S 5.127 Protection of the SAP Internet Connection Framework (ICF)

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

The Internet Connection Framework (ICF) of an SAP system permits HTTP-based access to the functions of the ABAP stack. In addition, the ICF also supports the Simple Mail Transport Protocol (SMTP). Various services can be requested. The services are arranged hierarchically in a tree structure similar to that of a file system. The HTTP access path (URL path section) is determined by the path in the tree structure. The SICF transaction is used to administer the ICF.

The recommendations listed in the following should be taken into consideration in terms of the ICF.

References to SAP documentation can be found in S 2.346 Use of the SAP documentation.

Active ICF services

Only the services needed should be enabled. The function of each enabled service should be known. It is recommended to make a brief note of which functions are offered by each service and if it is permitted to enable the corresponding service.

All ICF services are disabled after installing an SAP system. However, it is recommended to check this. This should also be checked after having installed updates and new ICF services as well.

The ability to enable the entire ICF tree hierarchy appended below an ICF object all at once should not be used. Services should only be enabled individually.

SSL protection

Access to each ICF service can be configured individually to specify if the communication performed while accessing the service needs to be protected using SSL. It is generally recommended in this case (see S 5.125 Protection of communication with SAP systems) to enable SSL for all services to protect the data transmitted against unauthorised reading. Since the subtree of an IFC object inherits its properties, it is only necessary to modify the configuration of the root node.

Authenticated accesses

For each ICF service, it is necessary to define which authentication mechanism is allowed to be used to obtain access to the service. This applies especially to software developed in-house.

In general, it is recommended to use the following configuration for user authentication:

• Anonymous login data: do not enter any values.
• Security requirement: SSL
• Basic authentication: standard SAP user

If anonymous access to services is to be permitted, login information must be specified under "Anonymous login data". All anonymous accesses are obtained using the user entered here in this case. However, only technical users of the service type should be used for this purpose. Dialogue users should not be used here.

It must be taken into consideration that the login data defined for an ICF object for anonymous access also applies to all objects in its subtree. The login data (e.g. client, user, language) defined for each of the various objects located in the path through the tree to a certain object may also overlap.

In general, the normal check of the authorisation objects used by the application is always performed after calling the ICF service (e.g. a business server pages application or BSP).

ICF administration

The SICF (ICF Service Administration) and SMICM (ICF Monitor) administrative transactions must be protected against unauthorised access (authorisation object: S_TCODE).

In productive systems, functions allowing the logging of detailed records of the client requests (e.g. debugging, trace, runtime analysis, and recorder tools) should not be used. Error situations should be examined on the test and approval system.

ICF access authorisations

The persons accessing the ICF services should not have simultaneous access to the SAP system using the dialog interface (SAPgui) so that each person can be associated with a specific service user.

Authorisation to access the ICF services should be granted restrictively. Authorisation object S_ICF is used as the basis for the authorisation check. The following configuration must be used to control access to the ICF services:

• The ICF_FIELD field must be set to the value "SERVICE".
• The ICF_VALUE field must contain the character string entered in the corresponding ICF service under "Service Data/Service Options/SAP Authorisation". If the same character string is entered for several services, access to all of this services can be controlled using a single authorisation (see also S 4.263 Protection of SAP destinations).

Information on error pages

The error pages of ICF services should not contain any internal information. This applies especially to services created in-house.

Review questions:

• Have only the required ICF services been enabled in the SAP system?
• Is the function of each enabled ICF service in the SAP system documented and are checks as to whether it may be enabled performed?
• Are checks as to whether no undesired ICF services have been enabled performed upon completion of the installation of updates or new ICF services in the SAP system?
• Is detailed logging of client requests in the productive SAP system avoided and are error situations examined in the test and/or approval system instead?
• Have the access authorisations to IFC services been assigned restrictively in the SAP system?