Security Considerations

Use

This topic discusses the issues you need to consider and plan for to secure the portals in your federated portal network.

General Security-Related Tasks

  • Before you begin to expose or consume content within the network, secure each portal in the network as an independent unit.

    Caution

    Each SAP NetWeaver Portal must comply with the recommendations and guidelines documented in the Portal Security Guide. All non-SAP portals must be installed, configured, and secured according to the documentation supplied by the vendor.

    For more information, see Network and Communication Security.

    Once each portal is secure, you can then apply the additional security recommendations and guidelines for producer and consumer portals, as described below.

  • By default, the logon ticket used in the federated portal network is valid in the domain and all sub-domains of the consumer. A ticket that has not yet expired could therefore be misused to act as an existing user on the portal and on any back-end system that trusts the portal's authentication. To prevent this, ensure that the logon ticket is not sent outside the sub-domain.

    To do this, create a separate DNS sub-domain for all SAP systems that are integrated into the portal over HTTP. Usually this can be done by creating DNS aliases for the SAP systems, so the fully qualified domain names of those systems do not need to change.

    For more information about UME settings for logon tickets, see the SAP NetWeaver AS for Java documentation.

  • Until the initial portal permissions are configured specifically for federated portal network (FPN) usage, remote delta link (RDL) operations will not fully function for users assigned to the Content Admin and System Admin roles. For more information, see SAP Note 1552343.
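As an added illustration (not from the SAP documentation) of why the ticket cookie's domain must not reach beyond the portal sub-domain, the following Python models browser cookie domain matching and reports which integrated hosts would receive the logon ticket; all host and domain names are constructed placeholders.

```python
"""Audit the reach of a portal logon-ticket cookie.

Added example, not SAP code. Models the RFC 6265 domain-match rule a
browser applies before sending a cookie, then compares the hosts that
would receive the ticket against the intended portal sub-domain.
"""
from dataclasses import dataclass


def domain_matches(host: str, cookie_domain: str) -> bool:
    """True if the browser would send a cookie scoped to cookie_domain
    to host: host equals the domain or is a sub-domain of it. The label
    boundary is enforced, so 'evilportal.corp.example' does not match
    'portal.corp.example'."""
    host = host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".").rstrip(".")
    return host == dom or host.endswith("." + dom)


@dataclass(frozen=True)
class TicketScope:
    sent_to: tuple            # hosts that receive the ticket
    not_sent_to: tuple        # hosts that never see the ticket
    outside_subdomain: tuple  # receive it although outside the portal sub-domain


def audit_ticket_scope(cookie_domain: str, portal_subdomain: str,
                       hosts) -> TicketScope:
    """Classify each host; outside_subdomain is the set an administrator
    must shrink to empty by narrowing the cookie domain or by moving the
    SAP systems behind DNS aliases inside the portal sub-domain."""
    sent, not_sent, outside = [], [], []
    for h in hosts:
        if domain_matches(h, cookie_domain):
            sent.append(h)
            if not domain_matches(h, portal_subdomain):
                outside.append(h)
        else:
            not_sent.append(h)
    return TicketScope(tuple(sent), tuple(not_sent), tuple(outside))


# Constructed sample: SAP systems aliased into the portal sub-domain,
# plus two unrelated hosts in the parent corporate domain.
HOSTS = ("portal.corp.example", "erp.portal.corp.example",
         "bw.portal.corp.example", "mail.corp.example",
         "hr-extranet.corp.example")

if __name__ == "__main__":
    for dom in (".corp.example", ".portal.corp.example"):
        print(dom, audit_ticket_scope(dom, "portal.corp.example", HOSTS))
```

Only the narrow cookie domain leaves `outside_subdomain` empty; the broad one would hand the ticket to every host under the corporate domain.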

Security-Related Information and Tasks for Producers

All users in the federated portal network should be registered in the same user base. Therefore, permissions you define for content in a portal strictly control access to that content across the network. By assigning portal permissions to your content, you determine specifically which content you want to expose to which remote portals (see Exposing Content to Remote Consumer Portals). For example:

  • On a consumer portal, only those administrators explicitly granted permission by an administrator on the producer portal can manage remote content.

  • Only end users explicitly granted read permission by an administrator on the producer portal can execute remote applications.

Note that you can expose iViews to non-SAP portals that are WSRP compliant. However, since WSRP does not currently support cross-platform user authentication, you may expose iViews by assigning them to anonymous users, such as the Anonymous Users group (see Exposing WSRP iViews on the Producer for Non-SAP Consumers).

Consider the following factors and guidelines to ensure the security of producer portals in the federated network:

  • The use of logon tickets is mandatory for establishing trust between producer and consumer portals. For more information, see Setting Up Trust Using the SSO Wizard and Setting Up Trust Using the FPN Trust Editor.

  • For remote delta link usage, you can set up an SSL connection between producer and consumer portal. For more information, see Setting Up SSL for Remote Delta Link Usage.

  • To prevent unwanted consumers from registering with your portal:

    • Set a registration password. For more information, see Setting a Registration Password.

    • Do not distribute the registration password publicly; supply this information on a need-to-know basis.

    • Change the password frequently.

    • Do not publicly distribute the path to your WSDL file; supply this information on a need-to-know basis.

  • You should periodically monitor the consumers using your portal as a content producer. For more information, see Viewing FPN Connections and Viewing Your WSRP Consumers. You can remove unwanted, invalid, or suspicious consumers that have registered with your portal.

    Alternatively, you can temporarily block consumers until you decide to remove them permanently. For more information, see Enabling/Disabling Remote Access in FPN Connections.

  • If you are using SAP logon tickets to authenticate users with any back-end systems connected to the producer portal, you need to set up trust between your portal and any back-end system providing data for the portal and applications running in it. For information about setting up trust between SAP NetWeaver Portal and an SAP system, see Accepting Logon Tickets Issued by the AS Java.

  • Alternative forms of authentication, besides SAP logon tickets, can be used to authenticate users between the client browser and consumer portal, and the client browser and secure back-end systems. For more information, see Single Sign-On.

  • When users from an SAP NetWeaver consumer are successfully authenticated on the producer, they are assigned to the Authenticated Users group on the producer. Without trust, users from the consumer are classified as anonymous users and are assigned by default to the Anonymous Users group, thus limiting the amount and type of content they are permitted to view.

  • You can expose SAP NetWeaver content to non-SAP consumers through WSRP. The following option provides added control over the content you expose and how other remote portals access your portal:

    • You can quickly restrict the area of content you want to expose by designating the root folder in the Portal Catalog from which all non-SAP consumers begin to browse your content repository. For more information, see Setting the Root Browse Folder for Remote WSRP Usage.

Security-Related Information and Tasks for Consumers

Caution

Disregard this section if you are running SAP NetWeaver Composition Environment (CE) without usage type EP Core - Application Portal (EPC). An SAP NetWeaver CE system is not qualified to run as a consumer portal.

Consider the following factors and guidelines to ensure the security of consumer portals in the federated network:

  • The use of logon tickets is mandatory for establishing trust between producer and consumer portals. For more information, see Setting Up Trust Using the SSO Wizard and Setting Up Trust Using the FPN Trust Editor.

  • For remote delta link usage, you can set up an SSL connection between a producer and consumer portal. For more information, see Setting Up SSL for Remote Delta Link Usage.

  • To control the actions that other administrators on the consumers can perform in relation to a producer portal, the system administrator on the consumer can assign administrator permissions to FPN connections. For more information, see Assigning Administrator Permissions to FPN Connections.

  • You can remove FPN and WSRP connections that you no longer use.

  • You can temporarily block access to and from a remote portal. For more information, see Enabling/Disabling Remote Access in FPN Connections, Enabling/Disabling Remote Access on WSRP Consumers, and Enabling/Disabling Remote Access on WSRP Producers.

  • To control end-user execution of remote content through your consumer portal, assign end-user permission to an FPN connection, WSRP producer object, and localized content. See Assigning End-User Permission to FPN Content.

  • If you are using SAP logon tickets to authenticate users with any secure back-end system, you need to set up trust between your portal and the remote back-end system. For information about setting up trust between SAP NetWeaver Portal and an SAP system, see Accepting Logon Tickets Issued by the AS Java.

  • By default, the communication protocol between a consumer portal and a producer portal must be the same as that used between a portal user client and the consumer and producer portals. A system administrator on the consumer portal can instead specify that the producer and consumer portals communicate with each other over HTTP, while portal user clients communicate with the consumer and producer portals over HTTPS.

    To enable this:

    1. Ensure that the consumer portal is registered with the producer portal using HTTP as the connection protocol in the HTTP / HTTPS communication settings. For more information, see Creating FPN Connections or Editing Properties of WSRP Producer Connections.

    2. On the consumer portal, do the following in the PCD Inspector tool:

      1. Edit the producer object that represents the producer portal in the respective FPN connection.

      2. Add a new string-type property called com.sap.portal.remotePortal.ExternalNetworkProtocol.

      3. Assign the value https to the new property.

      4. Assign the HTTPS port number of the producer to the existing property called com.sap.portal.remotePortal.ExternalNetworkPort.

        Note

        • This property already exists in all producer objects, so there is no need to create it.

        • Alternatively, you can modify this property directly in the portal without using the PCD Inspector. Open the producer object in the Properties editor, and enter the port number in the External Network Port property.

      5. Save your changes.

    If the properties have already been added and you want to disable this feature, assign an empty value to each property in the producer object using the Properties editor in the portal.