Security mechanism

Former Member
0 Kudos

What is the security mechanism in XI, and where is it used?

Accepted Solutions (0)

Answers (4)

Former Member
0 Kudos

Hi,

SSL Configuration

You need to setup SSL layer for HTTPS endpoint.

Possible HTTP security levels are (in ascending order):

HTTP without SSL

HTTP with SSL (= HTTPS), but without client authentication

HTTP with SSL (= HTTPS) and with client authentication

HTTPS comes in two flavors, both ensuring the confidentiality of data sent over the network

● Server authentication

Only the HTTP server identifies itself with a certificate that is to be verified by the client.

● Client authentication

Additionally, the HTTP client identifies itself with a certificate that is to be verified by the server.

Please go through the link below for reference (the above information is from that link)

Step by step guide for SSL security

Also read thru this link for message level security - https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba68...

http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm

http://help.sap.com/saphelp_nw04/helpdata/en/ff/7932e4e9c51c4fa596c69e21151c7d/content.htm

http://help.sap.com/saphelp_nw04/helpdata/en/13/4a3ad42ae78e4ca256861e078b4160/content.htm

http://help.sap.com/saphelp_nw04/helpdata/en/3a/7cddde33ff05cae10000000a128c20/content.htm

http://help.sap.com/saphelp_nw04/helpdata/en/0a/0a2e0fef6211d3a6510000e835363f/content.htm

General guide

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a09f3d8e-d478-2910-9eb8-caa6516d...

Message level security

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba68...

Regarding message level you can encrypt the message using certificates.

For both of these, the Basis team has to deploy the relevant certificates in the XI ABAP stack or Java stack.

Generally, if the scenarios are intra-company, we don't use any transport level or message level security since the network is already secured.

Check the following links.. you will get the information all about the securities...

http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/content.htm

Also find some information in these links

http://help.sap.com/saphelp_nw2004s/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm

/people/aparna.chaganti2/blog/2007/01/23/how-xml-encryption-can-be-done-using-web-services-security-in-sap-netweaver-xi

Thanks

Swarup

former_member537867
Active Contributor
0 Kudos

Hi Shiva,

Basically security will be provided by installing certificates and configuring SSL:

1) Certificate needs to be imported in visual admin.

2) In your receiver cc...select configure certificate authentication...from the dropdown..select your certificate..and save ..activate..and if your target sys already has the certificate..you are good to go..

Principal Propagation in SAP XI

/people/alexander.bundschuh/blog/2007/01/16/principal-propagation-in-sap-xi

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/808d3048-638c-2a10-35a6-faa48e50...

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/808d3048-638c-2a10-35a6-faa48e50...

/people/sap.user72/blog/2004/11/30/user-mapping-based-single-sign-on

http://help.sap.com/saphelp_nw04/helpdata/en/32/1c1041a0f6f16fe10000000a1550b0/frameset.htm

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/69d95112-0d01-0010-8297-fa31feea...

also you could provide SSL Configuration across the firewall

You need to setup SSL layer for HTTPS endpoint.

Possible HTTP security levels are (in ascending order):

HTTP without SSL

HTTP with SSL (= HTTPS), but without client authentication

HTTP with SSL (= HTTPS) and with client authentication

HTTPS comes in two flavors, both ensuring the confidentiality of data sent over the network

Please refer to the following links:

http://help.sap.com/saphelp_nw04/helpdata/en/ff/7932e4e9c51c4fa596c69e21151c7d/frameset.htm

http://help.sap.com/saphelp_nw04/helpdata/en/d4/d12940cbf2195de10000000a1550b0/frameset.htm

Regards,

Vinod.

Former Member
0 Kudos

Hi,

The XI security mechanism is perfectly designed: each and every message that is sent through XI is encrypted and then sent.

HTTP and SSL

All XI runtime components using the HTTP protocol support the encryption of the HTTP data stream by means of the SSL protocol, also known as HTTPS. HTTPS data streams are completely transparent to the Exchange Infrastructure.

To enable an HTTPS connection, two steps are required:

1. Both parties of an HTTP connection (that is, the HTTPS client and the HTTPS server) must be technically enabled.

2. The internal XI communications and the messaging communications must be configured in XI to use these HTTP connections.

In addition, for certain adapters you can enforce HTTP security for incoming messages.

Technically Enabling SSL

Whenever a hardware or software component is to be enabled for SSL, the client and the server part of an HTTP connection have to be enabled differently. Moreover, the technical configuration for HTTPS is different for XI ABAP and J2EE components. For more information, see Transport Layer Security.

HTTPS comes in two flavors, both ensuring the confidentiality of data sent over the network

● Server authentication

Only the HTTP server identifies itself with a certificate that is to be verified by the client.

● Client authentication

Additionally, the HTTP client identifies itself with a certificate that is to be verified by the server.

A general prerequisite for using HTTPS in both the ABAP and the J2EE stack of the SAP Web Application Server (AS) is that the SAP Cryptographic Library is installed on the SAP Web AS. In addition, certificates (for example an X.509 certificate) must be used that have been issued by a company-internal Certification Authority (CA), or by an external trusted CA such as Thawte, Verisign, or TC Trustcenter.

In both ABAP and J2EE components, HTTPS server authentication is enabled as follows:

● Use transaction STRUST to set up an SAP Web AS ABAP engine as HTTPS server. If not already done, you have to import a certificate generated by a trusted CA identifying the SAP Web AS. In addition, you have to enable the HTTPS port in the ICM (Internet Communication Manager).

● Use transaction STRUST to set up an SAP Web AS ABAP engine as HTTPS client. If not already done, you have to import the certificate of the CA of the HTTPS server's certificate. For an actual HTTPS connection, you have to use the HTTPS port of the server in a corresponding HTTP destination and you have to configure this HTTP destination for using SSL with the corresponding client certificate.

● Use the J2EE Visual Administrator to set up an SAP Web AS J2EE engine as HTTPS server. If not already done, you have to import a certificate generated by a CA identifying the SAP Web AS into the keystore named service_ssl in the Keystore service. In addition, you have to assign this certificate in the SSL Provider service.

● Use the J2EE Visual Administrator to set up an SAP Web AS J2EE engine as HTTPS client. If not already done, you have to import the certificate of the CA of the HTTPS server's certificate into the J2EE engine's keystore view named TrustedCAs.

In the case of a client authentication, the HTTPS client must also have a certificate generated by a CA for self-identification. For validating the HTTPS client's certificate, the HTTPS server must have a corresponding CA certificate that validates this certificate. After validation of the client's certificate, the server maps the certificate to an actual system user executing the HTTP request.

The mapping of the certificate differs for the ABAP part and the Java part of the SAP Web AS. For more information, see Configuring the System for Using X.509 Client Certificates or Maintaining the User's Certificate Information, respectively.

Configuring SSL for XI Communication

XI uses HTTP for technical communication and for most of the messaging communication (for example, for the XI protocol). For an overview of all communications, see Communication.

As outlined in the previous section, all components using HTTPS connections must be technically enabled first.

In a logical system consisting of several physical application servers, each application server must be individually HTTPS-enabled and must have installed its own certificate.

Configuring SSL for Message Exchange

As described under Service Users for Message Exchange, there are four types of incoming and outgoing connection types: (s1) to (s4) and (r1) to (r4). Connection types (s2), (s3), and (r3) use internal connections between the Integration Server and the Adapter Engines. All connections (provided they are HTTP connections) can be secured by HTTPS as follows:

● (s1)

The HTTP destination from the ABAP application system to the Integration Server must be configured as HTTPS.

● (s3)

The external sender must use an HTTPS connection to the Adapter Engine.

● (s4), (r1), (r2), and (r4)

The corresponding Integration Directory channel must be configured as an XI 3.0 protocol using HTTPS.

● (r3)

The corresponding Integration Directory channel to the external receiver must be configured as a corresponding adapter protocol using HTTPS.

● Internal communication between Integration Server and Adapter Engines: (s2), (s3), and (r3).

The following exchange profile parameters must be set:

○ com.sap.aii.connect.secure_connections = messaging

○ com.sap.aii.connect.integrationserver.httpsport

○ com.sap.aii.connect.integrationserver.r3.httpsport

The HTTPS configuration data of the Adapter Engines is maintained in the SLD. It is automatically updated by a self-registration mechanism of the Adapter Engine.

For more information on profile parameters, see Exchange Profile Parameters in the SAP Exchange Infrastructure Configuration Guide.

● The connection from the J2SE Adapter Engine is described under Adapter-Specific Security Configuration.

Configuring SSL for Technical Communication

You can also stipulate that SSL is used for all internal technical communication by setting the following exchange profile parameter:

● com.sap.aii.connect.secure_connections = all

You also have to correctly set the httpsport parameter for all XI components in the exchange profile. This implicitly sets SSL for messaging as well.

For information on how to secure the technical HTTP connection to the System Landscape Directory, see SAP Note 766215.

Enforcing HTTP Security for Incoming Messages

You can define a security level for incoming messages handled by certain HTTP-based sender adapters. Use the appropriate sender communication channels in the Integration Directory for this purpose.

The supported HTTP-based adapters are:

● On the Integration Server:

○ XI protocol

○ Plain HTTP adapter

● In the Adapter Engine:

○ SOAP adapter

○ RNIF adapters

○ CIDX adapter

Possible HTTP security levels are (in ascending order):

● HTTP without SSL

● HTTP with SSL (= HTTPS), but without client authentication

● HTTP with SSL (= HTTPS) and with client authentication

When you define one of these security levels for a sender channel, only those messages that have been sent by using an HTTP connection with at least this security level are accepted by the Integration Server or Adapter Engine. If the security level of the HTTP connection is lower than the one defined for the sender channel, messages are rejected with an HTTP error. See also SAP Note 891877.

If found worthwhile, please do the required.

Thanx

Sampath
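
As an added example (not part of the answer above and not SAP code), the following Python sketch audits the exchange profile parameters quoted in that answer for consistency. It assumes the parameters have been copied by hand into plain `key = value` lines, which is not an SAP export format, and that each component's plain-HTTP port key ends in `.httpport`; the `examplecomponent` key is hypothetical.

```python
import re

# Parameter names as quoted in the answer above.
SECURE = "com.sap.aii.connect.secure_connections"
MESSAGING_PORTS = (
    "com.sap.aii.connect.integrationserver.httpsport",
    "com.sap.aii.connect.integrationserver.r3.httpsport",
)

def parse_profile(text):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params

def valid_port(value):
    return bool(re.fullmatch(r"\d{1,5}", value or "")) and 0 < int(value) <= 65535

def audit(params):
    """Return a list of findings; an empty list means the settings agree."""
    mode = params.get(SECURE, "")
    if mode not in ("messaging", "all"):
        shown = repr(mode) if mode else "unset"
        return [f"{SECURE} is {shown}: internal HTTP is not switched to SSL"]
    required = set(MESSAGING_PORTS)
    if mode == "all":
        # Assumption: every '<component>.httpport' key needs a matching
        # '<component>.httpsport' once all technical traffic must use SSL.
        for key in params:
            if key.endswith(".httpport"):
                required.add(key[: -len("httpport")] + "httpsport")
    return [f"{key} missing or not a valid port"
            for key in sorted(required) if not valid_port(params.get(key))]

# Constructed sample values, not taken from a real system.
SAMPLE = """\
com.sap.aii.connect.secure_connections = all
com.sap.aii.connect.integrationserver.httpport = 8000
com.sap.aii.connect.integrationserver.httpsport = 8443
com.sap.aii.connect.integrationserver.r3.httpsport =
com.sap.aii.connect.examplecomponent.httpport = 50000
"""

if __name__ == "__main__":
    for finding in audit(parse_profile(SAMPLE)):
        print(finding)
```
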

Former Member
0 Kudos