ITM115 – UCON – A New Approach To Making Your RFC .


ITM115 – UCON – A New Approach to Making Your RFC Communication More Secure
Juergen Adolf, PM Platform Products
Martin Plummer, PM Platform Products
Public

Disclaimer
This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.
© 2014 SAP SE or an SAP affiliate company. All rights reserved.

Agenda
Unified Connectivity (UCON) RFC Security Basic Scenario
- Motivation and Scope
- Basic Concepts
- The Practice of UCON: Logging and Blocking – Demo
- Setup && Configuration
- How to handle System Updates
- How to Cope With the Restrictions of Productive Systems
- Summary

Unified Connectivity
Motivation and Scope

The Scope of UCON RFC Basic Connectivity
Diagram: RFC connectivity between Company A and Company B, linking ERP, CRM and SCM systems in Datacenter A and Datacenter B and the cloud. Labels: Different Companies; Complex Business Processes; Heterogeneous IT Infrastructures.

The Scope of UCON RFC Basic Connectivity
RFC-Based Connectivity: high-performing, for local high load scenarios, across all ABAP releases, close integration into ABAP

UCON – A Simple Approach to Make RFC More Secure
Reduce the overall attack surface of your remote-enabled function modules (RFMs). Enhance RFC security by blocking the access to a large number of RFMs!
Facts:
- Most SAP ERP customers run just a limited number of the business (& technical) scenarios for which they need to expose some RFMs
- A lot of RFMs are only used to parallelize within a system
Solution:
- Find out which RFMs need to be exposed for the scenarios of a customer
- Block the access to all other RFMs

The Basic Strategy of UCON to Solve These Problems
Reduce the number of RFMs exposed to the outside world
Expose only and exactly those RFMs a customer needs to run their business scenarios
- 40000 RFMs in SAP ERP (incl. SAP NetWeaver)
- A typical SAP customer only needs to expose a few hundred RFMs for their business scenarios

Unified Connectivity
Basic Concepts

The UCON Way to Security: Expose Only Those Function Modules You Need to the Outside World
Diagram: function modules RFM1 through RFM11 and the Default Communication Assembly (CA)

UCON Checks Do not Interfere with Calls Within the Same Client and System
Blocked for access from outside – Open for use in parallel RFC inside the same client in the same system
Diagram: RFM1, RFM3, RFM5, RFM7, RFM . (SAP Business Suite)

UCON – An Additional Role/User-Independent Layer of Security Checks
User trying to access a RFM:
1. RFM in CA? If no: No Access. If yes: continue with the next check.
2. User has authorization (for the relevant CA)? If no: No Access. If yes: Access to RFM.

UCON RFC Security
Easy Customer Adoption in Three Steps
1. Logging of RFMs called from outside
2. Evaluation/Simulation
3. Runtime checks active


Prerequisites for the Different Security Layers
Diagram labels: Access to RFMs; UCON runtime checks; S_RFC checks

Efforts Required for the Different Security Layers
Diagram labels: Access to RFMs; UCON runtime checks; S_RFC checks

UCON Protection After the Initial UCON Security Classification
Check-Active Phase
Diagram labels: Blocked RFMs from initial UCON set-up; 40,000; 100; Default CA; SAP Business Suite

Demo
The Practice of UCON: Logging and Blocking

Logging and Blocking in the UCON Phase Tool
Show only RFMs at the end of logging or evaluation phase

Logging and Blocking in the UCON Phase Tool
Select the called RFMs at the end of the logging phase
Assign them to the default CA

Logging and Blocking in the UCON Phase Tool
Select the called RFMs at the end of the logging phase
Assign them to the next phase

Unified Connectivity
Setup && Configuration

UCON Setup and Configuration
It is simple to set up and configure Unified Connectivity (UCON):
1. Create the UCON profile parameter ucon/rfc/active and set it to 1 to enable UCON runtime checks for RFMs in the final check-active phase
2. Choose a suitable duration of the logging and evaluation phase
3. Run the UCON setup to generate a default communication assembly (CA) and other required entities
4. Schedule the batch job SAP_UCON_MANAGEMENT that selects and persists the RFC statistic records required by the UCON phase tool on the database

Unified Connectivity
How to handle System Updates
Coverage of New Remote-Enabled Function Modules

UCON Protection After Initial Security Classification
Check-active Phase
Diagram labels: Development; Protected/blocked RFMs; Default Communication Assembly; Exposed RFMs

New RFMs Arrive at a UCON-Protected System
Check-active phase
Development
Over time: New RFMs in transports, SPs, EhPs

New RFMs on Their Way to UCON Protection – Logging Phase
New RFMs are automatically assigned to the logging phase
Diagram labels: Logging phase; Evaluation phase; Check-active phase; Access allowed; Access blocked; UCON protection

New RFMs on Their Way to UCON Protection – Evaluation Phase
Diagram labels: Logging phase; Evaluation phase; Check-active phase; Access allowed; Access blocked; UCON protection

New RFMs Have Achieved UCON Protection – Check-Active Phase
Diagram labels: Logging phase; Evaluation phase; Check-active phase; Access blocked; UCON protection; Access allowed
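The two-layer check from the "Additional Role/User-Independent Layer of Security Checks" slide, combined with the three phases shown above, can be modelled as follows. This is an added illustration, not SAP code or part of the original deck: the system and client IDs, the function module names and the boolean that stands in for the user authorization layer are all constructed assumptions.

```python
from dataclasses import dataclass

LOGGING, EVALUATION, CHECK_ACTIVE = "logging", "evaluation", "check-active"

@dataclass(frozen=True)
class Call:
    rfm: str
    system: str        # calling system ID (constructed sample values)
    client: str        # calling client
    authorized: bool   # outcome of the user authorization layer, taken as given

LOCAL = ("PRD", "100")  # hypothetical system/client that hosts the RFMs

def is_external(call):
    return (call.system, call.client) != LOCAL

def decide(call, phase, default_ca, ucon_active=True):
    """Return (allowed, reason) for one call, following the slide flow."""
    # UCON layer: user-independent; applies only to external calls to RFMs in
    # the check-active phase, and only when runtime checks are switched on.
    if (ucon_active and is_external(call)
            and phase.get(call.rfm, LOGGING) == CHECK_ACTIVE
            and call.rfm not in default_ca):
        return False, "UCON: RFM not in CA"
    # Authorization layer: user-dependent, evaluated after the UCON layer.
    if not call.authorized:
        return False, "no authorization"
    return True, "access"

def propose_default_ca(logged_calls):
    """End of logging phase: RFMs that were actually called from outside."""
    return {c.rfm for c in logged_calls if is_external(c)}

def simulate(logged_calls, default_ca):
    """Evaluation phase: RFMs that check-active would block for this traffic."""
    phase = {c.rfm: CHECK_ACTIVE for c in logged_calls}
    return sorted({c.rfm for c in logged_calls
                   if decide(c, phase, default_ca)[1].startswith("UCON")})

# Constructed sample of logged calls (function module names are made up).
LOGGED = [
    Call("Z_ORDER_CREATE", "CRM", "200", True),     # external, needed
    Call("Z_PARALLEL_WORKER", "PRD", "100", True),  # parallel RFC inside PRD/100
    Call("Z_STOCK_READ", "SCM", "300", False),      # external, user not authorized
    Call("Z_LEGACY_DUMP", "XYZ", "000", True),      # external, judged not needed
]

if __name__ == "__main__":
    ca = propose_default_ca(LOGGED) - {"Z_LEGACY_DUMP"}  # admin drops one RFM
    print("would be blocked:", simulate(LOGGED, ca))
    for c in LOGGED:
        print(c.rfm, decide(c, {c.rfm: CHECK_ACTIVE}, ca))
```

An RFM with no phase entry is treated as being in the logging phase, matching the slide statement that new RFMs are automatically assigned to it.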

The Ever-Growing Scope of UCON Protection
Diagram labels: Blocked RFMs from initial UCON set-up; Blocked RFMs from other, new transports or installations; Default CA; SAP Business Suite

Unified Connectivity
How to Cope With the Restrictions of Productive Systems

UCON and the Restrictions in a Productive System
Challenges
PROD
Authorizations and system change options in Productive Systems are not sufficient for UCON Operations
- Assignment of relevant RFMs to default CA and UCON phases
- Collection of RFC call statistics and UCON protection
UCON Phase Tool

UCON and the Restrictions in a Productive System
Solution
DEV: Assignment of relevant RFMs to default CA and ...
Collection of RFC call statistics and UCON protection
UCON Phase Tool

UCON and the Restrictions in a Productive System
How to Delegate UCON Operations to DEV – Step 1
1. Import RFC call statistics from PROD to DEV
Diagram: UCON Phase Tool (PROD), .csv RFC call statistics, UCON Phase Tool (DEV)

UCON and the Restrictions in a Productive System
How to Delegate UCON Operations to DEV – Step 2
1. Import RFC call statistics from PROD to DEV
2. Assign relevant RFMs to default CA and to next phase
Diagram: UCON Phase Tool (PROD), .csv RFC call statistics, UCON Phase Tool (DEV)

UCON and the Restrictions in a Productive System
How to Delegate UCON Operations to DEV – Step 3
1. Import RFC call statistics from PROD to DEV
2. Assign relevant RFMs to default CA and to next phase
3. Phase and CA assignment of RFMs (R3Trans)
Diagram: UCON Phase Tool (PROD), .csv RFC call statistics, UCON Phase Tool (DEV)

UCON and the Restrictions in a Productive System
How to Delegate UCON Operations to DEV in a Nutshell
DEV: Assignment of relevant RFMs to default CA and UCON phases (UCON Phase Tool)
PROD: Collection of RFC call statistics and UCON protection (UCON Phase Tool)
Diagram labels: RFC call statistics; Phase and CA assignment of RFMs

Unified Connectivity
Summary

Summary – It is simple to set up and configure Unified Connectivity (UCON)
- The UCON framework offers a simple, straightforward approach for enhancing the security of your RFCs. It allows you to minimize the number of RFMs on ABAP-based servers exposed to other clients and systems, reducing the available attack surface in your RFC communications
- The UCON phase tool guides and supports the administrator in the four-step setup and the three-phased process
- UCON covers new function modules entering the system via Support Packages, Enhancement Packages, transports, or new developments
- UCON is fully enabled for life-cycle management to ensure consistent RFC security across your system landscape

SAP d-code Virtual Hands-on Workshops and SAP d-code Online
Continue your SAP d-code education after the event!
SAP d-code Virtual Hands-on Workshops
- Access hands-on workshops post-event
- Starting January 2015
- Complementary with your SAP d-code registration
- Hands-on replays: http://sapdcodehandson.sap.com
SAP d-code Online
- Access replays of keynotes, Demo Jam, SAP d-code live interviews, select lecture sessions, and more!
- http://sapdcode.com/online

Further Information
SAP Public .com/community/security
www.sap.com
SAP Education and Certification Opportunities
www.sap.com/education
Watch SAP d-code Online
www.sapcode.com/online

Feedback
Please complete your session evaluation for ITM115.
Thanks for attending this SAP TechEd && d-code session.

© 2014 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see ht/index.epx for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
