp.corp; Client Cert issued to webdisp.corp, issued by webdisp.corp (with cert chain). The C4C Client Cert (issued to M000000000XXXXXXX, issued by SAPPassportCA) is passed on to NW PI in an http header.

NW PI (STRUST with Client PSE and Server PSE): Server Cert issued to nwpi.corp, issued by AnyCA (with cert chain); Root Cert issued to AnyCA, issued by AnyCA; Cert Trust List containing the Client Cert (public key) issued to webdisp.corp, issued by webdisp.corp. The Client Cert (public key) of webdisp.corp appears twice in the diagram. Note in the diagram: a self-signed certificate created by STRUST can also be used here.


Complete Setup with CA-signed Server Certificate

[Figure: complete setup with a CA-signed server certificate on the Web Dispatcher. The topology is the same as above: C4C (myxxxxxx.crm.ondemand.com) through the OD Proxy (IP 155.56.208.64/28) to the Web Dispatcher (webdisp.corp) via https on port 443, then to NW PI (nwpi.corp) via https. The certificate labels shown are:]

C4C: Client Cert issued to M000000000XXXXXXXX, issued by SAPPassportCA (with cert chain); Root Cert issued to SAPPassportCA, issued by SAPPassportCA.

Web Dispatcher (with IP and URL filter): Server Cert issued to webdisp.corp, issued by AnyCA; Root Cert issued to AnyCA, issued by AnyCA; Client Cert issued to webdisp.corp, issued by webdisp.corp (with cert chain). The C4C Client Cert (issued to M000000000XXXXXXX, issued by SAPPassportCA) is passed on to NW PI in an http header.

NW PI (STRUST with Client PSE and Server PSE): Server Cert issued to nwpi.corp, issued by AnyCA (with cert chain); Root Cert issued to AnyCA, issued by AnyCA; Cert Trust List containing the Client Cert (public key) issued to webdisp.corp, issued by webdisp.corp.

This setup uses a CA-signed server certificate on the Web Dispatcher.

The client certificate M0000000xxxxx is tenant specific and preinstalled in C4C.

Note in the diagram: a self-signed certificate created by STRUST can also be used here.


5 very effective security settings

IP filtering: create a white list of IP addresses or IP ranges which are allowed to connect to the Web Dispatcher.

Enforce client certificate: if you set the WD parameter icm/HTTPS/verify_client = 2, the WD will accept a call only if the client presents a valid certificate (very strong protection in this specific scenario).

URL filtering: create a white list of URLs which can be reached via the Web Dispatcher.

HTTP logging: switch on HTTP logging on the Web Dispatcher. With that you have an overview of who is connecting to your network and you can control it.

Information disclosure: the WD should not provide internal details about system errors to the client (default for WD 7.40). Hackers could use this error information to attack the system.
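A Web Dispatcher profile fragment that puts the five settings above and the SSL termination setup from the reference landscape together in one place. This is an added example, not a profile from the slides; the PSE, ACL and permission-file paths, the backend SID and message-server port, and the PI URL prefix are assumptions, while the OD Proxy range is the one shown in the diagrams.

```ini
# Constructed example fragment for sapwebdisp.pfl (not from the slides).
# PSE, ACL and permission-file paths, the backend SID/message-server port
# and the PI URL prefix are assumptions; replace them for your landscape.

# Backend: NW PI from the reference landscape, reached over HTTPS only
wdisp/system_0 = SID=PI1,MSHOST=nwpi.corp,MSPORT=8101,SRCSRV=*:443

# 1. IP filtering: listen on 443 (default for the Cloud outbound proxies),
#    admission decided by the ACL file before any HTTP processing
icm/server_port_0 = PROT=HTTPS,PORT=443,ACLFILE=$(DIR_INSTANCE)/sec/wdisp_acl.txt

# 2. Enforce a client certificate on every inbound TLS handshake
icm/HTTPS/verify_client = 2
# Hand the verified C4C certificate to NW PI in an HTTP header
icm/HTTPS/forward_ccert_as_header = TRUE

# SSL termination: decrypt with the WD server PSE, re-encrypt towards NW PI
# and authenticate to NW PI with the WD's own client certificate
ssl/server_pse = $(DIR_INSTANCE)/sec/SAPSSLS.pse
wdisp/ssl_encrypt = 1
wdisp/ssl_auth = 2
wdisp/ssl_cred = $(DIR_INSTANCE)/sec/SAPSSLC.pse

# 3. URL filtering via a permission file
icm/HTTP/auth_0 = PREFIX=/,PERMFILE=$(DIR_INSTANCE)/sec/wdisp_perm.txt

# 4. HTTP access log in Common Log Format, rotated daily
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=$(DIR_HOME)/access_log-%y%m%d,LOGFORMAT=CLF,SWITCHTF=day

# 5. Information disclosure: no internal error details to the client
is/HTTP/show_detailed_errors = FALSE

# ---- contents of wdisp_acl.txt (rules are checked top to bottom) ----
# permit 155.56.208.64/28
# deny   0.0.0.0/0

# ---- contents of wdisp_perm.txt (P = permit, D = deny, top to bottom) ----
# P /XISOAPAdapter/*
# D /*
```

After a profile change, restart the Web Dispatcher and confirm in the access log that a call from outside the permitted range or without a client certificate is rejected before it reaches NW PI.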

More Information about SAP Web Dispatcher

Appendix

SAP NetWeaver Application Server

SAP Web Dispatcher Overview

Web Dispatcher is SAP's software load balancer.

Free of charge and low TCO. High performance. Perfectly supports SAP systems and their load balancing and request routing features out of the box.

SAP Web Dispatcher Overview

Main SAP Web Dispatcher features:
Load balancing with session stickiness
Reverse proxy
Request header filtering and modification, incl. redirects
Support for multiple systems
Auto-configuration by retrieving topology information from the system
Supports ABAP and Java application servers, HANA XS and other HTTP servers

Positioning:
Easily consumable Web infrastructure solution
Not mandatory; the customer may use third-party Web infrastructure

SAP Web Dispatcher Further Information

Sizing: SAP Web Dispatcher sizing information can be found in SAP Service Marketplace: http://service.sap.com/sizing -> Sizing Guidelines -> Database and Technology -> SAP NetWeaver

Documentation: http://help.sap.com/saphelp_nw73/helpdata/en/48/8fe37933114e6fe10000000a421937/content.htm

SAP Web Dispatcher Security Features

SSL support for client and server connection
Confidentiality through encryption/decryption
X.509 client certificate forwarding
HTTP request/response checks for correctness: cookies, headers, directory traversals
HTTP log
URL filter
Content filter (rule-based scanning engine)
Security log

Why use SAP Web Dispatcher for the C4C NW PI integration?

Hide the internal network: avoid direct access to ICM services from the Internet. Avoid implementing complex restrictions in the Web AS, e.g. it is not necessary to deactivate ICF services in the backend.

Concept of "multiple lines of defense": don't rely on one single component doing everything.

It is beneficial to have security features in a redundant way: IP filtering in the firewall AND in the SAP Web Dispatcher, so your network stays safe even if the firewall is temporarily off.

Decoupling the consumer from the service: flexibility in exchanging components.

Installation

Open location http://service.sap.com/sltoolset

Navigate to Software Logistics Toolset 1.0

and download two files, the Software Provisioning Manager and the corresponding (non unicode!) kernel, into a folder on your server

Unpack the SWPM: SAPCAR.exe -xvf SWPM.sar

Unzip the kernel into a folder on your server

Start the installer sapinst.exe and follow the instructions of the wizard

For available releases, patches and compatibility with backend systems please refer to SAP Note 908097

© 2014 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP AG or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP AG or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP AG or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP AG or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP AG's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP AG or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
