AntiVirus Bridge for SAP solutions - Installation and Configuration Guide
AntiVirus Bridge for SAP solutions ICAP Edition Version 1.83 Installation and Configuration Guide Page 1
Table of Contents

AntiVirus Bridge for SAP NetWeaver – Basics  3
  Product Description  3
  ICAP-Edition  3
  AntiVirus Bridge – ICAP Edition – Principles of function  4
Installation  5
  On Microsoft Windows Servers  5
  Installation on UNIX platforms  8
Licensing  10
  Reviewing your license  10
  Obtaining a license  12
    Evaluation license  12
    Permanent license  14
    Manually installing a license  15
Configuration  16
  On Microsoft Windows  16
    Configuring ICAP connectivity  16
    Testing ICAP connectivity  17
    Configuring high availability and load balancing  18
    Advanced configuration settings  19
  On UNIX Systems  20
    Configuring ICAP connectivity  20
    Configuring high availability and load balancing  21
    Advanced configuration settings  22
AntiVirus Bridge for SAP NetWeaver – Basics

Product Description

AntiVirus Bridge for SAP NetWeaver is a Virus Scan Adapter (VSA) that allows the integration of external virus scanners with the SAP® NetWeaver 04™ and NetWeaver 04s™ application server platform. AntiVirus Bridge uses ICAP (Internet Content Adaptation Protocol, see Appendix) or HTTP (Hypertext Transfer Protocol) to communicate with one or more web security scanners, which perform the actual scanning of the data.

The basic functionality encompasses scanning and cleaning of data that is being uploaded to an SAP server via the proprietary SAP GUI or via the SAP Web/Java frontend, if the application is accessible through an enterprise portal. Furthermore, it allows scanning and cleaning of legacy data (e.g. Knowledge Management repositories) with manually triggered or scheduled virus scan reports. Customer-specific or highly customized applications can also explicitly make use of this security functionality.

ICAP-Edition

AntiVirus Bridge ICAP Edition integrates virus scanning solutions via the Internet Content Adaptation Protocol (ICAP). ICAP was originally developed to allow scanning and modification of web content passing through a web proxy: HTTP sessions are encapsulated in an ICAP session and forwarded for content inspection or modification. Two modes are distinguished:

– Request Modification (REQMOD): This mode controls HTTP requests. Request modification is mainly used for URL filtering.
– Response Modification (RESPMOD): This mode analyses HTTP responses, i.e. data flowing from web servers to browsers. As web browsing is a common infection vector for many types of malware, this mode is broadly supported and a large number of security products use RESPMOD.

For further information on ICAP, please refer to http://www.i-cap.org or to RFC 3507. Note that RFC 3507 specifies ICAP as a plain TCP protocol (default port 1344) without transport encryption or client authentication, so the link between the adapter and the scanner should run over a trusted network segment.
AntiVirus Bridge – ICAP Edition – Principles of function

AntiVirus Bridge for SAP NetWeaver provides virtual virus scan engine instances to the SAP application server. Data objects to be scanned and/or cleaned are accepted through the NW-VSI application programming interface. Depending on AntiVirus Bridge's configuration and the object's size, an object is passed either through a memory block or through a temporary file on a local disk; the latter requires up to four hard-disk read/write cycles and is thus significantly slower. Because such a temporary file holds the not-yet-scanned object, the directory used for it should be writable only by the user the SAP server runs as. AntiVirus Bridge encapsulates the objects in virtual HTTP sessions, which are then forwarded in ICAP RESPMOD sessions to the actual virus scanner.

[Picture 1: Principles of function – ICAP mode. The figure shows the SAP NetWeaver ABAP and J2EE engines calling the Virus Scan Adapter (vsaicap.dll) through the NW-VSI interface and VSILIB; the adapter's ICAP client sends the encapsulated files to an ICAP server, e.g. Trend Micro InterScan Web Security Suite or another antivirus product's ICAP server.]

Depending on the result of the scan, the object is passed back to the NetWeaver server using the NW-VSI API or, in case of an infection, blocked or replaced with a cleaned version of the original object. This is achieved by the same means as for the request, either through a temporary file or through a block in the server's memory.
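The following Python code is an added example written for this guide, not BowBridge's own code. It shows how an object received from the SAP server is wrapped in a synthetic HTTP request/response pair and encapsulated in an ICAP RESPMOD request as RFC 3507 specifies (including the byte offsets in the Encapsulated header and the chunked body), and how the scanner's reply maps onto the pass-back/block/replace decision described above. The ICAP URL, file name, HTTP headers and the sample replies are constructed for illustration; real scanners add vendor-specific headers the example does not rely on.

```python
import re
from urllib.parse import urlparse

ICAP_DEFAULT_PORT = 1344  # RFC 3507 default port


def parse_icap_url(url):
    """Split icap://host[:port]/service into (host, port, path). The host-less
    template form icap:///service (vendor defaults) is rejected: the backend
    address still has to be filled in."""
    u = urlparse(url)
    if u.scheme != "icap" or not u.hostname:
        raise ValueError(f"expected icap://host[:port]/service, got {url!r}")
    return u.hostname, u.port or ICAP_DEFAULT_PORT, u.path or "/"


def build_respmod_request(url, data, filename="upload.bin"):
    """Wrap an object received over NW-VSI in a synthetic HTTP exchange and
    encapsulate it in an ICAP RESPMOD request. The Encapsulated header gives
    the byte offset of each section from the start of the encapsulated part;
    the response body is sent in chunked transfer encoding."""
    host, port, path = parse_icap_url(url)
    # Synthetic HTTP request: a "browser" asked for the file...
    req_hdr = f"GET /{filename} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    # ...and a synthetic "origin server" answered with the object.
    res_hdr = ("HTTP/1.1 200 OK\r\n"
               "Content-Type: application/octet-stream\r\n"
               f"Content-Length: {len(data)}\r\n\r\n").encode()
    res_body = f"{len(data):x}\r\n".encode() + data + b"\r\n0\r\n\r\n"
    icap_hdr = (f"RESPMOD icap://{host}:{port}{path} ICAP/1.0\r\n"
                f"Host: {host}\r\n"
                "Allow: 204\r\n"  # lets the scanner answer 204 for clean objects
                f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
                f"res-body={len(req_hdr) + len(res_hdr)}\r\n\r\n").encode()
    return icap_hdr + req_hdr + res_hdr + res_body


def parse_icap_response(raw):
    """Return (status, headers, encapsulated_bytes) for a raw ICAP response."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP response: headers not terminated")
    lines = head.split(b"\r\n")
    m = re.match(rb"ICAP/1\.0 (\d{3})", lines[0])
    if not m:
        raise ValueError(f"bad ICAP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return int(m.group(1)), headers, rest


def encapsulated_offsets(headers):
    """Parse 'req-hdr=0, res-hdr=45, res-body=130' into {'req-hdr': 0, ...}."""
    offsets = {}
    for part in headers.get("encapsulated", "").split(","):
        name, _, value = part.strip().partition("=")
        if name:
            offsets[name] = int(value)
    return offsets


def dechunk(body):
    """Decode HTTP chunked transfer encoding (sizes are hex, extensions ignored)."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF


def scan_verdict(raw, original):
    """Map the scanner's reply to the adapter's decision for NetWeaver:
    'clean'    - 204 Unmodified, or 200 with the object returned byte-for-byte
    'replaced' - 200 with a different (cleaned or withheld) body: the original
                 is not passed back unchanged
    'error'    - any other status; the scan did not complete"""
    status, headers, rest = parse_icap_response(raw)
    if status == 204:
        return "clean"
    if status == 200:
        offsets = encapsulated_offsets(headers)
        if "res-body" not in offsets:  # null-body: the object was withheld
            return "replaced"
        return "clean" if dechunk(rest[offsets["res-body"]:]) == original else "replaced"
    return "error"
```

Comparing the returned body with the original is deliberate: a backend is allowed to answer 200 with an unchanged copy instead of 204, so the status code alone does not tell the adapter whether the object was modified.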
Installation

On Microsoft Windows Servers

The installation procedure is identical on all supported versions of Microsoft Windows. AntiVirus Bridge for SAP NetWeaver can be obtained online from the download section of BowBridge's website (http://www.bowbridge.net). The Windows version comes as a Microsoft Software Installation (MSI) file.

Administrator privileges are required to install AntiVirus Bridge. Please log on as Administrator or as a user with equivalent privileges.

Although the Win32 MSI will install on x86_64, it will not function properly. Use only the package appropriate for your platform.

To begin the installation, execute the MSI file for your platform. The installation wizard guides you through the installation process: you will be prompted to accept the BowBridge license agreement and you will be able to choose the installation directory.

The installation wizard copies all required files to the directory you specified and creates new Start menu entries for the configuration tool. At the end of the installation, the setup wizard launches the configuration tool and you have the opportunity to add a license to your installation. If you choose not to add a license at this time, you may add one at any later time. Click on Save and Close to finish the installation.

This concludes the installation on Windows platforms.
Installation on UNIX platforms

The installation process on all UNIX platforms is basically identical; you may, however, get slightly different output than shown in the original guide's screenshots, depending on which UNIX you are using. Root privileges are required to install AntiVirus Bridge for SAP solutions on UNIX.

AntiVirus Bridge for SAP solutions for UNIX comes as a tar file. The file naming follows the scheme BowBridge_AVB-SAP_[version]_[platform].tar, e.g. BowBridge_AVB_SAP_1.8.3_Solaris_AMD64.tar. Copy it to a writable directory on your system. You may list the archive contents first (tar tvf [name of file]) to confirm you have the expected package; then extract it by entering:

tar xvf [name of file]

Change into the newly created directory BowBridge and call the install script with the target directory as its only option, e.g.:

./install /opt/BowBridge

The install script will guide you through the installation process and prompt you to accept the license agreement. Towards the end of the installation process, you may provide a valid BowBridge license or choose to install it at some later time. After finishing the installation, the install script launches the setup application to allow you to configure the product.

This concludes the installation on UNIX platforms.
Licensing

BowBridge Software products require a license certificate to operate. If no license is installed in the product, it will not function. There are two types of licenses available: evaluation licenses, which are typically valid for 30 days, and permanent licenses for production systems.

Reviewing your license

You can review your current license from within the product's user interface.

– On Windows platforms, open the configuration tool and click on “License Management”. This brings up a window displaying the current license and some license management options.
– On UNIX systems, open the setup application [target_directory]/setup and choose “View License” from the main menu to bring up the license information screen.
Obtaining a license

Evaluation license

An evaluation license can be obtained in two ways:

– Upon download: You may submit a request for an evaluation license along with your download registration on our website http://www.bowbridge.net. In the “Support” section of the website, choose the “Software Downloads” option and enter your contact information. You will then automatically receive an evaluation license, valid for 30 days.
– In the user interface: You may request an evaluation license from within our products.
  – For Windows systems, open the Configuration Tool and choose the License Management module. You may then choose to send the request (requires a configured email client on the server) or to save the license request and mail it to license@bowbridge.net for processing. BowBridge processes license requests within 24 hours.
  – For UNIX systems, open the setup application ([target_directory]/setup), choose the “Request new License” option and provide your details in the form. You may then choose to send the request directly to BowBridge (requires sendmail) or to save the request and mail it manually to license@bowbridge.net. BowBridge processes license requests within 24 hours.
Permanent license

Permanent licenses for production systems are bound to the physical machine of the server: a unique ID of that very server is embedded in the license. For that reason, the license request for a permanent license must be generated on the actual machine on which the BowBridge product will be used. The process is identical to requesting an evaluation license, except that the checkbox/field “Evaluation License” remains unchecked. The Windows user interface brings up a message indicating the inclusion of the unique identifier. You may then choose to send the request directly (requires a configured email client on Windows or sendmail on UNIX) or to save the request to disk and mail it to license@bowbridge.net.
Manually installing a license

If you did not provide a license upon installation, or want to apply a new license to your BowBridge product, you can install the license manually.

On Windows systems:
– Bring up the configuration tool and choose the License Management module.
– Click on “Browse License” and specify the license file you want to install.
– Note the warning that your previously installed license will be discarded and will no longer be valid. The new license status is displayed in the License Management module.

On UNIX systems: To manually install a new license, open a console and copy the license file to /etc/vsaicap/cert.pem. Make sure the license file can be read by the non-root user the SAP server runs as, by setting appropriate permissions, e.g.:

chmod 644 /etc/vsaicap/cert.pem

Read permission is all the adapter needs; do not make the file world-writable (chmod 666), since any local user could then replace the license. We suggest you verify your license status in the setup application after manually installing a license.
Configuration

Enabling content protection for your SAP system requires configuring BowBridge AntiVirus Bridge for SAP solutions and enabling your NetWeaver platform to make use of it.

On Microsoft Windows:

Configuring ICAP connectivity

AntiVirus Bridge for SAP solutions performs scanning via a scan engine connected to it via ICAP. The scan engine may be local (on the same machine) or remote (on a separate machine). In any case, AntiVirus Bridge needs to be made aware of the IP address on which the scan engine resides. If no scan engine backend is configured, AntiVirus Bridge will not initialize when opened by the SAP server.

To configure the ICAP backend, bring up the AntiVirus Bridge configuration tool. AntiVirus Bridge for SAP solutions comes with a set of pre-configured Bridge Profiles to facilitate configuration. Profiles are available for the following products:

– BowBridge Scan Virtual Appliance
– Kaspersky AntiVirus for Caching
– McAfee Secure Web Gateway and Secure Internet Gateway
– Secure Computing WebWasher
– Symantec Scan Engine
– Trend Micro IWSx

If you want to combine one of the above products with AntiVirus Bridge, you merely need to enter the IP address or the DNS-resolvable host name of your ICAP scan engine in the ICAP-Server URL field to form a valid ICAP URL. For security and performance reasons, we recommend not referencing the ICAP backend via a host name but using the IP address instead: this avoids a name lookup per connection and removes the dependency of every scan on the integrity of name resolution. ICAP itself (RFC 3507) provides no transport encryption or authentication, so a remote backend should be reachable only over a trusted network path.

Testing ICAP connectivity

Once a valid ICAP URL has been entered in the configuration tool, you may test the connection to the ICAP backend by clicking on the “Test” button. The AntiVirus Bridge Configuration Tool connects to the ICAP backend and issues an “OPTIONS” request. A pop-up informs you whether the connection has succeeded or not.

A successful connection test does not guarantee that virus scanning will work. If, for example, no license is installed on the ICAP backend, AntiVirus Bridge will not detect that at this stage. To verify the whole chain, upload a harmless detection test file such as the EICAR test file through the SAP frontend after configuration and confirm that it is blocked.
Configuring high availability and load balancing

AntiVirus Bridge for SAP solutions offers the option to specify up to two ICAP backends. In the AntiVirus Bridge Configuration Tool, check the corresponding field; this enables the option to specify a second ICAP backend in the same manner as described under “Configuring ICAP connectivity”.

High availability mode: If a scan operation fails on the first ICAP backend, e.g. because the server is not reachable or because the connection times out during the scan operation, AntiVirus Bridge repeats the scan operation on the second ICAP backend. In this scenario, all scans are always performed on the first ICAP backend; the second ICAP backend is used only if the scan operation fails on the first one.

Load balancing mode: If the load-balancing checkbox is also selected, AntiVirus Bridge automatically load-balances simultaneous scan operations across the two ICAP backends. In this scenario, the first (or only) scan operation at any time is performed on the first ICAP backend, the second (simultaneous) scan operation on the second ICAP backend, the third on the first ICAP backend, and so on. The load balancing mode also includes high availability: if a scan operation fails on one of the ICAP backends, it is automatically repeated on the other one.

Required Backends: AntiVirus Bridge allows you to specify how many ICAP backends need to be reachable (via an ICAP “OPTIONS” request) in order for the adapter to start. If set to “1”, the adapter in high-availability and/or load-balancing mode initializes even if only one of the two configured ICAP backends can be reached.

Advanced configuration settings:

AntiVirus Bridge for SAP solutions allows you to specify a number of advanced, common settings in the Configuration Tool:

Connection timeout: The time within which the TCP connection to the ICAP backend needs to be established. If the connection cannot be established within the specified time, the scan fails, or is repeated on the secondary ICAP backend if ICAP High Availability and/or ICAP Load Balancing is configured. Decrease this value if you want a faster switch to the backup ICAP scanner; increase it if the ICAP backend is remote to the SAP server and connected via a very slow line.

Read/Write timeout: The maximum amount of time before the entire scan operation times out. You may need to increase this value if you plan to scan very large files or if the ICAP backend is connected to your SAP server via a slow line.

Maximum Connections: The maximum number of scan instances the adapter makes available to the SAP server. This value should not exceed the maximum number of ICAP connections supported by your ICAP backend. Also, the maximum number of instances configured in your SAP server must not exceed this value.

Trace Level: A value in the range 0 to 3 specifying the trace level of AntiVirus Bridge for SAP solutions. Trace output is written/appended to the “debug.log” file in the installation directory.

CAUTION: Trace files, especially at trace levels 2 and 3, can grow very big very fast. Furthermore, writing debug information has a significant negative impact on scan performance. Disable tracing again once troubleshooting is complete.

On UNIX Systems:

Configuring ICAP connectivity

AntiVirus Bridge for SAP solutions performs scanning via a scan engine connected to it via ICAP. The scan engine may be local (on the same machine) or remote (on a separate machine). In any case, AntiVirus Bridge needs to be made aware of the IP address on which the scan engine resides. If no scan engine backend is configured, AntiVirus Bridge will not initialize when opened by the SAP server.

To configure the ICAP backend, start the setup application installed in your installation target directory and select the VSA configuration option from the main menu.
In addition to the ICAP server's IP address or host name, a path needs to be specified to identify a certain ICAP service or reference a specific policy on the ICAP backend. The default ICAP URLs for common ICAP servers are listed below; the host part is left empty in these templates and must be filled in with your backend's address:

Product                                            ICAP URL
BowBridge Software AV Scanning Virtual Appliance   icap:///avscan
Kaspersky Labs AntiVirus for Proxy                 icap:///av/respmod
McAfee Secure Web/Internet Gateway                 icap:///RESPMOD
Secure Computing Web Washer 6.x                    icap:///wwrespmod
Symantec Scan Engine 5.x                           icap:///avscanresp
Trend Micro Interscan Web Security Suite           icap:///antivirus
Trend Micro Interscan Web Security Appliance       icap:///interscan

For security and performance reasons, we recommend not referencing the ICAP backend via a host name but using the IP address instead: this avoids a name lookup per connection and removes the dependency of every scan on the integrity of name resolution.

Configuring high availability and load balancing

AntiVirus Bridge for SAP solutions offers the option to specify up to two ICAP backends. In the AntiVirus Bridge setup application, check the corresponding field; this enables the option to specify a second ICAP backend in the same manner as described under “Configuring ICAP connectivity”.
High availability mode: If a scan operation fails on the first ICAP backend, e.g. because the server is not reachable or because the connection times out during the scan operation, AntiVirus Bridge repeats the scan operation on the second ICAP backend. In this scenario, all scans are always performed on the first ICAP backend; the second ICAP backend is used only if the scan operation fails on the first one.

Load balancing mode: If the load-balancing checkbox is also selected, AntiVirus Bridge automatically load-balances simultaneous scan operations across the two ICAP backends. In this scenario, the first (or only) scan operation at any time is performed on the first ICAP backend, the second (simultaneous) scan operation on the second ICAP backend, the third on the first ICAP backend, and so on. The load balancing mode also includes high availability: if a scan operation fails on one of the ICAP backends, it is automatically repeated on the other one.

Required Backends: AntiVirus Bridge allows you to specify how many ICAP backends need to be reachable (via an ICAP “OPTIONS” request) in order for the adapter to start. If set to “1”, the adapter in high-availability and/or load-balancing mode initializes even if only one of the two configured ICAP backends can be reached.

Advanced configuration settings:

AntiVirus Bridge for SAP solutions allows you to specify a number of advanced, common settings in the setup application:

Connect timeout: The time within which the TCP connection to the ICAP backend needs to be established. If the connection cannot be established within the specified time, the scan fails, or is repeated on the secondary ICAP backend if ICAP High Availability and/or ICAP Load Balancing is configured. Decrease this value if you want a faster switch to the backup ICAP scanner; increase it if the ICAP backend is remote to the SAP server and connected via a very slow line.

Read/Write timeout: The maximum amount of time within which the ICAP backend must finish scanning the file and reply to the ICAP request before the entire scan operation times out. You may need to increase this value if you plan to scan very large files or if the ICAP backend is connected to your SAP server via a slow line.

Maximum Connections: The maximum number of scan instances the adapter makes available to the SAP server. This value should not exceed the maximum number of ICAP connections supported by your ICAP backend. Also, the maximum number of instances configured in your SAP server must not exceed this value.

Trace Level: A value in the range 0 to 3 specifying the trace level of AntiVirus Bridge for SAP solutions. Trace output is written/appended to the “debug.log” file in the installation directory. Activating tracing requires you to specify a trace file.

Trace File: The full path (path plus file name) of a writable location on the file system where tracing information is created/appended.

CAUTION: Trace files, especially at trace levels 2 and 3, can grow very big very fast. Furthermore, writing debug information has a significant negative impact on scan performance. Disable tracing again once troubleshooting is complete.
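The following Python code is an added example written for this guide, not BowBridge's own code. It models the backend selection rules from the “Configuring high availability and load balancing” sections for both platforms (high availability, load balancing, required backends) together with the connect and read/write timeouts from the advanced settings, and includes the live OPTIONS probe that the connectivity test performs. The class and function names, the backend addresses and the timeout defaults are assumptions made for the example; in particular, the real adapter balances simultaneous scans, which the example approximates with a per-scan counter.

```python
import socket
from itertools import count
from urllib.parse import urlparse

ICAP_DEFAULT_PORT = 1344  # RFC 3507 default


def complete_icap_url(template, host, port=ICAP_DEFAULT_PORT):
    """Fill the backend address into a vendor template such as icap:///avscan
    (an IP address is preferred over a host name, see the configuration text)."""
    prefix = "icap:///"
    if not template.startswith(prefix):
        raise ValueError(f"not a host-less ICAP template: {template!r}")
    return f"icap://{host}:{port}/{template[len(prefix):]}"


def probe_options(url, connect_timeout, rw_timeout):
    """Connectivity test as the configuration tool performs it: TCP connect
    within connect_timeout, then an ICAP OPTIONS request that must be answered
    within rw_timeout. Only an 'ICAP/1.0 200' reply counts as reachable."""
    u = urlparse(url)
    host, port, path = u.hostname, u.port or ICAP_DEFAULT_PORT, u.path or "/"
    request = (f"OPTIONS icap://{host}:{port}{path} ICAP/1.0\r\nHost: {host}\r\n"
               "Encapsulated: null-body=0\r\n\r\n").encode()
    try:
        with socket.create_connection((host, port), timeout=connect_timeout) as sock:
            sock.settimeout(rw_timeout)
            sock.sendall(request)
            reply = sock.recv(4096)
    except OSError:  # refused, unreachable, or timed out
        return False
    return reply.startswith(b"ICAP/1.0 200")


class BackendPool:
    """Up to two ICAP backends with the adapter's HA / load-balancing rules."""

    def __init__(self, urls, high_availability=False, load_balancing=False,
                 required_backends=None, connect_timeout=5, rw_timeout=120):
        if not 1 <= len(urls) <= 2:
            raise ValueError("AntiVirus Bridge supports one or two ICAP backends")
        if len(urls) == 2 and not (high_availability or load_balancing):
            raise ValueError("a second backend requires HA and/or load balancing")
        self.urls = list(urls)
        self.lb = load_balancing
        self.ha = high_availability or load_balancing  # LB mode includes HA
        # "Required backends": how many must answer OPTIONS before the adapter starts.
        self.required = len(urls) if required_backends is None else required_backends
        self.connect_timeout = connect_timeout  # assumed defaults, in seconds
        self.rw_timeout = rw_timeout
        self._scan_counter = count()

    def initialize(self, probe=probe_options):
        """Start-up check; raises if fewer than the required backends answer."""
        reachable = [u for u in self.urls
                     if probe(u, self.connect_timeout, self.rw_timeout)]
        if len(reachable) < self.required:
            raise RuntimeError(f"{len(reachable)} of {self.required} required "
                               "ICAP backends reachable; adapter will not initialize")
        return reachable

    def order_for_scan(self):
        """HA only: always start on the first backend, the second is the fallback.
        LB: alternate the starting backend (per-scan counter stands in for the
        adapter's handling of simultaneous scans); the other one is the fallback."""
        start = next(self._scan_counter) % 2 if (self.lb and len(self.urls) == 2) else 0
        order = [self.urls[start]]
        if self.ha and len(self.urls) == 2:
            order.append(self.urls[1 - start])
        return order

    def scan(self, data, scan_fn):
        """scan_fn(url, data, connect_timeout, rw_timeout) returns the verdict or
        raises OSError (socket.timeout included) when the backend fails; the scan
        is then repeated on the other backend before giving up."""
        last_error = None
        for url in self.order_for_scan():
            try:
                return scan_fn(url, data, self.connect_timeout, self.rw_timeout)
            except OSError as exc:
                last_error = exc
        raise RuntimeError("scan failed on all configured ICAP backends") from last_error
```

With required_backends=1 the pool starts as long as one backend answers OPTIONS, which is what the “Required Backends” setting of 1 permits; with the default (both required) a single unreachable backend keeps the adapter from initializing, exactly the failure mode the setting exists to avoid.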