Best practices to secure the SAP adapter
This section provides best practices that you should follow to more completely protect sensitive data when you use or develop applications that consume the Microsoft BizTalk Adapter for mySAP Business Suite.
Security Best Practices for the Connection between the SAP Adapter and the SAP system
You must ensure an adequate level of security for data exchanged between the adapter and the SAP system. The SAP adapter supports SAP Secure Network Communications (SNC). Without SNC, RFC traffic between the adapter and the SAP system, including the logon credentials and the business data carried by RFCs and IDOCs, is not encrypted on the wire. You can enable SNC or provide an alternative mechanism (for example, network-level encryption between the two hosts) to help secure communication between the adapter and the SAP system.
Do not provide the user name and password for the SAP system in the connection URI: the URI is written to configuration files, bindings and trace output, so credentials placed there are easily exposed. See the following sections for alternative methods of providing credentials to the SAP adapter.
Ensure that only listeners that you want to receive SAP artifacts (RFCs, IDOCs, and tRFCs) from a SAP program ID have access to that program ID. This is because any listener that has access to a program ID can receive artifacts from that program ID.
Be aware that if multiple listeners are using a SAP program ID simultaneously, SAP will randomly choose a listener for each outgoing artifact (RFC, IDOC, or tRFC).
For more information, see Security between the SAP system and the adapter.
Security Best Practices for Consuming the SAP Adapter with BizTalk Server
Do not provide the user name and password for the SAP system in the connection URI.
When you use the Consume Adapter Service Add-in, enter the user name and password for the SAP system on the Security tab of the Configure Adapter dialog box.
When you configure the BizTalk WCF-Custom adapter for the SAP adapter on a send port, enter the user name and password for the SAP system on the Credentials tab of the Configure WCF Custom Transport dialog box.
When you configure the BizTalk WCF-Custom adapter for the SAP adapter on a receive location, enter the user name and password for the SAP system on the Other tab of the Configure WCF Custom Transport dialog box.
For more information, see Security with the SAP adapter and BizTalk Server.
Security Best Practices for Consuming the SAP Adapter with Programming Solutions
It is sometimes necessary to provide the user name and password for the SAP system in the connection URI; however, if possible, you should avoid doing this and use one of the following mechanisms instead.
When you use the Add Adapter Service Reference Visual Studio Plug-in, enter the user name and password for the SAP system on the Security tab of the Configure Adapter dialog box.
In WCF channel model programming, use the Credentials property on the channel factory to set the user name and password for the SAP system.
In WCF service model programming, use the ClientCredentials property on the WCF client (the generated proxy) to set the user name and password for the SAP system.
If an application that consumes the SAP adapter sends messages that contain sensitive database information across a process boundary to another service or client, ensure that these messages are protected in transit (for example, with WCF transport or message security) to a level that is adequate for your environment.
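The two programming patterns above, as an added example that is not code from the original page or from the adapter documentation. It keeps the connection URI free of credentials and supplies them through the WCF credential properties instead, reading them from environment variables so that nothing is hard-coded. The host name SAPHOST, system number 00, client 800, the environment-variable names, the RFC STFC_CONNECTION and the generated proxy class name RfcClient (with its method signature) are assumptions made for illustration; the proxy name and signature depend on what the Add Adapter Service Reference plug-in generated for you.

```csharp
// Added example, not code from the original page. Host, system number,
// client, environment-variable names, the RFC and the proxy class name are
// assumptions for illustration.
using System;
using System.IO;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Xml;
using Microsoft.Adapters.SAP;

static class SapCredentialSample
{
    // Connection URI without user name or password. Credentials are set on
    // the factory or the proxy below, never embedded in the URI.
    const string SapUri = "sap://Client=800;lang=EN;@a/SAPHOST/00";

    // Action and body for the standard connectivity-test RFC STFC_CONNECTION
    // (assumed RFC; substitute the operation you actually invoke).
    const string Action = "http://Microsoft.LobServices.Sap/2007/03/Rfc/STFC_CONNECTION";
    const string Body =
        "<STFC_CONNECTION xmlns=\"http://Microsoft.LobServices.Sap/2007/03/Rfc/\">" +
        "<REQUTEXT>ping</REQUTEXT></STFC_CONNECTION>";

    // Reads the SAP logon from the environment (assumed variable names), so
    // the password never appears in source, a URI or a config file.
    static void ReadCredentials(out string user, out string password)
    {
        user = Environment.GetEnvironmentVariable("SAP_USER");
        password = Environment.GetEnvironmentVariable("SAP_PASSWORD");
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            throw new InvalidOperationException("SAP_USER and SAP_PASSWORD must be set.");
    }

    // WCF channel model: the credential goes on the ChannelFactory.
    public static string CallViaChannelModel()
    {
        ReadCredentials(out string user, out string password);
        var factory = new ChannelFactory<IRequestChannel>(
            new SAPBinding(), new EndpointAddress(SapUri));
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        factory.Open();

        IRequestChannel channel = factory.CreateChannel();
        channel.Open();
        try
        {
            Message request = Message.CreateMessage(
                MessageVersion.Default, Action,
                XmlReader.Create(new StringReader(Body)));
            using (Message reply = channel.Request(request))
            {
                // Returns the RFC response body as XML.
                return reply.GetReaderAtBodyContents().ReadOuterXml();
            }
        }
        finally
        {
            channel.Close();
            factory.Close();
        }
    }

    // WCF service model: the same credential goes on the generated proxy's
    // ClientCredentials. RfcClient and the method signature are assumed.
    public static string CallViaServiceModel()
    {
        ReadCredentials(out string user, out string password);
        var client = new RfcClient(new SAPBinding(), new EndpointAddress(SapUri));
        client.ClientCredentials.UserName.UserName = user;
        client.ClientCredentials.UserName.Password = password;
        try
        {
            string echo, resp;
            client.STFC_CONNECTION("ping", out echo, out resp);
            client.Close();
            return resp;
        }
        catch
        {
            // A faulted proxy cannot be closed; abort it instead.
            client.Abort();
            throw;
        }
    }
}
```

Whichever model you use, the credential objects live only in memory for the life of the factory or proxy, which is what keeps the user name and password out of the connection URI that WCF tracing and configuration files would otherwise record.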
For more information, see Secure programming with the SAP adapter.
Security Best Practices for Hosting the SAP Adapter in IIS
Hosting the SAP adapter in Microsoft Internet Information Services (IIS) as a Web service exposes operations surfaced by the SAP adapter to Web clients. These operations might involve exchanging sensitive data over the Internet, so you should take measures to help ensure that this data is as secure as possible.
WCF provides two standard bindings for HTTP transport. The BasicHttpBinding provides basic HTTP transport and, in its default configuration (security mode None), applies no security mechanism at all, so requests and responses travel as clear-text HTTP. The WSHttpBinding supports both transport-level and message-level security mechanisms.
To help protect your data, either use the BasicHttpBinding with transport security over an HTTPS connection, or use the WSHttpBinding. The WCF LOB Adapter SDK includes the WCF LOB Adapter Service Development Wizard to generate a WCF service for LOB artifacts. This wizard only supports BasicHttpBinding, so if you use the generated service you must change its binding configuration to require HTTPS before exposing it.
You can also develop a custom HTTP binding to leverage additional security mechanisms that your environment provides. For more information about the security features that WCF provides, see Securing Services and Clients.
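The binding choice described above, as an added configuration example that is not from the original page or from the wizard's output. It shows the BasicHttpBinding default next to a hardened BasicHttpBinding that requires HTTPS, and a WSHttpBinding endpoint with message-level security. The service name SapAdapterService, the contract name Rfc and the endpoint addresses are assumptions; the wizard-generated names in your web.config will differ, and the HTTPS binding only works when the IIS site has an HTTPS binding with a valid certificate.

```xml
<!-- Added example, not configuration from the original page. Service name,
     contract name and addresses are assumptions for illustration. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- Weak: mode "None" is the BasicHttpBinding default. Operations and
             SAP data cross the network as clear-text HTTP. -->
        <binding name="SapClearText">
          <security mode="None" />
        </binding>
        <!-- Hardened: transport security requires an HTTPS endpoint and
             authenticates callers with their Windows identity. -->
        <binding name="SapHttps">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
      <wsHttpBinding>
        <!-- Message-level security: the SOAP body is signed and encrypted
             end to end, independent of the HTTP transport. -->
        <binding name="SapWsMessage">
          <security mode="Message">
            <message clientCredentialType="Windows"
                     negotiateServiceCredential="true" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="SapAdapterService"
               behaviorConfiguration="SapServiceBehavior">
        <!-- Only the two secured endpoints are exposed; SapClearText is
             defined above for comparison and deliberately not used. -->
        <endpoint address="" binding="basicHttpBinding"
                  bindingConfiguration="SapHttps" contract="Rfc" />
        <endpoint address="ws" binding="wsHttpBinding"
                  bindingConfiguration="SapWsMessage" contract="Rfc" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="SapServiceBehavior">
          <!-- Publish metadata over HTTPS only. -->
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
          <!-- Do not return stack traces and SAP error details to callers. -->
          <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

With this configuration a client that tries to reach the service over plain HTTP is rejected by the transport-security requirement rather than silently served in clear text, and the serviceDebug setting keeps SAP-side error details, which often include table and field names, out of SOAP faults sent to Web clients.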
Security Best Practices for WCF Diagnostic Tracing and Message Logging
WCF supports diagnostic tracing and message logging. You configure diagnostic tracing and message logging either through configuration files or by using Windows Management Instrumentation (WMI). Depending on the configuration options you set, WCF diagnostic tracing or message logging can emit sensitive information to log files, where it could potentially be exposed to observation by unauthorized users.
Follow the recommendations provided in the WCF documentation to mitigate potential security threats exposed by enabling these features. At a minimum, you should observe the following best practices for diagnostic tracing and message logging:
Do not enable "verbose" or "information" tracing in a production environment: these levels record far more detail about each call, which degrades performance and increases the amount of sensitive data written to disk. However, you must enable "warning" and "error" tracing in a production environment so that failures are recorded. If you enable tracing at any level, you must take proper security measures to protect the trace output. See the WCF documentation for more information.
Ensure that log files and configuration files are protected by access control lists (ACLs).
The following warnings apply specifically to the messages that are exchanged between a client application and the SAP adapter:
WCF diagnostic tracing can log the header (but not the body) of messages exchanged with the SAP adapter. Because the message action is in the message header, this reveals the operations invoked on the SAP adapter by the client.
If WCF message logging is enabled and logMessagesAtServiceLevel is true, the message header (but not the message body) of messages exchanged between the adapter client and the SAP adapter is logged. Because the message action is in the message header, this reveals the operations that the client invoked on the SAP adapter. If logEntireMessage is also true, the message body is logged as well. This can reveal sensitive database information.
For more information about improving security when you enable diagnostic tracing, see Security Concerns and Useful Tips for Tracing. For more information about improving security when you enable message logging, see Security Concerns for Message Logging.