Security overview
Introduction
Neptune Designer runs inside SAP NetWeaver systems and uses the Internet Communication Framework (ICF) to handle the server-client communication. Therefore, securing a Neptune Application works the same way as securing any other NetWeaver solution based on ICF.
A great number of solutions provide increased security on top of NetWeaver and can be used together with Neptune Applications, such as the SAP Mobile Platform (both on-premise and cloud edition) and Mocana MAP.
Communication
It is of paramount importance that any communication between an external network and the SAP backend systems is encrypted. SSL (HTTPS) should be used to ensure the integrity of data. For more information, see Transport Layer Security.
There are several options for further protecting the backend data. The most common scenarios are described below:
Network zones
It is recommended to protect your system landscape through zone security. This protects your sensitive data by only allowing access through the DMZ (demilitarised zone), while firewalls protect your backend systems from undesired access.
Read more at Using Multiple Network Zones
Reverse Proxy
A reverse proxy protects you with an additional security layer and can mask your backend servers from external clients.
Reverse Invoke
Reverse invoke ensures that external connections cannot get through the firewall. All communication must be opened from the internal network.
Related information at SAP NetWeaver 7.3 EHP1
VPN
To gain external access to the internal network, a VPN (virtual private network) solution can also be used to provide encryption and tunnelling security.
User Access
To access functions and data in a backend NetWeaver system, the user needs to be authenticated.
How this is done depends on the individual customer setup. Authentication against the SAP NetWeaver ABAP stack is handled by SAP standard functionality in the ICF and is not managed by Neptune.
SAP Logon Tickets
The most common way to log on to SAP systems from web clients is with SSO2 tickets. The user needs to provide a username and password to access the initial SAP system node and will receive a MYSAPSSO2 cookie that can give access to multiple SAP systems.
Related information at SAP NetWeaver 7.0 EHP2
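Because the MYSAPSSO2 cookie can open several systems, how it is issued matters as much as the HTTPS requirement in the Communication section. The following is an added example, not Neptune or SAP code, that audits the Set-Cookie headers of a logon response; the sample headers are constructed, and the choice of checks (HTTPS, Secure, HttpOnly) is an assumption about what a reviewer would verify.

```python
# Added example, not Neptune or SAP code: audit how the logon ticket cookie is issued.
from http.cookies import CookieError, SimpleCookie

TICKET_COOKIE = "MYSAPSSO2"  # cookie name as given on this page


def audit_ticket_cookie(set_cookie_headers, scheme):
    """Check the Set-Cookie headers of one response for the logon ticket.

    Returns None if the response sets no ticket cookie, otherwise a list
    of findings (an empty list means none of the checks failed).
    """
    findings = None
    for raw in set_cookie_headers:
        jar = SimpleCookie()
        try:
            jar.load(raw)
        except CookieError:
            continue  # unparsable header, nothing to audit
        morsel = jar.get(TICKET_COOKIE)
        if morsel is None:
            continue
        findings = [] if findings is None else findings
        # The ticket is a bearer credential: it must never cross plain HTTP.
        if scheme.lower() != "https":
            findings.append("ticket issued over unencrypted HTTP")
        # Secure keeps the browser from sending it on later http:// requests.
        if not morsel["secure"]:
            findings.append("missing Secure attribute")
        # HttpOnly keeps page scripts from reading it.
        if not morsel["httponly"]:
            findings.append("missing HttpOnly attribute")
    return findings


# Constructed sample headers (ticket value and domain are placeholders).
HARDENED = [
    "other=1; path=/",
    "MYSAPSSO2=CONSTRUCTED_TICKET; path=/; domain=.corp.example; secure; HttpOnly",
]
WEAK = ["MYSAPSSO2=CONSTRUCTED_TICKET; path=/; domain=.corp.example"]

if __name__ == "__main__":
    print(audit_ticket_cookie(HARDENED, "https"))
    print(audit_ticket_cookie(WEAK, "http"))
```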
SAML 2.0
SAML 2.0 is a single sign-on solution that requires an identity provider that manages the identity information for the service providers.
Related information at SAML 2.0
Client Certificates
Using X.509 client certificates is another option for user authentication. This solution authenticates the application, and no username or password is required.
Related information at SAP NetWeaver 7.0 EHP2