Security Guide - Omnichannel Point-Of-Sale - 7.4 (5.19.0) - en


SAP Omnichannel Point-of-Sale by GK

End-User Documentation: OmniPOS / Omnichannel Point-of-Sale – Security Guide

Security Guide

Version: 7.4 (5.19.0)


Copyright
© 2021 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or
transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

1. You may not use the SAP Material for a purpose competitive with SAP or its products unless otherwise
clearly permitted by applicable law.
2. You may not use the SAP corporate logo.
3. No use of other SAP trademarks is granted under this section. For information regarding use of SAP
trademarks, see http://www.sap.com/corporate/en/legal/trademark.html.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or
registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product
and service names mentioned are the trademarks of their respective companies.
Security Guide III

Table of contents
1 Introduction ... 1
2 Security of the Platform ... 1
2.1 Security Patches ... 1
2.2 Storage Protection ... 2
3 User Management and Authentication ... 2
3.1 Operating System Users ... 2
3.2 User Types ... 2
3.3 User Management ... 3
3.4 Authentication ... 3
3.5 Rights ... 3
4 Security in the Network ... 3
4.1 Network Security ... 3
4.2 Additional Security Guidelines for Decentralized Store Systems ... 4
4.2.1 Firewalls ... 4
4.3 Secure Communication Channels ... 4
5 Security of the Data Storage ... 5
6 Monitoring ... 5
7 Certification ... 5

1 Introduction
This document describes security-related topics for the following applications:

• POS (Thin, Fat)
• POS Service
• POS Server

In order to ensure the:

• confidentiality
• integrity
• availability
• and authenticity

of the data, all accesses to important information must be carried out in a controlled and traceable manner.

This Security Guide defines a framework for system and information security by explaining:

• the underlying rules
• the required processes
• the access rights
• the functions and responsibilities to be considered

For additional information on secure operation of the POS application, refer to the PA-DSS "Implementation
Guide".

2 Security of the Platform


2.1 Security Patches
Central POS Server
For the Central POS Server, there are no specific requirements for using security patches. For the applicable
security guides, refer to the following link: http://service.sap.com/securityguide

• SAP NetWeaver Security Guides 7.4 for DB platform and OS platform
• SAP NetWeaver Security Guides 7.4 Standalone Engine
• SAP NetWeaver Security Guides 7.4 (complete)
• SAP NetWeaver Security Guides 7.4
• SAP NetWeaver Security Guides 7.4 according to types of use
• Security Guide for the type of use AS
• SAP NetWeaver Security Guides (Application Server for Java)

POS

For the POS system, it is recommended to install the latest security fixes and patches for the system environment
that is certified for the product. In addition to this document, please refer to the Security Guides and security
patches provided by the manufacturer of your POS system.

Basic security guidelines for POS systems

Updates are especially required if vulnerabilities become known that have negative effects on the security of the
systems or if malfunctions occur repeatedly. Before performing an update, check the reliability of the new
components and their interaction with existing programs. Ideally, a dedicated test system is used for this. As an
alternative, the update can be tested on a single computer before rolling it out to the other systems.

From a security point of view, it is very important to regularly update operating system components and web
browsers, as such updates are regularly provided by the manufacturers. Such updates are almost always used to
fix current security vulnerabilities. If these updates are not performed, there is no protection against newer threats.
In most cases, mechanisms are provided ("automatic updates") that ensure that security-critical updates are
installed automatically and only from trusted sources. These indispensable mechanisms enable you to keep the
security of POS systems up to date with low administration effort.

2.2 Storage Protection

For the POS applications, there are no specific requirements for storage protection. For the applicable
security guides, refer to the following link: http://service.sap.com/securityguide

• SAP NetWeaver Security Guides 7.4 for DB platform and OS platform

3 User Management and Authentication


3.1 Operating System Users
The operating system users can be created, managed and deleted using:

• the local user configuration
• LDAP
• Microsoft Windows Active Directory (MS Windows only).

For additional information, refer to the security guidelines of the Security Guide:
http://service.sap.com/securityguide

• SAP NetWeaver Security Guides 7.4 for DB platform and OS platform

3.2 User Types

The different user types can be categorized into four groups:

• Users with access to the host system
• Users with access to SAP NetWeaver Java (Central POS Server only)
• Users with access to the used databases

Users with access to the host system

At least one user account with administrative rights for the installation of system services must exist to
install/uninstall the different services. The services require the anonymous system account, which is available in
the standard configuration of Microsoft Windows 2008 Server (see the Product Availability Matrix for which version
to use).

Users with access to SAP NetWeaver Java

For information on the general SAP NetWeaver user management, refer to the SAP NetWeaver Java Security
Guide.

Users with access to the used databases

After the installation, default accounts exist for access to the required database components. It is recommended to
change the predefined passwords of the used DBMS during the installation or immediately afterwards.

Standard users that are available after the installation are (Central POS Server only):

Operating system users

User                 Primary group
Administrator        Sapsys
<SAPSID>adm          Sapsys
SAPService<SAPSID>   Sapsys
sdb                  Sdba

SAP system users

User type                 User name       Comment
SAP system user (Java)    Administrator   The role J2EE_ADMIN is assigned to this user by default. The password of
                                          this user is saved in the secure storage. If you would like to change the
                                          administrator password, you must change the password in the secure
                                          storage as well.
SAP Web Dispatcher user   Webadm          This standard user receives the same rights as the SAP* user. The same
                                          password is valid as defined for the SAP* user.

No specific OS standard users are created for the POS Client during the installation. The security guides of the
respective operating system vendors apply.

3.3 User Management

Omnichannel Point-of-Sale applications use their own user management which is independent of the host's
operating system and of the SAP NetWeaver.
The users are imported using the corresponding interfaces.

3.4 Authentication
The authentication for users on the portal or on the POS Client is carried out by user name/password
authentication.

There are special security mechanisms for passwords:

• Passwords can expire after a defined period of time (configurable)
• A warning is displayed before password expiration (configurable)
• Access can be blocked if an incorrect password is entered several times (configurable)
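As an added illustration, not code from the guide or from GK/SAP, the following Python sketch models the three configurable password mechanisms listed above: expiry after a maximum age, a warning window before expiry, and lockout after repeated wrong passwords. The policy values (90 days, 7 days, 5 attempts), the account records and the two scenarios are constructed assumptions; the guide only states that the mechanisms exist and are configurable.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    # Assumed values for illustration; the guide only says they are configurable.
    max_age: timedelta = timedelta(days=90)     # password expires after this age
    warn_before: timedelta = timedelta(days=7)  # warn within this window before expiry
    max_failures: int = 5                       # lock the account at this many failures


@dataclass
class Account:
    password_changed: datetime   # when the current password was set
    failed_attempts: int = 0     # consecutive wrong passwords since last success
    locked: bool = False         # set once max_failures is reached


def password_state(acct, policy, now):
    """Classify the password age as 'ok', 'warn' (expiry imminent) or 'expired'."""
    age = now - acct.password_changed
    if age >= policy.max_age:
        return "expired"
    if age >= policy.max_age - policy.warn_before:
        return "warn"
    return "ok"


def record_login(acct, policy, now, password_ok):
    """Apply one login attempt and return the outcome the caller must enforce."""
    if acct.locked:                 # a locked account stays locked until reset
        return "locked"
    if not password_ok:             # wrong password counts toward the lockout threshold
        acct.failed_attempts += 1
        if acct.failed_attempts >= policy.max_failures:
            acct.locked = True
            return "locked"
        return "denied"
    acct.failed_attempts = 0        # correct password resets the counter
    return password_state(acct, policy, now)


def simulate_lockout(attempts=6):
    """Constructed scenario: a wrong password is entered repeatedly on one account."""
    acct = Account(password_changed=datetime(2021, 1, 1))
    now = datetime(2021, 1, 2)
    return [record_login(acct, PasswordPolicy(), now, False) for _ in range(attempts)]


def simulate_ageing(days=(30, 85, 95)):
    """Constructed scenario: correct logins at increasing password ages (in days)."""
    acct = Account(password_changed=datetime(2021, 1, 1))
    return [record_login(acct, PasswordPolicy(), acct.password_changed + timedelta(days=d), True)
            for d in days]
```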

3.5 Rights
The Omnichannel Point-of-Sale applications use the roles provided by Storemanager. The authorization concept
integrated in Storemanager is based on an assignment of rights to users carried out according to roles. Single roles
can be maintained by the user management integrated in Storemanager. The user import interface is used to
assign the roles to users.

4 Security in the Network

4.1 Network Security
Your network infrastructure is very important for the protection of your system. Your network must support the
communication that is necessary for your operating requirements without permitting unauthorized access. A
clearly defined network topology eliminates many security risks (at operating system level or application level)
that stem from software errors, and prevents attacks on the network, e.g. network sniffing. If users are unable to log
in to your application servers and database servers at operating system level or database level, attackers have no
way to misuse these systems or to access the database or files of the system. If users are not allowed to
connect to the server LAN (Local Area Network), they cannot exploit known errors or security vulnerabilities in
the server network services.
The individual SAP Omnichannel Point-of-Sale by GK applications communicate with the Central Services and
among each other via secure network connections.
In particular, the options below are used for the communication of the individual applications among each other:

• HTTPS (secure hypertext transport protocol)
• Basic authentication (enforces access controls for communication)

4.2 Additional Security Guidelines for Decentralized Store Systems

4.2.1 Firewalls
IT systems in the internal LAN of the store are only allowed to be connected to the Internet by using sufficient
security mechanisms. Such mechanisms are called "Firewalls".
A firewall controls the network connections between the company network and the Internet and blocks all
connections that are not explicitly declared as "allowed". Firewalls are available in various models and at different
prices, ranging from broadband routers with an integrated packet filter firewall to high-performance firewall
appliances with different protection zones. They differ greatly regarding performance and protective effect:

• Devices with packet filter firewalls are very simple firewalls that provide only a limited amount of protection
with a low flexibility. These firewalls are mainly intended for the protection of private PCs and are
unsuitable for use in a store network.
• Multi-functional firewalls, often called security appliances, offer several services in addition to the firewall
functionality. They are typically used to provide secure access for remote administration. Some of these
devices can search for viruses in the network traffic or even repel spam emails. In the case of usual
requirements, they are suitable for small or medium-sized stores.
• Complex firewall systems are used when it is necessary to secure important company applications – e.g.
publicly accessible web and database servers – when a large number of users access high-performance
Internet connections, or when the highest possible availability is to be achieved by a redundant (double)
firewall design.

Each firewall must be installed and configured correctly, in order to effectively provide protection. Furthermore, it
must be continually administered. The following basic rules must be fulfilled:

• Each communication between the store network and Internet must always be carried out via the firewall. It
is not allowed to bypass the firewall via modem, WLAN or mobile Internet connections.
• Regular security-related updates of the firewall software are necessary to prevent a vulnerability in the
firewall from jeopardizing the whole store network.
• The firewall configuration and administration requires a secure connection. Internet attackers must not be
able to change or read out the firewall configuration. The access must also be limited to authorized
persons of the store network.
• The firewall configuration must be documented. This document must be updated after each modification.
The reason, time and the name of the executing employee must be noted in the event of configuration
changes.
• A correctly configured firewall only allows connections that are absolutely necessary and actually used. All
other connections are blocked.

4.3 Secure Communication Channels

The Omnichannel Point-of-Sale applications communicate via secure communication connections.
In addition, it is possible to secure the complete communication between GK components via a virtual private
network (VPN).

5 Security of the Data Storage

Data                  Storage location   Protected by
Configuration data    File system        System security concept
User data             Database           Security concept of the DBMS
Temporary data        File system        System security concept
Log data and traces   File system        System security concept

For further information on the data storage security, please refer to the corresponding sections in the respective
security guides at http://service.sap.com/securityguide

• SAP NetWeaver Security Guides 7.4 for DB platform and OS platform
• SAP NetWeaver Security Guides 7.4 Standalone Engine
• SAP NetWeaver Security Guides 7.4 (complete)
• SAP NetWeaver Security Guides 7.4
• SAP NetWeaver Security Guides 7.4 according to types of use
• Security Guide for the type of use AS
• SAP NetWeaver Security Guides (Application Server for Java)

6 Monitoring
• Security-related trace and log files, see Operation Guide
• Central monitoring, see Operation Guide

7 Certification
The Omnichannel Point-of-Sale application is certified for PA-DSS 3.2.
Contact
GK SOFTWARE SE
Waldstraße 7
08261 Schöneck
Germany

Tel.: +49 (0) 3 74 64 84 – 0
Fax: +49 (0) 3 74 64 84 – 15
Email: [email protected]
www.gk-software.com