Security Considerations Between the SAP System and the Adapter
The Microsoft BizTalk Adapter for mySAP Business Suite supports either SAP Secure Network Communications (SNC) or user name and password credentials to help secure communication between it and the SAP server. User name and password credentials only authenticate the adapter's connection to the SAP system (and thereby determine what that connection is authorized to do); they do not protect the data exchanged over the connection. You cannot use both SNC and user name and password credentials at the same time.
Secure Network Communications (SNC) is a software layer in the SAP system architecture that can help provide application-level security for data exchanged between an SAP client and an SAP application server.
SNC provides the following advantages:
- SNC targets application-level, end-to-end security. SNC helps secure all communications between two SNC-protected components (for example, between the SAPgui and an SAP System application server).
- You can implement additional security features that the SAP System does not directly provide (for example, Single Sign-On or the use of smart cards for authentication).
- You can customize your SNC implementation. You can use the security product of your choice and choose the algorithms you want to use.
- You can change the security product at any time without affecting SAP System business applications.
To use SNC, you must configure both the SAP server and the computer running the SAP adapter.
- For information about configuring SNC on the SAP server, see http://go.microsoft.com/fwlink/?LinkId=129824.
- On the computer where the SAP client DLLs and the SAP adapter are installed, the SNC-related DLLs must also be present. For more information about these DLLs, see the BizTalk Adapter Pack installation guide.
- To configure the adapter to use SNC, set the UseSnc parameter in the SAP connection URI. For more information about the SAP connection URI, see The SAP System Connection URI. You must also set the SncLibrary and SncPartnerName binding properties, which identify the SNC library to load and the SNC name of the SAP partner system. For more information about the SAP adapter binding properties, see Working with BizTalk Adapter for mySAP Business Suite Binding Properties.
You can supply user name and password credentials to the adapter in the connection URI. The adapter uses these credentials to authenticate the user on the SAP system when it opens the connection. The credentials establish who the connection acts as, and therefore what it is authorized to do on the SAP system; however, they provide no message-level or transport-level authentication (or authorization) for the data traveling across the network, and they do not protect its confidentiality or integrity.
For this reason, when you use user name and password credentials you must provide a separate mechanism to help ensure appropriate levels of authorization, authentication, data privacy, and data integrity for data exchanged between the adapter and the SAP system.
Note: The SAP adapter exposes the AcceptCredentialsInUri binding property. This property determines whether SAP system credentials are permitted in the connection URI. By default, AcceptCredentialsInUri is false and the SAP adapter throws an exception if credentials are included in the URI. For more information, see Working with BizTalk Adapter for mySAP Business Suite Binding Properties.
One mechanism for protecting the adapter's traffic on the network when SNC is not used is Internet Protocol Security (IPsec). IPsec is a framework of open standards for protecting communications over Internet Protocol (IP) networks. For more information about IPsec and about using IPsec with Microsoft products, see the Microsoft TechNet article "IPsec" at http://go.microsoft.com/fwlink/?LinkId=89732.
Credentials supplied in the connection URI are specified as clear text, so they are exposed wherever that URI is stored, displayed, or logged. The SAP adapter provides several methods through which you can supply these credentials more securely.
For information about how to more securely provide SAP system credentials in BizTalk solutions, see Security Considerations When Using the Adapter with BizTalk Server.
For information about how to more securely provide SAP system credentials in programming solutions, see Security Considerations When Programming on the Adapter.
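The following C# example is added here to illustrate the two configurations described above (the SNC procedure and the user name and password alternative); it is not code from the original page or from the adapter documentation. It uses the public SAPBinding properties named on this page (AcceptCredentialsInUri, SncLibrary, SncPartnerName) and the UseSnc connection URI parameter, together with the standard WCF channel model. The host name, system number, client, SNC library path, and SNC partner name are placeholders that you must replace for your own landscape.

```csharp
// Added example, not part of the original page. Shows how an adapter client
// can open an SAP connection either with SNC or with user name/password
// credentials kept out of the connection URI. All endpoint values below are
// placeholders (assumptions), not real systems.
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using Microsoft.Adapters.SAP;

public static class SapConnectionExamples
{
    // Placeholder SAP endpoint: application server host, system number 00,
    // client 800. Replace with your own values.
    private const string SapHostPart = "@a/sapserver.example.com/00";

    // SNC mode. The URI carries no user name or password; UseSnc=True tells
    // the adapter to protect the connection with SNC, and the binding names
    // the SNC library and the partner (server) SNC name.
    public static ChannelFactory<IRequestChannel> CreateSncFactory()
    {
        var binding = new SAPBinding
        {
            // Keep the default: the adapter rejects credentials in the URI.
            AcceptCredentialsInUri = false,
            // Assumed path to the SNC library supplied by your security product.
            SncLibrary = @"C:\SNC\snclib.dll",
            // Assumed SNC name of the SAP application server, as configured
            // on the SAP side (format depends on the security product).
            SncPartnerName = "p:CN=SAPSERVER, O=Example, C=US"
        };

        var address = new EndpointAddress(
            "sap://Client=800;Lang=EN;" + SapHostPart + "?UseSnc=True");

        // No ClientCredentials are set here: SNC and user name/password
        // credentials cannot be used together.
        return new ChannelFactory<IRequestChannel>(binding, address);
    }

    // User name/password mode. The credentials are supplied through WCF
    // ClientCredentials rather than embedded in clear text in the URI, so
    // the URI can be stored or logged without exposing the password.
    public static ChannelFactory<IRequestChannel> CreateUserPasswordFactory(
        string userName, string password)
    {
        var binding = new SAPBinding
        {
            // Default value, stated explicitly: a URI such as
            // "sap://User=...;Passwd=...;..." would throw at open time.
            AcceptCredentialsInUri = false
        };

        var address = new EndpointAddress(
            "sap://Client=800;Lang=EN;" + SapHostPart);

        var factory = new ChannelFactory<IRequestChannel>(binding, address);
        factory.Credentials.UserName.UserName = userName;
        factory.Credentials.UserName.Password = password;
        return factory;
    }

    // Opens and closes a channel to confirm the configuration is usable.
    public static void Probe(ChannelFactory<IRequestChannel> factory)
    {
        IRequestChannel channel = factory.CreateChannel();
        try
        {
            channel.Open();
            Console.WriteLine("Connection to SAP opened: " + factory.Endpoint.Address.Uri);
        }
        finally
        {
            channel.Close();
            factory.Close();
        }
    }
}
```

In the SNC variant the caller's identity comes from the SNC layer, so nothing is set on factory.Credentials; in the user name/password variant the credentials travel with the factory object rather than the URI, and AcceptCredentialsInUri stays at its default of false so that an accidentally embedded password fails fast instead of being silently accepted. The password string itself should still be obtained from a protected store rather than a literal in source or configuration, as described in the two topics referenced above.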
Any listener that has access to an SAP program ID can potentially receive all SAP artifacts (RFCs, IDOCs, and tRFCs) sent to that program ID. If more than one listener is registered to the same program ID, SAP assigns each artifact that arrives at that program ID to one of the listeners at random, so a message intended for one listener may be delivered to another. You should therefore restrict access to each program ID so that only the listeners you intend to receive messages through it can register for it. Furthermore, because of this random distribution, it is a best practice to dedicate each program ID to a single listener.