ADM960 SAP NetWeaver AS – Security SAP NetWeaver - Administration
• Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.
• IBM®, DB2®, OS/2®, DB2/6000®, Parallel Sysplex®, MVS/ESA®, RS/6000®, AIX®, S/390®, AS/400®, OS/390®, and OS/400® are registered trademarks of IBM Corporation.
• ORACLE® is a registered trademark of ORACLE Corporation.
• INFORMIX®-OnLine for SAP and INFORMIX® Dynamic ServerTM are registered trademarks of Informix Software Incorporated.
• UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
• Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
• HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
• JAVA® is a registered trademark of Sun Microsystems, Inc.
• JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
• SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.
Disclaimer THESE MATERIALS ARE PROVIDED BY SAP ON AN "AS IS" BASIS, AND SAP EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR APPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THESE MATERIALS AND THE SERVICE, INFORMATION, TEXT, GRAPHICS, LINKS, OR ANY OTHER MATERIALS AND PRODUCTS CONTAINED HEREIN. IN NO EVENT SHALL SAP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY KIND WHATSOEVER, INCLUDING WITHOUT LIMITATION LOST REVENUES OR LOST PROFITS, WHICH MAY RESULT FROM THE USE OF THESE MATERIALS OR INCLUDED SOFTWARE COMPONENTS.
About This Handbook This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. It is not suitable for self-study.
Typographic Conventions
American English is the standard used in this handbook. The following typographic conventions are also used.

Type Style: Description
• Example text: Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths, and options. Also used for cross-references to other documentation, both internal and external.
• Example text: Emphasized words or phrases in body text, titles of graphics, and tables.
• EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example SELECT and INCLUDE.
• Example text: Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, and passages of the source text of a program.
• Example text: Exact user entry. These are words and characters that you enter in the system exactly as they appear in the documentation.
• <Example text>: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.
Contents
Course Overview
  Course Goals
  Course Objectives
Unit 1: Computer Security: An Overview
  Introduction to Computer Security
Unit 2: Product Overview
  SAP Solutions and Applications
Unit 3: Network Basics
  Networking Concepts
  Network Security in an SAP Landscape
Unit 4: Basic Security for SAP Systems
  Securing the Front End
  User Security in SAP Systems
  Interface Security in SAP Systems
  Development Protection and Security Patches
  Monitoring Security in SAP Systems
  Monitoring and Analyzing Security with SAP Solution Manager
Unit 5: Introduction to Cryptography
  Cryptography
  Authentication and Digital Signatures
  Cryptography in SAP Systems
Unit 6: Secure Network Communication - SNC
  Setting Up Secure Network Communications
Unit 7: Secure Socket Layer - SSL
  Setting Up SSL for SAP NetWeaver AS
Unit 8: Authentication and Single Sign-on Mechanisms in SAP Systems
  Understanding Authentication
  Configuring Single Sign-on
Glossary
Index
Course Overview This course will introduce you to the need for security in the SAP system environment. You learn about different technical safeguards that can be used to secure your SAP NetWeaver Application Server based systems.
Target Audience
This course is intended for the following audiences:
• SAP system administrators
• Technical consultants
• Project team members
• Persons responsible for technical system security
General knowledge of technical security and SAP technology.
Course Goals
This course will prepare you to:
• Explain the need for implementing security
• Discuss the security threats for SAP Systems
• Discuss security safeguards and security policies
• Explain security aspects pertaining to SAP products
• Explain network communication and how it can be secured
• Execute security measures to increase the security of SAP Systems
Course Objectives
After completing this course, you will be able to:
• List security goals and threats
• Discuss the security threats for SAP Systems
• Explain the basics of networking
• Secure network communication in an SAP System environment
• Implement security measures in SAP products
Unit 1 Computer Security: An Overview
Unit Overview
This unit will introduce you to the basic terms of computer security. The unit lists the major security threats to a system and the security safeguards to be used against each security threat.
Unit Objectives
After completing this unit, you will be able to:
• List security goals, threats, and safeguards
• Categorize security measures and the necessary steps to establish a secure system environment
Unit Contents
Lesson: Introduction to Computer Security
Lesson: Introduction to Computer Security Lesson Overview This lesson describes the security threats and security safeguards. It also explains how to categorize the security measures to secure the system environment.
Lesson Objectives
After completing this lesson, you will be able to:
• List security goals, threats, and safeguards
• Categorize security measures and the necessary steps to establish a secure system environment
Business Example
To implement security measures, a basic understanding of the terms involved is needed.
Computer Security Concepts
Goals
Safeguards, threats, and goals are closely related to each other. Threats compromise certain security goals, whereas safeguards protect your system against certain threats. As a result, when implementing security, you need to consider the safeguards with reference to the goals and the threats. Security requirements for sensitive business data arise due to:
• Protection of Intellectual Property
• Legal Issues and Contracts
• Trust Relationship to Business Partners
• Continuous Business Operations
• Protection of Image
• Correctness of Data
Security can also optimize administration processes, such as:
• Reducing the number of password resets when using Single Sign-On
• Using digital signatures for approval processes
• The average annual loss reported was $234,244 in this year's survey.
• Respondents reported large jumps in the incidence of password sniffing, financial fraud, and malware infection.
• One-third of respondents' organizations were fraudulently represented as the sender of a phishing message.
• Twenty-five percent of respondents said more than 60 percent of financial losses came from accidental breaches by insiders, not external hacks, and 16.1 percent said 81 to 100 percent of all losses came from accidental breaches as well.
• 64.3 percent of respondents experienced malware infection, compared to 2008's 50 percent.
• 29.2 percent experienced denial-of-service attacks, compared to 2008's 21 percent.
• 17.3 percent experienced password sniffing, compared to 9 percent in 2008.
• 13.5 percent experienced Web site defacement, compared to 2008's 6 percent.
• 7.6 percent experienced instant messaging abuse, down from 21 percent in 2008.
Source: Computer Security Institute http://www.gocsi.com
The Computer Crime and Security Survey is conducted by CSI annually. The aim of this effort is to raise the level of security awareness, as well as to help determine the scope of computer crime in the United States.

• Availability: Ensures that users can access their resources when they need them. When determining your requirements with reference to the availability of resources, you should consider the costs resulting from unplanned downtime, for example loss of customers, costs for unproductive employees, and overtime. Some damage can hardly be expressed in terms of money, for example loss of reputation.
• Authentication: Determines the “real” identity of the user. Different authentication mechanisms can be used in a system environment, such as:
  • Authentication using user ID and password
  • Authentication using a smart card
  • Authentication using a smart card and PIN
• Authorization: Defines the rights and privileges of the identified user and determines the functions that a user can access. The application must be programmed to check whether or not a user is authorized before he or she can access a particular function.
• Confidentiality: Ensures that the user’s history or communication is kept confidential. Information and services need to be protected from unauthorized access. The authorization to read, change, or add information or services must be granted explicitly to only a few users; all other users are denied access. Within your company, you might trust your own users, but if you post something on the Internet, the confidentiality of information is at risk.
• Integrity: Ensures that user information which has been transmitted or stored has not been tampered with. Programs and services need to work as expected and provide accurate information. As a result, people, programs, or hardware components should not be able to modify programs and services.
• Repudiation: Represents the process of denying that you have done something.
• Non-repudiation: Ensures that people cannot deny their actions.
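The authorization and non-repudiation goals above translate into two concrete programming rules: check the grant before the function runs, and record who did what regardless of the outcome. The following is an added illustration written for this handbook section, not code from SAP or from the course; the `Principal` and `AccessControl` names and the two sample users are constructed for the example.

```python
"""Added example (not from the ADM960 handbook): a minimal function-level
authorization check with default deny and an audit trail.  The class and
user names are constructed for this illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Principal:
    """An authenticated user: identity is established before any authorization decision."""
    user_id: str


class AccessControl:
    """Explicit grants only: any function not granted to a user is denied (default deny)."""

    def __init__(self) -> None:
        self._grants: dict[str, set[str]] = {}
        # Audit records support non-repudiation: who invoked which function, when, with what result.
        self.audit_log: list[dict] = []

    def grant(self, user_id: str, function: str) -> None:
        """Authorization must be granted explicitly; nothing is implied."""
        self._grants.setdefault(user_id, set()).add(function)

    def is_authorized(self, who: Principal, function: str) -> bool:
        return function in self._grants.get(who.user_id, set())

    def call(self, who: Principal, function: str, action):
        """Check the grant *before* executing, and record the outcome either way."""
        allowed = self.is_authorized(who, function)
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": who.user_id,
            "function": function,
            "result": "ALLOWED" if allowed else "DENIED",
        })
        if not allowed:
            raise PermissionError(f"{who.user_id} is not authorized for {function}")
        return action()


def demo() -> tuple[bool, bool, int]:
    """Constructed scenario: one explicit grant, one denied attempt, two audit records."""
    ac = AccessControl()
    ac.grant("alice", "VIEW_SALARY")
    alice, bob = Principal("alice"), Principal("bob")
    allowed_ok = ac.call(alice, "VIEW_SALARY", lambda: "salary data") == "salary data"
    try:
        ac.call(bob, "VIEW_SALARY", lambda: "salary data")
        denied_ok = False
    except PermissionError:
        denied_ok = True
    return allowed_ok, denied_ok, len(ac.audit_log)


if __name__ == "__main__":
    print(demo())
```

The denied attempt is logged as well as the permitted one: an audit trail that records only successes cannot show who tried to do what, which is the evidence non-repudiation depends on.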
This list represents only a set of commonly known threats. One of the major threats is “social engineering”.

Story: A security consultant was asked to come to a large company to evaluate the security lapses in the company. The person with whom he was supposed to work was quite busy and left the consultant alone, saying he would be back soon. After about an hour, the consultant decided to wander down to the computer room to see what was up. He could not get in because it was a secure room, so he waited outside the door until someone came along, asked if he wanted to get in, swiped his card, and let him in. Now he was in the secure room and wanted to log on to the computer. He looked around for the yellow post-it note with the administrator password on it, found it posted next to the terminal, and logged on to the server. He worked for about 45 minutes on the computer. At around noon, a young guy working in the computer room told him they were going to Burger King for lunch and asked whether he wanted them to pick up anything for him. He gave them some money and they all left. The consultant was alone in the computer room for an hour. When they returned, they brought him his lunch. He finished his work and went back to the desk of the person with whom he was supposed to work. This person was quite apologetic, said that he would pay him for the whole day, and asked if he could come back the next day. The consultant said that he was done and that the company had numerous security lapses.

When considering security, do not think only about system attacks. An untrained employee can also be a risk if he or she accidentally carries out unexpected system activities. You should also consider environmental threats, such as earthquakes, which might compromise the availability of the system.

• Systems are penetrated when an unauthorized person gains access to them by guessing accounts and passwords.
• A person can violate authorizations and penetrate a system by misusing current authorizations that were allocated or stolen. With some authorizations the hacker is allowed to access the operating system, which allows transports and other OS functions.
• A hacker may gain access to a system and plant a program that provides access to the computer; for example, such code might create a new user that is later used to break into the system.
• A hacker can also eavesdrop without being detected.
• Tampering of data occurs when a hacker can grab a connection and communicate with both the client and the server. After grabbing the connection, the hacker can change the data.
• A denial of service attack brings down the server and makes it unavailable. There are several ways to make the server unavailable, such as cutting the network cable, physically destroying the server, or unplugging the server from the network. A hacker can also deny service by flooding the system with messages so that the system cannot respond.
• A buyer could repudiate the fact that he or she purchased an item from an online store.
• A person can masquerade as another user.
Programs can be written to modify the source IP address of a TCP/IP packet and trick the network into thinking that the packet comes from within the network. This process is known as spoofing. An application can receive data that it is not expecting or prepared for, with unpredictable results. This is known as a buffer overflow, and it can lead to a vulnerability within the server. Acquiring sensitive information such as usernames, passwords, or credit card details by masquerading as a trustworthy entity is known as phishing.
The dynamic nature of websites causes security holes that can be used to gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser. Cross-Site Scripting (XSS) attacks are a special form of code injection. Another code injection technique is SQL injection: a SQL injection attack consists of the insertion or “injection” of SQL via the input data sent from the client to the application.
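Both injection classes named above have the same root cause: client input is spliced into something the server later interprets (a SQL statement, an HTML page). The following added example, written for this section and not taken from the course or from SAP, shows each in a vulnerable form next to its hardened form. The in-memory SQLite table, the user names and the sample inputs are constructed for the example.

```python
"""Added example (not from the ADM960 handbook): SQL injection and XSS,
vulnerable code beside hardened code.  Table contents and inputs are constructed."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s1"), ("bob", "s2")])
    return con


def lookup_vulnerable(con: sqlite3.Connection, name: str) -> list:
    """Builds the statement by string concatenation: the client's input becomes part
    of the SQL text, so a quote character in the input changes the query's structure."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_hardened(con: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the input is bound as a value by the database driver and
    can never alter the statement, whatever characters it contains."""
    rows = con.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_vulnerable(comment: str) -> str:
    """Reflects user content into the page unchanged: markup in the input is
    interpreted by the browser instead of being shown as text (XSS)."""
    return "<p>" + comment + "</p>"


def render_hardened(comment: str) -> str:
    """Escapes the HTML metacharacters (< > & " ') so the browser displays the
    text literally.  Output encoding at the point of insertion is the standard fix."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"   # constructed input illustrating the quote problem
    print(lookup_vulnerable(db, crafted))   # every row: the WHERE clause was rewritten
    print(lookup_hardened(db, crafted))     # no row: the literal string does not match
    print(render_hardened("<b>hi</b>"))
```

The hardened lookup needs no blacklist of "dangerous" characters: the parameter binding makes the distinction between code and data for you. Likewise, `html.escape` is applied at output time, in the context where the data is inserted, rather than by filtering input on the way in.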
Figure 2: Threats in Client-Server Communication
Due to the open, exposed communication architecture, client-server communication is vulnerable to attacks. The client communicates with the server across the network, where attackers can eavesdrop, capture, and manipulate data. At the back-end system, applications and the operating system may contain security holes that attackers can take advantage of. In addition, one of the primary threats is social engineering, whereby the attacker often obtains sensitive information by impersonating an important person. Threats shown in the above graphic also apply to the client. In most cases, clients are difficult to control as compared to servers.
• Technical safeguards such as firewalls, cryptographic algorithms, and certificates
• Organizational safeguards such as rules or guidelines
• Physical safeguards such as fire detection and secured rooms and buildings
You should establish the following measures to prevent physical damage:
• Secure the buildings
• Secure the server rooms
• Lock the servers
• Use underground wires
• Install security cameras around the building
• Define policies to lock doors
Figure 6: Safeguards (Technical)
There are measures available for most of the threats that have been described. The graphic shown here does not represent all the possible threats and measures. It shows an example of how you can use security measures against many of the possible threats.
One very important aspect is to regularly install the security patches for applications and operating systems that are made available by vendors. Many security lapses can be fixed, but customers and users need to update their systems regularly.
Security Policies
Figure 7: Security Policies
A company or organization needs to define a global security policy. From this general security policy, a detailed IT security policy is derived. Finally, documents that describe the security configuration of specific components in the system landscape are created.
The figure above shows how you can implement security. Analyze the risks to determine the security requirements. Then look at the threats that are relevant. Determine the vulnerability to those threats and the appropriate safeguards against them. As part of the risk analysis, you should conduct the following activities:
• Determine your security requirements with reference to the availability, confidentiality, and integrity of data.
• Identify the threats that could compromise your security.
• Determine the relevance of each threat to your company (vulnerability).
• After you know the risks, determine the measures or safeguards to protect your system.
• Measure the associated risk of a threat against the cost of securing your system against that risk. As a result, you can make a cost-benefit analysis.
The risk analysis process leads to creating Standard Operation Procedures (SOPs) and implementing safeguards. Prioritize the safeguards, if there are constraints against implementing all of them. These lead to monitoring, implementation, and education. This is not a linear process but a circular process with continuous enhancements.
System upgrades and landscape changes mean that you must adapt your security measures accordingly and continuously. Note: Security is an on-going process. You need to reassess your security policy regularly.
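The risk-analysis steps above (requirements, threats, relevance, safeguards, cost-benefit, prioritization under constraints) can be carried out as a small calculation. The following added example is written for this section and is not the course's or SAP's method; it assumes the common annualized model in which expected loss equals the probability of occurrence per year times the impact, which the handbook does not prescribe, and every threat, probability, impact, cost and reduction figure is constructed.

```python
"""Added example (not from the ADM960 handbook): a risk register and a
cost-benefit prioritization of safeguards.  Model and figures are assumed."""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    goal: str                   # security goal compromised: availability, confidentiality, integrity
    annual_probability: float   # vulnerability: likelihood of occurrence per year (assumed figure)
    impact: float               # estimated loss per occurrence, currency units (assumed figure)

    def expected_loss(self) -> float:
        """Assumed model: expected annual loss = probability x impact."""
        return self.annual_probability * self.impact


@dataclass
class Safeguard:
    name: str
    threat: str                 # name of the threat it addresses
    annual_cost: float
    reduction: float            # fraction of the threat's expected loss it removes, 0..1


def risk_register(threats):
    """Steps 1-3: list threats by relevance (highest expected loss first)."""
    return sorted(threats, key=lambda t: t.expected_loss(), reverse=True)


def prioritize(threats, safeguards, budget):
    """Steps 4-5: cost-benefit analysis, then greedy prioritization under a budget.
    Returns the chosen safeguard names and the amount spent."""
    by_name = {t.name: t for t in threats}
    scored = []
    for s in safeguards:
        saved = by_name[s.threat].expected_loss() * s.reduction
        scored.append((saved - s.annual_cost, s))      # net annual benefit
    scored.sort(key=lambda pair: pair[0], reverse=True)
    chosen, spent = [], 0.0
    for net, s in scored:
        if net <= 0:
            continue   # costs more than it saves at this risk level: not worth it
        if spent + s.annual_cost > budget:
            continue   # constraint: cannot afford it this period
        chosen.append(s.name)
        spent += s.annual_cost
    return chosen, spent


def sample_landscape():
    """Constructed threats and safeguards for a fictitious company."""
    sniff = "Password sniffing on unencrypted client-server traffic"
    power = "Power failure in the server room"
    deface = "Web site defacement"
    threats = [
        Threat(sniff, "confidentiality", 0.3, 200_000.0),
        Threat(power, "availability", 0.5, 40_000.0),
        Threat(deface, "integrity", 0.2, 10_000.0),
    ]
    safeguards = [
        Safeguard("Encrypt client-server traffic", sniff, 15_000.0, 0.9),
        Safeguard("Install a UPS", power, 8_000.0, 0.8),
        Safeguard("Web application firewall", deface, 12_000.0, 0.7),
    ]
    return threats, safeguards


if __name__ == "__main__":
    threats, safeguards = sample_landscape()
    for t in risk_register(threats):
        print(f"{t.expected_loss():>10,.0f}  {t.goal:<15} {t.name}")
    print(prioritize(threats, safeguards, budget=20_000))
```

With the constructed figures, the defacement safeguard is rejected because its cost exceeds the loss it would prevent, and a budget of 20,000 buys only the traffic-encryption measure; raising the budget brings the UPS in next. Re-running the calculation after a landscape change is the "circular process" the text describes.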
Lesson Summary You should now be able to: • List security goals, threats, and safeguards • Categorize security measures and the necessary steps to establish a secure system environment
Unit Summary You should now be able to: • List security goals, threats, and safeguards • Categorize security measures and the necessary steps to establish a secure system environment
Lesson: SAP Solutions and Applications
Lesson Overview
This lesson introduces the SAP solutions and technical components discussed in this course.
Lesson Objectives After completing this lesson, you will be able to: •
Describe the basic architecture of SAP applications based on SAP NetWeaver Application Server.
Business Example You need to understand the basic architecture of SAP applications based on the SAP NetWeaver Application Server.
SAP Solutions and Applications SAP Business Suite The SAP Business Suite is an extended family of business applications that enables companies to manage their entire value chains. The included business applications provide users with consistent results throughout the entire company network and give your company the flexibility it needs in today's dynamic market situations. The application consists of a number of different products that support cross-company processes. Note: For more information, go to http://www.sap.com/solutions/businesssuite. SAP's software portfolio is constantly extended, optimized, and tailored to the needs of the market and of customers. SAP has therefore, for example, developed many industry-specific applications over the years. The topic of integrating different business systems (even from different vendors and across company boundaries) has become increasingly important recently. Products for small to midsize businesses have also been added to SAP's family of software solutions.
The SAP Business Suite, a complete business software package that is unique worldwide, plays a central role. Many companies are already profiting from the comprehensive and flexible business applications with highly evolved functions: complete integration, industry-typical functions, unlimited scalability, and smooth collaboration via the internet. The SAP Business Suite provides: • • • • •
A complete spectrum of business solutions A technological infrastructure that combines openness and flexibility with maturity and stability Interfaces for integrating non-SAP products Components that can be adapted to meet multiple business requirements Numerous industry-specific functions
The next graphic illustrates the key components of the SAP Business Suite:
Figure 9: SAP Business Suite: Architecture
The components that make up SAP Business Suite are described in the following sections.
Core Applications The core applications of SAP Business Suite are a set of business applications that support all the essential business processes of an enterprise. They are summarized here. SAP ERP is a market-leading application for optimizing business and IT by reducing IT complexity, increasing adaptability, and delivering more IT value at a lower cost than traditional enterprise resource planning (ERP) solutions. It supports mission-critical, end-to-end business processes for finance, human capital management, asset management, sales, procurement, and other essential corporate functions. SAP ERP also supports industry-specific processes by providing industry-specific business functions that can be activated selectively via the switch framework, which keeps the application core stable and helps to ensure maximum performance. Hint: For more information see http://www.sap.com/solutions/businesssuite/erp. The SAP Customer Relationship Management (SAP CRM) application provides a comprehensive platform for marketing, sales, and service professionals to obtain complete customer intelligence that they can leverage to effectively manage customers and customer-related processes. SAP CRM enables multichannel customer interactions, including mobile smart phones, the Internet, and social media, and also offers a dedicated communications infrastructure that helps to connect all users anytime, anywhere. Hint: For more information see http://www.sap.com/solutions/businesssuite/crm. The SAP Product Lifecycle Management (SAP PLM) application helps companies manage, track, and control all product-related information over the complete product and asset lifecycle as well as throughout the extended supply chain. SAP PLM facilitates creativity and frees the process of product innovation from organizational constraints. Hint: For more information see http://www.sap.com/solutions/businesssuite/plm. 
The SAP Supplier Relationship Management (SAP SRM) application provides a procurement platform that helps organizations in all industries improve their centralized sourcing and contract management and interact with suppliers through multiple channels. SAP SRM accelerates and optimizes the entire end-to-end procure-to-pay process by supporting integrated processes and enforcing contract compliance, resulting in realizable savings. Hint: For more information see http://www.sap.com/solutions/businesssuite/srm. The SAP Supply Chain Management (SAP SCM) application allows companies to adapt their supply chain processes to an ever-changing competitive environment. SAP SCM transforms traditional supply chains from linear, sequential processes into open, configurable, responsive supply networks in which customer-centric, demand-driven companies can sense and respond more intelligently and more quickly to demand-and-supply dynamics across a globally distributed environment. Hint: For more information see http://www.sap.com/solutions/businesssuite/scm.
Industry Applications SAP addresses the requirements of specific business processes for many industries by complementing the basic business processes common to all large enterprises. Support for these industry-specific processes is delivered either as part of SAP ERP or as a separate industry application (for example, the SAP Dealer Business Management application or the SAP Reinsurance Management application) that integrates with the other applications of SAP Business Suite. The architecture and business functionality of the industry applications are a result of SAP’s in-depth understanding of industry-specific business requirements and the resulting business processes. SAP industry portfolios are continuously enhanced by adding new applications that address the highly specialized business needs of customers in very targeted markets. The following table lists the industry portfolio (as of Q3 2010):
Industry Sector: Industry Portfolio
• Discrete Industries: SAP for Aerospace & Defense; SAP for Automotive; SAP for Engineering, Construction & Operations; SAP for High Tech; SAP for Industrial Machinery & Components
• Process Industries: SAP for Chemicals; SAP for Life Sciences; SAP for Mill Products; SAP for Mining; SAP for Oil & Gas
• Consumer Industries: SAP for Consumer Products; SAP for Retail; SAP for Wholesale Distribution
• Service Industries: SAP for Media; SAP for Professional Services; SAP for Telecommunications; SAP for Transportation & Logistics; SAP for Utilities
• Public Services: SAP for Defense & Security; SAP for Healthcare; SAP for Higher Education & Research; SAP for Public Sector
• Financial Services: SAP for Banking; SAP for Insurance
Supplementary Applications Supplementary applications include applications that drive specialized business processes common to a large number of industries. They deliver a short time to value, appeal to specialized business users, and offer a high degree of process flexibility. Supplementary applications include, for example, manufacturing applications, SAP solutions for auto-ID and item serialization, and applications for mobile business.
SAP NetWeaver The SAP NetWeaver technology platform is the reliable, secure, and scalable foundation to run business applications like SAP Business Suite and SAP BusinessObjects applications to help ensure that large enterprises can perform mission-critical business processes. As the technical foundation for service-oriented architecture, SAP NetWeaver delivers a comprehensive set of middleware functions in a modular software environment with the aim of reducing IT complexity and increasing business flexibility across heterogeneous IT landscapes. SAP NetWeaver provides IT organizations with the lowest cost of operation and best business availability for SAP applications across heterogeneous IT landscapes through unified lifecycle management, identity management, secure communications, and end-to-end monitoring.
Enhancement Packages Enhancement packages for innovation without disruption: SAP has a proven way to continuously deliver innovation for SAP Business Suite and SAP NetWeaver without disruption. It comes in the form of enhancement packages that provide collections of new or improved business functions that companies can deploy in a modular fashion and on their own timetable. The strategy of enhancement packages – enabling companies to take advantage of ongoing innovations while keeping their core software stable – was introduced with the SAP ERP 6.0 application and has been proven with several enhancement packages since 2006. All core applications of SAP Business Suite are now enabled for continuous innovation through enhancement packages. In the future, SAP intends to continue to deliver enhancement packages for the core applications, minimizing the need for companies to engage in potentially disruptive upgrade projects.
Context of Applications and Components Numerous applications for business challenges are provided in the context of the SAP Business Suite. However, many applications have similar or identical requirements for business functions in subareas. Different applications therefore contain similar (software) components in parts. A component is the smallest, separately producible, deliverable, installable, and maintainable software unit. Components refer to, for example, an SAP ECC system, an SAP SCM system or also an SAP NetWeaver Portal system. The graphic provides an overview of this hierarchy (components as building blocks of solutions) using the SAP SCM application as the example.
SAP NetWeaver SAP NetWeaver provides customers with a flexible way to integrate and extend business processes that run across SAP, SAP-certified partner, and custom-built applications by delivering prebuilt integration content and enterprise services, with rapid deployment supported by model-driven tools. With support for business process management, mission-critical business processes can be monitored for efficiency, integrity, and security. Business users can also use SAP NetWeaver to define business rules to help ensure consistent processes across the business network. SAP NetWeaver integrates and connects people, information, and business processes across technologies and companies. It enables companies to adjust to changes quickly. SAP NetWeaver ensures that a company's crucial business processes are reliable, safe, and scalable. Furthermore, SAP NetWeaver enables companies to maximize the benefits from their current software and systems. Nonuniform integration technologies are consolidated and predefined business content is provided, thus reducing the amount of manual work required. SAP NetWeaver is based on a technology using industry standards and can be enhanced with popular development tools.
IT Practices and IT Scenarios
Figure 11: SAP NetWeaver: Technology Map – Edition 2010
SAP NetWeaver enables you to implement IT processes in a range of solution methods, called IT practices. For each practice, SAP NetWeaver supports a range of key IT activities, which can be performed using the integrated components of the platform. The focus here is not on system and technological components but on the IT and business goals of the company. IT practices enable you to reach your company's goals in individual and manageable projects, that is, in sequential steps and according to their importance. For instance, IT practices refer to the increase of user productivity through improved, cross-company collaboration, personalized access to applications and data and optimized knowledge management. IT practices show how SAP NetWeaver can be used to solve certain IT problems by means of IT scenarios. For each IT practice, SAP NetWeaver supplies corresponding IT scenarios, which act as implementation guides.
The aim of the IT scenarios is to help you as a customer, partner or service provider with the installation, configuration and operation of SAP NetWeaver as well as the operation of SAP applications, customer-specific applications and the implementation of your defined IT scenarios.
SAP NetWeaver Application Server (SAP NetWeaver AS)
Almost every SAP system is based on SAP NetWeaver AS and uses it as the runtime environment. Together with the database, SAP NetWeaver AS is the application platform of SAP NetWeaver.
Figure 12: SAP NetWeaver AS as the Basis for SAP Systems
SAP NetWeaver AS is the logical result of the further development of the SAP Application Server Technology (previously: SAP Basis), whereby special attention is paid to web-based applications. SAP NetWeaver AS offers:
• A reliable and extensively tested runtime environment, which has been developed further continuously over more than ten years
• A framework for executing complex business processes that meet the highest security standards
• A reliable and user-friendly development environment
• Support for open standards, including HTTP, HTTPS, SMTP, WebDAV, SOAP, SSL, SSO, X.509, Unicode, HTML, XML and WML
• High scalability
• Support for different operating system and database platforms
Since the applications delivered by SAP do not always require both runtime environments, that is, ABAP and Java, there are different installation options for SAP NetWeaver AS. These are:
• SAP NetWeaver AS ABAP: Complete infrastructure in which ABAP-based applications can be developed and used.
• SAP NetWeaver AS Java: Complete infrastructure in which J2EE-conforming applications can be developed and used.
• SAP NetWeaver AS ABAP+Java (dual stack): Complete infrastructure in which ABAP-based and J2EE-based applications can be developed and used.
History of Selected Software Components
This section provides a bit of history of a few selected software components.
Technical Basis (Application Server)
Back in the days when SAP basically offered two products (SAP R/2 and SAP R/3), the development of the (technical) basis was closely linked to application development. The release names of the SAP Basis corresponded to the SAP R/3 version; for example, SAP Basis 4.0B was the technical basis for SAP R/3 4.0B. Around the turn of the millennium, the SAP portfolio grew significantly, and new products were created that required more frequent changes and enhancements of the SAP Basis than SAP R/3 did. This marks the transition from the classic SAP Basis (last version: SAP Basis 4.6D) to SAP Web Application Server (SAP Web AS). New Internet technologies (Internet Communication Manager from SAP Web AS 6.10 onwards) and the supplementing of the classical ABAP environment with Java/JEE (from SAP Web AS 6.20 onwards) were important milestones.
SAP Web AS 6.40 forms the technical basis (“application platform”) of SAP NetWeaver 2004. SAP NetWeaver offers extensive capabilities (such as Business Warehouse), which are all based on the application platform. From SAP NetWeaver 7.0 (previously: SAP NetWeaver 2004s) the names and releases were adapted further, so now SAP NetWeaver 7.0 is based on SAP NetWeaver Application Server (SAP NetWeaver AS).
Central ERP Functions
The following graphic shows the historical development of the current SAP ERP Central Component (ECC 6.0):
Figure 13: Evolution from SAP R/3 via SAP R/3 Enterprise to SAP ECC
As already mentioned, in the times of SAP R/3, the technical basis and application development were interlinked, up to and including SAP R/3 4.6C. With SAP R/3 Enterprise (4.7), which is based on SAP Web AS 6.20, the concept of SAP R/3 Enterprise Extensions was introduced. A central application (previously: solution) of the SAP Business Suite is SAP ERP for Enterprise Resource Planning. The central software component of SAP ERP is SAP ERP Central Component (SAP ECC). SAP ECC 5.00 can thus be considered the technical successor of SAP R/3 Enterprise and is based on SAP Web AS 6.40. At the time of creating this documentation, the current version is SAP ERP 6.0 (previously: SAP ERP 2005), which also includes SAP ECC 6.00 (running on SAP NetWeaver AS 7.00) and other components. Functional enhancements for the different software components are made available through enhancement packages. SAP NetWeaver AS 7.1x or 7.2x is not used as the technical basis for an SAP ECC system; other SAP NetWeaver components, such as SAP NetWeaver Process Integration (PI) and SAP NetWeaver Composition Environment (CE), require this SAP NetWeaver AS release level.
Installation Options of SAP NetWeaver AS
Depending on the application or product used, different variants of SAP NetWeaver AS are installed.
Figure 14: Installation Options of SAP NetWeaver AS
• AS ABAP system: Complete infrastructure in which ABAP-based applications can be developed and used.
• AS Java system: Complete infrastructure for developing and using J2EE-based applications.
• AS ABAP+Java system: Complete infrastructure in which ABAP-based and J2EE-based applications can be developed and used. Such a system should only be installed if explicitly required by the application, for example by SAP NetWeaver PI 7.0 or SAP Solution Manager 4.0.
One of the main characteristics of SAP NetWeaver AS is that ABAP tables, programs, and application data are stored in the ABAP schema of the database, while Java data is stored in the Java schema. The ABAP runtime environment can access the ABAP schema of the database, and the Java runtime environment can access the Java schema. In the ABAP+Java system, the different runtime environments communicate directly via the SAP Java Connector (JCo).
AS ABAP Architecture
In AS ABAP, the central instance is distinguished by the fact that the message server and the enqueue work process run there. All other instances of the system are usually called dialog instances. Alternatively, the instances are also named after the services they provide. The services that an application server can provide are determined by the types of work processes it has. An application server can therefore take on several roles, for example as a dialog server and simultaneously as an update server, if it provides several dialog work processes and at least one update work process. Note: An overview of the AS ABAP instances is available in transaction SM51 (in SAP Easy Access under Tools → Administration → Monitor → System Monitoring → Servers). You can use transaction SM50 to display an overview of the work processes on the instance you are logged on to; you can also display this overview by choosing Tools → Administration → Monitor → System Monitoring → Process Overview on the SAP Easy Access screen.
Figure 15: AS ABAP Architecture
The ABAP message server provides the AS ABAP with a central message service for internal communication (for example, for starting updates, requesting and removing locks, triggering background requests). The message server also provides information on which instances of the system are currently available.
The ABAP dispatchers of the individual application servers communicate via the ABAP message server, which is installed exactly once per SAP system. When you log on to the AS ABAP using SAP GUI for Windows or SAP GUI for Java with logon groups, the message server distributes the users across the available instances. This load distribution, which takes place during the logon procedure, is also known as logon load balancing. After the load distribution by the message server, the SAP GUI communicates directly with the dispatcher. The user remains logged on to this instance until logging off again. Note: An overview of the users who are logged on to the same instance as you is available using transaction SM04 (Tools → Administration → Monitor → System Monitoring → User Overview). You can see which instance you are logged on to under System → Status. If you access the AS ABAP via web protocols such as HTTP using a browser, the Internet Communication Manager (ICM) receives the request and forwards it to the dispatcher of its instance. Communication from other SAP systems via Remote Function Call (RFC) is accepted by the Gateway Reader (GW).
AS Java Architecture
In AS Java, the central instance is distinguished by the fact that the Software Deployment Manager (SDM) runs there. The central services Message Service (MS) and Enqueue Service (ES) run in the central services instance (CS instance). All other instances of the system are usually called dialog instances. Note: The entirety of the Java environment (all processes and the database schema) is also referred to as a Java cluster, and the individual processes (dispatcher and server) as nodes of the Java cluster. You can obtain an overview of the started Java processes (Java dispatcher and Java server processes as well as SDM) via the system information of the Java runtime environment (http://<host>:<port>/sap/monitoring/SystemInfo, for example http://twdf1234.wdf.sap.corp:50000 → System Information).
Analogous to the AS ABAP, the message service of the AS Java provides a central message service for internal communication. The Java message service also provides information on which instances and nodes of the AS Java are available. Each node of the Java cluster can communicate directly with the message service. In the AS Java, the enqueue service holds logical locks; each node of the Java cluster can communicate directly with the enqueue service. When the AS Java is accessed using a browser, the Java dispatcher receives the requests, which are then processed by the server processes.
AS ABAP+Java Architecture
For the AS ABAP+Java (meaning ABAP and Java processes in the same SAP system, under the same system ID), the same architectural principles apply as for separate AS ABAP and AS Java systems. However, there are some particularities because both runtime environments are integrated with each other in this case. Note: The AS ABAP+Java is often called “add-in installation” because it was possible to install an AS ABAP first and then supplement it with the AS Java at a later point in time. Officially, “dual-stack” can be used as a short term for AS ABAP+Java.
The central instance of an AS ABAP+Java system can be recognized by the following processes: ABAP-MS, enqueue work process and SDM. The central services of the Java runtime environment (Java-MS, Java-ES) are also provided in the Java central services instance here. All other instances are usually called dialog instances. Since both runtime environments are capable of answering requests via web protocols, the Internet Communication Manager must now decide whether the request is addressed to the ABAP or the Java runtime environment. It decides this by means of the URL of the request. In case of a request to the ABAP runtime environment, for example, the call of an ABAP web dynpro, the ICM forwards the request to the ABAP dispatcher and the work processes respond to the request. If the request is a request for the Java runtime environment, for example, the call of a Java Server Page (JSP), the ICM forwards the request to the Java dispatcher and one of the server processes responds to the request. In an AS ABAP+Java system, data is also kept in separate database schemas (but in the same database installation). That is, work processes can only access ABAP data and server processes can only access Java data. In the data exchange, both runtime environments then communicate using the SAP Java Connector (JCo). This communication is necessary, for example, if billing data that is stored in the ABAP data schema is supposed to be displayed in a Java user interface.
The SAP JCo is integrated into the AS Java and is also used when an AS Java system has to communicate with a remote AS ABAP system.
Technical Parts and Topics addressed in this Course
Figure 18: Technical Parts and Topics addressed in this Course
The figure above gives an overview of the technical parts and components discussed in this course. In addition, you will find some topics that are also addressed in the following units. The different security aspects of those parts and topics will be explained in detail in the units to come. The standalone engines SAProuter and SAP Web Dispatcher are part of SAP NetWeaver and will also be discussed in more detail later on.
Lesson Summary
You should now be able to:
• Describe the basic architecture of SAP applications based on SAP NetWeaver Application Server.
Related Information
• SAP Education course SAPTEC - SAP NetWeaver Application Server Fundamentals.
• SAP NetWeaver 7.02 online documentation, path SAP NetWeaver Library → SAP NetWeaver by Key Capability → Application Platform by Key Capability.
• SAP Developer Network, Quick Link /irj/sdn/nw-products.
Unit 3 Network Basics
Unit Overview
This unit will introduce you to the basic terms and concepts of networking. The first lesson explains the different network protocols, the models they are based on, and the concept of a firewall. The second lesson transfers these topics into an SAP system environment.
Unit Objectives
After completing this unit, you will be able to:
• Explain basic network terms and concepts
• Implement recommendations for network architecture in an SAP landscape.
• Install and Configure SAProuter.
• Install and Configure SAP Web Dispatcher.
Unit Contents
Lesson: Networking Concepts ..................................................... 44
Lesson: Network Security in an SAP Landscape ................................ 59
Exercise 1: Install and Configure SAProuter ................................. 81
Exercise 2: Install and Configure SAP Web Dispatcher ........................ 85
Lesson: Networking Concepts
Lesson Overview
This lesson describes the basics of networks. It also describes the network communication in the SAP environment.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain basic network terms and concepts
Business Example
You need to understand basic network terms and concepts.
Network Protocols
The figure below highlights the topics covered in this lesson, that is, the communication protocols and the firewall.
A protocol is a set of rules that define how communication takes place between communication partners. Different protocols are used when telephoning compared to broadcasting. In computer communication, different issues are handled at different levels.
Protocols represent the rules that specify how the different parties may communicate. Protocols deal with the following issues:
• Which voltage pulse represents a 0 and which a 1?
• How to determine the end of a message?
• How to handle lost messages?
• How to identify computers?
• How to connect to a computer?
• How do applications communicate on the network?
OSI Model
Because of the heterogeneous systems and communication media available, a standard is needed to enable communication between different partners.
The International Organization for Standardization (ISO) has developed a standard model for communication called the Open Systems Interconnection Model (OSI Model). Open System means that a system can communicate with any other system that follows the specified standards, formats, and semantics.
The Open Systems Interconnection (OSI) reference model describes how information from a software application in one computer moves through a network medium to a software application in another computer. The OSI reference model is a conceptual model composed of seven layers, each specifying particular network functions. The seven layers of the OSI Model are:
• 7 - Application Layer: Enables program-to-program communication.
• 6 - Presentation Layer: Manages data representation and conversion. For example, the presentation layer converts data from EBCDIC to ASCII.
• 5 - Session Layer: Establishes and maintains communication channels. In practice, this layer is often combined with the Transport Layer.
• 4 - Transport Layer: Ensures end-to-end integrity of data transmission.
• 3 - Network Layer: Routes data from one node to another.
• 2 - Data Link Layer: Passes data from one node to another, including error detection.
• 1 - Physical Layer: Places data on the network media and takes the data off the network.
Data is passed down the stack from one layer to the next until it is transmitted across the network by the network access layer protocols. The four layers of the TCP/IP reference model, which groups the seven OSI layers more coarsely, are designed to distinguish between the different ways that the data is handled as it passes down the protocol stack from the application layer to the underlying physical network. At the remote end, the data is passed up the stack to the receiving application. The individual layers do not need to know how the layers above or below them function; a layer only needs to know how to pass data to the adjacent layers. Each layer in the stack adds control information, such as the destination address, routing controls, and a checksum, to ensure proper delivery of the data. This control information is called a header or a trailer, depending on whether it is placed at the beginning or at the end of the data to be transmitted. Each layer treats all the information it receives from the layer above as data and places its own header and/or trailer around that information. These wrapped messages are then passed to the layer below, together with additional control information, some of which may be forwarded or derived from the higher layer. When a message exits the system on a physical link, such as a wire, the original message is enveloped in multiple, nested wrappers, one for each protocol layer through which the data passed. When a protocol uses headers or trailers to package the data of another protocol, the process is called encapsulation.
Information sent across a network is not intended for a computer as such but for a program on that computer. These programs are distinguished by their port. Every application that receives data from a TCP/IP network acquires a TCP port, a 16-bit number (0 – 65535), which uniquely belongs to that application on that particular host. The application “listens” on that port for incoming messages. Some port numbers are preassigned to services or programs by the Internet Assigned Numbers Authority (IANA). Port numbers can range from 0 through 65535, but port numbers from 0 through 1023 are reserved for privileged services and designated as well-known ports. This list of well-known port numbers specifies the port used by the server process as its contact port. By default, these well-known ports are defined in the /etc/services file. The command netstat -a displays all the connections and listening ports on your computer.
Firewalls
A firewall is a system or a combination of systems that protects a networked system from unauthorized or unwelcome access. Firewalls can be implemented in hardware, in software, or in a combination of both.
Figure 25: Firewalls
There are several types of firewall techniques, which filter the traffic at different levels.
Packet filters can filter the network traffic up to the transport layer level (TCP), looking at IP addresses, port numbers and the type of protocol used. Application level gateways can analyze and control commands of the application protocol.
IP packet filtering is done using a router set up to filter the packets as they pass between the router’s interfaces. These routers can filter IP packets mainly on the following fields:
• Source IP address
• Destination IP address
• TCP source port
• TCP destination port
Packet filters cannot filter information sent at the application level. For this an application level gateway is used.
Figure 28: Application Level Gateway
Application level gateways do not allow any direct network connections between computers from one network to the other. Instead, all connections from the external network must be made to the gateway, which interprets the protocol traffic and makes connections to the internal network on behalf of the outside requestor. The application level gateway consists of two TCP/IP stacks and application level proxies for each protocol in its responsibility. The application level proxy analyzes and controls the commands of its specific protocol, e.g. HTTP. It may also provide additional authentication functionality.
Figure 29: Firewall Architecture / Demilitarized Zone (DMZ)
Servers accessible from the Internet should not be connected directly to the internal network. A two-layer firewall solution provides additional security for internal networks, even if servers connected to the Internet are compromised. If a server located in the DMZ is hacked, the hacker is still not able to access all internal systems, as the inner firewall limits access. The network zone in between the two firewalls is often called the demilitarized zone (DMZ). The DMZ protects valuable resources (e.g. application systems) from direct exposure to an untrusted environment. Sometimes it is also called a perimeter network. Typically, services like web servers, e-mail servers and proxies are located in the DMZ. Hint: This concept can also be applied additionally to the internal network architecture.
An intrusion detection system (IDS) is a product that automatically identifies attacks on networks or hosts. In case of an important event, security administrators can be notified. There are two basic types of IDS: network-based IDS and host-based IDS. A network-based intrusion detection system monitors and analyzes the traffic of a whole network. A host-based IDS monitors and analyzes the network traffic, operating system and file system of one single host. If the two types are combined and their data is sent to a central server, this is called a distributed IDS. Keep in mind that no system automatically provides full security.
Intrusion Prevention System
Figure 31: Intrusion Prevention System (IPS)
An intrusion prevention system (IPS) is considered an extension of an IDS. Compared to intrusion detection systems, the IPS is placed in-line to actively prevent and block detected intrusions. The system is able to identify attacks and deviations in the bit pattern of data traffic using signatures, anomaly detection algorithms and advanced patterns. The IPS can then take actions such as sending an alarm, dropping the malicious packets, resetting the connection or blocking the traffic from the offending IP address.
• Suitable for intranet scenario
• Suitable for global load balancing
• Not suitable for server load balancing

Load balancing device:
• Transparent for client
• Always the same URL
• One official IP address for all application servers
• One server certificate for all servers
• Technically challenging
• Usually preferable
Stateful applications impose special requirements on the load balancing mechanisms. HTTP is a stateless protocol which means that the network connection does not last for the duration of a user session. The protocol itself provides no options to return a subsequent request to an already established session. While processing a request, the load balancer directs the user to a particular application server. If the load balancer directs the user to a different server for subsequent requests, then the second server would not know what had already occurred on the first server. As a result, session context information is lost. For example, if the first context holds any locks on the data, the second session cannot access these locked items. There is a conflict between the application that uses stateful information and the stateless protocol. As a result the load balancing device must ensure that all requests from an application session are always directed to the same application server.
To make sure that the client is always directed to the correct server, the application server can use a session ID that it either saves in a Web browser cookie or inserts into the user's URL. In this case, the load balancer does not have to maintain the session information; the server information is contained in the cookie or the URL. As a result, the load balancer needs access to the plain-text information in the request, so the traffic cannot be SSL-encrypted when it reaches the load balancer.
IP address of client
In this case, the load balancer uses the IP address of the client to direct the user to a particular server. This method also works with encrypted traffic, but there are a few problems. Proxies and alternative host names distort the load distribution. For example, all users that reach the servers through a specific proxy share the proxy's IP address and are therefore directed to the same server.
Lesson: Network Security in an SAP Landscape
Lesson Overview
This lesson covers different aspects of network security in an SAP system landscape. SAProuter and SAP Web Dispatcher are introduced as important SAP components. The usage of SAProuter and SAP Web Dispatcher has an influence on the network architecture.
Lesson Objectives
After completing this lesson, you will be able to:
• Implement recommendations for network architecture in an SAP landscape.
• Install and Configure SAProuter.
• Install and Configure SAP Web Dispatcher.
Business Example
Ensure basic network security for the SAP system landscape.
Network Components
The figure below shows the components discussed in this lesson.
Apart from protocols, ports and network recommendations this lesson introduces SAProuter and SAP Web Dispatcher.
Ports used by SAP NetWeaver AS
Many SAP systems are based on SAP NetWeaver AS. Understanding which ports and protocols SAP NetWeaver AS uses therefore means understanding this for the majority of SAP installations. In an SAP system landscape, the following types of communication occur:
• SAP GUI for Windows or Java to the AS ABAP based SAP system
• Web Browser to the SAP system
• Connections from the AS ABAP based SAP system to print servers, for example using SAPSprint
• Connections between SAP systems
• Connections to third-party applications
The SAP system needs to use a number of ports, which are determined by the operating system process involved and the instance number the process belongs to.
Figure 36: Ports used by SAP NetWeaver Application Server
The figure above shows the most important ports of SAP NetWeaver AS. SAP GUI for Windows connects to the ABAP system using the dispatcher process on the application server. The dispatcher uses port 32$$, where $$ stands for the instance number. SAP Logon (as part of SAP GUI) communicates with the ABAP Message Server. Its port is defined by a sapms entry in the services file of the operating system; the default port is 36$$. The ABAP system also communicates with the SAP GUI using RFC. Here the Gateway process is involved; its port is 33$$. External RFC clients, for example other SAP systems or third-party applications, connect to the Gateway process. The Internet Communication Manager (ICM) uses the default port 80$$ for the HTTP protocol, to which a Web Browser can connect. sapstartsrv is the process involved in starting and stopping the SAP system. It can be called using the default port 5$$13. The SAP program SAPSprint handles the SAP system print requests sent out by the Spool work process. SAPSprint listens on default port 515.
When connecting with a Web Browser to the AS Java, the Java dispatcher is called on default HTTP port 5$$00. Also the Software Deployment Manager (SDM) can be accessed remotely on the default port 5$$18. Note: For a complete list of ports you can use the document TCP/IP Ports Used by SAP Applications. It is provided on the SAP Developer Network, Quick Link /irj/sdn/security, and follow the link Network and Communications Security.
Network Filtering
Even from the small number of ports mentioned in the previous section you can see that network filtering is a fundamental requirement for secure SAP systems. It reduces the attack surface to the least number of services that end users need to access. These remaining services should then be configured securely.
Figure 37: Network Filtering
Secure SAP operation requires network filtering between the end-user network and the SAP systems. For more information, see the SAP NetWeaver Security Guide. The network services listed in the table below are required to be accessible from end-user networks in most customers' SAP installations. All other network services are typically not required and should be blocked between the end-user network and the SAP systems. The network services listed below refer to the standard installation default ports; $$ is used as a placeholder for the instance number of the SAP system.
Service | Description | Default port
ABAP Dispatcher | The ABAP dispatcher is used by SAP GUI. The communication protocol used is SAP DIAG. | 32$$
ABAP Message Server | The Message Server manages load balancing information and system-internal communication. | 36$$
Gateway | The Gateway manages SAP Remote Function Call (RFC) communication. | 33$$
HTTPS | Secure HTTP communication from Web Browser or Web Service to the SAP system. | 443$$ (ICM port, not active per default); 5$$01 (Java Dispatcher port)
The actual network architecture depends on infrastructure components (e.g. SAProuter, SAP Web Dispatcher, Load Balancer), which need to be taken into account for architecture planning. These infrastructure components do not change the fact that access to SAP DIAG, SAP RFC, SAP Message Server and HTTPS is necessary, but have impact on network filtering implementation.
Administrative access to the SAP systems needs to be done from an administration network. This network is allowed to access the SAP systems with administrative protocols (e.g. SSH, RDP, database administration, etc.). Access to the administrative network must be properly secured by common security concepts (e.g. allow administrative access to the SAP systems only from dedicated subnets or dedicated workstations).
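As an added example (not part of the course material), the following Python expands the $$ port patterns quoted in this lesson for a given instance number and compares a firewall allow-list for the end-user network with the lesson's list of required services (SAP DIAG, Message Server, RFC, HTTPS); the function names, the service labels and the sample allow-list are constructed for illustration.

```python
"""Derive SAP NetWeaver AS default ports from the instance number and check
an end-user firewall allow-list against the lesson's filtering recommendation.
Added example, not SAP course code. The "$$" port patterns are the defaults
quoted in the lesson; function names, service labels and the sample allow-list
are constructed for illustration."""

from __future__ import annotations

# Default port patterns from the lesson; "$$" is the two-digit instance number.
PORT_PATTERNS: dict[str, str] = {
    "abap_dispatcher": "32$$",         # SAP GUI, protocol SAP DIAG
    "gateway": "33$$",                 # RFC (other SAP systems, external RFC clients)
    "abap_message_server": "36$$",     # logon load balancing (sapms entry in services)
    "icm_http": "80$$",                # ICM, plain HTTP
    "icm_https": "443$$",              # ICM HTTPS, not active per default
    "java_dispatcher_http": "5$$00",   # AS Java HTTP
    "java_dispatcher_https": "5$$01",  # AS Java HTTPS
    "sapstartsrv": "5$$13",            # start/stop service
    "sdm": "5$$18",                    # Software Deployment Manager
}

# Services the lesson requires to be reachable from end-user networks.
# Everything else should be blocked between end-user network and SAP systems.
END_USER_SERVICES: frozenset[str] = frozenset({
    "abap_dispatcher", "abap_message_server", "gateway",
    "icm_https", "java_dispatcher_https",
})


def instance_ports(instance_no: int) -> dict[str, int]:
    """Expand every "$$" pattern for one instance number (00..99)."""
    if not 0 <= instance_no <= 99:
        raise ValueError("instance number must be between 00 and 99")
    inst = f"{instance_no:02d}"
    return {name: int(pattern.replace("$$", inst))
            for name, pattern in PORT_PATTERNS.items()}


def check_end_user_filter(instance_no: int, allowed_ports: set[int]) -> dict[str, list[str]]:
    """Compare the ports a firewall allows from the end-user network with the
    lesson's list. "missing" = required services the filter blocks,
    "exposed" = services reachable although they should be blocked."""
    ports = instance_ports(instance_no)
    missing = sorted(name for name in END_USER_SERVICES
                     if ports[name] not in allowed_ports)
    exposed = sorted(name for name, port in ports.items()
                     if name not in END_USER_SERVICES and port in allowed_ports)
    return {"missing": missing, "exposed": exposed}


if __name__ == "__main__":
    # Constructed allow-list for instance 00: sapstartsrv (50013) was also left
    # open towards end users, which the check reports as "exposed".
    sample_allow = {3200, 3300, 3600, 44300, 50001, 50013}
    print(instance_ports(0))
    print(check_end_user_filter(0, sample_allow))
```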
SAProuter
SAProuter is software that functions as an intermediate station between SAP systems or programs. SAProuter functions as a proxy that has some properties of an application level gateway when it comes to the usage of SAP protocols. SAProuter allows you to connect to an SAP system without a direct network connection between the client computer and the application server. The SAP GUI (for Windows; for Java) connects to the SAProuter, which forwards all the packets to the application server or to another SAProuter.
The figure above shows how SAProuter can be used in an SAP system landscape. Instead of opening the corporate firewall for all ports and protocols used by an SAP system, only the SAProuter port (default port 3299) is opened. The SAProuter can be configured to pass only communications based on the SAP Protocol, coming from specific IP addresses and directed to the SAP systems. Note: SAP Protocol is the technical foundation for protocols like DIAG and RFC. SAP Protocol is also called NI (Network Interface). In this scenario the SAProuter makes it easier to administer the networking aspects of the SAP landscape. In case of changes at the SAP system level (e.g. installation of an additional instance providing additional ports), it is not necessary to involve the IT department responsible for the corporate firewall. The SAP administration can reconfigure the SAProuter to incorporate the changes.
SAProuter lets you:
• control and log the connections to your SAP system,
• allow access only from the SAProuters you have selected,
• allow only encrypted connections from a known partner.
Note: SAProuter cannot be used for protocols that are not based on SAP Protocol, for example HTTP, telnet or SMTP. Caution: SAProuter does not replace a firewall; use it in addition to the corporate firewall.
See SAP Note 30289: SAProuter documentation for more information.
SAProuter and Remote Support
SAProuter is also used to enable a secured connection between the customer network and SAP Support.
Figure 40: SAProuter and Remote Support
In this scenario an SAProuter at customer site is connected to an SAProuter at SAP. The connection is secured by Secure Network Communication (SNC). Using this connection SAP Support can access the SAP systems at customer site.
SAProuter Installation and Configuration
You will find the latest SAProuter on the SAP Service Marketplace, Quick Link /patches. Navigate to Support Packages and Patches → Browse our Download Catalog → Additional Components → SAPROUTER → SAPROUTER. To install SAProuter, simply extract the downloaded package into a directory on the host. For example, on a Windows host create the directory <drive>:\usr\sap\saprouter and copy the executables saprouter.exe and niping.exe into it. To install SAProuter as a Windows service, execute the command ntscmgr install SAProuter -b <drive>:\usr\sap\saprouter\saprouter.exe -p "service -r". For the possible options see SAP Note 30289: SAProuter documentation.
SAProuter uses the route permission table to control which specific IP addresses and subnetworks are allowed or denied access to a particular network. By default the route permission table is a file called saprouttab in the installation directory of SAProuter. The file contains a list of connections that are denied or permitted access to a particular network. Standard entries have the form

P/S/D <source-host> <target-host> <target-service> [<password>]

where D denies and P permits the following connection, and S permits only connections based on SAP Protocol. As <source-host> the host name or IP address of the client is entered, for example the host on which SAP GUI is running. As <target-host> the host name or IP address of the target is entered, for example the host on which the SAP system is running. <target-service> specifies the service name or port number of the communication target. Optionally a <password> can be entered that is then required to use this route. Wildcard characters (*) can be used for hosts and services; it is not recommended to use wildcards in P and S entries.
Hint: The first match in saprouttab is decisive. That means the order of the entries is important, and D entries should be at the top of the list. If no entry matches, permission is denied.
If the communication is to be secured by Secure Network Communication (SNC), the saprouttab entries must be specified with KT, KD, KS and KP, and SAProuter must be started with the option -K.
To connect to an SAP system using SAProuter, you enter an SAProuter string. It has the form /H/<saprouter-host>/S/<saprouter-port>/W/<password>/H/<target-host>. The part /S/<saprouter-port> can be left out if SAProuter uses the default port 3299. With /W/<password> you enter the password if one was set in saprouttab. For more information see SAP Note 30289: SAProuter documentation.
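The following evaluator is added here as an illustration and is not part of the course material or of SAProuter itself. It applies the saprouttab rules described above (P, S and D entries, first match decisive, default deny, optional route password) to a SAProuter string and reports why a hop is accepted or refused. The table, the SAProuter host saprouter01, the target sapdev01, the client addresses and the password secret are constructed sample data, and SAProuter's wildcard handling is approximated with shell-style patterns.

```python
"""Added example: evaluate SAProuter strings against a saprouttab (constructed data)."""
from fnmatch import fnmatchcase

# Constructed saprouttab. D entries come first because the first match wins.
SAMPLE_SAPROUTTAB = """\
# <P|S|D> <source-host> <target-host> <target-service> [<password>]
D  *         *         3299
S  10.1.1.*  sapdev01  3200    secret
P  10.1.1.*  sapdev01  3300
D  *         *         *
"""


def parse_saprouttab(text):
    """Return a list of (action, source, target, service, password) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("P", "S", "D"):
            raise ValueError(f"malformed saprouttab line: {raw!r}")
        action, source, target, service = fields[:4]
        password = fields[4] if len(fields) > 4 else None
        entries.append((action, source, target, service, password))
    return entries


def check_hop(entries, source, target, service, password=None, native=False):
    """Decide one hop with first-match semantics; returns (allowed, reason).

    native=True models a raw (non-SAP-protocol) connection request, which
    only a P entry may grant; an S entry refuses it.
    """
    for action, src, dst, svc, required_pw in entries:
        if not (fnmatchcase(source, src) and fnmatchcase(target, dst)
                and fnmatchcase(str(service), svc)):
            continue
        if action == "D":
            return False, "denied by D entry"
        if action == "S" and native:
            return False, "S entry permits SAP-protocol connections only"
        if required_pw is not None and required_pw != password:
            return False, "route password missing or wrong"
        return True, f"permitted by {action} entry"
    return False, "no matching entry (default deny)"


def parse_route_string(route):
    """Split /H/host/S/port/W/pw/H/... into hops; /S/ defaults to 3299."""
    parts = route.strip("/").split("/")
    if len(parts) % 2:
        raise ValueError("route string must consist of /key/value/ pairs")
    hops = []
    for key, value in zip(parts[::2], parts[1::2]):
        if key == "H":
            hops.append({"host": value, "port": 3299, "password": None})
        elif key == "S" and hops:
            hops[-1]["port"] = int(value)
        elif key == "W" and hops:
            hops[-1]["password"] = value
        else:
            raise ValueError(f"unexpected route element /{key}/{value}")
    return hops


def evaluate_route(route, client_host, tables):
    """Walk the route hop by hop; tables maps each SAProuter host to its entries.

    The password given with /W/ after a SAProuter's /H/ is presented to that
    SAProuter; the next /H/ (with its /S/) is the target it must permit.
    """
    hops = parse_route_string(route)
    if len(hops) < 2:
        raise ValueError("route needs at least one SAProuter and a target")
    source = client_host
    for router, nxt in zip(hops, hops[1:]):
        entries = tables.get(router["host"])
        if entries is None:
            return False, f"{router['host']}: no route permission table known"
        ok, why = check_hop(entries, source, nxt["host"], nxt["port"],
                            password=router["password"])
        if not ok:
            return False, f"{router['host']}: {why}"
        source = router["host"]
    return True, "permitted by every hop"


TABLES = {"saprouter01": parse_saprouttab(SAMPLE_SAPROUTTAB)}

if __name__ == "__main__":
    for route, client in [
        ("/H/saprouter01/S/3299/W/secret/H/sapdev01/S/3200", "10.1.1.25"),
        ("/H/saprouter01/H/sapdev01/S/3200", "10.1.1.25"),
        ("/H/saprouter01/W/secret/H/sapdev01/S/3200", "192.168.7.7"),
        ("/H/saprouter01/H/saprouter02/H/sapdev01/S/3200", "10.1.1.25"),
    ]:
        print(client, route, evaluate_route(route, client, TABLES))
```

The fourth route shows why the D entries sit at the top: the attempt to chain through a second SAProuter on port 3299 is refused before the permissive entries are ever consulted, and the second route shows that a route password set in saprouttab must be carried in the /W/ part of the string.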
Figure 42: Client Based Load Balancing (Not Recommended)
The user contacts the message server and is redirected to one of the application servers. The user then remains on this server for the duration of the session. Because the user has a direct connection to the application server, there are no problems with session persistence or with SSL. However, the user will not always be directed to the same server: the URL changes, so bookmarks do not work as expected, and if relative URLs are not used the user is prompted to authenticate again when switching servers (this can be solved with Single Sign-On). When using SSL, each server must have its own server certificate, which increases cost and administrative overhead. In this scenario SSL is suitable for intranet landscapes but not for the Internet.
Other load balancers can be used in front of the back-end servers. As a result, the user has only one URL that is always used to access the application server. Several options for load balancing are available:
• SAP Web Dispatcher
• Web switch
• Reverse proxy
• Combinations
The SAP Web Dispatcher is a load balancing and application proxy solution for SAP NetWeaver AS. It is designed for customers who do not currently have such devices in place and want an easy-to-use solution.
Characteristics:
• Uses the message server to determine the current state of the system.
• Uses SAP logon groups to determine which requests are directed to which server, for example ABAP or Java.
Advantages:
• The software is delivered free of charge as part of SAP NetWeaver AS.
• "Near zero" configuration and administration.
• Supports SAP NetWeaver AS features "out of the box".
The SAP Web Dispatcher is a separate program that can run on a host directly connected to the intranet or Internet. It requires minimal configuration: basically, the profile file for the SAP Web Dispatcher only needs the host and HTTP port of the message server of the SAP system and the HTTP(S) port on which the Web Dispatcher itself listens.
Other load balancing devices:
• Hardware load balancer
• Web switch
• Reverse proxy
• Other network load balancing devices
Advantages:
• Such products provide additional features that are not available with the Web Dispatcher, for example authentication.
• You can reuse an existing infrastructure.
• You have a unified Web infrastructure for all Web systems, both SAP and non-SAP.
Disadvantages:
• Costs
• Less integrated with SAP NetWeaver AS
• Configuration and maintenance overhead
With the reverse proxy, you can route incoming requests to different services based on the URL path. For example, in the above graphic, requests containing the path /other are directed to static Web pages located on the Web server. If the request is directed to a path under /sap, then the reverse proxy directs the request to the SAP NetWeaver AS host456. Requests that contain the path /store are directed to host789. In this way, you can activate different services on different hosts that are all accessible using the same HTTP(S) port.
By combining technologies, you can optimize security and availability of systems. For example, in the graphic above, Web switches are used at the furthest end of the communication path. The Web switch therefore does not need to be highly “trusted” and does not need to handle session persistence. If SSL is used, then the connection can simply be passed on to an SAP Web Dispatcher, which may be considered more “trusted”. The Web Dispatcher handles the load balancing and session persistence for the connections to the SAP NetWeaver Application Servers in the back-end. If SSL is used, then it can be terminated at the Web Dispatcher so that the Web Dispatcher can perform URL filtering.
SAP Web Dispatcher
The SAP Web Dispatcher is the entry point for HTTP(S) requests into your systems based on SAP NetWeaver AS. It was developed primarily as a software load balancer, but over time it has been enhanced with functions of an application level gateway. SAP Web Dispatcher can reject or accept connections. When it accepts a connection, it balances the load to ensure an even distribution across the application servers. SAP Web Dispatcher therefore contributes to security and balances the load in your SAP system. You can use SAP Web Dispatcher with AS ABAP, AS Java and AS ABAP+Java based systems.
As of release 7.2 one SAP Web Dispatcher can be used for more than one SAP system, as displayed in the figure above. SAP Note 908097: SAP Web Dispatcher: Released releases and applying patches contains the information about which SAP Web Dispatcher release can be used with which release of SAP NetWeaver AS. SAP Web Dispatcher 7.2 provides the following features:
• Server selection and load balancing: forwarding of incoming stateful or stateless HTTP(S) requests to an appropriate SAP NetWeaver AS for processing.
• URL filtering: maintain a URI permission table to control which requests are rejected or accepted.
• Web caching: use SAP Web Dispatcher as a Web cache to improve response times and offload the application server.
• Modification of HTTP requests: manipulate inbound HTTP requests on the basis of defined rules. You can manipulate HTTP header fields, filter requests, redirect requests and manipulate URL values.
• Secure Sockets Layer (SSL): depending on the SSL configuration you can forward, terminate, and (re)encrypt requests.
You can configure SAP Web Dispatcher to use all, some, or only one of these features.
An SAP NetWeaver AS based SAP system consists of one or more instances on which HTTP(S) requests are processed. Using SAP Web Dispatcher, you have a single point of access for HTTP(S) requests into your system. SAP Web Dispatcher balances the load so that the requests are distributed over all instances. In addition you can increase the security of your system landscape by using the additional features of SAP Web Dispatcher (e.g. URL filtering).
SAP Web Dispatcher Installation
SAP Web Dispatcher is initially installed using the SAPinst installation program. This initial installation is described in the installation guide, which you can find on SAP Service Marketplace, Quick Link /instguides. To use SAP Web Dispatcher as a load balancer you just need to specify information about the message server of the SAP system during the installation. Further information about the SAP system is provided to the SAP Web Dispatcher by the message server. In an AS ABAP or AS ABAP+Java based system the SAP Web Dispatcher uses the ABAP message server; in an AS Java based system the Java message server is used.
SAP Web Dispatcher Security
To guarantee maximum security when SAP Web Dispatcher is used, SAP recommends the following measures while it is in operation:
• Always use the latest version of SAP Web Dispatcher.
• Configure your own error pages to ensure the technical reason for an error is not shown to the end user.
• Use the Web Dispatcher as a URL filter with white lists (which URLs are allowed). Definitely filter the following URLs, as they provide details of the infrastructure and the configuration: /sap/public/icman/*, /sap/public/icf_info/*, and /sap/wdisp/info.
• Increase security for the Web Admin interface by
– using a dedicated port (not equal to the "content" port),
– using SSL,
– allowing administration tasks only under a specific host name/IP address that is reachable from the internal network only.
For more information see SAP Note 870127: Security note for SAP Web Dispatcher.
To configure SAP Web Dispatcher to reject specific URLs, the Authentication Handler can be used. With the profile parameter icm/HTTP/auth_<xx> you can set up access restrictions. You can filter requests according to the following criteria:
• URL
• Client IP address
• Server IP address
• User name/user group and password
• String search in the URL
By setting the parameter icm/HTTP/auth_<xx>, for example to icm/HTTP/auth_0 = PREFIX=/,PERMFILE=permissionfile.txt,FILTER=SAP, you specify allowed or forbidden requests in the file permissionfile.txt. You can control which specific IP addresses and subnetworks are allowed or denied access, and you can allow or deny specific URL patterns. Each entry starts with P, S or D, where D denies and P permits the following request, and S permits it only over HTTPS. The entry further contains the IP address (pattern) of the client, the IP address of the application server host, the URL prefix of the request (e.g. /sap/public/info) and optionally a user or group known to the SAP Web Dispatcher (e.g. for administration of the SAP Web Dispatcher). Wildcard characters (*) can be used.
Hint: The first match is decisive, and the URI pattern is case sensitive. That means the order of the entries is important. Create the table as a positive list: permit all URLs that are to be allowed, and at the end of the table add the row D /* * * * * to deny everything else.
Note: In addition to the function described above, the Request Manipulation Handler can be used to define your own rules for filtering, manipulating, or redirecting requests very flexibly. Profile parameter icm/HTTP/mod_<xx> is used for this. See the latest SAP NetWeaver Library on http://help.sap.com for more information about SAP Web Dispatcher.
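The script below is an added illustration, not part of the course text or of SAP's own tooling. It checks a Web Dispatcher profile against the recommendations of this section (HTTPS, URL filter with a permission file, admin interface on a dedicated port bound to an internal address, own error pages) and evaluates a permission file with the first-match, case-sensitive, positive-list rules just described, testing in particular whether the three information URLs named above are still reachable. The parameter names icm/server_port_<xx>, icm/HTTP/auth_<xx>, icm/HTTP/admin_<xx> and icm/HTTP/error_templ_path are real SAP profile parameters; the PORT= and HOST= sub-options of the admin handler are taken from the SAP parameter documentation and are only string-matched here. Both profiles, both permission files, the hosts and the ports are constructed. The column order assumed for permission-file entries (URI pattern, client IP, server IP, user, group) follows the deny-all row shown in the course; verify it against the SAP NetWeaver Library for your release.

```python
"""Added example: audit a Web Dispatcher profile and its permission file (constructed data)."""
from fnmatch import fnmatchcase

# URLs the course says must be filtered because they reveal infrastructure details.
INFO_URLS = ("/sap/public/icman/", "/sap/public/icf_info/", "/sap/wdisp/info")

# Constructed profile with the weak settings: HTTP only, no URL filter,
# admin interface on the content port, default error pages.
WEAK_PROFILE = """\
icm/server_port_0 = PROT=HTTP,PORT=8005
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=icmauth.txt
"""

# Constructed hardened profile following the recommendations above.
HARDENED_PROFILE = """\
icm/server_port_0 = PROT=HTTPS,PORT=44305
icm/server_port_1 = PROT=HTTP,PORT=8006,HOST=10.0.5.20
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin,AUTHFILE=icmauth.txt,PORT=8006,HOST=10.0.5.20
icm/HTTP/auth_0 = PREFIX=/,PERMFILE=permissionfile.txt,FILTER=SAP
icm/HTTP/error_templ_path = ./errors
"""

# Positive list: only listed prefixes pass, the last row denies everything else.
POSITIVE_PERMFILE = """\
# <P|S|D> <uri-pattern> <client-ip> <server-ip> <user> <group>
S  /sap/bc/webdynpro/*    *       *  *  *
P  /sap/bc/gui/sap/its/*  *       *  *  *
P  /sap/wdisp/admin/*     10.0.*  *  *  *
D  /*                     *       *  *  *
"""

# Negative list: blocks one info URL and lets everything else through.
NEGATIVE_PERMFILE = """\
D  /sap/public/icman/*  *  *  *  *
P  /*                   *  *  *  *
"""


def parse_profile(text):
    """Map 'NAME = OPT=val,OPT=val' profile lines to {NAME: {OPT: val}}."""
    profile = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        opts = {}
        for item in value.split(","):
            key, sep, val = item.strip().partition("=")
            opts[key] = val if sep else None
        profile[name.strip()] = opts
    return profile


def audit_profile(text):
    """Return one finding per recommendation that the profile does not meet."""
    prof = parse_profile(text)
    ports = {n: o for n, o in prof.items() if n.startswith("icm/server_port_")}
    findings = []
    if not any(o.get("PROT") == "HTTPS" for o in ports.values()):
        findings.append("no HTTPS: no icm/server_port_<xx> with PROT=HTTPS")
    if not any(n.startswith("icm/HTTP/auth_") and "PERMFILE" in o for n, o in prof.items()):
        findings.append("no URL filter: no icm/HTTP/auth_<xx> with PERMFILE=")
    content_port = ports.get("icm/server_port_0", {}).get("PORT")
    for name, opts in prof.items():
        if not name.startswith("icm/HTTP/admin_"):
            continue
        if opts.get("PORT") in (None, content_port):
            findings.append(f"{name}: admin interface on the content port, set PORT= to a dedicated port")
        if "HOST" not in opts:
            findings.append(f"{name}: no HOST= restriction for the admin interface")
    if "icm/HTTP/error_templ_path" not in prof:
        findings.append("default error pages: set icm/HTTP/error_templ_path to own templates")
    return findings


def parse_permfile(text):
    """Return (action, uri_pattern, client_pattern, server_pattern) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) < 4 or f[0] not in ("P", "S", "D"):
            raise ValueError(f"malformed permission entry: {raw!r}")
        entries.append((f[0], f[1], f[2], f[3]))
    return entries


def is_permitted(entries, uri, client_ip, server_ip, https=False):
    """First match decides; patterns are case sensitive; no match means deny."""
    for action, upat, cpat, spat in entries:
        if fnmatchcase(uri, upat) and fnmatchcase(client_ip, cpat) and fnmatchcase(server_ip, spat):
            return action == "P" or (action == "S" and https)
    return False


def exposed_info_urls(entries, client_ip="203.0.113.9", server_ip="10.0.5.20"):
    """Info URLs that an external client (constructed address) can still reach."""
    return [u for u in INFO_URLS if is_permitted(entries, u, client_ip, server_ip, https=True)]


def has_catch_all_deny(entries):
    """True when the table ends with a D row whose patterns match everything."""
    action, upat, cpat, spat = entries[-1]
    return action == "D" and upat in ("*", "/*") and cpat == "*" and spat == "*"
```

Running exposed_info_urls on the negative list shows the point of the positive-list recommendation: the one D row blocks /sap/public/icman/ but /sap/public/icf_info/ and /sap/wdisp/info fall through to the permissive row, whereas the positive list denies all three without naming any of them.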
Exercise 1: Install and Configure SAProuter
Exercise Objectives
After completing this exercise, you will be able to:
• Install SAProuter
• Maintain the route permission table
• Log on to the SAP system using SAProuter
Business Example You need to install and configure SAProuter.
Task 1: Install and Configure SAProuter
Install SAProuter on the operating system of your SAP system. Maintain the route permission table.
Caution: As you are working on the same host as another group, you need to specify a separate directory and a separate port from the default.
Hint: You can use the files from the training share for this course in folder SAProuter to copy and paste command lines and the needed files.
1. Install and start the SAProuter on the host of your SAP system. Use a route permission table (saprouttab). The installation directory should be D:\usr\sap\saprouter. The host name and its logon information are provided by your instructor.
Task 2: SAP GUI and SAProuter
Test the SAProuter connection by configuring a new system entry in SAP Logon that connects to your SAP system.
1. Create a system entry in SAP Logon on your front end that enables you to connect to your SAP training system through your SAProuter using a SAProuter string. Use this logon entry to log on to your SAP system. Can you connect to your SAP system?
2. Change the SAP Logon entry so that the SAProuter string contains the correct password. Use this logon entry to log on to your SAP system. Can you connect to your SAP system now?
Solution 1: Install and Configure SAProuter
Task 1: Install and Configure SAProuter
Install SAProuter on the operating system of your SAP system. Maintain the route permission table.
Caution: As you are working on the same host as another group, you need to specify a separate directory and a separate port from the default.
Hint: You can use the files from the training share for this course in folder SAProuter to copy and paste command lines and the needed files.
1. Install and start the SAProuter on the host of your SAP system. Use a route permission table (saprouttab). The installation directory should be D:\usr\sap\saprouter. The host name and its logon information are provided by your instructor.
a) Log on to operating system level of your SAP system.
b) Create the directory D:\usr\sap\saprouter.
c) Copy the files saprouter.exe and saprouttab from the training share to your newly created directory.
d) Open a command prompt in the saprouter directory and start SAProuter using the command saprouter -r -S 329x, where x is 0 for system DEV and 1 for system QAS.
e) To stop SAProuter you can use the command saprouter -s -S 329x in another command prompt.
f) If you like, you can install SAProuter as a Windows service. For this, first stop your running SAProuter. Then enter the following command line into the command prompt: ntscmgr install SAProuter<SID> -b "D:\usr\sap\saprouter\saprouter.exe" -p "service -r -S 329x". <SID> needs to be replaced by DEV or QAS, and x by 0 for system DEV or 1 for system QAS.
To start and stop SAProuter when installed as a Windows service, open the Services console, for example at Start → Programs → Administrative Tools → Services. Look up the SAProuter service in the list, select it and use the right mouse button to start or stop the service.
Task 2: SAP GUI and SAProuter
Test the SAProuter connection by configuring a new system entry in SAP Logon that connects to your SAP system.
1. Create a system entry in SAP Logon on your front end that enables you to connect to your SAP training system through your SAProuter using a SAProuter string. Use this logon entry to log on to your SAP system. Can you connect to your SAP system?
a) Open SAP Logon and create a new system entry by choosing New.
b) Select User specified system and choose Next.
c) Enter a short Description, the name of your Application Server, the System ID, the instance number of the application server (into field System Number) and finally the SAProuter String. The exact connection data will be provided by the instructor. The router string should look like /H/<saprouter-host>/S/<saprouter-port>, for example /H/twdf1234/S/3290. Hint: SAP Logon will automatically add another /H/ at the end of the string.
2. Change the SAP Logon entry so that the SAProuter string contains the correct password. Use this logon entry to log on to your SAP system. Can you connect to your SAP system now?
a) Log on to operating system level of your SAP system. Open the file saprouttab and note the password given there. Now log on to your SAP system using this entry.
b) On your front end, open SAP Logon and change the system entry you created before (button Edit). Change the SAProuter String to /H/<saprouter-host>/S/<saprouter-port>/W/<password>/H/, for example /H/twdf1234/S/3290/W/secret/H/.
Result: Congratulations! You successfully installed SAProuter and connected to your SAP system through SAProuter.
Exercise 2: Install and Configure SAP Web Dispatcher Exercise Objectives After completing this exercise, you will be able to: • Install SAP Web Dispatcher • Configure URL Filtering with SAP Web Dispatcher
Business Example Install and configure SAP Web Dispatcher.
Figure 51: Complete Scenario of the Training Landscape
Task 1: Installing SAP Web Dispatcher
Installing and configuring SAP Web Dispatcher.
1. Using the installation DVD extract available on the training share in folder \Installation Media (DVDs)\SAP NetWeaver CE 7.20 Installation Win_x64, install an SAP Web Dispatcher system using the following settings (here and in the following, twdfSSSS.wdf.sap.corp refers to the host name of the SAP system that is allocated to your group; see the figure above).
Caution: To avoid conflicts, the DEV team and the QAS team should run SAPinst consecutively! Once the first team has closed their SAPinst, the second team may start SAPinst.
Setting                                   DEV group   QAS group
SAP Cryptographic Library                 Training Share:ADM960_73\SNC\SAPCryptoLib\SAPCryptoLib.SAR (both groups)
Message Server HTTP Port                  8100        8110
SAP Web Dispatcher Instance Number        05          15
SAP Web Dispatcher HTTP Port              8005        8015
Create Configuration for System of Size   Small       Small
2. Update the SAP Web Dispatcher 7.20 installation using the latest SAP Web Dispatcher package offered on the training share at \Maintenance Data (SPs and Patches)\SAP Web Disp 7.20.
3. Using SAP MC or SAP MMC, check the developer trace of your SAP Web Dispatcher. In case of the error message "SAPCAR.exe not found", provide SAPCAR.exe and restart the SAP Web Dispatcher system.
Result Your SAP Web Dispatcher is up and running. It is already possible to launch all web based applications via the SAP Web Dispatcher.
Task 2: Using SAP Web Dispatcher
Send requests that are distributed using the SAP Web Dispatcher.
1. Call the ICF service /sap/public/info using your SAP Web Dispatcher.
2. Call the AS Java URL http://twdfSSSS.wdf.sap.corp:<8005|8015>/webdynpro/dispatcher/local/WhoAmI/Show (this is a small application developed for this training).
Result: You have seen the SAP Web Dispatcher in operation.
Task 3: Configure the Authentication Handler
Configure your SAP Web Dispatcher to reject the service /sap/public/info.
1. Configure your SAP Web Dispatcher to reject the service /sap/public/info by setting the parameter icm/HTTP/auth_1 = PREFIX=/,PERMFILE=permissionfile.txt and copying the prepared file permissionfile.txt to the work directory. Restart your Web Dispatcher to activate the changes. The needed files can be found in the training share folder ADM960_73\SAP Web Dispatcher.
Result: The SAP Web Dispatcher rejects the service /sap/public/info. You can test this by opening a browser and calling the URL http://twdfSSSS.wdf.sap.corp:<8005|8015>/sap/public/info.
Solution 2: Install and Configure SAP Web Dispatcher
Task 1: Installing SAP Web Dispatcher
Figure 52: Complete Scenario of the Training Landscape
Installing and configuring SAP Web Dispatcher.
1. Using the installation DVD extract available on the training share in folder \Installation Media (DVDs)\SAP NetWeaver CE 7.20 Installation Win_x64, install an SAP Web Dispatcher system using the following settings (here and in the following, twdfSSSS.wdf.sap.corp refers to the host name of the SAP system that is allocated to your group; see the figure above).
Caution: To avoid conflicts, the DEV team and the QAS team should run SAPinst consecutively! Once the first team has closed their SAPinst, the second team may start SAPinst.
Setting                                   DEV group   QAS group
SAP Cryptographic Library                 Training Share:ADM960_73\SNC\SAPCryptoLib\SAPCryptoLib.SAR (both groups)
Message Server HTTP Port                  8100        8110
SAP Web Dispatcher Instance Number        05          15
SAP Web Dispatcher HTTP Port              8005        8015
Create Configuration for System of Size   Small       Small
a) At operating system level of your server, launch SAPinst from the training share folder \Installation Media (DVDs)\SAP NetWeaver CE 7.20 Installation Win_x64\Installation Master - Kernel Windows\DATA_UNITS\CE720_IM_SAPINSTGUI_X86_64_ADA\sapinst.exe. Hint: Before starting SAPinst, make sure that there is no other SAPinst process still running!
b) Choose option SAP NetWeaver Composition Environment (CE) 7.2 → Installation Options → Standalone Engines → Web Dispatcher → Web Dispatcher and press Next.
c) Choose Typical and press Next.
d) For SAP System ID, enter W## and press Next. Note: Remember that ## denotes your two-digit group number.
e) For Master Password, enter wgroup## (twice) and press Next.
f) For Message Server Host, enter twdfSSSS.wdf.sap.corp. For Message Server HTTP Port, enter 8100|8110 and press Next.
g) Leave Install the SAP Cryptographic Library checked and browse to the SAPCryptoLib.SAR in training share folder ADM960_73\SNC\SAPCryptoLib\.
h) Choose Next.
i) On the Parameter Summary screen, press Show Detail, mark the checkbox Web Dispatcher and choose Revise.
j) For Instance Number, enter 05|15. For HTTP Port, enter 8005|8015. For Create Configuration for System of Size, choose Small and press Next.
k) On the Parameter Summary screen, check all parameters and press Next. Note: The pure installation runtime is about 4 minutes.
l) After the installation has completed, press OK to close SAPinst. Hint: At this time, the next team may launch SAPinst.
2. Update the SAP Web Dispatcher 7.20 installation using the latest SAP Web Dispatcher package offered on the training share at \Maintenance Data (SPs and Patches)\SAP Web Disp 7.20.
a) Using SAP MC or SAP MMC, stop your W## system. Hint: To open the SAP MC for your SAP Web Dispatcher system, you may
• launch the URL http://twdfSSSS.wdf.sap.corp:5<05|15>13, or
• launch the SAP MC shortcut on your server's desktop and navigate to File → New. Provide 05|15 as Instance Nr and twdfSSSS.wdf.sap.corp as Instance Host. You may use File → Save Landscapes to store the landscape.
In the SAP MMC, the new SAP Web Dispatcher system W## should be visible without any additional configuration steps. Right-click your W## system and choose Stop. When asked for an operating system user, enter w##adm as user and wgroup## as password.
b) In case you still have the SAP MMC open, close it now (to prevent auto-starting any Windows service).
c) Using the Windows Services Manager, stop the Windows service named SAPW##_<05|15>.
d) Copy the latest SAP Web Dispatcher 7.20 package offered on the training share at \Maintenance Data (SPs and Patches)\SAP Web Disp 7.20 to your server, e.g. to D:\SAPWebDisp720##.
e) In the left pane of Windows Explorer, right-click that folder (e.g. D:\SAPWebDisp720##) and choose CMD Prompt Here.
f) Within that command prompt, enter sapcar -xvf sapwebdisp_<patch>.sar (the name of the downloaded archive) to unpack the SAR archive.
g) Copy the extracted files to D:\usr\sap\W##\SYS\exe\uc\NTAMD64.
h) Using the Windows Services Manager, start the Windows service named SAPW##_<05|15>.
i) Using SAP MC or SAP MMC, start your W## system. When asked for an operating system user, enter w##adm as user and wgroup## as password.
j) You may right-click the W## entry in the SAP (M)MC now and choose Version Info to determine the SAP Web Dispatcher patch level.
3. Using SAP MC or SAP MMC, check the developer trace of your SAP Web Dispatcher. In case of the error message "SAPCAR.exe not found", provide SAPCAR.exe and restart the SAP Web Dispatcher system.
a) To open the SAP MC for your SAP Web Dispatcher system, you may
• launch the URL http://twdfSSSS.wdf.sap.corp:<port>, where <port> is 50513 for the DEV group and 51513 for the QAS group, or
• launch any SAP MC and navigate to File → New. Provide 05|15 as Instance Nr and twdfSSSS.wdf.sap.corp as Instance Host. You may use File → Save Landscapes to store the landscape.
In the SAP MMC, the new SAP Web Dispatcher system W## should be visible without any additional configuration steps.
b) Within SAP MC or SAP MMC, navigate to SAP Systems → (W##) → (twdfSSSS) → Process List. Right-click the process sapwebdisp.EXE and start analyzing the Developer Trace. Hint: You may also open the trace file (it should be at D:\usr\sap\W##\W$$\work\dev_wdisp) using a text editor, e.g. Notepad.
c) Only in case of an error message similar to "*** ERROR => HttpExtractArchive: SAPCAR.exe not found in DIR_EXECUTABLE, DIR_CT_RUN":
1. Copy SAPCAR.exe from the training share folder \Additional Programs\SAPCAR to D:\usr\sap\W##\SYS\exe\uc\NTAMD64.
2. Restart the SAP Web Dispatcher system, e.g. using SAP (M)MC. Hint: When asked for an operating system user, enter w##adm as user and wgroup## as password.
After the restart, verify that the error message "SAPCAR.exe not found" no longer occurs in the trace file.
Result: Your SAP Web Dispatcher is up and running. It is already possible to launch all Web based applications via the SAP Web Dispatcher.
Task 2: Using SAP Web Dispatcher
Send requests that are distributed using the SAP Web Dispatcher.
1. Call the ICF service /sap/public/info using your SAP Web Dispatcher.
a) In your local Web browser (in the training room), enter the URL http://twdfSSSS.wdf.sap.corp:<8005|8015>/sap/public/info.
b) If you choose Refresh a number of times in the Web browser, you can observe that both instances are used for processing the requests. Hint: The distribution of the requests is based on the number of dialog work processes configured for each instance.
2. Call the AS Java URL http://twdfSSSS.wdf.sap.corp:<8005|8015>/webdynpro/dispatcher/local/WhoAmI/Show (this is a small application developed for this training).
a) If you choose Clear cookies and Refresh a number of times in the Web browser, you can observe that both instances are used for processing the requests. Hint: The distribution of the requests is based on the number of server processes configured for each instance. Web Dynpro Java is always stateful, which is why you need to clear the cookies.
Result You have seen the SAP Web Dispatcher in operation.
Task 3: Configure the Authentication Handler
Configure your SAP Web Dispatcher to reject the service /sap/public/info.
1. Configure your SAP Web Dispatcher to reject the service /sap/public/info by setting the parameter icm/HTTP/auth_1 = PREFIX=/,PERMFILE=permissionfile.txt and copying the prepared file permissionfile.txt to the work directory. Restart your Web Dispatcher to activate the changes. The needed files can be found in the training share folder ADM960_73\SAP Web Dispatcher.
Logon to the operating system, where your SAP Web Dispatcher is installed and edit the instance profile. The instance profile can be found in directory D:\usr\sap\W##\SYS\profile. It should be named W##_W$$_twdfSSSS, where ## stands for your group number and $$ for the instance number.
b)
At the end of the file enter icm/HTTP/auth_1 = PREFIX=/,PERMFILE=permissionfile.txt without any line break.
c)
Copy the file permissionfile.txt from the training share folder ADM960_73\SAP Web Dispatcher into the work directory of your Web Dispatcher: D:\usr\sap\W##\W$$\work.
d)
Restart your Web Dispatcher using the SAP MC or SAP MMC.
Result: The SAP Web Dispatcher rejects the service /sap/public/info. You can test this by opening a browser and calling the URL http://twdfSSSS.wdf.sap.corp:<8005|8015>/sap/public/info.
Lesson Summary You should now be able to: • Implement recommendations for network architecture in an SAP landscape. • Install and Configure SAProuter. • Install and Configure SAP Web Dispatcher.
Related Information SAP Note 30289: SAProuter documentation SAP Note 870127: Security note for SAP Web Dispatcher
Unit Summary You should now be able to: • Explain basic network terms and concepts • Implement recommendations for network architecture in an SAP landscape. • Install and Configure SAProuter. • Install and Configure SAP Web Dispatcher.
1. List the layers of the Open Systems Interconnection (OSI) reference model.
Answer: The seven layers of the OSI model are:
• 7 - Application Layer: Enables program-to-program communication.
• 6 - Presentation Layer: Manages data representation and conversion. For example, the presentation layer converts data from EBCDIC to ASCII.
• 5 - Session Layer: Establishes and maintains communication channels. In practice, this layer is often combined with the Transport Layer.
• 4 - Transport Layer: Ensures end-to-end integrity of data transmission.
• 3 - Network Layer: Routes data from one node to another.
• 2 - Data Link Layer: Passes data from one node to another.
• 1 - Physical Layer: Places data on the network media and takes the data off the network.
2. What is the need for a standard in communication technology?
Answer: There is a need for a standard in communication technology for the following reasons:
• Different types of connection media exist, such as telephone lines, optical fibers, cables, and radio.
• Several types of computers and operating systems are available.
• Different network applications are used.
3. What is a firewall?
Answer: A firewall is a system or a combination of systems that protects a networked system from unauthorized access. Firewalls can be implemented in hardware, in software, or in a combination of both.
4. The SAP Web Dispatcher can be used as a packet filter.
Answer: False. The SAP Web Dispatcher can be used as a URL filter.
Unit 4 Basic Security for SAP Systems Unit Overview In this unit, you will learn about implementing user-level security by creating and authorizing users. You will also learn how to secure an RFC communication and to secure the SAP development. In addition, you will learn about system monitoring.
Unit Objectives
After completing this unit, you will be able to:
• Use security features of SAP GUI for Windows
• Identify the different types of users in the SAP system
• Control passwords in the SAP system
• Configure trusted RFC connections between SAP systems
• Secure the Gateway process
• Limit Web-enabled content
• Secure the AS ABAP Message Server
• Explain the system change options
• Explain the client change options
• Monitor the SAP system using the Security Audit Log
• Use the User Information System
• Explain the use of the Alert Monitor
• Understand the capabilities of the EarlyWatch Report
• Understand the Security Optimization Self-Service
• Understand the Configuration Validation feature of the Solution Manager
Unit Contents
Lesson: Securing the Front End .................................................. 105
Exercise 3: Maintain Security Settings in SAP GUI for Windows 7.20 .. 111
Lesson: User Security in SAP Systems .......................................... 115
Exercise 4: Password Parameters ........................................... 149
Lesson: Interface Security in SAP Systems ..................................... 158
Exercise 5: Configure Trusted RFC .......................................... 179
Exercise 6: Secure the Gateway ............................................. 185
Exercise 7: Secure the Message Server .................................... 189
Lesson: Development Protection and Security Patches ....................... 192
Exercise 8: Identify Security Notes to be implemented ................... 211
Lesson: Monitoring Security in SAP Systems ................................... 214
Exercise 9: Configure and Use the Security Audit Log .................... 231
Exercise 10: Use the User Information System ............................ 237
Lesson: Monitoring and Analyzing Security with SAP Solution Manager ... 240
Lesson: Securing the Front End Lesson Overview This lesson provides an overview of fundamental security measures on a front-end computer. In addition, the security features of SAP GUI for Windows 7.20 are introduced.
Lesson Objectives After completing this lesson, you will be able to:
• Use Security Features of SAP GUI for Windows
Business Example For front-end security you need to configure security features of SAP GUI for Windows.
Front-End Security The figure below highlights the components discussed in this lesson. To ensure front-end security in an SAP environment, the usual measures on the front end need to be taken care of, for example OS patching, a virus scanner, and an intrusion prevention system. Intrusion prevention software should be used on all user workstations. To control security-critical operations that SAP GUI for Windows executes on behalf of the back-end system, use its Security settings.
AS ABAP based SAP systems can access security-critical functionality on SAP GUI user workstations under the permissions of the logged-on user (for example upload / download files, change the Windows registry, execute programs). SAP GUI for Windows 7.10 introduced the possibility of alerting users in case of such access from ABAP systems. Alerting on security events can be enabled, but the user then has to confirm every access request, which leads to many security pop-ups. SAP GUI for Windows 7.20 improves the granularity and flexibility of security event handling by using configurable security rules. SAP GUI for Windows 7.20 offers a default set of security rules that can be extended by customers. This mitigates the risk of attacks on SAP GUI for Windows workstations from ABAP systems that have been compromised. Caution: It is strongly recommended to implement the following security measures:
• The latest available SAP GUI for Windows version and patch level should be deployed on all user workstations.
• It should be ensured that SAP GUI for Windows security rules are activated using at least the security rule setting Customized and default action Ask.
SAP GUI for Windows 7.20: Security Settings A default security configuration is delivered with SAP GUI for Windows 7.20 that suppresses many potentially malicious actions and permits those that are clearly required. However, in most cases, it is necessary to adjust this configuration to the requirements of your individual company. The SAP GUI for Windows security module supports the administrator both in creating a configuration of this type and in distributing this file by providing a central repository. The SAP GUI for Windows security module has three status levels:
• Disabled
• Customized
• Strict Deny
In case of Disabled, no checks take place, and each request received from the back-end system to read, write, or execute a program is immediately executed. In this case, the user is not aware that an action triggered by the back-end system is being performed. This setting therefore involves the danger that undesirable actions could be executed undetected, potentially causing damage. Caution: The setting Disabled is not recommended. It is only suitable for restricted system situations.
The setting Strict Deny denies the execution of every individual action triggered by the back-end system unless it is explicitly permitted by a rule defined by SAP. The SAP rules permit, for example, the user to call help for the application. In practice, it is often not possible to use this setting, since many SAP applications access resources on the client PC (downloads, uploads, execution of programs, and so on).
Customized is the default setting when you install SAP GUI for Windows 7.20. With this setting, when a request for an action is received from a back-end system, SAP GUI for Windows first searches the list of entered security rules to evaluate the request. The security rules are processed in the order in which they appear in the list.
Whenever a request to perform an action is received, SAP GUI automatically works through the list of rules from top to bottom. If a suitable rule is found, SAP GUI terminates its search; that is, rules further down the list that could also be applicable are ignored. If there is a rule for the requested action, SAP GUI proceeds in accordance with the decision defined in the rule. If no rule covers a particular action request, SAP GUI selects the default action as defined in SAP GUI. This usually is the query dialog that leaves the decision about execution to the user (Default Action = Ask). However, you can also choose to permit action requests for which there are no rules (Default Action = Allow).
Figure 54: SAP GUI for Windows 7.20: Security Rules
You can use the Security Settings dialog in the Options dialog box of SAP GUI or SAP Logon to create and manage security rules. In SAP Logon go to Options → Security → Security Settings. In SAP GUI go to Customize Local Layout → Options → Security → Security Settings. Security rules can have different origins:
• SAP
• Administrator
• User
Rules of origin SAP are created by SAP and installed together with SAP GUI for Windows. Neither users nor administrators can edit these rules or change their sequence. Only if the Status Customized has been selected are these rules taken into account. They protect important local objects that are required for the operation of SAP GUI for Windows. These include, among other things, registry values or specific files that contain configuration information. Rules of origin Administrator can be created by the administrator who is responsible for distributing SAP GUI for Windows. A user cannot change those rules.
A user of SAP GUI for Windows can create additional security rules of origin User for the local working environment. Rules can be generated by executing security-relevant actions if the Status is Customized and the Default Action is Ask. In this case, if there is no rule, a query is shown for the requested action. The options available to the user depend on the action to be performed. For example: The system is attempting to execute a file on the client PC. If the user’s decision applies only to the current situation (Allow/Deny this one time), there are no consequences for future queries of this type. However, if the user makes a permanent decision for this type of query (Always allow, Always allow in this context), a security rule is automatically generated that corresponds to exactly the present situation. This rule is added to the end of the existing list of rules and is taken into account for subsequent requests of this type. In a second variant of the query dialog box, there are two additional options (for example, when uploading files using SAP GUI for Windows): Always permit in this context for this file type and Always permit for this file type. These two options also lead to the creation of a security rule, against which subsequent requests are checked. In this way, security rules can be automatically generated during running operation. Hint: You can also manually create rules in the Security Settings. Scroll down the whole list of rules and select the empty entry at the bottom. Now the Insert button is active.
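The evaluation procedure described above (ordered rule list, first match wins, Default Action when nothing matches, and the User rule that is generated when the user answers Always allow), as an added example in Python. This is not part of the course material and not SAP GUI code: the rule attributes (kind of action, object pattern with a shell-style wildcard, optional context), the dialog answers, and the constructed SAP and Administrator rules are assumptions of the model; the real saprules.xml format is not reproduced.

```python
"""Model of SAP GUI for Windows 7.20 security-rule evaluation (added example, not SAP code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, List, Optional


@dataclass
class Rule:
    origin: str                     # "SAP", "Administrator" or "User"
    action: str                     # assumed names: "EXECUTE", "READ", "WRITE", "URL"
    obj: str                        # object pattern; "*" wildcard is an assumption of the model
    decision: str                   # "Allow" or "Deny"
    context: Optional[str] = None   # assumed: rule applies only to this SAP system ID


@dataclass
class Request:
    action: str
    obj: str
    context: str                    # SAP system ID that triggered the action (assumed)


ALLOWING_ANSWERS = {"Allow this one time", "Always allow", "Always allow in this context"}


@dataclass
class SecurityModule:
    status: str = "Customized"      # "Disabled", "Customized" or "Strict Deny"
    default_action: str = "Ask"     # "Ask" or "Allow"
    rules: List[Rule] = field(default_factory=list)

    @staticmethod
    def _matches(rule: Rule, req: Request) -> bool:
        return (rule.action == req.action
                and fnmatchcase(req.obj, rule.obj)
                and (rule.context is None or rule.context == req.context))

    def decide(self, req: Request, ask: Callable[[Request], str]) -> str:
        """Return "Allow" or "Deny". `ask` is the user dialog; it is called only
        when no rule decides and Default Action is Ask."""
        if self.status == "Disabled":
            return "Allow"                          # no check, user sees nothing
        for rule in self.rules:                     # top to bottom, first match terminates
            if self.status == "Strict Deny" and rule.origin != "SAP":
                continue                            # Strict Deny honours only SAP-delivered rules
            if self._matches(rule, req):
                return rule.decision
        if self.status == "Strict Deny":
            return "Deny"
        if self.default_action == "Allow":
            return "Allow"
        answer = ask(req)                           # Default Action = Ask
        if answer == "Always allow":                # permanent decision -> rule appended at the end
            self.rules.append(Rule("User", req.action, req.obj, "Allow"))
        elif answer == "Always allow in this context":
            self.rules.append(Rule("User", req.action, req.obj, "Allow", req.context))
        return "Allow" if answer in ALLOWING_ANSWERS else "Deny"


def demo() -> dict:
    """Constructed walk-through of the lesson's scenarios; returns the decisions taken."""
    sapgui = SecurityModule(rules=[
        Rule("SAP", "READ", "HKLM\\Software\\SAP\\*", "Allow"),      # constructed SAP rule
        Rule("Administrator", "EXECUTE", "*.exe", "Deny"),          # constructed admin rule
    ])
    prompts = []

    def user_dialog(req: Request) -> str:
        prompts.append(req.obj)
        return "Always allow"                       # the answer exercise 3, task 2 asks for

    url = Request("URL", "http://www.sap.com", "DEV")
    first = sapgui.decide(url, user_dialog)         # no rule yet: dialog, rule generated
    second = sapgui.decide(url, user_dialog)        # generated User rule decides, no dialog
    exe = sapgui.decide(Request("EXECUTE", "C:\\tools\\x.exe", "DEV"), user_dialog)
    strict = SecurityModule(status="Strict Deny", rules=sapgui.rules)
    return {
        "first": first, "second": second, "prompts": len(prompts), "exe": exe,
        "generated_origin": sapgui.rules[-1].origin,
        "strict_url": strict.decide(url, user_dialog),
        "strict_registry": strict.decide(Request("READ", "HKLM\\Software\\SAP\\x", "DEV"), user_dialog),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18s} {value}")
```

Note that the Administrator rule denying *.exe is placed above any User rule, so a user answering Always allow for an executable can never override it: the generated rule lands at the end of the list and is never reached. That ordering is the reason the lesson recommends administrator-distributed rules over relying on user decisions.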
Administration of Security Settings Security rules that are created for a large number of users or front ends can be centrally stored on a server by an administrator. The administrator can use the Windows registry values below the registry key [HKEY_LOCAL_MACHINE\Software\SAP\SAPGUI Front\SAP Frontend Server\Security] to configure the behavior of the security module. Note: See SAP Service Marketplace (http://service.sap.com) Quick Link /securityguide, path SAP NetWeaver SAP GUI for Windows → SAP GUI for Windows 7.20 Security Guide for detailed information. To create a rule file as an administrator, use the rule editor in the Security node of the Options dialog. The administrator then needs to copy the generated saprules.xml file from the file system directory %APPDATA%\SAP\Common to the location specified in the registry value. Caution: Do not replace the saprules.xml file in the installation directory of SAP GUI. That file is overwritten during a subsequent installation, for example by a patch.
Exercise 3: Maintain Security Settings in SAP GUI for Windows 7.20 Exercise Objectives After completing this exercise, you will be able to: • maintain security settings in SAP GUI for Windows 7.20
Business Example For front-end security you need to configure security features of SAP GUI for Windows.
Task 1: Check Security Settings Check the security settings of your SAP GUI for Windows installation. If necessary, change the settings. Hint: This feature is only available with SAP GUI for Windows 7.20 or higher. If you do not have such a version at your training front end, you can use the SAP GUI installed on the host of your training SAP system.
1. Check if the security setting of your SAP GUI for Windows installation is set to Status Customized and Default Action Ask. If it is not, change it to those values.
Result You checked the security settings of your SAP GUI installation.
Task 2: Create a Security Rule Create a security rule by executing an external URL from within SAP GUI for Windows.
1. Log on to your SAP system with SAP GUI for Windows. You should find a URL to execute in your user menu. If not, create a favorite that points to an external URL, for example http://www.sap.com. Execute this URL and create a security rule by always allowing this action.
Solution 3: Maintain Security Settings in SAP GUI for Windows 7.20 Task 1: Check Security Settings Check the security settings of your SAP GUI for Windows installation. If necessary, change the settings. Hint: This feature is only available with SAP GUI for Windows 7.20 or higher. If you do not have such a version at your training front end, you can use the SAP GUI installed on the host of your training SAP system.
1. Check if the security setting of your SAP GUI for Windows installation is set to Status Customized and Default Action Ask. If it is not, change it to those values.
   a) If you are already logged on to an SAP system, use an SAP GUI window and choose Customize Local Layout → Options → Security → Security Settings. Otherwise use the Options dialog of your SAP Logon and go to Security → Security Settings.
   b) You should see the field Status. Set it to the value Customized, if it is not set already.
   c) You should see the field Default Action. Set it to the value Ask, if it is not set already.
   d) Choose Apply and OK.
Result You checked the security settings of your SAP GUI installation.
Task 2: Create a Security Rule Create a security rule by executing an external URL from within SAP GUI for Windows.
1. Log on to your SAP system with SAP GUI for Windows. You should find a URL to execute in your user menu. If not, create a favorite that points to an external URL, for example http://www.sap.com. Execute this URL and create a security rule by always allowing this action.
   a) Log on to your SAP system using SAP GUI for Windows 7.20.
   b) In the SAP Easy Access screen go to your user menu by choosing Menu → User Menu.
   c) Open the folder Unit 4: Basic Security for SAP Systems and double-click the entry SAP Homepage. If there is no such folder or entry available, select the Favorites folder, right-click and choose Add other object. Select Web Address or file, enter a text and a Web address, for example http://www.sap.com, and choose Continue. Now you can execute this favorite.
   d) In the SAP GUI Security dialog box choose Always allow and OK. A browser opens and the URL is called.
2. Check if a security rule was created.
   a) In the SAP GUI choose Customize Local Layout → Options → Security → Security Settings.
   b) Scroll down the whole list of rules. At the bottom of the list a rule should be available showing the URL in the Object column and User in the Origin column.
   c) You can look at more details by selecting the rule and choosing Edit.
Lesson Summary You should now be able to:
• Use Security Features of SAP GUI for Windows
Related Information
• SAP Note 1483525: New security center in SAP GUI for Windows 7.20
• SAP Note 147519: Maintenance strategy / deadlines SAP GUI
• SAP Service Marketplace (http://service.sap.com) Quick Link /securityguide, path SAP NetWeaver SAP GUI for Windows → SAP GUI for Windows 7.20 Security Guide
Lesson: User Security in SAP Systems Lesson Overview This lesson summarizes some aspects of user administration in SAP systems.
Lesson Objectives After completing this lesson, you will be able to:
• Identify the different types of users in the SAP System
• Control passwords in the SAP System
Business Example XYZ Limited is using SAP Solutions based on SAP NetWeaver Application Server.
User Security in SAP Systems The figure below graphically shows the topic of this lesson. The following sections will summarize the most important aspects of user, password and authorization administration in SAP systems. The focus is on AS ABAP based SAP systems as they represent the majority of systems.
When it comes to controlling access to SAP systems, some frequently asked questions (FAQ) come up:
• What are the tools for User Administration?
• Which standard users exist in an SAP system?
• Why are there different user types?
• In which way are authorizations assigned to users?
• How can an administrator protect user accounts with strong passwords?
• How are passwords stored in the SAP system?
Tools for User Administration Depending on the type of SAP system installed and depending on the technical infrastructure available in the company different tools are needed for user administration.
User Administration AS ABAP For AS ABAP based systems the most important tools are User Maintenance (SU01) and Role Maintenance (PFCG). When creating a new user master record with SU01, you must at least enter a Last name on the Address tab and an Initial password for that user on the Logon data tab.
Figure 56: User Maintenance (SU01): User Master Record
On the Logon data tab, the User Group for Authorization Check is used to implement delegated user administration. Only an administrator with the appropriate authorization for maintaining the given user group may then change the user master record. If a user master record is not assigned to a group, any user administrator may change this user master record. With the Validity Period, the beginning and end of the validity of the user master record can be specified. A user can only log on to the SAP system if a user master record with a valid password exists. The user master record determines the actions individual users are allowed to perform in the SAP system. When maintaining user master records, you need to assign authorizations to the users in the form of roles and profiles. User master records are client-specific.
The following authorization objects are required to create and maintain user master records:
• S_USER_GRP: user master maintenance: assign user groups
• S_USER_PRO: user master maintenance: assign authorization profile
• S_USER_AUT: user master maintenance: create and maintain authorization
With the fitting authorization a user is able to maintain its own data by selecting System → User profile → Own data (SU3).
User Administration AS Java AS Java provides an open architecture that is based on service providers to store user data and group data. AS Java is delivered with the following service providers, which are called “user stores”:
• DBMS provider: Storage in the system database
• UDDI provider: Storage via external service providers (Universal Description, Discovery and Integration)
• UME provider: Connection of the integrated User Management Engine
The DBMS and UDDI providers implement standards and guarantee the J2EE conformity of AS Java. The SAP-defined User Management Engine (UME) is installed as user storage during the installation of AS Java. This is the correct option for most SAP customers. The user concept and the authorization concept can only be installed and operated flexibly on the basis of the UME user storage.
The UME also supports various “data sources” as storage locations for user data:
• System Database
• Directory Service (LDAP Server)
• ABAP based SAP System (as of AS ABAP 6.20)
SAP delivers preconfigured data source combinations. You usually use the preconfigured data source combinations delivered by SAP without further adjustments. Hint: The System Database data source is always connected to the UME for all data source configurations delivered by SAP. Therefore, certain information (for example, the UME roles) is always kept in the database.
Figure 58: AS Java: Identity Management (formerly: UME administration console)
The most important tool for a user administrator in an AS Java system is Identity Management. It is used for all data sources and is implemented as an application running in a Web browser (based on Web Dynpro Java). You can start Identity Management
• via the URL http(s)://<host>.<domain>:<port>/useradmin
• via the SAP NetWeaver Administrator (URL .../nwa), path System Management → Administration → Identity Management
• in a portal via the path User Administration → Identity Management.
Hint: The function scope available in Identity Management depends on the Java authorizations of the current user.
Central User Administration
Figure 59: Central User Administration (CUA)
The Central user administration (CUA) is used to distribute user master records between SAP systems. The administration of an SAP system landscape is performed from one central system. You can display an overview of all user data in the SAP system landscape. All user data is stored in the standard SAP tables (USR*) that contain the user master record data.
Use CUA if you have a complex landscape with several clients and systems to synchronize the user data or if a user works in more than one system and uses the same user ID in all the systems. Data that can be distributed with CUA includes data about the user master record, such as address, logon data, user fixed values, and user parameters. Assign roles or profiles and systems to the user in CUA. You no longer need to log on to each system to make system-specific assignments of activity groups and profiles. Roles and authorization profiles can be transported but are not usually maintained in a central system. Different customizing settings and releases in the subsystems make it necessary to adjust activity groups individually.
Figure 60: CUA and LDAP Synchronization
Starting from release 6.10, SAP Systems can communicate with a directory server using the Lightweight Directory Access Protocol (LDAP). Data can be synchronized in both directions. The CUA does not support AS Java based systems directly; by using a central directory server, AS Java based systems can be connected as well.
Enterprises today have usually a variety of different SAP and non-SAP systems. By default, every system has its own separate user management. This means a lot of manual effort for the User Administrator to administer the user information and role assignments in each system. On the other hand, employees of an enterprise need to perform different tasks of business processes. These tasks require certain authorizations/roles in the system landscape. Furthermore, the source of employee information is usually the HCM (Human Capital Management) system. On-boarding, change of position, location or name, these actions are triggered by HCM. These changes also need to be reflected in the system landscape.
Before SAP offered SAP NetWeaver Identity Management, user management could be centralized using the Central User Administration (CUA). Limitation: CUA is only supported for ABAP-based systems. For interoperability with Java systems that use an LDAP directory as user store, and also for integration with non-SAP applications, users can be synchronized with an LDAP directory using the ABAP LDAP connector. Central management for a heterogeneous system landscape was only possible by using a third-party Identity Management product.
Figure 63: SAP NetWeaver Identity Management: Holistic Approach
With SAP NetWeaver Identity Management, SAP offers integrated identity management capabilities for a heterogeneous system landscape, driven by business processes. First of all SAP NetWeaver Identity Management uses a central identity store to consolidate identity data from different source systems, (example SAP HCM) and distributes this information to the different target systems. The distribution handles user accounts and role assignments of SAP and non-SAP applications. You can define different rule sets for the assignment of roles to users, this means that this can be performed automatically based on attributes of the identity. A very important feature of SAP NetWeaver Identity Management is the availability of approval workflows to distribute the responsibility for authorization assignments to the different business process owners and managers of the employees. The integration of HCM as one of the possible source systems for identity information is one of the key functionalities to enable business-driven identity management. With the audit functionality of the solution, the auditor can check on a central place, which employee has what authorizations in what systems. This information is also available for the past. The data within SAP NetWeaver Identity Management can be accessed using services and standard protocols, such as LDAP.
Figure 64: Comparison between the CUA and SAP NetWeaver Identity Management
What is the relationship between SAP NetWeaver Identity Management and the Central User Administration (CUA)?
• SAP NetWeaver Identity Management is the strategic solution for managing identities in SAP and non-SAP environments
• SAP NetWeaver Identity Management can replace the CUA in order to be able to also manage user IDs in the non-SAP system landscape
• SAP will continue to support CUA in its current functionality according to the SAP maintenance rules
• A connector from SAP NetWeaver Identity Management to CUA is available
Standard Users In AS ABAP and AS Java based systems several standard users with preconfigured authorizations are available directly after the installation. To ensure security of the system those users should be provided with a strong password and checked regularly.
Standard User in AS ABAP The following table presents important default users in an AS ABAP:
Check Users with Report RSUSR003 for Standard Passwords! When an AS ABAP based system is installed, several clients are already prepared:
• Client 000 is used for special administrative purposes. SAP imports the customizing settings into this client during the upgrade process or when applying Support Packages. Client 000 should not be used for customizing, data input or development.
• Client 066 is used by the SAP EarlyWatch service and should not be used or deleted by the customer.
• Client 001 can be used for productive purposes or can be deleted. A client 001 is not always delivered; this depends on the release and the type of SAP system.
Note: To find out which clients you have in your system, use transaction SCC4, or display the content of table T000 using transaction SM30.
Depending on the client, several standard users are already prepared in those clients. User SAP* is a superuser for initial access to the system. The user DDIC is needed for certain tasks in installation and upgrade, software logistics, and for the ABAP Dictionary. The passwords of users SAP* and DDIC in clients 000 and 001 (not in 066) are already set during the installation process. In older installation routines this was not done and the users had the default passwords 06071992 (for SAP*) and 19920706 (for DDIC). The user EARLYWATCH is used by the SAP EarlyWatch specialists and has access to monitoring and performance data. Its default password is SUPPORT. The user SAPCPIC is used for communication purposes. Its default password is ADMIN. For more information on SAPCPIC see SAP Note 29276: SAPCPIC: At which points are passwords visible. Caution: Even where the installation has set passwords for the standard users, change them to strong passwords of your own. Default passwords such as SUPPORT and ADMIN are publicly known and are the first thing an attacker tries.
In addition to changing the passwords of those standard users you may
• create a new superuser and deactivate SAP* (lock the user, remove authorizations).
• assign them to the group SUPER so that they can only be modified by administrators who are authorized to change users in the group SUPER.
• lock users DDIC and EARLYWATCH and unlock them only when necessary. Do not delete DDIC or its profiles. DDIC is needed for certain tasks in installation and upgrade, software logistics, and for the ABAP Dictionary. Deleting the user may result in loss of functions in these areas.
To log on to a newly created client (that is, a client with no user master records at all, not even a user SAP*), use the SAP* kernel mechanism. The kernel implements a hardcoded “user” SAP* with password pass. This system access is not subject to authorization checks. The mechanism is controlled by the profile parameter login/no_automatic_user_sapstar. As of SAP NetWeaver AS 7.00 (SAP NetWeaver 7.0) the default value of this profile parameter has been changed to 1, which means that the mechanism is deactivated. In older releases this mechanism was activated by default (value 0) and should be deactivated when not needed. See also SAP Note 68048: Deactivating the automatic SAP* user. Caution: To make sure that nobody can misuse this mechanism, create a user master record SAP* in all clients of your systems and set the profile parameter login/no_automatic_user_sapstar to value 1. An existing user master record SAP* should not be deleted from any client, because deleting it is exactly what re-enables the kernel user in that client when the parameter is 0. Hint: Use the report RSUSR003 to make sure that the user SAP* has been created in all clients and that the default passwords have been changed for the standard users.
Standard User in AS Java The following table presents important default users in an AS Java:
Caution: Protect those users with strong passwords! The initial passwords are set during the system installation. The administration user has unrestricted access to AS Java and you should therefore assign this account to only very few people and assign a carefully chosen password. If you use a client of an ABAP system as the data source, the listed user master records are located on this ABAP client (and can be viewed in SU01): In the case of a remote ABAP system, the SID of the AS Java system is incorporated in the user name. This allows you to distinguish between users if multiple AS Java systems are connected to a single ABAP client. Among other things, the guest user is used for anonymous access to AS Java, for example in order to construct the logon form in the Web browser. This user is normally locked. Do not delete this user. Activate an emergency user for the UME if the user management has been incorrectly configured and no one can log on to an application, or if all administration users are locked. This emergency user is called SAP* and can log on to any application and to the configuration tools. The SAP* user has full administration authorizations and, for security reasons, does not have a default password. You set the password as part of emergency user activation. Hint: The emergency user is generally not important in systems in which the UME runs (successfully) with the ABAP data source as you can always create a user in ABAP and give it Java administration rights.
Proceed as follows to make a correction with the SAP* user:
1. Activate the SAP* user
   a) Stop all the Java instances on your system.
   b) Start the Configuration Tool.
   c) Navigate to the service cluster_data → Global server configuration → services → com.sap.security.core.ume.service.
   d) Set the property ume.superadmin.activated to the value true and confirm Set.
   e) Set a password of your choice for the property ume.superadmin.password and confirm Set. Enter the password a second time.
   f) Choose Save and confirm the dialog boxes that appear.
   g) Start the Java instance(s) of your system.
2. Change the configuration
   a) Log on with the user SAP* and the password that you have just set. Note: While the SAP* user is active, all other users are deactivated.
   b) Correct the problem; for example, unlock the administration user.
3. Deactivate the SAP* user
   a) Stop all the Java instances on your system.
   b) Start the Configuration Tool.
   c) Navigate to the service cluster_data → Global server configuration → services → com.sap.security.core.ume.service.
   d) Use the Restore to default function to reset the property ume.superadmin.activated to the value false.
   e) Choose Save and confirm the dialog boxes that appear.
   f) Start the Java instance(s) of your system.
User Types When creating new users you can choose between different user types. The user type affects what the user can do and how the user's password is handled.
User Types in AS ABAP The user type is an important property of a user. Different user types are available for different purposes:
Dialog: A normal dialog user is used for all logon types by just one person. During a dialog logon, the system checks for expired/initial passwords, and the user has the opportunity to change his or her own password. Multiple dialog logons are checked and logged.
System: Use the System user type for dialog-free communication within a system or for background processing within a system, or also for RFC users for various applications, such as ALE, Workflow, Transport Management System, Central User Administration. It is not possible to use this type of user for a dialog logon. Users of this type are exempt from the usual settings for the validity period of a password. Only user administrators can change the password. Note: See also SAP Note 622464: Change: Password change req. entry for "SYSTEM" user type.
Communication: Use the Communication user type for dialog-free communication between systems. It is not possible to use this type of user for a dialog logon. The usual settings for the validity period of a password apply to users of this type.
Service: A user of the type Service is a dialog user that is available to a larger, anonymous group of users. In general, you should only assign highly restricted authorizations to users of this type. Service users are used, for example, for anonymous system access using an ITS or ICF service. The system does not check for expired/initial passwords during logon. Only the user administrator can change the password. Multiple logons are permitted.
Reference: As with the service user, a Reference user is a general user, not specific to a particular person. You cannot use a reference user to log on. A reference user is used only to assign additional authorizations. You can specify a reference user for a dialog user for additional authorization on the Roles tab page.
User Types in AS Java In the same way as AS ABAP, the UME distinguishes between different user types, which are listed in the following table:

UME User Types
User Type                             | Logon to AS Java             | Password Change              | Mapped ABAP user types (with ABAP system as data source)
Standard                              | possible                     | yes                          | Dialog
Technical users                       | possible                     | no                           | System
Internal service user                 | not possible                 | –                            | –
Unknown (only with data source ABAP)  | depends on AS ABAP user type | depends on AS ABAP user type | Communication, Service and Reference

Hint: User types are also called Security Policy Profiles.
You specify the user type when you create a user using Identity Management (you cannot create the type Unknown). In the case of existing users, subsequent changes to the user type are only possible with restrictions. Note: The last column in the table is only relevant if you are operating a UME with an ABAP system as the data source. Changes to the user type of an ABAP user are mapped to the corresponding UME user master record (and vice versa, if the UME has write access to the ABAP system). As of AS Java 7.01 you can create your own Security Policy Profiles (user types) in the UME configuration UI. For example, you may create your own set of very strong password rules for special administrator users. In an AS ABAP+Java system, customer-created security policy profiles are mapped to the ABAP user type Dialog.
Authorizations in SAP Systems In general SAP uses a positive authorization concept. This means that an authorization or an access has to be granted so that a user can execute actions or tasks. Nevertheless the concepts and involved terms differ in AS ABAP and AS Java.
Authorization Concept of AS ABAP A person can log on to a client of an SAP system if he or she knows the user/password combination for a user master record. There is an authorization check in the SAP system every time a transaction is called. If a user attempts to start a transaction for which he or she is not authorized, the system rejects the user with an appropriate message.
Figure 67: AS ABAP Users and Authorization: Introduction
If the user starts a transaction for which he or she has authorization, the system displays the initial screen of this transaction. Depending on the transaction called, the user can enter the data and perform various tasks on this screen. Additional authorization checks are made for data and actions that are to be protected.
Authorization objects protect actions and the access to data in the SAP system. The authorization objects are delivered by SAP and are available in the SAP system. To provide a better overview, authorization objects are divided into various object classes. Authorization objects allow complex checks that involve multiple conditions before a user may perform an action. The conditions are specified in the authorization fields of the authorization object and are AND-linked for the check. Authorization objects and their fields have descriptive and technical names. In the example on the diagram, the authorization object User master maintenance: User Groups (technical name: S_USER_GRP) contains the two fields Activity (technical name: ACTVT) and User Group in User Master Record (technical name: CLASS). The authorization object S_USER_GRP protects the user master record. An authorization object can include up to 10 authorization fields. An authorization is always associated with exactly one authorization object and contains the values for the fields of the authorization object. An authorization is a permission to perform a certain action in the SAP system. The action is defined based on the values of the individual fields of an authorization object. For example, authorization B for authorization object S_USER_GRP enables displaying all the user master records that are not assigned to the user group SUPER. There can be multiple authorizations for one authorization object. Some authorizations are delivered by SAP, but the majority are created specifically to meet customer requirements.
Role Maintenance (transaction PFCG, previously also called Profile Generator) simplifies the process of creating authorization and assigning the authorization to users. In role maintenance, transactions that belong together from the company's point of view are selected. Role maintenance creates authorization with the required field values for the authorization objects that are checked in the selected transactions. A role can be assigned to various users. Changes to a role have an effect on multiple users. Users can be assigned various roles. The user menu contains the entries (transactions, URLs, reports, and so on) that are assigned to the user through the roles.
Authorization Concept in AS Java

You can use authorizations to control which users can access a Java application and which actions are permitted for a user. Authorizations are combined into roles and then assigned to a user or a user group by an administrator. The Identity Management and Visual Administrator tools are used to assign authorizations. Authorization checks are built into a Java application; they can be distinguished by their objective.

Protecting access to an application is done by checking whether the appropriate JEE security role is assigned to the requesting user. If the user does not have the required security role, an error message is displayed and access is denied. When protecting access to individual activities, the user already has access to the application; when a special activity, for example Delete, is requested, the system checks whether the required JEE security role or UME permission is assigned (via the path UME action and UME role). Furthermore, you have the option of managing the protection of access to object instances (to folders or documents, for example) using an Access Control List (ACL). With all the types of authorization check specified, the developer needs to define the authorization query in the application. The developer decides which type of authorization check is to be used. This means in practice that the application determines which of JEE security roles, UME permissions or UME ACLs is used. Caution: In SAP NetWeaver 7.0 UME roles can only be administered using Identity Management, and J2EE security roles can only be administered using the Visual Administrator.

J2EE security roles are part of the J2EE standard. UME roles are an (SAP) extension of the J2EE security roles. You can define the same authorization checks with J2EE security roles and UME roles. However, it is easier and more precise to assign authorizations with UME roles. A J2EE security role comprises one object, whereas a UME role comprises many authorization objects (known as actions). This means that many J2EE security roles but perhaps only one UME role need to be assigned for the same authorizations. We recommend that you always use UME roles, except in cases in which J2EE security roles are sufficient. Note: A role in the ABAP environment is roughly equivalent to a UME role. An authorization object in the ABAP environment can be compared to a security role or a UME permission.
Password Management SAP systems need to store password information in some representation like all systems using password-based logon. SAP systems do not store passwords as such but use one-way functions to calculate so-called password hashes. These are stored in the database. The system verifies user passwords using the one-way function to calculate the hash and compare it against the stored value. Since it is a one-way function, the password itself cannot be calculated from the stored password hashes. All systems using this method are subject to password dictionary attacks or password brute-force attacks if the password hashes can be retrieved from the system. The following security measures should therefore be taken to significantly reduce the probability of successful password cracking attacks.
Password Management in AS ABAP You should configure a strong password policy according to your corporate policy.
Apart from the predefined password rules given in the figure above, there are two ways in which you can influence user passwords:
• You can use the system profile parameters to assign a minimum length for the passwords and define how often the user has to set new passwords.
• Prohibited passwords can be entered in table USR40.

Table USR40 can be maintained with transaction SM30. Entries can also contain wild-card characters: use ? for one character and * for a character string. You can control the password policies with profile parameters starting with login/. The most relevant profile parameters are given in the figures below.
Figure 73: Password Control with System Profile Parameters 2/2
Note: The default values of certain profile parameters have been changed as of SAP NetWeaver AS ABAP 7.00. See SAP Note 862989: New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0) for details.

As of SAP NetWeaver AS ABAP 7.00, the password hash algorithm was changed. This means that more secure hash values, which are not backward-compatible and which make reverse engineering attacks difficult, can be generated. By default, new systems generate two hash values: a backward-compatible value and a new value. However, you can configure the system so that only the new hash value, which is not backward-compatible, is generated. You can set the degree of backward compatibility with the profile parameter login/password_downwards_compatibility.

Note: For more details on the downwards compatibility see SAP Note 1023437: ABAP syst: Downwardly incompatible passwords (since NW2004s). If you are using non-backward-compatible passwords, communication with older systems (where the older system calls the newer system) may cause problems (see SAP Note 792850: Preparing ABAP systems to deal with incompatible passwords).
In addition to a strong password policy, ensure the security of the password hashes by taking the following actions:
• Restrict access to tables containing password hashes (USR02, USH02 and, in later releases, USRPWDHISTORY) by changing the table authorization group of these tables. Non-administrative users must not have access to this new table authorization group.
• Activate the latest password hashing mechanism (code version) available for your release. Downward-compatible password hashes should not be stored in releases 7.0 and higher.

Note: See SAP Note 1484692: Protect read access to password hash value tables.
To activate the latest hashing mechanism use the following profile parameters:

Recommended Profile Parameter Settings for Password Hashes

| Releases | Recommended Profile Parameters | Code Version |
|---|---|---|
| Up to 4.5 | No special profile parameter needed | B |
| 4.6 to 6.40 | login/password_charset = 2 | E |
| 7.00 - 7.01 | login/password_downwards_compatibility = 0 | F |
| 7.02 and higher | login/password_downwards_compatibility = 0 | H |
Caution: After activation of the latest password-hashing mechanism, redundant password hashes need to be deleted from the relevant tables. See SAP Note 1458262: ABAP: recommended settings for password hash algorithms. If you use SAP Central User Administration (CUA) you need to ensure that the CUA system has at least the same or a higher release than all attached systems and that additional relevant SAP Notes are implemented. See SAP Notes 1300104: CUA|new password hash procedures: Background information, 1306019: CUA: Downward-compatible passwords in old child systems, and 1022812: CUA: Initial passwords not possible for child systems.
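As an added example (not SAP code), the following Python script parses a DEFAULT.PFL-style profile and checks the password-hash parameter against the table above for a given release, plus the policy parameters login/min_password_lng, login/min_password_digits and login/password_compliance_to_current_policy with the values suggested in the exercise later in this lesson. The profile excerpt is constructed, and treating the release string as a plain major.minor number is an assumption of this script.

```python
"""Audit an AS ABAP profile for the password-hash and password-policy
parameters discussed above. Added example, not SAP code; the profile text
below is constructed and the release ranges follow the table above."""
from typing import Dict, List, Optional, Tuple

# (lowest release, highest release, parameter, recommended value, code version)
# taken from the "Recommended Profile Parameter Settings for Password Hashes" table.
HASH_RECOMMENDATIONS = [
    (0.0, 4.5, None, None, "B"),                                       # up to 4.5
    (4.6, 6.40, "login/password_charset", "2", "E"),                   # 4.6 to 6.40
    (7.00, 7.01, "login/password_downwards_compatibility", "0", "F"),  # 7.00 - 7.01
    (7.02, 99.0, "login/password_downwards_compatibility", "0", "H"),  # 7.02 and higher
]

# Policy parameters with the values suggested in the exercise of this lesson.
POLICY_EXPECTATIONS = {
    "login/min_password_lng": 8,                       # minimum length
    "login/min_password_digits": 1,                    # at least one digit
    "login/password_compliance_to_current_policy": 1,  # enforce policy at logon
}

# Constructed DEFAULT.PFL excerpt (not taken from a real system).
SAMPLE_PROFILE = """\
# constructed profile excerpt
SAPSYSTEMNAME = XYZ
login/min_password_lng = 6
login/password_downwards_compatibility = 1
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'parameter = value' lines of a profile. Lines starting with '#'
    are comments; when a parameter repeats, the last entry wins."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def expected_hash_setting(release: str) -> Tuple[Optional[str], Optional[str], str]:
    """Map a release such as '7.02' to (parameter, value, code version).
    Assumption: the release is given as a plain 'major.minor' number."""
    rel = float(release)
    for low, high, param, value, code in HASH_RECOMMENDATIONS:
        if low <= rel <= high:
            return param, value, code
    raise ValueError(f"release {release!r} not covered by the table")


def audit_password_hash(params: Dict[str, str], release: str) -> List[str]:
    """Return findings for the hash-related parameter of the given release."""
    param, value, code = expected_hash_setting(release)
    if param is None:
        return []  # up to 4.5: no special profile parameter needed
    actual = params.get(param)
    if actual is None:
        return [f"{param} not set: kernel default applies, code version {code} "
                f"not enforced (set it to {value})"]
    if actual != value:
        return [f"{param} = {actual}, recommended {value} (code version {code})"]
    return []


def audit_password_policy(params: Dict[str, str],
                          expectations: Dict[str, int] = POLICY_EXPECTATIONS) -> List[str]:
    """Flag policy parameters that are missing or below the suggested value."""
    findings: List[str] = []
    for param, minimum in expectations.items():
        raw = params.get(param)
        if raw is None:
            findings.append(f"{param} not set (kernel default applies)")
        elif not raw.isdigit() or int(raw) < minimum:
            findings.append(f"{param} = {raw}, suggested at least {minimum}")
    return findings


def audit_profile(text: str, release: str) -> List[str]:
    """Run both checks over a profile text and return all findings."""
    params = parse_profile(text)
    return audit_password_hash(params, release) + audit_password_policy(params)


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE, "7.02"):
        print("FINDING:", finding)
```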
Password Rules in AS Java Password rules in AS Java are controlled by UME parameters. The most important parameters can be changed in the UME Configuration UI.
Figure 74: Password Rules in AS Java
Hint: In an AS ABAP+Java (dual-stack) system you need to maintain the password parameters at the AS ABAP and the AS Java. They are not synchronized automatically.
Secure Store In special situations applications or system functions need a way to securely store user/password information.
Secure Storage in AS ABAP The secure storage is an ABAP-kernel function for storing encoded data. The function is used by applications in the SAP system in order to securely store access data such as passwords for external systems.
For example, the following SAP applications use the secure storage to store passwords:
• Web Service Security
• RFC destinations
• ICF services
• CTS (Correction and Transport System)
• SAPphone
• SAPconnect
• GRMG (Generic Request and Message Generator)
Figure 75: Secure Storage in AS ABAP (SECSTORE)
Transaction SECSTORE (report RSECADMIN) is the central maintenance tool for the Secure Storage in an AS ABAP as of release 7.00. It offers checks for the records (using the check feature of the kernel) and allows migration of records for changed global key and changed system dependent data. You can check the entries in the secure storage across clients in transaction SECSTORE (without seeing their contents).
Hint: It is recommended to call up transaction SECSTORE after every system copy and check the entries. When all entries are green, no action is necessary. When red entries are visible, a new migration key is needed to migrate the data.

The installation number of the system and the system ID are used when creating the key for the secure storage. If one or more of these values changes, the data in the secure storage can no longer be read. Under certain circumstances, you can migrate the data. You need a migration key to be able to carry out the migration. If a change of the installation number is caused by importing a new license, SAP automatically generates the migration keys and sends them with the mail for the new license. To migrate the data, in transaction SECSTORE switch to the System data changed tab. Fill the input fields Old System Name, Old Installation Number, and Release Key and choose Execute. The migration key can be generated at SAP Service Marketplace (http://service.sap.com), Quick Link migrationkey.
For more information see SAP Notes 816861: Migrating entries in the secure storage, 828529: System copy ignores secure storage tables, and 1027439: Migrating "secure storage" across customer numbers.
Secure Storage in AS Java In AS Java based systems applications or services need to be able to store sensitive data such as passwords. To save such data in encrypted form, they can use the AS Java’s secure storage area. Data saved in this area is encrypted using a secret key that is created explicitly for the application or service. You can use the Secure Storage service in the Visual Administrator to replace an application’s secret key, for example, if you think it has been compromised. New data objects are then encrypted using the new secret key; existing objects are re-encrypted using the new key the next time they are accessed. You can also manually initiate the re-encryption of the data that is stored in the corresponding context. The system does not delete the old key, it adds a new key to the context. Therefore, to identify which key is the newer one, the creation date and a sequence number are included in the key’s identifier.
In addition to the Secure Storage service, the AS Java stores the following security-relevant information in a file in the file system:
• Database user SAPDB and its password
• Database connection information
• Administrator user and its password

The AS Java uses the SAP Java Cryptography Toolkit to encrypt the information in the secure store using the triple DES algorithm. The encryption is performed during the AS Java installation process. Using the Config Tool you can re-encrypt the file and change the key phrase. For example, the SDM server process accesses the secure storage file to get the user name and password of the administrator user for the AS Java. Caution: As the secure storage file contains sensitive information, access to this file should be very restricted by file system permissions. It is located at \usr\sap\\SYS\global\security\data\SecStore.properties

You may shortly show the Secure Storage service with Visual Administrator. Create a new connection in Visual Administrator using your course user -##. Navigate to Cluster → Server xx → Services → Secure Storage. You may also shortly show the secure store using the Config Tool.
Exercise 4: Password Parameters

Exercise Objectives
After completing this exercise, you will be able to:
• configure password parameters
Business Example XYZ Limited wants to implement a part of their Security Policy by using strong passwords in SAP systems.
Task 1: Password Parameters in AS ABAP
Set some AS ABAP profile parameters to force users to choose stronger passwords.

1. Set some profile parameters regarding the password rules to be more strict. The table below makes some suggestions, but feel free to experiment. You can use transaction RZ11 or RSPFPAR to look up the current value of those parameters. Use transaction RZ10 to change the profile parameters in the Default Profile of your system. As an alternative you can edit the DEFAULT.PFL file directly on operating system level. After the changes are saved you need to restart the SAP system to activate the settings. Check your settings by changing your password in transaction SU3. If you set parameter login/password_compliance_to_current_policy to 1 you may need to change your password directly after logging on.

Password Profile Parameters
Profile Parameter

Hint: If you edit the DEFAULT.PFL on operating system level, you can use a little helper file on the training share folder ADM960_72/PasswordParameters.
Caution: When using the helper file, remember to reload the profiles with transaction RZ10 afterwards! Utilities → Import profiles → Of active servers
Task 2: Security Policy Configuration in AS Java
Set some UME password parameters to force users to choose stronger passwords. Try to make the same settings as on the AS ABAP.

1. Set some UME parameters regarding the password rules to be more strict. The table below makes some suggestions, but feel free to experiment. Use the UME Configuration UI to do this. Check your settings by changing your password in the AS Java Identity Management. If you select the setting Enforce Password Security Policy at Logon you may need to change your password directly after logging on.

UME Parameters

| UME Parameter | Suggested Value |
|---|---|
| Minimum Length of Password | 8 |
| Minimum Number of Mixed Case Letters in Password | 1 |
| Minimum Number of Alphanumeric Characters in Password | |
Solution 4: Password Parameters

Task 1: Password Parameters in AS ABAP
Set some AS ABAP profile parameters to force users to choose stronger passwords.

1. Set some profile parameters regarding the password rules to be more strict. The table below makes some suggestions, but feel free to experiment. You can use transaction RZ11 or RSPFPAR to look up the current value of those parameters. Use transaction RZ10 to change the profile parameters in the Default Profile of your system. As an alternative you can edit the DEFAULT.PFL file directly on operating system level. After the changes are saved you need to restart the SAP system to activate the settings. Check your settings by changing your password in transaction SU3. If you set parameter login/password_compliance_to_current_policy to 1 you may need to change your password directly after logging on.

Password Profile Parameters
Profile Parameter

Hint: If you edit the DEFAULT.PFL on operating system level, you can use a little helper file on the training share folder ADM960_72/PasswordParameters.
Caution: When using the helper file, remember to reload the profiles with transaction RZ10 afterwards! Utilities → Import profiles → Of active servers
a) First look up the current values of the profile parameters you want to change. Go to transaction RZ11 and enter the Param. Name, for example login/min_password_lng. Choose Display. Note the Current value. Repeat this for the other parameters you want to change.
b) To change the parameters in the SAP system, go to transaction RZ10. Using the F4 help, select DEFAULT as Profile, select Extended Maintenance and choose Change.
c) To change an already existing parameter, for example login/min_password_lng, simply click into this row and choose Change.
d) Enter the new value in the Parameter val. field, for example 8. Choose Copy and Back.
e) To add a new parameter choose Create. Enter the Parameter name, for example login/min_password_digits. Enter the Parameter val., for example 1. Choose Copy twice and Back.
f) In the parameter list choose Copy and Back.
g) Choose Save and in the popup choose No. In the Activate profile popup choose Yes. Then Continue twice.
h) Now restart your SAP system. First stop the Dialog Instance and afterwards the Central Instance. Start in the opposite order. Log on to the operating system level of your SAP system and double-click the desktop shortcut SAP Management Console. In the new window right-click on one instance of your system and choose Stop. After it is stopped, right-click and choose Start.
i) After the system is started again, log on and change your password in transaction SU3. If you set parameter login/password_compliance_to_current_policy to 1 you may need to change your password directly after logging on. Try to violate any parameter you set.

You successfully changed some password parameters of your AS ABAP based SAP system.
Task 2: Security Policy Configuration in AS Java
Set some UME password parameters to force users to choose stronger passwords. Try to make the same settings as on the AS ABAP.

1. Set some UME parameters regarding the password rules to be more strict. The table below makes some suggestions, but feel free to experiment. Use the UME Configuration UI to do this. Check your settings by changing your password in the AS Java Identity Management. If you select the setting Enforce Password Security Policy at Logon you may need to change your password directly after logging on.

UME Parameters

| UME Parameter | Suggested Value |
|---|---|
| Minimum Length of Password | 8 |
| Minimum Number of Mixed Case Letters in Password | 1 |
| Minimum Number of Alphanumeric Characters in Password | |

Make sure that the Default security policy profile is selected.
e) Now enter new values for some of the displayed parameters as suggested in the table above.
f) Choose Save All Changes.
g) Now choose Identity Management, enter your User ID into the search field and choose Go. Select your user and choose Modify. Try to enter a password that is not compliant with the new settings. Hint: If you selected the setting Enforce Password Security Policy at Logon you may need to change your password directly after logging off and logging on again.

You successfully changed some password parameters of your AS Java based SAP system.
Lesson Summary
You should now be able to:
• Identify the different types of users in the SAP System
• Control passwords in the SAP System

Related Information
SAP courses
• ADM100 - Administration AS ABAP I
• ADM102 - Administration AS ABAP II
• ADM200 - Administration AS Java
• ADM800 - Administration AS Java 7.1
• ADM940 - AS ABAP Authorization Concept
• TZNWIM - SAP NetWeaver Identity Management 7.1
SAP Notes
2011
• 1237762: ABAP systems: Protection against password hash attacks
• 1253778: Central Note for SAP NetWeaver Identity Management 7.1
• SAP Service Marketplace (http://service.sap.com), Quick Link security
• SAP Developer Network (https://www.sdn.sap.com/irj/sdn), Quick Link security
Lesson: Interface Security in SAP Systems

Lesson Overview
This lesson concentrates on interface security. It describes how RFC communication and RFC connections can be secured. Further topics are the security of the Internet Communication Manager and the Message Server.
Lesson Objectives
After completing this lesson, you will be able to:
• Configure trusted RFC connections between SAP Systems
• Secure the Gateway process
• Limit Web-enabled Content
• Secure the AS ABAP Message Server
Business Example Ensure Interface Security of your SAP system
Introduction to Interface Security
This lesson concentrates on interface security. It describes how RFC communication and RFC connections can be secured. Further topics are the security of the Internet Communication Manager and the Message Server.
RFC Communication Remote Function Call (RFC) is an SAP proprietary protocol. It is the main integration technology between SAP systems and is also heavily used in integrations with non-SAP systems. Other integration technologies like web services are increasingly complementing RFC. RFC connections between systems are maintained in so-called RFC destinations. RFC destinations are maintained in destination source systems pointing to destination target systems.
RFC communication partners can be SAP systems and external application programs. In all cases, RFCs are possible in both directions, which means the SAP system can be a client and a server. The RFC protocol supports synchronous, asynchronous, and transaction-oriented communication. By default, the SAP Gateway runs on each AS ABAP instance. In some cases, you need to install a standalone Gateway, such as when an RFC call to a Windows-based RFC server is required. You can use the gateway monitor (transaction SMGW) to monitor the activities on local SAP gateways. For outgoing connections from an SAP system, the RFC destination can be maintained using transaction SM59. In SAP systems with SAP NetWeaver AS ABAP 7.00 and higher the authorization object S_RFC_ADM for the maintenance of RFC destinations has been added. Without the authorization object S_RFC_ADM, RFC destinations cannot be created and maintained.
Several connection types (partner system/program) are possible:
• R/2 connections: Partner system is an R/2 System.
• R/3 connections: Partner system is a different SAP System.
• TCP/IP connections: Partner is an external RFC program based on TCP/IP.
For connections to other SAP Systems, you can specify full logon data, such as the user name, password, and client. This information could be used to log on to a destination system under a defined user name without checking the password. As a result, access to transaction SM59 should be restricted and the contents of table RFCDES should be controlled regularly. Avoid storing the password in the RFC destination. Improper management of RFC destinations can lead to privilege escalation. SAP_ALL access in production systems could potentially be gained using improperly configured RFC destinations in development systems. These risks can be mitigated by following the guidelines below to maintain ABAP connections (type 3) and logical connections (type L) in transaction SM59. The following recommendations focus on these two destination types.
To securely manage ABAP and logical RFC destinations, three different categories are distinguished:
1. Destinations storing technical connectivity configuration without stored credentials and without trust relationships between the systems. They require user authentication for each access.
2. Destinations with technical connectivity configuration using stored credentials (i.e. client, user, and password).
3. Destinations with technical connectivity configuration using trusted system logon (Trusted / Trusting RFC).

All three categories of RFC destinations are allowed to be used between systems of the same security classification (e.g. from a production system to another production system). They are also allowed from systems of higher security classification to systems of lower security classification (e.g. from a production system to a development system).

Caution: As a general guideline, destinations from systems of lower security classification to systems of higher security classification are not allowed to store user credentials or to use trusted system logon (e.g. from a development system to a production system). These destinations are only allowed to store technical connectivity configuration and must authenticate the user for each access. One exception to this general guideline is TMS destinations (Transport Management System). If such destinations are required nevertheless, they must be considered a security risk and must only be used after thorough risk analysis.

Caution: It should be generally forbidden for systems of higher security classification to trust systems of lower security classification. Otherwise, the security level of the trusting system is reduced to the security level of the trusted system.

Particularly in production environments, users stored in RFC destinations should only have the minimum authorization in the destination target that is required for the business scenario executed over that destination. We recommend using dedicated accounts per scenario wherever possible. Inspect the SAP Security Guide of an application to get information about required authorizations. It is a common misunderstanding to assume that assigning SAP_ALL privileges to users in destinations with stored credentials is secure as long as the user is not of type DIALOG.
The following security measures should be taken to mitigate the risk of unauthorized access via RFC destinations:
• Analyze all system trust relationships between ABAP systems using transactions SMT1 and SMT2. Identify the trust relationships in which systems of higher security classification trust systems of lower security classification (e.g. test to production, or development to production). Remove this system trust wherever possible.
• Identify RFC destinations with stored user credentials from systems of lower security classification to systems of higher security classification (using report RSRFCCHK). The stored credentials should be removed wherever possible. This way, user authentication is enforced for every access.
• Create a list of RFC destinations with stored credentials and ensure that user accounts have minimum authorizations (especially not SAP_ALL) assigned in the destination target and that the user type is set to SYSTEM.
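Added example (not SAP code): a small Python check that applies the classification rules and security measures above to a list of RFC destinations. The destination records and the DEV/QAS/PRD ranking are constructed; in practice the records would come from an RSRFCCHK export, SM59 or SMT1/SMT2, which this example does not read.

```python
"""Apply the RFC destination guidelines above to a list of destinations.
Added example, not SAP code; the records and the security ranking are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed ranking: a higher number means a higher security classification.
CLASSIFICATION: Dict[str, int] = {"DEV": 1, "QAS": 2, "PRD": 3}


@dataclass
class Destination:
    name: str
    source_system: str          # system that holds the destination (SM59 entry)
    target_system: str          # system the destination points to
    stored_credentials: bool    # client/user/password saved in the destination
    trusted_logon: bool         # trusted system logon (the target trusts the source)
    target_user_type: str = ""  # user type in the target, e.g. SYSTEM or DIALOG
    target_has_sap_all: bool = False
    is_tms: bool = False        # Transport Management System destination


def audit_destination(dest: Destination,
                      classification: Dict[str, int] = CLASSIFICATION) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one destination."""
    findings: List[Tuple[str, str]] = []
    src = classification[dest.source_system]
    tgt = classification[dest.target_system]
    upward = src < tgt  # lower classification calling higher, e.g. DEV -> PRD

    if upward and dest.stored_credentials:
        # TMS is the documented exception: still a risk, so downgrade to a warning.
        severity = "warning" if dest.is_tms else "critical"
        findings.append((severity, "stored credentials from a lower to a higher "
                         "classification; authenticate the user for each access"))
    if upward and dest.trusted_logon:
        # The higher-classified target trusts the lower one: its security level
        # drops to that of the trusted system.
        severity = "warning" if dest.is_tms else "critical"
        findings.append((severity, f"{dest.target_system} trusts the lower-classified "
                         f"{dest.source_system}; remove the trust relationship"))
    if dest.stored_credentials:
        if dest.target_has_sap_all:
            findings.append(("critical", "stored user has SAP_ALL in the target; "
                             "reduce to the minimum authorizations for the scenario"))
        if dest.target_user_type.upper() != "SYSTEM":
            findings.append(("warning", f"stored user is of type "
                             f"{dest.target_user_type or 'unknown'}; use type SYSTEM"))
    return findings


def audit_all(destinations: List[Destination]) -> Dict[str, List[Tuple[str, str]]]:
    """Audit every destination and keep only those with findings."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for dest in destinations:
        findings = audit_destination(dest)
        if findings:
            report[dest.name] = findings
    return report


# Constructed sample destinations (names and values invented for this example).
SAMPLE_DESTINATIONS = [
    Destination("PRD_TO_DEV_MONITOR", "PRD", "DEV", stored_credentials=True,
                trusted_logon=False, target_user_type="SYSTEM"),
    Destination("DEV_TO_PRD_TEST", "DEV", "PRD", stored_credentials=True,
                trusted_logon=False, target_user_type="SYSTEM", target_has_sap_all=True),
    Destination("DEV_TO_PRD_TRUST", "DEV", "PRD", stored_credentials=False,
                trusted_logon=True),
    Destination("TMS_DEV_TO_PRD", "DEV", "PRD", stored_credentials=True,
                trusted_logon=False, target_user_type="SYSTEM", is_tms=True),
    Destination("PRD_TO_PRD_ALE", "PRD", "PRD", stored_credentials=True,
                trusted_logon=False, target_user_type="DIALOG"),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_DESTINATIONS).items():
        for severity, message in findings:
            print(f"{name}: [{severity}] {message}")
```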
Trusted RFC
SAP systems can establish trusted relationships with each other. If a calling (sending) SAP system is known to the called (receiving) system as a trusted system, no password needs to be supplied, provided the user who issued the RFC call is defined in both systems. The calling (sending) SAP system must be registered with the called (receiving) SAP system as a trusted system. The called (receiving) system represents the trusting system.
Figure 84: Trusted Relationships Between AS ABAP based SAP Systems
Trusted relationships between SAP systems have the following advantages:
• Single Sign-On is possible beyond system boundaries.
• No passwords are transmitted in the network.
• Timeout mechanism protects against replay attacks.
• User-specific logon data is checked in the trusting system.
The trust relationship is not mutual, which means that this relationship is applicable in one direction only. To establish a mutual trust relationship between two partner systems, you must define each of the two trusted systems in the corresponding partner systems. To enable the trusted systems to operate properly, the systems should have the same security-level requirements and user administration.

Before a trusted system can be defined, a destination for this system must be created in the trusting system. To do this, use transaction SMT1 or, from the RFC destination overview screen (transaction SM59), choose Extras → Trusted systems. In trusted systems, destinations for trusting systems are automatically created. These destinations are used when you display trusting systems via Extras → Trusting systems (transaction code SMT2).

The user using the trusted RFC must have the corresponding authorizations in the trusting system (authorization object S_RFCACL). In addition, you can configure an authorization check on the transaction code from the calling system. To do this you need to select the option Use transaction code on the trusted system entry in SMT1. Only then will an authorization check be performed in the called system for the transaction code (field RFC_TCODE of the S_RFCACL authorization object). You can check the authorizations for the logged-on users in the trusting system in advance by using the function module AUTHORITY_CHECK_TRUSTED_SYSTEM.

To prevent others from making changes to your trusted RFC destination, mark the checkbox Destination not modifiable in the Administration tab of the destination in SM59. To make the destination changeable again, double-click the checkbox. Note that destinations must be kept consistent. For this reason, you are not allowed to change the ID of the target system, the system number, or the destination name.
SAP Gateway Security

The SAP Gateway is the technical component of the application server that manages the communication for all SAP Remote Function Call (RFC) based functionality. RFC communication can be categorized into three different scenarios as shown in the figure below.

1. ABAP Remote-Enabled Function Modules

The most frequently used RFC functionality in customer installations is provided by ABAP remote-enabled function modules. For instance, technologies like Business Application Programming Interface (BAPI), Application Link Enabling (ALE), or Intermediate Document (IDoc) are provided by ABAP and use RFC as the underlying communication protocol. Securing these ABAP connections is described in the section above. The mechanisms used to secure this communication are based on end user authentication and authorization checks in the ABAP system (e.g. authorization object S_RFC in the called system and S_ICF in the calling system). The Gateway does not perform additional security checks.

2. Registered RFC Server Program

The second-most used RFC functionality is the so-called registered RFC server programs. These use the SAP RFC library and integrate ABAP systems with non-ABAP systems that provide RFC functions. The external RFC server programs register at the Gateway and can later be accessed by RFC clients via the same Gateway. Very often this RFC client is actually the ABAP system where the external RFC server program is registered. This is configured in transaction SM59 in RFC destinations of type T with technical setting Registered Server Program. One example for this use case is SAP NetWeaver Search and Classification (TREX). Registered RFC server programs are a very common integration technology and are developed by SAP and partner companies. Typically, registered RFC servers do not perform user authentication or authorization checks. Registration of RFC server programs and RFC client access to these servers is controlled via Gateway access control lists (secinfo for releases up to 4.6 and reginfo in higher releases).

3. Started RFC Server Program

Finally there are so-called started RFC server programs. They are also built with the SAP RFC library, but instead of registering at the Gateway they reside on the host of the application server. The Gateway launches these RFC server programs triggered by RFC client requests. One example is the start of the RFC server program SAPXPG, which is used via transaction SM49 to execute operating system commands on application servers. SAP default configurations only start these RFC server programs locally. This is configured in transaction SM59 in RFC destinations of type T with technical setting Start on Explicit Host and gateway options explicitly pointing to the local Gateway or just being blank. Again, in most cases started RFC servers do not perform user authentication or authorization checks. As in the case of registered RFC servers, access to these started RFC servers is controlled via Gateway access control lists (secinfo for all releases).

Caution: For system security it is of utmost importance that the SAP Gateway access control lists (ACL) are created and maintained properly. The ACL files do not exist in default installations. Hence no restrictions exist regarding RFC server registration, access to registered RFC servers, or starting of RFC server programs in default installations. This can lead to system compromise. SAP provides guidelines on how to set up the ACLs, and minimum SAP kernel patch levels and configuration switches need to be implemented. See SAP NetWeaver 7.01 online documentation, path SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → Security Guides for Connectivity and Interoperability Technologies → Security Settings in the SAP Gateway.

SAP provides a tool to create SAP gateway ACLs that cover typical usage scenarios for registered and started RFC server programs. SAP gateway logging should be activated in order to support ongoing maintenance and provide monitoring. Additionally, SAP gateway monitoring should only allow local access (gw/monitor = 1). This is the default configuration setting since release 6.40. See SAP Note 64016: Using the SAP Gateway monitor GWMON.

The following security measures should be taken to protect the SAP gateway:
• Verify the minimum SAP kernel patch levels (SAP Note 1298433: Bypassing security in reginfo & secinfo).
• Set profile parameters gw/sec_info, gw/reg_info and gw/reg_no_conn_info (SAP Notes 1408081: Basic settings for reg_info and sec_info, and 1444282: gw/reg_no_conn_info settings).
• Create secinfo and reginfo ACL files manually or with the tool (SAP Notes 1408081: Basic settings for reg_info and sec_info, and 1425765: Generation of sec_info reg_info prxy_info).
• Reload ACL files dynamically on each application server to activate changes.
• If necessary, missing configurations can be identified by
  – activation of SAP gateway logging and log file review (SAP Note 910919: Setting up Gateway logging);
  – analysis of the error messages shown on the RFC client.
Configuring Gateway Security

To implement the recommendations from the former section, carefully work through all given SAP Notes and documentation. Here we want to give information on how to basically proceed, but as each customer has different requirements and a different environment for each system, the information given here may not fit exactly. After checking and updating the system to the required kernel and Support Package level, you may set the following parameters and provide the files secinfo and reginfo:

    gw/sec_info = $(DIR_GLOBAL)$(DIR_SEP)secinfo
    gw/reg_info = $(DIR_GLOBAL)$(DIR_SEP)reginfo
    gw/reg_no_conn_info = 15

For a Windows operating system, the files should have the extension .DAT.

Caution: Since important security information is held in these files, the system administrator must take care to define the file authorization correctly, for example read-only authorization for the file owner and no authorization for all other users.

With the Gateway Monitor (transaction SMGW), you can monitor and administrate the Gateway. Use the menu Goto → Expert Functions → External Security to display, create and reload secinfo and reginfo. In the Gateway Monitor you can also configure the gateway logging at Goto → Expert Functions → Logging; for example, check the event Security and choose Activate.
The ICM ensures communication between the SAP system and the outside world using the HTTP, HTTPS, and SMTP protocols. As a server, the ICM can process requests from the Internet whose URLs address a server/port combination that the ICM listens on. The ICM then calls the corresponding local handlers, such as the file handler or the server cache handler, to perform the necessary task. The Internet Communication Framework (ICF) provides the framework for implementing the applications for the ICM. The ICF consists of the interfaces that enable the SAP NetWeaver AS to function as a Web server or a Web client.

Transaction SMICM performs the following functions:
• Monitors the ICM.
• Views threads.
• Views active services and ports.
• Views trace files.
• Displays the cache content and statistics.
• Restarts the ICM.

Figure 89: Internet Communication Framework (SICF)

The ICF provides a framework for developing SAP NetWeaver AS Internet applications such as Business Server Pages (BSPs). Applications are organized in a hierarchical tree. You can use transaction SICF to create and maintain BSPs, and also to create and maintain virtual hosts for the SAP NetWeaver AS. Use transaction SE80 to create and test the BSPs.

Security requirements and the ICF mechanisms that address them:
• Scalability: load balancing
• Access control: network zones, using virtual hosts
• Confidentiality: encryption
• Identifying users: user authentication
• Protecting individual services: activate/deactivate services
Limiting Web-Enabled Content

ABAP systems offer web-enabled content that can be accessed using web browsers. This content is managed by the SAP Internet Communication Framework (ICF) and maintained via transaction SICF. Some of the ICF services could potentially be misused, and unauthorized access to system functionality might be possible.

Figure 91: Attack Surface Reduction by limiting ICF services

The following recommendations apply for the handling of web-enabled content in the SAP Internet Communication Framework:
• Only ICF services that are required for business scenarios should be enabled. Particularly on productive SAP systems, not all ICF services should be enabled.
• If it is suspected that more ICF services than necessary are activated, actual usage of ICF services can be analyzed and services can be mass maintained with releases 7.0 onwards. See SAP Note 1498575: Mass Maintenance of ICF Services.
• Short term: Review at least all ICF services that do not require user authentication. This includes all services in /sap/public as well as services with stored logon data.
• Short term: It is recommended to deactivate at least the ICF services listed in the table below if they are not used in your business scenarios.
ICF-Services to Deactivate if not in use SICF Service
Example: The SAP NetWeaver Application Server runs on a computer whose host names and IP addresses are mapped as shown below:

IP Address      Host Name
10.20.30.40     intranet.mycompany.com
10.20.50.60     myhost.mycompany.com

You define whether there should be different virtual hosts using the profile parameter is/HTTP/virt_host_<n> = <host>:<port1>;<host>:<port2>;...; where <n> stands for a number 0, 1, ..., 9. The profile parameter can be changed statically in the instance profile or dynamically using transaction RZ11. Transaction RZ11 also contains the parameter documentation. Note that the parameter is/HTTP/virt_host_0 = *:*; is set and cannot be changed. As a result, if no other virtual host matches, the default host number 0 is used. The default host shows up in the HTTP service tree of transaction SICF as default_host. Initially, this is the only virtual host. Each user accesses the tree that corresponds to his or her virtual host. To avoid namespace conflicts, all other hosts provided by SAP begin with “SAP”.
SAP Message Server Security

The SAP Message Server is a system component that provides two services. On the one hand, it manages SAP communication between the application servers of one SAP system. On the other hand, it provides load-balancing information to clients such as the SAP GUI. In standard installations before release 7.0, both clients and application servers use the same message server port for communication. As of release 7.0, default installations automatically split the message server port into an internal port (used for application server connections) and an external port (used for end user connections). This is defined via the profile parameters rdisp/mshost, rdisp/msserv, and rdisp/msserv_internal.

Without appropriate security measures, malicious programs on client machines could access the message server and spoof application server communication, which could lead to privilege escalation. It is therefore strongly recommended to implement the following security measures to mitigate the risks of unauthorized SAP message server access.

Securing SAP Message Server (recommended configuration by release)

Up to 4.5: The Message Server port (rdisp/mshost, rdisp/msserv) should be firewalled. Only network segments with SAP servers should be granted access to this port. Client networks should be blocked from accessing the Message Server. Please be aware that this has an impact on the ability to provide load balancing functionality to SAP GUI clients.

4.6: The Message Server services should be separated into two ports. See SAP Note 1421005: Network security of the message server. One port is used for SAP GUI client access (rdisp/msserv) and the other for internal server communication (rdisp/msserv_internal). Internal system communication (rdisp/msserv_internal) needs to be firewalled. Only network segments with SAP servers should be granted access to internal server communication.

6.40 and higher: In addition to the measures recommended for release 4.6, a Message Server ACL should be activated that lists all relevant network interfaces (e.g. including failover interfaces) of all application servers (ms/acl_info).

Additional information is provided in the SAP NetWeaver Security Guide. See SAP NetWeaver 7.02 online documentation, path SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → Security Settings for the SAP Message Server.

In addition to the access restrictions for the Message Server, it is recommended to restrict access to remote message server monitoring (ms/monitor = 0). See SAP Note 821875: Security settings in the message server.
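The gateway parameters from the Configuring Gateway Security section and the message server parameters recommended above can be checked mechanically against an instance profile before a system goes live. The following is an added example, not part of the course material or of any SAP tool. It assumes the standard profile layout (one "parameter = value" per line, "#" comment lines); the two sample profiles, the service name sapmsDEV and the port 3900 are constructed values for illustration. An unset gw/monitor is accepted because the page states that 1 has been the default since release 6.40.

```python
from typing import Dict, List


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of an SAP profile; '#' starts a comment line.
    A parameter set twice keeps the last value, as the profile reader does."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def check_hardening(params: Dict[str, str]) -> List[str]:
    """One finding per deviation from the settings recommended on this page."""
    findings: List[str] = []
    get = params.get

    # Gateway: without gw/sec_info and gw/reg_info no ACL is loaded at all.
    for name in ("gw/sec_info", "gw/reg_info"):
        if not get(name):
            findings.append(f"{name} not set: any host may start or register RFC server programs")
    if get("gw/reg_no_conn_info") != "15":
        findings.append("gw/reg_no_conn_info should be 15 (SAP Note 1444282)")
    if get("gw/monitor") not in (None, "1"):  # unset = release default (1 since 6.40)
        findings.append("gw/monitor should be 1: local gateway monitoring only")

    # Message server: separate internal port, ACL for application servers, no remote monitor.
    internal, external = get("rdisp/msserv_internal"), get("rdisp/msserv")
    if not internal:
        findings.append("rdisp/msserv_internal not set: SAP GUI clients and application servers share one port")
    elif internal == external:
        findings.append("rdisp/msserv_internal equals rdisp/msserv: ports are not separated")
    if not get("ms/acl_info"):
        findings.append("ms/acl_info not set: any host can log on to the message server as an application server")
    if get("ms/monitor") != "0":
        findings.append("ms/monitor should be set to 0: no remote message server monitoring")
    return findings


# Constructed sample profiles (not from the page). The first is what a default
# installation looks like, the second adds the recommended settings.
WEAK_PROFILE = """# instance profile, nothing hardened
SAPSYSTEMNAME = DEV
INSTANCE_NAME = DVEBMGS00
rdisp/mshost = app01
rdisp/msserv = sapmsDEV
"""
HARDENED_PROFILE = WEAK_PROFILE + """
rdisp/msserv_internal = 3900
ms/acl_info = $(DIR_GLOBAL)$(DIR_SEP)ms_acl_info
ms/monitor = 0
gw/sec_info = $(DIR_GLOBAL)$(DIR_SEP)secinfo
gw/reg_info = $(DIR_GLOBAL)$(DIR_SEP)reginfo
gw/reg_no_conn_info = 15
gw/monitor = 1
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, check_hardening(parse_profile(text)) or ["no findings"])
```

Run against the weak profile the checker reports six findings (both gateway ACL parameters, gw/reg_no_conn_info, the missing internal message server port, ms/acl_info and ms/monitor); the hardened profile passes. A profile that merely sets rdisp/msserv_internal to the same value as rdisp/msserv is flagged too, since the whole point of the split is to firewall the internal port separately. The checker only sees the profile: whether the ACL files named there actually exist and contain sensible rules has to be verified in SMGW and SMMS.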
Maintaining Message Server ACL

The ms/acl_info parameter specifies a file with access rights to the Message Server (default: /usr/sap/<SID>/SYS/global/ms_acl_info; for Windows the file extension should be .DAT). If the file exists, it must contain all machine names, domains, IP addresses and/or subnet masks of the application servers that are allowed to log on to the Message Server. You can either list several names in one entry or enter each name on a separate line. This file does not affect external clients that only want to retrieve information from the message server; that is always possible. The entries must have the following syntax:

    HOST=[* | ip_adr | host_name | subnet_mask | domain] [, ...]

Examples of valid entries:

    HOST=*                  all hosts are allowed
    HOST=host1,host2        logons allowed from host1 and host2
    HOST=*.sap.com          all hosts in the sap.com domain can log on
    HOST=147.45.56.32       the host with this IP address can log on
    HOST=147.45.56.*        hosts in this subnet can log on

Caution: Set the file system access authorizations for the file to a value that prevents unwanted modifications.

You can read the file in transaction SMMS, and you can add, change and/or delete dynamic entries there (SMMS → Goto → Security Settings → Access Control).
Exercise 5: Configure Trusted RFC

Exercise Objectives
After completing this exercise, you will be able to:
• configure Trusted RFC

Business Example
You need to configure a Trusted RFC Destination.

Task: Configure Trusted RFC
Create a trusted RFC destination without saving user/password information from your system to the system of your partner group. The groups working on system DEV should create a trusted RFC to the QAS system on the same host and vice versa. The table below should clarify it.

Caution: It should generally be forbidden for systems of higher security classification to trust systems of lower security classification.

Group   Source System   Target System
DEV     DEV             QAS
QAS     QAS             DEV

Hint: RFC destination names are case sensitive.

1. Create a “normal” RFC destination in the target system to connect to your own (source) system. In the next step this destination is used to establish the trust, so that the target system trusts your system.
2. Still in the target system, maintain your source system as a trusted system.
3. The user that later on wants to use the trusted RFC destination needs the authorization object S_RFCACL with sufficient authorizations in the target system. Maintain those authorizations by creating a new role with transaction PFCG and assign it to your user.
4. In your (source) system create a trusted RFC destination to the target system. Check that the destination works without providing any logon data.
Solution 5: Configure Trusted RFC

Task: Configure Trusted RFC
Create a trusted RFC destination without saving user/password information from your system to the system of your partner group. The groups working on system DEV should create a trusted RFC to the QAS system on the same host and vice versa. The table below should clarify it.

Caution: It should generally be forbidden for systems of higher security classification to trust systems of lower security classification.

Group   Source System   Target System
DEV     DEV             QAS
QAS     QAS             DEV

Hint: RFC destination names are case sensitive.

1. Create a “normal” RFC destination in the target system to connect to your own (source) system. In the next step this destination is used to establish the trust, so that the target system trusts your system.
   a) Log on to the target system and go to transaction SM59.
   b) Choose Create. Enter the name of this destination into the RFC Destination field, for example ToSourceSystem. Choose 3 as the Connection Type and maintain a short Description. Choose Enter.
   c) Maintain the Technical Settings by entering the host name of your source system into the Target Host field and the instance number into the System Number field, for example twdf1234.wdf.sap.corp and 22 respectively.
   d) Save the destination and choose Remote Logon to verify that the destination points to the right system. The logon screen of your source system should appear.
2. Still in the target system, maintain your source system as a trusted system.
   a) In the target system, in the initial screen of transaction SM59 choose Extras → Trusted Systems.
   b) Make sure the tab Systems whose calls are trusted is selected and choose Create.
   c) In the popup choose Continue.
   d) Enter the just created destination, for example ToSourceSystem, and choose Continue. Hint: RFC destination names are case-sensitive!
   e) Choose Continue.
   f) Log on to your source system.
   g) Choose Continue two times. Finally choose Complete. Now the target system trusts the source system.
3. The user that later on wants to use the trusted RFC destination needs the authorization object S_RFCACL with sufficient authorizations in the target system. Maintain those authorizations by creating a new role with transaction PFCG and assign it to your user.
   a) In the target system go to transaction PFCG.
   b) Enter a name into the Role field, for example TRUSTED_RFC, and choose Create Single Role.
   c) Maintain a short Description, Save and choose the Authorizations tab.
   d) Choose Change authorization data.
   e) Choose Do not select templates.
   f) Choose the Manually button, enter S_RFCACL in the first Authorization object field and Continue.
   g) To keep it simple, just click on the yellow triangle symbol on top of the screen and choose Execute. Normally you would maintain the authorizations in detail here. In a productive system do not leave the fields at *: an S_RFCACL authorization with * in all fields accepts trusted logons from any system and client as any user. Restrict at least RFC_SYSID, RFC_CLIENT and RFC_USER, or set RFC_EQUSER = Y so that the calling user may only log on under the same user ID.
   h) Choose Generate and Execute. Then go Back.
   i) Save and choose the User tab. Enter the ID of the user you later on want to use to log on to this system by using the trusted RFC destination.
   j) Save, choose User comparison and choose Complete Comparison. You created a role and assigned it to a user, so that this user is able to connect with a trusted RFC to this system.
4. In your (source) system create a trusted RFC destination to the target system. Check that the destination works without providing any logon data.
   a) Log on to your (source) system and go to transaction SM59.
   b) Choose Create. Enter the name of this destination into the RFC Destination field, for example ToTargetSystem. Choose 3 as the Connection Type and maintain a short Description. Choose Enter.
   c) Maintain the Technical Settings by entering the host name of the target system into the Target Host field and the instance number into the System Number field, for example twdf5678.wdf.sap.corp and 33 respectively.
   d) Choose the Logon & Security tab.
   e) Choose Yes as the value for Trust Relationship.
   f) Save the destination and choose Remote Logon. You should be logged on to the target system directly without entering user/password.
Exercise 6: Secure the Gateway

Exercise Objectives
After completing this exercise, you will be able to:
• Secure the Gateway

Business Example
You need to secure the Gateway processes of your SAP system.

Task: Secure the Gateway
Secure the starting of external programs and the registration of RFC server programs at your gateways by maintaining the secinfo and reginfo files.
1. Using the Gateway Monitor (SMGW) check if there already are some restrictions maintained.
2. Change the profile parameters in a way that each gateway of your system uses the same files. Secure the usage of external commands and registered programs by creating a secinfo.DAT and reginfo.DAT file for all your gateways. In addition set parameter gw/reg_no_conn_info = 15.
   Hint: There are already prepared files in the training share folder ADM960_72/InterfaceSecurity.
   Caution: When using the helper file, remember to reload the profiles with transaction RZ10 afterwards! Utilities → Import profiles → Of active servers

Result
Congratulations! You secured your gateways by using secinfo.DAT and reginfo.DAT.
Solution 6: Secure the Gateway

Task: Secure the Gateway
Secure the starting of external programs and the registration of RFC server programs at your gateways by maintaining the secinfo and reginfo files.
1. Using the Gateway Monitor (SMGW) check if there already are some restrictions maintained.
   a) Go to transaction SMGW.
   b) Choose Goto → Expert Functions → External Security → Display (Sec Info) and check the displayed information.
   c) Choose Back and choose Goto → Expert Functions → External Security → Display (Reg. Info) and check the displayed information.
2. Change the profile parameters in a way that each gateway of your system uses the same files. Secure the usage of external commands and registered programs by creating a secinfo.DAT and reginfo.DAT file for all your gateways. In addition set parameter gw/reg_no_conn_info = 15.
   Hint: There are already prepared files in the training share folder ADM960_72/InterfaceSecurity.
   Caution: When using the helper file, remember to reload the profiles with transaction RZ10 afterwards! Utilities → Import profiles → Of active servers
   a) To change the parameters in the SAP system, go to transaction RZ10. By using the F4 help select DEFAULT as Profile, select Extended Maintenance and choose Change.
   b) To add a new parameter choose Create. Enter the Parameter name, for example gw/sec_info. Enter the Parameter val., for example $(DIR_GLOBAL)$(DIR_SEP)secinfo.DAT. Choose Copy twice and Back.
   c) In the parameter list choose Copy and Back.
   d) Choose Save and in the popup choose No. In the Activate profile popup choose Yes. Then Continue twice.
   e) Repeat this for all parameters you need to add.
   f) Now restart your SAP system. First stop the Dialog Instance and afterwards the Central Instance; start them in the opposite order. Log on to the operating system level of your SAP system and double-click the desktop shortcut SAP Management Console. In the new window right-click one instance of your system and choose Stop. After it is stopped, right-click and choose Start.
   g) Log on to the operating system level of your SAP system.
   h) Copy the secinfo.DAT file from the training share into the folder specified with the parameter gw/sec_info, for example D:\usr\sap\<SID>\SYS\global\. Do the same for file reginfo.DAT.
   i) In your SAP system go to transaction SMGW and choose Goto → Expert Functions → External Security → Reread (global) and afterwards Goto → Expert Functions → External Security → Display (Sec Info). You should see the content of your secinfo.DAT file. Do the same for reginfo.DAT.

Result
Congratulations! You secured your gateways by using secinfo.DAT and reginfo.DAT.
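Neither the SAP Gateway Security and Configuring Gateway Security sections nor Exercise 6 spell out what a secinfo or reginfo entry looks like, which makes it hard to judge a prepared file before reloading it in SMGW. The following is an added example, not part of the course material and not an SAP tool. It assumes the VERSION=2 syntax described in SAP Note 1408081 (referenced above): one rule per line, P (permit) or D (deny) followed by KEY=VALUE tokens, where secinfo uses TP, USER, USER-HOST and HOST and reginfo uses TP, HOST, ACCESS and CANCEL; "*" is the only wildcard; host lists are comma-separated; the keywords local and internal stand for the gateway's own host and for all application servers of the system. Rules are evaluated top-down and the first match wins. A request that matches no rule is treated as denied here; that fail-closed default is this example's assumption, the gateway's own behaviour in that case depends on the kernel release, which is exactly why the lint insists on an explicit deny-all rule at the end. The sample files and host names are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

HOST_KEYS = ("HOST", "USER-HOST", "ACCESS", "CANCEL")

@dataclass
class Rule:
    action: str            # "P" (permit) or "D" (deny)
    attrs: Dict[str, str]  # e.g. {"TP": "*", "HOST": "local"}
    lineno: int

def wild(pattern: str, value: str, ignore_case: bool) -> bool:
    """'*' matches any run of characters; nothing else is special (assumption)."""
    rx = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(rx, value, re.IGNORECASE if ignore_case else 0) is not None

def parse_acl(text: str) -> List[Rule]:
    """One rule per line: P|D KEY=VALUE ...; lines starting with '#' are comments."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *tokens = line.split()
        if action.upper() not in ("P", "D"):
            raise ValueError(f"line {lineno}: rule must start with P or D")
        attrs: Dict[str, str] = {}
        for tok in tokens:
            key, sep, val = tok.partition("=")
            if not sep or not val:
                raise ValueError(f"line {lineno}: malformed token {tok!r}")
            attrs[key.upper()] = val
        if "TP" not in attrs:
            raise ValueError(f"line {lineno}: TP= is mandatory")
        rules.append(Rule(action.upper(), attrs, lineno))
    return rules

def host_matches(pattern: str, host: str, local: str, internal: Set[str]) -> bool:
    """Comma-separated host list; 'local' = the gateway's own host, 'internal' =
    any application server of this system (both supplied by the caller)."""
    internal_lc = {h.lower() for h in internal} | {local.lower()}
    for p in (x.strip() for x in pattern.split(",")):
        if p == "local" and host.lower() == local.lower():
            return True
        if p == "internal" and host.lower() in internal_lc:
            return True
        if p not in ("local", "internal") and wild(p, host, ignore_case=True):
            return True
    return False

def is_permitted(rules: List[Rule], tp: str, host: str, local: str,
                 internal: Set[str], extra: Optional[Dict[str, str]] = None) -> bool:
    """First matching rule wins. `host` is the HOST= side of the request; `extra`
    carries USER, USER-HOST, ACCESS, ... as the gateway sees them. A rule attribute
    that is absent acts as '*'. No match: deny (fail closed, see lead-in)."""
    for r in rules:
        if not wild(r.attrs["TP"], tp, ignore_case=False):
            continue
        if not host_matches(r.attrs.get("HOST", "*"), host, local, internal):
            continue
        matched = True
        for key, value in (extra or {}).items():
            pat = r.attrs.get(key.upper(), "*")
            matched = (host_matches(pat, value, local, internal) if key.upper() in HOST_KEYS
                       else wild(pat, value, ignore_case=True))
            if not matched:
                break
        if matched:
            return r.action == "P"
    return False

def lint(text: str) -> List[str]:
    """Findings to clear before reloading the file in SMGW (Reread)."""
    findings: List[str] = []
    first = next((l.strip() for l in text.splitlines() if l.strip()), "")
    if first.upper() != "#VERSION=2":
        findings.append("first line is not '#VERSION=2'")
    rules = parse_acl(text)
    for r in rules:
        if r.action == "P" and all(r.attrs.get(k, "*") == "*" for k in ("TP", "USER") + HOST_KEYS):
            findings.append(f"line {r.lineno}: permit-all rule is equivalent to having no ACL")
    if not rules or rules[-1].action != "D" or rules[-1].attrs["TP"] != "*":
        findings.append("file does not end with an explicit 'D TP=*' deny-all rule")
    return findings

# Constructed sample files (not from the page): local and internal traffic is
# permitted, one named external program is allowed explicitly, the rest denied.
SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=local HOST=local
P TP=* USER=* USER-HOST=internal HOST=internal
D TP=* USER=* USER-HOST=* HOST=*
"""
REGINFO = """#VERSION=2
P TP=TREX_* HOST=trex01.example.com ACCESS=internal CANCEL=internal
P TP=* HOST=local ACCESS=local CANCEL=local
D TP=* HOST=* ACCESS=* CANCEL=*
"""
INTERNAL = {"app01.example.com", "app02.example.com"}  # this system's servers
```

With `me = "app01.example.com"` as the gateway host, `is_permitted(parse_acl(SECINFO), "sapxpg", me, me, INTERNAL, {"USER": "BATCHADM", "USER-HOST": me})` returns True (SM49 starting sapxpg for a caller on the same host), while the same call with `"USER-HOST": "pc42.example.com"` falls through to the final D line and returns False. For the reginfo, `is_permitted(parse_acl(REGINFO), "TREX_idx", "trex01.example.com", me, INTERNAL)` is True and the same program name offered from pc42 is False; note that the second reginfo line (HOST=local) also refuses a registration coming from app02, because local means the gateway's own host only, so a program that is meant to register at several gateways needs HOST=internal or an explicit list. `lint("P TP=* HOST=*\n")` returns three findings, which is what an unprotected default installation looks like once somebody writes it down as a file.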
Exercise 7: Secure the Message Server

Exercise Objectives
After completing this exercise, you will be able to:
• Secure the Message Server

Business Example
You need to secure the Message Server of your SAP system.

Task: Message Server Security
Check the Message Server parameters and maintain the Message Server ACL.
1. Check the Message Server parameters rdisp/msserv, rdisp/msserv_internal, ms/acl_info, and ms/monitor.
2. Create a Message Server ACL file and put it into the directory the parameter ms/acl_info points to. Let the Message Server use the new ACL.
   Hint: There are already prepared files in the training share folder ADM960_72/InterfaceSecurity.

Result
Congratulations! You secured your Message Server.
Solution 7: Secure the Message Server

Task: Message Server Security
Check the Message Server parameters and maintain the Message Server ACL.
1. Check the Message Server parameters rdisp/msserv, rdisp/msserv_internal, ms/acl_info, and ms/monitor.
   a) Log on to your SAP system. Go to transaction RSPFPAR.
   b) Look for the parameters given above and note their values.
2. Create a Message Server ACL file and put it into the directory the parameter ms/acl_info points to. Let the Message Server use the new ACL.
   Hint: There are already prepared files in the training share folder ADM960_72/InterfaceSecurity.
   a) Log on to the operating system of your SAP system. Copy the file ms_acl_info.DAT from the training share to the folder where parameter ms/acl_info points to, for example \usr\sap\<SID>\SYS\global.
   b) In your SAP system go to transaction SMMS and choose Goto → Security Settings → Access Control → Reload.
   c) Go Back and choose Goto → Security Settings → Access Control → Display to check the new ACL.

Result
Congratulations! You secured your Message Server.
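The entry syntax given in Maintaining Message Server ACL is simple enough to model, and doing so answers the question Exercise 7 leaves open: will every application server, including the failover interfaces the 6.40 recommendation mentions, still be able to log on after the ACL is reloaded? The following is an added example, not part of the course material and not an SAP tool. It assumes that each pattern is tested against both the reverse-resolved host name and the IP address of the connecting server, and that a missing ms_acl_info file imposes no restriction, as the text above states. Names, addresses and the sample ACL are constructed.

```python
import re
from typing import List, Optional, Sequence, Tuple


def parse_ms_acl(text: str) -> List[str]:
    """Return every HOST pattern of an ms_acl_info file. A line reads
    HOST=<pattern>[,<pattern>...] (spaces around '=' allowed); '#' lines are comments."""
    patterns: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().upper() != "HOST":
            raise ValueError(f"line {lineno}: expected HOST=..., got {line!r}")
        patterns.extend(p.strip() for p in value.split(",") if p.strip())
    return patterns


def _wild(pattern: str, value: str) -> bool:
    """'*' matches any run of characters: covers *.sap.com as well as 147.45.56.*."""
    rx = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(rx, value, re.IGNORECASE) is not None


def ms_logon_allowed(acl_text: Optional[str], host_name: str, ip: str) -> bool:
    """May a server that connects from `ip` (reverse-resolving to `host_name`)
    log on as an application server? acl_text=None models a missing ms_acl_info
    file, which the page says imposes no restriction. Assumption: every pattern
    is tested against both the resolved name and the address."""
    if acl_text is None:
        return True
    return any(p == "*" or _wild(p, host_name) or _wild(p, ip)
               for p in parse_ms_acl(acl_text))


Interface = Tuple[str, str]  # (reverse-resolved host name, IP address)


def build_ms_acl(interfaces: Sequence[Interface]) -> str:
    """Generate an ACL that names every interface of every application server,
    including failover addresses, so that no server is locked out after a switch."""
    lines = ["# ms_acl_info generated from the application server inventory"]
    lines += [f"HOST={name},{ip}" for name, ip in interfaces]
    return "\n".join(lines) + "\n"


def uncovered_interfaces(acl_text: str, interfaces: Sequence[Interface]) -> List[Interface]:
    """Interfaces in the inventory from which the message server would refuse a logon."""
    return [(n, ip) for n, ip in interfaces if not ms_logon_allowed(acl_text, n, ip)]


# Constructed sample data (not from the page).
ACL_EXAMPLE = """# hand-written ACL in the syntax shown above
HOST = *.example.com
HOST=147.45.56.*
HOST=app99
"""
INVENTORY: List[Interface] = [
    ("app01.example.com", "10.20.30.40"),
    ("app02-hb.example.local", "10.99.0.2"),  # heartbeat/failover interface, other domain
]

if __name__ == "__main__":
    print(ms_logon_allowed(ACL_EXAMPLE, "pc42.corp.local", "192.168.1.77"))  # False
    print(uncovered_interfaces(ACL_EXAMPLE, INVENTORY))  # the failover interface only
    print(build_ms_acl(INVENTORY), end="")
```

The hand-written ACL admits the domain *.example.com, one subnet and one host name, so app01 passes, but the heartbeat interface app02-hb.example.local / 10.99.0.2 is reported by `uncovered_interfaces`: after a failover the second server would be refused, which is the gap the 6.40 recommendation warns about. Generating the file from the inventory with `build_ms_acl` and re-running the check returns an empty list. Keep the generated file owned by the <sid>adm user with no write access for others, as the Caution above requires, and reload it in SMMS rather than restarting the message server.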
Lesson Summary
You should now be able to:
• Configure trusted RFC connections between SAP Systems
• Secure the Gateway process
• Limit Web-enabled Content
• Secure the AS ABAP Message Server
Lesson: Development Protection and Security Patches

Lesson Overview
This lesson describes the components of the SAP development system. It also explains the various system change and client change options in SAP systems.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain the system change options
• Explain the client change options

Business Example
XYZ Limited wants to secure the SAP Software Logistics.
Development Protection
Figure 93: System Landscape
The development system (DEV) contains the SAP standard clients, a development and customizing client (CUST), a sandbox client (SAND), and a test client (TEST). Because the test client does not contain realistic application data, only unit tests can be conducted in this client. The Quality Assurance System (QAS) includes a test client (QTST) and a training client (TRNG).
• QTST is used to test customizing configuration changes with realistic data to ensure that the changes do not affect other modules. After the changes are approved, these changes can be imported into other clients.
• TRNG should be set up in QAS rather than in the production system to avoid decreased performance in the production system.

The production system (PRD) contains only the production client (PROD) and the SAP standard clients. Additional clients may exist for special purposes, such as for central user management.
Enhanced Change and Transport System (Enhanced CTS)

The ABAP Change and Transport System (CTS) has been enhanced with SAP NetWeaver AS ABAP 7.00 SPS 12. As well as ABAP objects, you can now also transport Java objects (J2EE, JEE) and SAP-specific non-ABAP technologies (such as Web Dynpro Java or SAP NetWeaver Portal) in your landscape.

Figure 94: Enhanced Change and Transport System (Enhanced CTS)

Supported object types:
• Java-based and J2EE-based objects
  – Software Component Archives (SCAs)
  – Enterprise Application Archives (EARs)
  – Software Deployment Archives (SDAs)
  – DTR activities in DS (DIPs)
• Usage type EP (SAP NetWeaver Portal)
  – Enterprise Portal Archives (EPAs)
  – Enterprise Portal Applications (PARs)
  – Knowledge Management objects (KM Content and KM Configurations)
• Usage type PI (Process Integration)
  – Integration Repository design objects
  – Integration Directory configuration objects
  – ABAP Mappings
• SLD objects (products, software components, technical systems, and business systems)
• MDM (specific set of data model objects)
• any files

A Java transport landscape is represented by an ABAP transport landscape. The transport controller must be a physical ABAP system (at least SAP NetWeaver AS ABAP 7.00, SPS 12), in which the transport routes are configured.
Figure 96: Different levels of control

• On the lowest level, transports are executed with proprietary Java tools.
• These Java tools can be controlled by the Enhanced ABAP Change and Transport System (Enhanced CTS). This allows better control of transports. Furthermore, the documentation, tracking and troubleshooting possibilities are improved.
• On the next level of control, transports in the SAP NetWeaver AS ABAP can be managed by Change Request Management in SAP Solution Manager. This increases the control of the full change process, including the incident, approval process and change realization process. Change Request Management in SAP Solution Manager is 100% compliant with the Enhanced Change and Transport System.
From a change management perspective, each system in the SAP landscape is configured differently depending on its role in the landscape. There are two levels of SAP change options:
• The system change option defines whether or not customizing and development functions are available in an SAP System.
• The client change option controls the customizing and development functionality in a system client.

If an SAP System can be globally modified using the system change option, you can specify for each software component or namespace whether or not it can be modified. Customizing and development should be permitted neither in the Quality Assurance System (QAS) nor in the production system (PRD). The system change option, which is displayed using transaction SE06, can be used to set up permissions for development and customizing in an SAP System. All changes to the system change options are recorded. To display the history of the system change option, use transaction SE03. Make sure that only a few administrators can alter the system and client change options.
Figure 98: System Change Recommendations
This shows how to set the system change option within a system landscape. You cannot develop, test, and run production within one SAP System. SAP recommends that you use at least two systems because development activities may interfere with production. It is ideal to have three SAP Systems so that the changes to the client-independent objects can be tested thoroughly without interfering with normal operation. All customizing and development is performed in the development system (DEV). After all changes have been tested, these changes can be transferred to the Quality Assurance System (QAS) for testing using the Transport Management System (TMS). After changes have been transported to QAS, the configuration undergoes more tests to ensure that the configuration does not adversely affect the other modules. When the configuration has been thoroughly tested in this system and signed off by the quality assurance team, the configuration can be transported to other system clients and the production system (PRD). The QAS should be copied periodically from the production system so that realistic data can be used. As a result, the same security level that PRD has should apply to the QAS. The real business processes are performed in PRD, which contains the company’s live data. As a result, the highest security requirements apply to the production system. The other systems in the landscape must guarantee that defective programs or incorrect customizing configurations do not adversely affect the production environment.
The client change option controls the customizing and development functions available in an SAP System client. The client change option does not override the system change option. Instead, the client change option is used to fine-tune the clients’ roles within the SAP environment. To set or check the client change option, use the client maintenance transaction (transaction SCC4). For each client, you can set the change attributes for repository objects and client-independent customizing data independently of the setting for client-dependent customizing. The client maintenance transaction (SCC4) works on table T000. This table may also be maintained using transaction SM30 or SM31, so the protection of table T000 against direct table maintenance is critical. To protect your production client against being overwritten by a client copy, set the protection level in transaction SCC4 to at least level 1 (No overwriting). If you also want to prevent a cross-client comparison, choose level 2 (No overwriting, no external availability). In this case, the client is not available in the customizing cross-system viewer of another system.

Generally, users should not have development, customizing, or debugging authorizations in the production system. Changes should be carried out in the development system. Customizing includes the maintenance of special customizing tables. Because changes to customizing settings directly affect your production environment, the changes should be defined in the development environment and thoroughly tested. To protect customizing in the production system, do not assign table maintenance authorizations. Debugging with replace authorization enables a user to change field values during program execution. For example, a user might change the return value (sy-subrc) of a failed authorization check and bypass the mechanism. As a result, no user should have debugging and replace authorizations in production. Situations may occur where changes must be performed directly in the production system. To perform such emergency changes, define a procedure which ensures that you have supervised control over what happens: give one user temporary change authorizations and make sure that someone approves these changes. After the user has performed the changes, remove the authorization.
Lesson: Development Protection and Security Patches
TMS Authorization
Figure 102: TMS Authorization Concept
Perform the initial configuration of the TMS on each SAP system using client 000, transaction STMS, and user authorization S_CTS_ADMIN. To prevent unauthorized access to an SAP System through the TMS:
• The TMS authorization check is always performed in the target system.
• RFC destinations are generated during setup and cannot be modified.
• An SAP system outside the transport domain may not access systems in the transport domain.
For TMS communication, RFC destinations are generated per target system:
• TMSADM@. For this link, the system creates the user TMSADM in each SAP system, who receives very limited authorizations. This link is used for all read access and for distribution of SAP System information.
• The destination for critical access is calculated at run time from address information stored in the TMS configuration when an SAP System is accepted into the domain. If the authorization of TMSADM is not sufficient, the internal connection automatically triggers a logon screen in the target system, to which a user with greater authorizations logs on. If this procedure is too time-consuming, for example with a large number of SAP Systems, you may give user TMSADM the required authorizations, that is, profile S_A.TMSCFG. If an SAP System in which user TMSADM has greater authorizations is accessed, the logon procedure is suppressed.
Caution: The password of the default user TMSADM must be changed in all systems of an SAP transport management domain at the same time. A tool is provided to assist with changing the TMSADM password in a transport landscape. Systems with releases older than 4.6C should lock the user TMSADM.
See SAP Notes 1488406: Handling the generated user TMSADM, 761637: Logon restrictions prevent TMSADM logon, 1414256: Help tool for changing TMSADM password, and 1486759: Blocking unauthorized access to system using TMSADM to 4.6B
Quality Assurance Approval
Figure 103: TMS Quality Assurance
The TMS QA approval procedure increases the quality and the availability of the production systems by enabling you to check transport requests in the Quality Assurance System before they are delivered to subsequent systems. The system for which the QA approval procedure is activated is called the QA system. When the QA approval procedure is activated, transport requests are only forwarded to the delivery systems if all the QA approval steps have been processed for each request in the QA system and each request has been approved. When you configure the QA system, you determine how many QA approval steps have to be processed for each request. If one check for an approval step is not successful, the entire request cannot be approved. You can only import completely approved requests into the delivery systems. Rejected requests are not imported into the delivery systems of the QA system.
Before you can process change requests in the TMS QA, you must configure the QA approval procedure. Ensure that the system landscape and/or transport domain is set up so that there is at least one development, one quality assurance, and one production system. The system to be configured as the QA system must have the following attributes:
• The system must be the target of at least one consolidation.
• The system must deliver at least one additional system.
In the system attributes for the chosen system, the delivery after confirmation option must be set. In the approval procedure, you can define which users must provide approval so that the transport can be imported into the delivery system. After configuration, the QA worklist is automatically set up. All the requests that are then imported into the QA system are included in the QA worklist.
Figure 105: QA Approval
To display the QA worklist, use transaction STMS and select Overview → Imports → Goto → QA worklist. The date/time at the upper-right portion of the screen indicates when the QA worklist was last updated; the upper-left portion of the screen indicates how many requests still need to be processed. The list displays the change requests corresponding to the selected approval steps. By default, the change requests corresponding to all approval steps are shown. To select the approval step whose corresponding change requests you wish to see, select Worklist → Select approval step. By double-clicking various items in the table listing the change requests, you obtain additional information about those items. The requests in a QA worklist have to be tested before they are imported into the delivery systems. The QA status, Rejected, means that one or more approval steps of a request were rejected by the person approving the requests. A request is only approved if all the approval steps have the status, Approved. Requests can only be imported into the delivery systems if all the requests ready for import have received approval according to the various approval steps. If all the requests for one project have been approved, the requests can be imported into the delivery system even if other projects still have unprocessed or rejected requests in the worklist. Requests with the QA status Rejected and unprocessed requests in the worklist are not imported into the delivery systems.
SAP recommends not rejecting requests containing errors but instead correcting the error using subsequent transports and approving the affected requests as an entire package.
Modification Browser
Figure 106: Modification Browser
An overview of all the modifications and enhancements found in your system can be displayed from the ABAP Workbench by choosing Overview → Modification Browser (SE95). If you enter the number of a transport request in the field Last transport request, the system displays only those objects of the request that were not modified in requests created at a later date. If you enter the request number in the field Request/Task, all the modified objects of the object list are displayed. You can use the Note Assistant to import notes into your system and apply the correction instructions they contain. In the Modification Browser, you can expand a subtree below each note that contains the objects involved in the note correction. Standard objects that are supported by the Modification Assistant during modification or upgrade can be displayed by selecting the With Modification Assistant checkbox. All other objects are listed under the Without Modification Assistant category.
Business Add-Ins provide you with an overview of all the enhancements and modifications taking place in your system. Appends can be append structures, append views, or append search helps. The Color key button displays a list of colors. You can also undo the changes by selecting Reset to original. The Reset to original function can also be used with objects that were modified without using the Modification Assistant. Using this function causes the object to be deleted from the modification overview. If no original is available for the object, it is now treated as an SAP original. Modifications may be lost while upgrading.
Security Patch Management
As with all software and despite thorough testing, ABAP systems may have software bugs that cause functionality issues but may also be security critical. The common method to deliver small software fixes is SAP Notes. For security-critical issues, SAP releases SAP Security Notes. A comprehensive list of all released SAP Security Notes is available in the SAP Service Marketplace Quick Link /securitynotes. Based on feedback from customers and SAP user groups, SAP has launched a regular SAP Security Patch Day, scheduled for the second Tuesday of every month, to ensure that security fixes for all SAP products subject to support through SAP Service Marketplace are available for download. This has the following advantages:
• Better planning for SAP Security Notes implementation with this dedicated, regular schedule
• More efficient review and selection of SAP Security Notes relevant for your organization
• More efficient patching of SAP systems, as it is on the same day as with other software providers
On the SAP Security Patch Day, we provide the fixes in the form of notes on SAP Service Marketplace. Security fixes for SAP NetWeaver based products are also delivered with the support packages of these products. For all notes with high or very high priority we provide this service for the support packages from the last 18 months. See SAP Service Marketplace Quick Link /SecurityPatchDay.
To ensure that required SAP Security Notes are installed on ABAP systems, the following security measures are recommended:
• As a minimum, regularly (at least once a month, in the week after an SAP Security Patch Day) review the SAP EarlyWatch Alert report, which allows you to check if relevant SAP Security Notes are missing. Due to technical restrictions, the report currently cannot check all SAP Security Notes automatically; see SAP Note 888889: Automatic checks for security notes using RSECNOTE. Those notes which are checked automatically are flagged in the list of SAP Security Notes on the SAP Service Marketplace. Implement SAP Security Notes which have not yet been implemented.
• In addition, regularly review the released SAP Security Notes to identify security notes where implementation cannot be checked automatically via SAP EarlyWatch Alert (e.g. SAP Notes with general configuration guidelines).
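The monthly review described above splits the released notes into those the automatic check covers and those that need a manual look. As an added Python example (not an SAP tool, and not the output format of RSECNOTE or the EarlyWatch Alert), the following triage takes a constructed note list and a constructed RSECNOTE-style status map and produces the two work lists plus the 30-day view used in the exercise. The SecurityNote record and the note numbers 99000xx are invented placeholders.

```python
"""Triage SAP Security Notes against an RSECNOTE-style result.

Added example, not an SAP tool. Note numbers, dates and statuses below are
constructed; real note numbers come from the SAP Service Marketplace list.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

PRIORITY_RANK = {"very high": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class SecurityNote:
    number: str           # constructed placeholder, e.g. "9900001"
    priority: str         # "very high", "high", "medium" or "low"
    released: date        # release date shown on the Security Notes list
    auto_checkable: bool  # flagged on the list as checked automatically (RSECNOTE / EarlyWatch Alert)


def _priority_then_age(n: SecurityNote) -> tuple[int, date]:
    # highest priority first; within a priority the oldest (longest outstanding) first
    return (PRIORITY_RANK[n.priority], n.released)


def triage(notes: list[SecurityNote], rsecnote_status: dict[str, str],
           today: date, window_days: int = 30) -> dict[str, list[SecurityNote]]:
    """Split the note list into work items.

    rsecnote_status maps a note number to "implemented" or "missing" for the
    notes the automatic check covers; notes it does not cover are absent.
    Returns:
      "auto_missing":  auto-checkable notes reported as missing, highest priority first
      "manual_review": notes that cannot be checked automatically, highest priority first
      "new":           notes released within the last window_days, newest first
    """
    auto_missing = sorted(
        (n for n in notes if n.auto_checkable and rsecnote_status.get(n.number) == "missing"),
        key=_priority_then_age)
    manual_review = sorted((n for n in notes if not n.auto_checkable), key=_priority_then_age)
    cutoff = today - timedelta(days=window_days)
    new = sorted((n for n in notes if n.released >= cutoff), key=lambda n: n.released, reverse=True)
    return {"auto_missing": auto_missing, "manual_review": manual_review, "new": new}


# Constructed sample data
TODAY = date(2011, 3, 15)
SAMPLE_NOTES = [
    SecurityNote("9900001", "very high", date(2011, 3, 8), True),
    SecurityNote("9900002", "high", date(2011, 2, 8), True),
    SecurityNote("9900003", "medium", date(2011, 3, 8), False),
    SecurityNote("9900004", "high", date(2010, 12, 14), True),
]
SAMPLE_RSECNOTE = {"9900001": "missing", "9900002": "implemented", "9900004": "missing"}

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_NOTES, SAMPLE_RSECNOTE, TODAY).items():
        print(bucket, [f"{n.number} ({n.priority})" for n in items])
```

Notes that the automatic check does not cover never appear in "auto_missing", whatever their status; that is exactly why the second bullet above asks for a separate manual review of the released list.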
Exercise 8: Identify Security Notes to be implemented
Exercise Objectives
After completing this exercise, you will be able to:
• Identify Security Notes to be implemented
Business Example
You need to find out which security notes you need to implement.
Task 1: Use RSECNOTE
Use report RSECNOTE to check security notes that need to be implemented into your system.
1. Execute report RSECNOTE in transaction SA38.
Task 2: Use Security Notes Search on SAP Service Marketplace
Search for security notes on SAP Service Marketplace.
1. Log on to SAP Service Marketplace Quick Link /securitynotes and list security notes from the last 30 days.
Solution 8: Identify Security Notes to be implemented
Task 1: Use RSECNOTE
Use report RSECNOTE to check security notes that need to be implemented into your system.
1. Execute report RSECNOTE in transaction SA38.
a) Log on to your ABAP based system and go to transaction SA38.
b) Enter RSECNOTE as Program and choose Execute. In the resulting list a yellow status says that a note needs to be implemented.
Task 2: Use Security Notes Search on SAP Service Marketplace
Search for security notes on SAP Service Marketplace.
1. Log on to SAP Service Marketplace Quick Link /securitynotes and list security notes from the last 30 days.
a) Open a browser and enter the URL http://service.sap.com/securitynotes.
b) Log on with your S-User.
c) Click on Security Notes Search. You get a list of security notes from the last 30 days.
Lesson: Monitoring Security in SAP Systems
Lesson Overview
This lesson describes how to use the security audit log to monitor SAP Systems. It also describes how to use the User Information System (UIS) in the SAP System. In addition, it describes the Alert Monitor.
Lesson Objectives
After completing this lesson, you will be able to:
• Monitor the SAP System using the Security Audit Log
• Use the User Information System
• Explain the use of the Alert Monitor
Business Example You need to monitor and analyze security in your SAP system.
Overview
SAP systems can become insecure again if previously applied security configurations are reverted or disabled. Security configuration monitoring is therefore recommended to regularly verify applied security configurations (recommended at least once a month). Identified deviations need to be realigned. SAP offers different granularity for security configuration monitoring. To ensure that SAP systems are in a secure state, the following security measures are recommended:
• Define which security configurations must be monitored
• Implement a solution to monitor relevant security configurations and alert in case of deviations
AS ABAP Security Audit Log
The Security Audit Log is a tool designed for auditors who need to take a detailed look at what occurs in the SAP system. By activating the audit log, you keep a record of those activities in AS ABAP-based systems you consider relevant for auditing. This information is recorded daily in an audit file on each application server. To determine what information should be written to this file, the audit log uses filters, which are stored in memory in a control block. When an event occurs that matches an active filter (for example, a transaction start), the audit log generates a corresponding audit message and writes it to the audit file. A corresponding alert is also sent to the CCMS alert monitor. Details of the events are provided in the Security Audit Log's audit analysis report.
The security audit log is only active if you use transaction SM19 to maintain and activate the profiles. In the profile parameter FN_AUDIT, the eight + symbols represent the date, which the system automatically replaces with the current date. If rsau/max_diskspace/per_file is used, the rsau/local/file parameter is no longer valid and is not analyzed; instead, the parameters DIR_AUDIT and FN_AUDIT are used. The rsau/max_diskspace/local parameter specifies the maximum size of the security audit file; when this size is reached, the system stops logging audit events.
The rsau/selection_slots parameter specifies the number of selection units that are set using transaction SM19 and checked by the system during processing. Events that can be recorded include:
• Successful and unsuccessful dialog logon attempts
• Successful and unsuccessful RFC logon attempts
• RFC calls to function modules
• Successful and unsuccessful transaction starts
• Successful and unsuccessful report starts
• Changes to user master records
• Changes to the audit configuration
Caution: The Security Audit Log contains personal information that may be protected by data protection regulations. Before using the Security Audit Log, make sure that you adhere to the data protection laws that apply to your area of application!
To determine what you want to audit, create selection criteria by calling transaction SM19. For each selection criterion that you want to define, select the user, audit classes, client, and security levels. The selection of the security levels specifies the levels of events (audit messages) that you want to include in the audit log. Messages with the chosen level and higher levels are included in the log. For example, if you select low, then all the messages with a security level of low, average, and high are included in the selection. If you select high, then only high-level messages are included. High-level messages describe events where a high-level security risk is involved, such as unauthorized access attempts. All audit events are defined in the system log messages with the prefix AU. You can view the assignment of the events to audit classes and security levels using the system log message maintenance transaction (SE92). You can also modify these definitions. For the client and user entries, you can use * as a wildcard for all clients or users. However, a partially generic entry, such as 0* or ABC*, is not possible. For each selection criterion you want to apply to your audit, place a check mark in the selection active column. After specifying the selection criteria, save the data. For the application server to use the profile at the next server start, select Profile → Activate. The name of the active profile appears in the active profile field.
To determine what you want to audit, create the selection criteria by calling transaction SM19. For each selection criterion that you want to define, select the Client, User names, Audit classes, and Events. The Events selection specifies the levels of events (audit messages) that you want to include in the audit log. Messages with the chosen level and higher levels are included in the log. If you select All, all messages with a security level of low, average, and high are included in the selection. If you select Only critical, only high-level messages are included. The Only Critical option covers the events where a high-level security risk is involved, such as unauthorized access attempts. All audit events are defined in the system log messages with the prefix AU. You can view the corresponding assignment of the events to audit classes and security levels using the system log message maintenance transaction SE92. You can also modify these definitions for your own purposes. For the Client and User names entries, you can use * as a wildcard for all clients or users. However, a partially generic entry, such as 0* or ABC*, is only possible if profile parameter rsau/user_selection is activated. For each selection criterion you want to apply to your audit, place a check mark in the Filter Active column. After specifying the selection criteria, save the data. For the application server to use the profile at the next server start, select Profile → Activate. The name of the active profile appears in the Active profile field.
The security audit log is only active if you use transaction SM19 to maintain and activate the profiles. Set the profile parameters as shown above. To display the profile parameters in transaction SM19, select Environment → Profile parameter. Auditing is activated only if the rsau/enable parameter is set; this can also be achieved by dynamically activating an audit profile in transaction SM19. The profile parameters DIR_AUDIT and FN_AUDIT describe the path and name of the audit files; the eight + symbols represent the date, which the system automatically replaces with the current date. The rsau/max_diskspace/per_file parameter specifies the maximum size of one security audit file; when this size is reached, the system creates the next file. For example, you could restrict the size to 650 MB so that one file fits on one CD during archiving. The rsau/selection_slots parameter specifies the number of selection units that are set using transaction SM19 and checked by the system during processing. If rsau/max_diskspace/per_file is set to 0, the parameters rsau/local/file and rsau/max_diskspace/local are valid and are analyzed.
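The parameter precedence described above (rsau/max_diskspace/per_file decides whether DIR_AUDIT/FN_AUDIT or rsau/local/file applies, and rsau/enable decides whether auditing survives a restart) is easy to get wrong when editing DEFAULT.PFL by hand. The following Python example is added here and is not an SAP tool: it parses a constructed DEFAULT.PFL excerpt, resolves the effective audit file name for a given date, and reports the findings a reviewer would raise. The "key = value" syntax, "#" as comment marker, the K/M/G size suffixes and the YYYYMMDD date format substituted for the eight + signs are assumptions of this example, and missing parameters are treated as 0.

```python
"""Validate Security Audit Log parameters in a DEFAULT.PFL-style profile.

Added example, not an SAP tool. The profile excerpt is constructed; the
precedence rule implemented is the one described in the lesson:
  rsau/max_diskspace/per_file > 0 -> DIR_AUDIT/FN_AUDIT are used, rsau/local/file is ignored
  rsau/max_diskspace/per_file = 0 -> rsau/local/file and rsau/max_diskspace/local apply
"""
from __future__ import annotations

import posixpath
from datetime import date

SAMPLE_PROFILE = """\
# constructed excerpt of a DEFAULT.PFL
SAPSYSTEMNAME = DEV
rsau/enable = 1
rsau/selection_slots = 10
rsau/max_diskspace/per_file = 650M
DIR_AUDIT = /usr/sap/DEV/SYS/global/audit
FN_AUDIT = audit_++++++++
rsau/local/file = /usr/sap/DEV/D00/log/audit_00
rsau/max_diskspace/local = 1000000
"""


def parse_profile(text: str) -> dict[str, str]:
    """Parse 'key = value' lines; '#' starts a comment (assumption for this example)."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def parse_size(value: str) -> int:
    """Size in bytes: plain digits are bytes; K/M/G suffixes (as in '650M') are assumed binary units."""
    units = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
    v = value.strip().upper()
    if v and v[-1] in units:
        return int(v[:-1]) * units[v[-1]]
    return int(v or "0")


def audit_file_name(fn_audit: str, today: date) -> str:
    """Replace the eight '+' signs with the date (YYYYMMDD is this example's assumption)."""
    return fn_audit.replace("++++++++", today.strftime("%Y%m%d"))


def audit_config(params: dict[str, str], today: date, filters_needed: int = 1) -> dict:
    """Return the effective audit settings plus the findings a reviewer would raise."""
    findings: list[str] = []
    enabled = params.get("rsau/enable") == "1"
    if not enabled:
        findings.append("rsau/enable is not 1: the audit log is off after the next restart "
                        "unless a profile is activated dynamically in SM19")
    per_file = parse_size(params.get("rsau/max_diskspace/per_file", "0"))
    if per_file > 0:
        path = posixpath.join(params.get("DIR_AUDIT", ""),
                              audit_file_name(params.get("FN_AUDIT", ""), today))
        max_size = per_file
        if "rsau/local/file" in params:
            findings.append("rsau/local/file is set but ignored because rsau/max_diskspace/per_file > 0")
    else:
        path = params.get("rsau/local/file", "")
        max_size = parse_size(params.get("rsau/max_diskspace/local", "0"))
        findings.append("rsau/max_diskspace/per_file is 0: logging stops once rsau/max_diskspace/local is reached")
    slots = int(params.get("rsau/selection_slots", "0"))
    if slots < filters_needed:
        findings.append(f"rsau/selection_slots = {slots} but {filters_needed} SM19 filters are needed")
    return {"enabled": enabled, "file": path, "max_size": max_size, "slots": slots, "findings": findings}


if __name__ == "__main__":
    cfg = audit_config(parse_profile(SAMPLE_PROFILE), date.today(), filters_needed=2)
    print(f"audit enabled: {cfg['enabled']}, file: {cfg['file']}, max size: {cfg['max_size']} bytes")
    for f in cfg["findings"]:
        print("finding:", f)
```

Run it against the profile before the restart in step 4 of the exercise: the first finding it raises on the sample is the leftover rsau/local/file entry, which does nothing while per-file sizing is active.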
The security audit log produces a report on the activities that have been recorded in the audit file. You can analyze a local server, a remote server, or all the servers in your SAP system. To display the initial screen, call transaction SM20 or, starting with Release 6.10, transaction SM20N. It is designed similar to the system log (transaction SM21). The following information is provided:
• Time
• Work process
• Client
• User
• Transaction code
• Terminal ID
• Message number
• Text describing event
The time, user ID, and transaction code are displayed in the audit log. In this example, you can identify the terminal ID and track the hacker. The text provides the reason for unsuccessful logon. For additional information, see SAP Note 173743: SecAudit: Changing parameters does not perform.
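The analysis above is done by eye in SM20; the same columns can be scanned programmatically for the pattern an attacker's repeated logon attempts leave behind. The following Python example is added here and is not an SAP tool: it parses constructed, pipe-delimited entries that mirror the SM20 columns listed above (the real report is not pipe-delimited; the message texts are invented) and raises an alert when one terminal produces several failed logons (message AU2) in a short window, and a second alert when a successful logon (AU1) from that terminal follows them. The thresholds, the AuditEntry record and the function names are this example's choices.

```python
"""Scan Security Audit Log entries for suspicious logon patterns.

Added example, not an SAP tool. The entries are constructed to mirror the
columns the SM20 report shows (time, work process, client, user, transaction,
terminal, message number, text); the real report is not pipe-delimited.
AU2 is the audit message number for a failed logon, AU1 for a successful one.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2011-03-01 08:00:01|DIA 2|100|JSMITH|SESSION_MANAGER|PC-4711|AU2|Logon Failed (type = dialog)
2011-03-01 08:00:09|DIA 2|100|JSMITH|SESSION_MANAGER|PC-4711|AU2|Logon Failed (type = dialog)
2011-03-01 08:00:17|DIA 3|100|JSMITH|SESSION_MANAGER|PC-4711|AU2|Logon Failed (type = dialog)
2011-03-01 08:00:25|DIA 2|100|JSMITH|SESSION_MANAGER|PC-4711|AU2|Logon Failed (type = dialog)
2011-03-01 08:00:40|DIA 2|100|JSMITH|SESSION_MANAGER|PC-4711|AU1|Logon Successful (type = dialog)
2011-03-01 08:05:00|DIA 1|100|MMUSTER|SESSION_MANAGER|PC-0815|AU2|Logon Failed (type = dialog)
2011-03-01 08:05:30|DIA 1|100|MMUSTER|SESSION_MANAGER|PC-0815|AU1|Logon Successful (type = dialog)
"""


@dataclass(frozen=True)
class AuditEntry:
    time: datetime
    work_process: str
    client: str
    user: str
    tcode: str
    terminal: str
    msg_no: str
    text: str


def parse_entries(text: str) -> list[AuditEntry]:
    """Parse the constructed pipe-delimited format into AuditEntry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, wp, client, user, tcode, term, msg, txt = line.split("|", 7)
        entries.append(AuditEntry(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
                                  wp, client, user, tcode, term, msg, txt))
    return entries


def find_logon_alerts(entries: list[AuditEntry], failures: int = 3,
                      window: timedelta = timedelta(minutes=5)) -> list[str]:
    """Return alert strings for
    (a) at least `failures` AU2 entries from one terminal within `window`, and
    (b) an AU1 success from a terminal that produced at least `failures` AU2 entries
        in the window before it (a password may have been guessed rather than mistyped).
    """
    alerts: list[str] = []
    recent: dict[str, deque] = defaultdict(deque)   # terminal -> times of recent failed logons
    burst_reported: set[str] = set()
    for e in sorted(entries, key=lambda x: x.time):
        q = recent[e.terminal]
        while q and e.time - q[0] > window:       # drop failures outside the window
            q.popleft()
        if e.msg_no == "AU2":
            q.append(e.time)
            if len(q) >= failures and e.terminal not in burst_reported:
                alerts.append(f"{e.time:%H:%M:%S} {e.terminal}: {len(q)} failed logons within {window}")
                burst_reported.add(e.terminal)
        elif e.msg_no == "AU1":
            if len(q) >= failures:
                alerts.append(f"{e.time:%H:%M:%S} {e.terminal}: user {e.user} logged on after {len(q)} failures")
            q.clear()                               # a success ends the current burst
            burst_reported.discard(e.terminal)
    return alerts


if __name__ == "__main__":
    for alert in find_logon_alerts(parse_entries(SAMPLE_LOG)):
        print(alert)
```

Keying the burst on the terminal ID rather than the user name is deliberate: in the sample, the single mistyped password from PC-0815 raises nothing, while PC-4711 is reported twice, once for the burst and once for the logon that followed it.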
AS Java Security Audit Log
The security audit log of the SAP NetWeaver AS Java contains a log of important security events, such as successful and failed user logons, and the creation or modification of users, groups and roles. Auditors use this information to track changes made in the system. By default the log files are available at /usr/sap///j2ee/cluster/serverX/security_audit.X.log.. They can be viewed with SAP NetWeaver Administrator, Visual Administrator and Log Viewer.
For more information see SAP NetWeaver online Documentation, path SAP NetWeaver Library → SAP NetWeaver by Key Capability → Security → System Security → System Security for AS Java Only → Security Audit Log of the AS Java.
Figure 113: User Information System: What is monitored?
You can use the User Information System (transaction SUIM) to obtain an overview of the authorizations and users in your SAP system at any time using search criteria that you define. In particular, you can display lists of users to whom authorizations classified as critical are assigned. Hint: To explicitly search for authorizations that contain the full authorization asterisk (*), you need to enter a number sign (#) before the asterisk, that is, search for #*. Otherwise, the system searches for any values.
You can also use the User Information System to:
• Compare roles and users
• Display change documents for the authorization profile of a user
• Display the transactions contained in a role
• Create where-used lists
Note: We recommend that you regularly check the various lists that are important for you. Define a monitoring procedure and corresponding checklists to make sure that you continually review your authorization plan. We especially recommend you determine which authorizations you consider critical and regularly review which users have these authorizations in their profiles.
Access the user information system by calling transaction SUIM. You can find the elements of the authorization system using different selection criteria.
Figure 114: User Information System: Transaction SUIM
You can get an overview of user master records, authorization, profiles, roles, and change dates.
You can display lists to answer various questions. For example:
• What authorization rights are assigned to the users?
• What changes have been made to the authorization profile of a user?
• Which roles contain a particular transaction?
You can also use special reports to access the various information directly, such as:
• RSUSR004: Restrict User Values to the Following Simple Profiles and Authorization Objects
• RSUSR007: List Users Whose Address Data is Incomplete
• RSUSR008_009_NEW: With Critical Authorizations (New Version). This report replaces the reports RSUSR008 and RSUSR009; you can continue to use the old programs RSUSR008 and RSUSR009 until SAP Web AS 6.40.
Other selections available in transaction SUIM include:
• Search authorizations, profiles, and users with specified object
• Profiles by Complex Selection Criteria
• Authorizations by Complex Selection Criteria
• Authorization Objects by Complex Selection Criteria
• Comparisons
• Where-used lists
• Enter Authorization Fields
• Change Documents for Users
• Change Documents for Profiles
• Change Documents for Authorizations
• List of Users According to Logon Date and Password Change
• Set external security Name for All Users
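The hint above about searching for #* rather than * is the crux of any "who holds the full authorization" check: a bare * in the selection is a wildcard and matches every value, so only the escaped form finds the users whose authorization value is literally *. As an added Python example (not SAP code, and not SUIM's implementation), the following reproduces that selection semantics over constructed authorization records and applies it to a small list of critical selections of the kind the note above asks you to define. The AuthValue record, the CRITICAL_SELECTIONS list and the user names are invented; treating # as an escape for characters other than * is this example's generalization.

```python
"""Find users holding a given authorization value, with SUIM-style wildcards.

Added example, not SAP code. In the selection value '*' is a wildcard, and '#'
escapes the character after it, so '#*' searches for the literal full
authorization '*' (the hint in the lesson). The records are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthValue:
    user: str
    obj: str     # authorization object, e.g. S_TABU_DIS
    field: str   # authorization field, e.g. DICBERCLS
    value: str   # value as held in the user's authorization


def selection_to_regex(selection: str) -> re.Pattern:
    """Translate a selection value into a regex used with fullmatch().

    '*' matches any string; '#x' matches the literal character x. Only '#*'
    is taken from the lesson; escaping other characters is this example's choice.
    """
    parts = []
    i = 0
    while i < len(selection):
        ch = selection[i]
        if ch == "#" and i + 1 < len(selection):
            parts.append(re.escape(selection[i + 1]))
            i += 2
            continue
        parts.append(".*" if ch == "*" else re.escape(ch))
        i += 1
    return re.compile("".join(parts))


def users_with_value(records: list[AuthValue], obj: str, field: str, selection: str) -> list[str]:
    """Sorted user names whose value for obj/field matches the selection."""
    pattern = selection_to_regex(selection)
    return sorted({r.user for r in records
                   if r.obj == obj and r.field == field and pattern.fullmatch(r.value)})


# Constructed critical selections; define your own list for a real review.
CRITICAL_SELECTIONS = [
    ("full table maintenance authorization group", "S_TABU_DIS", "DICBERCLS", "#*"),
    ("table maintenance groups starting with S", "S_TABU_DIS", "DICBERCLS", "S*"),
]


def critical_report(records: list[AuthValue], selections=CRITICAL_SELECTIONS) -> dict[str, list[str]]:
    """Map each critical selection's description to the users matching it."""
    return {desc: users_with_value(records, obj, field, sel) for desc, obj, field, sel in selections}


# Constructed sample: table maintenance authorization group (S_TABU_DIS / DICBERCLS)
SAMPLE_AUTHS = [
    AuthValue("ALICE", "S_TABU_DIS", "DICBERCLS", "*"),
    AuthValue("BOB", "S_TABU_DIS", "DICBERCLS", "SS"),
    AuthValue("CAROL", "S_TABU_DIS", "DICBERCLS", "S*"),
    AuthValue("DAVE", "S_TABU_DIS", "ACTVT", "03"),
]

if __name__ == "__main__":
    print("selection '*' :", users_with_value(SAMPLE_AUTHS, "S_TABU_DIS", "DICBERCLS", "*"))
    print("selection '#*':", users_with_value(SAMPLE_AUTHS, "S_TABU_DIS", "DICBERCLS", "#*"))
    for desc, users in critical_report(SAMPLE_AUTHS).items():
        print(f"{desc}: {users}")
```

Note the asymmetry the sample exposes: CAROL's value "S*" is itself a generic authorization value, so she is found by the selection S* but not by #*, which matches only the unrestricted value held by ALICE.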
Use the system trace transaction ST01 to track several types of operations in an SAP System. The following components can be monitored using the SAP system trace:
The last four components can also be monitored using performance analysis (transaction ST05). There are two ways of selecting what traces you want displayed. On the initial screen, select the components to be logged and additional filters if required. You can reuse the filters and restrictions from the traces that have these settings when the traces are evaluated. You should start tracing by setting the trace options that you need in the trace options screen. If you start from the set menu on the main screen, then your trace includes all the active users, which can affect the system performance.
The system trace function only traces the internal SAP System activity of the local application server to which you are currently logged on. The system trace function only works if it can write at operating system level to the trace file in the instance log directory, for example, /usr/sap/DVEBMGS00/log. Ensure that there is enough disk space and access authorizations are set correctly. If you want to protect a trace from being overwritten later, choose Goto -> Save from the menu. On the next screen, you can create a short text for a trace and choose whether the new file that is created specifically for this trace should be automatically created or whether you want to specify a file name yourself. If you do not specify an absolute path, a file of this name is created in the log directory. In the case of automatic file creation, the system determines the file name and stores the file in the log directory. The advantage of this is that, unlike a manually created file, the F4 help can be used to search for the file from the analysis screen. Note: If you choose automatic creation, you can delete the file again in this transaction (use the (Delete) button on the analysis screen). This is not possible if you specify a file name. If you want to delete this kind of file, you have to do so at operating system level. To display a trace, select Analyze. You can obtain more information about any entry by selecting the entry.
Figure 116: Alert Monitor: Administrator Concerns Now
The monitoring architecture, a solution within SAP NetWeaver, centrally monitors any IT environments - from individual systems through networked SAP NetWeaver solutions, to complex IT landscapes incorporating several hundred systems. It is provided in SAP NetWeaver and can be used immediately after installation. You can easily extend the architecture to include SAP and non-SAP components. Alerts form a central element of monitoring. They quickly and reliably report errors such as values exceeding or falling below a particular threshold value or that an IT component has been inactive for a defined period of time. These alerts are displayed in the Alert Monitor; this reduces the workload for the system administration, since they now only need to watch the error messages, instead of endless system data. The Alert Monitor is therefore the central tool with which you can efficiently administer and monitor distributed SAP NetWeaver solutions or client/server systems. The Alert Monitor displays problems quickly and reliably. This ensures that the appropriate analysis tool is used at the right time.
The Alert Monitor uses thresholds and rules to generate alerts whenever an abnormal condition occurs in your SAP System or its environment. Alerts direct your attention to critical situations. The Alert Monitor reports alerts up through the monitoring tree. The color of a monitoring tree element (MTE) always represents the highest alert in all MTEs in its branch.
• The open alerts view shows what has happened in the system since it was last checked.
• The current status view shows the most recent values.
• The display alert view shows the history of the alert values.
Any problems or errors are displayed in red. Warnings are displayed in yellow. Green means that, according to the threshold values, there are no problems. You can use properties to customize the threshold values for red and yellow alerts. To start the analysis tool, double-click the alert text that you want to analyze. To display information about certain types of alerts, select the check box next to the alert and then choose display detailed Alerts. The complete Alert button resets the alerts displayed on the screen.
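The propagation rule stated above (an MTE shows the highest alert anywhere in its branch) together with the red/yellow thresholds is small enough to write down exactly. The following Python example is added here and is not SAP code: it builds a constructed Security-style monitoring tree, rates each attribute node from its own thresholds (value at or above the yellow or red threshold, or a component inactive for longer than allowed), and propagates the highest color upward. The Mte record, its field names and all values and thresholds are this example's assumptions.

```python
"""Propagate alert colors up a CCMS-style monitoring tree.

Added example, not SAP code. The tree, thresholds and values are constructed;
the rule implemented is the one stated in the lesson: a monitoring tree element
shows the highest alert found anywhere in its branch.
"""
from __future__ import annotations

from dataclasses import dataclass, field

GREEN, YELLOW, RED = 0, 1, 2
COLOR_NAME = {GREEN: "green", YELLOW: "yellow", RED: "red"}


@dataclass
class Mte:
    name: str
    value: float | None = None          # measured value of an attribute node (None for summary nodes)
    yellow_at: float | None = None      # value at or above which a yellow alert is raised
    red_at: float | None = None         # value at or above which a red alert is raised
    age_seconds: int | None = None      # time since the attribute last reported
    inactive_after: int | None = None   # inactivity (seconds) that counts as an error
    children: list[Mte] = field(default_factory=list)


def own_color(mte: Mte) -> int:
    """Color from the node's own thresholds only (summary nodes are green by themselves)."""
    color = GREEN
    if (mte.inactive_after is not None and mte.age_seconds is not None
            and mte.age_seconds > mte.inactive_after):
        color = RED                                   # component inactive for too long
    if mte.value is not None:
        if mte.red_at is not None and mte.value >= mte.red_at:
            color = max(color, RED)
        elif mte.yellow_at is not None and mte.value >= mte.yellow_at:
            color = max(color, YELLOW)
    return color


def branch_color(mte: Mte) -> int:
    """Highest alert in the node and everything below it."""
    return max([own_color(mte)] + [branch_color(c) for c in mte.children])


def render(mte: Mte, depth: int = 0) -> list[str]:
    """Indented lines 'name: color' for the whole tree, as the Alert Monitor would show it."""
    lines = [f"{'  ' * depth}{mte.name}: {COLOR_NAME[branch_color(mte)]}"]
    for c in mte.children:
        lines.extend(render(c, depth + 1))
    return lines


# Constructed sample tree (names, values and thresholds are invented)
SAMPLE_TREE = Mte("Security", children=[
    Mte("Logon", children=[
        Mte("Failed logons / 10 min", value=7, yellow_at=3, red_at=6),
        Mte("RFC logon failures", value=0, yellow_at=3, red_at=6),
    ]),
    Mte("Audit log", children=[
        Mte("Audit file writer", age_seconds=900, inactive_after=600),
    ]),
    Mte("Users", children=[
        Mte("Locked users", value=2, yellow_at=5, red_at=20),
    ]),
])

if __name__ == "__main__":
    print("\n".join(render(SAMPLE_TREE)))
```

Because a summary node only inherits, lowering a red branch back to green requires fixing (or re-thresholding) every red attribute beneath it, which is why the root of the sample stays red even though "Users" is green.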
Exercise 9: Configure and Use the Security Audit Log
Exercise Objectives
After completing this exercise, you will be able to:
• Configure and use the Security Audit Log of AS ABAP
• Use the Security Audit Log of AS Java
Business Example
You need to monitor system security.
Task 1: Security Audit Log of AS ABAP
Configure and use the Security Audit Log.
1. Set up the Security Audit Log for your system. The Security Audit Log should trace incorrect logon attempts for all users and all security-relevant actions of one single user (you can choose your own user ID).
2. Now try to log on with an incorrect password. What can you see in the Security Audit Log (SM20N)?
3. Is an alert raised in one of the security alert monitors (RZ20)?
4. Permanently activate the Security Audit Log by setting the profile parameter rsau/enable to 1 (transaction RZ10). You need to restart the system to activate the changes.
Hint: If you like, you can edit the DEFAULT.PFL directly on operating system level. There is a file provided in the training share folder ADM960_72/SecurityAuditLog/ for copy and paste.
Caution: When using the helper file, remember to reload the profiles with transaction RZ10 afterwards: Utilities → Import profiles → Of active servers.
Task 2: Security Audit Log of AS Java
Analyze the AS Java Security Audit Log of your training system.
1. In the SAP NetWeaver Administrator (NWA) display the security_x.log.
Hint: As of AS Java audit information is written to the separate log file security_audit_x.log.
Result
You displayed the AS Java security audit log.
Solution 9: Configure and Use the Security Audit Log
Task 1: Security Audit Log of AS ABAP
Configure and use the Security Audit Log.
1. Set up the Security Audit Log for your system. The Security Audit Log should trace incorrect logon attempts for all users and all security-relevant actions of one single user (you can choose your own user ID).
a) Log on to your SAP system and go to transaction SM19.
b) Choose Create and enter a Profile name, for example PROFILE1. Choose Continue.
c) Select Filter active. Enter the Client and your User ID. Select all Audit classes.
d) Choose the Filter 2 tab.
e) Select Filter active.
f) Select the Audit classes Dialog Logon and RFC/CPIC Logon. Deselect Other events. From the Events drop-down select Only Critical.
g) Choose Save.
h) Confirm the popup with Yes.
i) Choose Activate. If you look at the Dynamic configuration tab, you can see that the profile is already active on all instances of your system. To make these settings permanent, you need to set the profile parameter rsau/enable to 1 and restart the system (see step 4).
2. Now try to log on with an incorrect password. What can you see in the Security Audit Log (SM20N)?
a) Start the logon screen of your SAP system and enter any user and password combination that will probably not work. Repeat this several times with different data.
b) Now log on to your SAP system with your user and go to transaction SM20N.
c) Click on the system ID on the left and choose Reread Audit Log. In the log you should see Logon Failed ... messages from the user ID you entered before. In addition you should see many messages for your user.
3. Is an alert raised in one of the security alert monitors (RZ20)?
a) Go to transaction RZ20.
b) Expand the SAP CCMS Monitor Templates tree and double-click the Security monitor.
c) Expand the trees until you see the Logon monitor attribute. You should see a red alert with a Logon Failed ... message.
4. Permanently activate the Security Audit Log by setting the profile parameter rsau/enable to 1 (transaction RZ10). You need to restart the system to activate the changes.
Hint: If you like, you can edit the DEFAULT.PFL directly on operating system level. There is a file provided in the training share folder ADM960_72/SecurityAuditLog/ for copy and paste.
Caution: When using the helper file, remember to reload the profiles with transaction RZ10 afterwards: Utilities → Import profiles → Of active servers.
a) First look up the current values of the profile parameters you want to change. Go to transaction RZ11 and enter the Param. Name, for example rsau/enable. Choose Display. Note the Current value.
b) To change the parameters in the SAP system, go to transaction RZ10. Using the F4 help, select DEFAULT as Profile, select Extended Maintenance and choose Change.
c) To add a new parameter choose Create. Enter the Parameter name, for example rsau/enable. Enter the Parameter val., for example 1. Choose Copy twice and Back. Ignore the incorrect warning that the parameter is not set identically on all servers.
d) In the parameter list choose Copy and Back.
e) Choose Save and in the popup choose No. In the Activate profile popup choose Yes. Then Continue twice.
f) Now restart your SAP system. First stop the Dialog Instance and afterwards the Central Instance. Start in the opposite order. Log on to operating system level of your SAP system and double-click the desktop shortcut SAP System Management Console. In the new window right-click one instance of your system and choose Stop. After it is stopped, right-click and choose Start.
g) After the system is started again, log on and check in SM19 whether the Security Audit Log is running.
Task 2: Security Audit Log of AS Java
Analyze the AS Java Security Audit Log of your training system.
1. In the SAP NetWeaver Administrator (NWA) display the security_x.log.
Hint: As of AS Java audit information is written to the separate log file security_audit_x.log.
a) Start the NWA by calling the URL http://:/nwa, e.g. http://twdf1234.wdf.sap.corp:51000/nwa and log on with user -00.
b) Navigate to System Management → Monitoring → Logs and Traces and select Expert from the