S 5.129 Secure configuration of HTTP-based services on SAP systems
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
A variety of services offered by an SAP system can be accessed via the HTTP interface. Access to the functions and applications of the Java stack is generally obtained using HTTP, and the ABAP stack is accessible via HTTP through the Internet Connection Framework (ICF). In general, the HTTP interface must be configured securely so that, on the one hand, accesses that transmit data worthy of protection are protected by SSL and, on the other hand, only the services that are actually needed are enabled.
The use of the following interfaces accessible via HTTP entails particular risks:
- SOAP interface
- WebDAV interface
- content server interface
The following must be taken into account:
SOAP interface
The Simple Object Access Protocol (SOAP) is a protocol that can be used to access web services. The following must be taken into consideration for the SOAP interface of an SAP system:
- The SOAP interface (ABAP stack and Java stack) should only be accessible after authentication.
- SOAP access must be protected using SSL.
- The ABAP stack provides a SOAP service for calling RFC-enabled modules (ICF path: /sap/bc/soap/rfc). If this service is enabled, RFC modules can be called via HTTP, which bypasses the firewall protecting the RFC ports of an SAP system. For this reason, the service should only be enabled if adequate security precautions have been taken. The same applies to the XML-based RFC service (ICF path: /sap/bc/xrfc).
- The protection offered by the Java stack using WS Security (Web Service Security, a collection of standards from the W3C and OASIS organisations) covers only the data transmitted in SOAP messages. This means it is impossible to check at the application level whether the data was transmitted over an authenticated connection. For this reason, authentication data should be checked in the application itself if the identity of the sender is important. To perform this check, the SOAP messages must contain authentication data, and this data must be protected against unauthorised disclosure.
In general, it is also necessary to ensure the security of the application accessed using SOAP by implementing corresponding authorisation checks.
References to the SAP documentation can be found in S 2.346 Use of the SAP documentation.
WebDAV interface
The WebDAV (Web-based Distributed Authoring and Versioning) protocol allows users to access information via HTTP as if it were stored in a file system. WebDAV access can be provided by the ABAP stack and the Java stack when appropriate products or applications are used. The Knowledge Warehouse (KW, ICF path: /sap/bc/kw/fs) is an example of such an application for the ABAP stack, and Component Collaboration Management (CM, SAP Enterprise Portal Component) is an example for the Java stack.
Since WebDAV access may, under some circumstances, result in accesses to the local file system, the local file system must be protected against unauthorised access. The primary goal is to protect the data offered via WebDAV, but an attacker could also use WebDAV to reach the local file system and use it to prepare further attacks. For this reason, access should only be granted after authentication and should be protected using SSL. In addition, it is always necessary to ensure that the authorisations have been assigned properly.
Content Server Interface
The Content Server Interface can be used to access document archives (repositories). If this interface is not protected, information and documents can be retrieved from all repositories available. The following must be taken into account:
- The Content Server Interface (ICF path /sap/bc/contentserver) should only be enabled when needed.
- Access should only be granted after authentication and should be protected using SSL.
- When accessing the administration interface, the user must be prompted to enter a password. To force users to enter a password, set the "AdminSecurity" parameter in the ContentServer.ini file to the value "1".
- It must be noted that administration takes place both outside the SAP system (e.g. using the INI file) and within the SAP system using the CSADMIN transaction (including the ICF settings).
References to additional documentation can be found in S 2.346 Use of the SAP documentation.
Review questions:
- Have only the required services been enabled for the HTTP interface in the SAP system?
- Has the HTTP interface in the SAP system been configured in such a way that data worthy of protection is protected by SSL during transmission?
- Is SOAP access in the SAP system protected using SSL?
- Is the WebDAV access only performed after authentication and protected using SSL?
- Has it been ensured that the content server interface in the SAP system is only enabled when needed?
- Is the content server interface in the SAP system only accessed after authentication and using SSL?
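The review questions above, together with the AdminSecurity setting from the Content Server section, can be turned into an automated check. The following Python script is an added example and not part of the BSI safeguard text; the dict-based service list is an assumed, simplified representation of an SICF export, the [ContentServer] section name in ContentServer.ini is an assumption, and all sample data is constructed.

```python
import configparser
from typing import Dict, List

# ICF services the safeguard singles out as needing special care (paths from the text).
RISKY_ICF_PATHS = {
    "/sap/bc/soap/rfc": "SOAP RFC service bypasses firewalling of the RFC ports",
    "/sap/bc/xrfc": "XML-based RFC service, same risk as the SOAP RFC service",
    "/sap/bc/kw/fs": "WebDAV (Knowledge Warehouse) may reach the local file system",
    "/sap/bc/contentserver": "Content Server interface exposes document repositories",
}

def audit_icf(services: List[Dict]) -> List[str]:
    """Return one finding per active ICF service that violates the safeguard.
    Each service is a dict with 'path', 'active', 'ssl_required', 'auth' (assumed format)."""
    findings = []
    for svc in services:
        if not svc["active"]:
            continue  # disabled is the desired state for services that are not needed
        path = svc["path"]
        if path in RISKY_ICF_PATHS:
            findings.append(f"{path}: active, confirm it is needed ({RISKY_ICF_PATHS[path]})")
        if not svc["ssl_required"]:
            findings.append(f"{path}: active without SSL")
        if svc["auth"] == "anonymous":
            findings.append(f"{path}: active without authentication")
    return findings

def audit_contentserver_ini(ini_text: str) -> List[str]:
    """Check that the admin interface demands a password (AdminSecurity=1).
    The [ContentServer] section name is an assumption of this example."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    value = cfg.get("ContentServer", "AdminSecurity", fallback=None)
    if value != "1":
        return [f"ContentServer.ini: AdminSecurity is {value!r}, expected '1'"]
    return []

# Constructed sample data, not taken from any real system.
SAMPLE_SERVICES = [
    {"path": "/sap/bc/soap/rfc", "active": True, "ssl_required": False, "auth": "anonymous"},
    {"path": "/sap/bc/xrfc", "active": False, "ssl_required": False, "auth": "anonymous"},
    {"path": "/sap/bc/kw/fs", "active": True, "ssl_required": True, "auth": "logon"},
    {"path": "/sap/bc/contentserver", "active": True, "ssl_required": True, "auth": "logon"},
    {"path": "/sap/public/ping", "active": True, "ssl_required": False, "auth": "anonymous"},
]
WEAK_INI = "[ContentServer]\nAdminSecurity=0\n"       # weak: admin interface without password
HARDENED_INI = "[ContentServer]\nAdminSecurity=1\n"   # corrected setting from the safeguard

if __name__ == "__main__":
    for finding in audit_icf(SAMPLE_SERVICES) + audit_contentserver_ini(WEAK_INI):
        print(finding)
```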