6.1 Enabling Auditing

Completing the following procedures allows you to audit the events that occur in the SAP system. These events can be security events, or provisioning events that are a result of the Identity Manager drivers.

Each of the use cases requires that auditing be enabled. Use the following procedures to enable auditing for your SAP environment.

6.1.1 Prerequisites

The procedures assume the following items have been completed:

6.1.2 Configuring the SAP Servers for Auditing

Complete the following steps to enable the SAP server for auditing. These steps must be completed on each server you want to audit.

  1. Shut down the SAP instance through the SAPMMC.

  2. Edit the SAP profile <SID>_<INSTANCE_NAME>_<SERVER_NAME>.

    For example: DMO_DVEBMGS01_sapserver

    UNIX System: /usr/sap/<SID>/SYS/profile

    Windows NT System: X:\usr\sap\<SID>\SYS\profile

    Do not modify a SAP profile file with a .1 or .2 extension. These are the backup files.

  3. Add the following parameters to the SAP profile file:

    Parameter                                   Description
    rsau/enable = 1                             Enables the Security Audit Log
    rsau/max_diskspace/local = 2147483647       Maximum space to allocate for the audit files
    rsau/selection_slots = 10                   Number of filters to allow for the security audit log
    rsau/max_diskspace/per_file = 2147483647    Maximum space to allocate for the audit files
    rsau/max_diskspace/per_day = 21474836470    Maximum space to allocate for the audit files

  4. (Conditional) If you are using the SAP ABAP trial version, modify the following parameters in the SAP profile to increase the memory allocated to the CCMS alert system. The CCMS alert system is disabled by default.

    Parameter                          Description
    alert/MONI_SEGM_SIZE = 40000000    Allocates memory space for the alert system
    rdisp/autoabaptime = 300           Parameter for the background job scheduler

  5. Start the SAP instance through the SAPMMC.

  6. Log in to SAP.

  7. Specify the SAP transaction SM19, then select Environment > Profile Parameter from the toolbar.

    1. In transaction SM19, click the Dynamic Configuration tab.

    2. Click the Display <-> Change icon to add additional events to Filter 1.

    3. Select Filter Active to activate the filter.

    4. Select all event types, such as logon and master record change.

      By default, only System events are selected.

    5. Click the Display <-> Change icon to save and distribute the changes to your SAP servers.

  8. Load the SAP CCMS Monitor Templates > Security monitor via transaction RZ20:

    1. Run transaction RZ20.

    2. Expand the SAP CCMS Monitor Templates node, then select the Security Monitor set.

    3. Right-click the Security Monitor set, then click Load monitor.

  9. Repeat Step 1 through Step 8 for each SAP server that you want to enable auditing for.
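
Because the profile edit in Step 3 has to be repeated on every server, a small checker helps confirm that each live profile really carries the audit parameters. The following is an added example, not part of the original documentation or of any SAP or Novell tool: it compares a profile's text against the exact values listed in Step 3 and refuses the .1/.2 backup copies. The function names and the sample profile are constructed for illustration, and treating the last occurrence of a repeated parameter as the effective one is an assumption.

```python
from pathlib import PurePath

# Parameter values exactly as listed in Step 3 of this section.
REQUIRED = {
    "rsau/enable": "1",
    "rsau/max_diskspace/local": "2147483647",
    "rsau/selection_slots": "10",
    "rsau/max_diskspace/per_file": "2147483647",
    "rsau/max_diskspace/per_day": "21474836470",
}

def is_backup_profile(filename):
    """True for the .1 / .2 backup copies that Step 2 says not to modify."""
    return PurePath(filename).suffix in (".1", ".2")

def parse_profile(text):
    """Parse 'name = value' lines; lines starting with '#' are comments.
    Assumption: if a parameter is repeated, the last entry is the effective one."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def audit_findings(filename, text):
    """Return (parameter, expected, actual) for every deviation from Step 3."""
    if is_backup_profile(filename):
        raise ValueError(f"{filename} is a backup profile; check the live profile")
    params = parse_profile(text)
    return [(name, want, params.get(name))
            for name, want in REQUIRED.items() if params.get(name) != want]

# Constructed sample: a later duplicate entry switches auditing off, the
# filter count is too low, and rsau/max_diskspace/per_day is missing.
SAMPLE = """\
# DMO_DVEBMGS01_sapserver (constructed sample, not a real profile)
SAPSYSTEMNAME = DMO
rsau/enable = 1
rsau/max_diskspace/local = 2147483647
rsau/selection_slots = 2
rsau/max_diskspace/per_file = 2147483647
rsau/enable = 0
"""

if __name__ == "__main__":
    for name, want, got in audit_findings("DMO_DVEBMGS01_sapserver", SAMPLE):
        print(f"{name}: expected {want}, found {got}")
```

An actual value of None means the parameter is absent from the profile.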

6.1.3 Importing the SAP CCMS Collector and the SAP XAL Connector

The SAP CCMS Collector and the SAP XAL Connector need to be added to the Event Source Manager once. The SAP CCMS Collector and the SAP XAL Connector are then displayed as options to select during the configuration procedures.

To import the SAP CCMS Collector and the SAP XAL Connector:

  1. Download the SAP CCMS Collector (SAP_CCMS_6.1r1.clz.zip) from the Sentinel 6.1 download Web site to the server where the Sentinel Control Center is running.

  2. Download the SAP XAL Connector (sap_connector.zip) from the Sentinel 6.1 download Web site to the server where the Sentinel Control Center is running.

  3. Log in to the Sentinel Control Center.

  4. Select Event Source Management > Live View, then select Tools > Import plugin.

  5. Browse to and select the SAP CCMS Collector SAP_CCMS_6.1r1.clz.zip file, then click Next.

  6. Follow the remaining prompts, then click Finish.

  7. Repeat Step 4 through Step 6, except browse to and select the SAP XAL Connector sap_connector.zip file.

6.1.4 Adding Auxiliary Files for the SAP XAL Connector

The SAP Java Connector 3 (JCO) library files must be added to the Sentinel server for the SAP XAL Connector to work.

  1. Download the SAP JCO3 library files from the SAP Service Market Place Web site.

    The SAP XAL Connector only supports version 3 of the JCO library files. These files are:

    • sapjco3.jar

    • Native libraries:

      • Linux/UNIX: libsapjco3.so

      • Windows: sapjco3.dll

  2. Log in to the Sentinel Control Center.

  3. (Conditional) If you have more than one Connector, select the Connector, then proceed to the next step.

  4. Select Event Source Management > Live View, then select the Add Auxiliary File icon.

  5. Browse to and select the native library file for your platform.

  6. Repeat Step 4 for the sapjco3.jar file.

6.1.5 Configuring the SAP CCMS Collector

For each SAP XAL Connector, you must have one SAP CCMS Collector.

  1. In the Event Source Management live view, right-click the Collection Manager, then click Add Collector.

  2. Select Novell in the vendor column.

  3. Select SAP CCMS Alerts 6r1 in the Name column, then click Next.

  4. Select Novell Engineering and SAP_CCMS_6.1r1 for the Collector script, then click Next.

  5. Configure the SAP CCMS Collector for your needs by using the following information:

    Event Source Time Zone
        Default value: +0000
        Description: Sets the time zone offset UTC (+0000) of the event source data time stamps. This is used if the source data is reported only in local time with no time zone indicated. The format is + or - followed by a two-digit hour and minute offset.

    Execution Mode
        Default value: release
        Description: Sets the execution mode for the collector. There are three options:

        • release: Use this mode for normal operation.

        • custom: Use this mode if the Identity Manager Collector is customized.

        • debug: Use this mode when troubleshooting. It generates debug trace files.

    MSSP Customer Name
        Default value: (empty)

    Script Error Severity
        Default value: 5 Severe (5)
        Description: Sets the severity for a script error event.

    Send Script Error Message
        Default value: yes
        Description: Sends a script error event when there is an error with the Collector script.

    Sentinel Driver Instance ID
        Default value: (empty)
        Description: Enables multiple Sentinel drivers. Each Sentinel driver is paired with a specific Identity Vault Collector. This instance ID is synchronized between the Sentinel driver and the Identity Vault Collector. By default, there is no value. Use letters and numbers only.

    iSCALE Connection URL
        Default value: localhost:10012
        Description: The URL that the Identity Vault Collector uses to retrieve identity events stored in the SonicMQ* message queue.

  6. Click Next.

  7. Complete the configuration of the SAP CCMS Collector with the following information:

    Name: Specify a name for this Collector.

    Run: Select whether the Collector is started whenever the Collector Manager is started.

    Alert if no data received in specified time period: (Optional) Select this option to send the No Data Alert event to Sentinel if data is not received by the collector in the specified time period.

    Limit Data Rate: (Optional) Select this option to set a maximum limit on the rate of data the collector sends to Sentinel. If the data rate limit is reached, Sentinel throttles back on the source in order to limit the flow of data.

    Set Filter: (Optional) Specify a filter on the raw data passing through the collector.

    Trust Event Source Time: (Optional) Select this option if you trust the Event Source server’s time.

  8. Click Finish to save the Collector.

6.1.6 Configuring the SAP XAL Connector

The SAP XAL Connector can connect to more than one SAP Application.

  1. In the Event Source Management live view, right-click the SAP CCMS Collector, then select Add Connector.

  2. Select SAP from the list of installed Connectors, then click Next.

  3. Configure the Connector by specifying the following information:

    Name: Specify the name of the Connector to display.

    Run: (Optional) Select this option to start the Connector when the Collector Manager starts.

    Alert if no data received in specified time period: (Optional) Select this option to send a No Data Alert event to Sentinel if no data is received by the Connector in the specified time period. There is also an option to resend the alert if multiple time periods pass without receiving data from the Connector.

    Limit Data Rate: (Optional) Specify the maximum limit on the rate of data this connector can send to Sentinel. If the data limit is reached, Sentinel begins to throttle back on the source in order to limit the flow of data.

    Set Filter: (Optional) Specify a filter on the raw data passing through this connector.

    Save Raw Data to a file: (Optional) Saves the raw data passing through the Connector to a file for further analysis.

  4. Click Finish to save the configuration.

6.1.7 Configuring the SAP Event Source

You must configure one or more event sources for the SAP XAL Connector to poll for SAP system alerts.

  1. In the Event Source Management live view, right-click the SAP XAL Connector, then select Add Event Source.

  2. Specify the Connector parameters for the desired SAP server.

    Host Name: Specify the DNS name or IP address of the SAP server that is polled for SAP system alerts.

    System Number: Specify the system number of the SAP server.

    Client Number: Specify the client number of the SAP server.

    User Name: Specify the username of a user with sufficient authorization to perform CCMS administration. This involves the collection and completion of system alerts. It is recommended that a Communication (CPIC) User account be utilized.

    Password: Specify the password of the CCMS administrative user.

    Language: Specify the two-letter language code. The default is EN for English.

  3. Click Next.

  4. Specify a monitor set followed by the forward-slash-separated path to the desired monitor object. The default monitor set and object are SAP CCMS Monitor Templates/Security.

    The default monitor path is the most commonly used for system alerts that are related to system auditing.

  5. Click Next.

  6. Specify a name for the SAP server to be displayed as an event source in the Event Source Manager.

    This allows you to identify each SAP server in the Event Source Manager.

  7. Click Next.

  8. Click Finish to save the configuration for the new event source object.

  9. Right-click the new SAP event source object, then click Start to start the event source object.

  10. Repeat Step 1 through Step 8 for each SAP server you want to monitor through the same connector.