Title: Identity & Access Management Powerful access - Standard
Version: 1
Security Baseline for the Gateway on SAP Systems

Executive Summary

This document describes the steps required to secure gateway communications on SAP ABAP systems. It lists the settings that must be in place to maintain a minimum level of security.

Summary of changes compared to previous version

This is the initial creation of this document.

Owner of the Standard
  Name: (left blank)
  Function: (left blank)

Effective date of current version / Transition period
  Effective date: (left blank)
  End of transition period: (left blank)

Applicable for
  Mandatory for: All Common SAP ABAP Systems
  Recommended for: All SAP ABAP Systems

Approval
  Approval by the ITL T and higher body if needed.
  Approving body: t.b.d.
  Date: t.b.d.

Next planned review (reason for review / timeline or trigger)
  Based on frequency: this document must be reviewed at least every year.
  Based on trigger: in case of new developments or new solutions this document must be reviewed and updated so that it remains consistent with the solutions it describes.

Taxonomy: Infrastructure & Technology, Information Security, Identity and Access Management, Powerful Access

Enterprise Keywords: SAP Security, SAP Basis, SAP Gateway

Expert group members to create the document
  Name of SME: (left blank)
  Function: (left blank)

Table of Contents

1 Introduction
2 General overview on SAP gateway
3 Configuring Network-Based Access Control Lists (ACL)
4 Security Parameters of the Gateway
5 Security Settings in the Gateway
6 Configuring Connections between Gateway and External Programs Securely
7 Logging-Based Configuration of Gateway
  Context
  Procedure
8 Setting Up Gateway Logging
9 Evaluating the Gateway Log File
  Prerequisites
  Context
  Procedure
10 Gateway Security Files secinfo and reginfo
11 Checking the Security Configuration of Gateway
12 Gateway Parameters - Reference

1 Introduction

This document describes and prescribes the minimal configuration settings that must be implemented so that the gateway of an SAP ABAP system is compliant with the Information Security Standard and meets a minimal security baseline. Because SAP ABAP systems exist in a great variety of releases and versions, the settings are described on the basis of the latest insights. Where a deviation from the settings in this document is necessary, it must be documented. For more background on SAP security and authorizations, see the knowledge item "Logical Access Control on SAP systems" on One2Share and the SAP site, which contains extensive material on this topic.

2 General overview on SAP gateway

The gateway addressed by this standard is the RFC gateway: the gateway process that runs in every ABAP application server instance (and can also run stand-alone) and mediates all RFC and CPI-C communication between the system and the outside. It accepts connections from other SAP systems and from external programs, starts external server programs on request, and accepts server programs that register themselves on it. Those three functions are what the network ACL (section 3), the parameters in section 4 and the secinfo and reginfo files (section 10) control. The name is easily confused with SAP NetWeaver Gateway, the OData framework that connects devices, environments and platforms to SAP applications over open standards without requiring SAP knowledge; that component is a different product and is not the subject of this document.

3 Configuring Network-Based Access Control Lists (ACL)

Use

You can set up an access control list (ACL) to control which connections the gateway accepts and which it rejects. The rules are based on the IP address of the connecting client.
The same ACL file is used for the standard port and for the SNC port of the gateway.

Procedure

1. Create an ACL file using the syntax described below.
2. In the instance profile of the gateway instance, set the parameter gw/acl_file to the path of the ACL file.

Caution: if this parameter is not set, the gateway accepts all connection requests.

Syntax of the ACL file

3. Each line of the ACL must have the following syntax:

   <permit | deny> <ip-address[/mask]> [tracelevel] [# comment]

   where permit accepts the connection and deny rejects it.

   <ip-address>: an IPv4 or IPv6 address in one of the following forms:
     - IPv4: 4 bytes, decimal, '.' separated, e.g. 10.11.12.13
     - IPv6: 16 bytes, hexadecimal, ':' separated; the '::' abbreviation is supported
   <mask>: if a mask is specified it must be a subnetwork prefix length (CIDR notation):
     - IPv4: 0-32
     - IPv6: 0-128
   <tracelevel>: the trace level at which ACL hits (addresses matched through the subnetwork mask) are written to the gateway trace file; the default is 2.
   <# comment>: everything from a hash sign (#) to the end of the line is a comment. Lines that consist only of a comment, and blank lines, are allowed.

The rules are checked sequentially from the top down, and the first matching rule determines the result ("first match"). If no rule applies, the connection is rejected. Because order decides, place specific rules above broad ones: a broad permit placed above a narrower deny makes the deny unreachable. Although the implicit default is already deny, end the file with an explicit deny 0.0.0.0/0 as the last rule so that the intent is obvious to anyone reading the file.
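The following Python helper is an added example; it is neither part of this standard nor SAP's gateway code. It implements the ACL syntax and evaluation rules stated above (comment and blank lines, IPv4/IPv6 with prefix masks, top-down first match, implicit deny) so that an ACL file can be dry-run against client addresses before it is installed through gw/acl_file. The ACL used as sample input is the one from the example in this section; the client addresses are constructed, and the module and function names are assumptions of the example.

```python
"""Parse and evaluate a gateway ACL file written in gw/acl_file syntax.

Hypothetical helper, not SAP code: it reproduces the rules of this section
(first match from the top, implicit deny) so an ACL can be checked before
it is installed on the gateway.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Rule:
    action: str        # "permit" or "deny"
    network: Network   # a bare host address becomes a /32 or /128
    trace_level: int   # trace level for ACL hits; the default is 2
    line_no: int       # 1-based line in the ACL file, for diagnostics


def parse_acl(text: str) -> List[Rule]:
    """Parse '<permit|deny> <ip[/mask]> [tracelevel] [# comment]' lines."""
    rules: List[Rule] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop a trailing comment
        if not line:
            continue  # blank line or comment-only line
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {line_no}: expected <permit|deny> <ip[/mask]> [tracelevel]")
        action, target = fields[0].lower(), fields[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"line {line_no}: unknown action {fields[0]!r}")
        try:
            # ip_network validates the address and the prefix range (0-32 / 0-128)
            network = ipaddress.ip_network(target, strict=False)
        except ValueError as exc:
            raise ValueError(f"line {line_no}: bad address or mask {target!r}: {exc}") from exc
        trace_level = int(fields[2]) if len(fields) == 3 else 2
        rules.append(Rule(action, network, trace_level, line_no))
    return rules


def evaluate(rules: List[Rule], client_ip: str) -> Tuple[bool, Optional[Rule]]:
    """Return (permitted, matching rule). The first match from the top wins;
    if no rule matches the connection is rejected (implicit deny, rule None)."""
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        if addr in rule.network:  # False when the address families differ
            return rule.action == "permit", rule
    return False, None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Line numbers of rules that can never match because an earlier rule of
    the same address family already covers their whole network."""
    shadowed: List[int] = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.network.version == later.network.version
                    and later.network.subnet_of(earlier.network)):
                shadowed.append(later.line_no)
                break
    return shadowed


# Constructed sample input: the ACL from the example in this section.
SAMPLE_ACL = """\
permit 10.1.2.0/24          # permit client network
permit 192.168.7.0/24       # permit server network
permit 10.0.0.0/8 1         # screening rule (learning mode, trace-level 1)
permit 2001:db8::1428:57ab  # permit IPv6 host
deny 0.0.0.0/0              # deny the rest
"""
RULES = parse_acl(SAMPLE_ACL)

if __name__ == "__main__":
    for ip in ("10.1.2.77", "10.200.1.1", "172.16.0.5",
               "2001:db8::1428:57ab", "2001:db8::1"):
        ok, rule = evaluate(RULES, ip)
        where = (f"line {rule.line_no}, trace level {rule.trace_level}"
                 if rule else "no rule matched, implicit deny")
        print(f"{ip:22} {'permit' if ok else 'deny':6} ({where})")
    print("shadowed rules:", shadowed_rules(RULES))
```

Running the module prints the decision for each sample address. Two points are worth noticing. First, 2001:db8::1 is rejected by the implicit default and not by the final deny 0.0.0.0/0: in this evaluator, as in Python's ipaddress module, an IPv4 rule never matches an IPv6 address. The page does not say how the gateway itself treats that case, and the result is a rejection either way, but an operator who wants the explicit last rule to state the intent for IPv6 as well can add a corresponding IPv6 rule (for example deny ::/0, which is valid under the syntax above). Second, shadowed_rules() reports rules that a broader earlier rule makes unreachable, which is the usual mistake when a screening permit such as 10.0.0.0/8 is placed above a more specific deny.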
Example

   permit 10.1.2.0/24          # permit client network
   permit 192.168.7.0/24       # permit server network
   permit 10.0.0.0/8 1         # screening rule (learning mode, trace-level 1)
   permit 2001:db8::1428:57ab  # permit IPv6 host
   deny 0.0.0.0/0              # deny the rest

4 Security Parameters of the Gateway

Use

The parameters described below configure the gateway for secure connections.

Prerequisites

Your system must be configured for using the SNC interface.

Features

gw/acl_file

This parameter specifies the name of an access control list (ACL) file. With an ACL you configure who is permitted to connect to the gateway at the network level; which programs may be started or registered is governed separately by the secinfo and reginfo files (section 10).
Note: the same ACL file is used for the standard port and for the SNC port of the gateway. If the specified ACL file does not exist or contains errors, the gateway terminates immediately; it does not start without a valid ACL.
Caution: if the parameter is not set, no access control is applied and every connection request is accepted.
Default setting: empty (no ACL file is used)
Dynamic: no (a change only takes effect after the instance is restarted)

gw/acl_mode

This parameter defines the behavior of the gateway if the security files secinfo (parameter gw/sec_info) or reginfo (parameter gw/reg_info) do not exist. The following values are permitted:
0: There is no restriction on starting external servers or registering servers.
   Recommendation: this setting should not be used in production operation.
1: External and registered servers are only permitted within the system (application servers of the same system). All other servers are rejected or must be maintained explicitly in the respective files.
Default setting: 1
Dynamic: yes

gw/logging

With this parameter you configure gateway logging: whether the gateway writes its actions to a log file, which types of action are logged, how the file is renamed, an optional maximum file size, and whether old files are overwritten.
Recommendation: if the gateway is running in an AS ABAP instance, we recommend that you make the settings for gateway logging in the gateway monitor (transaction SMGW). Settings made there do not survive a restart of the instance; to make them permanent, set this parameter in the instance profile as follows:

   gw/logging = LOGFILE=<name> ACTION=[TERSMPXVCO] [MAXSIZEKB=n] [SWITCHTF=t] [FILEWRAP=on]

The individual elements have the following meaning:
LOGFILE: file name of the log file.
ACTION: the character sequence (a subset of TERSMPXVCO) specifies the actions to be logged.
MAXSIZEKB (optional): maximum file size in KB. As soon as the file exceeds this size a new file is opened; the new file name can differ if special characters are used in LOGFILE. This applies unless a SWITCHTF condition was specified that takes effect first.
SWITCHTF (optional): opens a new file after a specific time period, unless a MAXSIZEKB condition was specified that takes effect first. The following values can be specified:
   - year: after one year a new file is opened
   - month: after one month
   - week: after one week
   - day: after one day
   - hour: after one hour
FILEWRAP (optional): reuse the file. This element can only have the value ON. If it is set, no new file is written; the file that is already open is reset and written to again.
The values specified for LOGFILE are only used the first time the file is opened.

gw/monitor

This parameter specifies how the gateway handles monitor commands. The following values are possible:
0: No monitor commands are accepted.
1: Only
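The following Python checker is an added example, not part of this standard or of SAP's own tooling. It reads an instance profile fragment in the usual "parameter = value" form and applies the rules of this section: it reports a missing gw/acl_file (all connections accepted), gw/acl_mode = 0 (not for production) and a gw/logging value that is missing from the profile or that does not follow the syntax given above. Both profile fragments are constructed; the log file name gw_log and the ACL path under $(DIR_GLOBAL) are assumptions of the example, and gw/monitor is not checked because its value list is cut off on this page.

```python
"""Check the gateway security parameters of an SAP instance profile.

Hypothetical checker, not SAP code: it parses 'parameter = value' lines and
applies the rules stated in this section for gw/acl_file, gw/acl_mode and
gw/logging, returning one finding per problem.
"""
import re
from typing import Dict, List

LOG_ACTIONS = set("TERSMPXVCO")                      # permitted ACTION characters
SWITCHTF_VALUES = {"year", "month", "week", "day", "hour"}
LOG_ELEMENTS = {"LOGFILE", "ACTION", "MAXSIZEKB", "SWITCHTF", "FILEWRAP"}


def parse_profile(text: str) -> Dict[str, str]:
    """Return {parameter: value}; a later assignment overrides an earlier one."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank, comment, or not an assignment
        name, value = line.split("=", 1)  # the value may itself contain '=' (gw/logging)
        params[name.strip()] = value.strip()
    return params


def parse_gw_logging(value: str) -> Dict[str, str]:
    """Split 'LOGFILE=<name> ACTION=... [MAXSIZEKB=n] [SWITCHTF=t] [FILEWRAP=on]'
    into a dict; raise ValueError for anything the syntax does not allow."""
    fields: Dict[str, str] = {}
    for token in value.split():
        if "=" not in token:
            raise ValueError(f"gw/logging: element {token!r} is not KEY=value")
        key, val = token.split("=", 1)
        fields[key.upper()] = val
    unknown = set(fields) - LOG_ELEMENTS
    if unknown:
        raise ValueError(f"gw/logging: unknown element(s) {sorted(unknown)}")
    if not fields.get("LOGFILE"):
        raise ValueError("gw/logging: LOGFILE is mandatory")
    action = fields.get("ACTION", "")
    if not action or set(action.upper()) - LOG_ACTIONS:
        raise ValueError(f"gw/logging: ACTION must be a non-empty subset of TERSMPXVCO, got {action!r}")
    if "MAXSIZEKB" in fields and not re.fullmatch(r"[1-9][0-9]*", fields["MAXSIZEKB"]):
        raise ValueError(f"gw/logging: MAXSIZEKB must be a positive integer, got {fields['MAXSIZEKB']!r}")
    if "SWITCHTF" in fields and fields["SWITCHTF"].lower() not in SWITCHTF_VALUES:
        raise ValueError(f"gw/logging: SWITCHTF must be one of {sorted(SWITCHTF_VALUES)}")
    if "FILEWRAP" in fields and fields["FILEWRAP"].upper() != "ON":
        raise ValueError("gw/logging: FILEWRAP can only have the value ON")
    return fields


def check_gateway_profile(text: str) -> List[str]:
    """Apply the baseline rules of this section to a profile and return findings."""
    params = parse_profile(text)
    findings: List[str] = []
    if not params.get("gw/acl_file"):
        findings.append("gw/acl_file not set: the gateway accepts connection requests from any address")
    if params.get("gw/acl_mode", "1") == "0":  # the documented default is 1
        findings.append("gw/acl_mode = 0: external and registered servers are unrestricted "
                        "when secinfo/reginfo are missing; not for production operation")
    if "gw/logging" not in params:
        findings.append("gw/logging not set in the profile: logging configured only in SMGW "
                        "is lost when the instance restarts")
    else:
        try:
            parse_gw_logging(params["gw/logging"])
        except ValueError as exc:
            findings.append(str(exc))
    return findings


# Constructed profile fragments: the weak settings and the corrected ones.
WEAK_PROFILE = """\
# instance profile fragment with the weak settings (constructed)
SAPSYSTEMNAME = ABC
gw/acl_mode = 0
gw/logging = LOGFILE=gw_log ACTION=TERSQ
"""

HARDENED_PROFILE = """\
# instance profile fragment with the corrected settings (constructed;
# the ACL path and log file name are assumptions)
SAPSYSTEMNAME = ABC
gw/acl_file = $(DIR_GLOBAL)/security/gw_acl
gw/acl_mode = 1
gw/logging = LOGFILE=gw_log ACTION=TERSMPXVCO MAXSIZEKB=10240 SWITCHTF=day
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}: {check_gateway_profile(profile) or ['no findings']}")
```

The weak fragment yields three findings (no ACL file, gw/acl_mode = 0, and an ACTION character that is not in TERSMPXVCO); the hardened fragment yields none. The checker looks only at the profile, so a valid gw/acl_file value still has to be paired with the file-level check from section 3: the gateway refuses to start if the file named there is missing or malformed.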
Published April 14, 2021.