Security

Network Security

Consider separating the Avantra Database from the Avantra Server (i.e. Avantra Master and Avantra UI) and installing them on two separate servers. Place the server hosting the Avantra Database into a network segment dedicated to databases, and the Avantra Server into a segment that allows user access.

Restrict communication with the Avantra Database to the Avantra Server only. You can do this by means of a network firewall. If you place the Avantra Server and the Avantra Database into the same network segment, use the host-based firewall on the Avantra Database server to restrict access instead.

Use a reverse proxy (e.g. nginx) in front of the Avantra UI. If some of your end users connect via the Internet, place the reverse proxy in a DMZ. Install an SSL/TLS certificate on the reverse proxy so that it terminates the SSL/TLS connection. This certificate should be issued by a trusted CA: if the reverse proxy is in a DMZ, this will most likely be a public CA (e.g. Let’s Encrypt); otherwise your corporate CA will do just fine.

Allow HTTPS communication to the Avantra UI only, and only from the reverse proxy. If you cannot use a network firewall for this, use a host-based firewall on the Avantra Server.
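The reverse proxy setup described above, as an added example that is not part of the Avantra documentation: a shell function that renders an nginx site configuration terminating TLS with a CA-issued certificate and forwarding to the UI's HTTPS listener on port 8443. The hostname, certificate paths and upstream address are assumptions.

```shell
#!/bin/sh
# Added example (not from the Avantra documentation): render an nginx site
# configuration that terminates TLS for the Avantra UI and forwards requests
# to the UI's own HTTPS listener on port 8443.
# Hostnames, certificate paths and the upstream address are assumptions.

# Usage: render_avantra_proxy_conf <public_hostname> <upstream_host>
render_avantra_proxy_conf() {
    public_host="$1"     # name on the CA-issued certificate, e.g. avantra.example.com
    upstream_host="$2"   # Avantra Server address, reachable on 8443 only from this proxy
    cat <<EOF
# Plain HTTP is only redirected; the UI itself is never exposed over HTTP.
server {
    listen 80;
    server_name ${public_host};
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name ${public_host};

    # Certificate from a trusted CA (a public CA when the proxy sits in a DMZ).
    ssl_certificate     /etc/nginx/tls/${public_host}.crt;
    ssl_certificate_key /etc/nginx/tls/${public_host}.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # The UI listens on HTTPS/8443 and accepts connections from this proxy only.
        proxy_pass https://${upstream_host}:8443;
        # nginx does not verify the upstream certificate by default; once the UI
        # certificate's CA is known, add proxy_ssl_verify on and
        # proxy_ssl_trusted_certificate to pin that hop as well.
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Write the rendered configuration to a file for review before enabling it.
write_avantra_proxy_conf() {
    render_avantra_proxy_conf "$1" "$2" > "$3"
}
```

Review the file, then enable it and run `nginx -t` before reloading.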

If you serve multiple customers, i.e. you have multiple networks containing SAP systems or other systems you manage with Avantra, consider setting up one or more Agents per customer network to serve as a gateway. The gateway has no security function in itself, but using one allows you to tighten your firewall rules.

Operating System Security

Use a commercially backed Linux distribution, like Red Hat Enterprise Linux, SUSE Linux Enterprise Server, Amazon Linux 2, CentOS, or Ubuntu. Make sure you follow your company’s patching policy; if there is none, make sure security patches are applied regularly.

Avantra Server

Use a dedicated OS user to run the Avantra Server components. Follow your company’s naming convention or (if there is none) name the user avantra.

Install the application to /opt/avantra.

This is a different OS user name and installation location than the ones used in Installing the Avantra Server in the Product Guide; the choice here follows the Filesystem Hierarchy Standard.

Configure the Avantra UI to listen for HTTPS on an unprivileged port (e.g. 8443). Avoid using HTTP.

Allow SSH access to this user from trusted devices, preferably only using SSH keys. Activate the host-based firewall and allow connections to the following ports only:

Table 1. Avantra Server Incoming Ports

Protocol  Port  Origin                           Purpose
HTTPS     8443  Reverse Proxy                    User communication
TCP       9050  Avantra Agents                   Agent communication
SSH       22    Avantra administrator’s devices  Server maintenance
HTTPS     9058  Avantra administrator’s devices  Avantra Master troubleshooting

Avantra Database

Use your standard operating system package management to install PostgreSQL. Avantra currently supports the following versions: 9.6.x, 10.x, 11.x.

Follow the instructions to initialize the database cluster and to have it automatically started at system boot.

Configure listen_addresses to an appropriate IP interface for the Avantra Server to connect to (see Connections and Authentication).

Restrict access in the pg_hba.conf file to the Avantra Server.

Create a dedicated database user avantra using the createuser command and make sure it has permissions to create databases (i.e. --createdb option).

Use the installed PostgreSQL database cluster only for Avantra and do not share it with other applications. The permission to create databases is a powerful privilege, but it is required to install the Avantra Database and to update the database schema automatically.
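The database restrictions from the steps above (listen_addresses, pg_hba.conf and the dedicated avantra role), as an added example that is not part of the Avantra documentation: one function renders the two configuration fragments, the other audits an existing pg_hba.conf for entries that would widen access again. IP addresses and file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the Avantra documentation): emit the PostgreSQL
# settings that restrict the Avantra Database to the Avantra Server, and
# audit an existing pg_hba.conf for entries that undo that restriction.
# The IP addresses and file paths are assumptions for illustration.
#
# Role creation, run as the postgres OS user (the --createdb option is the
# permission the text above requires):  createuser --createdb --pwprompt avantra

# Usage: render_pg_access <db_listen_ip> <avantra_server_ip>
# Prints a postgresql.conf fragment followed by a matching pg_hba.conf fragment.
render_pg_access() {
    db_ip="$1"
    server_ip="$2"
    cat <<EOF
# postgresql.conf: listen only on the interface the Avantra Server reaches
listen_addresses = '${db_ip}'

# pg_hba.conf: the avantra role, from the Avantra Server only, authenticated
# with SCRAM rather than a cleartext password or trust
# TYPE  DATABASE  USER     ADDRESS          METHOD
local   all       postgres                  peer
host    all       avantra  ${server_ip}/32  scram-sha-256
EOF
}

# Usage: audit_pg_hba <pg_hba.conf>
# Prints every host rule that is too permissive and returns 1 if any was found.
audit_pg_hba() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    awk '
        $1 ~ /^host/ {
            bad = 0
            if ($5 == "trust" || $5 == "password") bad = 1   # no or cleartext auth
            if ($4 == "0.0.0.0/0" || $4 == "::/0" || $4 == "all") bad = 1  # any client
            if (bad) { print "permissive: " $0; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}
```

Run the audit against the live pg_hba.conf after every database upgrade, since package upgrades can ship a new default file.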

Allow SSH access to this user from trusted devices, preferably only using SSH keys. Activate the host-based firewall and allow connections to the following ports only:

Table 2. Avantra Database Incoming Ports

Protocol  Port  Origin                    Purpose
TCP       5432  Avantra Server            Database communication
SSH       22    DB administrators’ devices  Server maintenance

Avantra Agent

The operating system security considerations for servers running the Avantra Agents will most likely be imposed by the hosted SAP applications. That will usually be just fine. However, there are a few more requirements to keep in mind:

The Avantra Agent runs a listener on port 9051, hence your host-based firewall (and/or your network firewall) must be configured to pass the following communication:

Table 3. Avantra Agent Incoming Ports

Protocol  Port  Origin                        Purpose
TCP       9051  Avantra Server                Database communication
SSH       22    Agent administrators’ devices  Server maintenance
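The host-based firewall rules that Tables 1 to 3 above call for (Avantra Server, Avantra Database and Avantra Agent), as one added example that is not part of the Avantra documentation: a shell function that renders an nftables ruleset for a given host role, with a default drop policy, so that only the listed origins can reach the listed ports. The network ranges are assumptions passed in by the caller; the example is IPv4 only.

```shell
#!/bin/sh
# Added example (not from the Avantra documentation): render an nftables
# ruleset implementing the incoming-port tables above (Tables 1 to 3) for one
# host role. Everything else inbound is dropped. Network ranges are
# assumptions supplied by the caller; IPv4 only.
#
# Usage: avantra_nft_rules <server|database|agent> <ADMIN_NET> <PEER_NET> [PROXY_IP]
#   ADMIN_NET  administrators' devices: SSH/22 on every role, plus 9058 on the Server
#   PEER_NET   the component that must reach this host: the Agents for the
#              Server (9050), the Server for the Database (5432) and the Agent (9051)
#   PROXY_IP   the reverse proxy, the only origin allowed to reach the UI on 8443
avantra_nft_rules() {
    role="$1"; admin_net="$2"; peer_net="$3"; proxy_ip="$4"
    # "proto port origin" triplets per role, taken from the tables above
    case "$role" in
        server)
            [ -n "$proxy_ip" ] || { echo "server role needs PROXY_IP" >&2; return 2; }
            spec="tcp 8443 $proxy_ip tcp 9050 $peer_net tcp 9058 $admin_net" ;;
        database) spec="tcp 5432 $peer_net" ;;
        agent)    spec="tcp 9051 $peer_net" ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    printf 'table inet avantra_%s {\n' "$role"
    printf '    chain input {\n'
    printf '        type filter hook input priority 0; policy drop;\n'
    printf '        ct state established,related accept\n'
    printf '        iif lo accept\n'
    # Server maintenance: SSH from administrators' devices only (all three tables)
    printf '        ip saddr %s tcp dport 22 accept\n' "$admin_net"
    set -- $spec
    while [ $# -ge 3 ]; do
        printf '        ip saddr %s %s dport %s accept\n' "$3" "$1" "$2"
        shift 3
    done
    printf '    }\n}\n'
}
```

Save the output to a file and check it with `nft -c -f <file>` before loading it with `nft -f`, so a syntax error cannot leave the host without a ruleset.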

The Agent itself communicates with the SAP application servers, databases, and other applications it manages. This communication happens by means of TCP connections as well as by accessing data on the local (or even remote) file systems.

Unix OS User and Installation Path

There is a trade-off in the choice of the OS user to run the Avantra Agent. From a pure security perspective you should consider the same guidance as described in Avantra Server. This should also be your preferred way for servers not hosting any SAP applications.

From an integration perspective, it could be much easier to run the Avantra Agent under the <sid>adm OS user, where <sid> is the System Identifier of an SAP application server hosted on the same server.

User Security

Consider integrating Avantra with your Active Directory and/or use SAML to handle login through an Identity Provider. Try mapping Groups and Roles in Avantra to Active Directory groups or SAML attributes. You may also choose to automatically create users during the login attempt.