bc-ecatt test-report html - digital security · testing authentication by jco sap table data...
Certificate SAP INTEGRATION CERTIFICATION
SAP AG hereby confirms that the interface software for the product
ERPSCAN Security Monitoring Suite 2.2
of the company ERPScan
has been certified for integration with SAP ECC 6.0 based on ICC Integration Assessment in SAP NetWeaver. This certificate confirms the existence of product features in accordance with SAP certification procedures. It does not guarantee that the product is error-free. The certification test is documented in report no. 23249713 and expires June 21, 2016.
Vendor Hardware: x86_64 platform
Vendor Operating System: Ubuntu Linux
SAP Test System: SAP NetWeaver 731
Used Integration Tools: none
This configuration meets the requirements for connecting ERPSCAN Security Monitoring Suite 2.2 to SAP NetWeaver.
Certified Functions:
· Identified Gateway port and System number
· Testing authentication by JCO
· SAP table data transferred to ERPScan
· SAP profile and system parameters transferred to ERPScan
· SAP system check performed
· Running HTTP checks
Walldorf, June 21, 2013
Mr. Jürgen Bierlein, SAP AG
SAP, R/3, and SAP NetWeaver are registered trademarks of SAP AG Germany. All other names are registered or unregistered trademarks of the individual firms.
http://www.sap.com/icc
SAP Integration and Certification Center Page 1
Interface Certification ICC Integration Assessment Test Report Version 1.0 SAP Integration and Certification Center
ICC INTEGRATION ASSESSMENT - TEST REPORT FOR INTERFACE CERTIFICATION
© 2013 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. All other product and service names mentioned are the trademarks of their respective companies. Please refer to http://www.sap.com/corporate-en/legal/copyright/index.epx Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
Interface Certification #23249713
SAP Interface incl. Release: ICC Integration Assessment
SAP Product incl. Release used for test: SAP NetWeaver 731
Hardware used for SAP test system: x86_64 platform
Operating System of SAP test system: Windows 2008 R2
Name of Vendor: ERPScan
Vendor Number (SAP internal): 12829449
Vendor Product Name: ERPSCAN Security Monitoring Suite
Release Vendor Product: 2.2
Vendor Product Number (SAP internal): 9253890
Vendor Interface Software Name:
Release Vendor Interface Software:
Hardware used for Vendor Test System: x86_64 platform
Operating System of Vendor Test System: Ubuntu Linux 12.04.2 LTS
Tools used for the technical integration: none
Certification Date: June 21, 2013
Expiration Date: June 21, 2016
Location: Walldorf
Persons present - Vendor: Mr. Alexander Polyakov
Persons present - SAP: Mr. Jürgen Bierlein
Certified Functions:
· Identified Gateway port and System number
· Testing authentication by JCO
· SAP table data transferred to ERPScan
· SAP profile and system parameters transferred to ERPScan
· SAP system check performed
· Running HTTP checks
1. Software Solution Provider (SSP) Information
Company and product information
SSP Name: ERPScan
SAP Assigned SSP Number: Prefilled with SAP data
SSP Product Name: ERPSCAN Security Monitoring Suite
Version / Release of SSP Product: 2.2
SAP Assigned Product Number: Prefilled with SAP data
Interface Software Name: ERPScan connector
Interface Software Version: 2.0
Product web page: http://www.erpscan.com
Which releases of the SAP Business Solutions are supported by your software? Check exactly one release. If your product supports multiple releases, please fill out one document per SAP release. Please name the corresponding version of your software.
SAP ECC 6.0 EHPAny
Corresp. version of your software: 2.2
SAP R/3 Enterprise 4.7
Corresp. version of your software:
other
Corresp. version of your software:
For which databases is your software available? MySQL is used for internal needs of the software
What operating system(s) does your software support? Linux x86, Linux x64, Windows X86, Windows x64. Vendor product is written in Java and therefore platform independent, but there are constraints regarding additional software, e.g. Tomcat. Vendor has a list of supported operating systems.
2. Functional Overview
Supported Functions and Business Processes – General Description
Please give a broad overview on the functionality and the purpose of your product. You should stress the benefits for the customer in this section. You may want to elaborate why your product is complementary to the SAP Business Solution, if applicable.
ERPScan Security Monitoring Suite for SAP is an innovative product for
integrated assessment of SAP platform security and standard compliance. The
system enables conducting complex security assessment while scanning SAP
servers for software vulnerabilities, misconfigurations, critical authorizations,
and performs assessment for compliance to current standards and best
practices including SAP best practices.
The current version of the scanner has the following functions:
Means of collecting the necessary data:
  o Security configuration;
  o Access Control;
  o Vulnerabilities.
Means of analysing the collected data:
  o Standard compliance;
  o Risk analysis;
  o Security metrics.
The key benefit of the system is in its ability not only to enhance security but
also to decrease TCO because of the benefits described below.
Business benefits:
· Reduction in expenses on the security assessment
· Reduction in training expenses
· Protection against remote hacker attacks
· Protection against insider attacks
3. Business Processes
Business Processes and Their Implementation
The product is not intended to implement any business process. It’s a security scanner for the SAP system itself, providing quick information on misconfiguration, patch management, critical access rights and vulnerabilities. The product can also be used to check if the system complies with SAP and ISACA recommendations.
With the vendor product the customer has no option to use an exploit to get unprivileged access to an SAP landscape.
4. Product Implementation
Programming Languages, Namespaces
What programming languages or tools do you use to implement your product (multiple selections possible)?
ABAP Development Workbench
C/C++
Java/J2EE/EE 5 (standalone Java app)
Microsoft .NET
SQL-Tools
Provide name(s):
Others
Provide name(s): Adobe Flex, SAP JCo
Do you have SAP Software license?
SAP Application developer license
SAP NetWeaver developer license
SAP Test and Demo license
Provide Installation number: 0020713771
If you use the ABAP Development Workbench, do you develop in the customer namespace or do you use a partner namespace?
Customer namespace
Partner namespace. Please provide name: ERPSCAN
Do you use the Add-On Assembly Kit (AAK) for checking and delivering your software to customers?
yes no
Do you use your own tables within the R/3 database (which are not defined by using the R/3 data dictionary)?
yes no
Name tables and location:
Do you modify SAP programs? yes no
Do you use SAP NetWeaver Developer Studio?
yes
SAP NetWeaver 7.0
SAP NetWeaver CE 7.1
no
Do you use the Java Development Infrastructure (JDI)?
yes
Use namespace
no
For Java application (J2EE/EE 5)
Note: SAP currently doesn’t support JDK 6
Package EAR file to SAP SCA (Software Component Archive) file
JDK version supported:
J2EE/ EE5 specifications adhere to:
6. Integration Technology
6.1 Use of SAP’s Integration Technologies
What SAP integration technologies do you use to integrate your product with the SAP Business Solutions?
SAP Enterprise Services: yes
SAP Business Application Programming Interfaces (BAPIs): yes
Remote Function Call (RFC): yes
If you use RFC, what type of functions do you use?
SAP released RFCs
Self-developed RFCs
SAP Intermediate Documents (IDocs) via EDI or Application Link Enabling (ALE): yes
If you use IDocs, what type of IDocs do you use?
SAP released Idocs
Extended or self-developed IDocs
SAP Documented Interface, e.g. SAP BOR API, or the SAP DBA monitoring interface: yes
Please provide name of interface documentation:
SAP Internet Application Components (IACs) and Internet Transaction Server (ITS) and / or other internet enabling technologies: yes
Business Transaction Events (BTEs, Open FI): yes
SAP Workflow: yes
SAP Automation for alternate front-ends (intelligent terminal): yes
Others (e.g. Batch Data Communication, Direct Input, Data Migration Reports): yes
Please provide details: HTTP connections
SAP extensions (e.g. User Exits, Customer Exits, Business Add-Ins (BADIs)): yes
6.2 Complete List of Used ES / BAPIs / RFCs / IDocs / other SAP APIs
Please list all items of SAP integration technologies in detail.
Example:
Enterprise Services:
User-friendly name / Technical Name
SupplierSimpleByNameAndAddressQueryResponse_In (ECC_SUPPLIERSNAQR)
…
BAPIs:
SalesOrder.Simulate
SalesOrder.GetStatus
...
RFCs:
BANK_KEY_CHECK
...
IDocs/Message (from SAP):
ORDERS01/ORDERS
CREMAS01/CREMAS
...
IACs:
Available to Promise on the Internet (SD-BF-AC)
…
SAP Standard Reports for data migration:
RIIBIP00
....
CMOD exit/enhancement:
CUBX0001-Configuration: determine superior material
...
BADIs/BTEs:
BOM_UPDATE
...
Name of ES/BAPI/RFC/IDoc/Message/etc. (Using the provided format for each type) | Status (1)
/ERPSCAN/ZRFC_READ_TABLE | S
/ERPSCAN/ZGET_PROFILE_PAR | S
SXPG_COMMAND_EXECUTE | R
RFC_PING (Automatically while using JCo function ping()) | N
/ERPSCAN/ZSYSTEM_RESET_RFC_SERVER | S
(1) R: Released, N: not released, S: self developed
7. Performance
SAP requires the vendor to provide what the performance capabilities are and demonstrate that performance and
overall quality will meet the operational requirements of the product.
7.1 Performance and Scalability
Please give a description of the architecture and design of the product, including performance and scalability.
The system’s architecture is based on cross-platform development, multi-user model, and thin client. User-friendly
client-server architecture, the thin client based on Adobe Flex, allows managing the scanner without installing any
additional software, using any browser that supports Flash, while multi-platform server engine developed on Java
enables operation on any OS.
Scan scheme
To receive data from an SAP server, the scanner uses a special ERPScan account, which is created in every client beforehand with the rights to read a set of tables needed for the analysis. Data is transferred from the server via RFC using standard functional modules. After that, the system processes the received data with respect to various criteria and creates reports.
Architecture
The system consists of the following components:
Server:
· DBMS (MySQL);
· Application server (Apache Tomcat);
· Static WEB server (Nginx).
Client:
· Any browser which supports Flash.
Interaction with the server is implemented via HTTP using any browser that supports Flash. The server can be installed on any OS that supports Java. The recommended operating systems are Windows XP/7 and Linux Ubuntu.
7.2 Quality Assurance
Please give a description of your internal Quality Assurance procedures to assure that the interface design and performance consistently conform to specified requirements.
The quality assurance process in ERPSCAN is based on the best world standards like ISO. The
implemented system of quality management and control over the project is carried out as
follows:
[Figure: organization chart with the labels Project supervisor, Project manager, Software engineers, Deployment manager, Quality assurance manager, Quality assurance engineer, Beta-testers, Development, Quality assurance dept.]
Do you have a test plan?
yes
Please attach here Test Plan.pdf
no
Please explain:
Do you have a test report?
yes
Please attach here Test report.pdf
no
Please explain:
Do you have a benchmark study?
yes
Please attach here benchmark.pdf
no
Please explain:
8. Product Integration Test-Drive Preparation
To certify your integration, SAP requires the following documentation to be e-mailed to the assigned SAP consultant a week before the Test-Drive day, or to be present at the Test-Drive day at the latest.
8.1 Available Documentation
Functional Documentation yes
Installation Documentation yes
Maintenance Documentation yes
End User Documentation yes
You should describe how the final test of your product integration can be done during a Test-Drive at SAP. The test cases should show the usage of all above listed integration technologies and APIs. SAP will ask you to initiate maximum tracing capabilities to verify the used calls. You should prepare the necessary test data in the SAP test&demo systems before testing.
8.2 Describe test steps to be executed during Test-Drive
1 | Enumerating open ports and System Numbers on scanned IP | Identified Gateway port and System number
2 | Testing authentication by JCO ping() | Authentication successful. User exists in the system.
3 | /ERPSCAN/ZRFC_READ_TABLE checks executed | /ERPSCAN/ZRFC_READ_TABLE function successfully executed at SAP and data transferred to ERPScan.
4 | /ERPSCAN/ZGET_PROFILE_PAR checks executed | /ERPSCAN/ZGET_PROFILE_PAR function successfully executed at SAP and system parameters transferred to ERPScan.
5 | SXPG_CALL_SYSTEM checks executed | SXPG_CALL_SYSTEM function successfully executed at SAP and data from files transferred to ERPScan.
6 | Creating the project in the scanner | Project successfully created
7 | Running HTTP checks for ICF services | HTTP GET requests were sent to SAP ICF and responses transferred to ERPScan
8 | Running HTTP with delays | HTTP GET requests were sent to SAP ICF with time delays and responses transferred to ERPScan
Test Result 8.2.1:
Test Result 8.2.2:
Test Result 8.2.3:
Test Result 8.2.4:
Test Result 8.2.5:
Test Result 8.2.6:
Test Result 8.2.7:
Test Result 8.2.8:
SAP requires performance load testing to be included during the Test Drive. These performance load test cases will determine if the product can handle a pre-defined number of users or amount of data without running out of resources or having transactions suffer excessive delay.
8.3 Describe performance load test steps to be executed during Test-Drive
8.3.1 | Running the scan process directed to the SAP system. During the scan the resources on a SAP server are monitored | The scan process requires minimal system resources
8.3.2 | Running the scan process directed to the SAP system. During the scan network traffic between SAP server and ERPScan server is monitored | No excessive traffic is monitored
Test Result 8.3.1:
Test Result 8.3.2:
9. Additional Comments
Please feel free to add comments here regarding e.g. special techniques you use.
10. Vendor Confirmation
Vendor states that by following the guidelines of the ICC Integration Assessment or ICC
Integration Guide, only the integration technologies listed in this document and in the Technical
Product Profile are used in the described interface software.
Certification is only valid for the SAP release and vendor product release noted in this document;
in the event of SAP component or third-party product release changes SAP offers re-certification
of the interface software.
General Remarks:
Product certified yes no conditional