Setting Up a Highly Secured SAP Solution Manager Environment
Security is a common and very big concern in today’s IT world. Earlier in my career, one of my clients totally rejected the CEN monitoring setup in Solution Manager due to security concerns about the trusted RFC connections from SAP Solution Manager to all the managed systems.
Yes, Solution Manager acts as the central monitoring hub and centrally manages all your landscape details, but that does not mean Solution Manager is a gateway for connecting to all the managed systems without any security considerations in place. New functionality is released with every SP release of Solution Manager. From 7.1 onwards, infrastructure management is also integrated with application lifecycle management. In such a situation, how can we ensure at least basic security in the Solution Manager environment?
There are lots of security practices, like installing the system in a DMZ, and third-party security products are also available. Security is a big topic: you can do encryption at any level in an SAP system, either on the application side or on the networking side. But before that, there are lots of basic possibilities available on the Solution Manager system side to ensure security, without going for high-level encryption.
Through this blog I would like to raise awareness of these very basic areas in Solution Manager where we can improve security.
Security Tips from Security Guide
I admit that it is very difficult to read and review the SAP security guide, which is a single file of 66 MB. But make it teamwork: split the pages, review them, and get an understanding of the major changes to authorization objects in Solution Manager, the list of functionality where trusted RFCs are a must, and also interesting topics such as SSL.
The guide is below: SAP Solution Manager 7.1 Security Guide
After a short review, the areas below cover secure connections between Solution Manager and the managed systems:
- Enable HTTPS for ICF Services (page 64)
- Enable SSL (page 66)
- Secure Storage (page 77)
Whether you implement all of them depends entirely on your environment strategy. But when security is priority one, all of the above fall under “must implement”.
This is the first step: enable secure data transfer for Solution Manager itself. It is also the prerequisite for other SSL connections, such as those for web services, certificate authentication and a secure database. Enabling HTTPS is similar on all SAP systems: a list of standard tasks such as setting the SSL parameters, opening the SSL port and adding the cryptographic library.
To set up SSL, follow “SSL Configuration in SAP ABAP AS and JAVA AS – Step-by-step procedure”, and also follow the security guide, page 66.
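The three standard tasks named above (SSL parameters, SSL port, cryptographic library) can be checked by reading an instance profile. The script below is an added example, not taken from the security guide or from SAP; the parameter names `icm/server_port_<n>`, `ssl/ssl_lib` and `sec/libsapsecu` are standard ABAP profile parameters that this post does not list, and the sample profile, SID and paths are constructed.

```python
import re

# Constructed sample instance profile (SID "SM1" and paths are made up).
SAMPLE_PROFILE = """\
# ICM ports ($$ is replaced by the instance number)
icm/server_port_0 = PROT=HTTP,PORT=80$$
icm/server_port_1 = PROT=HTTPS,PORT=443$$,TIMEOUT=60
ssl/ssl_lib = /usr/sap/SM1/DVEBMGS00/exe/libsapcrypto.so
sec/libsapsecu = /usr/sap/SM1/DVEBMGS00/exe/libsapcrypto.so
"""

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def icm_ports(params):
    """Yield (index, protocol, port) for each icm/server_port_<n> entry."""
    for name, value in sorted(params.items()):
        m = re.fullmatch(r"icm/server_port_(\d+)", name)
        if not m:
            continue
        opts = dict(kv.split("=", 1) for kv in value.split(",") if "=" in kv)
        yield int(m.group(1)), opts.get("PROT", "").upper(), opts.get("PORT", "")

def audit_https(text):
    """Report which HTTPS prerequisites are missing or still weak."""
    params = parse_profile(text)
    ports = list(icm_ports(params))
    findings = []
    if not any(prot == "HTTPS" for _, prot, _ in ports):
        findings.append("no icm/server_port_<n> entry with PROT=HTTPS")
    for idx, prot, port in ports:
        if prot == "HTTP":
            findings.append(f"icm/server_port_{idx} still serves plain HTTP on {port}")
    for lib in ("ssl/ssl_lib", "sec/libsapsecu"):
        if not params.get(lib):
            findings.append(f"{lib} is not set (cryptographic library path)")
    return findings

if __name__ == "__main__":
    for finding in audit_https(SAMPLE_PROFILE) or ["HTTPS prerequisites present"]:
        print(finding)
```

On the sample profile this reports only the remaining plain HTTP port; whether that port should stay open depends on your environment strategy.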
Secure communication with Web services
SAP Solution Manager functionality is based on role-based work centers. If you plan to provide work center access to end users, SSL connections for web services are worth considering.
Follow the security guide, page 52, and SAP Note 1716999 – Enable HTTPS for Solution Manager web service communications.
Secure connection with Diagnostics agent
If you plan to implement RCA, it is good to enable an SSL connection between the diagnostics agent and Solution Manager.
Follow the Diagnostics agent guide in SAP Note 144865 and the wiki below: SAP Community Network Wiki – SAP Solution Manager Setup – Certificate Based Authentication for th…
Secure storage is simply where all your RFC users and passwords are stored in encoded format. It is a standard component, and the system uses a default key to encrypt. For more on this, review SAP Note 1027439.
I have just listed the basic things that help in securing Solution Manager's connections with the Internet and the managed systems. There are others also, like,
But as already mentioned, there are lots of other possibilities available as well, based on the customer's own security practices.
Now I would like to hear from you all: please share your own experience with security concerns around Solution Manager and the best practices you have implemented.