With a virtual enterprise of composite, web services-based applications, companies can provide real-time access to sensitive enterprise resources, information, and applications to a broad range of users to solve today’s specific needs. SAP addresses this evolution with SAP NetWeaver, an open integration and application platform. As SAP customers take advantage of the virtual enterprise’s benefits – for example, connecting employees, partners, and customers to business applications through SAP NetWeaver Portal – the need to remotely connect to business applications grows.
As a mix of services, technologies and products, Sun Network Services for SAP Solutions, based on the certified “Sun Java Identity Manager” powered by SAP NetWeaver, allow organizations to open up access to internal and external users and to reap the benefits of collaborative business while protecting mission-critical systems and data.
1. System Directory Server: Managing identities
Managing identities, while balancing legal, regulatory, privacy, and security concerns, is the foundation for securing information within a loosely coupled web services architecture – as well for SAP NetWeaver environments. Therefore, Sun Network Services for SAP Solutions offers as one element the Java System Directory Server. This component is SAP interface certified for the Directory Interface for User Management. It delivers a directory infrastructure for storing and using identity profiles, user credentials like public key certificates, passwords, and pin numbers, access privileges, application resource information, and network resource information. It centralizes this information, makes the data available to multiple applications, and has the ability to synchronize with other vendors’ directory services.
The directory service’s scalability reduces costs by decreasing the number of directory systems deployed. The Java System Directory Server is a widely deployed, general-purpose LDAP (Lightweight Directory Access Protocol)-based directory server with over 1.5 billion entries. However, not every application is able to synchronize to an LDAP repository. Sun Java Identity Management Suite is capable of handling multiple repositories in cases where a centralized repository is not appropiate.
2. System Identity Manager: Defining each user’s access
Another basic step for securing enterprise data is to streamline and simplify the process of provisioning and managing user identities across all varieties of computing infrastructures and application environments. The Java System Identity Manager helps to define exactly what access each user or group requires in order to automate the provisioning and managing processes. Once the procedures are defined for each job role, the workflow for approving these processes can be defined. For example, the finance director probably needs to approve all access to the finance systems. This can be accomplished via email or another messaging service with the response directed back into the workflow. If the finance director approves, the identity manager creates the user with the appropriate authorization and access rights to the systems as defined in the provisioning process for that user role.
The Java System Identity Manager automatically synchronizes identity data across a wide range of heterogeneous applications, databases, and other data stores. This helps ensure that identity data is accurate and consistent both within and outside the boundaries of the SAP NetWeaver environment. With a role based provisioning mechanism it centrally creates and manages users. Using a common identity infrastructure, administration that normally occurs across many applications by multiple administrators, including OS, database, and SAP, can be consolidated into a single management console.
3. System Access Manager: Controlling access
Only federated identity management solutions allow administrators to effectively enforce security policy across virtual IT environments. The Sun Java System Access Manager helps enterprises to manage secure access to web applications. By using a central point of authentication, role-based access control, and single sign-on, the solution provides a scalable security model for SAP NetWeaver. Java System Access Manager is integrated with the SAP NetWeaver Portal through a policy agent that is provided as a self-contained component. It enables application servers to enforce authentication and authorization defined in the application and the identity server. When a user tries to access content on the SAP NetWeaver Portal, the policy agent intercepts the request and directs it to Java System Access Manager, which then asks the user to present credentials such as a user name and password. If they match those stored in the central directory server, Java System Access Manager verifies that the user is who that person claims to be. Next, it evaluates the policies associated with the user’s identity. Then the Java System Access Manager determines where the user is allowed to view the requested information and finally, either grants or denies the user access to the information.
4. System Secure Remote Access: More internal control, less external intrusion
It is also important that mobile employees, telecommuters, business partners, suppliers, and customers are able to access a meta portal – for example SAP NetWeaver Portal and a varying number of SAP components residing on SAP NetWeaver – from anywhere outside the corporate network. The Sun Java System Secure Remote Access enables users to access their organization’s network, as well as applications, services, and file systems – irrespective of their type – in a secure manner over a public network, for example the Internet. The solution is Internet or extranet based, so it does not require client-software installation. This gives IT managers more control over external clients accessing internal systems, and therefore provides less opportunity for external intrusion via remote clients or viruses. Based on an Internet connection as opposed to a costly virtual private network or private dial-up line, the solution lowers remote access costs and minimizes investments, for example in dedicated modems or remote access appliances.
The Sun Java System Secure Remote Access delivers encrypted communications through Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and is supported on the Solaris Operating System, Linux, and Microsoft Windows. Users log on to the portal from any available browser, enter the web URL address, then their user identification which is handled over an encrypted SSL or TLS channel between the web browser and the Java System gateway. Authentication is then proxied by the gateway, which uses the Java System Access Manager to request and confirm authentication of users. For Personal Digital Certificate authentication, the gateway obtains the client certificate and passes it to the Java System Identity Server. Once authenticated, the user is presented with a personal role-based SAP portal.
Through the services Sun helps companies on their way to the virtual enterprise to design, implement, and manage optimal integration that meets the robust requirements of SAP environments.