
AGS Security Services Patch Process

Apr 28, 2015

kamal80

Transcript
Page 1: AGS Security Services Patch Process

SAP Active Global Support

July, 2012

Security Patch Process . . or how best to protect your data and keep the availability of your SAP solutions

Page 2

© 2012 SAP AG. All rights reserved. 2

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

Page 3

Abstract

Software security remains a critical topic of interest to all companies and to the information technology industry.

The security of a specific system thereby also significantly depends on the secure installation and operation of this system. SAP gained a lot of experience from its support for and engagement with numerous customers. It uses the resulting best practices not only for further improvements and enhancements of its support offering but also makes them available as recommendations, services and tools directly to its customers.

In this presentation you will learn about the self services and tools available for security, centered around the “Security Notes” section in the EarlyWatch Alert report.

Using the new application System Recommendations within the SAP Solution Manager you can track down critical Security Notes which are required for your systems.

And you will get additional information about the Configuration Validation which can be used to analyze the security configuration for single systems as well as for the complete system landscape.

Page 4

Agenda

(Diagram labels: Configuration Validation, SOS, EWA, Security Notes Report and System Recommendations)

Security Patch Process

Security Tools and Services
- EarlyWatch Alert (EWA) – Security Chapter
- Security Notes Report (RSECNOTE)
- System Recommendations
- Configuration Validation

Page 5

SAP Introduces Monthly Security Patch Day

SAP Security Patch Day
- Regular Patch Day every second Tuesday of a month
- Based on feedback from customers and SAP User Groups

Benefit 1: Better planning for SAP Security Notes with dedicated, regular schedule

Benefit 2: More efficient review and selection of SAP Security Notes relevant for an organization

Benefit 3: More efficient patching of SAP systems as it is on the same day as with other software providers

Page 6

Security Notes

Security Notes
■ are standard SAP Notes / HotNews
■ with information about known security vulnerabilities
■ and appropriate countermeasures (correction instruction, configuration, service pack, upgrade, manual measures)

They can be found here: http://service.sap.com/securitynotes

■ Each customer has to regularly review this list and has to verify for each entry whether the security note applies to his systems or not and what to do if necessary

Page 7

Security Notes in the Service Marketplace https://service.sap.com/securitynotes → “Security Notes Search”

The rightmost column “Automatic check in EWA” shows which security notes get checked in the EarlyWatch Alert and with the tool RSECNOTE.

Page 8

Security Notes in the Service Marketplace https://service.sap.com/securitynotes → “my Security Notes”

If your systems are registered in the SAP Service Market Place, then you can easily work with the filter “by System”.

If this is not the case, then you cannot use the filter “by System”, but we do not recommend using the filter “by Product” for searching for Security Notes.

Limitation: You have to remove implemented notes manually from the list.

Page 9

Security Notes in the Service Marketplace

SAP Support Portal Newsletter

Page 10

Classification of Security Notes by Type

1. ABAP Correction Instructions: Use Note Assistant (transaction SNOTE) to implement the correction or apply the Support Package
2. ABAP Software-like manual corrections: Implement the correction manually, e.g. deactivate a web-based service
3. Kernel Notes: Install a new Kernel
4. Java Notes: Install Java Support Packages or Patches
5. Notes about other components: Individual procedure to update the Database, SAPGUI, RFC Library, Business Objects, Sybase, ...
6. Other manual instructions: Anything else. Sometimes described in White Papers.

Page 11

Classification of Security Notes by Implementation Process

1. Implementation as part of a monthly standard patch process, e.g. for ABAP Correction Instructions or ABAP software-like manual corrections
2. Implementation as part of a project, e.g. for notes about other components or other manual instructions
3. Implementation as part of maintenance activities, e.g. Support Package upgrade, Kernel upgrade, Java upgrade
4. Implementation after maintenance activities, e.g. manual instructions which require a Support Package upgrade or Kernel upgrade as a prerequisite

Page 12

Preparation for the Patch Process

- Define the “Patch Day Roadmap”
- Define the responsible person (CERT) who decides about (not) implementing SAP Security Notes
- Define the responsible person (IT) for the security patch process of your SAP systems
- Register the responsible person in the SAP Service Marketplace as the Security Contact: (https://www.service.sap.com/securitycontacts)
- Check the status of the SAP Solution Manager (release and SP level, plan for upgrade if required)
- Define the methods and tools for identifying and analyzing new SAP Security Notes
- Define the teams, testing methods and tools for regression testing of productive business processes
- Define the workflow for exceptional and regular transports

Page 13

Security Maintenance Management

General Process Overview for testing SP’s and Security Notes

(Flow diagram with two tracks; labels as in the original)

Track “Integration into Maintenance”: Download & Apply Support Packages (Latest Sec. Notes) → Manual Adjustments → Apply Support Packages → Testing (Solution Manager Test Management: Regression tests; Solution Manager Quality Gate Management) → Deploy Changes → Go Live

Track “Monthly Security Patches”: Apply Single Correction(s) → Manual Adjustments → Testing (Solution Manager Test Management: Individual testing) → Immediate risk mitigation → Deploy Changes → Go Live

Further labels: Security Note(s) Exceptions; Change of potential bug; No add. functional test; No Action needed

Page 14

HOW SAP Solution Manager Security Services support your security patch management

(Timeline diagram; labels as in the original)

Security Patch Day of SAP: Monthly on 2nd Tuesday

The week after the Patch Day:
- Check System Recommendations in Solution Manager
- Check Service Marketplace /securitynotes
- Check EarlyWatch Alert / RSECNOTE
- Risk assessment

Within one month (Apply it now!):
- Apply Security Notes
- Apply additional manual configuration of Security Notes if necessary
- Complete Test

During next maintenance cycle (Scheduled implementation!):
- Apply Kernel Patches, Java Patches and ABAP Support Packages
- Perform individual regression test

Update Configuration Validation checks in Solution Manager

Page 15

Agenda

Page 16

The Role of EarlyWatch Alert (EWA) for Security

SAP EarlyWatch Alert (EWA) (see http://service.sap.com/ewa)

SAP EarlyWatch Alert is an important part of making sure that your core business processes work. It is a tool that monitors the essential administrative areas of SAP components and keeps you up to date on their performance and stability. SAP EarlyWatch Alert runs automatically to keep you informed, so you can react to issues proactively, before they become critical.

Security in the EarlyWatch Alert:

The EWA Report includes selected information on critical security observations
– SAP Security Notes: ABAP and Kernel Software Corrections
– Default Passwords of Standard Users
– Password Policy
– Gateway and Message Server Security
– Users with Critical Authorizations

More detailed and additional information can be found with the help of the security self-services

Page 17

EarlyWatch Alert Chapter “Security”

Overview

Page 18

EarlyWatch Alert Chapter “Security”

SAP Security Notes

This chapter in the report indicates that Security Notes are missing in your system that can be identified using the tool RSECNOTE.

Absence of this chapter does not guarantee that all applicable SAP Security Notes available at http://service.sap.com/securitynotes are applied to this system.

Page 19

Agenda

Page 20

Check for Security-Related SAP Notes

Using Transaction ST13 Tool RSECNOTE

Execute tool RSECNOTE within transaction ST13.

A special authorization is required to execute this tool (see SAP note 888889 for details).

Page 21

Transaction ST13 Tool RSECNOTE

Result

The result can be sent via mail, too.

The tool RSECNOTE shows security-related notes which should be implemented for this system.

Page 22

Transaction ST13 Tool RSECNOTE

Result

RSECNOTE lists three categories:
- Security Notes that require implementation
- Security Notes that are successfully implemented
- Security Notes that are manually confirmed

Please note: RSECNOTE focuses on SAP Security HotNews (as far as technically clearly identifiable) and selected additional Security Notes. Check http://service.sap.com/securitynotes for additional SAP Security Notes relevant for your systems.

Page 23

Cross-System check for Security Notes

Report ZSECNOTE_CENTRAL @ SDN

SDN Code Exchange https://cw.sdn.sap.com/cw/groups/cross-system-check-for-security-notes

Page 24

Agenda

Page 25

System Recommendations

To keep your SAP systems up-to-date and secure you have to apply various types of notes and patches. System Recommendations shows all relevant notes and patches for the selected systems and helps you to easily keep all of your systems up-to-date.

Page 26

System Recommendations: Overview

Advantages & Features
- Provides a detailed recommendation of SAP notes and non-SAP notes which should be implemented, based on the actual status of the system and already implemented notes
- The recommendations comprise the following notes categories: Security notes, Performance-relevant notes, HotNews, Legal change notes, Correction notes / Patch notes
- Powerful calculation method for notes provides a comprehensive recommendation for the selected system
- Increase system security by applying up-to-date security-relevant notes exactly tailored for the respective system
- Integration into Change Request Management to directly create Change Requests for the selected notes
- Easy-to-use filter settings allow exact selection of system or solution

Page 27

System Recommendations: Process Flow

(Process diagram spanning the Customer side and the SAP side)

1. Select system to check & update
2. Retrieve system information (SP level, patch level, notes, ...)
3. Connect to SAP Global Support Backbone
4. Calculate delta information (latest relevant notes, etc...)
5. Send information back to the customer‘s SAP Solution Manager system
6. Show relevant notes of the system(s) via System Recommendations or Configuration Validation

Page 28

How System Recommendations supports your security Process flow

(Timeline: SAP Patch Day (TUE) → System Recommendations → Configuration Validation)

SAP Patch Day: SAP releases security patches every second Tuesday.

System Recommendations: identifies the relevant patches for the selected system(s). The selected relevant patches are applied to the SAP system.

Configuration Validation: Security validation is done in the Configuration Validation. Provide a report focusing on the implementation status of the applied security notes.

Page 29

System Recommendation AGS Workcenter – Change Management

Quicklink for Easy Access Menu: WebDynpro WDC_NOTE_CENTER

Page 30

System Recommendations: Key Elements
- BW reporting as of SolMan 7.10 SP 3
- Filter by solution, product system, technical system and date
- Filter by application component
- Integration of Change Request Management and Maintenance Optimizer
- Status management and filter
- Settings
- Export to Excel
- Structured recommendations
- Multiple views

Page 31

System Recommendations: Key Elements

Integration of Change Request Management and Maintenance Optimizer

Page 32

System Recommendations: Setup

The following steps are necessary to set up System Recommendations:

Prerequisites:
- The SAP-OSS RFC connection needs to be set up correctly
- All managed systems have to be connected to SAP Solution Manager and documented in transaction SMSY, and they have to be assigned to a product system and to a solution
- Authorization object SM_FUNCS: controls access and visibility of tabs in System Recommendations

To collect this data automatically for the use within System Recommendations you can set up a batch job in the “Settings” area of System Recommendations.

System Recommendations is part of the “Change Management” Work Center in SAP Solution Manager.

Blog: http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/24227

Online Help: http://help.sap.com/saphelp_sm70ehp1_sp26/helpdata/en/83/68fad4952d42a192469fa02586aeff/frameset.htm

Important Notes:
- Note 1554475 System Recommendations - corrections for SP26
- Note 1577059 SysRec: No RFC authorization
- Note 1624914 SysRec: Corrections for performance issue in SP26 & 27
- Note 1634132 SysRec: Corrections for performance issue in 7.1 SP 1-3

Page 34

Cross-System check for System Recommendations

Integrated BW Reporting as of SolMan 7.10 SP 3

List SAP notes not yet implemented in the systems of the selected solution, within the specified time period

Page 35

Cross-System check for System Recommendations

Explicit BW Reporting as of SolMan 7.10 SP 3

Select note area .. or select notes which have been classified as being ‘important’ by your CERT department (CERT = Computer Emergency Response Team). Save view.

Using the predefined report 0TPL_0SMD_VCA2_SYS_RECOM_NOTES of the application “Configuration Validation” you can define arbitrary selections, filters and views for a cross-system report based on the results of the application “System Recommendations”.

Page 36

Extended Functions in System Recommendations as of SolMan 7.10 SP 5

- Download selected notes into Note Assistant (SNOTE) of managed system
- Show object list for selected ABAP notes
- Additional information:
  + Note contains automatic correction instruction (SNOTE)
  + Note contains manual correction instruction
  + Note references to a Kernel Patch
  + ABAP Support Package which contains the solution
- New list view
- Filter and sort list
- Execute Business Process Change Analyzer (BPCA) to identify business processes which should be tested

Page 37

Extended Functions in System Recommendations as of SolMan 7.10 SP 5

Show object list for selected ABAP notes

Page 38

Extended Functions in System Recommendations as of SolMan 7.10 SP 5

Execute Business Process Change Analyzer (BPCA) to identify business processes which should be tested

Page 39

Business Process Change Analyzer (BPCA)

Online Help - Analyzing Business Processes Affected by Changes: http://help.sap.com/saphelp_sm71_sp01/helpdata/en/d7/e0f086fa3440c3bc2debad74ecda22/frameset.htm

Prerequisites to use the Business Process Change Analyzer (BPCA) for test preparation:
- Document Business Processes in an SAP Solution Manager Project.
- Create a “Technical Bill of Material” (TBOM) for critical business transactions.

How-to Guide for BPCA: https://service.sap.com/~sapidb/011000358700000932192009E

End-to-End Integration Testing of SAP Solutions using Business Process Change Analyzer: http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/600defe0-48ed-2c10-51be-84349d14b8d8

Page 40

Agenda

Page 41

Consider the Customer’s Situation Today …

- Are all our CRM systems compliant with the new Configuration Baseline? … not compliant … which systems? what exactly?
- Are security settings applied? … on all systems? … could you please confirm and report?
- Have we imported Transport request xxxx (with important performance changes) on all systems? … could I have a list of the systems where it is still missing?
- Are the OS, DB, Software and Kernel on the certain / latest level? … on all Systems? … Please show me?
- Have we applied SAP Note xxxxx on all systems? … please report implementation status for all systems?

Challenges

A large number of systems … Complex SAP Landscape …

… Need to perform comparison of current configuration status against a defined target or standard configuration baselines

… with minimum efforts and ASAP

Page 42

Configuration Validation

Architecture Overview

(Architecture diagram; labels as in the original)

Data collection: ABAP based installations (via Solution Tool Plugins) and JAVA based installations (via Diagnostics Agents) feed the Extractor Framework (EFWK), which loads the data once a day into the Configuration and Change Database (CCDB) of Solution Manager EHP1.

Configuration Validation Reporting: Virtual InfoProvider 0SMD_VCA1 and a Function Module provide Interactive BI based Reporting for Configuration Validation and Change Reporting.

Target System Maintenance (DB Table): existing system configurations are copied, and the copied configuration data is maintained manually into customer defined system configurations / baselines.

Page 43

Content Deliverables – Configuration Items Overview

(Overview table; columns: Application, Kernel, Database, Operating System)

Software Release Validation:
- Support Package Stack
- Software Component Versions
- Implemented SAP Notes
- Imported ABAP Transports
- Web AS ABAP Kernel Release
- Java VM version
- Web AS Java Release
- Database Release
- Operating System Release

Parameter Validation:
- SAP Product specific settings (PI/XI specific configuration, BI specific configuration, BIA specific configuration)
- ABAP Instance Parameters
- Java VM parameters for J2EE
- Database Parameters
- Operating System Environment Settings

Security:
- Standard Users
- Gateway Secinfo
- Gateway Reginfo

Page 44

Possible Reference Systems / Configuration Baselines

Reference is an Existing System
- Data stored in Configuration and Change Database (CCDB)
- Latest available snapshot used for comparison
- No changes of configuration items are allowed

Reference is a Target System
- Content of existing configuration is copied into a separate database table
- Copied configuration items can be edited to match a specific audit task
- Reference system should contain a restricted number of configuration items

(Diagram: Reference Systems vs. Compared Systems. 1: an Existing System (CCDB) is compared directly with the Existing Systems (CCDB). 2: an existing configuration is copied, filtered and maintained into a Target System (DB Table), which is then compared with the Existing Systems (CCDB).)
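As an added example (not SAP code and not part of the presentation), the following Python sketch models the target-system baseline of this slide: copy an existing system's CCDB snapshot, filter it to the items relevant for the audit, maintain values, and compare the selected systems against the result. Store names follow the item overview on Page 43 and the parameter names are real SAP profile parameters, but every value, system and note number is constructed.

```python
"""Added example (not SAP code): the target-system baseline of slide 44.
An existing system's CCDB snapshot is copied, filtered to the audit's items
and maintained; then the selected systems are compared against it. Store
names follow slide 43; parameter names are real SAP profile parameters,
but every value, system and note number below is constructed."""
from copy import deepcopy

# Constructed CCDB content: {SID: {config store: {item: value}}}.
CCDB = {
    "PRD": {
        "ABAP_INSTANCE_PARAMS": {"login/min_password_lng": "8",
                                 "login/password_expiration_time": "90",
                                 "gw/acl_mode": "1", "rdisp/wp_no_dia": "20"},
        "STANDARD_USERS": {"SAP*": "password changed", "DDIC": "password changed"},
        "ABAP_NOTES": {"9000001": "implemented", "9000002": "implemented"},
    },
    "QAS": {
        "ABAP_INSTANCE_PARAMS": {"login/min_password_lng": "6",
                                 "login/password_expiration_time": "90",
                                 "gw/acl_mode": "1", "rdisp/wp_no_dia": "10"},
        "STANDARD_USERS": {"SAP*": "password changed", "DDIC": "default password"},
        "ABAP_NOTES": {"9000001": "implemented", "9000002": "implemented"},
    },
    "DEV": {
        "ABAP_INSTANCE_PARAMS": {"login/min_password_lng": "8",
                                 "login/password_expiration_time": "90",
                                 "gw/acl_mode": "1", "rdisp/wp_no_dia": "5"},
        "STANDARD_USERS": {"SAP*": "password changed", "DDIC": "password changed"},
        "ABAP_NOTES": {"9000001": "implemented"},
    },
}

# Restricted item set for a security audit (None keeps the whole store);
# rdisp/wp_no_dia is deliberately not part of it.
SECURITY_ITEMS = {
    "ABAP_INSTANCE_PARAMS": ["login/min_password_lng",
                             "login/password_expiration_time", "gw/acl_mode"],
    "STANDARD_USERS": None,
    "ABAP_NOTES": None,
}


def create_target(source, keep):
    """Copy the source snapshot into a separate, editable target and filter
    it to the audit's items (the copy and filter steps of slide 44)."""
    target = {}
    for store, items in keep.items():
        values = deepcopy(source.get(store, {}))
        if items is not None:
            values = {k: v for k, v in values.items() if k in items}
        target[store] = values
    return target


def maintain(target, store, item, value):
    """Edit or add a target item (the maintain step), e.g. a note that has
    just been released on a Patch Day and must be implemented everywhere."""
    target.setdefault(store, {})[item] = value


def validate(target, ccdb, compared):
    """Compare each selected system's latest snapshot with the target.
    A finding is (store, item, expected, actual); no findings = compliant."""
    report = {}
    for sid in compared:
        snapshot, findings = ccdb[sid], []
        for store, items in target.items():
            for item, expected in items.items():
                actual = snapshot.get(store, {}).get(item, "<missing>")
                if actual != expected:
                    findings.append((store, item, expected, actual))
        report[sid] = findings
    return report


def dashboard(report):
    """Summary as shown by the management dashboard of slide 52."""
    return {"compliant": sorted(s for s, f in report.items() if not f),
            "non_compliant": sorted(s for s, f in report.items() if f)}
```

Because the target is a separate copy, maintaining a note in it (as `maintain` does) makes even the source system non-compliant until that note is really implemented there.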

Page 45

Configuration Validation

Target System Maintenance

Page 46

Configuration Validation

Drilldown Reporting

(Screenshot labels: Formatting, Drilldown Instance Name)

Page 47

New with Solution Manager 7.10

SAP Notes: System and Online Recommendations

ABAP_NOTES and JAVA_NOTES of a Target System can be filled with:
- System recommendations, which are the SAP Notes relevant for the source system
- Online recommendations, which are the SAP Notes from SAP Security List

Page 48

New with Solution Manager 7.10

ABAP Notes – Online recommendations from the SAP Security List

The SAP Notes from the SAP Security List
- Software and Kernel dependency of a Note is provided
- Only relevant SAP Notes for the source system can be inserted (the SAP Notes matching Components and Kernel Release from the source system)

(Screenshot labels: Software dependency, Kernel dependency)

Page 49

New with Solution Manager 7.10

ABAP Notes – System recommendations

The SAP Notes relevant for the source system can be restricted via
- Date Range
- Note Group – for example only Security and HotNews SAP Notes can be inserted
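As an added example (not SAP code and not part of the presentation), this Python sketch implements the "calculate delta" step of the process flow on Page 27 using the software and kernel dependency matching of Page 48 and the note-group restriction of this slide, and sorts the result into the three RSECNOTE categories of Page 22. The catalogue, component releases, SP levels and note numbers are all constructed.

```python
"""Added example (not SAP code): System Recommendations delta calculation
(slide 27) with the software/kernel dependency matching of slide 48, the
note-group restriction of slide 49 and the RSECNOTE result categories of
slide 22. Note numbers, components, releases and systems are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Note:
    number: int                 # constructed placeholder, not a real SAP Note
    group: str                  # note group, e.g. "Security" or "HotNews"
    software: dict              # component -> {release: first SP with the fix}
    kernel: Optional[tuple] = None  # (kernel release, first patch with the fix)


@dataclass
class ManagedSystem:
    sid: str
    components: dict            # component -> (release, installed SP level)
    kernel: tuple               # (kernel release, installed patch level)
    implemented: set = field(default_factory=set)   # applied via SNOTE or SP
    confirmed: set = field(default_factory=set)     # manually confirmed


def software_match(note, system):
    """A component release named by the note is installed and its SP level
    is below the SP that already contains the correction."""
    for comp, releases in note.software.items():
        if comp in system.components:
            release, sp = system.components[comp]
            if release in releases and sp < releases[release]:
                return True
    return False


def kernel_match(note, system):
    """The note's kernel patch is newer than the installed kernel patch."""
    if note.kernel is None:
        return False
    release, patch = system.kernel
    return release == note.kernel[0] and patch < note.kernel[1]


def classify(note, system):
    """RSECNOTE category, or 'not relevant' when neither dependency matches
    (wrong release, or the fix is already contained in the installed level)."""
    if not (software_match(note, system) or kernel_match(note, system)):
        return "not relevant"
    if note.number in system.implemented:
        return "implemented"
    if note.number in system.confirmed:
        return "manually confirmed"
    return "requires implementation"


def calculate_delta(catalog, system, groups=None):
    """Delta information for one system, optionally restricted to note
    groups (slide 49). Returns {category: sorted note numbers}."""
    result = {"requires implementation": [], "implemented": [],
              "manually confirmed": []}
    for note in catalog:
        if groups and note.group not in groups:
            continue
        status = classify(note, system)
        if status in result:
            result[status].append(note.number)
    return {k: sorted(v) for k, v in result.items()}


def cross_system_report(catalog, systems, groups=None):
    """Cross-system view (slide 34): notes still open per system."""
    return {s.sid: calculate_delta(catalog, s, groups)["requires implementation"]
            for s in systems}


# Constructed note catalogue and landscape (none of these are real SAP Notes).
CATALOG = [
    Note(9000001, "Security", {"SAP_BASIS": {"702": 12, "731": 5}}),
    Note(9000002, "HotNews", {"SAP_BASIS": {"731": 7}}, kernel=("720", 400)),
    Note(9000003, "Security", {"SAP_APPL": {"604": 10}}),
    Note(9000004, "Performance", {"SAP_BASIS": {"702": 14}}),
]
PRD = ManagedSystem("PRD", {"SAP_BASIS": ("702", 9), "SAP_APPL": ("604", 11)},
                    kernel=("720", 300), implemented={9000001})
CRM = ManagedSystem("CRM", {"SAP_BASIS": ("731", 4)},
                    kernel=("720", 500), confirmed={9000001})
```

Note 9000003 is dropped for PRD because SAP_APPL 604 SP 11 already contains the correction, while 9000002 stays open on PRD only through its kernel dependency.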

Page 50

New with Solution Manager 7.10 SP 2

Use Case – Predefined Reports about Security Notes

Page 51

New with Solution Manager 7.10 SP 2

Use Case – Predefined Reports about Security Notes (continued screenshot)

Page 52

New with Solution Manager 7.10 SP 3

Management Dashboard

WebDynpro ABAP Application MY_DASHBOARD

The dashboard apps show the validation results of the comparison of selected systems with a target system.

Page 53

Further Information and Contact

Configuration Validation

Configuration Validation @ Service Market Place
https://service.sap.com/diagnostics
END-TO-END ROOT CAUSE ANALYSIS
- Demos
- Presentations
- Configuration Guide (goon in folder ‘media library’)

Configuration Validation @ SDN
http://wiki.sdn.sap.com/wiki/display/TechOps/ConfVal_Home
- Best Practice

Page 54

Configuration Validation: EGI session

Get in-depth knowledge of the Configuration Validation functionality with the Expert Guided Implementation (EGI) service.

The EGI gives the participants the opportunity to set up ready-to-use Configuration Validation Reports in their own SAP Solution Manager.
- Participants have direct access to an SAP expert who directly supports them remotely, if necessary, during the execution
- Participants execute demonstrated steps within their own project, on their own SAP environment
- SAP expert explains step-by-step configuration using training materials

Empowering, Web session, 1-2 h. each morning
Expertise on demand, during execution
Training, practical experience, remote consulting
Execution, 2-3 h. on the same day

More information on available EGI topics and booking information can be found here: https://service.sap.com/esacademy (EGI Registration)

Page 55

Thank You!

Contact information:

SAP Active Global Support – Security Services

[email protected]