Security Patch Process . . or how best to protect your data and keep the availability of your SAP solutions
SAP Active Global Support, July 2012
© 2012 SAP AG. All rights reserved. 2
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a
purchase decision. This presentation is not subject to your license agreement or any other agreement
with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This presentation and SAP's
strategy and possible future developments are subject to change and may be changed by SAP at any
time for any reason without notice. This document is provided without a warranty of any kind, either
express or implied, including but not limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP intentionally or grossly negligent.
Abstract
Software security remains a critical topic of interest to all companies and to the information technology industry.
The security of a specific system also depends significantly on the secure installation and operation of that system. SAP has gained a lot of experience from its support for and engagement with numerous customers. It uses the resulting best practices not only for further improvements and enhancements of its support offering, but also makes them available as recommendations, services and tools directly to its customers.
In this presentation you will learn about the self-services and tools available for security, centered around the “Security Notes” section in the EarlyWatch Alert report.
Using the new application System Recommendations within the SAP Solution Manager you can track down critical Security Notes which are required for your systems.
You will also get additional information about Configuration Validation, which can be used to analyze the security configuration of single systems as well as of the complete system landscape.
Agenda
1. Security Patch Process
2. Security Tools and Services
– EarlyWatch Alert (EWA) – Security Chapter
– Security Notes Report (RSECNOTE)
– System Recommendations
– Configuration Validation
SAP Introduces Monthly Security Patch Day
SAP Security Patch Day
– Regular Patch Day every second Tuesday of a month
– Based on feedback from customers and SAP User Groups
Benefit 1: Better planning for SAP Security Notes with a dedicated, regular schedule
Benefit 2: More efficient review and selection of SAP Security Notes relevant for an organization
Benefit 3: More efficient patching of SAP systems as it is on the same day as with other software providers
Security Notes
Security Notes
■ are standard SAP Notes / HotNews
■ with information about known security vulnerabilities
■ and appropriate countermeasures (correction instruction, configuration, service pack, upgrade, manual measures)
They can be found here: http://service.sap.com/securitynotes
■ Each customer has to review this list regularly and verify for each entry whether the security note applies to its systems or not, and what to do if necessary
Security Notes in the Service Marketplace: https://service.sap.com/securitynotes → “Security Notes Search”
The rightmost column “Automatic check in EWA” shows which security notes get checked in the EarlyWatch Alert and with the tool RSECNOTE.
Security Notes in the Service Marketplace: https://service.sap.com/securitynotes → “my Security Notes”
If your systems are registered in the SAP Service Marketplace, then you can easily work with the filter “by System”.
If this is not the case, then you cannot use the filter “by System”; however, we do not recommend using the filter “by Product” for searching for Security Notes.
Limitation: you have to remove implemented notes manually from the list.
Security Notes in the Service Marketplace
SAP Support Portal Newsletter
Classification of Security Notes by Type
1. ABAP Correction Instructions: use Note Assistant (transaction SNOTE) to implement the correction, or apply the Support Package
2. ABAP software-like manual corrections: implement the correction manually, e.g. deactivate a web-based service
3. Kernel Notes: install a new Kernel
4. Java Notes: install Java Support Packages or Patches
5. Notes about other components: individual procedure to update the Database, SAPGUI, RFC Library, Business Objects, Sybase, ...
6. Other manual instructions: anything else; sometimes described in White Papers
Classification of Security Notes by Implementation Process
1. Implementation as part of a monthly standard patch process, e.g. for ABAP Correction Instructions or ABAP software-like manual corrections
2. Implementation as part of a project, e.g. for notes about other components or other manual instructions
3. Implementation as part of maintenance activities, e.g. Support Package upgrade, Kernel upgrade, Java upgrade
4. Implementation after maintenance activities, e.g. manual instructions which require a Support Package upgrade or Kernel upgrade as a prerequisite
Preparation for the Patch Process
– Define the “Patch Day Roadmap”
– Define the responsible person (CERT) who decides about (not) implementing SAP Security Notes
– Define the responsible person (IT) for the security patch process of your SAP systems
– Register the responsible person in the SAP Service Marketplace as the Security Contact (https://www.service.sap.com/securitycontacts)
– Check the status of the SAP Solution Manager (release and SP level; plan for an upgrade if required)
– Define the methods and tools for identifying and analyzing new SAP Security Notes
– Define the teams, testing methods and tools for regression testing of productive business processes
– Define the workflow for exceptional and regular transports
Security Maintenance Management
General Process Overview for testing SPs and Security Notes (process diagram; recoverable content):
– Monthly Security Patches: apply single correction(s) for the latest Security Note(s) as immediate risk mitigation; exceptions require manual adjustments; individual testing with Solution Manager Test Management.
– Integration into Maintenance: download and apply Support Packages containing the latest Security Notes, with manual adjustments where needed; Solution Manager Test Management: regression tests; Solution Manager Quality Gate Management: no additional functional test.
– Common flow for both tracks: change of a potential bug → Testing → Deploy Changes → Go Live; otherwise No Action needed.
HOW SAP Solution Manager Security Services support your security patch management (timeline diagram; recoverable content):
– Security Patch Day of SAP: monthly on the 2nd Tuesday.
– The week after the Patch Day: check System Recommendations in Solution Manager; check Service Marketplace /securitynotes; check EarlyWatch Alert / RSECNOTE; perform the risk assessment.
– Within one month (“Apply it now!”): apply Security Notes; update Configuration Validation checks in Solution Manager; apply additional manual configuration of Security Notes if necessary; complete test.
– During the next maintenance cycle (“Scheduled implementation!”): apply Kernel Patches, Java Patches and ABAP Support Packages; perform individual regression test.
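As an added illustration of the roadmap above (example code, not part of the original presentation or of any SAP tool), the following Python script computes the Patch Day of a month, maps each Security Note type to its implementation process, derives the due date for the "within one month" and "next maintenance cycle" tracks, and flags notes that are overdue. The note numbers, note types and the maintenance date are constructed sample values.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Note type (slide "Classification by Type") -> implementation process
# (slide "Classification by Implementation Process").
PROCESS_FOR_TYPE = {
    "abap_correction": "monthly",      # 1. ABAP correction instructions (SNOTE)
    "abap_manual": "monthly",          # 2. ABAP software-like manual corrections
    "kernel": "maintenance",           # 3. Kernel notes: install a new kernel
    "java": "maintenance",             # 4. Java support packages / patches
    "other_component": "project",      # 5. DB, SAPGUI, RFC library, ...
    "manual_other": "project",         # 6. other manual instructions
}

def patch_day(year: int, month: int) -> date:
    """SAP Security Patch Day: the second Tuesday of the given month."""
    first = date(year, month, 1)
    days_to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)

def next_patch_day(after: date) -> date:
    """First Patch Day strictly after the given date."""
    year, month = after.year, after.month
    while True:
        day = patch_day(year, month)
        if day > after:
            return day
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)

@dataclass
class SecurityNote:
    number: str                  # constructed placeholder, not a real SAP Note number
    note_type: str
    released: date
    needs_maintenance_first: bool = False   # process 4: only after an SP/kernel upgrade

@dataclass
class Task:
    note: str
    process: str
    due: Optional[date]          # None: handled as a project, no fixed date

def plan(notes, next_maintenance: date):
    """Assign every note to a process track and a due date."""
    tasks = []
    for n in notes:
        process = PROCESS_FOR_TYPE[n.note_type]
        if n.needs_maintenance_first:
            process = "after_maintenance"
        if process == "monthly":
            # "Apply it now!": within one month, i.e. before the next Patch Day
            due = next_patch_day(n.released)
        elif process in ("maintenance", "after_maintenance"):
            due = next_maintenance     # "Scheduled implementation!"
        else:
            due = None
        tasks.append(Task(n.number, process, due))
    return tasks

def overdue(tasks, today: date):
    """Notes whose due date has passed (still open in this sample)."""
    return [t.note for t in tasks if t.due is not None and t.due < today]

if __name__ == "__main__":
    released = patch_day(2012, 7)   # constructed sample: notes from the July 2012 Patch Day
    notes = [SecurityNote("note_A", "abap_correction", released),
             SecurityNote("note_B", "kernel", released)]
    tasks = plan(notes, next_maintenance=date(2012, 10, 6))
    print(tasks, overdue(tasks, date(2012, 8, 20)))
```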
The Role of EarlyWatch Alert (EWA) for Security
SAP EarlyWatch Alert (EWA) (see http://service.sap.com/ewa)
SAP EarlyWatch Alert is an important part of making sure that your core
business processes work. It is a tool that monitors the essential
administrative areas of SAP components and keeps you up to date on their
performance and stability. SAP EarlyWatch Alert runs automatically to keep
you informed, so you can react to issues proactively, before they become
critical.
Security in the EarlyWatch Alert:
The EWA Report includes selected information on critical security observations
– SAP Security Notes: ABAP and Kernel Software Corrections
– Default Passwords of Standard Users
– Password Policy
– Gateway and Message Server Security
– Users with Critical Authorizations
More detailed and additional information can be found with the help of the security self-services
EarlyWatch Alert Chapter “Security”
Overview
EarlyWatch Alert Chapter “Security”
SAP Security Notes
This chapter in the report indicates that Security Notes which can be identified using the tool RSECNOTE are missing in your system.
Absence of this chapter does not guarantee that all applicable SAP Security Notes available at http://service.sap.com/securitynotes are applied to this system.
Check for Security-Related SAP Notes
Using Transaction ST13 Tool RSECNOTE
Execute tool RSECNOTE within transaction ST13. A special authorization is required to execute this tool (see SAP Note 888889 for details).
Transaction ST13 Tool RSECNOTE
Result
The result can be sent via mail, too.
The tool RSECNOTE shows security-related notes which should be implemented for this system.
Transaction ST13 Tool RSECNOTE
Result
RSECNOTE lists three categories:
- Security Notes that require implementation
- Security Notes that are successfully implemented
- Security Notes that are manually confirmed
Please note: RSECNOTE focuses on SAP Security HotNews (as far as technically clearly identifiable) and selected additional Security Notes. Check http://service.sap.com/securitynotes for additional SAP Security Notes relevant for your systems.
Cross-System check for Security Notes
Report ZSECNOTE_CENTRAL @ SDN
SDN Code Exchange https://cw.sdn.sap.com/cw/groups/cross-system-check-for-security-notes
System Recommendations
To keep your SAP systems up-to-date and secure you have to apply various types of notes and patches. System Recommendations shows all relevant notes and patches for the selected systems and helps you to easily keep all of your systems up-to-date.
System Recommendations: Overview
Advantages & Features
– Provides a detailed recommendation of SAP notes and non-SAP notes which should be implemented, based on the actual status of the system and already implemented notes
– The recommendations comprise the following note categories: Security notes; Performance-relevant notes; HotNews; Legal change notes; Correction notes / Patch notes
– Powerful calculation method for notes provides a comprehensive recommendation for the selected system
– Increase system security by applying up-to-date security-relevant notes exactly tailored for the respective system
– Integration into Change Request Management to directly create Change Requests for the selected notes
– Easy-to-use filter settings allow exact selection of system or solution
System Recommendations: Process Flow (diagram; steps in order)
1. Customer: select system to check & update
2. Connect to SAP Global Support Backbone
3. Retrieve system information (SP level, patch level, notes, ...)
4. SAP: calculate delta information (latest relevant notes, etc.)
5. Send information back to the customer’s SAP Solution Manager system
6. Show relevant notes of the system(s) via System Recommendations or Configuration Validation
How System Recommendations supports your security process flow
– SAP Patch Day (Tuesday): SAP releases security patches every second Tuesday
– System Recommendations: identifies the relevant patches for the selected system(s); the selected relevant patches are applied to the SAP system
– Configuration Validation: security validation is done in the Configuration Validation, which provides a report focusing on the implementation status of the applied security notes
System Recommendation AGS Workcenter – Change Management
Quicklink for Easy Access Menu:
WebDynpro WDC_NOTE_CENTER
System Recommendations: Key Elements
– BW reporting as of SolMan 7.10 SP 3
– Filter by solution, product system, technical system and date
– Filter by application component
– Integration of Change Request Management and Maintenance Optimizer
– Status management and filter
– Settings
– Export to Excel
– Structured recommendations
– Multiple views
System Recommendations: Key Elements
Integration of Change Request Management and Maintenance Optimizer
System Recommendations: Setup
The following steps are necessary to set up System Recommendations:
Prerequisites:
– The SAP-OSS RFC connection needs to be set up correctly
– All managed systems have to be connected to SAP Solution Manager and documented in transaction SMSY, and they have to be assigned to a product system and to a solution
– Authorization object SM_FUNCS controls access to and visibility of tabs in System Recommendations
To collect this data automatically for use within System Recommendations you can set up a batch job in the “Settings” area of System Recommendations.
System Recommendations is part of the “Change Management” Work Center in SAP Solution Manager.
Blog: http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/24227
Online Help: http://help.sap.com/saphelp_sm70ehp1_sp26/helpdata/en/83/68fad4952d42a192469fa02586aeff/frameset.htm
Important Notes:
– Note 1554475: System Recommendations - corrections for SP26
– Note 1577059: SysRec: No RFC authorization
– Note 1624914: SysRec: Corrections for performance issue in SP26 & 27
– Note 1634132: SysRec: Corrections for performance issue in 7.1 SP 1-3
Cross-System check for System Recommendations
Report ZSYSREC_NOTELIST @ SDN for SolMan 7.00
SDN Code Exchange: https://cw.sdn.sap.com/cw/groups/cross-system-check-for-security-notes
Cross-System check for System Recommendations
Integrated BW Reporting as of SolMan 7.10 SP 3
List SAP notes not yet implemented in the systems of the selected solution, within the specified time period.
Cross-System check for System Recommendations
Explicit BW Reporting as of SolMan 7.10 SP 3
Select a note area, or select notes which have been classified as ‘important’ by your CERT department (CERT = Computer Emergency Response Team), and save the view.
Using the predefined report 0TPL_0SMD_VCA2_SYS_RECOM_NOTES of the application “Configuration Validation” you can define arbitrary selections, filters and views for a cross-system report based on the results of the application “System Recommendations”.
Extended Functions in System Recommendations
as of SolMan 7.10 SP 5
– Download selected notes into Note Assistant (SNOTE) of the managed system
– Show object list for selected ABAP notes
– Additional information:
+ Note contains automatic correction instruction (SNOTE)
+ Note contains manual correction instruction
+ Note references a Kernel Patch
+ ABAP Support Package which contains the solution
– New list view
– Filter and sort list
– Execute Business Process Change Analyzer (BPCA) to identify business processes which should be tested
Extended Functions in System Recommendations
as of SolMan 7.10 SP 5
Show object list for selected ABAP notes
Extended Functions in System Recommendations
as of SolMan 7.10 SP 5
Execute Business Process Change Analyzer (BPCA) to identify business processes which should be tested
Business Process Change Analyzer (BPCA)
Online Help - Analyzing Business Processes Affected by Changes http://help.sap.com/saphelp_sm71_sp01/helpdata/en/d7/e0f086fa3440c3bc2debad74ecda22/frameset.htm
Prerequisites to use the Business Process Change Analyzer (BPCA) for test preparation:
– Document business processes in an SAP Solution Manager project.
– Create a “Technical Bill of Material” (TBOM) for critical business transactions.
How-to Guide for BPCA https://service.sap.com/~sapidb/011000358700000932192009E
End-to-End Integration Testing of SAP Solutions using Business Process Change Analyzer http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/600defe0-48ed-2c10-51be-84349d14b8d8
Consider Customers’ Situation of Today …
Typical questions in a large, complex SAP landscape:
– Are all our CRM systems compliant with the new Configuration Baseline? … not compliant … which systems? What exactly?
– Are security settings applied? … on all systems? … could you please confirm and report?
– Have we imported transport request xxxx (with important performance changes) on all systems? … could I have a list of the systems where it is still missing?
– Are the OS, DB, software and Kernel on the certain / latest level? … on all systems? … please show me.
– Have we applied SAP Note xxxxx on all systems? … please report the implementation status for all systems.
Challenges: a large number of systems … a complex SAP landscape … the need to compare the current configuration status against a defined target or standard configuration baselines … with minimum effort and ASAP.
Configuration Validation
Architecture Overview (diagram; recoverable content):
– Data sources: ABAP based installations (via Solution Tool Plugins) and JAVA based installations (via Diagnostics Agents), collected once a day by the Extractor Framework (EFWK) into the Configuration and Change Database (CCDB) of Solution Manager EHP1.
– Target System Maintenance: existing system configurations are copied from the CCDB into a DB table and maintained manually as customer defined system configurations / baselines.
– Configuration Validation Reporting: the Virtual InfoProvider 0SMD_VCA1 and a function module provide Configuration Validation and Change Reporting as interactive BI based reporting.
Content Deliverables – Configuration Items Overview
Layers: Application, Kernel, Database, Operating System
– Software Release Validation: Support Package Stack; Software Component Versions; Implemented SAP Notes; Imported ABAP Transports; Web AS ABAP Kernel Release; Java VM version; Web AS Java Release; Database Release; Operating System Release
– SAP Product specific settings: PI/XI specific configuration; BI specific configuration; BIA specific configuration
– Parameter Validation: ABAP Instance Parameters; Java VM parameters for J2EE; Database Parameters; Operating System Environment Settings
– Security: Standard Users; Gateway Secinfo; Gateway Reginfo
Possible Reference Systems / Configuration Baselines
1. Reference is an Existing System
– Data stored in the Configuration and Change Database (CCDB)
– Latest available snapshot used for comparison
– No changes of configuration items are allowed
2. Reference is a Target System
– Content of an existing configuration is copied into a separate database table
– Copied configuration items can be edited to match a specific audit task
– Reference system should contain a restricted number of configuration items
(Diagram: the reference is either an Existing System (CCDB) or a Target System (DB table) created from an existing system by copy, filter and maintain; the compared systems are Existing Systems (CCDB).)
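As an added example of the target-system approach described above (example code, not from the presentation and not SAP's implementation), the Python script below copies the configuration of a reference system into an editable target, filters it to a restricted set of configuration items, lets the target be maintained for the audit, and then compares the other systems of the landscape against it. The CCDB content is a constructed sample; the system names and note numbers are placeholders, and the parameters login/min_password_lng and gw/sec_info are real ABAP profile parameters used here only as illustrative items.

```python
from copy import deepcopy

# Constructed sample snapshot of the CCDB: system -> configuration store -> item -> value.
# System names and note numbers are placeholders, not real SAP systems or SAP Notes.
CCDB = {
    "ERP_PRD": {
        "ABAP_NOTES": {"note_A": "implemented", "note_B": "implemented"},
        "ABAP_INSTANCE_PARAMETERS": {"login/min_password_lng": "8",
                                     "gw/sec_info": "$(DIR_DATA)/secinfo",
                                     "rdisp/wp_no_dia": "20"},
        "STANDARD_USERS": {"SAP*": "password changed"},
        "KERNEL": {"release": "720", "patch_level": "400"},
    },
    "ERP_QAS": {
        "ABAP_NOTES": {"note_A": "implemented"},
        "ABAP_INSTANCE_PARAMETERS": {"login/min_password_lng": "6",
                                     "gw/sec_info": "$(DIR_DATA)/secinfo"},
        "STANDARD_USERS": {"SAP*": "password changed"},
        "KERNEL": {"release": "720", "patch_level": "400"},
    },
    "CRM_PRD": {
        "ABAP_NOTES": {"note_A": "implemented", "note_B": "implemented"},
        "ABAP_INSTANCE_PARAMETERS": {"login/min_password_lng": "8"},
        "STANDARD_USERS": {"SAP*": "default password"},
        "KERNEL": {"release": "720", "patch_level": "300"},
    },
}

def create_target(ccdb, reference, keep):
    """Copy the reference system's configuration into an editable target ("copy"),
    restricted to the given stores ("filter"): keep maps store -> list of items,
    or store -> None to keep the whole store."""
    target = {}
    for store, items in keep.items():
        source = ccdb[reference][store]
        if items is None:
            target[store] = deepcopy(source)
        else:
            target[store] = {i: source[i] for i in items if i in source}
    return target

def compare(ccdb, target, systems):
    """Compare each system's latest snapshot with the target.  Returns
    system -> list of (store, item, expected, actual); an empty list means compliant.
    An item that is absent on the compared system is reported with actual=None."""
    findings = {}
    for system in systems:
        deviations = []
        for store, items in target.items():
            actual_store = ccdb[system].get(store, {})
            for item, expected in items.items():
                actual = actual_store.get(item)
                if actual != expected:
                    deviations.append((store, item, expected, actual))
        findings[system] = deviations
    return findings

def systems_missing_note(ccdb, note, systems):
    """'Have we applied SAP Note X on all systems?': the systems where it is missing."""
    return [s for s in systems if ccdb[s].get("ABAP_NOTES", {}).get(note) != "implemented"]

if __name__ == "__main__":
    # Build the security baseline from ERP_PRD, keeping only security-relevant items ...
    target = create_target(CCDB, "ERP_PRD", {
        "ABAP_NOTES": None,
        "ABAP_INSTANCE_PARAMETERS": ["login/min_password_lng", "gw/sec_info"],
        "STANDARD_USERS": ["SAP*"], "KERNEL": ["patch_level"]})
    # ... then maintain the copied target: the audit demands a newer kernel patch level.
    target["KERNEL"]["patch_level"] = "401"
    for system, deviations in compare(CCDB, target, sorted(CCDB)).items():
        print(system, "compliant" if not deviations else deviations)
    print("note_B missing on:", systems_missing_note(CCDB, "note_B", sorted(CCDB)))
```

Using the reference system itself unedited (the "existing system" variant) makes it compliant by construction, which is the quick sanity check to run before trusting a report over the whole landscape.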
Configuration Validation
Target System Maintenance
Configuration Validation
Drilldown Reporting (formatting; drilldown by instance name)
New with Solution Manager 7.10
SAP Notes: System and Online Recommendations
ABAP_NOTES and JAVA_NOTES of a Target System can be filled with:
– System recommendations, which are the SAP Notes relevant for the source system
– Online recommendations, which are the SAP Notes from the SAP Security List
New with Solution Manager 7.10
ABAP Notes – Online recommendations from the SAP Security List
– The SAP Notes from the SAP Security List
– Software and Kernel dependency of a Note is provided
– Only relevant SAP Notes for the source system can be inserted (the SAP Notes matching Components and Kernel Release from the source system)
(Screenshot columns: Software dependency, Kernel dependency)
New with Solution Manager 7.10
ABAP Notes – System recommendations
The SAP Notes relevant for the source system can be restricted via:
– Date Range
– Note Group, for example only Security and HotNews SAP Notes can be inserted
New with Solution Manager 7.10 SP 2
Use Case – Predefined Reports about Security Notes
New with Solution Manager 7.10 SP 3
Management Dashboard
WebDynpro ABAP Application MY_DASHBOARD: the dashboard apps show the validation results of the comparison of selected systems with a target system.
Further Information and Contact
Configuration Validation
Configuration Validation @ Service Marketplace: https://service.sap.com/diagnostics → END-TO-END ROOT CAUSE ANALYSIS
– Demos
– Presentations
– Configuration Guide (in folder ‘media library’)
Configuration Validation @ SDN: http://wiki.sdn.sap.com/wiki/display/TechOps/ConfVal_Home
– Best Practice
Configuration Validation: EGI session
Get in-depth knowledge of the Configuration Validation functionality with the Expert Guided Implementation (EGI) service.
The EGI gives the participants the opportunity to set up ready-to-use Configuration Validation Reports in their own SAP Solution Manager.
– Empowering: Web session, 1-2 h. each morning; the SAP expert explains the step-by-step configuration using training materials
– Execution: 2-3 h. on the same day; participants execute the demonstrated steps within their own project, on their own SAP environment
– Expertise on demand, during execution: participants have direct access to an SAP expert who supports them directly and remotely, if necessary, during the execution
– Training, practical experience, remote consulting
More information on available EGI topics and booking information can be found here: https://service.sap.com/esacademy (EGI Registration)