These are personally prepared SAP ADM960 Certification Flashcards....
ADM960 – SAP Security consultant certification flashcards –
[email protected]
7 goals of Security?
• Authentication: process of identifying the "real" identity
• Authorization: what the identified user can do
• Confidentiality: the communications are kept private
• Integrity: none of the information has been tampered with
• Repudiation: denying that you have done something
• Non-repudiation: cannot deny having done something
• Availability: users get to their resources when they need to
What is behind the threat “Planting”?
A hacker may gain access to a system and plant a program to enable them to access that computer later.
What are the 11 threats listed in the course?
Penetration, Authorization violation, Planting, Eavesdropping, Tampering, Denial of service, Repudiation, Flooding, Masquerading, Spoofing, Buffer overflow
What is behind the threat "Tampering"?
A hacker can grab a connection and communicate with both the client and the server. Once the hacker has grabbed the connection he could change the data.
Which kind of attack makes the server unavailable? There are several ways to do this, such as snap the network cable, physically destroy the server, or unplug it from the network.
A denial of service
What is it called when programs are written that modify the source IP address of a TCP/IP packet, to fool the network into thinking that the packet is coming from within the network?
Spoofing
When an application receives data that it is not expecting or prepared for, unpredictable results can occur. This can lead to a vulnerability within the server. What is this threat called?
Buffer Overflow
3 categories of safeguards?
• Technical safeguards (for example firewall, encryption, PKI, certificates, access control)
• Organizational safeguards (for example rules or guidelines)
• Environmental safeguards (for example fire detection)
3 types of security policy?
• General security policy
• IT security policy
• Configuration documentation
Which protocol is used between the SAP GUI and the server?
DIAG protocol
Which protocol is used between SAP Servers?
RFC, Remote function call
Which SAP product transforms the traditional SAP applications to Web-based transactions, so that they are accessible using Internet technology?
The ITS, Internet Transaction Server
What is the interface to Web-based information for the end user?
The SAP Web-GUI
What are the 2 main components of the ITS?
• Web gate (WGate, resides on the Web server)
• Application gate (AGate)
ITS configuration: What is the difference between a single host configuration and a dual host configuration?
• Single host: AGate and WGate on the same host (Web server)
• Dual host: AGate installed on a separate host
What are the 7 layers of the OSI model?
7 Application layer: program-to-program (HTTP)
6 Presentation layer: manages data representation
5 Session layer: communication channels
4 Transport layer: end-to-end integrity (TCP, SPX)
3 Network layer: routes data (IP)
2 Data link layer: physical passing of data (Ethernet)
1 Physical layer: putting data onto the network
Information sent across a network is not intended just for a computer. It is intended for a program on a computer. How are the programs distinguished?
These programs are distinguished by their port
Which command displays all connections and listening ports on your computer?
netstat -a
What are the default SAP ports?
• Internet Communication Manager (ICM): port 8080
• Dispatcher: port 32 (front end)
• Message server: port 36 (other SAP systems)
• Gateway: port 33 (external systems)
• Print service: port 515
What are the ports used by the ITS?
• Between the client and the Web server: 80 HTTP, 443 HTTPS
• Between WGate and AGate: 3900 or 3909
• AGate – Dispatcher: 32 (front end)
• AGate – Message server: 36 (other SAP systems)
• AGate – Gateway: 33 (external systems)
What is a system (or a combination of systems) called that protects a networked system from unauthorized or unwelcome access?
A firewall
What are the two most common types of firewalls?
• Packet filters (Network and Data link layers)
• Application proxies (Application and Transport layers) -> SAProuter as DIAG/RFC proxy
Which SAP Product is used for DIAG/RFC Proxy?
SAP router
4 functionalities of the SAProuter?
• Control and log the connections to your SAP system
• Allow access from only the SAProuters you have selected
• Protect your connection and data from unauthorized access
• Only allow encrypted connections from a known partner
SAP Router: Which file contains the list of connections that are denied or permitted?
The file saprouttab
What is the structure of a SAProuter file (saprouttab) entry?
[D|P|S] {#before, #after} {password}
• D: Deny the connection
• P: Permit the connection
• S: Permit only SAP protocol connections
Which product is used as a "software Web switch" between the Internet and your SAP systems (several Web AS) and can be used as a URL filter?
The SAP Web Dispatcher
What is a DMZ?
DMZ stands for DeMilitarized Zone. A DMZ can be described as a network added between a protected network and an external network in order to provide an additional layer of security.
Which kind of system can notify the administrator of attempts to attack the network or system?
IDS, Intrusion Detection System
What are the 2 types of IDS?
• Network-based IDS
  o Misuse detection (virus)
  o Anomaly detection
• Host-based IDS
  o Host sensor
Which kind of server translates the logical name into the physical name, i.e. the domain name into the IP address?
DNS
What is the safeguard against eavesdropping?
Encryption
What are the 3 types of encryption?
• Symmetric encryption (single secret key)
• Asymmetric encryption (public key, private key)
• Combining symmetric and asymmetric encryption (hybrid: public key, private key, secret key)
What are the 2 obstacles of symmetric encryption?
• Transferring the secret key safely
• Distributing the secret key to a large number of communication partners
What are the 2 disadvantages of public key encryption?
• It is slower than symmetric key encryption.
• Encryption is only possible in one direction with a single key pair. Alice can encrypt a message to send to Bob, but not vice versa.
What is the safeguard against masquerading?
Authentication (user ID/pwd or cryptography)
What is used to authenticate individuals using cryptography?
To authenticate individuals using cryptography, the person receives a digital certificate. It can be compared to a passport in the "real world": a "digital identity card".
What is the complete infrastructure that manages the issuing and verification of certificates called?
A Public-Key Infrastructure (PKI).
What is the use of the Distinguished Name?
• Specifies the owner's identity
• Found in the owner's certificate as the subject
What are the different parts of a Distinguished Name?
CN=Common Name, OU=Organizational Unit, O=Organization, C=Country
What are the 3 functions of the Certification Authority (CA)?
• Issues the certificate
• The issued certificate is digitally signed by the CA (official stamp)
• Its role is to ensure that the public key (which matches the private key) belongs to a specific person or server
How is the CA technically trusted?
The CA also possesses a digital certificate, called a CA root certificate. Alice needs the CA's root certificate to verify the digital signature on the Web server's certificate. The most common CA root certificates are preinstalled in the most widely-used Web browsers.
SAP also has a CA that issues digital certificates to customers. What is the digital certificate issued by the SAP Trust Center Services called?
the SAP Passport
Which safeguard answers the threat of tampering (denial, message alteration)?
Digital signature
Which 3 security goals does the digital signature address?
• Integrity: the document has not been modified.
• Authentication: Alice is who she claims to be.
• Non-repudiation: Alice cannot deny having signed the document.
Which key is used to create the digital signature?
The private key of the user
3 characteristics of the hash algorithms?
• They reduce the size of a document, typically to a fixed length (for example, 128 bits).
• They are one-way: you cannot determine the original document based on the digest.
• They are unique: it is highly unlikely that a second data source will produce the same hash.
What does the Personal Security Environment (PSE) contain?
It is a storage location for the server's security information. It contains:
• Private key
• Server's public-key certificate
• Certificates of trusted CAs (certificate list)
In which 4 cases does Secure Store and Forward (SSF) provide security for SAP data and documents?
• Data leaves the SAP system
• Data is stored on insecure media
• Data is transmitted over insecure networks
• Data security is associated with persons and individuals
Which 3 security goals does SSF address?
Integrity, Privacy, Authentication
What is the SAP default library to use for SSF?
SAP Security Library (SAPSECULIB): default security library provided by SAP for SSF
What is the SAP default library to use for SNC and SSL?
SAP Cryptographic Library (SAPCRYPTOLIB): default security library provided by SAP for SNC and SSL
What are the 5 user master types?
• Dialog
• System: used to run background jobs
• Communication: used for communication without dialog between different systems (RFC/CPIC)
• Service: allows multiple logons, no password check
• Reference: used only to assign additional authorizations to dialog users
What are the 3 authorization objects required to create and maintain user master records?
• S_USER_GRP: user master maintenance: assign user groups
• S_USER_PRO: user master maintenance: assign authorization profiles
• S_USER_AUT: user master maintenance: create and maintain authorizations
What is the profile of the special user EARLYWATCH?
S_TOOLS_EX_A
Which User information system report monitors the passwords of all predefined users?
RSUSR003
Which user group should be assigned to the users SAP*, DDIC, EARLYWATCH?
user group SUPER
What are the 2 ways in which you can define the choice of user passwords?
• You can use the system profile parameters (login/*)
• Invalid passwords can be entered in the table of reserved passwords USR40 (? denotes a single character, * denotes a character string)
Which two profile parameters control the deactivation of password-based logon?
login/disable_password_logon and login/password_logon_usergroup
Which profile parameter refuses incoming connections of type CPIC (gateway)?
login/disable_cpic
Which profile parameter sets the time for automatic SAP GUI logout?
rdisp/gui_auto_logout
What are the 4 types of RFC connections?
• Synchronous RFC (the client waits until the server has completed its processing); between SAP systems and from Web AS
• Asynchronous RFC (parallel processing)
• Transactional RFC (secure communication between systems)
• Queued RFC (defined processing sequences)
Which transaction code allows you to monitor the SAP Gateway?
Transaction SMGW available from Release 3.0C
Where should an RFC destination system be specified for outgoing connections (side info), and with which transaction can it be maintained?
Table RFCDES, maintained with transaction SM59
Four advantages of a trusted relationship between SAP systems
• Single sign-on is possible beyond system boundaries
• No passwords are transmitted over the network
• Timeout mechanism protects against replay attacks
• User-specific logon data are checked in the trusting system
The trust relationship is not mutual (t/f)?
True, The trust relationship is not mutual, which means it applies to one direction only.
Which file can be used in order to secure the RFC connection?
You can use the SAP gateway's secinfo file to control the start-up and registration of external RFC and CPI-C programs.
Which profile parameter defines the location of the secinfo file?
gw/sec_info
Which program starts the external command after it has passed the gateway?
sapxpg
Which authorization object is needed to maintain external commands?
S_RZL_ADM with activity 01 and 03.
Which authorization object is needed to execute external commands?
S_LOG_COM
What should you specify in order to allow the execution of external commands?
You must specify an entry for the program sapxpg in the file secinfo.
7 measures to protect an RFC connection
• Connect systems with the same security level
• Allow function modules to be called via RFC
• Use authorization object S_RFC
• Use users of type Communication
• Specify full logon data for connections to other SAP systems only if necessary
• Specify the secinfo file appropriately
• Protect files and tables containing side info
What are the 3 SAP standard clients contained in a DEV system?
• Development and customizing client (CUST)
• Sandbox client (SAND)
• Test client (TEST)
What is the default change option of the 2 QA default clients (test and training)?
Not modifiable
What are the two levels of SAP change options that define whether customizing and development is available?
• The system change option
• The client change option
Which transaction displays the history of the system change options?
SE03
The client change option does not override the system change option (t/f)?
True. Rather, the client change option is used to fine-tune the clients' role within the SAP environment.
How to set the client change option?
Use transaction SCC4, which works on table T000.
How to protect your production client against overwriting by a client copy?
Set the protection level in transaction SCC4 at least to level 1 (no overwriting).
How to protect your production client against a cross client comparison?
You should choose level 2 (no overwriting, no external availability). In this case the client is not available in the customizing cross-system viewer of another system.
What are the 2 fields of the authorization object S_TABU_DIS?
• DICBERCLS
• ACTVT
What is the field of the authorization object S_TABU_CLI?
CLIIDMAINT
What are the 5 fields of the authorization object S_DEVELOP?
• DEVCLASS
• OBJTYPE (PROG)
• OBJNAME
• P_GROUP
• ACTVT
What are the 2 steps needed to configure the QA approval procedure?
1. Define the QA system (prerequisite: between 2 systems)
2. Define the QA procedure (QA worklist)
Which transaction displays an overview of the modifications and enhancements found in the system, searchable by last transport request or by request/task?
SE95 (Modification browser)
What is the transaction to maintain and activate the security audit log?
SM19
What happens to the profile parameter rsau/local/file if the profile parameter rsau/max_diskspace/per_file is used?
If parameter rsau/max_diskspace/per_file is used, parameter rsau/local/file is no longer valid and will no longer be analyzed. Parameters DIR_AUDIT and FN_AUDIT are used instead.
What is the profile parameter that defines the maximum number of filters that can be used?
rsau/selection_slot
6 types of information that can be recorded with the security audit log?
• Dialog logon attempts
• RFC logon attempts
• Transaction starts
• RFC calls to function modules
• Changes to user master records
• Changes to the audit configuration
4 types of security audit log filters?
• User
• Audit classes
• Client
• Security level (only critical; severe and critical; all)
Which transaction allows you to view the assignments of the events to audit classes and security levels with the system log message maintenance?
SE92 (Display system log messages)
How to display the results of the security audit log (transaction)?
SE20
The reports of the user information system start with?
RSUSR followed by a number (RSUSR###)
ITS: What are the 4 main functions of the AGate?
• Communication to and from the SAP system
• Communicates using the SAP protocols RFC and DIAG
• Generating the HTML pages from SAP screens
• Managing user logon data and session information
ITS: What are the 2 main functions of the WGate (Web server)?
• Connects the ITS to the Web server
• Uses the HTTP protocol
What is an ITS service?
An ITS service is the set of components needed to call an SAP transaction via the ITS
How do you protect access to the ITS service and template files?
Using groups at the operating system level
ITS, scalability and load balancing: what are the 6 possible landscapes?
• Single WGate connects to multiple AGates
• Separate WGates connect to a single AGate
• Multiple WGates connect to multiple AGates
• ITS connects to a single application server
• Multiple ITS instances connect to a single system
• ITS connects to the message server (load balancing)
In a dual host installation, where do you use firewalls?
• Firewall in front of the Web server to deny access using undesired protocols
• Firewall between the Web server and the AGate to restrict access even more
What is the goal of SNC in an ITS environment?
• Authentication between the components
• Integrity protection
• Privacy protection
What is the SNC default security product?
SAP Cryptographic Library(SAPCRYPTOLIB)
SNC: Where are the private keys stored?
In the SNC PSE
What are the 2 possibilities to establish trust when using the SAPCRYPTOLIB?
• Either use a single PSE for all communication partners
• Or exchange public-key certificates
What is the transaction to maintain the SNC PSE?
Use the trust manager (transaction STRUST)
What are the 3 trust manager profile parameters?
1. sec/libsapsecu: specifies the location of the SAPCRYPTOLIB
2. ssf/ssfapi_lib: specifies the location of the SAPCRYPTOLIB
3. ssf/name: must be set to SAPSECULIB
What are the 7 steps to enable SNC on the ITS?
1. Install SAPCRYPTOLIB + license ticket (SECUDIR)
2. Set trust manager profile parameters
3. Create (or import) the SNC PSE
4. Create credentials
5. Establish trust relationship
6. Set SNC profile parameters
7. Make access control list entries
What is the table for the SNC system access control list?
SNCSYSACL
What is the table for the extended user access control list?
USRACLEXT
Testing and analyzing: SNC information is provided in trace files. What are the 3 most common errors?
• Library could not be loaded
• No credentials
• No entry in ACL
What are the 3 user authentication mechanisms?
• User ID and password
• X.509 client certificates
• Pluggable Authentication Services (PAS) -> external mechanisms
X.509 client certificates: which table is responsible for the user mapping?
USREXTID
What are the 2 different worlds for SSO?
• SAP GUI for Windows -> SNC
• Web -> SSL
SSO, Web: How is the SAP Logon ticket stored in the web-browser?
Stored as a non-persistent session cookie in the Web browser (named MYSAPSSO2)
Which 4 pieces of information does the SAP logon ticket contain?
User ID, validity period, issuing system ID, issuing system's digital signature
What are the 3 constraints of the logon ticket?
Same DNS domain, user ID identical in all systems, user must accept session cookies
How is the integrity and authenticity of the logon ticket protected?
It is digitally signed by the ticket-issuing server to provide integrity and authenticity protection.
How to maintain the configuration of the logon tickets?
Maintain the configuration using transaction SSO2 and STRUSTSSO2
Is SSO to non-SAP components possible with SAP logon tickets?
Yes, SSO to non-SAP components is possible with SAP logon tickets. 2 options:
• API interface
• Web server filter (HTTP header field)
What are the 2 profile parameters used to configure SSO with SAP logon tickets?
• login/create_sso2_ticket
• login/accept_sso2_ticket
What are the 6 steps of the PAS authentication process?
1. The user enters the URL for the PAS service
2. The user provides user authentication info
3. The external authentication mechanism verifies the user's information
4. The ticket-issuing system maps the external user ID to the SAP user ID
5. The user is issued a logon ticket
6. The AGate redirects the user to the service
What are the 3 steps to install the PAS?
• Install SAP package ntauth.sar
• Set the service file parameters
• Maintain user mapping: maintain table USREXTID (report RSUSREXTID)
How to combine the 2 worlds (SAP GUI and Web)?
• Using logon tickets, ITS and SAP shortcuts
• The logon ticket is passed to the SAP shortcut using the ITS service wngui
• Only from Web to traditional (traditional to Web not supported)
2 roles that the Web Application Server (Web AS) can play?
• SAP Web AS as client component
• SAP Web AS as server component
2 main components of the Web Application Server (Web AS)?
• The Internet Communication Manager (ICM): ensures communication between the SAP system (SAP Web AS) and the outside world using the HTTP, HTTPS and SMTP protocols.
• The Internet Communication Framework (ICF): provides the framework for implementing the SAP Web AS applications.
What is the transaction of the ICM monitor?
SMICM
7 activities of the ICM monitor?
• Start and stop the ICM
• Set trace level, view logs
• View profile parameter settings (starting with icm)
• View statistics
• View memory pipe information
• View active services
• Monitor service cache
What is the transaction of the Internet Communication Framework (ICF)?
ICF, transaction SICF
4 activities of the ICF with transaction SICF (maintain services)?
• Display the HTTP hierarchical tree
• Create and maintain BSPs (SE80: view and test BSP)
• Create virtual hosts
• Activate/deactivate services (activate only the necessary services)
Load balancing: 3 different mechanisms?
• Redirection: the user is redirected to the server in the backend (simple but not user friendly)
• DNS-based method: look-up routes clients to servers based on IP address
• Load-balancing device: receives requests and directs them to a server in the backend; transparent for the client (the same URL and IP)
What is a stateful user session vs. a stateless one?
In a stateful session the network connection lasts for the duration of a user session (HTTP is a stateless protocol: successive requests may open a new network connection).
What are the 2 options and the properties of a stateful user session?
• Session ID (either in a Web browser cookie or in the user's URL) -> SSL doesn't work
• IP address of the client -> SSL OK (but an issue with proxies)
2 types of load balancing with SSL and their properties?
• End-to-end SSL: the server supports both privacy protection using encryption as well as user authentication using client certificates. Must use the client IP address for session persistence.
• Terminating SSL: terminate the SSL connection at the load balancer.
What are the pros and cons of terminating SSL with load balancing?
+ Better performance
+ Session cookie can be used
- Less security
5 scenarios of load balancing with the Web AS?
• Message server-based redirection
• Dispatcher or load balancer
• SAP Web Dispatcher
• Alternative technologies
• Combining technologies (Web switch and Web Dispatcher)
What is the problem of a stateful load-balancing connection?
If the load balancer directs the user to a different server for subsequent requests, then the second server would not know what had already occurred on the first server. Session context information is lost (conflict between the applications).
3 kinds of alternative technologies for load balancing
• Hardware load balancer
• Web switch
• Reverse proxy (you can route incoming requests to different services based on the URL path)
SSL encryption with Web AS: 4 pieces of information to specify with the help of profile parameters?
• Specify plug-in
• Specify server port
• Specify whether to use client certificates
• Specify location of SAPCRYPTOLIB
What are the 3 types of SSL server PSE?
• Standard SSL server PSE (basis for creating individual SSL server PSEs for each host to use)
• Individual SSL server PSE
• Shared SSL server PSE
4 steps to enable SSL on the SAP Web AS (client or server)?
1. Create the SSL server PSE (STRUST)
2. Specify the PSE for each application server
3. For each unique PSE: a. generate a certificate request, b. send the request to a CA, c. import the certificate request response
4. Establish the necessary trust relationships with CA certificates
3 kinds of SSL client PSE
• Standard SSL client PSE (must exist for SSL to work)
• Anonymous SSL client PSE (CN=anonymous)
• Individual SSL client PSE
3 configuration steps to specify that a connection uses SSL
• SM59: maintain the HTTP destination (type G: to a different Web server; type H: to another SAP Web AS)
• Activate SSL and specify which SSL client PSE to use
• If SSL client authentication is to be used, select Basic Authentication
4 steps to enable SNC on the SAP Web AS
1. Install the SAP Cryptographic Library
2. Create the SNC PSE
3. Specify access control list (ACL) entries
4. Set profile parameters
Which table specifies which systems are allowed to connect to the SAP system using SNC?
SNCSYSACL
Which table specifies the users that can log on to the system using SNC?
USRACL
Which table specifies that WebRFC users can log on using the AGate's SNC-protected connection?
USRACLEXT
4 SNC profile parameters?
• Activate SNC (snc/enable)
• Set level of protection (snc/data_protection/max)
• Accept RFC and DIAG connections that are not protected with SNC (snc/accept_insecure_gui)
• Use external authentication (snc/extid_login_diag)
3 components of the portal user and role management?
• Corporate directory server (for authentication)
• Portal directory server (portal-related user and group properties)
• Portal content directory (content -> role assignment)
3 enterprise portal authentication mechanisms:
• User ID/password (form-based iView)
• X.509 digital certificate
• Third-party authentication (Windows)