Security

An SAP Mobile Platform deployment introduces a multilayer approach to corporate security designed for mobility.

This approach ensures that:

Internal and external device users can securely connect to enterprise information systems.
Every network link that transfers corporate information and every location that stores enterprise data guarantees confidentiality.

SAP Mobile Platform security features cover:

Component Security – SAP Mobile Platform consists of multiple components that are installed on internal networks, primarily on the corporate LAN and the demilitarized zone (DMZ). Each component requires specific administration tasks to secure it.
Communication Security – Secure SAP Mobile Platform component communications to prevent packet sniffing or data tampering. Different combinations of components communicate with different protocols and different ports.
End-to-end data encryption support is based on Transport Layer Security (TLS) and Secure Sockets Layer (SSL), which secures client/server communication using digital certificates and public-key cryptography.
Authentication and Access Security – Authentication and access control is a core feature supported by all application types to control access to enterprise digital assets.

Security applies to components of the runtime landscape. See Security for additional detail for the following.

Server Security – The SAP Mobile Server provides data services to device clients by interacting with the data tier on behalf of the client. The data tier is installed with the server tier components to the internal corporate LAN. Communications with device clients are routed through an open port on the internal firewall to the Relay Server.
Each runtime service uses its own communication port (secured and unsecured). Security for this tier secures both the server components that provide these services and service communications.
Data Tier Security – The data tier consists of multiple databases that need protection. Each database contains sensitive enterprise data. This level of security involves securing the data infrastructure, then securing the databases by managing DBA passwords, granting DBA permissions, as well as encrypting data and logs.
DMZ Security – DMZ security involves controlling internet traffic to private networks. Key to this control is a proxy server, Relay Server or a third-party proxy server, which resides between inner and outer firewalls.
Device Security – Multiple mechanisms can be combined to fully secure devices. In addition to using the built-in security features of both the device or SAP Mobile Platform, SAP recommends that you also use Afaria so security features can be remotely initiated as required.
Key SAP Mobile Platform security features for devices include the encryption of data, the implementation of login screens, and the use of DataVault to store sensitive data.

Application security is based mainly on the mapping of a mobile business object (MBO) package to a security configuration. A security configuration defines the authentication, authorization, attribution, and auditing security provider for an application package's access control and activities. For example, for an application, an administrator may create a security configuration that points to the LDAP server for authentication and authorization, and does not associate any provider for attribution and auditing.

Single sign-on (SSO) enables mobile device application users to enter credentials only once to gain access to all resources, including servers, packages, and data sources related to that application. SAP Mobile Platform supports SSO authentication for mobile clients that access data from an SAP enterprise information system (EIS) using either X.509 certificates or SSO logon tickets (SSO2). In addition, administrators can use their SSO system of choice with SAP Mobile Platform to achieve end-to-end integration across client applications and Enterprise Information Systems (EIS) resources.In addition to supporting X.509 certificate security, SAP Mobile Platform expands single sign-on support to third-party and standard single sign-on mechanisms. With expanded single sign-on support, SAP Mobile Platform enables the authentication framework to accept HTTP headers and cookies propagated by the client or a proxy server and then authenticate and propagate the user to the EIS.

SAP Mobile Platform supports Afaria device management and security functionality. Client applications can generate certificate requests which in turn are passed through Afaria to the corporate PKI system for CA signature. If Afaria is not deployed, the process for generating and provisioning client certificates follows the standard corporate certificate request and renewal process. Afaria device management and security functionality includes features such as remote device locking, remote data cleanup, data fading (a feature that enables the IT administrator to lock, wipe, or reset a device that has not communicated with the corporate network or Afaria server after a predetermined number of days), and password expiration management. Even without Afaria, the SAP Mobile Server administrator can lock or unlock devices from accessing applications deployed to the server.
EIS Security – Secure interactions with EIS data sources. If you are using DCN, those notifications can be communicated to SAP Mobile Server securely.

See Security for additional information.

The SAP Mobile Platform Common Security Infrastructure (CSI) provides an extensible model for integrating with existing security infrastructure. CSI login modules conform with Java JAAS, which enables SAP Mobile Platform to integrate with LDAP, Microsoft AD, SiteMinder, etc. For additional information about developing a custom authentication or authorization provider, see Security API in Developer Guide: SAP Mobile Server Runtime.