Security for SOA in Enterprises
SAP NetWeaver Product Management Security
June 2008
© SAP 2008 Page 2
Agenda
1. SOA – quick overview
2. SOA and Security in Enterprises
3. Securing SOA with SAP NetWeaver – on the road to BPM
3.1. Access Management and User Identity Propagation
3.2. Identity Management and User Identity Provisioning
3.3. Trust and Key Management
3.4. Threat and Vulnerability Management
4. Outlook
Enterprise SOA as the Convergence Point of Business and IT
[Diagram: SAP NetWeaver as integration platform (people integration, information integration, process integration) connecting users such as purchaser, production planner and accountant, via portals that help people do their work and composite applications, to SRM, PLM, ERP, SCM and CRM]
Business engineering:
- Service architecture to reduce integration costs
- Develop services with a central platform
- Innovate with a partner ecosystem
Enterprise SOA:
- Business drives IT investments
- Flexibility required to survive and grow
- Operating and innovating with a partner ecosystem
Harmonizing SOA in Enterprises by Evolution and by Design
[Diagram: SAP NetWeaver as the common technology foundation (incl. synchronized master data) underneath Enterprise SOA by evolution (Business Suite: ERP, SRM, SCM, CRM, PLM, MDM, BI, XI) and Enterprise SOA by design (Composition Environment, Composite Application Framework, PI, legacy content, 3rd party), sharing one user experience and one Enterprise Services Repository]
- Seamless composition
- Common Enterprise Services Repository with harmonized Enterprise Services
- Harmonized user experience
- Plug and play partner solutions
- Unified structured and unstructured interaction model (Enterprise 2.0)
- Unified cross industry platform
- Harmonized industry solutions
Service Enabling Enterprise Applications
Service enabling consists of two aspects:
- From an application perspective, the SAP system provides meaningful services to prospective client applications
- From a technology perspective, the SAP system supports communication based on the Web Services standards stack
Web service technologies: XML, XSD, WSDL, SOAP, BPEL4WS, …
Application services: Business Suite, CRM, SRM, …
Technical services: AS ABAP, AS Java
SAP NetWeaver as the Technology Platform for SOA
Help Customers Establish a Unified Platform for Business Process Management
SOA provisioning:
- Stable, scalable core with SAP NetWeaver 7.0
- Open, standards-based
- Service-enabling processes, information, events
Service repository:
- Central storage of service definitions
- Service modeling and top-down service creation
- Business process modeling, routing and mapping
Composition environment:
- Fast paced "edge" of the business
- Don't just code – compose!
- Lean consumption
User experience:
- Mobile Infrastructure (MI)
- Enterprise Portal (EP)
- Duet
- Adobe Forms
- …
2. SOA and Security in Enterprises
What Does Enterprise SOA Mean for How Security Is Done?
Integration:
- Security is no longer contained to a single system
- Scenario based security for end-to-end solutions
Evolution:
- What worked before still works
- New and "upgraded" solutions to deal with new challenges
Convenience and low TCO:
- Easy to run, easy to configure, easy to design
Threats, Safeguards and Security Goals
Threats: SQL injection, tampering, authorization violation, denial of service, eavesdropping, cross-site scripting (XSS), repudiation, masquerading, buffer overflow, spoofing
Safeguards: security monitors, secure development, firewalls, public key infrastructure, encryption, access control, Single Sign-On, auditing, identity management, governance and compliance framework
Goals: authentication, authorizations, confidentiality, integrity, non-repudiation, availability
SAP NetWeaver Security Functionality – The Big Picture
- Open and standards based: enables secure and interoperable integration in open environments
- Ecosystem: extends security functionality to meet specific customer requirements
- Comprehensive set of integrated security functionality: manage, operate and run secure business processes on top of SAP NetWeaver
SAP NetWeaver today provides a flexible and extensible security infrastructure for secure and compliant business processes.
[Diagram: functional areas – SAP NetWeaver Identity Management, Web service security, authorization management, Enterprise SOA security, encryption and digital signatures, authentication and Single Sign-On, front-end security, compliance]
Security Policy Definition in a Classical Client-Server System Architecture
[Diagram: user access and process output are "webified" over http(s) against a single application server]
- One level of integration: the application server
- Security policies are "contained" within the application server
- Security for user access: user authentication and authorization checks
- Security for application processes: encapsulated in source code ("call transaction")
Web Services, RFCs and Distributing Application Processes
[Diagram: a service consumer (e.g. Portal) reaches service providers over http(s), RFC and SOAP, partly through a service intermediary, so there is no "line-of-sight" connection to the application]
SOA application processes are inherently distributed, and the paradigm changes to "end-to-end" solutions!
Paradigm Change with Enterprise Services and End-to-End Security
[Diagram: service consumer – service intermediary – service provider]
- Transport security = point-to-point security
- Message security = end-to-end security
SOA application processes are inherently distributed and must apply security "end-to-end"!
Consequences for User-Centric Security
Access management (security token handling, secure user access, access control based on user identity):
- Standards-based integration in authentication frameworks
- Secure Single Sign-On
- Secure user identity propagation via trusted systems
Identity management (manage user identity centrally, provision user identities, federated identities):
- External, centralized user management
- Externalized management of authorization assignments
- User identity supply via protocols
Consequences for Application Process-Centric Security
- System keys and trust management frameworks
- WS-Security extensions
- Secure message exchanges
- Secure application development and customization
- Distributed audit framework
- Trusted system setup and hardening
- Interoperable security policy propagation via standard communication infrastructure
- Securing end-to-end application processes
- Application platform integrity protection
- Ease integration of risk and compliance controls
[Diagram: business user, business partner / customer, service provider and technical PI as the parties of an application process]
3.1. Access Management and User Identity Propagation
Access Management and the User Identity Lifecycle in SOA
[Diagram: user "Bob" accesses a web application / Portal acting as service consumer, which calls a backend service provider via HTTP, SOAP, RFC or RMI while propagating Bob's identity]
- Secure authentication or SSO of users accessing enterprise resources
- User identity propagation for access to service resources
- Authorize user access to enterprise service providers with the user's own role and permission assignments
- Audit user access to resources of the enterprise service provider
SAP NetWeaver User Authentication and SSO
Solutions for Securing User Authentication for Access to Enterprise Applications from a Web Browser
[Diagram: Web browser (user agent) authenticating against the SAP NetWeaver technology platform]
- Anonymous access: anonymous access with named anonymous users (1)
- User authentication: user ID / password; user mapping (1)
- PKI-based authentication: X.509 client certificates; rule based client authentication (2); certificate filtering (2); automated certificate mapping (2); CRL support (2)
- External authentication: SPNego (2), integrated OS authentication with Kerberos; header variables (2)
- SSO via trusted systems: SSO logon tickets; SAML (2), Security Assertion Markup Language
- Custom mechanism: JAAS login module (2), Java Authentication and Authorization Service
(1) supported with Portal; (2) supported with Portal or AS Java
SAP NetWeaver AS ABAP SSO
Solutions for Securing User Authentication and SSO for Access to Enterprise Applications from the SAP GUI
[Diagram: SAP GUI for Windows and SAP NetWeaver AS ABAP each use an external security product via SNC]
- Use SNC and an external security product; authentication takes place outside of the SAP system
- Use an SAP-certified SNC product
- Also available: Windows NTLM (gssntlm.dll), Windows 2000 Kerberos (gsskrb5.dll)
SAP Logon Tickets: SSO via Trusted Systems for User Access from a Web Browser
[Diagram: initial logon at the SAP NetWeaver Application Server (trusted system); the SSO ticket is held as a non-persistent cookie in the browser and grants access to BI, CRM, ERP, intranet, groupware and other systems]
Example of an HTTP Request Containing an SSO Logon Ticket

GET /someresource HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, [ … ], */*
Referer: https://some.host.domain/some/other/resource
Accept-Language: en,de;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: nw-portal.wdf.sap.corp
Connection: Keep-Alive
Cookie: saplb_*=(J2EE6527200)6527250; PortalAlias=portal; MYSAPSSO2=AjExMDAgAA5wb3J0YWw6ZDAzMzA5OYgAE2Jhc2ljYXV0aGVudGljYXRpb24BAAdEMDMzMDk5AgADMDAwAwADTldUBAAMMjAwNTA5MDIwNjE0BQAEAAAACAoAB0QwMzMwOTn%2FAPUwgfIGCSqGSIb3DQEHAqCB5DCB4QIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHBMIG%2BAgEBMBMwDjEMMAoGA1UEAxMDTldUAgEAMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNTA5MDIwNjE0NDRaMCMGCSqGSIb3DQEJBDEWBBQ28lOiAPAV2KfBJR18ElZxaNenHzAJBgcqhkjOOAQDBC8wLQIUIaaWKYY4%2BCT26P07coHVYP63eCkCFQCLt0ERDvDKCpog89q5n%2B5ahpQQCw%3D%3D; JSESSIONID=(J2EE6527300)ID6527350DB307014776305034697End; sap-ssolist=O3I9cHdkZjA5NjJfY3BwXzQ0

The SAP Logon Ticket is represented as a cookie (MYSAPSSO2) in the browser.
SAP Logon Tickets contain:
- User ID(s)
- Authentication scheme
- Validity period
- Issuing system
- Digital signature of the trusted issuer
The content of the SAP Logon Ticket is BASE64 encoded and signed by the trusted system that authenticated the user.
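To make the ticket fields listed above tangible, the following added example (not part of the deck) decodes the MYSAPSSO2 cookie value from the request shown on this slide. It assumes the publicly described layout of the ticket (a version byte, a four-character codepage, then info units of one ID byte, a two-byte big-endian length and the value); the info-unit IDs named in the table are taken from that description, not from this deck. It decodes structure only: the PKCS#7 signature unit must be verified against the issuing system's certificate before any field is trusted.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Info-unit IDs of the MYSAPSSO2 format (assumption: public descriptions of the
# format, not this deck). Unknown IDs are kept under their numeric value.
UNIT_NAMES = {
    0x01: "user",
    0x02: "client",
    0x03: "system_id",
    0x04: "created",         # YYYYMMDDHHMM, UTC
    0x05: "validity_hours",  # 4-byte big-endian integer
    0x20: "portal_user",
    0x88: "auth_scheme",
    0xFF: "signature",       # PKCS#7 SignedData produced by the issuing system
}

# MYSAPSSO2 value exactly as it appears in the request on this slide (URL-encoded).
TICKET_COOKIE = (
    "AjExMDAgAA5wb3J0YWw6ZDAzMzA5OYgAE2Jhc2ljYXV0aGVudGljYXRpb24BAAdEMDMzMDk5"
    "AgADMDAwAwADTldUBAAMMjAwNTA5MDIwNjE0BQAEAAAACAoAB0QwMzMwOTn%2FAPUwgfIGCSqG"
    "SIb3DQEHAqCB5DCB4QIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHBMIG%2BAgEBMBMw"
    "DjEMMAoGA1UEAxMDTldUAgEAMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcB"
    "MBwGCSqGSIb3DQEJBTEPFw0wNTA5MDIwNjE0NDRaMCMGCSqGSIb3DQEJBDEWBBQ28lOiAPAV2KfB"
    "JR18ElZxaNenHzAJBgcqhkjOOAQDBC8wLQIUIaaWKYY4%2BCT26P07coHVYP63eCkCFQCLt0ER"
    "DvDKCpog89q5n%2B5ahpQQCw%3D%3D"
)


def parse_logon_ticket(cookie_value):
    """Decode the base64 ticket and split it into its info units.

    Raises ValueError on any length inconsistency, so a truncated or tampered
    blob is rejected instead of being read past its end.
    """
    raw = base64.b64decode(unquote(cookie_value), validate=True)
    if len(raw) < 5:
        raise ValueError("ticket too short for version and codepage")
    ticket = {"version": raw[0], "codepage": raw[1:5].decode("ascii"), "units": {}}
    pos = 5
    while pos < len(raw):
        if pos + 3 > len(raw):
            raise ValueError("truncated info unit header")
        unit_id = raw[pos]
        (length,) = struct.unpack(">H", raw[pos + 1:pos + 3])
        value = raw[pos + 3:pos + 3 + length]
        if len(value) != length:
            raise ValueError("truncated info unit value")
        pos += 3 + length
        name = UNIT_NAMES.get(unit_id, "unit_%02x" % unit_id)
        if unit_id == 0xFF:
            ticket["units"][name] = value            # DER blob, kept as bytes
        elif unit_id == 0x05:
            ticket["units"][name] = int.from_bytes(value, "big")
        else:
            ticket["units"][name] = value.decode("latin-1")  # codepage 1100
    return ticket


def ticket_expiry(ticket):
    """Creation time plus validity period, as a timezone-aware datetime."""
    units = ticket["units"]
    created = datetime.strptime(units["created"], "%Y%m%d%H%M")
    created = created.replace(tzinfo=timezone.utc)
    return created + timedelta(hours=units["validity_hours"])


def is_expired(ticket, now=None):
    """Validity-period check only; a receiver must also verify the signature."""
    now = now or datetime.now(timezone.utc)
    return now >= ticket_expiry(ticket)


if __name__ == "__main__":
    t = parse_logon_ticket(TICKET_COOKIE)
    for name, value in t["units"].items():
        shown = "%d bytes of PKCS#7" % len(value) if isinstance(value, bytes) else value
        print("%-15s %s" % (name, shown))
    print("expires", ticket_expiry(t).isoformat(), "expired:", is_expired(t))
```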
Security Assertion Markup Language (SAML)
SSO via Trusted Systems Across Domain and Technology Boundaries
[Diagram: the SAP Logon Ticket works within the domain boundary, SAML across it]
Interoperable security solution that allows systems integration with great ease, minimal resources and infrastructure reuse.
SAML is a security protocol for:
- encoding security related user identity information into XML "assertions"
- verifying authentication against an asserting authority, the SAML identity provider
- exchanging this information in a request/response fashion (similar to SSO tickets, but not cookie based)
For secure message exchange SAML uses standard security protocols like SSL and XML signatures/encryption.
SAML is an established OASIS standard.
SAML 1.1 – SSO with Browser Artifact Profile
Open, Standards-based and Interoperable Web Browser SSO via Trusted Systems for Heterogeneous Landscapes
[Diagram: after the initial logon at the SAML 1.1 assertion issuer (e.g. SAP NetWeaver CE 7.1 or a SAML 1.1 supporting access management product), the browser is redirected with an artifact to the destination (CRM, ERP, intranet, groupware, other), which pulls the assertion from the issuer; authenticate once, then access]
1. Call transfer URL
2. Redirect URL + artifact
3. Request
4. Pull assertion
5. Assertion
6. Resource
Single Sign-On and Authentication for Services
- SSO information is sent from a trusted service consumer via the SOAP protocol (WS-Security) for secure interoperability and authentication/SSO in cross-vendor Web service-based enterprise applications
- Transport protocol for performance, backward compatibility and security in homogeneous service-based enterprise applications
Authentication flavors:
- WSS Username Token Profile (1): user ID and password, authenticates the service user
- WSS X.509 Certificate Token Profile (1): X.509 client certificate, authenticates the consumer system
- WSS SAML Token Profiles (1): SSO tickets, propagate the user identity
(1) supported for WS protocols only
User Identity Propagation for Web Services: SAML Sender Vouches Subject Confirmation and SSO Tickets
Underlies principal propagation with Process Integration 7.1.
How it works:
- Enables access to provider-side resources by providing the consumer-side user context when sending the service request
- User identity is verified by the WS provider based on the SSO token issued by the WS consumer
- User identities must be synchronized via a shared user store or user store synchronization
[Diagram: client application – local SAML assertion / SSO ticket issuer – service call via logical port – service endpoint interface, with numbered steps 1 to 7; the trusted system relationship is based on the issuing system's X.509 certificate]
SAML Holder of Key Subject Confirmation Method for Web Services – Planned for Future Releases
Service consumer:
1. Identify the logical port configuration for service consumption
2. Request a SAML assertion from the pre-configured SAML assertion issuer
3. Return the SAML assertion (digitally signed)
4. Send the service request with the enclosed SAML assertion
Service provider:
5. Verify the assertion's digital signature with the system X.509 certificate of the SAML assertion issuer
6. Use the assertion for user authentication
7. Return the service response on success
[Diagram: client application – SAML assertion issuer – service provider application; service call via logical port; X.509 certificate based trust relationship]
By decoupling the SAML identity provider from the service consumer, administrators can configure a third system to issue SAML assertions.
Support of SAML in the SAP NetWeaver Platform
Limitations:
- Authorization information is not supported
- Authentication scenarios only
- Use SSL for transport security
SAML Browser Artifact scenario for SSO for Web applications:
Feature | NW04 | NW 7.00 | NW 7.10
SAML 1.1 – Accepting SAML assertions – Java | X | X | X
SAML 1.1 – Accepting SAML assertions – ABAP | - | - | X
SAML 1.1 – Issuing SAML assertions – CE Portal | - | - | X
WSS SAML Token Profiles 1.0 for service SSO:
Feature | NW04 | NW 7.00 | NW 7.10
Sender Vouches Subject – Java | - | - | X
Sender Vouches Subject – ABAP | - | X (AS ABAP SP14 and higher) | X
Standardizing End-to-End SSO Scenarios on SAML
[Diagram: 1. SSO with SAML 1.1 Browser Artifact; 2. access to resource with WSS SAML Token Profile; SAML identity provider e.g. SAP NetWeaver 7.1 CE]
- Initial user authentication: any supported solution
- Web browser based SSO: SAML 1.1 Browser/Artifact Profile, SSO ticket
- Web service based SSO: WSS SAML Token Profile
Security, Standards and Interoperability
The IEEE defines interoperability as:
"The ability of two or more systems or components to exchange information and to use the information that has been exchanged"*
* Institute of Electrical and Electronics Engineers. IEEE Standard Computer Dictionary: A Compilation of IEEE Standard Computer Glossaries. New York, NY: 1990
The Role of Web Service Standards for Interoperability
[Diagram: a service consumer on platform A sends a message through its source infrastructure; the destination infrastructure on platform B delivers it to the service provider; the scope of Web service standards and interoperability is the message in transit]
- Web service standards define the format of the message in transit to guarantee the interoperable exchange between service consumer and provider on a technical level
- Web service standards don't specify any infrastructure- or application-specific aspects, such as the APIs or programming languages that applications must use to send or deliver messages, or the runtime architecture and components
A Glimpse of the Whole Web Service Standards Stack
(Maturity levels on the slide: early work; specification in progress; reaching maturity; approved and widely adopted specification)
- Business process management: BPEL4People, WS-HumanTask, WS-BPEL
- Security and policy: WS-Security, WS-SecureConversation, WS-Trust, WS-SecurityPolicy, WS-Federation, SPML, Liberty ID-FF / SAML 2.0, WS-Policy, WS-PolicyAttachment
- Interoperability: WS-I Basic Profile, WS-I Basic Security Profile, WS-I Reliable Secure Profile
- Management: WS-Management, WS-DistributedManagement
- Transactions: WS-Coordination, WS-AtomicTransaction, WS-BusinessActivity
- Reliable messaging: WS-ReliableMessaging, WS-ReliableMessagingPolicy
- Service description: WS-MetadataExchange, WSIL, UDDI, WSDL 1.1, WSDL 2.0
- Messaging: SOAP 1.1, SOAP 1.2, WS-Addressing
WS-Security – Motivation
- The SOAP protocol on its own does not provide any security mechanisms for message integrity and confidentiality, authentication, or non-repudiation of origin or receipt
- But: SOAP can be extended to provide additional features
- Up to the year 2002 (even now!), best practice was to secure Web services using Secure Sockets Layer (SSL)
- But SSL provides transport-level, not application-level security:
  - SOAP messages are secured point-to-point, not end-to-end
  - Messages are stored unencrypted in files or databases at intermediaries
  - Not independent of the underlying transport protocol
- WS-Security was submitted to the standards body (OASIS) in September 2002 and approved as an OASIS Standard in April 2004
[Diagram: SOAP message format – a SOAP envelope containing a SOAP header and a SOAP body with the data]
WS-Security: Overview
- The OASIS WS-Security standard defines a new SOAP header, the WS-Security header
- This new SOAP header contains all relevant security metadata to secure a SOAP message, such as:
  - Security tokens to carry security information (e.g. user authentication data, X.509 certificates)
  - A timestamp to protect against replay attacks
  - Signatures to protect against message tampering*
  - Encrypted keys and data to protect confidential information
[Diagram: SOAP envelope; the SOAP header carries the WS-Security header (security token, timestamp, signature, encrypted key + data); the SOAP body carries the data]
* The act of altering something secretly or improperly
WS-Security – Features (1/3)
Security tokens identifying principals and keys:
- XML token (e.g. Username token, defined by the WS-Security standard):
  <wsse:UsernameToken>
    <wsse:Username>alice</wsse:Username>
    <wsse:Password>2secret4u</wsse:Password>
  </wsse:UsernameToken>
- Binary token encapsulating binary objects (e.g. X.509 certificate token, defined by the WS-Security standard)
Timestamp:
  <wsu:Timestamp xmlns:wsu=… >
    <wsu:Created>2007-10-06T12:10:01Z</wsu:Created>
  </wsu:Timestamp>
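The following added example (not code from the deck or from SAP NetWeaver) shows what a service provider does with the Username token and Timestamp from this slide on receipt: it checks the Timestamp against a clock-skew window and a replay cache before extracting the credentials, which is the protection against replay that the overview slide attributes to the timestamp. The SOAP envelope, the Expires value and the request body name are constructed here; the WSS namespace URIs are those of the OASIS WS-Security 1.0 specification.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces from SOAP 1.1 and the OASIS WS-Security 1.0 specification.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample request: the Username token and Timestamp from the slide, wrapped
# in a SOAP envelope with an added Expires element (the slide shows Created only).
SAMPLE_REQUEST = """<soap:Envelope xmlns:soap="%s">
  <soap:Header>
    <wsse:Security xmlns:wsse="%s" xmlns:wsu="%s" soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp-1">
        <wsu:Created>2007-10-06T12:10:01Z</wsu:Created>
        <wsu:Expires>2007-10-06T12:15:01Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
        <wsse:Password>2secret4u</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><GetLeaveRequests/></soap:Body>
</soap:Envelope>""" % (SOAP, WSSE, WSU)


class SecurityHeaderError(Exception):
    """Raised when the WS-Security header must be rejected."""


def _parse_utc(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_security_header(message, now, seen, max_skew=timedelta(minutes=5)):
    """Validate the Timestamp of an inbound SOAP request and return (username, password).

    `seen` is the receiver's replay cache: message digest -> expiry time. The password
    travels in clear in this token profile, so this is only meaningful over SSL/TLS.
    """
    root = ET.fromstring(message)
    sec = root.find("{%s}Header/{%s}Security" % (SOAP, WSSE))
    if sec is None:
        raise SecurityHeaderError("no WS-Security header")
    ts = sec.find("{%s}Timestamp" % WSU)
    if ts is None or ts.findtext("{%s}Created" % WSU) is None:
        raise SecurityHeaderError("no Timestamp/Created")
    created = _parse_utc(ts.findtext("{%s}Created" % WSU))
    expires_text = ts.findtext("{%s}Expires" % WSU)
    expires = _parse_utc(expires_text) if expires_text else created + max_skew
    if created > now + max_skew:
        raise SecurityHeaderError("Created lies in the future")
    if now > expires or now - created > max_skew:
        raise SecurityHeaderError("Timestamp is stale")
    token = sec.find("{%s}UsernameToken" % WSSE)
    if token is None:
        raise SecurityHeaderError("no UsernameToken")
    username = token.findtext("{%s}Username" % WSSE)
    password = token.findtext("{%s}Password" % WSSE)
    if not username or not password:
        raise SecurityHeaderError("incomplete UsernameToken")
    # Replay cache: the same message within its freshness window is rejected.
    # Entries are dropped once their timestamp could no longer pass the check above.
    for key in [k for k, exp in seen.items() if exp < now - max_skew]:
        del seen[key]
    digest = hashlib.sha256(message.encode("utf-8")).hexdigest()
    if digest in seen:
        raise SecurityHeaderError("replayed message")
    seen[digest] = expires
    return username, password


def verdict(message, now_text, seen):
    """String summary of the check, for logging or for the assertions below."""
    try:
        user, _ = check_security_header(message, _parse_utc(now_text), seen)
        return "accepted:" + user
    except SecurityHeaderError as err:
        return "rejected:" + str(err)


if __name__ == "__main__":
    cache = {}
    print(verdict(SAMPLE_REQUEST, "2007-10-06T12:12:00Z", cache))  # fresh
    print(verdict(SAMPLE_REQUEST, "2007-10-06T12:12:30Z", cache))  # replayed
    print(verdict(SAMPLE_REQUEST, "2008-06-01T09:00:00Z", {}))     # stale
```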
WS-Security – Features (2/3)
Signature:
- Syntax given by the XML Signature 1.0 W3C Recommendation
- <Signature> element in the SOAP security header
- <SignedInfo> contains pointers with hash values (<Reference> children) to the signed message parts
- <SignatureValue> contains the signature (encrypted digest)
- <KeyInfo> contains a reference to the public key for signature verification
[Diagram: SOAP envelope; the WS-Security header holds a security token (X.509 cert), a timestamp and a Signature consisting of SignedInfo (SignatureMethod e.g. RSA, Reference #Timestamp, Reference #Body), SignatureValue and KeyInfo; the SOAP body holds the data]
WS-Security – Features (3/3)
Encryption:
- Syntax given by the XML Encryption 1.0 W3C Recommendation
- <EncryptedKey> contains the encrypted session key used to encrypt the data
- <KeyInfo> refers to the public key certificate used to encrypt the session key (e.g. via a unique key pair identifier)
- <CipherData> contains the encrypted secret session key
- <ReferenceList> has pointers to the encrypted message parts
- <EncryptedData> contains the encrypted payload (e.g. the message body)
[Diagram: SOAP envelope; the WS-Security header holds EncryptedKey with EncryptionMethod, KeyInfo, CipherData and a ReferenceList (DataReference #Body); the SOAP body holds EncryptedData]
Standards Supported by SAP NetWeaver
Security mechanisms based on mature standards to support interoperable solutions for secure partner integration.
[Matrix on the slide, by area; each entry is marked as supported by SAP, under evaluation, or future work]
- Authentication: WSS Username Token Profile, WSS X.509 Token Profile, WSS SAML Token Profile, SAML 1.1 Browser Artifacts
- Authorization and provisioning: XACML, SPML, LDAP
- Message security: WS-Security
- Document security: XML Sig, XML Enc, PKCS#7
- Transport security: SSL/TLS, GSS
- Policy and trust: WS-Trust, WS-SecurityPolicy, WS-SecureConversation (under evaluation)
- Federation: SAML 2.0 (under evaluation)
- Performance (under evaluation)
- Future work: S/MIME
Several entries are marked as new features with SAP NetWeaver 7.1; one is marked as available with SAP NetWeaver 7.1 and AS ABAP 7.0 SP 14 and higher.
3.2. Identity Management and User Identity Provisioning
Controlling User Access with Authorization Assignments in SAP NetWeaver
[Diagram: users and user groups in user management are assigned Portal roles; roles are defined from Portal content in the Portal Content Directory (worksets, pages, iViews, protected by ACLs) and drive end user navigation (top level and detailed navigation); authorization for the backend application UI comes from the business logic authorizations of AS ABAP, AS Java or non-SAP backend systems, which are input for the end user assignment]
Portal Roles and ABAP Roles: Comparison
AS ABAP role:
- Role contents: always refers to a single AS ABAP application; depends on the user's tasks in the SAP system; SAP Easy Access menu
- Authorizations defined: single roles carry authorization information as authorization objects
- Role types: single application roles; optional composite roles
- Admin environment: transaction PFCG (role creation and maintenance, role/user assignments, authorization generation); SAP NetWeaver IdM for business role management
Portal role:
- Role contents: decoupled from the underlying application; similar to complete job descriptions, not limited to objects from SAP systems; top-level and detailed Portal navigation
- Authorizations defined: the content object is an authorization object; authorizations are maintained in the backend systems
- Role types: not divided into different role types; concept of "worksets" as additional content object to ease administration
- Admin environment: web-based tools in the Portal administration environment; AS Java user management; SAP NetWeaver IdM for business role management
Authorizations for Java Applications with SAP NetWeaver
Separation of authorization concept and application logic with the UME authorization concept.
[Diagram: user → group → UME roles 1 to 3 → actions 1 and 2 → permissions 1 to 3, beside a JEE role]
- Permissions are created as Java classes during development
- Actions are defined in UME XML
- JEE roles use standard JEE means
- User/role administration assigns UME roles to users and groups
JACC support in UME with SAP NetWeaver 7.1: JEE roles are administered as UME actions.
Authorizations for Java Applications – Rules of Thumb
Use Java security roles when:
- your code is already instrumented with JEE security roles
- your code needs to run on other Java application servers as well
- you only have one argument that has an impact on the authorization decision (a distinction in different role names is sufficient)
- you only have straightforward (most often technical) decisions to make
- you need to decouple role definition from application code via JEE declarative authorizations
Use the UME authorization concept when:
- authorizations are complex for your applications
- the decisions are mostly business based and need to be easily adjustable afterwards
- your applications need to be able to work with decisions based on values or value ranges
- you must evaluate more than one argument to find the correct authorization decision (a distinction in different role names is not sufficient)
Tutorials available in SAP Help Portal: AS Java Developer's Guide > Integrating Security Functions
Business Roles and Technical Roles in SAP NetWeaver Identity Management
Business roles:
- Are defined in Identity Center
- Represent the business tasks of an employee
- Are usually defined as part of a business process
- Can be set up in hierarchies
- Are a combination of technical roles and/or other business roles
- Are usually assigned to end users
Technical roles:
- Represent the access information or technical authorizations (like ABAP authorization roles, UME roles, Portal roles, AD groups, …)
- Are usually uploaded from the target system
- Are system specific
- Are usually represented as so-called "privileges" in Identity Center
[Diagram: business roles Manager, Accounting and User map to technical roles such as End user (Portal role), Accounting (ABAP role), HR manager (ABAP role), AD user and E-mail, in the target systems SAP HR, SAP FI, SAP Portal, Active Directory and the e-mail system]
SAP NetWeaver Identity Management
SAP introduces business driven identity management:
- Holistic identity management solution for both SAP and heterogeneous landscapes
- Enabling a complete compliance solution through SAP Governance, Risk and Compliance (SAP GRC) integration
- Rule based and business driven role assignments
Key deliverables:
- Central identity store
- Role assignments automated through rules and workflows
- Central monitoring and auditing of identities
- Password reset for users throughout the system landscape
- Service enabled identities
- Virtual directory server
[Diagram: SAP NetWeaver Identity Management components – password management, audit and reporting, identity virtualization, data synchronization, roles and entitlements, provisioning]
Central Identity Store
The central store is the hub between all components in Identity Center:
- Provisioning is based on identity data from the store
- Business roles and privileges are stored here
- Workflows are processed based on this data
- Meta directory operations keep the information up-to-date
Properties of the identity store:
- Keeps historical data and a full audit trail to support compliance
- Temporary attributes for tracking time critical values
- Roles and privileges with a definable time to live
- Events on attributes trigger workflow tasks
- Virtual attributes referring to data in external sources
- Rollback of identity data
Role Definition and Provisioning
Role definition (design, once):
- Read system access information (roles, groups, authorizations, …) from the target systems
- Define a business role hierarchy
- Assign technical roles to business roles
- Develop rules for role assignments
Provisioning (regularly):
- Assign or remove roles to/from people, manually through workflow or automatically, e.g. HR-driven
- Automatic adjustment of master data and assignments of technical authorizations in the target systems
Connectors:
- ABAP (BAPI from 4.6c)
- Java (SPML from SAP NetWeaver '04)
- Non-SAP (ADS, LDAP, … and more)
[Diagram: the same business role to technical role mapping as on the previous slide, across SAP HR, SAP FI, SAP Portal, Active Directory and the e-mail system]
Auditing and Monitoring
- Application/privilege centric: who has access to the system?
- User centric: which privileges does this user have?
- Reports can be scheduled or run on request
- Off-the-shelf reporting tools can be used
Entry data: current data, historical data, timestamps, modified by, audit flags
Approval data: who approved what, when? Who had what privilege at what time? Segregation of duties, attestation
Task audit log: which task was run on a user / by a user?
General logs
Identity Virtualization
The Virtual Directory Server (VDS) provides:
- A single consistent view and entry point for multiple distributed identity data sources
- Identity information as a service for applications through standard protocols (LDAP, DSMLv2)
- An abstraction layer for the underlying data stores: the consumer only sees one standard interface; incoming LDAP requests are transformed and connected directly to the existing data repositories
- Data stays within the original data source; efficient caching
Properties:
- Real-time access to data
- No need to consolidate data sources; no extra data store
- Quick LDAP deployment; easier and cheaper maintenance
- Attribute manipulation, name space modifications and complex operations on-the-fly
Local Identity Provisioning to SAP NetWeaver Application Server with SPML
[Diagram: a provisioning system pushes identity information via SPML to AS Java and AS ABAP systems]
- Service Provisioning Markup Language (SPML) is an XML standard for the provisioning of identity information
- Partner products can use the interface to provision identity information to SAP NetWeaver
- SPML is supported by key identity management providers
Functionality | NW04 | NW 7.00 (04s) | NW 7.10 (CE)
SPML 1.0 – Java | X | X | X
SPML provides a standard interface to integrate SAP NetWeaver with third-party identity management products.
3.3. Trust and Key Management
Wizard Based Trust and Key Management in SAP NetWeaver
Generic key store (AS Java) and PSE (AS ABAP) server key management services from the platform hold:
- Server private keys
- Public system certificates of trusted communication partners (trusted systems)
- CA certificates
Centralized and web based administration in SAP NetWeaver Administrator.
Certificate and key management:
- User access via special authorization assignment
- Custom AS Java application access control to keys via code based permissions
Trusted systems setup via dedicated UIs:
- SSO2 logon ticket configuration wizard for SSO
- SAML Browser Artifact for SSO
- SAML Token Profiles for user identity propagation in WS
Management of cryptographic keys and trust through integrated interfaces for administrators and users.
Detailed information about use: http://help.sap.com, search keyword "System Security"
3.4. Threat and Vulnerability Management
Attack Prevention as Part of the Infrastructure
SAP NetWeaver Virus Scanning Interface:
- Allows checking files or documents exchanged between SAP modules (e.g. between application servers and front-end clients)
- A third party product (external anti-virus solution) is necessary to perform the virus scan (partner certification)
- Interface integrated in standard upload functions or called directly by application developers
XML validation in PI 7.1:
- Check incoming and outgoing message structure against the XML schema
- PI configuration for the Adapter Engine or Integration Engine
- Support for synchronous and asynchronous service messages and error handling
Output encoding:
- Encodes output streams to prevent attacks like XSS
- Integrated in the latest SAP NetWeaver standard output frameworks
- API functions available in Java and ABAP
Blacklist filtering:
- Support for regular expression based input filtering in the Internet Connection Manager (ICM)
Important note: the described security features cannot replace traditional security mechanisms (e.g. firewalls, DMZ). The functions are seen as an addition in order to enable a multi-layer defense to counter attacks that are difficult to address with standard methods or need to be addressed at the application layer.
Integrated functionality to protect SAP NetWeaver and applications against typical attack types.
Scaling WS-Security Configuration: Security Templates in SAP NetWeaver
- Security policies in WSDL describe the provider's security requirements to protect the message (what must be protected)
- Communication profiles define templates for the runtime configuration of several services or service consumer proxies (how the message will be protected)
- One communication profile may be assigned to multiple operations, for example when the same certificate is to be used for certificate based authentication
[Diagram: service consumer and service provider exchange a SOAP request and response; on each side the inbound and outbound security profile for each operation is based on a security template]
Scaling Service Administration: Mass Service Configuration Example

Supported authentication mechanisms per profile/domain: SAML (always possible), assertion ticket, username/password in the message.

[Figure: a consumer system with the consumer group "Employee Services" (LeaveRequestOverviewService, ChangeBankDataService) and two accounts, "Service User" and "Ticket Logon", calling a provider system through a destination whose single sign-on mechanism is SAML and whose service user mechanism is "service user in message". Configuration is shared between the technical administrator, the SAP shipment and the business administrator.]

Example: two runtime configurations on the provider and consumer side for changing own data
Provider side
- Consumable via HTTPS
- Required authentication mechanisms: SAML, assertion ticket, username/password in the message
Consumer side
- Uses HTTPS
- LeaveRequestOverviewService uses service user authentication (the account's service user)
- ChangeBankDataService uses SAML authentication
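An added example, not SAP NetWeaver code, of the "username/password in message" mechanism from the table above together with the "aging" service guarantee listed later in the deck. The consumer builds a WS-Security UsernameToken (WSS UsernameToken Profile 1.0 digest form: Base64(SHA-1(nonce + created + password))); the provider verifies freshness, rejects replays with a nonce cache, and only then checks the digest. The user, password and message body are constructed for the example.

```python
"""WS-Security UsernameToken (digest) on the consumer side, verification on the provider side."""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

T0 = datetime(2008, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
USERS = {"SERVICE_USER": "s3cret"}   # constructed provider-side credential store


def password_digest(nonce, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce || created || password))."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_request(user, password, body_xml, now):
    """Consumer side: wrap a payload in a SOAP envelope carrying a digest UsernameToken."""
    nonce = secrets.token_bytes(16)
    created = now.strftime(TIME_FMT)
    env = ET.Element("{%s}Envelope" % SOAP)
    header = ET.SubElement(env, "{%s}Header" % SOAP)
    sec = ET.SubElement(header, "{%s}Security" % WSSE, {"{%s}mustUnderstand" % SOAP: "1"})
    tok = ET.SubElement(sec, "{%s}UsernameToken" % WSSE)
    ET.SubElement(tok, "{%s}Username" % WSSE).text = user
    ET.SubElement(tok, "{%s}Password" % WSSE, {"Type": PW_DIGEST}).text = password_digest(nonce, created, password)
    ET.SubElement(tok, "{%s}Nonce" % WSSE).text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, "{%s}Created" % WSU).text = created
    ET.SubElement(env, "{%s}Body" % SOAP).append(ET.fromstring(body_xml))
    return ET.tostring(env)


class ReplayCache:
    """Provider side: remembers (user, nonce) pairs for as long as a token could still be fresh."""

    def __init__(self, max_age):
        self.max_age = max_age
        self.seen = {}

    def check_and_record(self, user, nonce, created, now):
        # Entries older than max_age would be rejected as expired anyway; dropping them bounds memory.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.max_age}
        if (user, nonce) in self.seen:
            return False
        self.seen[(user, nonce)] = created
        return True


def verify_request(envelope, now, users, cache, skew=timedelta(seconds=60)):
    """Provider side: returns (accepted, reason). `users` maps user name to password."""
    tok = ET.fromstring(envelope).find(".//{%s}UsernameToken" % WSSE)
    if tok is None:
        return False, "no UsernameToken"
    user = tok.findtext("{%s}Username" % WSSE, "")
    pw = tok.find("{%s}Password" % WSSE)
    nonce_b64 = tok.findtext("{%s}Nonce" % WSSE, "")
    created = tok.findtext("{%s}Created" % WSU, "")
    if pw is None or pw.get("Type") != PW_DIGEST or not nonce_b64 or not created:
        return False, "token must carry a PasswordDigest, Nonce and Created"
    try:
        created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "bad Created timestamp"
    # Aging: the token is usable only inside a short window around its Created time.
    if created_at > now + skew:
        return False, "token created in the future"
    if now - created_at > cache.max_age:
        return False, "token expired"
    # Freshness and replay are settled before the digest, so a captured token cannot be
    # re-presented at all, whatever its digest says.
    if not cache.check_and_record(user, nonce_b64, created_at, now):
        return False, "replayed nonce"
    # Caveat: the digest scheme requires the provider to hold the password itself, and the
    # digest does not protect the body; the slide requires HTTPS on both sides for that.
    password = users.get(user)
    if password is None:
        return False, "unknown user"
    expected = password_digest(base64.b64decode(nonce_b64), created, password)
    if not hmac.compare_digest(expected, pw.text or ""):
        return False, "bad digest"
    return True, "ok"


def demo():
    """The four cases a provider must get right; returns the verdicts in order."""
    cache = ReplayCache(max_age=timedelta(minutes=5))
    req = build_request("SERVICE_USER", "s3cret", "<GetLeaveRequests/>", T0)
    return [
        verify_request(req, T0 + timedelta(seconds=10), USERS, cache),   # fresh token
        verify_request(req, T0 + timedelta(seconds=20), USERS, cache),   # same message replayed
        verify_request(build_request("SERVICE_USER", "s3cret", "<GetLeaveRequests/>", T0),
                       T0 + timedelta(minutes=10), USERS, cache),         # presented far too late
        verify_request(build_request("SERVICE_USER", "wrong", "<GetLeaveRequests/>", T0),
                       T0 + timedelta(seconds=5), USERS, cache),          # wrong password
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The window (`max_age`) is what the "aging" guarantee amounts to at runtime: the shorter it is, the smaller the replay cache and the smaller the damage from a captured token, at the price of stricter clock synchronisation between consumer and provider.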
SAP Security Recommendations
Use encrypted communications (SNC / SSL)
Check/set good password rules and session timeouts
Protect OS and DB users of the SAP system
Tune authorizations for technical users to the minimum required
Enable auditing and logging (also HTTP logging)
Only enable required services and applications
Apply available patches regularly
Do not install test/demo software on productive systems, where possible
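An added example, not an SAP tool, that turns the parameter-visible part of the checklist above (encrypted communications, password rules and session timeouts, auditing and HTTP logging, only required services) into a check over an instance profile. The parameter names are real SAP profile parameters; the two profile excerpts are constructed and the thresholds are this example's own policy, not SAP defaults. Patching, OS/DB user protection, technical-user authorizations and demo software are not visible in a profile and are out of scope here.

```python
"""Audit an SAP instance profile excerpt against a hardening policy."""
import re

# Constructed profile excerpts (not taken from a real system).
WEAK_PROFILE = """\
snc/enable = 0
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=8443
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_user_lock = 5
rdisp/gui_auto_logout = 0
rsau/enable = 0
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=access_log
"""

HARDENED_PROFILE = """\
snc/enable = 1
icm/server_port_0 = PROT=HTTPS,PORT=8443
login/min_password_lng = 10
login/password_expiration_time = 90
login/fails_to_user_lock = 5
rdisp/gui_auto_logout = 1800
rsau/enable = 1
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=access_log
"""


def parse_profile(text):
    """Parse 'name = value' lines; a later line overrides an earlier one, as in a real profile."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def _int(value):
    return int(value) if value is not None and re.fullmatch(r"-?\d+", value) else None


def audit_profile(text):
    """Return findings as (parameter, actual value, expectation) tuples; [] means all checks pass.
    A missing parameter is a finding too: the kernel default then applies, and the default is
    rarely the hardened value (example policy thresholds below)."""
    params = parse_profile(text)
    findings = []

    def want(name, ok, expectation):
        value = params.get(name)
        if value is None or not ok(value):
            findings.append((name, value, expectation))

    def in_range(lo, hi):
        return lambda v: _int(v) is not None and lo <= _int(v) <= hi

    want("snc/enable", lambda v: v == "1", "SNC enabled (encrypted SAP GUI / RFC traffic)")
    want("login/min_password_lng", in_range(8, 40), "minimum password length of at least 8")
    want("login/password_expiration_time", in_range(1, 90), "passwords expire within 90 days")
    want("login/fails_to_user_lock", in_range(1, 5), "lock the user after at most 5 failed logons")
    want("rdisp/gui_auto_logout", in_range(1, 1800), "idle GUI sessions end within 30 minutes")
    want("rsau/enable", lambda v: v == "1", "Security Audit Log enabled")
    want("icm/HTTP/logging_0", lambda v: "LOGFILE=" in v.upper(), "HTTP access logging configured")

    # Listeners: require HTTPS and flag every plain-HTTP port (only enable required services).
    ports = {k: v for k, v in params.items() if k.startswith("icm/server_port_")}
    protocols = {k: dict(kv.split("=", 1) for kv in v.split(",") if "=" in kv).get("PROT", "").upper()
                 for k, v in ports.items()}
    if "HTTPS" not in protocols.values():
        findings.append(("icm/server_port_*", ports, "at least one HTTPS listener"))
    for name, prot in sorted(protocols.items()):
        if prot == "HTTP":
            findings.append((name, ports[name], "plain HTTP listener; remove unless required"))
    return findings


def failing_parameters(text):
    """Just the parameter names with findings, for reports and tests."""
    return sorted(f[0] for f in audit_profile(text))


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label)
        for name, value, expectation in audit_profile(profile) or [("(none)", "", "all checks pass")]:
            print("  %-32s %-28s %s" % (name, value, expectation))
```

`login/password_expiration_time = 0` and `rdisp/gui_auto_logout = 0` both read as "never", which is why the ranges start at 1 rather than 0; a checker that only tested for the parameter being present would pass both.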
Secure Network Topology and Layered Defense

[Figure: end users pass a firewall into the outer DMZ, which holds the application gateways (pre-scan user requests for validity and known exploits); a second firewall leads to the inner DMZ, which holds the Web AS, Portal or other web service front ends (preprocessing and validation of user input and output); a third, intranet firewall leads to the backend networks, where the application server farms (R/3, ERP, DIR) process the business logic or web service request. Web services are placed at the same level as other applications.]
Secure Network Topology with Encryption

[Figure: the same zones (Internet, outer DMZ with the application gateways, inner DMZ with the Web AS, Portal or other web service front ends, backend networks with the R/3, ERP and DIR application server farms). Traffic between the zones is protected with SSL or GSS-API (SNC); a network IDS sensor in each zone reports to the monitoring systems.]
Agenda
1. SOA – quick overview
2. SOA and Security in Enterprises
3. Securing SOA with SAP NetWeaver – on the road to BPM
3.1. Access Management and User Identity Propagation
3.2. Identity Management and Provisioning
3.3. Trust and Key Management
3.4. Threat and Vulnerability Management
4. Summary and Outlook
Security in Composition and BPM Scenarios: Example System Setup (Focus on Application and Service Level Security)

[Figure: an SAP NetWeaver 7.1 CE system (consumer tools, CE portal, service layer) with an SAP NetWeaver Portal 7.0 connected over FPN and an identity management system (e.g. SAP NetWeaver Identity Management). The CE service layer calls SAP and non-SAP providers, each exposing a service definition through a service endpoint interface (SEI), over SOAP via local proxies (LP). Some calls authenticate with a service user, others propagate the end user's ID.]
Setting Up Security for SOA Applications

Integrated security functions of the SAP NetWeaver platform (JAAS, GSS-API, ICM, UME, key management, virus scanning, ...)

Service security: message authentication; service guarantees (confidentiality, integrity, aging)
Service optimization: WS-SecureConversation, WS-SecurityPolicy, WS-Trust
Application security: authentication check, authorization check
System security: trust configurations, destinations, user identities, identity provisioning
Infrastructural safeguards (firewalls, proxy servers, network zones, ...)
Best Practices for Service Provisioning

Provider service layer
- Define the authentication requirement (in the SEI only): service user or user client authentication (user ID or certificate), or propagation of the consumer's user ID (logon ticket or SAML token profiles)
- Define the service guarantees (in the definition/SEI): confidentiality (SSL / XML Encryption), integrity (SSL / XML Signature), ...
- Set up routed service calls via a proxy

Provider application
- Define the access control check in the method/function of the application: programmatic (UME, JEE, ABAP AUTHORITY-CHECK) or declarative (JEE)

Provider system
- Synchronize or provision authorization information (roles and ACLs) to the centralized user identity management for the landscape
- Provide access to the system's public keys for service access and service guarantees

[Figure: the consumer application and its local proxy (LP) on the consumer side calling the service implementation through its SEI on the provider side.]
Best Practices for Service Consumption

Consumer service layer
- Acquire the service based on the WS-SecurityPolicy definitions in the WSDL

Consumer application
- Define the web access authentication configuration and the ticket template for SSO
- Define the access control check in the method/function of the application: programmatic (UME, JEE, ABAP), declarative (JEE), UI (portal role)

Consumer system
- Configure user authentication or SSO
- Assign provider roles to users: local user management, or provisioning from SAP NetWeaver IdM
- Define the service destination to the provider
- Exchange system certificates with the provider

[Figure: the consumer application and its local proxy (LP) on the consumer side calling the service implementation through its SEI on the provider side.]
Runtime Security in Composite and BPM Applications

[Figure: consumer tools and the portal on SAP NetWeaver CE call providers either directly through a local proxy (LP) and the provider's SEI, or through Process Integration (routing, mapping, BPM) via an adapter. The labels show the user "Bob" on both the consumer and the provider side and a "Deploy" step to the target system.]

System security
- Set up trust to providers / service brokers
- Set up destinations to providers, with optional logon information

Application security
- Authentication configuration in the ticket policy configuration
- UI authorization via portal roles and business roles
- Logic flow authorization with JEE and UME concepts
- Composite applications: register BO operations for the ACL check and use the server CAF authorization tool to map ACLs to roles
- BPM applications: provision identity information from the deployment target system over SPML

Service security
- Transport-level security for homogeneous service provider landscapes, message-level security for heterogeneous service provider landscapes
- Principal propagation to manage service provider access based on user identities, with authentication, authorization and audit
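An added example, not SAP code, of the principal propagation named under service security above and of the provider-side access control check the provisioning and consumption best practices call for. The consumer asserts the identity of a user it has already authenticated; the provider verifies the assertion against its trust configuration, maps the subject to local roles, performs the check in the operation, and writes an audit record naming the end user rather than a technical account. Everything below is constructed: the trust configuration uses a shared HMAC key as a stand-in for the exchanged system certificates and signed SAML assertions or logon tickets, and the users, roles and operations are invented.

```python
"""Principal propagation from consumer to provider with provider-side authorization and audit."""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed trust configuration: the provider trusts one consumer system. A real landscape
# exchanges X.509 certificates and signs SAML assertions or logon tickets; HMAC is a stand-in.
PROVIDER_ID = "HR_PROVIDER"
TRUSTED_ISSUERS = {"CONSUMER_CE": b"constructed-shared-secret"}

# Constructed provider-side authorization data: roles per user and roles per operation.
ROLE_ASSIGNMENTS = {"bob": {"EMPLOYEE"}, "alice": {"EMPLOYEE", "HR_ADMIN"}}
OPERATION_ACL = {"LeaveRequestOverview": {"EMPLOYEE"},
                 "ChangeBankData": {"EMPLOYEE", "HR_ADMIN"},
                 "ApproveLeave": {"HR_ADMIN"}}
SELF_SERVICE_OPS = {"ChangeBankData"}   # an EMPLOYEE may only touch their own record
AUDIT_LOG = []

T0 = datetime(2008, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
T_LATE = T0 + timedelta(minutes=6)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, issuer, key, now, ttl=timedelta(minutes=5)):
    """Consumer side: assert the identity of the user the consumer has already authenticated."""
    claims = {"sub": subject, "iss": issuer, "aud": PROVIDER_ID,
              "iat": int(now.timestamp()), "exp": int((now + ttl).timestamp())}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(hmac.new(key, payload, hashlib.sha256).digest())


def verify_token(token, now):
    """Provider side: returns (claims, reason); claims is None when the token is rejected."""
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None, "malformed token"
    if not isinstance(claims, dict) or not isinstance(claims.get("sub"), str):
        return None, "malformed token"
    key = TRUSTED_ISSUERS.get(str(claims.get("iss")))   # issuer only selects the key to try
    if key is None:
        return None, "untrusted issuer"
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), sig):
        return None, "bad signature"
    if claims.get("aud") != PROVIDER_ID:   # a token meant for another provider must not work here
        return None, "token not issued for this provider"
    iat, exp, ts = claims.get("iat"), claims.get("exp"), int(now.timestamp())
    if not (isinstance(iat, int) and isinstance(exp, int) and iat - 60 <= ts < exp):
        return None, "token outside validity window"
    return claims, "ok"


def _audit(user, operation, target, outcome, now):
    AUDIT_LOG.append({"time": now.isoformat(), "user": user or "<unauthenticated>",
                      "operation": operation, "target": target, "outcome": outcome})


def invoke(token, operation, target_employee, now):
    """Provider application: authenticate the propagated identity, then authorize and audit."""
    claims, reason = verify_token(token, now)
    if claims is None:
        _audit(None, operation, target_employee, "denied: " + reason, now)
        return "denied", reason
    user = claims["sub"]
    roles = ROLE_ASSIGNMENTS.get(user, set())
    if not roles & OPERATION_ACL.get(operation, set()):
        _audit(user, operation, target_employee, "denied: no role for operation", now)
        return "denied", "no role for operation"
    # Instance-level check: possible only because the end user's identity reached the provider.
    if operation in SELF_SERVICE_OPS and target_employee != user and "HR_ADMIN" not in roles:
        _audit(user, operation, target_employee, "denied: not own data", now)
        return "denied", "not own data"
    _audit(user, operation, target_employee, "allowed", now)
    return "allowed", "ok"


if __name__ == "__main__":
    key = TRUSTED_ISSUERS["CONSUMER_CE"]
    bob = issue_token("bob", "CONSUMER_CE", key, T0)
    print(invoke(bob, "ChangeBankData", "bob", T0))      # own record: allowed
    print(invoke(bob, "ChangeBankData", "alice", T0))    # someone else's record: denied
    print(invoke(bob, "LeaveRequestOverview", "bob", T_LATE))
    for entry in AUDIT_LOG:
        print(entry)
```

With a service user instead of propagation, the provider would see only the technical account: the "not own data" check has nothing to compare against, and the audit trail names the account, not Bob. That is the difference the slide's example draws between LeaveRequestOverviewService (service user) and ChangeBankDataService (SAML).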
The SAP Advantage: An Integrated Solution for Business and IT
- Integrated platform approach supports a comprehensive enterprise SOA strategy built on SAP's open platform
- Seamlessly links IDs with business roles, for smoother process integration
- Powerful synchronization and virtualization, plus integration with core processes and information in enterprise systems
- Standards-based and centralized security functions for secure operation and enterprise service governance
SAP NetWeaver: Security Solutions for Enterprise SOA

SAP NetWeaver provides security solutions as an integrated platform service to meet the requirements of diverse enterprise environments.

Requirement: Empower business users
SAP NetWeaver: Delegated user and content administration with centralized identity management for landscapes; support for flexible service and user authentication and SSO options

Requirement: Simplify administration and ensure business continuity with lower TCO
SAP NetWeaver: Integrated security administration in standardized and wizard-based interfaces for admin users; SAP NetWeaver Identity Management; industry-standards-based security solutions

Requirement: Native support for interoperable and flexible security solutions based on open standards
SAP NetWeaver: JAAS, SAML, SPML, GSS-API, WS-Security (1), WS-SecureConversation (1), WS-Policy and WS-SecurityPolicy, WS-ReliableMessaging (1)

Requirement: Security solutions for enterprise service-oriented architectures and process integration
SAP NetWeaver: WS-Security and WS-Security extensions (1); SAML Browser Artifacts and WSS SAML Token Profiles (1); service repository and composites security

Requirement: Infrastructure-based protection of SAP NetWeaver applications against common attacks
SAP NetWeaver: Access control and secure key management; virus scanning interface, output encoding, blacklist filtering, XML schema validation

(1) Support for XML Signatures and the Username and Certificate Token Profiles in SAP NetWeaver 7.0. Support for XML Encryption and the SAML Token Profiles in the application server with SAP NetWeaver 7.10 and SAP NetWeaver 7.0 AS ABAP SP 14 and higher.
Security Roadmap Highlights (2007/2008, 2009, 2010 and beyond)

Role & Authorization Management: meta-roles definition and assignment; role management simplification and TCO reduction; business role management; harmonized authorization concepts
Identity Management: central identity management for heterogeneous landscapes; identity federation support (SAML v2); business-process-integrated identity management
Enterprise SOA and Standards: enhanced support for WS-* standards; standards-based single sign-on infrastructure (SAML); standards-based principal propagation; additional WS-* standards (WS-SecureConversation, WS-Trust); extended SOA scenario support
Security Management: centralized policy-based security administration; harmonization of security administration; model-driven security management
Copyright 2008 SAP AG. All Rights Reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, SAP Business ByDesign, ByDesign, PartnerEdge and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned and associated logos displayed are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.