7/30/2019 Security in SAP XI 3.0
1/28
SAP AG 2004, Title of Presentation / Speaker Name / #
Topics
Agenda
Introduction to SAP XI 3.0
System Landscape Directory
Integration Repository
Integration Directory
Monitoring
Adapter Framework
Business Process Management
Server Administration
Security
B2B and Industry Standards
Security Topics
Authentication & Authorization
Message level security
Network and Communication Security
Recommended setup for inter-enterprise connectivity
Some pointers for certificate management in the J2EE key store
Why Is Security Necessary?
Business processes executed using XI have to be run in a secure manner.
XML messages which contain confidential business data need to be transported over a secure connection.
Security requirements also apply to the communication between XI components, e.g. securing information like user names and passwords.
User administration and authentication
All components of XI 3.0 that run on SAP Web AS use the underlying infrastructure provided by the Web AS for the following:
User management
Administration
Authorizations
Authentication
The only exception is the J2SE adapters, which run stand-alone outside the Web AS.
User administration and authentication
User Store
Standard: users are maintained in the ABAP user store
Can also be integrated with LDAP based user administration
Certificate Store
The XI and RNIF protocols support message level security based on digital signatures; the RNIF protocol also supports encryption
The certificates to be used need to be entered into the key store of the J2EE engine
In the Integration Directory these certificates are referenced by the name of the key store view and the certificate name
It is recommended to store CA certificates in the TrustedCAs view
Users
With respect to authentication and authorization, we distinguish two major scenarios. During design and configuration, dialog users communicate with XI through the Integration Builder. At runtime the actors are computer systems rather than humans.
1. At design and configuration time (Integration Repository and Integration Directory): real users
2. At runtime: computer systems
Dialog Users
Dialog users represent human users that log on through the various UIs of the Integration Builder.
Dialog users are generally maintained in the ABAP part of the SAP Web AS.
The roles for the different dialog users are predefined and shipped with the installation.
Service Users
Service users provide dialog-free access to XI components.
Service users have SAP user roles on the ABAP part of the Web Application Server.
They are made available on the J2EE part as user groups.
Service users have the required authorizations to access the required services on the addressed XI components.
Service users are created during installation.
Names and passwords can be assigned during installation.
Service Users during Design and Configuration
XIREPUSER - Access the Integration Repository for design
XIDIRUSER - Access the Integration Directory for configuration
XIISUSER - Get cache updates from the Integration Directory into the runtime cache
XILDUSER - Get the business system name from the System Landscape Directory
[Figure: Integration Builder with Integration Directory (ID) and Integration Repository (IR); Integration Server (IS); System Landscape Directory (SLD); Central Monitoring; SAP systems, 3rd party systems, 3rd party middleware component, marketplace/business partner. The connections are labelled XIISUSER, XIREPUSER and XIDIRUSER.]
XI Service Users in use during Runtime
XILDUSER - Get the business system name from the System Landscape Directory
XIRWBUSER - Get monitoring information into the Runtime Workbench
XIISUSER - Get cache updates from the Integration Directory into the runtime cache
XIAPPLUSER - Access the XI engines for message processing (SAP template; at runtime a customer specific copy of XIAPPLUSER is used)
XIAFUSER - Access the Adapter Framework
[Figure: SAP system (IDocs, RFCs), SAP Web AS 6.20 proxy, 3rd party apps (file, DB, JMS), apps of business partner, local Integration Engine / proxy runtime, Partner Connectivity Kit for apps/systems of (small) business partners; Integration Server with Business Process Engine, Integration Engine and Adapter Engine; Central Monitoring; Integration Directory; System Landscape Directory. The connections are labelled XILDUSER, customer specific copy of XIAPPLUSER, XIAFUSER, XIRWBUSER and XIISUSER.]
Default service users in XI systems and their roles
Created automatically at installation time.
Referenced in the Exchange Profile.
In the future it will be possible to create custom user IDs at installation time.
XIREPUSER  must have the role SAP_XI_IR_SERV_USER
XIDIRUSER  must have the role SAP_XI_ID_SERV_USER
XIAPPLUSER must have the role SAP_XI_APPL_SERV_USER
XIISUSER   must have the role SAP_XI_IS_SERV_USER
XIRWBUSER  must have the role SAP_XI_RWB_SERV_USER
XIAFUSER   must have the role SAP_XI_AF_SERV_USER_MAIN
XILDUSER   must have the role SAP_BC_AI_LANDSCAPE_DB_RFC
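The user/role pairs above are what an administrator has to check after installation and again after every role transport. The script below is an added example and not part of the SAP slides: it audits a flat export of ABAP user and role assignments (one line per assignment, USER TYPE ROLE, where TYPE is the SU01 user type and A means dialog) against the list on the slide. The export format, the two sample exports and the finding names are constructed for this example; a real check would feed it a download from SU01 or the AGR_USERS/USR02 tables instead.

```shell
#!/bin/sh
# Added example (not from the SAP slides): audit a constructed export of ABAP
# user/role assignments against the XI 3.0 service users and their required roles.
# Export line format (assumed for this example): USER TYPE ROLE, TYPE = SU01 user type.

# Service user -> required role, as listed on the slide.
XI_REQUIRED_ROLES='XIREPUSER SAP_XI_IR_SERV_USER
XIDIRUSER SAP_XI_ID_SERV_USER
XIAPPLUSER SAP_XI_APPL_SERV_USER
XIISUSER SAP_XI_IS_SERV_USER
XIRWBUSER SAP_XI_RWB_SERV_USER
XIAFUSER SAP_XI_AF_SERV_USER_MAIN
XILDUSER SAP_BC_AI_LANDSCAPE_DB_RFC'

# Constructed "bad" export: XIDIRUSER carries the wrong role, XIISUSER was created
# as a dialog user (type A) and also got SAP_ALL, XILDUSER does not exist at all.
SAMPLE_EXPORT_BAD='XIREPUSER B SAP_XI_IR_SERV_USER
XIDIRUSER B SAP_XI_RWB_SERV_USER
XIAPPLUSER B SAP_XI_APPL_SERV_USER
XIISUSER A SAP_XI_IS_SERV_USER
XIISUSER A SAP_ALL
XIRWBUSER B SAP_XI_RWB_SERV_USER
XIAFUSER B SAP_XI_AF_SERV_USER_MAIN'

# Constructed "clean" export: every service user exists, is non-dialog and holds
# exactly its required role.
SAMPLE_EXPORT_OK='XIREPUSER B SAP_XI_IR_SERV_USER
XIDIRUSER B SAP_XI_ID_SERV_USER
XIAPPLUSER B SAP_XI_APPL_SERV_USER
XIISUSER B SAP_XI_IS_SERV_USER
XIRWBUSER B SAP_XI_RWB_SERV_USER
XIAFUSER B SAP_XI_AF_SERV_USER_MAIN
XILDUSER B SAP_BC_AI_LANDSCAPE_DB_RFC'

# audit_xi_service_users EXPORT
# Prints one finding per line; empty output means the export is clean.
#   MISSING_USER <user>           service user absent from the export
#   MISSING_ROLE <user> <role>    service user lacks its required role
#   DIALOG_TYPE <user>            service user is a dialog user (type A), but the
#                                 slides say service users give dialog-free access
#   EXCESSIVE_ROLE <user> <role>  service user holds SAP_ALL or SAP_NEW
audit_xi_service_users() {
    export_data=$1
    printf '%s\n' "$XI_REQUIRED_ROLES" | while read -r user role; do
        if ! printf '%s\n' "$export_data" | grep -q "^$user "; then
            echo "MISSING_USER $user"
            continue
        fi
        if ! printf '%s\n' "$export_data" | grep -q "^$user [A-Z] $role\$"; then
            echo "MISSING_ROLE $user $role"
        fi
        if printf '%s\n' "$export_data" | grep -q "^$user A "; then
            echo "DIALOG_TYPE $user"
        fi
    done
    # Wildcard roles defeat the per-component split of the service users.
    printf '%s\n' "$export_data" |
        awk '$3 == "SAP_ALL" || $3 == "SAP_NEW" { print "EXCESSIVE_ROLE", $1, $3 }'
}

# Demo run with the constructed exports.
echo "== bad export =="
audit_xi_service_users "$SAMPLE_EXPORT_BAD"
echo "== clean export (no findings expected) =="
audit_xi_service_users "$SAMPLE_EXPORT_OK"
```

The per-user checks are deliberately strict about the exact role name (a role copied to a customer namespace, as the slides suggest for XIAPPLUSER, shows up as MISSING_ROLE and should be added to the required list rather than ignored), and the SAP_ALL/SAP_NEW check catches the common shortcut of "fixing" a failing service user by over-authorizing it.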
User maintenance
Users and roles are maintained via the standard Web AS ABAP user management (transaction SU01).
After a short delay, the updated users are automatically replicated to the J2EE engine.
J2EE user maintenance: in the Visual Administrator tool, security provider service. The UME (User Management Engine) is available as part of the J2EE engine.
J2EE User maintenance
[Screenshots: Visual Admin tool and UME frontend]
Security Availability with XI 3.0

Levels of Security                  XI 1.0 / XI 2.0   XI 3.0 XI protocol   XI 3.0 RNIF
Connection Level Security (HTTPS)          x                  x                 x
Message Level Security (for B2B)
  Signature                                                   x                 x
  Data Integrity                                              x                 x
  Non-Repudiation of origin                                   x                 x
  Non-Repudiation of receipt                                                    x
  Encryption                                                                    x
Technology                                          WS-Security (XML-Signature)   S/MIME
Security Outlook
The availability table above (connection level security; message level security for B2B: signature, data integrity, non-repudiation of origin, non-repudiation of receipt, encryption) is shown again, with the focus of future security enhancements for XI highlighted.
Message Exchange
In general, the message exchange between business systems can be separated into two communication segments that are treated differently from an authentication and authorization point of view:
1. Sending system to Integration Server
2. Integration Server to receiving system
Both segments use HTTP(S). The technical communication is configured only once; the configuration is done in the Integration Directory.
[Figure: Business System -> HTTP(S) -> XI 3.0 Integration Server -> HTTP(S) -> Business System]
Message level security
Message level security is enabled through the use of digital signatures in XI 3.0.
Digital signatures authenticate the sending partner and ensure data integrity.
They add security qualities to connection level security that are required for B2B communication.
Message level security for the XI 3.0 protocol is based on the Web Services Security standard (WS-Security with XML-Signature).
RosettaNet (RNIF) employs the S/MIME standard.
Encryption ensures that the message content is confidential; it is only supported by the RNIF protocol.
Archiving secured messages
For non-repudiation, secured messages are archived in the non-repudiation store.
For each secured message the following data is stored:
The raw message
The security policy as configured in the Integration Directory
References to the certificates in the key store
Identification of the certificate used
The archive can be monitored using the Runtime Workbench.
The non-repudiation archive is only available for the RNIF protocol.
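The two sections above (message level security, and what the non-repudiation store keeps per message) are easiest to understand by doing them once by hand. The script below is an added example and not part of the SAP slides; it uses openssl's S/MIME implementation, i.e. the standard the RNIF protocol uses (the XI protocol's WS-Security/XML-Signature is not reproduced here). The sample order document, the partner names, the self-signed certificates that stand in for key store entries, and the layout of the archive entry are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the SAP slides: signature, data integrity, non-repudiation
# of origin and encryption with S/MIME (RNIF style), plus a non-repudiation store
# entry and its later re-verification. All names and data are constructed.

# xi_msg_setup DIR: two partners with self-signed certificates. Each partner's
# certificate is what the other side would import into its J2EE key store.
xi_msg_setup() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Sending Partner" \
        -keyout "$dir/sender.key" -out "$dir/sender.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Receiving Partner" \
        -keyout "$dir/receiver.key" -out "$dir/receiver.crt" 2>/dev/null
    # Constructed business document (not a real RosettaNet PIP payload).
    printf '%s\n' '<?xml version="1.0"?>' \
        '<PurchaseOrder><Partner>SENDER01</Partner><Amount currency="EUR">12500.00</Amount></PurchaseOrder>' \
        > "$dir/order.xml"
}

# Sender: clear-signed S/MIME. Signature, data integrity and non-repudiation of
# origin all come from this one step; the signer certificate travels with the message.
xi_sign() {
    openssl smime -sign -in "$1/order.xml" -signer "$1/sender.crt" -inkey "$1/sender.key" \
        -out "$1/order.signed"
}

# Receiver: xi_verify DIR FILE checks FILE against the sender certificate held in
# the key store. Prints VERIFIED or INVALID; any change after signing gives INVALID.
xi_verify() {
    if openssl smime -verify -in "$2" -CAfile "$1/sender.crt" -out /dev/null 2>/dev/null; then
        echo VERIFIED
    else
        echo INVALID
    fi
}

# In-transit manipulation of the clear-signed payload: the amount is changed.
xi_tamper() {
    sed 's/12500\.00/1250.00/' "$1/order.signed" > "$1/order.tampered"
}

# Encryption (RNIF only in XI 3.0): the signed message is enveloped for the
# receiver's certificate; only the receiver's private key opens it.
xi_encrypt() {
    openssl smime -encrypt -binary -aes256 -in "$1/order.signed" -out "$1/order.enc" "$1/receiver.crt"
}
xi_decrypt() {
    openssl smime -decrypt -in "$1/order.enc" -recip "$1/receiver.crt" -inkey "$1/receiver.key" \
        -out "$1/order.dec"
}

# Non-repudiation store entry: the raw message as received, the security policy
# that was applied, the key store reference and an identification (fingerprint)
# of the certificate used. xi_archive DIR MSGID
xi_archive() {
    entry="$1/nrstore/$2"
    mkdir -p "$entry"
    cp "$1/order.signed" "$entry/raw.msg"
    printf 'signature=required\nencryption=required\nprotocol=RNIF\n' > "$entry/policy.txt"
    printf 'keystore_view=partners\ncert_name=sender\n' > "$entry/cert_ref.txt"
    openssl x509 -in "$1/sender.crt" -noout -fingerprint -sha256 | cut -d= -f2 > "$entry/cert_sha256.txt"
}

# Later dispute: re-verify the archived raw message with the referenced certificate
# and confirm that certificate is still the one identified at archive time.
xi_archive_check() {
    entry="$1/nrstore/$2"
    now=$(openssl x509 -in "$1/sender.crt" -noout -fingerprint -sha256 | cut -d= -f2)
    if [ "$now" = "$(cat "$entry/cert_sha256.txt")" ] && \
       [ "$(xi_verify "$1" "$entry/raw.msg")" = VERIFIED ]; then
        echo VERIFIED
    else
        echo INVALID
    fi
}

# Demo run.
M=$(mktemp -d)
xi_msg_setup "$M"; xi_sign "$M"; xi_tamper "$M"
echo "original:  $(xi_verify "$M" "$M/order.signed")"
echo "tampered:  $(xi_verify "$M" "$M/order.tampered")"
xi_encrypt "$M"; xi_decrypt "$M"
echo "decrypted: $(xi_verify "$M" "$M/order.dec")"
xi_archive "$M" MSG0001
echo "archive:   $(xi_archive_check "$M" MSG0001)"
```

Two points the script makes that the slides only state: the archive has to keep the message exactly as it arrived (the signed bytes, not the parsed payload), because re-verification is what turns the stored signature into evidence; and storing the certificate fingerprint next to the key store reference matters, since a key store entry can be replaced later while its view and name stay the same.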
Network and Communication Security
HTTP and SSL
XI runtime components support encryption of the HTTP data stream using SSL.
A certificate based on X.509 must be installed on the server component to enable HTTPS.
Configuring SSL for message exchange differs between ABAP and Java.
SSL can also be configured for technical communication like cache updates and repository access from the directory.
RFC and SNC
Connections between SAP components can be secured by SNC (Secure Network Communications).
SNC supports three levels of security protection:
Authentication only
Integrity protection
Confidentiality protection
The Web AS security guide explains how to set up SNC.
SSL and SNC for secure connections
Secure connections are possible:
Between adapters and the Integration Server
Between business systems and the Integration Server
Between the PCK and the Integration Server
Between business systems and adapters
For cache updates
B2B communication: recommended setup
[Figure: External partners and the Internet, then firewalls separating the outer DMZ (proxy, application gateway), the inner DMZ and the server LAN (Integration Server, business systems)]
Proxies and application gateways are placed in the outer DMZ, providing access control between the Internet and the internal networks.
J2EE engine: pointers for security related configuration
The following steps are shown as Visual Administrator screenshots:
1. Trusted certification authorities in the J2EE key store (TrustedCAs view)
2. Creation of the server certificate
3. Import the certificate signing response file into your key store
4. Import the public key of your partner
5. The partner's public key in the J2EE key store
6. User authentication for the different views created
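The screenshots cannot be reproduced here, so the same key store lifecycle is replayed below with openssl in a scratch directory. This is an added example and not part of the SAP slides: subdirectories stand in for J2EE key store views (TrustedCAs, server, partner), the subject names and the "rogue" partner certificate are assumptions made for this example, and the CA is simulated locally so that the signing response can be produced offline.

```shell
#!/bin/sh
# Added example, not from the SAP slides: the key store steps from the screenshots
# (trusted CA, server certificate, signing response import, partner public key)
# replayed with openssl. Directory names stand in for J2EE key store views.

# xi_keystore_setup DIR: populate the scratch key store.
xi_keystore_setup() {
    dir=$1
    mkdir -p "$dir/TrustedCAs" "$dir/server" "$dir/partner"
    # 1. A CA certificate goes into the TrustedCAs view. We also play the CA here,
    #    so its private key is kept (a real CA never hands that out).
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example XI Test CA" \
        -keyout "$dir/ca.key" -out "$dir/TrustedCAs/ca.crt" 2>/dev/null
    # 2. Server certificate creation: key pair plus certificate signing request.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=xi.example.internal" \
        -keyout "$dir/server/server.key" -out "$dir/server/server.csr" 2>/dev/null
    # 3. The CA's signing response, imported back into the server view.
    openssl x509 -req -in "$dir/server/server.csr" -CA "$dir/TrustedCAs/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 2 -out "$dir/server/server.crt" 2>/dev/null
    # 4. Partner public key import: the partner sends only a certificate issued by
    #    the trusted CA; the private key stays with the partner (simulated here).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Partner A" \
        -keyout "$dir/partner_private_a.key" -out "$dir/partner/partner_a.csr" 2>/dev/null
    openssl x509 -req -in "$dir/partner/partner_a.csr" -CA "$dir/TrustedCAs/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 2 -out "$dir/partner/partner_a.crt" 2>/dev/null
    # 5. A self-signed certificate from an unknown party, to show the trust check failing.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Rogue Partner" \
        -keyout "$dir/rogue.key" -out "$dir/partner/rogue.crt" 2>/dev/null
}

# xi_trust_check DIR CERT: does CERT chain to something in the TrustedCAs view?
xi_trust_check() {
    if openssl verify -CAfile "$1/TrustedCAs/ca.crt" "$2" >/dev/null 2>&1; then
        echo TRUSTED
    else
        echo REJECTED
    fi
}

# xi_key_matches_cert KEY CERT: the signing response must belong to the key pair
# that produced the CSR; importing a response for another key leaves HTTPS broken
# without any error at import time.
xi_key_matches_cert() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null || true)
    crt_mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null || true)
    if [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]; then
        echo MATCH
    else
        echo MISMATCH
    fi
}

# xi_fingerprint CERT: SHA-256 fingerprint, the value to compare with the partner
# out of band before the certificate is referenced (view name plus entry name) in
# the Integration Directory.
xi_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo run.
KS=$(mktemp -d)
xi_keystore_setup "$KS"
echo "server cert:     $(xi_trust_check "$KS" "$KS/server/server.crt")"
echo "partner A:       $(xi_trust_check "$KS" "$KS/partner/partner_a.crt")"
echo "partner A fp:    $(xi_fingerprint "$KS/partner/partner_a.crt")"
echo "rogue partner:   $(xi_trust_check "$KS" "$KS/partner/rogue.crt")"
echo "server key/cert: $(xi_key_matches_cert "$KS/server/server.key" "$KS/server/server.crt")"
```

The trust check is the part that the last screenshot step (user authentication for the views) relies on: an entry in the partner view is only as trustworthy as the CA it chains to in TrustedCAs, so a partner certificate that does not verify should never be imported just because the partner sent it over an authenticated channel.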
Further Documentation
XI 3.0 Security Guide
SAP Web AS Network and Communication Security: this section describes the network and communication security for the SAP Web AS.
SAP Web AS Security Guide for ABAP Technology: this section describes the security aspects involved with the SAP Web AS when using ABAP technology.
SAP Web AS Security Guide for J2EE Technology: this section describes the security aspects involved with the SAP Web AS when using Java or J2EE technology.