SAP Mobile Platform Security Architecture

SAP Mobile Platform uses standard HTTPS protocol to integrate into your existing security landscape.

SAP Mobile Platform provides seamless end-to-end authentication and security policy integration across the platform without proxies or intermediary configurations. SAP Mobile Platform Server allows you to configure end-to-end authentication from the client to the back end without a VPN. The server uses the standard HTTPS protocol to integrate into your existing security landscape without disruption.

Secure Network Communications

SAP Mobile Platform secures all network communications across the enterprise by using HTTPS for all communications.

On the server side, SAP Mobile Platform Server uses <SMP_HOME>\Server\configuration\smp_keystore.jks as its Java keystore for the server certificate and as the truststore for CA certificates. The X.509 User Certificate authentication provider verifies that the certificate presented by the client is within its validity period and is signed by a trusted CA from this keystore. You may optionally configure OCSP or CRL checking for certificate revocation.

On the client side, the client validates the server certificate: it must be within its validity period, the CN of the server's subject must match the host.domain from the HTTPS request, and it must be signed by a CA that is in the truststore for the device. SAP Mobile Platform does not support certificate revocation checking on the clients, SAP client applications overriding these certificate checks, or users optionally trusting a certificate that has failed these checks.

The SAP Mobile Platform keystore may also contain user certificates used to authenticate to back-end systems. HTTPS connections to back-end systems go through the same standard validations on their server certificates.
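The following Java program is an added example, not SAP code, that models the three checks described above (validity period, chain to a trusted CA held in the JKS truststore, and the client-side CN-equals-host.domain rule) with the standard JDK PKIX APIs, with revocation checking off unless the caller turns it on. The keystore path, password and certificate file are command-line arguments you supply; the class name and method names are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Illustrative (not SAP's) validation that mirrors the rules described above:
 * a presented X.509 certificate must be inside its validity period and chain
 * to a CA stored as a trusted entry in the JKS truststore. Revocation checking
 * (CRL, plus OCSP) stays off unless the caller enables it.
 */
public final class CertificateTrustCheck {

    /** Collect every trusted-certificate entry in the JKS as a PKIX trust anchor. */
    static Set<TrustAnchor> loadTrustAnchors(String jksPath, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(jksPath)) {
            ks.load(in, storePassword);
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            // Only certificate entries are trusted CAs; key entries are the server's own identities.
            if (ks.isCertificateEntry(alias)) {
                Certificate c = ks.getCertificate(alias);
                if (c instanceof X509Certificate) {
                    anchors.add(new TrustAnchor((X509Certificate) c, null));
                }
            }
        }
        if (anchors.isEmpty()) {
            throw new IllegalStateException("truststore holds no trusted CA certificates: " + jksPath);
        }
        return anchors;
    }

    /**
     * Validate a chain (leaf first, then any intermediates) against the truststore.
     * Throws on an expired/not-yet-valid date, a broken chain or a bad signature;
     * returns the trust anchor the chain ended at otherwise.
     */
    static TrustAnchor validate(List<X509Certificate> chain, Set<TrustAnchor> anchors,
                                boolean checkRevocation) throws Exception {
        for (X509Certificate c : chain) {
            c.checkValidity(); // CertificateExpiredException / CertificateNotYetValidException
        }
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(checkRevocation); // CRL lookups via the certificate's distribution points
        if (checkRevocation) {
            Security.setProperty("ocsp.enable", "true"); // JDK property: also consult OCSP responders
        }
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) validator.validate(path, params);
        return result.getTrustAnchor();
    }

    /** Client-side rule: the subject CN must equal the host.domain from the HTTPS request. */
    static boolean subjectCnMatchesHost(X509Certificate serverCert, String hostDomain) {
        // RFC 2253 form, e.g. "CN=smp.example.com,O=Example"; a plain split is enough for
        // such DNs but would mis-parse a CN containing an escaped comma.
        String dn = serverCert.getSubjectX500Principal().getName();
        for (String rdn : dn.split(",")) {
            String part = rdn.trim();
            if (part.regionMatches(true, 0, "CN=", 0, 3)) {
                return part.substring(3).equalsIgnoreCase(hostDomain);
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: <truststore.jks> <password> <cert.pem-or-der> [checkRevocation]
        String jks = args[0];              // e.g. <SMP_HOME>\Server\configuration\smp_keystore.jks
        char[] pw = args[1].toCharArray();
        X509Certificate presented;
        try (InputStream in = new FileInputStream(args[2])) {
            presented = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        boolean revocation = args.length > 3 && Boolean.parseBoolean(args[3]);
        try {
            TrustAnchor anchor = validate(Collections.singletonList(presented), loadTrustAnchors(jks, pw), revocation);
            System.out.println("trusted via CA: " + anchor.getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("rejected: " + e.getReason() + " - " + e.getMessage());
        }
    }
}
```

Run it with the fourth argument set to true to see the effect of enabling revocation checking: a certificate whose CRL or OCSP responder cannot be reached is then rejected rather than accepted, which is the operational trade-off behind making that check optional on the server and unsupported on the clients.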

Common Security Infrastructure

SAP Mobile Platform uses Common Security Infrastructure (CSI). The CSI provides:
  • Authentication – making sure the connecting users are who they claim to be
  • Role mapping – assigning users to SAP Mobile Platform defined logical roles

Authentication Mechanisms

In SAP Mobile Platform, supported authentication mechanisms include basic authentication, SSO (including SiteMinder), and X.509 certificates. The following figure illustrates how data flows from the device to the back end using common SAP Mobile Platform security constructs, for example SiteMinder, SAP SSO2 tokens, and the HTTP/HTTPS authentication provider.

Figure: SAP Mobile Platform Security Authentication Mechanisms and Data Flow

Communication Process

The following figure illustrates the SAP Mobile Platform communication process before any data is sent to the mobile application:
  1. Establishes Transport Encryption when the client connects with SAP Mobile Platform
  2. Verifies application registration (App ID)
  3. Performs SAP Mobile Platform Server authentication

Figure: SAP Mobile Platform Security Communication Process