cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

CFE Cache - Is this stored with strong encryption?

Go to solution
Former Member

on ‎06-18-2009 5:09 AM

0 Kudos

Hi

The 'SAP runs ACCAD - insights on example landscape' document asks the question: Is the data on CFEs is secure or can an admin read it? Is AccAD u201Ehackeableu201C thus can it be hacked from outside with hacker tools? Minor issues were found and then fixed by AccAD development team in 2006.

This inspires confidence in the solution. However, the installation guide states that establishing physical security of the hard disk is recommended. This note suggests that the above comment may not be so reassuring.

Is the cache content strongly encrypted on the CFE hard disk?

Thanks

Jon

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

jana_richter
Employee
Employee
‎09-03-2009 4:10 PM
0 Kudos

Hi John and all readers of this forum,

I just wanted to give you a short update: Starting with AccAD 2.1 SPS 04, you can create a separate partition on your Client Front-End which uses encryption. Thus you can enable the CFE cache to use a strong encryption. Note: The encrypted drive is formatted with each reboot. Thus, data which is stored on this drive will be deleted with each reboot.

Within AccAD 2.2 we plan to have full support for cache encryption (not requiring a separate partition and not being affected by reboots) - but for now there is still a nice way of enabling the above-mentioned feature within AccAD 2.1.

You can find more details on how to enable this within [SAP Note 1381413|https://service.sap.com/sap/support/notes/1381413].

Best regards

Jana

Show replies
Show replies

Answers (3)

Answers (3)

Former Member
‎10-14-2009 12:37 PM
0 Kudos

Hi Jana,

According to the note# 1381413 saying AccAD supports Drive Encryption,

On our server thereu2019s some restriction on hardware so weu2019ve decided to put the CFE on Windows servers 2003.

Apparently, according to this note, the provided script are only working with Linux CFE.

Are there any workaround to get this done on window CFE as well ?

Show replies
Show replies
jana_richter
Employee
Employee
‎10-15-2009 10:04 AM
0 Kudos

Hi Andrew,

pretty good question. So far the disk encryption has only been developed for Linux CFEs in the following approach: Our process in Linux is to have a dedicated partition which is encrypted with a random key upon machine boot and usage of soft links to volumes u2013 this is a small integration project which really covers the scenario a machine is stolen.

Some options that I see how you could achieve security for this "machine stolen" scenario with a Windows CFE:

- A customer may use some encryption mechanism for the entire disk with some password or biometric authentication mechanism upon boot. There are a few tools available that provide these HD encryption for Windows. But when you use these mechanisms, it means that the service can not go up without an operator.

- Alternatively, from SPS 05 you can configure to use only memory cache without disk persistency (in Appliance Landscape within the Engine configuration - Instance - Cache Store there are settings related to that). However, this of course means that you are limited in what can be stored within the cache.

So far we have not yet received any requirements to the cache encryption in Windows, thus it is not available yet. Is this a crucial point in your implementation to have a full disk encryption available for the Windows CFE?

Best regards

Jana

Former Member
‎10-14-2009 12:37 PM
0 Kudos

Hi Jana,

According to the note# 1381413 saying AccAD supports Drive Encryption,

On our server thereu2019s some restriction on hardware so weu2019ve decided to put the CFE on Windows servers 2003.

Apparently, according to this note, the provided script are only working with Linux CFE.

Are there any workaround to get this done on window CFE as well ?

Show replies
Show replies
jana_richter
Employee
Employee
‎06-22-2009 10:57 AM
0 Kudos

Hi Jon,

good question - actually the cached content that is stored in memory and on the disk is not yet encrypted in the current release AccAD 2.1 for SAP NetWeaver.

For this reason it is recommend to ensure physical security for the Client Front-Ends, to ensure that no unauthorized access to the cached content could happen. If this is not possible and the non-caching is a security constraint, another option might be to disable caching of security-relevant content like KM documents (if applicable) and thus benefit from the efficient compression mechanisms only.

We plan to provide encryption for disk cache in the next release Accelerated Application Delivery 2.2 for SAP NetWeaver (Ramp-Up start planned for December 2009).

Hope this helps, best regards

Jana

Show replies
Show replies
Former Member
‎06-23-2009 11:16 AM
0 Kudos

Thanks Jana.

Ask a Question