Introducing Secure Access and Authentication

Objective

After completing this lesson, you will be able to describe the elements of Secure Access and Authentication in the networking context, including the network topology and protocol, the Secure Network communication, and the SAP Cryptographic Libraries.

Network Topology and Protocol

A network topology refers to the arrangement of nodes (such as servers, workstations, and other devices) and the connections between them in an SAP system. This can include the physical layout of the network, and the logical connections between different components of the SAP landscape, such as SAP ERP, SAP S/4HANA, SAP BW, and others.

Common network topologies in SAP environments include:

  1. Client/server topology: In this setup, clients (user workstations or mobile devices) communicate with servers hosting SAP applications and databases.
  2. Distributed topology: This topology involves distributing SAP resources and services across multiple geographic locations, typically using multiple data centers or cloud regions.
  3. Hybrid topology combines on-premises and cloud-based SAP resources, allowing flexibility and scalability.

A well-designed network topology ensures reliable, high-performance access to SAP applications and data for users and stakeholders. It also plays a critical role in SAP systems' security and data protection.

Diagram showing the paths from SAP GUI via SAProuter and Browser via SAP Web Dispatcher to reach servers running GW, ICM, and AS ABAP or AS Java services. HTTP uses black arrows, and RFC/DIAG uses blue arrows.

Network protocols are a set of rules and conventions governing the communication and exchange of data between devices/communication partners on a network. These protocols define how devices send, receive, and process data, allowing for seamless communication and interoperability between different types of hardware and software. Various protocols are used when telephoning compared to broadcasting. In computer communication, other issues are handled at different levels.

Some common network protocols include:

  1. Internet Protocol (IP): This protocol is responsible for routing and addressing data packets across the internet or any other network. It assigns a unique IP address to each device on the network, allowing them to send and receive data to and from other devices.
  2. Transmission Control Protocol (TCP): TCP is a connection-oriented protocol that ensures the reliable delivery of data packets. It manages data transmission between devices by establishing and maintaining a connection, error-checking, and retransmitting lost or corrupted packets.
  3. User Datagram Protocol (UDP): UDP is a connectionless protocol that is faster but less reliable than TCP. It is often used for time-sensitive applications such as video streaming or online gaming, prioritizing speed over error-checking and retransmitting.
  4. Hypertext Transfer Protocol (HTTP): HTTP is a protocol for transferring hypertext documents (such as web pages) over the internet. It is the foundation of data communication for the World Wide Web and defines how web browsers and servers interact.
  5. File Transfer Protocol (FTP): FTP is a protocol for transferring files between a client and a server on a network. It provides a set of commands for accessing, transferring, and managing files and directories on a remote server.

These are just a few examples of the many network protocols, each serving a specific purpose and crucial in enabling communication and data exchange across networks.

The protocols deal with the following issues:

  • How many volt pulses is a 0 and 1?
  • How to determine the end of a message?
  • How to handle lost messages?
  • How to identify computers?
  • How to connect to a computer?
  • How do applications communicate on a network?

Secure Network Communication

Secure Network Communication (SNC) is a software layer provided by the SAP architecture that supports an interface to external security products, which can provide more security functions that are not directly available in the SAP system. SNC can be applied to connections that use SAP protocols (diag, rfc, or cpic). SNC secures the communication pathway between various SAP components and provides various levels of security protection:

  • Authentication protection: Verification of the communication partner identity.
  • Integrity protection: Validating that no changes or manipulation of the data has occurred.
  • Privacy protection: Encrypted end-to-end communications.

Privacy protection includes authentication and integrity protection.

Diagram showing SAP GUI communicating through a firewall and SAProuter to AS ABAP and AS Java servers. Arrows indicate data flow, with security and connection icons throughout the process.

SNC provides privacy protection for the following communication paths:

  • Between two SAP NetWeaver AS ABAP systems
  • Between SAP NetWeaver AS ABAP and SAP NetWeaver AS Java
  • Between SAP GUI and SAP NetWeaver AS ABAP
  • Between SAP routers

You must configure the SNC and install the security libraries on each SAP NetWeaver component that is about to become a communication partner. SNC can also be used with an external security product.

SAP Cryptographic Libraries

The SAP Cryptographic Library is SAP's default security library product for performing encryption functions in SAP systems. It provides robust cryptographic functions, supports a range of security protocols, and integrates seamlessly with various SAP components, helping businesses protect sensitive data and maintain trust with their stakeholders.

SAP cryptographic libraries provide cryptographic services essential for securing SAP applications and data. The key features can be summarized as follows:

  1. Encryption and Decryption: SAP cryptographic libraries offer tools to transform data into a secure format (encryption) and revert it to its original form (decryption), ensuring confidentiality.
  2. Digital Signatures: They enable the creation and verification of digital signatures, helping ensure data authenticity and integrity.
  3. Hashing: The libraries provide hashing functions to generate unique, fixed-size strings from data, which can be used for verifying data integrity.
  4. Secure Communication: They support secure communication protocols, like SSL/TLS, to protect data transmitted over networks.
  5. Compliance: The libraries are designed to meet various security standards and regulatory requirements, ensuring compliance for businesses using SAP systems.
  6. Key Management: Efficient management of cryptographic keys is facilitated, helping maintain cryptographic operations' security and integrity.

For example, you can use it to provide Secure Network Communications (SNC) between various SAP server components or use the Secure Sockets Layer (SSL) protocol with the AS ABAP. In essence, SAP cryptographic libraries are crucial for safeguarding SAP applications and data against unauthorized access and tampering.

The two primary cryptographic libraries SAP provides as a safeguard to be deployed onto your systems are the following:

SAPCRYPTOLIB

SAP CryptoLib is a long-standing Cryptographic Library used in many SAP applications. It is the foundation for various security features, such as encryption, digital signatures, and secure communication protocols. Here are its main functions:

  1. Secure Communication: Supports secure protocols such as SSL/TLS for encrypting data transmitted over networks.
  2. Encryption and Decryption: Provides strong encryption and decryption functionalities to protect sensitive data.
  3. Digital Signatures: Facilitates the creation and verification of digital signatures, ensuring data authenticity and integrity.
  4. Key Management: Manages cryptographic keys efficiently to maintain security.
  5. Compliance: Designed to meet various regulatory and security standards.

CommonCryptoLib

CommonCryptoLib (CCL) is the successor to SAP CryptoLib and offers enhanced features and broader compatibility. While SAPCRYPTOLIB has a long-standing presence and remains used for many functions, CommonCryptoLib represents the future, offering enhanced features, better performance, and compatibility with the latest security standards. It is more advanced and flexible and often recommended for newer implementations. Its features include:

  1. Enhanced Security Protocols: Supports not only SSL/TLS but also other modern cryptographic protocols.
  2. Wider Algorithm Support: Includes a more extensive range of encryption, hashing, and digital signature algorithms.
  3. Integration: Better integration with various SAP components and external systems.
  4. Performance Improvements: Optimized for better performance in cryptographic operations.
  5. Backward Compatibility: This provides backward compatibility with older applications that use SAP CryptoLib.
  6. Advanced Key Management: More advanced tools and options for managing cryptographic keys.

Lesson Summary

In summary, SAP CryptoLib is an older library that provides essential cryptographic functions for SAP systems. At the same time, CommonCryptoLib is the modern, enhanced version offering improved performance, broader algorithm support, and better integration capabilities. Both are crucial for maintaining the security of SAP applications and data.

Transitioning to CommonCryptoLib is recommended for new implementations to utilize its advanced capabilities.

For more information on the SAP Cryptographic Library, see SAP Note 1848999.

For more information about using the library for SSL, see Configuring the AS ABAP for Supporting SSL.

Log in to track your progress & complete quizzes

Learning

SAP FacebookSAP YoutubeSAP LinkedIn