Hardening Avantra
We strongly recommend regularly reviewing your Avantra installation landscape and applying appropriate hardening measures. Each enterprise or managed service provider has its own approach to system hardening, and our recommendations should be appended to those approaches.
The items mentioned in this guide are designed to be appended to your existing hardening practices. This is not a complete system hardening guide.
This guide will be updated periodically and should be regularly reviewed by your operations team and security experts to ensure you continue to run a hardened environment.
Avantra Server
Secure the WebUI port and bind address
AHG-S-01
By default, Avantra can be configured to use HTTP or HTTPS. In a productive environment, we strongly recommend you ensure that your WebUI (XANGUI) configuration is set to use the secure port via HTTPS. You can also specify the TLS cipher suites that can be used for web UI communication. Finally, in a multi-network setup with multiple interfaces, ensure that your WebUI is only accessible from the required interface.
Recommendation
- Enable the HTTPS (secure) port in your installation on an unprivileged port (e.g. 8443).
- Avoid using HTTP.
- Bind the Avantra WebUI to only the required network interface.
Within the Avantra server settings, bind the Avantra server to only the required network interface (Administration > Settings > Avantra Master > Network.bind-address).
Helpful Links
Managing your Web UI configuration
Disable HTTP completely or redirect HTTP to HTTPS
AHG-S-02
By default, Avantra can be configured to use HTTP or HTTPS. In a productive environment, we strongly recommend you ensure that any insecure (HTTP) requests to your Web UI are dropped or, at least, auto-redirected to the secure version (HTTPS).
Recommendation
Disable the HTTP port by removing it from the configuration file. If it must be left enabled, then we recommend enabling redirection of HTTP to HTTPS by default.
Helpful Links
Managing your Web UI configuration
X.509 Web Certificate
AHG-S-03
By default, Avantra comes with a pre-installed X.509 certificate with the common name xandria. In all cases we strongly recommend you replace this and add your own X.509 server certificate to your installation to secure all web interface communications.
Recommendation
Replace the default X.509 certificate with your own CA-signed certificate.
Helpful Links
Using CA-signed certificates for HTTPS in Avantra UI
OS permissions for the Avantra services user
AHG-S-04
It is important to ensure that the service user in use to run the Avantra OS services for Server/UI and Agent has no other permissions except for running the services. E.g. not in the administrator or SUDO group. Your user should have read, write, and execute permissions on the Avantra install directory and group membership for any other directories to which access is required.
We strongly discourage the use of root as the Avantra agent OS user. Instead, customers should work with sudo to allowlist only the commands required. E.g. if you plan to automate OS patching within Unix, then allow the service user to run that command only via sudo rather than adding it to the sudoers group.
Recommendation
Restrict the OS service user to the minimal required permission to run.
OS Hardening
AHG-S-05
We strongly recommend utilizing the operating system hardening guide as provided by your operating system provider e.g. SUSE, RHEL, Windows, or other. These guides will cover topics such as firewalls, audit logs, and more.
Recommendation
Frequently review the OS hardening guide for your chosen OS and implement its recommendations.
User authentication
AHG-S-06
Avantra supports the configuration of external identity providers via SAML or active directory. We recommend using an external identity provider as it allows for tight integration into corporate systems for processes such as Joiners, Movers, and Leavers (JML) as well as supporting two-factor authentication (2FA). We strongly encourage using concepts such as 2FA via an external identity provider.
Recommendation
Configure an external identity provider, ideally, with 2FA enabled.
OS-level code execution for managed systems
AHG-S-07
Avantra is designed as a complete management platform that includes powerful features that allow for the execution of scripts and commands on remote systems for automation. Depending on your environment you may not want to allow the execution of OS-level commands in your environment.
Recommendation
Ensure that you apply the hardening recommendation AHG-A-01 to significantly restrict the access permissions of the OS user in use to run the Agent services. This user should ONLY have the permissions to run the agent as well as access to run any scripts or commands required for your specific scenarios. This protection should mitigate this risk.
Optional (extra hardening) recommendation: for validated environments that require complete hardening, you can switch off any capability to execute OS-level commands within the Avantra server settings. Please bear in mind that this is a global flag and will reduce the capabilities in this space. The flag is called Security.EnableOSCodeExec and can be found in Administration > Settings > Master.
Database write-query execution for managed systems
AHG-S-08
Avantra is designed as a complete management platform that includes powerful features that allow for the execution of queries and commands on remote databases (as part of checks or automation). Depending on your environment you may not want to allow the execution of write-capable SQL commands in your environment.
Recommendation
Ensure that you apply the hardening recommendation AHG-A-02 to significantly restrict the access permissions of the database user in use to monitor your managed database objects. This user should ONLY have the permissions required for your specific scenarios (usually read-only and no access to production data). This protection should mitigate this risk.
Optional (extra hardening) recommendation: for validated environments that require complete hardening, you can switch off any capability to execute database write commands within the Avantra server settings. Please bear in mind that this is a global flag and will reduce the capabilities in this space. The flag is called Security.RUNJSAllowDBWrite and can be found in Administration > Settings > Master.
Restrict permissions on Avantra files
AHG-S-09
Your Avantra installation should be protected from other users of your OS. The only user requiring access to read, write or execute Avantra files should be the Avantra service user running your OS services.
Recommendation
Ensure that the permissions within the Avantra installation directory are restricted for groups and other users.
If it's not possible to limit access to the Avantra directory, be sure to restrict ownership to the credential encryption key.
Example Unix commands
# Replace <avantraOSuser> and <avantraOSGroup> with your Avantra service user and group
sudo chown -R <avantraOSuser>:<avantraOSGroup> /opt/avantra
sudo chmod -R go-rwx /opt/avantra
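As an added check (example code, not Avantra's own tooling), the script below walks an install directory and lists anything still readable, writable or executable by group or other users, or owned by a different uid; /opt/avantra and the expected uid are assumptions supplied by the caller, and the tree it audits when run as a demo is constructed in a temp directory.

```python
"""Audit an Avantra install directory for files reachable by group or other users
(AHG-S-09). Added example, not Avantra tooling: /opt/avantra is the assumed
install path and the service-user uid is passed in by the caller."""
import os
import stat
import sys
import tempfile

# Any of these bits set means group or other users can read, write or execute.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_permissions(root, expected_uid=None):
    """Return sorted (relative path, reason) pairs for every file or directory
    under root that exposes group/other bits or, when expected_uid is given,
    is owned by a different uid. Symlinks are skipped, not followed."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            reasons = []
            if st.st_mode & GROUP_OTHER_BITS:
                reasons.append("mode %04o open to group/other" % stat.S_IMODE(st.st_mode))
            if expected_uid is not None and st.st_uid != expected_uid:
                reasons.append("owned by uid %d" % st.st_uid)
            if reasons:
                findings.append((os.path.relpath(path, root), "; ".join(reasons)))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed sample install tree in a temp dir: a correctly
    locked-down script, a world-readable config and a group-writable key file."""
    root = tempfile.mkdtemp(prefix="avantra-sample-")
    os.chmod(root, 0o700)
    modes = {"bin/server.sh": 0o700, "cfg/xangui.cfg": 0o644, "keys/credentials.key": 0o660}
    for rel, mode in modes.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), mode=0o700, exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    # Audit the path given on the command line, or the assumed default install path.
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/avantra"
    for rel, reason in audit_permissions(target):
        print("%s: %s" % (rel, reason))
```

Run it as the service user (or root) so every directory can be traversed; an empty result means the chown/chmod above took effect everywhere.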
Secure communications between the UI and server
AHG-S-10
Avantra supports HTTPS communication between the UI and the server. For most customers this is not a concern, as the UI usually resides on the same host as the server and so all communication is internal. However, you can set Avantra to use the secure communications option a5s (HTTPS) instead of a5 (HTTP). The flags are called Network.master-ui-protocol and ui-master-protocol and can be found in Administration > Settings > Avantra Master and Administration > Settings > Avantra UI respectively.
Switching to a5s for communication between your server and UI (if your UI and server are on the same host) may have a small impact on performance owing to the HTTPS overhead. While this is generally not an issue with modern system sizes and resources, it's worth being aware of.
Recommendation
Set the flag Network.master-ui-protocol to a5s in the Avantra server settings under Administration > Settings > Avantra Master. Set the flag ui-master-protocol to a5s in the Avantra UI server settings under Administration > Settings > Avantra UI.
Set TLS cipher suites and protocols
AHG-S-11
Avantra supports TLS versions 1.0 to 1.3 for agent communications, and these can be enabled or disabled based on your organizational policies. We encourage customers to configure these settings to match corporate policies.
Recommendation
Set the flags Network.tls-cipher-suites and Network.tls-enabled-client-protocols to appropriate values in the Avantra server settings under Administration > Settings > Master.
Reduce log level
AHG-S-12
Avantra has six different log levels:
- Trace
- Debug
- Info
- Warning
- Error
- Fatal
Unless needed for support or problem-solving purposes, we recommend running with minimal log level to reduce information captured in your log files at the OS level.
Recommendation
Set the flag global.log-level to OFF in the Avantra server settings under Administration > Settings > Avantra Master.
Set the flag LogLevel to Fatal in the Avantra UI server settings under Administration > Settings > Avantra UI.
There is also a monitoring parameter, TraceLevel, that can be set on your agents to turn off logging; set its value to 0.
Failed login attempt restrictions
AHG-S-13
By default, Avantra will lock a user account after 3 failed login attempts for a period of 5 minutes. This behavior can be changed to match your organizational requirements using the flags below in the Avantra UI server settings under Administration > Settings > Avantra UI.
- logon.lockTimeMinutes
- logon.maxFailedLoginTries
Recommendation
Match the values for the above flags to your organization's requirements in this space.
Disable browser credential caching
AHG-S-14
By default, Avantra can use a remember me option at login to allow users to speed up future login attempts. This behavior can be disabled to prevent misuse using the flag remember-me under the Avantra UI server settings under Administration > Settings > Avantra UI.
Recommendation
Set the flag remember-me to no under the Avantra UI server settings under Administration > Settings > Avantra UI.
Disable password reset processes
AHG-S-15
By default, Avantra has password reset functionality enabled for local accounts via an email sent to the user. To disable this, use the flag reset-password under the Avantra UI server settings under Administration > Settings > Avantra UI. Note that this disables all password resets for local accounts, including administrator accounts.
Recommendation
Set the flag reset-password to no under the Avantra UI server settings under Administration > Settings > Avantra UI.
Set a default password policy for local accounts
AHG-S-16
Avantra can mandate complex password use for local Avantra accounts (as opposed to Identity provider accounts) and this is configurable within the Avantra UI. You can find this under Administration > Settings > Password Policy.
Recommendation
Set the appropriate Password Policy to match your organizational requirements.
Review the Avantra Logbook settings
AHG-S-17
The Avantra logbook keeps a record of all activity within your Avantra system and is very useful when undertaking audits and clarifying who completed actions. It is enabled by default but the settings should be verified to match your organizational requirements.
Recommendation
Review and update the Avantra Logbook settings under Administration > Settings > Logbook.
Disable the Avantra Server statistics Web page
AHG-S-18
The Avantra server has a statistics and server-health overview webpage enabled on port 9058. This page gives you information about the health of your Avantra server such as DB connection pool info, JVM heap sizes, remote connection to managed agents, and much more. This web server is hosted directly by the Avantra service independent of the Avantra UI (XANGUI). In a hardened environment, this web service should be disabled unless needed for support purposes.
Recommendation
Disable the web service on this port by setting the flag Web.http-server to off under Administration > Settings > Avantra Master.
Apply secure web application headers
AHG-S-19
Customers can add specific security headers to the Avantra web application configuration file; once set, they are sent with every response and help protect against click-jacking, XSS attacks, MIME sniffing, etc. For more information on HTTP security headers, follow this link.
Recommendation
The following configuration keys can be set in xangui.cfg:
X_FRAME_OPTIONS=deny|sameorigin|allow-from
CONTENT_SECURITY_POLICY=...
X_PERMITTED_CROSS_DOMAIN_POLICIES=none
X_CONTENT_TYPE_OPTIONS=nosniff
REFERRER_POLICY=no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url
For more information about the values that CONTENT_SECURITY_POLICY can take, see Mozilla Developer Network - Content Security Policy (CSP).
These settings could cause issues with SAML and the UI timeout; therefore they must be explicitly defined in xangui.cfg if wanted and thoroughly tested before being used in a productive Avantra system.
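The linter below is an added example (not Avantra code) that reads the header keys above out of a xangui.cfg fragment and flags keys that are missing, outside the listed values, or listed but weaker than a hardened deployment wants; the plain key=value line format and the sample fragment are assumptions.

```python
"""Lint the security-header keys that AHG-S-19 allows in xangui.cfg. Added example,
not Avantra code: the key=value line format is assumed and the sample is constructed."""

# Values the guide lists for each key; CONTENT_SECURITY_POLICY is free-form.
ALLOWED = {
    "X_FRAME_OPTIONS": ("deny", "sameorigin"),
    "X_PERMITTED_CROSS_DOMAIN_POLICIES": ("none",),
    "X_CONTENT_TYPE_OPTIONS": ("nosniff",),
    "REFERRER_POLICY": ("no-referrer", "no-referrer-when-downgrade", "origin",
                        "origin-when-cross-origin", "same-origin", "strict-origin",
                        "strict-origin-when-cross-origin", "unsafe-url"),
}
# Listed values that still leak the full URL to other origins over HTTPS.
WEAK = {"REFERRER_POLICY": ("unsafe-url", "no-referrer-when-downgrade")}

SAMPLE_CFG = """\
# constructed sample xangui.cfg fragment
X_FRAME_OPTIONS=sameorigin
X_CONTENT_TYPE_OPTIONS=nosniff
REFERRER_POLICY=unsafe-url
CONTENT_SECURITY_POLICY=default-src 'self'; script-src 'self' 'unsafe-inline'
"""


def parse_cfg(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def lint_headers(cfg):
    """Return sorted (key, message) findings for missing, invalid or weak headers."""
    findings = []
    for key in list(ALLOWED) + ["CONTENT_SECURITY_POLICY"]:
        value = cfg.get(key)
        if value is None:
            findings.append((key, "missing"))
            continue
        low = value.lower()
        if key == "CONTENT_SECURITY_POLICY":
            if "'unsafe-inline'" in low or "'unsafe-eval'" in low:
                findings.append((key, "weak: permits unsafe-inline or unsafe-eval"))
        elif key == "X_FRAME_OPTIONS" and low.startswith("allow-from"):
            # allow-from is obsolete in current browsers; use CSP frame-ancestors instead.
            findings.append((key, "weak: allow-from is ignored by modern browsers"))
        elif low not in ALLOWED[key]:
            findings.append((key, "invalid value %r" % value))
        elif low in WEAK.get(key, ()):
            findings.append((key, "weak value %r" % value))
    return sorted(findings)
```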
Removing the RTM User
AHG-S-20
The RTM user is a built-in user that Avantra uses to allow access to the RTM Control Center dashboard without needing to logon.
However, as of Avantra 25.3, this user is no longer created on fresh installations.
For existing installations, when updating to 25.3, the installer will attempt to remove this user. If the user is in use, the deletion will fail. If this happens, we recommend that you manually disable and delete the RTM User account.
Recommendation
- Navigate to Administration > Users.
- Search for the user RTM.
- Ensure that it is no longer in use.
- Set the password to a strong password by clicking Change Password and then Change.
- Click Delete in the main User screen to delete the RTM user.
Avantra Agents
OS permissions for the Avantra service user(s)
AHG-A-01
It is important to ensure that the service user in use to run the Avantra OS services for Server/UI and Agent has no other permissions except for running the services. E.g. not in the administrator or SUDO group. Your user should have read, write, and execute permissions on the Avantra install directory and group membership for any other directories to which access is required.
Recommendation
Restrict the OS service user to the minimal required permission to run.
Database permissions for any database management user(s)
AHG-A-02
It is important to ensure that the service user in use to monitor and manage your managed databases has no other permissions except for what is required to successfully monitor and manage that object. E.g. no access to production schemas or to query/update data within the database.
Recommendation
Restrict the user permissions for database management to the minimal required permission to run i.e. no access to production data and no grant permissions.
Monitored system permissions for any management user(s)
AHG-A-03
It is important to ensure that the service user in use to monitor and manage your managed objects has no other permissions except for what is required to successfully monitor and manage that object.
Recommendation
Restrict the user permissions for object management to the minimal required permission to run i.e. no access to production data and no administrator rights.
Use Agents as Gateways for a multi-tenant or multi-network setup
AHG-A-04
If you serve multiple customers or you have multiple networks containing SAP systems, consider setting up one or more Agents per network to serve as a gateway. While the gateway has no security function in itself, its usage allows you to tighten firewall rules and lock down the routes of communication between the server and the remote agents.
Recommendation
Map out the network topology and employ Agents as Gateways when crossing network boundaries or to concentrate network traffic from a specific location.
Network communications and External Access
Restrict Avantra Server access to the internet
AHG-N-01
The Avantra server only needs to access the wider internet in a few situations. These situations are predictable and configurable either via outbound firewall rules in your network or by using a proxy. Common situations are listed below. The suggested endpoints can be further restricted based on your individual setup, e.g. specific regional API endpoints for a cloud provider. To completely restrict the endpoints, we recommend setting up your Avantra server, observing the outbound requests, and locking down to match those endpoints.
- Avantra Activation Server communication
  - api.avantra.com:443
- ServiceNow outbound integrations
  - *.service-now.com:443
- Integrations with cloud provider APIs (GCP, Azure, AWS, etc.)
  - GCP
    - *.googleapis.com:443
  - AWS
    - *.aws.amazon.com:443
  - Azure
    - management.azure.com:443
  - SAP
    - api.sap.com:443
    - *.hana.ondemand.com:443
    - apps.support.sap.com:443
- Mobile Application notifications via Google Firebase (GCP)
  - accounts.google.com:443
  - oauth2.googleapis.com:443
  - www.googleapis.com:443
- 3rd Party API endpoints for e.g. notifications
  - As per your own requirements
- OS Updates
  - As per your own requirements
Recommendation
Restrict outbound network connectivity based on your required scenarios and configure a proxy if required.
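As an added example (not part of the guide), the script below carries out the "observe, then lock down" step: it compares the destinations seen in a constructed egress log from the Avantra host against the allowlist above and reports anything outside it, including a known host on an unexpected port. The dst=host:port log format is an assumption; site-specific OS-update and third-party hosts are left for you to append.

```python
"""Compare observed egress from the Avantra server with the AHG-N-01 allowlist.
Added example, not Avantra tooling; the log line format is an assumption."""
import fnmatch
import re

# Allowlist from the guide; OS-update and third-party notification hosts are site-specific.
ALLOWED_EGRESS = [
    ("api.avantra.com", 443),
    ("*.service-now.com", 443),
    ("*.googleapis.com", 443),
    ("*.aws.amazon.com", 443),
    ("management.azure.com", 443),
    ("api.sap.com", 443),
    ("*.hana.ondemand.com", 443),
    ("apps.support.sap.com", 443),
    ("accounts.google.com", 443),
    ("oauth2.googleapis.com", 443),
    ("www.googleapis.com", 443),
]
DST_RE = re.compile(r"dst=(?P<host>[A-Za-z0-9.-]+):(?P<port>\d+)")

SAMPLE_LOG = """\
# constructed sample: egress log from the Avantra host, one dst=<host>:<port> per line
2024-05-01T10:00:01Z avantra-master dst=api.avantra.com:443
2024-05-01T10:00:05Z avantra-master dst=acme.service-now.com:443
2024-05-01T10:00:09Z avantra-master dst=management.azure.com:443
2024-05-01T10:01:12Z avantra-master dst=api.sap.com:80
2024-05-01T10:02:30Z avantra-master dst=updates.example.net:443
"""


def is_allowed(host, port, allowlist=ALLOWED_EGRESS):
    """True if host:port matches an allowlist entry; * matches one or more labels."""
    host = host.lower().rstrip(".")
    return any(port == p and fnmatch.fnmatchcase(host, pattern) for pattern, p in allowlist)


def unexpected_destinations(log_text, allowlist=ALLOWED_EGRESS):
    """Return the sorted, de-duplicated host:port destinations not covered by the allowlist."""
    seen = set()
    for line in log_text.splitlines():
        m = DST_RE.search(line)
        if not m:
            continue
        host, port = m.group("host"), int(m.group("port"))
        if not is_allowed(host, port, allowlist):
            seen.add("%s:%d" % (host, port))
    return sorted(seen)
```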
Restrict incoming network communications
AHG-N-02
The Avantra server requires a limited number of inbound connections. These situations are predictable and configurable either via inbound network firewall rules in your network or by using a reverse proxy or load balancer.
- Agent communications
  - TCP inbound to the server (port 9050)
- Web UI (usually 8443)
  - User Interface
    - /xn/*
  - GraphQL REST API (Mobile App)
    - /xn/api/graphql
    - /xn/api/auth/login
  - SOAP API
    - /xn/ws
Recommendation
Restrict inbound network connectivity based on your required scenarios and configure a load balancer in front of your Avantra if external access is required either directly to the UI or via the Mobile App.