Network security considerations
Be aware that creating your instances in the public zone of your cloud provider (i.e. the “open Internet”) is
convenient but less secure than running them within your corporate network.
If you want to tighten the security, open as few ports as really needed for your scenario.
In addition, we recommend that you limit the access to your instances by defining a whitelisted range of IP
addresses that may access your solution (e.g. the subnet of your company). With this, only computers within the
whitelisted IP range can access your system via the specific port. You can maintain the IP range settings in the
CAL console (→ Edit → Virtual Machine → Access Points), using CIDR notation.
The more complex but also more secure alternative to public Internet is to set up a virtual private cloud (VPC) with
VPN access (e.g. described in this tutorial or in your standard cloud provider documentation).
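The access point rules described above are easy to get wrong (a 0.0.0.0/0 source, or a prefix length that is wider than the intended company subnet). The following script is an added example, not part of the original guide or of the CAL console: it audits a list of access point rules against the ports your scenario really needs and the company ranges you want to whitelist, and it tells you whether a given client address would reach a given port. The rule list, port numbers and IP ranges are constructed sample values; the CAL console does not export rules in this format, so you would transcribe them from the Access Points screen.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of access point rules (port, protocol, allowed source in CIDR notation).
# These are not the real defaults of any CAL appliance.
SAMPLE_ACCESS_POINTS: List[Dict] = [
    {"port": 3389, "protocol": "TCP", "cidr": "0.0.0.0/0"},        # RDP open to the whole Internet
    {"port": 44300, "protocol": "TCP", "cidr": "203.0.113.0/24"},  # HTTPS from the company subnet
    {"port": 22, "protocol": "TCP", "cidr": "198.51.100.17"},      # SSH from a single admin host
    {"port": 8000, "protocol": "TCP", "cidr": "203.0.113.0/16"},   # sloppy prefix, much wider than intended
]
# Constructed company ranges and the ports assumed to be needed for the scenario.
CORPORATE_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]
REQUIRED_PORTS = {22, 3389, 44300}


def parse_source(cidr: str) -> Network:
    """Parse a CIDR string as the console would interpret it.

    strict=False means host bits are masked off, so '203.0.113.0/16' silently
    becomes 203.0.0.0/16; a bare address such as '198.51.100.17' becomes a /32.
    """
    return ipaddress.ip_network(cidr, strict=False)


def audit_access_points(points: Iterable[Dict], corporate_ranges: Iterable[str],
                        required_ports: Iterable[int]) -> List[Tuple[int, str, str]]:
    """Return (port, cidr, finding) tuples for every rule that deserves a second look."""
    allowed = [ipaddress.ip_network(r) for r in corporate_ranges]
    required = set(required_ports)
    findings = []
    for rule in points:
        port, cidr = rule["port"], rule["cidr"]
        src = parse_source(cidr)
        if port not in required:
            findings.append((port, cidr, "port is not in the list of ports required for the scenario"))
        if src.prefixlen == 0:
            findings.append((port, cidr, "open to any source address (whole Internet)"))
        elif not any(src.version == a.version and src.subnet_of(a) for a in allowed):
            findings.append((port, cidr, f"source range is not within the whitelisted ranges (normalised to {src})"))
    return findings


def client_allowed(client_ip: str, port: int, points: Iterable[Dict]) -> bool:
    """True if at least one rule lets client_ip reach the given port."""
    ip = ipaddress.ip_address(client_ip)
    for rule in points:
        if rule["port"] != port:
            continue
        src = parse_source(rule["cidr"])
        if ip.version == src.version and ip in src:
            return True
    return False


if __name__ == "__main__":
    for port, cidr, msg in audit_access_points(SAMPLE_ACCESS_POINTS, CORPORATE_RANGES, REQUIRED_PORTS):
        print(f"port {port:>5} from {cidr:<16} -> {msg}")
    print("office client reaches Fiori HTTPS:", client_allowed("203.0.113.42", 44300, SAMPLE_ACCESS_POINTS))
    print("unknown host reaches RDP:         ", client_allowed("8.8.8.8", 3389, SAMPLE_ACCESS_POINTS))
```

Run it after transcribing your own rules and ranges into the two lists; any rule that shows up with "open to any source address" is exactly the kind of exposure the recommendation above is meant to avoid, and the "normalised to" hint shows you what the console will actually enforce for a mistyped prefix.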
Note that when using HANA-based appliances, HANA systems are not installed individually but cloned from a
template system. Because of this cloning process, the existing root keys are cloned as well. For more information,
see SAP Note 2134846 - HANA encryption key handling during system cloning.
ABAP user roles and profiles
The ABAP business users listed in chapter 2 have a large set of roles and extensive authorizations (including the
SAP_ALL profile).
If you plan to release the appliance to a larger set of users (especially in the Internet scenario), we advise you to
restrict or lock these users (or at least change their initial passwords) and create your own users with fitting
roles and authorizations.
This can be done using the standard user management capabilities (e.g. tCode SU01).
Please also note that the user BPINST is used in various RFC connections (tCode SM59) with its fixed password. If
you lock the BPINST user or change its password, please also adapt these connections accordingly.
Certificates
The appliance comes with a certificate that was self-signed by SAP. Most local browsers will issue a warning
message that such a certificate is untrusted, and you will need to add the affected URLs (Fiori launchpad and
others) to the list of trusted sites once.
Hence, if you see messages about unsafe connections, untrusted certificates, etc., please click on “Proceed” or “I
know the risk”, etc. (the screens and needed clicks will vary depending on the browser).
As an alternative, you can also apply your own trusted certificate to the system (using tCode STRUST, etc.).
The above-mentioned sample demo walkthrough site provides a technical demo guide for installing a free 90-day
Let’s Encrypt certificate.
On the delivered remote desktop, the self-signed certificate has already been imported into the store of trusted
certificates, and you will not see a warning if you access the Fiori launchpad. The web sites of the J2EE server or
the SAP Cloud Connector will still display warnings; please acknowledge the risk and continue as outlined above.
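Whether you keep the self-signed SAP certificate (and import it into your trust store) or apply your own certificate via STRUST, it is useful to verify from outside the browser what the server actually presents and whether your trust store accepts it. The script below is an added example, not part of the original guide or of SAP's tooling. It uses only the Python standard library: check_trust opens a verified TLS connection to a host and port you supply (optionally against an exported CA file) and reports OpenSSL's reason when verification fails, and classify_cert summarises the certificate details that Python exposes for a certificate that passed verification. The host name, port and certificate contents in the sample data are constructed placeholders.

```python
import socket
import ssl
import time
from typing import Any, Dict, Optional


def _name_to_dict(rdns) -> Dict[str, str]:
    """Flatten the nested ((('commonName', 'x'),), ...) tuples from getpeercert()."""
    out: Dict[str, str] = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def classify_cert(cert: Dict[str, Any], now: Optional[float] = None) -> Dict[str, Any]:
    """Summarise a certificate dict in the format returned by ssl.SSLSocket.getpeercert().

    A certificate whose issuer name equals its subject name is self-signed, which is
    what the appliance ships with; 'now' (epoch seconds) defaults to the current time.
    """
    subject = _name_to_dict(cert.get("subject", ()))
    issuer = _name_to_dict(cert.get("issuer", ()))
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "self_signed": subject == issuer,
        "expired": not_after < now,
        "days_left": int((not_after - now) // 86400),
        "hostnames": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
    }


def check_trust(host: str, port: int = 443, cafile: Optional[str] = None,
                timeout: float = 5.0) -> Dict[str, Any]:
    """Connect with full verification and hostname check, as a browser would.

    cafile may point to the exported appliance certificate or to your own CA; without
    it the default trust store of the machine is used. getpeercert() only returns
    details for a certificate that passed verification, so an untrusted certificate
    comes back as trusted=False together with OpenSSL's reason (for the SAP certificate
    typically a 'self-signed certificate' message).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"trusted": True, "reason": None, "summary": classify_cert(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        return {"trusted": False, "reason": exc.verify_message, "summary": None}


# Constructed samples in getpeercert() format (not real appliance certificates).
_NAME = ((("countryName", "DE"),), (("organizationName", "Example Corp"),),
         (("commonName", "vhcalhdbdb.example.local"),))
SAMPLE_SELF_SIGNED = {
    "subject": _NAME, "issuer": _NAME,
    "notBefore": "Jan 15 00:00:00 2024 GMT", "notAfter": "Dec 31 23:59:59 2034 GMT",
    "subjectAltName": (("DNS", "vhcalhdbdb.example.local"),),
}
SAMPLE_EXPIRED_CA_SIGNED = {
    "subject": _NAME,
    "issuer": ((("organizationName", "Example Corp"),), (("commonName", "Example Corp Root CA"),)),
    "notBefore": "Jan 15 00:00:00 2019 GMT", "notAfter": "Jan 15 00:00:00 2020 GMT",
    "subjectAltName": (("DNS", "vhcalhdbdb.example.local"),),
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python check_cert.py vhcalhdbdb.example.local 44300 [cafile]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        cafile = sys.argv[3] if len(sys.argv) > 3 else None
        print(check_trust(host, port, cafile))
    else:
        print("offline demo:", classify_cert(SAMPLE_SELF_SIGNED))
```

A practical workflow is to run check_trust once before and once after importing the certificate (or applying your own via STRUST): the first run should report trusted=False with the verification reason, the second trusted=True with a summary whose hostnames list contains the name you use in the browser and whose days_left is still comfortably positive.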