Welcome to this SAP presentation which will cover the Security features of SAP NetWeaver Gateway Productivity Accelerator for Microsoft or GWPAM for short.

Post on 20-Feb-2022

1 views

Category:

Documents


0 download

TRANSCRIPT

1

Welcome to this SAP presentation which will cover the Security features of SAP NetWeaver Gateway Productivity Accelerator for Microsoft or GWPAM for short.

2

In this session, the following topics will be covered:

An overview of the Authentication Mechanisms used with GWPAM

Step by Step instructions on how to implement each of the Authentication Mechanisms

Step by Step instructions on how to roll-out the Group Policy across a domain

And lastly, validating the Group Policy Roll-Out

3

GWPAM provides easily pluggable libraries to handle security and single sign-on for applications.

The different types of authentication mechanisms supported are Basic, SAML 2.0 and X.509.

Let’s take a look at each of the options.

Basic Authentication

The basic authentication method is where the user name and password are set directly in the code or by using the .adm file.

Basic Authentication should only be used in a development/test environment.

SAML 2.0

The Security Assertion Markup Language (SAML) version 2.0 is a standard for the communication of assertions about principals, typically users. The assertion can include the means by which a subject was authenticated, attributes associated with the subject, and an authorization decision for a given resource.

X.509

An X.509 client certificate is a digital "identification card" for use on the Internet, also known as a public-key certificate. A user who accesses the SAP Web Application Server and presents a valid certificate is authenticated on the server using the SSL protocol. The information contained in the certificate is passed to the server and the user is logged on to the server based on this information. User authentication takes place in the underlying protocols and no user ID and password entries are necessary.

Additional information on SAML 2.0 and X.509 can be found in the SAP Help Portal using the links in this document.

4

To use the Basic authentication as the security mechanism to interact with SAP NW Gateway, the following changes would need to be completed in the generated code:

1. From the Solution Explorer, navigate to Project folder → SAP Service Reference → App.config.

2. Double click the App.config to open it.

3. Change the “SSO” value in the App.config file to “BASIC”.

4. Fill in the User Name and Password for basic authentication in the HandleSAPConnectivity method in the BusinessConnectivityHelper class.

5

To use the SAML 2.0 SSO authentication as the security mechanism to interact with SAP NW Gateway, the following changes would need to be completed in the generated code:

1. From the Solution Explorer, navigate to Project folder → SAP Service Reference → App.config.

2. Double click the App.config to open it.

3. Change the “SSO” value in the App.config file to “SAML20” and provide the appropriate value for the “client”.

Additional information on SAML 2.0 configuration can be found on the SAP Help Portal at http://help.sap.com/saphelp_nw70ehp2/helpdata/en/46/631b92250b4fc1855686b4ce0f2f33/frameset.htm

6

To use the X.509 certificate SSO authentication as the security mechanism to interact with SAP NW Gateway, the following changes would need to be completed in the generated code:

1. The user machine should have an X.509 certificate whose root certificate is trusted by SAP NW Gateway.

2. From the Solution Explorer, navigate to Project folder → SAP Service Reference → App.config.

3. Double click the App.config to open it.

4. Change the “SSO” value in the App.config file to “X509” and provide the appropriate value for the “client” as shown in the diagram.

5. Enter the name of the Trusted Issuer Certificate.

Additional information on the X.509 configuration can be found on the SAP Help Portal at: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/a8/d9d53a9aa9e933e10000000a114084/content.htm

7

Configuration for Security can be maintained in both the Group Policy Administrative Template file (ADM) and the app.config file. However, if both are maintained, the entries in the app.config file will be given preference.

In order for the Group Policy Administrative Template file (ADM) to always be given preference, the ‘Service Section’ in the App.config file must be commented out.

1. From the Solution Explorer, navigate to Project folder → SAP Service Reference → App.config.

2. Double click the App.config to open it.

3. Find the ‘Service Section’ and comment out the complete section.

8

This section provides the steps to roll-out the policy based configuration across a domain.

By default each GWPAM project created will contain an administrative template file and the templates will be attached to the generated solution. The administrative template file can be found in the “SAP Service Reference” folder with the .adm file extension.

You can add/modify/delete the entries in this template file as required and save it as a .adm file. The file will then be used by the domain administrator to roll-out the policy globally.

9

To copy the .adm file to the Domain server navigate to C:\....\Documents\Visual Studio 2010\Projects\(Project Name)\(Project Name)\SAP Service Reference

1. Right click on the .adm file and select Copy.

2. Paste it in a location on the Domain server.

10

1. In the domain server navigate to Start → Programs → Administrative Tools → Group Policy Management. The Group Policy Management screen appears.

2. Expand Domains → System (name of the system) and select Group Policy Objects in the tree region.

3. Right click on the Group Policy Objects and select ‘New’ from the resulting dropdown list.

4. Enter the name for your new Group Policy Object and select ‘OK’.

11

1. The newly created policy will be displayed under the Group Policy Objects folder in the tree region.

2. Right click on the new group policy object and select ‘Edit’ from the dropdown list. The Group Policy Management Editor screen will appear.

12

1. Expand User Configuration → Policies and select Administrative Templates.

2. Right click on Administrative Templates and select Add/Remove Templates. The Add/Remove Templates window appears.

3. Select ‘Add’ to locate your template (.adm file).

4. Navigate to the location where the .adm file was saved.

Ensure that you are adding the correct template file. On adding an incorrect file the tree region will not display the new folder under the Classic Administrative Templates folder.

5. The Group Policy template will be added to the Classic Administrative Templates folder.

13

1. Close the Add/Remove Templates window. A new folder will appear under the Classic Administrative Templates folder in the tree region.

2. Expand the new folder and select the Service Details folder. The details region displays the services settings available in the template file.

3. Double click on the settings to open the Properties window and enable the setting by selecting the ‘Enabled’ radio button.

4. Provide the URL, Client and SSO Options.

5. Click Apply and close the Properties window, then close the Group Policy Management Editor.

14

1. Navigate to the policy you have created in the Group Policy Management screen under Group Policy Objects. The details region displays the details of the policy.

2. Choose the Settings tab. The details you provided in the Properties window will be displayed in the settings view of the Group Policy Objects.

15

The next step is to set up the security filter. The filter assigns the policy to the objects, for example Groups, Users, Computers, etc.

1. Click the Scope tab in the details region.

2. Click Add in the Security Filtering region.

The Authenticated Users entry in the Security Filtering window should be removed if you do not want the Group Policy to be applied for all authenticated users in the domain.

The Select User, Computer, or Group window appears.

3. Enter the name of the user in the Enter the object name to select field and click Check Names to populate the matching names.

4. Select the required user and click OK to add it.

16

1. Click and drag the new policy under Group Policy Objects to the domain system listed under Domains to create a link between the policy and the domain.

A confirmation message displays confirming the linking. Click OK to proceed.

17

1. The policy is now listed under the selected domain.

2. Right click on the policy listed under the domain and select Enforced to activate it. A check mark appears indicating that it is selected.

18

The verification of the policy roll-out should be done for the user that was included in the Security Filtering region. The verification must be done on the client machine.

To verify the policy roll-out on the client machine proceed as follows:

1. Log on to a client machine that is connected to the domain, as a user for whom the policy is applicable.

2. Open the command prompt and run the GPUPDATE /force command to synchronize the policy, in case it is not already synchronized.

3. Open the Registry Editor and navigate to HKEY_CURRENT_USER\Software\Policies.

4. The policy you created will be available under the Policies folder and the details region will display the corresponding registry entries.
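A scripted form of this verification, added here and not part of the SAP deck or of GWPAM: it refreshes policy, reads the values the template delivers under HKEY_CURRENT_USER\Software\Policies, and flags an SSO value of BASIC (development/test only, per the overview) or a gateway URL that is not HTTPS. The registry subkey name is a placeholder, and the script assumes the template writes URL, Client and SSO as string values.

```powershell
# Added verification script; it is not part of the SAP deck or of GWPAM itself.
# Assumption: the GWPAM template stores its Service Details values (URL, Client, SSO)
# as string values under a subkey of HKCU\Software\Policies. The subkey name is
# installation specific, so the default below is a placeholder to replace.
param(
    [string]$PolicyKey = 'HKCU:\Software\Policies\<GWPAM template folder>',
    [switch]$SkipGpUpdate
)

# Deck step 2: refresh policy first so a stale state is not validated.
if (-not $SkipGpUpdate) {
    & gpupdate.exe /force | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "gpupdate returned exit code $LASTEXITCODE" }
}

# Deck steps 3 and 4: the GPO must have materialised as registry values under the key.
if (-not (Test-Path -Path $PolicyKey)) {
    Write-Error "Policy key '$PolicyKey' is absent: check the GPO link, the Enforced flag and Security Filtering."
    exit 1
}

$values   = Get-ItemProperty -Path $PolicyKey
$present  = $values.PSObject.Properties.Name
$expected = @('URL', 'Client', 'SSO')       # the three settings the template exposes
$missing  = $expected | Where-Object { $present -notcontains $_ }
if ($missing) {
    Write-Error "Policy applied but values are missing: $($missing -join ', ')"
    exit 1
}
# Checks a reviewer would want on the delivered values.
$findings = @()
switch ([string]$values.SSO) {
    'BASIC'  { $findings += 'SSO=BASIC is for development/test only; use SAML20 or X509 for production.' }
    'SAML20' { }
    'X509'   { }
    default  { $findings += "Unrecognised SSO value '$($values.SSO)'." }
}
if ([string]$values.URL -notmatch '^https://') {
    $findings += "Gateway URL '$($values.URL)' is not HTTPS."
}

# App.config 'Service Section' entries still override these unless commented out (slide 7).
[pscustomobject]@{
    PolicyKey = $PolicyKey
    URL       = $values.URL
    Client    = $values.Client
    SSO       = $values.SSO
    Findings  = $findings
}
```

Run it in the session of the filtered user after logon; an empty Findings list with all three values present means the roll-out reached that user with a production-grade setting.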

19

www.sap.com

© 2013 SAP AG. All rights reserved.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.

Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
