Certificate SAP INTEGRATION CERTIFICATION


Certificate
SAP INTEGRATION CERTIFICATION

SAP AG hereby confirms that the interface software for the product EPSCAN Security Monitoring Suite 2.2 of the company EPScan has been certified for integration with SAP ECC 6.0 based on ICC Integration Assessment in SAP NetWeaver. This certificate confirms the existence of product features in accordance with SAP certification procedures. It does not guarantee that the product is error-free. The certification test is documented in report no and expires June 21,

Vendor Hardware: x86_64 platform
Vendor Operating System: Ubuntu Linux
SAP Test System: SAP NetWeaver 731
Used Integration Tools: none

This configuration meets the requirements for connecting EPSCAN Security Monitoring Suite 2.2 to SAP NetWeaver.

Certified Functions:
o Identified Gateway port and System number
o Testing authentication by JCO
o SAP table data transferred to EPScan
o SAP profile and system parameters transferred to EPScan
o SAP system check performed
o Running HTTP checks

Walldorf, June 21, 2013
Mr. Jürgen Bierlein, SAP AG

SAP, R/3, and SAP NetWeaver are registered trademarks of SAP AG Germany. All other names are registered or unregistered trademarks of the individual firms.

Interface Certification
ICC Integration Assessment
Test Report
Version 1.0
SAP Integration and Certification Center

ICC INTEGRATION ASSESSMENT - TEST REPORT FOR INTERFACE CERTIFICATION

2013 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. All other product and service names mentioned are the trademarks of their respective companies. Please refer to Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

Interface Certification #
SAP Interface incl. Release: ICC Integration Assessment
SAP Product incl. Release used for test: SAP NetWeaver 731
Hardware used for SAP test system: x86_64 platform
Operating System of SAP test system: Windows
Name of Vendor: EPScan
Vendor Number (SAP internal):
Vendor Product Name: EPSCAN Security Monitoring Suite
Release Vendor Product: 2.2
Vendor Product Number (SAP internal):
Vendor Interface Software Name:
Release Vendor Interface Software:
Hardware used for Vendor Test System: x86_64 platform
Operating System of Vendor Test System: Ubuntu Linux LTS
Tools used for the technical integration: none
Certification Date: June 21, 2013
Expiration Date: June 21, 2016
Location: Walldorf
Persons present - Vendor: Mr. Alexander Polyakov
Persons present - SAP: Mr. Jürgen Bierlein

Certified Functions:
o Identified Gateway port and System number
o Testing authentication by JCO
o SAP table data transferred to EPScan
o SAP profile and system parameters transferred to EPScan
o SAP system check performed
o Running HTTP checks

1. Software Solution Provider (SSP) Information

Company and product information

SSP Name: EPScan
SAP Assigned SSP Number: Prefilled with SAP data
SSP Product Name: EPSCAN Security Monitoring Suite
Version / Release of SSP Product: 2.2
SAP Assigned Product Number: Prefilled with SAP data
Interface Software Name: EPScan connector
Interface Software Version: 2.0
Product web page:

Which releases of the SAP Business Solutions are supported by your software? Check exactly one release. If your product supports multiple releases, please fill out one document per SAP release. Please name the corresponding version of your software.
SAP ECC 6.0 EHP Any. Corresp. version of your software: 2.2
SAP R/3 Enterprise 4.7. Corresp. version of your software:
other. Corresp. version of your software:

For which databases is your software available?
MySQL is used for internal needs of the software

What operating system(s) does your software support?
Linux x86, Linux x64, Windows x86, Windows x64. Vendor product is written in Java and therefore platform independent, but there are constraints regarding additional software, e.g. Tomcat. Vendor has a list of supported operating systems.

2. Functional Overview

Supported Functions and Business Processes

General Description
Please give a broad overview on the functionality and the purpose of your product. You should stress the benefits for the customer in this section. You may want to elaborate why your product is complementary to the SAP Business Solution, if applicable.

EPScan Security Monitoring Suite for SAP is an innovative product for integrated assessment of SAP platform security and standard compliance. The system enables conducting complex security assessment while scanning SAP servers for software vulnerabilities, misconfigurations, critical authorizations, and performs assessment for compliance to current standards and best practices including SAP best practices.

The current version of the scanner has the following functions:

Instrumentality for necessary data receive:
o Security configuration;
o Access Control;
o Vulnerabilities.

Instrumentality for received data analysis:
o Standard compliance;
o Risk analysis;
o Security metrics.

The key benefit of the system is in its ability not only to enhance security but also to decrease TCO because of the benefits described below.

Business benefits
o Reduction in expenses on the security assessment
o Reduction in training expenses
o Protection against remote hacker attacks
o Protection against insider attacks

3. Business Processes

Business Processes and Their Implementation

The product is not intended to implement any business process. It's a security scanner for the SAP system itself, providing quick information on misconfiguration, patch management, critical access rights and vulnerabilities. Also the product can be used to check if the system complies with SAP and ISACA recommendations. With the vendor product the customer has no option to use an exploit to get unprivileged access to an SAP landscape.

4. Product Implementation

Programming Languages, Namespaces

What programming languages or tools do you use to implement your product (multiple selections possible)?
ABAP Development Workbench
C/C++
Java/J2EE/EE 5 (standalone Java app)
Microsoft.NET -
SQL-Tools. Provide name(s):
Others. Provide name(s): Adobe Flex, SAP JCo

Do you have SAP Software license?
SAP Application developer license
SAP NetWeaver developer license
SAP Test and Demo license
Provide Installation number:

If you use the ABAP Development Workbench, do you develop in the customer namespace or do you use a partner namespace?
Customer namespace
Partner namespace. Please provide name: EPSCAN

Do you use the Add-On Assembly Kit (AAK) for checking and delivering your software to customers? no

Do you use your own tables within the R/3 database (which are not defined by using the R/3 data dictionary)? no
Name tables and location:

Do you modify SAP programs? no

Do you use SAP NetWeaver Developer Studio?
Do you use the Java Development Infrastructure (JDI)?
For Java application (J2EE/EE 5). Note: SAP currently doesn't support JDK 6
no
SAP NetWeaver 7.0
SAP NetWeaver CE 7.1
Use namespace
no
Package EAR file to SAP SCA (Software Component Archive) file
JDK version supported:
J2EE/EE 5 specifications adhere to:

6. Integration Technology

6.1 Use of SAP's Integration Technologies

What SAP integration technologies do you use to integrate your product with the SAP Business Solutions?

SAP Enterprise Services
SAP Business Application Programming Interfaces (BAPIs):
Remote Function Call (RFC):
If you use RFC, what type of functions do you use?
SAP released RFCs
Self-developed RFCs
SAP Intermediate Documents (IDocs) via EDI or Application Link Enabling (ALE).
If you use IDocs, what type of IDocs do you use?
SAP released IDocs
Extended or self-developed IDocs
SAP Documented Interface, e.g. SAP BO API, or the SAP DBA monitoring interface:
Please provide name of interface documentation:
SAP Internet Application Components (IACs) and Internet Transaction Server (ITS) and / or other internet enabling technologies:
Business Transaction Events (BTEs, Open FI):
SAP Workflow:
SAP Automation for alternate front-ends (intelligent terminal):
Others (e.g. Batch Data Communication, Direct Input, Data Migration Reports):
SAP extensions (e.g. User Exits, Customer Exits, Business Add-Ins (BADIs)):
Please provide details: HTTP connections

6.2 Complete List of Used ES / BAPIs / RFCs / IDocs / other SAP APIs

Please list all items of SAP integration technologies in detail.

Example:
Enterprise Services: User-friendly name / Technical Name: SupplierSimpleByNameAndAddressQueryResponse_In (ECC_SUPPLIERSNAQR)
BAPIs: SalesOrder.Simulate SalesOrder.GetStatus...
RFCs: BANK_KEY_CHECK...
IDocs/Message (from SAP): ORDERS01/ORDERS CREMAS01/CREMAS...
IACs: Available to Promise on the Internet (SD-BF-AC)
SAP Standard Reports for data migration: RIIBIP00...
CMOD exit/enhancement: CUBX0001-Configuration: determine superior material...
BADIs/BTEs: BOM_UPDATE...

Name of ES/BAPI/RFC/IDoc/Message/etc. (Using the provided format for each type):
/EPSCAN/ZRFC_READ_TABLE
/EPSCAN/ZGET_PROFILE_PA
SXPG_COMMAND_EXECUTE
RFC_PING (Automatically while using JCo function ping())
/EPSCAN/ZSYSTEM_RESET_RFC_SERVER

Status 1: S S N S

1 R: Released, N: not released, S: self developed

7. Performance

SAP requires the vendor to provide what the performance capabilities are and demonstrate that performance and overall quality will meet the operational requirements of the product.

7.1 Performance and Scalability

Please give a description of the architecture and design of the product, including performance and scalability.

The system's architecture is based on cross-platform development, multi-user model, and thin client. User-friendly client-server architecture, the thin client based on Adobe Flex, allows managing the scanner without installing any additional software, using any browser that supports Flash, while multi-platform server engine developed on Java enables operation on any OS.

Scan scheme
To receive data from an SAP server, the scanner uses a special EPScan account, which is created in every client beforehand with the rights to read a set of tables needed for the analysis. Data is transferred from the server via RFC using standard functional modules. After that, the system processes the received data with respect to various criteria and creates reports.

Architecture
The system consists of the following components:
Server:
o DBMS (MySQL);
o Application server (Apache Tomcat);
o Static WEB server (Nginx).
Client:
o Any browser which supports Flash.

Interaction with the server is implemented via HTTP using any browser that supports Flash. The server can be installed on any OS that supports Java. The recommended operating systems are Windows XP/7 and Linux Ubuntu.

7.2 Quality Assurance

Please give a description of your internal Quality Assurance procedures to assure that the interface design and performance consistently conform to specified requirements.

The quality assurance process in EPSCAN is based on the best world standards like ISO. The implemented system of quality management and control over the project is carried out as follows:

[Figure: organization chart with the boxes Development, Quality assurance dept., Project supervisor, Quality assurance manager, Project manager, Quality assurance engineer, Software engineers, Beta-testers, Deployment manager]

Do you have a test plan? Please attach here Test Plan.pdf no Please explain:
Do you have a test report? Please attach here Test report.pdf no Please explain:
Do you have a benchmark study? Please attach here benchmark.pdf no Please explain:

8. Product Integration Test-Drive Preparation

To certify your integration, SAP requires the following documentation to be ed to the assigned SAP consultant a week before the Test-Drive day, or to be present at the Test-Drive day at the latest.

8.1 Available Documentation

Functional Documentation
Installation Documentation
Maintenance Documentation
End User Documentation

You should describe how the final test of your product integration can be done during a Test-Drive at SAP. The test cases should show the usage of all above listed integration technologies and APIs. SAP will ask you to initiate maximum tracing capabilities to verify the used calls. You should prepare the necessary test data in the SAP test&demo systems before testing.

8.2 Describe test steps to be executed during Test-Drive

1 Enumerating open ports and System Numbers on scanned IP
  Identified Gateway port and System number
2 Testing authentication by JCO ping()
  Authentication successful. User exists in the system.
3 /EPSCAN/ZRFC_READ_TABLE checks executed
  /EPSCAN/ZRFC_READ_TABLE function successfully executed at SAP and data transferred to EPScan.
4 /EPSCAN/ZGET_PROFILE_PA checks executed
  /EPSCAN/ZGET_PROFILE_PA function successfully executed at SAP and system parameters transferred to EPScan.
5 SXPG_CALL_SYSTEM checks executed
  SXPG_CALL_SYSTEM function successfully executed at SAP and data from files transferred to EPScan.
6 Creating the project in the scanner
  Project successfully created
7 Running HTTP checks for ICF services
  HTTP GET requests were sent to SAP ICF and responses transferred to EPScan
8 Running HTTP with delays
  HTTP GET requests were sent to SAP ICF with time delays and responses transferred to EPScan

Test Result 8.2.1:
Test Result 8.2.2:

Test Result 8.2.3:
Test Result 8.2.4:

Test Result 8.2.5:
Test Result 8.2.6:

Test Result 8.2.7:
Test Result 8.2.8:

SAP requires to include the performance load testing during Test Drive. These performance load test cases will determine if the product can handle a pre-defined number of users or amount of data without running out of resources or having transactions suffer excessive delay.

8.3 Describe performance load test steps to be executed during Test-Drive

Running the scan process directed to the SAP system. During the scan the resources on a SAP server are monitored
  The scan process requires minimal system resources
Running the scan process directed to the SAP system. During the scan network traffic between SAP server and EPScan server is monitored
  No excessive traffic is monitored

Test Result 8.3.1:

Test Result 8.3.2:

9. Additional Comments

Please feel free to add comments here regarding e.g. special techniques you use.

10. Vendor Confirmation

Vendor states that by following the guidelines of the ICC Integration Assessment or ICC Integration Guide, only the integration technologies listed in this document and in the Technical Product Profile are used in the described interface software. Certification is only valid for the SAP release and vendor product release noted in this document; in the event of SAP component or third-party product release changes SAP offers re-certification of the interface software.

General Remarks: Product certified no conditional