Security for SOA in Enterprises SAP NetWeaver Product Management Security June 2008


Page 1: Security for SOA in Enterprises

Security for SOA in Enterprises

SAP NetWeaver Product Management Security

June 2008

Page 2: Security for SOA in Enterprises

© SAP 2008 Page 2

Agenda

1. SOA – quick overview
2. SOA and Security in Enterprises
3. Securing SOA with SAP NetWeaver – on the road to BPM
   3.1. Access Management and User Identity Propagation
   3.2. Identity Management and User Identity Provisioning
   3.3. Trust and Key Management
   3.4. Threat and Vulnerability Management
4. Outlook

Page 3: Security for SOA in Enterprises

Enterprise SOA as the Convergence Point of Business and IT

[Figure: SAP NetWeaver integration platform. People Integration (portals that help people do their work: purchaser, production planner, accountant), Information Integration and Process Integration on top of SRM, PLM, ERP, SCM and CRM; Composite Applications built on the platform.]

Business Engineering:
- Service architecture to reduce integration costs
- Develop services with a central platform
- Innovate with a partner ecosystem

Enterprise SOA:
- Business drives IT investments
- Flexibility required to survive and grow
- Operating and innovating with a partner ecosystem

Page 4: Security for SOA in Enterprises

Harmonizing SOA in Enterprises by Evolution and by Design

[Figure: SAP NetWeaver as the common technology foundation (incl. synchronized master data) with MDM, BI, XI, the Enterprise Services Repository, the Composite Application Framework, the Composition Environment and PI; the Business Suite (ERP, SRM, SCM, CRM, PLM) and harmonized industry solutions as Enterprise SOA by Evolution; legacy content and 3rd-party solutions alongside Enterprise SOA by Design; a unified User Experience on top.]

- Seamless composition
- Common Enterprise Services Repository with harmonized Enterprise Services
- Harmonized user experience
- Plug and play partner solutions
- Unified structured and unstructured interaction model (Enterprise 2.0)
- Unified cross industry platform

Page 5: Security for SOA in Enterprises

Service Enabling Enterprise Applications

Service enabling consists of two aspects:
- From an application perspective, the SAP system provides meaningful services to prospective client applications
- From a technology perspective, the SAP system supports communication based on the Web Services standards stack

Web Service technologies: XML, XSD, WSDL, SOAP, BPEL4WS, …
Application services: Business Suite, CRM, SRM, …
Technical services: AS ABAP, AS Java

Page 6: Security for SOA in Enterprises

SAP NetWeaver as the Technology Platform for SOA
Help Customers Establish a Unified Platform for Business Process Management

SOA provisioning: stable, scalable core with SAP NetWeaver 7.0; open, standards-based; service-enabling processes, information and events
Service repository: central storage of service definitions; service modeling and top-down service creation; business process modeling, routing and mapping
Composition environment: fast paced “edge” of the business; don’t just code – compose!; lean consumption
User experience: Mobile Infrastructure (MI), Enterprise Portal (EP), Duet, Adobe Forms, …

Page 7: Security for SOA in Enterprises

Agenda (as on Page 2)

Page 8: Security for SOA in Enterprises

What Does Enterprise SOA Mean for How Security Is Done?

Integration:
- Security is no longer contained to a single system
- Scenario based security for end-to-end solutions

Evolution:
- What worked before still works
- New and “upgraded” solutions to deal with new challenges

Convenience and low TCO:
- easy to run, easy to configure, easy to design

Page 9: Security for SOA in Enterprises

Threats, Safeguards and Security Goals

Threats: SQL injection, tampering, authorization violation, denial of service, eavesdropping, cross-site scripting (XSS), repudiation, masquerading, buffer overflow, spoofing

Safeguards: security monitors, secure development, firewalls, public key infrastructure, encryption, access control

Goals: authentication, authorizations, confidentiality, integrity, non-repudiation, availability, single sign-on, auditing, identity management, governance and compliance framework

Page 10: Security for SOA in Enterprises

SAP NetWeaver Security Functionality: The Big Picture

SAP NetWeaver today provides a flexible and extensible security infrastructure for secure and compliant business processes.

Comprehensive set of integrated security functionality: manage, operate and run secure business processes on top of SAP NetWeaver
- SAP NetWeaver Identity Management
- Web-Service Security
- Authorization Management
- Enterprise SOA Security
- Encryption & Digital Signatures
- Authentication & Single Sign-On
- Front-end Security
- Compliance

Open and standards based: enables secure and interoperable integration in open environments
Ecosystem: extends security functionality to meet specific customer requirements

Page 11: Security for SOA in Enterprises

Security Policy Definition in a Classical Client-Server System Architecture

One level of integration: the application server. Security policies are “contained” within the application server.

Security for user access: user authentication and authorization checks; “webifying” user access via http(s)

Security for application processes: encapsulated in source code (“call transaction”); “webifying” process output

Page 12: Security for SOA in Enterprises

Web Services, RFCs and Distributing Application Processes

[Figure: service consumers (e.g. Portal) call service providers over http(s), RFC or SOAP, possibly through a service intermediary; the consumer has no ‘line-of-sight’ connection to the application.]

SOA application processes are inherently distributed, and the paradigm changes to “end-to-end” solutions!

Page 13: Security for SOA in Enterprises

Paradigm Change with Enterprise Services and End-to-End Security

[Figure: Service Consumer – Service Intermediary – Service Provider. Transport security = point-to-point security between neighbouring hops; message security = end-to-end security from consumer to provider.]

SOA application processes are inherently distributed: security must be applied “end-to-end”!

Page 14: Security for SOA in Enterprises

Consequences for User-Centric Security

Access Management: secure user access, security token handling, access control based on user identity
- Standards-based integration in authentication frameworks
- Secure Single Sign-On
- Secure user identity propagation via trusted systems

Identity Management: manage user identity centrally, provision user identities, federated identities
- External, centralized user management
- Externalized management of authorization assignments
- User identity supply via protocols

Page 15: Security for SOA in Enterprises

Consequences for Application Process-Centric Security

[Figure: business user, business partner / customer, service provider and the technical PI landscape.]

- System keys and trust management frameworks
- WS Security extensions
- Secure message exchanges
- Secure application development and customization
- Distributed audit framework
- Trusted system setup and hardening
- Interoperable security policy propagation via standard communication infrastructure
- Securing end-to-end application processes
- Application platform integrity protection
- Ease integration of risk and compliance controls

Page 16: Security for SOA in Enterprises

Agenda (as on Page 2)

Page 17: Security for SOA in Enterprises

Access Management and the User Identity Lifecycle in SOA

[Figure: user Bob accesses a web application Portal (service consumer), which calls a backend service provider over HTTP, SOAP, RFC or RMI; Bob’s identity travels with each hop.]

- Secure authentication or SSO of users accessing enterprise resources
- User identity propagation for access to service resources
- Authorize user access to enterprise service providers with the user‘s own role and permission assignments
- Audit user access to resources of the enterprise service provider

Page 18: Security for SOA in Enterprises

SAP NetWeaver User Authentication and SSO
Solutions for Securing User Authentication for Access to Enterprise Applications from a Web Browser

[Figure: Web Browser (User Agent) authenticating against the SAP NetWeaver Technology Platform.]

- Anonymous access: anonymous access with named anonymous users (1)
- User authentication: user ID / password; user mapping (1)
- PKI-based authentication: X.509 client certificates; rule based client authentication (2); certificate filtering (2); automated certificate mapping (2); CRL support (2)
- External authentication: SPNego (2), integrated OS authentication with Kerberos; header variables (2)
- SSO via trusted systems: SSO logon tickets; SAML (2), Security Assertion Markup Language
- Custom mechanism: JAAS login module (2), Java Authentication and Authorization Service

(1) supported with Portal
(2) supported with Portal or AS Java

Page 19: Security for SOA in Enterprises

SAP NetWeaver AS ABAP SSO
Solutions for Securing User Authentication and SSO for Access to Enterprise Applications from the SAP GUI

[Figure: SAP GUI for Windows – external security product – SAP NetWeaver AS ABAP, connected via SNC.]

- Use SNC and an external security product; authentication takes place outside of the SAP system
- Use a SAP-certified SNC product
- Also available: Windows NTLM (gssntlm.dll), Windows 2000 Kerberos (gsskrb5.dll)

Page 20: Security for SOA in Enterprises

SAP Logon Tickets: SSO via Trusted Systems for User Access from a Web Browser

[Figure: initial logon at the SAP NetWeaver Application Server (trusted system); the SSO ticket is held as a non-persistent cookie in the browser and grants access to BI, CRM, ERP, intranet, groupware and other systems.]

Page 21: Security for SOA in Enterprises

Example of an HTTP Request Containing an SSO Logon Ticket

GET /someresource HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, [ … ], */*
Referer: https://some.host.domain/some/other/resource
Accept-Language: en,de;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: nw-portal.wdf.sap.corp
Connection: Keep-Alive
Cookie: saplb_*=(J2EE6527200)6527250; PortalAlias=portal; MYSAPSSO2=AjExMDAgAA5wb3J0YWw6ZDAzMzA5OYgAE2Jhc2ljYXV0aGVudGljYXRpb24BAAdEMDMzMDk5AgADMDAwAwADTldUBAAMMjAwNTA5MDIwNjE0BQAEAAAACAoAB0QwMzMwOTn%2FAPUwgfIGCSqGSIb3DQEHAqCB5DCB4QIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHBMIG%2BAgEBMBMwDjEMMAoGA1UEAxMDTldUAgEAMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNTA5MDIwNjE0NDRaMCMGCSqGSIb3DQEJBDEWBBQ28lOiAPAV2KfBJR18ElZxaNenHzAJBgcqhkjOOAQDBC8wLQIUIaaWKYY4%2BCT26P07coHVYP63eCkCFQCLt0ERDvDKCpog89q5n%2B5ahpQQCw%3D%3D; JSESSIONID=(J2EE6527300)ID6527350DB307014776305034697End; sap-ssolist=O3I9cHdkZjA5NjJfY3BwXzQ0

The SAP Logon Ticket is represented as a cookie in the browser (MYSAPSSO2 above).

SAP Logon Tickets contain:
- User ID(s)
- Authentication scheme
- Validity period
- Issuing system
- Digital signature of the trusted issuer

The content of the SAP Logon Ticket is BASE64 encoded and signed by the trusted system that authenticated the user.

Page 22: Security for SOA in Enterprises

Security Assertions Markup Language (SAML)
SSO via Trusted Systems Across Domain and Technology Boundaries

[Figure: SAP Logon Ticket within a domain; SAML across the domain boundary.]

Interoperable security solution to allow systems integration with great ease, minimal resources and infrastructure reuse.

SAML is a security protocol for:
- encoding security related user identity information into XML “assertions”
- verifying authentication against an asserting authority, the SAML Identity Provider
- exchanging this information in a request/response fashion (similar to SSO tickets but not cookie based)

For secure message exchange SAML uses standard security protocols like SSL and XML signatures/encryption. SAML is an established OASIS standard.

Page 23: Security for SOA in Enterprises

SAML 1.1 – SSO with Browser Artifact Profile
Open, Standards-based and Interoperable Web Browser SSO via Trusted Systems for Heterogeneous Landscapes

[Figure: authenticate once at the SAML 1.1 assertion issuer (e.g. SAP NetWeaver CE 7.1 or a SAML 1.1 supporting access management product), then access CRM, ERP, intranet, groupware and other systems across the Internet.]

Flow after the initial logon:
1. Call transfer URL
2. Redirect URL + artifact
3. Request
4. Pull assertion
5. Assertion
6. Resource
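The six steps above, simulated end to end as an added example (not SAP code): an assertion issuer hands the browser a SAML 1.1 type-1 artifact in the redirect, and the target system resolves the artifact over the back channel, accepts it only once, checks the issuer’s SourceID against its trust list and enforces the assertion’s validity window. Issuer names, URLs, the user “bob” and the clock value are constructed.

```python
"""SAML 1.1 Browser/Artifact profile, simulated end to end.

Added example, not SAP code. The issuer hands the browser a type-1 artifact
(TypeCode 0x0001 || 20-byte SourceID || 20-byte AssertionHandle, Base64) and
the target system pulls the assertion over the back channel. Users, URLs
and the clock value are constructed.
"""
import base64
import hashlib
import os
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

ARTIFACT_TYPE = b"\x00\x01"
SAMPLE_NOW = datetime(2008, 6, 1, 9, 0, 0, tzinfo=timezone.utc)  # constructed clock


def source_id(issuer_name: str) -> bytes:
    """SAML 1.1 SourceID: the 20-byte SHA-1 of the issuer's name."""
    return hashlib.sha1(issuer_name.encode()).digest()


class AssertionIssuer:
    """SAML 1.1 assertion issuer (the system the user logged on to initially)."""

    def __init__(self, name: str, user_store: dict, lifetime=timedelta(minutes=5)):
        self.name = name
        self.user_store = user_store      # constructed: user id -> password
        self.lifetime = lifetime
        self.sessions = {}                # browser session cookie -> user id
        self.pending = {}                 # assertion handle -> unresolved assertion

    def initial_logon(self, user: str, password: str):
        """Initial logon with any supported mechanism; here a constructed password check."""
        if self.user_store.get(user) != password:
            return None
        cookie = base64.b64encode(os.urandom(16)).decode()
        self.sessions[cookie] = user
        return cookie

    def transfer(self, cookie: str, target_url: str, now: datetime):
        """Steps 1 and 2: the browser calls the transfer URL and is redirected with an artifact."""
        user = self.sessions.get(cookie)
        if user is None:
            return None
        handle = os.urandom(20)
        self.pending[handle] = {
            "issuer": self.name,
            "subject": user,
            "not_before": now,
            "not_on_or_after": now + self.lifetime,
        }
        artifact = base64.b64encode(ARTIFACT_TYPE + source_id(self.name) + handle).decode()
        return f"{target_url}?{urlencode({'SAMLart': artifact})}"

    def resolve(self, artifact: str):
        """Steps 4 and 5: back-channel artifact resolution; an artifact resolves exactly once."""
        raw = base64.b64decode(artifact)
        if len(raw) != 42 or raw[:2] != ARTIFACT_TYPE or raw[2:22] != source_id(self.name):
            return None
        return self.pending.pop(raw[22:], None)


class TargetSystem:
    """Destination site (e.g. a CRM system) trusting a list of assertion issuers."""

    def __init__(self, trusted_issuers):
        self.issuers = {source_id(i.name): i for i in trusted_issuers}

    def request(self, redirect_url: str, now: datetime):
        """Steps 3 and 6: the browser presents the artifact; returns the resource or a refusal reason."""
        query = parse_qs(urlparse(redirect_url).query)
        artifact = query.get("SAMLart", [""])[0]
        raw = base64.b64decode(artifact) if artifact else b""
        issuer = self.issuers.get(raw[2:22])
        if issuer is None:
            return False, "untrusted or malformed artifact"
        assertion = issuer.resolve(artifact)
        if assertion is None:
            return False, "artifact unknown or already used"
        if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
            return False, "assertion outside validity window"
        return True, f"resource for {assertion['subject']}"


def demo_flow():
    """Constructed run: normal SSO, replayed artifact, untrusted issuer, stale assertion."""
    portal = AssertionIssuer("nw-ce-portal", {"bob": "pw-bob"})
    rogue = AssertionIssuer("rogue-idp", {"bob": "pw-bob"})
    crm = TargetSystem([portal])
    cookie = portal.initial_logon("bob", "pw-bob")
    target = "https://crm.example/resource"
    url = portal.transfer(cookie, target, SAMPLE_NOW)
    first = crm.request(url, SAMPLE_NOW)
    replay = crm.request(url, SAMPLE_NOW + timedelta(seconds=1))
    rogue_url = rogue.transfer(rogue.initial_logon("bob", "pw-bob"), target, SAMPLE_NOW)
    untrusted = crm.request(rogue_url, SAMPLE_NOW)
    stale_url = portal.transfer(cookie, target, SAMPLE_NOW)
    stale = crm.request(stale_url, SAMPLE_NOW + timedelta(minutes=10))
    return [first, replay, untrusted, stale]


if __name__ == "__main__":
    for ok, detail in demo_flow():
        print("granted" if ok else "refused", detail)
```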

Page 24: Security for SOA in Enterprises

Single Sign-On and Authentication for Services

SSO information sent from a trusted service consumer via
- SOAP protocol (WS-Security) for secure interoperability and authentication/SSO in cross-vendor Web service-based enterprise applications
- Transport protocol for performance, backward compatibility and security in homogeneous service-based enterprise applications

Authentication flavors:
- WSS Username Token Profile (1): user ID and password; authenticates the service user
- WSS X.509 Certificate Token Profile (1): X.509 client certificate; authenticates the consumer system
- WSS SAML Token Profiles (1): SSO tickets; propagate the user identity

(1) supported for WS protocols only

Page 25: Security for SOA in Enterprises

User Identity Propagation for Web Services: SAML Sender Vouches Subject Confirmation and SSO Tickets
Underlies Principal Propagation with Process Integration 7.1

How it works:
- Enables access to provider-side resources by providing the consumer-side user context when sending the service request
- User identity verified by the WS provider based on the SSO token issued by the WS consumer
- User identities must be synchronized via a shared user store or user store synchronization

[Figure: client application – local SAML assertion / SSO ticket issuer – service call via logical port – service endpoint interface, steps 1 to 7; trusted system relationship based on the issuing system’s X.509 certificate.]

Page 26: Security for SOA in Enterprises

SAML Holder of Key Subject Confirmation Method for Web Services – Planned for Future Releases

Service Consumer:
1. Identify Logical Port configuration for service consumption
2. Request SAML assertion from pre-configured SAML Assertion Issuer
3. Return SAML assertion (digitally signed)
4. Send Service Request with enclosed SAML assertion

Service Provider:
5. Verify assertion‘s digital signature with system X.509 certificate of SAML Assertion Issuer
6. Use assertion for user authentication
7. Return service response on success

[Figure: client application – SAML Assertion Issuer – service call via logical port – service provider application; X.509 certificate based trust relationship.]

By decoupling the SAML identity provider from the service consumer, administrators can configure a third system to issue SAML assertions.

Page 27: Security for SOA in Enterprises

Support of SAML in the SAP NetWeaver Platform

Limitations: authorization information is not supported; authentication scenarios only; use SSL for transport security.

SAML Browser Artifact Scenario for SSO for Web Applications:

                                                   NW04   NW 7.00   NW 7.10
SAML 1.1 – Accepting SAML Assertions – Java        X      X         X
SAML 1.1 – Accepting SAML Assertions – ABAP        -      -         X
SAML 1.1 – Issuing SAML Assertions – CE Portal     -      -         X

WSS SAML Token Profiles 1.0 for Service SSO:

                                                   NW04   NW 7.00                          NW 7.10
Sender Vouches Subject – Java                      -      -                                X
Sender Vouches Subject – ABAP                      -      X (AS ABAP SP14 and higher)      X

Page 28: Security for SOA in Enterprises

Standardizing End to End SSO Scenarios on SAML

[Figure: initial user authentication with any supported solution at the SAML Identity Provider (e.g. SAP NetWeaver 7.1 CE); 1. SSO with SAML 1.1 Browser Artifact into the web application; 2. access to the resource with the WSS SAML Token Profile.]

- Initial user authentication: any supported solution
- Web browser based SSO: SAML 1.1 Browser/Artifact Profile; SSO ticket
- Web service based SSO: WSS SAML Token Profile

Page 29: Security for SOA in Enterprises

Security, Standards and Interoperability

The IEEE defines interoperability as:

“The ability of two or more systems or components to exchange information and to use the information that has been exchanged”*

* Institute of Electrical and Electronics Engineers. IEEE Standard Computer Dictionary: A Compilation of IEEE Standard Computer Glossaries. New York, NY: 1990

Page 30: Security for SOA in Enterprises

The Role of Web Service Standards for Interoperability

[Figure: Platform A (service consumer, source infrastructure) sends a message; Platform B (destination infrastructure, service provider) delivers it. The scope of Web Service standards and interoperability is the message in transit.]

Web Service standards define the format of the message in transit to guarantee the interoperable exchange between service consumer and provider on a technical level.

Web Service standards don’t specify any infrastructure- or application-specific aspects, such as
- APIs or programming languages that applications must use to send or deliver messages
- Runtime architecture and components

Page 31: Security for SOA in Enterprises

A Glimpse of the Whole Web Service Standards Stack

[Figure: standards stack with a maturity legend: early work, specification in progress, reaching maturity, approved and widely adopted specification.]

- Business Processes: BPEL4People, WS-HumanTask, WS-BPEL
- Security: WS-Security, WS-SecureConversation, WS-Trust, WS-SecurityPolicy, WS-Federation, SPML, Liberty ID-FF / SAML 2.0
- Policy and Service Description: WS-Policy, WS-PolicyAttachment, WS-MetadataExchange, WSIL, UDDI, WSDL 1.1, WSDL 2.0
- Interoperability: WS-I Basic Profile, WS-I Basic Security Profile, WS-I Reliable Secure Profile
- Management: WS-Management, WS-DistributedManagement
- Transactions: WS-Coordination, WS-AtomicTransaction, WS-BusinessActivity
- Reliable Messaging: WS-ReliableMessaging, WS-ReliableMessagingPolicy
- Messaging: SOAP 1.1, SOAP 1.2, WS-Addressing

Page 32: Security for SOA in Enterprises

WS-Security – Motivation

[Figure: SOAP message format: a SOAP Envelope containing a SOAP Header and a SOAP Body with the data.]

The SOAP protocol on its own does not provide any security mechanisms for
- message integrity & confidentiality
- authentication
- non-repudiation of origin or receipt
But: SOAP can be extended to provide additional features.

Up to the year 2002 (even now!), best practice was to secure Web Services using Secure Sockets Layer (SSL). But SSL provides transport-level, not application-level security:
- SOAP messages are secured point-to-point, not end-to-end
- Messages are stored unencrypted in files or databases at intermediaries
- Not independent of the underlying transport protocol

WS-Security was submitted to the standards body (OASIS) in September 2002 and approved as an OASIS Standard in April 2004.

Page 33: Security for SOA in Enterprises

WS-Security: Overview

The OASIS WS-Security Standard defines a new SOAP header, the WS-Security header.

This new SOAP header contains all relevant security metadata to secure a SOAP message, such as
- Security tokens to carry security information (e.g. user authentication data, X.509 certificates)
- A timestamp to protect against replay attacks
- Signatures to protect against message tampering*
- Encrypted keys and data to protect confidential information

[Figure: SOAP Envelope with the SOAP Header (WS-Security header: Security Token, Timestamp, Signature, Encrypted Key + Data) and the SOAP Body (Data).]

* The act of altering something secretly or improperly

Page 34: Security for SOA in Enterprises

WS-Security – Features (1/3)

Security tokens identifying principals and keys:

- XML token (e.g. Username token, defined by the WS-Security standard)

<wsse:UsernameToken>
  <wsse:Username>alice</wsse:Username>
  <wsse:Password>2secret4u</wsse:Password>
</wsse:UsernameToken>

- Binary token encapsulating binary objects (e.g. X.509 Certificate Token, defined by the WS-Security standard)

Timestamp:

<wsu:Timestamp xmlns:wsu=… >
  <wsu:Created>2007-10-06T12:10:01Z</wsu:Created>
</wsu:Timestamp>
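The Username token and Timestamp above, put to work as an added example (not SAP code): the consumer side builds a wsse:Security header whose UsernameToken carries a password digest instead of the clear-text password shown on the slide, following the OASIS UsernameToken Profile 1.0 rule Base64(SHA-1(nonce + created + password)); the provider side checks the timestamp window, the nonce replay cache and the digest. The user store and the clock value are constructed.

```python
"""WS-Security UsernameToken and Timestamp: build a header and verify it.

Added example, not SAP code. The token uses the OASIS UsernameToken Profile
1.0 digest rule Password_Digest = Base64(SHA-1(nonce + created + password)),
and the receiver rejects stale timestamps and replayed nonces. The user
store and clock value are constructed.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)
SAMPLE_NOW = datetime(2007, 10, 6, 12, 10, 1, tzinfo=timezone.utc)  # the slide's timestamp


def to_utc(ts: datetime) -> str:
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def from_utc(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_security_header(username: str, password: str, now: datetime, ttl=timedelta(minutes=5)) -> str:
    """Consumer side: wsse:Security with a digest UsernameToken and a wsu:Timestamp."""
    nonce = os.urandom(16)
    created = to_utc(now)
    sec = ET.Element(f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST_TYPE)
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp")
    ET.SubElement(ts, f"{{{WSU}}}Created").text = created
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = to_utc(now + ttl)
    return ET.tostring(sec, encoding="unicode")


class Provider:
    """Provider side: validates the header against a user store and a nonce cache."""

    def __init__(self, users: dict, skew=timedelta(minutes=5)):
        self.users = users        # constructed store: user id -> password
        self.skew = skew          # tolerated clock difference / freshness window
        self.seen = {}            # nonce -> token Created time (replay cache)

    def verify(self, header_xml: str, now: datetime):
        sec = ET.fromstring(header_xml)
        ts = sec.find(f"{{{WSU}}}Timestamp")
        if ts is None:
            return False, "missing timestamp"
        if from_utc(ts.findtext(f"{{{WSU}}}Created")) > now + self.skew:
            return False, "timestamp created in the future"
        if now >= from_utc(ts.findtext(f"{{{WSU}}}Expires")):
            return False, "timestamp expired"
        tok = sec.find(f"{{{WSSE}}}UsernameToken")
        if tok is None:
            return False, "missing username token"
        user = tok.findtext(f"{{{WSSE}}}Username")
        if user not in self.users:
            return False, "unknown user"
        created = tok.findtext(f"{{{WSU}}}Created")
        if abs(from_utc(created) - now) > self.skew:
            return False, "token outside freshness window"
        nonce = base64.b64decode(tok.findtext(f"{{{WSSE}}}Nonce"))
        # nonces older than the window can no longer pass the freshness check, so drop them
        self.seen = {n: t for n, t in self.seen.items() if t >= now - self.skew}
        if nonce in self.seen:
            return False, "replayed nonce"
        expected = password_digest(nonce, created, self.users[user])
        if not hmac.compare_digest(expected, tok.findtext(f"{{{WSSE}}}Password") or ""):
            return False, "bad password digest"
        self.seen[nonce] = from_utc(created)
        return True, "ok"


def demo_flow():
    """Constructed run: valid token, replay of the same token, wrong password, stale token."""
    provider = Provider({"alice": "2secret4u"})       # user and password from the slide
    header = build_security_header("alice", "2secret4u", SAMPLE_NOW)
    return [
        provider.verify(header, SAMPLE_NOW)[1],
        provider.verify(header, SAMPLE_NOW + timedelta(seconds=1))[1],
        provider.verify(build_security_header("alice", "wrong", SAMPLE_NOW), SAMPLE_NOW)[1],
        provider.verify(header, SAMPLE_NOW + timedelta(minutes=10))[1],
    ]


if __name__ == "__main__":
    print(demo_flow())
```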

Page 35: Security for SOA in Enterprises

WS-Security – Features (2/3)

[Figure: SOAP Envelope with the WS-Security header containing a Security Token (X.509 cert), a Timestamp and a Signature (SignedInfo with SignatureMethod, e.g. RSA, and References #Timestamp and #Body; SignatureValue; KeyInfo), and the SOAP Body (Data).]

Signature:
- Syntax given by the XML Signature 1.0 W3C Recommendation
- <Signature> element in the SOAP security header
- <SignedInfo> contains pointers with hash values (<Reference> children) to the signed message parts
- <SignatureValue> contains the signature (encrypted digest)
- <KeyInfo> contains a reference to the public key for signature verification

Page 36: Security for SOA in Enterprises

WS-Security – Features (3/3)

[Figure: SOAP Envelope with the WS-Security header containing an EncryptedKey (EncryptionMethod, KeyInfo, CipherData, ReferenceList with DataReference #Body), and the SOAP Body containing EncryptedData.]

Encryption:
- Syntax given by the XML Encryption 1.0 W3C Recommendation
- <EncryptedKey> contains the encrypted session key used to encrypt the data
- <KeyInfo> refers to the public key certificate used to encrypt the session key (e.g. via a unique key pair identifier)
- <CipherData> contains the encrypted secret session key
- <ReferenceList> has pointers to the encrypted message parts
- <EncryptedData> contains the encrypted payload (e.g. the message body)

Page 37: Security for SOA in Enterprises

Standards Supported by SAP NetWeaver

Security mechanisms based on mature standards to support interoperable solutions for secure partner integration.

[Figure: matrix of security standards per category, marked as Supported by SAP, Under Evaluation, Future Work, or New Feature with SAP NetWeaver 7.1.]

- Authentication: WSS Username Token Profile, WSS X.509 Token Profile, WSS SAML Token Profile (SAP NetWeaver 7.1, AS ABAP 7.0 SP 14 and higher), SAML 1.1 Browser Artifacts
- Authorization: XACML
- Provisioning: SPML, LDAP
- Message security: WS-Security
- Document security: XML Sig, XML Enc, PKCS#7, S/MIME
- Transport security: SSL/TLS, GSS
- Policy & trust: WS-Trust, WS-SecurityPolicy
- Performance: WS-SecureConversation
- Federation: SAML 2.0

Page 38: Security for SOA in Enterprises

Agenda (as on Page 2)

Page 39: Security for SOA in Enterprises

Controlling User Access with Authorization Assignments in SAP NetWeaver

[Figure: user management (users, user groups) – assignment – Portal roles – definition in Portal Content (Portal Content Directory: worksets, pages, iViews, ACLs) – end user navigation (top level navigation, detailed navigation). Business logic authorizations from AS ABAP, AS Java based or non-SAP backend systems are the input for the end user assignment and provide the authorization for the backend application UI.]

Page 40: Security for SOA in Enterprises

Portal Roles and ABAP Roles: Comparison

AS ABAP role
- Role contents: always refer to a single AS ABAP application; depend on the user’s tasks in the SAP system; SAP Easy Access Menu
- Authorizations: single roles carry authorization information as authorization objects
- Defined role types: single application roles; optional composite roles
- Admin environment: transaction PFCG (role creation and maintenance, role/user assignments, authorization generation); SAP NetWeaver IdM for business role management

Portal role
- Role contents: decoupled from the underlying application; similar to complete job descriptions, not limited to objects from SAP systems; top-level and detailed Portal navigation
- Authorizations: the content object is the authorization object; authorizations maintained in backend systems
- Defined role types: not divided into different role types; concept of “worksets” as an additional content object to ease administration
- Admin environment: web-based tools in the Portal administration environment; AS Java User Management; SAP NetWeaver IdM for business role management

Page 41: Security for SOA in Enterprises

Authorizations for Java Applications with SAP NetWeaver

Separation of the authorization concept and the application logic with the UME authorization concept.

[Figure: permissions (created as Java classes during development) are grouped into UME actions (UME XML for actions) and JEE roles (standard JEE means for JEE roles); UME roles bundle actions and are assigned to groups and users in user/role administration.]

JACC support in UME with SAP NetWeaver 7.1: JEE roles administered as UME actions.

Page 42: Security for SOA in Enterprises

Authorizations for Java Applications – Rules of Thumb

Use Java security roles when
- your code is already instrumented with JEE security roles
- your code needs to run on other Java application servers as well
- you only have one argument that has an impact on the authorization decision (a distinction in different role names is sufficient)
- you only have straightforward (most often technical) decisions to make
- you need to decouple the role definition from the application code via JEE declarative authorizations

Use the UME authorization concept when
- authorizations are complex for your applications
- the decisions are mostly business based and need to be easily adjustable afterwards
- your applications need to be able to work with decisions based on values or value ranges
- you must evaluate more than one argument to find the correct authorization decision (a distinction in different role names is not sufficient)

Tutorials available in the SAP Help Portal: AS Java Developer’s Guide > Integrating Security Functions

Page 43: Security for SOA in Enterprises

Business Roles and Technical Roles in SAP NetWeaver Identity Management

Business roles
- are defined in the Identity Center
- represent the business tasks of an employee
- are usually defined as part of a business process
- can be set up in hierarchies
- are a combination of technical roles and/or other business roles
- are usually assigned to end users

Technical roles
- represent the access information or technical authorizations (like ABAP authorization roles, UME roles, Portal roles, AD groups, …)
- are usually uploaded from the target system
- are system specific
- are usually represented as so-called “privileges” in the Identity Center

[Figure: business roles Manager, Accounting and User map to technical roles such as End user (Portal role), Accounting (ABAP role), HR manager (ABAP role), AD user and E-mail, provisioned to SAP HR, SAP FI, Active Directory, the e-mail system and the SAP Portal.]

Page 44: Security for SOA in Enterprises

SAP NetWeaver Identity Management

SAP introduces business driven identity management:
- Holistic identity management solution for both SAP and heterogeneous landscapes
- Enabling a complete compliance solution through SAP Governance, Risk and Compliance (SAP GRC) integration
- Rule based and business driven role assignments

Key deliverables:
- Central identity store
- Role assignments automated through rules and workflows
- Central monitoring and auditing of identities
- Password reset for users throughout the system landscape
- Service enabled identities
- Virtual directory server

[Figure: SAP NetWeaver Identity Management components: Password Management, Audit and Reporting, Identity Virtualization, Data Synchronization, Roles and Entitlements, Provisioning.]

Page 45: Security for SOA in Enterprises

Central Identity Store

The central store is the hub between all components in the Identity Center:
- Provisioning is based on identity data from the store
- Business roles and privileges are stored here
- Workflows are processed based on this data
- Meta directory operations keep the information up-to-date

Properties of the identity store:
- Keeps historical data and a full audit trail to support compliance
- Temporary attributes for tracking time critical values
- Roles and privileges with a definable time to live
- Events on attributes trigger workflow tasks
- Virtual attributes referring to data in external sources
- Rollback of identity data

Page 46: Security for SOA in Enterprises

Role Definition and Provisioning

Role definition (design, once):
- Read system access information (roles, groups, authorizations, …) from target systems
- Define a business role hierarchy
- Assign technical roles to business roles
- Develop rules for role assignments

Provisioning (regularly):
- Assign or remove roles to/from people, manually through workflow or automatically, e.g. HR-driven
- Automatic adjustment of master data and assignments of technical authorizations in target systems

Connectors: ABAP (BAPI from 4.6c); Java (SPML from SAP NetWeaver ’04); non-SAP (ADS, LDAP, … and more)

[Figure: business roles Manager, Accounting and User mapped to technical roles (End user Portal role, Accounting ABAP role, HR manager ABAP role, AD user, E-mail) in SAP HR, SAP FI, Active Directory, the e-mail system and the SAP Portal, as on Page 43.]

Page 47: Security for SOA in Enterprises

Auditing and Monitoring

- Application/privilege centric: who has access to the system?
- User centric: which privileges does this user have?
- Reports can be scheduled or run on request
- Off-the-shelf reporting tools can be used

Entry data: current data, historical data, timestamps, modified by, audit flags
Approval data: who approved what, and when? Who had what privilege at what time? Segregation of duties; attestation
Task audit log: which task was run on a user / by a user?
General logs

Page 48: Security for SOA in Enterprises

Identity Virtualization

The Virtual Directory Server (VDS) provides
- a single consistent view and entry point for multiple distributed identity data sources
- identity information as a service for applications through standard protocols (LDAP, DSMLv2)
- an abstraction layer for the underlying data stores

The consumer only sees one standard interface: incoming LDAP requests are transformed and connected directly to the existing data repositories. Data stays within the original data source; efficient caching.

Properties:
- Real-time access to data
- No need to consolidate data sources; no extra data store
- Quick LDAP deployment
- Easier and cheaper maintenance
- Attribute manipulation, name space modifications and complex operations on-the-fly

Page 49: Security for SOA in Enterprises

Local Identity Provisioning to SAP NetWeaver Application Server with SPML

[Figure: a provisioning system sends identity data via SPML to AS Java; AS ABAP and further AS Java systems shown alongside.]

Service Provisioning Markup Language (SPML) is an XML standard for the provisioning of identity information.
Partner products can use the interface to provision identity information to SAP NetWeaver.
SPML is supported by key Identity Management providers.

Functionality        NW04   NW 7.00 (04s)   NW 7.10 (CE)
SPML 1.0 – Java      X      X               X

SPML provides a standard interface to integrate SAP NetWeaver with third-party identity management products.

Page 50: Security for SOA in Enterprises

Agenda (as on Page 2)

Page 51: Security for SOA in Enterprises


Wizard Based Trust and Key Management in SAP NetWeaver

Generic key store (AS Java) and PSE (AS ABAP): server key management services from the platform, holding
- Server private keys
- Public system certificates of trusted communication partners (trusted systems)
- CA certificates

Centralized and web-based administration in SAP NetWeaver Administrator

Certificate and key management:
- User access via special authorization assignment
- Custom AS Java application access control to keys via code-based permissions

Trusted systems setup via dedicated UIs:
- SSO2 logon ticket configuration wizard for SSO
- SAML Browser Artifact for SSO
- SAML Token Profiles for user identity propagation in WS

“Management of cryptographic key and trust management through integrated interfaces for administrators and users”

Detailed information about use: http://help.sap.com - search keyword “System Security”

Page 52: Security for SOA in Enterprises


Agenda

1. SOA – quick overview
2. SOA and Security in Enterprises
3. Securing SOA with SAP NetWeaver – on the road to BPM
   3.1. Access Management and User Identity Propagation
   3.2. Identity Management and Provisioning
   3.3. Trust and Key Management
   3.4. Threat and Vulnerability Management
4. Outlook

Page 53: Security for SOA in Enterprises


Attack Prevention as Part of the Infrastructure

SAP NetWeaver Virus Scanning Interface
- Allows checking files or documents exchanged between SAP modules (e.g. between application servers and front-end clients)
- A third-party product (external anti-virus solution) is necessary to perform the virus scan (partner certification)
- Interface integrated in standard upload functions or called directly by application developers

XML Validation in PI 7.1
- Checks incoming and outgoing message structure against an XML schema
- PI configuration for Adapter Engine or Integration Engine
- Support for synchronous and asynchronous service messages and error handling

Output Encoding
- Encodes output streams to prevent attacks like XSS
- Integrated in the latest SAP NetWeaver standard output frameworks
- API functions available in Java and ABAP

Blacklist Filtering
- Support for regular-expression-based input filtering in the Internet Connection Manager (ICM)

Important note: the described security features cannot replace traditional security mechanisms (e.g. firewalls, DMZ). The functions are seen as an addition that enables a multi-layer defense to counter attacks that are difficult to address with standard methods or need to be addressed at the application layer.

“Integrated functionality to protect SAP NetWeaver and applications against typical attack types”

Page 54: Security for SOA in Enterprises


Scaling WS-Security Configuration: Security Templates in SAP NetWeaver

Security Policies in WSDL describe the provider's security requirements to protect the message (what must be protected).

Communication Profiles define templates for the runtime configuration of several services or service consumer proxies (how the message will be protected).

One communication profile may be assigned to multiple operations, for example when the same certificate is to be used for certificate-based authentication.

[Figure: a service consumer sends a SOAP request to a service provider and receives a SOAP response. On each side, the inbound and outbound security profile is based on a security template and is assigned to the service operations (operation(), operation(), …).]

Page 55: Security for SOA in Enterprises


Scaling Service Administration – Mass Service Configuration Example

[Figure: consumer system and provider system. Provider side: a profile/domain listing the supported authentication mechanisms: SAML (always possible), Assertion Ticket, Username/Password in message. Consumer side: consumer group “Employee Services” containing LeaveRequestOverviewService and ChangeBankDataService; accounts “Service User” and “Ticket Logon”; a destination with Ticket Single Sign-On mechanism = SAML and Service User mechanism = service user in message. Labels shown: SAP Shipment, Technical Administrator, Business Administrator.]

Example: two runtime configurations on provider and consumer side for changing own data

Provider side:
- Consumable via HTTPS
- Required authentication mechanisms: SAML, Assertion Ticket, Username/Password in message

Consumer side:
- Uses HTTPS
- LeaveRequestOverviewService uses service user authentication (the account’s service user)
- ChangeBankDataService uses SAML authentication

Page 56: Security for SOA in Enterprises


SAP Security Recommendations

Use encrypted communications (SNC / SSL)

Check/set good password rules and session timeouts

Protect OS and DB users of the SAP system

Tune authorizations for technical users to the minimum required

Enable auditing and logging (also HTTP logging)

Only enable required services and applications

Apply available patches regularly

Do not install test/demo software on productive systems, where possible

Page 57: Security for SOA in Enterprises


Secure Network Topology and Layered Defense

[Figure: network zones separated by firewalls. End user → Firewall → Outer DMZ (application gateways: pre-scan user requests for validity and known exploits) → Firewall → Inner DMZ (WebAS, Portal or other: preprocessing and validation of user input and output; the web service sits at the same level as other applications!) → Firewall → Backend networks (application server farms with R/3, ERP and DIR systems: process business logic or web service requests). An Intranet firewall is shown as well.]

Page 58: Security for SOA in Enterprises


Secure Network Topology with Encryption

[Figure: the same zones as before: Internet → Outer DMZ (application gateways) → Inner DMZ (WebAS, Portal or other, and the web service) → Backend networks (application server farms with R/3, ERP and DIR systems). Each hop is protected with SSL / GSS-API, a network IDS sensor is placed in every zone, and the sensors report to monitoring systems.]

Page 59: Security for SOA in Enterprises


Agenda

1. SOA – quick overview
2. SOA and Security in Enterprises
3. Securing SOA with SAP NetWeaver – on the road to BPM
   3.1. Access Management and User Identity Propagation
   3.2. Identity Management and Provisioning
   3.3. Trust and Key Management
   3.4. Threat and Vulnerability Management
4. Summary and Outlook

Page 60: Security for SOA in Enterprises


Security in Composition and BPM Scenarios: Example System Setup – Focus on Application and Service Level Security

[Figure: SAP NW 7.1 CE with the NW CE consumer tools and the NW CE Portal on top of a service layer (SEI, LP), connected to NW Portal 7.0 via FPN. SAP providers and non-SAP providers expose service definitions (SEI) and are called over SOAP; some calls use a service user, others use user ID propagation. Identity management (e.g. SAP NetWeaver Identity Management) is attached to the landscape.]

Page 61: Security for SOA in Enterprises


Setting Up Security for SOA Applications

Integrated security functions of the SAP NetWeaver platform (JAAS, GSS-API, ICM, UME, key management, virus scanning …)

Service Security: message authentication; service guarantees: confidentiality, integrity, aging

Service Optimization: WS-Secure Conversation, WS-Security Policy, WS-Trust

Application Security: authentication check, authorization check

System Security: trust configurations, destinations, user identities, identity provisioning

Infrastructural safeguards (firewalls, proxy servers, network zones, …)

Page 62: Security for SOA in Enterprises


Best Practices for Service Provisioning

Provider service layer
- Define the authentication requirement (in SEI only): service user or user client authentication – user ID or certificate; propagate the consumer user ID – logon ticket or SAML token profiles
- Define service guarantees (in definition/SEI): confidentiality (SSL / XML encryption), integrity (SSL / XML signature), …
- Set up routed service call via proxy

Provider application
- Define the access control check in the method/function of the application
  - Programmatic: UME, JEE, ABAP (authority-check)
  - Declarative: JEE

Provider system
- Synchronize or provision authorization information (roles and ACLs) to centralized user identity management for the landscape
- Provide access to system public keys for service access / guarantee

[Figure: consumer application → consumer LP → provider SEI → service implementation]

Page 63: Security for SOA in Enterprises


Best Practices for Service Consumption

Consumer service layer
- Acquire based on WS-Security Policy definitions in WSDL

Consumer application
- Define the web access authentication configuration; ticket template for SSO
- Define the access control check in the method/function of the application
  - Programmatic: UME, JEE, ABAP
  - Declarative: JEE, UI, Portal role

Consumer system
- Configure user authentication or SSO
- Assign provider roles to users: local user management, or provision from SAP NetWeaver IdM
- Define the service destination to the provider
- Exchange system certificates with the provider

[Figure: consumer application → consumer LP → provider SEI → service implementation]

Page 64: Security for SOA in Enterprises


Runtime Security in Composite and BPM Applications

[Figure: CE consumer tools and the CE Portal call provider service implementations either directly through LP / SEI or through Process Integration (routing, mapping, BPM) via SEI adapter / LP; a user “Bob” is labelled on both the consumer and the provider side, and “Deploy” marks deployment of the BPM application to its target system.]

System Security
- Set up trust to providers / service brokers
- Set up destinations to providers with optional logon information

Application Security
- Authentication configuration in the ticket policy configuration
- UI authorization via portal roles and business roles
- Logic flow authorization with JEE and UME concepts
- Composite applications: register BO operations for ACL check and use the server CAF authorization tool to map ACLs to roles
- BPM applications: provision identity information from the deploy target system over SPML

Service Security
- Transport-level security for homogeneous service provider landscapes, message-level security for heterogeneous service provider landscapes
- Principal propagation to manage service provider access based on user identities with authentication, authorization and audit

Page 65: Security for SOA in Enterprises


The SAP Advantage: An Integrated Solution for Business and IT

- Integrated platform approach supports a comprehensive enterprise SOA strategy built on SAP’s open platform
- Seamlessly links IDs with business roles, for smoother process integration
- Powerful synchronization and virtualization, plus integration with core processes and information in enterprise systems
- Standards-based and centralized security functions for secure operation and enterprise service governance

Page 66: Security for SOA in Enterprises


SAP NetWeaver: Security Solutions for Enterprise SOA

REQUIREMENT → SAP NETWEAVER

Empower business users
- Delegated user and content administration with centralized Identity Management for landscapes
- Support for flexible service and user authentication and SSO options

Simplify administration and ensure business continuity with lower TCO
- Integrated security administration in standardized and wizard-based interfaces for admin users
- SAP NetWeaver Identity Management
- Industry standards-based security solutions

Native support for interoperable and flexible security solutions based on open standards
- JAAS, SAML, SPML, GSS API
- WS-Security¹, WS-Secure Conversation¹
- WS-Policy and WS-Security Policy, WS-Reliable Messaging¹

Security solutions for enterprise service oriented architectures and process integration
- WS-Security, WS-Security Extensions¹
- SAML Browser Artifacts and WSS SAML Token Profiles¹
- Service Repository and Composites Security

Infrastructure-based protection of SAP NetWeaver applications against common attacks
- Access control and secure key management
- Virus Scanning interface, Output Encoding, Blacklist filtering, XML Schema Validation

“SAP NetWeaver provides security solutions as an integrated platform service to meet requirements of diverse enterprise environments”

¹ Support for XML Signatures, Username and Certificate token profiles in SAP NetWeaver 7.0. Support for XML Encryption and SAML Token Profiles in the application server with SAP NetWeaver 7.10 and SAP NetWeaver 7.0 AS ABAP SP 14 and higher.

Page 67: Security for SOA in Enterprises


Security Roadmap Highlights

Timeline: 2007/2008 – 2009 – 2010 and beyond

Tracks: Role & Authorization Mgmt., Identity Management, Enterprise SOA and Standards, Security Management

Roadmap items:
- Meta-roles definition and assignment
- Enhanced support for WS-* standards
- Central Identity Management for heterogeneous landscapes
- Centralized policy-based security administration
- Identity federation support (SAMLv2)
- Standards-based single sign-on infrastructure (SAML)
- Standards-based principal propagation
- Harmonization of security administration
- Role management simplification and TCO reduction
- Business process integrated identity management
- Business role management
- Harmonized authorization concepts
- Extended SOA scenario support
- Model driven security management
- Additional WS-* standards (WS-Secure Conversation, WS-Trust)

Page 68: Security for SOA in Enterprises


Copyright 2008 SAP AG. All Rights Reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, SAP Business ByDesign, ByDesign, PartnerEdge and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned and associated logos displayed are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

Distribution and reproduction of this publication or parts thereof, for whatever purpose and in whatever form, are not permitted without the express written consent of SAP AG. Information contained in this publication may be changed without prior notice.

Some software products distributed by SAP AG and its distribution partners may contain software components that are the property of other software manufacturers.

SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, SAP Business ByDesign, ByDesign, PartnerEdge and other SAP products and services mentioned in this document, as well as their respective logos, are trademarks or registered trademarks of SAP AG in Germany and in several other countries worldwide. All other names of products and services mentioned in this document, and the company logos associated with them, are trademarks of their respective companies. The information in the text is non-binding and serves informational purposes only. Products may have country-specific differences.

The information contained in this publication is the property of SAP. Distribution and reproduction of this publication or parts thereof, for whatever purpose and in whatever form, are permitted only with the express written consent of SAP AG. This publication is a preliminary version that is not subject to your valid license agreement or other agreements with SAP. This publication contains only intended strategies, developments and functions of the SAP® product. SAP incurs no obligation from this publication to any particular business or product strategy and/or particular developments. This publication may be changed by SAP at any time without prior notice.

SAP assumes no liability for errors or omissions in this publication. Furthermore, SAP gives no guarantee for the accuracy or completeness of the information, text, graphics, links and other elements contained in this publication. This publication is provided without any warranty, either express or implied. This applies, among other things but not exclusively, to the warranty of merchantability and fitness for a particular purpose and to the warranty of non-infringement of applicable law. SAP is not liable for damages incurred. This applies, among other things and without restriction, to specific, special and indirect damages or consequential damages that may arise from the use of these materials. This limitation does not apply in cases of intent or gross negligence.

The statutory liability for personal injury or product liability remains unaffected. The information that you may access via the hotlinks contained in this material is not under SAP’s control, and SAP does not endorse your use of third-party websites and gives no warranties or assurances whatsoever regarding third-party websites.

All rights reserved.