An SAP Mobile Platform deployment introduces a multilayer approach to corporate security designed for mobility.
Encryption of data in transit is based on Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), which secure client/server communication using digital certificates and public-key cryptography; in this document "end-to-end" means from the device to the server tier, not across every hop behind it.
Each runtime service listens on its own communication ports, one secured (TLS) and one unsecured. Security for this tier covers both the server components that provide these services and the communication between them; where a service's unsecured port is not needed, it should be disabled or restricted at the firewall so that only the secured port is reachable from clients.
Key SAP Mobile Platform security features for devices include the encryption of data, the implementation of login screens, and the use of DataVault to store sensitive data.
Application security is based mainly on the mapping of a mobile business object (MBO) package to a security configuration. A security configuration defines the authentication, authorization, attribution, and auditing security provider for an application package's access control and activities. For example, for an application, an administrator may create a security configuration that points to the LDAP server for authentication and authorization, and does not associate any provider for attribution and auditing.
Single sign-on (SSO) lets mobile device application users enter their credentials once to gain access to all resources related to that application, including servers, packages, and data sources. SAP Mobile Platform supports SSO authentication for mobile clients that access data from an SAP enterprise information system (EIS) using either X.509 certificates or SSO logon tickets (SSO2). Administrators can also use their SSO system of choice with SAP Mobile Platform to achieve end-to-end integration across client applications and EIS resources.

Beyond X.509 certificate security, SAP Mobile Platform extends single sign-on support to third-party and standard single sign-on mechanisms: the authentication framework can accept HTTP headers and cookies propagated by the client or by a proxy server, authenticate the user from them, and propagate that user to the EIS. A propagated header is only as trustworthy as the hop that set it, so the framework should accept identity headers only from the proxy that performed the authentication, and that proxy must strip any copy of those headers supplied by the client; a signed logon ticket, by contrast, carries its own integrity check and can be verified on its own.
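As an added illustration of why propagated headers and cookies need different trust rules (example code written for this page, not SAP Mobile Platform's own implementation), the following Python sketch accepts an identity header only when the request arrives from a known SSO proxy, and accepts a ticket cookie only after checking its signature and expiry. The header name, cookie name, proxy address range and shared secret are assumptions chosen for the example; a real SSO2 logon ticket is digitally signed by the issuing system rather than MACed with a shared secret, so the ticket format here is a stand-in for that mechanism.

```python
"""Illustrative check for propagated identity (example code, not SAP Mobile Platform's)."""
import hashlib
import hmac
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed deployment values: the SSO proxy's address range, the header the proxy
# uses to assert an authenticated user, the cookie carrying a logon ticket, and a
# constructed shared secret standing in for the ticket issuer's signing key.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.5.0/24")]
IDENTITY_HEADER = "x-sso-user"
TICKET_COOKIE = "sso-ticket"
TICKET_KEY = b"constructed-example-secret"


@dataclass
class Request:
    peer_ip: str                       # address of the TCP peer, not of any X-Forwarded-For hop
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


def from_trusted_proxy(peer_ip: str) -> bool:
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in TRUSTED_PROXIES)


def mint_ticket(user: str, ttl: int = 600, now: Optional[float] = None) -> str:
    """Issue 'user:expiry:mac'; in a real deployment the EIS or SSO system does this."""
    expiry = int((time.time() if now is None else now) + ttl)
    body = f"{user}:{expiry}"
    mac = hmac.new(TICKET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{mac}"


def verify_ticket(ticket: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user named in a ticket whose MAC checks out and which has not expired."""
    try:
        user, expiry, mac = ticket.rsplit(":", 2)
    except ValueError:
        return None                     # malformed ticket
    expected = hmac.new(TICKET_KEY, f"{user}:{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                     # forged or tampered ticket
    if int(expiry) < (time.time() if now is None else now):
        return None                     # genuine but expired
    return user


def authenticate(req: Request, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated user name, or None if the request carries no usable identity."""
    headers = {k.lower(): v for k, v in req.headers.items()}
    # Path 1: a bare identity header carries no proof of its own. It is accepted only
    # when the request comes from the proxy that performed the authentication; from any
    # other peer the same header is trivially forgeable and is ignored.
    user = headers.get(IDENTITY_HEADER)
    if user and from_trusted_proxy(req.peer_ip):
        return user
    # Path 2: a logon ticket carries its own integrity check, so it may be presented
    # directly by the client and is verified rather than trusted by source.
    ticket = req.cookies.get(TICKET_COOKIE)
    if ticket:
        return verify_ticket(ticket, now)
    return None


def scrub_client_identity_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """What the proxy must do before setting IDENTITY_HEADER: drop any client-supplied copy."""
    return {k: v for k, v in headers.items() if k.lower() != IDENTITY_HEADER}
```

The peer address used for the proxy check must be the actual TCP peer; reading it from a client-controllable header such as X-Forwarded-For would reopen the forgery path the check is meant to close.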
SAP Mobile Platform supports Afaria device management and security functionality. Client applications can generate certificate requests which in turn are passed through Afaria to the corporate PKI system for CA signature. If Afaria is not deployed, the process for generating and provisioning client certificates follows the standard corporate certificate request and renewal process. Afaria device management and security functionality includes features such as remote device locking, remote data cleanup, data fading (a feature that enables the IT administrator to lock, wipe, or reset a device that has not communicated with the corporate network or Afaria server after a predetermined number of days), and password expiration management. Even without Afaria, the SAP Mobile Server administrator can lock or unlock devices from accessing applications deployed to the server.
The SAP Mobile Platform Common Security Infrastructure (CSI) provides an extensible model for integrating with existing security infrastructure. CSI login modules conform to the Java Authentication and Authorization Service (JAAS), which enables SAP Mobile Platform to integrate with LDAP, Microsoft Active Directory, SiteMinder, and similar providers. For additional information about developing a custom authentication or authorization provider, see Security API in Developer Guide: SAP Mobile Server Runtime.