Security Aspects for BSP

It is important to consider security aspects when you create Web applications using the BSP programming model. Security functions are available both when you create BSP applications and when you operate them.

SAP Web AS Security

For basic information about security aspects in an SAP Web AS System in which you are creating your BSP application, see Network Infrastructure and SAP Web Application Server Security.

Note

Note in particular the Configuration for SSL Support.
Furthermore, a function is provided for increasing performance in the case of multiple logons, namely the Logon Ticket Cache.

The Internet Communication Manager (ICM) receives the HTTP requests from the Internet and returns a response.

Logging on to BSP Applications

To access a BSP application, the SAP Web AS uses the HTTP framework from the Internet Communication Manager (ICF), which provides functions for Logging on to the SAP Web Application Server.

Caution

Refer in particular to Activating and Deactivating Services. For security reasons, the only services that should be active in the HTTP service tree are those that you really need. If, however, you activate nodes at a higher level, the whole part of the service tree below this level is completely open and is therefore not secure if, for example, an anonymous user is defined.

For a list of the services that have to be activated depending on their usage, see note 517484.

The predefined applications SYSTEM and SYSTEM_PUBLIC are available for creating logon procedures for your BSP application; you can use these for your own applications. For more information, see Logging onto BSP Applications.

Note

From SAP Web AS 6.40 SP1 there is also a new, simplified procedure for developing and configuring the system logon. The security aspects are also integrated into this procedure. We recommend that you use this new functionality for new applications.

For more information, see System Logon.

Accessing a BSP Application

A browser accesses your BSP application using HTTP or HTTPS. The most important aspects are summarized in Accessing a BSP Application.

Furthermore, you can determine that your BSP should always be accessed using HTTPS. For more information about defining the transmission options, see the description of the Properties of a BSP application.

Notes

Relevant SAP notes

Note Number    Title
517484         Inactive Services in the Internet Communication Framework
510007         Setting Up SSL on the Web Application Server
517860         Logging on to BSP Applications
434918         DNS Configuration for BSP Applications Under Windows 2000
420085         Logon Ticket Cache