This chapter provides an overview of security aspects and recommendations relevant to using SAP NetWeaver Business Client (NWBC). As security is a wide-ranging but important aspect that affects both the server and the client, all security-relevant aspects are described in this chapter. After the most basic recommendation, to always use HTTPS for communications, the most interesting aspect is that of authentication. A large part of the chapter is dedicated to drawing parallels between the standard authentication processes that are available in any browser-based access to an SAP server and the authentication process as supported by NWBC. This includes the initial authentication, achieving single sign-on using certificates, and the subsequent re-authentication needed each time a new application is started. Briefly, the use of the Internet Communication Framework (ICF) to control access to NWBC services on the server is also discussed.
This chapter describes high-level security concepts that are relevant to NWBC. For a detailed discussion of how specific security concepts are implemented in SAP servers, and especially of their configuration, a reference is made in each case to the documentation that covers that topic in detail.
The following concepts are described:
NWBC and authentication
Describes in general the authentication process from NWBC to the server. This section explains that, principally, the authentication process in NWBC is exactly equivalent to the authentication process as is managed in a browser.
Use of digital certificates
Elaborates on how single sign-on can be achieved with the use of digital certificates.
Logon tickets and assertion tickets
Explains the prerequisite of logon tickets (MYSAPSSO2 cookies), or alternatively assertion tickets, which must be available to handle the re-authentication process when a new application is started in the content area.
Extends the authentication process over multiple servers using logon tickets.
Configuring authentication on the server
Groups all relevant server configuration information. This is mostly a set of references to other documentation that covers the individual topics in depth.
Describes the use of ICF to control HTTP access to the NWBC runtime.
Certificate Error Popups in the Browser
Highlights problems related to the use of digital certificates that are normally perceived as error situations, although they are usually just different variations of an invalid certificate.
Security zones in Internet Explorer
Internet Explorer implements a security zone model. This model helps protect your computer from unsafe operations by assigning web sites to security zones, each with its own security level.
A whitelist infrastructure in the HTTP framework defends against XSS attacks.
When using HTTPS, we highly recommend that you read at least section 7.2, Use of Digital Certificates, for the prerequisite of installing the Microsoft hotfix 919477.