This topic was last updated on: June 05, 2009
The Microsoft BizTalk Adapter 3.0 for mySAP Business Suite supports either SAP Secure Network Communications (SNC) or user name password credentials to help secure communication between the adapter and the SAP server. User name password credentials only provide authorization for the connection to the SAP system; they do not provide any security for the data exchanged over the connection. You cannot use SNC and user name password credentials at the same time.
SAP Secure Network Communications
Secure Network Communications (SNC) is a software layer in the SAP system architecture that can help provide application-level security on data exchanged between the SAP client and a SAP application server.
SNC provides the following advantages:
- SNC targets application-level, end-to-end security. SNC helps secure all communications between two SNC-protected components (for example, between the SAPgui and an SAP System application server).
- You can implement additional security features that the SAP System does not directly provide (for example, Single Sign-On or the use of smart cards for authentication).
- You can customize your SNC implementation. You can use the security product of your choice and choose the algorithms you want to use.
- You can change the security product at any time without affecting SAP System business applications.
To use SNC, you must configure both the SAP server and the client running the SAP adapter.
Important: You should not use SNC if you will be using logon tickets to connect to an SAP system. For more information on logon tickets, see SAP Logon Tickets.
Support for Impersonation
The SAP system supports impersonation through two connection string properties, EXTIDDATA and EXTIDTYPE. When SNC is in use, the connection can impersonate another SAP user identified by EXTIDDATA, which can be a user name, a token, or a similar identifier; the kind of identifier carried in EXTIDDATA is specified by EXTIDTYPE. The SAP adapter supports impersonation by providing two binding properties, ExternalIdentificationData and ExternalIdentificationType. For more information about these binding properties, see Working with BizTalk Adapter 3.0 for mySAP Business Suite Binding Properties.
Note: You can use impersonation to connect to an SAP system only if you set UseSnc to true in the SAP connection URI. For more information about the SAP connection URI, see The SAP System Connection URI.
SAP Logon Tickets
The SAP system issues logon tickets to enable Single Sign-On on other systems. After the SAP system authenticates a user, it issues a logon ticket that can be used on other systems for authentication. From that point on, users do not need to provide a user name and password to authenticate.
The SAP adapter enables adapter clients to connect to an SAP system using logon tickets. The SAP adapter exposes two new binding properties, LogOnTicketType and LogOnTicketPassword. For more information about these binding properties, see Working with BizTalk Adapter 3.0 for mySAP Business Suite Binding Properties.
You must consider the following points before using logon tickets to connect to an SAP system:
- Logon tickets are not supported when using the SAP adapter with BizTalk Server.
- Logon tickets should not be used if you are using SNC for authentication. For more information about SNC, see SAP Secure Network Communications.
User Name Password Credentials
You can supply user name password credentials to the adapter in the connection URI. The adapter uses these credentials to authenticate the user on the SAP system when it opens the connection. These credentials provide a level of authorization for the connection to the SAP system; however, they do not provide message-level or transport-level authentication (or authorization) for data traveling across the network.
For this reason, you must provide a security mechanism to help ensure appropriate levels of authorization, authentication, data privacy, and data integrity for data exchanges between the adapter and the SAP system.
Important: The SAP adapter surfaces the AcceptCredentialsInUri binding property. This property determines whether SAP system credentials are permitted in the connection URI. By default, AcceptCredentialsInUri is false and the SAP adapter throws an exception if credentials are included in the URI. For more information, see Working with BizTalk Adapter 3.0 for mySAP Business Suite Binding Properties.
One possible mechanism for helping to provide more security across the network is Internet Protocol Security (IPsec). IPsec is a framework of open standards for protecting communications over Internet Protocol (IP) networks. For more information about IPsec and about using IPsec with Microsoft products, see the Microsoft TechNet article "IPsec" at http://go.microsoft.com/fwlink/?LinkId=89732.
The user name and password are specified as clear text in the connection URI. The SAP adapter provides a number of methods through which you can more securely supply these credentials.
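The rules stated on this page (credentials in the URI are rejected unless AcceptCredentialsInUri is true, impersonation requires UseSnc=true, SNC is not combined with user name password credentials or with logon tickets) can be checked before a connection is ever opened. The following is an added example, not code from the adapter or from this topic: a small Python linter that reads an sap:// connection URI together with the binding properties named above and reports policy violations. The URI layout it assumes (connection properties before the "@", query parameters after the "?") follows the general shape of the adapter's connection URI, and the sample URIs and the SapBinding class are constructed for this example; the only URI parameter name taken from the page is UseSnc.

```python
"""Offline policy check for an SAP adapter connection URI plus binding properties.

Added example (not adapter code). The URI shape 'sap://k=v;k=v;@a/host/sysnr?opt=val'
is an assumption about the adapter's connection URI layout; parameter names other
than UseSnc are illustrative.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs


@dataclass
class SapBinding:
    """Subset of the adapter binding properties discussed on this page.

    The default for accept_credentials_in_uri mirrors the documented default
    (false); the other properties are unset unless the caller sets them.
    """
    accept_credentials_in_uri: bool = False
    external_identification_data: Optional[str] = None   # EXTIDDATA
    external_identification_type: Optional[str] = None   # EXTIDTYPE
    logon_ticket_type: Optional[str] = None
    logon_ticket_password: Optional[str] = None


def parse_sap_uri(uri: str) -> Dict[str, Dict[str, str]]:
    """Split an sap:// URI into lower-cased connection-property and query maps.

    The last '@' separates connection properties from the host part, so a
    password containing '@' still parses; keys are compared case-insensitively.
    """
    if not uri.lower().startswith("sap://"):
        raise ValueError("not an sap:// URI")
    rest = uri[len("sap://"):]
    creds_part, _, tail = rest.rpartition("@")
    path_part, _, query_part = tail.partition("?")
    connection: Dict[str, str] = {}
    for item in creds_part.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            connection[key.strip().lower()] = value
    query = {k.lower(): v[-1] for k, v in parse_qs(query_part).items()}
    return {"connection": connection, "query": query, "path": {"value": path_part}}


def check_sap_security(uri: str, binding: SapBinding) -> List[str]:
    """Return a list of findings; an empty list means no rule on this page is violated."""
    parts = parse_sap_uri(uri)
    conn, query = parts["connection"], parts["query"]
    findings: List[str] = []

    has_creds = "user" in conn or "passwd" in conn
    use_snc = query.get("usesnc", "false").lower() == "true"
    uses_ticket = bool(binding.logon_ticket_type)
    impersonates = bool(binding.external_identification_data
                        or binding.external_identification_type)

    # Default AcceptCredentialsInUri=false: the adapter throws if credentials are present.
    if has_creds and not binding.accept_credentials_in_uri:
        findings.append("credentials in URI but AcceptCredentialsInUri is false: adapter will throw")
    # Credentials are clear text in the URI; flag it so the URI and network path get protected.
    if has_creds and binding.accept_credentials_in_uri:
        findings.append("clear-text user name/password in URI: protect the URI and the network path (e.g. IPsec)")
    # SNC and user name password credentials cannot be used simultaneously.
    if use_snc and has_creds:
        findings.append("SNC and user name/password credentials cannot be used at the same time")
    # Logon tickets should not be used together with SNC.
    if use_snc and uses_ticket:
        findings.append("logon tickets should not be combined with SNC")
    # Impersonation is only available when UseSnc is true in the URI.
    if impersonates and not use_snc:
        findings.append("impersonation (ExternalIdentificationData/Type) requires UseSnc=true in the URI")
    # EXTIDTYPE describes the kind of EXTIDDATA, so one without the other is incomplete.
    if impersonates and (bool(binding.external_identification_data)
                         != bool(binding.external_identification_type)):
        findings.append("ExternalIdentificationData and ExternalIdentificationType must be set together")
    return findings


if __name__ == "__main__":
    # Constructed sample URIs (hosts, client numbers and names are made up).
    samples = [
        ("sap://User=alice;Passwd=s3cret;Client=800;Lang=EN;@a/saphost/00", SapBinding()),
        ("sap://Client=800;Lang=EN;@a/saphost/00?UseSnc=True",
         SapBinding(external_identification_data="bob", external_identification_type="UN")),
        ("sap://Client=800;Lang=EN;@a/saphost/00?UseSnc=True", SapBinding(logon_ticket_type="SSO2")),
    ]
    for sample_uri, sample_binding in samples:
        print(sample_uri, "->", check_sap_security(sample_uri, sample_binding) or ["ok"])
```

Run it against each candidate URI and binding pair during deployment review; anything it reports for the first rule would fail at connection time anyway, while the clear-text finding is the cue to place the URI in a protected configuration store and to protect the path to the SAP system (for example with IPsec, as described above).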
Security Concerns for Inbound Scenarios
Any listener that has access to an SAP program ID can potentially receive all SAP artifacts (RFCs, IDOCs, and tRFCs) sent to that program ID. If more than one listener is registered to the same program ID, SAP randomly assigns artifacts that arrive at that program ID to one of the listeners. You should therefore ensure that only the listeners you intend to receive messages through a specific program ID have access to that program ID. Furthermore, because SAP distributes artifacts randomly among the listeners attached to a program ID, it is a best practice to dedicate each program ID to a single listener.