This guide provides an overview of the security aspects and recommendations that apply to the SAP NetWeaver Application Server (SAP NetWeaver AS) for Java Server technology.
The J2EE Engine is the primary engine for the usage type Application Server Java (AS-Java) of the SAP NetWeaver. Therefore, the security aspects and recommendations for the AS-Java are equally relevant to securing the J2EE Engine.
· Technology consultants
· System administrators
This guide is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.
With the increasing use of distributed systems and the Internet for business transactions and business data management, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time. These demands on security apply likewise to the usage type AS-Java of the SAP NetWeaver platform. To assist you in securing the AS-Java, we provide this Security Guide.
There is also an SAP NetWeaver Application Server ABAP Security Guide.
This security guide provides an overview of the security-relevant information that applies to the AS-Java. It contains an overview of the security considerations for the AS-Java and links to the security administration or development functions in the J2EE Engine Administration and Development Manuals, respectively.
The Security Guide contains the following sections:
Provides links to additional information, a list of important SAP Notes and other security guides that apply to securing the J2EE Engine.
Provides a brief overview of the technical system landscape of the Java systems.
Describes user management, standard user types and synchronization of user data, as well as AS-Java authentication mechanisms and Single Sign-On integration.
Provides an overview of the authorization concepts on the J2EE Engine. The topics discussed include authorization checking on the J2EE Engine, standard User Management Engine (UME) actions and security roles.
Provides an overview of the communication channels used by the J2EE Engine and the corresponding transport layer security mechanisms. We also provide an example of a secure network infrastructure using network zones and information on the standard communication ports used by the J2EE Engine.
Describes the aspects of maintaining the availability, confidentiality and integrity of security-sensitive data stored and used by the J2EE Engine.
Provides information about deactivating optional J2EE Engine services that you may not need in productive operations.
Presents an overview of additional topics relevant to securing the J2EE Engine, such as Java Virtual Machine (JVM) security, security of the JMS service, database connection security and security for the Software Deployment Manager (SDM).
Provides a discussion of the security aspects of using the logging and tracing functions available on the J2EE Engine.