PARTICIPANT HANDBOOK
INSTRUCTOR-LED TRAINING
.
Course Version: 11
Course Duration: 5 Day(s)
e-book Duration: 9 Hours 15 Minutes
Material Number: 50144572
SAP Copyrights and Trademarks
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see
http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software
vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without
notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which
speak only as of their dates, and they should not be relied upon in making purchasing decisions.
Typographic Conventions
Demonstration
Procedure
Warning or Caution
Hint
Facilitated Discussion
TARGET AUDIENCE
This course is intended for the following audiences:
System Administrator
Technology Consultant
Lesson 1
Evaluating Security Concepts
Lesson 2
Outlining the Security Roadmap
Lesson 3
Describing the Training Environment
UNIT OBJECTIVES
LESSON OVERVIEW
This lesson describes the security threats to a system and its security safeguards. This lesson
also explains how to categorize security measures (IT-based and Environment-based) to
secure the system environment from the many different risk categories.
LESSON OBJECTIVES
After completing this lesson, you will be able to:
Security Requirements
Safeguards, threats, and goals are closely related. Threats compromise certain security
goals, and safeguards protect your system against these threats. Thus, when implementing
security, you need to consider the safeguards regarding the goals and the threats.
Security requirements arise for the following reasons:
Government Regulations
For example, legal frameworks such as SOX in the USA establish disclosure obligations for
organizations’ financial statements.
Protection of Intellectual Property
For example, pharmaceutical companies and their formulas for innovative drugs.
Legal Issues
For example, health-care companies and their patients’ medical histories.
Trust Relationship between Business Partners
For example, legally binding documents, such as a purchase order sent electronically.
“Enterprises have continued difficulty finding qualified personnel to fill cyber security
positions.”
“Internet of Things (IoT) is replacing mobile as the emerging area of concern. Threats
resulting from mobile-device loss are down from last year, but a new challenge area
appears to be emerging — IoT.”
“Ransomware is expanding, but the processes to address it are not yet ubiquitous.”
From ISACA, “State of Cyber Security 2017: Current Trends in Workforce Development,”
February 2017, www.isaca.org/cyber/pages/state-of-cyber-security-2017.aspx
The threats shown in the figure above are only a subset of known threats. A major source of
security concern is social engineering, where sensitive information is exposed casually or
picked up without going through the correct channels. For example, being asked to disclose
your user name and password.
IT Security Goals
The following goals are achieved through IT security measures:
Availability
Authentication
Authorizations
Confidentiality
Integrity
Non-repudiation
Availability
Availability ensures that the users can access their resources whenever they need them.
When determining requirements regarding the availability of resources, you should
consider the costs that result from unplanned downtime. For example, loss of customers,
costs for unproductive employees, and overtime. Some damage cannot be fully factored
in terms of money, such as loss of reputation (for example, a website-defacing attack,
with some embarrassing content).
Authentication
Authentication determines the real identity of the user. You can use the following
authentication mechanisms:
Authentication using Single Sign-On mechanisms, after one of the three previous
methods is successfully performed. For example, log into your company network and,
from there, access the available systems.
Authorization
Authorization defines the rights and privileges of the identified user. It also determines
the functions that a user can access. The application must be programmed to check
whether a user is authorized before that user can access a function. For example, update
your own IBAN number, but not your colleague’s IBAN. Within SAP’s current context,
application authorizations can be determined in the application layer or database layer
(more relevant for HANA-based systems).
Confidentiality
Confidentiality ensures that the user’s history and communication are kept confidential.
Information and services need to be protected from unauthorized access. The
authorizations to read, change, or add information or services must be granted explicitly
to only a few users, and all other users must be denied access. If you post something on the
Internet, the confidentiality of that information is at risk. For example, access to your tax
records.
Integrity
Integrity ensures that the user information, which has been transmitted or stored, has
not been altered. Programs and services should execute successfully and provide
accurate information. Thus, people, programs, or hardware components should not
modify programs and services. For example, a signed contract.
Non-repudiation
Repudiation is the act of denying that you have done something. Non-repudiation, in
contrast, ensures that people cannot deny their actions. Non-repudiation allows you to
successfully conduct legally binding business transactions. For example, submitting a
bank payment order electronically.
Accountability
For example: who performed an action that had a negative impact on the organization?
Such as a sales operation made with an abnormally high discount.
Compliance
For example: who identified the risks (or their absence) for specific business processes? Who
sets the limit for small purchases that can be performed without approvals? Who makes the
decision of whether or not to implement a mitigation control?
A typical control is a periodic review of small purchases, their frequency, their accumulated
amount, and so on.
The following are examples of environmental threats. They are not focused on in this training,
but they should not be neglected due to their potential impact in the IT landscape.
Accidents
These can range from hardware failure to random events. For example, a trainee who
doesn’t properly classify accounting documents, leading to non-compliant profit and loss
reports. Or a construction worker who accidentally cuts a fiber-optic cable.
Natural Disasters
Environmental threats that might compromise the availability of the system. For
example, a flood that forces an electrical grid shutdown.
Fraud
An unauthorized person gains access to a system with stolen accounts and passwords,
or performs activities that they are not meant to do through excessive authorizations. For
example, changing their own basic wage.
Infrastructure
Environmental threats that might compromise the availability of the system. For
example, the absence of a proper cooling system that forces a server to power off.
Errors
These can range from improper training to simple random sporadic events. For example,
an accounting clerk who doesn’t properly classify accounting documents, leading to non-
compliant profit and loss reports that trigger a fine from the tax authority.
Procedures
The different ways to conduct any system activity, from development (for example, no
proper source code quality checks, which leads to functions being vulnerable to code
injections) to normal operations (for example, unrestricted access to websites where you
can download “infected” software).
LESSON SUMMARY
You should now be able to:
LESSON OVERVIEW
The purpose of this lesson is to raise awareness about the many topics that a Security
Administrator needs to address and to point out some of the solutions SAP can provide.
LESSON OBJECTIVES
After completing this lesson, you will be able to:
Password Policy
Complexity Rules
For example, system parameters and policies that set the mandatory use of capitals,
digits, and other characters, for all users or for distinct users.
Expiration Rules
For example, the concept of common or technical users (such as, the dialog or system
user in ABAP), and the parameters or policies that allow the system to enforce those
rules.
Reusability Rules (Password History)
For example, parameters that prevent a user from reusing the last known passwords.
Prevention of Dictionary Attacks (Denied Passwords)
For example, dictionary maintenance tools for disallowing specific passwords, such as
the customizing recorded in table USR40.
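As an added example (not SAP code, and not the ABAP profile parameters themselves), the following Python models the four rule families above as a password-policy checker: complexity thresholds, expiration that applies to dialog users but not to technical (system) users, a password history, and a USR40-style denied list. The thresholds, denied patterns, sample user and date are constructed for the example; the assumptions that USR40-style entries use `*` and `?` wildcards and that system users are exempt from expiration are this example's, not the lesson's.

```python
"""Password-policy checker modelling the complexity, expiration, history and
denied-password rules described in the lesson. Added example, not SAP code.
Thresholds, denied patterns, the sample users and TODAY are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from fnmatch import fnmatchcase
from hashlib import sha256


@dataclass
class PasswordPolicy:
    min_length: int = 8
    min_digits: int = 1
    min_letters: int = 1
    min_specials: int = 1
    expiration_days: int = 90       # 0 means passwords never expire
    history_size: int = 5           # number of previous passwords that may not be reused
    denied_patterns: tuple = ()     # USR40-style patterns; '*' and '?' wildcards assumed


@dataclass
class UserRecord:
    user_type: str                  # "dialog" (a person) or "system" (technical user)
    password_set_on: date
    history: list = field(default_factory=list)   # digests of previous passwords


def _digest(pw):
    # Keep only a digest of old passwords. A real system would use a salted,
    # iterated password hash; plain SHA-256 is enough for this illustration.
    return sha256(pw.encode()).hexdigest()


def check_complexity(pw, policy):
    """Return the list of complexity rules the password violates (empty = fine)."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if sum(c.isdigit() for c in pw) < policy.min_digits:
        problems.append("too few digits")
    if sum(c.isalpha() for c in pw) < policy.min_letters:
        problems.append("too few letters")
    if sum(not c.isalnum() for c in pw) < policy.min_specials:
        problems.append("too few special characters")
    return problems


def is_denied(pw, policy):
    """Dictionary-attack prevention: reject passwords matching a denied pattern."""
    return any(fnmatchcase(pw.upper(), pat.upper()) for pat in policy.denied_patterns)


def reuses_old_password(pw, user, policy):
    """Reusability rule: the last history_size passwords may not be used again."""
    recent = user.history[-policy.history_size:] if policy.history_size else []
    return _digest(pw) in recent


def password_expired(user, policy, today):
    """Expiration rule. Assumption: only dialog users are subject to expiration."""
    if user.user_type != "dialog" or policy.expiration_days == 0:
        return False
    return today - user.password_set_on > timedelta(days=policy.expiration_days)


def validate_new_password(pw, user, policy):
    """All rules that apply when a user chooses a new password."""
    problems = check_complexity(pw, policy)
    if is_denied(pw, policy):
        problems.append("matches a denied-password pattern")
    if reuses_old_password(pw, user, policy):
        problems.append("was used recently")
    return problems


def record_password_change(user, pw, policy, today):
    """Store the digest in the history (trimmed to history_size) and reset the clock."""
    user.history.append(_digest(pw))
    if policy.history_size:
        user.history = user.history[-policy.history_size:]
    user.password_set_on = today


# Constructed sample data for trying the checks out.
SAMPLE_POLICY = PasswordPolicy(denied_patterns=("PASSWORD*", "*SAP*", "WELCOME?"))
SAMPLE_USER = UserRecord("dialog", date(2017, 1, 1), history=[_digest("OldPw#2016")])
SAMPLE_SYSTEM_USER = UserRecord("system", date(2016, 1, 1))
TODAY = date(2017, 6, 1)
```

The denied list is matched case-insensitively on purpose: a pattern such as `*SAP*` is meant to catch `sap2017`, `Sap#2017x` and `mySAPpw` alike, whereas the complexity rules look at the characters actually typed.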
Authentication
SAP systems are compliant with industry standard authentication mechanisms, such as
SAML. They also provide their own methods for authentication, for example, SAP Logon
Tickets.
Encryption
SAP provides libraries that allow encryption, several communications protocols (for example,
the Secure Network Communication libraries for RFC communication), and facilities to store
digital certificates (for example, the Secure Store files). SAP systems support database
encryption methods (such as, HANA volume encryption).
Threat Detection
SAP systems contain auditing and tracing tools that allow a system administrator to
recognize potential threats. These functionalities can be complemented with the capabilities
of Solution Manager to evaluate security configurations, and recommend corrective
measures and patches. SAP products can also have their security capabilities extended
through integration with partner software.
Uploaded and Embedded Documents and Script Vulnerabilities (Virus Scan Interface)
The SAP NetWeaver Virus Scan Interface (NW-VSI) allows external anti-virus and content
security solutions to integrate with SAP application servers. The Virus Scan Adapter is built by
the anti-virus solution provider, based on SAP templates in the Software Development Kit
(SDK) for Virus Scan Adapters. This standardized process provides a transparent job division
between SAP data to be scanned (SAP know-how), and the actual virus scan (Anti Virus
know-how). Additionally, it allows SAP customers to easily switch between anti-virus and
content security solutions, based on their business needs.
Version 2.0 of NW-VSI not only covers classical signature-based AV protection, but also
supports the detection of malicious file formats, file format classification, and detection of
active content inside a file, such as scripts in files. The use case for these enhancements is
the protection of web applications against XSS in files (cross-site scripting in files). SAP Note
1693981 describes the problems caused by scripts inside documents that are uploaded into SAP
systems.
The integration of VSI is available not only in the NetWeaver core platform, but in all SAP web
application servers. The figure about VSI shows, on the left, the different options that AV
partners have and, on the right, the different SAP integrations.
For more information, refer to SAP Note 817623 (Frequent questions about VSI in SAP
applications) and SAP Note 1494278 (NW-VSI: Summary of Virus Scan Adapters for SAP
integration).
Threat Analytics
Most SAP tools that allow you to capture security-relevant information can also work as a data
warehouse system, where analytical tools can be employed to find patterns and to
preemptively address potential threats.
Enterprise Threat Detection provides real-time data analysis and dashboard panels, from
which you can drill down to the event details.
From the alerts, you can trigger a ticket-based investigation process. In the example shown
above, a system on which single sign-on is the only permitted access method experienced a
logon through basic authentication (login ID and password).
LESSON SUMMARY
You should now be able to:
LESSON OBJECTIVES
After completing this lesson, you will be able to:
Available Instances
Figure 13: Attack Surface for a Java NetWeaver Environment (Application Server Instances)
Figure 14: Attack Surface for a Java NetWeaver Environment (Java Central Services Instance)
The training landscape contains a Solution Manager 7.20 system. The figures above show the
entry points for the Java stack present in the system.
Figure 15: Attack Surface for an ABAP NetWeaver Environment (Application Server Instances)
Figure 16: Attack Surface for an ABAP NetWeaver Environment (ABAP Central Services Instance)
The training landscape contains several SAP NetWeaver systems of type single stack (ABAP
only). The figures above exemplify the entry points for the ABAP stack present in the system.
As well as the available ABAP and Java engines, the training landscape also contains several
SAP Web Dispatcher instances, used for load balancing purposes.
LESSON SUMMARY
You should now be able to:
Learning Assessment
3. How can you find which communication ports are enabled for each IP address?
He can scan for well-known port ranges. With ports like 5xx13 or 5xx14, he can try to reach
the SAP administration console to find more details.
http://hostname:5<sysnr>13 or https://hostname:5<sysnr>14
3. How can you find which communication ports are enabled for each IP address?
Log on to the SAP Administration Console, authenticate with a valid SAP administration
account, wait for the tree to refresh, and search for access points on any of the available
instances. For each port, you will see the IP address where it is listening, and whether the
port is active or not.
Lesson 1
Determining the Key Points of Network Security
Lesson 2
Installing and Configuring SAProuter
Lesson 3
Installing and Configuring SAP Web Dispatcher
UNIT OBJECTIVES
LESSON OVERVIEW
This lesson explains the various aspects of network security in an SAP system landscape. It
also introduces SAProuter and SAP Web Dispatcher, both of which play an important role in
network architecture.
Business Example
You need to ensure basic network security for an SAP system landscape. For this reason, you
require an understanding of the following:
The ports used by the SAP NetWeaver Application Server (SAP NetWeaver AS)
Network filtering
LESSON OBJECTIVES
After completing this lesson, you will be able to:
Many SAP systems are based on SAP NetWeaver AS. An understanding of the ports and
protocols used by SAP NetWeaver AS makes you aware of the ports and protocols used in the
majority of SAP installations.
The following are examples of communication that occur in a typical NetWeaver-based
landscape:
Connection from SAP GUI for Microsoft Windows or Java to the AS ABAP-based SAP
system
Connections from the AS ABAP-based SAP system to print servers, for example, using
SAPSprint
The SAP system uses many ports to establish connections in the system. These ports are
determined by the operating system process involved and the instance number to which the
process belongs.
The figure, Ports Used by SAP NetWeaver AS, shows the important ports of SAP NetWeaver
AS.
SAP GUI for Microsoft Windows connects to the ABAP system by using the dispatcher
process on the application server. The dispatcher uses the port 32$$, where $$ stands for
the instance number. SAP Logon, as a part of SAP GUI, communicates with the ABAP
message server.
The SAP NetWeaver AS port is defined by an entry sapms<SID> in the services file of the
operating system. The default port is 36$$. The ABAP system also communicates with the
SAP GUI by using remote function call (RFC). In this communication, the gateway process
with port 33$$ is involved. The process uses port 33$$ to establish the connection.
The external RFC clients, for example, other SAP systems or third-party applications, connect
to the gateway process.
The Internet Communication Manager (ICM) uses the default port 80$$ for the HTTP
protocol. This port helps to establish a connection with a Web browser.
The process involved in starting and stopping the SAP system is SAPSTARTSRV. It can be
called using the default port 5$$13 on Java systems.
The SAP program SAPSprint handles the SAP system print requests sent by the spool work
process. SAPSprint listens on default port 515.
When you connect a Web browser to the SAP NetWeaver AS for Java (old versions 7.0x), the
Java dispatcher is called on the default HTTP port 5$$00. The Software Deployment Manager
(SDM) is remotely accessed on the default port 5$$18. In the newer SAP NetWeaver AS for
Java versions, the Java dispatcher is replaced with the ICM, which is also called on the default
HTTP port 5$$00. As of NetWeaver 7.1x, SDM no longer exists.
Note:
For a complete list of ports, see the security documentation relevant for your
NetWeaver version at http://help.sap.com.
Network Filtering
Network filtering is the fundamental requirement for secure SAP systems. Network filtering
reduces the attack surface to the minimum number of services that the end users access. The
remaining services must then be configured securely.
Network filtering is required between the end-user network and the SAP systems to secure
the SAP operations.
Note:
For more information, see the SAP NetWeaver Security Guide.
Table 1: Network Services Required from End User Networks in SAP Installations
The following table lists the network services required from the end user networks in most
SAP installations:
Service               Description                                                          Default port
ABAP dispatcher       The ABAP dispatcher is used by SAP GUI. The communication protocol   32$$
                      used is SAP Dynamic Information and Action Gateway (DIAG).
ABAP message server   The ABAP message server manages load balancing information and       36$$
                      system internal communication.
Gateway               The gateway manages SAP RFC communication.                           33$$
These services refer to the default ports in a standard installation. All other network services
are not required and must be blocked between the end-user network and SAP systems.
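To make the port scheme concrete, here is an added Python example (not SAP code) that derives the ports named in this lesson from an instance number and applies Table 1 to decide which of them may be opened from the end-user network. The port patterns are the lesson's; the service labels, the sample instance numbers and the network addresses are this example's own.

```python
"""Port derivation for SAP NetWeaver AS from the instance number, and the
end-user-network allow list of Table 1. Added example, not SAP code: the
port patterns are the ones the lesson states ($$ = two-digit instance
number); service labels and sample addresses are chosen here."""

# Port patterns stated in the lesson; $$ is the two-digit instance number.
PORT_PATTERNS = {
    "ABAP dispatcher (DIAG)": "32$$",
    "Gateway (RFC)": "33$$",
    "ABAP message server": "36$$",
    "ICM HTTP": "80$$",
    "sapstartsrv HTTP (Java systems)": "5$$13",
    "sapstartsrv HTTPS (Java systems)": "5$$14",
    "Java HTTP (Java dispatcher or ICM)": "5$$00",
    "SDM (AS Java 7.0x only)": "5$$18",
}

# Table 1: the only services that must be reachable from end-user networks.
END_USER_SERVICES = ("ABAP dispatcher (DIAG)", "ABAP message server", "Gateway (RFC)")


def instance_ports(instance_number):
    """Map every service in PORT_PATTERNS to its port for one instance number (00-99)."""
    nr = int(instance_number)
    if not 0 <= nr <= 99:
        raise ValueError(f"instance number out of range: {instance_number!r}")
    return {service: int(pattern.replace("$$", f"{nr:02d}"))
            for service, pattern in PORT_PATTERNS.items()}


def end_user_allowlist(instance_numbers):
    """Ports that may be opened from the end-user network for the given instances."""
    allowed = set()
    for nr in instance_numbers:
        ports = instance_ports(nr)
        allowed.update(ports[service] for service in END_USER_SERVICES)
    return allowed


def classify_port(port, instance_numbers):
    """('ALLOW'|'DENY', service or None) for a port seen from the end-user network."""
    for nr in instance_numbers:
        for service, p in instance_ports(nr).items():
            if p == port:
                return ("ALLOW" if service in END_USER_SERVICES else "DENY", service)
    return ("DENY", None)      # unknown port: not an SAP end-user service, block it


def filter_rules(instance_numbers, end_user_net, sap_host):
    """Render allow/deny lines for a packet filter between end-user network and SAP host."""
    lines = []
    for nr in instance_numbers:
        for service, port in instance_ports(nr).items():
            action, _ = classify_port(port, [nr])
            lines.append(f"{action:5} {end_user_net} -> {sap_host}:{port}  # {service}")
    return lines
```

Note that HTTPS is deliberately absent from the per-instance allow list: as the following paragraph explains, browser access normally arrives through SAProuter, SAP Web Dispatcher or a load balancer, so the ICM port of each instance is reached from those components rather than directly from the end-user network.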
The actual network architecture depends on infrastructure components, such as SAProuter,
SAP Web Dispatcher, and the load balancer. These infrastructure components need to be
considered for architecture planning. Access to SAP DIAG, SAP RFC, SAP Message Server,
and HTTPS is necessary, but the infrastructure components impact the network filtering
implementation.
Network Architecture
Administrative access to the SAP systems is provided from an administration network. This
network is allowed to access the SAP systems with administrative protocols such as Secure
Shell (SSH), Remote Desktop Manager (RDP), and database administration. Access to the
administrative network must be properly secured by common security concepts, for example,
allowing administrative access to the SAP systems only from dedicated subnets or dedicated
workstations.
LESSON SUMMARY
You should now be able to:
LESSON OVERVIEW
This lesson explains the installation and configuration of SAProuter. This lesson also explains
various load balancing techniques.
Business Example
You need to install and configure SAProuter to connect to an SAP system. For this reason,
you require the following knowledge:
An understanding of SAProuter
LESSON OBJECTIVES
After completing this lesson, you will be able to:
SAProuter
SAProuter software functions as an intermediate station among various SAP systems and
programs. SAProuter functions as a proxy that has properties of an application-level gateway
when used in SAP protocols.
SAProuter allows you to connect to an SAP system without a direct network connection
between the client computer and application server. The SAP GUI (for Microsoft Windows and
Java) connects to the SAProuter that forwards all the packets to the application server, or to
another SAProuter.
As illustrated in the figure, SAProuter as Proxy for SAP Protocol, when using SAProuter in an
SAP system landscape, you only open the SAProuter port (default port 3299), instead of the
corporate firewall, for all ports and protocols used by an SAP system. You can configure
SAProuter to allow communications based only on the SAP protocol, coming from specific IP
addresses, and directed to the SAP systems.
Note:
In the OSI 7 layer model, the Network Interface (NI) layer forms the upper part of
the transport layer, and is the part nearest to the applications. This means that NI
uses TCP or UDP. The NI protocol is also known as the SAP Protocol, and it is the
technical foundation for protocols like Dynamic Information and Action Gateway
(DIAG) and remote function call (RFC).
SAProuter makes it easier to administer the networking aspects of the SAP landscape. To
make changes at the SAP system level, such as installing an additional instance that provides
additional ports, you do not need to change the configuration of the corporate firewall. The
SAP administration can reconfigure the SAProuter to incorporate the changes.
SAProuter Functionality
Controls and logs connections to your SAP system.
Note:
SAProuter does not support scenarios for communication based on non-SAP
protocols.
Caution:
SAProuter does not replace a firewall. You can use it in addition to the corporate
firewall. For more information about SAProuter, see SAP Note: 30289.
SAProuter enables a secured connection between the customer network and SAP support.
The figure, SAProuter and Remote Support, shows a connection between SAProuters at the
customer site and the SAP site. This connection is secured by Secure Network
Communication (SNC), and allows SAP support to access the SAP systems at the customer
site.
SAProuter can be installed as a Microsoft Windows service. For more information, refer to the
exercise: Install SAP Router.
SAProuter uses the route permission table to control the specific IP addresses and
subnetworks that are permitted or denied access to a particular network. By default, the route
permission table is a file called saprouttab in the installation directory of SAProuter. The file
contains a list of connections that are denied or permitted access to a particular network.
The figure, SAProuter Configuration – Route Permission Table, shows standard entries that
appear in the route permission table (such as P, S, D, <source host>, <target host>,
<service>, and <password>).
Note:
You can use wildcard characters (*) to enter host names and services. For
security reasons, we recommend that you do not use wildcards in P and S entries.
Hint:
The first match in the saprouttab file is decisive. This means that the order of the
entries is important and the D entries should be at the top of the list. If no entries
match, permission is denied.
If the communication is to be secured by means of SNC, the saprouttab file entries must be
specified with KT, KD, KS, and KP. The SAProuter must be started with the option -K.
Note:
More information about secure communication using the SAProuter can be found
in the SAP help library. You can find reference to the relevant help pages in SAP
Note: 30289.
To connect to an SAP system using SAProuter, you must enter the following SAProuter
string:
/H/<host of SAProuter>/S/<port of SAProuter>/W/<password>/H/<target host>
Entering /S/<port of SAProuter> is optional in the router string if SAProuter uses the
default port 3299. You must enter the password with /W/<password> if a password is set in
the saprouttab file. For more information, see SAP Note: 30289.
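As an added example (not SAProuter's own code), the following Python parses a route string of the form shown above and evaluates the next hop against a saprouttab using the rules this lesson states: the first matching entry is decisive, hosts and services may contain wildcards, no match means deny, and a password given with /W/ must match the entry's password. The table, hosts and client addresses are constructed; KT/KD/KS/KP (SNC) entries are not modelled, and treating a missing or wrong password as deny and using 3299 for a further SAProuter or 3200 for a final target without /S/ are this example's assumptions.

```python
"""Route-string parsing and saprouttab evaluation as described in the lesson.
Added example, not SAProuter's own code. Table, hosts and addresses are
constructed; K* (SNC) entries are out of scope; default services 3299/3200
for a hop without /S/ and fail-closed password handling are assumptions."""
import re
from fnmatch import fnmatchcase

# One hop of a route string: /H/<host>[/S/<service>][/W/<password>]
_HOP = re.compile(r"/H/(?P<host>[^/]+)(?:/S/(?P<service>[^/]+))?(?:/W/(?P<password>[^/]*))?")

SAMPLE_SAPROUTTAB = """\
# constructed route permission table: D entries first, no catch-all permit
D  *          badhost.example.com      *
P  10.1.1.*   sapserver.example.com    3200
P  10.1.1.*   sapserver.example.com    3300   secret
S  10.2.*     otherrouter.example.com  3299
"""


def parse_route_string(route):
    """Split a route string into hops; reject anything that is not /H/.../S/.../W/..."""
    matches = list(_HOP.finditer(route))
    if not matches or "".join(m.group(0) for m in matches) != route:
        raise ValueError(f"malformed route string: {route!r}")
    return [m.groupdict() for m in matches]


def parse_saprouttab(text):
    """Parse lines of the form <P|S|D> <source host> <target host> [<service>] [<password>]."""
    table = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] not in ("P", "S", "D") or len(fields) < 3:
            raise ValueError(f"unsupported saprouttab line: {raw!r}")
        table.append({"type": fields[0], "source": fields[1], "target": fields[2],
                      "service": fields[3] if len(fields) > 3 else "*",
                      "password": fields[4] if len(fields) > 4 else ""})
    return table


def evaluate(table, source, target, service, password=""):
    """First matching entry is decisive; if nothing matches, permission is denied."""
    for entry in table:
        if not (fnmatchcase(source, entry["source"]) and fnmatchcase(target, entry["target"])
                and fnmatchcase(str(service), entry["service"])):
            continue
        if entry["type"] == "D":
            return "deny"
        if entry["password"] and entry["password"] != password:
            return "deny"                  # assumption: wrong or missing password fails closed
        return "permit" if entry["type"] == "P" else "permit-sap-protocol-only"
    return "deny"


def route_decision(table, client_ip, route):
    """Decide the next hop of a route string the way the first SAProuter in it would."""
    hops = parse_route_string(route)
    if len(hops) < 2:
        raise ValueError("route string needs the SAProuter and at least one target")
    this_router, next_hop = hops[0], hops[1]
    # Assumption: another SAProuter is reached on 3299, a final target on 3200.
    default_service = "3299" if len(hops) > 2 else "3200"
    service = next_hop["service"] or default_service
    return evaluate(table, client_ip, next_hop["host"], service, this_router["password"] or "")
```

The sample table follows the hint above: the D entry sits first so that no later P entry can override it, and there is no trailing `P * * *`, so every client and target not listed explicitly falls through to the implicit deny.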
LESSON SUMMARY
You should now be able to:
LESSON OVERVIEW
With the rising use of Web-based applications and the need for customers to access SAP
applications via the Web, the setup and configuration of SAP Web Dispatcher has become
much more important. This lesson addresses these topics.
Business Example
You need to install the SAP Web Dispatcher. For this reason, you require the following
knowledge:
LESSON OBJECTIVES
After completing this lesson, you will be able to:
The SAP Web Dispatcher was developed primarily as a software load balancer, but over
time has been enhanced with the functions of an application level gateway. Additionally, it
can be used as a reverse proxy.
The SAP Web Dispatcher can reject or accept connections. When the SAP Web Dispatcher
accepts a connection, it balances the load to ensure an even distribution across the
application servers, which contributes to security in your SAP system.
You can use the SAP Web Dispatcher in SAP NetWeaver Application Server for ABAP (SAP
NetWeaver AS for ABAP), SAP NetWeaver Application Server for Java (SAP NetWeaver AS
for Java), and SAP NetWeaver AS ABAP+Java-based systems.
The SAP Web Dispatcher is most commonly used to balance the load of requests from the
user’s Internet browser, although this is not its only use.
The SAP Web Dispatcher can be used to load-balance any HTTP-based requests. If, for
example, SAP NetWeaver AS provides a Web service (WS), which is consumed by another
server, the SAP Web Dispatcher is required to distribute the requests from the Web service
clients to the server nodes of SAP NetWeaver AS.
As of Release 7.2, one SAP Web Dispatcher can be used for multiple SAP systems, as
displayed in the figure, SAP Web Dispatcher. For more details on which SAP Web Dispatcher
you can use for which release of SAP NetWeaver AS, see SAP Note 908097.
URL filtering
Maintains a URL permission table to control which requests are rejected or accepted.
Web caching
Improves response times and offloads the application server by using the SAP Web
Dispatcher as a Web cache.
You can configure the SAP Web Dispatcher to use as many of these features as necessary.
Figure 27: SAP Web Dispatcher Details for an SAP NetWeaver AS for ABAP System
An SAP NetWeaver AS-based SAP system consists of one or more instances where HTTP(S)
requests are processed. Using the SAP Web Dispatcher, you have a single point of access for
HTTP(S) requests in your system. The SAP Web Dispatcher balances the load so that the
requests are distributed over all the instances. In addition, you can increase the security of
your system landscape by using the additional features of the SAP Web Dispatcher, for
example, URL filtering.
The SAP Web Dispatcher runs under its own system ID (SID).
As part of the instance, sapstartsrv is configured and can be used to start, stop and
monitor the SAP Web Dispatcher.
Hint:
You can determine the current version of your SAP Web Dispatcher
installation as follows:
- By executing sapwebdisp -v
- By analyzing the most recent developer trace file (by default,
dev_webdisp)
- By launching the Version Info dialog in SAP MC or SAP MMC
See the SAP Library for installation guides on SAP Help Portal at http://help.sap.com.
To use the SAP Web Dispatcher as a load balancer, you must specify the information about
the message server of the SAP system during installation. The message server provides
further information about the SAP system to the SAP Web Dispatcher. In an SAP NetWeaver
AS for ABAP-based or SAP NetWeaver AS for ABAP+Java-based system, the SAP Web
Dispatcher uses the ABAP message server. In an SAP NetWeaver AS for Java-based system,
the SAP Web Dispatcher uses the Java message server.
Configure your own error pages to ensure that the end user does not see the technical
reason for the error.
Use the SAP Web Dispatcher as a URL filter with white lists (only the specified URLs
are allowed).
Filter the following URLs because they reveal details of the infrastructure and the
configuration: /sap/public/icman/*, /sap/public/icf_info/*, and /sap/wdisp/info.
Increase security for the Web Administration Interface by performing the following tasks:
- Use a dedicated port (a separate port is used for the content port).
- Use SSL.
- Allow administration tasks to be performed under a specific host name or IP address
that is accessed from the internal network only.
For more information about security when using the SAP Web Dispatcher, see SAP Note
870127.
Use the Authentication Handler to configure the SAP Web Dispatcher to reject specific URLs.
Set up the access restrictions with the icm/HTTP/auth_<xx> profile parameter. Filter
requests using the SAP Web Dispatcher according to the following criteria:
URL
Client IP address
Server IP address
Hint:
The first matching line starts the processing. This means that the order of the
entries is important. Please note that the URI pattern is case-sensitive. Create
the table as a positive list. Permit all the URLs that are to be allowed and, at the
end of the table, add an entry D /* * * * * to deny all other connections.
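The following Python is an added example (not SAP code) that evaluates a Web Dispatcher permission file the way the hint describes: the first matching line decides, URI patterns are compared case-sensitively, and a lint function checks that the table is a positive list ending in `D /* * * * *` and that the three infrastructure URLs named earlier in this lesson cannot be reached. The line format assumed here is `<P|D> <URI pattern> <client IP pattern> <server IP pattern>`, with any further columns ignored; both permission files and all addresses are constructed.

```python
"""Web Dispatcher URL-filter evaluation following the hint in the lesson:
first matching line decides, URI patterns are case-sensitive, and the table
is a positive list that ends with D /* * * * *. Added example, not SAP code.
Assumed line format: <P|D> <URI pattern> <client IP pattern> <server IP
pattern>; further columns are ignored. The files below are constructed."""
from fnmatch import fnmatchcase

# URLs the lesson says to filter because they reveal infrastructure details.
INFO_URLS = ("/sap/public/icman/*", "/sap/public/icf_info/*", "/sap/wdisp/info")

# Constructed clients used when probing a table: one internal, one external address.
PROBE_CLIENTS = ("10.0.1.7", "203.0.113.9")

SAMPLE_PERMISSION_FILE = """\
# constructed positive list for a Web Dispatcher in front of an AS ABAP
P  /sap/bc/gui/sap/its/webgui*   10.0.*.*   *          # SAP GUI for HTML, intranet only
P  /sap/bc/webdynpro/*           *          *
P  /sap/public/bc/*              *          *
D  /*                            *          *   *   *  # deny everything else
"""

BAD_PERMISSION_FILE = """\
P  /sap/*                 *   *
D  /sap/public/icman/*    *   *   # never reached: the P line above already matched
"""


def parse_permission_file(text):
    """Parse <P|D> <URI pattern> <client IP pattern> <server IP pattern> lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] not in ("P", "D") or len(fields) < 4:
            raise ValueError(f"unsupported permission line: {raw!r}")
        rules.append({"action": fields[0], "uri": fields[1],
                      "client": fields[2], "server": fields[3]})
    return rules


def decide(rules, uri, client_ip, server_ip):
    """Return (decision, matching rule). fnmatchcase keeps the URI comparison case-sensitive."""
    for rule in rules:
        if (fnmatchcase(uri, rule["uri"]) and fnmatchcase(client_ip, rule["client"])
                and fnmatchcase(server_ip, rule["server"])):
            return ("permit" if rule["action"] == "P" else "deny"), rule
    return "deny", None       # assumption: no matching line means the request is rejected


def lint_permission_file(rules):
    """Positive-list hygiene: a final catch-all deny, and the info URLs unreachable."""
    findings = []
    last = rules[-1] if rules else None
    if not (last and last["action"] == "D" and last["uri"] == "/*"
            and last["client"] == "*" and last["server"] == "*"):
        findings.append("missing final catch-all entry D /* * * * *")
    for pattern in INFO_URLS:
        probe = pattern.replace("*", "probe")       # a representative URI under the pattern
        if any(decide(rules, probe, client, "10.0.0.1")[0] == "permit" for client in PROBE_CLIENTS):
            findings.append(f"infrastructure URL {pattern} is reachable")
    return findings
```

Running the lint over BAD_PERMISSION_FILE shows why order matters: its `D /sap/public/icman/*` line can never take effect because the broad `P /sap/*` above it already matched, and the missing catch-all means anything outside /sap is left to the default rather than to an explicit decision.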
In client-based load balancing, the user contacts the message server, and the message is
redirected to one of the application servers. The user remains on this application server
during the session. The user has a direct connection to the application server, which means
there is no problem with session persistence or using Secure Socket Layer (SSL). However,
the user is not always directed to the same server, so the URL varies and bookmarks are
invalid. In addition, if the user switches to another server, they have to authenticate again.
When you use SSL, each server must have its own server certificate, which increases the
costs and administrative overheads. In client-based load balancing, SSL is suitable for small
intranet landscapes. Client-based load balancing is not recommended for productive
systems.
Server-based load balancing uses load balancers in front of the back-end servers. As a result,
the user has only one URL that is used to access the application server.
The options available for load balancing are as follows:
Web switch
Reverse proxy
The SAP Web Dispatcher is a load balancing and application proxy solution for SAP
NetWeaver AS. The SAP Web Dispatcher is an easy-to-use solution.
The characteristics of the SAP Web Dispatcher are as follows:
It uses SAP logon groups to determine which requests (ABAP or Java) are directed to
which server.
The SAP Web Dispatcher is a program that runs on a host and is connected to the Internet or
intranet.
All required information for a basic configuration is gathered during the installation process.
Advantages of using load balancing techniques other than the SAP Web Dispatcher (such as
Web switch) include the following:
They provide additional features that are not available with the SAP Web Dispatcher, such
as authentication.
They provide a unified Web infrastructure for all Web systems that include both SAP
systems and non-SAP systems.
Disadvantages of using load balancing techniques other than the SAP Web Dispatcher include
increased costs, less integration with SAP NetWeaver AS, and increased configuration and
maintenance overhead.
With the reverse proxy, you can route incoming requests to different services based on the
URL path. For example, in the figure, Load Balancing Alternative – Reverse Proxy, the
requests containing the path /other are directed to static Web pages located on the Web
server. If the request is directed to a path under /sap, the reverse proxy directs the request to
the SAP NetWeaver AS host456. The requests that contain the path /store are directed to
host789. In this way, you can activate various services on various hosts that are all accessible
using the same HTTP(S) port.
You can optimize the security and availability of systems by combining various load-balancing
techniques. For example, in the figure, Load Balancing: Complex Scenario, Web switches are
used at the end of the communication path. Therefore, the Web switch does not need to be
highly trusted or handle session persistence. If SSL is used, the connection is passed on to the
SAP Web Dispatcher, which is considered more trusted. The SAP Web Dispatcher handles the
load balancing and session persistence for the connections to SAP NetWeaver AS at the back
end. If SSL is used, it can be terminated at the SAP Web Dispatcher so that the SAP Web
Dispatcher can perform URL filtering.
LESSON SUMMARY
You should now be able to:
Learning Assessment
3. How can you restrict access to specific URLs in the Web Dispatcher?
4. Name three options for restricting access in the permission file of the Web Dispatcher.
Learning Assessment - Answers
3. How can you restrict access to specific URLs in the Web Dispatcher?
Use the parameter icm/HTTP/auth_0 to specify a text file with the access rules.
4. Name three options for restricting access in the permission file of the Web Dispatcher.
Lesson 1: Explaining the Secure Store
Lesson 2: Outlining Authorizations and Security Policies
Lesson 3: Setting Up User Security in SAP Systems
Lesson 4: Securing the Message Server and the Internet Communication Manager (ICM)
Lesson 5: Securing the SAP GUI
Lesson 6: Monitoring SAP Systems Security
Lesson 7: Describing Application Lifecycle Management
Lesson 8: Monitoring Security with SAP Solution Manager
UNIT OBJECTIVES
Secure the message server and the Internet Communication Manager (ICM)
LESSON OVERVIEW
This lesson explains how to implement security measures in SAP systems with Secure Socket
Layer (SSL) and Secure Network Communications (SNC).
Business Example
You want to implement security measures in SAP systems. For this reason, you need an
understanding of the following:
LESSON OBJECTIVES
After completing this lesson, you will be able to:
HTTPS is the protocol indicator for HTTP over SSL in the URL. SSL uses a hybrid encryption
method.
SSL provides the following features:
- Data encryption
- Server authentication
- Client authentication
- Mutual authentication
To use SSL for server authentication, SAP NetWeaver Application Server (AS) has a private
and public key pair. In the figure, SSL: Server Authentication, when Alice connects, the server
sends its public key certificate with a digitally signed message.
In addition to verifying the validity of the certificate, Alice verifies the identity of SAP
NetWeaver AS by verifying values, such as validity dates and digital signature of the
Certification Authority (CA).
Alice only accepts the certificate if she trusts the CA that issued the certificate to SAP
NetWeaver AS.
Alice verifies the signed message sent by SAP NetWeaver AS. This message ensures that SAP
NetWeaver AS has the matching private key and is the intended server with which she wants
to communicate.
Alice generates the secret key that she encrypts using the public key of SAP NetWeaver AS
and sends the secret key to SAP NetWeaver AS.
Further communication between Alice and the server is encrypted using the secret key.
SSL with mutual authentication has the same procedure as SSL with server authentication,
except for the following additional steps:
- Alice also sends her public key certificate with the encrypted secret key to SAP NetWeaver
AS.
- In addition to her public key certificate, she also sends a signed message.
- SAP NetWeaver AS verifies Alice’s public key certificate and signed message to
authenticate her.
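The server authentication and mutual authentication sequences described above, as an added worked example in Go (written for this page; it is not code from the course or from SAP NetWeaver AS). The corporate CA, the host names, and the use of RSA with OAEP for transporting the secret key and PSS for the signed message are assumptions of the model. Alice's checks on the server's certificate, her check of the signed message, the encrypted secret key, and the same checks run by the server on Alice for mutual authentication each appear as a separate step, so that a CA she does not trust, an expired certificate, a wrong name, or a certificate presented without its private key is rejected at the matching step.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// identity is a certificate plus the matching private key (what a PSE holds).
type identity struct {
	cert *x509.Certificate
	key  *rsa.PrivateKey
}

// newIdentity issues a certificate for name, valid from notBefore to notAfter.
// A nil issuer yields a self-signed CA; otherwise issuer signs the certificate.
func newIdentity(name string, issuer *identity, notBefore, notAfter time.Time) (*identity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notAfter, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		parent, signer, tmpl.DNSNames = issuer.cert, issuer.key, []string{name}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &identity{cert: cert, key: key}, nil
}

// authenticate is the receiving side's work on a presented identity: the certificate
// must chain to a trusted CA, be valid at now and carry the expected name; then the
// presenter signs a fresh challenge, which is checked with the certificate's public
// key and so proves possession of the matching private key.
func authenticate(presenter *identity, trusted *x509.CertPool, name string, now time.Time) error {
	if _, err := presenter.cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: name, CurrentTime: now}); err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	h := sha256.Sum256(challenge)
	sig, err := rsa.SignPSS(rand.Reader, presenter.key, crypto.SHA256, h[:], nil)
	if err != nil {
		return err
	}
	if err := rsa.VerifyPSS(presenter.cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, h[:], sig, nil); err != nil {
		return fmt.Errorf("signed message rejected: %w", err)
	}
	return nil
}

// handshake follows the lesson's sequence: Alice authenticates the server, then
// generates a secret key and sends it encrypted to the server's public key. With
// alice set, the server authenticates her certificate and signed message as well
// (mutual authentication). The result is the secret key as the server recovers it.
func handshake(server *identity, serverName string, aliceTrusts *x509.CertPool,
	alice *identity, serverTrusts *x509.CertPool, now time.Time) ([]byte, error) {
	if err := authenticate(server, aliceTrusts, serverName, now); err != nil {
		return nil, fmt.Errorf("alice rejects server: %w", err)
	}
	if alice != nil {
		if err := authenticate(alice, serverTrusts, alice.cert.Subject.CommonName, now); err != nil {
			return nil, fmt.Errorf("server rejects alice: %w", err)
		}
	}
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, server.cert.PublicKey.(*rsa.PublicKey), secret, nil)
	if err != nil {
		return nil, err
	}
	// only the server's private key opens the wrapped secret; further traffic is encrypted with it
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, server.key, wrapped, nil)
}

func main() {
	now := time.Now()
	ca, _ := newIdentity("corp-ca", nil, now.Add(-time.Hour), now.Add(72*time.Hour))
	as, _ := newIdentity("as.corp.example", ca, now.Add(-time.Hour), now.Add(24*time.Hour))
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := handshake(as, "as.corp.example", roots, nil, nil, now)
	fmt.Println("server authentication against a trusted CA, error:", err)
}
```

Run as is, the program reports the outcome of a server authentication against a trusted CA. The rejection cases (a CA Alice does not trust, a mismatched name, an expired certificate, a certificate presented by a party that does not hold its private key, or a client certificate the server does not trust) surface as errors from handshake, each naming the step that failed.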
SSL is used in the following SAP environments where Internet protocols are used:
We recommend using SNC, as it provides the following features to mitigate the risks during
communication:
SNC can be used without additional partner software for all RFC communication between SAP
servers. SNC can also be used for SAP GUI communication if the SAP server and SAP GUI
clients run Windows. For more information about Microsoft Windows Single Sign-On (SSO)
options, see SAP Note 352295. An SNC partner product is needed to secure SAP GUI
connections in heterogeneous system landscapes (for example, servers run Advanced
Interactive eXecutive (AIX) and clients run Microsoft Windows).
- SNC is implemented between SAP GUI and ABAP systems because end user traffic may
pass through networks susceptible to network sniffing.
- For production systems, we recommend deactivating non-SNC access for most SAP GUI
users (snc/accept_insecure_gui=U). Only a small number of emergency accounts
must be able to access the system with password login.
- For RFC communication, SNC must be implemented if the network traffic is susceptible to
sniffing by end users.
Figure 39: SNC Using Generic Security Service Application Programming Interface (API)
SNC uses a generic GSS-API interface that is standardized by the Internet Engineering Task
Force (IETF).
GSS-API encrypts the data at the Network Interface (NI) protocol level. NI is the SAP protocol
layer.
SSL is present in the TCP/IP layer.
SNC Products
To use SNC in other configurations, you can use SAP NetWeaver SSO or products from SAP
security partners.
The SAP Cryptographic Library is available on the SAP Service Marketplace. You can use this
product for server-to-server communication. When the SAP Cryptographic Library is
installed, it replaces the SAP Security Library (SAPSECULIB). SAPSECULIB is the default
security library for digital signatures.
Note:
These two products cannot be used simultaneously.
SAP NetWeaver SSO is an SAP Product that enables you to use authentication and
encryption. It is perfect for use in SAP NetWeaver environments. To learn more about SAP
NetWeaver SSO, visit http://help.sap.com .
As an alternative, you can use a product that has been certified for use by the SAP Software
Partner Program.
In the SAP environment, the following protocols can be secured using partner products:
- HTTP (SSL) to Application Gateway: SAP Secure Login Library or partner product
- DIAG, RFC (SNC) with SAPGUI: SAP NetWeaver SSO (license required) or partner product
Private key
Separate PSEs are used for various identities or functions (separation of tasks). Each PSE
performs a specific function.
The functions performed by PSEs are as follows:
- SSL server PSE is used by SAP NetWeaver AS for SSL when the PSE is the server
component for the connection.
- SSL client PSE is used by SAP NetWeaver AS for SSL when the PSE is the client
component for the connection.
- Secure Store & Forward (SSF) applications use various PSEs to obtain the security
information that they need. For example, HTTP Content Server and SAP NetWeaver AS
use different PSEs to sign logon tickets.
- File PSE contains security information (key pair and certificate list) that is stored in a local
file in the file system. The file PSE is used for creating and verifying digital signatures, but
not for encryption.
To meet the requirements for various functions, the server needs to have different names.
The Distinguished Name (DN) specified for a PSE identifies the server for the corresponding
function when using this PSE.
Caution:
Restrict access to the table SSF_PSE_D by assigning the table to a dedicated
table-authorization group. End users must not have access to this new table-
authorization group. For more information about protecting access to key tables,
see SAP Note 1485029. Restrict file system access to PSE files from ABAP
programs. For more information about protecting access to PSE files using an
additional authority check, see SAP Note 1497104.
SSF provides security for SAP data and documents in the following cases:
- Data leaves the SAP system, for example, online orders, payments, or transfer of business
information.
- Data security is associated with persons and individuals, for example, digital signatures.
User signatures
- Authenticity and integrity
Alice’s document (for example, a business order) is authentic, is signed by her, and has
not been changed.
- Non-repudiation
Alice cannot deny having signed the document.
System signatures
- Document integrity
A document (for example, an archived document) has not been changed.
LESSON SUMMARY
You should now be able to:
LESSON OVERVIEW
This lesson provides an overview of authorizations in SAP systems and explains the rules for
password management in SAP systems.
Business Example
You want to define authorizations in an SAP system. For this reason, you require an
understanding of the following:
- The authorization concept of Application Server ABAP (AS ABAP) and Application Server
Java (AS Java)
LESSON OBJECTIVES
After completing this lesson, you will be able to:
Figure 45: SAP NetWeaver AS for ABAP Users and Authorization – Introduction
SAP uses a positive authorization concept. Positive authorization means that an authorization
or an access must be granted so that a user can execute actions or tasks. However, the
concepts and terms differ in SAP NetWeaver AS for ABAP and SAP NetWeaver AS for Java.
A user can log on to an SAP system client if they know the user and password for a user
master record.
Every time the user calls a transaction, an authorization check occurs in the SAP system. If a
user attempts to start a transaction for which that user is not authorized, the system rejects
the user with an appropriate message.
If the user starts a transaction for which they have authorization, the system displays the
initial screen of the transaction. The user can enter the data and perform various tasks on this
screen. The system performs additional authorization checks for data and actions that need
to be protected.
Authorization Objects
Authorization objects protect actions and the access to data in the SAP system. They are
delivered by SAP and are available in the SAP system. They are divided into various object
classes.
Authorization objects enable complex checks that involve multiple conditions before allowing
you to perform an action. The conditions are specified in the authorization fields of the
authorization objects and are linked for the check. Authorization objects and their fields have
descriptive and technical names. For example, the authorization object User Master
Maintenance: User Groups (technical name: S_USER_GRP) contains two fields: Activity
(technical name: ACTVT) and User Group in User Master Record (technical name:
CLASS). The authorization object S_USER_GRP protects the user master record. An
authorization object includes up to 10 authorization fields.
An authorization is associated with only one authorization object. The authorization contains
the value for the fields for the authorization object. An authorization is a permission to
perform a certain action in the SAP system. The action is defined based on the values of the
individual fields of an authorization object. For example, authorization B for authorization
object S_USER_GRP enables all user master records that are not assigned to the SUPER user
group to be displayed.
There can be multiple authorizations for one authorization object. Some authorizations are
delivered by SAP, but most are created to meet customer-specific needs.
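The positive authorization concept, the two fields of S_USER_GRP, and the rule that a single authorization must satisfy all fields of an object at once, as an added example in Go (written for this page; it is not ABAP code from the course, and it is a simplified model of the kernel's AUTHORITY-CHECK rather than a description of it). The value forms handled ("*", a trailing "*", an interval written "lo-hi", a single value), the sample authorizations and the user names are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// authorization is one instance of an authorization object: for every field of the
// object, the values this authorization permits. Values use the forms seen in role
// maintenance: "*" (all), "FIN*" (prefix), "01-03" (interval), or a single value.
type authorization struct {
	object string
	fields map[string][]string
}

// user carries the authorizations collected from all assigned roles and profiles.
type user struct {
	name  string
	auths []authorization
}

// valueMatches is a simplified model of field value matching (not the ABAP kernel's).
func valueMatches(allowed, actual string) bool {
	switch {
	case allowed == "*":
		return true
	case strings.HasSuffix(allowed, "*"):
		return strings.HasPrefix(actual, strings.TrimSuffix(allowed, "*"))
	case strings.Count(allowed, "-") == 1:
		bounds := strings.SplitN(allowed, "-", 2)
		return actual >= bounds[0] && actual <= bounds[1]
	}
	return allowed == actual
}

// fieldSatisfied reports whether any permitted value covers the actual value.
func fieldSatisfied(allowed []string, actual string) bool {
	for _, v := range allowed {
		if valueMatches(v, actual) {
			return true
		}
	}
	return false
}

// authorityCheck implements the positive concept: access is denied unless one of the
// user's authorizations for the object satisfies every required field at the same
// time. Field values from two different authorizations are never combined.
func authorityCheck(u user, object string, required map[string]string) bool {
	for _, a := range u.auths {
		if a.object != object {
			continue
		}
		ok := true
		for field, actual := range required {
			if !fieldSatisfied(a.fields[field], actual) {
				ok = false
				break
			}
		}
		if ok {
			return true
		}
	}
	return false
}

// Constructed sample authorizations for S_USER_GRP (fields ACTVT and CLASS, as on this
// page). ACTVT values follow the usual convention: 01 create, 02 change, 03 display, 06 delete.
var (
	displayAllGroups = authorization{"S_USER_GRP", map[string][]string{"ACTVT": {"03"}, "CLASS": {"*"}}}
	maintainNonSuper = authorization{"S_USER_GRP", map[string][]string{"ACTVT": {"01-03", "06"}, "CLASS": {"FIN*", "HR", "SALES"}}}
	maintainSuper    = authorization{"S_USER_GRP", map[string][]string{"ACTVT": {"*"}, "CLASS": {"SUPER"}}}
)

func main() {
	helpdesk := user{"HELPDESK", []authorization{displayAllGroups, maintainNonSuper}}
	for _, req := range []map[string]string{
		{"ACTVT": "03", "CLASS": "SUPER"}, {"ACTVT": "02", "CLASS": "SUPER"}, {"ACTVT": "06", "CLASS": "FINANCE"},
	} {
		fmt.Printf("%s S_USER_GRP %v -> %v\n", helpdesk.name, req, authorityCheck(helpdesk, "S_USER_GRP", req))
	}
}
```

The second request in main is the instructive one: the help desk user holds ACTVT 02 (in maintainNonSuper) and CLASS SUPER (via "*" in displayAllGroups), but in no single authorization, so changing a SUPER user is refused.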
Role Maintenance
Role maintenance (transaction PFCG, previously known as Profile Generator) simplifies the
process of creating and assigning the authorization to users. In role maintenance, related
transactions are selected. For the selected transactions, role maintenance creates the
authorizations with the required fields. A role can be assigned to various users. Changes to a
role affect multiple users. Users can be assigned various roles.
The user menu contains entries such as transactions, URLs, and reports. These entries are
assigned to the user through the roles.
You can use authorizations to control which users can access a Java application and which
actions are permitted for a user. Authorizations are combined as roles and then assigned to a
user or a user group by an administrator. The SAP NetWeaver Identity Management (SAP
NetWeaver ID Management) and Visual Administrator tools are used to assign authorizations.
Authorization checks are built into the Java application. In the Java application, you can
differentiate authorization checks with different objectives.
Access to an application is protected by checking whether the appropriate JEE security role is
assigned to the requesting user. If the user does not have the required security role, an error
message is displayed and access is denied. If the user has access to the system, the individual
activities can be protected. When requesting a special activity, for example, Delete, the
system checks whether the required JEE security role or User Management Engine (UME)
permission is assigned. You can control access to object instances, such as folders and
documents, using the Access Control List (ACL).
With all types of authorization checks specified, the developer must define the authorizations
query in the application. The developer decides which type of authorization check is to be
used. After implementation, the application determines which JEE security roles, UME
permissions, or UME ACLs are used.
Caution:
In SAP NetWeaver 7.0, UME roles are administered using SAP NetWeaver ID
Management, and J2EE security roles are administered using the Visual
Administrator. In SAP NetWeaver AS for Java 7.1 and later, JEE security roles are
mapped to server roles (UME roles) in a particular deployment descriptor of the
application.
J2EE security roles are a part of the J2EE standard. UME roles are an (SAP) extension of the
J2EE security roles. You can define the same authorization checks with J2EE security roles
and UME roles. However, it is easier and more precise to assign authorizations with UME
roles. A UME role comprises various authorization objects, whereas J2EE consists of one
object. In comparison to one UME role, many J2EE security roles must be assigned for the
same authorization. Always use UME roles, except in cases in which J2EE security roles are
sufficient.
Note:
A role in the ABAP environment is roughly equivalent to a UME role. An
authorization object in the ABAP environment can be compared to a security role
or UME permission.
SAPphone
SAPconnect
Data Check
Hint:
Call transaction SECSTORE after every system copy and check the entries. If all
entries are green, no action is necessary. If entries are red, a new migration key is
needed to migrate the data.
The installation number of the system and the system ID are used when creating the key for
the secure storage. If one or more of these values change, the data in the secure storage can
no longer be read. Under certain circumstances, you can migrate the data. To do this, you
need a migration key.
If the installation number changes because a new license is imported, SAP automatically
generates the migration key and sends the key with the mail for the new license.
Data Migration
To migrate the data, switch to the System data changed tab page in transaction SECSTORE.
Fill the Old System Name, Old Installation Number, and Release Key input fields and choose
Execute. The migration key can be generated at the SAP Service Marketplace
(http://service.sap.com), Quick Link /migrationkey.
Migration Key
For more information about migration entries in the secure storage, see SAP Note 816861.
For more information about how system copy ignores secure storage tables, see SAP Note
828529.
For more information about maintaining secure storage across customer numbers, see SAP
Note 1027439.
SAP NetWeaver AS for Java uses the SAP Java Cryptography Toolkit to encrypt the
information in the secure store using the triple Data Encryption Standard (DES) algorithm.
The encryption is performed during the SAP NetWeaver AS for Java installation process.
Using the configuration tool, you can encrypt the file again and change the key phrase.
Caution:
As the secure storage file contains sensitive information, access to this file must
be restricted by file system permissions. The secure storage file is located at
\usr\sap\<SID>\SYS\global\security\data\SecStore.properties.
Password rules in SAP NetWeaver AS for Java are controlled by UME parameters. The most
important parameters can be changed by the system administrator in the UME Configuration
UI.
Hint:
In the SAP NetWeaver AS for ABAP+Java (dual stack) system, you need to
maintain the password parameters at SAP NetWeaver AS for ABAP and SAP
NetWeaver AS for Java. The password parameters are not synchronized
automatically.
calculated from the stored password hashes. All systems using this method are subject to
password dictionary attacks or password brute-force attacks if the password hashes are
retrieved from the system. Security measures, such as strong password rules, must be taken
to significantly reduce the probability of successful password cracking attacks.
You must configure a strong password policy according to your corporate policy.
The following table lists AS ABAP password rules defined by the customer and the rules
predefined in the SAP system:
Rule | Rules Defined by the Customer | Rules Predefined in the SAP System
List of excepted users for multi logon: login/multi_login_users | List of user IDs | List of user IDs
Apart from the predefined password rules, you can influence user passwords in the following
ways:
- Using the system profile parameters to assign a minimum length for the passwords and
define how often the user has to set new passwords.
- Table USR40 is maintained with transaction SM30. Entries may contain wildcard characters
such as ? for one character and * for a character string.
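The two levers just named, a minimum length from the profile parameters and forbidden patterns in table USR40 with the ? and * wildcards, as an added Go example (written for this page; it is not SAP's password check). The USR40 entries, the minimum length of 8, and the case-insensitive comparison are constructed assumptions of the model.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode/utf8"
)

// policy models two of the levers named in the lesson: a minimum length (set through
// profile parameters) and forbidden patterns as maintained in table USR40.
type policy struct {
	minLength int
	usr40     []string
}

// usr40Regexp turns one USR40 entry into an anchored regular expression:
// '?' stands for exactly one character and '*' for any character string.
func usr40Regexp(entry string) *regexp.Regexp {
	quoted := regexp.QuoteMeta(strings.ToUpper(entry))
	quoted = strings.ReplaceAll(quoted, `\*`, `.*`)
	quoted = strings.ReplaceAll(quoted, `\?`, `.`)
	return regexp.MustCompile(`(?s)^` + quoted + `$`)
}

// violations lists every rule the candidate breaks; an empty result means accepted.
// The USR40 comparison is case-insensitive here (an assumption of this model).
func violations(p policy, candidate string) []string {
	var out []string
	if n := utf8.RuneCountInString(candidate); n < p.minLength {
		out = append(out, fmt.Sprintf("length %d is below the minimum of %d", n, p.minLength))
	}
	upper := strings.ToUpper(candidate)
	for _, entry := range p.usr40 {
		if usr40Regexp(entry).MatchString(upper) {
			out = append(out, "matches forbidden pattern "+entry)
		}
	}
	return out
}

// samplePolicy holds constructed values, not a customer's or SAP's USR40 content.
var samplePolicy = policy{
	minLength: 8,
	usr40:     []string{"*SAP*", "PASS*", "WELCOME?", "ADMIN"},
}

func main() {
	for _, pw := range []string{"pass1234", "Welcome1", "mysapid2024", "Xk7vQ2pLm!", "abc"} {
		fmt.Printf("%-12s -> %v\n", pw, violations(samplePolicy, pw))
	}
}
```

A single-character wildcard is deliberately narrow: WELCOME? forbids Welcome1 but not Welcome12, which is why USR40 entries meant to cover whole families of passwords usually end in *.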
Note:
The default values of certain profile parameters have been changed in SAP
NetWeaver AS for ABAP 7.00 and later. For more information about profile
parameters, see SAP Note 862989.
In SAP NetWeaver AS for ABAP 7.00 and later, the password hash algorithm has been
changed. More secure hash values can be generated that are not backward-compatible, and
that make reverse engineering attacks difficult. By default, new systems generate a
backward-compatible hash value and a new hash value. However, you can configure the
system so that only the new hash value is generated. The new hash value is not backward-
compatible. You can set the degree of backward compatibility with the profile parameter
login/password_downwards_compatibility .
Note:
For more details on backward compatibility, see SAP Note 1023437.
Restrict access to tables containing password hashes (USR02, USH02, and in later
releases USRPWDHISTORY) by changing the table authorization group of these tables.
Non-administrative users must not have access to this new table authorization group.
Activate the latest password hashing mechanism (code version) available for your release.
Downward-compatible password hashes must not be stored in Releases 7.0 and higher.
Note:
For more information about protecting read access to password hash value
tables, see SAP Note 1484692.
Caution:
After activating the latest password hashing mechanism, redundant password
hashes must be deleted from the relevant tables. For more information about
recommended settings for password hash algorithms, see SAP Note 1458262.
If you use Central User Administration (CUA), you must ensure that the CUA system has at
least the same or a higher release than all attached systems and that relevant SAP Notes are
implemented. For more information about CUA and passwords, see SAP Notes 1300104,
1306019, and 1022812.
The attributes available for security policies definitions allow system administrators to
override settings made with instance profile parameters.
The first step involves calling transaction SECPOL and creating a new security policy. Security
policies are Customizing objects and can easily be transported from one system to another.
The second step establishes the attributes relevant for each security policy.
The third step applies a security policy to a specified user. Mass maintenance can be
performed with transaction SU10.
To define a new policy access the User Management configuration and adapt the available
parameters.
The policy can be assigned to individual users in the General Information tab.
LESSON SUMMARY
You should now be able to:
LESSON OVERVIEW
This lesson provides an overview of authorizations in SAP systems and explains the rules for
password management in SAP systems.
Business Example
You want to define authorizations in an SAP system. For this reason, you require an
understanding of the following:
- The authorization concept of Application Server ABAP (AS ABAP) and Application Server
Java (AS Java)
LESSON OBJECTIVES
After completing this lesson, you will be able to:
User Maintenance (transaction SU01) and Role Maintenance (transaction PFCG) are the most
important tools for an SAP NetWeaver AS for ABAP-based system. When creating a new user
master record with transaction SU01, the required fields are Last name on the Address tab
page and Initial password on the Logon data tab page.
On the Logon data tab page, the User Group for Authorization Check implements delegated
user administration. A user master record in a user group can be changed only by an
administrator with the authorization to modify the user group. If a user master record is not
assigned to a group, any user administrator can change this user master record. The Validity
Period specifies the beginning and end of the validity of the user master record.
A user can log on to the SAP system if a user master record with a valid password exists. The
user master record determines the actions that individual users are allowed to perform in the
SAP system.
When maintaining user master records, you need to assign authorization to the users in the
form of roles and profiles.
User master records are client-specific.
SAP Authorization
SAP authorization protects transactions, programs, and services in SAP systems from
unauthorized access. On the basis of SAP authorization, the administrator assigns
authorizations to individual users that determine which actions they can execute in the SAP
system after they have logged on to the system and authenticated themselves.
SAP NetWeaver AS for Java provides an open architecture, based on service providers, to
store user and group data.
SAP NetWeaver AS for Java is delivered with the following service providers, known as user
stores:
The DBMS and UDDI providers implement standards and guarantee the J2EE conformity of
SAP NetWeaver AS for Java. The SAP-defined UME is installed as user storage during the
installation of SAP NetWeaver AS for Java. The SAP-defined UME is the recommended option
for most SAP customers. The user and the authorization concept can be installed and
operated flexibly only on the basis of the UME user storage.
Data Sources
The UME supports the following data sources as storage locations for user data:
- System database
SAP delivers preconfigured data source combinations. These preconfigured data source
combinations can be used without further adjustments or can be adapted according to the
specific needs of the customer.
Hint:
The data source of the system database is always connected to the UME for all
data source configurations delivered by SAP. Certain information (for example,
the UME roles) is always kept in the database.
SAP NetWeaver AS for Java – SAP NetWeaver Identity Management (SAP NetWeaver ID
Management)
Figure 61: SAP NetWeaver AS for Java: User Management Administration Console
The most important tool for a user administrator in an SAP NetWeaver AS for Java system is
identity management. The identity management tool is used for all data sources and is
implemented as an application running in a Web browser (based on Web Dynpro Java).
You can start identity management in the following ways:
- Use the SAP NetWeaver Administrator (URL /nwa), Configuration → Security → Identity
Management.
Hint:
The function scope available in identity management depends on the Java
authorizations of the current user.
CUA distributes user master records between SAP systems. The administration of an SAP
system landscape is performed from one central system. You can display an overview of all
user data in the SAP system landscape. All user data is stored in the standard SAP tables
(USR*) that contain the user master record data.
Use CUA if you have a complex landscape with several clients and systems to synchronize the
user data or if a user works in more than one system and uses the same user ID in all the
systems. Data that can be distributed with CUA includes data about the user master record,
such as address, logon data, user fixed values, and user parameters.
The system (security) administrator logs on to CUA and assigns roles or profiles and systems
to the user in CUA. You no longer need to log on to each system to make system-specific
assignments of activity groups and profiles.
Roles and authorization profiles can be transported but are not maintained from the CUA.
They are created and modified in the subsystems.
Prior to release 6.10, SAP systems could communicate with LDAP, but required an
independent, external component called LDAP Connector. As of release 6.10, SAP systems
can communicate directly with a directory server using LDAP.
Enterprises usually have a variety of SAP and non-SAP systems. By default, every system has
its own separate user management. Separate user management involves a large degree of
manual effort for the user administrator to administer the user information and role
assignments in each system.
However, employees of an enterprise have to perform different business process tasks.
These tasks require certain authorizations or roles in the system landscape. The source of
employee information is usually the SAP ERP Human Capital Management (SAP ERP HCM)
system. SAP ERP HCM triggers actions such as on-boarding and change of position, location,
or name. These changes must be reflected in the system landscape.
Before SAP offered SAP NetWeaver ID Management, user management was centralized using
the CUA. A limitation of CUA is that it is only supported for ABAP-based systems. For
interoperability with Java systems that use an LDAP directory both as a user store and for
integration with non-SAP applications, users are synchronized with an LDAP directory using
the ABAP LDAP connector. Central management for a heterogeneous system landscape was
only possible by using a third-party identity management product.
Driven by business processes, with SAP NetWeaver ID Management, SAP offers integrated
identity management capabilities for a heterogeneous system landscape. SAP NetWeaver ID
Management uses a central identity store to consolidate identity data from different source
systems (for example, SAP ERP Human Capital Management (HCM)) and distributes this
information to the different target systems. The distribution handles user accounts and role
assignments of SAP and non-SAP applications. You can define various rule sets for the
assignment of roles to users, which means that role assignment can be automatically
performed based on attributes of the identity.
An important feature of SAP NetWeaver ID Management is the availability of approval
workflows to distribute the responsibility for authorization assignments to various business
process owners and managers of employees. The integration of SAP ERP HCM as one of the
possible source systems for identity information is one of the key functionalities to enable
business-driven identity management. With the audit functionality of the solution, the auditor
can check employee system authorizations from a central location. Both the current
authorizations and the previous settings can be examined. The data within SAP NetWeaver ID
Management can be accessed using services and standard protocols, such as LDAP.
The following points highlight the relationship between SAP NetWeaver ID Management and
the CUA:
- SAP NetWeaver ID Management is the strategic solution for managing identities in SAP
and non-SAP environments.
- SAP NetWeaver ID Management can replace the CUA in order to manage user IDs in the
non-SAP system landscape.
- SAP continues to support the CUA in its current functionality according to the SAP
maintenance rules.
Note:
Check users with the RSUSR003 report for standard passwords.
When an SAP NetWeaver AS for ABAP-based system is installed, the default clients are as
follows:
- Client 000 is used for special administrative purposes. SAP imports the Customizing
settings into this client during the upgrade process or when applying Support Packages.
Client 000 must not be used for Customizing, data input, or development.
- Client 066 was created during system installation in the past. It was used to deliver
services by SAP Active Global Support. This client is no longer used, and can be safely
removed. For more information on this client, see SAP Note 7312 - Client 066 for
EarlyWatch.
- Client 001 is a copy of client 000, and was created during system installation in the past. It
can be used as the productive client. However, if you have decided to use other clients as
productive clients, rather than client 001, you can safely remove client 001. Bear in mind
that SAP Solution Manager systems and SAP Business Warehouse systems usually use
client 001 as a productive client.
Caution:
Prior to deleting a client, especially in the case of client 001, you must check that
there are no active users on the client. You can use report RSUSR200 in the
User Information System (transaction SUIM) or the Workload Statistics
(transaction ST03N) to check whether there has been user activity. Within transaction
ST03N, you can use the analysis view Settlement Statistics to determine which
clients have been used, and which users have used the clients.
Note:
To find out which clients you have in your system, use transaction SCC4. To
display the contents of the T000 table, use transaction SM30.
Depending on the client, several standard users may already be prepared. User SAP* is a
superuser for initial access to the system. The user DDIC is required for certain installation
and upgrade tasks, software logistics, and the ABAP Dictionary. The passwords of user SAP*
and DDIC of clients 000 and 001 (not in 066) are set during the installation process. In older
installation routines, passwords were not set during the installation process and the user had
the default passwords 06071992 (for SAP*) and 19920706 (for DDIC). The user
EARLYWATCH is used by the SAP EarlyWatch specialists and has access to monitoring and
performance data. The default password for user EARLYWATCH is SUPPORT. The user
SAPCPIC is used for communication purposes. The default password for user SAPCPIC is
ADMIN. For more information on SAPCPIC, see SAP Note 29276.
Caution:
You must change the passwords of standard users to strong ones.
In addition to changing the passwords of standard users, you must perform the following
steps:
1. Create a new superuser. Deactivate only SAP* by locking the SAP* user and removing
authorizations.
2. Assign standard users to the SUPER group so that standard users can only be modified by
administrators who are authorized to change users in the SUPER group.
3. Lock users DDIC and EARLYWATCH and unlock them only when necessary.
Do not delete DDIC or its profiles. DDIC is needed for certain installation and upgrade tasks,
software logistics, and the ABAP Dictionary. Deleting the DDIC user may result in loss of
functions in installation and upgrade tasks, software logistics, and the ABAP
Dictionary.
To log on to a newly created client (a client with no user master record at all and no user
SAP*), use the SAP* kernel mechanism. In the kernel, a hardcoded user with password pass
is implemented. This system access is not affected by authorization checks.
The SAP* kernel mechanism can be controlled by using the login/no_automatic_user_sapstar
profile parameter. As of SAP NetWeaver AS 7.00 (SAP NetWeaver 7.0), the default value of
this profile parameter has been changed to 1, which means that the SAP* kernel mechanism
is deactivated. In older releases, the SAP* kernel mechanism was activated by default (value
0) and had to be deactivated explicitly when the mechanism was not needed. For more information on
deactivating the automatic SAP* user, see SAP Note 68048.
Caution:
To ensure this mechanism is not misused, create a new user SAP* in all the
clients of your systems and set the login/no_automatic_user_sapstar profile
parameter to value 1. An existing user master record SAP* must not be deleted
from any client.
Hint:
Use the RSUSR003 report to make sure that the user SAP* has been created in
all clients and that the default passwords have been changed for the standard
users.
The figure, Activating the UME Emergency User, illustrates the process used for the
activation.
Note:
Please note the difference between user store and data source. SAP delivers
multiple user stores, which include the UME and the DBMS user store. In turn, the
UME can use different data sources for storing the user information.
When creating new users, you can choose between different user types. The user type affects
what the user can do and how the user’s password is handled.
The user type is an important property of a user.
The following user types are available in AS ABAP:
Dialog
A normal Dialog user is used for all logon types by just one person. During a dialog logon,
the system checks for expired or initial passwords, and the user has the opportunity to
change the password. Multiple dialog logons are checked and logged.
System
The System user type is used for dialog-free communication within a system; for
background processing within a system; and for Remote Function Call (RFC) users for
various applications, such as Application Link Enabling (ALE), Workflow, the Transport
Management System (TMS), and CUA. It is not possible to use this type of user for a dialog
logon. Users of this type are exempted from the usual settings for the validity period of a
password. Only user administrators can change the password.
Note:
For more information, see SAP Note 622464: Change: Password change req.
entry for SYSTEM user type.
Communication
Use the Communication user type for dialog-free communication between systems. This
type of user cannot be used for a dialog logon. The usual settings for the validity period of a
password apply to users of this type.
Service
A user of the Service type is a dialog user that is available to a larger, anonymous group of
users. In general, you must only assign highly restricted authorizations to users of this
type. Service users are used, for example, for anonymous system accesses using the SAP
Internet Transaction Server (ITS) or Internet Communication Framework (ICF) service.
The system does not check for expired or initial passwords during logon. Only the user
administrator can change the password. Multiple logons are permitted in the system.
Reference
As with the Service user, a Reference user is a general user not specific to a particular
person. You cannot use a Reference user to log on. A Reference user is used only to assign
additional authorizations. You can specify a Reference user for a Dialog user for additional
authorization on the Roles tab page.
Hint:
User types are also called security policy profiles.
Specify the security policy profile (user type) when you create a user with identity
management (you cannot create the Unknown type). In the case of existing users,
subsequent changes to the user type are only possible with restrictions.
Note:
The last column in the table is only relevant if you are operating a UME with an
ABAP system as the data source. Changes to the user type of an ABAP user are
mapped to the corresponding UME user master record (and vice versa, if the UME
has write access to the ABAP system).
As of SAP NetWeaver AS for Java 7.01, you can create your own security policy profiles (user
types) in the UME configuration UI. For example, you may create your own set of strong
password rules for special administrator users. In an SAP NetWeaver AS for ABAP+Java, the
security policy profiles (user types) created for customers are mapped to the ABAP Dialog
user type.
LESSON SUMMARY
You should now be able to:
LESSON OBJECTIVES
After completing this lesson, you will be able to:
Secure the message server and the Internet Communication Manager (ICM)
The ICM handles communication between an SAP system and external systems using the
HTTP, HTTPS, and SMTP protocols. As a server, the ICM processes external requests whose
URLs address a server and port combination on which the ICM listens. The ICM then calls
the corresponding local handlers, such as the file handler or the server cache handler, to
perform the necessary task.
Internet Communication Framework (ICF) provides the framework for implementing the
applications for the ICM. ICF consists of the interfaces that enable the SAP NetWeaver AS to
function as a Web server or a Web client.
ICF provides a framework to the user for developing the Business Server Pages (BSPs) for the
SAP NetWeaver AS Internet applications.
Applications are organized in a hierarchical tree.
Use transaction SICF to create and maintain BSPs, and to create and maintain virtual hosts
for the SAP NetWeaver AS. Use transaction SE80 to create and test BSPs.
Only ICF services that are required for business scenarios need to be enabled. Not every
ICF service needs to be enabled in SAP production systems.
If it is suspected that more ICF services are activated than necessary, the actual usage of
ICF services can be analyzed and services can be maintained collectively with SAP ECC 7.0
onwards. For information on mass maintenance of ICF services, refer to SAP Note
1498575.
Short-term recommendation: Review at least the ICF services that do not require user
authentication. This includes all services in /sap/public as well as services with stored
logon data.
Short-term recommendation: Deactivate at least the ICF services that are listed in the
table if they are not used in your business scenarios.
Virtual Hosts
Virtual hosts are used to set up separate HTTP service trees for several IP addresses. You
specify virtual hosts using the profile parameter is/HTTP/virt_host_<xx>, for example for the
following two hosts:
10.20.30.40 intranet.mycompany.com
25.20.50.60 myhost.mycompany.com
Define whether there are several virtual hosts using the profile parameter is/HTTP/virt_host_<n> =
<host1>:<port1>;<host2>:<port2>;...;, where <n> stands for the numbers 0-9.
The profile parameter can be changed statically in the instance profile, or dynamically using
transaction RZ11. Transaction RZ11 also contains parameter documentation. Note that
parameter is/HTTP/virt_host_0 = *:*; is set and cannot be changed. As a result, if no other
virtual host is found, the default host number is 0. The default host shows up in the HTTP
service tree for transaction SICF as default_host. Initially, this was the only virtual server.
Each user accesses the tree that corresponds to the user’s virtual host. To avoid namespace
conflicts, all other hosts provided by SAP begin with SAP.
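The following Python is an added illustration of the is/HTTP/virt_host_<n> format described above (written for this text, not SAP kernel code). It parses the parameter values and resolves which virtual host number, and therefore which SICF service tree, a request for a given host and port lands in. The matching order (virt_host_1 to virt_host_9 tried before the fallback to virt_host_0 = *:*) and the handling of * are assumptions, and the sample profile values are constructed.

```python
"""Virtual host lookup for the is/HTTP/virt_host_<n> profile parameter.

Added illustration of the parameter format; not SAP kernel code.
Assumption (not from the handbook): the specific hosts virt_host_1..9 are
tried in ascending order before falling back to virt_host_0 = *:*, and a
'*' in the host or port position matches anything.
"""
from typing import Dict, List, Tuple

VirtHostEntry = Tuple[str, str]  # (host, port), either may be '*'


def parse_virt_host(value: str) -> List[VirtHostEntry]:
    """Parse '<host1>:<port1>;<host2>:<port2>;...;' into (host, port) pairs.

    A trailing ';' (as in '*:*;') is tolerated and an entry without a port
    is treated as port '*'. Host names are compared case-insensitively.
    """
    entries: List[VirtHostEntry] = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        host, sep, port = item.rpartition(":")
        if not sep:  # no ':' at all: host only
            host, port = item, "*"
        entries.append((host.strip().lower(), port.strip() or "*"))
    return entries


def load_virtual_hosts(profile: Dict[str, str]) -> Dict[int, List[VirtHostEntry]]:
    """Collect virt_host_0..9 from an instance profile (a name -> value dict).

    virt_host_0 is always '*:*' in the ICM and cannot be changed, so it is
    forced here regardless of what the profile contains.
    """
    hosts: Dict[int, List[VirtHostEntry]] = {0: [("*", "*")]}
    for n in range(1, 10):
        raw = profile.get(f"is/HTTP/virt_host_{n}")
        if raw:
            hosts[n] = parse_virt_host(raw)
    return hosts


def _matches(entry: VirtHostEntry, host: str, port: int) -> bool:
    ehost, eport = entry
    return (ehost == "*" or ehost == host.lower()) and (eport == "*" or eport == str(port))


def resolve_virtual_host(profile: Dict[str, str], host: str, port: int) -> int:
    """Return the virtual host number whose service tree serves host:port.

    Specific hosts (1..9) are tried first; 0 (shown as default_host in SICF)
    is the fallback when no other virtual host matches.
    """
    hosts = load_virtual_hosts(profile)
    for n in range(1, 10):
        for entry in hosts.get(n, []):
            if _matches(entry, host, port):
                return n
    return 0


# Constructed sample profile (not a real system) using the two hosts above.
SAMPLE_PROFILE = {
    "is/HTTP/virt_host_0": "*:*;",
    "is/HTTP/virt_host_1": "intranet.mycompany.com:80;intranet.mycompany.com:443;",
    "is/HTTP/virt_host_2": "myhost.mycompany.com:*;",
}

if __name__ == "__main__":
    for h, p in [("intranet.mycompany.com", 443), ("intranet.mycompany.com", 8000),
                 ("myhost.mycompany.com", 8000), ("other.example", 80)]:
        print(f"{h}:{p} -> virt_host_{resolve_virtual_host(SAMPLE_PROFILE, h, p)}")
```

Requests that fall through to virt_host_0 end up in the default_host tree, so when reviewing which ICF services are exposed, check that tree as well as the host-specific ones.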
As of SAP NetWeaver AS 7.10, the ICM replaces the Java dispatcher in SAP NetWeaver AS for
Java. The ICM for SAP NetWeaver AS for Java can be configured using the profile of the Java
instance. The same options are available as for SAP NetWeaver AS for ABAP.
Transaction SMICM is not available on a Java system; therefore, the ICM is monitored using
the administration framework of the ICM.
In addition to access restrictions for SAP Message Server, we recommend that you restrict
access to remote message server monitoring (ms/monitor = 0). For more information, see
SAP Note 821875.
Caution:
Set the file system access authorizations for the file to a value that prevents
unwanted modifications.
You can display the file in transaction SMMS and add, change, or delete dynamic entries
there (SMMS: Goto → Security Settings → Access Control).
LESSON SUMMARY
You should now be able to:
Secure the message server and the Internet Communication Manager (ICM)
LESSON OVERVIEW
This lesson provides an overview of fundamental security measures on a front-end system.
The lesson also introduces the security features of SAP GUI for Microsoft Windows.
Business Example
To ensure the security of the front-end computer, you need to configure security features of
SAP GUI for Microsoft Windows. For this reason, you require an understanding of the
following:
Front-end security
LESSON OBJECTIVES
After completing this lesson, you will be able to:
The figure, Front-End Security Overview, highlights the components of an SAP environment.
To ensure front-end security in an SAP environment, various measures must be taken at the
front end, such as operating system (OS) patching, virus scanner, and an intrusion prevention
system. To prevent SAP GUI for Microsoft Windows from performing operations that might
put the security of the workstation at risk, you can use the security settings of the SAP GUI
system.
SAP NetWeaver AS for ABAP-based SAP systems can access security-critical functionality on
SAP GUI user workstations with the permission of the user (for example, uploading or
downloading files, changing Microsoft Windows registry, and executing programs). SAP GUI
for Microsoft Windows 7.10 introduced the possibility of alerting users in the event of security
access from ABAP systems. The option of alerting users to security events can be enabled by
the security administration in the system but the users need to confirm the access requests.
This alerting option can lead to many security alerts.
SAP GUI for Microsoft Windows improves the granularity and flexibility of security event
handling. This improvement is implemented using configurable security rules. SAP GUI for
Microsoft Windows offers a default set of security rules that can be extended by customers.
This feature mitigates the risk of malicious attacks on SAP GUI for Microsoft Windows
workstations from ABAP systems that have been compromised.
Caution:
We strongly recommend implementing the following security measures:
Deploy the latest SAP GUI for Microsoft Windows version and patch level on
all the user workstations.
Activate SAP GUI for Microsoft Windows security rules using at least the
security rule setting Customized and default action Ask.
The following security status levels are available:
Disabled
Customized
Strict Deny
If the status level is set to Disabled, no security checks take place. Each request received from
the back-end system to read, write, or execute a program is immediately executed. In this
case, the user is not aware that an action triggered by the back-end system is being
performed. This setting therefore carries the risk that undesirable actions are executed and
remain undetected, which may cause damage.
Caution:
We recommend avoiding the Disabled status level. It is suitable only for
restricted system situations.
The Strict Deny status level denies the execution of each individual action triggered by the
back-end system unless explicitly permitted by a rule defined by SAP. The SAP rules permit,
for example, the user to call help for the application. In practice, it is often not possible to use
this setting because many SAP applications access resources on the client machine, such as
downloads, uploads, and the execution of programs.
The Customized status level is the default setting when you install SAP GUI for Microsoft
Windows. When a request for an action is received from a back-end system, SAP GUI for
Microsoft Windows searches the list of security rules entered to evaluate the request. The
security rules are processed in accordance with their order in the list.
Whenever a request to perform an action is received, SAP GUI automatically works through
the list of rules from top to bottom. If a suitable rule is found, SAP GUI terminates the search.
This means that rules below this point that may also apply are ignored. If there is a rule
relating to the requested action, SAP GUI proceeds as defined in this rule. If there are no
settings in the rules with regard to a particular action request, SAP GUI selects the default
action defined. The default action is usually the query dialog that lets the user decide whether
to execute ( Default Action = Ask). However, you can also choose to permit action requests for
which there are no rules ( Default Action = Allow).
Security Rules
To create and manage the security rules, choose Security Settings in the Options dialog box of
SAP Logon. In SAP GUI, choose Customize Local Layout → Options → Security → Security
Settings.
Security rules can have the following origins:
SAP
Administrator
User
Rules of SAP origin are created by SAP and installed together with SAP GUI for Microsoft
Windows. Neither users nor administrators can edit these rules or change their sequence.
These rules are taken into account only if the status has been set to Customized. These rules
protect important local objects that are required for the operation of SAP GUI for Microsoft
Windows. These objects include registry values or specific files that contain configuration
information.
Rules of Administrator origin are created by the administrator, who is responsible for
distributing SAP GUI for Microsoft Windows. A user cannot change these rules.
A user of SAP GUI for Microsoft Windows can create additional security rules of User origin
for the local working environment.
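The status levels, first-match rule evaluation and rule origins described above, as an added model in Python (written from this text, not SAP GUI code). The rule fields (object type, operation, target pattern), the use of shell-style wildcards on the target, and the sample rule list are assumptions made for the example.

```python
"""Model of SAP GUI for Microsoft Windows security-rule evaluation.

Added illustration written from the lesson text; not SAP GUI code. The rule
fields, the wildcard matching of targets and the sample rules are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatch
from typing import List


class Status(Enum):
    DISABLED = "Disabled"
    CUSTOMIZED = "Customized"
    STRICT_DENY = "Strict Deny"


class Action(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    ASK = "Ask"      # query dialog: the user decides


class Origin(Enum):
    SAP = "SAP"                      # delivered with SAP GUI, not editable
    ADMINISTRATOR = "Administrator"  # distributed by the administrator (saprules.xml)
    USER = "User"                    # created locally by the user


@dataclass(frozen=True)
class Request:
    """An action a back-end system asks SAP GUI to perform on the workstation."""
    object_type: str   # assumed names: "file", "registry", "program"
    operation: str     # assumed names: "read", "write", "execute"
    target: str        # path, registry key or program


@dataclass(frozen=True)
class Rule:
    origin: Origin
    object_type: str
    operation: str
    target: str        # wildcard pattern on the target (assumption)
    action: Action

    def matches(self, req: Request) -> bool:
        return (self.object_type == req.object_type
                and self.operation == req.operation
                and fnmatch(req.target.lower(), self.target.lower()))


def evaluate(status: Status, rules: List[Rule], default_action: Action,
             req: Request) -> Action:
    """Decide what SAP GUI does with a back-end request under the status level."""
    if status is Status.DISABLED:
        # No security checks: the request executes without the user noticing.
        return Action.ALLOW
    if status is Status.STRICT_DENY:
        # Denied unless a rule defined by SAP explicitly permits the action.
        for rule in rules:
            if (rule.origin is Origin.SAP and rule.action is Action.ALLOW
                    and rule.matches(req)):
                return Action.ALLOW
        return Action.DENY
    # Customized: walk the list top to bottom; the first matching rule wins
    # and any later rule that would also apply is ignored.
    for rule in rules:
        if rule.matches(req):
            return rule.action
    return default_action   # no rule applies: Ask (recommended) or Allow


# Constructed rule list in evaluation order: SAP rules, then administrator
# rules, then a user rule. Paths are made up for the example.
SAMPLE_RULES = [
    Rule(Origin.SAP, "file", "write", r"*\SAP\Common\saprules.xml", Action.DENY),
    Rule(Origin.SAP, "file", "read", r"*\SAP\Common\*.ini", Action.ALLOW),
    Rule(Origin.ADMINISTRATOR, "program", "execute", "*", Action.DENY),
    Rule(Origin.ADMINISTRATOR, "file", "write", r"C:\Users\*\Downloads\*", Action.ALLOW),
    Rule(Origin.USER, "file", "write", "*", Action.ASK),  # never reached for Downloads
]

if __name__ == "__main__":
    req = Request("program", "execute", r"C:\Temp\tool.exe")
    for status in Status:
        print(status.value, "->", evaluate(status, SAMPLE_RULES, Action.ASK, req).value)
```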
Hint:
You can also manually create rules in Security Settings. To do this, scroll down
the list of rules and select the empty entry at the bottom. The Insert button is
then active.
Note:
For more information, see SAP Library for SAP GUI for Windows Security Guide on
SAP Help Portal at http://help.sap.com.
To create a rule file as an administrator, you use the rule editor in the Security node of the
Options dialog box. The administrator then needs to copy the generated saprules.xml file from
the file system directory %APPDATA%\SAP\Common to the location specified in the
registry value.
Caution:
Do not replace the saprules.xml file in the installation directory of SAP GUI for
Microsoft Windows 7.30 or higher. This file is overwritten during a subsequent
installation, for example, by a patch.
LESSON SUMMARY
You should now be able to:
LESSON OVERVIEW
This lesson describes how to use the security audit log to monitor SAP systems. It also
describes how to use the User Information System in the SAP system. In addition, it describes
the alert monitor.
Business Example
You want to monitor SAP systems using various SAP monitoring tools. For this reason, you
require an understanding of the following:
Security monitoring
Application Server ABAP (AS ABAP) and Application Server Java (AS Java) security audit
logs
How to use security audit logs and the User Information System
LESSON OBJECTIVES
After completing this lesson, you will be able to:
Monitoring Security
Security Monitoring Overview
SAP systems can become unsecure if previously applied security configurations are reverted
or disabled. Security configuration monitoring is therefore recommended to regularly verify
applied security configurations (recommended at least once a month). Identified deviations
must be realigned. SAP offers various granularities for security configuration monitoring.
The configuration tools and techniques that can be set up through SAP Solution Manager are
as follows:
SOS is designed to check the security of your SAP system. This service comprises a
system analysis and the resulting recommendations for system settings. It addresses
system and Customizing settings that impact system security. In addition, it focuses on
internal and external system security.
To improve the internal security, many critical authorization combinations are checked.
External security is improved by checking the access possibilities to your system and the
authentication methods used. This service checks the configuration of an SAP system on
predefined security topics. For more information, see SAP Library for SAP SOS on the SAP
Help Portal at http://help.sap.com.
The security audit log is a tool designed for auditors who need to take a detailed look at what
occurs in the SAP system. By activating the audit log, you keep a record of those activities in
SAP NetWeaver AS for ABAP-based systems that you consider relevant for auditing. This
information is recorded daily in an audit file on each application server. To determine the
information to be written to this file, the audit log uses filters that are stored in memory in a
control block.
When an event occurs that matches an active filter (for example, a transaction starts), the
audit log generates a corresponding audit message and writes the message to the audit file. A
corresponding alert is sent to the CCMS alert monitor. Details of the events are provided in
the audit analysis report of the security audit log.
The security audit log is active only if you use transaction SM19 to maintain and activate the
profiles.
In the profile parameter FN_AUDIT, the eight + symbols represent the date, which is
automatically substituted with the current date by the system.
If rsau/max_diskspace/per_file is used, the rsau/local/file parameter is no longer
valid and is not analyzed. Instead, the parameters DIR_AUDIT and FN_AUDIT are used. The
rsau/max_diskspace/per_file parameter defines the maximum size of a single security
audit file.
The rsau/max_diskspace/local parameter specifies the maximum size of a security audit
file. If this size is reached, the system stops logging audit events.
The rsau/selection_slots parameter specifies the number of selection units that are set
using transaction SM19 and checked by the system during processing of filters for the
security audit log.
Caution:
The security audit log contains personal information that may be protected by
data protection regulations. Before using the security audit log, ensure that you
adhere to the data protection laws that apply to your area of application.
You can specify the information you want to audit in filters, with which you can do one of the
following:
You use this procedure to create profiles of security audit filters in the database of SAP
NetWeaver AS for ABAP. All nodes of a cluster use identical filters for determining which
events to record in the audit log. You create profiles for different auditing scenarios. Once
activated, the SAP NetWeaver AS for ABAP loads the profile when the system starts. The
SAP NetWeaver AS for ABAP uses the filters defined in the profiles to write events to the
security audit log. By default, no security audit log is activated. To create static
profiles, you must set the profile parameter rsau/enable and restart the system.
To determine what you want to audit, you create the selection criteria by calling transaction
SM19.
For each selection criterion that you want to define, choose the user, audit classes, client, and
security levels. The security levels selected specify the levels of events (audit messages) to be
included in the audit log. Messages with the chosen level and higher levels are included in the
log.
For example, if you select low, then all the messages with a security level of low, average, and
high are included in the selection. If you select high, only high-level messages are included.
High-level messages and the Only Critical option describe events involving a high-level
security risk, such as unauthorized access attempts. All audit events are defined in the
system log messages with the prefix “AU”. You can view the assignment of the events to audit
classes and security levels using the system log message maintenance (transaction SE92).
You can also modify these definitions.
For the client and user entries, you can use * as a wildcard for all clients or users. By default,
a partially generic entry, such as 0* or ABC*, is not possible; to allow this, activate the profile
parameter rsau/user_selection. This enables the use of ABAP patterns: asterisk (*) for
any character string, plus sign (+) for any single character, and number sign (#) to escape
wildcards, spaces at the end of strings, and so on. Otherwise, only the asterisk (*) is a
wildcard.
For each selection criterion you apply to your audit, select the Selection Active tab page.
After specifying the selection criteria, save the data. For the application server to use the
profile at the next server start, choose Profile → Activate. The name of the active profile
appears in the Active Profile field.
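The filter semantics above (client and user selection, ABAP patterns with rsau/user_selection, audit classes, and the "chosen level and higher" rule) as an added Python model, written from this text rather than taken from SAP's implementation. The audit class names, the class and level assigned to each sample event, the sample filters, and the selection-slot count are constructed for the example.

```python
"""Security audit log filter model: ABAP user patterns and security levels.

Added illustration of the selection rules in the lesson; not SAP code.
Constructed for the example: audit class names, the class/level of each
sample event, the sample filters and the selection_slots default.
"""
import re
from dataclasses import dataclass
from typing import List, Set

LEVELS = {"low": 0, "average": 1, "high": 2}   # "Only Critical" selects "high"


def abap_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """ABAP pattern (rsau/user_selection active): '*' any string, '+' any
    single character, '#' escapes the next character (so '#*' is a literal *)."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "#" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "+" else re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.DOTALL)


def user_matches(pattern: str, user: str, user_selection: bool) -> bool:
    """Without rsau/user_selection only a bare '*' is generic (all users);
    anything else must match the user name exactly."""
    if user_selection:
        return abap_pattern_to_regex(pattern).fullmatch(user) is not None
    return pattern == "*" or pattern == user


@dataclass(frozen=True)
class Filter:
    client: str              # '*' or a client number such as '100'
    user: str                # user name or pattern
    audit_classes: Set[str]  # constructed class names, e.g. {"logon"}
    min_level: str           # 'low' (All), 'average' or 'high' (Only Critical)
    active: bool = True      # the Selection Active flag


@dataclass(frozen=True)
class AuditEvent:
    message: str      # AU message number (class/level pairing is constructed)
    client: str
    user: str
    audit_class: str
    level: str


def event_selected(filters: List[Filter], ev: AuditEvent,
                   user_selection: bool = False, selection_slots: int = 10) -> bool:
    """True if an active filter records the event. A filter records messages
    of its chosen level and all higher levels. Only the first selection_slots
    filters exist (rsau/selection_slots); the default of 10 is constructed."""
    for f in filters[:selection_slots]:
        if not f.active:
            continue
        if f.client not in ("*", ev.client):
            continue
        if not user_matches(f.user, ev.user, user_selection):
            continue
        if ev.audit_class not in f.audit_classes:
            continue
        if LEVELS[ev.level] >= LEVELS[f.min_level]:
            return True
    return False


# Constructed filters: critical events for all users in all clients, plus
# every logon event of the ADM* accounts in client 100.
SAMPLE_FILTERS = [
    Filter("*", "*", {"logon", "transaction", "rfc"}, "high"),
    Filter("100", "ADM*", {"logon"}, "low"),
]

# Constructed events: AU2 (logon failed) rated high, AU1 (logon successful) low.
SAMPLE_EVENTS = [
    AuditEvent("AU2", "100", "ADMIN", "logon", "high"),
    AuditEvent("AU1", "100", "ADMIN", "logon", "low"),
    AuditEvent("AU1", "200", "JSMITH", "logon", "low"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.message, ev.client, ev.user, "->",
              event_selected(SAMPLE_FILTERS, ev, user_selection=True))
```

Note that the second sample filter only records ADMIN's successful logons when rsau/user_selection is active; with the default setting its ADM* entry is not generic and matches nothing.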
The figure, Security Audit Log – Audit Configuration Selection Criteria, shows the initial
screen for the security audit logs. For each selection criteria that you want to define, choose
the client, user names, audit classes, and events.
The events selection specifies the levels of events (audit messages) that you want to include
in the audit log. Messages with the chosen level and higher levels are included in the log. If you
select All, all messages with a security level of low, average, and high are included in the
selection. If you select Only Critical, only high-level messages are included.
The security audit log is active only if you use transaction SM19 to maintain and activate the
profiles. Set the profile parameters as shown in the figure, Security Audit Log: Security Audit
Profile Parameters.
To display the profile parameters in transaction SM19, choose Environment → Profile
parameter. Auditing is activated only if the rsau/enable parameter is set. Audit profile
activation is also achieved by dynamically activating an audit profile in transaction SM19.
The profile parameters DIR_AUDIT and FN_AUDIT specify the path and name of the audit
files. The eight + symbols represent the date, which is automatically substituted with the
current date by the system.
The rsau/max_diskspace/per_file parameter specifies the maximum size of one
security audit file. If this size is reached, the system creates the next file. For example, you
could restrict the size to 650 MB to fit one file on one CD during archiving.
If the rsau/max_diskspace/per_file parameter is set to 0, the parameters rsau/local/file
and rsau/max_diskspace/local are valid and analyzed.
The security audit log produces a report on the activities that have been recorded in the audit
file. You can analyze a local server, a remote server, or all servers in your SAP system.
To display the initial screen, run transaction SM20 or, as of Release 6.10, transaction SM20N.
The initial screen is designed in a similar way to the system log (transaction SM21).
The following information is provided on the initial screen:
Time
Work process
Client
User
Transaction code
Terminal ID
Message number
The Microsoft Windows Terminal Server maps all events to a single terminal ID.
The time, user ID, and transaction code are displayed in the audit log. You can identify the
terminal ID and track the hacker, as shown in the figure, Security Audit Log: Audit Log Details.
The text in the figure provides the reason for the unsuccessful logon.
Note:
For more information, see SAP Note 173743.
The security audit log of the SAP NetWeaver AS for Java contains a log of important security
events, such as successful and failed user logons and the creation or modification of users,
groups, and roles.
This information is used by auditors to track changes made in the system. By default, the log
files are available at /usr/sap/<SID>/<Instance>/j2ee/cluster/serverX/security_audit.X.log.
They can be viewed with SAP NetWeaver Administrator, in the log viewer.
Note:
For more information, see SAP Library for SAP NetWeaver online documentation
on the SAP Help Portal at http://help.sap.com and search for the security audit
log of the SAP NetWeaver AS for Java.
Hint:
To explicitly search for authorizations that contain the full authorization asterisk
(*), you need to enter a number sign (#) before the asterisk, that is, #*.
Otherwise, the system searches for any values.
Note:
You must regularly check the lists that are important. Define a monitoring
procedure and corresponding checklists to ensure that you continually review
your authorization plan. Determine which authorizations are critical and regularly
review which users have these authorizations in their profiles.
You access the User Information System by running transaction SUIM. You can find the
elements of the authorization system using various selection criteria.
The User Information System provides an overview of user master records, authorizations,
profiles, roles, and change dates.
You can display lists to answer the following questions:
System Trace
Use the system trace transaction ST01 to track several types of operations in an SAP system.
The following components can be monitored using the SAP system trace:
Authorization checks
Kernel functions
Kernel modules
Table buffers
RFC calls
The last four components can be monitored using performance analysis (transaction ST05).
There are two ways of selecting the traces you want to display. On the initial screen, you can
select the components to be logged and additional filters, if required. You can reuse the filters
and restrictions from the traces that have these settings when the traces are evaluated.
You must start tracing by setting the trace options that you require on the trace options
screen. If you start from the set menu on the main screen, then your trace includes all the
active users, which can affect system performance.
The system trace function only traces the internal SAP system activity of the local application
server to which you are currently logged on. The system trace function only works if it can
write to the trace file in the instance log directory at operating system level, for
example: /usr/sap/DVEBMGS00/log. Ensure that there is enough disk space, and that
access authorizations are set correctly.
If you want to protect a trace from being overwritten later, choose Goto → Save from the
menu. On the next screen, you can enter a short text for the trace and choose whether the
file created for this trace is named automatically or whether you want to specify a file name
yourself. If you do not specify an absolute path, a file of this name is created in the log
directory. In the case of automatic file creation, the system determines the file name and
stores the file in the log directory. Unlike a manually created file, an automatically created file
can be found with the F4 help from the analysis screen, which is an advantage.
Note:
If you choose automatic creation, you can delete the file again in this transaction
(use the Delete button on the analysis screen). This is not possible if you specify a
file name manually. If you want to delete this file, you need to delete it at the
operating system level.
To display a trace, choose Analyze. You can obtain more information about any entry by
selecting that entry.
Alert Monitor
The monitoring architecture, a solution within SAP NetWeaver, centrally monitors any IT
environment, from individual systems through networked SAP NetWeaver solutions, to
complex IT landscapes incorporating several hundred systems. The monitoring architecture
is provided in SAP NetWeaver and can be used immediately after installation. You can easily
extend the architecture to include SAP and non-SAP components.
Alerts form a central element of monitoring. Alerts quickly and reliably report errors, such as
values exceeding or falling below a particular threshold value or that an IT component has
been inactive for a defined period of time. These alerts are displayed in the Alert Monitor; this
reduces the system administration workload because the system administrator now only
needs to watch the error messages instead of endless system data. The Alert Monitor is
therefore the central tool with which you can efficiently administer and monitor distributed
SAP NetWeaver solutions or client and server systems. The Alert Monitor displays problems
quickly and reliably to ensure that the appropriate analysis tool is used at the right time.
The following features are listed under the security section of the monitoring tree:
Logon
RFC logon
Transaction start
Report start
RFC call
System
Miscellaneous
The Alert Monitor checks various components of your SAP system. Use transaction RZ20 to
call the Alert Monitor.
The Alert Monitor uses thresholds and rules to generate alerts whenever an abnormal
condition occurs in your SAP system or its environment. Alerts direct your attention to critical
situations. The Alert Monitor reports alerts up through the monitoring tree. The color of a
monitoring tree element (MTE) always represents the highest alert in all MTEs in its branch.
Some screen elements in the alert monitoring tree are as follows:
The Open Alerts view shows what has happened in the system since it was last checked.
Any problems or errors are displayed in red. Warnings are displayed in yellow. According to
the threshold values, green means that there are no problems. You can use properties to
customize the threshold values for red and yellow alerts. To start the analysis tool,
double-click the alert text that you want to analyze. To display information about certain types
of alert, select the checkbox next to the alert and then choose Display Detailed Alerts. The
Complete Alert button resets the alerts displayed on the screen.
LESSON SUMMARY
You should now be able to:
LESSON OVERVIEW
This lesson describes some of the impacts that SAP HANA has on security management in
SAP NetWeaver systems.
LESSON OBJECTIVES
After completing this lesson, you will be able to:
Currently, the possibility to manage DBMS users is implemented only for SAP HANA as the
database system. It is, however, possible to connect any other database system that is
supported by SAP NetWeaver AS ABAP by a customer implementation of the class
For managing users in the HANA database, you need to provide the connection details in
transaction DBCO. One HANA user needs to be provided with the following privileges:
The next configuration step requires that you specify the ABAP client where the database
users will be managed. This can be done in transaction SM30 (maintenance view
USR_DBMS_SYSTEM).
The mass maintenance for database users can be done by calling report
RUSR_DBMS_USERS.
In Access Control Management (transaction ACM) you can review the existing Access
Controls and run troubleshooting tools.
To find out which Access Controls exist, you can also query table TADIR for all objects of type
DCLS. An S/4 release 1610 system contains more than 1,600 access controls. One example
of their usage is when you wish to expose a CDS view directly through a Fiori application.
The Access Control objects can be maintained only with ABAP Development Tools for Eclipse.
An ABAP programmer has the option to reuse existing ABAP authorization objects instead of
filtering accesses based on column values provided by the CDS view.
Recent versions of SAP Netweaver AS ABAP request a password for the user TMSADM while
configuring the Transport Management system. Older or non-updated versions do not
prompt at all or allow old standard passwords to be kept.
LESSON SUMMARY
You should now be able to:
LESSON OBJECTIVES
After completing this lesson, you will be able to:
The EarlyWatch family includes EWA on each of the production systems and SAP EarlyWatch
on Solution Manager as a remote service.
Hint:
EWA identifies potential security problems at an early stage. The underlying
concept of EWA is to ensure smooth operation of individual SAP systems by
keeping you informed of their status. In addition, it allows you to take action
before severe technical problems occur.
EWA is a diagnostic tool to monitor your most important business processes and systems.
EWA helps to identify potential problems early, avoid bottlenecks, and monitor the
performance of your systems. Using this mechanism, the security status can be validated for
a predefined set of parameters on a weekly basis. The EWA report also displays an alert when
security-critical SAP Notes are missing or are not applied on the analyzed system.
EWA is included in the maintenance agreement with SAP at no extra cost. By running and
monitoring EWA, you can increase system stability, performance, and security for your entire
solution landscape. EWA monitors solutions in SAP and non-SAP systems in SAP Solution
Manager. SAP Solution Manager processes the EWA reports.
EWA Functionalities
Depending on the status of your system, EWA triggers services such as SAP EarlyWatch
Check. SAP EarlyWatch Checks are automatically triggered by EWA in cases of red flags in
EWA. SAP EarlyWatch Check is performed over a remote connection by a technical service
engineer. Your system is analyzed during the service. The service engineer also diagnoses
particularly complex problems and develops solutions. Each productive system is entitled to a
maximum of two SAP EarlyWatch Checks per year within your maintenance agreement with
SAP (valid for SAP customers with Standard Support agreement).
Caution:
SAP strongly recommends activating EWA for all productive systems.
The EarlyWatch report covers the following security and authorization topics:
Data can be collected and transferred automatically for all remote sessions. EWA informs the
customer about problems with the data collection. The relevant data is sent from the satellite
systems to the central SAP Solution Manager system for processing and evaluation. EWA for
the satellite systems is also the basis for further analysis. If the overall rating of EWA is red,
the service results are automatically sent to SAP Support. In all the sections rated as yellow or
green, results are sent to SAP Support once every four weeks.
The EWA results are prerequisites for the following SAP services:
Hint:
SAP SOS can be used at any time. The best time is during the end of the go-live
phase. The service is also useful when preparing for internal and external audits.
It can be rerun to confirm that the applied changes in the system configuration
have been successful and that no new vulnerabilities have appeared.
The underlying concept of SAP SOS is to ensure smooth operation of your SAP solution by
taking action before severe security problems occur. This test consists of hundreds of checks
based on the SAP Security guidelines and the knowledge of the SAP Security consultants.
Background authorization check
External authentication check
Configuration Validation
With Configuration Validation within SAP Solution Manager, SAP offers a tool to validate
various kinds of software configuration items. Configuration Validation helps to standardize
and harmonize configuration items within the ABAP and Java systems, using a single
configuration item repository within SAP Solution Manager. Configuration Validation uses the
centrally stored configuration data to validate a large number of systems using a subset of the
collected configuration data.
The following questions must be answered:
Are all systems at a certain operating system patch level or database patch level?
Have any template configurations for SAP applications or database parameters been
applied to all systems?
Is any kernel release older than six months present on any of the systems?
To answer these questions, a target system can be defined as a reference system for
comparing values. This target system can be either a real system or a virtual set of manually
maintained configuration items. Based on this reference system, settings are compared in a
consistency check. For some settings, such as STANDARD_USERS and the SAP NetWeaver
Gateway configuration, additional predefined checks can be performed, which are not
consistency-based.
The following checks are part of the standard configuration stores:
Rules for profile parameters can be defined using number ranges and comparison
operators.
Regular expressions can be used for checks of the SAP Gateway configuration files.
Configuration store ABAP_NOTES allows checks for software dependencies of SAP Notes.
SNOTE Notes that are already applied are included in the ABAP_NOTES configuration
store.
LESSON SUMMARY
You should now be able to:
Learning Assessment
X A SAP
X B Customized
X C Administrator
X D User
2. In Application Server ABAP (AS ABAP) and Application Server Java (AS Java) based
systems, several standard users, with pre-configured authorizations, are available directly
after installation.
Determine whether this statement is true or false.
X True
X False
3. What are the available user types in SAP NetWeaver Application Server (AS) for ABAP?
Choose the correct answers.
X A Workflow
X B Dialog
X C System
X D User Administrator
4. Which of the following password rules in Application Server ABAP (AS ABAP) are defined
by the customer?
Choose the correct answers.
X B Minimum length
5. The secinfo file of SAP Gateway can be used to control the start-up of an external Remote
Function Call (RFC) to secure the RFC connection.
Determine whether this statement is true or false.
X True
X False
Lesson 1
Discussing Authentication for SAP NetWeaver AS
Lesson 2
Discussing Authentication for SAP Netweaver AS Java
Lesson 3
Discussing Authentication for SAP NetWeaver AS ABAP
Lesson 4
Configuring UME Parameters for SSO
Lesson 5
Discussing Single Sign On with Active Directory
UNIT OBJECTIVES
Customize the SAP logon ticket issued by SAP NetWeaver Java systems
Configure an SAP Netweaver ABAP AS for Single Sign on with Active Directory
LESSON OVERVIEW
The lesson explains session handling and how to enable session security.
Business Example
You need to activate HTTP security to enable session security of your application server. For
this reason, you require an understanding of the following:
Session handling
How to check the logon procedure of an Internet Communication Framework (ICF) service
LESSON OBJECTIVES
After completing this lesson, you will be able to:
Session Handling
Stateful Web applications store the application state on the application server. During
communication, only the key to this state is included with each request. The key to the state is
also called session identifier or short session ID. In general, the session ID can be transferred
as a cookie, through a URL parameter, or as a hidden form field.
In addition to the application state, a security state and a corresponding security session may
exist. A security session starts with logging on to the system and ends with logging off the
system. SAP security session IDs are transmitted only through non-persistent cookies.
An attacker can obtain the session ID of the victim and can then act on behalf of the victim,
with the complete set of the victim’s authorizations in the attacked system.
Session Hijacking
During this type of attack, the attacker steals a valid session ID of the victim. The attacker
then sends a request with this session ID to the server. This can be performed, for
example, by sniffing the network traffic. In some scenarios, the session ID is a part of the
URL. URLs with session IDs can be hijacked if the victim stores the URL in the bookmarks
or sends the URL through e-mail. Assuming the session ID is still valid, the attacker can
act with the full set of the victim’s authorizations.
Session Fixation
During this type of attack, the attacker sets the session ID for a certain user before the
user is authenticated by the application. This can be done by manipulating the URL that is
used by the user to access the Web application. As a result, after user authentication,
both the attacker and the victim know the session ID and can work on the system under
the same user ID.
Session Riding
With this type of attack, the attacker uses the victim’s user agent to send requests to an
application server, resulting in undesired and potentially harmful actions. We strongly
recommend that you implement the session security settings on production systems to
improve session security.
Session Security
SAP NetWeaver AS for ABAP 7.02, 7.20 and higher: HTTP security session management (SAP Note 1322944)
Generally, an ABAP-based application server uses the sap-contextid cookie for identifying
both the application session and the security session.
works with SAP NetWeaver 7.02, 7.20, and higher, a new protection mechanism has been
developed and must be used on newer releases of SAP NetWeaver. For more information, see
SAP Note 1322944.
HTTP security session management uses a new, separate cookie to identify the security
session (SAP_SESSIONID_<sid>_<client>). A security session ID and the resultant value of
the SAP_SESSIONID_<sid>_<client> cookie changes upon authentication and programmatic
re-authentication. For more information, see SAP Note 1322944 and SAP NetWeaver Library.
Before activating the HTTP security session management on an AS ABAP-based system that
is accessed from an SAP NetWeaver Portal, you must apply SAP Note 1471069 to the portal.
SAP NetWeaver AS for Java uses the JSESSIONID session cookie for identifying application
and security sessions. A specific protection mechanism was developed that adds an
additional session identifier named JSESSIONMARKID. If this security mechanism is
activated, the security session is identified using the additional non-persistent cookie
JSESSIONMARKID. The JSESSIONMARKID cookie changes after authentication and
programmatic re-authentication, which counters session fixation and hijacking attacks. The
SessionIdRegenerationEnabled Java parameter is available in SAP NetWeaver 6.40 and
higher releases and needs a certain Support Package level. For more information on updating
your systems to use this Java parameter, see SAP Note 1310561.
Some applications require additional configuration, for example, operating an interaction
center with the SAP Customer Relationship Management (SAP CRM) application. For more
information, see SAP Notes 1420203 and 1532777.
To avoid the risk of session cookies being hijacked in the network, we recommend that you
use HTTPS for all browser access from end users to SAP software systems. To prevent a
browser transmitting a session cookie over an unencrypted HTTP communication channel,
the secure cookie attribute for session cookies must be set.
For more information about how to set the SystemCookiesHTTPSProtection attribute for
Java, see SAP Note 1449940 and SAP NetWeaver Library. The settings are available in SAP
NetWeaver 6.40 and higher releases and need a specific Support Package level. It may be
necessary to update your systems to the required levels.
For ABAP systems, you set parameter login/ticket_only_by_https = 1. This parameter is
available in SAP NetWeaver AS 6.10 and higher releases. After enabling this attribute, if
system cookies are required to make the application work, plain HTTP connections will no
longer work. For more information about best practices when activating the recommended
secure session handling, see SAP Note 1531399. Careful regression tests need to be
performed for modified SAP programs and custom applications after applying session
security and HTTPS protection measures.
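The following added example (not code from the SAP handbook or from any SAP product) turns the session-cookie requirements of this lesson into a check: it parses Set-Cookie headers captured before and after a logon and reports a security-session cookie that lacks the Secure attribute, that is persistent, or whose value did not change upon authentication (the session fixation case). The cookie names are the ones named in the lesson; the header values are constructed sample data.

```python
"""Audit SAP session cookies for the protections described in this lesson.

Added example; not from the SAP handbook or any SAP product. It checks
Set-Cookie headers captured before and after a logon for three properties
the lesson requires of security-session cookies:
  1. the Secure attribute (never sent over plain HTTP),
  2. non-persistence (no Expires / Max-Age attribute),
  3. a new value after authentication (counters session fixation).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Security-session / logon-ticket cookies named in the lesson.
# AS ABAP: SAP_SESSIONID_<sid>_<client>; AS Java: JSESSIONMARKID; ticket: MYSAPSSO2.
SECURITY_COOKIE_PATTERNS = [
    re.compile(r"^SAP_SESSIONID_[A-Z0-9]{3}_\d{3}$"),
    re.compile(r"^JSESSIONMARKID$"),
    re.compile(r"^MYSAPSSO2$"),
]


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or True for flags such as Secure
    attrs: Dict[str, object] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (minimal RFC 6265 style parser)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return Cookie(name.strip(), value.strip(), attrs)


def is_security_cookie(name: str) -> bool:
    return any(p.match(name) for p in SECURITY_COOKIE_PATTERNS)


def audit_session_cookies(before_logon: List[str], after_logon: List[str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    before = {c.name: c for c in map(parse_set_cookie, before_logon)}
    after = {c.name: c for c in map(parse_set_cookie, after_logon)}
    findings: List[str] = []
    for name, cookie in after.items():
        if not is_security_cookie(name):
            continue  # application cookies such as sap-contextid are out of scope here
        if "secure" not in cookie.attrs:
            findings.append(f"{name}: Secure attribute missing, cookie may travel over plain HTTP")
        if "expires" in cookie.attrs or "max-age" in cookie.attrs:
            findings.append(f"{name}: persistent cookie, security sessions must be non-persistent")
        if name in before and before[name].value == cookie.value:
            findings.append(f"{name}: value unchanged across logon, session fixation is possible")
    return findings


# Constructed sample headers for an AS ABAP system PCC, client 100.
BEFORE_LOGON = [
    "sap-contextid=SID%3aANON%3aconstructed; Path=/sap/bc",
    "SAP_SESSIONID_PCC_100=anon-session-constructed; Path=/",
]
AFTER_LOGON_WEAK = [
    # same session ID as before the logon, and no Secure attribute
    "SAP_SESSIONID_PCC_100=anon-session-constructed; Path=/",
    # logon ticket made persistent and sent over HTTP as well
    "MYSAPSSO2=ticket-constructed; Path=/; Domain=.demo.sap; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
]
AFTER_LOGON_HARDENED = [
    "SAP_SESSIONID_PCC_100=auth-session-constructed; Path=/; Secure",
    "MYSAPSSO2=ticket-constructed; Path=/; Domain=.demo.sap; Secure",
]

if __name__ == "__main__":
    for label, headers in (("weak", AFTER_LOGON_WEAK), ("hardened", AFTER_LOGON_HARDENED)):
        print(f"{label}:")
        for finding in audit_session_cookies(BEFORE_LOGON, headers) or ["no findings"]:
            print("  " + finding)
```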
Security Issues
A stolen logon ticket (the MYSAPSSO2 cookie) allows a different user to create a new
session, even after the legitimate user has successfully logged off.
Functional Aspects
Validity of logon tickets is fixed (defined by ticket issuer, default: eight hours).
Options to log off are only provided by SAP NetWeaver Portal (Distributed Session
Manager (DSM) Terminator).
Robustness
Conflicts with other systems that also set the MYSAPSSO2 cookie (cookie is set with
the same name domain-wide).
1. Start HTTP session management (transaction SICF_SESSIONS). A list of all the clients
that exist in the system displays.
Hint:
The security audit log records this activation or deactivation of HTTP security
session management.
Some browser plugins or applets may have problems. For more information, see SAP Note
1317545.
Public services or services with configured identity will never evaluate or create security
sessions (no mixed mode).
Processing incoming HTTP requests updates a Least Recently Used (LRU) timestamp.
The cache is scanned every 60 seconds for inactive and expired sessions for each server.
Inactive or expired sessions and all associated application contexts, including the allocated
server resources, are terminated. Other server nodes are notified of this termination event.
In cases of associated Security Assertion Markup Language (SAML) sessions, no
notification is sent to the SAML Identity Provider (IdP).
In cache-full situations, the system creates security sessions with a fixed validity period.
An emergency reaction results in system log entries.
During start-up and controlled shutdown, each server instance deletes its own security
contexts (SEC_CONTEXT_COPY table). The last server triggers the system-wide
termination of the security context (SECURITY_CONTEXT table).
LESSON SUMMARY
You should now be able to:
LESSON OVERVIEW
This lesson describes the Java Login Modules and how they control the logon process into an
Netweaver Java system.
LESSON OBJECTIVES
After completing this lesson, you will be able to:
Logon ticket and Assertion ticket are SAP-specific procedures. The assertion ticket is only
used for system-system communication. The implementation of JAAS in SAP NetWeaver AS
for Java is based on logon modules. A logon module is a concrete implementation of the flow
logic of the authentication. Several logon modules can be combined to make a logon module
stack (also called an authentication stack).
Using the policy configuration, a login module or an authentication stack can be assigned to
an application to determine the logon procedure for this application. The delivered
authentication stacks can be found in the policy configuration, for example, ticket under the
Template type.
The following table shows the effects of different flags during an authentication process.
Modules are executed one after the other until authentication is established. If the sequence
of login modules listed in the stack is completed, and no authentication takes place, then
access will be denied.
Logon Ticket
In the standard delivery, the SAP NetWeaver AS for Java uses logon tickets in the logon
procedure. The authentication stack ticket, which is used first, checks whether there is a valid
logon ticket (EvaluateTicketLoginModule). If there is not a valid logon ticket, the user must
enter the user ID and password (BasicPasswordLoginModule). A logon ticket is issued if the
entries are correct (CreateTicketLoginModule). The logon ticket is sent from the browser in
the standard system for each request. It goes to the same domain of the issuing system and
can therefore be used to log on to other systems with Single Sign-On (SSO).
The logon ticket is a session cookie. This means that the cookie is not saved, rather it is only
held in the working memory. It is deleted when the browser session finishes. The logon ticket
contains the data shown in the figure.
Assertion Tickets
Assertion tickets are an extension of logon tickets. The main differences are as follows:
Assertion tickets are issued directly for the respective target system.
Older systems interpret the assertion ticket as a logon ticket. Therefore, the configuration for
SSO is along the same lines as the configuration for logon tickets. The application area of the
assertion tickets is first and foremost system-system communication, via RFC or HTTP. For
example, in SAP NetWeaver Java, destinations can use the assertion ticket as a logon
method. In SAP NetWeaver Java, it is possible to use the logon modules
CreateAssertionTicketLoginModule and EvaluateAssertionTicketLoginModule, as well as the
policy configuration evaluate_assertion_ticket to issue and verify assertion tickets. An
assertion ticket is issued when a connection to a remote system is established.
LESSON SUMMARY
You should now be able to:
LESSON OVERVIEW
This lesson describes the usage of Task Lists to automate the security configuration for SAP
Netweaver ABAP.
LESSON OBJECTIVES
After completing this lesson, you will be able to:
Figure 101: Task List for Configuring Single Sign-On Across ABAP Systems
It is possible to automate configuration tasks, using the task manager for technical
configuration (transaction STC01). The task manager guides you through extensive
configuration processes by means of predefined task lists, and allows you to customize them.
Documentation is available for each step in the task list. Some steps will require input
parameters.
The task list monitor (transaction STC02) allows you to verify if a task list was executed and
which messages were logged by the system.
In the following example, we will use a task list to verify if the basic configuration for SSL is
complete.
LESSON SUMMARY
You should now be able to:
LESSON OVERVIEW
This lesson describes the usage of User Management properties to establish the settings for
SAP logon tickets.
LESSON OBJECTIVES
After completing this lesson, you will be able to:
Customize the SAP logon ticket issued by SAP NetWeaver Java systems
To customize the Java properties, start the Configtool and choose View Configuration Edit
Mode. Expand the folders cluster_config system custom_global cfg services
com.sap.security.core.ume.service.
Some of the most relevant parameters are as follows:
login.ticket_lifetime
Lifetime of the SAP Logon Ticket (in format: <hours>:<minutes>).
login.ticket_client
Dummy client written to the SAP Logon Ticket (default 000).
SAP NetWeaver AS Java does not have clients, as AS ABAP does. For SSO, from SAP
NetWeaver AS Java to SAP NetWeaver AS ABAP, the client ID must also be entered in the
ACL (transaction STRUSTSSO2).
ume.login.mdc.hosts
The logon ticket can also be sent to other domains. The value will specify the target hosts.
ume.logon.security.relax_domain.level
Number of subdomains to be removed (a value of 2 means that the SAP Logon Tickets
issued by a system on the wdflbmt7211.wdf.sap.corp host are sent to servers in the
sap.corp domain). This allows a ticket to be recognized across multiple servers in the same
domain.
ume.logon.security.enforce_secure_cookie
If true, the logon ticket is only sent if SSL is used (default false).
LESSON SUMMARY
You should now be able to:
Customize the SAP logon ticket issued by SAP NetWeaver Java systems
LESSON OBJECTIVES
After completing this lesson, you will be able to:
Configure an SAP Netweaver ABAP AS for Single Sign on with Active Directory
How-To Procedure
In the following example, the SAP NetWeaver system is running on a host called twdf3115 and
a domain called ADTWDFVM1100.DEMO.SAP. The SAP host was added to the domain.
Ensure that the Active Directory prerequisites are fulfilled. Users should be available in the
active directory, a security principal should be assigned, and key tabs should have been
generated for each SAP server.
Figure 108: Step 2 – Call the SNCWIZARD Transaction in your ABAP Environment
Figure 109: Step 3 - Provide the Distinguished Name for the Server
After the system restart, call transaction SNCWIZARD again. Browse until you reach the final
screen, showing the Complete button. No other configuration steps are required.
Figure 114: Step 8 – Import the Key Tab into your Secure Store
In a command window, execute the following commands, after changing to the following
directory: D:\usr\sap\PCC\DVEBMGS20\sec
set SECUDIR=D:\usr\sap\PCC\DVEBMGS20\sec
The SAP server SID is PCC and the instance number 20. The installation was performed on
drive D.
sapgenpse keytab -p SAPSNCSKERB.pse -x PsePassword1 -X Secret1 -a
SAP/KerberosDCC3115@ADTWDFVM1100.DEMO.SAP
A default installation is enough for each laptop where single sign-on will be used. These
laptops should be domain members.
Figure 116: Step 10 – Maintain Canonical Name for Users Eligible for Single Sign-On
The SAP GUI needs to be configured for users logged on to the domain. In the example, the
logged-on user will be: adtwdfvm1100\twdf3115_pcc_tstusr.
LESSON SUMMARY
You should now be able to:
Configure an SAP Netweaver ABAP AS for Single Sign on with Active Directory
Learning Assessment
2. A logon ticket used for authentication contains which of the following data?
Choose the correct answers.
X A User ID
X B Password
X E Validity period
3. Logon tickets are stored as a non-persistent session cookie in the Web browser.
Determine whether this statement is true or false.
X True
X False
X True
X False
5. Mutual authentication can be used to access SAP NetWeaver Application Server (SAP
NetWeaver AS for ABAP).
Determine whether this statement is true or false.
X True
X False
Lesson 1
Securing the RFC Gateway
Lesson 2
Enabling SNC for SAP NetWeaver AS ABAP
Lesson 3
Reducing the Attack Surface: RFC Communication and Unified Connectivity
UNIT OBJECTIVES
LESSON OVERVIEW
This lesson explains interface security. It also explains how Remote Function Call (RFC)
communication and RFC connections can be secured. In addition, this lesson elaborates on
the concept of security in Internet Communication Manager (ICM) and SAP Message Server.
Business Example
You need to set up interface security in an SAP system. For this reason, you require an
understanding of the following:
How to secure the SAP Gateway process and the Application Server ABAP (AS ABAP)
Message Server
LESSON OBJECTIVES
After completing this lesson, you will be able to:
ABAP RFC
The most frequently used RFC functionality in customer installations is provided by ABAP
remote-enabled function modules. For instance, technologies such as Business
Application Programming Interface (BAPI), Application Link Enabling (ALE), and
Intermediate Document (IDoc) are provided by ABAP and use RFC as the underlying
communication protocol.
The mechanisms used to secure the communication are based on end user authentication
and authorization checks in the ABAP system (for example, the S_RFC authorization
object in the called system and the S_ICF authorization object in the calling system). SAP
Gateway does not perform additional security checks.
RFC clients through the same SAP Gateway. This RFC client is actually the ABAP system in
which the external RFC server program is registered. This is configured in transaction
SM59 in RFC destinations of type T with the Registered Server Program technical setting.
One example for this use case is SAP NetWeaver Search and Classification (TREX).
SAP and partner companies are developing various integration technologies, one of which
is known as a registered RFC server program. Typically, registered RFC servers do not
perform user authentication or authorization checks. Registration of RFC server programs
and RFC client access to these servers is controlled through SAP Gateway access control
lists (secinfo for releases up to 4.6 and reginfo in higher releases).
Caution:
For system security, it is of utmost importance that you create and maintain the
SAP Gateway ACL properly. ACL files do not exist in default installations.
As a result, no restrictions exist regarding RFC server registration, access to registered RFC
servers, or the starting of RFC server programs in default installations. This can lead to a
compromise of the system. SAP provides guidelines on how to set up ACLs, minimum SAP
kernel patch levels, and configuration switches. For more information, see the SAP
NetWeaver 7.40 online documentation (http://help.sap.com/nw74), path Security
Information/Security Guide (English) SAP NetWeaver Security Guide Security Guides for
Connectivity and Interoperability Technologies Security Settings in SAP Gateway.
SAP provides a tool to create SAP Gateway ACLs that cover typical usage scenarios for
registered and started RFC server programs. You must activate SAP Gateway logging to
support ongoing maintenance and provide gateway monitoring.
Additionally, the SAP Gateway monitoring must only allow local access (gw/monitor = 1). This
is the default configuration setting as of SAP Release 6.40. For more information, see SAP
Note 64016.
Verify the minimum SAP kernel patch levels (SAP Note 1298433).
Create the secinfo and reginfo ACL files manually or with the tool (SAP Notes 1408081
and 1425765). If needed, create the prxy_info file (SAP Note 1848930).
gw/sec_info = $(DIR_GLOBAL)$(DIR_SEP)secinfo
gw/reg_info = $(DIR_GLOBAL)$(DIR_SEP)reginfo
gw/reg_no_conn_info = 15
For a Microsoft Windows operating system, the files must have the .DAT extension.
Caution:
Because important security information is stored in this file, the system
administrator must take care to define the file authorization correctly. For
example, the administrator should set read-only authorization for the file owner
and no authorization for all other users.
In Gateway Monitor, to configure the gateway, choose Goto Expert Functions Logging.
For example, select the event Security checkbox and choose Activate .
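As an added example (not from the SAP handbook or from any SAP tool), the following check reads an instance profile and reports the gateway settings above that are missing or weaker than the lesson recommends; a weak profile and a corrected one are constructed inline, and the Windows case (.DAT extension) is handled as an edge case.

```python
"""Check an AS ABAP instance profile for the SAP Gateway settings from this lesson.

Added example, not from the SAP handbook or an SAP tool. The two profile
fragments are constructed; the checks encode the values the lesson recommends:
ACL files via gw/sec_info and gw/reg_info, gw/reg_no_conn_info = 15,
gw/monitor = 1 (local monitoring only) and the .DAT extension on Windows.
"""
from typing import Dict, List


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'parameter = value' lines of an SAP profile; '#' starts a comment."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def check_gateway_profile(params: Dict[str, str], windows: bool = False) -> List[str]:
    """Return findings for the gateway parameters; empty list means all checks passed."""
    findings: List[str] = []
    for param, acl in (("gw/sec_info", "secinfo"), ("gw/reg_info", "reginfo")):
        path = params.get(param)
        if path is None:
            findings.append(
                f"{param} not set: without a {acl} ACL, RFC server programs can be "
                "started or registered without restriction"
            )
            continue
        # on Windows the ACL files must carry the .DAT extension
        expected = acl + (".DAT" if windows else "")
        if not path.lower().endswith(expected.lower()):
            findings.append(f"{param} = {path}: expected a file named {expected}")
    conn_info = params.get("gw/reg_no_conn_info")
    if conn_info != "15":
        findings.append(f"gw/reg_no_conn_info = {conn_info}: the lesson recommends 15")
    # gw/monitor = 1 restricts gateway monitoring to local access (default as of 6.40)
    monitor = params.get("gw/monitor", "1")
    if monitor != "1":
        findings.append(f"gw/monitor = {monitor}: must be 1 so that monitoring is only possible locally")
    return findings


# Constructed instance profile fragments (system PCC, instance 20 as in this lesson).
WEAK_PROFILE = """
# gateway section, constructed weak example
SAPSYSTEMNAME = PCC
INSTANCE_NO = 20
gw/monitor = 2
gw/reg_info = $(DIR_GLOBAL)$(DIR_SEP)reginfo
"""

HARDENED_PROFILE = """
# gateway section, constructed corrected example
SAPSYSTEMNAME = PCC
INSTANCE_NO = 20
gw/sec_info = $(DIR_GLOBAL)$(DIR_SEP)secinfo
gw/reg_info = $(DIR_GLOBAL)$(DIR_SEP)reginfo
gw/reg_no_conn_info = 15
gw/monitor = 1
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}:")
        for finding in check_gateway_profile(parse_profile(text)) or ["no findings"]:
            print("  " + finding)
```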
Note:
To implement the recommendations from the previous section, work through all
the SAP Notes and documentation mentioned. Each customer has different
requirements and a different environment, so the information given in the SAP
Notes and documentation may not exactly fit.
SAP NetWeaver 7.40 includes a new framework, Unified Connectivity (UCON), for
securing RFCs. RFCs are a central communication technology of SAP NetWeaver
AS for ABAP and all ABAP-based systems.
The UCON basic security scenario for RFC provides both a simple process and a
toolset, allowing you to drastically reduce the number of Remote-Enabled
Function Modules (RFMs) that can be accessed from outside, thus dramatically
reducing the potential attack surface. UCON is the recommended new approach
to make your RFC communication more secure.
For more information, go to: http://scn.sap.com/docs/DOC-53844.
Additionally, SAP Consulting provides a service that offers to efficiently rename
and reauthorize RFC interface user accounts with a best practice approach,
utilizing the Xiting Authorizations Management Suite as a tool for creating
reusable interface roles. The service also helps to document interface usage and
creates proper authorization proposal values (SU24) for function module / RFC
interface calls.
For more information, see SAP Note 1682316.
RFC is an SAP proprietary protocol. It is the main integration technology between SAP
systems and is also used in integrations with non-SAP systems. Increasingly, other
integration technologies such as Web services complement RFC. RFC connections between
systems are maintained in RFC destinations. RFC destinations are maintained in destination
source systems that point to destination target systems.
RFC Connections
RFC communication partners can be SAP systems and external application programs. In all
cases, RFCs are possible in both directions, that is, the SAP system can be both a client and a
server. The RFC protocol supports synchronous, asynchronous, and transaction-oriented
communication.
By default, the SAP Gateway runs on each SAP NetWeaver AS for ABAP instance. In some
cases, such as when an RFC call to a Microsoft Windows-based RFC server is needed, you
need to install a standalone gateway. You can use the Gateway Monitor (transaction SMGW ) to
monitor activities on local SAP gateways. For outgoing connections from an SAP system, the
RFC destination is maintained using transaction SM59.
In SAP systems with SAP NetWeaver AS for ABAP 7.00 and later, authorization object
S_RFC_ADM is added for maintaining RFC destinations. RFC destinations cannot be created
and maintained without authorization object S_RFC_ADM.
R/2 connections
Partner system is an R/2 system.
R/3 connections
Partner system is a different SAP system.
TCP/IP connections
Partner is an external RFC program based on TCP/IP.
For connections to other SAP systems, you need to specify full logon data, such as the user
name, password, and client. This logon data is used to log on to a destination system under a
defined user name without checking the password. As a result, you must restrict access to
transaction SM59, and the contents of table RFCDES must be regularly controlled. You must
not store the password at the RFC destination.
Improper management of RFC destinations leads to privilege escalation. Access to the
SAP_ALL profile in production systems may be gained due to the use of inadequately
configured RFC destinations in development systems. These risks can be mitigated by
following the guidelines to maintain ABAP connections (type 3) and logical connections (type
L) in transaction SM59.
1. Destinations that store technical connectivity configuration without stored credentials and
without trust relationships between the systems (they require user authentication for
each access).
2. Destinations with technical connectivity configuration using stored credentials (that is,
client, user, and password).
All three categories of RFC destinations can be used between systems of the same security
classification (for example, from one production system to another). These categories are
also allowed to be used from systems of higher security classification to systems of lower
security classification (for example, from one production system to a development system).
Caution:
As a general guideline, destinations from systems of lower security classification
to systems of higher security classification are not allowed to store user
credentials or to use trusted system logon (for example, from a development
system to a production system).
These destinations are only allowed to store technical connectivity configuration and
authenticate the user for each access. One exception to this general guideline is Transport
Management System (TMS) destinations. If the TMS destinations are required, they must be
considered a security risk and must only be used after thorough risk analysis.
Caution:
It is generally forbidden for systems of higher security classification to trust
systems of lower security classification.
Any such trust reduces the security level of the trusting system to the security level of the trusted system, which is why the risk analysis is mandatory. Particularly in production environments, users stored in RFC destinations must only have the minimum authorization in the destination target that is required for the business scenario executed by means of that destination.
We recommend using dedicated accounts for each scenario wherever possible. Inspect the
SAP Security Guide of an application to get information about required authorizations. It is a
common misunderstanding to assume that assigning SAP_ALL privileges to users in
destinations with stored credentials is secure as long as the user is not of the DIALOG type.
Analyze all system trust relationships between ABAP systems using transactions SMT1
and SMT2. Identify the trust relationships in which systems of higher security classification
trust systems of lower security classification (for example, test to production or
development to production). Remove this system trust wherever possible.
Identify RFC destinations with stored user credentials from systems of lower security
classification to systems of higher security classification (using the RSRFCCHK report).
The stored credentials must be removed wherever possible to enforce user authentication
for every access.
Create a list of RFC destinations with stored credentials. Ensure that user accounts have
minimum authorizations (particularly not SAP_ALL) assigned in the destination target and
that the user type is set to SYSTEM.
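The three review steps above can be turned into a repeatable check over exported data. The following script is an added example, not part of the handbook or of any SAP tool: it applies the classification rules (no stored credentials and no trusted-system logon from a lower-classified to a higher-classified system, no higher-classified system trusting a lower-classified one, stored users of type SYSTEM without SAP_ALL) to rows of the kind you would extract from RSRFCCHK/SM59 and SMT1. The system IDs, their classification and the destinations are constructed for illustration.

```python
"""Added example: apply the RFC-destination and trust-relationship rules to exported data.
The rows below are constructed; in practice they would come from RSRFCCHK / SM59
(destinations) and SMT1 (trust relationships)."""
from dataclasses import dataclass

# Assumption: three security classes, ordered from lowest to highest.
CLASS_RANK = {"DEV": 0, "QAS": 1, "PRD": 2}

# Assumption: the class each system ID belongs to (constructed landscape).
SID_CLASS = {"D01": "DEV", "Q01": "QAS", "P01": "PRD", "P02": "PRD"}


@dataclass(frozen=True)
class Destination:
    name: str                    # RFC destination name in SM59
    source_sid: str              # system in which the destination is defined
    target_sid: str              # system the destination points to
    stored_password: bool        # client/user/password stored in the destination
    trusted_logon: bool          # "Trusted System" logon used instead of a password
    target_user: str = ""        # user the destination logs on as
    target_user_type: str = ""   # SU01 user type of that user in the target system
    target_profiles: tuple = ()  # profiles assigned to that user in the target system


def rank(sid, sid_class=SID_CLASS):
    """Numeric classification of a system. An unknown system is an error, not 'low'."""
    if sid not in sid_class:
        raise ValueError(f"no security classification recorded for {sid}")
    return CLASS_RANK[sid_class[sid]]


def check_destination(dest, sid_class=SID_CLASS):
    """Return the rule violations for one destination (empty list if compliant)."""
    findings = []
    lower_to_higher = rank(dest.target_sid, sid_class) > rank(dest.source_sid, sid_class)
    if lower_to_higher and dest.stored_password:
        findings.append("stores credentials towards a higher-classified system")
    if lower_to_higher and dest.trusted_logon:
        findings.append("uses trusted-system logon towards a higher-classified system")
    if dest.stored_password:
        # Rules for the stored account apply in every direction.
        if "SAP_ALL" in dest.target_profiles:
            findings.append(f"user {dest.target_user} has SAP_ALL in {dest.target_sid}")
        if dest.target_user_type != "SYSTEM":
            findings.append(f"user {dest.target_user} is of type "
                            f"{dest.target_user_type or '?'}, not SYSTEM")
    return findings


def check_trust(trusting_sid, trusted_sid, sid_class=SID_CLASS):
    """A higher-classified system must not trust a lower-classified one."""
    if rank(trusting_sid, sid_class) > rank(trusted_sid, sid_class):
        return [f"{trusting_sid} trusts lower-classified {trusted_sid}"]
    return []


def audit(destinations, trusts, sid_class=SID_CLASS):
    """Map each non-compliant destination / trust relationship to its findings."""
    report = {}
    for dest in destinations:
        findings = check_destination(dest, sid_class)
        if findings:
            report[dest.name] = findings
    for trusting, trusted in trusts:
        findings = check_trust(trusting, trusted, sid_class)
        if findings:
            report[f"TRUST {trusting}<-{trusted}"] = findings
    return report


# Constructed sample input.
DESTINATIONS = [
    Destination("P01_TO_D01_TRANSPORT", "P01", "D01", True, False, "RFC_COPY", "SYSTEM", ("Z_RFC_COPY",)),
    Destination("D01_TO_P01_ADMIN", "D01", "P01", True, False, "RFC_ADMIN", "DIALOG", ("SAP_ALL",)),
    Destination("D01_TO_P01_TRUSTED", "D01", "P01", False, True),
    Destination("P01_TO_P02_ALE", "P01", "P02", True, False, "ALEREMOTE", "SYSTEM", ("Z_ALE_IN",)),
    Destination("Q01_TO_P01_TECH", "Q01", "P01", False, False),  # authenticates on each access
]
# (trusting system, trusted system) as listed in SMT1 of the trusting system.
TRUSTS = [("P01", "D01"), ("D01", "P01")]

if __name__ == "__main__":
    for name, findings in audit(DESTINATIONS, TRUSTS).items():
        print(name)
        for f in findings:
            print("   -", f)
```

The check treats a missing classification as an error rather than silently ranking the system as low: an unclassified system is exactly the case in which a lower-to-higher destination would otherwise go unnoticed. TMS destinations that legitimately store credentials upwards still show up as findings; that is intended, since the text allows them only after a documented risk analysis.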
Trusted RFC
Figure 124: Trusted Relationships Between SAP NetWeaver AS for ABAP-Based SAP Systems
SAP systems can establish trusted relationships with each other. If a calling (sending) SAP
system is known to the called (receiving) system as a trusted system and the user who issued
the RFC call is defined in both of the systems, no password is supplied. The calling SAP
system must be registered with the called SAP system as a trusted system. The called system
is the trusting system.
Trusted relationships among various SAP systems have the following advantages:
The trust relationship is not mutual, which means that this relationship is applicable in one
direction only. To establish a mutual trust relationship between two partner systems, you
must define each of the two trusted systems in the corresponding partner systems.
For trusted systems to operate properly, the systems must have the same security-level requirements and user administration. Before you can define a trusted system, you must create a destination for this system in the trusting system. To do so, use transaction SMT1, or choose Extras → Trusted Systems on the RFC destination overview screen (transaction SM59). In the trusted systems, destinations for the trusting systems are created automatically. These destinations are used when you display trusting systems through Extras → Trusting Systems (transaction SMT2).
The user using trusted RFC must have the corresponding authorizations in the trusting (called) system (authorization object S_RFCACL). In addition, you can configure the system to perform an authorization check on the transaction code from the calling system. To do this, select the Use transaction code option on the trusted system entry in transaction SMT1. Once this option is selected, the called system checks the transaction code against the RFC_TCODE field of the S_RFCACL authorization object. You can check the authorizations of the logged-on users in the trusting system in advance by using the function module AUTHORITY_CHECK_TRUSTED_SYSTEM.
To prevent others from making changes to your trusted RFC destination, select the
Destination not modifiable checkbox on the Administration tab page of the destination in
transaction SM59. To make the destination modifiable again, double-click the checkbox.
Destinations must be kept consistent. For this reason, you are not allowed to change the ID of
the target system, the system number, or the destination name.
LESSON SUMMARY
You should now be able to:
LESSON OVERVIEW
This lesson explains how to set up and maintain SAP Secure Network Communication (SNC)
for SAP NetWeaver AS for ABAP.
Business Example
To secure Dynamic Information and Action Gateway (DIAG) and Remote Function Call (RFC)
communication, you need to set up SAP SNC. For this reason, you require an understanding
of the following:
LESSON OBJECTIVES
After completing this lesson, you will be able to:
This figure, SAP SNC on SAP NetWeaver AS for Java, shows the SAP SNC configuration to
connect the SAP NetWeaver AS for ABAP system with the SAP NetWeaver AS for Java
system.
Figure 126: Roadmap: Enabling SAP SNC on SAP NetWeaver AS for Java
Enabling SAP SNC on SAP NetWeaver AS for Java involves almost identical steps to those
used for SAP NetWeaver AS for ABAP. In fact, the same PSE created for SAP NetWeaver AS
for ABAP can be used for SAP NetWeaver AS for Java. The SAP NetWeaver AS for Java
parameters for SAP SNC are set differently, based on the Java applications.
You create one PSE and distribute it to all application servers. Alternatively, you can also use
the command line tool SAPGENPSE to create the PSE at the operating system level for the
SAP NetWeaver AS for Java. Do not use a mixed approach to maintain the PSE. If you use
SAPGENPSE, always use SAPGENPSE.
SAP NetWeaver AS for Java can also use the CommonCryptoLib for cryptographic functions
such as secure communication using SSL and secure communication using SAP SNC (for
RFC server connections). As with SAP NetWeaver AS for ABAP, there are two deployment
options for CommonCryptoLib: using the Java kernel or from a download from SAP Service
Marketplace.
If SAPCRYPTOLIB is used instead of CommonCryptoLib, make sure the SAP Cryptographic Library files are in the following locations.
Set the environment variable SECUDIR to the sec subdirectory. This is also the directory in
which the PSE of SAP NetWeaver AS for Java and credentials are located.
Establish Trust Relationships for SAP SNC on SAP NetWeaver AS for Java
Figure 127: Establish Trust Relationships for SAP SNC on SAP NetWeaver AS for Java
To exchange the public key certificates, you perform the following steps:
1. Export the public-key certificate of SAP NetWeaver AS for Java using the SAPGENPSE tool, as follows:
sapgenpse export_own_cert -o <filename_for_appserv_cert> -p <AppServPSE>.pse -x <PIN>
2. Export the public-key certificate of SAP NetWeaver AS for ABAP using transaction STRUST.
3. Import the public-key certificate of SAP NetWeaver AS for Java into the SNC PSE of SAP NetWeaver AS for ABAP.
4. Import the public-key certificate of SAP NetWeaver AS for ABAP into the SNC PSE of SAP NetWeaver AS for Java.
Only the public-key certificates are exchanged; the PSE files themselves contain the private keys and must never leave their system.
Maintain the system ACL on the SAP NetWeaver AS for ABAP as follows:
In the SAP NetWeaver AS for ABAP, you maintain the ACL using transaction SM30
(SNCSYSACL table or the VSNCSYSACL view, type=E). Enter the SAP SNC name of SAP
NetWeaver AS for Java and activate the entry for RFC.
Level of protection
This is the level of protection to use in the connection; possible values are 1, 2, and 3.
My SNC name
This optional parameter makes sure that the SAP SNC name is used for the connection.
Note:
The setting of these SAP SNC parameters for JCo depends on various
applications. Each of these applications has its own way of setting up the
parameters. Refer to the documentation of the specific application to determine
how to set these up correctly. For example, the User Management Engine (UME)
sets the SNC parameters in the UME properties. In the scenario of Java iViews in
SAP Enterprise Portal, you set the SAP SNC parameters in the system object
associated with that Java iView. Other applications may use the Destination
service in SAP NetWeaver Administrator.
The connection between the adjacent SAProuters can be protected using SAP SNC. The
SAProuters authenticate each other and exchange encrypted messages. Therefore, a secure
tunnel for communications is established between components that may not be able to use
SAP SNC. A single SAProuter can act as both the initiator and acceptor for an SAP SNC-
protected connection.
To set up SAP SNC-protected connections between two SAProuters, you must establish an
SAP SNC environment in both of the SAProuters and configure SAP SNC for the connection in
the SAProuter’s route permission table.
To establish an SAP SNC environment, proceed as follows:
Set up the environment variable SNC_LIB to the path and file name of the external library
on the SAProuter host.
Key-Target (KT) entries specify an outgoing SAProuter-to-SAProuter connection that uses SAP SNC:
KT <SNC partner name> <dest host> <dest serv>
KP, KD, and KS entries correspond to the normal P, D, and S entries, but apply to incoming SAP SNC connections. They specify the hosts and services that are allowed to communicate with one another. As with normal P, S, and D entries, you can also specify a password for the connection:
K<P/D/S> "<SNC name of source host>" <dest host> <dest serv> <password>
Caution:
The order of the entries in the route permission table is important. For incoming
connections, the SAProuter applies the first matching entry it finds. If a matching
P, D, or S entry precedes an SAP SNC entry, then the SAProuter ignores the SAP
SNC entry.
The SAProuter accepts an incoming connection if it finds a corresponding entry in its route
permission table. For normal incoming connections where SAP SNC is not used, SAProuter
identifies the communication partner using the source host (IP address) and the destination
(host and service). For SAP SNC connections coming from an SAProuter, it uses the source
SAProuter’s SNC name for identification.
Figure 129: Example of Setting SAP SNC Details in the SAProuter Route Permission Table
In the example, there are two SAProuters, one on host1 and the other on host2, which need to communicate with each other using SAP SNC. Both SAProuters are started with SAP SNC enabled.
The SAProuter on host1 initiates SAP SNC for all connections to host2 and accepts all incoming connections:
KT "p:CN=saprout2, OU=TEST01, O=myCompany, C=US" host2 *
P * * *
The SAProuter on host2 accepts only SAP SNC connections from the SAProuter on host1, and only to the dispatcher of the instance with system number 00 (service sapdp00):
KP "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * sapdp00
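The first-match rule in the Caution above is easy to get wrong when a broad P entry is added at the top of an existing table. The following script is an added example, not part of the handbook or of SAProuter itself: it parses a route permission table in the format shown above and evaluates an incoming connection entry by entry, so you can see which line actually decides. It simplifies the real matching (hosts and services are compared literally or against "*", the subnet-mask forms are not handled, and passwords are ignored); the tables are constructed from the host1/host2 example.

```python
"""Added example: first-match evaluation of a SAProuter route permission table,
including the KP/KD/KS entries for SNC connections between SAProuters.
Simplified matching (literal or '*'); this is not SAProuter's own code."""
import shlex

INCOMING = {"P": "permit", "D": "deny", "S": "permit-sap-only",
            "KP": "permit", "KD": "deny", "KS": "permit-sap-only"}


def parse_saprouttab(text):
    """Return entries as (kind, source, dest_host, dest_serv) in file order.
    For P/D/S 'source' is the source host; for KP/KD/KS it is the quoted SNC name;
    KT entries describe outgoing connections (snc_partner, dest_host, dest_serv)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)           # keeps the quoted SNC name as one field
        kind = fields[0].upper()
        if kind not in INCOMING and kind != "KT":
            raise ValueError(f"unknown entry type in: {raw!r}")
        if len(fields) < 4:
            raise ValueError(f"incomplete entry: {raw!r}")
        entries.append((kind, fields[1], fields[2], fields[3]))
    return entries


def _match(pattern, value):
    return pattern == "*" or pattern == value


def decide(entries, src_host, dest_host, dest_serv, snc_name=None):
    """Decide an incoming connection: returns (decision, index of the deciding entry).
    The first matching entry wins. A plain P/D/S entry matches on the source host
    even for an SNC-protected connection, which is why a P/D/S entry placed before
    a K* entry makes the K* entry unreachable. No match means the connection is refused."""
    for i, (kind, source, d_host, d_serv) in enumerate(entries):
        if kind == "KT":                      # outgoing only, never decides incoming
            continue
        if not (_match(d_host, dest_host) and _match(d_serv, dest_serv)):
            continue
        if kind in ("P", "D", "S"):
            if _match(source, src_host):
                return INCOMING[kind], i
        elif snc_name is not None and _match(source, snc_name):
            return INCOMING[kind], i          # KP/KD/KS identify the partner by SNC name
    return "deny", None


# Constructed tables based on the example above.
SNC_SAPROUT1 = "p:CN=saprout1, OU=TEST01, O=myCompany, C=US"
HOST1_TAB = '''# SAProuter on host1
KT "p:CN=saprout2, OU=TEST01, O=myCompany, C=US" host2 *
P * * *
'''
HOST2_TAB = '''# SAProuter on host2: SNC only, from saprout1 only, to the dispatcher only
KP "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * sapdp00
'''
SHADOWED_TAB = '''# The KD entry is never reached because the P entry above it matches first
P * * *
KD "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * *
'''

if __name__ == "__main__":
    host2 = parse_saprouttab(HOST2_TAB)
    print(decide(host2, "host1", "host2", "sapdp00", snc_name=SNC_SAPROUT1))  # permit
    print(decide(host2, "host1", "host2", "sapdp00"))                         # deny: no SNC
    shadowed = parse_saprouttab(SHADOWED_TAB)
    print(decide(shadowed, "host1", "host9", "sapdp00", snc_name=SNC_SAPROUT1))  # permit, by P
```

Running the shadowed table with the two entries swapped turns the result into a deny, which is the check to make whenever a table mixes plain and K* entries: put the specific K* entries first, and keep a D entry at the end to catch anything that falls through.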
In a standard SAP setup, users enter their SAP user name and password on the SAP GUI
logon screen. SAP user names and passwords are transferred through the network without
encryption. To secure connections between your front end and your ABAP system, SAP GUI
can be used together with an external security product or with SAP NetWeaver Single Sign-On
Secure Login Client. Kerberos tokens or certificates can be sent through SAP GUI and Secure
Login Client to the SAP SNC interface. The Secure Login Library then encrypts all
communication between the front end and the SAP servers, providing a secure SSO from the
end user to the SAP NetWeaver AS.
To configure SAP SNC with SAP GUI for Microsoft Windows, proceed as follows:
If Secure Login Client is used with SAP GUI, the Secure Login Library must be configured. The configuration differs depending on whether an X.509 certificate or a Kerberos token (Service Principal Name) is used.
Environment variable SNC_LIB on the front end is set to the path and file name of the SAP
SNC library.
In SAP Logon, SAP SNC options (SAP SNC name, quality of protection, and SAP SNC
activation) need to be set up in the SAP Logon Advanced Options.
To set up SAP SNC profile parameters in SAP NetWeaver AS for ABAP and maintain SAP SNC
names for those users who will be using the SAP GUI, proceed as follows:
The steps to enable SAP SNC for SAP GUI for Microsoft Windows are similar to steps for
enabling SAP SNC on SAP NetWeaver AS for ABAP.
To maintain non-dialog users, enter SNC information in the USRACLEXT table using
transaction SM30.
The figure, SAP SNC: Product Overview, shows the product overview for setting up SAP SNC.
Connections that use SAP protocols, such as RFC and DIAG, use SAP SNC for encryption.
SAP SNC provides privacy protection for the following communication paths:
Between SAP NetWeaver AS for ABAP and SAP NetWeaver AS for Java
Between SAProuters
You must configure the SAP SNC and install the security libraries on each SAP NetWeaver
component that is about to become a communication partner. SAP SNC can also be used
with an external security product.
SAP SNC provides the following features, corresponding to protection levels 1, 2, and 3:
Authentication
Integrity protection
Privacy protection
In the figure, SAP SNC on SAP NetWeaver AS, each component possesses a public and
private key pair. The key pair is stored in the SAP SNC Personal Security Environment (PSE)
of the component. The component needs credentials to access the PSE at runtime.
The individual PSE option is more transparent because each server possesses its own
identity. However, in this case, you need to manually establish the trust relationship between
the two servers by exchanging their public-key certificates.
When using SAP SNC, the components need to identify and trust each other.
[Table: SAP SNC product overview. Rows: SAP SNC - X.509; SAP SNC - Kerberos; SPNEGO/ABAP; SSL/TLS; Secure Store & Forward (SSF); STRUST; Hardware Security Module (HSM); FIPS 140-2 certification achieved (see SAP Note 1848999). The column headers, which identify the cryptographic libraries or products being compared, could not be recovered from the page.]
Note:
For the required ABAP kernel patch levels, refer to SAP Note 1848999. You must not use CommonCryptoLib if you are running kernel releases prior to 7.20 PL88, as CommonCryptoLib is not fully compatible with such old releases. Use SAPCRYPTOLIB 5.5 PL38 in such cases.
Beginning with SAP SSO 2.0 SP3, the Secure Login Library is no longer required since its
features are now all included in the CommonCryptoLib. This means that as of release 2.0 SP3,
a newly installed SAP SSO uses the CommonCryptoLib as the default cryptographic library
for SAP SNC and SPNEGO for ABAP.
Note:
NWSSO for CommonCryptoLib 2.0 is very different from SAP NetWeaver SSO
(use of the tool sapgenpse, abandoning of the tool snc, use of specific .xml
configuration files for specific features, and so on). For more details, refer to the
SAP documentation NWSSO for CommonCryptoLib 2.0
Note:
The two SAPCRYPTOLIB variants (old or new) can be recognized by their names.
Instances of the old library are called SAPCRYPTOLIB 5.5.5 plXX (for example,
5.5.5pl38), while the newer variant of the SAPCRYPTOLIB is named
CommonCryptoLib 8 (CCL) and uses the format 8.<major>.<minor> (for example,
8.4.31). For SAP NetWeaver 74X, a SAPCRYPTOLIB in the new variant
CommonCryptoLib 8 is a fixed component of the delivery (kernel CD).
CommonCryptoLib 8 is also part of the new 72x kernel patches (in the download
from SAP Service Marketplace, in the packages SAPEXE and dw_utils).
For more details, refer to SAP Note 2072638 - Dependencies between
CommonCryptoLib and SAP Kernel Package.
To determine the CommonCryptoLib version, you can use transaction STRUST, Environment → Display SSF Version.
CommonCryptoLib fixes can be patched independently from SAP Kernel
Packages as follows:
The SAP Cryptographic Library installation package contains the library file (sapcrypto.dll for Microsoft Windows, libsapcrypto.so or libsapcrypto.sl for UNIX), a license ticket, and a command line configuration tool, sapgenpse.
Copy the library and the sapgenpse command line tool in the directory $DIR_EXECUTABLE
on all application servers. Earlier versions of SAPCRYPTO 5.5.5 (pl32 and below) require a
separate license ticket file (ticket), which must be in the directory $DIR_INSTANCE/sec.
Set the environment variable SECUDIR in the environment of the user <sid>adm (or
SAPService<SID> or both) in the directory $DIR_INSTANCE/sec on all application servers.
Note:
In most situations, the ticket file is not required in the latest version, but SAP
NetWeaver AS for Java looks for the file and NWA complains if it does not exist.
Figure 137: Roadmap: Enabling SAP SNC on SAP NetWeaver AS for ABAP
The figure, Roadmap: Enabling SNC on SAP NetWeaver AS ABAP, shows the steps for
enabling SAP SNC on SAP NetWeaver AS for ABAP.
Configure SAP SNC on SAP NetWeaver AS for ABAP using SSO Wizard (transaction
SNCWIZARD)
If the new SAP Cryptographic Library (CommonCryptoLib) version 8.4.20 or higher is used, the SAP SSO wizard (transaction SNCWIZARD) enables you to set up a default configuration for SAP SNC and SPNego on your SAP NetWeaver AS for ABAP. This configuration wizard is available with SAP NetWeaver 7.0 EHP3 SP15, SAP NetWeaver 7.3 EHP1 SP15, and SAP NetWeaver 7.4 SP08 or higher.
The SAP SSO wizard (transaction SNCWIZARD) simplifies the configuration process with the
following steps:
Sets the profile parameters for SAP SNC and SPNego in the default profile.
Note:
You can also manually change the default settings made by the wizard in
transaction RZ10.
To check your current SAP SNC and SPNego configuration, you can use transaction
SNCCONFIG. It shows the SAP SNC state of an application server instance and its SAP SNC
and SPNego profile parameters.
ssf/name = SAPSECULIB
ssf/ssfapi_lib = $(SAPCRYPTOLIB)
sec/libsapsecu = $(SAPCRYPTOLIB)
snc/gssapi_lib = $(SAPCRYPTOLIB)
Note:
In Secure Store and Forward (SSF), digital signatures and document encryption
are used. SAPSECULIB supports the security functions for digital signatures and
document encryption.
You can have more than one security product supporting SSF for various applications in SAP.
If there is more than one security product, you can install multiple security libraries to support
digital signatures and document encryption. Each of these products has a different library and
name in the SSF parameters. For example, ssf/ssfapi_lib and ssf/name; ssf2/ssfapi_lib and
ssf2/name; and ssf3/ssfapi_lib and ssf3/name.
You use transaction RZ10 to maintain the profile parameters in the instance profile and
restart the application servers.
The Trust Manager uses the security library, SAPSECULIB, by default. This library is delivered
and installed in the SAP system.
To use SAPCryptolib, profile parameters must be set to inform the Trust Manager. In addition to the functions performed by SAPSECULIB, SAPCryptolib can perform encryption, which is subject to export regulations.
The parameters sec/libsapsecu and ssf/ssfapi_lib must point to the location of SAPCryptolib if SAPCryptolib is used.
The ssf/name parameter must be set to SAPSECULIB.
Create a new PSE using Trust Manager on this SAP NetWeaver AS.
Create PSE on a different server, for example, on the other communication partner, SAP
NetWeaver AS, and import the PSE using Trust Manager.
Figure 138: Maintaining the SNC PSE and Credentials: Trust Manager
The figure, Maintaining the SNC PSE and Credentials: Trust Manager, shows how to create
and import PSE using Trust Manager.
You can use the Trust Manager, transaction STRUST, to maintain the SAP SNC PSE in the
following ways:
In transaction STRUST, select the SNC PSE node. In the context menu, choose Create, fill in the necessary fields, and save the PSE.
To use SAP SNC, you must assign a password (PIN) to the PSE: choose Assign Password. This creates the credentials that allow the application server to open the PSE at runtime without interactive input. Without them, the Trust Manager and the SNC layer cannot use the PSE later.
Alternatively, if you want to use an existing PSE that was created on another SAP NetWeaver AS, copy SAPSNCS.pse from its SECUDIR to the SECUDIR of the target system. In transaction STRUST, choose PSE → Import.
Note:
If you have assigned the Distinguished Name (DN) using the snc/identity/as
profile parameter, the DN will then be displayed when the PSE is created.
The left frame shows the available PSEs that you can maintain.
The upper section is used for PSE maintenance. In this section, you can create the
certificate requests, import the corresponding responses from the Certificate Authority
(CA), import trusted certificates into the PSE’s certificate list, and export the owner of the
PSE’s public-key certificate into the clipboard.
The lower section is used as a clipboard for certificates. For example, you can view and
export a certificate from one PSE and import the certificate into the certificate list of
another PSE.
For more information, see the application help under Help → Application Help or the online documentation Security Guide → Network and Transport Layer Security at http://help.sap.com.
In addition to using the Trust Manager to create or maintain the PSE, you can also use the
command tool SAPGENPSE to perform the following tasks:
You can also create a PSE on a different system with transaction STRUSTand move it to
another system.
To create a PSE using SAPGENPSE, proceed as follows:
Create credentials for the user of the SAP application server (here the Quality Assurance System, QAS) using SAPGENPSE:
sapgenpse seclogin -p <SID>.pse -x <PIN> -O <user_ID>
The -O option names the operating system user (normally <sid>adm) that receives the credentials; only that user can then open the PSE without the PIN.
Establish Trust Relationships for SAP SNC on SAP NetWeaver AS for ABAP
Figure 139: Establish Trust Relationships for SAP SNC on SAP NetWeaver AS for ABAP
You can use the same PSE for both the communicating systems. As shown in the figure,
Establish Trust Relationships for SAP SNC on SAP NetWeaver AS for ABAP, in the first case,
both servers share the same identity and automatically trust each other. Alternatively, in the
second case, both servers use individual PSEs and exchange public-key certificates with each
other.
On both the communicating application servers, perform the following steps to export and
import certificates:
Use the Trust Manager to export the SAP AS certificate and import it to the other system.
To export the certificate of the server, go to transaction STRUST, choose the SNC PSE and the certificate, choose Export certificate, and save it as a local file.
To import the certificate, go to transaction STRUST, choose the SNC PSE, load the certificate from its source (for example, the file system), and choose Add to certificate list.
If Secure Login Library is used, set snc/gssapi_lib to secgss.dll in the SLL directory.
Caution:
For production systems, we recommend deactivating non-SNC access for most SAP GUI users (snc/accept_insecure_gui = U). Only a small number of emergency accounts should be able to log on with a password; flag these in transaction SU01 with the Unsecure communication permitted (user-specific) option on the SNC tab page.
Note:
The SAP SNC name is the DN given in the server’s certificate, with a p: prefix.
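The parameters mentioned in this lesson fit together as follows. This is an added example of an instance profile fragment (maintained with RZ10), not taken from the handbook; the system ID, the DN and the library path are assumptions, and the values marked as weak are the ones typically found on a system where SNC was switched on but password logon was never switched off.

```ini
# Added example: SNC profile parameters for an AS ABAP instance profile.
# Assumptions: CommonCryptoLib in the kernel directory, system ID XYZ and the DN
# below (use the DN of your SNC PSE as shown in STRUST, with the p: prefix).

# --- switch SNC on ---
snc/enable                    = 1
# CommonCryptoLib; sapcrypto.dll on Microsoft Windows
snc/gssapi_lib                = $(DIR_EXECUTABLE)/libsapcrypto.so
snc/identity/as               = p:CN=XYZ, OU=TEST01, O=myCompany, C=US

# --- quality of protection: 1 = authentication, 2 = integrity, 3 = privacy ---
# weak: min = 1 and use = 1, which leaves DIAG and RFC traffic readable
snc/data_protection/min       = 2
snc/data_protection/max       = 3
snc/data_protection/use       = 3

# --- what is still accepted without SNC ---
# weak: 1 on all three, meaning every user may still log on with a password
# U = only users flagged "Unsecure communication permitted" in SU01 (emergency accounts)
snc/accept_insecure_gui       = U
snc/accept_insecure_rfc       = U
snc/accept_insecure_cpic      = U
# internal RFC between the instances of this system stays allowed
snc/accept_insecure_r3int_rfc = 1
```

After the restart, compare the effective values in transaction SNCCONFIG with the profile: a parameter set in the default profile can be overridden by the instance profile, and a system with snc/enable = 1 but snc/accept_insecure_gui = 1 has gained nothing against an attacker who simply does not use SNC.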
System ACL
Enter the SAP SNC name of the remote system and activate the types of communication
that are allowed for this system to connect. For example, RFC, CPIC, DIAG, user
authentication using certificates, or user authentication using other external
authentication mechanisms, such as PAS.
To maintain the system ACL, use transaction SNC0 or the table maintenance transaction SM30 for the SNCSYSACL table or the VSNCSYSACL view (type=E).
To maintain the extended user ACL, use the table maintenance transaction SM30.
Establishment of Trust Relationships for SAP SNC on SAP NetWeaver AS for ABAP
Figure 142: SAP SNC Between SAP NetWeaver AS for ABAP Systems
This figure, SAP SNC Between NetWeaver AS for ABAP Systems, shows SAP SNC
configuration to connect two SAP NetWeaver AS for ABAP systems.
LESSON SUMMARY
You should now be able to:
LESSON OBJECTIVES
After completing this lesson, you will be able to:
Once UCON is activated, any RFC-enabled function module that is not assigned to a Communication Assembly is blocked for external RFC calls. Authorizations (authorization object S_RFC) provide a second layer of security for individual communication users.
New function modules are created by developers; others arrive through corrective or evolutive maintenance delivered by SAP (for example, a support package, a feature pack, or even a single note), so the assignment to Communication Assemblies must be revisited after each such change.
After the profile parameter is enabled you need to review your standard jobs definition.
Access transaction SM36 and ensure that the SAP_UCON_MANAGEMENT job is running in
your system.
In the transaction UCONPHTL you can identify which function modules exist in the system.
Figure 149: Step 4 – Selecting the Inspection Client and Setting the Retention Period
Note that, besides your working clients (productive, golden, ...), several technical tools need access to client 000. Make sure the retention period is long enough, because some functionality is only used seasonally (for example, fiscal year closing).
Figure 150: Step 5 – Set the Duration for Logging and Evaluation Periods
A reasonable approach is to start with a small window, but with at least two months of logging, since some interfaces only run on a monthly basis.
At an early stage, allow all function modules to be logged. Later, assign them to a
Communication Assembly.
LESSON SUMMARY
You should now be able to:
Learning Assessment
1. List the types of Remote Function Call (RFC) communication in the SAP system.
Choose the correct answers.
A Synchronous RFC
B Asynchronous RFC
C Transactional RFC
D Queued RFC
E Trusted RFC
F Background RFC
2. While enabling SAP Secure Network Communication (SNC) on the SAP NetWeaver Application Server (AS), the environment variable SECUDIR should be set to the location of the license ticket.
Determine whether this statement is true or false.
True
False
3. What is the correct sequence for the steps to enable SAP SNC on SAP NetWeaver AS for Java?
Arrange these steps into the correct sequence.
Create credentials.
Lesson 1: Discussing Secure Sockets Layer (SSL) for SAP
Lesson 2: Discussing SSL for SAP Management Console
Lesson 3: Discussing SSL for SAP NetWeaver AS ABAP
Lesson 4: Discussing SSL for SAP NetWeaver AS Java
UNIT OBJECTIVES
LESSON OVERVIEW
This lesson explains how to configure Secure Socket Layer (SSL) for the SAP NetWeaver
Application Server (SAP NetWeaver AS) component.
Business Example
You want to secure HTTP communication. For this reason, you require an understanding of
SSL, SSL server, and SSL client.
LESSON OBJECTIVES
After completing this lesson, you will be able to:
To secure HTTP connections in SAP NetWeaver AS, you can use SSL for encryption.
SAP NetWeaver AS can act as the server or the client component of the HTTP connection in
the following ways:
Usage of HTTPS is recommended for all browser access from end users to SAP systems.
End users must not use HTTP to access SAP systems.
HTTPS must be implemented for communication between SAP systems, if the network
traffic is susceptible to sniffing by end users.
Access to the table SSF_PSE_D must be restricted by assigning the table to a dedicated
table authorization group. End users must not have access to this new table authorization
group. For more information about protecting read access to key tables, see SAP Note
1485029.
Access to Personal Security Environment (PSE) files from ABAP programs must be
restricted. For more information about protecting access to PSE, see SAP Note 1497104.
Similar to Secure Network Communications (SNC), SSL in SAP NetWeaver AS for ABAP also
uses the SAP Cryptographic Library to perform the cryptographic functions. However, for
SNC, you can alternatively use a partner product. For SSL, you must use the SAP
Cryptographic Library. The SAP Cryptographic Library is available for download from the SAP
Service Marketplace.
SAP NetWeaver AS for Java, up to release 7.02, uses the SAP Java Cryptographic Toolkit.
This is installed during the system installation. In later releases, for example, SAP NetWeaver
AS for Java 7.10, the Java Dispatcher is replaced by the Internet Communication Manager
(ICM) and the SAP Cryptographic Library is used.
Note:
With SAP NetWeaver AS for ABAP+Java, SAP Cryptographic Library is used. If
terms such as PSE and ICM are used, the information points to SAP NetWeaver
AS for Java 7.1 and higher versions.
VCLIENT=0
In the case of HTTPS, you can additionally specify the parameter VCLIENT=0 to notify the
SSL server that no SSL client verification is needed.
VCLIENT=1
In this case, the server asks the client to transfer a certificate. If the client does not send a
certificate, authentication is performed by another method, for example, basic
authentication (default setting).
VCLIENT=2
In this case, the client must transfer a valid certificate to the server; otherwise, access is
denied.
Note:
This port-specific value overrides the value that is set with the parameter icm/HTTPS/verify_client. If you specify the SSL configuration with SSLCONFIG, you must not set the value of VCLIENT.
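The three VCLIENT values are set per port in the icm/server_port_<n> parameters. The fragment below is an added example of an AS ABAP instance profile, not from the handbook: it shows the weak configuration (plain HTTP for end users, no client verification) next to the hardened one, together with the library parameters the Trust Manager needs. The port numbers and the library path are assumptions; the parameter names are the standard ones.

```ini
# Added example: ICM port and cryptographic-library parameters in an instance profile.
# Assumptions: CommonCryptoLib in the kernel directory, ports 44300/44301.

# weak: end users reach the system over plain HTTP, credentials and session
# cookies cross the network in clear text
# icm/server_port_0 = PROT=HTTP,PORT=8000,TIMEOUT=60,PROCTIMEOUT=600

# hardened: HTTPS using the SSL server PSE; the client is asked for a certificate
# but may fall back to another logon method (VCLIENT=1, the default)
icm/server_port_0 = PROT=HTTPS,PORT=44300,TIMEOUT=60,PROCTIMEOUT=600,VCLIENT=1
# a second HTTPS port that only serves clients presenting a valid certificate,
# for example for system-to-system calls (VCLIENT=2)
icm/server_port_1 = PROT=HTTPS,PORT=44301,TIMEOUT=60,PROCTIMEOUT=600,VCLIENT=2

# instance-wide default used when a port carries no VCLIENT value
icm/HTTPS/verify_client = 1

# SAP Cryptographic Library for SSL, and the parameters the Trust Manager requires
ssl/ssl_lib      = $(DIR_EXECUTABLE)/libsapcrypto.so
sec/libsapsecu   = $(DIR_EXECUTABLE)/libsapcrypto.so
ssf/ssfapi_lib   = $(DIR_EXECUTABLE)/libsapcrypto.so
ssf/name         = SAPSECULIB
```

VCLIENT=2 is only useful if the SSL server PSE's certificate list contains exactly the CAs whose client certificates you intend to accept; a port with VCLIENT=2 and a permissive certificate list still lets any holder of a certificate from one of those CAs reach the logon, so the mapping of certificate to user (and the CA list) deserves the same review as the port itself.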
The sec/libsapsecu and ssf* parameters are necessary for the Trust Manager.
The ssl/ssl_lib parameter specifies where the SAP Cryptographic Library is located.
The SAP NetWeaver AS can be the server component or the client component for
connections.
Depending on the server’s role for these connections, SAP NetWeaver AS has a different
identity.
For each identity, there is a separate PSE. For example, there is an SSL server PSE, an SSL
client PSE, and a PSE for SNC.
SSL Server
For each identity, the SAP NetWeaver AS uses a different distinguished name due to the
restrictions on the corresponding name.
For example, when using the SSL server PSE, the common name (CN) in the distinguished
name of the server must correspond to the fully-qualified host name used to access the
server. As a result, different hosts within the same system may need to have different names
and different SSL server PSEs.
When using the SSL client PSE, the server functions as a system and not as a server, and uses
the <SID> as the CN.
Individual hosts can use the following types of SSL server PSEs:
Standard
Individual
Shared
The standard SSL server PSE is used to create individual SSL server PSEs for each host.
However, a host may also use this standard PSE for its SSL server PSE.
The CN part of the distinguished name must correspond to the fully-qualified host name that
is used to access the server. As a result, servers that are accessed using the same host name
alias can share PSEs.
The standard SSL server PSE contains a wildcard as the host name in the distinguished name.
Servers that share the SSL server PSE have the same key pair and identity. Having the same
key pair and identity saves costs when obtaining the corresponding SSL server certificates.
For example, when the user contacts the SSL server through the URL
https://host123.mydomain.com:8444, the CN of the server is *.mydomain.com. The user receives
a warning or error in the Web browser that the names do not match.
As a result, it is inconvenient to use the standard SSL server PSE for individual servers. Only use
this scenario when users can access the server regardless of the mismatched names.
To avoid warnings or error messages, you can use individual PSEs for individual servers
instead of using the host name of the server as CN in the distinguished name.
To use individual PSEs, users must be able to directly access SAP NetWeaver AS. As a result,
these PSEs are not useful when you need to manage your SAP NetWeaver AS systems using
load balancing devices or network zones.
For cases in which you have a load balancer or any other device in front of the SAP NetWeaver
AS, you can have the servers sharing one PSE. When setting up this PSE, you use the host
name of the device as the CN part of the distinguished name of the application server.
SSL Client
For connections in which SAP NetWeaver AS is the client component, SAP NetWeaver AS
uses a different PSE called the SSL client PSE.
You can use different types of SSL client PSE, depending on the scenario.
By default, the server uses the standard SSL client PSE. Note that this PSE must exist for SSL
to work. When using this PSE, SAP NetWeaver AS will be authenticated using the identity
associated with this PSE.
The anonymous SSL client PSE is available to use for connections where only server-side
authentication and data encryption are necessary. No client authentication is needed. The
anonymous SSL client PSE is used only as a container for the list of Certification Authorities
(CAs) that the server trusts when accessing the other server.
You can create individual SSL client PSEs for additional identities. Use these PSEs for cases
where you want SAP NetWeaver AS to function as an individual identity, for example, when
accessing a specific application, such as a banking application.
Contrary to the SSL server PSE, the SSL client PSE is used by all application server instances
in the system.
You specify which connections use which identity and PSE when you set up the HTTP
destination using transaction SM59. For each connection, you can specify a different PSE.
LESSON SUMMARY
You should now be able to:
LESSON OVERVIEW
This lesson describes the procedure to secure access to the SAP Management Console.
LESSON OBJECTIVES
After completing this lesson, you will be able to:
Sapstartsrv (as of 720 patch 45) allows you to specify network ACL lists, using the profile
parameters service/http/acl_file and service/https/acl_file. After you set the profile
parameters, or change the ACL lists, you must restart the affected sapstartsrv to activate the
changes. SAP Note 1495075 describes the syntax of the ACL files.
LESSON SUMMARY
You should now be able to:
LESSON OVERVIEW
The lesson explains the process of configuring the Secure Socket Layer (SSL) on SAP
NetWeaver by creating SSL client Personal Security Environment (PSE) and SSL server PSE.
Business Example
You want to enable SSL on SAP NetWeaver Application Server (SAP NetWeaver AS) to
reinforce the security of the system. For this reason, you require knowledge of how to
perform the following tasks:
LESSON OBJECTIVES
After completing this lesson, you will be able to:
The data being transferred between the two parties (client and server) is encrypted, and
the two partners can be authenticated.
If users need to transfer their account information, SSL can be used to authenticate the
users and encrypt the information during transfer.
The figure, Roadmap to Create SSL Client PSE, shows the steps to create an SSL client PSE.
a) Use the Trust Manager, transaction STRUST, to maintain the SSL client PSEs.
Use the <SID> as the Common Name (CN) part of the DN.
b) If the server functions as a client component for connections where SSL is used,
create a certificate request and send it to your CA.
Import the corresponding response into the standard SSL client PSE.
c) Establish trust relationships by importing the CA root certificates from CAs that you
trust into the certificate list of the PSE.
The anonymous SSL client PSE is optional. You need this PSE for connections where the
SAP NetWeaver AS is not to be authenticated for the connection.
The Common Name part of the Distinguished Name is automatically determined by the
system as CN=anonymous.
The SAP NetWeaver AS is not authenticated when using this PSE, so you do not need to
use a certificate signed by a CA. You can skip the certificate request handling steps.
However, you need to establish the trust relationships by importing the trusted CA root
certificates into the certificate list of the PSE.
a) To create and activate an individual SSL client PSE, you need to make an entry in the
SSL client identity table. On the Trust Manager screen, to access the table, choose
Environment → SSL Client Identities.
b) Use the Trust Manager to maintain the PSE. There are no restrictions on the
Distinguished Names for individual SSL client PSEs.
c) After creating the SSL client PSE(s), restart the Internet Communication Manager
(ICM).
a) Create the HTTP connection using transaction SM59. There are two types of HTTP
connection:
Note:
The only difference between these two connection types is the available
logon procedures. The technical settings are identical.
b) Under Technical settings, specify the host, URL, and HTTPS port to use for the target
system.
c) Specify the authentication method to use for the logon under Logon/Security options.
d) For SAP NetWeaver AS connections, Type H, specify the following logon methods:
e) Activate SSL and specify which SSL identity to use for the connection.
f) Specify the language or target client, if these values are different from the default
values.
g) If you want SSO to another SAP NetWeaver AS, you must maintain a user mapping in
the target system using the table USREXTID.
This table maps the client SAP NetWeaver AS's DN to the user ID used for the
connection.
LESSON SUMMARY
You should now be able to:
LESSON OVERVIEW
This lesson explains how to enable Secure Socket Layer (SSL) for SAP NetWeaver Application
Server Java (SAP NetWeaver AS Java).
Business Example
To secure the HTTP communication, you need to configure SSL on SAP NetWeaver AS Java.
For this reason, you require an understanding of the following:
LESSON OBJECTIVES
After completing this lesson, you will be able to:
Authentication
With server-side authentication, the server identifies itself to the client when the
connection is established, which reduces the risk of server impersonation to gain
information from clients.
With mutual authentication, both the client and the server are authenticated when the
connection is established. For example, you use client-side authentication at SSL level to
authenticate users with client certificates instead of with user IDs and passwords.
Data integrity
The data being transferred between the client and the server is protected, so that any
manipulation of the data is detected.
Data privacy
The data being transferred between the client and the server is also encrypted, which
provides privacy protection. An eavesdropper cannot access the data.
3. Send the certificate signing request (CSR) to the Certification Authority (CA).
Note:
The cryptographic library (CommonCryptoLib 8.4) is included with the 7.42 kernel,
so there is no need to install it separately. The ticket file does not come with the
kernel, so you have to create it yourself. You can navigate to the
\usr\sap\<SID>\Jxx\sec directory, create an empty text file, and save it with the
file name ticket without an extension.
For more details about the configuration of SSL in AS Java, refer to the online help
at http://help.sap.com/saphelp_nw74/helpdata/en/4a/015cc68d863132e10000000a421937/frameset.htm.
LESSON SUMMARY
You should now be able to:
Learning Assessment
1. Which of the following options are the components of a Personal Security Environment
(PSE)?
Choose the correct answers.
X B Digital signatures
2. Which of the following is not done to create Secure Socket Layer (SSL) server Personal
Security Environment (PSE)?
Choose the correct answer.
X D Specify the PSE for each application server to use individual PSEs
3. Who must certify the public key of the SAP NetWeaver AS for Java key pair to use a key
pair for SSL?
Choose the correct answer.
X A SAP user
X B SUPER user
4. The SAP Web Dispatcher supports the use of SSL using which of the following?
Choose the correct answer.
X B OpenSSL
X C Kerberos
X D Windows NT LM Service
Lesson 1
Exploring Business Cases
UNIT OBJECTIVES
LESSON OBJECTIVES
After completing this lesson, you will be able to:
Note:
Due to formatting malfunctions of the editor software, some Linux commands
might be shown with upper-case characters instead of lower-case
characters. Please request the latest errata available from your instructor.
On the fifth day of the course, you will implement your security policies. From the teachings of
previous days, you can pick the items you find most relevant. Alternatively, you can refer to
the following sample policy:
Requirement | Description
Encryption | HTTPS access should be available, but not mandatory.
The purpose of the business case is to provide a real-life experience, where you start with a
default installation and, from there, implement the security requirements. The business case
should be solved in one morning — students will have no more than 180 minutes to configure
the system. Any questions or doubts should only be addressed once this time is exhausted
(remember you are simulating a real-life scenario). After lunch, the instructor will discuss
what went right or wrong for each group, and how the goals could have been achieved.
Over the next pages, you will find the instructions to install the NetWeaver systems required
for the business case.
On all FSx and S4x systems, remember to shut down all existing servers, with the exception of
your own Web dispatcher. On FSx systems, you will install a new front-end server. On S4x
systems, you will install an S/4 environment.
Install an SAP front-end server system, based on AS ABAP 7.51, and the SAP MaxDB
database on Windows server 2012 R2 operating system.
Note:
Ensure that you are using the install user account to execute this installation.
In general, you will follow the installation procedure described in this training handbook. Refer
to the figures from “Installing SAP Front End Server 1: Prepare for Virtual Host names when
using cnames (Windows)” to “Installing SAP Front End Server 44: System — Status after
installation”.
This means you can use this training material for reference.
Note:
This exercise assumes that you did not already execute the optional exercise for
executing a prerequisites check. Therefore, some activities might be already done.
2. Check that the system displayed in the SAP Management Console as FSD is stopped.
To stop the system, provide the credentials of the fsdadm user and the password given by
your instructor.
3. There are different methods available for logging on to the training host. The following
description assumes that you are using a Remote Desktop Connection.
4. Log on to the fsdhost server, using the install user and the password given by your
instructor.
5. Use a command prompt to start the registry editor (REGEDIT). Adapt the
BackConnectionHostNames registry key, which can be found at the following location:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.
Check that it is set to the following values: fsdhost.wdf.sap.corp and fsdhost. This
step is described in the figure “Installing SAP Front End Server 1: Prepare for Virtual Host
names when using cnames (Windows)”.
Note:
The registry key needs to exist with the correct name (see above) before
starting SAPinst using virtual host names. However, the registry key must not
exist during the dialog-free phase of the installation. Therefore, this registry
key will be created and later on switched from its valid name to an invalid
name and back. This is only required in our special Windows operating
system environment, as explained in the lesson.
7. Copy the content of the directory S:\Installation\FSx to the newly created directory
D:\Media . This copy activity will take about 10 minutes.
8. Execute the following steps before starting to work with SWPM/SAPinst. You can execute
those steps, while the copy activity is being executed.
The systems FSD and WFD should be stopped already: see above, using SAP MC on the WTS.
SWPM10SP20_020009707.SAR
MP_Stack_2000160619_20170221_.xml
SAPCAR_81680000938.EXE
Note:
Please see step 11 for the recommended name of the Log and Work directory.
Such an explicitly named directory can only be used for one single installation
run.
16. On the WTS server, open a browser window using the URL shown in the browser that
opened on fsdhost.
17. Usually, you won’t have configured SSL for SAPinst, therefore proceed by selecting the
message: Continue to this website (not recommended).
18. Authenticate yourself with the install user and the corresponding password.
19. In the Software Provisioning Manager, expand Software Provisioning Manager 1.0 SP
20 System FSX (AS ABAP 7.51 FOR S/4HANA 1610) SAP S/4HANA 1610 AS
ABAP for SAP S/4HANA 1610 Frontend MaxDB Installation Application Server
ABAP Standard System Standard System and choose Next.
20. You can now also proceed by using a browser in your training WTS, instead of using a
browser on fsdhost. Make sure you enter the fully qualified address
(fsdhost.wdf.sap.corp:4237).
21. Continue the installation process screen-by-screen, entering the data as shown in the
table.
Those settings for the Data Volumes will prove too small during the patch procedure. We
will adapt them later, during the update.
Note:
There might be less space on D:\ available than required.
Delete the Data Volumes of system FSD stored at this location: D:\sapdb\FSD\sapdata
SAP System FSD will be destroyed by this action. Please be aware that no
further activities can take place in this SAP system FSD for the rest of the
course.
SAPinst might show an error message, and you might be asked to cancel the current
activity. Then SAPinst will return to setting the size of the SAP MaxDB Data Volumes. After
deleting the files named above, you can now proceed without further error message.
Screen | Parameter | Value
MaxDB ABAP Schema Password | Password of ABAP schema | Do not change the Default, will be the Master Password
Declustering/Depooling Option | ABAP Table Declustering and Depooling | You cannot change the Default (“Enable...”)
SAP System Database Import | Number of Parallel Jobs | 6
Primary Application Server Instance and ABAP Central Services Instance | PAS Instance Number | 60
Primary Application Server Instance and ABAP Central Services Instance | PAS Instance Host | fsdhost
Primary Application Server Instance and ABAP Central Services Instance | ASCS Instance Number | 64
Primary Application Server Instance and ABAP Central Services Instance | ASCS Instance Host Name | fsdhost
ABAP Message Server Ports and Transport Host | ABAP Message Server Port | Do not change the Default
ABAP Message Server Ports and Transport Host | Internal ABAP Message Server Port | Do not change the Default
ABAP Message Server Ports and Transport Host | Host with Transport Directory | fsdhost
ICM User Management | Password for “webadm” | Do not change the Default, will be the Master Password
SLD Destination for the SAP System OS Level | Register in System Landscape Directory | No SLD destination
Message Server Access Control List | Message Server Access Control List | Do not create Message Server Access Control List
Additional Components to be included in the ASCS Instance | Install an SAP Web Dispatcher integrated in the ASCS Instance | Select this option
Additional Components to be included in the ASCS Instance | Install an SAP Gateway integrated in the ASCS instance | Do not select this option
SAP Web Dispatcher Parameters | | Do not change the Default settings
Note:
Please note that the following selection is different from the screenshots in the
training material.
Configuring Transport Management for Single System | TMS Configuration (for Single System) | Select No ABAP TMS Configuration during Installation
Note:
Please note that the previous selection is different from the screenshots in the
training material.
Before starting the dialog-free part of the installation, change the name of
registry key from BackConnectionHostNames
to .BackConnectionHostNames . This invalidates the registry key for the
dialog-free part of the installation.
After the installation has finished successfully, change the name of the registry
key back to: BackConnectionHostNames .
You have successfully installed AS ABAP-based SAP System.
Note:
Ensure that you are using the install user account to execute this installation.
1. As a prerequisite, please stop the S4D SAP system on s4dhost, and the HAD SAP HANA
database on hadhost, as described in the following steps.
2. On the training WTS, use the SAP Management Console to stop the S4D SAP system,
using the s4dadm user and the password provided by your instructor.
3. After the SAP system has been stopped, stop the HAD database, using the hadadm user
and the password provided by your instructor.
4. There are different methods available for logging on to the training host. The following
description assumes that you are using MobaXterm to open a connection of type SSH to
the host.
5. Log on to the server hadhost, using the install user and the password given by your
instructor.
6. Open a command shell and execute the command df -h. The directory /hana/shared
should offer more than 200 GB of free space.
8. After the extraction has finished (this will take some minutes), navigate to:
/hana/shared/51052030_SAP_HANA_Platform_Edition_2.0_SP01_rev10_Linux/51052030/DATA_UNITS/HDB_SERVER_LINUX_X86_64.
Note:
The default for this parameter would be /hana/data/HAX, but we use
/hana/shared/data/HAX instead. You can change those location settings,
and in our file system environment (free disk space consideration) this
change is also required.
Note:
The default for this parameter would be /hana/log/HAX, but we use
/hana/shared/log/HAX instead.
Note:
Setting the master password for the users of the SAP HANA database
system HAX (which will serve as the database for the SAP S/4HANA
server with SID S4X) as S4Xadm60 will avoid later confusion.
1000
10100/bin/sh
/usr/sap/HAX/home
Install the SAP S/4HANA system S4X as described in the training material, using the input
values, selections, given below.
Note:
Ensure that you are using the user account install and the password provided by
your instructor to execute this installation.
2. Check in the SAP Management Console that the system S4D has been stopped. If it is
running, stop it.
You can provide the credentials of the install user to stop the systems. For details on its
password, see above.
The S4Dadm user has a password as provided by your instructor.
3. There are different methods available for logging on to the training host. The following
description assumes that you are using a Remote Desktop Connection, started via the tool
MobaXterm on the WTS.
4. Log on to the server s4dhost, using the install user and the password provided by your
instructor.
5. Open a command shell and execute the command df -h. The directory /usr/sap should
offer about 90 GB of free space.
Note:
This copy activity will run for about 20 minutes.
10. After the copy activity has finished, use a command shell at /usr/sap/Media/04_Export.
13. Copy the files SWPM10SP20_0–20009701.SAR and the SAPCAR that is also provided
there, e.g. SAPCAR_816–80000935.EXE from /usr/sap/Media/01_SWPM_SUM to the
directory /usr/sap/SWPM.
Note:
During and after the installation, examine the content of the directory:
/Install_Log_and_Work_PAS.
18. Use a browser (for example, Google Chrome) on the WTS to open the URL that SAPinst
displays in the shell on s4dhost.
For example, https://wdflbmt0102:4237/docs/index.html
19. Ignore or confirm the warnings about HTTPS, as we did not configure the required SSL
communication.
20. In the logon window, authenticate with the install user and the corresponding password.
22. In the Software Provisioning Manager, expand Software Provisioning Manager 1.0 SP
20 SAP S/4HANA 1610 SAP S/4HANA Server SAP HANA Database
Installation Application Server ABAP Standard System Standard System , and
choose Next.
Note:
You can also execute a Prerequisites Check.
When asked, provide the path to the Kernel files (below /Media) and select the
Check options for the Central Services Instance, the Primary Application
Server Instance and the Additional Application Server Instance.
The check result should be OK.
23. On the next screen, Parameter Settings, select the Parameter Mode Custom, and choose
Next.
24. Continue the installation process screen-by-screen, entering the data as shown in the
table.
Screen | Parameter | Value
Database Schema (SAPABAP1) | Drop Existing Schema Password | Do not change the Default in any case
SAP HANA Import Parameters | SAP HANA Import | Do not change the Default values. The following activity will take a few minutes. In case this activity takes more than 2–3 minutes, check the state of SAPinst using the Refresh button of your browser.
Declustering/Depooling Option | ABAP Table Declustering and Depooling | Do not change the Default ("Enable declustering...")
SAP HANA Table Placement Parameters | Table Placement | Do not change the Default ("Do not use...")
SAP System Database Import | Number of Parallel Jobs | 12
Primary Application Server Instance and ABAP Central Services Instances | PAS Instance Number | 60
Primary Application Server Instance and ABAP Central Services Instances | PAS Instance Host | s4dhost
Primary Application Server Instance and ABAP Central Services Instances | ASCS Instance Number | 64
Primary Application Server Instance and ABAP Central Services Instances | ASCS Instance Host Name | s4dhost
ABAP Message Server Ports | ABAP Message Server Port | Do not change the Default
ABAP Message Server Ports | Internal ABAP Message Server Port | Do not change the Default
ICM User Management for the SAP Web Dispatcher | Password for webadm | Do not change the Default, will be the Master Password
SLD Destination for the SAP System OS Level | Register in System Landscape Directory | No SLD destination
Message Server Access Control List | Message Server Access Control List | Do not create Message Server Access Control List
SAP Web Dispatcher Parameters | SAP Web Dispatcher Configuration | Do not change the Default settings
Secure Storage Key Generation | Secure Storage Individual Key Information | Individual Key (recommended for Productive Systems). Save the information shown in the message.
Cleanup of Operating System Users | Yes, remove operating system users from the group sapinst | Do not select (in this training)
Parameter Summary | Select Parameters/Settings that you would like to change. Choose Revise, if required. |
Note:
On the Master Password screen, enter the password for all users (as shown in
the table), and choose Next.
All class participants use the same password to make support by the
instructor easier. In your company, you will use passwords of your own
choosing.
LESSON SUMMARY
You should now be able to: