PUBLIC

SAP Disclosure Management
Document Version: 10.1 SP08 – 2016-11-24

Security Guide

Content

1 Introduction (page 3)

2 Before You Start (page 5)

3 Technical System Landscape (page 6)

4 User Administration and Authentication (page 8)

4.1 User Management (page 8)

5 Authorizations (page 10)

6 Network and Communication Security (page 13)

6.1 Password Encryption for Connection Strings (page 15)

    Changing Connection Strings After Encryption (page 16)

6.2 Cross-Origin Resource Sharing (page 16)

6.3 RESTful API and Security (page 17)

    Enable AD Authentication (page 17)

    RESTful API Calls Within SAP Disclosure Management (SAP DM) (page 18)

    RESTful API Calls from Outside SAP Disclosure Management (SAP DM) (page 19)

7 Changing the Signing Certificate (page 21)

8 Data Storage Security (page 22)

8.1 Cookies in SAP Disclosure Management (SAP DM) (page 22)

9 Security-Relevant Logging and Tracing (page 24)

10 Other Security-Relevant Information (page 25)

10.1 Password Policy (page 26)

10.2 Password Security (page 27)

10.3 Single Sign-On (page 29)

10.4 Authenticating Using Security Assertion Markup Language 2.0 (page 30)

10.5 Preventing Anonymous Access to SAP Disclosure Management Online User Help Files (page 31)

11 Security for Additional Applications (page 32)

2 P U B L I CSecurity Guide

Content

1 Introduction

Caution: This document is not included as part of the Installation Guides, Administration Guides, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.

Target Audience

● Technology consultants
● System administrators

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security apply likewise to SAP Disclosure Management. To assist you in securing SAP Disclosure Management, we provide this Security Guide.

About this Document

The Security Guide provides an overview of the security-relevant information that applies to SAP Disclosure Management.

The Security Guide comprises the following main sections:

● Before You Start: This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.

● Technical System Landscape: This section provides an overview of the technical components and communication paths that are used by SAP Disclosure Management.

● User Administration and Authentication: This section provides an overview of the following user administration and authentication aspects:
  ○ Recommended tools to use for user management.
  ○ User types that are required by SAP Disclosure Management.
  ○ Standard users that are delivered with SAP Disclosure Management.
  ○ Overview of the user synchronization strategy, if several components or products are involved.
  ○ Overview of how integration into Single Sign-On environments is possible.

● Authorizations: This section provides an overview of the authorization concept that applies to SAP Disclosure Management.

● Network and Communication Security: This section provides an overview of the communication paths used by SAP Disclosure Management and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

● Data Storage Security: This section provides an overview of any critical data that is used by SAP Disclosure Management and the security mechanisms that apply.

● Security for Third-Party or Additional Applications: This section provides security information that applies to third-party or additional applications that are used with SAP Disclosure Management.

● Other Security-Relevant Information: This section contains information about the following topics:
  ○ Server Security
  ○ Web Services
  ○ JavaScript
  ○ Passwords


2 Before You Start

Fundamental Security Guides

For a complete list of the available SAP Security Guides, see http://service.sap.com/securityguides on the SAP Service Marketplace.

Important SAP Notes

The most important SAP Notes that apply to the security of SAP Disclosure Management are shown in the table below.

Table 1:

SAP Note | Title | Comment
1621689 | Advice for Server Installation of Disclosure Management 10.0 |
1318499 | Transportability of Web services |

In addition, you can find a list of security-relevant SAP Hot News and SAP Notes on the SAP Service Marketplace at http://service.sap.com/securitynotes.

Additional Information

For more information about specific topics, see the Quick Links as shown in the table below.

Table 2:

Content | Quick Link on the SAP Service Marketplace or SDN
Security | http://sdn.sap.com/irj/sdn/security
Security Guides | http://service.sap.com/securityguide
Related SAP Notes | http://service.sap.com/notes and http://service.sap.com/securitynotes
Released platforms | http://service.sap.com/pam
Network security | http://service.sap.com/securityguide
SAP NetWeaver | http://sdn.sap.com/irj/sdn/netweaver


3 Technical System Landscape

The figure below shows an overview of the technical system landscape for SAP Disclosure Management:

For more information about the technical system landscape, see the resources listed in the following table:

Table 3:

Topics | Guide/Tool | Quick Link to the SAP Service Marketplace or SDN
Technical description for SAP Disclosure Management | Master Guide | http://service.sap.com/instguides
Security | See applicable documents | http://sdn.sap.com/irj/sdn/security

Note: For a list of the software and hardware requirements for SAP Disclosure Management 10.1 and SAP Disclosure Management XBRL reporting add-ons 1.0, see the SAP Disclosure Management 10.1 Product Availability Matrix (PAM). The Product Availability Essentials presentation also contains information for getting started, and can be found under General Information > Details and Dates > Essentials.


4 User Administration and Authentication

We include information about user administration and authentication that specifically applies to SAP Disclosure Management in the following topic:

● User Management [page 8]: This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with SAP Disclosure Management.

4.1 User Management

SAP Disclosure Management has its own user management mechanisms. For an overview of how these mechanisms apply, see the sections below. In addition, we provide a list of the standard users required for operating SAP Disclosure Management.

User Administration Tools

The table below shows the tools to use for user management and user administration in SAP Disclosure Management.

Table 4: User Management Tools

Tool | Detailed Description
User administration in SAP Disclosure Management | You can manage users on the Administration tab in the SAP Disclosure Management application. For more information, see the section “User Administration” in the SAP Disclosure Management Administrator's Guide.

Standard Users

The table below shows the standard users that are necessary for operating SAP Disclosure Management.


Table 5:

System | Type | Description
Internet Information Server (IIS) | Windows Domain Account with read permission for Active Directory | The Windows Domain Account is required to authenticate SAP Disclosure Management users against Active Directory when using Single Sign-On (SSO).

Note: The login screen of SAP Disclosure Management prompts the user for a user name and password. For security reasons the user name field does not provide an autocomplete function. The autocomplete function is provided by modern browsers but is switched off for the login screen.


5 Authorizations

Standard Roles

The table below shows the standard roles that are used by SAP Disclosure Management:

Table 6:

Role | Description
Standard Admin | Administers the system, assigned to authorization object Manages Apps
Standard Manager | Manages and edits reports
Standard Editor | Can only edit chapters
Standard Readonly | Can only read reports and chapters
Standard Transporter | Imports and exports content

You can assign roles to users at the following levels:

● Globally: If you assign a role to a user in User Administration, this user gets the corresponding permissions in all reports and chapters.

● Locally: If you assign a role to a user on the Permissions tab in a report or chapter, this user gets the corresponding permissions for this report or chapter only.

Note: To ensure data protection and prevent unauthorized access to reports or chapters, we recommend that you use local authorizations rather than global authorizations.

Standard Authorization Objects on the SAP Disclosure Management Server

In SAP Disclosure Management, you can create customized roles. When creating a role, you can assign it any combination of the authorization objects described below.

The table below shows the security-relevant authorization objects that are used on the SAP Disclosure Management server:


Table 7:

Group | Permission | Description
Administration | system | All features available on the Administration tab on the SAP Disclosure Management server
Period | manage | Create, change, and delete periods
Report | manage | Create, change, and delete reports
Report | view | Display report content (read-only)
Report | undo | Undo checkout of report content
Report | edit | Edit report content
Report | lock | Lock all chapters of a report
Report | undo all chapters | Undo checkout of all chapters of a report
Report | unlock | Unlock all chapters of a report
Report | edit for writeback | Write back content from a generated report document to the chapter documents
Chapter | edit | Edit chapter content
Chapter | view | Display report content (read-only)
Chapter | undo | Undo checkout of chapter content

Standard Authorization Objects in the SAP BW System

If you want to use an SAP Business Information Warehouse (SAP BW) system as a data source, you must have a user in the SAP BW system. To retrieve data from an SAP BW system, you must log on to the SAP BW system using credentials for this system.

When users create briefing books in the SAP Disclosure Management Microsoft Office add-in, the system stores these briefing books in the SAP Disclosure Management BW Connector.

The table below shows the security-relevant authorization object that is used in the SAP BW system:

Table 8:

Authorization Object | Field | Value | Description
DCUBIPAUH | ACTVT (Activity) | 01 (Create or generate) | This value is currently not checked.
DCUBIPAUH | ACTVT (Activity) | 02 (Change) | This value is currently not checked.
DCUBIPAUH | ACTVT (Activity) | 03 (Display) | This value is currently not checked.
DCUBIPAUH | ACTVT (Activity) | 16 (Execute) | With this authorization, users can display and use all briefing books that have been created in SAP BusinessObjects Disclosure Management. Without this authorization, users can only display and use the briefing books that they have created or that have been assigned to them in the SAP BusinessObjects Disclosure Management Microsoft Office add-in.
DCUBIPAUH | ACTVT (Activity) | 43 (Release) | This value is currently not checked.

This authorization object is available in the SAP BW system after you have installed the SAP Disclosure Management BW Connector.

You can use this authorization object in an authorization profile, which can be assigned to a role. You can then assign the role to users. For more information, see the SAP NetWeaver Security Guide.

To assign SAP BW queries to a briefing book, users must also have authorizations for the queries in the SAP BW system.

To access the replicated data from the SAP BW system in SAP Disclosure Management, users must have view authorization for chapters.


6 Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system's database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

Communication Channel Security

The following table describes the communication paths and protocols used between different components of the application:

Table 9:

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Frontend client using a Web browser to application server | HTTP(S) | All application data | Passwords
Frontend client using FREC client to application server | HTTP(S) / SOAP | Report content and chapter content | Report content and chapter content
Frontend client using Microsoft Office add-in to application server (via ASP.NET Web services) | HTTP(S) / SOAP | Report content and chapter content | Report content and chapter content
Application server to Microsoft SQL Server database | TCP/IP | All application data | Passwords, report content and chapter content
Application server to XBRL Processing Engine (XPE) | TCP/IP | XBRL instances | XBRL instances

Note: To ensure data protection and privacy, we recommend that you use HTTPS rather than HTTP for the communication between the frontend client and the application server. In order to use HTTPS, you have to activate HTTPS on the Microsoft Internet Information Services Server (IIS). For more information about the activation of HTTPS on IIS, see the information in the Microsoft Knowledge Base.

The following figure shows the communication paths used to get data from different data sources:


The following table describes the communication paths and protocols used to get data from different data sources:

Table 10:

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Microsoft Office add-in to SAP ERP data source | RFC | Financial report data | Financial report data
Microsoft Office add-in to Microsoft Analysis Services data source | TCP/IP (MDX / XMLA) | Financial report data | Financial report data
Microsoft Office add-in to XML or Microsoft Excel data source | File system | Financial report data | Financial report data
Microsoft Office add-in to ODBC or OLEDB data source | TCP/IP (SQL) | Financial report data | Financial report data
Microsoft Office add-in or application server to SAP Business Information Warehouse (BW) data source with the SAP Disclosure Management BW Connector | HTTP(S) / SOAP | Financial report data | Financial report data
Microsoft Office add-in or application server to Microsoft SQL Server data source | TCP/IP (SQL) | Financial report data | Financial report data


6.1 Password Encryption for Connection Strings

SAP Disclosure Management connection strings can pose a security problem as the login and password are defined in clear text. Although this information is only visible to the system administrator, this person may not be the database administrator and therefore should not be allowed to see the database connection login and password. There is potential for a severe misuse of sensitive data.

The clear text connection strings are currently only used by the application server and task engine service in the files listed below:

File location: <DM AppServer Installation Folder>\Bin\cundus.enterpriseReporting.Services.dll.Config

File location: <DM Taskengine Installation Folder>\SAP\SAP Disclosure Management TaskEngine\SAP.DM.TaskEngine.WinService.exe.config

Encryption API

Microsoft provides a standard RSA Encryption Provider called DataProtectionConfigurationProvider, which is used to encrypt and decrypt connection strings of ASP.NET Web configuration files. The method is called with the parameter value connectionStrings, which is the section name in the corresponding configuration file. First the configuration file is loaded, then the section is RSA encrypted, and the configuration file is saved again.

Encryption Schedule

The encryption runs automatically when the SAP Disclosure Management application or task engine starts.

SAP Disclosure Management application server

The connection string encryption method is called from the global.asax method Application_Start(), where the encryption process will also be logged. When the method is called after an IISReset, the connection string is encrypted automatically. If the administrator needs to reset the application, the connection string information can be changed beforehand. You also have the option to change it if the server, login, or password changes during productive use of SAP Disclosure Management.

SAP Disclosure Management Task Engine Service

The connection string encryption method is called from the program.cs method OnStart(), where the encryption process will also be logged. The method is called when the service starts or restarts. The connection string information can be changed before this is done; you can also change it if the server, login, or password changes during productive use of SAP Disclosure Management. The same encryption occurs when the task engine console is started.


6.1.1 Changing Connection Strings After Encryption

Context

If the connection string server or password information has changed, proceed as follows:

<connectionStrings>
  <add name="enterpriseReporting"
       connectionString="Data Source=server;Initial Catalog=DM_Development;Integrated Security=true;User Id=CDMUser;Password=#CDMUserPassword#;MultipleActiveResultSets=True"
       providerName="System.Data.SqlClient"></add>
</connectionStrings>

Procedure

1. Replace the clear text <connectionStrings> section with the encrypted section in all configuration files in all SAP Disclosure Management components.

2. Reset or restart the application.
3. The new connection string is encrypted again.

Alternatively, you can find a template <connectionStrings> section in both configuration files; copy this and paste it over the existing encrypted section.
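The following PowerShell script is an added example, not SAP's code, showing the protected-configuration mechanism described in 6.1 and the "clear text, restart, re-encrypted" cycle of 6.1.1 from the administrator's side: it protects or unprotects the <connectionStrings> section of a .NET configuration file through the same System.Configuration API and then checks the saved file. The configuration path is a placeholder you supply; the provider name is the one the guide names; the function names are my own.

```powershell
# Added example (not SAP's code). Protect, unprotect and verify the
# <connectionStrings> section of a .NET *.config file. $ConfigPath is a
# placeholder for one of the two files listed in section 6.1.
Add-Type -AssemblyName System.Configuration

function Open-DmConfig {
    param([Parameter(Mandatory)][string]$ConfigPath)
    # Map an arbitrary *.config file so ConfigurationManager can load it.
    $map = New-Object System.Configuration.ExeConfigurationFileMap
    $map.ExeConfigFilename = (Resolve-Path -LiteralPath $ConfigPath).Path
    return [System.Configuration.ConfigurationManager]::OpenMappedExeConfiguration(
        $map, [System.Configuration.ConfigurationUserLevel]::None)
}

function Protect-DmConnectionStrings {
    # Same operation the application performs at start-up (section 6.1).
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [string]$Provider = 'DataProtectionConfigurationProvider'
    )
    $config  = Open-DmConfig $ConfigPath
    $section = $config.GetSection('connectionStrings')
    if ($section.SectionInformation.IsProtected) { return 'already-protected' }
    $section.SectionInformation.ProtectSection($Provider)
    $section.SectionInformation.ForceSave = $true
    $config.Save([System.Configuration.ConfigurationSaveMode]::Modified)
    return 'protected'
}

function Unprotect-DmConnectionStrings {
    # Use before changing server, login or password (section 6.1.1); the
    # application encrypts the section again on its next start.
    param([Parameter(Mandatory)][string]$ConfigPath)
    $config  = Open-DmConfig $ConfigPath
    $section = $config.GetSection('connectionStrings')
    if (-not $section.SectionInformation.IsProtected) { return 'already-clear' }
    $section.SectionInformation.UnprotectSection()
    $section.SectionInformation.ForceSave = $true
    $config.Save([System.Configuration.ConfigurationSaveMode]::Modified)
    return 'clear'
}

function Test-DmConnectionStringsProtected {
    # Inspect the raw XML rather than trusting the API: a protected section
    # carries a configProtectionProvider attribute and an EncryptedData child,
    # and no clear-text Password= value remains.
    param([Parameter(Mandatory)][string]$ConfigPath)
    [xml]$xml = Get-Content -LiteralPath $ConfigPath -Raw
    $node = $xml.SelectSingleNode('/configuration/connectionStrings')
    if ($null -eq $node) { return $false }
    $hasProvider  = $node.GetAttribute('configProtectionProvider') -ne ''
    $hasEncrypted = $null -ne $node.SelectSingleNode('*[local-name()="EncryptedData"]')
    $hasClearPw   = $node.OuterXml -match 'Password='
    return ($hasProvider -and $hasEncrypted -and -not $hasClearPw)
}

# Usage (placeholder path):
# Protect-DmConnectionStrings 'C:\DM\Bin\cundus.enterpriseReporting.Services.dll.Config'
# Test-DmConnectionStringsProtected 'C:\DM\Bin\cundus.enterpriseReporting.Services.dll.Config'
```

One caveat worth knowing when following the 6.1.1 procedure: DataProtectionConfigurationProvider uses the Windows DPAPI key of the machine that encrypted the section, so an encrypted <connectionStrings> block copied from one server's configuration file will not decrypt on another server. Copy the clear-text template between files, as the guide suggests, and let each server encrypt it itself on restart.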

6.2 Cross-Origin Resource Sharing

Context

The SAP Disclosure Management application server does not prevent cross-origin requests, as these are required to be able to operate within the entire network without being limited to a specific domain. However, if you do want to limit cross-origin resource sharing, follow the steps below:

Procedure

1. Open Internet Information Service Manager (IIS Manager).
2. Select the SAP Disclosure Management web site.
3. Select the IIS feature HTTP Response Headers.
4. Add a new HTTP response header Access-Control-Allow-Origin and set the value to the required domain.
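As an added example (not SAP's code), the following PowerShell performs step 4 without the IIS Manager GUI and then checks what the server actually returns for a cross-origin request. The site name, the allowed origin and the server URL are placeholders; the function names are my own. It also refuses the wildcard value, which would re-open the site to every origin and defeat the purpose of the procedure.

```powershell
# Added example (not SAP's code). Set one explicit allowed origin on the
# SAP DM site in IIS and verify the response header. $SiteName, $Origin and
# $ServerUrl are placeholders.
Import-Module WebAdministration

function Test-DmAllowedOrigin {
    param([Parameter(Mandatory)][string]$Origin)
    # "*" allows every origin; browsers compare scheme, host and port, so
    # require a complete HTTPS origin with no path component.
    if ($Origin -eq '*') { return $false }
    return $Origin -match '^https://[A-Za-z0-9.-]+(:\d+)?$'
}

function Set-DmCorsOrigin {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$Origin
    )
    if (-not (Test-DmAllowedOrigin $Origin)) {
        throw "Refusing to set Access-Control-Allow-Origin to '$Origin'"
    }
    $psPath = "IIS:\Sites\$SiteName"
    $filter = 'system.webServer/httpProtocol/customHeaders'
    # Remove an earlier value first so the header is not emitted twice.
    Remove-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -AtElement @{ name = 'Access-Control-Allow-Origin' } -ErrorAction SilentlyContinue
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -Value @{ name = 'Access-Control-Allow-Origin'; value = $Origin }
}

function Get-DmCorsHeader {
    # Send a request carrying an Origin header and return what the server
    # answers in Access-Control-Allow-Origin ($null if the header is absent).
    param(
        [Parameter(Mandatory)][string]$ServerUrl,
        [Parameter(Mandatory)][string]$Origin
    )
    $resp = Invoke-WebRequest -Uri $ServerUrl -Headers @{ Origin = $Origin } -UseBasicParsing
    return $resp.Headers['Access-Control-Allow-Origin']
}

# Usage (placeholders):
# Set-DmCorsOrigin -SiteName 'SAP Disclosure Management' -Origin 'https://reporting.example.com'
# Get-DmCorsHeader -ServerUrl 'https://dm.example.com/' -Origin 'https://other.example.com'
```

A static IIS response header can only carry one fixed value, so this configuration admits exactly one origin; if several client domains must be served, the header has to be set per request by the application rather than statically.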

6.3 RESTful API and Security

SAP Disclosure Management provides and uses many RESTful APIs. These APIs are secured with a signed access token, which is created during the login procedure or by using an authentication request. The signing is done with a certificate. By default, a self-signed certificate with the issuer ApiDisclosureManagement is used, which is delivered with SAP Disclosure Management and imported to the server's certificate store during the installation of SAP Disclosure Management.

Note: It is strongly recommended to use an officially signed certificate in your productive system. For more information, see Changing the Signing Certificate [page 21].

6.3.1 Enable AD Authentication

You can use RESTful API with AD Authentication. When using this function, it is necessary to extend the Web.config file which is located in the SAP Disclosure Management server root folder. Paste the content below within the section <configuration> to your Web.config file:

Sample Code

<configuration>
  <!-- Disable Forms Authentication for this URL -->
  <location path="api/Authenticate">
    <!-- Disable Forms Authentication -->
    <FormsAuthenticationWrapper enabled="false" />
    <system.webServer>
      <security>
        <!-- Enable IIS Windows authentication for the login page -->
        <authentication>
          <windowsAuthentication enabled="true" />
          <anonymousAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>

Note: Anonymous RESTful API calls are not allowed. In order to get an access token by using AD authentication, use the parameter UseDefaultCredentials for the command Invoke-WebRequest.


Example

$access_token = Invoke-WebRequest %SERVER%/api/Authenticate -method Post -UseDefaultCredentials

6.3.2 RESTful API Calls Within SAP Disclosure Management (SAP DM)

Context

The figure below describes the process for RESTful API calls within SAP Disclosure Management:

Procedure

1. The client logs on to SAP DM.
2. The application server creates an access token, which is used for each RESTful API call. This access token contains client-specific information and an expiration date.
3. A certificate is needed to encrypt and sign the above-mentioned data. SAP Disclosure Management requests the certificate from the personal certificate store of the Windows server.
4. SAP DM receives the certificate from the certificate store of the Windows server.
5. SAP DM encrypts and signs the client's access token and stores it in the client's session.
6. The client consumes a RESTful API.
7. SAP DM reads the access token from the client's session.
8. A certificate is needed to decrypt and validate the access token. SAP DM requests the certificate from the certificate store of the Windows server.
9. SAP DM receives the certificate from the certificate store of the Windows server.
10. SAP DM decrypts and validates the client's access token.
11. SAP DM sends the response to the client if the access token is valid.

6.3.3 RESTful API Calls from Outside SAP Disclosure Management (SAP DM)

Context

SAP DM provides RESTful APIs for external clients that are not logged in to SAP DM. This procedure is shown in the figure below:


Procedure

1. The client authenticates itself against SAP DM by using an Authenticate API which allows anonymous calls.
2. The application server creates an access token, which is used for each RESTful API call. This access token contains client-specific information and an expiration date.
3. A certificate is needed to encrypt and sign the above-mentioned data. SAP DM requests the certificate from the certificate store of the Windows server.
4. SAP DM receives the certificate from the personal certificate store of the Windows server.
5. SAP DM encrypts and signs the client's access token and stores it in the client's session.
6. The client receives an encrypted and signed access token.
7. The client consumes a RESTful API and sends the access token from step 6 in the request header.
8. SAP DM reads the access token from the client's request header.
9. A certificate is needed to decrypt and validate the access token. SAP DM requests the certificate from the certificate store of the Windows server.
10. SAP DM receives the certificate from the certificate store of the Windows server.
11. SAP DM decrypts and validates the client's access token.
12. SAP DM sends the response to the client if the access token is valid.
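The client side of this exchange (steps 1, 6 and 7 above, with the server's verdict from step 12) as an added PowerShell example, not SAP's code. It builds on the Invoke-WebRequest call shown in 6.3.1. $Server and $ApiPath are placeholders; the guide does not name the request header that carries the token, so the use of Authorization below is an assumption and may need adjusting to your installation.

```powershell
# Added example (not SAP's code). Obtain an access token from the anonymous
# Authenticate API, then present it on an API call. $Server and $ApiPath are
# placeholders; the token header name is an assumption (see lead-in).
function Get-DmAccessToken {
    param([Parameter(Mandatory)][string]$Server)
    # The guide's own call: POST to /api/Authenticate with Windows credentials.
    $resp = Invoke-WebRequest -Uri "$Server/api/Authenticate" -Method Post `
        -UseDefaultCredentials -UseBasicParsing
    if ($resp.StatusCode -ne 200) {
        throw "Authentication failed: HTTP $($resp.StatusCode)"
    }
    # The response body is the encrypted and signed token (step 6); treat it
    # as an opaque string and never log it.
    return $resp.Content
}

function Invoke-DmApi {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$ApiPath,
        [Parameter(Mandatory)][string]$AccessToken
    )
    # The token is a bearer credential: only ever send it over HTTPS.
    if (-not $Server.StartsWith('https://')) { throw 'Send the access token over HTTPS only' }
    $headers = @{ Authorization = $AccessToken }   # header name: assumption
    try {
        return Invoke-RestMethod -Uri "$Server$ApiPath" -Headers $headers
    } catch [System.Net.WebException] {
        $status = [int]$_.Exception.Response.StatusCode
        # A 401 after a successful Authenticate means the token has expired or
        # failed signature validation (steps 9 to 12): obtain a fresh token.
        if ($status -eq 401) { throw 'Access token rejected; authenticate again' }
        throw
    }
}

# Usage (placeholders):
# $token = Get-DmAccessToken -Server 'https://dm.example.com'
# Invoke-DmApi -Server 'https://dm.example.com' -ApiPath '/api/<resource>' -AccessToken $token
```

Because the token carries an expiration date (step 2), a client that caches it should expect the 401 path and re-authenticate rather than retry the same token.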


7 Changing the Signing Certificate

Context

The shipped self-signed certificate is used by default to encrypt and sign access tokens. If you want to use a certificate other than the default one, we strongly recommend that you use a certificate signed by a Trusted Root Certification Authority. Follow the steps below:

Procedure

1. Using the Microsoft Management Console, import a certificate into the Microsoft Windows Certificate Manager, to your personal folder on your local computer.

2. Assuming that the issuer of the imported certificate is ‘CN=SAPDisclosureManagement’, it is necessary to extend the <applicationSettings> in the Web.config file, which is located in the SAP DM root folder as shown below:

Sample Code

<applicationSettings>
  <cundus.enterpriseReporting.Web.Properties.Settings>
    <!-- Rest of the applicationSettings -->
    <setting name="ApiLocalDMCertificateIssuerName" serializeAs="String">
      <value>SAPDisclosureManagement</value>
    </setting>
  </cundus.enterpriseReporting.Web.Properties.Settings>
</applicationSettings>


8 Data Storage Security

The data for the SAP Disclosure Management server is stored in a Microsoft SQL server database. This data is not encrypted - except the users' passwords, which are encrypted. The data is stored at every transaction.

Chapter documents that are uploaded to SAP Disclosure Management are also stored in a Microsoft SQL server database. These documents are not encrypted. The documents are stored when a chapter document is uploaded.

Temporary Storage of Data

Data is stored temporarily in the following cases:

● When users use the Upload function on the server, the documents are stored on the file system on the server machine during the upload process. You can configure the path to the folder under Administration > System Configuration > Upload.

● When users use the Compare function on the server, the documents to be compared are stored on the file system on the server machine. You can configure the path to the folder under Administration > System Configuration > Upload.

● When users use the Edit or View function on the server, the requested document is temporarily stored in the %TEMP% folder on the client machine.

8.1 Cookies in SAP Disclosure Management (SAP DM)

SAP Disclosure Management requires a Web browser as the user interface. The application stores session cookies on the front end. The session cookies contain a session ID. The cookies are valid until the end of the session.

Enabling Secure Cookies

It is possible to set the cookies to secure by using a flag. The secure flag is an option that the application server can set when sending a new cookie to the user within an HTTP response. It is used to prevent cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text. To accomplish this goal, browsers that support the secure flag will only send cookies with the secure flag when the request is going to an HTTPS page.

In other words, the browser will not send a cookie with a secure flag over an unencrypted HTTP request. By setting the secure flag, the browser prevents the transmission of a cookie over an unencrypted channel.

To set the secure flag in SAP DM, proceed as follows:

1. Open the web.config file in the application folder of SAP DM.
2. Locate the tag <system.web> directly under <configuration>.
3. Add the following line: <httpCookies requireSSL="true"/>
4. Restart the application.

If you enable this option the application can only be accessed using Secure Sockets Layer (SSL). Without SSL, it will no longer be possible to log in.
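The following PowerShell is an added example, not SAP's code: the first function applies steps 1 to 3 of the procedure to the web.config as an XML edit (so the attribute is set correctly even if an <httpCookies> element already exists), and the second checks from the outside whether the cookies the server issues actually carry the Secure attribute. The web.config path and the server URL are placeholders; the function names are my own.

```powershell
# Added example (not SAP's code). Set requireSSL on <httpCookies> under
# <system.web> and verify the Secure attribute on issued cookies.
# $WebConfigPath and $ServerUrl are placeholders.
function Set-DmRequireSslCookies {
    param([Parameter(Mandatory)][string]$WebConfigPath)
    $path = (Resolve-Path -LiteralPath $WebConfigPath).Path
    [xml]$xml = Get-Content -LiteralPath $path -Raw
    # Step 2: <system.web> must sit directly under <configuration>.
    $systemWeb = $xml.SelectSingleNode('/configuration/system.web')
    if ($null -eq $systemWeb) { throw 'No <system.web> directly under <configuration>' }
    # Step 3: reuse an existing <httpCookies> element or create one.
    $cookies = $systemWeb.SelectSingleNode('httpCookies')
    if ($null -eq $cookies) {
        $cookies = $xml.CreateElement('httpCookies')
        [void]$systemWeb.AppendChild($cookies)
    }
    $cookies.SetAttribute('requireSSL', 'true')
    $xml.Save($path)
    return $cookies.GetAttribute('requireSSL')   # 'true' on success
}

function Test-DmSecureSessionCookie {
    # Request the login page in a fresh session and inspect every cookie the
    # server set; returns 'secure', 'insecure' or 'no-cookie-set'.
    param([Parameter(Mandatory)][string]$ServerUrl)
    if (-not $ServerUrl.StartsWith('https://')) { throw 'Check against the HTTPS URL' }
    $null = Invoke-WebRequest -Uri $ServerUrl -SessionVariable dmSession -UseBasicParsing
    $cookies = $dmSession.Cookies.GetCookies([uri]$ServerUrl)
    if ($cookies.Count -eq 0) { return 'no-cookie-set' }
    $insecure = @($cookies | Where-Object { -not $_.Secure })
    if ($insecure.Count -gt 0) { return 'insecure' }
    return 'secure'
}

# Usage (placeholders):
# Set-DmRequireSslCookies 'C:\inetpub\DM\web.config'   # then restart the application (step 4)
# Test-DmSecureSessionCookie 'https://dm.example.com/'
```

Run the check against the HTTPS address, since after step 4 the application can no longer be used over plain HTTP at all.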

Note: For more information, see SAP Note 2206315.


9 Security-Relevant Logging and Tracing

Logging during debugging is switched off by default. For information about how to switch it on, see SAP Note 2292975.

Note: If you have switched logging on, please keep in mind that it could possibly be used for a denial-of-service (DoS) attack.


10 Other Security-Relevant Information

Server Security

Technical information about the server that can be received by protocol standards should be adjustable and suppressible.

The delivery of the server information within the HTTP header can be minimized by editing the file web.config. For more information, see http://msdn.microsoft.com/en-us/library/e1f13641.aspx.
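As an added example (not SAP's code), the following PowerShell minimizes the version information IIS and ASP.NET add to responses and then reports what the server still discloses. The site name and server URL are placeholders. enableVersionHeader is the httpRuntime attribute covered by the Microsoft page linked above; removing X-Powered-By is a standard IIS custom-header setting.

```powershell
# Added example (not SAP's code). Reduce server identification in HTTP
# responses and check the result. $SiteName and $ServerUrl are placeholders.
Import-Module WebAdministration

function Set-DmMinimalServerHeaders {
    param([Parameter(Mandatory)][string]$SiteName)
    $psPath = "IIS:\Sites\$SiteName"
    # Stop ASP.NET from emitting X-AspNet-Version
    # (equivalent to <httpRuntime enableVersionHeader="false" /> in web.config).
    Set-WebConfigurationProperty -PSPath $psPath -Filter 'system.web/httpRuntime' `
        -Name 'enableVersionHeader' -Value $false
    # Drop the X-Powered-By header that IIS adds by default.
    Remove-WebConfigurationProperty -PSPath $psPath `
        -Filter 'system.webServer/httpProtocol/customHeaders' -Name '.' `
        -AtElement @{ name = 'X-Powered-By' } -ErrorAction SilentlyContinue
}

function Get-DmDisclosedServerHeaders {
    # Return a hashtable of the identifying headers still present; an empty
    # table means nothing of the three is disclosed.
    param([Parameter(Mandatory)][string]$ServerUrl)
    $resp  = Invoke-WebRequest -Uri $ServerUrl -UseBasicParsing
    $found = @{}
    foreach ($name in 'Server', 'X-Powered-By', 'X-AspNet-Version') {
        if ($resp.Headers.ContainsKey($name)) { $found[$name] = $resp.Headers[$name] }
    }
    return $found
}

# Usage (placeholders):
# Set-DmMinimalServerHeaders -SiteName 'SAP Disclosure Management'
# Get-DmDisclosedServerHeaders -ServerUrl 'https://dm.example.com/'
```

The Server header itself is emitted by IIS rather than by the application; whether and how it can be suppressed depends on the IIS version, which is why the check function reports it separately rather than assuming it is gone.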

Web Services on the SAP Disclosure Management Server

SAP Disclosure Management exposes Web services based on ASP.NET. These Web services are used for the communication between the application server and the Microsoft Office add-in.

The services offered by the application use their own mechanism for establishing an authenticated user on the service consumer side:

1. The user is authenticated in the application.
2. If the client wants to use services offered by the application, the application passes a specific URL to the client. This URL includes an authentication token ("sessionId").
3. For each service request, the client transmits this authentication token to the application.
4. If the authentication token is valid, the application grants access to the requested resource. If it is not valid, the application denies access.
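The following block is an added illustration of the four-step token handshake above; it is not SAP's implementation. The token layout (sessionId.expiry.mac), the HMAC-SHA256 signature, the 15-minute lifetime, the query-parameter name and the hostname dm.example.invalid are all assumptions made for the example. It shows both sides of the exchange: the server issuing the URL after login, and the server validating the token on each later request, including the rejection cases (forged, expired, logged out).

```python
"""Added illustration of a session-token handshake like the one described
above. Not SAP code: token format, signature algorithm, lifetime and
parameter name are assumptions for this example."""
import hashlib
import hmac
import os
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SERVER_KEY = os.urandom(32)          # signing key known only to the application server
SESSIONS: Dict[str, str] = {}        # sessionId -> user name, filled at login (step 1)
TOKEN_LIFETIME = 900                 # seconds; assumption for the example


def _sign(session_id: str, expires: int, key: bytes) -> str:
    """HMAC over the fields the server must later trust."""
    return hmac.new(key, f"{session_id}.{expires}".encode(), hashlib.sha256).hexdigest()


def login(user: str, key: bytes, now: int,
          service_base: str = "https://dm.example.invalid/service") -> str:
    """Steps 1 and 2: the user is authenticated; the server returns a service URL carrying the token."""
    session_id = os.urandom(16).hex()
    SESSIONS[session_id] = user
    expires = now + TOKEN_LIFETIME
    token = f"{session_id}.{expires}.{_sign(session_id, expires, key)}"
    return f"{service_base}?{urlencode({'sessionId': token})}"


def authenticate_request(url: str, key: bytes, now: int) -> Optional[str]:
    """Steps 3 and 4: validate the token the client sent; return the user, or None to deny access."""
    token = parse_qs(urlsplit(url).query).get("sessionId", [None])[0]
    if token is None:
        return None                                   # no token at all
    try:
        session_id, expires_text, mac = token.split(".")
        expires = int(expires_text)
    except ValueError:
        return None                                   # malformed token
    if not hmac.compare_digest(mac, _sign(session_id, expires, key)):
        return None                                   # forged or tampered
    if now >= expires:
        return None                                   # expired
    return SESSIONS.get(session_id)                   # None if never issued or logged out


def logout(url: str) -> None:
    """Invalidate a token server-side; a valid signature alone is not enough afterwards."""
    token = parse_qs(urlsplit(url).query).get("sessionId", [""])[0]
    SESSIONS.pop(token.split(".")[0], None)


if __name__ == "__main__":
    now = int(time.time())
    url = login("alice", SERVER_KEY, now)
    print("valid:", authenticate_request(url, SERVER_KEY, now + 60))
    print("tampered:", authenticate_request(url.replace("sessionId=", "sessionId=0"), SERVER_KEY, now + 60))
    print("expired:", authenticate_request(url, SERVER_KEY, now + TOKEN_LIFETIME))
    logout(url)
    print("after logout:", authenticate_request(url, SERVER_KEY, now + 60))
```

Two design points worth noting: the signature is compared with hmac.compare_digest rather than ==, and the server keeps its own session table so that a token can be revoked before its expiry, which a signature check alone cannot do. Because the token travels in a URL, treat web server and proxy request logs on the path as sensitive.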

Disabling the Service Help Pages for the Web Services

SAP Disclosure Management automatically displays help pages for its Web Services. For security reasons, you can disable this feature. To do so, modify the webServices section (under <system.web>) of the Web.config file to explicitly remove the documentation protocol:

Source Code

<webServices>
  <protocols>
    <remove name="Documentation" />
  </protocols>
</webServices>

It is not necessary to restart the application.

For more information, see also https://msdn.microsoft.com/en-us/library/2tyf2t8t(v=vs.80).aspx


Web Service Security in the SAP BW System

If you install the SAP BW adapter provided by SAP Disclosure Management, Web services for communication with the SAP Disclosure Management server are installed on the SAP BW server. Make sure that the settings for communication security and channel authentication are identical for all these Web services.

For more information on secure configuration of these Web services, see the section “Installing the SAP BW Adapter” in the SAP Disclosure Management Installation Guide.

JavaScript

When accessing the application in a Web browser, JavaScript code is executed in the frontend.

10.1 Password Policy

To enforce a global password policy, you have to set the Enforce Password Policy parameter to Yes on the Password Policy tab. Choose Administration > System Configuration > Password Policy. This parameter is set to No by default after the SAP Disclosure Management installation. If the parameter is set to Yes, you can define the following policy parameters:

Table 11: Global Password Definition

Password Syntax                      | Description                                                            | Default Value
-------------------------------------|------------------------------------------------------------------------|--------------
Minimum length of password           | Sets the minimum length of the password (minimum number of characters) | 0
Minimum amount of lower-case letters | Sets the minimum amount of lower-case letters contained in a password  | 0
Minimum amount of upper-case letters | Sets the minimum amount of upper-case letters contained in a password  | 0
Minimum amount of Arabic numerals    | Sets the minimum amount of Arabic numerals contained in a password     | 0
Minimum amount of special characters | Sets the minimum amount of special characters contained in a password  | 0

You can also define a lifecycle for the passwords:

Table 12: Lifecycle of Passwords

Password Lifecycle                                     | Definition                                                                                                                                            | Default Value
-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|--------------
Password maximum age                                   | Validity period of the password in days                                                                                                               | 0
Number of days for password expiration warning         | Number of days before actual password expiration that a warning message should appear after successful logon to the SAP Disclosure Management server | 7
Maximum amount of passwords stored in password history | Number of passwords to be stored in the password history. Passwords cannot be reused while they are stored in the history.                           | 0

To deactivate any of the above-mentioned parameters, enter the value 0. The specific requirement is then ignored during password policy validation. Once you have completed the policy definition, choose Save to persist all settings. After the parameters have been saved, a popup is displayed where you can define whether all users should be prompted to change their passwords at their next logon. If you choose Yes, every user is redirected to a Change User Information form the next time they log on to SAP Disclosure Management. On this form, users can change the password according to the enforced password policy.

If a user's password has expired, they are automatically redirected to the Change User Information form the next time they log on to the SAP Disclosure Management server, so that they can change the password as required.

The characters below can be used in passwords:

Table 13: Character Specification

Character Type     | Character Definition
-------------------|------------------------------------------------------------------------------------------------------
Lower-Case Letters | All lower-case letter characters (a - z, ä, ö, ü, ß)
Upper-Case Letters | All upper-case letter characters (A - Z, Ä, Ö, Ü)
Arabic Numerals    | All Arabic numeral characters (0, 1 - 9)
Special Characters | All characters that are neither a letter nor a number (^, °, !, ", §, $, %, &, /, (, ), =, ?, [, ], )
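The following block is an added example (not SAP code and not taken from this guide) that turns Tables 11 to 13 into a runnable policy check: the five syntax parameters with 0 meaning "switched off", the character classes of Table 13 including the German umlauts and ß, the maximum age and expiration warning of Table 12, and a password history that blocks reuse. How the product hashes history entries is not documented here; the salted SHA-256 used for the history in this example is an assumption made for the illustration only (the product's own password hash is described in the Password Security section).

```python
"""Password-policy check modelled on Tables 11 to 13. Added example, not SAP
code: the salted SHA-256 used for history entries is an assumption made for
this illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Tuple

# Character classes exactly as defined in Table 13.
LOWER = set("abcdefghijklmnopqrstuvwxyzäöüß")
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÜ")
DIGITS = set("0123456789")


def is_special(ch: str) -> bool:
    """Table 13: any character that is neither a letter nor a numeral is special."""
    return ch not in LOWER and ch not in UPPER and ch not in DIGITS


@dataclass
class PasswordPolicy:
    # Table 11: a value of 0 switches the requirement off (the product's default).
    min_length: int = 0
    min_lower: int = 0
    min_upper: int = 0
    min_digits: int = 0
    min_special: int = 0
    # Table 12 lifecycle parameters; 0 means no expiry / no history.
    max_age_days: int = 0
    expiry_warning_days: int = 7
    history_size: int = 0

    def syntax_violations(self, password: str) -> List[str]:
        """Return the names of all unmet syntax requirements; an empty list means acceptable."""
        have = {
            "min_length": len(password),
            "min_lower": sum(c in LOWER for c in password),
            "min_upper": sum(c in UPPER for c in password),
            "min_digits": sum(c in DIGITS for c in password),
            "min_special": sum(is_special(c) for c in password),
        }
        return [name for name, count in have.items()
                if getattr(self, name) > 0 and count < getattr(self, name)]

    def is_expired(self, last_change: date, today: date) -> bool:
        return self.max_age_days > 0 and (today - last_change).days > self.max_age_days

    def warn_expiry(self, last_change: date, today: date) -> bool:
        """True when the password expires within expiry_warning_days but has not expired yet."""
        if self.max_age_days == 0 or self.is_expired(last_change, today):
            return False
        days_left = (last_change + timedelta(days=self.max_age_days) - today).days
        return days_left <= self.expiry_warning_days


@dataclass
class PasswordHistory:
    """Hashed history: a password cannot be reused while it is still in the history."""
    size: int
    entries: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), oldest first

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.sha256(salt + password.encode("utf-8")).digest()

    def contains(self, password: str) -> bool:
        return any(hmac.compare_digest(self._digest(salt, password), digest)
                   for salt, digest in self.entries)

    def add(self, password: str) -> None:
        if self.size == 0:
            return                      # history disabled (default value 0)
        salt = os.urandom(16)
        self.entries.append((salt, self._digest(salt, password)))
        del self.entries[:-self.size]   # keep only the newest `size` entries


def change_password(policy: PasswordPolicy, history: PasswordHistory, new_password: str) -> List[str]:
    """Validate a new password against syntax and history; record it when accepted."""
    problems = policy.syntax_violations(new_password)
    if history.contains(new_password):
        problems.append("history")
    if not problems:
        history.add(new_password)
    return problems


def password_status(policy: PasswordPolicy, last_change: str, today: str) -> str:
    """Classify a password by age; dates are ISO strings (YYYY-MM-DD)."""
    changed, now = date.fromisoformat(last_change), date.fromisoformat(today)
    if policy.is_expired(changed, now):
        return "expired"       # user is redirected to Change User Information at next logon
    if policy.warn_expiry(changed, now):
        return "warn"          # warning message after successful logon
    return "ok"
```

Note that with the shipped defaults (every parameter 0) the policy accepts any password, including an empty one; set at least a minimum length before setting Enforce Password Policy to Yes.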

10.2 Password Security

Passwords are stored using a strong hash. The password hash is designed as follows:

● The application server stores a secret "MachineSalt" on disk. The MachineSalt is a high-quality random number.
● Every password is salted with a UserSalt (a high-quality random number).
● The salted password is hashed using HMAC-SHA1 with the MachineSalt as the secret key. Both the UserSalt and the password hash are stored in the database.

The MachineSalt is stored in the web.config file. The install.exe tool automatically generates the MachineSalt and adds it to the web.config file. Because the MachineSalt is the HMAC key, the strength of the stored hashes depends on it remaining secret: restrict file system access to web.config and treat backups of it as sensitive.


Sample Code

<configuration>
  <appSettings>
    <add key="MachineSecret" value="1231231243443"/>
  </appSettings>
</configuration>

Note
In case of multiple application servers, the MachineSalt needs to be identical on all hosts.

Note
Digest Authentication is still required for the WebDAV function.
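The following block is an added example of the keyed, salted hash described above; it is not SAP's code. The concatenation order (UserSalt followed by the password), the UTF-8 encoding of the password and the hex encoding of the stored values are assumptions made for this illustration. The demo function also shows why the note about multiple application servers matters: a host with a different MachineSalt cannot verify any password in the shared users table.

```python
"""Added example of the keyed, salted password hash described in Password
Security. Not SAP code: concatenation order, password encoding and the hex
encoding of stored values are assumptions for this illustration."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

# In the product the MachineSalt lives in web.config; here it is generated for the demo.
MACHINE_SALT = os.urandom(32)

UsersTable = Dict[str, Tuple[str, str]]   # user name -> (UserSalt hex, hash hex)


def make_hash(password: str, machine_salt: bytes) -> Tuple[str, str]:
    """Draw a fresh UserSalt and return (user_salt_hex, hash_hex), the two values kept in the database."""
    user_salt = os.urandom(16)
    digest = hmac.new(machine_salt, user_salt + password.encode("utf-8"), hashlib.sha1).hexdigest()
    return user_salt.hex(), digest


def verify(password: str, user_salt_hex: str, stored_hash_hex: str, machine_salt: bytes) -> bool:
    """Recompute the keyed hash with the stored UserSalt and compare in constant time."""
    recomputed = hmac.new(machine_salt,
                          bytes.fromhex(user_salt_hex) + password.encode("utf-8"),
                          hashlib.sha1).hexdigest()
    return hmac.compare_digest(recomputed, stored_hash_hex)


def create_user(users: UsersTable, name: str, password: str, machine_salt: bytes = MACHINE_SALT) -> None:
    """Nothing reversible is stored: only the UserSalt and the keyed hash."""
    users[name] = make_hash(password, machine_salt)


def login(users: UsersTable, name: str, password: str, machine_salt: bytes = MACHINE_SALT) -> bool:
    if name not in users:
        return False
    user_salt_hex, stored = users[name]
    return verify(password, user_salt_hex, stored, machine_salt)


def demo() -> Tuple[bool, bool, bool, bool]:
    """Return (correct password accepted, wrong password accepted,
    accepted on a host with a different MachineSalt, two users with the same password share a hash)."""
    users: UsersTable = {}
    create_user(users, "alice", "Straße1!")
    create_user(users, "bob", "Straße1!")
    ok = login(users, "alice", "Straße1!")
    wrong = login(users, "alice", "straße1!")
    other_host = login(users, "alice", "Straße1!", machine_salt=os.urandom(32))
    same_hash = users["alice"][1] == users["bob"][1]   # False thanks to the per-user UserSalt
    return ok, wrong, other_host, same_hash


if __name__ == "__main__":
    print(demo())   # expected (True, False, False, False)
```

Since this is a single HMAC-SHA1 computation rather than an iterated or memory-hard function, an attacker who obtains both the users table and the MachineSalt from web.config can test candidate passwords at SHA-1 speed; the scheme's resistance to offline guessing therefore rests on keeping the MachineSalt secret, as the section above requires.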

System Upgrade to SAP Disclosure Management 10.1 SP08

When you upgrade to SAP Disclosure Management 10.1 SP08, passwords are secured as shown in the graphic below:

● A MachineSalt is generated and added to the web.config file.
● All existing passwords in the users table are converted to the MachineSalt-keyed hash described above.
● WebDAV is disabled using the new system parameter EnableWebDAV (default value: off).

Using WebDAV in SAP Disclosure Management 10.1 SP08 and Higher

After upgrading to SAP Disclosure Management 10.1 SP08, WebDAV no longer works until you enable it explicitly.

To enable WebDAV after installation of SAP DM 10.1 SP08:

1. Set the parameter Enable WebDAV to true in SAP Disclosure Management under Administration > System Configuration.
2. Set new passwords for all users who use Basic Authentication, so that the password copy required for Digest Authentication exists for them.


Note
Using WebDAV means that passwords for Basic Authentication users are stored twice in the database. Both versions of the password are stored:

● Strong hash for Basic Authentication
● Reversible encryption for Digest Authentication used by WebDAV

Because the second copy is reversible, enable WebDAV only where it is actually needed and limit it to the users who require it.

10.3 Single Sign-On

You can use single sign-on (SSO) authentication with SAP Disclosure Management. When a Web browser or an SAP Disclosure Management client sends a logon request to the SAP Disclosure Management application server, the system follows the authentication steps shown in the figure below:

The system process is as follows:

1. The client sends a request to the application server. The application server obtains the Windows Identity, which consists of the domain and the user name of the user currently connected to Microsoft Internet Information Services (IIS).
2. The application server tries to authenticate the obtained Windows Identity in the SAP Disclosure Management database. This is an internal authentication. The internal authentication is considered successful if:
   1. The Windows Identity is a valid user in the SAP Disclosure Management database.
   2. The user account of the Windows Identity is active.
3. If the internal authentication was successful, the application server tries to validate the Windows Identity in Microsoft Active Directory. The validation is considered successful if:
   1. The Windows Identity exists in Microsoft Active Directory.
   2. The domain account of the Windows Identity is not disabled in Active Directory.

10.4 Authenticating Using Security Assertion Markup Language 2.0

You can use Security Assertion Markup Language 2.0 authentication (SAML 2.0 authentication) as a global setting for authentication in SAP Disclosure Management. When a Web browser or an SAP Disclosure Management client sends an authentication request to the SAP Disclosure Management application server, the system follows the authentication steps as shown below:

Note
SAML 2.0 authentication requires HTTPS.

The process steps are as follows:

1. The client sends a request to the application server.
2. The application server redirects the user request to the defined identity provider (IDP).
3. The redirect works by creating a SAML request and sending this request to the IDP.
4. The IDP follows its configured steps to authenticate the user.
5. The IDP sends a SAML response back to the application server.
6. If the SAML response is valid and carries a successful authentication result, the application server tries to map the received authentication information to the defined SAP Disclosure Management user. If the mapping is successful, the application server tries to authenticate the mapped user in the SAP Disclosure Management database. This is an internal authentication. The internal authentication is considered to be successful if the following statements apply:
   ○ The mapped user is a valid user in the SAP Disclosure Management database.
   ○ The user account of the mapped user is active.
7. If the internal authentication is successful, the application server creates a signed SSO token, which is used to authenticate the user against other application servers and data sources in the landscape.

10.5 Preventing Anonymous Access to SAP Disclosure Management Online User Help Files

Context

You can prevent anonymous access to the help files of SAP Disclosure Management such as http://mo-8fe9d2668.mo.sap.corp:10170/Content/Help/101/EN/frameset.htm by adding the section below to the web.config file:

Source Code

<location path="Content/Help">
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</location>

After you have added the section above to the web.config file, users can only access the help files if they are logged on to SAP Disclosure Management. The order of the rules matters: ASP.NET evaluates authorization rules from top to bottom and applies the first match, so the deny rule for anonymous users ("?") must come before the allow rule for all users ("*").

Note
If this is the initial installation of SAP Disclosure Management, this option is already activated. For existing installations, you have to modify this option manually.


11 Security for Additional Applications

The following frontend clients deviate from the SAP standard:

● Data Connector: No special security settings are required for the Data Connector.
● Microsoft Office Add-In: In order to interact with the SAP Disclosure Management application, the user name and password need to be set.

The following applications are delivered with SAP Disclosure Management:

● Taxonomy Designer
● SAP Disclosure Management XBRL Mapper

For information about current improvements or security patches for these applications, see the Taxonomy Designer Help at http://help.sap.com/bodm100.

If XBRL features are not needed, SAP Disclosure Management can be run without SAP Disclosure Management XBRL Mapper and Taxonomy Designer.


Important Disclaimers and Legal Information

Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.

Accessibility
The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does not apply in cases of willful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.

Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.

Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see: http://help.sap.com/disclaimer).


go.sap.com/registration/contact.html

© 2016 SAP SE or an SAP affiliate company. All rights reserved.No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.