on 11-08-2011 1:10 PM
Hello Experts,
We are developing an HTTP service to display PDF documents to customers. The link will be provided to the customer in an email,
and when clicked, the PDF data returned as the response will be rendered in the client browser.
Since this service is to be used on the internet, we need to ensure that the security aspects are covered.
As far as I could understand, since this service is communicated through the ICM, all the requests would be routed via the
Web Dispatcher, and we could build a URL filter to provide additional security.
Has anybody been a part of such an implementation, and if so, please suggest how the security could be enforced to this HTTP service.
Thanks a lot.
Hi,
The HTTP service should only be available on https from the internet.
The user should authenticate himself, which means that he needs an ABAP user.
You can use the URL filter function of the SAP Web Dispatcher.
These are just ideas. The security requirements will be different in each company.
Regards,
Olivier
Hi Mona,
If by "SSL logon procedure" you mean client certificate authentication, there should not be a user/password set in SICF.
But a mapping will be needed between the client certificate and an ABAP user.
Setting a user/password in SICF is as secure as an open door, even if the door is armoured (SSL).
As I said before, all of this depends on the specific security and confidentiality needs of your company for this PDF.
Regards,
Olivier
Hi ,
Olivier is right that having SSL and proper web service authentication is crucial to reduce security risks. Besides that, you may want to consider
having a Web Dispatcher placed in the border zone / DMZ. If, for some reason, you don't want to enable SSL on the ICM side (WAS), you can do SSL offload on the SAP WD side and thus have HTTP traffic only inside your company's LAN/intranet.
Regards,
Mike
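Putting the suggestions in this thread together (HTTPS only towards the internet, SSL termination on a Web Dispatcher in the DMZ, a URL filter so that only the PDF service is reachable, and an X.509 client certificate that the backend maps to an ABAP user), here is an added example of a Web Dispatcher profile excerpt and permission table. It is not from the original posts or from SAP documentation: the SID, hostnames, ports, PSE path and the `/sap/bc/zpdf/` service path are assumptions, and the parameter names are written from memory of Web Dispatcher 7.x and must be checked against the release actually in use.

```ini
# ---- Web Dispatcher instance profile (excerpt; added example, all values assumed) ----

# Open only an HTTPS listener towards the internet; no plain HTTP port at all.
icm/server_port_0 = PROT=HTTPS,PORT=443

# Server PSE holding the Web Dispatcher's own certificate (path assumed).
ssl/server_pse = $(DIR_INSTANCE)/sec/SAPSSLS.pse

# Request an X.509 client certificate from the browser
# (0 = none, 1 = requested but optional, 2 = required).
icm/HTTPS/verify_client = 2

# Backend ABAP system, located via its message server (SID/host/port assumed).
wdisp/system_0 = SID=PRD, MSHOST=prdci.corp.example, MSPORT=8100, SRCSRV=*:443

# SSL offload as Mike describes: 0 = forward to the backend over plain HTTP.
# (1 = HTTPS to the backend when the client used HTTPS, 2 = always HTTPS.)
wdisp/ssl_encrypt = 0

# Because SSL is terminated here, hand the client certificate to the backend
# ICM as a header so the ABAP system can map it to a user via table USREXTID.
icm/HTTPS/forward_cert_as_header = true

# URL filter: every request under "/" is checked against the permission table.
icm/HTTP/auth_0 = PREFIX=/, PERMFILE=$(DIR_INSTANCE)/sec/ptab.txt


# ---- $(DIR_INSTANCE)/sec/ptab.txt (added example, paths assumed) ----
# One rule per line, evaluated top-down, first matching pattern wins (as I
# understand the permission table; confirm with your release's documentation).
#   S <pattern>  permit only when the request arrived over SSL
#   P <pattern>  permit
#   D <pattern>  deny
#
# Only the PDF service is reachable from the internet; everything else
# (WebGUI, SOAP runtime, public test services, ...) is refused at the edge.
S /sap/bc/zpdf/*
D *
```

Two caveats a practitioner would check before going live. First, with `wdisp/ssl_encrypt = 0` the hop between the Web Dispatcher and the ICM is plaintext, and the certificate now travels as a header; the backend must therefore only accept that header from the Web Dispatcher (on the ABAP side this is done with the `icm/HTTPS/trust_client_with_issuer` / `icm/HTTPS/trust_client_with_subject` parameters, again from memory) and the ICM's HTTP port must not be reachable from anywhere except the DMZ host, or anyone on the LAN could present an arbitrary certificate header. Second, the permission table is a path filter, not authentication: it only narrows what is exposed, so the SICF node for `/sap/bc/zpdf/` still needs its logon procedure set to client certificates and no stored user/password, as Olivier says.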
Thank you Olivier and Mike for your suggestions. I have rewarded you for helpful answers.
Olivier - Could you supply some more details on the mapping of an ABAP user to a client certificate? Since I am not a Basis person, I am not really sure if that will already be known by the Basis person. If not, then any more details on this will be very helpful.
Thank you again.
Hi Mona,
The information is a click away in the search engine of help.sap.com !
The mapping is done in table USREXTID.
Check "Configuring the System for Using X.509 Client Certificates": http://help.sap.com/saphelp_nw70ehp1/helpdata/en/a8/d9d53a9aa9e933e10000000a114084/frameset.htm
Regards,
Olivier