Why is Protect4S offering a new feature, the Protect4S Connection Map? An average SAP landscape consists of multiple SAP systems with many interconnections. These connections between SAP systems may pose risks when they are not secured properly:
- malicious 3rd parties or insiders may use them to jump from one infected SAP system to a new SAP system target, thus, acquiring the authorisation of the configured user. Often, a less secure configured SAP system (for example a Sandbox) is used as a “stepping-stone” to Productive SAP systems.
- malicious 3rd parties or insiders may use the connections between SAP to execute functions, commands or scripts on remote systems.
The Protect4S Connection Map gives insight in which connections there are in the SAP landscape and what risks they contain:
The different connection types shown are:
- Type 3 RFC destination: connections using the RFC protocol with authentication consisting of a named user and password, for instance, the TMS transport connections.
- Type T RFC destination: connection using the RFC protocol between the SAP system and a (registered) server program, for instance, the executable sapxpg.
- Type G & H destinations: connection to external systems using the HTTP(S) protocol, for instance, to the HTTP port of an SAP JAVA based system.
- SOAP web services: connections using HTTP(S) protocol and logical ports to external systems, for instance, connections between an SAP system and SAP Control agents.
- ADBC connections: connections between SAP databases using the ADBC protocol.
Trusted Systems
It is possible to avoid the use of named users and passwords in Type 3 RFC destinations by establishing a trust relationship between 2 SAP systems. In addition, the use of this trusted RFC connection can be limited to specific users, by means of an authorisation object.
Trust relationships between SAP systems offer the following benefits:
- Single Sign-On is possible beyond system boundaries.
- No passwords are transmitted in the network.
- Timeout mechanisms for the logon data protect against illegal logon attempts.
- User-specific logon data is checked in the called system.
More information:
SAP Help Topic: Maintaining Trust Relationships between SAP Systems
SAP OSS Note: 128447 – Trusted/trusting systems
Unified Connectivity (UCON)
The Unified Connectivity Framework (UCON Framework) provides various scenarios which you can use to optimize the protection of your RFC and HTTP(S) communication against unauthorized access.
It is possible to limit the number of remote functions that may be executed using an RFC destination by means of a whitelist. In addition, the user roles of the calling user may be reduced to the absolute minimum using a Role builder.
More information:
SAP Help: Unified Connectivity
SAP OSS Notes:
2008727 – Securing Remote Function Calls (RFC) (contains a PDF document)
2098702 – Composite note for UCON RFC
Authorisation for RFC destinations
All RFC destinations contain a special authorisation field, located in the Login and Security tab, called “Authorization for Destination”. This field may be used to secure the RFC destination.
When a text is specified in this field, a check is made at runtime on the client-side to see whether the calling user has the correct authorization to call this destination. The specified literal must be entered in the authorization profile of the calling user in authorization object S_ICF, more specifically in the ICF_VALUE field of this object.
More information:
SAP Help: Controlling Access to RFC Destinations
ACL files for protecting SAP gateway and server programs
The reginfo and secinfo ACL files can and must be used to protect server programs like rfcexec and sapxpg against unauthorised remote callers.
More information:
SAP Help: Security Settings in the Gateway
SAP OSS Notes:
2605523 – [WEBINAR] RFC Gateway Security Features
1425765 – Generating sec_info reg_info
1689663 – GW: Simulation mode for reg, sec, and prxy_info
1305851 – Overview note: “reg_info” and “sec_info”
Other sources of information
The SAP RFC/ICF Security Guide contains many more security measures that can be taken to secure your connections between SAP systems.
To find out how the new feature shows the existing connections inside an SAP system landscape, try out Protect4S for 30 days for free or request a free demo!
For more SAP security-related news, articles and whitepapers, please follow us on LinkedIn!
