Deploy the Azure Sentinel SAP data connector with SNC
This article describes how to deploy the Azure Sentinel SAP data connector when you have a secure connection to SAP via Secure Network Communications (SNC) for the NetWeaver/ABAP interface based logs.
The default, and recommended, process for deploying the Azure Sentinel SAP data connector uses an Azure VM. This article is intended for advanced users.
The Azure Sentinel SAP solution is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
The basic prerequisites for deploying your Azure Sentinel SAP data connector are the same regardless of your deployment method.
Make sure that your system complies with the prerequisites documented in the main SAP data connector deployment procedure before you start.
Other prerequisites for working with SNC include:
A secure connection to SAP with SNC. Define the connection-specific SNC parameters in the repository constants for the AS ABAP system you're connecting to. For more information, see the relevant SAP community wiki page.
The SAPCAR utility, downloaded from the SAP Service Marketplace. For more information, see the SAP Installation Guide.
For more information, see Azure Sentinel SAP solution detailed SAP requirements (public preview).
Create your Azure key vault
Create an Azure key vault that you can dedicate to your Azure Sentinel SAP data connector.
Run the following command to create your Azure key vault and grant access to an Azure service principal:
kvgp=<KVResourceGroup>
kvname=<keyvaultname>
spname=<sp-name>

# Optional when Azure MI is not enabled - create a service principal for the az CLI connection.
# The command output includes the client secret: save it for the env.list file and nowhere else.
az ad sp create-for-rbac --name $spname
spID=$(az ad sp list --display-name $spname --query "[0].appId" --output tsv)

# Create the key vault
az keyvault create \
  --name $kvname \
  --resource-group $kvgp

# Grant the service principal access to secrets (--spn takes the application ID captured above;
# --object-id would require the service principal's object ID instead)
az keyvault set-policy --name $kvname --resource-group $kvgp --spn $spID --secret-permissions get list set
For more information, see Quickstart: Create a key vault using the Azure CLI.
Add Azure Key Vault secrets
To add Azure Key Vault secrets, run the following script, with your own system ID and the credentials you want to add:
# Add the Log Analytics workspace ID
az keyvault secret set \
  --name <SID>-LOG_WS_ID \
  --value "<logwsid>" \
  --description SECRET_AZURE_LOG_WS_ID \
  --vault-name $kvname

# Add the Log Analytics workspace key
az keyvault secret set \
  --name <SID>-LOG_WS_PUBLICKEY \
  --value "<logwspubkey>" \
  --description SECRET_AZURE_LOG_WS_PUBLIC_KEY \
  --vault-name $kvname
For more information, see the az keyvault secret CLI documentation.
Deploy the SAP data connector
This procedure describes how to deploy the SAP data connector on a VM when connecting via SNC.
To deploy the SAP data connector:
On your data connector VM, download the latest SAP NW RFC SDK from the SAP Launchpad site > SAP NW RFC SDK > SAP NW RFC SDK 7.50 > nwrfc750X_X-xxxxxxx.zip.
You'll need your SAP user sign-in information in order to access the SDK, and you must download the SDK that matches your operating system.
Make sure to select the LINUX ON X86_64 option.
Create a new folder with a meaningful name, and copy the SDK zip file into your new folder.
Clone the Azure Sentinel solution GitHub repo onto your data connector VM, and copy the Azure Sentinel SAP solution systemconfig.ini file into your new folder.
mkdir -p $HOME/sapcon/<sap-sid>/
cd $HOME/sapcon/<sap-sid>/
wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/template/systemconfig.ini
cp <nwrfc750X_X-xxxxxxx.zip> $HOME/sapcon/<sap-sid>/
Edit the systemconfig.ini file as needed, using the embedded comments as a guide.
You'll need to edit all configurations except for the key vault secrets. For more information, see Manually configure the SAP data connector.
Define the logs that you want to ingest into Azure Sentinel using the instructions in the systemconfig.ini file.
For example, see Define the SAP logs that are sent to Azure Sentinel.
Relevant logs for SNC communications are only those logs that are retrieved via the NetWeaver / ABAP interface. SAP Control and HANA logs are out of scope for SNC.
Define the following configurations using the instructions in the systemconfig.ini file:
- Whether to include user email addresses in audit logs
- Whether to retry failed API calls
- Whether to include cexal audit logs
- Whether to wait an interval of time between data extractions, especially for large extractions
For more information, see SAL logs connector configurations.
Save your updated systemconfig.ini file in the sapcon directory on your VM.
Download the pre-defined Docker image with the SAP data connector installed and create the container. Run the following from your sapcon/<sap-sid> directory, so that the configuration mount picks up your systemconfig.ini file; the second mount exposes the directory that will hold the SAP Cryptographic Library and your PSE, and SECUDIR must point to its path inside the container:
docker pull mcr.microsoft.com/azure-sentinel/solutions/sapcon:latest-preview
docker create -v $(pwd):/sapcon-app/sapcon/config/system \
  -v /home/azureuser/sap/sec:/sapcon-app/sec \
  --env SECUDIR=/sapcon-app/sec \
  --name sapcon-<SID> \
  mcr.microsoft.com/azure-sentinel/solutions/sapcon:latest-preview
Post-deployment SAP system procedures
After deploying your SAP data connector, perform the following SAP system procedures:
Download the SAP Cryptographic Library from the SAP Service Marketplace > Software Downloads > Browse our Download Catalog > SAP Cryptographic Software.
For more information, see the SAP Installation Guide.
Use the SAPCAR utility to extract the library files, and deploy them to your SAP data connector VM, in the <sec> directory that you mounted into the container (/home/azureuser/sap/sec in the example above).
Verify that you have permissions to run the library files.
Define an environment variable named SECUDIR, with a value of the full path to the <sec> directory.
Create a personal security environment (PSE). The sapgenpse command-line tool is available in your <sec> directory on your SAP data connector VM.
./sapgenpse get_pse -p my_pse.pse -noreq -x my_pin "CN=sapcon.com, O=my_company, C=IL"
For more information, see Creating a Personal Security Environment in the SAP documentation.
Create credentials for your PSE. For example:
./sapgenpse seclogin -p my_pse.pse -x my_pin -O MXDispatcher_Service_User
For more information, see Creating Credentials in the SAP documentation.
Exchange the public-key certificates between the data connector's PSE and the AS ABAP's SNC PSE. The SAP documentation describes this exchange for the Identity Center; here the data connector's PSE plays that role.
For example, to export the data connector's public-key certificate from its PSE, run:
./sapgenpse export_own_cert -o my_cert.crt -p my_pse.pse -x my_pin
Import this certificate into the AS ABAP's SNC PSE, export the AS ABAP's own SNC certificate from that PSE, and then import it into the data connector's PSE. The AS ABAP's SNC name (its certificate DN, prefixed with p:) is the value you will later store as the SNC partner name.
For example, to import the AS ABAP certificate into the data connector's PSE, run:
./sapgenpse maintain_pk -a full_path/my_secure_dir/my_exported_cert.crt -p my_pse.pse -x my_pin
For more information, see Exchanging the Public-Key Certificates in the SAP documentation.
Edit the SAP data connector configuration
On your SAP data connector VM, navigate to the systemconfig.ini file and define the following parameters with the relevant values:
[Secrets Source]
secrets = AZURE_KEY_VAULT
In your Azure key vault, generate the following secrets:
- <Interprefix>-ABAPSNCPARTNERNAME, where the value is the SNC name of the AS ABAP: the relevant DN details, prefixed with p:
- <Interprefix>-ABAPSNCLIB, where the value is the path to the SAP Cryptographic Library as seen from inside the container (the relevant directory you mounted as /sapcon-app/sec)
- <Interprefix>-ABAPX509CERT, where the value is the data connector's certificate as base64 text, that is, the PEM body without the BEGIN and END lines (the relevant certificate code)
For example:
S4H-ABAPSNCPARTNERNAME = 'p:CN=help.sap.com, O=SAP_SE, C=IL' (Relevant DN)
S4H-ABAPSNCLIB = '/sapcon-app/sec/libsapcrypto.so' (Relevant library path inside the container)
S4H-ABAPX509CERT = 'MIIDJjCCAtCgAwIBAgIBNzA ... NgalgcTJf3iUjZ1e5Iv5PLKO' (Relevant certificate code)
By default, the <Interprefix> value is your SID, such as S4H in the example above.
If you're entering secrets directly into the configuration file instead of using a key vault, define the parameters as follows (note that the certificate then sits in plain text in systemconfig.ini, so restrict the file's permissions accordingly):
[Secrets Source]
secrets = DOCKER_FIXED

[ABAP Central Instance]
snc_partnername = <Relevant_DN_Details>
snc_lib = <lib_Path>
x509cert = <Certificate_Code>
For example:
snc_partnername = p:CN=help.sap.com, O=SAP_SE, C=IL (Relevant DN)
snc_lib = /sapcon-app/sec/libsapcrypto.so (Relevant library path inside the container)
x509cert = MIIDJjCCAtCgAwIBAgIBNzA ... NgalgcTJf3iUjZ1e5Iv5PLKO (Relevant certificate code)
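The three SNC secrets above are easy to get subtly wrong: the certificate must be the bare base64 body with no PEM armor or line breaks, and the partner name must carry the p: prefix. The following script is an added example, not code from the Azure Sentinel docs or the sapcon image; it derives the three values from a PEM certificate exported with sapgenpse export_own_cert and pushes them to Key Vault with the az CLI under the <SID>-ABAPSNCPARTNERNAME, <SID>-ABAPSNCLIB and <SID>-ABAPX509CERT names the page uses. The function names, the default library path (/sapcon-app/sec/libsapcrypto.so, matching the docker mount above) and the assumption that you are already logged in with az and have set permissions on the vault are mine.

```shell
#!/bin/sh
# Added example (not from the Azure Sentinel SAP docs): derive and push the SNC
# secrets the connector reads from Key Vault.
# Assumptions: the PSE certificate was exported as PEM with sapgenpse, the
# library is mounted at /sapcon-app/sec inside the container, and `az login`
# has already been done with rights to set secrets on the vault.

# Strip the PEM armor and all line breaks: the x509cert value is the bare
# base64 body, as in the "MIIDJjCC..." example above.
pem_to_x509cert() {
    sed -e '/^-----BEGIN /d' -e '/^-----END /d' "$1" | tr -d '\r\n '
}

# Ensure the SNC partner name carries the "p:" prefix exactly once.
snc_name() {
    case "$1" in
        p:*) printf '%s' "$1" ;;
        *)   printf 'p:%s' "$1" ;;
    esac
}

# Sanity check of the partner name: must be prefixed and contain a CN= attribute.
check_snc_name() {
    case "$1" in
        p:*CN=*) return 0 ;;
        *)       return 1 ;;
    esac
}

# push_snc_secrets <SID> <key vault name> <AS ABAP DN> <cert.pem> [lib path]
push_snc_secrets() {
    sid=$1; kv=$2
    dn=$(snc_name "$3")
    lib=${5:-/sapcon-app/sec/libsapcrypto.so}
    check_snc_name "$dn" || { echo "bad SNC partner name: $dn" >&2; return 1; }
    [ -r "$4" ] || { echo "cannot read certificate file: $4" >&2; return 1; }
    cert=$(pem_to_x509cert "$4")
    [ -n "$cert" ] || { echo "no certificate body found in $4" >&2; return 1; }
    az keyvault secret set --vault-name "$kv" --name "$sid-ABAPSNCPARTNERNAME" --value "$dn" >/dev/null || return 1
    az keyvault secret set --vault-name "$kv" --name "$sid-ABAPSNCLIB" --value "$lib" >/dev/null || return 1
    az keyvault secret set --vault-name "$kv" --name "$sid-ABAPX509CERT" --value "$cert" >/dev/null || return 1
    echo "secrets $sid-ABAPSNCPARTNERNAME, $sid-ABAPSNCLIB and $sid-ABAPX509CERT set in $kv"
}

# usage: sh snc_secrets.sh push S4H my-kv "CN=help.sap.com, O=SAP_SE, C=IL" my_cert.crt
if [ "${1:-}" = "push" ]; then
    shift
    push_snc_secrets "$@"
fi
```

Run it from the <sec> directory where my_cert.crt was written; if the partner DN you pass lacks the p: prefix the script adds it, and a DN without a CN attribute is rejected before anything is written to the vault.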
Attach the SNC parameters to your user
In the SAP system (via SAP GUI), call transaction SM30 and select the table to maintain.
Add a new entry. In the User field, enter the communication user that's used to connect to the ABAP system.
Enter the SNC name when prompted. The SNC name is the unique distinguished name of the PSE you created for the data connector. For example:
CN=IDM, OU=SAP, C=DE
Make sure to prefix the SNC name with p: so that the entry reads, for example:
p:CN=IDM, OU=SAP, C=DE
SNC is enabled on your data connector VM.
Activate the SAP data connector
This procedure describes how to activate the SAP data connector using the secured SNC connection you created using the procedures earlier in this article.
Start the container:
docker start sapcon-<SID>
Check the connection. Run:
docker logs sapcon-<SID>
If the connection fails, use the logs to understand the issue.
If you need to, stop the container:
docker stop sapcon-<SID>
For example, issues may occur because of a misconfiguration in the systemconfig.ini file, or in your Azure key vault, or some of the steps for creating a secure connection via SNC weren't run correctly.
Try performing the steps above again to configure a secure connection via SNC. For more information, see also Troubleshooting your Azure Sentinel SAP solution deployment.
After your SAP data connector is activated, continue by deploying the Azure Sentinel - Continuous Threat Monitoring for SAP solution. For more information, see Deploy SAP security content.
Deploying the solution enables the SAP data connector to display in Azure Sentinel and deploys the SAP workbook and analytics rules. When you're done, manually add and customize your SAP watchlists.