ADM960 SAP NetWeaver AS – Security SAP NetWeaver - Administration
• Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.
• IBM®, DB2®, OS/2®, DB2/6000®, Parallel Sysplex®, MVS/ESA®, RS/6000®, AIX®, S/390®, AS/400®, OS/390®, and OS/400® are registered trademarks of IBM Corporation.
• ORACLE® is a registered trademark of ORACLE Corporation.
• INFORMIX®-OnLine for SAP and INFORMIX® Dynamic ServerTM are registered trademarks of Informix Software Incorporated.
• UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
• Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
• HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
• JAVA® is a registered trademark of Sun Microsystems, Inc.
• JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
• SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.
Disclaimer THESE MATERIALS ARE PROVIDED BY SAP ON AN "AS IS" BASIS, AND SAP EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR APPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THESE MATERIALS AND THE SERVICE, INFORMATION, TEXT, GRAPHICS, LINKS, OR ANY OTHER MATERIALS AND PRODUCTS CONTAINED HEREIN. IN NO EVENT SHALL SAP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY KIND WHATSOEVER, INCLUDING WITHOUT LIMITATION LOST REVENUES OR LOST PROFITS, WHICH MAY RESULT FROM THE USE OF THESE MATERIALS OR INCLUDED SOFTWARE COMPONENTS.
About This Handbook This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. It is not suitable for self-study.
Typographic Conventions
American English is the standard used in this handbook. The following typographic conventions are also used.
Type Style | Description
Example text | Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths, and options. Also used for cross-references to other documentation both internal and external.
Example text | Emphasized words or phrases in body text, titles of graphics, and tables
EXAMPLE TEXT | Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example SELECT and INCLUDE.
Example text | Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, and passages of the source text of a program.
Example text | Exact user entry. These are words and characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.
Contents
Course Overview
  Course Goals
  Course Objectives
Unit 1: Computer Security: An Overview
  Introduction to Computer Security
Unit 2: Product Overview
  SAP Solutions and Applications
Unit 3: Network Basics
  Networking Concepts
  Network Security in an SAP Landscape
Unit 4: Basic Security for SAP Systems
  Securing the Front End
  User Security in SAP Systems
  Interface Security in SAP Systems
  Development Protection and Security Patches
  Monitoring Security in SAP Systems
  Monitoring and Analyzing Security with SAP Solution Manager
Unit 5: Introduction to Cryptography
  Cryptography
  Authentication and Digital Signatures
  Cryptography in SAP Systems
Unit 6: Secure Network Communication - SNC
  Setting Up Secure Network Communications
Unit 7: Secure Socket Layer - SSL
  Setting Up SSL for SAP NetWeaver AS
Unit 8: Authentication and Single Sign-on Mechanisms in SAP Systems
  Understanding Authentication
  Configuring Single Sign-on
Glossary
Index
Course Overview This course will introduce you to the need for security in the SAP system environment. You learn about different technical safeguards that can be used to secure your SAP NetWeaver Application Server based systems.
Target Audience
This course is intended for the following audiences:
• SAP system administrators
• Technical Consultants
• Project team members
• Persons responsible for technical system security
General knowledge of technical security and SAP technology.
Course Goals
This course will prepare you to:
• Explain the need for implementing security
• Discuss the security threats for SAP Systems
• Discuss security safeguards and security policies
• Explain security aspects pertaining to SAP products
• Explain network communication and how it can be secured
• Execute security measures to increase security of SAP Systems
Course Objectives
After completing this course, you will be able to:
• List security goals and threats
• Discuss the security threats for SAP Systems
• Explain the basics of networking
• Secure network communication in SAP System environment
• Implement security measures in SAP products
Unit 1
Computer Security: An Overview
Unit Overview
This unit will introduce you to the basic terms of computer security. The unit lists the major security threats to a system and the security safeguards to be used against each security threat.
Unit Objectives
After completing this unit, you will be able to:
• List security goals, threats, and safeguards
• Categorize security measures and the necessary steps to establish a secure system environment
Unit Contents
Lesson: Introduction to Computer Security
Lesson: Introduction to Computer Security
Lesson Overview
This lesson describes the security threats and security safeguards. It also explains how to categorize the security measures to secure the system environment.
Lesson Objectives
After completing this lesson, you will be able to:
• List security goals, threats, and safeguards
• Categorize security measures and the necessary steps to establish a secure system environment
Business Example To implement security measures a basic understanding of terms is needed.
Computer Security Concepts
Goals
Safeguards, threats, and goals are closely related to each other. Threats compromise certain security goals, whereas safeguards protect your system against certain threats. As a result, when implementing security, you need to consider the safeguards with reference to the goals and the threats. Security requirements for sensitive business data arise due to:
• Protection of Intellectual Property
• Legal Issues and Contracts
• Trust Relationship to Business Partners
• Continuous Business Operations
• Protection of Image
• Correctness of Data
Security can also optimize administration processes, such as:
• Reducing the number of password resets when using Single Sign-On
• Using digital signatures for approval processes
• The average annual loss reported is $234,244 in this year's survey.
• Respondents reported large jumps in incidence of password sniffing, financial fraud, and malware infection.
• One-third of respondents' organizations were fraudulently represented as the sender of a phishing message.
• Twenty-five percent of respondents said more than 60 percent of financial losses came from accidental breaches by insiders, not external hacks, and 16.1 percent said 81 to 100 percent of all losses came from accidental breaches as well.
• 64.3 percent of respondents experienced malware infection, compared to 2008's 50 percent;
• 29.2 percent experienced denial-of-service attacks, compared to 2008's 21 percent;
• 17.3 percent experienced password sniffing, compared to 9 percent in 2008;
• 13.5 percent experienced Web site defacement, compared to 2008's 6 percent;
• 7.6 percent experienced instant messaging abuse, down from 21 percent in 2008.
Source: Computer Security Institute http://www.gocsi.com
The Computer Crime and Security Survey is conducted by CSI annually. The aim of this effort is to raise the level of security awareness, as well as help determine the scope of computer crime in the United States.
• Availability: Ensures that the users can access their resources when they need the resources. When determining your requirements with reference to availability of resources, you should consider the costs resulting from unplanned downtime, for example, loss of customers, costs for unproductive employees, and overtime. Some damage can hardly be expressed in terms of money, for example, loss of reputation.
• Authentication: Determines the “real” identity of the user. Different authentication mechanisms can be used in a system environment, such as:
  • Authentication using user ID and password
  • Authentication using smart card
  • Authentication using a smart card and PIN
• Authorization: Defines the rights and privileges of the identified user. Determines the functions that a user can access. The application must be programmed to check whether or not a user is authorized before he or she can access a particular function.
• Confidentiality: Ensures that the user’s history or communication is kept confidential. Information and services need to be protected from unauthorized access. The authorization to read, change, or add information or services must be granted explicitly to only a few users. Other users are denied access. Within your company, you might trust your own users. But if you post something on the Internet, the confidentiality of information is at risk.
• Integrity: Ensures that the user information, which has been transmitted or stored, has not been tampered with. Programs and services need to work as expected and provide accurate information. As a result, people, programs, or hardware components should not modify programs and services.
• Repudiation: Represents the process of denying that you have done something.
• Non-repudiation: Ensures that people cannot deny their actions.
This list represents only a set of commonly known threats. One of the major threats is “social engineering”.
Story: A security consultant was asked to come to a large company to evaluate the security lapses in the company. The person with whom he was supposed to work was quite busy and left the consultant alone, saying he would be back soon. After about an hour, this consultant decided to wander down to the computer room to see what was up. He could not get in because it was a secure room. As a result, he waited outside the door until someone came along, asked if he wanted to get in, swiped his card, and let him in. Now, he is in the secure room and wants to log on to the computer. He looks around for the yellow post-it note with the administrator password on it. He finds the note posted next to the terminal and logs on to the server. He works for about 45 minutes on the computer. At around noon, some young guy working in the computer room tells him they are going to Burger King for lunch and asks if he would want them to pick up anything for him. He gives them some money and they all leave. The consultant is alone in the computer room for an hour. When they return, they bring him his lunch.
He finishes his work and goes back to the desk of the person with whom he was supposed to work. This person was quite apologetic and told him that he would pay him for the whole day but asks if he could come back the next day. This consultant says that he is done and the company has numerous security lapses.
When considering security, do not always think about system attacks. An untrained employee can also be a risk if he carries out unexpected system activities accidentally. You should also consider environmental threats, such as earthquakes, which might compromise the availability of the system.
Systems are penetrated when an unauthorized person gains access to them by guessing accounts and passwords.
A person can violate authorizations and penetrate a system by misusing the current authorizations that were allocated or stolen. With some authorizations the hacker is allowed to access the operating system, which allows transports and other OS functions.
A hacker may gain access to a system and plant a program to access the computer. For example, you might use the code to create a new user to break into the system.
A hacker can also eavesdrop without being detected.
Tampering of data occurs when a hacker can grab a connection and communicate with both the client and the server. After the hacker has grabbed the connection, the hacker can change the data.
A denial of service attack brings down the server and makes the server unavailable. There are several ways to make the server unavailable, such as cutting the network cable, physically destroying the server, or unplugging the server from the network.
A buyer could repudiate the fact that he or she purchased an item from an online store.
A hacker can deny service by flooding the system with messages so that the system cannot respond.
A person can masquerade as another user.
Programs can be written to modify the IP address of the source of the TCP/IP packet and trick the network into thinking that the packet is coming from within the network. This process is known as spoofing.
An application can receive data that it is not expecting or prepared for. As a result, unpredictable results occur. This is known as buffer overflow and it can lead to a vulnerability within the server.
Acquiring sensitive information such as usernames, passwords or credit card details by masquerading as a trustworthy entity is known as phishing.
The dynamic nature of websites causes security holes which can be used to gain elevated access privileges to sensitive page content, session cookies and a variety of other information maintained by the browser. Cross Site Scripting (XSS) attacks are a special form of Code Injection.
Another code injection technique is SQL Injection. A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
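The SQL injection threat described above, seen from the defender's side, as an added example that is not part of the course material: the same lookup written with string concatenation and with a bound parameter, plus a differential check that flags inputs which change the statement. It uses Python's sqlite3 module; the table, sample rows and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [
            ("alice", "clerk"),
            ("bob", "clerk"),
            ("root_admin", "administrator"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Weak form: client input is concatenated into the SQL text,
    so the database parses the input as part of the statement."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the value is bound to a placeholder and is only
    ever compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def input_alters_statement(conn, value):
    """Differential check for code review or testing: True when the
    concatenated query behaves differently from the bound query for
    the same input, meaning the input reached the SQL parser."""
    try:
        unsafe_rows = lookup_vulnerable(conn, value)
    except sqlite3.Error:
        # A syntax error also shows that data was interpreted as SQL.
        return True
    return unsafe_rows != lookup_parameterized(conn, value)


if __name__ == "__main__":
    conn = make_db()
    # Constructed inputs: a normal name, a legitimate name containing
    # an apostrophe, and a value that rewrites the WHERE clause.
    for value in ["alice", "o'brien", "x' OR '1'='1"]:
        print(
            repr(value),
            "alters statement:", input_alters_statement(conn, value),
            "| bound query returns:", lookup_parameterized(conn, value),
        )
```

The apostrophe case shows that concatenation is a correctness bug as well as a security one: a legitimate name breaks the statement, while the bound query handles it as ordinary data.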
Figure 2: Threats in Client-Server Communication
Due to the open, exposed communication architecture, client-server communication is vulnerable to attacks. The client communicates with the server across the network, where attackers can eavesdrop, capture, and manipulate data. At the back-end system, applications and the operating system may contain security holes that attackers can take advantage of. In addition, one of the primary threats is social engineering, whereby the attacker often obtains sensitive information by impersonating an important person. Threats shown in the above graphic also apply to the client. In most cases, clients are difficult to control as compared to servers.
• Technical safeguards such as firewalls, cryptographic algorithms and certificates
• Organizational safeguards such as rules or guidelines
• Physical safeguards such as fire detection and secured rooms and buildings
You should establish the following measures to prevent physical damage:
• Secure the buildings
• Secure the server rooms
• Lock the servers
• Use underground wires
• Install security cameras around the building
• Define policies to lock doors
Figure 6: Safeguards (Technical)
There are measures available for most of the threats that have been described. The graphic shown here does not represent all the possible threats and measures. It shows an example of how you can use security measures against many of the possible threats.
One very important aspect is to regularly install the security patches that vendors make available for applications and operating systems. Many security lapses can be fixed, but customers and users need to update their systems regularly.
Security Policies
Figure 7: Security Policies
A company or organization needs to define a global security policy. From this general security policy a detailed IT security policy is derived. Finally, documents that describe the security configuration of specific components in the system landscape are created.
The figure above shows how you can implement security. Analyze the risks to determine the security requirements. Then look at the threats that are relevant. Determine the vulnerability to those threats and the appropriate safeguards for the threats. As part of the risk analysis, you should conduct the following activities:
• Determine your security requirements with reference to availability, confidentiality, and integrity of data.
• Identify the threats that could compromise your security.
• Determine the relevance of a threat to your company (vulnerability).
• After you know the risks, determine the measures or safeguards to protect your system.
• Measure the associated risk of a threat and the cost of securing your system against the risk. As a result, you can make a cost-benefit analysis.
The risk analysis process leads to creating Standard Operation Procedures (SOPs) and implementing safeguards. Prioritize the safeguards, if there are constraints against implementing all of them. These lead to monitoring, implementation, and education. This is not a linear process but a circular process with continuous enhancements.
System upgrades and landscape changes mean that you must adapt your security measures accordingly and continuously. Note: Security is an on-going process. You need to reassess your security policy regularly.
Lesson Summary
You should now be able to:
• List security goals, threats, and safeguards
• Categorize security measures and the necessary steps to establish a secure system environment
Unit Summary
You should now be able to:
• List security goals, threats, and safeguards
• Categorize security measures and the necessary steps to establish a secure system environment
Lesson: SAP Solutions and Applications
Lesson Overview
This lesson introduces the SAP solutions and technical components discussed in the course.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the basic architecture of SAP applications based on SAP NetWeaver Application Server.
Business Example You need to understand the basic architecture of SAP applications based on the SAP NetWeaver Application Server.
SAP Solutions and Applications SAP Business Suite The SAP Business Suite is an extended family of business applications that enables companies to manage their entire value chains. The included business applications provide users with consistent results throughout the entire company network and give your company the flexibility it needs in today's dynamic market situations. The application consists of a number of different products that support cross-company processes. Note: For more information, go to http://www.sap.com/solutions/businesssuite. SAP's software portfolio is constantly extended, optimized, and tailored to the needs of the market and of customers. SAP has therefore, for example, developed many industry-specific applications over the years. The topic of integrating different business systems (even from different vendors and across company boundaries) has become increasingly important recently. Products for small to midsize businesses have also been added to SAP's family of software solutions.
The SAP Business Suite, a complete business software package that is unique worldwide, plays a central role. Many companies are already profiting from the comprehensive and flexible business applications with highly evolved functions: complete integration, industry-typical functions, unlimited scalability, and smooth collaboration via the internet. The SAP Business Suite provides:
• A complete spectrum of business solutions
• A technological infrastructure that combines openness and flexibility with maturity and stability
• Interfaces for integrating non-SAP products
• Components that can be adapted to meet multiple business requirements
• Numerous industry-specific functions
The next graphic illustrates the key components of the SAP Business Suite:
Figure 9: SAP Business Suite: Architecture
The components that make up SAP Business Suite are described in the following sections.
Core Applications The core applications of SAP Business Suite are a set of business applications that support all the essential business processes of an enterprise. They are summarized here. SAP ERP is a market-leading application for optimizing business and IT by reducing IT complexity, increasing adaptability, and delivering more IT value at a lower cost than traditional enterprise resource planning (ERP) solutions. It supports mission-critical, end-to-end business processes for finance, human capital management, asset management, sales, procurement, and other essential corporate functions. SAP ERP also supports industry-specific processes by providing industry-specific business functions that can be activated selectively via the switch framework, which keeps the application core stable and helps to ensure maximum performance. Hint: For more information see http://www.sap.com/solutions/businesssuite/erp. The SAP Customer Relationship Management (SAP CRM) application provides a comprehensive platform for marketing, sales, and service professionals to obtain complete customer intelligence that they can leverage to effectively manage customers and customer-related processes. SAP CRM enables multichannel customer interactions, including mobile smart phones, the Internet, and social media, and also offers a dedicated communications infrastructure that helps to connect all users anytime, anywhere. Hint: For more information see http://www.sap.com/solutions/businesssuite/crm. The SAP Product Lifecycle Management (SAP PLM) application helps companies manage, track, and control all product-related information over the complete product and asset lifecycle as well as throughout the extended supply chain. SAP PLM facilitates creativity and frees the process of product innovation from organizational constraints. Hint: For more information see http://www.sap.com/solutions/businesssuite/plm. 
The SAP Supplier Relationship Management (SAP SRM) application provides a procurement platform that helps organizations in all industries improve their centralized sourcing and contract management and interact with suppliers through multiple channels. SAP SRM accelerates and optimizes the entire end-to-end procure-to-pay process by supporting integrated processes and enforcing contract compliance, resulting in realizable savings. Hint: For more information see http://www.sap.com/solutions/businesssuite/srm.
The SAP Supply Chain Management (SAP SCM) application allows companies to adapt their supply chain processes to an ever-changing competitive environment. SAP SCM transforms traditional supply chains from linear, sequential processes into open, configurable, responsive supply networks in which customer-centric, demand-driven companies can sense and respond more intelligently and more quickly to demand-and-supply dynamics across a globally distributed environment. Hint: For more information see http://www.sap.com/solutions/businesssuite/scm.
Industry Applications
SAP addresses the requirements of specific business processes for many industries by complementing the basic business processes common to all large enterprises. Support for these industry-specific processes is delivered as part of SAP ERP or as a separate industry application (for example, the SAP Dealer Business Management application or the SAP Reinsurance Management application) that integrates with the other applications of SAP Business Suite. The architecture and business functionality of the industry applications are a result of SAP’s in-depth understanding of industry-specific business requirements and the resulting business processes. SAP industry portfolios are continuously enhanced by adding new applications that address the highly specialized business needs of customers in very targeted markets. The following table lists the industry portfolio (as of Q3 2010):
Industry Sector | Industry Portfolio
Discrete Industries | SAP for Aerospace & Defense; SAP for Automotive; SAP for Engineering, Construction & Operations; SAP for High Tech; SAP for Industrial Machinery & Components
Process Industries | SAP for Chemicals; SAP for Life Sciences; SAP for Mill Products; SAP for Mining; SAP for Oil & Gas
Consumer Industries | SAP for Consumer Products; SAP for Retail; SAP for Wholesale Distribution
Service Industries | SAP for Media; SAP for Professional Services; SAP for Telecommunications; SAP for Transportation & Logistics; SAP for Utilities
Public Services | SAP for Defense & Security; SAP for Healthcare; SAP for Higher Education & Research; SAP for Public Sector
Financial Services | SAP for Banking; SAP for Insurance
Supplementary Applications Supplementary applications include applications that drive specialized business processes common to a large number of industries. They deliver a short time to value, appeal to specialized business users, and offer a high degree of process flexibility. Supplementary applications include, for example, manufacturing applications, SAP solutions for auto-ID and item serialization, and applications for mobile business.
SAP NetWeaver The SAP NetWeaver technology platform is the reliable, secure, and scalable foundation to run business applications like SAP Business Suite and SAP BusinessObjects applications to help ensure that large enterprises can perform mission-critical business processes. As the technical foundation for service-oriented architecture, SAP NetWeaver delivers a comprehensive set of middleware functions in a modular software environment with the aim of reducing IT complexity and increasing business flexibility across heterogeneous IT landscapes. SAP NetWeaver provides IT organizations with the lowest cost of operation and best business availability for SAP applications across heterogeneous IT landscapes through unified lifecycle management, identity management, secure communications, and end-to-end monitoring.
Enhancement Packages Enhancement packages for innovation without disruption: SAP has a proven way to continuously deliver innovation for SAP Business Suite and SAP NetWeaver without disruption. It comes in the form of enhancement packages that provide collections of new or improved business functions that companies can deploy in a modular fashion and on their own timetable. The strategy of enhancement packages – enabling companies to take advantage of ongoing innovations while keeping their core software stable – was introduced with the SAP ERP 6.0 application and has been proven with several enhancement packages since 2006. All core applications of SAP Business Suite are now enabled for continuous innovation through enhancement packages. In the future, SAP intends to continue to deliver enhancement packages for the core applications, minimizing the need for companies to engage in potentially disruptive upgrade projects.
Context of Applications and Components Numerous applications for business challenges are provided in the context of the SAP Business Suite. However, many applications have similar or identical requirements for business functions in subareas. Different applications therefore contain similar (software) components in parts. A component is the smallest, separately producible, deliverable, installable, and maintainable software unit. Components refer to, for example, an SAP ECC system, an SAP SCM system or also an SAP NetWeaver Portal system. The graphic provides an overview of this hierarchy (components as building blocks of solutions) using the SAP SCM application as the example.
SAP NetWeaver
NetWeaver provides customers with a flexible way to integrate and extend business processes that run across SAP, SAP-certified partner, and custom-built applications by delivering prebuilt integration content and enterprise services, with rapid deployment supported by model-driven tools. With support for business process management, mission-critical business processes can be monitored for efficiency, integrity, and security. Business users can also use SAP NetWeaver to define business rules to help ensure consistent processes across the business network. SAP NetWeaver integrates and connects people, information, and business processes across technologies and companies. It enables companies to adjust to changes quickly. SAP NetWeaver ensures that a company's crucial business processes are reliable, safe, and scalable. Furthermore, SAP NetWeaver enables companies to maximize the benefits from the current software and systems. Nonuniform integration technologies are consolidated and predefined business content is provided, thus reducing the amount of manual work required. SAP NetWeaver is based on a technology using industry standards and can be enhanced with popular development tools.
IT Practices and IT Scenarios
Figure 11: SAP NetWeaver: Technology Map – Edition 2010
SAP NetWeaver enables you to implement IT processes in a range of solution methods, called IT practices. For each practice, SAP NetWeaver supports a range of key IT activities, which can be performed using the integrated components of the platform. The focus here is not on system and technological components but on the IT and business goals of the company. IT practices enable you to reach your company's goals in individual and manageable projects, that is, in sequential steps and according to their importance. For instance, IT practices refer to the increase of user productivity through improved, cross-company collaboration, personalized access to applications and data and optimized knowledge management. IT practices show how SAP NetWeaver can be used to solve certain IT problems by means of IT scenarios. For each IT practice, SAP NetWeaver supplies corresponding IT scenarios, which act as implementation guides.
The aim of the IT scenarios is to help you as a customer, partner or service provider with the installation, configuration and operation of SAP NetWeaver as well as the operation of SAP applications, customer-specific applications and the implementation of your defined IT scenarios.
SAP NetWeaver Application Server (SAP NetWeaver AS) Almost every SAP system is based on SAP NetWeaver AS and uses it as the runtime environment. Together with the database, SAP NetWeaver AS is the application platform of SAP NetWeaver.
Figure 12: SAP NetWeaver AS as the Basis for SAP Systems
SAP NetWeaver AS is the logical result of the further development of the SAP Application Server Technology (previously: SAP Basis), whereby special attention is paid to web-based applications.
• A reliable and extensively tested runtime environment, which has been developed further continuously over more than ten years
• A framework for executing complex business processes that meet the highest security standards
• A reliable and user-friendly development environment
• Support for open standards, including HTTP, HTTPS, SMTP, WebDAV, SOAP, SSL, SSO, X.509, Unicode, HTML, XML and WML
• High scalability
• Support for different operating system and database platforms
Since the applications delivered by SAP do not always require both runtime environments, that is, ABAP and Java, there are different installation options for SAP NetWeaver AS. These are:
• SAP NetWeaver AS ABAP: Complete infrastructure in which ABAP-based applications can be developed and used.
• SAP NetWeaver AS Java: Complete infrastructure in which J2EE-compliant applications can be developed and used.
• SAP NetWeaver AS ABAP+Java (dual stack): Complete infrastructure in which ABAP-based and J2EE-based applications can be developed and used.
History of Selected Software Components This section provides a bit of history of a few selected software components.
Technical Basis (Application Server) Back in the days when SAP basically offered two products (SAP R/2 and SAP R/3), the development of the (technical) basis was closely linked to application development. The release names of the SAP Basis corresponded to the SAP R/3 version, for example, SAP Basis 4.0B was the technical basis for SAP R/3 4.0B. Around the turn of the millennium, the SAP portfolio grew significantly, new products were created that required more frequent changes and enhancements of the SAP Basis than SAP R/3. This marks the transition from the classic SAP Basis (last version: SAP Basis 4.6D) to SAP Web Application Server (SAP Web AS). New Internet technologies (Internet Communication Manager from SAP Web AS 6.10 onwards) and the supplementing of the classical ABAP environment with Java/JEE (from SAP Web AS 6.20 onwards) were important milestones.
SAP Web AS 6.40 forms the technical basis (“application platform”) of SAP NetWeaver 2004. SAP NetWeaver offers extensive capabilities (such as Business Warehouse), which are all based on the application platform. From SAP NetWeaver 7.0 (previously: SAP NetWeaver 2004s) the names and releases were adapted further, so now SAP NetWeaver 7.0 is based on SAP NetWeaver Application Server (SAP NetWeaver AS).
Central ERP Functions The following graphic shows the historical development for the current SAP ERP Central Component (ECC 6.0):
Figure 13: Evolution from SAP R/3 via SAP R/3 Enterprise to SAP ECC
As already mentioned, in times of SAP R/3, the technical basis and application development were interlinked, up to and including SAP R/3 4.6C. With SAP R/3 Enterprise (4.7), which is based on SAP Web AS 6.20, the concept of SAP R/3 Enterprise Extensions was introduced. A central application (previously: solution) of the SAP Business Suite is SAP ERP for Enterprise Resource Planning. The central software component of SAP ERP is SAP ERP Central Component (SAP ECC). SAP ECC 5.00 can thus be considered the technical successor of SAP R/3 Enterprise and is based on an SAP
Web AS 6.40. At the time of creating this documentation, the current version is SAP ERP 6.0 (previously: SAP ERP 2005), which also includes an SAP ECC 6.00 (that operates on the basis of SAP NetWeaver AS 7.00) and other components. Functional enhancements for the different software components are made available through enhancement packages. SAP NetWeaver AS 7.1x or 7.2x is not used as the technical basis for an SAP ECC system. Other SAP NetWeaver components, such as SAP NetWeaver Process Integration (PI) and SAP NetWeaver Composition Environment (CE) require this SAP NetWeaver AS release level.
Installation Options of SAP NetWeaver AS Depending on the application or product used, different variants of SAP NetWeaver AS are installed.
Figure 14: Installation Options of SAP NetWeaver AS
• AS ABAP system: Complete infrastructure in which ABAP-based applications can be developed and used.
• AS Java system: Complete infrastructure for developing and using J2EE-based applications.
• AS ABAP+Java system: Complete infrastructure in which ABAP-based and J2EE-based applications can be developed and used. Such a system should only be installed if explicitly required by the application, for example, SAP NetWeaver PI 7.0 or SAP Solution Manager 4.0.
One of the main characteristics of the SAP NetWeaver AS is that ABAP tables, programs, and application data are stored in the ABAP schema of the database while Java data is stored in the Java schema. Here, the ABAP runtime environment can access the ABAP schema of the database, and the Java runtime environment can access the Java schema. In the ABAP+Java system, the different runtime environments communicate directly via the SAP Java Connector (JCo).
AS ABAP Architecture
In AS ABAP, the central instance is distinguished by the fact that the message server and the enqueue work process run there. All other instances of the system are usually called dialog instances. Alternatively, the instances are also named after the services provided. The services that an application server can provide are determined by the type of work processes it has. An application server can then take on several roles, for example, as a dialog server and simultaneously as an update server, if it provides several dialog work processes and at least one update work process.
Note: An overview of the AS ABAP instances is available in SM51 (in SAP Easy Access under Tools → Administration → Monitor → System Monitoring → Servers). You can use the transaction SM50 to display an overview of the work processes on the instance that you are logged on to; you can also display this overview by choosing Tools → Administration → Monitor → System Monitoring → Process Overview on the SAP Easy Access screen.
Figure 15: AS ABAP Architecture
The ABAP message server provides the AS ABAP with a central message service for internal communication (for example, for starting updates, requesting and removing locks, triggering background requests). The message server also provides information on which instances of the system are currently available.
The ABAP dispatchers of the individual application servers communicate via the ABAP message server, which is installed exactly once per SAP system. When you log on to the AS ABAP using the SAP GUI for Windows or the SAP GUI for Java using logon groups, the message server performs a load distribution of users to the available instances. This load distribution, which takes place during the logon procedure, is also known as logon load balancing. After the load distribution by the message server, the SAP GUI communicates directly with the dispatcher. The user remains logged on to this instance until he logs off again.
Note: An overview of the users who are logged on to the same instance as you is available using transaction SM04 (Tools → Administration → Monitor → System Monitoring → User Overview). You can see to which instance you are logged on under System → Status.
If you are accessing the AS ABAP via web protocols such as HTTP using the browser, the Internet Communication Manager (ICM) receives the request. The ICM forwards the request to the dispatcher of its instance. Communication from other SAP systems via Remote Function Call (RFC) is accepted by the Gateway Reader (GW).
AS Java Architecture
In AS Java, the central instance is distinguished by the fact that the Software Deployment Manager (SDM) runs there. The central services Message Service (MS) and Enqueue Service (ES) run in the central services instance (CS instance). All other instances of the system are usually called dialog instances.
Note: The entirety of the Java environment (all processes and the database schema) is also referred to as a Java cluster, and the individual processes (dispatcher and server) as nodes of the Java cluster. You can obtain an overview of started Java processes (Java dispatcher and Java server processes as well as SDM) via the system information of the Java runtime environment (http://:/sap/monitoring/SystemInfo, for example http://twdf1234.wdf.sap.corp:50000 → System Information).
Analogous to the AS ABAP, the message service of the AS Java provides a central message service for internal communication. The Java message service also provides information on which instances and nodes of the AS Java are available. Each node of the Java cluster can communicate directly with the message service. In the AS Java, the enqueue service holds logical locks. Each node of the Java cluster can communicate directly with the enqueue service. When the AS Java is accessed using a browser, the Java dispatcher receives requests, which are then processed by the server processes.
AS ABAP+Java Architecture For the AS ABAP+Java (meaning ABAP and Java processes in the same SAP system, under the same system ID), the same architectural principles apply as for separate AS ABAP and AS Java systems. However, there are some particularities because both runtime environments are integrated with each other in this case. Note: The AS ABAP+Java is often called “add-in installation” because it was possible to install an AS ABAP first and then supplement it with the AS Java at a later point in time. Officially “dual-stack” can be used as a short term for AS ABAP+Java.
The central instance of an AS ABAP+Java system can be recognized by the following processes: ABAP-MS, enqueue work process and SDM. The central services of the Java runtime environment (Java-MS, Java-ES) are also provided in the Java central services instance here. All other instances are usually called dialog instances. Since both runtime environments are capable of answering requests via web protocols, the Internet Communication Manager must now decide whether the request is addressed to the ABAP or the Java runtime environment. It decides this by means of the URL of the request. In case of a request to the ABAP runtime environment, for example, the call of an ABAP web dynpro, the ICM forwards the request to the ABAP dispatcher and the work processes respond to the request. If the request is a request for the Java runtime environment, for example, the call of a Java Server Page (JSP), the ICM forwards the request to the Java dispatcher and one of the server processes responds to the request. In an AS ABAP+Java system, data is also kept in separate database schemas (but in the same database installation). That is, work processes can only access ABAP data and server processes can only access Java data. In the data exchange, both runtime environments then communicate using the SAP Java Connector (JCo). This communication is necessary, for example, if billing data that is stored in the ABAP data schema is supposed to be displayed in a Java user interface.
The SAP JCo is integrated into the AS Java and is also used when an AS Java system has to communicate with a remote AS ABAP system.
Technical Parts and Topics addressed in this Course
Figure 18: Technical Parts and Topics addressed in this Course
The figure above gives an overview of the technical parts and components talked about in this course. In addition you find some topics we also address in the following units. The different security aspects involved for those parts and topics will be explained in detail in the units to come. The standalone engines SAProuter and SAP Web Dispatcher are part of SAP NetWeaver and will also be discussed in more detail later on.
Lesson Summary You should now be able to: • Describe the basic architecture of SAP applications based on SAP NetWeaver Application Server.
Related Information
• SAP Education course SAPTEC - SAP NetWeaver Application Server Fundamentals.
• SAP NetWeaver 7.02 online documentation, path SAP NetWeaver Library → SAP NetWeaver by Key Capability → Application Platform by Key Capability
• SAP Developer Network, Quick Link /irj/sdn/nw-products.
Unit 3 Network Basics
Unit Overview
This unit will introduce you to the basic terms and concepts of networking. The first lesson explains the different network protocols, the models they are based on, and the concept of a firewall. The second lesson transfers these topics into an SAP system environment.
Unit Objectives
After completing this unit, you will be able to:
• Explain basic network terms and concepts
• Implement recommendations for network architecture in an SAP landscape.
• Install and Configure SAProuter.
• Install and Configure SAP Web Dispatcher.
Unit Contents
Lesson: Networking Concepts
Lesson: Network Security in an SAP Landscape
    Exercise 1: Install and Configure SAProuter
    Exercise 2: Install and Configure SAP Web Dispatcher
Lesson: Networking Concepts Lesson Overview This lesson describes the basics of networks. It also describes the network communication in the SAP environment.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain basic network terms and concepts
Business Example You need to understand basic network terms and concepts.
Network Protocols
The figure below highlights the topics covered in this lesson: the communication protocols and the firewall.
A protocol is a set of rules that define how communication takes place between communication partners. Different protocols are used when telephoning compared to broadcasting. In computer communication, different issues are handled at different levels.
Protocols represent the rules that specify how the different parties may communicate. Protocols deal with the following issues:
• What voltage level represents a 0 and what level a 1?
• How to determine the end of a message?
• How to handle lost messages?
• How to identify computers?
• How to connect to a computer?
• How do applications communicate on the network?
OSI Models Because of the heterogeneous systems and communication media available, there is the need to have a standard to enable communication between different partners.
The International Organization for Standardization (ISO) has developed a standard model for communication called the Open Systems Interconnection Model (OSI Model). Open System means that a system can communicate with any other system that follows the specified standards, formats, and semantics.
The Open Systems Interconnection (OSI) reference model describes how information from a software application in one computer moves through a network medium to a software application in another computer. The OSI reference model is a conceptual model composed of seven layers, each specifying particular network functions. The seven layers of the OSI Model are:
• 7 - Application Layer: Enables Program-to-Program communication.
• 6 - Presentation Layer: Manages data representation and conversion. For example, the presentation layer converts data from EBCDIC to ASCII.
• 5 - Session Layer: Establishes and maintains communication channels. In practice, this layer is often combined with the Transport Layer.
• 4 - Transport Layer: Ensures end-to-end integrity of data transmission.
• 3 - Network Layer: Routes data from one node to another.
• 2 - Data Link Layer: Passes data from one node to another including error detection.
• 1 - Physical Layer: Places data on the network media and takes the data off the network.
Data is passed down the stack from one layer to the next, until the data is transmitted across the network by the network access layer protocols. The four layers of the TCP/IP reference model are designed to distinguish between the different ways that the data is handled as it passes down the protocol stack from the application layer to the underlying physical network. At the remote end, the data is passed up the stack to the receiving application. The individual layers do not need to know how the layers above or below them function; each layer only needs to know how to pass data to the other layers. Each layer in the stack adds control information, such as destination address, routing controls, and checksum, to ensure proper delivery of data. This control information is called a header and/or a trailer because it is placed at the beginning or end of the data to be transmitted. Each layer treats all the information that it receives from the layer above it as data and places its own header and/or trailer around that information. These wrapped messages are then passed to the layer below with additional control information, some of which may be forwarded or derived from the higher layer. When a message exits the system on a physical link, such as a wire, the original message is enveloped in multiple, nested wrappers, one for each layer of the protocol through which the data passed. When a protocol uses headers or trailers to package the data from another protocol, the process is called encapsulation.
Information sent across a network is not intended only for a computer but for a program on a computer. These programs are distinguished by their port. Every application that receives data from a TCP/IP network acquires a TCP port, a 16-bit number (0 – 65535), which will uniquely belong to that application on that particular host. The application “listens” on that port for incoming messages. Some ports have numbers that are preassigned to services or programs by the Internet Assigned Numbers Authority (IANA). Port numbers can range from 0 through 65535, but port numbers from 0 through 1023 are reserved for privileged services and designated as well-known ports. This list of well-known port numbers specifies the port used by the server process as its contact port. By default, these well-known ports are defined in the etc/services file. The command netstat -a displays all connections and listening ports on your computer.
Firewalls
A firewall is a system or a combination of systems that protects a networked system from unauthorized or unwelcome access. Firewalls can be implemented in hardware, in software, or in a combination of both.
Figure 25: Firewalls
There are several types of firewall techniques, which filter the traffic at different levels.
Packet filters can filter the network traffic up to the transport layer level (TCP) looking at IP addresses, port numbers and the type of protocol used. Application level gateways can analyze and control commands of the application protocol.
IP packet filtering is done using a router set up to filter the packets as they pass between the router’s interfaces. These routers can filter IP packets mainly on the following fields:
• Source IP address
• Destination IP address
• TCP source port
• TCP destination port
Packet filters cannot filter information sent at the application level. For this an application level gateway is used.
Figure 28: Application Level Gateway
Application level gateways do not allow any direct network connections between computers from one network to the other. Instead, all the connections from the external network must be made to the gateway, which interprets the protocol traffic and makes connections to the internal network on behalf of the outside requestor. The application level gateway consists of two TCP/IP stacks and application level proxies for each protocol in its responsibility. The application level proxy analyzes and controls the commands for its specific protocol, e.g. HTTP. It may also provide additional authentication functionality.
Figure 29: Firewall Architecture / Demilitarized Zone (DMZ)
Servers accessible from the Internet should not be connected directly to the internal network. A two-layer firewall solution provides additional security for internal networks, even if servers connected to the Internet are compromised. If a server located in the DMZ is hacked, the hacker is still not able to access all internal systems as the inner firewall is limiting access. The network zone in between the two firewalls is often called demilitarized zone (DMZ). The DMZ protects valuable resources (e.g. application systems) from direct exposure to an untrusted environment. Sometimes it is also called a perimeter network. Typically services like web servers, e-mail servers and proxies are located in the DMZ.
Hint: This concept can also be applied additionally to the internal network architecture.
An intrusion detection system (IDS) is a product that automatically identifies attacks on networks or hosts. In case of an important event, security administrators can be notified. There are two basic types of IDS: network based IDS and host based IDS. A network based intrusion detection system monitors and analyzes the traffic for a whole network. A host based IDS monitors and analyzes the network traffic, operating system and file system of one single host. If the two types are combined and their data is sent to a central server, it is called a distributed IDS. Keep in mind that no system automatically provides full security.
Intrusion Prevention System
Figure 31: Intrusion Prevention System (IPS)
An intrusion prevention system (IPS) is considered an extension of an IDS. Compared to intrusion detection systems, the IPS is placed in-line to actively prevent and block detected intrusions. The system is able to identify attacks and differences in the bit pattern of data traffic using signatures, abnormal algorithms and advanced patterns. The IPS can then take actions such as sending an alarm, dropping the malicious packets, resetting the connection or blocking the traffic from the offending IP address.
• Suitable for intranet scenario
• Suitable for global load balancing
• Not suitable for server load balancing
Load balancing device:
• Transparent for client
• Always the same URL
• One official IP address for all application servers
• One server certificate for all servers
• Technically challenging
• Usually preferable
Stateful applications impose special requirements on the load balancing mechanisms. HTTP is a stateless protocol which means that the network connection does not last for the duration of a user session. The protocol itself provides no options to return a subsequent request to an already established session. While processing a request, the load balancer directs the user to a particular application server. If the load balancer directs the user to a different server for subsequent requests, then the second server would not know what had already occurred on the first server. As a result, session context information is lost. For example, if the first context holds any locks on the data, the second session cannot access these locked items. There is a conflict between the application that uses stateful information and the stateless protocol. As a result the load balancing device must ensure that all requests from an application session are always directed to the same application server.
To make sure that the client is always directed to the correct server, the application server can use a session ID that it either saves in a Web browser cookie or inserts into the URL of the user. In this case, the load balancer does not have to maintain the session information. The server information is contained in the cookie or the URL. As a result, you need access to the plain text information in the request. You cannot use SSL for encryption.
IP address of client
• In this case, the load balancer uses the IP address of the client to direct the user to a particular server.
• This method works when using encrypted traffic but there are a few problems.
• Proxies and alternative host names distort the load distribution. For example, all users who connect through a specific proxy appear with the same client IP address and are directed to the same server.
Lesson: Network Security in an SAP Landscape
Lesson Overview
This lesson covers different aspects of network security in an SAP system landscape. SAProuter and SAP Web Dispatcher are introduced as important SAP components. The use of SAProuter and SAP Web Dispatcher influences the network architecture.
Lesson Objectives
After completing this lesson, you will be able to:
• Implement recommendations for network architecture in an SAP landscape.
• Install and Configure SAProuter.
• Install and Configure SAP Web Dispatcher.
Business Example
Ensure basic network security for the SAP system landscape.
Network Components The figure below shows the components talked about in this lesson.
Apart from protocols, ports and network recommendations this lesson introduces SAProuter and SAP Web Dispatcher.
Ports used by SAP NetWeaver AS
Many SAP systems are based on SAP NetWeaver AS. Understanding which ports and protocols SAP NetWeaver AS uses therefore covers the majority of SAP installations. In an SAP system landscape the following types of communication occur:
• SAP GUI for Windows or Java to the AS ABAP based SAP system
• Web Browser to the SAP system
• Connections from the AS ABAP based SAP system to print servers, for example using SAPSprint
• Connections between SAP systems
• Connections to third party applications
The SAP system needs to use a number of ports, which are determined by the operating system process involved and the instance number the process belongs to.
Figure 36: Ports used by SAP NetWeaver Application Server
The figure above shows the most important ports of SAP NetWeaver AS. SAP GUI for Windows connects to the ABAP system using the dispatcher process on the application server. The dispatcher uses the port 32$$, where $$ stands for the instance number. SAP Logon (as part of SAP GUI) communicates with the ABAP Message Server. Its port is defined by an entry sapms in the services file of the operating system. The default port is 36$$. The ABAP system also communicates with the SAP GUI using RFC. There the Gateway process is involved. Its port is 33$$. External RFC clients, for example other SAP systems or third party applications, connect to the Gateway process. The Internet Communication Manager (ICM) uses the default port 80$$ for the HTTP protocol, to which a Web Browser can connect. sapstartsrv is the process that is involved in starting and stopping the SAP system. It can be called using the default port 5$$13. The SAP program SAPSprint handles the SAP system print requests sent out by the Spool work process. SAPSprint listens on default port 515.
When connecting with a Web Browser to the AS Java, the Java dispatcher is called on default HTTP port 5$$00. The Software Deployment Manager (SDM) can also be accessed remotely on the default port 5$$18.
Note: For a complete list of ports you can use the document TCP/IP Ports Used by SAP Applications. It is provided on the SAP Developer Network, Quick Link /irj/sdn/security, and follow the link Network and Communications Security.
Network Filtering Even from the small number of ports mentioned in the section before you can see that network filtering is a fundamental requirement for secure SAP systems. It reduces the attack surface to the least number of services required to be accessed by end users. These remaining services should then be configured securely.
Figure 37: Network Filtering
Secure SAP operation requires network filtering between end user network and SAP systems. For more information see the SAP NetWeaver Security Guide. The network services listed below are required to be accessible from end-user networks in most customers' SAP installations. All other network services are typically not required and should be blocked between the end-user network and SAP systems. The network services listed below refer to the standard installation default ports. $$ is used as a placeholder for the instance number of the SAP system.
• ABAP Dispatcher (default port 32$$): The ABAP dispatcher is used by SAP GUI. The communication protocol used is SAP DIAG.
• ABAP Message Server (default port 36$$): The Message Server manages load balancing information and system internal communication.
• Gateway (default port 33$$): The Gateway manages SAP Remote Function Call (RFC) communication.
• HTTPS (default ports 443$$, ICM port, not active per default; 5$$01, Java Dispatcher port): Secure HTTP communication from Web Browser or Web Service to SAP system.
The actual network architecture depends on infrastructure components (e.g. SAProuter, SAP Web Dispatcher, Load Balancer), which need to be taken into account for architecture planning. These infrastructure components do not change the fact that access to SAP DIAG, SAP RFC, SAP Message Server and HTTPS is necessary, but have impact on network filtering implementation.
Administrative access to the SAP systems needs to be done from an administration network. This network is allowed to access the SAP systems with administrative protocols (e.g. SSH, RDP, database administration, etc.). Access to the administrative network must be properly secured by common security concepts (e.g. allow administrative access to the SAP systems only from dedicated subnets or dedicated workstations).
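The packet filter fields and the default-port list described above can be combined into a small audit, shown here as an added example that is not part of the original course material. It expands the $$ port templates named in this lesson into an end-user allowlist and evaluates flows against it; the address ranges, hosts, instance numbers, flows and all function names are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

# Default port templates named in the lesson; "$$" is the two-digit instance number.
END_USER_SERVICES = {            # services the lesson lists for end-user networks
    "ABAP dispatcher (SAP DIAG)": "32$$",
    "ABAP message server": "36$$",
    "Gateway (SAP RFC)": "33$$",
    "HTTPS (ICM)": "443$$",
    "HTTPS (Java dispatcher)": "5$$01",
}
OTHER_SERVICES = {               # ports the lesson names that are not in that list
    "HTTP (ICM)": "80$$",
    "HTTP (Java dispatcher)": "5$$00",
    "sapstartsrv": "5$$13",
    "SDM": "5$$18",
}

# Constructed sample landscape (documentation address ranges, not from the course).
END_USER_NET = "198.51.100.0/24"
SAP_HOSTS = {"192.0.2.10": [0], "192.0.2.11": [0, 1]}   # host -> instance numbers
# Constructed flows: (source IP, TCP source port, destination IP, TCP destination port)
SAMPLE_FLOWS = [
    ("198.51.100.23", 51000, "192.0.2.10", 3200),    # SAP GUI to dispatcher, instance 00
    ("198.51.100.23", 51001, "192.0.2.10", 50018),   # SDM from an end-user client
    ("198.51.100.40", 51002, "192.0.2.11", 44301),   # browser to ICM HTTPS, instance 01
    ("198.51.100.40", 51003, "192.0.2.11", 8001),    # plain HTTP to ICM, instance 01
    ("203.0.113.7", 51004, "192.0.2.10", 3200),      # source outside the end-user network
    ("198.51.100.23", 51005, "192.0.2.10", 3201),    # instance 01 does not exist on this host
]


class Rule(NamedTuple):
    src_net: ipaddress.IPv4Network
    dst_ip: ipaddress.IPv4Address
    dst_port: int
    service: str


def expand(template, instance):
    """Replace the $$ placeholder with the two-digit instance number."""
    if not 0 <= instance <= 99:
        raise ValueError(f"instance number out of range: {instance}")
    return int(template.replace("$$", f"{instance:02d}"))


def build_allowlist(end_user_net, sap_hosts):
    """One permit rule per host, instance and end-user service; everything else is denied."""
    net = ipaddress.ip_network(end_user_net)
    rules = []
    for host, instances in sap_hosts.items():
        for inst in instances:
            for service, template in END_USER_SERVICES.items():
                rules.append(Rule(net, ipaddress.ip_address(host),
                                  expand(template, inst), f"{service}, instance {inst:02d}"))
    return rules


def known_blocked_service(dst_port, instances):
    """Name the SAP service behind a denied port, if the lesson mentions it."""
    for inst in instances:
        for service, template in OTHER_SERVICES.items():
            if expand(template, inst) == dst_port:
                return f"{service}, instance {inst:02d}"
    return None


def evaluate(flow, rules, sap_hosts):
    """Match on source IP, destination IP and destination port.

    The TCP source port is a filterable field too, but clients use ephemeral
    source ports, so these rules accept any value for it.
    """
    src_ip, _src_port, dst_ip, dst_port = flow
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src_net and dst == rule.dst_ip and dst_port == rule.dst_port:
            return ("permit", rule.service)
    blocked = known_blocked_service(dst_port, sap_hosts.get(dst_ip, []))
    if blocked:
        return ("deny", f"{blocked} is not an end-user service")
    return ("deny", "no matching rule")


def audit():
    rules = build_allowlist(END_USER_NET, SAP_HOSTS)
    return [evaluate(flow, rules, SAP_HOSTS) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, (action, detail) in zip(SAMPLE_FLOWS, audit()):
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {action.upper()}  {detail}")
```

The denied flows that name a service (SDM, plain HTTP) are the ones worth reviewing first, since they show clients reaching for ports the lesson says should be blocked from end-user networks.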
SAProuter
SAProuter is software that functions as an intermediate station between SAP systems or programs. SAProuter functions as a proxy that has some properties of an application level gateway when it comes to the usage of SAP protocols. SAProuter allows you to connect to an SAP system without a direct network connection between the client computer and the application server. The SAP GUI (for Windows; for Java) connects to the SAProuter, which forwards all the packets to the application server or to another SAProuter.
The figure above shows how SAProuter can be used in an SAP system landscape. Instead of opening the corporate firewall for all ports and protocols used by an SAP system only the SAProuter port (default port 3299) is opened. The SAProuter can be configured to only let pass communications based on the SAP Protocol, coming from specific IP addresses and directed to the SAP systems. Note: SAP Protocol is the technical foundation for protocols like DIAG and RFC. SAP Protocol is also called NI (Network Interface). In this scenario the SAProuter makes it easier to administrate the networking aspects of the SAP landscape. In case of changes at the SAP system level (e.g. installation of an additional instance providing additional ports) it is not necessary to involve the IT department responsible for the corporate firewall. The SAP administration can reconfigure the SAProuter to incorporate the changes.
• Control and log the connections to your SAP system.
• Allow access from only the SAProuters you have selected.
• Allow only encrypted connections from a known partner.
Note: SAProuter cannot be used for protocols not based on SAP Protocol, for example HTTP, telnet, or SMTP.
Caution: SAProuter does not replace a firewall. You can use it in addition to the corporate firewall.
See SAP Note 30289: SAProuter documentation for more information.
SAProuter and Remote Support SAProuter also is used to enable a secured connection between the customer network and SAP Support.
Figure 40: SAProuter and Remote Support
In this scenario an SAProuter at customer site is connected to an SAProuter at SAP. The connection is secured by Secure Network Communication (SNC). Using this connection SAP Support can access the SAP systems at customer site.
SAProuter Installation and Configuration You will find the latest SAProuter on the SAP Service Marketplace, Quick Link /patches. Navigate to Support Packages and Patches → Browse our Download Catalog → Additional Components → SAPROUTER → SAPROUTER . For installing SAProuter simply extract the downloaded package to a file system directory on the host. For example on a Windows host, create the directory :\usr\sap\saprouter and copy the executables saprouter.exe and niping.exe into this directory. To install SAProuter as a Windows Service execute the command ntscmgr install SAProuter -b :\usr\sap\saprouter\saprouter.exe -p ”service -r ”. For the possible options please see SAP Note 30289: SAProuter documentation.
SAProuter uses the Route Permission Table to control which specific IP addresses and subnetworks are allowed or denied to access a particular network. The route. Per default the Route Permission Table is a file called saprouttab in the installation directory of SAProuter. The file contains a list of connections that are denied or permitted access to a particular network. Standard entries appear as follows: P/S/D