Reverse Invoke Security

I have a client running IS 4.6 (actually SAP BC). He now wants to deploy applications externally using https to .dsp pages. The organisation is very paranoid about security, so I have proposed using RI. I have passed the security team much documentation, but there is one quesion I cannot answer.

Mention is made on pages 139-140 (SAP BC 4.7 Administration Guide)of “messages” flowing from the “reverse invoke” BC Server in the DMZ to the BC Server inside the firewalled network. I would like to see a list of valid message types that can pass across this interface. If the receiving software can interpret insecure and/or generic commands then this would be a security violation.

can anyone help me on ‘list of message types’ or ‘insecure commands’. I cannot find any documentation on this. And this is the last issue from preventing my project going ahead.

Thanks

Graham Moisley

I think your only option there is to ask support@webmethods.com
The thing you’ll be asking about is SOCK (or if you’re using SSL between the internal and proxy: SSLSOCK)

Aside from that I’m not sure on the messages that pass back along the RI connection (I’d be interested though: if you get something back from support I’d like a look too: nathan AT customware DOT net as I’ve always wondered about exactly what goes on in that connection but haven’t had the need to know for a customer before).

Regards,
Nathan Lee
WmUnit - The webmethods testing framework.
http://www.customware.net/wmunit

Graham,

Support should have a document that describes this proprietary format. You should be able to get this.

If not I might have it somewhere and could send it to you later this week.

Let me know.

regards,
Jordy

Graham,

The messages that flow from the Reverse Invoke proxy server to the internal server are service invocation requests–the original request packaged up with some metadata about the request (e.g. HTTP basic auth header).

Take a quick second and determine whether you really need to use Reverse Invoke. What are the security requirements? Could a standard reverse proxy work just as well?

cheers,
Ed