SAP Fiori
Overview of SSL + SAML 2.0 Configuration
SAP Fiori and SSL + SAML 2.0
A Typical Connection Scenario
© 2013 SAP AG. All rights reserved. 3
SAP Fiori Apps: A Typical Use Case
A typical use case for SAP Fiori apps is where access should be granted from the public internet.
In this case, single sign-on can be implemented using SAML 2.0 based authentication in conjunction
with IdP (Identity Provider) software such as SAP IDP, Ping Federate or Microsoft’s Active Directory
Federation Service (AD FS).
The user will need to authenticate themselves in a process known as Service Provider based
authentication.
Proxy SAP NW
Gateway SAP ECC
SAML 2.0
IdP
Public Internet Corporate DMZ Internal Corporate Network
© 2013 SAP AG. All rights reserved. 4
Authentication Flow: 1/11
The client sends a request to SAP NW Gateway via a proxy server.
This request could be either unauthenticated or expired (due to a timeout).
The request issued by the client refers to an external URL for the SAP Fiori App that is specific to the
particular customer’s situation.
SAP NW
Gateway SAP ECC
SAML 2.0
IdP
Corporate DMZ Internal Corporate Network
1
Public Internet
Unauthenticated
access request
Proxy
© 2013 SAP AG. All rights reserved. 5
Authentication Flow: 2/11
The proxy rewrites the URL to its internal equivalent and forwards the request to SAP NW Gateway.
SAP NW
Gateway SAP ECC
SAML 2.0
IdP
Corporate DMZ Internal Corporate Network
2
Public Internet
URL rewritten
& forwarded Proxy
© 2013 SAP AG. All rights reserved. 6
Authentication Flow: 3/11
SAP NW Gateway recognises that the request is unauthenticated and could respond in one of two
ways: either using an HTTP POST or an HTTP 302 redirect. In the case shown here, an HTTP 302
redirect is being used. Either way, the Gateway server responds to the client by saying:
“I don’t know who you are; go talk to the SAML 2.0 IdP server”
All URLs passing through the proxy server (in either direction) are rewritten as required.
SAP NW
Gateway SAP ECC
SAML 2.0
IdP
Corporate DMZ Internal Corporate Network
3
Public Internet
HTTP 302
redirect Proxy
© 2013 SAP AG. All rights reserved. 7
Authentication Flow: 4/11
The client follows the HTTP 302 redirect URL, and sends the request to the SAML 2.0 IdP server.
In this case, the SAML 2.0 IdP server is located behind the firewall, so the IdP request goes through
the proxy. However, if the SAML 2.0 IdP server is cloud based (i.e. publicly available), it would be a
direct request.
SAP NW
Gateway SAP ECC
SAML 2.0
IdP
Corporate DMZ Internal Corporate Network Public Internet
HTTP 302
redirect
Proxy
4
© 2013 SAP AG. All rights reserved. 8
Authentication Flow: 5/11
The SAML 2.0 IdP server challenges the client to identify itself.
At this point, the SAML 2.0 IdP server can be configured to accept whatever form of authentication is
required by the customer’s security standards – for instance, basic authentication, form or an X.509
certificate etc.
SAP NW
Gateway SAP ECC
SAML 2.0
IdP
Corporate DMZ Internal Corporate Network
5
Public Internet
Who are you? Proxy
© 2013 SAP AG. All rights reserved. 9
Authentication Flow: 6/11
The client responds by supplying the required credentials – for instance, an X.509 certificate.
SAP NW
Gateway SAP ECC
SAML 2.0
IdP
Corporate DMZ Internal Corporate Network Public Internet
I am… (X.509 Certificate)
Proxy
6
© 2013 SAP AG. All rights reserved. 10
Authentication Flow: 7/11
If the SAML 2.0 IdP server determines the user credentials to be valid, it responds with another
HTTP 302 to redirect the client back to the Gateway server; however, this response now additionally
carries a SAML artifact.
SAP NW
Gateway SAP ECC
SAML 2.0
IdP
Corporate DMZ Internal Corporate Network Public Internet
HTTP 302 redirect
+ SAML artifact
7 Proxy
© 2013 SAP AG. All rights reserved. 11
Authentication Flow: 8/11
SAP NW
Gateway SAP ECC
SAML 2.0
IdP
Corporate DMZ Internal Corporate Network Public Internet
Access request
+ SAML artifact
The client follows the HTTP 302 redirect URL and in doing so, passes the SAML artifact back to the
Gateway server.
8
Proxy
© 2013 SAP AG. All rights reserved. 12
Authentication Flow: 9/11
SAP NW
Gateway SAP ECC
SAML 2.0
IdP
Corporate DMZ Internal Corporate Network Public Internet
In order to double-check the validity of the SAML artifact, the Gateway server sends it back to the
SAML 2.0 IdP server for resolution as a back-channel Web Service (SOAP) request. Here, the
Gateway server is saying to the SAML 2.0 IdP server:
"I've just received a SAML artifact that claims to have come from you.
Did you really create this artifact?"
This type of double-check is designed to prevent 3rd parties from spoofing SAML artifacts.
9
Resolve
artifact
Proxy
© 2013 SAP AG. All rights reserved. 13
Authentication Flow: 10/11
SAP NW
Gateway SAP ECC
SAML 2.0
IdP
Corporate DMZ Internal Corporate Network Public Internet
The SAML 2.0 IdP Server resolves the artifact and returns an assertion that says:
"Yes, the artifact came from me and it identifies user such-and-such"
SAP NW Gateway then validates the user name in the assertion and if successful, the user's request
is considered authentic and an ABAP session is created.
10
SAML
assertion
Proxy
© 2013 SAP AG. All rights reserved. 14
Authentication Flow: 11/11
SAP NW
Gateway SAP ECC
SAML 2.0
IdP
Corporate DMZ Internal Corporate Network Public Internet
11
The OData service in SAP NW Gateway now starts and sends data to the client.
From this point onwards, the SAML 2.0 IdP server takes no further part in communication between
the client and the SAP NW Gateway server.
Once the user either explicitly logs off, closes their browser window or allows their session to
timeout, any further client requests will be considered unauthenticated and the whole authentication
flow process described in the preceding slides will be repeated.
Proxy
SSL + SAML 2.0 Configuration
Configuration steps needed to implement this particular scenario
Caveat:
The instructions in the following section of this presentation are not intended to act as a cookbook or how-to guide. Instead,
they provide an overview of the steps performed during an SAP Fiori implementation and links to the standard SAP Help
Portal information on each of the relevant topics.
© 2013 SAP AG. All rights reserved. 16
Outline of Configuration Steps
The following configuration steps need to be performed in the SAP NetWeaver AS
ABAP server acting as the Gateway hub:
1. Setup SSL Communication Enable the webserver within SAP NW AS ABAP to communicate using the Secure Sockets Layer.
This allows all HTTP based communication with the server to be encrypted.
2. Perform SAML 2.0 Configuration This configuration defines how SAP NW Gateway and the external SAML 2.0 IdP server should
communicate with each other, and should only be performed once the SSL configuration has been
successfully completed.
3. Perform Proxy Configuration The proxy used to protect access to the corporate network must be configured to rewrite at least the
fully qualified hostname and port number contained within all HTTP traffic passing between the SAP
NW Gateway server and the client device running the SAP Fiori application.
SSL Configuration
Enabling SAP NW Gateway to use the Secure Sockets Layer (HTTPS)
© 2013 SAP AG. All rights reserved. 18
SSL Configuration
Instructions for installing the cryptographic libraries and configuring SSL on a NetWeaver AS ABAP
can be found in the SAP Help Portal. Once the cryptographic libraries are installed and the kernel
profile parameters modified (examples shown below), you must bounce the AS ABAP server.
Notice that the standard HTTPS
port number of 443 is being used
© 2013 SAP AG. All rights reserved. 19
Using Ports Numbers Less Than 1024
The standard port number for unencrypted HTTP communication is 80, and for encrypted HTTP
communication using the Secure Sockets Layer is 443.
However, for security reasons, all variants of the Unix operating system prevent any process from
binding to a port number less than 1024 – unless that process has super user (root) authority.
If you wish your AS ABAP server to use the default port numbers for HTTP and HTTPS communication, you must use an SAP delivered program called icmbnd. This privileged program
binds to port numbers less than 1024, then returns the listening socket to the SAP server instance.
In this way, it acts as a proxy through which the SAP instance can communicate on those ports.
In this case, we are concerned only with the configuration for port 443.
1. In directory /usr/sap/<SID>/SYS/exe/run, change the ownership of program icmbnd using the
command chown root:sapsys icmbnd
2. Check that the profile parameter for your webserver is set in the instance profile. In this case, the value is icm/server_port_1 = PROT=HTTPS,PORT=443,TIMEOUT=30,EXTBIND=1
3. Restart the SAP server instance
© 2013 SAP AG. All rights reserved. 20
SSL Kernel Profile Parameters – What not to do!
Commonly used profile parameter values (such as path names) can be defined as variables and
then referenced as part of other profile parameter values. E.G.
DIR_INSTANCE = /usr/sap/DG9/DVEBMGS15
DIR_EXECUTABLE = $(DIR_INSTANCE)/exe
Therefore, when configuring the path name to the SSL encryption executable, it might seem logical
to do the following:
ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so
Unfortunately, this does not work as expected.
The variable name $(DIR_EXECUTABLE) in the value of parameter ssl/ssl_lib is not evaluated.
Consequently, when the NW Gateway system is restarted, you’ll find that you are unable to log on
with a normal user because this erroneous configuration has invalidated the system’s license!
© 2013 SAP AG. All rights reserved. 21
PSEs and Certificates – Overview
Transaction STRUST is used to manage the configuration of your
system’s SSL certificates and the secure containers within which
they are stored (known as PSEs).
A Personal Security Environment (PSE) is a secure, operating
system level file, managed by an SAP system that holds both the
public and private information of either a user or a component.
This information includes the owner’s public-key certificate, a
private address book of certificates and their private key.
Each component within an SAP system that requires the use of
SSL based communication typically has its own PSE.
Each PSE can contain a list of trusted certificates that will be used
during communication with a particular secure server.
© 2013 SAP AG. All rights reserved. 22
PSEs and Certificates – Check SSL Library Versions
In transaction STRUST, select the menu option Environment Display SSF Version.
At the time of writing this presentation (May, 2013), the latest version is 1.555 patch level 34
© 2013 SAP AG. All rights reserved. 23
PSEs and Certificates – 1/5
The first PSE to create is the “System PSE”.
The “Own Certificate” held in
this PSE is used only for the
generation of SSO2 cookies.
© 2013 SAP AG. All rights reserved. 24
PSEs and Certificates – 2/5
Next, create the “SSL Server Standard” PSE. This is the PSE that holds your SSL server’s
certificate.
The Canonical Name by which
this SSL server is known
CN=*.blahblah.com, OU=I0029244232, OU=SAP Web AS
© 2013 SAP AG. All rights reserved. 25
PSEs and Certificates – 3/5
The “SSL Client (Standard)” PSE holds a list of trusted certificates used when NW Gateway acts as
an HTTPS client. E.G. During back-channel communication with the Identity Provider.
The root certificate of the
SAML 2.0 IdP Server
CN=sso.blahblah.com, OU=IT, O=Blah Ltd, L=London
© 2013 SAP AG. All rights reserved. 26
PSEs and Certificates – 4/5
The PSEs called “SSF SAML2 Service Provider – E” and “SSF
SAML2 Service Provider - S” belong to SAP’s Secure Store &
Forward (SSF) component.
Unless you need to use non-standard settings, do not create
these PSEs manually. They are created for you when the SAML2
configuration wizard is run.
SSF SAML2 Service Provider – E
Used by SSF to encrypt data sent to the Identity Provider.
SSF SAML2 Service Provider – S
Used by SSF to sign data sent to the Identity provider. Signed
data can be sent either in encrypted form or as plain text.
© 2013 SAP AG. All rights reserved. 27
PSEs and Certificates – 5/5
You do not need to add this certificate yourself. It is added automatically by the SAML2 configuration
wizard and is required by the Service Provider to verify the data it receives from the Identity Provider.
The certificate of the Identity
Provider used for data signing
CN=SFDC, O=Blah Ltd, C=GB
© 2013 SAP AG. All rights reserved. 28
PSEs and Certificates – Check HTTPS Connectivity
After the SSL configuration steps have been performed, you should be able to issue a URL to the
NW Gateway server using the HTTPS protocol.
If the browser warns you that the certificate issued by the secure server is not trusted, then this is
probably because your SSL server certificate is self-signed. The browser could also warn you that
the certificate does not belong to the hostname that sent it.
Self-signed certificates are fine for the purposes of testing and building PoC applications, but when
creating a public certificate, it should be signed by a recognised certification authority (CA) – for
instance, VeriSign.
SAML 2.0 Configuration
Enabling SAP NW Gateway to accept user authentication via
SAML 2.0
© 2013 SAP AG. All rights reserved. 30
Activate Session Security
Using transaction SICF_SESSIONS, activate session security for the client in which you are working.
For more information, see the SAP Help Portal.
This particular system has session
security active only for client 100
© 2013 SAP AG. All rights reserved. 31
SAML 2.0 Configuration
The standard SAP documentation for configuring SAML 2.0 based authentication can be found in the
SAP Help library.
Warning
If SSL communication is not working correctly, do not attempt to start any SAML 2.0 configuration!
Not only will it be impossible to complete the SAML 2.0 configuration, but the SAML 2.0 configuration
will need to be repeated after the SSL configuration has been corrected.
In NW Gateway, start transaction SAML2. This will start your browser and then start a Web Dynpro
application to perform the SAML configuration.
© 2013 SAP AG. All rights reserved. 32
SAML Configuration – 1/6
The signing and encryption key pairs are derived
from the “SSL SAML2 Service Provider – E” and
“SSL SAML2 Service Provider – S” PSEs shown
on slide 26
The first thing to do is create and enable a
Local Provider.
This identifies your NW Gateway server as a
system that can accept SAML based
authentication.
© 2013 SAP AG. All rights reserved. 33
SAML Configuration – 2/6
The Metadata button allows you to export the
SAML 2.0 service provider metadata so that it
can be imported into the external SAML 2.0
identity provider
Once the Local Provider SAML settings have
been defined and enabled for the NW Gateway
server, you should export this information.
© 2013 SAP AG. All rights reserved. 34
SAML Configuration – 3/6
The easiest way to set up a new Trusted
Provider is to ask the administrator of the
SAML 2.0 IdP server to export their server’s
configuration as an XML Metadata file.
An XML configuration file can be
imported directly by this wizard.
https://sso.blahblah.com/idp/SSO.saml2
https://sso.blahblah.com/idp/SSO.saml2
https://sso.blahblah.com/idp/SSO.saml2
https://sso.blahblah.com/idp/SSO.saml2
HTTP 302 redirects will be used
to bind to the external SAML 2.0
IdP server
BlahBlahDev
"BlahBlahDev"
© 2013 SAP AG. All rights reserved. 35
SAML Configuration – 4/6
SAML 2.0 can accept user names in various
different formats.
In this particular case, the format is
open; therefore, the NameID format
of “Unspecified” is configured.
In this particular case, the user name
supplied by the SAML 2.0 assertion is
identical to the userid in SAP NW Gateway
BlahBlahDev
"BlahBlahDev"
© 2013 SAP AG. All rights reserved. 36
SAML Configuration – 5/6
During the import process, the wizard
guides you through several pages, on
each of which you can accept the
default values, except…
On the Signature and Encryption tab
Under “Artifact Profile”, the
“Require Signature” field must
be set to “Never”
BlahBlahDev
CN=SFDC, O=Blah Ltd, C=GB
"BlahBlahDev"
© 2013 SAP AG. All rights reserved. 37
SAML Configuration – 6/6
During the import process, the wizard
guides you through several pages, on
each of which you can accept the
default values, except…
And the Authentication Requirements
tab
Under “Authentication
Response”, the “Binding” field
must be set to “HTTP Artifact”
BlahBlahDev
"BlahBlahDev"
SAML Enabling a Gateway Service
Enabling a NW Gateway server to accept user authentication via
SAML artifacts and assertions
© 2013 SAP AG. All rights reserved. 39
SAML Enable a Gateway Service – 1/3
Once the SAML configuration has been
completed, you must adapt the logon policy for
the Gateway Services behind the SAP Fiori
apps to use SAML 2.0 Authentication.
This is done in transaction SICF on the NW
Gateway Server.
Locate the ICF node that corresponds to the
SAP Fiori app you are implementing and
double click on it.
The “Invoice Tracking” SAP Fiori app is
implemented as ICF node sra021_srv
© 2013 SAP AG. All rights reserved. 40
SAML Enable a Gateway Service – 2/3
Select the “Logon Data” tab and change the
Procedure field from “Standard” to “Alternative
Logon Procedure”.
SAML based authentication is
activated by changing the logon procedure
Change the Security Requirement to SSL
© 2013 SAP AG. All rights reserved. 41
SAML Enable a Gateway Service – 3/3
Once the “Alternative Logon Procedure” has
been changed, you can scroll down within the
Logon Data tab area and you will see a list of
Logon Procedures.
By default, SAML Logon is item 7 in the list.
To change this order, simply overtype the
number in the left-hand column with 1 (or 2).
The list is then automatically sorted according
to the new order, but “Logon Through HTTP
Fields” will always be item one.
Save your changes and when you execute the
Gateway service, the client will be redirected to
the logon screen of the external SAML 2.0 IdP
server.
SAML based authentication will
now be used in the event that the
HTTP header does not contain the required user information
Proxy Configuration
Using a proxy to protect access from the public internet
© 2013 SAP AG. All rights reserved. 43
Proxy Configuration
Due to the fact that there are many different proxy products available and each is configured slightly
differently, it is not possible to give exact instructions at this point. Irrespective of how your particular
proxy is configured to rewrite URLs, the following URL information must be forwarded:
• The pathname to the SAP Fiori app
• All HTTP header fields
• The entire URL query string
SAP NW
Gateway SAP ECC
SAML 2.0
IdP
Public Internet Corporate DMZ Internal Corporate Network
Proxy
© 2013 SAP AG. All rights reserved. 44
Proxy Configuration: A Possible Error – 1/2
If the URL information passed through to SAP NW
Gateway is incomplete, you could get the error
message shown here:
No default application path is configured for ACS endpoint
What this means is that although the proxy is passing through the application path and HTTP headers, it is not
passing through the query string parameters. Therefore, SAP NW Gateway receives a valid, authenticated
request, but without any app name (held in the query string parameter called "Relay State").
Since the app name is missing, Gateway then tries to run a default application, but since none is configured, the
above error is displayed.
© 2013 SAP AG. All rights reserved. 45
Proxy Configuration: A Possible Error – 2/2
Incidentally, if you want to configure a default application to run in the
event that none is specified, it can be done in the SAML2 configuration
wizard under “Local Provider” “Service Provider Settings”.
Important
This is not required for any of the SAP Fiori apps!
Only used in case of IdP-initiated SSO because
in this case, the service provider does not know what app to run after authentication.
Trouble Shooting
What to do if it all goes horribly wrong…
© 2013 SAP AG. All rights reserved. 47
Trouble Shooting
If you find an error in your configuration, the following tools are available:
1. SAP Help Portal on how to diagnose SAML 2.0 problems
2. SDN Wiki Page for SAML 2.0
3. Common problems encountered when configuring SAML 2.0 for AS ABAP
4. Trouble shooting SAML 2.0 scenarios
5. When testing the SAP Fiori apps from a non-mobile client (say your desktop browser), some of
these apps require the following query string parameter to be added to the URL:
sap-ui-xx-fakeOS=<os_name>
where <os_name> is “ios” or “android” or “bb”
© 2013 SAP AG. All rights reserved. 48
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
© 2013 SAP AG. All rights reserved
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
© 2013 SAP AG. All rights reserved. 49
© 2013 SAP AG. Alle Rechte vorbehalten.
Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in
welcher Form auch immer, ohne die ausdrückliche schriftliche Genehmigung durch SAP AG nicht gestattet.
In dieser Publikation enthaltene Informationen können ohne vorherige Ankündigung geändert werden.
Die von SAP AG oder deren Vertriebsfirmen angebotenen Softwareprodukte können Softwarekomponenten
auch anderer Softwarehersteller enthalten.
Microsoft, Windows, Excel, Outlook, und PowerPoint sind eingetragene Marken der Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System
z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7,
POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize,
XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere,
Tivoli, Informix und Smarter Planet sind Marken oder eingetragene Marken der IBM Corporation.
Linux ist eine eingetragene Marke von Linus Torvalds in den USA und anderen Ländern.
Adobe, das Adobe-Logo, Acrobat, PostScript und Reader sind Marken oder eingetragene Marken von
Adobe Systems Incorporated in den USA und/oder anderen Ländern.
Oracle und Java sind eingetragene Marken von Oracle und/oder ihrer Tochtergesellschaften.
UNIX, X/Open, OSF/1 und Motif sind eingetragene Marken der Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame und MultiWin sind Marken oder
eingetragene Marken von Citrix Systems, Inc.
HTML, XML, XHTML und W3C sind Marken oder eingetragene Marken des W3C®, World Wide Web
Consortium, Massachusetts Institute of Technology.
Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri
und Xcode sind Marken oder eingetragene Marken der Apple Inc.
IOS ist eine eingetragene Marke von Cisco Systems Inc.
RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry Torch, BlackBerry
Storm, BlackBerry Storm2, BlackBerry PlayBook und BlackBerry App World sind Marken oder eingetragene
Marken von Research in Motion Limited.
Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads,
Google Mobile Updater, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice,
Google Mail, Gmail, YouTube, Dalvik und Android sind Marken oder eingetragene Marken von Google Inc.
INTERMEC ist eine eingetragene Marke der Intermec Technologies Corporation.
Wi-Fi ist eine eingetragene Marke der Wi-Fi Alliance.
Bluetooth ist eine eingetragene Marke von Bluetooth SIG Inc.
Motorola ist eine eingetragene Marke von Motorola Trademark Holdings, LLC.
Computop ist eine eingetragene Marke der Computop Wirtschaftsinformatik GmbH.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork,
SAP HANA und weitere im Text erwähnte SAP-Produkte und Dienstleistungen sowie die entsprechenden
Logos sind Marken oder eingetragene Marken der SAP AG in Deutschland und anderen Ländern.
Business Objects und das Business-Objects-Logo, BusinessObjects, Crystal Reports, Crystal Decisions,
Web Intelligence, Xcelsius und andere im Text erwähnte Business-Objects-Produkte und Dienstleistungen
sowie die entsprechenden Logos sind Marken oder eingetragene Marken der Business Objects Software Ltd.
Business Objects ist ein Unternehmen der SAP AG.
Sybase und Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere und weitere im Text erwähnte
Sybase-Produkte und -Dienstleistungen sowie die entsprechenden Logos sind Marken oder eingetragene
Marken der Sybase Inc. Sybase ist ein Unternehmen der SAP AG.
Crossgate, m@gic EDDY, B2B 360°, B2B 360° Services sind eingetragene Marken der Crossgate AG in
Deutschland und anderen Ländern. Crossgate ist ein Unternehmen der SAP AG.
Alle anderen Namen von Produkten und Dienstleistungen sind Marken der jeweiligen Firmen. Die Angaben
im Text sind unverbindlich und dienen lediglich zu Informationszwecken. Produkte können länderspezifische
Unterschiede aufweisen.
Die in dieser Publikation enthaltene Information ist Eigentum der SAP. Weitergabe und Vervielfältigung
dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Form auch immer, nur mit
ausdrücklicher schriftlicher Genehmigung durch SAP AG gestattet.