Administrator's Guide for SAP for Public Sector
Document version: 1.2 – 2016-04-05
CUSTOMER
SAP Multichannel Foundation for Utilities and Public Sector
Document History

Caution
Before you start the implementation, make sure you have the latest version of this document. You can find the
latest version at the following location: service.sap.com/publicsector.

The following table provides an overview of the most important document changes:

Table 1
Version | Date | Description
1.2 | 2016-04-05 | SAP Multichannel Foundation for Utilities and Public Sector 1.0 SP6
© Copyright 2016 SAP SE or an SAP affiliate company. All rights reserved.
Content
1 Getting Started ......... 5
2 Installation ......... 7
3 Configuration ......... 8
4 Application Operations ......... 19
5 Security ......... 29
1 Getting Started
This document is a single source of information for the implementation of SAP Multichannel Foundation for
Utilities and Public Sector. It contains implementation information, security information, and operation
information only for SAP for Public Sector. The document for utilities is on the SAP Service Marketplace under
SAP for Utilities.
Related Information
For more information about implementation topics not covered in this guide, see the following content:

Table 2
Content | Location
Installation and upgrade guides | service.sap.com/instguides
Released platforms and technology-related topics | service.sap.com/platforms
Platform availability matrix | service.sap.com/pam
Network security | service.sap.com/securityguide
High availability | sdn.sap.com/irj/sdn/ha
Performance | service.sap.com/performance
Support package stacks, latest software versions, patches | service.sap.com/sp-stacks
Unicode technology | sdn.sap.com/irj/sdn/i18n
SAP Notes | service.sap.com/notes
SAP Software Distribution Center | service.sap.com/swdc
SAP Online Knowledge Products | service.sap.com/rkt

Related Guides
For more information about relevant applications, see the following content:

Table 3
Title | Location
SAP NetWeaver 7.0 Master Guide | service.sap.com/installNW70
SAP NetWeaver Technical Operations Guide | help.sap.com/nw74, System Administration and Maintenance Information
SAP NetWeaver Gateway Security Guide | help.sap.com/nwgateway, Security Information
SAP NetWeaver Gateway Technical Operations Guide | help.sap.com/nwgateway, System Administration and Maintenance Information
SAP Notes
You must read and implement the following SAP Notes before you start the installation. These SAP Notes contain
the most recent information and are prerequisites for installing SAP Multichannel Foundation for Utilities and
Public Sector.
You can find the most current versions of the SAP Notes at service.sap.com/notes.

Table 4
Number | Title
1942072 | SAP NetWeaver Gateway 2.0 Support Package Stack
1964240* | User Self Service: Check Password Security Policy Fixes
1988794* | User Self Service Enhancement: Resetting Password Using Email ID of the User
2000713* | User Self Service: User is Unable to Change the Password
2004762* | User Self Service: Reset Credentials with Autogenerated Password
2025549* | User Self Service: Improving the Error Message Shown to End User
2028105* | User Self Service: Short Dump While Checking Password
2287733 | Collective Fixes for Both Backend and UI for Multichannel Utilities for Public Sector SP06

Note
*These SAP Notes are required if you have installed IW_BEP SP08 or the corresponding SAP_GWFND support
pack.

Recommendation
We recommend that you implement the following SAP Notes:

Table 5
Number | Title
1509851 | ICF Logoff Service with Redirect URL
853878 | HTTP WhiteList Check (security)
2 Installation

SAP ERP Server
1. You need to install SAP Public Sector Collection and Disbursement (PSCD)/Tax and Revenue Management
(TRM) based on SAP ERP 6.0 EHP5 or higher.
2. Install IW_BEP SP11. If you are installing on SAP NetWeaver 7.4, you need to install SAP_GWFND 740 SP12
instead of IW_BEP.
Note
For more information on the compatibility of the various SAP Gateway components, see SAP Note 1942072.
3. Install add-on UMCERP01.

SAP Gateway Server
1. For SAP NetWeaver versions prior to SAP NetWeaver 7.40, you need to install GW_CORE SP04 and IW_FND
SP04. If you are installing on SAP NetWeaver 7.4, you need to install SAP_GWFND SP06.
Note
For more information on the compatibility of the various SAP Gateway components, see SAP Note 1942072.
2. For SAPUI5 add-ons, install UISAPUI5 SP13 or higher and UI_INFRA SP08 or higher.
Note
UISAPUI5 and UI_INFRA can be delivered with the SAP_UI add-on. In this scenario, SAP_UI SP13 or
higher must be installed. If you installed SAP_UI 740 or higher, UISAPUI5 and UI_INFRA do not need to be
installed as they are already included.
3. Install the UMCUI501 add-on.
Optional UI5 components include UI5_731 SP05 for team provider and other UI5 components depending on your
UI approach.

Hardware Sizing
An SAP Gateway sizing guide is available on the SAP Service Marketplace at service.sap.com/sizing. You can
refer to the SAP ERP sizing guide, too. You can use the quick sizer tool to calculate hardware for the system
landscape.
3 Configuration
To configure your SAP PSCD/TRM system as a standalone system, you need to maintain roles, users, and
activations in the system.

SAP NetWeaver System Settings
To ensure that online users are authenticated correctly, you need to set the correct AS profile parameters related
to HTTP security session management on AS ABAP. You use the sessions transaction.
Sample values for HTTP session parameters are as follows:
● login/create_sso2_ticket=2
● login/accept_sso2_ticket=1
● login/ticketcache_off=0
● login/ticket_only_by_https=1
● icf/user_recheck=1
Note
These parameters may be different according to your session security configuration.

SAP Gateway Activation
To check if SAP NetWeaver Gateway is activated, choose the following path in Customizing: SAP NetWeaver >
Gateway > OData Channel > Configuration > Activate or Deactivate SAP NetWeaver Gateway.

Maintaining System Aliases for SAP ERP
To create system aliases for SAP ERP, proceed as follows:
1. Using the RFC destinations transaction, create trusted RFC connections to the appropriate systems.
2. On the Logon and Security tab pages, choose Current User.
3. Use the Customizing transaction and open the SAP Reference IMG.
4. Navigate to SAP NetWeaver > Gateway > OData Channel > Configuration > Connection Settings > Manage
SAP System Aliases and create the system aliases for SAP ERP.
Registering Services
OData channel implementations retrieve the data from SAP Business Suite, which is a backend system. You use
the OData services that are defined by SAP. You can redefine the OData services according to your requirements.
Once an OData service is defined in the backend system, the service must be registered or activated on SAP
Gateway.
To register services in the SAP NetWeaver Gateway Hub system, proceed as follows:
1. Using the service maintenance transaction, select Add Service.
2. Select the SAP ERP system, then select Get Services.
3. Add the following services:
○ USERMANAGEMENT
○ USERREQUESTMANAGEMENT
○ ERP_FMCA_MC_SRV
○ ERP_FMCA_MC_PUBLIC_SRV
4. Select a package in the customer namespace for the objects created during the services registration.
5. For each registered service, select the ICF Node pushbutton and then select Configure (SICF).
6. For additional security, navigate to the Logon Data tab page and adjust the security parameters as
necessary.
Create PFCG Role for Reference User for SAP Gateway Hub System
To execute the user self service, the system needs to be set up with users and authorizations for those users. This
is a mandatory step, since the scenario does not work if the users do not have the required authorizations. In this
step, a PFCG role must be created to grant access authorizations to relevant business processes and then
assigned to the reference user. This ensures that the user can perform the related tasks when using the services
for SAP Multichannel Foundation for Utilities and Public Sector.
Procedure
1. In transaction PFCG, create a new role ZMCF_REF_USR using the /IWBEP/RT_USS_INTUSR template.
2. Add the authorization object S_SERVICE with authorization field SRV_NAME (program, transaction or function
module name). You must ensure that the following entries exist:
Table 6
Program ID | Object Type | Object Name
R3TR | IWSG | ERP_FMCA_MC_SRV
R3TR | IWSG | USERMANAGEMENT
3. Add authorization object S_RFCACL.
Note
The name of the authorization role is provided as an example only. You can choose any other name in the
customer namespace. To ensure that the object names appear in the F4 Help, you must register and activate
the OData Services mentioned in the preceding table in transaction /IWFND/MAINT_SERVICE and then execute
the service in the SAP NetWeaver Gateway client. For more information, see the section Registering Services.
You must ensure that values relevant to the current business scenarios are provided for authorization objects
that do not have predefined values for authorization fields in the templates.
Note
Depending on whether external user management is to be used, it may make sense to define two reference
users: one reference user for users who are not authorized to create users and another reference user who is
allowed to create users in the SAP Gateway Hub System.
Note
If you want to use the external user management scenario, you must add additional authorization objects that
allow you to create or maintain users in the gateway server. This process can be triggered from the ERP
system.
Create Reference User in SAP Gateway Hub System
Procedure
To execute the user self service, the system needs to be set up with users and the required authorization for those
users. Users also have to be created and maintained using SAP NetWeaver ABAP AS User Management, using
transaction SU01. A reference user is a standard SAP user with the “Reference” user type created in the SAP
Gateway Hub and also in SAP Business Suite System with the IWBEP add-on. This user is used by the user
management service as a template to create other users in the system.
1. In transaction SU01, create user MCF_REF_USR.
Note
The name of the user is provided as an example. You can use any other name, but you must make sure that
the same name is maintained for the service in transaction SICF.
2. On the Logon Data tab page, specify the user’s type as L - Reference.
3. Specify the alias for the user as MCF_REFERENCE_USER.
4. On the Roles tab page, assign the role ZMCF_REF_USR created previously.
Creating Users in SAP ERP
1. Create a role containing the authorizations for your scenario. The following list contains the required
authorization objects for the UI template to work without further modification.
Table 7
Object | Technical Name
Authorization check for RFC user | S_RFCACL
Authorization object for trusted-trusting system definition | S_RFC_TT
Business partner: BP roles | B_BUPA_RLT
Business partner relationships: Relationship categories | B_BUPR_BZT
Banks: general maintenance authorization | F_BNKA_MAN
Banks: general maintenance authorization by country | F_BNKA_MAO
Authorization check for RFC access | S_RFC
Authorization encryption card master | B_CARD_SEC
Check at start of external services | S_SERVICE
Transaction code check at transaction start | S_TCODE
BC-SRV-KPR-BDS: authorizations for document set | S_BDS_DS
ArchiveLink: authorizations for access to documents | S_WFAR_OBJ
Partner contact management | B_PCONTACT
Authorization object for the activities (EBPP) | F_ACT_EBPP
FICA document management service: Company code areas | F_KKDM_BUK
FICA document management service: Document type | F_KKDM_DOT
Authorization for interest posting | F_KKINTER
FICA doc in contract accts rec and pay: CoCode authorization | F_KKKO_BUK
FICA doc in contract accts rec and pay: business area auth | F_KKKO_GSB
FICA contract account: company code authorization | F_KKVK_BUK
FICA contract acct: contract acct type authorization | F_KKVK_VKT
FICA special functions for FSCM biller direct | F_KK_EBPP
FICA special functions | F_KK_SOND
PSCD document: contract object type authorization | F_PSDO_VGT
PSCD facts: fact type parts | F_PSFA_CAT
PSCD facts: authorization for a fact set | F_PSFA_SET
PSCD facts: fact set parts | F_PSFA_TYP
Authorization object public sector form handling, FB type | F_PSFH_FBT
Authorization object public sector, form handling, form view | F_PSFH_FVW
Authorization object public sector form handling, status | F_PSFH_STA
PSCD contract object: object type authorization | F_PSOB_VGT
Payment cards | B_CCARD
Unmasked display of credit card numbers | B_CCSEC
SAP gateway: User self service management | /IWBEP/URB
Authorizations: Role check | S_USER_AGR
User master maintenance: User groups | S_USER_GRP
User master maintenance: Authorization profile | S_USER_PRO
User master maintenance: System-specific assignments* | S_USER_SAS
* You use either authorization object S_USER_SAS or (S_USER_AGR, S_USER_GRP, S_USER_PRO).
Make the following entries for the authorization object S_SERVICE and authorization field SRV_NAME:
Table 8
Program ID | Object Type | Object Name
R3TR | IWSV | ERP_FMCA_MC_SRV
R3TR | IWSV | /IWBEP/USERMANAGEMENT
2. Using the user maintenance transaction, create the MCF users with the user type Communications Data.
3. Using function module FMCA_MC_USER_CREATE, link your user to its corresponding business partner ID.
Business Configuration
Use transaction SCPR20 to activate the BC set FMCA_MC_SETTING.
This generates sample configuration entries for the Customizing step SAP Multichannel Foundation for Utilities
and Public Sector > Maintain Settings for Business Processes.
Activating Forgotten Password
To activate the forgotten password, perform the following steps:

Create PFCG Role for Service User for SAP Gateway Hub System
To execute the user self service, the system needs to be set up with users and authorizations for those users. This
is a mandatory step, since the scenario does not work if the users do not have the required authorizations. In this
step, a PFCG role must be created to grant access authorizations to relevant business processes and then
assigned to the service user. This ensures that the user can perform the related tasks when using the services for
SAP Multichannel Foundation for Utilities and Public Sector.
Procedure
1. In transaction PFCG, create a new role ZMCF_FORGOTTEN_PW_USER.
2. Add the required authorization objects:
○ /IWFND/SRV
○ S_SECPOL
○ S_TCODE
○ S_RFCACL
○ S_RFC_TT
○ S_RFC
○ S_SERVICE
3. You must ensure that the following entries exist for the authorization object S_SERVICE and authorization
field SRV_NAME (program, transaction or function module name):
Table 9
Program ID | Object Type | Object Name
R3TR | IWSG | USERREQUESTMANAGEMENT
Note
The name of the authorization role is provided as an example only. You can choose any other name in the
customer namespace.
To ensure that the object names appear in the F4 Help, you must register and activate the OData Services
mentioned in the preceding table in transaction /IWFND/MAINT_SERVICE and then execute the service
in the SAP NetWeaver Gateway client. For more information, see Registering Services.
4. Limit the authorization values for all authorization objects to the necessary values relevant to the required
business scenario.
Create PFCG Role for Service User in the SAP ERP System
To execute the user self service, the system needs to be set up with users and authorization for those users. This
is a mandatory step, since the scenario does not work if the users do not have the required authorizations. In this
step, a PFCG role has to be created to grant access authorizations to relevant business processes and assigned to
the service user. This ensures that the user can perform the related tasks when using the services for SAP
Multichannel Foundation for Utilities and Public Sector.
Procedure
1. In transaction PFCG, create a new role ZMCF_FORGOTTEN_PW_USER using the template
/IWBEP/RT_USS_SRVUSR.
2. You must ensure that the following entries exist for the authorization object S_SERVICE and authorization
field SRV_NAME (program, transaction or function module name):
○ Program ID: R3TR
○ Object Type: IWSV
○ Object Name: /IWBEP/USERREQUESTMANAGEMENT 0001
3. Limit the authorization values for all authorization objects to the necessary values relevant to the current
business scenarios.
4. Check Customizing using transaction SPRO under the path SAP NetWeaver > Application Server > System
Administration > Users and Authorizations > Set Customizing Switch in Table PRGN_CUST. If
CHECK_S_USER_SAS is specified as YES, the authorization object S_USER_SAS must be manually added to
the PFCG role for the service user.
Create Service User in SAP Gateway Hub System
Procedure
To execute the user self service, the system needs to be set up with users and the required authorizations for
those users. Users also have to be created and maintained using SAP NetWeaver ABAP AS User Management,
using transaction SU01. A service user is a standard SAP user with the “Service” user type created in the SAP
Gateway Hub and also in the SAP Business Suite System with the IWBEP add-on. A service user should be able to
access the OData service /IWBEP/USERREQUESTMANAGEMENT.
1. In transaction SU01, create the user MCF_SRV_USR1.
Note
The name of the user is provided as an example. You can use any other name, but you must make sure that
the same name is maintained for the service in transaction SICF.
2. On the Logon Data tab page, specify the user’s type as S - Service.
3. On the Roles tab page, assign the role ZMCF_FORGOTTEN_PW_USER created previously.
Create Service User in the SAP ERP System
To execute the user self service, the system needs to be set up with users and the required authorization for those
users. Users also have to be created and maintained using SAP NetWeaver ABAP AS User Management, using
transaction SU01. A service user is a standard SAP user with the “Service” user type created in the Gateway Hub
and also in SAP Business Suite System with the IWBEP add-on. A service user should be able to access the OData
service /IWBEP/USERREQUESTMANAGEMENT_0001.
Procedure
1. In transaction SU01, create the user MCF_SRV_USR1.
Note
The name of the user is provided as an example. You can use any other name, but you must make sure that
the same name is maintained for the service in transaction SICF.
2. On the Logon Data tab page, specify the user’s type as S - Service.
3. On the Roles tab page, assign the role ZMCF_FORGOTTEN_PW_USER created previously.

Set Service User in SICF Node for Public OData Services
Procedure
To define the service user in the ICF node for USERREQUESTMANAGEMENT, proceed as follows:
1. In transaction SICF, find the node /default_host/sap/opu/odata/sap/USERREQUESTMANAGEMENT.
2. Under Logon Data, specify logon settings for the SAP Gateway Hub system for the service user:
○ Client: SAP Gateway Hub system client
○ User: MCF_SRV_USR1
○ Password: MCF_SRV_USR1 user’s password
3. Disable Cross-Site Request Forgery (CSRF) validation for the USERREQUESTMANAGEMENT ICF node, since the
service is executed in the context of the service user. To disable CSRF validation, on the Service Data tab page
of the ICF node select GUI Configuration and add the parameter ~CHECK_CSRF_TOKEN with value 0.
Activating Anonymous Form Submission or Payments
To activate the anonymous form submission or payments, perform the following steps:

Create PFCG Role for Service User for SAP Gateway Hub System
To execute the user self service, the system needs to be set up with users and authorizations for those users. This
is a mandatory step, since the scenario does not work if the users do not have the required authorizations. In this
step, a PFCG role must be created to grant access authorizations to relevant business processes and then
assigned to the service user. This ensures that the user can perform the related tasks when using the services for
SAP Multichannel Foundation for Utilities and Public Sector.
Procedure
1. In transaction PFCG, create a new role ZMCF_ANONY_SERV_USER.
2. Add the required authorization objects:
○ /IWFND/SRV
○ S_SECPOL
○ S_TCODE
○ S_RFCACL
○ S_RFC_TT
○ S_RFC
○ S_SERVICE
3. You must ensure that the following entries exist for the authorization object S_SERVICE and authorization
field SRV_NAME (program, transaction or function module name):
Table 10
Program ID | Object Type | Object Name
R3TR | IWSG | ERP_FMCA_MC_PUBLIC_SRV
Note
The name of the authorization role is provided as an example only. You can choose any other name in the
customer namespace.
To ensure that the object names appear in the F4 Help, you must register and activate the OData Services
mentioned in the preceding table in transaction /IWFND/MAINT_SERVICE and then execute the service in
the SAP NetWeaver Gateway client. For more information, see Registering Services.
4. Limit the authorization values for all authorization objects to the necessary values relevant to the required
business scenario.
Create PFCG Role for Service User in the SAP ERP System
To execute the user self service, the system needs to be set up with users and authorization for those users. This
is a mandatory step, since the scenario does not work if the users do not have the required authorizations. In this
step, a PFCG role has to be created to grant access authorizations to relevant business processes and assigned to
the service user. This ensures that the user can perform the related tasks when using the services for SAP
Multichannel Foundation for Utilities and Public Sector.
Procedure
1. In transaction PFCG, create a new role ZMCF_ANONY_SERV_USER.
2. You must ensure that the following entries exist for the authorization object S_SERVICE and authorization
field SRV_NAME (program, transaction or function module name):
○ Program ID: R3TR
○ Object Type: IWSV
○ Object Name: ERP_FMCA_MC_PUBLIC_SRV 0001
3. Add the following authorization objects:
Table 11
Object | Technical Name
Authorization check for RFC user | S_RFC
Authorization check for RFC user (for example, trusted system) | S_RFCACL
BC-SRV-KPR-BDS: Authorizations for document set | S_BDS_DS
Authorization object for the activities (EBPP) | F_ACT_EBPP
General ledger: Authorization for segment | F_FAGL_SEG
FI-CA document in contract accounts rec. and pay.: CoCode Authorization | F_KKKO_BUK
FI-CA document in contract accounts rec. and pay.: Business area authorization | F_KKKO_GSB
FI-CA contract account: Company code authorization | F_KKVK_BUK
FI-CA contract account: Contract account type authorization | F_KKVK_VKT
FI-CA special functions for FSCM biller direct | F_KK_EBPP
FI-CA processing locks | F_KK_LOCK
PSCD document: Contract object type authorization | F_PSDO_VGT
Authorization object public sector form handling, F.B type | F_PSFH_FBT
Authorization object public sector form handling, Form view | F_PSFH_FVW
Authorization object public sector form handling, Status | F_PSFH_STA
4. Limit the authorization values for all authorization objects to the necessary values relevant to the required
business scenarios.
Create Service User in SAP Gateway Hub System
Procedure
To execute the user self service, the system needs to be set up with users and the required authorizations for
those users. Users also have to be created and maintained using SAP NetWeaver ABAP AS User Management,
using transaction SU01. A service user is a standard SAP user with the “Service” user type created in the SAP
Gateway Hub and also in the SAP Business Suite System with the IWBEP add-on. A service user should be able to
access the OData service ERP_FMCA_MC_PUBLIC_SRV.
1. In transaction SU01, create the user MCF_SRV_USR2.
Note
The name of the user is provided as an example. You can use any other name of your choice, but you must
make sure that the same name is maintained for the service in transaction SICF.
2. On the Logon Data tab page, specify the user’s type as S - Service.
3. On the Roles tab page, assign the role ZMCF_ANONY_SERV_USER created previously.
Create Service User in the SAP ERP System
To execute the user self service, the system needs to be set up with users and the required authorization for those
users. Users also have to be created and maintained through SAP NetWeaver ABAP AS User Management, using
transaction SU01. A service user is a standard SAP user with the “Service” user type created in the Gateway Hub
and also in SAP Business Suite System with the IWBEP add-on. A service user should be able to access the OData
service ERP_FMCA_MC_PUBLIC_SRV_0001.
Procedure
1. In transaction SU01, create user MCF_SRV_USR2.
Note
The name of the user is provided as an example. You can use any other name, but you must make sure that
the same name is maintained for the service in transaction SICF.
2. On the Logon Data tab page, specify the user’s type as S - Service.
3. On the Roles tab page, assign the role ZMCF_ANONY_SERV_USER created previously.
Note
If you want to send a confirmation e-mail after an anonymous payment or form submission, maintain an e-mail
address for the service user.

Set Service User in SICF Node for Public OData Services
Procedure
To define the service user in the ICF node for ERP_FMCA_MC_PUBLIC_SRV, proceed as follows:
1. In transaction SICF, find the node /default_host/sap/opu/odata/sap/ERP_FMCA_MC_PUBLIC_SRV.
2. Under Logon Data, specify logon settings for the SAP Gateway Hub system for the service user:
○ Client: SAP Gateway Hub system client
○ User: MCF_SRV_USR2
○ Password: MCF_SRV_USR2 user’s password
3. Disable Cross-Site Request Forgery (CSRF) validation for the ERP_FMCA_MC_PUBLIC_SRV ICF node, since the
service is executed in the context of the service user. To disable CSRF validation, on the Service Data tab page
of the ICF node select GUI Configuration and add the parameter ~CHECK_CSRF_TOKEN with the value 0.
External User Management
Setting up external user management is included in Customizing under the path: Public Sector Management >
SAP Multichannel Foundation for Utilities and Public Sector > Maintain Settings for External User Management.
For more information, see help.sap.com/nwgateway.
Quick Testing of OData Services ERP_FMCA_MC
Procedure
It is sometimes necessary to perform a quick test on OData services to see how the entities work. By performing
the following steps, you can test OData services with your user using the SAP Gateway client or Google Chrome’s
Advanced Rest client:
Note
You must ensure that you have a user with the same username in transaction SU01 in the SAP Gateway Hub
and SAP ERP systems.
1. Use transaction SU01 in the SAP ERP system, open your user, and select Goto > References in the menu.
2. Create a new reference for your user, and set the object type to BUS1006.
3. Set the key to the business partner ID which has test data that you want to use to test the OData services.
4. In the SAP Gateway client, execute a GET request on the ERP_FMCA_MC service for the OData entity
Account.
You should receive the data for the business partner that you assigned to yourself when performing the GET on
the Account entity.
If you did not receive the data, perform an analysis on the user authorization log in transaction SU53 to see if you
are missing any authorizations for your user.
Note
You must ensure that the test user does not exist in the production environment.
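The GET in step 4 can also be issued and checked from a script instead of the Gateway client, which is handy when the test has to be repeated after each authorization change. The following script is an added example, not part of this guide or of SAP's tooling. It assumes the service is reachable under the Gateway hub path /sap/opu/odata/sap/<service>/ (the same path pattern the SICF nodes in this guide use), that the service is registered as ERP_FMCA_MC_SRV with an entity set named Account, and that JSON is requested with $format=json (OData V2 envelope {"d": {"results": [...]}}). The host name, client, and the property names in the embedded sample response are constructed placeholders; the property that carries the business partner ID is deliberately not assumed, so the check scans every string property of every returned entry for the expected ID.

```python
"""Quick check for step 4 of the OData test: GET the Account entity set and
verify that the business partner referenced to the test user comes back.
Added example; host, client, service path and property names are assumptions."""
import base64
import json
import urllib.request
from typing import Any, Dict, List
from urllib.parse import urlencode


def account_url(host: str, client: str, service: str = "ERP_FMCA_MC_SRV",
                entity_set: str = "Account") -> str:
    """Build the GET URL for the entity set (assumed Gateway hub path layout)."""
    query = urlencode({"sap-client": client, "$format": "json"})
    return f"https://{host}/sap/opu/odata/sap/{service}/{entity_set}?{query}"


def entries(payload: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the entries of an OData V2 JSON response (collection or single entity)."""
    d = payload.get("d")
    if not isinstance(d, dict):
        raise ValueError("not an OData V2 JSON payload (missing 'd')")
    if isinstance(d.get("results"), list):
        return d["results"]
    return [d]


def references_business_partner(payload: Dict[str, Any], expected_bp: str) -> bool:
    """True if any string property of any entry equals the expected partner ID.

    Leading zeros are ignored on both sides because SAP business partner IDs
    are commonly stored zero-padded (assumption about the ID format).
    """
    wanted = expected_bp.lstrip("0")
    for entry in entries(payload):
        for key, value in entry.items():
            if key == "__metadata":       # OData V2 bookkeeping, not data
                continue
            if isinstance(value, str) and value.lstrip("0") == wanted:
                return True
    return False


def fetch(url: str, user: str, password: str, timeout: int = 30) -> Dict[str, Any]:
    """GET the URL with basic authentication and parse the JSON body."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample response shaped like an OData V2 collection, used to
# exercise the check without a live system. The property names are invented.
SAMPLE_RESPONSE = {
    "d": {"results": [
        {"__metadata": {"type": "ERP_FMCA_MC_SRV.Account"},
         "BusinessPartner": "0000100123",
         "Description": "Constructed test partner"},
    ]}
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 6:
        # usage: script.py <host> <client> <user> <password> <business partner ID>
        host, client, user, password, bp = sys.argv[1:]
        data = fetch(account_url(host, client), user, password)
    else:
        data, bp = SAMPLE_RESPONSE, "0000100123"
    if references_business_partner(data, bp):
        print("ok: business partner", bp, "returned")
    else:
        print("business partner not found; check the authorization log in SU53")
```

Run without arguments to exercise the check on the embedded sample; with host, client, user, password and business partner ID it performs the live GET. A missing partner in the response is the cue the guide gives to look at SU53.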
4 Application Operations
SAP Multichannel Foundation for Utilities and Public Sector is delivered with a default project for OData Services.
The default project is called ERP_FMCA_MC and you can modify it by accessing the data model and creating
additional entities, entity attributes, and navigation properties. You can create your own project.
You use the BAdI definition FMCA_MC_ODATA to create new or modify existing OData entity implementations. The
purpose of this BAdI is to provide an implementation specific to the entity name. The base class of implementation
classes for all entities is CL_ISU_UMC_ODATA_ABSTRACT.
By default, all BAdI implementations are active and flagged as default implementations. The default
implementation is executed automatically. This BAdI is filter-dependent, and the filter is based on the name of the
entity. For example, the filter for the account entity is ENTITY_NAME=Account.
SAP Gateway Service Model Extensibility in SAP ERP
As mentioned in an earlier section, the extensibility of SAP Multichannel for Utilities and Public Sector is based on
the BAdI FMCA_MC_ODATA. SAP standard delivery consists of two OData services in SAP ERP, namely,
ERP_FMCA_MC and ERP_FMCA_MC_PUBLIC_SRV.
In the standard delivery we follow the rules listed below:
1. If the BAdI implementation of an entity is identical for both ERP_FMCA_MC and ERP_FMCA_MC_PUBLIC_SRV, the BAdI implementation only maintains the filter entity_name = requested entity, for example Account.
2. If an entity has different BAdI implementations for ERP_FMCA_MC and ERP_FMCA_MC_PUBLIC_SRV, then the implementation for ERP_FMCA_MC_PUBLIC_SRV maintains the filters service_name = ERP_FMCA_MC_PUBLIC_SRV and entity_name = requested entity, while the implementation for ERP_FMCA_MC maintains the filters entity_name = requested entity and service_name <> ERP_FMCA_MC_PUBLIC_SRV.
Therefore, when you extend ERP_FMCA_MC to derive a Z service for the entities you choose to expose, there are two options:
1. A new BAdI implementation is created for the entity with your own implementation class; in this case you must maintain the filter values entity_name = requested entity and service_name = Z service in the BAdI implementation filters.
2. No new BAdI implementation is created, and the applicable SAP implementation with the correct filter values is called.
The SAP Gateway service model can be extended at the following different levels:
○ OData entity field extension
○ OData entity logic extension
○ Addition of new OData entities
If you want to add new fields to an entity, the following approach can be used. Each OData entity is based on a
DDIC structure that you can see by accessing the Service Builder (transaction SEGW). This DDIC structure has a
subset of fields originating from the API. The names of the fields correspond to those in the API; however, the
labels for data elements are displayed on the UI.
By creating an append structure, you can add fields from the API, and then regenerate the model in the Service
Builder. By doing so, no further coding is required for GET operations, although further adjustments may be
required for POST, PUT, and DELETE operations in the OData entity implementation class.
To overwrite standard behavior, create a new BAdI implementation with the required filter value. This
implementation is then called instead of the standard one. The BAdI definition is based on the interface
IF_ISU_UMC_ODATA_BADI. This interface has only one method, get_instance, which provides an instance of a
Multichannel service implementation class to the standard data provider class (class with the suffix DPC_EXT).
You can define your own entity-based service implementation class using the inheritance from the existing class
that was assigned to the BAdI implementation. In your service implementation class, you can redefine all the
methods of both the IF_ISU_UMC_ODATA_BADI and IF_ISU_UMC_ODATA_IMPL interfaces to replace the
functions provided by SAP with your own functions.
Some implementation classes also provide additional methods that you can redefine. If your implementation is
inherited or based on the SAP standard BAdI implementation, we recommend that you call super-class methods
whenever possible. This ensures that subsequent corrections or updates delivered by SAP are integrated within
the implementation.
If a new entity is needed, you can enhance the existing SEGW model with new entities and follow the SAP BAdI
concept.
In some cases, business entity instances may logically belong together and need to be handled or processed
together in the same logical unit of work. For example, on moving out of a premise, an update of two or more
entities could be required and must be processed together in a single request (all or none). SAP Gateway can be
used to process such scenarios with its capability to execute multiple operations in a single request, including
retrieval and change. In the delivered OData Service for SAP Multichannel Foundation for Utilities and Public
Sector, batch processing is already enabled. Therefore, it is possible to use $batch to collect a fixed number of
operations (get, create, update, delete) of an OData Service in one single HTTP POST request.
Example
The following example has four GET calls in a batch.
Batch Request Header
POST /sap/opu/odata/sap/ERP_FMCA_MC_SRV/$batch
Content-Type: multipart/mixed;boundary=batch_11d6-7608-09f8
Batch Request Body
--batch_11d6-7608-09f8
Content-Type: application/http
Content-Transfer-Encoding: binary

GET Accounts('1000001530')/AccountAlerts/$count HTTP/1.1
Accept-Language: en
Accept: application/json
MaxDataServiceVersion: 2.0
DataServiceVersion: 2.0

--batch_11d6-7608-09f8
Content-Type: application/http
Content-Transfer-Encoding: binary

GET Accounts('1000001530')/ContractAccounts?$format=json&$expand=ContractAccountBalance HTTP/1.1
Accept-Language: en
Accept: application/json
MaxDataServiceVersion: 2.0
DataServiceVersion: 2.0

--batch_11d6-7608-09f8
Content-Type: application/http
Content-Transfer-Encoding: binary

GET Accounts('1000001530')/FilingObligations/$count?$filter=FormBundleSubmitted%20eq%20%27%27%20%20and%20ClearingReason%20eq%20%27%27%20 HTTP/1.1
Accept-Language: en
Accept: application/json
MaxDataServiceVersion: 2.0
DataServiceVersion: 2.0

--batch_11d6-7608-09f8
Content-Type: application/http
Content-Transfer-Encoding: binary

GET Accounts('1000001530')/FormBundles/$count?$filter=StatusID%20eq%20%27Draft%27%20 HTTP/1.1
Accept-Language: en
Accept: application/json
MaxDataServiceVersion: 2.0
DataServiceVersion: 2.0

--batch_11d6-7608-09f8--
By using batch processing, you can improve performance, since OData Service operations can be grouped in one
round trip. However, batch processing is more complex than standalone OData Service operations, and may not
always be beneficial. We suggest reviewing your use cases on an individual basis, to evaluate the benefits of batch
processing.
For more examples, see SAP Note 1869434.
If you have to execute specific business logic before processing a “changeset” in a batch, you must overwrite the
framework method /IWBEP/IF_MGW_APPL_SRV_RUNTIME~CHANGESET_BEGIN. In the implementation of SAP
Multichannel Foundation for Utilities and Public Sector OData Services, this method is redefined in the class
CL_ERP_FMCA_MC_DPC_EXT.
For example, the redefined method sets a flag for each session to indicate batch mode; this flag is used at a
subsequent stage by the /IWBEP/IF_MGW_APPL_SRV_RUNTIME methods that SAP Multichannel Foundation for
Utilities and Public Sector redefines. CREATE_ENTITY is one such method; it also performs a basic validation of
whether an operation is allowed in a batch process. This is necessary because SAP Gateway is solely responsible
for commit and rollback in batch processing: if an operation uses an API that has its own commit or rollback
logic, that operation should not be included in a batch.
/IWBEP/IF_MGW_APPL_SRV_RUNTIME~CHANGESET_END can be redefined for logic that runs after a “changeset” is processed.
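The $batch body shown above and the change-set validation just described, as an added Python example that is not SAP's code: build_batch serializes read operations and change sets using the boundary from the request above, parse_batch reads such a body back, and check_changesets applies the kind of rule the redefined CREATE_ENTITY enforces (no operation whose API commits on its own inside a change set). The entity names in the sample operations and the NOT_BATCHABLE set are constructed assumptions for this example.

```python
"""Build, parse and check OData V2 $batch bodies (added example, not SAP code)."""
import uuid
from dataclasses import dataclass, field

CRLF = "\r\n"


@dataclass
class Op:
    """One operation inside a $batch: method, relative URL, request headers, body."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def _http_part(op):
    # application/http part: part headers, blank line, request line,
    # request headers, blank line, body.
    lines = ["Content-Type: application/http", "Content-Transfer-Encoding: binary", "",
             f"{op.method} {op.url} HTTP/1.1"]
    lines += [f"{k}: {v}" for k, v in op.headers.items()]
    lines += ["", op.body]
    return CRLF.join(lines)


def build_batch(reads, changesets, boundary="batch_11d6-7608-09f8"):
    """Serialize GET operations and change sets into one $batch body. Every
    change set gets its own multipart/mixed boundary so that Gateway processes
    it as a single unit of work (all or none)."""
    parts = [f"--{boundary}{CRLF}{_http_part(op)}" for op in reads]
    for cs in changesets:
        cs_boundary = "changeset_" + uuid.uuid4().hex[:12]
        inner = "".join(f"--{cs_boundary}{CRLF}{_http_part(op)}{CRLF}" for op in cs)
        parts.append(f"--{boundary}{CRLF}Content-Type: multipart/mixed; boundary={cs_boundary}"
                     f"{CRLF}{CRLF}{inner}--{cs_boundary}--")
    return CRLF.join(parts) + f"{CRLF}--{boundary}--{CRLF}"


def _split(body, boundary):
    """Return the multipart parts between delimiters, stopping at the closing delimiter."""
    out = []
    for piece in body.split(f"--{boundary}")[1:]:
        if piece.startswith("--"):        # closing delimiter reached
            break
        out.append(piece.strip("\r\n"))
    return out


def _parse_part(part):
    _, _, rest = part.partition(CRLF + CRLF)          # drop the part headers
    req_line, _, tail = rest.partition(CRLF)
    method, url, _ = req_line.split(" ", 2)
    if tail.startswith(CRLF):                          # request without headers
        hdr_block, body = "", tail[2:]
    else:
        hdr_block, _, body = tail.partition(CRLF + CRLF)
    headers = dict(h.split(": ", 1) for h in hdr_block.split(CRLF) if h)
    return Op(method, url, headers, body)


def parse_batch(body, boundary):
    """Return a list whose items are an Op (read) or a list of Ops (change set)."""
    items = []
    for chunk in _split(body, boundary):
        if chunk.lower().startswith("content-type: multipart/mixed"):
            cs_boundary = chunk.split("boundary=", 1)[1].split(CRLF, 1)[0].strip()
            items.append([_parse_part(p) for p in _split(chunk, cs_boundary)])
        else:
            items.append(_parse_part(chunk))
    return items


# Hypothetical: entity sets whose backend API does its own COMMIT WORK and must
# therefore stay out of change sets, where Gateway owns commit and rollback.
NOT_BATCHABLE = {"FormBundles"}


def check_changesets(items):
    """Return (method, url, reason) for every change-set operation that a
    CHANGESET_BEGIN / CREATE_ENTITY style validation would reject."""
    problems = []
    for item in items:
        if not isinstance(item, list):
            continue
        for op in item:
            if op.method == "GET":
                problems.append((op.method, op.url, "read operation inside a change set"))
                continue
            entity_set = op.url.rsplit("/", 1)[-1].split("(")[0].split("?")[0]
            if entity_set in NOT_BATCHABLE:
                problems.append((op.method, op.url, "entity API has its own commit/rollback"))
    return problems


# Constructed sample operations (entity names are assumptions, not SAP's model).
SAMPLE_READS = [
    Op("GET", "Accounts('1000001530')/AccountAlerts/$count", {"Accept": "application/json"}),
    Op("GET", "Accounts('1000001530')/ContractAccounts?$format=json&$expand=ContractAccountBalance"),
]
SAMPLE_CHANGESETS = [[
    Op("POST", "Accounts('1000001530')/AccountAddressDependentEmails",
       {"Content-Type": "application/json"}, '{"Email":"user@example.com"}'),
    Op("POST", "FormBundles", {}, "{}"),
]]

if __name__ == "__main__":
    body = build_batch(SAMPLE_READS, SAMPLE_CHANGESETS)
    print(body)
    print(check_changesets(parse_batch(body, "batch_11d6-7608-09f8")))
```

Because every operation travels in the body of a single POST, the query options ($filter, $expand) of the reads do not appear in any URL that a browser would record in its history.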
Recommendation
SAP recommends you use batch processing in the SAPUI5 Web application.
Consuming OData Batch Request from SAP UI
Since the SAPUI5 control ODataModel supports batch processing, SAPUI5 applications can consume the OData
service in batches. You might need to use one or more of the following methods:
● addBatchChangeOperations
● clearBatch
● addBatchReadOperations
● createBatchOperation
● setUseBatch
For more information about ODataModel, see sapui5.hana.ondemand.com/sdk/#docs/api/symbols/sap.ui.model.odata.ODataModel.html.
The following code snippet is an example of a batch request from the SAP Multichannel Foundation for Utilities
and Public Sector Application.
Figure 1
Figure 2
Error Message Handling
Error message handling in SAP Multichannel Foundation for Utilities and Public Sector follows OData protocol and
SAP Gateway approaches. OData entities should return standardized HTTP codes to inform the client about the
status of the request.
SAP Gateway runtime checks that the payload and resource URL are consistent. For example, when a character
field is provided, the runtime returns an error with HTTP code 500. If a resource is addressed incorrectly, the
runtime produces the HTTP status code 500 again.
For other error situations, the service implementation needs to provide error handling. If a technical exception is
raised, the HTTP status code is 500 (server error) with an exception message appended to it; if it is a business-related
application error, the HTTP code is 400. Each entity calls a certain API or BAPI to execute business logic, and this
API returns a list of error messages that SAP Gateway propagates in the payload.
The following table describes various error situations and the associated HTTP status codes:
Table 12
Scenario | Sample Request | Response Behavior | Handling Level*
Authorization failure on accessing an entity with a wrong key | GET Accounts('X') | 404 not found with no specific error message | Service implementation
GET entity by key not found | GET Accounts('X') | 404 not found with no specific error message | Entity implementation
GET entity set not found | GET Invoices | 200 with empty payload | Entity implementation
GET with navigation A('x')/B not found | GET Accounts('X')/StandardAccountAddress | 200 with empty payload | Service implementation
POST | POST AccountAddressDependentEmail | 404 not found due to authorization issues; 400 bad request due to business logic issues; 201 created on success with the newly created entity returned in the payload | Entity implementation
UPDATE | UPDATE AccountAddressDependentEmail | 404 not found due to authorization issues; 400 bad request due to business logic issues; 200 on success with the updated entity returned in the payload | Entity implementation
DELETE | DELETE AccountAddressDependentEmail | 404 not found due to authorization issues; 400 bad request due to business logic issues; 204 no content on success | Entity implementation
Expand on entities that do not have keys filled in the source entity, A('x')?$expand=B,C | GET Accounts('X')?$expand=AccountAddressDependentEmail,AccountAddressDependentPhone | Entities for which keys are not filled in the source are ignored; the payload is still returned with 200 | Service implementation
Not properly formed URL or payload | GET Accounts('X')/NotExistingResource | 500 server error with a specific error message | SAP Gateway
*Handling levels are as follows:
● SAP Gateway runtime
● Service implementation (data provider and abstract classes from which all entities inherit)
● Entity implementation (specific OData entity implementation class)
It is possible to change the error logic for a specific entity by redefining the methods HANDLE_BUSINESS_ERROR
or HANDLE_TECHNICAL_ERROR where a mapping can be provided from API error messages to friendly messages
on the UI. Alternatively, to implement a generic mapping for error messages for all entities, you can define an
implicit enhancement point at the start of the methods HANDLE_BUSINESS_ERROR and
HANDLE_TECHNICAL_ERROR in the abstract class CL_ISU_UMC_ODATA_ABSTRACT.
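The status-code rules of Table 12 and the HANDLE_BUSINESS_ERROR / HANDLE_TECHNICAL_ERROR split, as an added Python example that is not SAP's code: map_response turns the outcome of a backend API call into the (status, body) pair the table prescribes, business messages pass through a friendly-text mapping, and technical exception texts are logged rather than returned. ApiMessage, ApiResult, the FRIENDLY table and the sample texts are constructed for this example.

```python
"""Map backend API outcomes to OData HTTP responses (added example, not SAP code)."""
from dataclasses import dataclass, field
from typing import List, Optional

AUDIT_LOG = []   # technical details go here instead of into the client payload


@dataclass
class ApiMessage:
    """Constructed stand-in for one row of a BAPI return table."""
    msg_type: str   # E = error, A = abort, W = warning, I/S = info/success
    text: str


@dataclass
class ApiResult:
    """Constructed outcome of the backend call behind one OData operation."""
    authorized: bool = True
    found: bool = True                        # key lookup succeeded
    technical_exception: Optional[str] = None
    messages: List[ApiMessage] = field(default_factory=list)
    payload: Optional[dict] = None


# Hypothetical mapping from raw API texts to user-facing texts, the kind of
# table a redefined HANDLE_BUSINESS_ERROR would consult.
FRIENDLY = {
    "Contract account 4711 is locked for dunning": "This account cannot be changed at the moment.",
}
GENERIC_BUSINESS = "The request could not be processed."


def handle_business_error(messages):
    """400 with mapped texts only; unmapped texts fall back to a generic one so
    raw backend wording never reaches the UI."""
    texts = [FRIENDLY.get(m.text, GENERIC_BUSINESS)
             for m in messages if m.msg_type in ("E", "A")]
    return 400, {"error": {"message": texts}}


def handle_technical_error(exc_text):
    """500 for technical exceptions. The exception text is logged, not returned,
    so internal details are not disclosed to Internet users."""
    AUDIT_LOG.append(exc_text)
    return 500, {"error": {"message": ["Internal server error"]}}


def map_response(method, result):
    """Return (status, body) for one operation, following Table 12."""
    # Authorization failure and a missing key both yield 404 without detail, so
    # a client cannot tell "exists but forbidden" from "does not exist".
    if not result.authorized or not result.found:
        return 404, {}
    if result.technical_exception:
        return handle_technical_error(result.technical_exception)
    if any(m.msg_type in ("E", "A") for m in result.messages):
        return handle_business_error(result.messages)
    if method == "POST":
        return 201, result.payload            # newly created entity
    if method == "DELETE":
        return 204, None                      # no content
    # GET / PUT: an empty entity set or navigation result is still 200
    return 200, result.payload if result.payload is not None else {"d": {"results": []}}


if __name__ == "__main__":
    locked = ApiResult(messages=[ApiMessage("E", "Contract account 4711 is locked for dunning")])
    print(map_response("POST", locked))
    print(map_response("PUT", ApiResult(technical_exception="CX_SY_ZERODIVIDE")))
    print(AUDIT_LOG)
```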
SAP Multichannel Foundation for Utilities and Public Sector Solution Monitoring
Monitoring is an essential task in managing SAP technology.
Alert Monitoring
To monitor errors and alert messages in SAP Gateway and in the backend systems, use the error log transactions.
Trace and Log Files
Trace files and log files are essential for analyzing problems. SAP Multichannel Foundation for Utilities and Public
Sector follows the approach used by SAP NetWeaver Gateway.
For more information, see help.sap.com/nwgateway.
SAP Multichannel Foundation for Utilities and Public Sector Management
SAP provides you with an infrastructure to help your technical support consultants and system administrators
effectively manage all SAP components and complete all tasks related to technical administration and operation.
For more information, see help.sap.com/netweaver.
Certain components or scenarios used by this application can be configured and tools are available for adjusting
these components.
For more information, see help.sap.com/nwgateway.
SAP UI5 Sample Application Configuration
When you install the add-on UMCUI501 for SAP Gateway, you receive a sample SAP UI5 application,
FMCAUI5_MOBILE. This is an example of how OData services are consumed within SAP Multichannel Foundation
for Utilities and Public Sector.
You must be running the following SAPUI5-related add-ons:
● UISAPUI5 (with this add-on, the SAP UI5 JavaScript library is installed)
● UI_INFRA
● Optional SAP UI5 components UI5_731 SP5 for team provider and other SAP UI5 components, depending on the UI implementation approach
FMCAUI5_MOBILE Application
The FMCAUI5_MOBILE application is stored as a BSP application under the MIME repository
path /sap/bc/bsp/sap/FMCAUI5_MOBILE. It contains a set of CSS, HTML, and JavaScript files packaged into a
BSP application and uploaded to the server using a team provider Eclipse plugin. To copy the application and
upload it to the server again, you use report /UI5/UI5_REPOSITORY_LOAD.
SAP NetWeaver Gateway Service Configuration
The FMCAUI5_MOBILE application calls OData services from SAP ERP; therefore, the ERP_FMCA_MC_SRV and
/IWBEP/USERMANAGEMENT services need to be configured to point to a backend system (SAP system alias) using
the service maintenance transaction in SAP NetWeaver Gateway.
For more information, see help.sap.com/nwgateway.
Logon Configuration
The HTML logon page is prepared dynamically as a server response by the ABAP class /UI2/CL_SRA_LOGIN. It is
set under Error Pages > Logon Errors > System Logon Configuration > Logon Layout and Procedure > Custom
Implementation in the SICF configuration for the node /default_host/sap/bc/ui5_ui5/sap/fmcaui5_mobile.
For more information about SICF configuration, see help.sap.com/nwgateway.
Logon Logic
Figure 3: Logon Logic
When the browser accesses the path of the SAP UI5 application, a request is sent to the server; the request is
processed based on the SICF Customizing for SAP UI5 Web applications. This Customizing specifies that a custom
implementation of the logon layout and procedure is available, so the HTM_LOGIN method of the /UI2/CL_SRA_LOGIN
class is executed. It searches for the login.properties file in the UMCUI5 Web application directory. In the
login.properties file, it searches for a way to load the template_login page (see the screenshot below).
Figure 4: Login Properties File
The template_login page represents an HTML page with certain parameters that are dynamically set and the
final HTML page is provided to the browser.
The following code snippet is from the template_login.html page supplied with the sample application:
Figure 5: Code Sample from template_login.html page
Note
@sys_form_name_login and all items that start with @ are the parameters that are replaced during runtime
by the HTM_LOGIN method of the /UI2/CL_SRA_LOGIN class.
Users are only logged in once they have entered their user ID and password and choose the log-on option. A form
is prepared with certain set fields in the client and is posted to the server. If authentication is completed
successfully, the user is brought to the index.html page of the Web application. If it fails, error messages are
returned instead of the parameter @sys_messages_text and shown on the UI.
Logout Configuration
There is no specific logout page. SAP UI5 needs to execute navigation to the standard logout ICF node
/sap/public/bc/icf/logoff with a redirect URL. You can define an external alias for this ICF node with the same
name for which you define a logout redirect (Error Pages > Logoff Page > Redirect to URL). This affects the
entire server.
For more information about the logout redirect, see SAP Note 1509851. We recommend applying an HTTP
whitelist as described in SAP Note 853878.
Note
Not all log out functionality is available in releases prior to SAP NetWeaver 7.02.
UMCUI5_MOBILE Foundation Application
The foundation application is stored under the MIME repository path /sap/public/bc/ui2/
umcui5_mobile_foundation. The foundation files are loaded manually into the MIME repository. The
foundation JavaScript library is required by both the private and public applications.
Custom UI Theme
To apply a custom theme for the SAPUI5 mobile application, execute the JavaScript code
sap.ui.getCore().applyTheme("myThemeName");.
An example of the dynamic theme switch is in the ActionSheetController.js file in the home component for
the responsive UI.
5 Security
This section provides security-relevant information applicable to SAP Multichannel Foundation for Utilities and
Public Sector. The system landscape of SAP Multichannel Foundation for Utilities and Public Sector is built from
SAP ERP and SAP NetWeaver Gateway so the corresponding security guides apply.
Technical System Landscape
The following figure illustrates the technical system landscape for SAP Multichannel Foundation for Utilities and
Public Sector.
Figure 6: Technical System Landscape for SAP Multichannel Foundation for Utilities and Public Sector
UMCERP01 is the SAP ERP add-on that groups business processes. A sample SAPUI5 template is hosted on the
SAP NetWeaver Gateway. The UI application communicates with the SAP NetWeaver Gateway using OData
protocol. The SAP NetWeaver Gateway dispatches the calls to specific backend systems.
Data, Data Flow, and Processes
The following figure illustrates the data flow when a user logs onto SAP Multichannel Foundation for Utilities and
Public Sector.
Figure 7: Data Flow
The following table lists the security aspects to consider for each process step.
Table 13
Step | Description | Security Measure
1 | User logs on with user name and password | HTTPS communication protocol
2 | User credentials sent | SAP NetWeaver user management
3 | Retrieves user accounts | Communication using HTTPS and synchronous RFC to trusted destination
Recommendation
To protect users from being locked after several failed login attempts, we recommend that you set the
parameter login/failed_user_auto_unlock to remove user locks at midnight. This is maintained in the
CCMS profile maintenance tool.
For more information, see SAP NetWeaver at help.sap.com/nw_platform.
User Administration and Authentication
SAP Multichannel Foundation for Utilities and Public Sector adopts the user management and authentication
mechanisms provided by SAP NetWeaver, specifically SAP NetWeaver Application Server ABAP (SAP NW AS
ABAP). Therefore, the security recommendations and guidelines for user administration and authentication as
described in the SAP NetWeaver Application Server ABAP Security Guide apply to this solution. The SAP
NetWeaver Application Server ABAP Security Guide contains the following information:
● User management concept, tools, and required users
● User authentication and single sign-on
● Authorization and roles
Starting from SAP NetWeaver Gateway SP07, a set of OData services is available that exposes some of the
functionality of SAP NetWeaver User Management and enhances it with User Request Management, which allows
online users to request the creation of user accounts.
User Creation and Activation for Standalone SAP ERP
When you create users on the SAP Gateway system and on the application backend system, the main user record
is stored in SAP Gateway with an active password and communications data user type. Users with the same name
are created in SAP ERP with no password and a communications data user type.
Users in the Back End Systems and SAP Gateway
Application users are relevant for the backend system.
In the SAP backend systems, users are created without a password. This protects the users against incorrect or
insecure password handling. Users also require a user ID for the SAP Gateway layer. They must have the same
user name as the users in the backend system. The user authorizations trigger the application services in the
backend system.
By default, all application users are created with the same username in SAP Gateway and in the backend systems.
SAP Multichannel Foundation for Utilities and Public Sector does not use single sign-on (SSO). SAP NetWeaver
provides SSO so customers may use it if necessary.
For more information, see SAP NetWeaver at help.sap.com/nw_platform, help.sap.com/netweaver, and help.sap.com/nwgateway.
Password Rules and Security Policy
Password rules define what form a password can take in SAP NetWeaver Application Server (SAP NetWeaver AS)
ABAP. Some rules are predefined in the system, while others you can configure with the security policy or with
profile parameters.
For more information, see help.sap.com/nw_platform, and then choose Identity Management > User and
Role Administration of Application Server ABAP > Configuration of User and Role Administration > First Installation
Procedure > Logon and Password Security in SAP NetWeaver Application Server ABAP > Password Rules.
Authorizations
SAP Multichannel Foundation for Utilities and Public Sector uses the authorization concept provided by SAP
NetWeaver Application Server ABAP. The recommendations and guidelines for authorizations as described in the
SAP NetWeaver Application Server ABAP Security Guide apply to SAP Multichannel Foundation for Utilities and
Public Sector. The SAP NetWeaver authorization concept is based on assigning authorizations to users based on
roles. For role maintenance, use the profile generator transaction on the Application Server ABAP (AS ABAP).
Session Security Protection
For SAP NetWeaver 7.0 and higher, we recommend you activate HTTP security session management using the
respective transaction. In particular, it is recommended that you activate extra protection of security-related
cookies.
● The HttpOnly flag instructs the browser to deny access to the cookie through client-side script. As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser does not reveal the cookie to a third party.
● The Secure flag tells the browser to send the cookie only if the request is being sent over a secure channel, such as HTTPS. This helps protect the cookie from being passed over unencrypted requests.
You configure these additional flags with the following profile parameters:
Table 14
Profile Parameter | Recommended Value | Description | Comment
icf/set_HTTPonly_flag_on_cookies | 0 | Add HttpOnly flag | Client-dependent
login/ticket_only_by_https | 1 | Add Secure flag | Client-independent
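A way to verify that the flags described above actually arrive at the browser, as an added Python example that is not SAP's code: audit_cookies parses the Set-Cookie values of a captured logon response and reports every security-relevant cookie that lacks HttpOnly or Secure. SAMPLE_HEADERS is a constructed response, and the SECURITY_COOKIES patterns (the SAP_SESSIONID_<SID>_<client> security session cookie and the MYSAPSSO2 logon ticket) are this example's assumption about which cookies to check.

```python
"""Audit Set-Cookie headers for HttpOnly and Secure (added example, not SAP code)."""
import re

# Assumption: these cookies carry the security session and the logon ticket.
SECURITY_COOKIES = [re.compile(r"^SAP_SESSIONID_\w+_\d{3}$"), re.compile(r"^MYSAPSSO2$")]


def parse_set_cookie(value):
    """Return (name, {attribute_lower: value}) for one Set-Cookie header value.
    Flag attributes such as HttpOnly and Secure map to an empty string."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs


def audit_cookies(set_cookie_values):
    """Return (cookie name, missing flag) pairs for security-relevant cookies
    that lack HttpOnly or Secure. Other cookies are ignored."""
    findings = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if not any(p.match(name) for p in SECURITY_COOKIES):
            continue
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append((name, flag))
    return findings


# Constructed Set-Cookie values as a logon response might return them
# (cookie values are made up). The session cookie here lacks the Secure flag.
SAMPLE_HEADERS = [
    "SAP_SESSIONID_NPL_001=AbCdEf0123456789; path=/; HttpOnly",
    "MYSAPSSO2=AjExMDAgAAhQ; path=/; domain=.example.com; secure; HttpOnly",
    "sap-usercontext=sap-client=001; path=/",
]

if __name__ == "__main__":
    for name, flag in audit_cookies(SAMPLE_HEADERS):
        print(f"{name}: missing {flag}")
```

Run the audit against the headers of a real logon response after changing either profile parameter; an empty result for the session and ticket cookies is the expected state.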
Recommendation
We recommend upgrading to SAP NetWeaver 7.02 or higher as the logout feature is not available to users
using earlier SAP NetWeaver versions.
User request data is stored in SAP NetWeaver Gateway for processing. Depending on your business needs and
local regulations, you can delete some user requests after certain periods of time. SAP Multichannel Foundation
for Utilities and Public Sector is built on SAP NetWeaver Gateway. To ensure your data is protected and
inaccessible, see the data protection and privacy information provided by SAP NetWeaver Gateway.
Network and Communication
Your network infrastructure is extremely important in protecting your system and it needs to support your
business communication without allowing unauthorized access. A well-defined network topology can eliminate
many security threats based on software flaws at the operating system level and application level or network
attacks, such as eavesdropping. If users cannot log on to your application or database servers at the operating
system or database layer, intruders cannot compromise the machines and gain access to the backend system’s
database or files. Also, if users are not able to connect to the LAN, they cannot exploit well-known bugs and
security holes in network services on the server machines.
The network topology for SAP Multichannel Foundation for Utilities and Public Sector is based on SAP NetWeaver.
The security guidelines and recommendations described in the SAP NetWeaver Security Guide apply to SAP
Multichannel Foundation for Utilities and Public Sector.
Communication Channel
The following table illustrates the communication channels used by SAP Multichannel Foundation for Utilities and
Public Sector, the protocols used for the connection, and the data types transferred.
Table 15
Communication Path | Protocol Used | Data Types Transferred | Data Requiring Special Protection
Web browser acting as frontend client to SAP NetWeaver Gateway | HTTPS | Application data and security credentials | Application data and security credentials
SAP NetWeaver Gateway to SAP backend systems and among each other | RFC | Application data | Application data
RFC connections can be protected using SNC. HTTP connections are protected using the SSL protocol. It is
important to use the HTTPS protocol in all cases so that sensitive information is encrypted. To enforce this for an
SICF node (for the UI application and all the services), set the SSL flag on the Logon Data tab page of the node.
For more information, see SAP Note 510007.
Network
Internet access to your SAP ERP backend system from SAP Multichannel Foundation for Utilities and Public
Sector is secured by an application-level gateway in the corporate network DMZ, as described in the SAP
NetWeaver Security Guide.
Communication Destinations
The following table illustrates an overview of the communication destinations used by SAP Multichannel
Foundation for Utilities and Public Sector.
Table 16
Destination | Delivered | Type | User, Authorizations | Description
Connection to SAP ERP system | Yes | RFC | User ID | Used by service user to create user account in SAP ERP system (trusted RFC connection)
Internet Communication Framework Security
Security for SAP Multichannel Foundation for Utilities and Public Sector consists of SAP NetWeaver Gateway
OData services and HTML5/SAP UI5-based web-enabled content managed by the Internet Communication
Framework (ICF) (transaction SICF).
You must activate the ICF services required for the applications that you want to use.
Note
You can also activate these services during the technical configuration.
The SAP Multichannel Foundation for Utilities and Public Sector solution relies on the following services in SAP
ERP:
● FMCAUI5_MOBILE: An HTML5/SAP UI5-based web-enabled interface to access the OData services.
● ERP_FMCA_MC_PUBLIC_SRV: Anonymous OData service from the SAP ERP system.
● ERP_FMCA_MC: OData services from the SAP ERP system.
The application also uses the services USERMANAGEMENT and USERREQUESTMANAGEMENT from SAP NetWeaver
Gateway.
More Information
For more information about ICF and OData service activation, see the RFC/ICF Security Guide at help.sap.com/netweaver
under SAP NetWeaver 7.0 Including Enhancement Package 1 > SAP NetWeaver Security Guide > Security Guides for
Connectivity and Interoperability Technologies.
Data Protection and Privacy
Since the SAP Multichannel Foundation for Utilities and Public Sector solution collects and processes online
users’ personal data, it is often required to comply with legal regulations or public standards such as data privacy.
In this instance, the user interface may need to be adjusted. For example, a check box has to be added to obtain
the online user’s consent before an account is created.
The SAP Multichannel Foundation for Utilities and Public Sector application uses session cookies. For more
information, see Session Security Protection [external document].
Recommendation
We recommend activating secure session management. We also highly recommend using SSL to protect the
network communications where these security-relevant cookies are transferred.
User request data is stored in SAP Gateway for processing. Depending on business needs and local regulations,
you can delete some user requests after certain periods of time.
The SAP Multichannel Foundation for Utilities and Public Sector solution is built on SAP Gateway. To ensure your
data is protected and cannot be accessed by anyone, we recommend that you see the Guide on Data Protection
and Privacy provided by SAP NetWeaver at help.sap.com/netweaver under SAP NetWeaver Gateway 2.0 >
Security Information > SAP NetWeaver Gateway Security Guide.
Read Access Logging (RAL)
Read Access Logging (RAL) is used to monitor and log read access to sensitive data. It is often required to comply
with legal regulations or public standards such as data privacy. Since the application relies on the underlying
business suite to save sensitive data, we highly recommend reading the documents for the underlying platforms
and activating the RAL according to your specific requirements.
For more information, see help.sap.com/saphelp_nw74/helpdata/en/54/69bbeab2e94c93b9031584711d989d/frameset.htm.
More Information
● For more information about deleting user requests, see the SAP Help Portal at help.sap.com/nwgateway. In the SAP NetWeaver Gateway Developer Guide, choose OData Channel > Advanced Features > User Self Service > Configuration Settings for User Self Service > User Self Service IMG Activities (see User Request Cleanup Customizing Activity).
● For more information about data protection and privacy, see the SAP Help Portal at help.sap.com/nwgateway. In the SAP NetWeaver Gateway Security Guide, choose Data Protection and Privacy.
● For information about configuration settings for User Self Service, see the SAP Help Portal at help.sap.com/nwgateway. In the SAP NetWeaver Gateway Developer Guide, choose OData Channel > Advanced Features > User Self Service > Configuration Settings for User Self Service.
OData Services Security
SAP Multichannel Foundation for Utilities and Public Sector accesses backend data using OData. OData is a
standardized protocol for creating and consuming data APIs. OData builds on core protocols such as HTTP and
commonly accepted methodologies such as REST. The result is a uniform way of exposing full-featured data APIs.
REST web services rely on HTTP semantics. Therefore, they use PUT and DELETE HTTP methods for update and
delete operations. If an application-level gateway (reverse proxy) is used, it must be configured to enable the
HTTP methods for the SAP NetWeaver Gateway OData services.
To secure the consumption of OData services, we recommend using batch mode for OData service requests. In
batch mode, all OData service requests are encapsulated in POST requests. Without batch mode, navigation, filter,
and other query options are visible in the URL. This means they can be bookmarked, appear in the browser history,
and expose potentially sensitive data.
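The batch wrapping described above, as an added example that is not part of the SAP guide or the product's own client code: several OData read requests are packed into one multipart/mixed $batch body (OData V2 format) and sent as a single POST to the service's $batch endpoint, so entity set names, $filter and other query options never appear in the address bar. The service root URL, entity set names and the CSRF token value are assumed sample values.

```javascript
'use strict';
// Added example: wrap several OData GET requests into one $batch POST body
// (OData V2 multipart/mixed format) so that entity sets, $filter and other
// query options travel in the request body instead of the URL.

const CRLF = '\r\n';

// Build the multipart/mixed body for a $batch request.
// `requests` is an array of { method, path, headers }; `path` is relative to
// the service root, e.g. "Accounts?$filter=AccountID eq '1000'" (constructed).
function buildBatchBody(requests, boundary = 'batch_' + Date.now().toString(16)) {
  const parts = requests.map((req) => {
    const method = (req.method || 'GET').toUpperCase();
    if (method !== 'GET') {
      // Changing operations must be wrapped in a changeset in OData V2;
      // this example batches read requests only.
      throw new Error('only GET requests are supported in this example');
    }
    const headerLines = Object.entries(req.headers || { Accept: 'application/json' })
      .map(([name, value]) => `${name}: ${value}`);
    return [
      `--${boundary}`,
      'Content-Type: application/http',
      'Content-Transfer-Encoding: binary',
      '',                                  // end of MIME part headers
      `${method} ${req.path} HTTP/1.1`,    // the embedded HTTP request line
      ...headerLines,
      '',                                  // end of embedded request headers
      '',                                  // empty body for GET
    ].join(CRLF);
  });
  const body = parts.join(CRLF) + CRLF + `--${boundary}--` + CRLF;
  return { body, contentType: `multipart/mixed; boundary=${boundary}` };
}

// Assemble what a fetch() call to the $batch endpoint would send. Everything
// the browser would otherwise put in the address bar (and thus in history and
// bookmarks) is now inside the body of a single POST. `csrfToken` is the value
// obtained beforehand with a GET carrying "X-CSRF-Token: Fetch" (assumed here).
function batchRequestInit(serviceRoot, requests, csrfToken) {
  const { body, contentType } = buildBatchBody(requests);
  return {
    url: serviceRoot.replace(/\/$/, '') + '/$batch',
    init: {
      method: 'POST',
      headers: { 'Content-Type': contentType, 'X-CSRF-Token': csrfToken },
      body,
    },
  };
}

// Usage in a browser (sample service root and token are constructed):
//   const { url, init } = batchRequestInit(
//     'https://gw.example.com/sap/opu/odata/sap/Z_SAMPLE_SRV/',
//     [{ path: "Accounts?$filter=AccountID eq '1000'" }, { path: "Bills('42')" }],
//     csrfToken);
//   fetch(url, { ...init, credentials: 'include' });
```

Note that batching hides query options from the URL, history and bookmarks, but they are still in the request body; TLS (as recommended earlier in this chapter) remains necessary to keep that body from being read on the network.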
Other Security-Related Information
Error Handling
ICM or SAP Web dispatcher creates HTTP error messages in the standard system and sends them to the client.
For security reasons, the details should not be made available to Internet users.
Some profile parameters, such as is/HTTP/show_detailed_errors and icm/HTTP/error_templ_path,
affect the contents of the error pages of the ICM or SAP Web dispatcher.
Vulnerabilities
Clickjacking, also known as a “UI Redress Attack”, is when an attacker uses multiple transparent or opaque layers
to trick a user into clicking on a button or link on another page when they were intending to click on the top-level
page. There are different solutions against clickjacking attacks, such as setting the X-Frame-Options HTTP
header field, frame-buster JavaScript, and others.
The X-Frame-Options header can be set with the instance profile parameter
ict/perm_response_header=<name>:<value>
We support the following values:
● DENY (no hosting frame allowed)
● SAMEORIGIN (only same origin allowed)
● ALLOW-FROM hostname.example.com (only the specified origin allowed)
If this solution is not applicable, including JavaScript code in the HTML pages can actively prevent the pages from
being embedded in a frame. The following is an example of the code:
Figure 8 (frame-buster JavaScript example)
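An added example, written for this edition and not the guide's Figure 8 nor SAP product code, covering both defences named above: a parser that accepts only the three X-Frame-Options values listed as supported (so a mistyped profile value is caught before it silently leaves the application frameable), a helper that formats the ict/perm_response_header profile parameter line shown above, and a frame buster. The `win` argument is injected so the frame buster can be exercised outside a browser; in a page you would call `bustFrame(window)` from the first script in the document head.

```javascript
'use strict';
// Added example (not from the SAP guide): helpers for the two clickjacking
// defences the guide names, X-Frame-Options and a frame buster.

const SUPPORTED_XFO = ['DENY', 'SAMEORIGIN', 'ALLOW-FROM'];

// Parse an X-Frame-Options value into its directive (plus origin for ALLOW-FROM).
// Returns null for anything outside the three supported values.
function parseXFrameOptions(value) {
  const [directive, ...rest] = String(value).trim().split(/\s+/);
  const name = directive.toUpperCase();
  if (!SUPPORTED_XFO.includes(name)) return null;
  if (name === 'ALLOW-FROM') {
    if (rest.length !== 1) return null;   // ALLOW-FROM needs exactly one origin
    return { directive: name, origin: rest[0] };
  }
  if (rest.length) return null;           // DENY / SAMEORIGIN take no argument
  return { directive: name };
}

// Format the profile parameter line from the guide,
// ict/perm_response_header=<name>:<value>, for a given X-Frame-Options value.
// Throws on an unsupported value instead of emitting an ineffective header.
function xfoProfileParameter(value) {
  const parsed = parseXFrameOptions(value);
  if (!parsed) throw new Error(`unsupported X-Frame-Options value: ${value}`);
  const v = parsed.origin ? `${parsed.directive} ${parsed.origin}` : parsed.directive;
  return `ict/perm_response_header=X-Frame-Options:${v}`;
}

// Frame buster: if this document is not the top-level browsing context, hide
// its body (so nothing clickable is rendered inside the hosting frame) and try
// to navigate the top window to our own URL. Returns true when framing was
// detected. `win` is the window object (injected for testability).
function bustFrame(win) {
  if (win.top === win.self) return false;
  if (win.document && win.document.body) win.document.body.style.display = 'none';
  try {
    win.top.location.href = win.self.location.href;
  } catch (e) {
    // A sandboxed or otherwise restricted frame may block the navigation;
    // the body stays hidden in that case.
  }
  return true;
}
```

Setting the header on the server is the primary control; the frame buster is the fallback the guide describes for cases where the header cannot be set, and hiding the body first matters because a script-blocking sandbox can prevent the redirect but not the CSS rule.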
Sensitive Information in Browser Cache
A technical limitation has been identified that some PDF files are cached by browsers. This may cause security
issues when the PDF files have sensitive information. This issue has been investigated and a solution is being
implemented at this time. Contact SAP for information about the availability of this solution.
Payment Card Security
The Payment Card Industry Data Security Standard (PCI-DSS) was jointly developed by major credit card
companies to create a set of common industry security requirements to protect cardholder data. Compliance
with this standard is relevant for companies processing credit card data. For more information, see
www.pcisecuritystandards.org.
This application relies on the underlying SAP Business Suite to store or process payment card information. For
general information and measures to ensure payment card security, see the Payment Card Security Guide on SAP
Service Marketplace at service.sap.com/securityguide under SAP Business Suite Applications → Payment Card
Security on the left-hand side panel.
Note
The PCI-DSS covers more than those steps and considerations. Complying with the PCI-DSS is the customer’s
responsibility.
In addition to the other measures, it is important to make an access log and mask the payment card numbers
when they are displayed or transmitted. This can be handled by SAP Business Suite in Customizing under
Cross-Application Components → Payment Cards → Basic Settings → Make Security Settings for Payment Cards.
For current information about PCI-DSS, see SAP Note 1609917.
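The masking rule above, as an added example that is neither SAP code nor the Customizing activity just named: the backend setting masks card numbers in the Business Suite, and this shows the same two rules applied on the client side, never rendering a full PAN and never writing one into an access log. The log line and card number are constructed sample values (4111111111111111 is a well-known test number).

```javascript
'use strict';
// Added example (not SAP code): masking payment card numbers (PANs) before
// they are displayed, logged or transmitted.

// Luhn check: used only to decide whether a 13-19 digit run is plausibly a PAN,
// so that order numbers and timestamps in a log line are not masked by mistake.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Mask a PAN for display: keep only the last four digits. PCI-DSS requirement 3.3
// permits at most the first six and last four to be shown; this keeps fewer.
function maskPan(pan) {
  const digits = String(pan).replace(/\D/g, '');   // tolerate spaces and hyphens
  if (digits.length < 13 || digits.length > 19) {
    throw new Error('not a payment card number length');
  }
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Redact PANs in a free-text log line before it is written to the access log.
// Digit runs that do not pass Luhn are left untouched.
function redactPansInLogLine(line) {
  return line.replace(/(?<!\d)\d{13,19}(?!\d)/g, (m) => (luhnValid(m) ? maskPan(m) : m));
}

// Constructed sample: what an access-log line for an anonymous bill payment
// might look like before redaction (user, order and card values are made up).
const SAMPLE_LOG_LINE =
  '2016-04-05 12:00:01 user=jdoe action=AnonymousBillPayment order=1234567890123 card=4111111111111111 amount=42.00';

function redactedSample() {
  return redactPansInLogLine(SAMPLE_LOG_LINE);
}
```

The redaction regex only catches contiguous digit runs; a PAN written with spaces or hyphens in free text must be normalised before logging, which is one more reason to log a pre-masked field rather than to scrub afterwards.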
CAPTCHA
A CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can
pass but current computer programs cannot. There are many CAPTCHA services available online, such as
Google’s reCAPTCHA™. It is strongly recommended that you integrate a CAPTCHA service into the application
to further protect public services, for example, User Registration, Anonymous Bill Payment, and so on.
Note
CAPTCHA integration involves extending the OData Model, which is detailed in an earlier chapter.
Virus Scan Interface
The virus scan interface can be used to include external virus scanners in the SAP system to increase security,
especially when uploading files from an unknown source is allowed. The virus scan interface can be used to
restrict file types that can be uploaded to the system. It is important that the virus scan is configured and
activated in the system.
For details about enabling antivirus scans, see the SAP Library at
help.sap.com/saphelp_nw74/helpdata/en/4e/2606c3c61920cee10000000a42189c/frameset.htm and
help.sap.com/saphelp_nw74/helpdata/en/b5/5d22518bc72214e10000000a44176d/content.htm.
More Information
For more information, see help.sap.com/nw_platform (7.01) and choose Technical Operations for SAP NetWeaver →
Configuration → Profiles → Maintaining Profiles → Changing and Switching Profile Parameters.
Security-Relevant Logging and Tracing
For more information about security logs for the SAP NetWeaver Gateway, see help.sap.com/nwgateway and
choose SAP NetWeaver Gateway Developer Guide → OData Channel → APIs and Coding → Logging In SAP
NetWeaver Gateway.
Typographic Conventions
Table 17
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your <User Name>”.
Example → Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | ● Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Example | ● Cross-references to other documentation or published works
  ● Output on the screen following a user action, for example, messages
  ● Source code or syntax quoted directly from a program
  ● File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE
EXAMPLE | Keys on the keyboard
www.sap.com
© Copyright 2016 SAP SE or an SAP affiliate company. All rights
reserved.
No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP SE
or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks
of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the
trademarks of their respective companies. Please see
www.sap.com/corporate-en/legal/copyright/index.epx#trademark
for additional trademark information and notices.