Show TOC

7.6 ICF Configuration Locate this document in the navigation structure

 

As NWBC is an HTTP-based application framework, it also supports the usual security concepts as they are offered in the Internet Communication Framework (ICF). For more information, see ICF Scenarios.

Whenever NWBC (as a shell, not the content area) accesses the ABAP server, this is handled by the NWBC HTTP handler CL_NWBC_HTTP. You can find this handler in the ICF service tree (transaction SICF), under /sap/bc/nwbc. To allow the NWBC to access the server, the corresponding node has to be active in the ICF tree. For more information, see 4.2 Active Services in the ICF.

In addition, there is an external alias /nwbc defined and shipped that points directly onto the ICF path /sap/bc/nwbc. This alias can also be security-relevant, but not for access control. For more information, see External Aliases.

For security reasons, the only services that should be active in the HTTP service tree are those services that are really needed. If you activate nodes at a higher level, this means that the whole part of the service tree below this level is also active and accessible via HTTP. For more information, see Activating and Deactivating ICF Services.

The second security-relevant aspect of the ICF nodes are all logon configurations that are handled via the ICF layer. For more information, see Maintaining Logon Procedures.

Caution Caution

Note that this ICF node only controls access of the NWBC shell to the server, it does not control or enforce any access that an application might need to have to run. This is controlled by the different relevant frameworks.

For example, for Web Dynpro ABAP applications a large number of additional ICF nodes need to be activated. For more information, see Active Services in SICF.

Similarly, if other types of applications, such as BSPs or BI are loaded, their relevant ICF nodes also need to be active.

End of the caution.

Below the nwbc node in the ICF tree, there are some special nodes, which are explained in detail in 4.2 Active Services in the ICF. From a security viewpoint, the following nodes play a role:

Node

Security-Relevance

/sap/bc/nwbc

Must be active to use productively.

/nwbc

Should be available to use productively.

/sap/bc/nwbc/nwbc_launch

We recommend that this node be deactivated.

/sap/bc/nwbc/nwbc_test

We highly recommend that this node be deactivated.

/sap/bc/nwbc/nwbc_testcanvas

We highly recommend that this node be deactivated.

/sap/bc/nwbc/nwbc_debug

We highly recommend that this node be deactivated.

/sap/bc/nwbc/exprt_sapportal

We recommend to deactivate this node, unless the functionality is explicitly used with an enterprise portal in your system landscape.

/sap/bc/nwbc/nwbc_ext2int

If you want to use the side panel, this node must be active.