SAP NetWeaver Application Server Java Security Guide


This guide is intended to provide you with an overview of the security aspects and recommendations that apply for the SAP NetWeaver Application Server (SAP NetWeaver AS) for Java Server technology.

The J2EE Engine is the primary engine for the usage type Application Server Java (AS-Java) of the SAP NetWeaver. Therefore, the security aspects and recommendations for the AS-Java are equally relevant to securing the J2EE Engine.

Target Audience

·        Technology consultants

·        System administrators

This guide is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for business transactions and business data management, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security apply likewise to the usage type AS-Java of the SAP NetWeaver platform. To assist you in securing the AS-Java, we provide this Security Guide.


There is also an SAP NetWeaver Application Server ABAP Security Guide.

About this Document

This security guide provides an overview of the security-relevant information that applies to the AS-Java. It contains an overview of the security considerations for the AS-Java and links to the security administration or development functions in the J2EE Engine Administration and Development Manuals, respectively.

The Security Guide contains the following sections:

·        Before You Start

Provides links to additional information, a list of important SAP Notes and other security guides that apply to securing the J2EE Engine.

·        Technical System Landscape

Provides a brief overview of the technical system landscape of the Java systems.

·        User Administration and Authentication

Describes user management, standard user types and synchronization of user data, as well as AS-Java authentication mechanisms and Single Sign-On integration.

·        Authorizations

Provides an overview of the authorization concepts on the J2EE Engine. The topics discussed include authorization checking on the J2EE Engine, standard User Management Engine (UME) actions and security roles.

·        Network Security

Provides an overview of the communication channels used by the J2EE Engine and the corresponding transport layer security mechanisms. We also provide an example of a secure network infrastructure using network zones and information on the standard communication ports used by the J2EE Engine.

·        Data Storage Security

Describes the aspects of maintaining the availability, confidentiality and integrity of security-sensitive data stored and used by the J2EE Engine.

·        Dispensable Functions with Impacts on Security

Provides information about deactivating optional J2EE Engine services that you may not need in productive operations.

·        Other Security Relevant Information

Presents an overview of additional topics relevant to securing the J2EE Engine, such as Java Virtual Machine (JVM) security, security of the JMS service, database connection security and security for the Software Deployment Manager (SDM).

·        Tracing and Logging

Provides a discussion of the security aspects in using the logging and tracing functions available on the J2EE Engine.