SAP Multichannel Foundation For Utilities and Public Sector


Administrator's Guide for SAP for Public Sector
PUBLIC
2017-12-15

SAP Multichannel Foundation for Utilities and Public Sector
Content

1 Getting Started ...... 3
2 Installation ...... 6
3 Configuration ...... 8
4 Application Operations ...... 20
5 Security ...... 34

SAP Multichannel Foundation for Utilities and Public Sector


2 PUBLIC Content
1 Getting Started

This document is a single source of information for the implementation of SAP Multichannel Foundation for Utilities
and Public Sector. It contains implementation information, security information, and operation information only
for SAP for Public Sector. The document for utilities is on the SAP Service Marketplace under SAP for Utilities.

Related Information

For more information about implementation topics not covered in this guide, see the following content:

Table 1:

Content                                                      Location
Installation and upgrade guides                              http://service.sap.com/instguides
Released platforms and technology-related topics             http://service.sap.com/platforms
Platform availability matrix                                 http://service.sap.com/pam
Network security                                             http://service.sap.com/securityguide
High availability                                            http://sdn.sap.com/irj/sdn/ha
Performance                                                  http://service.sap.com/performance
Support package stacks, latest software versions, patches    http://service.sap.com/sp-stacks
Unicode technology                                           http://sdn.sap.com/irj/sdn/i18n
SAP Notes                                                    http://service.sap.com/notes
SAP Software Distribution Center                             http://service.sap.com/swdc
SAP Online Knowledge Products                                http://service.sap.com/rkt

Related Guides

For more information about relevant applications, see the following content:

Table 2:

Title                                              Location
SAP NetWeaver 7.0 Master Guide                     http://service.sap.com/installNW70
SAP NetWeaver Technical Operations Guide           http://help.sap.com/nw74, System Administration and Maintenance Information
SAP NetWeaver Gateway Security Guide               http://help.sap.com/nwgateway, Security Information
SAP NetWeaver Gateway Technical Operations Guide   http://help.sap.com/nwgateway, System Administration and Maintenance Information

SAP Notes

You must read and implement the following SAP Notes before you start the installation. These SAP Notes contain
the most recent information and are prerequisites for installing SAP Multichannel Foundation for Utilities and Public
Sector.

You can find the most current versions of the SAP Notes at http://service.sap.com/notes.

Table 3:

Number      Title
1942072     SAP NetWeaver Gateway 2.0 Support Package Stack
1964240 *   User Self Service: Check Password Security Policy Fixes
1988794 *   User Self Service Enhancement: Resetting Password Using Email ID of the User
2000713 *   User Self Service: User is Unable to Change the Password
2004762 *   User Self Service: Reset Credentials with Autogenerated Password
2025549 *   User Self Service: Improving the Error Message Shown to End User
2028105 *   User Self Service: Short Dump While Checking Password
2287733     Collective Fixes for Both Backend and UI for Multichannel Utilities for Public Sector SP06
2319282     Collective Fixes for Both Backend and UI for Multichannel Utilities for Public Sector SP07
2358650     Collective Fixes for Both Backend and UI for Multichannel Utilities for Public Sector SP08

Note
* These SAP Notes are required if you have installed IW_BEP SP08 or the corresponding SAP_GWFND support
pack.

Recommendation
We recommend that you implement the following SAP Notes:

Table 4:

Number      Title
1509851     ICF Logoff Service with Redirect URL
853878      HTTP WhiteList Check (security)

2 Installation

SAP ERP Server

1. You need to install SAP Public Sector Collection and Disbursement (PSCD)/Tax and Revenue Management
(TRM) based on SAP ERP 6.0 EHP5 or higher.
2. Install IW_BEP SP11. If you are installing on SAP NetWeaver 7.4, you need to install SAP_GWFND 740 SP12
instead of IW_BEP.

Note
For more information on the compatibility of the various SAP Gateway components, see SAP Note 1942072.

3. Install add-on UMCERP01.

SAP Gateway Server

1. For SAP NetWeaver versions prior to SAP NetWeaver 7.40, you need to install GW_CORE SP04 and IW_FND
SP04. If you are installing on SAP NetWeaver 7.4, you need to install SAP_GWFND SP06.

Note
For more information on the compatibility of the various SAP Gateway components, see SAP Note 1942072.

2. For SAPUI5 add-ons, install UISAPUI5 SP13 or higher and UI_INFRA SP08 or higher.

Note
UISAPUI5 and UI_INFRA can be delivered with the SAP_UI add-on. In this scenario, SAP_UI SP13 or
higher must be installed. If you installed SAP_UI 740 or higher, UISAPUI5 and UI_INFRA do not need to be
installed as they are already included.

3. Install UMCUI501 add-on.

Optional UI5 components include UI5_731 SP05 for team provider and other UI5 components depending on your
UI approach.

Hardware Sizing

An SAP Gateway sizing guide is available on the SAP Service Marketplace at http://service.sap.com/sizing. You
can also refer to the SAP ERP sizing guide. You can use the Quick Sizer tool to calculate the hardware for the system
landscape.

3 Configuration

To configure your SAP PSCD/TRM system as a standalone system, you need to maintain roles, users, and
activations in the system.

SAP NetWeaver System Settings

To ensure that online users are authenticated correctly, you need to set the correct AS profile parameters related
to HTTP security session management on AS ABAP. You use the sessions transaction to do so.

Sample values for HTTP session parameters are as follows:

● login/create_sso2_ticket=2
● login/accept_sso2_ticket=1
● login/ticketcache_off=0
● login/ticket_only_by_https=1
● icf/user_recheck=1

Note
These parameters may be different according to your session security configuration.

SAP Gateway Activation

To check whether SAP NetWeaver Gateway is activated, choose the following path in Customizing: SAP
NetWeaver Gateway > OData Channel > Configuration > Activate or Deactivate SAP NetWeaver Gateway.

Maintaining System Aliases for SAP ERP

To create system aliases for SAP ERP, proceed as follows:

1. Using the RFC destinations transaction, create trusted RFC connections to the appropriate systems.
2. On the Logon and Security tab pages, choose Current User.
3. Use the Customizing transaction SPRO and open the SAP Reference IMG.
4. Navigate to SAP NetWeaver Gateway > OData Channel > Configuration > Connection Settings > Manage
SAP System Aliases and create the system aliases for SAP ERP.

Registering Services

OData channel implementations retrieve the data from SAP Business Suite, which is a backend system. You use
the OData services that are defined by SAP. You can redefine the OData services according to your requirements.
Once an OData service is defined in the backend system, the service must be registered or activated on SAP
Gateway.

To register services in the SAP NetWeaver Gateway Hub system, proceed as follows:

1. Using the service maintenance transaction, choose Add Service.
2. Select the SAP ERP system, and then choose Get Services.
3. Add the following services:
○ USERMANAGEMENT
○ USERREQUESTMANAGEMENT
○ ERP_FMCA_MC_SRV
○ ERP_FMCA_MC_PUBLIC_SRV
4. Choose Local Object as the package in the customer namespace for the objects created during the services
registration.
5. For each registered service, choose ICF Node, and then choose Configure (SICF).
6. For additional security, navigate to the Logon Data tab page and adjust the security parameters as necessary,
for example, the SSL parameter. Select the current user on the Logon Data tab page.

Create PFCG Role for the Reference User for the SAP Gateway Hub System

To enable user self service, the system needs to be set up with users and authorizations for these users. This is a
mandatory step, since the scenario does not work if the users do not have the required authorizations. In this step,
a PFCG role must be created to grant access authorizations to relevant business processes and then assigned to
the reference user. This ensures that the user can perform the related tasks when using the services for SAP
Multichannel Foundation for Utilities and Public Sector.

Procedure

1. In the transaction PFCG, create a new single role ZMCF_REF_USR using the /IWBEP/RT_USS_INTUSR
template.
2. Add the authorization object S_SERVICE with the authorization field SRV_NAME (program, transaction or
function module name). You must ensure that the following entries exist in the category TADIR Service:

Table 5:

Program ID   Object Type   Object Name
R3TR         IWSG          ERP_FMCA_MC_SRV
R3TR         IWSG          USERMANAGEMENT

3. Add the authorization object S_RFCACL.

Note
The name of the authorization role is provided as an example only. You can choose any other name in the
customer namespace. To ensure that the object names appear in the F4 Help, you must register and activate
the OData services mentioned in the preceding table in transaction /IWFND/MAINT_SERVICE and then execute
the service in the SAP NetWeaver Gateway client. For more information, see the section Registering Services.
You must ensure that values relevant to the current business scenarios are provided for authorization objects
that do not have predefined values for authorization fields in the templates.

Note
Depending on whether external user management is to be used, it may make sense to define two reference
users. One reference user for users who are not authorized to create users and another reference user who is
allowed to create users in the SAP Gateway Hub System.

Note
If you want to use the external user management scenario, you must add additional authorization objects that
allow you to create or maintain users in the gateway server. This process can be triggered from the ERP system.

Create Reference User in SAP Gateway Hub System

Procedure

To enable user self service, the system needs to be set up with users and the required authorization for those
users. Users also have to be created and maintained using SAP NetWeaver ABAP AS User Management, using
transaction SU01. A reference user is a standard SAP user with the “Reference” user type created in the SAP
Gateway Hub and also in SAP Business Suite System with the IWBEP add-on. This user is used by the user
management service as a template to create other users in the system.

1. In transaction SU01, create user MCF_REF_USR.

Note
The name of the user is provided as an example. You can use any other name, but you must make sure that
the same name is maintained for the service in transaction SICF.

2. On the Logon Data tab page, specify the user’s type as Dialog User.
3. Specify the alias for the user as MCF_REFERENCE_USER.
4. On the Roles tab page, assign the role ZMCF_REF_USR created previously and save it.

Creating Users in SAP ERP

1. Create a role containing the authorizations for your scenario. The following list contains the required
authorization objects for the UI template to work without further modification.

Table 6:

Object                                                          Technical Name
Authorization check for RFC user                                S_RFCACL
Authorization object for trusted-trusting system definition     S_RFC_TT
Business partner: BP roles                                      B_BUPA_RLT
Business partner relationships: Relationship categories         B_BUPR_BZT
Banks: general maintenance authorization                        F_BNKA_MAN
Banks: general maintenance authorization by country             F_BNKA_MAO
Authorization check for RFC access                              S_RFC
Authorization encryption card master                            B_CARD_SEC
Check at start of external services                             S_SERVICE
Transaction code check at transaction start                     S_TCODE
BC-SRV-KPR-BDS: authorizations for document set                 S_BDS_DS
ArchiveLink: authorizations for access to documents             S_WFAR_OBJ
Partner contact management                                      B_PCONTACT
Authorization object for the activities (EBPP)                  F_ACT_EBPP
FICA document management service: Company code areas            F_KKDM_BUK
FICA document management service: Document type                 F_KKDM_DOT
Authorization for interest posting                              F_KKINTER
FICA doc in contract accts rec and pay: CoCode authorization    F_KKKO_BUK
FICA doc in contract accts rec and pay: business area auth      F_KKKO_GSB
FICA contract account: company code authorization               F_KKVK_BUK
FICA contract acct: contract acct type authorization            F_KKVK_VKT
FICA special functions for FSCM biller direct                   F_KK_EBPP
FICA special functions                                          F_KK_SOND
PSCD document: contract object type authorization               F_PSDO_VGT
PSCD facts: fact type parts                                     F_PSFA_CAT
PSCD facts: authorization for a fact set                        F_PSFA_SET
PSCD facts: fact set parts                                      F_PSFA_TYP
Authorization object public sector form handling, FB type       F_PSFH_FBT
Authorization object public sector, form handling, form view    F_PSFH_FVW
Authorization object public sector form handling, status        F_PSFH_STA
PSCD contract object: object type authorization                 F_PSOB_VGT
Payment cards                                                   B_CCARD
Unmasked display of credit card numbers                         B_CCSEC
SAP gateway: User self service management                       /IWBEP/URB
Authorizations: Role check                                      S_USER_AGR
User master maintenance: User groups                            S_USER_GRP
User master maintenance: Authorization profile                  S_USER_PRO
User master maintenance: System-specific assignments *          S_USER_SAS

* You use either authorization object S_USER_SAS or (S_USER_AGR, S_USER_GRP, S_USER_PRO).


Make the following entries for the authorization object S_SERVICE and authorization field SRV_NAME in the
category TADIR Service:

Table 7:

Program ID   Object Type   Object Name
R3TR         IWSV          ERP_FMCA_MC_SRV
R3TR         IWSV          /IWBEP/USERMANAGEMENT

2. Using the user maintenance transaction, create the MCF users with the user type Communications Data.
3. Using function module FMCA_MC_USER_CREATE, link your user to its corresponding business partner ID. If the
business partner ID does not exist, use transaction FPP1 to enter the respective user details and save. This
generates the business partner ID.

Business Configuration

Use transaction SCPR20 to activate the BC set FMCA_MC_SETTING, if the BC set has not already been activated.

This generates sample configuration entries for the Customizing step SAP Multichannel Foundation for Utilities
and Public Sector > Maintain Settings for Business Processes.

Activating a Forgotten Password

To activate the forgotten password function, perform the following steps:

Create PFCG Role for Service User for SAP Gateway Hub System

To enable user self service, the system needs to be set up with users and authorizations for those users. This is a
mandatory step, since the scenario does not work if the users do not have the required authorizations. In this step,
a PFCG role must be created to grant access authorizations to relevant business processes and then assigned to
the service user. This ensures that the user can perform the related tasks when using the services for SAP
Multichannel Foundation for Utilities and Public Sector.

Procedure

1. In transaction PFCG, create a new role ZMCF_FORGOTTEN_PW_USER.
2. Add the required authorization objects:
○ /IWFND/SRV
○ S_SECPOL
○ S_TCODE
○ S_RFCACL
○ S_RFC_TT
○ S_RFC
○ S_SERVICE
3. You must ensure that the following entries exist for the authorization object S_SERVICE and authorization
field SRV_NAME (program, transaction or function module name):

Table 8:

Program ID   Object Type   Object Name
R3TR         IWSG          USERREQUESTMANAGEMENT

Note
The name of the authorization role is provided as an example only. You can choose any other name in the
“customer namespace”.

To ensure that the object names appear in the F4 Help, you must register and activate the OData Services
mentioned in the preceding table in the transaction /IWFND/MAINT_SERVICE and then execute the service
in the SAP NetWeaver Gateway client. For more information, see Registering Services.

4. Limit the authorization values for all authorization objects to the necessary values relevant to the required
business scenario.

Create PFCG Role for Service User in the SAP ERP System

To enable user self service, the system needs to be set up with users and authorization for those users. This is a
mandatory step, since the scenario does not work if the users do not have the required authorizations. In this step,
a PFCG role has to be created to grant access authorizations to relevant business processes and assigned to the
service user. This ensures that the user can perform the related tasks when using the services for SAP
Multichannel Foundation for Utilities and Public Sector.

Procedure

1. In the transaction PFCG, create a new role ZMCF_FORGOTTEN_PW_USER using the template
/IWBEP/RT_USS_SRVUSR.
2. You must ensure that the following entries exist for the authorization object S_SERVICE and authorization
field SRV_NAME (program, transaction or function module name):
○ Program ID: R3TR
○ Object Type: IWSV
○ Object Name: /IWBEP/USERREQUESTMANAGEMENT 0001
3. Limit the authorization values for all authorization objects to the necessary values relevant to the current
business scenarios.
4. Check Customizing using the transaction SPRO under the path SAP NetWeaver > Application Server > System
Administration > Users and Authorizations > Set Customizing Switch in Table PRGN_CUST. If
CHECK_S_USER_SAS is specified as YES, the authorization object S_USER_SAS must be manually added to
the PFCG role for the service user.

Create Service User in SAP Gateway Hub System

Procedure

To enable user self service, the system needs to be set up with users and the required authorizations for those
users. Users also have to be created and maintained using SAP NetWeaver ABAP AS User Management, using
transaction SU01. A service user is a standard SAP user with the “Service” user type created in the SAP Gateway
Hub and also in the SAP Business Suite System with the IWBEP add-on. A service user should be able to access
the OData service /IWBEP/USERREQUESTMANAGEMENT.

1. In transaction SU01, create the user MCF_SRV_USR1.

Note
The name of the user is provided as an example. You can use any other name, but you must make sure that
the same name is maintained for the service in transaction SICF.

2. On the Logon Data tab page, specify the user’s type as Dialog User.
3. On the Roles tab page, assign the role ZMCF_FORGOTTEN_PW_USER created previously.

Create Service User in the SAP ERP System

To enable user self service, the system needs to be set up with users and the required authorization for those
users. Users also have to be created and maintained using SAP NetWeaver ABAP AS User Management, using
transaction SU01. A service user is a standard SAP user with the “Service” user type created in the Gateway Hub
and also in SAP Business Suite System with the IWBEP add-on. A service user should be able to access the OData
service /IWBEP/USERREQUESTMANAGEMENT_0001.

Procedure

1. In transaction SU01, create the user MCF_SRV_USR1.

Note
The name of the user is provided as an example. You can use any other name, but you must make sure that
the same name is maintained for the service in transaction SICF.

2. On the Logon Data tab page, specify the user’s type as S - Service.
3. On the Roles tab page, assign the role ZMCF_FORGOTTEN_PW_USER created previously.

Set Service User in SICF Node for Public OData Services

Procedure

To define the service user in the ICF Node for USERREQUESTMANAGEMENT, proceed as follows:

1. In transaction SICF, find the node /default_host/sap/opu/odata/sap/USERREQUESTMANAGEMENT.
2. Under Logon Data, specify logon settings for the SAP Gateway Hub system for the service user:
○ Client: SAP Gateway Hub system client
○ User: MCF_SRV_USR1
○ Password: MCF_SRV_USR1 user’s password
3. Disable Cross-Site Request Forgery (CSRF) validation for the USERREQUESTMANAGEMENT ICF node, since the
service is executed in the context of the service user. To disable CSRF validation on the Service Data tab page of
the ICF node, select GUI Configuration and add the parameter ~CHECK_CSRF_TOKEN with value 0.

Activating Anonymous Form Submission or Payments

To activate the anonymous form submission or payments, perform the following steps:

Create PFCG Role for Service User for SAP Gateway Hub System

To enable user self service, the system needs to be set up with users and authorizations for those users. This is a
mandatory step, since the scenario does not work if the users do not have the required authorizations. In this step,
a PFCG role must be created to grant access authorizations to relevant business processes and then assigned to
the service user. This ensures that the user can perform the related tasks when using the services for SAP
Multichannel Foundation for Utilities and Public Sector.

Procedure

1. In transaction PFCG, create a new role ZMCF_ANONY_SERV_USER.
2. Add the required authorization objects:
○ /IWFND/SRV
○ S_SECPOL
○ S_TCODE
○ S_RFCACL
○ S_RFC_TT
○ S_RFC
○ S_SERVICE

3. You must ensure that the following entries exist for the authorization object S_SERVICE and authorization
field SRV_NAME (program, transaction or function module name) in the category TADIR Service:

Table 9:

Program ID   Object Type   Object Name
R3TR         IWSG          ERP_FMCA_MC_PUBLIC_SRV

Note
The name of the authorization role is provided as an example only. You can choose any other name in the
“customer namespace”.

To ensure that the object names appear in the F4 Help, you must register and activate the OData services
mentioned in the preceding table in transaction /IWFND/MAINT_SERVICE and then execute the service in
the SAP NetWeaver Gateway client. For more information, see Registering Services.

4. Limit the authorization values for all authorization objects to the necessary values relevant to the required
business scenario.

Create PFCG Role for Service User in the SAP ERP System

To enable user self service, the system needs to be set up with users and authorization for those users. This is a
mandatory step, since the scenario does not work if the users do not have the required authorizations. In this step,
a PFCG role has to be created to grant access authorizations to relevant business processes and assigned to the
service user. This ensures that the user can perform the related tasks when using the services for SAP
Multichannel Foundation for Utilities and Public Sector.

Procedure

1. In transaction PFCG, create a new role ZMCF_ANONY_SERV_USER.
2. You must ensure that the following entries exist for the authorization object S_SERVICE and authorization
field SRV_NAME (program, transaction or function module name) in the category TADIR Service:
○ Program ID: R3TR
○ Object Type: IWSV
○ Object Name: ERP_FMCA_MC_PUBLIC_SRV 0001
3. Add the following authorization objects:

Table 10:

Object                                                                           Technical Name
Authorization check for RFC user                                                 S_RFC
Authorization check for RFC user (for example, trusted system)                   S_RFCACL
BC-SRV-KPR-BDS: Authorizations for document set                                  S_BDS_DS
Authorization object for the activities (EBPP)                                   F_ACT_EBPP
General ledger: Authorization for segment                                        F_FAGL_SEG
FI-CA document in contract accounts rec. and pay.: CoCode authorization          F_KKKO_BUK
FI-CA document in contract accounts rec. and pay.: Business area authorization   F_KKKO_GSB
FI-CA contract account: Company code authorization                               F_KKVK_BUK
FI-CA contract account: Contract account type authorization                      F_KKVK_VKT
FI-CA special functions for FSCM biller direct                                   F_KK_EBPP
FI-CA processing locks                                                           F_KK_LOCK
PSCD document: Contract object type authorization                                F_PSDO_VGT
Authorization object public sector form handling, F.B type                       F_PSFH_FBT
Authorization object public sector form handling, Form view                      F_PSFH_FVW
Authorization object public sector form handling, Status                         F_PSFH_STA

4. Limit the authorization values for all authorization objects to the necessary values relevant to the required
business scenarios.

Create Service User in SAP Gateway Hub System

Procedure

To enable user self service, the system needs to be set up with users and the required authorizations for those
users. Users also have to be created and maintained using SAP NetWeaver ABAP AS User Management, using
transaction SU01. A service user is a standard SAP user with the “Service” user type created in the SAP Gateway
Hub and also in the SAP Business Suite System with the IWBEP add-on. A service user should be able to access
the OData service ERP_FMCA_MC_PUBLIC_SRV.

1. In transaction SU01, create the user MCF_SRV_USR2.

Note
The name of the user is provided as an example. You can use any other name of your choice but you must
make sure that the same name is maintained for the service in transaction SICF.

2. On the Logon Data tab page, specify the user’s type as Dialog User.
3. On the Roles tab page, assign the role ZMCF_ANONY_SERV_USER created previously.

Create Service User in the SAP ERP System

To execute the user self service, the system needs to be set up with users and the required authorization for those
users. Users also have to be created and maintained through SAP NetWeaver ABAP AS User Management, using
transaction SU01. A service user is a standard SAP user with the “Service” user type created in the Gateway Hub
and also in SAP Business Suite System with the IWBEP add-on. A service user should be able to access the OData
service ERP_FMCA_MC_PUBLIC_SRV_0001.

Procedure

1. In transaction SU01, create user MCF_SRV_USR2.

Note
The name of the user is provided as an example. You can use any other name, but you must make sure that
the same name is maintained for the service in transaction SICF.

2. On the Logon Data tab page, specify the user’s type as S - Service.
3. On the Roles tab page, assign the role ZMCF_ANONY_SERV_USER created previously.

Note
If you want to send a confirmation e-mail after an anonymous payment or form submission, maintain an e-
mail address for the service user.

Set Service User in SICF Node for Public OData Services

Procedure

To define the service user in the ICF Node for ERP_FMCA_MC_PUBLIC_SRV, proceed as follows:

1. In transaction SICF, find the node /default_host/sap/opu/odata/sap/ERP_FMCA_MC_PUBLIC_SRV.
2. Under Logon Data, specify logon settings for the SAP Gateway Hub system for the service user:
○ Client: SAP Gateway Hub system client
○ User: MCF_SRV_USR2
○ Password: MCF_SRV_USR2 user’s password
3. Disable Cross-Site Request Forgery (CSRF) validation for the ERP_FMCA_MC_PUBLIC_SRV ICF node, since the
service is executed in the context of the service user. To disable CSRF validation on the Service Data tab page of
the ICF node, select GUI Configuration and add the parameter ~CHECK_CSRF_TOKEN with the value 0, and add
the parameter SYSTEMCOOKIESDATAPROTECTION and set its value to true.
4. In transaction SICF, find the node /default_host/sap/bc/ui5_ui5/sap/mcf_fmca and set the client
value to the gateway hub system client.

External User Management

Setting up external user management is included in Customizing under the path Public Sector Management >
SAP Multichannel Foundation for Utilities and Public Sector > Maintain Settings for External User Management.

For more information, see http://help.sap.com/nwgateway .

Quick Testing of OData Services ERP_FMCA_MC

Procedure

It is sometimes necessary to perform a quick test on OData services to see how the entities work. By performing
the following steps, you can test OData services with your user using the SAP Gateway client or Google Chrome’s
Advanced Rest client:

Note
You must ensure that you have a user with the same username in transaction SU01 in the SAP Gateway Hub and
SAP ERP systems.

1. Use transaction SU01 in the SAP ERP system, open your user, and select Goto References in the menu.
2. Create a new reference for your user, and set the object type to BUS1006.
3. Set the key to the business partner ID which has test data that you want to use to test the OData services.
4. In the SAP Gateway client, execute a GET request on the ERP_FMCA_MC service for the OData entity Account.

You should receive the data for the business partner that you assigned to yourself when performing the GET
account.

If you did not receive the data, perform an analysis on the user authorization log in transaction SU53 to see if you
are missing any authorizations for your user.

Note
You must ensure that the test user does not exist in the production environment.

4 Application Operations

SAP Multichannel Foundation for Utilities and Public Sector is delivered with a default project for OData Services.
The default project is called ERP_FMCA_MC and you can modify it by accessing the data model and creating
additional entities, entity attributes, and navigation properties. You can create your own project.

You use the BAdI definition FMCA_MC_ODATA to create new or modify existing OData entity implementations. The
purpose of this BAdI is to provide an implementation specific to the entity name. The base class of implementation
classes for all entities is CL_ISU_UMC_ODATA_ABSTRACT.

By default, all BAdI implementations are active and flagged as default implementations. The default
implementation is executed automatically. This BAdI is filter-dependent, and the filter is based on the name of the
entity. For example, the filter for the account entity is ENTITY_NAME=Account.

SAP Gateway Service Model Extensibility in SAP ERP

As mentioned in an earlier section, the extensibility of SAP Multichannel for Utilities and Public Sector is based on
the BAdI FMCA_MC_ODATA. SAP standard delivery consists of two OData services in SAP ERP, namely,
ERP_FMCA_MC and ERP_FMCA_MC_PUBLIC_SRV.

In the standard delivery we follow the rules listed below:

1. If the BAdI implementation of an entity is identical for both ERP_FMCA_MC and ERP_FMCA_MC_PUBLIC_SRV,
the BAdI implementation only maintains filter entity_name = requested entity, for example Account.
2. If an entity has different BAdI implementations for ERP_FMCA_MC and ERP_FMCA_MC_PUBLIC_SRV, then the
implementation for ERP_FMCA_MC_PUBLIC_SRV maintains the filters service_name =
ERP_FMCA_MC_PUBLIC_SRV and entity_name = requested entity, while the implementation for
ERP_FMCA_MC maintains the filters entity_name = requested entity and service_name <>
ERP_FMCA_MC_PUBLIC_SRV.

Therefore, when you extend ERP_FMCA_MC to derive a Z service for the entities you choose to expose, there are
two options:

1. A new BAdI implementation is created for the entity with your own implementation class; in the BAdI
implementation filters you must maintain entity_name = requested entity and service_name = Z service.
2. No new BAdI implementation is created, and the applicable SAP implementation with the matching filter values
is called.

The SAP Gateway service model can be extended at the following different levels:
○ OData entity field extension
○ OData entity logic extension
○ Addition of new OData entities

If you want to add new fields to an entity, the following approach can be used. Each OData entity is based on a
DDIC structure that you can see by accessing the Service Builder (transaction SEGW). This DDIC structure has a
subset of fields originating from the API. The names of the fields correspond to those in the API; however, the
labels for data elements are displayed on the UI.

By creating an append structure, you can add fields from the API, and then regenerate the model in the Service
Builder. By doing so, no further coding is required for GET operations, although further adjustments may be
required for POST, PUT, and DELETE operations in the OData entity implementation class.

To overwrite standard behavior, create a new BAdI implementation with the required filter value. This
implementation is then called instead of the standard one. The BAdI definition is based on the interface
IF_ISU_UMC_ODATA_BADI. This interface has only one method get_instance, which provides an instance of a
Multichannel service implementation class to the standard data provider class (class with the suffix DPC_EXT).

You can define your own entity-based service implementation class using the inheritance from the existing class
that was assigned to the BAdI implementation. In your service implementation class, you can redefine all the
methods of both the IF_ISU_UMC_ODATA_BADI and IF_ISU_UMC_ODATA_IMPL interfaces to replace the
functions provided by SAP with your own functions.

Some implementation classes also provide additional methods that you can redefine. If your implementation is
inherited or based on the SAP standard BAdI implementation, we recommend that you call super-class methods
whenever possible. This ensures that subsequent corrections or updates delivered by SAP are integrated within
the implementation.

If a new entity is needed, you can enhance the existing SEGW model with new entities and follow the SAP BAdI
concept.

In some cases, business entity instances may logically belong together and need to be handled or processed
together in the same logical unit of work. For example, on moving out of a premise, an update of two or more
entities could be required and must be processed together in a single request (all or none). SAP Gateway can be
used to process such scenarios with its capability to execute multiple operations in a single request, including
retrieval and change. In the delivered OData Service for SAP Multichannel Foundation for Utilities and Public
Sector, batch processing is already enabled. Therefore, it is possible to use $batch to collect a fixed number of
operations (get, create, update, delete) of an OData Service in one single HTTP POST request.

Example

The following example has four GET calls in a batch.

Batch Request Header

POST /sap/opu/odata/sap/ERP_FMCA_MC_SRV/$batch
Content-Type: multipart/mixed;boundary=batch_11d6-7608-09f8

Batch Request Body

--batch_11d6-7608-09f8
Content-Type: application/http
Content-Transfer-Encoding: binary

GET Accounts('1000001530')/AccountAlerts/$count HTTP/1.1
Accept-Language: en
Accept: application/json
MaxDataServiceVersion: 2.0
DataServiceVersion: 2.0

--batch_11d6-7608-09f8
Content-Type: application/http
Content-Transfer-Encoding: binary

GET Accounts('1000001530')/ContractAccounts?$format=json&$expand=ContractAccountBalance HTTP/1.1
Accept-Language: en
Accept: application/json
MaxDataServiceVersion: 2.0
DataServiceVersion: 2.0

--batch_11d6-7608-09f8
Content-Type: application/http
Content-Transfer-Encoding: binary

GET Accounts('1000001530')/FilingObligations/$count?$filter=FormBundleSubmitted%20eq%20%27%27%20%20and%20ClearingReason%20eq%20%27%27%20 HTTP/1.1
Accept-Language: en
Accept: application/json
MaxDataServiceVersion: 2.0
DataServiceVersion: 2.0

--batch_11d6-7608-09f8
Content-Type: application/http
Content-Transfer-Encoding: binary

GET Accounts('1000001530')/FormBundles/$count?$filter=StatusID%20eq%20%27Draft%27%20 HTTP/1.1
Accept-Language: en
Accept: application/json
MaxDataServiceVersion: 2.0
DataServiceVersion: 2.0

--batch_11d6-7608-09f8--

By using batch processing, you can improve performance, since OData Service operations can be grouped in one
round trip. However, batch processing is more complex than standalone OData Service operations, and may not
always be beneficial. We suggest reviewing your use cases on an individual basis, to evaluate the benefits of batch
processing.
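The following Python is an added example, not code from the guide or from SAP: it builds the four-GET $batch body shown above and parses such a body back into its embedded requests. The parser is what a gateway administrator or log analyst needs, because the embedded request lines never appear in the outer POST's URL or in ordinary access logs; changesets (nested multipart parts for create, update and delete) are not modelled.

```python
"""Build and parse an OData V2 $batch body like the four-GET example above."""
from dataclasses import dataclass, field

CRLF = "\r\n"
BOUNDARY = "batch_11d6-7608-09f8"  # boundary used in the page's example request

# Headers carried by each embedded GET in the page's example
DEFAULT_HEADERS = {
    "Accept-Language": "en",
    "Accept": "application/json",
    "MaxDataServiceVersion": "2.0",
    "DataServiceVersion": "2.0",
}


@dataclass
class BatchRequest:
    """One retrieve operation inside a $batch body. Only body-less requests
    (GET) are modelled; changesets with nested multipart parts are not."""
    method: str
    url: str                                  # relative to the service root
    headers: dict = field(default_factory=dict)


# The four retrieve operations from the page's example, URLs unchanged
EXAMPLE_REQUESTS = [
    BatchRequest("GET", "Accounts('1000001530')/AccountAlerts/$count",
                 dict(DEFAULT_HEADERS)),
    BatchRequest("GET", "Accounts('1000001530')/ContractAccounts"
                 "?$format=json&$expand=ContractAccountBalance",
                 dict(DEFAULT_HEADERS)),
    BatchRequest("GET", "Accounts('1000001530')/FilingObligations/$count"
                 "?$filter=FormBundleSubmitted%20eq%20%27%27%20%20and%20"
                 "ClearingReason%20eq%20%27%27%20", dict(DEFAULT_HEADERS)),
    BatchRequest("GET", "Accounts('1000001530')/FormBundles/$count"
                 "?$filter=StatusID%20eq%20%27Draft%27%20", dict(DEFAULT_HEADERS)),
]


def build_batch_body(requests, boundary=BOUNDARY):
    """Serialise requests as multipart/mixed, one application/http part each."""
    parts = []
    for req in requests:
        lines = [
            f"--{boundary}",
            "Content-Type: application/http",
            "Content-Transfer-Encoding: binary",
            "",                                  # blank line closes the part headers
            f"{req.method} {req.url} HTTP/1.1",  # embedded request line
        ]
        lines.extend(f"{name}: {value}" for name, value in req.headers.items())
        lines.append("")                         # blank line closes the embedded headers
        parts.append(CRLF.join(lines))
    return CRLF.join(parts) + CRLF + f"--{boundary}--" + CRLF


def parse_batch_body(body, boundary=BOUNDARY):
    """Split a $batch body into its embedded requests.

    Raises ValueError for a part that is not application/http or that has a
    malformed request line, so a caller inspecting batch traffic can reject it.
    """
    delimiter = f"--{boundary}"
    requests = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith("--"):               # closing delimiter: --boundary--
            break
        part_headers, separator, embedded = chunk.strip(CRLF).partition(CRLF * 2)
        if not separator or "content-type: application/http" not in part_headers.lower():
            raise ValueError("batch part is not an application/http request")
        request_line, *header_lines = embedded.strip(CRLF).split(CRLF)
        fields = request_line.split(" ")
        if len(fields) != 3 or not fields[2].startswith("HTTP/"):
            raise ValueError(f"malformed request line: {request_line!r}")
        headers = dict(line.split(": ", 1) for line in header_lines if line)
        requests.append(BatchRequest(fields[0], fields[1], headers))
    return requests


if __name__ == "__main__":
    body = build_batch_body(EXAMPLE_REQUESTS)
    for req in parse_batch_body(body):  # the inner request lines the outer POST hides
        print(req.method, req.url)
```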

For more examples, see SAP Note 1869434.

If you have to execute specific business logic before processing a “changeset” in a batch, you must overwrite the
framework method /IWBEP/IF_MGW_APPL_SRV_RUNTIME~CHANGESET_BEGIN. In the implementation of SAP

Multichannel Foundation for Utilities and Public Sector OData Services, this method was redefined in the class
CL_ERP_FMCA_MC_DPC_EXT.

For example, the redefined method sets a flag for each session to indicate the batch mode that will be used by the
SAP Multichannel Foundation for Utilities and Public Sector redefined /IWBEP/IF_MGW_APPL_SRV_RUNTIME
methods at a subsequent stage. CREATE_ENTITY is one such example; it also performs a basic validation of whether
an operation is allowed in a batch process. This is necessary because SAP Gateway is solely responsible for commit
and rollback in batch processing, so an operation that uses an API with its own commit or rollback logic should not
be included in a batch. /IWBEP/IF_MGW_APPL_SRV_RUNTIME~CHANGESET_END can be redefined for logic that runs
after a changeset is processed.

Recommendation
SAP recommends you use batch processing in the SAPUI5 Web application.

Consuming OData Batch Requests from SAPUI5

Since the SAPUI5 control ODataModel supports batch processing, SAPUI5 applications can consume the OData
service in batches. You might need to use one or more of the following methods:

● addBatchChangeOperations
● clearBatch
● addBatchReadOperations
● createBatchOperation
● setUseBatch

For more information about ODataModel, see http://sapui5.hana.ondemand.com/sdk/#docs/api/symbols/sap.ui.model.odata.ODataModel.html.

The following code snippet is an example of a batch request from the SAP Multichannel Foundation for Utilities and
Public Sector Application.

Error Message Handling

Error message handling in SAP Multichannel Foundation for Utilities and Public Sector follows OData protocol and
SAP Gateway approaches. OData entities should return standardized HTTP codes to inform the client about the
status of the request.

SAP Gateway runtime checks that the payload and resource URL are consistent. For example, when a character
field is provided, the runtime returns an error with HTTP code 500. If a resource is addressed incorrectly, the
runtime produces the HTTP status code 500 again.

For other error situations, service implementation needs to provide error handling. If a technical exception is
raised, HTTP status code is 500 (server error) with an exception message appended to it; if it is a business-related
application error, the HTTP code is 400. Each entity calls a certain API or BAPI to execute business logic and this
API returns a list of error messages propagated using SAP Gateway in the payload.

The following table describes various error situations and the associated HTTP status codes:

Table 11:

Scenario | Sample Request | Response Behavior | Handling Level*
Authorization failure on accessing an entity with a wrong key | GET Accounts('X') | 404 not found with no specific error message | Service implementation
GET entity by key not found | GET Accounts('X') | 404 not found with no specific error message | Entity implementation
GET entity set not found | GET Invoices | 200 with empty payload | Entity implementation
GET with navigation A('x')/B not found | GET Accounts('X')/StandardAccountAddress | 200 with empty payload | Service implementation
POST | POST AccountAddressDependentEmail | 404 not found due to authorization issues; 400 bad request due to business logic issues; 201 created on success, with the newly created entity returned in the payload | Entity implementation
UPDATE | UPDATE AccountAddressDependentEmail | 404 not found due to authorization issues; 400 bad request due to business logic issues; 200 on success, with the updated entity returned in the payload | Entity implementation
DELETE | DELETE AccountAddressDependentEmail | 404 not found due to authorization issues; 400 bad request due to business logic issues; 204 no content on success | Entity implementation
Expand on entities that do not have keys filled in the source entity, A('x')?$expand=B,C | GET Accounts('X')?$expand=AccountAddressDependentEmail,AccountAddressDependentPhone | Entities for which keys are not filled in the source are ignored; the payload is still returned with 200 | Service implementation
Not properly formed URL or payload | GET Accounts('X')/NotExistingResource | 500 server error with a specific error message | SAP Gateway

*Handling levels are as follows:

● SAP Gateway runtime
● Service implementation (data provider and abstract classes from which all entities inherit)
● Entity implementation (specific OData entity implementation class)

It is possible to change the error logic for a specific entity by redefining the methods HANDLE_BUSINESS_ERROR
or HANDLE_TECHNICAL_ERROR where a mapping can be provided from API error messages to friendly messages
on the UI. Alternatively, to implement a generic mapping for error messages for all entities, you can define an
implicit enhancement point at the start of the methods HANDLE_BUSINESS_ERROR and
HANDLE_TECHNICAL_ERROR in the abstract class CL_ISU_UMC_ODATA_ABSTRACT.

SAP Multichannel Foundation for Utilities and Public Sector Solution Monitoring

Monitoring is an essential task in managing SAP technology.

Alert Monitoring

To monitor errors and alert messages in SAP Gateway and in the backend systems, use the error log transactions.

Trace and Log Files

Trace files and log files are essential for analyzing problems. SAP Multichannel Foundation for Utilities and Public
Sector follows the approach used by SAP NetWeaver Gateway.

For more information, see http://help.sap.com/nwgateway.

SAP Multichannel Foundation for Utilities and Public Sector Management

SAP provides you with an infrastructure to help your technical support consultants and system administrators
effectively manage all SAP components and complete all tasks related to technical administration and operation.

For more information, see http://help.sap.com/netweaver.

Certain components or scenarios used by this application can be configured and tools are available for adjusting
these components.

For more information, see http://help.sap.com/nwgateway.

SAP UI5 Sample Application Configuration

When you install the add-on UMCUI501 for SAP Gateway, you receive a sample SAP UI5 application,
FMCAUI5_MOBILE. This is an example of how OData services are consumed within SAP Multichannel Foundation
for Utilities and Public Sector.

You must be running the following SAPUI5-related add-ons:

● UISAPUI5 (with this add-on, the SAP UI5 JavaScript library is installed)
● UI_INFRA
● Optional SAP UI5 components UI5_731 SP5 for team provider and other SAP UI5 components depending on
the UI implementation approach

FMCAUI5_MOBILE Application

The FMCAUI5_MOBILE application is stored as a BSP application under the MIME repository
path /sap/bc/bsp/sap/FMCAUI5_MOBILE. It contains a set of CSS, HTML, and JavaScript files packaged into a
BSP application and uploaded to the server using a team provider Eclipse plugin. To copy the application and
upload it to the server again, you use report /UI5/UI5_REPOSITORY_LOAD.

SAP NetWeaver Gateway Service Configuration

The FMCAUI5_MOBILE application calls OData services from SAP ERP; therefore, the ERP_FMCA_MC_SRV and
/IWBEP/USERMANAGEMENT services need to be configured to point to a backend system (SAP system alias) using
the service maintenance transaction in SAP NetWeaver Gateway.

For more information, see http://help.sap.com/nwgateway.

FMCAUI5_MOBILE Public Application

The logon application is stored under the MIME repository path /sap/public/bc/ui2/fmcaui5_mobile_logon.
The application HTML, image and JavaScript files are loaded manually into the MIME repository. The SAP
NetWeaver Server loads the logon UI dynamically when the browser hits the index.html page of the
FMCAUI5_MOBILE application.

Figure 1: File content of application that is loaded into browser

Logon Configuration

The HTML logon page is prepared dynamically as a server response by the ABAP class /UI2/CL_SRA_LOGIN. It is
set under Error Pages > Logon Errors > System Logon Configuration > Logon Layout and Procedure > Custom
Implementation in the SICF configuration for the node /default_host/sap/bc/ui5_ui5/sap/fmcaui5_mobile.

For more information about SICF configuration, see http://help.sap.com/nwgateway.

Logon Logic

Figure 2: Logon Logic

When the browser accesses the path of the SAP UI5 application, a request is sent to the server; the request is
processed based on the SICF Customizing for SAP UI5 Web applications. This Customizing mentions the
availability of a custom implementation for the logon layout and procedure, and the HTM_LOGIN method of the
/UI2/CL_SRA_LOGIN class is executed. It searches for the login.properties file in the FMCAUI5_MOBILE Web
application directory. In the login.properties file, it searches for a way to load the template_login page (see
screenshot below).

Figure 3: Login Properties File

The template_login page represents an HTML page with certain parameters that are dynamically set and the
final HTML page is provided to the browser.

The following code snippet is from the template_login.html page supplied with the sample application:

Figure 4: Code Sample from template_login.html page

Note
@sys_form_name_login and all items that start with @ are the parameters that are replaced during runtime by
the HTM_LOGIN method of the /UI2/CL_SRA_LOGIN class.

Users are only logged in once they have entered their user ID and password and choose the log-on option. A form
is prepared with certain set fields in the client and is posted to the server. If authentication is completed
successfully, the user is brought to the index.html page of the Web application. If it fails, error messages are
returned instead of the parameter @sys_messages_text and shown on the UI.

Logout Configuration

There is no specific logout page. SAP UI5 needs to execute navigation to the standard logout ICF node
/sap/public/bc/icf/logoff with a redirect URL. You can define an external alias for this ICF node with the same
name for which you define a logout redirect (Error Pages > Logoff Page > Redirect to URL). This affects the
entire server.

For more information about the logout redirect, see SAP Note 1509851. We recommend applying an HTTP
whitelist as described in SAP Note 853878.

Note
Not all log out functionality is available in releases prior to SAP NetWeaver 7.02.

UMCUI5_MOBILE Foundation Application

The foundation application is stored under the MIME repository path /sap/public/bc/ui2/umcui5_mobile_foundation.
The foundation files are loaded manually into the MIME repository. The foundation JavaScript library is required
by both the private and public applications.

Custom UI Theme

To apply a custom theme for the SAPUI5 mobile application, execute the JavaScript code
sap.ui.getCore().applyTheme("myThemeName");

An example of the dynamic theme switch is in the ActionSheetController.js file in the home component for
the responsive UI.

5 Security

This section provides security-relevant information applicable to SAP Multichannel Foundation for Utilities and
Public Sector. The system landscape of SAP Multichannel Foundation for Utilities and Public Sector is built from
SAP ERP and SAP NetWeaver Gateway so the corresponding security guides apply.

Technical System Landscape

The following figure illustrates the technical system landscape for SAP Multichannel Foundation for Utilities and
Public Sector.

Figure 5: Technical System Landscape for SAP Multichannel Foundation for Utilities and Public Sector

UMCERP01 is the SAP ERP add-on that groups business processes. A sample SAPUI5 template is hosted on the
SAP NetWeaver Gateway. The UI application communicates with the SAP NetWeaver Gateway using OData
protocol. The SAP NetWeaver Gateway dispatches the calls to specific backend systems.

Data, Data Flow, and Processes

The following figure illustrates the data flow when a user logs onto SAP Multichannel Foundation for Utilities and
Public Sector.

Figure 6: Data Flow

The following table lists the security aspects to consider for each process step.

Table 12:

Step | Description | Security Measure
1 | User logs on with user name and password | HTTPS communication protocol
2 | User credentials sent | SAP NetWeaver user management
3 | Retrieves user accounts | Communication using HTTPS and synchronous RFC to trusted destination

Recommendation
To protect users from being locked after several failed login attempts, we recommend that you set the
parameter login/failed_user_auto_unlock to remove user locks at midnight. This is maintained in the
CCMS profile maintenance tool.

For more information, see SAP NetWeaver at http://help.sap.com/nw_platform.

User Administration and Authentication

SAP Multichannel Foundation for Utilities and Public Sector adopts the user management and authentication
mechanisms provided by SAP NetWeaver, specifically SAP NetWeaver Application Server ABAP (SAP NW AS
ABAP). Therefore, the security recommendations and guidelines for user administration and authentication as
described in the SAP NetWeaver Application Server ABAP Security Guide apply to this solution. The SAP
NetWeaver Application Server ABAP Security Guide contains the following information:

● User management concept, tools, and required users
● User authentication and single sign-on
● Authorization and roles

Starting from SAP NetWeaver Gateway SP07, a set of OData services is available that exposes some of the
functionality of SAP NetWeaver User Management and enhances it with User Request Management, which allows
online users to request the creation of user accounts.

User Creation and Activation for Standalone SAP ERP

When you create users on the SAP Gateway system and on the application backend system, the main user record
is stored in SAP Gateway with an active password and communications data user type. Users with the same name
are created in SAP ERP with no password and a communications data user type.

Users in the Back End Systems and SAP Gateway

Application users are relevant for the backend system.

In the SAP backend systems, users are created without a password. This protects the users against incorrect or
insecure password handling. Users also require a user ID for the SAP Gateway layer. They must have the same user
name as the users in the backend system. The user authorizations trigger the application services in the backend
system.

By default, all application users are created with the same username in SAP Gateway and in the backend systems.

SAP Multichannel Foundation for Utilities and Public Sector does not use single sign-on (SSO). SAP NetWeaver
provides SSO so customers may use it if necessary.

For more information, see SAP NetWeaver at http://help.sap.com/nw_platform,
http://help.sap.com/nwgateway, and http://help.sap.com/netweaver.

Password Rules and Security Policy

Password rules define what form a password can take in SAP NetWeaver Application Server (SAP NetWeaver AS)
ABAP. Some rules are predefined in the system, while others you can configure with the security policy or with
profile parameters.

For more information, see http://help.sap.com/nw_platform, and then choose Identity Management > User
and Role Administration of Application Server ABAP > Configuration of User and Role Administration > First
Installation Procedure > Logon and Password Security in SAP NetWeaver Application Server ABAP > Password
Rules.

Authorizations

SAP Multichannel Foundation for Utilities and Public Sector uses the authorization concept provided by SAP
NetWeaver Application Server ABAP. The recommendations and guidelines for authorizations as described in the
SAP NetWeaver Application Server ABAP Security Guide apply to SAP Multichannel Foundation for Utilities and
Public Sector. The SAP NetWeaver authorization concept is based on assigning authorizations to users based on
roles. For role maintenance, use the profile generator transaction on the Application Server ABAP (AS ABAP).

Session Security Protection

For SAP NetWeaver 7.0 and higher, we recommend you activate HTTP security session management using the
respective transaction. In particular, it is recommended that you activate extra protection of security-related
cookies.

● The HttpOnly flag instructs the browser to deny access to the cookie through client side script. As a result,
even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the
browser does not reveal the cookie to a third party.
● The secure flag tells the browser to send the cookie only if the request is being sent over a secure channel,
such as HTTPS. This helps protect the cookie from being passed over unencrypted requests.

You configure these additional flags with the following profile parameters:

Table 13:

Profile Parameter | Recommended Value | Description | Comment
icf/set_HTTPonly_flag_on_cookies | 0 | Add HttpOnly flag | Client-dependent
login/ticket_only_by_https | 1 | Add Secure flag | Client-independent
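As an added verification example (not part of the guide or of SAP's delivery), the following Python inspects the Set-Cookie headers of a logon response and reports security-relevant cookies that lack the HttpOnly or Secure flag described above, together with the profile parameter from the table to review. The cookie names SAP_SESSIONID_<SID>_<client> and MYSAPSSO2 are SAP NetWeaver's standard security session and logon ticket cookies and are not taken from this page; the sample headers are constructed.

```python
"""Check Set-Cookie headers for the HttpOnly and Secure flags recommended above."""
import re

# Security-relevant SAP cookies: the HTTP security session cookie
# SAP_SESSIONID_<SID>_<client> and the logon ticket cookie MYSAPSSO2 (standard
# SAP NetWeaver names, assumed here; adjust if your landscape renames them).
SENSITIVE_COOKIE_PATTERNS = (
    re.compile(r"^SAP_SESSIONID_[A-Z0-9]+_\d{3}$"),
    re.compile(r"^MYSAPSSO2$"),
)

# Profile parameter that the guide's table associates with each flag
FLAG_TO_PARAMETER = {
    "httponly": "icf/set_HTTPonly_flag_on_cookies",
    "secure": "login/ticket_only_by_https",
}


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (cookie name, attribute dict).

    Attribute names are lower-cased because browsers match them
    case-insensitively; valueless attributes (HttpOnly, Secure) map to True.
    """
    segments = [segment.strip() for segment in header_value.split(";")]
    name, _, _value = segments[0].partition("=")   # only the first '=' separates name and value
    attributes = {}
    for segment in segments[1:]:
        key, has_value, value = segment.partition("=")
        if key.strip():
            attributes[key.strip().lower()] = value.strip() if has_value else True
    return name.strip(), attributes


def is_sensitive_cookie(name):
    """True for the session and logon ticket cookies the flags must protect."""
    return any(pattern.match(name) for pattern in SENSITIVE_COOKIE_PATTERNS)


def check_set_cookie_headers(header_values):
    """Return findings as (cookie name, missing flag, profile parameter to review)
    for every sensitive cookie that lacks HttpOnly or Secure."""
    findings = []
    for header_value in header_values:
        name, attributes = parse_set_cookie(header_value)
        if not is_sensitive_cookie(name):
            continue
        for flag in ("httponly", "secure"):
            if attributes.get(flag) is not True:
                findings.append((name, flag, FLAG_TO_PARAMETER[flag]))
    return findings


# Constructed Set-Cookie values for illustration, not captured from a real system.
SAMPLE_SET_COOKIE_HEADERS = [
    "SAP_SESSIONID_ABC_100=c2Vzc2lvbg==; path=/; HttpOnly; secure",
    "MYSAPSSO2=dGlja2V0; path=/; domain=.example.com",   # both flags missing
    "sap-usercontext=sap-client=100; path=/",             # not security-relevant
]

if __name__ == "__main__":
    for name, flag, parameter in check_set_cookie_headers(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{name}: missing {flag} flag (review {parameter})")
```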

Recommendation
We recommend upgrading to SAP NetWeaver 7.02 or higher as the logout feature is not available to users using
earlier SAP NetWeaver versions.

User request data is stored in SAP NetWeaver Gateway for processing. Depending on your business needs and
local regulations, you can delete some user requests after certain periods of time. SAP Multichannel Foundation
for Utilities and Public Sector is built on SAP NetWeaver Gateway; to ensure your data is protected against
unauthorized access, see the data protection and privacy information provided by SAP NetWeaver Gateway.

Network and Communication

Your network infrastructure is extremely important in protecting your system and it needs to support your
business communication without allowing unauthorized access. A well-defined network topology can eliminate
many security threats based on software flaws at the operating system level and application level or network
attacks, such as eavesdropping. If users cannot log on to your application or database servers at the operating
system or database layer, intruders cannot compromise the machines and gain access to the backend system’s
database or files. Also, if users are not able to connect to the LAN, they cannot exploit well-known bugs and
security holes in network services on the server machines.

The network topology for SAP Multichannel Foundation for Utilities and Public Sector is based on SAP NetWeaver.
The security guidelines and recommendations described in the SAP NetWeaver Security Guide apply to SAP
Multichannel Foundation for Utilities and Public Sector.

Communication Channel

The following table illustrates the communication channels used by SAP Multichannel Foundation for Utilities and
Public Sector, the protocols used for the connection, and the data types transferred.

Table 14:

Communication Path | Protocol Used | Data Types Transferred | Data Requiring Special Protection
Web browser acting as frontend client to SAP NetWeaver Gateway | HTTPS | Application data and security credentials | Application data and security credentials
SAP NetWeaver Gateway to SAP backend systems and among each other | RFC | Application data | Application data

RFC connections can be protected using SNC. HTTP connections are protected using the SSL protocol. It is
important to use HTTPS in all cases so that sensitive information is encrypted in transit. To enforce this, set the
SSL flag on the Logon Data tab page of each SICF node (the UI application and all the services).

For more information, see SAP Note 510007.

Network

Internet access to your SAP ERP backend system from SAP Multichannel Foundation for Utilities and Public Sector
is secured by an application-level gateway in the corporate network DMZ, as described in the SAP NetWeaver
Security Guide.

Communication Destinations

The following table illustrates an overview of the communication destinations used by SAP Multichannel
Foundation for Utilities and Public Sector.

Table 15:

Destination | Delivered | Type | User, Authorizations | Description
Connection to SAP ERP system | Yes | RFC | User ID | Used by the service user to create user accounts in the SAP ERP system (trusted RFC connection)

Internet Communication Framework Security

Security for SAP Multichannel Foundation for Utilities and Public Sector consists of SAP NetWeaver Gateway
OData services and HTML5/SAP UI5-based web-enabled content managed by the Internet Communication
Framework (ICF) (transaction SICF).

You must activate the ICF services required for the applications that you want to use.

Note
You can also activate these services during the technical configuration.

The SAP Multichannel Foundation for Utilities and Public Sector solution relies on the following services in SAP
ERP:

FMCAUI5_MOBILE: An HTML5/SAP UI5-based web-enabled interface to access the OData services.

ERP_FMCA_MC_PUBLIC_SRV: Anonymous OData Service from SAP ERP system.

ERP_FMCA_MC: OData services from the SAP ERP system

The application also uses the services USERMANAGEMENT and USERREQUESTMANAGEMENT from SAP NetWeaver
Gateway.

More Information

For more information about ICF and OData service activation, see the RFC/ICF Security Guide at
http://help.sap.com/netweaver under SAP NetWeaver 7.0 Including Enhancement Package 1 > SAP NetWeaver
Security Guide > Security Guides for Connectivity and Interoperability Technologies.

Data Protection and Privacy

Since the SAP Multichannel Foundation for Utilities and Public Sector solution collects and processes online users’
personal data, it is often required to comply with legal regulations or public standards such as data privacy. In this
instance, the user interface may need to be adjusted. For example, a check box has to be added to obtain the
online user’s consent before an account is created.

The SAP Multichannel Foundation for Utilities and Public Sector application uses session cookies. For more
information, see .

Recommendation
We recommend activating secure session management. We also highly recommend using SSL to protect the
network communications where these security-relevant cookies are transferred.

User request data is stored in SAP Gateway for processing. Depending on business needs and local regulations,
you can delete some user requests after certain periods of time.

The SAP Multichannel Foundation for Utilities and Public Sector solution is built on SAP Gateway. To ensure your
data is protected and cannot be accessed by unauthorized parties, we recommend that you read the Guide on Data
Protection and Privacy provided by SAP NetWeaver at http://help.sap.com/netweaver under SAP NetWeaver
Gateway 2.0 > Security Information > SAP NetWeaver Gateway Security Guide.

Read Access Logging (RAL)

Read Access Logging (RAL) is used to monitor and log read access to sensitive data. It is often required to comply
with legal regulations or public standards such as data privacy. Since the application relies on the underlying
business suite to save sensitive data, we highly recommend reading the documents for the underlying platforms
and activating the RAL according to your specific requirements.

For more information, see https://help.sap.com/saphelp_nw74/helpdata/en/54/69bbeab2e94c93b9031584711d989d/frameset.htm.

More Information

● For more information about deleting user requests, see the SAP Help Portal at http://help.sap.com/nwgateway.
In the SAP NetWeaver Gateway Developer Guide, choose OData Channel > Advanced Features > User Self Service >
Configuration Settings for User Self Service > User Self Service IMG Activities (see User Request Cleanup
Customizing Activity).
● For more information about data protection and privacy, see the SAP Help Portal at http://help.sap.com/nwgateway.
In the SAP NetWeaver Gateway Security Guide, choose Data Protection and Privacy.

● For information about configuration settings for User Self Service, see the SAP Help Portal at
http://help.sap.com/nwgateway. In the SAP NetWeaver Gateway Developer Guide, choose OData Channel >
Advanced Features > User Self Service > Configuration Settings for User Self Service.

OData Services Security

SAP Multichannel Foundation for Utilities and Public Sector accesses backend data using OData. OData is a
standardized protocol for creating and consuming data APIs. OData builds on core protocols such as HTTP and
commonly accepted methodologies such as REST. The result is a uniform way of exposing full-featured data APIs.

REST web services rely on HTTP semantics. Therefore, they use PUT and DELETE HTTP methods for update and
delete operations. If an application-level gateway (reverse proxy) is used, it must be configured to enable the HTTP
methods for the SAP NetWeaver Gateway OData services.

To secure the consumption of OData services, we recommend using batch mode for OData service requests. In
batch mode, all OData service requests are encapsulated in POST requests. Without batch mode, navigation, filter,
and other query options are visible in the URL, which means they can be bookmarked, appear in the browser
history, and expose potentially sensitive data.
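The following is an added example, not code from the SAP guide or the product, showing the difference the recommendation makes on the wire: the same OData V2 read is built once as a plain GET, where the filter value (here a constructed account ID) ends up in the URL, and once as a retrieve part inside a multipart/mixed $batch POST, where it travels only in the request body. The service path, entity set name, query values and the CSRF token placeholder are all assumptions chosen for illustration; only GET parts are produced, since change sets for modifying operations are a separate topic.

```javascript
// Added example (not from the SAP guide): compare a direct OData GET with the
// same read wrapped in an OData V2 $batch POST, as used by SAP Gateway.
// SERVICE_ROOT and the entity set below are constructed placeholders.

const SERVICE_ROOT = '/sap/opu/odata/sap/ZEXAMPLE_SRV'; // constructed placeholder

// A plain GET puts every query option, including any personal data used as a
// filter value, into the request URL, where proxies, bookmarks and the browser
// history can all record it.
function directReadUrl(entitySet, queryOptions) {
  const qs = Object.entries(queryOptions)
    .map(([key, value]) => `${key}=${encodeURIComponent(value)}`)
    .join('&');
  return `${SERVICE_ROOT}/${entitySet}?${qs}`;
}

// Serialize one retrieve operation as a batch part: an application/http part
// carrying the inner request line and headers relative to the service root.
function batchPart(entitySet, queryOptions) {
  const relative = directReadUrl(entitySet, queryOptions).slice(SERVICE_ROOT.length + 1);
  return [
    'Content-Type: application/http',
    'Content-Transfer-Encoding: binary',
    '',
    `GET ${relative} HTTP/1.1`,
    'Accept: application/json',
    '',
    '',
  ].join('\r\n');
}

// Build the outer POST to <service root>/$batch. The outer URL carries no query
// options at all; the reads are inside the multipart body.
function buildBatchRequest(reads, boundary = 'batch_example') {
  const body =
    reads
      .map((r) => `--${boundary}\r\n${batchPart(r.entitySet, r.queryOptions)}`)
      .join('\r\n') + `\r\n--${boundary}--\r\n`;
  return {
    method: 'POST',
    url: `${SERVICE_ROOT}/$batch`,
    headers: {
      'Content-Type': `multipart/mixed; boundary=${boundary}`,
      // Gateway requires a CSRF token on modifying requests; obtained with a
      // prior GET carrying X-CSRF-Token: Fetch (value here is a placeholder).
      'X-CSRF-Token': '<token from prior fetch, placeholder>',
    },
    body,
  };
}

// Defender-side check used when reviewing outgoing requests: does the URL that
// will be logged and bookmarked still carry query options?
function urlCarriesQueryOptions(url) {
  return url.includes('?');
}

// Stand-alone demonstration with constructed input.
const sampleReads = [
  { entitySet: 'AccountSet', queryOptions: { $filter: "AccountID eq '4711'", $top: '10' } },
];
console.log('direct :', directReadUrl('AccountSet', sampleReads[0].queryOptions));
console.log('batched:', buildBatchRequest(sampleReads).url);
```

Batching moves the query out of the URL, not off the wire: the body still contains the filter value, so the TLS recommendation above applies to $batch traffic just as much as to direct requests.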

Other Security-Related Information

Error Handling

ICM or SAP Web dispatcher creates HTTP error messages in the standard system and sends them to the client.
For security reasons, the details should not be made available to Internet users.

Some profile parameters, such as is/HTTP/show_detailed_errors and icm/HTTP/error_templ_path,
affect the contents of the error pages of the ICM or SAP Web dispatcher.

Vulnerabilities

Clickjacking, also known as a "UI Redress Attack", is when an attacker uses multiple transparent or opaque layers
to trick a user into clicking on a button or link on another page when they were intending to click on the top-level
page. There are different solutions against clickjacking attacks, such as setting the X-Frame-Options HTTP header
field, frame-busting JavaScript, and others.

The X-Frame-Options header can be set with the instance profile parameter:
ict/perm_response_header=<name>:<value>

We support the following values:

● DENY (no hosting frame allowed)
● SAMEORIGIN (only same origin allowed)
● ALLOW-FROM https://hostname.example.com (only the listed origin allowed)

If this solution is not applicable, including JavaScript code in the HTML pages can actively prevent the pages from
being embedded in a frame. The following is an example of the code:
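As an added example (not the code the guide refers to, and not part of the product), the block below covers both halves of the clickjacking discussion: a policy check that evaluates an X-Frame-Options value against the framing page's origin for the three values listed above, which is useful when verifying what a configured profile parameter actually permits, and a frame-busting script written against a window-like object so it can be exercised outside a browser. The origins used are constructed; hostname.example.com is taken from the guide's own ALLOW-FROM example.

```javascript
// Added example (not from the SAP guide). Part 1: evaluate an X-Frame-Options
// header value the way DENY, SAMEORIGIN and ALLOW-FROM are intended to work.
// Returns true when a page served with `xfoValue` may be shown inside a frame
// whose top-level document has origin `topOrigin`; `selfOrigin` is the origin
// of the framed page itself. Unrecognized values throw, so that a misconfigured
// header is noticed rather than silently treated as "no protection".
function frameAllowed(xfoValue, topOrigin, selfOrigin) {
  const value = String(xfoValue).trim();
  const upper = value.toUpperCase();
  if (upper === 'DENY') return false;
  if (upper === 'SAMEORIGIN') return topOrigin === selfOrigin;
  if (upper.startsWith('ALLOW-FROM ')) {
    // Compare origins (scheme + host + port), not raw strings, so that a
    // trailing slash or path in the configured value does not matter.
    const allowedOrigin = new URL(value.slice('ALLOW-FROM '.length).trim()).origin;
    return topOrigin === allowedOrigin;
  }
  throw new Error(`unrecognized X-Frame-Options value: ${value}`);
}

// Convenience for reviewing a captured response: header lookup is
// case-insensitive, and a missing header means the page is unprotected.
function framingDecision(responseHeaders, topOrigin, selfOrigin) {
  const name = Object.keys(responseHeaders).find(
    (k) => k.toLowerCase() === 'x-frame-options'
  );
  if (name === undefined) return 'unprotected';
  return frameAllowed(responseHeaders[name], topOrigin, selfOrigin) ? 'allowed' : 'blocked';
}

// Part 2: frame buster. If this document is not the top-level document,
// navigate the top-level window to our own location. Returns true when it
// had to act. `win` is a window-like object so the logic can be tested.
function frameBust(win) {
  if (win.top !== win.self) {
    try {
      win.top.location = win.self.location;
    } catch (e) {
      // A sandboxed frame may forbid top-level navigation; nothing more to do.
    }
    return true;
  }
  return false;
}

// Browser entry point, guarded so the file also loads under Node for testing.
if (typeof window !== 'undefined') {
  frameBust(window);
}
```

The X-Frame-Options header is the robust control; frame-busting scripts can be defeated by sandboxed frames that suppress top-level navigation, which is why the guide presents them as a fallback. Note that ALLOW-FROM was never supported by all browsers, and current browsers implement the Content-Security-Policy frame-ancestors directive for the same purpose; the check above deliberately mirrors only the three values the guide lists.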

Sensitive Information in Browser Cache

A technical limitation has been identified that some PDF files are cached by browsers. This may cause security
issues when the PDF files have sensitive information. This issue has been investigated and a solution is being
implemented at this time. Contact SAP for information about the availability of this solution.

Payment Card Security

The Payment Card Industry Data Security Standard (PCI-DSS) was jointly developed by major credit card
companies to create a set of common industry security requirements to protect cardholder data. Compliance with
this standard is relevant for companies processing credit card data. For more information, see
http://www.pcisecuritystandards.org.

This application relies on the underlying SAP Business Suite to store or process payment card information. For
general information and measures to ensure payment card security, see the Payment Card Security Guide on SAP
Service Marketplace at http://service.sap.com/securityguide under SAP Business Suite Applications >
Payment Card Security on the left-hand side panel.

Note
The PCI-DSS covers more than those steps and considerations. Complying with the PCI-DSS is the customer’s
responsibility.

In addition to the other measures, it is important to keep an access log and to mask the payment card numbers
when they are displayed or transmitted. This can be handled by SAP Business Suite in Customizing under
Cross-Application Components > Payment Cards > Basic Settings > Make Security Settings for Payment Cards.

For current information about PCI-DSS, see SAP Note 1609917.

CAPTCHA

A CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can
pass but current computer programs cannot. There are many CAPTCHA services available online, such as
Google's reCAPTCHA™. It is strongly recommended that you integrate a CAPTCHA service into the application
to further protect public services such as User Registration and Anonymous Bill Payment.

Note
CAPTCHA integration involves extending the OData Model, which is detailed in an earlier chapter.

Virus Scan Interface

The virus scan interface can be used to include external virus scanners in the SAP system to increase security,
especially when uploading files from an unknown source is allowed. The virus scan interface can be used to restrict
file types that can be uploaded to the system. It is important that the virus scan is configured and activated in the
system.

For details about enabling antivirus scans, see the SAP Library at
http://help.sap.com/saphelp_nw74/helpdata/en/4e/2606c3c61920cee10000000a42189c/frameset.htm and
http://help.sap.com/saphelp_nw74/helpdata/en/b5/5d22518bc72214e10000000a44176d/content.htm.

More Information

For more information, see http://help.sap.com/nw_platform and choose Technical Operations for SAP
NetWeaver (7.01) > Configuration > Profiles > Maintaining Profiles > Changing and Switching Profile Parameters.

Security-Relevant Logging and Tracing

For more information about security logs for the SAP NetWeaver Gateway, see http://help.sap.com/nwgateway
and choose SAP NetWeaver Gateway Developer Guide > OData Channel > APIs and Coding > Logging In SAP
NetWeaver Gateway.

Important Disclaimers and Legal Information

Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system
environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and
completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP
intentionally or by SAP's gross negligence.

Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales
person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not
exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.

Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not
warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages
caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see:
https://help.sap.com/viewer/disclaimer).


© 2018 SAP SE or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP SE
or an SAP affiliate company. The information contained herein may
be changed without prior notice.
Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company
for informational purposes only, without representation or warranty
of any kind, and SAP or its affiliated companies shall not be liable for
errors or omissions with respect to the materials. The only
warranties for SAP or SAP affiliate company products and services
are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein
should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks of
SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the
trademarks of their respective companies.
Please see https://www.sap.com/corporate/en/legal/copyright.html
for additional trademark information and notices.
