How to make your SAP Fiori Environment Secure
In this blog I will explain, at a high level, how to secure the SAP Fiori environment.
It is important to secure the SAP environment when SAP ERP business processes are exposed to the outside world (the Internet) via Fiori applications. Attackers are everywhere!
In most cases we will be exposing the Fiori front-end (Gateway) to the outside world. Just imagine an attacker being able to execute the stopsap script on the Gateway instance and take it down.
That makes the instance unavailable and users can no longer access the system, which directly affects productivity. To avoid this, always patch and harden the message server. Do not use the message server as a load balancer; always use SAP Web Dispatcher for load balancing.
What if purchase requisitions or purchase orders worth millions of dollars reach the wrong person and are approved without the consent of the right decision makers?
This would affect data integrity and could also have a material impact on the organization's finances. To avoid this, always establish strong authentication so that incorrect business transactions cannot be carried out.
When Fiori is accessed from a mobile device, we often unintentionally share many business documents (attachments such as images, PDFs, etc.) by downloading, copying and sharing or forwarding them over insecure messaging apps. Depending on the organization's policies, this can amount to an information breach.
We can control security by adopting guidelines at the administrative and technical levels.
- Designing administrative policies, processes, procedures and guidelines, and educating end users to ensure awareness.
- Applying strict password policies, roles, authorizations and antivirus at the Gateway instance level, and firewalls and web content filters at the Web Dispatcher level.
- It is always a good option to encrypt the data between the end client (mobile/tablet/desktop) and the Gateway server to make it more secure.
We need to strongly consider the key areas below when securing SAP Fiori.
- Landscape Network Architecture: Configure firewalls and demilitarized zones (DMZs).
- Encrypt the communication (Gateway <==> end client) over SSL/TLS, with X.509 certificate authentication.
- Endpoint Security: Organizations should have a policy to protect the data that has been downloaded onto users' mobile devices.
- Secure Software Development: Always follow best coding practices when developing objects.
- Vulnerability Detection and Management: Always check for the latest patches and recommended security configurations to adapt to changes in the threat environment.
- Authorization: Design the end-user role matrix from a security perspective. Avoid adding * (star) in authorization values.
- Authentication: Genuinely verify the identity of the logged-in user. Never hard-code a user ID in trusted RFC destinations; always check the logged-in user.
- Log Monitoring: Several logs (system, application, etc.) help in tracking issues and monitoring usage.
At a high level, to have a secure Fiori environment we need to look into three areas.
» Identify and terminate untrusted connections on a front-end server in the DMZ.
» Set up firewall rules between clients and servers.
» Implement web application firewalls in blocking mode between untrusted networks and the Gateway server.
» Implement the Web Dispatcher to technically restrict the ICF services accessible from untrusted networks.
The most commonly attacked web application vulnerabilities are:
2. Broken authentication and session management
3. Cross-site scripting (XSS)
4. Security misconfiguration
5. Sensitive data exposure
6. Cross-site request forgery
» Always follow the development standards when developing UI5 apps and OData services.
» Train the developers to achieve secure software development.
» Always implement authority checks (authorization objects) when calling a BAPI or BAdI in your OData service developments.
» You can use a standard code analysis tool like the Code Inspector.
Area3: 3-Point Secure Configuration
- Gateway Server secure configuration
- SAP Web Dispatcher configuration
- Secure Client configuration
1. Gateway Server secure configuration steps:
Harden your Gateway server:
The Gateway server core service listens on port 33XX (XX is the instance number). It is used for RFC and CPIC connections. This service is a point of attack for hackers. Always patch the server to the latest version and ensure this service is not exposed to external threat sources.
- Disable access to the SAP Gateway service from untrusted devices and networks.
- Disable untrusted gateway connections.
- Disable remote trace on your gateway server.
Harden your message server:
In an HTTP scenario, either the message server or SAP Web Dispatcher can be used to load balance client requests. When Fiori is exposed to the Internet over HTTP, always use only SAP Web Dispatcher for load balancing, so that the message server is not directly accessible from untrusted networks.
- Do not permit direct external connections to your front-end message server at the firewall.
- Ensure the SAP message server does not accept remote connections from untrusted networks.
Harden your ICF server:
The ICF server is the point of entry for untrusted connections. Always deploy it securely.
- Only enable services on a demonstrated need-to-have basis.
- Only permit access to SAP Fiori services on the SAP Web Dispatcher.
- Disable multiple logons
- Disable unencrypted (HTTP) traffic to the ICM.
- Activate HTTP security session management.
- Ensure ICM error messages do not contain sensitive information.
Harden your ABAP stack:
Always lock or deactivate unauthorized user accounts, and set the policy parameters in transaction RZ10.
- Lock down the SAP* account
- Disable multiple logons
- Ensure authority checks cannot be disabled
- Lock down the SAP Management Console
- Set an SAP GUI idle timeout
- Ensure that your password policy is configured to meet or exceed organizational password policy requirements
- Ensure the command field in debugger is disabled
- Ensure CALL SYSTEM is disabled
- Ensure anonymous RFC calls are disabled
- Ensure that RFC connections are configured to not accept expired passwords
- Ensure SSO tickets are encrypted with X.509 certificate Authentication.
- Ensure external debugging of ABAP over HTTP is disabled
- Ensure Skip First Screen is disabled
Enable the types of logs needed to monitor for and identify suspicious network-based activity.
- Ensure SAP Gateway logging is configured
- Enable SAP message server logging
- Log HTTPS traffic
- Activate table logging
- Activate the Security Audit Log (transaction SM19) and review it regularly (transaction SM20)
2. SAP Web Dispatcher configuration
When Fiori is exposed to the outside world, Web Dispatchers should be used to load balance the HTTPS traffic instead of the instance message server. Always make sure that the Web Dispatcher administrative functions are accessible only from networks and systems with a demonstrated need for access.
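Most of the gateway, message server, ABAP stack and logging items above map to SAP profile parameters, so they can be checked mechanically instead of by eye. The script below is an added example, not code from the blog or from SAP: it parses an instance profile in the usual "name = value" form and reports every item that is missing or weaker than the target. The parameter names are real SAP profile parameters; the two profiles are constructed for illustration, and the target values are assumed hardening baselines that you must reconcile with your own security baseline and the relevant SAP Notes.

```python
"""Audit an SAP instance profile against the hardening items listed above.

Added example, not from the original blog or from SAP. The profile texts are
constructed for illustration; parameter names are real SAP profile parameters,
target values are assumed baselines to be reconciled with your own standard.
"""

# Constructed profile of an unhardened system (illustration only).
WEAK_PROFILE = """\
# constructed instance profile
SAPSYSTEMNAME = FIO
gw/acl_mode = 0
gw/monitor = 2
ms/monitor = 1
login/no_automatic_user_sapstar = 1
login/disable_multi_gui_login = 0
auth/object_disabling_active = Y
rdisp/gui_auto_logout = 0
login/min_password_lng = 6
rfc/reject_expired_passwd = 0
service/protectedwebmethods = NONE
rsau/enable = 0
rec/client = OFF
"""

# Constructed profile after applying the hardening items (illustration only).
HARDENED_PROFILE = """\
gw/acl_mode = 1
gw/monitor = 1
ms/monitor = 0
login/no_automatic_user_sapstar = 1
login/disable_multi_gui_login = 1
auth/object_disabling_active = N
rdisp/gui_auto_logout = 900
login/min_password_lng = 12
rfc/reject_expired_passwd = 1
service/protectedwebmethods = SDEFAULT
rsau/enable = 1
rec/client = ALL
"""

# (parameter, rule, hardening item). Rules: eq = must equal, ne = must differ,
# in = one of the set, ge = numeric and at least the given value.
EXPECTED = [
    ("gw/acl_mode", ("eq", "1"), "gateway: ACL mode on, untrusted gateway connections refused"),
    ("gw/monitor", ("in", {"0", "1"}), "gateway: no remote gateway monitoring / trace"),
    ("ms/monitor", ("eq", "0"), "message server: no external monitoring"),
    ("login/no_automatic_user_sapstar", ("eq", "1"), "ABAP: SAP* locked down"),
    ("login/disable_multi_gui_login", ("eq", "1"), "ABAP: multiple logons disabled"),
    ("auth/object_disabling_active", ("eq", "N"), "ABAP: authority checks cannot be disabled"),
    ("rdisp/gui_auto_logout", ("ge", 1), "ABAP: SAP GUI idle timeout set"),
    ("login/min_password_lng", ("ge", 8), "ABAP: minimum password length (assumed baseline 8)"),
    ("rfc/reject_expired_passwd", ("eq", "1"), "ABAP: RFC rejects expired passwords"),
    ("service/protectedwebmethods", ("in", {"DEFAULT", "SDEFAULT"}), "ABAP: SAP Management Console web methods protected"),
    ("rsau/enable", ("eq", "1"), "logging: Security Audit Log (SM19/SM20) active"),
    ("rec/client", ("ne", "OFF"), "logging: table logging active"),
]


def parse_profile(text):
    """Parse 'name = value' lines, skipping comments and blank lines.
    A later occurrence of a parameter overrides an earlier one, as in SAP profiles."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def check_value(actual, rule):
    """Return True when the actual value satisfies the rule; None never passes."""
    kind, want = rule
    if actual is None:
        return False
    if kind == "eq":
        return actual == want
    if kind == "ne":
        return actual != want
    if kind == "in":
        return actual in want
    if kind == "ge":
        return actual.isdigit() and int(actual) >= want
    raise ValueError(f"unknown rule {kind}")


def audit_profile(text, expected=EXPECTED):
    """Return (parameter, actual value, item) for every failed check.
    A parameter that is not set at all is reported: the SAP default is not assumed safe."""
    params = parse_profile(text)
    return [(name, params.get(name), item)
            for name, rule, item in expected
            if not check_value(params.get(name), rule)]


if __name__ == "__main__":
    for name, actual, item in audit_profile(WEAK_PROFILE):
        print(f"FAIL {name} = {actual!r}: {item}")
    print("hardened profile findings:", audit_profile(HARDENED_PROFILE))
```

Run it against the exported profile of the front-end (Gateway) instance rather than against a hand-typed copy; a parameter that is missing from the profile is deliberately reported as a finding, because the installation default is what the hardening items are trying to move away from.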
- Disable detailed error logging on SAP Web Dispatcher
- Implement web filtering on SAP Web Dispatcher
- Ensure SAP Web Dispatcher allows only HTTPS
- Ensure administrative access communication is encrypted
- Ensure that administrative access is restricted to trusted network addresses with a demonstrated “need to have” access on the firewall
- Configure SAP Web Dispatcher to restrict administrative access to specific client hosts/networks
3. Secure Client configuration
Managing the security configuration of the clients (mobile devices) is challenging; currently we do not have enough controls for this on the Gateway server side.
We need to mandate that end users secure their mobile devices with a secure PIN.
It is possible to address these challenges by implementing SAP solutions such as SAP Afaria or SAP Mobile Secure. This requires additional licensing cost.
SAP Afaria has the features below to support a secure client configuration.
» Password policies
» Restriction policies
» Hardware and software information
» Application policies
» Exchange account management
» Wi-Fi policy management
The core services that launch the SAP Fiori Launchpad are USHELL and FLP. Always make sure they are served over secure HTTP (HTTPS), and always use a secure authentication method other than Basic.
You can also check the below blog related to SAP Fiori Security.
Considerations and Recommendations for Internet-facing Fiori apps
Thanks for all the info.
Could you elaborate more on “it’s always a good option to encrypt the data between end client and Gateway server”?
It’s just establishing secure communication between client and Gateway server over HTTPS, using an SSL certificate.
SSL technology provides data encryption, message integrity, server authentication, and optional client authentication for a TCP/IP connection.
SAP Web Dispatcher usually resides in the DMZ and is the point where the communication between Gateway server and client happens.
Encryption is possible with SSL in two ways; which one you choose depends on your requirement.
SSL Termination (with or without client certificate validation)
This option is considered if the network between Web Dispatcher and SAP Gateway is secured.
In SSL termination, the Web Dispatcher receives HTTPS-encrypted data, decrypts it and forwards unencrypted data to the SAP Gateway / backend (via HTTP).
Client verification (client certificates) is enabled by adding the following parameter:
icm/HTTPS/verify_client = 1 or 2
1: The server asks the client to transfer a certificate. If the client does not send a certificate, authentication is carried out by another method, for example, basic authentication (default setting).
2: The client must transfer a valid certificate to the server, otherwise access is denied.
SSL Re-Encryption (with or without client certificate validation)
This option is considered if the network between Web Dispatcher and SAP Gateway is unsecured.
The parameter wdisp/ssl_encrypt determines whether the SAP Web Dispatcher encrypts the request again with SSL before forwarding it.
wdisp/ssl_encrypt = 0 (receives HTTPS-encrypted data; the Web Dispatcher decrypts the data and forwards unencrypted data to the SAP backend)
wdisp/ssl_encrypt = 1 (receives HTTPS-encrypted data; the Web Dispatcher decrypts the data, re-encrypts it and forwards encrypted data to the SAP backend)
wdisp/ssl_encrypt = 2 (SSL is not terminated and the request is sent encrypted to the SAP backend)
Note: You can also configure the SAP Web Dispatcher for end-to-end SSL by specifying the protocol ROUTER when you define the icm/server_port_ parameter.
Example: icm/server_port_0 = PROT=ROUTER,PORT=60000
In both cases, encryption of the data happens between end client and Gateway server.
You can check the below Guide:
SAP Web Dispatcher for Fiori Applications
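The Web Dispatcher items in the post ("allows only HTTPS", "disable detailed error logging") and the termination / re-encryption parameters explained in the reply above can be checked together from the Web Dispatcher profile. The script below is an added example, not the blog author's code and not from SAP: it parses the icm/server_port_N listener definitions to flag any plain-HTTP listener, and judges wdisp/ssl_encrypt against a flag stating whether the network between Web Dispatcher and Gateway is trusted, as the reply describes. The parameter names are real (icm/server_port_N, wdisp/ssl_encrypt and icm/HTTPS/verify_client are on the page; is/HTTP/show_detailed_errors is the ICM parameter for detailed error pages); the two profiles are constructed for illustration and the target values are assumptions to align with your own baseline.

```python
"""Audit a SAP Web Dispatcher profile for the SSL items discussed above.

Added example, not from the original blog or from SAP. Profiles are
constructed for illustration; target values are assumed baselines.
"""

# Constructed profile with the weak settings the text warns about.
WEAK_WD_PROFILE = """\
# constructed Web Dispatcher profile (illustration only)
icm/server_port_0 = PROT=HTTP,PORT=8080
icm/server_port_1 = PROT=HTTPS,PORT=44300
wdisp/ssl_encrypt = 0
icm/HTTPS/verify_client = 0
is/HTTP/show_detailed_errors = TRUE
"""

# Constructed profile: HTTPS-only, re-encryption to the backend, one
# end-to-end SSL (ROUTER) listener, client certificates requested.
HARDENED_WD_PROFILE = """\
icm/server_port_0 = PROT=HTTPS,PORT=44300
icm/server_port_1 = PROT=ROUTER,PORT=60000
wdisp/ssl_encrypt = 1
icm/HTTPS/verify_client = 1
is/HTTP/show_detailed_errors = FALSE
"""


def parse_profile(text):
    """Parse 'name = value' lines; comments and blank lines are ignored."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def parse_port_options(value):
    """Split 'PROT=HTTPS,PORT=44300,...' into a dict with upper-cased keys."""
    opts = {}
    for part in value.split(","):
        key, sep, val = part.partition("=")
        if sep:
            opts[key.strip().upper()] = val.strip()
    return opts


def audit_webdispatcher(text, backend_network_trusted):
    """Return (parameter, actual value, finding) tuples.

    backend_network_trusted reflects the reply's distinction: SSL termination
    (wdisp/ssl_encrypt = 0) is acceptable only when the network between Web
    Dispatcher and Gateway is secured; otherwise re-encrypt (1) or pass SSL
    through untouched (2). Defaults assumed for missing parameters are the
    weak ones, so an unset parameter is reported.
    """
    params = parse_profile(text)
    findings = []

    # 1. Every listener must be HTTPS, or ROUTER for end-to-end SSL.
    for name, value in params.items():
        if name.startswith("icm/server_port_"):
            prot = parse_port_options(value).get("PROT", "").upper()
            if prot not in ("HTTPS", "ROUTER"):
                findings.append((name, value, "plain-text listener: Web Dispatcher should allow only HTTPS"))

    # 2. Forwarding mode towards the Gateway.
    ssl_encrypt = params.get("wdisp/ssl_encrypt", "0")
    if ssl_encrypt == "0" and not backend_network_trusted:
        findings.append(("wdisp/ssl_encrypt", ssl_encrypt,
                         "SSL terminated and forwarded unencrypted over an untrusted network; use 1 (re-encrypt) or 2 (no termination)"))

    # 3. Client certificate handling: 1 asks for a certificate, 2 requires one.
    verify = params.get("icm/HTTPS/verify_client", "0")
    if verify not in ("1", "2"):
        findings.append(("icm/HTTPS/verify_client", verify, "client certificates are never requested"))

    # 4. Detailed ICM error pages can leak internal details.
    detailed = params.get("is/HTTP/show_detailed_errors", "TRUE")
    if detailed.upper() != "FALSE":
        findings.append(("is/HTTP/show_detailed_errors", detailed, "detailed error messages enabled"))

    return findings


if __name__ == "__main__":
    for name, actual, finding in audit_webdispatcher(WEAK_WD_PROFILE, backend_network_trusted=False):
        print(f"FAIL {name} = {actual!r}: {finding}")
```

The trusted-network flag is an input rather than something the script guesses, because it is the one fact the profile cannot tell you: the same wdisp/ssl_encrypt = 0 is a valid SSL termination setup in a secured DMZ-to-Gateway segment and a clear-text exposure anywhere else.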