The Developer's Guide to SAP Netweaver Security

Martin Raepple is a standards architect at SAP AG. Since his move to SAP in 2005, Martin Raepple has represented the company in the working groups of several international standards bodies, including OASIS and WS-I. In these groups, he is actively involved in the creation of new technology standards in the areas of security and identity management. Functioning as a link between the standards bodies and SAP development, he incorporates SAP's requirements into the work of the bodies and helps include the latest industry findings in the ongoing development of the SAP NetWeaver technology platform. He also collaborates closely with SAP partners in the planning and implementation of interoperability scenarios between SAP NetWeaver and other platforms. For example, he was responsible for developing the WS-I Sample Application for SAP NetWeaver and for carrying out interoperability tests that successfully proved the compliance of SAP NetWeaver with new security standards for Web services.

Preface ... 15 1 ... Introduction ... 17 2 ... Basic Principles of IT Security ... 23 ... 2.1 ... Security and Service-Oriented Architectures ... 24 ... 2.2 ... Developing Security Concepts ... 34 ... 2.3 ... Basic Security Measures ... 39 ... 2.4 ... Public Key Infrastructure ... 49 ... 2.5 ... Summary ... 52 3 ... Authentication and Authorization in SAP NetWeaver Application Server Java ... 53 ... 3.1 ... J2EE Application Security ... 54 ... 3.2 ... J2EE Security in Practice ... 68 ... 3.3 ... Application Security in J2EE Applications Using the SAP User Management Engine API ... 98 ... 3.4 ... Java Authentication and Authorization Service ... 133 ... 3.5 ... Summary ... 148 4 ... Single Sign-On ... 151 ... 4.1 ... Basic Principles ... 152 ... 4.3 ... Intercompany Single Sign-On ... 194 ... 4.4 ... Summary ... 287 5 ... Identity Provisioning ... 289 ... 5.1 ... Basic Principles ... 289 ... 5.2 ... Service Provisioning Markup Language ... 292 ... 5.3 ... SPML Support in SAP NetWeaver ... 302 ... 5.4 ... Federated Identity Provisioning ... 312 ... 5.5 ... Summary ... 333 6 ... Secure Web Services ... 335 ... 6.1 ... Architecture ... 335 ... 6.2 ... Basic Web Service Standards ... 337 ... 6.3 ... Security Standards ... 346 ... 6.4 ... Interoperability ... 362 ... 6.5 ... Support for Secure Web Services in SAP NetWeaver ... 366 ... 6.6 ... Testing and Error Analysis ... 408 ... 6.7 ... Enterprise Scenario: Process Automation with Web Services ... 418 ... 6.8 ... Exercise 6: Implementing the Subscenarios with WS-Security ... 426 ... 6.9 ... Summary ... 491 Appendix ... 495 ... A ... Setting Up the Certificate Authority and Key Management in the Enterprise Scenario ... 497 ... A.1 ... Installing the Certificate Authority ... 499 ... A.2 ... Creating the SecureSale SSL Key Pair for Apache Tomcat ... 504 ... A.3 ... Setting Up the SSL Server for SecureSale in SAP NetWeaver Application Server Java ... 507 ... A.4 ... Setting Up the SSL Server for SecureShipping in the SAP NetWeaver Application Server ABAP ... 515 ... A.5 ... Creating the CompSOA SSL Key Pair ... 521 ... A.6 ... Creating the SecureSale Web Service Key Pairs for Signatures and Encryption in the SAP NetWeaver Application Server Java ... 522 ... A.7 ... Creating the CompSOA Web Services Keystore ... 526 ... A.8 ... Creating the SecureShipping Web Service Key Pair for Signatures ... 529 ... A.9 ... Creating the TrustedBank Web Service Signature Key Pair ... 531 ... B ... Referenced Literature ... 535 ... C ... Author ... 539 Index ... 541