https://community.sap.com/t5/application-development-and-automation-discussions/no-ssl-inside-fire-wall/m-p/8097727#M1616046 <HTML><HEAD></HEAD><BODY><P>PCI DSS stands for Payment Card Industry Data Security Standard. They have a website where you can find all requirements but it's s bit more complicated. There are some books as well. You can find some articles here on SDN about PCI DSS but they usually address just encryption of credit card details. I am not sure if PCI DSS is relevant for you environment. </P><P></P><P>Web dispatcher is just reverse proxy. So client connects to web dispatcher and web dispatcher connects to back end system on behalf of user. The outbound connections don't go through web dispatcher. They directly connect to target system.</P><P></P><P>Cheers</P></BODY></HTML> Tue, 19 Jul 2011 10:42:13 GMT mvoros 2011-07-19T10:42:13Z https://community.sap.com/t5/application-development-and-automation-discussions/no-ssl-inside-fire-wall/m-p/8097724#M1616043 <HTML><HEAD></HEAD><BODY><P>We have a network as follows:</P><P></P><P>Internet --- apache ---firewall --- webdispatcher -- EP-- (ECC, BI, ...etc.)</P><P></P><P>1) We configure the SSL in that way so that all certificates (inbound) will be terminated at the webdispatcher.</P><P></P><P>And inside the firewall there is no more any SSL measurement OR any other alike secured links.</P><P></P><P>Is this design safe enough?</P><P></P><P></P><P>2) The info outbound will use the same SSL from webdispatcher above?</P><P></P><P>Thanks a lot!</P></BODY></HTML> Sun, 17 Jul 2011 03:02:00 GMT https://community.sap.com/t5/application-development-and-automation-discussions/no-ssl-inside-fire-wall/m-p/8097724#M1616043 Former Member 2011-07-17T03:02:00Z https://community.sap.com/t5/application-development-and-automation-discussions/no-ssl-inside-fire-wall/m-p/8097725#M1616044 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>1) depends on your requirements. For example PCI DSS requires that credit card number is always encrypted during transmission. Your set up is not enough to comply with PCI DSS but it might be OK for your environment.</P><P></P><P>2) I am not sure what you mean by this question but if you are asking about outbound SSL connections from your system then they are not related to web dispatcher.</P><P></P><P>Cheers</P></BODY></HTML> Mon, 18 Jul 2011 23:55:08 GMT https://community.sap.com/t5/application-development-and-automation-discussions/no-ssl-inside-fire-wall/m-p/8097725#M1616044 mvoros 2011-07-18T23:55:08Z https://community.sap.com/t5/application-development-and-automation-discussions/no-ssl-inside-fire-wall/m-p/8097726#M1616045 <HTML><HEAD></HEAD><BODY><P>Thanks for your help.</P><P></P><P>1) Could you direct me to some blogs about PCI DSS configuration in SAP systems?</P><P></P><P>2) If outbound message does not go thru webdispatcher, what route it takes?</P><P></P><P></P><P>Thanks again!</P></BODY></HTML> Tue, 19 Jul 2011 10:19:07 GMT https://community.sap.com/t5/application-development-and-automation-discussions/no-ssl-inside-fire-wall/m-p/8097726#M1616045 Former Member 2011-07-19T10:19:07Z https://community.sap.com/t5/application-development-and-automation-discussions/no-ssl-inside-fire-wall/m-p/8097727#M1616046 <HTML><HEAD></HEAD><BODY><P>PCI DSS stands for Payment Card Industry Data Security Standard. They have a website where you can find all requirements but it's s bit more complicated. There are some books as well. You can find some articles here on SDN about PCI DSS but they usually address just encryption of credit card details. I am not sure if PCI DSS is relevant for you environment. </P><P></P><P>Web dispatcher is just reverse proxy. So client connects to web dispatcher and web dispatcher connects to back end system on behalf of user. The outbound connections don't go through web dispatcher. They directly connect to target system.</P><P></P><P>Cheers</P></BODY></HTML> Tue, 19 Jul 2011 10:42:13 GMT https://community.sap.com/t5/application-development-and-automation-discussions/no-ssl-inside-fire-wall/m-p/8097727#M1616046 mvoros 2011-07-19T10:42:13Z https://community.sap.com/t5/application-development-and-automation-discussions/no-ssl-inside-fire-wall/m-p/8097728#M1616047 <HTML><HEAD></HEAD><BODY><P>If you use tokenization and the webdispatcher is a part of the same (hardened) security zone as the SAP server systems, then you should be fine to terminate ssl at the dispatcher.</P><P></P><P>You should plan this in advance as retro-fitting is expensive (in performance and hardware terms).</P><P></P><P>Cheers,</P><P>Julius</P></BODY></HTML> Tue, 19 Jul 2011 21:34:53 GMT https://community.sap.com/t5/application-development-and-automation-discussions/no-ssl-inside-fire-wall/m-p/8097728#M1616047 Former Member 2011-07-19T21:34:53Z