J2EE Engine Security
Providing security for the applications that run on the J2EE Engine is also an important aspect in the overall architecture of the SAP Web Application Server. You need to be able to identify the users that access the server and you need to protect access to individual resources. In addition, confidentiality is also important when dealing with sensitive information. The following topics explain how the J2EE Engine fulfills these security requirements.
· An Overview of the Security-Related Services
In this section, we briefly describe the J2EE Engine services that you need to perform the various security-related administration tasks.
In this section, we briefly describe how you can use network zones to separate your network components, in particular the J2EE Engine and the backend system.
In this section, we describe the functions available with the Key Storage service to use for key management on the J2EE Engine.
· Transport Layer Security on the SAP J2EE Engine
In this section, we describe how you can use the Secure Sockets Layer (SSL) protocol and Secure Network Communications (SNC) to secure the data communications between the SAP J2EE Engine and other components.
· Authentication on the J2EE Engine
In this section, we describe how the J2EE Engine handles user authentication and Single Sign-On.
In this section, we describe how to manage users on the J2EE Engine. This includes:
  ◦ The concept of interchangeable user stores and how to set up the active user store.
    The J2EE Engine supports two different user stores, the DBMS user store and the User Management Engine (UME). The UME is the default user store.
  ◦ User administration using the UME user administration console or the Visual Administrator.
  ◦ Using access control lists to protect resources.
In this section, we describe how to protect certain resource areas (domains) on the J2EE Engine using protection domains.
In this section, we describe how security is applied to Web services.
· Secure Storage for Application-Specific Data
In this section, we describe how to administer the secure storage area that applications can use to encrypt and store critical data such as passwords.
In this section, we describe how to view and delete active login sessions on the J2EE Engine.
When using encryption, for example, SSL, you must use a cryptographic provider, which is not supplied directly with the J2EE Engine. By default, SAP provides the SAP Cryptographic Library and the SAP Java Cryptographic Toolkit, which are available to SAP customers free of charge. For more information and to download these products, see the Download Area on the SAP Service Marketplace at service.sap.com/download.

The distribution of these products is subject to and controlled by German export regulations and is not available to all customers. In addition, the library may be subject to local regulations of your own country that may further restrict the import, use and (re-)export of cryptographic software. If you have any further questions on this issue, contact your local SAP subsidiary.
Due to import regulations in various countries, Sun Microsystems, Inc. differentiates between limited and unlimited strength cryptography in its J2SE 1.4.x packages by providing different strength policy files (limited and unlimited). By default, the limited policy files are delivered with the J2SE packages.
Therefore, to use the strong cryptography functions provided with the Secure Storage FS and SSL Provider services, you have to use the unlimited strength cryptographic functions. In this case, download and install the unlimited strength jurisdiction policy files from Sun Microsystems, Inc.

The use of these policy files may be subject to import regulations. Make sure you are allowed to use these files before you download and install them.

The policy files are available from Sun Microsystems, Inc. at java.sun.com.
