Business Client Security Issues

This section contains an overview of security issues and recommendations for using the Business Client for your applications. Security functions are available for creating and running Web applications in the Business Client.

Authentication in the Business Client

The Business Client uses SSO2 for authentication. This means that SSO2 must be active in your system.


To access a Web application, AS ABAP uses the HTTP framework of the Internet Communication Framework (ICF), which provides functions for logging on to the AS ABAP.

Caution

Refer to Activating and Deactivating Services. For security reasons, the only services that should be active in the HTTP service tree are those that you really need. If you activate a node at a higher level, the entire part of the service tree below that node is also active and completely open, which is not secure, for instance if an anonymous user is defined for it.
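The rule stated in this caution can be checked mechanically: activating a node makes every node beneath it reachable, so the set of effectively active services is the union of the subtrees under all activated nodes. The following script is an added illustration, not SAP code; the service tree, its paths and the list of needed services are constructed for the example, and the "exposed" check reports every leaf service that becomes reachable without being on the needed list.

```python
"""Effective exposure of an ICF-style service tree (added example, not SAP code).

The tree below is constructed for illustration: a parent path maps to its
child paths. Paths under /sap/bc/webdynpro/sap and /sap/bc/bsp/sap named
zapp1..zapp3 are invented application services.
"""

ICF_TREE = {
    "/sap/bc": ["/sap/bc/webdynpro", "/sap/bc/bsp", "/sap/bc/ping"],
    "/sap/bc/webdynpro": ["/sap/bc/webdynpro/sap"],
    "/sap/bc/webdynpro/sap": ["/sap/bc/webdynpro/sap/zapp1",
                              "/sap/bc/webdynpro/sap/zapp2"],
    "/sap/bc/bsp": ["/sap/bc/bsp/sap"],
    "/sap/bc/bsp/sap": ["/sap/bc/bsp/sap/zapp3"],
}

# The one application the Business Client actually needs (constructed).
NEEDED = {"/sap/bc/webdynpro/sap/zapp1"}


def expand_activation(tree, activated):
    """Return every node that is active because it, or an ancestor, was activated."""
    reachable = set()
    stack = list(activated)
    while stack:
        node = stack.pop()
        if node in reachable:
            continue
        reachable.add(node)
        # Activating a node activates its whole subtree.
        stack.extend(tree.get(node, []))
    return reachable


def exposed_services(tree, activated, needed):
    """Leaf services that become reachable but are not on the needed list.

    Only leaves (nodes without children) are reported, since in this model
    they are the callable application services; intermediate nodes only
    propagate activation.
    """
    reachable = expand_activation(tree, activated)
    return sorted(node for node in reachable
                  if node not in tree and node not in needed)


if __name__ == "__main__":
    for activated in ({"/sap/bc/webdynpro/sap/zapp1"},
                      {"/sap/bc/webdynpro"},
                      {"/sap/bc"}):
        print(sorted(activated), "->", exposed_services(ICF_TREE, activated, NEEDED))
```

Activating exactly the needed service reports nothing; activating its parent also exposes the sibling zapp2; activating /sap/bc exposes every application under it, which is the situation the caution warns against.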

A simple procedure is available for developing and configuring the System Logon with Web applications in the Business Client. Security issues are included in this procedure.


The Business Client instantiates and uses a completely normal Internet browser for the authentication process. The same authentication process is used in the Business Client as in the browser. The advantage of this is that all different types of authentication processes supported in the browser are also supported in the Business Client, including the use of digital signatures.


The Business Client uses SSO2 cookies for authentication, which means that SSO2 cookies have to be configured and active in your system. If you are not sure whether SSO2 is implemented in your system, refer to the following SAP Notes:

      817529
      616900
      517860

More information: Using the Secure Sockets Layer Protocol with the AS ABAP


Security in AS-ABAP

The settings described under Configuration for SSL Support are particularly important for security with AS ABAP. The logon ticket cache function is provided to increase performance when there are multiple logons.

Certain Virus Scan Profiles are also delivered by SAP in the standard system. A virus scan can be performed on files uploaded via HTTP (more information: Virus Scan Interface).

The Business Client and an SAP ECC system can communicate when the following criteria are fulfilled:

      The following system parameters are set:
       login/accept_sso2_ticket: 1
       login/create_sso2_ticket: 2
      HTTP and HTTPS are defined as services in transaction SMICM
      System PSE, SAP CryptoLib, SSL Server, and SSL Client (standard) are implemented in transaction STRUSTSSO2
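A small checker for the first two criteria, added here as an example and not SAP code: it parses a profile-style text (one parameter = value per line, with # comments), compares the two login parameters against the values documented above, and verifies that both HTTP and HTTPS appear in a list of services taken from SMICM. The profile fragments and service lists are constructed for the example; the PSE/STRUSTSSO2 criterion is not modelled here.

```python
"""Check the documented Business Client prerequisites (added example, not SAP code).

Inputs are a profile-style text and a list of service names as read from
SMICM; both are constructed below. The function returns a list of findings,
empty when all modelled criteria are met.
"""

# Values documented for Business Client / SAP ECC communication.
REQUIRED_PARAMETERS = {
    "login/accept_sso2_ticket": "1",
    "login/create_sso2_ticket": "2",
}
REQUIRED_SERVICES = {"HTTP", "HTTPS"}


def parse_profile(text):
    """Parse 'key = value' lines; '#' starts a comment, blank lines are ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def check_prerequisites(profile_text, icm_services):
    """Return human-readable findings for every unmet parameter or service."""
    params = parse_profile(profile_text)
    findings = []
    for key, wanted in REQUIRED_PARAMETERS.items():
        actual = params.get(key)
        if actual != wanted:
            findings.append(f"{key} is {actual!r}, expected {wanted!r}")
    defined = {name.strip().upper() for name in icm_services}
    for service in sorted(REQUIRED_SERVICES - defined):
        findings.append(f"service {service} is not defined in SMICM")
    return findings


# Constructed profile fragments for the example.
GOOD_PROFILE = """
# constructed instance profile fragment
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 2
"""

BAD_PROFILE = """
# constructed instance profile fragment with one wrong value
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 0   # not the documented value
"""

if __name__ == "__main__":
    print(check_prerequisites(GOOD_PROFILE, ["HTTP", "HTTPS"]))
    print(check_prerequisites(BAD_PROFILE, ["HTTP"]))
```

The second call reports both the wrong ticket parameter and the missing HTTPS service, which is the combination that would leave the Business Client unable to establish an SSO2-based session over a protected connection.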

More information:

SAP NetWeaver Application Server  ABAP Security Guide

Network and Communication Security

Security Aspects for BSP

Security Issues for Web Dynpro ABAP

SAP GUI Scripting

The installation of SAP GUI Scripting is mandatory; see also the section Prerequisites under Business Client Installation.

Security Risk List

A white list infrastructure in the HTTP framework fends off XSS attacks. See also Security Risk List.

User Management

Standard AS ABAP users are used in the Business Client. Keep in mind the following points:

      If the Business Client is running in the mode in which email addresses are used for authentication, the email address must be defined as an alias. You can make this setting in transaction SU01 on the Logon Data tab page: enter the correct email address in the Alias field and save.
      If all of your applications are HTTP-based and none of them are SAP GUI applications, you can enter a value other than the standard dialog user in the User Type field. This increases security, since no SAP GUI session can be started with this user ID.

Use of Digital Certificates and HTTPS

More information: Authentication with Certificates and Microsoft Hotfix 909425

SAP Notes

Important SAP Notes

SAP Note Number   Title
517484            Inactive Services in the Internet Communication Framework
510007            Setting up SSL on the Web Application Server
420085            Logon Ticket Cache
853878            HTTP White-List Check (Security)
1029940           Release restrictions for the NetWeaver Business Client