Friday, August 10, 2007

Security on SAP NetWeaver Portal

Security is paramount in the IT industry. Enterprise portals – the interfaces between company networks and the Internet – particularly need to be protected from unauthorized access. Various forms of authentication promise to fend off potential intruders. An evaluation of the available procedures helps companies make the right choice.



Companies that set up a portal on the Internet are confronted with the question of how to configure access. They need to ensure that unauthorized persons cannot use the portal. So if they make information available on the portal to employees, partners, customers, or subcontractors, they have to be able to identify users beyond doubt. Many companies used to rely on static passwords, but these cannot adequately protect business-critical data from misuse.

Modern, secure authentication involves two things: what users have and what they know. Users have a token – such as a USB stick or number generator – or a card, and they must also enter a password or a PIN. Currently, two common procedures enable such a two-factor check: the one-time password and authentication using a certificate. Both technologies are highly secure, simple to use, and easy to maintain. Furthermore, they ensure stable operation.


Finding the right solution

To find the most suitable solution for an enterprise portal, a company first needs to compare the pros and cons of both technologies, bearing in mind that the one-time password method and the certificate solution take different approaches.

With the password method, portable hardware generates a passcode at each logon that is valid only once. For example, the company RSA, headquartered in Bedford, Massachusetts, provides a token called SecurID that generates numeric passcodes synchronized with the clock of the authentication server. Chips from other providers (such as Kobil, Vasco, and Aladdin) are not time-synchronized, but instead generate a new code at the touch of a button.

Password generators usually come in the form of key rings but are available in other formats, too. The SecurID token, for example, is available as a credit-card-sized device with an integrated keypad for entering the PIN directly into the device. Password-generation software can also be installed on mobile phones.

All one-time password methods require a PIN as well as the code to log on to the portal. On the application side, a server calculates the code that is currently valid for the token using the same algorithm and compares it with what the user entered. As a rule, the authentication servers of all providers are accessible using the RADIUS (Remote Authentication Dial-In User Service) protocol. So to use one of these password methods with the SAP NetWeaver Portal component, the portal operator must enable RADIUS-based authentication.


Plugging into the portal

Smart cards and USB sticks with digital certificates are alternatives to the password method. A great hurdle to using smart cards for authentication in enterprise portals is that the user's PC must have a card reader. Such readers are not widely available, so the smart card is not usually the first choice for accessing data away from the office.

In contrast, USB sticks with digital certificates are more manageable and flexible. No bigger than a mechanical key, they combine smart card and reader in a handy device. However, the smart card concept loses points because it is inflexible and cumbersome: Even though the reader is integrated into the USB drive, the related driver must be installed on the workstation. This considerably restricts its use on the road, especially because, in general, only administrators are authorized to install the software.

Hardware provider Kobil, headquartered in Worms, Germany, is breaking new ground. Kobil's mIDentity is a USB drive that incorporates a card, a reader, and flash memory. It includes both the required driver and other software, such as an Internet browser, making it ideal for users who have preconfigured access to SAP NetWeaver Portal. They can authenticate themselves using mIDentity without having administrator rights or installing software on their local PC. The solution is compatible with practically all PC operating systems (Windows, Linux, and Mac OS X).

Because the key works according to the zero-footprint principle, once the USB drive has been unplugged, no data remains on the PC that could be accessed by intruders.

As well as the question of usability and flexibility, companies must look at how the selected procedure can be integrated into SAP NetWeaver Portal from an IT perspective. The one-time password method involves more work because authentication using the RADIUS protocol is not within the functional scope of the portal. This approach requires installing additional software or delegating authentication to a feeder component connected with the portal.

The feeder component may be a proxy system: The proxy server transfers the user ID in an HTTP header to the portal server, and the actual access check takes place in SAP NetWeaver Portal using the HTTP header login module. However, authentication using an HTTP header is problematic from a security point of view, because any client able to reach the portal could supply that header itself. Apart from the proxy, no system should be able to log users on using HTTP headers. To ensure that the header is only accepted from the proxy, the proxy system should log on to the portal using a client certificate, and the portal should be configured to reject the header whenever the connection was not authenticated with that certificate.
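The trust rule from the previous paragraph, as an added illustration that is not part of the article and not SAP's own login module: the identity header is honoured only when the request arrived over a TLS connection authenticated with the pinned client certificate of the proxy; the header name, the certificate bytes and the fingerprint pin are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the DER bytes of the proxy's client certificate; on a real
# portal the pinned fingerprint is taken from the certificate the proxy presents.
PROXY_CERT_DER = b"constructed-proxy-client-certificate-bytes"
TRUSTED_PROXY_FINGERPRINT = hashlib.sha256(PROXY_CERT_DER).hexdigest()
IDENTITY_HEADER = "x-portal-user"   # assumed header name carrying the user ID


@dataclass
class Request:
    headers: dict                       # header names lower-cased
    client_cert_der: Optional[bytes]    # TLS client certificate presented, if any


def header_login(req: Request) -> Tuple[Optional[str], str]:
    """Return (user ID or None, audit line).

    The header is trusted only if the TLS peer authenticated with the proxy's
    certificate; every other case yields no login and an audit line worth alerting on.
    """
    user = req.headers.get(IDENTITY_HEADER)
    if not user:
        return None, "no identity header: fall through to normal portal logon"
    if req.client_cert_der is None:
        return None, f"REJECT header login for '{user}': no client certificate on connection"
    fingerprint = hashlib.sha256(req.client_cert_der).hexdigest()
    if not hmac.compare_digest(fingerprint, TRUSTED_PROXY_FINGERPRINT):
        return None, f"REJECT header login for '{user}': certificate {fingerprint[:16]}... is not the proxy"
    return user, f"ACCEPT header login for '{user}' from authenticated proxy"


def process(requests) -> list:
    """Evaluate a batch of requests; returns the list of (user, audit) decisions."""
    return [header_login(r) for r in requests]
```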


Integrating the check into SAP NetWeaver

Another way to integrate the one-time password method into SAP NetWeaver Portal is to use additional software. SAP security expert SecurIntegration, headquartered in Cologne, Germany, provides such a module: The SI EP/Agent, based on JAAS (Java Authentication and Authorization Service), enables authentication with one-time password products from various providers directly on the SAP portal.

Because authentication with a certificate token uses the client authentication built into the SSL protocol, integrating this checking mechanism into SAP NetWeaver is easy. Digital certificates are part of the portal's functional scope, and most Web applications can handle digital certificates too. This also facilitates the integration of applications from other providers into the portal's single-sign-on function.

When a company is selecting an access mechanism, the degree of security is an important criterion. In this respect, the USB solutions come out on top. In particular, they protect more effectively against man-in-the-middle attacks, in which the intruder positions himself or herself between the communicating partners to intercept the token code: When access is verified using a certificate, the portal operator does not depend on the user's recognizing the man-in-the-middle attack. Because both parties authenticate each other on the basis of the SSL protocol, the man-in-the-middle is detected and locked out on the server side.

Operating either access mechanism requires a technical infrastructure as well as a token. USB devices use a public key infrastructure (PKI) for generating and administering the keys. One-time password methods use the authentication server. The PKI-based access check still functions even if the PKI is temporarily unavailable, but the one-time password method depends on the availability of the authentication server at every logon. The demands on the central system are thus considerably greater.

On the client side, however, one-time passwords have the significant advantage of not requiring the installation of additional devices or programs and of being independent of local software. With USB solutions – particularly when a client outside the operator's administrative control accesses the portal – the user must install a driver to gain access. Kobil's USB solution offers an interesting alternative here.