What are Secure Network Communications and Secure Sockets Layer?
Secure Network Communications (SNC) is an interface that enables you to secure communication paths between SAP system components. Strong authentication, integrity protection, and privacy protection are provided.
The actual protection is provided by an external security product that is available to the SAP system using the SNC interface. The interface complies with the Internet standard Generic Security Services Application Programming Interface (GSS API) version 2. The default product provided by SAP is the SAP Cryptographic Library, which you can use for SNC between SAP system server components.
Secure Sockets Layer (SSL) is an Internet standard protocol developed by Netscape that is used to secure communications across the Internet. The SSL protocol layer exists between the network layer protocol (for example, TCP/IP) and the application layer protocol (for example, HTTP). The protocol uses public key technology to secure the communication between a client and a server.
The SSL protocol provides encrypted connections, SSL server authentication, SSL client authentication, and SSL mutual authentication (both server and client authentication).
To access Internet addresses that use SSL connections, you use URLs starting with https:// instead of http://.
The successor of SSL is Transport Layer Security (TLS).
When and for what are SNC licenses required?
The SAP Crypto Software is free of charge for SNC implementations between SAP servers. The customer must purchase additional licenses from our partners for SNC implementations between the frontend and SAP server. (See also SAP Note 597059 for license details.)
You use SNC principally to encrypt the communication channel. If the customer wants encrypted communication between the frontend and the SAP server and uses the WinGUI, the customer must purchase additional SNC licenses. This is also the case for Single Sign-On with WinGUI and the SAP server, which can only be implemented using SNC. If the customer uses Web-based access to SAP systems (using the WebGUI), the customer does not require additional licenses for Single Sign-On (this is implemented without SNC) and encryption between the frontend and the SAP server (this uses SSL).
Since when is it possible to secure RFC connections using Secure Network Communications?
Since SAP R/3 4.0.
What can I do to audit my system?
Various mechanisms for auditing your system are described in the Security Guide and in the Audit Information System (transactions SM19, RZ20, RZ21, or SECR).
Does SAP require that all servers are run behind a firewall?
An independent SAP security concept is possible because SAP provides an application infrastructure with its own server and frontend components. Wherever possible, this concept is based on ensuring general end-to-end security, which is why no specific security components such as firewalls, reverse proxies, or virtual private networks are presupposed. However, SAP does not have its own operating system and supports databases from other vendors, who are responsible for their own security concepts and mechanisms. The SAP Security Guide explains in detail which precautions are necessary at operating system and database level to minimize the weaknesses of these components. These include, for example, separating the administrators for the operating system, the SAP system and the database; protecting the program and configuration files of the SAP system and the operating system; and securely configuring the network functions of the operating system. The SAP Security Guide can be found on the SAP Service Marketplace, alias /securityguide.
When using Single Sign-On products, is it possible to ensure that certain systems can only be accessed from specific PCs?
You can do this using SAProuter (even without SNC). With SAProuter, you can control which IP addresses (client PCs) can access an SAP system, using an access control list.
What does the SAP Router do in the SAP secure environment?
The SAP Router is a program (executable file) that is included on the installation CD. Basically, the SAP Router regulates which source address is allowed to connect to which destination address. This is configured in a number of files. More information is provided by the training course BC305 (Advanced R/3 System Administration).
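The two answers above describe SAProuter as an access control list over source address, destination address and port. The following is an added illustration (not SAP's code and not the real saprouttab parser): it models the first-match-wins, default-deny evaluation of such a table in a reduced, hypothetical syntax (P/D action, glob wildcards in host fields, a port number or `*`), with made-up addresses, and includes a check for a common ordering mistake, a deny entry placed after a permit that already covers the same source.

```python
"""Evaluate a simplified SAProuter-style route permission table.

Added illustration, not SAP's code: it models the first-match-wins,
default-deny logic of an access control list such as saprouttab.
The syntax accepted here (P/D action, glob wildcards in host fields,
a port number or '*') is a reduced, hypothetical form; the real
saprouttab format has more entry types and options.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple

# Constructed sample table; addresses and hostnames are made up.
SAMPLE_TABLE = """
# action  source      destination  port
P         10.1.2.*    10.0.0.5     3200      # dispatcher of the SAP instance
P         10.1.2.*    10.0.0.5     3299      # saprouter-to-saprouter
D         10.1.2.99   *            *         # intended block of one PC (see note)
P         admin-pc    *            *
D         *           *            *         # explicit catch-all deny
"""


@dataclass(frozen=True)
class Rule:
    action: str    # "P" permit or "D" deny
    source: str    # client address pattern
    dest: str      # target host pattern
    port: str      # target port or "*"


def parse_table(text: str) -> List[Rule]:
    """Parse the reduced table syntax; '#' starts a comment."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("P", "D"):
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        rules.append(Rule(*parts))
    return rules


def _match(pattern: str, value: str) -> bool:
    return pattern == "*" or fnmatchcase(value, pattern)


def decide(rules: List[Rule], source: str, dest: str, port: int) -> Tuple[str, int]:
    """Return (action, index of the matching rule); -1 means nothing matched.

    Rules are scanned top to bottom and the first match wins; a request
    that matches no rule is denied.
    """
    for index, rule in enumerate(rules):
        if (_match(rule.source, source) and _match(rule.dest, dest)
                and _match(rule.port, str(port))):
            return rule.action, index
    return "D", -1


def shadowed_denies(rules: List[Rule]) -> List[int]:
    """Indices of D rules whose source is already covered by an earlier P rule.

    Heuristic ordering check: such a deny can never block that source for
    whatever destination/port the earlier permit allows.
    """
    found = []
    for i, rule in enumerate(rules):
        if rule.action != "D" or rule.source == "*":
            continue
        for earlier in rules[:i]:
            if earlier.action == "P" and _match(earlier.source, rule.source):
                found.append(i)
                break
    return found


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for req in [("10.1.2.7", "10.0.0.5", 3200), ("10.1.2.99", "10.0.0.5", 3200)]:
        print(req, "->", decide(table, *req))
    print("deny rules shadowed by an earlier permit:", shadowed_denies(table))
```

In the sample table the deny for 10.1.2.99 sits below the permit for 10.1.2.*, so that PC can still reach 10.0.0.5:3200; `shadowed_denies` reports that entry, and moving the deny above the permit fixes it. The same first-match discipline applies when reviewing a real route table.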
Which algorithms are provided by the sapcryptolib?
The sapcryptolib implements the following interfaces: SSL/TLS, SNC, and SSF. The algorithms that are used depend on the interface and protocol.
For SSL the SAPCRYPTOLIB needs an RSA-PSE. The following ordered list of cipher suites is implemented in SAPCRYPTOLIB. For details on configuring subsets and reordering of cipher suites, see SAP Note 510007.
1. SSL_RSA_WITH_RC4_128_SHA
2. SSL_RSA_WITH_RC4_128_MD5
3. TLS_RSA_WITH_AES128_CBC_SHA (added with pl28)
4. TLS_RSA_WITH_AES256_CBC_SHA (added with pl28)
5. SSL_RSA_WITH_3DES_EDE_CBC_SHA
6. SSL_RSA_WITH_DES_CBC_SHA
7. SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
8. SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
9. SSL_RSA_EXPORT_WITH_RC4_40_MD5
10. ( SSL_RSA_WITH_NULL_SHA )
11. ( SSL_RSA_WITH_NULL_MD5 )
SAPCRYPTOLIB implements SSLv3 and TLSv1.0. Support for TLSv1.0 was added with sapcryptolib patch level 28 (see SAP Note 1415576). SSLv2 is not supported, but an SSLv2 CLIENT-HELLO message is accepted as the first handshake message of an SSLv3 or TLSv1.0 handshake (see RFC 5246 Appendix E.2).
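The cipher suite list and the note on SSLv2-format CLIENT-HELLO messages above are worth checking in practice: a defender reviewing a capture wants to know which of these suites a client or server still offers and whether the first handshake message uses SSLv2 or v3 framing. The script below is an added example, not SAPCRYPTOLIB code: it constructs a TLS 1.0 ClientHello carrying the eleven listed suites (using their standard IANA code points), parses the cipher suite list back out, distinguishes v3 records from SSLv2-compatible hellos, and flags suites that current hardening guidance considers obsolete (NULL, EXPORT, DES/3DES, RC2, RC4, MD5). That "weak" classification is this example's own view, not the library's, and the ClientHello is a constructed sample (all-zero random).

```python
"""Parse a v3-format ClientHello and flag obsolete cipher suites.

Added example, not SAPCRYPTOLIB code. Suite code points are the standard
IANA values for the names in the FAQ's list; the ClientHello is built
in-script so the check runs offline. The WEAK_MARKERS rule is a modern
hardening view, not the library's own classification.
"""
import struct
from typing import Dict, List, Tuple

SAPCRYPTOLIB_SUITES: Dict[int, str] = {
    0x0005: "SSL_RSA_WITH_RC4_128_SHA",
    0x0004: "SSL_RSA_WITH_RC4_128_MD5",
    0x002F: "TLS_RSA_WITH_AES128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES256_CBC_SHA",
    0x000A: "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0009: "SSL_RSA_WITH_DES_CBC_SHA",
    0x0008: "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0006: "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0003: "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0002: "SSL_RSA_WITH_NULL_SHA",
    0x0001: "SSL_RSA_WITH_NULL_MD5",
}
WEAK_MARKERS = ("NULL", "EXPORT", "DES", "RC2", "RC4", "MD5")  # "DES" also catches 3DES/DES40


def build_client_hello(suites: List[int], version: Tuple[int, int] = (3, 1)) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello (no extensions).

    Constructed sample: the 32-byte random is all zeros, which a real
    client would never send.
    """
    body = bytes(version) + bytes(32) + b"\x00"          # client_version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello = 1
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def hello_format(data: bytes) -> str:
    """Tell a v3-style handshake record from an SSLv2-compatible CLIENT-HELLO.

    SSLv2 framing: 2-byte length with the top bit set, then message type 1.
    A v3 record starts with content type 0x16 (handshake) and major version 3.
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "v3-record"
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-compat"
    return "unknown"


def parse_client_hello_suites(data: bytes) -> List[int]:
    """Return the cipher suite code points offered in a v3-format ClientHello."""
    if hello_format(data) != "v3-record":
        raise ValueError("not a v3-format handshake record")
    if len(data) < 9 or data[5] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(data[6:9], "big")
    body = data[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                                          # skip client_version and random
    session_id_len = body[pos]
    pos += 1 + session_id_len
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def classify(suites: List[int]) -> List[Tuple[str, bool]]:
    """Map each code point to its FAQ name and say whether it is flagged weak."""
    result = []
    for code in suites:
        name = SAPCRYPTOLIB_SUITES.get(code, f"unknown(0x{code:04x})")
        result.append((name, any(m in name for m in WEAK_MARKERS)))
    return result


def weak_suites(hello: bytes) -> List[str]:
    """Names of flagged suites in the given ClientHello, in offered order."""
    return [name for name, weak in classify(parse_client_hello_suites(hello)) if weak]


if __name__ == "__main__":
    sample = build_client_hello(list(SAPCRYPTOLIB_SUITES))
    print(hello_format(sample), len(parse_client_hello_suites(sample)), "suites offered")
    for name in weak_suites(sample):
        print("flagged:", name)
```

Run against the full list, nine of the eleven suites are flagged and only the two AES-CBC suites added with patch level 28 pass, which is the practical reading of the ordered list: restrict the configured subset (SAP Note 510007) to the AES suites and keep the parenthesised NULL suites disabled.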
For SNC/GSS-API you also need an RSA-PSE. The RSA algorithm is used for authentication and key exchange. The connection is encrypted with 3DES-EDE ("Triple DES").
The default key size for asymmetric keypairs in newly created PSEs is 1024 bits for both RSA and DSA. DSA keypairs of 512 or 1024 bits are necessary for interoperability with SAPSECULIB usage scenarios (signed URLs for content server, SSO2 ticket).
The following is a complete list of the implemented algorithms:
SYM_ENC Algorithms

| Algorithm    | OID                     |
|--------------|-------------------------|
| rc2CBC       | 1.2.840.113549.3.2      |
| rc4          | 1.2.840.113549.3.4      |
| DES-ECB      | 1.3.14.3.2.6            |
| DES-CBC      | 1.3.14.3.2.7            |
| DES-EDE      | 1.3.14.3.2.17           |
| DES-EDE3-CBC | 1.2.840.113549.3.7      |
| AES128-ECB   | 2.16.840.1.101.3.4.1.1  |
| AES128-CBC   | 2.16.840.1.101.3.4.1.2  |
| AES192-ECB   | 2.16.840.1.101.3.4.1.21 |
| AES192-CBC   | 2.16.840.1.101.3.4.1.22 |
| AES256-ECB   | 2.16.840.1.101.3.4.1.41 |
| AES256-CBC   | 2.16.840.1.101.3.4.1.42 |

HASH Algorithms

| Algorithm              | OID                    | Note            |
|------------------------|------------------------|-----------------|
| RSA-MD2 / md2          | 1.2.840.113549.2.2     |                 |
| RSA-MD4 / md4          | 1.2.840.113549.2.4     |                 |
| RSA-MD5 / md5          | 1.2.840.113549.2.5     |                 |
| SHA-1 / sha1           | 1.3.14.3.2.26          |                 |
| RIPEMD-160 / ripemd160 | 1.3.36.3.2.1           |                 |
| SHA-256 / sha256       | 2.16.840.1.101.3.4.2.1 | added with pl28 |
| SHA-384 / sha384       | 2.16.840.1.101.3.4.2.2 | added with pl28 |
| SHA-512 / sha512       | 2.16.840.1.101.3.4.2.3 | added with pl28 |
| SHA-224 / sha224       | 2.16.840.1.101.3.4.2.4 | added with pl28 |

SIG Algorithms

| Algorithm               | OID                      | Note            |
|-------------------------|--------------------------|-----------------|
| md2WithRsa              | 1.3.14.7.2.3.1           |                 |
| md5WithRsa              | 1.3.14.3.2.3             |                 |
| sha1WithRSASignature    | 1.3.14.3.2.29            |                 |
| rsaSignatureWithsha1    | 1.3.36.3.3.1.1           |                 |
| dsaWithSHA1             | 1.3.14.3.2.27            |                 |
| dsaCommonWithSHA1       | 1.3.14.3.2.28            |                 |
| md2WithRsaEncryption    | 1.2.840.113549.1.1.2     |                 |
| md5WithRsaEncryption    | 1.2.840.113549.1.1.4     |                 |
| sha1WithRsaEncryption   | 1.2.840.113549.1.1.5     |                 |
| id-dsa-with-sha1        | 1.2.840.10040.4.3        |                 |
| sha256WithRsaEncryption | 1.2.840.113549.1.1.11    | added with pl28 |
| sha384WithRsaEncryption | 1.2.840.113549.1.1.12    | added with pl28 |
| sha512WithRsaEncryption | 1.2.840.113549.1.1.13    | added with pl28 |
| dsaWithSHA224           | 2.16.840.1.101.3.4.3.1   | added with pl28 |
| dsaWithSHA256           | 2.16.840.1.101.3.4.3.2   | added with pl28 |

KEY_AGREEMENT Algorithms

| Algorithm           | OID                  |
|---------------------|----------------------|
| dhKeyAgreement      | 1.2.840.113549.1.3.1 |
| dhWithCommonModulus | 1.3.14.3.2.16        |
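The OIDs in the table above are what actually appears, DER-encoded, in a certificate's signatureAlgorithm field, in a PSE, or in a CMS/SSF signature, so being able to decode one and match it against the list is useful when checking which algorithm a system is really using. The following is an added example, not SAP code: a small DER OBJECT IDENTIFIER encoder/decoder following the X.690 rules (first two arcs packed as 40*a+b, remaining arcs in base-128 with continuation bits), with `FAQ_OIDS` as a subset of the table above used for the lookup and the `identify` helper as this example's own name.

```python
"""Encode and decode DER OBJECT IDENTIFIERs and look them up in the FAQ's table.

Added example, not SAP code. FAQ_OIDS is a subset of the algorithm table;
the encoding rules are from X.690 (first two arcs packed as 40*a+b, all
arcs in big-endian base-128 with a continuation bit).
"""
from typing import Dict, Tuple

FAQ_OIDS: Dict[str, str] = {
    "1.2.840.113549.3.7": "DES-EDE3-CBC",
    "2.16.840.1.101.3.4.1.2": "AES128-CBC",
    "2.16.840.1.101.3.4.1.42": "AES256-CBC",
    "1.3.14.3.2.26": "SHA-1",
    "2.16.840.1.101.3.4.2.1": "SHA-256",
    "1.2.840.113549.1.1.5": "sha1WithRsaEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRsaEncryption",
    "1.2.840.10040.4.3": "id-dsa-with-sha1",
    "1.2.840.113549.1.3.1": "dhKeyAgreement",
}


def _base128(n: int) -> bytes:
    """Big-endian base-128; continuation bit set on all but the last byte."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(dotted: str) -> bytes:
    """Dotted OID string -> complete DER TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or min(arcs) < 0 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    content = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _der_length(len(content)) + content


def _read_length(der: bytes, pos: int) -> Tuple[int, int]:
    first = der[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or pos + nbytes > len(der):
        raise ValueError("malformed DER length")
    return int.from_bytes(der[pos:pos + nbytes], "big"), pos + nbytes


def decode_oid(der: bytes) -> str:
    """DER TLV -> dotted OID; rejects wrong tag, truncation, trailing bytes, dangling arcs."""
    if len(der) < 2 or der[0] != 0x06:
        raise ValueError("not a DER OBJECT IDENTIFIER")
    length, pos = _read_length(der, 1)
    content = der[pos:pos + length]
    if length == 0 or len(content) != length or pos + length != len(der):
        raise ValueError("truncated or trailing OID content")
    if content[-1] & 0x80:
        raise ValueError("unterminated base-128 arc")
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def identify(der: bytes) -> Tuple[str, str]:
    """Return (dotted OID, algorithm name from the FAQ table or 'unknown')."""
    dotted = decode_oid(der)
    return dotted, FAQ_OIDS.get(dotted, "unknown")


if __name__ == "__main__":
    # 06 09 2A 86 48 86 F7 0D 01 01 0B is the well-known sha256WithRSAEncryption AlgorithmIdentifier OID
    print(identify(bytes.fromhex("06092a864886f70d01010b")))
```

Feed `identify` the OID bytes pulled from a certificate (for example the signature algorithm of a PSE's own certificate) to see whether it is one of the pl28 additions such as sha256WithRsaEncryption or an older md5/sha1 signature that should be phased out.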
When I attempt to download a copy of the SAP Cryptographic Library, the download site contains a message about Export Control Regulations, but no link to download the library. How do I download the SAP Cryptographic Library?
The download process on the SAP Service Marketplace was developed specifically for this software and has a special mechanism. This ensures that SAP knows who has downloaded the software; a flag is set internally in an SAP customer database after the download is complete. SAP AG needs to report to the German government offices who has received the software, because it contains cryptographic elements. This is one of the German export regulations.
This is also the reason why SAP employees see only the screen with the export regulation restrictions that says that they are not allowed to download the software. The SAP Service Marketplace knows (because of your login) that you are an SAP employee and are not allowed to download the software. Customers are also not allowed to download the software if either of the two conditions below is not met:
1. The customer's COUNTRY must be released for download in our customer database; otherwise no customer in that country can download the software.
2. The non-military flag must be set in the customer record in the SAP customer database.
In the SAP customer database, where the customer records are maintained, there is a flag for "Non-military company". Every local SAP country organization has to verify for each customer whether that company is a "Non-military" company. For more information, contact Thomas Koleyko from the Corporate Export department at SAP AG in Walldorf.
To allow the customer to download the SAP Cryptographic Library, set the "Non-military" flag in the customer record in the SAP customer database system. Only if this flag is set can the company download the SAPCryptoLib. Of course, you should first check whether you are allowed to set this flag for the company. Please wait one day after this flag is changed in the SAP customer database (ISP) system, as it must be distributed to the SAP Service Marketplace.
For more information, see SAP Note 397175.
Is it possible to enforce different authentication mechanisms, such as allowing ordinary users to use user ID/password while system administrators and so on use strong authentication like certificates?
Yes, this is possible. For more information, see the relevant passage in our SNC cookbook (especially snc/accept_insecure_gui = U), which you will find on the SAP Service Marketplace under http://service.sap.com/security -> Security in Detail -> Infrastructure Security, and SAP Notes 379081 and 142595.
What are the license conditions for the SAP Cryptographic Library?
For details about the license conditions for the SAP Cryptographic Library, see SAP Note 597059 as follows:
The "SAP Cryptographic Library" (SAPCRYPTOLIB) is available on the SAP Service Marketplace (http://service.sap.com) for software download (export control, see SAP Note 397175):
Quick Link on the SAP Service Marketplace: http://service.sap.com/swdc
Then follow the link to "SAP Cryptographic Software".
The following "License Disclaimer" (LICENCE.TXT) is contained in the CAR archives provided for download there:
License Disclaimer for the SAPCRYPTOLIB (SAP's Cryptographic Library)
The SAP Cryptographic Library may only be used as an integral part of SAP products and not as part of other non-SAP products.
The legal use of the SAP Cryptographic Library for Secure Network Communications (SNC) is limited to securing backend server components provided by SAP or entitled SAP partners. The use of the SAP Cryptographic Library for SNC protected communications on a personal computer that runs client components (for example, SAP GUI for Windows or SAP GUI for JAVA) is not permitted.
The use of the SAP Cryptographic Library to secure the SAProuter communication when using the SAPNet - R/3 Frontend for remote support is permitted without restriction.
The following explanations on the license conditions for using the "SAP Cryptographic Library" (SAPCRYPTOLIB) are intended to prevent any misunderstandings:
The SAPCRYPTOLIB can be used both as an SNC product and as an SSL Toolkit.
The restrictions listed in the "License Disclaimer" apply to the use of SNC. SNC encryption with the SAPCRYPTOLIB can be used for communication between two SAPROUTER installations. Ensure that the SAPROUTER is not installed on a front-end PC.
No further restrictions apply to the use of the SAPCRYPTOLIB as an SSL implementation in all SAP products. In other words, the SAPCRYPTOLIB may be used both in server and in frontend components, and for the SSL backup of the communication between SAP products and SAP or non-SAP products.