SAP BusinessObjects Mobile Mobile Security Guide

SAP BusinessObjects Mobile Mobile Security Guide

Below you will find brief information for BusinessObjects Mobile. This document provides comprehensive guidance on security measures implemented in the SAP BusinessObjects Mobile solution. It covers user management, data protection, network and communication security, and application server security, providing insights into the purpose and implementation of these security mechanisms. This guide is a valuable resource for administrators and users alike, ensuring a secure and reliable mobile experience for accessing and managing business intelligence information.

advertisement

Assistant Bot

Need help? Our chatbot has already read the manual and is ready to assist you. Feel free to ask any questions about the device, but providing details will make the conversation more productive.

SAP BusinessObjects Mobile Security Guide | Manualzz
SAP BusinessObjects Mobile
Document Version: 4.x.x - 2013-05-02
Mobile Security Guide
Table of Contents
1
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1
Why is Security Necessary?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2
About this Document. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2
Understanding the Mobile System Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
3
User Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1
Authentication (Identity Management). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.2
3.1.1
Importance of Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1.2
Supported Authentication Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Authorization (Access Management). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.2.1
Importance of Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.2.2
Authorization in SAP BusinessObjects Mobile applications. . . . . . . . . . . . . . . . . . . . . . . . . . . 8
4
Network and Communication Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.1
Network Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.2
4.1.1
Understanding DMZ and Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
4.1.2
DMZ and Firewall Support in the Mobile System Infrastructure. . . . . . . . . . . . . . . . . . . . . . . .12
Communication Channel Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.2.1
Significance of HTTPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.2.2
HTTPS Support in the Mobile System Infrastructure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
5
Security of Application Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
5.1
Reverse Proxy Support in the Mobile System Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
5.2
URL Mapping Implemented on the Mobile Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
6
Support for Security Deployments On the Web Application Server. . . . . . . . . . . . . . . . . . . . . . . . 16
6.1
Installing the x509 Certificate on Device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
7
User Data Protection and Privacy Measures Implemented in SAP BusinessObjects Mobile. . . . . . 21
7.1
Features of Application Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
Mobile Security Guide
Table of Contents
1
Introduction
1.1
Why is Security Necessary?
Mobility is redefining the workplace and the borders between personal and professional, home and office, and
device and application are fast disappearing. The number of devices connected to the internet is crossing millions.
As the landscape of mobile devices is growing, the threats faced by them are also multiplying. Mobile Application
stores are targets for attackers who are looking to maximize the effectiveness and reach of their malicious
applications.
Innumerable sorts of security attacks have been witnessed by the software systems over the years. As such, it is
essential to identify the vulnerabilities and potential attack points that an attacker may target in a system, and
apply adequate security mechanisms to protect the platform and application data.
For Business Intelligence applications, the various security challenges must be addressed by both the BI platform
and the mobile devices.
SAP BusinessObjects Mobile implements the basic security mechanisms to ensure the safety of network,
communication channels, application data, user data, plus the protection of many other aspects of the mobile
system landscape.
1.2
About this Document
This guide provides an overview of all aspects of the security strategy provided by the SAP BusinessObjects
Mobile solution. It explains user management, data protection, network and communication security, application
server security and the purpose of implementing the various security measures.
Security is implemented both at the level of SAP BusinessObjects Mobile applications (clients) and at the overall
Mobile system (landscape) level.
Mobile Security Guide
Introduction
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
3
2
Understanding the Mobile System
Landscape
The figure below depicts the technical and security landscape of the SAP BI Mobile system :
SAP BI Mobile consists of a client-side application for mobile devices and a Mobile server component that
communicates with the SAP Business Intelligence (BI) platform server. Using Mobile SAP BI applications,
professionals on the move can access business intelligence information from a mobile device, such as a
Smartphone or Tablet.
The SAP BusinessObjects Mobile applications (for iOS, Android and Blackberry) are designed specifically to meet
the screen size and interactivity constraints of the mobile devices. Business Intelligence documents (including
Web Intelligence, Crystal Reports, Dashboards and other types) are displayed on the device with native rendering,
single-tap access and device-appropriate user interactivity.
To access SAP BI platform content via the iPhone, iPad, Android or Blackberry devices, users need to download
the SAP BusinessObjects Mobile application to their devices.
Although SAP BusinessObjects Mobile can work on data infrastructures like GPRS, the best performance is
experienced on 3G and 3G+ Wifi networks.
Note
●
4
Except the optional components (indicated in the figure), all entities depicted in the figure above of the
Mobile system landscape are essential. Omitting any of them, may lead to insecurity of the network,
services, data and users of the Mobile system.
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
Mobile Security Guide
Understanding the Mobile System Landscape
●
The importance and role of reverse proxy and certain other Mobile system entitles shown in the figure
above are explained in other sections of this guide.
Mobile Security Guide
Understanding the Mobile System Landscape
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
5
3
User Management
User Management includes the authentication or identity management of users and the authorization or access
managment of system or application data. In the SAP BusinessObjects mobile system landscape, user
management is implemented at both the BI platform level and the Mobile for android application level.
The administrator creates user accounts and manages existing user accounts. This involves setting the
authentication type, assigning a user role and assigning the user to a pre-defined group. By assigning a user to
groups or otherwise, the administrator can control the rights of individual users or groups of users for accessing
specific objects (documents) and performing various actions on the objects, such as downloading objects,
refreshing objects, scheduling objects and viewing object instances.
3.1
Authentication (Identity Management)
3.1.1
Importance of Authentication
Implementing proper identity management or authentication is the first step towards ensuring a secure
application. Using various authentication techniques such as phishing, eavesdropping, wiretapping, stealing,
social engineering or reproduction of fingerprints, an attacker can easily gain invalid access to valuable system
resources and data.
Authentication means validating the identity claimed by a user through the information that he or she knows (as in
the case of passwords) or some other data that the system has based on his or her actions in the recent past (as
in the case of session cookies), and other mechanisms.
The user's identity must only be corroborated on fields that
●
Have been set by a trusted system, for example an application server or an Identity Provider.
●
Are signed or integrity protected and cannot be modified by an attacker as such.
A secure system protects sensitive authentication information of users by techniques such as password hashing
for storage, encryption for data transfer and careful cookie management to avoid illegal access.
3.1.2
Supported Authentication Types
The SAP BusinessObjects Mobile software uses standard authentication types to validate user identity. Before
setting up the user accounts and groups within BI platform, the administrator needs to decide the type of
authentication that he or she wants to use.
SAP BusinessObjects Mobile applications support the following authentication types:
Authentication Type
Description
Enterprise
This is the default authentication and is automatically
enabled when the system is first installed. This should be
used by the administrator when he or she prefers to create
6
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
Mobile Security Guide
User Management
Authentication Type
Description
distinct accounts and groups for use within the BI platform,
or when there is no existing hierarchy of users and groups in
an LDAP directory server or Windows AD server.
LDAP
If an LDAP directory server is setup, the administrator can
use existing LDAP user accounts and groups on the BI
platform. When he or she maps the LDAP accounts to the BI
platform, users are able to access BI platform applications
with their LDAP user name and password. This eliminates the
need to re-create individual user and group accounts within
the BI platform.
Windows AD
The administrator can use existing Windows AD user
accounts and groups in the BI platform. When an AD account
is mapped to the BI platform, users are able to log on to BI
platform applications with their AD user name and password.
This eliminates the need to recreate individual user and
group accounts within the BI platform.
SAP
The administrator can map existing SAP roles to BI platform
accounts. When doing so, users are able to log on to BI
platform applications with their SAP credentials. This
eliminates the need to recreate individual user and group
accounts within the BI platform.
For the application to authenticate the user with the types mentioned above, the administrator must:
●
Ensure that the appropriate prerequisites are satisfied.
●
Perform additional configuration steps on the SAP BusinessObjects BI platform server and SAP
BusinessObjects Mobile server.
For the details of these prerequisites and additional configuration information, refer to the Administrator and
Report Designer's Guide available at http://help.sap.com/bomobileios
Note
User authentication can be manual (explicit) or Single Sign On (SSO). The authentication types described
above are supported for manual authentication. The SAP BusinessObjects Mobile applications do not support
SSO at this point in time. However, it is may be implemented in near future.
3.2
3.2.1
Authorization (Access Management)
Importance of Authorization
Authorization limits the accessibility of a software or platform's data to a particular set of users who can perform
specific actions based on the rights or permissions granted to them. The goal of authorization is to ensure that
users perform only legitimate actions. Authorization defines what a user can do and is critical for data protection,
fraud prevention and general legislation compliance.
Mobile Security Guide
User Management
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
7
Authorization is often explained using the analogy of locks and keys. The assets of a system are protected by
locks. Users get keys (rights or permissions) to open locks.
This concept is illustrated in the following example:
In the following figure, each lock represents an authorization attribute or condition imposed by the administrator
that must be met by the user to access the asset. All locks of an asset need to be "opened" to access or work on
an asset. The locks and their respective keys are depicted by the same color code:
●
Asset 1: Neither Bob nor John have sufficient keys to unlock the asset. As such, neither of them can access
Asset 1.
●
Asset 2: Bob has the required (red and yellow) keys to unlock the asset. John does not have the red key.
Hence, Bob can access Asset 2, while John cannot.
●
Asset 3: Only the yellow key is required to unlock the asset. Both Bob and John have the yellow key and so
both of them can access Asset 3.
3.2.2 Authorization in SAP BusinessObjects Mobile
applications
In the SAP BuisnessObjects Mobile system, individual users or groups can access the BI platform content based
on the rights granted to them by the application administrator.
Users can hold the rights of only a BI Viewer,which means they can access and perform specific actions on the
documents, but not modify or upload them from their devices.
The application administrator must grant the following minimum rights to authorize the user:
●
Object level rights:
Users must have the following minimum rights:
View rights for folders, categories and documents: This right enables users to access the required folders
and categories; download documents, view documents and synchronize the downloaded documents with
the mobile server.
Refresh rights for documents: This right authorizes users to refresh the documents.
●
8
Application level rights:
The administrator must grant users the following rights at the application level:
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
Mobile Security Guide
User Management
Rights to log on to Web Intelligence
Rights to enable formatting for reports
Note
The administrator grants rights to individual users from the Central Management Console (CMC) on the BI
platform.
●
For information on how to assign mobile specific user rights using the CMC, refer to the Mobile Server
deployment guide available at https://websmp203.sap-ag.de/~sapidb/011000358700001280592012E/
xi4sp5_mob_inst_deploy_en.pdf
●
For information on how the access rights are assigned in general, see the Business Intelligence Platform
Administrator 's Guide available at http://help.sap.com/businessobject/product_guides/boexir4/en/
xi4sp6_bip_admin_en.pdf
Mobile Security Guide
User Management
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
9
4
Network and Communication Security
4.1
Network Security
Network hosts in a mobile system landscape provide various services to the internet such as web, email,
application files and confidential information and are vulnerable to attack by hackers, intruders and all sorts of
malicious users. This section gives an overview of the security mechanisms that are applied to protect the
components of the mobile system network.
4.1.1
Understanding DMZ and Firewall
A DMZ, or De militarized Zone, is a physical or logical subnetwork that contains and exposes an
organization's external services to a larger untrusted network, usually the Internet. The purpose of a DMZ is to
add an additional layer of security to an organization's local area network (LAN). This means that an external
attacker only has access to equipment in the DMZ, rather than any other part of the network.
In a network, the hosts most vulnerable to attack are those that provide services to users outside of the local area
network, such as e-mail, web and Domain Name System (DNS) servers. Because of the increased potential of
these hosts being attacked, they are placed into their own sub-network to protect the rest of the network if an
intruder were to succeed in attacking all of them.
Hosts in the DMZ have limited connectivity to specific hosts in the internal network but communication with other
hosts in the DMZ and to the external network is allowed. This allows hosts in the DMZ to provide services to both
the internal and external network, while an intervening firewall controls the traffic between the DMZ servers and
the internal network clients.
A DMZ configuration typically provides security from external attacks.
Note
A DMZ is also referred to as a Perimeter Network.
Any service that is being provided to users on the external network can be placed in the DMZ. The most common
of these services are:
●
Web servers
●
Mail servers
●
FTP servers
●
VoIP(Voice over Internet Protocol) servers
Architecture
There are many different ways to design a network with a DMZ. Two of the most basic methods are with a single
firewall, also known as the three legged model, and with dual firewalls.
10
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
Mobile Security Guide
Network and Communication Security
Single Firewall
A single firewall with at least three network interfaces can be used to create a network architecture containing a
DMZ. The external network is formed from the Internet Service Provider(ISP) to the firewall on the first network
interface, the internal network is formed from the second network interface, and the DMZ is formed from the third
network interface. The firewall becomes a single point of failure for the network and must be able to handle all of
the traffic going to the DMZ as well as the internal network.
The figure below illustrates the single firewall architecture.
Notice that the various service hosts are placed within the DMZ.
Dual Firewall
This implementation uses two firewalls to create a DMZ. The first firewall (also called the "front-end" firewall)
must be configured to allow traffic destined for the DMZ only. The second firewall (also called "back-end" firewall)
allows only traffic from the DMZ to the internal network. Dual firewalls provide a more secure infrastructure.
In some organizations, the two firewalls are provided by two different vendors. If an attacker manages to break
through the first firewall, it may take more time to break through the second one if it is made by a different vendor,
and thus less likely to suffer from the same security vulnerabilities if any are found.
Mobile Security Guide
Network and Communication Security
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
11
The figure below illustrates the dual firewall architecture.
4.1.2 DMZ and Firewall Support in the Mobile System
Infrastructure
The SAP BusinessObjects Mobile server supports deployments in the DMZ environment. The SAP
BusinessObjects Mobile client on the extranet interacts with the SAP BusinessObjects BI platform server on the
intranet using the DMZ environment.
To enable this deployment, perform the following:
1.
Configure the -requestPort and -port parameters for the following servers:
○
CMS (for authentication, querying InfoStore, and browsing the repository)
○
Web intelligence report server
○
Adaptive processing server
2.
Open the listening ports (-requestPort parameter) for the servers mentioned above on the internal firewall.
3.
Open the Web application server port on the external firewall.
The communication between the SAP BusinessObjects Mobile client and SAP BusinessObjects Mobile server uses
the HTTPS protocol. The SAP BusinessObjects Mobile server communicates with SAP BusinessObjects BI
platform Central Management Server (CMS), Web Intelligence Servers, and Adaptive Processing Servers in Corba
mode.
12
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
Mobile Security Guide
Network and Communication Security
4.2
Communication Channel Security
4.2.1
Significance of HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol (HTTP) with
Secure Socket Layer (SSL) or Transport Layer security (TLS) protocol. HTTPS provides secure identification of a
web server in the network and encrypted communication between the interacting entities (client and server or
two servers). HTTPS connections are used for sensitive transactions on the World Wide Web and corporate
information systems.
HTTPS is syntactically identical to the HTTP scheme used for normal HTTP connections, but it also signals the
browser to use an added encryption layer of SSL/TLS to protect the traffic. SSL is especially suited for HTTP
since it can provide some protection even if only one side of the communication is authenticated. This is the case
with HTTP transactions over the Internet, where typically only the server is authenticated (by the client examining
the server's certificate).
The main idea of HTTPS is to create a secure channel over an insecure network. This ensures reasonable
protection from eavesdroppers and man-in-the-middle attacks, provided that adequate cipher suites are used
and that the server certificate is verified and trusted.The trust inherent in HTTPS is based on major certificate
authorities that come pre-installed in browser software.
4.2.2
HTTPS Support in the Mobile System Infrastructure
The SAP BusinessObjects Mobile server supports encrypted communication with the SAP BusinessObjects
Mobile client. To encrypt the communication between the SAP BusinessObjects Mobile application (on
device) and the SAP BusinessObjects Mobile server, you must configure HTTPS on your Web Application
Server.
For information on how to configure HTTPS, refer to the documentation of your Web Application Server.
Note
We recommend that you configure HTTPS on your Web application server to ensure the security of the
communication channel in your set up.
Mobile Security Guide
Network and Communication Security
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
13
5
Security of Application Servers
Access to the SAP BusinessObjects Business Intelligence platform servers and the SAP BusinessObjects Mobile
server is secured by setting up reverse proxy servers in the system. This section explains the architecture of
reverse proxy servers and how they are implemented in the mobile infrastructure.
5.1
Reverse Proxy Support in the Mobile System Landscape
Significance of Reverse Proxy Servers
Like a proxy server, a reverse proxy server is an intermediary between the client and the Web application server,
but it is used the other way around. Instead of providing a service to internal users wanting to access an external
network, a reverse proxy server provides an external network with indirect access to internal resources. For
example, back office application access, such as an email system, could be provided to external users (to read
emails while outside the company) but the remote user would not have direct access to his email server. Only the
reverse proxy server can physically access the internal email server.
Reverse proxy is an extra layer of security, which is particularly recommended when internal resources need to be
accessed from the outside. Usually such a reverse proxy mechanism is provided by using an application layer
firewall.
Like a proxy server, reverse proxy also provides efficiency advantages such as load distribution, caching of static
and dynamic content, and content compression. From the perspective of security, it gives the following
advantages to the system :
●
Reverse proxies hide the existence and characteristics of the original server(s).
●
Application firewall features of a reverse proxy can protect against common web-based attacks. Without a
reverse proxy, removing malware or initiating takedowns, for example, can become difficult.
●
In the case of secure websites, the SSL encryption is sometimes not performed by the web server itself, but is
instead offloaded to a reverse proxy that may be equipped with SSL acceleration hardware.
Implementation in the Mobile Landscape
The mobile platform is deployed in an environment with one or more reverse proxy servers. The reverse proxy
server communicates with SAP BusinessObjects Mobile client(s) and is typically deployed in front of the SAP
BusinessObjects Mobile server in order to hide the mobile and BI platform servers behind a single IP address. This
configuration routes all Internet traffic that is addressed to private web application servers through the reverse
proxy server, hiding private IP addresses.
Because the reverse proxy server translates the public URLs to internal URLs, it must be configured with the URLs
of the Mobile platform applications that are deployed on the internal network. Once reverse proxy is enabled for
the server, the client can access the mobile application using the appropriate reverse proxy URL.
14
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
Mobile Security Guide
Security of Application Servers
5.2
URL Mapping Implemented on the Mobile Server
When users add Mobile server connections in the SAP BI application on their mobile device, they specify the
Mobile <Server-URL> for each connection. After creating connections, when the user chooses a connection, the
application creates a specific request URL to invoke the Web application server (Mobile server).
Users need not enter the complete URL for a Mobile server. Instead, the application re-constructs the URLs in the
following manner:
●
If the user enters: x.com:8080 in the <Server-URL> field, the application contacts http://x.com:8080/
MobileBIService/MessageHandlerServlet using HTTP POST.
●
If the user enters: http://x.com:8080 in the <Server-URL> field, the application contacts http://
x.com:8080/MobileBIService/MessageHandlerServlet using HTTP POST.
●
If the user enters: https://x.com:8080 in the <Server-URL> field, the application contacts https://
x.com:8080/MobileBIService/MessageHandlerServlet using HTTPS POST.
Note
1.
If a user is setting up a reverse proxy server, all communications recieved over the URL: http://
external-hostname:port/MobileBIService/MessageHandlerServlet must be mapped to
http://internal-hostname:port/MobileBIService/MessageHandlerServlet . All the query
parameters in the URL (such as ?x=a&y=b) must also be mapped.
2.
If user is setting up a load balancer, he/she must ensure that cookie-based persistence (for session data) is
set up for the server that first serves the client request. If the load balancer faces issues with cookie-based
persistence, ensure that IP based persistence is set up.
Mobile Security Guide
Security of Application Servers
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
15
6 Support for Security Deployments On the
Web Application Server
Ensure that you have implemented either of the following scenarios on your Web application server (on which you
have installed the SAP BusinessObjects Mobile server):
●
Basic authentication (for example Siteminder)
●
Form based authentication (for example Siteminder, Webseal)
●
X509 certificate (two way client certificate)
When users add connections to the SAP Mobile server (with either of the above security deployments) using the
SAP BusinessObjects Mobile application on their devices, they see a security interface which asks for
authentication. The following sections explain the three scenarios listed above.
a. Basic Authentication
1.
Using the Settings screen of the application, users add a connection to the CMS with basic authentication
deployed on it. (As an administrator, you provide the specific server details to the application users.)
2.
On choosing the new connection in the Settings screen, the application displays the basic Authentication
dialog box, asking the user to enter his/her credentials:
3.
User is logged in to the connection, and can browse the BI documents available on the server.
b. Form Based Authentication
1.
Using the Settings screen of the application, users add a connection to the CMS with form based
authentication deployed on it. (As an administrator, you provide the specific server details to the application
users.)
2.
On choosing the new connection in the Settings screen, the application displays a form, asking the user to
provide additional information:
16
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
Mobile Security Guide
Support for Security Deployments On the Web Application Server
Note
The form fields can be customized on the Web application server and UI features such as company logo
can be included in the form. The form configured on the Web application server is displayed in the same
way as in the application in a container on device.
3.
User is logged in to the connection, and can browse the BI documents available on the server.
c. Certificate Based Authentication
1.
Users first install the X509 certificate on the device. Information on how to install the certificate is provided in
the sub-topic of this chapter.
2.
Using the Settings screen of the application, users add a connection to the CMS with certificate based
authentication deployed on it. (As an administrator, you provide the specific server details to the application
users.)
3.
When you choose the new connection in the Settings screen, the application displays a dialog box stating that
the connection requires a certificate:
Mobile Security Guide
Support for Security Deployments On the Web Application Server
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
17
User chooses Yes to display the certificate.
4.
Application displays the available certificates and asks for the right certificate:
5.
User selects the certificate (installed in step 1) from the list.
6.
User is logged in to the connection, and can browse the BI documents available on the server.
Note
1.
Installed certificates can be removed from the application by choosing the
Certificates
2.
6.1
Clear Data
Remove
option in the Settings screen.
The application supports basic authentication and certificate based authentication for hyperlink
objects as well.
Installing the x509 Certificate on Device
For adding or accessing a certificate based connection in the application, users need to first install the certificate
on their device. SAP BusinessObjects Mobile applications support the set ups that are deployed based on
the x 509 certificate.
x 509 certificate is usually of the format "<>.p12" or "<>.cert"
The procedures below are for users who install the certificate (received via email or accessed from a Web
application server) on their device:
18
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
Mobile Security Guide
Support for Security Deployments On the Web Application Server
Installing the certificate received as an email attachment
1.
On your desktop, download the certificate (*.p12) file.
2.
Change the certificate file extension from ".p12" to ".mcert" and send it to the email account configured on
your device.This ensures that the certificate file is in a recognizable format for the application.
3.
On your device, double-click the certificate that you emailed to your account.
The application is launched.
●
If the certificate is not password protected, a message appears on the screen saying that the certificate is
installed successfully.
●
If the certificate is password protected, a dialogue box appears on the screen asking you to enter the
password. For the installation to complete successfully, enter the password and choose OK.
The message for successful certificate installation appears.
Note
If the certificate you are installing already exists on your device, on performing step 3 in the above task, a
dialogue box appears saying: "This certificate <ID> already exists". If you want to delete the existing certificate
from the app, choose Delete in the dialogue box. Else, choose Cancel.
Installing the certificate hosted on a Web Application Server
1.
On your device, access either of the following links emailed to you by the administrator:
SAPBI://action=downloadcert&certurl=<Download URL>
SAPBI://action=downloadcert&certurl=<Download URL>&Password=abc123
2.
If you access the first link above:
The application is launched and the certificate file is downloaded from the URL location (certurl).
A dialogue box appears asking you to enter the password. Enter the password and choose OK.
The certificate is installed successfully on the device.
Note
If the certificate is not password protected, the application is installed directly on accessing the link.
3.
If you access the second link above:
The application is launched and the certificate file is downloaded from the URL location (certurl).
The certificate is directly installed on the device.
Note
Since the password is already included in the URL, the application does ask the user for the password. In
this case, if the certificate is not password protected, the parameter for password is ignored by the
application.
An example of the parameter "Download URL" is http://10.208.107.248:8080/Resource/I087312.p12 ;
Mobile Security Guide
Support for Security Deployments On the Web Application Server
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
19
where 10.208.107.248:8080 is the IP address and port of the Web application server machine and
I087312.p12 is the certificate file.
Note
If the certificate you are installing already exists on your device, on accessing any of the two links, a dialogue
box appears saying: "This certificate <ID> already exists". If you want to delete the existing certificate from the
application, choose Delete in the dialogue box. Else, choose Cancel.
20
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
Mobile Security Guide
Support for Security Deployments On the Web Application Server
7
User Data Protection and Privacy
Measures Implemented in SAP
BusinessObjects Mobile
User data is the data or information which is personal to an individual user. In the context of the SAP
BusinessObjects Mobile applications, this includes the downloaded reports and application logon credentials of
the user. To ensure the security of user data, the following features are implemented on the software:
●
The downloaded documents are persisted on the device as encrypted files. The downloaded content is
encrypted using the FIPS compliant AES algorithm. For iPad/iPhone devices with iOS version 5.0.1 or above,
these encrypted documents are not uploaded to iCloud.
●
Users have the same authorizations as defined on the SAP Business Intelligence (BI) platform server, even for
the downloaded or offline documents.
●
Users have the option of saving their password for a connection in the application. However, in the server
configuration, this option is disabled by default (savePassword=false). If a user enables the Save
Password option while configuring the connection on his or her device, the password is encrypted using the
FIPS compliant AES algorithm and stored with the iOS keychain.
Note
For information on the password enhancements implemented in the application, see the sub-topic of this
chapter.
●
In the default configuration of the application, the option to download and view documents locally on the
device is disabled. (offlineStorage=false). Users can only access the documents available on the server
in online mode of working.
Based on requirements, administrator can enable this option in the server configuration file.
Note
You access the server available BI documents using the Browse screen of the application. When you add
these documents to the Home screen, they are downloaded and become available in the device's local
memory.
●
If offline storage of documents is enabled, there is a "Time to Live" parameter in the server configuration file,
with a default value of 365 days (offlineStorage.ttl=365). This means that the downloaded documents
expire after 365 days and are automatically removed from the local memory of device. The administrator can
choose to set a lower value for ttl (for example 5 days) based on the specific data protection requirements.
●
For BI documents having private or confidential data, administrators can secure the documents by assigning
them to a "Confidential" category on the BI platform. Users can access a secure document only while they are
connected to the Mobile server. Once users log off from the server, the secure document is deleted from the
device memory.
Note
1.
For information on configuring the various security parameters (such as savePassword and
offlineStorage) on the Mobile server; and on securing BI documents, refer to the Administrator and
Report Designer's guide available at http://help.sap.com/bomobileios or at http://help.sap.com/
bomobileandroid
Mobile Security Guide
User Data Protection and Privacy Measures Implemented in SAP BusinessObjects
Mobile
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
21
2.
Advanced capabilities such as wiping the application data from the device are not supported in the SAP
BusinessObjects Mobile software at this point in time.
7.1
Features of Application Password
The application password acts as a source of input for encryption of user data, where other users cannot decrypt
the data without this input.
Here are some features of the SAP BusinessObjects Mobile application password:
●
By default, the application password is not enabled in the application, until users add a connection to the BI
platform server. When users add a BI platform server connection, the application forces them to create an
application password (this is because user specific or personal information comes on the device only after a
connection is created).
However, if users have not created a single connection, yet, they wish to enable the application password,
they can do so using the Settings screen of the application.
Note
The above behavior applies if the user has performed a fresh installation of the application. If a user has
upgraded the existing installation with a newer version of the application from the iTunes store, server
connections would already exist in the application, and so the password would remain enabled.
●
Password prerequisites:
Password length must be minimum eight characters.
For entering the password, the application allows a maximum of twenty attempts. If the attempts exceed
this number, the application forces the user to reset the application.
Note
Resetting the application erases the application password and all the SAP BI content downloaded on the
device.
●
By choosing the Clear Data Remove Application Data option in the of the Settings screen, all BI data of
the application is deleted from the local memory. However, this does not delete the application password.
●
Users can change the password and set the "Application password timeout" parameter using the Settings
screen.
Note
The Application password timeout parameter defines the duration of inactivity. Once this is exceeded, the
application forces the user to enter the password to resume the application activity. This applies to the
scenario when the user has switched over to other applications, and returns to the SAP BusinessObjects
Mobile application after some time.The default value of this parameter is 5 minutes.
●
The following lines of code in the clientsettings.properties file on the Mobile server, help you
customize the password settings in the application:
savePassword=true
offlineStorage=true
22
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
Mobile Security Guide
User Data Protection and Privacy Measures Implemented in SAP BusinessObjects
Mobile
offlineStorage.ttl=365
offlineStorage.appPwd=true
If you set savePassword=true, the Save Password option appears in the Connection settings screen of the
application. Otherwise, it does not appear for the user.
If for a server, the administrator has set the value of offlinestorage.appPwd parameter to true, users
cannot disable the application password (for the particular server connection) while using the application. If
this parameter has the false (default) value, users can disable the application password using the
(Settings) screen of the application.
Other parameters associated with offline storage (such as "time to live") apply to the password as well.
Note
For information on the workflow of a particular action (such as disabling application password), use the
embedded Help provided in the application.
Mobile Security Guide
User Data Protection and Privacy Measures Implemented in SAP BusinessObjects
Mobile
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
23
www.sap.com/contactsap
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior
notice.
Some software products marketed by SAP AG and its distributors
contain proprietary software components of other software
vendors. National product specifications may vary.
These materials are provided by SAP AG and its affiliated
companies ("SAP Group") for informational purposes only, without
representation or warranty of any kind, and SAP Group shall not be
liable for errors or omissions with respect to the materials. The only
warranties for SAP Group products and services are those that are
set forth in the express warranty statements accompanying such
products and services, if any. Nothing herein should be construed as
constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks
of SAP AG in Germany and other countries.
Please see http://www.sap.com/corporate-en/legal/copyright/
index.epx for additional trademark information and notices.

advertisement

Key Features

  • User Management
  • Data Protection
  • Network and Communication Security
  • Application Server Security
  • DMZ and Firewall Support

Frequently Answers and Questions

What are the supported authentication types in SAP BusinessObjects Mobile?
SAP BusinessObjects Mobile supports authentication types like Enterprise, LDAP, Windows AD, and SAP. The administrator can choose the relevant authentication based on the existing infrastructure.
How is data protection implemented in SAP BusinessObjects Mobile?
Downloaded documents are encrypted using FIPS compliant AES algorithm, and user passwords are also encrypted using the same algorithm and stored with the iOS keychain. Offline storage of documents is disabled by default, but can be enabled with specific settings. Secure documents are automatically deleted from the device memory after user logout.
What is the purpose of a DMZ and firewall in the mobile system infrastructure?
A DMZ creates a secure zone for external services, separating them from the internal network. The SAP BusinessObjects Mobile server supports deployment in a DMZ environment, where the communication between the client and server is secured with HTTPS protocol.

Related manuals

Download PDF

advertisement