SAP Mobile - Webinar Series
SAP Mobile Platform 3.0 Security Concepts and Features
Dirk Olderdissen, Solution Expert, Regional Presales EMEA, SAP
Brought to you by the Customer Experience Group
2014 SAP SE or an SAP affiliate company. All rights reserved. Public 1
SAP Mobile Platform 3.0 Enablement
SCN is our chosen channel to publish all information that you need to successfully install and run the SAP Mobile Platform 3.0. On our Enablement Pages, you find links to White Papers, How-To Guides, Blogs and other resources: http://scn.sap.com/docs/doc-49476
Webinars complement these published resources: http://scn.sap.com/docs/doc-55282
Agenda
- SMP3 security overview
- Certificates in the mobile space
- Two-factor authentication
- Agentry security concepts
- Networking
This presentation refers to the software versions SMP3 server SP04 and SMP SDK SP05.
SMP 3 Security Overview
SAP Mobile Platform communication types
With SMP3, depending on the client technology you use, different communication protocols apply:
- REST API (OData): Native OData SDK; Hybrid SDK (aka Kapsel, incl. Fiori Client plugins)
- Agentry: used with SAP Work Manager, Rounds etc.; not covered today
- MBO runtime (SUP & SMP 2.x)
- Mobiliser (Banking and some SAP B2C applications)
[Diagram: SAP, SAP Partner and Custom apps built with the SAP Mobile Platform SDK connect to SAP Mobile Platform 3.0 via OData, Agentry, MBO runtime or Mobiliser]
SMP Data transport encryption
- The SMP client traffic is encrypted; SMP uses TLS encryption.
- The encryption is established before data is sent to the mobile device.
- Standards-based encryption allows the use of regular reverse proxies and other industry-standard security infrastructure.
[Diagram: SMP Application -> HTTPS (SSL/TLS) -> SMP Server]
SMP Registration ID check
- SMP applications need to present a valid RegistrationID.
- The RegistrationID is created during the app enrolment process.
- The app presents this RegistrationID on every connection with the SMP server.
- The ID allows the SMP server to uniquely identify each application (for security, management and data handling).
[Diagram: SMP Application -> ID -> SMP Server]
* Application registration is not available for Agentry and Mobiliser applications as of SMP v3 SP04.
Authentication
- The app needs to authenticate against SMP and against the backend.
- The app needs to present credentials for authentication.
- The authentication on SMP is configurable (CSI framework).
- Authentication in the DMZ is supported.
- Integration with 3rd-party security providers is possible (reverse proxy, RSA, CA SiteMinder, ...).
[Diagram: SMP Application -> Reverse Proxy -> SMP Server -> EIS, with user credentials U / U1 / U2 / U3 at the respective hops]
SMP SDK on-device security
SAP Mobile Platform SDK provides components to ease the creation of secure apps:
- Logon Manager to handle registration, authentication and credential handling for native and hybrid applications
- Secure data storage (Data Vault)
- App configuration and debugging (SDK)
- Secure credential sharing across applications (Client Hub)
[Diagram: SMP Application with SDK components -> SMP Server]
SMP 3 and Common Security Infrastructure (CSI)
SMP provides different authentication providers* that can be used in the Security Configurations:
- NoSecurity / Anonymous
- LDAP/AD
- X.509 User Certificate
- HTTP/HTTPS basic authentication
- Kerberos
- User role authorization provider
- SAML (planned road map feature, disclaimer applies)
Authentication providers can also be combined**, e.g. use LDAP for authentication and HTTPAuth to generate an SSO2 token.
[Diagram: Application Configuration @ApplicationID -> App Registration -> Security Configuration (LDAP, HTTP Authentication) -> Data Source Definition; targets: Corp LDAP, SAP NetWeaver EIS]
* http://help.sap.com/saphelp_smp303svr/helpdata/en/7b/ffc3f470061014ad5c804d241e1e7c/content.htm
** http://help.sap.com/saphelp_smp303svr/helpdata/en/7c/2f88d5700610148f4896f27b789761/content.htm
Certificates in the mobile space
Certificates in the mobile space - concepts
- Certificates need to be available on the mobile side.
- Certificate distribution is a vital part of certificate-based authentication.
Commonly used distribution types:
1. Application-specific certificates
o The same certificate in each app type
o Only authenticates the source of the application => controlled application distribution required (MDM)
2. User-specific certificates
o Every app/user has an individual certificate on the device/app
o Strong authentication of the user
[Diagram: application-specific: every app carries the same certificate C; user-specific: apps carry individual certificates 1, 2, 3]
Application-specific certificate deployment
- Easy to implement, as the cert can be integrated during development
- MDM deploys it with the applications (that include the cert)
1. Certificate is integrated into the application
2. Application is distributed to the mobile device with MDM (gives control over who receives the application)
[Diagram: Development (1: App + C) -> MDM (2) -> SMP Client -> Reverse Proxy -> SMP Server 3]
User certificate deployment - challenges
- User-specific certificates need to be enrolled individually to each app/device.
- Technology is needed to securely enroll the certificate.
- On iOS, apps do NOT have access to the user certificates in the OS keystore.
- On standard Android, no solid concept of a keystore exists.
- In consequence, the certificate needs to be deployed INTO the application?
[Diagram: PKI -> ? -> SMP Client -> Reverse Proxy -> SMP Server 3]
User certificate deployment - with SAP Mobile Secure
- SAP Mobile Secure (and SAP Afaria) can distribute user certificates into SMP SDK based applications.
- The SMP SDK has this certificate distribution option built in.
- SAP Mobile Secure can connect to corporate CAs.
=> SAP Mobile Secure provides an API (static link library) that has been integrated into the SMP SDK.
[Diagram: PKI -> Mobile Secure -> SMP Client (Mobile Secure component) -> Reverse Proxy -> SMP Server 3]
SAP Help: Native SDK acquiring certificates from Afaria
User certificate deployment - with 3rd-party certificate providers
- The SMP SDK provides an API that allows integration with 3rd-party certificate providers.
- This is a custom effort where implementation details depend on the 3rd-party certificate provider in use.
- The provider part on the mobile side will need to be part of the mobile application.
SAP Help: Hybrid SDK 3rd-party certificate provider
SAP Help: Native SDK 3rd-party certificate provider
[Diagram: 3rd-party PKI -> 3rd-party provider component in the SMP Client -> Reverse Proxy -> SMP Server 3]
Two-factor authentication - Native OData SDK + Hybrid SDK
SMP 3 (OData+Hybrid) + VPN
Factor 1: Establishing the VPN, with the authentication it requires, is one factor.
Factor 2: The user authentication (e.g. U:PW) in the SMP client is used for client access, SMP server authentication and backend authentication. Additional built-in identification is the AppConnectionID (app registration).
[Diagram: SMP Client (U) -> VPN Client -> VPN Gateway -> SMP Server 3 (U) -> EIS (U)]
SMP 3 (OData+Hybrid) + built-in application certificate
Factor 1:
- The SMP client can be created with a certificate built in. This certificate would be the same for all deployed clients and not updateable.
- HTTPS mutual certificate-based authentication against the reverse proxy.
Factor 2:
- The user authentication in the SMP client is used for SMP server authentication and backend authentication.
- Additional built-in identification is the AppConnectionID (app registration).
Using the same certificate on all clients provides less security compared to individual user certificates, but may be a workable compromise for customers without a fully integrated PKI.
[Diagram: SMP Client (CC, U) -> Reverse Proxy (CC checked against Auth Provider) -> SMP Server 3 (U) -> EIS (U)]
SMP 3 (OData+Hybrid) + user certificates
Factor 1:
- The SMP client can authenticate with user certificates.
- HTTPS mutual certificate-based authentication against the reverse proxy.
- Certificate distribution can be done via SAP Afaria (built-in feature) or via 3rd-party tools and the cert import API.
Factor 2:
- The user authentication in the SMP client is used for SMP server authentication and backend authentication.
- Additional built-in identification is the AppConnectionID (app registration).
Security cookies can also be implemented to additionally secure the traffic between client, proxy and SMP, or for SSO use.
[Diagram: Mobile Secure -> SMP Client (UC, U) -> Reverse Proxy (UC checked against Auth Provider) -> SMP Server 3 (U) -> EIS (U)]
SMP 3 (OData+Hybrid) + 3rd-party authentication (e.g. token based)*
Factor 1:
- The SMP client queries the user for the U:PW and a one-time token.
- The reverse proxy verifies the combination (U:Token or U.PW:Token) against the 3rd-party authentication provider.
- A security cookie is issued for downstream traffic authentication.
Factor 2:
- SMP validates the security cookie against the 3rd-party authentication provider.
- SMP authenticates the user credentials against an authentication provider, e.g. AD, LDAP.
- Additional built-in identification is the AppConnectionID (app registration).
[Diagram: SMP Client (U) -> Reverse Proxy (SI verified with Auth Provider, cookie C issued) -> SMP Server 3 (SI, U) -> EIS (U)]
* Possible for custom apps; most SAP pre-built apps do not support this as of today.
SAP Help: SMP3 integration with CA SiteMinder
Agentry Security Concepts
SMP3 Agentry - Data transport encryption
- The SMP Agentry client traffic is HTTPS encrypted; SMP uses HTTPS (TLS) encryption.
- The encryption is established before data is sent to the mobile device.
- Standards-based encryption allows the use of regular reverse proxies and other industry-standard security infrastructure.
- The initial HTTPS endpoint is then the proxy component and not the SMP server.
- SMP Agentry client traffic uses WebSockets.
[Diagram: Agentry Application -> HTTPS (SSL/TLS), WebSockets -> Proxy -> SMP3 Server]
SMP3 Agentry - Authentication options
The SMP Agentry client provides multiple authentication modes:
1. User name + password
o The user credentials are transmitted in the HTTP header (HTTPS encrypted).
o They should be usable by the proxy and SMP.
2. Server certificates
o The Agentry client can validate the HTTPS server certificate (proxy or SMP) against the device cert root store.
3. Client certificates
o The Agentry application can present a certificate during the HTTPS authentication (mutual certificate-based authentication).
o Today (as of November 2014) this application certificate is deployed with the binary Agentry client (one cert for all clients).
o Future versions will support individual client certificates (X.509); road map feature.
[Diagram: Agentry Application -> HTTPS (SSL/TLS), WebSockets -> Proxy -> SMP3 Server]
Two-factor authentication - Agentry client + VPN
Factor 1: The authentication to establish the VPN can be considered one factor.
Factor 2: The user authentication in the Agentry client (SAP user) is used for client access, SMP server authentication and backend authentication.
[Diagram: Agentry Client (U) -> VPN Client -> VPN Gateway -> SMP Server 3 (U) -> EIS (U)]
Two-factor authentication - Agentry client + built-in client certificate
Factor 1:
- The Agentry client can be deployed with a certificate that the customer can define in the deployment process.
- This certificate is the same for all deployed Agentry binary clients.*
Factor 2:
- The user authentication in the Agentry client (SAP user) is used for client access, SMP server authentication and backend authentication. This is the second factor.
Using the same certificate on all clients provides less security compared to individual certificates.
[Diagram: Agentry Client (CC, U) -> Reverse Proxy (CC checked against Auth Provider) -> SMP Server 3 (U) -> EIS (U)]
* Support for individual user certificates is a road map feature.
Agentry Client (SDK SP06*) + specific client certificate**
Factor 1:
- The user/device certificate would be used to establish a mutually authenticated HTTPS connection.
- Certificate sources:
o Windows OS: the certificate is pulled from the Windows Certificate Store.***
o Other (Android, iOS): with the OpenUI interface, individual certificates would be imported into the Agentry client. The import process is a custom effort, as the available cert infrastructure varies from customer to customer.
Factor 2:
- The user authentication in the Agentry client (SAP user) is used for client access, SMP server authentication and backend authentication.
[Diagram: Cert provider -> Agentry Client (OpenUI custom integration; UC, U) -> Reverse Proxy (UC checked against Auth Provider) -> SMP Server 3 (U) -> EIS (U)]
* SMP SDK SP06 is not yet released (road map disclaimer applies).
** Individual client certificate support is a road map feature currently scheduled for SMP3 SDK SP06.
*** Needs further qualification, please research.
SAP Help: OpenUI API calls
Networking
SMP3 and Push Notifications
- The SMP server can integrate with native push notification services.
- The backend sends a notification to the SMP server.
- SMP contacts the vendor-specific notification service on the internet.
- The notification service notifies the device.
[Diagram: EIS -> inner firewall -> SMP -> outer firewall -> Reverse Proxy -> push services APNS, GCM, MPNS, WNS, BIS/BES]
Link: SAP help application push notifications
SMP3 and DMZ
- With SMP3, the protocols used and the traffic content have become much easier to integrate with industry-standard reverse proxies.
- The SMP3 SDK authenticates on the HTTP(S) layer. X.509, Kerberos, SAML* and HTTP Basic auth are currently supported.
- Protocols now fit more easily into the expected traffic pattern of industry-standard reverse proxy protocol filters, when compared to SUP.
- The reverse proxy needs to support WebSockets for Agentry / MDD applications.
- OData offline uses HTTP(S) with a binary payload (replication / MobiLink).
[Diagram: outer firewall -> Reverse Proxy -> inner firewall -> SMP -> EIS]
* SMP SDK SP05 supports SAML; for SMP3 server SP04, SAML is a road map feature.
SMP communication with 3rd-party authentication integration
Steps taken before any data is sent to the mobile application:
1. Transport encryption is established when the client connects.
2. The proxy authenticates the client credentials with the user repository (auth provider).
3. The proxy redirects the traffic with an authentication marker (e.g. cookie), and the SMP application registration (App ID) is verified.
4. The SMP server validates the authentication marker (cookie or credentials).
5. The backend user ID (U2) and authentication marker (e.g. MySAPSSO2) are looked up and used for EIS auth.
6. The data source (EIS) delivers data via SMP + proxy.
[Diagram: client (U1, Application Registration ID) -> Proxy (Auth U1 against ISP credentials) -> SMP (registration ID check, DB lookup of U2 data-tier credentials) -> EIS (Auth U2); steps 1 to 6 numbered along the path]
* Process does not apply to Agentry and Mobiliser applications.
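The proxy-to-SMP handover in steps 2 to 5, together with the RegistrationID check from the registration slide, as an added simulation that is not SAP code and not the real proxy or SMP implementation: the proxy checks U1 against the auth provider and issues an HMAC-signed marker, SMP rejects unknown RegistrationIDs, verifies the marker's signature and age, then looks up the backend user U2 and its SSO marker. The cookie format, the dictionaries, the shared key and every name and value are constructed assumptions; a real deployment carries the proxy product's own session token.

```python
"""Constructed simulation of the proxy -> SMP -> EIS authentication chain.
Not SAP code; every table, name and the cookie format is a hypothetical stand-in."""
import hashlib
import hmac
import time

# Constructed sample data (hypothetical): ISP credentials known to the auth
# provider, the SMP app-registration table, and the U1 -> U2 backend mapping.
AUTH_PROVIDER = {"alice": "s3cret"}                  # U1 credentials
REGISTERED_APPS = {"reg-001": "com.example.odata"}   # RegistrationID -> app
BACKEND_USERS = {"alice": ("ALICE_SAP", "MYSAPSSO2-placeholder")}  # U1 -> U2
COOKIE_KEY = b"proxy-smp-shared-secret"              # assumed shared key


def proxy_authenticate(user, password, now=None):
    """Step 2: the proxy checks U1 against the auth provider and, on success,
    issues an HMAC-signed authentication marker (the 'security cookie')."""
    stored = AUTH_PROVIDER.get(user)
    if stored is None or not hmac.compare_digest(stored, password):
        return None
    issued = int(now if now is not None else time.time())
    payload = f"{user}:{issued}"
    sig = hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def smp_validate_marker(cookie, now=None, max_age=300):
    """Step 4: SMP verifies the marker's signature and age instead of
    prompting the user again; returns U1 on success, None otherwise."""
    try:
        user, issued, sig = cookie.split(":")
        issued_at = int(issued)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(COOKIE_KEY, f"{user}:{issued}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    now = int(now if now is not None else time.time())
    if not 0 <= now - issued_at <= max_age:
        return None
    return user


def smp_handle_request(registration_id, cookie, now=None):
    """Steps 3-5: reject unknown RegistrationIDs first, then an invalid
    marker, then map U1 to the backend user U2 and its SSO marker."""
    if registration_id not in REGISTERED_APPS:
        return ("reject", "unknown RegistrationID")
    user = smp_validate_marker(cookie, now)
    if user is None:
        return ("reject", "invalid or expired authentication marker")
    if user not in BACKEND_USERS:
        return ("reject", "no data-tier credentials for " + user)
    backend_user, sso_marker = BACKEND_USERS[user]
    return ("forward", backend_user, sso_marker)
```

The order of checks matters for logging: a request failing at the registration check never reaches marker validation, so the rejection reason tells a defender which layer stopped it.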
Summary
Summary - SMP Security layers
Device side:
1. Device password
o Enforced by MDM, encrypts local data storage
2. App password
o Encrypts app storage and secrets
3. Server credentials
o Authorization: app registration
o Authentication: certificate, username + PW, one-time PW
4. TLS transport encryption
Network and server side:
1. Outer firewall
2. Reverse proxy
o Initial authentication, e.g. certificate based
3. Inner firewall
4. SMP
o Validation of proxy authentication (e.g. cookie)
o Secondary credential authentication
5. Backend
o Authentication of backend credentials / roles
Exemplary setup reflects common scenarios as implemented with many customers.
Thank you
Contact information: Dirk Olderdissen, Solution Advisor Expert, dirk.olderdissen@sap.com
2015 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.