Show TOC

Checking and Validating Requests from GWM ApplicationsLocate this document in the navigation structure

SAP Gateway can check and verify the semantically correct state of technical and business context (such as, the status of business objects, and interdependencies of arguments) supplied by the requests coming from GWM applications.

Checks and validations are applicable as follows:

  • Deploying and running applications securely in segmented networks.

  • Entries received through component interfaces.

When you develop GWM applications, you must decide whether semantic checks and validations are relevant for your applications.

Recommendation

We recommend that you implement semantic validation in the following cases:

  • Where checks and verifications on the Gateway hub are simple to implement, and do not require huge sets of replicated data.

  • Where the checks and validation can enormously improve performance, as no additional round-trip to the backend is required, because the request can be rejected, or answered on the Gateway hub (for use in cases where public data is requested frequently). This data can be replicated to the hub.

Implementation Proposal

Context

To support secure network setup, make sure that the following is met:

  • Base all network communications on the TCP/IP family of protocols.

  • The IPv6 protocol must be supported including privacy enhancements.

  • No addresses, including host names, IP addresses, port numbers, and any combination of these, must be hardcoded.

  • No IP addresses must be used as return and callback addresses in communication protocols, for example, FTP and DCOM.

  • Connection setup requests, such as, TCP SYN, shall always occur from one and from only the same peer.

  • For applications that are exposed to the Internet, a protocol boundary must exist between product components implementing input validation functions, and business logic functions.

    You should be able to run input validation functions, and business logic, on two separate hosts.

  • Applications on mobile devices must not act as a server listening on an open port, and accepting connection setup requests from clients.

  • Only client connections that have been initiated by mobile applications (authorized by the user), and the mobile platform's standard notification services must receive data and messages.