Security Guide Document version: 1.1 – 2014-10-31 SAP Manufacturing Execution 15.0 CUSTOMER



  • Document History

    Caution: Before you start the SAP Manufacturing Execution (SAP ME) 15.0 implementation, make sure you have the latest version of this document. You can find the latest version at the following location: service.sap.com/securityguide > SAP Business Suite Applications > SAP Manufacturing.

    The following table provides an overview of the most important document changes.

    Table 1: Document History
    Version | Date       | Description
    1.0     | 2014-05-16 | First version
    1.1     | 2014-10-31 | The Network and Communication Security section was updated.


    CUSTOMER. Copyright 2014 SAP SE or an SAP affiliate company. All rights reserved.


  • Content

    1 Introduction
    2 Before You Start
    3 Technical System Landscape
    4 User Administration and Authentication
      4.1 User Management
      4.2 User Data Synchronization
      4.3 Integration Into Single Sign-On Environments
    5 Authorizations
    6 Network and Communication Security
      6.1 Communication Channel Security
      6.2 Communication Destinations
    7 Data Storage Security
    8 Security for Additional Applications
    9 Other Security-Relevant Information
    10 Security Logging and Tracing
    11 Configuring Web Service Security


  • 1 Introduction

    Caution: This guide does not replace the daily operations handbook, which we recommend customers create for their specific productive operations.

    Target Audience
      Technology consultants
      System administrators

    This document is not included as part of the installation guides, configuration guides, technical operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the security guides provide information that is relevant for all life cycle phases.

    Why Security Is Necessary
    With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security apply to SAP ME. To assist you in securing SAP ME, we provide this Security Guide.

    About This Document
    The Security Guide provides an overview of the security-relevant information that applies to SAP ME.

    Overview of the Main Sections
    The Security Guide comprises the following main sections:

    Before You Start
    This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.

    Technical System Landscape
    This section provides an overview of the technical components and communication paths that are used by SAP ME.

    User Administration and Authentication
    This section provides an overview of the following user administration and authentication aspects:
      Recommended tools for user management
      User types that are required by SAP ME
      Standard users that are delivered with SAP ME

    Authorizations
    This section provides an overview of the authorization concept that applies to SAP ME.

    Network and Communication Security
    This section provides an overview of the communication paths used by SAP ME and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

    Data Storage Security
    This section provides an overview of any critical data that is used by SAP ME and the security mechanisms that apply.

    Security for Third-Party or Additional Applications
    This section provides security information that applies to third-party or additional applications that are used with SAP ME.

    Other Security-Relevant Information
    This section contains information about the following:
      JavaScript
      Java Web Start
      ActiveX

    Trace and Log Files
    This section provides an overview of the trace and log files that contain security-relevant information.


  • 2 Before You Start

    Fundamental Security Guides
    SAP ME is a J2EE application that runs on SAP NetWeaver 7.4 AS Java. Therefore, the corresponding SAP NetWeaver 7.4 Security Guide applies to SAP ME. The SAPMEINT subcomponent runs on SAP Manufacturing Integration and Intelligence (SAP MII) 15.0. Therefore, the corresponding SAP MII 15.0 Security Guide applies to the SAPMEINT subcomponent.

    Table 2: Fundamental Security Guides
    Title | Location
    SAP NetWeaver 7.4 Security Guide | help.sap.com > SAP NetWeaver > SAP NetWeaver Platform > SAP NetWeaver 7.4 > Security Information > Security Guide
    SAP MII 15.0 Security Guide | service.sap.com/securityguide > SAP Business Suite Applications > SAP Manufacturing > Security Guide SAP MII 15.0

    For a complete list of the available SAP Security Guides, see service.sap.com/securityguide on the SAP Service Marketplace.

    Important SAP Notes
    The SAP Notes that apply to SAP ME are listed in the following table:

    Table 3: SAP Notes
    SAP Note Number | Title
    1363812 | SAP ME key field character restrictions
    1573547 | Service user authorization roles in SAP ME Integration
    1590008 | Java output encoding

    Additional Information
    For more information about specific topics, see the quick links shown in the following table:

    Table 4: Quick Links to Additional Information
    Content | Quick Link on the SAP Service Marketplace
    Security | /security
    Security Guides | /securityguide
    Related SAP Notes | /notes/securitynotes
    Released Platforms | /pam
    Network Security | /network
    Technical Infrastructure | /ti
    SAP Solution Manager | /solutionmanager
    SAP NetWeaver | /netweaver


  • 3 Technical System Landscape

    The following figure shows an overview of the technical system landscape for SAP ME 15.0:

    Figure 1: SAP ME 15.0 System Landscape

    The following software components are available for SAP ME 15.0:
      SAP ME Core
      SAP ME subcomponents:
        SAP ME ERP Integration (SAPMEINT)
        SAP ME Scripts
      SAP ERP
      SAP MII 15.0

    For more information about the technical system landscape, see the resources listed in the following table:

    Table 5: Technical System Landscape Resources
    Topic | Guide | SAP Service Marketplace Address
    Technical description for SAP ME 15.0 | SAP ME 15.0 Master Guide | service.sap.com/instguides > SAP Business Suite Applications > SAP Manufacturing > SAP Manufacturing Execution 15.0
    Technical description for SAP NetWeaver 7.4 | SAP NetWeaver 7.4 | service.sap.com/instguidesnw > SAP NetWeaver 7.4 > Installation
    Technical description for SAP MII 15.0 | SAP MII 15.0 Master Guide | service.sap.com/instguides > SAP Business Suite Applications > SAP Manufacturing > SAP Manufacturing Integration and Intelligence > SAP MII 15.0


  • 4 User Administration and Authentication

    While SAP ME uses the administration and authentication mechanisms provided with the SAP NetWeaver platform to manage SAP ME users, administration is done in both SAP NetWeaver and SAP ME 15.0. In SAP NetWeaver, you administer security-related information. In SAP ME User Maintenance and User Group Maintenance, you administer shop floor related information.

    For more information about administration of users in SAP NetWeaver, see the SAP NetWeaver 7.4 Security Guide on the SAP Service Marketplace at service.sap.com/securityguide > SAP NetWeaver 7.4 Security Guides > SAP NetWeaver 7.4 Security Guide. In addition to these guidelines, below we include information about user management that specifically applies to SAP ME.

    4.1 User Management
    User management for SAP ME uses both the mechanisms provided with the SAP NetWeaver Application Server and SAP ME activities. For an overview of how these mechanisms apply for SAP ME, see the sections below. In addition, we provide a list of the standard users required for operating the SAP ME application.

    User Administration Tools
    The following table shows the tools for user management and user administration with SAP ME.

    Table 6: User Management Tools
    Tool | Detailed Description
    User Management Engine with SAP NetWeaver AS Java | For more information, see User Management Engine in the SAP Library.
    User Maintenance and User Group Maintenance in SAP ME 15.0 | For more information, see help.sap.com > SAP Business Suite > SAP Manufacturing > SAP Manufacturing Execution > SAP Manufacturing Execution 15.0 > System Configuration.

    User Types
    It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not the users under which background processing jobs run.

    The user types required for SAP ME 15.0 include:
      Individual users:
        General SAP ME users
      Technical users:
        Communication users used for SITE_TO_SITE functionality
        Communication user MESYS, used for SAP ME and SAP MII integration
        Communication user ADSuser, used for printing documents in SAP ME through the SAP NetWeaver Adobe Document Server (ADS)

    Standard Users
    The table below shows the standard users that are necessary for operating SAP ME 15.0:

    Table 7: Standard Users

    System: SAP ME
    User ID: SITE_ADMIN
    Type: SAP ME general user
    Password: You specify the initial password in SAP NetWeaver Administrator during installation/configuration of SAP ME 15.0.
    Description: The initial user for SAP ME 15.0, with access to all activities. During the configuration of SAP ME, the SAPMECTC CTC wizard automatically creates the SITE_ADMIN user with the provided password in SAP NetWeaver. On the SAP ME NetWeaver instance, CTC automatically assigns the SITE_ADMIN user to the SAP_ME_USER, SAP_ME_INTEGRATOR, and SAP_ME_ADMINISTRATOR roles.

    System: SAP ME, SAP MII
    User ID: MESYS
    Type: Communication user
    Password: You specify the initial password when running the SAPMEINT CTC configuration wizard (SAPMEINTCTC).
    Description: Used for system-to-system communication between SAPMEINT and SAP ME 15.0 Core. During the configuration of SAPMEINT, the SAPMEINTCTC CTC wizard automatically creates the MESYS user with the provided password in SAP NetWeaver on both the SAP MII and the SAP ME instance. On the SAP ME NetWeaver instance, CTC automatically assigns the MESYS user to the SAP_ME_USER, SAP_ME_INTEGRATOR, and ROLE_SAPMEINT roles. In SAP ME, this user belongs to the SYSTEM group and has no permission to run any activity. For more information about authorization roles, see SAP Note 1573547.

    System: SAP ME
    User ID: ADSuser
    Type: Communication user
    Password: You specify the initial password in SAP NetWeaver Administrator when you create the user.
    Description: If you plan to print your documentation through ADS, you have to create the ADSuser user in SAP NetWeaver UME. For information about configuration of the SAP NetWeaver Adobe Document Server (ADS), see the section Creating a User for Authentication to ADS in a Java Environment at service.sap.com/instguidesnw > SAP NetWeaver 7.4 > SAP NetWeaver Library > Functional View > SAP NetWeaver by Functional Areas > Adobe Document Services for Form Processing > Configuring Adobe Document Services for Form Processing (Java).

    Recommendation: Do not rely on the users created automatically during installation/configuration for day-to-day work; create additional users with their own user IDs and passwords. Change the initial passwords entered in the CTC wizards afterwards, since they are known to everyone who took part in the configuration.


    Creating SAP ME General Users
    To create additional users for SAP ME, do the following:
    1. Create a user in the Identity Management tool of SAP NetWeaver and assign the necessary UME security roles to this user. For more information about SAP NetWeaver UME security roles for SAP ME, see the SAP NetWeaver UME Security Roles and Actions section of this guide.
    2. Log on to your SAP ME site as SITE_ADMIN. For more information about SAP ME logon, see the SAP ME 15.0 Installation Guide at service.sap.com/instguides > SAP Business Suite Applications > SAP Manufacturing > SAP Manufacturing Execution 15.0.
    3. On the initial User Maintenance screen, retrieve the user ID of a user created in SAP NetWeaver UME.
    4. On the Main tab page of User Maintenance, add details about the user, if needed.
    5. On the User Groups tab page, add the user to one or more user groups. For more information about SAP ME user groups, see the SAP ME Standard User Groups section of this guide.

    4.2 User Data Synchronization
    SAP NetWeaver UME needs to contain entries for all users. These entries contain security and person-related information and are site-independent. SAP ME contains shop-floor information for all SAP ME users. The following table shows the correlation between UME and ME user statuses:

    Table 8: UME and SAP ME User Statuses
    UME User Status | ME User Status
    Active Account | Active: Allows a user to log on to the SAP ME system with this user ID
    Locked Account | Inactive: This user is temporarily inactive in SAP ME
    User has been deleted in UME | Terminated: Because users cannot be physically deleted in SAP ME (to ensure data integrity), this status indicates that the user has been deleted in UME

    For information about synchronizing SAP NetWeaver UME with LDAP, see the User Management Engine installation guide in the SAP Library.

    4.3 Integration Into Single Sign-On Environments
    SAP ME 15.0 supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user administration and authentication described in the SAP NetWeaver Application Server Security Guide also apply to SAP ME 15.0. The most widely used supported mechanisms are listed below.

    Secure Network Communications (SNC)
    SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.


    SAP logon tickets
    SAP ME 15.0 supports the use of logon tickets for SSO when using a Web browser as the frontend client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.

    Recommendation: If you use the POD on a shared terminal, turn off SAP logon tickets, which SAP ME enables out of the box. Otherwise the ticket cached in the shared browser lets the next person at the terminal continue as the previous user until the ticket expires. To turn tickets off, the login module stack for SAP ME should include only BasicPasswordLoginModule, configured under User Authentication and Single Sign-On in SAP NetWeaver. The HTTP session timeout of PODs is configured in POD Maintenance in SAP ME; keep it short on shared terminals for the same reason.

    Client certificates
    As an alternative to user authentication using a user ID and password, users using a Web browser as a frontend client can also provide X.509 client certificates for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer protocol (SSL) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

    For more information about the available authentication mechanisms, see User Authentication and Single Sign-On at help.sap.com/nw74 > SAP NetWeaver 7.4 Library > SAP NetWeaver Library: Function-Oriented View > Solution Life Cycle Management > Security and User Administration > Administration for User Authentication and Single Sign-On (SSO).


  • 5 Authorizations

    While SAP ME uses the authorization concept provided by SAP NetWeaver AS Java, authorization is done in both SAP NetWeaver and SAP ME activities. Therefore, the recommendations and guidelines for authorizations described in the SAP NetWeaver AS Java Security Guide also apply to SAP ME. The SAP ME activities used for user authorization are described in the following section of this guide.

    The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the User Management Engine's user administration console on the AS Java.

    Note: For more information about how to create roles, see Role Maintenance in the SAP Library.

    For more information about creating roles, see help.sap.com/nw74 > SAP NetWeaver 7.4 Library > SAP NetWeaver Composition Environment > Administrator's Guide > Administering Composition Environment > Administration of Users and Roles.

    Standard Roles

    SAP NetWeaver UME Security Roles and Actions
    During deployment of SAP ME, the following SAP NetWeaver UME security roles are created to identify users who will use the system:

    Table 9: SAP NetWeaver UME Security Roles
    Role Name | Role Description
    SAP_ME_ADMINISTRATOR | Identifies SAP NetWeaver users that are granted access to the admin, integration, and solution verification interfaces
    SAP_ME_USER | Identifies users that are allowed to log on to the SAP ME application through the Web interface
    SAP_ME_INTEGRATOR | Identifies users that are allowed to use the Web service, production, site-to-site, and data exchange interfaces
    SAP_ME_READONLY | Supports the SAP ME audit functionality. Users with this role can read all data but are not allowed to add or edit records.
    ROLE_SAPMEINT | Users with this role can see the menu SAP ME ERP Integration on the navigation pane in SAP MII. Users assigned to this role also have access to the data servers SAPMEINT and SAPMEWIP in SAP MII.

    You assign these roles to your SAP ME users to grant them the corresponding rights and the ability to work with the services they require.

    Caution: All the roles described in the previous table need to be manually modified before they are assigned to users, to eliminate the risk of losing associations. We recommend that you assign the Manage_My_Password action to all these roles. If SAP ME is undeployed, roles that have not been modified will be deleted and the associations between roles and users will be lost.

    For more information about assigning roles, see Assigning Principals to Roles or Groups at help.sap.com/nw74 > SAP NetWeaver 7.4 > SAP NetWeaver 7.4 Library > SAP NetWeaver Composition Environment > Administrator's Guide > Administering Composition Environment > Administration of Users and Roles. You assign UME security role actions to UME security roles to grant additional rights to your SAP ME users.

    Execution of Custom User Scripts
    SAP ME 15.0 provides a way to allow or deny the creation and execution of custom user scripts on the application back end.

    Caution: Scripting functionality is a powerful tool that allows access to generic functions and system resources; authorization must therefore be given to appropriate personnel only. Execution of scripts can harm the system if used by unauthorized personnel. As an additional measure, ensure that logging of script creation and execution is appropriately configured. For more information, see the Security Logging and Tracing section of this guide.

    The following security role actions are available for that purpose:

    Table 10: Script-Related UME Security Role Actions
    Action | Description
    ME.Service.ManageScript | Allows an SAP ME user to create and save routings and data collection values with custom scripts and formulas
    ME.Service.ExecuteScript | Allows an SAP ME user to execute custom routing scripts or formulas in data collection parameters

    You have to assign the actions described above to all UME security roles and users that need to create or execute routing scripts or data collection parameters with defined formulas. Proceed as follows:
    1. Log on to SAP NetWeaver Administrator using the following URL: http://<host>:<port>/nwa
    2. Choose Configuration > Security > Identity Management, set Search Criteria to Role, and search for SAP_ME_USER.
    3. Choose Modify.
    4. On the Assigned Actions tab page, search for ME.Service.ManageScript and/or ME.Service.ExecuteScript in the Available Actions list, and add them to Assigned Actions.
    5. Save your entries.

    Note that SAP_ME_USER is held by every user who logs on to SAP ME through the Web interface, and also by the MESYS communication user; an action assigned to it is granted to all of them. If only a few engineers need to create or execute scripts, create a narrower role for that purpose and assign the actions there instead.

    For more information about assigning actions, see Assigning Principals to Roles or Groups at help.sap.com/nw74 > SAP NetWeaver 7.4 > SAP NetWeaver 7.4 Library > SAP NetWeaver Composition Environment > Administrator's Guide > Administering Composition Environment > Administration of Users and Roles.
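    The following is an added example and is not part of this guide or of SAP's software: a small Python audit that applies the two concerns above, the Caution about unmodified delivered roles and least privilege for the script actions, to a snapshot of UME role and user assignments. The role, action and standard-user names are the ones in Tables 7, 9 and 10; the snapshot itself, the users pe_smith, jdoe and auditor, and the approved-scripter list are constructed for the example, and Manage_My_Password is used as the marker of a modified role only because it is the modification this guide recommends.

```python
"""Audit SAP NetWeaver UME role and action assignments for SAP ME.

Added example, not SAP code. It works on a constructed snapshot of the kind
you can assemble by hand from SAP NetWeaver Administrator (Configuration >
Security > Identity Management): the actions each UME role carries and the
roles each user holds. Role, action and standard-user names are the ones
this guide lists; 'pe_smith', 'jdoe', 'auditor' and the approved list are
invented for the example.
"""
from typing import Dict, List, Set, Tuple

# UME actions that let a user create or run custom scripts (Table 10).
SCRIPT_ACTIONS = {"ME.Service.ManageScript", "ME.Service.ExecuteScript"}

# Roles created on SAP ME deployment (Table 9). Per the guide's Caution each
# must be modified before assignment, otherwise undeploying SAP ME deletes it
# together with its user associations. Adding Manage_My_Password is the
# modification the guide recommends, so its absence is used as the marker.
DELIVERED_ROLES = {"SAP_ME_ADMINISTRATOR", "SAP_ME_USER", "SAP_ME_INTEGRATOR",
                   "SAP_ME_READONLY", "ROLE_SAPMEINT"}
MARKER_ACTION = "Manage_My_Password"

# Constructed snapshot: SAP_ME_USER has had ME.Service.ExecuteScript added by
# the procedure above; SAP_ME_INTEGRATOR and ROLE_SAPMEINT were never touched.
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "SAP_ME_ADMINISTRATOR": {MARKER_ACTION, "ME.Service.ManageScript",
                             "ME.Service.ExecuteScript"},
    "SAP_ME_USER": {MARKER_ACTION, "ME.Service.ExecuteScript"},
    "SAP_ME_INTEGRATOR": set(),
    "SAP_ME_READONLY": {MARKER_ACTION},
    "ROLE_SAPMEINT": set(),
}
USER_ROLES: Dict[str, Set[str]] = {
    "SITE_ADMIN": {"SAP_ME_USER", "SAP_ME_INTEGRATOR", "SAP_ME_ADMINISTRATOR"},
    "MESYS": {"SAP_ME_USER", "SAP_ME_INTEGRATOR", "ROLE_SAPMEINT"},  # technical user
    "pe_smith": {"SAP_ME_USER"},   # production engineer, approved to run scripts
    "jdoe": {"SAP_ME_USER"},       # operator, not approved
    "auditor": {"SAP_ME_READONLY"},
}
TECHNICAL_USERS = {"MESYS", "ADSuser"}          # communication users from Table 7
APPROVED_SCRIPTERS = {"SITE_ADMIN", "pe_smith"}  # assumed approval list


def effective_actions(user_roles: Dict[str, Set[str]],
                      role_actions: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Union of the actions of every role a user holds (UME semantics)."""
    return {user: set().union(*(role_actions.get(r, set()) for r in roles))
            for user, roles in user_roles.items()}


def audit(user_roles: Dict[str, Set[str]], role_actions: Dict[str, Set[str]],
          approved: Set[str], technical: Set[str]) -> List[Tuple[str, str]]:
    """Return (finding, subject) pairs, sorted for stable reporting."""
    findings: List[Tuple[str, str]] = []
    # 1. Delivered roles still in their shipped state: lost on undeploy.
    for role in sorted(DELIVERED_ROLES):
        if MARKER_ACTION not in role_actions.get(role, set()):
            findings.append(("ROLE_UNMODIFIED", role))
    # 2. Who can create or execute scripts, and whether they should.
    for user, actions in effective_actions(user_roles, role_actions).items():
        if not actions & SCRIPT_ACTIONS:
            continue
        if user in technical:
            # A service account should not inherit script rights via a shared role.
            findings.append(("TECH_USER_SCRIPT", user))
        elif user not in approved:
            findings.append(("UNAPPROVED_SCRIPTER", user))
    return sorted(findings)


if __name__ == "__main__":
    for finding, subject in audit(USER_ROLES, ROLE_ACTIONS,
                                  APPROVED_SCRIPTERS, TECHNICAL_USERS):
        print(f"{finding:20} {subject}")
```

    Run this after each change to the delivered roles. Because the procedure above adds the script actions to SAP_ME_USER, the effective-actions view also shows MESYS picking them up; a dedicated role for the engineers who actually write scripts keeps the communication user out of that set.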

    Authorizations in SAP ME

    Site Authorization
    During installation of SAP ME, a master site called the global site is created. The name of the global site is indicated by an asterisk (*). Some default values, such as system rules, can be set at the global site level, then inherited at the site level, and changed at the site level, if required. Within the system, each site operates independently and maintains its own elements, such as materials, bills of material, and routings.

    In SAP ME, production data is segregated according to the site. The set of activities a user has access to depends on the site the user logged on to. You grant a user access to a site by assigning this user to a user group in User Maintenance in SAP ME. On the Permissions tab page of User Group Maintenance, you select the activities you want users in each group to be able to access. You can modify the default permissions for each SAP ME standard user group to meet your specific requirements. You assign a user in specific groups to a specific site in User Maintenance in SAP ME.

    When users log on to an SAP ME site for the first time, they are automatically logged on to their default site. To assign a default site to a user in UME, you first need to create the Default Site field in SAP NetWeaver. To do this, proceed as follows:
    1. In Identity Management, choose the Configuration button.
    2. On the Configuration screen, choose the User Administrator UI tab and choose the Modify Configuration button.
    3. In the Administrator-Managed Custom Attributes field, enter the following data: SAPME:DEFAULT SITE
    4. Save your entries.

    After you have created the Default Site field, you can assign a default site to a user as follows:
    1. Log on to SAP NetWeaver as an administrator user.
    2. Navigate to Identity Management and select the user that you want to assign a default site to.
    3. Choose the Modify button and, on the Customized Information tab page, enter the name of the site in the Default Site field. Note that you have to assign the user to this site before assigning this site as the default for this user.
    4. Save your entries.
    5. Repeat these steps for each user.

    Note: If you create the Default Site field in SAP NetWeaver UME but do not define a default site for the user in the UME user configuration, on first logon the user is redirected to the site that comes first alphabetically in the list of sites where this user is defined.

    Once users have logged on to the SAP ME application at their default site, they can switch between the SAP ME sites assigned to them in UME using the Site Selection functionality. By clicking the Site link, users can view the list of their sites and choose the destination site on the Site Selection screen. The Site link is located on the menu bar at the top right of the screen, near the Logout, About, and Help links. Once a user selects a specific site on the Site Selection screen, the current HTTP session of the user is invalidated and a new session is established for the selected site. User logon to the new session is completed by means of SAP logon tickets; if you have reduced the login module stack to BasicPasswordLoginModule for shared terminals (see section 4.3), no ticket is issued or accepted, so users have to enter their password again when switching sites. You can find more information about SAP logon tickets under User Authentication and Single Sign-On in the SAP Library. For more information about Site Selection, see help.sap.com > SAP Business Suite > SAP Manufacturing > SAP Manufacturing Execution > SAP Manufacturing Execution 15.0 > System Configuration.

    SAP ME Standard User Groups
    You can use SAP ME User Group Maintenance to assign authorizations to users in user groups. For more information about creating user groups, see help.sap.com > SAP Business Suite > SAP Manufacturing > SAP Manufacturing Execution > SAP Manufacturing Execution 15.0 > System Configuration. The following table shows the standard user groups that are used by SAP ME:


    Table 11: SAP ME Standard User Groups
    User Group | Description
    Administrators | Users with permissions to all activities in SAP ME at the administrative level
    Engineers | Users with permissions to activities in SAP ME applicable to production engineers
    Managers | Users with permissions to activities in SAP ME applicable to production managers
    Operators | Users with permissions to activities in SAP ME applicable to production operators
    Supervisors | Users with permissions to activities in SAP ME applicable to production supervisors

    Authorizations in SAP ERP for SAP ME ERP Integration (SAPMEINT)
    If SAP ME is integrated with SAP ERP, SAP ME depends on SAP ERP for several kinds of master and transactional data: material master, bill of material, routing, production order, planned order, and quality inspection. SAP ERP users who work on these objects must have the appropriate authorization in SAP ERP to create, modify, and export these objects. Ensure that all required authorizations are provided to the SAP ERP users. For more information, see the following SAP ERP help topics:
      Production Planning (PP): help.sap.com/erp606 > Application Help > SAP Library > SAP ERP Cross-Application Functions > SAP ERP Security Guides > SAP ERP Central Component Security Guide > Logistics > Manufacturing > Authorizations
      Materials Management (MM): help.sap.com/erp606 > Application Help > SAP Library > SAP ERP Cross-Application Functions > SAP ERP Security Guides > SAP ERP Central Component Security Guide > Logistics > Materials Management (MM) > Purchasing and External Service Procurement (MM-PUR, MM-SRV) > Inventory Management (MM-IM): Authorizations
      Quality Management (QM): help.sap.com/erp606 > Application Help > SAP Library > SAP ERP Cross-Application Functions > SAP ERP Security Guides > SAP ERP Central Component Security Guide > Logistics > Quality Management (QM) > Authorizations (QM)

    For DRF communication, the DRF_ADM and DRF_RECEIV authorization objects are required. For more information, see help.sap.com/mdg61 > Application Help > SAP Library > Master Data Governance > Working with Master Data Governance > General Functions > Data Replication. See also SAP Note 1573547 for the authorization required for the technical user that is used to send information from SAP ME to SAP ERP.

    Authorizations to View SAP MII SPC Charts from SAP ME
    To view SAP MII SPC charts from SAP ME, configure one of your users' roles as follows:
      Add the role to Visiprise/SPC/DefaultChartTemplate using the SAP MII Workbench.
      Add the role to Visiprise/SPC/DefaultQueryTemplate using the SAP MII Workbench.
      Add the XMII_USER action to the role using SAP NetWeaver Administrator.
      Assign the role to the XMLConnector server in the SAP MII database table XMII_SERVERPRMMAP.


  • 6 Network and Communication Security

    Your network infrastructure is very important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, there is no way for intruders to compromise the machines and gain access to the backend systems database or files. Additionally, if users are not able to connect to the server LAN, they cannot exploit well-known bugs and security holes in network services on the server machines.The network topology for SAP ME is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to SAP ME.

    Recommendation

    We highly recommend that you install SAP ME behind a corporate firewall.

    The following table shows the additional default ports used by SAP ME:

    Table 12

    Port   Description
    1521   Used by the Oracle SQL*Net Listener; this port is applicable if you are using Oracle for your SAP ME databases
    1433   Used by Microsoft SQL Server to listen for requests; this port is applicable if you are using MS SQL Server for your SAP ME databases
    1099   Used for RMI communication when the SAP ME SPC server is Statit
    7994   Used for HTTP communication when the SAP ME SPC server is Statit
    8082   Used for HTTP communication when the SAP ME SPC server is Statit

    For a complete list, see the technical documentation provided by the database vendor.

    Login Module Stack

    SAP ME is shipped out of the box with the following login module stack configuration:

    Table 13

    Login Module Name            Login Module Flag   Login Module Description
    EvaluateTicketLoginModule    SUFFICIENT          Authenticates users by SAP logon ticket
    BasicPasswordLoginModule     REQUISITE           Authenticates users by user ID and password
    CreateTicketLoginModule      OPTIONAL            Creates an SAP logon ticket after successful authentication
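    The flag semantics behind this stack (a SUFFICIENT module ends evaluation on success, a REQUISITE module aborts it on failure, an OPTIONAL module never decides the outcome by itself) can be traced with the following Python model. It is an added illustration, not code from this guide or from SAP NetWeaver; the ticket store, the user store, and the three module stand-ins are constructed for the example.

```python
# Added illustration (not from the SAP guide): how a JAAS-style login module
# stack with SUFFICIENT / REQUISITE / OPTIONAL flags decides an authentication.
# The three entries mirror the SAP ME default stack; each module is a
# constructed stand-in callable, not SAP's own class.
from typing import Callable, Dict, List, Tuple
Creds = Dict[str, str]
Module = Tuple[str, str, Callable[[Creds], bool]]

def evaluate_stack(stack: List[Module], creds: Creds) -> Tuple[bool, List[str]]:
    """Return (authenticated, names of the modules that ran) under JAAS rules:
    SUFFICIENT: success ends the stack at once (unless a REQUIRED or REQUISITE
                module already failed); failure is ignored.
    REQUISITE:  failure aborts the stack at once; success continues.
    REQUIRED:   failure fails the stack, but later modules still run.
    OPTIONAL:   never decides the outcome by itself."""
    ran: List[str] = []
    required_failed = any_success = False
    for name, flag, login in stack:
        ran.append(name)
        ok = login(creds)
        if flag == "SUFFICIENT" and ok and not required_failed:
            return True, ran
        if flag == "REQUISITE" and not ok:
            return False, ran
        if flag == "REQUIRED" and not ok:
            required_failed = True
        any_success = any_success or ok
    return any_success and not required_failed, ran

# Constructed sample data standing in for the ticket store and the user store.
VALID_TICKETS = {"TICKET-OK"}
USERS = {"operator1": "s3cret"}

def evaluate_ticket(c: Creds) -> bool:
    """EvaluateTicketLoginModule stand-in: accept a known SAP logon ticket."""
    return c.get("ticket") in VALID_TICKETS

def basic_password(c: Creds) -> bool:
    """BasicPasswordLoginModule stand-in: check user ID and password."""
    user = c.get("user")
    return user in USERS and USERS[user] == c.get("password")

def create_ticket(c: Creds) -> bool:
    """CreateTicketLoginModule stand-in: issue a ticket after password logon."""
    c["ticket"] = "TICKET-OK"
    return True

SAP_ME_STACK: List[Module] = [
    ("EvaluateTicketLoginModule", "SUFFICIENT", evaluate_ticket),
    ("BasicPasswordLoginModule", "REQUISITE", basic_password),
    ("CreateTicketLoginModule", "OPTIONAL", create_ticket),
]
```

    With a valid ticket only the first module runs; without one, a wrong password stops the stack at BasicPasswordLoginModule and no ticket is created.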


  • 6.1 Communication Channel Security

    The table below shows the communication channels used by SAP ME, the protocol used for the connection, and the type of data transferred:

    Table 14: Communication Path

    Communication Path                                                      Protocol Used   Type of Data Transferred
    Front-end client using IE to SAP ME application server                  HTTP            Authentication; application
    SAP MII application server to SAP ME application server for SAPMEINT    Java API        Authentication; application
    SAP ME Scripts to application server                                    RMI-P4          Application
    SAP ME Scripts to SAP ME databases                                      JDBC            Authentication; application
    SAP ME application server to SAP ME SPC server when Statit is used      RMI; HTTP       Application
    Application server connection to SAP ME databases                       JDBC            Application

    HTTP, SOAP over HTTP, and RMI-P4 connections are protected using the SSL protocol. RMI connections cannot be protected. JDBC connections are protected using driver-provided encryption.

    For more information, see Network Security in the SAP NetWeaver Application Server Java Security Guide on SAP Service Marketplace at service.sap.com/securityguide SAP NetWeaver 7.4 Security Guides SAP NetWeaver 7.4 Security Guide.

    6.2 Communication Destinations

    SAP ME does not deliver pre-configured RFC or JCo destinations or ports.


  • 7 Data Storage Security

    SAP ME stores J2EE application data in the SAP NetWeaver 7.4 database. For more information, see the SAP NetWeaver 7.4 Security Guide on SAP Service Marketplace at service.sap.com/securityguide SAP NetWeaver 7.4 Security Guides SAP NetWeaver 7.4 Security Guide.

    SAP ME stores business data in the WIP, ODS, and optional GODS relational databases. You can use Microsoft SQL Server 2005/X86 64 bit, Microsoft SQL Server 2008 SP1/X86 64 bit, Oracle 10.2.05 64 bit, Oracle 11.2 64 bit, or Oracle 11.2 32 bit for your SAP ME database management system. For more information, see the technical documentation provided by the database vendor.

    When you create your database, a specific user ID with password is defined. This user ID and password are later entered in the Data Source in the SAP NetWeaver Installation Wizard.

    SAPMEINT

    SAPMEINT uses SAP MII 15.0 for business transactions integrated with SAP ERP systems. The data exchange between SAPMEINT and the SAP ERP system is carried out using IDocs.

    SAP ME Scripts

    SAP ME Scripts automate various tasks for the SAP ME WIP and ODS databases. These scripts are configured to run as scheduled tasks in a productive environment.

    During SAP ME Scripts installation, all the required information is collected from the user. Passwords for the SQL Server or Oracle WIP, ODS, and GODS databases are encrypted and then stored in the secstore.properties property file. The encryption is achieved using the iaik_jce.jar SAP NetWeaver library. The iaik_jce.jar file is not bundled with SAP ME Scripts and is located within the SAP NetWeaver server. The location of this JAR file is determined at runtime from the SAP NetWeaver server system name and SID provided by the user.

    Temporary Printing Directory

    SAP ME provides functionality to configure a directory on the application server to which you can write files. You can configure third-party applications to retrieve and print files from this directory.

    For more information, see help.sap.com SAP Business Suite SAP Manufacturing SAP Manufacturing Execution SAP Manufacturing Execution 15.0 Document Management.


  • 8 Security for Additional Applications

    If you are using Statit as your SAP ME SPC server, Statit e-Server 5.4 is required. Contact the vendor to secure Statit e-Server in your system landscape.


  • 9 Other Security-Relevant Information

    JavaScript

    SAP ME uses JavaScript in many of the front-end web pages and you must enable it.

    Java Web Start

    Several user interfaces in SAP ME are implemented as rich clients using Java Web Start technology. Download and execute Java Web Start.

    ActiveX

    With Statit as your SAP ME SPC server, ActiveX controls are used in many of the front-end Web pages. If you use Statit, ActiveX controls must be enabled.


  • 10 Security Logging and Tracing

    SAP ME uses the standard SAP NetWeaver 7.4 logging infrastructure for logging security-relevant information about logon, logout, and HTTP session time-out. For more information, see the Administrator's Guide on the SAP Help Portal at help.sap.com/nw74 SAP NetWeaver 7.4 Library SAP NetWeaver Composition Environment Library.

    SAP ME uses the Audit Log for logging maintenance changes made to audit-logged data and objects. SAP ME also uses the Activity Log for logging all shop floor activities, including production operator actions. For more information, see help.sap.com SAP Business Suite SAP Manufacturing SAP Manufacturing Execution SAP Manufacturing Execution 15.0.

    For invalid logon events, SAP ME logs additional security-relevant information in the SAP NetWeaver Security Logs.

    In SAP ME, the creation and execution of scripts are traced in the SAP NetWeaver standard logs. To set up this type of tracing, choose INFO severity for the trace location com.sap.me.script.ScriptBOBean in NetWeaver Log Configuration. Note that this location appears only after several traces have been written.

    Logged production activities and Labor Tracking data can be archived. For more information, see the SAP ME 15.0 Application Operations Guide on the SAP Help Portal at service.sap.com/instguides SAP Business Suite Applications SAP Manufacturing SAP Manufacturing Execution 15.0.


  • 11 Configuring Web Service Security

    Security for SAP ME 15.0 web services is based on the security of SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the SAP ME 15.0 web services.

    Note

    To provide web services access to users, the proper authorization roles must be assigned. For more information, see Authorizations in this guide.

    By default, SAP ME 15.0 web services are configured with HTTP Basic Authentication over HTTP. It is possible to create additional security constraints through SAP NetWeaver Administrator. For more information, see Configuring Individual Web Services at help.sap.com/nw74 Functional View SAP NetWeaver by Functional Areas SAP NetWeaver Library: Function-Oriented View Application Server Application Server Java Administering Application Server Java Administration Web Service Administration Configuring Web Services and Web Service Clients Configuring Web Services Configuring Individual Web Services.

    You can configure SAP ME web services all at once with a communication profile. For more information, see Preparing Communication Profiles at help.sap.com/nw74 Functional View SAP NetWeaver by Functional Areas SAP NetWeaver Library: Function-Oriented View Application Server Application Server Java Administering Application Server Java Administration Web Service Administration Configuring Web Services and Web Service Clients.

    For information about assigning a communication profile to an application's web services, see Configuring Web Services Exposed by Applications at help.sap.com/nw74 Functional View SAP NetWeaver by Functional Areas SAP NetWeaver Library: Function-Oriented View Application Server Application Server Java Administering Application Server Java Administration Web Service Administration Configuring Web Services and Web Service Clients Configuring Web Services Configuring Groups of Web Services.


  • Typographic Conventions

    Table 15

    Example             Description
    <Example>           Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, Enter your .
    Example → Example   Arrows separating the parts of a navigation path, for example, menu options
    Example             Emphasized words or expressions
    Example             Words or characters that you enter in the system exactly as they appear in the documentation
    www.sap.com         Textual cross-references to an internet address
    /example            Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
    123456              Hyperlink to an SAP Note, for example, SAP Note 123456
    Example             Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
                        Cross-references to other documentation or published works
    Example             Output on the screen following a user action, for example, messages
                        Source code or syntax quoted directly from a program
                        File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
    EXAMPLE             Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE
    EXAMPLE             Keys on the keyboard



  • www.sap.com

    Copyright 2014 SAP SE or an SAP affiliate company. All rights reserved.

    No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

    SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

    Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

    These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

    In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
