Application security for SAP NetWeaver PI

In this book chapter excerpt, you'll find an introduction to the functions of SAP NetWeaver Process Integration (PI). In addition, you'll learn about the risks and controls involved in SAP NetWeaver PI's application security.

SAP NetWeaver Process Integration (PI) links SAP and non-SAP programs across an integrated central platform. With so much data being exchanged, understanding and preparing for potential security risks is critical.

SAP NetWeaver Process Integration

With SAP NetWeaver PI, SAP provides an enhanced integration platform for processes within distributed business applications. The objective is to integrate both SAP and non-SAP applications via a central platform using flexible web services or via interfaces. Thus, the number of required direct interfaces between individual applications can be reduced considerably. So SAP NetWeaver PI increasingly assumes the role of a powerful SAP middleware that not only enables integration using traditional interfaces but also lays the foundation for service-oriented architectures (SOAs) (see Chapter 7, Web Services, Enterprise Services, and Service-Oriented Architectures) and thus for process integration within and between companies based on an Enterprise Service Bus (ESB).


SAP NetWeaver PI relies on existing standards like web services (Simple Object Access Protocol (SOAP)), Remote Function Call (RFC), File Transfer Protocol (FTP), and other available protocols. It can also use interfaces (called connectors in the PI context) to Enterprise Application Integration (EAI) standards like RosettaNet or the chemical industry integration standard, Chemical Industry Data eXchange (CIDX). SAP NetWeaver PI is predestined for deployment in service-oriented architectures:

The current release, Release 7.1, contains the Enterprise Services Repository, which serves as a structured directory for enterprise services. Because SAP NetWeaver PI can run on both the ABAP stack and the Java stack of SAP NetWeaver Application Server (AS) (AS ABAP usage type, AS Java usage type, JEE5 for SAP NetWeaver PI), the security of “traditional” PI functions from Release 3.0 (SAP Exchange Infrastructure (XI)) and security characteristics and risks of new functions must be considered.

12.1 Introduction and Functions

SAP NetWeaver PI supports three communication variants, two of which are controlled directly by the PI architecture and its components:

  • Communication via the PI Integration Server
    The PI Integration Server controls the forwarding of a message or web service integration between sender and recipient or provider and consumer. The communication partners are determined statically or dynamically using the mapping or routing functions of the integration server.
  • Communication using the PI Advanced Adapter Engine
    If communication is supposed to be performed via the PI Advanced Adapter Engine, sender, recipient, their connectors, and the communication protocol already need to be defined in the configuration phase. The mapping function of the Advanced Adapter Engine then only statically controls the exchange of messages between the predefined connectors of the communication partners, which increases performance.
  • Direct communication bypassing the PI Integration Server
    SAP NetWeaver PI also dynamically supports web service communication directly between the WS provider and the consumer without PI Integration Server or the Advanced Adapter Engine. This option is configured in the PI Integration Directory and allows for an increased message throughput.

To describe the preceding PI components, the following sections provide further information on the logical technical PI architecture. If SAP NetWeaver PI is used, three phases are supported: the design phase, the configuration phase, and the runtime phase (see Figure 12.1).

  • Design time
    During the design phase, the Enterprise Services Builder/Integration Builder is used to define, design, and store the integration components and web services in the Enterprise Services Repository or Services Registry. The Services Registry corresponds to Universal Description, Discovery and Integration (UDDI) Standard 3.0 and plays a central role in provisioning web services. The Integration Directory is used to model the Application-to-Application (A2A) and Business-to-Business (B2B) communication processes.
  • Configuration time
    The configuration phase involves further configuration of the integration scenario as defined in the Integration Directory. During this phase, communication partners, communication components, and communication channels are configured in communication profiles as defined in the Integration Directory. This includes controls, such as the mapping of senders/recipients, the routing of messages, or the monitoring of the processes. The Business Process Engine, Integration Engine, and Advanced Adapter Engine, which support process integration for the runtime, are the essential Integration Server components.

Figure 12.1 Implementation Phases in SAP NetWeaver PI

  • Runtime
    At runtime, the communication profiles and integration rules as defined in the Integration Directory are used for process integration by the Integration Server components (Business Process Engine, Integration Engine, and Advanced Adapter Engine). The Integration Engine is responsible for the control, processing, and monitoring of web services, and the Advanced Adapter Engine provides numerous connectors for supporting the direct integration of communication between heterogeneous applications. This often requires a conversion of the communication protocols through the Advanced Adapter Engine. The Business Process Engine implements the process integration at runtime, controls the business process flow, and supports the monitoring processes.

The System Landscape Directory (SLD) stores all metadata that describes the necessary components, adapter versions, and so on. This data is read and updated at runtime, if necessary, by the other PI components, such as the Enterprise Services Repository, Integration Directory, and Integration Server.

From a security validation perspective, the following aspects are therefore particularly essential:

  • A direct interaction of a user with SAP NetWeaver PI only takes place during the design and configuration time. Afterward, the processes run automatically in the runtime environment and must be monitored appropriately via monitoring processes. The configuration data stored in the SLD, Enterprise Services Repository, and Integration Directory is only accessed by authenticated administration users during the design and configuration phase.
  • The security level to be achieved at runtime, particularly the security of exchanged messages by digital signature and encryption, is specified in the collaboration agreements. Receiver agreements specify that a message is to be encrypted and signed before it can be sent to the final recipient. In the same manner, sender agreements can define that the signature of an inbound message needs to be validated before the message can be processed further. Whether an application is a sender or a recipient is always determined by the respective communication partner and not in SAP NetWeaver PI: an application sending a message to the PI system is therefore a sender.
  • SAP NetWeaver PI consists of numerous components exchanging information with each other. Mutual authentication is implemented via one-factor authentications based on technical users. Process integration, on the basis of the enterprise service bus using web services, requires that security criteria like authentication, authorization checks, data integrity, and data protection can be used for service-oriented architectures. To meet these criteria and control objectives, the corresponding security concepts are available for web services.

12.2 Risks and Controls

SAP NetWeaver PI runs on the SAP NetWeaver AS and uses it at runtime. The two usage types, ABAP and Java, involve similar risks that can also be mastered with the same controls.

In this section, we use a simplified version of the risk analysis methodology described in Chapter 1, Risk and Control Management, to identify the main security risks and the necessary controls for SAP NetWeaver PI (see Table 12.1). The controls are then discussed in more detail in the following sections and illustrated using examples.

1. Risk potential: No authorization concept for the design and configuration phase. Via the Enterprise Services Builder, users can access configurations for which they are not authorized. This is enabled by a nonexistent or insufficient authorization concept.
   Impact: The configuration of the integration scenario becomes unstable, leaving message exchange vulnerable to impairment and manipulation. The availability of the integration platform can no longer be guaranteed. Message recipients can also be changed so that required postings are not made in the actual target system but in a system chosen for this purpose by a fraudulent user.
   Risk without control(s): Extremely high
   Control: Adequate roles are specified for accessing objects and collaboration agreements stored in the Enterprise Services Repository and Integration Directory. This is set out in an authorization concept.
   Risk with control(s): Normal
   Section: 12.3.1

2. Risk potential: Passwords that are too simple. Passwords and authorizations for technical service users, which are necessary for authentication among the RFC communication partners, are too simple and can be discovered easily.
   Impact: If insufficient authentication or incorrect authorizations are selected for technical service users, the component can be accessed directly, and the configuration can therefore be changed by unauthorized persons. This jeopardizes the configuration stability and availability of SAP NetWeaver PI. Unauthorized users can also read and manipulate component information.
   Risk without control(s): High
   Control: The passwords for technical service users must be secure, that is, sufficiently complex. Default passwords must be changed in any case. In addition, the authorizations of technical service users must be determined in accordance with the predefined roles.
   Risk with control(s): Normal
   Section: 12.3.2

3. Risk potential: Missing authorization concept for the SAP NetWeaver PI components. Via the Services Registry or UDDI server, users can access service definitions and configurations for which they are not authorized.
   Impact: The configuration of the central SAP NetWeaver PI components becomes unstable, leaving the Services Registry vulnerable to impairment and manipulation. The availability of the services can no longer be guaranteed. Service definitions can also be changed so that required postings are not made in the actual target system but in a system chosen for this purpose by a fraudulent user.
   Risk without control(s): Extremely high
   Control: Appropriate roles are specified for administrative access to the services in the Services Registry. This is set out in an authorization concept.
   Risk with control(s): Normal
   Section: 12.3.3

4. Risk potential: Passwords that are too simple. The authentication mechanism for administrative access to SAP NetWeaver PI components is based on the user ID and password method, and the password is too simple.
   Impact: Unauthorized users can gain access by guessing the password in a brute-force attack. This allows them to compromise the service configuration.
   Risk without control(s): Extremely high
   Control: Selection of an appropriately complex password for the authentication of administrators.
   Risk with control(s): Normal
   Section: 12.3.4

5. Risk potential: The same technical service user is selected. The same technical service user (PIAPPLUSER) is used for all communication channels from different SAP systems to the PI server. There is no differentiation between the SAP systems.
   Impact: Because there is no differentiation, other communication channels of SAP NetWeaver PI can be used by other SAP systems as well. Unauthorized transactions can therefore be triggered on other connected SAP systems.
   Risk without control(s): High
   Control: For every SAP NetWeaver AS system communication channel (via RFC, HTTP, and so on), a different technical system user with a different password should be selected.
   Risk with control(s): Normal
   Section: 12.4.1

6. Risk potential: No encryption of communication channels. Communication channels to the PI server that transfer the authentication data of technical service users are not encrypted. Furthermore, the communication channels to the connected partner systems that are to be integrated are also not encrypted.
   Impact: The authentication data of technical service users can be eavesdropped and therefore used by unauthorized communication partners connected to the PI system. The unencrypted external communication channels enable third parties to view the exchanged messages and gain insight into confidential data. In addition, unauthorized financing transactions might be carried out.
   Risk without control(s): Extremely high
   Control: The internal communication channels between the SAP NetWeaver PI components must be encrypted. The communication channels between SAP and non-SAP systems connected to SAP NetWeaver PI should be secured via encryption techniques such as Secure Sockets Layer (SSL) or Secure Network Communications (SNC).
   Risk with control(s): Normal
   Section: 12.4.2

7. Risk potential: No signature of XML messages. XML-based messages (per XI or SOAP protocol) are submitted unsigned to SAP NetWeaver PI and forwarded as such to the actual recipient.
   Impact: With unsigned messages, you can’t verify the identity of the exact sender, nor can you check whether parts of the message were changed by a third person during the transfer to SAP NetWeaver PI. Moreover, incorrect postings can be triggered. Also, you can’t retrace who initiated a financing transaction, as completed transactions can later be denied by the sender.
   Risk without control(s): Extremely high
   Control: All inbound XML-based messages must be digitally signed by the sender, especially when using SAP NetWeaver PI in Internet scenarios where business partners are to be integrated.
   Risk with control(s): Normal
   Section: 12.4.3

8. Risk potential: No encryption of external communication channels. XML-based messages (per XI or SOAP protocol) are transferred unencrypted to SAP NetWeaver PI.
   Impact: If XML-based messages are transferred unencrypted to SAP NetWeaver PI, the information contained therein can be recorded (sniffed) by unauthorized third persons. If the information is highly confidential, that is, secret business information, the damage potential is correspondingly high.
   Risk without control(s): High
   Control: The messages should be encrypted, especially when using SAP NetWeaver PI for integration scenarios where business partners have to be integrated via the Internet and where the business data is highly confidential.
   Risk with control(s): Normal
   Section: 12.4.4

9. Risk potential: The SAP NetWeaver PI communication channels are not secured. Communication interfaces of SAP NetWeaver PI, particularly in Internet scenarios, are abused by unauthorized third persons. As a result, unauthorized transactions are triggered on the SAP and non-SAP systems integrated via SAP NetWeaver PI.
   Impact: If unauthorized transactions are executed, you can’t retrace who initiated them. Rollback — restoring the original state — is also not possible, which can result in considerable damage.
   Risk without control(s): Extremely high
   Control: A proxy for outbound messages and a reverse proxy for inbound messages should be implemented for SAP NetWeaver PI. Particularly in Internet scenarios, two consecutive PI systems located in different network segments should be used: one in the front-end demilitarized zone for communicating with business partners (B2B) and another one in the back end for internal A2A communication.
   Risk with control(s): Normal
   Section: 12.4.5

10. Risk potential: The message exchange is not audited or monitored. The executed messages and transactions are not checked for potential processing errors by the central monitor.
   Impact: Processing errors are not discovered at an early stage and therefore result in instabilities in the integration network. In short, transactions that weren’t executed properly cannot be identified in time, which in turn can lead to financial losses.
   Risk without control(s): High
   Control: Constant monitoring of SAP NetWeaver PI using the central monitor provided for this purpose.
   Risk with control(s): Normal
   Section: 12.4.6

11. Risk potential: No authentication for the file adapter. SAP NetWeaver PI lets you retrieve files from a sending system and place them on a receiving system using file adapters. There is no authentication for the file adapter — at a technical or user level. This communication channel is therefore easily accessible.
   Impact: Files could be introduced to a target system to, for example, overwrite the password file /etc/passwd. Afterward, the attacked target system could be taken over via a newly created administration account.
   Risk without control(s): High
   Control: It is vital to ensure a correct configuration of authorizations at the operating system level for the relevant file directories, especially when using the file adapter. In particular, this applies to the SYSADM user, under which SAP NetWeaver PI is executed.
   Risk with control(s): Normal
   Section: 12.4.7

12. Risk potential: No encryption of communication channels. The communication channels between the SAP NetWeaver PI components and the connected partner systems are not encrypted.
   Impact: The unencrypted HTTP communication channels enable third parties to view the exchanged service messages and gain insight into confidential business data. In addition, unauthorized financing transactions might be carried out.
   Risk without control(s): Extremely high
   Control: Internal and external communication channels must be secured using SSL or SNC.
   Risk with control(s): Normal
   Section: 12.4.8

13. Risk potential: Web service security options are not utilized. Web services and enterprise services are not protected against compromise of their integrity and confidentiality.
   Impact: Unprotected service messages can make confidential business data public. In addition, data might be changed or unauthorized financing transactions triggered.
   Risk without control(s): Extremely high
   Control: Web service security needs to be optimally configured, considering the technical options.
   Risk with control(s): Normal
   Section: 12.4.9

Table 12.1 Risks and Controls for SAP NetWeaver PI
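As an added illustration of how controls 5, 6/12 and 7 from Table 12.1 can be checked in a single pass, the following Python script (example code written for this excerpt, not code from the book or from SAP NetWeaver PI) audits a constructed inventory of sender communication channels. The record layout, the field names (sender_system, service_user, transport, snc, signature_required) and every channel and user name other than PIAPPLUSER are assumptions; in a real review the list would be populated from the Integration Directory configuration.

```python
"""Added example (not SAP's or the book's code): audit a constructed list of
sender communication channels against controls 5, 6/12 and 7 of Table 12.1."""
from collections import defaultdict

# Constructed sample inventory. One record per sender communication channel
# (a system sending to the PI server). Field names are assumptions made for
# this example, not Integration Directory attribute names.
SAMPLE_CHANNELS = [
    {"name": "ERP_SENDER_RFC", "sender_system": "ERP", "adapter": "RFC",
     "service_user": "PIAPPLUSER", "transport": "rfc", "snc": False,
     "signature_required": False},
    {"name": "CRM_SENDER_RFC", "sender_system": "CRM", "adapter": "RFC",
     "service_user": "PIAPPLUSER", "transport": "rfc", "snc": True,
     "signature_required": False},
    {"name": "PARTNER_SENDER_SOAP", "sender_system": "PARTNER_B2B", "adapter": "SOAP",
     "service_user": "PI_PARTNER_B2B", "transport": "http", "snc": False,
     "signature_required": False},
    {"name": "BANK_SENDER_SOAP", "sender_system": "BANK", "adapter": "SOAP",
     "service_user": "PI_BANK", "transport": "https", "snc": False,
     "signature_required": True},
]

XML_ADAPTERS = {"SOAP", "XI"}  # adapters carrying XML-based messages (risk 7)


def is_encrypted(channel):
    """Control 6/12: HTTP channels need SSL (https), RFC channels need SNC."""
    if channel["transport"] == "https":
        return True
    return channel["transport"] == "rfc" and channel["snc"]


def audit_channels(channels):
    """Return (risk number, object, description) findings, risk 5 findings first."""
    findings = []
    # Risk 5: one technical service user shared by several sender systems
    systems_per_user = defaultdict(set)
    for ch in channels:
        systems_per_user[ch["service_user"]].add(ch["sender_system"])
    for user, systems in systems_per_user.items():
        if len(systems) > 1:
            findings.append((5, user, "shared by sender systems " + ", ".join(sorted(systems))))
    for ch in channels:
        # Risk 6/12: authentication data and messages travel in the clear
        if not is_encrypted(ch):
            findings.append((6, ch["name"], "channel not secured by SSL or SNC"))
        # Risk 7: XML-based inbound messages accepted without a signature check
        if ch["adapter"] in XML_ADAPTERS and not ch["signature_required"]:
            findings.append((7, ch["name"], "sender agreement does not require a signature"))
    return findings


if __name__ == "__main__":
    for risk, obj, text in audit_channels(SAMPLE_CHANNELS):
        print(f"risk {risk:2d}  {obj:20s} {text}")
```

On the constructed sample the script reports PIAPPLUSER as shared by ERP and CRM (risk 5), the ERP RFC channel without SNC and the partner SOAP channel over plain HTTP (risk 6), and the partner SOAP channel accepting unsigned messages (risk 7); the RFC channel with SNC and the HTTPS channel with a signature requirement pass.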

12.3 Application Security

This section describes in more detail the risks and controls that are outlined in Table 12.1 with regard to application security.

12.3.1 Authorizations for Enterprise Services Builder

SAP NetWeaver PI does not involve direct interaction with the users in the department at runtime. SAP NetWeaver PI is pure middleware or backend infrastructure that transports messages from one SAP or non-SAP system to another target system. Using appropriate mapping rules, messages can be converted and translated so that they’re understood by the receiving system. SAP NetWeaver PI therefore fulfills the function of a central integration hub for all applications connected via connectors.

The only interaction between SAP NetWeaver PI and users, except for monitoring, takes place during the design and configuration phase. Using the Enterprise Services Builder/Integration Builder, these administrative users access the Enterprise Services Repository, Integration Directory, and SLD. A part of the user authorization is performed on the AS ABAP and can therefore be defined via the ABAP authorization system. The Enterprise Services Builder is a Java application where access to single objects of the Integration Directory can be authorized.

SAP delivers the following standard roles for administration (design and configuration phase) that can be used in this respect:

  • SAP_XI_DISPLAY_USER
    This role only grants the user read access to the information contained in the Enterprise Services Repository and Integration Directory (integration objects, communication interfaces, and so on).
  • SAP_XI_DEVELOPER
    This role can create, delete, and change the integration components in the Enterprise Services Repository.
  • SAP_XI_CONFIGURATOR
    This role can create, delete, and change integration scenarios in the Integration Directory.
  • SAP_XI_CONTENT_ORGANIZER
    This role can create, delete, and change the contents in the SLD.
  • SAP_XI_MONITOR
    This role can monitor all SAP NetWeaver PI components and all messages that were processed using SAP NetWeaver PI.
  • SAP_XI_ADMINISTRATOR
    This role includes all roles mentioned and is thus a master role for SAP NetWeaver PI administration.

Access to the individual object types within the Enterprise Services Repository and Integration Directory can, as mentioned earlier, be designed in a more detailed way. To do this, the following conditions must be met:

  • The J2EE parameter com.sap.aii.ib.server.lockauth.activation in the Exchange profile, found at http://<server>:<HTTP port>/exchangeProfile, must be set to true.
  • On the AS ABAP of the PI system, the SAP_XI_ADMINISTRATOR_J2EE role must be assigned to the administrator, because it grants access to the Enterprise Services Builder role configurator, which is available in the Enterprise Services Builder menu. This ABAP role must therefore be granted in a very restrictive way.

Using this role configurator, accesses within the Enterprise Services Builder to the object types can be limited in both the Enterprise Services Repository and in the Integration Directory. In the Enterprise Services Repository, access to individual software component versions, name ranges, and repository object types (software components, integration scenario objects, interface objects, mapping objects, adapter objects, and imported objects) can be limited. The authorizations to Create, Change, and Delete can be granted.

In the Integration Directory, the access to the object types Interface Determination, Recipient Determination, Receiver Agreement, Configuration Scenario, and Special Agreement can be restricted. To do this, the authorizations to Create, Change, and Delete are also available. In general, read access is granted using the SAP_XI_DISPLAY_USER ABAP role.

If new roles are created for the Enterprise Services Builder, the corresponding roles are physically stored in the UME (see Chapter 9, SAP NetWeaver AS). These UME roles for the Integration Repository then start with XIRep_*, or XIDir_* for the Integration Directory. In the UME, they can either be assigned directly to the existing administrator or to a user group.

Note
Please remember: The UME group name is identical to the name of the ABAP role. Therefore, if you assigned a specific role in the AS ABAP to a specific person group, this ABAP role can be addressed as a group in the UME. In the same way, the defined Enterprise Services Builder UME roles can be assigned to the same ABAP users.
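To make the fine-grained model of Section 12.3.1 concrete, the following Python module is an added example (not SAP's implementation and not code from the book) of a deny-by-default authorization check over the object types and actions the text names. The UME roles XIRep_MappingDev and XIDir_ScenarioOps, their grants, and the user names are constructed; how the coarse ABAP roles and the per-object UME grants combine when com.sap.aii.ib.server.lockauth.activation is true or false is a modelling assumption stated in the docstring, not a statement about SAP's behaviour.

```python
"""Added example (not SAP's code): a deny-by-default model of the Enterprise
Services Builder role configurator described in section 12.3.1."""

# Object types named in the text
ESR_OBJECT_TYPES = {"software component", "integration scenario object",
                    "interface object", "mapping object", "adapter object",
                    "imported object"}
ID_OBJECT_TYPES = {"Interface Determination", "Recipient Determination",
                   "Receiver Agreement", "Configuration Scenario",
                   "Special Agreement"}
ACTIONS = {"Create", "Change", "Delete"}

# Constructed UME roles (XIRep_* for the repository, XIDir_* for the
# directory). Role names and grant contents are assumptions for this example.
ROLE_GRANTS = {
    "XIRep_MappingDev": {"mapping object": {"Create", "Change"}},
    "XIDir_ScenarioOps": {"Configuration Scenario": {"Create", "Change", "Delete"},
                          "Receiver Agreement": {"Change"}},
}

# Constructed user-to-role assignments (ABAP roles from the text plus the
# UME roles above). User names are assumptions.
USER_ROLES = {
    "dev1": {"SAP_XI_DISPLAY_USER", "XIRep_MappingDev"},
    "ops1": {"SAP_XI_DISPLAY_USER", "XIDir_ScenarioOps"},
    "auditor": {"SAP_XI_DISPLAY_USER"},
    "pi_admin": {"SAP_XI_ADMINISTRATOR", "SAP_XI_ADMINISTRATOR_J2EE"},
}

# Roles the text says must be granted very restrictively
MASTER_ROLES = {"SAP_XI_ADMINISTRATOR", "SAP_XI_ADMINISTRATOR_J2EE"}


def is_authorized(user, object_type, action, lockauth_active=True,
                  user_roles=USER_ROLES):
    """Decide whether user may perform action on object_type.

    Model assumptions (this example, not SAP's implementation): with the
    Exchange profile parameter com.sap.aii.ib.server.lockauth.activation
    set to true, a write needs a per-object grant from a UME role; with it
    set to false, the coarse ABAP roles SAP_XI_DEVELOPER (repository) and
    SAP_XI_CONFIGURATOR (directory) decide. Read access comes from
    SAP_XI_DISPLAY_USER or the coarse role; SAP_XI_ADMINISTRATOR includes
    everything. Anything not explicitly granted is denied.
    """
    roles = user_roles.get(user, set())
    if object_type in ESR_OBJECT_TYPES:
        coarse_role = "SAP_XI_DEVELOPER"
    elif object_type in ID_OBJECT_TYPES:
        coarse_role = "SAP_XI_CONFIGURATOR"
    else:
        return False  # unknown object type: deny
    if "SAP_XI_ADMINISTRATOR" in roles:
        return True   # master role includes all other roles
    if action == "Read":
        return "SAP_XI_DISPLAY_USER" in roles or coarse_role in roles
    if action not in ACTIONS:
        return False
    if not lockauth_active:
        return coarse_role in roles  # per-object grants not enforced
    return any(action in ROLE_GRANTS.get(r, {}).get(object_type, set())
               for r in roles)


def master_role_holders(user_roles=USER_ROLES):
    """List users holding a master role, for the restrictive-assignment review."""
    return sorted(u for u, roles in user_roles.items() if roles & MASTER_ROLES)


if __name__ == "__main__":
    print("dev1 may change a mapping object:",
          is_authorized("dev1", "mapping object", "Change"))
    print("dev1 may delete a mapping object:",
          is_authorized("dev1", "mapping object", "Delete"))
    print("master role holders:", master_role_holders())
```

The last branch is the one worth noting: with the lock authorization parameter off, a user whose only write permission comes from an XIRep_* or XIDir_* role gets nothing, and with it on, a user without such a grant gets nothing either, which is the deny-by-default behaviour an authorization concept should be reviewed against.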

12.3.2 Passwords and Authorizations for Technical Service Users

The various SAP NetWeaver PI components listed previously, like the Enterprise Services Repository, Integration Directory, Integration Server, and so on, must access one another during the design, configuration, and runtime phases, for example, to read or write information. During such an access, a component (for example, the Integration Directory accessing the Integration Server) reads the relevant technical service user data from the Exchange profile, in this case PIISUSER, and then uses it to authenticate itself to the Integration Server. The PIISUSER service user data is read via the PILDUSER service user, which is known to every component.

The following technical service users are used to access the respective component:

  • Exchange profile and System Landscape Directory
    Access via the technical service user PILDUSER using the ABAP role SAP_BC_AI_LANDSCAPE_DB_RFC.
  • Enterprise Services Repository
    Access via the technical service user PIREPUSER using the ABAP role SAP_XI_IR_SERV_USER.
  • Integration Directory
    Access via the technical service user PIDIRUSER using the ABAP role SAP_XI_ID_SERV_USER.
  • (Advanced) Adapter Engine
    Access via the technical service user PIAFUSER using the ABAP role SAP_XI_AF_SERV_USER_MAIN.
  • Integration Server
    Access via the technical service user PIISUSER using the ABAP role SAP_XI_IS_SERV_USER_MAIN.
  • Runtime Workbench (cache at runtime)
    Access via the technical service user PIRWBUSER using the ABAP role SAP_XI_RWB_SERV_USER_MAIN.

These technical service users are set up during the SAP NetWeaver PI installation and are automatically configured. The passwords need to be chosen during the installation, and it is critical that they are sufficiently complex. The following rules should be applied:

  • Password length to be a minimum of eight characters
  • At least one special character
  • At least one letter
  • At least one number

12.3.3 Authorizations for Administrative Access to SAP NetWeaver PI

SAP NetWeaver PI can be considered middleware that only administrative employees need to access for configuration or monitoring tasks. Although access is therefore granted to a limited number of people, an authorization concept that assigns appropriate and restrictive authorizations needs to be documented and used.

For the essential SAP NetWeaver PI components, the standard version provides predefined ABAP roles of which — according to best practices — copies are adapted to the specific requirements and assigned to the administrative user. The following roles are available for the three components:

  • Enterprise Services Repository
    SAP_XI_ADMINISTRATOR_J2EE (administrative access to the AS Java)
  • Enterprise Services Registry
    SERVICES_REGISTRY_READ_ONLY (read only access to the Services Registry)
    SERVICES_REGISTRY_READ_WRITE (read access to all classifications and write access to classifications that are not predefined or technical)
    SERVICES_REGISTRY_BUSINESS_ADMINISTRATOR (read access to all classifications and write access to classifications that are not technical)
    SERVICES_REGISTRY_TECHNICAL_ADMINISTRATOR (read and write access)
  • Universal Description, Discovery, Integration (UDDI) server
    UDDI_Admin (object administration, access to user information)
    UDDI_TierN (object administration, no access to user information)
    UDDI_Tier1 (service administration, no access to user data)

12.3.4 Password Rules for Administrators

It is important that administrators have separate, individual user names and passwords for SAP NetWeaver PI. This is an administrator’s individual responsibility. Password rules should be generally applicable and specify that passwords need to be sufficiently complex:

  • Password length to be a minimum of eight characters
  • At least one special character
  • At least one letter
  • At least one number
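Sections 12.3.2 and 12.3.4 state the same four password rules, once for technical service users and once for administrators, and Table 12.1 (control 2) adds that installation default passwords must be changed. The following Python module is an added example (not SAP's code and not from the book) that turns those rules into a validator to be called when a password is set, and a review of a constructed inventory of the six technical service users from Section 12.3.2. The default_changed flags are constructed sample values; no passwords are stored in the inventory, and the candidate passwords in the test are made up for illustration.

```python
"""Added example (not SAP's code): the password rules from sections 12.3.2
and 12.3.4 as a validator, plus a check that installation defaults were changed."""
import string

SPECIAL_CHARACTERS = set(string.punctuation)
MIN_LENGTH = 8


def password_violations(password):
    """Return the rules from the text that the candidate password breaks
    (an empty list means the password is compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("minimum length of eight characters")
    if not any(c in SPECIAL_CHARACTERS for c in password):
        violations.append("at least one special character")
    if not any(c.isalpha() for c in password):
        violations.append("at least one letter")
    if not any(c.isdigit() for c in password):
        violations.append("at least one number")
    return violations


# Constructed inventory of the technical service users from section 12.3.2.
# 'default_changed' records whether the installation password was replaced
# (control 2 in Table 12.1). The flags are constructed sample values, and
# no passwords are kept in this inventory.
SAMPLE_ACCOUNTS = [
    {"user": "PILDUSER", "role": "SAP_BC_AI_LANDSCAPE_DB_RFC", "default_changed": True},
    {"user": "PIREPUSER", "role": "SAP_XI_IR_SERV_USER", "default_changed": True},
    {"user": "PIDIRUSER", "role": "SAP_XI_ID_SERV_USER", "default_changed": True},
    {"user": "PIAFUSER", "role": "SAP_XI_AF_SERV_USER_MAIN", "default_changed": False},
    {"user": "PIISUSER", "role": "SAP_XI_IS_SERV_USER_MAIN", "default_changed": True},
    {"user": "PIRWBUSER", "role": "SAP_XI_RWB_SERV_USER_MAIN", "default_changed": False},
]


def users_with_default_password(accounts):
    """Technical service users still running on the installation default."""
    return sorted(a["user"] for a in accounts if not a["default_changed"])


if __name__ == "__main__":
    # Constructed candidate passwords, chosen only to exercise the rules
    for candidate in ("Ld#2011pi", "isuser1"):
        print(candidate, "->", password_violations(candidate) or "compliant")
    print("default password still in use:", users_with_default_password(SAMPLE_ACCOUNTS))
```

The validator returns the list of broken rules rather than a bare boolean so that the person setting the password sees which of the four rules failed; the inventory review is a separate function because it is a periodic control, not a per-password check.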


This was first published in January 2011
