8/10/2019 Direct Store Delivery- Security Guide
http://slidepdf.com/reader/full/direct-store-delivery-security-guide 1/21
Direct Store Delivery: Security Guide
Release 2005 A
SAP Online Help 14.11.2006
Direct Store Delivery: Security Guide 2005 2
Copyright
© Copyright 2006 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Icons in Body Text
Icon | Meaning
--- | ---
(icon) | Caution
(icon) | Example
(icon) | Note
(icon) | Recommendation
(icon) | Syntax
Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
Typographic Conventions
Type Style | Description
--- | ---
Example text | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also cross-references to other documentation.
Example text | Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT | Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text | Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT | Keys on the keyboard, for example, F2 or ENTER.
Direct Store Delivery: Security Guide........................................................................................ 5
Introduction ............................................................................................................................ 5
Before You Start..................................................................................................................... 6
Technical System Landscape ................................................................................................ 8
User Administration and Authentication................................................................................. 8
User Management .............................................................................................................. 8
User Data Synchronization............................................................................................... 11
Integration Into Single Sign-On Environments................................................................. 12
Authorizations ...................................................................................................................... 13
Network and Communication Security................................................................................. 14
Communication and Channel Security ............................................................................. 14
Network Security .............................................................................................................. 16
Communication Destinations............................................................................................ 16
Data Storage Security .......................................................................................................... 20
Other Security-Relevant Information.................................................................................... 20
Trace and Log Files ............................................................................................................. 21
Introduction
This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.
Target Audience
• Technology consultants
• System administrators
This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.
Why Is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time.
A mobile device is much more vulnerable than a server. Whereas the server is in a separate room, the mobile device is used on the road, so it is relatively easy to gain physical access to the file system of the mobile device. The operating systems of a number of mobile devices (especially PDAs) also provide neither sufficient protection against access nor authorization systems at file level. Its vulnerability is increased further when a mobile device is shared by multiple users.
The mobile device can be threatened by, for example, the following potential dangers:
• Loss of the device
• Theft
• Use by an unauthorized person
• Data manipulation in the file system
These demands on security apply likewise to the scenario Direct Store Delivery. To assist you in securing the Direct Store Delivery scenario, we provide this Security Guide.
We strongly recommend consulting the SAP Mobile Infrastructure Security Guide, the SAP NetWeaver Security Guide, the SAP ECC Security Guide and the SAP Customer Relationship Management (CRM) Security Guide in addition to this document.
About this Document
Direct Store Delivery (DSD) is a business scenario often used in the Consumer Products industry (CP) to sell and distribute goods directly to the customer's store, bypassing the retailer's warehouses.
Key success factors for the high margins in DSD are:
• An integrated mobile solution to support the sales and distribution activities of your mobile workforce
• Alignment between sales force and distribution through integrated scheduling
• Low distribution costs through efficient visit control.
This security guide provides security-relevant information for the scenario Direct Store Delivery (DSD).
A lot of security-relevant information about the SAP and non-SAP products used can be found in the specific security guides of these products.
For information about the fundamental security guides that relate to Direct Store Delivery, see Before You Start [Page 6].
In many cases the required information has already been provided in other security guides and in configuration and installation guides. In these cases, this guide provides a reference to the relevant units.
All security guides are available at http://service.sap.com/securityguide.
Before You Start
Fundamental Security Guides
Application | Guide | Most relevant sections or specific restrictions
--- | --- | ---
SAP NetWeaver 2004s | SAP NetWeaver Security Guide | SAP NetWeaver 2004s Security Guides (Complete)
SAP Mobile Infrastructure | SAP Mobile Infrastructure Security Guide | SAP NetWeaver 2004s Security Guides (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type MI
SAP ECC 6.0 | mySAP ERP 2005 Security Guide | mySAP ERP 2005 Security Guides
Operating Systems and Database Platforms | SAP NetWeaver 2004s DB and OS Platform Security Guides | SAP NetWeaver 2004s DB and OS Platform Security Guides
For a complete list of the available SAP Security Guides, see the Quick Link securityguide on the SAP Service Marketplace.
You can find all security guides and other security-relevant documentation for Direct Store Delivery as follows:
Guide/Documentation | Full path to the guide
--- | ---
SAP for Consumer Products Master Guide | service.sap.com/instguides → Industry Solution → Industry Solution Master Guides → SAP for Consumer Products
Direct Store Delivery Documentation | help.sap.com → mySAP ERP → SAP ERP Central Component → Logistics → Logistics Execution
SAP Mobile Infrastructure | help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant's Guide → Mobilizing Business Processes
SAP NetWeaver Documentation | help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s
SAP NetWeaver '04 Installation Guide | service.sap.com/instguides → SAP NetWeaver → Release 2004s → Installation
Important SAP Notes
The most important SAP Notes that apply to the security of the scenario Direct Store Delivery are shown in the table below.
SAP Note Number | Title | Comment
--- | --- | ---
775561 | Security Guide: SAP Direct Store Delivery | The note covers all problems discovered after the publication of the security guide, and provides additional information about security issues
602993 | Root Certificates in the Truststore of the SAP ME Client Component |
Additional Information
For more information about specific topics, see the Quick Links as shown in the table below.
Quick Links to Additional Information
Content | Quick Link on the SAP Service Marketplace
--- | ---
Security | service.sap.com/security
Security Guides | service.sap.com/securityguide
Related SAP Notes | service.sap.com/notes
Released platforms | service.sap.com/platforms
Network security | service.sap.com/network, service.sap.com/securityguide
Technical infrastructure | service.sap.com/ti
SAP Solution Manager | service.sap.com/solutionmanager
Technical System Landscape
Use
For more information about the technical system landscape, see the resources listed in the table below.
Topic | Guide/Tool | Quick Link to the SAP Service Marketplace
--- | --- | ---
Technical description for Direct Store Delivery and the underlying technological components such as SAP NetWeaver | Master Guide | service.sap.com/instguides
Technical configuration | Technical Infrastructure Guide | service.sap.com/ti
High Availability | Technical Infrastructure Guide | service.sap.com/ti
Security | | service.sap.com/security
User Administration and Authentication
Direct Store Delivery uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP Web Application Server Java and ABAP. Therefore, the security recommendations and guidelines for user administration and authentication as described in the Security Guide for Usage Type AS also apply to Direct Store Delivery.
In addition to these guidelines, the following topics provide information about user administration and authentication that specifically applies to Direct Store Delivery.
User Management
Use
User management for the Direct Store Delivery scenario uses the mechanisms provided by the SAP Web Application Server ABAP and Java, for example, tools, user types, and password policies. For an overview of how these mechanisms apply to the Direct Store Delivery scenario, see the sections below. In addition, we provide a list of the standard users required for operating the Direct Store Delivery scenario.
User Administration Tools
The table below shows the tools to use for user management and user administration with the Direct Store Delivery scenario.
User Management Tools
Tool | Detailed Description
--- | ---
User Management Engine (UME) administration console | Use the web-based UME administration console to maintain users, roles and authorizations in Java-based systems that use the UME for the user store, for example, the SAP Web AS Java and the Enterprise Portal. The UME also supports various persistency options, such as the ABAP Engine or a directory server.
SAP Web AS Java user management using the Visual Administrator | Use the Visual Administrator to maintain users and roles on the SAP Web AS Java. The SAP Web AS Java also supports a pluggable user store concept. The UME is the default user store.
User Management for the ABAP Engine (transaction code SU01) | Use the user management transaction SU01 to maintain users in ABAP-based systems.
Profile Generator (transaction code PFCG) | Use the Profile Generator to create roles and assign authorizations to users in ABAP-based systems.
Central User Administration (CUA) | Use the CUA to centrally maintain users for multiple ABAP-based systems. Synchronization with a directory server is also supported.
SAP Mobile Infrastructure Client User Management | The SAP Mobile Infrastructure Client Component uses its own User Management. For more information, see the SAP Mobile Infrastructure Security Guide → User Administration and Authentication.
For a detailed description of the user management tools available in SAP NetWeaver, see the SAP Service Marketplace http://service.sap.com/securityguide → SAP NetWeaver Security Guide → User Administration and Authentication → User Management → User Management Tools.
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.
For more information on these user types, see User Types in the Security Guide for Usage Type AS.
Standard Users
The table below shows the standard users that are necessary for operating the Direct Store Delivery scenario.
System | User ID | Type | Password | Description
--- | --- | --- | --- | ---
SAP WebAS | <sapsid>adm | SAP System Administrator | To be entered | SAP NetWeaver 2004s Installation Guide
SAP WebAS | SAPService<sapsid> | SAP System Service Administrator | To be entered | SAP NetWeaver 2004s Installation Guide
SAP WebAS | SAP Standard ABAP Users (SAP*, DDIC, EARLYWATCH, SAPCPIC) | See SAP NetWeaver Security Guide | See SAP NetWeaver Security Guide | SAP NetWeaver 2004s Security Guides (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide → User Authentication → Protection Standard Users
SAP WebAS | SAP Standard SAP Web AS Java Users (Administrator, Guest, Emergency) | See SAP NetWeaver Security Guide | See SAP NetWeaver Security Guide | SAP NetWeaver 2004s Security Guides (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server Java Security Guide → User Administration and Standard Users
SAP MI Client Component | End user | Dialog | No | Security Guide for Usage Type MI*
SAP MI Server Component | End user | Dialog | INIT if created with copy function | Security Guide for Usage Type MI*
SAP MI Server Component | Administrators for the SAP MI Web Console | Dialog | No | Security Guide for Usage Type MI*
SAP MI Server Component | Administrator for CCMS | Dialog | No | Security Guide for Usage Type MI*
SAP MI Server Component | Administrator for Smart Synchronization | Dialog | No | Security Guide for Usage Type MI*
SAP MI Server Component | Batch user for batch tasks | System or dialog | No | Security Guide for Usage Type MI*
SAP MI Server Component | Service user for displaying detailed error message texts if server logon failed | System | No | Security Guide for Usage Type MI*
Backend | End user | Dialog | No | Security Guide for Usage Type MI*
* You will find further information in the SAP NetWeaver 2004s Security Guides (Complete) under Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type MI → Security Guide for SAP Mobile Infrastructure → User Administration → User Types
For information about SAP NetWeaver standard users, see the SAP Service Marketplace http://service.sap.com/ → SAP NetWeaver 2004s Security Guides (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide → User Authentication → Protection Standard Users.
For information about SAP NetWeaver password rules, see the SAP Service Marketplace http://service.sap.com/securityguide → SAP NetWeaver 2004s Security Guides (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide → User Authentication → Authentication and Single Sign-On → Logon and Password Security in the SAP System → Password Rules.
For information about SAP Mobile Infrastructure passwords and password rules, see the SAP NetWeaver 2004s Security Guides (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type MI → Security Guide for SAP Mobile Infrastructure → Authentication → Passwords (Without Single Sign-On).
User Data Synchronization
Use
To reduce administrative effort, user data synchronization can be useful in your system landscape. As the components of the Direct Store Delivery scenario are based on SAP NetWeaver, all the mechanisms for user data synchronization of SAP NetWeaver are available for Direct Store Delivery.
For information about user data synchronization, see the SAP Service Marketplace at http://service.sap.com/securityguide → SAP NetWeaver 2004s Security Guide (Complete) → User Administration and Authentication → Integration of User Management in Your System Landscape.
Integration Into Single Sign-On Environments
Use
Direct Store Delivery partly supports the Single Sign-On (SSO) mechanisms provided by the SAP Web Application Server Java and ABAP. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP Web Application Server Security Guide also apply to SAP Direct Store Delivery.
The supported mechanisms are listed below.
SAP Mobile Infrastructure does not support single sign-on. For more information, see the SAP NetWeaver 2004s Security Guides (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type MI → Security Guide for SAP Mobile Infrastructure → Authentication → Passwords (Without Single Sign-On).
Secure Network Communications (SNC)
SNC is available for user authentication and provides for an SSO environment when using SAP GUI for Windows or remote function calls.
For more information, see Secure Network Communications (SNC) in the Security Guide for Usage Type AS.
SAP log-on tickets
Direct Store Delivery supports the use of log-on tickets for SSO when using a Web browser as the front-end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.
You can find more information under SAP Log-on Tickets in the Security Guide for Usage Type AS.
Client certificates
As an alternative to user authentication using a user ID and password, users using a Web browser as a front-end client can also provide X.509 client certificates for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer protocol (SSL) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.
You can find more information under Client Certificates in the Security Guide for Usage Type AS.
Authorizations
Use
The Direct Store Delivery scenario uses the authorization concept provided by the SAP Web Application Server. Therefore, the recommendations and guidelines for authorizations as described in the Security Guide for Usage Type AS also apply to the Direct Store Delivery scenario.
The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the SAP Web AS ABAP and the User Management Engine's user administration console for SAP Web AS Java.
For information about assigning applications to the users of a role in the SAP Mobile Infrastructure, see the documentation of SAP Mobile Infrastructure on help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant's Guide → Mobilizing Business Processes → Assigning of Mobile Components to Users → Assigning Mobile Components Using a Role Profile.
The Direct Store Delivery scenario, based on the component SAP Mobile Infrastructure, also uses some additional mechanisms to control the authorizations and the access of the users. These mechanisms are listed below.
Role Editing for Mobile Applications
Authorizations are assigned in the SAP Mobile Infrastructure according to the SAP authorization concept.
You can find detailed information about the authorization concept of SAP Mobile Infrastructure in the documentation of SAP Mobile Infrastructure on help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant's Guide → Mobilizing Business Processes → Configuration of SAP NetWeaver AS → General Settings → Role Editing.
Creating a User Group for Synchronization
If mobile applications are assigned to a role in a backend system, the role synchronization (WAF_DEPLOYMENT_FROM_ROLES) creates, for each user with this role that does not yet exist on the SAP Web AS, a user with the same name, without authorizations and with an initial password. Treat these generated users like any other user account: they exist on the SAP Web AS with an initial password until it is changed.
The detailed description of this functionality can be found in the documentation of SAP Mobile Infrastructure on help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant's Guide → Mobilizing Business Processes → Configuration of SAP NetWeaver AS → General Settings → Creating a User Group for Synchronization.
Maintaining Transaction Screens for the Settlement Cockpit
The transaction screens visible in the Settlement Cockpit can be controlled by two special customizing tables. In the first, the screens available in the Settlement Cockpit are maintained; in the second, the available screens can be set active or inactive.
The detailed description of this functionality can be found in the Direct Store Delivery Configuration Guide → Route Accounting → Route Settlement → Settlement Cockpit → Maintaining Transaction Screens and Activating Transaction Types.
Accessibility Control on the Mobile Devices
To administer security measures on mobile devices, the accessibility of specified transactions on the mobile device by mobile users can be controlled by customizing settings. Groups and group-specific roles are linked, and can be given a password.
The detailed description of this functionality can be found in the Direct Store Delivery Configuration Guide → Mobile Device Connectivity → Administration of Mobile Devices.
Administration of Mobile Device Settings
The administrator's control over mobile applications on mobile devices can be configured by customizing settings on different levels: globally, by group, or for individual devices.
The detailed description of this functionality can be found in the Direct Store Delivery Configuration Guide → Mobile Device Connectivity → Administration of Mobile Device Settings.
Network and Communication Security
Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) and network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, intruders cannot use those layers to compromise the machines and gain access to the backend system's database or files.
Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for the Direct Store Delivery scenario is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the Direct Store Delivery scenario. Details that specifically apply to the Direct Store Delivery scenario are described in the following topics.
For more information, see the following sections in the SAP NetWeaver Security Guide:
• Network and Communication Security
• Security Aspects for Connectivity and Interoperability
Communication and Channel Security
Use
As communication channels transfer all kinds of your business data, they should be protected against unauthorized access. SAP offers general recommendations and technologies to protect your system landscape, based on SAP NetWeaver.
You should activate Secure Network Communications (SNC) for RFC and the Secure Sockets Layer protocol (SSL) for HTTP on all communication channels in the Direct Store Delivery scenario to achieve a secure system landscape.
For information about the communication security of SAP NetWeaver, see the SAP Service Marketplace at http://service.sap.com/securityguide → SAP NetWeaver 2004s Security Guides (Complete) → Network and Communication Security.
For information about security aspects for connectivity and interoperability of SAP NetWeaver, see the SAP Service Marketplace at http://service.sap.com/securityguide → SAP NetWeaver 2004s Security Guides (Complete) → Security Guides for Connectivity and Interoperability Technologies.
For information about security aspects for connectivity and interoperability of SAP Mobile Infrastructure, see the documentation of SAP Mobile Infrastructure on help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant's Guide → Mobilizing Business Processes → Installing SAP MI on the Mobile Device → Configuration of Security (Optional).
The table below shows the communication paths used by the Direct Store Delivery scenario, the protocol used for the connection and the type of data transferred.
Communication Paths
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
--- | --- | --- | ---
Front-end client using SAP GUI for Windows to application server | DIAG | All application data | For example passwords, business data
Front-end client using a Web browser to application server | HTTP(S) | All application data | For example passwords, business data
Application server to application server | RFC, HTTP(S) | Integration data | Business data
Application server to third-party application | HTTP(S) | All application data | For example passwords, business data
For more information about communication paths and the data sent and received within the Direct Store Delivery scenario, see the SAP Service Marketplace at http://service.sap.com/ibc → Industry Solutions → Consumer Products → Direct Store Delivery → Configuration Guide → System Connections.
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected by using HTTPS, that is, HTTP over the Secure Sockets Layer (SSL) protocol; plain HTTP offers no protection for the passwords and business data listed above.
For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
Network Security
Use
Your network infrastructure is extremely important in protecting your system. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level), or network attacks such as eavesdropping. SAP offers general recommendations to protect your system landscape based on SAP NetWeaver.
For information about network security of SAP NetWeaver, see the SAP Service Marketplace at http://service.sap.com/securityguide → SAP NetWeaver 2004s Security Guides (Complete) → Network and Communication Security.
A minimum security demand for your network infrastructure is the use of a firewall for all your services provided via the Internet.

A more secure variant is to protect your systems (or groups of systems) by locating the different "groups" in different network segments, each protected with a firewall against unauthorized access. Note that external security attacks can also come from "inside", if the intruder has already taken over control of one of your systems.
For information about access control using firewalls, see the SAP Service Marketplace at http://service.sap.com/securityguide → SAP NetWeaver 2004s Security Guides (Complete) → Network and Communication Security → Using Firewall Systems for Access Control.
Communication Destinations
Use
Careless handling of the users and authorizations assigned to connection destinations can create serious security flaws!
Golden Rules for connection users and authorizations:

• Choose user type connection or system.
• Assign only the minimum required authorizations to the user.
• Choose a secure and secret password for the user.
• Store only connection user log-on data for users of type connection or system.
• Choose trusted system functionality whenever possible instead of storing connection user logon data.
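The transport rule above (SNC for DIAG and RFC, SSL for HTTP) and the golden rules for connection users are simple enough to check automatically against an inventory of destinations. The following is an added example, not SAP code or part of this guide: it audits a constructed list of destinations (the field names, the inventory format and the sample entries are assumptions made for the example; SAP's own RFC destination maintenance looks different) and reports every rule a destination breaks.

```python
"""Policy check for the connection destinations of a DSD landscape.

Added example, not SAP code. It encodes the guide's rules: DIAG/RFC
connections need SNC, HTTP connections need SSL, destination users are of
type connection (communication) or system with minimal authorizations, and
stored logon data is only the fallback where a trusted-system relationship
is not possible. The inventory format below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Transport protection the guide calls for, per protocol.
SNC_PROTOCOLS = {"DIAG", "RFC"}   # protect with Secure Network Communications
TLS_PROTOCOLS = {"HTTP"}          # protect with SSL (HTTPS)

# User types that may own stored destination logon data. The guide says
# "connection or system"; SAP user maintenance labels the former
# "communication" (type C), so both spellings are accepted.
ALLOWED_USER_TYPES = {"connection", "communication", "system"}

# Profiles that are never "the minimum required authorizations".
BROAD_AUTHORIZATIONS = {"SAP_ALL", "SAP_NEW", "*"}


@dataclass
class Destination:
    """One connection destination, in the constructed inventory format."""
    name: str
    protocol: str                     # "RFC", "DIAG" or "HTTP"
    snc: bool = False                 # SNC active on this destination
    tls: bool = False                 # HTTPS/SSL active on this destination
    trusted_system: bool = False      # logon via trusted-system relationship
    stored_logon: bool = False        # user and password stored in destination
    user_type: Optional[str] = None   # SAP user type of the destination user
    authorizations: Tuple[str, ...] = ()


def audit_destination(d: Destination) -> List[str]:
    """Return the guide's rules that this destination violates (empty if clean)."""
    findings: List[str] = []
    proto = d.protocol.upper()

    # Rule: DIAG and RFC are protected with SNC, HTTP with SSL.
    if proto in SNC_PROTOCOLS and not d.snc:
        findings.append(f"{proto} connection without SNC")
    if proto in TLS_PROTOCOLS and not d.tls:
        findings.append("HTTP connection without SSL")

    # Rules on stored logon data and the type of the stored user.
    if d.stored_logon:
        utype = (d.user_type or "").lower()
        if utype not in ALLOWED_USER_TYPES:
            findings.append(
                f"logon data stored for user of type {d.user_type!r}; "
                "only connection/system users may be stored")
        if not d.trusted_system:
            findings.append(
                "logon data stored; check whether a trusted-system "
                "relationship can replace it")

    # Rule: only the minimum required authorizations.
    for auth in d.authorizations:
        if auth.upper() in BROAD_AUTHORIZATIONS:
            findings.append(
                f"authorization {auth} is broader than the minimum required")
    return findings


def audit_landscape(destinations: List[Destination]) -> Dict[str, List[str]]:
    """Map each destination name that has findings to its list of findings."""
    report: Dict[str, List[str]] = {}
    for d in destinations:
        findings = audit_destination(d)
        if findings:
            report[d.name] = findings
    return report


# Constructed sample inventory, loosely modelled on the destinations the
# guide lists; the settings are invented to exercise each rule.
SAMPLE_DESTINATIONS = [
    Destination("DSD_BACKEND_TO_CONNECTOR", "RFC", snc=True, trusted_system=True,
                user_type="system", authorizations=("S_RFC",)),
    Destination("CONNECTOR_TO_MI_SERVER", "RFC", stored_logon=True,
                user_type="dialog", authorizations=("SAP_ALL",)),
    Destination("MOBILE_DEVICE_TO_MI_SERVER", "HTTP", tls=False),
]

if __name__ == "__main__":
    for name, findings in audit_landscape(SAMPLE_DESTINATIONS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run stand-alone, the script lists only the two sample destinations that break a rule; the first entry (SNC active, trusted-system logon, system user with a narrow authorization) produces no findings. The "trusted-system" advisory fires for every stored logon, because the guide asks to prefer trust relationships "whenever possible" and an inventory alone cannot tell whether that is possible.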
The table below shows an overview of the communication destinations used by the scenario Direct Store Delivery.
Connection Destinations
Destination: DSD Backend → DSD Connector
Delivered: No
Type: RFC – R/3
User, Authorizations: -
Description: Direct Store Delivery Configuration Guide → System Connections → Connection of DSD Backend to DSD Connector → Defining an RFC Destination for the DSD Backend/Connector
and SAP Mobile Infrastructure Installation Guide → Installation of the SAP Mobile Infrastructure 2.5 → Configuration → Configuration of the SAP MI ABAP Server Component → Creating an RFC Destination Pointing to the Backend
and SAP Mobile Infrastructure Installation Guide → Installation of the SAP Mobile Infrastructure 2.5 → Configuration → Configuration of Smart Synchronization (optional) → Defining RFC Destinations for SyncBOs

Destination: DSD Connector → DSD Backend
Delivered: No
Type: RFC – R/3
User, Authorizations: -
Description: SAP Direct Store Delivery Configuration Guide → System Connections → Connection of DSD Backend to DSD Connector → Defining an RFC Destination for the DSD Backend/Connector
and Documentation of SAP Mobile Infrastructure: help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant's Guide → Mobilizing Business Processes → Configuration of Mobile Applications → Creating an RFC Destination Pointing to the Backend
and Documentation of SAP Mobile Infrastructure: help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant's Guide → Mobilizing Business Processes → Configuration of Mobile Applications → Defining RFC Destinations for SyncBOs
Destination: DSD Connector → Mobile Infrastructure Server Component
Delivered: No
Type: RFC – R/3
User, Authorizations: -
Description: Direct Store Delivery Configuration Guide → System Connections → Connection of DSD Connector to Mobile Infrastructure Server Component → Defining an RFC Destination on the DSD Connector
and Direct Store Delivery Configuration Guide → Mobile Device Connectivity → Logical System Connectivity

Destination: Mobile Infrastructure Server Component → DSD Connector
Delivered: No
Type: RFC – R/3
User, Authorizations: -
Description: Direct Store Delivery Configuration Guide → System Connections → Connection of Mobile Infrastructure Server Component to DSD Connector → Defining RFC Destination on Mobile Infrastructure Server Component
and Direct Store Delivery Configuration Guide → Mobile Device Connectivity → Logical System Connectivity

Destination: Mobile Device → Mobile Infrastructure Server Component
Delivered: No
Type: http(s)
User, Authorizations: -
Description: Documentation of SAP Mobile Infrastructure: help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant's Guide → Mobilizing Business Processes → Installing SAP MI on the Mobile Device → Parameters for Installation on the Mobile Device
and Documentation of SAP Mobile Infrastructure: help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant's Guide → Mobilizing Business Processes → Installing SAP MI on the Mobile Device → Editing User Settings
Data Storage Security
Use
The data storage security of SAP NetWeaver and components installed on this base is described in detail in the SAP NetWeaver Security Guide.

For information about the data storage security of SAP NetWeaver, see the SAP Service Marketplace at http://service.sap.com/securityguide → SAP NetWeaver Security Guide → Operating System and Database Platform Security Guides.

For information about the data storage security of SAP Mobile Infrastructure, see the SAP Service Marketplace at http://service.sap.com/securityguide → SAP NetWeaver 2004s Security Guides (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type MI → Security Guide for SAP Mobile Infrastructure → Data Security.
Other Security-Relevant Information
Web Browser as User Front End
To use the Web browser as user front end, JavaScript (Active Scripting) must be activated in the browser, otherwise the user interface does not work. This could conflict with your security policy regarding web services.
Pre-defining and Setting Parameters for all Users within the SAP Mobile Infrastructure

To predefine or set certain parameters for all users in the SAP Mobile Infrastructure, you can modify the file MobileEngine.config. Security-relevant parameters such as SSL and password handling can also be set in this configuration file.

The detailed description of the predefining and setting of security-relevant parameters within the SAP Mobile Infrastructure can be found in the documentation of SAP Mobile Infrastructure on help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant's Guide → Mobilizing Business Processes → Configuration of Mobile Devices → Preconfiguration of SAP MI Client (Optional) → Preconfiguring on Windows32 Platforms.
Setting the Screen Mode of the SAP MI Client Component
You can define that the SAP MI Client Component should always start in full screen mode or in minimized mode on the mobile device by adding files to the installation.

The detailed description of setting the screen mode for the SAP MI Client Component can be found in the documentation of SAP Mobile Infrastructure on help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant's Guide → Mobilizing Business Processes → Configuration of Mobile Devices → Preconfiguration of SAP MI Client (Optional) → Setting the Screen Mode of the SAP MI Client Component.
Trace and Log Files
Use
All trace and log files use SAP NetWeaver standard mechanisms.
For information about the trace and log files of SAP NetWeaver, see the SAP Service Marketplace at http://service.sap.com/securityguide → SAP NetWeaver Security Guide.
Route Accounting
Within the DSD Route Accounting functionality it is possible to switch the application log on or off. Information about the application log of DSD Route Accounting can be found in the Direct Store Delivery Configuration Guide → Route Accounting → Basic Functions → Application Log.