S 4.267 Secure use of the SAP Java Stack user management

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

The SAP Java stack has its own user administration system that can be used independently of the ABAP stack. The following must be considered in this case:

Configuring the user memory

The Java stack manages its users in a user memory that can be configured in version 6.30 and higher. The main user memories available include the Java stack database and the User Management Engine (UME). If the UME is used, an LDAP directory or ABAP stack can be used as user memory.

In general, it is recommended to use the ABAP stack as user memory instead of the UME. This allows users to be administrated in the ABAP stack. Access to the ABAP stack is obtained through the JavaConnector (JCo) using the authorisations of the ABAP stack user SAPJSF.

It is necessary to decide which user memory will be used during the project planning phase.

Creating an emergency administrator

Just like for the ABAP stack, an emergency administrator also must be created for the Java stack. The same organisational protection mechanisms apply to this emergency administrator as to the emergency administrator of the ABAP stack (see S 4.259 Secure use of the ABAP Stack user management).

Securing standard users

The standard Java stack users Administrator, System, and Guest must be secured in the following manner:

• A secure password must be selected. Depending on the version, the password is either selected during installation or must be assigned manually after finishing installation.
  
  The guest account (Guest user) must be disabled.

Concept for user administration

In the planning phase, a concept for user administration must be drawn up that also takes the Java stack into consideration. It must be noted when drawing up this concept that users can only be administrated using the Visual Administrator tool. By default, it is necessary to log on with administrator rights (i.e. the user must be a member of the "Administrators" group). This means, for example, that Help Desk employees connect using administrative authorisations. This can be prohibited by reconfiguring the internal authorisation structures, but this is a complex task and cannot prohibit all administrative activities.

Alternatively, users can be administrated using the web interface of the UME when the UME is used.

The Java stack allows unknown users to register themselves. When creating the concept, it must be decided whether or not this functionality should be used. A careful analysis of the risks must be conducted, because users who register themselves will be authenticated by the Java stack after registration. The users generally will not possess any additional authorisations, but some installed applications will have security vulnerabilities (for example, no authorisation check is performed when accessing using certain URLs) that could be exploited under some circumstances by self-registered users. This function must be considered a critical function, especially when using the internet. To prevent users from being able to register themselves, the UME property "ume.logon.selfreg" must be set to the value "FALSE". This is configured in the Properties file in the file system or using the "Configtool" Java stack tool. In general, concepts allowing self-registration must be planned carefully and users should not be allowed to self-register by default. It is recommended to require the security management to approve of the use of self-registration.

Access to the UME web interface

The UME web interface permits user administration using a browser. When this function is used, the following must be taken into consideration:

• By default, users and administrators are allowed to access the UME web interface. It is then possible for normal users to administrate their own user accounts (e.g. to change their passwords). Users in the "Administrators" group are able to administrate users (e.g. to create users).
• Only authorised administrators should be able to access the UME web interface for the purpose of user administration. This can be put into effect by implementing corresponding authentication requirements for the access URL.
• Consideration should be given to only permitting access to the UME web interface by authorised administrators from client computers.
• If applications use the UME to store user-specific properties (UME properties), it must be noted that these properties can be changed by the users themselves if they are granted access to the UME web interface.

Whether or not to use the UME web interface and, if so, which security-related requirements its use should be subject to must be decided in the planning phase.

Review questions:

• Has it been defined which user memory is used in SAP (Java stack database or User Management Engine)?
• Has the guest account (Guest user) been disabled for the Java stack in the SAP system?
• Is the UME web interface used securely, if it is used at all?