English Book: http://www.sappress.com/product.cfm?account=&product=H2919
German Book: http://www.sap-press.de/1444
How it all began
The idea for this book came from my WS-I Sample Application Blog Series: Securing the WS-I Sample Application in which I wrote about my experiences with developing and interoperability testing in the security and Web services area with the SAP NetWeaver Application Server. The blog was picked up by the eagle-eyed SAP PRESS team, and the initial idea was born of creating a practice-oriented workshop in the form of an SAP PRESS Essentials Guide that would deal with developers’ questions on the topic of SAP security. Right from the start, I was particularly focused on using a comprehensive, realistic enterprise scenario to present this sometimes complex subject matter in as clear a manner as possible. It quickly became clear in the planning phase that the scope of this topic was simply too large for the format of the SAP PRESS Essentials Guides, so the concept for this book was created.
I must admit that during the writing process, I realized that even this larger framework did not allow me to describe all the security functions of SAP NetWeaver. Nonetheless, I hope that the extensive range of information I have chosen to include in the book meets your expectations and that it will teach you one overriding thing in conjunction with the scenario used in the book: Security can be pretty cool!
You may be smiling wryly and thinking that this statement could only come from someone who has nothing else to do all day. It is true that compared to sophisticated UI technologies or cool mashups, security is less likely to get either users or developers really excited. After all, most of the work in this area takes place in the background, without the user even knowing that it is happening. However, considering that modern security technology has so many benefits, for example, enabling completely transparent access to internal and external systems within an enterprise portal while complex systems transform identity data, check authorizations, and encrypt messages on a cross-platform level in the background, users, too, should at least acknowledge this work 😉
I wrote the book mainly with those professionals in mind who, in their daily work, create artifacts that are incomprehensible to outsiders and who greatly value the creativity involved in what they do – software developers. To them, a few lines of code are often more meaningful than a hundred words, and for this reason, this book contains quite a lot of program listings. Therefore, first and foremost, this book is intended for people who work in SAP development and are faced with the exciting and difficult task of planning and implementing a security concept. It addresses both the internal security aspects of an application and how applications in conjunction with SAP NetWeaver Application Server up to and including Release 7.0 are integrated into an existing environment. The CD that comes with this book contains complete auxiliary materials for all the examples and the enterprise scenario, including source code, project files etc.
The enterprise scenario presented in this book gives you a cohesive overview of a typical security situation. The scenario uses a fictitious company to demonstrate how an enterprise application that is initially designed only for internal use can be gradually adapted in response to constantly changing business requirements and how new components can be added to this kind of application. The scenario forms the backbone of the book: The topics that are explained by means of theory and brief examples are included in the scenario and reflected there in practice-oriented situations. Each chapter finishes with an exercise. In these exercises, you get the chance to implement and test the extensions to the scenarios as described in the chapter, using the relevant development tools and runtime components. Cooperation with customers and partners plays a particularly important role in the enterprise scenario depicted in the book. Therefore, security standards and interoperability are two central aspects. Diversity as a characteristic applies just as much in the IT world as it does in the real world, so, to be genuinely realistic, a scenario must be designed to be as heterogeneous as possible. For this reason, during the course of the exercises, you will also use some common non-SAP tools and learn how to integrate these with SAP NetWeaver using open security standards.
The following chapter overview gives you an initial idea of the structure of the book and its focal points:
Chapter 1, Introduction, gives an overview of the overall structure and the scenario. It also explains how to set up the development environment based on the SAP NetWeaver 7.0 (2004s) ABAP and Java trial versions from SDN.
Chapter 2, Security Fundamentals, provides a brief and concise explanation of the most important basic concepts, such as digital signatures, cryptography and PKI, that are necessary for understanding subsequent chapters. It also introduces service-oriented architecture (SOA) and enterprise SOA, a concept built on it, which brings new and changing requirements in the context of security.
Chapter 3, Authentication and Authorization in SAP NetWeaver Application Server Java, is divided into three topic areas. The first of these describes the security functions that are supported by the Java EE standard and that are relevant to application development with the SAP NetWeaver Application Server Java and implements these functions in the enterprise scenario as a practical example. The second topic is the central User Management Engine (UME) and its programming interface. Here, too, you gain practical experience of the theoretical concepts in the enterprise scenario and the exercises. The third and final part of this chapter deals with advanced authentication using the JAAS framework.
Chapter 4, Single Sign-On (SSO), looks at the concept of a single authentication step in SAP system landscapes. Because there are several possible technical solutions in this area, this chapter first presents the SAP logon ticket and describes how it is used in conjunction with the integration of third-party software into the SAP NetWeaver Portal. The second part of the chapter deals with SSO and the concept of identity federation in a cross-enterprise context. The enterprise scenario and the exercise are used to implement a federated identity network on the basis of the Security Assertion Markup Language (SAML) standard and its support in SAP NetWeaver, in conjunction with a role-based UI in Web Dynpro.
Chapter 5, Identity Provisioning, looks at how identities are managed in distributed environments and presents the Identity Management APIs in SAP NetWeaver on the basis of the SPML standard. Building on the development work in Chapter 4, this chapter adds cross-enterprise identity management functions to the single sign-on solution in the enterprise scenario.
Chapter 6, Secure Web Services, first explains the many terms and industry standards in the area of security and Web services. A particular focus here is the Web Services Security standard and how it is supported for ABAP and Java in the SAP NetWeaver Application Server from the developer's viewpoint. In the enterprise scenario in this chapter, in line with the principles of service orientation, the business processes are optimized and securely integrated on the basis of cross-enterprise Web services. The book does justice to the inherent heterogeneity of SOAs by using the Web service platform in Microsoft® .NET 3.0, the Windows Communication Foundation, and the Apache Axis open-source project, as well as the SAP NetWeaver Application Server ABAP and Java.
The Appendix describes all the measures necessary for creating, certifying, and distributing the keys and certificates for the enterprise scenario in the ABAP and Java stacks. The complexity of the scenario makes it necessary to use a central certificate authority, which is built with the open-source tool OpenSSL.
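To give an idea of what such a lab certificate authority involves, here is an added example (not from the book or its CD) that builds a minimal OpenSSL CA, issues a server certificate for one scenario host, and checks that only certificates signed by that CA verify against it. The working directory, the subject names and the host name portal.example.test are assumptions chosen for this illustration.

```shell
#!/bin/sh
# Added example: a minimal lab PKI with OpenSSL.
# All file names and subject names below are assumptions, not the book's.
set -e
WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory for keys and certs

# Create a self-signed root CA (key + certificate) for the scenario.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Scenario Lab CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Generate a key and CSR for a host, then have the lab CA sign it.
# The SAN and EKU extensions come from a small extfile so the issued
# certificate is usable for TLS server authentication.
issue_cert() {
  name="$1"; cn="$2"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$cn" \
    > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 90 -sha256 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" 2>/dev/null
}

# A self-signed certificate that was NOT issued by the lab CA, to show
# that trust really depends on the CA signature and not on the name.
make_rogue_cert() {
  name="$1"; cn="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
    -subj "/CN=$cn" -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
}

# Print "ok" if the certificate chains to the lab CA, "fail" otherwise.
verify_cert() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Stand-alone run: build the CA, issue one host certificate, verify both.
make_ca
issue_cert portal portal.example.test
make_rogue_cert rogue portal.example.test
echo "portal: $(verify_cert portal)"   # chains to the lab CA
echo "rogue:  $(verify_cert rogue)"    # same CN, but no CA signature
```

Distributing the CA certificate (ca.crt) to every system that must trust the issued certificates, and keeping ca.key off those systems, is the part that turns this script into a workable trust anchor for a heterogeneous landscape.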
A long journey
After 12 months, 600 pages, several hundred lines of code and many, many coffees, I can say that I had great fun writing this book and developing the scenario. Special thanks go to the fantastic developer community of the SAP Developer Network, which was always a great source of inspiration for me, and to the people who make things happen behind the scenes. I hope you will pick up some of the enthusiasm I feel for this subject and will enjoy reading The Developer's Guide to SAP NetWeaver Security!