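#-----------------------------------------------------------------------
# SNC (Secure Network Communications, via CommonCryptoLib)
#-----------------------------------------------------------------------
snc/gssapi_lib = $(SAPCRYPTOLIB)
# Transitional settings: with snc/enable = 1 these three flags still admit
# non-SNC CPIC / SAP GUI / RFC connections, so SNC is offered but NOT enforced.
# Once every client and RFC destination is SNC-capable, set them (and
# snc/permit_insecure_start) to 0 - until then an attacker can simply connect
# without SNC.
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
# Quality of protection: 1 = authentication only, 2 = integrity, 3 = privacy.
# "use" is what this system requests, "min" is the lowest level it accepts.
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/enable = 1
# 0 = presumably no logon screen for SNC-authenticated users - verify in RZ11
snc/force_login_screen = 0
# Placeholder - replace with the distinguished name of this system's SNC PSE
# (p:<DN>); it must match the PSE or SNC will not come up.
snc/identity/as = p:xx=xxxxxxxxxxxxxxxxxxxx
snc/permit_insecure_start = 1
# Internal RFC between the app servers of this system is NOT SNC-protected
# (r3int_rfc_secure = 0); the qop value only takes effect once it is enabled.
snc/r3int_rfc_qop = 8
snc/r3int_rfc_secure = 0
#-----------------------------------------------------------------------
# SSO (Kerberos/SPNEGO)
#-----------------------------------------------------------------------
spnego/enable = 1
spnego/krbspnego_lib = $(SAPCRYPTOLIB)
# NOTE(review): governs how an expired/initial password is handled on an SSO
# logon; confirm the meaning of value 3 for this kernel release (RZ11) before
# rollout.
login/password_change_for_SSO = 3
#-----------------------------------------------------------------------
# other security related parameters
#-----------------------------------------------------------------------
# RFC callback check: 3 = reject callbacks that are not on the whitelist
# (active mode). Open question from the template: set 3 only after system
# copies? Decide and document; a lower value logs or ignores instead of blocking.
rfc/callback_security_method = 3
# reject RFC logons with an expired password
rfc/reject_expired_passwd = 1
# NOTE(review): could not confirm rfc/reject_callback as a kernel parameter
# from this file - check it in RZ11; an unknown parameter is ignored, not enforced.
rfc/reject_callback = 1
# S_RFC authorization check for incoming RFC calls (0 would switch it off;
# stricter values exist - check the documented range for this kernel).
auth/rfc_authority_check = 1
# SAP GUI / NWBC scripting off (kernel default)
sapgui/nwbc_scripting = FALSE
# Deactivate user scripting (kernel default)
sapgui/user_scripting = FALSE
# Cipher suites per SAP note 2384290 and the EUROSEC/SAPSEC project
# (incoming and outgoing TLS traffic).
# Target value: allows only TLSv1.2 and higher. Verify every TLS peer
# (SAP GUI, RFC/HTTP destinations, external systems) supports TLS 1.2
# before setting it - older peers will simply fail to connect.
#   ssl/ciphersuites = 550:PFS:HIGH:!e3DES:!mSHA1::EC_HIGH
# Intermediate value: allow TLSv1.2 in addition to the kernel default:
#   ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/ciphersuites = 550:PFS:HIGH:!e3DES:!mSHA1::EC_HIGH
# Outgoing connections; TLS_FALLBACK_SCSV guards against protocol downgrade.
ssl/client_ciphersuites = 134:PFS:HIGH:TLS_FALLBACK_SCSV::EC_HIGH:+EC_OPT
# Solution Manager is special; its server-side value is still to be decided.
# Keep SolMan-specific values out of this shared template (or commented out):
# a later assignment of the same parameter in one profile REPLACES the value
# above, it does not add to it. "tbd" is not a valid value.
#   ssl/ciphersuites = tbd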
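# Solution Manager only - do NOT leave this active in a shared template. It is
# a second assignment of ssl/client_ciphersuites and replaces the
# 134:PFS:HIGH:TLS_FALLBACK_SCSV::EC_HIGH:+EC_OPT value defined earlier in this
# file (last assignment wins), dropping TLS_FALLBACK_SCSV and the EC_HIGH
# suites for every system that includes this profile. Put it in the SolMan
# profile instead.
#   ssl/client_ciphersuites = 918:PFS:HIGH
# Security audit log
rsau/enable = 1
# NOTE(review): rsau/enable only switches the log on; nothing is recorded until
# audit filters are defined and activated (SM19 / RSAU_CONFIG). Make sure an
# active filter profile is delivered with the system.
# 1 = generic user selection: user names in filters may use the wildcard *
rsau/user_selection = 1
# ICF/HTTP access logging.
# NOTE(review): the two entries below differ only in their index and both are
# live in any profile that contains them, with the same LOGFILE - keep only the
# one matching the kernel release, or requests may be logged twice.
# kernel >= 7.40
icm/HTTP/logging_10 = PREFIX=/, LOGFILE=access_log_$(SAPSYSTEMNAME)_$(SAPLOCALHOST)_$$_%y-%m, MAXSIZEKB=10000, SWITCHTF=month, LOGFORMAT=%t - "%r2" %s %b %L - %j %h
# kernel < 7.40
icm/HTTP/logging_0 = PREFIX=/, LOGFILE=access_log_$(SAPSYSTEMNAME)_$(SAPLOCALHOST)_$$_%y-%m, MAXSIZEKB=10000, SWITCHTF=month, LOGFORMAT=%t - "%r2" %s %b %L - %j %h
# Global redirect HTTP -> HTTPS (instance profile). PORT=443$$ expands to
# 443<instance number>; the HTTPS port must actually be served there.
icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=HTTP, PROT=HTTPS, HOST=$(SAPLOCALHOST).$(SAPFQDN), PORT=443$$
# TODO: disable the HTTP service for new systems - to be discussed and tested.
# A redirect still needs a listening plain-HTTP port, and the first request
# reaches it in clear text before being redirected. HTTP must not be used
# for application traffic.
# Password policy
# 2 = any characters allowed in passwords (incl. non-ASCII) - verify in RZ11
login/password_charset = 2
# 0 = do not store downward-compatible (weaker) password hashes
login/password_downwards_compatibility = 0
# NOTE(review): an initial password that is never used stays valid for 180
# days - long for a credential handed over out of band; consider a much
# shorter window for max_idle_initial.
login/password_max_idle_initial = 180
login/password_max_idle_productive = 180
# Complexity: 10 characters, at least 2 lower, 2 upper, 2 digits, 2 specials
login/min_password_lng = 10
login/min_password_lowercase = 2
login/min_password_uppercase = 2
login/min_password_digits = 2
login/min_password_specials = 2
# Gateway proxy settings - gw/prxy_info is only effective if the prxyinfo
# file exists!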
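gw/prxy_info = $(DIR_GLOBAL)$(DIR_SEP)$(FN_PRXY_INFO)
# No remote program start through the gateway
gw/rem_start = DISABLED
# Gateway logging, daily file switch (ACTION letters per gateway logging docs)
gw/logging = ACTION=SEZPX LOGFILE=$(DIR_GLOBAL)/gw_log_$(SAPSYSTEMNAME)_$(SAPLOCALHOST)_$$_%y-%m-%d SWITCHTF=day
# https://launchpad.support.sap.com/#/notes/1848930
# 255 is the default with S/4HANA - prerequisite: prxyinfo in place
gw/reg_no_conn_info = 255
# NOTE(review): the reginfo/secinfo guidance below assumes the gateway ACLs
# are enforced, but this file sets neither gw/acl_mode nor the gw/sec_info /
# gw/reg_info paths. Confirm gw/acl_mode = 1 (and the file paths) in the
# profile that includes this one - as I recall, acl_mode = 1 is what makes a
# missing ACL file deny-by-default instead of allow-all; verify.
# According to https://launchpad.support.sap.com/#/notes/910918 the FIRST
# matching entry is used, so the specific permit (P) lines must come before
# the closing deny-all (D) line. Example:
#   > cat /usr/sap/<SID>/SYS/global/prxyinfo
#   P SOURCE=xxxx,xxxx.xxxx.xxxx.com DEST=*.xxxx.xxxx.com
#   P SOURCE=xxxx,xxxx.xxxx.xxxx.com DEST=*.xxxx.xxxx.com
#   P SOURCE=xxxx,xxxx.xxxx.xxxx.com DEST=*.xxxx.xxxx.com
#   D SOURCE=* DEST=*
# In reginfo and secinfo verify the following: no TP=* entries except the
# closing lines, which restrict the wildcard to local/internal hosts and must
# look exactly like this (keep them LAST; presumably first match wins here too).
# Last lines in reginfo:
#   P TP=* HOST=local CANCEL=local ACCESS=local
#   P TP=* HOST=internal CANCEL=internal ACCESS=internal
# Last lines in secinfo:
#   P TP=* USER=* USER-HOST=local HOST=local
#   P TP=* USER=* USER-HOST=internal HOST=internal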