
Background documentation: Security Considerations

This topic discusses issues you need to consider and plan for in order to secure the portals in your federated portal network.

General Security-Related Tasks

- Before you begin to expose or consume content within the network, first secure each portal in the network as an independent unit.

Caution

Each NetWeaver portal must comply with the recommendations and guidelines documented in the Portal Security Guide. All non-SAP portals must be installed, configured and secured according to the documentation supplied by the vendor.

More information: Network and Communication Security 

Once each portal is secure, you can then apply the additional security recommendations and guidelines for producer and consumer portals, as described below.

- By default, the logon ticket used in the federated portal network can potentially be used in the domain and sub-domains of the consumer. Until the ticket expires, it could be misused as the logon ticket of an existing user on the portal and on the back-end systems that trust the portal's authentication. To prevent this, take measures to ensure that the logon ticket is not sent outside the sub-domain.

  For this you could create a separate DNS sub-domain for all SAP systems integrated into the portal using HTTP. Usually this can be done by creating DNS aliases for the SAP systems, so there is no need to change the fully qualified domain name of those systems.

  For more information about UME settings for logon tickets, see Logon Tickets.
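The sub-domain recommendation above rests on how a browser decides which hosts receive a cookie. The following added example (not SAP code) applies the cookie domain-matching rule of RFC 6265 to constructed host names, so that an administrator can check whether a ticket cookie scoped to a given Domain attribute would reach hosts outside the sub-domain reserved for the portal and the SAP systems that trust its authentication. The host names, the sub-domain sap.example.com and the function names are assumptions made for illustration.

```python
"""Which hosts would a browser send the portal logon ticket cookie to?

Added example for this page; it is not SAP code. The host names, the
sub-domain and the function names are constructed for illustration.
"""

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain match: equal, or the request host is a sub-domain of the cookie domain."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)

def hosts_receiving_ticket(cookie_domain, hosts):
    """Hosts to which the browser would attach a cookie carrying Domain=cookie_domain."""
    return sorted(h for h in hosts if domain_matches(h, cookie_domain))

def ticket_leak_report(cookie_domain, hosts, trusted_subdomain):
    """Hosts that receive the ticket although they lie outside the sub-domain
    reserved for the portal and the SAP systems that trust its authentication."""
    return [h for h in hosts_receiving_ticket(cookie_domain, hosts)
            if not domain_matches(h, trusted_subdomain)]

# Constructed sample: the portal and its integrated SAP systems are reachable
# through DNS aliases in sap.example.com; the other two hosts are unrelated
# web applications in the corporate domain and must never see the ticket.
SAMPLE_HOSTS = [
    "portal.sap.example.com",
    "erp.sap.example.com",
    "bw.sap.example.com",
    "intranet.example.com",
    "hr-app.example.com",
]

if __name__ == "__main__":
    for cookie_domain in ("example.com", "sap.example.com"):
        leaks = ticket_leak_report(cookie_domain, SAMPLE_HOSTS, "sap.example.com")
        print(f"Domain={cookie_domain}: ticket also sent to "
              f"{leaks or 'no hosts outside the sub-domain'}")
```

Run with no arguments: scoping the cookie to the corporate domain example.com sends the ticket to the two unrelated hosts, while scoping it to sap.example.com keeps it within the portal's sub-domain. The same check is useful after adding a new DNS alias, to confirm the alias was created inside the reserved sub-domain.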

Security-Related Information and Tasks for Producers

All users in the federated portal network should be registered in the same user base. Therefore, permissions you define for content in a portal strictly control access to that content across the network. By assigning portal permissions to your content, you determine specifically which content you want to expose and to which remote portals (see Exposing Content to Consumers). For example:

- On a consumer portal, only those administrators explicitly granted permission by an administrator on the producer portal can manage remote content.

- Only end users explicitly granted read permission by an administrator on the producer portal can execute remote applications.

Note that you can expose iViews to non-SAP portals that are WSRP compliant. However, since WSRP does not currently support cross-platform user authentication, you may expose iViews by assigning them to anonymous users, such as the Anonymous Users group (see Setting Permissions to Producer iViews for non-SAP Consumers).

The following factors and guidelines contribute to ensuring the security of producer portals in the federation:

- The use of logon tickets is mandatory for establishing trust between producer and consumer portals. See Setting Up Trust.

- For remote delta link usage, you can set up an SSL connection between a producer and consumer portal. See Setting Up SSL for Remote Delta Link Usage.

- To prevent unwanted consumers from registering with your portal:

  - Set a registration password. See Configuring Your Registration Password.

  - Do not distribute the password publicly.

  - Change the password frequently.

  - Do not publicly distribute the path to your WSDL file.

- In the View My Consumers screen on the portal, periodically monitor the consumers using your portal as a content producer. See Viewing Your Consumers.

- You can remove unwanted, invalid, or suspicious consumers that have registered with your portal. See Removing Consumers.

  Alternatively, you can temporarily block consumers until you decide to remove them permanently. See Enabling/Disabling Access to Registered Consumers.

- If you are using SAP logon tickets to authenticate users with any back-end systems connected to the producer portal, you need to set up trust between your portal and any back-end system providing data for the portal and applications running in it. For information on setting up trust between SAP NetWeaver Portal and a SAP system, see Configuring SAP Web AS ABAP to Accept Logon Tickets from the J2EE Engine.

- Alternative forms of authentication, besides SAP logon tickets, can be used to authenticate users between the client browser and consumer portal, and between the client browser and secure back-end systems. For more information, see Single Sign-On.

- When users from a SAP NetWeaver consumer are successfully authenticated on the producer, they are assigned to the Authenticated Users group on the producer. Without trust, users from the consumer are classified as anonymous users and are assigned by default to the Anonymous Users group, thereby limiting the amount and type of content they are permitted to view.

- You can expose SAP NetWeaver content to non-SAP consumers through WSRP. The following options provide added control over the content you expose and how other remote portals access your portal:

  - Non-SAP consumers are not recognized as anonymous users. You need to create a specific portal user for each non-SAP consumer. Through this user you can selectively assign content using the portal permission infrastructure. See Creating Users for Non-SAP Consumers.

  - You must also assign a password to the user you create for non-SAP consumers. The consumer needs this password to be able to register. See Creating Users for Non-SAP Consumers.

  - You can quickly restrict the area of content you want to expose by designating the root folder in the Portal Catalog from which all non-SAP consumers begin to browse your content repository. See Setting the Root PCD Folder for WSRP-Based Browsing.

Security-Related Information and Tasks for Consumers

The following factors and guidelines contribute towards securing consumer portals in the federation:

- Registering your portal as a consumer on a producer portal is unidirectional: the producer cannot act as a consumer and automatically use your own content. Instead, the producer must register itself as a consumer on your portal in order to use your exposed content.

- The use of logon tickets is mandatory for establishing trust between producer and consumer portals. See Setting Up Trust.

- For remote delta link usage, you can set up an SSL connection between producer and consumer portals. See Setting Up SSL for Remote Delta Link Usage.

- To control the actions that other administrators on the consumers can perform in relation to a producer portal, the system administrator on the consumer can assign administrator permissions to producer objects. See Assigning Administrator Permissions to Producer Objects.

- You can remove producer portals that you no longer use. See Removing Producers.

- In the View My Producers screen on the portal, you can temporarily block access from your portal to remote content on producers with which you have registered. See Enabling/Disabling Access to Registered Producers.

- To control end-user execution of remote content through your consumer portal, assign end-user permission to a producer object and localized content. See Assigning End-User Permission to Producer Objects and Content.

- If you are using SAP logon tickets to authenticate users with any secure back-end system, you need to set up trust between your portal and the remote back-end system. For information on setting up trust between SAP NetWeaver Portal and a SAP system, see Configuring SAP Web AS ABAP to Accept Logon Tickets from the J2EE Engine.

- By default, the communication protocol between a consumer portal and a producer portal must be the same as that used between a portal user client and the consumer and producer portals. A system administrator on the consumer portal can specify that the communication protocol between the producer portal and consumer portal must work over HTTP, while the communication protocol between a portal user client and the consumer and producer portals is working over HTTPS.

  To enable this:

  a. Ensure that the consumer portal is registered with the producer portal using HTTP as the connection protocol in the HTTP / HTTPS communication settings. More information: Adding NetWeaver Producers or Editing Connection Properties to Producers.

  b. On the consumer portal, do the following using the PCD Inspector tool:

     i. Edit the relevant producer object.

     ii. Add a new string-type property called com.sap.portal.remotePortal.ExternalNetworkProtocol.

     iii. Assign the value https to the new property.

     iv. Assign the HTTPS port number of the producer to the existing property called com.sap.portal.remotePortal.ExternalNetworkPort.

     Note

     This property already exists in all producer objects, so there is no need to create it.

     Alternatively, you can modify this property directly in the portal without using the PCD Inspector. Open the producer object in the Property Editor, and enter the port number in the External Network Port property (see Editing Connection Properties to Producers).

     v. Save and close.

  If the properties have already been added and you want to disable this feature, assign an empty value to each property in the producer object. You can do this in the Property Editor in the portal.

For more information about using the PCD Inspector, see PCD Inspector.
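The procedure above lets the producer-to-consumer connection stay on HTTP while the user's browser reaches the producer over HTTPS. The following added example (not SAP code) models that split in Python so the resulting configuration can be sanity-checked before saving it: the two property names are the ones named in the procedure; the registration fields conn_protocol, conn_host and conn_port, and the function names, are hypothetical stand-ins for what the consumer stores when a producer is registered. It checks the preconditions of the procedure (producer registered over HTTP, HTTPS port present) and shows that emptying both properties disables the feature.

```python
"""Check the external-network properties of a consumer-side producer object.

Added example for this page; it is not SAP code. The two property names
come from the documentation. The registration fields conn_protocol,
conn_host and conn_port are hypothetical stand-ins for the connection data
the consumer stores at registration; the host is assumed to be the same for
server-to-server and browser traffic.
"""

EXT_PROTOCOL = "com.sap.portal.remotePortal.ExternalNetworkProtocol"
EXT_PORT = "com.sap.portal.remotePortal.ExternalNetworkPort"

def _port_or_none(value):
    """Return an int port for a non-empty, valid value; None when the value is empty or absent."""
    if value is None or str(value).strip() == "":
        return None
    port = int(value)  # a non-numeric port is a configuration error, so let ValueError surface
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port

def validate_producer_object(props):
    """Return a list of findings; an empty list means the split-protocol setup is consistent."""
    findings = []
    proto = (props.get(EXT_PROTOCOL) or "").strip().lower()
    port = _port_or_none(props.get(EXT_PORT))
    if proto and proto not in ("http", "https"):
        findings.append(f"{EXT_PROTOCOL} must be http or https, got {proto!r}")
    if proto == "https" and str(props.get("conn_protocol", "")).lower() != "http":
        findings.append("split-protocol setup expects the producer to be registered over HTTP (step a)")
    if proto == "https" and port is None:
        findings.append(f"{EXT_PORT} must hold the producer's HTTPS port when {EXT_PROTOCOL} is https")
    return findings

def producer_urls(props):
    """Return (server_to_server_url, client_facing_url) derived from the producer object."""
    host = props["conn_host"]
    internal = f"{props['conn_protocol']}://{host}:{props['conn_port']}"
    proto = (props.get(EXT_PROTOCOL) or "").strip().lower()
    if not proto:
        # Property absent or emptied: feature disabled, the browser uses the registration protocol.
        return internal, internal
    port = _port_or_none(props.get(EXT_PORT)) or props["conn_port"]
    return internal, f"{proto}://{host}:{port}"

# Constructed sample producer object: registered over HTTP, browser traffic over HTTPS.
SPLIT_PRODUCER = {
    "conn_protocol": "http",
    "conn_host": "producer.sap.example.com",
    "conn_port": 50000,
    EXT_PROTOCOL: "https",
    EXT_PORT: "50001",
}

if __name__ == "__main__":
    for name, obj in (("split", SPLIT_PRODUCER),
                      ("disabled", {**SPLIT_PRODUCER, EXT_PROTOCOL: "", EXT_PORT: ""})):
        print(name, producer_urls(obj), validate_producer_object(obj) or "ok")
```

The `disabled` variant in the usage block is the documented way to switch the feature off: both properties keep existing but carry empty values, and the client-facing URL falls back to the registration protocol and port.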


More Information

Portal Permissions 
