Good places to hunt for security information are the Service Marketplace and the SDN. On the Service Marketplace you will find the Security Homepage. This is the information hub for security-related topics for SAP NetWeaver. You can find overview presentations as well as detailed cookbooks here. Cookbooks include but are not limited to: How to configure SSL, How to configure a Directory Integration, How to configure users and roles, How to configure a CUA, and How to implement the Cryptographic Library. You'll find these under the Security in Detail link on the Security Homepage. You will also find an interactive version of the Security Solution Map, a tool that helps you find which security features and functions are available, planned or currently not in scope with SAP.
On SDN we also have a security homepage that holds articles, replays of webcasts and weblog posts on security topics.
Then we have the Security Guides, which hold recommendations on how to configure SAP systems securely. They can also be found on the Service Marketplace: Security Guides on the Service Marketplace. Their target group is technical staff and/or security administrators for NetWeaver security and application-specific security. Please check this link regularly, as we aim to expand the guides on a regular basis.
A security vulnerability check for SAP that has been available since last year is the Security Optimization Service. It checks your SAP basis, the SAP Router, the Business Connector and the Internet Transaction Server for security misconfigurations and vulnerabilities. It includes password checks, batch input checks, basis administration checks, change control checks, etc. You can order this service here: Support Portal on the SAP Service Marketplace – Maintenance & Services – Service Catalog. Select SAP Solution Management Optimization. You can also get a free version of this service via the newest Solution Manager Content Plug-in ST-SER 2005_1. For more details please check out SAP note 837490. The check comes with a result report that makes suggestions on what to configure differently. You have the option to fix the findings yourself or get SAP Security Consulting onsite to do it for you.
If you are in need of SAP's Security Consulting Team, you can reach them via email: SecurityConsulting@sap.com.
Speaking of Security Consulting, if you are an SAP Security Consultant you might want to look into becoming certified. You can now get an SAP certification called Advanced Technical Consultant with the specialization in SAP Security. The certification is a 3-hour multiple-choice test of 80-some questions on security topics like user management, cryptography and encryption, network basics, ITS security, Single Sign-On, Web Application Server security, AIS and other monitoring tools, etc. SAP courses recommended for preparation are ADM940 (Authorization Concept), ADM950 (Secure SAP System Management) and ADM960 (Security in SAP System Environments). You can find more info here: Certification Homepage -> SAP Consultant Certification -> SAP NetWeaver (mySAP Technology). Good luck!
SAP allows for a lot of security features and functions by configuration. But these can be enhanced by leveraging partner products. You can find a list of certified partner products here: Security Partner.
If you are a potential partner and wish to know more about our APIs and how to become certified, please check out the information from our Integration and Certification Center.
If you tried to hunt for security-related SAP information but did not succeed after having checked the above-mentioned links, surfed through the online help and browsed through SAP notes, you can send us, the Security Product Management Team, an email: Security@sap.com. This is an open email address for customers, partners and SAP employees for SAP security questions. We sometimes get urgent emails in which the sender informs us that he/she lost his/her secure ID card. That is not a question where we can be of help, although the sender definitely has our empathy. But general SAP security product questions are welcome.
Have fun leveraging the security services mentioned in this weblog post!