Thursday 31 January 2013

10 things you need to know to become an SAP Security Forensic Consultant


The following is a list of the top 10 security topics that any SAP Security Forensic Consultant must know, or at least understand conceptually. I know it's not easy for anyone to master all of these topics, but a conceptual understanding is still required.

1. Fundamentals and objectives of system security
     Authentication and Encryption
2. Awareness of Data Protection Acts, Information Security, International/National/State level Compliance Regulations etc.
3. Network basics
     Communication, TCP/IP, ports
     Routing, firewalls, proxies, SAProuter
4. Security in the SAP system
     Authentication and passwords
     Auditing as intrusion detection
     RFCs, trusted RFCs, RFC destinations
     Encryption, SNC
     Backdoor Access protection

5. Cryptography basics, PKI, TCS, digital signatures, Tokens
6. SAP NetWeaver Application Server, ICM
     Encryption, SSL, SNC
     Authentication, certificates, Single Sign-On
7. Some understanding of the RSA Security Solution (SAP itself uses this), logon tickets, X.509, SSL

8. Understanding of the SAP GRC Access Controls Suite, mainly the Risk Analysis & Remediation and Super User Privilege Management tools.

9. Understanding of Database Security, SAP Portal, HR, BW, eCATT Security

10. Knowledge of concepts like keyloggers, spoofing, SAP GUI Scripting, macros, application decompilation, e-mail security and archiving; you should at least be aware of stealth programs.
Source: http://amudee.com

Monday 28 January 2013

Apply SAP License

You have to apply the SAP license after completing your SAP installation.

Below are the steps to apply the SAP license from the Windows command prompt.

You can apply your SAP License Key from tcode SLICENSE or via command prompt.

  1. Request a license key from the SAP Marketplace
  2. Log in as <SID>ADM (e.g. qasadm) to apply the license from the command prompt; otherwise it will not work
  3. Open a command prompt and enter the command saplicense -show if you wish to see the current license (mostly it will be a temporary license, valid for 30 days by default)
  4. Or enter saplicense -install; you will be asked to enter the System ID
  5. It will ask you to enter your System Number; leave it blank if you don't have a system number, as it's not mandatory
  6. Now you will be asked to enter your hardware key (you get the hardware key from the saplicense -get command)
  7. The system will ask you to enter your installation number
  8. Enter your expiration period in the format [yyyymmdd]
  9. Now enter your SAP license key, which you received from the SAP Marketplace
  10. The SAP license key is now successfully installed
  11. Check your installed license key using the command saplicense -show if you wish to check the new license which you applied to your SAP system

Applying the SAP license with tcode SLICENSE is way better than using the command prompt, but as a Basis person you must know how to apply it from the command prompt as well.

In a later post we will see how to apply it using the GUI method.


Changing SID of SAP system



First, stop SAP - stopsap R3
DB Changes:-
Step 1:- Back up the control file to trace.
>sqlplus /nolog
>conn / as sysdba;
Connected.
>Alter database backup controlfile to trace;
The control file trace will be created at the following location:-
/oracle/ALD/saptrace/usertrace
Step 2:- Switch log files 4 times.
        Alter system switch logfile;
Step 3a:- Shut down the database.
        shutdown immediate;
Step 3b:- Stop the listener - #lsnrctl stop
Step 4:- Copy the trace file to the transfer location.

Step 5:- Change the file system locations.
/oracle/ALD/sapdata1 to /oracle/ED1/sapdata1
/oracle/ALD/saptemp1 to /oracle/ED1/saptemp1
/oracle/ALD/oraarch to /oracle/ED1/oraarch
/oracle/ALD/origlogA to /oracle/ED1/origlogA
/oracle/ALD/origlogB to /oracle/ED1/origlogB
(Create a ticket with the Linux team only for the above file system mount points,
and in the same ticket ask your Linux colleague to create 2 users, oraed1 and ed1adm,
the same as oraald and aldadm, with the same groups and permissions.)

As ALD is a directory inside the mount point /oracle, we do not need to change
the mount point; just rename the directory to the new SID name.
As /usr/sap/ALD is a directory inside the mount point /usr/sap, we do not need to change
the mount point; just rename the directory to the new SID name.
As ALD is a directory inside the mount point /sapmnt, we do not need to change
the mount point; just rename the directory to the new SID name.

Step 6a:- Make the changes in the trace file to create a new control file.
      Change the SID to the new ED1 and save the file with a .sql extension.
Step 6b:- Change the line "CREATE CONTROLFILE REUSE DATABASE "ED1" RESETLOGS  ARCHIVELOG" to "CREATE CONTROLFILE SET DATABASE "ED1" RESETLOGS  ARCHIVELOG" in the .sql file.

Step 7:- Change the entries in listener.ora and tnsnames.ora to the new SID.
/oracle/ALD/102_64/network/admin
Step 8:- Start the listener.
lsnrctl start
Step 9:- Rename the init<SID>.ora file to the new SID and change the SID and the control file location inside the init<SID> file.
Step 10:- Check and change the env variable files sapenv_<hostname>.csh and dbenv_<hostname>.csh of ora<SID> and <SID>adm.

Step 11:- Log in with oraed1.
>sqlplus /nolog
>conn / as sysdba;
>@/<New Control file location>/controlfile.sql
>ALTER DATABASE OPEN RESETLOGS;
R/3 Changes:-
Step 1:- Log in with <SID>adm, run R3trans -d, and correct the problem if it ends with an RC other than 0000.
Step 2:- Make the folder change.
Step 2a:- Check the links for the profile, global and exe directories, and correct them if needed.
Step 3:- Profile changes.
Change profile ALD_DVEBMGS00_keylabs to ED1_DVEBMGS00_keylabs. Make the SID changes inside all 3 profiles.
Step 4:- Change the sapms<SID> entries in the /etc/hosts and /etc/services files.
Step 5:- Start SAP.


The above steps are for the Linux platform with Oracle.
Source http://ilovebasis.blogspot.in/2012/01/procedure-for-changing-sid-of-sap.html
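
Steps 6a and 6b of the DB changes can be scripted instead of edited by hand. The following is an added example, not part of the original post or its source: it rewrites a constructed sample trace from ALD to ED1, switches REUSE to SET, and checks that no reference to the old SID remains. The function names and the sample trace contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: steps 6a/6b applied to a control file trace (ALD -> ED1).
# Helper names are hypothetical; the trace below is constructed sample input.

# rewrite_trace OLD NEW FILE: print FILE with the old SID replaced in the
# database name and in /oracle/<SID>/ paths, and REUSE changed to SET.
rewrite_trace() {
    sed -e "s|/oracle/$1/|/oracle/$2/|g" \
        -e "s|DATABASE \"$1\"|DATABASE \"$2\"|" \
        -e 's|^CREATE CONTROLFILE REUSE DATABASE|CREATE CONTROLFILE SET DATABASE|' \
        "$3"
}

# statement_ok NEW FILE: succeed only if FILE holds the statement form from
# step 6b: CREATE CONTROLFILE SET DATABASE "<NEW>" RESETLOGS ...
statement_ok() {
    grep -Eq "^CREATE CONTROLFILE SET DATABASE \"$1\" +RESETLOGS" "$2"
}

# leftover_refs OLD FILE: print how many lines still mention the old SID.
leftover_refs() {
    grep -c "$1" "$2" || true
}

# Constructed sample trace (shortened; a real trace lists every data file).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cat > "$workdir/trace.trc" <<'EOF'
STARTUP NOMOUNT
CREATE CONTROLFILE REUSE DATABASE "ALD" RESETLOGS  ARCHIVELOG
    MAXLOGFILES 255
LOGFILE
  GROUP 1 '/oracle/ALD/origlogA/log_g11m1.dbf' SIZE 50M,
  GROUP 2 '/oracle/ALD/origlogB/log_g12m1.dbf' SIZE 50M
DATAFILE
  '/oracle/ALD/sapdata1/system_1/system.data1'
CHARACTER SET UTF8
;
EOF

rewrite_trace ALD ED1 "$workdir/trace.trc" > "$workdir/controlfile.sql"
if statement_ok ED1 "$workdir/controlfile.sql"; then
    echo "statement form OK"
fi
echo "old SID references left: $(leftover_refs ALD "$workdir/controlfile.sql")"
```

The same leftover_refs check can be pointed at listener.ora, tnsnames.ora, the init<SID>.ora file and the profiles after steps 7 to 10 to catch entries that still name the old SID.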

I am trying to do this on Windows with SQL DBA; let's see, and I will post all the steps in a later post.