HTTP service using ICF - security

mona_mehta
Participant
0 Kudos

Hello Experts,

We are developing an HTTP service to display PDF documents to customers. The link will be provided to the customer in the email and, when clicked, the PDF data returned as a response will be rendered in the client browser.

Since this service is to be used on the internet, we need to ensure that the security aspects are covered.

As far as I could understand, since this service is communicated through ICM, all the requests would be routed via Web Dispatcher, and we could build a URL filter to provide additional security.

Has anybody been a part of such an implementation, and if so, please suggest how the security could be enforced for this HTTP service.

Thanks a lot.

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

The HTTP service should only be available on HTTPS from the internet.

The user should authenticate himself, which means that he needs an ABAP user.

You can use the URL filter function of the SAP Web Dispatcher.

These are just ideas. The security requirements will be different in each company.

Regards,

Olivier

mona_mehta
Participant
0 Kudos

Thanks Olivier,

Could we just not use the SSL logon procedure and provide the logon and password at the ICF node itself?

How secure will that be?

Former Member
0 Kudos

Hi Mona,

If by "SSL logon procedure", you mean client certificate authentication, there should not be user/password set in SICF.

But a mapping will be needed between the client certificate and an ABAP user.

Setting a user/password in SICF is as secure as an open door, even if the door is armoured (SSL)...

As I said before, all of this depends on the specific security and confidentiality needed in your company for this PDF.

Regards,

Olivier

Answers (1)

0 Kudos

Hi,

Olivier is right that having SSL and proper WebService auth is crucial to reduce security risks. Besides that, you may want to consider having a Web Dispatcher placed in the border zone / DMZ. If, for some reason, you don't want to enable SSL on the ICM side (WAS), you can do SSL offload on the SAP WD side and thus will have HTTP traffic only inside your company's LAN/intranet.

Regards,

Mike

mona_mehta
Participant
0 Kudos

Thank you Olivier and Mike for your suggestions. I have rewarded you for Helpful answers.

Olivier - Could you supply some more details on the mapping of an ABAP user with a client certificate? Since I am not a basis person, I am not really sure if that will already be known by the basis person. If not, then any more details on this will be very helpful.

Thank you again.

Former Member
0 Kudos

Hi Mona,

The information is a click away in the search engine of help.sap.com!

The mapping is done in table USREXTID.

Check "Configuring the System for Using X.509 Client Certificates": http://help.sap.com/saphelp_nw70ehp1/helpdata/en/a8/d9d53a9aa9e933e10000000a114084/frameset.htm

Regards,

Olivier