Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Content Verification with Software Provisioning Manager 1.0 SP 21

SJ1111
Advisor
Advisor
‎09-11-2017 7:20 AM
0 Kudos

How does the content verification with Software Provisioning Manager 1.0 SP 21 work?


Introduction:


You may be aware that with Software Provisioning Manager 1.0 SP 21 (it actually started with SP 20 already) the software that is provided and downloaded from SAP is checked for authenticity and integrity prior to be installed onto your system. This functionality is called "Verification" for the Software Provisioning Manager.

If SAPinst detects that the downloaded content is not coming directly from SAP or has been modified in any way, it rejects to use the software or to install the content.

The method behind this functionality and how it works is the purpose of this blog post.

Background / Motivation


Security is always a topic when dealing with software that comes from "somewhere" and is supposed to be installed on your local server.

SAP has very high internal Security Standards to ensure that software coming from SAP is safe and can be installed without any security breaches. Additionally it needs to be assured that when the software packages are downloaded from SAP, that these and only these software packages are used for the installation.

To prevent a "man in the middle" attack, where software packages could potentially be exchanged and then contain hazardous parts which are subsequently installed, SAP has defined a verification function for the Software Provisioning Manager and the content, which is used for the installation with this tool.

How does it work


With Software Provisioning Manager SP 20 the Software Provisioning Manager itself (e.g. control XML) and the DVDs are verified. As of SP 21 the verification of the SAR files has been further improved.

What happens is that in the background a signature check on the different software pieces is executed. Only software that is signed with a digital signature from SAP is accepted and will be processed. The signature is created and attached to the software during the build and release process at SAP.

Software, for which the signature is expected and that does not have the signature will not be accepted (See Limitations). Even the correct software from an older download will be rejected if a signature is not available or is not correct.

This check on the signature happens inside the compiled program and cannot be bypassed and the signature in the content cannot be faked.

The signature verification takes only a few seconds. E.g. for a DVD between 10 and 20 seconds.

Limitations and Lookout


As mentioned, for all content, the signature verification is performed. How ever, older DVDs, e.g. older RDBMS DVDs and DVDs from product versions released for NetWeaver 7.40 SR2 will not be checked.

The verification of software used with and by the Software Provisioning Manager will be improved further and new content formats in the future will also be checked for the internal signature.

Some Screenshots


Here's a screenshot where Software Provisioning Manager is verifying its own content:



This is the error message if a DVD is not signed:



This shows the verification of packages while running:



 

Best Regards
Stefan Jakobi



Product Management 



Cloud and Lifecycle Management
2 Comments
Labels in this area
Popular Blog Posts