ADM960 Flashcards Jmx

ADM960 – SAP Security consultant certification flashcards – [email protected] 

What are the 7 goals of security?

• Authentication: the process of establishing a user's "real" identity
• Authorization: what the identified user is allowed to do
• Confidentiality: communications are kept private
• Integrity: none of the information has been tampered with
• Repudiation: denying that you have done something
• Non-repudiation: a user cannot deny having done something
• Availability: users get to their resources when they need them

What is behind the threat "Planting"? An attacker who has gained access to a system plants a program (a backdoor) that lets them get back into that computer later.

What are the 11 threats listed in the course?

Penetration, Authorization violation, Planting, Eavesdropping, Tampering, Denial of service, Repudiation, Flooding, Masquerading, Spoofing, Buffer overflow

What is behind the threat "Tampering"?

An attacker who has taken over a connection can communicate with both the client and the server (a man in the middle). Once the connection is hijacked, the attacker can alter the data in transit.

Which kind of attack makes the server unavailable? There are several ways to do this, such as cutting the network cable, physically destroying the server, or unplugging it from the network.

A denial of service (DoS)


What is it called when a program modifies the source IP address of a TCP/IP packet to fool the network into thinking the packet comes from inside the network?

Spoofing

When an application receives data it is not expecting or prepared for, unpredictable results can occur, which can lead to a vulnerability in the server. What is this threat called?

Buffer overflow

What are the 3 categories of safeguards?

• Technical safeguards (for example firewall, encryption, PKI, certificates, access control)

• Organizational safeguards (for example rules or guidelines)

• Environmental safeguards (for example fire detection)

What are the 3 types of security policy?

• General security policy
• IT security policy
• Configuration documentation

Which protocol is used between the SAP GUI and the server? The DIAG protocol


Which protocol is used between SAP servers? RFC (Remote Function Call)

Which SAP product transforms the traditional SAP applications into web-based transactions, so that they are accessible using Internet technology?

The ITS (Internet Transaction Server)

What is the end-user interface for web-based information? The SAP Web GUI

What are the 2 main components of the ITS?

• Web gate (WGate), which resides on the web server
• Application gate (AGate)

ITS configuration: What is the difference between a single host configuration and a dual host configuration?

Single host: AGate and WGate on the same host (the web server)

Dual host: AGate installed on a separate host


What are the 7 layers of the OSI model?

7 Application layer: program-to-program (HTTP)
6 Presentation layer: manages data representation
5 Session layer: communication channels
4 Transport layer: end-to-end integrity (TCP, SPX)
3 Network layer: routes data (IP)
2 Data link layer: physical passing of data (Ethernet)
1 Physical layer: putting data onto the network

Information sent across a network is not intended just for a computer; it is intended for a program on that computer. How are the programs distinguished?

The programs are distinguished by their port.

Which command displays all connections and listening ports on your computer? netstat -a

What are the default SAP ports? (<nn> is the instance number)

Internet Communication Manager (ICM): HTTP port 80<nn>
Dispatcher: 32<nn> (front end)
Message server: 36<nn> (other SAP systems)
Gateway: 33<nn> (external systems)
Print service (lpd): 515

What are the ports used by the ITS?

Between the client and the web server: 80 (HTTP), 443 (HTTPS)
Between WGate and AGate: 3900 or 3909
AGate to dispatcher: 32<nn> (front end)
AGate to message server: 36<nn> (other SAP systems)
AGate to gateway: 33<nn> (external systems)


What is a system (or a combination of systems) called that protects a networked system from unauthorized or unwelcome access?

A firewall

What are the two most common types of firewalls?

• Packet filters (network and data link layers)
• Application proxies (application and transport layers); SAProuter acts as a DIAG/RFC proxy

Which SAP product is used as a DIAG/RFC proxy? SAProuter

What are the 4 functions of SAProuter?

• Control and log the connections to your SAP system
• Allow access only from the SAProuters you have selected
• Protect your connection and data from unauthorized access
• Allow only encrypted connections from a known partner

SAProuter: which file contains the list of connections that are denied or permitted? The route permission table, saprouttab


What is the structure of a saprouttab entry?

[D|P|S]{#before,#after} <source> <target> <service> {password}

D: deny the connection
P: permit the connection
S: permit only SAP protocol connections
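To make the entry format concrete, here is an added example (not SAProuter's own code) that parses a small constructed saprouttab and answers "is this connection permitted?" the way the flashcard describes: entries are evaluated top to bottom, the first match decides, `*` is a wildcard in the host and service fields, `S` entries accept the SAP protocol only, a route password must be presented when the entry carries one, and a request that matches no entry is refused. The `{#before,#after}` byte-limit options and hostname resolution are not modelled, and the table contents are invented for the example.

```python
"""Route-permission check modelled on the saprouttab entry format.

Added example, not SAP's SAProuter code. Assumed semantics:
  * one entry per line:  <D|P|S> <source> <target> <service> [<password>]
  * '#' starts a comment; blank lines are skipped
  * entries are evaluated top to bottom, the first match decides
  * '*' is a wildcard in host and service fields (e.g. 10.1.0.*)
  * a connection matching no entry is refused
  * {#before,#after} byte limits and name resolution are not modelled
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Route:
    action: str         # D = deny, P = permit, S = permit SAP protocol only
    source: str         # client host (IP or name, may contain '*')
    target: str         # destination host
    service: str        # destination port or service name
    password: str = ""  # optional route password the client must present


def parse_saprouttab(text: str) -> list:
    """Parse the table into Route objects; malformed lines raise ValueError."""
    routes = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("D", "P", "S"):
            raise ValueError(f"saprouttab line {lineno}: malformed entry {raw!r}")
        password = fields[4] if len(fields) > 4 else ""
        routes.append(Route(fields[0], fields[1], fields[2], fields[3], password))
    return routes


def decide(routes, source, target, service, sap_protocol=True, password=""):
    """Return 'permit' or 'deny' for one connection request (first match wins)."""
    for r in routes:
        if not (fnmatchcase(source, r.source) and fnmatchcase(target, r.target)
                and fnmatchcase(service, r.service)):
            continue
        if r.action == "D":
            return "deny"
        if r.action == "S" and not sap_protocol:
            return "deny"           # S accepts DIAG/RFC (NI protocol) only
        if r.password and r.password != password:
            return "deny"           # route password missing or wrong
        return "permit"
    return "deny"                   # no matching entry: refuse


def over_broad_entries(routes):
    """Indexes of P/S entries that permit any source host to any target host."""
    return [i for i, r in enumerate(routes)
            if r.action != "D" and r.source == "*" and r.target == "*"]


# Constructed table for the example (not copied from any real installation)
SAPROUTTAB = """\
# support LAN may reach the dispatcher of sapprod (instance 00), with a route password
P 10.1.0.* sapprod 3200 s3cret
# same LAN may reach the gateway, SAP protocol only
S 10.1.0.* sapprod 3300
# one admin host may reach port 3299
P 10.1.0.50 sapprod 3299
# everything else is refused explicitly
D * * *
"""

ROUTES = parse_saprouttab(SAPROUTTAB)

if __name__ == "__main__":
    print(decide(ROUTES, "10.1.0.7", "sapprod", "3200", password="s3cret"))   # permit
    print(decide(ROUTES, "10.1.0.7", "sapprod", "3200"))                       # deny
    print(decide(ROUTES, "192.168.5.5", "sapprod", "3200", password="s3cret"))  # deny
    print(over_broad_entries(ROUTES))                                          # []
```

The explicit `D * * *` at the end documents the intended default; `over_broad_entries` is the check a reviewer runs first on a real table, because a single `P * * *` turns the SAProuter into an open relay to the back end.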

Which product is used as a "software web switch" between the Internet and your SAP systems (several Web AS instances) and can also be used as a URL filter?

The SAP Web Dispatcher

What is a DMZ?

DMZ stands for DeMilitarized Zone. A DMZ can be described as a network added between a protected network and an external network in order to provide an additional layer of security.

Which kind of systems can notify the administrator of attempts to attack the network or system?

IDS, Intrusion Detection System

What are the 2 types of IDS?

• Network-based IDS: misuse detection (signatures, e.g. virus patterns) and anomaly detection
• Host-based IDS: host sensor


Which kind of server translates the logical name into the physical address, i.e. the domain name into the IP address?

DNS

What is the safeguard against eavesdropping? Encryption

What are the 3 types of encryption?

Symmetric encryption (single Secret Key)

Asymmetric encryption (Public, Private key)

Hybrid encryption, combining symmetric and asymmetric encryption (public key, private key and secret key)

What are the 2 obstacles of symmetric encryption?

Transferring the secret key safely. Distributing the secret key for a large number of communication partners.

What are the 2 disadvantages of public key encryption?

• It is slower than in symmetrical key encryption.

• Encryption is only possible in one direction with a single key pair: Alice can encrypt a message to send to Bob, but not vice versa.


What is the safeguard against masquerading? Authentication (user ID/password or cryptography)

What is used to authenticate individuals using cryptography?

The person receives a digital certificate. It can be compared to a passport in the "real world": a digital identity card.

What is the complete infrastructure that manages the issuing and verification of certificates called?

A Public-Key Infrastructure (PKI)

What is the use of the distinguished name?
• It specifies the owner's identity
• It appears in the owner's certificate as the Subject

What are the different parts of a distinguished name?

CN=Common Name, OU=Organizational Unit, O=Organization, C=Country


What are the 3 functions of the Certification Authority?

• It issues the certificate
• The issued certificate is digitally signed by the CA (the official stamp)
• Its role is to ensure that the public key (which matches the private key) belongs to a specific person or server

How is the CA trusted technically?

The CA also possesses a digital certificate, called the CA root certificate. Alice needs the CA's root certificate to verify the digital signature on the web server's certificate. The most common CA root certificates are preinstalled in the most widely used web browsers.

SAP also operates a CA that issues digital certificates to customers. What is the digital certificate issued by the SAP Trust Center Service called?

The SAP Passport

Which safeguard answers the threat of tampering (denial, message alteration)? The digital signature

Which 3 security goals does a digital signature address?

Integrity: the document has not been modified
Authentication: Alice is who she claims to be
Non-repudiation: Alice cannot deny having signed the document


Which key is used to create the digital signature? The private key of the signer

What are the 3 characteristics of hash algorithms?

• They reduce a document to a digest of fixed length (for example 128 bits for MD5)
• They are one-way: the original document cannot be recovered from the digest
• They are collision-resistant: it is highly unlikely that a second input produces the same digest

What does the Personal Security Environment (PSE) contain?

It is the storage location for a server's security information and contains:

• The private key
• The server's public-key certificate
• The certificates of trusted CAs (certificate list)

In which 4 cases does Secure Store and Forward (SSF) provide security for SAP data and documents?

• Data leaves the SAP system
• Data is stored on insecure media
• Data is transmitted over insecure networks
• Data security is associated with persons and individuals

Which 3 security goals does SSF address? Integrity, privacy (confidentiality), authentication


What is the SAP default library for SSF? The SAP Security Library (SAPSECULIB), the default security library provided by SAP for SSF

What is the SAP default library for SNC and SSL? The SAP Cryptographic Library (SAPCRYPTOLIB), the default security library provided by SAP for SNC and SSL

What are the 5 user master record types?

• Dialog: individual, interactive logon (SAP GUI)
• System: used to run background jobs and for system-internal communication
• Communication: used for dialog-free communication between different systems (RFC/CPIC)
• Service: multiple logons are allowed, password rules are not checked
• Reference: used only to assign additional authorizations to dialog users

What are the 3 authorization objects required to create and maintain user master records?

• S_USER_GRP: user master maintenance: assign user groups

• S_USER_PRO: user master maintenance: assign authorization profile

• S_USER_AUT: user master maintenance: create and maintain authorizations

What is the profile of the special user EarlyWatch? S_TOOLS_EX_A


Which User Information System report checks the passwords of the predefined standard users? RSUSR003

Which user group should be assigned to the users SAP*, DDIC and EARLYWATCH? The user group SUPER

What are the 2 ways to restrict the choice of user passwords?

• The login/* system profile parameters
• Forbidden passwords entered in the table of reserved passwords, USR40, where ? denotes a single character and * denotes a character string of any length
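As an added example (not SAP's password check), the following translates USR40-style patterns into anchored regular expressions and checks a candidate password against them together with a minimum length. It assumes the comparison is case-insensitive and that the minimum length comes from login/min_password_lng; the other login/* rules (required digits or letters, expiry) are out of scope, and the USR40 entries are constructed for the example.

```python
"""Password check for USR40 wildcards (? = one character, * = any string).

Added example, not SAP code. Assumptions: USR40 patterns are compared
case-insensitively against the whole candidate password, and the minimum
length is taken from login/min_password_lng.
"""
import re


def usr40_to_regex(pattern: str):
    """Translate a USR40 entry into an anchored, case-insensitive regex."""
    out = []
    for ch in pattern:
        if ch == "?":
            out.append(".")         # exactly one character
        elif ch == "*":
            out.append(".*")        # any string, including the empty one
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out), re.IGNORECASE)


def check_password(candidate: str, reserved: list, min_length: int) -> list:
    """Return the rule violations; an empty list means the password is acceptable."""
    findings = []
    if len(candidate) < min_length:
        findings.append(f"shorter than login/min_password_lng = {min_length}")
    for entry in reserved:
        if usr40_to_regex(entry).fullmatch(candidate):
            findings.append(f"matches reserved pattern {entry!r}")
    return findings


# Constructed USR40 content: typical entries, not copied from a real system
USR40 = ["*sap*", "pass*", "12345*", "welcome?"]
MIN_PASSWORD_LNG = 8    # assumed value of login/min_password_lng

if __name__ == "__main__":
    for pw in ("Sap2024!", "pass1", "Welcome1", "Xq7!vLm2"):
        print(pw, check_password(pw, USR40, MIN_PASSWORD_LNG))
```

Note that `fullmatch` is what makes `?` mean exactly one character: `welcome?` rejects `Welcome1` but not `Welcome12`, which is the behaviour the wildcard table is meant to have.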

Which two profile parameters control the deactivation of password-based logon?

login/disable_password_logon and login/password_logon_usergroup

Which profile parameter refuses incoming connections of type CPIC (gateway)? login/disable_cpic


Which profile parameter sets the time for automatic SAP GUI logout? rdisp/gui_auto_logout

What are the 4 types of RFC connections?

• Synchronous RFC: the client waits until the server has completed its processing (between SAP systems and from the Web AS)
• Asynchronous RFC: parallel processing
• Transactional RFC: transaction-safe communication between systems
• Queued RFC: defined processing sequences

Which transaction allows you to monitor the SAP Gateway? SMGW (available from Release 3.0C)

In which table are RFC destinations for outgoing connections specified (side info), and with which transaction is it maintained?

RFCDES, maintained with transaction SM59

What are the four advantages of a trusted relationship between SAP systems?

• Single sign-on is possible beyond system boundaries
• No passwords are transmitted over the network
• A timeout mechanism protects against replay attacks
• User-specific logon data are checked in the trusting system


The trust relationship is not mutual (t/f)? True. The trust relationship is not mutual, which means it applies in one direction only.

Which file can be used to secure RFC connections?

• The SAP gateway's secinfo file controls the start-up and registration of external RFC and CPI-C programs.

Which profile parameter defines the location of the secinfo file? gw/sec_info

Which program starts an external command after it has passed the gateway? sapxpg

Which authorization object is needed to maintain external commands? S_RZL_ADM with activities 01 and 03


Which authorization object is needed to execute external commands? S_LOG_COM

What must you specify to allow the execution of external commands?

An entry for the program sapxpg in the secinfo file

What are the 7 measures to protect an RFC connection?

• Connect systems with the same security level
• Restrict which function modules may be called via RFC
• Use authorization object S_RFC
• Use users of type Communication
• Specify full logon data for connections to other SAP systems only if necessary
• Specify the secinfo file appropriately
• Protect files and tables containing side info

What are the 3 standard clients in a DEV system?

• Development and customizing client (CUST)
• Sandbox client (SAND)
• Test client (TEST)

What is the default change option of the 2 default QA clients (test and training)? Not modifiable


What are the two levels of SAP change options that define whether customizing and development is available?

• The system change option • The client change option

Which transaction displays the history of the system change options? SE03

The client change option does not override the system change option (t/f)?

True. Rather, the client change option is used to fine-tune each client's role within the SAP environment.

How do you set the client change option? Use transaction SCC4, which works on table T000.

How do you protect your production client against being overwritten by a client copy?

In transaction SCC4, set the protection level to at least level 1 (no overwriting).


How do you protect your production client against a cross-client comparison?

Choose level 2 (no overwriting, no external availability). The client is then not available in the Customizing Cross-System Viewer of another system.

What are the 2 fields of the authorization object S_TABU_DIS?

DICBERCLS and ACTVT

What is the field of the authorization object S_TABU_CLI? CLIIDMAINT

What are the 5 fields of the authorization object S_DEVELOP?

• DEVCLASS
• OBJTYPE (e.g. PROG)
• OBJNAME
• P_GROUP
• ACTVT

What are the 2 steps needed to configure the QA approval procedure?

1. Define QA system (Prerequisite: between 2 systems)

2. Define QA procedure (QA worklist)


Which transaction displays an overview of the modifications and enhancements found in the system, searchable by last transport request or by request/task?

SE95 (Modification Browser)

Which transaction maintains and activates the Security Audit Log? SM19

What happens to the profile parameter rsau/local/file if rsau/max_diskspace/per_file is used?

If rsau/max_diskspace/per_file is used, rsau/local/file is no longer valid and is ignored; the parameters DIR_AUDIT and FN_AUDIT are used instead.

Which profile parameter defines the maximum number of filters that can be used? rsau/selection_slots

Which 6 types of information can be recorded with the Security Audit Log?

• Dialog logon attempts
• RFC logon attempts
• Transaction starts
• RFC calls to function modules
• Changes to user master records
• Changes to the audit configuration


What are the 4 dimensions of a Security Audit Log filter?

• User
• Audit class
• Client
• Security level (only critical; severe and critical; all)
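The two flashcards above describe what the audit log records and how its filters are defined; the following added example (not SAP's SM20 analysis) runs the same four-dimension filter and two simple detections over constructed audit events: a sliding-window count of failed logons per user, and audit-configuration changes by anyone outside an allowed set. The message IDs and their audit class and severity assignments are the author's recollection (AU1 successful dialog logon, AU2 failed dialog logon, AU3 transaction start, AU6 failed RFC logon, AUD user master record changed, AUE audit configuration changed) and should be checked against SE92 before being relied on; the three-step severity scale and all event records are assumptions of the example.

```python
"""Filter and detection logic over Security Audit Log events.

Added example, not SAP's SM20 analysis. Event records are constructed;
message IDs and their class/severity mapping are as recalled by the
author (verify in SE92). Severity scale assumed: 1 = critical,
2 = severe, 3 = non-critical.
"""
from collections import defaultdict
from dataclasses import dataclass

# message ID -> (audit class, severity)
EVENT_META = {
    "AU1": ("dialog_logon", 3),          # logon successful
    "AU2": ("dialog_logon", 2),          # logon failed
    "AU3": ("transaction_start", 3),     # transaction started
    "AU6": ("rfc_logon", 2),             # RFC/CPIC logon failed
    "AUD": ("user_master_change", 2),    # user master record changed
    "AUE": ("audit_config_change", 1),   # audit configuration changed
}
# the three security-level filter settings from the flashcard
LEVELS = {"critical": {1}, "severe_and_critical": {1, 2}, "all": {1, 2, 3}}


@dataclass(frozen=True)
class AuditEvent:
    ts: int          # seconds (constructed timestamps)
    client: str
    user: str
    terminal: str
    msg_id: str
    detail: str = ""


def matches(ev, user="*", audit_class="*", client="*", level="all"):
    """One audit-log filter: user, audit class, client and security level."""
    cls, sev = EVENT_META[ev.msg_id]
    return ((user == "*" or ev.user == user)
            and (client == "*" or ev.client == client)
            and (audit_class == "*" or cls == audit_class)
            and sev in LEVELS[level])


def failed_logon_bursts(events, threshold=3, window=60):
    """(client, user) pairs with >= threshold failed logons inside `window` seconds."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.msg_id in ("AU2", "AU6"):
            by_user[(ev.client, ev.user)].append(ev.ts)
    hits = set()
    for key, times in by_user.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:   # sliding window
                hits.add(key)
                break
    return sorted(hits)


def unexpected_config_changes(events, allowed_users):
    """AUE events (audit configuration changed) by anyone outside the allowed set."""
    return [ev for ev in events if ev.msg_id == "AUE" and ev.user not in allowed_users]


# Constructed sample log (not real data)
SAMPLE = [
    AuditEvent(1000, "100", "MALLORY", "pc-17", "AU2", "wrong password"),
    AuditEvent(1010, "100", "MALLORY", "pc-17", "AU2", "wrong password"),
    AuditEvent(1020, "100", "MALLORY", "pc-17", "AU2", "wrong password"),
    AuditEvent(1030, "100", "MALLORY", "pc-17", "AU2", "wrong password"),
    AuditEvent(1000, "100", "ALICE", "pc-04", "AU2", "wrong password"),
    AuditEvent(3000, "100", "ALICE", "pc-04", "AU2", "wrong password"),
    AuditEvent(3100, "100", "ALICE", "pc-04", "AU1"),
    AuditEvent(3200, "100", "ALICE", "pc-04", "AU3", "SU01"),
    AuditEvent(3300, "100", "ALICE", "pc-04", "AUD", "user BOB changed"),
    AuditEvent(4000, "100", "MALLORY", "pc-17", "AUE", "filter deactivated"),
    AuditEvent(5000, "100", "SECADMIN", "pc-01", "AUE", "filter activated"),
    AuditEvent(6000, "100", "RFCUSER", "apphost", "AU6", "wrong password"),
    AuditEvent(6005, "100", "RFCUSER", "apphost", "AU6", "wrong password"),
    AuditEvent(6100, "100", "RFCUSER", "apphost", "AU6", "wrong password"),
]

if __name__ == "__main__":
    print(failed_logon_bursts(SAMPLE))                                   # [('100', 'MALLORY')]
    print([e.user for e in unexpected_config_changes(SAMPLE, {"SECADMIN"})])  # ['MALLORY']
    print(sum(matches(e, level="critical") for e in SAMPLE))             # 2
```

The RFCUSER failures are deliberately spread over 100 seconds so that the default 60-second window does not fire; widening the window to 120 seconds does report them, which is the tuning decision an analyst makes against the real volume of AU6 events.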

Which transaction lets you view the assignment of events to audit classes and security levels, via system log message maintenance?

SE92 (Display system log messages)

Which transaction displays the results of the Security Audit Log? SM20

The reports of the User Information System start with? RSUSR followed by a number

ITS: what are the 4 main functions of the AGate?

• Communication to and from the SAP system
• Communicates using the SAP protocols RFC and DIAG
• Generates the HTML pages from SAP screens
• Manages user logon data and session information


ITS: what are the 2 main functions of the WGate (web server side)?

• Connects the ITS to the web server
• Uses the HTTP protocol

What is an ITS service? An ITS service is the set of components needed to call an SAP transaction via the ITS.

How do you protect access to the ITS service and template files? Using groups at the operating system level

ITS scalability and load balancing: what are the 6 possible landscapes?

• A single WGate connects to multiple AGates
• Separate WGates connect to a single AGate
• Multiple WGates connect to multiple AGates
• The ITS connects to a single application server
• Multiple ITS instances connect to a single system
• The ITS connects to the message server (load balancing)

In a dual host installation, where do you use firewalls?

• A firewall in front of the web server, to deny access using undesired protocols

• A firewall between the web server and the AGate, to restrict access even further


What is the goal of SNC in an ITS environment?
• Authentication between the components
• Integrity protection
• Privacy protection

What is the SNC default security product? The SAP Cryptographic Library (SAPCRYPTOLIB)

SNC: where are the private keys stored? In the SNC PSE

What are the 2 possibilities for establishing trust when using the SAPCRYPTOLIB?

• Either use a single PSE for all communication partners

• Or exchange public-key certificates

Which transaction maintains the SNC PSE? The trust manager, transaction STRUST


What are the 3 trust manager profile parameters?

1. sec/libsapsecu: the location of the SAPCRYPTOLIB

2. ssf/ssfapi_lib: the location of the SAPCRYPTOLIB

3. ssf/name: must be set to SAPSECULIB

What are the 7 steps to enable SNC on the ITS?

1. Install the SAPCRYPTOLIB and the license ticket (SECUDIR)
2. Set the trust manager profile parameters
3. Create (or import) the SNC PSE
4. Create credentials
5. Establish the trust relationship
6. Set the SNC profile parameters
7. Make the access control list entries

Which table holds the SNC system access control list? SNCSYSACL

Which table holds the extended user access control list? USRACLEXT

Testing and analyzing: SNC information is provided in trace files. What are the 3 most common errors?

• The library could not be loaded
• No credentials
• No entry in the ACL


What are the 3 user authentication mechanisms?

• User ID and password
• X.509 client certificates
• Pluggable Authentication Services (PAS): external mechanisms

X.509 client certificates: which table is responsible for the user mapping?

USREXTID

What are the 2 different worlds for SSO?
• SAP GUI for Windows: SNC
• Web: SSL

SSO, web: how is the SAP logon ticket stored in the web browser?

As a non-persistent session cookie in the web browser (named MYSAPSSO2)

Which 4 pieces of information does the SAP logon ticket contain?

User ID, validity period, issuing system ID, issuing system's digital signature


What are the 3 constraints of the logon ticket?

• Same DNS domain
• User ID identical in all systems
• The user must accept session cookies

How are the integrity and authenticity of the logon ticket protected?

It is digitally signed by the ticket-issuing server, which provides integrity and authenticity protection.
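Two passages in these cards rely on the same mechanism: the digital signature (hash the document, sign the digest with the private key, verify with the public key) and the logon ticket, which is that signature applied to a structure containing the user ID, validity period and issuing system. The added example below (not SAP's SSF or MYSAPSSO2 implementation) shows both with one toy signing routine: textbook RSA over a SHA-256 digest, fixed Mersenne-prime keys and no padding, which is enough to show the mechanics and useless as real key material. The ticket fields, their JSON layout and the trusted-issuer list are this example's own; a real SAP logon ticket is a signed binary structure and the trusted issuers are maintained with STRUSTSSO2.

```python
"""Hash-then-sign digital signature and a signed logon ticket.

Added example, not SAP's SSF or MYSAPSSO2 implementation. Textbook RSA
with fixed, publicly known primes: demonstration only, never real keys.
Requires Python 3.8+ for pow(e, -1, m).
"""
import hashlib
import json

# Toy key pair (assumed, demonstration only). Two Mersenne primes make the
# private key guessable, which is exactly why real keys are random.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
PUBLIC_KEY = (65537, _P * _Q)                                   # (e, n)
PRIVATE_KEY = (pow(65537, -1, (_P - 1) * (_Q - 1)), _P * _Q)    # (d, n)


def digest(data: bytes) -> int:
    """Fixed-length, one-way digest; this value, not the document, is signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, private_key=PRIVATE_KEY) -> int:
    """Only the holder of the private key can produce this value."""
    d, n = private_key
    return pow(digest(data), d, n)


def verify(data: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Anyone with the public key can check it; any change to data breaks it."""
    e, n = public_key
    return pow(signature, e, n) == digest(data)


def issue_ticket(user: str, issuer_sid: str, issuer_client: str,
                 now: int, valid_seconds: int):
    """Ticket-issuing system: the flashcard's four fields, signature included."""
    body = {"user": user, "issuer": issuer_sid, "client": issuer_client,
            "created": now, "expires": now + valid_seconds}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return payload, sign(payload)


def accept_ticket(payload: bytes, signature: int, now: int, trusted_issuers: set):
    """Accepting system: signature first, then validity period, then issuer ACL."""
    if not verify(payload, signature):
        return False, "signature invalid"        # tampered, or not from the issuer
    body = json.loads(payload)
    if not (body["created"] <= now <= body["expires"]):
        return False, "ticket outside validity period"
    if (body["issuer"], body["client"]) not in trusted_issuers:
        return False, "issuer not in access control list"
    return True, body["user"]


# Assumed ACL of (issuing system ID, client) pairs the accepting system trusts
TRUSTED = {("PRD", "000")}

if __name__ == "__main__":
    payload, sig = issue_ticket("ALICE", "PRD", "000", now=1_000_000, valid_seconds=8 * 3600)
    print(accept_ticket(payload, sig, 1_000_060, TRUSTED))          # (True, 'ALICE')
    forged = payload.replace(b'"user":"ALICE"', b'"user":"DDIC"')
    print(accept_ticket(forged, sig, 1_000_060, TRUSTED))           # (False, 'signature invalid')
```

The order of checks in `accept_ticket` matters: the signature is verified before any field is read, so an attacker who edits the user ID or extends the expiry in the cookie gets the same rejection as one who fabricates a ticket from scratch, and a ticket from an issuer that is not in the ACL is refused even when its signature is mathematically valid.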

How do you maintain the configuration of the logon tickets? Using transactions SSO2 and STRUSTSSO2

Is SSO to non-SAP components possible with SAP logon tickets?

Yes, SSO to non-SAP components is possible with SAP logon tickets. There are 2 options:

• API interface
• Web server filter (HTTP header field)

Which 2 profile parameters configure SSO with SAP logon tickets?

• login/create_sso2_ticket
• login/accept_sso2_ticket


What are the 6 steps of the PAS authentication process?

1. The user enters the URL of the PAS service
2. The user provides authentication information
3. The external authentication mechanism verifies the user's information
4. The ticket-issuing system maps the external user ID to the SAP user ID
5. The user is issued a logon ticket
6. The AGate redirects the user to the service

What are the 3 steps to install PAS?

• Install the SAP package ntauth.sar
• Set the service file parameters
• Maintain the user mapping in table USREXTID (report RSUSREXTID)

How do you combine the 2 worlds (SAP GUI and web)?

• Using logon tickets, the ITS and SAP shortcuts
• The logon ticket is passed to the SAP shortcut using the ITS service wngui
• Only from web to traditional (traditional to web is not supported)

Which 2 roles can the Web Application Server (Web AS) play?
• SAP Web AS as client component
• SAP Web AS as server component

What are the 2 main components of the Web Application Server (Web AS)?

The Internet Communication Manager (ICM)
• Ensures communication between the SAP system (SAP Web AS) and the outside world using the HTTP, HTTPS and SMTP protocols

The Internet Communication Framework (ICF)
• Provides the framework for implementing SAP Web AS applications


Which transaction is the ICM monitor? SMICM

What are the 7 activities of the ICM monitor?

• Start and stop the ICM
• Set the trace level, view logs
• View profile parameter settings (they start with icm/)
• View statistics
• View memory pipe information
• View active services
• Monitor the service cache

Which transaction maintains the Internet Communication Framework (ICF)? Transaction SICF

What are the 4 activities of the ICF in transaction SICF (Maintain services)?

• Display the hierarchical HTTP service tree
• Create and maintain BSPs (SE80 to view and test a BSP)
• Create virtual hosts
• Activate/deactivate services (activate only the necessary services)

Load balancing: what are the 3 different mechanisms?

• Redirection: the user is redirected to a back-end server (simple but not user-friendly)

• DNS-based method: the DNS lookup maps clients to servers based on the IP address

• Load-balancing device: receives the requests and directs them to a server in the back end; transparent for the client (same URL and IP address)


What is a stateful user session, as opposed to a stateless one?

In a stateful session the server keeps context for the duration of the user session. HTTP itself is a stateless protocol: successive requests may open a new network connection, so the session must be identified by other means.

What are the 2 options for identifying a stateful user session, and their properties?

• Session ID (in a browser cookie or in the user's URL): not usable by the load balancer with end-to-end SSL, because it cannot read the encrypted request
• IP address of the client: works with SSL, but is a problem behind proxies (many users share one address)

What are the 2 types of load balancing with SSL and their properties?

• End-to-end SSL: the server supports both privacy protection by encryption and user authentication with client certificates; the client IP address must be used for session persistence

• Terminating SSL: the SSL connection is terminated at the load balancer

What are the pros and cons of terminating SSL at the load balancer?

+ Better performance
+ The session cookie can be used
- Less security (traffic behind the load balancer is unencrypted)

What are the 5 scenarios of load balancing with the Web AS?

• Message server-based redirection
• Dispatcher or load balancer
• SAP Web Dispatcher
• Alternative technologies
• Combining technologies (web switch and Web Dispatcher)


What is the problem with load balancing a stateful session?

If the load balancer directs the user to a different server for subsequent requests, the second server does not know what has already occurred on the first server. The session context is lost.

What are the 3 alternative technologies for load balancing?

• Hardware load balancer
• Web switch
• Reverse proxy: incoming requests can be routed to different services based on the URL path

SSL encryption with the Web AS: which 4 pieces of information are specified with profile parameters?

• The plug-in
• The server port
• Whether to use client certificates
• The location of the SAPCRYPTOLIB

What are the 3 types of SSL server PSE?

• Standard SSL server PSE (the basis for creating individual SSL server PSEs for each host)
• Individual SSL server PSE
• Shared SSL server PSE

What are the 4 steps to enable SSL on the SAP Web AS (client or server)?

1. Create the SSL server PSE (STRUST)
2. Specify the PSE for each application server
3. For each unique PSE: a. generate a certificate request, b. send the request to a CA, c. import the certificate request response
4. Establish the necessary trust relationships with CA certificates


What are the 3 kinds of SSL client PSE?

• Standard SSL client PSE (must exist for SSL to work)
• Anonymous SSL client PSE (CN=anonymous)
• Individual SSL client PSE

What are the 3 configuration steps to specify that a connection uses SSL?

• In SM59, maintain the HTTP destination: type G for a different web server, type H for another SAP Web AS
• Activate SSL and specify which SSL client PSE to use
• If SSL client authentication is to be used, select Basic Authentication

What are the 4 steps to enable SNC on the SAP Web AS?

1. Install the SAP Cryptographic Library
2. Create the SNC PSE
3. Specify the access control list (ACL) entries
4. Set the profile parameters

Which table specifies which systems are allowed to connect to the SAP system using SNC? SNCSYSACL

Which table specifies the users that can log on to the system using SNC? USRACL


Which table specifies that WebRFC users can log on using the AGate's SNC-protected connection? USRACLEXT

What are the 4 SNC profile parameters?

• Activate SNC: snc/enable
• Set the level of protection: snc/data_protection/max
• Accept RFC and DIAG connections that are not protected with SNC: snc/accept_insecure_gui
• Use external authentication: snc/extid_login_diag
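The flashcard names the parameters; what a reviewer actually wants is to see a weak instance profile next to a hardened one and have the difference flagged. The following added example (not an SAP tool) parses a constructed instance profile and reports the SNC settings that leave traffic unprotected. Parameter meanings as assumed here: snc/enable (1 = on), snc/data_protection/max (1 = authentication, 2 = integrity, 3 = privacy), snc/accept_insecure_gui and snc/accept_insecure_rfc (1 = also accept connections without SNC, U = decide per user), snc/extid_login_diag (1 = allow logon with an external ID via SAP GUI); snc/accept_insecure_rfc is not on the flashcard and is an assumption of this example, as are both profiles.

```python
"""Check the SNC settings of an instance profile against a hardened baseline.

Added example, not an SAP tool. Profile syntax assumed: one
'parameter = value' per line, '#' starts a comment. Parameter meanings
as described in the lead-in; snc/accept_insecure_rfc is an assumption.
"""


def parse_profile(text: str) -> dict:
    """Read 'key = value' lines into a dict, ignoring comments and blanks."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def snc_findings(params: dict) -> list:
    """Return (parameter, explanation) pairs for settings weaker than the baseline."""
    findings = []
    if params.get("snc/enable", "0") != "1":
        findings.append(("snc/enable",
                         "SNC is off: DIAG and RFC traffic is sent unprotected"))
        return findings                      # the remaining parameters are inert
    try:
        level = int(params.get("snc/data_protection/max", "1"))
    except ValueError:
        level = 0
    if level < 3:
        findings.append(("snc/data_protection/max",
                         f"maximum protection level {level} is below 3 (privacy)"))
    for param, what in (("snc/accept_insecure_gui", "SAP GUI"),
                        ("snc/accept_insecure_rfc", "RFC")):
        if params.get(param, "0") in ("1", "U"):
            findings.append((param,
                             f"{what} connections without SNC are still accepted, so SNC is not enforced"))
    if params.get("snc/extid_login_diag", "0") == "1":
        findings.append(("snc/extid_login_diag",
                         "logon with external IDs is enabled: review the USRACL mappings"))
    return findings


# Constructed profiles (assumed values, not from a real system)
WEAK_PROFILE = """\
snc/enable = 1
snc/data_protection/max = 2     # integrity only, no encryption
snc/accept_insecure_gui = 1     # GUI without SNC still allowed
snc/accept_insecure_rfc = 1
snc/extid_login_diag = 1
"""

HARDENED_PROFILE = """\
snc/enable = 1
snc/data_protection/max = 3     # privacy: authentication, integrity and encryption
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/extid_login_diag = 0
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, [p for p, _ in snc_findings(parse_profile(text))])
```

The `snc/enable = 0` case returns early on purpose: with SNC off, a perfect-looking protection level and ACL would be reported as fine by a naive check while every connection is still in clear text.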

What are the 3 components of portal user and role management?

• Corporate directory server (for authentication)
• Portal directory server (portal-related user and group properties)
• Portal Content Directory (content role assignment)

What are the 3 Enterprise Portal authentication mechanisms?

• User ID/password (form-based iView)
• X.509 digital certificate
• Third-party authentication (Windows)