Network Security and Communication (SAP Library

Network Security and Communication

Using ICF Services

● To use the ICF to communicate with other systems, you must activate separately each individual service that you want use.

Note

Since each active service could potentially perform security-relevant functions in other systems, it is important that you only activate those services that you really need.

Using Virtual Hosts

Basically, it is possible for inbound HTTP requests to be redirected to another system using specific URL parameters.

To keep this function from being abused, you can use the Virtual Host concept of the ICF.

For this you need to create an ICF service tree of your own for each virtual host.

Using Trusted System Networks

If you use HTTP RFC destinations (RFC connection type H) for ICF communications with another SAP system, you can set up a Trusted System network, as with RFC communications.

In a scenario that consists of trusted systems, servers in one system trust servers from another system. Users in the first system (system A) who access the second system (system B), are not authenticated by passwords each time they access system B. System B trusts system A; this trust relationship allows system B to accept the user from system A without any further authentication. The user must have user accounts in both systems and gets the authorizations from the target system, in this case system B.

SAP Trusted System Network

This graphic is explained in the accompanying text

The benefit of this procedure is that users only need to authenticate themselves once when they communicate with trusting systems. No logon information needs to be sent across the network.

However, to guarantee the security of trusting systems, you must check the following prerequisites, which entail an increased amount of administration:

The systems must have the same level of security requirements. (This means they must represent a single ‘virtual’ SAP system.) Do not implement the trusted system concept between systems with very different levels of security requirements, for example, between your development system and your personnel system.
The systems must have a compatible user administration concept and share an authorization concept. Users who exist in one system must exist in all systems.

Only if you meet these requirements do we recommend the implementation of a trusted system concept.

More Information

● Virtual Hosts

● Setting Up a Trusted System Networks

● ICF Communication Using SSL