Making a Web Service Secure 
Security is one of the main prerequisites when using Web services in an enterprise. Security measures generally concern both the protection of individual servers through authentication, authorization, and encryption and the sealing off of an internal infrastructure using firewalls. Security measures for integrated e-business scenarios must be more diverse since they concern the protection of individual services and data.
The settings described below for Web Services in the AS ABAP are default values for setting the runtime configuration in SOA Management (transaction SOAMANAGER) or, if available, in the SAP NetWeaver Administrator.
When designing Web services, you can specify the minimum security settings for the appropriate Web service.
In the runtime configuration, it is not possible to fall below these values.
The pre-settings are displayed at configuration time in SOA Management or in the SAP NetWeaver Administrator.
You can create security at the transport level.
HTTPS sets up an encrypted connection between the client and the server and is suitable for simple situations, for example, when a client communicates directly with a single server. Every single message that is exchanged is sent through an encrypted channel.
This feature of HTTPS, whereby each message is encrypted, has two disadvantages.
Firstly, many messages have to be encrypted and decrypted on a single server simultaneously. This can have a negative effect on system performance. Furthermore, the information provided using a Web service is not always confidential and therefore does not always have to be encrypted.
Secondly, a SOAP interaction is not always a direct connection. More than two SOAP nodes can be involved. The additional intermediate nodes obtain information about actions to be executed from the SOAP header. This is not possible in the case of a complete encryption using HTTPS.
For more information, see: Transport Security for Web Services (AS ABAP)
Security at message level is possible through an encryption and signature concept. Here, not the transport channel but the message itself is protected.
WS Security describes a security model based on SOAP message transmission.
To use a Web service, the user (or another client) sends a document to a server using the SOAP protocol. It is sent through the network using the HTTP protocol. Document transmission is safeguarded through the use of HTTP or SSL, or by applying signatures and/or encryption to SOAP documents using OASIS WS Security.
For more information, see: Authentication for Web Services (AS ABAP)
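The following added example (not SAP code and not part of the original page) shows the difference described above: with message-level protection, a node that holds no decryption key can still read header information while the body stays encrypted, and a receiver can check a message against minimum settings. The WS-Addressing Action header as the routing information, the `urn:example` names, the sample messages, and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())

# Constructed sample messages; signature and cipher values are placeholders.
PROTECTED = f"""<soap:Envelope {XMLNS}>
  <soap:Header>
    <wsa:Action>urn:example:CreateOrder</wsa:Action>
    <wsse:Security><ds:Signature>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature></wsse:Security>
  </soap:Header>
  <soap:Body><xenc:EncryptedData><xenc:CipherData>
    <xenc:CipherValue>PLACEHOLDER</xenc:CipherValue>
  </xenc:CipherData></xenc:EncryptedData></soap:Body>
</soap:Envelope>"""
PLAIN = f"""<soap:Envelope {XMLNS}>
  <soap:Header><wsa:Action>urn:example:CreateOrder</wsa:Action></soap:Header>
  <soap:Body><order xmlns="urn:example"><item>4711</item></order></soap:Body>
</soap:Envelope>"""


def inspect_envelope(xml_text):
    """Report what a node without any decryption key can read from the message."""
    root = ET.fromstring(xml_text)
    body = root.find("soap:Body", NS)
    children = list(body) if body is not None else []
    return {
        # Routing information stays readable in the header.
        "action": root.findtext("soap:Header/wsa:Action", namespaces=NS),
        # Presence only: verifying the signature needs keys and a WS-Security stack.
        "signed": root.find("soap:Header/wsse:Security/ds:Signature", NS) is not None,
        "body_encrypted": len(children) == 1
        and children[0].tag == f"{{{NS['xenc']}}}EncryptedData",
    }

def policy_violations(info, require_signature=True, require_encryption=True):
    """Compare a message against minimum settings; an empty list means it passes."""
    problems = []
    if require_signature and not info["signed"]:
        problems.append("signature missing")
    if require_encryption and not info["body_encrypted"]:
        problems.append("body not encrypted")
    return problems
```

The check is structural only: it confirms that a signature and an encrypted body are present, not that the signature is valid or that the key is trusted.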
Administration authorization for Web services is assigned to all user roles.
For more information, see: Authorizations
Configure Web services at runtime in SOA Management (transaction SOAMANAGER).
For more information, see: Runtime Configuration with the SOA Manager.