6 Replies. Latest reply: Oct 15, 2009 11:04 AM by Jana Richter

CFE Cache - Is this stored with strong encryption?

Jonathan Watts

Hi

 

The 'SAP runs ACCAD - insights on example landscape' document asks the question: Is the data on CFEs is secure or can an admin read it? Is AccAD „hackeable“ thus can it be hacked from outside with hacker tools? Minor issues were found and then fixed by AccAD development team in 2006.

 

This inspires confidence in the solution.  However, the installation guide states that establishing physical security of the hard disk is recommended.  This note suggests that the above comment may not be so reassuring. 

 

Is the cache content strongly encrypted on the CFE hard disk? 

 

Thanks

Jon

  • Re: CFE Cache - Is this stored with strong encryption?
    Jana Richter

    Hi Jon,

     

    good question - actually the cached content that is stored in memory and on the disk is not yet encrypted in the current release AccAD 2.1 for SAP NetWeaver.

     

    For this reason it is recommended to ensure physical security for the Client Front-Ends, to ensure that no unauthorized access to the cached content could happen. If this is not possible and the non-caching is a security constraint, another option might be to disable caching of security-relevant content like KM documents (if applicable) and thus benefit from the efficient compression mechanisms only.

     

    We plan to provide encryption for disk cache in the next release Accelerated Application Delivery 2.2 for SAP NetWeaver (Ramp-Up start planned for December 2009).

     

    Hope this helps, best regards

    Jana

  • Re: CFE Cache - Is this stored with strong encryption?
    Jana Richter

    Hi John and all readers of this forum,

     

    I just wanted to give you a short update: Starting with AccAD 2.1 SPS 04, you can create a separate partition on your Client Front-End which uses encryption. Thus you can enable the CFE cache to use a strong encryption. Note: The encrypted drive is formatted with each reboot. Thus, data which is stored on this drive will be deleted with each reboot.

     

    Within AccAD 2.2 we plan to have full support for cache encryption (not requiring a separate partition and not being affected by reboots) - but for now there is still a nice way of enabling the above-mentioned feature within AccAD 2.1.

     

    You can find more details on how to enable this within SAP Note 1381413 (https://service.sap.com/sap/support/notes/1381413).

     

    Best regards

    Jana

  • Re: CFE Cache - Is this stored with strong encryption?
    Andrew Komolhathai

    Hi Jana,

    According to the note# 1381413 saying AccAD supports Drive Encryption,

    On our server there’s some restriction on hardware so we’ve decided to put the CFE on Windows Server 2003.

    Apparently, according to this note, the provided scripts are only working with Linux CFE.

    Is there any workaround to get this done on Windows CFE as well?

    • Re: CFE Cache - Is this stored with strong encryption?
      Jana Richter

      Hi Andrew,

       

      pretty good question. So far the disk encryption has only been developed for Linux CFEs in the following approach: Our process in Linux is to have a dedicated partition which is encrypted with a random key upon machine boot and usage of soft links to volumes – this is a small integration project which really covers the scenario in which a machine is stolen.

       

      Some options that I see how you could achieve security for this "machine stolen" scenario with a Windows CFE:

      - A customer may use some encryption mechanism for the entire disk with some password or biometric authentication mechanism upon boot. There are a few tools available that provide this HD encryption for Windows. But when you use these mechanisms, it means that the service cannot go up without an operator.

      - Alternatively, from SPS 05 you can configure to use only memory cache without disk persistency (in Appliance Landscape within the Engine configuration - Instance - Cache Store there are settings related to that). However, this of course means that you are limited in what can be stored within the cache.

       

      So far we have not yet received any requirements for cache encryption in Windows, thus it is not available yet. Is this a crucial point in your implementation to have a full disk encryption available for the Windows CFE?

       

      Best regards

      Jana
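
The Linux approach described in the reply above (a dedicated partition encrypted with a random key at boot and reached through a soft link), sketched as an added example; it is not the script from SAP Note 1381413 or any SAP code. The device, mapping name, mount point and cache directory are assumptions, and the commands are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added illustration; NOT the script shipped with SAP Note 1381413.
# Every path and name below is an assumption for the example.
DEVICE="${DEVICE:-/dev/sdb1}"                 # dedicated cache partition
MAPNAME="${MAPNAME:-cfecache}"                # dm-crypt mapping name
MOUNTPOINT="${MOUNTPOINT:-/mnt/cfecache}"     # where the volume is mounted
CACHE_LINK="${CACHE_LINK:-/opt/accad/cache}"  # hypothetical CFE cache path

# Print each command; execute it only when APPLY=1.
run() {
    echo "+ $*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# True if the device appears as a mounted source in the mounts table.
device_is_mounted() {
    grep -q "^$1 " "${MOUNTS_FILE:-/proc/mounts}"
}

setup_ephemeral_cache() {
    if device_is_mounted "$DEVICE"; then
        echo "refusing: $DEVICE is mounted, would destroy data" >&2
        return 1
    fi
    # ln would create the link *inside* a real directory, leaving the
    # cache on the unencrypted disk, so insist on a link or nothing.
    if [ -e "$CACHE_LINK" ] && [ ! -L "$CACHE_LINK" ]; then
        echo "refusing: $CACHE_LINK exists and is not a soft link" >&2
        return 1
    fi
    # Plain dm-crypt has no on-disk header; the key comes from
    # /dev/urandom and is kept only in kernel memory until power-off.
    run cryptsetup open --type plain --cipher aes-xts-plain64 \
        --key-size 512 --key-file /dev/urandom "$DEVICE" "$MAPNAME"
    # A new key makes the old ciphertext unreadable, so the volume is
    # reformatted on every boot (the cache starts empty each time).
    run mkfs.ext4 -q "/dev/mapper/$MAPNAME"
    run mkdir -p "$MOUNTPOINT"
    run mount "/dev/mapper/$MAPNAME" "$MOUNTPOINT"
    run ln -sfn "$MOUNTPOINT" "$CACHE_LINK"
}

# Dry run by default: "sh script.sh setup" prints the plan,
# "APPLY=1 sh script.sh setup" (as root, from a boot script) executes it.
if [ "${1:-}" = "setup" ]; then setup_ephemeral_cache; fi
```

Because the key is never written anywhere, a powered-off or stolen disk holds only ciphertext, which is the "machine stolen" scenario the reply refers to; it does not protect the cache from an administrator on the running system.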
