The connection map report can be started from the Protect4S VM Reports menu:
The Connection map report shows the connections between the SAP systems registered in Protect4S, for the system types ABAP, dual-stack and SAP Web Dispatcher.
The connection types shown are:
- Type 3 RFC destinations: ABAP-to-ABAP connections over the RFC protocol that authenticate with a named user and password, for instance the TMS transport connections.
- Type T RFC destinations: TCP/IP connections over the RFC protocol between the SAP system and a (registered) server program, for instance the executable sapxpg.
- Type G and H destinations: HTTP(S) connections, type G to an external server and type H to an ABAP system, for instance to the HTTP port of an SAP Java based system.
- SOAP web services: HTTP(S) connections through logical ports to external systems, for instance between an SAP system and the SAP Control agents.
- ADBC connections: connections between SAP databases using ADBC (ABAP Database Connectivity).
- SAP Web Dispatcher: connections between an SAP Web Dispatcher and its backend systems.
The report is meant to make security staff aware of the connections that exist between SAP systems and of the risk these connections pose.
The risk is that a malicious third party uses such a connection to jump from a compromised SAP system to a new SAP system target. The SAP Solution Manager, for example, holds connections to many other SAP systems, which makes it an attractive target: compromising it enables the compromise of the systems it connects to.
The report must first run to create a new Connection Map. To do this, press the "New" button in the Connection map application. When you then press the "Refresh" button, a new Connection map ID appears in the list with the status "In progress".
Creating a new connection map
The time needed to create a new Connection Map depends on the number of connections, the number of registered SAP systems and whether these systems are up and running.
After a while, the status of the Connection Map ID changes from "In progress" to "Completed"; the map can then be opened by clicking the "Display" icon in its row of the list.
Connection map display
The display shows the map that has been created. It can be altered in various ways using the display settings:
The map consists of SAP system nodes connected by edges. The colours of the nodes and edges can be changed to indicate Risk, System Role, Connection type or System type. Nodes can be dragged with the mouse to another location in the map.
The System overview menu shows a list of systems. When a system is selected in the upper list, the connections it contains are shown in the lower list:
The connections are sorted by Risk; for each connection the target hostname, instance number and associated user are shown. Selecting the display button on the left of a connection opens a new screen with the source and target system properties:
Source and Target System properties
Where available, the authorizations and roles of the connection user are shown after selecting the User Information menu:
The connection overview lists all connections of all SAP systems registered in Protect4S, together with the Risk of each connection and its source and target systems:
Selecting the display button on the left of a connection opens a new screen with the source and target system properties (the same screen as in the System overview).
The risk value of a connection depends on several factors:
- whether the connection stores a user ID and password (a stored password lets anyone who controls the source system use the connection without knowing the credentials);
- whether the connection goes from a non-Production system to a Production system;
- whether the target system is a Production system;
- whether the authorizations of the connection user contain SAP_ALL or admin roles;
- for SOAP connections: whether the logical port facilitates operating system access;
- for type T RFC destinations: whether the external server program is "sapxpg" or "rfcexec", both of which execute operating system commands.
See overview below for an explanation of the Risk reasons.
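As an added illustration (not Protect4S code and not the overview the page refers to), the following Python applies the risk factors listed above to a few constructed connection records and ranks them the way the report's connection lists are sorted. The weights, the rating thresholds, the record fields and the sample systems are assumptions made for the example; the page does not document how Protect4S computes its Risk value.

```python
"""Illustrative risk rating for SAP system-to-system connections.

Added example, not Protect4S code. It applies the risk factors listed on
this page to constructed connection records. The weights, the rating
thresholds, the field names and the sample records are assumptions made
for the illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Registered server programs that execute operating-system commands (from the page)
OS_EXEC_PROGRAMS = {"sapxpg", "rfcexec"}
# Assumed set of profiles/roles treated as "SAP_ALL or admin"
ADMIN_AUTHS = {"SAP_ALL", "SAP_NEW", "SAP_BASIS_ADMIN"}

# Assumed weight per risk reason; higher means more useful to an attacker pivoting
WEIGHTS: Dict[str, int] = {
    "stored_credentials": 3,   # user ID and password stored in the destination
    "nonprod_to_prod": 3,      # a weaker system reaches a Production system
    "target_prod": 2,          # target system is Production
    "admin_user": 4,           # destination user has SAP_ALL or an admin role
    "soap_os_access": 3,       # logical port facilitates OS access
    "os_exec_program": 3,      # type T server program is sapxpg or rfcexec
}


@dataclass
class Connection:
    name: str
    conn_type: str                 # "3", "T", "G", "H", "SOAP", "ADBC" or "WD"
    source_sid: str
    source_role: str               # "PROD" or "NONPROD"
    target_sid: str
    target_role: str               # "PROD" or "NONPROD"
    user: str = ""
    stored_password: bool = False
    user_auths: List[str] = field(default_factory=list)
    server_program: str = ""       # type T only: registered server program
    os_access_port: bool = False   # SOAP only: logical port allows OS access


def risk_reasons(c: Connection) -> List[str]:
    """Return the risk reasons that apply to a connection, in a fixed order."""
    reasons = []
    if c.user and c.stored_password:
        reasons.append("stored_credentials")
    if c.source_role == "NONPROD" and c.target_role == "PROD":
        reasons.append("nonprod_to_prod")
    if c.target_role == "PROD":
        reasons.append("target_prod")
    if ADMIN_AUTHS.intersection(c.user_auths):
        reasons.append("admin_user")
    if c.conn_type == "SOAP" and c.os_access_port:
        reasons.append("soap_os_access")
    if c.conn_type == "T" and c.server_program.lower() in OS_EXEC_PROGRAMS:
        reasons.append("os_exec_program")
    return reasons


def risk_score(c: Connection) -> int:
    return sum(WEIGHTS[r] for r in risk_reasons(c))


def risk_rating(score: int) -> str:
    """Assumed thresholds: 7 and above High, 3 to 6 Medium, otherwise Low."""
    if score >= 7:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def rank_connections(conns: List[Connection]) -> List[Connection]:
    """Sort connections by descending risk, as the report's connection lists do."""
    return sorted(conns, key=risk_score, reverse=True)


# Constructed sample records (not real systems)
SAMPLE_CONNECTIONS = [
    Connection("DEV->PRD TMS", "3", "DEV", "NONPROD", "PRD", "PROD",
               user="TMSADM", stored_password=True, user_auths=["S_A.TMSADM"]),
    Connection("PRD sapxpg", "T", "PRD", "PROD", "PRD", "PROD",
               server_program="SAPXPG"),
    Connection("QAS sapcontrol SOAP", "SOAP", "QAS", "NONPROD", "QAS", "NONPROD",
               user="SOAPADM", stored_password=True, user_auths=["SAP_ALL"],
               os_access_port=True),
    Connection("DEV ADBC", "ADBC", "DEV", "NONPROD", "DEV", "NONPROD"),
]

if __name__ == "__main__":
    for c in rank_connections(SAMPLE_CONNECTIONS):
        s = risk_score(c)
        print(f"{risk_rating(s):6} {s:2} {c.name:22} {', '.join(risk_reasons(c))}")
```

Note that the factors add up: a type 3 destination from a development system into Production with a stored password collects three reasons at once, which is exactly the combination an attacker who has compromised the development system needs to pivot. The server program check is case-insensitive because the program name in a destination is free text.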
Our blog on this topic describes various ways to secure the connections between SAP systems: