SAP Real-Time Offer Management 7.1 SP02 - SAP Help … · SAP Real-Time Offer Management ... (SAP CRM) (front end and server back end), and the SAP NetWeaver Business ... accessing

Security Guide

SAP Real-Time Offer Management

Document Version: 1.0 – 2016-06-10

PUBLIC

SAP Real-Time Offer Management 7.1 SP02 Target Audience: System Administrators, Technology Consultants

2

PUBLIC

© 2016 SAP AG. All rights reserved.

SAP Real-Time Offer Management 7.1 SP02

Typographic Conventions

Typographic Conventions

Type Style Description

Example Words or characters quoted from the screen. These include field names, screen titles,

pushbuttons labels, menu names, menu paths, and menu options.

Textual cross-references to other documents.

Example Emphasized words or expressions.

EXAMPLE Technical names of system objects. These include report names, program names,

transaction codes, table names, and key concepts of a programming language when they

are surrounded by body text, for example, SELECT and INCLUDE.

Example Output on the screen. This includes file and directory names and their paths, messages,

names of variables and parameters, source text, and names of installation, upgrade and

database tools.

Example Exact user entry. These are words or characters that you enter in the system exactly as they

appear in the documentation.

<Example> Variable user entry. Angle brackets indicate that you replace these words and characters

with appropriate entries to make entries in the system.

EXAMPLE Keys on the keyboard, for example, F2 or ENTER .


Document History

PUBLIC

© 2016 SAP AG. All rights reserved. 3

Document History

Caution

Before you start the implementation, make sure you have the latest version of this document. You can find the

latest version at the following location: http://service.sap.com/instguides Focused Business

Solutions SAP Real-Time Offer Management .

Version Date Change

1.0 06-10-2016 Initial revision

4

PUBLIC



Table of Contents

Table of Contents

1 Introduction .................................................................................................................................................... 5

2 Before You Start............................................................................................................................................. 7

3 Technical System Landscape ....................................................................................................................... 8

4 User Administration and Authentication .................................................................................................. 10

5 Authorizations ............................................................................................................................................... 11

6 Network and Communication Security ..................................................................................................... 14

7 Data Storage Security ................................................................................................................................. 16

8 Database Security ........................................................................................................................................ 17

9 Trace and Log Files ...................................................................................................................................... 18


Introduction

PUBLIC


1 Introduction

The SAP Real-Time Offer Management (RTOM) security policy relies on external user management systems that

maintain users and map their credentials to RTOM capabilities. Part of the deployment process may involve

setting the correct authentication and authorization method, and setting the various permission groups to suit the

current customer.

All software layers and access points of the real-time decisioning (RTD) engine, including the definition of

application-level permissions for different user groups, are protected and secured.

This document is not included as part of the installation guide, configuration guide, or upgrade guide. Such guides

are only relevant for a certain phase of the software lifecycle, whereas the security guide provides information that

is relevant for all lifecycle phases.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on

security are also on the rise. When using a distributed system, you need to be sure that your data and processes

support your business needs without allowing unauthorized access to critical information. User errors,

negligence, or attempted manipulation on your system should not result in loss of information or processing time.

These demands on security also apply to RTOM. This security guide helps you to secure your RTOM application.

About this Document

The security guide provides an overview of the security-relevant information that applies to RTOM. It comprises

the following main sections:

Before You Start

This section contains information about why security is necessary, how to use this document, and references to

other security guides that provide the foundation for this security guide.

Technical System Landscape

This section provides an overview of the technical components and communication paths that are used by RTOM.

User Administration and Authentication

This section provides an overview of user administration and authentication aspects.

Authorizations

This section provides an overview of the authorization concept that applies to RTOM.

Network and Communication Security

This section provides an overview of the communication paths used by RTOM and the security mechanisms that

apply. It also includes recommendations for the network topology to restrict access at the network level.

Data Storage Security

This section provides an overview of any critical data that is used by RTOM and the security mechanisms that

apply.

6

PUBLIC



Introduction

Trace and Log Files

This section provides an overview of the trace and log files that contain security-relevant information, for example,

so you can reproduce activities if a security breach occurs.


Before You Start

PUBLIC


2 Before You Start

Fundamental Security Guides

For a complete list of the available SAP Security Guides, see the SAP Service Marketplace at

http://service.sap.com/securityguide.

Additional Information

For more information about specific topics, use the Quick Links in the table below.

Content Quick Link on SAP Service Marketplace

Security http://service.sap.com/security

Security guides http://service.sap.com/securityguide

Related SAP notes http://service.sap.com/notes

Released platforms http://service.sap.com/platforms

SAP Solution Manager http://service.sap.com/solutionmanager

http://service.sap.com/

8

PUBLIC




3 Technical System Landscape

The figure below shows an overview of the technical system landscape of RTOM and its integration with business

applications. It includes the RTOM engine (back end), the marketing and reports in SAP CRM (if you have

integrated RTOM with marketing in SAP CRM), the integration with the Interaction Center in SAP Customer

Relationship Management (SAP CRM) (front end and server back end), and the SAP NetWeaver Business

Warehouse (SAP NetWeaver BW) repository (database).

Technical System Landscape Integration of RTOM

Note

In some customer projects, the integration with the Interaction Center in SAP CRM (front-end and server

back-end components) may be replaced by different software (in case SAP CRM is not used by these

customers).

For more information about the technical system landscape, see the resources listed in the following table:

Content Description Location on SAP Service Marketplace

SAP Real-Time

Offer Management

Installation Guide

Information about supported

languages, database installation,

RTOM installation, and completion

of the database setup

http://service.sap.com/instguides

Installation & Upgrade Guides Focused

Business Solutions SAP Real-Time Offer

Management

SAP Real-Time Information about RTOM



PUBLIC


Content Description Location on SAP Service Marketplace

Offer Management

Configuration

Guide

configuration files and

configuration parameters,

configuration of RTOM profiles

using data sources, business

object mappings, and event

configuration

SAP Real-Time

Offer Management

Application Guide

Information about the RTOM log

viewer and configuration manager

SAP Real-Time

Offer Management

Integration Guide

Information about the RTOM

application toolkit as well as

information about integrating

RTOM with marketing and the

Interaction Center (IC) in SAP

Customer Relationship

Management (SAP CRM) using

Web services.

10

PUBLIC



User Administration and Authentication

4 User Administration and Authentication

RTOM does not copy any external data related to the customer, agents, or other entities in the organization. User

information and passwords are also not stored in the system. All information is extracted in real time, resides only

in-memory, and is deleted when the user leaves the session or the session expires.

These on-demand concepts minimize the risk of someone accessing the secure data of an enterprise by hacking

into the RTOM systems.

User Management

RTOM requires SAP NetWeaver authentication types. It verifies the existence of users in a SAP NetWeaver

landscape and verifies their passwords.

The authentication configuration is set in the RTOM application server registry, under

HKEY_LOCAL_MACHINE\SOFTWARE\Ingeneo\Authenticator.

SAP NetWeaver Authentication Method

1. In the registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Ingeneo\Authenticator.

2. Set the Method registry key to SAP.

3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Ingeneo\Authenticator\SAPDestination.

4. Set the following keys to the appropriate SAP logon information:

Key Description

DestinationName SAP NetWeaver system name

Client Client name

Language Language to be used

Example

5. Under HKEY_LOCAL_MACHINE\SOFTWARE\Ingeneo\Authenticator, set:

6. Method = SAP

7. Under HKEY_LOCAL_MACHINE\SOFTWARE\Ingeneo\Authenticator\SAPDestination, set:

o DestinationName = Q0M

o Client = 558

o Language = EN


Authorizations

PUBLIC


5 Authorizations

SAP CRM Authorizations

Authorization in the SAP Real-Time Offer Management (RTOM) environment can be controlled by authorization

levels defined through the marketing in the SAP CRM authorization tools. The following authorization group

objects exist in the marketing authorization tool in SAP CRM:

Technical Name Authorization Group

Object Description

Optional

Access

Level

Affects RTOM Applications

CRM_RTOM_E_<Optional

access level>

RTOM events and

data sources

Display,

change,

delete

RTOM Application Toolkit –

Events


Data Sources

CRM_RTOM_M_<Optional

access level>

RTOM monitoring Display,

change,

delete


Jobs Log

RTOM Log Viewer


Session Viewer

CRM_RTOM_B_<Optional

access level>

RTOM business

tools

Display RTOM Application Toolkit –

Simulator

CRM_RTOM_L_<Optional

access level>

RTOM landscape Display,

change


Landscape


Deployment Parameters

CRM_RTOM_C_<Optional

access level>

RTOM configuration Display,

change,

delete


Feedback

Configuration Manager


Business Logic Studio


Recommendation Parameters

CRM_RTOM_R_<Optional

access level>

RTOM release

configuration

Change RTOM Application Toolkit –


To add this authorization

group object, apply SAP Note

1559106.

Users assigned to this

authorization group are

authorized to change the

https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1559106

12

PUBLIC



Authorizations


Object Description

Optional

Access

Level


status of offers to Released.

The MARKETING_PRO role has all the authorization group objects assigned by default and can be used as the

administrator role for the RTOM applications. Note that to be able to use RTOM applications, users must also be

assigned to the S_RFC authorization object.

When RTOM is customized at a specific customer site, authorization profiles should be created with the

appropriate access level and assigned to users. All RTOM applications that belong to the same authorization

group are assigned the same access level, according to the access level selected in the authorization group

profile.

You can access authorization profiles in transaction PFCG under Edit Display Authorizations Change

Authorization Data . Search for *RTOM and edit the relevant profiles.

When a user attempts to log on to RTOM, RTOM sends the user name and password to the SAP system. If the

details are correct, RTOM also retrieves the user authorization profile.

RTOM enables the user to use only the applications for which he or she has authorization in the defined access

level according to his or her authorization profile.

Note

Users that are authorized to use the RTOM log viewer and RTOM configuration manager always receive

full access level, no matter what access level is configured for their authorization group.

Microsoft Windows Authorizations

RTOM can use Microsoft Windows authentication and authorization if Microsoft Windows authentication was

selected as the authentication system during the installation. The RTOM applications that a user can access

depend on which groups the user is assigned to. The following authorization group objects exist:


Object Description

Optional

Access

Level


CRM_RTOM_E_<Optional

access level>

RTOM events and

data sources

READ, EDIT,

DELETE


Events


Data Sources

CRM_RTOM_M_<Optional

access level>

RTOM monitoring READ, EDIT,

DELETE


Jobs Log

RTOM Log Viewer

External Cache Viewer


Session Viewer

CRM_RTOM_B_<Optional RTOM business READ RTOM Application Toolkit –


Authorizations

PUBLIC



Object Description

Optional

Access

Level


access level> tools Simulator

CRM_RTOM_L_<Optional

access level>

RTOM landscape READ, EDIT RTOM Application Toolkit –

Landscape


Deployment Parameters

CRM_RTOM_C_<Optional

access level>

RTOM configuration READ, EDIT,

DELETE


Feedback

Configuration Manager




Recommendation Parameters

CRM_RTOM_R_<Optional

access level>

RTOM release

configuration

EDIT RTOM Application Toolkit –


Users assigned to this

authorization group are

authorized to change the

status of offers to Released.

Note

To authorize a user with the EDIT access level, the user must also be authorized with the READ access

level. To authorize a user with the DELETE access level, the user must also be authorized with the READ

and EDIT access level.

Example

To authorize a user with the READ access level for the RTOM Application Toolkit – Events and RTOM

Application Toolkit – Data Sources applications, do the following:

1. Define the CRM_RTOM_E_READ group in the domain controller.

2. Add the user to this group.

To authorize a user with the EDIT access level for the RTOM Application Toolkit – Landscape and RTOM

Application Toolkit – Deployment Parameters applications, do the following:

1. Define the CRM_RTOM_L_READ and CRM_RTOM_L_EDIT groups in the domain controller.

2. Add the user to both groups.

14

PUBLIC




6 Network and Communication Security

The real-time decisioning (RTD) engine that is the basis of SAP Real-Time Offer Management (RTOM) consists of

Distributed Component Object Model (DCOM) executables managed by the Microsoft Windows operating system.

All modules run under the credentials supplied during the installation of the system. For more information, see the

SAP Real-Time Offer Management Installation Guide.

The communication between modules uses DCOM.

The communication between workflow modules also uses TCP/IP port 700.

The RTD engine has the following entry points for consuming its services:

Knowledge definition

If you have integrated RTOM and marketing in SAP CRM, you can use the marketing UI in SAP CRM to define

new knowledge for RTOM (offers and condition groups). The protocol used for this communication channel

between the marketing UI and the RTOM server is Simple Object Access Protocol (SOAP). A Web service

published by RTOM can be accessed and used only with specific Microsoft Windows user credentials that

were supplied during the RTOM installation. (The user supplied them on the Web Service Permitted Account

installation screen.)

The user name and password for the consumer of the Web service published by RTOM are supplied under

SOA Management Service Administration Single Service Administration RTOMPublishServiceSOAP

(Consumer Proxy) Edit Consumer Security .

For more information, see the SAP Real-Time Offer Management Installation Guide and the SAP Real-Time

Offer Management Configuration Guide.

Administration activities

The RTOM application toolkit is an administrative application portal. It is a Web-based application that hosts

several sub-applications. It communicates with the server using HTTP/HTTPS.

All application user inputs go through server-side validation tests.

Online integration activities

The online integration activities use Web services. These services are mainly used to send and receive

customer transaction events. The protocol used for this communication channel is SOAP. The RTOM site Web

services can be accessed and used only with specific Microsoft Windows user credentials that were supplied

during the RTOM installation. (The user supplied them on the Web Service Permitted Account installation

screen.)

When RTOM is integrated with a generic interaction center, RTOM user name and password for the consumer

of the Web services on the RTOM site are supplied under sm59 RFC Connections INGENEO_REG Edit

.

In any other integration, the user name and password for the RTOM Web services are supplied under SOA

Management Service Administration Single Service Administration RTOMSiteAdaptorServiceSOAP

(Consumer Proxy) Edit Consumer Security .

For more information, see the SAP Real-Time Offer Management Installation Guide and the SAP Real-Time

Offer Management Configuration Guide.

https://websmp101.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000737161&









PUBLIC


Note

To change the authorized user for the RTOM Web services that was initially defined during the RTOM

installation, open the Microsoft Internet Information Server (IIS) and make the following settings:

1. Select the required RTOM Web service.

o RTOMPublish – for knowledge definition integration

o IngeneoSAPICSiteAdaptorWS – for online integration activities with the Interaction Center in SAP

CRM

o RTOMSiteAdaptorWS – for online integration activities for other SAP CRM industry solutions

2. Choose Properties ASP.NET Edit Configuration Authorization .

Change the local authorization rules. You can enable and disable access to the RTOM Web service for the

desired Microsoft Windows users.

Communication Channel Security

This section describes the communication paths and protocols used by SAP Real-Time Offer Management

(RTOM).

Encryption is used to transfer information and make it unreadable to anyone except those who possess a special

knowledge encryption key. Encryption in RTOM is accomplished by doing the following:

Setting Secure Sockets Layer (SSL) encryption on the RTOM communication channel with IC for delivering a

list of offers using the CRM_IC_RE_WS Web service

Setting SSL encryption on the RTOM application toolkit communication channel with the server

Setting the internal encryption library for all logon communication

SSL Encryption

HTTPS is a secure communications channel that is used to exchange information between a client computer and

a server. It uses SSL.

The RTOM application toolkit, a Web-based application, uses HTTPS to communicate with the server. To enable

HTTPS for the RTOM application toolkit, do the following:

1. Install a certificate authority (CA) on the IIS server’s default Web site.

2. Set up an HTTPS service in IIS for the RTOMAppsToolkitWS virtual directory.

To enable HTTPS for delivering a list of offers to IC, do the following:

1. Install the root certificate of SAPNetCA on the RTOM instance server.

2. Configure SSL for the IC Web service CRM_IC_RE_WS under SOA Management Service Administration

Single Service Administration CRM_IC_RE_WS (Service) Edit Communication Security Configuration .

For more information, see http://support.microsoft.com.

Internal Encryption for Login

The encryption for internal logon communication can be switched off and on using the configuration parameter

located in the file initialization.xml in the folder configuration\CONTENT_TYPE. For more information

about how to apply configuration changes to the system, see the section Security Configuration Mechanism for

Applying Changes. In the XML file, this type of encryption is dictated by the value of the Security.Encryption

node (possible values are TRUE and FALSE and the default installation is with the value set to TRUE).

http://support.microsoft.com/

16

PUBLIC



Data Storage Security

7 Data Storage Security

The RTOM architecture defines four types of data storage:

Knowledge storage

Experience storage

Configuration storage

Logging storage

Most of the data in each type of storage is maintained in databases (primarily the knowledge, experience, and

configuration storage types).

Each storage type uses the security tools inherited from the technology with which it is implemented. The

databases used by the storage are protected by defining users and credentials for different activities. File-based

storage is write-protected.


Database Security

PUBLIC


8 Database Security

RTOM supports the following database providers: SQL Server, MaxDB, and Oracle. RTOM connects to the

databases with a connection string. The connection string is defined in the registry in the

HKEY_LOCAL_MACHINE\SOFTWARE\Ingeneo\Database/DSN key.

The SQL Server uses Microsoft Windows authentication for its activities, so there is no need to supply a user

name and password. The connection string to MaxDB and Oracle includes a user name and password. To secure

the password, we encrypt it and save it in the

HKEY_LOCAL_MACHINE\SOFTWARE\Ingeneo\Database/Password key. RTOM decrypts the password and

concatenates it with the data source name (DSN), resulting in a complete connection string.

18

PUBLIC



Trace and Log Files

9 Trace and Log Files

Tracing and logging are integral features of RTOM. The purpose of the tracing mechanism is to monitor the

access and actions made to the knowledge and business definitions. The tracing feature applies to knowledge

changes made in the system. These changes are made in the Business Logic Studio (BLS) and Configuration

Manager applications.

There are different types of tracing or auditing activities that are logged in the system. These activities consist of

the following:

Creation of and modifications made to business/knowledge objects (such as offers and condition groups)

If RTOM is integrated with marketing in SAP CRM, the audit information is logged in marketing in SAP CRM. If

RTOM is not integrated with marketing in SAP CRM and offers and condition groups are defined in the

Business Logic Studio in the RTOM application toolkit, the audit information is logged in RTOM.

Configuration data (creation and modification)

You can, for example, create or update data sources and events in the RTOM application toolkit or edit

initialization parameters in the Configuration Manager.

Configuration publication on the RTOM server

Logon activity

When a change occurs, the information is logged. The following data is stored in the RTOM engine:

Time and date of the action

User name of the person making the change

Resource identifications that are affected (such as data source name if a data source was updated)

Short description of the change made

Configuring the Security Logging Mode

The logging configuration is stored on the database. For more information about how to apply configuration

changes to the system, see the SAP Real-Time Offer Management Configuration Guide.

Viewing the Logging and Tracing Information

To view the logging information of the system, you must use the RTOM Log Viewer application. This application is

a Microsoft Windows-based application with a similar look and feel to the default Microsoft Windows Event

Viewer. The application is used to display and navigate between the system’s different log messages.

The tracing information is located under the Audit Log categories of the Log Viewer application. Under the Audit

Log, there are audit messages that relate to the application information, such as for the RTOM Web applications,

and audit messages that relate to the configuration changes and updates.

An audit message is marked with a key icon and is registered on a separate audit event type. You can click the

message entry to display its content.



Trace and Log Files

PUBLIC


Example

<Put your example here>

A logon to the RTOM Web applications with an invalid user name or password generates a tracing

message such as the following:

Date: 6/1/2009 10:04:06 AM

Event: Application Toolkit

Logon User: RTOMSPL

Result: Failed: Login failure

In addition, RTOM logs can be viewed inside the Computing Center Management System (CCMS) at SAP. To set

up and use this viewing capability, see the SAP Real-Time Offer Management Application Operations Guide.

Security Configuration Mechanism for Applying Changes

The RTD engine configuration data is securely stored in a database with the last updated version of each

configuration file. That is, configuration files are not saved as files in the system. You can use the Configuration

Manager tool to export the entire configuration into configuration files that can be saved and edited on the

computer. The edited configuration files must be imported back into the database (using the Configuration

Manager tool) before the changed configuration takes effect.

The configuration files are written to <Installation directory>\SAP CRM\RTOM\ForEdit.

Note

The export is always made to a predefined location that is created by the application. You should not

change the structure of the folders or the location of the files under the predefined location.

To change the configuration, you use the Configuration Manager tool to import the relevant files back into the

database. The export and import of changes enables you to track the changes made in the configuration files. This

information can be viewed in an audit log where you can see information about the files that were changed, who

changed them, and the changes that were made.

For more information about the Configuration Manager tool, see the SAP Real-Time Offer Management

Application Guide.

Note

Documentation in the SAP Service Marketplace

You can find this document at the following address: http://service.sap.com/instguides




http://service.sap.com/instguides

www.sap.com/contactsap

Material Number


No part of this publication may be reproduced or transmitted in any

form or for any purpose without the express permission of SAP AG.

The information contained herein may be changed without prior

notice.

Some software products marketed by SAP AG and its distributors

contain proprietary software components of other software

vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered

trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System ads, System i5, System

p, System p5, System x, System z, System z10, System z9, z10, z9,

iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS,

S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise

Server, PowerVM, Power Architecture, POWER6+, POWER6,

POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,

BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2

Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX,

Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are

trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and

other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either

trademarks or registered trademarks of Adobe Systems

Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the

Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,

VideoFrame, and MultiWin are trademarks or registered

trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered

trademarks of W3C®, World Wide Web Consortium, Massachusetts

Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc.,

used under license for technology invented and implemented by

Netscape.

SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge,

ByDesign, SAP Business ByDesign, and other SAP products and

services mentioned herein as well as their respective logos are

trademarks or registered trademarks of SAP AG in Germany and in

several other countries all over the world. All other product and

service names mentioned are the trademarks of their respective

companies. Data contained in this document serves informational

purposes only. National product specifications may vary.

These materials are subject to change without notice. These

materials are provided by SAP AG and its affiliated companies

("SAP Group") for informational purposes only, without

representation or warranty of any kind, and SAP Group shall not be

liable for errors or omissions with respect to the materials. The only

warranties for SAP Group products and services are those that are

set forth in the express warranty statements accompanying such

products and services, if any. Nothing herein should be construed

as constituting an additional warranty.

Documents

SAP Real-Time Offer Management 7.1 SP02 - SAP Help … · SAP Real-Time Offer Management ... (SAP CRM) (front end and server back end), and the SAP NetWeaver Business ... accessing