PUBLIC

SAP Mobile Documents 1.0 SP06
Document Version: 1.6 – 2017-03-02

Security Guide



Content

1 Security
1.1 Before You Start
1.2 Authentication and Authorizations
1.3 Session Security Protection
1.4 Network and Communication Security
    Recommendations on Network and Firewall
    Used URL Endpoints
    Separation of User and Admin Interfaces
1.5 Security Aspects of Data, Data Flow, and Processes
1.6 Data Storage Security
1.7 Document Classification and Security Policies


1 Security

The security guide provides an overview of the security-relevant information that applies to SAP Mobile Documents on premise.

Caution: This guide does not replace the administration or operation guides that are available for productive operations.

Target Audience

● Technology consultants
● Security consultants
● System administrators

This document is different from the installation guides, configuration guides, technical operation manuals, and upgrade guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the security guides provide information that is relevant for all life cycle phases.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also intensified. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security apply likewise to SAP Mobile Documents. To assist you in securing SAP Mobile Documents, we provide this security guide.

Related Information

Before You Start
Authentication and Authorizations
Session Security Protection
Network and Communication Security
Security Aspects of Data, Data Flow, and Processes
Data Storage Security
Document Classification and Security Policies


1.1 Before You Start

Review the information provided here before you begin your security configuration.

Fundamental Security Guides

SAP Mobile Documents uses features of SAP NetWeaver Application Server for Java. Therefore, the corresponding security guides also apply to SAP Mobile Documents.

If your scenario uses the Knowledge Management content management system (CMS), the Knowledge Management Security Guide for your CMS also applies.

Related Information

SAP NetWeaver <release>, see Security Information

1.2 Authentication and Authorizations

SAP Mobile Documents uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server for Java.

Therefore, the basic principles for authentication and authorization, as well as recommendations and guidelines for user administration and authentication, as described in the SAP NetWeaver Application Server for Java Security Guide, also apply to SAP Mobile Documents. For authentication, we recommend that you integrate SAP Mobile Documents into the existing corporate ID management system for LDAP or Active Directory Server, for example, SAP ID Management. Currently, users in SAP Mobile Documents cannot be mapped to the back-end systems. Therefore, the users must have the same name in both systems.

All the SAP Mobile Documents apps support the use of basic authentication (user name and password) and X.509 client certificate authentication. The SAP NetWeaver Application Server for Java needs to be configured to support certificate authentication.

SAP Mobile Documents manages users and permissions using the user management engine of SAP NetWeaver Application Server for Java. The standard roles included in the shipment are described in Assigning UME Roles in SAP Mobile Documents.

In addition to the role-based authorizations, SAP Mobile Documents uses ACL-based authorizations as supplied by the underlying components and connected back-end systems.

Access Control Lists (ACLs) limit the access to individual objects. For repository connections, the existing ACLs of the repositories are used within the SAP Mobile Documents application. Ensure that newly created repository connections fit your needs regarding ACLs.


Related Information

Using X.509 Client Certificates on the AS Java

1.3 Session Security Protection

You use secure session management to increase security and prevent access to assertion tickets and security session cookies.

Web applications use these session cookies to persist user data during sessions.

Tip: We highly recommend that you use SSL to protect the network communications over which these security-relevant cookies are transferred.

In addition to the information in the SAP NetWeaver Application Server for Java Security Guide, SAP Mobile Documents offers the following protection:

Cross-Site Scripting Protection

Cross-site scripting (XSS) describes the manipulation of user entries that are transferred to a Web application when an attacker embeds harmful program code into a correct environment, so that this code is executed on the client side. XSS can occur whenever the application dynamically creates its HTML, JavaScript, or CSS content, which is passed to the user's Web browser, and attacker-controlled values are used in this process.

SAP Mobile Documents uses common encoding techniques from frameworks (SAPUI5) as a countermeasure against XSS attacks.

In addition, documents can contain malicious code. To avoid such risks, the possibility to open documents directly in the browser is deactivated for all browsers and cannot be reactivated. For the same reason, the handling of attachments is restricted to Internet Explorer as the only browser that can open attachments in the context of the existing session.

Cross-Site Request Forgery Protection

Cross-site request forgery (XSRF or CSRF) refers to the manipulation of a Web browser with the goal of performing the actions of an authorized user in a Web application. An XSRF attack is successful when attackers manage to send their own queries to the Web application using the browser of the authorized user.

To avoid XSRF attacks, SAP Mobile Documents has implemented a mechanism on top of the CMIS protocol used, which works with unique security tokens that are only valid for a single session.


1.4 Network and Communication Security

Your network infrastructure is important for the protection of your system.

Your network must support the communication means necessary for your enterprise and your requirements, without allowing unauthorized access. A clearly defined network topology can remove many security risks caused by software errors (at the level of the operating system or application) or eliminate attacks on the network, such as eavesdropping. If users cannot log on to your application server or database server at operating-system or database level, it is impossible for intruders to abuse the machines or to access the database or files on the back-end system. If users cannot connect to the server LAN (Local Area Network), they cannot exploit any known errors or security gaps in the network services on the servers.

The network topology for SAP Mobile Documents is based on the topology used by the SAP NetWeaver platform. Consequently, the security guidelines and recommendations described in the security guide for SAP NetWeaver also apply to SAP Mobile Documents. For more information, see the SAP NetWeaver security guide, especially Network and Communication Security and Connectivity and Interoperability Technologies.

Related Information

SAP NetWeaver Security Guide (7.4)

1.4.1 Recommendations on Network and Firewall

Your network infrastructure is an important element in protecting your SAP Mobile Documents scenario. The network topology for the SAP Mobile Documents server is based on the topology used by the underlying SAP NetWeaver platform. For more information, see the SAP NetWeaver Application Server for Java Security Guide.


The figure above only showcases one of the possible setups.

In this example, the SAP Mobile Documents clients all reside in the Internet area; they use the Advanced Encryption Standard (AES) and connect over HTTPS to the application gateways that reside in the outer demilitarized zone (DMZ). These gateways access the SAP Mobile Documents server in the inner DMZ using HTTPS. The server then accesses the remote KM repositories or another content management repository, for example, Microsoft SharePoint 2010, in the high security area of your system landscape using HTTP or HTTPS.

For your final decision, take into account your corporate security and network policies.

1.4.2 Used URL Endpoints

If you want to implement any URL-based rule check, you need to consider these endpoints.

SAP Mobile Documents apps connect to the following URL endpoints:

Table 1: URL Endpoints

URL Endpoint     Description
/mcm/browser/*   SAP Mobile Documents Web UI (browser app).
/mcm/admin/*     SAP Mobile Documents administration UI (browser app).
/sapui5/*        SAPUI5 delivered with SAP NetWeaver for all UIs.
                 Note: To use the SAP Mobile Documents sharing UI, these endpoints must be accessible without requiring authentication.
/mcm/json/*      CMIS browser binding used by the SAP Mobile Documents apps.
/mcm/atom/*      CMIS AtomPub binding used by third-party apps.
/cmis/json/*     CMIS browser binding used by the SAP Mobile Documents KM connector. This endpoint is only required with a distributed installation of KM and the SAP Mobile Documents server.
/mcm/public/*    SAP Mobile Documents sharing UI (browser app) and the public REST APIs.
                 Note: These endpoints must be accessible without requiring authentication. Otherwise, there may be restrictions for the app.

1.4.3 Separation of User and Admin Interfaces

SAP Mobile Documents provides user management engine (UME) roles to separate the access to administrative and business user functions. Some sections of the administration Web UI are not visible to users who have the administrator role. These sections are only displayed if the user has the analyst role. One user can be assigned both roles.

In addition, you can restrict the access to administrative UIs by using network-based rules. SAP NetWeaver Administrator, for example, applies such rules by default. You maintain these network-based rules as specific Internet Communication Manager (ICM) rules.

For more information, see SAP Note 1451753.
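As an added example (not code from the SAP guide), the following Python model shows how a URL-based rule check of the kind discussed in sections 1.4.2 and 1.4.3 could be evaluated over the endpoints in Table 1: default deny for paths outside the table, unauthenticated access only for /sapui5/* and /mcm/public/*, and an administrator source network for /mcm/admin/*. The administrator network, the admin-only flag and the path normalization step are assumptions of this example; the guide does not state how ICM rules express them.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Constructed policy table from Table 1 of the guide: (prefix, needs_auth, admin_only).
# needs_auth=False marks the two endpoints the guide says must be reachable without
# authentication. admin_only is our own assumption, modelling the network-based
# restriction of administrative UIs described in section 1.4.3.
ENDPOINT_POLICY = [
    ("/mcm/browser/", True, False),
    ("/mcm/admin/", True, True),
    ("/sapui5/", False, False),
    ("/mcm/json/", True, False),
    ("/mcm/atom/", True, False),
    ("/cmis/json/", True, False),
    ("/mcm/public/", False, False),
]

# Hypothetical administrator source network (assumption; use your own ranges).
ADMIN_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]


def normalize(path: str) -> str:
    """Decode percent-encoding and collapse '.', '..' and repeated slashes, so a
    rule on /mcm/admin/ cannot be sidestepped with /mcm/public/../admin/."""
    path = unquote(path.split("?", 1)[0].split("#", 1)[0])
    norm = posixpath.normpath("/" + path.lstrip("/"))
    # normpath drops the trailing slash; keep it so "/mcm/admin/" still matches.
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def lookup(path: str):
    """Return the matching (prefix, needs_auth, admin_only) rule or None."""
    norm = normalize(path)
    for rule in ENDPOINT_POLICY:
        prefix = rule[0]
        if norm == prefix.rstrip("/") or norm.startswith(prefix):
            return rule
    return None


def decide(path: str, source_ip: str, authenticated: bool) -> str:
    """Evaluate one request in the order a gateway would: endpoint known,
    source network permitted for admin UIs, then authentication present."""
    rule = lookup(path)
    if rule is None:
        return "deny:unknown-endpoint"  # default deny for anything outside Table 1
    prefix, needs_auth, admin_only = rule
    if admin_only:
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in ADMIN_NETWORKS):
            return "deny:admin-network"
    if needs_auth and not authenticated:
        return "deny:authentication-required"
    return "allow"
```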

1.5 Security Aspects of Data, Data Flow, and Processes

To improve the security of your SAP Mobile Documents installation you have to consider several security aspects.

The figure above describes the security aspects within the SAP Mobile Documents infrastructure as described in .

The business users log on using desktop, mobile app, or Web UI using either X.509 certificates or basic authentication with a user name and password. These credentials or certificates are sent SSL-encrypted to the SAP Mobile Documents server, which forwards them to the integrated identity management of the SAP NetWeaver Application Server for Java for verification. After verification of their credentials or certificates and the corresponding UME roles, the users have access to the SAP Mobile Documents server and the connected repositories. The connections between the server and these systems are secured using the Secure Sockets Layer (SSL) protocol and by a trust relationship.

Using SAP Mobile Documents, you can protect your files at each stage. Security policies prevent leakage of confidential data. The data on the users' devices and in the repository is encrypted during transport using SSL. In addition, all synced documents on the user's mobile app are secured using the Advanced Encryption Standard (AES). All documents are kept either in the repositories or on the apps, but not on the server.


1.6 Data Storage Security

Data saved in the secure storage area is encrypted using a secret key that is created and provided explicitly for the application or service component by the corresponding SAP NetWeaver Application Server for Java.

SAP Mobile Documents uses the secure storage provided by the underlying SAP NetWeaver Application Server for Java, where the applications or service components store sensitive data, such as passwords or communication destinations, in encrypted form. For more information, see Data Storage Security in the SAP NetWeaver Application Server for Java Security Guide.

SAP Mobile Documents uses strong encryption for documents on mobile devices and in the document repository as follows:

● During data transfer, using the secure sockets layer (SSL) protocol and transport layer security (TLS)
● For storage on mobile devices, using the Advanced Encryption Standard (AES)
● During temporary storage in the case of large documents (over 4 MB)

The desktop app uses folders that are under the control of the currently logged-on user to download documents and store configurations. This protects the folders on a multi-user operating system.

The business user remains responsible for documents downloaded over Web UIs and the desktop app on public PCs, for example, an internet café or PCs with shared access.

The security of the data stored in the back-end systems depends on the capabilities (for example, virus scanning) of the content management systems used, for example, Knowledge Management or Microsoft SharePoint. This is outside the scope of this document.

Related Information

Data Storage Security
Java-Specific Configuration
Virus Scanner Service

1.7 Document Classification and Security Policies

SAP Mobile Documents enhances data security by assigning document classification levels to the repositories.

The administrator can, for example, classify a Corporate Documents repository as strictly confidential. If the administrator then defines the security policies for the various actions available on the mobile device, for example, the Disable Sharing security policy, the user cannot share any document contained in a Corporate Documents repository. For the desktop app, the administrator can currently set only one security policy: Disable Sync for Corporate Repositories. Depending on the document classification of the repositories, users cannot sync the corporate repositories with their desktop apps.

In addition, administrators can hide the corporate repositories so they are not displayed in the Web app, that is, in the users' browsers. This setting is also based on classification. In the security settings of the General tab on the administration UI, administrators select the classification level, for example, Confidential - Strictly Confidential. With this setting, the users can no longer see corporate repositories that are classified as confidential or strictly confidential in their browsers.

When configuring a corporate repository, administrators can also restrict the access to this corporate repository to users with specific roles.
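As an added example (not code from the SAP guide), the following Python model puts the decisions described in this section in one place: the role restriction on a corporate repository, the Disable Sharing policy on the mobile app, Disable Sync for Corporate Repositories on the desktop app, and hiding corporate repositories in the Web app from a chosen classification level upward. The threshold model, the two lower classification levels and the client and action names are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Classification levels in ascending order. The guide names "Confidential" and
# "Strictly Confidential"; the two lower levels are our own assumption.
LEVELS = ["Public", "Internal", "Confidential", "Strictly Confidential"]


@dataclass
class Repository:
    name: str
    classification: str
    corporate: bool = True
    allowed_roles: Set[str] = field(default_factory=set)  # empty = no role restriction


@dataclass
class SecurityPolicies:
    # Each field holds the lowest classification level at which the policy applies,
    # or None when the administrator has not enabled it (threshold model is assumed).
    disable_sharing_from: Optional[str] = None         # mobile app: Disable Sharing
    disable_sync_corporate_from: Optional[str] = None  # desktop app: Disable Sync for Corporate Repositories
    hide_in_web_from: Optional[str] = None             # Web app: hide corporate repositories


def applies(threshold: Optional[str], repo: Repository) -> bool:
    """A classification-based policy applies when the repository is classified
    at or above the level the administrator selected."""
    if threshold is None:
        return False
    return LEVELS.index(repo.classification) >= LEVELS.index(threshold)


def decide(repo: Repository, user_roles, client: str, action: str,
           policies: SecurityPolicies) -> Tuple[bool, str]:
    """Return (allowed, reason) for an action ('open', 'share', 'sync') on a
    repository from a client ('mobile', 'desktop' or 'web')."""
    if repo.allowed_roles and not repo.allowed_roles & set(user_roles):
        return False, "role restriction"
    if client == "web" and repo.corporate and applies(policies.hide_in_web_from, repo):
        return False, "repository hidden in Web app"
    if (client == "mobile" and action == "share" and repo.corporate
            and applies(policies.disable_sharing_from, repo)):
        return False, "Disable Sharing policy"
    if (client == "desktop" and action == "sync" and repo.corporate
            and applies(policies.disable_sync_corporate_from, repo)):
        return False, "Disable Sync for Corporate Repositories policy"
    return True, "allowed"


# Constructed sample configuration: one strictly confidential corporate repository
# restricted to the "finance" role, and one unrestricted team repository.
POLICIES = SecurityPolicies(disable_sharing_from="Strictly Confidential",
                            disable_sync_corporate_from="Confidential",
                            hide_in_web_from="Confidential")
CORPORATE = Repository("Corporate Documents", "Strictly Confidential",
                       allowed_roles={"finance"})
TEAM = Repository("Team Space", "Internal", corporate=False)
```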


Important Disclaimers and Legal Information

Coding Samples

Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.

Accessibility

The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does not apply in cases of willful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.

Gender-Neutral Language

As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If, when referring to members of both sexes, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.

Internet Hyperlinks

The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see: http://help.sap.com/disclaimer).


go.sap.com/registration/contact.html

© 2017 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.