SAP remote connections via SAP Router and its security
- What is SAP Router?
- What is SAP Router used for?
- What doesn’t SAP Router support?
- What protocols does SAP Router use?
- What is SAP Protocol?
- How are the connections between a customer’s SAP Router to SAP’s SAP Routers secured?
- What is SNC?
- What Levels of security will SNC provide?
- How does SNC carry out its encryption?
- What are route permission tables in SAP Router?
- How do I configure SNC in our route permission table?
- How does a customer’s SAP Router know what connection to accept from SAP’s SAP Routers?
- How can a customer register their SAP Router with SAP?
- What are the most common types of connections for SAP Router?
- Where can I get the certificates I need to establish a trust?
- What is the process of SAP connecting to a customer’s SAP Router?
- What are the port numbers for the different connection types?
- When the connections are closed/open on the customer’s SAP Router, where does this occur and what controls this?
- Can I avoid password access to customer systems?
1: What is SAP Router?
SAP router is a standalone program that protects your SAP network against unauthorised access. SAP router is a proxy in a network connection between SAP systems, or between SAP systems and external networks. SAP router acts as an extra firewall to the existing firewall (port filter). It is usually installed directly on the firewall host. The SAP router port serves as a gateway, through which connections to your firewall-protected system can be opened. You can specify the connections you want to allow in a route permission table.
2: What is it used for?
With SAP router you can control and log incoming connections to an SAP system. SAP router can be used to improve network security. Connections and data can be protected by a password from unauthorised external access. With the route permission table you can specify that connections only from selected SAP routers are permitted. With the SNC layer encrypted connections from a known partner can be permitted.
3: What doesn’t SAP Router support? Unsupported scenarios:
- Communication between server components with HTTP-based protocols through the SAProuter (e.g. Web service calls through HTTP) (For HTTP, SSL will be used)
- Communication from a user interface such as the browser or the Business Client through SAProuter to an application server (e.g. Web Dynpro or BSP-based applications)
- Binary protocols (e.g. terminal server, X-server) between communication partners
4: What protocols does SAP Router use?
This is the Network Interface (NI) and is used by SAP router, all SAP programs, and development kits for CPI-C and remote function call (RFC). In the OSI 7 layer model, the NI layer forms the upper part of the transport layer. The NI protocol uses TCP or UDP. The protocol is also known as the SAP protocol.
5: What is SAP Protocol?
The SAP Protocol is the protocol used by SAP programs that communicate using the NI interface. This is an enhanced version of the TCP/IP protocol, which has been extended by one field and some options for error information.
6: How are the connections between a customer’s SAP Router and SAP’s SAP Routers secured?
There are two different options here:
Option 1: IPSEC/VPN
LAN-to-LAN IPSec VPNs are established between SAP and the customer’s network to provide data confidentiality and integrity services. These VPNs complement the leased lines in the current Remote Customer Support Network environment. State-of-the-art encryption, authentication, and access control technology will be employed. VPN equipment is required at both ends of the connection. The VPN switch at the customer’s side must be reachable from the Internet.
Option 2: SNC
SNC is used to make network connections using the Internet, in particular WAN connections, secure. It provides reliable authentication as well as encryption of the data to be transferred. SAProuter allows SNC connections to be set up. The route permission table can be used to specify precisely whether SNC connections are to be allowed, and if so, which ones. A comparison between both can be found here.
7: What is SNC?
Secure Network Communications (SNC) integrates SAP NetWeaver Single Sign-On or an external security product with SAP systems. SNC protects the data communication paths between the various client and server components of the SAP system that use the SAP protocols RFC or DIAG. More information on SNC can be found here.
8: What Levels of security will SNC provide?
There are three levels of security protection you can apply, they are:
- Authentication only
- Integrity protection
- Privacy protection
When using authentication only, the system verifies the identity of the communication partners. This is the minimum protection level offered by SNC. NOTE: No actual data protection is provided!
When using integrity protection, the system detects any changes or manipulation of the data, which may have occurred between the two end points of a communication.
When using privacy protection, the system encrypts the messages being transferred to make eavesdropping useless. Privacy protection also includes integrity protection of the data. This is the maximum level of protection provided by SNC.
9: How does SNC carry out its encryption?
SNC uses the SAP Cryptographic Library. It is the default security product delivered by SAP for performing encryption functions in SAP systems. For example, you can use it for providing Secure Network Communications (SNC) between various SAP server components or for using the Secure Sockets Layer (SSL) protocol with the AS ABAP.
Hashing algorithms: MD5, SHA1, SHA224, SHA256, SHA384, SHA512, RIPEMD128, RIPEMD160
Encryption algorithms: RSA, ELGAMAL, AES128, AES192, AES256, DES, TDES2KEY, TDES3KEY, IDEA, RC2, RC4, RC5_32
Several of the listed algorithms (MD5, SHA1, DES, RC2, RC4) are considered obsolete today; that the library supports them does not mean they should be selected for new configurations.
The SAP Cryptographic Library uses public key technology. Each component is issued a pair of keys that consists of a private and a public key. The private key is to be kept safe on the server and the public key is to be distributed to communication partners in the form of a public-key certificate. Trust is established by verifying the communication partner’s public key provided with the public-key certificate. Both the Key Storage service on the AS Java and the trust manager on the AS ABAP provide functions for generating the key pair. These tools are available when using the cryptographic products provided by SAP. You can see more information on the public key certificates here. A full list of details can be found in SAP Note 1848999.
10: What are route permission tables in SAP Router?
The route permission table contains the host names and port numbers of the predecessor and successor points on the route (from the SAProuter’s point of view), as well as the passwords required to set up the connection (each entry corresponds to a substring of the route string). It is used to specify which connections are allowed and which are prohibited by SAProuter. It also specifies whether SNC connections are set up and, if so, which ones. This acts as another protective mechanism that can be used to control which SAProuters have access to your SAProuter and thus what traffic can flow in and out via the SAProuter. Note that the password in the route string is stored as plain text.
11: How do I configure SNC in our route permission table?
All the configuration steps are listed here.
12: How does a customer’s SAP Router know what connection to accept from SAP’s SAP Routers?
When the route permission table is set up correctly, a customer’s SAProuter will only ever accept an incoming connection if it finds a corresponding entry in its route permission table. For normal incoming connections (that do not use SNC protection), it identifies the communication partner using the source host (IP address) and the destination (host and service). However, for SNC-protected connections coming from a SAProuter, it uses the source SAProuter’s SNC name for identification, which is maintained in the route permission table.
13: How can I register my SAP Router with SAP?
SAProuter configuration requires SAP IT to add your external IP address to the SAP Network. This creates a secure communication route between SAP and your landscape. To register your configuration with SAP, follow the instructions in SAP Note 28976 – Remote connection data sheet to create a message with the necessary data so that one of SAP’s external partner companies will assist you. More information can be found here.
14: What are the most common types of connections for SAP Router?
There are many different connection types for the SAProuter but the two most commonly used connection types are IPSEC/VPN and SNC (your public/business internet encrypted with certificate).
15: Where can I get the certificates I need to establish a trust?
These certificates can be downloaded/generated from the SAP Market Place. They are issued by SAP. Without this certificate remote support is not possible. The certificate establishes the trust between the two SAProuters.
16: What is the process of SAP connecting to a customer’s SAP Router?
The connection to a customer’s system is made using Route strings. A route is defined for SAProuter in the form of a route string, which must observe specific syntax rules. A route string contains an entry, or substring, for each SAProuter and for the target server. Each substring contains the information that SAProuter needs to make a connection in the route:
- the host name
- the port name
- and the password, if supplied.
By default, route strings are sent without a password. The default value for service is “3299”, and the default password is “” (empty).
The following example shows a sample connection between SAP and a customer system. An SAP service engineer working at sappc needs to log on to a customer application server yourapp, which offers or uses the service sapservice. The SAP service engineer logs onto R/3 and connects sappc to yourapp via the SAProuter on saprouter and the customer’s SAProuter yoursaprouter. yoursaprouter requires the password pass_to_app for connections to yourapp. The route string looks like this:
/H/saprouter/H/yoursaprouter/H/yourapp/S/sapservice/P/pass_to_app
This route string is interpreted by SAProuter as follows. The connection from sappc to the application server is made in the following stages:
| Stage | Action |
| --- | --- |
| sappc (frontend) | builds the connection to the SAProuter on saprouter according to substring 1, and passes on the remainder of the route information. |
| saprouter (SAProuter) | checks whether the route sappc to yoursaprouter, 3299 is permitted, builds the connection to the SAProuter on yoursaprouter, and passes on substring 3. |
| yoursaprouter (SAProuter) | checks whether the route saprouter to yourapp, sapservice is permitted. The password pass_to_app is also checked. SAProuter then builds the connection to the application server. |
SAProuter always checks only the previous host name or IP address and the next substring (/H/…/S/…/P/…) for the host name or IP address, service and password. No password is used in the first substring, since the client is accessing itself. If the /S/ part is missing, the default SAProuter port number is used. If the /P/ part is missing, no password is used.
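The route-string syntax and the stage-by-stage checks above, together with the route permission table described in question 10, can be replayed in a few lines of Python. The following is an added model written for this page, not SAProuter code from SAP: it splits a route string into its /H/…/S/…/P/… substrings (applying the defaults 3299 and empty password), and lets each SAProuter on the route check only the previous host and the next substring against its own table, exactly as the text describes. The saprouttab subset modelled (P permit / D deny / S SAP-protocol-only entries, "*" wildcard, first match wins, refuse if nothing matches, password compared only when the entry carries one) is a simplification and omits SNC (K*) entries; all host names, services, passwords and table contents are constructed sample values.

```python
"""Route strings and route permission tables (saprouttab), modelled in Python.

Added illustration, not SAP's SAProuter code. Each SAProuter on the route
checks only (previous host -> next substring) against its own table, as the
text describes. The saprouttab subset here (P/D/S entries, '*' wildcard,
first match wins, deny when nothing matches) is a simplification; SNC (K*)
entries are not modelled. All names, passwords and tables are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Tuple

DEFAULT_SERVICE = "3299"   # default SAProuter port, as stated in the text


@dataclass
class Hop:
    host: str
    service: str = DEFAULT_SERVICE
    password: str = ""      # default password is empty


@dataclass
class Rule:
    action: str             # "P" permit, "D" deny, "S" permit SAP protocol only
    source: str             # previous host (pattern, "*" = any)
    dest: str               # next host (pattern)
    service: str            # next service/port (pattern)
    password: str = ""      # password the route must carry; empty = none required


def parse_route_string(route: str) -> List[Hop]:
    """Split e.g. /H/a/H/b/S/svc/P/pw into hops: /H/ opens a new substring,
    /S/ and /P/ qualify the substring opened last."""
    if not route.startswith("/H/"):
        raise ValueError("route string must start with /H/")
    parts = route.strip("/").split("/")
    if len(parts) % 2:
        raise ValueError("malformed route string")
    hops: List[Hop] = []
    for key, value in zip(parts[0::2], parts[1::2]):
        if key == "H":
            hops.append(Hop(host=value))
        elif key == "S":
            hops[-1].service = value
        elif key == "P":
            hops[-1].password = value
        else:
            raise ValueError(f"unknown route element /{key}/")
    return hops


def parse_saprouttab(text: str) -> List[Rule]:
    """Parse the simplified saprouttab subset; '#' starts a comment."""
    rules: List[Rule] = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] not in ("P", "D", "S") or len(fields) < 4:
            raise ValueError(f"unsupported saprouttab entry: {line!r}")
        rules.append(Rule(*fields[:5]))
    return rules


def check_hop(rules: List[Rule], previous: str, nxt: Hop) -> bool:
    """Apply the first matching entry; no match means the route is refused."""
    for r in rules:
        if (fnmatch(previous.lower(), r.source.lower())
                and fnmatch(nxt.host.lower(), r.dest.lower())
                and fnmatch(nxt.service, r.service)):
            if r.action == "D":
                return False
            return r.password == "" or r.password == nxt.password
    return False


def walk_route(frontend: str, route: str,
               tables: Dict[str, List[Rule]]) -> List[Tuple[str, str, str, bool]]:
    """Replay the stages from the text: the SAProuter at hop i checks
    (host before it -> hop i+1). Returns (router, previous, target, allowed)."""
    hops = parse_route_string(route)
    stages = []
    for i in range(len(hops) - 1):
        router = hops[i].host
        previous = frontend if i == 0 else hops[i - 1].host
        target = hops[i + 1]
        allowed = check_hop(tables[router], previous, target)
        stages.append((router, previous, f"{target.host}:{target.service}", allowed))
        if not allowed:
            break          # the connection is refused at this SAProuter
    return stages


def route_allowed(frontend: str, route: str, tables: Dict[str, List[Rule]]) -> bool:
    stages = walk_route(frontend, route, tables)
    return bool(stages) and all(s[3] for s in stages)


# Constructed tables for the SAP-side and customer-side SAProuters of the example.
TABLES = {
    "saprouter": parse_saprouttab("""
        P sappc yoursaprouter 3299
        D * * *
    """),
    "yoursaprouter": parse_saprouttab("""
        P saprouter yourapp sapservice pass_to_app   # password required
        D * * *                                      # deny everything else
    """),
}
ROUTE = "/H/saprouter/H/yoursaprouter/H/yourapp/S/sapservice/P/pass_to_app"

if __name__ == "__main__":
    for stage in walk_route("sappc", ROUTE, TABLES):
        print(stage)
```

Running the block prints the two checks from the table above, both permitted. Dropping the /P/ part, or pointing the last substring at a host other than yourapp, makes the customer-side SAProuter refuse the route at the final `D * * *` entry; replacing the customer table with a single `P * * *` removes that protection entirely, which is why a closing deny entry belongs at the end of every route permission table.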
17: What are the port numbers for the different connection types?
Before reading the below ports, DO NOT confuse these ports with the SAProuter 3299. 3299 is the only port which is allowed open on the SAP Router. Ports to be allowed in internal firewall/router (for Secured connection):
18: When the connections are closed/open on the customer side, where does this occur?
Basically everything related to support connection handling/configuration is done on the SAP side. SAP does not change anything in the customer’s SAProuter configuration. It is the customer’s responsibility to configure the support connection settings correctly, i.e. settings such as System Type and Connection Type.
With the connection type, the customer determines whether SAP is allowed to open a support connection without additional involvement from their side, or alternatively whether the customer handles this on their end. If the customer configures it so that SAP is allowed to open a connection, the SAP Support colleague can request the connection opening via the STFK framework. If the customer chooses to handle this process themselves, a request is made via the SAP Incident process. When the customer has configured the Support Connection settings correctly, the STFK framework on the SAP side knows the route information needed to establish a connection to the customer’s system and also allows such a connection on the SAP SAProuter. Opening/closing a support connection in STFK is handled by the Support Connection Framework on the SAP side, which determines whether a connection to the customer system is allowed or not.
This is done without involvement of SAProuter and without changing the saprouttab; it is handled by the Framework itself. On the customer side, all connections can run via SAProuter, and only this SAProuter port has to be allowed in the firewall settings. SAProuter supports only one listening port for new incoming connections, no matter what kind of protocol is used afterwards; SAProuter only needs the route information to establish the connection to the next hop, and this route information has to be the first data packet on a new TCP connection.
A route/connection can be a raw TCP connection once the connection between source and target is established. This is the reason why other protocols, not just RFC/DIAG, can also run via SAProuter. SAP sends the route information to the SAP-side SAProuter and forwards the application traffic to this connection; SAProuter then acts like a simple proxy, so an SSH/Telnet connection can also be realised via SAProuter. The exception here is HTTP/HTTPS connections on the SAP side. These are handled by the SAP Web Dispatcher, which acts as a reverse proxy on the SAP side but forwards its connections to the SAProuter on the customer side, so on the customer side HTTP/HTTPS also comes in via the SAProuter port. The decision on where to forward the traffic is configured by the route information, which is also held by the SAP Web Dispatcher and enables it to forward the connection on to the customer’s SAProuter.
19: Can I avoid password access to customer systems?
The answer is yes. SAP has established and operates a dedicated PKI to allow Secure Network Communications (SNC) and Single Sign-On (SSO) to access customer systems remotely. The dedicated CA only issues temporarily generated certificates for the user SAPSUPPORT with a validity of 8 hours. This new secure remote access scenario is part of the SAP standard support package and eliminates maintaining the target user credentials in the SAP Secure Area. The SNC name p:CN=SAPSUPPORT, O=SAP-SE, C=DE can be assigned to one or multiple users on the SAP application server. See SAP Note 2562127 for more information.