Additional Steps and Best Practices for Security
Security is important for the integrity of the event broker services because it transports your messaging data. If you have deployed your event broker services in a Customer-Controlled Region, there are a few additional security-related steps you can take because they fall within your responsibilities to manage. By default, in Public Regions and Dedicated Regions, SAP uses the following best practices, and also recommends them for your Customer-Controlled Region:
- keep the OS, hotfixes, service packs, and security patches current
- harden access to advanced event mesh for SAP Integration Suite
- harden access to event broker services
- restrict ports and protocols on event broker services
- use Bastion host access to compute resources
- secure access for outbound connections
OS, Hotfixes, Service Packs, and Security Patches
It is critical that all service packs, hotfixes, and security patches are updated on the infrastructure for all advanced event mesh components to ensure they have the latest, most secure code base.
To that end, these are best practices that we recommend and adhere to:
- OS patching is performed automatically on SAP-controlled environments. Compute instances are configured to automatically install OS patches and an alert system is in place to notify SAP if an instance needs to be rebooted to complete a patch installation.
- Event broker service updates follow a defined process. You can coordinate with SAP to schedule an upgrade to your event broker services to pick up the latest maintenance loads. During scheduled service upgrades, SAP upgrades your current release to apply the latest maintenance load that contains the latest security and critical fixes. For more information, see Upgrading Event Broker Services .
- There is an integration period between advanced event mesh and releases of SAP Event Broker: Software. For this reason, you may see a period of time before event broker services are upgraded to a release of SAP Event Broker: Software.
- Security updates are delivered via secure ports to the deployment. Port 443 is required to download updated Docker images. For more information, see Connection Details for Operational Connectivity.
Hardening Access to SAP Integration Suite, Advanced Event Mesh
There are a few areas in which access to advanced event mesh can be further hardened. SAP recommends the following additional practices:
- For management client applications, ensure that the API tokens are assigned the minimal, but necessary permissions for the client application to perform its tasks.
Hardening Access to Event Broker Services
The event broker services are created with default settings that allow for easy development and testing when connecting from client applications. These default settings are useful for development purposes and are secure, but you can harden access further for additional security.
Some settings can be made only when the event broker service is created, and others only after it has been created:
- Settings when creating an event broker service (these can be set only at creation time):
  - Restrict the ports and protocols that are enabled by default to limit the vectors of attack to your messaging plane. For more information, see Restricting Secure Ports and Protocols on Event Broker Services.
- Settings after an event broker service is created (these can be set only after creation):
  - By default, client applications use Basic Authentication as the authentication scheme to connect to an event broker service. You can configure an event broker service to use more than one authentication scheme. SAP recommends that you use a more robust authentication scheme and, at minimum, use the authentication schemes specified by your organization's security policies for client application access. For example, you can use LDAP Authentication as the authentication scheme instead of Basic Authentication. For more information, see Configuring Authentication to Event Broker Services.
  - For the authorization of client applications, a client profile named default is created. SAP recommends that you delete the default client profile and create client profiles with restricted authorization for use with your client applications. For more information, see Using Client Profiles and Client Usernames.
  - By default, SEMP over Message Bus is disabled for enhanced security and to keep your SEMP show commands hidden. For additional information, see Enabling SEMP Over the Message Bus.
Restricting Secure Ports and Protocols on Event Broker Services
Both event broker services and event broker management, as well as the events themselves (messaging), are securely accessed and securely utilized through SAP APIs and Open Source APIs.
These APIs do not provide a mechanism for the user or client applications to access the hosts or instances; only the functionality of the event broker services is available.
API access to an event broker service is configurable and we recommend the following configuration settings:
- Only use secured ports (i.e., do not enable the plain-text ports other than for development purposes or non-production usage).
- Disable protocols that you do not use. The default for an event broker service is to enable all protocols with secure ports. This can be configured when you create the event broker service.
- When possible, use non-default port numbers.
- You can explicitly enable CLI access to configure the message VPN for an event broker service. Enabling CLI access exposes another mechanism to connect and manage an event broker service, but may unnecessarily expose you to a security risk. If CLI access is not required or in use, SAP recommends that you disable the CLI port where your services have public Internet connectivity to harden access to your event broker service. The default setting when you create an event broker service is disabled. For more information, see Enabling the Solace CLI for Event Broker Services in SAP Integration Suite, Advanced Event Mesh.
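The two sections above (Hardening Access to Event Broker Services and Restricting Secure Ports and Protocols on Event Broker Services) list recommendations that are easy to state and easy to drift away from. The following script is an added example, not code from SAP or from the advanced event mesh product: it audits a constructed service configuration against those recommendations and shows which findings the post-creation settings can clear and which only a re-creation with different ports can. The JSON shape (fields such as endpoints, protocolsInUse, cliEnabled, authenticationSchemes, clientProfiles, sempOverMessageBusEnabled) is invented for this example and is not the advanced event mesh API; the default port table is assumed for the example and should be checked against your own service's connection details.

```python
"""Audit a constructed event broker service configuration against the
hardening guidance on this page.  Added example; the configuration
schema and the default-port table below are assumptions, not the
advanced event mesh API or its documented defaults."""
import copy
import json

# Port numbers assumed for this example as the protocol defaults; verify
# against your own service's connection details before relying on them.
ASSUMED_DEFAULT_PORTS = {
    "smf": {"plain": 55555, "tls": 55443},
    "amqp": {"plain": 5672, "tls": 5671},
    "mqtt": {"plain": 1883, "tls": 8883},
    "rest": {"plain": 9000, "tls": 9443},
}

# Constructed sample: a service left on its creation defaults.  Only SMF
# and MQTT are actually used by the client applications.
SAMPLE_CONFIG = {
    "publicInternetConnectivity": True,
    "protocolsInUse": ["smf", "mqtt"],
    "endpoints": [
        {"protocol": "smf", "port": 55555, "tls": False, "enabled": True},
        {"protocol": "smf", "port": 55443, "tls": True, "enabled": True},
        {"protocol": "amqp", "port": 5672, "tls": False, "enabled": True},
        {"protocol": "amqp", "port": 5671, "tls": True, "enabled": True},
        {"protocol": "mqtt", "port": 1883, "tls": False, "enabled": True},
        {"protocol": "mqtt", "port": 8883, "tls": True, "enabled": True},
        {"protocol": "rest", "port": 9000, "tls": False, "enabled": True},
        {"protocol": "rest", "port": 9443, "tls": True, "enabled": True},
    ],
    "cliEnabled": True,
    "authenticationSchemes": ["basic"],
    "clientProfiles": ["default"],
    "sempOverMessageBusEnabled": False,
}


def audit(config, production=True):
    """Return a list of (code, message) findings; an empty list means the
    configuration follows every recommendation this check knows about.
    Plain-text ports are tolerated when production=False, matching the
    page's allowance for development and non-production use."""
    findings = []
    in_use = set(config.get("protocolsInUse", []))
    for ep in config.get("endpoints", []):
        if not ep.get("enabled"):
            continue
        proto, port = ep["protocol"], ep["port"]
        if production and not ep.get("tls"):
            findings.append(("PLAINTEXT_PORT", f"{proto} plain-text port {port} is enabled"))
        if proto not in in_use:
            findings.append(("UNUSED_PROTOCOL", f"{proto} is enabled but not in use (port {port})"))
        if port in ASSUMED_DEFAULT_PORTS.get(proto, {}).values():
            findings.append(("DEFAULT_PORT", f"{proto} listens on default port {port}"))
    if config.get("cliEnabled") and config.get("publicInternetConnectivity"):
        findings.append(("CLI_PUBLIC", "CLI access is enabled on a service with public Internet connectivity"))
    if set(config.get("authenticationSchemes", [])) == {"basic"}:
        findings.append(("BASIC_AUTH_ONLY", "only Basic Authentication is configured for client access"))
    if "default" in config.get("clientProfiles", []):
        findings.append(("DEFAULT_CLIENT_PROFILE", "the default client profile still exists"))
    if config.get("sempOverMessageBusEnabled"):
        findings.append(("SEMP_OVER_MSGBUS", "SEMP over Message Bus is enabled"))
    return findings


def finding_codes(config, production=True):
    """Sorted set of distinct finding codes, convenient for reporting."""
    return sorted({code for code, _ in audit(config, production)})


def harden(config):
    """Apply the post-creation recommendations to a copy of the config.
    Port numbers are fixed at creation time, so DEFAULT_PORT findings on
    the remaining TLS endpoints survive; clearing them means re-creating
    the service with non-default ports."""
    hardened = copy.deepcopy(config)
    in_use = set(hardened.get("protocolsInUse", []))
    for ep in hardened["endpoints"]:
        if not ep["tls"] or ep["protocol"] not in in_use:
            ep["enabled"] = False          # only secured ports for protocols in use
    hardened["cliEnabled"] = False         # CLI off where the service is publicly reachable
    hardened["authenticationSchemes"] = ["ldap"]   # the page's own example of a stronger scheme
    hardened["clientProfiles"] = [p for p in hardened["clientProfiles"] if p != "default"]
    hardened["clientProfiles"].append("restricted-app-profile")  # hypothetical replacement name
    hardened["sempOverMessageBusEnabled"] = False
    return hardened


if __name__ == "__main__":
    for label, cfg in (("as created", SAMPLE_CONFIG), ("hardened", harden(SAMPLE_CONFIG))):
        print(f"== {label} ==")
        for code, message in audit(cfg):
            print(f"{code:22s} {message}")
    print(json.dumps(harden(SAMPLE_CONFIG), indent=2))
```

Running the script on the constructed sample reports every category the two sections warn about; after `harden()` only the DEFAULT_PORT findings for the in-use TLS endpoints remain, which illustrates why the page separates creation-time settings from post-creation ones.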
Limiting Access to Compute Resources with Bastion Host
You should limit access to the compute resources from the public Internet. If you require access to the hosts in a Customer-Controlled Region (Kubernetes cluster, Virtual Private Cloud, or Virtual Network) for troubleshooting or maintenance, SAP recommends that you configure a bastion host that provides access through port 22 to limit the vectors of attack. For more information, see the appropriate section in the advanced event mesh deployment guides. For example, if you are deploying to Amazon Elastic Kubernetes Service (EKS), see Installing in Amazon Elastic Kubernetes Service (EKS).
Securing Access for Outbound Connections
For interactions that require outbound connections, such as RDPs (REST Destination Points), the event broker services can be configured to originate from a static IP address. This makes it easier for applications outside of your deployment to whitelist the source address.
For additional security, you can also configure your organization's network to permit only specific outbound access to the static IP address used for the RDP.
Static IP addresses are presented only when an event broker service connects to external hosts through a NAT gateway, and those NAT gateways are provisioned with static, public IP addresses in your data center.
For more information about static IP addresses, see Static IP Availability for Messaging Connectivity in Public Regions and Dedicated Regions.