SAP Landscape Management 3.0, Enterprise Edition

Managed Assets

This section provides an overview of security-relevant assets that are controlled by SAP Landscape Management.

| Asset | Description | Relevant Agents and Storages |
| --- | --- | --- |
| SAP Landscape Management Server Certificates | Certificates used to authenticate the SAP Landscape Management server and to encrypt communication where SAP Landscape Management is used as a server via HTTPS. | SAP NetWeaver Application Server for Java encapsulates the network communication. The NW Certificate Store stores the certificate. Partner adapters deployed together with SAP Landscape Management may use SAP Landscape Management certificates via API to authenticate. |
| Credentials for managed systems (e.g., sapadm, <sapsid>adm, HANA SYSTEM USER) | Credentials used to manage the SAP systems during operation execution. In addition, SAP Landscape Management copies or deletes users depending on the executed operation. This can happen locally on the host or in the central user store. For more information, see the Operations Guide on SAP Help Portal at https://help.sap.com/viewer/lama_operations. | SAP Landscape Management for processing. The NW Secure Store for persisting these credentials. Credentials are transferred via network for authentication to the respective service. SAP Host Agent may receive credentials for the managed system during the executed operation. Depending on the configuration of customer enhancements (hooks, operations), credentials might be forwarded to them. Credentials will be forwarded to the partner adapters for their respective management function. |
| Credentials for infrastructure communication (e.g., LDAP administration, Virtual Resource Management) | Credentials used to retrieve or update data in the infrastructure that is needed to execute a certain operation in SAP Landscape Management, such as copying a <sapsid>adm to a new <sapsid>adm because of a system copy. In addition, credentials might be used to trigger a custom hook or custom operation. The credentials to connect to the respective service will not be changed by SAP Landscape Management. | SAP Landscape Management for processing credentials. The NW Secure Store for persisting these credentials. Credentials are transferred via network for authentication to the respective service. |
| Client certificates | SAP Landscape Management may use client certificates instead of password-based authentication, for example for SAP Host Agent or other infrastructure services. | SAP Landscape Management for processing via NW API. The NW Certificate Store for persisting the respective certificates. |
| Database content (Logs and Landscape) | Information about the managed system landscape, including SAP services and infrastructure. Repositories, service configurations, and SAP Landscape Management specific configurations such as custom hooks. User-specific UI configurations. Logs of executed activities, including user IDs. | SAP Landscape Management accesses the database via JDBC to transfer the data from or to the UI or any other interface (such as REST API, Configuration Servlet). SAP Landscape Management also uses the data for its operational tasks. The operation executed determines to which agent the data can be transferred. |
| Archived logs | Archived logs are export files of logs from the database, containing user IDs and related activities, including timestamps. | SAP Landscape Management reads the logs from the database and writes them to compressed archives in the configured location. Archived logs are removed from the database. |
| Central directory entries | SAP Landscape Management needs to modify name resolution when creating or modifying hosts or SAP systems, and changes user stores when systems are copied or cloned. | SAP Landscape Management reads and modifies name server and central user stores. Depending on the operation executed, SAP Landscape Management may create users on the managed host only. |
| Managed hosts, managed systems, data storages | SAP Landscape Management modifies managed hosts and systems, including their storages. Modifications range from local name resolution and mounting remote directories up to deleting backups or storages, reconfiguring local iptables entries, and so on. | SAP Host Agents, partner adapters, and SAP Landscape Management itself are responsible for making the changes required for a specific use case. |