Session 4904: SAPConsole an End-to-End Security Implementation

Chris Kralovansky

NIBCO INC.

Technical Analyst - SAP Basis & Security

Monday, May 19, 2003

Copyright © 2003 Americas’ SAP Users’ Group

Objectives

Share project approach, key questions, and deliverables every customer should think about when undertaking an SAPConsole implementation

Discuss approaches to physical and logical security in an SAPConsole implementation

Develop an understanding of end-to-end security considerations for an SAPConsole implementation in a wireless environment

Agenda

NIBCO company background

NIBCO’s data collection technology evolution

SAPConsole implementation plan

SAPConsole physical and logical security considerations

Lessons learned

Background – NIBCO INC

Founded in Elkhart, IN in 1904

Fourth generation family-owned company

Twelve (12) manufacturing facilities throughout the U.S., Mexico, and Poland

Five (5) distribution centers: (4) U.S. and (1) Poland

Employs 2900+ associates world-wide

Websites:

www.nibco.com

www.nibco.com.pl

www.tolco.com

www.nibcopartner.com

• Manufacturer of:

NIBCO’s SAP Implementation History

1996 - SAP selected as the sole provider of business systems for NIBCO

Oct. 1996 – Formation of NIBCO’s SAP implementation team (T.I.G.E.R.)

Dec. 1997 – Big-bang implementation

Release 3.0F

19 Locations (manufacturing and distribution)

Modules – FI/CO/CO-PA/PCA/SD/MM/PP/WM/SD

Norgistics (N/3) – Data Collection Middleware

Upgrades

March 1999 - Release 4.0B

March 2001 – Release 4.6C

Support Packages 2-3 times per year

Additional Locations

May 2000 - International Distribution Center

May 2002 – NIBCO Sp.z.o.o. – Poland Manufacturing, Distribution, Sales, Finance, Payroll

In-bond locations

(2) locations in Poland

(2) locations in Hungary

(2) locations in Ukraine

Additional Functionality

December 1999 – Introduced eNIBCO, a suite of customer-facing eCommerce offerings

April 2000 – HR-Payroll – U.S.

2000 – Replaced Norgistics (N/3) with CIM Concepts Data Integrator for R/3 – Data Collection Middleware

May 2002 – Localized Polish implementation

December 2002 – SAPConsole goes LIVE

May 2003 – SAP Business Warehouse (Unicode)

June 2003 – HR-Payroll – Reynosa, Mexico

June 2003 - Time & Attendance – Reynosa, Mexico

Tolco Support Systems Acquisition – June 2002

Corona, CA

Houston, TX

Sacramento, CA

SAP HRMS Live – June 2002

SAP Operational – November 2002

NIBCO’s Data Collection Technology Evolution

[Diagram: three generations of the data collection architecture. In each, SAP R/3 connects through middleware to a wireless controller, Ethernet, wireless access points and wireless data collection devices. Timeline labels: “Security initiation 2000” and “Firewall 2002”.]

1997 - 2000: Initial data collection implementation. One distribution site, WM functions. SAP R/3 with an ALE connection to Norand N/3 (Norgistics), an off-line application with an off-line database. Security functions: combination of SAP security and off-line application security.

2000 - 2002: Three distribution & three MFG sites. WM, IM and PP functions. SAP R/3 (all data stored and maintained in SAP) with CIM Concepts Data Integrator for R/3 as the off-line application, using SAP GUI automation and screen scraping. Security functions developed as an application component in SAP.

2002 - Current: Migrating from current. All data collection functions. SAP R/3 (data and application stored & maintained in SAP) with SAPConsole and Georgia SoftWorks. Security functions: “Pure SAP delivered security”.

NIBCO Data Collection Technology Evolution

…….so why did NIBCO change data collection middleware solutions????

Business strategy –

Utilize SAP products to solve business problems

Leverage SAP investment and relationship

Architectural & technical strategy

Complete the transition from an off-line, interfaced solution to an on-line, integrated solution

Utilize SAP as the core data repository

Leverage SAP programming language and security skills

Manage Total Cost of Ownership

SAPConsole Implementation Scope

Initial implementation was a wireless, manufacturing shop floor application pilot at one NIBCO facility

Develop an understanding of the SAPConsole technology deployment

Develop support processes required to manage SAPConsole in a 7x24 environment

Develop a robust, secure, infrastructure to support SAPConsole in a wireless environment

Develop security management processes which meet the “real” business requirements of the operation

Develop a training approach for SAPConsole transaction deployment

..... so what is so hard about that????

…………… Well nothing really, but there are challenges that every company needs to consider!!!

SAPConsole Project Considerations

What were the challenges? OK, what did we argue over??

How do we adequately secure our wireless infrastructure?

How will we allow terminals to bypass NT authentication?

How will we maintain SAP userids?

How will we support SAP password changes?

What SAP user type will be assigned?

What standards do we use for userids and passwords?

Do we delegate SAP security administration to our remote locations?

How will we add / revoke SAPConsole-specific security at a moment’s notice?

How will we support the administration of userids needing LM01 access?

How will we manage various data collection device screen sizes?

SAPConsole Physical Security

Wireless security infrastructure

Intermec - DCS300 Controllers, 2100AP, 6400 and 2455 terminals

Changed network name and eliminated broadcasts

Rationalized the use of WEP: 64 bit vs. 128 bit - Understand your devices’ capabilities

Work with your partners – Worked with Peak Technologies and Intermec to develop an approach (Wireless security whitepaper)

If you fail to plan for wireless security your network will be hacked!!

Cisco firewall technology

Authorized the data collection devices through the firewall by IP address

Utilized VPN for wireless PCs

Treat the 802.11b wireless infrastructure like the internet, utilizing WEP encryption and firewall technology to “isolate” the network

[Network diagram, SAPConsole physical security: an untrusted network and a trusted network separated by a firewall. Components shown: Frame Relay from WHQ, router, core switch, switch, Ethernet, firewall, three access points, DCS300, file server / print server, RF base PC or laptop with wireless VPN connection.]

VPN and DCS300 traffic will be the only traffic allowed to pass from the untrusted to the trusted side of the firewall.
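The rule that only VPN and DCS300 traffic crosses from the untrusted to the trusted side can be checked against the firewall's connection log. The following is an added example, not part of the original presentation: the address ranges, host addresses, CSV log format, telnet port 23 and the assumption that the VPN is IPsec are all constructed for illustration.

```python
import csv
import ipaddress

UNTRUSTED = ipaddress.ip_network("192.0.2.0/24")   # wireless side (assumed range)
TRUSTED = ipaddress.ip_network("10.10.0.0/16")     # wired LAN (assumed range)
DEVICE_IPS = {"192.0.2.10"}                        # DCS300, authorized by IP (hypothetical)
TELNET_HOST = "10.10.5.20"                         # hypothetical telnet/SAPConsole server
VPN_GATEWAY = "10.10.0.1"                          # hypothetical VPN endpoint

def allowed(src, dst, proto, dport):
    """True if the flow matches the policy: DCS300 or VPN traffic only."""
    if src in DEVICE_IPS and dst == TELNET_HOST and (proto, dport) == ("tcp", "23"):
        return True
    # Assumption: the VPN is IPsec, so IKE (udp/500) and ESP reach the gateway.
    if dst == VPN_GATEWAY and ((proto, dport) == ("udp", "500") or proto == "esp"):
        return True
    return False

def audit(log_lines):
    """Return permitted untrusted->trusted flows that the policy does not allow."""
    violations = []
    for row in csv.DictReader(log_lines):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        crosses = src in UNTRUSTED and dst in TRUSTED
        if crosses and row["action"] == "permit" and not allowed(
                row["src"], row["dst"], row["proto"], row["dport"]):
            violations.append((row["src"], row["dst"], row["proto"], row["dport"]))
    return violations

# Constructed sample log (not from the page): one line per connection.
SAMPLE_LOG = """src,dst,proto,dport,action
192.0.2.10,10.10.5.20,tcp,23,permit
192.0.2.55,10.10.0.1,udp,500,permit
192.0.2.55,10.10.0.1,esp,,permit
192.0.2.77,10.10.5.20,tcp,23,permit
192.0.2.10,10.10.5.30,tcp,445,permit
192.0.2.77,10.10.5.20,tcp,3389,deny
10.10.5.20,192.0.2.10,tcp,23,permit
""".splitlines()

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print("unexpected permit:", *v)
```

Any flow it reports means the firewall permitted something the stated policy does not, such as an unlisted wireless address reaching the telnet host or the controller reaching another trusted server.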

SAPConsole Infrastructure Struggles

Implemented SAPConsole Version 620 which fixed many challenges:

Password changes at logon vs. an every 90 day parade

Logoff confirmation

Application messages are complete

User can select a memorable, personal password

Allows user to logon to multiple devices – this can also be prevented

Utilize Georgia SoftWorks for device telnet to SAPConsole application – Manages NT authentication process

SAPConsole Logical Security

Wasted time trying to develop special rules for SAPConsole users because of “special needs”

“We need to use a different userid and password standard for the floor people!”

“We need to develop our own authentication and application security tools for SAPConsole!”

“We can’t make them change their passwords every 90 days!”

“We need userids and activity groups at a moment’s notice!”

“People come off the street, pick, pack and ship products!”

Do not abandon your current security administration processes, if they work today then use them!!!

What did we do?

Utilized existing userid & password standards

Built SAP security roles by location and task

Utilized existing processes for establishing and maintaining userids and activity groups

Leveraged PIDs to drive higher transactional efficiencies for the SAPConsole user

Added processes to maintain the table for LM01 security in production client (SM30)

Building a transaction for de-centralized table maintenance of LRF_WKQU

Key SAPConsole Information Sources

OSS Note Components

LE-MOB Mobile Devices

BC-FES-CON SAP Console

OSS Note #380399 Multiple logons in RF transactions

OSS Note #507542 SAPConsole: Logoff & change password screens

OSS Note #524881 SAPConsole security problem on WIN NT/2000 server

OSS Note #515874 Table LRF_WKQU Customizing or Master Data?

SAPConsole - Lessons Learned

SAPConsole implementation is about more than deploying a transaction to a wireless device

Understand and plan a secure, wireless infrastructure before you start

Understand your “real” security requirements for SAP user administration – if you have solid processes use them

Get and stay current on SAPConsole – SAP continues to enhance the functionality

Track your implementation and validate that your security approach meets your company needs

Thank you for attending!

Please remember to complete and return your evaluation form following this session.

Session Code: 4904