This document gives guidelines for securing external (internet) access to applications created with the Neptune Application Designer.

Introduction


The Neptune Application Designer runs inside SAP NetWeaver systems and uses the Internet Communication Framework (ICF) to handle the server-client communication. Securing a Neptune application is therefore identical to securing any other NetWeaver solution based on ICF.

There are also a great number of solutions that provide increased security on top of NetWeaver, such as the SAP Mobile Platform (both the on-premise and the Cloud edition) and Mocana MAP, that can be used together with Neptune applications.


Communication


It is of paramount importance that any communication between an external network and the SAP backend systems is encrypted. SSL/TLS (HTTPS) should be used to protect the confidentiality and integrity of data in transit.

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/5f/0f558b8a7841049139f0fb558ac62c/content.htm?frameset=/en/f3/780118b9cd48c7a668c60c3f8c4030/frameset.htm


There are several further options for protecting the backend data; the most common scenarios are described below:


Network zones

It is recommended to protect your system landscape through zone security. External clients are then only allowed to reach the landscape through the DMZ (demilitarized zone), and firewalls protect your backend systems, and the sensitive data they hold, from undesired access.

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/aa/37ff4fa187622fe10000000a44176d/content.htm?frameset=/en/f3/780118b9cd48c7a668c60c3f8c4030/frameset.htm


Reverse Proxy

A reverse proxy adds an additional security layer and can hide your backend servers from external clients, which only ever see the proxy.

http://help.sap.com/saphelp_nw73/helpdata/en/09/184dff9cf845658091dd141844d0aa/content.htm

http://help.sap.com/saphelp_nw04s/helpdata/en/42/d548e630b6473ce10000000a114e5d/content.htm


Reverse Invoke

Reverse invoke ensures that no external connection needs to be accepted through the firewall: all communication is opened from the internal network towards the outer zone.

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/46/d5491e2d2b65d0e10000000a155369/frameset.htm


VPN

To gain external access to the internal network, a VPN (virtual private network) solution can also be used to provide encryption and tunneling security.


User access

To access functions and data in a backend NetWeaver system, the user needs to be authenticated.

How this is done depends on the individual customer setup. It is very important to determine in which system the end users of the application have user accounts and know their credentials.


SAP Logon Tickets

The most common logon to SAP systems from a web client is the use of SSO2 tickets. The user provides a username and password to the initial SAP system node and receives a MYSAPSSO2 cookie that can give access to multiple SAP systems.

http://help.sap.com/saphelp_nw70ehp2/helpdata/en/4a/813d713ca85766e10000000a421937/content.htm?frameset=/en/46/631b92250b4fc1855686b4ce0f2f33/frameset.htm
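As an added example (not part of the original guideline), the following Python check applies the Communication and SAP Logon Tickets advice to captured HTTP response headers from your own ICF endpoint: it flags an endpoint that answers over plain HTTP, a missing HSTS header, and a MYSAPSSO2 ticket cookie without the Secure and HttpOnly attributes. Hostnames, paths and the ticket value in the samples are constructed placeholders.

```python
"""Audit captured response headers from an SAP ICF endpoint for transport and
ticket-cookie hardening. Nothing is fetched; sample responses are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit

TICKET_COOKIE = "MYSAPSSO2"  # SAP logon ticket cookie named in the guideline


@dataclass
class Finding:
    severity: str
    message: str


def parse_set_cookie(value: str) -> tuple[str, set[str]]:
    """Split one Set-Cookie header into (cookie name, lowercased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(url: str, headers: list[tuple[str, str]]) -> list[Finding]:
    """Return findings for a response to `url` carrying `headers` as (name, value) pairs."""
    findings: list[Finding] = []
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        findings.append(Finding("high", "ICF endpoint served over plain HTTP"))
    names = {n.lower() for n, _ in headers}
    if scheme == "https" and "strict-transport-security" not in names:
        findings.append(Finding("medium", "no Strict-Transport-Security header"))
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(v)
        if cookie != TICKET_COOKIE:
            continue  # only the logon ticket is audited here
        if "secure" not in attrs:
            findings.append(Finding("high", f"{TICKET_COOKIE} lacks Secure; ticket may travel over HTTP"))
        if "httponly" not in attrs:
            findings.append(Finding("high", f"{TICKET_COOKIE} lacks HttpOnly; readable by page scripts"))
    return findings


# Constructed samples (placeholder hosts, path and ticket value; not from a real system).
WEAK = ("http://sap-backend.example.internal:8000/sap/bc/example-app",
        [("Content-Type", "text/html"),
         ("Set-Cookie", "MYSAPSSO2=TICKET-PLACEHOLDER; path=/; domain=.example.internal"),
         ("Set-Cookie", "sap-usercontext=sap-client=100; path=/")])
HARDENED = ("https://apps.example.com/sap/bc/example-app",
            [("Strict-Transport-Security", "max-age=31536000"),
             ("Set-Cookie", "MYSAPSSO2=TICKET-PLACEHOLDER; path=/; domain=.example.com; secure; HttpOnly")])

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, [f"{f.severity}: {f.message}" for f in audit_response(*sample)])
```

On the NetWeaver side the Secure attribute on the ticket cookie is governed by the profile parameter login/ticket_only_by_https, so a "lacks Secure" finding points at that setting.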


SAML 2.0

SAML 2.0 is a single sign-on solution that requires an identity provider, which manages the identity information on behalf of the service providers.

http://help.sap.com/saphelp_nw70ehp2/helpdata/en/17/6d45fc91e84ef1bf0152f2b947dc35/frameset.htm


Client Certificates

Using X.509 client certificates is another option for user authentication. The client application is authenticated by its certificate, so no username or password is required.

http://help.sap.com/saphelp_nw70ehp2/helpdata/en/b1/07dd3aeedb7445e10000000a114084/content.htm?frameset=/en/17/6d45fc91e84ef1bf0152f2b947dc35/frameset.htm


SAP Mobile Platform Cloud Edition

For customers without a system landscape already prepared for secure external communication, we recommend trying out the SAP Mobile Platform Cloud Edition as a fast, secure solution with low initial cost, where only the SAP Cloud Connector (SCC) needs to be installed on premise.

http://scn.sap.com/community/mobile/blog/2013/07/22/why-the-sap-mobile-platform-cloud-edition-will-help-mobilizing-enterprises