Security in SAP XI 3.0


  • 7/30/2019 Security in SAP XI 3.0

    1/28

    SAP AG 2004, Title of Presentation / Speaker Name / #

    Topics

    Agenda:
    Introduction to SAP XI 3.0
    System Landscape Directory
    Integration Repository
    Integration Directory
    Monitoring
    Adapter Framework
    Business Process Management
    Server Administration
    Security
    B2B and Industry Standards

  • Slide 2/28: Security Topics

    Authentication & Authorization
    Message level security
    Network and Communication Security
    Recommended setup for inter-enterprise connectivity
    Some pointers for certificate management in the J2EE key store

  • Slide 3/28: Why Is Security Necessary?

    Business processes executed using XI have to be done in a secure manner.
    XML messages which contain confidential business data need to be transported over a secure connection.
    Security requirements also apply to communicating XI components: securing information like user names and passwords.

  • Slide 4/28: User administration and authentication

    All components of XI 3.0 that run on SAP Web AS use the underlying infrastructure provided by the Web AS for the following:
    User management
    Administration
    Authorizations
    Authentication
    The only exception is the J2SE adapters.

  • Slide 5/28: User administration and authentication

    User Store
    Standard: users are maintained in the ABAP user store.
    Can also be integrated with LDAP-based user administration.

    Certificate Store
    XI and RNIF protocols support message level security based on digital signature; the RNIF protocol also supports encryption.
    The required certificates need to be entered into the key store of the J2EE engine.
    In the Integration Directory these certificates are referred to by the name of the key store view and the certificate name.
    Recommended: store CA certificates in the TrustedCAs view.

  • Slide 6/28: Users

    With respect to authentication and authorization, we distinguish two major scenarios. During design and configuration, dialog users communicate through the Integration Builder with XI. At runtime the actors are computer systems rather than humans!

    1. At design and configuration time (Integration Repository): real users
    2. At runtime: computer systems

  • Slide 7/28: Dialog Users

    Dialog users represent human users that log on through the various UIs of the Integration Builder.
    Dialog users are generally maintained in the ABAP part of the SAP Web AS.
    The roles for the different dialog users are predefined and shipped with the installation.

  • Slide 8/28: Service Users

    Service users provide dialog-free access to XI components.
    Service users have the SAP user roles on the ABAP part of the Web Application Server.
    They are made available on the J2EE part as user groups.
    Service users have the required authorizations to access the required services on the addressed XI components.
    Service users are created during installation.
    Names and passwords can be assigned during installation.

  • Slide 9/28: Service Users during Design and Configuration

    XIREPUSER - Access the XI Repository for design
    XIDIRUSER - Access the XI Directory for configuration
    XIISUSER - Get cache updates from the XI Directory to the runtime cache
    XILDUSER - Get the business system name from the System Landscape Directory

    (Figure: Integration Builder with Integration Directory (ID) and Integration Repository (IR), Integration Server (IS), System Landscape Directory (SLD), Central Monitoring, SAP systems, 3rd party systems, 3rd party middleware component and marketplace/business partner; XIISUSER, XIREPUSER and XIDIRUSER are shown at the respective connections.)

  • Slide 10/28: XI Service Users in use during Runtime

    XILDUSER - Get the business system name from the System Landscape Directory
    XIRWBUSER - Get monitoring information to the Runtime Workbench
    XIISUSER - Get cache updates from the XI Directory to the runtime cache
    XIAPPLUSER - Access XI engines for message processing (SAP template)
    XIAFUSER - Access the Adapter Framework

    (Figure: SAP system (IDocs, RFCs, SAP Web AS 6.20 proxy), 3rd party apps (File, DB, JMS), apps of business partners (Local Integration Engine / Proxy Runtime, Partner Connectivity Kit) and apps/systems of (small) business partners connected to the Integration Server (Business Process Engine, Integration Engine, Adapter Engine), with Central Monitoring, Integration Directory and System Landscape Directory; XILDUSER, a customer-specific copy of XIAPPLUSER, XIAFUSER, XIRWBUSER and XIISUSER are shown at the respective connections.)

  • Slide 11/28: Default service users in XI systems and their roles

    Created automatically at installation time.
    Referenced in the Exchange Profile.
    In the future it will be possible to create custom user IDs at installation time.

    Service user   Must have the role
    XIREPUSER      SAP_XI_IR_SERV_USER
    XIDIRUSER      SAP_XI_ID_SERV_USER
    XIAPPLUSER     SAP_XI_APPL_SERV_USER
    XIISUSER       SAP_XI_IS_SERV_USER
    XIRWBUSER      SAP_XI_RWB_SERV_USER
    XIAFUSER       SAP_XI_AF_SERV_USER_MAIN
    XILDUSER       SAP_BC_AI_LANDSCAPE_DB_RFC
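As an added example (not from the presentation), a small audit of an exported user-to-role assignment list against the service users and roles above: the pairing of user and role is inferred from the role names, the USER;ROLE export format and sample lines are constructed, and a customer-specific copy of XIAPPLUSER (here the made-up ZXIAPPL_ERP) legitimately carries the same role and is only flagged for review.

```python
# Added example (not from the slides); the USER;ROLE export, ZXIAPPL_ERP and Z_SAMPLE_EXTRA_ROLE are constructed.
EXPECTED_ROLES = {  # pairing inferred from the role names on the slide
    "XIREPUSER": "SAP_XI_IR_SERV_USER",
    "XIDIRUSER": "SAP_XI_ID_SERV_USER",
    "XIAPPLUSER": "SAP_XI_APPL_SERV_USER",
    "XIISUSER": "SAP_XI_IS_SERV_USER",
    "XIRWBUSER": "SAP_XI_RWB_SERV_USER",
    "XIAFUSER": "SAP_XI_AF_SERV_USER_MAIN",
    "XILDUSER": "SAP_BC_AI_LANDSCAPE_DB_RFC",
}

SAMPLE_EXPORT = """XIREPUSER;SAP_XI_IR_SERV_USER
XIDIRUSER;SAP_XI_ID_SERV_USER
XIAPPLUSER;SAP_XI_APPL_SERV_USER
XIISUSER;SAP_XI_IS_SERV_USER
XIRWBUSER;SAP_XI_RWB_SERV_USER
XIRWBUSER;Z_SAMPLE_EXTRA_ROLE
XIAFUSER;SAP_XI_AF_SERV_USER_MAIN
ZXIAPPL_ERP;SAP_XI_APPL_SERV_USER
"""

def parse_assignments(text):
    """Map each user in a USER;ROLE export to the set of its roles."""
    assignments = {}
    for line in text.splitlines():
        if ";" not in line or line.startswith("#"):
            continue
        user, role = (f.strip().upper() for f in line.split(";", 1))
        assignments.setdefault(user, set()).add(role)
    return assignments

def audit_service_users(assignments, expected=EXPECTED_ROLES):
    """(finding, user, role) tuples: user absent, role missing, extra roles, and XI
    service roles on other accounts (normal for a copy of XIAPPLUSER; review it)."""
    findings = []
    for user, role in expected.items():
        roles = assignments.get(user)
        if roles is None:
            findings.append(("missing_user", user, role))
            continue
        if role not in roles:
            findings.append(("missing_role", user, role))
        findings.extend(("extra_role", user, r) for r in sorted(roles - {role}))
    service_roles = set(expected.values())
    for user, roles in assignments.items():
        if user not in expected:
            findings.extend(("review_role_on_other_user", user, r)
                            for r in sorted(roles & service_roles))
    return findings
```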

  • Slide 12/28: User maintenance

    Users and roles are maintained via the standard Web AS ABAP user management (SU01).
    After a short delay, the updated users are automatically replicated to the J2EE engine.

    J2EE user maintenance:
    In the Visual Administrator tool: Security provider service
    UME (User Management Engine), available as part of the J2EE engine

  • Slide 13/28: J2EE User maintenance

    (Screenshots: Visual Admin tool; UME frontend)

  • Slide 14/28: Security Availability with XI 3.0

    Availability table (row and column labels only; the check marks are not recoverable from the extracted text):

    Levels of Security                  | XI 1.0 / XI 2.0 | XI 3.0 XI protocol          | XI 3.0 RNIF
    Connection Level Security (HTTPS)   |                 |                             |
    Message Level Security (for B2B):   |                 |                             |
      Signature / Data Integrity        |                 |                             |
      Non-Repudiation of origin         |                 |                             |
      Non-Repudiation of receipt        |                 |                             |
      Encryption                        |                 |                             |
    Technology                          |                 | WS-Security (XML-Signature) | S/MIME

  • Slide 15/28: Security Outlook

    (Same availability table as on slide 14: Levels of Security (Connection Level Security; Message Level Security for B2B: Signature / Data Integrity, Non-Repudiation of origin, Non-Repudiation of receipt, Encryption) by XI 1.0 / XI 2.0, XI 3.0 XI protocol and XI 3.0 RNIF, highlighting the focus of future security enhancements for XI.)

  • Slide 16/28: Message Exchange

    In general, the message exchange between business systems can be separated into two communication segments that are treated differently from an authentication and authorization point of view:

    1. Sending System to Integration Server
    2. Integration Server to Receiving System

    (Figure: Business System -> HTTP(S) -> XI 3.0 -> HTTP(S) -> Business System. The technical communication is configured only once; the configuration is done in the Integration Directory.)

  • Slide 17/28: Message level security

    Message level security is enabled through the use of digital signatures in XI 3.0.
    Digital signatures authenticate the sending partner and ensure data integrity.
    This adds security qualities to communication level security that are required for B2B communication.
    Message level security for the XI 3.0 protocol is based on the Web Service security standard.
    RosettaNet employs the S/MIME standard.
    Encryption ensures that the message content is confidential.
    Encryption is only supported by the RNIF protocol.

  • Slide 18/28: Archiving secured messages

    For non-repudiation, secured messages are archived in the non-repudiation store.
    For each secured message the following data is stored:
    The raw message
    Security policy as configured in the directory
    References to certificates in the key store
    Identification of the certificate used
    The archive can be monitored using the Runtime Workbench.
    The non-repudiation archive is only available for the RNIF protocol.
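The signature and the archive record described on slides 17 and 18, as an added example that is not part of the presentation: it uses the Python cryptography package, a self-signed certificate standing in for a partner certificate (constructed), signs the raw message, stores it together with the policy, the key store reference (view and certificate name, both constructed) and the certificate's fingerprint, and later re-verifies the message from that record alone.

```python
# Added example, not from the presentation. Needs the "cryptography" package;
# the certificate, policy name and key store view/certificate name are constructed.
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def make_partner_cert(common_name):
    """Self-signed stand-in for a partner certificate (demo only)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = dt.datetime.now(dt.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=365))
            .sign(key, hashes.SHA256()))
    return key, cert

def sign_message(raw, key):
    """Signature over the raw message bytes: data integrity plus origin."""
    return key.sign(raw, padding.PKCS1v15(), hashes.SHA256())

def archive_record(raw, signature, cert, policy, view, cert_name):
    """One non-repudiation store entry as listed on the slide: the raw message,
    the policy configured in the directory, the key store reference and an
    identification of the certificate used (here its SHA-256 fingerprint)."""
    return {"raw": raw, "signature": signature, "policy": policy,
            "keystore_ref": (view, cert_name),
            "cert_fingerprint": cert.fingerprint(hashes.SHA256()).hex()}

def verify_record(record, cert):
    """Later re-check: the certificate fetched via the key store reference must
    be the one identified in the record, and the signature must still match
    the archived raw bytes (so the raw message has to be stored unmodified)."""
    if cert.fingerprint(hashes.SHA256()).hex() != record["cert_fingerprint"]:
        return False
    try:
        cert.public_key().verify(record["signature"], record["raw"],
                                 padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False
```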

  • Slide 19/28: Network and Communication Security

    HTTP and SSL
    XI runtime components support encryption of the HTTP data stream using SSL.
    A certificate based on X.509 must be installed on the server component to enable HTTPS.
    Configuring SSL for message exchange differs between ABAP and Java.
    SSL can also be configured for technical communication like cache updates and repository access in the directory.

    RFC and SNC
    Connections between SAP components can be secured by SNC.
    SNC supports three levels of security protection:
    Authentication only
    Integrity protection
    Confidentiality protection
    The Web AS security guide explains how to set up SNC.

  • Slide 20/28: SSL and SNC for secure connections

    Secure connections are possible between the following:
    Between adapters and Integration Server
    Between business systems and Integration Server
    Between PCK and Integration Server
    Between business systems and adapters
    Cache updates

  • Slide 21/28: B2B communication, recommended setup

    (Figure: External Partners, Internet, firewalls, Outer DMZ with Proxy and Application Gateway, Inner DMZ, Server LAN with IS and Business Systems.)

    Proxies and application gateways are placed in the outer DMZ, providing access control between the Internet and internal networks.

  • Slides 22/28 to 27/28: J2EE engine, pointers for security related configuration

    Screenshots walking through certificate management in the J2EE key store:
    Slide 22: Trusted certification authorities in the J2EE key store
    Slide 23: Creation of the server certificate
    Slide 24: Import the certificate signing response file into your key store
    Slide 25: Import the public key of your partner
    Slide 26: Partner's public key in the J2EE key store
    Slide 27: User authentication for the different views created

  • Slide 28/28: Further Documentation

    XI 3.0 Security Guide
    SAP Web AS Network and Communication Security: this section describes the network and communication security for the SAP Web AS.
    SAP Web AS Security Guide for ABAP Technology: this section describes the security aspects involved with the SAP Web AS when using ABAP technology.
    SAP Web AS Security Guide for J2EE Technology: this section describes the security aspects involved with the SAP Web AS when using Java or J2EE technology.