SAP NetWeaver Identity Management

7.0 SP2
?

SAP NetWeaver
Identity
Management
Security Guide
Document Version 1.13 August 2008

SAP AG
Neurottstrae 16
69190 Walldorf
Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver,
Copyright 2008 SAP AG. All rights reserved.

and other SAP products and services mentioned herein as well as

their respective logos are trademarks or registered trademarks of

No part of this publication may be reproduced or transmitted in

SAP AG in Germany and in several other countries all over the

any form or for any purpose without the express permission of

world. All other product and service names mentioned are the

SAP AG. The information contained herein may be changed

trademarks of their respective companies. Data contained in this

without prior notice.

document serves informational purposes only. National product

specifications may vary.

Some software products marketed by SAP AG and its distributors

contain proprietary software components of other software
vendors.
These materials are subject to change without notice. These
Microsoft, Windows, Outlook, and PowerPoint are registered

materials are provided by SAP AG and its affiliated companies

trademarks of Microsoft Corporation.

("SAP Group") for informational purposes

only, without representation or warranty of any kind, and SAP

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex,

Group shall not be liable for errors or omissions with respect to

MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries,

the materials. The only warranties for SAP Group products and

pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner,

services are those that are set forth in the express warranty

WebSphere, Netfinity, Tivoli, and Informix are trademarks or

statements accompanying such products and services, if any.

registered trademarks of IBM Corporation in the United States

Nothing herein should be construed as constituting an additional

and/or other countries.

warranty.

Oracle is a registered trademark of Oracle Corporation.

Disclaimer
UNIX, X/Open, OSF/1, and Motif are registered trademarks of

Some components of this product are based on Java. Any code

the Open Group.

change in these components may cause unpredictable and severe

malfunctions and is therefore expressively prohibited, as is any

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,

decompilation of these components.

VideoFrame, and MultiWin are trademarks or registered

trademarks of Citrix Systems, Inc.

Any Java Source Code delivered with this product is only to be

used by SAPs Support Services and may not be modified or

HTML, XML, XHTML and W3C are trademarks or registered

altered in any way.

trademarks of W3C, World Wide Web Consortium,

Massachusetts Institute of Technology.
Documentation on SAP Service Marketplace
Java is a registered trademark of Sun Microsystems, Inc.

You can find this documentation at

service.sap.com/securityguide

JavaScript is a registered trademark of Sun Microsystems, Inc.,

used under license for technology invented and implemented by
Netscape.
MaxDB is a trademark of MySQL AB, Sweden.

Typographic Conventions

Icons

Type Style

Represents

Icon

Example Text

Words or characters quoted from

the screen. These include field
names, screen titles,
pushbuttons labels, menu
names, menu paths, and menu
options.

Example

Cross-references to other
documentation.

Recommendation

Example text

Emphasized words or phrases in

body text, graphic titles, and
table titles.

Syntax

EXAMPLE TEXT

Technical names of system

objects. These include report
names, program names,
transaction codes, table names,
and key concepts of a
programming language when
they are surrounded by body
text, for example, SELECT and
INCLUDE.

Example text

Output on the screen. This

includes file and directory names
and their paths, messages,
names of variables and
parameters, source text, and
names of installation, upgrade
and database tools.

Example text

Exact user entry. These are

words or characters that you
enter in the system exactly as
they appear in the
documentation.

<Example text>

Variable user entry. Angle

brackets indicate that you
replace these words and
characters with appropriate
entries to make entries in the
system.

EXAMPLE TEXT

Keys on the keyboard, for

example, F2 or ENTER.

Meaning
Caution

Note

Contents
1

INTRODUCTION................................................................................................................ 1
1.1

Target Audience ........................................................................................................ 1

1.2

Why Is Security Necessary? ..................................................................................... 1

1.3

About this Document................................................................................................. 2

1.3.1 Overview of the Main Sections....................................................................... 2

BEFORE YOU START....................................................................................................... 3

2.1

Important SAP Notes ................................................................................................ 3

2.2

Additional Information ............................................................................................... 3

2.3

External security information..................................................................................... 3

TECHNICAL SYSTEM LANDSCAPE ............................................................................... 4

3.1

Architecture ............................................................................................................... 4

3.2

Usage ........................................................................................................................ 5

USER ADMINISTRATION AND AUTHENTICATION ....................................................... 6

4.1

Identity Center database logins and roles................................................................. 6

4.2

Admin login................................................................................................................ 7

4.3

Run-time login ........................................................................................................... 7

4.4

Monitoring login ......................................................................................................... 7

4.5

Workflow login ........................................................................................................... 7

4.5.1 Using SecurID ................................................................................................ 7

4.6

Binding database users to operating system ............................................................ 8

4.7

Virtual Directory Server Login ................................................................................... 8

4.8

Integration into Single Sign-On Environments .......................................................... 8

4.8.1 Use ................................................................................................................. 8
4.8.2 Configuring the Identity Center for use with SAP Logon Tickets ................... 8

NETWORK AND COMMUNICATION SECURITY ............................................................ 9

5.1

HTTP security (SSL) ................................................................................................. 9

5.2

Database connectivity security.................................................................................. 9

5.3

Identity Center: Repository security .......................................................................... 9

5.4

Virtual Directory Server: LDAP security .................................................................... 9

5.5

Virtual Directory Server: Web Services security ....................................................... 9

5.6

Securing AS ABAP connections ............................................................................. 10

5.7

Firewall settings....................................................................................................... 10

5.8

AS ABAP connections............................................................................................. 10

5.9

AS Java connections............................................................................................... 10

5.10 External applications credentials............................................................................. 10

DATA STORAGE SECURITY ......................................................................................... 11

6.1

Use .......................................................................................................................... 11

6.2

Identity Center encryption ....................................................................................... 11

6.2.1 Runtime components and configuration UI keys.ini ..................................... 11
6.2.2 Workflow keys.ini.......................................................................................... 12
6.2.3 The encrypted data....................................................................................... 12
6.2.4 Maintaining the keys.ini file .......................................................................... 12

6.3

Password provisioning ............................................................................................ 13

6.4

Virtual Directory Server Keystores .......................................................................... 13

6.5

Configuration files.................................................................................................... 13

6.6

Configuration UI ...................................................................................................... 14

6.7

Dispatcher ............................................................................................................... 14

6.8

Event agent server .................................................................................................. 14

6.9

Workflow.................................................................................................................. 14

6.10 Monitoring................................................................................................................ 14
6.11 Virtual Directory Server configuration file................................................................ 15
6.11.1 Password protection of the configuration file ............................................... 15
6.12 Avoiding by-passing of the authorization checks in the Virtual Directory Server.... 15
7

IDENTITY CENTER WEB SERVER SECURITY AND PHP ........................................... 16

7.1

Extensions............................................................................................................... 16

7.2

Session security ...................................................................................................... 16

7.3

Additional PHP configuration .................................................................................. 17

7.4

Cross-site scripting.................................................................................................. 17

7.5

Restricting access to internal files........................................................................... 17

SECURITY ISSUES WHEN DEVELOPING A SOLUTION............................................. 18

8.1

Using a "Shell execute" pass .................................................................................. 18

8.1.1 Example........................................................................................................ 18

8.2

Using the uShell or uShellRead functions in a script .............................................. 19

8.3

Using a "To database" pass with SQL updating ..................................................... 19

OTHER SECURITY-RELEVANT INFORMATION .......................................................... 20

9.1

The Identity Center configuration UI ....................................................................... 20

9.2

Monitoring web interface ......................................................................................... 20

9.3

Possible configuration vulnerability ......................................................................... 20

9.4

Disaster recovery .................................................................................................... 20

9.5

Backup .................................................................................................................... 20

9.6

The Password Hook................................................................................................ 20

10 APPENDIX ....................................................................................................................... 22
10.1.1 Security check list for the Identity Center ..................................................... 22
10.1.2 Security check list for the Virtual Directory Server ....................................... 22

Introduction

August 2008

Target Audience

Introduction
This guide does not replace the daily operations handbook that we recommend
customers to create for their specific productive operations.

1.1

Target Audience

Technology consultants

System administrators

This document is not included as part of the Installation Guides, Configuration Guides,
Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain
phase of the software life cycle, whereby the Security Guides provide information that is
relevant for all life cycle phases.

1.2

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data,
the demands on security are also on the rise. When using a distributed system, you need to
be sure that your data and processes support your business needs without allowing
unauthorized access to critical information. User errors, negligence, or attempted
manipulation on your system should not result in loss of information or processing time.
The SAP NetWeaver Identity Management will have a central role in managing accounts and
access rights in other applications. Any unauthorized changes to data in the Identity
Management solution may therefore also affect other applications.
To assist you in securing the identity management solution, we provide this Security Guide.

SAP NetWeaver Identity Management - Identity Center

Introduction

August 2008

About this Document

1.3

About this Document

The Security Guide provides an overview of the security-relevant information that applies to
the SAP NetWeaver Identity Management, abbreviated Identity Management. This product
consists of the components Identity Center and Virtual Directory Server.

1.3.1

Overview of the Main Sections

The Security Guide comprises the following main sections:

Before You Start

This section contains information about why security is necessary, how to use this
document and references to other Security Guides that build the foundation for this
Security Guide.

Technical System Landscape

This section provides an overview of the technical components and communication
paths that are used by the Identity Management.

User Administration and Authentication

This section provides an overview of the following user administration and
authentication aspects:

User types that are required by the Identity Management.

Standard users that are delivered with Identity Management.

Overview of the user synchronization strategy, if several components or

products are involved.

Integration into Single Sign-On Environments

This section provides an overview of how integration into Single Sign-On environments
is possible.

Network and Communication Security

This section provides an overview of the communication paths used by the Identity
Management and the security mechanisms that apply. It also includes our
recommendations for the network topology to restrict access at the network level.

Data Storage Security

This section provides an overview of any critical data that is used by the Identity
Management and the security mechanisms that apply.

Configuration files
This section describes how the configuration files are secured.

Identity Center web server security and PHP

This section describes how the web server for Monitoring/Workflow is secured.

Other Security-Relevant Information

This section contains information about:

Disaster recovery

Backup

Appendix
This section provides a security check list.

SAP NetWeaver Identity Management - Identity Center

Before You Start

August 2008

Important SAP Notes

Before You Start

2.1

Important SAP Notes

The most important SAP Notes that apply to the security of the SAP NetWeaver Identity
Management are shown in the table below.
Important SAP Notes
SAP Note Number

Title

1069458

SAP NetWeaver Identity Management 7.0 Identity Center

2.2

Additional Information

For more information about specific topics, see the Quick Links as shown in the table below.
Quick Links to Additional Information
Content

Quick Link on the SAP Service

Marketplace

Security

service.sap.com/security

Security Guides

service.sap.com/securityguide

SAP NetWeaver Security Guide: The

sections about SAP logon tickets and
Secure Network Communications contain
relevant information
Related SAP Notes

service.sap.com/notes

Released platforms

service.sap.com/platforms

Network security

service.sap.com/network
service.sap.com/securityguide

2.3

External security information

The following documents contain relevant security information for important external systems:
PHP Manual, section IV
Security

http://www.php.net/download-docs.php

Microsoft SQL Server

See the documentation for the database system.

Oracle Database 10g Release

2 Security

http://www.oracle.com/technology/deploy/security/databasesecurity/pdf/twp_security_db_database_10gr2.pdf

Setting up Tomcat for SSL

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

SAP NetWeaver Identity Management - Identity Center

Technical System Landscape

August 2008

Architecture

Technical System Landscape

3.1

Architecture

The figure below shows an overview of the technical system landscape for the SAP
NetWeaver Identity Management.
External repositories
LDAP

Java

External applications

Active Dir
SAP HR

etc

ABAP

App specific

SiteMinder

etc

WebServices

LDAP/WebServices

Web AS
(Java)
VDS
HTTP/S

Apache/PHP
Monitoring

Workflow

DSE
DSE
Dispatcher
(VB)
(VB)

MMC

DSE
DSE
DSE
(VB)
(VB)
(VB)

LDAP

Web AS
(Java)

<<Starts>>

Admin UI

DSE
DSE
DSE
(Java)
(Java)
(Java)

VDS

dB protocol
Config

Logs

File system

Config

Logs

File system

Stored procedures

Logs

Audit

IdS

IC database

The Identity Center database is used to hold all information about managed users and
corresponding account information. All communication between the applications and the
database uses the database libraries. In addition, external repositories are accessed from the
Identity Center and Virtual Directory Server, to create user accounts and manage access
rights. Which systems are accessed, depends on each specific implementation.

The separate components have different installation jobs, and although it is

possible to install everything (including the database) on the same server,
different servers will be used in a production environment.
The Virtual Directory Server uses separate configuration files, which may be stored in the
database. The default logging for the Virtual Directory Server is logging to the file system, but
the logging is done using Log4j, meaning that the logging is configurable.
To achieve high availability, as well as load balancing, the Identity Center solution should be
installed on multiple servers.
The database should be clustered.
Workflow and Monitoring should be stored in separate web server clusters.
At least two servers should be installed with the runtime components. Virtual Directory Server
may also be installed on these same or separate servers.
For more information about the technical system landscape, see the resources listed in the
table below.

SAP NetWeaver Identity Management - Identity Center

Technical System Landscape

August 2008

Usage
More Information about the Technical System Landscape
Topic

Guide/Tool

Install guides

SAP NetWeaver Identity Management Identity Center

Installation Overview (incl. referenced installation guides for
each component
SAP NetWeaver Identity Management Virtual Directory
Server Installation and initial configuration

Monitoring & cleanup

SAP NetWeaver Identity Management Identity Center

Implementation Guide: Monitoring and cleanup

Staging

SAP NetWeaver Identity Management Identity Center

Implementation Guide: Staging environment

Disaster recovery

SAP NetWeaver Identity Management Identity Center

Implementation Guide: Disaster Recovery

3.2

Usage

The Identity Management is used to manage accounts and access rights in other
applications. Information about all users and the corresponding accounts are held in the
Identity Center database. The Data Synchronization Engine (Java and VB) and the Virtual
Directory Server are used to manage the users in the target systems, and therefore need
enough access rights to be able to create and delete accounts and give and revoke access
rights.
The system administrators will use the Monitoring interface to monitor the operations of the
system. This interface gives access to logs and audits, but also to the identity store data,
showing information about users and accounts. Although it is not possible to change data
from the Monitoring interface, some data may be considered sensitive, and this should be
considered when giving access to the management application. Only the admin user has
access to the identity store.

SAP NetWeaver Identity Management - Identity Center

User Administration and Authentication

August 2008

Identity Center database logins and roles

User Administration and Authentication

4.1

Identity Center database logins and roles

When a new Identity Center database is created, a number of database roles and logins are
also created, as described in this section. If required, additional database logins can be
created, and given access rights, by assigning roles. This has to be done using the
corresponding database administrator tool.
In the list of roles and logins below, all start with mxmc_, this is the default prefix when
installing the Identity Center database. If a database is installed with a different prefix, all roles
and user are created accordingly.
Login

Role

Description

mxmc_oper

<None>

This login is the owner of the database, and has full

access to all tables. It should only be used for
database upgrades.

mxmc_rt

mxmc_rt_role

This login is only used by the runtime components,

and has a very limited access to the database.

mxmc_prov

mxmc_prov_role

This login is only used by the Workflow interface, and

has the necessary access rights for doing all the
provisioning operations.

mxmc_admin

mxmc_admin_role

A login with these roles has to be used when

implementing an identity management solution in the
Identity Center. It has all the necessary access rights
for creating tasks, jobs and other objects in the
database.

mxmc_delta_rw_role

It is highly recommended to create individual

database users for each person/role who needs
access to the Identity Center database, as this will
provide the necessary audit information for who made
which changes when.
mxmc_user

mxmc_user_role
mxmc_delta_r_role

A login with these roles has mostly read access to the

database, and can be used to inspect the
configuration in the Identity Center configuration user
interface or in the Monitoring web interface.
The same recommendation as for the mxmc_admin
also applies for mxmc_user.

On Microsoft SQL server, users are created in addition to logins. The users are
created in the database context, and has the same name as the login, followed
by _u, for example mxmc_admin_u.

SAP NetWeaver Identity Management - Identity Center

User Administration and Authentication

August 2008

Admin login

4.2

Admin login

The SAP NetWeaver Identity Management Identity Center Getting Started describes how to
add an Identity Center to the configuration UI, using the connection wizard. For security
reasons, the optional parameter Allow password saving should not be checked for the
Admin user. In this case, the user will be prompted for the password, every time connecting to
the database.
If several people are using the configuration UI, separate logins should be created for each
user. The mxmc_admin or mxmc_user role can be used, depending on the access required.

4.3

Run-time login

The run-time (RT) connection string must (unless the RT login is bound to an operating
system login) have the Allow password saving set, as this is running as a background
process, and there is no user to provide the password.
If using an operating system login, the service must be running at this user.

4.4

Monitoring login

When stating the Monitoring interface, the mxmc_user is the default login. If your Identity
Center database uses another prefix than mxmc, this must be changed in the configuration
file (config.xml). This is done by adding the following line:
<databaseuser>%PREFIX%_user</databaseuser>

where %PREFIX% must be replaced with the prefix of your Identity Center database, for
instance mxmc1_user.
If you need to log in to several Identity Center databases, create separate sections for each
Identity Center database in the configuration file. See SAP NetWeaver Identity Management
Identity Center: Installing Identity Center Monitoring.

4.5

Workflow login

The Workflow web application logs in using the mxmc_prov user. This is stored in an
encrypted connection string in the Workflow configuration file.
In the login screen in the Workflow, the user selects the identity store to log into, and provides
user name and password. The attribute MSKEYVALUE holds the user name and the attribute
MX_PASSWORD holds MD5 encrypted password.
Users are created either by workflow tasks, or by data being synchronized from other
applications, using the synchronization mechanisms of the Identity Center.

4.5.1

Using SecurID

The document RSA Secured Implementation Guide Administrative Interoperability found in

the folder \RSA SecurID in the installation kit of the Identity Center describes how to
configure provisioning with SecurID. Information about secure log-in to the web server is
described in documentation found on http://www.rsa.com.
The Workflow also supports a number of other authentication methods:

CA SiteMinder

CAMS

Kerberos

SAP NetWeaver Identity Management - Identity Center

User Administration and Authentication

August 2008

Binding database users to operating system

LDAP Server

RSA ClearTrust

RSA SecurID

SAML

Windows

User defined

4.6

Binding database users to operating system

On Microsoft Windows it is possible to bind a Microsoft SQL Server database login to a

Microsoft Windows login. This will avoid storing passwords in the connection string. For
details on how to do this, and how to define the connection strings, see the documentation for
the Microsoft SQL Server.

4.7

Virtual Directory Server Login

The Virtual Directory Server authenticates the users against a table of users in the Virtual
Directory Server configuration file, which holds the login name (which may be a DN, but this is
not a requirement) in addition to an MD5 encrypted password.
The Virtual Directory Server architecture allows for plugging in external authentication.

4.8
4.8.1

Integration into Single Sign-On Environments

Use

The Identity Management supports the Single Sign-On (SSO) mechanisms provided by the
SAP Web Application Server. Therefore, the security recommendations and guidelines for
user administration and authentication as described in the SAP Web Application Server
Security Guide also apply to the Identity Management.
The supported mechanisms are listed below.
SAP logon tickets
The Identity Management supports the use of logon tickets for SSO when using a Web
browser as the frontend client. In this case, users can be issued a logon ticket after they have
authenticated themselves with the initial SAP system. The ticket can then be submitted to
other systems (SAP or external systems) as an authentication token. The user does not need
to enter a user ID or password for authentication but can access the system directly after the
system has checked the logon ticket.
You can find more information under SAP Logon Tickets in the SAP Web Application Server
Security Guide.

4.8.2

Configuring the Identity Center for use with SAP

Logon Tickets

Configuration of the authentication method in the Identity Center, is done for each identity
store. In the "Workflow" tab of the identity store, select SAP Logon Tickets". For further
details, see the section Integrating Identity Center Workflow in the SAP NetWeaver Portal in
the document SAP NetWeaver Identity Management Identity Center: Installing Identity Center
Workflow.

SAP NetWeaver Identity Management - Identity Center

Network and Communication Security

August 2008

HTTP security (SSL)

Network and Communication Security

Please see the architecture figure on page 4.

5.1

HTTP security (SSL)

Security between the end user and the web application is done by securing the web server,
and is outside the scope of Identity Center security.

5.2

Database connectivity security

All connections between the components and the database uses standard database
protocols, and are defined using database connection strings.
To secure these, please use the secure connection strings, as defined by the database.

5.3

Identity Center: Repository security

Communication with the repositories uses either LDAP, database or application specific
communication. The communication options are defined for each job connecting to the given
repository.
The LDAP protocol supports simple authentication, SSL, NTLM or Kerberos.
For database connections, either JDBC or OLEDB connection strings are used, and security
is handled by the corresponding database library.
For application specific communication, security must be considered in each case.

5.4

Virtual Directory Server: LDAP security

The Virtual Directory Server supports SSL for incoming LDAP requests. This requires setting
up a keystore, holding a private key. The sections Maintaining keystore references and
Maintaining deployments in the help system for the Virtual Directory Server contains more
details.

5.5

Virtual Directory Server: Web Services security

The Virtual Directory Server uses Apache Tomcat for handling incoming web services
requests. To set up secure web services, please see the Apache Tomcat documentation.
The Virtual Directory Server supports client side and server side authentication. If only server
side is required, then you need only ONE keystore (holding a private key).
If client side authentication is required, then you will typically have one more keystore where
all trusted certificates will be stored.
On server side, Virtual Directory Server will have a pair of keystores for each of the backends
that requires SSL
The following link describes how to set up Tomcat with SSL:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

SAP NetWeaver Identity Management - Identity Center

Network and Communication Security

August 2008

Securing AS ABAP connections

5.6

Securing AS ABAP connections

Connections to AS ABAP systems use the Java Connector (JCo), which uses Remote
Function Calls (RFC). These connections can be secured using Secure Network
Communications (SNC).
For more information, see the SNC documentation on the Help Portal at
http://help.sap.com/saphelp_nw70/helpdata/en/e6/56f466e99a11d1a5b00000e835363f/frame
set.htm and the document Provisioning Framework for SAP Systems: Connectivity available
on the SAP Developer Network at https://www.sdn.sap.com/irj/sdn/security.

5.7

Firewall settings

Firewall must be open to allow database communication between the components and the
database.
Firewall must be open to allow the runtime components and Virtual Directory Server to
communication with external applications. Ports depend on communication protocol.
There are no specific requirements regarding firewall in the solution, but it is important to
protect the systems from unauthorized access.

5.8

AS ABAP connections

Connection to AS ABAP applications uses the RCF/JCo, and can be secured using Secure
Network Communication (SNC)

5.9

AS Java connections

Connections to AS Java applications, the HTTP protocol is used, and can be secured using
SSL.

5.10 External applications credentials

Make sure to set up procedures for handling password changes of the accounts in the
external applications being used by the Identity Center and the Virtual Directory Server, as
this will also require changes in the configuration.
For the Identity Center, the passwords should always be stored in a repository definition.
For the Virtual Directory Server, the passwords are stored in the single source definitions.

SAP NetWeaver Identity Management - Identity Center

10

Data Storage Security

August 2008

Use

Data Storage Security

6.1

Use

The Identity Center provides encryption to protect various information in the system. The
following information can be encrypted:

Connection strings, used to connect to the Identity Center database or other

repositories. These are always encrypted.

Passwords, which are stored in configurations. These are always encrypted.

Job constants and global constants can be encrypted if desired.

Any attribute value within the identity store can be encrypted if desired, using 3DES or
MD5. MD5 is used for the MX_PASSWORD attribute. All other attributes are in clear,
unless modified in the installation. When an attribute is encrypted, so are all historic
values for the given attribute. However, changing the encryption setting on an existing
attribute does not change any values in the identity store.

6.2

Identity Center encryption

It is recommended that 3DES encryption is used. The encryption algorithm to be used is

defined in the Tools/Options dialog in the configuration UI, and has two options:

Standard. This is a built-in proprietary with a hardcoded password. This does not
provide very high security, and is scrambling of data, more than encryption.

3DES. This uses the 3DES algorithm for encryption information.

Since the encrypted values must be accessible by runtime components without human
intervention, the encryption keys are stored in a file in the file system, called keys.ini. This
file must be accessible by the Workflow and all runtime engines in the system. Also make
sure that you do not use the default keys.ini which is installed by the Workflow, but that the
keys are updated.

The keys.ini file must be protected using file system protection, to ensure
unauthorized access. The file must be accessible by the service user running
the dispatcher and the user running the Workflow at the web server.

6.2.1

Runtime components and configuration UI keys.ini

For the runtime components and configuration UI, the keys.ini file is stored in the following
directory:
<installation directory>\KEY\keys.ini
In a default installation, this will be:
C:\Program Files\SAP\IdM\Identity Center \KEY\keys.ini

This file is not installed by the installation job.

SAP NetWeaver Identity Management - Identity Center

11

Data Storage Security

August 2008

Identity Center encryption

6.2.2

Workflow keys.ini

For the Workflow, the reference to the keys.ini file is found in the configuration file, which
is stored in:
<installation directory>\config\config.xml

The Workflow installation installs a default keys.ini file, and the reference to
this file is added to the config.xml file. The default keys.ini file should be
changed in a production environment.

6.2.3

The encrypted data

The keys.ini file can hold any number of 3DES keys. Only one of the keys is used for
encryption. The other keys are old keys, which are kept in the keys.ini file, to be able to
decrypt older data.
When data is encrypted using 3DES, the result is prefixed by {DES3} followed by the key
number used when encryption. Then the encrypted data is stored as base64. Below is a
sample of encrypted data:
{DES3}7:7d081564e69f342d81174fc8c6f19ce9
This data is encrypted using key number 7.
Data encrypted with the internal (proprietary algorithm) is prefixed with {crypt}.

6.2.4

Maintaining the keys.ini file

It is important that all components encrypting and decrypting data use the same set of
encryption keys. This section describes how to maintain the keys.ini file in a multi-server
environment.

6.2.4.1

Setting up the initial key

Start by creating a new keys.ini file using a text editor. The format of the file is shown
below. The file which is installed with the Workflow can be used as a template for this, but
make sure to change the actual keys. The simplest way of generating a new key, is to enter
the key using a text editor.

This must be exactly 48 Hex characters.

Below is a sample of the contents of the file:
[KEYS]
KEY001=78664478B8AA7899FF1009887837FFEDCCBAA77897DDA009
[CURRENT]
KEY=KEY001
Then copy this file to all servers running Workflow, runtime components or configuration UI.
Any encryption is now done using key number 1, and the encrypted data is prefixed with
{DES3}:1.

SAP NetWeaver Identity Management - Identity Center

12

Data Storage Security

August 2008

Password provisioning

6.2.4.2

Adding a new key

After some time (dictated by the security policy of your organization), a new key should be
added.
[KEYS]
KEY001=78664478B8AA7899FF1009887837FFEDCCBAA77897DDA009
KEY002=7749487289BBCBD9A9E9F888D9E8F900A98F7D543A4566B6
[CURRENT]
KEY=KEY001
Leave the current key set to 1, and then distribute the file to all relevant locations, as
described above. Now all applications are able to decrypt data, which in the future will be
encrypted with key number 2.
After the file is distributed, update the current key to key number 2, and distribute the file
again.
[KEYS]
KEY001=78664478B8AA7899FF1009887837FFEDCCBAA77897DDA009
KEY002=7749487289BBCBD9A9E9F888D9E8F900A98F7D543A4566B6
[CURRENT]
KEY=KEY002
Any new encryptions are now performed using key number 2, while old data which are still
encrypted using key number 1 can be decrypted.

6.3

Password provisioning

The MX_PASSWORD attribute is encrypted using the one-way MD5 algorithm. However, if
the Identity Center is to do password provisioning, i.e. updating passwords in target systems,
a two way encrypted password must also be saved. This is done using the attribute
MX_ENCRYPTED_PASSWORD, where the password is saved using two-way encryption.
A job updating a target system will be able to decrypt the password, and update the target
system.
The following recommendations apply:

Ensure that history is not kept for MX_ENCRYPTED_PASSWORD.

Ensure that the MX_ENCRYPTED_PASSWORD attribute is deleted when the

password has been updated in all target systems.

6.4

Virtual Directory Server Keystores

The Virtual Directory Server uses keystores for holding private and public keys, which are
used for various purposes. To set up an SSL connection over LDAP, the Virtual Directory
Server needs a private key, which is stored in a keystore. Information about the keystore,
including the password to access the private key, is stored in the Virtual Directory Server
configuration file. The Virtual Directory Server configuration file must be encrypted to protect
from unauthorized access to the keystore passwords.

6.5

Configuration files

The configuration files used by the Identity Center will in most cases contain a connection
string, which is used when the application connects to the Identity Center database.

SAP NetWeaver Identity Management - Identity Center

13

Data Storage Security

August 2008

Configuration UI

6.6

Configuration UI

The configuration data for the configuration UI, is stored in the file
<install dir>\EMSConfig.xml. It contains an encrypted connection string. By default,
the allow password saving is not set by the connection wizard, and if so the connection
string will not contain a password, and should not pose a security risk.
If you choose allow password saving, the encrypted connection string will contain the
password.
It is also possible to create a database user, which is bound to a Microsoft Windows account,
and use this for login. In this case, the connection string will not contain any sensitive
information. Consult the database documentation for information about how this is done.

6.7

Dispatcher

When creating a new dispatcher, the dispatcher .prop file contains the connection string
to the database. The key MC_JDBCURL holds the encrypted connection string.

6.8

Event agent server

When creating a new event agent server, the .prop file contains the connection string to the
database. The key MC_JDBCURL holds the encrypted connection string.

6.9

Workflow

The Workflow config file (<inst dir>\configs\config.xml) contains the password for
connecting to the database.

After installation of the Workflow, the password is not encrypted. See the
document SAP NetWeaver Identity Management Identity Center: Installing
Identity Center Workflow.

6.10 Monitoring
The Monitoring config file does not contain any connection string or password.

SAP NetWeaver Identity Management - Identity Center

14

Data Storage Security

August 2008

Virtual Directory Server configuration file

6.11 Virtual Directory Server configuration file

The Virtual Directory Server uses an XML based configuration file for storing the
configuration. All passwords used to connect to other applications are scrambled, using the
standard encryption algorithm, as 3DES is not implemented in the Virtual Directory Server. It
is therefore essential to protect the Virtual Directory Server configuration files.
The passwords used for authentication by the Virtual Directory Server (i.e. to authenticate
incoming requests) are hashed using MD5.
Any global constants can be scrambled.
The Virtual Directory Server stores the configuration in an .xml file. One Virtual Directory
Server installation may run multiple configurations, each stored in a different file.
As the configuration files contain information to connect to external applications, it is essential
that the file system security is used to protect these configuration files from unauthorized
access.
It is possible to store the Virtual Directory Server configuration in a database table. In this
case, the connection string for connecting to the database is stored in tile file
<installation directory>\.vcssettings. This connection string is scrambled, so it
is essential to protect this file using file system security.
When starting a server, a local copy of the configuration file is created on the computer
running the server. It is therefore recommended to scramble the connection strings also when
storing the configuration in the database.

6.11.1

Password protection of the configuration file

It is also recommended that you password protect the configuration file. This is done by
selecting the "Advanced" tab of the "Server properties" dialog box. This is described in the
help file of the Virtual Directory Server.

6.12 Avoiding by-passing of the authorization checks

in the Virtual Directory Server
When developing a configuration in the Virtual Directory Server, you can run the server in test
mode which by-passes all authorization checks within the Virtual Directory Server.
When running the Virtual Directory Server configuration in a production environment this
should always be turned off.
For details, see the help file for the Virtual Directory Server.

SAP NetWeaver Identity Management - Identity Center

15

Identity Center web server security and PHP

August 2008

Extensions

Identity Center web server security and PHP

7.1

Extensions

The Monitoring and Workflow applications use PHP. The default PHP installation adds a lot of
extensions which are not needed, and should be removed. The following extensions are
needed as a minimum:

Mssql or OCI8

XSL

LDAP

MCRYPT

The following configuration options should be turned off in the php.ini file, as they are not
used, and may be a security risk:

display_errors

display_startup_errors

expose_php

7.2

Session security

Consider using the following options to improve session security:

Option

Description

session.cookie_secure

If turned on, cookies will only be sent over

secure networks (SSL)

session.entropy_file
session.entropy_length

Use these setting to increase the security of

the session ID.

session.referer_check

This setting can be used to validate that the

source of the incoming session.

For details see PHP Manual, section IV Security, http://www.php.net/download-docs.php.

SAP NetWeaver Identity Management - Identity Center

16

Identity Center web server security and PHP

August 2008

Additional PHP configuration

7.3

Additional PHP configuration

This section contains PHP settings that should be turned off.

Option

Description

open_basedir

Limits the files that can be opened by PHP to

the specified directory tree.

allow_url_fopen

Enables the URL-aware fopen wrappers that

enable accessing URL object like files.

register_globals

If turned on, all EGPCS (Environment, GET,

POST, Cookie, Server) variables are
registered in the global scope.

error_log

Controls where script errors are written. The

default is to display them on the screen.
Should be set to a file that is writeable for the
Internet Guest Account.

For details see PHP Manual, http://www.php.net/download-docs.php.

7.4

Cross-site scripting

To avoid cross-site scripting, there are limitations on the use of HTML tags in the Workflow
web interface.
In general, HTML in fields and attributes will be quoted, with the following exceptions.

There is a configurable list of tags that are allowed (e.g. <b>, </b>, <i>, </i>).

HTML tags in header and footer fields are allowed. Specifically:

{

Identity Center header fields 1 through 3.

Identity Store Welcome page header and trailer

Task header and trailer

Care should be taken if using HTML code in these fields, especially if the fields contain
attribute references. Note that Identity Center header field 4, which default contains the text
Logged in as %DISPLAYNAME% is protected for this reason.

7.5

Restricting access to internal files

Access to internal files in the web server may information leaks. Thus, it is recommended to
restrict access to the folders with the internal files.
If using Microsoft Internet Information Services, this refers to the common folder.
To restrict access to the files located in this folder:
1. Open the Internet Information Services Manager and view the properties of
Web sites/Default Web Site/Workflow/common.
2. Select the "Directory Security" tab and choose "Edit" in the Anonymous access and
authentication control" group box to open the "Authentication Methods" dialog box.
3. Make sure that "Anonymous access" is disabled.

SAP NetWeaver Identity Management - Identity Center

17

Security issues when developing a solution

August 2008

Using a "Shell execute" pass

Security issues when developing a solution

This section contains information about specific security issues which should be considered
when developing a solution. SAP NetWeaver Identity Management offers a lot of very
powerful functions, and security should always be considered during implementation.
Note that this chapter does not offer a complete list of security issues. Always do a security
review of the implementation before deploying it into a production environment.

8.1

Using a "Shell execute" pass

The pass type "Shell execute" offers functionality to execute operating system commands,
where also attributes of the entry being processed can be included. Consider the following
example, which is used to create a file system directory for the user. The name of the
directory is held in the attribute USERHOMEDIRECTORY. The destination of the Shell
execute pass can look something like this:
cmd /c md %USERHOMEDIRECTORY%

In a normal case, a new directory is created for the user.

However, if an attacker is able to update the %USERHOMEDIRECTORY% attribute, and for
example, enters the following value:
dir1 && net user attacker /add /expires:never && net localgroup
administrators /add attacker

Given that the operating system user running the dispatcher has the proper authorizations,
this malicious code would result in a directory called dir1. But in addition, it will create a new
user called attacker and add this user to the administrator group.
To reduce the risk, any attributes used in a "Shell execute" pass should be parsed for
malicious code before execution. Creating a script for doing this is simple. Please see the
help system of the administrator user interface.
Also, make sure that the user running the dispatcher does not have more access rights than
required. The code executed by the "Shell execute" pass will run with the access rights of this
user.

8.1.1

Example

This sample script will remove everything after two && characters.
// Main function: ValidateParameter
function ValidateParameter(Par){
ix = Par.indexOf("&&");
if (ix > 0)
{
return Par.substring(0,ix);
}
return Par;
}

SAP NetWeaver Identity Management - Identity Center

18

Security issues when developing a solution

August 2008

Using the uShell or uShellRead functions in a script

The function can then be called like this:

8.2

Using the uShell or uShellRead functions in a

script

There are two built-in function (uShell and uShellRead) which executes an operating system
command. This should be used with care, in the same way as the "Shell execute" pass.

8.3

Using a "To database" pass with SQL updating

By selecting the SQL updating in the "To database" pass it is possible to enter any SQL
statement. Consider the following example, which is used to add a row in a database table,
based on data from the given user:
INSERT INTO users (username,userid)
VALUES (%USERNAME%,%USERID%)

However, an attacker could add the following code in the USERID attribute:
12); DELETE FROM TABLE users

This malicious code would remove all entries from the users table.
To reduce the risk, any attributes used in a "To database" pass using SQL updating should be
parsed for malicious code before execution. Creating a script for doing this is simple. Please
see the help system of the administrator user interface for details on creating scripts.
Also, make sure that the user used to connect to the database does not have extensive
access rights. The %IdentityCenter% connection string will log in to the identity center
database using the credentials of the runtime user (MXMC_RT). For passes which performs
SQL updating, it is advised to create a separate user, which has access only to the required
tables.

SAP NetWeaver Identity Management - Identity Center

19

Other Security-Relevant Information

August 2008

The Identity Center configuration UI

9
9.1

Other Security-Relevant Information

The Identity Center configuration UI

The Identity Center configuration UI (Microsoft Management Console snap-in) is intended for
implementation of a solution. It should not be made available in a production environment,
unless there are very good reasons to use it. Logs and other information can be accessed
using the Monitoring interface.

9.2

Monitoring web interface

The Monitoring web interface is not intended for external use. It must be installed in an
internal network and be available only for system administrators.

9.3

Possible configuration vulnerability

When configuring an attribute for a task, it is possible to define a default value. This default
value can contain a call to a PHP function, $FUNCTION.<php_function>$$. Provided access
to custom_functions.php, this could pose a vulnerability.

9.4

Disaster recovery

For setting up a DR solution, please see the document SAP NetWeaver Identity Management
Identity Center Implementation Guide: Disaster recovery.

9.5

Backup

All configuration information and data is stored in the Identity Center database. This database
should be backed up according to the organization's backup policy. For details about backup
and restore of an Identity Center database, see SAP NetWeaver Identity Management
Identity Center Operations Guide.

9.6

The Password Hook

The Password Hook is an optional component, which will catch password changes done in a
Microsoft Windows Domain, and forward the new passwords to the Identity Center, for
provisioning to other systems.
We strongly recommend using a single sign-on (SSO) solution to provide central
authentication for you system landscape. For SAPs SSO solution, please see here:
http://help.sap.com/saphelp_nw04s/helpdata/en/e5/4344b6d24a05408ca4faa94554e851/fram
eset.htm.
If it is not possible to use SSO for some or all systems, SAP NetWeaver Identity
Managements password synchronization can be deployed to ensure that the user has the
same password in the respective or all systems which support the password synchronization
feature.
The Password Hook is implemented using the Microsoft Password Filter, as described in
http://msdn2.microsoft.com/en-us/library/ms721882%28VS.85%29.aspx.
For more information about the Password Hook, see the document SAP NetWeaver Identity
Management Password Hook Configuration Guide.

SAP NetWeaver Identity Management - Identity Center

20

Other Security-Relevant Information

August 2008

The Password Hook

The use of this component is optional. Although care is taken to make this as secure as
possible, the use of this component may raise some security issues:

It is strongly recommended to select "Encrypt password". Not only for security reasons,
but without this, a user would be able to run a program with administrator privileges
with a carefully crafted password. This is because the "CreateProcess()" function starts
your script in a valid shell. Microsoft Windows does not give the programmer any
means of escaping those shell variables, hence a password that contains shell code
can be executed as code. The encrypt option also prevents this.

Passwords are stored using two-way encryption in the identity store, normally in the
attribute MX_ENCRYPTED_PASSWORD. When deploying a solution, care must be
taken to protect the Identity Center encryption file (described in section 6.2).

If possible, the MX_ENCRYPTED_PASSWORD attribute should be deleted after the

password has been provisioned to the target systems, to reduce the risk of exposure.

For the same reason as above, attribute history should not be enabled on the
MX_ENCRYPTED_PASSWORD attribute.

Make sure access to the domain controller is limited and controlled.

When deploying, one must consider the password policy of the various systems, to
ensure that a password is accepted by all systems. This means that the user must only
choose such passwords that are in the intersection set of all password policies. In
general that will result in a fairly weak password policy.

One should also consider if it is wise to have the same password across all systems. If
the password is cracked in a low-security system, this password may also be used in a
high-security system. Also note that the total number of possible password logon
attempts increase with the number of systems with the same password (i.e. the sum of
all "permissible failed password logon attempts" of all systems).

SAP NetWeaver Identity Management - Identity Center

21

Appendix

August 2008

Security check list for the Identity Center

10 Appendix
10.1 Security check list for the Identity Center
Encryption algorithm set to 3DES (Verify in the configuration UI)
Keys.ini file updated, and distributed to all relevant systems.
Keys.ini file protected by file system.
Database security enabled where relevant.
Separate database logins for each administrator
External application security enabled where relevant.
Web server security
Disable unnecessary PHP extensions
Enable PHP session security as defined in the organization's security policy
Disable the PHP settings open_basedir, allow_url_fopen and
register_globals

If password provisioning is being used:

No history for MX_ENCRYPTED_PASSWORD
MX_ENCRYPTED_PASSWORD deleted after provisioning is done

10.2 Security check list for the Virtual Directory

Server
Protect the Virtual Directory Server configuration file(s) from unauthorized access
Verify that "Test mode" is turned off before the configuration is deployed in a
production environment

If applicable: Set up secure communication from clients to the Virtual Directory Server
If applicable: Set up secure communication to repositories

SAP NetWeaver Identity Management - Identity Center

22

Appendix

August 2008

Security check list for the Virtual Directory Server

SAP NetWeaver Identity Management - Identity Center

23