HTTPS (SSL) for an internal application: benefits? costs?

Former Member
0 Kudos

This is a traditional SAP R/3 customer, recently upgraded to ECC (ECC 6.0, Basis 7.0). We are still using the ABAP stack only, with no plans of installing the Java stack, installing the SAP EP portal, …

A small "Web Dynpro for ABAP" (WDA) application has been developed, as an exploration into the world of WDA. It is intended for occasional users - users who rarely use the SAP system and who do not have the SAP GUI for Windows installed on their PC. It is purely an internal service (intranet) - not customer-facing, only available on the internal network.

It is currently using plain HTTP, but the question has been raised whether we should use HTTPS (in other words, set up for SSL).

What would be gained by doing this and how much would it cost?

If I understand correctly, it would enable server authentication. You would be certain that it is the genuine SAP server that is asking for your username and password, not some phishing scheme - not really a big issue on the internal network. (We could buy a server certificate from the SAP TC Trustcenter CA - 260 EUR excl. VAT.)

It would also enable client authentication. If I understand correctly, this would remove the need for username/password login, but it would require the creation of certificates for each one of those users, to be distributed to each one of them and installed in their browser. No small undertaking! This sounds like the scheme used for the "SAP Passport" in the SAP Service Marketplace.

Accepted Solutions (0)

Answers (2)

thomas_jung
Developer Advocate
0 Kudos

First, you can turn on HTTPS without the use of client certificates. These are two different things. You can have HTTPS and still use basic authentication or forms-based authentication. You could do certificates as well (which would then require HTTPS), but certificates are not a requirement if you just want to do HTTPS.

The main benefit of HTTPS is the encryption of the data as it travels through your network. With plain HTTP, anyone with a network sniffer could read any of the data across the network (including the user's password when they log in). The question probably comes back to how much you trust the security of your internal network. But you might also consider what a rogue employee could do with some basic network knowledge - mainly gaining other users' passwords.

That is also why SAP offers a hybrid approach called "switch to HTTPS for logon". This is a setting in the logon configuration of the service nodes in transaction SICF. This way you switch into HTTPS just for the logon screen. The password is sent encrypted. Then, for the application data itself, you switch back into HTTP. This way you don't pay the performance cost of encrypting all the data for every HTTP request/response.

Former Member
0 Kudos

We stick to plain HTTP for internal users.