Network Security and Communication

SAP System

ICF Services

To use the ICF to communicate with other systems, you must separately activate each individual service that you want to use.

Virtual Hosts

It is possible to redirect inbound HTTP requests to another system using a specific URL parameter.

To prevent this mechanism from being abused, you can use the Virtual Host concept of the ICF. To do this, you have to create an ICF service tree for each virtual host.

Trusted System Networks

If you use HTTP RFC destinations (RFC connection type H) for ICF communications with another SAP system, you can set up a Trusted System network, as with RFC communications.

In a scenario that consists of trusted systems, servers in one system trust servers from another system. Users in the first system (system A) who access the second system (system B) are not authenticated by passwords each time they access system B. System B trusts system A; this trust relationship allows system B to accept the user from system A without any further authentication. The user must have user accounts in both systems and gets the authorizations from the target system, in this case system B.

The benefit of this procedure is that users only need to authenticate themselves once when they communicate with trusting systems. No logon information needs to be sent across the network.

However, to guarantee the security of trusting systems, you must check the following prerequisites, which entail an increased amount of administration:

  • The systems must have the same level of security requirements. (This means they must represent a single ‘virtual’ SAP system.) Do not implement the trusted system concept between systems with very different levels of security requirements, for example, between your development system and your personnel system.

  • The systems must have a compatible user administration concept and share an authorization concept. Users who exist in one system must exist in all systems.

Only if you meet these requirements do we recommend the implementation of a trusted system concept.
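
One way to check these two prerequisites across a set of trust relationships, shown as an added example that is not SAP code. The system names, tier labels, user IDs and the `audit_trust` function are constructed for illustration; the example assumes each system's user list has been exported beforehand.

```python
# Added example: audit trusted-system prerequisites over a constructed inventory.
# All system names, tiers and user IDs below are constructed sample data.
SYSTEMS = {
    "DEV": {"tier": "low", "users": {"ALICE", "BOB", "DEVOPS1"}},
    "ERP": {"tier": "high", "users": {"ALICE", "BOB", "CAROL"}},
    "HCM": {"tier": "high", "users": {"ALICE", "BOB", "CAROL"}},
}
# (trusted system A, trusting system B): B accepts users from A without a password.
TRUSTS = [("ERP", "HCM"), ("DEV", "HCM"), ("QAS", "ERP")]


def audit_trust(systems, trusts):
    """Return (trusted, trusting, rule, detail) tuples for every violated prerequisite."""
    findings = []
    for trusted, trusting in trusts:
        unknown = [s for s in (trusted, trusting) if s not in systems]
        if unknown:
            # A trust to a system outside the inventory cannot be assessed at all.
            findings.append((trusted, trusting, "unknown-system", ", ".join(unknown)))
            continue
        a, b = systems[trusted], systems[trusting]
        # Prerequisite 1: same level of security requirements.
        if a["tier"] != b["tier"]:
            findings.append((trusted, trusting, "tier-mismatch",
                             f"{trusted}={a['tier']}, {trusting}={b['tier']}"))
        # Prerequisite 2: users who exist in one system must exist in all systems.
        for user in sorted(a["users"] ^ b["users"]):
            absent_from = trusting if user in a["users"] else trusted
            findings.append((trusted, trusting, "user-missing",
                             f"{user} not in {absent_from}"))
    return findings


if __name__ == "__main__":
    for finding in audit_trust(SYSTEMS, TRUSTS):
        print(*finding, sep=" | ")
```
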

Web Applications

When a Web application is in use, a potential attacker can use cross-frame scripting (XFS) to obtain information that a user entered manually on a website. This risk arises from a security vulnerability in the Web browser, even if AS ABAP itself is not vulnerable to XFS attacks.

Web applications can provide additional protection against such attacks if this browser vulnerability has not yet been resolved. See SAP Note 2028904.

The risk of XFS attacks on SAP systems is low to moderate, since this vulnerability has already been resolved in most browsers supported by SAP.