Protect4S - VM User Guide

SAPControl security settings

In the system creation wizard, an SAPControl connection can be made using different variants for HTTP and HTTPS. These are detailed below.

HTTP

HTTP is the default variant and requires no additional settings. To authenticate on SAPControl, an OS username and password must be specified, preferably those of the <sid>adm user. For some system types, the connection can be set up without an OS username and password, using the button 'Without user'. In this case, the connection is set up without authentication. Note the following:

  • The specified OS username and password are sent unencrypted from the Protect4S system to the satellite system. Using HTTPS is recommended.

  • Without a username/password, the SAPControl connection is only used to retrieve the instance information of the system. The webmethod 'GetSystemInstanceList' must be allowed without authentication. Some checks will not be executed without a username/password.

HTTPS

It is recommended to use HTTPS for the SAPControl connection. This requires additional configuration. The following is required for each scenario:

  • On the Protect4S system, the HTTPS service must be permanently activated (transaction SMICM).

  • The HTTPS port (5<##>14) is enabled on the SAP start service (sapstartsrv).

  • The 'SSL client SSL Client (Anonymous)' PSE is activated (transaction STRUST) and the certificate of the HTTPS sapstartsrv is trusted by the PSE by adding the certificate to the certificate list.

Without user

Similar to the HTTP variant, for some system types the connection can be set up without an OS username and password. Use the button 'Without user' and leave the SSL Client PSE setting at 'DFAULT'.

Basic authentication

It is recommended to specify the OS username and password so that all checks are included. Leave the SSL Client PSE setting at 'DFAULT'.

Certificate-based authentication

Instead of an OS username and password, it is possible to use certificate-based authentication. Keep in mind that the Protect4S system acts as a client and the sapstartsrv as a server component. The following is required:

  • A separate 'SSL Client Identity' must be created and activated on the Protect4S VM system (transaction STRUST).

  • The certificate of the PSE must be trusted by the sapstartsrv. This is done by adding the certificate to the service PSE of sapstartsrv (default: SAPSSLS.pse).

  • The certificate of the PSE must be configured on the sapstartsrv. This is done by specifying the allowed attributes using parameter 'service/sso_admin_user_x'.

  • In the wizard screen, the 'OS user name' and 'password' fields must be empty, and the created SSL Client PSE must be selected.

  • The sapstartsrv HTTPS service must be configured with a certificate that matches the hostname used for the connection to prevent a hostname mismatch error.

  • It is recommended to use signed certificates for both the sapstartsrv and the client PSE.

Example

The example below shows how certificate-based authentication is set up for a demo certificate with CN=sapadmin.protect4s.local.

  • Separate 'SSL Client Identity':

  • Set up trust and configuration on sapstartsrv. Adding the certificate to SAPSSLS.pse is not required if the sapstartsrv and the client PSE certificates are signed by the same CA. Using wildcards in the parameter allows for multiple trusts.

  • The PSE can now be selected and tested:

Retrieving the sapstartsrv certificate and import in PSE

There are several ways to retrieve the certificate. Using a browser is a practical option.

  • From a (client) system that can connect to the satellite system, navigate to https://<satellite hostname>:5<##>14 where ## is the instance number.

  • Display the certificate from the browser and save it locally.

  • Import the certificate in the intended PSE.
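
The same retrieval from a command line, as an added example that is not part of the Protect4S guide: it saves the certificate presented on port 5<##>14 and checks that it covers the hostname used for the connection. It assumes OpenSSL is installed on the client system; the function names and arguments are illustrative.

```shell
#!/bin/sh
# Added example: helper names and arguments are assumptions, not Protect4S tooling.

# Build the sapstartsrv HTTPS port 5<##>14 from the two-digit instance number.
sapcontrol_https_port() {
    case "$1" in
        [0-9][0-9]) printf '5%s14\n' "$1" ;;
        *) echo "instance number must be two digits, got: $1" >&2; return 1 ;;
    esac
}

# Save the certificate presented by sapstartsrv as PEM.
# usage: fetch_sapstartsrv_cert <satellite hostname> <instance nr> <out.pem>
# The certificate is not validated at this point, so compare the fingerprint
# printed by cert_summary with the system owner before importing it.
fetch_sapstartsrv_cert() {
    port=$(sapcontrol_https_port "$2") || return 1
    openssl s_client -connect "$1:$port" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM -out "$3"
}

# Succeed only if the certificate covers the hostname used for the connection;
# a failure here corresponds to the hostname mismatch the guide warns about.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 \
        | grep -q 'does match certificate'
}

# Subject, issuer, expiry and SHA-256 fingerprint for out-of-band comparison.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Run only when called with: <satellite hostname> <instance nr> <out.pem>
if [ "$#" -eq 3 ]; then
    fetch_sapstartsrv_cert "$1" "$2" "$3" || { echo "retrieval failed" >&2; exit 1; }
    cert_summary "$3"
    cert_matches_host "$3" "$1" \
        || echo "WARNING: certificate does not match hostname $1" >&2
fi
```

The saved PEM file is the one to import into the intended PSE in transaction STRUST.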
