Jansi Rani Murugesan

Setting Up Highly Secured SAP Solution Manager Environment!!

Security is a common and very big concern in today’s IT world. Earlier in my career, one of my clients totally rejected the CEN monitoring setup in Solution Manager because of security concerns about the trusted RFC connections from SAP Solution Manager to all the managed systems.

Yes, Solution Manager acts as the central monitoring hub and centrally manages all your landscape details, but that doesn’t mean Solution Manager should be a gateway to all the managed systems without any security considerations in place. Every SP release of Solution Manager brings new functionality. From 7.1 onwards, infrastructure management is also integrated with Application Lifecycle Management. In such a situation, how can we ensure at least basic security in the Solution Manager environment?

There are lots of security practices, like installing the system in a DMZ, and there are also 3rd party security products available. Security is a big topic: you can do encryption at any level in an SAP system, either on the application side or on the networking side. But before that, there are lots of basic possibilities available on the Solution Manager system side to ensure security, without going into high-level encryption.

Through this blog I would like to raise awareness of these very basic areas in Solution Manager where we can improve security.

Security Tips from Security Guide

I admit that it’s very difficult to read and review the SAP security guide, which is a single file of 66 MB. But make it team work: split the pages, review them, and get an understanding of the major changes to authorization objects in Solution Manager, the list of functionality where trusted RFCs are a must, and also the interesting topics, such as SSL.

The guide: SAP Solution Manager 7.1 Security Guide

After a small review, the areas below are the ones that deal with the secure connection between Solution Manager and the managed systems:

  • Enable HTTPS for ICF Services (page 64)
  • Enable SSL (page 66)
  • Secure Storage (page 77)

It totally depends on your environment strategy whether you implement all of them or not. But when security is priority one, all of the above fall under the heading “Must Implement”.

Enable HTTPS

Why


This is the first step: enable secure data transfer for Solution Manager itself. It is also the prerequisite for other SSL connections, such as those for web services, certificate authentication and the secure database. Enabling HTTPS is similar on all SAP systems and consists of a list of standard tasks: setting the SSL parameters, opening the SSL port and adding the cryptographic library.

How


To set up SSL, follow “SSL Configuration in SAP ABAP AS and JAVA AS – Step-by-step procedure”, and also follow the security guide, page 66.
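A small check for the three tasks named above (SSL parameters, SSL port, cryptographic library), as an added example that is not from the original post or from SAP: it parses an instance profile and reports what is missing. The profile text is constructed; `icm/server_port_<n>` and `ssl/ssl_lib` are standard profile parameters, and the function names are illustrative.

```python
import re

# Constructed sample instance profile (not taken from a real system).
SAMPLE_PROFILE = """\
# ICM ports
icm/server_port_0 = PROT=HTTP,PORT=80$$
icm/server_port_1 = PROT=HTTPS,PORT=443$$,TIMEOUT=60
icm/server_port_2 = PROT=SMTP,PORT=0
ssl/ssl_lib = /usr/sap/SM1/DVEBMGS00/exe/libsapcrypto.so
"""

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def icm_ports(params):
    """Yield (index, protocol, port) for every icm/server_port_<n> entry."""
    for name, value in sorted(params.items()):
        m = re.fullmatch(r"icm/server_port_(\d+)", name)
        if not m:
            continue
        opts = dict(o.split("=", 1) for o in value.split(",") if "=" in o)
        yield int(m.group(1)), opts.get("PROT", "").upper(), opts.get("PORT", "")

def audit_https(text):
    """Return a list of findings; an empty list means the basic checks pass."""
    params = parse_profile(text)
    # PORT=0 means the ICM does not open that port, so it is ignored here.
    active = [p for p in icm_ports(params) if p[2] != "0"]
    findings = []
    if not any(prot == "HTTPS" for _, prot, _ in active):
        findings.append("no active HTTPS port in icm/server_port_<n>")
    for i, prot, port in active:
        if prot == "HTTP":
            findings.append(f"icm/server_port_{i}: plain HTTP still open on port {port}")
    if not params.get("ssl/ssl_lib"):
        findings.append("ssl/ssl_lib not set: cryptographic library path missing")
    return findings

if __name__ == "__main__":
    for finding in audit_https(SAMPLE_PROFILE):
        print("FINDING:", finding)
```

On the sample profile the only finding is the plain HTTP port that is still open next to the HTTPS one.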

Secure communication with Web services

Why


SAP Solution Manager functionality is based on role-based work centers. If you plan to provide work center access to end users, SSL connections for web services are worth considering.

How


Follow the security guide, page 52, and SAP Note 1716999 – Enable HTTPS for Solution Manager web service communications.

Secure connection with Diagnostics agent

Why


If you plan to implement RCA, it is good to enable an SSL connection between the Diagnostics agent and Solution Manager.

How


Follow the Diagnostics agent guide in SAP Note 144865 and the wiki below: SAP Community Network Wiki – SAP Solution Manager Setup – Certificate Based Authentication for th…

Secure Storage

This is simply where all your RFC users and passwords are stored in encoded form. It is a standard component, and the system uses a default key to encrypt. For more on this, review Note 1027439.

I have just listed the basic things that help in securing Solution Manager’s connections with the Internet and the managed systems. There are others too, such as:

Setting up the SSL connection with SAP Host Agent, and network encryption.

But as already mentioned, there are lots of other possibilities available, based on the customer’s own security practices.

Now I would like to hear from you all, please share your own experience on security concerns of solution manager and best practices you implemented.


      5 Comments
      Tammy Powlas

      Fortunately I wasn't the one who set up the RFC connections

       

      I helped set up the security roles; we used and changed the SAP standard security templates.  The Security wiki was a huge help.

       

      Thank you for taking the time to write about this.

       

      Tammy

      Jansi Rani Murugesan
      Blog Post Author

      Hi Tammy,

       

      Thanks a lot for the feedback.

       

      Yes, we need to be more cautious with critical roles and auth objects too.

       

      Still, I feel that it's very important to ensure security in Solution Manager connections and configuration, much more than in other R3 NetWeaver systems.

       

       

      Regards,

      Jansi

      Former Member

      Jansi,

      I am interested in hearing more about your approach to using Trusted RFCs in SolMan. We have our CUA in SolMan dev and recently converted to using Trusted RFCs for the CUA processes. It was in making this change that we on the security team discovered that the Basis guys had been "borrowing" our RFCs for their own processes, which were now breaking down, since the ID running their processes did not have the necessary trust authorization!

      So can you share with us which SolMan processes did you decide needed to use Trusted RFCs and which did not? We are still sorting it all out.

      Thanks for a very interesting post.

      Best regards,

      Gretchen

      Jansi Rani Murugesan
      Blog Post Author

      Hi Gretchen,

       

      Sorry for the very late reply, I hadn't noticed. Regarding the use of trusted RFC in functional scenarios, it is always the customer's decision.

       

      We also faced similar challenges, and our security team always considers the authorisation object S_RFC as critical, and it is not allowed to anyone except the system admins.

       

      Hence I suggest the same to you: it's not recommended to assign S_RFC to all the regular end users in SolMan. For example, for Technical Monitoring you are not required to use trusted RFCs; we can use a regular Login RFC for configuration, so whoever accesses it is also prompted for the user/pw of the managed system.

       

      There are other scenarios handled by generic users, like CDMC and CCLM, which collect objects from the managed system and use the trusted RFC as one of the prerequisites. In such cases we need to enable trusted RFC; there is no other option. But we can restrict the end user auth control for accessing info.

       

      Regarding your CUA processes also, try having these jobs scheduled by system users with S_RFC (trusted RFC) access. Another option is to assign the trusted RFC role to the members who are actually releasing the job. Other than that, check whether these processes can use other RFCs like Read or Login; if yes, use those RFCs.

       

      Thanks,

      Jansi

      Prakhar Saxena

      Hi Gretchen

       

      In addition to the above reply, it also depends on the scenarios we are talking about, in addition to the customer's existing processes and landscape.

      Basically, if we design it better we get clear transparency, so a Solution Manager Technical Architect must help the customer to have an optimal solution.

       

      For a specific customer, I have implemented 10 different ChaRM and service desk for 10 different customers in the same Solution Manager system, based upon the complex system landscape. The challenge was to have multiple customers using only one instance of Solution Manager, based upon an internal agreement.

       

      Every customer has a different authorization concept based upon solution/project, service desk, support team, etc., and all of it is possible and achievable... more important, they are still using it, for the past 5 years or so.

       

      Thus, we do have plenty of options with functional configuration authorization matrix and role and authorization PFCG.Workcenter etc to achieve complex implementation

       

      I hope this info might help you

       

      Regards

      Prakhar