Agenda
Topics
Introduction to SAP XI 3.0
System Landscape Directory
Integration Repository
Integration Directory
Monitoring
Adapter Framework
Business Process Management
Server Administration
Security
B2B and Industry Standards
SAP AG 2004, Title of Presentation / Speaker Name / #
Security Topics
Authentication & Authorization
Message level security
Network and Communication Security
Recommended setup for inter-enterprise connectivity
Some pointers for certificate management in the J2EE key store
Why Is Security Necessary?
Business processes executed using XI have to be carried out in a secure manner
XML messages that contain confidential business data need to be transported over a secure connection
Security requirements also apply to the communication between XI components, for example securing information such as user names and passwords
User administration and authentication
All components of XI 3.0 that run on SAP Web AS use the underlying infrastructure provided by the Web AS for the following:
User management
Administration
Authorizations
Authentication
The only exception is for the J2SE adapters
User administration and authentication
User Store
Standard: users are maintained in the ABAP user store
Can also be integrated with LDAP-based user administration
Certificate Store
XI and RNIF protocols support message level security based on digital signatures
The RNIF protocol also supports encryption
The required certificates need to be entered into the key store of the J2EE engine
In the Integration Directory these certificates are referenced by the name of the key store view and the certificate name
Recommended to store CA certificates in the TrustedCAs view
Users
With respect to authentication and authorization, we distinguish two major scenarios. During design and configuration, dialog users communicate through the Integration Builder with XI. At runtime the actors are computer systems rather than humans!
1. At design and configuration time (Integration Repository): real users
2. At runtime: computer systems
Dialog Users
Dialog users represent human users that log on through the various UIs of the Integration Builder
Dialog users are generally maintained in the ABAP part of the SAP Web AS
The roles for the different dialog users are predefined and shipped with the installation
Service Users
Service users provide dialog free access to XI components
Service users have the SAP user roles on the ABAP part of the Web Application Server
They are made available on the J2EE part as user groups
Service users have the required authorizations to access the required services on the addressed XI components
Service users are created during installation
Names and passwords can be assigned during installation
Service Users during Design and Configuration
XIREPUSER: access the XI Repository for design
XIDIRUSER: access the XI Directory for configuration
XIISUSER: get cache updates from the XI Directory to the runtime cache
XILDUSER: get the business system name from the System Landscape Directory
[Diagram: Integration Builder (logged on as <YOUR-USER>), Integration Repository (IR), Integration Directory (ID), Integration Server (IS), System Landscape Directory (SLD), Central Monitoring, SAP systems, 3rd party systems, 3rd party middleware component and marketplace/business partner, with the service user used on each connection]
XI Service Users in use during Runtime
XILDUSER: get the business system name from the System Landscape Directory
XIRWBUSER: get monitoring information for the Runtime Workbench
XIISUSER: get cache updates from the XI Directory to the runtime cache
XIAPPLUSER: access XI engines for message processing (SAP template)
XIAFUSER: access the Adapter Framework
[Diagram: Integration Server with Business Process Engine, Integration Engine and Adapter Engine, connected to Central Monitoring (XIRWBUSER), Integration Directory (XIISUSER), System Landscape Directory (XILDUSER) and the Adapter Framework (XIAFUSER); SAP systems on SAP Web AS 6.20 with local Integration Engine, proxy runtime, IDocs and RFCs, and 3rd party apps (file, DB, JMS) connect with a customer-specific copy of XIAPPLUSER; the Partner Connectivity Kit of the apps/systems of a (small) business partner connects with the user from the directory configuration]
Default service users in XI systems and their roles
Created automatically at installation time. Referenced in the Exchange Profile. In the future it will be possible to create custom UserIDs at installation time
<Your XIREPUSER> must have the role: SAP_XI_IR_SERV_USER
<Your XIDIRUSER> must have the role: SAP_XI_ID_SERV_USER
<Your XIAPPLUSER> must have the role: SAP_XI_APPL_SERV_USER
<Your XIISUSER> must have the role: SAP_XI_IS_SERV_USER
<Your XIRWBUSER> must have the role: SAP_XI_RWB_SERV_USER
<Your XIAFUSER> must have the role: SAP_XI_AF_SERV_USER_MAIN
<Your XILDUSER> must have the role: SAP_BC_AI_LANDSCAPE_DB_RFC
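One way to check these assignments against a user/role export, as an added example that is not part of the presentation: the export format, the user names PRDAPPLUSER and JSMITH and the role Z_XI_DEVELOPER are constructed for the example; the `names` argument covers installations that chose their own names for the service users.

```python
# Added example, not from the SAP presentation: audit an exported user/role list
# against the XI 3.0 service users and the roles the slide requires. The export
# format is constructed for this example; a real SU01/SUIM export differs.

REQUIRED_ROLES = {                       # service user -> required role (slide)
    "XIREPUSER": "SAP_XI_IR_SERV_USER",
    "XIDIRUSER": "SAP_XI_ID_SERV_USER",
    "XIAPPLUSER": "SAP_XI_APPL_SERV_USER",
    "XIISUSER": "SAP_XI_IS_SERV_USER",
    "XIRWBUSER": "SAP_XI_RWB_SERV_USER",
    "XIAFUSER": "SAP_XI_AF_SERV_USER_MAIN",
    "XILDUSER": "SAP_BC_AI_LANDSCAPE_DB_RFC",
}

SAMPLE_EXPORT = """\
USER;ROLES
XIREPUSER;SAP_XI_IR_SERV_USER
XIDIRUSER;SAP_XI_ID_SERV_USER,SAP_ALL
PRDAPPLUSER;
XIISUSER;SAP_XI_IS_SERV_USER
XIRWBUSER;SAP_XI_RWB_SERV_USER
XIAFUSER;SAP_XI_AF_SERV_USER_MAIN
XILDUSER;SAP_BC_AI_LANDSCAPE_DB_RFC
JSMITH;Z_XI_DEVELOPER,SAP_XI_IS_SERV_USER
"""   # constructed: one line per user, roles comma-separated, may be empty

def parse_export(text):
    users = {}
    for line in text.splitlines()[1:]:           # skip the header line
        name, roles = line.split(";")
        users[name] = {r for r in roles.split(",") if r}
    return users

def audit(users, names=None):
    # names maps a default service user to the name chosen at installation
    actual = {svc: (names or {}).get(svc, svc) for svc in REQUIRED_ROLES}
    findings = []
    for svc, role in REQUIRED_ROLES.items():
        user, roles = actual[svc], users.get(actual[svc], None)
        if roles is None:
            findings.append(f"{user}: service user missing")
        elif role not in roles:
            findings.append(f"{user}: required role {role} not assigned")
        for extra in sorted((roles or set()) - {role}):   # least privilege
            findings.append(f"{user}: additional role {extra}")
    for name, roles in users.items():               # service roles elsewhere
        if name not in actual.values():
            for role in sorted(roles & set(REQUIRED_ROLES.values())):
                findings.append(f"{name}: holds service-user role {role}")
    return findings
```

Run against the constructed export with `names={"XIAPPLUSER": "PRDAPPLUSER"}`, the audit reports the SAP_ALL assignment on XIDIRUSER, the missing role on PRDAPPLUSER and the service-user role held by the dialog user JSMITH.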
User maintenance
Users and roles are maintained via the standard Web AS ABAP user management (SU01)
After a short delay, the updated users are automatically replicated to the J2EE engine
J2EE user maintenance
In the Visual Administrator tool: Security Provider service
UME (User Management Engine) available as part of the J2EE engine
J2EE User maintenance
[Screenshots: Visual Admin tool and UME frontend]
Security Availability with XI 3.0
Levels of security: Connection Level Security (HTTPS); Message Level Security (for B2B): Signature (Data Integrity, Non-Repudiation of origin, Non-Repudiation of receipt), Encryption
Availability shown for XI 1.0 / XI 2.0, XI 3.0 XI protocol and XI 3.0 RNIF
Technology: WS-Security (XML-Signature) for the XI protocol, S/MIME for RNIF
[Availability matrix: which security level is available in each of the three columns]
Security Outlook
Levels of security: Connection Level Security; Message Level Security (for B2B): Signature (Data Integrity, Non-Repudiation of origin, Non-Repudiation of receipt), Encryption
Availability shown for XI 1.0 / XI 2.0, XI 3.0 XI protocol and XI 3.0 RNIF
Focus of future security enhancements for XI
[Availability matrix as on the previous slide]
Message Exchange
In general, the message exchange between business systems can be separated into two communication segments that are treated differently from an authentication and authorization point of view:
1. Sending system (business system) to Integration Server (XI 3.0), over HTTP(S)
2. Integration Server to receiving system (business system), over HTTP(S)
Technical communication configured only once
Configuration done in the Integration Directory
Message level security
Message level security is enabled through the use of digital signatures in XI 3.0
Digital signatures authenticate the sending partner and ensure data integrity
Adds security qualities to communication level security that are required for B2B communication
Message level security for the XI 3.0 protocol is based on the Web Service security standard (WS-Security); RosettaNet employs the S/MIME standard
Encryption ensures that the message content is confidential (only supported by the RNIF protocol)
Archiving secured messages
For non-repudiation, secured messages are archived in the non-repudiation store
For each secured message the following data is stored:
The raw message
Security policy as configured in the directory
References to certificates in the key store
Identification of the certificate used
The archive can be monitored using the Runtime Workbench
Non repudiation archive only available for the RNIF protocol
Network and Communication Security
HTTP and SSL
XI runtime components support encryption of the HTTP data stream using SSL
An X.509 certificate must be installed on the server component to enable HTTPS
Configuring SSL for message exchange differs between ABAP and Java
SSL can also be configured for technical communication such as cache updates and repository access from the directory
RFC and SNC
Connections between SAP components can be secured by SNC
SNC supports three levels of security protection: authentication only, integrity protection, confidentiality protection
The Web AS security guide explains how to set up SNC
SSL and SNC for secure connections
Secure connections are possible between the following:
Adapters and Integration Server
Business systems and Integration Server
PCK and Integration Server
Business systems and adapters
Cache updates
B2B communication: Recommended setup
[Diagram: Internet and external partners, firewall, outer DMZ with proxy and application gateway, firewall, inner DMZ with the Integration Server (IS), firewall, server LAN with the business systems]
Proxies and application gateways are placed in the outer DMZ, providing access control between the Internet and internal networks
J2EE engine: pointers for security related configuration
[Screenshots of the J2EE key store configuration, in this order:]
Trusted certification authorities in the J2EE key store
Creation of the server certificate
Import the certificate signing response file into your key store
Import the public key of your partner
Partner's public key in the J2EE key store
User authentication for the different views created
Further Documentations
XI 3.0 Security Guide
SAP Web AS Network and Communication Security: this section describes the network and communication security for the SAP Web AS.
SAP Web AS Security Guide for ABAP Technology: this section describes the security aspects involved with the SAP Web AS when using ABAP technology.
SAP Web AS Security Guide for J2EE Technology: this section describes the security aspects involved with the SAP Web AS when using Java or J2EE technology.