SAP Mobile Platform Security Architecture

SAP Mobile Platform uses the standard HTTPS protocol to integrate into your existing security landscape. It also integrates into your existing user and permission stores, so you can continue to use your user administration tools.

SAP Mobile Platform provides seamless end-to-end authentication and security policy integration across the platform without proxies or intermediary configurations. SAP Mobile Platform Server allows you to configure end-to-end authentication from the client to the back end without a VPN. The server uses the standard HTTPS protocol to integrate into your existing security landscape without disruption.

Secure Network Communications

SAP Mobile Platform secures all network communications across the enterprise by using HTTPS for all communications.

The server uses <SMP_HOME>\Server\configuration\smp_keystore.jks as its Java keystore for the server certificate and as the truststore for CA certificates. The keystore may also contain user certificates for authenticating to back-end systems. The local keystore, local_smp_keystore.jks, is created and maintained by the product installer on each cluster node, and stores server certificates for HTTPS connections.

SAP Mobile Platform Server and clients always verify these certificate attributes:
  • Signed by a trusted CA
  • Within the validity period
  • For server certificates, the certificate CN must match the server host.domain in the URL

Additionally, you can configure the server to validate certificates by either checking certificate revocation lists (CRL) or using the Online Certificate Status Protocol (OCSP). By default, certificate revocation checking is disabled. Clients cannot check for certificate revocation.

Clients that you build using the SAP Mobile Platform SDK cannot bypass certificate checking, nor can they defeat trusted-CA checking by temporarily trusting a certificate that fails any of the standard checks.
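The three mandatory checks listed above, written against Go's standard library as an added example (not SAP code): a constructed root CA stands in for a CA certificate in the truststore, the constructed host name smp.example.com stands in for the server host.domain in the URL, and because Go (like other current verifiers) matches the host against the SAN rather than the CN, the fixture places the name in both.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed validity window shared by the test CA and the server certificate.
var NotBefore, NotAfter = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)

// issue signs tmpl with parentKey; with parent == nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// NewFixture builds a constructed root CA (standing in for a CA certificate in the truststore) and a server
// certificate for host, named in the Subject CN as the page states and in the SAN that Go's verifier matches on.
func NewFixture(host string) (*x509.Certificate, *x509.CertPool) {
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Constructed Test Root CA"}, NotBefore: NotBefore, NotAfter: NotAfter, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	srv, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: NotBefore, NotAfter: NotAfter}, ca, caKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	return srv, trusted
}

// VerifyServerCert applies the three checks the platform always performs: a chain to a trusted CA,
// validity at time now, and a certificate name matching the host in the URL. A nil error means all passed.
func VerifyServerCert(cert *x509.Certificate, trusted *x509.CertPool, host string, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host, CurrentTime: now})
	return err
}

func main() {
	srv, trusted := NewFixture("smp.example.com")
	fmt.Println(VerifyServerCert(srv, trusted, "smp.example.com", NotBefore.AddDate(0, 6, 0)))  // <nil>: all checks pass
	fmt.Println(VerifyServerCert(srv, trusted, "other.example.com", NotBefore.AddDate(0, 6, 0))) // hostname mismatch error
}
```

Passing a time after NotAfter or an empty pool in place of trusted reproduces the validity-period and trusted-CA failures the same way.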

Common Security Infrastructure

SAP Mobile Platform uses a common security infrastructure (CSI), which provides:
  • Authentication – making sure the connecting users are who they claim to be
  • Role mapping – assigning users to SAP Mobile Platform logical roles

Authentication Mechanisms

The authentication mechanisms SAP Mobile Platform supports include basic authentication, SSO, and X.509 certificates. The following figure illustrates how data flows from the device to the back end using common security constructs, for example CA Single Sign-On (SiteMinder), SAP SSO2 tokens, and the HTTP/HTTPS authentication provider.

SAP Mobile Platform Security Authentication Mechanisms and Data Flow

Communication Process

The following figure illustrates the communication processes that occur before any data is sent to a mobile application:
  1. Transport encryption is established when the client connects to SAP Mobile Platform
  2. Application registration (App ID) is verified
  3. SAP Mobile Platform Server authentication takes place

SAP Mobile Platform Security Communication Process