Application Gateway with Apache


(1)

Nghia Nguyen
SAP NetWeaver RIG Americas, SAP Labs, LLC


(2)

Introduction
Session Objectives and Requirements
Use Cases and Scenarios
Configuring the Applications
Wrap-Up
Troubleshooting
Security Configuration
Resources
Limitations


(4)

© SAP AG 2006, RAFP20 - EFP / 4

Enterprise Security Requirements

Enterprise applications need protection for proprietary and confidential information and systems. These requirements are driven not only by the desire to protect against unwanted access, but also by regulatory constraints regarding personal privacy.

(5)


Acronyms

SAP ERP – SAP Enterprise Resource Planning

SAP CRM – SAP Customer Relationship Management

SAP SRM – SAP Supplier Relationship Management

ITS – Internet Transaction Server

ICF – Internet Communication Framework

ICM – Internet Communication Manager

IAC – Internet Application Component

(6)


Data and Application Security

Data security is required to protect proprietary or personal information from unauthorized access. This includes:
• Restricting application users from accessing data they are not authorized to see
• Encryption of data to prevent unauthorized access to the data by users outside the application

Application security is required to ensure that:
• Only authorized users are allowed to access the system
• Data security is maintained inside the application

(7)


Safeguards Versus Threats

[Diagram: threats (masquerading, eavesdropping, tampering, denial of service, planting, OS and application-level vulnerabilities, penetration, spoofing, social engineering, OS cracking) shown against client, network and server, with the safeguards encryption, authentication, patches, application gateway, firewall, virus detection, training and OS hardening.]

(8)


Data Flow – Why we need proxies

[Diagram: browser, portal and SAP system; steps 1 iView request, 2 compute target URL, 3 target request, 4 run Web application.]

(9)


What is an Application Gateway?

• An application that acts as a “middle man” between your computer and the Internet resources you are accessing (e.g. Web sites, FTP archives)
• No direct connection between a client on the local network and a server on the Internet (or vice versa)
• Relays traffic between the actual client and the actual server while doing checks and access controls that typical client and server software do not support

(10)


Possible Features of an Application Gateway

Pre-authentication and authentication
• Is the user permitted to access the server / service / URL?

Validity of a service request / URL
• Is access to the requested URL via the Internet permitted?
• Does the request contain no known exploits?
• Is the source of the request permitted (sender address)?

Integrity and correctness of the message (for example SOAP)
• Is the destination for the SOAP message known and is access to it via the Internet permitted?
• Is the sender permitted?

Auditing

Other (non-security related)
• Combining different information sources under one external name

(11)


URL Generation

A common issue with proxies is URL generation by the backend (proxied) applications.
• When applications generate URLs to other applications or to themselves, you must ensure that all hostnames can be resolved by the client browser.

Proxies such as Apache provide the ProxyPreserveHost directive, which ensures that the hostname requested by the client is passed all the way through to the application.
• Generated URLs will then be based on the proper hostname, which is resolvable by the client.

SAP NetWeaver 04 and 2004S systems have configuration capabilities that provide a mechanism for controlling which hostname is returned to the client.


(13)


Session Objectives

As a result of this session, you will be able to:
• Provide an alternative solution for multi-backend systems
• Understand the basic role of an Application Gateway

(14)


Requirements

• Have the Apache HTTP Server
• Have access to the “httpd.conf” for modification
• Have permission to restart the web server
• Understand basic regular expressions
• Have multiple SAP NetWeaver usage types installed
• Have permission to create/change system definitions


(16)


Common Use Cases

Supplier Portal / Customer Portal
• It is very common that applications such as mySAP SRM or mySAP CRM are used in Internet-facing scenarios to facilitate direct access to company data by that company's suppliers or customers.

Business Process Integration
• The continued evolution of process integration between companies and business units further moves the requirement for access to backend applications from direct person-to-application access to more complex interactions, which often invoke transactional business processes.

(17)


Internet-facing Scenario – Basic

Basic scenarios allow direct access from the Internet to backend systems. A more secure configuration is to place an application gateway between the user and the backend system.

see the SAP TechEd session

(18)


Internet-facing Scenario – Advanced

• multiple entry points
• multiple protocols
• multiple applications

(19)


Case 1: Single SAP NetWeaver Portal
Case 2: Multiple SAP NetWeaver Portal

(20)


Configuration Scenarios 2/2

Case 3: Single SAP NetWeaver Portal with multiple SAP ERP/CRM/SRM
Case 4: Multiple SAP NetWeaver Portal with multiple SAP ERP/CRM/SRM


(22)


Limitations

• Not able to hide all aspects of the SAP hostname
• In the Request Method and Referer URL

Examples:

Request Method URL:
/sap(cz1TSUQlM2FBTk9OJTNhSE9TVE5BTUVfV0FKXzAwJTNhTTQ4MmRGT2dIWU1lcFltTGdQS0RSWUNtMHpvcm9mZGdXX1lxUXl1eC1BVFQ=)/bc/gui/sap/its/it13/~flNUQVRFPTE4NTI2LjAwMi4wMS4wMQ== HTTP/1.1

Referer URL:
http://<PortalHostname>:9020/sap(cz1TSUQlM2FBTk9OJTNIT1NUTkFNRV9XQUpfMDAlM2FNNDgyZEZPZ0hZTWVwWW1MZ1BLRFJZQ20wem9yb2ZkZ1dfWXFReXV4LUFUVA==)/bc/gui/sap/its/it13/~flNUQVRFPTE4NTI2LjAwMi4wMS4wMQ==

Result (Base64 decode):
s=SID%3aANON%3aHOSTNAME_WAJ_00%3aM482dFOgHYMepYmLgPKDRYCm0zorofdg
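As an added example (not part of the original deck), the following Python decodes the session token from the request path quoted above and flags request or Referer paths that expose a backend host the gateway is meant to hide; the set of internal host identifiers passed to it is an assumption.

```python
import base64
import binascii
import re
from typing import List, Optional, Set

# Request path quoted on the Limitations slide; the base64 token between
# "/sap(" and ")" is ITS/ICM session state that the proxy passes through.
SAMPLE_REQUEST_PATH = (
    "/sap(cz1TSUQlM2FBTk9OJTNhSE9TVE5BTUVfV0FKXzAwJTNhTTQ4MmRGT2dIWU1lcFltT"
    "GdQS0RSWUNtMHpvcm9mZGdXX1lxUXl1eC1BVFQ=)"
    "/bc/gui/sap/its/it13/~flNUQVRFPTE4NTI2LjAwMi4wMS4wMQ=="
)

# First /sap(<token>) segment; alphabet covers standard and URL-safe base64.
_TOKEN_RE = re.compile(r"/sap\(([A-Za-z0-9+/=_-]+)\)")

def extract_session_token(path: str) -> Optional[str]:
    """Return the raw base64 token from a /sap(...) path segment, or None."""
    match = _TOKEN_RE.search(path)
    return match.group(1) if match else None

def decode_token(token: str) -> Optional[str]:
    """Decode the token, trying standard base64 first and URL-safe second."""
    for decoder in (lambda t: base64.b64decode(t, validate=True),
                    base64.urlsafe_b64decode):
        try:
            return decoder(token).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
    return None

def session_fields(decoded: str) -> List[str]:
    """Split 's=A%3aB%3aC' into its %3a (URL-encoded ':') separated fields."""
    if not decoded.startswith("s="):
        return []
    return decoded[2:].split("%3a")

def leaks_backend_host(path: str, backend_hosts: Set[str]) -> bool:
    """True if the token in `path` names one of the internal SAP hosts the
    gateway is meant to hide (backend_hosts is a constructed, assumed list)."""
    token = extract_session_token(path)
    if token is None:
        return False
    decoded = decode_token(token)
    if decoded is None:
        return False
    return any(field in backend_hosts for field in session_fields(decoded))
```

Run over proxy access logs, the last function gives a quick check of whether the HTTPURLLOC / ITS configuration described later actually keeps the backend hostname out of client-visible URLs.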


(24)


Enterprise Portal System Configuration

Using Proxies Instead of Direct Connections in the Landscape Manager
• We typically build R3 connections using the REAL HOST information!
• When we use proxies to access these back-end systems, we use the hostname of the proxy instead of the SAP NetWeaver AS when we define the system connection.

(25)


Accessing ITS Services with a Proxy

Without any configuration of ITS services or HTTPURLLOC, a client who requests an ITS service through a proxy will simply be redirected to the real SAP NetWeaver AS host.
• The URLs generated by the ICF will use the SAP NetWeaver AS hostname.

Once the configuration is maintained, the client will never see information regarding the actual hostname of the SAP NetWeaver AS. The configured hostname should be the hostname of your proxy server!

(26)


Apache Proxy Tip

Apache configuration is fairly trivial: you simply modify the httpd.conf to include a proxy rule for the backend system.

ProxyPass /sap http://ls4089.wdf.sap.corp:50089/sap
ProxyPassReverse /sap http://ls4089.wdf.sap.corp:50089/sap

But there’s a twist ...
• This rule falls over when the ICM puts session information into the URLs; then you need to add a rewrite rule.

(27)


Possible Options

Option A - Multiple Apache ports
• Assign an Apache port to each system
• Administration and Security: must monitor and open more ports for the WAN

Option B - Multiple Apache Virtual Hosts
• Assign a virtual host to each system
• Administration and Security: more system aliases to maintain for the WAN

* SAP does not endorse or promote these configuration settings. These possible solutions only provide an option for some of the common issues.

(28)


Case 1: Single SAP NetWeaver Portal

• Simple configuration level requires simple rules
• Apache’s Rules

ProxyPass /irj http://<full hostname>:<port>/irj
ProxyPass /logon http://<full hostname>:<port>/logon
ProxyPass /webdynpro http://<full hostname>:<port>/webdynpro
ProxyPassReverse /irj http://<full hostname>:<port>/irj
ProxyPassReverse /logon http://<full hostname>:<port>/logon
ProxyPassReverse /webdynpro http://<full hostname>:<port>/webdynpro
RewriteRule ^/(sap.*) http://<backend hostname>:<port>/$1 [P,L]

(29)


Case 2: Multiple SAP NetWeaver Portal

• Moderate configuration level requires moderate rules
• Apache’s Rules

RewriteCond %{HTTP_HOST} ^.*?<alias hostname>.*
RewriteRule ^/(.*) http://<full hostname>:<port>/$1?%{QUERY_STRING} [P,L]
RewriteCond %{HTTP_HOST} ^.*?<alias hostname>.*
RewriteRule ^/(.*) http://<full hostname>:<port>/$1?%{QUERY_STRING} [P,L]

(30)


Case 3: Single SAP NetWeaver Portal with multiple SAP ERP/CRM/SRM

• Complex configuration level requires complex rules
• Apache’s Rules

RewriteCond %{HTTP_HOST} ^.*?<alias hostname>.*
RewriteRule ^/(.*) http://<full hostname>:<port>/$1?%{QUERY_STRING} [P,L]
RewriteCond %{HTTP_HOST} ^.*?<alias hostname>.*
RewriteRule ^/(.*) http://<full hostname>:<port>/$1?%{QUERY_STRING} [P,L]
ProxyPass /irj http://<full hostname>:<port>/irj
ProxyPass /logon http://<full hostname>:<port>/logon
ProxyPass /webdynpro http://<full hostname>:<port>/webdynpro
ProxyPassReverse /irj http://<full hostname>:<port>/irj
ProxyPassReverse /logon http://<full hostname>:<port>/logon
ProxyPassReverse /webdynpro http://<full hostname>:<port>/webdynpro

(31)


Case 4: Multiple SAP NetWeaver Portal with multiple SAP ERP/CRM/SRM

• Complex configuration level requires complex rules
• Apache’s Rules
• Almost the same as Case 3; just add more rules for each system
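As an added example, not taken from the deck, the rules of Cases 3 and 4 written out as one httpd.conf fragment, together with the surrounding settings a gateway needs (forward proxying disabled, ProxyPreserveHost for URL generation, anchored host matching). All hostnames, ports and aliases are placeholders.

```apache
# Added example, not from the deck: Cases 3 and 4 written out as one
# httpd.conf fragment. All hostnames, ports and aliases are placeholders.

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module    modules/mod_rewrite.so

# The gateway relays only the configured backends; it must never act as an
# open forward proxy.
ProxyRequests Off

# Pass the client's Host header through so that URLs generated by the
# backends carry the proxy alias, not the real SAP hostname.
ProxyPreserveHost On

RewriteEngine On

# Portal (Case 1 rules): fixed path prefixes, plain ProxyPass.
ProxyPass        /irj       http://portal-int.corp.example:50000/irj
ProxyPassReverse /irj       http://portal-int.corp.example:50000/irj
ProxyPass        /logon     http://portal-int.corp.example:50000/logon
ProxyPassReverse /logon     http://portal-int.corp.example:50000/logon
ProxyPass        /webdynpro http://portal-int.corp.example:50000/webdynpro
ProxyPassReverse /webdynpro http://portal-int.corp.example:50000/webdynpro

# ABAP backends, one alias each. The ICM puts the session token into the
# path (/sap(<base64>)/...), so the backend is chosen by Host header and
# the whole /sap tree is proxied. The host pattern is anchored; the deck's
# ^.*?alias.* form also matches any hostname that merely contains the alias.
# mod_rewrite appends the original query string itself, so ?%{QUERY_STRING}
# is not needed in the substitution.
RewriteCond %{HTTP_HOST} ^erp\.example\.com(:[0-9]+)?$ [NC]
RewriteRule ^/(sap.*)$ http://erp-int.corp.example:8000/$1 [P,L]

RewriteCond %{HTTP_HOST} ^crm\.example\.com(:[0-9]+)?$ [NC]
RewriteRule ^/(sap.*)$ http://crm-int.corp.example:8000/$1 [P,L]

# Case 4: add one RewriteCond/RewriteRule pair per additional system.

# Rewrite Location headers from the ABAP backends as well, so a redirect
# never exposes an internal hostname to the client.
ProxyPassReverse /sap http://erp-int.corp.example:8000/sap
ProxyPassReverse /sap http://crm-int.corp.example:8000/sap
```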


(33)


Common Issues

Hostname and Domains
• Don’t blame SAP for issues with cookies and certificates if you do not maintain your servers with real hostnames and in the same domain. The rules for cookie and certificate handling are defined in RFC 2616 for HTTP/1.1.

The configuration isn’t trivial
• Setup is the most common source of connectivity issues

Users and Authorizations
• Double check all users and ensure they can log on interactively prior to testing the same action through SSO

Protocols

(34)


Tracing the Security Communication

Several SAP Notes address the topic of tracing and logging for security communication:
Note 457222 – Gathering Security Trace Information
Note 495911 – Trace Analysis for Logon Problems
Note 320991 – Error Codes for Logon (list)
Note 791205 – Single Sign-On Using SAP Logon Tickets

You need to trace the communication through all components:
Client – browser-based tools such as HttpWatch
Proxy – native tools/capabilities of the proxy
Portal – enable HTTP tracing in the HTTP provider service of the dispatcher
ABAP – SM50 and related methods described in the above notes


(36)


SAP Notes

Note 833960 – Supported Application Gateway Configurations
Note 693220 – Recommendations for the security of ITS services
Note 725931 – Security: ITS, security-relevant settings for IACs
Note 596698 – EP 6.0: Session Release Agent - Typical Problems
Note 709038 – SAP ITS Release 6.40: SAP Integrated ITS
Note 457222 – Gathering Security Trace Information
Note 495911 – Trace Analysis for Logon Problems
Note 320991 – Error Codes for Logon (list)

(37)


Guides and Documentation

Security @ SAP – http://service.sap.com/security
NetWeaver Security Guide – http://help.sap.com/saphelp_nw04/helpdata/en/8c/2ec59131d7f84ea514a67d628925a9/frameset.htm
Enable SAP GUI for HTML with Integrated ITS – https://websmp204.sap-ag.de/~sapdownload/011000358700003584472004E/WebGui_NW04.pdf

(38)


Resources

Public Web: www.apache.org, www.sap.com
SAP Developer Network: www.sdn.sap.com
SAP Customer Services Network: www.sap.com/services/

Related SAP Education Training Opportunities

(39)


Resources (cont.)

Related Workshops/Lectures from SAP TechEd 2005
AGS200 Increasing Infrastructure Security Using Application Gateways
AGS250 Authentication Using the SAP NetWeaver User Management Engine


(41)


Demo Landscape

Host: ssphlrig600
Host: ssphlrig602
Host: cdphl827
Alias: ssphlrig600-1
Host: cdphl607
Alias: ssphlrig600-2

Note: Click on the “Reference” link on the top right corner of this Articulate session and select “Demo Session” to start the demo


(43)


Your Turn!

How to contact me:

[email protected]
