Connection map

The Connection map report shows the connections between the SAP systems registered in Protect4S.

The connection types shown are:

  • Type 3 RFC destination: connections using the RFC protocol with authentication consisting of a named user and password, for instance the TMS transport connections.

  • Type T RFC destination: TCP/IP connections using the RFC protocol between the SAP system and a (registered) server program, for instance the executable sapxpg.

  • Type G & H destinations: connections to external systems using the HTTP(S) protocol, for instance to the HTTP port of a SAP JAVA based system.

  • SOAP webservices: connections using HTTP(S) protocol and logical ports to external systems, for instance connections between a SAP system and SAP Control agents.

  • ADBC connections: connections between SAP databases using the ADBC protocol.

The report is meant to make security staff aware of the different system connections that may exist between SAP systems and to show the Risk that these connections may pose.

The Risk of these connections is that malicious third parties may use them to jump from one infected SAP system to a new SAP system target. Since the Solution Manager contains connections to other SAP systems, it is an attractive target that enables the compromise of other systems in the SAP landscape.

Creating a new Connection Map

The report must first be run to create a new Connection Map. To do this, press the button “New” in the Connection map application. When you subsequently press the “Refresh” button, you will see that a new Connection map ID has been scheduled and is in progress.

Creating a new Connection map

The time to create a new Connection Map depends on the number of connections, the number of SAP systems registered and whether these systems are up and running.

After a while, the Connection Map ID status changes from “In progress” to “Completed” after which this map may be accessed by clicking on the “Display” icon from the row in the list.

Connection map display

The display shows the map that has been created. The display can be altered in various ways using the display settings:

Display Settings

The map consists of SAP System nodes connected by edges. The colours of the nodes and edges may be changed to indicate Risk, System Role, Connection type or System type. The nodes can be dragged with the mouse to another location in the map.

System overview

The System overview menu shows a list of systems. When a system is selected in the upper list, the various connections that it contains are shown in the lower list:

System overview

The connections are sorted on Risk and for each connection, the target hostname, instance number and associated user are shown. When the display button on the left is selected for one of these connections, a new screen shows the source and target system properties:

Source and Target System properties

When possible, the user authorisations and roles are shown after selecting the User Information Menu:

User Information

Connection overview

The connection overview shows the list of all connections associated with all SAP systems registered in Protect4S. In this overview, the Risk associated with the connection, source and target systems are shown:

Connection overview

When the display button on the left is selected for one of these connections, a new screen shows the source and target system properties (same as in System overview).

Risk value

The risk value of these connections depends on various factors:

  • whether the connection contains a userID and password.

  • whether the connection is from a non-Production system to a Production System.

  • whether the target system is a Production System.

  • whether the authorisations of the user contain SAP_ALL or admin roles.

  • for SOAP connections: whether the logical port facilitates Operating System access.

  • for type T RFC: whether the external server program name is "sapxpg" or "rfcexec".
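
The factors above can be checked against an exported connection list. The following Python code is an added example, not Protect4S code or its scoring method: it reports which factors apply to each connection without weighting them, and lists the production systems each system can reach through chains of connections that store credentials. System names, roles, field names and the sample connections are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample landscape; system names, roles and field names are assumptions.
ROLES = {"SOL": "production", "DEV": "development", "QAS": "test", "PRD": "production"}
CONNECTIONS = [
    {"src": "DEV", "dst": "QAS", "type": "3", "stored_user": True, "user_roles": ["Z_TMS"]},
    {"src": "QAS", "dst": "PRD", "type": "3", "stored_user": True, "user_roles": ["SAP_ALL"]},
    {"src": "SOL", "dst": "DEV", "type": "3", "stored_user": True, "user_roles": ["Z_MON"]},
    {"src": "PRD", "dst": "PRD", "type": "T", "program": "sapxpg"},
    {"src": "DEV", "dst": "PRD", "type": "H", "stored_user": False},
]

def risk_factors(conn, roles=ROLES):
    """Return the listed risk factors that apply to one connection (no weighting)."""
    found = []
    if conn.get("stored_user"):
        found.append("stored user and password")
    if roles[conn["dst"]] == "production":
        found.append("target is production")
        if roles[conn["src"]] != "production":
            found.append("non-production to production")
    # Admin role names differ per landscape, so only SAP_ALL is matched here.
    if "SAP_ALL" in conn.get("user_roles", []):
        found.append("user has SAP_ALL")
    if conn["type"] == "SOAP" and conn.get("os_access"):
        found.append("logical port allows OS access")
    if conn["type"] == "T" and conn.get("program") in ("sapxpg", "rfcexec"):
        found.append("external program " + conn["program"])
    return found

def reachable_production(start, connections=CONNECTIONS, roles=ROLES):
    """Production systems reachable from start over stored-credential connections."""
    graph = defaultdict(set)
    for c in connections:
        if c.get("stored_user") and c["src"] != c["dst"]:
            graph[c["src"]].add(c["dst"])
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(s for s in seen - {start} if roles[s] == "production")

if __name__ == "__main__":
    for c in CONNECTIONS:
        print(c["src"], "->", c["dst"], risk_factors(c))
    for system in ROLES:
        print(system, "reaches production:", reachable_production(system))
```

In the sample data, DEV has no stored-credential connection to PRD of its own, yet PRD is still reachable from it through QAS, which is why the chain and not only the single connection needs review.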

How to secure connections between different SAP systems

Our blog on this topic describes various ways to secure the connections between SAP systems: