Security Guide SAP Web Channel Experience Management 3.

0
Target Audience J2? System administrators J2? Technology consultants J2? Security consultants

CUSTOMER J2OT-'<d~k|9VB;{47j )YB'!Z

Document History

CAUTION

Before you start the implementation, make sure you have the latest version of this document. You can find the latest version on SAP Service Marketplace at http://service.sap.com/ securityguide or at http://service.sap.com/wec-inst. The following table provides an overview of the most important document changes:
Version Date Description

1.0 1.1 1.2 1.3 1.4

2012-11-29 2012-12-05 2013-01-10 2013-01-16 2013-02-07

Initial Version Restructuring done to make what was previously section 15.9 into chapter 16 Security Checklist. Addition of reference to SAP Note 1029819 to chapter 2.2 Important SAP Notes. Correction in section 12.4.1 Restricting Access to the Administration Area of Web Channel Applications. Addition of caution in section 8.1.1.1 HTTPS Switch.

2/118

CUSTOMER

2013-02-07

Table of Contents

Chapter 1 1.1 1.2 Chapter 2 2.1 2.2 2.3 Chapter 3 Chapter 4 4.1 4.2 4.2.1 4.2.2 4.2.3 4.2.3.1 4.2.3.2 4.2.3.3 Chapter 5 5.1 5.1.1 5.1.2 5.1.2.1 5.1.2.2 5.2 5.2.1 5.2.2 5.2.3 5.2.3.1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Why Is Security Necessary? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Overview of the Guide's Main Sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Before You Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Fundamental Security Guides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Important SAP Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 13 13 14

Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Security Aspects of Data, Data Flow, and Processes . . . . . . . . . . . . . . . . . General Data Flow of Web Channel Applications . . . . . . . . . . . . . . . . . . . . . . . Data and Data Flow of Specific Web Channel Functionality . . . . . . . . . . . . . . . Web Channel Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Product Catalog and Product Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . Product Catalog: Browsing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Product Catalog: Adding to the Shopping Cart . . . . . . . . . . . . . . . . . . . . . . . . Product Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . User Administration and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . User Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Internet User Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Web Shop Customers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Web Channel Builder Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Service User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Administration User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Internet User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . UME Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 17 18 18 18 19 19 20 21 23 23 23 24 24 26 26 26 27 27 27

2013-02-07

CUSTOMER

3/118

5.2.3.2 5.2.3.3 5.2.3.4 5.2.3.5 5.3 5.3.1 5.3.1.1 5.3.1.2 5.3.1.3 5.3.1.4 5.3.2 5.3.3 5.4 5.5 5.5.1 5.6 Chapter 6 6.1 6.1.1 6.1.1.1 6.1.1.2 6.1.1.3 6.1.1.4 6.1.1.5 6.1.2 6.1.2.1 6.1.2.2 6.1.2.3 6.1.2.4 6.2 6.2.1 6.2.2 6.2.3 6.2.3.1 6.2.3.2 6.2.3.3

Web Channel Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Follow-On Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . User Identification Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Early Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . User Administration Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Service Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Web Channel Builder Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Web Shop Customers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . User Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Users Relevant for Web Channel Applications . . . . . . . . . . . . . . . . . . . . . . . . . User Data Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Integration into Single Sign-On (SSO) Environments . . . . . . . . . . . . . . . . . . . Secure Network Communications (SNC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . User Management Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authorization Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Roles and Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Predefined User Roles on SAP NetWeaver AS ABAP . . . . . . . . . . . . . . . . . . . . . Predefined User Roles on SAP NetWeaver MDM . . . . . . . . . . . . . . . . . . . . . . . Predefined User Role on SAP NetWeaver AS Java . . . . . . . . . . . . . . . . . . . . . . . Additional Aspects of Web Channel User Roles . . . . . . . . . . . . . . . . . . . . . . . . Authorization Proposals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SU24 Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Service Name Prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Web Channel Module ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Service Name Suffix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authorization Trace Activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Standard Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Critical Authorizations and Combinations . . . . . . . . . . . . . . . . . . . . . . . . . . . Special Web Channel Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . Document Authorization Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Web Channel Builder Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authorization Values of Different Web Channel Builder User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

28 28 28 29 29 29 29 30 30 33 34 34 36 37 37 37 39 39 39 39 43 44 45 45 47 48 48 48 49 49 49 51 52 53 54 55

4/118

CUSTOMER

2013-02-07

6.2.3.4 6.2.3.5 6.2.4 6.2.4.1 6.2.4.2 Chapter 7 7.1 7.1.1 7.1.1.1 7.1.1.2 7.1.2 Chapter 8 8.1 8.1.1 8.1.1.1 8.1.1.2 8.1.1.3 8.1.1.4 8.2 8.2.1 8.2.2 8.3 8.3.1 8.3.1.1 8.3.2 Chapter 9 9.1 9.1.1 9.1.2 9.1.2.1 9.1.2.2 9.1.2.3 9.1.2.4 9.1.3

Authorizations Required for Setting Certain Request URL Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authorizations for Development, Testing, and Support . . . . . . . . . . . . . . . . . Business Object Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authorizations Based on the Access Control Engine in SAP CRM . . . . . . . . . . Business Object Access Control in SAP ERP . . . . . . . . . . . . . . . . . . . . . . . . . . . Session Security Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Session Security Protection on SAP NetWeaver AS Java . . . . . . . . . . . . . . . . . . Recommended Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Switch to HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HTTPS for Whole Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Session Security Aspects of the Product Catalog . . . . . . . . . . . . . . . . . . . . . . . Network and Communication Security . . . . . . . . . . . . . . . . . . . . . . . . . . . Communication Channel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HTTPS for Web Channel Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HTTPS Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HTTPS Servlet Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Grace Period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HTTPS in the Administration Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Communication Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RFC Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Automatic Creation of Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SAP NetWeaver MDM Destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Data Storage Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Storage Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SAP Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HTTPSRequired Cookie . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . COMSAPWECUM01 Cookie . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Java Cart Cookie (recoverCart) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Additional Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Database of SAP NetWeaver AS Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

56 57 57 57 57 59 59 59 60 60 61 63 63 65 65 66 67 68 69 69 70 70 70 72 72 75 75 75 75 76 76 77 77 78

2013-02-07

CUSTOMER

5/118

9.1.4 9.1.5 9.1.6 9.1.7 9.1.8 Chapter 10 10.1 10.2 10.3 10.4 10.5 10.5.1 10.5.2 10.6 10.6.1 10.6.2 10.6.3 10.7 10.8 10.9 10.10 10.11 10.12 10.13 Chapter 11 11.1 11.2

Secure Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Encryption of Payment Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Encryption of Gift Card Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Customer-Specific List Price . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Web Application Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HTTP Request Serialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Cross Site Scripting (XSS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Input Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Session Riding: Cross Site Request Forgery (XSRF) . . . . . . . . . . . . . . . . . . . . . File Uploads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Virus Scanning for Uploaded Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Upload of Attachments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Cookie Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Secure Cookie Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HttpOnly Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Application Cookie Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Session Fixation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Fast Session Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Distributed Denial-of-Service Attacks (DDOS) . . . . . . . . . . . . . . . . . . . . . . . . . URL Session Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ZIP Bombs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Autocompletion Attribute of UI Components . . . . . . . . . . . . . . . . . . . . . . . . . Clickjacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

78 78 79 79 79 81 81 81 82 83 85 85 86 86 86 86 87 87 88 88 88 88 89 89

Security for Additional Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Integrating Payment Service Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Securing the Communication Between the Back-End System and SAP NetWeaver MDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Other Security-Relevant Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . Security-Relevant Module Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Web Channel Builder (WECB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Web Channel Builder Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Application Preview in Web Channel Builder . . . . . . . . . . . . . . . . . . . . . . . . . . Web Channel Builder Password Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Web Channel Builder Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 93 93 93 94 95 95

Chapter 12 12.1 12.2 12.2.1 12.2.2 12.2.3 12.2.4

6/118

CUSTOMER

2013-02-07

12.2.5 12.3 12.3.1 12.3.2 12.3.3 12.3.4 12.3.5 12.3.6 12.4 12.4.1 12.5 12.5.1 12.6 12.6.1 12.6.2 12.6.3 12.6.4 12.6.5 12.6.6 12.6.7 12.6.8 12.6.9 Chapter 13 Chapter 14 14.1 14.2 14.3 Chapter 15 15.1 15.1.1 15.1.2 15.2 15.3 15.4

Web Channel Builder Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Web Channel User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 User Management Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Self-Registration Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Forgotten Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Guest User Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Digitally-Signed E-Mails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Web Channel Administration Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Restricting Access to the Administration Area of Web Channel Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Security-Relevant Information for Other Web Channel Modules . . . . . . . . . . 98 Java Cart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Additional Security Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 JavaScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 AJAX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Theme Server Location and HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 Search Engine Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 Web Application ID (WEC-APPID) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 Error Page and Runtime Error Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 URL Parameter wec-debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Exception Hierarchy and Mapping to Error Pages . . . . . . . . . . . . . . . . . . . . . . 101 Dynamic UI Help Texts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 Payment Card Security According to PCI-DSS . . . . . . . . . . . . . . . . . . . . . 103 Security Logging and Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Web Channel Log and Trace Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Session Trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Excluding Sensitive Data from Session Tracing . . . . . . . . . . . . . . . . . . . . . . . Web Service Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authentication Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Communication Channel Security: Force HTTPS . . . . . . . . . . . . . . . . . . . . . Error Handling: Project Stage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Logging and Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 105 105 106 107 107 107 108 109 109 110

2013-02-07

CUSTOMER

7/118

15.5 15.6 15.7 15.8 Chapter 16

Session Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authorization Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Cross-Site Request Forgery Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

110 111 112 112

Security Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

8/118

CUSTOMER

2013-02-07

1 1.1

Introduction Why Is Security Necessary?

1 Introduction

CAUTION

This guide does not replace the administration or operation guides that are available for productive operations. This document is not included as part of the installation guides, configuration guides, technical operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software lifecycle, whereas security guides provide information that is relevant for all lifecycle phases.

1.1 Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, security demands are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These security demands also apply to SAP Web Channel Experience Management (Web Channel). Web Channel allows you to do your business over the Internet. Security is therefore important, because any business-related information can be accessed and your application can be the target of many different attack scenarios. The following table provides an overview of some attack scenarios and references to subsections that contain details on how to protect your application:
Attack Scenarios Attack Type Description Relevant Subsections

Broken access control

Authenticated users are not required to perform User Administration and restrictions on the activities. Authentication Data Storage Security Other Security-Relevant Information Broken authentication The account credentials and session tokens may Network and Communication and session management not be properly protected. As a result, attackers Security can overcome authentication restrictions to access passwords, keys, session cookies, or other tokens and assume other users identities. Storage that is not secure Data stored in the files is not protected Data Storage Security accordingly.

2013-02-07

CUSTOMER

9/118

1 1.1

Introduction Why Is Security Necessary? Description Relevant Subsections

Attack Type

Distributed denial-ofDDOS attacks service (DDOS) Cross-site request forgery Cross-site request forgery, also known as a oneattack click attack or session riding and abbreviated as CSRF (pronounced sea-surf) or XSRF, is a type of malicious violation of a Web site whereby unauthorized commands are transmitted from a user that the Web site trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. For more information, see https://www.owasp.org/index.php/CrossSite_Request_Forgery_(CSRF). Cross-site scripting Cross-site scripting (XSS) attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted Web sites. Cross-site scripting attacks occur when an attacker uses a Web application to send malicious code, generally in the form of a browser side script, to a different end user. For more information, see https://www.owasp.org/ index.php/Cross-site_Scripting_(XSS). Session Fixation Session fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the Web application manages the session ID, more specifically the vulnerable Web application. When authenticating a user, it doesnt assign a new session ID, making it possible to use an existing session ID. The attack consists of inducing a user to authenticate himself with a known session ID, and then hijacking the user-validated session by the knowledge of the used session ID. The attacker has to provide a legitimate Web application session ID and try to make the victim's browser use it. The session fixation attack is a class of session hijacking, which steals the established session between the client and the Web server after the user logs in. Instead, the session fixation attack fixes an established session on the victim's browser, so the attack starts before the user logs in. For more information, see https:// www.owasp.org/index.php/Session_fixation.

Other Security-Relevant Information Web Application Security

Web Application Security

Session Security Protection Web Application Security

To assist you in securing Web Channel scenarios and applications, we provide this security guide.

10/118

CUSTOMER

2013-02-07

1 1.2

Introduction Overview of the Guide's Main Sections

1.2 Overview of the Guide's Main Sections

The security guide contains the following main sections: > Before You Start This section contains information about why security is necessary, how to use this document, and references to other security guides that build the foundation for this security guide. > Technical System Landscape This section provides an overview of the technical components and communication paths that are used by Web Channel applications. > Security Aspects of Data, Data Flow, and Processes This section provides information on data and data flows for Web Channel applications. > User Administration and Authentication This section provides an overview of the following user administration and authentication aspects: Q Recommended tools to use for user management Q User types that are required by Web Channel applications Q Standard users that are delivered with Web Channel applications Q Overview of the user synchronization strategy, if several components or products are involved Q Overview of how integration into single sign-on environments is possible > Authorization This section provides an overview of the authorization concept that applies to Web Channel applications. > Session Security Protection This section provides session security protection information including recommended settings, details on in-session switching from HTTP to HTTPS, and security information pertaining to the product catalog. > Network and Communication Security This section provides an overview of the communication paths used by Web Channel and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level. > Data Storage Security This section provides an overview of any critical data that is used by Web Channel applications and the security mechanisms that apply. > Web Application Security This section provides security information that applies to Web applications. The section includes countermeasures for specific attack scenarios. > Security for Additional Applications This section provides security information that applies to applications that are used with Web Channel applications.

2013-02-07

CUSTOMER

11/118

1 1.2

Introduction Overview of the Guide's Main Sections

,l Other Security-Relevant Information This section contains information about Web Channel application security that was not covered in the previous sections. ,l Payment Card Security According to PCI-DSS This section provides information about payment card security. ,l Security Logging and Tracing This section provides an overview of the trace and log files that contain security-relevant information, for example, so you can reproduce activities if a security breach occurs. ,l Web Service Security This section provides security information relevant for Web Channel Web services. ,l Security Checklist This section provides an overview of the tasks required to ensure Web Channel application security.

12/118

CUSTOMER

2013-02-07

2 2.1

Before You Start Fundamental Security Guides

2 Before You Start

2.1 Fundamental Security Guides

SAP Web Channel Experience Management uses a framework that provides logic composition capabilities to expose functionality from a SAP CRM or SAP ERP back end in Web Channel applications. Web Channel applications based on SAP CRM can include e-commerce, e-service, and e-marketing functionality. With SAP ERP, the functionality is restricted to e-commerce. To enable Web Channel scenarios, Web Channel applications leverage different components such as the Internet Pricing and Configuration Engine (IPC), or product catalogs on SAP NetWeaver Master Data Management (SAP NetWeaver MDM) servers. Furthermore, third-party products for knowledge management and other functionality can be included. Web Channel application scenarios are built using ABAP functionality (RFC function modules) on the SAP CRM or SAP ERP server and Java-based functionality on the SAP NetWeaver Application Server Java (SAP NetWeaver AS Java). The Java-based applications on the SAP NetWeaver AS Java provide the user interface that is based on Java Server Faces (JSF). The corresponding security guides also apply to the Web Channel applications. The most relevant sections or specific restrictions are listed in the following table:
Fundamental Security Guides Scenario-, Application-, or Component Security Guide Guide
http://service.sap.com/securityguide http://service.sap.com/securityguide

SAP NetWeaver AS Java/ABAP SAP CRM SAP ERP SAP NetWeaver MDM Product Catalog

SAP NetWeaver SAP Business Suite SAP Business Suite SAP NetWeaver SAP

Applications Applications

SAP CRM SAP ERP

http://service.sap.com/securityguide

http://service.sap.com/securityguide

NetWeaver MDM

For a complete list of the available SAP Security Guides, see SAP Service Marketplace at http:// service.sap.com/securityguide.

2.2 Important SAP Notes

The SAP Notes that are relevant to the security of Web Channel are listed in the following table:

2013-02-07

CUSTOMER

13/118

2 2.3

Before You Start Additional Information Title

SAP Note

891659 77503 1029819

Composite Security Note: AS Java Audit Information System Encryption of payment cards in SD and customer master

You can also find a list of security-relevant SAP Hot News and SAP Notes on SAP Service Marketplace at http://service.sap.com/securitynotes.

2.3 Additional Information

For more information about specific topics, see the relevant documents on SAP Service Marketplace, as listed in the following table:
Content SAP Service Marketplace Address
http://service.sap.com/security http://service.sap.com/securityguide http://service.sap.com/notes http://service.sap.com/platforms http://service.sap.com/securityguide http://service.sap.com/solutionmanager

Security Security Guides Related SAP Notes Released Platforms Network Security SAP Solution Manager

14/118

CUSTOMER

2013-02-07

Technical System Landscape

3 Technical System Landscape

The figure below shows an overview of the technical system landscape for Web Channel.

&M+gVa@Technical System Landscape

Web Channel applications are deployed to SAP NetWeaver AS Java and run in the Web Container of SAP NetWeaver AS Java. Different back-end systems can be used to run the business logic. Standard Web Channel supports the SAP CRM or SAP ERP back ends. The SAP NetWeaver MDM server provides the product catalog functionality.

2013-02-07

CUSTOMER

15/118

Technical System Landscape

?iE$Web Channel UI Based on Java Server Faces

The Web Channel UI is based on Java Server Faces 2.0, with Apache MyFaces 2.1.7 and Velocity templates being used for UI rendering.. AJAX capabilities are provided using jQuery library. Web Channel applications can run in different Web browsers. Web Channel applications are called via HTTP and HTTPS. Connections to the back-end system are built via RFC using the SAP Java Connector (JCo). The destination information is maintained in the destination service of SAP NetWeaver AS Java. Web Channel Builder (WECB) is used to configure Web Channel applications. To allow application support and monitoring, each Web Channel application provides an Administration area. For more information about the technical system landscape, see the resources listed in the following table:
Topic Guide/Tool Quick Link to the SAP Service Marketplace
http://service.sap.com/wec-inst

Technical description for Web Channel and Master Guide the underlying components such as SAP NetWeaver Installation Guide for Web Channel Installation Guide High availability High Availability for SAP Solutions Technical landscape design Security See applicable documents

http://service.sap.com/wec-inst http://sdn.sap.com/irj/sdn/ha

http://sdn.sap.com/irj/sdn/ landscapedesign http://sdn.sap.com/irj/sdn/security

16/118

CUSTOMER

2013-02-07

4 4.1

Security Aspects of Data, Data Flow, and Processes General Data Flow of Web Channel Applications

4 Security Aspects of Data, Data Flow, and Processes

4.1 General Data Flow of Web Channel Applications

The figure below shows an overview of the data flow for Web Channel applications using a SAP CRM back-end system:

Uo(R5&-`Data Flow for Web Channel Applications with SAP CRM Back End

The table below shows the security aspect to be considered for the process step and what mechanism applies:
Step Description Security Measure

1 2

User Submits Form Process Business Data

3 4 5 6

Return Data Return 302 Response Perform Redirect Display Result

Communication protocol HTTPS RFC based on destination using the current SAP NetWeaver AS Java User Management Engine (UME) user User Type: Dialog User SNC Not applicable Not applicable Communication protocol HTTPS Communication protocol HTTPS

2013-02-07

CUSTOMER

17/118

4 4.2

Security Aspects of Data, Data Flow, and Processes Data and Data Flow of Specific Web Channel Functionality

4.2 Data and Data Flow of Specific Web Channel Functionality

This section describes the security aspects of data and data flow of the specific Web Channel processes.

4.2.1 Web Channel Builder

Web Channel Builder is used to create and maintain Web Channel application configurations. It also provides an approval process to allow distributed responsibilities for the release of application configurations. Initially the Web Channel configuration data is stored in the XML files below the CDM folder in the application WEB-INF folder. The configurations are transferred into the Java DB after the start of the application. Afterwards the Java DB is always used to store configuration data.

4.2.2 User Management

ydM42[
%Logon Data Flow Step Description Security Measure

1 2 3 4 5

User Submits Logon Form Check for Business Partner BP Available UME Authentication User Authenticated

Communication protocol HTTPS User type: Dialog (UME) user RFC based on destination SNC User type: Service user Not applicable Programmatic UME authentication (UME API call) Not applicable

18/118

CUSTOMER

2013-02-07

4 4.2 Step

Security Aspects of Data, Data Flow, and Processes Data and Data Flow of Specific Web Channel Functionality Description Security Measure

6 7 8 9 10

UME User Details Return User Details Get Business Partner Details Return BP Details Welcome User

Programmatic UME API call Not applicable RFC based on destination SNC User type: Dialog user Not applicable Not applicable

4.2.3 Product Catalog and Product Registration

The figure below provides an overview of the systems involved in the data flow for the product catalog and product registration.

f+0K?k`
Product Catalog

4.2.3.1 Product Catalog: Browsing

The product catalog operates in the following modes: f Anonymous This allows non-registered users to browse the catalog. f Registered user This allows Internet users in the consumer and contact scenarios to browse the catalog.

2013-02-07

CUSTOMER

19/118

4 4.2

Security Aspects of Data, Data Flow, and Processes Data and Data Flow of Specific Web Channel Functionality

4.2.3.2 Product Catalog: Adding to the Shopping Cart

Web Channel provides the following options for shopping carts: ] Back-end cart With this option, the Web shop is configured with back-end functionality from either SAP CRM or SAP ERP. To add a product to the cart, the user must log on by either registering, or providing a user name and password. For more information, see User Administration Tools in the section User Management of this guide. ] Java cart With this option, the Web shop is configured with a Java cart, thereby reducing the load on the back end. With this scenario, logon is not required, although it is still possible, to add products, view, or modify cart contents. At checkout time, user logon is mandatory.

]t4A8e&#FrBack-End Cart

20/118

CUSTOMER

2013-02-07

4 4.2

Security Aspects of Data, Data Flow, and Processes Data and Data Flow of Specific Web Channel Functionality

V6/XsRJava Cart

4.2.3.3 Product Registration

V6/XsRProduct Registration

Product registration requires a user to be logged on.

2013-02-07

CUSTOMER

21/118

This page is left blank for documents that are printed on both sides.

5 5.1

User Administration and Authentication Users

5 User Administration and Authentication

Web Channel applications leverage the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver AS ABAP and Java. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide and the SAP NetWeaver Application Server Java Security Guide also apply to Web Channel applications. In addition to these guidelines, information about user administration and authentication that specifically applies to Web Channel applications is available in the following topics: v; User Management This topic lists the tools to utilize for user management, the types of users required, and the standard users that are delivered with Web Channel applications. v; User Data Synchronization v; Integration into Single Sign-On Environments This topic describes how Web Channel applications support single sign-on mechanisms.

5.1 Users 5.1.1 User Types

To use Web Channel applications, different users are needed, such as the following: v; Service users Service or technical users are used to access business functionality on the SAP CRM or SAP ERP back-end servers that can be used anonymously. These service users are maintained in the corresponding SAP NetWeaver AS Java destinations and are used to establish anonymous stateless or stateful connections to the back-end systems. v; Administrators Administrators are internal users who have the task to administer SAP NetWeaver AS Java and SAP NetWeaver AS ABAP. These users can use the Admin area of Web Channel applications. v; Reference users A reference user provides default authorizations to Internet users in the self-registration process. The user is not used for any dialog. v; Internet users

2013-02-07

CUSTOMER

23/118

5 5.1

User Administration and Authentication Users

Internet users are external or internal users who access the business functionality provided by Web Channel applications. For Web Channel applications, the following kinds of Internet users can be differentiated: dM Web shop customers To enable the usage of Web Channel business functions, Internet users of Web Channel applications are linked to business partners. Different Internet user models, dependent on the back-end system in use, exist for the Web Channel scenarios. dM Delegated user administrator Internet user with special authorizations to create and administer other Internet users for their company. dM Web Channel Builder users For the internally used Web Channel Builder application, internal users are needed. For this application no linkage to a business partner is needed.

5.1.2 Internet User Models

This section describes how the Internet users are modeled in the specific ABAP back-end system.
NOTE

If the User Management Engine (UME) used for authentication uses a different user persistency than the back-end system (for example LDAP or database), an additional UME user must exist in the UME data persistency. If Web Channel user management functionality is used to create and maintain users, this is managed. Additional UME users need to be created if other functionality (non-Web Channel) is used.

5.1.2.1 Web Shop Customers

Consumer Scenario

In the consumer scenario, the Internet user is linked to a business partner that represents a consumer. The realization of the business partner depends on the back-end system.

24/118

CUSTOMER

2013-02-07

5 5.1

User Administration and Authentication Users

m6)gMr]E[NSAP CRM Consumer Scenario

On the SAP CRM back end, the business partner is realized as a business partner with partner role Consumer. The linkage between the business partner and the SU01 user is built using the Central Person (table HRP1001).

m6)gMr]EQTq\SAP ERP Consumer Scenario

On the SAP ERP back end, the business partner is realized as a KNA1 customer. The linkage between the business partner and the SU01 user is built using the user object references (table USAPREF).
Contact Scenario

In the contact scenario, the Internet user is linked to a business partner that represents a contact person for one or more customers. How the business partner is realized depends on the back-end system.

2013-02-07

CUSTOMER

25/118

5 5.2

User Administration and Authentication User Authentication

d\VKgs%kM3)SAP CRM Contact Scenario

On the SAP CRM back end, partners with partner roles Contact Person and Sold-to-Party are used.

d\VKgs%kM3)SAP ERP Contact Scenario

On the SAP ERP back end, the contact person is equivalent to an entry in the KNVK table that is linked to a KNAI customer.

5.1.2.2 Web Channel Builder Users

Web Channel Builder (WECB) users do not need a business partner. In this case, only an SU01 user must exist on the back-end system used for the WECB application.

5.2 User Authentication 5.2.1 Service User Authentication

Service users are specified in the destinations used by Web Channel applications. The authentication of service users happens implicitly on SAP NetWeaver AS ABAP if a connection is established to the SAP CRM or SAP ERP back-end system based on the destination containing the service user.

26/118

CUSTOMER

2013-02-07

5 5.2

User Administration and Authentication User Authentication

5.2.2 Administration User Authentication

For the Web Channel Administration area of Web Channel applications, container-based authentication is used: In the Web descriptor, a security constraint is declared that secures the Web resources of the Web Channel Administration area. The default SAP NetWeaver AS Java authentication stack (ticket authorization) is used.

5.2.3 Internet User Authentication

Web Channel Internet user authentication consists of several authentication steps induced by the Internet user model that is used for a Web Channel application. The step sequence below does not reflect the sequence of processing at runtime. Web Channel provides two different user authentication approaches depending on the User Storage System settings: * UME authentication * Web Channel logon (ABAP logon)
NOTE

Only UME authentication provides single sign-on (SSO) support, as well as sufficient protection against session fixation attacks. For more information, see the following: * Integration into Single Sign-On Environments in this chapter * Session Security Protection chapter * Session Fixation in the Session Security Chapter

5.2.3.1 UME Authentication

Web Channel applications use their own logon views for authentication. The logon views are embedded into other Web Channel application pages. Consequently, the programmatic authentication of the User Management Engine (UME), located on SAP NetWeaver AS Java, is used to authenticate users. The programmatic authentication relies on the configured security policy of the Web Channel application. A policy configuration determines the logon views that are in the authentication stack, and any configurations that apply to that stack. For more information, see Authorization Concept of the AS Java: http://help.sap.com/saphelp_nw73/helpdata/en/48/c943f3825c581ce10000000a42189c/ frameset.htm.
NOTE

The policy configuration property can be specified for the application configuration in the User module of Web Channel Builder. The default value is Form, which defines a UME logon with a username and password, but without SSO support.

2013-02-07

CUSTOMER

27/118

5 5.2

User Administration and Authentication User Authentication

With the User module, container-based authentication is avoided. For this reason, do not enter any security constraints to the Web descriptor of Web Channel applications for common Web Channel Web resources. The programmatic authentication of the Web Channel applications relies on the security policy form or the corresponding logon module stack. For more information, see Policy Configurations and Authentication Stacks: http://help.sap.com/ saphelp_nw73/helpdata/en/99/f66e424925c253e10000000a1550b0/frameset.htm.

5.2.3.2 Web Channel Logon

With Web Channel logon, no UME logon takes place. Internet users are authenticated via RFC modules that call the ABAP Identity Management for authentication.
RECOMMENDATION

We recommend using UME authentication for Web Channel applications. In addition to the Web Channel logon, UME authentication enables the usage of session security protection on SAP NetWeaver AS Java. For more information, see the sections Session Security Protection and Communication Channel Security in this guide.

5.2.3.3 Follow-On Steps

: Authorization check (only valid for Web Channel Builder users) For Web Channel Builder, access is controlled by the authorization object COM_WEC_AP. The logon process is only successful if the Internet users have been granted the required authorization. : Business partner determination (only valid for Web shop customers) For Web shop customers of Web Channel applications, a business partner must be linked to the user. During the logon of a Web shop customer, the existence of a business partner is checked on the back-end system. The Web application is only usable if the required business partner exists.

5.2.3.4 User Identification Types

Web Channel supports the following user identification types: : User Name (based on UME and the SU01 user ID) : User Alias (based on the SU01 user alias) : E-Mail Address : Technical ID (for example, the Web shop customer ID) The user ID and user alias identification types are based on UME and SU01 user data, whereas e-mail address and technical ID are based on business partner data. If the user alias, e-mail address, or technical ID is used initially, the system retrieves the user ID related to the given identification. The user ID is

28/118

CUSTOMER

2013-02-07

5 5.3

User Administration and Authentication User Management

then used for the authentication with the given password. For example, when a user enters their email address, the system retrieves the business partner, and determines the related user object. The user ID of the user object is then used for authentication.
RECOMMENDATION

For optimal security, use the user ID or user alias instead of e-mail address or technical ID.

5.2.3.5 Early Logon

You can configure early logon for Web Channel applications in the User module of Web Channel Builder. When you enable this setting, Web shop customers must log on before they can enter the Web shop.

5.3 User Management

User management for Web Channel uses the mechanisms provided with SAP NetWeaver AS ABAP and SAP NetWeaver AS Java, for example, tools, user types, and password policies. For an overview of how these mechanisms apply to Web Channel applications, see the sections below. In addition, we provide a list of the standard users required for operating Web Channel applications.

5.3.1 User Administration Tools 5.3.1.1 Service Users

The table below shows the tools to use for the user management and user administration of service users.
Tool Detailed Description Prerequisites

Service user and role maintenance For more information, see User and with SAP NetWeaver AS ABAP Role Administration of Application Server (transactions SU01, PFCG) ABAP: http://help.sap.com/
saphelp_nw70ehp2/helpdata/en/ 52/671126439b11d1896f0000e8322d 00/frameset.htm.

Select the user type Service. User Management Engine with SAP For more information, see User NetWeaver AS Java Management Engine: http://
help.sap.com/saphelp_nw73/ helpdata/en/5b/ 5d2706ebc04e4d98036f2e1dcfd47d/ frameset.htm.

UME user persistency equals backend system, for example SAP CRM or SAP ERP.

2013-02-07

CUSTOMER

29/118

5 5.3

User Administration and Authentication User Management

5.3.1.2 Web Channel Builder Users

The table below shows the tools to use for user management and user administration of Internet (dialog) users of Web Channel Builder (WECB). The configuration of the user storage system determines whether a WECB user can be created using the Identity Management of SAP NetWeaver AS ABAP or/and SAP NetWeaver AS Java.
Tool Detailed Description Prerequisites

User and role maintenance with SAP NetWeaver AS ABAP (transactions SU01, PFCG) User Management Engine with SAP NetWeaver AS Java

For more information, see User and Role Administration of Application Server ABAP: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/ 52/671126439b11d1896f0000e8322d00/frameset.htm. Select the user type Dialog.

For more information, see User Management Engine: http://help.sap.com/ User storage system saphelp_nw73/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/ includes UME frameset.htm. If the user storage system is set to UME Only, it is sufficient to create the Internet user using SAP NetWeaver AS Java Identity Management. If the user storage system is set to ABAP and UME, the Internet user must be created using both SAP NetWeaver AS Java and SAP NetWeaver AS ABAP Identity Management.

5.3.1.3 Web Shop Customers

This section explains how to create and maintain Web shop customers.
Creating Web Shop Customers

You can create Web shop customers using either tool-based or manual methods. Tool-Based Creation The following options are available for tool-based creation of Web shop customers: lEQ User Self-registration This consists of Web shop customers using the registration guided activity to create their own Internet users in the configured user storage system. In the consumer scenario, registration is always available. In the contact scenario, you must enable registration in the User module in Web Channel Builder. As part of the procedure to enable registration, you must activate one of the following registration types: lE> With New Sold-To Party This allows the customer to register both their company and their user. lE> With Existing Sold-To Party and Contact This requires the customer to enter a valid company ID, and allows them to enter only their own data as the contact person.

30/118

CUSTOMER

2013-02-07

5 5.3

User Administration and Authentication User Management

You can control registration in the contact scenario by means of a workflow. This allows customers to register themselves and their company in the Web shop, but requires the approval of the Web shop administrator. h` Delegated user administration This option is available for the contact scenario and is enabled in the User module of Web Channel Builder. It allows delegated user administrators to create and maintain users for all of the sold-to parties to which they are assigned. You can also configure this setting so that the first contact for a new sold-to party is given superuser privileges that allow them to create and maintain users for their company. As the creation and maintenance of users are security-critical operations, we recommend that you offer authorizations selectively, and that you not assign them to reference users that are used for registration. For more information, see SAP Library for SAP Web Channel Experience Management on SAP Help Portal at http://help.sap.com/wec. Choose a release and then Application Help. In SAP Library, choose User Management Delegated User Administration . Manual Creation Since an Internet user consists of an SU01 user and a business partner, user creation cannot be achieved using SAP NetWeaver user maintenance alone. For Web shop customers, business partner maintenance functionality is needed as well. Web shop customers can be created in both the consumer scenario and the contact scenario using manual methods. Manual creation may be necessary if users are needed for development and testing. The following table lists approaches for manually creating Internet users in the consumer scenario.
Tool Detailed Description Prerequisites

SAP CRM business 1. partner maintenance in SAP GUI (transaction 2. BP) SAP CRM business partner maintenance in WebClient UI

Create business partner with partner role Consumer (CRM006). Maintain the Internet user partner role.

Only available in SAP GUI

Only available in WebClient UI

NOTE

The application does not support central user administration. SAP ERP customer maintenance (transactions VD0* ) SAP ERP user and role maintenance with SAP NetWeaver AS ABAP (transactions SU01, PFCG) User Management Engine with SAP NetWeaver AS Java 1. 2. 3. Create a customer. Create an SU01 user. Create user references to the related customer (object type KNA1).

For more information, see User Management Engine:

http://help.sap.com/saphelp_nw73/helpdata/

Internet user is already created using the tools mentioned above. If the user storage system is set to

2013-02-07

CUSTOMER

31/118

5 5.3 Tool

User Administration and Authentication User Management Detailed Description

en/5b/5d2706ebc04e4d98036f2e1dcfd47d/ frameset.htm.

Prerequisites

UME Only, the Internet user must be created in the UME as well.

The following table lists approaches for manually creating Internet users in the contact scenario.
Tool Detailed Description Prerequisites

SAP CRM business partner maintenance in SAP GUI (transaction BP)

1.

Create business partner with business partner role Contact Person BUP001. 2. Maintain Internet user partner role. For more information, see Business Partners: http://
help.sap.com/saphelp_crm700_ehp02/helpdata/en/ 52/cff837a9aae651e10000009b38f8cf/frameset.htm

Only available in SAP GUI

WebClient UI business partner maintenance

Only available in WebClient UI

NOTE

The application does not support central user administration. SAP ERP customer and contact person maintenance (transactions VD0* and VAP*) SAP ERP user and role maintenance with SAP NetWeaver AS ABAP (transactions SU01 and PFCG) User Management Engine with SAP NetWeaver AS Java 1. 2. 3. Create a customer and a contact person. Create an SU01 user. Create user references to the related contact person (object type BUS1006001) and related customer (object type KNA1). -

For more information, see User Management Engine:

http://help.sap.com/saphelp_nw73/helpdata/en/ 5b/5d2706ebc04e4d98036f2e1dcfd47d/ frameset.htm.

Internet user is already created using the tools mentioned above. If the user storage system is set to UME Only, the Internet user must be created in the UME as well.

Delegated user administrators can use the tools described above to create Internet users. For more information, see SAP Library for SAP Web Channel Experience Management on SAP Help Portal at http://help.sap.com/wec. Choose a release and then Application Help. In SAP Library, choose User Management Creation of and Search for Delegated User Administrators .
Maintaining Web Shop Customers

The table below shows the tools that can be used to maintain the user part of an Internet user.
Tool Detailed Description Prerequisites

Administrator user and For more information, see User and Role Administration of Application You have created role maintenance with Server ABAP: http://help.sap.com/saphelp_nw70ehp2/ an Internet user. SAP NetWeaver AS

32/118

CUSTOMER

2013-02-07

5 5.3 Tool

User Administration and Authentication User Management Detailed Description

helpdata/en/52/671126439b11d1896f0000e8322d00/ frameset.htm.

Prerequisites

ABAP (transactions SU01, PFCG) User Management Engine with SAP NetWeaver AS Java

Select the user type Service. For more information, see User Management Engine: http://
help.sap.com/saphelp_nw73/helpdata/en/5b/ 5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm.

You have created an Internet user. UME user persistency equals back-end system, for example SAP CRM or SAP ERP.

The table below shows the tools that can be used to maintain the business partner part of an Internet user.
Tool Detailed Description Prerequisites

SAP CRM business partner maintenance in SAP GUI (transaction BP) SAP CRM business partner maintenance in WebClient UI

Only available in SAP GUI Only available in WebClient UI

NOTE

The application does not support central user administration. SAP ERP customer maintenance (transactions VD0* ) -

Web shop customers can maintain their own Internet user with Web Channel self-service. This allows them to change their password and address data. Depending on the settings made in Web Channel Builder, Web shop customers in the contact scenario can also be maintained by company superusers using delegated user administration.

5.3.1.4 Administrators
The table below shows the tools to use for the user management and user administration of administrators.
Tool Detailed Description Prerequisites

User Management Engine with SAP For more information, see User NetWeaver AS Java Management Engine: http://
help.sap.com/saphelp_nw73/ helpdata/en/5b/ 5d2706ebc04e4d98036f2e1dcfd47d /frameset.htm

2013-02-07

CUSTOMER

33/118

5 5.3

User Administration and Authentication User Management

5.3.2 User Types

It may be necessary to specify different security policies for different user types. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but that the users who run background processing jobs do not need to change their passwords regularly. The user types that are required for Web Channel applications include: rgk Dialog users rg Internet users can access Web Channel applications. The users have the user type Dialog User. In the current version of SAP NetWeaver, the Internet users have the same policies as internal dialog users. If an Internet user has been authenticated, any necessary connections to the back-end system are established for this user based on the Web Channel destination that uses the current user as the authentication type. rg Web Channel Builder users have the user type Dialog User. They can access administrative Web Channel applications such as Web Channel Builder. rgk Technical users rg Service users are used for connections from SAP NetWeaver AS Java to SAP CRM or SAP ERP. The service user is used to access business functionality provided anonymously, such as help values or product catalog browsing. The service user also provides the basis for the guest user scenario. The service user has to be maintained in the destinations (authentication type: Technical User) for the back-end system created for Web Channel on SAP NetWeaver AS Java. rg SAP NetWeaver MDM communication users For more information about these user types, see the section User Types in the SAP NetWeaver AS ABAP Security Guide on http://service.sap.com/securityguide.

5.3.3 Users Relevant for Web Channel Applications

Several users are needed to use the Web Channel applications. However, note that no user is delivered. You have to create the service users and reference users after the Web Channel application is installed. Only Internet users can be created by self-registration within Web Channel applications if selfregistration is made available. Maintain the service users in the SAP NetWeaver AS Java destination service in the appropriate destination used for the connections to the used back-end system. Maintain the reference users in the Web Channel application configurations that use Web Channel selfregistration functionality.
RECOMMENDATION

We recommend changing the user IDs and passwords for users that are automatically created during installation.

34/118

CUSTOMER

2013-02-07

5 5.3

User Administration and Authentication User Management

The tables below show the users required for operating SAP Web Channel Experience Management.
Delivered Users on SAP NetWeaver MDM Repository System User Password Role

SAP NetWeaver MDM

Admin

initial

Admin

SAP Web Channel Experience Management Users (Consumer Scenario and Contact Scenario) System User Type Description

Configured back-end Technical user system: SAP CRM or SAP for anonymous ERP functionality

Service user

Configured back-end Internet user system: SAP CRM or SAP ERP (and UME if user persistency unequals ABAP back-end system) Configured back-end Reference user system: SAP CRM or SAP ERP

Dialog user

User for establishing the stateless connection between Web Channel applications and the configured back-end system. Created using the User Maintenance (SU01) transaction in SAP NetWeaver AS ABAP or user management in SAP NetWeaver AS Java, if UME persistency equals ABAP back end. The user ID and password must be stored in the RFC destination for the connection. The user that logs on to Web Channel applications. The full-state connection is established with this user. Created using one of the user management tools mentioned above. This user is needed if self-registration is configured for consumer scenario applications. The user is automatically assigned to Internet users for authorization purposes. This user is needed for product catalog functionality. The user is used to establish connections to the SAP NetWeaver MDM server that provides the product catalogs. This user must have the role WEBCHANNEL_CATALOGDISPLAY_ROLE.

Reference user

SAP NetWeaver MDM

Technical user

Web Channel Builder Users System User Type Description

Configured back-end Technical user Service user system: SAP CRM or SAP for anonymous ERP functionality

User for establishing the stateless connection between Web Channel applications and the configured back-end system. Created using the User Maintenance (SU01) transaction on SAP NetWeaver AS ABAP or user management in SAP NetWeaver AS Java. The user ID and password must be stored in the RFC destination for the connection.

2013-02-07

CUSTOMER

35/118

5 5.4 System

User Administration and Authentication User Data Synchronization User Type Description

Configured back-end Web Channel system: SAP CRM or SAP Builder User ERP

Dialog user

The user that logs on to Web Channel Builder applications. The full-state connection is established with this user. Created using the User Maintenance (SU01) transaction in SAP NetWeaver AS ABAP or user management in SAP NetWeaver AS Java.

SAP NetWeaver AS Java Users Required for Administration System User Delivered Type Default Password Description

SAP NetWeaver AS Java

Administrato Yes (part of r SAP NetWeaver AS Java installation)

User administered on SAP NetWeaver AS Java

As defined during the installation of SAP NetWeaver AS Java

We recommend that you create a new user with fewer rights for the administration of Web Channel applications on SAP NetWeaver AS Java instead of using the SAP NetWeaver AS Java Administrator.

Users Required for the Web Channel Administration Area System User Delivered Type Default Password Description

SAP NetWeaver AS Java

Administrator -

User administered on SAP NetWeaver AS Java

User who uses the Web Channel admin area. The user has role Web Channeladmin. The role is mapped to the server role Administrators.

5.4 User Data Synchronization

Web Channel can use the SAP NetWeaver AS Java User Management Engine (UME) for authentication. The UME can use the following types of data sources: 2B^ Database of SAP NetWeaver AS Java 2B^ Directory service (LDAP) 2B^ User Management of SAP NetWeaver AS ABAP Based on the configured UME data source, the Web Channel user storage configuration must be set up accordingly. For more information, see the section Installing SAP NetWeaver 730 SP02 AS Java in the SAP Web Channel Experience Management Installation Guide. The configured UME data source influences the Internet users of Web Channel applications. For Web Channel applications, users must be defined on the specific Web Channel ABAP back-end system (SAP CRM or SAP ERP). If the UME data source is different from the Web Channel ABAP backend system, this means that two user entities with the same user ID are defined: one user in the UME and one user on the back-end system. The only exception is that the back-end system is used as UME user persistency.

36/118

CUSTOMER

2013-02-07

5 5.5

User Administration and Authentication Integration into Single Sign-On (SSO) Environments

There is no automatic user data synchronization between the ABAP back-end system and the UME user persistency. However, the Web Channel user management enables user creation and maintenance on the UME and the back-end system if Web Channel user management functions, such as selfregistration or the user administration, are used.
NOTE

If other applications are used to maintain users, for example the UME or the SU01 on the backend system, data synchronization must be carried out manually.

5.5 Integration into Single Sign-On (SSO) Environments

Single sign-on (SSO) is a specialized form of software authentication that enables users to authenticate once to gain access to resources for multiple software systems. Web Channel makes use of various SSO options provided by SAP NetWeaver, such as client certificates, logon tickets, and SAML2.0. For information about the different options and how to configure your SAP NetWeaver AS, see Single Sign-On for Web-Based Access: http://help.sap.com/saphelp_nw73/helpdata/en/4a/ 672251117a0c89e10000000a42189b/frameset.htm. When you configure a Web Channel application, you specify the type of SSO authentication to use by selecting the corresponding policy configuration. For more information, see UME Authentication in the User Authentication section of this guide.

5.5.1 Secure Network Communications (SNC)

SNC is available for user authentication and can be used in an SSO environment when using SAP GUI for Windows or remote function calls (RFC). SNC can be used for the connections from SAP NetWeaver AS Java to SAP CRM or SAP ERP. To use SNC, maintain the Web Channel RFC destinations to the SAP CRM or SAP ERP system accordingly. For more information about the required destinations for Web Channel applications, see the section Communication Destinations in this guide. For more information about SNC as part of network and transport layer security in SAP NetWeaver, see Secure Network Communications (SNC): http://help.sap.com/saphelp_nw73/helpdata/en/ e6/56f466e99a11d1a5b00000e835363f/frameset.htm.
NOTE

The certificate used by SAP NetWeaver AS Java must be accepted by the back-end system.

5.6 User Management Configuration

In addition to settings specific to user management in UME and in the ABAP back-end systems, you make settings in the User module of Web Channel Builder to define authentication and user

2013-02-07

CUSTOMER

37/118

5 5.6

User Administration and Authentication User Management Configuration

identification types. You can also specify early logon, user registration settings, e-mail templates, methods for handling forgotten passwords (for example, security questions), and enable the guest user scenario and delegated user administration.

38/118

CUSTOMER

2013-02-07

6 6.1

Authorization Authorization Concept

6 Authorization

6.1 Authorization Concept

Web Channel applications use the authorization concept provided by SAP NetWeaver. Therefore, the recommendations and guidelines for authorizations apply as described in the SAP NetWeaver Security Guide: http://help.sap.com/saphelp_nw73/helpdata/en/4a/af6fd65e233893e10000000a42189c/ frameset.htm. The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. When using ABAP technology, use the profile generator (transaction PFCG) for role maintenance. When using Java, use the UME user administration.
NOTE

Since most of the business functionality of Web Channel applications runs on the SAP CRM or SAP ERP system, the ABAP authorization concept is used more often. SAP NetWeaver AS Java user groups are used if Web Channel applications need to be secured by Web container security constraints.

6.1.1 Roles and Profiles

User roles are the container for authorization objects needed for specific tasks and functionality. The authorizations are provided by authorization profiles. User roles and profiles are assigned to service users and Internet users to enable the usage of Web Channel functionality. Several Web Channel user roles are predefined and included in the standard delivery. Some roles are delivered on SAP NetWeaver AS ABAP, and others are delivered on SAP NetWeaver AS Java. The following subsections provide overviews of available predefined roles for each platform. We recommend that you create your own copies of the roles, or run authorization traces to enable the creation of user roles that suit your Web Channel applications.

6.1.1.1 Predefined User Roles on SAP NetWeaver AS ABAP

This section explains the user roles for various Web Channel applications in each back-end system.
NOTE

Create your own user roles as described in Authorization Proposals in this chapter, and specify the authorization values according to your needs.

2013-02-07

CUSTOMER

39/118

6 6.1

Authorization Authorization Concept

User Roles for Web Channel Builder

You use Web Channel Builder to configure Web Channel applications, send new or changed application configurations through an approval process, set the go-live date for an application configuration, and create product views. Web Channel Builder supports various different user roles, and Web Channel Builder users must be assigned to one of these roles before they can launch the application. The back-end system (SAP CRM or SAP ERP) used for the Web Channel applications determines which roles must be assigned to the user. To create and assign Web Channel Builder users, you must first configure user management functionality in both the relevant back-end system (transaction SU01 in either SAP CRM or SAP ERP), and in SAP NetWeaver AS Java User Management Engine (UME).If the user persistence in UME differs from that used in the back-end system, you must create an additional UME user that has the same user ID as the Web Channel Builder user in the back-end system. This additional user is only required for authentication purposes, and should not be assigned any roles in UME. The following table lists the common user roles for SAP CRM and SAP ERP that are contained in the standard delivery of Web Channel Builder (WECB).
User Roles on SAP CRM or SAP ERP System Role
SAP_CRM_WEC_WCB_ADMIN SAP_ERP_WEC_WCB_ADMIN SAP_CRM_WEC_WCB_USER SAP_ERP_WEC_WCB_USER

User

Description

SAP CRM SAP ERP SAP CRM SAP ERP

WECB Administrator WECB User

Web Channel Builder administrator with full application configuration authorization Web Channel Builder user with limited application configuration authorization This is the main user for creating and editing Web Channel applications and configurations. This user can also submit configurations for approval. Web Channel Builder manager with application configuration authorization on manager level This user can view all applications and configurations and approve or reject configurations that have been submitted for approval. Web Channel Builder user with display authorization Web Channel Builder service user This user is for technical users of WECB. The user is maintained in destinations used by WECB. Web Channel Builder user with authorization to create product views This user can access and use all functionality on the Product Views tab page. If you would like

SAP CRM SAP ERP

SAP_CRM_WEC_WCB_MANAGER SAP_ERP_WEC_WCB_MANAGER

WECB Manager

SAP CRM SAP ERP SAP CRM SAP ERP

SAP_CRM_WEC_WCB_USER_DISPLAY SAP_ERP_WEC_WCB_USER_DISPLAY SAP_CRM_WEC_WCB_TU SAP_ERP_WEC_WCB_TU

WECB User WECB Service User

SAP CRM SAP ERP

SAP_CRM_WEC_WCB_PROD_VIEWS SAP_ERP_WEC_WCB_PROD_VIEWS

WECB User for Product Views

40/118

CUSTOMER

2013-02-07

6 6.1 System

Authorization Authorization Concept Role User Description

SAP CRM SAP ERP

SAP_CRM_WEC_WCB_TU_PROD_VIEWS SAP_ERP_WEC_WCB_TU_PROD_VIEWS

certain users to be able to display product views without being able to modify them, you need to create a copy of this user and restrict its activity level. WECB Service Web Channel Builder service user for User for Product product views Views These roles are assigned to the technical users that are used for the destinations in Web Channel Builder.

Additional Information Regarding User Roles for Product Views When you create a product view, you specify the back-end destination that it uses. This allows you to create product views for back ends other than the back-end system used by the Web Channel application. In mixed scenarios like this, you create the WECB Service User for Product Views on the back-end system that is used by the product view. If the product view is created for SAP CRM, you assign the role SAP_CRM_WEC_WCB_TU_PROD_VIEWS to the user, and if the product view is created for SAP ERP, you assign the role SAP_ERP_WEC_TU_PROD_VIEWS to the user. If the Web Channel application and the product view use the same back end, you can assign the service user roles for both the WECB Service User and the WECB Service User for Product Views to the same service user.

G<14fxPZd#Q6Product Views

For more information about product views, see SAP Library for SAP Web Channel Experience Management on SAP Help Portal at http://help.sap.com/wec. Choose a release and then Application Help. In SAP Library, choose Configuration Configuring Web Channel Applications (Web Channel Builder) Product Views .
Example User Roles for Web Channel Applications

As of Web Channel 3.0, example user roles are available that are based on external services and their authorization proposals. There is one technical role and one Internet user role for each back-end system.

2013-02-07

CUSTOMER

41/118

6 6.1

Authorization Authorization Concept

Example Internet User Roles System Role

SAP_CRM_WEC_WU_ALL SAP_ERP_WEC_WU_ALL

SAP CRM SAP ERP

Example Service User Roles System

Role
SAP_CRM_WEC_TU_ALL SAP_ERP_WEC_TU_ALL

SAP CRM SAP ERP

These user roles are examples that support Web Channel applications based on delivered templates. If you plan to create Web Channel applications without using templates, we recommend that you perform authorization traces and that you create and maintain your own user roles. The example user roles contain the WEC_MODULE or ERP_WEC_MODULE external services in their menus. You update the roles with existing customer values using SAP Role Maintenance (transaction PFCG). Examples of values that you maintain in the roles include customer-specific data, such as transaction types used for sales and service documents, marketing objects, and organizational data such as sales organization information, distribution channels, and user groups. Authorizations requiring further maintenance are identified by yellow or red traffic lights in the authorization overview for the role. Technical user roles contain the authorizations to support self-registration, specifically the authorizations to assign user profiles (S_USER_PRO) and user roles (S_USER_AGR). These authorizations must be populated with the user roles and user profiles that are used by the Web Channel applications.
EXAMPLE

If the Web Channel application uses the example Internet user role for SAP CRM, you must do the following: nF Assign the SAP_CRM_WEC_WU_ALL user role to authorization object S_USER_AGR nF Assign the user profile generated for this role to authorization object S_USER_PRO nF Assign the S_USER_GRP object to the user group designated for Web Channel application users If self-registration is not enabled for the Web Channel application, we recommend that you remove the S_USER_PRO and S_USER_AGR authorization objects. If you require roles with different activity levels, you must create copies of the roles. For more information, see Special Web Channel Authorization Objects in this chapter. Note, however, that users cannot have different roles if your Web shop uses self-registration. For users to have different roles in the contact scenario, you must use delegated user administration or Web Channel user management tools. To allow customers to register themselves in the Web shop, you must assign the Internet user role to a reference user. You configure the reference user in the User module in Web Channel Builder.

42/118

CUSTOMER

2013-02-07

6 6.1

Authorization Authorization Concept

User Role for Delegated User Administration

As of Web Channel 3.0, delegated user administration is available for Web Channel applications in the contact scenario. This confers administration privileges on a delegated user for a sold-to party, allowing them to create and maintain Internet users for their company.
User Roles for Delegated User Administration System Role
SAP_CRM_WEC_USER_ADMIN SAP_ERP_WEC_USER_ADMIN

SAP CRM SAP ERP

These roles contain specific authorizations required by the delegated user, otherwise known as the superuser, to enable the creation and maintenance of users and business partners. Specifically, the roles contain authorizations to assign user profiles (S_USER_PRO) and user roles (S_USER_AGR). In the authorization objects, you must specify all user roles and user profiles that are used in the Web Channel application.
EXAMPLE

If the Web Channel application uses the example Internet user role for SAP CRM, you must do the following: Y'2 Assign the SAP_CRM_WEC_WU_ALL user role to authorization object S_USER_AGR Y'2 Assign the user profile generated for this role to authorization object S_USER_PRO Y'2 Assign the S_USER_GRP object to the user group designated for Web Channel application users If self-registration is not enabled for the Web Channel application, we recommend that you remove the S_USER_PRO and S_USER_AGR authorization objects.
CAUTION

Do not assign full authorizations to these authorization objects. Furthermore, do not assign these roles to standard (non-delegated) Internet users or to the reference users designated for selfregistration.
User Roles for Development, Testing, and Support

Specific authorizations are used to control Web Channel functionality that is useful in the developing and testing phase, or to provide support in the productive phase. We recommend NOT providing these authorizations to productive Internet users of a specific scenario. The authorizations should be collected in a role that can be assigned additionally to users if needed. For more information, see Authorization Objects in this chapter.

6.1.1.2 Predefined User Roles on SAP NetWeaver MDM

Role
Admin

Description

Administrative role

2013-02-07

CUSTOMER

43/118

6 6.1 Role

Authorization Authorization Concept Description

WEBCHANNEL_CATALOGAUTHOR_ROLE WEBCHANNEL_CATALOGDISPLAY_ROLE

Role with edit access to tables and fields in SAP NetWeaver MDM only Role with read-only rights. This role must be assigned to the SAP NetWeaver MDM user that is used to access the catalog from within a Web Channel application.

6.1.1.3 Predefined User Role on SAP NetWeaver AS Java

Role
wecadmin

User

Description

Admin

Security role for users of the Web Channel Admin area

A security constraint is defined in the Web Channel application deployment descriptor (web.xml file) to secure the Web Channel administration area.
SYNTAX Security Constraint <!-- Security settings for administration area --> <security-constraint> <web-resource-collection> <web-resource-name>admin</web-resource-name> <url-pattern>/com.sap.common/adminStartPage.jsf</url-pattern> </web-resource-collection> <auth-constraint> <role-name>wecadmin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <realm-name>wecadmin</realm-name> </login-config> <security-role> <role-name>wecadmin</role-name> </security-role>

The security role wecadmin is mapped by default to the UME server role administrator. This is due to a mapping definition in the Web descriptor file Web-j2ee-engine.xml.
SYNTAX Security Role Mapping <security-role-map> <role-name>wecadmin</role-name> <server-role-name>administrator</server-role-name> </security-role-map> CAUTION

If mapping in the web-j2ee-engine.xml file is changed, make sure that the administrator of the target system has created the UME role before the application is deployed. If the role is missing,

44/118

CUSTOMER

2013-02-07

6 6.1

Authorization Authorization Concept

no mapping occurs. For more information, see Permissions, Actions, and UME Roles: http://
help.sap.com/saphelp_nw73/helpdata/en/06/371640b7b6dd5fe10000000a155106/ frameset.htm

The administrator user is always assigned to the Administrator UME role. A corresponding UME action wecadmin is also created automatically for each Web Channel application. The action can be assigned to UME roles that in turn can be assigned to UME users. We recommend not using the administrator user for the admin area of the Web Channel applications. The user of this area should have fewer rights than the administrator of SAP NetWeaver AS Java. Instead of using the SAP NetWeaver AS Java administrator, a new user should be created, and a new role containing the wecadmin action should be assigned to the user. This can be done in Identity Management of SAP NetWeaver AS Java. For more information, see Authorization Concept of the AS Java: http://
help.sap.com/saphelp_nw73/helpdata/en/48/c943f3825c581ce10000000a42189c/frameset.htm

Only users that are assigned to the given server role or that are assigned the UME action wecadmin have access to the administration pages.

6.1.1.4 Additional Aspects of Web Channel User Roles

Self-Registration

To assign authorizations to users within the self-registration process, reference users are used. The reference user must be maintained in the configuration data of Web Channel applications that use selfregistration. The reference user must be assigned the Internet user role that corresponds to the specific Web Channel application.
Access Control Engine

If the Access Control Engine (ACE) is used for SAP CRM-based Web Channel applications, the resulting user roles must be maintained in the ACE rights used in Web Channel applications.
Guest User Scenario

In the guest user scenario, no explicit user authentication takes place and all actions are performed by the technical service user. The service user therefore requires appropriate authorizations for tasks such as creating sales documents, and maintaining business partner objects. A specific service user role must be created using the external services of the relevant application modules having the external service suffix TU and TU_STATEFUL, and assigned to the service user. For more information, see User Management in the User Administration and Authorizations chapter of this guide.

6.1.1.5 Authorization Proposals

The Web Channel standard delivery contains several Web Channel application templates. For these application templates, corresponding authorization proposals are provided that are based on

2013-02-07

CUSTOMER

45/118

6 6.1

Authorization Authorization Concept

authorization traces performed for each template. The proposals are provided by external services (see transaction SU22/SU24 Type of Application). For each application, template-specific external services need to be assigned in a user role to adopt the proposals. As of Web Channel 3.0, external services are distinguished by the modules for which they are developed. All external services for SAP CRM have the prefix WEC_MODULE, whereas those for SAP ERP have ERP_WEC_MODULE. The system provides authorization proposals for external services, and this supports all templates provided by SAP. The following tables lists these external services.
External Services for Service User Roles for Release 3.0 System External Service
WEC_MODULE_campaign_TU WEC_MODULE_catalog_TU WEC_MODULE_checkout_TU WEC_MODULE_com.sap.common_TU WEC_MODULE_customerinteraction_TU WEC_MODULE_instore_TU WEC_MODULE_ipc_TU WEC_MODULE_knowledgemanagement_TU WEC_MODULE_loyalty_TU WEC_MODULE_payment_TU WEC_MODULE_prodavailability_TU WEC_MODULE_productrecommend_TU WEC_MODULE_productregistration_TU WEC_MODULE_salestransactions_TU WEC_MODULE_storelocator_TU WEC_MODULE_user_TU

SAP CRM

SAP ERP

ERP_WEC_MODULE_catalog_TU ERP_WEC_MODULE_checkout_TU ERP_WEC_MODULE_com.sap.common_TU ERP_WEC_MODULE_com.sap.common_TU_STATEFUL ERP_WEC_MODULE_ipc_TU ERP_WEC_MODULE_ipc_TU_STATEFUL ERP_WEC_MODULE_payment_TU ERP_WEC_MODULE_payment_TU_STATEFUL ERP_WEC_MODULE_prodavailability_TU ERP_WEC_MODULE_productrecommend_TU ERP_WEC_MODULE_salestransactions_TU ERP_WEC_MODULE_salestransactions_TU_STATEFUL ERP_WEC_MODULE_user_TU ERP_WEC_MODULE_user_TU_STATEFUL

External Services for Internet User Roles for Release 3.0 System External Service
WEC_MODULE_catalog_WU WEC_MODULE_checkout_WU WEC_MODULE_com.sap.common_WU WEC_MODULE_complaintsandreturns_WU WEC_MODULE_customerinteraction_WU

SAP CRM

46/118

CUSTOMER

2013-02-07

6 6.1 System

Authorization Authorization Concept External Service

WEC_MODULE_customerprofiles_WU WEC_MODULE_installedbase_WU WEC_MODULE_ipc_WU WEC_MODULE_loyalty_WU WEC_MODULE_payment_WU WEC_MODULE_productregistration_WU WEC_MODULE_productviewmain_WU WEC_MODULE_salestransactions_WU WEC_MODULE_servicecontract_WU WEC_MODULE_servicerequest_WU WEC_MODULE_user_WU

SAP ERP

ERP_WEC_MODULE_checkout_WU ERP_WEC_MODULE_com.sap.common_WU ERP_WEC_MODULE_ipc_WU ERP_WEC_MODULE_payment_WU ERP_WEC_MODULE_salestransactions_WU ERP_WEC_MODULE_user_WU

If user roles for applications based on the application templates are created, these external services must be assigned to the corresponding roles to include the authorization proposals. For more information about Web Channel user roles based on authorization proposals, see SAP Library for SAP Web Channel Experience Management on SAP Help Portal at http://help.sap.com/wec. Choose a release and then Application Help. In SAP Library, choose User Management Authorization Concept .
NOTE

SAP only provides authorization proposals for the shipped application templates and roles. See the section SU24 Support for information on performing your own authorization traces. With external services, the default values for authorizations are not automatically adopted by the profile generator. In an intermediate step, the SAP standard values must be copied to the customer namespace using transaction SU25. Afterwards the values can be changed using the transaction SU24. The role templates and the available authorization proposals can be used to create your own user roles.

6.1.2 SU24 Support

In Web Channel, authorization traces can be enabled. The authorization traces are performed on Web Channel module level. The traces collect all authorizations that are checked within the remote function calls (RFCs) performed in Web Channel modules. The traced authorization objects are assigned to the external services of service type WEC CRM Web Channel Experience Management Module. Several external services can exist per module depending on the used destination and user. The external service names are created using the following format, which consists of the service name prefix, the Web Channel module ID in which the RFC is located, and the service name suffix:

2013-02-07

CUSTOMER

47/118

6 6.1

Authorization Authorization Concept

<Service name prefix><WEC module ID><Service name suffix> NOTE

If different authorization levels are needed, create several roles with different authorization values.

6.1.2.1 Service Name Prefix

By default, the service name prefix is WEC_MODULE, but you can also specify a different service name prefix in the application settings of a Web Channel application using the property authTraceServicePrefix.
NOTE

For the external services, TADIR entries are created. As a consequence, the external service names must be unique. Since Web Channel applications can be based on SAP CRM, SAP ERP, or other SAP back-end systems, the Web Channel back-end scenario is evaluated. In the case of back-end systems that are not SAP CRM back-end systems, the scenario back-end value, for example R3, SAP ERP or other, is added to the service name prefix:
<backend_scenario>_<service name prefix> Service Name Prefix = WEC_MODULE | Config Parameter authTraceServicePrefix EXAMPLE <service name prefix>: = ERP_<service name prefix>

6.1.2.2 Web Channel Module ID

This is the ID of the Web Channel module in which the RFC call is located. This may impact the used external service name if a module uses functionality provided by common modules. The Web Channel generic search functionality is one example of the commonly reused functionality called from modules. For the Web Channel generic search, the Web Channel authorization trace functionality retrieves the module ID of the calling module to use it for creating or identifying the correct module.

6.1.2.3 Service Name Suffix

By default, the service name suffix is determined from the destination or the respective connection settings. If the destination has authorization type Current_User, the prefix is WU (Internet (Web) user). If the destination has authorization type Configured_User, the system checks whether the Web Channel logon method is used, and the destination user is overwritten. In this case, WU is set as well. If this is not the case, the system checks whether the connection type is stateful. If this is true, the prefix is

48/118

CUSTOMER

2013-02-07

6 6.2

Authorization Authorization Objects

TU_STATEFUL (technical user with a stateful connection). In all other cases, the prefix is TU (technical

user). The external services can be used to create appropriate roles for technical users and Internet users. As a prerequisite, the external services must be included in the role menu if a specific module is active in a Web Channel application for which user roles are created. With external services, the default values for authorizations are not automatically adopted by the profile generator. In an intermediate step, the SAP standard values must be copied to the customer namespace using transaction SU25. Afterwards the values can be changed using transaction SU24. For more information about missing authorizations in generated profiles, see SAP Note 444686.
NOTE

If different authorization levels are needed, you must create several roles with different authorization values.

6.1.2.4 Authorization Trace Activation

You activate authorization tracing in the back-end system and in Web Channel. For information about activating authorization traces in the back-end system, see SAP Note 747528. To activate authorization traces in Web Channel, you access the Web Channel application in Web Channel Builder, and then find the application settings for which you want to run authorization traces. For these settings, set the parameter authTrace to true. Since authorization traces run in parallel to normal business functionality, we recommend disabling authorization tracing for productive usage.

6.2 Authorization Objects 6.2.1 Standard Authorization Objects

The table below shows the security-relevant SAP basis and cross-application authorization objects that are used by the Web Channel applications.
Authorization Object
S_RFC

Field
RFC_NAME

Value

Description

S_USER_GRP

Names of the RFC function modules that are used by Web Channel applications <User group to use for Web Channel SU01 users>

Needed to allow access to any business functionality on back-end servers accessed via RFC.
CAUTION

Do not assign full authorization to this object. Common authorization object with SAP NetWeaver AS ABAP user management. Needed to enable functionality related to user management, such as the assignment of roles and profiles.

2013-02-07

CUSTOMER

49/118

6 6.2

Authorization Authorization Objects

Authorization Object

Field

Value

Description

Used to enable a grouping of users. Web Channel user management functionality allows assignment of a specific user group to Web Channel Internet users.
CAUTION

S_USER_AGR Role Name

S_USER_PRO

Authorization Profile

S_OC_DOC

S_OC_SEND

S_BDS_DS

Do not assign full authorization to this object. Roles that can be Needed for delegated user administration user role, or assigned to Web for service user roles if self-registration is enabled. Channel application users by delegated user administration or selfregistration Name of Needed for delegated user administration user role, or authorization for service user roles if self-registration is enabled. profile that corresponds to Web Channel user roles that should be assigned to users by delegated user administration or selfregistration Checks whether a function may be applied to an SAPoffice document. Defined fields: ACTVT: 24 Activity 24 is checked if a user wishes to move an SAPoffice document to a connected archive. Defines the following: :{<q Authorization to send externally and internally :{<q Maximum number of recipients for a communication method per send operation Defined fields: :{<q COM_MODE (communication method) :{<q NUMBER (maximum number of recipients for this communication method) Authorization for Business Document Service documents that belong to a document set

50/118

CUSTOMER

2013-02-07

6 6.2

Authorization Authorization Objects

6.2.2 Critical Authorizations and Combinations

The following authorization objects are required for performing specific Web Channel functions, but their values must be restricted to increase security. The table below provides information about the values that should be maintained and describes where and when the authorization object is needed.
Authorization Object
S_USER_AGR

Field

Value

Description

Activity Role Name

S_USER_PRO

Activity

02, 22 Needed for service user roles if self-registration is enabled. Name of Web CAUTION Channel user Do not include the object in any role if self-registration roles that should is disabled. be assigned to users by CAUTION delegated user Do not assign full authorization to this object. administration or by selfregistration 01, 22 Needed for service user roles if self-registration is enabled.
CAUTION

Authorization Profile

S_RFC

RFC_NAME

B_CARD_SEC

Name of authorization CAUTION profile that Do not include the object in any role if self-registration corresponds to is disabled. Web Channel user roles that CAUTION should be Do not assign full authorization to this object. assigned to users by delegated user administration or by selfregistration Names of the Needed to allow access to any business functionality on backRFC function end servers accessed via RFC. modules that are CAUTION used by Web Do not assign full authorization to this object. Channel applications Needed to decrypt payment card numbers stored in PCA Master.
CAUTION

Do not include the object in any role if self-registration is disabled. Needed for service user roles if self-registration is enabled.

S_DEVELOP

Do not assign decryption rights to any Internet or service user. Controls the access to the ABAP Workbench.

2013-02-07

CUSTOMER

51/118

6 6.2

Authorization Authorization Objects

Authorization Object

Field

Value

Description

If ABAP debugging from the Java layer is needed, the user needs this authorization to use the ABAP debugger.
CAUTION

Do not assign the authorization to any user in productive mode.

S_USER_GRP

Maintain the user groups used for Internet users and services users of Web Channel applications.

CAUTION

Do not assign full authorization to this object.

6.2.3 Special Web Channel Authorization Objects

Authorization Object
WEC_AUTH (SAP CRM) WEC_AUTERP (SAP ERP) ACTVT WEC_RATING WEC_OBJ_TY ACTVT COM_WEC_CP COM_WEC_RT ACTVT WEC_RT_OBJ WEC_RT_FLD ACTVT

Field
WEC_OBJ

Value

Description

See Document Authorization Concept in this chapter. See Authorization Required for Setting Certain Request URL Parameters in this chapter.

Web Channel document authorizations. Used to provide user permissions in the front-end layer. Product ratings and reviews Customer profile Web Channel framework runtime authorization object.
CAUTION

COM_WCB

OBJECT_WCB ACTVT

See Web Channel Builder Authorizations in this chapter. 16 16

WECB WBUILDER

Do not assign the authorization to any user in productive mode. Assign the authorization only to special users. Central Web Channel Builder authorization object CRM Middleware: Admin Console Authorization for CRM Adapter Repository Authorization is checked when the user logs on. A Web Channel application can only be accessed if the user has been granted the appropriate authorization. Authorization is checked if different Web Channel sites are maintained by one Web Channel Builder application.

CRM_MW_AC CMW_CRMADP

ACTVT ACTVT

COM_WEC_AP

J2EE_APPL WEC_APPL

COM_WEC_AP

J2EE_APPL

<list of allowed Web Channel sites>

52/118

CUSTOMER

2013-02-07

6 6.2

Authorization Authorization Objects

6.2.3.1 Document Authorization Concept

The document authorization concept enables the differentiation of authorizations for documents such as sales and service orders, and other business objects such as users and business partners. You can create different roles with different authorization value characteristics of the ACTVT authorization value to assign different document authorizations to different users.
Authorization Object
WEC_AUTH

Field
WEC_OBJ ACTVT

Value

Description

WEC_AUTERP

WEC_OBJ ACTVT

Web Channel document authorizations for SAP CRM Web Channel document authorizations for SAP ERP

The authorization is used in the Java layer to control the navigation to document-related pages and views and to check if the user can create, change, or display documents. To perform this in the Java layer, the user.hasPermision() method is used. The mapping from the authorization objects to the Java layer permissions is achieved by the permissionMapping-config. Web Channel supports document authorizations for the following document types:
Authorization Object WEC_OBJECT Description Modules
Salestransaction User Checkout, User Complaintsandreturns Customerprofiles, Payment Installedbase Productregistration

WEC_AUTH

BASKET BUSINESSPARTNER CHECKOUTPROFILE COMPLAINT CUSTOMERPROFILE IBASE IOBJECT_CRMPROD LOYALTY ORDER PAYMENT PRODUCTVIEWWCB QUOTATION RATING RETURN SCHEDULESERVICE SERVICECONTRACT SERVICEREQUEST USER

Shopping cart Business partner Checkout profile Complaint Customer profile Installed base component IObject for product registration Loyalty ISales: order list Payment Product views in Web Channel Builder Quotation and inquiry (request for quotation) Ratings and reviews Return Schedule service Service contract Service request User

Loyalty Salestransaction Payment WCBEXT

Salestransaction

Customerinteraction Complaintsandreturns Servicerequest Servicecontract Servicerequest User

2013-02-07

CUSTOMER

53/118

6 6.2

Authorization Authorization Objects WEC_OBJECT Description Modules

Salestransaction User Checkout, User Salestransaction

Authorization Object

WEC_AUTERP

BASKET BUSINESSPARTNER CHECKOUTPROFILE INQUIRY ORDER PAYMENT PRODUCTVIEWWCB QUOTATION USER

Shopping cart Business partner Checkout profile Inquiry (request for quotation) Order Payment Product views in Web Channel Builder Quotation User

Salestransaction Payment WCBEXT

Salestransaction User

6.2.3.2 Web Channel Builder Authorizations

As described in Predefined User Roles in the Roles and Profiles section of this chapter, several predefined Web Channel user roles are provided. The roles differ in the authorizations for the following authorization objects:
Authorization Object Field
COM_WCB OBJECT_WCB

Value

Description

ACTVT

COM_WEC_AP

J2EE_APPL WEC_APPL

WCB_CONF (WECB Configuration) WCB_APPL (WECB Application) WCB_ASET (Application Settings) WCB_BSET (Web Channel Builder Settings) 01 (Create) 02 (Change) 03 (Display) 06 (Delete) 69 (Discard = Cancel) 10 (Post= Submit) 37 (Accept =Approve) 96 (Reject) WECB WCBUILDER

Authorization to control Web Channel Builder functionality

COM_WEC_AP

J2EE_APPL WEC_APPL

<list of allowed Web Channel sites> (quotation marks) Provides a DUMMY value at authorization check.

Authorization is checked at logon. A Web Channel application can only be accessed if the user has been granted the appropriate authorization. Authorization is checked if different Web Channel Sites are maintainable by one Web Channel Builder application.

Web Channel Builder Site Permissions

A single Web Channel Builder application can maintain several Web Channel application sites. The authorization object COM_WEC_AP is used to control the sites for which a Web Channel Builder user has

54/118

CUSTOMER

2013-02-07

6 6.2

Authorization Authorization Objects

access permissions. All permitted sites must be maintained in authorization field J2EE_APPL. Authorization field WEC_APPL is checked with the DUMMY value. Thus the field needs assigned (quotation marks).

6.2.3.3 Authorization Values of Different Web Channel Builder User Roles

The following tables provide the authorizations granted for each Web Channel Builder user role.

w ,sYr8Activity Values Web Channel Builder Administrator Authorization Object

COM_WCB

Field
OBJECT_WCB

Value

Description

ACTVT

WCB_CONF (WCB Configuration) WCB_APPL (WCB Application) WCB_ASET (WCB Application Settings) WCB_BSET (WCB Settings) 01 Create 02 Change 03 Display 06 Delete 10 Post 37 Accept 69 Discard 96 Reject

Web Channel document authorizations for Web Channel Builder IT administrators

2013-02-07

CUSTOMER

55/118

6 6.2

Authorization Authorization Objects

Web Channel Builder User Authorization Object

COM_WCB

Field
OBJECT_WCB

Value

Description

ACTVT

WCB_CONF WCB_APPL 01 Create 02 Change 03 Display 06 Delete 10 Post 69 Discard

Web Channel document authorizations for Web Channel Builder users

Web Channel Builder Manager Authorization Object

COM_WCB

Field
OBJECT_WCB

Value

Description

ACTVT

WCB_CONF WCB_APPL WCB_ASET 03 Display 37 Accept 96 Reject

Web Channel document authorizations for Web Channel Builder managers

6.2.3.4 Authorizations Required for Setting Certain Request URL Parameters

The following request URL parameters require authorization in order for the values of these parameters to be used by Java Server Faces (JSF) runtime: @h @h
wec-debug wec-perfscope CAUTION

Do not assign the authorization for these parameters to productive Internet users of Web Channel applications. Only use it for special users in testing or development. We recommend creating a special user role which contains the authorization that can be assigned to users on a case-by-case basis. The authorization object that is required for setting these parameters is COM_WEC_RT and the values of this object's fields need to be set as follows:
Authorization Object
COM_WEC_RT

Field
WEC_RT_OBJ WEC_RT_FLD

Value

ACTVT

Value that needs to be set for FRW_UI_PARAMS or * Value that needs to be set for the parameter name itself ( for example, wec-debug) or * 02

56/118

CUSTOMER

2013-02-07

6 6.2

Authorization Authorization Objects

Without authorization (either the user has not logged on, or the user does not have proper authorization), any attempt to set the above URL request parameter value is ignored by JSF runtime. An appropriate JSF message is added, which is visible to the application that shows these messages.

6.2.3.5 Authorizations for Development, Testing, and Support

Authorization Object
COM_WEC_RT S_DEVELOP S_RFC

Description

See the section Authorization Required for Setting Certain Request URL Parameters See the section Critical Authorizations and Combinations To enable an authentication trace, a test user must have the authorization to use the function modules of the function group SAUTHTRACE.

6.2.4 Business Object Access Control 6.2.4.1 Authorizations Based on the Access Control Engine in SAP CRM
The access control engine (ACE) is another important step towards authorizations in Web Channel. The ACE controls access to specific business objects for users. The ACE is used together with the ABAP authorization concept to provide full security for the applications and data. The ACE checks run only on SAP CRM as a back-end system. In Web Channel, additional data security and a segregation of duties can be achieved using the ACE. Access to the data for the users is defined through a set of predefined rules in the ACE. These rules are applied to the data when it is being created and stored, and an access control list (ACL) is generated from this data. This ACL is then used during runtime to determine the extent of access the user has to the data. To set up the ACE, the customers must go through certain steps, as defined in the ACE Guide. In addition, customers can define their own rules and access rights to provide additional access control, based on their business requirements. For more information, see Customizing for Customer Relationship Management under Basic Functions Access Control Engine .

6.2.4.2 Business Object Access Control in SAP ERP

NOTE

The ACE is not available in SAP ERP. SAP ERP has no authorization check on business object level. A user can see all documents for which authorizations (PFCG roles) have been assigned. For example, an SU01 user has the right to see and

2013-02-07

CUSTOMER

57/118

6 6.2

Authorization Authorization Objects

maintain documents of an entire sales area. For that reason, the Web Channel ERP Java Business Object Layer provides checks to verify whether the sold-to-party related to the user who is currently logged on, is contained in sales documents.
RECOMMENDATION

Ensure that SAP ERP Internet users cannot access SAP ERP by using any other channel. They must use the Web Channel application to access SAP ERP.

58/118

CUSTOMER

2013-02-07

7 7.1

Session Security Protection Session Security Protection on SAP NetWeaver AS Java

7 Session Security Protection

7.1 Session Security Protection on SAP NetWeaver AS Java

Session security protection on SAP NetWeaver AS Java offers the following properties:
Property
SessionIdRegenerationEnabled

Description

SystemCookiesDataProtection SystemCookiesHTTPSProtection

SecuritySessionIDHTTPSProtection

If activated, a security session is established after UME authentication and a JSessionMarkId cookie is created and sent to the browser. If activated for all system cookies, the HTTP only attribute is set. If activated, the secure flag is set for all system cookies. All system cookies need to be sent by HTTPS from the HTTP client. If activated, only the Security Session Cookie (JSessionMarkId) needs to be sent by HTTPS. In this case, the SystemCookiesHTTPSProtection needs to be deactivated.

The properties of the Web Container service are maintained in the Config Tool of SAP NetWeaver AS Java. For more information and detailed instructions, see the section Session Security Protection in the SAP NetWeaver Security Guide: http://help.sap.com/saphelp_nw73/helpdata/en/4a/ af6fd65e233893e10000000a42189c/frameset.htm and SAP Notes 1449940 (Browsing Web Shop via HTTP with SessionIDRegenerationEnabled) and 1310561 (SAP J2EE Engine Session Fixation Protection).
NOTE

The session ID regeneration is only supported by Web Channel applications when the UME logon functionality is used. When the system performs UME authentication, the additional security session is created to prevent security fixation attacks.

7.1.1 Recommended Settings

Property
SessionIdRegenerationEnabled SystemCookiesDataProtection

Recommended Value
true true

To prevent session fixation attacks, we recommend setting the SessionIdRegenerationEnabled property to true. To prevent access in JavaScript or plug-ins to the SAP logon ticket and security session cookie(s), we recommend also activating the SystemCookiesDataProtection property.

2013-02-07

CUSTOMER

59/118

7 7.1

Session Security Protection Session Security Protection on SAP NetWeaver AS Java

We also highly recommend using SSL to protect the network communications where these securityrelevant cookies are transferred. With regard to this, several factors must be taken into account, which are explained in the sections that immediately follow, and in HTTPS for Web Channel Applications in the Network and Communication chapter of this guide.

7.1.1.1 Switch to HTTPS

Web Channel supports in-session switching from HTTP to HTTPS. This is required when a user starts in an HTTP part of the application, such as the product catalog, and then needs to switch to HTTPS, for example for authentication. In this case, only the security session cookie (JSessionMarkId) needs to be sent by HTTPS. For these Web applications, it is necessary to set the SystemCookiesHTTPSProtection property to False and the SecuritySessionIDHTTPSProtection property to True.
Switch to HTTPS: Recommended Settings Property
SystemCookiesHTTPSProtection SecuritySessionIDHTTPSProtection

Recommended Value
false true

Web Channel applications need further settings to enable a switch to HTTPS. For more information, see HTTPS Switch in the Network Security chapter, and HTTPsRequired Cookie in the Data Storage Security chapter (both in this guide). Due to Web Channel's support for switching from HTTP to HTTPS within a session, the secure cookie attribute is not set. This attribute can be requested for Web Channel application cookies by setting the secure cookie scenario parameter. For more information, see Cookie Security in the Web Application Security chapter in this guide.

7.1.1.2 HTTPS for Whole Session

If the whole session of the Web Channel application is being run using HTTPS, we recommend the following settings:
HTTPS for Whole Session: Recommended Settings Property
SystemCookiesHTTPSProtection SecuritySessionIDHTTPSProtection

Value
true false

To run the complete Web Channel application using HTTPS, the forceHTTPS application scenario parameter must be activated in Web Channel Builder. If forceHTTPS is activated, a call using HTTP is redirected to HTTPS.

60/118

CUSTOMER

2013-02-07

7 7.1

Session Security Protection Session Security Protection on SAP NetWeaver AS Java

7.1.2 Session Security Aspects of the Product Catalog

Product Catalog operates in a stateless mode. This is important for bookmarking. Hence, all the information that is part of the session is visible in the URL.

2013-02-07

CUSTOMER

61/118

This page is left blank for documents that are printed on both sides.

8 8.1

Network and Communication Security Communication Channel Security

8 Network and Communication Security

Your network infrastructure is important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A welldefined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks, such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the back-end systems database or files. Additionally, if users are not able to connect to the server local area network (LAN), they cannot exploit well-known bugs and security holes in network services on the server machines. The network topology for Web Channel applications is based on the topology used by the SAP NetWeaver platform. For that reason, the security guidelines and recommendations described in the SAP NetWeaver Security Guide: http://help.sap.com/saphelp_nw73/helpdata/en/4a/ af6fd65e233893e10000000a42189c/frameset.htm also apply to Web Channel applications. Details that specifically apply to Web Channel applications are described in the following sections: <(T% Communication Channel Security This topic describes the communication paths and protocols used by Web Channel applications. <(T% Network Security This topic describes the recommended network topology for Web Channel applications. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also includes a list of the ports needed to operate the Web Channel applications. <(T% Communication Destinations This topic describes the information needed for the various communication paths, such as the user to set for each path. For more information, see the SAP NetWeaver Security Guide: http://help.sap.com/saphelp_nw73/ helpdata/en/4a/af6fd65e233893e10000000a42189c/frameset.htm, sections: <(T% Network and Communication Security <(T% Security Guides for Connectivity and Interoperability Technologies

8.1 Communication Channel Security

The table below shows the communication channels used by Web Channel applications, the protocol used for the connections, and the type of data transferred.

2013-02-07

CUSTOMER

63/118

8 8.1

Network and Communication Security Communication Channel Security Protocol Used Data Requiring Special Protection

Communication Channel

Type of Data Transferred

Web browser to HTTP server (reverse proxy) HTTP server to SAP NetWeaver AS Java (Web Channel applications) SAP NetWeaver AS Java (Web Channel applications) to SAP CRM or SAP ERP SAP NetWeaver AS Java (Web Channel applications) to Internet Pricing and Configurator (IPC) SAP NetWeaver AS Java (Web Channel applications) to SAP NetWeaver MDM product catalog SAP NetWeaver AS Java (Web Channel applications) to a third-party server

HTTP HTTP

All application data All application data

Passwords, credit card information Passwords, credit card information

RFC

All application data relevant for Credit card information business logic Pricing data -

RFC

Socket

Product catalog data (products, prices, images)

HTTP

Payment

Credit card information

In addition to these communication channels, there may be other possibilities, depending on the functionality used by the different back-end systems. For more information, see the installation guide and security guide for your back-end system. The Dynamic Information and Action Gateway (DIAG) and Remote Function Call (RFC) connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol. For more information, see the SAP NetWeaver Security Guide: http://help.sap.com/saphelp_nw73/ helpdata/en/4a/af6fd65e233893e10000000a42189c/frameset.htm, section Transport Layer Security.
NOTE

To access product catalog data from SAP NetWeaver MDM in Web Channel applications, you must first set up the product catalog and extract catalog data from SAP CRM or SAP ERP. For more information, see SAP Library for SAP Web Channel Experience Management on SAP Help Portal at http://help.sap.com/wec. Choose a release and then Application Help. In SAP Library, choose SAP Web Channel Experience Management SAP Web Channel Experience Management: Configuration Configuring SAP NetWeaver MDM Product Catalog .

64/118

CUSTOMER

2013-02-07

8 8.1

Network and Communication Security Communication Channel Security

8.1.1 HTTPS for Web Channel Applications 8.1.1.1 HTTPS Switch

For Web Channel applications, a switch from HTTP protocol to the HTTPS protocol happens during user authentication by default. A switch to HTTPS during authentication is needed for different reasons: M To protect the transfer of any sensitive data such as passwords or credit cards M To support the SecuritySessionIDHTTPSProtection property of SAP NetWeaver AS Java if the security session is enabled (SessionIDRegeneration). In this case, the secure flag is set for the JSessionMarkId cookie, created due to the activated parameters. The browser must send the JsessionMarkId cookie via HTTPS. If the cookie is not in the request, the application runs into session timeout errors.
NOTE

To support the security session for Web Channel applications, the UME authentication must be selected. The indicator to switch to HTTPS is implemented in the Web Channel User Management authentication process. This behavior is hardcoded and cannot be influenced by any Web Channel Builder setting. After switching from HTTP to HTTPS, the application remains in HTTPS mode for the whole session. A switch back to HTTP is not possible. Outside of user authentication, you can enable a switch from HTTP protocol to the HTTPS protocol for specific pages. You can also force a Web Channel application to start with HTTPS, even if the initial request is made for HTTP. You do this by activating the Force HTTP setting in Web Channel Builder. When you activate this setting, all requests to the Web Channel application are made using HTTPS, and all HTTP requests are redirected to HTTPS. For more information about requesting an HTTPS switch at other events/pages or for the whole session, see the Development and Extension Guide for SAP Web Channel Experience Management on SAP Service Marketplace at http://service.sap.com/wec-inst, section HTTPS Switch Concept.
CAUTION

The HTTPS switch can be deactivated on application level in the SAP NetWeaver Administrator. For more information, see SAP Note 1812800. However, since SAP is recommending to secure all HTTP communication channels using SSL/ TLS, we strongly recommend not to deactivate the HTTPS switch in SAP NetWeaver Administrator. SAP shall not be accountable for any confidentiality/integrity issues if the HTTPS switch functionality is switched off. The deactivation of this functionality is undertaken at your own risk.

2013-02-07

CUSTOMER

65/118

8 8.1

Network and Communication Security Communication Channel Security

8.1.1.2 HTTPS Servlet Filter

Once the session is switched to HTTPS on the server, there are two cases to consider when a request is sent via an unsecure protocol to the server already running in secure mode. .,% Request using GET Method This usually happens when the user chooses the browser back or selects a bookmarked link of the Web Channel application that uses HTTP. .,% Request using POST Method This happens if a user has multiple browser windows or tabs open, and switches from one window or tab using HTTPS to another window or tab and tries to perform an action or intentionally manipulate a request. In this case, further processing of the request is prevented. These cases are handled and controlled by the servlet filter HttpsSwitchFilter, which checks every incoming request and adapts the request processing depending on the severity of the issue produced. .,% In the GET case, the request is reconstructed by exchanging the unsecure port and the protocol with a secure one. JSF-lifecycle is not executed, and a redirection (302 status) is performed on the browser, which sends the secured Get URL again. .,% In the POST case, further processing of the request is prevented by raising a session timeout exception. This exception can be mapped to a specific error page. For more information, see Exception hierarchy and Mapping to Error Pages in the chapter Other Security-Relevant Information in this guide. The HTTPS switch servlet filter is located in the class com.sap.wec.tc.core.jsfextensions.filter.WCFHttpsSwitchFilter.java. The servlet filter is enabled by default and can be disabled by defining a specific web.xml file for you Web Channel application project.
SYNTAX Filter Declaration <filter> <filter-name>HttpsSwitchFilter</filter-name> <filter-class>com.sap.wec.tc.core.filter.HttpsSwitchFilter</filter-class> <init-param> <param-name>com.sap.wec.HttpsSwitchFilter.enabled</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>HttpsSwitchFilter</filter-name> <servlet-name>Faces Servlet</servlet-name> </filter-mapping>

The allowed parameter is as follows:

com.sap.wec.HttpsSwitchFilter.enabled = [true]|[false]

This enables or disables the HTTPS switch filter. SAP considers a typo and missing parameter as activated filter [true] for security reasons.

66/118

CUSTOMER

2013-02-07

8 8.1

Network and Communication Security Communication Channel Security RECOMMENDATION

Do not switch off the HTTPS switch filter. For security reasons, we recommend that you place the HTTPS servlet filter at the second position of the servlet filters in the web.xml file, after the CharacterEncodingFilter.
NOTE

Enabling cookies to enable the full functionality of the HTTPS switch is mandatory.

8.1.1.3 Grace Period

If UME authentication is used and the SAP NetWeaver AS Java properties SessionIDRegeneration and SecuritySessionIDHTTPsProtection are activated, the HTTPS switch functionality interferes with the grace period specified for SAP NetWeaver AS Java. The grace period allows a group of parallel requests that meet certain criteria (for example have equal authentication configuration) to be accepted by SAP NetWeaver AS Java. The property default value is 2 seconds. This is used to distinguish valid requests from session fixation attacks. The HTTPS switch servlet filter is called at the beginning of the filter chain of Web Channel applications and checks the presence of the auto-generated cookie HTTPsRequired, after a successful UME logon. The cookie indicates that a switch to HTTPS has happened and that the Web Channel application shall run with HTTPS. If the user now uses an HTTP bookmark or browser back HTTP GET request directly after the successful authentication and within the grace period, then SAP NetWeaver AS Java does not execute the HTTPS switch filter to prevent a possible session fixation attack. However, there is one special case where a control is forwarded to the HTTPS switch, even if no session is present. This is the case when a POST request is received and the HTTPsRequired cookie is set but the protocol is HTTP. This is due to the fact that this might mean a user was already using HTTPS, but then clicked a HTTP bookmark or issued an HTTP request via browser back, while the JSessionMarkId cookie was set. In those cases, the JSessionMarkId cookie will not be sent via the HTTP request and thus the J2EE does not find the related session. However, this is not a session timeout and the HTTPS switch functionality resends the request using HTTPS, reconnecting the user to the session. As a consequence, the timeout functionality must forward the request to the HTTPS functionality to enable a reconnection to the original session, as illustrated in the figure below:

2013-02-07

CUSTOMER

67/118

8 8.1

Network and Communication Security Communication Channel Security

Ipv7%|@%CSEnable Reconnection to Original Session NOTE

To prevent SSL certificate issues on the browser side, the J2EE AS Java server is set up accordingly (SSL issuer name with a full qualified domain name). On the client side, the SSL certificate is installed in the Trusted Root Certificate Authorities Store for Internet Explorer. For Firefox, installing the certificate is sufficient.

8.1.1.4 HTTPS in the Administration Area

The Web Channel administration area operates with HTTPS for the whole session. This is achieved by using the transport guarantee Confidential in the corresponding security constraint definition of the Web descriptor of Web Channel applications:
SYNTAX Transport Guarantee <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint>

68/118

CUSTOMER

2013-02-07

8 8.2

Network and Communication Security Network Security

8.2 Network Security 8.2.1 Network Topology

We recommend that you run Web Channel applications in the secured network zone. The figure below introduces a possible network topology, which is secured by different firewalls and uses a reverse proxy server/Web dispatcher.
CAUTION

The business data of SAP NetWeaver AS ABAP servers for SAP CRM or SAP ERP can only currently be accessed synchronously via RFC. It is not possible to replicate required business data from a SAP CRM or SAP ERP back-end server to an SAP NetWeaver AS ABAP front-end server, nor is the reverse possible.

T{))8^b
y7lNetwork Topology

Web Channel applications leverage the standard SAP NetWeaver AS Java HTTP and HTTPS ports. The following references pertain to sections in the SAP NetWeaver Security Guide: http://help.sap.com/ saphelp_nw73/helpdata/en/4a/af6fd65e233893e10000000a42189c/frameset.htm: T For more information about the services and ports used by SAP NetWeaver, see the section Network Services. T For more information about how to set up the SAP NetWeaver AS Java securely, see the sections Technical System Landscape and Network and Communication Security. T For more information about how to set up a firewall, see the section Using Firewall Systems for Access Control. T For more information about how to set up multiple network zones, see the section Using Multiple Network Zones. For more information about how to set up a Web dispatcher, see SAP Web Dispatcher: http:// help.sap.com/saphelp_nw73/helpdata/en/48/8fe37933114e6fe10000000a421937/frameset.htm.

2013-02-07

CUSTOMER

69/118

8 8.3

Network and Communication Security Communication Destinations

For more information about how to set up a reverse proxy, see Configuring Reverse Proxy Settings: http:// help.sap.com/saphelp_nw73/helpdata/en/ba/08850933b342f9a3ab1f94c244625f/frameset.htm. For more information about setting up an SAProuter as an intermediate proxy between your SAP systems (Intranet) and the external Network (DMZ), see What Is SAProuter?:http://help.sap.com/ saphelp_nw73/helpdata/en/48/6b41efb74c07bee10000000a42189d/frameset.htm. For more information about determining which component has to be set up in which network segment, see the Installation Guide for SAP Web Channel Experience Management on SAP Service Marketplace at http://service.sap.com/wec-inst.

8.2.2 Ports
Web Channel applications run on, and use the ports from, SAP NetWeaver AS Java. For more information, see the topics for AS Java Ports in the SAP NetWeaver Security Guide: http://help.sap.com/ saphelp_nw73/helpdata/en/4a/af6fd65e233893e10000000a42189c/frameset.htm. For other components, for example, SAPinst, SAProuter, or SAP Web Dispatcher, see the document TCP/IP Ports Used by SAP Applications, available on SAP Developer Network at http://sdn.sap.com/irj/sdn/ security Infrastructure Security Network and Communications Security .

8.3 Communication Destinations 8.3.1 RFC Destinations

These destinations have to be defined in the Java destination service of SAP NetWeaver AS. The destination must be selected in Web Channel Builder when configuring an application.
CAUTION

Enable a Secure Network Communication (SNC) for RFC destinations. For more information, see Network and Communication Security: http://help.sap.com/saphelp_nw73/helpdata/en/4a/ af6fd65e233893e10000000a42189c/frameset.htm. For more information on SAP Gateway security settings, see SAP note 1408081 and Security Settings in the SAP Gateway: http://help.sap.com/saphelp_nw73/helpdata/en/48/ b2096e7895307be10000000a42189b/frameset.htm.
RECOMMENDATION

Use dedicated logon groups for the Web Channel RFC destinations to the back-end systems. For more information on logon load balancing and logon groups, see Recommendations for Logon Load Balancing and Logon Groups: http://help.sap.com/saphelp_nw73/helpdata/en/ c4/3a64c1505211d189550000e829fbbd/frameset.htm. The table below gives an overview of the destination, type, and user authorizations required.

70/118

CUSTOMER

2013-02-07

8 8.3

Network and Communication Security Communication Destinations Delivered Type User, Authorizations Description

Destination

<WEC default destination>

No

<WEC default destination>_SSO

No

RFC Destination authorization type: Configured user RFC Destination authorization type: Current user

Service user

Used for stateless or anonymous communication with the back-end system

<WEC default No destination>_COPY _SSO

<Server name>_<system number>_SSO

No

<WEC default No destination>_1TIM ECUST

RFC Destination authorization type: Current user RFC Destination authorization type: Current user RFC

User who is currently logged on Authorization of currently logged-on user is used; assigned by user management methods. User who is currently logged on

Used for stateful communication with the back-end system

Used for stateful connection for LORD scenario to maintain additional sales document Used for connections to the application server that has called the IPC application for pricing information.

Service User Used for connections used by The service user must the guest user scenario. have authorizations based on external services with suffixes TU and TU_STATEFUL.

The destination used by Web Channel Builder (WECB) is specified in the destination property in the scenario configuration properties file of the CDM_CONTENT for WECB. In the CDM_CONTENT, the destinations WEC_DEFAULT and WEC_ERP_DEFAULT are used, and these must be created in SAP NetWeaver AS Java before WECB can be started. You can use different destinations to differentiate between the WECB and the Web Channel applications. For example, for the <WEC default destination> for Web Channel applications, you can replace WEC_APP by WEC_APP_DEFAULT. If you need to run separate applications for consumer and contact scenarios, and you need to restrict the authorizations of the service user to the needs of the specific application, you must ensure that each application has its own destination and service user. The table below shows examples for separate destinations.
Destination Delivered Type User, Authorization Description

WEC_B2C No

RFC Consumer service user: SAP_CRM_WEC_TU_B2C

Used for stateless or anonymous communication with the backend system.

2013-02-07

CUSTOMER

71/118

8 8.3

Network and Communication Security Communication Destinations Description

Destination Delivered Type User, Authorization

WEC_B2B No

RFC Contact service user: SAP_CRM_WEC_TU_B2B

Used for stateless or anonymous communication with the backend system.

8.3.1.1 Automatic Creation of Destinations

Web Channel can create the destinations needed for the user that is currently logged on (where the destination authorization type is Current user) based on the default Web Channel destination (<WEC default destination>). These destinations are required for the configured application functionality. Only one destination for the back-end system needs to be defined in SAP NetWeaver AS Java. All other destinations, such as <WEC default destination>_SSO, <WEC default destination>_COPY_SSO, or <Server name>_<System number>_SSO are automatically created when they are required.
CAUTION

As there are potential security risks in using this approach, we strongly recommend that you ensure that this solution is feasible for you. The activation of this functionality is undertaken at your own risk. Perform the following steps: 1. Create a UME role using SAP NetWeaver AS Java User management (UME). 2. Assign the Destination Service Write Permission activity to the UME role. 3. Assign the UME role to the GUEST user or to the GUEST user role.

8.3.2 SAP NetWeaver MDM Destination

SAP NetWeaver MDM destinations must be defined in the Java destination service of SAP NetWeaver AS. The destination must be selected in Web Channel Builder when configuring an application. A secure connection can be configured. For more information, see the installation guide for SAP NetWeaver MDM for your operating system on SAP Service Marketplace at http://service.sap.com/ instguides, section Setting Up SSL Communication for MDM Servers.
Destination Delivered Type User, Authorizations Description

<WECdefault MDM No destination>

SAP SAP NetWeaver MDM Service NetW User eaver User needs role MDM WEBCHANNEL_CATALOG_DISPLA Y_ROLE.

Used for connections to SAP NetWeaver MDM server for Web Channel product catalog functionality. SAP NetWeaver MDM properties such as the repository name and

72/118

CUSTOMER

2013-02-07

8 8.3

Network and Communication Security Communication Destinations Delivered Type User, Authorizations Description

Destination

master data server name must be provided.

2013-02-07

CUSTOMER

73/118

This page is left blank for documents that are printed on both sides.

9 9.1

Data Storage Security Storage Areas

9 Data Storage Security

9.1 Storage Areas

Web Channel application data is located in different storage areas, depending on the type of data.

9.1.1 SAP Database

The main business data is stored in the database of the back-end SAP system. For special functionality, other data storage areas are used.

9.1.2 Cookies
Cookies store a small amount of data on the client browser. Web Channel uses the following types of cookies: eI Session cookies These are required to keep a client session, and are deleted when the browser is closed.
RECOMMENDATION

Keep session cookies turned on for both security and functional purposes. eI Persistent cookies These are used to store data on the client machine. Data storage security may not work if these cookies are disabled. For information about how to control cookie handling, see your Web browser documentation. The cookie and its data are stored in the Web browsers file system on the client machine. The following cookies are used in Web Channel:
Name
recoverCart

Content

Description

Java cart GUID

HTTPSRequired

Anonymous User ID

COMSAPWECUM01

Globally unique identifier (GUID) of the Java cart that is used to recover the shopping cart saved in the last session or saved due to a lost session. Indicates that the current session has switched to HTTPS (see below). GUID that can be used to identify the anonymous user.

2013-02-07

CUSTOMER

75/118

9 9.1

Data Storage Security Storage Areas

9.1.2.1 HTTPSRequired Cookie

The HTTPSRequired cookie is used within the Web Channel HTTPS switch functionality. It indicates that a switch to HTTPS has occurred and that the incoming HTTP request needs to be redirected to the HTTPS protocol. This is required in particular if SAP NetWeaver AS Java is set up to generate a security session after a successful UME authentication (activated by property SessionIDRegeneration). When the security session is generated, the secure flag (property SecuritySessionIDHTTPSProtection) is set for the corresponding JSessionMarkId cookie. This instructs the browser to send the cookie using the HTTPS protocol. In this case, the JSessionMarkId cookie is not included with any HTTP requests that can be triggered by using browser back or Web Channel application bookmarks within a session. Failure to send the JSessionMarkId cookie with every request after the authentication results in session timeout errors. To prevent this, the Web Channel HTTPS switch functionality adds the HTTPSRequired cookie to the response when the HTTPS switch takes place. The presence of the HTTPSRequired and JSessionId cookie, coupled with the absence of the JSessionMarkId cookie, is checked in the HTTPS servlet filter. The filter then sends a 302 response to the browser to redirect the request using the HTTPS protocol. The HTTPSRequired cookie is deleted within a successful logoff. In the event of a timeout, there is no valid HTTP request object, so the HTTPsRequired cookie cannot be reset. However, when the server receives the next request, the request switches to HTTPS (if necessary), as the cookie is still available. The attribute HTTPOnly is applied to the cookie to prevent its misuse by means of JavaScript, for example. The Secure attribute is not applied to the cookie, otherwise the cookie could not be sent to the server without using the HTTPS protocol. For more information, see Cookie Security in the Web Application Security chapter of this guide.

9.1.2.2 COMSAPWECUM01 Cookie

This cookie provides a global unique identifier (GUID) that is dynamically read or created in the Restore View phase of the JSF lifecycle. The GUID is supplied to the user Business Object (class UserCoreImpl.java) at runtime by means of the getAnonymousUserId method. This is needed for users who browse the Web shop before logging on. Once the user logs on, the GUID is no longer available for the Business Object. The cookie determines whether the current browser has already been used to visit the Web shop. The information supplied by the cookie makes it possible to provide specific Web shop content, such as the last searched-for product. When using the cookie's GUID, data privacy should be taken into consideration; the GUID is not intended for user identification. When you activate the cookie, the (anonymous) user can delete it

76/118

CUSTOMER

2013-02-07

9 9.1

Data Storage Security Storage Areas

using the browser tools, which erases the browser identification. Application using the cookie GUID should be aware of this. The COMSAPWECUM01 cookie is disabled by default. It is only created when you activate the phase listener 'UserPhaseListener' (currently commented-out) in the faces-config.xml file in the Users module of Web Channel Builder.
SYNTAX UserPhaseListener <lifecycle> <phase-listener>com.sap.wec.tc.module.user.UserPhaseListener</phase-listener> </lifecycle>

9.1.2.3 Java Cart Cookie (recoverCart)

You configure the Java cart in the Sales Transaction module of Web Channel Builder. When you enable the Java cart, the current shopping cart content is stored in a database table in the SAP NetWeaver AS Java DBMS, thereby making it possible for Web shop customers to recover their shopping cart if, for example, the session is unexpectedly terminated. The persistent recoverCart cookie is used to retrieve the anonymously-collected shopping cart if it was not posted.
NOTE

If a Web shop customers computer is used by different users with the same user account, the cookie is valid for all of these users.

9.1.2.4 Additional Cookies

SAP NetWeaver Application Server Java

Web Channel runs as an application in the Web container of SAP NetWeaver AS Java. The following cookies are created and controlled from SAP NetWeaver AS Java for Web Channel applications:
Cookie Name
jsession jsessionMarkID saplb

Description

Session cookie Security session cookie Load balancing cookie

Cookie settings are made in SAP NetWeaver Administrator of the corresponding SAP NetWeaver AS Java system. For more information, consult the application help for SAP NetWeaver.
Flash Scope

Web Channel is based on Java Server Faces and Apache MyFaces. To enable and handle Flash Scope, Java Server Faces creates the following cookies:

2013-02-07

CUSTOMER

77/118

9 9.1

Data Storage Security Storage Areas

) oam.Flash.redirect ) oam.Flash.rendermap.Token These cookies are not controlled by Web Channel.

9.1.3 Database of SAP NetWeaver AS Java

Some data is stored in the local database of SAP NetWeaver AS Java, such as the following: ) Shopping carts When using the Java cart in a Web Channel application, the data is stored in the SAP NetWeaver AS database. All data regarding shopping carts is stored in the database, although payment information such as the credit card number is excluded. ) Wish list In the Web Channel application, data belonging to a user-specific wish list is stored in the SAP NetWeaver AS database. The data contains information about products that a user has added to the wish list. There can be only one wish list per user. Wish list functionality is available exclusively for authenticated users, meaning that the user must log on to navigate to their wish list. In the database table, the user identifier and the Web Channel application are used to identify the user wish list. ) Web Channel application configuration data Web Channel applications are configured using Web Channel Builder. The customer settings are stored in the local database of SAP NetWeaver AS Java.

9.1.4 Secure Storage

Specific values of Web Channel application configurations are stored encrypted in the secure storage of the J2EE. The values are masked with asterisks (*) when displayed in Web Channel Builder. These parameters have the property type password in the configuration metadata. For example, the SAP NetWeaver MDM user password for Web Channel product catalog is displayed as asterisks. To ensure secure encryption, you must to install the cryptographic toolkit software for Java provided by SAP. For more information about installing the cryptographic software provided by SAP, see Installing the SAP Cryptographic Library on the AS Java for SNC: http://help.sap.com/saphelp_nw73/helpdata/en/ 9b/29f63def83c452e10000000a114084/frameset.htm.

9.1.5 File System

Web Channel configuration data can also be stored in the file system. In this case, the configuration data is stored in XML files in subfolders of the WEB-INF subdirectory CDM_CONTENT at the Web Channel application root.

78/118

CUSTOMER

2013-02-07

9 9.1

Data Storage Security Storage Areas

9.1.6 Encryption of Payment Cards

In Web Channel applications, you may use payment cards. For data protection reasons, we recommend that you store the encrypted payment card number on the database. For information about how to enable the encryption of payment card numbers, see the documentation for the Customizing activity Maintain Payment Card Type in the SAP CRM back end or SAP ERP back end.
CAUTION

Do not assign decryption authorization (B_CARD_SEC) to any unauthorized user. In particular, roles used for any user within Web Channel applications must not have the B_CARD_SEC authorization assigned to them.

9.1.7 Encryption of Gift Card Code

Web Channel allows Web shop customers to buy gift cards that can be used for payment. The backend system generates the gift card code and sends it as clear text by e-mail to the gift card recipient. When the gift card code is generated, it is hashed and the hash value is stored in the back-end system database. As part of the redemption process, the user enters the gift card code in the payment step of the checkout process. The code is hashed (SHA2 with 512bit) in the Web application on SAP NetWeaver AS Java, and the hash value is sent by RFC to the back-end system. After the user has paid, the code will be displayed masked.

9.1.8 Customer-Specific List Price

Web applications that use SAP NetWeaver Master Data Management (SAP NetWeaver MDM) can support business partner-specific pricing by storing the sold-to party in SAP NetWeaver MDM along with other pricing-related data. When a user is logged on to the Web shop, the users business partner ID is checked against the data in SAP NetWeaver MDM.

2013-02-07

CUSTOMER

79/118

This page is left blank for documents that are printed on both sides.

10 10.1

Web Application Security HTTP Request Serialization

10 Web Application Security

The following sections explain specific aspects of Web application security.

10.1 HTTP Request Serialization

Requests are queued for the purpose of serialization so that the back end is not called concurrently.

10.2 Cross Site Scripting (XSS)

To prevent XSS, Web Channel provides encoding of HTML output in most Web Channel UI components. In addition, the values of UI component attributes specified in Web Channel xhtml files, which are automatically rendered without modification in the HTML output stream, are encoded. Depending on the type of the attribute, it is either HTML encoded, JavaScript encoded, or URL encoded. The following dedicated security methods are available: q HTML encoding:
com.sap.security.core.server.csi.util.StringUtils.escapeToAttributeValue (strToEsc)

Example: <wec:outputText> is encoded as &lt;wec:outputText&gt; q JavaScript encoding:

com.sap.security.core.server.csi.util.StringUtils.escapeToJS(strToEsc)

Example: <script>alert(Security). q URL encoding:

</script> is encoded as \\u003cscript\\u003ealert

(\\"Security\\");\\u003c/script\\u003e

com.sap.security.core.server.csi.util.StringUtils.escapeToURL (queryStringValues)

The values of the name=value pair of the queryString is encoded. The complete URL is then validated against the URLChecker.isValid() method. For information about how the URL is validated, see the following JavaDoc: http://help.sap.com/javadocs/nwce/current/se/com.sap.se/com/
sap/security/core/server/csi/URLChecker.html CAUTION

The value attribute (htmlContent) of UI component OutputHTML is not HTML encoded, otherwise the provided HTML code would be escaped. For this reason, we recommend paying particular attention to the use of this UI component with regard to XSS attacks.

2013-02-07

CUSTOMER

81/118

10 10.3

Web Application Security Input Validation

For example, if the outputHTML component is used to incorporate content from a content management system, you must ensure that the content does not contain any malicious script code on the client side.
SAP NetWeaver MDM Catalog Item Overview

It is possible for catalog items to maintain an extended item description containing HTML in SAP NetWeaver MDM. This description is shown in the Overview tab page of the product details page. The maintenance of the text is not sanitized.

10.3 Input Validation

You can use the servlet filter SecurityFilter for additional input validation. The servlet filter provides black list filtering using regular expressions to validate request parameters and header values. If a pattern in a parameter or header value is found that matches a given regular expression, a SecurityFilterException is raised. The servlet filter is not enabled by default. To use the servlet filter, the servlet filter declaration provided below must be added to the web.xml file of the Web Channel applications, and regular expressions must be specified. If a servlet filter parameter is not specified or the value is empty, the parameter is not used in the servlet filter. The validation of a request parameter or header value is based on package java.util.regex in the following way:
SYNTAX Input Validation Pattern pattern = Pattern.compile(<parameterRegEx>); Matcher m = pattern.matcher(<parameterValue>); m.find(); SYNTAX Filter Declaration <filter> <filter-name>SecurityFilter</filter-name> <filter-class>com.sap.wec.tc.core.filter.SecurityFilter</filter-class> <init-param> <param-name>com.sap.wec.SecurityFilter.ParameterRegEx</param-name> <param-value></param-value> </init-param> <init-param> <param-name>com.sap.wec.SecurityFilter.HeaderRegEx</param-name> <param-value></param-value> </init-param> <init-param> <param-name>com.sap.wec.SecurityFilter.ExcludedParameters</param-name> <param-value></param-value> </init-param> </filter> <filter-mapping> <filter-name>SecurityFilter</filter-name>

82/118

CUSTOMER

2013-02-07

10 10.4

Web Application Security Session Riding: Cross Site Request Forgery (XSRF) <servlet-name>Faces Servlet</servlet-name> </filter-mapping>

The following is an example of a regular expression that checks for XSS patterns such as <script>alert ()</script> in request parameters:
SYNTAX Example of a Regular Expression <init-param> <param-name>com.sap.wec.SecurityFilter.ParameterRegEx</param-name> <param-value>\x3C\s*script[^\x3E]*\x3E(.*)\x3C\s*/script\s*\x3E</param-value> </init-param>

Please note that this regular expression does not detect all possible cross-site scripting attacks. You must adapt the regular expression to enable a state-of-the-art blacklist filter. Other regular expressions can be specified for the servlet filter parameters com.sap.wec.SecurityFilter.ParameterRegEx and com.sap.wec.SecurityFilter.HeaderRegEx, if required. The filter checks header and request parameters with regard to the given regular expressions. Specific request parameters can be excluded by listing the fully qualified input parameter IDs in the parameter com.sap.wec.SecurityFilter.ExcludedParameters. Parameters are separated by ; (semi-colons).
SYNTAX Example of an Exclusion of Request Parameters <init-param> <param-name>com.sap.wec.SecurityFilter.ExcludedParameters</param-name> <param-value>content:app:ApplicationView:det:iAppDesc; content:app:ApplicationView:det:iAppLongDesc;content:app:ApplicationView:det:iAp pName</param-value> </init-param>

10.4 Session Riding: Cross Site Request Forgery (XSRF)

Web Channel provides XSRF protection. The protection is activated by default. The validation is implemented by the servlet filter XSRFTokenEvaluation. The filter specification is integrated in the Web description of Web Channel applications. The following TAM diagram explains the main mechanism of the servlet filter when the server receives a request.

2013-02-07

CUSTOMER

83/118

10 10.4

Web Application Security Session Riding: Cross Site Request Forgery (XSRF)

#~: aZuP6p`XSRFTokenEvaluation Servlet Filter Mechanism

The filter is enabled by default. In case an application intends to temporarily deactivate the filter, the parameter value of the servlet filter parameter com.sap.wec.XSRFTokenEvaluationFilter.enabled must be exchanged and set to false in the web.xml file as in the following example:
SYNTAX <filter> <filter-name>XSRFTokenEvaluationFilter</filter-name> <filter-class>com.sap.wec.tc.core.filter.XSRFTokenEvaluationFilter</filterclass> <init-param> <param-name>com.sap.wec.XSRFTokenEvaluationFilter.enabled</param-name> <param-value>false</param-value> </init-param> </filter> CAUTION

We recommend that you keep XSRF protection enabled.

NOTE

You need the NetWeaver XSRF Protection Framework on SAP NetWeaver AS Java to enable the XSRF protection. For more information, see SAP Note 1450166.

84/118

CUSTOMER

2013-02-07

10 10.5

Web Application Security File Uploads

10.5 File Uploads 10.5.1 Virus Scanning for Uploaded Files

Some Web Channel components offer a file upload functionality that is based on the WCEM InputFile UI component. The file upload UI component supports the SAP Virus Scan Interface (VSI). The SAP Virus Scan Interface (VSI) can be used to include external virus scanners in SAP systems to increase security. To enable the virus scan for Web Channel applications, you must set up an external virus scanner and ensure that it is also enabled on the J2EE server. For more information about setting up the SAP virus scan interface, see the following: ) Under Secure Programming Java, see SAP Virus Scan Interface: http://help.sap.com/saphelp_nw73/
helpdata/en/44/6ad7e1e5254ddee10000000a1553f7/frameset.htm

) SAP Note 786179 ) The subsections that follow

Virus Scan Profile

Virus Scan (VS) profiles handle and control the virus scanning of uploaded files using the SAP Virus Scan Interface (VSI). You create VS profiles using the Virus Scan Provider Service in the SAP NetWeaver Administrator of SAP NetWeaver Java Application Server. To enable virus scanning, at least one VS profile must be active in SAP NetWeaver AS Java, and designated as the default profile. Attackers can abuse a file upload to modify displayed application content or to obtain authentication information from a legitimate user. Usually, virus scanners are not able to detect files designed for this kind of attack. For this reason, the standard SAP Virus Scan Interface includes an enhancement option to protect the user and/or the SAP system from potential attacks. The VS profile can also be used to filter out files with specific MIME types and file extensions by specifying black- and whitelists of allowed and disallowed MIME types and files extensions. For more information, see SAP Note 1693981.
Activating Virus Scanning for Web Channel Applications CAUTION

By default, the SAP Virus Scan Interface is disabled for Web Channel applications. We recommend that you enable virus scanning if you plan to allow files to be uploaded to the Web shop. For Web Channel 1.0 and 2.0, add the following to the Web Channel application web.xml file to enable virus scanning for the application:
SYNTAX File Upload <context-param> <param-name>com.sap.wec.upload.virusscan.enabled</param-name> <param-value>true</param-value> </context-param>

2013-02-07

CUSTOMER

85/118

10 10.6

Web Application Security Cookie Security

If you have not installed a virus scanner for the J2EE server, you must disable the virus scan in the application Web descriptor for the component to function. This is not recommended for productive usage. You enable virus scanning in the Common Settings module in Web Channel Builder. The Enable Virus Scan setting has the following options
Property Value Description

No No virus scan is performed. Yes (Server Default Profile) The default virus scan profile of SAP NetWeaver Application Server Java is used as default Web Channel virus scan profile. Yes The input field Virus Scan Profile is available where you enter the virus scan profile that is used as the default Web Channel virus scan profile.
NOTE

The Web descriptor parameter com.sap.wec.upload.virusscan.enabled is obsolete as of Web Channel 3.0.

10.5.2 Upload of Attachments

You use the settings under Attachments in the Common Settings module of Web Channel Builder to control the maximum file size and types that are allowed for uploaded attachments.

10.6 Cookie Security 10.6.1 Secure Cookie Attribute

The secure cookie attribute informs the browser whether a cookie should only be sent using a secure protocol such as HTTPS or SSL. Web Channel provides the central setting Secure Attribute for Web Channel applications. If this parameter is set to true, then the secure cookie attribute is set. This setting applies to all application cookies that support this parameter. A list of these cookies can be found below.
NOTE

As secure cookies are only sent with HTTPS, you must activate the Force HTTPS setting for the Web Channel application. The secure flag is not set if Force HTTPS is not activated. To improve security it is recommended to set the attribute.

10.6.2 HttpOnly Attribute

The HttpOnly cookie attribute prevents application cookies from being accessible in the browser by using client-side scripting, for example, JavaScript. Web Channel provides the central setting HTTP

86/118

CUSTOMER

2013-02-07

10 10.7

Web Application Security Session Fixation

Only Attribute for Web Channel applications. If this parameter is set to true, then it applies to all application cookies that support this parameter. A list of these cookies can be found below.
NOTE

The secureCookie and HttpOnly attributes for cookies controlled by SAP NetWeaver AS Java, such as the session ID and the load balancing cookie, can be set using the SAP NetWeaver Administrator application. For more information, see Session Security Protection in this guide. For specific Web Channel application cookies, the secureCookie and the HttpOnly attributes can be activated in the Web Channel application using Web Channel Builder. The below table shows which Web Channel cookies support these attributes.
Name
recoverCart HTTPsRequired COMSAPWECUM01

Secure Attribute

HttpOnly Attribute

Set by Scenario Parameter

Yes No Yes

Yes Yes Yes

Yes No Yes

10.6.3 Application Cookie Protection

For Web Channel application cookies, a detection of cookie manipulations is enabled. To make the protection more secure a secret can be specified in the Web descriptor using the context parameter com.sap.wec.WCFSecurity.CookieHashSalt.
NOTE

If you change the value of parameter com.sap.wec.WCFSecurity.CookieHashSalt for a deployed and active application, old cookies do not work. The cookie protection is currently available for the recoverCart cookie.

10.7 Session Fixation

Web Channel and SAP NetWeaver AS Java provide the following countermeasures against session fixation attacks: K R Security Session To prevent session fixation attacks, an additional session ID is created after user authentication.
NOTE

As a prerequisite, the UME authentication must be configured for Web Channel applications. Furthermore, the usage of the security session must be activated on SAP NetWeaver AS Java. For more information, see Session Security Protection in this guide. K R Deactivation of URL Session Rewriting

2013-02-07

CUSTOMER

87/118

10 10.8

Web Application Security Fast Session Timeout

To prevent session fixation attacks, the session ID must not be part of the Web application URLs. For more information, see URL Session Rewriting in the current chapter of this guide. b SSL/TLS We recommend setting up and using HTTPS for the whole session. For more information, see Session Security Protection in this guide.

10.8 Fast Session Timeout

The fast session timeout feature detects when the user has navigated away from the Web shop. The user session is terminated shortly after this condition is detected. Note that the session timeout limits the chances an attacker has to guess or steal an existing user session and to use a valid session ID from another user. For more information, see the Development and Extension Guide for SAP Web Channel Experience Management (Generic Information) on SAP Service Marketplace at http://service.sap.com/wecinst, section Framework Functions under Fast Session Timeout (FST).

10.9 Distributed Denial-of-Service Attacks (DDOS)

SAP does not provide in-house DDOS defense tools or mechanisms. For this reason, we strongly recommend that the Web Channel administrator uses third-party tools to protect against these types of attacks.

10.10 URL Session Rewriting

We recommend that you do not allow URL rewriting. This is especially true if any redirect to external service providers, for example payment service providers, is made. Set the DisableUrlSessionTracking property of the HTTP provider service to true or the disable_url_session_tracking ICM parameter to true. For more information on the HTTP provider service, see HTTP Provider Service: http://help.sap.com/saphelp_nw73/helpdata/en/4a/ 95204e00c638dde10000000a42189b/frameset.htm or ICM Administration: http://help.sap.com/ saphelp_nw73/helpdata/en/47/8d787bf41a4f8fad4c225bea4247bb/frameset.htm.

10.11 ZIP Bombs

Web Channel Builder provides the ability to import Web Channel application configurations. This is done by uploading a zip file containing the application configuration files. The functionality contains a protection against ZIP bombs.

88/118

CUSTOMER

2013-02-07

10 10.12

Web Application Security Autocompletion Attribute of UI Components

10.12 Autocompletion Attribute of UI Components

We recommend that the autocomplete attribute of input UI components such as <wec:inputText> be explicitly set to off for sensitive data. This instructs the browser not to provide the autocompletion functionality for this component. UI component <wec:inputSecret> provides the autocomplete=off by default.

10.13 Clickjacking
Web Channel does not provide protection against clickjacking attacks. We suggest that you follow the recommendations provided by the Open Web Application Security Project (OWASP) at https:// www.owasp.org/index.php/ClickjackFilter_for_Java_EE.

2013-02-07

CUSTOMER

89/118

This page is left blank for documents that are printed on both sides.

11 11.1

Security for Additional Applications Integrating Payment Service Providers

11 Security for Additional Applications

11.1 Integrating Payment Service Providers

Web Channel enables the integration of third-party payment service providers.
RECOMMENDATION

When you integrate third-party payment service providers, we recommend that you comply with your company security guidelines. When processing payment data, we recommend that you use HTTPS instead of HTTP. For more information about integrating payment service providers, see the Development and Extension Guide for SAP Web Channel Experience Management on SAP Service Marketplace at http:// service.sap.com/wec-inst, section Integration of Payment Service Providers.

11.2 Securing the Communication Between the Back-End System and SAP NetWeaver MDM
To perform the communication strategy outlined below for the master data transfer between the backend system and SAP NetWeaver MDM, a third-party Secure Socket Shell (SSH) application capable of port forwarding is required. Following the recommendations given in SAP Note 795131, proceed as follows: 1. Create an SSH port forwarding on the back-end system (SAP CRM/SAP ERP), that is, all data sent to a certain port will be forwarded using SSH to the destination system (the SAP NetWeaver MDM system). 2. Create an SSH port forwarding on the SAP NetWeaver MDM system, that is, all data received on a defined port will be forwarded to the local File Transport Protocol (FTP) server. With this securing communication strategy in place for the SAP CRM back end, the destination in the SAP CRM MW and the MDMGX configurations are no longer the IP of the SAP NetWeaver MDM server, but the local port with SSH forwarding enabled. The local port with forwarding enabled defines the IP of the SAP NetWeaver MDM server. The data flow is then as follows: The back-end system sends the data to the defined SSH forwarding port. This local port encrypts the data and sends it to the SAP NetWeaver MDM server's defined forwarding port. The SAP NetWeaver MDM server forwards the data to the local FTP server. All communication between the systems is encrypted using SSH.

2013-02-07

CUSTOMER

91/118

11 11.2

Security for Additional Applications Securing the Communication Between the Back-End System and SAP NetWeaver MDM

A potential scenario could be as follows: The CRM system configures port 12345 to perform SSH forwarding to MDMSERVERIP:54321. The SAP NetWeaver MDM server configures the port 54321 to forward to the port 21 (the port of the FTP server).

92/118

CUSTOMER

2013-02-07

12 12.1

Other Security-Relevant Information Security-Relevant Module Settings

12 Other Security-Relevant Information

12.1 Security-Relevant Module Settings

When configuring Web Channel applications in Web Channel Builder, the following settings in the Settings tab page are security-relevant: 1 u Back End and Destination under Main 1 u The settings under Security 1 u The settings under Authorization Trace The following modules in Web Channel Builder also contain security-relevant settings:
Module Settings

User

Common Settings Product Catalog Checkout Payment

1 u Policy Configuration under Logon Settings 1 u Enable Self-Registration 1 u The settings under Delegated User Administration 1 u Enable Virus Scan 1 u The settings under Attachments MDM Destination URL under Terms and Conditions 1 u The settings under Payment Methods 1 u Credit Card Types and Payment Service Providers under General Settings

12.2 Web Channel Builder (WECB)

The following sections provide security-relevant information pertaining to Web Channel Builder.

12.2.1 Web Channel Builder Applications

The Web Channel default delivery provides four Web Channel Builder applications. The applications result from combinations of: 1 u The back-end system (SAP CRM or SAP ERP) and 1 u The authentication method to use (UME or WEC Logon)
WECB Application Authentication Back-End System

wcbuilder wcbuilder_ume wcbuilder_erp wcbuilder_erp_ume

WECLogon UME Logon WECLogon UME Logon

SAP CRM SAP CRM SAP ERP SAP ERP

2013-02-07

CUSTOMER

93/118

12 12.2

Other Security-Relevant Information Web Channel Builder (WECB)

To support the SAP NetWeaver AS Java security settings, the Web Channel Builder (WECB) applications wcbuilder_ume and wcbuiler_erp_ume are preconfigured by default.
NOTE

You need to maintain the used Web Channel destinations as described in the section Communication Destinations of this guide. In addition, the certificate used by the UME to create SAP logon tickets or assertion tickets must be known by the back-end system. For more information, see the section Integration into Single Sign-On Environments in this guide. To add or remove WECB applications from the list of available applications, you must change the Java system property wcb.online.application.ids. You can use SAP NetWeaver Administrator NWA Configurations Infrastructure Java System Properties or the SAP NetWeaver AS Config Tool (config.bat) to perform the changes. Several entries can be separated by a comma. For more information, see the Installation Guide for SAP Web Channel Experience Management on SAP Service Marketplace at http://service.sap.com/wec-inst, section Post-Installation Steps for Web Channel Builder.
NOTE

Changes are only effective after a restart of the WECB application (NWA-based change) or after a restart of SAP NetWeaver AS Java (change based on Config Tool).
RECOMMENDATION

SAP recommends using the WECB applications leveraging UME logon.

12.2.2 Application Preview in Web Channel Builder

Web Channel Builder (WECB) allows you to preview new and existing Web Channel applications. To prevent unauthorized preview operations from being carried out in the applications URL, previewed applications are enhanced with a unique URL parameter value known as a token. During the creation of the URL, the token is generated and stored in the Java database. The lifetime of this token is defined in milliseconds using the context parameter in the web.xml file. The default token lifetime is one hour.
SYNTAX Token Lifetime Definition Using the Context Parameter <!-- lifetime of the token which is used for preview --> <context-param> <param-name>lifetime.preview.wcb.wec.sap.comparamname>lifetime.preview.wcb.wec.sap.com> <param-value>3600000param-value>3600000> </context-param>

When the Web Channel application preview is called, it is checked first to ensure that the token for the given appId and configId is available and valid. In case of an incorrect token, a TokenNotValidException is triggered. Otherwise, the preview is started.

94/118

CUSTOMER

2013-02-07

12 12.3

Other Security-Relevant Information Web Channel User Management

The URL parameter wec-configid is only considered in preview mode. In all other cases, the active online configuration is started.

12.2.3 Web Channel Builder Password Change

Web Channel Builder currently does not provide password change functionality. WECB users must use password change functionality from the UME or from the back-end system, depending on the user management configuration.

12.2.4 Web Channel Builder Logon

Early logon is mandatory for Web Channel Builder. The logon uses the HTTPS protocol, and if Web Channel Builder is called using HTTP, the system redirects to the HTTPS protocol. Please note that when the logon method WECLogon is used (in wecbuilder and wecbuilder_erp applications) an expired or initial user password is not detected. To change the password of a Web Channel Builder user, you use the password change functionality in SAP NetWeaver User Management. We recommend using UME logon to improve security.

12.2.5 Web Channel Builder Settings

You make settings for Web Channel Builder applications only in their CDM_CONTENT sources. Furthermore, you must make these settings before you deploy Web Channel Builder to SAP NetWeaver Application Server Java. This impacts the following security-relevant settings for Web Channel Builder: -\ Virus scan enabling and virus scan profile -\ Authorization trace activation -\ Destination -\ Logon method

12.3 Web Channel User Management

The following sections provide security-relevant information about the User module in Web Channel Builder.

12.3.1 User Management Configuration

In addition to the user management-specific settings in UME and in the back-end systems, Web Channel user management is configured in the User module in Web Channel Builder. Here you can define the authentication and user identification type to use, specify self-registration settings, select e-mail

2013-02-07

CUSTOMER

95/118

12 12.3

Other Security-Relevant Information Web Channel User Management

templates, specify handling for forgotten passwords (security questions), and enable the guest user scenario.

12.3.2 Self-Registration Process

Web Channel provides users with a self-registration process. This process can be set up as single page registration, or as a guided activity. Depending on the configuration, the user account is either active immediately after registration (allowing the user to log on right away), or must be activated following registration. In the latter case, an activation mail is sent to the users e-mail address. This e-mail includes a URL containing an activation key. The user has to open the URL to activate the user account. It is also possible to define a validity period for the activation key. The validity of the activation key is defined in days. For more information, see SAP Library for SAP Web Channel Experience Management on SAP Help Portal at http://help.sap.com/wec. Choose a release and then Application Help. In SAP Library, choose User Management Registration User Registration .

12.3.3 Forgotten Password

Web Channel provides functionality to help users who have forgotten their Web shop password. This functionality is enabled in the User module in Web Channel Builder. When users forget their password, they can generate a new one. To do so, they must provide data to identify themselves. The type of data to be provided is selected in the User module. A security question can also be specified. The system sends the new password to the user's e-mail address. When the user logs on with the new password, they must immediately change it. For more information, see SAP Library for SAP Web Channel Experience Management on SAP Help Portal at http://help.sap.com/wec. Choose a release and then Application Help. In SAP Library, choose User Management Logging On with the Consumer Scenario or Logging On with the Contact Scenario.

12.3.4 Guest User Scenario

The guest user scenario allows users to, for example, order products without registering with the Web shop. The user in this scenario works on an anonymous technical user (an SU01 user), and a reference business partner. The name and address of the guest user is only required during checkout.
RECOMMENDATION

To avoid prolonged system resource allocation, enable the fast session timeout feature. For more information, see Fast Session Timeout in the Web Application Security chapter of this guide.

96/118

CUSTOMER

2013-02-07

12 12.4

Other Security-Relevant Information Web Channel Administration Area

Due to the fact that the guest user scenario does not use authentication, the scenario is potentially vulnerable against session fixation attacks. We recommend deactivating URL session rewriting. For more information, see URL Session Rewriting in the Web Application Security chapter of this guide.

12.3.5 User Groups

An SU01 user can be assigned a user group for authorization checks. Only users having the appropriate rights (granted by authorization object S_USER_GRP) can create and maintain users of a given user group. Web Channel user management enables the assignment of a user group that is used for user creation through self-registration and user administration. The user group must be specified in the configuration settings for the User module in Web Channel Builder.

12.3.6 Digitally-Signed E-Mails

After Web shop customers have confirmed their registration in the Web shop, they receive a confirmation e-mail. To authenticate this confirmation e-mail, a digital signature can be used. Since digitally signed e-mails are user-dependent, you can decide if you want to authenticate your emails. You need to enter parameter BCSSIGN in your user profile in transaction SU01. In user management, the technical user (WEC_USER) is used to send the digital signature. Therefore, the user profile of this technical user needs to be adapted in transaction SU01. The sent e-mails are classified as Confidential by default. This ensures that an administrative user is not able to read the sent e-mails in transaction SOST.
NOTE

For more information, see SAP Note 149926. Since SAP does not deliver proprietary tools to digitally sign e-mails, you need to use third-party tools. Use transaction SCOT to connect the third-party tool to the SAP ABAP mail system. To enable the use of digital signatures in the SAP CRM and SAP ERP back ends, use report RSCONN5.

12.4 Web Channel Administration Area 12.4.1 Restricting Access to the Administration Area of Web Channel Applications
Every Web Channel application contains pages for technical support of the application. These pages provide the following features: * Session logging * File monitoring

2013-02-07

CUSTOMER

97/118

12 12.5

Other Security-Relevant Information Security-Relevant Information for Other Web Channel Modules

 CCMS heartbeat  JCO monitoring You can access the administration pages at the following location:
https://<server>:<https-port>/<deployment_unit>/com.sap.common/adminStartPage.jsf.

For more information, see HTTPS in the Administration Area in the Communication Channel Security section of this guide.
NOTE

It is mandatory to restrict the access to the administration pages from the Internet. This should be done by HTTP proxy or a reverse proxy. The administration pages are secured using ticket authentication (default SAP NetWeaver AS Java logon policy). Access to administration pages is limited by security roles. For more information, see the Security Guide for SAP NetWeaver on SAP Service Marketplace at http://service.sap.com/ securityguide, section User Roles on NetWeaver AS Java.

12.5 Security-Relevant Information for Other Web Channel Modules 12.5.1 Java Cart
You configure the Java cart in the Sales Transaction module. If activated, shopping cart contents are stored in a database table on the SAP NetWeaver AS Java DBMS. This allows customers to recover shopping cart contents if, for example, the session terminates unexpectedly. A persistent recoverCart cookie is created to retrieve the anonymously collected shopping cart if it was not posted.
NOTE

If a customer computer is used by different users with the same user account, the cookie is shared by all these users.

12.6 Additional Security Information 12.6.1 JavaScript

Web Channel applications use JavaScript extensively. If JavaScript is disabled on the browser, the application may not work as expected.

12.6.2 AJAX
AJAX functionality in Web Channel is provided by jQuery library. This functionality cannot be deactivated.

98/118

CUSTOMER

2013-02-07

12 12.6

Other Security-Relevant Information Additional Security Information

12.6.3 Theme Server Location and HTTPS

In displayed pages, the Web Channel framework renders the URL for mimes, such as CSS and JavaScript (URL manipulation). JavaScript and CSS can be outsourced to an external server, not necessarily running with the same protocol of the Web Channel application. As a result, a security warning popup appears when several data sources are not opened from the same protocol. To block the warning popup, Web Channel Builder contains two dedicated input fields, one for the normal HTTP URL and one for the secure URL of the external mime server. To access the fields, choose Details of the active configuration Modules and open the uicomponentconfig link. The fields are located on the Settings tab.

12.6.4 Search Engine Optimization

The shipped version of Web Channel does not contain a robot.txt file. We recommend you create a robot.txt file if you want to restrict access to your pages for search engine robots.

12.6.5 Web Application ID (WEC-APPID)

Some request parameters are critical and play an important role in the initialization of Web Channel applications. These request parameters cannot be changed once a session has started. Whenever an attempt is made to change critical request parameters while a session is running, the system displays an error page to the user. By default, changing the Web Channel application ID parameter, wecappid, would result in the system displaying an error page. However, you can adjust the parameter value in such a way that a change can be permitted without generating an error. To do so, specify the following context parameter in the web.xml file:
SYNTAX Web Application ID Parameter <!-- Whether wec-appid request param is enabled. If enabled, the current session is invalidated and the new URL is allowed. If disabled, error page is shown that wec-appid cannot be changed within the session. --> <context-param> <param-name>com.sap.wec.appidchange.enable</param-name> <!-- possible values are true/false --> <!-- true means appid change is allowed without any error pages --> <param-value> false </param-value> </context-param>

12.6.6 Error Page and Runtime Error Stack

Ensure that you disable the display of the runtime error stack in your productive applications.

2013-02-07

CUSTOMER

99/118

12 12.6

Other Security-Relevant Information Additional Security Information

Specify the project stage as Production. The project stage can be used to set up the current state of the Web Channel application in a typical product development life cycle. You can configure the project stage in the following ways: @ Request Parameter This option is only possible for users with certain administration privileges (see authorization object COM_WET_RT). Set the request parameter javax.faces.PROJECT_STAGE in the URL, for example:
http://<url>/somepage.jsf?wec-projectstage=Production

This is normally only used to test in productive mode in the development and test phase. @ Config Tool Set Java system parameter com.sap.projectStage in the SAP NetWeaver AS Java Config Tool. If your J2EE server is still running, stop it using the SAP Management Console in case it is still running. 1. Start the configtool.bat on your J2EE. 2. Select the instance on the navigation tree and the VM parameters on the right detail pane, then select the System tab. 3. Create a new parameter with the name com.sap.projectStage. @ JNDI You have to use telnet to change the JNDI value for the project stage using the parameter name java:comp/env/ProjectStage. 1. Start telnet and connect to the server with the following command: Open <server> 2. Log on with the J2EE administrator user and enter the following commands: @ @
add naming bind java:comp/env/ProjectStage<ProjectStage>, for example bind java:comp/env/ProjectStage Production

3. Restart your application. @ Web Descriptor Set the context parameter javax.faces.PROJECT_STAGE as shown below:
<context-param> <param-name>javax.faces.PROJECT_STAGE</param-name> <param-value>Production</param-value> </context-param>

12.6.7 URL Parameter wec-debug

Adding the URL parameter wec-debug to a Web Channel application request yields the following information: @ The name of each view component on a Web page @ In case of a runtime error, the runtime stack trace instead of an error page

100/118

CUSTOMER

2013-02-07

12 12.6

Other Security-Relevant Information Additional Security Information

t> The error messages that are normally traced when the trace level is set to DEBUG The parameter is only used if the service or Internet user has the appropriate authorizations. For more information, see Authorization Required for Setting Certain Request URL Parameters in the Authorization chapter of this guide.
CAUTION

Do not assign the authorizations to use the parameters to the normal service and internet user roles. The authorization should be granted using a special role that can be assigned to users in special cases for instance if application support is needed. If the project is in production mode, the system parameter wec.debug.enabled must be set to true to allow the parameter to be used. The parameter is set to False by default.
CAUTION

We recommend setting the parameter to False in productive mode. In this mode the parameter should only be activated in exceptional cases, such as when application support is required.

12.6.8 Exception Hierarchy and Mapping to Error Pages

Web Channel servlet filters can raise exceptions when the system encounters an error or is subject to attack. The exception hierarchy is shown in the following diagram:

t>+OBSh;Exception Hierarchy

You can map exceptions to a dedicated error page of your choice. Whether you do this for every servlet filter exception or to a parent exception depends on your scenario. Mapping is performed in the web.xml file as follows:

2013-02-07

CUSTOMER

101/118

12 12.6

Other Security-Relevant Information Additional Security Information SYNTAX Exception Mapping <exception-type>com.sap.wec.tc.core.filter.exceptions.SessionTimeoutException</ exception-type> <location>/sap.wcf/com.sap.common/redirectToRefererPage.xhtml</location> </error-page>

12.6.9 Dynamic UI Help Texts

The Web Channel dynamic UI enables UI definition in a declarative way. You can modify help texts that are presented to users by applying the following dynamic UI XML tag:
<helpDescription output=html>comsapcommon.common.01.scenarioconfig.applurl.help</ helpDescription>

The UI component OutputHTML allows HTML formatting of texts in the browser. You enable the component by using the attribute output=html.
CAUTION

When modifying help texts, we advise against entering HTML code that allows, for example, crosssite scripting attacks.

102/118

CUSTOMER

2013-02-07

13

Payment Card Security According to PCI-DSS

13 Payment Card Security According to PCI-DSS

The Payment Card Industry Data Security Standard (PCI-DSS) was jointly developed by major credit card companies to create a set of common industry security requirements for the protection of cardholder data. Compliance with this standard is relevant for companies processing credit card data. For more information, see http://www.pcisecuritystandards.org. Web Channel relies on payment functionality provided by the SAP CRM or SAP ERP back-end system. Refer to the security guide for your back-end system for information about implementing payment card security, and the steps required to comply with the PCI-DSS. Please note that the SAP security guides are application-specific, and that the PCI-DSS encompasses more than the steps and considerations covered in the guides. It is the customers responsibility to ensure that they are fully compliant with the PCI-DSS. For general information about ensuring payment card security, see the Payment Card Security Guide, listed among the security guides for SAP ERP, on SAP Service Marketplace at http://service.sap.com/securityguide. For updated general PCI-DSS information, see also SAP Note 1609917.

2013-02-07

CUSTOMER

103/118

This page is left blank for documents that are printed on both sides.

14 14.1

Security Logging and Tracing Web Channel Log and Trace Files

14 Security Logging and Tracing

Web Channel applications rely on SAP NetWeaver AS ABAP and SAP NetWeaver AS Java. Thus, the SAP NetWeaver security logs and traces are valid for Web Channel applications as well.
NOTE

If you want to activate JCO traces or RFC traces, see the following notes: h RFC Trace: 1148023 h JCO Trace: 1521137

14.1 Web Channel Log and Trace Files

Web Channel logging and tracing is configured centrally using the log configuration service of SAP NetWeaver AS Java. The service is configured using the Administrator tool of SAP NetWeaver AS Java. Make sure that the severity level for the following locations is set to ERROR: h h
com.sap.wec com.sap.wcf NOTE

UI elements based on the UI component for secure input (mainly used for passwords) are not logged into traces/logs prepared by the Web Channel UI component framework.

14.2 Session Trace

Web Channel supports a single-session trace. This trace obtains the information for a particular session, and is used by developers or by support personnel. The severity is set to DEBUG during the session trace. The log location is set to com.sap.wec and com.sap.wcf in the init-config.xml. Please note that session tracing only functions in a non-clustered environment where no load balancing takes place. This means that Web Channel applications can only be deployed to a single instance with one server node. To switch the trace on, perform the following steps: 1. To start the session logging page, enter the following URL in your browser:
http:<server>:<port>/<deployment_unit>/com.sap.common/adminStartPage.jsf

The logon page of the admin area is displayed.

2013-02-07

CUSTOMER

105/118

14 14.3

Security Logging and Tracing Excluding Sensitive Data from Session Tracing

2.

3.

4.

Enter the credentials of a user who is authorized to use the admin area. For more details about the user, see the section User Roles on SAP NetWeaver AS Java in this guide. The homepage of the admin area is displayed. Select the tab Session Logging. From the list of available Web Channel applications of the deployment unit, you can now select the Web Channel application for which session logging shall be performed. You can also activate session logging of excluded locations, if required. Follow the instructions on the Session Logging page. After having stopped the trace by clicking the button, a link appears where you can download the log file.

14.3 Excluding Sensitive Data from Session Tracing

When the trace level is set to DEBUG, Web Channel UI components trace all data. To ensure that sensitive data, such as credit card numbers and back account data, are not traced, you can turn off tracing for a given component. This is done using a UI component parameter called trace. When set to False, the trace of the UI component is prevented, and the information that would have been traced is replaced by default text, such as Component attribute TRACE is set to false. Debug trace is prevented. The trace attribute is supported by the components <wec:outputText> and <wec:inputText>.
EXAMPLE <wec:outputText id=someId value=CREDIT_CARD_NUMBER value=CREDIT_CARD_NUMBER_TOOLTIP trace=false />

106/118

CUSTOMER

2013-02-07

15 15.1

Web Service Security Authentication

15 Web Service Security

Web Channel supports the development of restful Web services based on the Open Data Protocol (OData). OData was initiated by Microsoft to provide a standard for platform-agnostic interoperability. OData is a Web protocol for querying and updating data. It applies and builds on Web technologies such as HTTP, Atom Publishing Protocol (AtomPub), and JSON (JavaScript Object Notation) to provide access to information from a variety of applications. It is easy to understand and extensible, and provides consumers with a predictable interface for querying a variety of data sources. For the basic data operations, that is, Create, Read, Update, and Delete (CRUD), the usual HTTP request methods PUT, GET, POST, and DELETE are used. In addition to the CRUD operations, OData supports the following main features: b< Processing of data lists, for example by trimming, sorting, or paging b< Data filtering b< Links to data entities b< Provision of metadata for each Web service For more information about OData, see http://www.odata.org.
NOTE

No Web services currently exist to create Web service users. Furthermore, Web services do not support password changes, meaning that Web services cannot handle initial or expired passwords. To create users and perform password changes, access the user management functionality offered by the User Management Engine (UME) or by User Management (transaction SU01) in the back-end system.

15.1 Authentication
Web service authentication is based on settings you make in the User module in Web Channel Builder. For Web services, the same logon methods (UME Authentication and WECLogin) are supported.

15.1.1 Configuration
The authentication process is configured by the scenario parameters Login Scenario and User Storage System. If the user storage system is using SAP NetWeaver AS Java User Management Engine/Identity Management (UME), you must specify the policy configuration in the logon settings of the Users module in Web Channel Builder. The logon policy is valid in Web Channel for Web services and Web applications,

2013-02-07

CUSTOMER

107/118

15 15.1

Web Service Security Authentication

and currently you can specify only one logon policy. For this reason, the policy that you select must support both authentication processes. For example, the Form logon policy, which is the default for Web Channel, supports basic authentication as well as HTML runtime.
Authentication Required

For Web services that require authentication, set the authRequired attribute to true in the wsconfig.xml file, as shown in the following example:
SYNTAX Authentication Attribute <?xml version="1.0" encoding="UTF-8"?> <webServices> <webService webServiceName="" authRequired="true" > </webService> </webServices> NOTE

If authentication is required but no user credentials are provided, the system returns a 401 Unauthorized HTTP status code. If authentication is required and the incoming Web service request is not secure, the system returns a 403 Forbidden HTTP status code.
Authentication Servlet Filter

The system performs the authentication process using the servlet filter class WebServicesAuthenticationFilter. The servlet filter class must run after the WebServicesSessionInitializationFilter, because the servlet filter class requires a Web Channel Web service session context. We strongly recommend that you keep the authentication filter activated.

15.1.2 Authentication Mechanisms

The following subsections describe authentication mechanisms that are supported by Web Channel Web services. We recommend that you use SSL/TLS to secure the HTTP connection.
Basic Authentication

Basic authentication is supported as specified in RFC 2617. The user credentials are provided using the HTTP header Authorization with value Basic and the Base64 encoded string that consists of user ID + ":" + password.
EXAMPLE Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== NOTE

If authentication is required, the system returns the 401 Unauthorized HTTP status code only. The WWW-Authenticate header is not added to the response.

108/118

CUSTOMER

2013-02-07

15 15.2

Web Service Security Communication Channel Security: Force HTTPS

X.509 Client Certificates

Client certificates are supported if the logon method you select for Web Channel uses UME. Set the Policy Configuration setting in the Users module in Web Channel Builder to an authentication stack that supports client certificates such as client_cert. As a prerequisite, SAP NetWeaver AS Java must be set up to enable client-server communication based on SSL/TLS. Measurements are taken to enable a secure storage of the client certificate on the client side, for example on a mobile device.
Single Sign-On

Single sign-on is supported if the logon method you select for Web Channel uses UME. Set the Policy Configuration setting in the Users module in Web Channel Builder to ticket or to an authentication stack that supports single sign-on mechanisms. For example, a MYSSO2 SAP single sign-on cookie can be added to the OData request that is issued from any previously accessed SAP system.

15.2 Communication Channel Security: Force HTTPS

For Web services that require HTTPS, set the httpsRequired attribute to true in the ws-config.xml file, as shown in the following example:
SYNTAX HTTPS Attribute <?xml version="1.0" encoding="UTF-8"?> <webServices> <webService webServiceName="" httpsRequired="true"> </webService> </webServices>

15.3 Error Handling: Project Stage

The project stage can be used to set up the current state of the Web service application in a typical product development lifecycle. You configure the project stage in the Web Channel application using one of the following values: G |+ Development G |+ UnitTest G |+ SystemTest G |+ Production In the web.xml file, set the context parameter com.sap.wec.webservices.PROJECT_STAGE, as shown in the following example:
SYNTAX WebServices Project Stage <context-param>

2013-02-07

CUSTOMER

109/118

15 15.4

Web Service Security Logging and Tracing <param-name>com.sap.wec.webservices.PROJECT_STAGE</param-name> <param-value>Production</param-value> </context-param>

Depending on the project stage, the system sends detailed error information, including stack traces, to the Web service consumer. To prevent any information disclosure, we recommend that you set the project stage to Production in productive mode.

15.4 Logging and Tracing

Category and Location for Web Services

Logs that are specific to Web services use the category /Applications/Common/Infrastructure/ WEB_CHANNEL_FRAMEWORK/WEB_SERVICE. You can locate Web service traces by filtering within the Java package com.sap.wec.tc.core.webservices, or any of its subpackages.
Request/Response Trace

You can write Web service requests and their responses into the trace file. Since both requests and responses can contain sensitive data, the caller needs to explicitly allow them to be written; you do this by passing the wec-debug parameter either as URL or header parameter. Furthermore, special authorization is required to use the wec-debug parameter. To enable the debug trace in the log configuration, and to filter all request and response traces in the log viewer, you can use the following location: com.sap.wec.tc.core.webservices.util.WebServicesRequestTraceUtil For information about providing authorization to use the wec-debug parameter, see Authorization Required for Setting Certain Request URL Parameters in the Authorization chapter.

15.5 Session Handling

Stateless Session Support

The Web service framework provides a proper initialized environment for Web service development. Beneath application scoped framework objects, which are initialized during bootstrap of the application or by lazy load mechanism, the framework also creates session-based objects, the lifetime of which is restricted to the HTTP session. This functionality is implemented in filter WebServicesSessionInitializationFilter. To determine a Web service application and its application-based configurations and module definitions, an ID is required. If the Web service application ID is not available, the system returns a 400 Bad Request HTTP status code. To ensure that the called application is configured for Web service runtime scenarios, the system uses the method checkIfRuntimeScenarioIsValid. If the application is not appropriately configured, the system returns a 404 Not Found HTTP status code.

110/118

CUSTOMER

2013-02-07

15 15.6

Web Service Security Authorizations

As RESTful services are stateless by default, the HTTP session is invalidated after request processing within this filter.
Stateful Session Support

The Web Channel Framework session object WecSession is stateful, which requires that the HTTP session be terminated for every request. This functionality is implemented in filter WebServicesSessionInitializationFilter. Web Channel framework allows you to keep the state. In case of stateful session, the WecSession object is stored in the HTTP session, and the session is not destroyed until the ReleaseState service operation is called or the session times out. You can enable stateful support using the Java system property wec.webservices.stateful.enabled in the Java System Properties of the SAP NetWeaver Administrator application on SAP NetWeaver AS Java. If the system property is set to true, you can initiate stateful behavior by calling the service operation KeepState. All Web services that are called after the KeepState operation run in the same HTTP session. To invalidate the HTTP session, the ReleaseState service operation must be called. The two system service operations are only visible in the metadata and available to be run if the Java System Property is enabled.

15.6 Authorizations
Web Channel does not provide security constraints related to OData Web Services. If you require security constraints, use UME authentication and create corresponding UME user roles.
NOTE

If you use security constraints to control specific HTTP verbs, you must take into account the fact that verb tampering could be used to bypass Web authentication and authorization. For more information, see the Aspect Security Web site (https://www.aspectsecurity.com/). On the Free & Open Documents page under the Research menu, download Bypassing Web Authentication and Authorization with HTTP Verb Tampering (2008). After you create security constraints, configure Web Services to require authentication. Special care must be taken if no authentication artifacts are provided for the Web services, as this causes the Web container to take over the authentication process. If you run Web services standalone, configure SAP NetWeaver AS Java and the Web Channel applications to support basic authentication (Basic) or client certificates (Cert), otherwise the response may not contain adequate values. If you run Web service business functionality on the SAP CRM or SAP ERP back-end system, authorization checks are performed, and this requires that you create corresponding user roles for the users. Use authorization tracing to determine the required authorizations. For more information, see the following section, as well as the Authorization chapter in this guide.

2013-02-07

CUSTOMER

111/118

15 15.7

Web Service Security Authorization Tracing

15.7 Authorization Tracing

Web Channel enables authorization tracing for Web services. External services created for remote function calls triggered by Web service functionality are identified by the additional character sequence WS in the external service name.
EXAMPLE WEC_MODULE_WS_user_WU

15.8 Cross-Site Request Forgery Protection

Web Channel does not currently provide protection for Web service enablement against cross-site request forgery attacks. You must implement your own protective measures.

112/118

CUSTOMER

2013-02-07

16

Security Checklist

16 Security Checklist

The following table provides an overview of the measures to perform to ensure Web Channel application security.
Topic Security Measure Details

Network security

Set up a secure network topology using firewalls and reverse proxies. Activities Performed in SAP NetWeaver AS ABAP (SAP CRM, SAP ERP) Session security protection Set up trusted system management, and enable credit card encryption in the PCA master. User management Access User Maintenance (transaction SU01) to create the following: qyFNd Web Channel Builder users qyFNd Service users for Web Channel destinations qyFNd Reference users for self-registration Role maintenance, which includes Create roles for Internet users and service the following: users for your Web Channel applications. If you enable user self-registration, do the qyFNd Maintenance of critical authorization objects following: Ensuring that you do not assign qyFNd qyFNd Create a reference user and assign it full authorizations to objects the Internet user role of the corresponding Web Channel qyFNd Ensuring that you do not assign the COM_WEC_RT authorization application. object to Web Channel user qyFNd Adapt the service user role to allow roles the assignment of the user role (S_USER_AGR) and corresponding user profile (S_USER_PRO). If using delegated user administration, do the following: qyFNd In the relevant Customizing activities, maintain the user roles that can be assigned. qyFNd Set up the relevant user module settings. Activities Performed in SAP NetWeaver AS Java Session security, which includes the Enable HTTPS and clarify which of the following: following scenarios you would like to implement: qyFNd Session fixation protection qyFNd Settings for the security session qyFNd Web Channel applications run HTTPS cookie for the whole session

Chapter 8.2

Chapter 7

Chapter 5

Chapter 6

qyFNd Chapter 7 (for information on session fixation and settings for security session cookie)

2013-02-07

CUSTOMER

113/118

16

Security Checklist

Topic

Security Measure

Details

Jw URL session rewriting

Virus scanning

User Management Engine (UME), which includes the following: Jw Authentication Jw Single sign-on Jw Session fixation protection Jw X.509 client certificates Jw Integration of special authentication approaches

Jw Web Channel applications switch to HTTPS only when authentication takes place Based on the scenario you select, specify parameters for session security protection. In SAP NetWeaver AS Java, make the recommended settings for the security session cookie. Disable URL session rewriting. Enable virus scanning by doing the following: Jw Set up an external virus scanner and ensure that it is also enabled on the J2EE server. Jw Create a virus scan profile for Web Channel in SAP NetWeaver AS Java. Do the following: Jw Specify the user persistency to use for the UME. Jw Configure the UME. Jw Set up trusted system management.

Jw Chapter 10.10 (for information on URL session rewriting)

Chapter 10.5

Jw Chapter 5 (for information on authentication and single sign-on) Jw Chapter 10 (for information on session fixation) Jw Chapter 15 (for information on X.509 client certificates) Jw SAP NetWeaver Identity Management Security Guide:
http:// service.sap.com/ securityguide

SAP

Communication destinations

Do the following: Jw Create required RFC and SAP NetWeaver MDM destinations for Web Channel applications. Jw Use Secure Network Communication/HTTPS for the destinations. Activities Performed in SAP Web Channel Experience Management Authorization tracing Run authorization traces to determine required authorizations. User management Do the following to configure customer logon:

NetWeaver SAP NetWeaver Identity Management Chapter 8.3

Chapter 6.1.3 Chapter 5

114/118

CUSTOMER

2013-02-07

16

Security Checklist

Topic

Security Measure

Details

Virus scanning Cookie security Error handling Cross-site scripting Cross-site request forgery Session fixation

Lf Specify the logon method. The recommended and default method is UME authentication. Lf Specify the user identification type and whether early logon is required. Lf If user self-registration is used, create a reference user and assign it the Internet user role of the corresponding Web Channel application. Lf If delegated user administration is used, maintain the user roles that you assign in Customizing. Lf Make settings in the required modules of Web Channel Builder. To set up functionality for forgotten passwords, define security questions. Enable virus scanning, and maintain the default virus scan profile for Web Channel. Specify cookie security settings. Set the project stage to Production in productive mode. -

Chapter 10.5 Chapter 10.6 Chapter 12.5.6 Chapter 10.2 Chapter 10.4 Chapter 10.8

2013-02-07

CUSTOMER

115/118

Typographic Conventions

Example
<Example>

Description

Example Example Example

Example

Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, Enter your <User Name>. Arrows separating the parts of a navigation path, for example, menu options Emphasized words or expressions Words or characters that you enter in the system exactly as they appear in the documentation Textual cross-references to an internet address Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web Hyperlink to an SAP Note, for example, SAP Note 123456 hNSO Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options. hNSO Cross-references to other documentation or published works hNSO Output on the screen following a user action, for example, messages hNSO Source code or syntax quoted directly from a program hNSO File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE Keys on the keyboard

http://www.sap.com /example

123456 Example

Example

EXAMPLE

EXAMPLE

116/118

CUSTOMER

2013-02-07

SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 34 F +49/18 05/34 34 20 www.sap.com

Copyright 2013 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.
Disclaimer

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for disclaimer information and notices.

Documentation in the SAP Service Marketplace

You can find this document at the following address: http://service.sap.com/instguides

2013-02-07

CUSTOMER

117/118

SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 34 F +49/18 05/34 34 20 www.sap.com

Copyright 2013 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.