
SAP Enterprise Portal

SAP EP ADMINISTRATION

SAP EP Basics

Installation and Post Installation

Content Administration

Administration Activities

Portal Security

© SAP AG 2002
Portal Security

Implementing Authorization Using Permissions, Security Zones, and UME Actions

• UME Architecture Components
• Administering Users with User Management Tool
• Configuring UME Datasource
• Configuring Portal Authentication
• Transferring Role Between Portal and SAP
• Implementing Single Sign-On to SAP

Authorization on the portal can be implemented using three techniques:

• Permissions model
• Security zone concept
• AuthRequirement property

• Administrator-level permissions: Design-time permissions that
control whether the administrator can create, change, or delete portal
content objects during design.
• End user–level permissions: Runtime permissions that control
whether the end user can display the object during runtime.
• Role assigner permissions: Applicable only to role objects; they
control whether the user or the role or group to which the user belongs
can assign roles to other users or groups, and vice versa. This
permission is usually assigned to security administrators.

User Management Engine (UME):

Following are some of the salient features of the UME:

• The ability to store user management data in multiple repositories such as
the portal database, the Advanced Business Application Programming (ABAP)
R/3 systems, or the Lightweight Directory Access Protocol (LDAP) directory.
Users who log in to the portal could be authenticated against any combination
of these systems.
• The ability to leverage an existing LDAP directory in an organization for user
credential information. The LDAP can be used to store user data for the portal
as well as synchronize the user data of the LDAP with the central user
administration, if this has already been set up for SAP R/3 systems.
• The ability to replicate user data to an external system such as SAP R/3
from the UME of the J2EE.
• A set of UME administration tools for maintaining users and groups,
changing passwords, unlocking users, and assigning users to groups.
• The ability to implement a self-registration functionality whereby external
users can register on the portal and be subjected to approval by user
administrators to become fully authenticated users on that portal.

Limitations When Using LDAP as a UME Data Store

• The user used to connect the UME to the LDAP must have appropriate
authorizations in the LDAP for read/write access.
• The distinguished names of the users and groups should not exceed 240
characters.
• The UME should not retrieve data from LDAP for Everyone, Authenticated Users,
and Anonymous Users. This can be resolved during the UME configuration by
configuring Unique Names of Blocked Groups.
• Similarly, you must configure the Unique Names of Blocked Users to prevent the
UME from accessing duplicate users from the LDAP directory.
• You can assign users and groups to the LDAP groups only if those users and
groups exist in the LDAP. However, you can assign LDAP users and groups to a
group in the portal database.
• You cannot search for locked users.
• If the LDAP uses a deep hierarchy, you cannot assign users or members to a
different group using the UME tool.
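
A pre-check for two of the limitations above, as an added example that is not part of the original slides or of SAP's tooling: it reads an LDIF export of the directory and lists DNs longer than 240 characters and entries named Everyone, Authenticated Users, or Anonymous Users. The sample LDIF, the DNs in it, and all function names are constructed for illustration.

```python
import base64
import re

MAX_DN_LEN = 240  # limit from the list above
# Names the list says the UME should not retrieve from LDAP
BLOCKED_NAMES = {"everyone", "authenticated users", "anonymous users"}

def read_dns(ldif_text):
    """Return every entry DN, unfolding continuation lines and decoding 'dn::' values."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF folding: continuation starts with one space
        else:
            lines.append(raw)
    dns = []
    for line in lines:
        if line.lower().startswith("dn::"):  # base64-encoded DN
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.lower().startswith("dn:"):
            dns.append(line[3:].strip())
    return dns

def first_rdn_value(dn):
    """Value of the leftmost RDN, e.g. 'Everyone' for 'cn=Everyone,ou=groups,...'."""
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]  # split on an unescaped comma
    return rdn.split("=", 1)[-1].strip()

def check_dns(dns):
    """Return (too_long, to_block) lists of DNs for an administrator to review."""
    too_long = [dn for dn in dns if len(dn) > MAX_DN_LEN]
    to_block = [dn for dn in dns if first_rdn_value(dn).lower() in BLOCKED_NAMES]
    return too_long, to_block

# Constructed sample data, not taken from a real directory
LONG_DN = "cn=deep," + ",".join(f"ou=level{i:02d}" for i in range(30)) + ",dc=example,dc=com"
SAMPLE_LDIF = "\n".join([
    "dn: cn=Everyone,ou=groups,dc=example,dc=com",
    "objectClass: groupOfNames",
    "",
    "dn: uid=jdoe,ou=people,",
    " dc=example,dc=com",  # folded continuation line
    "",
    "dn:: " + base64.b64encode(b"cn=Authenticated Users,ou=groups,dc=example,dc=com").decode(),
    "",
    "dn: " + LONG_DN,
])

if __name__ == "__main__":
    too_long, to_block = check_dns(read_dns(SAMPLE_LDIF))
    print("DNs over", MAX_DN_LEN, "characters:", too_long)
    print("Entries to cover with the blocked-group setting:", to_block)
```

Running it against an export taken before the UME is pointed at the directory shows which entries need renaming or blocking first.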

Implementing SSL on the J2EE Engine

Configuring the SSL on the J2EE Engine

Configuring the SSL on the J2EE engine consists of two main steps: generating
the key pair on each server of the J2EE engine and assigning the keys to a
specific SSL port.
Following are the detailed steps involved in enabling the SSL on the J2EE engine:

1. Download and deploy the SAP Java Cryptographic tool.
2. Download and install the Java Unlimited Strength Jurisdiction Policy Files.
3. Change the startup mode of the SSL provider and the key provider service.
4. Create the public and the private keys.
5. Create a certificate-signing request.
6. Submit the certificate to the Certification Authority (CA).
7. Import the certificate request response into the KeyStore.
8. Assign the key pair to the SSL port.
9. Maintain the list of trusted certificates.
10. Test the SSL connection.
