ADM960 SAP NetWeaver Application Server Security. COURSE OUTLINE Course Version: 10 Course Duration: 5 Day(s)
SAP Copyrights and Trademarks 2013 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iseries, pseries, xseries, zseries, eserver, z/vm, z/os, i5/os, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, ianywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. Copyright. All rights reserved. iii
iv Copyright. All rights reserved.
About This Handbook This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. It is not suitable for self-study. Typographic Conventions American English is the standard used in this handbook. The following typographic conventions are also used. This information is displayed in the instructor s presentation Demonstration Procedure Warning or Caution Hint Related or Additional Information Facilitated Discussion User interface control Example text Window title Example text Copyright. All rights reserved. v
vi Copyright. All rights reserved.
Contents ix Course Overview 1 Unit 1: Computer Security Overview 1 Lesson: Analyzing Security Threats 1 Lesson: Evaluating the SAP System Environment 3 Unit 2: Network Basics 3 Lesson: Describing the Basics of Networks 3 Lesson: Determining the Key Points of Network Security 3 Lesson: Installing and Configuring SAProuter 3 Lesson: Installing and Configuring the SAP Web Dispatcher 5 Unit 3: Basic Security for SAP Systems 5 Lesson: Securing the Front End 5 Lesson: Setting Up User Security in SAP Systems 5 Lesson: Defining Authorizations in SAP Systems 5 Lesson: Setting Up Interface Security in SAP Systems 6 Lesson: Providing Development Protection and Applying Security Patches 6 Lesson: Monitoring SAP Systems 6 Lesson: Monitoring and Analyzing Security with SAP Solution Manager 7 Unit 4: Introduction to Cryptography 7 Lesson: Evaluating Cryptography for Security 7 Lesson: Evaluating Authentication and Digital Signatures for Security 7 Lesson: Applying Cryptography in SAP Systems 9 Unit 5: Secure Network Communication (SNC) 9 Lesson: Setting up Secure Network Communication (SNC) 11 Unit 6: Secure Socket Layer (SSL) 11 Lesson: Enabling Secure Socket Layer with SAP NetWeaver AS 11 Lesson: Enabling Secure Socket Layer (SSL) on the SAP NetWeaver AS ABAP 11 Lesson: Enabling Secure Socket Layer (SSL) on SAP NetWeaver AS Java 11 Lesson: Enabling Secure Socket Layer (SSL) on SAP Web Dispatcher and SAP Management Console Copyright. All rights reserved. vii
13 Unit 7: Authentication and Single Sign-On (SSO) Mechanisms in SAP Systems 13 Lesson: Evaluating SAP System Authentications 13 Lesson: Enabling Session Security 13 Lesson: Using Single Sign-On (SSO) viii Copyright. All rights reserved.
Course Overview TARGET AUDIENCE This course is intended for the following audiences: Technology Consultant Project Manager Systems Architect System Administrator Copyright. All rights reserved. ix
x Copyright. All rights reserved.
UNIT 1 Computer Security Overview Lesson 1: Analyzing Security Threats Analyze security threats and safeguards Lesson 2: Evaluating the SAP System Environment Identify the components of SAP Business Suite Evaluate the SAP NetWeaver Application Server (SAP NetWeaver AS) architecture Copyright. All rights reserved. 1
Unit 1: Computer Security Overview 2 Copyright. All rights reserved.
UNIT 2 Network Basics Lesson 1: Describing the Basics of Networks Describe network communication in the SAP environment Lesson 2: Determining the Key Points of Network Security Describe the important topics of network security in an SAP landscape Lesson 3: Installing and Configuring SAProuter Install and configure SAProuter Lesson 4: Installing and Configuring the SAP Web Dispatcher Install and configure the SAP Web Dispatcher using a dedicated port Copyright. All rights reserved. 3
Unit 2: Network Basics 4 Copyright. All rights reserved.
UNIT 3 Basic Security for SAP Systems Lesson 1: Securing the Front End Configure security features of SAP GUI for Windows Lesson 2: Setting Up User Security in SAP Systems Deal with the tools for user administration Name standard users Recognize different user types Lesson 3: Defining Authorizations in SAP Systems Explain authorizations in SAP systems Manage passwords in SAP systems Securely store user and password information Configure password parameters Lesson 4: Setting Up Interface Security in SAP Systems Secure Remote Function Call (RFC) communication Ensure SAP Gateway security Secure Internet Communication Manager (ICM) Ensure SAP Message Server security Copyright. All rights reserved. 5
Unit 3: Basic Security for SAP Systems Establish interface security Lesson 5: Providing Development Protection and Applying Security Patches Protect development Apply security patches Lesson 6: Monitoring SAP Systems Explore the various options of security configuration monitoring Use the security audit log Use other monitoring tools Understand the security audit logs and reports Lesson 7: Monitoring and Analyzing Security with SAP Solution Manager Obtain a landscape-wide overview of the security configuration 6 Copyright. All rights reserved.
UNIT 4 Introduction to Cryptography Lesson 1: Evaluating Cryptography for Security Evaluate cryptography for security Understand encryption Lesson 2: Evaluating Authentication and Digital Signatures for Security Evaluate the basic concepts of digital certificates and digital signatures Lesson 3: Applying Cryptography in SAP Systems Apply cryptography in SAP systems Copyright. All rights reserved. 7
Unit 4: Introduction to Cryptography 8 Copyright. All rights reserved.
UNIT 5 Secure Network Communication (SNC) Lesson 1: Setting up Secure Network Communication (SNC) Secure Dynamic Information and Action Gateway (DIAG) and Remote Function Call (RFC) communication Copyright. All rights reserved. 9
Unit 5: Secure Network Communication (SNC) 10 Copyright. All rights reserved.
UNIT 6 Secure Socket Layer (SSL) Lesson 1: Enabling Secure Socket Layer with SAP NetWeaver AS Use Secure Socket Layer (SSL) on SAP NetWeaver AS Lesson 2: Enabling Secure Socket Layer (SSL) on the SAP NetWeaver AS ABAP Enable Secure Socket Layer (SSL) on the SAP NetWeaver AS ABAP Lesson 3: Enabling Secure Socket Layer (SSL) on SAP NetWeaver AS Java Enable Secure Socket Layer (SSL) on SAP NetWeaver AS Java Lesson 4: Enabling Secure Socket Layer (SSL) on SAP Web Dispatcher and SAP Management Console Enable Secure Socket Layer (SSL) on the SAP Web Dispatcher Enable Secure Socket Layer (SSL) for SAP Management Console Copyright. All rights reserved. 11
Unit 6: Secure Socket Layer (SSL) 12 Copyright. All rights reserved.
UNIT 7 Authentication and Single Sign- On (SSO) Mechanisms in SAP Systems Lesson 1: Evaluating SAP System Authentications Describe authentication mechanisms Configure Application Server ABAP (AS ABAP) for usage of logon tickets Configure Application Server Java (AS Java) for usage of logon tickets Use X.509 client certificates Use Security Assertion Markup Language (SAML) for authentication Lesson 2: Enabling Session Security Enable session security Lesson 3: Using Single Sign-On (SSO) Use Single Sign-On (SSO) for SAP systems Copyright. All rights reserved. 13