Network and Communication Security

The portal is dependent on the NetWeaver Application Server for Java (AS for Java) for network communication. The portal network and communication security concept is covered by the security concept for the AS for Java. For more information, see SAP NetWeaver Application Server Java Security Guide.

Network Architecture

The network architecture you use depends on how sensitive the applications and data are that can be accessed through the portal. Many different architectures are possible. For a portal installation that requires a medium level of security or higher, we recommend an architecture with multiple network zones. In this architecture, the portal server and its underlying AS for Java are located in the inner DMZ. Backend systems such as SAP systems are located in the high security area, as are user persistence stores such as a corporate directory server or an ABAP-based SAP system.

Search and Classification (TREX)

If you are using Search and Classification (TREX) with your portal installation, we suggest that you install the TREX server on a host separate from the portal server. Separate the two servers with a packet-filtering firewall. For optimum security, the TREX server should only be accessible by the portal and not by normal users. For more information on TREX security, see Search and Classification (TREX) Security Guide.

Backend Communication

Client browsers interact with the portal through iViews. The client browser may request information that is not on the portal server. The portal does one of the following depending on the iView being used:

- The portal or the host AS for Java connects directly to the backend system, by Remote Function Call (RFC) or by HTTP.

  Protect this communication by enabling Secure Network Communication (SNC) for RFC connections or Secure Sockets Layer (SSL) for HTTP connections of the iView.

- The portal triggers a direct connection between the client browser and the backend system.

  The iView calls the relevant page within an iFrame by means of a redirect (HTTP status 30x) or JavaScript. Protect this communication by enabling SSL for the iView; because the browser connects to the backend directly, the backend system itself must accept SSL connections. Where possible, do not include sensitive information such as user name and password in the redirect URL. When the iView uses SAP GUI for Windows or SAP GUI for Java, the communication uses the dialog (DIAG) protocol, which you can protect with SNC.

Neither the portal nor the AS for Java provides a proxy function: when an iView initiates a client-backend connection, the browser must be able to reach the backend system directly (see the firewall requirements below).
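The following is an added example, not code from the SAP guide or from SAP: it audits the target URL that a client-backend iView hands to the browser in a redirect, checking the two points above (SSL, and no credentials in the URL). The HTTP responses are constructed for the example and the host names are placeholders; sap-user and sap-password are the ICF logon parameters, the other names in SENSITIVE_PARAMS are illustrative assumptions.

```python
# Added example, not code from the SAP guide: audit the target URL that a
# client-backend iView hands to the browser in a redirect.  The HTTP responses
# below are constructed for the example; sap-user and sap-password are the ICF
# logon parameters, the other names in SENSITIVE_PARAMS are illustrative.
from typing import List, Optional
from urllib.parse import parse_qsl, urlsplit

SENSITIVE_PARAMS = {"sap-user", "sap-password", "password", "passwd", "pwd", "j_password"}


def location_from_response(raw: bytes) -> Optional[str]:
    """Return the Location header of a 30x HTTP response, or None if the
    response is not a redirect or carries no Location header."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[1].startswith("3"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def audit_target(url: str) -> List[str]:
    """Findings for a backend URL the browser will open directly: the target
    must use SSL and must not carry credentials in the userinfo or the query."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        findings.append("not SSL: scheme is " + (parts.scheme or "missing"))
    if parts.username is not None or parts.password is not None:
        findings.append("credentials in URL userinfo")
    for key, _ in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            findings.append("sensitive query parameter: " + key)
    return findings


def audit_redirect(raw: bytes) -> List[str]:
    """Audit a raw HTTP response; a response that is not a redirect with a
    Location header is reported as a finding rather than silently passed."""
    target = location_from_response(raw)
    if target is None:
        return ["not a 30x redirect or no Location header"]
    return audit_target(target)


# Constructed sample responses (hosts are placeholders, not real systems).
BAD_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://bw01.corp.example:8000/sap/bw/BEx?sap-user=JDOE&sap-password=secret\r\n"
    b"Content-Length: 0\r\n\r\n"
)
GOOD_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://bw.example.com/sap/bw/BEx?sap-client=100&sap-language=EN\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, resp in (("bad", BAD_RESPONSE), ("good", GOOD_RESPONSE)):
        print(label, audit_redirect(resp) or ["ok"])
```

The audit only reports; the remedy for credentials in the redirect is to rely on the backend's own logon mechanism rather than to pass a user name and password in the URL, since a URL is visible in browser history, proxy logs and the Referer header of the page loaded in the iFrame.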

iView Types and Backend Connection

| iView Type          | Examples                                                                                                                                   | Connection                                                                                                                                                   |
|---------------------|--------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|
| SAP Connector-Based | RFC, BAPI                                                                                                                                  | Client-Portal-Backend                                                                                                                                        |
| SAP Application     | SAP transaction, Business Server Page (BSP), Business Warehouse (BW) report, Crystal Enterprise reports, Internet Application Component (IAC) | Client-Backend. When a BW report iView is in caching mode, BW caches responses on the portal server, so the connection is Client-Portal-Backend.            |
| Database            | Java Database Connectivity (JDBC)                                                                                                          | Client-AS for Java-Backend                                                                                                                                   |
| Web-based URL       |                                                                                                                                            | Client-Backend (default). When the iView property Fetch mode is server-side: Client-Portal-Backend.                                                         |
| XML-based           | RSS, Busdoc                                                                                                                                | Client-Backend (default). When the iView property Fetch mode is server-side: Client-Portal-Backend.                                                         |
| Web Dynpro          |                                                                                                                                            | Client-AS for Java-Backend                                                                                                                                   |

If you have set up a network architecture with one or more firewalls, and your portal integrates iViews that initiate client-backend communication, you must open access for the client through the firewalls to the application server of the backend system. Note that this exposes the backend system directly to the client network, whereas a client-portal-backend connection only requires the portal to reach the backend. In the external facing portal scenario, you must also configure a translation table (publishing rules) on the application gateway. This enables the application gateway to pass the external address of the backend system to the client browser. Set the iView property WAS Host Name to the external address of the backend system, so that the URLs handed to the browser match the publishing rules.
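The following is an added example, not code from the SAP guide or from SAP. It applies the connection table above and the firewall requirements in this paragraph to an iView inventory: it derives which flows the zone firewalls must permit, and, for the external facing portal scenario, reports client-backend iViews that have no publishing rule or whose WAS Host Name does not match the external address. The IView fields, the inventory, the publishing-rule table and the host names are assumptions constructed for the example; the portal and the AS for Java are treated as one source, since the portal runs on the AS for Java.

```python
# Added example, not code from the SAP guide: derive from an iView inventory
# which flows the zone firewalls must permit and which client-backend iViews
# need a publishing rule on the application gateway.  The IView fields, the
# inventory and the publishing-rule table are assumptions for this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Connection paths as named in the table of iView types.
CLIENT_BACKEND = "Client-Backend"
CLIENT_PORTAL_BACKEND = "Client-Portal-Backend"
CLIENT_AS_JAVA_BACKEND = "Client-AS for Java-Backend"


@dataclass(frozen=True)
class IView:
    name: str
    iview_type: str                      # one of the iView types in the table
    backend_host: str                    # internal host name of the backend system
    fetch_mode: str = "client-side"      # Web-based URL / XML-based: "client-side" or "server-side"
    bw_caching: bool = False             # BW report iView running in caching mode
    was_host_name: Optional[str] = None  # value of the iView property WAS Host Name


def connection_path(iv: IView) -> str:
    """Map an iView to its connection path, following the table in the guide."""
    t = iv.iview_type
    if t == "SAP Connector-Based":
        return CLIENT_PORTAL_BACKEND
    if t in ("Database", "Web Dynpro"):
        return CLIENT_AS_JAVA_BACKEND
    if t == "SAP Application":
        return CLIENT_PORTAL_BACKEND if iv.bw_caching else CLIENT_BACKEND
    if t in ("Web-based URL", "XML-based"):
        return CLIENT_PORTAL_BACKEND if iv.fetch_mode == "server-side" else CLIENT_BACKEND
    raise ValueError("unknown iView type: " + t)


def required_flows(iviews: List[IView]) -> Set[Tuple[str, str]]:
    """Flows (source, destination host) the packet filters between the zones must
    allow.  'client' is the browser outside the DMZ; 'portal' is the portal with
    its AS for Java in the inner DMZ (both Client-Portal-Backend and
    Client-AS for Java-Backend originate from that host)."""
    flows = {("client", "portal")}  # every iView needs the browser to reach the portal
    for iv in iviews:
        if connection_path(iv) == CLIENT_BACKEND:
            # The browser must pass the firewalls into the backend zone itself.
            flows.add(("client", iv.backend_host))
        else:
            flows.add(("portal", iv.backend_host))
    return flows


def gateway_findings(iviews: List[IView], publishing_rules: Dict[str, str]) -> List[str]:
    """External facing portal scenario: every client-backend iView needs a
    publishing rule (internal host -> external address) on the application
    gateway, and its WAS Host Name must equal that external address."""
    findings = []
    for iv in iviews:
        if connection_path(iv) != CLIENT_BACKEND:
            continue
        external = publishing_rules.get(iv.backend_host)
        if external is None:
            findings.append(f"{iv.name}: no publishing rule for {iv.backend_host}")
        elif iv.was_host_name != external:
            findings.append(
                f"{iv.name}: WAS Host Name {iv.was_host_name!r} does not match "
                f"external address {external!r}"
            )
    return findings


# Constructed inventory and publishing rules (placeholder host names).
INVENTORY = [
    IView("order-status", "SAP Connector-Based", "erp01.corp.example"),
    IView("sales-report", "SAP Application", "bw01.corp.example", was_host_name="bw.example.com"),
    IView("news-feed", "XML-based", "rss.corp.example", fetch_mode="server-side"),
    IView("legacy-intranet", "Web-based URL", "intranet.corp.example"),
]
PUBLISHING_RULES = {"bw01.corp.example": "bw.example.com"}

if __name__ == "__main__":
    for flow in sorted(required_flows(INVENTORY)):
        print("allow", *flow)
    for finding in gateway_findings(INVENTORY, PUBLISHING_RULES):
        print("finding:", finding)
```

Switching a Web-based URL or XML-based iView to server-side fetch mode removes its client-to-backend flow from the required set, which is the simplest way to keep the backend zone closed to clients where the content does not need a direct browser session.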