SAP security-related profile parameters for new systems

#-----------------------------------------------------------------------
# SNC
#-----------------------------------------------------------------------
# Secure Network Communications: crypto library, protection level, and
# which connections WITHOUT SNC the server still tolerates.
snc/gssapi_lib = $(SAPCRYPTOLIB)
# accept_insecure_* = 1 keeps CPIC/GUI/RFC connections without SNC working
# while clients and RFC partners are being migrated.
# NOTE(review): with these at 1 (and permit_insecure_start below) SNC is
# effectively optional; set them to 0 once every partner is SNC-enabled.
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
# Quality of protection (1 = authentication only, 2 = integrity,
# 3 = privacy): at least integrity, privacy by default and as maximum.
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/enable = 1
# 0 = SNC logons are not forced to the logon screen (needed for SSO)
snc/force_login_screen = 0
# SNC name of this application server; placeholder, replace per system
snc/identity/as = p:xx=xxxxxxxxxxxxxxxxxxxx
# 1 = the server also starts if the SNC layer is unavailable (see note above)
snc/permit_insecure_start = 1
# Internal (server-to-server) RFC: qop 8 = default QoP per SAP docs;
# r3int_rfc_secure = 0 means internal RFC is not SNC-protected.
snc/r3int_rfc_qop = 8
snc/r3int_rfc_secure = 0


#-----------------------------------------------------------------------
# SSO
#-----------------------------------------------------------------------
# Kerberos/SPNEGO single sign-on, using the same crypto library as SNC
spnego/enable = 1
spnego/krbspnego_lib = $(SAPCRYPTOLIB)
# Handling of password-change requirements for users who log on via SSO.
# NOTE(review): confirm the meaning of value 3 in the parameter
# documentation (RZ11) of the target release before rollout.
login/password_change_for_SSO = 3

#-----------------------------------------------------------------------
# other security related parameters
#-----------------------------------------------------------------------
# RFC Callback; only 3 after system copies?
# NOTE(review): per SAP docs 3 is the active mode, i.e. callbacks that are
# not on the positive list are rejected; collect the list in logging mode
# first or legitimate callbacks will break. Confirm against RZ11.
rfc/callback_security_method = 3
# RFC logons with an expired password are refused
rfc/reject_expired_passwd = 1
rfc/reject_callback = 1
# S_RFC authority check for incoming RFC calls is active
auth/rfc_authority_check = 1
# SAP GUI (=Kernel default)
sapgui/nwbc_scripting = FALSE

# Deactivate user scripting (=Kernel default)
sapgui/user_scripting = FALSE

# ciphersuites according to 2384290 and EUROSEC/SAPSEC Project - incoming/outgoing SSL traffic
# target value: will only allow TLSv1.2 and higher. This must be carefully taken into consideration before the parameter is set.
# target value: ssl/ciphersuites = 550:PFS:HIGH:!e3DES:!mSHA1::EC_HIGH - 
# intermediate value: Allow TLSv1.2 in addition to Kernel default as an intermediate solution
# intermediate value: ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
# Server side (incoming TLS): the target profile, 3DES and SHA-1 MACs excluded
ssl/ciphersuites = 550:PFS:HIGH:!e3DES:!mSHA1::EC_HIGH
# Client side (outgoing TLS); TLS_FALLBACK_SCSV protects against protocol downgrade
ssl/client_ciphersuites = 134:PFS:HIGH:TLS_FALLBACK_SCSV::EC_HIGH:+EC_OPT
# Solution Manager is special.
# NOTE(review): the two lines below repeat the keys set above. In an actual
# profile the later occurrence replaces the earlier one, so the placeholder
# "tbd." would override the hardened server value. Keep only one variant
# per system (comment the other out) and never deploy the placeholder.
ssl/ciphersuites = tbd.
ssl/client_ciphersuites = 918:PFS:HIGH

# enable security audit log
# Security Audit Log (SM19/SM20); which events are recorded is configured
# in the SM19 filters, this only switches the log on.
rsau/enable = 1
# 1 enables generic user selection, means usernames can be added with wildcard * in SM19
rsau/user_selection = 1

# icf services logging >=740
# HTTP access log of the ICM; the file name embeds SID, host and instance
# number ($$) and rotates monthly (SWITCHTF=month).
# NOTE(review): logging_0 and logging_10 are separate handler slots, so set
# only the one for your kernel release; with both present every request is
# presumably logged twice - confirm before keeping both.
icm/HTTP/logging_10 = PREFIX=/, LOGFILE=access_log_$(SAPSYSTEMNAME)_$(SAPLOCALHOST)_$$_%y-%m, MAXSIZEKB=10000, SWITCHTF=month, LOGFORMAT=%t - "%r2" %s %b %L - %j %h
# icf services logging < 740
icm/HTTP/logging_0 = PREFIX=/, LOGFILE=access_log_$(SAPSYSTEMNAME)_$(SAPLOCALHOST)_$$_%y-%m, MAXSIZEKB=10000, SWITCHTF=month, LOGFORMAT=%t - "%r2" %s %b %L - %j %h

# global redirect http to https (Instance Profile)
# Every plain-HTTP request is answered with a redirect to HTTPS on port
# 443<instance number> of this host. The HTTP port itself stays open, so
# the redirect alone does not disable HTTP (see the open point below).
icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=HTTP, PROT=HTTPS, HOST=$(SAPLOCALHOST).$(SAPFQDN), PORT=443$$
# #### disable the HTTP Service for new systems - to be discussed and tested
# HTTP must not be used.

# password complexity
# 2 = the largest permitted character set for passwords (confirm in RZ11)
login/password_charset = 2
# 0 = no downward-compatible (weaker) password hashes are generated
login/password_downwards_compatibility = 0
# Initial / productive passwords expire after 180 days without use.
# NOTE(review): 180 days for an unused initial password is generous; a
# shorter value limits the window in which a leaked initial password works.
login/password_max_idle_initial = 180
login/password_max_idle_productive = 180
# Minimum length and minimum count per character class
login/min_password_lng = 10
login/min_password_lowercase = 2
login/min_password_uppercase = 2
login/min_password_digits = 2
login/min_password_specials = 2

# enable gateway proxy settings / Parameter only active if prxyinfo file exists!
gw/prxy_info = $(DIR_GLOBAL)$(DIR_SEP)$(FN_PRXY_INFO)
# DISABLED = no remote program start through the gateway at all
gw/rem_start = DISABLED
# Gateway security log, one file per instance and day (SWITCHTF=day)
gw/logging = ACTION=SEZPX LOGFILE=$(DIR_GLOBAL)/gw_log_$(SAPSYSTEMNAME)_$(SAPLOCALHOST)_$$_%y-%m-%d SWITCHTF=day

# https://launchpad.support.sap.com/#/notes/1848930
# 255 is default value with S/4HANA - prerequisite: prxyinfo
# 255 = every bit of the bit mask set, i.e. all gateway checks described
# in the note are active; the individual bits are explained there.
gw/reg_no_conn_info = 255

# According to https://launchpad.support.sap.com/#/notes/910918, the first matching entry is used
# example > cat /usr/sap/<SID>/SYS/global/prxyinfo
P SOURCE=xxxx,xxxx.xxxx.xxxx.com DEST=*.xxxx.xxxx.com

P SOURCE=xxxx,xxxx.xxxx.xxxx.com DEST=*.xxxx.xxxx.com

P SOURCE=xxxx,xxxx.xxxx.xxxx.com DEST=*.xxxx.xxxx.com
D SOURCE=* DEST=*
# in reginfo and secinfo verify the following:
No `TP=*` entries are allowed except for the last two lines, which must look like this:
Last lines in reginfo
P TP=* HOST=local CANCEL=local ACCESS=local
P TP=* HOST=internal CANCEL=internal ACCESS=internal
Last lines in secinfo:
P TP=* USER=* USER-HOST=local HOST=local
P TP=* USER=* USER-HOST=internal HOST=internal
