
Direct Store Delivery: Security Guide

Release 2005

ADDON.ERPSECGUIDE_DSD

SAP Online Help 14.11.2006

Copyright

© Copyright 2006 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


Icons in Body Text

The following icons are used in the body text:

- Caution
- Example
- Note
- Recommendation
- Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Typographic Conventions

- Example text (quoted from the screen): Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. The same style is used for cross-references to other documentation.
- Example text (emphasis): Emphasized words or phrases in body text, graphic titles, and table titles.
- EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
- Example text (screen output): Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
- Example text (user entry): Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
- <Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
- EXAMPLE TEXT (keys): Keys on the keyboard, for example, F2 or ENTER.

Contents

- Direct Store Delivery: Security Guide
  - Introduction
  - Before You Start
  - Technical System Landscape
  - User Administration and Authentication
    - User Management
    - User Data Synchronization
    - Integration Into Single Sign-On Environments
  - Authorizations
  - Network and Communication Security
    - Communication and Channel Security
    - Network Security
    - Communication Destinations
  - Data Storage Security
  - Other Security-Relevant Information
  - Trace and Log Files


Introduction

This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.

Target Audience

- Technology consultants
- System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time.

A mobile device is much more vulnerable than a server. Whereas the server is in a separate room, the mobile device is used on the road. It is therefore relatively easy to gain physical access to the file system of the mobile device. The operating systems of a number of mobile devices (especially PDAs) also provide neither sufficient protection against access nor authorization systems at file level. The exposure increases further when a mobile device is shared by multiple users.

The mobile device can be threatened by, for example, the following potential dangers:

- Loss of the device
- Theft
- Use by an unauthorized person
- Data manipulation in the file system

These demands on security apply likewise to the Direct Store Delivery scenario. To assist you in securing the Direct Store Delivery scenario, we provide this Security Guide.

We strongly recommend consulting the SAP Mobile Infrastructure Security Guide, the SAP NetWeaver Security Guide, the SAP ECC Security Guide and the SAP Customer Relationship Management (CRM) Security Guide in addition to this document.

About this Document

Direct Store Delivery (DSD) is a business scenario often used in the Consumer Products (CP) industry to sell and distribute goods directly to the customer's store, bypassing the retailer's warehouses.

Key success factors for the high margins in DSD are:

- An integrated mobile solution to support the sales and distribution activities of your mobile workforce
- Alignment between sales force and distribution through integrated scheduling
- Low distribution costs through efficient visit control

This security guide provides security-relevant information for the Direct Store Delivery (DSD) scenario.

Much security-relevant information about the SAP and non-SAP products used can be found in the specific security guides of those products.

For information about the fundamental security guides that relate to Direct Store Delivery, see Before You Start.

In many cases the required information has already been provided in other security guides and in configuration and installation guides. In these cases, this guide provides a reference to the relevant units.

All security guides are available at http://service.sap.com/securityguide.

Before You Start

Fundamental Security Guides

For each application, the guide to consult and the most relevant sections or specific restrictions:

- SAP NetWeaver 2004s: SAP NetWeaver Security Guide. See SAP NetWeaver 2004s Security Guides (Complete).
- SAP Mobile Infrastructure: SAP Mobile Infrastructure Security Guide. See SAP NetWeaver 2004s Security Guides (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type MI.
- SAP ECC 6.0: mySAP ERP 2005 Security Guide. See mySAP ERP 2005 Security Guides.
- Operating Systems and Database Platforms: SAP NetWeaver 2004s DB and OS Platform Security Guides. See SAP NetWeaver 2004s DB and OS Platform Security Guides.

For a complete list of the available SAP Security Guides, see the Quick Link securityguide on the SAP Service Marketplace.

You can find all security guides and other security-relevant documentation for Direct Store Delivery as follows:

- SAP for Consumer Products Master Guide: service.sap.com/instguides → Industry Solution → Industry Solution Master Guides → SAP for Consumer Products
- Direct Store Delivery Documentation: help.sap.com → mySAP ERP → SAP ERP Central Component → Logistics → Logistics Execution
- SAP Mobile Infrastructure: help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant's Guide → Mobilizing Business Processes
- SAP NetWeaver Documentation: help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s
- SAP NetWeaver '04 Installation Guide: service.sap.com/instguides → SAP NetWeaver → Release 2004s → Installation

Important SAP Notes

The most important SAP Notes that apply to the security of the Direct Store Delivery scenario are listed below.

- SAP Note 775561, Security Guide: SAP Direct Store Delivery. The note covers all problems discovered after the publication of the security guide, and provides additional information about security issues.
- SAP Note 602993, Root Certificates in the Truststore of the SAP ME Client Component.

Additional Information

For more information about specific topics, see the Quick Links listed below.

Quick Links to Additional Information

- Security: service.sap.com/security
- Security Guides: service.sap.com/securityguide
- Related SAP Notes: service.sap.com/notes
- Released platforms: service.sap.com/platforms
- Network security: service.sap.com/network and service.sap.com/securityguide
- Technical infrastructure: service.sap.com/ti
- SAP Solution Manager: service.sap.com/solutionmanager


Technical System Landscape

Use

For more information about the technical system landscape, see the resources listed below (topic: guide or tool, Quick Link on the SAP Service Marketplace).

- Technical description for Direct Store Delivery and the underlying technological components such as SAP NetWeaver: Master Guide, service.sap.com/instguides
- Technical configuration and High Availability: Technical Infrastructure Guide, service.sap.com/ti
- Security: service.sap.com/security

User Administration and Authentication

Direct Store Delivery uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP Web Application Server Java and ABAP. Therefore, the security recommendations and guidelines for user administration and authentication described in the Security Guide for Usage Type AS also apply to Direct Store Delivery.

In addition to these guidelines, the following topics provide information about user administration and authentication that applies specifically to Direct Store Delivery.

User Management

Use

User management for the Direct Store Delivery scenario uses the mechanisms provided by the SAP Web Application Server ABAP and Java, for example, tools, user types, and password policies. For an overview of how these mechanisms apply to the Direct Store Delivery scenario, see the sections below. In addition, we provide a list of the standard users required for operating the Direct Store Delivery scenario.

User Administration Tools

The list below shows the tools to use for user management and user administration with the Direct Store Delivery scenario.


User Management Tools

- User Management Engine (UME) administration console: Use the web-based UME administration console to maintain users, roles and authorizations in Java-based systems that use the UME for the user store, for example, the SAP Web AS Java and the Enterprise Portal. The UME also supports various persistency options, such as the ABAP Engine or a directory server.
- SAP Web AS Java user management using the Visual Administrator: Use the Visual Administrator to maintain users and roles on the SAP Web AS Java. The SAP Web AS Java also supports a pluggable user store concept. The UME is the default user store.
- User Management for the ABAP Engine (transaction code SU01): Use the user management transaction SU01 to maintain users in ABAP-based systems.
- Profile Generator (transaction code PFCG): Use the Profile Generator to create roles and assign authorizations to users in ABAP-based systems.
- Central User Administration (CUA): Use the CUA to centrally maintain users for multiple ABAP-based systems. Synchronization with a directory server is also supported.
- SAP Mobile Infrastructure Client User Management: The SAP Mobile Infrastructure Client Component uses its own user management. For more information, see the SAP Mobile Infrastructure Security Guide → User Administration and Authentication.

For a detailed description of the user management tools available in SAP NetWeaver, see the SAP Service Marketplace at http://service.sap.com/securityguide → SAP NetWeaver Security Guide → User Administration and Authentication → User Management → User Management Tools.

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.

For more information on these user types, see User Types in the Security Guide for Usage Type AS.

Standard Users

The table below shows the standard users that are necessary for operating the Direct Store Delivery scenario. The Default password column states whether the user is delivered with an initial password.

System | User ID | Type | Default password | Description
SAP WebAS | <sapsid>adm | SAP System Administrator | To be entered | SAP NetWeaver 2004s Installation Guide
SAP WebAS | SAPService<sapsid> | SAP System Service Administrator | To be entered | SAP NetWeaver 2004s Installation Guide
SAP WebAS | SAP standard ABAP users (SAP*, DDIC, EARLYWATCH, SAPCPIC) | See SAP NetWeaver Security Guide | See SAP NetWeaver Security Guide | SAP NetWeaver 2004s Security Guides (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide → User Authentication → Protecting Standard Users
SAP WebAS | SAP standard SAP Web AS Java users (Administrator, Guest, Emergency) | See SAP NetWeaver Security Guide | See SAP NetWeaver Security Guide | SAP NetWeaver 2004s Security Guides (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server Java Security Guide → User Administration and Standard Users
SAP MI Client Component | End user | Dialog | No | Security Guide for Usage Type MI*
SAP MI Server Component | End user | Dialog | INIT if created with copy function | Security Guide for Usage Type MI*
SAP MI Server Component | Administrators for the SAP MI Web Console | Dialog | No | Security Guide for Usage Type MI*
SAP MI Server Component | Administrator for CCMS | Dialog | No | Security Guide for Usage Type MI*
SAP MI Server Component | Administrator for Smart Synchronization | Dialog | No | Security Guide for Usage Type MI*
SAP MI Server Component | Batch user for batch tasks | System or Dialog | No | Security Guide for Usage Type MI*
SAP MI Server Component | Service user for displaying detailed error message texts if server logon failed | System | No | Security Guide for Usage Type MI*
Backend | End user | Dialog | No | Security Guide for Usage Type MI*

* You will find further information in the SAP NetWeaver 2004s Security Guides (Complete) under Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type MI → Security Guide for SAP Mobile Infrastructure → User Administration → User Types.

For information about SAP NetWeaver standard users, see the SAP Service Marketplace at http://service.sap.com/ → SAP NetWeaver 2004s Security Guides (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide → User Authentication → Protecting Standard Users.

For information about SAP NetWeaver password rules, see the SAP Service Marketplace at http://service.sap.com/securityguide → SAP NetWeaver 2004s Security Guides (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide → User Authentication → Authentication and Single Sign-On → Logon and Password Security in the SAP System → Password Rules.

For information about SAP Mobile Infrastructure passwords and password rules, see the SAP NetWeaver 2004s Security Guides (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type MI → Security Guide for SAP Mobile Infrastructure → Authentication → Passwords (Without Single Sign-On).

User Data Synchronization

Use

To reduce administrative effort, user data synchronization can be useful in your system landscape. As the components of the Direct Store Delivery scenario are based on SAP NetWeaver, all the mechanisms for user data synchronization of SAP NetWeaver are available for Direct Store Delivery.

For information about user data synchronization, see the SAP Service Marketplace at http://service.sap.com/securityguide → SAP NetWeaver 2004s Security Guide (Complete) → User Administration and Authentication → Integration of User Management in Your System Landscape.


Integration Into Single Sign-On Environments

Use

Direct Store Delivery partly supports the Single Sign-On (SSO) mechanisms provided by the SAP Web Application Server Java and ABAP. Therefore, the security recommendations and guidelines for user administration and authentication described in the SAP Web Application Server Security Guide also apply to SAP Direct Store Delivery.

The supported mechanisms are listed below.

SAP Mobile Infrastructure does not support single sign-on. For more information, see the SAP NetWeaver 2004s Security Guides (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type MI → Security Guide for SAP Mobile Infrastructure → Authentication → Passwords (Without Single Sign-On).

Secure Network Communications (SNC)

SNC is available for user authentication and provides an SSO environment when using SAP GUI for Windows or remote function calls.

For more information, see Secure Network Communications (SNC) in the Security Guide for Usage Type AS.

SAP logon tickets

Direct Store Delivery supports the use of logon tickets for SSO when using a Web browser as the front-end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket. Because the ticket on its own authenticates the user, it must only travel over the SSL-protected HTTP channels recommended under Communication and Channel Security.

You can find more information under SAP Logon Tickets in the Security Guide for Usage Type AS.

Client certificates

As an alternative to user authentication with a user ID and password, users using a Web browser as a front-end client can also provide X.509 client certificates for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer protocol (SSL) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

You can find more information under Client Certificates in the Security Guide for Usage Type AS.


Authorizations

Use

The Direct Store Delivery scenario uses the authorization concept provided by the SAP Web Application Server. Therefore, the recommendations and guidelines for authorizations described in the Security Guide for Usage Type AS also apply to the Direct Store Delivery scenario.

The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the Profile Generator (transaction PFCG) on the SAP Web AS ABAP and the User Management Engine's user administration console for SAP Web AS Java.

For information about assigning applications to the users of a role in the SAP Mobile Infrastructure, see the documentation of SAP Mobile Infrastructure on help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant's Guide → Mobilizing Business Processes → Assigning of Mobile Components to Users → Assigning Mobile Components Using a Role Profile.

The Direct Store Delivery scenario, being based on the component SAP Mobile Infrastructure, also uses some additional mechanisms to control the authorizations and access of users. These mechanisms are listed below.

Role Editing for Mobile Applications

Authorizations are assigned in the SAP Mobile Infrastructure according to the SAP authorization concept.

You can find detailed information about the authorization concept of SAP Mobile Infrastructure in the documentation of SAP Mobile Infrastructure on help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant's Guide → Mobilizing Business Processes → Configuration of SAP NetWeaver AS → General Settings → Role Editing.

Creating a User Group for Synchronization

If mobile applications are assigned to a role in a backend system, the role synchronization (WAF_DEPLOYMENT_FROM_ROLES) creates, for each user with this role that does not yet exist on the SAP Web AS, a user with the same name, without authorizations and with an initial password. Treat these automatically created users like any other user with an initial password: include them in your password policy and review them after each synchronization run.

The detailed description of this functionality can be found in the documentation of SAP Mobile Infrastructure on help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant's Guide → Mobilizing Business Processes → Configuration of SAP NetWeaver AS → General Settings → Creating a User Group for Synchronization.
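The user-type policy under User Types, the standard users listed under Standard Users, and the users that the role synchronization creates with an initial password all reduce to checks that can be run over a user inventory. The following Python script is an added example and not SAP code: it audits a constructed list of user records against three rules (dialog users must rotate their passwords while system users are exempt; the standard ABAP users SAP*, DDIC, EARLYWATCH and SAPCPIC must not keep an initial password; users created by WAF_DEPLOYMENT_FROM_ROLES must not keep their initial password). The record layout, the created_by field, the sample users and the 90-day limit are assumptions; in a real system the data would come from SU01 or a CUA export.

```python
"""Audit a user inventory against the password and user-type policy
sketched in this guide.

Added example, not SAP code. The record layout, the `created_by` field
and the sample users are assumptions; real data would come from SU01 or
a CUA export.
"""
from dataclasses import dataclass

# Standard ABAP users named in the standard-users table of this guide.
STANDARD_ABAP_USERS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC"}

# Assumed: the role-synchronization report named under "Creating a User
# Group for Synchronization" is recorded as the creator of the users it
# generates.
ROLE_SYNC_CREATOR = "WAF_DEPLOYMENT_FROM_ROLES"


@dataclass
class User:
    name: str
    user_type: str           # "Dialog", "System", "Communication" (subset of SAP user types)
    password_initial: bool   # True while the initial password was never changed
    password_age_days: int   # days since the last password change
    locked: bool
    roles: tuple = ()
    created_by: str = ""     # assumed field: report or administrator that created the user


def audit_users(users, max_password_age_days=90):
    """Return (user name, finding) pairs for every policy violation found."""
    findings = []
    for u in users:
        if u.locked:
            continue  # a locked account cannot log on, so it is not reported
        if u.name.upper() in STANDARD_ABAP_USERS and u.password_initial:
            findings.append((u.name, "standard user still has initial password"))
        if u.user_type == "Dialog" and u.password_age_days > max_password_age_days:
            # Only interactive users must rotate passwords; background and
            # system users are deliberately exempt (see "User Types").
            findings.append((u.name, "dialog user password older than policy"))
        if u.created_by == ROLE_SYNC_CREATOR and u.password_initial:
            # Created by role synchronization without authorizations and
            # with an initial password that was never changed.
            findings.append((u.name, "role-sync user never changed initial password"))
    return findings


# Constructed sample inventory (not real system data).
SAMPLE_USERS = [
    User("SAP*", "Dialog", password_initial=True, password_age_days=400, locked=False),
    User("DDIC", "Dialog", password_initial=False, password_age_days=30, locked=False),
    User("EARLYWATCH", "Dialog", password_initial=True, password_age_days=400, locked=True),
    User("SAPCPIC", "Communication", password_initial=True, password_age_days=400, locked=False),
    User("DRIVER01", "Dialog", password_initial=False, password_age_days=120, locked=False,
         roles=("Z_DSD_DRIVER",)),
    User("DRIVER02", "Dialog", password_initial=True, password_age_days=5, locked=False,
         created_by=ROLE_SYNC_CREATOR),
    User("DSD_BATCH", "System", password_initial=False, password_age_days=400, locked=False,
         roles=("Z_DSD_BATCH",)),
]


if __name__ == "__main__":
    for name, finding in audit_users(SAMPLE_USERS):
        print(f"{name:12s} {finding}")
```

Locked accounts are skipped because they cannot log on; deciding whether to keep them locked is a separate review step. The check never needs the password values themselves, only the initial-password flag and the age, so it can run on an export without handling secrets.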

Maintaining Transaction Screens for the Settlement Cockpit

The transaction screens visible in the Settlement Cockpit can be controlled by two special customizing tables. In the first, the screens available in the Settlement Cockpit are maintained; in the second, the available screens can be set active or inactive.

The detailed description of this functionality can be found in the Direct Store Delivery Configuration Guide → Route Accounting → Route Settlement → Settlement Cockpit → Maintaining Transaction Screens and Activating Transaction Types.


Accessibility Control on the Mobile Devices

To administer security measures on mobile devices, access by mobile users to specified transactions on the mobile device can be controlled by customizing settings. Groups and group-specific roles are linked, and can be given a password.

The detailed description of this functionality can be found in the Direct Store Delivery Configuration Guide → Mobile Device Connectivity → Administration of Mobile Devices.

Administration of Mobile Device Settings

Administrator control over mobile applications on mobile devices can be configured by customizing settings on different levels: globally, by group, or for individual devices.

The detailed description of this functionality can be found in the Direct Store Delivery Configuration Guide → Mobile Device Connectivity → Administration of Mobile Device Settings.

Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) and network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, intruders cannot use those layers to compromise the machines and gain access to the backend system's database or files.

Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for the Direct Store Delivery scenario is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the Direct Store Delivery scenario. Details that apply specifically to the Direct Store Delivery scenario are described in the following topics.

For more information, see the following sections in the SAP NetWeaver Security Guide:

- Network and Communication Security
- Security Aspects for Connectivity and Interoperability

Communication and Channel SecurityUse

 As communication channels transfer all kinds of your business data, they should be protectedagainst unauthorized access. SAP offers general recommendations and technologies toprotect your system landscape, based on SAP NetWeaver.

You should activate the Secure Network Communication (SNC) for RFC andSecure Sockets Layer Protocol (SSL) for http within all communication channelsin the Direct Store Delivery scenario to achieve a secure system landscape.

For information about the communication security of SAP NetWeaver, see the

SAP Service Marketplace at http://service.sap.com/securityguide → 

Page 15: Direct Store Delivery- Security Guide

8/10/2019 Direct Store Delivery- Security Guide

http://slidepdf.com/reader/full/direct-store-delivery-security-guide 15/21

SAP Online Help 14.11.2006

Direct Store Delivery: Security Guide 2005 15

SAP NetWeaver 2004s Security Guides (Complete) → Network andCommunication Security .

For information about security aspects for connectivity and interoperability of SAP NetWeaver, see the SAP Service Marketplace at http://service.sap.com/securityguide → SAP NetWeaver 2004s Security Guides (Complete) → Security Guides for Connectivity and Interoperability Technologies.

For information about security aspects for connectivity and interoperability of SAP Mobile Infrastructure, see the documentation of SAP Mobile Infrastructure on help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant’s Guide → Mobilizing Business Processes → Installing SAP MI on the Mobile Device → Configuration of Security (Optional).

The table below shows the communication paths used by the Direct Store Delivery scenario, the protocol used for the connection and the type of data transferred.

Communication Paths

| Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection |
|---|---|---|---|
| Front-end client using SAP GUI for Windows to application server | DIAG | All application data | For example passwords, business data |
| Front-end client using a Web browser to application server | HTTP(S) | All application data | For example passwords, business data |
| Application server to application server | RFC, HTTP(S) | Integration data | Business data |
| Application server to third-party application | HTTP(S) | All application data | For example passwords, business data |

For more information about communication paths and the data sent and received within the Direct Store Delivery scenario, see the SAP Service Marketplace at http://service.sap.com/ibc → Industry Solutions → Consumer Products → Direct Store Delivery → Configuration Guide → System Connections.

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol, that is, by using HTTPS rather than plain HTTP on every path listed above; unprotected HTTP exposes exactly the passwords and business data the table marks as requiring special protection.

For more information, see Transport Layer Security  in the SAP NetWeaver Security Guide.


Network Security

Use

Your network infrastructure is extremely important in protecting your system. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level), or network attacks such as eavesdropping.

SAP offers general recommendations to protect your system landscape based on SAP NetWeaver.

For information about network security of SAP NetWeaver, see the SAP Service Marketplace at http://service.sap.com/securityguide → SAP NetWeaver 2004s Security Guides (Complete) → Network and Communication Security.

The minimum requirement for your network infrastructure is a firewall in front of every service you provide via the Internet.

A more secure variant is to protect your systems (or groups of systems) by placing the different groups in separate network segments, each protected by a firewall against unauthorized access. Note that attacks can also come from "inside": once an intruder controls one of your systems, the traffic it sends to the others looks like legitimate internal traffic, so the rules between segments should permit only the flows the scenario actually needs.
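The segmented topology just described is easier to keep honest when the deployed firewall rules are checked against an explicit allow matrix instead of being read by eye. The following Python script is an added example, not code from this guide or from SAP: it derives the permitted segment-to-segment flows from the Communication Paths table, parses a packet-filter rule dump in iptables-save syntax, and reports a missing default deny, any ACCEPT rule outside the matrix (for instance DIAG reachable from the Internet) and any policy flow that has no rule at all. The instance number (00, hence TCP 3200 for DIAG, 3300 for the RFC gateway and 44300 for HTTPS on the ICM), the segment CIDRs, the placement of the third-party application and the Internet-facing entry point in a DMZ, and the rule dump itself are all assumptions constructed for the example.

```python
"""Check a deployed packet-filter ruleset against the segment policy (added example).

Assumptions not taken from the guide: SAP instance number 00, hence DIAG on
TCP 3200, the RFC gateway on 3300 and HTTPS on the ICM on 44300; the segment
CIDRs; and that the third-party application and the Internet-facing entry
point live in a DMZ. The rule dump below is constructed in iptables-save syntax.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

SERVICES: Dict[str, int] = {"DIAG": 3200, "RFC": 3300, "HTTPS": 44300}

SEGMENTS: Dict[str, str] = {
    "internet": "0.0.0.0/0",
    "dmz": "10.0.1.0/24",
    "client_lan": "10.1.0.0/16",
    "server_lan": "10.2.0.0/24",
}

# Flows derived from the Communication Paths table; everything else is denied.
ALLOWED: Set[Tuple[str, str, str]] = {
    ("client_lan", "server_lan", "DIAG"),    # SAP GUI for Windows
    ("client_lan", "server_lan", "HTTPS"),   # Web browser
    ("server_lan", "server_lan", "RFC"),     # application server to application server
    ("server_lan", "server_lan", "HTTPS"),
    ("server_lan", "dmz", "HTTPS"),          # application server to third-party application
    ("internet", "dmz", "HTTPS"),            # the only service offered to the Internet
}

RULE_RE = re.compile(
    r"^-A FORWARD -s (\S+) -d (\S+) -p tcp(?: -m tcp)? --dport (\d+) -j (ACCEPT|DROP)$"
)


def _segment(cidr: str) -> Optional[str]:
    for name, net in SEGMENTS.items():
        if net == cidr:
            return name
    return None


def _service(port: int) -> Optional[str]:
    for name, p in SERVICES.items():
        if p == port:
            return name
    return None


def parse_forward_chain(dump: str) -> Tuple[bool, List[Tuple[str, str, int]]]:
    """Return (default policy is DROP, ACCEPT rules as (src_cidr, dst_cidr, port))."""
    default_drop = False
    accepts: List[Tuple[str, str, int]] = []
    for line in dump.splitlines():
        line = line.strip()
        if line == "-P FORWARD DROP":
            default_drop = True
            continue
        m = RULE_RE.match(line)
        if m and m.group(4) == "ACCEPT":
            accepts.append((m.group(1), m.group(2), int(m.group(3))))
    return default_drop, accepts


def audit_ruleset(dump: str) -> List[str]:
    """Findings: no default deny, ACCEPT rules outside the policy, policy flows without a rule."""
    findings: List[str] = []
    default_drop, accepts = parse_forward_chain(dump)
    if not default_drop:
        findings.append("FORWARD chain default policy is not DROP (no default deny)")
    seen: Set[Tuple[str, str, str]] = set()
    for src_cidr, dst_cidr, port in accepts:
        flow = (_segment(src_cidr), _segment(dst_cidr), _service(port))
        if None in flow or flow not in ALLOWED:
            findings.append(f"ACCEPT outside policy: {src_cidr} -> {dst_cidr} tcp/{port}")
        else:
            seen.add(flow)
    for flow in sorted(ALLOWED - seen):
        findings.append("policy flow has no rule: %s -> %s %s" % flow)
    return findings


# Constructed rule dump: default ACCEPT, DIAG exposed to the Internet, two policy flows missing.
SAMPLE_DUMP = """
-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -d 10.2.0.0/24 -p tcp -m tcp --dport 3200 -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -d 10.2.0.0/24 -p tcp -m tcp --dport 44300 -j ACCEPT
-A FORWARD -s 10.2.0.0/24 -d 10.2.0.0/24 -p tcp -m tcp --dport 3300 -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d 10.2.0.0/24 -p tcp -m tcp --dport 3200 -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d 10.0.1.0/24 -p tcp -m tcp --dport 44300 -j ACCEPT
"""

if __name__ == "__main__":
    for finding in audit_ruleset(SAMPLE_DUMP):
        print(finding)
```

Run it against the output of `iptables -S FORWARD` on the segment firewall; the matrix stays the single source of truth, so adding a path to the scenario means adding one tuple to ALLOWED rather than editing rules by hand.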

For information about access control using firewalls, see the SAP Service Marketplace at http://service.sap.com/securityguide → SAP NetWeaver 2004s Security Guides (Complete) → Network and Communication Security → Using Firewall Systems for Access Control.

Communication Destinations

Use

Users and authorizations stored in connection destinations become serious security flaws if they are handled carelessly.

Golden rules for connection users and authorizations:

- Choose user type Communication or System for the connection user, never a dialog user.
- Assign only the minimum required authorizations to the user.
- Choose a secure, secret password for the user.
- Store logon data in a destination only for users of type Communication or System.
- Choose trusted-system functionality whenever possible instead of storing connection user logon data. On the trusting side, grant the S_RFCACL authorization only for the specific calling system and users that need it.
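The rules above, together with the SNC and SSL recommendation from the Communication and Channel Security section, can be turned into an automated check. The following Python audit is an added example, not part of this guide or of SAP's own tooling: it walks a list of destination records and reports RFC destinations without SNC or with an SNC quality of protection below privacy, HTTP destinations without SSL, stored logon data for users that are not of type System or Communication, stored users holding SAP_ALL or SAP_NEW, and passwords stored where a trusted-system relationship exists or would do. The record fields are illustrative (shaped after the SM59 destination attributes and the user type in USR02) rather than an official export format, and every destination name, user and value in the sample is constructed.

```python
"""Audit of RFC and HTTP destinations against the connection-user rules (added example).

The record layout is illustrative: it follows the shape of SM59 (destination
type, SNC settings, SSL, stored logon data, trusted-system flag) and of the
user type in USR02-USTYP, but it is not an official export format. All
destination names, users and values below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# SNC quality of protection: 1 = authentication only, 2 = integrity, 3 = privacy.
SNC_QOP_PRIVACY = 3
# USR02-USTYP: A = Dialog, B = System, C = Communication. Only B and C may be stored.
STORABLE_USER_TYPES = {"B", "C"}
WIDE_PROFILES = {"SAP_ALL", "SAP_NEW"}


@dataclass
class Destination:
    name: str
    rfc_type: str                      # "3" = ABAP/RFC connection, "H"/"G" = HTTP connection
    snc_active: bool = False
    snc_qop: int = 0
    ssl_active: bool = False
    stored_user: Optional[str] = None  # logon data saved in the destination, if any
    stored_password: bool = False
    user_type: Optional[str] = None    # USR02-USTYP of stored_user
    trusted: bool = False              # trusted-system relationship instead of a password
    profiles: Set[str] = field(default_factory=set)


def audit_destination(d: Destination) -> List[str]:
    """Return one finding per violated rule; an empty list means the destination is clean."""
    findings: List[str] = []

    # Channel protection: SNC for RFC, SSL for HTTP
    if d.rfc_type == "3":
        if not d.snc_active:
            findings.append(f"{d.name}: RFC without SNC, logon and business data travel in plaintext")
        elif d.snc_qop < SNC_QOP_PRIVACY:
            findings.append(f"{d.name}: SNC QoP {d.snc_qop} gives no encryption, raise it to privacy")
    elif d.rfc_type in ("H", "G") and not d.ssl_active:
        findings.append(f"{d.name}: HTTP destination without SSL")

    # Connection user rules
    if d.stored_user is not None:
        if d.user_type not in STORABLE_USER_TYPES:
            findings.append(f"{d.name}: stored user {d.stored_user} is type {d.user_type}, "
                            "only System (B) or Communication (C) users may be stored")
        wide = d.profiles & WIDE_PROFILES
        if wide:
            findings.append(f"{d.name}: stored user {d.stored_user} holds {', '.join(sorted(wide))}, "
                            "not the minimum required authorizations")
        if d.stored_password and d.trusted:
            findings.append(f"{d.name}: password stored although a trusted-system relationship exists")
        elif d.stored_password and d.rfc_type == "3":
            findings.append(f"{d.name}: password stored, prefer a trusted-system connection")
    return findings


def audit(destinations: List[Destination]) -> List[str]:
    return [f for d in destinations for f in audit_destination(d)]


# Constructed sample landscape, named after the destinations listed in this guide.
SAMPLE = [
    Destination("DSD_BACKEND_TO_CONNECTOR", "3", snc_active=True, snc_qop=3,
                stored_user="DSD_RFC", user_type="B", trusted=True),
    Destination("DSD_CONNECTOR_TO_BACKEND", "3", snc_active=True, snc_qop=1,
                stored_user="DSD_RFC", user_type="B", stored_password=True),
    Destination("DSD_CONNECTOR_TO_MI", "3",
                stored_user="ADMIN_JANE", user_type="A", stored_password=True,
                profiles={"SAP_ALL"}),
    Destination("THIRD_PARTY_APP", "G", ssl_active=False,
                stored_user="DSD_HTTP", user_type="C", stored_password=True),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The first sample destination passes every rule and yields no finding; the third one collects four, which is the typical shape of a destination that was set up once by an administrator with their own dialog user and never revisited.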

The table below shows an overview of the communication destinations used by the scenario Direct Store Delivery.


Connection Destinations

Destination: DSD Backend → DSD Connector
Delivered: No
Type: RFC – R/3
User, Authorizations: -
Description:
  Direct Store Delivery Configuration Guide → System Connections → Connection of DSD Backend to DSD Connector → Defining an RFC Destination for the DSD Backend/Connector
  and SAP Mobile Infrastructure Installation Guide → Installation of the SAP Mobile Infrastructure 2.5 → Configuration → Configuration of the SAP MI ABAP Server Component → Creating an RFC Destination Pointing to the Backend
  and SAP Mobile Infrastructure Installation Guide → Installation of the SAP Mobile Infrastructure 2.5 → Configuration → Configuration of Smart Synchronization (optional) → Defining RFC Destinations for SyncBOs

Destination: DSD Connector → DSD Backend
Delivered: No
Type: RFC – R/3
User, Authorizations: -
Description:
  SAP Direct Store Delivery Configuration Guide → System Connections → Connection of DSD Backend to DSD Connector → Defining an RFC Destination for the DSD Backend/Connector
  and Documentation of SAP Mobile Infrastructure: help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant’s Guide → Mobilizing Business Processes → Configuration of Mobile Applications → Creating an RFC Destination Pointing to the Backend
  and Documentation of SAP Mobile Infrastructure: help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant’s Guide → Mobilizing Business Processes → Configuration of Mobile Applications → Defining RFC Destinations for SyncBOs

Destination: DSD Connector → Mobile Infrastructure Server Component
Delivered: No
Type: RFC – R/3
User, Authorizations: -
Description:
  Direct Store Delivery Configuration Guide → System Connections → Connection of DSD Connector to Mobile Infrastructure Server Component → Defining an RFC Destination on the DSD Connector
  and Direct Store Delivery Configuration Guide → Mobile Device Connectivity → Logical System Connectivity

Destination: Mobile Infrastructure Server Component → DSD Connector
Delivered: No
Type: RFC – R/3
User, Authorizations: -
Description:
  Direct Store Delivery Configuration Guide → System Connections → Connection of Mobile Infrastructure Server Component to DSD Connector → Defining RFC Destination on Mobile Infrastructure Server Component
  and Direct Store Delivery Configuration Guide → Mobile Device Connectivity → Logical System Connectivity

Destination: Mobile Device → Mobile Infrastructure Server Component
Delivered: No
Type: HTTP(S)
User, Authorizations: -
Description:
  Documentation of SAP Mobile Infrastructure: help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant’s Guide → Mobilizing Business Processes → Installing SAP MI on the Mobile Device → Parameters for Installation on the Mobile Device
  and Documentation of SAP Mobile Infrastructure: help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant’s Guide → Mobilizing Business Processes → Installing SAP MI on the Mobile Device → Editing User Settings


Data Storage Security

Use

The data storage security of SAP NetWeaver and of components installed on this base is described in detail in the SAP NetWeaver Security Guide.

For information about the data storage security of SAP NetWeaver, see the SAP Service Marketplace at http://service.sap.com/securityguide → SAP NetWeaver Security Guide → Operating System and Database Platform Security Guides.

For information about the data storage security of SAP Mobile Infrastructure, see the SAP Service Marketplace at http://service.sap.com/securityguide → SAP NetWeaver 2004s Security Guides (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type MI → Security Guide for SAP Mobile Infrastructure → Data Security.

Other Security-Relevant Information

Web Browser as User Front End

To use the Web browser as user front end, JavaScript (Active Scripting in Internet Explorer) must be enabled, otherwise the user interface does not work.

This may conflict with a security policy that disables browser scripting. In that case, enable scripting only for the application server’s site or browser security zone rather than for all sites.

Pre-defining and Setting Parameters for all Users within the SAP Mobile Infrastructure

To predefine or set certain parameters for all users in the SAP Mobile Infrastructure, modify the file MobileEngine.config. Security-relevant parameters such as SSL and password handling are also set in this configuration file, so protect it against unauthorized modification on the device and in any installation package you roll out.

The detailed description of predefining and setting security-relevant parameters within the SAP Mobile Infrastructure can be found in the documentation of SAP Mobile Infrastructure on help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant’s Guide → Mobilizing Business Processes → Configuration of Mobile Devices → Preconfiguration of SAP MI Client (Optional) → Preconfiguring on Windows32 Platforms.

Setting the Screen Mode of the SAP MI Client Component

You can define that the SAP MI Client Component always starts in full-screen mode or in minimized mode on the mobile device by adding files to the installation.

The detailed description of setting the screen mode for the SAP MI Client Component can be found in the documentation of SAP Mobile Infrastructure on help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → Technology Consultant’s Guide → Mobilizing Business Processes → Configuration of Mobile Devices → Preconfiguration of SAP MI Client (Optional) → Setting the Screen Mode of the SAP MI Client Component.


Trace and Log Files

Use

 All trace and log files use SAP NetWeaver standard mechanisms.

For information about the trace and log files of SAP NetWeaver, see the SAP Service Marketplace at http://service.sap.com/securityguide → SAP NetWeaver Security Guide.

Route Accounting

Within the DSD Route Accounting functionality the application log can be switched on or off. Information about the application log of DSD Route Accounting can be found in the Direct Store Delivery Configuration Guide → Route Accounting → Basic Functions → Application Log.