SAP Mobile Platform Security Architecture
SAP Mobile Platform uses the standard HTTPS protocol to integrate into your existing security landscape. It also integrates with your existing user and permission stores, so you can continue to use your current user administration tools.
SAP Mobile Platform provides seamless end-to-end authentication and security policy integration across the platform, without proxies or intermediary configurations. SAP Mobile Platform Server lets you configure end-to-end authentication from the client to the back end without a VPN; because the transport is standard HTTPS, it fits into the existing security landscape without disruption.
Secure Network Communications
SAP Mobile Platform secures all network communications across the enterprise by using HTTPS for every connection.
The server uses <SMP_HOME>\Server\configuration\smp_keystore.jks as its Java keystore for the server certificate and as the truststore for CA certificates. The keystore may also contain user certificates for authenticating to back-end systems. The local keystore, local_smp_keystore.jks, is created and maintained by the product installer on each cluster node, and stores server certificates for HTTPS connections.
The server accepts a certificate only if it is:
- Signed by a trusted CA (one whose certificate is in the truststore)
- Within its validity period
- For server certificates, issued for the right host: the certificate CN must match the host.domain in the URL
Additionally, you can configure the server to validate certificates against certificate revocation lists (CRLs) or by using the Online Certificate Status Protocol (OCSP). By default, certificate revocation checking is disabled. Clients cannot check for certificate revocation.
Clients built with the SAP Mobile Platform SDK cannot bypass certificate checking, nor can they defeat trusted-CA checking by temporarily trusting a certificate that fails any of the standard checks.
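The three checks listed above are the same ones a TLS client applies to the server certificate. The following is an added example, not SAP Mobile Platform or SDK code: it uses only the Python standard library to build a client context that cannot be talked into skipping the trusted-CA check (with optional CRL-based revocation checking, which, as on the server, is off unless you enable it), and it implements the validity-period and host-name checks explicitly on the dict that `ssl.getpeercert()` returns so they can be exercised offline. The function names, the `example.com` host names and the sample certificate dict are assumptions made for the example.

```python
"""Client-side TLS certificate validation mirroring the server's three checks.

Added example, not SAP Mobile Platform code. The TLS stack enforces
"signed by a trusted CA" (and, optionally, CRL-based revocation); the
validity-period and host-name checks are re-implemented on the dict form
of a certificate so they can be unit-tested without a network.
"""
import ssl
import time


def build_strict_context(cafile, crlfile=None):
    """TLS client context that cannot be downgraded into trusting a bad cert."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must end at a CA in the truststore
    ctx.check_hostname = True             # CN/SAN must match the URL host
    if crlfile:
        # Revocation checking is off by default. Opt in by loading a PEM CRL
        # and asking OpenSSL to check the leaf certificate against it.
        ctx.load_verify_locations(cafile=crlfile)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def dns_name_matches(pattern, host):
    """RFC 6125 style match: case-insensitive, wildcard only as the whole
    left-most label, never matching more than one label or a bare TLD."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_peer_cert(cert, host, now=None):
    """Return [] if `cert` passes the validity-period and host-name checks,
    otherwise a list of reasons. `cert` is in SSLSocket.getpeercert() layout;
    `now` is a POSIX timestamp (defaults to the current time)."""
    now = time.time() if now is None else now
    problems = []

    # 1. Within the validity period.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate not yet valid")
    if now > not_after:
        problems.append("certificate expired")

    # 2. Name must match the host.domain in the URL. dNSName SANs take
    #    precedence; the subject CN is consulted only if no dNSName SAN exists.
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for (k, v) in rdn if k == "commonName"]
    if not any(dns_name_matches(n, host) for n in names):
        problems.append(f"host {host!r} does not match certificate names {names}")
    return problems


# Constructed sample in getpeercert() layout (assumed values, not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "smp.example.com"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "smp.example.com"),
                       ("DNS", "*.mobile.example.com")),
}


if __name__ == "__main__":
    jan_2025 = 1735689600  # 2025-01-01T00:00:00Z, inside the validity window
    for host in ("smp.example.com", "api.mobile.example.com", "evil.example.com"):
        print(host, check_peer_cert(SAMPLE_CERT, host, now=jan_2025) or "ok")
    print("expired:", check_peer_cert(SAMPLE_CERT, "smp.example.com", now=1800000000))
```

The signature check is deliberately not re-implemented: leave it to the TLS library, which is why `build_strict_context` pins `verify_mode` to `CERT_REQUIRED` rather than exposing a way to relax it. The explicit checks in `check_peer_cert` are useful for certificate pinning logic or for auditing a certificate before it is installed, and they show the two places clients usually go wrong: trusting a wildcard across more than one label, and reading the CN when the certificate carries a SAN.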
Common Security Infrastructure
The security infrastructure shared by all SAP Mobile Platform components performs two tasks:
- Authentication – making sure that connecting users are who they claim to be
- Role mapping – assigning authenticated users to SAP Mobile Platform logical roles
The authentication mechanisms that SAP Mobile Platform supports include basic authentication, single sign-on (SSO), and X.509 client certificates. The following figure illustrates how data flows from the device to the back end through common security constructs, for example CA Single Sign-On (SiteMinder), SAP SSO2 tokens, and the HTTP/HTTPS authentication provider.
SAP Mobile Platform Security Authentication Mechanisms and Data Flow
The communication process when a client connects:
- Transport encryption is established when the client connects to SAP Mobile Platform
- Application registration (App ID) is verified
- SAP Mobile Platform Server authentication takes place
SAP Mobile Platform Security Communication Process