Security overview

Introduction

Neptune Designer runs inside SAP NetWeaver systems and uses the Internet Communication Framework (ICF) to handle the server-client communication. Therefore, securing a Neptune Application is identical to other NetWeaver solutions based on ICF.

There are also a great number of solutions that provide increased security on top of NetWeaver such as the SAP Mobile Platform (Both on-premise and Cloud edition) and Mocana MAP that can be used together with Neptune Applications.

Communication

It is of paramount importance that any communication between an external network and the SAP Backend systems is encrypted. SSL (HTTPS) should be used to ensure the integrity of data. For more information check Transport Layer Security

To further protect the backend data there are several options and here is information about the most common scenarios:

Network zones

It is recommended to protect your system landscape through zone security. This will protect your sensitive data and only allow access through the DMZ (demilitarised zone) and firewalls will protect your backend systems from undesired access.

Read more at Using Multiple Network Zones

Reversed Proxy

A reversed proxy protects you with an additional security layer and has the ability to mask your backend servers for external clients.

Reverse Invoke

Reverse invoke ensures that external connections cannot get through the firewall. All communication must be opened from the internal network.

Relative information at SAP NetWeaver 7.3 EHP1

VPN

To gain external access to the internal network a VPN (Virtual private network) solution can also be used to provide encryption and tunnelling security.

User Access

To access functions and data in a backend NetWeaver system the user needs to be authenticated.

This depends on the individual customer setup. Authentication against the SAP Netweaver ABAP Stack is handled by SAP Standard in the ICF and not managed by Neptune.

SAP Logon Tickets

The most common logon to SAP systems from web clients is the use of SSO2 tickets. The user needs to provide a username and password to access the initial SAP system node and will receive a MYSAPSSO2 cookie that can give access to multiple SAP systems.

Relative information at SAP NetWeaver 7.0 EHP2

SAML 2.0

SAML 2.0 is a Single Sign-on solution that requires an identity provider that manages the identity information for the service providers.

Relative information at SAML 2.0

Client Certificates

Using X.509 client certificates is another option for user authentication. This solution authenticates the application and no username or password is required.

Relative information at SAP NetWeaver 7.0 EHP2