Security Guide
SAP NetWeaver Master Data Management GDS 2.1
Document Version: 1.05 – 2017-03-24
CUSTOMER
SAP NetWeaver Master Data Management Global Data Synchronization Option 2.1
©2017 SAP AG or an SAP affiliate company. All rights reserved
SAP NetWeaver Master Data Management
Typographic Conventions

| Type Style | Description |
|---|---|
| Example | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Textual cross-references to other documents. |
| Example | Emphasized words or expressions. |
| EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE. |
| Example | Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools. |
| Example | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation. |
| <Example> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system. |
| EXAMPLE | Keys on the keyboard, for example, F2 or ENTER. |

Document History

| Version | Date | Change |
|---|---|---|
| 1.04 | 2015-11-12 | Added content from SAP Note 1905286 stating that the modification of initial passwords is mandatory. Moved the document content to a new template. |
| 1.05 | 2017-03-24 | Updated for SP05. Added section Digital Asset Management. |

Table of Contents
1 Introduction
2 Before You Start
3 Technical System Landscape
4 User Administration and Authentication
  4.1 User Management
  4.2 User Data Synchronization
  4.3 Integration into Single Sign-On Environments
5 Authorizations
6 Network and Communication Security
  6.1 Communication Channel Security
  6.2 Network Security
  6.3 Communication Destinations
7 Data Storage Security
8 Digital Asset Management
9 Security for Additional Applications
  9.1 AS2 Adapter for SAP NetWeaver Exchange Infrastructure 3.0 / Process Integration
10 Other Security-Relevant Information
11 Security-Relevant Logging and Tracing
12 Appendix
1 Introduction
Caution
This guide does not replace the administration or operation guides that are available for productive
operations.
Target Audience
- Technology consultants
- Security consultants
- System administrators
This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation
Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas
the Security Guides provide information that is relevant for all life cycle phases.
Why Is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, the demands on
security are also on the rise. When using a distributed system, you need to be sure that your data and processes
support your business needs without allowing unauthorized access to critical information. User errors,
negligence, or attempted manipulation of your system should not result in loss of information or processing time.
These demands on security likewise apply to the Global Data Synchronization (GDS) business scenario. To
assist you in securing the business scenario, we provide this Security Guide.
About this Document
The Security Guide provides an overview of the security-relevant information that applies to the business
scenario. If the business scenario consists of several application components, then it contains an overall overview
as well as the individual guides for each of the underlying application components.
Overview of the Main Sections
The Security Guide comprises the following main sections:
Before You Start
This section contains information about why security is necessary, how to use this document and references
to other Security Guides that build the foundation for this Security Guide.
Technical System Landscape
This section provides an overview of the technical components and communication paths used by the
business scenario.
User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
o Recommended tools to use for user management
o User types that are required by the business scenario
o Standard users that are delivered with the business scenario
o Overview of the user synchronization strategy, if several components or products are involved
o Overview of how integration into Single Sign-On environments is possible.
Authorizations
This section provides an overview of the authorization concept that applies to the business scenario.
Network and Communication Security
This section provides an overview of the communication paths used by the business scenario and the security
mechanisms that apply. It also includes our recommendations for the network topology to restrict access at
the network level.
Data Storage Security
This section provides an overview of any critical data that is used by the business scenario and the security
mechanisms that apply.
Security for Third-Party or Additional Applications
This section provides security information that applies to third-party or additional applications that are used
with the business scenario.
Dispensable Functions with Impacts on Security
This section provides an overview of functions that have impacts on security and can be disabled or removed
from the system.
Other Security-Relevant Information
This section contains information about:
o Using a Web browser as a user front end.
Security-Relevant Logging and Tracing
This section provides an overview of the trace and log files that contain security-relevant information, for
example, so you can reproduce activities if a security breach occurs.
Appendix
This section provides references to further information.
2 Before You Start
Fundamental Security Guides
The global data synchronization (GDS) business scenario is built from the component applications. Therefore, the
corresponding Security Guides also apply to the business scenario. Pay particular attention to the most relevant
sections or specific restrictions as indicated in the table below.
Fundamental Security Guides

| Scenario, Application or Component | Security Guide | Most Relevant Sections or Specific Restrictions |
|---|---|---|
| SAP NetWeaver Application Server | SAP NetWeaver CE Security Guide, SAP NetWeaver Application Server Java Security Guide | |
| SAP ERP or SAP ECC | SAP ERP Central Component Security Guide | |
| SAP NetWeaver Exchange Infrastructure 7.0 | | |
| Operating Systems and Database Platforms | SAP NetWeaver CE Security Guide; choose Operating System and Database Platform Security Guides. | |
| Master Data Management (MDM) | MDM 7.1 Security Guide | |

For a complete list of the available SAP Security Guides, see SAP Service Marketplace at
http://service.sap.com/securityguide.
Important SAP Notes
The most important SAP Notes that apply to the security of the business scenario are shown in the table below:

| Title | SAP Note | Comment |
|---|---|---|
| Central Note for SAP NetWeaver MDM GDS 2.1 | 1425531 | |

For a list of additional security-relevant SAP Hot News and SAP Notes, see also SAP Service Marketplace at
http://service.sap.com/securitynotes.
Additional Information
For more information about specific topics, see the Quick Links as shown in the table below.

| Content | Quick Link on SAP Service Marketplace or SCN |
|---|---|
| Security | http://scn.sap.com/community/security |
| Security Guides | http://service.sap.com/securityguide |
| Related SAP Notes | http://service.sap.com/notes, http://service.sap.com/securitynotes |
| Released platforms | http://service.sap.com/pam |
| Network security | http://service.sap.com/securityguide |
| SAP Solution Manager | http://service.sap.com/solutionmanager |
| SAP NetWeaver | http://scn.sap.com/community/netweaver |

3 Technical System Landscape
Use
SAP NetWeaver MDM GDS consists of the following components:
- Back-end system (SAP ERP, SAP ECC, or any other system that can send messages to PI)
- SAP NetWeaver Process Integration (SAP EHP1 for NetWeaver PI 7.1)
- MDM Server (Release 7.1) and underlying database (MS SQL, Oracle, or DB2)
- GDS Console - Java-based application running on SAP NetWeaver Application Server (SAP NetWeaver Application Server)
- AS2 adapter (either SAP NetWeaver PI 7.3 B2B AS2 Adapter or Seeburger)
- Third-party components
  o 1Sync data pools
  o SA2 data pools.
For more information about the technical system landscape, see the resources listed in the table below:

| Topic | Guide/Tool | Quick Link on SAP Service Marketplace or SCN |
|---|---|---|
| Technical description for GDS and the underlying components such as SAP NetWeaver | Master Guide | http://service.sap.com/instguides |
| Security | Security Guide | http://service.sap.com/security |

4 User Administration and Authentication
The GDS business scenario uses the user management and authentication mechanisms provided with the SAP
NetWeaver platform, in particular SAP NetWeaver Master Data Management and, where GDS is used in portal
mode, Application Server Java. Therefore, the security recommendations and guidelines for user administration
and authentication as described in the security guides for SAP NetWeaver MDM and for SAP NetWeaver
Application Server Java also apply to the GDS business scenario.
For the SAP NetWeaver Master Data Management Security Guide, see the SAP Service Marketplace at
http://service.sap.com/installmdm
For the SAP NetWeaver Application Server Java Security Guide, see http://service.sap.com/securityguide
→SAP NetWeaver→SAP NetWeaver in Detail→Security→Security in Detail→Security Guides→SAP Basis/
Web AS Security Guides→SAP NetWeaver Application Server Java Security Guide.
In addition to these guidelines, we include information about user administration and authentication that
specifically applies to the business scenario in the following topics:
User Management
This topic lists the tools to use for user management, the types of users required, and the standard users that
are delivered with the SAP NetWeaver MDM GDS.
User Data Synchronization
This topic describes how user data is synchronized with other sources.
Integration into Single Sign-On Environments
This topic describes how GDS supports Single Sign-On mechanisms.
Recommendation
We recommend that GDS is run with the default security settings delivered with MDM.
4.1 User Management
Use
User management for the GDS business scenario relies on the user management of the MDM component. This
means that the users of the GDS business scenario are stored in the MDM Server.
In more detail, user management differs between the following two scenarios.
GDS in Standalone Mode
GDS uses the user management capabilities of the MDM Server only. Thus the user types, roles, and password
policies of MDM also apply to the GDS business scenario. For more information about MDM user management
capabilities, see the security guide for MDM 7.1 on the SAP Service Marketplace at
http://service.sap.com/installmdm.
For logon purposes, the GDS business scenario uses its own logon screen.
For user administration, the user and role management screens can be used inside the GDS business scenario.
The User and Role Management menu can only be accessed by a user with the role Admin. For more information
about user and role management, see the SAP Help Portal at http://help.sap.com →SAP NetWeaver Master Data
Management, Global Data Synchronization Option.
GDS in Portal Mode
The following must be in place before the portal user can use GDS in SAP NetWeaver Portal:
- The portal user must have the GDS portal role.
- The portal user must be mapped to a GDS User.
For more information on how to set the GDS portal role and how to configure the user mapping, see the
installation guide for GDS 2.1 on the SAP Service Marketplace at http://service.sap.com/instguides → SAP
NetWeaver Master Data Management, Global Data Synchronization Option → Installation Guide.
If GDS is running in portal mode, the capabilities of the SAP NetWeaver user management engine (UME) apply for
the user authentication. The SAP NetWeaver Portal authentication is used for authentication purposes when the
user is accessing the portal. For more information about the UME, see the SAP Help Portal at http://help.sap.com
→ User Management of SAP NetWeaver AS for Java.
In addition, GDS 2.1 uses the user defined in the MDM Server. The connection between the portal user and the
MDM user is defined with the MDM trusted connections feature. For more about trusted connections, see the
MDM 7.1 Security Guide on the SAP Service Marketplace at http://service.sap.com/installmdm →SAP NetWeaver
MDM 7.1→MDM 7.1 – Security Guide.
User Administration Tools
The table below shows the tools to use for user management and user administration with the business scenario.
User Management Tools

| Tool | Detailed Description | Prerequisites |
|---|---|---|
| GDS 2.1 Console, Application Administration, User and Role Management | For more information, see the SAP Help Portal at http://help.sap.com | Only a user with GDS Admin role is able to access this tool. |
| MDM Console | For more information, see the security guide for MDM 7.1 on the SAP Service Marketplace at http://service.sap.com/installmdm | |
| User management engine (UME) with SAP NetWeaver AS Java | For more information about the UME, see the SAP Help Portal at http://help.sap.com → User Management of SAP NetWeaver AS for Java. | GDS 2.1 is running in portal mode. |

User Types
The GDS business scenario differentiates between the following two types of user:
- Admin users – can access the Application Administration menu
- Non-Admin users – cannot access the Application Administration menu.
Standard Users
The table below shows the standard users – sometimes referred to as technical GDS users - that are necessary to
operate the business scenario.
Standard Users

| System | User ID | Type | Initial Password | Description |
|---|---|---|---|---|
| MDM | Admin | MDM default Admin user | <empty> or abc123 | Administrator user initially provided. |
| GDS 2.1 Console | GDSAdmin | GDS Admin user | <empty> or abc123 | GDS default administrator user. For all workflows launched by the GDS business scenario, this user is the owner of the workflow. Import, export, response processing, and automation are initiated with this user during the business scenario. |

Initial Passwords are set to <empty> starting from GDS 2.1 SP04. All of these users are delivered with the
business scenario. You need to create all other business scenario users after the installation.
Recommendation
We recommend changing the user IDs and passwords for users that are automatically created during
installation. If either the user name or password is changed, update the GDS 2.1 Application Properties,
and replace the changed values. For more information about updating application properties, see the
configuration guide for GDS 2.1 on the SAP Service Marketplace at http://service.sap.com/instguides
→Industry Solutions→Industry Solution Guides→SAP for Consumer Products→SAP MDM GDS
2.1→Configuration Guide.
Caution
According to SAP Note 1905286, changing the initial passwords of the standard technical GDS users is mandatory
for security reasons.
If you get the error message "MDM is not available; contact your administrator" after installing GDS,
check whether the following application properties are set properly:
GDSCORE.mdmsystemuserpassword, MDM.AdminPassword, GDS.SystemUserPassword
Emergency User Concept
- Standalone mode – For more information, see the SAP NetWeaver Master Data Management Security Guide at http://service.sap.com/installmdm →SAP NetWeaver MDM 7.1→MDM 7.1 – Security Guide→Emergency User
- Portal mode – For more information, see the security guide for SAP NetWeaver CE on the SAP Help Portal at http://help.sap.com.
4.2 User Data Synchronization
Use
User data synchronization applies only when GDS is running in portal mode. If a user who does not yet exist in
MDM logs in to the GDS Console from the portal, the user is created in MDM. During creation, no user information
is copied from the portal user. The MDM user is created with the same username as the portal user, and with the
single Everyone role.
Note
Portal users with the user name Admin and Administrator have the Admin role in MDM.
Note
An MDM user is created with a random password. A user who has the Admin role can change this
password to a known password, if needed. The password is not used for trusted connections.
4.3 Integration into Single Sign-On Environments
Use
The GDS business scenario supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver in portal
mode only. In this case, the security recommendations and guidelines for user administration and authentication
as described in the SAP NetWeaver Security Guide also apply to the business scenario.
GDS 2.1 in standalone mode does not support SSO.
5 Authorizations
Use
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine’s
user administration console on the AS Java.
The authorization concept of the GDS business scenario is based on the SAP NetWeaver Master Data
Management role concept.
Every user can be assigned an arbitrary number of roles, which come from the MDM role management system. In
addition, authorization objects can be defined for every role, such as tabs, validations, screens, and so on. For the
complete list and details of authorization objects, see the chapter below.
Roles available in GDS can be assigned in the GDS console using Application Administration→User and Role
Management→User Management. On the Role Management tab, the authorization objects can be configured for
every role.
Note
For more information about how to assign and configure roles, see the SAP Help Portal at
http://help.sap.com →SAP NetWeaver Master Data Management, Global Data Synchronization Option →
Application Help → User and Role Management.
Standard Roles
The table below shows the standard roles that are used by the business scenario:
Standard Roles

| Role | Description |
|---|---|
| Admin | Only users with this role are able to access the Application Administration menu and the About screen. |
| Default | |
| Everyone | Every user of the GDS business scenario shall have this role. |
| Support | Provides read-only access for support purposes. This role has all the screen authorization objects, but none of the operation authorization objects assigned to it. |

Standard Authorization Objects
The table below shows the security-relevant authorization objects used by the business scenario.
Standard Authorization Objects

| Authorization Object | Field | Value | Description |
|---|---|---|---|
| Tabs | List of tabs the user is allowed to see on the detail screen. | Tabs | List of tabs the user is allowed to see on the detail screen. |
| Validations | List of validations the user is allowed to run on executing trade item validation. Note that the automatic validation prior to the registration is based on the role defined in the Application Properties. | Validations | List of validations the user is allowed to run on executing trade item validation. Note that the automatic validation prior to the registration is based on the role defined in the Application Properties. |
| Screens | List of menu items the user is allowed to see in the menu. An authorized screen without the corresponding operation results in a read-only screen. | Screens | List of menu items the user is allowed to see in the menu. An authorized screen without the corresponding operation results in a read-only screen. |
| Operations | List of operations the user is allowed to perform during the business scenario. | Operations | List of operations the user is allowed to perform during the business scenario. |
| Read only fields | List of fields the user must be unable to edit, and see only in a read only mode. | Read only fields | List of fields the user must be unable to edit, and see only in a read only mode. |
| Value restrictions | List of restrictions that apply for the visibility of items. With value restrictions, it is possible to restrict access to items based on some selected item attribute values. Those items that do not meet the value restriction criteria are not displayed to the user. | Value restrictions | List of restrictions that apply for the visibility of items. With value restrictions, it is possible to restrict access to items based on some selected item attribute values. Those items that do not meet the value restriction criteria are not displayed to the user. |

Minimum Authorization Concept
We recommend that all users have the minimum necessary privileges that they need to perform their tasks:
- Assign the Admin role only to those users who need to administer the system
- Do not assign any authorization object listed above which is not needed for the user
- If applicable, specify a value restriction.
Critical Combinations of Authorizations
Note that the Admin role has special permissions in the GDS business scenario. Every user with the Admin role
has this special permission, regardless of other roles the user has.
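
The role semantics described in this chapter (a screen without its corresponding operation is read-only, the Support role carries screens but no operations, every user has the Everyone role, and Admin overrides other roles) can be checked mechanically against an export of role assignments. The following Python review script is an added example, not SAP code; the export layout, the screen-to-operation mapping, the approved-administrator list, the DataSteward role, and all screen, operation and user names are constructed assumptions.

```python
# Added example: least-privilege review of GDS role assignments.
# Role semantics follow the guide; the data layout and every screen,
# operation and user name below are constructed for illustration.

# Assumed mapping: the operation that makes each screen writable.
SCREEN_OPERATION = {
    "Trade Items": "Edit Trade Item",
    "Registration": "Register Trade Item",
    "Publication": "Publish Trade Item",
}

# Constructed export: role -> Screens / Operations authorization objects.
ROLES = {
    "Admin": {"screens": set(SCREEN_OPERATION),
              "operations": set(SCREEN_OPERATION.values())},
    "Everyone": {"screens": {"Trade Items"}, "operations": set()},
    "Support": {"screens": set(SCREEN_OPERATION), "operations": set()},
    "DataSteward": {"screens": {"Trade Items", "Registration"},
                    "operations": {"Edit Trade Item", "Publish Trade Item"}},
}

# Constructed export: user -> assigned roles.
USERS = {
    "GDSAdmin": ["Admin", "Everyone"],
    "jdoe": ["Everyone", "DataSteward"],
    "helpdesk1": ["Everyone", "Support", "Admin"],
    "batch_ext": ["DataSteward"],
}

EMPTY_ROLE = {"screens": set(), "operations": set()}


def effective_access(role_names, roles=ROLES, screen_op=SCREEN_OPERATION):
    """Union a user's roles and classify every visible screen.

    Returns (access, unused): access maps screen -> "read-write" or
    "read-only"; unused lists operations granted without their screen.
    """
    screens, operations = set(), set()
    for name in role_names:
        role = roles.get(name, EMPTY_ROLE)
        screens |= role["screens"]
        operations |= role["operations"]
    # A screen is writable only if its corresponding operation is granted.
    access = {s: "read-write" if screen_op.get(s) in operations else "read-only"
              for s in sorted(screens)}
    visible_ops = {screen_op.get(s) for s in screens}
    unused = sorted(operations - visible_ops)
    return access, unused


def audit(users=USERS, roles=ROLES, approved_admins=frozenset({"GDSAdmin"})):
    """Return (subject, code, detail) findings for the minimum authorization concept."""
    findings = []
    support = roles.get("Support")
    if support and support["operations"]:
        findings.append(("Support", "SUPPORT_HAS_OPERATIONS",
                         "Support is described as read-only but carries operations"))
    for user, role_names in sorted(users.items()):
        for name in role_names:
            if name not in roles:
                findings.append((user, "UNKNOWN_ROLE", name))
        if "Everyone" not in role_names:
            findings.append((user, "NO_EVERYONE", "every user shall have this role"))
        if "Admin" in role_names:
            if user not in approved_admins:
                findings.append((user, "ADMIN_UNAPPROVED",
                                 "Admin assigned outside the approved list"))
            if "Support" in role_names:
                # Admin permissions apply regardless of other roles, so the
                # read-only intent of Support is void for this user.
                findings.append((user, "ADMIN_OVERRIDES_SUPPORT",
                                 "Admin cancels the read-only Support restriction"))
        _, unused = effective_access(role_names, roles)
        for op in unused:
            findings.append((user, "OPERATION_WITHOUT_SCREEN", op))
    return findings


if __name__ == "__main__":
    for subject, code, detail in audit():
        print(f"{subject:10} {code:26} {detail}")
```
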
6 Network and Communication Security
Your network infrastructure is extremely important in protecting your system. Your network needs to support the
communication necessary for your business needs without allowing unauthorized access. A well-defined network
topology can eliminate many security threats based on software flaws (at both the operating system and
application level) or network attacks such as eavesdropping. If users cannot log on to your application or database
servers at the operating system or database layer, then there is no way for intruders to compromise the machines
and gain access to the back-end system’s database or files. Additionally, if users are not able to connect to the
server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on
the server machines.
The network topology for the business scenario is based on the topology used by the SAP NetWeaver platform.
Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also
apply to the business scenario. Details that specifically apply to the business scenario are described in the
following topics:
Communication Channel Security
This topic describes the communication paths and protocols used by the business scenario.
Network Security
This topic describes the recommended network topology for the business scenario. It shows the appropriate
network segments for the various client and server components and where to use firewalls for access
protection. It also includes a list of the ports needed to operate the business scenario.
Communication Destinations
This topic describes the information needed for the various communication paths, for example, which users
are used for which communications.
For more information, see the following sections in the SAP NetWeaver Security Guide:
- http://help.sap.com → SAP NetWeaver Application Server Java Security Guide→Network Security
- http://help.sap.com → Security Guide for Connectivity with the AS Java.
6.1 Communication Channel Security
Use
The following table shows the communication channels used by the business scenario, the protocol used for the
connection, and the type of data transferred:

| Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection |
|---|---|---|---|
| Front-End client using SAP GUI for Windows to application server | DIAG | All application data | For example, passwords, business data. |
| Front-End client using a Web browser to application server | HTTP(S) | All application data | For example, passwords, business data. |
| Application server to application server | RFC, HTTP(S) | Integration data | Business data. |
| Application server to third-party application | HTTP(S) | All application data | For example, passwords, business data. |
| AS2 adapter to external data pools | AS2, HTTP | Messages from the system | Encrypted messaging, digital certificates. |

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections
are protected using the Secure Sockets Layer (SSL) protocol.
For more information, see the SAP Help Portal at http://help.sap.com → SAP NetWeaver Application Server Java
Security Guide→Network Security→Transport Layer Security.
Caution
When installing SAP EHP 1 for SAP NetWeaver CE 7.1 Java Application Server and SAP MDM Server on
different hosts, consider the following: the communication channel of the MDM server is not encrypted.
This means that the communication between the GDS Console and the MDM Server is not encrypted.
Caution
When using the flat file export feature of GDS 2.1 and transmitting trade items to FTP or e-mail locations
over PI, make sure that you apply the security settings for the channel (FTPS or S/MIME).
For more information, see the SAP NetWeaver Process Integration Security Guide on the SAP Service
Marketplace, at http://service.sap.com/securityguide →SAP NetWeaver 7.0 Security Guides (Complete)
→Security Guides for SAP NetWeaver According to Usage Types→Security Guide for Usage Type
PI→Network and Communication Security→FTP and FTPS.
6.2 Network Security
Services and Ports
For more information about the services and ports used by SAP NetWeaver, see the SAP Help Portal at
http://help.sap.com →SAP NetWeaver→SAP NetWeaver CE→SAP NetWeaver Composition Environment
Library→Administrator’s Guide→SAP NetWeaver CE Security Guide→Security Guides for CE Core
Components→SAP NetWeaver Application Server for Java Security Guide→Network Security.
For more information about the services and ports used by SAP NetWeaver Master Data Management, see the
security guide for MDM on the SAP Service Marketplace at http://service.sap.com/installmdm.
For more information about the services and ports used by SAP NetWeaver Exchange Infrastructure, see the SAP
Help Portal at http://help.sap.com →SAP NetWeaver→SAP NetWeaver PI/Mobile/IdM 7.1→SAP NetWeaver
Process Integration 7.1 Including Enhancement Package 1→SAP NetWeaver Process Integration Library→Security
Guide→Security Guides for SAP NetWeaver Usage Types→SAP NetWeaver Process Integration Security Guide.
Firewall Settings
For more information about firewall settings recommended for SAP NetWeaver, see the SAP Help Portal at
http://help.sap.com →SAP NetWeaver→SAP NetWeaver CE→SAP NetWeaver Composition Environment
Library→Administrator’s Guide→SAP NetWeaver CE Security Guide→Security Guides for CE Core
Components→SAP NetWeaver Application Server Java Security Guide→Network Security.
For more information about firewall settings recommended for Master Data Management, see the security guide
for MDM on the SAP Service Marketplace at http://service.sap.com/installmdm.
6.3 Communication Destinations
Use
The table below shows an overview of the communication destinations used by the GDS business scenario.
Connection Destinations

| Destination | Delivered | Type | User, Authorizations | Description |
|---|---|---|---|---|
| SAP ERP or SAP ECC or SAP ERP→SAP NetWeaver PI | Yes | RFC – ERP | User role: SAP_XI_APPL_SERV_USER | http://service.sap.com/instguides →Industry Solutions→Industry Solution Guides→SAP for Consumer Products→SAP MDM GDS 2.1→Configuration Guide→Setting Up Data Transfer ERP System to GDS Console. |
| SAP ERP or SAP ECC→SAP NetWeaver PI <SAPSLDAPI> | Yes | RFC – TCP/IP | | http://service.sap.com/instguides →Industry Solutions→Industry Solution Guides→SAP for Consumer Products→SAP MDM GDS 2.1→Configuration Guide→Setting Up Data Transfer ERP System to GDS Console. |
| SAP ERP or SAP ECC→SAP NetWeaver PI <LCRSAPRFC> | Yes | RFC – TCP/IP | | http://service.sap.com/instguides →Industry Solutions→Industry Solution Guides→SAP for Consumer Products→SAP MDM GDS 2.1→Configuration Guide→Setting Up Data Transfer ERP to GDS Console. |
| SAP NetWeaver PI→SAP NetWeaver PI | Yes | TCP/IP | | http://help.sap.com →SAP NetWeaver→SAP NetWeaver PI/Mobile/IdM 7.1→SAP NetWeaver Process Integration Library→Developer's Guide→Integrating Applications, Business Partners, and Services→Tasks→Configuring Message Processing→Working with PCK→Configuration with the PCK→Define Collaboration Profile→Defining Communication Channels→Configuring the XI Adapter in the Integration Directory/PCK. |
| SAP PI→SAP PI <SAPSLDAPI> | Yes | TCP/IP | | http://help.sap.com →SAP NetWeaver→SAP NetWeaver PI/Mobile/IdM 7.1→SAP NetWeaver Process Integration Library→Developer's Guide→Integrating Applications, Business Partners, and Services→Tasks→Configuring Message Processing→Working with PCK→Configuration with the PCK→Define Collaboration Profile→Defining Communication Channels→Configuring the XI Adapter in the Integration Directory/PCK. |
| SAP NetWeaver PI→SAP ERP or SAP ECC | Yes | RFC- ERP | User Role: SAP_XI_IS_SERV_USER. Authorization Objects: S_RFC (Activity Execute, RFC object EDIN, object type Function Group), B_ALE_RECV | http://service.sap.com/instguides →Industry Solutions→Industry Solution Guides→SAP for Consumer Products→SAP MDM GDS 2.1→Configuration Guide→Setting Up Data Transfer ERP System to GDS Console. |

SAP NetWeaver
PI→1Sync Data
Pool
Yes HTTP SSL Client http://service.sap.com/instguides
→Industry Solutions→Industry
Solution Guides→SAP for
Consumer Products→SAP MDM
GDS 2.1→Configuration
Guide→Setting Up Data Exchange
with 1Sync Data Pool.
SAP NetWeaver Master Data Management
Network and Communication Security
CUSTOMER
©2017 SAP AG or an SAP affiliate company. All rights reserved. 21
Destination Delivered Type User, Authorizations Description
For SAP NW PI 7.3 B2B AS2
Adapter, see SAP Notes 1695520
and 1695563 for information
about download and compatibility.
For Seeburger,
http://service.sap.com/swdc
→Download→Installations and
Upgrades→Entry by Application
Group→Adapters→Seeburger→XI-
A AS2 BY SEEB. →NW2004S-PI-A
AS2 SEEB 1.6 →Installation.
SAP ERP or
SAP ECC or
SAP ERP→SAP
NetWeaver PI
Yes RFC –
ERP
User role:
SAP_XI_APPL_SERV_USER
http://service.sap.com/instguides
→Industry Solutions→Industry
Solution Guides→SAP for
Consumer Products→SAP MDM
GDS 2.1→Configuration
Guide→Setting Up Data Transfer
ERP System to GDS Console.
7 Data Storage Security
Use
For more information about the data storage security of SAP NetWeaver and components installed on this base,
see the security guide for SAP NetWeaver 7.0 on the SAP Service Marketplace at http://service.sap.com.
Additionally, for data storage security regarding data stored in MDM, see the security guide for MDM on the SAP
Service Marketplace at http://service.sap.com/installmdm.
8 Digital Asset Management
Use
For more information about the optional Virus Scan Interface integration, see the Configuration Guide for the
Virus Scan Interface on the SAP Service Marketplace at http://service.sap.com.
For more information about configuring the maximum file size accepted by the SAP NetWeaver Application
Server, see the property setting of icm/HTTP/max_request_size_KB in the ICM Administration Guide on the
SAP Service Marketplace at http://service.sap.com.
9 Security for Additional Applications
9.1 AS2 Adapter for SAP NetWeaver Exchange Infrastructure 3.0 / Process Integration
Security Features
If you use the SAP NetWeaver PI 7.3 B2B AS2 Adapter, more information is available on the SAP Help Portal at
http://help.sap.com/nwpi →Process Integration Add-Ons. SAP Notes 1695520 and 1695563 provide further
information about download and compatibility.
To learn more about the security features of the AS2 Adapter for SAP NetWeaver Exchange Infrastructure 7.1, see
the AS2 Adapter for SAP NetWeaver Exchange Infrastructure 7.1: Setup Guide on the SAP Service Marketplace at
http://service.sap.com/swdc →Download→Installations and Upgrades→Entry by Application Group→Adapters
→Seeburger→XI-A AS2 BY SEEB→NW2004S-PI-A AS2 SEEB 1.6→Installation.
Note
To access the documentation, you must extract the ZIP file on the Download tab page. In the
Configuration Guide, choose Overview→Features.
Secure Communication Channel Configuration
To secure communication channels used by the Seeburger EDIINT AS2 Adapter for SAP
Exchange Infrastructure 7.1, see the following subsections on the SAP Service Marketplace at
http://service.sap.com/swdc →Download→Installations and Upgrades→Entry by Application Group→Adapters
→Seeburger→XI-A AS2 BY SEEB→NW2004S-PI-A AS2 SEEB 1.6→Installation.
Note
To access the AS2 Adapter for SAP NetWeaver Exchange Infrastructure 3.0 Configuration Guide, you must
extract the ZIP file on the Download tab page.
In the Channel Configuration section of the configuration guide, see the following sections:
Activities
Receiver Channel (Outbound Processing)
Sender Channel (Inbound Processing)
Sender Agreement
Receiver Agreement.
Listener Port and URL
For information about the ports and URLs used, see the Seeburger Adapter Configuration Guide, chapter Listener
Port and URL.
Security Settings
For information about encryption and signing within the AS2 Adapter for SAP NetWeaver Exchange Infrastructure
7.1, see the SAP Service Marketplace at http://service.sap.com/swdc →Download→Installations and Upgrades
→Entry by Application Group→Adapters→Seeburger→XI-A AS2 BY SEEB→NW2004S-PI-A AS2 SEEB 1.6
→Installation.
Note
To access the AS2 Adapter for SAP NetWeaver Exchange Infrastructure 3.0 Configuration Guide, you must
extract the ZIP file on the Download tab page.
In the configuration guide, choose Security Settings→Encryption and Signing.
For information about the configuration of the Secure Sockets Layer (SSL) within the AS2 Adapter for SAP
NetWeaver Exchange Infrastructure 7.1, choose Security Settings→SSL.
10 Other Security-Relevant Information
Use
To use the Web browser as a user front end, you have to activate JavaScript (Active Scripting) to ensure a
working user interface. This could conflict with your security policy regarding Web services.
For more information about the security configuration of Web services, see the GDS 2.1 Configuration Guide on
the SAP Service Marketplace at http://service.sap.com/instguides →Industry Solutions→Industry Solution
Guides→SAP for Consumer Products→SAP MDM GDS 2.1→Configuration Guide GDS 2.1.
11 Security-Relevant Logging and Tracing
Use
All security-relevant log messages during the business scenario are created using the following category:
//Common//.
For more information about log and trace messages, see the GDS 2.1 Application Operations Guide on the SAP
Service Marketplace at http://service.sap.com/instguides →Industry Solutions→Industry Solution Guides→SAP
for Consumer Products→SAP MDM GDS 2.1→Application Operations Guide GDS 2.1→Trace and Log Files.
For more information about the Master Data Management security logs, see the security guide for MDM on the
SAP Service Marketplace at http://service.sap.com/installmdm.
12 Appendix
You can find more information about the security of SAP applications on the SAP Service Marketplace at
http://service.sap.com/securityguide.