03-22-2007 9:14 PM
Hi All,
I have a scenario here: we are trying to access a 3rd party site to retrieve some invoice information, but the data is very sensitive, so the vendor requires a very secured way of accessing their site to get that information.
Our first bet would be to use AppIntegrator iView, but in order for us to access the vendor site and retrieve the appropriate invoice we need to provide certain parameters to get the appropriate data.
And we can provide those values using the "User Template Fraction for User Mapping" property of the AppIntegrator iView.
But the problem here is that it is not really secured: the URL hides the values, but the values can be sniffed easily using any available URL sniffer/HTTP sniffer software.
I hope someone might have come across this situation before. I would greatly appreciate any thoughts or ideas you may have.
Thanks,
kk
03-23-2007 12:38 PM
03-23-2007 3:04 PM
What kind of attack are you concerned about? You have mentioned that "sensitive data" will be transmitted. That sounds like the usage of SSL / HTTPS is strongly advised.
If the 3rd party site also supports X.509 client authentication you could use this for authentication (rather than using UID/PWD).
What you describe sounds different from what has been discussed in a .
Best regards,
Wolfgang
04-02-2007 5:33 PM
Hi Wolfgang,
Thanks for your response.
My main concern is that when a request with certain acct# and invoice# parameters is made to the CompanyB site to retrieve the invoice information, the URL hides the values, but the values can be sniffed easily using any available URL sniffer/HTTP sniffer software.
Someone on SDN recommended setting up HTTPS on the System, so I tried setting up HTTPS for the system property "Protocol of Target System" and passing the values by POST, but all the iViews using this System were failing, so I had to change it back to HTTP.
The 3rd party site currently does NOT support X.509 client authentication. What are the steps they need to perform at their end in order to support X.509?
Since we will be retrieving the invoice info from CompanyB, technically CompanyB will be the issuer and we will be the client? So in this scenario, how do we set up X.509 at both ends?
Thanks for any suggestions.
kk
04-03-2007 7:24 AM
Does the remote system support HTTPS (just try to access the URL using the browser)?
Is the server key self-signed?
Is the CA in your list of trusted CAs?
Regards,
Patrick
04-03-2007 4:03 PM
Patrick,
I am still researching to find out the best way of achieving my objective, so I am not sure about your question related to the CA.
And I assume the remote system supports HTTPS.
Thanks,
kk
04-03-2007 4:19 PM
Hi kk,
In essence, what happens is that the user will get a response from the server telling the browser to open an iView from the 3rd party system. See also this doc for more details: http://help.sap.com/saphelp_nw2004s/helpdata/en/70/5a3842134bad04e10000000a1550b0/frameset.htm
So what should be done is protecting all this traffic by SSL (HTTPS). Can you access both the portal and the 3rd party system using HTTPS?
Regards,
Patrick
04-03-2007 6:39 PM
Hello Patrick,
Thanks for your response.
Hmm... there is some confusion. Here is the scenario: we will be the "client" retrieving an invoice from a 3rd party company (which is a non-SAP system) by passing parameters such as Acct# and Invoice# in the App Integrator iView, but the 3rd party company is asking us to make a secure connection to their site.
We plan to use the App Integrator iView and the System Alias to make a connection to the 3rd party website. Within the System, if I select HTTPS as the transport protocol then the iView is NOT working, but with HTTP and POST the values can easily be sniffed using HTTP sniffer or URL sniffer software.
No, I cannot access the portal using HTTPS.
Appreciate any suggestions.
Thanks
04-04-2007 9:22 AM
Hi kk,
Please see my previous post: the app integrator only provides a link to the 3rd party system to the browser of the user, but will not make the portal communicate with the system itself directly, if you use an HTTP system as target.
If you want to connect to the 3rd party system from within a portal application over SSL, you have to make sure the remote system's SSL key or CA cert is in the list of trusted certs of the portal and the hostname of backend and matches the name.
Regards,
Patrick
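
The checks raised in this thread (does the remote system answer on HTTPS, is its key self-signed, is the issuing CA trusted, does the certificate match the hostname) can be run from any machine with Python. This is an added example, not part of the thread; `vendor.example` is a placeholder hostname, and the script checks against Python's default trust store or a CA file you supply, not the portal's own list of trusted certificates.

```python
import socket
import ssl
import sys

# OpenSSL verification result codes (X509_V_ERR_*) mapped to the thread's questions.
VERIFY_HINTS = {
    10: "certificate has expired",
    18: "server certificate is self-signed; import it as trusted or have it CA-signed",
    19: "chain ends in a self-signed root that is not in the trust store",
    20: "issuing CA is not in the trust store",
    62: "certificate does not cover the hostname used to connect",
}

def strict_context(cafile=None):
    """Client context that verifies both the chain and the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile=None: system CAs
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def explain(verify_code):
    """Turn an OpenSSL verify code into a hint an administrator can act on."""
    return VERIFY_HINTS.get(
        verify_code, f"verification failed (OpenSSL code {verify_code})")

def probe(host, port=443, cafile=None, timeout=10):
    """Return (ok, detail) for an HTTPS endpoint without sending any request."""
    ctx = strict_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                name = issuer.get("commonName") or issuer.get("organizationName")
                return True, f"{tls.version()} verified, issuer={name}"
    except ssl.SSLCertVerificationError as exc:
        return False, explain(exc.verify_code)
    except ssl.SSLError as exc:
        return False, f"TLS handshake failed: {exc.reason}"
    except OSError as exc:
        return False, f"no connection on port {port}: {exc}"

if __name__ == "__main__":
    # vendor.example is a placeholder; pass the real hostname as an argument.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "vendor.example"))
```

A `True` result only shows that the endpoint presents a certificate this machine trusts; the portal's trust list still has to contain the same CA for a server-side connection to succeed.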