

RFC Gateway security, part 7 – secure communication
source link: https://blogs.sap.com/2021/11/10/rfc-gateway-security-part-7-secure-communication/

From my experience, RFC Gateway security is still a poorly understood topic for many SAP administrators. As a result, many SAP systems lack, for example, properly defined ACLs to prevent malicious use.
After an attack vector was published in the talk “SAP Gateway to Heaven” by Mathieu Geli and Dmitry Chastuhin at OPDCA 2019 Dubai (https://github.com/gelim/sap_ms), RFC Gateway security is more important than ever. This publication got considerable public attention as 10KBLAZE.
With this blog post series I try to give a comprehensive explanation of RFC Gateway security:
Part 1: General questions about the RFC Gateway and RFC Gateway security
Part 2: reginfo ACL in detail
Part 3: secinfo ACL in detail
Part 4: prxyinfo ACL in detail
Part 5: ACLs and the RFC Gateway security
Part 6: RFC Gateway Logging
Part 7: Secure communication
Updates:
Secure communication
Please make sure you have read part 1 of this series to be familiar with the basics of the RFC Gateway and the terms I use to describe things.
Does the RFC Gateway support encrypted communication?
The RFC Gateway supports encrypted communication for RFC using SNC (Secure Network Communication).
Does SNC require any additional license?
As of SAP note 1848999 there is no additional license required.
An additional license is only required when SNC, or SNC with SSO, is to be provided for SAP GUI or Web GUI end-users. This requires the SAP Secure Login Client, which is part of the product SAP Single Sign-On 3.0.
What is needed for encrypting the traffic?
To establish secure communication using SNC a cryptographic library must be installed on both communication partners, for example, the SAP CommonCryptoLib 8.
The server and client must possess a public and private key pair and a public key certificate, which is stored in a Personal Security Environment (PSE). Typically, the $SECUDIR/SAPSNCS.pse is used.
Furthermore, both parties must be able to validate the counterpart's certificate, which includes validating its trust chain. Therefore, the trusted issuing CAs have to be stored in the PSE.
More details on the CCL integration for SNC can be found at CommonCryptoLib: SNC protocol versions and cipher suites.
How to enable SNC
If the above prerequisites are fulfilled, the subject name of the certificate has to be configured as the SNC name in the profile parameter snc/identity/as.
SNC can then be enabled by the parameter snc/enable.
Secure RFC communication is typically, but not necessarily, established over port ’48<InstNo>’. Therefore, some firewall adjustments may also be necessary.
Please note: Some legacy interfaces do not allow the port to be adjusted and use ’32<InstNo>’, which is widely known as the port for unencrypted RFC communication.
How to manage trusted Issuing CAs?
This can be done via the command line tool sapgenpse maintain_pk. For ABAP systems the trust manager STRUST, for Java systems the Certificates and Keys view (/nwa/key-storage) should be used instead.
Please note: Trusting a Root CA means trusting all of its sub-CAs. This should be strongly avoided.
Does the usage type ‘Registered external RFC Servers’ support encrypted communication?
Encrypted communication can be enabled or enforced for the different scenarios by the parameter snc/only_encrypted_rfc.
Does the usage type ‘Started external RFC Servers‘ support encrypted communication?
Encrypted communication can be enforced by the parameter snc/permit_insecure_start.
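The parameters named above can be audited directly in the instance profile on OS level. The following script is an added example, not code from the blog or from SAP: it reads a constructed profile excerpt (last assignment of a parameter wins, as in real SAP profiles) and flags the weak settings. It assumes that snc/permit_insecure_start = 1 permits starting external RFC servers without SNC and that snc/only_encrypted_rfc = 0 does not enforce encryption; verify both against the parameter documentation of your release.

```shell
#!/bin/sh
# Constructed sample profile (not taken from a real system), weak settings on purpose
WEAK_PROFILE=$(cat <<'EOF'
# DEFAULT.PFL excerpt, constructed for this example
SAPSYSTEMNAME = ABC
snc/enable = 1
snc/identity/as = p:CN=ABC, OU=SAP, O=Example, C=DE
snc/permit_insecure_start = 1
snc/only_encrypted_rfc = 0
EOF
)

# Same profile with the hardened values (assumed semantics, see lead-in)
HARDENED_PROFILE=$(printf '%s\n' "$WEAK_PROFILE" \
  | sed -e 's#^snc/permit_insecure_start.*#snc/permit_insecure_start = 0#' \
        -e 's#^snc/only_encrypted_rfc.*#snc/only_encrypted_rfc = 1#')

# snc_param CONTENT PARAM: print the effective value of PARAM (last line wins), empty if unset
snc_param() {
    printf '%s\n' "$1" | awk -v p="$2" -F'=' '
        /^[[:space:]]*#/ { next }
        { key = $1; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key) }
        key == p { val = substr($0, index($0, "=") + 1)
                   sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val); v = val }
        END { print v }'
}

# snc_audit CONTENT: print one finding per line, return 1 if any weak setting was found
snc_audit() {
    rc=0
    enable=$(snc_param "$1" "snc/enable")
    identity=$(snc_param "$1" "snc/identity/as")
    insecure_start=$(snc_param "$1" "snc/permit_insecure_start")
    only_enc=$(snc_param "$1" "snc/only_encrypted_rfc")
    if [ "$enable" != "1" ]; then echo "FAIL snc/enable=${enable:-unset}: SNC is not active"; rc=1; fi
    if [ -z "$identity" ]; then echo "FAIL snc/identity/as unset: no SNC name configured"; rc=1; fi
    if [ "$insecure_start" = "1" ]; then
        echo "FAIL snc/permit_insecure_start=1: started external RFC servers may run without SNC"; rc=1
    fi
    if [ "${only_enc:-0}" = "0" ]; then
        echo "WARN snc/only_encrypted_rfc=${only_enc:-unset}: unencrypted RFC is still accepted"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: SNC enabled and enforced for registered and started servers"
    return $rc
}

snc_audit "$WEAK_PROFILE" || echo "weak profile: review the findings above"
snc_audit "$HARDENED_PROFILE"
```

On a real system, replace the embedded excerpt with the content of the DEFAULT.PFL and instance profile (the instance profile overrides DEFAULT.PFL) and compare the result with what sapcontrol or RZ11 reports as effective values.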
What if a legacy component does not support SNC?
If SNC cannot be used in a scenario for some reason (which is rarely the case), a mitigation could be to route the connection through a secure tunnel established between two SAP Routers. Be aware that this is not end-to-end encryption, especially if you are not in control of the architecture on one of the two sides.
How to setup the CommonCryptoLib for secure communication?
Details on the CCL configuration options for SNC in terms of protocols, cipher suites and more can be found at CommonCryptoLib: SNC protocol versions and cipher suites.