1. Copyright © 2003 Americas’ SAP Users’ Group Session 4904 SAPConsole an End-to-End Security Implementation Chris Kralovansky NIBCO INC. Technical Analyst - SAP Basis & Security Monday, May 19, 2003

2. Objectives  Share project approach, key questions, and deliverables every customer should think about when undertaking an SAPConsole implementation  Discuss approaches to physical and logical security in an SAPConsole implementation  Develop an understanding of end-to-end security considerations for an SAPConsole implementation in a wireless environment

3. Agenda  NIBCO company background  NIBCO’s data collection technology evolution  SAPConsole implementation plan  SAPConsole physical and logical security consideration  Lesson learned

4. Background – NIBCO INC  Founded in Elkhart, IN in 1904  Fourth generation family- owned company  Twelve (12) manufacturing facilities throughout the U.S., Mexico, and Poland  Five (5) distribution centers: (4) U.S. and (1) Poland

5. Background – NIBCO INC  Employs 2900+ associates world-wide  Websites: www.nibco.com www.nibco.com.pl www.tolco.com www.nibcopartner.com

6. Manufacturer of: Background – NIBCO INC

7. NIBCO’s SAP Implementation History  1996 - SAP selected as the sole provider of business systems for NIBCO  Oct. 1996 – Formation of NIBCO’s SAP implementation team (T.I.G.E.R.)  Dec. 1997- Big-bang implementation  Release 3.0F  19 Locations (manufacturing and distribution)  Modules – FI/CO/CO-PA/PCA/SD/MM/PP/WM/SD  Norgistics (N/3) – Data Collection Middleware

8. NIBCO’s SAP Implementation History  Upgrades  March 1999 - Release 4.0B  March 2001 – Release 4.6C  Support Packages 2-3 times per year

9. NIBCO’s SAP Implementation History  Additional Locations  May 2000 - International Distribution Center  May 2002 – NIBCO Sp.z.o.o. – Poland Manufacturing, Distribution, Sales, Finance, Payroll In-bond locations  (2) locations in Poland  (2) locations in Hungary  (2) locations in Ukraine

10. NIBCO’s SAP Implementation History  Additional Functionality  December 1999 – Introduced eNIBCO a suite of customer facing eCommerce offerings  April 2000 – HR-Payroll – U.S.  2000 – Replaced Norgistics (N/3) with CIM Concepts Data Integrator for R/3 – Data Collection Middleware  May 2002 – Localized Polish implementation  December 2002 – SAPConsole goes LIVE  May 2003 – SAP Business Warehouse (Unicode)  June 2003 – HR-Payroll – Reynosa, Mexico  June 2003 - Time & Attendance – Reynosa, Mexico

11. NIBCO’s SAP Implementation History  Tolco Support Systems Acquisition – June 2002  Corona, CA  Houston, TX  Sacramento, CA  SAP HRMS Live – June 2002  SAP Operational – November 2002

12. NIBCO’s Data Collection Technology Evolution

13. NIBCO Data Collection Technology Evolution …….so why did NIBCO change data collection middleware solutions????  Business strategy –  Utilize SAP products to solve business problems  Leverage SAP investment and relationship  Architectural & technical strategy  Complete the transition from an off-line, interfaced solution to an on-line, integrated solution  Utilize SAP as the core data repository  Leverage SAP programming language and security skills Manage Total Cost of Ownership

14. SAPConsole Implementation Scope  Initial implementation was a wireless, manufacturing shop floor application pilot at one NIBCO facility  Develop an understanding of the of SAPConsole technology deployment  Develop support processes required to manage SAPConsole in a 7x24 environment  Develop a robust, secure, infrastructure to support SAPConsole in a wireless environment  Develop security management processes which meet the “real” business requirements of the operation  Develop a training approach for SAPConsole transaction deployment

15. ..... so what is so hard about that????

16. …………… Well nothing really, but there are challenges that every company needs to consider!!!

17. SAPConsole Project Considerations What were the challenges? OK, what did we argue over??  How do we adequately secure our wireless infrastructure?  How will we allow terminals to bypass NT authentication?  How will we maintain SAP userids?  How will we support SAP password changes?  What SAP user type will be assigned?  What standards do we use for userids and passwords?  Do we delegate SAP security administration to our remote locations?  How will we add / revoke SAP Console specific security at a moments notice?  How will we support the administration of userid’s needing LM01 access?  How will we manage various data collection device screen sizes?

18. SAPConsole Physical Security  Wireless security infrastructure  Intermec - DCS300 Controllers, 2100AP, 6400 and 2455 terminals  Changed network name and eliminated broadcasts  Rationalized the use of WEP: 64 bit vs. 128 bit - Understand your devices capabilities Work with your partners –  Worked with Peak Technologies and Intermec to develop an approach (Wireless security whitepaper) If you fail to plan for wireless security your network will be hacked!!  Cisco firewall technology  Authorized the data collection devices through the firewall by IPaddress  Utilized VPN for wireless PC’s  Treat the 802.11B wireless infrastructure like internet utilizing WEP encryption and firewall technology to “isolate” the network

19. SAPConsole Physical Security

20. SAPConsole Infrastructure Struggles  Implemented SAPConsole Version 620 which fixed many challenges:  Password changes at logon vs. an every 90 day parade  Logoff confirmation  Application messages are complete  User can select a memorable, personal password  Allows user to logon to multiple devices – this can also be prevented  Utilize Georgia SoftWorks for device telnet to SAPConsole application – Manages NT authentication process

21. SAPConsole Logical Security  Wasted time trying to develop special rules for SAPConsole users because of “special needs”  “We need to use a different userid and password standard for the floor people!”  “We need to develop our own authentication and application security tools for SAPConsole!”  “We can’t make them change their passwords every 90 days!”  “We need userid’s, and activity groups at a moments notice!”  “People come off the street, pick, pack and ship products!” Do not abandon your current security administration processes, if they work today then use them!!!

22. SAPConsole Logical Security  What did we do?  Utilized existing userid & password standards  Built SAP security roles by location and task  Utilized existing processes for establishing and maintaining userid’s and activity groups  Leveraged PID’s to drive higher transactional efficiencies for the SAPConsole user  Added processes to maintain the table for LM01 security in production client (SM30) Building a transaction for de-centralized table maintenance of LRF_WKQU

23. Key SAPConsole Information Sources  OSS Note Components  LE-MOB Mobile Devices  BC-FES-CON SAP Console  OSS Note #380399  Multiple logons in RF transactions  OSS Note #507542  SAPConsole: Logoff & change password screens  OSS Note # 524881  SAPConsole security problem on WIN NT/2000 server  OSS Note #515874  Table LRF_WKQU Customizing or Master Data?

24. SAPConsole - Lessons Learned  SAPConsole implementation is more than about deploying a transaction to a wireless device  Understand and plan a secure, wireless infrastructure before you start  Understand your ”real” security requirements for SAP user administration – if you have solid processes use them  Get and stay current on SAPConsole – SAP continues to enhance the functionality  Track your implementation and validate that your security approach meets your company needs

25. Copyright © 2003 Americas’ SAP Users’ Group Thank you for attending! Please remember to complete and return your evaluation form following this session. Session Code: 4904