Contents at a Glance. 1 Introduction Basic Principles of IT Security Authentication and Authorization in

Transcription

1 at a Glance 1 Introduction 17 2 Basic Principles of IT Security 23 3 Authentication and Authorization in SAP NetWeaver Application Server Java 53 4 Single Sign-On Identity Provisioning Secure Web Services 335 A Setting Up the Certificate Authority and Key Management in the Enterprise Scenario 497 B Referenced Literature 535 C The Author 539 Bibliografische Informationen digitalisiert durch

2 Preface Security and Service-Oriented Architectures Goals of Information Security Service-Oriented Architectures and Enterprise SOA Functional Security Requirements in a Service-Oriented Architecture Developing Security Concepts Risk Analysis Selecting Security Measures Basic Security Measures Cryptography Hash Functions Message Authentication Code Digital Signatures Digital Certificates Public Key Infrastructure Summary J2EE Application Security Authentication Authorization J2EE Security in Practice Introduction to the Enterprise Scenario OrderManager Project 69

3 3.2.3 Functional Prerequisites Role Model and Permissions Architecture Derivation of Permissions at Component Level Exercise 1: Protecting the OrderManager Application with J2EE Security Application Security in J2EE Applications Using the SAP User Management Engine API Role and Permission Model Programming Model Authentication Authorization Identity Management API Exercise 2: Implementing the Extended Permission Concept Using the UME API Java Authentication and Authorization Service JAASAPI Login Modules and Login Module Stacks Callbacks and Callback Handler Authorization with JAAS JAAS in the SAP NetWeaver AS Java Summary Basic Principles Advantages and Disadvantages Approaches to Solutions Portals Single Sign-On in the Intranet SAP Logon Ticket Verifying SAP Logon Tickets in Third-Party Software Enterprise Scenario: Single Sign-On Integration of an External Application into the Employee Portal Exercise 3: Single Sign-On Integration of AddressBook into the Employee Portal 173

4 4.3 Intercompany Single Sign-On Technical and Organizational Requirements Roles Identity Federation Security Assertion Markup Language Supporting SAML in SAP NetWeaver Enterprise Scenario: Intercompany Single Sign-On Between Retailers and Wholesalers Exercise 4: Implementing Intercompany Single Sign-On Summary Basic Principles Goals Lifecycle of Digital Identities Advantages Identity Management Systems Service Provisioning Markup Language Provisioning Model Operations Protocol and Bindings Provisioning Schema Implementations Enhancements in SPML SPML Support in SAP NetWeaver UME Provisioning Schema Use Cases Federated Identity Provisioning Enterprise Scenario: Federated Identity Provisioning Between Wholesalers and Retailers Exercise 5: Implementing Federated Identity Provisioning Summary 333

5 6.1 Architecture Basic Web Service Standards Extensible Markup Language SOAP Web Services Description Language Threats Security Standards Secure Sockets Layer and Transport Layer Security Web Services Security Web Services Trust Web Services Secure Conversation Web Services Security Policy Interoperability WS-I Basic Security Profile WS-I BSP Sample Application WS-I Testing Tools Support for Secure Web Services in SAP NetWeaver WS-Security Development Model Support in SAP NetWeaver AS Java Support in SAP NetWeaver AS ABAP Summary Outlook Testing and Error Analysis Carrying out Connection Tests Recording and Visualizing Message Flow Solving Synchronization Problems Enterprise Scenario: Process Automation with Web Services System Architecture Technical and Organizational Determining Factors Risk Analysis Security Requirements Exercise 6: Implementing the Subscenarios with WS-Security Implementing the PurchaseOrder Service

6 6.8.2 Implementing the Shipping Service Implementing the CreditRating Service Implementing the PurchaseOrder Proxy Implementing the ShippingService Proxy Implementing the CreditRating Proxy Testing the Scenario Summary 491 Appehdi A Setting Up the Certificate Authority and Key Management in the Enterprise Scenario 497 A.1 Installing the Certificate Authority 499 A.1.1 Installing and Configuring OpenSSL 499 A.1.2 Creating the Signature Key and the Root Certificate for the Certificate Authority 500 A.1.3 Importing the Root Certificate into the Windows Certificate Store 501 A.2 Creating the SecureSale SSL Key Pair for Apache Tomcat 504 A.2.1 Creating the Self-Signed SSL Key Pair 504 A.2.2 Creating the Certificate Request 505 A.2.3 Certifying the Certificate at the Certificate Authority 505 A.2.4 Importing the Root Certificate into the Java Keystore 506 A.2.5 Importing the Certified SSL Certificate into the Java Keystore 507 A.3 Setting Up the SSL Server for SecureSale in SAP NetWeaver Application Server Java 507 A.3.1 Installing the JCE Unlimited Strength Jurisdiction Policy 508 A.3.2 Installing the SAP Java Cryptographic Toolkit 509 A.3.3 Importing the CA Root Certificate 510 A.3.4 Creating the Self-Signed SSL Key Pair 511 A.3.5 Creating the Certificate Request 511 A.3.6 Certifying the SSL Key Pair at the Certificate Authority

7 A.3.7 Importing the Certified SSL Key Pair 512 A.3.8 Activating the New SSL Key Pair 513 A.3.9 Testing the New SSL Key Pair 514 A.4 Setting Up the SSL Server for SecureShipping in the SAP NetWeaver Application Server ABAP 515 A.4.1 Installing the SAP Cryptographic Library 516 A.4.2 Creating the Self-Signed SSL Key Pair 517 A.4.3 Importing the CA Root Certificate 517 A.4.4 Creating the Certificate Request 518 A.4.5 Certifying the Key Pair at the Certificate Authority 518 A.4.6 Importing the Certified Certificate 519 A.4.7 Activating the Changes 520 A.5 Creating the CompSOA SSL Key Pair 521 A.5.1 Creating the Self-Signed SSL Key Pair 521 A.5.2 Creating the Certificate Request 522 A.5.3 Certifying the Key Pair at the Certificate Authority 522 A.5.4 Importing the Root Certificate into the Keystore 522 A.5.5 Importing the Certified SSL Key Pair 522 A.6 Creating the SecureSale Web Service Key Pairs for Signatures and Encryption in the SAP NetWeaver Application Server Java 522 A.6.1 Creating the Self-Signed Signature Key Pair 523 A.6.2 Creating the Certificate Request for the Signature Key Pair 524 A.6.3 Certifying the Signature Key Pair at the Certificate Authority 524 A.6.4 Importing the Certified Signature Key Pair 524 A.6.5 Creating the Self-Signed Key Pair for Encryption 525 A.6.6 Creating the Certificate Request for the Key Pair 525 A.6.7 Certifying the Key Pair at the Certificate Authority 526 A.6.8 Importing the Certified Key Pair 526 A.7 Creating the CompSOA Web Services Keystore 526 A.7.1 Creating the Self-Signed Signature Key Pair

8 A.7.2 Creating the Certificate Request for the Signature Key 527 A.7.3 Certifying the Signature Key Pair at the Certificate Authority 528 A.7.4 Importing the Root Certificate into the Keystore 528 A.7.5 Importing the Certified Signature Key Pair 528 A.7.6 Importing the Certified SecureSale Certificate 528 A.8 Creating the SecureShipping Web Service Key Pair for Signatures 529 A.8.1 Creating the Self-Signed Signature Key Pair 529 A.8.2 Creating the Certificate Request for the Signature Key Pair 530 A.8.3 Certifying the Signature Key Pair at the Certificate Authority 530 A.8.4 Importing the Certified Signature Key Pair 530 A.9 Creating the TrustedBank Web Service Signature Key Pair 531 A.9.1 Creating the Signature Key Pair 531 A.9.2 Certifying the Key Pair at the Certificate Authority 532 A.9.3 CreatingthePKCS#12File 532 A.9.4 Importing the Certified Key Pair into the Windows Certificate Store 532 A.9.5 Importing the Signature Certificate into the SecureSale Keystore 533 B Referenced Literature 535 C The Author 539 Index 541