SAP Web AS Security Guide for Java Technology 
This guide provides an overview of the security aspects and recommendations that apply when you use the Java technology provided with the SAP Web AS in your applications.
There is also a SAP Web AS Security Guide for ABAP Technology.
This guide does not describe the administration or development functions for security on the SAP J2EE Engine. Such information is provided in the Administration Manual and Development Manual respectively. This guide provides only the additional information that applies to specific scenarios or application types.
This guide is divided into the following sections:
· Overview of Security for Java Application Types
This topic provides an overview of the application types (either access using a Web interface or using remote objects) on the SAP Web AS Java and the security aspects involved.
This section describes security aspects involved with managing, authenticating, and monitoring users.
This topic provides a very brief overview of the security role concept on the SAP J2EE Engine. More information is provided in the security documentation for the SAP J2EE Engine.
· Network Security for the SAP J2EE Engine
In this section, we provide an overview of the protocols used by the SAP J2EE Engine, as well as the corresponding secure protocols to use. We also provide an example of how to set up a secure network infrastructure using network zones.
· Java Virtual Machine Security
The J2EE Engine’s processes run in a Java Virtual Machine (JVM), which means that any security aspects that apply to the virtual machine also affect the security of the J2EE Engine. Therefore, make sure you stay informed and install the latest patches provided by the virtual machine vendor.
· Disabling Optional Services on the J2EE Engine
This topic provides information about deactivating services on the J2EE Engine that are not needed in productive operations.
· Security Aspects for the Database Connection
This section describes security aspects that apply to the database connection. In particular, it explains the storage of the database user and its password, which are kept in a secured storage.
This section describes the security aspects involved when using Java Messaging Services (JMS). The aspects described include authentication, authorization, the policy configurations used by the server, applying restrictions to message selectors, communication security, and data storage security.
· Security Guide for the SAP System Landscape Directory
This section describes the security aspects involved with the SAP System Landscape Directory (SLD). In particular:
  · Securing the HTTP connections to the SLD
  · Securing RFC connections to the SLD
  · Setting up a secure network topology for the SLD
· Security Aspects When Using Remote Administration
In this section, we provide recommendations for using the Visual Administrator or telnet to remotely administer the J2EE Engine.
· Security Aspects When Using HTTP and Web Container Tracing
This section discusses the security implications of enabling the tracing functions of the HTTP Provider and Web Container services.
In addition, see the following sections in the Security Aspects in Development section of the SAP Web AS Security Guide:
· Security of the SAP Java Development Infrastructure
· Working with the SDM (Software Deployment Manager)
· The SAP NetWeaver Developer Studio: Security Aspects
· Security Aspects of Web Dynpro for Java
· Deployment Authorizations When Using Deploy Service
