
Upload: rahul-jayaprakash

Post on 16-Dec-2015

DESCRIPTION

SAP transcripts week4

TRANSCRIPT

  • openSAP Introduction to SAP Fiori UX WEEK 4, UNIT 1

    00:00:12 Hi and welcome back.

    00:00:15 You may remember me from the other sessions that we've done together.

    00:00:19 But if not, my name is Prakalp Phadnis and I was with you over the last few weeks for a number of units.

    00:00:27 Now that Elizabeth has taken you through the configuration section of this course,

    00:00:31 let us talk about a topic that is vital to most enterprise mobility end users, namely security.

    00:00:37 In this unit, the Introduction to SAP Fiori UX Security and Single Sign-On,

    00:00:43 we will look at the concepts related to securing the various touch points of Fiori.

    00:00:48 When running your SAP Business Suite systems, you must ensure that your data and processes support your business needs

    00:00:55 without allowing unauthorized access to critical information.

    00:00:58 User errors, negligence, or attempted manipulation of your systems

    00:01:03 must not result in loss of data or information or, indeed, processing time.

    00:01:08 These security requirements apply equally to SAP Fiori applications.

    00:01:15 If we begin to look at this topic of security from a high-level perspective,

    00:01:21 what are the various touch points that we have in this context?

    00:01:25 As you will notice, we are traversing at least three network layers:

    00:01:29 the Internet or public network where the devices or indeed your consumption model, whatever it may be, exists,

    00:01:36 the demilitarized zone, and then the server zone.

    00:01:38 Sometimes, the servers may be split into one or more DMZ layers

    00:01:43 or they could consist of an inner DMZ or outer DMZ.

    00:01:49 There could also be some secure server zones that are in place.

    00:01:53 So I always, as a rule of thumb, consider at least four network layers.

    00:01:59 Each of these layers provides a touch point, in our case, and also provides some security aspects that need to be considered.

    00:02:07 When a user launches an SAP Fiori application,

    00:02:12 the launch request is sent from the client to the ABAP front-end server by the SAP Fiori launchpad.

    00:02:20 During launch, the ABAP front-end server, or Gateway server, authenticates

    00:02:26 the user by using one of the following authentication and single sign-on mechanisms.

    00:02:31 Obviously this is not the entire list, but this is just a selection from that list.

    00:02:36 So Kerberos/SPNEGO-based or X.509 certificates-based, SAML 2.0-based, or logon tickets-based.

    00:02:46 As you know, there are many parts to the whole when it comes to Fiori

    00:02:50 and each of these parts has its own security concepts that need to be considered.

    00:02:55 I am not saying that they all implement security differently, but I'm saying that they all have different aspects of the security paradigm

    00:03:01 that are emphasized more in one context or another.

    00:03:05 And these guides are the ones that deal with each component on an overarching level.

    00:03:12 So I've opened up this particular section of the guides here.

    00:03:17 And the link is also provided to you at the top in the first sentence.

    00:03:23 On the left-hand side, you will see each of these guides listed out.

    00:03:29 Please do use these when considering your security architecture.

    00:03:37 Now, if you access SAP Fiori applications from within your corporate network,

    00:03:42 you can enable Kerberos/SPNEGO-based authentication for the ABAP front-end server.

    00:03:48 This type of authentication is especially recommended if you already have the infrastructure in place,

    00:03:55 for example, if you're using Microsoft Active Directory and are using Kerberos.

    00:04:00 If you have implemented a public key infrastructure (or PKI, for short) for user authentication in your organization,

    00:04:07 then you can use X.509 certificates by configuring the required back-end systems to accept these X.509 certificates.

    00:04:14 Both ABAP stack and the HANA stack support X.509 certificates.

    00:04:19 Authentication with X.509 certificates provides a few advantages.

    00:04:24 For example, it does not require an issuing system during logon,

    00:04:28 which means that in Internet-facing scenarios, this really works well.

    00:04:32 It also is supported for logon using SAP GUI.

    00:04:37 So if you are using SAP GUI and have HTTP access,

    00:04:43 then using X.509 certificates simplifies maintenance and setup of the system landscape.

    00:04:50 Of course, X.509 certificates in use means they must be distributed to the workstations or handheld devices that are used to access Fiori applications.

    00:05:01 If you have implemented the Security Assertion Markup Language (or SAML, for short) version 2.0 as a method of SSO within your organization,

    00:05:10 you can configure the ABAP front-end server to use SAML 2.0-based authentication.

    00:05:16 And logon tickets. Well obviously, if you have a portal in place then as a logon ticket-issuing authority, you can use that

    00:05:25 or you can use the front-end server configured to be the provider of logon tickets within your landscape.

    00:05:34 Of course, these tickets must be enabled for consumption...

    00:05:39 sorry, the back-end systems must be enabled for consumption of these tickets.

    00:05:45 And this week, we will look more into these different methods.

    00:05:52 That brings us to the end of the unit, during which we looked at the overview of security and security touch points related to Fiori,

    00:06:02 the various layers in the architecture where the security topic comes up,

    00:06:07 and looked at where you can find some of the most updated information to help you on your way.

    00:06:12 In the next unit, we will look at the topics of security related to the front-end server. See you soon.

    WEEK 4, UNIT 2

    00:00:13 Hi and welcome to week 4, unit 2: Understanding Security on the SAP Front-End Server.

    00:00:19 In the previous unit, we looked at the security overview,

    00:00:22 the layers of architecture where the security topic will impact us,

    00:00:25 and where to find the most relevant information related to security topics.

    00:00:30 Today, let's look at some of these specifics related to the front-end server.

    00:00:36 So connecting the dots, or at least in one direction, outside in.

    00:00:41 In the simplest format, the device, whether it's a desktop or a handheld device, will connect directly to the gateway.

    00:00:48 If you implement Fiori transactional-based applications in an Internet-facing scenario,

    00:00:54 SAP recommends that you deploy the SAP Web dispatcher in your demilitarized zone.

    00:01:01 There's a specific section on this topic in the help guides. Please have a look.

    00:01:08 The Web dispatcher should allow only requests that will be routed to the general Internet Communication Framework (ICF) services

    00:01:16 or to the Fiori apps that must be exposed.

    00:01:19 For example, in the case of the HANA XS Engine,

    00:01:24 the node /sap/hba/* and everything underneath that node should be blocked.

    00:01:31 Or in the case of the Enterprise Search, /sap/es/* and everything under that node should be blocked.

    00:01:39 To set up the connections between Web dispatcher and the ABAP servers,

    00:01:44 you must make the following settings, and not in any particular order.

    00:01:48 HTTP security session management for the ABAP front-end server must be configured.

    00:01:53 And you must configure the ABAP front-end server for supporting SSL.

    00:01:59 In addition, we can secure the communication between the back-end server and the front-end server.

    00:02:05 To ensure confidentiality and integrity of data, SAP recommends protecting HTTP connections using

    00:02:14 Transport Layer Security (or TLS, for short) or Secure Sockets Layer (SSL for short).

    00:02:21 A token-based protection against Cross-Site Request Forgery (CSRF) is active by default in SAP Gateway

    00:02:30 and HANA XS Fiori OData services.

    00:02:34 These services already have this security built in.

    00:02:37 And it protects all modifying requests.

    00:02:43 Use SNC for user authentication and single sign-on when using SAP protocols like dialog or RFC
    00:02:53 and the SAP GUI or Java. Java is the front end.

    00:02:59 So when using SAP protocols like dialog or RFC and you're using the GUI as your front end,

    00:03:08 whether it's Java-based or Windows, doesn't matter.

    00:03:10 Transport Layer Security is also provided when using SNC.

    00:03:15 For more information on this, again have a look at the guides. There's a specific topic related to SNC.

    00:03:21 Use logon tickets for single sign-on when accessing Internet protocols

    00:03:27 and a Web browser as the front-end client.

    00:03:31 Use SSL and X.509 certificates for both user authentication and single sign-on

    00:03:36 when using, again, Internet protocols and a Web browser as a front-end client.

    00:03:44 In order to set up HTTPS for Fiori services, there are some supporting requirements that need to be met.

    00:03:50 The SAP Crypto Library, or the SAP Cryptographic Library, which is the official name, is one of those.

    00:03:56 And this is the default security product delivered by SAP for performing encryption functions in our systems.

    00:04:03 For example, you can use it to provide SNC between various SAP components, server components,

    00:04:10 or for using SSL protocol with the ABAP stack.

    00:04:15 The SSL Server PSE (PSE standing for personal security environment) contains the application server's security information

    00:04:24 that it needs to communicate using SSL.

    00:04:27 If you have a system with multiple application servers, then there are some additional options that apply.

    00:04:34 You can use a single system-wide SSL server PSE for all your servers.

    00:04:39 You can use a server-specific SSL server PSE for individual application servers.

    00:04:45 Or you can use a combination of both,

    00:04:48 where you choose whichever one is the most relevant.

    00:04:53 However, there exists a hard dependency to the Crypto Library being installed.

    00:05:03 SNC integrates single sign-on or an external security product with SAP systems.

    00:05:13 With SNC, you strengthen security by using additional functions

    00:05:19 provided by a security provider product that are not directly available with SAP systems.

    00:05:27 SNC protects the data communication paths between various clients

    00:05:32 and between various client and server components of the SAP system.

    00:05:38 There are well-known cryptographic algorithms that have been implemented by various security products,

    00:05:43 and with SNC, you can apply these algorithms to your data for increased protection.

    00:05:50 With SNC, you can receive application-level, end-to-end security.

    00:05:55 All communication that takes place between two protected components is secured,

    00:06:00 for example, between the GUI and the application server.

    00:06:05 You can use additional features that SAP doesn't directly provide, for example, smart cards, when you have this enabled.

    00:06:14 You can change the security product at any time without affecting the SAP business applications.

    00:06:21 There are three levels of security protection that you can apply:

    00:06:27 Authentication only, integrity protection, and privacy protection.

    00:06:31 When using authentication-only levels of protection, the system verifies the identity of the communication partners.

    00:06:38 This is the minimum level of protection offered by SNC.

    00:06:43 No actual data protection is provided.

    00:06:48 When using integrity protection, the system detects any changes or manipulation of the data

    00:06:54 which may have occurred between the two end points of a communication.

    00:06:58 When using privacy protection, the system encrypts the messages being transferred to make eavesdropping useless,

    00:07:05 but privacy protection also includes integrity protection of the data.

    00:07:09 This is the maximum level of protection provided by SNC.

    00:07:15 That brings us to the end of this unit, during which we looked at the security paradigms applied to the front-end server,

    00:07:21 including HTTPS, the Web dispatcher, and various methods to secure communication between the server-side components.

    00:07:29 In the next unit, we will look at topics of security related to the back-end server. See you soon.

    WEEK 4, UNIT 3

    00:00:12 Hi and welcome to week 4, unit 3: Understanding Security on the SAP Back-End Server.

    00:00:19 In the previous units so far, we've looked at the security overview, the layers of architecture where security will have an impact,

    00:00:27 where to find the most relevant information on these topics.

    00:00:30 And we also looked at security in relation to the front-end server.

    00:00:34 Today let's do the same, but with a focus on the back-end server.

    00:00:40 After the initial authentication,

    00:00:44 the SAP Fiori applications can send requests to the ABAP back-end server

    00:00:49 and to the HANA XS Engine directly as and if required.

    00:00:54 This is in addition to the normal request going through the front-end server.

    00:00:58 Now this little piece of change adds an extra dimension to our configuration, and we will come back to this point a little bit later.

    00:01:08 Securing the ABAP stack or the HANA platform is a huge topic and clearly out of scope for such a course.

    00:01:14 However, some of the touch points with Fiori in mind must be addressed.

    00:01:18 Therefore I have added a section here and in the next slide that contains links and points to the help pages

    00:01:24 where these guides for all subtopics are located.

    00:01:28 The segregation of security configuration and settings is not clear...

    00:01:34 generally it's not clear in terms of what applies to the front end or the back end or both most of the time.

    00:01:40 I look at it as a handshake, and always consider unit 2 and unit 3, so the previous one and this one,

    00:01:48 to be two sides of the same coin.

    00:01:50 And do look at them as one, if you will, together.

    00:01:57 Transactional applications and fact sheets send OData requests through the ABAP front-end server towards the back-end server.

    00:02:03 After the initial authentication, a session is established between the client and the front-end server.

    00:02:09 OData requests towards the back-end server are then communicated using trusted RFC connections.

    00:02:16 For search in the SAP Fiori launchpad, fact sheets also send

    00:02:23 INA protocol-based search requests from the client to the back-end server.

    00:02:28 These requests can be authenticated using Kerberos/SPNEGO or X.509 certificates or logon tickets and so on.
    00:02:37 You can configure the front-end server to issue logon tickets after the initial authentication

    00:02:42 or you can use your existing infrastructure, so your PKI infrastructure or whatever, to do the same.

    00:02:49 Now does this all sound familiar? Indeed it does, because we've talked about this in the earlier unit, unit 2.

    00:02:57 The NetWeaver Security Guide section is a huge compendium and a great resource.

    00:03:02 However, not all of the content there is relevant in our context.

    00:03:08 So these three subsections that you can see on the slide are deemed to be most relevant to us in our context.

    00:03:16 Please do use these actively when building your security paradigm or security strategy related to Fiori.

    00:03:24 Again, the platform-level security topic for HANA as well is a huge one.

    00:03:30 The HANA Security Guide is a large compendium of directives and recommendations.

    00:03:36 But in relation to the topic of Fiori, it is necessary, we need to understand, the following.

    00:03:43 For analytical applications, the Web dispatcher forwards OData requests from the client to XS Engine.

    00:03:49 And therefore the communication between the Web dispatcher and the XS Engine

    00:03:55 needs to be established and with an HTTPS preceding it.

    00:04:02 For that to happen, all the prerequisites that we discussed in the previous units also apply here.

    00:04:11 Which takes us to the end of this unit, where we looked at an overview of security related to the Fiori back end,

    00:04:19 the various layers of architecture,

    00:04:21 and also looked at the guides and where you will find information to help you build on this particular topic as you require.

    00:04:29 In the next unit, we will look at the topic of single sign-on (SSO) related to Fiori. See you soon.

    WEEK 4, UNIT 4

    00:00:12 Hi and welcome to week 4, unit 4: Review the Single Sign-On Options (of course with Fiori in mind).

    00:00:19 In the previous units so far, we've looked at the security overview, the layers of architecture where the security topic will impact us,

    00:00:28 and where to find the most relevant information related to security.

    00:00:32 We also looked at security topics related to the front- and back-end servers.

    00:00:36 Now, let's have a look at the various single sign-on options that we have at our disposal.

    00:00:42 On this slide, I only want to list out what we perhaps also have discussed earlier.

    00:00:48 True to tradition, we can use SAML 2.0 tokens, we can use user certificates,

    00:00:53 Kerberos-based authentication, among others, to enable SSO for Fiori.

    00:01:00 Based on the specific scenario that you are implementing, there may be synergies to be gained by choosing one method over the other.

    00:01:08 This is, however, a decision that is affected by many factors, and you will have to take this call at the time of implementation.

    00:01:17 Quoting Network World...well, actually, let me give you a bit of a background.

    00:01:22 While I was researching stuff, content for this slide, I came across this quote from Network World

    00:01:28 which I thought was a really nice way of introducing SAML 2.0.

    00:01:33 So let me quote Network World, saying,

    00:01:37 SAML 2.0 incorporates every critical use case and feature from every predecessor protocol into a single standard.

    00:01:44 As it represents a superset of all the functionality in all five predecessors, SAML 2.0 makes them obsolete.

    00:01:51 SAML 2.0 describes two roles for enabling federation:

    00:01:55 the service provider, which is the entity that makes an application or a resource available to the user,

    00:02:00 while the identity provider is responsible for authenticating the user.

    00:02:04 The service provider and the identity provider exchange messages to enable single sign-on and single log-out.

    00:02:10 These message exchanges can be initiated by the identity provider or the service provider.

    00:02:16 That's the end of the quote. And I think it really sums up the essence for SAML 2.0.

    00:02:22 If you've implemented the Security Assertion Markup Language in its second version as a method of single sign-on within your organization,

    00:02:30 you can configure the ABAP front-end server to use SAML.

    00:02:33 And during logon, the SAML 2.0-based authentication requires access to an issuing system, called the identity provider,
    00:02:43 to enable single sign-on with SAML 2.0 for Internet-facing deployment scenarios.

    00:02:52 And these scenarios...SAML 2.0 really leverages its federation capabilities,

    00:03:02 and to do that you must ensure that the identity provider is securely accessible from outside your corporate network.

    00:03:11 When discussing logon tickets, after successful authentication, the system issues the user with a logon ticket,

    00:03:19 which then that user can use to access successive systems without repeating the steps.

    00:03:25 The characteristics of a logon ticket include

    00:03:29 the fact that it's stored as a nonpersistent cookie in the user's Web browser

    00:03:35 and for those who are interested, in our case it's going to be called mysapsso2.

    00:03:40 It is deleted when the user logs off or closes that Web browser and the session.

    00:03:46 The maximum life span of the logon ticket can be specified,

    00:03:51 and it's done so by the issuing system and the parameters that are set there.

    00:03:57 Among other things, it contains the user's ID,

    00:04:00 and no password, of course. It's digitally signed by the ticket-issuing server.

    00:04:05 This digital signature is verified by the accepting systems and, on that basis, then user access is allowed.

    00:04:16 In cryptography, X.509 is an ITU-T standard for a Public Key Infrastructure (PKI)

    00:04:26 and Privilege Management. Let's not delve too much into what these acronyms are.

    00:04:35 Essentially, X.509 are user certificates.

    00:04:38 And X.509 specifies, among other things, standard formats for public key certificates,

    00:04:45 for the certificates themselves, for revocation lists, attribute certificates, and a certificate path validation algorithm.

    00:04:53 In the X.509 system, a certification authority issues a certificate binding, a public key,

    00:05:01 to a particular distinguished name in the X.500 tradition,

    00:05:07 or to an alternative name such as an e-mail address.

    00:05:17 An organization's trusted root certificate can be distributed to all employees so that they can use the company's PKI system.

    00:05:26 If you have implemented a PKI infrastructure for your user authentication in your organization,

    00:05:31 you can use X.509 certificates by configuring the ABAP front-end server or HANA to accept these X.509 certificates.

    00:05:39 The Fiori applications can send requests directly to the front-end server,

    00:05:46 and the SAP back-end server and to a HANA server.

    00:05:49 And all those requests are authenticated by each of these systems, depending on which the recipient system is.
    00:05:57 Which systems should be configured for X.509 certificate authentication depends on the type of app that you are using.

    00:06:08 This brings us to the end of this unit and, in fact, to the end of the week.

    00:06:12 This week we went through various touch points in Fiori related to the security topic.

    00:06:18 It's a large one and very relevant to end users.

    00:06:21 Take your time digesting this information as well as researching the content from the guides that we've talked about from help.sap.com.

    00:06:30 In the next unit, you will work with me on an exercise covering these topics. See you soon.

    WEEK 4, UNIT 5

    00:00:12 Hi and welcome to week 4, unit 5: An exercise walking through the SAML 2.0 configuration.

    00:00:20 This is an optional exercise, as are all the exercises we've designed for you,

    00:00:24 which means that there is no impact on your final score if you choose not to do it.

    00:00:30 In this exercise, I would like to guide you through the SAML configuration process that we discussed in our previous unit.

    00:00:36 There are a lot of details in this particular exercise, so please take your time and do pay attention to each step.

    00:00:44 In the how-to guide, linked both in the slide as well as at the bottom of your screen,

    00:00:48 you will find detailed instructions to setting up the system and executing this exercise.

    00:00:54 You can also use the forum for support and discussions.

    00:00:57 Have fun.

  • www.sap.com

    © 2014 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.