Smaller Business Partner and Subsidiary Integration

With this variant, SAP NetWeaver uses the Partner Connectivity Kit (PCK) as an endpoint for B2B communication to support smaller business partner and subsidiary integration.

The PCK is basically a J2EE-based Adapter Engine that is able to run without an Integration Server, Integration Builder, or System Landscape Directory. The PCK targets inter-enterprise communication between business partners where one partner does not employ the full PI usage type, but instead uses the smaller-scale PCK.

The following security aspects apply:

●  Communication

The PCK communicates with the Integration Server of the bigger business partner or parent company by using the XI protocol.

See also: Communication

●  Security roles

The PCK offers different security roles that are deployed during the installation of the PCK together with the corresponding J2EE components and that are assigned to the user PCKUSER created during installation.

If several users are to work with the PCK, create different users for them and assign each user to the specific role required.

●  Single sign-on

For the PCK single sign-on configuration, see Single Sign-On Configuration for the PCK.

●  Service user for message exchange: authentication and authorization

Each messaging communication is executed under a messaging service user that must be authenticated for each individual communication path and that must have the appropriate authorizations in the respective messaging target component. For the sender PCK, the user is obtained by directory configuration in the PCK.

User identity propagation should not be used for B2B communication, because external users cannot be distinguished from internal users.

In the receiver PCK, only the security role xi_af_receiver of the J2EE component sap.com/com.sap.aii.af.ms.app*MessagingSystem allows the execution of incoming messages.

The user PCKRECEIVER is created during installation of the PCK with the security role xi_af_receiver. This user can be used for testing purposes. However, we strongly recommend that you create separate messaging users with the corresponding role representing individual business systems in a productive environment.

For certain adapters in the PCK, access control lists (ACLs) can be defined in the Integration Directory.

See also: Service Users for Message Exchange

●  Auditing message execution

The PCK has a runtime persistence layer for short-term storage of executed messages and an archiving component for long-term storage. It uses SAP NetWeaver Application Server Java (AS-Java) for this purpose. To archive XML messages, you can define rules and schedule the archiving jobs.

See also: Auditing

●  Message-level security

Message-level security allows you to digitally sign or encrypt documents exchanged between systems or business partners. It improves communication-level security by adding security features that are particularly important for inter-enterprise communication. Message-level security is recommended and sometimes a prerequisite for inter-enterprise communication.

However, message-level security is not guaranteed across the entire communication path of a message, but only for the intended B2B connections, which can be the following communication paths when the PCK is involved:

○  XI protocol

   ■  PCK to Integration Server

   ■  Integration Server to PCK

○  SOAP protocol

   ■  SOAP sender to PCK

   ■  PCK to SOAP receiver

○  Mail protocols

   ■  Mail server to PCK (IMAP4/POP3)

   ■  PCK to mail server (IMAP4/SMTP)

See also: Message-Level Security

For non-repudiation purposes, signed messages are stored in a dedicated archive, the non-repudiation archive. It contains data to prove the validity of the signature. The PCK uses the J2EE message archive for this purpose.

See also: Archiving Secured Messages
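The two points above (a signature protects a document only on the connection where it is verified, and a non-repudiation archive must keep enough data to prove the signature's validity later) are illustrated by the following added example. It is not PCK or SAP code and does not use the XML Signature format the PCK would apply; it models the same idea with an Ed25519 signature over a constructed sample order: the receiver verifies before accepting, stores the exact signed bytes together with the signature and the signer's public key (in a real landscape this would be the signer's certificate), and can re-verify the stored record during a later dispute. The type and function names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// ArchiveRecord is a constructed model of a non-repudiation archive entry.
// It keeps everything needed to re-verify the signature later, without
// depending on the sender still being reachable or cooperative.
type ArchiveRecord struct {
	MessageID  string
	ReceivedAt time.Time
	Payload    []byte            // the exact signed bytes, not a re-serialised copy
	Signature  []byte
	SignerKey  ed25519.PublicKey // in a real deployment: the signer's certificate
	PayloadSHA string            // integrity fingerprint of the stored payload
}

// SignMessage is the sender side: sign the payload bytes exactly as transmitted.
func SignMessage(priv ed25519.PrivateKey, payload []byte) []byte {
	return ed25519.Sign(priv, payload)
}

// ReceiveAndArchive is the receiver side: verify before accepting the message,
// then store payload, signature and signer key together so the proof survives.
func ReceiveAndArchive(msgID string, pub ed25519.PublicKey, payload, sig []byte) (*ArchiveRecord, error) {
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("signature verification failed: message rejected")
	}
	sum := sha256.Sum256(payload)
	return &ArchiveRecord{
		MessageID:  msgID,
		ReceivedAt: time.Now().UTC(),
		Payload:    append([]byte(nil), payload...),
		Signature:  append([]byte(nil), sig...),
		SignerKey:  append(ed25519.PublicKey(nil), pub...),
		PayloadSHA: hex.EncodeToString(sum[:]),
	}, nil
}

// ReverifyArchived re-checks an archived record, for example during a dispute:
// the stored payload must still match its fingerprint, and the signature must
// still verify under the stored signer key.
func ReverifyArchived(r *ArchiveRecord) bool {
	sum := sha256.Sum256(r.Payload)
	if hex.EncodeToString(sum[:]) != r.PayloadSHA {
		return false
	}
	return ed25519.Verify(r.SignerKey, r.Payload, r.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample business document (not taken from the original page).
	order := []byte(`<Order id="4711"><Item sku="A-100" qty="2"/></Order>`)
	sig := SignMessage(priv, order)

	rec, err := ReceiveAndArchive("msg-0001", pub, order, sig)
	if err != nil {
		panic(err)
	}
	fmt.Println("archived:", rec.MessageID, "verifies:", ReverifyArchived(rec))

	// A modified payload presented with the original signature must be rejected.
	tampered := []byte(`<Order id="4711"><Item sku="A-100" qty="20"/></Order>`)
	if _, err := ReceiveAndArchive("msg-0002", pub, tampered, sig); err != nil {
		fmt.Println("tampered message:", err)
	}
}
```

The design point is that the archive stores the signed bytes verbatim rather than a re-serialised copy: any canonicalisation or re-formatting after receipt would change the bytes and invalidate the stored signature, which is exactly the evidence the archive exists to preserve.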

●  Network security

Depending on the usage scenario, the risk assessment of the network infrastructure, and the company's security policy, appropriate security measures should be taken.

The most critical case is where PI is used for B2B messaging and the business partner sends HTTP messages over Internet connections that are not secure. In this case, we strongly recommend that you use secure messaging connections and security components such as firewalls and application gateways to prevent attackers from eavesdropping or modifying messages.

Depending on the security requirements, a dedicated Integration Server for B2B messaging can be added in a separate network zone. This provides enhanced security because it impedes direct access from the Internet to the more critical A2A Integration Server and A2A Adapter Engines.

See also:

Network and Communication Security

Network Zones

●  Monitoring and tracing

In a PCK environment, monitoring is performed by the local message display tool.

In this tool, you can restrict the monitoring permissions by three security roles called Display, Modify, and Payload. The Display role allows only message header monitoring, whereas the Payload role also allows payload monitoring.

In the monitored PCK, component sap.com/com.sap.xi.mdt*mdt is assigned to the corresponding security roles.

Besides being monitored, message payloads can also be traced, depending on the trace configuration in the corresponding SAP NetWeaver Administrator. As each message execution in the PCK includes a generic messaging service and an adapter-specific service, each message can be traced by both services.

See also: J2EE-Based Messaging Components