ADM960

SAP NetWeaver Application Server

Security

.
.
PARTICIPANT HANDBOOK
INSTRUCTOR-LED TRAINING
.
Course Version: 19
Course Duration: 5 Day
e-book Duration: 12 Hours 10 Minutes
Material Number: 50151215
SAP Copyrights, Trademarks and Disclaimers

© 2019 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/
corporate-en/legal/copyright/index.epx for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software
vendors.
National product specifications may vary.
This course may have been machine translated and may contain grammatical errors or inaccuracies.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without
notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which
speak only as of their dates, and they should not be relied upon in making purchasing decisions.
Typographic Conventions

American English is the standard used in this handbook.

The following typographic conventions are also used.

This information is displayed in the instructor’s presentation

Demonstration

Procedure

Warning or Caution

Hint

Related or Additional Information

Facilitated Discussion

User interface control Example text

Window title Example text

© Copyright. All rights reserved. iii

© Copyright. All rights reserved. iv
Contents

vii Course Overview

1 Unit 1: Security Overview

2 Lesson: Evaluating Security Concepts

6 Lesson: Outlining the Security Roadmap
18 Lesson: Describing the Training Environment

24 Unit 2: NetWeaver AS Components and Communication Mechanisms

25 Lesson: Determining the Key Points of Network Security

32 Lesson: Installing and Configuring SAProuter
40 Lesson: Installing and Configuring SAP Web Dispatcher

56 Unit 3: NetWeaver AS Security Operations

58 Lesson: Explaining the Secure Store

68 Lesson: Explaining Secure Storage in File System
72 Lesson: Outlining Authorizations and Security Policies
87 Lesson: Managing Users in SAP Systems
103 Lesson: Securing the Message Server and the Internet
Communication Manager (ICM)
112 Lesson: Securing the SAP GUI
117 Lesson: Monitoring SAP Systems Security
130 Lesson: Describing Application Lifecycle Management
137 Lesson: Segregating System Administration Duties
139 Lesson: Managing Transport Management System Users
141 Lesson: Monitoring Security with SAP Solution Manager

152 Unit 4: Basics of Authentication and Single Sign-On

153 Lesson: Discussing Authentication for SAP NetWeaver AS

157 Lesson: Discussing Authentication for SAP Netweaver AS Java
161 Lesson: Discussing Single Sign-On with Active Directory
166 Lesson: Discussing Single Sign-On with SAP Logon Tickets

174 Unit 5: RFC Security

175 Lesson: Securing the RFC Gateway

187 Lesson: Enabling SNC for SAP NetWeaver AS ABAP
205 Lesson: Reducing the Attack Surface: RFC Communication and
Unified Connectivity

© Copyright. All rights reserved. v

 215 Unit 6: Secure Sockets Layer (SSL)

216 Lesson: Discussing SSL for SAP

225 Lesson: Discussing SSL for SAP Management Console
227 Lesson: Discussing SSL for SAP NetWeaver AS ABAP
235 Lesson: Discussing SSL for SAP NetWeaver AS Java

241 Unit 7: Integration B2B

242 Lesson: Discussing Process Integration and Orchestration

247 Lesson: Discussing Web Services Security in ABAP

254 Unit 8: Infrastructure

255 Lesson: Protecting Operative System Security

258 Lesson: Protecting Database Security

© Copyright. All rights reserved. vi

Course Overview

TARGET AUDIENCE
This course is intended for the following audiences:

Technology Consultant

© Copyright. All rights reserved. vii

© Copyright. All rights reserved. viii
 UNIT 1 Security Overview

Lesson 1
Evaluating Security Concepts 2

Lesson 2
Outlining the Security Roadmap 6

Lesson 3
Describing the Training Environment 18

UNIT OBJECTIVES

Evaluate computer security and major sources of threats

Identify challenges and solutions for the implementation of infrastructure security

Identify and locate the different instances available

© Copyright. All rights reserved. 1

 Unit 1
Lesson 1
Evaluating Security Concepts

LESSON OVERVIEW
This lesson describes the security threats to a system and its security safeguards. This lesson
also explains how to categorize security measures (IT-based and Environment-based) to
secure the system environment from the many different risk categories.

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Evaluate computer security and major sources of threats

Security Requirements

Figure 1: The Big Picture

Safeguards, threats, and goals are closely related. Threats compromise certain security
goals, and safeguards protect your system against these threats. Thus, when implementing
security, you need to consider the safeguards regarding the goals and the threats.
Security requirements arise due to the following reasons:

Government Regulations
For example, in the USA the SOX legal framework establishes disclosure obligations for
organizations’ financial statements. More recently in EU countries, GDPR regulation had
a major impact regarding how sensitive data should be handled.
Protection of Intellectual Property
For example, pharmaceutical companies and formulas for innovative drugs.
Trust Relationship between Business Partners
For example, legally binding documents — such as a purchase order sent electronically.
Continuous Business Operations

© Copyright. All rights reserved. 2

 Lesson: Evaluating Security Concepts

For example, the availability of an uninterrupted power supply.

Protection of Image
For example, a leak of internal mails with derogatory comments about individuals or
organizations.
Human Behavior
For example, someone discloses their account and password to a helpful neighbor.

Security can optimize administration processes in the following ways:

Increase efficiency through Single Sign-On.

For example, less user password unlock/ reset help-desk tickets.

Enforce trust and accountability with Digital Signatures.

For example, ensure the authenticity of an IRS declaration.

Figure 2: Threats and Goals

The threats shown in the figure above are only a subset of known threats. A major source for
security concern is social engineering, where sensitive information is exposed casually or
picked up without going through the correct channels. For example, being asked to disclose
your user and password.

IT Security Goals
The following goals are achieved through IT security measures:

Availability

Authentication

Authorizations

Confidentiality

Integrity

© Copyright. All rights reserved. 3

Unit 1: Security Overview

Non-repudiation

In detail, these goals entail the following:

Availability
Availability ensures that the users can access their resources whenever they need them.
When determining requirements regarding the availability of resources, you should
consider the costs that result from unplanned downtime. For example, loss of customers,
costs for unproductive employees, and overtime. Some damage cannot be fully factored
in terms of money, such as loss of reputation (for example, a website-defacing attack,
with some embarrassing content).
Authentication
Authentication determines the real identity of the user. You can use the following
authentication mechanisms:

Authentication using user ID and password

Authentication using a smart card

Authentication using a smart card and PIN

Authentication using Single Sign-On mechanisms

Authorization
Authorization defines the rights and privileges of the identified user. It also determines
the functions that a user can access. The application must be programmed to check
whether a user is authorized before that user can access a function. For example, update
your own IBAN number, but not your colleague’s IBAN. Within SAP’s current context,
application authorizations can be determined in the application layer or database layer
(more relevant for HANA-based systems).
Confidentiality
Confidentiality ensures that the user’s history and communication is kept confidential.
Information and services need to be protected from unauthorized access. The
authorizations to read, change, or add information or services, must be granted explicitly
to only a few users and other users must be denied access. If you post something on the
Internet, the confidentiality of information is at risk. For example, access to your tax
records.
Integrity
Integrity ensures that the user information, which has been transmitted or stored, has
not been altered. Programs and services should execute successfully and provide
accurate information. Thus, people, programs, or hardware components should not
modify programs and services. For example, a signed contract.
Non-repudiation
Repudiation is the process of denying that you have done something. Whereas, non-
repudiation ensures that people cannot deny their actions. Non-repudiation allows you to
successfully conduct legally binding business transactions. For example, submitting a
bank payment order electronically.

Environmental Security Concepts, Threats, and Goals

Security does not only refer to system attacks. The human factor is also a major concern for a
comprehensive approach to security. Many of the goals are common to system security
threats, but other goals will also be relevant, focusing mainly on mitigation strategies for risk
and the ability to provide an audit trail.

© Copyright. All rights reserved. 4

 Lesson: Evaluating Security Concepts

Accountability
Such as, who performed an action that had a negative impact in the organization?
For example, a sales operation made with an abnormally high discount.

Compliance
Such as, who identified the risks (or their absence) for specific business processes? Who sets
the limit for small purchases that can be performed without approvals? Who makes the
decision of whether or not to implement a mitigation control?
For example, a periodic review of small purchases, their frequency, their accumulated
amount, and so on.
The following are examples of environmental threats. They are not focused on in this training,
but they should not be neglected due to their potential impact in the IT landscape.

Accidents
This can range from hardware failure to random events. For example, a trainee that
doesn’t properly classify accounting documents, leading to non-compliant profit and loss
reports. Or a construction worker that accidentally cuts a fiber-optic cable.
Natural Disasters
Environmental threats that might compromise the availability of the system. For
example, a flood that forces an electrical grid shutdown.
Fraud
An unauthorized person gains access to a system with stolen accounts and passwords,
or performs activities that they are not meant to do through excessive authorizations. For
example, changing their own basic wage.
Infrastructure
Environmental threats that might compromise the availability of the system. For
example, the absence of a proper cooling system that forces a server to power off.
Errors
This can range from improper training to simple random sporadic events. For example,
an accounting clerk that doesn’t properly classify accounting documents, leading to non-
compliant profit and loss reports that trigger a fine from the tax authority.
Procedures
The different ways to conduct any system activity, from development (for example, no
proper source code quality checks, which leads to functions being vulnerable to code
injections) to normal operations (for example, unrestricted access to websites where you
can download “infected” software).

LESSON SUMMARY
You should now be able to:

Evaluate computer security and major sources of threats

© Copyright. All rights reserved. 5

 Unit 1
Lesson 2
Outlining the Security Roadmap

LESSON OVERVIEW
The purpose of this lesson is to raise awareness about the many topics that a Security
Administrator needs to address and to point out some of the solutions SAP can provide.

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Identify challenges and solutions for the implementation of infrastructure security

Password Policy

Figure 3: Securing the IT Landscape: The What and How

A security roadmap requires a two-step analysis:

What do you need to protect?

How can you protect your vulnerable spots?

Figure 4: Implementing a Password Policy

© Copyright. All rights reserved. 6

 Lesson: Outlining the Security Roadmap

SAP systems provide different options for enforcing robust choices. For many years the
major concern was the application layer, but with the introduction of products like SAP S/
4HANA it's now common to find information consumers connecting directly to the database.

Figure 5: Password Policy Parameters for SAP NetWeaver AS ABAP 7.52

Complexity Rules
For example, system parameters and policies that set the mandatory use of capitals,
digits, and other characters, for all users or for distinct users.
Expiration Rules
For example, the concept of common or technical users (such as, the dialog or system
user in ABAP), and the parameters or policies that allow the system to enforce those
rules.
Reusability Rules (Password History)
For example, parameters that prevent a user from reusing the last known passwords.

Figure 6: Non-allowed Passwords in SAP HANA

Prevention of Dictionary Attacks (Denied Passwords)

For example, dictionary maintenance tools for disallowing specific passwords, such as
the customizing recorded in table USR40 for SAP Netweaver AS ABAP, or in the SAP
HANA table _SYS_PASSWORD_BLACKLIST.

© Copyright. All rights reserved. 7

Unit 1: Security Overview

Authentication

Figure 7: Authentication Methods

SAP systems are compliant with industry standard authentication mechanisms, such as
SAML. They also provide their own methods for authentication, for example, SAP Logon
Tickets.

Figure 8: Authentication Methods in SAP HANA 2.0

Encryption

Figure 9: Data and Communication Encryption

SAP provides libraries that allow encryption, several communications protocols (for example,
the Secure Network Communication libraries for RFC communication), and facilities to store
digital certificates (for example, the Secure Store files). SAP systems support database
encryption methods (such as HANA persistence layer encryption).

© Copyright. All rights reserved. 8

 Lesson: Outlining the Security Roadmap

Figure 10: SAP HANA 2.0 Persistence Layer Encryption

Threat Detection

Figure 11: Tools to Identify System and Application Security Threats

SAP systems contain auditing and tracing tools that allow a system administrator to
recognize potential threats. These functionalities can be complemented with the capabilities
of Solution Manager to evaluate security configurations, and recommend corrective
measures and patches. SAP products can also have their security capabilities extended
through integration with partner software solutions.

Virus Scan Interface

The SAP NetWeaver Virus Scan Interface (NW-VSI) allows external anti-virus and content
security solutions to integrate with SAP application servers. The Virus Scan Adapter is built by
the anti-virus solution provider, based on SAP templates in the Software Development Kit
(SDK) for Virus Scan Adapters. This standardized process provides a transparent job division
between SAP data to be scanned (SAP know-how), and the actual virus scan (Anti Virus
know-how). Additionally, it allows SAP customers to easily switch between anti-virus and
content security solutions, based on their business needs.
Version 2.0 of NW-VSI not only covers the signature-based classical AV protection, but also
supports the detection of malicious file formats, file format classification, and detection of
active content inside of a file, such as script in files. The use-case for these enhancements is
the protection of web applications against XSS in files (cross-site scripting in files). SAP note:
1693981 describes the problems about script inside of documents that are uploaded into SAP
systems.

© Copyright. All rights reserved. 9

Unit 1: Security Overview

The integration of VSI is not only available in the NetWeaver core platform, but in all SAP web
application servers. The figure about VSI shows left, the different options that AV partners
have, and right, the different SAP integrations.
For more information, see SAP Note 817623 (Frequent questions about VSI in SAP
applications).

Threat Analytics

Figure 12: Data Acquisition and Data Mining for IT Security

Most SAP tools that allow you to capture security relevant information can also work as a data
warehouse system, where analytical tools can be employed for finding patterns and
preemptively address potential threats.

Recognizing Threats: Enterprise Threat Detection

Figure 13: Recognizing Threats: Enterprise Threat Detection Capabilities

SAP Enterprise Threat Detection leverages SAP HANA big data processing capabilities,
together with the real-time data acquisition provided by SAP HANA Streaming Analytics, to
capture events from the network and business applications.

© Copyright. All rights reserved. 10

 Lesson: Outlining the Security Roadmap

Figure 14: Monitoring Enterprise Threat Detection

Enterprise Threat Detection provides real-time data analysis and dashboard panels, from
which you can drill-down to the event details.

Figure 15: Enterprise Threat Detection Alert Example

From the alerts, you can trigger a ticket-based investigation process. In the example shown
above, a system where single-sign on is the only allowed method to access experienced logon
through basic authentication (logon ID and password). An investigation should take place to
determine if someone has accessed a valid user/password pair and is trying to bypass
existing security mechanisms.
Want to know more?

Note:
SAP releases new versions of its own products frequently so some of the links
below might not be up to date when your training takes place. Ask your instructor
for the current link.

For more information, see https://help.sap.com/viewer/p/

SAP_ENTERPRISE_THREAT_DETECTION .

© Copyright. All rights reserved. 11

Unit 1: Security Overview

Recognizing Threats: Access Control

Figure 16: Risk and Mitigation Controls Reporting in GRC Access Control

SAP GRC Access Control can evaluate the existing authorization concept and identify risks
related to excessive authorizations. For each access risk a mitigation control can be
established.
Unusual authorizations needed to perform emergency tasks in SAP NetWeaver AS ABAP
systems can be granted temporarily through firefighter users that are subject to extended
activity logging.
Security roles design and review workflows ensure that risk mitigation takes place and a
periodic review process is triggered. The review will address the content of the role (does it
have the right authorizations) and the role assignments (is it assigned to the right persons).
Example: John is a Windows system administrator, the company policies prevent him from
accessing human resources data like the employee's IBAN. The SAP ERP user assigned to
him is unable to retrieve IBAN data from the system, but as a system administrator he has
enough authorizations to browse the data through the database layer. GRC Risk Analysis
reports detected that combining the authorizations from his Windows environment, together
with his SQL Server authorizations and ABAP authorizations the access to data lead to a
potential security risk.
Want to know more?

Note:
SAP releases new versions of its own products frequently so some of the links
below might not be up to date when your training takes place, ask your instructor
for the current link.

For more information, see https://help.sap.com/viewer/p/SAP_ACCESS_CONTROL .

© Copyright. All rights reserved. 12

 Lesson: Outlining the Security Roadmap

Recognizing Threats: Process Control

Figure 17: SAP GRC Process Control Continuous Control Monitoring

SAP GRC Process Control provides, when possible through the existing IT systems, control
automation. One example is the execution of the GRC Access Control risk analysis reports.
The Process Control approach allows you to have automatic or non-automatic controls that
provide full coverage for existing threats, but it also implements a quality review for the
existing controls, the most critical controls should be subject of testing. Some examples:
You are collecting firewall logs, but are you evaluating their content?
You have physical access monitoring, but is the existing control effective? One real-life story:
In one of the largest IT companies in the world, employees were requested to open their bag
or backpack … if the bag or backpack had the company logo …. and only if they had the official
company logo, but nobody was forbidden, not even “politely advised”, to carry other bags or
backpacks without the company logo in or out of the company premises.
SAP GRC Process Control integrates with SAP GRC Risk Management for a more
comprehensive risk management strategy and an adequate translation of risk variables (like
probability and impact) into a potential financial loss assessment.
Want to know more?

Note:
SAP releases new versions of its own products frequently so some of the links
below might not be up to date when your training takes place, ask your instructor
for the current link.

For more information, see:

https://help.sap.com/viewer/p/SAP_PROCESS_CONTROL

https://help.sap.com/viewer/p/SAP_RISK_MANAGEMENT

© Copyright. All rights reserved. 13

Unit 1: Security Overview

Managing Threats: Audit Management

Figure 18: Key Features of SAP Audit Management

With the introduction of more strict and demanding regulations, the challenges of compliance
require proper resource allocation to mitigate the exposure of company to lawsuits and
potential financial loss.
Example: the GDPR regulation establishes ambitious response times for disclosure of data
breach events.
SAP Audit Management provides the tools to conduct your auditing activities. The purpose of
this tool is to allow you to establish a plan that addresses your risks, allocates resources, and
defines an execution timeline.
SAP Audit Management allows you to trigger investigative procedures if coupled with other
SAP solutions like SAP Business Integrity Screening.
Want to know more?

Note:
SAP releases new versions of its own products frequently so some of the links
below might not be up to date when your training takes place, ask your instructor
for the current link.

For more information, see:

https://help.sap.com/viewer/p/SAP_ASSURANCE_AND_COMPLIANCE_SOFTWARE_-
_SAP_AUDIT_MANAGEMENT

https://help.sap.com/viewer/p/SAP_BUSINESS_INTEGRITY_SCREENING

Note:
Some products like SAP Audit Management have versions optimized for SAP S/
4HANA. For more information, see the SAP Help site and expand the Product
Hierarchy.

© Copyright. All rights reserved. 14

 Lesson: Outlining the Security Roadmap

User Provisioning: LDAP Integration

Figure 19: SAP NetWeaver AS Java: LDAP as a Datasource for Users

SAP NetWeaver systems can retrieve users from a LDAP repository. The communication can
be bi-directional giving the option to have users being created in the LDAP engine or in the
SAP NetWeaver AS. Information regarding authorizations can also be stored in the LDAP
repository and retrieved by the SAP NetWeaver AS system. Other products like the SAP
HANA database can also use the LDAP repository to store user authorizations.

User Provisioning: Identity Management

Figure 20: HR-Driven User Provisioning with Compliance Assurance

The SAP Identity Management solution provides a robust approach for the user and
authorizations provisioning processes. SAP IDM can manage users and authorization
assignments for SAP and non-SAP products, through workflows that provide a fully auditable
approval process.
Some of the major advantages of SAP IDM are:

© Copyright. All rights reserved. 15

Unit 1: Security Overview

Integration with SAP GRC – the approval workflow can request a Risk Analysis assessment
to ensure that the authorizations being assigned will not lead to non-mitigated access
risks.

Integration with SAP HR – usage of HR triggers the provisioning/deprovisioning of users

and authorizations based on events like hiring, retirement, and transfers across
departments.

Want to know more?

Note:
SAP releases new versions of its own products frequently so some of the links
below might not be up to date when your training takes place, ask your instructor
for the current link.

For more information, see https://help.sap.com/viewer/p/SAP_IDENTITY_MANAGEMENT .

User Authentication: SAP Single Sign On

Figure 21: Authentication Into SAP Netweaver AS Using the Secure Login Client

SAP Single Sign On ensures transparent authentication into your applications. During this
training you will have the chance to use one of its components, the Secure Login Client, with
which you will access Java- and ABAP-based environments.
Some of the features available include two-factor authentication or the integration with
existing Public Key Infrastructure (PKI) in your organization.
Want to know more?

Note:
SAP releases new versions of its own products frequently so some of the links
below might not be up to date when your training takes place, ask your instructor
for the current link.

© Copyright. All rights reserved. 16

 Lesson: Outlining the Security Roadmap

For more information, see https://help.sap.com/viewer/p/SAP_SINGLE_SIGN-ON .

LESSON SUMMARY
You should now be able to:

Identify challenges and solutions for the implementation of infrastructure security

© Copyright. All rights reserved. 17

 Unit 1
Lesson 3
Describing the Training Environment

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Identify and locate the different instances available

Available Instances

Figure 22: ADM960 System Landscape

Figure 23: Attack Surface for a Java NetWeaver Environment (Application Server Instances)

© Copyright. All rights reserved. 18

 Lesson: Describing the Training Environment

Figure 24: Attack Surface for a Java NetWeaver Environment (Java Central Services Instance)

The training landscape contains a Solution Manager 7.20 system. The figures above show the
entry points for the Java stack present in the system.

Figure 25: Attack Surface for an ABAP NetWeaver Environment (Application Server Instances)

Figure 26: Attack Surface for an ABAP NetWeaver Environment (ABAP Central Services Instance)

The training landscape contains several SAP NetWeaver systems of type single stack (ABAP
only). The figures above exemplify the entry points for the ABAP stack present in the system.

© Copyright. All rights reserved. 19

Unit 1: Security Overview

Figure 27: Attack Surface for SAP Web Dispatcher

As well as the available ABAP and Java engines, the training landscape also contains several
SAP Web Dispatcher instances, used for load balancing purposes.

LESSON SUMMARY
You should now be able to:

Identify and locate the different instances available

© Copyright. All rights reserved. 20

 Unit 1

Learning Assessment

1. How can a hacker find information regarding your SAP landscape?

2. How can the SAP Management Console be reached?

3. How can you find which communication ports are enabled for each IP address?

4. What measures you can take to prevent a dictionary-based attack?

5. SAP Single Sign On does not provide two-factor authentication mechanisms.

Determine whether this statement is true or false.

X True

X False

6. How can SAP GRC Access Control help you find the actual risks in your IT landscape?

7. How can SAP Identity Management verify the risk associated with an authorization
request?

© Copyright. All rights reserved. 21

 Unit 1

Learning Assessment - Answers

1. How can a hacker find information regarding your SAP landscape?

He can scan for well-known port ranges. With ports like 5xx13 or 5xx14, he can try to reach
the SAP administration console to find more details.
Correct! He can scan for well-known port ranges. With ports like 5xx13 or 5xx14, he can try
to reach the SAP administration console to find more details.

2. How can the SAP Management Console be reached?

http://hostname:5<sysnr>13 or https://hostname:5<sysnr>14
Correct! Use http://hostname:5<sysnr>13 or https://hostname:5<sysnr>14 .

3. How can you find which communication ports are enabled for each IP address?

Log on to the SAP Administration Console, authenticate with a valid SAP administration,
wait for the tree to refresh, and search for access points on any of the available instances.
For each port, you will see the IP address where it’s listening, and if the port is active or
not.
Correct! Log on to the SAP Administration Console, authenticate with a valid SAP
administration, wait for the tree to refresh, and search for access points on any of the
available instances. For each port, you will see the IP address where it’s listening, and if
the port is active or not.

4. What measures you can take to prevent a dictionary-based attack?

SAP NetWeaver AS ABAP table USR40 allows the definition of non-admissible passwords.
Similar facilities exist in other SAP products like SAP HANA or SAP NetWeaver AS Java.
Correct! SAP NetWeaver AS ABAP table USR40 allows the definition of non-admissible
passwords. Similar facilities exist in other SAP products like SAP HANA or SAP NetWeaver
AS Java.

5. SAP Single Sign On does not provide two-factor authentication mechanisms.

Determine whether this statement is true or false.

X True

X False

Correct! Two-factor authentication is supported.

© Copyright. All rights reserved. 22

 Unit 1: Learning Assessment - Answers

6. How can SAP GRC Access Control help you find the actual risks in your IT landscape?

SAP GRC Access Control can perform analysis across multiple systems. SAP data can be
retrieved from the database layer or the application layer and both should be evaluated,
together with the operative system layer. For many RDBMS, having a privileged user at
operative system level is the first step to acquire data.
Correct! SAP GRC Access Control can perform analysis across multiple systems. SAP
data can be retrieved from the database layer or the application layer and both should be
evaluated, together with the operative system layer. For many RDBMS, having a privileged
user at operative system level is the first step to acquire data.

7. How can SAP Identity Management verify the risk associated with an authorization
request?

SAP Identity Management can request the Risk Analysis assessment from SAP GRC
Access Control.
Correct! SAP Identity Management can request the Risk Analysis assessment from SAP
GRC Access Control.

© Copyright. All rights reserved. 23

 UNIT 2 NetWeaver AS
Components and
Communication
Mechanisms

Lesson 1
Determining the Key Points of Network Security 25

Lesson 2
Installing and Configuring SAProuter 32

Lesson 3
Installing and Configuring SAP Web Dispatcher 40

UNIT OBJECTIVES

Determine network security for SAP systems

Install and configure SAProuter

Install and configure SAP Web Dispatcher

© Copyright. All rights reserved. 24

 Unit 2
Lesson 1
Determining the Key Points of Network
Security

LESSON OVERVIEW
This lesson explains the various aspects of network security in an SAP system landscape. It
also introduces SAProuter and SAP Web Dispatcher, both of which play an important role in
network architecture.

Business Example
You need to ensure basic network security for an SAP system landscape. For this reason, you
require an understanding of the following:

The network components

The ports used by the SAP NetWeaver Application Server (SAP NetWeaver AS)

Network filtering

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Determine network security for SAP systems

Basic Network Topology for SAP Systems

SAP systems are implemented as client-server frameworks built in three levels: database
server level, application server level, and the presentation level (front ends). Depending on the
size of your SAP system, your physical network architecture may or may not reflect this
three-tier framework. For example, a small system may not have separate application and
database server machines (the work processes run on the same machine as the database).
The system may also only have a limited number of front ends in a single subnet connected to
the server machine. However, in a large SAP system, several application servers usually
communicate with the database server, as well as many front ends. Therefore, the physical
topology of your network can vary from simple to complex.
There are several possibilities to consider when organizing your network topology. The
topology can vary from a single LAN segment to multiple IP subnets. By placing your SAP
system servers in a separate subnet, you increase the access control to your server LAN,
thereby increasing the security level of your system.

Network Services
The servers are the most vulnerable part of your network infrastructure and you should take
special care to protect them from unauthorized access. However, there are several network
services that allow server access, and you should take appropriate precautions when using
these services.

© Copyright. All rights reserved. 25

Unit 2: NetWeaver AS Components and Communication Mechanisms

A typical UNIX or Windows server machine runs many network services of which only a few
are needed for running an SAP system. Disable any of these network services on the server
net that you do not need. Sometimes these services contain known errors that unauthorized
users may be able to take advantage of to gain unauthorized access to your network. In
addition, by disabling unused network services, you also decrease the vulnerability of your
network to denial of service attacks.
For a list of well-known port numbers, see the list provided by the Internet Assigned Numbers
Authority (IANA) at http://www.iana.org/assignments/service-names-port-numbers/
service-names-port-numbers.xml . To list the active services and open ports on a UNIX or
Windows server run the command netstat -a .

SAP Network Services

SAP systems also offer various network services in their own infrastructures. As with general
network services, we also recommend disabling any SAP services that you do not need. In
older SAP systems you might find insecure services exposed, for example telnet in earlier
SAP Netweaver AS Java systems.
For more information about the ports used by SAP NetWeaver products, see TCP/IP Ports of
All SAP Products on the SAP Help Portal at http://help.sap.com/viewer/ports .

Using Firewall Systems for Access Control

The firewall is a system of hardware and software components that define which connections
can pass back and forth between communication partners. By using a firewall system, for
example, between your intranet and the Internet, you can allow a defined set of services to
pass through the different network zones while keeping other services out. For example, you
can allow users in your company's intranet to use internet services such as mail or http, but
not other services such as telnet.
There are two primary firewall types:

Packet filters - the functions used for packet filtering are typically available with routers.
The router's primary function is to route network traffic based on the source or destination
IP addresses, TCP ports, or protocols used. In this way, certain requests are routed to the
server that can best handle the request. For example, mail requests are routed to the
company's mail server. By using the router's packet filtering functions, you can also
restrict traffic based on this information, for example, to block requests using undesired
protocols completely, for example telnet. However, the packet filter is not able to filter
information sent at the application level.

Application-level gateways - contrary to packet filters, application-level gateways or

proxies work at the application level. They can permit or reject requests based on the
content of the network traffic. For example, does the request contain known exploits?

Third-Party Application-Level Gateways

When using a third-party application-level gateway, the gateway must meet the following
criteria:
Because SAP systems generate absolute URLs based on the host and port information found
in the host header name, the host header name must not be changed by the application
gateway.
SAP does not support the unification of multiple back-end systems under one external
hostname configured on the application-level gateway.

© Copyright. All rights reserved. 26

 Lesson: Determining the Key Points of Network Security

If external systems are to be integrated in the SAP NetWeaver landscape using URLs (for
example, with a portal), then the URLs must be accessible from internal and external systems
under the same name.

Application-Level Gateways Provided by SAP

SAProuter and SAP Web Dispatcher are examples of application-level gateways that you can
use for filtering SAP network traffic.

SAProuter
You can use the SAProuter for routing and filtering traffic. You can use it to do the following:

Filter requests based on the IP address or protocol.

For example, you can reject any requests that do not use SAP protocols.

Require that a password is sent with the request.

Require that secure authentication and data encryption occurs at the network layer using
Secure Network Communications (SNC).

When using SAProuter, you only have to open a single port on the firewall for SAP protocols,
which corresponds to the port on the machine running SAProuter. All connections using the
SAP protocols are then required to pass through this port (default 3299).

SAP Web Dispatcher

Use SAP Web Dispatcher for load balancing and filtering HTTP(S) requests to SAP NetWeaver
Application Server (AS).
The rules to use for filtering the requests are contained in a file in the file system on the server
where SAP Web Dispatcher runs.
SAP Web Dispatcher also supports the use of the Secure Sockets Layer (SSL) protocol to
secure the communications at the transport level.

Network Security for SAP Systems

The figure, Typical Network Components, shows the most common network components of
an SAP system landscape.

© Copyright. All rights reserved. 27

Unit 2: NetWeaver AS Components and Communication Mechanisms

Figure 28: Typical Network Components

Many SAP systems are based on SAP NetWeaver AS. An understanding of the ports and
protocols used by SAP NetWeaver AS makes you aware of the ports and protocols used in the
majority of SAP installations.
The following are examples of communication that occur in a typical NetWeaver-based
landscape:

Connection from SAP GUI for Microsoft Windows or Java to the AS ABAP-based SAP
system

Connection from the Web browser to the SAP system

Connections from the AS ABAP-based SAP system to print servers, for example, using
SAPSprint

Connections between SAP systems

Connections between SAP systems and third-party applications

The SAP system uses many ports to establish connections in the system. These ports are
determined by the operating system process involved and the instance number to which the
process belongs.

© Copyright. All rights reserved. 28

 Lesson: Determining the Key Points of Network Security

SAP NetWeaver AS – Ports

Figure 29: Ports Commonly Used by SAP NetWeaver AS

The figure, Ports Commonly Used by SAP NetWeaver AS, shows the important ports of SAP
NetWeaver AS.
SAP GUI for Microsoft Windows connects to the ABAP system by using the dispatcher
process on the application server. The dispatcher uses the port 32$$, where $$ stands for
the instance number. SAP Logon, as a part of SAP GUI, communicates with the ABAP
message server.
The SAP NetWeaver AS port is defined by an entry sapms<SID> in the services file of the
operating system. In older SAP NetWeaver releases the default port was 36$$. The ABAP
system also communicates with the SAP GUI by using remote function call (RFC). The
gateway process uses port 33$$ to establish the connection (default for insecure
communication).
The external RFC clients, for example, other SAP systems or third-party applications, connect
to the gateway process.
The Internet Communication Manager (ICM) uses the default port 80$$ for the HTTP
protocol. This port helps to establish a connection with a Web browser.
The process involved in starting and stopping the SAP system is SAPSTARTSRV. It can be
called using the default port 5$$13 (HTTP access) or 5$$14 (HTTPS access).
The SAP program SAPSprint handles the SAP system print requests sent by the spool work
process. SAPSprint listens on default port 515.
When you connect a Web browser to the SAP NetWeaver AS for Java (old versions 7.0x), the
Java dispatcher is called on the default HTTP port 5$$00. The Software Deployment Manager

© Copyright. All rights reserved. 29

Unit 2: NetWeaver AS Components and Communication Mechanisms

(SDM) is remotely accessed on the default port 5$$18. In the newer SAP NetWeaver AS for
Java versions, the Java Dispatcher is replaced with the ICM, which is called on default HTTP
port 5$$00. For SAP NetWeaver versions 7.1x and higher, SDM no longer exists and the
dispatcher component was replaced by Internet Communication Manager.

Note:
For a complete list of ports relevant to your landscape, go to http://help.sap.com
and search for the Security Guides that match not only your application
components, but also their patch levels if applicable.

Network Filtering

Figure 30: Network Filtering

Network filtering is the fundamental requirement for secure SAP systems. Network filtering
reduces the attack surface to the minimum number of services that the end users access. The
remaining services must then be configured securely.
Network filtering is required between the end-user network and the SAP systems to secure
the SAP operations.

Note:
For more information, see the SAP NetWeaver Security Guide.

The actual network architecture depends on infrastructure components, such as SAProuter,

SAP Web Dispatcher, SAP Host Agent, and the SAP Solution Manager Diagnostics Agent, to
name some of the most common ones. These infrastructure components need to be
considered for architecture planning. Access to SAP DIAG, SAP RFC, SAP Message Server,
and HTTPS is frequently necessary, but the infrastructure components impact the network
filtering implementation. With the introduction of the new User Experience (UX), SAP GUI and
its associated protocols and ports are no longer the preferred option and HTTP(S) will
become more relevant in the future. A similar evolution will affect the role of the gateway:
RFC-based interfaces have given place to web-service-based interfaces and, more recently,
OData services.

© Copyright. All rights reserved. 30

 Lesson: Determining the Key Points of Network Security

Network Architecture

Figure 31: Network Architecture

Administrative access to the SAP systems is provided from an administration network. This
network is allowed to access the SAP systems with administrative protocols such as Secure
Shell (SSH), Remote Desktop Manager (RDP), and database administration. Access to the
administrative network must be properly secured by common security concepts, for example,
allowing administrative access to the SAP systems only from dedicated subnets or dedicated
workstations.

LESSON SUMMARY
You should now be able to:

Determine network security for SAP systems

© Copyright. All rights reserved. 31

 Unit 2
Lesson 2
Installing and Configuring SAProuter

LESSON OVERVIEW
This lesson explains the installation and configuration of SAProuter. This lesson also explains
various load balancing techniques.

Business Example
You need to install and configure SAProuter to connect to an SAP system. For this reason,
you require the following knowledge:

An understanding of SAProuter

An understanding of load balancing with SAP NetWeaver Application Server (SAP

NetWeaver AS)

How to install and configure SAProuter

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Install and configure SAProuter

© Copyright. All rights reserved. 32

 Lesson: Installing and Configuring SAProuter

SAProuter

Figure 32: SAProuter as Proxy for SAP Protocol

SAProuter software functions as an intermediate station among various SAP systems and
programs. SAProuter functions as a proxy that has properties of an application-level gateway
when used in SAP protocols.
SAProuter allows you to connect to an SAP system without a direct network connection
between the client computer and application server. The SAP GUI (for Microsoft Windows and
Java) connects to the SAProuter that forwards all the packets to the application server, or to
another SAProuter.
As illustrated in the figure, SAProuter as Proxy for SAP Protocol, when using SAProuter in an
SAP system landscape, you only open the SAProuter port (default port 3299), instead of the
corporate firewall, for all ports and protocols used by an SAP system. You can configure
SAProuter to allow communications based only on the SAP protocol, coming from specific IP
addresses, and directed to the SAP systems.

Note:
In the OSI 7 layer model, the Network Interface (NI) layer forms the upper part of
the transport layer, and is the part nearest to the applications. This means that NI
uses TCP or UDP. The protocol is also known as the SAP Protocol. SAP protocol is
the technical foundation for protocols like Dynamic Information and Action
Gateway (DIAG) and remote function call (RFC). It is also referred to as NI.

© Copyright. All rights reserved. 33

Unit 2: NetWeaver AS Components and Communication Mechanisms

SAProuter makes it easier to administer the networking aspects of the SAP landscape. To
make changes at the SAP system level, such as installing an additional instance that provides
additional ports, you do not need to change the configuration of the corporate firewall. The
SAP administration can reconfigure the SAProuter to incorporate the changes.

SAProuter Functionality
Controls and logs connections to your SAP system.

Can restrict access to other selected SAProuters.

Can restrict access to encrypted connections from a known partner.

Note:
SAP router does not support scenarios for communication based on non-SAP
protocols.

Caution:
SAProuter does not replace a firewall. You can use it in addition to the corporate
firewall. For more information about SAProuter, see SAP Note 30289.

SAProuter and Remote Support

Figure 33: SAProuter and Remote Support

© Copyright. All rights reserved. 34

 Lesson: Installing and Configuring SAProuter

Note:
SAP has established and operates a dedicated PKI to allow Secure Network
Connections (SNC) and Single Sign-On (SSO) to access customer systems
remotely. The dedicated CA only issues temporary generated certificates for the
user SAPSUPPORT with a validity of 8 hours. This new secure remote access
scenario is part of the SAP standard support package and eliminates the need to
maintain the target user credentials in the Customer Remote Logon Depot
(formerly Secure Area). For more information, see SAP Note 2562154.

SAProuter enables a secured connection between the customer network and SAP support.
The figure, SAProuter and Remote Support, shows a connection between SAProuters at the
customer site and the SAP site. This connection is secured by Secure Network
Communication (SNC), and allows SAP support to access the SAP systems at the customer
site.
SAP Solution Manager is one of the few products that relies on the availability of SAProuter.
SAProuter doesn't need to be deployed in a highly available infrastructure but regular
application lifecycle management activities will require it, for example, Earlywatch services.

SAProuter Installation and Configuration

Figure 34: SAProuter Configuration – Route Permission Table

SAProuter has no specific installation or configuration tool provided. The installation can be
done with or without the use of encryption and typically involves a folder where the binaries
are copied, followed by a sequence of command line actions to start/stop SAProuter (done
by saprouter command), generate certificates for encryption (done by sapgenpse command),

© Copyright. All rights reserved. 35

Unit 2: NetWeaver AS Components and Communication Mechanisms

a text editor for manually building the saprouttab configuration file and optionally operative
system configuration to start SAProuter automatically. For more information, see SAP Note
30289.

Figure 35: SAProuter 7.53 - Support Packages and Patches

The latest version of SAProuter can be used with older releases.

Figure 36: Crypto Library for SNC Connections

One of the most common requirements related to the SAProuter is the implementation of
Secure Network Communications between an organization landscape and the SAP support
landscape. The SAP Common Cryptographic Library allows the encryption of network traffic.
SAP provides the SAProuter certificates for its customers and these should be renewed every
year.

© Copyright. All rights reserved. 36

 Lesson: Installing and Configuring SAProuter

Figure 37: Crypto Library Additional Information

SAP Common Cryptographic Library is required for establishing encryption in many SAP
products besides SAProuter. Bringing the latest patches addresses potential risks and new
functionality

Figure 38: Crypto Corrections and Fixes Detailed Information

You can find the latest SAProuter at https://launchpad.support.sap.com/#/softwarecenter/

support/index . Search for SAProuter . From the maintenance components, pick the archive
suitable for your operative system.
To install SAProuter, extract the downloaded package to a file system directory on the host.
For example, on a Microsoft Windows host, create directory: <drive>:\usr\sap
\saprouter . Copy executable files saprouter.exe and niping.exe into this directory.

© Copyright. All rights reserved. 37

Unit 2: NetWeaver AS Components and Communication Mechanisms

SAProuter can be installed as a Microsoft Windows service. For more information, see the
exercise, Install SAProuter, and SAP Notes 41054 and 525751.
SAProuter uses the route permission table to control the specific IP addresses and
subnetworks that are permitted or denied access to a particular network. By default, the route
permission table is a file called saprouttab in the installation directory of SAProuter. The file
contains a list of connections that are denied or permitted access to a particular network.
The figure, SAProuter Configuration – Route Permission Table, shows standard entries that
appear in the route permission table (such as P, S, D, <source host>, <target host>,
<service>, and <password>).

Table 1: Functions of Standard Entries in the Route Permission Table

Field names Description

D Denies the connection.

P Permits the connection.

S Permits only connections based on SAP pro-

tocol.

<source host> Specifies the host name or IP address of the

client. For example, the host on which the
SAP GUI is running.

<target host> Specifies the host name or IP address of the

target. For example, the host on which the
SAP system is running.

<service> Specifies the service name or port number of

the communication target.

<password> Specifies the password needed to use this

route. Specifying the password is optional.

Note:
You can use wildcard characters (*) to enter host names and services. For
security reasons, we recommend that you do not use wildcards in P and S entries.

Hint:
The first match in the saprouttab file is decisive. This means that the order of the
entries is important and the D entries should be at the top of the list. If no entries
match, permission is denied.

If the communication is to be secured by means of SNC, the saprouttab file entries must be
specified with KT, KD, KS, and KP. The SAProuter must be started with the option -K.

© Copyright. All rights reserved. 38

 Lesson: Installing and Configuring SAProuter

Note:
For more information about secure communication using the SAProuter, see the
SAP help library.

To connect to an SAP system using SAProuter, you must enter the following SAProuter
string:
/H/<host of SAProuter/S/<port of SAProuter>/W/<password>/H/<target
host>
Entering /S/<port of SAProuter> is optional in the router string if SAProuter uses the
default port 3299. You must enter the password with /W/<password> if a password is set in
the saprouttab file.

SAProuttab Sample File

An saprouttab file example can be seen below.
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

# SNC connection to local system for R/3-Support

# R/3 Server: 192.168.1.1
# R/3 Instance: 00
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.1 3200

# SNC connection to local WINDOWS system for WTS, if applicable

# Windows server: 192.168.1.2
# Default WTS port: 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.2 3389

# SNC connection to local UNIX system for SAPtelnet, if applicable

# UNIX server: 192.168.1.3
# Default Telnet port: 23
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.3 23

# SNC connection to local Portal system for URL access, if applicable

# Portal server: 192.168.1.4
# Port number: 50003
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.4 50003

# Access from the local Network to SAP

P 192.168.*.* 194.39.131.34 3299

# deny all other connections

D***

LESSON SUMMARY
You should now be able to:

Install and configure SAProuter

© Copyright. All rights reserved. 39

 Unit 2
Lesson 3
Installing and Configuring SAP Web Dispatcher

LESSON OVERVIEW
With the rising use of Web-based applications and the need for customers to access SAP
applications via the Web, the set up and configuration of SAP Web dispatcher has become
much more important. This lesson addresses these topics.

Business Example
You need to install the SAP Web Dispatcher. For this reason, you require the following
knowledge:

An understanding of the SAP Web Dispatcher

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Install and configure SAP Web Dispatcher

SAP NetWeaver AS and Load Balancing

Figure 39: Client-Based Load Balancing (Not Recommended)

In client-based load balancing, the user contacts the message server, and the message is
redirected to one of the application servers. The user remains on this application server
during the session. The user has a direct connection to the application server, which means
there is no problem with session persistence or using Secure Socket Layer (SSL). However,

© Copyright. All rights reserved. 40

 Lesson: Installing and Configuring SAP Web Dispatcher

the user is not always directed to the same server, so the URL varies and bookmarks are
invalid. In addition, if the user switches to another server, he has to authenticate again.
When you use SSL, each server must have its own server certificate, which increases the
costs and administrative overheads. In client-based load balancing, SSL is suitable for small
intranet landscapes. Client-based load balancing is not recommended for productive
systems.

Server-Based Load Balancing

Figure 40: Server-Based Load Balancing

Server-based load balancing uses load balancers in front of the back-end servers. As a result,
the user has only one URL that is used to access the application server.
The options available for load balancing are as follows:

SAP Web Dispatcher

Web switch

Reverse proxy

Combination of more than one load balancing techniques (complex scenario)

Alternative load balancing techniques are as follows:

Hardware load balancer

Other network load balancing devices

© Copyright. All rights reserved. 41

Unit 2: NetWeaver AS Components and Communication Mechanisms

Load Balancing with the SAP Web Dispatcher

Figure 41: Load Balancing with the SAP Web Dispatcher

The SAP Web Dispatcher is a load balancing and application proxy solution for SAP
NetWeaver AS. The SAP Web Dispatcher is an easy-to-use solution.
The characteristics of the SAP Web Dispatcher are as follows:

It uses the message server to determine the current state.

It uses SAP logon groups to determine which requests (ABAP or Java) are directed to
which server.

The advantages of the SAP Web Dispatcher are as follows:

It is available free of charge with SAP NetWeaver AS.

It requires minimal configuration and administration.

It supports the features of SAP NetWeaver AS out-of-the-box.

The SAP Web Dispatcher is a program that runs on a host and is connected to the Internet or
intranet.
All required information for a basic configuration is gathered during the installation process.
The installation tool only establishes the connection to the first back-end system.

Configuration Example for Connections to Multiple Back-end systems From One SAP
Web Dispatcher
wdisp/system_0 = SID=EX1, EXTSRV=https://cp.hana.ondemand.com:443,
SRCURL=/sap/dfa/help/, SRCSRV=*:*, PROXY=proxy:8080,
STANDARD_COOKIE_FILTER=OFF
wdisp/system_1 = SID=EX2, EXTSRV=https://xray.hana.ondemand.com:443,
SRCURL=/resources/sap/dfa/help/, SRCSRV=*:*, PROXY=proxy:8080,
STANDARD_COOKIE_FILTER=OFF
wdisp/system_2 = SID=S4D, MSHOST=s4dhost.wdf.sap.corp, MSPORT=8104,
SSL_ENCRYPT=2, SRCURL=/sap/es/

© Copyright. All rights reserved. 42

 Lesson: Installing and Configuring SAP Web Dispatcher

wdisp/system_3 = SID=FSD, MSHOST=fsdhost.wdf.sap.corp, MSPORT=8104,

SSL_ENCRYPT=2, SRCURL=/
wdisp/system_conflict_resolution = FIRST_MATCH

Load Balancing Alternative: Web Switch

Figure 42: Load Balancing Alternative – Web Switch

Advantages of using load balancing techniques other than the SAP Web Dispatcher (such as
Web switch) include the following:

They provide additional features that are not available with the SAP Web Dispatcher, such
as authentication.

They enable reuse of an existing infrastructure.

They provide a unified Web infrastructure for all Web systems that include both SAP
systems and non-SAP systems.

Disadvantages of using load balancing techniques other than the SAP Web Dispatcher include
increased costs, less integration with SAP NetWeaver AS, and increased configuration and
maintenance overhead.

© Copyright. All rights reserved. 43

Unit 2: NetWeaver AS Components and Communication Mechanisms

Load Balancing Alternative: Reverse Proxy

Figure 43: Load Balancing Alternative – Reverse Proxy

With the reverse proxy, you can route incoming requests to different services based on the
URL path. For example, in the figure, Load Balancing Alternative – Reverse Proxy, the
requests containing the path /other are directed to static Web pages located on the Web
server. If the request is directed to a path under /sap , the reverse proxy directs the request to
the SAP NetWeaver AS host456 . The requests that contain the path /store are directed to
host789 . In this way, you can activate various services on various hosts that are all accessible
using the same HTTP(s) port.

© Copyright. All rights reserved. 44

 Lesson: Installing and Configuring SAP Web Dispatcher

Load Balancing: Complex Scenario

Figure 44: Load Balancing: Complex Scenario

You can optimize the security and availability of systems by combining various load-balancing
techniques. For example, in the figure, Load Balancing: Complex Scenario, Web switches are
used at the end of the communication path. Therefore, the Web switch does not need to be
highly trusted or handle session persistence. If SSL is used, the connection is passed on to the
SAP Web Dispatcher, which is considered more trusted. The SAP Web Dispatcher handles the
load balancing and session persistence for the connections to SAP NetWeaver AS at the back
end. If SSL is used, it can be terminated at the SAP Web Dispatcher so that the SAP Web
Dispatcher can perform URL filtering.

© Copyright. All rights reserved. 45

Unit 2: NetWeaver AS Components and Communication Mechanisms

SAP Web Dispatcher

Figure 45: SAP Web Dispatcher

Common Features of SAP Web Dispatcher

SAP Web Dispatcher is a load balancer and reverse proxy that can be used with different web
application server backends:

SAP NetWeaver Application Server ABAP

SAP NetWeaver Application Server Java

SAP HANA XS, both in the "Classic" and "Advanced" flavor, any web server

Note:
SAP HANA comes with an internal Web Dispatcher that acts as web server for
the HANA XS Classic server and cannot be used as load balancer or reverse
proxy for other systems. The above statements do not apply to this specific Web
Dispatcher.

The SAP Web Dispatcher is most commonly used to balance the load of requests from the
user’s Internet browser, although this is not its only use.
The SAP Web Dispatcher can be used to load-balance any HTTP-based requests. If, for
example, SAP NetWeaver AS provides a Web service (WS), which is consumed by another
server, the SAP Web Dispatcher is required to distribute the requests from the Web service
clients to the server nodes of SAP NetWeaver AS.
As of Release 7.2, one SAP Web Dispatcher can be used for multiple SAP systems.

© Copyright. All rights reserved. 46

 Lesson: Installing and Configuring SAP Web Dispatcher

Features of the SAP Web Dispatcher

Server selection and load balancing

Forwards incoming stateful or stateless HTTP(S) requests to an appropriate SAP
NetWeaver AS for processing.

URL filtering
Maintains a URL permission table to control which requests are rejected or accepted.

Web caching
Improves response times and offloads the application server by using the SAP Web
Dispatcher as a Web cache.

Modification of HTTP requests

Manipulates inbound HTTP requests on the basis of defined rules.
Manipulates HTTP header fields, filtering requests, and redirecting requests and URL
values.

Secure Socket Layer (SSL)

Forwards, terminates, and (re)encrypts requests depending on its SSL configuration.

You can configure the SAP Web Dispatcher to use as many of these features as necessary.

SAP Web Dispatcher Details

Figure 46: SAP Web Dispatcher Details for an SAP NetWeaver AS for ABAP System

© Copyright. All rights reserved. 47

Unit 2: NetWeaver AS Components and Communication Mechanisms

An SAP NetWeaver AS-based SAP system consists of one or more instances where HTTP(S)
requests are processed. Using the SAP Web Dispatcher, you have a single point of access for
HTTP(S) requests in your system. The SAP Web Dispatcher balances the load so that the
requests are distributed over all the instances. In addition, you can increase the security of
your system landscape by using the additional features of the SAP Web Dispatcher, for
example, URL filtering.

SAP Web Dispatcher Installation

The SAP Web Dispatcher is backwards compatible. This means that the SAP Web Dispatcher
release can be higher or the same as the SAP system (kernel) release. The patch level can
also differ from the patch level of the back-end system.
SAP Note 908097 lists the allowed combinations of SAP Web Dispatcher releases and SAP
system releases. Besides that, this SAP Note provides paths to installation media, update
details and documentation.
The SWPM-based installation of SAP Web Dispatcher requires SAP archives (.SAR files) of
the SAP Web Dispatcher, the SAP Host Agent.

Figure 47: SAP Web Dispatcher Support Packages and Patches

Hint:
You can determine the current version of your SAP Web Dispatcher installation
as follows:

By executing sapwebdisp -v

By analyzing the most recent developer trace file (by default, dev_webdisp)

By launching the Version Info dialog in SAP MC or SAP MMC

See the SAP Library for installation guides on SAP Help Portal at http://help.sap.com .

© Copyright. All rights reserved. 48

 Lesson: Installing and Configuring SAP Web Dispatcher

To use the SAP Web Dispatcher as a load balancer for SAP NetWeaver AS, you must specify
the information about the message server of the SAP system during installation. The
message server provides further information about the SAP system to the SAP Web
Dispatcher. In an SAP NetWeaver AS for ABAP-based or SAP NetWeaver AS for ABAP+Java-
based system, the SAP Web Dispatcher uses the ABAP message server. In an SAP NetWeaver
AS for Java-based system, the SAP Web Dispatcher uses the Java message server.

SAP Web Dispatcher Security

To guarantee maximum security when the SAP Web Dispatcher is used, we recommend the
following measures:

Use the latest version of the SAP Web Dispatcher.

Configure your own error pages to ensure that the end user does not see the technical
reason for the error.

Use the SAP Web Dispatcher as a URL filter with the white lists (only the specified URLs
are allowed).

Filter the following URLs because they provide the details of the infrastructure and the
configuration: /sap/public/icman/* , /sap/public/icf_info/* , and /sap/wdisp/info .

Increase security for the Web Administration Interface by performing the following tasks:
- Use a dedicated port (a separate port is used for the content port).
- Use SSL.
- Allow administration tasks to be performed under a specific host name or IP address
that is accessed from the internal network only.

For more information about security when using the SAP Web Dispatcher, see SAP Note
870127.
Use the Authentication Handler to configure the SAP Web Dispatcher to reject specific URLs.
Set up the access restrictions with the icm/HTTP/auth_<xx> profile parameter. Filter
requests using the SAP Web Dispatcher according to the following criteria:

URL

Client IP address

Server IP address

User name or user group and password

String search in the URL

© Copyright. All rights reserved. 49

Unit 2: NetWeaver AS Components and Communication Mechanisms

SAP Web Dispatcher: URL Filtering

Figure 48: SAP Web Dispatcher: URL Filtering

By setting the icm/HTTP/auth_<xx> parameter, for example, icm/HTTP/auth_0 =

PREFIX=/, PERMFILE=permissionfile.txt, FILTER=SAP , you can specify permitted
and prohibited requests in the permissionfile.txt file. You can control which specific IP
addresses and subnetworks are permitted and denied access to a particular network. You can
also permit or deny specific URL patterns. The permissionfile.txt file contains a list of
connections that are denied or permitted access to a particular network.
The entries in the file appear as follows:
P/S/D <URI pattern> <User> <Group> <Client IP> <Server IP>, where D denotes denies, P
denotes permits the following connection mentioned in the file, and S permits only the
connections that use HTTPS protocol. The IP address (pattern) of the clients is entered as
<Client IP> and the IP address of the application server host is entered as <Server IP>. <URI
pattern> specifies the URL prefix of the request, for example, /sap/public/info. With <User>
or <Group>, you can allow a pattern for a user or group known to the SAP Web Dispatcher, for
example, for administration of the SAP Web Dispatcher. Wildcard characters (*) can be used.

Hint:
The first matching line starts the processing. This means that the order of the
entries is important. Note that the URL pattern is case-sensitive. Create the table
as a positive list. Permit all the URLs that are to be allowed and, at the end of the
table, add an entry D /* * * * * to deny all other connections.

© Copyright. All rights reserved. 50

 Lesson: Installing and Configuring SAP Web Dispatcher

LESSON SUMMARY
You should now be able to:

Install and configure SAP Web Dispatcher

© Copyright. All rights reserved. 51

 Unit 2

Learning Assessment

1. In saprouttab, what does a line starting with S mean?

2. How can you specify a custom port for SAProuter?

3. In which port does SAProuter listen by default?

4. How can you protect a connection through SAProuter without using encryption?

5. How can you restrict access to specific URLs in the Web Dispatcher?

6. Name three options for restricting access in the permission file Web Dispatcher?

7. SAP Web Dispatcher can only load-balance connections to SAP Netweaver AS systems. Is
this statement correct?

© Copyright. All rights reserved. 52

 Unit 2: Learning Assessment

8. What is the effect of having the line D /* * * * * at the beginning of the filter rules file?

© Copyright. All rights reserved. 53

 Unit 2

Learning Assessment - Answers

1. In saprouttab, what does a line starting with S mean?

It permits communication through the SAP protocol.

Correct! A line starting with S permits communication through the SAP protocol.

2. How can you specify a custom port for SAProuter?

Use the parameter -S

Correct! Use the parameter -S.

3. In which port does SAProuter listen by default?

3299
Correct! SAProuter listens in port 3299 by default.

4. How can you protect a connection through SAProuter without using encryption?

saprouttab entries should include a password, and the SAProuter string sent from the
client must provide the password with the parameter /W.
Correct! saprouttab entries should include a password, and the SAProuter string sent
from the client must provide the password with the parameter /W .

5. How can you restrict access to specific URLs in the Web Dispatcher?

Use the parameter icm/HTTP/auth_0 to specify a text file with the access rules.
Correct! Use the parameter icm/HTTP/auth_0 to specify a text file with the access rules.

6. Name three options for restricting access in the permission file Web Dispatcher?

URL, client IP address, server IP address

Correct! Three options are URL, client IP address, and server IP address.

© Copyright. All rights reserved. 54

 Unit 2: Learning Assessment - Answers

7. SAP Web Dispatcher can only load-balance connections to SAP Netweaver AS systems. Is
this statement correct?

Access to SAP HANA and other web servers can be load balanced with SAP Web
Dispatcher.
Correct! Access to SAP HANA and other web servers can be load balanced with SAP Web
Dispatcher.

8. What is the effect of having the line D /* * * * * at the beginning of the filter rules file?

All connections will be blocked by the Web Dispatcher.

Correct! All connections will be blocked by the Web Dispatcher.

© Copyright. All rights reserved. 55

 UNIT 3 NetWeaver AS Security
Operations

Lesson 1
Explaining the Secure Store 58

Lesson 2
Explaining Secure Storage in File System 68

Lesson 3
Outlining Authorizations and Security Policies 72

Lesson 4
Managing Users in SAP Systems 87

Lesson 5
Securing the Message Server and the Internet Communication Manager (ICM) 103

Lesson 6
Securing the SAP GUI 112

Lesson 7
Monitoring SAP Systems Security 117

Lesson 8
Describing Application Lifecycle Management 130

Lesson 9
Segregating System Administration Duties 137

Lesson 10
Managing Transport Management System Users 139

Lesson 11
Monitoring Security with SAP Solution Manager 141

© Copyright. All rights reserved. 56

 UNIT OBJECTIVES

Explain cryptography and the secure store

Explain secure storage in the file system

Outline authorizations and password policy parameters

Outline security policy maintenance

Work with security-relevant task lists

Set up user security in SAP systems

Secure the message server and the Internet Communication Manager (ICM)

Secure the SAP GUI

Monitor security in SAP systems

Describe SAP Patch Day and SAP Solution Manager

Describe the process of moving to SAP HANA-based SAP NetWeaver systems

Describe how to prevent system administrators from accessing sensitive data

Enforce non-standard passwords for the Transport Management System

Analyze the security monitoring capabilities of SAP Solution Manager

© Copyright. All rights reserved. 57

 Unit 3
Lesson 1
Explaining the Secure Store

LESSON OVERVIEW
This lesson explains how to implement security measures in SAP systems with Secure Socket
Layer (SSL) and Secure Network Communications (SNC).

Business Example
You want to implement security measures in SAP systems. For this reason, you need an
understanding of the following:

SSL and SNC

Personal Security Environment (PSE)

Digital signatures in SAP systems

How to use the Trust Manager

How to use the Key Storage Service

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Explain cryptography and the secure store

© Copyright. All rights reserved. 58

 Lesson: Explaining the Secure Store

Cryptography and the Secure Store

Secure Socket Layer (SSL)

Figure 49: SSL: Server Authentication

HTTPS is the protocol indicator for HTTP over SSL in the URL. SSL uses a hybrid encryption
method.
SSL provides the following features:

Data encryption

Server authentication

Client authentication

Mutual authentication

To use SSL for server authentication, SAP NetWeaver Application Server (AS) has a private
and public key pair. In the figure, SSL: Server Authentication, when Alice connects, the server
sends its public key certificate with a digitally signed message.
In addition to verifying the validity of the certificate, Alice verifies the identity of SAP
NetWeaver AS by verifying values, such as validity dates and digital signature of the
Certification Authority (CA).
Alice only accepts the certificate if she trusts the CA that issued the certificate to SAP
NetWeaver AS.
Alice verifies the signed message sent by SAP NetWeaver AS. This message ensures that SAP
NetWeaver AS has the matching private key and is the intended server with which she wants
to communicate.
Alice generates the secret key that she encrypts using the public key of SAP NetWeaver AS
and sends the secret key to SAP NetWeaver AS.
Further communication between Alice and the server is encrypted using the secret key.

© Copyright. All rights reserved. 59

Unit 3: NetWeaver AS Security Operations

SSL: Mutual Authentication

Figure 50: SSL: Mutual Authentication

SSL with mutual authentication has the same procedure as SSL with server authentication,
except for the following additional steps:

Alice also sends her public key certificate with the encrypted secret key to SAP NetWeaver
AS.

In addition to her public key certificate, she also sends a signed message.

SAP NetWeaver AS verifies Alice’s public key certificate and signed message to
authenticate her.

As a result, both SAP NetWeaver AS and Alice are authenticated.

SSL: Uses in SAP Environments

Figure 51: SSL: Uses in SAP Environments

© Copyright. All rights reserved. 60

 Lesson: Explaining the Secure Store

SSL is used in the following SAP environments where Internet protocols are used:

Between the Web browser of a user and SAP NetWeaver AS

Between two SAP NetWeaver AS

Between SAP NetWeaver AS and a different Web server

Secure Network Communications (SNC)

The SAP proprietary protocols SAP Dynamic Information and Action Gateway (SAP DIAG)
and SAP Remote Function Call (RFC) do not cryptographically authenticate client and server
or encrypt network communication.
Due to missing authentication and encryption, external parties can attack network
communication in the following ways:

Eavesdrop passwords transmitted over the network

Intercept network traffic

Manipulate content and forward it to legitimate servers (man-in-the-middle attacks)

We recommend using SNC, as it provides the following features to mitigate the risks during
communication:

Cryptographically strong mutual authentication

Integrity protection of transmitted data

Encryption of network traffic

SNC can be used without additional partner software for all RFC communication between SAP
servers. SNC can also be used for SAP GUI communication if the SAP server and SAP GUI
clients are running on Windows. For more information about Microsoft Windows Single Sign-
On (SSO) options, see SAP Note 352295.

Table 2: Profile Parameters for SNC Levels

Profile Parameters SNC Level SNC Property
snc/ 1 Secure authentication
data_protection/min
snc/ 2 Data integrity protection
data_protection/max
snc/data_protection/ 3 Confidentiality
use

© Copyright. All rights reserved. 61

Unit 3: NetWeaver AS Security Operations

Scenarios for SNC

Figure 52: Recommended Scenarios for SNC

The following security measures must be taken during SNC implementations:

SNC is implemented between SAP GUI and ABAP systems because end user traffic may
pass through networks susceptible to network sniffing.

For production systems, we recommend deactivating non-SNC access for most SAP GUI
users ( snc/accept_insecure_gui = U ). Only a small number of emergency accounts
must be able to access the system with password login.

For RFC communication, SNC must be implemented if the network traffic is susceptible to
sniffing by end users.

Detailed requirements for SNC implementations are customer-specific.

SNC Using Generic Security Service Application Programming Interface (GSS-API)

Figure 53: SNC Using Generic Security Service Application Programming Interface (API)

SNC uses a generic GSS-API interface that is standardized by the Internet Engineering Task
Force (IETF).

© Copyright. All rights reserved. 62

 Lesson: Explaining the Secure Store

GSS-API encrypts the data at the Network Interface (NI) protocol level. NI is the SAP protocol
layer.
SSL is present in the TCP/IP layer.

SNC Products

Figure 54: SNC Products

The SAP Common Cryptographic Library is available in the SAP Download Center. You can
use this product for server-to-server communication.
SAP NetWeaver SSO is an SAP Product that enables you to use authentication and
encryption. It is perfect for use in SAP NetWeaver environments.

Secured SAP Connections

Figure 55: Secured SAP Connections

In the SAP environment, the following protocols can be secured:

HTTP (SSL) to Application Gateway: SAP Secure Login Library or partner product

DIAG, RFC (SNC) with SAPGUI: SAP NetWeaver SSO (license required) or partner product

HTTP (SSL) to SAP NetWeaver AS (and SAP Web Dispatcher): SAP Common
Cryptographic Library

© Copyright. All rights reserved. 63

Unit 3: NetWeaver AS Security Operations

DIAG, RFC (SNC) to SAProuter: SAP Common Cryptographic Library

DIAG, RFC (SNC) between SAP NetWeaver AS: SAP Common Cryptographic Library

Personal Security Environment (PSE)

Figure 56: PSE

PSE contains the following components:

Private key

Public key certificate of the server

Certificates of trusted CAs (certificate list)

© Copyright. All rights reserved. 64

 Lesson: Explaining the Secure Store

PSEs in SAP Systems

Figure 57: PSEs in SAP Systems

Separate PSEs are used for various identities or functions (separation of tasks). Each PSE
performs a specific function.

Note:
PSE files are not only used by SAP NetWeaver AS or its components (like SAP
Web Dispatcher). SAP HANA also uses PSE files for security purposes.

The functions performed by PSEs are as follows:

SNC PSE is used by SAP NetWeaver AS for SNC.

SSL server PSE is used by SAP NetWeaver AS for SSL when the SAP system acts as the
server component for the connection.

SSL client PSE is used by SAP NetWeaver AS for SSL when the SAP system acts as the
client component for the connection. The SAP system might have more than one PSE for
communication as a client.

Secure Store & Forward (SSF) applications use various PSEs to obtain the security
information that they need. For example, HTTP Content Server and SAP NetWeaver AS
use different PSEs to sign logon tickets.

To meet the requirements for various functions, the server needs to have different names.
The Distinguished Name (DN) specified for a PSE identifies the server for the corresponding
function when using this PSE.

© Copyright. All rights reserved. 65

Unit 3: NetWeaver AS Security Operations

Caution:
Restrict access to the table SSF_PSE_D by assigning the table to a dedicated
table-authorization group. End users must not have access to this new table-
authorization group. For more information about protecting access to key tables,
see SAP Note 1485029. Restrict file system access to PSE files from ABAP
programs. For more information about protecting access to PSE files using an
additional authority check, see SAP Note 1497104.

Digital Signature in SAP Systems

Figure 58: SSF and Digital Signatures

SSF provides security for SAP data and documents in the following cases:

Data leaves the SAP system, for example, online orders, payments, or transfer of business
information.

Data is stored on non-secure media, for example, an external database, diskettes, or

archives.

Data is transmitted over non-secure networks, such as the Internet.

Data security is associated with persons and individuals, for example, digital signatures.

SSF provides data integrity, privacy, authentication, and non-repudiation in business

transactions. Data can be signed or encrypted in the SAP system and transferred to other
media. SSF uses the standard Public Key Cryptographic Standard #7 (PKCS#7). As a result,
data can also be processed by non-SAP systems.

© Copyright. All rights reserved. 66

 Lesson: Explaining the Secure Store

Digital Signatures used by SSF for Protection of Data

User signatures
- Authenticity and integrity
Alice’s document (for example, a business order) is authentic, is signed by her, and has
not been changed.
- Non-repudiation
Alice cannot deny having signed the document.

System signatures
- Document integrity
A document (for example, an archived document) has not been changed.

LESSON SUMMARY
You should now be able to:

Explain cryptography and the secure store

© Copyright. All rights reserved. 67

 Unit 3
Lesson 2
Explaining Secure Storage in File System

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Explain secure storage in the file system

Secure Storage in the File System

Figure 59: Display Profile Parameter

Secure storage in the file system (SSFS) is used in ABAP systems to secure credentials,
example: the credentials for communication with the database system. Currently, the
procedure is supported by the following databases:

Sybase ASE: SAP Note 1643080

Oracle: SAP Note 1622837

SAP HANA: SAP Note 2154997

SAP MaxDB: SAP Note 2148115

For more information about availabilities and required database-specific configuration steps,
see the relevant notes.
In this case, you can decide to replace the platform-specific mechanism for storing the
password of the ABAP database user with a standardized procedure. To do this, you store
user and password information in an encrypted manner in SSFS. Ensure that the SAP system
and its tools can still connect to the database successfully after the changeover, and then
remove the old password storage. Optionally and to ensure the greatest possible security, you
can define an external encryption key.

© Copyright. All rights reserved. 68

 Lesson: Explaining Secure Storage in File System

Figure 60: Administration of the Secure Storage

Transaction SECSTOREallows you to manage the encrypted keys. The encrypted data
contains information for several types of communication, for example, RFC destinations.
The confidentiality of the data in the secure storage in the database is safeguarded
exclusively by the usage of an individual encryption key in the file system. During the
installation of the SAP system, Software Provisioning Manager (SWPM) will display the
individual key.

Secure Storage in SAP NetWeaver AS for ABAP

In special situations, applications or system functions need a way to securely store user and
password information. The secure storage is an ABAP-kernel function for storing encoded
data. The function is used by applications in the SAP system to securely store access data
such as passwords for external systems.
The following SAP applications use the secure storage to store passwords:

Web Service Security

Remote Function Call (RFC) destinations

Internet Communication Framework (ICF) services

Change and Transport System (CTS)

SAPphone

SAPconnect

Generic Request and Message Generator (GRMG)

© Copyright. All rights reserved. 69

Unit 3: NetWeaver AS Security Operations

Secure Storage in SAP NetWeaver AS for ABAP (SECSTORE)

Figure 61: Secure Storage in AS ABAP (SECSTORE)

As of Release 7.00, transaction SECSTORE(report RSECADMIN) is the central maintenance

tool for secure storage in AS ABAP. This tool offers checks for the records (using the check
feature of the kernel) and allows migration of records for changed global key and system-
dependent data.
You can check the entries in the secure storage across clients in transaction SECSTORE
(without seeing their contents).

Data Check

Figure 62: Data Check

© Copyright. All rights reserved. 70

 Lesson: Explaining Secure Storage in File System

Hint:
If after a system copy you face problems with credentials (for example, TMS RFC
destinations report the wrong credentials), call transaction SECSTOREand check
the entries. If necessary, delete the defective entries. They will be regenerated
when the RFC is called again.

LESSON SUMMARY
You should now be able to:

Explain secure storage in the file system

© Copyright. All rights reserved. 71

 Unit 3
Lesson 3
Outlining Authorizations and Security Policies

LESSON OVERVIEW
This lesson provides an overview of authorizations in SAP systems and explains the rules for
password management in SAP systems.

Business Example
You want to define authorizations in an SAP system. For this reason, you require an
understanding of the following:

The authorization concept of Application Server ABAP (AS ABAP) and Application Server
Java (AS Java)

Password management in AS ABAP

Secure store in AS ABAP and AS Java

Configuring password parameters

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Outline authorizations and password policy parameters

Outline security policy maintenance

Work with security-relevant task lists

© Copyright. All rights reserved. 72

 Lesson: Outlining Authorizations and Security Policies

Authorizations and Password Policy Parameters

SAP NetWeaver AS for ABAP Authorization

Figure 63: SAP NetWeaver AS for ABAP Users and Authorization – Introduction

SAP uses a positive authorization concept. Positive authorization means that an authorization
or an access must be granted so that a user can execute actions or tasks. However, the
concepts and terms differ in SAP NetWeaver AS for ABAP and SAP NetWeaver AS for Java.
A user can log on to an SAP system client if they know the user and password for a user
master record.
Every time the user calls a transaction, an authorization check occurs in the SAP system. If a
user attempts to start a transaction for which that user is not authorized, the system rejects
the user with an appropriate message.
If the user starts a transaction for which they have authorization, the system displays the
initial screen of the transaction. The user can enter the data and perform various tasks on this
screen. The system performs additional authorization checks for data and actions that need
to be protected.

© Copyright. All rights reserved. 73

Unit 3: NetWeaver AS Security Operations

Authorization Objects

Figure 64: Authorization Objects

Authorization objects protect actions and the access to data in the SAP system. They are
delivered by SAP and are available in the SAP system. They are divided into various object
classes.
Authorization objects enable complex checks that involve multiple conditions before allowing
you to perform an action. The conditions are specified in the authorization fields of the
authorization objects and are linked for the check. Authorization objects and their fields have
descriptive and technical names. For example, the authorization object User Master
Maintenance: User Groups (technical name: S_USER_GRP) contains two fields: Activity
(technical name: ACTVT) and User Group in User Master Record (technical name:
CLASS). The authorization object S_USER_GRP protects the user master record. An
authorization object includes up to 10 authorization fields.
An authorization is associated with only one authorization object. The authorization contains
the value for the fields for the authorization object. An authorization is a permission to
perform a certain action in the SAP system. The action is defined based on the values of the
individual fields of an authorization object. For example, authorization B for authorization
object S_USER_GRP enables all user master records that are not assigned to the SUPER user
group to be displayed.
There can be multiple authorizations for one authorization object. Some authorizations are
delivered by SAP, but most are created to meet customer-specific needs.

© Copyright. All rights reserved. 74

 Lesson: Outlining Authorizations and Security Policies

Role Maintenance

Figure 65: Role Maintenance

Role maintenance (transaction PFCG, previously known as Profile Generator) simplifies the
process of creating and assigning the authorization to users. In role maintenance, related
transactions are selected. For the selected transactions, role maintenance creates the
authorizations with the required fields. A role can be assigned to various users. Changes to a
role affect multiple users. Users can be assigned various roles.
The user menu contains entries such as transactions, URLs, and reports. These entries are
assigned to the user through the roles.

© Copyright. All rights reserved. 75

Unit 3: NetWeaver AS Security Operations

SAP NetWeaver AS for Java Authorization

Figure 66: Authorization Concept of SAP NetWeaver AS for Java

You can use authorizations to control which users can access a Java application and which
actions are permitted for a user. Authorizations are combined as roles and then assigned to a
user or a user group by an administrator. The SAP NetWeaver Identity Management (SAP
NetWeaver ID Management) and Visual Administrator tools are used to assign authorizations.
Authorization checks are built into the Java application. In the Java application, you can
differentiate authorization checks with different objectives.
Access to an application is protected by checking whether the appropriate JEE security role is
assigned to the requesting user. If the user does not have the required security role, an error
message is displayed and access is denied. If the user has access to the system, the individual
activities can be protected. When requesting a special activity, for example, Delete, the
system checks whether the required JEE security role or User Management Engine (UME)
permission is assigned. You can control access to object instances, such as folders and
documents, using the Access Control List (ACL).
With all types of authorization checks specified, the developer must define the authorizations
query in the application. The developer decides which type of authorization check is to be
used. After implementation, the application determines which JEE security roles, UME
permissions, or UME ACLs are used.

© Copyright. All rights reserved. 76

 Lesson: Outlining Authorizations and Security Policies

Caution:
In SAP NetWeaver 7.0, UME roles are administered using SAP NetWeaver ID
Management, and J2EE security roles are administered using the Visual
Administrator. In SAP NetWeaver AS for Java 7.1 and later, JEE security roles are
mapped to server roles (UME roles) in a particular deployment descriptor of the
application.

J2EE security roles are a part of the J2EE standard. UME roles are an (SAP) extension of the
J2EE security roles. You can define the same authorization checks with J2EE security roles
and UME roles. However, it is easier and more precise to assign authorizations with UME
roles. A UME role comprises various authorization objects, whereas J2EE consists of one
object. In comparison to one UME role, many J2EE security roles must be assigned for the
same authorization. Always use UME roles, except in cases in which J2EE security roles are
sufficient.

Note:
A role in the ABAP environment is roughly equivalent to a UME role. An
authorization object in the ABAP environment can be compared to a security role
or UME permission.

Password Rules in SAP NetWeaver AS for Java

Figure 67: Password Rules in SAP NetWeaver AS for Java

© Copyright. All rights reserved. 77

Unit 3: NetWeaver AS Security Operations

Password rules in SAP NetWeaver AS for Java are controlled by UME parameters. The most
important parameters can be changed by the system administrator in the UME Configuration
UI.

Hint:
In the SAP NetWeaver AS for ABAP+Java (dual stack) system, you need to
maintain the password parameters at SAP NetWeaver AS for ABAP and SAP
NetWeaver AS for Java. The password parameters are not synchronized
automatically.

Password Management in SAP NetWeaver AS for ABAP

Like all systems with password-based logon, SAP systems store password information in
some form. SAP systems do not store passwords as they are, but use one-way functions to
calculate password hashes. These password hashes are stored in the database. The system
verifies a user password using the one-way function to calculate the password hash and
compare it to the stored value. Since it is a one-way function, the password cannot be
calculated from the stored password hashes. All systems using this method are subject to
password dictionary attacks or password brute-force attacks if the password hashes are
retrieved from the system. Security measures, such as strong password rules, must be taken
to significantly reduce the probability of successful password cracking attacks.
You must configure a strong password policy according to your corporate policy.

SAP NetWeaver AS for ABAP Password Rules

Table 3: Password Rules

The following table lists AS ABAP password rules defined by the customer and the rules
predefined in the SAP system:
Rules Defined by the Customer Rules Predefined in the SAP System

Minimum length First character cannot be ! or ?

Special characters, digits First three characters may not be identi-

cal
Validity
Password cannot be PASSor SAP*
Password may not be set to a value con-
tained in lock list (table USR40) Passwords are case-sensitive in SAP Net-
Weaver AS for ABAP 7.00 and later

Passwords can be up to 40 characters

long, as of SAP NetWeaver AS for ABAP
7.00

Apart from the predefined password rules, you can influence user passwords in the following
ways:

Using the system profile parameters to assign a minimum length for the passwords and
define how often the user has to set new passwords.

Entering prohibited passwords in table USR40.

© Copyright. All rights reserved. 78

 Lesson: Outlining Authorizations and Security Policies

Table USR40 is maintained with transaction SM30. Entries may contain wildcard characters
such as ? for one character and * for a character string.

System Profile Parameters

You can control the password policies with profile parameters starting with login. The table,
System Profile Parameters and Applicable Values, shows the most relevant profile
parameters.

Table 4: System Profile Parameters and Applicable Values

System Profile Parameters Applicable Values: Applicable Values:
Default Allowed

Minimum length of the logon password: login/ 6 3–40

min_password_lng

Minimum number of digits/letters/specials: log- 0 0–40

in/min_password_digits/_letters/_spe-
cials

Minimum number of lowercase/uppercase: log- 0 0–40

in/min_password_lowercase/_uppercase

Maximum number of days a password (set by the 0 0–24000

admin) can be unused (idle): login/pass-
word_max_idle_initial

Maximum number of days a password (set by the 0 0–24000

user) can be unused (idle): login/pass-
word_max_idle_productive

Existing password must comply with current poli- 0 0/1

cy (checked during logon): login/pass-
word_compliance_to_current_policy

Number of different characters between old and 1 1–40

new password: login/min_password_diff

Password expiration time in days: login/pass- 0 0–1000

word_expiration_time

End session after number of incorrect logons: 3 1–99

login/fails_to_session_end

Lock user after number of incorrect logons: log- 5 1–99

in/fails_to_user_lock

Automatic unlock at midnight: login/ 0 0/1

failed_user_auto_unlock

Deactivation of multiple dialog logons: login/ 0 0/1

disable_multiple_gui_login

List of excepted users for multi logon: login/ List of user IDs List of user IDs
multi_login_users

© Copyright. All rights reserved. 79

Unit 3: NetWeaver AS Security Operations

System Profile Parameters Applicable Values: Applicable Values:

Default Allowed

Number of passwords (chosen by the user, not 5 1–100

the administrator) that the system stores and the
user is not permitted to use again: login/pass-
word_history_size

Note:
The default values of certain profile parameters have been changed in SAP
NetWeaver AS for ABAP 7.00 and later. For more information about profile
parameters, see SAP Note 862989.

In SAP NetWeaver AS for ABAP 7.00 and later, the password hash algorithm has been
changed. More secure hash values can be generated that are not backward-compatible, and
that make reverse engineering attacks difficult. By default, new systems generate a
backward-compatible hash value and a new hash value. However, you can configure the
system so that only the new hash value is generated. The new hash value is not backward-
compatible. You can set the degree of backward compatibility with the profile parameter
login/password_downwards_compatibility .

Note:
For more details on backward compatibility, see SAP Note 1023437.

If you are using non-backward-compatible passwords, communication with older systems

may cause problems where the older system calls the newer system. For more information
about dealing with incompatible passwords, see SAP Note 792850.

Security of Password Hashes

In addition to a strong password policy, you can ensure the security of the password hashes
by taking the following actions:

Restrict access to tables containing password hashes (USR02, USH02, and in later
releases USRPWDHISTORY) by changing the table authorization group of these tables.
Non-administrative users must not have access to this new table authorization group.

Activate the latest password hashing mechanism (code version) available for your release.
Downward-compatible password hashes must not be stored in Releases 7.0 and higher.

Note:
For more information about protecting read access to password hash value
tables, see SAP Note 1484692.

Profile Parameter Settings for Password Hashes

Table 5: Profile Parameters for Password Hashes

The following profile parameters are used to activate the latest hashing mechanism:

© Copyright. All rights reserved. 80

 Lesson: Outlining Authorizations and Security Policies

Releases Recommended Profile Pa- Code Version

rameters
Up to 4.5 No special profile parameter B
needed
4.6 to 6.40 login/password_charset = 2 E
7.00 to 7.01 login/password_down- F
wards_compatibility = 0
7.02 and higher login/password_down- H
wards_compatibility = 0

Caution:
After activating the latest password hashing mechanism, redundant password
hashes must be deleted from the relevant tables. For more information about
recommended settings for password hash algorithms, see SAP Note 1458262.

If you use Central User Administration (CUA), you must ensure that the CUA system has at
least the same or a higher release than all attached systems and that relevant SAP Notes are
implemented. For more information about CUA and passwords, see SAP Notes 1300104,
1306019, and 1022812.

Security Policies Maintenance

SECPOL: Defining Security Policies for Netweaver ABAP Systems
Instance profile parameters allow IT administrators to set global policies for the entire
system. For different groups of users, a more tailored approach can be useful.

Table 6: Available Attributes for Security Policies

Attribute Purpose Default Value

CHECK_PASS- Check the Password Blacklist 1

WORD_BLACKLIST
MIN_PASSWORD_DIGITS Minimum Number of Digits 0
MIN_PASSWORD_LENGTH Minimum Password Length 6
MIN_PASSWORD_LETTERS Minimum Number of Letters 0
MIN_PASSWORD_LOWER- Minimum Number of Lower- 0
CASE case Letters
MIN_PASSWORD_SPECIALS Minimum Number of Special 0
Characters
MIN_PASSWORD_UPPER- Minimum Number of Upper- 0
CASE case Letters
MIN_PASS- Minimum Wait Time for Pass- 1
WORD_CHANGE_WAITTIME word Change

© Copyright. All rights reserved. 81

Unit 3: NetWeaver AS Security Operations

Attribute Purpose Default Value

MIN_PASSWORD_DIFFER- No. of Different Chars When 1

ENCE Changing
PASS- Password Change Req. for 1
WORD_CHANGE_FOR_SSO SSO Logons
PASSWORD_CHANGE_IN- Interval for Regular Password 0
TERVAL Changes
PASSWORD_COMPLI- Password Change After Rule 0
ANCE_TO_CURRENT_POLI- Tightening
CY
PASSWORD_HISTORY_SIZE Size of the Password History 5
DISABLE_PASSWORD_LOG- Disable Password Logon 0
ON
DISABLE_TICKET_LOGON Disable Ticket Logon 0
MAX_FAILED_PASS- Maximum Number of Failed 5
WORD_LOGON_ATTEMPTS Attempts
MAX_PASSWORD_IDLE_INI- Validity of Unused Initial 0
TIAL Passwords
MAX_PASS- Validity of Unused Produc- 0
WORD_IDLE_PRODUCTIVE tion Passwords
PASSWORD_LOCK_EXPIRA- Automatic Expiration of Pass- 0
TION word Lock
SERVER_LOGON_PRIVILEGE Logon if server_logon_re- 0
striction=1
TENANT_RUNLEVEL_LOG- Logon for Each Tenant Runle- 0
ON_PRIVILEGE vel > 0

The attributes available for security policies definitions allow system administrators to
override settings made with instance profile parameters.

Figure 68: Step 1/3 Creating a Security Policy

The first step involves calling transaction SECPOL and create a new security policy. Security
policies are customizing objects and can easily be transported from one system to another.

© Copyright. All rights reserved. 82

 Lesson: Outlining Authorizations and Security Policies

Figure 69: Step 2/3 Assigning Attributes for a Security Policy

The second step establishes the attributes relevant for each security policy.

Figure 70: Step 3/3 Assigning a Security Policy

The third step applies a security policy to a specified user. Mass maintenance can be
performed with transaction SU10.

Table 7: Comparison Between Policy Attributes and Profile Parameter Functionality

Policy Attribute Profile Parameter

Transportable Manual Configuration

Assignable to Individual Users System/ Instance-Wide Setting
Immediately Effective Requires a Server Restart

User Management: Defining Security Policies for Netweaver Java Systems

Netweaver Java Systems are shipped with two pre-configured policies (Default and Technical
User). New policies can be set by system administrators.

© Copyright. All rights reserved. 83

Unit 3: NetWeaver AS Security Operations

Figure 71: Step 1/2 Defining a Security Policy

To define a new policy access the User Management configuration and adapt the available
parameters.

Figure 72: Step 2/2 Assigning a Security Policy

The policy can be assigned to individual users in the General Information tab.

© Copyright. All rights reserved. 84

 Lesson: Outlining Authorizations and Security Policies

STC01 - Task List Manager for Configuration

Figure 73: Task List for Configuring Single Sign-On Across ABAP Systems

It is possible to automate configuration tasks, using the task manager for technical
configuration (transaction STC01). The task manager guides you through extensive
configuration processes by means of predefined task lists, and allows you to customize them.
Documentation is available for each step in the task list. Some steps will require input
parameters.
The task list monitor (transaction STC02) allows you to verify if a task list was executed and
which messages were logged by the system.
In the following example, we will use a task list to verify if the basic configuration for SSL is
complete.

Figure 74: Choose Relevant Task List 1/4

© Copyright. All rights reserved. 85

Unit 3: NetWeaver AS Security Operations

Figure 75: Review Actions to be Performed 2/4

Figure 76: Execute Task List 3/4

Figure 77: Execute Task List 4/4

LESSON SUMMARY
You should now be able to:

Outline authorizations and password policy parameters

Outline security policy maintenance

Work with security-relevant task lists

© Copyright. All rights reserved. 86

 Unit 3
Lesson 4
Managing Users in SAP Systems

LESSON OVERVIEW
This lesson provides an overview of authorizations in SAP systems and explains the rules for
password management in SAP systems.

Business Example
You want to define authorizations in an SAP system. For this reason, you require an
understanding of the following:

The authorization concept of Application Server ABAP (AS ABAP) and Application Server
Java (AS Java)

Password management in AS ABAP

Secure store in AS ABAP and AS Java

Configuring password parameters

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Set up user security in SAP systems

© Copyright. All rights reserved. 87

Unit 3: NetWeaver AS Security Operations

Setup of User Security in SAP Systems

User Administration in SAP NetWeaver Application Server (AS) for ABAP

Figure 78: User Maintenance (Transaction SU01) – User Master Record

User Maintenance (transaction SU01) and Role Maintenance (transaction PFCG) are the most
important tools for an SAP NetWeaver AS for ABAP-based system. When creating a new user
master record with transaction SU01, the required fields are Last name on the Address tab
page and Initial password on the Logon data tab page.
On the Logon data tab page, the User Group for Authorization Check implements delegated
user administration. A user master record in a user group can be changed only by an
administrator with the authorization to modify the user group. If a user master record is not
assigned to a group, any user administrator can change this user master record. The Validity
Period specifies the beginning and end of the validity of the user master record.
A user can log on to the SAP system if a user master record with a valid password exists. The
user master record determines the actions that individual users are allowed to perform in the
SAP system.
When maintaining user master records, you need to assign authorization to the users in the
form of roles and profiles.
User master records are client-specific.

SAP Authorization
SAP authorization protects transactions, programs, and services in SAP systems from
unauthorized access. On the basis of SAP authorization, the administrator assigns
authorizations to individual users that determine which actions they can execute in the SAP
system after they have logged on to the system and authenticated themselves.

© Copyright. All rights reserved. 88

 Lesson: Managing Users in SAP Systems

To access business objects or execute SAP transactions, a user requires corresponding

authorizations, as business objects or transactions are protected by authorization objects.
The authorizations represent instances of generic authorization objects and are defined
depending on the activity and responsibilities of the employee. The authorizations are
combined in an authorization profile that is associated with a role. The user administrators
then assign the corresponding roles using the user master record, so that the user can use
the appropriate transactions for his or her tasks.
The following authorization objects are required to create and maintain user master records:

S_USER_GRP: user master maintenance: assign user groups

S_USER_PRO: user master maintenance: assign authorization profile

S_USER_AUT: user master maintenance: create and maintain authorization

With suitable authorization, a user is able to maintain personal data by choosing

System User profile Own data (transaction SU3).

User Administration in SAP NetWeaver AS for Java

Figure 79: SAP NetWeaver AS for Java User Stores

SAP NetWeaver AS for Java provides an open architecture, based on service providers, to
store user and group data.
SAP NetWeaver AS for Java is delivered with the following service providers, known as user
stores:

Database Management System (DBMS) provider

DBMS provides user and authorization data storage in the system database.

Universal Description, Discovery, and Integration (UDDI) provider

UDDI provides storage through external service providers.

User Management Engine (UME) provider

UME provider enables connection of the integrated UME.

© Copyright. All rights reserved. 89

Unit 3: NetWeaver AS Security Operations

The DBMS and UDDI providers implement standards and guarantee the J2EE conformity of
SAP NetWeaver AS for Java. The SAP-defined UME is installed as user storage during the
installation of SAP NetWeaver AS for Java. The SAP-defined UME is the recommended option
for most SAP customers. The user and the authorization concept can be installed and
operated flexibly only on the basis of the UME user storage.

Purpose of the UME

The UME provides centralized user management for all Java applications and can be
configured to work with user management data from multiple data sources. It is seamlessly
integrated in the J2EE engine of SAP NetWeaver AS for Java as its default user store and can
be administered using the SAP NetWeaver AS for Java administration tools.
The UME adds business value by enabling customers to leverage their existing system
infrastructure by accessing user-related data on an existing corporate directory, an SAP
NetWeaver AS for ABAP system, a database, or any combination of these. In addition, it
reduces administrative overhead by allowing customers to perform centralized user
administration.

Data Sources
The UME supports the following data sources as storage locations for user data:

System database

Directory Service (Lightweight Directory Access Protocol (LDAP) server)

ABAP-based SAP system (as of AS ABAP 6.20)

SAP delivers preconfigured data source combinations. These preconfigured data source
combinations can be used without further adjustments or can be adapted according to the
specific needs of the customer.

Hint:
The data source of the system database is always connected to the UME for all
data source configurations delivered by SAP. Certain information (for example,
the UME roles) is always kept in the database.

© Copyright. All rights reserved. 90

 Lesson: Managing Users in SAP Systems

SAP NetWeaver AS for Java – SAP NetWeaver Identity Management (SAP NetWeaver ID
Management)

Figure 80: SAP NetWeaver AS for Java: User Management Administration Console

The most important tool for a user administrator in an SAP NetWeaver AS for Java system is
identity management. The identity management tool is used for all data sources and is
implemented as an application running in a Web browser (based on Web Dynpro Java).
You can start identity management in the following ways:

Use the URL http(s)://<hostname>.<domain>:<http(s) port>/useradmin .

Use the SAP NetWeaver Administrator (URL /nwa ), Configuration Security Identity
Management .

Use the path User Administration Identity Management in a portal.

Hint:
The function scope available in identity management depends on the Java
authorizations of the current user.

© Copyright. All rights reserved. 91

Unit 3: NetWeaver AS Security Operations

Central User Administration (CUA)

Figure 81: CUA

CUA distributes user master records between SAP systems. The administration of an SAP
system landscape is performed from one central system. You can display an overview of all
user data in the SAP system landscape. All user data is stored in the standard SAP tables
(USR*) that contain the user master record data.
Use CUA if you have a complex landscape with several clients and systems to synchronize the
user data or if a user works in more than one system and uses the same user ID in all the
systems. Data that can be distributed with CUA includes data about the user master record,
such as address, logon data, user fixed values, and user parameters.
The system (security) administrator logs on to CUA and assigns roles or profiles and systems
to the user in CUA. You no longer need to log on to each system to make system-specific
assignments of activity groups and profiles.
Roles and authorization profiles can be transported but are not maintained from the CUA.
They are created and modified in the subsystems.

© Copyright. All rights reserved. 92

 Lesson: Managing Users in SAP Systems

CUA and LDAP Synchronization

Figure 82: CUA and LDAP Synchronization

Prior to release 6.10, SAP systems could communicate with LDAP, but required an
independent, external component called LDAP Connector. As of release 6.10, SAP systems
can communicate directly with a directory server using LDAP.

SAP NetWeaver Identity Management

Figure 83: Identity Management

Role of Identity Management in SAP NetWeaver

Identity management is an integral part of the SAP NetWeaver technology platform for the
following reasons:

It enables efficient and secure management of identity information.

It supports both SAP-only and heterogeneous system landscapes.

© Copyright. All rights reserved. 93

Unit 3: NetWeaver AS Security Operations

It integrates with the SAP NetWeaver platform and business applications.

It complements integrated SAP NetWeaver security frameworks.

Enterprises usually have a variety of SAP and non-SAP systems. By default, every system has
its own separate user management. Separate user management involves a large degree of
manual effort for the user administrator to administer the user information and role
assignments in each system.
However, employees of an enterprise have to perform different business process tasks.
These tasks require certain authorizations or roles in the system landscape. The source of
employee information is usually the SAP ERP Human Capital Management (SAP ERP HCM)
system. SAP ERP HCM triggers actions such as on-boarding and change of position, location,
or name. These changes must be reflected in the system landscape.

Identity Management Yesterday – Partial Centralization

Figure 84: Identity Management Yesterday – Partial Centralization

Before SAP offered SAP NetWeaver ID Management, user management was centralized using
the CUA. A limitation of CUA is that it is only supported for ABAP-based systems. For
interoperability with Java systems that use an LDAP directory both as a user store and for
integration with non-SAP applications, users are synchronized with an LDAP directory using
the ABAP LDAP connector. Central management for a heterogeneous system landscape was
only possible by using a third-party identity management product.

© Copyright. All rights reserved. 94

 Lesson: Managing Users in SAP Systems

SAP NetWeaver Identity Management – Holistic Approach

Figure 85: SAP NetWeaver Identity Management – Holistic Approach

Driven by business processes, with SAP NetWeaver ID Management, SAP offers integrated
identity management capabilities for a heterogeneous system landscape. SAP NetWeaver ID
Management uses a central identity store to consolidate identity data from different source
systems (for example, SAP ERP Human Capital Management (HCM)) and distributes this
information to the different target systems. The distribution handles user accounts and role
assignments of SAP and non-SAP applications. You can define various rule sets for the
assignment of roles to users, which means that role assignment can be automatically
performed based on attributes of the identity.
An important feature of SAP NetWeaver ID Management is the availability of approval
workflows to distribute the responsibility for authorization assignments to various business
process owners and managers of employees. The integration of SAP ERP HCM as one of the
possible source systems for identity information is one of the key functionalities to enable
business-driven identity management. With the audit functionality of the solution, the auditor
can check employee system authorizations from a central location. Both the current
authorizations and the previous settings can be examined. The data within SAP NetWeaver ID
Management can be accessed using services and standard protocols, such as LDAP.

Comparison between CUA and SAP NetWeaver Identity Management

Table 8: CUA versus SAP NetWeaver Identity Management

Functionality CUA SAP NetWeaver ID Manage-
ment
Target systems ABAP only SAP and non-SAP
Workflow support No Yes
Rule-based access manage- No (except the rarely used Yes
ment HR Org. rule engine)

© Copyright. All rights reserved. 95

Unit 3: NetWeaver AS Security Operations

Functionality CUA SAP NetWeaver ID Manage-

ment
Modeling of role hierarchy No Yes
Cross-system role assign- Only through HR Org Yes
ments
LDAP directory integration LDAP synchronization Yes
Support for all user attributes Yes Yes
Password management Initial passwords Yes, including workflow sup-
port

The following points highlight the relationship between SAP NetWeaver ID Management and
the CUA:

SAP NetWeaver ID Management is the strategic solution for managing identities in SAP
and non-SAP environments.

SAP NetWeaver ID Management can replace the CUA in order to manage user IDs in the
non-SAP system landscape.

SAP continues to support the CUA in its current functionality according to the SAP
maintenance rules.

A connector is available that connects SAP NetWeaver ID Management to the CUA.

Standard Users in SAP NetWeaver AS for ABAP

In SAP NetWeaver AS for ABAP and SAP NetWeaver AS for Java-based systems, several
standard users with preconfigured authorizations are available directly after installation. To
ensure system security, users must be provided with a strong password and monitored
regularly.

Table 9: Important Default Users in SAP NetWeaver AS for ABAP

Client 000 001 066 New
User SAP* SAP* SAP* (SAP*)
DDIC DDIC EARLYWATCH
SAPCPIC SAPCPIC

Note:
Check users with the RSUSR003 report for standard passwords.

When an SAP NetWeaver AS for ABAP-based system is installed, the default clients are as
follows:

Client 000 is used for special administrative purposes. SAP imports the Customizing
settings into this client during the upgrade process or when applying Support Packages.
Client 000 must not be used for Customizing, data input, or development.

© Copyright. All rights reserved. 96

 Lesson: Managing Users in SAP Systems

Client 066 was created during system installation in the past. It was used to deliver
services by SAP Active Global Support. This client is no longer used, and can be safely
removed. For more information on this client, see SAP Note 7312 - Client 066 for
EarlyWatch.

Client 001 is a copy of client 000, and was created during system installation in the past. It
can be used as the productive client. However, if you have decided to use other clients as
productive clients, rather than client 001, you can safely remove client 001.

Caution:
Prior to deleting a client, especially in the case of client 001, you must check that
there are no active users on the client. This is particularly relevant in older
Exchange Infrastructure/Process Integration systems that picked up client 001
for productive usage. You can use report RSUSR200 on the User Information
System (transaction SUIM) or the Workload Statistics (transaction ST03N) to
check if there has been user activity. Within transaction ST03N, you can use the
analysis view Settlement Statistics to determine which clients have been used,
and which users have been used the clients.

Note:
To find out which clients you have in your system, use transaction SCC4. To
display the contents of the T000 table, use transaction SM30.

Depending on the client, several standard users may already be prepared. User SAP* is a
superuser for initial access to the system. The user DDIC is required for certain installation
and upgrade tasks, software logistics, and the ABAP Dictionary. The passwords of user SAP*
and DDIC of clients 000 and 001 (not in 066) are set during the installation process. In older
installation routines, passwords were not set during the installation process and the user had
the default passwords 06071992 (for SAP*) and 19920706 (for DDIC). The user
EARLYWATCH is used by the SAP EarlyWatch specialists and has access to monitoring and
performance data. The default password for user EARLYWATCH is SUPPORT . The user
SAPCPIC is used for communication purposes. The default password for user SAPCPIC is
ADMIN. For more information on SAPCPIC, see SAP Note 29276.

Caution:
You must change the passwords of standard users to strong ones.

In addition to changing the passwords of standard users, you must perform the following
steps:

1. Create a new superuser. Deactivate only SAP* by locking the SAP* user and removing
authorizations.

2. Assign standard users to the SUPER group so that standard users can only be modified by
administrators who are authorized to change users in the SUPER group.

3. Lock users DDIC and EARLYWATCH and unlock them only when necessary.

Do not delete DDIC or its profiles. DDIC is needed for certain installation and upgrade tasks,
software logistics, and the ABAP Dictionary. Deleting the DDIC user may result in loss of

© Copyright. All rights reserved. 97

Unit 3: NetWeaver AS Security Operations

functions in tasks related to the installation and upgrade of software logistics and the ABAP
Dictionary.
To log on to a newly created client (a client with no user master record at all and no user
SAP*), use the SAP* kernel mechanism. In the kernel, a hardcoded user with password pass
is implemented. This system access is not affected by authorization checks.
The SAP* kernel mechanism can be controlled by using the login/no_automatic_user_sapstar
profile parameter. As of SAP NetWeaver AS 7.00 (SAP NetWeaver 7.0), the default value of
this profile parameter has been changed to 1, which means that the SAP* kernel mechanism
is deactivated. In older releases, the SAP* kernel mechanism was activated by default (value
0) and had to be deactivated when the kernel was not needed. For more information on
deactivating the automatic SAP* user, see SAP Note 68048.

Caution:
To ensure this mechanism is not misused, create a new user SAP* in all the
clients of your systems and set the login/no_automatic_user_sapstar profile
parameter to value 1. An existing user master record SAP* must not be deleted
from any client.

Hint:
Use the RSUSR003 report to make sure that the user SAP* has been created in
all clients and that the default passwords have been changed for the standard
users.

Standard Users in SAP NetWeaver AS for Java

Field Data Source

User Database LDAP Server Dual Stack Remote
(ABAP+Java)
Administration Administrator Administrator J2EE_ADMIN J2EE_ADMIN_<
user SID>
Guest user Guest Guest J2EE_GUEST J2EE_GST_<SID
>
Communication SAP<SID>DB Freely definable SAPJSF SAPJSF_<SID>
user to data
source

© Copyright. All rights reserved. 98

 Lesson: Managing Users in SAP Systems

Activating the UME Emergency User

Figure 86: Activating the UME Emergency User

The figure, Activating the UME Emergency User, illustrates the process used for the
activation.

Note:
Please note the difference between user store and data source. SAP delivers
multiple user stores, which include the UME and the DBMS user store. In turn, the
UME can use different data sources for storing the user information.

© Copyright. All rights reserved. 99

Unit 3: NetWeaver AS Security Operations

User Types in SAP NetWeaver AS for ABAP

Figure 87: User Types in SAP NetWeaver AS for ABAP

When creating new users, you can choose between different user types. The user type affects
what the user can do and how the user’s password is handled.
The user type is an important property of a user.
The following user types are available in AS ABAP:

Dialog
A normal Dialog user is used for all logon types by just one person. During a dialog logon,
the system checks for expired or initial passwords, and the user has the opportunity to
change the password. Multiple dialog logons are checked and logged.

System
The System user type is used for dialog-free communication within a system; for
background processing within a system; and for Remote Function Call (RFC) users for
various applications, such as Application Link Enabling (ALE), Workflow, the Transport
Management System (TMS), and CUA. It is not possible to use this type of user for a dialog
logon. Users of this type are exempted from the usual settings for the validity period of a
password. Only user administrators can change the password.

Note:
For more information, see SAP Note 622464: Change: Password change req.
entry for SYSTEM user type.

Communication
Use the Communication user type for dialog-free communication between systems. This
type of user cannot be used for a dialog logon. The usual settings for the validity period of a
password apply to users of this type.

Service

© Copyright. All rights reserved. 100

 Lesson: Managing Users in SAP Systems

A user of the Service type is a dialog user that is available to a larger, anonymous group of
users. In general, you must only assign highly restricted authorizations to users of this
type. Service users are used, for example, for anonymous system accesses using the SAP
Internet Transaction Server (ITS) or Internet Communication Framework (ICF) service.
The system does not check for expired or initial passwords during logon. Only the user
administrator can change the password. Multiple logons are permitted in the system.

Reference
As with the Service user, a Reference user is a general user not specific to a particular
person. You cannot use a Reference user to log on. A Reference user is used only to assign
additional authorizations. You can specify a Reference user for a Dialog user for additional
authorization on the Roles tab page.

User Types in SAP NetWeaver AS for Java

As in SAP NetWeaver AS for ABAP, UME also distinguishes between various user types.

Table 10: UME User Types

User Type Logon to SAP Net- Password Change Mapped ABAP User
Weaver AS for Java Types (with ABAP
System as Data
Source)
Standard Possible Yes Dialog
Technical users Possible No System
Internal service user Not possible – –
Unknown (only with Depends on SAP Net- Depends on SAP Net- Communication,
data source ABAP) Weaver AS for ABAP Weaver AS for ABAP Service, and Refer-
user type user type ence

Hint:
User types are also called security policy profiles.

Specify the security policy profile (user type) when you create a user with identity
management (you cannot create the Unknown type). In the case of existing users,
subsequent changes to the user type are only possible with restrictions.

Note:
The last column in the table is only relevant if you are operating a UME with an
ABAP system as the data source. Changes to the user type of an ABAP user are
mapped to the corresponding UME user master record (and vice versa, if the UME
has write access to the ABAP system).

As of SAP NetWeaver AS for Java 7.01, you can create your own security policy profiles (user
types) in the UME configuration UI. For example, you may create your own set of strong
password rules for special administrator users. In an SAP NetWeaver AS for ABAP+Java, the

© Copyright. All rights reserved. 101

Unit 3: NetWeaver AS Security Operations

security policy profiles (user types) created for customers are mapped to the ABAP Dialog
user type.

The Internet Communication Manager User and the Web Dispatcher Administrator
During installation an administrative user for ICM is created. To manage this user or create
additional ICM users you will need the command line utility icmon . The procedure is the same
as for the webadm user in SAP Web Dispatcher, the only relevant difference is the usage of
the command line utility wdispmon .

LESSON SUMMARY
You should now be able to:

Set up user security in SAP systems

© Copyright. All rights reserved. 102

 Unit 3
Lesson 5
Securing the Message Server and the Internet
Communication Manager (ICM)

LESSON OVERVIEW
This lesson provides an overview of fundamental security measures on a front-end system.
The lesson also introduces the security features of SAP GUI for Microsoft Windows.

Business Example
To ensure the security of the front-end computer, you need to configure security features of
SAP GUI for Microsoft Windows. For this reason, you require an understanding of the
following:

Front-end security

Security settings of SAP GUI for Microsoft Windows

How to maintain security settings in SAP GUI for Microsoft Windows

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Secure the message server and the Internet Communication Manager (ICM)

Security Configuration for the Message Server and the ICM

ICM on SAP NetWeaver AS for ABAP

Figure 88: ICM on SAP Netweaver AS for Java

© Copyright. All rights reserved. 103

Unit 3: NetWeaver AS Security Operations

Figure 89: ICM on SAP Netweaver AS for ABAP

The ICM ensures communication between an SAP system and the external platform using the
HTTP, HTTPS, and SMTP protocols. As a server, the ICM can process external requests that
have URLs with the server or port combination to which the ICM responds. The ICM then calls
the corresponding local handlers, such as the file handler or the server cache handler, to
perform the necessary task.
Internet Communication Framework (ICF) provides the framework for implementing the
applications for the ICM. ICF consists of the interfaces that enable the SAP NetWeaver AS to
function as a Web server or a Web client.

ICM Monitor (Transaction SMICM)

Figure 90: ICM Monitor (Transaction SMICM)

Transaction SMICMperforms the following functions:

Monitors the ICM

Views threads

Views active services and ports

© Copyright. All rights reserved. 104

 Lesson: Securing the Message Server and the Internet Communication Manager (ICM)

Views trace files

Views memory pipe information

Displays the cache content and statistics

Restarts the ICM

Figure 91: ICF (Transaction SICF)

ICF provides a framework to the user for developing the Business Server Pages (BSPs) for the
SAP NetWeaver AS Internet applications.
Applications are organized in a hierarchical tree.
Use transaction SICF to create and maintain BSPs, and to create and maintain virtual hosts
for the SAP NetWeaver AS. Use transaction SE80 to create and test BSPs.

© Copyright. All rights reserved. 105

Unit 3: NetWeaver AS Security Operations

ICM Profile Parameters

Figure 92: ICM Profile Parameters

Table 11: Requirements and Mechanisms for ICM Profile Parameters

Requirements Mechanisms

Scalability Load balancing

Access control Network zones, using virtual hosts

Confidentiality Encryption

Identifying users User authentication

Protecting individual services Activate or deactivate services

Web-Enabled Content Management

ABAP systems offer Web-enabled content that can be accessed using Web browsers. This
content is managed by SAP ICF and maintained using transaction SICF. Some ICF services
can be misused, which may allow unauthorized access to system functionality.

© Copyright. All rights reserved. 106

 Lesson: Securing the Message Server and the Internet Communication Manager (ICM)

Figure 93: Reducing Attack Surface by Limiting ICF Services

Handling Web-Enabled Content in SAP ICF

Only ICF services that are required for business scenarios need to be enabled. Not every
ICF service needs to be enabled in SAP production systems.

Short-term recommendation: Review at least the ICF services that do not require user
authentication. This includes all services in /sap/public as well as services with stored
logon data.

Short-term recommendation: Deactivate at least the ICF services that are listed in the
table if they are not used in your business scenarios.

SICF Service SAP Note

/sap/bc/soap/rfc SAP Note 1394100

/sap/bc/echo SAP Note 626073

/sap/bc/FormToRfc SAP Note 626073

/sap/bc/report SAP Note 626073

/sap/bc/xrfc SAP Note 626073

/sap/bc/xrfc_test SAP Note 626073

/sap/bc/error SAP Note 626073

/sap/bc/webrfc SAP Note 865853

/sap/bc/bsp/sap/certreq SAP Note 1417568

/sap/bc/bsp/sap/certmap SAP Note 1417568

/sap/bc/gui/sap/its/CERTREQ SAP Note 1417568

/sap/bc/gui/sap/its/CERTMAP SAP Note 1417568

/sap/bc/bsp/sap/bsp_veri SAP Note 1422273

/sap/bc/IDoc_XML SAP Note 1487606

/sap/bc/srt/IDoc SAP Note 1487606

© Copyright. All rights reserved. 107

Unit 3: NetWeaver AS Security Operations

Virtual Hosts

Figure 94: Using Virtual Hosts

Virtual hosts are used to set up individual HTTP service trees from several IP addresses. The
user specifies virtual hosts by using profile parameter is/HTTP/virt_host_<xx>.

IP Address Host Name

10.20.30.40 intranet.mycompany.com

25.20.50.60 myhost.mycompany.com

Define whether there must be several virtual hosts using the is/HTTP/virt_host_<n> =
<host1>:port1;<host2>:<port2>;...; profile parameter, where <n> stands for numbers 0-9. The
profile parameter can be changed statically in the instance profile, or dynamically using
transaction RZ11. Transaction RZ11 also contains parameter documentation. Note that
parameter is/HTTP/virt_host_0 = *:*; is set and cannot be changed. As a result, if no other
virtual host is found, the default host number is 0. The default host shows up in the HTTP
service tree for transaction SICF as default_host . Initially, this was the only virtual server.
Each user accesses the tree that corresponds to the user’s virtual host. To avoid namespace
conflicts, all other hosts provided by SAP begin with SAP.
As of SAP NetWeaver AS 7.10, the ICM replaces the Java dispatcher in SAP NetWeaver AS for
Java. The ICM for SAP NetWeaver AS for Java can be configured using the profile of the Java
instance. The same options are available as for SAP NetWeaver AS for ABAP.
Transaction SMICM is not available on a Java system; therefore, the ICM is monitored using
the administration framework of the ICM.
The ICM administration framework is accessed using the http(s)://server:port/sap/admin
URL. For administrative access to the ICM administration framework, a special user is
necessary. These users are maintained in a text file, which defaults to /usr/sap/
<SID>/SYS/global/security/data/icmauth.txt . You can maintain this file using the
icmon program, which is installed in the exe directory of SAP NetWeaver AS. For more
information, go to http://help.sap.com and search for icmon.

© Copyright. All rights reserved. 108

 Lesson: Securing the Message Server and the Internet Communication Manager (ICM)

The SAP Management Console uses the administrative interface of the ICM to show
information regarding the ICM. To use this information, in SAP MMC, navigate to the ICM
node beneath the application server node.

SAP Message Server Security

Figure 95: Message Server Configuration Parameters

SAP Message Server is a system component that provides two services. The server manages
SAP communication between the application servers of a single SAP system and also
provides load-balancing information to clients, such as the SAP GUI. In standard installations
before SAP Release 7.0, both clients and application servers used the same message server
port for communication. As of Release 7.0, default installations automatically split the
message server port into an internal port (used for application server connections) and an
external port (used for end user connections). This is defined using the rdisp/mshost , rdisp/
msserv, and rdisp/msserv_internal profile parameters.
Without appropriate security measures, malicious programs on client machines can
potentially access the message server to disrupt application server communication. This can
potentially lead to privilege escalation. Therefore, SAP strongly recommends that you
implement the security measures to mitigate the risks of unauthorized SAP Message Server
access.

© Copyright. All rights reserved. 109

Unit 3: NetWeaver AS Security Operations

Figure 96: Message Server Available Ports

In addition to access restrictions for SAP Message Server, we recommend that you restrict
access to remote message server monitoring (ms/monitor = 0).

Message Server Access Control List (ACL)

The ms/acl_info parameter specifies a file with access rights to the message server
(default: /usr/sap/<SID>/SYS/global/ms_acl_info ; for Microsoft Windows, the file
extension must be .DAT).
If the file exists, it must contain all machine names, domains, IP addresses, and subnet masks
for the application servers that are allowed to log on to the message server. You can either list
the names or enter each name in a separate line. This file does not affect external clients that
only want to retrieve information from the message server, which is always possible.
The HOST entries must have the syntax: HOST= [*| ip_adr | host_name |
Subnet_mask | Domain ] [, ...].

HOST Entry Description

HOST=* All hosts are allowed

HOST=host1, host2 Logons allowed from host1 and host2

HOST=*.sap.com All hosts in the sap.com domain can log on

HOST=147.45.56.32 Hosts with this IP address can log on

HOST=147.45.56.* Hosts with this subnet can log on

Caution:
Set the file system access authorizations for the file to a value that prevents
unwanted modifications.

© Copyright. All rights reserved. 110

 Lesson: Securing the Message Server and the Internet Communication Manager (ICM)

You can read the file in transaction SMMS(SMMS Goto Security Settings Access
Control ).

LESSON SUMMARY
You should now be able to:

Secure the message server and the Internet Communication Manager (ICM)

© Copyright. All rights reserved. 111

 Unit 3
Lesson 6
Securing the SAP GUI

LESSON OVERVIEW
This lesson provides an overview of fundamental security measures on a front-end system.
The lesson also introduces the security features of SAP GUI for Microsoft Windows.

Business Example
To ensure the security of the front-end computer, you need to configure security features of
SAP GUI for Microsoft Windows. For this reason, you require an understanding of the
following:

Front-end security

Security settings of SAP GUI for Microsoft Windows

How to maintain security settings in SAP GUI for Microsoft Windows

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Secure the SAP GUI

© Copyright. All rights reserved. 112

 Lesson: Securing the SAP GUI

SAP GUI Security

Front-End Security

Figure 97: Front-End Security Overview

The figure, Front-End Security Overview, highlights the components of an SAP environment.
To ensure front-end security in an SAP environment, various measures must be taken at the
front end, such as operating system (OS) patching, virus scanner, and an intrusion prevention
system. To prevent SAP GUI for Microsoft Windows from performing operations that might
put the security of the workstation at risk, you can use the security settings of the SAP GUI
system.
SAP NetWeaver AS for ABAP-based SAP systems can access security-critical functionality on
SAP GUI user workstations with the permission of the user (for example, uploading or
downloading files, changing Microsoft Windows registry, and executing programs). SAP GUI
for Microsoft Windows 7.10 introduced the possibility of alerting users in the event of security
access from ABAP systems. The option of alerting users to security events can be enabled by
the security administration in the system but the users need to confirm the access requests.
This alerting option can lead to many security alerts.
SAP GUI for Microsoft Windows improves the granularity and flexibility of security event
handling. This improvement is implemented using configurable security rules. SAP GUI for
Microsoft Windows offers a default set of security rules that can be extended by customers.
This feature mitigates the risk of malicious attacks on SAP GUI for Microsoft Windows
workstations from ABAP systems that have been compromised.

© Copyright. All rights reserved. 113

Unit 3: NetWeaver AS Security Operations

Caution:
We strongly recommend implementing the following security measures:

Deploy the latest SAP GUI for Microsoft Windows version and patch level on
all the user workstations.

Activate SAP GUI for Microsoft Windows security rules using at least the
security rule setting Customized and default action Ask.

SAP GUI for Microsoft Windows – Security Settings

A default security configuration is delivered with SAP GUI for Microsoft Windows that
suppresses many potentially malicious actions and permits the actions that are required.
However, this configuration must be adapted to the requirements of your company. The SAP
GUI for Microsoft Windows security module supports the administrator both in creating a
configuration and in distributing this configuration file by providing a central repository.

SAP GUI for Microsoft Windows Security Module – Status Levels

The SAP GUI for Microsoft Windows security module has the following status levels:

Disabled

Customized

Strict Deny

If the status level is set to Disabled, no security checks take place. Each request received from
the back-end system to read, write, or execute a program is immediately executed. In this
case, the user is not aware that an action triggered by the back-end system is being
performed. Therefore, this setting involves the danger of undesirable actions that are
executed remaining undetected, which may cause damage.

Caution:
We recommend avoiding the Disabled status level. It is suitable only for
restricted system situations.

The Strict Deny status level denies the execution of each individual action triggered by the
back-end system unless explicitly permitted by a rule defined by SAP. The SAP rules permit,
for example, the user to call help for the application. In practice, it is often not possible to use
this setting because many SAP applications access resources on the client machine, such as
downloads, uploads, and the execution of programs.
The Customized status level is the default setting when you install SAP GUI for Microsoft
Windows. When a request for an action is received from a back-end system, SAP GUI for
Microsoft Windows searches the list of security rules entered to evaluate the request. The
security rules are processed in accordance with their order in the list.
Whenever a request to perform an action is received, SAP GUI automatically works through
the list of rules from top to bottom. If a suitable rule is found, SAP GUI terminates the search.
This means that rules below this point that may also apply are ignored. If there is a rule
relating to the requested action, SAP GUI proceeds as defined in this rule. If there are no
settings in the rules with regard to a particular action request, SAP GUI selects the default
action defined. The default action is usually the query dialog that lets the user decide whether

© Copyright. All rights reserved. 114

 Lesson: Securing the SAP GUI

to execute ( Default Action = Ask). However, you can also choose to permit action requests for
which there are no rules ( Default Action = Allow).

Security Rules

Figure 98: SAP GUI for Microsoft Windows – Security Rules

To create and manage the security rules, in the SAP GUI Options - SAP Logondialog box,
choose Security Settings . In SAP GUI, choose Customize Local
Layout Options Security Security Settings .
Security rules can have the following origins:

SAP

Administrator

User

Rules of SAP origin are created by SAP and installed together with SAP GUI for Microsoft
Windows. Neither users nor administrators can edit these rules or change their sequence.
These rules are taken into account only if the status has been set to Customized. These rules
protect important local objects that are required for the operation of SAP GUI for Microsoft
Windows. These objects include registry values or specific files that contain configuration
information.
Rules of Administrator origin are created by the administrator, who is responsible for
distributing SAP GUI for Microsoft Windows. A user cannot change these rules.
A user of SAP GUI for Microsoft Windows can create additional security rules of User origin
for the local working environment.

© Copyright. All rights reserved. 115

Unit 3: NetWeaver AS Security Operations

Rules can be generated by executing security-relevant actions if the status is set to

Customized and the default action is set to Ask. In this case, if there is no rule, a query is
shown (at the place where we define the rules) for the requested action. The options available
to the user depend on the action to be performed. For example, the system attempts to
execute a file on the client PC. If the user’s decision applies only to the current situation and
the user chooses Allow/Deny this one time , there are no consequences for future queries of
this type. However, if the user makes a permanent decision and chooses Always allow or
Always allow in this context , a security rule is automatically generated that corresponds
exactly to the present situation. This rule is added to the end of the existing list of rules and is
taken into account for subsequent requests of this type.
In a second variant of the query dialog box, there are two additional options (for example,
when uploading files using SAP GUI for Microsoft Windows): Always permit in this context for
this file type and Always permit for this file type . These two options also lead to the creation of
a security rule against which subsequent requests are checked. In this way, security rules can
be automatically generated while running the operation.

Hint:
You can also manually create rules in Security Settings . To do this, scroll down
the list of rules and select the empty entry at the bottom. The Insert button is
then active.

Administration of Security Settings

Security rules that are created for a large number of users or front ends are centrally stored in
a server by an administrator. The administrator can use the Microsoft Windows registry
values below the registry key [HKEY_LOCAL_MACHINE\Software\SAP\SAPGUI Front\SAP
Frontend Server\Security] to configure the behavior of the security module.

Note:
For more information, see SAP Library for SAP GUI for Windows Security Guide on
SAP Help Portal at http://help.sap.com .

To create a rule file as an administrator, you use the rule editor in the Security node of the
Options dialog box. The administrator then needs to copy the generated saprules.xml file from
the files system directory %APPDATA%\SAP\Common to the location specified in the
registry value.

Caution:
Do not replace the saprules.xml file in the installation directory of SAP GUI for
Microsoft Windows 7.30 or higher. This file is overwritten during a subsequent
installation, for example, by a patch.

LESSON SUMMARY
You should now be able to:

Secure the SAP GUI

© Copyright. All rights reserved. 116

 Unit 3
Lesson 7
Monitoring SAP Systems Security

LESSON OVERVIEW
This lesson describes how to use the security audit log to monitor SAP systems. It also
describes how to use the User Information System in the SAP system. In addition, it describes
the alert monitor.

Business Example
You want to monitor SAP systems using various SAP monitoring tools. For this reason, you
require an understanding of the following:

Security monitoring

Application Server ABAP (AS ABAP) and Application Server Java (AS Java) security audit
logs

How to set up the security audit log in ABAP and Java

How to configure the system trace

How to use security audit logs and the User Information System

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Monitor security in SAP systems

Monitoring Security
Security Monitoring Overview
SAP systems can become insecure if previously applied security configurations are reverted
or disabled. Security configuration monitoring is therefore recommended to regularly verify
applied security configurations (recommended at least once a month). Identified deviations
must be realigned. SAP offers various granularities for security configuration monitoring.
The configuration tools and techniques that can be set up through SAP Solution Manager are
as follows:

SAP EarlyWatch Alert service

EarlyWatch Alert (EWA) is a tool that monitors the essential administrative areas of SAP
components and keeps customers up to date on their performance and stability. As part of
EWA, SAP also provides selected checks on security-relevant configuration (including the
implementation status of relevant SAP Security Notes). For more information, see SAP
Note 863362 and SAP Library for SAP EarlyWatch Alert on the SAP Help Portal at http://
help.sap.com .

SAP Security Optimization Service (SOS)

© Copyright. All rights reserved. 117

Unit 3: NetWeaver AS Security Operations

SOS is designed to check the security of your SAP system. This service comprises a
system analysis and the resulting recommendations for system settings. It addresses
system and Customizing settings that impact system security. In addition, it focuses on
internal and external system security.
To improve the internal security, many critical authorization combinations are checked.
External security is improved by checking the access possibilities to your system and the
authentication methods used. This service checks the configuration of an SAP system on
predefined security topics. For more information, see SAP Library for SAP SOS on the SAP
Help Portal at http://help.sap.com .

SAP Computing Center Management System (CCMS)

CCMS is a general framework to monitor an SAP system and raise alerts for events. CCMS
can be customized to monitor security-critical settings and alert you in the event of
changes.

SAP Solution Manager Diagnostics (SMD)

SMD Configuration Validation Reporting delivers a generic framework to verify
configurations of connected managed SAP systems. This framework is used to define
expected system configurations according to policies and guidelines and compare them
against the actual configuration of managed SAP systems. For more information about
Configuration Validation, see SAP Library on SAP Help Portal at http://help.sap.com .

Recommended Security Measures for SAP Systems

To ensure that SAP systems are secure, the following security measures are recommended:

Define which security configurations must be monitored.

Implement a solution to monitor relevant security configurations and provide an alert in

the event of deviations.

SAP NetWeaver AS for ABAP Security Audit Log

Figure 99: Security Audit Log – Audit Log Event Filter

© Copyright. All rights reserved. 118

 Lesson: Monitoring SAP Systems Security

The security audit log is a tool designed for auditors who need to take a detailed look at what
occurs in the SAP system. By activating the audit log, you keep a record of those activities in
SAP NetWeaver AS for ABAP-based systems that you consider relevant for auditing. This
information is recorded daily in an audit file on each application server. To determine the
information to be written in this file, the audit log uses filters stored in the memory in a control
block, which is used to save the audit logs in the memory.
When an event occurs that matches an active filter (for example, a transaction starts), the
audit log generates a corresponding audit message and writes the message to the audit file. A
corresponding alert is sent to the CCMS alert monitor. Details of the events are provided in
the audit analysis report of the security audit log.
The security audit log is active only if you use transaction SM19to maintain and activate the
profiles.
In the profile parameter FN_AUDIT, the eight + symbols represent the date, which is
automatically substituted with the current date by the system.
If rsau/max_diskspace/per_file is used, the rsau/local/file parameter is no longer
valid and is not analyzed. Instead, the parameters DIR_AUDIT and FN_AUDIT are used. The
rsau/max_diskspace/per_file parameter defines the maximum size of a single security
audit file.
The rsau/max_diskspace/local parameter specifies the maximum size of a security audit
file. If this size is reached, then the system logging of audit events is completed.
The rsau/selection_slots parameter specifies the number of selection units that are set
using transaction SM19and checked by the system during processing of filters to allow for the
security audit log.

Information Recorded in the Security Audit Log

Successful and unsuccessful dialog logon attempts

Successful and unsuccessful Remote Function Call (RFC) logon attempts

RFC calls to function modules

Successful and unsuccessful transaction starts

Successful and unsuccessful report starts

Changes to user master records

Changes to the audit configuration

Caution:
The security audit log contains personal information that may be protected by
data protection regulations. Before using the security audit log, ensure that you
adhere to the data protection laws that apply to your area of application.

You can specify the information you want to audit in filters, with which you can do one of the
following:

Create and save permanently in the database in static profiles

© Copyright. All rights reserved. 119

Unit 3: NetWeaver AS Security Operations

You use this procedure to create profiles of security audit filters in the database of SAP
NetWeaver AS for ABAP. All nodes of a cluster use identical filters for determining which
events to record in the audit log. You create profiles for different auditing scenarios. Once
activated, the SAP NetWeaver AS for ABAP loads the profile when the system starts. The
SAP NetWeaver AS for ABAP uses the filters defined in the profiles to write events to the
security audit log. By default, no security audit log is activated. To create some statics
profiles, you must set the profile parameter rsau/enable and restart the system.

Change dynamically on one or more application servers

You use this procedure to change the filter settings currently in use, without having to
restart the SAP NetWeaver AS for ABAP. The system distributes these changes to all
active application servers.

To determine what you want to audit, you create the selection criteria by calling transaction
SM19.
For each selection criterion that you want to define, choose the user, audit classes, client, and
security levels. The security levels selected specify the levels of events (audit messages) to be
included in the audit log. Messages with the chosen level and higher levels are included in the
log.
For example, if you select low, then all the messages with a security level of low, average, and
high are included in the selection. If you select high, only high-level messages are included.
High-level messages and the Only Critical option describe events involving a high-level
security risk, such as unauthorized access attempts. All audit events are defined in the
system log messages with the prefix “AU”. You can view the assignment of the events to audit
classes and security levels using the system log message maintenance (transaction SE92).
You can also modify these definitions.
For the client and user entries, you can use * as a wildcard for all clients or users. If by default
a partially generic entry, such as 0* or ABC*, is not possible, you can activate the profile
parameter rsau/user_selection . This enables the use of ABAP patterns asterisk (*) for
any character string, plus sign (+) for any single character, and number sign (#) to escape
wildcards, spaces at the end of strings, and so on. Otherwise, only the asterisk (*) is a
wildcard.
For each selection criteria you apply to your audit, you select the Selection Active tab page.
After specifying the selection criteria, save the data. For the application server to use the
profile at the next server start, choose Profile Activate . The name of the active profile
appears in the Active Profile field.

© Copyright. All rights reserved. 120

 Lesson: Monitoring SAP Systems Security

Figure 100: Security Audit Log – Audit Configuration Selection Criteria

The figure, Security Audit Log – Audit Configuration Selection Criteria, shows the initial
screen for the security audit logs. For each selection criteria that you want to define, choose
the client, user names, audit classes, and events.
The events selection specifies the levels of events (audit messages) that you want to include
in the audit log. Messages with the chosen level and higher levels are included in the log. If you
select All, all messages with a security level of low, average, and high are included in the
selection. If you select Only Critical , only high-level messages are included.

Figure 101: Security Audit Log: Security Audit Profile Parameters

© Copyright. All rights reserved. 121

Unit 3: NetWeaver AS Security Operations

The security audit log is active only if you use transaction SM19to maintain and activate the
profiles. Set the profile parameters as shown in the figure, Security Audit Log: Security Audit
Profile Parameters.
To display the profile parameters in transaction SM19, choose Environment Profile
parameter . Auditing is activated only if the rsau/enable parameter is set. Audit profile
activation is also achieved by dynamically activating an audit profile in transaction SM19.
In the profile parameters DIR_AUDIT and FN_AUDIT, describe the path and name of the audit
files. The eight + symbols represent the date, which is automatically substituted with the
current date by the system.
The rsau/max_diskspace/per_file parameter specifies the maximum size of one
security audit file. If this size is reached, the system creates the next file. For example, you
could restrict the size to 650 MB to fit one file on one CD during archiving.
If the rsau/max_diskspace/per_file parameter is set to 0, parameters rsau/local/
file and rsau/max_diskspace/local are valid and analyzed.

Figure 102: Security Audit Log: Audit Log Transaction SM20N

The security audit log produces a report on the activities that have been recorded in the audit
file. You can analyze a local server, a remote server, or all servers in your SAP system.
To display the initial screen, run transaction SM20or transaction SM20N, starting with Release
6.10. The initial screen is designed in a similar way to the system log (transaction SM21).
The following information is provided on the initial screen:

Time

Work process

Client

© Copyright. All rights reserved. 122

 Lesson: Monitoring SAP Systems Security

User

Transaction code

Terminal ID

Message number

Text describing event

Security Audit Log – Audit Log Details

Figure 103: Security Audit Log: Audit Log Details

The limitations of the security audit log are as follows:

An RFC has no terminal.

The Microsoft Windows Terminal Server maps all events to a single terminal ID.

The time, user ID, and transaction code are displayed in the audit log. You can identify the
terminal ID and track the hacker, as shown in the figure, Security Audit Log: Audit Log Details.
The text in the figure provides the reason for the unsuccessful logon.

Note:
For more information, see SAP Note 173743.

© Copyright. All rights reserved. 123

Unit 3: NetWeaver AS Security Operations

SAP NetWeaver AS for Java Security Audit Log

Figure 104: SAP NetWeaver AS for Java Security Audit Log

The security audit log of the SAP NetWeaver AS for Java contains a log of important security
events, such as successful and failed user logons and the creation or modification of users,
groups, and roles.
This information is used by auditors to track changes made in the system. By default, the log
files are available at /usr/sap/<SID>/<Instance>/j2ee/cluster/serverX/
security_audit.X.log . They can be viewed with SAP NetWeaver Administrator, in the log
viewer.

Note:
For more information, see SAP Library for SAP NetWeaver online documentation
on the SAP Help Portal at http://help.sap.com and search for the security audit
log of the SAP NetWeaver AS for Java.

User Information System

You can use the User Information System (transaction SUIM) to obtain an overview of the
authorizations and users in your SAP system at any time using the search criteria that you
define. In particular, you can display lists of users with critical authorization.

Hint:
To explicitly search for authorizations that contain the full authorization asterisk
(*), you need to enter a number sign (#) before the asterisk, that is, #*.
Otherwise, the system searches for any values.

Functions of the User Information System

Compare roles and users.

Display change documents for the authorization profile of a user.

Display the transactions contained in a role.

© Copyright. All rights reserved. 124

 Lesson: Monitoring SAP Systems Security

Create where-used lists.

Note:
You must regularly check the lists that are important. Define a monitoring
procedure and corresponding checklists to ensure that you continually review
your authorization plan. Determine which authorizations are critical and regularly
review which users have these authorizations in their profiles.

You access the User Information System by running transaction SUIM. You can find the
elements of the authorization system using various selection criteria.

Figure 105: User Information System: Transaction SUIM

The User Information System provides an overview of user master records, authorizations,
profiles, roles, and change dates.
You can display lists to answer the following questions:

What authorization rights are assigned to the users?

What changes have been made to the authorization profile of a user?

Which roles contain a particular transaction?

Table 12: ABAP Standard Reports and Features

You can use the following ABAP standard reports to access the user information directly:

© Copyright. All rights reserved. 125

Unit 3: NetWeaver AS Security Operations

ABAP Standard Report Features

RSUSR004 Restricts user values to the simple profiles
and authorization objects.
RSUSR007 List users whose address data is incomplete
RSUSR012 Search authorizations, profiles, and users
with specified object values
RSUSR020 Profiles by complex selection criteria
RSUSR030 Authorizations by complex selection criteria
RSUSR040 Authorization objects by complex selection
criteria
RSUSR050 Comparisons
RSUSR060 Where-used lists
RSUSR061 Enter authorization fields
RSUSR100 Change documents for users
RSUSR101 Change documents for profiles
RSUSR102 Change documents for authorizations
RSUSR200 List of users according to logon date and
password change
RSUSR300 Set external security name for all users

System Trace

Figure 106: System Trace: Special Recording

Use the system trace transaction ST01 to track several types of operations in an SAP system.

© Copyright. All rights reserved. 126

 Lesson: Monitoring SAP Systems Security

The following components can be monitored using the SAP system trace:

Authorization checks

Kernel functions

Kernel modules

Database accesses (SQL trace)

Table buffers

RFC calls

Lock operations (client side)

The last four components can be monitored using performance analysis (transaction ST05).
There are two ways of selecting the traces you want to display. On the initial screen, you can
select the components to be logged and additional filters, if required. You can reuse the filters
and restrictions from the traces that have these settings when the traces are evaluated.
You must start tracing by setting the trace options that you require on the trace options
screen. If you start from the set menu on the main screen, then your trace includes all the
active users, which can affect system performance.
The system trace function only traces the internal SAP system activity of the local application
server to which you are currently logged on. The system trace function only works if it can
write to the trace file in the instance log directory at operating system level, for
example: /usr/sap/DVEBMGS00/log . Ensure that there is enough disk space, and that
access authorizations are set correctly.
If you want to protect a trace from being overwritten later, choose Goto Save from the
menu. On the next screen, you can create a short text for a trace and choose whether the new
file that is created specifically for this trace must be automatically created, or whether you
want to specify a file name yourself. If you do not specify an absolute path, a file of this name
is created in the log directory. In the case of automatic file creation, the system determines
the file name and stores the file in the log directory. Unlike in a manually created file, the F4
help can be used to search for the file from the analysis screen, which is an advantage.

Note:
If you choose automatic creation, you can delete the file again in this transaction
(use the Delete button on the analysis screen). This is not possible if you specify a
file name manually. If you want to delete this file, you need to delete it at the
operating system level.

To display a trace, choose Analyze. You can obtain more information about any entry by
selecting that entry.

© Copyright. All rights reserved. 127

Unit 3: NetWeaver AS Security Operations

Alert Monitor

Figure 107: Alert Monitor: Current Administrator Concerns

The monitoring architecture, a solution within SAP NetWeaver, centrally monitors any IT
environment, from individual systems through networked SAP NetWeaver solutions, to
complex IT landscapes incorporating several hundred systems. The monitoring architecture
is provided in SAP NetWeaver and can be used immediately after installation. You can easily
extend the architecture to include SAP and non-SAP components.
Alerts form a central element of monitoring. Alerts quickly and reliably report errors, such as
values exceeding or falling below a particular threshold value or that an IT component has
been inactive for a defined period of time. These alerts are displayed in the Alert Monitor; this
reduces the system administration workload because the system administrator now only
needs to watch the error messages instead of endless system data. The Alert Monitor is
therefore the central tool with which you can efficiently administer and monitor distributed
SAP NetWeaver solutions or client and server systems. The Alert Monitor displays problems
quickly and reliably to ensure that the appropriate analysis tool is used at the right time.
The following features are listed under the security section of the monitoring tree:

Logon

RFC logon

Transaction start

Report start

RFC call

User master records

System

© Copyright. All rights reserved. 128

 Lesson: Monitoring SAP Systems Security

Miscellaneous

Figure 108: Alert Monitor: Alert Monitoring Tree

The Alert Monitor checks various components of your SAP system. Use transaction RZ20 to
call the Alert Monitor.
The Alert Monitor uses thresholds and rules to generate alerts whenever an abnormal
condition occurs in your SAP system or its environment. Alerts direct your attention to critical
situations. The Alert Monitor reports alerts up through the monitoring tree. The color of a
monitoring tree element (MTE) always represents the highest alert in all MTEs in its branch.
Some screen elements in the alert monitoring tree are as follows:

The open Alerts view shows what has happened in the system since it was last checked.

The current status view shows the most recent values.

The display Alert shows the history of the alert values.

Any problems or errors are displayed in red. Warnings are displayed in yellow. According to
the threshold values, green means that there are no problems. You can use properties to
customize the threshold values for red and yellow alerts. To start the analysis tool, you
double-click the alert text that you want to analyze. To display information about certain types
of alert, select the checkbox next to the alert and then choose display detailed Alerts . The
complete Alert button resets the alerts displayed on the screen.

LESSON SUMMARY
You should now be able to:

Monitor security in SAP systems

© Copyright. All rights reserved. 129

 Unit 3
Lesson 8
Describing Application Lifecycle Management

LESSON OVERVIEW
This lesson describes some aspects to take into account when planning your maintenance
activities and changes that the SAP HANA environment brings.

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Describe SAP Patch Day and SAP Solution Manager

Describe the process of moving to SAP HANA-based SAP NetWeaver systems

SAP Patch Day and SAP Solution Manager

Figure 109: SAP Patch Day Information

© Copyright. All rights reserved. 130

 Lesson: Describing Application Lifecycle Management

Figure 110: SAP Solution Manager and SAP Patch Day Information

Figure 111: SAP Solution Manager System Recommendations (1/4)

© Copyright. All rights reserved. 131

Unit 3: NetWeaver AS Security Operations

Figure 112: SAP Solution Manager System Recommendations (2/4)

Figure 113: SAP Solution Manager System Recommendations (3/4)

© Copyright. All rights reserved. 132

 Lesson: Describing Application Lifecycle Management

Figure 114: SAP Solution Manager System Recommendations (4/4)

SAP HANA-Based SAP NetWeaver Systems

Integrated Database User Management
As of SAP NetWeaver Application Server ABAP 7.40 it is possible to manage database users
from ABAP user management.

Figure 115: Database User Management within SU01

Currently the possibility to manage DBMS users is implemented only for SAP HANA as
database system. It is however possible to connect any other database system that is
supported by the SAP NetWeaver AS ABAP by a customer implementation of the class
interface IF_DBMS_USER. The implementation for SAP HANA is done in class
CL_DBMS_USER_HDB.
SAP NetWeaver AS ABAP and the DBMS have independent security policies. You can create
all possible security policies in SAP NetWeaver AS ABAP to match any security policy in SAP
HANA. You cannot create all possible security policies in SAP HANA to match any security
policy in SAP NetWeaver AS ABAP.

© Copyright. All rights reserved. 133

Unit 3: NetWeaver AS Security Operations

Figure 116: Database Connection Configuration with DBCO

For managing users in the HANA database, you need to provide the connection details in
transaction DBCO. One HANA user needs to be provided with the following privileges:

System privileges: CATALOG READ, ROLE ADMIN, USER ADMIN

Object privileges: EXECUTE for the procedures GRANT_ACTIVATED_ROLE,

REVOKE_ACTIVATED_ROLE

Figure 117: Maintenance View USR_DBMS_SYSTEM

The next configuration step requires that you specify the ABAP client where the database
users will be managed. This can be done in transaction SM30 (maintenance view
USR_DBMS_SYSTEM).

© Copyright. All rights reserved. 134

 Lesson: Describing Application Lifecycle Management

Figure 118: Report RUSR_DBMS_USERS

The mass maintenance for database users can be done by calling report
RUSR_DBMS_USERS.

Core Data Services Authorizations

The new ABAP dictionary objects allows a programmer to push down to the database the
authorization checks. This will change drastically the way that authorizations for reading/
writing data are designed.

Figure 119: Transaction SACM

In Access Control Management (transaction ACM) you can review the existing Access
Controls and run troubleshooting tools.

© Copyright. All rights reserved. 135

Unit 3: NetWeaver AS Security Operations

Figure 120: Access Controls for Core Data Services Views

To find out which Access Controls you can also query table TADIR for all objects with type
DCLS. An S/4 release 1610 system contains more than 1.600 access controls. One example
for their usage is when you wish to expose a CDS view directly through a Fiori application.

Figure 121: Example of an Access Control

The Access Control objects can be maintained only with ABAP DevelopmentTools for Eclipse.

Figure 122: Example of an Access Control with ABAP Authorization Objects

An ABAP programmer has the option to reuse existing ABAP authorization objects instead of
filtering accesses based on column values provided by the CDS view.

LESSON SUMMARY
You should now be able to:

Describe SAP Patch Day and SAP Solution Manager

Describe the process of moving to SAP HANA-based SAP NetWeaver systems

© Copyright. All rights reserved. 136

 Unit 3
Lesson 9
Segregating System Administration Duties

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Describe how to prevent system administrators from accessing sensitive data

Segregation of System Administration Duties

Figure 123: Critical Authorizations for DBA Administration in DBACOCKPIT (1/2)

Common administration and monitoring activities require access to the DBACOCKPIT tool,
but nevertheless the ability to run queries in the SQL editor should not allow a database
administrator to access sensitive data. ABAP authorizations can help on this but at the
database level several solutions are available. For example, the SAP S/4HANA installation
procedure generates a DBACOCKPIT user with limited authorizations. The DBACOCKPIT user
can be configured for the connection between the ABAP database monitoring tools and the
HANA layer.

© Copyright. All rights reserved. 137

Unit 3: NetWeaver AS Security Operations

Figure 124: Critical Authorizations for DBA Administration in DBACOCKPIT (2/2)

LESSON SUMMARY
You should now be able to:

Describe how to prevent system administrators from accessing sensitive data

© Copyright. All rights reserved. 138

 Unit 3
Lesson 10
Managing Transport Management System
Users

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Enforce non-standard passwords for the Transport Management System

Change and Transport System Security

Verifying the TMSADM User

Figure 125: Report RSUSR003

The Transport Management System configuration automatically generates the user

TMSADM, in older versions this user had a well know password. To check if the old password
still exists you can use report RSUSR003 to verify user TMSADM.

© Copyright. All rights reserved. 139

Unit 3: NetWeaver AS Security Operations

Setting the TMSADM Password

Figure 126: STMS Initial Configuration

Recent versions of SAP Netweaver AS ABAP request a password for the user TMSADM while
configuring the Transport Management system. Older or non-updated versions do not
prompt at all or allow old standard passwords to be kept.

Figure 127: Report TMS Update PWD OF TMSADM

Report TMS_UPDATE_PWD_OF_TMSADM allows you to update the TMSADM password in

the generated RFC destinations. If you are using domain links please refer to note 1801805 for
further information.

LESSON SUMMARY
You should now be able to:

Enforce non-standard passwords for the Transport Management System

© Copyright. All rights reserved. 140

 Unit 3
Lesson 11
Monitoring Security with SAP Solution
Manager

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Analyze the security monitoring capabilities of SAP Solution Manager

EarlyWatch Alert (EWA)

Business Example
You are working as an administrator responsible for security configurations. Switching to
several SAP systems for parameter validations can be time-consuming. Using reports from a
central position in an SAP landscape gives you an insight into a variety of security-relevant
configurations. For this reason, you require an understanding of the following:

The capabilities of EarlyWatch Alert (EWA)

The Security Optimization Service (SOS)

The Configuration Validation feature of SAP Solution Manager

The capabilities of Solution Manager Parameter Reporting

How to use the parameter reporting feature of SAP Solution Manager.

EarlyWatch Alert (EWA)

Monitoring a system landscape is a complex task of significant importance for every company
that operates one or more SAP systems. The complexity increases with every additional
system, component, or extension. SAP Solution Manager, SAP’s service and support
platform, helps you efficiently implement, monitor, and operate SAP security-relevant
parameters throughout the SAP system landscape. There are several methods, tools, and
service offerings by SAP to provide fine grain monitoring capabilities and recommendations
for security improvements.
The Computer Center Management System (CCMS) monitoring architecture is used as a
basis to collect information in the landscape from the SAP system. It offers a flexible
framework into which extensive monitoring and administration functions can be easily added.
The elements of the monitoring architecture function are largely independent of each other.
These elements can be further developed and adjusted independently of each other. Based
on the monitoring architecture, the CCMS in SAP Solution Manager, SAP’s service and
support platform, ensures central and efficient monitoring of SAP.
SAP EarlyWatch is a special service in SAP Solution Manager systems offered for regular,
proactive system diagnosis. With EarlyWatch Alert (EWA), SAP offers the customer a
proactive service that identifies standard problems before they become acute. Suitable
countermeasures are recommended in the resulting reports.

© Copyright. All rights reserved. 141

Unit 3: NetWeaver AS Security Operations

The EarlyWatch family includes EWA on each of the production systems and SAP EarlyWatch
on Solution Manager as a remote service.

Hint:
EWA identifies potential security problems at an early stage. The underlying
concept of EWA is to ensure smooth operation of individual SAP systems by
keeping you informed of their status. In addition, it allows you to take action
before severe technical problems occur.

EWA is a diagnostic tool to monitor your most important business processes and systems.
EWA helps to identify potential problems early, avoid bottlenecks, and monitor the
performance of your systems. Using this mechanism, the security status can be validated for
a predefined set of parameters on a weekly basis. The EWA report also displays an alert when
security-critical SAP Notes are missing or are not applied on the analyzed system.
EWA is included in the maintenance agreement with SAP at no extra cost. By running and
monitoring EWA, you can increase system stability, performance, and security for your entire
solution landscape. EWA monitors solutions in SAP and non-SAP systems in SAP Solution
Manager. SAP Solution Manager processes the EWA reports.

EWA Functionalities
Depending on the status of your system, EWA triggers services such as SAP EarlyWatch
Check. SAP EarlyWatch Checks are automatically triggered by EWA in cases of red flags in
EWA. SAP EarlyWatch Check is performed over a remote connection by a technical service
engineer. Your system is analyzed during the service. The service engineer also diagnoses
particularly complex problems and develops solutions. Each productive system is entitled to a
maximum of two SAP EarlyWatch Checks per year within your maintenance agreement with
SAP (valid for SAP customers with Standard Support agreement).

Security Optimization Service (SOS)

SAP SOS is designed to verify and improve the security of SAP systems. SAP SOS identifies
potential security issues and recommends mitigation strategies. This service comprises a
system analysis and the resulting recommendations for system settings. It addresses system
and Customizing settings that impact your system security. SAP SOS focuses on internal and
external system security.
To improve internal security, many critical authorization combinations are tested. External
security is improved by checking the methods of accessing your system and checking the
authentication methods used. To prepare the session, a questionnaire must be completed.
The results of the tests on various system components are used to produce
recommendations for optimizing the configuration of the system or component being
analyzed.

Hint:
SAP SOS can be used at any time. The best time is during the end of the go-live
phase. The service is also useful when preparing for internal and external audits.
It can be rerun to confirm that the applied changes in the system configuration
have been successful and that no new vulnerabilities have appeared.

© Copyright. All rights reserved. 142

 Lesson: Monitoring Security with SAP Solution Manager

The underlying concept of SAP SOS is to ensure smooth operation of your SAP solution by
taking action before severe security problems occur. This test consists of hundreds of checks
based on the SAP Security guidelines and the knowledge of the SAP Security consultants.

Figure 128: SOS Process Flow

Configuration Validation
With Configuration Validation within SAP Solution Manager, SAP offers a tool to validate
various kinds of software configuration items. Configuration Validation helps to standardize
and harmonize configuration items within the ABAP and Java systems, using a single
configuration item repository within SAP Solution Manager. Configuration Validation uses the
centrally stored configuration data to validate a large number of systems using a subset of the
collected configuration data.
The following questions must be answered:

Are all systems at a certain operating system patch level or database patch level?

Have the security policies been applied?

Are the security default settings in place?

To answer these questions, a target system can be defined as a reference system for
comparing values. This target system can be either a real system or a virtual set of manually
maintained configuration items. Based on this reference system, settings are compared in a
consistency check. For some settings, such as STANDARD_USERS and the SAP NetWeaver
Gateway configuration, additional predefined checks can be performed, which are not
consistency-based.
For more information about SAP Solution Manager 7.20, go to https://blogs.sap.com/
2017/03/07/solution-manager-update-new-media-center-for-solman-7.2/ .

© Copyright. All rights reserved. 143

Unit 3: NetWeaver AS Security Operations

LESSON SUMMARY
You should now be able to:

Analyze the security monitoring capabilities of SAP Solution Manager

© Copyright. All rights reserved. 144

 Unit 3

Learning Assessment

1. Security rules can have which of the following origins?

Choose the correct answers.

X A SAP

X B Customized

X C Administrator

X D User

2. In Application Server ABAP (AS ABAP) and Application Server Java (AS Java) based
systems, several standard users, with preconfigured authorizations, are available directly
after installation.
Determine whether this statement is true or false.

X True

X False

3. What are the available user types in SAP NetWeaver Application Server (AS) for ABAP?
Choose the correct answers.

X A Workflow

X B Dialog

X C System

X D User Administrator

© Copyright. All rights reserved. 145

Unit 3: Learning Assessment

4. Which of the following password rules in Application Server ABAP (AS ABAP) are defined
by the customer?
Choose the correct answers.

X A First three characters may not be identical

X B Minimum length

X C First character cannot be ! or ?

X D Special characters and digits

5. What can you do to enforce secure connection from SAP GUI users, but allow some
exceptions?

6. Which protocols can be secured with Secure Network Communications?

Choose the correct answers.

X A DIAG

X B SOAP

X C RFC

X D HTTP

7. Where can you maintain the list of non-allowed passwords in SAP Netweaver AS for
ABAP?
Choose the correct answers.

X A Transaction SM63for table USR40

X B Transaction SM30for table MARA

X C Transaction SM30for table USR40

X D Transaction SE45 for table USR42

8. When running an operative system command from SAP Netweaver AS for ABAP which
authority is applied?

© Copyright. All rights reserved. 146

 Unit 3: Learning Assessment

9. When using transaction SECPOLto set password complexity, you need to restart the SAP
system for the changes to take effect.
Determine whether this statement is true or false.

X True

X False

10. Which types of ABAP users can use a logon screen?

Choose the correct answers.

X A Reference

X B Communication

X C Dialog

X D Service

11. How can you reset the password for user icmadm?

12. How can you avoid exposing the message server?

13. In which transactions can you start an ABAP authorization trace?

Choose the correct answers.

X A SE80

X B ST01

X C STAUTHTRACE

X D SM45

© Copyright. All rights reserved. 147

 Unit 3

Learning Assessment - Answers

1. Security rules can have which of the following origins?

Choose the correct answers.

X A SAP

X B Customized

X C Administrator

X D User

Correct! Security rules can come from the administrator, the user, or SAP.

2. In Application Server ABAP (AS ABAP) and Application Server Java (AS Java) based
systems, several standard users, with preconfigured authorizations, are available directly
after installation.
Determine whether this statement is true or false.

X True

X False

Correct! In AS ABAP- and AS Java-based systems, several standard users, with

preconfigured authorizations, are available directly after installation.

3. What are the available user types in SAP NetWeaver Application Server (AS) for ABAP?
Choose the correct answers.

X A Workflow

X B Dialog

X C System

X D User Administrator

Correct! The available user types are dialog and system.

© Copyright. All rights reserved. 148

 Unit 3: Learning Assessment - Answers

4. Which of the following password rules in Application Server ABAP (AS ABAP) are defined
by the customer?
Choose the correct answers.

X A First three characters may not be identical

X B Minimum length

X C First character cannot be ! or ?

X D Special characters and digits

Correct! The minimum length and the special characters and digits are defined by the
customer in AS ABAP.

5. What can you do to enforce secure connection from SAP GUI users, but allow some
exceptions?

Use parameter snc/accept_insecure_gui = U .

Correct! Use parameter snc/accept_insecure_gui = U .

6. Which protocols can be secured with Secure Network Communications?

Choose the correct answers.

X A DIAG

X B SOAP

X C RFC

X D HTTP

Correct! DIAG and RFC can be secured with SNC.

7. Where can you maintain the list of non-allowed passwords in SAP Netweaver AS for
ABAP?
Choose the correct answers.

X A Transaction SM63for table USR40

X B Transaction SM30for table MARA

X C Transaction SM30for table USR40

X D Transaction SE45 for table USR42

Correct! You can maintain the list of non-allowed passwords in SAP Netweaver AS for
ABAP in transaction SM30for table USR40.

© Copyright. All rights reserved. 149

Unit 3: Learning Assessment - Answers

8. When running an operative system command from SAP Netweaver AS for ABAP which
authority is applied?

The authority of operative system user <sid>adm.

Correct! The authority of operative system user <sid>adm is applied.

9. When using transaction SECPOLto set password complexity, you need to restart the SAP
system for the changes to take effect.
Determine whether this statement is true or false.

X True

X False

Correct! Only RZ10 requires a restart.

10. Which types of ABAP users can use a logon screen?

Choose the correct answers.

X A Reference

X B Communication

X C Dialog

X D Service

Correct! Dialog and service users can use a logon screen.

11. How can you reset the password for user icmadm?

In the command prompt, start program icmon with option -a.

Correct! In the command prompt, start program icmon with option -a.

12. How can you avoid exposing the message server?

Write an ACL into the file ms_acl_info.

Correct! Write an ACL into the file ms_acl_info.

© Copyright. All rights reserved. 150

 Unit 3: Learning Assessment - Answers

13. In which transactions can you start an ABAP authorization trace?

Choose the correct answers.

X A SE80

X B ST01

X C STAUTHTRACE

X D SM45

Correct. You can start an ABAP authorization trace in transactions ST01 and
STAUTHTRACE .

© Copyright. All rights reserved. 151

 UNIT 4 Basics of
Authentication and
Single Sign-On

Lesson 1
Discussing Authentication for SAP NetWeaver AS 153

Lesson 2
Discussing Authentication for SAP Netweaver AS Java 157

Lesson 3
Discussing Single Sign-On with Active Directory 161

Lesson 4
Discussing Single Sign-On with SAP Logon Tickets 166

UNIT OBJECTIVES

Activate session security

Adapt the logon procedure for SAP NetWeaver Java systems

Customize the SAP logon ticket issued by SAP NetWeaver Java systems

Configure an SAP Netweaver ABAP AS for Single Sign on with Active Directory

Configure an SAP NetWeaver Java AS for single sign-on with SAP logon tickets

© Copyright. All rights reserved. 152

 Unit 4
Lesson 1
Discussing Authentication for SAP NetWeaver
AS

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Activate session security

Session Handling
Stateful Web applications store the application state on the application server. During
communication, only the key to this state is included with each request. The key to the state is
also called session identifier or short session ID. In general, the session ID can be transferred
as a cookie, through a URL parameter, or as a hidden form field.
In addition to the application state, a security state and a corresponding security session may
exist. A security session starts with logging on to the system and ends with logging off the
system. SAP security session IDs are transmitted only through non-persistent cookies.
An attacker can obtain the session ID of the victim and can then act on behalf of the victim,
with the complete set of the victim’s authorizations in the attacked system.

Types of Session Attack

The following types of attack exploit session-handling vulnerabilities:

Session Hijacking
During this type of attack, the attacker steals a valid session ID of the victim. The attacker
then sends a request with this session ID to the server. This can be performed, for
example, by sniffing the network traffic. In some scenarios, the session ID is a part of the
URL. URLs with session IDs can be hijacked if the victim stores the URL in the bookmarks
or sends the URL through e-mail. Assuming the session ID is still valid, the attacker can
act with the full set of the victim’s authorizations.
Session Fixation
During this type of attack, the attacker sets the session ID for a certain user before the
user is authenticated by the application. This can be done by manipulating the URL that is
used by the user to access the Web application. As a result, after user authentication,
both the attacker and the victim know the session ID and can work on the system under
the same user ID.
Session Riding
With this type of attack, the attacker uses the victim’s user agent to send requests to an
application server, resulting in undesired and potentially harmful actions. We strongly
recommend that you implement the session security settings on production systems to
improve session security.

© Copyright. All rights reserved. 153

Unit 4: Basics of Authentication and Single Sign-On

Session Security
Generally, an ABAP-based application server uses the sap-contextid cookie for identifying
both the application session and the security session.

Session Security Measures

HTTP security session management uses a new, separate cookie to identify the security
session (SAP_SESSIONID_<sid>_<client>). A security session ID and the resultant value of
the SAP_SESSIONID_<sid>_<client> cookie changes upon authentication and programmatic
re-authentication. For more information, see SAP Note 1322944. Before activating the HTTP
security session management on an AS ABAP-based system that is accessed from an SAP
NetWeaver Portal, you must apply SAP Note 1471069 to the portal.
SAP NetWeaver AS for Java uses the JSESSIONID session cookie for identifying application
and security sessions. A specific protection mechanism was developed that adds an
additional session identifier named JSESSIONMARKID. If this security mechanism is
activated, the security session is identified using the additional non-persistent cookie
JSESSIONMARKID. The JSESSIONMARKID cookie changes after authentication and
programmatic re-authentication, which counters session fixation and hijacking attacks. The
SessionIdRegenerationEnabled Java parameter is available in SAP NetWeaver 6.40 and
higher releases.
To avoid the risk of session cookies being hijacked in the network, we recommend that you
use HTTPS for all browser access from end users to SAP software systems. To prevent a
browser transmitting a session cookie over an unencrypted HTTP communication channel,
the secure cookie attribute for session cookies must be set.
For more information about how to set the SystemCookiesHTTPSProtection attribute for
Java, see SAP Note 1449940. The settings are available in SAP NetWeaver 6.40 and higher
releases.
For ABAP systems, you set parameter login/ticket_only_by_https = 1. This parameter is
available in SAP NetWeaver AS 6.10 and higher releases. After enabling this attribute, if
system cookies are required to make the application work, plain HTTP connections will no
longer work. For more information about best practices when activating the recommended
secure session handling, see SAP Note 1531399. Careful regression tests need to be
performed for modified SAP programs and custom applications after applying session
security and HTTPS protection measures.

HTTP Security Sessions

Drawbacks of Logon Tickets with SSO
Currently, logon tickets cause the following known drawbacks with Single Sign-On (SSO):

Security Issues

URLs containing sap-contextid allow access to protected resources (session

hijacking).

A stolen logon ticket (the MYSAPSSO2 cookie) allows a different user to create a new
session, even after the legitimate user has successfully logged off.

Functional Aspects

No automatic logoff is possible (inactivity timeout).

© Copyright. All rights reserved. 154

 Lesson: Discussing Authentication for SAP NetWeaver AS

Validity of logon tickets is fixed (defined by ticket issuer, default: eight hours).

Sessions cannot be terminated on the server side (for example, by an administrator).

Options to log off are only provided by SAP NetWeaver Portal (Distributed Session
Manager (DSM) Terminator).

Robustness

Conflicts with other systems that also set the MYSAPSSO2 cookie (cookie is set with
the same name domain-wide).

HTTP Session Security Activation

The idea of HTTP security sessions is to separate security sessions from application sessions.
Application sessions are only required for stateful operations (server-sided state). Security
sessions are created during logon and deleted during logoff.
In addition, the session identifier is separated from the session context. The session context is
kept at the server side (security state). The session identifier is just a reference to the session
context, transmitted through a cookie.

Steps to Activate HTTP Security Sessions

1. Start HTTP session management (transaction SICF_SESSIONS). A list of all the clients
that exist in the system displays.

2. Select the relevant line and choose Activate.

3. Monitor sessions in transaction SM05.

Hint:
The security audit log records this activation or deactivation of HTTP security
session management.

Impact of HTTP Security Sessions

URLs containing sap-contextid are no longer sufficient to gain access to protected

resources. Instead, the SAP_SESSIONID_<sid>_<client> cookie must be transmitted with
the same HTTP request.

For outbound HTTP communication, it is necessary to modify the default settings of a

destination (transaction SM59) to accept cookies.

Public services or services with configured identity will never evaluate or create security
sessions (no mixed mode).

The cookie with security session ID is host-specific. Therefore, a load-balancer is required.

With HTTP security sessions, a session inactivity timeout is introduced, as follows:

Absence of HTTP communication is treated as inactivity.

Processing incoming HTTP requests updates a Least Recently Used (LRU) timestamp.

© Copyright. All rights reserved. 155

Unit 4: Basics of Authentication and Single Sign-On

For performance reasons, the LRU timestamp is implemented using a server-specific

cache.

The cache is scanned every 60 seconds for inactive and expired sessions for each server.

Inactive or expired sessions and all associated application contexts, including the allocated
server resources, are terminated. Other server nodes are notified of this termination event.
In cases of associated Security Assertion Markup Language (SAML) sessions, no
notification is sent to the SAML Identity Provider (IdP).

In cache-full situations, the system creates security sessions with a fixed validity period.
An emergency reaction results in system log entries.

During start-up and controlled shutdown, each server instance deletes its own security
contexts (SEC_CONTEXT_COPY table). The last server triggers the system-wide
termination of the security context (SECURITY_CONTEXT table).

LESSON SUMMARY
You should now be able to:

Activate session security

© Copyright. All rights reserved. 156

 Unit 4
Lesson 2
Discussing Authentication for SAP Netweaver
AS Java

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Adapt the logon procedure for SAP NetWeaver Java systems

Customize the SAP logon ticket issued by SAP NetWeaver Java systems

Java Login Modules

Java Authentication and Authorization Service (JAAS)
JAAS is implemented in the SAP NetWeaver Java system to support different logon
procedures. Depending on the requirement and scenario, this enables you to choose the
appropriate logon procedure.

Figure 129: Java Login Modules

Logon ticket and Assertion ticket are SAP-specific procedures. The assertion ticket is only
used for system-system communication. The implementation of JAAS in SAP NetWeaver AS
for Java is based on logon modules. A logon module is a concrete implementation of the flow
logic of the authentication. Several logon modules can be combined to make a logon module
stack (also called an authentication stack).

Logon Procedure Configuration

As system administrator, you can adjust the logon procedures for the delivered applications.
For this purpose, you can maintain the policy configuration of the corresponding application
in SAP NetWeaver Administrator ( http://host:port/nwa ), as follows: Configuration
Security Authentication and Single Sign-On .

© Copyright. All rights reserved. 157

Unit 4: Basics of Authentication and Single Sign-On

Figure 130: Logon Procedure Configuration

Using the policy configuration, a login module or an authentication stack can be assigned to
an application to determine the logon procedure for this application. The delivered
authentication stacks can be found in the policy configuration, for example, ticket under the
Template type.
The following table shows the effects of different flags during an authentication process.
Modules are executed one after the other until authentication is established. If the sequence
of login modules listed in the stack is completed, and no authentication takes place, then
access will be denied.

Flag Required to Succeed Description

OPTIONAL No Authentication proceeds

down the list if the module
has succeeded or failed.

REQUIRED Yes Authentication proceeds

down the list of modules if
the module has succeeded or
failed.

REQUISITE Yes If successful, the authentica-

tion proceeds down the list.
Otherwise, control returns to
the application (the authenti-
cation does not proceed).

SUFFICIENT No If the authentication is suc-

cessful, control returns to ap-
plication.
Otherwise, the authentication
proceeds.

Logon Ticket
In the standard delivery, the SAP NetWeaver AS for Java uses logon tickets in the logon
procedure. The authentication stack ticket, which is used first, checks whether there is a valid

© Copyright. All rights reserved. 158

 Lesson: Discussing Authentication for SAP Netweaver AS Java

logon ticket (EvaluateTicketLoginModule). If there is not a valid logon ticket, the user must
enter the user ID and password (BasicPasswordLoginModule). A logon ticket is issued if the
entries are correct (CreateTicketLoginModule). The logon ticket is sent from the browser in
the standard system for each request. It goes to the same domain of the issuing system and
can therefore be used to log on to other systems with Single Sign-On (SSO).
The logon ticket is a session cookie. This means that the cookie is not saved, rather it is only
held in the working memory. It is deleted when the browser session finishes. The logon ticket
contains the data shown in the figure.

Assertion Tickets
Assertion tickets are an extension of logon tickets. The main differences are as follows:

Unlike logon tickets, assertion tickets are not stored temporarily.

Assertion tickets are only valid for 2 minutes.

Assertion tickets are issued directly for the respective target system.

Older systems interpret the assertion ticket as a logon ticket. Therefore, the configuration for
SSO is along the same lines as the configuration for logon tickets. The application area of the
assertion tickets is first and foremost system-system communication, via RFC or HTTP. For
example, in SAP NetWeaver Java, destinations can use the assertion ticket as a logon
method. In SAP NetWeaver Java, it is possible to use the logon modules
CreateAssertionTicketLoginModule and EvaluateAssertionTicketLoginModule, as well as the
policy configuration evaluate_assertion_ticket to issue and verify assertion tickets. An
assertion ticket is issued when a connection to a remote system is established.

UME Properties for the SAP Logon Ticket

Figure 131: Java Properties for the User Management Engine

To customize the Java properties, start the Configtool and choose View Configuration Edit
Mode. Expand the folders cluster_config system custom_global cfg services
com.sap.security.core.ume.service .

© Copyright. All rights reserved. 159

Unit 4: Basics of Authentication and Single Sign-On

Some of the most relevant parameters are as follows:

login.ticket_lifetime
Lifetime of the SAP Logon Ticket (in format: <hours>:<minutes>).

login.ticket_client
Dummy client written to the SAP Logon Ticket (default 000).
SAP NetWeaver AS Java does not have clients, as AS ABAP does. For SSO, from SAP
NetWeaver AS Java to SAP NetWeaver AS ABAP, the client ID must also be entered in the
ACL.

ume.login.mdc.hosts
The logon ticket can also be sent to other domains. The value will specify the target hosts.

ume.logon.security.relax_domain.level
Number of subdomains to be removed (a value of 2 means that the SAP Logon Tickets
issued by a system on the wdflbmt7211.wdf.sap.corp host are sent to servers in the
sap.corp domain). This allows a ticket to be recognized across multiple servers in the same
domain.

ume.logon. security.enforce_secure_cookie
If true, the logon ticket is only sent if SSL is used (default false).

LESSON SUMMARY
You should now be able to:

Adapt the logon procedure for SAP NetWeaver Java systems

Customize the SAP logon ticket issued by SAP NetWeaver Java systems

© Copyright. All rights reserved. 160

 Unit 4
Lesson 3
Discussing Single Sign-On with Active
Directory

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Configure an SAP Netweaver ABAP AS for Single Sign on with Active Directory

Single Sign-On with Active Directory

Business Example
Your company uses Active Directory and Kerberos to provide single sign-on capabilities for
several applications. You want to implement your company standards to SAP NetWeaver
systems.

Restrictions on Current Training Environment

The current training environment does not support demonstrations for this procedure. This
how-to procedure is provided for your reference in your own company networks.

How-To Procedure
In the following example, the SAP NetWeaver system is running on a host called twdf3115 and
a domain called ADTWDFVM1100.DEMO.SAP. The SAP host was added to the domain.

Figure 132: Step 1 – Verify the Active Directory Configuration

Ensure that the Active Directory prerequisites are fulfilled. Users should be available in the
active directory, a security principal should be assigned, and key tabs should have been
generated for each SAP server.

© Copyright. All rights reserved. 161

Unit 4: Basics of Authentication and Single Sign-On

Figure 133: Step 2 – Call the SNCWIZARD Transaction in your ABAP Environment

Figure 134: Step 3 - Provide the Distinguished Name for the Server

Figure 135: Step 4 – Review the Configuration Changes

© Copyright. All rights reserved. 162

 Lesson: Discussing Single Sign-On with Active Directory

Figure 136: Step 5 – Restart your SAP System

After the system restart, call transaction SNCWIZARDagain. Browse until you reach the final
screen, showing the Complete button. No other configuration steps are required.

Figure 137: Step 6 – SNCWIZARD Shows Existing Configuration

Figure 138: Step 7 – Wizard-Based Configuration is Complete

© Copyright. All rights reserved. 163

Unit 4: Basics of Authentication and Single Sign-On

Figure 139: Step 8 – Import the Key Tab into your Secure Store

In a command window, execute the following commands, after changing to the following
directory: D:\usr\sap\PCC\DVEBMGS20\sec
set SECUDIR=D:\usr\sap\PCC\DVEBMGS20\sec

The SAP server SID is PCC and the instance number 20. The installation was performed on
drive D.
sapgenpse keytab -p SAPSNCSKERB.pse -x PsePassword1 -X Secret1 -a
SAP/KerberosDCC3115@ADTWDFVM1100.DEMO.SAP

sapgenpse seclogin -p SAPSNCSKERB.pse -x PsePassword1 -O SAPServicePCC

-N

Figure 140: Step 9 – Install the Secure Client

A default installation is enough for each laptop where single sign-on will be used. These
laptops should be domain members.

© Copyright. All rights reserved. 164

 Lesson: Discussing Single Sign-On with Active Directory

Figure 141: Step 10 – Maintain Canonical Name for Users Eligible for Single Sign-On

Figure 142: Step 11 – Configure your SAP GUI Connection

The SAP GUI needs to be configured for users logged into the domain. In the example, the
user logged will be: adtwdfvm1100\twdf3115_pcc_tstusr.

LESSON SUMMARY
You should now be able to:

Configure an SAP Netweaver ABAP AS for Single Sign on with Active Directory

© Copyright. All rights reserved. 165

 Unit 4
Lesson 4
Discussing Single Sign-On with SAP Logon
Tickets

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Configure an SAP NetWeaver Java AS for single sign-on with SAP logon tickets

Single Sign-On with SAP Logon Tickets

Figure 143: SAP Logon Tickets: SAP Solution Manager

Logon tickets represent the user credentials.

The UME of the SAP NetWeaver AS for Java server issues a logon ticket to a user after
successful initial authentication. The logon ticket itself is stored as a nonpersistent cookie in
the web browser on the client and is sent with each request of that client. It can then be used
by external applications, such as SAP systems, to authenticate the portal user to those
external applications without any further user logons being required.
Logon tickets contain information about the authenticated user. They contain no passwords.

Logon Ticket
The SAP logon ticket contains:

SAP NetWeaver AS user ID

© Copyright. All rights reserved. 166

 Lesson: Discussing Single Sign-On with SAP Logon Tickets

If configured and used: a mapped user ID for other applications

Authentication scheme of the user

Ticket validity period (default value = 8 hours)

Information identifying the issuing system

Digital signature

The UME of the SAP NetWeaver AS for Java server issues an SAP logon ticket for the internet
domain or the internet subdomain of the portal server only.

Ticket Verification with SAP Systems

When a user calls an external application, their logon ticket is passed on to the appropriate
application or information system where it is checked to see if it is valid. To work with SAP
logon tickets, the external application must perform the following tasks:

The external system must make sure that a trusted server has issued the ticket.

The digital signature in the ticket needs to be verified. The first two steps require the digital
certificate of the issuing server.

If the ticket is valid, the appropriate user ID contained in it must be extracted.

LESSON SUMMARY
You should now be able to:

Configure an SAP NetWeaver Java AS for single sign-on with SAP logon tickets

© Copyright. All rights reserved. 167

 Unit 4

Learning Assessment

1. Which of the following authentication mechanisms are used in SAP NetWeaver?

Choose the correct answers.

X A User ID and password

X B Secure Network Communications (SNC)

X C Secure Socket Layer (SSL) and X.509 client certificates

X D Java Authentication and Authorization Service (JAAS)

X E Security Assertion Markup Language (SAML)

X F Simple Object Access Protocol (SOAP)

X G SAP logon tickets

2. A logon ticket used for authentication contains which of the following data?
Choose the correct answers.

X A User ID

X B Password

X C ID of the issuing system

X D Digital signature of the issuing system

X E Validity period

3. Logon tickets are stored as a non-persistent session cookie in the Web browser.
Determine whether this statement is true or false.

X True

X False

© Copyright. All rights reserved. 168

 Unit 4: Learning Assessment

4. The template ticket can be used to configure the logon modules.

Determine whether this statement is true or false.

X True

X False

5. Mutual authentication can be used to access SAP NetWeaver Application Server for
ABAP.
Determine whether this statement is true or false.

X True

X False

6. How can you secure authentication using logon tickets in SAP Netweaver AS for ABAP?

7. How can you activate HTTP security sessions?

8. When using HTTP security sessions how frequently does the system check for expired
sessions?
Choose the correct answers.

X A Every 5 seconds

X B Every 30 seconds

X C Every 60 seconds

X D Every 240 seconds

9. What is the meaning of the REQUISITE flag in an SAP login module?

© Copyright. All rights reserved. 169

Unit 4: Learning Assessment

10. How can you prevent an SAP Netweaver AS for Java from sending an authentication
cookie if the connection is insecure?

© Copyright. All rights reserved. 170

 Unit 4

Learning Assessment - Answers

1. Which of the following authentication mechanisms are used in SAP NetWeaver?

Choose the correct answers.

X A User ID and password

X B Secure Network Communications (SNC)

X C Secure Socket Layer (SSL) and X.509 client certificates

X D Java Authentication and Authorization Service (JAAS)

X E Security Assertion Markup Language (SAML)

X F Simple Object Access Protocol (SOAP)

X G SAP logon tickets

Correct! All of these options, except SOAP, are used in SAP NetWeaver.

2. A logon ticket used for authentication contains which of the following data?
Choose the correct answers.

X A User ID

X B Password

X C ID of the issuing system

X D Digital signature of the issuing system

X E Validity period

Correct! A logon ticket used for authentication contains the user ID, the ID and digital
signature of the issuing system, and the validity period. It does not contain the password.

3. Logon tickets are stored as a non-persistent session cookie in the Web browser.
Determine whether this statement is true or false.

X True

X False

Correct! Logon tickets are stored as a non-persistent session cookie in the Web browser.

© Copyright. All rights reserved. 171

Unit 4: Learning Assessment - Answers

4. The template ticket can be used to configure the logon modules.

Determine whether this statement is true or false.

X True

X False

Correct! The template ticket can be used to configure the logon modules.

5. Mutual authentication can be used to access SAP NetWeaver Application Server for
ABAP.
Determine whether this statement is true or false.

X True

X False

Correct! Mutual authentication can be used to access SAP NetWeaver Application Server
for ABAP.

6. How can you secure authentication using logon tickets in SAP Netweaver AS for ABAP?

Parameter login/ticket_only_by_https = 1 will force the usage of encryption when cookies

are sent for authentication purposes.
Correct! Parameter login/ticket_only_by_https = 1 will force the usage of encryption when
cookies are sent for authentication purposes.

7. How can you activate HTTP security sessions?

Transaction SICF_SESSIONS allows activation on each available client.

Correct! Transaction SICF_SESSIONS allows activation on each available client.

8. When using HTTP security sessions how frequently does the system check for expired
sessions?
Choose the correct answers.

X A Every 5 seconds

X B Every 30 seconds

X C Every 60 seconds

X D Every 240 seconds

Correct! The system checks for expired sessions every 60 seconds.

© Copyright. All rights reserved. 172

 Unit 4: Learning Assessment - Answers

9. What is the meaning of the REQUISITE flag in an SAP login module?

If it fails authentication is canceled.

Correct! If it fails authentication is canceled.

10. How can you prevent an SAP Netweaver AS for Java from sending an authentication
cookie if the connection is insecure?

Use the parameter ume.logon. security.enforce_secure_cookie = true .

Correct! Use the parameter ume.logon. security.enforce_secure_cookie = true .

© Copyright. All rights reserved. 173

 UNIT 5 RFC Security

Lesson 1
Securing the RFC Gateway 175

Lesson 2
Enabling SNC for SAP NetWeaver AS ABAP 187

Lesson 3
Reducing the Attack Surface: RFC Communication and Unified Connectivity 205

UNIT OBJECTIVES

Verify SAP Gateway security

Outline RFC callback whitelist protection

Configure SNC for SAP NetWeaver AS ABAP

Configure SNC for other SAP components

Set up data collection for RFC enable function modules

© Copyright. All rights reserved. 174

 Unit 5
Lesson 1
Securing the RFC Gateway

LESSON OVERVIEW
This lesson explains interface security. It also explains how Remote Function Call (RFC)
communication and RFC connections can be secured. In addition, this lesson elaborates on
the concept of security in Internet Communication Manager (ICM) and SAP Message Server.

Business Example
You need to set up interface security in an SAP system. For this reason, you require an
understanding of the following:

The configuration of trusted RFC connections between SAP systems

How to secure the SAP Gateway process and the Application Server ABAP (AS ABAP)
Message Server

How to restrict Web-enabled content

How to activate the logging of security events

How to configure trusted RFC

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Verify SAP Gateway security

Outline RFC callback whitelist protection

© Copyright. All rights reserved. 175

Unit 5: RFC Security

SAP Gateway Security

Figure 144: Categories of RFC Communication

SAP Gateway is a technical component of the application server that manages

communication for the SAP RFC-based functionality. RFC communication can be categorized
into three different scenarios, as shown in the figure, Categories of RFC Communication.
The various scenarios of RFC communication (as shown in the figure, Categories of RFC
Communication) are as follows:

ABAP RFC
The most frequently used RFC functionality in customer installations is provided by ABAP
remote-enabled function modules. For instance, technologies such as Business
Application Programming Interface (BAPI), Application Link Enabling (ALE), and
Intermediate Document (IDoc) are provided by ABAP and use RFC as the underlying
communication protocol.
The mechanisms used to secure the communication are based on end user authentication
and authorization checks in the ABAP system (for example, the S_RFC authorization
object in the called system and the S_ICF authorization object in the calling system). SAP
Gateway does not perform additional security checks.

Registered RFC server program

The RFC server programs use the SAP RFC library and integrate ABAP systems with non-
ABAP systems that provide RFC functions.
The external RFC server programs are registered by the administrators while configuring
the RFC destinations at SAP Gateway; these server programs can later be accessed by

© Copyright. All rights reserved. 176

 Lesson: Securing the RFC Gateway

RFC clients through the same SAP Gateway. This RFC client is actually the ABAP system in
which the external RFC server program is registered. This is configured in transaction
SM59in RFC destinations of type T with the Registered Server Program technical setting.
One example for this use case is SAP NetWeaver Search and Classification (TREX).
SAP and partner companies are developing various integration technologies, one of which
is known as a registered RFC server program. Typically, registered RFC servers do not
perform user authentication or authorization checks. Registration of RFC server programs
and RFC client access to these servers is controlled through SAP Gateway access control
lists ( secinfo for releases up to 4.6 and reginfo in higher releases).

Started RFC server program

The started RFC server programs are also built with the SAP RFC library, but instead of
being registered at SAP Gateway, they reside on the host of the application server. SAP
Gateway launches these RFC server programs triggered by RFC client requests.
For example, SAP Gateway uses the remote shell and RFC to start transaction SAPXPG
,
which runs the external command or program.
SAP default configurations only start these RFC server programs locally. You can change
this configuration in transaction SM59in RFC destinations of type T with the Start on
Explicit Host technical setting. The SAP Gateway options can point explicitly to the local
SAP Gateway or be left blank. Again, in most cases, started RFC servers do not perform
user authentication or authorization checks. As in the case of registered RFC servers,
access to these started RFC servers is controlled through SAP Gateway access control
lists (ACLs), secinfo for all releases.

Caution:
For system security, it is of utmost importance that you create and maintain the
SAP Gateway ACL properly. ACL files do not exist in default installations.

As a result, no restrictions exist regarding RFC server registration, access to registered RFC
servers, or to the starting of RFC server programs in default installations. This can
compromise the system. SAP provides guidelines on how to set up ACLs, minimum SAP
kernel patch levels, and configuration switches.

Security Measures for SAP Gateway

Set the profile parameters gw/sec_info , gw/reg_info , gw/reg_no_conn_info (SAP

Notes 1408081 and 1444282), and, if relevant, gw/prxy_info (SAP Note 1848930).

Create the secinfo and reginfo ACL files (SAP Notes 1408081 and 1425765). If needed,
create the prxy_info file (SAP Note 1848930).

Reload ACL files dynamically on each application server to activate changes.

If necessary, missing configurations can be identified in the following ways:

- Activation of the SAP Gateway logging and log file review (SAP Note 910919)
- Analysis of the error messages shown on the RFC client

Gateway Security Configuration

Set the parameters and provide the files secinfo and reginfo .
The parameters required after the system update are as follows:

© Copyright. All rights reserved. 177

Unit 5: RFC Security

gw/sec_info = $(DIR_GLOBAL)$(DIR_SEP)secinfo

gw/reg_info = $(DIR_GLOBAL)$(DIR_SEP)reginfo

gw/reg_no_conn_info = 15

For a Microsoft Windows operating system, the files must have the .DAT extension.

Caution:
Because important security information is stored in this file, the system
administrator must take care to define the file authorization correctly. For
example, the administrator should set read-only authorization for the file owner
and no authorization for all other users.

With SAP Gateway Monitor (transaction SMGW

), you can monitor and administer SAP
Gateway. Choose Goto Expert Functions External Security to display, create, and reload
the secinfo and reginfo files.
If your communication processes flow across 3 systems, with one being used as a gateway,
you might need to configure the prxy_info file.

Figure 145: Gateway Monitor (Transaction SMGW)

In Gateway Monitor, to configure the gateway, choose Goto Expert Functions Logging.
For example, select the event Security checkbox and choose Activate .

© Copyright. All rights reserved. 178

 Lesson: Securing the RFC Gateway

Note:
To implement the recommendations from the previous section, work through all
the SAP Notes and documentation mentioned. Each customer has different
requirements and a different environment, so the information given in the SAP
Notes and documentation may not exactly fit.
SAP NetWeaver 7.40 includes a new framework, Unified Connectivity (UCON), for
securing RFCs. RFCs are a central communication technology of SAP NetWeaver
AS for ABAP and all ABAP-based systems.
The UCON basic security scenario for RFC provides both a simple process and a
toolset, allowing you to drastically reduce the number of Remote-Enabled
Function Modules (RFMs) that can be accessed from outside, thus dramatically
reducing the potential attack surface. UCON is the recommended new approach
to make your RFC communication more secure.
For more information, go to: http://scn.sap.com/docs/DOC-53844.
Additionally, SAP Consulting provides a service that offers to efficiently rename
and reauthorize RFC interface user accounts with a best practice approach,
utilizing the Xiting Authorizations Management Suite as a tool for creating
reusable interface roles. The service also helps to document interface usage and
creates proper authorization proposal values ( SU24) for function module / RFC
interface calls.
For more information, see SAP Note 1682316 .

© Copyright. All rights reserved. 179

Unit 5: RFC Security

Security Configuration for Gateway

Figure 146: Product Overview

RFC is an SAP proprietary protocol. It is the main integration technology between SAP
systems and is also used in integrations with non-SAP systems. Increasingly, other
integration technologies such as Web services complement RFC. RFC connections between
systems are maintained in RFC destinations. RFC destinations are maintained in destination
source systems that point to destination target systems.

© Copyright. All rights reserved. 180

 Lesson: Securing the RFC Gateway

RFC Connections

Figure 147: RFC Connections

RFC communication partners can be SAP systems and external application programs. In all
cases, RFCs are possible in both directions, that is, the SAP system can be both a client and a
server. The RFC protocol supports synchronous, asynchronous, and transaction-oriented
communication.
By default, the SAP Gateway runs on each SAP NetWeaver AS for ABAP instance. In some
cases, such as when an RFC call to a Microsoft Windows-based RFC server is needed, you
need to install a standalone gateway. You can use the Gateway Monitor (transaction SMGW ) to
monitor activities on local SAP gateways. For outgoing connections from an SAP system, the
RFC destination is maintained using transaction SM59.
In SAP systems with SAP NetWeaver AS for ABAP 7.00 and later, authorization object
S_RFC_ADM is added for maintaining RFC destinations. RFC destinations cannot be created
and maintained without authorization object S_RFC_ADM.

© Copyright. All rights reserved. 181

Unit 5: RFC Security

SAP System as an RFC Client

Figure 148: SAP System as an RFC Client

The following connection types (partner system or program) are possible:

R/2 connections
Partner system is an R/2 system.

R/3 connections
Partner system is a different SAP system.

TCP/IP connections
Partner is an external RFC program based on TCP/IP.

For connections to other SAP systems, you need to specify full logon data, such as the user
name, password, and client. This logon data is used to log on to a destination system under a
defined user name without checking the password. As a result, you must restrict access to
transaction SM59and the contents of table RFCDES must be regularly controlled. You must
not store the password at the RFC destination.
Improper management of RFC destinations leads to privilege escalation. Access to the
SAP_ALL profile in production systems may be gained due to the use of inadequately
configured RFC destinations in development systems. These risks can be mitigated by
following the guidelines to maintain ABAP connections (type 3) and logical connections (type
L) in transaction SM59.

RFC Destination Types

To securely manage ABAP and logical RFC destinations, the following categories are defined:

1. Destinations that store technical connectivity configuration without stored credentials and
without trust relationships between the systems (they require user authentication for
each access).

© Copyright. All rights reserved. 182

 Lesson: Securing the RFC Gateway

2. Destinations with technical connectivity configuration using stored credentials (that is,
client, user, and password).

3. Destinations with technical connectivity configuration using trusted system logon

(Trusted or Trusting RFC).

All three categories of RFC destinations can be used between systems of the same security
classification (for example, from one production system to another). These categories are
also allowed to be used from systems of higher security classification to systems of lower
security classification (for example, from one production system to a development system).

Caution:
As a general guideline, destinations from systems of lower security classification
to systems of higher security classification are not allowed to store user
credentials or to use trusted system logon (for example, from a development
system to a production system).

These destinations are only allowed to store technical connectivity configuration and
authenticate the user for each access. One exception to this general guideline is Transport
Management System (TMS) destinations. If the TMS destinations are required, they must be
considered a security risk and must only be used after thorough risk analysis.

Caution:
It is generally forbidden for systems of higher security classification to trust
systems of lower security classification.

If the risk analysis is not performed, then the security level of the trusting system is reduced
to the security level of the trusted system. Particularly in production environments, users
stored in RFC destinations must only have the minimum authorization in the destination
target that is required for the business scenario executed by means of that destination.
We recommend using dedicated accounts for each scenario wherever possible. Inspect the
SAP Security Guide of an application to get information about required authorizations. It is a
common misunderstanding to assume that assigning SAP_ALL privileges to users in
destinations with stored credentials is secure as long as the user is not of the DIALOG type.

© Copyright. All rights reserved. 183

Unit 5: RFC Security

Figure 149: ABAP RFC Communication Recommendations

ABAP RFC Communication Recommendations

You must take the following security measures to mitigate the risk of unauthorized access
through RFC destinations:

Analyze all system trust relationships between ABAP systems using transactions SMT1
and SMT2. Identify the trust relationships in which systems of higher security classification
trust systems of lower security classification (for example, test to production or
development to production). Remove this system trust wherever possible.

Identify RFC destinations with stored user credentials from systems of lower security
classification to systems of higher security classification (using the RSRFCCHK report).
The stored credentials must be removed wherever possible to enforce user authentication
for every access.

Create a list of RFC destinations with stored credentials. Ensure that user accounts have
minimum authorizations (particularly not SAP_ALL) assigned in the destination target and
that the user type is set to SYSTEM.

© Copyright. All rights reserved. 184

 Lesson: Securing the RFC Gateway

Trusted RFC

Figure 150: Trusted Relationships Between SAP NetWeaver AS for ABAP-Based SAP Systems

SAP systems can establish trusted relationships with each other. If a calling (sending) SAP
system is known to the called (receiving) system as a trusted system and the user who issued
the RFC call is defined in both of the systems, no password is supplied. The calling SAP
system must be registered with the called SAP system as a trusted system. The called system
is the trusting system.
Trusted relationships among various SAP systems have the following advantages:

Single Sign-On (SSO) is possible beyond system boundaries.

No passwords are transmitted in the network.

The timeout mechanism protects against replay attacks.

User-specific logon data is checked in the trusting system.

The trust relationship is not mutual, which means that this relationship is applicable in one
direction only. To establish a mutual trust relationship between two partner systems, you
must define each of the two trusted systems in the corresponding partner systems.
To enable the trusted systems to operate properly, the systems must have the same security-
level requirements and user administration. Before you can define a trusted system, you must
create a destination for this system in the trusting system. To do so, use transaction SMT1, or
choose Extras Trusted systems on the RFC destination overview screen (transaction
SM59). In the trusted systems, destinations for trusting systems are automatically created.
These destinations are used when you display trusting systems through Extras Trusting
systems (transaction SMT2).
The user using the trusted RFC must have the corresponding authorizations in the trusting
system (the S_RFCACLauthorization object). In addition, you can configure the system to
perform an authorization check on the transaction code from the calling system. To do this,
you need to choose the Use transaction code option on the trusted system entry in

© Copyright. All rights reserved. 185

Unit 5: RFC Security

transaction SMT1. Once you choose this option, an authorization check is performed in the
called system for the transaction code (the RFC_TCODEfield of the S_RFCACL authorization
object). You can check the authorizations for the logged on users in the trusting system in
advance by using the AUTHORITY_CHECK_TRUSTED_SYSTEM function module.
To prevent others from making changes to your trusted RFC destination, select the
Destination not modifiable checkbox on the Administration tab page of the destination in
transaction SM59. To make the destination modifiable again, double-click the checkbox.
Destinations must be kept consistent. For this reason, you are not allowed to change the ID of
the target system, the system number, or the destination name.

LESSON SUMMARY
You should now be able to:

Verify SAP Gateway security

Outline RFC callback whitelist protection

© Copyright. All rights reserved. 186

 Unit 5
Lesson 2
Enabling SNC for SAP NetWeaver AS ABAP

LESSON OVERVIEW
This lesson explains how to set up and maintain SAP Secure Network Communication (SNC)
for SAP NetWeaver AS for ABAP.

Business Example
To secure Dynamic Information and Action Gateway (DIAG) and Remote Function Call (RFC)
communication, you need to set up SAP SNC. For this reason, you require an understanding
of the following:

SAP SNC and how it is configured

How to enable SAP SNC on SAP NetWeaver AS for ABAP

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Configure SNC for SAP NetWeaver AS ABAP

Configure SNC for other SAP components

SNC Configuration for Other SAP Components

Figure 151: SAP SNC on SAP NetWeaver AS for Java

This figure, SAP SNC on SAP NetWeaver AS for Java, shows the SAP SNC configuration to
connect the SAP NetWeaver AS for ABAP system with the SAP NetWeaver AS for Java
system.

© Copyright. All rights reserved. 187

Unit 5: RFC Security

Enabling SAP SNC on SAP NetWeaver AS for Java

Figure 152: Roadmap: Enabling SAP SNC on SAP NetWeaver AS for Java

Enabling SAP SNC on SAP NetWeaver AS for Java involves almost identical steps to those
used for SAP NetWeaver AS for ABAP. In fact, the same PSE created for SAP NetWeaver AS
for ABAP can be used for SAP NetWeaver AS for Java. The SAP NetWeaver AS for Java
parameters for SAP SNC are set differently, based on the Java applications.
You create one PSE and distribute it to all application servers. Alternatively, you can also use
the command line tool SAPGENPSE to create the PSE at the operating system level for the
SAP NetWeaver AS for Java. Do not use a mixed approach to maintain the PSE. If you use
SAPGENPSE, always use SAPGENPSE.
SAP NetWeaver AS for Java can also use the CommonCryptoLib for cryptographic functions
such as secure communication using SSL and secure communication using SAP SNC (for
RFC server connections). As with SAP NetWeaver AS for ABAP, there are two deployment
options for CommonCryptoLib: using the Java kernel or from a download from SAP Service
Marketplace.
If there is a scenario where SAPCRYPTOLIB is used instead of the CommonCryptoLib, make
sure the SAPCryptographic library files are in the following locations.

Copy the library to <AS_Java_install_dir>

Copy the license ticket to <AS_Java_install_dir>/sec

Copy the sapgenpse.exe to <AS_Java_install_dir>

Set the environment variable SECUDIR to the sec subdirectory. This is also the directory in
which the PSE of SAP NetWeaver AS for Java and credentials are located.

© Copyright. All rights reserved. 188

 Lesson: Enabling SNC for SAP NetWeaver AS ABAP

PSE Creation and Credentials Assignment Using the SAPGENPSE.exe Tool

The PSE can be created or imported using the SAPGENPSE tool. You use the following
command to create a new certificate:
sapgenpse get_pse –p <SID>.pse –noreq –x <PIN><DISTINGUISHED_NAME>
To open the PSE of the server and create credentials, you use the following command:
sapgenpse seclogin –p <SID>.pse -x <PIN><DISTINGUISHED_NAME> -O <user
id>
Use the following command to import the certificate:
sapgenpse maintain_pk –a <filename_for_appserv_cert> -p
<AppServPSE>.pse -x <PIN>

Establish Trust Relationships for SAP SNC on SAP NetWeaver AS for Java

Figure 153: Establish Trust Relationships for SAP SNC on SAP NetWeaver AS for Java

To exchange the public key certificates, you perform the following steps:

1. Export the public-key certificate of SAP NetWeaver AS for Java using the SAPGENPSE
tool, as follows:
Sapgenpse export_own_cert –o <filename_for_appserv_cert> -p
<AppServPSE>.pse –x <PIN>

2. Export the public-key certificate of SAP NetWeaver AS for ABAP using transaction
STRUST.

3. Import the PSE of SAP NetWeaver AS for Java into SAP NetWeaver AS for ABAP.

4. Import the PSE of SAP NetWeaver AS for ABAP into SAP NetWeaver AS for Java.

Maintain the system ACL on the SAP NetWeaver AS for ABAP as follows:

© Copyright. All rights reserved. 189

Unit 5: RFC Security

In the SAP NetWeaver AS for ABAP, you maintain the ACL using transaction SM30
(SNCSYSACL table or the VSNCSYSACL view, type=E). Enter the SAP SNC name of SAP
NetWeaver AS for Java and activate the entry for RFC.

Save the data.

Java Connector (JCo) for SAP NetWeaver AS for Java

The SAP NetWeaver AS for Java uses the Java Connector (JCo) to communicate with the SAP
NetWeaver AS for ABAP.
The JCo needs the following information to use the SAP SNC connection:

SNC library path

This path can also be defined using the SNC_LIB system environment variable of the user
who starts SAP NetWeaver AS for Java (usually SAPService<SID>).

Level of protection
This is the level of protection to use in the connection; possible values are 1, 2, and 3.

My SNC name
This optional parameter makes sure that the SAP SNC name is used for the connection.

Partner’s SNC name

This parameter is required and is used to identify the partner SAP NetWeaver AS for
ABAP. You can find the application server’s SAP SNC name in the profile parameter snc/
identity/as .

Note:
The setting of these SAP SNC parameters for JCo depends on various
applications. Each of these applications has its own way of setting up the
parameters. Refer to the documentation of the specific application to determine
how to set these up correctly. For example, the User Management Engine (UME)
sets the SNC parameters in the UME properties. In the scenario of Java iViews in
SAP Enterprise Portal, you set the SAP SNC parameters in the system object
associated with that Java iView. Other applications may use the Destination
service in SAP NetWeaver Administrator.

© Copyright. All rights reserved. 190

 Lesson: Enabling SNC for SAP NetWeaver AS ABAP

SAP SNC on SAProuter

Figure 154: SAP SNC and SAProuters

The connection between the adjacent SAProuters can be protected using SAP SNC. The
SAProuters authenticate each other and exchange encrypted messages. Therefore, a secure
tunnel for communications is established between components that may not be able to use
SAP SNC. A single SAProuter can act as both the initiator and acceptor for an SAP SNC-
protected connection.
To set up SAP SNC-protected connections between two SAProuters, you must establish an
SAP SNC environment in both of the SAProuters and configure SAP SNC for the connection in
the SAProuter’s route permission table.
To establish an SAP SNC environment, proceed as follows:

Set up the environment variable SNC_LIB to the path and file name of the external library
on the SAProuter host.

Start the SAProuter with the option -K <SNC of the SAProuter>

- For example, SAP SNC name on host1: “p:CN=saprout1, OU=TEST01,

O=myCompany, C=US”

- saprouter -r -K "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" &

SAP SNC Details in the SAProuter Route Permission Table

To configure SAP SNC in the SAP route permission table, the following types of entries need
to be set up:

Key-Target (KT) entry specifies the designated SAProuter to SAProuter connection, which
uses SAP SNC.
KT <SNC partnername> <dest host> <dest serv>

KP, KD, and KS entries are similar to the normal P, D, and S entries, but are used mainly
for SAP SNC connections. They specify the hosts and services that are allowed to
communicate with one another. As with normal P, S, and D entries, you can also specify a
password for the connection.
K<P/D/S> “SNC name of source host” <dest host> <dest serv>
<password>

© Copyright. All rights reserved. 191

Unit 5: RFC Security

Caution:
The order of the entries in the route permission table is important. For incoming
connections, the SAProuter applies the first matching entry it finds. If a matching
P, D, or S entry precedes an SAP SNC entry, then the SAProuter ignores the SAP
SNC entry.

The SAProuter accepts an incoming connection if it finds a corresponding entry in its route
permission table. For normal incoming connections where SAP SNC is not used, SAProuter
identifies the communication partner using the source host (IP address) and the destination
(host and service). For SAP SNC connections coming from an SAProuter, it uses the source
SAProuter’s SNC name for identification.

Figure 155: Example of Setting SAP SNC Details in the SAProuter Route Permission Table

In the example, there are two SAProuters, one on host1, and the other on host2. The two
routers need to communicate with each other using SAP SNC. Both SAProuters are started.
SAProuter on host1 initiates SAP SNC for all connections to host2 using KT =
"p:CN=saprout2, OU=TEST01, O=myCompany, C=US" host2 * and accepting all
connections using P * * * .
SAProuter on host2 accepts only SAP SNC connections from host1, which directs to either a
dispatcher or a gateway with system number 00. KP "p:CN=saprout1, OU=TEST01,
O=myCompany, C=US" * sapdp00 .

© Copyright. All rights reserved. 192

 Lesson: Enabling SNC for SAP NetWeaver AS ABAP

SAP SNC for SAP GUI for Microsoft Windows

Figure 156: Configuring SAP GUI SNC

In a standard SAP setup, users enter their SAP user name and password on the SAP GUI
logon screen. SAP user names and passwords are transferred through the network without
encryption. To secure connections between your front end and your ABAP system, SAP GUI
can be used together with an external security product or with SAP NetWeaver Single Sign-On
Secure Login Client. Kerberos tokens or certificates can be sent through SAP GUI and Secure
Login Client to the SAP SNC interface. The Secure Login Library then encrypts all
communication between the front end and the SAP servers, providing a secure SSO from the
end user to the SAP NetWeaver AS.
To configure SAP SNC with SAP GUI for Microsoft Windows, proceed as follows:

If Secure Login Client is used with SAP GUI, the Secure Login Library must be configured.
Configuration is set up differently based on whether an X.509 certificate or Kerberos
Token (Service Principle Name) is used.

Environment variable SNC_LIB on the front end is set to the path and file name of the SAP
SNC library.

In SAP Logon, SAP SNC options (SAP SNC name, quality of protection, and SAP SNC
activation) need to be set up in the SAP Logon Advanced Options.

To set up SAP SNC profile parameters in SAP NetWeaver AS for ABAP and maintain SAP SNC
names for those users who will be using the SAP GUI, proceed as follows:

The steps to enable SAP SNC for SAP GUI for Microsoft Windows are similar to steps for
enabling SAP SNC on SAP NetWeaver AS for ABAP.

To maintain the SNC information of dialog users, use transaction SU01.

To maintain non-dialog users, enter SNC information in the USRACLEXT table using
transaction SM30.

SNC Configuration for SAP NetWeaver AS ABAP

Privacy Protection: SAP SNC
Connections that use SAP protocols, such as RFC and DIAG, use SAP SNC for encryption.

© Copyright. All rights reserved. 193

Unit 5: RFC Security

SAP SNC provides privacy protection for the following communication paths:

Between two SAP NetWeaver AS for ABAP systems

Between SAP NetWeaver AS for ABAP and SAP NetWeaver AS for Java

Between SAP GUI and SAP NetWeaver AS for ABAP

Between SAProuters

You must configure the SAP SNC and install the security libraries on each SAP NetWeaver
component that is about to become a communication partner. SAP SNC can also be used
with an external security product.
SAP SNC provides the following features:

Authentication between SAP components

Integrity protection

Privacy protection

Trust When Using SAP SNC

Figure 157: Establishing Trust When Using SAP SNC

When using SAP SNC, the components need to identify and trust each other.
The options to establish a trust relationship for server-to-server communication are as
follows:

Use the same PSE for all components.

- All the communicating servers or components share the same identity, which means
that the components share the public and private key pair and the associated
Distinguished Name (DN). Since all the components use the same identity, the trust
relationships between the components are automatically established.

© Copyright. All rights reserved. 194

 Lesson: Enabling SNC for SAP NetWeaver AS ABAP

- The advantage of using the same PSE for all components is that it is easy to configure.
- The disadvantage of using the same PSE for all components is that the communication
is less transparent because all the components have the same identity and name.

Use individual PSEs and exchange public-key certificates.

- Each server possesses its own identity, which means that each server has its own
public and private key pair and DN.
- The trust relationships are established among communication partners by exchanging
the public-key certificates with each component that needs to be trusted. For example,
the two participating SAP NetWeaver AS for ABAP systems will need to exchange
certificates to trust each other. SAP NetWeaver AS for ABAP and SAP NetWeaver AS
for Java can also exchange certificates.
- The advantage of using individual PSEs is that the communication is transparent
because each component has its own identity.
- The disadvantage of using individual PSEs is that more configuration effort is needed.

SAP SNC Implementation

In the previous releases, SAP provided various tools to secure the system and its
communications and to manage the Single Sign-On (SSO): SAP Security Library, SAP
Cryptographic Library, Secure Login Library (part of SAP Netweaver SSO).
The SAP Cryptographic Library (SAPCRYPTOLIB) was the default security product provided
by SAP in the past for encryption with SAP systems. The SAP Cryptographic Library supports
encryption functions and the use of digital signatures in SAP Systems. SNC or for Secure
Sockets Layer (SSL) scenarios are supported using SAPCRYPTOLIB.
The Secure Login Library is a component of the SAP SSO product. It is used as cryptography
and security library for SAP NetWeaver AS for ABAP providing SSO through SNC using
Kerberos tokens or X.509 certificates as well as supporting digital signatures according to the
Secure Store and Forward (SSF) interface.
The SAP Security Library (SAPSECULIB) supports digital signatures using the SSF interface
for creating and verifying digital signatures within SAP systems, but not for encrypting data.
As of SAP Netweaver 7.40 some major security enhancements were made on System
Security: interfaces, Basis, authentication, and so on. SAP has released a new cryptographic
library called CommonCryptoLib. CommonCryptoLib is the technical successor of the SAP
Cryptographic Library (SAPCRYPTOLIB). This new cryptographic library provides a single
security library, which can be used in all scenarios supported by the previous security libraries

Table 13: CommonCryptoLib Scenarios

SAP Security SAP Crypto- Secure Login Common- SSO License
Library graphic Library Crypto-Lib Required

SAP SNC – X. X X X X
509
SAP SNC – X X X
Kerberos
SPNEGO/ X X X
ABAP
SSL/TLS X X

© Copyright. All rights reserved. 195

Unit 5: RFC Security

SAP Security SAP Crypto- Secure Login Common- SSO License

Library graphic Library Crypto-Lib Required

Secure Store X X X X
& Forward
(SSF)
STRUST X X
Hardware Se- X X
curity Module
(HSM)
FIPS 140–2 X
Certification
was Achieved
(See SAP
Note:
1848999)

Deployment Options for the CommonCryptoLib

The new CommonCryptoLib replaces the SAP Cryptographic Library. It comes with the latest
kernel of SAP NetWeaver AS for ABAP. Beginning with Kernel 7.20 PL88, no specific Kernel
patch is required to use CommonCryptoLib. The library is fully compatible with
SAPCRYPTOLIB and SAPSECULIB.

Note:
For the according ABAP kernel patch levels, refer to SAP Note 1848999 . You must
not use CommonCryptoLib if you are running Kernel releases prior to 7.20 PL88,
as CommonCryptoLib is not fully compatible with such old releases. Use
SAPCRYPTOLIB 5.5 PL38 in such cases.

There are two deployment options for CommonCryptoLib:

Via the ABAP kernel

Via download from SAP Service Marketplace

Beginning with SAP SSO 2.0 SP3, the Secure Login Library is no longer required since its
features are now all included in the CommonCryptoLib. This means that as of release 2.0 SP3,
a newly installed SAP SSO uses the CommonCryptoLib as the default cryptographic library
for SAP SNC and SPNEGO for ABAP.

Note:
NWSSO for CommonCryptoLib 2.0 is very different from SAP NetWeaver SSO
(use of the tool sapgenpse, abandoning of the tool snc, use of specific .xml
configuration files for specific features, and so on). For more details, refer to the
SAP documentation NWSSO for CommonCryptoLib 2.0

© Copyright. All rights reserved. 196

 Lesson: Enabling SNC for SAP NetWeaver AS ABAP

Figure 158: COMMONCRYPTOLIB

Note:
The two SAPCRYPTOLIB variants (old or new) can be recognized by their names.
Instances of the old library are called SAPCRYPTOLIB 5.5.5 plXX (for example,
5.5.5pl38), while the newer variant of the SAPCRYPTOLIB is named
CommonCryptoLib 8 (CCL) and uses the format 8.<major>.<minor> (for example,
8.4.31). For SAP NetWeaver 74X, a SAPCRYPTOLIB in the new variant
CommonCryptoLib 8 is a fixed component of the delivery (kernel CD).
CommonCryptoLib 8 is also part of the new 72x kernel patches (in the download
from SAP Service Marketplace, in the packages SAPEXE and dw_utils).
For more details, refer to SAP Note 2072638 - Dependencies between
CommonCryptoLib and SAP Kernel Package.
To determine the CommonCryptoLib version, you can use transaction
STRUST Environment Display SSF Version.
CommonCryptoLib fixes can be patched independently from SAP Kernel
Packages as follows:

1. Download CommonCryptoLib either as a part of the corresponding dw_utils or

dw_sar package, or as an alone standing product from the Download Center.

2. Extract the CommonCryptoLib files: SAPCRYPTOLIBP_<version>-

<platformID>.SAR under DIR_CT_RUN

3. Restart the application server.

Manual Installation of SAP Cryptographic Library SAPCRYPTOLIB

If there are scenarios where SAPCRYPTOLIB has to be used instead of CommonCryptoLib,
check to make sure you have the latest version using the following methods:

Download the SAP Cryptographic Library from SAP Service Marketplace.

© Copyright. All rights reserved. 197

Unit 5: RFC Security

Extract the contents of the SAP Cryptographic Library installation package.

The SAP Cryptographic Library installation package contains the library file (sapcrypto.dll for
Microsoft Windows or libsapcrypto.so (or sl) for UNIX), a license ticket, and a command line
configuration tool, sapgenpse.exe.
Copy the library and the sapgenpse command line tool in the directory $DIR_EXECUTABLE
on all application servers. Earlier versions of SAPCRYPTO 5.5.5 (pl32 and below) require a
separate license ticket file (ticket), which must be in the directory $DIR_INSTANCE/sec.
Set the environment variable SECUDIR in the environment of the user <sid>adm (or
SAPService<SID> or both) in the directory $DIR_INSTANCE/sec on all application servers.

Note:
In most situations, the ticket file is not required in the latest version, but SAP
NetWeaver AS for Java looks for the file and NWA complains if it does not exist.

Figure 159: Roadmap: Enabling SAP SNC on SAP NetWeaver AS for ABAP

The figure, Roadmap: Enabling SNC on SAP NetWeaver AS ABAP, shows the steps for
enabling SAP SNC on SAP NetWeaver AS for ABAP.

Configure SAP SNC on SAP NetWeaver AS for ABAP using SSO Wizard (transaction
SNCWIZARD)
If the new SAP Cryptographic library (CommonCryptoLib) version 8.4.20 or higher is used,
the SAP SSO wizard (transaction SNCWIZARD) enables you to set up a default configuration
for SAP SNC and SPNego on your SAP NetWeaver AS for ABAP.

© Copyright. All rights reserved. 198

 Lesson: Enabling SNC for SAP NetWeaver AS ABAP

The SAP SSO wizard (transaction SNCWIZARD

) simplifies the configuration process with the
following steps:

Defines the SAP SNC identity. The default value is CN=<system_ID>.

Sets the profile parameters for SAP SNC and SPNego in the default profile.

Note:
You can also manually change the default settings made by the wizard in
transaction RZ10.

Maintains Kerberos and X.509 credentials.

Creates an SAP SNC PSE if it does not exist.

To check your current SAP SNC and SPNego configuration, you can use transaction
SNCCONFIG. It shows the SAP SNC state of an application server instance and its SAP SNC
and SPNego profile parameters.

Trust Manager Profile Parameters

To use the SAP Common Cryptographic Library, system profile parameters need to be set up
properly so that the Trust Manager can access the correct libraries.
The parameters sec/libsapsecu and ssf/ssfapi_lib require the location of SAPCryptolib. The
ssf/name parameter must be set to SAPSECULIB.
For 740 Kernels and 72x Kernel (patches) created after Q2 2014, there is a known predefined
variable "$(SAPCRYPTOLIB)", where the platform-specific shared library prefix and filename
extension is supplied by the Kernel. You can use ABAP report RSPARAM to lookup the current
profile parameter settings including the following.

ssf/name = SAPSECULIB

ssf/ssfapi_lib = $(SAPCRYPTOLIB)

sec/libsapsecu = $(SAPCRYPTOLIB)

snc/gssapi_lib = $(SAPCRYPTOLIB)

Note:
In Secure Store and Forward (SSF), digital signatures and document encryption
are used. SAPSECULIB supports the security functions for digital signatures and
document encryption.

You use transaction RZ10 to maintain the profile parameters in the instance profile and
restart the application servers.

Table 14: Profile Parameters and Sample Values

Profile Parameters Value
sec/libsapsecu Path and file name of the SAP Cryptographic
Library

© Copyright. All rights reserved. 199

Unit 5: RFC Security

Profile Parameters Value

ssf/ssfapi_lib Path and file name of the SAP Cryptographic
Library
ssf/name SAPSECULIB

The Trust Manager uses the security library, SAPSECULIB, by default. This library is delivered
and installed in the SAP system.
The ssf/name parameter must be set to SAPSECULIB.

Note:
In Secure Store and Forward (SSF), digital signatures and document encryption
are used. SAPSECULIB supports the security functions for digital signatures and
document encryption.

Creation of SAP SNC PSE and Credentials

To use Trust Manager to create and maintain PSE for SAP NetWeaver AS for ABAP, the
following options are available:

Create a new PSE using Trust Manager on this SAP NetWeaver AS.

Create PSE on a different server, for example, on the other communication partner, SAP
NetWeaver AS, and import the PSE using Trust Manager.

Figure 160: Maintaining the SNC PSE and Credentials: Trust Manager

The figure, Maintaining the SNC PSE and Credentials: Trust Manager, shows how to create
and import PSE using Trust Manager.

© Copyright. All rights reserved. 200

 Lesson: Enabling SNC for SAP NetWeaver AS ABAP

You can use the Trust Manager, transaction STRUST, to maintain the SAP SNC PSE in the
following ways:

In transaction STRUST, select the SNC PSEnode. In the context menu, choose Create. Fill
the necessary fields and save the PSE.

To use SAP SNC, you must assign a password to the PSE. To create the credential, choose
Assign Password . If you do not assign the password for the PSE, Trust Manager will have
problems later.

Alternatively, if you want to use an existing PSE that was created from another SAP
NetWeaver AS, you can copy SAPSNCS.pse from your SECUDIR to the SECUDIR of the
target system. In transaction STRUST, choose PSE Import .

Note:
If you have assigned the Distinguished Name (DN) using the snc/identity/as
profile parameter, the DN will then be displayed when the PSE is created.

Trust Manager and Command Tool SAPGENPSE

The sections of the Trust Manager screen and their functions are as follows:

The left frame shows the available PSEs that you can maintain.

The upper section is used for PSE maintenance. In this section, you can create the
certificate requests, import the corresponding responses from the Certificate Authority
(CA), import trusted certificates into the PSE’s certificate list, and export the owner of the
PSE’s public-key certificate into the clipboard.

The lower section is used as a clipboard for certificates. For example, you can view and
export a certificate from one PSE and import the certificate into the certificate list of
another PSE.

For more information, see the application help under Help Application Help or the online
documentation Security Guide Network and Transport Layer Security at http://
help.sap.com .
In addition to using the Trust Manager to create or maintain the PSE, you can also use the
command tool SAPGENPSE to perform the following tasks:

Create PSE using SAPGENPSE

.

Create credentials using SAPGENPSE

.

You can also create a PSE on a different system with transaction STRUSTand move it to
another system.
To create a PSE using SAPGENPSE
, proceed as follows:

Set the environment variable SECUDIRto $(DIR_INSTANCE)/sec .

Use the command:

sapgenpse get_pse –p <SID>.pse –noreq –x <PIN><DISTINGUISHED_NAME>

Create credentials for the user of SAP Application Server Quality Assurance System (QAS)
using SAPGENPSE :

© Copyright. All rights reserved. 201

Unit 5: RFC Security

sapgenpse seclogin -p <SID>.pse -x <PIN> -O <user_ID>

Establish Trust Relationships for SAP SNC on SAP NetWeaver AS for ABAP

Figure 161: Establish Trust Relationships for SAP SNC on SAP NetWeaver AS for ABAP

You can use the same PSE for both the communicating systems. As shown in the figure,
Establish Trust Relationships for SAP SNC on SAP NetWeaver AS for ABAP, in the first case,
both servers share the same identity and automatically trust each other. Alternatively, in the
second case, both servers use individual PSEs and exchange public-key certificates with each
other.
On both the communicating application servers, perform the following steps to export and
import certificates:

Use the Trust Manager to export the SAP AS certificate and import it to the other system.

To export the certificate of the server, go to transaction STRUSTand choose SNC PSEand
the certificate. Choose Export certificate and save it to a destination as a local file.

To import the certificate, go to transaction STRUST, choose SNC PSEand the certificate
from its source (for example, the file system), and choose Add to certificate list .

SNC Profile Parameters

The transaction code RZ10 is used to set the SAP SNC-relevant profile parameters in the
instance profile. Setting the profile parameter snc/enable to 1 activates SAP SNC on the
application server.
If this parameter is set but the SAP SNC PSE and credentials do not exist, then the application
server will not start. For this reason, setting the SAP SNC parameters should be the last step
in the configuration procedure.
Ensure the SAP SNC PSE and the corresponding credentials exist for the application server.

© Copyright. All rights reserved. 202

 Lesson: Enabling SNC for SAP NetWeaver AS ABAP

Figure 162: SAP SNC Profile Parameters

If Secure Login Library is used, set snc/gssapi_lib to secgss.dll in the SLL directory.

Caution:
For production systems, we recommend deactivating non-SAP SNC access for
most SAP GUI users (snc/accept_insecure_gui=U ). Only a small number of
emergency accounts must be able to access the system with password logon. (In
transaction SU01, use the Unsecure communication permitted (user specific)
option on the SNC tab page.

Setup of Access Control List (ACL) Entries

In addition to identifying the communication partner using the trust relationship, the AS ABAP
also checks the ACLs. These lists specify explicitly which other systems are allowed to
connect to this system using SAP SNC.

© Copyright. All rights reserved. 203

Unit 5: RFC Security

Figure 163: Set up ACL Entries

Note:
The SAP SNC name is the DN given in the server’s certificate, with a p: prefix.

The ACLs involved in the process are as follows:

System ACL
Enter the SAP SNC name of the remote system and activate the types of communication
that are allowed for this system to connect. For example, RFC, CPIC, DIAG, user
authentication using certificates, or user authentication using other external
authentication mechanisms, such as PAS.
To maintain the system ACL, use transaction SNC0or table maintenance transaction SM30
in the SNCSYSACL table or VSNCSYSACL view (type=E).

Extended User ACL

An entry for SAP NetWeaver AS is needed to use WebRFC, for example with PAS. The
entry specifies which users from the system can log on using the SAP SNC connection.

To maintain the extended user ACL, use the table maintenance transaction SM30.

LESSON SUMMARY
You should now be able to:

Configure SNC for SAP NetWeaver AS ABAP

Configure SNC for other SAP components

© Copyright. All rights reserved. 204

 Unit 5
Lesson 3
Reducing the Attack Surface: RFC
Communication and Unified Connectivity

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Set up data collection for RFC enable function modules

RFC Communication and Unified Connectivity

Business Example
Your company runs one S/4 system, where some interfaces use BAPIs for reading and writing
data into your database. After examining the available BAPIS, you are sure that hundreds of
BAPIs will never be called. However, you cannot pin point which RFC enabled functions
modules are in use in the productive environment. Enabling detailed traces is not deemed as a
feasible option.

Blocking Unwanted Access

Figure 164: Blocking Remote Function Modules

Once UCON is activated any RFC enabled function module that is not assigned to a
Communication Assembly will be blocked. Authorizations can bring a second layer of security
for distinct communication users.

© Copyright. All rights reserved. 205

Unit 5: RFC Security

Software Lifecycle Management

Figure 165: What Happens when a New Function Module is Imported?

New function modules can be coded by developers, other will be made available through
corrective or evolutive maintenance provided by SAP (example: support package, feature
pack or even just a note).

Figure 166: Import Usage Statistics into the Development Environment

The findings from a productive system can be sent to a non-productive environment.

Developers can incorporate into their development practices the assignment of new function
modules to Communication Assemblies.

Step by Step Procedure: Capturing RFC Activity in a Productive Environment

RFC enabled function modules need to be assigned to a Communication Assembly, this will
allow you to filter which ones should be externally available. The overall process involves
picking up function module candidates, assigning them to Communication Assemblies and
logging their usage.
Hint: For a more visual presentation How-To Videos are available at: https://
wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=448476438

© Copyright. All rights reserved. 206

 Lesson: Reducing the Attack Surface: RFC Communication and Unified Connectivity

Figure 167: Step 1 — Profile Parameters

Unified connectivity is not enabled by default. Set the parameter ucon/rfc/active to 1.

Figure 168: Step 2 — Data Collection Jobs

After the profile parameter is enabled you need to review your standard jobs definition.
Access transaction SM36 and ensure that the SAP_UCON_MANAGEMENT job is running in
your system.

© Copyright. All rights reserved. 207

Unit 5: RFC Security

Figure 169: Step 3 – Transaction UCONPHTL

In the transaction UCONPHTL you can identify which function modules exist in the system.

Figure 170: Step 4 – Selecting the Inspection Client and Setting the Retention Period

Note that, besides your working clients (productive, golden, ….), several technical tools will
demand access to client 000. Be sure that the retention period is large enough, as some
functionality might only experience seasonal usage (for example: fiscal year closing).

© Copyright. All rights reserved. 208

 Lesson: Reducing the Attack Surface: RFC Communication and Unified Connectivity

Figure 171: Step 5 – Set the Duration for Logging and Evaluation Periods

A reasonable approach is to start with a small window (at least two months for logging, as
there is a good chance that some interfaces will only run in monthly basis).

Figure 172: Step 6 – Logging RFC Activity

At an early stage, allow all function modules to be logged. Later, assign them to a
Communication Assembly.

Figure 173: Step 7 – Assigning RFC Modules to a Communication Assembly

LESSON SUMMARY
You should now be able to:

Set up data collection for RFC enable function modules

© Copyright. All rights reserved. 209

 Unit 5

Learning Assessment

1. While enabling SAP Secure Network Communication (SNC) on the SAP NetWeaver
Application Server, the environment variable SECUDIR should be set to the location of the
license ticket.
Determine whether this statement is true or false.

X True

X False

2. What is the correct sequence for the steps to enable SAP SNC on SAP NetWeaver AS for
Java?
Arrange these steps into the correct sequence.

0 Install the SAP Cryptographic Library and license ticket.

0 Create or import the SAP SNC PSE.

0 Create credentials.

0 Establish trust relationships.

0 Set SAP SNC profile parameters.

0 Restart SAP NetWeaver AS for Java.

3. The secinfo file of SAP Gateway can be used to control the start-up of an external Remote
Function Call (RFC) to secure the RFC connection.
Determine whether this statement is true or false.

X True

X False

© Copyright. All rights reserved. 210

 Unit 5: Learning Assessment

4. Which files are used to secure the SAP RFC Gateway?

Choose the correct answers.

X A secinfo

X B reginfo

X C sapinfo

X D prxyinfo

5. Which ABAP authorization object is needed to maintain RFC destinations?

Choose the correct answer.

X A S_RFC_ADM

X B S_RFC_ABAP

X C S_ADM_RFC

X D S_RFC_ACL

6. Where can you check the existence of RFC trust relationships in ABAP systems?
Choose the correct answers.

X A Transaction SE38

X B Transaction SMT0

X C Transaction SMT1

X D Transaction SMT2

7. For a user to be allowed to log on with a trusted RFC connection, which authorization
object needs to be granted?
Choose the correct answer.

X A S_RFC_ADM

X B S_RFC_ABAP

X C S_ADM_RFC

X D S_RFC_ACL

© Copyright. All rights reserved. 211

 Unit 5

Learning Assessment - Answers

1. While enabling SAP Secure Network Communication (SNC) on the SAP NetWeaver
Application Server, the environment variable SECUDIR should be set to the location of the
license ticket.
Determine whether this statement is true or false.

X True

X False

Correct! While enabling SAP Secure Network Communication (SNC) on the SAP
NetWeaver Application Server, the environment variable SECUDIR should be set to the
location of the license ticket.

2. What is the correct sequence for the steps to enable SAP SNC on SAP NetWeaver AS for
Java?
Arrange these steps into the correct sequence.

1 Install the SAP Cryptographic Library and license ticket.

2 Create or import the SAP SNC PSE.

3 Create credentials.

4 Establish trust relationships.

5 Set SAP SNC profile parameters.

6 Restart SAP NetWeaver AS for Java.

3. The secinfo file of SAP Gateway can be used to control the start-up of an external Remote
Function Call (RFC) to secure the RFC connection.
Determine whether this statement is true or false.

X True

X False

Correct! The secinfo file of SAP Gateway can be used to control the start-up of an external
RFC to secure the RFC connection.

© Copyright. All rights reserved. 212

 Unit 5: Learning Assessment - Answers

4. Which files are used to secure the SAP RFC Gateway?

Choose the correct answers.

X A secinfo

X B reginfo

X C sapinfo

X D prxyinfo

Correct! The secinfo, reginfo, and prxyinfo files are used to secure the SAP RFC Gateway.

5. Which ABAP authorization object is needed to maintain RFC destinations?

Choose the correct answer.

X A S_RFC_ADM

X B S_RFC_ABAP

X C S_ADM_RFC

X D S_RFC_ACL

Correct! S_RFC_ADM is needed to maintain RFC destinations.

6. Where can you check the existence of RFC trust relationships in ABAP systems?
Choose the correct answers.

X A Transaction SE38

X B Transaction SMT0

X C Transaction SMT1

X D Transaction SMT2

Correct! You can check the existence of RFC trust relationships in ABAP systems in
transactions SMT1and SMT2.

© Copyright. All rights reserved. 213

Unit 5: Learning Assessment - Answers

7. For a user to be allowed to log on with a trusted RFC connection, which authorization
object needs to be granted?
Choose the correct answer.

X A S_RFC_ADM

X B S_RFC_ABAP

X C S_ADM_RFC

X D S_RFC_ACL

Correct! Authorization object S_RFC_ACL needs to be granted.

© Copyright. All rights reserved. 214

 UNIT 6 Secure Sockets Layer
(SSL)

Lesson 1
Discussing SSL for SAP 216

Lesson 2
Discussing SSL for SAP Management Console 225

Lesson 3
Discussing SSL for SAP NetWeaver AS ABAP 227

Lesson 4
Discussing SSL for SAP NetWeaver AS Java 235

UNIT OBJECTIVES

Describe SSL for SAP

Enable SSL for the SAP Management Console

Enable SSL for SAP NetWeaver AS ABAP

Enable SSL for SAP NetWeaver AS Java

© Copyright. All rights reserved. 215

 Unit 6
Lesson 1
Discussing SSL for SAP

LESSON OVERVIEW
This lesson explains how to configure Secure Socket Layer (SSL) for the SAP NetWeaver
Application Server (SAP NetWeaver AS) component.

Business Example
You want to secure HTTP communication. For this reason, you require an understanding of
SSL, SSL server, and SSL client.

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Describe SSL for SAP

SSL for SAP

Figure 174: Product Overview

The figure, Product Overview, provides an overview of SSL.

© Copyright. All rights reserved. 216

 Lesson: Discussing SSL for SAP

Encryption Using SSL

Figure 175: Encryption Using SSL

To secure HTTP connections in SAP NetWeaver AS, you can use SSL for encryption.
SAP NetWeaver AS can act as the server or the client component of the HTTP connection in
the following ways:

Users connecting to SAP NetWeaver AS using their Web browser.

SAP NetWeaver AS connecting to another SAP NetWeaver AS.

SAP NetWeaver AS connecting to another Web server.

Recommendations for Implementing SSL in SAP NetWeaver AS

Usage of HTTPS is recommended for all browser access from end users to SAP systems.
End users must not use HTTP to access SAP systems.

HTTPS must be implemented for communication between SAP systems, if the network
traffic is susceptible to sniffing by end users.

HTTPS must be implemented to terminate on infrastructure components (for example,

load balancers, reverse proxies) in the server network. Alternatively, SAP systems must be
configured to directly support HTTPS or SSL server.

Access to the table SSF_PSE_D must be restricted by assigning the table to a dedicated
table authorization group. End users must not have access to this new table authorization
group. For more information about protecting read access to key tables, see SAP Note
1485029.

Access to Personal Security Environment (PSE) files from ABAP programs must be
restricted. For more information about protecting access to PSE, see SAP Note 1497104.

Similar to Secure Network Communications (SNC), SSL in SAP NetWeaver AS for ABAP also
uses the SAP Common Cryptographic Library to perform the cryptographic functions. For
SSL, you must also use the SAP Common Cryptographic Library. The SAP Common
Cryptographic Library is available for download from the SAP Download Center.

© Copyright. All rights reserved. 217

Unit 6: Secure Sockets Layer (SSL)

ICM Parameters for SSL Profile

Figure 176: ICM Parameters for SSL Profile

The icm/server_port_<xx> parameters specify which protocol uses which port.

The sequence numbers and protocols for ICM and SSL profile parameter listings must
correspond.
The possible values for VCLIENT are as follows:

VCLIENT=0
In the case of HTTPS, you can additionally specify the parameter VCLIENT=0 to notify the
SSL server that no SSL client verification is needed.

VCLIENT=1
In this case, the server asks the client to transfer a certificate. If the client does not send a
certificate, authentication is performed by another method, for example, basic
authentication (default setting).

VCLIENT=2
In this case, the client must transfer a valid certificate to the server; otherwise, access is
denied.

Note:
This server-specific value overrides the value that is set with parameter icm/
HTTPS/verify_client . If you specify the SSL configuration with SSLCONFIG,
you must not set the value of VCLIENT.

The sec/libsapsecu and ssf* parameters are necessary for the Trust Manager.

© Copyright. All rights reserved. 218

 Lesson: Discussing SSL for SAP

The ssl/ssl_lib parameter specifies where the SAP Common Cryptographic Library is
located.

PSE for Identities

Figure 177: PSE for Identities

The SAP NetWeaver AS can be the server component or the client component for
connections.
Depending on the server’s role for these connections, SAP NetWeaver AS has a different
identity.
For each identity, there is a separate PSE. For example, there is an SSL server PSE, an SSL
client PSE, and a PSE for SNC.

© Copyright. All rights reserved. 219

Unit 6: Secure Sockets Layer (SSL)

SSL Server

Figure 178: Distinguished Name of the Server

For each identity, the SAP NetWeaver AS uses a different distinguished name due to the
restrictions on the corresponding name.
For example, when using the SSL server PSE, the common name (CN) in the distinguished
name of the server must correspond to the fully-qualified host name used to access the
server. As a result, different hosts within the same system may need to have different names
and different SSL server PSEs.
When using the SSL client PSE, the server functions as a system and not as a server, and uses
the <SID> as the CN.

© Copyright. All rights reserved. 220

 Lesson: Discussing SSL for SAP

SSL Server PSE

Figure 179: SSL Server PSE

Individual hosts can use the following types of SSL server PSEs:

Standard

Individual

Shared

The standard SSL server PSE is used to create individual SSL server PSEs for each host.
However, a host may also use this standard PSE for its SSL server PSE.
The CN part of the distinguished name must correspond to the fully-qualified host name that
is used to access the server. As a result, servers that are accessed using the same host name
alias can share PSEs.

© Copyright. All rights reserved. 221

Unit 6: Secure Sockets Layer (SSL)

Servers that Use the Standard PSE

Figure 180: Servers that use the Standard PSE

The standard SSL server PSE contains a wildcard as the host name in the distinguished name.
Servers that share the SSL server PSE have the same key pair and identity. Having the same
key pair and identity saves costs when obtaining the corresponding SSL server certificates.
For example, when the user contacts the SSL server through the URL https://
host123.mydomain.com:8444 , the CN of the server is *.mydomain.com . The user receives
a warning or error in the Web browser that the names do not match.
As a result, it is inconvenient to use standard SSL server PSE for individual servers. Only use
this scenario when users can access the server, regardless of the mismatched names.

Servers that Use Individual PSEs

Figure 181: Servers that use Individual PSEs

To avoid warnings or error messages, you can use individual PSEs for individual servers
instead of using the host name of the server as CN in the distinguished name.

© Copyright. All rights reserved. 222

 Lesson: Discussing SSL for SAP

To use individual PSEs, users must be able to directly access SAP NetWeaver AS. As a result,
these PSEs are not useful when you need to manage your SAP NetWeaver AS systems using
load balancing devices or network zones.

Servers that Share a PSE

Figure 182: Servers that Share a PSE

For cases in which you have a load balancer or any other device in front of the SAP NetWeaver
AS, you can have the servers sharing one PSE. When setting up this PSE, you use the host
name of the device as the CN part of the distinguished name of the application server.

SSL Client

Figure 183: SSL Client PSE – 1

© Copyright. All rights reserved. 223

Unit 6: Secure Sockets Layer (SSL)

For connections in which SAP NetWeaver AS is the client component, SAP NetWeaver AS
uses a different PSE called the SSL client PSE.
You can use different types of SSL client PSE, depending on the scenario.
By default, the server uses the standard SSL client PSE. Note that this PSE must exist for SSL
to work. When using this PSE, SAP NetWeaver AS will be authenticated using the identity
associated with this PSE.
The anonymous SSL client PSE is available to use for connections where only server-side
authentication and data encryption are necessary. No client authentication is needed. The
anonymous SSL client PSE is used only as a container for the list of Certification Authorities
(CAs) that the server trusts when accessing the other server.
You can create individual SSL client PSEs for additional identities. Use these PSEs for cases
where you want SAP NetWeaver AS to function as an individual identity, for example, when
accessing a specific application, such as a banking application.
Contrary to the SSL server PSE, the SSL client PSE is used by all application server instances
in the system.

SSL Client PSE – Determination

Figure 184: SSL Client PSE – 2

You specify which connections use which identity and PSE when you set up the HTTP
destination using transaction SM59. For each connection, you can specify a different PSE.

LESSON SUMMARY
You should now be able to:

Describe SSL for SAP

© Copyright. All rights reserved. 224

 Unit 6
Lesson 2
Discussing SSL for SAP Management Console

LESSON OVERVIEW
This lesson describes the procedure to secure access to the SAP Management Console.

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Enable SSL for the SAP Management Console

SSL for the SAP Management Console

To establish a secure communication, go to Properties in the SAP Windows Management
Console or Settings in the SAP Java Management Console.

Figure 185: Enabling HTTPS for SAP Windows Management Console 1

© Copyright. All rights reserved. 225

Unit 6: Secure Sockets Layer (SSL)

Figure 186: Enabling HTTPS SAP Windows Management Console 2

Sapstartsrv (as of 720 patch 45) allows you to specify network ACL lists, using the profile
parameters service/http/acl_file and service/https/acl_file. After you set the profile
parameters, or change the ACL lists, you must restart the affected sapstartsrv to activate the
changes. SAP Note 1495075 describes the syntax of the ACL files.

Trusted Connection with the PKI System

As of SAP Kernel Release 742, sapstartsrv automatically initializes a system PKI (information
available in http://scn.sap.com/community/security/blog/2015/04/04/secure-server-
communication-in-sap-netweaver-as-abap ), which assigns a sap_system_pki_instance
certificate (saved via a PIN in the secure storage) to each instance. Clients that authenticate
themselves with a certificate of the system PKI of the system are automatically authorized to
execute all Web service methods. With the option "-systempki <profile>", sapcontrol offers
this option ("-prot NI_HTTPS" is implicitly activated). Usage requires access to the central
secure storage and sap_system_pki_instance.pse via the configuration of the specified
profile.

LESSON SUMMARY
You should now be able to:

Enable SSL for the SAP Management Console

© Copyright. All rights reserved. 226

 Unit 6
Lesson 3
Discussing SSL for SAP NetWeaver AS ABAP

LESSON OVERVIEW
The lesson explains the process of configuring the Secure Socket Layer (SSL) on SAP
NetWeaver by creating SSL client Personal Security Environment (PSE) and SSL server PSE.

Business Example
You want to enable SSL on SAP NetWeaver Application Server (SAP NetWeaver AS) to
reinforce the security of the system. For this reason, you require knowledge of how to
perform the following tasks:

Create SSL server PSE

Create SSL client PSE

Configure SSL for Application Server ABAP (AS ABAP)

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Enable SSL for SAP NetWeaver AS ABAP

SSL for SAP NetWeaver AS ABAP

The Secure Sockets Layer (SSL) protocol is used to secure HTTP connections to and from
SAP NetWeaver Application Server (AS) for ABAP.

Authentication and Encryption with SSL

The data being transferred between the two parties (client and server) is encrypted, and
the two partners can be authenticated.

If users need to transfer their account information, SSL can be used to authenticate the
users and encrypt the information during transfer.

© Copyright. All rights reserved. 227

Unit 6: Secure Sockets Layer (SSL)

To Create SSL Client PSE

Figure 187: Roadmap to Create SSL Client PSE

The figure, Roadmap to Create SSL Client PSE, shows the steps to create an SSL client PSE.

1. Create the standard SSL client PSE.

Figure 188: Create the Standard SSL Client PSE

a) Use the Trust Manager, transaction STRUST, to maintain the SSL client PSEs.
Use the <SID> as the Common Name (CN) part of the DN.

b) If the server functions as a client component for connections where SSL is used,
create a certificate request and send it to your CA.

© Copyright. All rights reserved. 228

 Lesson: Discussing SSL for SAP NetWeaver AS ABAP

Import the corresponding response into the standard SSL client PSE.

c) Establish trust relationships by importing the CA root certificates from CAs that you
trust into the certificate list of the PSE.

2. Create the anonymous SSL Client PSE.

Figure 189: Create the Anonymous SSL Client PSE

The anonymous SSL client PSE is optional. You need this PSE for connections where the
SAP NetWeaver AS is not to be authenticated for the connection.
The Common Name part of the Distinguished Name is automatically determined by the
system as CN=anonymous .
The SAP NetWeaver AS is not authenticated when using this PSE, so you do not need to
use a certificate signed by a CA. You can skip the certificate request handling steps.
However, you need to establish the trust relationships by importing the trusted CA root
certificates into certificate list of the PSE.

3. Create an individual SSL client PSE.

Figure 190: Create an Individual SSL Client PSE

© Copyright. All rights reserved. 229

Unit 6: Secure Sockets Layer (SSL)

a) To create and activate an individual SSL client PSE, you need to make an entry in the
SSL client identity table. On the Trust Manager screen, to access the table, choose
Environment SSL Client Identities .

b) Use the Trust Manager to maintain the PSE. There are no restrictions on the
Distinguished Names for individual SSL client PSEs.

c) After creating the SSL client PSE(s), restart the Internet Communication Manager
(ICM).

4. Assign connection with SSL client PSE.

Figure 191: Assign Connection with SSL Client PSE

a) Create the HTTP connection using transaction SM59. There are two types of HTTP
connection:

HTTP connection to an external server (connection type G)

HTTP connection to an ABAP system (connection type H)

Note:
The only difference between these two connection types is the available
logon procedures. The technical settings are identical.

b) Under Technical settings , specify the host, URL, and HTTPS port to use for the target
system.

c) Specify the authentication method to use for the logon under Logon/Security options.

d) For SAP NetWeaver AS connections, Type H, specify the following logon methods:

If SSL client authentication is to be used, select Basic Authentication .

Otherwise, you can select SAP standard or SAP Trusted Systems.

e) Activate SSL and specify which SSL identity to use for the connection.

© Copyright. All rights reserved. 230

 Lesson: Discussing SSL for SAP NetWeaver AS ABAP

f) Specify the language or target client, if these values are different from the default
values.

g) If you want SSO to another SAP NetWeaver AS, you must maintain a user mapping in
the target system using the table USREXTID.
This table maps the client SAP NetWeaver AS‘s DN to the user ID used for the
connection.

h) Test the connection.

SAP Web Dispatcher and SAP Fiori Landscapes

As part of an SAP Fiori system landscape, SAP Web Dispatcher is a critical component.
HTTP(S) requests from the end users are targeting the SAP Web Dispatcher, which acts as a
reverse proxy and distributes the requests to the front-end server respective back-end
server.
To set up the communication channel between clients and SAP Web Dispatcher, configure
SAP Web Dispatcher to support SSL and configure the SAP Web Dispatcher server port.
We recommend using the Web Admin UI of SAP Web Dispatcher to configure SSL support.
As a high-level overview, these are the required steps to configure the SAP Web Dispatcher
for SSL when the connection is terminated at the SAP Web Dispatcher and SSL is used:

1. Create the SAP Web Dispatcher's PSE(s) and certificate request(s). Create an SSL server
PSE if the incoming connections use SSL. Create an SSL client PSE if the outgoing
connections use SSL. Create both if both connections use SSL.2.

2. Perform the following steps for each of the PSEs you created in the previous step:

a. Send the certificate request(s) to a CA to be signed.

b. Import the certificate request response(s) into the PSE.

c. Create credentials for the SAP Web Dispatcher.

3. For SSL outbound connections, import a CA root certificate into the SSL client PSE of the
SAP Web Dispatcher. Use the same CA root certificate for the CA that issued the SSL
server certificate to the AS ABAP application server.

4. Set the profile parameters.

5. Restart SAP Web Dispatcher.

6. Test the connection.

SAP Web Dispatcher and AS ABAP

If SAP Web Dispatcher also uses SSL for the connection to the AS ABAP system (re-
encryption), then it also needs to possess a key pair to use for this connection. This
information is stored in its SSL client PSE.
You have different options to establish a trust between SAP Web Dispatcher and an AS ABAP
system. One approach is that you export the SSL server certificate from the AS ABAP system
and import it to the SAP Web Dispatcher client PSE.
A more convenient approach is that you have a common Certification Authority (CA) in place:

1. Use this CA to sign the SSL server certificate of AS ABAP (transaction STRUST).

2. Import the root certificate of the same CA into the SAP Web Dispatcher client PSE.

© Copyright. All rights reserved. 231

Unit 6: Secure Sockets Layer (SSL)

Single Sign-On and the SAP Web Dispatcher in an SAP Fiori Landscape
The authentication concept for SAP Fiori apps comprises initial user authentication on the
ABAP front-end server, followed by authentication of all requests to back-end systems.

Initial Authentication
When a user launches an SAP Fiori app, the launch request is sent from the client to the ABAP
front-end server by the SAP Fiori launchpad. During launch, the ABAP front-end server
authenticates the user by using one of the supported single sign-on (SSO) mechanisms. We
recommend setting up SSO, thereby enabling users to start SAP Fiori apps using their single,
existing credentials. As a fallback option, initial authentication can be based on the users'
passwords on the ABAP front-end server. SAP provides a dedicated logon handler for form-
based logon. After initial authentication on the ABAP front-end server, a security session is
established between the client and the ABAP front-end server.

Authentication for Requests in the Back-End Systems

After initial authentication, a security session is established between the client and the ABAP
front-end server. Transactional apps can then send OData requests through the ABAP front-
end server towards the ABAP back-end server. OData requests towards the ABAP back-end
server are then communicated securely by trusted RFC and no additional authentication is
required.
For search in SAP Fiori launchpad, applications send InA search requests from the client to
the SAP HANA database. These requests can be authenticated with Kerberos/SPNego, X.509
certificates, or logon tickets. You can configure the ABAP front-end server to issue logon
tickets after initial authentication, or you can use your existing portal to do so.
The following authentication and SSO mechanisms are supported for SAP Fiori apps:

X.509 Certificates
If you have implemented a public-key infrastructure (PKI) for user authentication in your
organization, you can use X.509 certificates by configuring the required back-end systems
(ABAP or SAP HANA) to accept X.509 certificates.
Authentication with X.509 certificates provide the following advantages:

It does not require an issuing system during logon, which means that it works well in
internet-facing scenarios.

It is also supported for logon to the SAP GUI. Using X.509 certificates for both SAP GUI
and HTTP access simplifies the SSO setup within your system landscape.

X.509 certificates must be distributed to the workstations and devices that are used to
access SAP Fiori apps. For mobile devices, this distribution can be performed centrally by a
mobile device management software, for example SAP Mobile Platform.

Kerberos/SPNego
If you access SAP Fiori apps from within your corporate network, you can enable Kerberos/
SPNego authentication for the ABAP front-end server. This authentication is especially
recommended, if you already have a Kerberos/SPNego infrastructure in place, for example, if
you use Microsoft Active Directory.
Kerberos/SPNego authentication provides the following advantages:

© Copyright. All rights reserved. 232

 Lesson: Discussing SSL for SAP NetWeaver AS ABAP

It simplifies the logon process by reusing credentials that have already been provided, for
example, during logon to the Microsoft Windows workstation. A separate logon to the
ABAP front-end server is not required.

It is also supported for logon to the SAP GUI. Using Kerberos for both SAP GUI and HTTP
access simplifies the SSO setup within your system landscape.

It is supported by a growing number of mobile device vendors.

During logon, Kerberos/SPNego authentication requires access to an issuing system (for

example, Microsoft Active Directory). As this system is typically located within the corporate
network, Kerberos/SPNego cannot be used for most internet-facing deployment scenarios.
To enable SSO with Kerberos/SPNego authentication from outside your corporate network,
you might have to set up a VPN connection.
Kerberos/SPNego is available with the SAP SSO product, which also provides additional
authentication mechanisms, such as X.509 certificates or an SAML Identity Provider.

SAML 2.0
If you have implemented Security Assertion Markup Language (SAML) version 2.0 as the
method of SSO within your organization, you can configure the ABAP front-end server for use
with SAML 2.0.
This authentication method provides the following advantages:

It includes extensive federation capabilities, which means that it works well in scenarios
with federated user domains, where trust configuration can be complicated.

It includes extensive user mapping capabilities that enable you to map SAP users based on
identity attributes, such as the SAP user name attribute or a user's e-mail address. This
means that SAML 2.0 works well for scenarios with multiple user domains.

During logon, SAML 2.0 authentication requires access to an issuing system (Identity
Provider). To enable SSO with SAML 2.0 in internet-facing deployment scenarios that
leverage its federation capabilities, you must ensure that the SAML Identity Provider is
securely accessible from outside your corporate network.

Logon Tickets
For logon tickets, you must configure the ABAP front-end server to issue logon tickets.
Alternatively, you can use an existing system, such as a portal, in your landscape that already
issues logon tickets. In addition, you must configure the required back-end systems (ABAP or
SAP HANA) to accept logon tickets. You must also ensure that users in the ABAP system
have the same user names as the database users in SAP HANA; user mapping is not
supported. As logon tickets are transferred as browser cookies, you can only use this
authentication mechanism if all systems in your system landscape are located within the
same DNS domain.

SSO Using X.509 Client Certificates

Authentication with X.509 certificates use a Public Key Infrastructure (PKI) to securely
authenticate users. After users receive their X.509 certificates from a certificate issuing
Certification Authority (CA), they can use them to securely access SAP NetWeaver, as well as
non-SAP systems. The SAP NetWeaver and the non-SAP system can authorize access
requests, based on an established trust relationship with the CA. In addition, users can use
their X.509 certificates to authenticate their access to systems located on the internet and
within your company intranet. Thereby, you can use certificates for authentication in open
environments such as the Internet.

© Copyright. All rights reserved. 233

Unit 6: Secure Sockets Layer (SSL)

The SAP Web Dispatcher usually terminates SSL connections and later re-encrypts the traffic
to send it to the AS ABAP system. Because of the re-encryption the HTTP request that must
be authenticated is received on an SSL connection that was initiated with SAP Web
Dispatcher’s client certificate.
Therefore, SAP Web Dispatcher must forward the original client certificate (the browser
certificate) to the AS ABAP system. This is achieved by putting the original client certificate
into an HTTP request header field (by default SSL_CLIENT_CERT).
The AS ABAP system cannot simply take a client certificate from an HTTP request header,
because otherwise attackers are able to use abducted certificates. Therefore, the AS ABAP
system is only allowed to accept client certificates that have been forwarded by a trusted
intermediary.
The configuration of SSL certificate forwarding in SAP Web Dispatcher consists of three
parts:

The client (browser) must send its certificate.

The SAP Web Dispatcher must accept and forward the client’s certificate.

The AS ABAP system must accept the forwarded certificate.

LESSON SUMMARY
You should now be able to:

Enable SSL for SAP NetWeaver AS ABAP

© Copyright. All rights reserved. 234

 Unit 6
Lesson 4
Discussing SSL for SAP NetWeaver AS Java

LESSON OVERVIEW
This lesson explains how to enable Secure Socket Layer (SSL) for SAP NetWeaver Application
Server Java (SAP NetWeaver AS Java).

Business Example
To secure the HTTP communication, you need to configure SSL on SAP NetWeaver AS Java.
For this reason, you require an understanding of the following:

How to enable SSL on SAP NetWeaver AS Java

How to configure SSL for SAP NetWeaver AS Java

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Enable SSL for SAP NetWeaver AS Java

SSL for SAP NetWeaver AS Java

The SAP NetWeaver Application Server (AS) for Java supports the use of transport layer
security for network communications. It uses SSL for some protocols, such as HTTP, P4, and
LDAP.

Security Features of SSL at the Network Layer

Authentication
With server-side authentication, the server identifies itself to the client when the
connection is established, which reduces the risk of server impersonation to gain
information from clients.
With mutual authentication, both the client and the server are authenticated when the
connection is established. For example, you use client-side authentication at SSL level to
authenticate users with client certificates instead of with user IDs and passwords.

Data integrity
The data being transferred between the client and the server is protected, so that any
manipulation of the data is detected.

Data privacy
The data being transferred between the client and the server is also encrypted, which
provides privacy protection. An eavesdropper cannot access the data.

© Copyright. All rights reserved. 235

Unit 6: Secure Sockets Layer (SSL)

To Enable SSL on SAP NetWeaver AS for Java

1. Choose a specific SSL port.

2. Generate a public and private key pair.

3. Send certificate signing request (CSR) request to the Certification Authority (CA).

4. Import the CSR response.

5. Import the public certificate of the CA.

6. Restart the instance.

LESSON SUMMARY
You should now be able to:

Enable SSL for SAP NetWeaver AS Java

© Copyright. All rights reserved. 236

 Unit 6

Learning Assessment

1. Which of the following options are the components of a Personal Security Environment
(PSE)?
Choose the correct answers.

X A Public and private key pair

X B Digital signatures

X C Public-key certificate of the server

X D SAP Security Library

2. Which of the following is not done to create Secure Socket Layer (SSL) server Personal
Security Environment (PSE)?
Choose the correct answer.

X A Create the standard SSL server PSE

X B Establish the necessary trust relationships

X C Create individual PSEs

X D Specify the PSE for each application server to use individual PSEs

3. Who must certify the public key of the SAP NetWeaver AS for Java key pair to use a key
pair for SSL?
Choose the correct answer.

X A SAP user

X B SUPER user

X C Certification Authority (CA)

X D The SSL client

© Copyright. All rights reserved. 237

Unit 6: Learning Assessment

4. The SAP Web Dispatcher supports the use of SSL using which of the following?
Choose the correct answer.

X A SAP Common Cryptographic Library

X B OpenSSL

X C Kerberos

X D Windows NT LM Service

5. What is the meaning of the parameter VCLIENT = 2?

6. Which parameter can be used to restrict non-encrypted access to the SAP Host Agent
sapstartsrv program?

7. Which keystore view contains backup copies of the default key pair and trusted
certificates for SSL?

8. Which HTTP header field is used by SAP Web Dispatcher to forward a certificate?

© Copyright. All rights reserved. 238

 Unit 6

Learning Assessment - Answers

1. Which of the following options are the components of a Personal Security Environment
(PSE)?
Choose the correct answers.

X A Public and private key pair

X B Digital signatures

X C Public-key certificate of the server

X D SAP Security Library

Correct! A PSE contains a public and private key pair and the public-key certificate of the
server.

2. Which of the following is not done to create Secure Socket Layer (SSL) server Personal
Security Environment (PSE)?
Choose the correct answer.

X A Create the standard SSL server PSE

X B Establish the necessary trust relationships

X C Create individual PSEs

X D Specify the PSE for each application server to use individual PSEs

Correct! To create an SSL sever PSE, you do not need to create individual PSEs.

3. Who must certify the public key of the SAP NetWeaver AS for Java key pair to use a key
pair for SSL?
Choose the correct answer.

X A SAP user

X B SUPER user

X C Certification Authority (CA)

X D The SSL client

Correct! The CA must certify the public key in this case.

© Copyright. All rights reserved. 239

Unit 6: Learning Assessment - Answers

4. The SAP Web Dispatcher supports the use of SSL using which of the following?
Choose the correct answer.

X A SAP Common Cryptographic Library

X B OpenSSL

X C Kerberos

X D Windows NT LM Service

Correct! SAP Web Dispatcher supports the use of SSL using the SAP Common
Cryptographic Library.

5. What is the meaning of the parameter VCLIENT = 2?

The client must transfer a valid certificate to the server; otherwise, access is denied.
Correct! The client must transfer a valid certificate to the server; otherwise, access is
denied.

6. Which parameter can be used to restrict non-encrypted access to the SAP Host Agent
sapstartsrv program?

service/http/acl_file
Correct! service/http/acl_file can be used to restrict non-encrypted access to the SAP
Host Agent sapstartsrv program.

7. Which keystore view contains backup copies of the default key pair and trusted
certificates for SSL?

service_ssl
Correct! service_ssl contains backup copies of the default key pair and trusted certificates
for SSL.

8. Which HTTP header field is used by SAP Web Dispatcher to forward a certificate?

SSL_CLIENT_CERT
Correct! SSL_CLIENT_CERT is used by SAP Web Dispatcher to forward a certificate.

© Copyright. All rights reserved. 240

 UNIT 7 Integration B2B

Lesson 1
Discussing Process Integration and Orchestration 242

Lesson 2
Discussing Web Services Security in ABAP 247

UNIT OBJECTIVES

Discuss how to protect interface communication

Explain web services security in ABAP

© Copyright. All rights reserved. 241

 Unit 7
Lesson 1
Discussing Process Integration and
Orchestration

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Discuss how to protect interface communication

Interface Security
The primary purpose of a process integration/process orchestration (PI/PO) landscape is to
enable business partners and applications to exchange messages (typically business
documents).
The PI/PO environment can have many different adapters deployed. These adapters allow the
PI/PO system to receive messages from the communication source and deliver them to the
target system(s), using multiple technical formats (for example, IDOC, XML, CSV, and EDI).
The available security configurations are adapter-dependent.

Securing Communication Channels

Figure 192: Receiver CIDX Adapter (1/2)

© Copyright. All rights reserved. 242

 Lesson: Discussing Process Integration and Orchestration

Figure 193: Receiver CIDX Adapter (2/2)

The CIDX adapter enables business transactions to be executed between CIDX trading
partners based on Chem eStandards specifications.
The adapter implements the transport, packaging, and routing of CIDX business messages
and signals as defined in the Chem eStandards envelope and security specifications (based
on RNIF 1.1 specifications).
The transport protocols to be used are HTTPS and HTTP. With HTTPS, client authentication is
possible for the sender party and the receiver party.
The adapter supports the security functions of the RNIF 1.1 business transaction dialog:
Authentication, authorization, and non-repudiation. Confidentiality is be ensured by using
transport-level encryption, for example, HTTPS.
The CIDX adapter supports detached signatures based on the PKCS#7 specification and
RNIF1.1 transport binding. The validation of signatures and trustworthiness of the associated
public key can be based on a hierarchical trust model or a direct trust model. The hierarchical
trust model is restricted to certificates directly signed by a root CA. There is no support for
the handling of certificate revocation lists.
The adapter supports non-repudiation of origin and content as well as non-repudiation of
receipt.

© Copyright. All rights reserved. 243

Unit 7: Integration B2B

Figure 194: Receiver FTP Adapter

The PI/PO system is installed with a file adapter that provides data transfer through file
sharing (such as NFS mounts) or through an FTP protocol. This adapter provides an FTPS
protocol for secure communication. An SFTP adapter is available for deployment (needs to be
downloaded and installed, for more information see SAP Note 1690557).

Figure 195: Receiver HTTP Adapter

The HTTP adapter handles HTTP requests, in which the message header data is transported
using URL parameters, and the HTTP body only contains the message payload.
The transport protocols to be used are HTTPS and HTTP. The authentication methods
available are anonymous logon, basic authentication, and authentication by certificate (when
using SSL).

© Copyright. All rights reserved. 244

 Lesson: Discussing Process Integration and Orchestration

Figure 196: Receiver REST Adapter

The REST adapter offers the usage of OAuth 2.0.

Figure 197: Receiver SOAP Adapter

The SOAP adapter allows digitally signed messages. Signature validation or decryption can be
activated in the channel configuration. The Java keystore views of the actual certificate for
signature validation or decryption are configured in the sender agreement associated with the
channel.

© Copyright. All rights reserved. 245

Unit 7: Integration B2B

Figure 198: Receiver WS Adapter (1/2)

Figure 199: Receiver WS Adapter (2/2)

Depending on the SAP NetWeaver version and also on the existence of an ABAP Integration
Engine, the list of adapters will be different. Most adapters run on the Java Adapter Engine but
the ABAP Integration Engine also offers adapters for Web Services, IDoc, and Plain HTTP
communication.

LESSON SUMMARY
You should now be able to:

Discuss how to protect interface communication

© Copyright. All rights reserved. 246

 Unit 7
Lesson 2
Discussing Web Services Security in ABAP

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Explain web services security in ABAP

Web Services Security in ABAP

Figure 200: SOA Management

You can configure security settings for the service provider and service consumer for the
runtime of Web services.
To edit the security settings for service providers:

1. From the main screen of SOA Manager, go to the Service Administration tab.

2. Select Web Service Configuration .

3. Search for a service definition.

4. Choose the internal name of the service definition to display details.

5. Choose the Edit binding icon for a selected binding.

The provider security settings are displayed on the first tab.

© Copyright. All rights reserved. 247

Unit 7: Integration B2B

Security Settings
You can edit the following settings:

Security Area Description

Transport Level Security The level of security provided for the trans-
port layer, that is, the transport of messages.
You can use either HTTP or HTTPS.
Message Level Security The level of security provided for each mes-
sage.
Messages can be secured using an XML sig-
nature/certificate and XML encryption with
either symmetric or asymmetrical keys. Us-
ing Secure Conversation, messages are se-
cured with a pre-defined symmetrical key.
The key is reused in further calls.

Authentication Method Description

No Authentication Select whether or not authentication is re-
quired to use the Web service. You can use
Transport Channel Authentication or Mes-
sage Authentication (but not both).
Transport Channel Authentication Authentication information is found in the
HTTP header.

User ID/Password

X.509 SSL Client Certificate

Single Sign On using SAP Assertion Ticket

For more information, on SAP Help Portal, go

to SAP NetWeaver Security Guide SAP
NetWeaver Single Sign-On.

Message Authentication Authentication information is found in the

SOAP header.

User ID/Password
Authentication with WS Security User-
name Token

X.509 SSL Client Certificate

Authentication with a signed SOAP mes-
sage, user authentication by certificate

Single Sign-on using SAML

© Copyright. All rights reserved. 248

 Lesson: Discussing Web Services Security in ABAP

Authentication Method Description

Authentication with a signed SAML asser-

tion

To use an external security token service to

receive or request a SAML 1.1 token, select a
Token Issuer.
For more information, on SAP Help Portal, go
to SAP NetWeaver Security Guide SAP
NetWeaver Single Sign-On.

Figure 201: Simplified Service Configuration (1/2)

The SOAMANAGER transaction offers several simplified configuration options for securing web
services. The API settings allow you to set the default settings for authentication methods.

© Copyright. All rights reserved. 249

Unit 7: Integration B2B

Figure 202: Simplified Service Configuration (2/2)

The Configuration tab lists the existing service definitions and their authentication methods.

Figure 203: Function Module BAPI_USER_GET_DETAIL

SAP Netweaver AS for ABAP allows remote-enabled function modules to be exposed as web
services.

© Copyright. All rights reserved. 250

 Lesson: Discussing Web Services Security in ABAP

Figure 204: Create Web Service for Function Module

When generating a web service from an existing function module, the wizard allows you to set
security options.

LESSON SUMMARY
You should now be able to:

Explain web services security in ABAP

© Copyright. All rights reserved. 251

 Unit 7

Learning Assessment

1. Give an example of an adapter that provides non-repudiation capabilities.

2. Give an example of an adapter that supports OAuth authentication.

3. To implement SFTP communication in a PI system which actions are required?

4. In a SOAP message, where can the authentication information be found?

© Copyright. All rights reserved. 252

 Unit 7

Learning Assessment - Answers

1. Give an example of an adapter that provides non-repudiation capabilities.

CIDX adapter
Correct! CIDX adapter provides non-repudiation capabilities.

2. Give an example of an adapter that supports OAuth authentication.

REST adapter
Correct! REST adapter supports OAuth authentication.

3. To implement SFTP communication in a PI system which actions are required?

You need to download and install the SFTP adapter.

Correct! You need to download and install the SFTP adapter.

4. In a SOAP message, where can the authentication information be found?

In the SOAP header

Correct! The authentication information can be found in the SOAP header.

© Copyright. All rights reserved. 253

 UNIT 8 Infrastructure

Lesson 1
Protecting Operative System Security 255

Lesson 2
Protecting Database Security 258

UNIT OBJECTIVES

Protect operative system security from an infrastructure point of view

Protect database security from an infrastructure point of view

© Copyright. All rights reserved. 254

 Unit 8
Lesson 1
Protecting Operative System Security

LESSON OVERVIEW
This lesson promotes the discussion of operative system security-relevant issues and lists a
few opportunities for improvement. Most activities to be performed in an SAP landscape are
vendor dependent and SAP often refer to the vendor for detailed information.

Business Example
You are aware that gaining access to the operative system allows you to reach the databases
and access data. You need to find details about how you can increase your operative system
security.

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Protect operative system security from an infrastructure point of view

Microsoft Windows Security

Note:
This topic provides complementary information. It does not address operating
system fundamentals.

Microsoft Windows: Useful Topics

Verify sapservice<SID> permissions.

Apply security recommendations and updates as recommended by the operative system

vendor.

Enable the built-in firewall.

Table 15: Microsoft: The Basics

Article Subject

SAP Note 1837765 Security policies for <SID>adm and sapser-

vice<SID> on Windows

sapservice<SID> Permissions
ABAP programs and ABAP users can start operating system commands and scripts with the
permissions of sapservice<SID>.

© Copyright. All rights reserved. 255

Unit 8: Infrastructure

This user should be denied interactive logon. Since SAP NetWeaver 7, sapservice<SID> no
longer needs to be a local administrator. For managing the SAP system, the user <sid>adm is
available.

Patching
SAP does not have detailed recommendations regarding Microsoft operating systems. The
operating system vendor recommendations should be followed unless there is a known issue
reported in SAP documentation.

Protecting SAP Systems on Windows Using Firewalls

SAP recommends using firewalls and Access Control Lists (ACLs) on network routers to
protect SAP systems and databases from being attacked.
Windows has a built-in firewall which should be enabled by default in productively used
landscapes.
SAP does not recommend installing firewalls between SAP application server instances
(ABAP or Java) and the database. The rationale behind this recommendation is related to
connection troubleshooting. Keep in mind that most databases can be accessed through
encrypted communication.

Linux and Unix Security

Note:
This topic provides complimentary information. It does not address operative
system fundamentals.

Linux and Unix: Useful Topics

X Server: Is it needed?

Apply security recommendations and updates as recommended by the operative system

vendor.

Look for how-to guides regarding operative system hardening on SAP environments.

X Window System
There are security issues involved with the use of X Window System. Therefore, for an SAP
system installation, check if you need to have the corresponding X server running on an SAP
application server. If not, then disable this service. Otherwise, take precautions according to
the vendor to protect this service. On Linux, X is started with -nolisten tcp by default, which
avoids these issues.

iSeries Security

Note:
This topic provides complementary information. It does not address operating
system fundamentals.

© Copyright. All rights reserved. 256

 Lesson: Protecting Operative System Security

iSeries: Useful Topics

Use SSH instead of the menu-based interface for operations.

Secure telnet5250 communication for support and other administration activities.

Table 16: iSeries: The Basics

Article Subject

SAP Note 1966316 IBM i: Configuring SSH access for SIDADM

with correctly set ILE and PASE environment
SAP Note 2016103 Secure AS/400 connection to AS/400 cus-
tomer
SAP Note 2030412 Configuring Secure 5250 Remote Support
Connections

SSH for iSeries SAP Administration

Simple SAP administration tasks, such as editing SAP profiles, and the subsequent starting
and stopping of the system, can also be carried out in the UNIX environment provided by the
SSH server. An SSH connection can also be opened for support, in addition to a Telnet
connection.
The SSH server must be running on the IBM i. You start it with the command STRTCPSVR
SERVER(*SSHD) and stop it with the command ENDTCPSVR SERVER(*SSHD). If you want to
run it constantly, you should configure an automatic start of the SSH server in the IPL.

Secure Telnet 5250 SAP Router Connections

You require a secure AS/400-5250 connection for your system so that you can benefit from
support sessions.

Enable 5250 security on your IBM i.

Configure your SAP router to allow port 922 to your IBM i.

Configure and open an SAP Secure AS/400 Remote Support Connection.

LESSON SUMMARY
You should now be able to:

Protect operative system security from an infrastructure point of view

© Copyright. All rights reserved. 257

 Unit 8
Lesson 2
Protecting Database Security

LESSON OVERVIEW
This lesson promotes the discussion of database system security-relevant issues. It also
identifies some of the most relevant opportunities for improvement, such as:

Encryption of network traffic.

Encryption of the persistence layer.

GDPR-relevant configurations, such as preventing unauthorized access to business data

by database administrators.

Business Example
You want to secure your database resources and ensure that database administrators will not
access business data.

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Protect database security from an infrastructure point of view

IBM DB2 for i

Note:
This topic provides complementary information. It does not address operating
system fundamentals.

DB2 for i: Useful Topics

Database user authorizations for DBACOCKPIT.

Table 17: DB2 for i: The Basics

Article Subject

SAP Note 2031950 IBM i: Authorities for remote database con-

nections

DBA Cockpit Segregation of Duties

Though it is always possible to access a remote DB2 for IBM i database with the user profile
<SID>ADM or a user profile that is a member of <SID>OWNER, this approach implies that
every application using that secondary connection would also have full access to any table of
the SAP system <SID>.

© Copyright. All rights reserved. 258

 Lesson: Protecting Database Security

If you want to avoid this situation, you must configure another user profile on the remote
system. You must enter this user profile as a connecting user in the configuration of the
secondary connection.
The minimum set of authorities that the user profile needs depends on the main usage
purpose of the secondary connection:

If you plan to use the enhanced DBA Cockpit screens from within the monitoring system,
give the user profile the authority *USE for the database library used by the SAP Database
Performance Collector for IBM i on the remote system (SAPDB4M or SAPDB4M<nnn> on
systems with independent ASPs). To allow changing configuration values through the DBA
Cockpit, the user profile must have authority *CHANGE on the tables CONFIG and
SCHEDULE in that database library.

If you plan to use the SAP Performance Warehouse extractors for a remote ABAP system,
the user profile must have the same authority configuration as for the enhanced DBA
Cockpit screens. It must also have the authority *USE for the database library of the
remote ABAP system (R3<SID>DATA) and the authority *USE for the tables DD02L and
DD03L in that library.

IBM DB2 for Linux, Unix, and Windows

Note:
This topic provides complementary information. It does not address operating
system fundamentals.

DB2 for Linux, Unix, and Windows: Useful Topics

Enable segregation of duties: prevent database administrators from accessing business

data.

Encrypt communication between the database server and the client application.

Use native encryption to secure the database files.

Table 18: DB2 LUW: The Basics

Article Subject

SAP Note 1555903 Supported IBM DB2 Database Features

SAP Note 1678159 DB6: Role-Based Security Concept

Segregation of Duties: Role-Based Security Concept

The new role-based security concept for database users offers a solution for the following
business scenarios:

In an SAP system, you have default administrator users. With the role-based security
concept, it is easier to create additional, individual administration users for all persons
involved in monitoring and administration. As a result, it is possible to track the changes or
activities of the individual administrators for security audits.

© Copyright. All rights reserved. 259

Unit 8: Infrastructure

The new role-based concept provides different roles for monitoring or administration.
These roles can be used to restrict user privileges according to the organizational tasks.
No individual person should have more privileges than required.

In SAP Solution Manager, remote database connections are used to manage the
databases in the landscape. The new role-based security concept can add an additional
security layer to protect business data.

If you want to work with separation of duties, you should consider the following restrictions
that apply in this scenario:

If performance tuning and administration users also need the ability to perform EXPLAIN
statements on tables that they cannot access, you need to assign the EXPLAIN authority
to them. Hence, you can perform a separation of duties without removing the EXPLAIN
function from the user privileges of administrators.

With the Separation of Duties feature enabled, system administrators cannot use the Test
Execute function because they do not have a SELECT privilege for business tables. In
addition, it is not possible to verify distribution statistics of all tables used by a problematic
SQL statement.

Data Encryption in Client-Server Communication

DB2 allows you to encrypt data communication between client and server.

Native Encryption
Native database encryption for the DB2 database server is available as of DB2 10.5 FP5 and
higher. With native database encryption, the database system itself encrypts the data before
it calls the underlying file system to write that data to disk. Native database encryption is
suitable for protecting data in cases of either physical theft of disk devices or privileged user
abuse.
As of SL Toolset 1.0 SPS 26 (Software Provisioning Manager 1.0 SP 26), you can set up DB2
native encryption during SAP system installation or system copy using the installation wizard.
For more information, see your relevant installation guide or system copy guide.

IBM DB2 for z/OS

Note:
This topic provides complementary information. It does not address operating
system fundamentals.

DB2 for z/OS: Useful Topics

Enable data stream encryption to secure communication between the database driver and
the database.

Connect your application server to the database using certificates.

Table 19: DB2 for z/OS: The Basics

Article Subject

SAP Note 1862520 Passwordless certificate-based database

logon

© Copyright. All rights reserved. 260

 Lesson: Protecting Database Security

Network Encryption and Certificate-based Logon

SAP Netweaver ABAP AS can connect to the database using certificates instead of passwords
for the login procedure. Additionally, SSL/TLS can be used for encrypting data transfer.
Please refer to SAP Note 1862520.
With DB2 for z/OS this can be accomplished using DRDA data stream encryption. Both, the
IBM Data Server Driver for CLI and JDBC support this on the client side. DB2 for z/OS takes
advantage of the integrated hardware cryptographic coprocessors on IBM Z and of the z/OS
integrated cryptographic service facility (ICSF) to encrypt and decrypt the data stream by
hardware means. Therefore, the performance impact of encrypting the data stream is low on
the DB2 for z/OS side. However, be aware that the performance impact on the client side is
larger.

Microsoft SQL Server

Note:
This topic provides complementary information. It does not address operating
system fundamentals.

Microsoft SQL Server: Useful Topics

Secure the database files with transparent data encryption.

Encrypt communication between the application server and the database.

Table 20: Microsoft SQL Server: The Basics

Article Subject

SAP Note 555223 FAQ: Microsoft SQL Server in NetWeaver

based systems
SAP Note 1380493 SQL Server Transparent Data Encryption
(TDE)
SAP Note 1570930 SQL Server network encryption with SAP

SQL Server Transparent Data Encryption

SQL Server Transparent Data Encryption (TDE) is a transparent data encryption process to
protect data in SQL server database and log files. SQL Server TDE protects data stored in the
database from unauthorized access in the following cases:

Theft of database backups

Loss of database backups

Unauthorized copy of database files

Theft of database files

Unsafe disposal or transport of disk or backup media

Since TDE is completely transparent to SAP applications, no configuration changes are

needed for SAP applications. Applying TDE to an existing database is done on the database
level only. There are no immediate impacts on the functionality of SAP applications. However,

© Copyright. All rights reserved. 261

Unit 8: Infrastructure

there could be performance impacts, impacts in HA/DR measures, and impacts for
homogenous system copies.

SQL Server Network Encryption

The encryption mechanism is handled between the SQL Native Access Client (SNAC) and
SQL Server, and is therefore transparent to the application layer.
The CPU overhead of SSL encryption used to be significant many years ago. Nowadays, with
advances in the performance of Intel and AMD commodity servers, this is usually no more
than a few percent.

Oracle

Note:
This topic provides complementary information. It does not address operating
system fundamentals.

Oracle: Useful Topics

Connect your application server with SSFS.

Precautions with the PUBLIC role.

SoD: Capabilities of Oracle Database Vault.

Secure communication with network encryption and data integrity.

Secure your database files with transparent database encryption.

Table 21: Oracle: The Basics

Article Subject

SAP Note 105047 Support for Oracle functions in the SAP envi-
ronment
SAP Note 973450 Oracle network encryption and data integrity
SAP Note 1355140 Using Oracle Database Vault in an SAP envi-
ronment
SAP Note 1622837 Secure connection of AS ABAP to Oracle via
SSFS
SAP Note 1868094 Overview: Oracle Security SAP Notes
SAP Note 1875799 Database Vault: Access to selected SAP ta-
ble
SAP Note 2218115 Oracle Database Vault for SAP NetWeaver
SAP Note 2553347 Oracle Database Role PUBLIC
SAP Note 2591575 Using Oracle Transparent Data Encryption
(TDE) with SAP NetWeaver

© Copyright. All rights reserved. 262

 Lesson: Protecting Database Security

Secure Connection to Oracle via SSFS

Previously, the connection of the SAP system (Application Server ABAP), and of SAP tools
that use the ABAP database interface (R3trans, R3load, and so on), to the database via
SQLNet (using the database alias name, for example, TNS) worked in such a way that an OPS
$ connection (with the database user OPS$<SID>ADM) that was authorized by the operating
system user <sid>adm was created first ("connect /@TNS"). This permitted access to the
SAPUSER table, and to this table only. It contains the encrypted password for the actual
database connection of the SAP database user (default name SAPSR3).
As of Release 11g, OPS$ remote connect (using the TNS alias name) is no longer supported
by future Oracle versions. As of kernel release 7.20, SAP introduces a new method of securely
storing the database password and for connecting to the database: Secure Storage in File
System (SSFS). The encrypted password for the SAP database user is no longer stored in the
database, but in the file system.

Oracle Database Role PUBLIC

Several documents can be found from Oracle (MOS notes), SAP (SAP notes), and other
sources that discuss and describe which privileges can or should be revoked from PUBLIC.
Before doing that, you are advised to read SAP Note 2553347.
Whenever you revoke roles or privileges from PUBLIC, you should always keep track of these
changes in a script so that you can undo the changes and grant the privileges back if needed,
as unexpected problems might happen in SAP environments.

Oracle Database Vault

With Oracle Database Vault, sensitive data of the SAP application can be protected from
unauthorized access by highly-privileged database users (for example, database
administrators) via the SQL interface.
SAP provides a PL/SQL script dv_policy.sql that configures the SAP NetWeaver Database
Vault standard policy. This policy considers SAP BR*Tools which requires that certain
database accounts and database roles are created in the database.
The SAP NetWeaver Database Vault standard policy consists of the following elements:

A realm that protects SAP application data of the SAP NetWeaver ABAP Stack from DBA
access (ABAP Stack Realm).

A realm that protects SAP application data of the SAP NetWeaver Java Stack from DBA
access (Java Stack Realm).

A realm that manages access to SAP BR*Tools dictionary tables to SAP BR*Tools
administrators (BRTOOLS Realm).

A rule/ rule set that prevents administrators with access to the SAP application realm
from accessing the data.

Database Vault and the SAP NetWeaver Database Vault standard policy protect sensitive SAP
application data from unauthorized access through high privileges database users. However,
if a user has been granted the privilege to access the data of a table directly (table privilege),
then access to this table will not be blocked by Database Vault. When you use Oracle
Database Vault to prevent database administrators from accessing SAP application data, you
must ensure that these users are not granted access to SAP tables through a table privilege
(GRANT SELECT ON SAPSR3.<TABLE> TO <DBA>).

© Copyright. All rights reserved. 263

Unit 8: Infrastructure

For Database Vault installations it is recommended to configure the Secure Store for SAP
BR*Tools, and to use BRT$ADM as the default administration user for SAP BR*Tools instead
of OPS$ users.

Oracle Network Encryption and Data Integrity

You want to encrypt the data traffic between the SAP application and Oracle database, and
you want to ensure the integrity of the transferred data.
The Oracle database provides various procedures for encrypting data traffic and provides
crypto-checksum procedures that ensure data integrity. Encryption processes protect data
from unauthorized read access, and checksum procedures detect data corruption. In
combination, this guarantees secure data transfer.

Table 22: Oracle 12.1 Supported Algorithms

Algorithms for Network Encryption Algorithms for Data Integrity

AES256 SHA1
AES192 SHA256
AES128 SHA384
— SHA512

Oracle Transparent Data Encryption

Oracle Transparent Data Encryption (TDE) enables you to encrypt sensitive data stored in
tables and tablespaces. After the data is encrypted, this data is transparently decrypted for
authorized users or applications when they access this data. TDE helps protect data stored on
media (also called data at rest) if the storage media or data file is stolen.
To prevent unauthorized decryption, TDE stores the TDE master encryption keys (or just
encryption keys) in a security module external to the database, called a keystore or a TDE
keystore.

SAP Adaptive Server Enterprise

Note:
This topic provides complementary information. It does not address operating
system fundamentals.

SAP Adaptive Server Engine: Useful Topics

Connect your application server with SSFS.

Database encryption.

Network encryption.

Auditing and granular permissions.

© Copyright. All rights reserved. 264

 Lesson: Protecting Database Security

Table 23: SAP Adaptive Server Engine: The Basics

Article Subject

SAP Note 1643080 SYB: Database connect information for Syb-

ase ASE
SAP Note 2106688 SYB: Granular Permissions in SAP ASE
SAP Note 2280166 Hardware Security Module on SAP ASE
SAP Note 2401066 How to configure an encrypted database
without using SWPM - SAP ASE for Business
Suite
SAP Note 2481596 SYB: Encrypted data transfer between SAP
system and SAP ASE database
SAP Note 2519034 How to calculate extra memory needed for
enabling database encryption - SAP ASE 16.0
SAP Note 2593925 SYB: Enable SSL in SAP ASE with SAP Busi-
ness Suite manually
SAP Note 2689692 SYB: decryption information stored in a
Hardware Security Module (HSM)
SAP Note 2717834 SYB: Discretionary Access Control configura-
tion options offered by SWPM
SAP Note 2742692 SYB: Filter ASE audit records before archiv-
ing
SAP Note 2742711 SYB: Spool audit events into file in the file
system

Secure Connection to SAP Adaptive Server Engine via SSFS

The database connect information is stored securely in the Secure Storage in File System (AS
ABAP).

Database Encryption
SAP ASE version 16.0 introduces the ability to encrypt entire databases, providing protection
for an entire database without affecting existing applications.
Once you encrypt a database, all its data, indexes, and transaction logs become encrypted.
This encryption is transparent, so that users can perform operations on tables, indexes, and
so on, as usual, without noticing any differences. Earlier versions of SAP ASE allow only
column encryption.
The Software Provisioning Manager has the ability to install a fully encrypted database with
the use of a master key start-up file. To increase the security level, a Hardware Security
Module should be used instead of the master key start-up file in the file system.

Network Encryption
SSL encryption is supported starting with SAP ASE Version 16.0 SP02 PL06 HF1 and higher.
The Software Provisioning Manager 1.0 SP 21 offers to set up SAP ASE with SSL encrypted
data transfer.

© Copyright. All rights reserved. 265

Unit 8: Infrastructure

The installation option for creating a new SAP system shows a dialog screen with the check
box Enable encrypted data transmission with SSL and an input field for the SSL password.
The installer generates the necessary SSL certificates and applies them to SAP ASE and the
SAP system.
Starting with ASE release 16 SP03 PL4 the backup server is also able to use SSL encrypted
data transfer. The Software Provisioning Manager offers a corresponding check box if this
ASE version (or later) is used.

Segregation of Duties and Auditing: Granular Permissions, Discretionary Access Control

(DAC)
Granular permissions provide DBAs with the functionality to avoid security breaches and have
tighter control over which users can access sensitive data.
Grantable system privileges enable you to enforce the following security concepts:

The separation of duties, which requires - for specific sets of operations - that no single
individual is allowed to execute all operations within the set.

The principle of least privilege, which requires that all users in an information system
should be granted as few privileges as required to do the job.

In SAP Business Suite Systems on SAP ASE, granular permissions are enabled when the
system is installed on >= SAP ASE 16.0 SP03, when SAP ASE is upgraded to a version >=
16.0.
Starting with ASE 16.0, the SAP installer creates the database sybsecurity with one data
device for collecting ASE configuration changes per default. It is also possible to enable
further auditing options to detect penetration of the system and misuse of resources. The
SAP installer also allows for the creation of the optional database sybsecurityarchive for audit
record archiving.

SAP HANA

Note:
This topic provides complementary information. It does not address operating
system fundamentals.

SAP HANA: Useful Topics

Secure DBACOCKPIT and prevent unauthorized access to data.

Connect your application server with SSFS.

Backup encryption.

Persistence layer encryption.

Securing HANA inter-service communication.

Table 24: SAP HANA: The Basics

Article Subject

SAP Note 1640741 FAQ: "DB users for the DBA Cockpit for SAP
HANA"

© Copyright. All rights reserved. 266

 Lesson: Protecting Database Security

Article Subject

SAP Note 2000003 FAQ: SAP HANA

SAP Note 2154997 Migration of hdbuserstore entries to ABAP
SSFS
SAP Note 2159014 FAQ: SAP HANA Security
SAP Note 2183363 Configuration of SAP HANA internal network
SAP Note 2222200 FAQ: SAP HANA Network
SAP Note 2250144 FAQ: SAP HANA Secure User Store
SAP Note 2400005 FAQ: SAP HANA Persistence
SAP Note 2444090 FAQ: SAP HANA Backup Encryption

Secure Connection to SAP HANA via SSFS

SAP HANA Secure Store is used to store the connectivity information for the HANA Database
Instance an SAP NetWeaver Applications Server Instance is connecting to. It retrieves the
connection information from the HANA client-side hdbuserstore. The SAP HANA user store
(hdbuserstore) can be used to store user logon information to allow client applications to
connect to SAP HANA without having to enter a user's password explicitly (as in SAP MaxDB).

Backup Encryption
SAP HANA backups are encrypted using a symmetrical encryption algorithm (AES-256) with
so-called backup encryption root keys (BEK) (key length = 256 bit). These backup encryption
root keys are stored in the instance Secure Store in the File System (instance SSFS).
Native backup encryption to the file system, or using third-party backup tools (Backint), is
supported from SAP HANA 2.0 SPS 01. Full, delta, and log backups can be encrypted.
Data in data snapshots is encrypted as part of data volume encryption, not as part of backup
encryption.

Persistence Layer Encryption

If data volumes are encrypted, all pages that reside in the data area on disk are encrypted
using the AES-256-CBC algorithm. Pages are transparently decrypted as part of the load
process into memory. When pages reside in memory they are therefore not encrypted and
there is no performance overhead for in-memory page accesses. When changes to data are
persisted to disk, the relevant pages are automatically encrypted as part of the write
operation.
Pages are encrypted and decrypted using 256-bit page encryption keys. Page keys are valid
for a certain range of savepoints and can be changed by executing SQL statements. After
data volume encryption has been enabled, an initial page key is automatically generated. Page
keys are never readable in plain text, but are encrypted themselves using a dedicated data
volume encryption root key, which is generated randomly during installation.
If redo logs are encrypted, log entries are encrypted using the AES-256-CBC algorithm before
they are written to disk. Log entries are encrypted and decrypted using a 256-bit long root
key, which is generated randomly during installation.
The data volume encryption and redo log root keys are stored using the Secure Storage in the
File System (SSFS) functionality and are automatically retrieved from there.

© Copyright. All rights reserved. 267

Unit 8: Infrastructure

The data volume encryption feature does not encrypt the contents of data and log backups.
To encrypt data and log backups, backup encryption must be enabled. If backup encryption is
not enabled, only data that has been encrypted internally in the database (that is,
independently of the data volume encryption feature) is encrypted in backups. For example,
data stored in the secure internal credential store is encrypted in backups.

Securing HANA Internal Network

In single-host systems, the listeninterface parameter in section [communication] must be set
to .local.
A multihost SAP HANA production system must have a separate network for internal
communication. The parameter listeninterface in section [communication] must be set
to .internal or contain a CIDR netmask.

SAP MaxDB

Note:
This topic provides complementary information. It does not address operating
system fundamentals.

SAP MaxDB: Useful Topics

Connect your application server with SSFS.

Encrypt communication between the client application and the X_Server process.

Table 25: SAP MaxDB: The Basics

Article Subject

SAP Note 1377148 FAQ: SAP MaxDB backup / recovery

SAP Note 2148115 SSFS CONNECT to SAP MaxDB
SAP Note 2625951 MaxDB Data Encryption

Secure Connection to SAP MaxDB via SSFS

SAP MaxDB now also supports the SSFS CONNECT (ABAP Secure Store). The CONNECT
data is then stored in the SSFS_<SAPSYSTEMNAME>.DAT file in the <rsec_ssfs_datapath>
directory. Only the password must be encrypted. All other data can be stored in legible form.
A correction is available for the following SAP DBSL libraries:

742 Patch Level 111

743 Patch Level 20

Network Encryption
Connections to databases on the local computer use shared memory. For remote
connections established through the X_Server, communication between the client application
and X_Server can use SSL/TLS.

© Copyright. All rights reserved. 268

 Lesson: Protecting Database Security

Backup Encryption
MaxDB version 7.8 allowed you to encrypt backups using different algorithms. For more
information, refer to the syntax of the command backup_template_create. MaxDB version 7.9
had this feature removed, as stated in the documentation. Even for version 7.8 encrypted
backups are no longer recommended. Please refer to the FAQ: SAP MaxDB backup/ recovery.

LESSON SUMMARY
You should now be able to:

Protect database security from an infrastructure point of view

© Copyright. All rights reserved. 269

 Unit 8

Learning Assessment

1. How can you delete audit log tables, such as DBTABLOG, in a MaxDB database running in
a Unix environment?

2. Why would sapservice<SID> be denied interactive logon rights in a Windows

environment?

3. In an IBM i system, how can you reach the system and perform administration activities
without using unsafe communication protocols?

4. Name three database systems that can benefit from SSFS?

5. When using DB2 for i, which library contains business data belonging to an SAP Netweaver
ABAP AS?

6. Once role-based security and segregation of duties is enabled in a DB2 for Linux, Unix, and
Windows database, how can a DBA perform index tuning?

© Copyright. All rights reserved. 270

 Unit 8: Learning Assessment

7. DB2 for z/OS client benefits from hardware encryption. Therefore, the performance
impact of securing communications is negligible.
Determine whether this statement is true or false.

X True

X False

8. When running an SAP Netweaver ABAP AS with Microsoft SQL Server, which component
handles encryption on the client side?
Choose the correct answers.

X A JDBC

X B SNAC

X C DBSL shared library

9. With SAP Adaptive Server Enterprise you need to manually configure encryption for the
communication layer and the persistence layer.
Determine whether this statement is true or false.

X True

X False

10. SAP HANA persistence layer encryption has minimal impact on performance. Is this
statement correct?

11. How can you implement backup encryption in SAP MaxDB?

© Copyright. All rights reserved. 271

 Unit 8

Learning Assessment - Answers

1. How can you delete audit log tables, such as DBTABLOG, in a MaxDB database running in
a Unix environment?

Any OS user that can impersonate <sid>adm can retrieve xuser keys to change the
database content. Once you can log in or su to <sid>adm, you can use the sqlcli utility to
change the database with the xuser keys available.
Correct! Any OS user that can impersonate <sid>adm can retrieve xuser keys to change
the database content. Once you can log in or su to <sid>adm, you can use the sqlcli utility
to change the database with the xuser keys available.

2. Why would sapservice<SID> be denied interactive logon rights in a Windows

environment?

SAP administration activities are performed by <sid>adm.

Correct! SAP administration activities are performed by <sid>adm.

3. In an IBM i system, how can you reach the system and perform administration activities
without using unsafe communication protocols?

For common SAP administration tasks, you can enable ssh. For operative system
administration tasks, with users like QSECOFR, you can secure telnet5250
communication.
Correct! For common SAP administration tasks, you can enable ssh. For operative system
administration tasks, with users like QSECOFR, you can secure telnet5250
communication.

4. Name three database systems that can benefit from SSFS?

There are four correct options: Oracle, SAP Adaptive Server Enterprise, SAP HANA, and
SAP MaxDB.
Correct! There are four correct options: Oracle, SAP Adaptive Server Enterprise, SAP
HANA, and SAP MaxDB.

5. When using DB2 for i, which library contains business data belonging to an SAP Netweaver
ABAP AS?

R3<SID>DATA
Correct! R3<SID>DATA contains business data belonging to an SAP Netweaver ABAP AS.

© Copyright. All rights reserved. 272

 Unit 8: Learning Assessment - Answers

6. Once role-based security and segregation of duties is enabled in a DB2 for Linux, Unix, and
Windows database, how can a DBA perform index tuning?

The EXPLAIN authority needs to be assigned to the relevant objects.

Correct! The EXPLAIN authority needs to be assigned to the relevant objects.

7. DB2 for z/OS client benefits from hardware encryption. Therefore, the performance
impact of securing communications is negligible.
Determine whether this statement is true or false.

X True

X False

Correct. IBM Z contains cryptographic coprocessors on the server side. The SAP
Netweaver AS will run on a remote server, where the client will also be located.

8. When running an SAP Netweaver ABAP AS with Microsoft SQL Server, which component
handles encryption on the client side?
Choose the correct answers.

X A JDBC

X B SNAC

X C DBSL shared library

Correct! SNAC handles encryption on the client side.

9. With SAP Adaptive Server Enterprise you need to manually configure encryption for the
communication layer and the persistence layer.
Determine whether this statement is true or false.

X True

X False

Correct. If using an updated version of SWPM, encryption can be enabled at installation

time.

© Copyright. All rights reserved. 273

Unit 8: Learning Assessment - Answers

10. SAP HANA persistence layer encryption has minimal impact on performance. Is this
statement correct?

There is no absolute answer. If a system is mostly used for reporting activities (read
operations) and all data required is resident in memory, the impact is marginal and not
noticeable. If that same system performs heavy ETL operations, commit performance and
savepoint performance will suffer. In a mixed workload scenario, and in absence of sizing
problems, encryption should have minimal impact (on average).
There is no absolute answer. If a system is mostly used for reporting activities (read
operations) and all data required is resident in memory, the impact is marginal and not
noticeable. If that same system performs heavy ETL operations, commit performance and
savepoint performance will suffer. In a mixed workload scenario, and in absence of sizing
problems, encryption should have minimal impact (on average).

11. How can you implement backup encryption in SAP MaxDB?

You will need to rely on third party solutions. For example, the files generated by the
backup to file system can be placed in an encrypted file system.
Correct! You will need to rely on third party solutions. For example, the files generated by
the backup to file system can be placed in an encrypted file system.

© Copyright. All rights reserved. 274