Recommended WS Security Scenarios

Use

We recommend a number of scenarios that combine authentication and transport guarantee mechanisms. The decision matrix below helps you decide which scenario to use in which situation.

The scenarios are divided by the logon mechanisms used for logging on to the WS provider system. Some scenarios use a fixed service user, while with others, the identity of the user logged on to the WS consumer system is propagated to the WS provider system (Single Sign-On). Single Sign-On is implemented using a number of techniques, depending on the authentication method in use.

Web Service messages can be passed through any number of connections and, potentially, a large number of intermediary stations. Point-to-point or connection-oriented security at the HTTP transport level may be insufficient or inappropriate for supporting this decoupled interaction. Security at the message level, on the other hand, guarantees security between the end points that is independent of the security used between the intermediary stations.

Decision Matrix

| Scenario (Authentication + Connection Security) | Single Sign-On (Propagation of the Identity of the WS User) | Security at Message Level | System Compatibility |
|---|---|---|---|
| SAML & WS-SecureConversation | X | X | SAP NetWeaver AS ABAP 7.0 |
| User ID and Password in HTTP Header & HTTPS | | | SAP NetWeaver Web AS 2004; SAP NetWeaver Application Server 7.0 |
| SAP Authentication Assertion Ticket & HTTPS | X | | SAP NetWeaver Web AS 2004; SAP NetWeaver Application Server 7.0 |
| X.509 SSL Client Certificate over HTTPS | | | SAP NetWeaver Web AS 2004; SAP NetWeaver Application Server 7.0 |
| WS-Security UsernameToken & WS-SecureConversation | | X | SAP NetWeaver AS ABAP 7.0 |
| WS-Security: Signature Authentication & Asymmetrical Encryption | | X | SAP NetWeaver Web AS 2004; SAP NetWeaver Application Server 7.0 |

Prerequisites

In all of the scenarios, the WS provider system must trust the credentials of the WS consumer system. The type of trust configuration depends on the security mechanisms in use.

Scenario Prerequisites

Scenario, with its prerequisites listed beneath:

SAML & WS-SecureConversation

- SSL Trust Relationship
  - Configuring the AS ABAP for Supporting SSL
  - Configuring the Use of SSL on the AS Java
- Configuring the SAP System to Accept SAML Assertions

SAP Authentication Assertion Ticket & SSL

- SSL Trust Relationship
  - Configuring the AS ABAP for Supporting SSL
  - Configuring the Use of SSL on the AS Java
- Logon
  - Configuring the AS ABAP to accept logon tickets
  - Using Logon Tickets with AS Java

WS-UsernameToken & WS-SecureConversation

- SSL Trust Relationship
  - Configuring the AS ABAP for Supporting SSL
  - Configuring the Use of SSL on the AS Java

User ID and password in the HTTP header & SSL

- SSL Trust Relationship
  - Configuring the AS ABAP for Supporting SSL
  - Configuring the Use of SSL on the AS Java

WS-Security: Signature authentication & asymmetrical encryption

- Signatures
  - Preparing the WS Consumer AS ABAP for Issuing the Signature
  - Preparing the WS Consumer AS Java for Issuing the Signature
  - Preparing the WS Provider AS ABAP for Accepting the Signature
  - Preparing the WS Provider AS Java for Accepting the Signature
  - Preparing the WS Provider AS ABAP for Signature Authentication
  - Preparing the WS Provider AS Java for Signature Authentication
- Encryption
  - Preparing the WS Consumer AS ABAP for Encryption
  - Preparing the WS Consumer AS Java for Encryption
  - Exporting an Encryption Certificate for the WS Provider AS ABAP
  - Exporting an Encryption Certificate for the WS Provider AS Java

X.509 SSL Client Certificate over HTTPS

- SSL Trust Relationship
  - Using the Secure Sockets Layer Protocol with the AS ABAP
  - Configuring the Use of SSL on the AS Java
- Logon: User Assignment for Certificate
  - Configuring the AS ABAP to use Client Certificates
  - Configuring the Use of Client Certificates for Authentication on the AS Java

 

 

 

 
