SAP Landscape Management 3.0, Enterprise Edition, Security Considerations

Communication Channel Security

This section provides an overview of the network-based communication paths and protocols used by SAP Landscape Management.

For each communication path, the entries below give the protocols supported, the type of data transferred, and the security requirements.

SAP Host Agent

Protocols Supported: HTTP, HTTPS

Type of Data Transferred:

  • Managed systems information

  • Operations to be executed on the managed system

  • sapadm user credentials during logon to SAP Host Agent

  • Operating system user credentials

  • Managed system user credentials

  • SAP Landscape Management DNS and NIS updates

Security Requirements:

  • Encrypted communication:

    HTTPS with server certificate in SAP Host Agent

  • SAP Host Agent authentication:

    HTTPS with server certificate in SAP Host Agent and trusted Certification Authority (CA) certificate added to NW Java Certificate Store. Make sure certificate checking is activated in the SAP Landscape Management setup.

  • Authentication of SAP Landscape Management against SAP Host Agent:

    sapadm user and password.

    To have the sapadm password transferred encrypted, ensure encrypted communication.

Instance Agent

Protocols Supported: HTTP, HTTPS

Type of Data Transferred:

  • Managed systems information

  • Monitoring managed system

  • sidadm user credentials during logon to SAP instance agent

  • Operating system user credentials

  • Managed system user credentials

Security Requirements:

  • Encrypted communication:

    HTTPS with server certificate in instance agent

  • Instance agent authentication:

    HTTPS with server certificate in instance agent and trusted Certification Authority (CA) certificate added to NW Java Certificate Store. Make sure certificate checking is activated in the SAP Landscape Management setup.

  • Authentication of SAP Landscape Management against instance agent:

    sidadm user and password.

    To have the sidadm password transferred encrypted, ensure encrypted communication.

Central name server communication

Central user management

Protocols Supported: LDAP, LDAP over SSL

Type of Data Transferred:

  • LDAP updates

  • Requested data read by SAP Landscape Management

Security Requirements:

  • Encrypted communication and authentication of name server and user management:

    LDAP over SSL with trusted CA certificate.

  • Authentication of SAP Landscape Management against name server and user management:

    username and password

    To have the password transferred encrypted, ensure encrypted communication.

Automatic synchronization based on the SAP Landscape Management export and import functionality

Protocols Supported: HTTP, HTTPS

Type of Data Transferred:

XML data files containing SAP Landscape Management configurations with system credentials.

Security Requirements:

  • Synchronization type Direct

    Specify the URL and credentials of the SAP Landscape Management from which you want to automatically import the configuration data. To use encrypted communication and source authentication, use HTTPS. Authentication is via username and password.

  • Synchronization type Upload

    Specify the path to the XML data file containing all configuration details you want to synchronize. Ensure proper configuration of your storage locations depending on your security requirements.

  • Synchronization type Destination

    Use NW Destinations configuration. It is recommended to use the Destination synchronization type to leverage NW basis security features.

Java Post-Copy Automation (Java PCA)

Protocols Supported: HTTP, HTTPS

Type of Data Transferred:

Java PCA execution information containing confidential system information.

Security Requirements:

  • Encrypted communication and Java PCA authentication against SAP Landscape Management:

    HTTPS with server certificate in Java PCA

  • Authentication of SAP Landscape Management against Java PCA:

    username and password

    To have the password transferred encrypted, ensure encrypted communication.

SLD communication

Protocols Supported: HTTP, HTTPS

Type of Data Transferred:

Landscape information for discovery

Security Requirements:

  • Encrypted communication with authentication of SLD:

    HTTPS

Remote Function Calls (RFC) on managed systems

Protocols Supported: RFC

Type of Data Transferred:

System data such as passwords and PCA related data.

Security Requirements:

You can apply the following levels of security protection:

  • Authentication only

    When using authentication only, the system verifies the identity of the communication partners. This is the minimum protection level offered by SNC.

  • Integrity protection

    When using integrity protection, the system detects any changes or manipulation of the data which may have occurred between the two end points of a communication.

  • Privacy protection

    When using privacy protection, the system encrypts the messages being transferred to make eavesdropping useless. Privacy protection also includes integrity protection of the data. This is the maximum level of protection provided by SNC.

    No SNC connection is possible for copied or refreshed systems before restart.

SAP Solution Manager

Protocols Supported: RFC

Type of Data Transferred:

  • Information about scheduling

  • General system information

Storage and virtualization adapters

Protocols Supported: Depends on adapter implementation

Type of Data Transferred:

  • Control instructions

  • Management data

Security Requirements:

  • Depends on adapter implementation

External tools accessing SAP Landscape Management web services or SAP Landscape Management Application Programming Interface (API)

Protocols Supported: HTTP, HTTPS

Type of Data Transferred:

  • Data required to remotely control SAP Landscape Management

  • Monitoring information from SAP Landscape Management

Security Requirements:

  • Encrypted communication:

    HTTPS server certificate on SAP Landscape Management

  • Authentication against SAP Landscape Management:

    Depending on the configured NW Java authentication stack. By default, credential-based authentication is used for the respective applications.

    To have the password transferred encrypted, ensure encrypted communication.

REST services for SAPUI5, web services, and servlets

Protocols Supported: HTTP, HTTPS

Type of Data Transferred:

  • SAP Landscape Management internal data

  • Data of managed systems including credentials

Security Requirements:

  • Encrypted communication:

    HTTPS server certificate on SAP Landscape Management

  • Authentication against SAP Landscape Management:

    Depending on the configured NW Java authentication stack. Common use cases rely on credential-based authentication. In these cases, ensure encrypted communication to keep the credentials secure.

Dynamic Information and Action Gateway (DIAG) and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol. SOAP connections are protected with Web services security.

For more information, search for Transport Layer Security and Web Services Security in the SAP NetWeaver Security Guide.
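
The requirements listed above can be checked mechanically against an inventory of configured connections. The following Python code is an added example, not SAP code and not part of the original guide; the inventory format, field names, host names and ports are constructed for illustration.

```python
from urllib.parse import urlsplit

# Credentials each path carries, taken from the rows above.
CREDS = {
    "host_agent": "sapadm, operating system and managed system user",
    "instance_agent": "sidadm, operating system and managed system user",
    "name_server": "name server / user management user",
    "java_pca": "Java PCA user",
}
ENCRYPTED_SCHEMES = {"https", "ldaps"}
SNC_LEVELS = ("authentication", "integrity", "privacy")  # weakest to strongest

def audit(entry):
    """Return the findings for one inventory entry; an empty list means compliant."""
    if entry["path"] == "rfc":
        level = entry.get("snc")
        if level not in SNC_LEVELS:
            return ["RFC without SNC: passwords and PCA data are unprotected"]
        if level != "privacy":
            return [f"SNC {level} protection does not encrypt the transferred passwords"]
        return []
    scheme = urlsplit(entry["url"]).scheme.lower()
    if scheme not in ENCRYPTED_SCHEMES:
        return [f"{scheme} is unencrypted: {CREDS[entry['path']]} credentials exposed"]
    if not entry.get("cert_check", False):
        return ["certificate checking is off: the server is not authenticated"]
    return []

# Constructed inventory; host names, ports and field names are illustrative.
INVENTORY = [
    {"name": "hostagent-a", "path": "host_agent", "url": "http://sapa.example:1128"},
    {"name": "hostagent-b", "path": "host_agent", "url": "https://sapb.example:1129", "cert_check": True},
    {"name": "instance-00", "path": "instance_agent", "url": "https://sapb.example:50014", "cert_check": False},
    {"name": "ldap", "path": "name_server", "url": "ldap://ns.example:389"},
    {"name": "rfc-prd", "path": "rfc", "snc": "integrity"},
    {"name": "rfc-qas", "path": "rfc", "snc": "privacy"},
]

def report(inventory):
    """Map each non-compliant entry name to its findings."""
    return {e["name"]: f for e in inventory if (f := audit(e))}

if __name__ == "__main__":
    for name, findings in report(INVENTORY).items():
        print(f"{name}: {'; '.join(findings)}")
```

Entries that use HTTPS without certificate checking are reported separately from cleartext ones, because the traffic is encrypted but the agent's identity is not verified.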