How does the content verification with Software Provisioning Manager 1.0 SP 21 work?
You may be aware that with Software Provisioning Manager 1.0 SP 21 (it actually started with SP 20 already), the software that is provided by and downloaded from SAP is checked for authenticity and integrity prior to being installed on your system. This functionality is called “Verification” for the Software Provisioning Manager.
If SAPinst detects that the downloaded content does not come directly from SAP or has been modified in any way, it refuses to use the software or to install the content.
This blog post explains the method behind this functionality and how it works.
Background / Motivation
Security is always a topic when dealing with software that comes from “somewhere” and is supposed to be installed on your local server.
SAP has very high internal security standards to ensure that software coming from SAP is safe and can be installed without any security breaches. Additionally, it needs to be assured that the software packages downloaded from SAP, and only these software packages, are used for the installation.
To prevent a “man in the middle” attack, where software packages could potentially be exchanged and then contain hazardous parts which are subsequently installed, SAP has defined a verification function for the Software Provisioning Manager and for the content that is used for the installation with this tool.
How does it work
With Software Provisioning Manager SP 20 the Software Provisioning Manager itself (e.g. control XML) and the DVDs are verified. As of SP 21 the verification of the SAR files has been further improved.
What happens is that in the background a signature check on the different software pieces is executed. Only software that is signed with a digital signature from SAP is accepted and will be processed. The signature is created and attached to the software during the build and release process at SAP.
Software for which a signature is expected but which does not have one will not be accepted (see Limitations). Even the correct software from an older download will be rejected if a signature is not available or is not correct.
This signature check happens inside the compiled program and cannot be bypassed, and the signature in the content cannot be faked.
The signature verification takes only a few seconds, e.g. between 10 and 20 seconds for a DVD.
Limitations and Outlook
As mentioned, the signature verification is performed for all content. However, older DVDs, e.g. older RDBMS DVDs and DVDs from product versions released for NetWeaver 7.40 SR2, will not be checked.
The verification of software used with and by the Software Provisioning Manager will be improved further, and in the future new content formats will also be checked for the internal signature.
Here’s a screenshot where Software Provisioning Manager is verifying its own content:
This is the error message if a DVD is not signed:
This shows the verification of packages while running:
Stefan Jakobi Product Management Cloud and Lifecycle Management