Business Client Security Issues
This section contains an overview of security issues and recommendations for using the Business Client for your applications. Security functions are available for creating Web applications in the Business Client and for running these applications in the Business Client.
The settings described under Configuration for SSL Support are particularly important for security with AS ABAP. The Logon Ticket Cache function is provided to increase performance when there are multiple logons.
SAP also delivers certain Virus Scan Profiles in the standard system. A virus scan can be performed when files are uploaded via HTTP (more information: Virus Scan Interface).
The Business Client and an SAP ECC system can communicate when the following criteria are fulfilled:
● System parameters are set
○ login/accept_sso2_ticket: 1
○ login/create_sso2_ticket: 2
● HTTP and HTTPS are defined as services in transaction SMICM
● System PSE, SAP CryptoLib, SSL Server, and SSL Client (standard) are implemented in transaction STRUSTSSO2
More Information: SAP NetWeaver Application Server ABAP Security Guide, Network and Communication Security
Security Issues for Web Dynpro ABAP
To access a Web application, AS ABAP uses the HTTP framework of the Internet Communication Framework (ICF), which provides functions for logging on to the AS ABAP.

Refer to Activating and Deactivating Services. For security reasons, the only services that should be active in the HTTP service tree are those that you really need. If, however, you activate a node at a higher level, the whole part of the service tree below that node is also active and completely open, which is not secure, for instance if an anonymous user is defined for that node.
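The following audit helper illustrates the point above: it walks a list of ICF nodes and reports every service that is effectively reachable with an anonymous user because an active ancestor defines one. This is an added example, not SAP code; the node records and the inheritance rules it assumes (logon data is taken from the nearest node that maintains it, and a service is reachable only if it and all its ancestors are active) are modelled here, not read from a real system.

```python
"""Audit a (constructed) ICF service tree for anonymously reachable services.

Assumed model: each record is (path, active, anon_user), where anon_user is
the user in the node's own logon data or None if the node has none. A node
without logon data inherits from its nearest ancestor that has some; a
service is reachable only if it and every ancestor are active.
"""
from typing import Dict, List, NamedTuple, Optional


class IcfNode(NamedTuple):
    path: str
    active: bool
    anon_user: Optional[str]


# Constructed sample tree for illustration, not an export from a real system.
SAMPLE_TREE = [
    IcfNode("/sap", True, None),
    IcfNode("/sap/public", True, "ANONYMOUS"),           # anon user at a high node
    IcfNode("/sap/public/bc", True, None),               # inherits ANONYMOUS
    IcfNode("/sap/public/bc/icons", True, None),         # inherits ANONYMOUS
    IcfNode("/sap/bc", True, None),
    IcfNode("/sap/bc/webdynpro", True, None),
    IcfNode("/sap/bc/webdynpro/sap/myapp", True, None),  # real logon required
    IcfNode("/sap/bc/soap", False, None),                # inactive parent ...
    IcfNode("/sap/bc/soap/rfc", True, "RFC_ANON"),       # ... so this is unreachable
]


def _ancestors(path: str) -> List[str]:
    """Return the ancestor paths of an ICF path, root-most first."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def effective_anonymous_services(tree: List[IcfNode]) -> Dict[str, str]:
    """Map each reachable node whose effective logon data carries an
    anonymous user to that user name."""
    by_path = {n.path: n for n in tree}
    findings: Dict[str, str] = {}
    for node in tree:
        chain = _ancestors(node.path) + [node.path]
        # Reachable only if every node on the path exists and is active.
        if not all(p in by_path and by_path[p].active for p in chain):
            continue
        # Nearest node (self first, then ancestors) with its own logon data wins.
        for p in reversed(chain):
            if by_path[p].anon_user is not None:
                findings[node.path] = by_path[p].anon_user
                break
    return findings


if __name__ == "__main__":
    for path, user in sorted(effective_anonymous_services(SAMPLE_TREE).items()):
        print(f"anonymous access via {user}: {path}")
```

Run against an actual SICF export, the same logic shows how defining an anonymous user on one high-level node exposes every active service beneath it.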
A simple procedure is available for developing and configuring the System Logon with Web applications in the Business Client. Security issues are covered in this procedure.
The installation of SAP GUI Scripting is mandatory; see also the Prerequisites section under Business Client Installation.
A white list infrastructure in the HTTP framework fends off XSS attacks. See also Security Risk List.
Standard AS ABAP users are used in the Business Client. Keep in mind the following points:
● If the Business Client is running in the mode in which email addresses are used for authentication, the email address must be defined as an alias.
You can make this setting in transaction SU01 on the tab page Logon Data. Enter the correct email address in the Alias field and save it.
● If all your applications are HTTP-based and there are no SAP GUI applications among them, you can also enter a value other than the standard dialog user in the User Type field. This increases security because no SAP GUI session can be started with this user ID.
See Authentication with Certificates and Microsoft Hotfix 909425
Important SAP Notes

SAP Note Number | Title
517484 | Inactive Services in the Internet Communication Framework
510007 | Setting Up SSL on the Web Application Server
420085 | Logon Ticket Cache
853878 | HTTP white list check (security)
1029940 | Release restrictions for the NetWeaver Business Client
