Guide - Setup For SAP NetWeaver 740 SP5

The document discusses Unified Connectivity (UCON), which aims to enhance RFC security by blocking access to function modules that are not needed. It explains that UCON reduces the number of exposed function modules to only those needed for a customer's business scenarios. The setup and configuration of UCON is described as a simple three phase process of logging function module calls, evaluating the logs, and enabling runtime access checks.


Unified Connectivity (UCON)

Overview
July 2014 Public
Disclaimer

This presentation outlines our general product direction and should not be relied on in making a
purchase decision. This presentation is not subject to your license agreement or any other agreement
with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This presentation and SAP's
strategy and possible future developments are subject to change and may be changed by SAP at any
time for any reason without notice. This document is provided without a warranty of any kind, either
express or implied, including but not limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP intentionally or grossly negligent.

© 2014 SAP SE or an SAP affiliate company. All rights reserved. Public 2


Agenda - UCON RFC Security Basic Scenario

Motivation and Scope

Basic Concepts

Coverage of New RFMs

How to Cope With the Restrictions of Productive Systems

Summary



UCON RFC Security Basic Scenario
Motivation and Scope
The Scope of UCON RFC Basic Connectivity

[Figure: RFC-based connectivity. High-performing; C for local high-load scenarios; across all ABAP releases; close integration into ABAP.]


UCON - A Simple Approach to Make RFC More Secure

Reduce the overall attack surface of your remote-enabled function modules (RFMs): enhance RFC security by blocking access to a large number of RFMs.

Facts:
• Most SAP ERP customers run just a limited number of business scenarios, and for those they need to expose only some RFMs.
• A lot of RFMs are only used to parallelize work within a system and never need to be reachable from outside.

Solution:
• Find out which RFMs need to be exposed for the scenarios of a customer.
• Block access to all other RFMs.


The Basic Strategy of UCON to Solve These Problems

Reduce the number of RFMs exposed to the outside world.

Expose only and exactly those RFMs a customer needs to run their business scenarios.

[Figure: 38,000 RFMs in SAP ERP (incl. SAP NetWeaver), versus the few hundred RFMs a typical SAP customer needs to expose for their business scenarios.]


UCON RFC Security Basic Scenario
Basic Concepts
The UCON Way to Security: Expose Only Those Function Modules You Need to the Outside World

[Figure: RFM 1 to RFM 11 in the system; only the subset assigned to the Default Communication Assembly (CA) is reachable from the outside world.]


UCON Checks Do Not Interfere with Calls Within the Same Client and System

[Figure: RFM 1, 3, 5, 7, ... in SAP Business Suite. Blocked for access from outside, but open for use in parallel RFC inside the same client in the same system.]


UCON - An Additional Role/User-Independent Layer of Security Checks

[Flowchart: a user tries to access an RFM.]
1. Is the RFM in a CA? If no: No Access.
2. Does the user have the authorization for the relevant CA? If no: No Access.
3. Otherwise: Access to the RFM.

The first check depends only on the CA assignment of the RFM, not on the calling user or their roles; the second is the existing authorization check.


UCON Setup and Configuration

It is simple to set up and configure Unified Connectivity (UCON):

1. Set the profile parameter ucon/rfc/active to 1. This switches on the UCON runtime checks; they only block calls to RFMs that have reached the final (check-active) phase, so RFMs in the logging and evaluation phases remain accessible.

2. Run the UCON setup to generate a default communication assembly (CA) and the other required entities.

3. Choose a suitable duration for the logging phase and for the evaluation phase.

4. Schedule the batch job SAP_UCON_MANAGEMENT, which selects the RFC statistic records required by the UCON phase tool and persists them on the database.


UCON RFC Security
Easy Customer Adoption in Three Steps

[Figure: three phases in sequence: (1) logging of RFMs called from outside, (2) evaluation/simulation, (3) runtime checks active.]


Phase 1
Logging of RFC Connectivity Data

Tool support to use solid information instead of unreliable data:
• Use a dedicated tool set to collect the information you need.

Identify the RFMs you need to expose to run your business scenarios:
• Collect aggregated statistic data on which RFMs are called in your system from outside.
• Over a time period you can choose.

At the end of phase 1, choose the RFMs you need and assign them to the Default CA:
• Based on the statistical records, you decide which RFMs should be accessible from outside and assign them to the CA.




Phase 2
Evaluation of the Data Logged

UCON should not interfere with productive customer scenarios:
• Use the evaluation phase (phase 2) to simulate the UCON runtime checks.
• Check the completeness of the RFMs you need to expose.
• Put the required RFMs into the Default CA.

Customizable duration of the evaluation phase:
• The duration of the evaluation phase depends on in-house experience and knowledge.

Check whether you have protected the right RFMs and make the necessary corrections.




Phase 3
The RFMs in the System Are Protected by UCON

UCON runtime checks are now active:
• Only RFMs in the Default CA are accessible from outside.
• RFMs that are not in the Default CA are now protected against any outside access.

Less than 5% of all RFMs need to be exposed in a typical customer system:
• Out of a total of 38,000 RFMs in an SAP ERP system, only a few hundred are required and exposed for productive customer connectivity.

Massive reduction of the RFC attack surface for the average customer system.


Prerequisites for the Different Security Layers

[Figure: layered view of access to RFMs. A call from outside passes the UCON runtime checks first and the S_RFC authorization checks second before it reaches the RFM.]


Efforts Required for the Different Security Layers

[Figure: the same layered view; UCON runtime checks as the outer layer and S_RFC checks as the inner layer between the caller and the RFMs.]


UCON Protection After the Initial UCON Security Classification

Check-Active Phase

[Figure: SAP Business Suite system. Blocked RFMs from the initial UCON set-up: 37,000++. Default CA (exposed RFMs): 100++. In addition: blocked or UCON-protected RFMs from other, new transports or installations.]


UCON RFC Security Basic Scenario
Coverage of New Remote-Enabled Function Modules
UCON Protection After Initial Security Classification

Check-active Phase

[Figure: protected/blocked RFMs on one side, exposed RFMs in the Default Communication Assembly on the other; development delivers new RFMs into the system.]


New RFMs Arrive at a UCON-Protected System

Check-active phase

[Figure: over time, new RFMs arrive from development via transports, SPs, EhPs, ...]


New RFMs on Their Way to UCON Protection – Logging Phase

New RFMs are automatically assigned to the logging phase.

[Figure: phase ladder. Logging phase: access allowed. Evaluation phase: access allowed. Check-active phase: access blocked (UCON protection) for RFMs not in the Default CA, access allowed for RFMs in it.]


New RFMs on Their Way to UCON Protection – Evaluation Phase

[Figure: the same phase ladder; the new RFMs have moved to the evaluation phase, where access is still allowed. Access is blocked (UCON protection) only in the check-active phase.]


New RFMs Have Achieved UCON Protection – Check-Active Phase

[Figure: the same phase ladder; the new RFMs have reached the check-active phase. Access from outside is blocked (UCON protection) for RFMs not in the Default CA and allowed for those in it.]


The Ever-Growing Scope of UCON Protection

[Figure: SAP Business Suite system. Blocked RFMs from the initial UCON set-up, plus blocked RFMs from other, new transports or installations, next to the Default CA.]


UCON RFC Security Basic Scenario
How to Cope With the Restrictions of Productive Systems
UCON and the Restrictions in a Productive System
Challenges

Authorizations and system change options in productive systems are not sufficient for UCON operations.

[Figure: PROD alone would have to do both the collection of RFC call statistics and UCON protection (with the UCON phase tool) and the assignment of relevant RFMs to the default CA and to the UCON phases.]


UCON and the Restrictions in a Productive System
Solution

Delegate UCON operations to DEV.

[Figure: DEV (UCON phase tool): assignment of relevant RFMs to the default CA and to the UCON phases. PROD (UCON phase tool): collection of RFC call statistics and UCON protection.]


UCON and the Restrictions in a Productive System
How to Delegate UCON Operations to DEV - Steps 1 to 3

[Figure: DEV and PROD, each running the UCON phase tool.]

1. Import the RFC call statistics from PROD to DEV (as a .csv file).

2. In DEV, assign the relevant RFMs to the default CA and to the next phase.

3. Transport the phase and CA assignment of the RFMs from DEV to PROD (R3Trans).


UCON and the Restrictions in a Productive System
How to Delegate UCON Operations to DEV in a Nutshell

[Figure: PROD (UCON phase tool) collects the RFC call statistics and enforces UCON protection. The RFC call statistics flow to DEV (UCON phase tool), where the relevant RFMs are assigned to the default CA and to the UCON phases. The phase and CA assignment of the RFMs flows back to PROD.]
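The three phases (logging, evaluation/simulation, check-active), the decision flow from the "Additional Role/User-Independent Layer of Security Checks" slide and the DEV/PROD delegation via an exported .csv can be modelled end to end: read the exported call statistics, drop calls within the same client of the same system (which UCON never touches), propose the Default CA from what was actually called from outside, then run the runtime decision against a phase assignment to see what the evaluation phase would flag and what the check-active phase would block. The following Python script is an added example, not code from the presentation or from SAP. The CSV columns, the sample rows, the system IDs (PRD, CRM, BWP) and the Z_* function names are constructed for this illustration; the real export format of the UCON phase tool is not described on the page.

```python
import csv
import io
from collections import Counter
from enum import Enum

# Constructed sample of aggregated RFC call statistics, standing in for the
# .csv that the page says is exported from PROD and imported into DEV.
# Column names, system IDs and the rows themselves are assumptions made for
# this example; the real UCON phase tool export format is not on the page.
SAMPLE_STATISTICS_CSV = """\
rfm,caller_sid,caller_client,callee_sid,callee_client,calls
BAPI_USER_GET_DETAIL,CRM,100,PRD,100,1532
BAPI_MATERIAL_GET_DETAIL,CRM,100,PRD,100,8811
RFC_READ_TABLE,PRD,100,PRD,100,40021
RFC_READ_TABLE,BWP,300,PRD,100,7
Z_PARALLEL_WORKER,PRD,100,PRD,100,250000
Z_LEGACY_EXPORT,PRD,200,PRD,100,3
"""

class Phase(Enum):
    LOGGING = 1        # calls from outside are allowed and recorded
    EVALUATION = 2     # calls are allowed; the UCON check is only simulated
    CHECK_ACTIVE = 3   # calls from outside to RFMs in no CA are blocked

def parse_statistics(text):
    """Read the CSV into a list of row dicts with an integer call count."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["calls"] = int(row["calls"])
        rows.append(row)
    return rows

def is_from_outside(row):
    """UCON only considers calls that cross a system or a client boundary.
    Parallel RFC inside the same client of the same system is never touched."""
    return (row["caller_sid"] != row["callee_sid"]
            or row["caller_client"] != row["callee_client"])

def external_call_counts(rows):
    """Phase 1 view: calls per RFM, counting only those that came from outside."""
    counts = Counter()
    for row in rows:
        if is_from_outside(row):
            counts[row["rfm"]] += row["calls"]
    return counts

def propose_default_ca(rows, min_calls=1):
    """End of phase 1: RFMs seen from outside at least min_calls times are
    the candidates for the Default CA; everything else stays blocked."""
    return {rfm for rfm, n in external_call_counts(rows).items() if n >= min_calls}

def ucon_decision(rfm, from_outside, phase_of, default_ca, has_s_rfc_auth):
    """One call through the two layers: the role/user-independent UCON CA
    check first, then the existing S_RFC authorization check. An RFM with no
    recorded phase is treated as new, i.e. in the logging phase.
    Returns ALLOW, ALLOW_LOGGED, ALLOW_SIMULATED_BLOCK, BLOCK_UCON or BLOCK_AUTH."""
    if from_outside and rfm not in default_ca:
        phase = phase_of.get(rfm, Phase.LOGGING)
        if phase is Phase.CHECK_ACTIVE:
            return "BLOCK_UCON"          # "RFM in no CA?" -> No Access
        ucon = "ALLOW_LOGGED" if phase is Phase.LOGGING else "ALLOW_SIMULATED_BLOCK"
    else:
        ucon = "ALLOW"                   # in the CA, or a call from inside
    if not has_s_rfc_auth:
        return "BLOCK_AUTH"              # the S_RFC layer still applies
    return ucon

def evaluation_report(rows, default_ca, phase_of):
    """Phase 2 completeness check: RFMs called from outside that are not in
    the Default CA and would be blocked once the checks are active, with
    their external call counts."""
    gaps = Counter()
    for row in rows:
        if not is_from_outside(row):
            continue
        verdict = ucon_decision(row["rfm"], True, phase_of, default_ca, True)
        if verdict in ("ALLOW_SIMULATED_BLOCK", "BLOCK_UCON"):
            gaps[row["rfm"]] += row["calls"]
    return dict(gaps)

def run_example(min_calls=10):
    """Walk the phases over the sample data and return the findings."""
    rows = parse_statistics(SAMPLE_STATISTICS_CSV)
    default_ca = propose_default_ca(rows, min_calls)
    # Phase 2: every RFM seen in the log is moved to the evaluation phase.
    phase_of = {row["rfm"]: Phase.EVALUATION for row in rows}
    return {
        "external_calls": dict(external_call_counts(rows)),
        "default_ca": sorted(default_ca),
        "evaluation_gaps": evaluation_report(rows, default_ca, phase_of),
    }

if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Two points the run makes visible. The 250,000 calls of the constructed Z_PARALLEL_WORKER never reach the CA proposal because they stay inside client 100 of PRD, which is exactly the parallel-RFC case the page says UCON leaves alone. And a threshold such as min_calls=10 turns the two low-count external callers into evaluation gaps: a low count is not proof that an RFM is unused (a month-end or year-end interface may only show up if the logging phase runs long enough), which is why the page leaves the duration of the logging and evaluation phases to you and why the evaluation phase exists before anything is blocked.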


UCON RFC Security Basic Scenario
Summary
UCON - Summary

It is simple to set up and configure Unified Connectivity (UCON)

• The UCON framework offers a simple, straightforward approach for enhancing the security of
your RFCs. It allows you to minimize the number of RFMs on ABAP-based servers exposed
to other clients and systems, reducing the available attack surface in your RFC
communications.

• The UCON phase tool guides and supports the administrator in the three-step setup and the
three-phased process.

• UCON covers new function modules entering the system via Support Packages,
Enhancement Packages, transports, or new developments.

• UCON is fully enabled for life-cycle management to ensure consistent RFC security
across your system landscape.



Get More Information

Community Network
Get more information, videos and updates
Unified Connectivity (UCON)
http://scn.sap.com/docs/DOC-53844

SAP NetWeaver Security Community


http://scn.sap.com/community/security



© 2014 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an
SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE
(or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark
information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its
affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or
SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing
herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or
release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future
developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any
reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking
statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue
reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

