Welcome to this SAP presentation which will cover the ...
Transcript of Welcome to this SAP presentation which will cover the ...
Welcome to this SAP presentation which will cover the Security features of SAP
NetWeaver Gateway Productivity Accelerator for Microsoft or GWPAM for short.
In this session, the following topics will be covered:
An overview of the Authentication Mechanisms used with GWPAM
Step by Step instructions on how to implement each of the Authentication Mechanisms
Step by Step instructions on how to roll-out the Group Policy across a domain
And lastly, validating the Group Policy Roll-Out
GWPAM provides easily pluggable libraries to handle security and single sign-on for
applications.
The authentication mechanisms supported are Basic, SAML 2.0 and X.509.
Let's take a look at each of the options.
Basic Authentication
With basic authentication the user name and password are set directly in the generated
code or distributed through the .adm file. Either way the credential is stored in clear text:
in the source tree, and, if it is distributed through the .adm file, in the registry of every
user the policy applies to. Basic authentication should therefore only be used in a
development or test environment.
SAML 2.0
The Security Assertion Markup Language (SAML) version 2.0 is a standard for the
communication of assertions about principals, typically users. The assertion can include the
means by which a subject was authenticated, attributes associated with the subject, and an
authorization decision for a given resource.
X.509
An X.509 client certificate is a digital "identification card" for use on the Internet, also
known as a public-key certificate. A user who accesses the SAP Web Application Server and
presents a valid certificate is authenticated on the server using the SSL protocol. The
information contained in the certificate is passed to the server, and the user is logged on to
the server based on that information, so the certificate's subject has to be mapped to an
SAP user on the server side. User authentication takes place in the underlying protocols,
and no user ID and password entries are necessary.
Additional information on SAML 2.0 and X.509 can be found in the SAP Help Portal using
the links in this document
To use Basic authentication as the security mechanism for interacting with SAP NW Gateway,
make the following changes in the generated code:
1. In the Solution Explorer, navigate to Project folder > SAP Service Reference > App.config.
2. Double-click App.config to open it.
3. Change the "SSO" value in the App.config file to "BASIC".
4. Fill in the user name and password for basic authentication in the
HandleSAPConnectivity method of the BusinessConnectivityHelper class.
To use SAML 2.0 SSO authentication as the security mechanism for interacting with SAP NW
Gateway, make the following changes in the generated code:
1. In the Solution Explorer, navigate to Project folder > SAP Service Reference > App.config.
2. Double-click App.config to open it.
3. Change the "SSO" value in the App.config file to "SAML20" and provide the appropriate
value for the "client".
Additional information on SAML 2.0 configuration can be found on the SAP Help Portal at
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/46/631b92250b4fc1855686b4ce0f2f33/fram
eset.htm
To use X.509 certificate SSO authentication as the security mechanism for interacting with SAP
NW Gateway, make the following changes in the generated code:
1. The user's machine must hold an X.509 client certificate, with its private key, whose root
certificate is trusted by SAP NW Gateway.
2. In the Solution Explorer, navigate to Project folder > SAP Service Reference > App.config.
3. Double-click App.config to open it.
4. Change the "SSO" value in the App.config file to "X509" and provide the appropriate value
for the "client" as shown in the diagram.
5. Enter the name of the Trusted Issuer Certificate.
Additional information on the X.509 configuration can be found on the SAP Help Portal at:
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/a8/d9d53a9aa9e933e10000000a114084/co
ntent.htm
The security configuration can be maintained in either the Group Policy Administrative Template
file (ADM) or the app.config file. If both are maintained, the entries in the app.config file take
precedence. In practice this means a Service section left in the add-in's app.config silently
overrides whatever the domain administrator rolled out, including the SSO mechanism and the
Gateway URL.
For the Group Policy Administrative Template file (ADM) to always take precedence, the
"Service Section" in the App.config file must be commented out:
1. In the Solution Explorer, navigate to Project folder > SAP Service Reference > App.config.
2. Double-click App.config to open it.
3. Find the "Service Section" and comment out the complete section.
This section provides the steps to roll out the policy-based configuration across a domain.
By default, each GWPAM project created contains an administrative template file, and the
template is attached to the generated solution. The administrative template file can be
found in the "SAP Service Reference" folder with the .adm file extension.
You can add, modify or delete entries in this template file as required and save it as a .adm file.
The domain administrator then uses the file to roll out the policy globally.
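What such a template looks like, as an added example that is not the file GWPAM generates: a minimal classic .adm template carrying the three Service Details settings the deck describes (URL, client, SSO). The category names, the registry KEYNAME and the string names are assumptions; take the KEYNAME and value names from your own generated template. BASIC is deliberately not offered in the SSO list, so that a user name and password can never be distributed by policy.

```adm
; Added example, not the GWPAM-generated template. KEYNAME and names are assumed.
CLASS USER

CATEGORY !!Cat_GWPAM
  CATEGORY !!Cat_ServiceDetails
    ; Values land under HKEY_CURRENT_USER\<KEYNAME> on every user the GPO applies to.
    KEYNAME "Software\Policies\Contoso\GWPAM\SalesOrderAddIn"

    POLICY !!Pol_Service
      EXPLAIN !!Pol_Service_Help

      PART !!Part_URL EDITTEXT REQUIRED
        VALUENAME "URL"
      END PART

      PART !!Part_Client EDITTEXT REQUIRED
        VALUENAME "client"
        DEFAULT "100"
      END PART

      ; BASIC is deliberately absent: a domain template must never carry a
      ; user name and password, so only the SSO mechanisms are selectable.
      PART !!Part_SSO DROPDOWNLIST REQUIRED
        VALUENAME "SSO"
        ITEMLIST
          NAME !!SSO_SAML20 VALUE "SAML20" DEFAULT
          NAME !!SSO_X509   VALUE "X509"
        END ITEMLIST
      END PART
    END POLICY
  END CATEGORY
END CATEGORY

[strings]
Cat_GWPAM="SAP GWPAM"
Cat_ServiceDetails="Service Details"
Pol_Service="SalesOrder add-in service settings"
Pol_Service_Help="Gateway service URL, SAP client and SSO mechanism used by the GWPAM add-in. These values are ignored if the add-in's app.config still contains an active Service section."
Part_URL="Service URL (https://...)"
Part_Client="SAP client"
Part_SSO="SSO mechanism"
SSO_SAML20="SAML 2.0"
SSO_X509="X.509 client certificate"
```

When the policy is set to Enabled in the editor, the three values are written as REG_SZ under the KEYNAME; setting it to Disabled removes them again, which is why the registry check at the end of this deck is the reliable way to confirm the roll-out.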
To copy the .adm file to the domain server, navigate to C:\....\Documents\Visual Studio
2010\Projects\(Project Name)\(Project Name)\SAP Service Reference
1. Right-click the .adm file and select Copy.
2. Paste it into a location on the domain server.
1. On the domain server, navigate to Start > Programs > Administrative Tools > Group Policy
Management. The Group Policy Management screen appears.
2. Expand Domains > (name of the domain) and select Group Policy Objects in the
tree region.
3. Right-click Group Policy Objects and select New from the resulting dropdown list.
4. Enter the name for your new Group Policy Object and select OK.
1. The newly created policy is displayed under the Group Policy Objects folder in the
tree region.
2. Right-click the new Group Policy Object and select Edit from the dropdown list. The
Group Policy Management Editor screen appears.
1. Expand User Configuration > Policies and select Administrative Templates.
2. Right-click Administrative Templates and select Add/Remove Templates. The
Add/Remove Templates window appears.
3. Select Add to locate your template (.adm file).
4. Navigate to the location where the .adm file was saved.
Ensure that you are adding the correct template file: if an incorrect file is added, the tree
region will not display the new folder under the Classic Administrative Templates folder.
5. The Group Policy template is added to the Classic Administrative Templates folder.
1. Close the Add/Remove Templates window. A new folder appears under the Classic
Administrative Templates folder in the tree region.
2. Expand the new folder and select the Service Details folder. The details region displays
the service settings available in the template file.
3. Double-click a setting to open its Properties window and enable it by selecting the
Enabled radio button.
4. Provide the URL, Client and SSO options.
5. Click Apply, close the Properties window, then close the Group Policy Management
Editor.
1. Navigate to the policy you created in the Group Policy Management screen under
Group Policy Objects. The details region displays the details of the policy.
2. Choose the Settings tab. The details you provided in the Properties window are displayed
in the settings view of the Group Policy Object.
The next step is to set up the security filter. The filter determines which objects (groups,
users, computers, etc.) the policy is applied to.
1. Click the Scope tab in the details region.
2. Click Add in the Security Filtering region. The Select User, Computer, or Group window
appears.
3. Enter the name of the user in "Enter the object name to select" and click Check Names to
populate the matching names.
4. Select the required user and click OK to add it.
Remove Authenticated Users from the Security Filtering region if you do not want the Group
Policy to be applied to every authenticated user in the domain; as long as that entry remains,
adding an individual user narrows nothing.
1. Click and drag the new policy from Group Policy Objects onto the domain listed
under Domains to create a link between the policy and the domain.
A confirmation message appears confirming the link. Click OK to proceed.
1. The policy is now listed under the selected domain. The link is active as soon as it is
created.
2. Right-click the policy listed under the domain and select Enforced. A check mark appears,
indicating that it is selected. Enforced does not switch the policy on; it prevents a GPO linked
lower in the hierarchy, or an OU with Block Inheritance, from overriding these settings.
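The same roll-out, from creating the GPO through security filtering to the enforced link, done with the GroupPolicy PowerShell module (RSAT) so that it is repeatable and can be reviewed before it is applied. This is an added example, not code from the SAP deck or from GWPAM. The GPO name, AD group, OU and registry key are assumptions; the key must match the KEYNAME in your generated .adm file. Rather than loading the .adm file into the console, it writes the same registry-based policy values with Set-GPRegistryValue, which is what the editor does behind the Service Details settings.

```powershell
# Added example (not part of the SAP deck). All names below are assumptions.
#Requires -Modules GroupPolicy

$GpoName   = 'GWPAM SalesOrder Add-in'                     # assumed GPO name
$TargetOu  = 'OU=Workstations,DC=corp,DC=example,DC=com'   # assumed link target
$UserGroup = 'GWPAM-SalesOrder-Users'                      # assumed AD group of add-in users
# Assumed KEYNAME; must equal the KEYNAME declared in the generated .adm file.
$PolicyKey = 'HKCU\Software\Policies\Contoso\GWPAM\SalesOrderAddIn'

# 1. Create the GPO (Group Policy Objects > New), idempotently.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'GWPAM service URL, client and SSO mechanism'
}

# 2. Write the Service Details values. SSO is SAML20 or X509 only; BASIC would
#    push a password into every user's registry.
$settings = @{
    URL    = 'https://gateway.corp.example.com/sap/opu/odata/sap/ZSALESORDER_SRV'  # constructed
    client = '100'
    SSO    = 'SAML20'
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $name `
        -Type String -Value $settings[$name] | Out-Null
}

# 3. Security filtering: drop Authenticated Users, apply only to the add-in's users.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
# Since MS16-072 user policy is read in the computer's security context, so the
# computer accounts still need read access once Authenticated Users is gone.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# 4. Link to the OU and enforce the link so lower-level GPOs cannot override it.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -Enforced Yes | Out-Null
}

# 5. Review what was deployed before telling users to refresh policy.
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey | Format-Table ValueName, Value
Get-GPPermission  -Name $GpoName -All | Format-Table Trustee, Permission
```

Run it from a machine with RSAT installed as an account allowed to create and link GPOs. Because the values are written directly, the Group Policy Management Editor will show them under "Extra Registry Settings" rather than under the template's own folder unless the .adm file has also been added to the console; the client receives the same registry entries either way.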
The verification of the policy roll-out should be done for a user included in the Security
Filtering region, and it must be done on a client machine.
To verify the policy roll-out on the client machine, proceed as follows:
1. Log on to a client machine that is joined to the domain with a user to whom the policy
applies.
2. Open a command prompt and run GPUPDATE /FORCE to refresh the policy, in case it has
not already been applied.
3. Open the Registry Editor and navigate to HKEY_CURRENT_USER\Software\Policies.
4. The policy you created will be available under the Policies key, and the details region
displays the corresponding registry entries.
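The client-side check from the four steps above, scripted so it can be run on every workstation as the filtered user. This is an added example, not from the SAP deck. It also enforces the precedence rule from the app.config section: because a live Service section in the deployed app.config overrides the domain policy, the script fails if one is still present. The registry key, the GPO name, the deployed config path and the "Service" element name are assumptions; the value names URL, client and SSO are the ones the deck's Service Details settings provide.

```powershell
# Added example (not part of the SAP deck). Key, GPO name, config path and the
# element name "Service" are assumptions; adjust them to your generated project.
param(
    [string]$PolicyKey = 'HKCU:\Software\Policies\Contoso\GWPAM\SalesOrderAddIn',
    [string]$GpoName   = 'GWPAM SalesOrder Add-in',
    [string]$AppConfig = "$env:ProgramFiles\Contoso\SalesOrderAddIn\SalesOrderAddIn.dll.config"
)

# 1. Refresh user policy now instead of waiting for the background refresh.
gpupdate /target:user /force | Out-Null

# 2. Show which GPOs actually applied to this user (link + security filtering).
gpresult /r /scope:user | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,8

# 3. The registry values only exist if the GPO applied, so this is the real proof.
$p = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
'{0,-7} {1}' -f 'URL',    $p.URL
'{0,-7} {1}' -f 'client', $p.client
'{0,-7} {1}' -f 'SSO',    $p.SSO

if ($p.SSO -eq 'BASIC') {
    throw "Policy '$GpoName' distributes BASIC authentication: a user name and password are being pushed to every filtered user in clear text."
}
if ($p.URL -notmatch '^https://') {
    Write-Warning 'Gateway URL is not HTTPS; assertions and certificates would cross the wire unprotected.'
}

# 4. app.config wins over policy, so the Service section must be commented out,
#    not merely edited. XML comments are not elements, so SelectNodes ignores a
#    section that was commented out and finds one that is still live.
if (Test-Path $AppConfig) {
    [xml]$cfg = Get-Content -Path $AppConfig -Raw
    $live = $cfg.SelectNodes('//*[local-name()="Service"]')
    if ($live.Count -gt 0) {
        throw "$AppConfig still contains an active Service section; it overrides the domain policy."
    }
}
'GWPAM policy roll-out verified for {0}\{1}.' -f $env:USERDOMAIN, $env:USERNAME
```

If step 3 fails with a missing key, check gpresult's "filtered out" list first: the most common cause is that the user is not in the security-filtering group, or that Authenticated Users was removed without giving the computer accounts read access to the GPO.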
www.sap.com
© 2013 SAP AG. All rights reserved.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP
BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP
products and services mentioned herein as well as their respective
logos are trademarks or registered trademarks of SAP AG in Germany
and other countries.
Business Objects and the Business Objects logo, BusinessObjects,
Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and
other Business Objects products and services mentioned herein as
well as their respective logos are trademarks or registered trademarks
of Business Objects Software Ltd. Business Objects is an SAP
company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL
Anywhere, and other Sybase products and services mentioned herein
as well as their respective logos are trademarks or registered
trademarks of Sybase Inc. Sybase is an SAP company.
Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are
registered trademarks of Crossgate AG in Germany and other
countries. Crossgate is an SAP company.
All other product and service names mentioned are the trademarks of
their respective companies. Data contained in this document serves
informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials
are provided by SAP AG and its affiliated companies ("SAP Group")
for informational purposes only, without representation or warranty of
any kind, and SAP Group shall not be liable for errors or omissions
with respect to the materials. The only warranties for SAP Group
products and services are those that are set forth in the express
warranty statements accompanying such products and services, if
any. Nothing herein should be construed as constituting an additional
warranty.