This section describes the security procedures and technology measures implemented in SAP Gateway to prevent unauthorized access and modification of data stored or processed by the system.
Besides using standard authentication and authorization mechanisms, SAP Gateway provides an additional level of protection against cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.
For more information see Session Security Protection.
The user authenticates to the Web server using one of the supported options.
This step of the flow is out of scope for consuming SAP Gateway.
The client submits a business call to the server that in turn issues a request for SAP data that resides in an SAP backend system.
Security Measure: The server generates a client certificate for the user in context and signs it with a CA certificate.
The generated certificate is short-lived, valid only for a limited period (hours to days). The CA used to sign the certificate must be trusted by SAP Gateway; therefore the CA must be stored securely on the consumer side.
The certificate is attached to the HTTPS call to SAP Gateway, which maps the subject of the certificate to the user’s name, makes authorization checks, and processes the request.
Security Measure: SAP Gateway should have proper user mapping configured, and SAP Gateway users should be assigned to their corresponding roles based on the SAP Gateway role templates.
The specific SAP data is returned to SAP Gateway through the trusted RFC connection. SAP Gateway forwards the returned data to the Web server, which in turn delivers it to the calling client.
Security Measure: A trusted connection using RFC is made to the specific SAP ERP backend.
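As an added illustration of the certificate flow described above (this is not SAP code; the CA names, user names, file layout and one-day validity are constructed, and the script assumes the openssl command-line tool is installed), the following shell script issues a short-lived client certificate signed by a CA on the consumer side, then performs the checks the flow relies on at the Gateway side: the certificate must chain to the trusted CA and still be within its validity period before its subject is extracted for mapping to a user. A certificate issued by a CA the Gateway does not trust is rejected.

```shell
#!/bin/sh
# Added example (not SAP code): short-lived client certificate issuance and the
# Gateway-side trust check and subject-to-user mapping, done with openssl.
# All names, paths and the one-day validity are constructed for the demo.
set -e

WORK="$(mktemp -d)"   # scratch directory for keys and certificates

# Consumer side: create a CA. The Gateway must trust this CA, so its
# private key must be kept secure on the consumer side.
make_ca() {
  name="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.pem" \
    -subj "/CN=$name" >/dev/null 2>&1
}

# Consumer side: issue a short-lived client certificate for a user
# (subject CN = user name) signed by the given CA; $3 is validity in days.
issue_client_cert() {
  user="$1"; ca="$2"; days="$3"
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$user.key" -out "$WORK/$user.csr" \
    -subj "/CN=$user" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$user.csr" \
    -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -days "$days" -out "$WORK/$user.pem" >/dev/null 2>&1
}

# Gateway side: accept the certificate only if it chains to the trusted CA
# and has not expired, then print the subject CN that is mapped to a user.
# Prints REJECT and returns 1 otherwise.
gateway_map_user() {
  certfile="$1"; trusted_ca="$2"
  # Chain check against the CA the Gateway trusts (verify also checks dates)
  if ! openssl verify -CAfile "$WORK/$trusted_ca.pem" "$certfile" >/dev/null 2>&1; then
    echo "REJECT"; return 1
  fi
  # Explicit validity-window check: -checkend 0 fails if already expired
  if ! openssl x509 -in "$certfile" -noout -checkend 0 >/dev/null 2>&1; then
    echo "REJECT"; return 1
  fi
  # Extract the CN from the subject; this is the value mapped to the user
  openssl x509 -in "$certfile" -noout -subject | sed -n 's/.*CN *= *//p'
}

# Demonstration run: the trusted CA issues alice a one-day certificate and
# the Gateway maps it to the user name "alice".
make_ca trusted-ca
issue_client_cert alice trusted-ca 1
echo "mapped user: $(gateway_map_user "$WORK/alice.pem" trusted-ca)"
```

The rejection path is the important one for a deployment: if the Gateway trusted any CA that happened to be reachable, anyone able to sign a certificate with an arbitrary subject could impersonate a mapped user, which is why the page insists that the signing CA be stored securely on the consumer side and be the only one the Gateway trusts for this mapping.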