Security

Adapter for SAP Configuration

For information on how to configure your Integration Server securely, please refer to the IBM webMethods Integration Server Administrator’s Guide for your release.

User Authentication Between Adapter for SAP and an SAP System

Authentication Through User Name and Password

When logging on through an HTTP or FTP client, standard user/password authentication is used. The user is mapped to an Integration Server session, and a service calling an SAP system is executed. This service uses the logon parameters associated with an RFC connection that likely does not reflect the identity of the original HTTP client. The user configured for the RFC Connection is usually a pool user shared among several physical users. This pooling allows for optimal performance.

If your RFC connection is configured to use SNC, a secure connection to the SAP system is established. You need to install and configure the correct sapcrypto.* library for your platform. This library supports SAP's Secure Network Communication (SNC) standard. SNC works on top of the RFC protocol.

Authentication Through X.509 Certificate

Another method for user authentication in the Integration Server is through client authentication as a part of the SSL protocol. This requires that the corresponding HTTPS listener (port) requests a Client Certificate and that the client sends a trusted certificate that is mapped to an existing Integration Server user. A certificate is considered "trusted" if it has been issued by a CA (Certificate Authority) and is listed in a local CA Certificate Directory.

It is then possible to log on to the SAP system by means of this X.509 certificate. You need to install and configure a library supporting SAP's Secure Network Communication (SNC) standard. SNC works on top of the RFC protocol. The following instructions describe the setup of this authentication method.

See Using Adapter for SAP with the SAP Cryptographic Library for SNC for more information about SNC and adapters for SAP.

Figure 1. User Authentication via X.509 Certificate
Important: For certificate-based authentication against an SAP system, SNC must be enabled both for the RFC connection defined in Adapter for SAP and on the SAP system. These settings are listed in the section Configuring Adapter Connections. For detailed information on the SAP system and RFC client settings for SNC, see the corresponding SAP documentation.
Important: The HTTPS port defined on Integration Server should have the Request Client Certificate option set for the Client Authentication field.
Important: SNC connections opened with the X.509 certificate are locked to the HTTPS session and will remain open until the HTTPS session is closed.
Tip: For more information on ports, see IBM webMethods Integration Server Administrator’s Guide for your release.

If you want to log on to an SAP system via an Integration Server using any SAP user and a certificate, you can do so by providing a trusted certificate for Integration Server.

Important: Before you can log on to Integration Server using a trusted certificate, you have to import the (personalized) client certificate for each user from a local directory into Integration Server and map it to an Integration Server user.

For validation purposes, you must also enter the path to the CA Certificate directory. The CA Certificate directory specifies the name of your local directory containing the root certificates of the CAs that this server trusts. You may specify the directory using an absolute path or one that is relative to Integration Server_directory.

When a user logs on (for example, from a Web client) using this certificate, Integration Server verifies the client certificate against the root certificates in the CA Certificate directory and then passes the client certificate, including the user name, to the SAP system. However, you must make sure that this user can access the services they want to execute in Integration Server. That is why you must map the client certificate to the corresponding Integration Server user or, alternatively, to a (standard) Integration Server user, depending on the authorizations required. If you want to execute a protected service within Integration Server, the mapped user must be allowed in the corresponding ACLs (access control lists). For more information on ACLs, see IBM webMethods Integration Server Administrator’s Guide for your release.

Example

You want to execute a service on Integration Server that retrieves sales order data from an SAP system. This service is protected by an ACL. The Integration Server user 'Sales' is registered in this ACL and allowed to execute the service. If you map the certificate to the user 'Sales', your SAP user can also execute the service. In addition, the SAP user must be authorized to execute the function modules of the corresponding function group.

To restrict the rights of the SAP logon users, create dedicated user accounts in the SAP system with the minimum necessary set of authorizations. If, for instance, Adapter for SAP is used as a pure RFC server, it performs only a few function callbacks to the calling SAP system. These callbacks are needed to determine the function interface specification. For this it is sufficient to use an SAP logon user with authorization for the following SAP standard function groups: RFC1, SDIF, SG00, SRFC.

If this user is also to be used to call other application interfaces, add the respective function groups to the authorization list. Add this authorization to the standard authorization object 'S_RFC' and create an authorization profile that contains only this authorization. When creating the SAP user, you can then assign this profile to it. For more details on authorization for SAP users, refer to the SAP documentation.

Authentication When Adapter for SAP Acts As an RFC-Server

Figure 2. Mapping SAP User to Integration Server User

If Adapter for SAP is called from an SAP system, the call is always trusted. Therefore, only the user name from the SAP system is used for the logon. This user is the user who triggered the synchronous or asynchronous call. If a user wants to execute a service protected by an ACL (access control list), this user must be entered in the corresponding ACL that allows access to this service.

Inbound calls can be secured by SNC the same way as outbound calls. To secure your inbound connection, enable SNC for your listener. See Listeners for the SNC parameters you need to configure for a secure network connection.

Tip: The default user in this user concept is called SAPUser (password: 22101999). If Adapter for SAP is called by an SAP user that does not exist within Integration Server, the system automatically switches to the default user SAPUser.

The user SAPUser is a member of the User Group SAPUsers. This group is listed in the SAPUsers ACL, which prevents unauthorized access to all Listener Notifications and Inbound Processes of the transports related to an SAP system.

The user called SAPUser, the User Group, and the ACL are created automatically when you start Integration Server and Adapter for SAP for the first time.

If an SAP user has been created in Integration Server in order to execute all Listener Notifications within Integration Server, you have to assign this user at least to the User Group SAPUsers.

Important: To prevent an SAP user that has not been created within Integration Server from using the whole authorization range of SAPUser, create this SAP user in Integration Server and assign it individually to the corresponding User Group(s) and ACL(s).
Important: The user names in Integration Server are case sensitive.

Using Adapter for SAP with the SAP Cryptographic Library for SNC

About this task

The SAP Cryptographic Library is the default security product delivered by SAP for performing encryption functions in SAP systems. You can use it to provide Secure Network Communications (SNC) between SAP system components. The sapcrypto.lib is also used to implement Single Sign-On (SSO). This section describes the procedure steps that are required to run Adapter for SAP communication using the sapcrypto.lib. For more detailed information on the installation of the sapcrypto.lib and the generation of a PSE (Personal Security Environment), see Using the SAP Cryptographic Library for SNC in the SAP Online Documentation (SAP Library).

Figure 3. Adapter for SAP Communication Using the SAP Cryptographic Library for SNC

To use Adapter for SAP with the SAP Cryptographic Library

Procedure

  1. Install the SAP Cryptographic Library (see the SAP Online Documentation).
  2. Generate a PSE (Personal Security Environment) for SNC (see the SAP Online Documentation).
  3. Create the Server's Credentials using SAPGENPSE (see the SAP Online Documentation).
  4. Exchange the security information between the communication partners (servers): see the SAP Online Documentation.
  5. Configure your Adapter for SAP and the corresponding SAP system for SNC use (see Security Options in the section Configuring Adapter Connections and Listeners).
  6. Optional: Set the SECUDIR environment variable (see the SAP Online Documentation) to point to the location of your PSE files by modifying the startup script:
    • Windows platforms: in server.bat, insert the following line after the SETLOCAL line: set SECUDIR=<pse-path>
    • Unix platforms: in server.sh, insert the following line at the very beginning: export SECUDIR=<pse-path>
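The Unix variant of step 6 can be scripted so that the setting is applied idempotently and the PSE directory is checked before the startup script is touched. This is an added example, not part of the adapter or of Integration Server; the script path, PSE directory and the SAPSNCS.pse file name used in it are constructed, and the Windows server.bat variant is not covered.

```shell
#!/bin/sh
# Added example (not part of the adapter's own scripts): set SECUDIR in an
# Integration Server startup script so the SAP Cryptographic Library finds the
# PSE files, as step 6 above describes for Unix platforms.
# The script path, PSE directory and *.pse file name are constructed here.
set -eu

# set_secudir SCRIPT PSE_DIR
# Puts "export SECUDIR=PSE_DIR" at the very beginning of SCRIPT (directly after
# a #! line if there is one) and drops any earlier SECUDIR export, so running it
# twice leaves exactly one setting. Refuses a PSE directory that does not exist
# and warns when it holds no *.pse file (the PSE file name is site-specific).
set_secudir() {
  script=$1
  pse_dir=$2
  if [ ! -d "$pse_dir" ]; then
    echo "set_secudir: PSE directory '$pse_dir' does not exist" >&2
    return 1
  fi
  set -- "$pse_dir"/*.pse
  [ -e "$1" ] || echo "set_secudir: warning: no *.pse file in '$pse_dir'" >&2
  tmp=$(mktemp)
  awk -v line="export SECUDIR=$pse_dir" '
    NR == 1 && /^#!/   { print; print line; done = 1; next }
    NR == 1            { print line; done = 1 }
    /^export SECUDIR=/ { next }      # remove a stale setting, keep a single one
    { print }
    END { if (!done) print line }    # empty script: the export is its only line
  ' "$script" > "$tmp"
  cat "$tmp" > "$script"             # keep the script's mode and ownership
  rm -f "$tmp"
}

# secudir_of SCRIPT
# Prints the SECUDIR value the script exports (empty if none); used to verify.
secudir_of() {
  sed -n 's/^export SECUDIR=//p' "$1" | head -n 1
}
```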

Installing Adapter for SAP According to Your Security Policy

Adapter for SAP can only access SAP systems for which an RFC connection alias has been created. There is no service available that allows you to execute RFC calls to SAP systems that are not defined there.

In addition to this restriction, you can also protect access to SAP systems in an intranet by installing an additional firewall between Integration Server and the SAP systems or putting Integration Server in the DMZ. You can configure the firewall to restrict which SAP systems can be accessed from Adapter for SAP through the SAP router.

Finally, you might even want to prevent the Integration Server in the DMZ from actively opening connections to an SAP system in the intranet. To do so, you need to install two Integration Servers: one in the DMZ, which is configured as an Enterprise Gateway Server, and one in the intranet. The Integration Server in the intranet establishes the connection to the Enterprise Gateway Server, whereas data still flows synchronously from the outside to the inside. For information about how to configure Integration Server as an Enterprise Gateway Server, see IBM webMethods Integration Server Administrator’s Guide for your release.