
Considerations and Recommendations for Internet-facing Fiori apps

As a UX specialist in the S/4HANA Regional Implementation Group team I’m privileged to work with many of our S/4HANA customers. Many of these customers are looking to drive the business benefits of S/4HANA by implementing Fiori at scale, and a lot of them seek our advice on how to expose their Fiori apps to the Internet. While this lets users start the Fiori apps without being on the company network or via VPN, it also creates a risk: the involved systems become reachable from the internet and are therefore more vulnerable. Customers therefore have to make sure they are well protected against cyberattacks. Often customers are not aware of the essential considerations, so as a team we have consolidated these into this single blog. We hope you find it helpful!

IMPORTANT: This blog only deals with Internet facing Fiori apps.  If you want to run your Fiori apps on mobile devices there are additional considerations for Mobile device usage. Certainly also have a look at the Fiori Client.

IMPORTANT: The security recommendations listed below can help to reduce, but do not eliminate, the risks involved. This blog is intended for S/4HANA, but other solutions like Fiori on ERP or Suite on HANA could reuse most of the recommendations.

Once you know if your Fiori applications will be hosted by systems located in the Cloud or On-Premise, you are ready to dive deeper into the considerations.

TIP: I have focussed in this blog on the On-Premise architecture.  You’ll find a comparison with SAP Fiori Cloud and some additional information at the end of the blog.

UPDATE 12/11/2018: Removed architecture section as this is customer specific.  And some smaller updates in other sections.

UPDATE 30/04/2018: The blog section “Choosing your Fiori Frontend Server Landscape Deployment Mode” has been updated with the general recommendation for SAP S/4HANA systems for an embedded SAP Front-end server deployment instead of a hub deployment.

After activating Fiori on your S/4HANA system or other SAP Solutions, you might want to enable your end-users to also access these Fiori applications directly from the Internet.  We will call this in the rest of this blog “Internet facing Fiori apps“.   The term “Internet-facing Deployment Security” is also used in the SAP Best Practices Guide: SAP S/4HANA Fiori Advanced Network and Security Configuration (MAB).


Architecture when your Fiori apps are hosted On-Premise

As always with On-Premise solutions you should pay attention to the general advice and recommendations detailed in the SAP NetWeaver Security Guide.  However there are some additional considerations when providing Fiori apps on the Internet.


Choosing your SAP Fiori front-end server Deployment Options

The general recommendation from SAP for SAP S/4HANA systems is to configure an embedded FES deployment instead of a hub deployment, see the blog on SAP Fiori Deployment Options and Recommendations. Having multiple SAP S/4HANA systems with different releases (e.g. 1610 and 1709 together) connected to one FES system and sharing the same FLP is not supported by SAP, see the blog for more details.

Nevertheless, dependent on the existing system landscape and usage scenario a hub deployment in some cases might be preferable for the customer because the FES can be placed in the DMZ and therefore provides an additional security layer.

With the embedded deployment there is no separate FES server providing the Fiori apps, so the SAP S/4HANA system itself is exposed directly to the internet, making it vulnerable to cyber-attacks. Therefore it is even more important to have a good firewall and network security in place. Some options and recommendations on how to do this are discussed in the next chapter of this blog.


Considerations and Recommendations when exposing SAP Fiori apps to the Internet

There are multiple options for customers to bring additional security in their landscape when allowing Fiori applications to be reached via the internet.

All the involved systems, like the Reverse Proxy, FES and SAP S/4HANA system, reside in the customer or hosting partner network.

Placing Your Firewall and Network Zones

A Firewall should be placed in front of the SAP Web Dispatcher, monitoring and controlling all incoming HTTP requests. These Firewall solutions have various security features protecting the systems behind them against cyberattacks and establish a barrier between the trusted internal network and the untrusted internet. Attacks like a Distributed Denial of Service (DDoS) should be stopped by the Firewall, so they cannot reach your SAP S/4HANA system.

You can also use a network security mitigation partner to route and filter the internet connections via their network before passing it to your organization.

Firewalls can also be configured with Edge authentication to block all non-authenticated requests, which also greatly improves the security of the SAP S/4HANA system.

Configuring Your SAP Web Dispatcher Routing 

The SAP Web Dispatcher is needed for routing the network calls to the correct systems. It should only forward requests to services in the Internet Communication Manager (ICM) that are necessary to run SAP Fiori apps. The latest recommended Web Dispatcher configuration is described in the UI Technology Guide, chapter 3.7.2.2 Routing Rules for SAP Web Dispatcher and ABAP Front End.


NOTE: The SAP Web Dispatcher together with SAP SSO 3.0 can be configured to only pass authenticated requests, in case this is handled by your Firewall.  See this SAP Single Sign-On Configuration for Network Edge Authentication documentation for more info.


NOTE: You can also replace the SAP Web Dispatcher with another reverse proxy if you already have one in your network infrastructure. The UI Technology and SAP Best Practice Configuration guides however only describe the configuration for the SAP Web Dispatcher, so if you use a different reverse proxy you will have to translate these settings to your chosen reverse proxy.


Do not allow WDA and WebGUI apps

Take special care when allowing SAP GUI for HTML and WDA apps via the Internet. If you do enable these via the internet, make sure to regularly check and implement all related security notes. These might require a kernel patch, which requires downtime of the S/4HANA system. See also the section Managing Your Security Patches below.

You can use a separate Web Dispatcher instance or a different configuration for internal and external access. For internal access you could allow these WDA and WebGUI applications, while requests coming from external can be denied WDA and WebGUI access.

NOTE: Using SAP Screen Personas on top of Web Dynpro for ABAP or SAP GUI for HTML does not remove any of these security concerns. See SAP Note 314568 on Limitations / Restrictions / Behavior of SAP Screen Personas.

NOTE: SAP GUI for HTML and Web Dynpro for ABAP are also not guaranteed for use on mobile devices like smartphones.

  • SAP GUI for HTML. Extract from SAP Note 314568 on the functionality / Limitations / Special Behaviour: Browsers on the iOS or Android platform behave differently and lack essential features like a Java runtime and navigation concepts such as right mouse click and double-click. Running transactions with SAP GUI for HTML is therefore not supported. There are SAP transactions that work, others that do not work.
  • Web Dynpro for ABAP. Extract from SAP Note 314568 on the list of known Restrictions and Browser Support: No mobile device / smartphone support. Exceptions for iPad in newer releases.

Encrypt all System Connectivity

When using non-encrypted network connections, the username and passwords and other sensitive network traffic can be captured by other parties.

Therefore, when enabling Fiori applications from the internet, you should always enable HTTPS end-to-end.  Check the Web Dispatcher, NetWeaver ABAP Application Server documentation on how to do this.

After enabling HTTPS you should also prohibit any HTTP connection to your ABAP based systems.  This can be done by removing the non-encrypted HTTP ICM services on ABAP Application Server like the SAP S/4HANA system, allowing only HTTPS connectivity.
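As an added example (not code from this blog, from SAP or from the UI Technology Guide), the following Python script dry-runs a Web Dispatcher permission table before it goes live. It ties together three of the points above: forwarding only the services needed for Fiori (the routing section), denying SAP GUI for HTML and Web Dynpro for ABAP on the internet-facing instance, and permitting the Fiori paths only over HTTPS. Such a file is the one referenced from the Web Dispatcher profile with `icm/HTTP/auth_0 = PREFIX=/,PERMFILE=<file>`; its entries use the documented actions P (permit), D (deny) and S (permit only over HTTPS). The table contents, the sample request URLs and the service names (ZMY_SRV, zapp, zwda_app, wd.example.invalid) are constructed for this example. The script assumes that entries are evaluated top to bottom with the first match deciding and that a URL matching no entry is denied; verify both against the ICM permission-table documentation for your kernel release before relying on the result.

```python
"""Dry-run evaluator for an SAP Web Dispatcher / ICM permission table.
Constructed example: tables, requests and service names are made up.
Evaluation order (first match wins, no match = deny) is an assumption."""
import re
from typing import List, Optional, Tuple

# Constructed permission table for the internet-facing Web Dispatcher.
# Actions: P = permit, D = deny, S = permit only when received over HTTPS.
EXTERNAL_PTAB = """\
# Deny the browser-based transaction UIs on the internet-facing instance
D /sap/bc/gui/sap/its/*
D /sap/bc/webdynpro/*
# Fiori launchpad, UI5 resources, OData and public resources: HTTPS only
S /sap/bc/ui5_ui5/*
S /sap/bc/ui2/*
S /sap/opu/odata/*
S /sap/public/bc/*
# Everything not listed above is denied
D *
"""

# Constructed misconfiguration: the broad permit on line 1 hides the denies.
BAD_PTAB = """\
P /sap/*
D /sap/bc/gui/sap/its/*
D /sap/bc/webdynpro/*
"""

Rule = Tuple[str, str, int]  # (action, URL pattern, line number in the file)


def parse_ptab(text: str) -> List[Rule]:
    """Parse '<action> <pattern>' lines; blank lines and '#' comments are skipped."""
    rules: List[Rule] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in ("P", "D", "S"):
            raise ValueError(f"line {line_no}: cannot parse {raw!r}")
        rules.append((parts[0], parts[1].strip(), line_no))
    return rules


def _matches(pattern: str, path: str) -> bool:
    """Only '*' is a wildcard (any characters, including '/'); the rest is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, path) is not None


def evaluate(rules: List[Rule], path: str, https: bool) -> Tuple[str, Optional[int]]:
    """Return (decision, line number of the deciding entry).
    Assumption: first matching entry decides; no match means deny."""
    for action, pattern, line_no in rules:
        if not _matches(pattern, path):
            continue
        if action == "P":
            return "permit", line_no
        if action == "D":
            return "deny", line_no
        return ("permit" if https else "deny"), line_no  # S: HTTPS only
    return "deny", None


def _prefix_form(pattern: str) -> Optional[Tuple[str, bool]]:
    """(literal prefix, has trailing '*') for '<prefix>' or '<prefix>*' patterns;
    None when the wildcard sits elsewhere (not compared)."""
    star = pattern.find("*")
    if star == -1:
        return pattern, False
    if star == len(pattern) - 1:
        return pattern[:-1], True
    return None


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Entries that can never fire because an earlier entry already matches every
    path they could match. Returns (dead line, earlier line) pairs; conservative,
    only prefix-shaped patterns are compared."""
    forms = [(_prefix_form(pattern), line_no) for _, pattern, line_no in rules]
    dead: List[Tuple[int, int]] = []
    for i, (later, later_no) in enumerate(forms):
        if later is None:
            continue
        l_prefix, l_star = later
        for earlier, earlier_no in forms[:i]:
            if earlier is None:
                continue
            e_prefix, e_star = earlier
            covered = (e_star and l_prefix.startswith(e_prefix)) or (
                not e_star and not l_star and l_prefix == e_prefix)
            if covered:
                dead.append((later_no, earlier_no))
                break
    return dead


# Constructed sample requests as (scheme, path) seen by the Web Dispatcher.
SAMPLE_REQUESTS = [
    ("https", "/sap/bc/ui2/flp"),
    ("https", "/sap/opu/odata/sap/ZMY_SRV/Orders"),
    ("http", "/sap/bc/ui5_ui5/sap/zapp/Component.js"),
    ("https", "/sap/bc/gui/sap/its/webgui"),
    ("https", "/sap/bc/webdynpro/sap/zwda_app"),
    ("https", "/sap/bc/ping"),
]

if __name__ == "__main__":
    for name, table in (("EXTERNAL_PTAB", EXTERNAL_PTAB), ("BAD_PTAB", BAD_PTAB)):
        rules = parse_ptab(table)
        print(f"== {name}")
        for scheme, path in SAMPLE_REQUESTS:
            decision, line_no = evaluate(rules, path, scheme == "https")
            print(f"{decision:6} {scheme}://wd.example.invalid{path}  (entry line {line_no})")
        for dead_no, by_no in shadowed_rules(rules):
            print(f"WARNING: entry on line {dead_no} never matches, shadowed by line {by_no}")
```

Run as a script it prints the decision for every sample request against both tables. With EXTERNAL_PTAB the launchpad and OData calls are permitted over HTTPS, the same UI5 resource over plain HTTP is denied by the S entry, and WebGUI, Web Dynpro and the unlisted /sap/bc/ping are denied. The `shadowed_rules` check flags the classic mistake shown in BAD_PTAB: a broad permit such as `P /sap/*` placed above the deny entries silently makes them dead, so WebGUI ends up reachable from the internet even though a deny line exists.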

Managing Passwords and Single Sign-On

Set up good password management, e.g. ensure users are required to use longer passwords including digits and special characters and are prompted to change passwords regularly. Also look into Single Sign-On to enforce the same password management settings across all the involved systems. This can be achieved with technologies like Kerberos, SAML or X.509.

SAML is generally the preferred option for SAP Fiori as this integrates with the cloud solutions like SAP Cloud Platform.

NOTE: There are several such solutions, for example SAP CoPilot, which is provided via the SAP Cloud Platform and is available since SAP S/4HANA 1709 FPS1 (on-premise).

SAP also has the SAP SSO and SAP Cloud Platform Identity Authentication solutions which can be used in this context.

Whitelisting ICF node and OData Services via Activation

Only activate the necessary ICF nodes and OData services for the Fiori apps you intend to use. Existing apps which are no longer in use should be deactivated, e.g. apps retired because they were replaced by a successor app as part of a release or feature pack upgrade.

Restrict the end-user roles and authorisations to what is strictly needed, in all environments available via the internet. You can restrict the Fiori roles via customizing Fiori catalogs as described in Creating PFCG Role on Front End and Assigning Launchpad Catalogs and Groups and Creating PFCG Role on Back End for Launchpad Catalogs.

Managing Your Security Patches

When systems are reachable from the internet it is even more important to keep these up to date and security patches should be performed regularly.

At the time of writing this blog, every second Tuesday of every month is Security Patch Day at SAP, where the SAP Product Security Response Team shares a monthly summary of the fixes for vulnerabilities discovered in SAP products during the last month. SAP strongly recommends that customers visit the Support Portal and apply patches with priority to protect their SAP landscape. This wiki page contains an overview of the past Security Patch Day blogs.

You can implement security patch management with SAP Solution Manager and check the EarlyWatch Alert (EWA) report to get an overview of the security patches to be implemented on your system. The Web Dispatcher can also be included; this is described in the Security Patch Process FAQ.

Managing System Load (Load Balancing & High Availability)

When exposing Fiori apps to the internet, you are opening a channel which can be used by all the company’s users as long as they can authenticate to the system. This can translate into higher system load.

Therefore correct sizing and an architecture definition must be prepared from the start, considering that Fiori will be the single point of access, as you don’t want to end up in a system-down scenario.

Make sure all systems involved are realistically sized, scalable (additional application servers or more hardware can be allocated) and are installed in a high availability setup.

Fiori Via VPN

Another option to allow Fiori from outside the company network is to use a VPN. Note that network response times are very important for the usability of SAP Fiori, so the VPN provider must be evaluated carefully.

… and More !

The SAP Mentors call and summary blog What you always wanted to know about SAP Security, but did not dare to ask! and the linked recording contain a lot of good background information on how SAP handles security for its products and in the SAP IT infrastructure, and further considerations for customers, some of which have already been discussed above.


Alternative to On-Premise Fiori: SAP Cloud Platform for Fiori

An alternative for accessing SAP Fiori apps from the internet is via SAP Cloud Platform using the SAP Fiori Cloud service. With this approach the SAP Cloud Platform is the first line of defence and therefore not directly exposing the customer on-premise systems to the internet.

With SAP Fiori Cloud and the mobile services customers benefit from a cloud-based design-time and run-time environment for SAP Fiori.  The user experience (UX) artefacts are managed by SAP (e.g. regular updates to applications, SAPUI5 libraries, SAP Fiori launchpad version, development Web IDE etc.).  The users access the content securely through SAP Cloud Platform and the cloud connector.

You may find this solution particularly interesting if you do not have other internet-facing solutions in place as yet.

The available SAP Fiori Cloud apps scope is documented in the SAP Fiori apps reference library, which now also includes an SAP Fiori Cloud filter showing the Fiori apps supported by Fiori Cloud; this number is rapidly growing!

More information on SAP Fiori Cloud can be found here:

Thanks,

Hannes

Becoming a SAP Fiori for SAP S/4HANA guru

You’ll find much more on our SAP Fiori for SAP S/4HANA wiki

Brought to you by the S/4HANA RIG

9 Comments

    Thanks Hannes,

    With regards the architecture, what about on-premise (internal) access to SAP Fiori within the company?  This is the main use case initially (laptops/desktops), with mobile access also to be provided.

    From your blog are you suggesting a second Front End Server should be provisioned in the DMZ which only offers out the externally facing Fiori apps?

    We are running S/4HANA 1610 and a FES in Hub mode.

    Thanks

    • We are generally recommending embedded deployment.  I just updated the blog with some more suggestions to make also that deployment option more secure.

      Know that such a mixed setup with embedded + hub (only for internet facing) will greatly increase the effort for administration and customizing needed for Fiori, so this is not recommended.

      Regards, Hannes


  • Hello.

    What would be the best config for a Fiori URL on a replicated environment? Site A replicates to Site B. On failover, users need to access a different URL, or is it better to access using SAP GUI?

  • Hello Hannes,

    I am looking for recommendations regarding the following two options:

    1. Only the web dispatcher of an embedded S/4HANA deployment would reside in the DMZ. Backend+Frontend are installed in the trusted network zone.
    2. Backend+Frontend+Web Dispatcher are installed in the trusted network and a 3rd party application firewall (e.g. BigIP F5) works as a reverse proxy for the S/4HANA installation.

    Most recommendations I read so far always separated the backend from the frontend+webdispatcher, never only the webdispatcher from the rest. Are there any disadvantages in this scenario? From my opinion it would combine the advantages of the embedded scenario with a reasonable security concept.

    This applies also for the second scenario where you of course would have additional efforts regarding the reverse proxy but this was also the case in former non-Fiori releases when you wanted to make web services of SAP applications available externally.

    Am I overlooking an aspect typical for fiori applications/setups only?

    Regards, Björn