Gateway Apps - Security Summary
SECURITY SUMMARY
27/02/2015
Document Status
Title: Harmony Security summary
Author(s): Yabing Li
Version: V1.0
Status: draft

Change Record
Date       Author      Version  Change reference
27 Feb 15  Yabing Li   V1.0     Initial draft for review/discussion
03 Mar 15  Neeta T.    V1.1     Browser security review
10 Mar 15  Marcelo A.  V1.2     Review of items 3 and 4
18 Mar 15  Yabing Li   V1.3     Review chapter 2, 3 and 4.3

Reviewers
Name  Version reviewed  Position  Date

Cordis Solutions Limited 2015 1 of 10 Confidential
CONTENTS
1. Purpose of This Document ... 3
2. Web/mobile interface Security ... 4
   2.1 Browser Security ... 4
3. Network and Communication Security ... 5
4. Server Security ... 7
   4.1 User Authentication and Authorization ... 7
   4.2 Single sign on ... 7
   4.3 Session security ... 8
   4.4 Other security Aspects ... 9
1. PURPOSE OF THIS DOCUMENT
This document summarises the security of the Cordis Harmony suite. The descriptions it contains should not be relied upon in evaluating or recommending the software, and can be changed without notice by Cordis Solutions. Note that while the solution is designed to work with software provided by SAP and Microsoft, Cordis Solutions can give no undertakings on the functionality contained in, or performance of, any software running in your environment.
2. WEB/MOBILE INTERFACE SECURITY
Cordis Gateway Apps have two user interfaces: a Microsoft Office interface and a web/mobile interface. The following section provides information about security aspects of the web/mobile interface.

2.1 BROWSER SECURITY
The Cordis Apps web/mobile interface is built using the SAPUI5 library, a client-side JavaScript library. The web/mobile browser executes the JavaScript and renders the HTML, so browser security needs to be discussed. Browser security comprises several topics such as cross-site scripting, clickjacking, and local storage.

A browser is, by design, an untrusted client: a server cannot rely on any information sent from a browser, as a malicious user can use a JavaScript debugger to tamper with the client code, or a proxy server like Fiddler to modify request data. Input validation on the client is only for convenience, as the server always has to validate again the data it receives from the client.

CROSS-SITE SCRIPTING
Cross-site scripting (XSS) has become the most prominent security issue of web applications in recent years and also the most dangerous one, as it allows several ways of exploitation. Once malicious code is running within the browser, it can be used to steal session cookies, to trigger requests within the current session, or even to exploit a known browser vulnerability to achieve native code execution.

For SAPUI5 applications, XSS vulnerabilities can exist on different levels:
- within the HTML page or custom data transports sent to the browser from the server;
- within the JavaScript code of the application, which processes server responses;
- within the HTML renderers of SAPUI5 controls.

Since the Cordis Gateway App web interface is built on top of the SAPUI5 library, it prevents XSS by the following approach:
- On the SAPUI5 library level, SAPUI5 prevents cross-site scripting in the processing and rendering of controls. In the library, input validation exists for all typed element properties and output encoding is done in the renderer class of controls.
- On the application level, the Cordis application handles proper output encoding of all content embedded in the HTML page itself, as well as encoding of JSON data sent to the client and secure processing of this data.

CLICKJACKING
Clickjacking, or UI redressing, tricks the user into triggering actions within an application by redirecting clicks. This is done, for example, by using an invisible iframe positioned above a fake UI. When the user clicks on something in the fake UI, the content of the invisible iframe handles the click.

Since SAPUI5 is not able to enable a generic clickjacking prevention, on the application level the application needs to clarify whether embedded scenarios, for example a portal, are required, and add clickjacking protection for the respective scenario. In general, the Cordis Gateway Apps web/mobile interface does not support an embedded scenario. If a client has this requirement, please contact Cordis technical support for framebusting solutions.
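The application-level output encoding described in 2.1, shown as an added example (written for this summary, not Cordis or SAPUI5 code; the record fields and page fragment are constructed): HTML-context encoding for text and attribute values, and the extra escaping needed when JSON data is embedded inside a script element.

```javascript
// Added example, not Cordis or SAPUI5 code: application-level output encoding
// for server data embedded in the HTML page, as described in 2.1.

// Encode a string for an HTML text or attribute context. Every character that
// could open a tag, close an attribute or start an entity is replaced.
function encodeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Serialize data for embedding inside a <script> element. JSON.stringify alone
// is not enough: a string containing "</script>" would end the element early,
// and U+2028/U+2029 are line terminators in JavaScript but not in JSON.
function encodeJsonForScript(obj) {
  return JSON.stringify(obj)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Render one backend record into the page: visible text and attribute values
// go through encodeHtml, the JSON model bootstrap through encodeJsonForScript.
function renderPage(record) {
  return [
    '<div class="order" data-id="' + encodeHtml(record.id) + '">',
    "  <h2>" + encodeHtml(record.title) + "</h2>",
    "</div>",
    "<script>var model = " + encodeJsonForScript(record) + ";</script>",
  ].join("\n");
}

// Constructed sample record whose fields carry markup that must stay inert.
const SAMPLE_RECORD = {
  id: '42" onmouseover="x',
  title: "<script>alert(1)</script> & Co",
  note: "</script>\u2028<b>",
};
```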
3. NETWORK AND COMMUNICATION SECURITY
Cordis Apps use the open protocols below when communicating with different servers:
1. HTTP(S)
2. OData
3. Remote Function Calls (RFC)

[Figure: deployment overview. MS Office Client (Office Version, .NET) and Web Browser Client (Web/Mobile Version, HTML5) communicate over HTTP(S) and OData with SAP NetWeaver Gateway (Gateway Component), which communicates over RFC (SNC) with SAP ECC (SAP Backend Component).]

DATA ENCRYPTION BETWEEN CLIENT AND SAP NETWEAVER GATEWAY
Security between the client and the SAP Gateway server side is not sufficient if the data transported between client and server can be read, intercepted, or even modified by an attacker. By default, HTTP communication is stateless and unencrypted, which makes it necessary to configure it to use encrypted connections and to add session handling on top using either cookies or URL rewriting. To make it difficult for unauthorized persons to obtain sensitive data passing through the channel, the communication needs to be encrypted, especially in a production environment: Secure Sockets Layer (SSL) over HTTP, and Secure Network Communications (SNC) for RFC. Sending the HTTP protocol over an SSL-secured connection (HTTPS) is not only standardized, but also required for SAP applications. Cordis Gateway Apps fully support the use of HTTPS.
DATA ENCRYPTION BETWEEN SAP SYSTEMS
Secure Network Communications (SNC) integrates SAP NetWeaver Single Sign-On or an external security product with SAP systems. With SNC, you strengthen security by using additional security functions provided by a security product that are not directly available in SAP systems. SNC protects the data communication paths between the various client and server components of the SAP system that use the SAP protocols RFC or DIAG. The SNC functions are integrated in the SAP system components (for example, the AS ABAP system kernel, SAPGUI, or the RFC library) as a layer between the kernel layer and an external library provided by SAP NetWeaver Single Sign-On (SAP Secure Login Server) or an external security product. The figure below illustrates the integration of an external library.
4. SERVER SECURITY
Since Cordis Gateway Apps use SAP NetWeaver Gateway as the middle layer to communicate with the backend business system, requests sent from the frontend are handled by the Gateway. This section provides information about security aspects on the SAP server side.

4.1 USER AUTHENTICATION AND AUTHORIZATION
Cordis Gateway Apps use SAP standard mechanisms to manage application users. They utilize the user and role administration functions of SAP NetWeaver AS ABAP. Each user has a user master record that contains all the information about that user. In addition, the user master record holds the authorizations included in roles and profiles, which limit the scope of action of the user in the system.

4.2 SINGLE SIGN ON
SAP NetWeaver Gateway supports the use of the following SSO authentication mechanisms:

X.509 client certificates
SAP NetWeaver Gateway recommends the use of client certificates for user authentication. Users need to receive their client certificates from a Certification Authority (CA) as part of a public-key infrastructure (PKI).

Security Assertion Markup Language (SAML 2.0)
SAP NetWeaver Gateway also supports the use of SAML assertions for user authentication. The assertions can be issued by an Identity Provider (IdP) system, or by the SAP NetWeaver host with single sign-on capabilities.

Consumer and authentication option (X.509 Certificate / SAML 2.0):
- Web application (HTML5, Silverlight, Flex): Recommended
- Desktop application (Microsoft .NET, Java): Recommended
- Mobile application: Recommended
- Cloud application: Recommended
- Social network integration: Recommended
- Web server side (PHP/ASP.NET): Recommended

We recommend the use of X.509 certificates, which are easier to configure and work very well for both interfaces of the Cordis applications. With this approach, an X.509 client certificate is a digital "identification card" for use on the Internet, also known as a public-key certificate. A user who accesses the SAP Web Application Server and presents a valid certificate is authenticated on the server using the SSL protocol. The information contained in the certificate is passed to the server, and the user is logged into the server based on this information. User authentication takes place in the underlying protocols, and no user ID and password entries are necessary. When client certificates are used for user authentication, the user is re-authenticated with each request using the SSL protocol.
There are many ways to generate the client X.509 certificates, but for environments based on Windows servers and Microsoft Active Directory authentication a good tool is the SAP Secure Login Server/Client, which can reuse the user's Windows authentication and generate the certificates automatically, without any user interaction (a process transparent to the end user). The details of configuring and testing SAP Secure Login Server/Client are provided in the Cordis Single Sign On Summary document.

4.3 SESSION SECURITY
Since Cordis Apps use SAP NetWeaver Gateway to communicate with the SAP backend, each end user has his or her own HTTP session to facilitate the communication. Therefore session security needs to be discussed. The session security topic comprises secure session management on the server side to prevent session impersonation, as well as the cross-site request forgery prevention implemented in Cordis Gateway Apps.

SECURE SESSION MANAGEMENT
On the SAP NetWeaver Gateway server side, activating secure session management on the Gateway host protects the SAP logon ticket and security session cookies and prevents access to them through JavaScript and plug-ins. Within a secure session, users can start applications that require a user logon without logging on again. When a security session ends, the system also ends all applications that are linked to this security session.

It is also recommended to use Secure Session Management (transaction SICF_SESSIONS) together with other authentication methods, for example X.509 certificates. For protection of session cookies, it is recommended to use HTTPS transport.

XSRF PREVENTION
Even if the data transport is secured using SSL, there are ways to hijack such a secure connection and send malicious requests from the client. Cross-site request forgery and session fixation are two prominent examples of this class of attacks. To prevent cross-site request forgery (XSRF), Cordis Gateway Apps use the XSRF header to fetch a token from the SAP NetWeaver Gateway server. Then, in all subsequent write operations, the application sends the token back to the server, which validates the request.

4.4 OTHER SECURITY ASPECTS
CROSS ORIGIN RESOURCE SHARING
For security reasons, XMLHttpRequest usually only allows accessing resources from the same domain as the originating document. As there are many web-based services available today, starting with RSS or Atom feeds, web services or OData services, there is a need to also access data sources from different domains within the browser, which was addressed by the CORS (Cross Origin Resource Sharing) standard. It allows the server to set special headers on its responses which tell the XMLHttpRequest object whether it is allowed to process the requested data or not. This CORS capability also plays an important role in SAPUI5-based applications. If the application itself and the data visualized come from different servers, the CORS header has to be configured correctly on the data-providing server, to allow the application server domain to access the data. Cordis Gateway Apps (built using the SAPUI5 library) use CORS headers on their CDN-based library to be able to load additional scripts, styles, and resources from the CDN server.