Network Security
Your network infrastructure is extremely important in protecting your system. Your network must support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping.
Documentation on SAP Help Portal
The following Wiki provides a comprehensive list of ports used by SAP software. Use this information for planning and configuring your network infrastructure according to SAP requirements. You can also use this information to identify specific SAP network traffic for monitoring, prioritization, or security purposes:
List of Ports Used by SAP Software
Transport Layer Security
You can provide for security at the transport layer for securing connections between SAP NetWeaver components, for example, by using secure protocols such as Secure Sockets Layer (SSL).
We offer two types of transport layer security for connections with SAP systems. For connections that use Internet protocols such as HTTP or LDAP, we recommend using the Secure Sockets Layer (SSL) protocol. For SAP protocols such as RFC or dialog, use Secure Network Communications (SNC).
Documentation on SAP Help Portal
FIPS 140 Certification for SAP Crypto Kernel
Secure System Communication with UCON
SAP NetWeaver 7.40 includes a new framework, Unified Connectivity (UCON), for securing Remote Function Calls (RFCs). RFCs are a central communication technology of SAP NetWeaver Application Server ABAP and all ABAP-based systems.
The UCON basic security scenario for RFC provides both a simple process and a toolset allowing you to drastically reduce the number of Remote-Enabled Function Modules (RFMs) that can be accessed from outside, thus dramatically reducing the potential attack surface. UCON is the new approach you should choose to make your RFC communication more secure.
For more information, see Unified Connectivity (UCON).
Digital Signatures and Encryption
Secure store and forward (SSF) mechanisms provide you with the means to secure data and documents in SAP Systems as independent data units. By using SSF functions, you can "wrap" data and digital documents in secure formats before they are saved on data carriers or transmitted over (possibly) insecure communication links.
SSF mechanisms use digital signatures and digital envelopes to secure digital documents. The digital signature uniquely identifies the signer, is not forgeable, and protects the integrity of the data. Any changes in the data after being signed result in an invalid digital signature for the altered data. The digital envelope makes sure that the contents of data are only visible to the intended recipient(s).
Documentation on SAP Help Portal
Web Services Security
You can use transport security for consuming and providing Web services either at HTTP transport level or at SOAP message level. To do this, you can use the standard HTTP transport security mechanisms such as HTTPS or the OASIS standards for Web Services to set the transport security at the higher SOAP message level (WS-SecureConversation, WS-Security XML-Signature/Encryption).
Security Assertion Markup Language (SAML) is a standard that defines a language to exchange security information between partners. The SAML standard is driven by the Organization for the Advancement of Structured Information Standards (OASIS). SAML uses assertions that contain statements about a subject, authentication, authorization and attributes. The SAML Token Profile is developed by the OASIS Web Services Security (WS-Security) Technical Committee as a standard to integrate and use SAML for Web Services Security.
WS-Security
WS-Security describes enhancements to SOAP messaging to provide quality of protection through message integrity, message confidentiality, and single message authentication. These mechanisms can be used to accommodate a wide variety of security models and encryption technologies.
WS-Security also provides a general-purpose mechanism for associating security tokens with messages. No specific type of security token is required by WS-Security. It is designed to be extensible to support multiple security token formats. For example, a client might provide proof of identity and proof that they have a particular business certification.
Additionally, WS-Security describes how to encode binary security tokens. Specifically, the specification describes how to encode X.509 certificates and Kerberos tickets as well as how to include opaque encrypted keys. It also includes extensibility mechanisms that can be used to further describe the characteristics of the credentials that are included with a message. SAP is involved in defining parts of the standard.
The following parts of the standard are of particular relevance:
- WS-Trust describes a framework for managing, establishing and assessing trust relationships to enable Web services to securely interoperate.
- WS-SecureConversation describes a framework to establish a secure context for parties that want to exchange multiple messages.
- WS-SecurityPolicy describes general security policies that can be associated with a service.
Documentation on SAP Help Portal