TSEC10
SAP System Security and Authorization Academy I - part 2

PARTICIPANT HANDBOOK
INSTRUCTOR-LED TRAINING

Course Version: 11
Course Duration: 5 Day(s)
e-book Duration: 9 Hours 15 Minutes
Material Number: 50144572
SAP Copyrights and Trademarks

© 2017 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/
corporate-en/legal/copyright/index.epx for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software
vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without
notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which
speak only as of their dates, and they should not be relied upon in making purchasing decisions.
Typographic Conventions

American English is the standard used in this handbook.


The following typographic conventions are also used.

This information is displayed in the instructor’s presentation

Demonstration

Procedure

Warning or Caution

Hint

Related or Additional Information

Facilitated Discussion

User interface control Example text

Window title Example text

© Copyright. All rights reserved. iii


Contents

vii  Course Overview

1    Unit 1: Security Overview
2      Lesson: Evaluating Security Concepts
7      Lesson: Outlining the Security Roadmap
11     Lesson: Describing the Training Environment

16   Unit 2: NetWeaver AS Components and Communication Mechanisms
17     Lesson: Determining the Key Points of Network Security
22     Lesson: Installing and Configuring SAProuter
28     Lesson: Installing and Configuring SAP Web Dispatcher

41   Unit 3: NetWeaver AS Security Operations
43     Lesson: Explaining the Secure Store
54     Lesson: Outlining Authorizations and Security Policies
71     Lesson: Setting Up User Security in SAP Systems
87     Lesson: Securing the Message Server and the Internet Communication Manager (ICM)
96     Lesson: Securing the SAP GUI
101    Lesson: Monitoring SAP Systems Security
115    Lesson: Describing Application Lifecycle Management
121    Lesson: Monitoring Security with SAP Solution Manager

131  Unit 4: Authentication and Single Sign-On
132    Lesson: Discussing Authentication for SAP NetWeaver AS
137    Lesson: Discussing Authentication for SAP NetWeaver AS Java
140    Lesson: Discussing Authentication for SAP NetWeaver AS ABAP
143    Lesson: Configuring UME Parameters for SSO
145    Lesson: Discussing Single Sign-On with Active Directory

154  Unit 5: RFC Security
155    Lesson: Securing the RFC Gateway
168    Lesson: Enabling SNC for SAP NetWeaver AS ABAP
189    Lesson: Reducing the Attack Surface: RFC Communication and Unified Connectivity

196  Unit 6: Secure Sockets Layer (SSL)
197    Lesson: Discussing Secure Sockets Layer (SSL) for SAP
208    Lesson: Discussing SSL for SAP Management Console
210    Lesson: Discussing SSL for SAP NetWeaver AS ABAP
215    Lesson: Discussing SSL for SAP NetWeaver AS Java

222  Unit 7: Business Case
223    Lesson: Exploring Business Cases


Course Overview

TARGET AUDIENCE
This course is intended for the following audiences:

System Administrator

Technology Consultant

UNIT 1 Security Overview

Lesson 1
Evaluating Security Concepts 2

Lesson 2
Outlining the Security Roadmap 7

Lesson 3
Describing the Training Environment 11

UNIT OBJECTIVES

Evaluate computer security and major sources of threats

Identify challenges and solutions for the implementation of infrastructure security

Identify and locate the different instances available



Unit 1
Lesson 1
Evaluating Security Concepts

LESSON OVERVIEW
This lesson describes the security threats to a system and its security safeguards. This lesson
also explains how to categorize security measures (IT-based and Environment-based) to
secure the system environment from the many different risk categories.

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Evaluate computer security and major sources of threats

Security Requirements

Figure 1: The Big Picture

Safeguards, threats, and goals are closely related. Threats compromise certain security
goals, and safeguards protect your system against these threats. Thus, when implementing
security, you need to consider the safeguards regarding the goals and the threats.
Security requirements arise due to the following reasons:

Government Regulations
For example, the US Sarbanes-Oxley Act (SOX) establishes disclosure obligations for
organizations’ financial statements.
Protection of Intellectual Property
For example, pharmaceutical companies and formulas for innovative drugs.
Legal Issues
For example, health-care companies and patient medical history.
Trust Relationship between Business Partners
For example, legally binding documents — such as a purchase order sent electronically.


Continuous Business Operations


For example, the availability of an uninterrupted power supply.
Protection of Image
For example, a leak of internal mails with derogatory comments about individuals or
organizations.
Human Behavior
For example, someone discloses their account and password to a helpful neighbor.

Security can optimize administration processes in the following ways:

Increase efficiency through Single Sign-On.


For example, fewer help-desk tickets for password unlocks and resets.

Enforce trust and accountability with Digital Signatures.


For example, ensure the authenticity of an IRS declaration.

Computer Crime and Security Facts


The following facts are taken from the data collected by the ISACA (Information Systems
Audit and Control Association — http://www.isaca.org/ ). This data was published in their
2017 report, available when this course was written.

“Enterprises have continued difficulty finding qualified personnel to fill cyber security
positions.”

“Budgets are still expanding, but more slowly.” (This refers to IT security budgets.)

“Internet of Things (IoT) is replacing mobile as the emerging area of concern. Threats
resulting from mobile-device loss are down from last year, but a new challenge area
appears to be emerging — IoT.”

“Ransomware is expanding, but the processes to address it are not yet ubiquitous.”

From ISACA, “State of Cyber Security 2017: Current Trends in Workforce Development,”
February 2017, www.isaca.org/cyber/pages/state-of-cyber-security-2017.aspx

Figure 2: Threats and Goals

The threats shown in the figure above are only a subset of known threats. A major source for
security concern is social engineering, where sensitive information is exposed casually or
picked up without going through the correct channels. For example, being asked to disclose
your user and password.


IT Security Goals
The following goals are achieved through IT security measures:

Availability

Authentication

Authorizations

Confidentiality

Integrity

Non-repudiation

In detail, these goals entail the following:

Availability
Availability ensures that the users can access their resources whenever they need them.
When determining requirements regarding the availability of resources, you should
consider the costs that result from unplanned downtime. For example, loss of customers,
costs for unproductive employees, and overtime. Some damage cannot be fully factored
in terms of money, such as loss of reputation (for example, a website-defacing attack,
with some embarrassing content).
Authentication
Authentication determines the real identity of the user. You can use the following
authentication mechanisms:

Authentication using user ID and password.

Authentication using a smart card.

Authentication using a smart card and PIN.

Authentication using Single Sign-On mechanisms, after one of the three previous
methods is successfully performed. For example, log into your company network and,
from there, access the available systems.

Authorization
Authorization defines the rights and privileges of the identified user. It also determines
the functions that a user can access. The application must be programmed to check
whether a user is authorized before that user can access a function. For example, update
your own IBAN number, but not your colleague’s IBAN. Within SAP’s current context,
application authorizations can be determined in the application layer or database layer
(more relevant for HANA-based systems).
Confidentiality
Confidentiality ensures that a user’s data and communication are disclosed only to those
who are authorized to see them.
Information and services need to be protected from unauthorized access. The
authorizations to read, change, or add information or services, must be granted explicitly
to only a few users and other users must be denied access. If you post something on the
Internet, the confidentiality of information is at risk. For example, access to your tax
records.
Integrity
Integrity ensures that user information, whether transmitted or stored, has not been
altered. Programs and services should execute correctly and provide accurate
information. Thus, people, programs, or hardware components must not be able to modify
programs and services without authorization. For example, a signed contract.
Non-repudiation
Repudiation is the act of denying that you have done something, whereas non-repudiation
ensures that people cannot deny their actions. Non-repudiation allows you to conduct
legally binding business transactions, for example, submitting a bank payment order
electronically.

Environmental Security Concepts, Threats, and Goals


Security does not only refer to system attacks. The human factor is also a major concern for a
comprehensive approach to security. Many of the goals are common to system security
threats, but other goals will also be relevant, focusing mainly on mitigation strategies for risk
and the ability to provide an audit trail.

Accountability
Such as, who performed an action that had a negative impact in the organization?
For example, a sales operation made with an abnormally high discount.

Compliance
Such as, who identified the risks (or their absence) for specific business processes? Who sets
the limit for small purchases that can be performed without approvals? Who makes the
decision of whether or not to implement a mitigation control?
For example, a periodic review of small purchases, their frequency, their accumulated
amount, and so on.
The following are examples of environmental threats. They are not focused on in this training,
but they should not be neglected due to their potential impact in the IT landscape.

Accidents
This can range from hardware failure to random events. For example, a trainee that
doesn’t properly classify accounting documents, leading to non-compliant profit and loss
reports. Or a construction worker that accidentally cuts a fiber-optic cable.
Natural Disasters
Environmental threats that might compromise the availability of the system. For
example, a flood that forces an electrical grid shutdown.
Fraud
An unauthorized person gains access to a system with stolen accounts and passwords,
or performs activities that they are not meant to do through excessive authorizations. For
example, changing their own basic wage.
Infrastructure
Environmental threats that might compromise the availability of the system. For
example, the absence of a proper cooling system that forces a server to power off.
Errors
This can range from improper training to simple random sporadic events. For example,
an accounting clerk that doesn’t properly classify accounting documents, leading to non-
compliant profit and loss reports that trigger a fine from the tax authority.
Procedures
The different ways to conduct any system activity, from development (for example, no
proper source code quality checks, which leads to functions being vulnerable to code
injection) to normal operations (for example, unrestricted access to websites from which
you can download infected software).

LESSON SUMMARY
You should now be able to:

Evaluate computer security and major sources of threats



Unit 1
Lesson 2
Outlining the Security Roadmap

LESSON OVERVIEW
The purpose of this lesson is to raise awareness about the many topics that a Security
Administrator needs to address and to point out some of the solutions SAP can provide.

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Identify challenges and solutions for the implementation of infrastructure security

Password Policy

Figure 3: Securing the IT Landscape: The What and How

A security roadmap requires a two-step analysis:

What do you need to protect?

How can you protect your vulnerable spots?

Figure 4: Implementing a Password Policy

SAP systems provide several facilities for enforcing robust password choices:

Complexity Rules
For example, system parameters and policies that set the mandatory use of capitals,
digits, and other characters, for all users or for distinct users.
Expiration Rules
For example, the distinction between dialog users and technical users (such as the
system user type in ABAP), and the parameters (such as login/password_expiration_time)
or security policies that allow the system to enforce those rules.
Reusability Rules (Password History)
For example, parameters that prevent a user from reusing the last known passwords.
Prevention of Dictionary Attacks (Denied Passwords)
For example, dictionary maintenance tools for disallowing specific passwords, such as
the customizing recorded in table USR40.
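The following Python snippet is an added example, not part of the handbook and not SAP code. It models the four kinds of rule listed above: complexity thresholds named after the ABAP profile parameters login/min_password_*, a password history of login/password_history_size entries, and a denied-password list in the style of table USR40, whose entries accept the wildcards * (any string) and ? (exactly one character). The parameter values and the denied patterns are illustrative, and matching the denied list case-insensitively is an assumption.

```python
import re
from typing import Iterable, List

# Illustrative values for the ABAP profile parameters named in this lesson
# (assumed values, not an SAP recommendation).
POLICY = {
    "login/min_password_lng": 12,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_specials": 1,
    "login/password_history_size": 5,
}

# Constructed entries in the style of table USR40: '*' matches any string,
# '?' matches exactly one character.
DENIED_PATTERNS = ["*sap*", "*pass*", "123*", "welcome?"]


def usr40_match(pattern: str, password: str) -> bool:
    """Return True if the USR40-style pattern matches the whole password.
    Matching is case-insensitive here (assumption)."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, password, re.IGNORECASE) is not None


def check_password(password: str, history: Iterable[str] = (),
                   denied: List[str] = DENIED_PATTERNS,
                   policy: dict = POLICY) -> List[str]:
    """Return the list of policy violations for a candidate (empty = accepted)."""
    problems = []

    # Complexity rules: compare character counts with the configured minimums.
    counts = {
        "login/min_password_lng": len(password),
        "login/min_password_digits": sum(c.isdigit() for c in password),
        "login/min_password_letters": sum(c.isalpha() for c in password),
        "login/min_password_specials": sum(not c.isalnum() for c in password),
    }
    for param, minimum in policy.items():
        if param in counts and counts[param] < minimum:
            problems.append(f"{param}: have {counts[param]}, need {minimum}")

    # Denied passwords (prevention of dictionary attacks); first hit is enough.
    for pattern in denied:
        if usr40_match(pattern, password):
            problems.append(f"matches USR40 pattern {pattern!r}")
            break

    # Reusability rule: the last N passwords may not be reused. The real
    # system compares hashes; plain strings are used here for brevity.
    size = policy["login/password_history_size"]
    recent = list(history)[-size:] if size > 0 else []
    if password in recent:
        problems.append("reused within password history")

    return problems


if __name__ == "__main__":
    for candidate in ("Welcome1", "Tr0ub4dor&Horse"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

The point of the USR40 emulation is the wildcard handling: a single entry such as welcome? blocks Welcome1, Welcome2 and so on, which a plain word list would miss.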

Authentication

Figure 5: Authentication Methods

SAP systems are compliant with industry standard authentication mechanisms, such as
SAML. They also provide their own methods for authentication, for example, SAP Logon
Tickets.

Encryption

Figure 6: Data and Communication Encryption

SAP provides cryptographic libraries for encrypting communication over several protocols
(for example, Secure Network Communication (SNC) for RFC and DIAG communication, and
SSL/TLS for HTTP), and facilities to store keys and digital certificates (for example, the
Personal Security Environment (PSE) files and the secure store). SAP systems also support
database encryption (for example, SAP HANA data volume encryption).

Threat Detection

Figure 7: Tools to Identify System and Application Security Threats

SAP systems contain auditing and tracing tools that allow a system administrator to
recognize potential threats. These functionalities can be complemented with the capabilities
of Solution Manager to evaluate security configurations, and recommend corrective
measures and patches. SAP products can also have their security capabilities extended
through integration with partner software.


Uploaded and Embedded Documents and Script Vulnerabilities (Virus Scan Interface)
The SAP NetWeaver Virus Scan Interface (NW-VSI) allows external anti-virus and content
security solutions to integrate with SAP application servers. The Virus Scan Adapter is built by
the anti-virus solution provider, based on SAP templates in the Software Development Kit
(SDK) for Virus Scan Adapters. This standardized process provides a transparent job division
between SAP data to be scanned (SAP know-how), and the actual virus scan (Anti Virus
know-how). Additionally, it allows SAP customers to easily switch between anti-virus and
content security solutions, based on their business needs.
Version 2.0 of NW-VSI not only covers the signature-based classical AV protection, but also
supports the detection of malicious file formats, file format classification, and detection of
active content inside of a file, such as script in files. The use-case for these enhancements is
the protection of web applications against XSS in files (cross-site scripting in files). SAP note:
1693981 describes the problems about script inside of documents that are uploaded into SAP
systems.
VSI integration is available not only in the NetWeaver core platform but in all SAP web
application servers. In the VSI figure, the left side shows the options available to AV
partners and the right side shows the SAP integrations.
For more information, refer to SAP Note 817623 (Frequent questions about VSI in SAP
applications) and SAP Note 1494278 (NW-VSI: Summary of Virus Scan Adapters for SAP
integration).

Threat Analytics

Figure 8: Data Acquisition and Data Mining for IT Security

Most SAP tools that allow you to capture security relevant information can also work as a data
warehouse system, where analytical tools can be employed for finding patterns and
preemptively address potential threats.

Enterprise Threat Detection

Figure 9: Enterprise Threat Detection Capabilities

For more information, go to: https://help.sap.com/viewer/p/SAP_ENTERPRISE_THREAT_DETECTION

Figure 10: Monitoring Enterprise Threat Detection

Enterprise Threat Detection provides real-time data analysis and dashboard panels, from
which you can drill-down to the event details.

Figure 11: Enterprise Threat Detection Alert Example

From an alert, you can trigger a ticket-based investigation process. In the example shown
above, a system on which single sign-on is the only permitted logon method has experienced
a logon with basic authentication (user ID and password).

LESSON SUMMARY
You should now be able to:

Identify challenges and solutions for the implementation of infrastructure security



Unit 1
Lesson 3
Describing the Training Environment

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Identify and locate the different instances available

Available Instances

Figure 12: ADM960 System Landscape

Figure 13: Attack Surface for a Java NetWeaver Environment (Application Server Instances)


Figure 14: Attack Surface for a Java NetWeaver Environment (Java Central Services Instance)

The training landscape contains a Solution Manager 7.20 system. The figures above show the
entry points for the Java stack present in the system.

Figure 15: Attack Surface for an ABAP NetWeaver Environment (Application Server Instances)

Figure 16: Attack Surface for an ABAP NetWeaver Environment (ABAP Central Services Instance)

The training landscape contains several SAP NetWeaver systems of type single stack (ABAP
only). The figures above exemplify the entry points for the ABAP stack present in the system.


Figure 17: Attack Surface for SAP Web Dispatcher

In addition to the ABAP and Java engines, the training landscape contains several SAP Web
Dispatcher instances, used for load balancing.

LESSON SUMMARY
You should now be able to:

Identify and locate the different instances available



Unit 1

Learning Assessment

1. How can a hacker find information regarding your SAP landscape?

2. How can the SAP Management Console be reached?

3. How can you find which communication ports are enabled for each IP address?

4. What measures you can take to prevent a dictionary-based attack?



Unit 1

Learning Assessment - Answers

1. How can a hacker find information regarding your SAP landscape?

An attacker can scan for the well-known SAP port ranges. Using ports such as 5<sysnr>13 or
5<sysnr>14, they can try to reach the SAP Management Console (the sapstartsrv web service)
to discover more details about the landscape.

2. How can the SAP Management Console be reached?

http://hostname:5<sysnr>13 or https://hostname:5<sysnr>14

3. How can you find which communication ports are enabled for each IP address?

Log on to the SAP Management Console, authenticate with valid administrator credentials,
wait for the tree to refresh, and expand Access Points on any of the available instances.
For each port, you see the IP address on which it is listening and whether the port is
active.

4. What measures you can take to prevent a dictionary-based attack?

In an ABAP system, table USR40 allows the definition of non-admissible passwords.



UNIT 2 NetWeaver AS Components and Communication Mechanisms

Lesson 1
Determining the Key Points of Network Security 17

Lesson 2
Installing and Configuring SAProuter 22

Lesson 3
Installing and Configuring SAP Web Dispatcher 28

UNIT OBJECTIVES

Determine network security for SAP systems

Install and configure SAProuter

Install and configure SAP Web Dispatcher



Unit 2
Lesson 1
Determining the Key Points of Network Security

LESSON OVERVIEW
This lesson explains the various aspects of network security in an SAP system landscape. It
also introduces SAProuter and SAP Web Dispatcher, both of which play an important role in
network architecture.

Business Example
You need to ensure basic network security for an SAP system landscape. For this reason, you
require an understanding of the following:

The network components

The ports used by the SAP NetWeaver Application Server (SAP NetWeaver AS)

Network filtering

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Determine network security for SAP systems

Network Security for SAP Systems


The figure, Network Components, shows the various network components of an SAP system
landscape.


Figure 18: Network Components

Many SAP systems are based on SAP NetWeaver AS. An understanding of the ports and
protocols used by SAP NetWeaver AS makes you aware of the ports and protocols used in the
majority of SAP installations.
The following are examples of communication that occur in a typical NetWeaver-based
landscape:

Connection from SAP GUI for Microsoft Windows or Java to the AS ABAP-based SAP
system

Connection from the Web browser to the SAP system

Connections from the AS ABAP-based SAP system to print servers, for example, using
SAPSprint

Connections between SAP systems

Connections between SAP systems and third-party applications

The SAP system uses many ports to establish connections in the system. These ports are
determined by the operating system process involved and the instance number to which the
process belongs.


SAP NetWeaver AS – Ports

Figure 19: Ports Used by SAP NetWeaver AS

The figure, Ports Used by SAP NetWeaver AS, shows the important ports of SAP NetWeaver
AS.
SAP GUI for Microsoft Windows connects to the ABAP system through the dispatcher process
on the application server. The dispatcher listens on port 32$$, where $$ stands for the
instance number. SAP Logon, as part of SAP GUI, first contacts the ABAP message server to
obtain logon-group (load-balancing) information. The message server port is defined by an
entry sapms<SID> in the services file of the operating system; the default is 36$$.
The ABAP system also communicates with SAP GUI by using remote function call (RFC). In this
communication, the gateway process on port 33$$ is involved. External RFC clients, for
example other SAP systems or third-party applications, connect to the gateway process as
well.
The Internet Communication Manager (ICM) uses the default port 80$$ for the HTTP protocol.
This port is used for connections from a Web browser.
The process involved in starting and stopping the SAP system is sapstartsrv. Its web service
interface, which the SAP Management Console uses, is reached on default port 5$$13 (HTTP)
or 5$$14 (HTTPS) on both ABAP and Java systems.
The SAP program SAPSprint handles the SAP system print requests sent by the spool work
process. SAPSprint listens on default port 515.
When you connect a Web browser to an older SAP NetWeaver AS for Java (release 7.0x), the
Java dispatcher is called on the default HTTP port 5$$00, and the Software Deployment
Manager (SDM) is accessed remotely on the default port 5$$18. In newer SAP NetWeaver AS
for Java releases, the Java dispatcher is replaced with the ICM, which listens on the same
default HTTP port 5$$00. From SAP NetWeaver 7.1 onward, SDM no longer exists.

Note:
For a complete list of ports, see the security documentation relevant for your
NetWeaver version at http://help.sap.com.

Network Filtering

Figure 20: Network Filtering

Network filtering is the fundamental requirement for secure SAP systems. Network filtering
reduces the attack surface to the minimum number of services that the end users access. The
remaining services must then be configured securely.
Network filtering is required between the end-user network and the SAP systems to secure
the SAP operations.

Note:
For more information, see the SAP NetWeaver Security Guide.

Table 1: Network Services Required from End User Networks in SAP Installations
The following table lists the network services required from the end user networks in most
SAP installations:

Service               Description                                                  Default port
ABAP dispatcher       Used by SAP GUI. The communication protocol is SAP           32$$
                      Dynamic Information and Action Gateway (DIAG).
ABAP message server   Manages load balancing information and system-internal       36$$
                      communication.
Gateway               Manages SAP RFC communication.                               33$$
HTTPS (Java)          Ensures secure HTTP communication from a Web browser or      443$$ (ICM port, inactive by
                      a Web service to an SAP system.                              default), 5$$01 (Java
                                                                                   Dispatcher or ICM port)

These services refer to the default ports in a standard installation. All other network services
are not required and must be blocked between the end-user network and SAP systems.
The actual network architecture depends on infrastructure components, such as SAProuter,
SAP Web Dispatcher, and the load balancer. These infrastructure components need to be
considered for architecture planning. Access to SAP DIAG, SAP RFC, SAP Message Server,
and HTTPS is necessary, but the infrastructure components impact the network filtering
implementation.
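To make the port scheme concrete, here is an added Python example (not from the handbook and not an SAP tool) that derives the default ports for an instance number and classifies a constructed port-scan result of an application server against the end-user allowlist in the table above. The service list and the allowlist are assumptions drawn from the defaults quoted in this lesson; adapt both to the actual landscape before using the result to write filter rules.

```python
# Default port templates quoted in this lesson; $$ is the two-digit instance number.
SERVICE_PORTS = {
    "ABAP dispatcher (DIAG)": "32$$",
    "Gateway (RFC)": "33$$",
    "ABAP message server": "36$$",
    "ICM HTTP": "80$$",
    "ICM HTTPS": "443$$",
    "Java dispatcher/ICM HTTP": "5$$00",
    "Java dispatcher/ICM HTTPS": "5$$01",
    "sapstartsrv HTTP": "5$$13",
    "sapstartsrv HTTPS": "5$$14",
    "SDM (NetWeaver 7.0x only)": "5$$18",
}

# Services that Table 1 says end-user networks need (assumed landscape).
END_USER_ALLOWLIST = {
    "ABAP dispatcher (DIAG)",
    "ABAP message server",
    "Gateway (RFC)",
    "Java dispatcher/ICM HTTPS",
}


def instance_port(template: str, instance_nr: int) -> int:
    """Expand a port template such as '5$$13' for an instance number (00-99)."""
    if not 0 <= instance_nr <= 99:
        raise ValueError(f"instance number out of range: {instance_nr}")
    return int(template.replace("$$", f"{instance_nr:02d}"))


def ports_for_instance(instance_nr: int) -> dict:
    """Map each service to its concrete default port for one instance."""
    return {svc: instance_port(tpl, instance_nr) for svc, tpl in SERVICE_PORTS.items()}


def audit_open_ports(open_ports, instance_nr: int, allowlist=END_USER_ALLOWLIST):
    """Classify ports reachable from the end-user network.

    Returns (expected, to_block, unknown): expected and to_block are lists of
    (port, service) pairs in ascending port order; unknown lists ports that are
    not part of the SAP default scheme for this instance and need a closer look."""
    by_port = {port: svc for svc, port in ports_for_instance(instance_nr).items()}
    expected, to_block, unknown = [], [], []
    for port in sorted(set(open_ports)):
        svc = by_port.get(port)
        if svc is None:
            unknown.append(port)
        elif svc in allowlist:
            expected.append((port, svc))
        else:
            to_block.append((port, svc))
    return expected, to_block, unknown


if __name__ == "__main__":
    # Constructed result of a port scan of instance 00 from a user workstation.
    scan = {22, 3200, 3300, 3600, 8000, 50001, 50013, 50014}
    expected, to_block, unknown = audit_open_ports(scan, 0)
    print("expected from end-user network:", expected)
    print("block at the network filter:", to_block)
    print("not an SAP default port, investigate:", unknown)
```

In the constructed scan, the sapstartsrv ports 50013/50014 and plain HTTP on 8000 show up as reachable from the user network; those are exactly the management and unencrypted services the lesson says must be filtered.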

Network Architecture

Figure 21: Network Architecture

Administrative access to the SAP systems is provided from an administration network. This
network is allowed to access the SAP systems with administrative protocols such as Secure
Shell (SSH), Remote Desktop Protocol (RDP), and database administration tools. Access to the
administrative network itself must be properly secured by common security concepts, for
example, allowing administrative access to the SAP systems only from dedicated subnets or
dedicated workstations.

LESSON SUMMARY
You should now be able to:

Determine network security for SAP systems



Unit 2
Lesson 2
Installing and Configuring SAProuter

LESSON OVERVIEW
This lesson explains the installation and configuration of SAProuter. This lesson also explains
various load balancing techniques.

Business Example
You need to install and configure SAProuter to connect to an SAP system. For this reason,
you require the following knowledge:

An understanding of SAProuter

An understanding of load balancing with SAP NetWeaver Application Server (SAP NetWeaver AS)

How to install and configure SAProuter

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Install and configure SAProuter



Lesson: Installing and Configuring SAProuter

SAProuter

Figure 22: SAProuter as Proxy for SAP Protocol

SAProuter software functions as an intermediate station among various SAP systems and
programs. SAProuter functions as a proxy that has properties of an application-level gateway
when used in SAP protocols.
SAProuter allows you to connect to an SAP system without a direct network connection
between the client computer and application server. The SAP GUI (for Microsoft Windows and
Java) connects to the SAProuter that forwards all the packets to the application server, or to
another SAProuter.
As illustrated in the figure, SAProuter as Proxy for SAP Protocol, when using SAProuter in an
SAP system landscape, you only open the SAProuter port (default port 3299), instead of the
corporate firewall, for all ports and protocols used by an SAP system. You can configure
SAProuter to allow communications based only on the SAP protocol, coming from specific IP
addresses, and directed to the SAP systems.

Note:
SAP’s Network Interface (NI) layer sits directly on top of TCP, the transport layer of
the OSI model, and is the part nearest to the applications. The protocol carried by NI
is also known as the SAP protocol. It is the technical foundation for protocols such as
Dynamic Information and Action Gateway (DIAG) and remote function call (RFC).


SAProuter makes it easier to administer the networking aspects of the SAP landscape. To
make changes at the SAP system level, such as installing an additional instance that provides
additional ports, you do not need to change the configuration of the corporate firewall. The
SAP administration can reconfigure the SAProuter to incorporate the changes.

SAProuter Functionality
Controls and logs connections to your SAP system.

Can restrict access to other selected SAProuters.

Can restrict access to encrypted connections from a known partner.

Note:
SAProuter does not support scenarios for communication based on non-SAP protocols.

Caution:
SAProuter does not replace a firewall. You can use it in addition to the corporate
firewall. For more information about SAProuter, see SAP Note: 30289.

SAProuter and Remote Support

Figure 23: SAProuter and Remote Support

SAProuter enables a secured connection between the customer network and SAP support.
The figure, SAProuter and Remote Support, shows a connection between SAProuters at the
customer site and the SAP site. This connection is secured by Secure Network
Communication (SNC), and allows SAP support to access the SAP systems at the customer
site.

SAProuter Installation and Configuration

Figure 24: SAProuter Configuration – Route Permission Table

Figure 25: SAProuter 7.45 — Support Packages and Patches

You can find the latest SAProuter at: https://launchpad.support.sap.com/#/softwarecenter/support/index.
Search for SAProuter 7.45. From the maintenance components, pick the archive suitable for
your operating system.
To install SAProuter, extract the downloaded package to a file system directory on the host.
For example, on a Microsoft Windows host, create the directory <drive>:\usr\sap\saprouter.
Copy the executable files saprouter.exe and niping.exe into this directory.

SAProuter can be installed as a Microsoft Windows service. For more information, refer to the
exercise: Install SAP Router.
SAProuter uses the route permission table to control the specific IP addresses and
subnetworks that are permitted or denied access to a particular network. By default, the route
permission table is a file called saprouttab in the installation directory of SAProuter. The file
contains a list of connections that are denied or permitted access to a particular network.
The figure, SAProuter Configuration – Route Permission Table, shows standard entries that
appear in the route permission table (such as P, S, D, <source host>, <target host>,
<service>, and <password>).

Table 2: Functions of Standard Entries in the Route Permission Table

Field name      Description
D               Denies the connection.
P               Permits the connection.
S               Permits only connections based on the SAP protocol.
<source host>   Specifies the host name or IP address of the client, for example, the host
                on which the SAP GUI is running.
<target host>   Specifies the host name or IP address of the target, for example, the host
                on which the SAP system is running.
<service>       Specifies the service name or port number of the communication target.
<password>      Specifies the password needed to use this route. Specifying the password
                is optional.

Note:
You can use wildcard characters (*) to enter host names and services. For
security reasons, we recommend that you do not use wildcards in P and S entries.

Hint:
The first match in the saprouttab file is decisive. This means that the order of the
entries is important and the D entries should be at the top of the list. If no entries
match, permission is denied.

If the communication is to be secured by means of SNC, the saprouttab file entries must be
specified with KT, KD, KS, and KP. The SAProuter must be started with the option -K.

Note:
More information about secure communication using the SAProuter can be found
in the SAP help library. You can find reference to the relevant help pages in SAP
Note: 30289.

To connect to an SAP system using SAProuter, you must enter the following SAProuter
string:
/H/<host of SAProuter>/S/<port of SAProuter>/W/<password>/H/<target host>
Entering /S/<port of SAProuter> is optional in the router string if SAProuter uses the
default port 3299. You must enter the password with /W/<password> if a password is set in
the saprouttab file. For more information, see SAP Note: 30289.

SAProuttab Sample File

A saprouttab file example can be seen below.
# SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

# SNC connection to local system for R/3-Support
# R/3 Server: 192.168.1.1
# R/3 Instance: 00
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.1 3200

# SNC connection to local WINDOWS system for WTS, if applicable
# Windows server: 192.168.1.2
# Default WTS port: 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.2 3389

# SNC connection to local UNIX system for SAPtelnet, if applicable
# UNIX server: 192.168.1.3
# Default Telnet port: 23
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.3 23

# SNC connection to local Portal system for URL access, if applicable
# Portal server: 192.168.1.4
# Port number: 50003
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.4 50003

# Access from the local Network to SAP
P 192.168.*.* 194.39.131.34 3299

# deny all other connections
D * * *
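The following Python program is an added example, not code from the SAP course or from SAProuter itself: it parses a constructed saprouttab in the layout shown above, applies the first-match rule to a source/target/service triple (with the route password and the SNC partner name where an entry requires them), and splits a router string /H/.../S/.../W/.../H/... into its hops so the route can be checked as the first SAProuter would see it. The sample table, hosts and password are constructed; the treatment of KT entries, of a missing route password and of non-K entries on SNC connections is simplified and marked as an assumption in the comments.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional
import shlex

# Constructed sample table (not the lesson's file), one entry per line:
# <type> <source host> <target host> <service> [<password>]
# Lines are checked top to bottom and the first match is decisive, so D lines come first.
SAMPLE_SAPROUTTAB = """\
# block one client host outright; listed first because the first match wins
D  10.0.0.99     *            *
# SAP GUI to instance 00 of the ABAP system, only with the route password
P  192.168.*.*   192.168.1.1  3200  secret
# any other instance of that system, SAP protocol only (no telnet, no HTTP)
S  192.168.*.*   192.168.1.*  32*
# SNC route for remote support, keyed on the partner's SNC name
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 192.168.1.1 3200
# deny everything else
D  *             *            *
"""


@dataclass
class Rule:
    kind: str                       # P, S, D or the SNC variants KP, KS, KD, KT
    source: str                     # host pattern, or the quoted SNC name for K* entries
    target: str
    service: str
    password: Optional[str] = None


def parse_saprouttab(text):
    """Parse saprouttab lines; '#' starts a comment, quoted SNC names stay one token."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        if len(parts) < 4:
            raise ValueError(f"malformed saprouttab line: {raw!r}")
        password = parts[4] if len(parts) > 4 else None
        rules.append(Rule(parts[0].upper(), parts[1], parts[2], parts[3], password))
    return rules


def check_route(rules, source, target, service, password=None, snc_name=None):
    """Apply the first matching line. Returns (decision, rule); no match means deny."""
    for rule in rules:
        if rule.kind.startswith("K"):
            # assumption: KT only names a trusted SNC partner and is not a route decision;
            # KP/KS/KD are matched on the partner's SNC name instead of the source host
            if rule.kind == "KT" or snc_name != rule.source:
                continue
        elif not fnmatchcase(source, rule.source):
            continue
        if not (fnmatchcase(target, rule.target) and fnmatchcase(service, rule.service)):
            continue
        action = rule.kind[-1]
        if action == "D":
            return "deny", rule
        # assumption: a matching line whose password is not supplied refuses the route
        if rule.password is not None and rule.password != password:
            return "deny", rule
        return ("permit-sap-only" if action == "S" else "permit"), rule
    return "deny", None


def parse_route_string(route):
    """Split /H/host[/S/port][/W/password]... into hops. /S/ is optional for a SAProuter
    on the default port 3299; /W/ carries the route password for that hop."""
    tokens = route.strip("/").split("/")
    hops, i = [], 0
    while i < len(tokens):
        if tokens[i] != "H" or i + 1 >= len(tokens):
            raise ValueError(f"expected /H/<host> at token {i} of {route!r}")
        hop = {"host": tokens[i + 1], "port": None, "password": None}
        i += 2
        while i + 1 < len(tokens) and tokens[i] in ("S", "W"):
            hop["port" if tokens[i] == "S" else "password"] = tokens[i + 1]
            i += 2
        hops.append(hop)
    return hops


def evaluate_at_first_router(rules, client_host, route):
    """Decide a route string as the first SAProuter would: the next hop is the target and
    the /W/ password given after the router hop is the route password."""
    hops = parse_route_string(route)
    if len(hops) < 2:
        raise ValueError("route string needs a SAProuter hop and a target hop")
    nxt = hops[1]
    # a further SAProuter is reached on its own port, 3299 unless /S/ says otherwise
    service = nxt["port"] or ("3299" if len(hops) > 2 else None)
    if service is None:
        raise ValueError("target service missing; add /S/<port> after the target host")
    return check_route(rules, client_host, nxt["host"], service, password=hops[0]["password"])


if __name__ == "__main__":
    table = parse_saprouttab(SAMPLE_SAPROUTTAB)
    for args in (("192.168.5.7", "192.168.1.1", "3200", "secret"),
                 ("192.168.5.7", "192.168.1.1", "3200", None),
                 ("192.168.5.7", "192.168.1.2", "3201", None),
                 ("192.168.5.7", "192.168.1.2", "23", None)):
        print(args, "->", check_route(table, *args)[0])
```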

LESSON SUMMARY
You should now be able to:

Install and configure SAProuter

Unit 2
Lesson 3
Installing and Configuring SAP Web Dispatcher

LESSON OVERVIEW
With the rising use of Web-based applications and the need for customers to access SAP
applications via the Web, the setup and configuration of the SAP Web Dispatcher has become
much more important. This lesson addresses these topics.

Business Example
You need to install the SAP Web Dispatcher. For this reason, you require the following
knowledge:

An understanding of the SAP Web Dispatcher

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Install and configure SAP Web Dispatcher

SAP Web Dispatcher

Figure 26: SAP Web Dispatcher

Common Features of SAP Web Dispatcher


The SAP Web Dispatcher is the entry point for HTTP(S) requests into your systems, based
on SAP NetWeaver Application Server (SAP NetWeaver AS).

The SAP Web Dispatcher was developed primarily as a software load balancer, but over
time has been enhanced with the functions of an application level gateway. Additionally, it
can be used as a reverse proxy.

The SAP Web Dispatcher can reject or accept connections. When the SAP Web Dispatcher
accepts a connection, it balances the load to ensure an even distribution across the
application servers, which contributes to security in your SAP system.

You can use the SAP Web Dispatcher in SAP NetWeaver Application Server for ABAP (SAP
NetWeaver AS for ABAP), SAP NetWeaver Application Server for Java (SAP NetWeaver AS
for Java), and SAP NetWeaver AS ABAP+Java-based systems.
The SAP Web Dispatcher is most commonly used to balance the load of requests from the
user’s Internet browser, although this is not its only use.
The SAP Web Dispatcher can be used to load-balance any HTTP-based requests. If, for
example, SAP NetWeaver AS provides a Web service (WS), which is consumed by another
server, the SAP Web Dispatcher is required to distribute the requests from the Web service
clients to the server nodes of SAP NetWeaver AS.
As of Release 7.2, one SAP Web Dispatcher can be used for multiple SAP systems, as
displayed in the figure, SAP Web Dispatcher. For more details on which SAP Web Dispatcher
you can use for which release of SAP NetWeaver AS, see SAP Note 908097.

Features of the SAP Web Dispatcher

Server selection and load balancing


Forwards incoming stateful or stateless HTTP(S) requests to an appropriate SAP
NetWeaver AS for processing.

URL filtering
Maintains a URL permission table to control which requests are rejected or accepted.

Web caching
Improves response times and offloads the application server by using the SAP Web
Dispatcher as a Web cache.

Modification of HTTP requests


Manipulates inbound HTTP requests on the basis of defined rules.
Manipulates HTTP header fields, filters requests, and redirects requests and URL
values.

Secure Socket Layer (SSL)


Forwards, terminates, and (re)encrypts requests depending on its SSL configuration.

You can configure the SAP Web Dispatcher to use as many of these features as necessary.

SAP Web Dispatcher Details

Figure 27: SAP Web Dispatcher Details for an SAP NetWeaver AS for ABAP System

An SAP NetWeaver AS-based SAP system consists of one or more instances where HTTP(S)
requests are processed. Using the SAP Web Dispatcher, you have a single point of access for
HTTP(S) requests in your system. The SAP Web Dispatcher balances the load so that the
requests are distributed over all the instances. In addition, you can increase the security of
your system landscape by using the additional features of the SAP Web Dispatcher, for
example, URL filtering.

SAP Web Dispatcher Installation


As of installation media (DVDs) for SAP systems based on SAP NetWeaver 7.0 and newer,
you can install the SAP Web Dispatcher using Software Provisioning Manager (SWPM) /
SAPinst. This option is recommended and characterized by the following:

The SAP Web Dispatcher runs under its own system ID (SID).

The conventional paths are used (/usr/sap/<SID>).

As part of the instance, sapstartsrv is configured and can be used to start, stop and
monitor the SAP Web Dispatcher.

Hint:
You can determine the current version of your SAP Web Dispatcher
installation as follows:
- By executing sapwebdisp -v
- By analyzing the most recent developer trace file (by default,
dev_webdisp)
- By launching the Version Info dialog in SAP MC or SAP MMC

See the SAP Library for installation guides on SAP Help Portal at: http://help.sap.com.
To use the SAP Web Dispatcher as a load balancer, you must specify the information about
the message server of the SAP system during installation. The message server provides
further information about the SAP system to the SAP Web Dispatcher. In an SAP NetWeaver
AS for ABAP-based or SAP NetWeaver AS for ABAP+Java-based system, the SAP Web
Dispatcher uses the ABAP message server. In an SAP NetWeaver AS for Java-based system,
the SAP Web Dispatcher uses the Java message server.

SAP Web Dispatcher Security


To guarantee maximum security when the SAP Web Dispatcher is used, we recommend the
following measures:

Use the latest version of the SAP Web Dispatcher.

Configure your own error pages to ensure that the end user does not see the technical
reason for the error.

Use the SAP Web Dispatcher as a URL filter with the white lists (only the specified URLs
are allowed).

Filter the following URLs because they reveal details of the infrastructure and the
configuration: /sap/public/icman/*, /sap/public/icf_info/*, and /sap/wdisp/info.

Increase security for the Web Administration Interface by performing the following tasks:
- Use a dedicated port (separate from the content port).
- Use SSL.
- Allow administration tasks to be performed only under a specific host name or IP address
that is reachable from the internal network only.

For more information about security when using the SAP Web Dispatcher, see SAP Note
870127.
Use the Authentication Handler to configure the SAP Web Dispatcher to reject specific URLs.
Set up the access restrictions with the icm/HTTP/auth_<xx> profile parameter. Filter
requests using the SAP Web Dispatcher according to the following criteria:

URL

Client IP address

Server IP address

User name or user group and password

String search in the URL

SAP Web Dispatcher: URL Filtering

Figure 28: SAP Web Dispatcher: URL Filtering

By setting the icm/HTTP/auth_<xx> parameter, for example, icm/HTTP/auth_0 = PREFIX=/,
PERMFILE=permissionfile.txt, FILTER=SAP, you can specify permitted and prohibited
requests in the permissionfile.txt file. You can control which specific IP addresses and
subnetworks are permitted and denied access to a particular network. You can also permit or
deny specific URL patterns. The permissionfile.txt file contains a list of connections that
are denied or permitted access to a particular network.
The entries in the file appear as follows:
P/S/D <URI pattern> <User> <Group> <Client IP> <Server IP>
Here D denies the connection described on that line, P permits it, and S permits it only if it
uses the HTTPS protocol. The IP address (pattern) of the clients is entered as <Client IP>
and the IP address of the application server host is entered as <Server IP>. <URI pattern>
specifies the URL prefix of the request, for example, /sap/public/info. With <User> or
<Group>, you can allow a pattern for a user or group known to the SAP Web Dispatcher, for
example, for administration of the SAP Web Dispatcher. Wildcard characters (*) can be used.

Hint:
The first matching line determines the result. This means that the order of the
entries is important. Please note that the URI pattern is case-sensitive. Create
the table as a positive list. Permit all the URLs that are to be allowed and, at the
end of the table, add an entry D /* * * * * to deny all other connections.
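The permission-file rules above, as an added Python example (not SAP's authentication handler): it parses a constructed permissionfile.txt built as a positive list that denies the infrastructure URLs named earlier in this lesson, then applies the first-match rule to sample requests, including the case-sensitive URI prefix, the client-IP restriction on the administration interface and the HTTPS-only S line. The file contents, IP addresses and group name are constructed; how an S line hit by a plain-HTTP request and a request no line covers are treated is an assumption noted in the code.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed permission file (not the lesson's own), in the layout
# P/S/D <URI pattern> <User> <Group> <Client IP> <Server IP>.
# Positive list: infrastructure-revealing paths are denied first, the allowed
# prefixes follow, and the final line denies everything else.
SAMPLE_PERMFILE = """\
# never expose ICM / ICF / dispatcher details
D /sap/public/icman/*    *  *      *          *
D /sap/public/icf_info/* *  *      *          *
D /sap/wdisp/info        *  *      *          *
# administration interface: only members of group admin from the internal subnet
P /sap/wdisp/admin/*     *  admin  10.0.0.*   *
# application over HTTPS only
S /sap/bc/webdynpro/*    *  *      *          *
P /sap/public/*          *  *      *          *
# deny all other requests
D /*                     *  *      *          *
"""


@dataclass
class Request:
    uri: str
    client_ip: str
    server_ip: str
    https: bool
    user: Optional[str] = None      # None: the request carries no authenticated user
    group: Optional[str] = None


@dataclass
class PermLine:
    action: str                     # P, S or D
    uri: str
    user: str
    group: str
    client_ip: str
    server_ip: str


def parse_permfile(text):
    """One PermLine per non-comment line; every line must have all six fields."""
    lines = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].split()
        if not body:
            continue
        if len(body) != 6 or body[0] not in ("P", "S", "D"):
            raise ValueError(f"malformed permission line: {raw!r}")
        lines.append(PermLine(*body))
    return lines


def _glob(pattern, value, prefix=False):
    """'*' matches any run of characters; matching is case-sensitive.
    URI patterns are prefixes (assumed here: '/sap/public/info' also covers
    '/sap/public/info/x'); user, group and IP patterns must match the whole value."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.match(regex if prefix else regex + r"\Z", value) is not None


def _field(pattern, value):
    # a bare '*' also accepts a request that carries no user or group at all
    return pattern == "*" or (value is not None and _glob(pattern, value))


def check_request(lines, req):
    """First matching line is decisive; returns (decision, line)."""
    for line in lines:
        if not (_glob(line.uri, req.uri, prefix=True)
                and _field(line.user, req.user)
                and _field(line.group, req.group)
                and _glob(line.client_ip, req.client_ip)
                and _glob(line.server_ip, req.server_ip)):
            continue
        if line.action == "D":
            return "deny", line
        if line.action == "S" and not req.https:
            # assumption: an S line matched by a plain-HTTP request rejects it
            return "deny", line
        return "permit", line
    return "deny", None             # assumption: a request no line covers is rejected


if __name__ == "__main__":
    perm = parse_permfile(SAMPLE_PERMFILE)
    for req in (Request("/sap/public/icman/info", "10.0.0.5", "192.168.1.1", True),
                Request("/sap/wdisp/admin/default.html", "10.0.0.5", "192.168.1.1", True, "wdadm", "admin"),
                Request("/sap/wdisp/admin/default.html", "172.16.0.5", "192.168.1.1", True, "wdadm", "admin"),
                Request("/sap/bc/webdynpro/sap/zapp", "10.0.0.5", "192.168.1.1", False),
                Request("/SAP/public/info", "10.0.0.5", "192.168.1.1", True)):
        decision, line = check_request(perm, req)
        print(f"{req.uri:35} {decision:6} via {line.uri if line else 'no line'}")
```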

SAP NetWeaver AS and Load Balancing

Figure 29: Client-Based Load Balancing (Not Recommended)

In client-based load balancing, the user contacts the message server, and the request is
redirected to one of the application servers. The user remains on this application server
during the session. The user has a direct connection to the application server, which means
there is no problem with session persistence or using Secure Socket Layer (SSL). However,
the user is not always directed to the same server, so the URL varies and bookmarks become
invalid. In addition, if the user switches to another server, they have to authenticate again.
When you use SSL, each server must have its own server certificate, which increases the
costs and administrative overheads. In client-based load balancing, SSL is suitable for small
intranet landscapes. Client-based load balancing is not recommended for productive
systems.

Server-Based Load Balancing

Figure 30: Server-Based Load Balancing

Server-based load balancing uses load balancers in front of the back-end servers. As a result,
the user has only one URL that is used to access the application server.
The options available for load balancing are as follows:

SAP Web Dispatcher

Web switch

Reverse proxy

Combination of more than one load balancing technique (complex scenario)

Alternative load balancing techniques are as follows:

Hardware load balancer

Other network load balancing devices

Load Balancing with the SAP Web Dispatcher

Figure 31: Load Balancing with the SAP Web Dispatcher

The SAP Web Dispatcher is a load balancing and application proxy solution for SAP
NetWeaver AS. The SAP Web Dispatcher is an easy-to-use solution.
The characteristics of the SAP Web Dispatcher are as follows:

It uses the message server to determine the current state.

It uses SAP logon groups to determine which requests (ABAP or Java) are directed to
which server.

The advantages of the SAP Web Dispatcher are as follows:

It is available free of charge with SAP NetWeaver AS.

It requires minimal configuration and administration.

It supports the features of SAP NetWeaver AS out-of-the-box.

The SAP Web Dispatcher is a program that runs on a host and is connected to the Internet or
intranet.
All required information for a basic configuration is gathered during the installation process.

Load Balancing Alternative: Web Switch

Figure 32: Load Balancing Alternative – Web Switch

Advantages of using load balancing techniques other than the SAP Web Dispatcher (such as
Web switch) include the following:

They provide additional features that are not available with the SAP Web Dispatcher, such
as authentication.

They enable reuse of an existing infrastructure.

They provide a unified Web infrastructure for all Web systems that include both SAP
systems and non-SAP systems.

Disadvantages of using load balancing techniques other than the SAP Web Dispatcher include
increased costs, less integration with SAP NetWeaver AS, and increased configuration and
maintenance overhead.

Load Balancing Alternative: Reverse Proxy

Figure 33: Load Balancing Alternative – Reverse Proxy

With a reverse proxy, you can route incoming requests to different services based on the
URL path. For example, in the figure, Load Balancing Alternative – Reverse Proxy, the
requests containing the path /other are directed to static Web pages located on the Web
server. If the request is directed to a path under /sap, the reverse proxy directs the request to
the SAP NetWeaver AS host456. The requests that contain the path /store are directed to
host789. In this way, you can activate various services on various hosts that are all accessible
using the same HTTP(S) port.

Load Balancing: Complex Scenario

Figure 34: Load Balancing: Complex Scenario

You can optimize the security and availability of systems by combining various load-balancing
techniques. For example, in the figure, Load Balancing: Complex Scenario, Web switches are
used at the end of the communication path. Therefore, the Web switch does not need to be
highly trusted or handle session persistence. If SSL is used, the connection is passed on to the
SAP Web Dispatcher, which is considered more trusted. The SAP Web Dispatcher handles the
load balancing and session persistence for the connections to SAP NetWeaver AS at the back
end. If SSL is used, it can be terminated at the SAP Web Dispatcher so that the SAP Web
Dispatcher can perform URL filtering.

LESSON SUMMARY
You should now be able to:

Install and configure SAP Web Dispatcher

Unit 2

Learning Assessment

1. In saprouttab, what does a line starting with S mean?

2. How can you specify a custom port for SAProuter?

3. How can you restrict access to specific URLs in the Web Dispatcher?

4. Name three options for restricting access in the SAP Web Dispatcher permission file.

Unit 2

Learning Assessment - Answers

1. In saprouttab, what does a line starting with S mean?

It only permits communication through the SAP protocol.

2. How can you specify a custom port for SAProuter?

Use the parameter -S

3. How can you restrict access to specific URLs in the Web Dispatcher?

Use the parameter icm/HTTP/auth_0 to specify a text file with the access rules.

4. Name three options for restricting access in the SAP Web Dispatcher permission file.

URL, client IP address, server IP address

UNIT 3 NetWeaver AS Security Operations

Lesson 1
Explaining the Secure Store 43

Lesson 2
Outlining Authorizations and Security Policies 54

Lesson 3
Setting Up User Security in SAP Systems 71

Lesson 4
Securing the Message Server and the Internet Communication Manager (ICM) 87

Lesson 5
Securing the SAP GUI 96

Lesson 6
Monitoring SAP Systems Security 101

Lesson 7
Describing Application Lifecycle Management 115

Lesson 8
Monitoring Security with SAP Solution Manager 121

UNIT OBJECTIVES

Explain cryptography and the secure store

Outline authorizations and password policy parameters

Outline security policy maintenance

Set up user security in SAP systems

Secure the message server and the Internet Communication Manager (ICM)

Secure the SAP GUI

Monitor security in SAP systems

Describe the SAP Solution Manager and Security Patching

Describe the process of moving to SAP HANA-based SAP NetWeaver systems

Describe change and transport system security

Outline SAP services

Analyze the security monitoring capabilities of SAP Solution Manager

Unit 3
Lesson 1
Explaining the Secure Store

LESSON OVERVIEW
This lesson explains how to implement security measures in SAP systems with Secure Socket
Layer (SSL) and Secure Network Communications (SNC).

Business Example
You want to implement security measures in SAP systems. For this reason, you need an
understanding of the following:

SSL and SNC

Personal Security Environment (PSE)

Digital signatures in SAP systems

How to use the Trust Manager

How to use the Key Storage Service

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Explain cryptography and the secure store

Cryptography and the Secure Store


Secure Socket Layer (SSL)

Figure 35: SSL: Server Authentication

HTTPS is the protocol indicator for HTTP over SSL in the URL. SSL uses a hybrid encryption
method.
SSL provides the following features:

Data encryption

Server authentication

Client authentication

Mutual authentication

To use SSL for server authentication, SAP NetWeaver Application Server (AS) has a private
and public key pair. In the figure, SSL: Server Authentication, when Alice connects, the server
sends its public key certificate with a digitally signed message.
In addition to verifying the validity of the certificate, Alice verifies the identity of SAP
NetWeaver AS by verifying values, such as validity dates and digital signature of the
Certification Authority (CA).
Alice only accepts the certificate if she trusts the CA that issued the certificate to SAP
NetWeaver AS.
Alice verifies the signed message sent by SAP NetWeaver AS. This message ensures that SAP
NetWeaver AS has the matching private key and is the intended server with which she wants
to communicate.
Alice generates the secret key that she encrypts using the public key of SAP NetWeaver AS
and sends the secret key to SAP NetWeaver AS.
Further communication between Alice and the server is encrypted using the secret key.

SSL: Mutual Authentication

Figure 36: SSL: Mutual Authentication

SSL with mutual authentication has the same procedure as SSL with server authentication,
except for the following additional steps:

Alice also sends her public key certificate with the encrypted secret key to SAP NetWeaver
AS.

In addition to her public key certificate, she also sends a signed message.

SAP NetWeaver AS verifies Alice’s public key certificate and signed message to
authenticate her.

As a result, both SAP NetWeaver AS and Alice are authenticated.

SSL: Uses in SAP Environments

Figure 37: SSL: Uses in SAP Environments

SSL is used in the following SAP environments where Internet protocols are used:

Between the Web browser of a user and SAP NetWeaver AS

Between two SAP NetWeaver AS

Between SAP NetWeaver AS and a different Web server

Secure Network Communications (SNC)


The SAP proprietary protocols SAP Dynamic Information and Action Gateway (SAP
DIAG) (used for SAP GUI) and SAP Remote Function Call (RFC) do not cryptographically
authenticate client and server or encrypt network communication.
Because of the missing authentication and encryption, rogue systems can attack network
communication in the following ways:

Eavesdrop on passwords transmitted over the network

Intercept network traffic

Manipulate content and forward it to legitimate servers (man-in-the-middle attacks)

We recommend using SNC, as it provides the following features to mitigate the risks during
communication:

Cryptographically strong mutual authentication

Integrity protection of transmitted data

Encryption of network traffic

SNC can be used without additional partner software for all RFC communication between SAP
servers. SNC can also be used for SAP GUI communication if the SAP server and SAP GUI
clients run Windows. For more information about Microsoft Windows Single Sign-On (SSO)
options, see SAP Note 352295. An SNC partner product is needed to secure SAP GUI
connections in heterogeneous system landscapes (for example, servers run Advanced
Interactive eXecutive (AIX) and clients run Microsoft Windows).

Table 3: Profile Parameters for SNC Levels

Profile Parameter             SNC Level   SNC Property
snc/data_protection/min       1           Secure authentication
snc/data_protection/max       2           Data integrity protection
snc/data_protection/use       3           Confidentiality

Not all partner solutions provide all three SNC properties.

Scenarios for SNC

Figure 38: Recommended Scenarios for SNC

The following security measures must be taken during SNC implementations:

SNC is implemented between SAP GUI and ABAP systems because end user traffic may
pass through networks susceptible to network sniffing.

For production systems, we recommend deactivating non-SNC access for most SAP GUI
users (snc/accept_insecure_gui=U). Only a small number of emergency accounts
must be able to access the system with password login.

For RFC communication, SNC must be implemented if the network traffic is susceptible to
sniffing by end users.

Detailed requirements for SNC implementations are customer-specific.

SNC Using Generic Security Service Application Programming Interface (GSS-API)

Figure 39: SNC Using Generic Security Service Application Programming Interface (API)

SNC uses a generic GSS-API interface that is standardized by the Internet Engineering Task
Force (IETF).

GSS-API encrypts the data at the Network Interface (NI) protocol level. NI is the SAP protocol
layer.
SSL is present in the TCP/IP layer.

SNC Products

Figure 40: SNC Products

The following SNC product is available free of charge:

Microsoft Kerberos (Microsoft environment only)

To use SNC in other configurations, you can use SAP NetWeaver SSO or products from SAP
security partners.
The SAP Cryptographic Library is available on the SAP Service Marketplace. You can use this
product for server-to-server communication. When the SAP Cryptographic Library is
installed, it replaces the SAP Security Library (SAPSECULIB). SAPSECULIB is the default
security library for digital signatures.

Note:
These two products cannot be used simultaneously.

SAP NetWeaver SSO is an SAP product that provides authentication and encryption and is
intended for use in SAP NetWeaver environments. To learn more about SAP NetWeaver SSO,
visit http://help.sap.com.
As an alternative, you can use a product that has been certified for use by the SAP Software
Partner Program.

Secured SAP Connections

Figure 41: Secured SAP Connections

In the SAP environment, the following protocols can be secured using partner products:

HTTP (SSL) to Application Gateway: SAP Secure Login Library or partner product

DIAG, RFC (SNC) with SAPGUI: SAP NetWeaver SSO (license required) or partner product

HTTP (SSL) to SAP NetWeaver AS (and SAP Web Dispatcher): SAPCryptolib

DIAG, RFC (SNC) to SAProuter: SAPCryptolib

DIAG, RFC (SNC) between SAP NetWeaver AS: SAPCryptolib

SNC to SAPLPD: SAPCryptolib

Personal Security Environment (PSE)

Figure 42: PSE

PSE contains the following components:

Private key

Public key certificate of the server

Certificates of trusted CAs (certificate list)

PSEs in SAP Systems

Figure 43: PSEs in SAP Systems

Separate PSEs are used for various identities or functions (separation of tasks). Each PSE
performs a specific function.
The functions performed by PSEs are as follows:

SNC PSE is used by SAP NetWeaver AS for SNC.

System PSE is used by the SAP system for digital signatures.

SSL server PSE is used by SAP NetWeaver AS for SSL when the PSE is the server
component for the connection.

SSL client PSE is used by SAP NetWeaver AS for SSL when the PSE is the client
component for the connection.

Secure Store & Forward (SSF) applications use various PSEs to obtain the security
information that they need. For example, HTTP Content Server and SAP NetWeaver AS
use different PSEs to sign logon tickets.

File PSE contains security information (key pair and certificate list) that is stored in a local
file in the file system. The file PSE is used for creating and verifying digital signatures, but
not for encryption.

To meet the requirements for various functions, the server needs to have different names.
The Distinguished Name (DN) specified for a PSE identifies the server for the corresponding
function when using this PSE.

Caution:
Restrict access to the table SSF_PSE_D by assigning the table to a dedicated
table-authorization group. End users must not have access to this new table-
authorization group. For more information about protecting access to key tables,
see SAP Note 1485029. Restrict file system access to PSE files from ABAP
programs. For more information about protecting access to PSE files using an
additional authority check, see SAP Note 1497104.

Digital Signature in SAP Systems

Figure 44: SSF and Digital Signatures

SSF provides security for SAP data and documents in the following cases:

Data leaves the SAP system, for example, online orders, payments, or transfer of business
information.

Data is stored on unsecure media, for example, an external database, diskettes, or
archives.

Data is transmitted over unsecure networks, such as the Internet.

Data security is associated with persons and individuals, for example, digital signatures.

SSF provides data integrity, privacy, authentication, and non-repudiation in business
transactions. Data can be signed or encrypted in the SAP system and transferred to other
media. SSF uses the standard Public Key Cryptographic Standard #7 (PKCS#7). As a result,
data can also be processed by non-SAP systems.

Digital Signatures used by SSF for Protection of Data

User signatures
- Authenticity and integrity
Alice’s document (for example, a business order) is authentic, is signed by her, and has
not been changed.
- Non-repudiation
Alice cannot deny having signed the document.

System signatures
- Document integrity
A document (for example, an archived document) has not been changed.

LESSON SUMMARY
You should now be able to:

Explain cryptography and the secure store

Unit 3
Lesson 2
Outlining Authorizations and Security Policies

LESSON OVERVIEW
This lesson provides an overview of authorizations in SAP systems and explains the rules for
password management in SAP systems.

Business Example
You want to define authorizations in an SAP system. For this reason, you require an
understanding of the following:

The authorization concept of Application Server ABAP (AS ABAP) and Application Server
Java (AS Java)

Password management in AS ABAP

Secure store in AS ABAP and AS Java

Configuring password parameters

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Outline authorizations and password policy parameters

Outline security policy maintenance

Authorizations and Password Policy Parameters


SAP NetWeaver AS for ABAP Authorization

Figure 45: SAP NetWeaver AS for ABAP Users and Authorization – Introduction

SAP uses a positive authorization concept. Positive authorization means that an authorization
or an access must be granted so that a user can execute actions or tasks. However, the
concepts and terms differ in SAP NetWeaver AS for ABAP and SAP NetWeaver AS for Java.
A user can log on to an SAP system client if they know the user and password for a user
master record.
Every time the user calls a transaction, an authorization check occurs in the SAP system. If a
user attempts to start a transaction for which that user is not authorized, the system rejects
the user with an appropriate message.
If the user starts a transaction for which they have authorization, the system displays the
initial screen of the transaction. The user can enter the data and perform various tasks on this
screen. The system performs additional authorization checks for data and actions that need
to be protected.

Unit 3: NetWeaver AS Security Operations

Authorization Objects

Figure 46: Authorization Objects

Authorization objects protect actions and the access to data in the SAP system. They are
delivered by SAP and are available in the SAP system. They are divided into various object
classes.
Authorization objects enable complex checks that involve multiple conditions before allowing
you to perform an action. The conditions are specified in the authorization fields of the
authorization objects and are linked for the check. Authorization objects and their fields have
descriptive and technical names. For example, the authorization object User Master
Maintenance: User Groups (technical name: S_USER_GRP) contains two fields: Activity
(technical name: ACTVT) and User Group in User Master Record (technical name:
CLASS). The authorization object S_USER_GRP protects the user master record. An
authorization object includes up to 10 authorization fields.
An authorization is associated with only one authorization object. The authorization contains
the value for the fields for the authorization object. An authorization is a permission to
perform a certain action in the SAP system. The action is defined based on the values of the
individual fields of an authorization object. For example, authorization B for authorization
object S_USER_GRP enables all user master records that are not assigned to the SUPER user
group to be displayed.
There can be multiple authorizations for one authorization object. Some authorizations are
delivered by SAP, but most are created to meet customer-specific needs.
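The following Python model, added here as an illustration and not code from SAP or from this handbook, shows the check semantics the text describes: an authorization grants values for every field of one object, all fields must match within one authorization, and it is enough that any one of the user's authorizations for the object matches; with no matching authorization the check fails. Single values, intervals and the * wildcard as granted values, ACTVT 03 standing for Display, and the user group names are assumptions of the example; the real check runs in the ABAP kernel, not in Python.

```python
"""Model of the AS ABAP positive authorization check (added example, not SAP code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# A field value granted in an authorization is a single value, the wildcard "*",
# or an inclusive (low, high) interval, compared as character strings (assumption).
FieldValue = Union[str, Tuple[str, str]]


@dataclass
class Authorization:
    """One authorization: field values for exactly one authorization object."""
    obj: str
    fields: Dict[str, List[FieldValue]]


def value_matches(requested: str, allowed: FieldValue) -> bool:
    """Does one granted value cover the requested field value?"""
    if isinstance(allowed, tuple):
        low, high = allowed
        return low <= requested <= high
    return allowed == "*" or allowed == requested


def authorization_satisfies(auth: Authorization, obj: str, request: Dict[str, str]) -> bool:
    """Within one authorization every requested field must be covered (AND)."""
    if auth.obj != obj:
        return False
    return all(
        any(value_matches(value, allowed) for allowed in auth.fields.get(name, []))
        for name, value in request.items()
    )


def authority_check(user_auths: List[Authorization], obj: str, **request: str) -> bool:
    """Positive concept: access is granted only if at least one of the user's
    authorizations for the object covers all requested field values (OR across
    authorizations); with no matching authorization the check fails."""
    return any(authorization_satisfies(a, obj, request) for a in user_auths)


# Constructed authorization modelled on "authorization B" from the text: display
# (ACTVT 03, assumed to mean Display) of user master records in every user group
# except SUPER. Because granted values are positive, the exclusion is expressed
# as two intervals around the value SUPER.
AUTH_B = Authorization(
    "S_USER_GRP",
    {"ACTVT": ["03"], "CLASS": [("A", "SUPEQ"), ("SUPES", "ZZZZZZZZZZZZ")]},
)


def demo() -> Dict[str, bool]:
    """Run a few constructed checks against a user who holds only AUTH_B."""
    auths = [AUTH_B]
    return {
        "display_hr": authority_check(auths, "S_USER_GRP", ACTVT="03", CLASS="HR"),
        "display_super": authority_check(auths, "S_USER_GRP", ACTVT="03", CLASS="SUPER"),
        "change_hr": authority_check(auths, "S_USER_GRP", ACTVT="02", CLASS="HR"),
        "other_object": authority_check(auths, "S_USER_PRO", ACTVT="03", CLASS="HR"),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

Only the first request succeeds: the user may display users in group HR but not in SUPER, may not change anything because ACTVT 02 is not granted, and has no authorization at all for S_USER_PRO.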


Role Maintenance

Figure 47: Role Maintenance

Role maintenance (transaction PFCG, previously known as Profile Generator) simplifies the
process of creating and assigning the authorization to users. In role maintenance, related
transactions are selected. For the selected transactions, role maintenance creates the
authorizations with the required fields. A role can be assigned to various users. Changes to a
role affect multiple users. Users can be assigned various roles.
The user menu contains entries such as transactions, URLs, and reports. These entries are
assigned to the user through the roles.


SAP NetWeaver AS for Java Authorization

Figure 48: Authorization Concept of SAP NetWeaver AS for Java

You can use authorizations to control which users can access a Java application and which
actions are permitted for a user. Authorizations are combined as roles and then assigned to a
user or a user group by an administrator. The SAP NetWeaver Identity Management (SAP
NetWeaver ID Management) and Visual Administrator tools are used to assign authorizations.
Authorization checks are built into the Java application. In the Java application, you can
differentiate authorization checks with different objectives.
Access to an application is protected by checking whether the appropriate JEE security role is
assigned to the requesting user. If the user does not have the required security role, an error
message is displayed and access is denied. If the user has access to the system, the individual
activities can be protected. When requesting a special activity, for example, Delete, the
system checks whether the required JEE security role or User Management Engine (UME)
permission is assigned. You can control access to object instances, such as folders and
documents, using the Access Control List (ACL).
With all types of authorization checks specified, the developer must define the authorizations
query in the application. The developer decides which type of authorization check is to be
used. After implementation, the application determines which JEE security roles, UME
permissions, or UME ACLs are used.


Caution:
In SAP NetWeaver 7.0, UME roles are administered using SAP NetWeaver ID
Management, and J2EE security roles are administered using the Visual
Administrator. In SAP NetWeaver AS for Java 7.1 and later, JEE security roles are
mapped to server roles (UME roles) in a particular deployment descriptor of the
application.

J2EE security roles are a part of the J2EE standard. UME roles are an (SAP) extension of the
J2EE security roles. You can define the same authorization checks with J2EE security roles
and UME roles. However, it is easier and more precise to assign authorizations with UME
roles. A UME role comprises various authorization objects, whereas a J2EE security role
consists of one object. In comparison to one UME role, many J2EE security roles must be
assigned for the same authorization. Always use UME roles, except in cases in which J2EE
security roles are sufficient.

Note:
A role in the ABAP environment is roughly equivalent to a UME role. An
authorization object in the ABAP environment can be compared to a security role
or UME permission.

Secure Storage in SAP NetWeaver AS for ABAP


In special situations, applications or system functions need a way to securely store user and
password information. The secure storage is an ABAP-kernel function for storing encoded
data. The function is used by applications in the SAP system to securely store access data
such as passwords for external systems.
The following SAP applications use the secure storage to store passwords:

Web Service Security

Remote Function Call (RFC) destinations

Internet Communication Framework (ICF) services

Change and Transport System (CTS)

SAPphone

SAPconnect

Generic Request and Message Generator (GRMG)


Secure Storage in SAP NetWeaver AS for ABAP (SECSTORE)

Figure 49: Secure Storage in AS ABAP (SECSTORE)

As of Release 7.00, transaction SECSTORE (report RSECADMIN) is the central maintenance
tool for secure storage in AS ABAP. This tool offers checks for the records (using the check
feature of the kernel) and allows migration of records after a change of the global key or of
system-dependent data.
You can check the entries in the secure storage across clients in transaction SECSTORE
(without seeing their contents).

Data Check

Figure 50: Data Check


Hint:
Call transaction SECSTORE after every system copy and check the entries. If all
entries are green, no action is necessary. If entries are red, a new migration key is
needed to migrate the data.

The installation number of the system and the system ID are used when creating the key for
the secure storage. If one or more of these values change, the data in the secure storage can
no longer be read. Under certain circumstances, you can migrate the data. To do this, you
need a migration key.
If the installation number changes because a new license is imported, SAP automatically
generates the migration key and sends the key with the mail for the new license.

Data Migration

Figure 51: Data Migration

To migrate the data, switch to the System data changed tab page in transaction SECSTORE.
Fill the Old System Name, Old Installation Number, and Release Key input fields and choose
Execute. The migration key can be generated at the SAP Service Marketplace
(http://service.sap.com), Quick Link /migrationkey.


Migration Key

Figure 52: Migration Key

For more information about migration entries in the secure storage, see SAP Note 816861.
For more information about how system copy ignores secure storage tables, see SAP Note
828529.
For more information about maintaining secure storage across customer numbers, see SAP
Note 1027439.

Secure Storage in SAP NetWeaver AS for Java


In SAP NetWeaver AS for Java-based systems, applications or services must be able to store
sensitive data, such as passwords.
SAP NetWeaver AS for Java stores the following security-relevant information in a file in the
file system:

Database user SAP<SID>DB and the password

Database connection information

SAP NetWeaver AS for Java uses the SAP Java Cryptography Toolkit to encrypt the
information in the secure store using the triple Data Encryption Standard (DES) algorithm.
The encryption is performed during the SAP NetWeaver AS for Java installation process.
Using the configuration tool, you can encrypt the file again and change the key phrase.


Caution:
As the secure storage file contains sensitive information, access to this file must
be restricted by file system permissions. The secure storage file is located at
\usr\sap\<SID>\SYS\global\security\data\SecStore.properties .

Password Rules in SAP NetWeaver AS for Java

Figure 53: Password Rules in SAP NetWeaver AS for Java

Password rules in SAP NetWeaver AS for Java are controlled by UME parameters. The most
important parameters can be changed by the system administrator in the UME Configuration
UI.

Hint:
In the SAP NetWeaver AS for ABAP+Java (dual stack) system, you need to
maintain the password parameters at SAP NetWeaver AS for ABAP and SAP
NetWeaver AS for Java. The password parameters are not synchronized
automatically.

Password Management in SAP NetWeaver AS for ABAP


Like all systems with password-based logon, SAP systems store password information in
some form. SAP systems do not store passwords as they are, but use one-way functions to
calculate password hashes. These password hashes are stored in the database. The system
verifies a user password by using the one-way function to calculate the password hash and
comparing it to the stored value. Since it is a one-way function, the password cannot be
calculated from the stored password hashes. All systems using this method are subject to
password dictionary attacks or password brute-force attacks if the password hashes are
retrieved from the system. Security measures, such as strong password rules, must be taken
to significantly reduce the probability of successful password cracking attacks.
You must configure a strong password policy according to your corporate policy.

SAP NetWeaver AS for ABAP Password Rules

Table 4: Password Rules

The following table lists AS ABAP password rules defined by the customer and the rules
predefined in the SAP system:

Rules Defined by the Customer
- Minimum length
- Special characters, digits
- Validity
- Password may not be set to a value contained in the lock list (table USR40)

Rules Predefined in the SAP System
- First character cannot be ! or ?
- First three characters may not be identical
- Password cannot be PASS or SAP*
- Passwords are case-sensitive in SAP NetWeaver AS for ABAP 7.00 and later
- Passwords can be up to 40 characters long, as of SAP NetWeaver AS for ABAP 7.00

Apart from the predefined password rules, you can influence user passwords in the following
ways:

Using the system profile parameters to assign a minimum length for the passwords and
define how often the user has to set new passwords.

Entering prohibited passwords in table USR40.

Table USR40 is maintained with transaction SM30. Entries may contain wildcard characters
such as ? for one character and * for a character string.

System Profile Parameters


You can control the password policies with profile parameters starting with login. The table,
System Profile Parameters and Applicable Values, shows the most relevant profile
parameters.

Table 5: System Profile Parameters and Applicable Values

Profile parameter                              Default           Allowed           Purpose
login/min_password_lng                         6                 3–40              Minimum length of the logon password
login/min_password_digits                      0                 0–40              Minimum number of digits
login/min_password_letters                     0                 0–40              Minimum number of letters
login/min_password_specials                    0                 0–40              Minimum number of special characters
login/min_password_lowercase                   0                 0–40              Minimum number of lowercase letters
login/min_password_uppercase                   0                 0–40              Minimum number of uppercase letters
login/password_max_idle_initial                0                 0–24000           Maximum number of days a password set by the administrator can be unused (idle)
login/password_max_idle_productive             0                 0–24000           Maximum number of days a password set by the user can be unused (idle)
login/password_compliance_to_current_policy    0                 0/1               Existing password must comply with the current policy (checked during logon)
login/min_password_diff                        1                 1–40              Number of different characters between old and new password
login/password_expiration_time                 0                 0–1000            Password expiration time in days
login/fails_to_session_end                     3                 1–99              End session after this number of incorrect logons
login/fails_to_user_lock                       5                 1–99              Lock user after this number of incorrect logons
login/failed_user_auto_unlock                  0                 0/1               Automatic unlock at midnight
login/disable_multiple_gui_login               0                 0/1               Deactivation of multiple dialog logons
login/multi_login_users                        List of user IDs  List of user IDs  List of excepted users for multiple logon
login/password_history_size                    5                 1–100             Number of passwords (chosen by the user, not the administrator) that the system stores and the user is not permitted to use again

Note:
The default values of certain profile parameters have been changed in SAP
NetWeaver AS for ABAP 7.00 and later. For more information about profile
parameters, see SAP Note 862989.

In SAP NetWeaver AS for ABAP 7.00 and later, the password hash algorithm has been
changed. More secure hash values can be generated that are not backward-compatible, and
that make reverse engineering attacks difficult. By default, new systems generate a
backward-compatible hash value and a new hash value. However, you can configure the
system so that only the new hash value is generated. The new hash value is not backward-
compatible. You can set the degree of backward compatibility with the profile parameter
login/password_downwards_compatibility.

Note:
For more details on backward compatibility, see SAP Note 1023437.

If you are using non-backward-compatible passwords, communication with older systems
may cause problems where the older system calls the newer system. For more information
about dealing with incompatible passwords, see SAP Note 792850.

Security of Password Hashes


In addition to a strong password policy, you can ensure the security of the password hashes
by taking the following actions:

Restrict access to tables containing password hashes (USR02, USH02, and in later
releases USRPWDHISTORY) by changing the table authorization group of these tables.
Non-administrative users must not have access to this new table authorization group.

Activate the latest password hashing mechanism (code version) available for your release.
Downward-compatible password hashes must not be stored in Releases 7.0 and higher.

Note:
For more information about protecting read access to password hash value
tables, see SAP Note 1484692.

Profile Parameter Settings for Password Hashes

Table 6: Profile Parameters for Password Hashes

The following profile parameters are used to activate the latest hashing mechanism:

Release          Recommended profile parameter                Code version
Up to 4.5        No special profile parameter needed          B
4.6 to 6.40      login/password_charset = 2                   E
7.00 to 7.01     login/password_downwards_compatibility = 0   F
7.02 and higher  login/password_downwards_compatibility = 0   H

Caution:
After activating the latest password hashing mechanism, redundant password
hashes must be deleted from the relevant tables. For more information about
recommended settings for password hash algorithms, see SAP Note 1458262.
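Added example (not SAP code): an audit over constructed password records that applies Table 6 and the caution above. The salted PBKDF2 digest and the unsalted, uppercase-based legacy digest are stand-ins for the real code versions, chosen only to show why a redundant downward-compatible hash weakens the stronger one (it ignores letter case, as passwords did before 7.00, and carries no salt); the record layout with user, code version and two hash fields is a simplification of a table such as USR02, and the release parsing assumes strings like 7.02.

```python
"""Audit of stored password hashes against the code-version table above
(added example, not SAP code; the hash functions are stand-ins, not SAP's)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

CODE_VERSIONS = ["B", "E", "F", "H"]  # weakest to strongest, as in Table 6


def recommended_code_version(release: str) -> str:
    """Table 6: latest hashing mechanism for a release string such as '7.02'."""
    parts = [int("".join(ch for ch in p if ch.isdigit()) or "0")
             for p in release.split(".")[:2]]
    major, minor = (parts + [0])[:2]
    if (major, minor) < (4, 6):
        return "B"
    if (major, minor) <= (6, 40):
        return "E"
    if (major, minor) <= (7, 1):
        return "F"
    return "H"


def legacy_stand_in(password: str) -> str:
    """Model of a downward-compatible hash: unsalted and computed over the
    uppercased password, reflecting that passwords were case-insensitive
    before 7.00 (stand-in, not the SAP algorithm)."""
    return hashlib.sha1(password.upper().encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Stand-in for the latest mechanism: salted, iterated PBKDF2-HMAC-SHA256."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


@dataclass
class HashRecord:
    """Constructed stand-in for one row of a password table such as USR02."""
    user: str
    codvn: str              # code version used for the stored hash
    salted: Optional[str]   # hash of the latest mechanism, if present
    legacy: Optional[str]   # redundant downward-compatible hash, if present


def make_record(user: str, password: str, keep_legacy: bool) -> HashRecord:
    """Create a record as a 7.02+ system would, optionally keeping the legacy hash."""
    return HashRecord(user, "H", salted_hash(password, os.urandom(16)),
                      legacy_stand_in(password) if keep_legacy else None)


def verify_latest(record: HashRecord, candidate: str) -> bool:
    """Verify against the salted hash only, with a constant-time comparison."""
    if record.salted is None:
        return False
    salt_hex, iterations, _ = record.salted.split("$")
    expected = salted_hash(candidate, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(expected, record.salted)


def legacy_accepts(record: HashRecord, candidate: str) -> bool:
    """What the redundant hash still answers: a match regardless of letter case,
    which undoes the case-sensitive policy of the newer mechanism."""
    return record.legacy is not None and hmac.compare_digest(
        record.legacy, legacy_stand_in(candidate))


def audit(records: List[HashRecord], release: str) -> List[Tuple[str, str]]:
    """Findings per user: hash below the recommended code version, or a redundant
    downward-compatible hash still present after the latest mechanism is active."""
    wanted = recommended_code_version(release)
    findings = []
    for r in records:
        if CODE_VERSIONS.index(r.codvn) < CODE_VERSIONS.index(wanted):
            findings.append((r.user, f"code_version_{r.codvn}_below_{wanted}"))
        if r.legacy is not None and wanted in ("F", "H"):
            findings.append((r.user, "redundant_legacy_hash"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed records on a 7.02 system."""
    records = [
        make_record("ADM1", "Hr-Ops-19", keep_legacy=True),
        make_record("BATCH2", "Qx7!temp9k", keep_legacy=False),
        HashRecord("OLD3", "E", None, legacy_stand_in("Legacy42")),  # never migrated
    ]
    return audit(records, "7.02")


if __name__ == "__main__":
    for user, finding in demo():
        print(user, finding)
```

The record for ADM1 verifies correctly only with the exact case of the password, yet its leftover legacy digest answers yes to hr-ops-19 as well; that is the reason the caution asks for the redundant hashes to be deleted once the new code version is active.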


If you use Central User Administration (CUA), you must ensure that the CUA system has at
least the same or a higher release than all attached systems and that relevant SAP Notes are
implemented. For more information about CUA and passwords, see SAP Notes 1300104,
1306019, and 1022812.

Security Policies Maintenance


SECPOL: Defining Security Policies for NetWeaver ABAP Systems
Instance profile parameters allow IT administrators to set global policies for the entire
system. For different groups of users, a more tailored approach can be useful.

Table 7: Available Attributes for Security Policies

Attribute                              Purpose                                        Default Value
CHECK_PASSWORD_BLACKLIST               Check the Password Blacklist                   1
MIN_PASSWORD_DIGITS                    Minimum Number of Digits                       0
MIN_PASSWORD_LENGTH                    Minimum Password Length                        6
MIN_PASSWORD_LETTERS                   Minimum Number of Letters                      0
MIN_PASSWORD_LOWERCASE                 Minimum Number of Lowercase Letters            0
MIN_PASSWORD_SPECIALS                  Minimum Number of Special Characters           0
MIN_PASSWORD_UPPERCASE                 Minimum Number of Uppercase Letters            0
MIN_PASSWORD_CHANGE_WAITTIME           Minimum Wait Time for Password Change          1
MIN_PASSWORD_DIFFERENCE                No. of Different Chars When Changing           1
PASSWORD_CHANGE_FOR_SSO                Password Change Req. for SSO Logons            1
PASSWORD_CHANGE_INTERVAL               Interval for Regular Password Changes          0
PASSWORD_COMPLIANCE_TO_CURRENT_POLICY  Password Change After Rule Tightening          0
PASSWORD_HISTORY_SIZE                  Size of the Password History                   5
DISABLE_PASSWORD_LOGON                 Disable Password Logon                         0
DISABLE_TICKET_LOGON                   Disable Ticket Logon                           0
MAX_FAILED_PASSWORD_LOGON_ATTEMPTS     Maximum Number of Failed Attempts              5
MAX_PASSWORD_IDLE_INITIAL              Validity of Unused Initial Passwords           0
MAX_PASSWORD_IDLE_PRODUCTIVE           Validity of Unused Production Passwords        0
PASSWORD_LOCK_EXPIRATION               Automatic Expiration of Password Lock          0
SERVER_LOGON_PRIVILEGE                 Logon if server_logon_restriction=1            0
TENANT_RUNLEVEL_LOGON_PRIVILEGE        Logon for Each Tenant Runlevel > 0             0

The attributes available for security policies definitions allow system administrators to
override settings made with instance profile parameters.

Figure 54: Step 1/3 Creating a Security Policy

The first step involves calling transaction SECPOL and creating a new security policy. Security
policies are customizing objects and can easily be transported from one system to another.

Figure 55: Step 2/3 Assigning Attributes for a Security Policy

The second step establishes the attributes relevant for each security policy.


Figure 56: Step 3/3 Assigning a Security Policy

The third step applies a security policy to a specified user. Mass maintenance can be
performed with transaction SU10.

Table 8: Comparison Between Policy Attributes and Profile Parameter Functionality

Policy Attribute                 Profile Parameter
Transportable                    Manual Configuration
Assignable to Individual Users   System-/Instance-Wide Setting
Immediately Effective            Requires a Server Restart
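Added example (not SAP code) that resolves the effective settings for a user from an assigned security policy, the instance profile parameters and the Table 7 defaults, and then flags policies that are laxer than the instance baseline, since a policy attribute overrides the global parameter for the users it is assigned to. The attribute-to-parameter pairs are taken from the matching purpose texts of Tables 5 and 7 and are an assumption of the example, as are the policy names and values.

```python
"""Effective password settings from SECPOL policies and profile parameters
(added example, not SAP code)."""
from typing import Dict, List, Optional, Tuple

# Policy attribute -> profile parameter it overrides. Pairs follow the purpose
# texts of Tables 5 and 7; the mapping itself is an assumption of this example.
ATTRIBUTE_TO_PARAMETER = {
    "MIN_PASSWORD_LENGTH": "login/min_password_lng",
    "MIN_PASSWORD_DIGITS": "login/min_password_digits",
    "MIN_PASSWORD_LETTERS": "login/min_password_letters",
    "MIN_PASSWORD_SPECIALS": "login/min_password_specials",
    "MIN_PASSWORD_LOWERCASE": "login/min_password_lowercase",
    "MIN_PASSWORD_UPPERCASE": "login/min_password_uppercase",
    "MIN_PASSWORD_DIFFERENCE": "login/min_password_diff",
    "PASSWORD_HISTORY_SIZE": "login/password_history_size",
    "PASSWORD_CHANGE_INTERVAL": "login/password_expiration_time",
    "PASSWORD_COMPLIANCE_TO_CURRENT_POLICY": "login/password_compliance_to_current_policy",
    "MAX_FAILED_PASSWORD_LOGON_ATTEMPTS": "login/fails_to_user_lock",
    "MAX_PASSWORD_IDLE_INITIAL": "login/password_max_idle_initial",
    "MAX_PASSWORD_IDLE_PRODUCTIVE": "login/password_max_idle_productive",
}

# Default values from Table 7, used when neither policy nor profile sets a value.
ATTRIBUTE_DEFAULTS = {
    "MIN_PASSWORD_LENGTH": 6, "MIN_PASSWORD_DIGITS": 0, "MIN_PASSWORD_LETTERS": 0,
    "MIN_PASSWORD_SPECIALS": 0, "MIN_PASSWORD_LOWERCASE": 0, "MIN_PASSWORD_UPPERCASE": 0,
    "MIN_PASSWORD_DIFFERENCE": 1, "PASSWORD_HISTORY_SIZE": 5, "PASSWORD_CHANGE_INTERVAL": 0,
    "PASSWORD_COMPLIANCE_TO_CURRENT_POLICY": 0, "MAX_FAILED_PASSWORD_LOGON_ATTEMPTS": 5,
    "MAX_PASSWORD_IDLE_INITIAL": 0, "MAX_PASSWORD_IDLE_PRODUCTIVE": 0,
}

# Attributes with a simple direction of strictness. Attributes where 0 means
# "switched off" (for example PASSWORD_CHANGE_INTERVAL) are deliberately not compared.
HIGHER_IS_STRICTER = {a for a in ATTRIBUTE_DEFAULTS
                      if a.startswith("MIN_") or a == "PASSWORD_HISTORY_SIZE"}
LOWER_IS_STRICTER = {"MAX_FAILED_PASSWORD_LOGON_ATTEMPTS"}

Policies = Dict[str, Dict[str, int]]   # policy name -> attributes set in SECPOL
ProfileParams = Dict[str, int]          # profile parameter -> instance value


def effective_settings(profile: ProfileParams, policies: Policies,
                       assigned: Optional[str]) -> Dict[str, int]:
    """Precedence: policy attribute (if set) > profile parameter (if set) > default."""
    policy = policies.get(assigned, {}) if assigned else {}
    result: Dict[str, int] = {}
    for attr, param in ATTRIBUTE_TO_PARAMETER.items():
        if attr in policy:
            result[attr] = policy[attr]
        elif param in profile:
            result[attr] = profile[param]
        else:
            result[attr] = ATTRIBUTE_DEFAULTS[attr]
    return result


def weaker_than_instance(profile: ProfileParams, policies: Policies) -> List[Tuple[str, str]]:
    """Flag (policy, attribute) pairs where the policy is laxer than the instance baseline."""
    baseline = effective_settings(profile, {}, None)
    findings = []
    for name, attrs in policies.items():
        for attr, value in attrs.items():
            if attr not in baseline:
                continue
            if (attr in HIGHER_IS_STRICTER and value < baseline[attr]) or \
               (attr in LOWER_IS_STRICTER and value > baseline[attr]):
                findings.append((name, attr))
    return findings


# Constructed instance parameters and policies for the demonstration.
PROFILE: ProfileParams = {
    "login/min_password_lng": 8,
    "login/min_password_digits": 1,
    "login/fails_to_user_lock": 5,
    "login/password_expiration_time": 90,
}
POLICIES: Policies = {
    "SERVICE_DESK": {"MIN_PASSWORD_LENGTH": 6, "MAX_FAILED_PASSWORD_LOGON_ATTEMPTS": 10},
    "TECHNICAL": {"PASSWORD_CHANGE_INTERVAL": 0, "MIN_PASSWORD_LENGTH": 16},
}

if __name__ == "__main__":
    for user, policy in (("DESK01", "SERVICE_DESK"), ("RFC_BATCH", "TECHNICAL"), ("JDOE", None)):
        print(user, effective_settings(PROFILE, POLICIES, policy))
    print("laxer than instance:", weaker_than_instance(PROFILE, POLICIES))
```

The check reports SERVICE_DESK on both of its attributes, while TECHNICAL is silent because a longer minimum length is stricter and a change interval of 0 is not compared; for a technical user that may be intended, but it is worth knowing which users the policy is assigned to.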

User Management: Defining Security Policies for NetWeaver Java Systems

NetWeaver Java systems are shipped with two pre-configured policies (Default and Technical
User). New policies can be set by system administrators.

Figure 57: Step 1/2 Defining a Security Policy

To define a new policy, open the User Management configuration and adapt the available
parameters.


Figure 58: Step 2/2 Assigning a Security Policy

The policy can be assigned to individual users in the General Information tab.

LESSON SUMMARY
You should now be able to:

Outline authorizations and password policy parameters

Outline security policy maintenance

Unit 3
Lesson 3
Setting Up User Security in SAP Systems

LESSON OVERVIEW
This lesson provides an overview of authorizations in SAP systems and explains the rules for
password management in SAP systems.

Business Example
You want to define authorizations in an SAP system. For this reason, you require an
understanding of the following:

The authorization concept of Application Server ABAP (AS ABAP) and Application Server
Java (AS Java)

Password management in AS ABAP

Secure store in AS ABAP and AS Java

Configuring password parameters

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Set up user security in SAP systems


Setting Up User Security in SAP Systems


User Administration in SAP NetWeaver Application Server (AS) for ABAP

Figure 59: User Maintenance (Transaction SU01) – User Master Record

User Maintenance (transaction SU01) and Role Maintenance (transaction PFCG) are the most
important tools for an SAP NetWeaver AS for ABAP-based system. When creating a new user
master record with transaction SU01, the required fields are Last name on the Address tab
page and Initial password on the Logon data tab page.
On the Logon data tab page, the User Group for Authorization Check implements delegated
user administration. A user master record in a user group can be changed only by an
administrator with the authorization to modify the user group. If a user master record is not
assigned to a group, any user administrator can change this user master record. The Validity
Period specifies the beginning and end of the validity of the user master record.
A user can log on to the SAP system if a user master record with a valid password exists. The
user master record determines the actions that individual users are allowed to perform in the
SAP system.
When maintaining user master records, you need to assign authorization to the users in the
form of roles and profiles.
User master records are client-specific.

SAP Authorization
SAP authorization protects transactions, programs, and services in SAP systems from
unauthorized access. On the basis of SAP authorization, the administrator assigns
authorizations to individual users that determine which actions they can execute in the SAP
system after they have logged on to the system and authenticated themselves.

Lesson: Setting Up User Security in SAP Systems

To access business objects or execute SAP transactions, a user requires corresponding
authorizations, as business objects or transactions are protected by authorization objects.
The authorizations represent instances of generic authorization objects and are defined
depending on the activity and responsibilities of the employee. The authorizations are
combined in an authorization profile that is associated with a role. The user administrators
then assign the corresponding roles using the user master record, so that the user can use
the appropriate transactions for his or her tasks.
The following authorization objects are required to create and maintain user master records:

S_USER_GRP: user master maintenance: assign user groups

S_USER_PRO: user master maintenance: assign authorization profile

S_USER_AUT: user master maintenance: create and maintain authorization

With suitable authorization, a user is able to maintain personal data by choosing
System → User profile → Own data (transaction SU3).

User Administration in SAP NetWeaver AS for Java

Figure 60: SAP NetWeaver AS for Java User Stores

SAP NetWeaver AS for Java provides an open architecture, based on service providers, to
store user and group data.
SAP NetWeaver AS for Java is delivered with the following service providers, known as user
stores:

Database Management System (DBMS) provider
DBMS provides user and authorization data storage in the system database.

Universal Description, Discovery, and Integration (UDDI) provider
UDDI provides storage through external service providers.

User Management Engine (UME) provider
The UME provider enables connection of the integrated UME.


The DBMS and UDDI providers implement standards and guarantee the J2EE conformity of
SAP NetWeaver AS for Java. The SAP-defined UME is installed as user storage during the
installation of SAP NetWeaver AS for Java. The SAP-defined UME is the recommended option
for most SAP customers. The user and the authorization concept can be installed and
operated flexibly only on the basis of the UME user storage.

Purpose of the UME


The UME provides centralized user management for all Java applications and can be
configured to work with user management data from multiple data sources. It is seamlessly
integrated in the J2EE Engine of SAP Web AS for Java as its default user store and can be
administered using the SAP Web AS for Java administration tools.
The UME adds business value by enabling customers to leverage their existing system
infrastructure by accessing user-related data on an existing corporate directory, an SAP Web
AS for ABAP system, a database, or any combination of these. In addition, it reduces
administrative overhead by allowing customers to perform centralized user administration.

Data Sources
The UME supports the following data sources as storage locations for user data:

System database

Directory Service (Lightweight Directory Access Protocol (LDAP) server)

ABAP-based SAP system (as of AS ABAP 6.20)

SAP delivers preconfigured data source combinations. These preconfigured data source
combinations can be used without further adjustments or can be adapted according to the
specific needs of the customer.

Hint:
The data source of the system database is always connected to the UME for all
data source configurations delivered by SAP. Certain information (for example,
the UME roles) is always kept in the database.


SAP NetWeaver AS for Java – SAP NetWeaver Identity Management (SAP NetWeaver ID Management)

Figure 61: SAP NetWeaver AS for Java: User Management Administration Console

The most important tool for a user administrator in an SAP NetWeaver AS for Java system is
identity management. The identity management tool is used for all data sources and is
implemented as an application running in a Web browser (based on Web Dynpro Java).
You can start identity management in the following ways:

Use the URL http(s)://<hostname>.<domain>:<http(s) port>/useradmin.

Use the SAP NetWeaver Administrator (URL /nwa), Configuration → Security → Identity
Management.

Use the path User Administration → Identity Management in a portal.

Hint:
The function scope available in identity management depends on the Java
authorizations of the current user.


Central User Administration (CUA)

Figure 62: CUA

CUA distributes user master records between SAP systems. The administration of an SAP
system landscape is performed from one central system. You can display an overview of all
user data in the SAP system landscape. All user data is stored in the standard SAP tables
(USR*) that contain the user master record data.
Use CUA if you have a complex landscape with several clients and systems to synchronize the
user data or if a user works in more than one system and uses the same user ID in all the
systems. Data that can be distributed with CUA includes data about the user master record,
such as address, logon data, user fixed values, and user parameters.
The system (security) administrator logs on to CUA and assigns roles or profiles and systems
to the user in CUA. You no longer need to log on to each system to make system-specific
assignments of activity groups and profiles.
Roles and authorization profiles can be transported but are not maintained from the CUA.
They are created and modified in the subsystems.


CUA and LDAP Synchronization

Figure 63: CUA and LDAP Synchronization

Prior to release 6.10, SAP systems could communicate with LDAP, but required an
independent, external component called LDAP Connector. As of release 6.10, SAP systems
can communicate directly with a directory server using LDAP.

SAP NetWeaver Identity Management

Figure 64: Identity Management

Role of Identity Management in SAP NetWeaver


Identity management is an integral part of the SAP NetWeaver technology platform for the
following reasons:

It enables efficient and secure management of identity information.

It supports both SAP-only and heterogeneous system landscapes.


It integrates with the SAP NetWeaver platform and business applications.

It complements integrated SAP NetWeaver security frameworks.

Enterprises usually have a variety of SAP and non-SAP systems. By default, every system has
its own separate user management. Separate user management involves a large degree of
manual effort for the user administrator to administer the user information and role
assignments in each system.
However, employees of an enterprise have to perform different business process tasks.
These tasks require certain authorizations or roles in the system landscape. The source of
employee information is usually the SAP ERP Human Capital Management (SAP ERP HCM)
system. SAP ERP HCM triggers actions such as on-boarding and change of position, location,
or name. These changes must be reflected in the system landscape.

Identity Management Yesterday – Partial Centralization

Figure 65: Identity Management Yesterday – Partial Centralization

Before SAP offered SAP NetWeaver ID Management, user management was centralized using
the CUA. A limitation of CUA is that it is only supported for ABAP-based systems. For
interoperability with Java systems that use an LDAP directory both as a user store and for
integration with non-SAP applications, users are synchronized with an LDAP directory using
the ABAP LDAP connector. Central management for a heterogeneous system landscape was
only possible by using a third-party identity management product.


SAP NetWeaver ID Management – Holistic Approach

Figure 66: SAP NetWeaver ID Management – Holistic Approach

Driven by business processes, with SAP NetWeaver ID Management, SAP offers integrated
identity management capabilities for a heterogeneous system landscape. SAP NetWeaver ID
Management uses a central identity store to consolidate identity data from different source
systems (for example, SAP ERP Human Capital Management (HCM)) and distributes this
information to the different target systems. The distribution handles user accounts and role
assignments of SAP and non-SAP applications. You can define various rule sets for the
assignment of roles to users, which means that role assignment can be automatically
performed based on attributes of the identity.
An important feature of SAP NetWeaver ID Management is the availability of approval
workflows to distribute the responsibility for authorization assignments to various business
process owners and managers of employees. The integration of SAP ERP HCM as one of the
possible source systems for identity information is one of the key functionalities to enable
business-driven identity management. With the audit functionality of the solution, the auditor
can check employee system authorizations from a central location. Both the current
authorizations and the previous settings can be examined. The data within SAP NetWeaver ID
Management can be accessed using services and standard protocols, such as LDAP.

Comparison between CUA and SAP NetWeaver ID Management

Table 9: CUA versus SAP NetWeaver ID Management


Functionality                    CUA                                              SAP NetWeaver ID Management
Target systems                   ABAP only                                        SAP and non-SAP
Workflow support                 No                                               Yes
Rule-based access management     No (except the rarely used HR Org. rule engine)  Yes
Modeling of role hierarchy       No                                               Yes
Cross-system role assignments    Only through HR Org                              Yes
LDAP directory integration       LDAP synchronization                             Yes
Support for all user attributes  Yes                                              Yes
Password management              Initial passwords                                Yes, including workflow support

The following points highlight the relationship between SAP NetWeaver ID Management and
the CUA:

SAP NetWeaver ID Management is the strategic solution for managing identities in SAP
and non-SAP environments.

SAP NetWeaver ID Management can replace the CUA in order to manage user IDs in the
non-SAP system landscape.

SAP continues to support the CUA in its current functionality according to the SAP
maintenance rules.

A connector is available that connects SAP NetWeaver ID Management to the CUA.

Standard Users in SAP NetWeaver AS for ABAP


In SAP NetWeaver AS for ABAP and SAP NetWeaver AS for Java-based systems, several
standard users with preconfigured authorizations are available directly after installation. To
ensure system security, users must be provided with a strong password and monitored
regularly.

Table 10: Important Default Users in SAP NetWeaver AS for ABAP


Client   000        001        066          New
User     SAP*       SAP*       SAP*         (SAP*)
         DDIC       DDIC       EARLYWATCH
         SAPCPIC    SAPCPIC

Note:
Check users with the RSUSR003 report for standard passwords.

When an SAP NetWeaver AS for ABAP-based system is installed, the default clients are as
follows:

Client 000 is used for special administrative purposes. SAP imports the Customizing
settings into this client during the upgrade process or when applying Support Packages.
Client 000 must not be used for Customizing, data input, or development.


Client 066 was created during system installation in the past. It was used to deliver
services by SAP Active Global Support. This client is no longer used, and can be safely
removed. For more information on this client, see SAP Note 7312 - Client 066 for
EarlyWatch.

Client 001 is a copy of client 000, and was created during system installation in the past. It
can be used as the productive client. However, if you have decided to use other clients as
productive clients, rather than client 001, you can safely remove client 001. Bear in mind
that SAP Solution Manager systems and SAP Business Warehouse systems usually use
client 001 as a productive client.

Caution:
Prior to deleting a client, especially in the case of client 001, you must check that
there are no active users on the client. You can use report RSUSR200 on the
User Information System (transaction SUIM) or the Workload Statistics
(transaction ST03N) to check if there has been user activity. Within transaction
ST03N, you can use the analysis view Settlement Statistics to determine which
clients have been used, and which users have used the clients.

Note:
To find out which clients you have in your system, use transaction SCC4. To
display the contents of the T000 table, use transaction SM30.

Depending on the client, several standard users may already be prepared. User SAP* is a
superuser for initial access to the system. The user DDIC is required for certain installation
and upgrade tasks, software logistics, and the ABAP Dictionary. The passwords of user SAP*
and DDIC of clients 000 and 001 (not in 066) are set during the installation process. In older
installation routines, passwords were not set during the installation process and the user had
the default passwords 06071992 (for SAP*) and 19920706 (for DDIC). The user
EARLYWATCH is used by the SAP EarlyWatch specialists and has access to monitoring and
performance data. The default password for user EARLYWATCH is SUPPORT. The user
SAPCPIC is used for communication purposes. The default password for user SAPCPIC is
ADMIN. For more information on SAPCPIC, see SAP Note 29276.

Caution:
You must change the passwords of standard users to strong ones.

In addition to changing the passwords of standard users, you must perform the following
steps:

1. Create a new superuser. Deactivate SAP* only, by locking the SAP* user and removing its
authorizations; do not delete it.

2. Assign standard users to the SUPER group so that standard users can only be modified by
administrators who are authorized to change users in the SUPER group.

3. Lock users DDIC and EARLYWATCH and unlock them only when necessary.

Do not delete DDIC or its profiles. DDIC is needed for certain installation and upgrade tasks,
software logistics, and the ABAP Dictionary. Deleting the DDIC user may result in loss of
functions in tasks related to the installation and upgrade of software logistics and the ABAP
Dictionary.
To log on to a newly created client (a client with no user master record at all and no user
SAP*), use the SAP* kernel mechanism. In the kernel, a hardcoded user with password pass
is implemented. This system access is not affected by authorization checks.
The SAP* kernel mechanism can be controlled by using the login/no_automatic_user_sapstar
profile parameter. As of SAP NetWeaver AS 7.00 (SAP NetWeaver 7.0), the default value of
this profile parameter has been changed to 1, which means that the SAP* kernel mechanism
is deactivated. In older releases, the SAP* kernel mechanism was activated by default (value
0) and had to be deactivated when it was not needed. For more information on
deactivating the automatic SAP* user, see SAP Note 68048.

Caution:
To ensure this mechanism is not misused, create a new user SAP* in all the
clients of your systems and set the login/no_automatic_user_sapstar profile
parameter to value 1. An existing user master record SAP* must not be deleted
from any client.

Hint:
Use the RSUSR003 report to make sure that the user SAP* has been created in
all clients and that the default passwords have been changed for the standard
users.
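The conditions in the procedure, the Caution and the Hint above can be verified against an export of user master data. The following script is an added example for this handbook section, not SAP code and not a replacement for report RSUSR003 (it does not check passwords, which remains the job of RSUSR003); the user snapshot, user group names and the `UserRecord` fields are constructed for the example.

```python
"""Added example: verify the standard-user hardening steps on a snapshot of
user master data (one list of users per client) plus the relevant profile
parameter. The sample data at the bottom is constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

STANDARD_USERS = ("SAP*", "DDIC", "EARLYWATCH", "SAPCPIC")
# Steps 1 and 3 of the procedure: SAP*, DDIC and EARLYWATCH stay locked.
MUST_BE_LOCKED = ("SAP*", "DDIC", "EARLYWATCH")


@dataclass(frozen=True)
class UserRecord:
    name: str
    locked: bool
    group: str = ""                 # user group (step 2 requires SUPER)
    profiles: Tuple[str, ...] = ()  # authorization profiles still assigned


def check_standard_users(clients: Dict[str, List[UserRecord]],
                         profile_params: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # The kernel SAP* mechanism must be switched off (SAP Note 68048).
    if profile_params.get("login/no_automatic_user_sapstar") != "1":
        findings.append("login/no_automatic_user_sapstar is not set to 1")

    for client, users in sorted(clients.items()):
        by_name = {u.name: u for u in users}

        # A user master record SAP* must exist in every client so that the
        # hardcoded kernel user cannot take its place.
        sapstar = by_name.get("SAP*")
        if sapstar is None:
            findings.append(f"client {client}: user master record SAP* is missing")
        elif sapstar.profiles:
            findings.append(f"client {client}: SAP* still holds profiles "
                            f"{list(sapstar.profiles)}")

        for name in STANDARD_USERS:
            user = by_name.get(name)
            if user is None:
                continue  # not every standard user exists in every client
            if user.group != "SUPER":
                findings.append(f"client {client}: {name} is not in user group SUPER")
            if name in MUST_BE_LOCKED and not user.locked:
                findings.append(f"client {client}: {name} is not locked")

    # DDIC must never be deleted: software logistics and the ABAP Dictionary need it.
    for client in ("000", "001"):
        if client in clients and "DDIC" not in {u.name for u in clients[client]}:
            findings.append(f"client {client}: DDIC has been deleted")
    return findings


# Constructed snapshot: client 000 is hardened, client 001 is not, client 100
# has no SAP* record at all.
SAMPLE_PARAMS = {"login/no_automatic_user_sapstar": "1"}
SAMPLE_CLIENTS = {
    "000": [UserRecord("SAP*", True, "SUPER"),
            UserRecord("DDIC", True, "SUPER"),
            UserRecord("SAPCPIC", False, "SUPER")],
    "001": [UserRecord("SAP*", True, "SUPER", ("SAP_ALL",)),
            UserRecord("DDIC", False, "SUPER"),
            UserRecord("SAPCPIC", False, "")],
    "100": [UserRecord("ADMIN01", False, "SUPER")],
}

if __name__ == "__main__":
    for finding in check_standard_users(SAMPLE_CLIENTS, SAMPLE_PARAMS):
        print("FINDING:", finding)
```

Run against the constructed snapshot, the script reports the unlocked DDIC and the leftover SAP* profile in client 001, the SAPCPIC user outside group SUPER, and the missing SAP* record in client 100; the same findings are what an administrator would expect to see in RSUSR003 and SUIM.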

Standard Users in SAP NetWeaver AS for Java

Field                              Data Source
                                   Database        LDAP Server        Dual Stack (ABAP+Java)   Remote
Administration user                Administrator   Administrator      J2EE_ADMIN               J2EE_ADMIN_<SID>
Guest user                         Guest           Guest              J2EE_GUEST               J2EE_GST_<SID>
Communication user to data source  SAP<SID>DB      Freely definable   SAPJSF                   SAPJSF_<SID>


Activating the UME Emergency User

Figure 67: Activating the UME Emergency User

The figure, Activating the UME Emergency User, illustrates the process used for the
activation.

Note:
Please note the difference between user store and data source. SAP delivers
multiple user stores, which include the UME and the DBMS user store. In turn, the
UME can use different data sources for storing the user information.


User Types in SAP NetWeaver AS for ABAP

Figure 68: User Types in SAP NetWeaver AS for ABAP

When creating new users, you can choose between different user types. The user type affects
what the user can do and how the user’s password is handled.
The user type is an important property of a user.
The following user types are available in AS ABAP:

Dialog
A normal Dialog user is used for all logon types by just one person. During a dialog logon,
the system checks for expired or initial passwords, and the user has the opportunity to
change the password. Multiple dialog logons are checked and logged.

System
The System user type is used for dialog-free communication within a system; for
background processing within a system; and for Remote Function Call (RFC) users for
various applications, such as Application Link Enabling (ALE), Workflow, the Transport
Management System (TMS), and CUA. It is not possible to use this type of user for a dialog
logon. Users of this type are exempted from the usual settings for the validity period of a
password. Only user administrators can change the password.

Note:
For more information, see SAP Note 622464: Change: Password change req.
entry for SYSTEM user type.

Communication
Use the Communication user type for dialog-free communication between systems. This
type of user cannot be used for a dialog logon. The usual settings for the validity period of a
password apply to users of this type.

Service
A user of the Service type is a dialog user that is available to a larger, anonymous group of
users. In general, you must only assign highly restricted authorizations to users of this
type. Service users are used, for example, for anonymous system accesses using the SAP
Internet Transaction Server (ITS) or Internet Communication Framework (ICF) service.
The system does not check for expired or initial passwords during logon. Only the user
administrator can change the password. Multiple logons are permitted in the system.

Reference
As with the Service user, a Reference user is a general user not specific to a particular
person. You cannot use a Reference user to log on. A Reference user is used only to assign
additional authorizations. You can specify a Reference user for a Dialog user for additional
authorization on the Roles tab page.

User Types in SAP NetWeaver AS for Java


As in SAP NetWeaver AS for ABAP, UME also distinguishes between various user types.

Table 11: UME User Types


User Type                             Logon to SAP NetWeaver AS for Java               Password Change                                 Mapped ABAP User Types (with ABAP System as Data Source)
Standard                              Possible                                         Yes                                             Dialog
Technical users                       Possible                                         No                                              System
Internal service user                 Not possible                                     –                                               –
Unknown (only with data source ABAP)  Depends on SAP NetWeaver AS for ABAP user type   Depends on SAP NetWeaver AS for ABAP user type  Communication, Service, and Reference

Hint:
User types are also called security policy profiles.

Specify the security policy profile (user type) when you create a user with identity
management (you cannot create the Unknown type). In the case of existing users,
subsequent changes to the user type are only possible with restrictions.

Note:
The last column in the table is only relevant if you are operating a UME with an
ABAP system as the data source. Changes to the user type of an ABAP user are
mapped to the corresponding UME user master record (and vice versa, if the UME
has write access to the ABAP system).

As of SAP NetWeaver AS for Java 7.01, you can create your own security policy profiles (user
types) in the UME configuration UI. For example, you may create your own set of strong
password rules for special administrator users. In an SAP NetWeaver AS for ABAP+Java, the
security policy profiles (user types) created for customers are mapped to the ABAP Dialog
user type.

LESSON SUMMARY
You should now be able to:

Set up user security in SAP systems



Unit 3
Lesson 4
Securing the Message Server and the Internet
Communication Manager (ICM)

LESSON OVERVIEW
This lesson provides an overview of fundamental security measures on a front-end system.
The lesson also introduces the security features of SAP GUI for Microsoft Windows.

Business Example
To ensure the security of the front-end computer, you need to configure security features of
SAP GUI for Microsoft Windows. For this reason, you require an understanding of the
following:

Front-end security

Security settings of SAP GUI for Microsoft Windows

How to maintain security settings in SAP GUI for Microsoft Windows

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Secure the message server and the Internet Communication Manager (ICM)


Security Configuration for the Message Server and the ICM


ICM on SAP NetWeaver AS for ABAP

Figure 69: ICM and ICF

The ICM ensures communication between an SAP system and the external platform using the
HTTP, HTTPS, and SMTP protocols. As a server, the ICM can process external requests that
have URLs with the server or port combination to which the ICM responds. The ICM then calls
the corresponding local handlers, such as the file handler or the server cache handler, to
perform the necessary task.
Internet Communication Framework (ICF) provides the framework for implementing the
applications for the ICM. ICF consists of the interfaces that enable the SAP NetWeaver AS to
function as a Web server or a Web client.

ICM Monitor (Transaction SMICM)

Figure 70: ICM Monitor (Transaction SMICM)


Transaction code SMICM performs the following functions:

Monitors the ICM

Views threads

Views active services and ports

Views trace files

Views memory pipe information

Displays the cache content and statistics

Restarts the ICM

Figure 71: ICF (Transaction SICF)

ICF provides a framework to the user for developing the Business Server Pages (BSPs) for the
SAP NetWeaver AS Internet applications.
Applications are organized in a hierarchical tree.
Use transaction SICF to create and maintain BSPs, and to create and maintain virtual hosts
for the SAP NetWeaver AS. Use transaction SE80 to create and test BSPs.


ICM Profile Parameters

Figure 72: ICM Profile Parameters

Table 12: Requirements and Mechanisms for ICM Profile Parameters


Requirements                     Mechanisms
Scalability                      Load balancing
Access control                   Network zones, using virtual hosts
Confidentiality                  Encryption
Identifying users                User authentication
Protecting individual services   Activate or deactivate services

Web-Enabled Content Management


ABAP systems offer Web-enabled content that can be accessed using Web browsers. This
content is managed by SAP ICF and maintained using transaction SICF. Some ICF services
can be misused, which may allow unauthorized access to system functionality.


Figure 73: Reducing Attack Surface by Limiting ICF Services

Handling Web-Enabled Content in SAP ICF

Only ICF services that are required for business scenarios need to be enabled. Not every
ICF service needs to be enabled in SAP production systems.

If it is suspected that more ICF services are activated than necessary, the actual usage of
ICF services can be analyzed and services can be maintained collectively with SAP ECC 7.0
onwards. For information on mass maintenance of ICF services, refer to SAP Note
1498575.

Short-term recommendation: Review at least the ICF services that do not require user
authentication. This includes all services in /sap/public as well as services with stored
logon data.

Short-term recommendation: Deactivate at least the ICF services that are listed in the
table if they are not used in your business scenarios.

SICF Service                   SAP Note
/sap/bc/soap/rfc               SAP Note 1394100
/sap/bc/echo                   SAP Note 626073
/sap/bc/FormToRfc              SAP Note 626073
/sap/bc/report                 SAP Note 626073
/sap/bc/xrfc                   SAP Note 626073
/sap/bc/xrfc_test              SAP Note 626073
/sap/bc/error                  SAP Note 626073
/sap/bc/webrfc                 SAP Note 865853
/sap/bc/bsp/sap/certreq        SAP Note 1417568
/sap/bc/bsp/sap/certmap        SAP Note 1417568
/sap/bc/gui/sap/its/CERTREQ    SAP Note 1417568
/sap/bc/gui/sap/its/CERTMAP    SAP Note 1417568
/sap/bc/bsp/sap/bsp_veri       SAP Note 1422273
/sap/bc/IDoc_XML               SAP Note 1487606
/sap/bc/srt/IDoc               SAP Note 1487606
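The two short-term recommendations above can be applied mechanically to an export of the SICF service tree. The script below is an added example for this section; it is not SAP code and not the mass-maintenance function from SAP Note 1498575. The service list is constructed, and two simplifications are assumptions of the example: paths are compared case-insensitively, and a service listed in the table also covers the sub-nodes beneath it.

```python
"""Added example: review an export of active ICF services against the
recommendations above. The service list at the bottom is constructed."""
from dataclasses import dataclass
from typing import List, Tuple

# Services from the table above, mapped to the SAP Note that discusses them.
RECOMMENDED_DEACTIVATION = {
    "/sap/bc/soap/rfc": "1394100",
    "/sap/bc/echo": "626073",
    "/sap/bc/FormToRfc": "626073",
    "/sap/bc/report": "626073",
    "/sap/bc/xrfc": "626073",
    "/sap/bc/xrfc_test": "626073",
    "/sap/bc/error": "626073",
    "/sap/bc/webrfc": "865853",
    "/sap/bc/bsp/sap/certreq": "1417568",
    "/sap/bc/bsp/sap/certmap": "1417568",
    "/sap/bc/gui/sap/its/CERTREQ": "1417568",
    "/sap/bc/gui/sap/its/CERTMAP": "1417568",
    "/sap/bc/bsp/sap/bsp_veri": "1422273",
    "/sap/bc/IDoc_XML": "1487606",
    "/sap/bc/srt/IDoc": "1487606",
}
PUBLIC_PREFIX = "/sap/public"   # services here need no user authentication


@dataclass(frozen=True)
class IcfService:
    path: str
    active: bool
    stored_logon: bool = False   # logon data stored in the service node


def _normalize(path: str) -> str:
    # Assumption: compare case-insensitively and without a trailing slash.
    return path.lower().rstrip("/")


def _under(path: str, node: str) -> bool:
    """True if path equals node or lies below it in the service tree."""
    p, n = _normalize(path), _normalize(node)
    return p == n or p.startswith(n + "/")


def review_icf_services(services: List[IcfService]) -> List[Tuple[str, str, str]]:
    """Return (path, category, detail) findings for the active services."""
    findings = []
    for svc in services:
        if not svc.active:
            continue   # inactive services need no action
        for node, note in RECOMMENDED_DEACTIVATION.items():
            if _under(svc.path, node):
                findings.append((svc.path, "deactivate",
                                 f"listed service {node}, see SAP Note {note}"))
                break
        if _under(svc.path, PUBLIC_PREFIX):
            findings.append((svc.path, "review", "no user authentication (/sap/public)"))
        elif svc.stored_logon:
            findings.append((svc.path, "review", "stored logon data in service node"))
    return findings


# Constructed SICF export for a system that still has some delivery defaults active.
SAMPLE_SERVICES = [
    IcfService("/sap/bc/gui/sap/its/webgui", True),
    IcfService("/sap/bc/soap/rfc", True),
    IcfService("/sap/bc/echo", False),
    IcfService("/sap/bc/WEBRFC", True),
    IcfService("/sap/public/bc", True),
    IcfService("/sap/bc/bsp/sap/zcustom_app", True, stored_logon=True),
]

if __name__ == "__main__":
    for path, category, detail in review_icf_services(SAMPLE_SERVICES):
        print(f"{category:10} {path:35} {detail}")
```

The "deactivate" findings go straight into the SICF maintenance list; the "review" findings need a decision by the business-scenario owner, because a public or stored-logon service may well be required.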

Virtual Hosts

Figure 74: Using Virtual Hosts

Virtual hosts are used to set up individual HTTP service trees from several IP addresses. The
user specifies virtual hosts by using profile parameter is/HTTP/virt_host_<xx>.

IP Address     Host Name
10.20.30.40    intranet.mycompany.com
25.20.50.60    myhost.mycompany.com

Define whether there must be several virtual hosts using the is/HTTP/virt_host_<n> =
<host1>:port1;<host2>:<port2>;...; profile parameter, where <n> stands for numbers 0-9.
The profile parameter can be changed statically in the instance profile, or dynamically using
transaction RZ11. Transaction RZ11 also contains parameter documentation. Note that
parameter is/HTTP/virt_host_0 = *:*; is set and cannot be changed. As a result, if no other
virtual host is found, the default host number is 0. The default host shows up in the HTTP
service tree for transaction SICF as default_host. Initially, this was the only virtual server.
Each user accesses the tree that corresponds to the user’s virtual host. To avoid namespace
conflicts, all other hosts provided by SAP begin with SAP.
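The parameter syntax and the fallback to host 0 described above can be modelled in a few lines. The following is an added example for this section, not SAP code and not the ICM's actual implementation; the profile values are constructed (they reuse the two host names from the table), and the rule that hosts 1 to 9 are tried in ascending order is an assumption of the example, as the text only states that host 0 is the default when no other host matches.

```python
"""Added example: model the is/HTTP/virt_host_<n> parameters and the lookup of
the virtual host for an incoming request. Profile values are constructed."""
import re
from typing import Dict, List, Tuple

HostPattern = Tuple[str, str]          # (host or '*', port or '*')
PARAM_RE = re.compile(r"^is/HTTP/virt_host_(\d)$")   # <n> is a single digit 0-9


def parse_virt_host(value: str) -> List[HostPattern]:
    """Parse '<host1>:<port1>;<host2>:<port2>;...;' into (host, port) pairs."""
    patterns = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue                      # the trailing ';' leaves an empty item
        host, sep, port = item.rpartition(":")
        if not sep or not host or not port:
            raise ValueError(f"virtual host entry must be host:port, got {item!r}")
        patterns.append((host.lower(), port))
    return patterns


def build_virtual_hosts(profile: Dict[str, str]) -> Dict[int, List[HostPattern]]:
    """Return {n: patterns}. Host 0 is always '*:*' and cannot be overridden."""
    hosts = {0: [("*", "*")]}
    for name, value in profile.items():
        match = PARAM_RE.match(name)
        if not match:
            continue                      # unrelated profile parameter
        n = int(match.group(1))
        if n == 0:
            raise ValueError("is/HTTP/virt_host_0 is fixed to *:* and cannot be changed")
        hosts[n] = parse_virt_host(value)
    return hosts


def select_virtual_host(hosts: Dict[int, List[HostPattern]],
                        request_host: str, request_port: int) -> int:
    """Return the number of the first virtual host whose pattern matches the
    request (hosts 1-9 in ascending order, an assumption of this example);
    0 (default_host) if none matches."""
    for n in sorted(k for k in hosts if k != 0):
        for host, port in hosts[n]:
            if host in ("*", request_host.lower()) and port in ("*", str(request_port)):
                return n
    return 0


# Constructed profile using the two host names from the table above.
SAMPLE_PROFILE = {
    "is/HTTP/virt_host_1": "intranet.mycompany.com:8000;intranet.mycompany.com:8443;",
    "is/HTTP/virt_host_2": "myhost.mycompany.com:*;",
    "icm/server_port_0": "PROT=HTTP,PORT=8000",   # unrelated parameter, ignored
}

if __name__ == "__main__":
    hosts = build_virtual_hosts(SAMPLE_PROFILE)
    for req in (("intranet.mycompany.com", 8000), ("myhost.mycompany.com", 1080),
                ("other.mycompany.com", 8000)):
        print(req, "-> virtual host", select_virtual_host(hosts, *req))
```

A request that matches none of the configured hosts lands in the default_host tree, which is why the services activated under default_host deserve the same review as those under the explicitly configured virtual hosts.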
As of SAP NetWeaver AS 7.10, the ICM replaces the Java dispatcher in SAP NetWeaver AS for
Java. The ICM for SAP NetWeaver AS for Java can be configured using the profile of the Java
instance. The same options are available as for SAP NetWeaver AS for ABAP.
Transaction SMICM is not available on a Java system; therefore, the ICM is monitored using
the administration framework of the ICM.


The ICM administration framework is accessed using the <protocol>://<message server
host>:5$$00/sap/admin URL. For administrative access to the ICM administration
framework, a special user is necessary. These users are maintained in a text file, which
defaults to /usr/sap/<SID>/SYS/global/security/data/icmauth.txt. You can maintain this
file using the icmon program, which is installed in the exe directory of SAP NetWeaver AS. For
more information, go to http://help.sap.com and search for icmon.
The SAP Management Console uses the administrative interface of the ICM to show
information regarding the ICM. To use this information, in SAP MMC, navigate to the ICM
node beneath the application server node.

SAP Message Server Security


SAP Message Server is a system component that provides two services. The server manages
SAP communication between the application servers of a single SAP system and also
provides load-balancing information to clients, such as the SAP GUI. In standard installations
before SAP Release 7.0, both clients and application servers used the same message server
port for communication. As of Release 7.0, default installations automatically split the
message server port into an internal port (used for application server connections) and an
external port (used for end user connections). This is defined using the rdisp/mshost, rdisp/
msserv, and rdisp/msserv_internal profile parameters.
Without appropriate security measures, malicious programs on client machines can
potentially access the message server to disrupt application server communication. This can
potentially lead to privilege escalation. Therefore, SAP strongly recommends that you
implement the security measures to mitigate the risks of unauthorized SAP Message Server
access.

Releases           Recommended Configuration

Up to 4.5          The SAP Message Server port (rdisp/mshost, rdisp/msserv) must be firewalled. Only network
                   segments with SAP servers should be granted access to this port. Client networks must be
                   blocked from accessing SAP Message Server. This impacts the ability to provide load-balancing
                   functionality to SAP GUI clients.

4.6                The SAP Message Server services must be separated in two ports. For more information, see
                   SAP Note 1421005. One port is used for the SAP GUI client access (rdisp/msserv), and the
                   other is used for access to internal server communication (rdisp/msserv_internal). Internal
                   system communication needs to be firewalled. Only network segments with SAP servers should
                   be granted access to internal server communication. Additional information is provided in the
                   SAP NetWeaver Security Guide. Refer to SAP NetWeaver 7.01 online documentation, path:
                   SAP NetWeaver Library → Administrator’s Guide → SAP NetWeaver Security Guide → Security
                   Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS →
                   Security Settings for the SAP Message Server.

6.40 and higher    In addition to the measures recommended for Release 4.6, the SAP Message Server ACL
                   should be activated that lists all relevant network interfaces (for example, including failover
                   interfaces) of all application servers (ms/acl_info).

In addition to access restrictions for SAP Message Server, we recommend that you restrict
access to remote message server monitoring (ms/monitor = 0). For more information, see
SAP Note 821875.

Message Server Access Control List (ACL)


The ms/acl_info parameter specifies a file with access rights to the message server
(default: /usr/sap/<SID>/SYS/global/ms_acl_info; for Microsoft Windows, the file extension
must be .DAT).
If the file exists, it must contain all machine names, domains, IP addresses, and subnet masks
for the application servers that are allowed to log on to the message server. You can either list
the names or enter each name in a separate line. This file does not affect external clients that
only want to retrieve information from the message server, which is always possible.
The HOST entries must have the syntax: HOST= [*| ip_adr | host_name |
Subnet_mask | Domain ] [, ...].

HOST Entry Description


HOST=*                 All hosts are allowed
HOST=host1, host2      Logons allowed from host1 and host2
HOST=*.sap.com         All hosts in the sap.com domain can log on
HOST=147.45.56.32      Hosts with this IP address can log on
HOST=147.45.56.*       Hosts with this subnet can log on

Caution:
Set the file system access authorizations for the file to a value that prevents
unwanted modifications.

You can also read the file in transaction SMMS and add, change, or delete dynamic entries
there (SMMS → Goto → Security Settings → Access Control).
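Before an ACL file is activated it is worth checking which application servers it actually admits, because a HOST list that omits a failover interface stops that server from logging on to the message server. The following parser and matcher are an added example for this section, not SAP code and not the message server's own evaluation; the ACL text is constructed, and it covers the entry forms shown in the table above (any host, host name, domain, single IP address, subnet with wildcard octets) but no other notation.

```python
"""Added example: parse the HOST= entries of an ms_acl_info file and decide
whether a connecting application server is allowed to log on. The ACL text
at the bottom is constructed."""
import ipaddress
from typing import List

SUBNET_CHARS = set("0123456789.*")   # entries made only of these are IP patterns


def parse_ms_acl(text: str) -> List[str]:
    """Return the individual entries of all HOST= lines (comma-separated or
    one per line, as the documentation above permits)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.upper().startswith("HOST="):
            raise ValueError(f"unsupported line in ms_acl_info: {raw!r}")
        for entry in line[len("HOST="):].split(","):
            entry = entry.strip()
            if entry:
                entries.append(entry)
    return entries


def _subnet_match(pattern: str, ip: str) -> bool:
    """Match 147.45.56.* style entries octet by octet."""
    want, have = pattern.split("."), ip.split(".")
    return len(want) == 4 and len(have) == 4 and all(
        w == "*" or w == h for w, h in zip(want, have))


def entry_matches(entry: str, host_name: str, ip: str) -> bool:
    """Apply one HOST entry to a connecting host."""
    if entry == "*":
        return True                                  # all hosts are allowed
    if entry.startswith("*."):                       # domain, e.g. *.sap.com
        return host_name.lower().endswith(entry[1:].lower())
    if set(entry) <= SUBNET_CHARS:
        if "*" in entry:                             # subnet with wildcard octets
            return _subnet_match(entry, ip)
        try:                                         # single IP address
            return ipaddress.ip_address(entry) == ipaddress.ip_address(ip)
        except ValueError:
            return False
    return entry.lower() == host_name.lower()        # plain host name


def is_allowed(entries: List[str], host_name: str, ip: str) -> bool:
    """An application server may log on if any entry matches."""
    return any(entry_matches(e, host_name, ip) for e in entries)


# Constructed ACL: two named application servers, one domain, one explicit
# address and one subnet.
SAMPLE_ACL = """\
HOST=appsrv01.mycompany.com, appsrv02.mycompany.com
HOST=*.sap.com
HOST=147.45.56.32
HOST=10.20.30.*
"""

if __name__ == "__main__":
    acl = parse_ms_acl(SAMPLE_ACL)
    for peer in (("appsrv01.mycompany.com", "10.0.0.5"),
                 ("client17.mycompany.com", "10.0.0.77")):
        print(peer, "allowed" if is_allowed(acl, *peer) else "rejected")
```

As the text above notes, the ACL only governs logons by application servers; clients that merely query load-balancing information from the message server are not affected by it, so the check here says nothing about the firewalling of the external port.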

LESSON SUMMARY
You should now be able to:

Secure the message server and the Internet Communication Manager (ICM)



Unit 3
Lesson 5
Securing the SAP GUI

LESSON OVERVIEW
This lesson provides an overview of fundamental security measures on a front-end system.
The lesson also introduces the security features of SAP GUI for Microsoft Windows.

Business Example
To ensure the security of the front-end computer, you need to configure security features of
SAP GUI for Microsoft Windows. For this reason, you require an understanding of the
following:

Front-end security

Security settings of SAP GUI for Microsoft Windows

How to maintain security settings in SAP GUI for Microsoft Windows

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Secure the SAP GUI


SAP GUI Security


Front-End Security

Figure 75: Front-End Security Overview

The figure, Front-End Security Overview, highlights the components of an SAP environment.
To ensure front-end security in an SAP environment, various measures must be taken at the
front end, such as operating system (OS) patching, virus scanner, and an intrusion prevention
system. To prevent SAP GUI for Microsoft Windows from performing operations that might
put the security of the workstation at risk, you can use the security settings of the SAP GUI
system.
SAP NetWeaver AS for ABAP-based SAP systems can access security-critical functionality on
SAP GUI user workstations with the permission of the user (for example, uploading or
downloading files, changing Microsoft Windows registry, and executing programs). SAP GUI
for Microsoft Windows 7.10 introduced the possibility of alerting users in the event of security
access from ABAP systems. The option of alerting users to security events can be enabled by
the security administration in the system but the users need to confirm the access requests.
This alerting option can lead to many security alerts.
SAP GUI for Microsoft Windows improves the granularity and flexibility of security event
handling. This improvement is implemented using configurable security rules. SAP GUI for
Microsoft Windows offers a default set of security rules that can be extended by customers.
This feature mitigates the risk of malicious attacks on SAP GUI for Microsoft Windows
workstations from ABAP systems that have been compromised.


Caution:
We strongly recommend implementing the following security measures:

Deploy the latest SAP GUI for Microsoft Windows version and patch level on
all the user workstations.

Activate SAP GUI for Microsoft Windows security rules using at least the
security rule setting Customized and default action Ask.

SAP GUI for Microsoft Windows – Security Settings


A default security configuration is delivered with SAP GUI for Microsoft Windows that
suppresses many potentially malicious actions and permits the actions that are required.
However, this configuration must be adapted to the requirements of your company. The SAP
GUI for Microsoft Windows security module supports the administrator both in creating a
configuration and in distributing this configuration file by providing a central repository.

SAP GUI for Microsoft Windows Security Module – Status Levels


The SAP GUI for Microsoft Windows security module has the following status levels:

Disabled

Customized

Strict Deny

If the status level is set to Disabled, no security checks take place. Each request received from
the back-end system to read, write, or execute a program is immediately executed. In this
case, the user is not aware that an action triggered by the back-end system is being
performed. Therefore, this setting involves the danger of undesirable actions that are
executed remaining undetected, which may cause damage.

Caution:
We recommend avoiding the Disabled status level. It is suitable only for
restricted system situations.

The Strict Deny status level denies the execution of each individual action triggered by the
back-end system unless explicitly permitted by a rule defined by SAP. The SAP rules permit,
for example, the user to call help for the application. In practice, it is often not possible to use
this setting because many SAP applications access resources on the client machine, such as
downloads, uploads, and the execution of programs.
The Customized status level is the default setting when you install SAP GUI for Microsoft
Windows. When a request for an action is received from a back-end system, SAP GUI for
Microsoft Windows searches the list of security rules entered to evaluate the request. The
security rules are processed in accordance with their order in the list.
Whenever a request to perform an action is received, SAP GUI automatically works through
the list of rules from top to bottom. If a suitable rule is found, SAP GUI terminates the search.
This means that rules below this point that may also apply are ignored. If there is a rule
relating to the requested action, SAP GUI proceeds as defined in this rule. If there are no
settings in the rules with regard to a particular action request, SAP GUI selects the default
action defined. The default action is usually the query dialog that lets the user decide whether
to execute (Default Action = Ask). However, you can also choose to permit action requests for
which there are no rules (Default Action = Allow).
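The evaluation order described above (status level first, then the rule list from top to bottom with the first match winning, then the default action) is easy to get wrong when writing administrator rules, because a broad rule placed early silently shadows a more specific one below it. The following model is an added example for this section, not SAP code and not the real security module; the rule fields, the action-type names and the rule list are constructed, and the real saprules.xml carries more attributes than the model.

```python
"""Added example: a model of how the SAP GUI security module works through its
rule list. Rules and requests are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

ASK, ALLOW, DENY = "Ask", "Allow", "Deny"
DISABLED, CUSTOMIZED, STRICT_DENY = "Disabled", "Customized", "Strict Deny"


@dataclass(frozen=True)
class Rule:
    origin: str        # "SAP", "Administrator" or "User"
    action_type: str   # e.g. "Execute program", "File write" (names constructed)
    pattern: str       # object the rule applies to, '*' and '?' as wildcards
    context: str       # system context the rule applies to, '*' = any
    decision: str      # ALLOW or DENY


def matches(rule: Rule, action_type: str, obj: str, context: str) -> bool:
    # Windows paths are case-insensitive, so compare in lower case.
    return (rule.action_type == action_type
            and rule.context in ("*", context)
            and fnmatchcase(obj.lower(), rule.pattern.lower()))


def evaluate(status: str, rules: List[Rule], default_action: str,
             action_type: str, obj: str, context: str) -> str:
    """Decide one back-end request: Allow, Deny or Ask (query the user)."""
    if status == DISABLED:
        return ALLOW                       # no checks at all
    if status == STRICT_DENY:
        # Only an explicit permission in an SAP rule lets the action through.
        return ALLOW if any(r.origin == "SAP" and r.decision == ALLOW
                            and matches(r, action_type, obj, context)
                            for r in rules) else DENY
    if status == CUSTOMIZED:
        for rule in rules:                 # top to bottom, first match wins
            if matches(rule, action_type, obj, context):
                return rule.decision
        return default_action              # no rule: Ask or Allow
    raise ValueError(f"unknown status level {status!r}")


def add_generated_rule(rules: List[Rule], decision: str, action_type: str,
                       obj: str, context: Optional[str] = None) -> List[Rule]:
    """'Always allow' / 'Always allow in this context' from the query dialog:
    append a User rule that matches exactly the present situation."""
    generated = Rule("User", action_type, obj, context or "*", decision)
    return rules + [generated]


# Constructed rule list as an administrator might distribute it. The second
# rule is never reached: the broader Deny above it matches first.
SAMPLE_RULES = [
    Rule("Administrator", "Execute program", r"C:\Windows\System32\*", "*", DENY),
    Rule("Administrator", "Execute program", r"C:\Windows\System32\notepad.exe", "*", ALLOW),
    Rule("Administrator", "File write", r"C:\Users\*\Downloads\*", "PRD", ALLOW),
]

if __name__ == "__main__":
    req = ("Execute program", r"C:\Windows\System32\notepad.exe", "PRD")
    print(evaluate(CUSTOMIZED, SAMPLE_RULES, ASK, *req))   # Deny, not Allow
```

The shadowing case is the one to remember when reviewing a distributed rule file: move specific Allow rules above the broad Deny they are meant to carve out of, or they have no effect.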

Security Rules

Figure 76: SAP GUI for Microsoft Windows – Security Rules

To create and manage the security rules, in the SAP GUI Options - SAP Logon dialog box,
choose Security Settings. In SAP GUI, choose Customize Local Layout → Options → Security →
Security Settings.
Security rules can have the following origins:

SAP

Administrator

User

Rules of SAP origin are created by SAP and installed together with SAP GUI for Microsoft
Windows. Neither users nor administrators can edit these rules or change their sequence.
These rules are taken into account only if the status has been set to Customized. These rules
protect important local objects that are required for the operation of SAP GUI for Microsoft
Windows. These objects include registry values or specific files that contain configuration
information.
Rules of Administrator origin are created by the administrator, who is responsible for
distributing SAP GUI for Microsoft Windows. A user cannot change these rules.
A user of SAP GUI for Microsoft Windows can create additional security rules of User origin
for the local working environment.


Rules can be generated by executing security-relevant actions if the status is set to
Customized and the default action is set to Ask. In this case, if there is no rule, a query is
shown (at the place where we define the rules) for the requested action. The options available
to the user depend on the action to be performed. For example, the system attempts to
execute a file on the client PC. If the user’s decision applies only to the current situation and
the user chooses Allow/Deny this one time, there are no consequences for future queries of
this type. However, if the user makes a permanent decision and chooses Always allow or
Always allow in this context, a security rule is automatically generated that corresponds
exactly to the present situation. This rule is added to the end of the existing list of rules and is
taken into account for subsequent requests of this type.
In a second variant of the query dialog box, there are two additional options (for example,
when uploading files using SAP GUI for Microsoft Windows): Always permit in this context for
this file type and Always permit for this file type. These two options also lead to the creation of
a security rule against which subsequent requests are checked. In this way, security rules can
be automatically generated while running the operation.

Hint:
You can also manually create rules in Security Settings. To do this, scroll down
the list of rules and select the empty entry at the bottom. The Insert button is
then active.

Administration of Security Settings


Security rules that are created for a large number of users or front ends are centrally stored in
a server by an administrator. The administrator can use the Microsoft Windows registry
values below the registry key [HKEY_LOCAL_MACHINE\Software\SAP\SAPGUI Front\SAP
Frontend Server\Security] to configure the behavior of the security module.

Note:
For more information, see SAP Library for SAP GUI for Windows Security Guide on
SAP Help Portal at http://help.sap.com .

To create a rule file as an administrator, you use the rule editor in the Security node of the
Options dialog box. The administrator then needs to copy the generated saprules.xml file from
the file system directory %APPDATA%\SAP\Common to the location specified in the
registry value.

Caution:
Do not replace the saprules.xml file in the installation directory of SAP GUI for
Microsoft Windows 7.30 or higher. This file is overwritten during a subsequent
installation, for example, by a patch.

LESSON SUMMARY
You should now be able to:

Secure the SAP GUI



Unit 3
Lesson 6
Monitoring SAP Systems Security

LESSON OVERVIEW
This lesson describes how to use the security audit log to monitor SAP systems. It also
describes how to use the User Information System in the SAP system. In addition, it describes
the alert monitor.

Business Example
You want to monitor SAP systems using various SAP monitoring tools. For this reason, you
require an understanding of the following:

Security monitoring

Application Server ABAP (AS ABAP) and Application Server Java (AS Java) security audit
logs

How to set up the security audit log in ABAP and Java

How to configure the system trace

How to use security audit logs and the User Information System

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Monitor security in SAP systems

Monitoring Security
Security Monitoring Overview
SAP systems can become unsecure if previously applied security configurations are reverted
or disabled. Security configuration monitoring is therefore recommended to regularly verify
applied security configurations (recommended at least once a month). Identified deviations
must be realigned. SAP offers various granularities for security configuration monitoring.
The configuration tools and techniques that can be set up through SAP Solution Manager are
as follows:

SAP EarlyWatch Alert service

EarlyWatch Alert (EWA) is a tool that monitors the essential administrative areas of SAP
components and keeps customers up to date on their performance and stability. As part of
EWA, SAP also provides selected checks on security-relevant configuration (including the
implementation status of relevant SAP Security Notes). For more information, see SAP
Note 863362 and SAP Library for SAP EarlyWatch Alert on the SAP Help Portal at
http://help.sap.com.

SAP Security Optimization Service (SOS)

SOS is designed to check the security of your SAP system. This service comprises a
system analysis and the resulting recommendations for system settings. It addresses
system and Customizing settings that impact system security. In addition, it focuses on
internal and external system security.
To improve the internal security, many critical authorization combinations are checked.
External security is improved by checking the access possibilities to your system and the
authentication methods used. This service checks the configuration of an SAP system on
predefined security topics. For more information, see SAP Library for SAP SOS on the SAP
Help Portal at http://help.sap.com.

SAP Computing Center Management System (CCMS)

CCMS is a general framework to monitor an SAP system and raise alerts for events. CCMS
can be customized to monitor security-critical settings and alert you in the event of
changes.

SAP Solution Manager Diagnostics (SMD)

SMD Configuration Validation Reporting delivers a generic framework to verify
configurations of connected managed SAP systems. This framework is used to define
expected system configurations according to policies and guidelines and compare them
against the actual configuration of managed SAP systems. For more information about
Configuration Validation, see SAP Library on SAP Help Portal at http://help.sap.com.

Recommended Security Measures for SAP Systems

To ensure that SAP systems are secure, the following security measures are recommended:

Define which security configurations must be monitored.

Implement a solution to monitor relevant security configurations and provide an alert in
the event of deviations.

SAP NetWeaver AS for ABAP Security Audit Log

Figure 77: Security Audit Log – Audit Log Event Filter



Lesson: Monitoring SAP Systems Security

The security audit log is a tool designed for auditors who need to take a detailed look at what
occurs in the SAP system. By activating the audit log, you keep a record of those activities in
SAP NetWeaver AS for ABAP-based systems that you consider relevant for auditing. This
information is recorded daily in an audit file on each application server. To determine the
information to be written to this file, the audit log uses filters that are stored in memory in a
control block.
When an event occurs that matches an active filter (for example, a transaction starts), the
audit log generates a corresponding audit message and writes the message to the audit file. A
corresponding alert is sent to the CCMS alert monitor. Details of the events are provided in
the audit analysis report of the security audit log.
The security audit log is active only if you use transaction SM19 to maintain and activate the
profiles.
In the profile parameter FN_AUDIT, the eight + symbols represent the date, which is
automatically substituted with the current date by the system.
If rsau/max_diskspace/per_file is used, the rsau/local/file parameter is no longer
valid and is not analyzed. Instead, the parameters DIR_AUDIT and FN_AUDIT are used. The
rsau/max_diskspace/per_file parameter defines the maximum size of a single security
audit file.
The rsau/max_diskspace/local parameter specifies the maximum size of a security audit
file. If this size is reached, the system stops logging audit events.
The rsau/selection_slots parameter specifies the number of filters (selection slots) that
can be set using transaction SM19 and that the system checks when processing events for
the security audit log.

Information Recorded in the Security Audit Log

Successful and unsuccessful dialog logon attempts

Successful and unsuccessful Remote Function Call (RFC) logon attempts

RFC calls to function modules

Successful and unsuccessful transaction starts

Successful and unsuccessful report starts

Changes to user master records

Changes to the audit configuration

Caution:
The security audit log contains personal information that may be protected by
data protection regulations. Before using the security audit log, ensure that you
adhere to the data protection laws that apply to your area of application.

You can specify the information you want to audit in filters, with which you can do one of the
following:

Create and save permanently in the database in static profiles


You use this procedure to create profiles of security audit filters in the database of SAP
NetWeaver AS for ABAP. All nodes of a cluster use identical filters for determining which
events to record in the audit log. You create profiles for different auditing scenarios. Once
activated, the SAP NetWeaver AS for ABAP loads the profile when the system starts. The
SAP NetWeaver AS for ABAP uses the filters defined in the profiles to write events to the
security audit log. By default, no security audit log is activated. To create static
profiles, you must set the profile parameter rsau/enable and restart the system.

Change dynamically on one or more application servers

You use this procedure to change the filter settings currently in use, without having to
restart the SAP NetWeaver AS for ABAP. The system distributes these changes to all
active application servers.

To determine what you want to audit, you create the selection criteria by calling transaction
SM19.
For each selection criterion that you want to define, choose the user, audit classes, client, and
security levels. The security levels selected specify the levels of events (audit messages) to be
included in the audit log. Messages with the chosen level and higher levels are included in the
log.
For example, if you select low, all messages with a security level of low, average, and
high are included in the selection. If you select high, only high-level messages are included.
High-level messages and the Only Critical option describe events involving a high-level
security risk, such as unauthorized access attempts. All audit events are defined in the
system log messages with the prefix "AU". You can view the assignment of the events to audit
classes and security levels using the system log message maintenance (transaction SE92).
You can also modify these definitions.
For the client and user entries, you can use * as a wildcard for all clients or users. By default,
a partially generic entry such as 0* or ABC* is not possible; to allow it, activate the profile
parameter rsau/user_selection. This enables the use of ABAP patterns: asterisk (*) for
any character string, plus sign (+) for any single character, and number sign (#) to escape
wildcards, spaces at the end of strings, and so on. Otherwise, only the asterisk (*) is a
wildcard.
For each selection criterion you apply to your audit, select the Selection Active tab page.
After specifying the selection criteria, save the data. For the application server to use the
profile at the next server start, choose Profile → Activate. The name of the active profile
appears in the Active Profile field.


Figure 78: Security Audit Log – Audit Configuration Selection Criteria

The figure, Security Audit Log – Audit Configuration Selection Criteria, shows the initial
screen for the security audit logs. For each selection criterion that you want to define, choose
the client, user names, audit classes, and events.
The events selection specifies the levels of events (audit messages) that you want to include
in the audit log. Messages with the chosen level and higher levels are included in the log. If you
select All, all messages with a security level of low, average, and high are included in the
selection. If you select Only Critical, only high-level messages are included.

Figure 79: Security Audit Log: Security Audit Profile Parameters


The security audit log is active only if you use transaction SM19 to maintain and activate the
profiles. Set the profile parameters as shown in the figure, Security Audit Log: Security Audit
Profile Parameters.
To display the profile parameters in transaction SM19, choose Environment → Profile
Parameter. Auditing is activated only if the rsau/enable parameter is set. Audit profile
activation is also achieved by dynamically activating an audit profile in transaction SM19.
The profile parameters DIR_AUDIT and FN_AUDIT describe the path and name of the audit
files. The eight + symbols represent the date, which is automatically substituted with the
current date by the system.
The rsau/max_diskspace/per_file parameter specifies the maximum size of one
security audit file. If this size is reached, the system creates the next file. For example, you
could restrict the size to 650 MB to fit one file on one CD during archiving.
If the rsau/max_diskspace/per_file parameter is set to 0, the parameters rsau/local/file
and rsau/max_diskspace/local are valid and analyzed.

Figure 80: Security Audit Log: Audit Log Transaction SM20N

The security audit log produces a report on the activities that have been recorded in the audit
file. You can analyze a local server, a remote server, or all servers in your SAP system.
To display the initial screen, run transaction SM20 or, starting with Release 6.10, transaction
SM20N. The initial screen is designed in a similar way to the system log (transaction SM21).
The following information is provided on the initial screen:

Time

Work process

Client


User

Transaction code

Terminal ID

Message number

Text describing event

Security Audit Log – Audit Log Details

Figure 81: Security Audit Log: Audit Log Details

The limitations of the security audit log are as follows:

An RFC has no terminal.

The Microsoft Windows Terminal Server maps all events to a single terminal ID.

The time, user ID, and transaction code are displayed in the audit log. You can identify the
terminal ID and track the hacker, as shown in the figure, Security Audit Log: Audit Log Details.
The text in the figure provides the reason for the unsuccessful logon.
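The following script, added here as an example and not part of the SAP handbook, parses a few constructed audit log rows in the SM20 column layout listed above (time, work process, client, user, transaction code, terminal ID, message number, text) and counts failed logons per client and user, flagging the two limitations just described: RFC entries carry no terminal ID, and a Terminal Server maps all sessions to one terminal ID. The tab-separated export layout, the TS- naming prefix for Terminal Server hosts, and the use of message numbers AU2 and AU6 for failed dialog and RFC logons are assumptions.

```python
"""Added example (not from the SAP handbook): failed-logon review over
security audit log rows in the SM20 column layout. Sample rows are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export: one SM20 row per line, tab separated, columns
# time, work process, client, user, transaction code, terminal ID, message, text.
SAMPLE_AUDIT_LOG = """\
10:01:12\t3\t100\tJDOE\tSESSION_MANAGER\tWS-1234\tAU1\tLogon successful (type=A, method=P)
10:02:40\t5\t100\tADMIN\t\tWS-9988\tAU2\tLogon failed (reason=1, type=A, method=P)
10:02:48\t5\t100\tADMIN\t\tWS-9988\tAU2\tLogon failed (reason=1, type=A, method=P)
10:02:55\t5\t100\tADMIN\t\tWS-9988\tAU2\tLogon failed (reason=1, type=A, method=P)
10:03:10\t7\t100\tRFC_BATCH\t\t\tAU6\tRFC/CPIC logon failed (reason=1, type=R)
10:03:15\t7\t100\tRFC_BATCH\t\t\tAU6\tRFC/CPIC logon failed (reason=1, type=R)
10:03:20\t7\t100\tRFC_BATCH\t\t\tAU6\tRFC/CPIC logon failed (reason=1, type=R)
10:04:02\t2\t100\tJDOE\tSU01\tWS-1234\tAU3\tTransaction SU01 started
10:05:30\t4\t000\tDDIC\t\tTS-FARM01\tAU2\tLogon failed (reason=1, type=A, method=P)
10:05:36\t4\t000\tDDIC\t\tTS-FARM01\tAU2\tLogon failed (reason=1, type=A, method=P)
"""

# Assumption: AU2 = dialog logon failed, AU6 = RFC/CPIC logon failed (AU messages, see SE92).
FAILED_LOGON_MESSAGES = {"AU2", "AU6"}
# Assumption: constructed naming convention for Windows Terminal Server hosts.
SHARED_TERMINAL_PREFIXES = ("TS-",)


@dataclass
class AuditEntry:
    time: str
    work_process: str
    client: str
    user: str
    transaction: str
    terminal: str
    message: str
    text: str


def parse_audit_log(raw: str) -> list:
    """Split the tab-separated export into AuditEntry records; reject malformed rows."""
    entries = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"expected 8 columns, got {len(fields)}: {line!r}")
        entries.append(AuditEntry(*fields))
    return entries


def failed_logon_summary(entries, threshold: int = 3) -> dict:
    """Return {(client, user): {"count", "terminals", "caveats"}} for every
    client/user combination that reached `threshold` failed logons.

    The caveats tell the reviewer when the terminal ID cannot be used to
    attribute the attempts: RFC logons have no terminal, and a Terminal Server
    reports one terminal ID for all of its users."""
    counts = defaultdict(int)
    terminals = defaultdict(set)
    for e in entries:
        if e.message in FAILED_LOGON_MESSAGES:
            key = (e.client, e.user)
            counts[key] += 1
            terminals[key].add(e.terminal)

    findings = {}
    for key, n in counts.items():
        if n < threshold:
            continue
        caveats = []
        if "" in terminals[key]:
            caveats.append("RFC logon: no terminal ID recorded")
        if any(t.startswith(SHARED_TERMINAL_PREFIXES) for t in terminals[key]):
            caveats.append("terminal server: terminal ID shared by many users")
        findings[key] = {"count": n, "terminals": sorted(terminals[key]), "caveats": caveats}
    return findings


if __name__ == "__main__":
    for (client, user), f in failed_logon_summary(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(f"client {client} user {user}: {f['count']} failed logons, "
              f"terminals {f['terminals']}, caveats {f['caveats']}")
```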

Note:
For more information, see SAP Note 173743.


SAP NetWeaver AS for Java Security Audit Log

Figure 82: SAP NetWeaver AS for Java Security Audit Log

The security audit log of the SAP NetWeaver AS for Java contains a log of important security
events, such as successful and failed user logons and the creation or modification of users,
groups, and roles.
This information is used by auditors to track changes made in the system. By default, the log
files are available at /usr/sap/<SID>/<Instance>/j2ee/cluster/serverX/security_audit.X.log.
They can be viewed with SAP NetWeaver Administrator, in the log viewer.

Note:
For more information, see SAP Library for SAP NetWeaver online documentation
on the SAP Help Portal at http://help.sap.com and search for the security audit
log of the SAP NetWeaver AS for Java.

User Information System


You can use the User Information System (transaction SUIM) to obtain an overview of the
authorizations and users in your SAP system at any time using the search criteria that you
define. In particular, you can display lists of users with critical authorization.

Hint:
To explicitly search for authorizations that contain the full authorization asterisk
(*), you need to enter a number sign (#) before the asterisk, that is, #*.
Otherwise, the system searches for any values.
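The wildcard rules described earlier in this lesson for rsau/user_selection (asterisk for any string, plus sign for one character, number sign as escape) and the #* escape in this SUIM hint follow the same pattern syntax. The following functions, added here as an example and not part of the SAP handbook, convert such a pattern into a regular expression and apply it to a list of values; the handling of trailing spaces and of a lone trailing # is an assumption.

```python
"""Added example (not from the SAP handbook): ABAP-style filter patterns
as described for rsau/user_selection and the SUIM #* search hint."""
import re


def _strip_unescaped_trailing_spaces(pattern: str) -> str:
    """Trailing spaces are not significant unless escaped with '#'.
    Assumption: an odd number of '#' directly before the spaces escapes one space."""
    stripped = pattern.rstrip(" ")
    if len(stripped) < len(pattern):
        hashes = len(stripped) - len(stripped.rstrip("#"))
        if hashes % 2 == 1:
            return stripped + " "
    return stripped


def abap_pattern_to_regex(pattern: str) -> str:
    """Translate an ABAP pattern into an anchored regular expression.

    *  any character string (including the empty string)
    +  exactly one character
    #  escape: #* is a literal asterisk, #+ a literal plus sign, ## a literal
       number sign, and "# " a significant trailing space
    """
    pattern = _strip_unescaped_trailing_spaces(pattern)
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "#" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))  # next character taken literally
            i += 2
            continue
        if ch == "*":
            out.append(".*")
        elif ch == "+":
            out.append(".")
        else:
            out.append(re.escape(ch))  # also covers a lone trailing '#'
        i += 1
    return "^" + "".join(out) + "$"


def matches(pattern: str, value: str, user_selection: bool = False) -> bool:
    """Decide whether `value` is selected by `pattern`.

    With user_selection=False (profile parameter not set) only a bare '*' is
    generic; every other pattern must equal the value. With user_selection=True
    the full ABAP pattern rules apply."""
    if not user_selection:
        return pattern == "*" or pattern == value
    return re.fullmatch(abap_pattern_to_regex(pattern), value) is not None


def select_values(pattern: str, values: list) -> list:
    """Apply a pattern to authorization field values the way the SUIM hint
    describes: '*' selects everything, '#*' selects only the full authorization '*'."""
    return [v for v in values if matches(pattern, v, user_selection=True)]


if __name__ == "__main__":
    print(abap_pattern_to_regex("0*"))                         # ^0.*$
    print(select_values("#*", ["*", "S_RS_*", "DISPLAY"]))     # ['*']
```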

Functions of the User Information System

Compare roles and users.

Display change documents for the authorization profile of a user.

Display the transactions contained in a role.


Create where-used lists.

Note:
You must regularly check the lists that are important. Define a monitoring
procedure and corresponding checklists to ensure that you continually review
your authorization plan. Determine which authorizations are critical and regularly
review which users have these authorizations in their profiles.

You access the User Information System by running transaction SUIM. You can find the
elements of the authorization system using various selection criteria.

Figure 83: User Information System: Transaction SUIM

The User Information System provides an overview of user master records, authorizations,
profiles, roles, and change dates.
You can display lists to answer the following questions:

What authorization rights are assigned to the users?

What changes have been made to the authorization profile of a user?

Which roles contain a particular transaction?

Table 13: ABAP Standard Reports and Features

You can use the following ABAP standard reports to access the user information directly:

ABAP Standard Report    Features
RSUSR004                Restricts user values to the simple profiles and authorization objects.
RSUSR007                List users whose address data is incomplete.
RSUSR008_009_NEW        With critical authorizations (new version), this report replaces reports
                        RSUSR008 and RSUSR009. You can continue to use the old programs RSUSR008
                        and RSUSR009 until SAP Web AS 6.40.
RSUSR012                Search authorizations, profiles, and users with specified object values.
RSUSR020                Profiles by complex selection criteria.
RSUSR030                Authorizations by complex selection criteria.
RSUSR040                Authorization objects by complex selection criteria.
RSUSR050                Comparisons.
RSUSR060                Where-used lists.
RSUSR061                Enter authorization fields.
RSUSR100                Change documents for users.
RSUSR101                Change documents for profiles.
RSUSR102                Change documents for authorizations.
RSUSR200                List of users according to logon date and password change.
RSUSR300                Set external security name for all users.


System Trace

Figure 84: System Trace: Special Recording

Use the system trace transaction ST01 to track several types of operations in an SAP system.
The following components can be monitored using the SAP system trace:

Authorization checks

Kernel functions

Kernel modules

Database accesses (SQL trace)

Table buffers

RFC calls

Lock operations (client side)

The last four components can be monitored using performance analysis (transaction ST05).
There are two ways of selecting the traces you want to display. On the initial screen, you can
select the components to be logged and additional filters, if required. You can reuse the filters
and restrictions from the traces that have these settings when the traces are evaluated.
You must start tracing by setting the trace options that you require on the trace options
screen. If you start from the set menu on the main screen, then your trace includes all the
active users, which can affect system performance.
The system trace function only traces the internal SAP system activity of the local application
server to which you are currently logged on. The system trace function only works if it can
write to the trace file in the instance log directory at operating system level, for
example: /usr/sap/DVEBMGS00/log . Ensure that there is enough disk space, and that
access authorizations are set correctly.


If you want to protect a trace from being overwritten later, choose Goto → Save from the
menu. On the next screen, you can create a short text for the trace and choose whether the
file that is created specifically for this trace is to be created automatically, or whether you
want to specify a file name yourself. If you do not specify an absolute path, a file of this name
is created in the log directory. In the case of automatic file creation, the system determines
the file name and stores the file in the log directory. Unlike with a manually created file, the F4
help can be used to search for the file from the analysis screen, which is an advantage.

Note:
If you choose automatic creation, you can delete the file again in this transaction
(use the Delete button on the analysis screen). This is not possible if you specify a
file name manually. If you want to delete this file, you need to delete it at the
operating system level.

To display a trace, choose Analyze. You can obtain more information about any entry by
selecting that entry.

Alert Monitor

Figure 85: Alert Monitor: Current Administrator Concerns

The monitoring architecture, a solution within SAP NetWeaver, centrally monitors any IT
environment, from individual systems through networked SAP NetWeaver solutions, to
complex IT landscapes incorporating several hundred systems. The monitoring architecture
is provided in SAP NetWeaver and can be used immediately after installation. You can easily
extend the architecture to include SAP and non-SAP components.
Alerts form a central element of monitoring. Alerts quickly and reliably report errors, such as
values exceeding or falling below a particular threshold value or that an IT component has
been inactive for a defined period of time. These alerts are displayed in the Alert Monitor; this
reduces the system administration workload because the system administrator now only
needs to watch the error messages instead of endless system data. The Alert Monitor is
therefore the central tool with which you can efficiently administer and monitor distributed
SAP NetWeaver solutions or client and server systems. The Alert Monitor displays problems
quickly and reliably to ensure that the appropriate analysis tool is used at the right time.
The following features are listed under the security section of the monitoring tree:

Logon

RFC logon

Transaction start

Report start

RFC call

User master records

System

Miscellaneous

Figure 86: Alert Monitor: Alert Monitoring Tree

The Alert Monitor checks various components of your SAP system. Use transaction RZ20 to
call the Alert Monitor.
The Alert Monitor uses thresholds and rules to generate alerts whenever an abnormal
condition occurs in your SAP system or its environment. Alerts direct your attention to critical
situations. The Alert Monitor reports alerts up through the monitoring tree. The color of a
monitoring tree element (MTE) always represents the highest alert in all MTEs in its branch.
Some screen elements in the alert monitoring tree are as follows:

The open Alerts view shows what has happened in the system since it was last checked.

The current status view shows the most recent values.

The display Alert shows the history of the alert values.

Any problems or errors are displayed in red. Warnings are displayed in yellow. According to
the threshold values, green means that there are no problems. You can use properties to
customize the threshold values for red and yellow alerts. To start the analysis tool,
double-click the alert text that you want to analyze. To display information about certain types
of alert, select the checkbox next to the alert and then choose Display Detailed Alerts. The
Complete Alert button resets the alerts displayed on the screen.

LESSON SUMMARY
You should now be able to:

Monitor security in SAP systems



Unit 3
Lesson 7
Describing Application Lifecycle Management

LESSON OVERVIEW
This lesson describes some of the impacts that SAP HANA brings to security management in
SAP NetWeaver systems.

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Describe the SAP Solution Manager and Security Patching

Describe the process of moving to SAP HANA-based SAP NetWeaver systems

Describe change and transport system security

Outline SAP services

Solution Manager and Security Patching

SAP HANA-Based SAP NetWeaver Systems


Integrated Database User Management
As of SAP NetWeaver Application Server ABAP 7.40 it is possible to manage database users
from ABAP user management.

Figure 87: Database User Management within SU01

Currently, the possibility to manage DBMS users is implemented only for SAP HANA as the
database system. It is, however, possible to connect any other database system that is
supported by SAP NetWeaver AS ABAP through a customer implementation of the interface
IF_DBMS_USER. The implementation for SAP HANA is done in class CL_DBMS_USER_HDB.
SAP NetWeaver AS ABAP and the DBMS have independent security policies. You can create
all possible security policies in SAP NetWeaver AS ABAP to match any security policy in SAP
HANA. You cannot create all possible security policies in SAP HANA to match any security
policy in SAP NetWeaver AS ABAP.

Figure 88: Database Connection Configuration with DBCO

For managing users in the HANA database, you need to provide the connection details in
transaction DBCO. One HANA user needs to be provided with the following privileges:

System privileges: CATALOG READ, ROLE ADMIN, USER ADMIN

Object privileges: EXECUTE for the procedures GRANT_ACTIVATED_ROLE and
REVOKE_ACTIVATED_ROLE

Figure 89: Maintenance View USR_DBMS_SYSTEM

The next configuration step requires that you specify the ABAP client where the database
users will be managed. This can be done in transaction SM30 (maintenance view
USR_DBMS_SYSTEM).



Lesson: Describing Application Lifecycle Management

Figure 90: Report RUSR_DBMS_USERS

The mass maintenance for database users can be done by calling report
RUSR_DBMS_USERS.

Core Data Services Authorizations


The new ABAP Dictionary objects allow a programmer to push authorization checks down to
the database. This drastically changes the way that authorizations for reading and writing
data are designed.

Figure 91: Transaction SACM

In Access Control Management (transaction SACM) you can review the existing Access
Controls and run troubleshooting tools.


Figure 92: Access Controls for Core Data Services Views

To find out which Access Controls exist, you can also query table TADIR for all objects with
type DCLS. An S/4 release 1610 system contains more than 1,600 access controls. One
example of their usage is when you wish to expose a CDS view directly through a Fiori
application.

Figure 93: Example of an Access Control

The Access Control objects can be maintained only with ABAP Development Tools for Eclipse.

Figure 94: Example of an Access Control with ABAP Authorization Objects

An ABAP programmer has the option to reuse existing ABAP authorization objects instead of
filtering accesses based on column values provided by the CDS view.


Change and Transport System Security


Verifying the TMSADM User

Figure 95: Report RSUSR003

The Transport Management System configuration automatically generates the user
TMSADM. In older versions, this user had a well-known password. To check whether the old
password still exists, you can use report RSUSR003 to verify user TMSADM.

Setting the TMSADM Password

Figure 96: STMS Initial Configuration

Recent versions of SAP NetWeaver AS ABAP request a password for the user TMSADM while
configuring the Transport Management System. Older or non-updated versions do not
prompt at all or allow old standard passwords to be kept.


Figure 97: Report TMS Update PWD OF TMSADM

Report TMS_UPDATE_PWD_OF_TMSADM allows you to update the TMSADM password in
the generated RFC destinations. If you are using domain links, please refer to SAP Note 1801805
for further information.

LESSON SUMMARY
You should now be able to:

Describe the SAP Solution Manager and Security Patching

Describe the process of moving to SAP HANA-based SAP NetWeaver systems

Describe change and transport system security

Outline SAP services



Unit 3
Lesson 8
Monitoring Security with SAP Solution
Manager

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Analyze the security monitoring capabilities of SAP Solution Manager

EarlyWatch Alert (EWA)


Business Example
You are working as an administrator responsible for security configurations. Switching to
several SAP systems for parameter validations can be time-consuming. Using reports from a
central position in an SAP landscape gives you an insight into a variety of security-relevant
configurations. For this reason, you require an understanding of the following:

The capabilities of EarlyWatch Alert (EWA)

The Security Optimization Service (SOS)

The Configuration Validation feature of SAP Solution Manager

The capabilities of Solution Manager Parameter Reporting

How to use the parameter reporting feature of SAP Solution Manager

EarlyWatch Alert (EWA)


Monitoring a system landscape is a complex task of significant importance for every company
that operates one or more SAP systems. The complexity increases with every additional
system, component, or extension. SAP Solution Manager, SAP's service and support
platform, helps you efficiently implement, monitor, and operate SAP security-relevant
parameters throughout the SAP system landscape. There are several methods, tools, and
service offerings by SAP that provide fine-grained monitoring capabilities and recommendations
for security improvements.
The Computer Center Management System (CCMS) monitoring architecture is used as a
basis to collect information in the landscape from the SAP system. It offers a flexible
framework into which extensive monitoring and administration functions can be easily added.
The elements of the monitoring architecture function are largely independent of each other.
These elements can be further developed and adjusted independently of each other. Based
on the monitoring architecture, the CCMS in SAP Solution Manager, SAP’s service and
support platform, ensures central and efficient monitoring of SAP.
SAP EarlyWatch is a special service in SAP Solution Manager systems offered for regular,
proactive system diagnosis. With EarlyWatch Alert (EWA), SAP offers the customer a
proactive service that identifies standard problems before they become acute. Suitable
countermeasures are recommended in the resulting reports.


The EarlyWatch family includes EWA on each of the production systems and SAP EarlyWatch
on Solution Manager as a remote service.

Hint:
EWA identifies potential security problems at an early stage. The underlying
concept of EWA is to ensure smooth operation of individual SAP systems by
keeping you informed of their status. In addition, it allows you to take action
before severe technical problems occur.

EWA is a diagnostic tool to monitor your most important business processes and systems.
EWA helps to identify potential problems early, avoid bottlenecks, and monitor the
performance of your systems. Using this mechanism, the security status can be validated for
a predefined set of parameters on a weekly basis. The EWA report also displays an alert when
security-critical SAP Notes are missing or are not applied on the analyzed system.
EWA is included in the maintenance agreement with SAP at no extra cost. By running and
monitoring EWA, you can increase system stability, performance, and security for your entire
solution landscape. EWA monitors solutions in SAP and non-SAP systems in SAP Solution
Manager. SAP Solution Manager processes the EWA reports.

EWA Functionalities
Depending on the status of your system, EWA triggers services such as SAP EarlyWatch
Check. SAP EarlyWatch Checks are automatically triggered by EWA in cases of red flags in
EWA. SAP EarlyWatch Check is performed over a remote connection by a technical service
engineer. Your system is analyzed during the service. The service engineer also diagnoses
particularly complex problems and develops solutions. Each productive system is entitled to a
maximum of two SAP EarlyWatch Checks per year within your maintenance agreement with
SAP (valid for SAP customers with Standard Support agreement).

Caution:
SAP strongly recommends activating EWA for all productive systems.

The EarlyWatch report covers the following security and authorization topics:

User authorization to display all tables

User authorization to start all reports

User authorization for debug or replace

User authorization to display the spool requests of other users

User authorization to administer Remote Function Call (RFC) connections

User authorization to reset or change user passwords

Monitor for missing password changes of one or more standard users

Data can be collected and transferred automatically for all remote sessions. EWA informs the
customer about problems with the data collection. The relevant data is sent from the satellite
systems to the central SAP Solution Manager system for processing and evaluation. EWA for
the satellite systems is also the basis for further analysis. If the overall rating of EWA is red,
the service results are automatically sent to SAP Support. In all the sections rated as yellow or
green, results are sent to SAP Support once every four weeks.
The EWA results are prerequisites for the following SAP services:

SAP GoingLive Check

SAP GoingLive Functional Upgrade Check service

SAP EarlyWatch Check

Security Optimization Service (SOS)


SAP SOS is designed to verify and improve the security of SAP systems. SAP SOS identifies
potential security issues and recommends mitigation strategies. This service comprises a
system analysis and the resulting recommendations for system settings. It addresses system
and Customizing settings that impact your system security. SAP SOS focuses on internal and
external system security.
To improve internal security, many critical authorization combinations are tested. External
security is improved by checking the methods of accessing your system and checking the
authentication methods used. To prepare the session, a questionnaire must be completed.
The results of the tests on various system components are used to produce
recommendations for optimizing the configuration of the system or component being
analyzed.

Hint:
SAP SOS can be used at any time. The best time is during the end of the go-live
phase. The service is also useful when preparing for internal and external audits.
It can be rerun to confirm that the applied changes in the system configuration
have been successful and that no new vulnerabilities have appeared.

The underlying concept of SAP SOS is to ensure smooth operation of your SAP solution by
taking action before severe security problems occur. This test consists of hundreds of checks
based on the SAP Security guidelines and the knowledge of the SAP Security consultants.

Table 14: Checks Performed in the SAP SOS


For SAP NetWeaver AS for ABAP:
    ABAP Basis Administration check
    User Management check
    Super users check
    Password check
    Spool and printer authorization check
    SAP GUI Single Sign-On (SSO) check
    Certificate Single Sign-On (SSO) check
    Background authorization check
    Batch input authorization check
    Transport control authorization check
    Role management authorization check
    Profile parameter check
    External authentication check

For SAProuter:
    Saprouttab check
    Operating system access check
    Secure Network Communication (SNC) check

For SAP NetWeaver AS for Java:
    JAVA Landscape check
    Configuration check
    Secure Socket Layer (SSL) check
    Administration check

Figure 98: SOS Process Flow

Configuration Validation
With Configuration Validation within SAP Solution Manager, SAP offers a tool to validate
various kinds of software configuration items. Configuration Validation helps to standardize
and harmonize configuration items within the ABAP and Java systems, using a single
configuration item repository within SAP Solution Manager. Configuration Validation uses the
centrally stored configuration data to validate a large number of systems using a subset of the
collected configuration data.
The following questions must be answered:

Are all systems at a certain operating system patch level or database patch level?

Have any template configurations for SAP applications or database parameters been
applied to all systems?

Is any kernel release older than six months present on any of the systems?

Have the security policies been applied?

Are the security default settings in place?

To answer these questions, a target system can be defined as a reference system for
comparing values. This target system can be either a real system or a virtual set of manually
maintained configuration items. Based on this reference system, settings are compared in a
consistency check. For some settings, such as STANDARD_USERS and the SAP NetWeaver
Gateway configuration, additional predefined checks can be performed, which are not
consistency-based.
The following checks are part of the standard configuration stores:

Failed transports can be identified (ABAP_TRANSPORTS).

Rules for profile parameters can be defined using number ranges and comparison
operators.

Regular expressions can be used for checks of the SAP Gateway configuration files.

Checks for the status of STANDARD_USERS can be performed.

Configuration store ABAP_NOTES allows checks for software dependencies of SAP Notes.
SNOTE Notes that are already applied are included in the ABAP_NOTES configuration
store.
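To make the comparison concrete, here is an added example (written for this handbook's reader, not SAP code) of how the rules of a reference system can be evaluated against parameter values collected from several systems: exact matches, comparison operators, numeric ranges and a regular expression for a gateway file location, with a value that was not collected counted as a failed check rather than silently ignored. The rule syntax, the system IDs and the parameter values are constructed for the example.

```python
import re

# Constructed rule set standing in for the target ("reference") system.
# Rule forms (assumed syntax for this example, not Solution Manager's):
#   ("==", value)          exact match
#   (">=", n) / ("<=", n)  numeric comparison
#   ("range", lo, hi)      numeric range, inclusive
#   ("regex", pattern)     full-match regular expression, e.g. for gateway file locations
TARGET_RULES = {
    "login/min_password_lng": (">=", 8),
    "login/fails_to_session_end": ("range", 1, 5),
    "login/no_automatic_user_sapstar": ("==", 1),
    "gw/sec_info": ("regex", r"/usr/sap/\w+/SYS/global/secinfo"),
    "login/ticket_only_by_https": ("==", 1),
}

# Constructed profile parameter values "collected" from three satellite systems.
COLLECTED = {
    "DEV": {
        "login/min_password_lng": 8,
        "login/fails_to_session_end": 3,
        "login/no_automatic_user_sapstar": 1,
        "gw/sec_info": "/usr/sap/DEV/SYS/global/secinfo",
        "login/ticket_only_by_https": 1,
    },
    "QAS": {
        "login/min_password_lng": 6,  # below the reference threshold
        "login/fails_to_session_end": 3,
        "login/no_automatic_user_sapstar": 1,
        "gw/sec_info": "/usr/sap/QAS/SYS/global/secinfo",
        "login/ticket_only_by_https": 1,
    },
    "PRD": {
        "login/min_password_lng": 10,
        "login/fails_to_session_end": 3,
        "login/no_automatic_user_sapstar": 1,
        # gw/sec_info was not collected at all: reported as a failed check, not skipped
        "login/ticket_only_by_https": 0,  # plain HTTP would still carry the ticket
    },
}


def check_rule(rule, actual):
    """True if the collected value satisfies the rule; a missing value never passes."""
    if actual is None:
        return False
    op = rule[0]
    if op == "==":
        return str(actual) == str(rule[1])
    if op == ">=":
        return float(actual) >= rule[1]
    if op == "<=":
        return float(actual) <= rule[1]
    if op == "range":
        return rule[1] <= float(actual) <= rule[2]
    if op == "regex":
        return re.fullmatch(rule[1], str(actual)) is not None
    raise ValueError(f"unknown rule operator {op!r}")


def validate(collected, rules):
    """Map each system ID to the (parameter, actual value) pairs that deviate from the reference."""
    findings = {}
    for sid, params in collected.items():
        findings[sid] = [
            (name, params.get(name))
            for name, rule in rules.items()
            if not check_rule(rule, params.get(name))
        ]
    return findings


def compliant_systems(findings):
    """System IDs with no failed checks."""
    return sorted(sid for sid, failed in findings.items() if not failed)


if __name__ == "__main__":
    for sid, failed in validate(COLLECTED, TARGET_RULES).items():
        print(f"{sid}: {'OK' if not failed else 'DEVIATES'} {failed}")
```

Run as a script it prints one line per system; the validate result is what a report or ticketing integration would consume.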

For more information about Solution Manager 7.20, go to: https://blogs.sap.com/2017/03/07/solution-manager-update-new-media-center-for-solman-7.2/ .

LESSON SUMMARY
You should now be able to:

Analyze the security monitoring capabilities of SAP Solution Manager

Unit 3

Learning Assessment

1. Security rules can have which of the following origins?


Choose the correct answers.

X A SAP

X B Customized

X C Administrator

X D User

2. In Application Server ABAP (AS ABAP) and Application Server Java (AS Java) based
systems, several standard users, with pre-configured authorizations, are available directly
after installation.
Determine whether this statement is true or false.

X True

X False

3. What are the available user types in SAP NetWeaver Application Server (AS) for ABAP?
Choose the correct answers.

X A Workflow

X B Dialog

X C System

X D User Administrator

4. Which of the following password rules in Application Server ABAP (AS ABAP) are defined
by the customer?
Choose the correct answers.

X A First three characters may not be identical

X B Minimum length

X C First character cannot be ! or ?

X D Special characters and digits

5. The secinfo file of SAP Gateway can be used to control the start-up of an external Remote
Function Call (RFC) to secure the RFC connection.
Determine whether this statement is true or false.

X True

X False

Unit 3

Learning Assessment - Answers

1. Security rules can have which of the following origins?


Choose the correct answers.

X A SAP

X B Customized

X C Administrator

X D User

2. In Application Server ABAP (AS ABAP) and Application Server Java (AS Java) based
systems, several standard users, with pre-configured authorizations, are available directly
after installation.
Determine whether this statement is true or false.

X True

X False

3. What are the available user types in SAP NetWeaver Application Server (AS) for ABAP?
Choose the correct answers.

X A Workflow

X B Dialog

X C System

X D User Administrator

4. Which of the following password rules in Application Server ABAP (AS ABAP) are defined
by the customer?
Choose the correct answers.

X A First three characters may not be identical

X B Minimum length

X C First character cannot be ! or ?

X D Special characters and digits

5. The secinfo file of SAP Gateway can be used to control the start-up of an external Remote
Function Call (RFC) to secure the RFC connection.
Determine whether this statement is true or false.

X True

X False

UNIT 4 Authentication and Single Sign-On

Lesson 1
Discussing Authentication for SAP NetWeaver AS 132

Lesson 2
Discussing Authentication for SAP Netweaver AS Java 137

Lesson 3
Discussing Authentication for SAP NetWeaver AS ABAP 140

Lesson 4
Configuring UME Parameters for SSO 143

Lesson 5
Discussing Single Sign On with Active Directory 145

UNIT OBJECTIVES

Activate session security

Adapt the logon procedure for SAP NetWeaver Java systems

Work with security-relevant task lists

Customize the SAP logon ticket issued by SAP NetWeaver Java systems

Configure an SAP Netweaver ABAP AS for Single Sign on with Active Directory

Unit 4
Lesson 1
Discussing Authentication for SAP NetWeaver AS

LESSON OVERVIEW
The lesson explains session handling and how to enable session security.

Business Example
You need to activate HTTP security to enable session security of your application server. For
this reason, you require an understanding of the following:

Session handling

How to enable session security

HTTP security sessions

How to check the logon procedure of an Internet Communication Framework (ICF) service

How to activate HTTP security sessions

How to check the default logon method of AS Java

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Activate session security

Session Handling
Stateful Web applications store the application state on the application server. During
communication, only the key to this state is included with each request. The key to the state is
also called session identifier or short session ID. In general, the session ID can be transferred
as a cookie, through a URL parameter, or as a hidden form field.
In addition to the application state, a security state and a corresponding security session may
exist. A security session starts with logging on to the system and ends with logging off the
system. SAP security session IDs are transmitted only through non-persistent cookies.
An attacker can obtain the session ID of the victim and can then act on behalf of the victim,
with the complete set of the victim’s authorizations in the attacked system.

Types of Session Attack


The following types of attack exploit session-handling vulnerabilities:

Session Hijacking
During this type of attack, the attacker steals a valid session ID of the victim. The attacker
then sends a request with this session ID to the server. This can be performed, for
example, by sniffing the network traffic. In some scenarios, the session ID is a part of the
URL. URLs with session IDs can be hijacked if the victim stores the URL in the bookmarks
or sends the URL through e-mail. Assuming the session ID is still valid, the attacker can
act with the full set of the victim’s authorizations.
Session Fixation
During this type of attack, the attacker sets the session ID for a certain user before the
user is authenticated by the application. This can be done by manipulating the URL that is
used by the user to access the Web application. As a result, after user authentication,
both the attacker and the victim know the session ID and can work on the system under
the same user ID.
Session Riding
With this type of attack, the attacker uses the victim’s user agent to send requests to an
application server, resulting in undesired and potentially harmful actions. We strongly
recommend that you implement the session security settings on production systems to
improve session security.

Session Security

Table 15: Security Measures to Help Prevent Unauthorized Access


Product Version | Security Measure | Reference
SAP NetWeaver Application Server (AS) for ABAP 6.10 and higher | login/ticket_only_by_https=1 | SAP Note 1531399
SAP NetWeaver AS for ABAP 7.02, 7.20 and higher | HTTP security session management | SAP Note 1322944
SAP NetWeaver AS for ABAP 7.01, 7.10, and 7.11 | Enable re-authentication | SAP Note 1277022
SAP NetWeaver AS for ABAP 6.40 and 7.00 | Enable re-authentication | SAP Note 1266780
SAP NetWeaver AS for Java 6.40 and higher | SessionIdRegenerationEnabled=true; SystemCookiesHTTPSProtection=true | SAP Note 1310561; SAP Note 1449940

Generally, an ABAP-based application server uses the sap-contextid cookie for identifying
both the application session and the security session.

Session Security Measures


To prevent session fixation and session hijacking attacks, various session security measures
are advisable (for example, re-authentication with SAP NetWeaver 6.40, 7.00, 7.01, 7.10, and
7.11). With active re-authentication, the sap-contextid cookie is not enough to enter a session.
Authentication credentials are checked on every round trip. For more information on re-
authentication in SAP NetWeaver 6.40 and 7.00, see SAP Note 1266780.
Please note that, after an upgrade to SAP NetWeaver 7.01 and higher, methods described in
SAP Notes 1277022 or 1322944 have to be used. For releases 7.01, 7.10, and 7.11 of SAP
NetWeaver, see SAP Note 1277022. Though the method provided with SAP Note 1277022 still
works with SAP NetWeaver 7.02, 7.20, and higher, a new protection mechanism has been
developed and must be used on newer releases of SAP NetWeaver. For more information, see
SAP Note 1322944.
HTTP security session management uses a new, separate cookie to identify the security
session (SAP_SESSIONID_<sid>_<client>). A security session ID and the resultant value of
the SAP_SESSIONID_<sid>_<client> cookie changes upon authentication and programmatic
re-authentication. For more information, see SAP Note 1322944 and SAP NetWeaver Library.
Before activating the HTTP security session management on an AS ABAP-based system that
is accessed from an SAP NetWeaver Portal, you must apply SAP Note 1471069 to the portal.
SAP NetWeaver AS for Java uses the JSESSIONID session cookie for identifying application
and security sessions. A specific protection mechanism was developed that adds an
additional session identifier named JSESSIONMARKID. If this security mechanism is
activated, the security session is identified using the additional non-persistent cookie
JSESSIONMARKID. The JSESSIONMARKID cookie changes after authentication and
programmatic re-authentication, which counters session fixation and hijacking attacks. The
SessionIdRegenerationEnabled Java parameter is available in SAP NetWeaver 6.40 and
higher releases and needs a certain Support Package level. For more information on updating
your systems to use this Java parameter, see SAP Note 1310561.
Some applications require additional configuration, for example, operating an interaction
center with the SAP Customer Relationship Management (SAP CRM) application. For more
information, see SAP Notes 1420203 and 1532777.
To avoid the risk of session cookies being hijacked in the network, we recommend that you
use HTTPS for all browser access from end users to SAP software systems. To prevent a
browser transmitting a session cookie over an unencrypted HTTP communication channel,
the secure cookie attribute for session cookies must be set.
For more information about how to set the SystemCookiesHTTPSProtection attribute for
Java, see SAP Note 1449940 and SAP NetWeaver Library. The settings are available in SAP
NetWeaver 6.40 and higher releases and need a specific Support Package level. It may be
necessary to update your systems to the required levels.
For ABAP systems, you set parameter login/ticket_only_by_https = 1. This parameter is
available in SAP NetWeaver AS 6.10 and higher releases. After enabling this attribute, if
system cookies are required to make the application work, plain HTTP connections will no
longer work. For more information about best practices when activating the recommended
secure session handling, see SAP Note 1531399. Careful regression tests need to be
performed for modified SAP programs and custom applications after applying session
security and HTTPS protection measures.
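As an added defender-side check (not SAP code), the following Python audits the Set-Cookie headers of an HTTP response for the two properties this section calls for: the Secure attribute on the session cookies named in this lesson, and the absence of Expires/Max-Age so the cookie stays non-persistent. It also compares the SAP_SESSIONID_<sid>_<client> value before and after logon to confirm that the security session ID was regenerated. The response headers, the SID PRD and client 100 are constructed; the cookie-name patterns follow the names given in this lesson.

```python
import re

# Cookie names from this lesson that carry SAP security or application sessions.
SESSION_COOKIE_PATTERNS = [
    r"sap-contextid",
    r"SAP_SESSIONID_\w+_\d{3}",  # SAP_SESSIONID_<sid>_<client>
    r"JSESSIONID",
    r"JSESSIONMARKID",
    r"MYSAPSSO2",
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}); attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_session_cookie(name):
    return any(re.fullmatch(p, name) for p in SESSION_COOKIE_PATTERNS)


def audit_set_cookie(headers):
    """Return (cookie name, problem) for every session cookie lacking the protections described above."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if not is_session_cookie(name):
            continue
        if "secure" not in attrs:
            findings.append((name, "Secure attribute missing: browser would send it over plain HTTP"))
        if "expires" in attrs or "max-age" in attrs:
            findings.append((name, "persistent cookie: a session cookie should be non-persistent"))
    return findings


def security_session_regenerated(before, after, sid="PRD", client="100"):
    """True if SAP_SESSIONID_<sid>_<client> differs between the pre- and post-logon responses,
    False if it is unchanged, None if either response did not set the cookie at all."""
    name = f"SAP_SESSIONID_{sid}_{client}"

    def value_of(headers):
        for h in headers:
            n, v, _ = parse_set_cookie(h)
            if n == name:
                return v
        return None

    v_before, v_after = value_of(before), value_of(after)
    if v_before is None or v_after is None:
        return None
    return v_before != v_after


# Constructed responses: an anonymous request, then the response to a successful logon.
BEFORE_LOGON = [
    "sap-contextid=SID%3aANON%3aapp1; path=/sap/bc/; Secure",
    "SAP_SESSIONID_PRD_100=AAA111; path=/; Secure",
]
AFTER_LOGON = [
    "SAP_SESSIONID_PRD_100=BBB222; path=/; Secure",
    "MYSAPSSO2=AjExMDAgAAA; path=/; domain=.example.corp",  # no Secure attribute
    "JSESSIONID=0123ABC; Path=/; Secure; Expires=Wed, 21 Oct 2026 07:28:00 GMT",  # persistent
    "theme=sap_belize; path=/",  # not a session cookie, ignored by the audit
]

if __name__ == "__main__":
    for name, problem in audit_set_cookie(AFTER_LOGON):
        print(f"{name}: {problem}")
    print("session ID regenerated:", security_session_regenerated(BEFORE_LOGON, AFTER_LOGON))
```

Point the audit at the headers captured by a browser's developer tools or a proxy during a logon; the regeneration check needs the response that preceded the logon form and the response that followed it.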

HTTP Security Sessions


Drawbacks of Logon Tickets with SSO
Currently, logon tickets cause the following known drawbacks with Single Sign-On (SSO):

Security Issues

URLs containing sap-contextid allow access to protected resources (session hijacking).

A stolen logon ticket (the MYSAPSSO2 cookie) allows a different user to create a new
session, even after the legitimate user has successfully logged off.

Functional Aspects

No automatic logoff is possible (inactivity timeout).

Validity of logon tickets is fixed (defined by ticket issuer, default: eight hours).

Sessions cannot be terminated on the server side (for example, by an administrator).

Options to log off are only provided by SAP NetWeaver Portal (Distributed Session
Manager (DSM) Terminator).

Robustness

Conflicts with other systems that also set the MYSAPSSO2 cookie (cookie is set with
the same name domain-wide).

HTTP Session Security Activation


The idea of HTTP security sessions is to separate security sessions from application sessions.
Application sessions are only required for stateful operations (server-sided state). Security
sessions are created during logon and deleted during logoff.
In addition, the session identifier is separated from the session context. The session context is
kept at the server side (security state). The session identifier is just a reference to the session
context, transmitted through a cookie.

Steps to Activate HTTP Security Sessions

1. Start HTTP session management (transaction SICF_SESSIONS). A list of all the clients
that exist in the system displays.

2. Select the relevant line and choose Activate.

3. Monitor sessions in transaction SM05.

Hint:
The security audit log records this activation or deactivation of HTTP security
session management.

Impact of HTTP Security Sessions

URLs containing sap-contextid are no longer sufficient to gain access to protected
resources. Instead, the SAP_SESSIONID_<sid>_<client> cookie must be transmitted with
the same HTTP request.

Some browser plugins or applets may have problems. For more information, see SAP Note
1317545.

For outbound HTTP communication, it is necessary to modify the default settings of a
destination (transaction SM59) to accept cookies.

Public services or services with configured identity will never evaluate or create security
sessions (no mixed mode).

The cookie with security session ID is host-specific. Therefore, a load-balancer is required.

With HTTP security sessions, a session inactivity timeout is introduced, as follows:

Absence of HTTP communication is treated as inactivity.

Processing incoming HTTP requests updates a Least Recently Used (LRU) timestamp.

For performance reasons, the LRU timestamp is implemented using a server-specific cache.

The cache is scanned every 60 seconds for inactive and expired sessions for each server.

Inactive or expired sessions and all associated application contexts, including the allocated
server resources, are terminated. Other server nodes are notified of this termination event.
In cases of associated Security Assertion Markup Language (SAML) sessions, no
notification is sent to the SAML Identity Provider (IdP).

In cache-full situations, the system creates security sessions with a fixed validity period.
An emergency reaction results in system log entries.

During start-up and controlled shutdown, each server instance deletes its own security
contexts (SEC_CONTEXT_COPY table). The last server triggers the system-wide
termination of the security context (SECURITY_CONTEXT table).
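The following added Python model (not SAP's implementation) puts the behaviour listed above into code: a security session separate from the application contexts bound to it, a fresh ID on authentication and re-authentication, an LRU timestamp refreshed on every request, and a sweep that terminates idle sessions together with their application contexts. The timeout value, the injectable clock and the context bookkeeping are constructed for the example.

```python
import secrets
import time


class SecuritySessionStore:
    """Security sessions keyed by the value that would travel in the
    SAP_SESSIONID_<sid>_<client> cookie. Application contexts are tracked per
    session and torn down when the security session ends."""

    def __init__(self, inactivity_timeout=900, clock=time.monotonic):
        self.timeout = inactivity_timeout  # seconds; constructed default
        self.clock = clock                 # injectable so a test can advance time
        self.sessions = {}                 # session id -> {"user", "lru", "contexts"}
        self.terminated = []               # log of (session id, reason, contexts)

    def logon(self, user):
        """Authentication creates a security session with a fresh, unguessable ID."""
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"user": user, "lru": self.clock(), "contexts": set()}
        return sid

    def reauthenticate(self, old_sid, user):
        """Programmatic re-authentication: the old ID is invalidated and a new one issued,
        so an ID that was fixed or captured before authentication is useless afterwards."""
        old = self.sessions.pop(old_sid, None)
        new_sid = self.logon(user)
        if old is not None:
            self.sessions[new_sid]["contexts"] = old["contexts"]
        return new_sid

    def request(self, sid, app_context=None):
        """Handle an incoming request: return the user of a live session and refresh its LRU
        timestamp, or None if the ID is unknown or the session has been idle too long."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.clock() - s["lru"] > self.timeout:
            self._terminate(sid, "inactivity")
            return None
        s["lru"] = self.clock()
        if app_context is not None:
            s["contexts"].add(app_context)
        return s["user"]

    def logoff(self, sid):
        self._terminate(sid, "logoff")

    def sweep(self):
        """Periodic scan (AS ABAP runs one every 60 seconds) that terminates idle sessions."""
        now = self.clock()
        idle = [sid for sid, s in self.sessions.items() if now - s["lru"] > self.timeout]
        for sid in idle:
            self._terminate(sid, "inactivity")
        return idle

    def _terminate(self, sid, reason):
        """Drop the security session and every application context bound to it."""
        s = self.sessions.pop(sid, None)
        if s is not None:
            self.terminated.append((sid, reason, sorted(s["contexts"])))
```

Because the security session lives only on the server and the cookie is just a reference to it, an administrator can end a session by calling the equivalent of logoff, which is exactly what the logon-ticket model in the previous section cannot do.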

LESSON SUMMARY
You should now be able to:

Activate session security

Unit 4
Lesson 2
Discussing Authentication for SAP NetWeaver AS Java

LESSON OVERVIEW
This lesson describes the Java login modules and how they control the logon process into a
NetWeaver Java system.

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Adapt the logon procedure for SAP NetWeaver Java systems

Java Login Modules


Java Authentication and Authorization Service (JAAS)
JAAS is implemented in the SAP NetWeaver Java system to support different logon
procedures. Depending on the requirement and scenario, this enables you to choose the
appropriate logon procedure.

Figure 99: Java Login Modules

Logon ticket and Assertion ticket are SAP-specific procedures. The assertion ticket is only
used for system-system communication. The implementation of JAAS in SAP NetWeaver AS
for Java is based on logon modules. A logon module is a concrete implementation of the flow
logic of the authentication. Several logon modules can be combined to make a logon module
stack (also called an authentication stack).

Logon Procedure Configuration


As system administrator, you can adjust the logon procedures for the delivered applications.
For this purpose, you can maintain the policy configuration of the corresponding application
in SAP NetWeaver Administrator (http://host:port/nwa), as follows: Configuration →
Security → Authentication and Single Sign-On.

Figure 100: Logon Procedure Configuration

Using the policy configuration, a login module or an authentication stack can be assigned to
an application to determine the logon procedure for this application. The delivered
authentication stacks can be found in the policy configuration, for example, ticket under the
Template type.
The following table shows the effects of different flags during an authentication process.
Modules are executed one after the other until authentication is established. If the sequence
of login modules listed in the stack is completed, and no authentication takes place, then
access will be denied.

Flag | Required to Succeed | Description
OPTIONAL | No | Authentication proceeds down the list whether the module has succeeded or failed.
REQUIRED | Yes | Authentication proceeds down the list of modules whether the module has succeeded or failed.
REQUISITE | Yes | If successful, the authentication proceeds down the list. Otherwise, control returns to the application (the authentication does not proceed).
SUFFICIENT | No | If the authentication is successful, control returns to the application. Otherwise, the authentication proceeds.
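The table can be turned into an evaluator. The following added Python (not SAP or JAAS library code) runs a login module stack with these flags and reports whether access is granted and which modules actually executed. The ticket_stack helper models a stack of the three ticket modules named in this lesson; the flags assigned to them and the module outcomes are assumed for illustration.

```python
OPTIONAL, REQUIRED, REQUISITE, SUFFICIENT = "OPTIONAL", "REQUIRED", "REQUISITE", "SUFFICIENT"


def evaluate_stack(stack):
    """Run a login module stack.

    stack: list of (module name, flag, outcome), where outcome is the constructed
    result the module would produce for this request (True = succeeded).
    Returns (authenticated, names of the modules that actually ran).
    """
    executed = []
    required_failed = False
    any_success = False
    has_required = any(flag in (REQUIRED, REQUISITE) for _, flag, _ in stack)
    for name, flag, ok in stack:
        if flag not in (OPTIONAL, REQUIRED, REQUISITE, SUFFICIENT):
            raise ValueError(f"unknown flag {flag!r}")
        executed.append(name)
        any_success = any_success or ok
        if flag == REQUISITE and not ok:
            return False, executed   # control returns to the application at once
        if flag == REQUIRED and not ok:
            required_failed = True   # overall result is failure, but the rest still runs
        if flag == SUFFICIENT and ok and not required_failed:
            return True, executed    # enough: the remaining modules are skipped
    if has_required:
        return not required_failed, executed
    return any_success, executed     # only OPTIONAL/SUFFICIENT modules: at least one must succeed


def ticket_stack(valid_ticket, password_ok):
    """Constructed model of a ticket-style stack: accept an existing logon ticket,
    otherwise demand a password and issue a ticket when it is correct."""
    return [
        ("EvaluateTicketLoginModule", SUFFICIENT, valid_ticket),
        ("BasicPasswordLoginModule", REQUISITE, password_ok),
        ("CreateTicketLoginModule", OPTIONAL, password_ok),
    ]


if __name__ == "__main__":
    for ticket, pwd in ((True, False), (False, True), (False, False)):
        print(f"ticket={ticket} password={pwd} ->", evaluate_stack(ticket_stack(ticket, pwd)))
```

The third case is the one to watch when reviewing a custom stack: a REQUISITE failure stops evaluation immediately, whereas a REQUIRED failure lets later modules run but still denies access at the end, so a SUFFICIENT module placed after a failed REQUIRED module cannot rescue the logon.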

Logon Ticket
In the standard delivery, the SAP NetWeaver AS for Java uses logon tickets in the logon
procedure. The authentication stack ticket, which is used first, checks whether there is a valid
logon ticket (EvaluateTicketLoginModule). If there is not a valid logon ticket, the user must
enter the user ID and password (BasicPasswordLoginModule). A logon ticket is issued if the
entries are correct (CreateTicketLoginModule). The logon ticket is sent from the browser in
the standard system for each request. It goes to the same domain of the issuing system and
can therefore be used to log on to other systems with Single Sign-On (SSO).
The logon ticket is a session cookie. This means that the cookie is not saved, rather it is only
held in the working memory. It is deleted when the browser session finishes. The logon ticket
contains the data shown in the figure.

Assertion Tickets
Assertion tickets are an extension of logon tickets. The main differences are as follows:

Unlike logon tickets, assertion tickets are not stored temporarily.

Assertion tickets are only valid for 2 minutes.

Assertion tickets are issued directly for the respective target system.

Older systems interpret the assertion ticket as a logon ticket. Therefore, the configuration for
SSO is along the same lines as the configuration for logon tickets. The application area of the
assertion tickets is first and foremost system-system communication, via RFC or HTTP. For
example, in SAP NetWeaver Java, destinations can use the assertion ticket as a logon
method. In SAP NetWeaver Java, it is possible to use the logon modules
CreateAssertionTicketLoginModule and EvaluateAssertionTicketLoginModule, as well as the
policy configuration evaluate_assertion_ticket to issue and verify assertion tickets. An
assertion ticket is issued when a connection to a remote system is established.

LESSON SUMMARY
You should now be able to:

Adapt the logon procedure for SAP NetWeaver Java systems

Unit 4
Lesson 3
Discussing Authentication for SAP NetWeaver AS ABAP

LESSON OVERVIEW
This lesson describes the usage of Task Lists to automate the security configuration for SAP
Netweaver ABAP.

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Work with security-relevant task lists

STC01 - Task List Manager for Configuration

Figure 101: Task List for Configuring Single Sign-On Across ABAP Systems

It is possible to automate configuration tasks, using the task manager for technical
configuration (transaction STC01). The task manager guides you through extensive
configuration processes by means of predefined task lists, and allows you to customize them.
Documentation is available for each step in the task list. Some steps will require input
parameters.
The task list monitor (transaction STC02) allows you to verify if a task list was executed and
which messages were logged by the system.
In the following example, we will use a task list to verify if the basic configuration for SSL is
complete.

Figure 102: Choose Relevant Task List 1/4

Figure 103: Review Actions to be Performed 2/4

Figure 104: Execute Task List 3/4

Figure 105: Execute Task List 4/4

LESSON SUMMARY
You should now be able to:

Work with security-relevant task lists

Unit 4
Lesson 4
Configuring UME Parameters for SSO

LESSON OVERVIEW
This lesson describes the usage of User Management properties to establish the settings for
SAP logon tickets.

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Customize the SAP logon ticket issued by SAP NetWeaver Java systems

UME Properties for the SAP Logon Ticket

Figure 106: Java Properties for the User Management Engine

To customize the Java properties, start the Configtool and choose View → Configuration Edit
Mode. Expand the folders cluster_config → system → custom_global → cfg → services →
com.sap.security.core.ume.service.
Some of the most relevant parameters are as follows:

login.ticket_lifetime
Lifetime of the SAP Logon Ticket (in format: <hours>:<minutes>).

login.ticket_client
Dummy client written to the SAP Logon Ticket (default 000).

SAP NetWeaver AS Java does not have clients, as AS ABAP does. For SSO, from SAP
NetWeaver AS Java to SAP NetWeaver AS ABAP, the client ID must also be entered in the
ACL (transaction STRUSTSSO2 ).

ume.login.mdc.hosts
The logon ticket can also be sent to other domains. The value will specify the target hosts.

ume.logon.security.relax_domain.level
Number of subdomains to be removed (a value of 2 means that the SAP Logon Tickets
issued by a system on the wdflbmt7211.wdf.sap.corp host are sent to servers in the
sap.corp domain). This allows a ticket to be recognized across multiple servers in the same
domain.

ume.logon.security.enforce_secure_cookie
If true, the logon ticket is only sent if SSL is used (default false).
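An added Python example (not SAP code) showing how the two ticket-scope parameters act: which cookie domain results from a given relax level for the host named above, whether a ticket issued by one host would be sent by the browser to another, and how a <hours>:<minutes> lifetime is parsed. The guard against relaxing down to a bare top-level domain and the second host name are assumptions of the example.

```python
from datetime import timedelta


def ticket_cookie_domain(host, relax_level):
    """Domain the logon ticket cookie is scoped to: strip relax_level leading labels from host.
    Refusing to relax to fewer than two labels is an assumption of this example."""
    labels = host.lower().strip(".").split(".")
    if relax_level <= 0:
        return ".".join(labels)
    if relax_level > len(labels) - 2:
        raise ValueError(f"relax level {relax_level} leaves fewer than two labels of {host}")
    return ".".join(labels[relax_level:])


def ticket_reaches(issuer_host, target_host, relax_level):
    """True if a browser would present a ticket issued by issuer_host to target_host."""
    domain = ticket_cookie_domain(issuer_host, relax_level)
    target = target_host.lower()
    return target == domain or target.endswith("." + domain)


def ticket_lifetime(value):
    """Parse the <hours>:<minutes> format of login.ticket_lifetime."""
    hours, sep, minutes = value.partition(":")
    if not sep or not hours.isdigit() or not minutes.isdigit():
        raise ValueError(f"expected <hours>:<minutes>, got {value!r}")
    return timedelta(hours=int(hours), minutes=int(minutes))


if __name__ == "__main__":
    issuer = "wdflbmt7211.wdf.sap.corp"
    for level in (0, 1, 2):
        print(level, ticket_cookie_domain(issuer, level),
              ticket_reaches(issuer, "portal.ber.sap.corp", level))  # portal host is constructed
    print(ticket_lifetime("8:00"))
```

A larger relax level widens the set of hosts that receive the ticket, so every host under the resulting domain must be one you trust with a credential that logs the user on; this is the same consideration that makes conflicts with other MYSAPSSO2 issuers in the domain a robustness issue.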

LESSON SUMMARY
You should now be able to:

Customize the SAP logon ticket issued by SAP NetWeaver Java systems

Unit 4
Lesson 5
Discussing Single Sign On with Active Directory

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Configure an SAP Netweaver ABAP AS for Single Sign on with Active Directory

Single Sign-On with Active Directory


Business Example
Your company uses Active Directory and Kerberos to provide single sign-on capabilities for
several applications. You want to implement your company standards to SAP NetWeaver
systems.

Restrictions on Current Training Environment


The current training environment does not support demonstrations for this procedure. This
how-to procedure is provided for your reference in your own company networks.

How-To Procedure
In the following example, the SAP NetWeaver system is running on a host called twdf3115 and
a domain called ADTWDFVM1100.DEMO.SAP. The SAP host was added to the domain.

Figure 107: Step 1 – Verify the Active Directory Configuration

Ensure that the Active Directory prerequisites are fulfilled. Users should be available in the
active directory, a security principal should be assigned, and key tabs should have been
generated for each SAP server.

Figure 108: Step 2 – Call the SNCWIZARD Transaction in your ABAP Environment

Figure 109: Step 3 - Provide the Distinguished Name for the Server

Figure 110: Step 4 – Review the Configuration Changes

Figure 111: Step 5 – Restart your SAP System

After the system restart, call transaction SNCWIZARD again. Browse until you reach the final
screen, showing the Complete button. No other configuration steps are required.

Figure 112: Step 6 – SNCWIZARD Shows Existing Configuration

Figure 113: Step 7 – Wizard-Based Configuration is Complete

Figure 114: Step 8 – Import the Key Tab into your Secure Store

In a command window, change to the directory D:\usr\sap\PCC\DVEBMGS20\sec and execute the
following commands. The SAP server SID is PCC and the instance number 20. The installation
was performed on drive D.

set SECUDIR=D:\usr\sap\PCC\DVEBMGS20\sec

sapgenpse keytab -p SAPSNCSKERB.pse -x PsePassword1 -X Secret1 -a SAP/KerberosDCC3115@ADTWDFVM1100.DEMO.SAP

sapgenpse seclogin -p SAPSNCSKERB.pse -x PsePassword1 -O SAPServicePCC -N

Figure 115: Step 9 – Install the Secure Client

A default installation is enough for each laptop where single sign-on will be used. These
laptops should be domain members.

Figure 116: Step 10 – Maintain Canonical Name for Users Eligible for Single Sign-On

Figure 117: Step 11 – Configure your SAP GUI Connection

The SAP GUI needs to be configured for users logged into the domain. In the example, the
logged-on user will be: adtwdfvm1100\twdf3115_pcc_tstusr.

LESSON SUMMARY
You should now be able to:

Configure an SAP Netweaver ABAP AS for Single Sign on with Active Directory

Unit 4

Learning Assessment

1. Which of the following authentication mechanisms are used in SAP NetWeaver?


Choose the correct answers.

X A User ID and password

X B Secure Network Communications (SNC)

X C Secure Socket Layer (SSL) and X.509 client certificates

X D Java Authentication and Authorization Service (JAAS)

X E Security Assertion Markup Language (SAML)

X F Simple Object Access Protocol (SOAP)

X G SAP logon tickets

2. A logon ticket used for authentication contains which of the following data?
Choose the correct answers.

X A User ID

X B Password

X C ID of the issuing system

X D Digital signature of the issuing system

X E Validity period

3. Logon tickets are stored as a non-persistent session cookie in the Web browser.
Determine whether this statement is true or false.

X True

X False

4. The template ticket can be used to configure the login modules.


Determine whether this statement is true or false.

X True

X False

5. Mutual authentication can be used to access SAP NetWeaver Application Server (SAP
NetWeaver AS for ABAP).
Determine whether this statement is true or false.

X True

X False

Unit 4

Learning Assessment - Answers

1. Which of the following authentication mechanisms are used in SAP NetWeaver?
Choose the correct answers.

X A User ID and password

X B Secure Network Communications (SNC)

X C Secure Socket Layer (SSL) and X.509 client certificates

X D Java Authentication and Authorization Service (JAAS)

X E Security Assertion Markup Language (SAML)

X F Simple Object Access Protocol (SOAP)

X G SAP logon tickets

2. A logon ticket used for authentication contains which of the following data?
Choose the correct answers.

X A User ID

X B Password

X C ID of the issuing system

X D Digital signature of the issuing system

X E Validity period

3. Logon tickets are stored as a non-persistent session cookie in the Web browser.
Determine whether this statement is true or false.

X True

X False


4. The template ticket can be used to configure the login modules.
Determine whether this statement is true or false.

X True

X False

5. Mutual authentication can be used to access SAP NetWeaver Application Server (SAP
NetWeaver AS for ABAP).
Determine whether this statement is true or false.

X True

X False



UNIT 5 RFC Security

Lesson 1
Securing the RFC Gateway 155

Lesson 2
Enabling SNC for SAP NetWeaver AS ABAP 168

Lesson 3
Reducing the Attack Surface: RFC Communication and Unified Connectivity 189

UNIT OBJECTIVES

Verify SAP Gateway security

Outline RFC callback whitelist protection

Configure SNC for SAP NetWeaver AS ABAP

Configure SNC for other SAP components

Set up data collection for RFC-enabled function modules



Unit 5
Lesson 1
Securing the RFC Gateway

LESSON OVERVIEW
This lesson explains interface security. It also explains how Remote Function Call (RFC)
communication and RFC connections can be secured. In addition, this lesson elaborates on
the concept of security in Internet Communication Manager (ICM) and SAP Message Server.

Business Example
You need to set up interface security in an SAP system. For this reason, you require an
understanding of the following:

The configuration of trusted RFC connections between SAP systems

How to secure the SAP Gateway process and the Application Server ABAP (AS ABAP)
Message Server

How to restrict Web-enabled content

How to activate the logging of security events

How to configure trusted RFC

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Verify SAP Gateway security

Outline RFC callback whitelist protection


SAP Gateway Security

Figure 118: Categories of RFC Communication

SAP Gateway is a technical component of the application server that manages
communication for SAP RFC-based functionality. RFC communication can be categorized
into the three scenarios shown in the figure, Categories of RFC Communication:

ABAP RFC
The most frequently used RFC functionality in customer installations is provided by ABAP
remote-enabled function modules. For instance, technologies such as Business
Application Programming Interface (BAPI), Application Link Enabling (ALE), and
Intermediate Document (IDoc) are provided by ABAP and use RFC as the underlying
communication protocol.
The mechanisms used to secure the communication are based on end user authentication
and authorization checks in the ABAP system (for example, the S_RFC authorization
object in the called system and the S_ICF authorization object in the calling system). SAP
Gateway does not perform additional security checks.

Registered RFC server program
The RFC server programs use the SAP RFC library and integrate ABAP systems with
non-ABAP systems that provide RFC functions.
The external RFC server programs are registered by the administrators while configuring
the RFC destinations at SAP Gateway; these server programs can later be accessed by
RFC clients through the same SAP Gateway. This RFC client is actually the ABAP system in
which the external RFC server program is registered. This is configured in transaction
SM59 in RFC destinations of type T with the Registered Server Program technical setting.
One example for this use case is SAP NetWeaver Search and Classification (TREX).
SAP and partner companies are developing various integration technologies, one of which
is known as a registered RFC server program. Typically, registered RFC servers do not
perform user authentication or authorization checks. Registration of RFC server programs
and RFC client access to these servers is controlled through SAP Gateway access control
lists (secinfo for releases up to 4.6 and reginfo in higher releases).

Started RFC server program
The started RFC server programs are also built with the SAP RFC library, but instead of
being registered at SAP Gateway, they reside on the host of the application server. SAP
Gateway launches these RFC server programs triggered by RFC client requests.
For example, SAP Gateway uses the remote shell and RFC to start transaction SAPXPG,
which runs the external command or program.
SAP default configurations only start these RFC server programs locally. You can change
this configuration in transaction SM59 in RFC destinations of type T with the Start on
Explicit Host technical setting. The SAP Gateway options can point explicitly to the local
SAP Gateway or be left blank. Again, in most cases, started RFC servers do not perform
user authentication or authorization checks. As in the case of registered RFC servers,
access to these started RFC servers is controlled through SAP Gateway access control
lists (ACLs), secinfo for all releases.

Caution:
For system security, it is of utmost importance that you create and maintain the
SAP Gateway ACL properly. ACL files do not exist in default installations.

As a result, no restrictions exist regarding RFC server registration, access to registered RFC
servers, or to the starting of RFC server programs in default installations. This can lead to
a compromise of the system. SAP provides guidelines on how to set up ACLs, minimum SAP
kernel patch levels, and configuration switches. For more information, see the SAP
NetWeaver 7.40 online documentation (http://help.sap.com/nw74), path Security
Information/Security Guide (English) → SAP NetWeaver Security Guide → Security Guides for
Connectivity and Interoperability Technologies → Security Settings in SAP Gateway.
SAP provides a tool to create SAP Gateway ACLs that cover typical usage scenarios for
registered and started RFC server programs. You must activate SAP Gateway logging to
support ongoing maintenance and provide gateway monitoring.
Additionally, the SAP Gateway monitoring must only allow local access ( gw/monitor = 1). This
is the default configuration setting as of SAP Release 6.40. For more information, see SAP
Note 64016.

Security Measures for SAP Gateway

Verify the minimum SAP kernel patch levels (SAP Note 1298433).

Set profile parameters gw/sec_info, gw/reg_info, gw/reg_no_conn_info (SAP
Notes 1408081 and 1444282), and, if relevant, gw/prxy_info (SAP Note 1848930).


Create the secinfo and reginfo ACL files manually or with the tool (SAP Notes 1408081
and 1425765). If needed, create the prxy_info file (SAP Note 1848930).

Reload ACL files dynamically on each application server to activate changes.

If necessary, missing configurations can be identified in the following ways:


- Activation of the SAP Gateway logging and log file review (SAP Note 910919)
- Analysis of the error messages shown on the RFC client

Gateway Security Configuration

After you check and update the system to the required kernel and Support Package level, set
the parameters and provide the files secinfo and reginfo.
The parameters required after the system update are as follows:

gw/sec_info = $(DIR_GLOBAL)$(DIR_SEP)secinfo

gw/reg_info = $(DIR_GLOBAL)$(DIR_SEP)reginfo

gw/reg_no_conn_info = 15

For a Microsoft Windows operating system, the files must have the .DAT extension.

Caution:
Because important security information is stored in this file, the system
administrator must take care to define the file authorization correctly. For
example, the administrator should set read-only authorization for the file owner
and no authorization for all other users.

With SAP Gateway Monitor (transaction SMGW), you can monitor and administer SAP
Gateway. Choose Goto → Expert Functions → External Security to display, create, and reload
the secinfo and reginfo files.
If your communication processes flow across 3 systems, with one being used as a gateway,
you might need to configure the prxy_info file.
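As an added example (it is not part of the SAP handbook and not an SAP tool), the following Python script parses a reginfo or secinfo file in the VERSION=2 keyword syntax referenced by SAP Note 1408081, evaluates a registration request the way the lesson describes (first matching rule decides, no match means deny), and reports permit rules that use bare wildcards. The file contents, host names and program names are constructed; the glob matching of values and the treatment of an absent HOST or ACCESS as "*" are simplifications assumed for the example.

```python
"""Parse SAP Gateway ACL files (reginfo/secinfo, VERSION=2 syntax) and flag
rules that leave registration or program start open to any host.
Added example with constructed file contents; this is not SAP's own tooling."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Constructed sample reginfo: one intended rule for a TREX server plus a
# catch-all permit that an administrator left in place (the weak setting).
SAMPLE_REGINFO = """\
#VERSION=2
# TREX may register from the search host; only the two application servers may call it
P TP=TREX_* HOST=trex01.example.corp ACCESS=sapapp01.example.corp,sapapp02.example.corp CANCEL=internal
# Catch-all left in during go-live: any program may register from any host
P TP=* HOST=* ACCESS=*
D TP=*
"""

# The same file with the catch-all removed: the final D rule denies everything else.
HARDENED_REGINFO = """\
#VERSION=2
# TREX may register from the search host; only the two application servers may call it
P TP=TREX_* HOST=trex01.example.corp ACCESS=sapapp01.example.corp,sapapp02.example.corp CANCEL=internal
D TP=*
"""


@dataclass
class AclRule:
    action: str             # "P" (permit) or "D" (deny)
    fields: Dict[str, str]  # keyword/value pairs such as TP, HOST, ACCESS, USER
    line_no: int


def parse_acl(text: str) -> List[AclRule]:
    """Parse a reginfo or secinfo file; '#VERSION=2' and comments are skipped.
    Values may be comma-separated lists; '*' matches anything."""
    rules: List[AclRule] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *pairs = line.split()
        action = action.upper()
        if action not in ("P", "D"):
            raise ValueError(f"line {line_no}: unknown action {action!r}")
        fields: Dict[str, str] = {}
        for pair in pairs:
            key, sep, value = pair.partition("=")
            if not sep:
                raise ValueError(f"line {line_no}: expected KEY=VALUE, got {pair!r}")
            fields[key.upper()] = value
        if "TP" not in fields:
            raise ValueError(f"line {line_no}: TP= is mandatory")
        rules.append(AclRule(action, fields, line_no))
    return rules


def _matches(pattern: str, candidate: str) -> bool:
    """Match against a comma-separated list of glob patterns (a simplification
    of the gateway's own matching, assumed for this example)."""
    return any(fnmatchcase(candidate, p.strip()) for p in pattern.split(","))


def check_registration(rules: List[AclRule], program: str, host: str) -> Tuple[bool, Optional[int]]:
    """First matching rule wins; no match means deny once an ACL file exists.
    Returns (allowed, line number of the deciding rule)."""
    for rule in rules:
        if _matches(rule.fields["TP"], program) and _matches(rule.fields.get("HOST", "*"), host):
            return rule.action == "P", rule.line_no
    return False, None


def find_permissive_rules(rules: List[AclRule]) -> List[Tuple[int, str]]:
    """Report permit rules whose TP, HOST or ACCESS is a bare wildcard."""
    findings: List[Tuple[int, str]] = []
    for rule in rules:
        if rule.action != "P":
            continue
        for key in ("TP", "HOST", "ACCESS"):
            if rule.fields.get(key, "*") == "*":
                findings.append((rule.line_no, f"{key}=* in a permit rule"))
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_REGINFO), ("hardened", HARDENED_REGINFO)):
        acl = parse_acl(text)
        print(name, check_registration(acl, "SOMEPROG", "laptop77.example.corp"),
              find_permissive_rules(acl))
```

The same parser reads a secinfo file, whose rules carry USER, HOST and USER-HOST keywords instead of ACCESS and CANCEL; only the evaluation function differs. Running the script shows that the catch-all on line 5 of the sample permits an arbitrary program from an arbitrary host, while the hardened file ends at the explicit D rule.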


Figure 119: Gateway Monitor (Transaction SMGW)

In Gateway Monitor, to configure the gateway, choose Goto → Expert Functions → Logging.
For example, select the event Security checkbox and choose Activate .


Note:
To implement the recommendations from the previous section, work through all
the SAP Notes and documentation mentioned. Each customer has different
requirements and a different environment, so the information given in the SAP
Notes and documentation may not exactly fit.
SAP NetWeaver 7.40 includes a new framework, Unified Connectivity (UCON), for
securing RFCs. RFCs are a central communication technology of SAP NetWeaver
AS for ABAP and all ABAP-based systems.
The UCON basic security scenario for RFC provides both a simple process and a
toolset, allowing you to drastically reduce the number of Remote-Enabled
Function Modules (RFMs) that can be accessed from outside, thus dramatically
reducing the potential attack surface. UCON is the recommended new approach
to make your RFC communication more secure.
For more information, go to: http://scn.sap.com/docs/DOC-53844.
Additionally, SAP Consulting provides a service that offers to efficiently rename
and reauthorize RFC interface user accounts with a best practice approach,
utilizing the Xiting Authorizations Management Suite as a tool for creating
reusable interface roles. The service also helps to document interface usage and
creates proper authorization proposal values (SU24) for function module / RFC
interface calls.
For more information, see SAP Note 1682316.


Security Configuration for Gateway

Figure 120: Product Overview

RFC is an SAP proprietary protocol. It is the main integration technology between SAP
systems and is also used in integrations with non-SAP systems. Increasingly, other
integration technologies such as Web services complement RFC. RFC connections between
systems are maintained in RFC destinations. RFC destinations are maintained in destination
source systems that point to destination target systems.


RFC Connections

Figure 121: RFC Connections

RFC communication partners can be SAP systems and external application programs. In all
cases, RFCs are possible in both directions, that is, the SAP system can be both a client and a
server. The RFC protocol supports synchronous, asynchronous, and transaction-oriented
communication.
By default, the SAP Gateway runs on each SAP NetWeaver AS for ABAP instance. In some
cases, such as when an RFC call to a Microsoft Windows-based RFC server is needed, you
need to install a standalone gateway. You can use the Gateway Monitor (transaction SMGW ) to
monitor activities on local SAP gateways. For outgoing connections from an SAP system, the
RFC destination is maintained using transaction SM59.
In SAP systems with SAP NetWeaver AS for ABAP 7.00 and later, authorization object
S_RFC_ADM is added for maintaining RFC destinations. RFC destinations cannot be created
and maintained without authorization object S_RFC_ADM.


SAP System as an RFC Client

Figure 122: SAP System as an RFC Client

The following connection types (partner system or program) are possible:

R/2 connections
Partner system is an R/2 system.

R/3 connections
Partner system is a different SAP system.

TCP/IP connections
Partner is an external RFC program based on TCP/IP.

For connections to other SAP systems, you need to specify full logon data, such as the user
name, password, and client. This logon data is used to log on to a destination system under a
defined user name without checking the password. As a result, you must restrict access to
transaction SM59, and the contents of table RFCDES must be regularly controlled. You must
not store the password at the RFC destination.
Improper management of RFC destinations leads to privilege escalation. Access to the
SAP_ALL profile in production systems may be gained due to the use of inadequately
configured RFC destinations in development systems. These risks can be mitigated by
following the guidelines to maintain ABAP connections (type 3) and logical connections (type
L) in transaction SM59.

RFC Destination Types

To securely manage ABAP and logical RFC destinations, the following categories are defined:

1. Destinations that store technical connectivity configuration without stored credentials and
without trust relationships between the systems (they require user authentication for
each access).


2. Destinations with technical connectivity configuration using stored credentials (that is,
client, user, and password).

3. Destinations with technical connectivity configuration using trusted system logon
(Trusted or Trusting RFC).

All three categories of RFC destinations can be used between systems of the same security
classification (for example, from one production system to another). These categories are
also allowed to be used from systems of higher security classification to systems of lower
security classification (for example, from one production system to a development system).

Caution:
As a general guideline, destinations from systems of lower security classification
to systems of higher security classification are not allowed to store user
credentials or to use trusted system logon (for example, from a development
system to a production system).

These destinations are only allowed to store technical connectivity configuration and
authenticate the user for each access. One exception to this general guideline is Transport
Management System (TMS) destinations. If the TMS destinations are required, they must be
considered a security risk and must only be used after thorough risk analysis.

Caution:
It is generally forbidden for systems of higher security classification to trust
systems of lower security classification.

If the risk analysis is not performed, then the security level of the trusting system is reduced
to the security level of the trusted system. Particularly in production environments, users
stored in RFC destinations must only have the minimum authorization in the destination
target that is required for the business scenario executed by means of that destination.
We recommend using dedicated accounts for each scenario wherever possible. Inspect the
SAP Security Guide of an application to get information about required authorizations. It is a
common misunderstanding to assume that assigning SAP_ALL privileges to users in
destinations with stored credentials is secure as long as the user is not of the DIALOG type.


Figure 123: ABAP RFC Communication Recommendations

ABAP RFC Communication Recommendations

You must take the following security measures to mitigate the risk of unauthorized access
through RFC destinations:

Analyze all system trust relationships between ABAP systems using transactions SMT1
and SMT2. Identify the trust relationships in which systems of higher security classification
trust systems of lower security classification (for example, test to production or
development to production). Remove this system trust wherever possible.

Identify RFC destinations with stored user credentials from systems of lower security
classification to systems of higher security classification (using the RSRFCCHK report).
The stored credentials must be removed wherever possible to enforce user authentication
for every access.

Create a list of RFC destinations with stored credentials. Ensure that user accounts have
minimum authorizations (particularly not SAP_ALL) assigned in the destination target and
that the user type is set to SYSTEM.
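The destination categories and the classification guideline from the previous section can be turned into a check over an inventory of destinations. The following Python is an added example, not part of the handbook and not the RSRFCCHK report; the system IDs and their security ranking, the destination names, and the user attributes are constructed for the example.

```python
"""Classify ABAP RFC destinations (categories 1-3) and flag those that breach
the security-classification guideline or use an over-privileged stored user.
Added example with a constructed inventory, not output of any SAP tool."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed security classification: a higher number is a higher classification.
CLASSIFICATION: Dict[str, int] = {"DEV": 1, "QAS": 2, "PRD": 3}


@dataclass
class RfcDestination:
    name: str
    source_system: str          # system in which the SM59 entry is maintained
    target_system: str          # system the destination points to
    stored_password: bool       # category 2: client, user and password stored
    trusted_logon: bool         # category 3: trusted/trusting RFC
    user: str = ""
    user_type: str = ""         # user type in the target system, e.g. SYSTEM, DIALOG
    profiles: List[str] = field(default_factory=list)


def category(dest: RfcDestination) -> int:
    """1 = no credentials, 2 = stored credentials, 3 = trusted system logon."""
    if dest.trusted_logon:
        return 3
    if dest.stored_password:
        return 2
    return 1


def review_destination(dest: RfcDestination) -> List[str]:
    """Return the findings for one destination (empty list = nothing to report)."""
    findings: List[str] = []
    src = CLASSIFICATION[dest.source_system]
    tgt = CLASSIFICATION[dest.target_system]
    cat = category(dest)
    # Lower-to-higher classification: only category 1 is allowed.
    if src < tgt and cat != 1:
        findings.append(
            f"{dest.name}: category {cat} destination from {dest.source_system} "
            f"to higher-classified {dest.target_system}; remove stored credentials or trust")
    # Stored credentials must belong to a least-privilege SYSTEM user.
    if cat == 2:
        if "SAP_ALL" in dest.profiles:
            findings.append(f"{dest.name}: user {dest.user} holds SAP_ALL in {dest.target_system}")
        if dest.user_type != "SYSTEM":
            findings.append(f"{dest.name}: user {dest.user} is of type {dest.user_type}, expected SYSTEM")
    return findings


def review_inventory(dests: List[RfcDestination]) -> Dict[str, List[str]]:
    """Findings per destination, omitting destinations without findings."""
    report = {d.name: review_destination(d) for d in dests}
    return {name: f for name, f in report.items() if f}


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    RfcDestination("PRD_TO_DEV_TRUST", "PRD", "DEV", stored_password=False, trusted_logon=True),
    RfcDestination("DEV_TO_PRD_NOCRED", "DEV", "PRD", stored_password=False, trusted_logon=False),
    RfcDestination("DEV_TO_PRD_PWD", "DEV", "PRD", stored_password=True, trusted_logon=False,
                   user="RFC_BATCH", user_type="SYSTEM", profiles=["Z_RFC_ALE"]),
    RfcDestination("QAS_TO_QAS_PWD", "QAS", "QAS", stored_password=True, trusted_logon=False,
                   user="RFCUSER", user_type="DIALOG", profiles=["SAP_ALL"]),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY).items():
        print(name, *findings, sep="\n  ")
```

In the sample, the trust from PRD to DEV and the credential-free DEV to PRD destination pass, the DEV to PRD destination with a stored password is reported because of the classification direction, and the QAS to QAS destination is reported twice: once for SAP_ALL and once for the DIALOG user type, both of which the recommendations above rule out for stored credentials.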


Trusted RFC

Figure 124: Trusted Relationships Between SAP NetWeaver AS for ABAP-Based SAP Systems

SAP systems can establish trusted relationships with each other. If a calling (sending) SAP
system is known to the called (receiving) system as a trusted system and the user who issued
the RFC call is defined in both of the systems, no password is supplied. The calling SAP
system must be registered with the called SAP system as a trusted system. The called system
is the trusting system.
Trusted relationships among various SAP systems have the following advantages:

Single Sign-On (SSO) is possible beyond system boundaries.

No passwords are transmitted in the network.

The timeout mechanism protects against replay attacks.

User-specific logon data is checked in the trusting system.

The trust relationship is not mutual, which means that this relationship is applicable in one
direction only. To establish a mutual trust relationship between two partner systems, you
must define each of the two trusted systems in the corresponding partner systems.
To enable the trusted systems to operate properly, the systems must have the same security-
level requirements and user administration. Before you can define a trusted system, you must
create a destination for this system in the trusting system. To do so, use transaction SMT1, or
choose Extras Trusted systems on the RFC destination overview screen (transaction
SM59). In the trusted systems, destinations for trusting systems are automatically created.
These destinations are used when you display trusting systems through Extras Trusting
systems (transaction SMT2).
The user using the trusted RFC must have the corresponding authorizations in the trusting
system (the S_RFCACL authorization object). In addition, you can configure the system to
perform an authorization check on the transaction code from the calling system. To do this,
you need to choose the Use transaction code option on the trusted system entry in
transaction SMT1. Once you choose this option, an authorization check is performed in the
called system for the transaction code (the RFC_TCODE field of the S_RFCACL authorization
object). You can check the authorizations for the logged on users in the trusting system in
advance by using the AUTHORITY_CHECK_TRUSTED_SYSTEM function module.
To prevent others from making changes to your trusted RFC destination, select the
Destination not modifiable checkbox on the Administration tab page of the destination in
transaction SM59. To make the destination modifiable again, double-click the checkbox.
Destinations must be kept consistent. For this reason, you are not allowed to change the ID of
the target system, the system number, or the destination name.

LESSON SUMMARY
You should now be able to:

Verify SAP Gateway security

Outline RFC callback whitelist protection



Unit 5
Lesson 2
Enabling SNC for SAP NetWeaver AS ABAP

LESSON OVERVIEW
This lesson explains how to set up and maintain SAP Secure Network Communication (SNC)
for SAP NetWeaver AS for ABAP.

Business Example
To secure Dynamic Information and Action Gateway (DIAG) and Remote Function Call (RFC)
communication, you need to set up SAP SNC. For this reason, you require an understanding
of the following:

SAP SNC and how it is configured

How to enable SAP SNC on SAP NetWeaver AS for ABAP

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Configure SNC for SAP NetWeaver AS ABAP

Configure SNC for other SAP components

SNC Configuration for Other SAP Components

Figure 125: SAP SNC on SAP NetWeaver AS for Java

This figure, SAP SNC on SAP NetWeaver AS for Java, shows the SAP SNC configuration to
connect the SAP NetWeaver AS for ABAP system with the SAP NetWeaver AS for Java
system.


Enabling SAP SNC on SAP NetWeaver AS for Java

Figure 126: Roadmap: Enabling SAP SNC on SAP NetWeaver AS for Java

Enabling SAP SNC on SAP NetWeaver AS for Java involves almost identical steps to those
used for SAP NetWeaver AS for ABAP. In fact, the same PSE created for SAP NetWeaver AS
for ABAP can be used for SAP NetWeaver AS for Java. The SAP NetWeaver AS for Java
parameters for SAP SNC are set differently, based on the Java applications.
You create one PSE and distribute it to all application servers. Alternatively, you can also use
the command line tool SAPGENPSE to create the PSE at the operating system level for the
SAP NetWeaver AS for Java. Do not use a mixed approach to maintain the PSE. If you use
SAPGENPSE, always use SAPGENPSE.
SAP NetWeaver AS for Java can also use the CommonCryptoLib for cryptographic functions
such as secure communication using SSL and secure communication using SAP SNC (for
RFC server connections). As with SAP NetWeaver AS for ABAP, there are two deployment
options for CommonCryptoLib: using the Java kernel or from a download from SAP Service
Marketplace.
If there is a scenario where SAPCRYPTOLIB is used instead of the CommonCryptoLib, make
sure the SAPCryptographic library files are in the following locations.

Copy the library to <AS_Java_install_dir>

Copy the license ticket to <AS_Java_install_dir>/sec

Copy the sapgenpse.exe to <AS_Java_install_dir>

Set the environment variable SECUDIR to the sec subdirectory. This is also the directory in
which the PSE of SAP NetWeaver AS for Java and credentials are located.


PSE Creation and Credentials Assignment Using the SAPGENPSE.exe Tool

The PSE can be created or imported using the SAPGENPSE tool. You use the following
command to create a new PSE with a self-signed certificate (-noreq means that no
certificate request is generated):
sapgenpse get_pse -p <SID>.pse -noreq -x <PIN> <DISTINGUISHED_NAME>
To open the PSE of the server and create credentials for the user that runs the server, you
use the following command:
sapgenpse seclogin -p <SID>.pse -x <PIN> -O <user id>
Use the following command to import a certificate into the PSE:
sapgenpse maintain_pk -a <filename_for_appserv_cert> -p <AppServPSE>.pse -x <PIN>

Establish Trust Relationships for SAP SNC on SAP NetWeaver AS for Java

Figure 127: Establish Trust Relationships for SAP SNC on SAP NetWeaver AS for Java

To exchange the public key certificates, you perform the following steps:

1. Export the public-key certificate of SAP NetWeaver AS for Java using the SAPGENPSE
tool, as follows:
sapgenpse export_own_cert -o <filename_for_appserv_cert> -p <AppServPSE>.pse -x <PIN>

2. Export the public-key certificate of SAP NetWeaver AS for ABAP using transaction
STRUST.

3. Import the PSE of SAP NetWeaver AS for Java into SAP NetWeaver AS for ABAP.

4. Import the PSE of SAP NetWeaver AS for ABAP into SAP NetWeaver AS for Java.

Maintain the system ACL on the SAP NetWeaver AS for ABAP as follows:

In the SAP NetWeaver AS for ABAP, you maintain the ACL using transaction SM30
(SNCSYSACL table or the VSNCSYSACL view, type=E). Enter the SAP SNC name of SAP
NetWeaver AS for Java and activate the entry for RFC.

Save the data.

Java Connector (JCo) for SAP NetWeaver AS for Java

The SAP NetWeaver AS for Java uses the Java Connector (JCo) to communicate with the SAP
NetWeaver AS for ABAP.
The JCo needs the following information to use the SAP SNC connection:

SNC library path
This path can also be defined using the SNC_LIB system environment variable of the user
who starts SAP NetWeaver AS for Java (usually SAPService<SID>).

Level of protection
This is the level of protection to use in the connection; possible values are 1, 2, and 3.

My SNC name
This optional parameter makes sure that the SAP SNC name is used for the connection.

Partner’s SNC name
This parameter is required and is used to identify the partner SAP NetWeaver AS for
ABAP. You can find the application server’s SAP SNC name in the profile parameter
snc/identity/as.

Note:
The setting of these SAP SNC parameters for JCo depends on various
applications. Each of these applications has its own way of setting up the
parameters. Refer to the documentation of the specific application to determine
how to set these up correctly. For example, the User Management Engine (UME)
sets the SNC parameters in the UME properties. In the scenario of Java iViews in
SAP Enterprise Portal, you set the SAP SNC parameters in the system object
associated with that Java iView. Other applications may use the Destination
service in SAP NetWeaver Administrator.


SAP SNC on SAProuter

Figure 128: SAP SNC and SAProuters

The connection between the adjacent SAProuters can be protected using SAP SNC. The
SAProuters authenticate each other and exchange encrypted messages. Therefore, a secure
tunnel for communications is established between components that may not be able to use
SAP SNC. A single SAProuter can act as both the initiator and acceptor for an SAP SNC-
protected connection.
To set up SAP SNC-protected connections between two SAProuters, you must establish an
SAP SNC environment in both of the SAProuters and configure SAP SNC for the connection in
the SAProuter’s route permission table.
To establish an SAP SNC environment, proceed as follows:

Set up the environment variable SNC_LIB to the path and file name of the external library
on the SAProuter host.

Start the SAProuter with the option -K <SNC name of the SAProuter>

- For example, the SAP SNC name on host1: "p:CN=saprout1, OU=TEST01, O=myCompany, C=US"

- saprouter -r -K "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" &

SAP SNC Details in the SAProuter Route Permission Table

To configure SAP SNC in the SAP route permission table, the following types of entries need
to be set up:

Key-Target (KT) entry specifies the designated SAProuter to SAProuter connection, which
uses SAP SNC.
KT <SNC partnername> <dest host> <dest serv>

KP, KD, and KS entries are similar to the normal P, D, and S entries, but are used mainly
for SAP SNC connections. They specify the hosts and services that are allowed to
communicate with one another. As with normal P, S, and D entries, you can also specify a
password for the connection.
K<P/D/S> "<SNC name of source host>" <dest host> <dest serv> <password>


Caution:
The order of the entries in the route permission table is important. For incoming
connections, the SAProuter applies the first matching entry it finds. If a matching
P, D, or S entry precedes an SAP SNC entry, then the SAProuter ignores the SAP
SNC entry.

The SAProuter accepts an incoming connection if it finds a corresponding entry in its route
permission table. For normal incoming connections where SAP SNC is not used, SAProuter
identifies the communication partner using the source host (IP address) and the destination
(host and service). For SAP SNC connections coming from an SAProuter, it uses the source
SAProuter’s SNC name for identification.

Figure 129: Example of Setting SAP SNC Details in the SAProuter Route Permission Table

In the example, there are two SAProuters, one on host1, and the other on host2. The two
routers need to communicate with each other using SAP SNC. Both SAProuters are started.
SAProuter on host1 initiates SAP SNC for all connections to host2 using KT =
"p:CN=saprout2, OU=TEST01, O=myCompany, C=US" host2 * and accepting all
connections using P * * * .
SAProuter on host2 accepts only SAP SNC connections from host1, which directs to either a
dispatcher or a gateway with system number 00. KP "p:CN=saprout1, OU=TEST01,
O=myCompany, C=US" * sapdp00 .
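The following Python models the first-match evaluation of the route permission table described above, including the caution that a plain P entry placed before a K entry is matched first, so the SAP SNC requirement behind it is never reached. It is an added example, not part of the handbook and not SAProuter code; the host1 and host2 tables are built from the entries in the text, and the source addresses, destination hosts and services used to exercise them are constructed. Treating a missing entry as a refused connection and matching destinations with shell-style globs are assumptions of the model.

```python
"""Model of SAProuter route permission table evaluation: first matching entry
wins; plain P/D/S entries identify the partner by source host, K* entries by the
partner's SNC name. Added example with constructed tables and connections."""
import shlex
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class RouteEntry:
    kind: str           # P, D, S, KP, KD, KS or KT
    source: str         # source host/IP pattern (plain) or SNC name (K*)
    dest_host: str
    dest_serv: str
    password: Optional[str]
    line_no: int

    @property
    def uses_snc(self) -> bool:
        return self.kind.startswith("K")


def parse_saprouttab(text: str) -> List[RouteEntry]:
    entries: List[RouteEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)      # keeps the quoted SNC name as one token
        kind = tokens[0].upper()
        if kind not in ("P", "D", "S", "KP", "KD", "KS", "KT") or len(tokens) < 4:
            raise ValueError(f"line {line_no}: cannot parse {line!r}")
        password = tokens[4] if len(tokens) > 4 else None
        entries.append(RouteEntry(kind, tokens[1], tokens[2], tokens[3], password, line_no))
    return entries


def decide_incoming(entries: List[RouteEntry], src_host: str, snc_name: Optional[str],
                    dest_host: str, dest_serv: str) -> Tuple[str, Optional[int]]:
    """('permit'|'deny', line of the deciding entry); no match means refused."""
    for e in entries:
        if e.kind == "KT":
            continue                    # KT configures outgoing SNC initiation only
        if e.uses_snc:
            if snc_name is None or e.source != snc_name:
                continue                # K* entries match the partner's SNC name only
        elif not fnmatchcase(src_host, e.source):
            continue                    # plain entries match the source host/IP
        if not (fnmatchcase(dest_host, e.dest_host) and fnmatchcase(dest_serv, e.dest_serv)):
            continue
        return ("deny" if e.kind in ("D", "KD") else "permit"), e.line_no
    return "deny", None


def shadowed_snc_entries(entries: List[RouteEntry]) -> List[int]:
    """Lines of KP/KD/KS entries preceded by a plain entry with source '*' whose
    destination patterns cover them; such SNC entries can never take effect."""
    shadowed: List[int] = []
    for i, e in enumerate(entries):
        if not e.uses_snc or e.kind == "KT":
            continue
        for earlier in entries[:i]:
            if (not earlier.uses_snc and earlier.source == "*"
                    and fnmatchcase(e.dest_host, earlier.dest_host)
                    and fnmatchcase(e.dest_serv, earlier.dest_serv)):
                shadowed.append(e.line_no)
                break
    return shadowed


SAPROUT1 = "p:CN=saprout1, OU=TEST01, O=myCompany, C=US"

# host1 as in the lesson: initiate SNC towards saprout2 for host2, accept everything.
HOST1_TABLE = """\
KT "p:CN=saprout2, OU=TEST01, O=myCompany, C=US" host2 *
P * * *
"""

# host2 as in the lesson: only SNC connections from saprout1 to the instance 00 dispatcher.
HOST2_TABLE = """\
KP "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * sapdp00
"""

# Same intent on host2, but a P * * * entry was added above the KP entry (constructed
# misconfiguration): it matches first, so SNC is no longer required for anyone.
HOST2_TABLE_MISORDERED = """\
P * * *
KP "p:CN=saprout1, OU=TEST01, O=myCompany, C=US" * sapdp00
"""

if __name__ == "__main__":
    for label, table in (("host2", HOST2_TABLE), ("host2 misordered", HOST2_TABLE_MISORDERED)):
        entries = parse_saprouttab(table)
        print(label, "plain:", decide_incoming(entries, "10.0.0.5", None, "sapapp01", "sapdp00"),
              "snc:", decide_incoming(entries, "10.0.0.5", SAPROUT1, "sapapp01", "sapdp00"),
              "shadowed:", shadowed_snc_entries(entries))
```

With the intended host2 table, a connection without SNC is refused and the SNC connection from saprout1 is permitted only towards sapdp00; with the misordered table the plain entry on line 1 decides every connection, and shadowed_snc_entries reports the KP entry that has become unreachable.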


SAP SNC for SAP GUI for Microsoft Windows

Figure 130: Configuring SAP GUI SNC

In a standard SAP setup, users enter their SAP user name and password on the SAP GUI
logon screen. SAP user names and passwords are transferred through the network without
encryption. To secure connections between your front end and your ABAP system, SAP GUI
can be used together with an external security product or with SAP NetWeaver Single Sign-On
Secure Login Client. Kerberos tokens or certificates can be sent through SAP GUI and Secure
Login Client to the SAP SNC interface. The Secure Login Library then encrypts all
communication between the front end and the SAP servers, providing a secure SSO from the
end user to the SAP NetWeaver AS.
To configure SAP SNC with SAP GUI for Microsoft Windows, proceed as follows:

If Secure Login Client is used with SAP GUI, the Secure Login Library must be configured.
Configuration is set up differently based on whether an X.509 certificate or a Kerberos
token (Service Principal Name) is used.

Environment variable SNC_LIB on the front end is set to the path and file name of the SAP
SNC library.

In SAP Logon, SAP SNC options (SAP SNC name, quality of protection, and SAP SNC
activation) need to be set up in the SAP Logon Advanced Options.

To set up SAP SNC profile parameters in SAP NetWeaver AS for ABAP and maintain SAP SNC
names for those users who will be using the SAP GUI, proceed as follows:

The steps to enable SAP SNC for SAP GUI for Microsoft Windows are similar to steps for
enabling SAP SNC on SAP NetWeaver AS for ABAP.

To maintain the SNC information of dialog users, use transaction SU01.

To maintain non-dialog users, enter SNC information in the USRACLEXT table using
transaction SM30.


SNC Configuration for NetWeaver AS ABAP

Figure 131: SAP SNC: Product Overview

The figure, SAP SNC: Product Overview, shows the product overview for setting up SAP SNC.

Privacy Protection: SAP SNC

Figure 132: Providing Privacy: SAP SNC

Connections that use SAP protocols, such as RFC and DIAG, use SAP SNC for encryption.
SAP SNC provides privacy protection for the following communication paths:

Between two SAP NetWeaver AS for ABAP systems

Between SAP NetWeaver AS for ABAP and SAP NetWeaver AS for Java

Between SAP GUI and SAP NetWeaver AS for ABAP


Between SAProuters

You must configure the SAP SNC and install the security libraries on each SAP NetWeaver
component that is about to become a communication partner. SAP SNC can also be used
with an external security product.
SAP SNC provides the following features:

Authentication between SAP components

Integrity protection

Privacy protection

SAP SNC on SAP NetWeaver AS

Figure 133: SAP SNC on SAP NetWeaver AS

In the figure, SAP SNC on SAP NetWeaver AS, each component possesses a public and
private key pair. The key pair is stored in the SAP SNC Personal Security Environment (PSE)
of the component. The component needs credentials to access the PSE at runtime.
The individual PSE option is more transparent because each server possesses its own
identity. However, in this case, you need to manually establish the trust relationship between
the two servers by exchanging their public-key certificates.

Trust Establishment When Using SAP SNC

Figure 134: Establishing Trust When Using SAP SNC

When using SAP SNC, the components need to identify and trust each other.


The options to establish a trust relationship for server-to-server communication are as follows:

Use the same PSE for all components.

- All the communicating servers or components share the same identity, which means that they share the public and private key pair and the associated Distinguished Name (DN). Since all the components use the same identity, the trust relationships between them are established automatically.
- The advantage of using the same PSE for all components is that it is easy to configure.
- The disadvantage is that the communication is less transparent, because all the components have the same identity and name, and a compromise of the shared private key affects every component at once.

Use individual PSEs and exchange public-key certificates.

- Each server possesses its own identity, which means that each server has its own public and private key pair and DN.
- The trust relationships are established by exchanging public-key certificates with each component that needs to be trusted. For example, two participating SAP NetWeaver AS for ABAP systems exchange certificates to trust each other; SAP NetWeaver AS for ABAP and SAP NetWeaver AS for Java can also exchange certificates.
- The advantage of using individual PSEs is that the communication is transparent because each component has its own identity.
- The disadvantage is that more configuration effort is needed.

SAP SNC Implementation


In earlier releases, SAP provided several libraries to secure the system and its communications and to manage Single Sign-On (SSO): the SAP Security Library, the SAP Cryptographic Library, and the Secure Login Library (part of SAP NetWeaver Single Sign-On).
The SAP Cryptographic Library (SAPCRYPTOLIB) was the default security product provided by SAP for encryption in SAP systems. It supports encryption functions and the use of digital signatures; both SNC and Secure Sockets Layer (SSL) scenarios are supported with SAPCRYPTOLIB.
The Secure Login Library is a component of the SAP NetWeaver SSO product. It serves as the cryptography and security library of SAP NetWeaver AS for ABAP, providing SSO through SNC with Kerberos tokens or X.509 certificates, and supporting digital signatures through the Secure Store and Forward (SSF) interface.
The SAP Security Library (SAPSECULIB) supports the creation and verification of digital signatures through the SSF interface, but cannot encrypt data.
As of SAP NetWeaver 7.40, major security enhancements were made to system security (interfaces, Basis, authentication, and so on), and SAP released a new cryptographic library, CommonCryptoLib. CommonCryptoLib is the technical successor of the SAP Cryptographic Library (SAPCRYPTOLIB). It is a single security library that can be used in all scenarios supported by the previous libraries; the following table shows which library covers which scenario.


Table 16: CommonCryptoLib Scenarios

Scenario                                  SAP Security  SAP Cryptographic  Secure Login  CommonCryptoLib  SSO License
                                          Library       Library            Library                        Required
SAP SNC - X.509                           -             X                  X             X                X
SAP SNC - Kerberos                        -             -                  X             X                X
SPNEGO/ABAP                               -             -                  X             X                X
SSL/TLS                                   -             X                  -             X                -
Secure Store & Forward (SSF)              X             X                  X             X                -
STRUST                                    -             X                  -             X                -
Hardware Security Module (HSM)            -             -                  X             X                -
FIPS 140-2 certified (SAP Note 1848999)   -             -                  -             X                -

Deployment Options for the CommonCryptoLib


The new CommonCryptoLib replaces the SAP Cryptographic Library. It comes with the latest
kernel of SAP NetWeaver AS for ABAP. Beginning with Kernel 7.20 PL88, no specific Kernel
patch is required to use CommonCryptoLib. The library is fully compatible with
SAPCRYPTOLIB and SAPSECULIB.

Note:
For the according ABAP kernel patch levels, refer to SAP Note 1848999 . You must
not use CommonCryptoLib if you are running Kernel releases prior to 7.20 PL88,
as CommonCryptoLib is not fully compatible with such old releases. Use
SAPCRYPTOLIB 5.5 PL38 in such cases.

There are two deployment options for CommonCryptoLib:

Via the ABAP kernel

Via download from SAP Service Marketplace

Beginning with SAP SSO 2.0 SP3, the Secure Login Library is no longer required since its
features are now all included in the CommonCryptoLib. This means that as of release 2.0 SP3,
a newly installed SAP SSO uses the CommonCryptoLib as the default cryptographic library
for SAP SNC and SPNEGO for ABAP.


Note:
SAP NetWeaver SSO 2.0 on CommonCryptoLib differs considerably from the earlier releases based on the Secure Login Library: the PSE is maintained with the sapgenpse tool, the snc command line tool is abandoned, and specific .xml configuration files are used for specific features, among other changes. For more details, refer to the SAP documentation NWSSO for CommonCryptoLib 2.0.

Figure 135: COMMONCRYPTOLIB


Note:
The two SAPCRYPTOLIB variants (old and new) can be recognized by their names. Instances of the old library are called SAPCRYPTOLIB 5.5.5 plXX (for example, 5.5.5pl38), while the newer variant is named CommonCryptoLib 8 (CCL) and uses the version format 8.<major>.<minor> (for example, 8.4.31). For SAP NetWeaver 7.4x, CommonCryptoLib 8 is a fixed component of the delivery (kernel CD). CommonCryptoLib 8 is also part of the newer 7.2x kernel patches (in the download from the SAP Service Marketplace, in the packages SAPEXE and dw_utils).
For more details, refer to SAP Note 2072638 - Dependencies between CommonCryptoLib and SAP Kernel Package.
To determine the CommonCryptoLib version, use transaction STRUST and choose Environment, Display SSF Version.
CommonCryptoLib fixes can be applied independently of SAP kernel packages as follows:

1. Download CommonCryptoLib either as part of the corresponding dw_utils or dw_sar package, or as a stand-alone product from the Download Center.

2. Extract the CommonCryptoLib files from SAPCRYPTOLIBP_<version>-<platformID>.SAR into DIR_CT_RUN.

3. Restart the application server.

Manual Installation of SAP Cryptographic Library SAPCRYPTOLIB


If there are scenarios in which SAPCRYPTOLIB has to be used instead of CommonCryptoLib, make sure you have the latest version:

Download the SAP Cryptographic Library from the SAP Service Marketplace.

Extract the contents of the SAP Cryptographic Library installation package.

The installation package contains the library file (sapcrypto.dll on Microsoft Windows, libsapcrypto.so or libsapcrypto.sl on UNIX), a license ticket, and the command line configuration tool sapgenpse (sapgenpse.exe on Windows).
Copy the library and the sapgenpse tool into the directory $DIR_EXECUTABLE on all application servers. Earlier versions of SAPCRYPTOLIB 5.5.5 (pl32 and below) require a separate license ticket file (ticket), which must be placed in the directory $DIR_INSTANCE/sec.
Set the environment variable SECUDIR for the user <sid>adm (and, on Windows, SAPService<SID>) to the directory $DIR_INSTANCE/sec on all application servers.

Note:
With the latest versions, the ticket file is usually not required, but SAP NetWeaver AS for Java still looks for it and the NetWeaver Administrator (NWA) complains if it does not exist.


Figure 136: SAP Cryptographic Library — SAPCRYPTOLIB

Figure 137: Roadmap: Enabling SAP SNC on SAP NetWeaver AS for ABAP


The figure, Roadmap: Enabling SNC on SAP NetWeaver AS ABAP, shows the steps for enabling SAP SNC on SAP NetWeaver AS for ABAP.

Configure SAP SNC on SAP NetWeaver AS for ABAP using the SSO Wizard (transaction SNCWIZARD)
If the new SAP Cryptographic Library (CommonCryptoLib) version 8.4.20 or higher is used, the SAP SSO wizard (transaction SNCWIZARD) sets up a default configuration for SAP SNC and SPNego on your SAP NetWeaver AS for ABAP. The wizard is available as of SAP NetWeaver 7.0 EHP3 SP15, SAP NetWeaver 7.3 EHP1 SP15, and SAP NetWeaver 7.4 SP08.
The SAP SSO wizard (transaction SNCWIZARD) simplifies the configuration with the following steps:

Defines the SAP SNC identity. The default value is CN=<system_ID>.

Sets the profile parameters for SAP SNC and SPNego in the default profile.

Note:
You can later change the settings made by the wizard manually in transaction RZ10.

Maintains the Kerberos and X.509 credentials.

Creates an SAP SNC PSE if it does not exist yet.

To check your current SAP SNC and SPNego configuration, use transaction SNCCONFIG. It shows the SAP SNC state of an application server instance and its SAP SNC and SPNego profile parameters.

Trust Manager Profile Parameters


To use the SAP Cryptographic Library, the system profile parameters must be set so that the Trust Manager can access the correct libraries.
The parameters sec/libsapsecu and ssf/ssfapi_lib take the location of the SAP Cryptographic Library. The ssf/name parameter must be set to SAPSECULIB even when the SAP Cryptographic Library is used.
For 7.40 kernels and 7.2x kernel patches created after Q2 2014, the kernel provides the predefined variable $(SAPCRYPTOLIB), which expands to the library file name with the platform-specific shared library prefix and extension. You can use the ABAP report RSPARAM to look up the current profile parameter settings, including the following:

ssf/name = SAPSECULIB

ssf/ssfapi_lib = $(SAPCRYPTOLIB)

sec/libsapsecu = $(SAPCRYPTOLIB)

snc/gssapi_lib = $(SAPCRYPTOLIB)

Note:
In Secure Store and Forward (SSF), digital signatures and document encryption
are used. SAPSECULIB supports the security functions for digital signatures and
document encryption.


You can have more than one security product supporting SSF for different applications in SAP. In that case you install multiple security libraries for digital signatures and document encryption, each with its own library and name in the SSF parameters: ssf/ssfapi_lib and ssf/name, ssf2/ssfapi_lib and ssf2/name, ssf3/ssfapi_lib and ssf3/name, and so on.
Use transaction RZ10 to maintain the profile parameters in the instance profile, then restart the application servers.

Table 17: Profile Parameters and Sample Values

Profile Parameter   Value
sec/libsapsecu      Path and file name of the SAP Cryptographic Library
ssf/ssfapi_lib      Path and file name of the SAP Cryptographic Library
ssf/name            SAPSECULIB

By default, the Trust Manager uses the security library SAPSECULIB, which is delivered and installed with the SAP system.
To use the SAP Cryptographic Library instead, set the profile parameters above so that the Trust Manager loads it: sec/libsapsecu and ssf/ssfapi_lib point to the SAP Cryptographic Library, while ssf/name stays SAPSECULIB. In addition to the functions of SAPSECULIB, the SAP Cryptographic Library can perform encryption, which is subject to export regulations.

Creation of SAP SNC PSE and Credentials


To use Trust Manager to create and maintain PSE for SAP NetWeaver AS for ABAP, the
following options are available:

Create a new PSE using Trust Manager on this SAP NetWeaver AS.

Create PSE on a different server, for example, on the other communication partner, SAP
NetWeaver AS, and import the PSE using Trust Manager.


Figure 138: Maintaining the SNC PSE and Credentials: Trust Manager

The figure, Maintaining the SNC PSE and Credentials: Trust Manager, shows how to create and import a PSE using the Trust Manager.
You can use the Trust Manager, transaction STRUST, to maintain the SAP SNC PSE in the following ways:

In transaction STRUST, select the SNC PSE node. In the context menu, choose Create. Fill in the necessary fields and save the PSE.

To use SAP SNC, you must assign a password (PIN) to the PSE and create the credentials: choose Assign Password. The credentials (file cred_v2 in SECUDIR) are what lets the application server open the PSE at startup; without them the server cannot use the PSE and the Trust Manager reports errors later.

Alternatively, to use an existing PSE that was created on another SAP NetWeaver AS, copy SAPSNCS.pse from that system's SECUDIR to the SECUDIR of the target system. In transaction STRUST, choose PSE, then Import.

Note:
If you have set the Distinguished Name (DN) in the snc/identity/as profile parameter, this DN is displayed when the PSE is created.

Trust Manager and Command Tool SAPGENPSE


The sections of the Trust Manager screen and their functions are as follows:

The left frame shows the available PSEs that you can maintain.

The upper section is used for PSE maintenance. Here you create certificate requests, import the corresponding responses from the Certificate Authority (CA), import trusted certificates into the PSE's certificate list, and export the PSE owner's public-key certificate into the clipboard.

The lower section serves as a clipboard for certificates. For example, you can view and export a certificate from one PSE and import it into the certificate list of another PSE.

For more information, see the application help (Help, Application Help) or the online documentation (Security Guide, Network and Transport Layer Security) at http://help.sap.com.
In addition to the Trust Manager, you can use the command line tool SAPGENPSE to perform the following tasks:

Create a PSE using SAPGENPSE.

Create credentials using SAPGENPSE.

You can also create a PSE on a different system with transaction STRUST and move it to another system.
To create a PSE using SAPGENPSE, proceed as follows:

Set the environment variable SECUDIR to $(DIR_INSTANCE)/sec.

Use the command:

sapgenpse get_pse -p <SID>.pse -noreq -x <PIN> "<DISTINGUISHED_NAME>"

The -noreq option creates a self-signed certificate without writing a certificate request; -x passes the PIN that protects the PSE.

Create credentials with SAPGENPSE for the operating system user under which the application server runs (<sid>adm, or SAPService<SID> on Windows), so that the server can open the PSE at startup without a PIN prompt. For a Quality Assurance System (QAS), for example:

sapgenpse seclogin -p <SID>.pse -x <PIN> -O <user_ID>

Establish Trust Relationships for SAP SNC on SAP NetWeaver AS for ABAP

Figure 139: Establish Trust Relationships for SAP SNC on SAP NetWeaver AS for ABAP


You can use the same PSE for both communicating systems. As shown in the figure, Establish Trust Relationships for SAP SNC on SAP NetWeaver AS for ABAP, in the first case both servers share the same identity and automatically trust each other. In the second case, both servers use individual PSEs and exchange public-key certificates with each other.
On both communicating application servers, perform the following steps to export and import certificates:

Use the Trust Manager to export the certificate of the application server and import it into the other system.

To export the server's certificate, go to transaction STRUST, choose the SNC PSE node and then the certificate, choose Export certificate, and save it as a local file.

To import the partner's certificate, go to transaction STRUST, choose the SNC PSE node, load the certificate from its source (for example, the file system), choose Add to certificate list, and save the PSE.
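
The same procedure as a script, added here as an example and not taken from SAP: the functions build the exact sapgenpse argument vectors for creating a self-signed SNC PSE, creating the credentials for the server's OS user, exporting the own certificate, and importing the partner's certificate into the other PSE (mutual trust with individual PSEs). The subcommands get_pse, seclogin, export_own_cert and maintain_pk are the real ones; the system IDs, DNs, SECUDIR paths and OS users are assumptions, and SAPSNCS.pse is the file name AS ABAP expects for its SNC PSE.

```python
"""Plan the sapgenpse steps for mutual SNC trust between two AS ABAP systems.

Added example, not SAP code. Functions return the argument vectors for
sapgenpse so they can be reviewed or dry-run before anything is written
to SECUDIR. System IDs, DNs, paths and OS users below are assumptions.
"""
import os
import subprocess

SNC_PSE = "SAPSNCS.pse"   # file name the AS ABAP expects for its SNC PSE in SECUDIR


class SncSystem:
    def __init__(self, sid, dn, secudir, os_user):
        self.sid = sid
        self.dn = dn                    # same DN as in snc/identity/as (without the 'p:' prefix)
        self.secudir = secudir          # value of SECUDIR, normally $(DIR_INSTANCE)/sec
        self.os_user = os_user          # <sid>adm, or SAPService<SID> on Windows
        self.pse = os.path.join(secudir, SNC_PSE)
        self.cert_file = os.path.join(secudir, f"{sid}_snc.crt")

    def env(self):
        return dict(os.environ, SECUDIR=self.secudir)

    def snc_name(self):
        return "p:" + self.dn

    def create_pse(self, pin):
        # -noreq: self-signed certificate, no CA certificate request is written
        return ["sapgenpse", "get_pse", "-p", self.pse, "-noreq", "-x", pin, self.dn]

    def create_credentials(self, pin):
        # writes cred_v2 in SECUDIR so the server's OS user can open the PSE at start-up
        return ["sapgenpse", "seclogin", "-p", self.pse, "-x", pin, "-O", self.os_user]

    def export_own_cert(self, pin):
        return ["sapgenpse", "export_own_cert", "-o", self.cert_file, "-p", self.pse, "-x", pin]

    def trust(self, partner, pin):
        # add the partner's public-key certificate to this PSE's certificate list
        return ["sapgenpse", "maintain_pk", "-a", partner.cert_file, "-p", self.pse, "-x", pin]


def setup_plan(a, pin_a, b, pin_b):
    """Ordered (system, argv) steps for individual PSEs with exchanged certificates.
    Between the export steps and the maintain_pk steps the certificate files have
    to be copied to the partner host; that transfer is outside sapgenpse."""
    plan = []
    for system, pin in ((a, pin_a), (b, pin_b)):
        plan += [(system, system.create_pse(pin)),
                 (system, system.create_credentials(pin)),
                 (system, system.export_own_cert(pin))]
    plan += [(a, a.trust(b, pin_a)), (b, b.trust(a, pin_b))]
    return plan


def execute(plan, dry_run=True):
    """Run the plan; with dry_run only print the commands, with the PIN masked."""
    for system, argv in plan:
        shown = ["***" if i > 0 and argv[i - 1] == "-x" else arg for i, arg in enumerate(argv)]
        print(f"[{system.sid}] SECUDIR={system.secudir} {' '.join(shown)}")
        if not dry_run:
            subprocess.run(argv, env=system.env(), check=True)


if __name__ == "__main__":
    erp = SncSystem("ERP", "CN=ERP, O=Example, C=DE", "/usr/sap/ERP/D00/sec", "erpadm")
    bw = SncSystem("BW", "CN=BW, O=Example, C=DE", "/usr/sap/BW/D00/sec", "bwadm")
    execute(setup_plan(erp, "pin-erp", bw, "pin-bw"), dry_run=True)
```

Passing the PIN with -x makes it visible in the process list of the host; for interactive use omit -x and let sapgenpse prompt for it. The SNC name that goes into the partner's ACL (snc_name()) is the same DN with the p: prefix.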

SNC Profile Parameters


The SAP SNC-relevant profile parameters are set in the instance profile with transaction RZ10. Setting the profile parameter snc/enable to 1 activates SAP SNC on the application server.
If this parameter is set but the SAP SNC PSE and its credentials do not exist, the application server does not start. For this reason, setting the SAP SNC parameters must be the last step of the configuration procedure, and you should verify beforehand that the SNC PSE and the corresponding credentials exist for every application server.

Figure 140: SAP SNC Profile Parameters

If the Secure Login Library is used, set snc/gssapi_lib to its GSS-API library in the SLL directory (secgss.dll on Microsoft Windows, libsecgss.so on UNIX); with CommonCryptoLib, set it to $(SAPCRYPTOLIB).


Caution:
For production systems, we recommend deactivating non-SNC access for most SAP GUI users (snc/accept_insecure_gui = U). Only a small number of emergency accounts should be able to log on with a password; for these, select the Unsecure communication permitted (user-specific) option on the SNC tab page in transaction SU01.
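
The following script, added here as an example and not part of the SAP handbook, reads an instance profile in its usual name = value text form and reports SNC settings that contradict this lesson. The parameter names are the real AS ABAP ones; the sample profile is constructed with weak values on purpose. The recommendation snc/accept_insecure_gui = U comes from the lesson; treating a minimum quality of protection below 3 (privacy) as a finding is this example's own policy.

```python
"""Audit the SNC profile parameters of an AS ABAP instance.

Added example, not SAP code. Parameter names are the real AS ABAP profile
parameters; the sample profile and the policy in audit_snc() are
constructed for this example.
"""

# Constructed sample instance profile (weak settings on purpose).
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = QAS
INSTANCE_NAME = D00
# SNC
snc/enable = 1
snc/gssapi_lib = $(SAPCRYPTOLIB)
snc/identity/as = p:CN=QAS, O=Example, C=DE
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 0
"""


def parse_profile(text):
    """Return {parameter: value} for the 'name = value' lines of a profile.
    Lines starting with '#' are comments; a later line overrides an earlier
    one for the same parameter, as the kernel's profile reader does."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def audit_snc(params):
    """Return findings as (severity, parameter, message) tuples; empty means OK."""
    findings = []
    if params.get("snc/enable") != "1":
        # Nothing else matters until SNC is switched on.
        return [("high", "snc/enable", "SNC is not activated on this instance")]
    if not params.get("snc/gssapi_lib"):
        findings.append(("high", "snc/gssapi_lib",
                         "no GSS-API library configured; the server will not start with snc/enable = 1"))
    if not params.get("snc/identity/as", "").startswith("p:"):
        findings.append(("high", "snc/identity/as",
                         "SNC name must be the DN from the SNC PSE with the 'p:' prefix"))
    # Quality of protection: 1 = authentication only, 2 = integrity, 3 = privacy.
    # Policy of this example: never accept a partner that negotiates below privacy.
    if params.get("snc/data_protection/min") != "3":
        findings.append(("medium", "snc/data_protection/min",
                         "set to 3 so that partners cannot negotiate an unencrypted connection"))
    # Non-SNC logons: 0 = reject, 1 = accept for everyone,
    # U = accept only for users flagged 'unsecure communication permitted' in SU01.
    for proto in ("gui", "rfc"):
        name = f"snc/accept_insecure_{proto}"
        if params.get(name, "0") == "1":
            findings.append(("high", name,
                             f"any user may log on via {proto.upper()} without SNC; "
                             "use U (emergency users flagged in SU01) or 0"))
    if params.get("snc/accept_insecure_cpic", "0") == "1":
        findings.append(("high", "snc/accept_insecure_cpic",
                         "CPIC logon without SNC is accepted for everyone"))
    return findings


def hardened(params):
    """Copy of the profile with the recommended production values applied."""
    fixed = dict(params)
    fixed.update({"snc/data_protection/min": "3",
                  "snc/accept_insecure_gui": "U",
                  "snc/accept_insecure_rfc": "U",
                  "snc/accept_insecure_cpic": "0"})
    return fixed


if __name__ == "__main__":
    current = parse_profile(SAMPLE_PROFILE)
    for severity, name, message in audit_snc(current):
        print(f"[{severity}] {name}: {message}")
    print("after hardening:", audit_snc(hardened(current)))
```

Run it against the output of report RSPARAM (or the profile file itself) after the SNC PSE and credentials exist; the findings list is empty only when SNC is enabled, the identity and library are set, and password logon without SNC is limited to the SU01-flagged emergency users.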

Setup of Access Control List (ACL) Entries


In addition to identifying the communication partner through the trust relationship, the AS ABAP also checks access control lists (ACLs). These lists specify explicitly which other systems are allowed to connect to this system using SAP SNC, and with which types of communication.

Figure 141: Set up ACL Entries

Note:
The SAP SNC name of an X.509 partner is the DN given in its certificate, with a p: prefix (for example, p:CN=<SID>, O=<organization>, C=<country>).

The ACLs involved in the process are as follows:

System ACL
Enter the SAP SNC name of the remote system and activate the types of communication that this system may use: RFC, CPIC, DIAG, user authentication using certificates, or user authentication using other external authentication mechanisms, such as PAS.
To maintain the system ACL, use transaction SNC0 or the table maintenance transaction SM30 for the SNCSYSACL table or the VSNCSYSACL view (type = E).


Extended User ACL

An entry for the SAP NetWeaver AS is needed to use WebRFC, for example with PAS. The entry specifies which users of the partner system may log on through the SAP SNC connection.

To maintain the extended user ACL (table USRACLEXT), use the table maintenance transaction SM30.
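
The ACL check as an added Python example (not SAP code): a trusted certificate only proves that the peer holds a key pair certified by a party in our certificate list; the system ACL then decides which SNC names may connect and with which protocol, and anything not listed is refused. The entry layout is a simplified model of the SNCSYSACL entries (type E) maintained with SNC0, and the sample entries and requests are constructed.

```python
"""Deny-by-default check of an inbound SNC connection against a system ACL.

Added example, not SAP code. Simplified model of the SNCSYSACL entries
(type E) maintained with SNC0: one entry per external system, identified by
its SNC name, with flags for the permitted conn­ection and logon types.
Sample entries and requests are constructed.
"""
from dataclasses import dataclass


def snc_name_from_dn(dn):
    """SNC name of an X.509 partner: its certificate DN with a 'p:' prefix.
    Spacing after commas is normalised so 'CN=A,O=B' equals 'CN=A, O=B'
    (assumption for this example; the security library does the real comparison)."""
    return "p:" + ", ".join(part.strip() for part in dn.split(","))


@dataclass(frozen=True)
class AclEntry:
    snc_name: str
    active: bool = True
    rfc: bool = False           # RFC connections permitted
    cpic: bool = False          # CPIC connections permitted
    diag: bool = False          # SAP GUI (DIAG) connections permitted
    cert_logon: bool = False    # user authentication with X.509 certificates
    ext_id_logon: bool = False  # other external authentication, for example PAS


class SystemAcl:
    def __init__(self, entries):
        self.entries = {e.snc_name: e for e in entries}

    def decide(self, partner_dn, kind):
        """Return (allowed, reason) for kind in RFC, CPIC, DIAG, CERT, EXTID."""
        name = snc_name_from_dn(partner_dn)
        entry = self.entries.get(name)
        if entry is None:
            return False, f"no ACL entry for {name}"
        if not entry.active:
            return False, f"entry for {name} is inactive"
        flags = {"RFC": entry.rfc, "CPIC": entry.cpic, "DIAG": entry.diag,
                 "CERT": entry.cert_logon, "EXTID": entry.ext_id_logon}
        if kind not in flags:
            return False, f"unknown connection type {kind}"
        if not flags[kind]:
            return False, f"{kind} not permitted for {name}"
        return True, f"{kind} permitted for {name}"


# Constructed sample ACL of a production system.
SAMPLE_ACL = SystemAcl([
    AclEntry("p:CN=ERP, O=Example, C=DE", rfc=True, cpic=True),
    AclEntry("p:CN=BW, O=Example, C=DE", rfc=True),
    AclEntry("p:CN=OLDSYS, O=Example, C=DE", active=False, rfc=True),
])

# Constructed sample requests: (partner DN from its certificate, connection type).
SAMPLE_REQUESTS = [
    ("CN=ERP,O=Example,C=DE", "RFC"),
    ("CN=BW, O=Example, C=DE", "DIAG"),
    ("CN=OLDSYS, O=Example, C=DE", "RFC"),
    ("CN=ROGUE, O=Example, C=DE", "RFC"),   # certified by a trusted CA, but never entered in SNC0
]


def evaluate(acl, requests):
    """Allow/deny decisions for a list of requests, in order."""
    return [acl.decide(dn, kind)[0] for dn, kind in requests]


if __name__ == "__main__":
    for (dn, kind), ok in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_ACL, SAMPLE_REQUESTS)):
        print(f"{kind:5} from {dn:28} -> {'ALLOW' if ok else 'DENY'}")
```

The last request is the case the ACL exists for: a system whose certificate chains to a CA in the certificate list, but which was never entered in SNC0, is still refused.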

Establishment of Trust Relationships for SAP SNC on SAP NetWeaver AS for ABAP

Figure 142: SAP SNC Between SAP NetWeaver AS for ABAP Systems

This figure, SAP SNC Between NetWeaver AS for ABAP Systems, shows SAP SNC
configuration to connect two SAP NetWeaver AS for ABAP systems.

LESSON SUMMARY
You should now be able to:

Configure SNC for SAP NetWeaver AS ABAP

Configure SNC for other SAP components



Unit 5
Lesson 3
Reducing the Attack Surface: RFC
Communication and Unified Connectivity

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Set up data collection for RFC-enabled function modules

RFC Communication and Unified Connectivity


Business Example
Your company runs one S/4 system in which some interfaces use BAPIs to read and write data in the database. After examining the available BAPIs, you are sure that hundreds of them will never be called. However, you cannot pinpoint which RFC-enabled function modules are actually in use in the productive environment, and enabling detailed traces is not a feasible option.

Blocking Unwanted Access

Figure 143: Blocking Remote Function Modules

Once the UCON runtime check is active, any RFC-enabled function module that is not assigned to a Communication Assembly is blocked for external RFC calls; calls from within the system are not affected. The authorization check on S_RFC remains in place and provides a second layer of protection for individual communication users.


Software Lifecycle Management

Figure 144: What Happens when a New Function Module is Imported?

New function modules are created by developers, and others arrive through corrective or evolutionary maintenance delivered by SAP (for example, a support package, a feature pack, or just a note).

Figure 145: Import Usage Statistics into the Development Environment

The usage statistics collected in a productive system can be transported to a non-productive environment, where developers can include the assignment of new function modules to Communication Assemblies in their development practice.

Step by Step Procedure: Capturing RFC Activity in a Productive Environment


RFC-enabled function modules must be assigned to a Communication Assembly; this is what lets you filter which of them are available externally. The overall process consists of identifying the candidate function modules, logging their usage, and assigning the used ones to Communication Assemblies.
Hint: For a more visual presentation, how-to videos are available at: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=448476438



Lesson: Reducing the Attack Surface: RFC Communication and Unified Connectivity

Figure 146: Step 1 — Profile Parameters

Unified Connectivity is not enabled by default. Set the profile parameter ucon/rfc/active to 1.

Figure 147: Step 2 — Data Collection Jobs

After the profile parameter is set, review your standard job definitions: in transaction SM36, ensure that the SAP_UCON_MANAGEMENT job is scheduled and running in your system.


Figure 148: Step 3 – Transaction UCONPHTL

In transaction UCONPHTL (the UCON phase tool), you can see which RFC-enabled function modules exist in the system and in which phase each of them currently is.

Figure 149: Step 4 – Selecting the Inspection Client and Setting the Retention Period

Note that, besides your working clients (productive, golden, and so on), several technical tools require access to client 000. Make sure the retention period is long enough, because some functionality may only be used seasonally (for example, fiscal year closing).


Figure 150: Step 5 – Set the Duration for Logging and Evaluation Periods

A reasonable approach is to start with a moderate window, but no shorter than about two months for logging, because some interfaces run only once a month.

Figure 151: Step 6 – Logging RFC Activity

At the early stage, allow all function modules to be logged (logging phase). Later, assign the ones that were actually called to a Communication Assembly and move them through the evaluation phase into the final phase, where unassigned modules are blocked.

Figure 152: Step 7 – Assigning RFC Modules to a Communication Assembly
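
The phase model of this procedure as an added Python simulation (not SAP code): a constructed call log is evaluated over a short and a sufficiently long logging window, the unassigned modules that were called become the assignment proposal, and the runtime decision for a call is shown per phase. The function module names, dates and the two-month minimum are constructed for the example; the phase names (logging, evaluation, final) are UCON's own.

```python
"""Simulate the UCON phase model for RFC-enabled function modules.

Added example, not SAP code. It models the three phases of Unified
Connectivity (logging, evaluation, final) on constructed call data to show
(a) why the logging window has to cover infrequent interfaces and (b) which
function modules end up assigned to a Communication Assembly.
"""
from datetime import date

LOGGING, EVALUATION, FINAL = "logging", "evaluation", "final"

# Constructed sample: RFC-enabled function modules known to the system (as listed in UCONPHTL).
RFC_ENABLED = {"BAPI_USER_GET_DETAIL", "BAPI_MATERIAL_SAVEDATA", "RFC_PING",
               "BAPI_FIXEDASSET_GETDETAIL", "RFC_READ_TABLE", "BAPI_COMPANYCODE_GETLIST"}

# Constructed sample of logged external calls: (date, client, function module).
CALL_LOG = [
    (date(2017, 1, 3), "100", "RFC_PING"),
    (date(2017, 1, 5), "100", "BAPI_MATERIAL_SAVEDATA"),
    (date(2017, 1, 31), "100", "BAPI_COMPANYCODE_GETLIST"),   # month-end interface
    (date(2017, 2, 28), "100", "BAPI_COMPANYCODE_GETLIST"),
    (date(2017, 2, 14), "000", "RFC_PING"),                    # technical tools use client 000
    (date(2017, 3, 31), "100", "BAPI_FIXEDASSET_GETDETAIL"),   # quarter-end only
]


def called_modules(log, since, until, clients=None):
    """Function modules with at least one logged call in [since, until],
    optionally restricted to the given clients."""
    return {fm for d, client, fm in log
            if since <= d <= until and (clients is None or client in clients)}


def proposal(log, since, until, assembly=frozenset()):
    """Modules seen in the logging window that are not yet assigned to a
    Communication Assembly, i.e. the candidates for assignment."""
    return called_modules(log, since, until) - set(assembly)


def blocked_by_default(assembly):
    """Everything RFC-enabled but unassigned is rejected once the final phase is active."""
    return RFC_ENABLED - set(assembly)


def check_call(phase, assembly, fm):
    """UCON runtime decision for an external call of fm in the given phase."""
    if fm not in RFC_ENABLED:
        return "not RFC-enabled"
    if phase == FINAL and fm not in assembly:
        return "blocked"
    if phase == EVALUATION and fm not in assembly:
        return "allowed (would be blocked in final phase)"
    return "allowed"


def logging_window_ok(since, until, min_days=60):
    """A window shorter than about two months misses monthly interfaces."""
    return (until - since).days >= min_days


if __name__ == "__main__":
    short = (date(2017, 1, 1), date(2017, 1, 20))
    full = (date(2017, 1, 1), date(2017, 3, 31))
    print("short window ok:", logging_window_ok(*short), sorted(proposal(CALL_LOG, *short)))
    print("full window ok: ", logging_window_ok(*full), sorted(proposal(CALL_LOG, *full)))
    assembly = proposal(CALL_LOG, *full)
    print("blocked in final phase:", sorted(blocked_by_default(assembly)))
    for fm in ("RFC_PING", "RFC_READ_TABLE"):
        print(FINAL, fm, "->", check_call(FINAL, assembly, fm))
```

With the short window the month-end and quarter-end interfaces never appear in the proposal, and they would be blocked the day the final phase is activated; the 89-day window catches them.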

LESSON SUMMARY
You should now be able to:

Set up data collection for RFC-enabled function modules



Unit 5

Learning Assessment

1. List the types of Remote Function Call (RFC) communication in the SAP system.
Choose the correct answers.

X A Synchronous RFC

X B Asynchronous RFC

X C Transactional RFC

X D Queued RFC

X E Trusted RFC

X F Background RFC

2. While enabling SAP Secure Network Communication (SNC) on the SAP NetWeaver
Application Server (AS), the environment variable SECUDIR should be set to the location
of the license ticket.
Determine whether this statement is true or false.

X True

X False

3. What is the correct sequence for the steps to enable SAP SNC on SAP NetWeaver AS for
Java?
Arrange these steps into the correct sequence.

0 Install the SAP Cryptographic Library and license ticket.

0 Create or import the SAP SNC PSE.

0 Create credentials.

0 Establish trust relationships.

0 Set SAP SNC profile parameters.

0 Restart SAP NetWeaver AS for Java.



Unit 5

Learning Assessment - Answers

1. List the types of Remote Function Call (RFC) communication in the SAP system.
Choose the correct answers.

X A Synchronous RFC

X B Asynchronous RFC

X C Transactional RFC

X D Queued RFC

X E Trusted RFC

X F Background RFC

2. While enabling SAP Secure Network Communication (SNC) on the SAP NetWeaver
Application Server (AS), the environment variable SECUDIR should be set to the location
of the license ticket.
Determine whether this statement is true or false.

X True

X False

3. What is the correct sequence for the steps to enable SAP SNC on SAP NetWeaver AS for
Java?
Arrange these steps into the correct sequence.

1 Install the SAP Cryptographic Library and license ticket.

2 Create or import the SAP SNC PSE.

3 Create credentials.

4 Establish trust relationships.

5 Set SAP SNC profile parameters.

6 Restart SAP NetWeaver AS for Java.



UNIT 6 Secure Sockets Layer (SSL)

Lesson 1
Discussing Secure Sockets Layer (SSL) for SAP 197

Lesson 2
Discussing SSL for SAP Management Console 208

Lesson 3
Discussing SSL for SAP NetWeaver AS ABAP 210

Lesson 4
Discussing SSL for SAP NetWeaver AS Java 215

UNIT OBJECTIVES

Describe SSL for SAP

Enable SSL for the SAP Management Console

Enable SSL for SAP NetWeaver AS ABAP

Enable SSL for SAP NetWeaver AS Java



Unit 6
Lesson 1
Discussing Secure Sockets Layer (SSL) for SAP

LESSON OVERVIEW
This lesson explains how to configure Secure Sockets Layer (SSL) for the SAP NetWeaver Application Server (SAP NetWeaver AS).

Business Example
You want to secure HTTP communication. For this reason, you require an understanding of
SSL, SSL server, and SSL client.

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Describe SSL for SAP

SSL for SAP

Figure 153: Product Overview



Unit 6: Secure Sockets Layer (SSL)

The figure, Product Overview, provides an overview of SSL.

Encryption Using SSL

Figure 154: Encryption Using SSL

To secure HTTP connections to and from SAP NetWeaver AS, you use SSL for encryption. (SAP documentation keeps the name SSL for this layer; current kernels negotiate TLS, and the obsolete SSL 2.0 and 3.0 protocol versions should not be offered.)
SAP NetWeaver AS can act as the server or as the client of the HTTP connection:

Users connecting to SAP NetWeaver AS with their Web browser (the AS is the server).

SAP NetWeaver AS connecting to another SAP NetWeaver AS (the AS is the client).

SAP NetWeaver AS connecting to another Web server (the AS is the client).

Recommendations for Implementing SSL in SAP NetWeaver AS

Use HTTPS for all browser access from end users to SAP systems. End users must not use HTTP to access SAP systems.

Use HTTPS for communication between SAP systems whenever the network traffic could be sniffed by end users.

Terminate HTTPS on infrastructure components (for example, load balancers or reverse proxies) in the server network, or configure the SAP systems to act as the SSL server themselves.

Restrict access to the table SSF_PSE_D, which stores the PSEs, by assigning it to a dedicated table authorization group that end users are not authorized for. For more information about protecting read access to key tables, see SAP Note 1485029.

Restrict access to Personal Security Environment (PSE) files from ABAP programs. For more information about protecting access to PSE files, see SAP Note 1497104.

As with Secure Network Communications (SNC), SSL in SAP NetWeaver AS for ABAP uses the SAP Cryptographic Library for the cryptographic functions. For SNC you can alternatively use a partner product; for SSL you must use the SAP Cryptographic Library. The SAP Cryptographic Library is available for download from the SAP Service Marketplace.

Figure 155: Encryption Using SSL


Unit 6: Secure Sockets Layer (SSL)

SAP Cryptographic Library

Figure 156: SAP Cryptographic Library

SAP NetWeaver AS for Java, up to release 7.02, uses the SAP Java Cryptographic Toolkit, which is installed during the system installation. In later releases, for example SAP NetWeaver AS for Java 7.10, the Java Dispatcher is replaced by the Internet Communication Manager (ICM) and the SAP Cryptographic Library is used instead.

Note:
With SAP NetWeaver AS for ABAP+Java, SAP Cryptographic Library is used. If
terms such as PSE and ICM are used, the information points to SAP NetWeaver
AS for Java 7.1 and higher versions.


ICM Parameters for SSL Profile

Figure 157: ICM Parameters for SSL Profile

The icm/server_port_<xx> parameters specify which protocol is served on which port, for example icm/server_port_1 = PROT=HTTPS,PORT=8444,VCLIENT=1. The sequence numbers and protocols of the ICM and the SSL profile parameter entries must correspond.
The possible values of the VCLIENT option of an HTTPS port are as follows:

VCLIENT=0
The SSL server does not request a client certificate.

VCLIENT=1
The server asks the client for a certificate. If the client does not send one, authentication is performed by another method, for example basic authentication (default setting).

VCLIENT=2
The client must present a valid certificate to the server; otherwise access is denied.

Note:
This port-specific value overrides the value set with the parameter icm/HTTPS/verify_client. If you specify the SSL configuration with SSLCONFIG, you must not set VCLIENT.

The sec/libsapsecu and ssf* parameters are necessary for the Trust Manager.


The ssl/ssl_lib parameter specifies where the SAP Cryptographic Library is located.
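
The following script, added here as an example and not part of the SAP handbook, parses the icm/server_port_<n> entries of a profile (given as a parameter-to-value dictionary), resolves the effective VCLIENT value for each HTTPS port, and flags a plain HTTP port and missing library parameters. The parameter names, the option syntax and the VCLIENT meanings are the ones from this lesson; the sample values and the severity policy are constructed.

```python
"""Audit the ICM port definitions and TLS-related parameters of an AS ABAP profile.

Added example, not SAP code. The parameter names, the icm/server_port syntax
and the VCLIENT values are the real ones from this lesson; the sample profile
(given as a dict of parameter -> value) and the policy are constructed.
"""
import re

# Constructed sample of the relevant profile parameters (weak on purpose).
SAMPLE_PARAMS = {
    "icm/server_port_0": "PROT=HTTP,PORT=8000",
    "icm/server_port_1": "PROT=HTTPS,PORT=8444,VCLIENT=1,TIMEOUT=60",
    "icm/server_port_2": "PROT=SMTP,PORT=25000",
    "icm/HTTPS/verify_client": "1",
    "ssl/ssl_lib": "$(SAPCRYPTOLIB)",
    "sec/libsapsecu": "$(SAPCRYPTOLIB)",
    "ssf/ssfapi_lib": "$(SAPCRYPTOLIB)",
    "ssf/name": "SAPSECULIB",
}

VCLIENT_MEANING = {
    "0": "no client certificate is requested",
    "1": "client certificate requested but optional; other methods such as basic authentication as fallback (default)",
    "2": "client certificate required; access denied without a valid certificate",
}


def server_ports(params):
    """One dict per icm/server_port_<n>: INDEX plus the comma-separated options, keys upper-cased."""
    ports = []
    for name, value in params.items():
        m = re.fullmatch(r"icm/server_port_(\d+)", name)
        if not m:
            continue
        opts = {"INDEX": int(m.group(1))}
        for item in value.split(","):
            key, _, val = item.partition("=")
            opts[key.strip().upper()] = val.strip()
        ports.append(opts)
    return sorted(ports, key=lambda p: p["INDEX"])


def effective_vclient(port, params):
    """VCLIENT on the port overrides icm/HTTPS/verify_client; the kernel default is 1."""
    return port.get("VCLIENT", params.get("icm/HTTPS/verify_client", "1"))


def audit_ports(params):
    """Findings as (severity, parameter, message) tuples."""
    findings = []
    ports = server_ports(params)
    if not any(p.get("PROT") == "HTTPS" for p in ports):
        findings.append(("high", "icm/server_port", "no HTTPS port is configured"))
    elif not params.get("ssl/ssl_lib"):
        findings.append(("high", "ssl/ssl_lib",
                         "HTTPS port defined but no SAP Cryptographic Library configured"))
    for trust_param in ("sec/libsapsecu", "ssf/ssfapi_lib"):
        if not params.get(trust_param):
            findings.append(("medium", trust_param, "not set; the Trust Manager cannot load the library"))
    for p in ports:
        name = f"icm/server_port_{p['INDEX']}"
        if p.get("PROT") == "HTTP":
            findings.append(("high", name,
                             f"plain HTTP on port {p.get('PORT')}: end users must not use HTTP; "
                             "remove the port or restrict it to the server network"))
        elif p.get("PROT") == "HTTPS":
            vclient = effective_vclient(p, params)
            meaning = VCLIENT_MEANING.get(vclient)
            if meaning is None:
                findings.append(("medium", name, f"unknown VCLIENT value {vclient!r}"))
            else:
                findings.append(("info", name, f"HTTPS on port {p.get('PORT')}, VCLIENT={vclient}: {meaning}"))
    return findings


if __name__ == "__main__":
    for severity, name, message in audit_ports(SAMPLE_PARAMS):
        print(f"[{severity:6}] {name}: {message}")
```

The HTTP entry on port 8000 is the finding that matters for the end-user recommendation above; changing it to PROT=HTTPS with VCLIENT=2 (or removing it) clears all high findings while the informational VCLIENT lines document which ports demand a client certificate.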

SAP Cryptographic Library: Installation Example


If you are using SAPCRYPTOLIB as your cryptographic library, install the following:

The library in the $(DIR_EXECUTABLE) directory

The license ticket in the $(DIR_INSTANCE)/sec directory

PSE for Identities

Figure 158: PSE for Identities

The SAP NetWeaver AS can be the server component or the client component for
connections.
Depending on the server’s role for these connections, SAP NetWeaver AS has a different
identity.
For each identity, there is a separate PSE. For example, there is an SSL server PSE, an SSL
client PSE, and a PSE for SNC.


SSL Server

Figure 159: Distinguished Name of the Server

For each identity, the SAP NetWeaver AS uses a different distinguished name due to the
restrictions on the corresponding name.
For example, when using the SSL server PSE, the common name (CN) in the distinguished
name of the server must correspond to the fully-qualified host name used to access the
server. As a result, different hosts within the same system may need to have different names
and different SSL server PSEs.
When using the SSL client PSE, the server functions as a system and not as a server, and uses
the <SID> as the CN.

SSL Server PSE

Figure 160: SSL Server PSE

Individual hosts can use the following types of SSL server PSEs:

Standard

Individual

Shared

The standard SSL server PSE is used to create individual SSL server PSEs for each host.
However, a host may also use this standard PSE for its SSL server PSE.
The CN part of the distinguished name must correspond to the fully-qualified host name that
is used to access the server. As a result, servers that are accessed using the same host name
alias can share PSEs.

Servers that Use the Standard PSE

Figure 161: Servers that use the Standard PSE

The standard SSL server PSE contains a wildcard as the host name in the distinguished name.
Servers that share the SSL server PSE have the same key pair and identity. Having the same
key pair and identity saves costs when obtaining the corresponding SSL server certificates.
For example, when the user contacts the SSL server through the URL https://host123.mydomain.com:8444, the CN of the server is *.mydomain.com. The user receives a warning or error in the Web browser that the names do not match.
As a result, it is inconvenient to use the standard SSL server PSE for individual servers. Only use this scenario when users can access the server regardless of the mismatched names.

Servers that Use Individual PSEs

Figure 162: Servers that use Individual PSEs

To avoid warnings or error messages, you can use individual PSEs for individual servers, using the host name of the server as the CN in the distinguished name.

To use individual PSEs, users must be able to directly access SAP NetWeaver AS. As a result,
these PSEs are not useful when you need to manage your SAP NetWeaver AS systems using
load balancing devices or network zones.

Servers that Share a PSE

Figure 163: Servers that Share a PSE

For cases in which you have a load balancer or any other device in front of the SAP NetWeaver
AS, you can have the servers sharing one PSE. When setting up this PSE, you use the host
name of the device as the CN part of the distinguished name of the application server.

SSL Client

Figure 164: SSL Client PSE – 1

For connections in which SAP NetWeaver AS is the client component, SAP NetWeaver AS
uses a different PSE called the SSL client PSE.
You can use different types of SSL client PSE, depending on the scenario.
By default, the server uses the standard SSL client PSE. Note that this PSE must exist for SSL
to work. When using this PSE, SAP NetWeaver AS will be authenticated using the identity
associated with this PSE.
The anonymous SSL client PSE is available to use for connections where only server-side
authentication and data encryption are necessary. No client authentication is needed. The
anonymous SSL client PSE is used only as a container for the list of Certification Authorities
(CAs) that the server trusts when accessing the other server.
You can create individual SSL client PSEs for additional identities. Use these PSEs for cases
where you want SAP NetWeaver AS to function as an individual identity, for example, when
accessing a specific application, such as a banking application.
Unlike the SSL server PSE, the SSL client PSE is used by all application server instances in the system.

SSL Client PSE – Determination

Figure 165: SSL Client PSE – 2

You specify which connections use which identity and PSE when you set up the HTTP
destination using transaction SM59. For each connection, you can specify a different PSE.

LESSON SUMMARY
You should now be able to:

Describe SSL for SAP

Unit 6
Lesson 2
Discussing SSL for SAP Management Console

LESSON OVERVIEW
This lesson describes the procedure to secure access to the SAP Management Console.

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Enable SSL for the SAP Management Console

SSL for the SAP Management Console


To establish a secure communication, go to Properties in the SAP Windows Management
Console or Settings in the SAP Java Management Console.

Figure 166: Enabling HTTPS for SAP Windows Management Console

Figure 167: Enabling HTTPS SAP Windows Management Console

sapstartsrv (as of 720 patch 45) allows you to specify network ACLs using the profile parameters service/http/acl_file and service/https/acl_file. After you set the profile parameters or change the ACL files, you must restart the affected sapstartsrv to activate the changes. SAP Note 1495075 describes the syntax of the ACL files.

Trusted Connection with the PKI System


As of SAP Kernel Release 742, sapstartsrv automatically initializes a system PKI (see http://scn.sap.com/community/security/blog/2015/04/04/secure-server-communication-in-sap-netweaver-as-abap), which assigns a sap_system_pki_instance certificate (saved via a PIN in the secure storage) to each instance. Clients that authenticate themselves with a certificate of the system PKI of the system are automatically authorized to execute all Web service methods. sapcontrol offers this with the option "-systempki <profile>" ("-prot NI_HTTPS" is implicitly activated). Usage requires access to the central secure storage and sap_system_pki_instance.pse via the configuration of the specified profile.

LESSON SUMMARY
You should now be able to:

Enable SSL for the SAP Management Console

Unit 6
Lesson 3
Discussing SSL for SAP NetWeaver AS ABAP

LESSON OVERVIEW
This lesson explains how to configure Secure Sockets Layer (SSL) on SAP NetWeaver by creating the SSL client Personal Security Environment (PSE) and the SSL server PSE.

Business Example
You want to enable SSL on SAP NetWeaver Application Server (SAP NetWeaver AS) to
reinforce the security of the system. For this reason, you require knowledge of how to
perform the following tasks:

Create SSL server PSE

Create SSL client PSE

Configure SSL for Application Server ABAP (AS ABAP)

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Enable SSL for SAP NetWeaver AS ABAP

SSL for SAP NetWeaver AS ABAP


The Secure Sockets Layer (SSL) protocol is used to secure HTTP connections to and from
SAP NetWeaver Application Server (AS) for ABAP.

Authentication and Encryption with SSL

The data being transferred between the two parties (client and server) is encrypted, and
the two partners can be authenticated.

If users need to transfer their account information, SSL can be used to authenticate the
users and encrypt the information during transfer.

To Create SSL Client PSE

Figure 168: Roadmap to Create SSL Client PSE

The figure, Roadmap to Create SSL Client PSE, shows the steps to create an SSL client PSE.

1. Create the standard SSL client PSE.

Figure 169: Create the Standard SSL Client PSE

a) Use the Trust Manager, transaction STRUST, to maintain the SSL client PSEs.
Use the <SID> as the Common Name (CN) part of the DN.

b) If the server functions as a client component for connections where SSL is used, create a certificate request and send it to your CA. Import the corresponding response into the standard SSL client PSE.

c) Establish trust relationships by importing the CA root certificates from CAs that you
trust into the certificate list of the PSE.

2. Create the anonymous SSL Client PSE.

Figure 170: Create the Anonymous SSL Client PSE

The anonymous SSL client PSE is optional. You need this PSE for connections where the
SAP NetWeaver AS is not to be authenticated for the connection.
The Common Name part of the Distinguished Name is automatically determined by the
system as CN=anonymous .
The SAP NetWeaver AS is not authenticated when using this PSE, so you do not need to
use a certificate signed by a CA. You can skip the certificate request handling steps.
However, you need to establish the trust relationships by importing the trusted CA root
certificates into certificate list of the PSE.

3. Create an individual SSL client PSE.

Figure 171: Create an Individual SSL Client PSE

a) To create and activate an individual SSL client PSE, you need to make an entry in the SSL client identity table. On the Trust Manager screen, to access the table, choose Environment → SSL Client Identities.

b) Use the Trust Manager to maintain the PSE. There are no restrictions on the
Distinguished Names for individual SSL client PSEs.

c) After creating the SSL client PSE(s), restart the Internet Communication Manager
(ICM).

4. Assign connection with SSL client PSE.

Figure 172: Assign Connection with SSL Client PSE

a) Create the HTTP connection using transaction SM59. There are two types of HTTP
connection:

HTTP connection to an external server (connection type G)

HTTP connection to an ABAP system (connection type H)

Note:
The only difference between these two connection types is the available
logon procedures. The technical settings are identical.

b) Under Technical settings, specify the host, URL, and HTTPS port to use for the target system.

c) Specify the authentication method to use for the logon under Logon/Security options.

d) For SAP NetWeaver AS connections, Type H, specify the following logon methods:

If SSL client authentication is to be used, select Basic Authentication.

Otherwise, you can select SAP standard or SAP Trusted Systems.

e) Activate SSL and specify which SSL identity to use for the connection.

f) Specify the language or target client, if these values are different from the default
values.

g) If you want SSO to another SAP NetWeaver AS, you must maintain a user mapping in the target system using the table USREXTID.
This table maps the DN of the client SAP NetWeaver AS to the user ID used for the connection.

h) Test the connection.

LESSON SUMMARY
You should now be able to:

Enable SSL for SAP NetWeaver AS ABAP

Unit 6
Lesson 4
Discussing SSL for SAP NetWeaver AS Java

LESSON OVERVIEW
This lesson explains how to enable Secure Sockets Layer (SSL) for SAP NetWeaver Application Server Java (SAP NetWeaver AS Java).

Business Example
To secure the HTTP communication, you need to configure SSL on SAP NetWeaver AS Java.
For this reason, you require an understanding of the following:

How to enable SSL on SAP NetWeaver AS Java

How to configure SSL for SAP NetWeaver AS Java

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Enable SSL for SAP NetWeaver AS Java

SSL for SAP NetWeaver AS Java


The SAP NetWeaver Application Server (AS) for Java supports the use of transport layer
security for network communications. It uses SSL for some protocols, such as HTTP, P4, and
LDAP. SSL is a quasi-standard protocol developed by Netscape.
For an overview of the supported SSL scenarios, see the figure, Overview of Supported SSL
Scenarios.

Figure 173: Overview of Supported SSL Scenarios

Security Features of SSL at the Network Layer

Authentication
With server-side authentication, the server identifies itself to the client when the
connection is established, which reduces the risk of server impersonation to gain
information from clients.
With mutual authentication, both the client and the server are authenticated when the
connection is established. For example, you use client-side authentication at SSL level to
authenticate users with client certificates instead of with user IDs and passwords.

Data integrity
The data being transferred between the client and the server is protected, so that any
manipulation of the data is detected.

Data privacy
The data being transferred between the client and the server is also encrypted, which
provides privacy protection. An eavesdropper cannot access the data.

To Enable SSL on SAP NetWeaver AS for Java

1. Choose a specific SSL port.

2. Generate a public and private key pair.

3. Send the certificate signing request (CSR) to the Certification Authority (CA).

4. Import the CSR response.

5. Import the public certificate of the CA.

6. Restart the instance.

Note:
The cryptographic library (CommonCryptoLib 8.4) is included with the 7.42 kernel, so there is no need to install it separately. The ticket file does not come with the kernel, so you have to create it yourself. Navigate to the \usr\sap\<SID>\Jxx\sec directory, create an empty text file, and save it with the file name ticket without an extension.
For more details about the configuration of SSL in AS Java, refer to the online help at http://help.sap.com/saphelp_nw74/helpdata/en/4a/015cc68d863132e10000000a421937/frameset.htm.

LESSON SUMMARY
You should now be able to:

Enable SSL for SAP NetWeaver AS Java

Unit 6

Learning Assessment

1. Which of the following options are the components of a Personal Security Environment
(PSE)?
Choose the correct answers.

A. Public and private key pair

B. Digital signatures

C. Public-key certificate of the server

D. SAP Security Library

2. Which of the following is not done to create a Secure Sockets Layer (SSL) server Personal Security Environment (PSE)?
Choose the correct answer.

A. Create the standard SSL server PSE

B. Establish the necessary trust relationships

C. Create individual PSEs

D. Specify the PSE for each application server to use individual PSEs

3. Who must certify the public key of the SAP NetWeaver AS for Java key pair to use a key
pair for SSL?
Choose the correct answer.

A. SAP user

B. SUPER user

C. Certification Authority (CA)

D. The SSL client

4. The SAP Web Dispatcher supports the use of SSL using which of the following?
Choose the correct answer.

A. SAP Cryptographic Library

B. OpenSSL

C. Kerberos

D. Windows NT LM Service

Unit 6

Learning Assessment - Answers

1. Which of the following options are the components of a Personal Security Environment
(PSE)?
Choose the correct answers.

A. Public and private key pair

B. Digital signatures

C. Public-key certificate of the server

D. SAP Security Library

2. Which of the following is not done to create a Secure Sockets Layer (SSL) server Personal Security Environment (PSE)?
Choose the correct answer.

A. Create the standard SSL server PSE

B. Establish the necessary trust relationships

C. Create individual PSEs

D. Specify the PSE for each application server to use individual PSEs

3. Who must certify the public key of the SAP NetWeaver AS for Java key pair to use a key
pair for SSL?
Choose the correct answer.

A. SAP user

B. SUPER user

C. Certification Authority (CA)

D. The SSL client

4. The SAP Web Dispatcher supports the use of SSL using which of the following?
Choose the correct answer.

A. SAP Cryptographic Library

B. OpenSSL

C. Kerberos

D. Windows NT LM Service

UNIT 7 Business Case

Lesson 1
Exploring Business Cases 223

UNIT OBJECTIVES

Explore business cases

Unit 7
Lesson 1
Exploring Business Cases

LESSON OBJECTIVES
After completing this lesson, you will be able to:

Explore business cases

Business Case Introduction


Scenario
You need to install and secure a new system.
For simplicity, the instructions to install an SAP NetWeaver system are provided. Depending on the server that was assigned, you will be installing a front-end server or an S/4 system (for which you will first need to install an SAP HANA database). The instructions for solving the business case are not provided. You will need to refer to the course handbook and to the documentation sites (such as help.sap.com) to find the best approach to solve the business case.
On the fourth day, before leaving the class, leave your server installation running on the Load
Database step.

Note:
Due to formatting malfunctions in the editing software, some Linux commands might be misspelled with upper case characters instead of lower case characters. Please request the latest errata available from your instructor.

On the fifth day of the course, you will implement your security policies. From the teachings of
previous days, you can pick the items you find most relevant. Alternatively, you can refer to
the following sample policy:

Table 18: Demo Security Policy

Password Policies
- Implement a password dictionary that rules out some well-known passwords.
- Implement global, system-wide restrictions for basic authentication (user and password).
- Implement two policies for two different types of user universes:
  - Limited access users
  - Sensitive information users
- No users with standard passwords should be allowed in the system.

Trust
- Together with partner group 1 (as assigned by your instructor), ensure that RFC communication is available between all clients 000.
- Together with partner group 2, ensure that the message server and gateway restrict connections to group 2, but not group 1 servers. Example: D systems accept connections from Q systems, but not P systems.
- SAP Solution Manager needs to trust and be trusted by all systems, and should be allowed in all relevant access control lists.

Application Security
- Set up data collection for RFC function modules, so that later someone can choose which ones should be accessible.

Encryption
- HTTPS access should be available, but not mandatory.
- RFC SNC communications should be available, but not mandatory.

Authentication with Certificates
- Certificate-based authentication can be established, but is not mandatory.

Internal Network Connections
- All connections (SAP GUI based) should be made through a password-protected router.
- All connections (HTTP) can be made with or without a Web Dispatcher, but the Web Dispatcher administration tools can only be accessed from the localhost.

The purpose of the business case is to provide a real-life experience, where you start with a default installation and, from there, implement the security requirements. The business case should be solved in one morning — students will have no more than 180 minutes to configure the system. Any questions or doubts should only be addressed once this time is exhausted (remember you are simulating a real-life scenario). After lunch, the instructor will discuss what went right or wrong for each group, and how the goals could be achieved.
Over the next pages, you will find the instructions to install the NetWeaver systems required for the business case.
On all FSx and S4x systems, remember to shut down all existing servers, with the exception of your own Web Dispatcher. On FSx systems, you will install a new front-end server. On S4x systems, you will install an S/4 environment.

How to Install an SAP Front-End System


Install the SAP front-end server (sometimes shortened to FES) system FSX, as described
in the training material, using the input values and selections given below.

Install an SAP front-end server system, based on AS ABAP 7.51, and the SAP MaxDB
database on Windows server 2012 R2 operating system.

Note:
Ensure that you are using the install user account to execute this installation.

In general, you will follow the installation procedure described in this training handbook. Refer
to the figures from “Installing SAP Front End Server 1: Prepare for Virtual Host names when
using cnames (Windows)” to “Installing SAP Front End Server 44: System — Status after
installation”.
This means you can use this training material for reference.

Note:
This exercise assumes that you have not already executed the optional exercise for the prerequisites check. If you have, some activities might already be done.

1. On your ADM WTS, start the SAP Management Console.

2. Check that the system displayed in the SAP Management Console as FSD is stopped.
To stop the system, provide the credentials of the fsdadm user and the password given by your instructor.

3. There are different methods available for logging on to the training host. The following
description assumes that you are using a Remote Desktop Connection .

4. Log on to the fsdhost server, using the install user and the password given by your
instructor.

5. Use a command prompt to start the registry editor (REGEDIT). Adapt the BackConnectionHostNames registry key, which can be found at the following location: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.
Check that it is set to the following values: fsdhost.wdf.sap.corp and fsdhost. This step is described in the figure “Installing SAP Front End Server 1: Prepare for Virtual Host names when using cnames (Windows)”.

In our training environment, this registry key is initially valid.

Note:
The registry key needs to exist with the correct name (see above) before starting SAPinst using virtual host names. However, the registry key must not exist during the dialog-free phase of the installation. Therefore, this registry key will be created and later switched from its valid name to an invalid name and back. This is only required in our special Windows operating system environment, as explained in the lesson.

6. Create a new directory, named D:\Media .

7. Copy the content of the directory S:\Installation\FSx to the newly created directory
D:\Media . This copy activity will take about 10 minutes.

8. Execute the following steps before starting to work with SWPM/SAPinst. You can execute
those steps, while the copy activity is being executed.

- The systems FSD and WFD should be stopped already (see above, using SAP MC on the WTS).
- On fsdhost, stop and disable the services SAPFSD_00, SAPFSD_01, SAPFSD_04, SAPWFD_09.
- On the WTS, use the Database Studio to stop the SAP MaxDB FSD: set the new master password to “install”, and connect to the database FSD using the user CONTROL and the password provided by your instructor.
- On fsdhost, increase the page file size on C:\ from 256 MB to 1024 MB.
- On fsdhost, delete the content of the following directories: D:\usr\sap\trans\EPS\in, D:\usr\sap\trans\data, D:\usr\sap\trans\transport.

9. Create a new directory, named D:\SWPM10.

10. Copy the following files from D:\Media\01_SWPM_SUM to D:\SWPM11:

SWPM10SP20_020009707.SAR
MP_Stack_2000160619_20170221_.xml
SAPCAR_81680000938.EXE

(The files might have newer names).

11. Create a new directory, named D:\Install_Log_and_Work_PAS .

12. Open a Command Prompt at D:\SWPM.

13. At the D:\SWPM prompt, start: SAPCAR_81680000938.EXE xf SWPM10SP20_020009707.SAR

14. In the open Command Prompt, execute set TEMP=D:\Install_Log_and_Work_PAS

15. In the same Command Prompt, at the D:\SWPM prompt, execute:
sapinst SAPINST_CWD=D:\Install_Log_and_Work_PAS SAPINST_USE_HOSTNAME=fsdhost SAPINST_STACK_XML=D:\SWPM\MP_Stack_2000160619_20170221_.xml

Note:
Please see step 11 for the recommended name of the Log and Work directory. Such an explicitly named directory can only be used for one single installation run.

16. On the WTS server, open a browser window using the URL shown in the browser that
opened on fsdhost.

17. Usually, you won’t have configured SSL for SAPinst, therefore proceed by selecting the
message: Continue to this website (not recommended) .

18. Authenticate yourself with the install user and the corresponding password.

19. In the Software Provisioning Manager, expand Software Provisioning Manager 1.0 SP
20 System FSX (AS ABAP 7.51 FOR S/4HANA 1610) SAP S/4HANA 1610 AS
ABAP for SAP S/4HANA 1610 Frontend MaxDB Installation Application Server
ABAP Standard System Standard System and choose Next.

20. You can now also proceed by using a browser in your training WTS, instead of using a browser on fsdhost. Make sure you enter the fully qualified address (fsdhost.wdf.sap.corp:4237).

21. Continue the installation process screen-by-screen, entering the data as shown in the
table.

Screen Name | Field Name | Value
Parameter Settings | Parameter Mode | Custom
General SAP System Parameters | SAP System ID (SAPSID)* | FSX
DNS Domain Name | Set FQDN for SAP System | Check
DNS Domain Name | DNS Domain Name for SAP System | wdf.sap.corp
Master Password | Password for All Users | FSXadm60
Windows Domain | Domain Model | Local Domain
Operating System Users | Password for SAP System Service User | FSXadm60
Operating System Users | Password for SAP System Service User | Do not change the Default, will be the Master Password
SAP System Database | Database ID (DBSID) | FSX
Software Package Browser | Media Location | D:\Media\02_Kernel
Software Package Browser | Media Location | D:\Media\03_51048408_14\MaxDB_7.9_RDBMS___SP8_Build_21_
MaxDB Client Software Destination | Installation and Private Data Drive | D:
Software Package Browser | Media Location | D:\Media\04_Export
MaxDB Client Software Destination | Installation and Private Data Drive | D:
MaxDB Database Users | Password of superdba | FSXadm60
MaxDB Database Users | Password of control | FSXadm60
MaxDB Database | Mirror Log Volumes | Do not check this in training
MaxDB Database | CPUs Used Concurrently | 1
MaxDB Database | I/O Buffer Cache | 2048
MaxDB Database | Number of Sessions | 200
MaxDB Log Volumes | Location | Use D:\sapdb\FSX\saplog
MaxDB Log Volumes | Size [MB] | Set to 6000
MaxDB Data Volumes | Location | Use D:\sapdb\FSX\sapdata
MaxDB Data Volumes | Size [MB] | Set to 6000, there are 7 Data Volumes.

Those settings for the Data Volumes will prove too small during the patch procedure. We
will adapt them later, during the update.

Note:
There might be less space available on D:\ than required.
Delete the Data Volumes of system FSD stored at this location: D:\sapdb\FSD\sapdata
SAP system FSD will be destroyed by this action. Please be aware that no further activities can take place in SAP system FSD for the rest of the course.

SAPinst might show an error message, and you might be asked to cancel the current activity. SAPinst will then return to setting the size of the SAP MaxDB Data Volumes. After deleting the files named above, you can proceed without further error messages.

Screen Name | Field Name | Value
MaxDB ABAP Schema | Password of ABAP schema | Do not change the Default, will be the Master Password
Declustering/Depooling Option | ABAP Table Declustering and Depooling | You cannot change the Default (“Enable...”)
SAP System Database Import | Number of Parallel Jobs | 6
Primary Application Server Instance and ABAP Central Services Instance | PAS Instance Number | 60
Primary Application Server Instance and ABAP Central Services Instance | PAS Instance Host | fsdhost
Primary Application Server Instance and ABAP Central Services Instance | ASCS Instance Number | 64
Primary Application Server Instance and ABAP Central Services Instance | ASCS Instance Host Name | fsdhost
ABAP Message Server Ports and Transport Host | ABAP Message Server Port | Do not change the Default
ABAP Message Server Ports and Transport Host | Internal ABAP Message Server Port | Do not change the Default
ABAP Message Server Ports and Transport Host | Host with Transport Directory | fsdhost
ICM User Management | Password for “webadm” | Do not change the Default, will be the Master Password
SLD Destination for the SAP System OS Level | Register in System Landscape Directory | No SLD destination
Message Server Access Control List | Message Server Access Control List | Do not create Message Server Access Control List
Additional Components to be included in the ASCS Instance | Install an SAP Web Dispatcher integrated in the ASCS Instance | Select this option
Additional Components to be included in the ASCS Instance | Install an SAP Gateway integrated in the ASCS instance | Do not select this option
SAP Web Dispatcher Parameters |  | Do not change the Default settings

Note:
Please note that the following selection is different from the screenshots in the
training material.

Screen Name | Field Name | Value
Configuring Transport Management for Single System | TMS Configuration (for Single System) | Select No ABAP TMS Configuration during Installation

Note:
Please note that the previous selection is different from the screenshots in the
training material.

Screen Name | Field Name | Value
Secure Storage Key Generation | Secure Storage Individual Key Information (save the information shown in the message box) | Individual Key (recommended for Productive Systems)
Parameter Summary | Select Parameters/Settings that you would like to change. Choose Revise, if required. |

Before starting the dialog-free part of the installation, change the name of the registry key from BackConnectionHostNames to .BackConnectionHostNames. This invalidates the registry key for the dialog-free part of the installation.
After the installation has finished successfully, change the name of the registry key back to BackConnectionHostNames.
You have successfully installed an AS ABAP-based SAP system.

How to Install an SAP HANA Database System


Install the SAP HANA database system HAX, as described in this training material, using the
input values and selections given below.

Note:
Ensure that you are using the install user account to execute this installation.

1. As a prerequisite, please stop the S4D SAP system on s4dhost, and the HAD SAP HANA
database on hadhost, as described in the following steps.

2. On the training WTS, use the SAP Management Console to stop the S4D SAP system,
using the s4dadm user and the password provided by your instructor.

3. After the SAP system has been stopped, stop the HAD database, using the hadadm user
and the password provided by your instructor.

4. There are different methods available for logging on to the training host. The following
description assumes that you are using MobaXterm to open a connection of type SSH to
the host.

5. Log on to the server hadhost, using the install user and the password given by your
instructor.

6. Open a command shell and execute the command df -h. The directory /hana/shared should offer more than 200 GB of free space.

7. In the command shell, execute the following command as one line:

unrar x /KPSTRANSFER/INSTALLATION/HAX/51052030_SAP_HANA_Platform_Edition_2.0_SP01_rev10_Linux/51052030_PART1.EXE /hana/shared

The command contains no hyphen or minus sign; ignore any hyphen introduced by a line break. The command name and the target directory are shown in lower case, and the media directory name is spelled as in step 8. The remaining path components are reproduced as printed; check their actual spelling on the host, since Linux paths are case-sensitive.

8. After the extraction has finished (this will take some minutes), navigate to
/hana/shared/51052030_SAP_HANA_Platform_Edition_2.0_SP01_rev10_Linux/51052030/DATA_UNITS/HDB_SERVER_LINUX_X86_64.

9. In the command shell, execute: ./hdblcmgui

10. Enter, in this sequence, the following input:

a. Select SAP HANA Database to be installed.

b. Select Install New System.

c. Select Install SAP HANA Database Client version ...

d. Select Single-Host System.

e. Enter the Local Host Name as hadhost.wdf.sap.corp.

f. Enter the Installation Path as /hana/shared.

g. Enter the SAP HANA System ID as HAX.

h. Set the Instance Number to 60.

i. Set the System Usage as Test.

j. Do not restrict the maximum memory allocation.

k. Do not change the Memory in MB.

l. Do not select the Restart system after machine reboot? option.

m. Enter the Location of Data Volumes as /hana/shared/data/HAX.



Unit 7: Business Case

Note:
The default for this parameter would be /hana/data/HAX, but we use
/hana/shared/data/HAX instead. You can change these location settings, and in
our file system environment (free disk space consideration) this change is also
required.

n. Enter the Location of Log Volumes as /hana/shared/log/HAX

Note:
The default for this parameter would be /hana/log/HAX, but we use
/hana/shared/log/HAX instead.

o. Confirm the Certificates Hosts Properties as displayed.

p. Enter the password for the System Administrator (twice) as S4Xadm60.

Note:
Setting the master password for the users of the SAP HANA database system HAX
(which will serve as the database for the SAP S/4HANA server with SID S4X) to
S4Xadm60 avoids later confusion.

q. Keep the default values shown for the other fields:

1000

10100

/bin/sh

/usr/sap/HAX/home

r. Enter the password for the Database User SYSTEM (twice) as S4Xadm60.

s. On the Summary screen, check the installation parameters.

t. Observe the installation progress and view the resulting logs.

u. Conclude the installation.


You have installed an SAP HANA database system named HAX, with instance number
60, ready to be used by the subsequent installation of SAP S/4HANA.

How to Install an SAP S/4HANA Server System


Install an SAP S/4HANA 1610 system on the platform combination Linux/SAP HANA.

Install the SAP S/4HANA system S4X as described in the training material, using the input
values and selections given below.

Note:
Ensure that you are using the user account install and the password provided by
your instructor to execute this installation.


1. On your ADM WTS, start the SAP Management Console.

2. Check in the SAP Management Console that the system S4D has been stopped. If it is
running, stop it.
You can provide the credentials of the install user to stop the system. For details on its
password, see above.
The s4dadm user has the password provided by your instructor.

3. There are different methods available for logging on to the training host. The following
description assumes that you are using a Remote Desktop Connection started via the tool
MobaXterm on the WTS.

4. Log on to the server s4dhost, using the install user and the password provided by your
instructor.

5. Open a command shell and execute the command df -h. The directory /usr/sap should
offer about 90 GB of free space.

6. Open a file browser.

7. Create a new directory named /Media in directory /usr/sap .

8. Copy the directory /kpstransfer/Installation/S4X to the location /usr/sap/Media, using
the command:

cp -v -R /kpstransfer/Installation/S4X/* /usr/sap/Media

Note:
This copy activity will run for about 20 minutes.

9. Create a new directory named /Install_Log_and_Work_PAS in directory /usr/sap .

10. After the copy activity has finished, open a command shell in /usr/sap/Media/04_Export.

11. Execute: unrar x 51050947_EXP1_PART1.EXE


You don’t need to wait for the end of extraction. This will take a few minutes.

12. Create a new directory named /SWPM in directory /usr/sap.

13. Copy the SWPM archive SWPM10SP20_0-20009701.SAR and the SAPCAR executable that is also
provided there (for example SAPCAR_816-80000935.EXE) from /usr/sap/Media/01_SWPM_SUM to
the directory /usr/sap/SWPM.

14. Open a command line terminal and navigate to /usr/sap/SWPM.

15. Uncompress the SWPM archive by using the command:

./SAPCAR_816-80000935.EXE -xf SWPM10SP20_0-20009701.SAR

16. In the same shell, execute the command:

export TMP=/usr/sap/Install_Log_and_Work_PAS

17. Start SAPinst: ./sapinst SAPINST_USE_HOSTNAME=s4dhost


Note:
During and after the installation, examine the content of the directory
/usr/sap/Install_Log_and_Work_PAS.

18. Use a browser (for example, Google Chrome) on the WTS to open the URL that SAPinst
displays in the shell on s4dhost, for example https://wdflbmt0102:4237/docs/index.html

19. Ignore or confirm the browser warnings about HTTPS, as we did not configure the required
SSL communication.

20. In the logon window, authenticate with the install user and the corresponding password.

21. Start the installation of the S4X system.

22. In the Software Provisioning Manager, expand Software Provisioning Manager 1.0 SP 20 →
SAP S/4HANA 1610 → SAP S/4HANA Server → SAP HANA Database → Installation →
Application Server ABAP → Standard System → Standard System, and choose Next.

Note:
You can also execute a Prerequisites Check.
When asked, provide the path to the Kernel files (below /Media) and select the
Check options for the Central Services Instance, the Primary Application
Server Instance and the Additional Application Server Instance.
The check result should be OK.

23. On the next screen, Parameter Settings, select the Parameter Mode Custom, and choose
Next.

24. Continue the installation process screen-by-screen, entering the data as shown in the
table.

Screen Name | Field Name | Value
General SAP System Parameters | SAP System ID (SAPSID)* | S4X
General SAP System Parameters | SAP Mount Directory | /sapmnt (Default)
DNS Domain Name | Set FQDN for SAP system | check
DNS Domain Name | DNS Domain Name for SAP System | Adjust to wdf.sap.corp. The default value for this field is not to be used.
Master Password | Password for All Users | S4Xadm60
Operating System Users | Password of SAP System Administrator | S4Xadm60
Operating System Users | User ID | Leave as Default (empty)
Operating System Users | Group ID of sapsys | Leave as Default
Operating System Users | Login Shell | Leave as Default
Operating System Users | Home Directory | Leave as Default (empty)
Confirm the Message Box | |
Database for SAP System | Database ID (DBSID) | HAX
Database for SAP System | Database Host | hadhost
Database for SAP System | Instance Number of the SAP HANA Database | 60
Database for SAP System | Password of the SAP HANA Database Administrator | S4Xadm60
SAP HANA Multitenant Database Containers | Database Host | hadhost
SAP HANA Multitenant Database Containers | Instance Number of the SAP HANA Database | 60
SAP HANA Multitenant Database Containers | Password of the SAP HANA Database Superuser | S4Xadm60
Software Package Browser | Package Path | /usr/sap/Media/02_Kernel
Configuration of SAP liveCache with SAP HANA | Install SAP liveCache for SAP System | Deselect the option, different from default. Do not choose to install SAP liveCache.
SAP HANA Client Software Installation Path | Client Software Path | Use Local Client Directory
Media Browser | RDBMS HANA Client | /usr/sap/Media/03_Hana_Client/51052030
Media Browser | Installation Export 1 S/4HANA 1610 | /usr/sap/Media/04_Export. The following verification of the medium will take a few minutes.
SAP HANA Multitenant Database Containers | Database Host | hadhost
SAP HANA Multitenant Database Containers | Instance Number of the SAP HANA Database | 60
SAP HANA Multitenant Database Containers | Password of the SAP HANA Database Superuser | S4Xadm60, do not change the Default
Database Schema (DBACOCKPIT) | Schema Password | Do not change the Default
Database Schema (SAPABAP1) | Drop Existing Schema Password | Do not change the Default in any case
SAP HANA Import Parameters | SAP HANA Import | Do not change the Default values. The following activity will take some few minutes. In case this activity takes more than 2–3 minutes, check the state of SAPinst using the Refresh button of your browser.
Declustering/Depooling Option | ABAP Table Declustering and Depooling | Do not change the Default ("Enable declustering...")
SAP HANA Table Placement Parameters | Table Placement | Do not change the Default ("Do not use...")
SAP System Database Import | Number of Parallel Jobs | 12
Primary Application Server Instance and ABAP Central Services Instances | PAS Instance Number | 60
Primary Application Server Instance and ABAP Central Services Instances | PAS Instance Host | s4dhost
Primary Application Server Instance and ABAP Central Services Instances | ASCS Instance Number | 64
Primary Application Server Instance and ABAP Central Services Instances | ASCS Instance Host Name | s4dhost
ABAP Message Server Ports | ABAP Message Server Port | Do not change the Default
ABAP Message Server Ports | Internal ABAP Message Server Port | Do not change the Default
ICM User Management for the SAP Web Dispatcher | Password for webadm | Do not change the Default, will be the Master Password
SLD Destination for the SAP System OS Level | Register in System Landscape Directory | No SLD destination
Message Server Access Control List | Message Server Access Control List | Do not create Message Server Access Control List
Additional Components to be Included in the ASCS Instance | Enable Additional components | Change the Default: Install an SAP Web Dispatcher integrated in the ASCS instance. Do not install an SAP Gateway integrated in the ASCS instance.
SAP Web Dispatcher Parameters | SAP Web Dispatcher Configuration settings | Do not change the Default
Secure Storage Key Generation | Secure Storage Individual Key Information | Individual Key (recommended for Productive Systems). Save the information shown in the message
Cleanup of Operating System Users | Yes, remove operating system users from the group sapinst | Do not select (in this training)
Parameter Summary | Select Parameters/Settings that you would like to change. Choose Revise, if required. |

Note:
On the Master Password screen, enter the password for all users (as shown in
the table), and choose Next .
All class participants use the same password to make support by the
instructor easier. In your company, you will use passwords of your own
choosing.

You have successfully installed SAP S/4HANA.
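The command-line parts of the two exercises above (the free-space check on /hana/shared before the SAP HANA medium is extracted, and steps 5 to 17 of the SAP S/4HANA preparation on s4dhost) as one POSIX shell script. This is an added example, not part of the course material and not an SAP tool: it verifies the free-space requirements stated in the exercise before any copy or extraction starts, and it sets TMP so that the SAPinst logs land in the directory the note above asks you to examine. Hosts, SIDs, file names and thresholds are the ones given in the exercise; the subcommand names (hana-preflight, s4x-stage), the decision to wait for the export extraction before SAPinst starts, and the use of GNU df with -P -BG are assumptions of this example.

```shell
#!/bin/sh
# Added example for the installation exercises above (not part of the SAP course).
# Preflight free-space checks plus the scripted preparation steps for s4dhost.
# Exercise values (paths, file names, thresholds) come from the text; the
# subcommand names and the GNU df options are assumptions of this example.
set -u

# Free-space requirements stated in the exercise.
HANA_SHARED_MIN_GB=200      # /hana/shared before extracting the SAP HANA medium
USR_SAP_MIN_GB=90           # /usr/sap before staging the SAP S/4HANA media

# Print the free gigabytes from the text output of `df -P -BG <dir>`.
# The df text is an argument so the parser can be exercised on a constructed sample.
avail_gb_from_df() {
    # -P keeps every entry on one line; field 4 is "Available", e.g. "250G".
    printf '%s\n' "$1" | awk 'NR > 1 { v = $4 } END { sub(/G$/, "", v); print v }'
}

# Return 0 if the df text shows at least $2 GB available, 1 otherwise.
df_text_has_space() {
    avail=$(avail_gb_from_df "$1")
    [ "$avail" -ge "$2" ]
}

# Live check for a directory: aborts the script when the requirement is not met.
require_free_space() {   # $1 = directory, $2 = minimum GB
    df_out=$(df -P -BG "$1") || { echo "cannot stat $1" >&2; exit 1; }
    if df_text_has_space "$df_out" "$2"; then
        echo "OK: $1 has $(avail_gb_from_df "$df_out") GB free (need $2 GB)"
    else
        echo "ABORT: $1 has only $(avail_gb_from_df "$df_out") GB free (need $2 GB)" >&2
        exit 1
    fi
}

# Steps 5 to 17 of the SAP S/4HANA preparation on s4dhost, run as the install user.
stage_s4x_media() {
    require_free_space /usr/sap "$USR_SAP_MIN_GB"
    mkdir -p /usr/sap/Media /usr/sap/Install_Log_and_Work_PAS /usr/sap/SWPM
    cp -v -R /kpstransfer/Installation/S4X/* /usr/sap/Media          # about 20 minutes
    # Export extraction runs in the background while SWPM is unpacked.
    ( cd /usr/sap/Media/04_Export && unrar x 51050947_EXP1_PART1.EXE ) &
    cp /usr/sap/Media/01_SWPM_SUM/SAPCAR_816-80000935.EXE \
       /usr/sap/Media/01_SWPM_SUM/SWPM10SP20_0-20009701.SAR /usr/sap/SWPM
    cd /usr/sap/SWPM
    ./SAPCAR_816-80000935.EXE -xf SWPM10SP20_0-20009701.SAR
    wait                                  # export medium complete before SAPinst verifies it
    # SAPinst writes its logs and working files below TMP; keep them for later review.
    export TMP=/usr/sap/Install_Log_and_Work_PAS
    ./sapinst SAPINST_USE_HOSTNAME=s4dhost
}

case "${1:-}" in
    hana-preflight) require_free_space /hana/shared "$HANA_SHARED_MIN_GB" ;;
    s4x-stage)      stage_s4x_media ;;
    "")             echo "usage: $0 hana-preflight | s4x-stage" ;;
esac
```

Run `sh stage.sh hana-preflight` on hadhost before step 7 of the SAP HANA exercise and `sh stage.sh s4x-stage` on s4dhost in place of steps 5 to 17. Passwords are deliberately absent from the script: they are entered in the SAPinst browser dialog, and the single training password S4Xadm60 used for SYSTEM, the database superuser and the operating system administrators is a classroom convenience that the note above already says you would replace with passwords of your own choosing in your company.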

LESSON SUMMARY
You should now be able to:

Explore business cases
