securityRunTime

SOA-based Security Solutions

The core of our Security Framework is SAMI: Security, Automation, Management and Infrastructure. This solid foundation is made extensible by the adapter container, so your solution is fast, flexible and user-friendly.

Security

Our Security Framework provides a multitude of functions which may be used by all adapters and applications. Basic Security Services are provided by the Security component of SAMI. These include the basic functions of entity, access and key management. Additional infrastructure functions such as cryptographic algorithms are available and may be loaded into the system as adapters. Once loaded, their functionality is available immediately.

Entity & Key Management

Our Security Framework offers Entity Management, which enables central administration of users, servers, roles and rights. As a common basis, user credentials and authorization profiles are available system-wide. The integrated Key Management extends the solution with certificates. A complete PKI (with its own CA) enables certificate-based operations such as authentication, signing and encryption, down to the user level. Certificates may be issued, distributed, renewed and revoked with a mouse click, and adapter data from meta directories (e.g. LDAP, MS AD) may be linked as easily as certificates from existing Certificate Authorities. With our Security Framework you can use existing data from different sources within one solution.

Cryptography Algorithms & Basic Security

The Security Framework provides standard implementations of cryptographic algorithms throughout the complete securityRunTime. Popular hashing and encryption methods may be used easily. The encapsulation allows libraries to be exchanged without code changes, for example to satisfy export restrictions or stricter security requirements.

Secured web service communication is ensured by standards-compliant implementations of the W3C and OASIS standards WS-Security, XML Encryption, XML Signature and SAML.

Logging

Standardized logging in distributed systems is a precondition for efficient system maintenance. The Security Framework provides logging for each component based on Log4J; daily rolling log files support analysis and troubleshooting.

Automation

Automated functions distinguish our Security Framework. True Security Policy automation is found in the Automation component of SAMI. The Security Rule created by the Policy Generator is combined with the model and applied to the Security Services. The realization of the Policy (Policy Enforcement) may take place locally as well as centrally. With the SAMI foundation you already receive the security infrastructure, including a "Security Service Bus" implementation that complements standard ESB implementations. Administration, distribution and provisioning of the Security Policy are immediately available and automated. You can also develop and integrate your own security solutions through functional adapters.

In distributed systems, efficiency is achieved by automating the configuration, deployment and realization of security without programming effort. Instead of programming security functionality by hand, you define security processes with the local Workflow Editor, which is integrated by default.

Our Security Framework relies on existing standards for modeling and realization, and extends the BPEL standard with security elements. You can model your complete security processes and dynamic security policies in an integrated visual modeler. Legal requirements and regulations (such as the PCI [Payment Card Industry] Data Security Standard) can be modeled once and applied to existing services afterwards.

Connected visual modeling tools make it easy to combine security functions into a Composite Security Application. This way a security component can be embedded in the design phase of business processes. Execution is handled by an integrated BPEL engine, which runs BPEL processes extended with security elements; dynamic parameterization is also possible.

Management

In many application scenarios, SRT can operate without central administration. The Workflow Engine may be configured easily via web interfaces at the Policy Enforcement Point. In addition, basic functions for entity and key management are available there.

Company-wide entity or key management is added with the Management component. With Management, the securityRunTime becomes a Security Broker, which enables centralized administration and control of the complete securityRunTime via Security Rules. Security Rules are generated at the push of a button, based on the current configuration, and distributed automatically.

Administration

Administration enables central administration of the complete security solution. Administrator and Super-Administrator accounts may be set up for global security rules, including roll-out, validity, distribution options and notifications.

Security Repository

The Security Broker requires persistent data to access entity data, configuration and security rules. To ensure this, all data are stored in a central repository. Encryption and signatures protect the data against unauthorized access and manipulation. Existing databases may be used for the repository; they are configured automatically via database scripts.

Policy Provider

The Policy Provider generates system-wide security rules at the push of a button. The complete configuration of entities, rights, roles and certificates is written into the security rules and is available at the Policy Enforcement Point after push/pull distribution. A single point of failure is avoided by distributing the rules and providing redundant backup functions.

Workflow

With the SRT management functionality, the workflow configuration may be done centrally. Analogous to the local Workflow Editor, processes can be administered centrally and rolled out to the Policy Enforcement Points.

Remote Access

Communication between the Security Broker and the administration interfaces takes place via secure Web Services. Functions such as setting up users and assigning roles are invoked as Web Services. Remote Access acts as the Service Provider offering these administrative web services. Access to the services is protected by certificate authentication. By using the Web Service Security standards, a dedicated administration concept may be realized at a granular function/service level: the administrator is authenticated as the service requester on the basis of XML Signatures in connection with the PKI.
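The authentication step described above, as an added example (not code from securityRunTime or its vendor): the service side validates the enveloped XML Signature on an incoming administrative request, accepts only a signer certificate issued by the framework's own CA, and makes sure the signature actually covers the request. The class and method names, the assumption of a single-level CA (`adminCa` signs administrator certificates directly) and the use of the plain XML-DSig enveloped form rather than WS-Security's `wsu:Id` references are all assumptions of this example.

```java
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Example (not the product's code): authenticates a signed administrative request against the PKI. */
public final class AdminRequestAuthenticator {

    private final X509Certificate adminCa;   // assumption: the framework CA that issues administrator certificates

    public AdminRequestAuthenticator(X509Certificate adminCa) { this.adminCa = adminCa; }

    /** Parser hardened against DTD / external-entity tricks before any signature logic runs. */
    public static DocumentBuilderFactory hardenedParser() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // required: XML-DSig elements are matched by namespace
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /**
     * Validates the enveloped signature and returns the administrator certificate that produced it.
     * The caller then binds that identity to the requested operation (role / right check).
     */
    public X509Certificate authenticate(Document request) throws Exception {
        NodeList sigs = request.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            throw new SecurityException("expected exactly one Signature, found " + sigs.getLength());
        }
        PkiKeySelector selector = new PkiKeySelector(adminCa);
        DOMValidateContext ctx = new DOMValidateContext(selector, sigs.item(0));
        // Rejects dangerous transforms/algorithms (e.g. XSLT) and remote RetrievalMethod references
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) {
            throw new SecurityException("signature invalid");
        }
        // A valid signature over the wrong element is worthless: require a Reference with URI ""
        // (enveloped signature over the whole request document).
        boolean coversRequest = false;
        for (Object r : sig.getSignedInfo().getReferences()) {
            if ("".equals(((Reference) r).getURI())) coversRequest = true;
        }
        if (!coversRequest) throw new SecurityException("signature does not cover the request");
        return selector.signer;
    }

    /** Takes the key from KeyInfo only after the embedded certificate has been checked against the CA. */
    static final class PkiKeySelector extends KeySelector {
        private final X509Certificate ca;
        X509Certificate signer;
        PkiKeySelector(X509Certificate ca) { this.ca = ca; }

        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                        XMLCryptoContext context) throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("request carries no KeyInfo");
            for (Object item : keyInfo.getContent()) {
                if (!(item instanceof X509Data)) continue;
                for (Object x : ((X509Data) item).getContent()) {
                    if (!(x instanceof X509Certificate)) continue;
                    X509Certificate cert = (X509Certificate) x;
                    try {
                        cert.checkValidity();            // not expired, not yet valid
                        cert.verify(ca.getPublicKey());  // issued directly by our CA (single-level PKI assumed)
                    } catch (GeneralSecurityException e) {
                        throw new KeySelectorException("administrator certificate rejected: " + e, e);
                    }
                    signer = cert;
                    final PublicKey key = cert.getPublicKey();
                    return () -> key;
                }
            }
            throw new KeySelectorException("no X509Certificate in KeyInfo");
        }
    }
}
```

The certificate inside `KeyInfo` is supplied by the requester, so it proves nothing on its own; the `KeySelector` is where it is tied to the PKI. Two things a production deployment adds on top of this example: a revocation check (CRL or OCSP) against the CA that the page says can revoke certificates, and a check that the signed request is fresh (timestamp or nonce), since a valid signed request can otherwise be replayed.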

The administration may be done flexibly via Eclipse PlugIns, Web Sites or even mobile applications.

The Management component combines the functions for administering the security solution. Administration configures all components and adapters, while modeling defines the sequence of the security processes. The Policy Generator creates the system-wide Security Rules, which turns administration and modeling into a dynamic Security Policy.

Infrastructure

Our Security Framework builds its core components on the OSGi framework. This is what realizes the adapter concept and enables functionality to be loaded at runtime.

Adapter Handling

Flexibility and adaptability are essential for any modern solution. Our Security Framework uses an innovative Adapter Concept. Loaded into your system with the Adapter Loader, adapters are available immediately. No longer needed? Simply remove them. The Adapter Concept lets you tailor the tool to your specific, changing needs.

For the security-minded, certified adapters are validated by a Security Check that verifies the adapter signature. Note that in principle an unsigned adapter can be loaded as well, so production deployments should restrict loading to adapters with a trusted signature.
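What such a Security Check has to decide before the Adapter Loader installs a bundle, as an added example (not securityRunTime's own code): every entry of the adapter JAR is read through the verifying `JarFile`, tampered content is rejected, entries without a code signer mark the adapter as unsigned, and signed entries are accepted only if the leaf certificate is one of the trusted adapter-signing certificates. The class name, the `Verdict` enum, the `trustedSigners` set (assumed to hold certificates issued by the framework CA) and the `allowUnsigned` switch that makes the "unsigned adapters can be loaded" loophole an explicit policy decision are all assumptions of this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Path;
import java.security.CodeSigner;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Example (not the product's code): signature check the Adapter Loader runs before installing a bundle. */
public final class AdapterSignatureCheck {

    public enum Verdict { SIGNED_TRUSTED, SIGNED_UNTRUSTED, UNSIGNED, TAMPERED }

    private final Set<X509Certificate> trustedSigners; // assumption: adapter-signing certificates issued by the framework CA
    private final boolean allowUnsigned;               // assumption: policy switch, false in production

    public AdapterSignatureCheck(Set<X509Certificate> trustedSigners, boolean allowUnsigned) {
        this.trustedSigners = trustedSigners;
        this.allowUnsigned = allowUnsigned;
    }

    /** Inspects every content entry of the adapter JAR. */
    public Verdict check(Path adapterJar) throws IOException {
        // verify=true: JarFile checks each entry's digest against the signed manifest while the entry is read
        try (JarFile jar = new JarFile(adapterJar.toFile(), true)) {
            boolean allTrusted = true;
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureMetadata(entry.getName())) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* signers are only known once the entry is fully read */ }
                } catch (SecurityException e) {
                    return Verdict.TAMPERED;   // digest mismatch: content was changed after signing
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    // One unsigned class is enough to smuggle code in, so the whole adapter counts as unsigned
                    return Verdict.UNSIGNED;
                }
                boolean entryTrusted = false;
                for (CodeSigner signer : signers) {
                    Object leaf = signer.getSignerCertPath().getCertificates().get(0);
                    if (leaf instanceof X509Certificate && isTrusted((X509Certificate) leaf)) entryTrusted = true;
                }
                allTrusted &= entryTrusted;
            }
            return allTrusted ? Verdict.SIGNED_TRUSTED : Verdict.SIGNED_UNTRUSTED;
        }
    }

    /** Manifest and signature files carry the signature; they are not signed content themselves. */
    private static boolean isSignatureMetadata(String name) {
        if (!name.startsWith("META-INF/")) return false;
        String upper = name.toUpperCase();
        return upper.equals("META-INF/MANIFEST.MF") || upper.endsWith(".SF")
            || upper.endsWith(".RSA") || upper.endsWith(".DSA") || upper.endsWith(".EC");
    }

    private boolean isTrusted(X509Certificate leaf) {
        try {
            leaf.checkValidity();
        } catch (CertificateException e) {
            return false;
        }
        return trustedSigners.contains(leaf); // X509Certificate.equals compares the DER encoding
    }

    /** The policy decision the Adapter Loader acts on. */
    public boolean mayLoad(Verdict v) {
        switch (v) {
            case SIGNED_TRUSTED: return true;
            case UNSIGNED:       return allowUnsigned;
            default:             return false;  // wrong signer or tampered content is never loaded
        }
    }
}
```

Two details matter in practice. `JarEntry.getCodeSigners()` returns `null` until the entry has been read to the end, which is why the loop drains every stream; and a JAR may be only partially signed, so a per-JAR "is there a signature file" check is not enough. Whether to pin individual signer certificates (as here) or to validate the signer chain up to the framework CA is a deployment choice; the latter lets signing certificates be renewed without touching the loader's trust set.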

Network and Basic Infrastructure

Most SOA implementations are based on common network technologies. Like other leading solutions, our Security Framework utilizes these standards, and support for HTTP, HTTPS and XML/SOAP is implemented directly in the infrastructure. Further auxiliary functions (such as HTTP wrappers, object handlers and proxies) are also provided, so that conventional solutions can be integrated into the Security Framework easily.