
Ensure the Security of Documents Before They Enter Your SAP Systems — Built-In Virus Scanning Support in SAP NetWeaver

July 1, 2006

by Kristian C. Lehment, SAP AG SAPinsider - 2006 (Volume 7), July (Issue 3)
 

Any kind of external data — office documents, images, executables, etc. — is not considered secure until it is scanned for malicious or suspicious code. As a central distribution point of information, your enterprise’s database is particularly at risk for spreading malformed or otherwise dangerous data very quickly across the network. That’s why applications that receive and store files inside of SAP-managed databases must be able to check incoming data for threats.

In the past, administrators have relied on some very creative, albeit cumbersome, approaches for scanning the files headed into their SAP systems — or they have simply omitted this step altogether. And developers often overlook the step of building this level of security into their custom-developed applications during data transfers across networks or when documents are exchanged using interfaces, for example. As a result, whenever a new sales order, new hire application, or knowledge management document is uploaded into your systems, it could be putting those systems at risk.

The good news is that SAP provides the SAP NetWeaver Virus Scan Interface (SAP NW-VSI), an API built into the SAP NetWeaver platform to integrate virus scan engines with applications running on SAP NetWeaver. The SAP NW-VSI automatically checks documents before they are uploaded into the SAP system, making the process of scanning SAP system-bound documents as transparent as possible for application users and developers.[1] Of course, SAP has not gone into the virus scanning business — in order to perform the actual scan, you will rely on the specialized third-party virus scan software from the SAP partner of your choice.[2]

In this article, we will discuss the functions and benefits of the SAP NW-VSI. We will then detail how to set up and configure it, and we’ll outline the various ways SAP has made it easier for developers to incorporate virus scanning into custom-developed applications — without coding in many cases.

Three Key Functions of the SAP NW-VSI

The SAP NW-VSI is a necessary component of the virus scanning process, but it shouldn’t be considered an extra hurdle to ensuring that the files entering your SAP system are free of any harmful programs. The interface is designed not only to make the process of connecting the SAP NetWeaver platform and third-party software as seamless as possible (see sidebar), but also to enhance the capabilities of the virus scan engine you choose. Specifically, the SAP NW-VSI:

Provides a seamless connection to multiple scan engines so you can choose the appropriate virus scan engine for your system

The structure of the SAP NW-VSI allows you to combine virus scan products with various SAP systems on different operating system platforms to scan your SAP documents for viruses. In fact, by simply integrating a virus scan adapter (VSA) using a proprietary connection, any customer can connect existing virus scan products to the SAP NW-VSI.[3] Figure 1 illustrates how this works.

Figure 1: Three Sample Virus Scanning Software Architectural Scenarios That Could Interact with SAP NetWeaver via the SAP NW-VSI

The left side of the figure shows three third-party virus scan software architecture scenarios, all of which can interact with SAP NetWeaver via the SAP NW-VSI. The scenarios are different depending on the architecture of the third-party virus scanning product. In scenario 1, a customer uses a virus scan daemon that is connected to a virus scan adapter.

In scenario 2, the third-party product includes the virus scan engine, virus scan adapter, and all other functionality needed to connect to the SAP NW-VSI. You do not need to acquire additional modules.

In scenario 3, the third-party vendor uses an architecture that consists of a scan engine module and one separate, SAP-specific library that contains functionality to connect to the SAP NW-VSI.

Allows administrators to control the intensity of the scan

Not every document requires the same level of performance and security. By configuring Scan Profiles within the SAP NW-VSI, you can set the level of security required for each scan.[4] For instance, for documents within an HR application that deal with external recruiting forms you would want to be sure to conduct high-security scanning using two different scan engines from different scan providers. In this case, performance is by far secondary to ensuring a comprehensive examination of the incoming files. On the other hand, a CRM application that usually deals with internal documents requires less scanning effort but better performance. Finally, applications that transfer information via controlled files on controlled networks (such as IDocs) will not need virus scanning at all.

Provides the parameters and data for every virus scan but only alerts administrators to non-secure results

So that administrators do not have to monitor virus scan results for every document or data bit that may be uploaded into their systems, the SAP NW-VSI is designed for management by exception. If a scan is negative, meaning that no problems are found, the document will automatically upload as requested. Only when a problem is found will the user receive a message that the uploading of the document is denied. In this way, virus scanning is invisible to the end user for all secure documents entering the system.
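A small model of the scan-profile and management-by-exception behaviour described above, added here as an illustration; it is not SAP NW-VSI code. The profile names, engine names and byte patterns are constructed, and denying the upload when a profile is unknown or an engine is unavailable is an assumption of this example.

```python
# Added illustration: scan profiles and management by exception.
# Engine names, profile names and byte patterns are constructed for this
# example; none of this is SAP NW-VSI code.

class EngineUnavailable(Exception):
    """Raised by an engine that cannot perform the scan."""

def make_engine(name, signatures, available=True):
    """Return a toy engine: a callable listing the signatures found in data."""
    def scan(data: bytes):
        if not available:
            raise EngineUnavailable(name)
        return [s for s in signatures if s in data]
    scan.engine_name = name
    return scan

MARK_A = b"CONSTRUCTED-TEST-PATTERN-A"  # stands in for an anti-virus test file
MARK_B = b"CONSTRUCTED-TEST-PATTERN-B"  # known only to the second engine

ENGINE_1 = make_engine("engine-1", [MARK_A])
ENGINE_2 = make_engine("engine-2", [MARK_A, MARK_B])

# Profile -> engines that must all report clean. Empty list means no scan.
PROFILES = {
    "HR_EXTERNAL_FORMS": [ENGINE_1, ENGINE_2],  # two engines, security first
    "CRM_INTERNAL_DOCS": [ENGINE_1],            # one engine, performance first
    "IDOC_CONTROLLED": [],                      # controlled transfer, no scan
}

def gate_upload(profile, data, profiles=PROFILES):
    """Return (accepted, alerts); alerts is empty for every clean upload."""
    if profile not in profiles:       # assumption: unknown profile fails closed
        return False, [f"unknown scan profile {profile!r}"]
    alerts = []
    for engine in profiles[profile]:
        try:
            hits = engine(data)
        except EngineUnavailable:     # assumption: engine outage fails closed
            alerts.append(f"{engine.engine_name}: unavailable, upload denied")
            continue
        if hits:
            alerts.append(f"{engine.engine_name}: detected {len(hits)} pattern(s)")
    return (not alerts), alerts
```

A file carrying only `MARK_B` is accepted under the single-engine CRM profile and denied under the two-engine HR profile, which is the security-versus-performance trade-off the profile choice encodes.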

How the Virus Scan Interface Works Within Your SAP NetWeaver Architecture

As shown in the figure to the right, the SAP NetWeaver Virus Scan Interface sits between third-party virus scan offerings and the virus scanning elements contained within SAP NetWeaver, providing seamless integration between them. The functionality from SAP consists of C/C++, ABAP, and Java interfaces to support both ABAP and Java applications. It uses different layers to support both the ABAP and the SAP NetWeaver Application Server (SAP NetWeaver AS) Java world, and to deal with platform dependencies such as operating systems and 32-bit or 64-bit processors when integrating the virus scan interface.

The Virus Scan Adapter (VSA), also commonly referred to as a “connector,” is third-party software that connects the SAP NW-VSI with the Virus Scan Engine’s internal, proprietary API. You may or may not require the VSA, depending on the configuration of the engine.

The SAP VSI Library, part of the SAP NetWeaver platform, sits on top of the SAP NW-VSI and loads the certified partner products as a shared library, enabling multiple applications to access it. ABAP or Java application programs can then begin virus scans with dedicated classes and methods specific to their language (in the figure, these classes and methods are part of the SAP Internal Virus Scan Interface layer). To invoke individual scans, the ABAP or Java applications call a Virus Scan Server through the ABAP- and Java-specific SAP Virus Scan APIs using a remote function call (RFC). Using the Java-specific Virus Scan Provider, Java applications may also request the scan by calling the interface directly, without using an RFC or a virus scan server.

Setting Up and Testing the SAP NW-VSI

Administrators have been able to set up, configure, and activate virus scanning within SAP software since SAP NetWeaver Application Server 6.40 (SP13) with SAP R/3 Enterprise.

The SAP NW-VSI itself contains the functions required to configure and initialize the scan engine. Once you have installed a virus scan engine and adapter, you can configure the SAP NW-VSI. There are specific configuration options for both ABAP and Java installations, as well as a combination of the two. For instructions on how to configure each, see the sidebar “Sources for How to...”

When you’ve completed configuration of the SAP NW-VSI, you’ll want to test the infrastructure. SAP provides a dummy Virus Scan Adapter for this purpose. SAP also delivers a test application with each SAP NetWeaver Application Server (SAP NetWeaver AS) Java engine (since SP13; http://[host]:[port]/vscantest). Once you’ve installed and configured the test adapter, you can test the upload of files by using a file that contains a test virus.[5]

Support for Your Custom-Developed Applications

In many SAP customers’ development departments, developers use tools like the ABAP Workbench or SAP NetWeaver Developer Studio to create custom applications. If you have already written (or plan to write) applications that deal with the upload of external documents into the SAP databases, there are a number of options for implementing virus scanning capabilities directly into your applications — and you may be able to do this without hard-coding anything.

If you are using standard SAP NetWeaver development tools and deploying your custom applications on the SAP NetWeaver platform as of the 2004 release, virus scan functionality is already built in. What follows is a list of functions in both ABAP and Java that already include the virus scanning capability — requiring no coding in some cases:[6]

ABAP

The anti-virus routine is available with standard uploads in ABAP since SAP_BASIS 640 (SP11) with these functions:[7]

  • The function module 'GUI_UPLOAD' (which is also called by 'WS_UPLOAD')

  • The class method 'CL_FRONTEND_SERVICES=>GUI_UPLOAD'

  • The class 'CL_HTTP_ENTITY=>GET_DATA' (BSP framework)

Java

For Java applications, the anti-virus routine is available with standard uploads as of SAP NetWeaver 2004 (SP13). Built-in anti-virus functionality [8] is now included in the Web Dynpro for Java control 'FileUpload' (used when uploading files with Web Dynpro for Java).

If you are not using any of these functions or methods, you can use SAP APIs to call external virus-scanning software during upload. The Virus Scan Server is part of SAP NetWeaver and communicates through RFCs with the SAP NetWeaver Application Server within SAP NetWeaver. The Java side of the SAP NetWeaver Application Server only needs the server if native integration into the SAP NetWeaver AS Java engine is not possible for platform reasons.[9]

Native SAP APIs are available in:

ABAP

The 'CL_VSI' class provides three methods for the check: SCAN_BYTES, SCAN_FILE, SCAN_ITAB.

Java

The interface called tc/sec/vsi/interface supports virus scan checks. A reference to this interface must be set in your own applications.[10]

In order to test the virus scan interface, you can unpack the sample adapter from the VSA-SDK.ZIP file [11] and set the sample adapter as an adapter within the configuration (ABAP: Adapter path /; Java: VSA_LIB).

Using any of these built-in approaches, developers can incorporate virus scanning capabilities into their custom applications and run them on SAP NetWeaver with ease — it’s a small development effort for huge security returns.

Conclusion

Whether you’re an administrator who recognizes the need to secure your SAP systems from potentially high-risk uploads or a conscientious developer who is building a virus scan process directly into a new application, SAP has the resources and software to help you keep your SAP systems safe (see sidebar below).

Sources for How to…

Implement and Test the SAP NetWeaver Virus Scan Interface

  • Using the SAP NW-VSI:

    SAP Note 786179 — Data security products: Application in the antivirus area

    SAP Note 817623 — Integrating a virus scan in SAP applications

    SAP Note 782963 — Availability of virus scan server for NW-VSI

  • Configuring both ABAP and Java installations for virus scanning:
    http://help.sap.com --> SAP NetWeaver --> Search for “System Security” --> System Security --> Virus Scan Interface --> Architecture of the Virus Scan Interface

    • For ABAP-specific instructions, click on ABAP-Specific Configuration --> Setting up the Virus Scan Interface

    • For Java, click on Java-Specific Configuration --> Setting Up Virus Scan Providers

  • Testing the virus scan interface and the underlying scan engine:
    SAP Note 666568 — Using the EICAR anti-virus test file

  • Finding certified virus scan software vendors:
    www.sap.com/partners/directories

Build Virus Scan Capabilities into Your Custom Development

  • Using the SAP NW-VSI in your custom-developed ABAP applications:
    SAP Note 797108 — Virus scan interface (VSI): Changes and releases

  • Using the VSI in your custom-developed Java applications:
    SAP Note 848189 — Virus Scan Provider service in J2EE engine

As administrators consider how to integrate virus scan software into their scanning process, the choice of third-party scanning software is key. Choosing an SAP-certified solution that has gone through testing and has proven interoperability with the SAP NW-VSI is highly recommended, as it ensures SAP support for the scan functionality.

Virus scan software vendors are currently in the process of becoming certified; updates to certification information can be found by visiting the SAP Partner Directory at www.sap.com/partners/directories, clicking the Search by Solutions tab, and selecting “NW-VSI 1.0” in the “SAP-Defined Integration Scenarios” scroll box.

We also encourage our customers to point other virus software vendors to SAP for certification. Please visit the Integration and Certification Center at www.sap.com/ICC for more information on certification.


[1] This interface was introduced with SAP NetWeaver Application Server release 6.40 (SP13) with SAP R/3 Enterprise. SAP Insider readers first learned of SAP NW-VSI in Jürgen Schneider’s column, “Achieving Virus Protection in Your ABAP and Java Programs with SAP NetWeaver,” in the July-September 2004 issue of SAP Insider (www.SAPinsider.com).

[2] Third-party virus scan engines must be certified by SAP in order to be supported by SAP for integration with the SAP NW-VSI. Options for certified engines are discussed at the end of this article.

[3] Note that there are limitations to which virus scan engines can be used, including certification. You can find more details about which virus scan offerings are suitable for connection with the SAP NW-VSI at the end of this article.

[4] For more details about Scan Profile configuration, visit the SAP Help Portal at http://help.sap.com --> SAP NetWeaver and search for “Setting Up the Virus Scan Interface.”

[5] For more details, as well as the EICAR anti-virus test file, see SAP notes 786179 and 666568.

[6] In all cases, be sure to use the correct version of the development tools, as the scanning interface is not available in older versions.

[7] See SAP note 797108.

[8] See SAP note 848189.

[9] See SAP notes 782963 and 817623.

[10] Documentation about this interface is available at http://sdn.sap.com/irj/sdn/javadocs.

[11] The VSA-SDK.ZIP file is available with SAP note 786179.


Kristian C. Lehment is Product Manager for Security at SAP AG. He is responsible for the rollout of product information and for partner relations related to SAP product security. Kristian worked in the product management area of SAP’s research group for new technology in the hospitality industry from 1997 until 2000. Previously he worked as a senior consultant and then as an application programmer for Micros Fidelio, a leading provider of hotel software systems. He can be reached at kristian.lehment@sap.com.
