SAP on IBM i: Security considerations with the NetServer (SMB protocol)
In 2017, IT-security related headlines have raised concerns for the better protection of business data. The focus has shifted from convenience to better security.
As a result, SAP has revised its recommendations for installations on the IBM i platform and summarized the results in this document. In general, we no longer recommend sharing the root directory of an IBM i host via NetServer.
In the past, the standard SAP NetWeaver installation procedure included creating a Server Message Block (SMB) share ROOTBIN, exporting the main filesystem directory of an IBM i host. These shares could then be used for transferring SAP installation media from a typical Windows workstation to the IBM i file system. In addition, the log files of the Software Provisioning Manager could be opened and analyzed on a Windows machine via a network path instead of a text based 5250 Telnet session.
While the described procedure is very flexible and offers convenience in many usage scenarios, it has a significant drawback regarding security. Once a ROOTBIN share has been mapped on a Windows machine and a read/write connection is established, it is possible to read files across the whole file system of the IBM i host, and to modify or even delete them (depending on the access rights of the user account used for the SMB connection). Two major risks are identifiable in this scenario:
- Accidental deletion or modification of files, libraries or other IBM i objects, caused by a mistake on the Windows workstation (accidentally dragging files, mistyping a batch command, etc.)
- Malicious deletion, modification or theft of data on the IBM i system, caused by a malware infection of the Windows workstation.
The notorious WannaCry ransomware attack in May 2017 is one of many examples to emphasize the importance of protecting critical data and limiting potential damages in case of a security breach.
To prevent accidental or malicious data loss, corruption or theft in the scenarios described above, we no longer recommend creating ROOTBIN shares on an IBM i host when installing or running SAP. Instead, alternative methods such as the following should be used to transfer the installation media:
- One possible alternative method is creating a constricted SMB share TMPSAP for the directory “/tmp/SAP” as described in the updated SAP installation documentation for IBM i. TMPSAP can be safely used to transfer files between Windows and IBM i without unnecessarily exposing the entire IBM i file system to Windows, thus preventing the kind of risks described above.
- Another possibility to transfer the installation media is to use other network protocols like SSH (in conjunction with utilities like scp or rsync) or SFTP (file transfer protocol over SSL connection).
- Yet another possibility is to use physical optical media and copy the installation files offline.
SMB network shares are also used in distributed scenarios with additional Windows application servers. In such cases, the standard SAP recommendations are still valid: Additional Windows application servers only need access to the following directory of the IBM i: “/usr/sap/<SAPSID>”. Exposure of the root directory at the IBM i side is not necessary.
SMBv1 vs SMBv2
The WannaCry ransomware mentioned above exploited a security flaw in the Server Message Block version 1 (SMBv1) protocol. The malware infected machines that were configured to allow SMBv1 for communication. Microsoft provided a software update that closed the security hole. However, following the attack, default settings in Windows were changed. SMBv1 is now disabled by default and cannot be used unless explicitly enabled. It is no longer possible to connect Windows clients to IBM i SMB shares via SMBv1. For more information about the described security flaw in the SMBv1 protocol, see the Microsoft Security Bulletin MS17-010 at https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.
SMB support in IBM i up to version 7.1 is limited to SMBv1 only. IBM i 7.2 requires the PTFs MF63692, MF63693, MF63694 and SI64984 to also support SMBv2. IBM i 7.3 supports SMBv2 starting with the initial shipment, but we also recommend installing the correction MF63136 for IBM i 7.3. More details about SMBv2 support with IBM i can be found at https://www.ibm.com/support/docview.wss?uid=nas8N1022198. If you are still using IBM i 7.1, we highly recommend upgrading to IBM i 7.2 or 7.3 and installing the mentioned PTFs. If you cannot upgrade to a higher release now and consider the risks of using the vulnerable SMBv1 protocol acceptable, you can re-enable SMBv1 on your Windows machines as described in the Microsoft support documentation at https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows.
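As an added example (not part of this SAP document and not SAP or IBM code), the following PowerShell audit, run on a Windows workstation, lists active SMB connections that either map a share exposing the IBM i root directory (the legacy ROOTBIN share discussed above) or still negotiate SMBv1 as described in this section. The share-name list and the availability of the SmbShare cmdlets (Windows 8 / Server 2012 or later) are assumptions.

```powershell
# Added example (not SAP or IBM code): audit a Windows workstation for the two
# risks discussed above - mapped IBM i shares that expose the root directory
# (the legacy ROOTBIN share) and SMB connections that still negotiate SMBv1.
# Assumes the SmbShare module is present; the optional-feature query needs an
# elevated session.

# Share names that expose the whole IBM i file system. ROOTBIN comes from the
# text above; extend the list with any site-specific root share names.
$RootExposingShares = @('ROOTBIN')

function Get-SmbRiskReport {
    param(
        # Active connections; defaults to the live list so the function can
        # also be fed a captured set of connection objects for offline review.
        [object[]]$Connections = (Get-SmbConnection)
    )
    foreach ($c in $Connections) {
        $findings = @()
        if ($RootExposingShares -contains $c.ShareName.ToUpper()) {
            $findings += 'share exposes host root directory'
        }
        # Dialect is a version string such as "1.5", "2.1" or "3.1.1";
        # anything below 2.0 means the connection is running SMBv1.
        if ([version]$c.Dialect -lt [version]'2.0') {
            $findings += 'connection negotiated SMBv1'
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Server   = $c.ServerName
                Share    = $c.ShareName
                Dialect  = $c.Dialect
                Findings = ($findings -join '; ')
            }
        }
    }
}

# Is the SMB1 client component still installed on this workstation?
# (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol removes it.)
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1 -and $smb1.State -eq 'Enabled') {
    Write-Warning 'SMB1Protocol is enabled on this client; disable it unless an IBM i 7.1 host still requires it.'
}

Get-SmbRiskReport | Format-Table -AutoSize
```

An empty table after the run means no mapped share matched the root-exposing list and every active SMB session negotiated SMBv2 or later.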
For more information about connecting SAP systems on IBM i with additional Windows application servers via SMB, see SAP Note 1680045.