
Security Aspect of Data, Data Flow, and Processes

Concept

This section describes the security procedures and technical measures implemented in SAP Gateway to prevent unauthorized access to, and modification of, data stored in or processed by the system.

In addition to the standard authentication and authorization mechanisms, SAP Gateway provides an additional level of protection against cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.

For more information, see Session Security Protection.

The figure below shows an example of the data flow for a request from a client application (for example, a PHP page that performs an OData call on behalf of the user) to an SAP ERP system through SAP Gateway.

Figure: Data Flow

For each step of the process, the security aspect to consider and the mechanism that applies are described below:

  1. The user authenticates to the Web server using one of the supported options.

    Security Measure:

    This step is out of scope for SAP Gateway: authentication of the user to the Web server is the responsibility of the consuming application.

  2. The client submits a business call to the Web server, which in turn issues a request for SAP data that resides in an SAP back-end system.

    Security Measure: The Web server generates a client certificate for the user in the current context and signs it with a CA certificate.

    The generated certificate is short-lived, valid only for a limited period (a number of hours to days), which limits the damage a leaked certificate can do. The CA used to sign the certificate must be trusted by SAP Gateway; because anyone holding that CA's private key can issue certificates for arbitrary users, the CA (in particular its private key) must be stored securely on the consumer side.

  3. The certificate is attached to the HTTPS call to SAP Gateway, which maps the subject of the certificate to the user's name, performs authorization checks, and processes the request.

    Security Measure: SAP Gateway must have a proper user mapping set up (certificate subject to SAP Gateway user), and SAP Gateway users must be assigned the corresponding roles based on the SAP Gateway role templates.

  4. The requested SAP data is returned to SAP Gateway from the SAP ERP back-end system over a trusted RFC connection. SAP Gateway forwards the returned data to the Web server, which in turn delivers it to the calling client.

    Security Measure: A trusted RFC connection is established to the specific SAP ERP back-end system, so that only SAP Gateway (and the user it has already authenticated and authorized) can trigger the back-end call.
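The following Go program is an added example, not SAP code and not part of this documentation, that models steps 2 and 3 of the flow above: a consumer-side CA issues a short-lived X.509 client certificate for an authenticated user, and a gateway verifies the certificate (trusted issuer, validity window, client-authentication usage) before mapping its subject to a user name. All names (`CA`, `Gateway`, `ResolveUser`, the example CA name and user IDs) and the in-memory mapping table are assumptions for illustration; in a real system the certificate trust and user mapping are configured in SAP Gateway itself, and step 4 (the trusted RFC connection) is not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is the hypothetical consumer-side issuing CA. Whoever holds Key can mint a
// certificate for any user, which is why it must be stored securely on the consumer side.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed CA certificate that the gateway will be configured to trust.
func NewCA(name string, now time.Time) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueUserCert is step 2: after the user authenticated to the Web server, the server
// mints a short-lived client certificate (ttl of hours to days) carrying the user's identity.
func (ca *CA) IssueUserCert(userID string, now time.Time, ttl time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: userID},
		NotBefore:    now.Add(-time.Minute), // small clock-skew allowance
		NotAfter:     now.Add(ttl),          // short lifetime bounds the damage of a leaked certificate
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Gateway models the receiving side of step 3: the trusted CA set and the
// subject-to-user mapping (a hypothetical in-memory table here).
type Gateway struct {
	roots   *x509.CertPool
	userMap map[string]string // certificate subject CN -> SAP user name
}

func NewGateway(trusted *CA, userMap map[string]string) *Gateway {
	pool := x509.NewCertPool()
	pool.AddCert(trusted.Cert)
	return &Gateway{roots: pool, userMap: userMap}
}

// ResolveUser verifies the presented certificate (issuer chain, validity at `now`,
// client-auth usage) and only then looks up the mapped user; any failure is rejected
// before authorization checks would run.
func (g *Gateway) ResolveUser(cert *x509.Certificate, now time.Time) (string, error) {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       g.roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	user, ok := g.userMap[cert.Subject.CommonName]
	if !ok {
		return "", fmt.Errorf("no user mapping for subject %q", cert.Subject.CommonName)
	}
	return user, nil
}

func main() {
	now := time.Now()
	ca, _ := NewCA("Consumer Issuing CA", now) // hypothetical CA name
	gw := NewGateway(ca, map[string]string{"alice@example.com": "ALICE"})
	cert, _ := ca.IssueUserCert("alice@example.com", now, 8*time.Hour)
	fmt.Println(gw.ResolveUser(cert, now))                  // ALICE <nil>
	fmt.Println(gw.ResolveUser(cert, now.Add(9*time.Hour))) // "", rejected: expired
	rogue, _ := NewCA("Rogue CA", now)
	bad, _ := rogue.IssueUserCert("alice@example.com", now, 8*time.Hour)
	fmt.Println(gw.ResolveUser(bad, now)) // "", rejected: unknown authority
}
```

The `main` function exercises the three failure modes a practitioner should confirm on a real deployment: a certificate that has outlived its short validity window, a certificate issued by a CA the gateway does not trust (even with the correct subject), and a subject with no configured user mapping. All three must be rejected before any authorization check runs.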