Encryption

Former Member
0 Kudos

Is there any type of data security for the data sent from the app server to the SAP frontend?

Any encryption, etc? Not necessarily for the data stored in the DB but traffic to the SAPGui

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos

EC,

Yes, this encryption between SAP GUI and SAP ABAP AS is achieved using the SAP SNC interface. The use of SNC for network security and encryption requires a library to be installed on both server and each workstation where FrontEnd is installed. The library can be obtained from SAP software partners who provide SNC libraries, or if your SAP server is on Windows you can obtain the library from SAP themselves.

Let me know if you need any more info.

Thanks

Tim

11 REPLIES 11

Former Member
0 Kudos

Thank you Tim. How can I tell if something like this is set up on both the client and server end(s)? Because in my instance profile I see:

sec/libsapsecu = /usr/sap/DV2/SYS/exe/run/libsapcrypto.o

Former Member
0 Kudos

I want to see how I can lock down as much as possible the SAP environment. I see Oracle ASO but think that only helps if my app runs on multiple servers vs. standalone (DB/CI) single-host. And that is only from app server to DB.

tim_alsop
Active Contributor
0 Kudos

EC,

Oracle ASO is similar to SAP SNC, but ASO is used to secure (e.g. provide authentication, data integrity and encryption) between Oracle client and Oracle server software. The SAP SNC interface is used for same security between SAP client (e.g. SAP frontend) and SAP server (e.g. SAP ABAP AS).

So, just because you have Oracle as the database being used by your SAP application server, this is not useful for encryption of session between SAP client (SAP frontend) and SAP ABAP AS.

Also, SAP do not provide any support for Oracle ASO between ABAP AS and Oracle DB.

Thanks,

Tim

tim_alsop
Active Contributor
0 Kudos

EC,

Your libsapcrypto in your instance profile is not used for SNC (e.g. encryption between GUI and SAP ABAP AS). The SNC library is specified in the snc/gssapi_lib instance profile parameter.

Thanks,

Tim
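
Added example (not part of the thread, and not SAP's own tooling): a small Python check for the distinction made in the reply above, that `sec/libsapsecu` does not configure SNC while `snc/gssapi_lib` does. The `snc/enable` parameter, the sample profile text and the library path are assumptions that do not come from the thread, and the check looks only at the profile text it is given.

```python
# Constructed sample profiles. Only the sec/libsapsecu line is quoted from the
# thread; SAPSYSTEMNAME, snc/enable and the library path are illustrative.
SAMPLE_PROFILE_NO_SNC = """\
# instance profile (constructed sample)
SAPSYSTEMNAME = DV2
sec/libsapsecu = /usr/sap/DV2/SYS/exe/run/libsapcrypto.o
"""

SAMPLE_PROFILE_SNC = SAMPLE_PROFILE_NO_SNC + """\
snc/enable = 1
snc/gssapi_lib = /path/to/partner/snc-library.so
"""


def parse_profile(text):
    """Parse 'name = value' lines, skipping blanks and '#' comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a parameter assignment
        # Assumption: if a name is repeated, the last value is kept.
        params[key.strip()] = value.strip()
    return params


def snc_status(text):
    """Report whether this profile text names an SNC library and enables SNC."""
    params = parse_profile(text)
    lib = params.get("snc/gssapi_lib")
    enabled = params.get("snc/enable") == "1"
    findings = []
    if "sec/libsapsecu" in params and not lib:
        findings.append("sec/libsapsecu is set, but it does not configure SNC")
    if not lib:
        findings.append("snc/gssapi_lib is not set: no SNC library configured")
    if not enabled:
        findings.append("snc/enable is not 1: SNC is not activated")
    return {"snc_configured": bool(lib) and enabled,
            "gssapi_lib": lib,
            "findings": findings}


if __name__ == "__main__":
    for name, text in [("no SNC", SAMPLE_PROFILE_NO_SNC), ("SNC", SAMPLE_PROFILE_SNC)]:
        print(name, snc_status(text))
```

A profile that passes this check still says nothing about the front-end side, which needs its own SNC library as described earlier in the thread.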

Former Member
0 Kudos

Tim. Thank you. You are very knowledgeable on the subject. I will lastly ask a recommendation of:

...if I wanted to secure my SAP environment - database, gui, etc. what steps would you recommend to be put in place?

tim_alsop
Active Contributor
0 Kudos

EC,

I have already answered the question about adding security to the gui. The database is already secured since it is accessed only by SAP server software and SAP AG have taken care to store information in the database in a secure way and secure the connections between the SAP system and DB.

I am not clear what you mean by "what steps to be put in place" ?

Regards,

Tim

Former Member
0 Kudos

I did find this:

"You can only use the SAP Cryptographic Library for SNC between server components. If you want to use SNC for front-end components (for example, SAP GUI for Windows), then you must purchase an SNC-certified partner product."

Not sure how old it is...SAP does not have some product for free?

tim_alsop
Active Contributor
0 Kudos

> I did find this:
>
> "You can only use the SAP Cryptographic Library for SNC between server components. If you want to use SNC for front-end components (for example, SAP GUI for Windows), then you must purchase an SNC-certified partner product."
>
> Not sure how old it is...SAP does not have some product for free?

This is still correct and accurate. The SAP supplied SNC library is for server to server connections, but if you want to secure SAP GUI (FrontEnd) to SAP ABAP AS connections using SNC then you need to buy a third-party product from a SAP partner company. There is one exception and that is when SAP Server is on Windows because SAP supply another SNC library (not the SAP crypto library referenced in your previous post) which can be used for SAP GUI SNC connections. If your SAP server is on UNIX or Linux you need to talk to a partner company about their product and get prices from them and other technical details.

Note: I work for one of the partner companies mentioned above, which is why I know about this topic.

Take care,

Tim

Former Member
0 Kudos

Re: The database is already secured since it is accessed only by SAP server software and SAP AG have taken care to store information in the database in a secure way and secure the connections between the SAP system and DB.

...is that Oracle ASO?

tim_alsop
Active Contributor
0 Kudos

> ...is that Oracle ASO?

No, it is not using ASO. The use of ASO would not be appropriate for a server to access the database. Most of the time both server and DB are in same secure network (e.g. in the data center) so there is no need to encrypt the connection between SAP server and DB. The use of ASO would be more appropriate if you had a server running an Oracle DB and had client software which accesses the DB using sql-net. This is not applicable to SAP use or Oracle.

Thanks,

Tim