SAP Manufacturing Execution 15.1 Security Guide
Document version: 1.0 – 2015-10-26
CUSTOMER
Document History
Caution
Before you start the SAP Manufacturing Execution (SAP ME) 15.1 implementation, make sure you have the latest version of this document. You can find the latest version at the following location: service.sap.com/securityguide → SAP Business Suite Applications → SAP Manufacturing.
The following table provides an overview of the most important document changes.
Table 1: Document History
Version   Date         Description
1.0       2015-10-26   First version
© Copyright 2015 SAP SE or an SAP affiliate company. All rights reserved.
Content
1 Introduction
2 Before You Start
3 Technical System Landscape
4 User Administration and Authentication
4.1 User Management
4.2 User Data Synchronization
4.3 Integration Into Single Sign-On Environments
5 Authorizations
6 Network and Communication Security
6.1 Communication Channel Security
6.2 Communication Destinations
7 Data Storage Security
8 Security for Additional Applications
9 Other Security-Relevant Information
10 Security Logging and Tracing
11 Configuring Web Service Security
1 Introduction
Caution
This guide does not replace the daily operations handbook, which we recommend customers create for their specific productive operations.
Target Audience
● Technology consultants
● System administrators
This document is not included as part of the installation guides, configuration guides, technical operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the security guides provide information that is relevant for all life cycle phases.
Why Security Is Necessary
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security apply to SAP ME. To assist you in securing SAP ME, we provide this Security Guide.
About This Document
The Security Guide provides an overview of the security-relevant information that applies to SAP ME.
Overview of the Main Sections
The Security Guide comprises the following main sections:
● Before You Start
  This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.
● Technical System Landscape
  This section provides an overview of the technical components and communication paths that are used by SAP ME.
● User Administration and Authentication
  This section provides an overview of the following user administration and authentication aspects:
  ○ Recommended tools for user management
  ○ User types that are required by SAP ME
  ○ Standard users that are delivered with SAP ME
● Authorizations
  This section provides an overview of the authorization concept that applies to SAP ME.
● Network and Communication Security
  This section provides an overview of the communication paths used by SAP ME and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.
● Data Storage Security
  This section provides an overview of any critical data that is used by SAP ME and the security mechanisms that apply.
● Security for Third-Party or Additional Applications
  This section provides security information that applies to third-party or additional applications that are used with SAP ME.
● Other Security-Relevant Information
  This section contains information about the following:
  ○ JavaScript
  ○ Java Web Start
  ○ ActiveX
● Trace and Log Files
  This section provides an overview of the trace and log files that contain security-relevant information.
2 Before You Start
Fundamental Security Guides
SAP ME is a J2EE application that runs on SAP NetWeaver AS Java. Therefore, the corresponding SAP NetWeaver Security Guide applies to SAP ME. The SAPMEINT component runs on SAP Manufacturing Integration and Intelligence (SAP MII). Therefore, the corresponding SAP MII Security Guide applies to the SAPMEINT component. If you are using SAP ME with the SAP HANA database, the SAP HANA Security Guide applies.
Table 2: Fundamental Security Guides
Title: SAP NetWeaver 7.5 Security Guide
Location: help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.5 → Security Information → Security Guide
Title: SAP MII 15.1 Security Guide
Location: service.sap.com/securityguide → SAP Business Suite Applications → SAP Manufacturing → SAP MII 15.1 Security Guide
Title: SAP HANA Security Guide
Location: help.sap.com/hana
For a complete list of the available SAP Security Guides, see service.sap.com/securityguide on the SAP Service Marketplace.
Important SAP Notes
The SAP Notes that apply to SAP ME are in the following table:
Table 3: SAP Notes
SAP Note Number   Title
1363812           SAP ME key field character restrictions
1573547           Service user authorization roles in SAP ME Integration
1590008           Java output encoding
2159438           Changes in JMS Authorization Mechanism
Additional Information
For more information about specific topics, see the quick links as shown in the following table:
Table 4: Quick Links to Additional Information
Content                    Quick Link on the SAP Service Marketplace
Security                   /security
Security Guides            /securityguide
Related SAP Notes          /notes/securitynotes
Released Platforms         /pam
Network Security           /network
Technical Infrastructure   /ti
SAP Solution Manager       /solutionmanager
SAP NetWeaver              /netweaver
3 Technical System Landscape
See the Software Units of SAP Manufacturing Execution and System Landscape sections of the SAP ME 15.1 Master Guide at service.sap.com/instguides → SAP Business Suite Applications → SAP Manufacturing → SAP Manufacturing Execution 15.1.
4 User Administration and Authentication
While SAP ME uses the administration and authentication mechanisms provided with the SAP NetWeaver platform to manage SAP ME users, administration is done in both SAP NetWeaver and SAP ME 15.1. In SAP NetWeaver, you administer security-related information. In SAP ME User Maintenance and User Group Maintenance, you administer shop floor related information. For more information about administration of users in SAP NetWeaver, see the SAP NetWeaver 7.5 Security Guide on the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver → SAP NetWeaver 7.5 Security Guides → SAP NetWeaver 7.5 Security Guide.
In addition to these guidelines, below we include information about user management that specifically applies to SAP ME.
4.1 User Management
User management for SAP ME uses both the mechanisms provided with the SAP NetWeaver Application Server and SAP ME activities. For an overview of how these mechanisms apply for SAP ME, see the sections below. In addition, we provide a list of the standard users required for operating the SAP ME application.
User Administration Tools
The following table shows the tools for user management and user administration with SAP ME.
Table 5: User Management Tools
Tool: User Management Engine with SAP NetWeaver AS Java
Detailed Description: For more information, see User Management Engine in the SAP Library.
Tool: User Maintenance and User Group Maintenance in SAP ME 15.1
Detailed Description: For more information, see help.sap.com → Product Lifecycle Mgmt → SAP Manufacturing → SAP Manufacturing Execution 15.1 → System Configuration.
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run. The user types required for SAP ME 15.1 include:
● Individual users:
  ○ General SAP ME users
● Technical users:
  ○ Communication users are used for SITE_TO_SITE functionality
  ○ Communication user MESYS is used for SAP ME and SAP MII integration
  ○ Communication user ADSuser is used for printing documents in SAP ME through the SAP NetWeaver Adobe Document Server (ADS)
Standard Users
The table below shows the standard users that are necessary for operating SAP ME 15.1:
Table 6: Standard Users
System: SAP ME
User ID: SITE_ADMIN
Type: SAP ME general users
Password: You specify the initial password in SAP NetWeaver Administrator during installation/configuration of SAP ME 15.1.
Description: The initial user for SAP ME 15.1 with access to all activities. During the configuration of SAP ME, the SAPMECTC CTC wizard automatically creates the SITE_ADMIN user with the provided password in SAP NetWeaver. In SAP ME NetWeaver, CTC automatically assigns the SITE_ADMIN user to the SAP_ME_USER, SAP_ME_INTEGRATOR, and SAP_ME_ADMINISTRATOR roles.
System: SAP ME, SAP MII
User ID: MESYS
Type: Communication users
Password: You specify the initial password when running the SAPMEINT CTC configuration wizard (SAPMEINTCTC).
Description: Used for system-to-system communication between SAPMEINT and SAP ME 15.1 Core. During the configuration of SAPMEINT, the SAPMEINTCTC CTC wizard automatically creates the MESYS user with the provided password in SAP NetWeaver on the SAP MII and SAP ME instances. On SAP ME NetWeaver, CTC automatically assigns the MESYS user to the SAP_ME_USER, SAP_ME_INTEGRATOR, and ROLE_SAPMEINT roles. In SAP ME, this user has the SYSTEM group and no permissions to run any activity. For more information about authorization roles, see SAP Note 1573547.
System: SAP ME
User ID: ADSuser
Type: Communication users
Password: You specify the initial password in SAP NetWeaver Administrator during creation of the user.
Description: If you plan to print your documentation through ADS, you have to create the ADSuser user in SAP NetWeaver UME. For information about configuration of the SAP NetWeaver Adobe Document Server (ADS), see the Creating a User for Authentication to ADS in a Java Environment section at service.sap.com/instguidesnw → SAP NetWeaver 7.5 → SAP NetWeaver Library → Functional View → SAP NetWeaver by Functional Areas → SAP Services for Form Processing → Adobe Document Services → Configuring Adobe Document Services for Form Processing (Java).
Recommendation
For users automatically created during installation/configuration, create additional users with new user IDs and passwords.
Creating SAP ME General Users
To create additional users for SAP ME, do the following:
1. Create a user in the SAP NetWeaver Identity Manager tool and assign the necessary UME security roles to this user. For more information about SAP NetWeaver UME security roles for SAP ME, see the SAP NetWeaver UME Security Roles and Actions section of this guide.
2. Log on to your SAP ME site as SITE_ADMIN. For more information about SAP ME logon, see the SAP ME 15.1 Installation Guide at service.sap.com/instguides → SAP Business Suite Applications → SAP Manufacturing → SAP Manufacturing Execution 15.1.
3. On the initial User Maintenance screen, retrieve a user ID for a user created in SAP NetWeaver UME.
4. On the Main tab page of User Maintenance, add details about the user, if needed.
5. On the User Groups tab page, add the user to one or more user groups. For more information about SAP ME user groups, see the SAP ME Standard User Groups section of this guide.
4.2 User Data Synchronization
SAP NetWeaver UME needs to contain entries for all users. These entries contain security and person-related information and are site-independent. SAP ME contains shop-floor information for all SAP ME users. The following table provides the correlation between UME and ME user statuses:
Table 7: UME and ME User Statuses
UME User Status                ME User Status
Active Account                 Active: Allows a user to log on to the SAP ME system with this user ID
Locked Account                 Inactive: This user is temporarily inactive in SAP ME
User has been deleted in UME   Terminated: As you cannot physically delete users in SAP ME (to ensure data integrity), this status is used to indicate that the user has been deleted in UME.
For information about synchronization of SAP NetWeaver UME with LDAP, see the User Management Engine Installation guide in the SAP Library.
4.3 Integration Into Single Sign-On Environments
SAP ME 15.1 supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server Security Guide also apply to SAP ME 15.1. The most widely-used supported mechanisms are listed below.
● Secure Network Communications (SNC)
  SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.
● SAP logon tickets
  SAP ME 15.0 supports the use of logon tickets for SSO when using a Web browser as the frontend client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.
  Recommendation
  If you use the POD on a shared terminal, turn off the SAP Logon Tickets feature, since SAP ME is configured out-of-the-box with SAP Logon Tickets. To do that, the login module stack for SAP ME should only include BasicPasswordLoginModule in SAP NetWeaver User Authentication and Single Sign-On. The value for the HTTP session timeout of PODs is configured in POD Maintenance of SAP ME.
● Client certificates
  As an alternative to user authentication using a user ID and password, users using a Web browser as a frontend client can also provide X.509 client certificates for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer protocol (SSL) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.
For more information about the available authentication mechanisms, see User Authentication and Single Sign-On at help.sap.com/nw75 → SAP NetWeaver 7.5 Library → SAP NetWeaver Library: Function-Oriented View → Solution Life Cycle Management → Security and User Administration → Administration for User Authentication and Single Sign-On (SSO).
5 Authorizations
While SAP ME uses the authorization concept provided by the SAP NetWeaver AS Java, authorization is done in both SAP NetWeaver and SAP ME activities. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Java Security Guide also apply to SAP ME. SAP ME activities used for user authorization are described in the following section of this guide. The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the User Management Engine's user administration console on the AS Java.
Note
For more information about how to create roles, see Role Maintenance in the SAP Library, and help.sap.com/nw75 → SAP NetWeaver 7.5 Library → SAP NetWeaver Composition Environment Administrator's Guide → Administering Composition Environment → Administration of Users and Roles.
Standard Roles
SAP NetWeaver UME Security Roles and Actions
During deployment of SAP ME, the following SAP NetWeaver UME security roles are created to identify users who will use the system:
Table 8: SAP NetWeaver UME Security Roles
SAP NetWeaver UME Security Role Name: SAP NetWeaver UME Security Role Description
SAP_ME_ADMINISTRATOR: Identifies SAP NetWeaver users that are granted access to the admin, integration and solution verification interfaces
SAP_ME_USER: Identifies users that are allowed to log on to the SAP ME application through the Web interface
SAP_ME_INTEGRATOR: Identifies users that are allowed to use the Web service, production, site-to-site and data exchange interfaces
SAP_ME_READONLY: Supports SAP ME audit functionality. Users with this role can read all data but are not allowed to add or edit records.
ROLE_SAPMEINT: Users with this role can see the SAP ME ERP Integration menu on the navigation pane in SAP MII. The users assigned to this role also have access to the SAPMEINT and SAP ME WIP data servers in SAP MII.
You assign these four roles to your SAP ME users to grant them the corresponding rights and the ability to work with the services they require.
Note
As of SAP ME 15.1, the SAP_ME_USER role includes the Java Message Service (JMS) actions needed to execute SAP ME transactions that use JMS. For more information, see SAP Note 2159438.
Caution
All the roles described in the previous table need to be manually modified before their assignment to users to eliminate the risk of losing associations. We recommend that you assign the Manage_My_Password action to all these roles. If SAP ME is undeployed, roles that have not been modified will be deleted and associations between roles and users will be lost. For more information about assigning roles, see Assigning Principals to Roles or Groups at help.sap.com/nw75 → SAP NetWeaver 7.5 → SAP NetWeaver 7.5 Library → SAP NetWeaver Composition Environment Administrator's Guide → Administering Composition Environment → Administration of Users and Roles.
You assign UME security role actions to UME security roles to grant additional rights to your SAP ME users.
Execution of Custom User Scripts
SAP ME 15.1 provides an approach to allow or deny creation and execution of custom user scripts on the application back-end.
Caution
Scripting functionality is a powerful tool that allows access to generic functions and system resources; thus, authorization must be given to appropriate personnel only. Execution of scripts can potentially harm the system if used by unauthorized personnel. As an additional measure, ensure that logging of script creation/execution is appropriately configured. For more information, see the Security Logging and Tracing section of this guide.
The following security role actions are available for that purpose:
Table 9: SAP NetWeaver UME Security Role Actions
SAP NetWeaver UME Security Role Action: SAP NetWeaver UME Security Role Action Description
ME.Service.ManageScript: Allows an SAP ME user to create and save routings and data collection values with custom scripts and formulas
ME.Service.ExecuteScript: Allows an SAP ME user to execute custom routing scripts or formulas in Data Collection parameters
You have to assign the actions described above to all UME security roles and users that need to create or execute routing scripts or data collection parameters with defined formulas. Proceed as follows:
1. Log on to SAP NetWeaver Administrator using the following URL: http://<host>:<port>/nwa.
2. Choose Configuration → Security → Identity Management → Search Criteria: Role and search for SAP_ME_USER.
3. Choose Modify.
4. On the Assigned Actions tab page, search for ME.Service.ManageScript and/or ME.Service.ExecuteScript in the Available Actions list, and add them to Assigned Actions.
5. Save your entries.
For more information about assigning actions, see Assigning Principals to Roles or Groups at help.sap.com/nw75 → SAP NetWeaver 7.5 → SAP NetWeaver 7.5 Library → SAP NetWeaver Composition Environment Administrator's Guide → Administering Composition Environment → Administration of Users and Roles.
Authorizations in SAP ME
Site Authorization
During installation of SAP ME, a master site called the global site is created. The name of the global site is indicated by an asterisk (*). Some default values, such as system rules, can be set at the global site level, then inherited at the site level, and changed at the site level, if required. Within the system, each site operates independently and maintains its own elements, such as materials, bills of material, and routings. In SAP ME, production data is segregated according to the site. The set of activities a user has access to depends on the site the user logged on to. You can grant a user access to a site by assigning the user to a user group in User Maintenance in SAP ME. On the Permissions tab page of User Group Maintenance, you select the activities you want users in each group to be able to access. You can modify the default permissions for each SAP ME standard user group to meet your specific requirements. You assign a user in specific groups to a specific site in User Maintenance in SAP ME.
When users log on to an SAP ME site for the first time, they are automatically logged on to their default site. To assign a default site to a user in UME, first you need to create the Default Site field in SAP NetWeaver. To do this, proceed as follows:
1. In Identity Management, choose the Configuration button.
2. On the Configuration screen, choose the User Administrator UI tab and choose the Modify Configuration button.
3. In the Administrator-Management Custom Attributes field, enter the following data: SAPME:DEFAULT SITE.
4. Save your entries.
After you have created the Default Site field, you can assign a default site to a user as follows:
1. Log on to SAP NetWeaver as administrator user.
2. Navigate to Identity Management and select the user that you want to assign a default site to.
3. Choose the Modify button and, on the Customized Information tab page, enter the name of the site in the Default Site field. Note that you have to assign the user to this site prior to assigning this site as the default for this user.
4. Save your entries.
5. Repeat these steps for each user.
Note
If you create the Default Site field in SAP NetWeaver UME but do not define a default site for the user in UME User Configuration, on the first logon the user will be redirected to the site that comes first alphabetically in the list of sites where this user is defined.
Once users have logged on to the SAP ME application at their default site, they can switch between the SAP ME sites assigned to them in UME using the Site Selection functionality. By clicking the Site link, users can view the list of their sites and choose the destination site on the Site Selection screen. The Site link is located on the menu bar at the top right of the screen, near the Logout, About and Help links. Once a user selects a specific site on the Site Selection screen, the current HTTP session of the user is invalidated and a new session is established for the selected site. User logon to the new session is completed by means of SAP logon tickets. You can find more information about SAP logon tickets under User Authentication and Single Sign-On [external document] in the SAP Library. For more information about Site Selection, see help.sap.com → Product Lifecycle Mgmt → SAP Manufacturing → SAP Manufacturing Execution 15.1 → System Configuration.
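The rules described in sections 4.2 and 5 (the UME-to-ME user status correlation of Table 7, the SAP_ME_USER role needed for Web logon, the default-site fallback from the Note above, and the ME.Service script actions of Table 9) as one added example; this is not SAP code. The UmeUser record layout, the Z_ME_SCRIPT_ENGINEER role, the role-to-action map and all user and site names are constructed assumptions.

```python
"""Model of the SAP ME logon, site and script-permission rules in this guide.

Added example, not SAP code. It encodes the documented rules on constructed
sample data: the UME-to-ME status mapping (Table 7), the SAP_ME_USER role
needed for Web logon (Table 8), the default-site fallback described in the
Note on the Default Site field, and the ME.Service.* script actions (Table 9).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Table 7: correlation between UME account status and SAP ME user status.
UME_TO_ME_STATUS = {
    "active": "Active",       # may log on to SAP ME
    "locked": "Inactive",     # temporarily inactive in SAP ME
    "deleted": "Terminated",  # SAP ME never physically deletes users
}

# Table 9: the two UME security role actions that govern custom scripts.
SCRIPT_ACTIONS = {"ME.Service.ManageScript", "ME.Service.ExecuteScript"}


@dataclass
class UmeUser:
    """Constructed view of a UME user record (field names are assumptions)."""
    user_id: str
    ume_status: str                                 # "active", "locked" or "deleted"
    roles: Set[str] = field(default_factory=set)    # UME security roles
    sites: Set[str] = field(default_factory=set)    # SAP ME sites assigned in UME
    default_site: Optional[str] = None              # SAPME:DEFAULT SITE attribute


def me_status(user: UmeUser) -> str:
    """Map the UME account status to the SAP ME user status (Table 7)."""
    if user.ume_status not in UME_TO_ME_STATUS:
        raise ValueError(f"unknown UME status {user.ume_status!r}")
    return UME_TO_ME_STATUS[user.ume_status]


def can_log_on(user: UmeUser) -> bool:
    """Web logon requires an Active account and the SAP_ME_USER role."""
    return me_status(user) == "Active" and "SAP_ME_USER" in user.roles


def landing_site(user: UmeUser) -> Optional[str]:
    """Site the user lands on at first logon.

    The Default Site attribute is honoured only if the user is also assigned
    to that site; otherwise the alphabetically first assigned site is used,
    and a user with no assigned sites cannot be placed anywhere.
    """
    if not user.sites:
        return None
    if user.default_site in user.sites:
        return user.default_site
    return min(user.sites)


def script_permissions(user: UmeUser, role_actions: Dict[str, Set[str]]) -> Set[str]:
    """Script actions the user effectively holds through any of their roles.

    role_actions is the role-to-action assignment an administrator maintains
    in NWA Identity Management (constructed here, see sample_role_actions).
    """
    granted: Set[str] = set()
    for role in user.roles:
        granted |= role_actions.get(role, set()) & SCRIPT_ACTIONS
    return granted


def sample_role_actions() -> Dict[str, Set[str]]:
    """Constructed assignment: only a dedicated engineer role may run scripts."""
    return {
        "SAP_ME_USER": {"Manage_My_Password"},
        "SAP_ME_INTEGRATOR": {"Manage_My_Password"},
        "Z_ME_SCRIPT_ENGINEER": {"ME.Service.ManageScript",
                                 "ME.Service.ExecuteScript"},
    }


if __name__ == "__main__":
    actions = sample_role_actions()
    users = [  # constructed users; no default site, default site, no SAP_ME_USER, deleted
        UmeUser("OPER01", "active", {"SAP_ME_USER"}, {"PLANT2", "PLANT1"}),
        UmeUser("ENG01", "active", {"SAP_ME_USER", "Z_ME_SCRIPT_ENGINEER"},
                {"PLANT1", "PLANT2"}, default_site="PLANT2"),
        UmeUser("INT01", "active", {"SAP_ME_INTEGRATOR"}, {"PLANT1"}),
        UmeUser("OLD01", "deleted", {"SAP_ME_USER"}, {"PLANT1"}),
    ]
    for u in users:
        print(u.user_id, me_status(u), can_log_on(u), landing_site(u),
              sorted(script_permissions(u, actions)))
```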
SAP ME Standard User Groups
You can use SAP ME User Group Maintenance to assign authorizations to users in user groups. For more information about creating user groups, see help.sap.com → Product Lifecycle Mgmt → SAP Manufacturing → SAP Manufacturing Execution 15.1 → System Configuration.
The following table shows the standard user groups that are used by SAP ME:
Table 10: SAP ME Standard User Groups
User Group       Description
Administrators   User with permissions to all activities in SAP ME at the administrative level
Engineers        User with permissions to activities in SAP ME applicable to production engineers
Managers         User with permissions to activities in SAP ME applicable to production managers
Operators        User with permissions to activities in SAP ME applicable to production operators
Supervisors      User with permissions to activities in SAP ME applicable to production supervisors
Authorizations in SAP ERP for SAP ME ERP Integration (SAPMEINT)
If SAP ME is integrated with SAP ERP, SAP ME depends on SAP ERP for several master and transactional data objects: material master, bill of material, routing, production order, planned order, and quality inspection. SAP ERP users who work on these objects must have appropriate authorization in SAP ERP to create, modify, and export these objects. Ensure that all required authorizations are provided to the SAP ERP users. For more information, see the following SAP ERP help topics:
● Production Planning (PP): help.sap.com/erp606 → Application Help → SAP Library → SAP ERP Cross-Application Functions → SAP ERP Security Guides → SAP ERP Central Component Security Guide → Logistics → Manufacturing → Authorizations
● Materials Management (MM): help.sap.com/erp606 → Application Help → SAP Library → SAP ERP Cross-Application Functions → SAP ERP Security Guides → SAP ERP Central Component Security Guide → Logistics → Materials Management (MM) → Purchasing and External Service Procurement (MM-PUR, MM-SRV) → Inventory Management (MM-IM): Authorizations
● Quality Management (QM): help.sap.com/erp606 → Application Help → SAP Library → SAP ERP Cross-Application Functions → SAP ERP Security Guides → SAP ERP Central Component Security Guide → Logistics → Quality Management (QM) → Authorizations (QM)
For DRF communication, the DRF_ADM and DRF_RECEIV authorization objects are required. For more information, see help.sap.com/mdg61 → Application Help → SAP Library → Master Data Governance → Working with Master Data Governance → General Functions → Data Replication.
See also SAP Note 1573547 for the authorization required for the technical user that is used to send information from SAP ME to SAP ERP.
Authorizations to View SAP MII SPC Charts from SAP ME
To view SAP MII SPC charts from SAP ME, configure one of your user's roles as follows:
● Add the role to Visiprise/SPC/DefaultChartTemplate using the SAP MII Workbench.
● Add the role to Visiprise/SPC/DefaultQueryTemplate using the SAP MII Workbench.
● Add the XMII_USER action to the role using SAP NetWeaver Administrator.
● Assign the role to the XMLConnector server in the SAP MII database table XMII_SERVERPRMMAP.
6 Network and Communication Security
Your network infrastructure is very important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN, they cannot exploit well-known bugs and security holes in network services on the server machines. The network topology for SAP ME is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to SAP ME.
Recommendation
We highly recommend that you install SAP ME behind a corporate firewall.
The following table shows the additional default ports used by SAP ME:
Table 11
Port    Description
1521    Used by Oracle SQL*Net Listener; this port is applicable if you are using Oracle for your SAP ME databases
1433    Used by Microsoft SQL Server to listen for requests; this port is applicable if you are using MS SQL Server for your SAP ME databases
30015   Used by SAP HANA; this port is applicable if you are using SAP HANA for your SAP ME databases
1099    Used for RMI communication when the SAP ME SPC server is Statit
7994    Used for HTTP communication when the SAP ME SPC server is Statit
8082    Used for HTTP communication when the SAP ME SPC server is Statit
For a complete list, see the technical documentation provided by the database vendor.
Login Module Stack
SAP ME is shipped out of the box with the following login module stack configuration:
Table 12
Login Module Name            Login Module Flag   Login Module Description
EvaluateTicketLoginModule    SUFFICIENT          Authenticates users by SAP logon ticket
BasicPasswordLoginModule     REQUISITE           Authenticates users by user ID and password
CreateTicketLoginModule      OPTIONAL            Creates an SAP logon ticket after successful authentication
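The flags in Table 12 are JAAS control flags, and the order in which the three modules are consulted, and when evaluation stops, follows the JAAS rules. The following added example (my own Python, not SAP code) implements those rules and walks the SAP ME default stack through typical logon situations; it also handles the REQUIRED flag, which the default stack does not use, so that the general rule is visible. Module outcomes are booleans supplied by the caller; nothing here validates a real logon ticket or password.

```python
"""Simulate a JAAS-style login module stack (added example, not SAP code).

The control flags in SAP ME's default stack (SUFFICIENT, REQUISITE, OPTIONAL)
are JAAS control flags. This simulation implements the JAAS rules, including
REQUIRED, which the SAP ME default stack does not use. Module outcomes are
supplied as booleans by the caller; nothing here checks a real ticket or
password.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LoginModule:
    name: str
    flag: str  # REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL


# The SAP ME default stack exactly as listed in Table 12 of the guide.
SAP_ME_STACK: List[LoginModule] = [
    LoginModule("EvaluateTicketLoginModule", "SUFFICIENT"),
    LoginModule("BasicPasswordLoginModule", "REQUISITE"),
    LoginModule("CreateTicketLoginModule", "OPTIONAL"),
]


def evaluate_stack(stack: List[LoginModule],
                   outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Apply the JAAS control-flag rules to `stack`.

    `outcomes` maps a module name to True (its login() succeeded) or False.
    A module missing from `outcomes` is treated as failed.
    Returns (authenticated, names of the modules that were consulted).
    """
    consulted: List[str] = []
    required_failed = False
    has_required = any(m.flag in ("REQUIRED", "REQUISITE") for m in stack)
    optional_succeeded = False

    for module in stack:
        ok = outcomes.get(module.name, False)
        consulted.append(module.name)
        if module.flag == "SUFFICIENT":
            # Success ends the stack early, unless an earlier REQUIRED failed.
            if ok and not required_failed:
                return True, consulted
        elif module.flag == "REQUISITE":
            # Failure stops the stack immediately; later modules never run.
            if not ok:
                return False, consulted
        elif module.flag == "REQUIRED":
            # Failure is remembered, but the remaining modules still run
            # (so an attacker cannot tell which module rejected the attempt).
            if not ok:
                required_failed = True
        elif module.flag == "OPTIONAL":
            # Never decides the outcome on its own.
            if ok:
                optional_succeeded = True
        else:
            raise ValueError(f"unknown control flag {module.flag!r}")

    if required_failed:
        return False, consulted
    if has_required:
        # Every REQUIRED/REQUISITE module succeeded: a REQUISITE failure would
        # have returned above and a REQUIRED failure would have set the flag.
        return True, consulted
    # No REQUIRED/REQUISITE in the stack: an OPTIONAL module must have succeeded
    # (a SUFFICIENT success would already have returned).
    return optional_succeeded, consulted


def sap_me_scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    """Walk the SAP ME default stack through typical logon situations."""
    return {
        # Browser presents a valid SAP logon ticket: the password module is skipped.
        "valid_ticket": evaluate_stack(SAP_ME_STACK, {
            "EvaluateTicketLoginModule": True}),
        # No ticket, correct password, ticket issued for later requests.
        "password_ok": evaluate_stack(SAP_ME_STACK, {
            "EvaluateTicketLoginModule": False,
            "BasicPasswordLoginModule": True,
            "CreateTicketLoginModule": True}),
        # No ticket, wrong password: REQUISITE stops the stack, no ticket is created.
        "password_wrong": evaluate_stack(SAP_ME_STACK, {
            "EvaluateTicketLoginModule": False,
            "BasicPasswordLoginModule": False}),
        # Correct password but ticket creation fails: OPTIONAL does not block logon.
        "ticket_creation_fails": evaluate_stack(SAP_ME_STACK, {
            "EvaluateTicketLoginModule": False,
            "BasicPasswordLoginModule": True,
            "CreateTicketLoginModule": False}),
    }


if __name__ == "__main__":
    for name, (authenticated, consulted) in sap_me_scenarios().items():
        print(f"{name:22s} authenticated={str(authenticated):5s} consulted={consulted}")
```

The two outcomes worth noticing for SAP ME are that a valid logon ticket never reaches BasicPasswordLoginModule at all, and that a wrong password ends the stack before CreateTicketLoginModule runs, so no ticket is ever minted for a failed logon.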
6.1 Communication Channel Security
The table below shows the communication channels used by SAP ME, the protocol used for the connection, and the type of data transferred:
Table 13: Communication Path
Communication Path                                                             Protocol Used   Type of Data Transferred
Front-end client using a certified web browser to SAP ME application server    HTTP            Authentication; application
SAP MII application server to SAP ME application server for SAPMEINT           Java API        Authentication; application
SAP ME Scripts to application server                                           RMI-P4          Application
SAP ME Scripts to SAP ME databases                                             JDBC            Authentication; application
SAP ME application server to SAP ME SPC server when Statit is used             RMI; HTTP       Application
Application server connection to SAP ME databases                              JDBC            Application
HTTP, SOAP over HTTP, and RMI-P4 connections are protected using the SSL protocol. RMI connections cannot be protected. JDBC connections are protected using driver-provided encryption. For more information, see Network Security in the SAP NetWeaver Application Server Java Security Guide on SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver 7.5 Security Guides → SAP NetWeaver 7.5 Security Guide.
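The JDBC row above relies on "driver-provided encryption", which protects the channel only if the data source definition actually switches it on and validates the server certificate. As an added example (mine, not SAP's), the following audit function checks a data source definition for each of the three database platforms SAP ME supports, with a weak definition beside a hardened one for each. The property names are the ones I know from the Microsoft SQL Server, Oracle thin, and SAP HANA JDBC drivers and are assumptions to confirm against the driver version you deploy; the host names are constructed, and the port numbers are the defaults from Table 11.

```python
"""Check that an SAP ME data source enforces driver-level JDBC encryption.

Added example, not SAP code. The property names below are the ones I know
from the Microsoft SQL Server JDBC driver, the Oracle thin driver and the
SAP HANA JDBC driver; treat them as assumptions to confirm against the
driver version you deploy. Host names are constructed sample values; the
port numbers are the defaults from Table 11 of the guide.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs


def _is_true(value: Optional[str]) -> bool:
    return value is not None and value.strip().lower() == "true"


def _mssql_options(url: str) -> Dict[str, str]:
    """Parse jdbc:sqlserver://host:port;key=value;key=value ..."""
    options: Dict[str, str] = {}
    for part in url.split(";")[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            options[key.strip().lower()] = value.strip()
    return options


def _hana_options(url: str) -> Dict[str, str]:
    """Parse jdbc:sap://host:port/?key=value&key=value ..."""
    query = url.split("?", 1)[1] if "?" in url else ""
    return {k.lower(): v[0] for k, v in parse_qs(query).items()}


def check_jdbc_encryption(url: str,
                          properties: Optional[Dict[str, str]] = None
                          ) -> Tuple[bool, List[str]]:
    """Return (encryption_enforced, findings) for a JDBC URL plus properties.

    Properties passed separately (as a data source definition would hold them)
    override the same key given in the URL. Absence of an explicit setting is
    reported as a finding: the check is deliberately conservative.
    """
    props = {k.lower(): v for k, v in (properties or {}).items()}
    findings: List[str] = []

    if url.startswith("jdbc:sqlserver://"):
        opts = {**_mssql_options(url), **props}
        if not _is_true(opts.get("encrypt")):
            findings.append("MSSQL: encrypt=true not set, session is cleartext")
        if _is_true(opts.get("trustservercertificate")):
            findings.append("MSSQL: trustServerCertificate=true skips server "
                            "certificate validation")
    elif url.startswith("jdbc:oracle:thin:"):
        # Oracle native network encryption is negotiated via a connection
        # property, not the URL; anything short of REQUIRED lets the server
        # side settle for a cleartext session.
        level = props.get("oracle.net.encryption_client", "ACCEPTED").upper()
        if level != "REQUIRED":
            findings.append(f"Oracle: oracle.net.encryption_client={level}, "
                            "encryption is negotiable rather than mandatory")
    elif url.startswith("jdbc:sap://"):
        opts = {**_hana_options(url), **props}
        if not _is_true(opts.get("encrypt")):
            findings.append("HANA: encrypt=true not set, session is cleartext")
        if opts.get("validatecertificate", "").lower() == "false":
            findings.append("HANA: validateCertificate=false skips server "
                            "certificate validation")
    else:
        findings.append("unrecognised JDBC URL prefix")
    return (not findings, findings)


# Constructed sample data sources: the weak definition beside the hardened one.
SAMPLE_DATA_SOURCES = {
    "mssql_weak": ("jdbc:sqlserver://db.example.invalid:1433;databaseName=WIP", None),
    "mssql_hardened": ("jdbc:sqlserver://db.example.invalid:1433;databaseName=WIP;"
                       "encrypt=true;trustServerCertificate=false", None),
    "oracle_weak": ("jdbc:oracle:thin:@db.example.invalid:1521/WIP",
                    {"oracle.net.encryption_client": "ACCEPTED"}),
    "oracle_hardened": ("jdbc:oracle:thin:@db.example.invalid:1521/WIP",
                        {"oracle.net.encryption_client": "REQUIRED"}),
    "hana_weak": ("jdbc:sap://db.example.invalid:30015/?encrypt=true"
                  "&validateCertificate=false", None),
    "hana_hardened": ("jdbc:sap://db.example.invalid:30015/?encrypt=true"
                      "&validateCertificate=true", None),
}


def audit_data_sources(sources=SAMPLE_DATA_SOURCES) -> Dict[str, bool]:
    """Map each data source name to whether its encryption is enforced."""
    return {name: check_jdbc_encryption(url, props)[0]
            for name, (url, props) in sources.items()}


if __name__ == "__main__":
    for name, (url, props) in SAMPLE_DATA_SOURCES.items():
        enforced, findings = check_jdbc_encryption(url, props)
        print(f"{name:16s} enforced={enforced} {findings}")
```

Run against the WIP, ODS and GODS data sources defined in SAP NetWeaver and against the SAP ME Scripts configuration, since both reach the databases over JDBC (see the two JDBC rows of Table 13).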
6.2 Communication Destinations
SAP ME does not deliver pre-configured RFC or JCo destinations or ports.
7 Data Storage Security
SAP ME stores J2EE application data in the SAP NetWeaver 7.5 database. For more information, see the SAP NetWeaver 7.5 Security Guide on SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver 7.5 Security Guides → SAP NetWeaver 7.5 Security Guide.
SAP ME stores business data in the WIP, ODS, and optional GODS relational databases. You can use Microsoft SQL Server, Oracle, or SAP HANA for your SAP ME database management system. If you are using SAP HANA as your SAP ME database management system, see the SAP HANA Security Guide. For more information, see the documentation provided by your database vendor. When you create your database, a specific user ID with password is defined. This user ID and password are later added to the Data Source in the SAP NetWeaver Installation Wizard.
SAPMEINT
SAPMEINT uses SAP MII 15.1 for business transactions integrated with SAP ERP systems. The data exchange between SAPMEINT and the SAP ERP system is carried out using IDocs.
SAP ME Scripts
SAP ME Scripts automate various tasks for the SAP ME WIP and ODS databases. These scripts are configured to run as scheduled tasks in a productive environment.
Note
If you are using SAP ME with the SAP HANA database, SAP ME Scripts are not applicable.
During SAP ME Scripts installation, all the required information is collected from the user. Passwords for the WIP/ODS/GODS databases are encrypted and then stored in the secstore.properties property file. The encryption is achieved using the iaik_jce.jar SAP NetWeaver library. The iaik_jce.jar file is not bundled with SAP ME Scripts; it is located within the SAP NetWeaver server. The location of this JAR file is determined at runtime from the SAP NetWeaver server system name and SID provided by the user.
Temporary Printing Directory
SAP ME provides functionality to configure a directory on the application server to which you can write files. You can configure third-party applications to retrieve and print files from this directory. For more information, see help.sap.com → SAP Manufacturing Execution → SAP Manufacturing Execution 15.1 → Product Lifecycle Mgmt → Document Management.
8 Security for Additional Applications
If you are using Statit as your SAP ME SPC server, Statit e-Server 5.4 is required. Contact the vendor to secure Statit e-Server in your system landscape.
9 Other Security-Relevant Information
JavaScript
SAP ME uses JavaScript in many of the front-end web pages, and you must enable it in the browser.
Java Web Start
Several user interfaces in SAP ME are implemented as rich clients using Java Web Start technology. Download and execute Java Web Start.
ActiveX
With Statit as your SAP ME SPC server, ActiveX controls are used in many of the front-end web pages. If you use Statit, ActiveX controls must be enabled.
10 Security Logging and Tracing
SAP ME uses the standard SAP NetWeaver 7.4 logging infrastructure for logging security-relevant information about logon, logout, and HTTP session time-out. For more information, see the Administrator’s Guide on the SAP Help Portal at help.sap.com/nw74 → SAP NetWeaver 7.4 Library → SAP NetWeaver Composition Environment Library.
SAP ME uses Audit Log for logging maintenance changes made to audit-logged data and objects. SAP ME also uses Activity Log for logging all the shop floor activities, including production operator actions. For more information, see help.sap.com → SAP Business Suite → SAP Manufacturing → SAP Manufacturing Execution → SAP Manufacturing Execution 15.0.
For invalid logon events, SAP ME logs more security-relevant information in the SAP NetWeaver Security Logs. In SAP ME, creation and execution of scripts are traced in the SAP NetWeaver standard logs. To set up this type of tracing, choose INFO severity for the trace location com.sap.me.script.ScriptBOBean in NetWeaver Log Configuration. Note that the location appears only after several traces have been displayed. Production activities and Labor Tracking data can be archived. For more information, see the SAP ME 15.0 Application Operations Guide on the SAP Help Portal at service.sap.com/instguides → SAP Business Suite Applications → SAP Manufacturing → SAP Manufacturing Execution 15.0.
11 Configuring Web Service Security
Security for SAP ME 15.1 web services is based on the security of the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the SAP ME 15.1 web services.
Note
To provide web services access to users, the proper authorization roles must be assigned. For more information, see Authorizations in this guide.
By default, SAP ME 15.1 web services are configured with HTTP Basic Authentication over HTTP. It is possible to create additional security constraints through SAP NetWeaver Administrator. For more information, see Configuring Individual Web Services at help.sap.com/nw75 → Functional View → SAP NetWeaver by Functional Areas → SAP NetWeaver Library: Function-Oriented View → Application Server → Application Server Java → Administering Application Server Java → Administration → Web Service Administration → Configuring Web Services and Web Service Clients → Configuring Web Services → Configuring Individual Web Services.
You can configure SAP ME web services all at once with a communication profile. For more information, see Preparing Communication Profiles at help.sap.com/nw75 → Functional View → SAP NetWeaver by Functional Areas → SAP NetWeaver Library: Function-Oriented View → Application Server → Application Server Java → Administering Application Server Java → Administration → Web Service Administration → Configuring Web Services and Web Service Clients.
For information about assigning a communication profile to an application’s web services, see Configuring Web Services Exposed by Applications at help.sap.com/nw75 → Functional View → SAP NetWeaver by Functional Areas → SAP NetWeaver Library: Function-Oriented View → Application Server → Application Server Java → Administering Application Server Java → Administration → Web Service Administration → Configuring Web Services and Web Service Clients → Configuring Web Services → Configuring Groups of Web Services.
Typographic Conventions
Table 14
Example              Description
<Example>            Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your ”.
Example → Example    Arrows separating the parts of a navigation path, for example, menu options
Example              Emphasized words or expressions
Example              Words or characters that you enter in the system exactly as they appear in the documentation
www.sap.com          Textual cross-references to an internet address
/example             Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456               Hyperlink to an SAP Note, for example, SAP Note 123456
Example              ● Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
                     ● Cross-references to other documentation or published works
Example              ● Output on the screen following a user action, for example, messages
                     ● Source code or syntax quoted directly from a program
                     ● File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE              Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE
EXAMPLE              Keys on the keyboard
www.sap.com
© Copyright 2015 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.