Configure Security for SAP Mobile Platform (MP5)
- Alexia Preston
- 10 years ago
Building Block Guide
SAP Mobile Platform 3.0
June 2015
English
Typographic Conventions

Type Style: Description
Example: Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options. Textual cross-references to other documents.
Example: Emphasized words or expressions.
EXAMPLE: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE: Keys on the keyboard, for example, F2 or ENTER.

SAP SE or an SAP affiliate company. All rights reserved.
Document History

Revision  Date  Change
First version.
Table of Contents

1 Purpose
2 Preparation
Prerequisites
Securing Your Mobile Landscape
Enabling SMP HTTPS Ports
Creating a Certificate Request for the SMP Server
Signing the Server Certificate
Importing the CA Root Certificate into SMP Keystore
Importing the Signed Server Certificate into SMP Keystore
Enable Access HTTPS Endpoint
Importing Endpoint CA Root Certificate into SMP Keystore
Using Reverse Proxies
Using Apache Reverse Proxy for Native and Hybrid Apps
Install and Configure Apache Reverse Proxy
Configure 1-Way HTTPS for Apache Reverse Proxy
Configure 2-Way (Mutual) HTTPS for Apache Reverse Proxy
Using Nginx Reverse Proxy for Agentry Apps
Install and Configure Nginx as a Reverse Proxy
Starting, Stopping, and Reloading
Integrating SMP Admin with LDAP
Adding LDAP Authentication to Admin Security
Mapping Logical Roles to LDAP Roles
Enabling User Authentication
Creating Agentry Security Profile
Creating Basic Security Profile
Creating SSO2 Security Profile
Creating X.509 Security Profile
Creating Security Profile
Importing Endpoint CA Root Certificate into SMP Keystore by X.509 Authentication
Create LDAP Security Profile
Verify User Authentication
Creating an Application
Verify Basic Security Authentication
Verify SSO2 Authentication
Check the SSO2 Prerequisites
Importing Portal CA Root Certificate into SMP Keystore
Using Web Browser REST Client to Test
Verify LDAP Authentication
Add User to LDAP Server
Using Web Browser REST Client to Test
Verify X.509 Security Authentication
Setup SSO with X.509 for Endpoint Server
Adding the Root CA of the User Certificates to the Server Trust Store
Mapping User Certificate to System User
Configuring ICM Parameter in Endpoint Server
Mapping User Certificate to Impersonator Role
Using Web Browser REST Client to Test
3.4 Single Sign-on for Agentry
Check the SSO2 Prerequisites
Importing Portal CA Root Certificate into SMP Keystore
Changing Agentry Security Profile to Add SSO2 Authentication Provider
Configuring SSO2 in the JavaBE.Ini File
Check SSO2 in Agentry Clients
4 Appendix
Importing CA Root Certificates
Importing a CA Root Certificate into Windows
Importing a CA Root Certificate into IOS
Importing a CA Root Certificate into Android
1 Purpose

The Enterprise Mobility Solution enhances the business processes, communication channels, and reach of customers. At the same time, however, it also increases the security concerns. Before mobility, enterprise security primarily focused on the firewall and limited access to digital assets to only those users authenticated within the Enterprise Information System (EIS).

SAP Mobile Platform deployment introduces a multilayer approach to corporate security designed for mobility. It ensures that internal and external device users can securely connect to enterprise information systems, and that every network link that transfers corporate information and every location that stores enterprise data guarantees confidentiality.

In this building block we introduce the security-related configuration in SAP Mobile Platform, including user authentication, landscape security, networking security, and so on.
2 Preparation

2.1 Prerequisites

All components of the environment related to the SAP Mobile Platform are installed.

Add system environment variables:

    SMP_HOME = SMP installation folder, for example /SAP/MobilePlatform3
    JAVA_HOME = The JDK in SMP installation folder, for example /SAP/MobilePlatform3/sapjvm_7
    Path = $JAVA_HOME/bin;$SMP_HOME/Server/bin;Path
3

3.1 Securing Your Mobile Landscape

In a mobile scenario it is important to think about securing your data. Especially outside your internal network, you should encrypt the transferred data as well as the connection itself. The following guide describes what you have to do to secure your mobile landscape, starting from the device, over the reverse proxy, SMP and the gateway, to the SAP backend.

SMP and its apps use a pure REST-based HTTP/S channel to transfer data from the device over the relay server to SMP. The REST-based HTTP channel was introduced in SMP 3.0 and provides a REST interface which can be called via normal HTTP requests. In principle, every HTTP-enabled SDK can be used to develop this kind of application.

SAP recommends securing your network connections using SSL/TLS, for example to avoid a Man-in-the-Middle attack, where an attacker could exchange or manipulate the public RSA key from SMP, which is exchanged during the first connection of app and SMP. This situation can be avoided by using Afaria and pulling the public key using the Afaria Static Link Library, by enrolling the app in a safe/trusted environment (for example a trusted connection in your local LAN), or by using HTTPS. In the next sections you will see how 1-way HTTPS can be used to secure your mobile landscape.

Enabling SMP HTTPS Ports

This section enables the HTTPS ports on SMP (by default 8081, 8082 and 8083). By default SMP uses a self-signed certificate, yet in a productive environment it should be replaced by a certificate signed by a CA. SMP uses the Java keystore smp_keystore.jks to store the private key and the signed certificate, and the alias smp_crt for HTTPS, so we need to use the Java keytool to replace the certificate.
The keystore password was set during installation. At any time you can check the status of your entry in the keystore using the following command:

    keytool -list -alias smp_crt -keystore .\smp_keystore.jks -v

You can refer to SAP Note for more background, operation instructions and troubleshooting.

Creating a Certificate Request for the SMP Server

1. In the SMP Server OS, stop the SMP Server.
2. Back up the default $SMP_HOME\Server\configuration\smp_keystore.jks and smp_crt.cer (if it exists).
3. Using Command Prompt, change directory to the configuration folder:

    cd $SMP_HOME\Server\configuration\

4. Delete the existing self-signed certificate (if it exists) from the keystore:

    keytool -keystore smp_keystore.jks -delete -alias smp_crt

   Note: If keytool is not in the PATH, it can be found in $SMP_HOME/sapjvm_7/bin or $SMP_HOME/sapjvm_7/jre/bin/keytool.

5. Create a new key in the keystore:
    keytool -keystore smp_keystore.jks -genkeypair -keyalg RSA -sigalg SHA1withRSA -validity <days> -ext BC:ca:true -alias smp_crt

   Note: You need to use SHA1withRSA because that is what the original smp_crt key was using, and because the keytool default (SHA1withDSA) does not work on iOS.

6. For the Command Prompt questions, input the server FQDN for "What is your first and last name?"; this will be the Common Name (CN) of the certificate as well. Input anything for the others, confirm CN=<FQDN> and then input yes.
7. Create a certificate signing request (CSR) from this new key:

    keytool -keystore smp_keystore.jks -certreq -file smp_crt.csr -alias smp_crt

Signing the Server Certificate

Submit your certificate request from smp_crt.csr to your Certificate Authority, and copy the certificate response as smp_crt.cer.

Importing the CA Root Certificate into SMP Keystore

1. In the SMP Server OS, copy the CA Root Certificate as $SMP_HOME\Server\configuration\root.cer
2. Import the CA Root Certificate into the keystore:

    keytool -keystore smp_keystore.jks -importcert -file root.cer -alias root

3. For the question "Trust this certificate?", input yes.

Note: If the CA root certificate is not imported into the keystore prior to the signed server certificate, you'll get an error.

Importing the Signed Server Certificate into SMP Keystore

1. In the SMP Server OS, copy the signed Server Certificate as $SMP_HOME\Server\configuration\smp_crt.cer
2. Import the signed Server Certificate into the keystore:

    keytool -keystore smp_keystore.jks -importcert -file smp_crt.cer -alias smp_crt

   There should be the response "Certificate reply was installed in keystore".
3. Restart the SMP Server.
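Added example (not part of the SAP guide): the key, CSR, CA reply and root-first sequence above is the same one the reverse proxy goes through later with openssl. This script runs it against a throwaway CA and checks what makes an import or an SSLCertificateFile fail: the reply belongs to the private key, it chains to the supplied root, and its CN is the server FQDN. The function names, the host smp.example.test and the throwaway CA are assumptions; all files are expected in PEM format.

```shell
#!/bin/sh
# Added example, not SAP's code. Function names and the throwaway CA are
# constructed for illustration; all inputs are PEM files.

# cert_cn CERT: print the subject Common Name (the guide puts the FQDN there).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# cert_sigalg CERT: print the algorithm the CA used to sign the certificate.
# The CA chooses it; the -sigalg passed to "keytool -genkeypair" only covers
# the self-signed placeholder that the CA reply later replaces.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# check_server_cert KEY CERT CA_ROOT FQDN
# Returns 0 when the certificate is usable, otherwise:
#   2  a file could not be parsed
#   10 CERT does not carry the public key of KEY
#   11 CERT does not chain to CA_ROOT
#   12 the CN differs from FQDN
check_server_cert() {
    csc_cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    csc_key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    if [ "$csc_cert_pub" != "$csc_key_pub" ]; then
        echo "certificate does not belong to this private key" >&2
        return 10
    fi
    if ! openssl verify -CAfile "$3" "$2" >/dev/null 2>&1; then
        echo "certificate does not chain to the supplied root" >&2
        return 11
    fi
    if [ "$(cert_cn "$2")" != "$4" ]; then
        echo "CN is '$(cert_cn "$2")', expected '$4'" >&2
        return 12
    fi
    return 0
}

# build_constructed_chain DIR FQDN
# Creates a throwaway root (root.cer), then the key, CSR and signed reply
# (proxy.key, proxy.csr, proxy.cer) using the same request command as the
# reverse proxy step of the guide.
build_constructed_chain() {
    (
        cd "$1" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout ca.key -out root.cer -subj "/CN=Constructed Test CA" &&
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout proxy.key -out proxy.csr -subj "/CN=$2" &&
        openssl x509 -req -in proxy.csr -CA root.cer -CAkey ca.key \
            -CAcreateserial -sha256 -days 1 -out proxy.cer
    ) >/dev/null 2>&1
}

# Run "sh thisfile demo" to see the checks pass on a constructed chain.
if [ "${1:-}" = "demo" ]; then
    demo_dir=$(mktemp -d) &&
    build_constructed_chain "$demo_dir" smp.example.test &&
    check_server_cert "$demo_dir/proxy.key" "$demo_dir/proxy.cer" \
        "$demo_dir/root.cer" smp.example.test &&
    echo "usable, signed with $(cert_sigalg "$demo_dir/proxy.cer")"
    rm -rf "$demo_dir"
fi
```

For the SMP keystore itself the private key stays inside smp_keystore.jks, so only the chain and CN checks apply to smp_crt.cer; keytool performs the key match when it installs the reply.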
3.1.2 Enable Access HTTPS Endpoint

Importing Endpoint CA Root Certificate into SMP Keystore

1. In the SMP Server OS, copy the Endpoint CA Root Certificate as $SMP_HOME\Server\configuration\endpoint_root.cer
2. Import the CA Root Certificate into the keystore:

    keytool -keystore smp_keystore.jks -importcert -file endpoint_root.cer -alias endpoint_root

3. For the question "Trust this certificate?", input yes.
4. Restart the SMP Server.

Using Reverse Proxies

A reverse proxy that is used with SAP Mobile Platform must be a straight pass-through proxy server. Ensure that any reverse proxy used:

1. Does not change the content encoding of requests or responses. Chunked transfer encoding is the required data transfer mechanism. Content-length encoding is not supported.
2. Does not remove any HTTP headers.
3. Sets a timeout period, if used, that is greater than the timeout used by the clients.
4. Passes the resulting URL to SAP Mobile Platform Server in the form http(s)://<server>:<port>

Using Apache Reverse Proxy for Native and Hybrid Apps

Agentry apps in SMP 3.0 use web socket over HTTPS. Apache Reverse Proxy supports web socket via the module mod_proxy_wstunnel from version 2.4.5, yet we did not verify it with SMP.

Install and Configure Apache Reverse Proxy

1. Download Apache HTTP Server and install it on the DMZ server. Below, this folder is referred to as $Apache_Home.
2. Edit \conf\httpd.conf in the Apache installation folder.
3. Uncomment these lines to load the headers module and the required SSL and proxy modules:

    LoadModule headers_module modules/mod_headers.so
    LoadModule ssl_module modules/mod_ssl.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    Include conf/extra/httpd-ssl.conf

   The three proxy_* modules are required by the three proxy modes: HTTP, one-way HTTPS, and two-way HTTPS. The ssl_module is required by both HTTPS proxy modes. The headers_module is required by the two-way HTTPS proxy mode.

4. Also add the following lines to httpd.conf:

    # Prevent Apache from acting like a forward proxy
    ProxyRequests Off
    # Set TCP/IP network buffer size for better throughput (bytes)
    ProxyReceiveBufferSize <bytes>

5. Add these lines to enable port 8080 as an HTTP proxy:

    ##############################
    Listen 8080
    <VirtualHost *:8080>
        ServerName <DMZServer>
        ErrorLog "$Apache_Home/logs/error.log"
        TransferLog "$Apache_Home/logs/access.log"
        <Location />
            ProxyPass
            ProxyPassReverse
        </Location>
    </VirtualHost>
    ##############################

6. Validate the configuration by opening a browser and testing the URL:

Configure 1-Way HTTPS for Apache Reverse Proxy

1. Use the command below to generate a certificate request and the key that the Apache server needs to handle SSL connections:

    openssl req -new -newkey rsa:2048 -nodes -keyout proxy.key -out proxy.csr -subj "/CN=<DMZServer>"

2. Use the Certificate Request server.csr to request a certificate from the Certificate Authority, save the response as server.cer and copy it into \conf\proxy.cer.
3. Open $Apache_Home\conf\extra\httpd-ssl.conf and perform the following modifications:
   - Uncomment the following line:

    SSLSessionCache dbm:$Apache_Home/logs/ssl_scache

   - Comment out the following line:

    SSLSessionCache shmcb:$Apache_Home/logs/ssl_scache(512000)

4. Replace <DMZServer> with your own value, and add these lines to enable port 8081 as a one-way HTTPS proxy:

    ##############################
    Listen 8081
    <VirtualHost *:8081>
        ServerName <DMZServer>
        # activate HTTPS on the reverse proxy
        SSLEngine on
        SSLCertificateFile proxy.cer
        SSLCertificateKeyFile proxy.key
        SSLCertificateChainFile proxy-ca.cer
        SSLProxyEngine On
        SSLProxyCACertificateFile smp-ca.cer
        <Location />
            ProxyPass
            ProxyPassReverse
        </Location>
    </VirtualHost>

Configure 2-Way (Mutual) HTTPS for Apache Reverse Proxy

1. Run the commands below to merge the certificate and the key into one .pem file, so that Apache Reverse Proxy can also act as a client to the backend SMP server:

    openssl pkcs12 -export -in proxy.cer -inkey proxy.key -out proxy.p12
    openssl pkcs12 -in proxy.p12 -nodes -out proxy.pem

   Note: A possible bug in Apache Reverse Proxy can cause the .pem file not to work. In that case, use a text editor to change PRIVATE KEY to RSA PRIVATE KEY in it.

2. Copy the root certificate of the User Certificates as user-ca.cer to the DMZ server.
3. Edit httpd.conf as below; the delta parts to 1-way HTTPS are in bold:

    Listen 8082
    <VirtualHost *:8082>
        SSLEngine on
        SSLCertificateFile proxy.cer
        SSLCertificateKeyFile proxy.key
        SSLCertificateChainFile proxy-ca.cer
        SSLCACertificateFile user-ca.cer
        SSLVerifyClient optional
        SSLVerifyDepth 10
        SSLProxyEngine On
        SSLProxyCACertificateFile smp-ca.cer
        SSLProxyMachineCertificateFile proxy.pem
        RequestHeader set SSL_CLIENT_CERT ""
        RequestHeader set SSL_CLIENT_S_DN ""
        RequestHeader set SSL_CLIENT_I_DN ""
        <Location />
            RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
            RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
            RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
            ProxyPass
            ProxyPassReverse
        </Location>
    </VirtualHost>

4. Save \conf\httpd.conf and then restart the Apache Reverse Proxy service.

Using Nginx Reverse Proxy for Agentry Apps

As of Nginx 1.7.4, it still does not support mutual authentication with backend HTTPS upstream servers, so it cannot be used for SMP port

Install and Configure Nginx as a Reverse Proxy

Since the Agentry server can only be HTTPS, you must also configure Nginx as HTTPS.

1. Download the Stable version and extract it to the DMZ server. Below, this folder is referred to as $Nginx_Home. If you install on a Linux server, first install the PCRE library (required for the HTTP rewrite module), the zlib library (required for the HTTP gzip module) and the OpenSSL library.
2. Edit $Nginx_Home\conf\nginx.conf, make the changes below and save the file.

    ...
    server {
        listen 8080;
        server_name <DMZServer>;

3. Start Nginx.
4. In Web Browser, access you'll see the Welcome page.
5. Use the openssl command to generate a certificate request and the key that the Nginx server needs to handle SSL connections.

    cd $Nginx_Home
    openssl req -new -newkey rsa:2048 -nodes -keyout proxy.key -out proxy.csr -subj "/CN=<DMZServer>"

6. Use the Certificate Request server.csr to request a certificate from the Certificate Authority, save the response as server.cer and copy it as proxy.cer to the DMZ server.
7. Edit nginx.conf, make the changes below and save the file.

    # HTTPS server
    upstream smp {
        server <SMPServer1>:8081;
        server <SMPServer2>:8081;
    }
    server {
        listen 8081 ssl;
        server_name <DMZServer>;
        ssl_certificate proxy.cer;
        ssl_certificate_key proxy.key;
        ssl_session_cache shared:ssl:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            root html;
            index index.html index.htm;
            proxy_pass
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            # Go to the next upstream server if this one is down.
            proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
            proxy_connect_timeout 5s;
        }
    }

8. Start Nginx, and access to verify

Starting, Stopping, and Reloading

Once Nginx is started, it can be controlled by invoking the executable with the -s parameter.

    nginx -s signal

Where signal may be one of the following:
o stop - fast shutdown
o quit - graceful shutdown
o reload - reloading the configuration file
o reopen - reopening the log files

In particular, after you change nginx.conf, run nginx -s reload to reload the configuration.

Integrating SMP Admin with LDAP

You can configure Management Cockpit to authenticate user logins through an LDAP server; you can then use a domain user account to log in to Management Cockpit. The steps below use Windows Active Directory as an example. Windows AD groups are treated as Physical Roles, they are mapped to the underlying SMP Logical Roles, and Management Cockpit access is controlled by Logical Roles.
Adding LDAP Authentication to Admin Security

1. In Management Cockpit, choose SETTINGS > SECURITY PROFILES, and choose admin (Cannot be deleted).
2. Under Authentication Providers, choose New.
3. On the Add Authentication Provider dialog box, create the following settings, keep the defaults for the other attributes, and then choose Save.

    Field Name: Value
    Authentication Providers: Directory Service(LDAP/AD)
    Control Flag: Sufficient
    Server Type: msad2k for Windows Active Directory
    Provider URL: LDAP host, for example ldap://<ldapserver>:389
    Initial Context Factory: com.sun.jndi.ldap.LdapCtxFactory
    Bind DN: Must be a valid DN (distinguished name) that uniquely identifies a user in the organization who has authority to search in the LDAP. For example [email protected]
    Bind Password: Password of the above domain user
    Referral: follow
    Authentication Method: Simple
    Digest MD5 Authentication Format: DN
    Default Search Base: Used if the entry cannot be found in the Authentication/Role Search Base. For example DC=dev101,DC=dev-wdf,DC=sap,DC=corp
    Authentication Filter: For example (&(samaccountname={uid})(objectclass=user))
        1. (samaccountname={uid}): the samaccountname attribute should match the user name that has been entered.
        2. (objectclass=user): only consider object classes of type user. Objectclass is an attribute of an object class.
        3. (&(..)(..)): both conditions 1 and 2 must be true.
    Authentication Scope: Subtree
    Authentication Search Base: LDAP user search path, for example CN=Users,DC=dev101,DC=dev-wdf,DC=sap,DC=corp
    Use User Account Control Attribute: TRUE
    Role Search Base: LDAP role search path, for example CN=Users,DC=dev101,DC=dev-wdf,DC=sap,DC=corp
    Role Scope: Subtree
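Added example (not part of the SAP guide): before saving the provider, the same settings can be tried against the directory with OpenLDAP's ldapsearch. The script expands the Authentication Filter the way the table describes, escaping the entered user name per RFC 4515 so that it stays a value inside condition 1, and prints the matching ldapsearch command. The function names and the example.test values are assumptions; the same filter is used again for the ldap security profile later in this guide.

```shell
#!/bin/sh
# Added example, not SAP's code. Function names are hypothetical and the
# example.test values are constructed.

# ldap_escape VALUE
# RFC 4515 escaping of the characters that carry meaning inside a filter:
# backslash (first, so later escapes are not escaped again), asterisk and
# both parentheses.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# expand_filter TEMPLATE USER
# Replaces the {uid} placeholder of the Authentication Filter with the
# escaped user name.
expand_filter() {
    case $1 in
        *\{uid\}*) ;;
        *) echo "template has no {uid} placeholder" >&2; return 1 ;;
    esac
    ef_pre=${1%%\{uid\}*}     # text before the placeholder
    ef_post=${1#*\{uid\}}     # text after the placeholder
    printf '%s%s%s\n' "$ef_pre" "$(ldap_escape "$2")" "$ef_post"
}

# filter_shape FILTER
# Prints only the parentheses. After escaping, the shape of the expanded
# filter must equal the shape of the template, whatever name was entered.
filter_shape() {
    printf '%s' "$1" | tr -cd '()'
}

# shq VALUE: single-quote a value so the printed command can be pasted.
shq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# ldapsearch_command URL BIND_DN SEARCH_BASE TEMPLATE USER
# Maps the provider fields onto ldapsearch options:
#   Authentication Method Simple  -> -x
#   Provider URL                  -> -H
#   Bind DN                       -> -D
#   Bind Password                 -> -W (prompted, never on the command line)
#   Authentication Search Base    -> -b
#   Authentication Scope Subtree  -> -s sub
#   Authentication Filter         -> the search filter
ldapsearch_command() {
    lc_filter=$(expand_filter "$4" "$5") || return 1
    printf 'ldapsearch -x -H %s -D %s -W -b %s -s sub %s sAMAccountName memberOf\n' \
        "$(shq "$1")" "$(shq "$2")" "$(shq "$3")" "$(shq "$lc_filter")"
}

# Run "sh thisfile demo" to print the command for a constructed user.
if [ "${1:-}" = "demo" ]; then
    ldapsearch_command 'ldap://ldap.example.test:389' 'svc-smp@example.test' \
        'CN=Users,DC=example,DC=test' \
        '(&(samaccountname={uid})(objectclass=user))' 'jdoe'
fi
```

A result with exactly one entry, and the expected groups in memberOf, confirms the search base, scope and filter before they are entered in Management Cockpit.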
Mapping Logical Roles to LDAP Roles

1. Navigate to the SMP_HOME\Server\configuration\com.sap.mobile.platform.server.security\CSI\adminrole-mapping.xml file.
2. Edit the file to assign your required physical roles to the corresponding logical roles. For example, if you have a physical role of Engineering in an LDAP environment, edit the mapping file to assign the mapped name of Engineering to the appropriate logical role:

    <DefaultMapping>
        <LogicalName>Administrator</LogicalName>
        <MappedName>Administrator</MappedName>
        <MappedName>Engineering</MappedName>
    </DefaultMapping>

   Note: If there is no physical role or group called Administrator, the mapping should be deleted so that an extra role check can be avoided to speed up the authorization checks.

3. Save the file.
4. Restart the server.
5. Log in to the Management Cockpit to verify the configuration.

Note: Be sure to understand your groups of users so you map only the roles intended for the security profile. Mapping large groups risks including more users than necessary in your security profile. To mitigate this risk, consider using the UserRoleAuthorizer feature to provide improved security by defining a specific user, and not a group, in LDAP. This technique is required for certificate-based authentication.

3.2 Enabling User Authentication

Enable authentication for device user logins by creating a new security configuration and then assigning it. Agentry applications actually use the default security profile. In order to test the user authentication, we need to create some applications. Create an application definition that enables you to manage the application using Management Cockpit. The application definition includes a unique application identifier, connections to the back-end data source, security profile settings, and additional application-specific options.

Creating Agentry Security Profile

1. In Management Cockpit, choose the SETTINGS tab.
2. On the SECURITY PROFILES sub-tab, choose New.
3. On the Edit Security Profile dialog box, input Name as agentry, and then choose New.
4. On the Add Authentication Provider dialog box, choose No Authentication Challenge, and then choose Create.
5. On the next screen, choose Save.
6. On the Edit Security Profile dialog box, choose Save. Confirm agentry appears in the Security Profiles list.
3.2.2 Creating Basic Security Profile

1. In Management Cockpit, choose the SETTINGS tab.
2. On the SECURITY PROFILES sub-tab, choose New.
3. On the Edit Security Profile dialog box, input Name as basic, and then choose Add.
4. On the Add Authentication Provider dialog box, choose No Authentication Challenge, and then choose Create.
5. On the next screen, choose Save.
6. On the Edit Security Profile dialog box, choose Save. Confirm basic appears in the Security Profiles list.

Creating SSO2 Security Profile

1. In Management Cockpit, choose the SETTINGS tab.
2. On the SECURITY PROFILES sub-tab, choose New.
3. On the Edit Security Profile dialog box, input Name as sso2, and then choose Add.
4. On the Add Authentication Provider dialog box, choose HTTP/HTTPS Authentication, and then choose Create.
5. On the Authentication Provider Settings HTTP/HTTPS Authentication screen, input URL as and then choose Save.
6. If using SAP Logon Tickets as SSO provider, also input SSO Cookie Name as MYSAPSSO2.
7. On the Edit Security Profile dialog box, choose Save.

Creating X.509 Security Profile

Creating Security Profile

1. In Management Cockpit, choose the SETTINGS tab.
2. On the SECURITY PROFILES sub-tab, choose New.
3. On the Edit Security Profile dialog box, input Name as x509, and then choose Add.
4. On the Add Authentication Provider dialog box, create the following settings, keep the defaults for the other attributes, and then choose Save.

    Field Name: Value
    Authentication Providers: x.509 User Certificate
    Control Flag: optional
    Validated Certificate Is Identity: true
    Validate Cert Path: true

5. On the Edit Security Profile dialog box, choose Save. Confirm x509 appears in the Security Profiles list.
Importing Endpoint CA Root Certificate into SMP Keystore by X.509 Authentication

The premise is already established in endpoint X.509 authentication. Export user CA root certificate.

1. In the SMP Server OS, copy the User CA Root Certificate as $SMP_HOME\Server\configuration\user_root.cer
2. Import the CA Root Certificate into the keystore:

    keytool -keystore smp_keystore.jks -importcert -file user_root.cer -alias user_root

3. For the question "Trust this certificate?", input yes.
4. Restart the SMP Server.

Create LDAP Security Profile

1. In Management Cockpit, choose the SETTINGS tab.
2. On the SECURITY PROFILES sub-tab, choose New.
3. On the Edit Security Profile dialog box, input Name as ldap, and then choose Add.
4. On the Add Authentication Provider dialog box, create the following settings, keep the defaults for the other attributes, and choose Save.

    Field Name: Value
    Authentication Providers: Directory Service(LDAP/AD)
    Control Flag: Sufficient
    Server Type: msad2k for Windows Active Directory
    Provider URL: LDAP host, for example ldap://<ldapserver>:389
    Initial Context Factory: com.sun.jndi.ldap.LdapCtxFactory
    Bind DN: Must be a valid DN (distinguished name) that uniquely identifies a user in the organization who has authority to search in the LDAP. For example [email protected]
    Bind Password: Password of the above domain user
    Referral: follow
    Authentication Method: Simple
    Digest MD5 Authentication Format: DN
    Default Search Base: Used if the entry cannot be found in the Authentication/Role Search Base. For example DC=dev101,DC=dev-wdf,DC=sap,DC=corp
    Authentication Filter: For example (&(samaccountname={uid})(objectclass=user))
        1. (samaccountname={uid}): the samaccountname attribute should match the user name that has been entered.
        2. (objectclass=user): only consider object classes of type user. Objectclass is an attribute of an object class.
        3. (&(..)(..)): both conditions 1 and 2 must be true.
    Authentication Scope: Subtree
    Authentication Search Base: LDAP user search path, for example CN=Users,DC=dev101,DC=dev-wdf,DC=sap,DC=corp
    Use User Account Control Attribute: TRUE
    Role Search Base: LDAP role search path, for example CN=Users,DC=dev101,DC=dev-wdf,DC=sap,DC=corp
    Role Scope: Subtree

5. On the Edit Security Profile dialog box, choose Save. Confirm basic appears in the Security Profiles list.

3.3 Verify User Authentication

Creating an Application

1. In Management Cockpit, choose the Applications tab.
2. On the APPLICATIONS sub-tab, choose New.
3. In the New Application window, enter:

    Field Name: Value
    ID: Unique identifier for the application, in reverse domain notation. For example: com.sap.app
    Name: Application name. For example: Test Auth
    Vendor: (Optional) Vendor who developed the application.
    Type: Application type. For example: Hybrid
    Description: (Optional) Short description of the application.

4. Choose Save.
5. In the application configuration panel, choose the BACK END tab.
6. Enter values:
    Field Name: Value
    Endpoint: The URL (back-end connection, or service document) the application uses to access business data on the back-end system or service. Examples:
    Use System Proxy: (Optional) Whether to use system proxy settings in the SAP Mobile Platform props.ini file to access the back-end system. For example: false
    Rewrite URL: (Optional) Whether to mask the back-end URL with the equivalent SAP Mobile Platform Server URL. For example: true
    Allow Anonymous Access: (Optional) Whether to enable anonymous access, which means the user can access the application without entering a user name and password. For example: false
    Maximum Connections: The number of back-end connections that are available for connection pooling for this application. For example: 500
    Certificate Alias: If the back-end system has a mutual SSL authentication requirement, supply the certificate alias name given to the private key and technical user certificate that is used to access the backend system. The alias is located in smp_keystore. The default certificate alias name is smp_crt.

7. Choose Authentication tab.
8. Choose Save. Confirm this application appears in the Applications list.

Verify Basic Security Authentication

1. In Management Cockpit, choose the Applications tab.
2. On the APPLICATIONS sub-tab, choose the application you created in the previous section (for example: com.sap.app).
3. Choose EXISTING PROFILE sub-tab.
4. Select basic from Name.
5. Choose Save and confirm update.
6. Open RESTClient Tool from your Chrome or Firefox browser.
7. Enter values:

    Field Name: Value
    URL:
    Methods: POST
    Header:
        Authorization: Basic<Username+password>
        Content-Type: application/atom+xml; charset=utf-8
        X-SMP-APPCID: <Unique string>
        Note: <Unique string> must not already be registered in SMP. If it is already registered, delete it in SMP and then use it. The following body uses it.
    Body:
        <?xml version="1.0" encoding="utf-8"?>
        <entry xmlns=" xmlns:m=" xmlns:d="
        <category term="applications.connection" scheme="
        <content type="application/xml">
        <m:properties>
        <d:applicationconnectionid><Unique string></d:applicationconnectionid>
        <d:devicetype>iphone</d:devicetype>
        </m:properties>
        </content>
        </entry>

8. Choose Send to get the response from RESTClient tool. You will get status 201 Created in the response. Now you have established a connection with SMP.
9. Get some data from the Endpoint. Enter values:

    Field Name: Value
    URL:
    Methods: GET
    Header:
        Authorization: Basic<Username+password>
        Content-Type: application/atom+xml; charset=utf-8
        X-SMP-APPCID: <Unique string>
        Accept: application/xml,application/atom+xml

10. Choose Send to get the response from RESTClient tool. You will get status 200 OK in the response.
3.3.3 Verify SSO2 Authentication

Check the SSO2 Prerequisites

As the prerequisite, we need to configure the SAP Enterprise Portal to issue Logon Tickets as described in Application Help > Function-Oriented View > Security > User Authentication and Single Sign-On > Integration in Single Sign-On (SSO) Environments > Single Sign-On for Web-Based Access > Using Logon Tickets > Using Logon Tickets with AS Java > Configuring the AS Java to Issue Logon Tickets; and also configure the SAP Back-End to accept Logon Tickets as described in Application Help > Function-Oriented View > Security > User Authentication and Single Sign-On > Integration in Single Sign-On (SSO) Environments > Single Sign-On for Web-Based Access > Using Logon Tickets > Using Logon Tickets with AS ABAP > Configuring AS ABAP to Accept Logon Tickets. Then we can use a web browser to check.

1. In the web browser, remove the cookie MYSAPSSO2 if it exists.
2. Access input the username and password; after login, check that the MYSAPSSO2 cookie appears.
3. Do not close the web browser. Access a Back-End link, for example you will log in to it directly, without needing to input username/password.

Importing Portal CA Root Certificate into SMP Keystore

1. In the SMP Server OS, copy the CA Root Certificate as $SMP_HOME\Server\configuration\portalroot.cer
2. Import the CA Root Certificate into the keystore:

    keytool -keystore smp_keystore.jks -importcert -file portalroot.cer -alias portalroot

3. For the question "Trust this certificate?", input yes.

Using Web Browser REST Client to Test

1. In Management Cockpit, choose the Applications tab.
2. On the APPLICATIONS sub-tab, choose the application you created in the previous section (for example: com.sap.app).
3. Choose EXISTING PROFILE sub-tab.
4. Select sso2 from Name.
5. Choose Save and confirm update.
6. Open RESTClient Tool from your Chrome or Firefox browser.
7. Enter values:

    Field Name: Value
    URL:
    Methods: POST
    Header:
        Authorization: Basic<Username+password>
        Content-Type: application/atom+xml; charset=utf-8
        X-SMP-APPCID: <Unique string>
        Note: <Unique string> must not already be registered in SMP. If it is already registered, delete it in SMP and then use it. The following body uses it.
    Body:
        <?xml version="1.0" encoding="utf-8"?>
        <entry xmlns=" xmlns:m=" xmlns:d="
        <category term="applications.connection" scheme="
        <content type="application/xml">
        <m:properties>
        <d:applicationconnectionid><Unique string></d:applicationconnectionid>
        <d:devicetype>iphone</d:devicetype>
        </m:properties>
        </content>
        </entry>

8. Choose Send to get the response from RESTClient tool. You will get status 201 Created in the response. Now you have established a connection with SMP.
9. Get some data from the Endpoint. Enter values:

    Field Name: Value
    URL:
    Methods: GET
    Header:
        Authorization: Basic<Username+password>
        Content-Type: application/atom+xml; charset=utf-8
        X-SMP-APPCID: <Unique string>
        Accept: application/xml,application/atom+xml

10. Choose Send to get the response from RESTClient tool. You will get status 200 OK in the response.

Verify LDAP Authentication

Add User to LDAP Server

1. Log in to the LDAP server.
2. Open Start > Administrative Tools > Active Directory Users and Computers > Users.
3. Choose the Add user icon.
4. Fill in First name and User logon name using the Endpoint user name.
5. Choose Next.
6. Fill in Password and Confirm password using the Endpoint user password, and deselect User must change password at next logon.
7. Choose Next.
8. Choose Finish.

Using Web Browser REST Client to Test

1. In choose the Applications tab.
2. On the APPLICATIONS sub-tab, choose the application you created in the previous section (for example: com.sap.app).
3. Choose the EXISTING PROFILE sub-tab.
4. Select ldap from Name.
5. Choose Save and confirm the update.
6. Open the RESTClient tool from your Chrome or Firefox browser.
7. Enter values:

    URL:
    Methods: POST
    Header:
        Authorization: Basic<Username+password>
        Content-Type: application/atom+xml; charset=utf-8
        X-SMP-APPCID: <Unique string>
    Note: <Unique string> must not be registered in SMP yet. If you have already registered it, delete it in SMP and then use it. The following body uses it.
    Body:
        <?xml version="1.0" encoding="utf-8"?>
        <entry xmlns=" xmlns:m=" xmlns:d="
        <category term="applications.connection" scheme="
        <content type="application/xml">
        <m:properties>
        <d:applicationconnectionid><unique string></d:applicationconnectionid>
        <d:devicetype>iphone</d:devicetype>
        </m:properties>
        </content>
        </entry>

8. Choose Send to get the response from the RESTClient tool. You will get status 201 Created in the response. You have now established a connection with SMP.
9. Get some data from the Endpoint. Enter values:

    URL:
    Methods: GET
    Header:
        Authorization: Basic<Username+password>
        Content-Type: application/atom+xml; charset=utf-8
        X-SMP-APPCID: <Unique string>
        Accept: application/xml,application/atom+xml

10. Choose Send to get the response from the RESTClient tool. You will get status 200 OK in the response.

Verify X.509 Security Authentication

Setup SSO with X.509 for Endpoint Server

This enables the Endpoint server (also an SAP NetWeaver Gateway system) to use single sign-on (SSO) authentication with X.509 certificates to confirm the logon credentials of a user.

Adding the Root CA of the User Certificates to the Server Trust Store

1. Log in to the Endpoint server.
2. Open the transaction STRUST.
3. Expand the folder SSL Server Standard and click the node named <SAP host>_<sid>_<instance No.>.
4. In the bottom panel Certificate, choose the Import Certificate button, and then input the file path of the root CA of the user certificate (for example, CA_FOR_USER.cer).
5. Choose Input (Enter).
6. Choose Add to Certificate List.
7. Choose Save (Ctrl + S).

Mapping User Certificate to System User

1. In the Endpoint server, open the transaction SM31 to maintain the mapping of certificate and system user.
1. Input VUSREXTID into the field Table/View.
2. Choose Maintain.
3. On the Determine Work Area: Entry dialog box, input DN into the field External ID Type.
4. Choose Continue (Enter).
5. Choose New Entries.
6. On the New Entries: Detail of Added Entries screen, maintain the following values (Field Name: User Action and Values):

    External ID: <The DN of the user certificate> (for example, CN=user_id, O=SAP, C=DE)
    User: <The mapped user in the SAP NW Gateway System> (for example, FIORI_USER)
    Activated: True

7. Choose Save (Ctrl + S).
8. Choose Back (F3).
9. Choose Save (Ctrl + S).

Configuring ICM Parameter in Endpoint Server

We also have to set the parameter icm/https/verify_client to 1 (allow) or 2 (require) to allow user authentication using an X.509 certificate.

1. Log in to the Endpoint server.
2. Access the transaction using the following navigation path: Transaction Code RZ10
3. Add the following parameters:

    icm/https/trust_client_with_subject = <subject of the Webdispatcher outbound SSL certificate>
    for example, icm/https/trust_client_with_subject = *
    icm/https/trust_client_with_issuer = <issuer of the Webdispatcher outbound SSL certificate>
    for example, icm/https/trust_client_with_issuer = CN=SERVER_CA, O=SAP, C=DE
    icm/https/verify_client = 1

4. Save and restart the SAP instance.

Mapping User Certificate to Impersonator Role

1. In in the LOGS tab, choose SETTINGS, and then set the Log Level of Security to info or lower.
2. After you access the server with a user certificate, you can check <UserName> in $SMP_HOME/Server/log/<SMPServer>-smp-server.log by searching for subject.getname()
3. Edit $SMP_HOME/Server/configuration/com.sap.mobile.platform.server.security/csi/x509-rolemapping.xml. This file appears after you have created the x509 security profile.
4. Change the entries from

    <DefaultMapping>
    <LogicalName>Impersonator</LogicalName>
    <MappedName>Impersonator</MappedName>
    </DefaultMapping>

   to

    <DefaultMapping>
    <LogicalName>Impersonator</LogicalName>
    <MappedName>user:<UserName></MappedName>
    </DefaultMapping>

By default, <UserName> is the DN of the user certificate. If you are using a reverse proxy and there is no network edge authentication for the reverse proxy, <UserName> is the DN of the reverse proxy. If you specify Certificate Attribute As Principal in the x509 security profile, <UserName> is that specified attribute, such as CN (Common Name). It is therefore best to check this value in the server log.

Using Web Browser REST Client to Test

1. In choose the Applications tab.
2. On the APPLICATIONS sub-tab, choose the application you created in the previous section (for example: com.sap.app).
3. Choose the EXISTING PROFILE sub-tab.
4. Select x509 from Name.
5. Choose the BACK END tab.
6. Enter value:

    Certificate Alias: If the back-end system has a mutual SSL authentication requirement, supply the certificate alias name given to the private key and technical user certificate that is used to access the back-end system. The alias is located in smp_keystore. Otherwise, leave the entry blank. For example: smp_crt
    Note: This alias must be an alias created in section Creating a Certificate Request for the SMP Server.

7. Choose Save and confirm the update.
8. Open the RESTClient tool from your Chrome or Firefox browser.
9. Enter values:

    URL:
    Methods: POST
    Header:
        Content-Type: application/atom+xml; charset=utf-8
        X-SMP-APPCID: <Unique string>
    Note: <Unique string> must not be registered in SMP yet. If you have already registered it, delete it in SMP and then use it. The following body uses it.
    Body:
        <?xml version="1.0" encoding="utf-8"?>
        <entry xmlns=" xmlns:m=" xmlns:d="
        <category term="applications.connection" scheme="
        <content type="application/xml">
        <m:properties>
        <d:applicationconnectionid><unique string></d:applicationconnectionid>
        <d:devicetype>iphone</d:devicetype>
        </m:properties>
        </content>
        </entry>

10. Choose Send to get the response from the RESTClient tool. When the system dialog box pops up asking you to select a certificate, select a user certificate. You will get status 201 Created in the response. You have now established a connection with SMP.
11. Get some data from the Endpoint. Enter values:

    URL:
    Methods: GET
    Header:
        Content-Type: application/atom+xml; charset=utf-8
        X-SMP-APPCID: <Unique string>
        Accept: application/xml,application/atom+xml

12. Choose Send to get the response from the RESTClient tool. You will get status 200 OK in the response.

3.4 Single Sign-on for Agentry

This step can only be done after you have created and deployed your Agentry application.

Note that the way this is configured is not technically SSO. The Client device logs into the Agentry Server using the supplied user name and password for the Agentry Client. You supply the user name and password to the Client. These get passed on to the Agentry Server, which then logs on to the Panel, and uses these same credentials. The Client does not have the SSO ticket, unlike in a true SSO configuration. The Agentry Server logs into the ticket portal and the portal issues the SSO cookie. The Agentry Server then sends the cookie to the SAP back end server as its back end credentials.

Check the SSO2 Prerequisites

As a prerequisite, configure the SAP Enterprise Portal to issue logon tickets, as described in Application Help > Function-Oriented View > Security > User Authentication and Single Sign-On > Integration in Single Sign-On (SSO) Environments > Single Sign-On for Web-Based Access > Using Logon Tickets > Using Logon Tickets with AS Java > Configuring the AS Java to Issue Logon Tickets. Also configure the SAP Back-End to accept logon tickets, as described in Application Help > Function-Oriented View > Security > User Authentication and Single Sign-On > Integration in Single Sign-On (SSO) Environments > Single Sign-On for Web-Based Access > Using Logon Tickets > Using Logon Tickets with AS ABAP > Configuring AS ABAP to Accept Logon Tickets. You can then check the setup in a web browser:

1. In the web browser, remove the cookie MYSAPSSO2 if it exists.
2. Access input the username and password; after login, check that the MYSAPSSO2 cookie appears.
3. Without closing the web browser, access the Config Panel link, for example End>:<Port>/sap/bc/webdynpro/syclo/core_config_wb?sap-client=<Client>&saplanguage=EN, you will be logged in directly, without having to enter a username and password.

Importing Portal CA Root Certificate into SMP Keystore

1. In the SMP Server OS, copy the CA Root Certificate as $SMP_HOME\Server\configuration\portalroot.cer
2. Import the CA Root Certificate into the keystore:

    keytool -keystore smp_keystore.jks -importcert -file portalroot.cer -alias portalroot

3. For the question "Trust this certificate?", input yes.

Changing Agentry Security Profile to Add SSO2 Authentication Provider

1. In choose the SETTINGS tab.
2. On the SECURITY PROFILES sub-tab, choose agentry.
3. On the Edit Security Profile dialog box, check that No Authentication Challenge already exists, and then choose New.
4. On the Add Authentication Provider dialog box, choose HTTP/HTTPS Authentication, and then choose Create.
5. On the Authentication Provider Settings HTTP/HTTPS Authentication screen, input URL as and then choose Save.
6. On the Edit Security Profile dialog box, choose Save.

Configuring SSO2 in the JavaBE.Ini File

1. In JavaBE.ini, in the section [LOGON_METHOD], change LOGON_METHOD=USER_AUTH_SSO
2. In the section [USER_AUTH_SSO], change PORTAL_URL=
3. Save JavaBE.ini and then restart the SMP Server. Confirm that the Work Manager application can be started.
3.4.5 Check SSO2 in Agentry Clients

In Agentry clients, input the username and password of the Portal Authentication Provider instead of those of the Back-End Business Suite. If you have already logged in with Back-End Business Suite credentials, the client was encrypted locally with that credential, so you should reset the client.
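The X.509 steps in section 3.3 (VUSREXTID mapping, ICM parameters, x509-rolemapping.xml) only work when the same certificate subject is written consistently in three places. The following check is an added example, not part of the SAP guide: the function names, the DN comparison rule (ignore spacing and attribute-type case) and the decision to report a wildcard subject as a finding are assumptions of this example, and the sample profile is constructed from the values shown above.

```python
import re
from xml.sax.saxutils import escape

# Constructed sample: the three ICM parameters with the example values from the page.
SAMPLE_PROFILE = """\
icm/https/trust_client_with_subject = *
icm/https/trust_client_with_issuer = CN=SERVER_CA, O=SAP, C=DE
icm/https/verify_client = 1
"""


def parse_profile(text):
    """Read 'name = value' profile lines; the value may itself contain '='."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def split_dn(dn):
    """Split a DN string into (TYPE, value) pairs. Commas escaped as '\\,' stay
    inside the value; multi-valued RDNs ('+') are out of scope for this example."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"not an attribute=value pair: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def normalize_dn(dn):
    """Comparison form: upper-case attribute types, no spaces around separators."""
    return ",".join(f"{attr}={value}" for attr, value in split_dn(dn))


def expected_username(subject_dn, principal_attr=None):
    """<UserName> as the page describes it: the whole DN by default, or the
    attribute chosen under 'Certificate Attribute As Principal' (for example CN)."""
    if principal_attr is None:
        return subject_dn
    wanted = principal_attr.upper()
    for attr, value in split_dn(subject_dn):
        if attr == wanted:
            return re.sub(r"\\(.)", r"\1", value)  # drop DN escaping
    raise KeyError(f"{principal_attr} not present in {subject_dn!r}")


def rolemapping_entry(username):
    """Render the DefaultMapping element for x509-rolemapping.xml, XML-escaped."""
    return (
        "<DefaultMapping>\n"
        "  <LogicalName>Impersonator</LogicalName>\n"
        f"  <MappedName>user:{escape(username)}</MappedName>\n"
        "</DefaultMapping>"
    )


def check_setup(profile_text, cert_subject, vusrextid_dn):
    """Return a list of findings; an empty list means the three places agree."""
    findings = []
    params = parse_profile(profile_text)
    if params.get("icm/https/verify_client") not in ("1", "2"):
        findings.append("icm/https/verify_client must be 1 (allow) or 2 (require)")
    if not params.get("icm/https/trust_client_with_issuer"):
        findings.append("icm/https/trust_client_with_issuer is not set")
    subject = params.get("icm/https/trust_client_with_subject")
    if not subject:
        findings.append("icm/https/trust_client_with_subject is not set")
    elif subject == "*":
        findings.append(
            "icm/https/trust_client_with_subject = * accepts any subject from the "
            "trusted issuer; pin it to the Web Dispatcher certificate subject"
        )
    if normalize_dn(cert_subject) != normalize_dn(vusrextid_dn):
        findings.append("certificate subject differs from the External ID in VUSREXTID")
    return findings


if __name__ == "__main__":
    cert_subject = "CN=user_id,O=SAP,C=DE"  # constructed, as read from the server log
    for finding in check_setup(SAMPLE_PROFILE, cert_subject, "CN=user_id, O=SAP, C=DE"):
        print("FINDING:", finding)
    print(rolemapping_entry(expected_username(cert_subject, "CN")))
```

The value passed as the certificate subject should be the one found in the server log, as step 2 of Mapping User Certificate to Impersonator Role recommends.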
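The three REST Client tests in section 3.3 (sso2, ldap and x509 profiles) send the same two requests: a POST that registers the connection and a GET that reads data with the same X-SMP-APPCID. As an added example that is not part of the SAP guide, this script builds both requests with the Python standard library. Both URLs are caller-supplied placeholders because the transcription dropped them, and the Atom/OData namespace URIs and the property casing `ApplicationConnectionId` / `DeviceType` are assumptions of this example; all function names are hypothetical.

```python
import base64
import ssl
import urllib.request
import uuid
import xml.etree.ElementTree as ET

# Assumed namespace URIs (standard Atom and OData); the page's copy lost them.
ATOM = "http://www.w3.org/2005/Atom"
M = "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
D = "http://schemas.microsoft.com/ado/2007/08/dataservices"
ET.register_namespace("", ATOM)
ET.register_namespace("m", M)
ET.register_namespace("d", D)


def basic_auth(user, password):
    """Authorization header value: 'Basic ' + Base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def new_appcid():
    """A fresh <Unique string>, so it cannot collide with a registered connection."""
    return uuid.uuid4().hex


def registration_body(appcid, device_type="iPhone"):
    """Atom entry for the registration POST, with the same fields as the page's body."""
    entry = ET.Element(f"{{{ATOM}}}entry")
    ET.SubElement(entry, f"{{{ATOM}}}category",
                  term="applications.connection", scheme=D + "/scheme")
    content = ET.SubElement(entry, f"{{{ATOM}}}content", type="application/xml")
    props = ET.SubElement(content, f"{{{M}}}properties")
    ET.SubElement(props, f"{{{D}}}ApplicationConnectionId").text = appcid
    ET.SubElement(props, f"{{{D}}}DeviceType").text = device_type
    return ET.tostring(entry, encoding="utf-8", xml_declaration=True)


def build_requests(registration_url, data_url, appcid, authorization=None):
    """Return (POST, GET). Pass authorization=None for the x509 profile, where
    the TLS client certificate identifies the user instead of a header."""
    common = {
        "Content-Type": "application/atom+xml; charset=utf-8",
        "X-SMP-APPCID": appcid,
    }
    if authorization:
        common["Authorization"] = authorization
    register = urllib.request.Request(
        registration_url, data=registration_body(appcid), headers=common, method="POST")
    fetch = urllib.request.Request(
        data_url, method="GET",
        headers={**common, "Accept": "application/xml,application/atom+xml"})
    return register, fetch


def tls_context(ca_file=None, client_cert=None, client_key=None):
    """Verify the server against ca_file; add a client certificate for x509."""
    context = ssl.create_default_context(cafile=ca_file)
    if client_cert:
        context.load_cert_chain(client_cert, client_key)
    return context


def run_check(register, fetch, context):
    """Send both requests; True only for 201 on registration and 200 on the read."""
    statuses = []
    for request in (register, fetch):
        with urllib.request.urlopen(request, context=context, timeout=30) as response:
            statuses.append(response.status)
    return statuses == [201, 200]


if __name__ == "__main__":
    # Placeholder URLs and credentials; replace them with the values from your landscape.
    reg, get = build_requests("https://smp.example.invalid/REGISTRATION-URL",
                              "https://smp.example.invalid/DATA-URL",
                              new_appcid(), basic_auth("user", "password"))
    print(reg.get_method(), reg.full_url)
    print(reg.data.decode("utf-8"))
    print(get.get_method(), get.full_url)
```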
4 Appendix

This section describes some useful ways to handle certificates.

4.1 Importing CA Root Certificates

Importing a CA Root Certificate into Windows

If you check the properties of a certificate and see the status "The issuer of this certificate could not be found." on the Certification path tab, you may have forgotten to import the Root CA certificate into your computer's certificate store. Download the Root CA certificate (usually a .cer or .crt file) to your computer and follow the steps below.

1. Open Start > Run and execute certmgr.msc.
2. In the tree, navigate to the Trusted Root Certification Authorities node.
3. Right-click the node "Trusted Root Certification Authorities", choose All Tasks > Import, choose the downloaded Root CA certificate, and go through the Certificate Import Wizard by always clicking Next.
4. After that you should see your newly imported certificate under Trusted Root Certification Authorities > Certificates.

Importing a CA Root Certificate into iOS

Apple provides the iPhone Utility free of charge. This utility can be used to create profiles with attached certificates. These profiles can be installed on an iDevice which is connected via cable.

1. Download the iPhone Utility for Windows or for Mac.
2. Install the utility and start it.
3. Connect your iPhone or iPad to your computer.
4. In the utility, click Profiles, listed under Library.
5. Click the New button to create a new profile.
6. Specify a display name (for example NewProfileForCACert) and a unique identifier (for example com.test.ca).
7. Scroll down and choose Credentials from the property list.
8. Click Configure and select the CA Root certificate. (If you cannot find your certificate here, make sure that you imported it to your computer's certificate store in advance as described in section Importing a CA Root Certificate into Windows.)
9. Select your device on the left side, listed under Devices.
10. Choose the tab Profiles and click the Install button beside your newly created profile. (Make sure that your device is unlocked, otherwise you will get an error message.)
11. Install the certificate on your device by clicking Install in the profile installation dialog and confirming the message that this certificate will be imported.
12. Verify that the certificate was imported by opening Settings / General / Profile on your device. (Here you can also remove the certificate if you no longer need it.)
Note: If you are using SAP Afaria in your mobile landscape, you can create a new Credentials Policy and push the certificate file onto Afaria-managed iOS devices.

Importing a CA Root Certificate into Android

Android lets the user import certificates from the phone's internal storage.

1. Copy the certificate file (.cer or .crt) from your computer to the root of your device's internal storage.
2. Open the Android Settings and go to Personal > Security > Credential storage > Install from storage.
3. Choose your certificate file and install it. (Only certificates that you have not installed before and that are placed in the root directory of the device's internal storage are displayed.)
4. Verify that the certificate was imported successfully by navigating in the Android Settings screen to Personal > Security > Credential storage > Trusted credentials.

Note: If you did not set up a pattern, PIN or password to protect your device, you will be prompted to set one up. After the certificate import, the certificate file in your root directory will be deleted.
SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see for additional trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations.
Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
Sophos Mobile Control SaaS startup guide. Product version: 6
Sophos Mobile Control SaaS startup guide Product version: 6 Document date: January 2016 Contents 1 About this guide...4 2 About Sophos Mobile Control...5 3 What are the key steps?...7 4 Change your password...8
User s guide. APACHE 2.0 + SSL Linux. Using non-qualified certificates with APACHE 2.0 + SSL Linux. version 1.3 UNIZETO TECHNOLOGIES S.A.
User s guide APACHE 2.0 + SSL Linux Using non-qualified certificates with APACHE 2.0 + SSL Linux version 1.3 Table of contents 1. PREFACE... 3 2. GENERATING CERTIFICATE... 3 2.1. GENERATING REQUEST FOR
VMware Identity Manager Administration
VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new
AVG Business SSO Partner Getting Started Guide
AVG Business SSO Partner Getting Started Guide Table of Contents Overview... 2 Getting Started... 3 Web and OS requirements... 3 Supported web and device browsers... 3 Initial Login... 4 Navigation in
White Paper DEPLOYING WDK APPLICATIONS ON WEBLOGIC AND APACHE WEBSERVER CLUSTER CONFIGURED FOR HIGH AVAILABILITY AND LOAD BALANCE
White Paper DEPLOYING WDK APPLICATIONS ON WEBLOGIC AND APACHE WEBSERVER CLUSTER CONFIGURED FOR HIGH AVAILABILITY AND LOAD BALANCE Abstract This White Paper provides information to deploy WDK based applications
SAP NetWeaver AS Java
Chapter 75 Configuring SAP NetWeaver AS Java SAP NetWeaver Application Server ("AS") Java (Stack) is one of the two installation options of SAP NetWeaver AS. The other option is the ABAP Stack, which is
Deploying EMC Documentum WDK Applications with IBM WebSEAL as a Reverse Proxy
Deploying EMC Documentum WDK Applications with IBM WebSEAL as a Reverse Proxy Applied Technology Abstract This white paper serves as a detailed solutions guide for installing and configuring IBM WebSEAL
PUBLIC Installation: SAP Mobile Platform Server for Linux
SAP Mobile Platform 3.0 SP11 Document Version: 1.0 2016-06-09 PUBLIC Content 1.... 4 2 Planning the Landscape....5 2.1 Installation Worksheets....6 3 Installing SAP Mobile Platform Server....9 3.1 Acquiring
Okta/Dropbox Active Directory Integration Guide
Okta/Dropbox Active Directory Integration Guide Okta Inc. 301 Brannan Street, 3rd Floor San Francisco CA, 94107 [email protected] 1-888- 722-7871 1 Table of Contents 1 Okta Directory Integration Edition for
IBM Security QRadar Vulnerability Manager Version 7.2.1. User Guide
IBM Security QRadar Vulnerability Manager Version 7.2.1 User Guide Note Before using this information and the product that it supports, read the information in Notices on page 61. Copyright IBM Corporation
CHAPTER 7 SSL CONFIGURATION AND TESTING
CHAPTER 7 SSL CONFIGURATION AND TESTING 7.1 Configuration and Testing of SSL Nowadays, it s very big challenge to handle the enterprise applications as they are much complex and it is a very sensitive
F-Secure Messaging Security Gateway. Deployment Guide
F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4
RHEV 2.2: REST API INSTALLATION
RHEV 2.2: REST API INSTALLATION BY JAMES RANKIN REVISED 02/14/11 RHEV 2.2: REST API INSTALLATION 1 TABLE OF CONTENTS OVERVIEW PAGE 3 JAVA AND ENVIRONMENT VARIABLES PAGE 3 JBOSS INSTALLATION PAGE 5 REST
Universal Content Management Version 10gR3. Security Providers Component Administration Guide
Universal Content Management Version 10gR3 Security Providers Component Administration Guide Copyright 2008 Oracle. All rights reserved. The Programs (which include both the software and documentation)
Installation and Configuration Guide
Installation and Configuration Guide BlackBerry Resource Kit for BlackBerry Enterprise Service 10 Version 10.2 Published: 2015-11-12 SWD-20151112124827386 Contents Overview: BlackBerry Enterprise Service
How to use mobilecho with Microsoft Forefront Threat Management Gateway (TMG)
How to use mobilecho with Microsoft Forefront Threat Management Gateway (TMG) Introduction Understanding Forefront Threat Management Gateway (TMG) Network Topology Understanding Forefront Threat Management
GlobalSign Enterprise Solutions Google Apps Authentication User Guide
GlobalSign Enterprise Solutions Google Apps Authentication User Guide Using EPKI for Google Apps for Business Single Sign-on and Secure Document Sharing v.1.1 1 Table of Contents Table of Contents... 2
WHITE PAPER Citrix Secure Gateway Startup Guide
WHITE PAPER Citrix Secure Gateway Startup Guide www.citrix.com Contents Introduction... 2 What you will need... 2 Preparing the environment for Secure Gateway... 2 Installing a CA using Windows Server
Installing an SSL certificate on the InfoVaultz Cloud Appliance
Installing an SSL certificate on the InfoVaultz Cloud Appliance This document reviews the prerequisites and installation of an SSL certificate for the InfoVaultz Cloud Appliance. Please note that the installation
Administration Guide. BlackBerry Enterprise Service 12. Version 12.0
Administration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2015-01-16 SWD-20150116150104141 Contents Introduction... 9 About this guide...10 What is BES12?...11 Key features of BES12...
Clearswift Information Governance
Clearswift Information Governance Implementing the CLEARSWIFT SECURE Encryption Portal on the CLEARSWIFT SECURE Email Gateway Version 1.10 02/09/13 Contents 1 Introduction... 3 2 How it Works... 4 3 Configuration
Secure Web Appliance. SSL Intercept
Secure Web Appliance SSL Intercept Table of Contents 1. Introduction... 1 1.1. About CYAN Secure Web Appliance... 1 1.2. About SSL Intercept... 1 1.3. About this Manual... 1 1.3.1. Document Conventions...
Secure IIS Web Server with SSL
Secure IIS Web Server with SSL EventTracker v7.x Publication Date: Sep 30, 2014 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract The purpose of this document is to help
User Guide. Time Warner Cable Business Class Cloud Solutions Control Panel. Hosted Microsoft Exchange 2007 Hosted Microsoft SharePoint 2007
Chapter Title Time Warner Cable Business Class Cloud Solutions Control Panel User Guide Hosted Microsoft Exchange 2007 Hosted Microsoft SharePoint 2007 Version 1.1 Table of Contents Table of Contents...
HTTP Reverse Proxy Scenarios
Sterling Secure Proxy HTTP Reverse Proxy Scenarios Version 3.4 Sterling Secure Proxy HTTP Reverse Proxy Scenarios Version 3.4 Note Before using this information and the product it supports, read the information
Configuring Secure Socket Layer (SSL) for use with BPM 7.5.x
Configuring Secure Socket Layer (SSL) for use with BPM 7.5.x Configuring Secure Socket Layer (SSL) communication for a standalone environment... 2 Import the Process Server WAS root SSL certificate into
Setup Guide Access Manager 3.2 SP3
Setup Guide Access Manager 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE
KMIP installation Guide. DataSecure and KeySecure Version 6.1.2. 2012 SafeNet, Inc. 007-012120-001
KMIP installation Guide DataSecure and KeySecure Version 6.1.2 2012 SafeNet, Inc. 007-012120-001 Introduction This guide provides you with the information necessary to configure the KMIP server on the
App Orchestration 2.5
Configuring NetScaler 10.5 Load Balancing with StoreFront 2.5.2 and NetScaler Gateway for Prepared by: James Richards Last Updated: August 20, 2014 Contents Introduction... 3 Configure the NetScaler load
EMC Data Protection Search
EMC Data Protection Search Version 1.0 Security Configuration Guide 302-001-611 REV 01 Copyright 2014-2015 EMC Corporation. All rights reserved. Published in USA. Published April 20, 2015 EMC believes
Setting Up SSL on IIS6 for MEGA Advisor
Setting Up SSL on IIS6 for MEGA Advisor Revised: July 5, 2012 Created: February 1, 2008 Author: Melinda BODROGI CONTENTS Contents... 2 Principle... 3 Requirements... 4 Install the certification authority
Sophos Mobile Control Installation guide. Product version: 3
Sophos Mobile Control Installation guide Product version: 3 Document date: January 2013 Contents 1 Introduction...3 2 The Sophos Mobile Control server...4 3 Set up Sophos Mobile Control...16 4 External
Installation Guide for Pulse on Windows Server 2012
MadCap Software Installation Guide for Pulse on Windows Server 2012 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software
Tenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved.
Tenrox Single Sign-On (SSO) Setup Guide January, 2012 2012 Tenrox. All rights reserved. About this Guide This guide provides a high-level technical overview of the Tenrox Single Sign-On (SSO) architecture,
USER GUIDE WEB-BASED SYSTEM CONTROL APPLICATION. www.pesa.com August 2014 Phone: 256.726.9200. Publication: 81-9059-0703-0, Rev. C
USER GUIDE WEB-BASED SYSTEM CONTROL APPLICATION Publication: 81-9059-0703-0, Rev. C www.pesa.com Phone: 256.726.9200 Thank You for Choosing PESA!! We appreciate your confidence in our products. PESA produces
http://docs.trendmicro.com
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,
