zhongwei/gh-secondsky-sap-skills-skills-sap-btp-integration-suite
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f7e6b835303921c06089c46b670540da590bced7
gh-secondsky-sap-skills-ski…/references/security.md
Zhongwei Li f7e6b83530 Initial commit
2025-11-30 08:55:05 +08:00

428 lines
14 KiB
Markdown
Raw Blame History

# Security - Comprehensive Reference
**Source**: SAP BTP Integration Suite Documentation
**Documentation**: [https://github.com/SAP-docs/sap-btp-integration-suite/tree/main/docs/ci](https://github.com/SAP-docs/sap-btp-integration-suite/tree/main/docs/ci)
**Last Updated**: 2025-11-22
---
## Table of Contents
1. [Security Overview](#security-overview)
2. [Authentication Methods](#authentication-methods)
3. [Keystore Management](#keystore-management)
4. [Credential Artifacts](#credential-artifacts)
5. [Message-Level Security](#message-level-security)
6. [Certificate Management](#certificate-management)
7. [Security Best Practices](#security-best-practices)
---
## Security Overview
### Security Layers
```
┌─────────────────────────────────────────────────────────────┐
│ Security Layers │
├─────────────────────────────────────────────────────────────┤
│ Transport Layer (TLS/SSL) │
│ ├─ Server certificates │
│ ├─ Client certificates (mTLS) │
│ └─ Cipher suites │
├─────────────────────────────────────────────────────────────┤
│ Authentication Layer │
│ ├─ Basic authentication │
│ ├─ OAuth 2.0 │
│ ├─ Client certificate │
│ ├─ SAML assertion │
│ └─ Principal propagation │
├─────────────────────────────────────────────────────────────┤
│ Message Layer │
│ ├─ Encryption (PGP, PKCS#7) │
│ ├─ Digital signatures │
│ └─ Message digest │
├─────────────────────────────────────────────────────────────┤
│ Access Control │
│ ├─ Role collections │
│ ├─ Access policies │
│ └─ Endpoint protection │
└─────────────────────────────────────────────────────────────┘
```
### Security Material Types
| Type | Purpose | Storage |
|------|---------|---------|
| Keystore | Certificates and keys | Keystore artifact |
| User Credentials | Username/password | Credential artifact |
| Secure Parameters | Sensitive config values | Secure store |
| OAuth Credentials | OAuth tokens | Credential artifact |
| PGP Keys | Encryption/signing keys | Keyring artifact |
| SSH Keys | SFTP authentication | Keystore artifact |
---
## Authentication Methods
### Inbound Authentication (Senders calling Integration Suite)
#### Basic Authentication
Username/password in HTTP header.
**Configuration**:
1. Create service instance for process integration
2. Assign `ESBMessaging.send` role
3. Use service key credentials
#### Client Certificate Authentication
X.509 certificate verification.
**Configuration**:
1. Import client CA certificate to keystore
2. Configure sender adapter for client certificate
3. Map certificate to user (Neo) or use role-based auth (CF)
#### OAuth 2.0
Token-based authentication.
**Grant Types**:
- Client Credentials (machine-to-machine)
- Authorization Code (user-delegated)
- SAML Bearer Assertion (SSO scenarios)
### Outbound Authentication (Integration Suite calling receivers)
#### Basic Authentication
```
Adapter → Authentication: Basic
→ Credential Name: [UserCredential artifact]
```
#### Client Certificate
```
Adapter → Authentication: Client Certificate
→ Private Key Alias: [Keystore alias]
```
#### OAuth 2.0 Client Credentials
```
Adapter → Authentication: OAuth2 Client Credentials
→ Token Service URL: [https://oauth.example.com/token](https://oauth.example.com/token)
→ Client ID: [from credential]
→ Client Secret: [from credential]
```
#### Principal Propagation
Forward user identity to backend systems.
**Scenarios**:
- SAP to SAP Cloud Identity
- Cloud Foundry to on-premise
- Subaccount to subaccount
**Documentation**: [https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/basic-authentication-outbound-f26152c.md](https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/basic-authentication-outbound-f26152c.md)
---
## Keystore Management
### Keystore Structure
```
Tenant Keystore
├── SAP Keys (managed by SAP)
│ ├── sap_cloudintegrationcertificate (client cert)
│ └── sap_cloudintegrationca (CA cert)
├── Customer Keys
│ ├── my_client_key (private key + cert)
│ ├── partner_ca_cert (CA certificate)
│ └── backend_server_cert (server certificate)
└── Key History
└── Rotated keys for reference
```
### Key Types
| Type | Content | Use Case |
|------|---------|----------|
| Key Pair | Private key + certificate | Client authentication, signing |
| Certificate | Public certificate only | Server validation, CA trust |
| SSH Key | SSH private/public key | SFTP authentication |
### Keystore Operations
**Upload Certificate**:
1. Navigate to Monitor → Manage Security → Keystore
2. Click Add → Certificate
3. Upload .cer/.crt/.pem file
4. Assign alias
**Upload Key Pair**:
1. Navigate to Keystore
2. Click Add → Key Pair
3. Upload .p12/.pfx file with password
4. Assign alias
**Renew Certificate**:
1. Upload new certificate with new alias
2. Update adapter configurations
3. Test connectivity
4. Delete old certificate after validation
**Documentation**: [https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/managing-keystore-entries-2dc8942.md](https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/managing-keystore-entries-2dc8942.md)
---
## Credential Artifacts
### User Credentials
Store username/password combinations.
**Deployment**:
1. Navigate to Monitor → Manage Security → Security Material
2. Click Add → User Credentials
3. Enter name, user, password
4. Deploy
**Usage in Adapter**:
```
Authentication: Basic
Credential Name: MyCredential
```
### OAuth2 Credentials
Store OAuth client credentials.
**Types**:
- Client Credentials Grant
- Authorization Code Grant
- SAML Bearer Assertion
**Configuration**:
- Token Service URL
- Client ID
- Client Secret
- Scope (optional)
- Token refresh settings
### Secure Parameters
Store sensitive configuration values.
**Deployment**:
1. Navigate to Security Material
2. Click Add → Secure Parameter
3. Enter name and value
4. Deploy
**Access in Script**:
```groovy
def secureStore = ITApiFactory.getService(SecureStoreService.class, null)
def value = secureStore.getSecureParameter("ParameterName")
```
**Documentation**: [https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/managing-security-material-b8ccb53.md](https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/managing-security-material-b8ccb53.md)
---
## Message-Level Security
### Encryption
#### PGP Encryption
Encrypt payload using OpenPGP standard.
**Encryptor Step**:
| Parameter | Description |
|-----------|-------------|
| Public Key Alias | Recipient's public key |
| Algorithm | AES-256, etc. |
| Armor | ASCII armor output |
**Decryptor Step**:
| Parameter | Description |
|-----------|-------------|
| Private Key Alias | Your private key |
| Signatures Required | Verify sender signature |
#### PKCS#7/CMS Encryption
Enterprise encryption standard.
**Supported Algorithms**:
- AES (128, 192, 256 bit)
- 3DES
- DES (legacy, not recommended)
### Digital Signatures
#### XML Digital Signature
Sign/verify XML documents.
**Algorithms**:
- RSA-SHA256 (recommended)
- RSA-SHA1 (legacy)
- ECDSA
**Elements**:
- Enveloped signature
- Enveloping signature
- Detached signature
#### PKCS#7/CMS Signature
Sign binary/text content.
### Message Digest
Calculate hash of message content.
**Algorithms**:
- SHA-256 (recommended)
- SHA-1 (legacy)
- MD5 (not recommended)
**Documentation**: [https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Development/apply-message-level-security-9036c0c.md](https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Development/apply-message-level-security-9036c0c.md)
---
## Certificate Management
### Certificate Types
| Certificate | Purpose |
|-------------|---------|
| Server Certificate | Identify server to clients |
| Client Certificate | Identify client to servers |
| CA Certificate | Trust anchor for validation |
| Signing Certificate | Digital signature creation |
| Encryption Certificate | Message encryption |
### Certificate Lifecycle
```
┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐
│ Request │ → │ Issue │ → │ Active │ → │ Renew │
│ CSR │ │ Cert │ │ Usage │ │ Before │
│ │ │ │ │ │ │ Expiry │
└─────────┘ └─────────┘ └─────────┘ └─────────┘
┌─────────┐
│ Replace │
│ & Test │
└─────────┘
```
### Certificate Renewal Best Practices
1. **Monitor Expiration**
- Set alerts for 30-day warning
- Track all certificates in inventory
2. **Prepare New Certificate**
- Generate or request before expiry
- Use same key type and size
3. **Staged Rollout**
- Import with new alias
- Update configurations
- Test in lower environments
4. **Validate**
- Verify connectivity
- Check signature validation
- Confirm encryption/decryption
5. **Cleanup**
- Remove old certificate after validation
- Update documentation
**Documentation**: [https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/security-artifact-renewal-083fc8d.md](https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/security-artifact-renewal-083fc8d.md)
---
## Security Best Practices
### General
1. **Use HTTPS everywhere**
- No unencrypted HTTP
- TLS 1.2+ only
2. **Rotate credentials regularly**
- Passwords: 90 days
- Certificates: Before expiry
- API keys: As needed
3. **Principle of least privilege**
- Minimal role assignments
- Specific permissions only
4. **Audit and monitor**
- Enable audit logging
- Monitor security events
- Review access regularly
### Integration Flow Security
1. **Never hardcode credentials**
```groovy
// BAD
def password = "mypassword"
// GOOD
def cred = secureStore.getUserCredential("MyCredential")
```
2. **Don't log sensitive data**
```groovy
// BAD
log.info("Password: ${password}")
// GOOD
log.info("Authentication configured")
```
3. **Validate input data**
- Check payload structure
- Validate against schema
- Sanitize user input
4. **Use secure credential artifacts**
- User Credentials for passwords
- Secure Parameters for config
- OAuth artifacts for tokens
### API Management Security
1. **Always authenticate APIs**
- API keys at minimum
- OAuth 2.0 preferred
2. **Apply threat protection**
- JSON/XML threat policies
- Regular expression validation
- Input validation
3. **Implement rate limiting**
- Quota policies
- Spike arrest
- Concurrent limits
4. **Use CORS carefully**
- Restrict origins
- Limit methods
- Validate headers
---
## Related Documentation
- **Security Guidelines**: [https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Development/apply-the-highest-security-standards-201fd43.md](https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Development/apply-the-highest-security-standards-201fd43.md)
- **Keystore Management**: [https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/managing-keystore-entries-2dc8942.md](https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/managing-keystore-entries-2dc8942.md)
- **Certificate Renewal**: [https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/security-artifact-renewal-083fc8d.md](https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/security-artifact-renewal-083fc8d.md)
- **PGP Keys**: [https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/managing-pgp-keys-cd478a7.md](https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/managing-pgp-keys-cd478a7.md)
- **OAuth Configuration**: [https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/deploying-an-oauth2-client-credentials-artifact-801b106.md](https://github.com/SAP-docs/sap-btp-integration-suite/blob/main/docs/ci/Operations/deploying-an-oauth2-client-credentials-artifact-801b106.md)
Reference in New Issue View Git Blame Copy Permalink