Avantra Hardening Guide
We strongly recommend regularly reviewing your Avantra installation landscape and applying appropriate hardening measures. Each enterprise or managed service provider has its own approach to system hardening and our recommendations should be appended to those approaches.
The items mentioned in this guide are designed to be appended to your existing hardening practices. This is not a complete system hardening guide.
This guide will be updated periodically and should be regularly reviewed by your operations team and security experts to ensure you continue to run a hardened environment.
Avantra Server
Secure the WebUI port and bind address
AHG-S-01
By default, Avantra can be configured to use HTTP or HTTPS. In a production environment, we strongly recommend that your WebUI (XANGUI) configuration uses the secure port via HTTPS. You can also specify the TLS cipher suites permitted for web UI communication (see AHG-S-11). Finally, in a multi-network setup with multiple interfaces, ensure that your WebUI is only reachable on the required interface.
- Enable the HTTPS (secure) port in your installation on an unprivileged port (e.g. 8443).
- Avoid using HTTP.
- Bind the Avantra WebUI to only the required network interface.
- Within the Avantra server settings, bind the Avantra server to only the required network interface ("Administration" → "Settings" → "Avantra Master" → "Network.bind-address").
Disable HTTP completely or redirect HTTP to HTTPS
AHG-S-02
By default, Avantra can be configured to use HTTP or HTTPS. In a production environment, we strongly recommend that any insecure (HTTP) requests to your Web UI are dropped or, at least, auto-redirected to the secure version (HTTPS). Bear in mind that a redirect still lets a client send its first request (including any cookie or credential it chooses to attach) in clear text, so disabling HTTP is the stronger option.
Disable the HTTP port by removing it from the configuration file. If it must remain enabled, enable redirection of HTTP to HTTPS by default.
X.509 Web Certificate
AHG-S-03
By default, Avantra comes with a pre-installed X.509 certificate with the common name "xandria". Because this certificate and its private key ship with every installation, it gives no assurance of server identity and cannot protect against an active attacker on the network. In all cases we strongly recommend you replace it with your own X.509 server certificate to secure all web interface communications.
Replace the default X.509 certificate with your own CA-signed certificate, and make sure the certificate's subject or subject alternative name matches the hostname that users and agents actually connect to.
OS permissions for the Avantra services user
AHG-S-04
It is important to ensure that the service user used to run the Avantra OS services for Server/UI and Agent has no permissions beyond those needed to run the services, e.g. it must not be a member of the administrator or sudo group. The user should have read, write, and execute permissions on the Avantra install directory and group membership for any other directories to which access is required.
Please note, we strongly discourage the use of root as the Avantra agent OS user. Instead, work with sudo to allow-list only the commands required. E.g. if you plan to automate OS patching on Unix, allow the service user to run only that command (with its fixed arguments) via sudo rather than adding them to the sudoers |
Restrict the OS service user to the minimal permissions required to run.
OS Hardening
AHG-S-05
We strongly recommend utilizing the operating system hardening guide as provided by your operating system provider e.g. SUSE, RHEL, Windows, or other. These guides will cover topics such as firewalls, audit logs, and more.
Frequently review the OS hardening guide for your chosen OS and implement its recommendations.
User authentication
AHG-S-06
Avantra supports the configuration of external identity providers via SAML or Active Directory. We recommend using an external identity provider as it allows for tight integration into corporate systems for processes such as Joiners, Movers, and Leavers (JML) as well as supporting two-factor authentication (2FA). We strongly encourage using concepts such as 2FA via an external identity provider. Keep the number of remaining local accounts (for break-glass access) to a minimum and subject them to the password policy and lockout settings described in AHG-S-13 and AHG-S-16.
Configure an external identity provider, ideally with 2FA enabled.
OS-level code execution for managed systems
AHG-S-07
Avantra is designed as a complete management platform that includes powerful features that allow for the execution of scripts and commands on remote systems for automation. Depending on your environment you may not want to allow the execution of OS-level commands in your environment.
Apply hardening recommendation AHG-A-01 to restrict the permissions of the OS user that runs the Agent service. This user should ONLY be able to run the agent and the specific scripts or commands your scenarios require; this limits what any command execution through Avantra can do on the managed system.
Optional extra hardening for validated environments that require a complete lock-down: you can switch off any capability to execute OS-level commands in the Avantra server settings. Bear in mind that this is a global flag and removes the automation capabilities that depend on it. The flag is called "Security.EnableOSCodeExec" and can be found under "Administration" → "Settings" → "Master".
Database write-query execution for managed systems
AHG-S-08
Avantra is designed as a complete management platform that includes powerful features that allow for the execution of queries and commands on remote databases (as part of checks or automation). Depending on your environment you may not want to allow the execution of write-capable SQL commands in your environment.
Apply hardening recommendation AHG-A-02 to restrict the permissions of the database user used to monitor your managed database objects. This user should ONLY have the permissions required for your specific scenarios (usually read-only, and no access to production data); this limits what any query executed through Avantra can do.
Optional extra hardening for validated environments that require a complete lock-down: you can switch off any capability to execute database write commands in the Avantra server settings. Bear in mind that this is a global flag and removes the automation capabilities that depend on it. The flag is called "Security.RUNJSAllowDBWrite" and can be found under "Administration" → "Settings" → "Master".
Restrict permissions on Avantra files
AHG-S-09
Your Avantra installation should be protected from other users of your OS. The only user requiring access to read, write or execute Avantra files should be the Avantra service user running your OS services.
Ensure that the permissions within the Avantra installation directory are restricted for groups and other users.
If it is not possible to limit access to the Avantra directory, be sure to restrict ownership to the credential encryption key |
# Replace <avantraOSuser> and <avantraOSGroup> with the Avantra service user and group
sudo chown -R <avantraOSuser>:<avantraOSGroup> /opt/avantra
sudo chmod -R go-rwx /opt/avantra
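The chown/chmod pair above sets the baseline but does not tell you what it missed: chmod go-rwx leaves setuid/setgid bits in place, and files later recreated by another user (e.g. during a support session) silently reopen the directory. The following script, an added example and not Avantra tooling, applies the baseline and then lists everything under the install directory that is still reachable by group or other, owned by someone else, or setuid/setgid. It assumes GNU find, the /opt/avantra path used above, and a service user and group both named "avantra"; adjust those to your installation.

```shell
#!/bin/sh
# Added example (not Avantra tooling): audit the Avantra install directory for
# AHG-S-09. Assumes GNU find; the path and user/group below are assumptions.
AVANTRA_DIR="${AVANTRA_DIR:-/opt/avantra}"
AVANTRA_USER="${AVANTRA_USER:-avantra}"
AVANTRA_GROUP="${AVANTRA_GROUP:-avantra}"

# Print every path under $1 that is not owned by $2:$3, has any group/other
# permission bit, or carries a setuid/setgid bit. Works on any directory, so
# it can be exercised on a scratch tree before running it against /opt/avantra.
exposed_entries() {   # $1=dir $2=user $3=group
    find "$1" \( ! -user "$2" -o ! -group "$3" -o -perm /077 -o -perm /6000 \) -print 2>/dev/null | sort
    return 0
}

# Apply the guide's owner/permission baseline, then report what still deviates.
harden_install_dir() {
    chown -R "$AVANTRA_USER:$AVANTRA_GROUP" "$AVANTRA_DIR"
    chmod -R go-rwx "$AVANTRA_DIR"
    left=$(exposed_entries "$AVANTRA_DIR" "$AVANTRA_USER" "$AVANTRA_GROUP")
    if [ -n "$left" ]; then
        echo "still exposed (setuid/setgid bits survive chmod go-rwx; check each entry):"
        printf '%s\n' "$left"
        return 1
    fi
    echo "OK: $AVANTRA_DIR is reachable only by $AVANTRA_USER"
}

# Run as root:  sh audit_avantra_dir.sh --harden
if [ "${1:-}" = "--harden" ]; then harden_install_dir; fi
```

Schedule exposed_entries (without the --harden step) as a periodic check so that a file created by another account after the initial hardening is noticed rather than assumed away.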
Secure communications between the UI and server
AHG-S-10
Avantra supports HTTPS communication between the UI and the server. For most customers this is not a concern, as the UI usually resides on the same host as the server and so all communication stays on that host. However, you can set Avantra to use the secure communications option a5s (HTTPS) instead of a5 (HTTP). The flags are called "Network.master-ui-protocol" and "ui-master-protocol" and can be found under "Administration" → "Settings" → "Avantra Master" and "Administration" → "Settings" → "Avantra UI" respectively. If the UI and the server run on different hosts, treat a5s as mandatory, since the traffic then crosses the network.
Please note, switching to a5s for communication between your server and UI (if your UI and server are on the same host) may have a small impact on performance owing to the HTTPS overhead. While this is generally not an issue with modern system sizes and resources, it is worth being aware of.
Set the flag "Network.master-ui-protocol" to a5s in the Avantra server settings under "Administration" → "Settings" → "Avantra Master". Set the flag "ui-master-protocol" to a5s in the Avantra UI server settings under "Administration" → "Settings" → "Avantra UI".
Set TLS cipher suites and protocols
AHG-S-11
Avantra supports TLS versions 1.0 through 1.3 for agent communications, and each version can be enabled or disabled according to your organizational policies. We encourage customers to configure these settings to match corporate policies; at a minimum, disable TLS 1.0 and 1.1, which are deprecated (RFC 8996), and restrict the cipher suites to forward-secret AEAD suites.
Set the flags "Network.tls-cipher-suites" and "Network.tls-enabled-client-protocols" to appropriate values in the Avantra server settings under "Administration" → "Settings" → "Master". After changing them, confirm from a client that the disabled protocol versions are actually refused.
Reduce log level
AHG-S-12
Avantra has six different log levels:
- Trace
- Debug
- Info
- Warning
- Error
- Fatal
Unless needed for support or problem-solving purposes, we recommend running with the minimal log level to reduce the information captured in your log files at the OS level. Lowering the log level also reduces the forensic detail available on the host, so keep the Logbook (AHG-S-17) enabled so that user actions remain auditable.
- Set the flag "global.log-level" to "OFF" in the Avantra server settings under "Administration" → "Settings" → "Avantra Master".
- Set the flag "LogLevel" to "Fatal" in the Avantra UI server settings under "Administration" → "Settings" → "Avantra UI".
- On your agents, set the monitoring parameter "TraceLevel" to 0 to turn off agent logging.
Failed login attempt restrictions
AHG-S-13
By default, Avantra will lock a user account after 3 failed login attempts for a period of 5 minutes. This behavior can be changed to match your organizational requirements using the flags below in the Avantra UI server settings under "Administration" → "Settings" → "Avantra UI".
- logon.lockTimeMinutes
- logon.maxFailedLoginTries
Match the values for the above flags to your organization's requirements. Bear in mind that account lockout can be turned into a denial of service against legitimate users (an attacker only needs to know the username), so choose a lock time that slows down password guessing without locking operators out for long periods.
Disable browser credential caching
AHG-S-14
By default, Avantra can use a "remember me" option at login to allow users to speed up future login attempts. This behavior can be disabled to prevent misuse using the flag "remember-me" under the Avantra UI server settings under "Administration" → "Settings" → "Avantra UI".
Set the flag "remember-me" to "no" under the Avantra UI server settings under "Administration" → "Settings" → "Avantra UI".
Disable password reset processes
AHG-S-15
By default, Avantra has a password reset function enabled for local accounts, via an email sent to the user. To disable this, use the flag "reset-password" in the Avantra UI server settings under "Administration" → "Settings" → "Avantra UI". Note that this disables all password resets for local accounts, including administrator accounts, so make sure an out-of-band recovery procedure exists before switching it off.
Set the flag "reset-password" to "no" under the Avantra UI server settings under "Administration" → "Settings" → "Avantra UI".
Set a default password policy for local accounts
AHG-S-16
Avantra can mandate complex password use for local Avantra accounts (as opposed to Identity provider accounts) and this is configurable within the Avantra UI. You can find this under "Administration" → "Settings" → "Password Policy".
Set the appropriate Password Policy to match your organizational requirements.
Review the Avantra Logbook settings
AHG-S-17
The Avantra logbook keeps a record of all activity within your Avantra system and is very useful when undertaking audits and clarifying who completed actions. It is enabled by default but the settings should be verified to match your organizational requirements.
Review and update the Avantra Logbook settings under "Administration" → "Settings" → "Logbook".
Disable the Avantra Server statistics Web page
AHG-S-18
The Avantra server has a statistics and server-health overview webpage enabled on port 9058. This page gives you information about the health of your Avantra server such as DB connection pool info, JVM heap sizes, remote connection to managed agents, and much more. This web server is hosted directly by the Avantra service independent of the Avantra UI (XANGUI). In a hardened environment, this web service should be disabled unless needed for support purposes.
Disable the web service on this port by setting the flag "Web.http-server" to "off" under "Administration" → "Settings" → "Avantra Master". If it must stay enabled for support, block port 9058 at the host firewall so it is reachable only from localhost.
Apply secure web application headers
AHG-S-19
In the Avantra web application, you can add specific security headers to the configuration file; they protect against clickjacking, cross-site scripting (XSS), MIME sniffing and similar browser-side attacks. Note that current browsers no longer honour the allow-from variant of X-Frame-Options; prefer deny or sameorigin, or express framing rules with a Content-Security-Policy frame-ancestors directive instead.
The following configurations can be set in xangui.cfg:
X_FRAME_OPTIONS=deny|sameorigin|allow-from
CONTENT_SECURITY_POLICY=...
X_PERMITTED_CROSS_DOMAIN_POLICIES=none
X_CONTENT_TYPE_OPTIONS=nosniff
REFERRER_POLICY=no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url
For more information about the values that |
This setting could cause the issues with SAML and UI timeout, therefore, it must be explicitly defined in |
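Each of the web-facing controls above (HTTPS only and no plain HTTP in AHG-S-01/02, the replaced "xandria" certificate in AHG-S-03, the protocol restrictions in AHG-S-11 and the headers in AHG-S-19) can be verified from a client without reading the Avantra configuration. The script below is an added example, not Avantra tooling. It assumes the hostname avantra.example.internal, HTTPS on 8443 and plain HTTP on 8080 (the HTTP port is an assumption; use whatever your configuration file lists), and needs openssl and curl. The parsing helpers work on text, so they can also be run over saved output.

```shell
#!/bin/sh
# Added example: external probe of the Avantra WebUI for AHG-S-01/02/03/11/19.
# Not Avantra tooling. The values below are assumptions; adjust to your installation.
HOST="${HOST:-avantra.example.internal}"   # assumed hostname
HTTPS_PORT="${HTTPS_PORT:-8443}"           # secure port from AHG-S-01
HTTP_PORT="${HTTP_PORT:-8080}"             # assumed plain-HTTP port, if still configured

# --- pure helpers: take text, return 0/1, so they can be checked offline ---

# 0 if an `openssl x509 -noout -subject` line still carries the factory CN "xandria".
is_default_cert_subject() {
    printf '%s\n' "$1" | grep -Eiq '(^|[ ,/=])CN ?= ?xandria([ ,/]|$)'
}

# 0 if an HTTP status line is a redirect and its Location points to https://.
is_https_redirect() {   # $1=status line  $2=Location value
    case "$1" in *" 301 "*|*" 302 "*|*" 307 "*|*" 308 "*) ;; *) return 1 ;; esac
    case "$2" in https://*) return 0 ;; *) return 1 ;; esac
}

# 0 if `openssl s_client` output shows a completed handshake; "(NONE)" means refused.
handshake_succeeded() {
    case "$1" in *"Cipher is (NONE)"*) return 1 ;; *"Cipher is "*) return 0 ;; esac
    return 1
}

# Print the AHG-S-19 headers that are absent from a raw response-header block.
missing_security_headers() {
    for h in X-Frame-Options Content-Security-Policy X-Content-Type-Options \
             Referrer-Policy X-Permitted-Cross-Domain-Policies; do
        printf '%s\n' "$1" | grep -qi "^$h:" || printf '%s\n' "$h"
    done
    return 0
}

# --- network probes ---
probe_certificate() {
    subj=$(openssl s_client -connect "$HOST:$HTTPS_PORT" -servername "$HOST" </dev/null 2>/dev/null \
           | openssl x509 -noout -subject 2>/dev/null)
    if is_default_cert_subject "$subj"; then echo "FAIL AHG-S-03: factory certificate still installed ($subj)"
    else echo "OK   AHG-S-03: $subj"; fi
}

probe_legacy_tls() {   # TLS 1.0 and 1.1 must be refused by the server
    for v in tls1 tls1_1; do
        out=$(openssl s_client -connect "$HOST:$HTTPS_PORT" -servername "$HOST" "-$v" </dev/null 2>&1)
        if handshake_succeeded "$out"; then echo "FAIL AHG-S-11: server accepts $v"
        else echo "OK   AHG-S-11: $v refused"; fi
    done
}

probe_http() {   # plain HTTP should be closed, or at least redirect to HTTPS
    resp=$(curl -sS -o /dev/null -D - --max-time 5 "http://$HOST:$HTTP_PORT/xn/" 2>/dev/null) \
        || { echo "OK   AHG-S-02: HTTP port $HTTP_PORT not answering"; return 0; }
    status=$(printf '%s\n' "$resp" | head -n1 | tr -d '\r')
    loc=$(printf '%s\n' "$resp" | awk 'tolower($1)=="location:" {print $2}' | tr -d '\r')
    if is_https_redirect "$status" "$loc"; then echo "OK   AHG-S-02: HTTP redirects to $loc"
    else echo "FAIL AHG-S-02: HTTP answered '$status' without redirecting to HTTPS"; fi
}

probe_headers() {   # -k because an internal CA is usual here; verify the chain separately
    hdrs=$(curl -skI --max-time 5 "https://$HOST:$HTTPS_PORT/xn/")
    miss=$(missing_security_headers "$hdrs")
    if [ -n "$miss" ]; then echo "WARN AHG-S-19: missing headers: $(printf '%s' "$miss" | tr '\n' ' ')"
    else echo "OK   AHG-S-19: all security headers present"; fi
}

# Usage:  sh probe_webui.sh --probe
if [ "${1:-}" = "--probe" ]; then
    probe_certificate; probe_legacy_tls; probe_http; probe_headers
fi
```

Run it from a host that represents a normal user's network position, not from the Avantra server itself, so that bind-address and firewall restrictions (AHG-S-01, AHG-N-02) are exercised as well as the TLS configuration.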
Avantra Agents
OS permissions for the Avantra service user(s)
AHG-A-01
It is important to ensure that the service user used to run the Avantra OS services for Server/UI and Agent has no permissions beyond those needed to run the services, e.g. it must not be a member of the administrator or sudo group. The user should have read, write, and execute permissions on the Avantra install directory and group membership for any other directories to which access is required.
Restrict the OS service user to the minimal permissions required to run.
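AHG-S-04 and AHG-A-01 both come down to two checks on the service account (no UID 0, no privileged group or blanket sudo grant) plus the narrow sudoers entry that AHG-S-04 recommends instead of root. The script below is an added example, not Avantra tooling; it assumes a service user named "avantra" and uses /usr/bin/zypper --non-interactive patch as the single allow-listed command from the OS-patching scenario. Both names are placeholders for your own values.

```shell
#!/bin/sh
# Added example (not Avantra tooling): audit the OS account that runs an Avantra
# service for AHG-S-04 / AHG-A-01 and render the narrow sudoers grant the guide
# prefers over root or sudo-group membership. Assumed: user "avantra" and the
# patch command /usr/bin/zypper --non-interactive patch; adjust both.

# Groups that hand out root-equivalent power on common distributions.
PRIV_GROUPS="root wheel sudo admin adm disk shadow docker lxd"

# Print the privileged groups contained in a space-separated group list
# (the output of `id -nG <user>`). Pure text function, testable offline.
privileged_groups_in() {
    for g in $1; do
        for p in $PRIV_GROUPS; do
            [ "$g" = "$p" ] && printf '%s\n' "$g"
        done
    done
    return 0
}

# Render a sudoers fragment granting exactly one command line. Fixing the
# arguments in sudoers stops the user from running e.g. an interactive
# `zypper shell` with the same binary.
render_sudoers() {   # $1=user  $2=absolute command with its arguments
    case "$2" in
        /*) ;;
        *) echo "refusing relative command '$2': sudoers must use absolute paths" >&2; return 1 ;;
    esac
    printf '# %s may run only this command as root; no shell, no editors, no wildcards\n' "$1"
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# Check a real account: not UID 0, not in a privileged group, no sudo "(ALL" grant.
audit_service_user() {   # $1=user
    user=$1; rc=0
    uid=$(id -u "$user" 2>/dev/null) || { echo "FAIL: user $user does not exist"; return 1; }
    [ "$uid" -eq 0 ] && { echo "FAIL: $user is UID 0"; rc=1; }
    bad=$(privileged_groups_in "$(id -nG "$user")")
    [ -n "$bad" ] && { echo "FAIL: $user is in privileged group(s): $(printf '%s' "$bad" | tr '\n' ' ')"; rc=1; }
    # `sudo -l -U` needs root; a grant like "(ALL) ALL" or "(ALL : ALL)" is too broad.
    if command -v sudo >/dev/null 2>&1 && sudo -n -l -U "$user" 2>/dev/null | grep -q '(ALL'; then
        echo "FAIL: $user has an unrestricted sudo grant"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $user is not UID 0 and has no privileged group or broad sudo grant"
    return "$rc"
}

# Usage (as root):  sh audit_service_user.sh --audit avantra "/usr/bin/zypper --non-interactive patch"
if [ "${1:-}" = "--audit" ]; then
    audit_service_user "${2:-avantra}"
    # Review the fragment, then: visudo -c -f <file> && install -m 0440 <file> /etc/sudoers.d/avantra
    render_sudoers "${2:-avantra}" "${3:-/usr/bin/zypper --non-interactive patch}"
fi
```

Keep the allow-listed command free of wildcards and shell metacharacters, and prefer a wrapper script owned by root over a general-purpose tool when the tool itself can spawn a shell.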
Database permissions for any database management user(s)
AHG-A-02
It is important to ensure that the service user used to monitor and manage your managed databases has no permissions beyond what is required to successfully monitor and manage that object, e.g. no access to production schemas and no ability to query or update data within the database.
Restrict the database management user to the minimal permissions required, i.e. no access to production data and no grant permissions.
Monitored system permissions for any management user(s)
AHG-A-03
It is important to ensure that the service user used to monitor and manage your managed objects has no permissions beyond what is required to successfully monitor and manage that object.
Restrict the object management user to the minimal permissions required, i.e. no access to production data and no administrator rights.
Use Agents as Gateways for a multi-tenant or multi-network setup
AHG-A-04
If you serve multiple customers or you have multiple networks containing SAP systems, consider setting up one or more Agents per network to serve as a gateway. While the gateway has no security function in itself, its usage allows you to tighten firewall rules and lock down the routes of communication between the server and the remote agents.
Map out the network topology and employ Agents as Gateways when crossing network boundaries or to concentrate network traffic from a specific location.
Network communications & External Access
Restrict Avantra Server access to the internet
AHG-N-01
The Avantra server only needs to reach the wider internet in a few situations. These situations are predictable and can be controlled either via outbound firewall rules in your network or by using a proxy. Common situations are listed below. The suggested endpoints can be further restricted based on your individual setup, e.g. to the specific regional API endpoints of a cloud provider. To restrict the endpoints completely, we recommend setting up your Avantra server, observing its outbound requests, and locking egress down to match those endpoints. Note that wildcard entries cannot be expressed as IP-based firewall rules; handle those through a proxy with a domain allow-list.
- Avantra Activation Server communication
  - api.avantra.com:443
- ServiceNow outbound integrations
  - *.service-now.com:443
- Integrations with cloud provider APIs (GCP, Azure, AWS, etc.)
  - GCP
    - *.googleapis.com:443
  - AWS
    - *.aws.amazon.com:443 (note that the AWS service APIs themselves are served from *.amazonaws.com, e.g. regional endpoints such as ec2.<region>.amazonaws.com, so confirm the exact endpoints by observing traffic)
  - Azure
    - management.azure.com:443
  - SAP
    - api.sap.com:443
    - *.hana.ondemand.com:443
    - apps.support.sap.com:443
- Mobile Application notifications via Google Firebase
  - accounts.google.com:443
  - oauth2.googleapis.com:443
  - www.googleapis.com:443
- 3rd party API endpoints, e.g. for notifications
  - As per your own requirements
- OS updates
  - As per your own requirements
Restrict outbound network connectivity based on your required scenarios and configure a proxy if required.
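The "observe the outbound requests, then lock down" step above is easier with a repeatable comparison than with ad-hoc reading of connection tables. The script below is an added example, not Avantra tooling: it snapshots the established outbound TCP peers of the Avantra server's sockets and prints those that are not covered by a resolved allow-list. It assumes Linux with iproute2 ss and getent, that the server runs as OS user "avantra" (not root, since ss -e only reports the uid for non-root sockets), and uses a three-entry subset of the AHG-N-01 list plus one wildcard as the allow-list; all of these are placeholders for your own values.

```shell
#!/bin/sh
# Added example (not Avantra tooling): compare the Avantra server's established
# outbound peers with an allow-list so egress rules can be tightened to what is
# actually used (AHG-N-01). Assumed: Linux, iproute2 `ss`, `getent`, and a
# service user "avantra"; the allow-list below is a placeholder subset.
AVANTRA_USER="${AVANTRA_USER:-avantra}"

# Allow-list in host:port form. Wildcards cannot be pinned to IPs; route those
# through a proxy with a domain allow-list, and this script flags them for you.
ALLOW="api.avantra.com:443
management.azure.com:443
apps.support.sap.com:443
*.service-now.com:443"

# Resolve host:port entries to ip:port lines (IPv4 and IPv6).
resolve_allowlist() {
    printf '%s\n' "$1" | while IFS=: read -r host port; do
        case "$host" in
            '') continue ;;
            \**) echo "NOTE: $host:$port is a wildcard; allow it on the proxy, not by IP" >&2; continue ;;
        esac
        getent ahosts "$host" | awk -v p="$port" '{ print $1 ":" p }' | sort -u
    done
}

# Current peers of the service user's sockets as ip:port (IPv6 brackets stripped).
observe_peers() {
    uid=$(id -u "$AVANTRA_USER") || return 1
    ss -tneH state established 2>/dev/null \
        | awk -v u="uid:$uid" '$0 ~ (u "([^0-9]|$)") { gsub(/[\[\]]/, "", $4); print $4 }'
}

# Pure: read ip:port peers on stdin, print the ones absent from the resolved list in $1.
unexpected_peers() {
    sort -u | while read -r peer; do
        printf '%s\n' "$1" | grep -qxF -- "$peer" || printf '%s\n' "$peer"
    done
    return 0
}

# Usage:  sh observe_egress.sh --observe   (repeat over a full operational cycle)
if [ "${1:-}" = "--observe" ]; then
    allowed=$(resolve_allowlist "$ALLOW")
    observe_peers | unexpected_peers "$allowed"
fi
```

Run it repeatedly over a period that includes scheduled jobs (activation checks, cloud API polling, notification bursts), since a single snapshot only shows what is connected at that moment; anything it reports is either a missing allow-list entry or traffic worth investigating.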
Restrict incoming network communications
AHG-N-02
The Avantra server requires a limited number of inbound connections. These situations are predictable and can be controlled either via inbound firewall rules in your network or by using a reverse proxy or load balancer.
- Agent communications
  - TCP inbound to the server (port 9050)
- Web UI (usually 8443)
  - User Interface
    - /xn/*
  - GraphQL API (Mobile App)
    - /xn/api/graphql
    - /xn/api/auth/login
  - SOAP API
    - /xn/ws
Restrict inbound network connectivity based on your required scenarios, and place a load balancer or reverse proxy in front of your Avantra server if external access is required, either directly to the UI or via the Mobile App. If only the Mobile App needs to be reachable from outside, expose just the GraphQL and login paths listed above on the proxy and keep /xn/* and /xn/ws internal.
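On the server host itself, the inbound list above translates into a short default-deny ruleset: the agent port from the networks where agents live, the WebUI port from operator networks and from the reverse proxy, and nothing else, including the statistics page from AHG-S-18. The following script is an added example, not Avantra tooling; it renders such a ruleset for nftables and loads it only after a syntax check. The ports are the 9050 and 8443 values from this guide, while the network ranges are placeholders you must replace with your own.

```shell
#!/bin/sh
# Added example (not Avantra tooling): nftables input policy for the server side
# of AHG-N-02. Ports are from the guide; the network ranges are placeholders.
AGENT_NETS="${AGENT_NETS:-10.10.0.0/16, 10.20.0.0/16}"   # assumed: where managed agents live
ADMIN_NETS="${ADMIN_NETS:-192.0.2.0/24}"                   # assumed: operator workstations
PROXY_NETS="${PROXY_NETS:-198.51.100.0/24}"                # assumed: reverse proxy / LB for the mobile app
AGENT_PORT="${AGENT_PORT:-9050}"
WEB_PORT="${WEB_PORT:-8443}"

# Print the ruleset; keeping it in a function lets you diff it against what is loaded.
render_ruleset() {
cat <<EOF
table inet avantra {
  set agent_nets { type ipv4_addr; flags interval; elements = { $AGENT_NETS } }
  set ui_nets    { type ipv4_addr; flags interval; elements = { $ADMIN_NETS, $PROXY_NETS } }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state invalid drop
    ct state established,related accept
    tcp dport $AGENT_PORT ip saddr @agent_nets accept comment "Avantra agents to server"
    tcp dport $WEB_PORT ip saddr @ui_nets accept comment "WebUI and mobile API via proxy"
    tcp dport 9058 drop comment "server statistics page, AHG-S-18"
    # add your OS baseline here (SSH from the management network, ICMP, etc.)
  }
}
EOF
}

# Syntax-check with the kernel without loading (nft -c), then load.
apply_ruleset() {
    render_ruleset | nft -c -f - || { echo "ruleset rejected by nft -c" >&2; return 1; }
    render_ruleset | nft -f -
}

# Usage (as root):  sh avantra_nft.sh --apply     Review first with:  sh avantra_nft.sh | less
if [ "${1:-}" = "--apply" ]; then apply_ruleset; else render_ruleset; fi
```

Because the policy is drop, add the rules your OS baseline needs (SSH, ICMP, monitoring) before applying it on a remote host, and keep the path-level restriction (only /xn/api/graphql and /xn/api/auth/login exposed externally) on the reverse proxy, since a packet filter cannot distinguish URL paths.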