ADM960 Flashcards

Academic year: 2021

7 goals of Security?

• Authentication: process of identifying the “real” identity
• Authorization: what the identified user can do
• Confidentiality: the communications are kept private
• Integrity: none of the information has been tampered with
• Repudiation: denying that you have done something
• Non-repudiation: cannot deny having done something
• Availability: users get to their resources when they need to

What is behind the threat “Planting”?

A hacker may gain access to a system and plant a program to enable them to access that computer later.

What are the 11 threats listed in the course?

Penetration, Authorization violation, Planting, Eavesdropping, Tampering, Denial of service, Repudiation, Flooding, Masquerading, Spoofing, Buffer overflow

What is behind the threat “Tampering”?

A hacker can grab a connection and communicate with both the client and the server. Once the hacker has grabbed the connection he could change the data.

Which kind of attack makes the server unavailable?

Denial of service. There are several ways to do this, such as snapping the network cable, physically destroying the server, or unplugging it from the network.

What is it called when programs can be written that modify the source IP address of a TCP/IP packet, to fool the network into thinking that the packet is coming from within the network?

Spoofing

When an application receives data that it is not expecting or prepared for, unpredictable results can occur. This can lead to a vulnerability within the server. What is this threat called?

Buffer Overflow

3 categories of safeguards?

• Technical safeguards (for example firewall, encryption, PKI, certificates, access control)
• Organizational safeguards (for example rules or guidelines)
• Environmental safeguards (for example fire detection)

3 types of security policy?

• General security policy
• IT security policy
• Configuration documentation

Which protocol is used between the SAP GUI and the

Which protocol is used between SAP servers?

RFC, Remote Function Call

Which SAP product transforms the traditional SAP applications to Web-based transactions, so that they are accessible using Internet technology?

The ITS, Internet Transaction Server

What is the interface of web-based information for the end user?

The SAP Web-GUI

What are the 2 main components of the ITS?

• Web gate (WGate, resides on the Web server)
• Application gate (AGate)

ITS configuration: What is the difference between a single host configuration and a dual host configuration?

Single host: AGate and WGate on the same host (Web server)

What are the 7 layers of the OSI model?

5 Session Layer: communication channels
4 Transport Layer: end-to-end integrity (TCP, SPX)
3 Network Layer: routes data (IP)
2 Data Link Layer: physical passing of data (Ethernet)
1 Physical Layer: putting data onto the network

Information sent across a network is not intended just for a computer. It is intended for a program on a computer. How are the programs distinguished?

These programs are distinguished by their port

Which command displays all connections and listening ports on your computer?

netstat -a

What are the default SAP ports?

• Internet Communication Manager (ICM): port 8080
• Dispatcher: port 32<nn> (front end)
• Message server: port 36<nn> (other SAP systems)
• Gateway: port 33<nn> (external systems)
• Print service: port 515

What are the ports used by the ITS?

• Between the client and the Web server: 80 (HTTP), 443 (HTTPS)
• Between WGate and AGate: 3900 or 3909
• AGate to Dispatcher: 32<nn> (front end)

What is a system (or a combination of systems) called that protects a networked system from unauthorized or unwelcome access?

A firewall

What are the two most common types of firewalls?

• Packet filters (Network and Data Link layers)
• Application proxies (Application and Transport layers) -> SAProuter as DIAG/RFC proxy

Which SAP product is used as a DIAG/RFC proxy?

SAProuter

4 functionalities of the SAProuter?

• Control and log the connections to your SAP system
• Allow access from only the SAProuters you have selected
• Protect your connection and data from unauthorized access
• Only allow encrypted connections from a known partner

SAP Router: Which file contains the list of connections

What is the structure of a SAProuter file entry?

{password}

D: Deny the connection
P: Permit the connection
S: Permit only SAP protocol connections

Which product is used as a “software Web switch” between the Internet and your SAP systems (several Web AS) and can be used as a URL filter?

The SAP Web Dispatcher

What is a DMZ?

DMZ stands for DeMilitarized Zone. A DMZ can be described as a network added between a protected network and an external network in order to provide an additional layer of security.

Which kind of system can notify the administrator of attempts to attack the network or system?

IDS, Intrusion Detection System

What are the 2 types of IDS?

o Network based IDS
o Misuse detection (Virus)
o Anomaly detection
o Host based IDS

Which kind of server translates the logical name into the physical name, the domain name into the IP address?

DNS

What is the safeguard against Eavesdropping?

Encryption

What are the 3 types of encryption?

• Symmetric encryption (single secret key)
• Asymmetric encryption (public key, private key)
• Combining symmetric and asymmetric encryption (hybrid: public key, private key, secret key)

What are the 2 obstacles of symmetric encryption?

• Transferring the secret key safely.
• Distributing the secret key to a large number of communication partners.

What are the 2 disadvantages of public key encryption?

• It is slower than symmetric key encryption.
• Encryption is only possible in one direction with a single key pair. Alice can encrypt a message to send to Bob, but not vice versa.

What is the safeguard against Masquerading?

Authentication (user ID/password or cryptography)

What is used to authenticate individuals using cryptography?

To authenticate individuals using cryptography, the person receives a digital certificate. It can be compared to a passport in the “real world”: a “digital identity card”.

What is the complete infrastructure that manages the issuing and verification of certificates called?

A Public-Key Infrastructure (PKI).

What is the use of the Distinguished Name?

• Specifies the owner's identity
• Found in the owner's certificate as the subject

What are the different parts of a distinguished name?

CN=Common Name, OU=Organizational Unit, O=Organization,

What are the 3 functions of the Certification Authority?

• Issues the certificate
• The issued certificate is digitally signed by the CA (official stamp)
• Its role is to ensure that the public key (which matches the private key) belongs to a specific person or server.

How is the CA technically trusted?

The CA also possesses a digital certificate, called a CA root certificate.

Alice needs the CA’s root certificate to verify the digital signature on the Web server’s certificate.

The most common CA root certificates are preinstalled in the most widely used Web browsers.

SAP also has a CA that issues digital certificates to customers. What is the digital certificate issued by the SAP Trust Center Services called?

The SAP Passport

Which safeguard answers the threat of Tampering (denial, message alteration)?

Digital signature

Which 3 security goals does the digital signature answer?

• Integrity: the document has not been modified.
• Authentication: Alice is who she claims to be.
• Non-repudiation: Alice cannot deny having signed the document.

Which key is used to create the digital signature?

The private key of the user

3 characteristics of hash algorithms?

• They reduce the size of a document, typically to a fixed length (for example, 128 bits).
• They are one-way: you cannot determine the original document based on the digest.
• They are unique: it is highly unlikely that a second data source will produce the same hash.

What does the Personal Security Environment (PSE) contain?

It is a storage location for the server security information. It contains:

• Private key
• Server’s public-key certificate
• Certificates of trusted CAs (certificate list)

In which 4 cases does Secure Store and Forward (SSF) provide security for SAP data and documents?

• Data leaves the SAP system
• Data is stored on insecure media
• Data is transmitted over insecure networks
• Data security is associated with persons and individuals

What is the SAP default library to use SSF?

SAP Security Library (SAPSECULIB): default security library provided by SAP to use for SSF

What is the SAP default library to use SNC and SSL?

SAP Cryptographic Library (SAPCRYPTOLIB): default security library provided by SAP for SNC and SSL

What are the 5 master user types?

• Dialog
• System: used to run background jobs.
• Communication: used for communication without dialog between different systems (RFC/CPIC)
• Service: allows multiple logons, no password check.
• Reference: used only to assign additional authorizations to Dialog users

What are the 3 authorization objects required to create and maintain user master records?

• S_USER_GRP: user master maintenance: assign user groups

• S_USER_PRO: user master maintenance: assign authorization profile

• S_USER_AUT: user master maintenance: create and maintain authorizations

Which User Information System report monitors the passwords of all predefined users?

RSUSR003

Which user group should be assigned to the users SAP*, DDIC, EARLYWATCH?

User group SUPER

What are the 2 ways in which you can define the choice of user passwords?

• You can use the system profile parameters (login/*)
• Invalid passwords can be entered in the table of reserved passwords USR40
  • ? denotes a single character
  • * denotes a character string

Which two profile parameters control the deactivation of password-based logon?

login/disable_password_logon and login/password_logon_usergroup

Which profile parameter refuses incoming connections of

Which profile parameter sets the time for automatic SAP GUI logout?

rdisp/gui_auto_logout

What are the 4 types of RFC connections?

• Synchronous RFC (the client waits until the server has completed its processing); between SAP systems and from the Web AS
• Asynchronous RFC (parallel processing)
• Transactional RFC (secure communication between systems)
• Queued RFC (defined processing sequences)

Which transaction code allows you to monitor the SAP Gateway?

Transaction SMGW, available from Release 3.0C

Where should an RFC destination system be specified for outgoing connections (side info), and with which transaction can it be maintained?

Table RFCDES, maintained with transaction SM59

Four advantages of a trusted relationship between SAP systems?

• Single sign-on is possible beyond system boundaries
• No passwords are transmitted in the network
• Timeout mechanism protects against replay attacks

The trust relationship is not mutual (t/f)?

True. The trust relationship is not mutual, which means it applies to one direction only.

Which file can be used in order to secure the RFC connection?

• You can use the SAP gateway’s secinfo file to control the start-up and registration of external RFC and CPI-C programs.

Which profile parameter defines the location of the secinfo file?

gw/sec_info

Which program starts the external command after it has passed the gateway?

sapxpg

Which authorization object is needed to maintain

Which authorization object is needed to execute external commands?

S_LOG_COM

What should you specify in order to allow the execution of external commands?

You must specify an entry for the program sapxpg in the file secinfo

7 measures to protect an RFC connection?

• Connect systems with the same security level
• Allow only the required function modules to be called via RFC
• Use authorization object S_RFC
• Use users of type Communication
• Specify full logon data for connections to other SAP systems only if necessary
• Specify the secinfo file appropriately
• Protect files and tables containing side info

What are the 3 SAP standard clients contained in a DEV system?

• Development and customizing client (CUST)
• Sandbox client (SAND)
• Test client (TEST)

What is the default change option of the 2 QA default

What are the two levels of SAP change options that define whether customizing and development are available?

• The system change option
• The client change option

Which transaction displays the history of the system change options?

SE03

The client change option does not override the system change option (t/f)?

True. Rather, the client change option is used to fine-tune the clients’ role within the SAP environment.

How do you set the client change option?

Use transaction code SCC4, which works on table T000

How do you protect your production client against overwriting by a client copy?

Set the protection level in transaction SCC4 at least to level 1 (no overwriting).

How do you protect your production client against a cross-client comparison?

You should choose level 2 (no overwriting, no external availability). In this case the client is not available in the customizing cross-system viewer of another system.

What are the 2 fields of the authorization object S_TABU_DIS?

DICBERCLS, ACTVT

What is the field of the authorization object S_TABU_CLI?

CLIIDMAINT

What are the 5 fields of the authorization object S_DEVELOP?

• DEVCLASS
• OBJTYPE (PROG)
• OBJNAME
• P_GROUP
• ACTV

What are the 2 steps needed to configure the QA approval procedure?

1. Define QA system (prerequisite: between 2 systems)

What is the transaction to display an overview of the modifications and enhancements found in the system, which you can search by last transport request or by request/task?

SE95 (Modification Browser)

What is the transaction to maintain and activate the security audit log?

SM19

What happens to the profile parameter rsau/local/file if the profile parameter rsau/max_diskspace/per_file is used?

If parameter rsau/max_diskspace/per_file is used, parameter rsau/local/file is no longer valid and will no longer be analyzed. Parameters DIR_AUDIT and FN_AUDIT are used instead.

What is the profile parameter to define the maximum number of filters that can be used?

rsau/selection_slots

6 types of information that can be recorded with the security audit log?

o Dialog log-on attempts
o RFC log-on attempts
o Transaction starts
o RFC calls to function modules
o Changes to user master records
o Changes to the audit configuration

4 types of security audit log filters?

o User
o Audit classes
o Client
o Security level (only critical; severe and critical; all)

Which transaction allows you to view the assignments of the events to audit classes and security levels with the system log message maintenance?

SE92 (Display system log messages)

How do you display the results of the security audit log (transaction)?

SE20

The reports of the User Information System start with?

RSUSR + #

ITS: What are the 4 main functions of the AGate?

• Communication to and from the SAP system
• Communicates using the SAP protocols RFC and DIAG
• Generating the HTML pages from SAP screens

ITS: What are the 2 main functions of the WGate (Web server)?

• Connects the ITS to the Web server
• Uses the HTTP protocol

What is an ITS service?

An ITS service is the set of components needed to call an SAP transaction via the ITS

How do you protect access to the ITS service and template files?

Using groups at the operating system level

ITS, scalability and load balancing: what are the 6 possible landscapes?

• Single WGate connects to multiple AGates
• Separate WGates connect to a single AGate
• Multiple WGates connect to multiple AGates
• ITS connects to a single application server
• Multiple ITS instances connect to a single system
• ITS connects to the message server (load balancing)

In a dual host installation, where do you use firewalls?

• Firewall in front of the Web server to deny access using undesired protocols
• Firewall between the Web server and the AGate to restrict access even more.

What is the goal of SNC in an ITS environment?

• Authentication between the components
• Integrity protection
• Privacy protection

What is the SNC default security product?

SAP Cryptographic Library (SAPCRYPTOLIB)

SNC: Where are the private keys stored?

In the SNC PSE

What are the 2 possibilities to establish trust when using the SAPCRYPTOLIB?

• Either use a single PSE for all communication partners
• Or exchange public-key certificates

What are the 3 trust manager profile parameters?

SAPCRYPTOLIB

2. ssf/ssfapi_lib, specify the location of the SAPCRYPTOLIB

3. ssf/name must be set to SAPSECULIB

What are the 7 steps to enable SNC on the ITS?

1. Install SAPCryptoLib + license ticket (SECUDIR)
2. Set trust manager profile parameters
3. Create (or import) the SNC PSE
4. Create credentials
5. Establish trust relationship
6. Set SNC profile parameters
7. Make access control list entries

What is the table for the SNC system access control list?

SNCSYSACL

What is the table for the extended user access control list?

USRACLEXT

Testing and analyzing: SNC information is provided in trace files. What are the 3 most common errors?

• Library could not be loaded
• No credentials

What are the 3 user authentication mechanisms?

• User ID and password
• X.509 client certificates
• Pluggable Authentication Services (PAS) -> external mechanisms

X.509 client certificates: which table is responsible for the user mapping?

USREXTID

What are the 2 different worlds for SSO?

• SAP GUI for Windows -> SNC
• Web -> SSL

SSO, Web: How is the SAP Logon Ticket stored in the Web browser?

Stored as a non-persistent session cookie in the Web browser (named MYSAPSSO2)

What 4 pieces of information does the SAP Logon Ticket contain?

User Id, Validity period, Issuing System ID,

What are the 3 constraints of the logon ticket?

• Same DNS domain
• User ID identical in all systems
• User must accept session cookies

How are the integrity and authenticity of the logon ticket protected?

It is digitally signed by the ticket-issuing server to provide integrity and authenticity protection

How do you maintain the configuration of the logon tickets?

Maintain the configuration using transactions SSO2 and STRUSTSSO2

Is SSO to non SAP components possible with SAP logon tickets?

Yes, SSO to non-SAP Components possible with SAP Tickets. 2 options:

o API Interface

o Web Server Filter (HTTP header field)

What are the 2 profile parameters used to configure SSO with SAP logon tickets?

• login/create_sso2_ticket
• login/accept_sso2_ticket

What are the 6 steps of the PAS authentication process?

1. The user enters the URL for the PAS service
2. The user provides user authentication info
3. The external authentication mechanism verifies the user's information
4. The ticket-issuing system maps the external user ID to the SAP user ID
5. The user is issued a logon ticket
6. The AGate redirects the user to the service

What are the 3 steps to install the PAS?

• Install SAP package ntauth.sar
• Set the service file parameters
• Maintain user mapping: maintain table USREXTID (report RSUSREXTID)

How do you combine the 2 worlds (SAP GUI and Web)?

• Using logon tickets, ITS and SAP shortcuts
• The logon ticket is passed to the SAP shortcut using ITS service wngui
• Only from Web to traditional (traditional to Web is not supported)

2 roles that the Web Application Server (Web AS) can play?

• SAP Web AS as client component
• SAP Web AS as server component

2 main components of the Web Application Server (Web AS)?

The Internet Communication Manager (ICM)
• Ensures communication between the SAP system (SAP Web Application Server) and the outside world using the HTTP, HTTPS and SMTP protocols.

The Internet Communication Framework (ICF)
• Provides the framework for implementing the

What is the transaction of the ICM monitor?

SMICM

7 activities of the ICM monitor?

• Start and stop the ICM
• Set trace level, view logs
• View profile parameter settings (starting with icm/)
• View statistics
• View memory pipe information
• View active services
• Monitor service cache

What is the transaction of the Internet Communication Framework (ICF)?

ICF, transaction SICF

4 activities of the ICF with transaction SICF (Maintain services)?

• Display HTTP hierarchical tree
• Create and maintain BSPs (SE80: view and test BSP)
• Create virtual hosts
• Activate/deactivate services (activate only the necessary services)

Load balancing: 3 different mechanisms:

• Redirection: the user is redirected to the server in the backend (simple but not user friendly)
• DNS-based method: the lookup routes clients to servers based on IP address

What is a stateful user session vs. a stateless one?

Stateful: the network connection lasts for the duration of a user session (HTTP is a stateless protocol; successive requests may open a new network connection)

What are the 2 options and the properties of a stateful user session?

• Session ID (either in a Web browser cookie or in the user's URL) -> SSL doesn't work
• IP address of client -> SSL OK (but an issue with proxies)

2 types of load balancing with SSL and their properties?

• End-to-end SSL: the server supports both privacy protection using encryption and user authentication using client certificates. Must use the client IP address for session persistence.
• Terminating SSL: terminate the SSL connection at the load balancer.

What are the pros and cons of terminating SSL with load balancing?

+ Better performance
+ Session cookie can be used
- Less security

5 scenarios of load balancing with the Web AS?

• Message server-based redirection
• Dispatcher or load balancer
• SAP Web Dispatcher
• Alternative technologies
• Combining technologies (Web switch and Web Dispatcher)

What is the problem of a stateful load-balancing connection?

for subsequent requests, then the second server would not know what had already occurred on the first server. Session context information is lost! (conflict between the application)

3 kinds of alternative technologies for load balancing?

• Hardware load balancer
• Web switch
• Reverse proxy
  o You can route incoming requests to different services based on the URL path

SSL encryption with the Web AS: 4 pieces of information to specify with the help of profile parameters?

• Specify plug-in
• Specify server port
• Specify whether to use client certificates
• Specify location of SAPCRYPTOLIB

What are the 3 types of SSL server PSE?

o Standard SSL server PSE (basis for creating individual SSL server PSEs for each host to use)
o Individual SSL server PSE
o Shared SSL server PSE

4 steps to enable SSL on the SAP Web AS (client or server)?

1. Create the SSL server PSE (STRUST)
2. Specify the PSE for each application server
3. For each unique PSE:
   a. Generate a certificate request
   b. Send the request to a CA

3 kinds of SSL client PSE?

• Standard SSL client PSE (must exist for SSL to work)
• Anonymous SSL client PSE (CN=anonymous)
• Individual SSL client PSE

3 configuration steps to specify that a connection uses SSL?

• SM59: maintain HTTP destination
  • Type G: to a different Web server
  • Type H: to another SAP Web AS
• Activate SSL and specify which SSL client PSE to use
• If SSL client authentication is to be used, select Basic Authentication.

4 steps to enable SNC on the SAP Web AS?

1. Install the SAP Cryptographic Library
2. Create the SNC PSE
3. Specify access control list (ACL) entries
4. Set profile parameters

Which table specifies which systems are allowed to connect to the SAP system using SNC?

SNCSYSACL

Which table specify the users that can log on to the

Which table specifies that WebRFC users can log on using the AGate’s SNC-protected connection?

USRACLEXT

4 SNC profile parameters?

• Activate SNC (snc/enable)
• Set level of protection (snc/data_protection/max)
• Accept RFC and DIAG connections that are not protected with SNC (snc/accept_insecure_gui)
• Use external authentication (snc/extid_login_diag)

3 components of the portal user and role management?

• Corporate directory server (for authentication)
• Portal directory server (portal-related user and group properties)
• Portal Content Directory (content -> role assignment)

3 enterprise portal authentication mechanisms?

• User ID/password (form-based iView)
• X.509 digital certificate
• Third-party authentication (Windows)
