bowbridge Anti-Virus 4.x - Installation Guide

1.Welcome

Welcome to the Installation Guide for bowbridge Anti-Virus 4.x for SAP solutions.

This guide will take you through the installation process at the OS layer for several common deployment options on a step-by-step basis.
For the sake of conciseness, Linux and UNIX will be treated as one and referred to as UNIXes.

 

2.Planning The Installation

Before installing bowbridge Anti-Virus 4.x, we recommend determining the required components, validating resources, and verifying system and network access privileges.

2.1.System Requirements

Supported Operating Systems – VSA client

  • Linux (SLES 12 or higher, RHEL7 or higher)
  • Windows Server 2016 or higher
  • AIX 7.2
  • Oracle Solaris 10 or higher (on SPARC or x86_64)

Supported Operating Systems – control and scan workers

  • Linux (SLES 12 or higher, RHEL7 or higher)
  • Windows Server 2016 or higher (ETA Q4/2023)
  • AIX 7.2 (ETA Q4/2023)
  • Solaris 10 or higher on SPARC or x86_64 (ETA Q4/2023)
    
    

Disk-space

  • VSA-client: 1GB
  • message broker: ~1GB
  • bowbridge control: ~100MB
  • MIMEscan security worker: ~100MB
  • Active Content Detection security worker: ~100MB
  • Archive Extractor security worker: ~100MB
  • Anti-malware security worker – McAfee: ~1GB
  • Anti-malware security worker – SOPHOS: ~1GB
  • ICAP Client security worker: ~100MB
  • ClamAV security worker: ~100MB

Memory (RAM) at runtime:

  • VSA-client: 1MB per SAP work process or Server-thread
  • message broker: up to 100MB
  • bowbridge control: up to 80MB
  • MIMEscan security worker: 60MB
  • Active Content Detection security worker: 60MB
  • Archive Extractor security worker: 50MB
  • Anti-malware security worker – McAfee: 550MB
  • Anti-malware security worker – SOPHOS: 400MB
  • ICAP Client security worker: 50MB
  • ClamAV security worker: 50MB

2.2.Identifying Required Modules

Thanks to its modular architecture, the installation of bowbridge Anti-Virus 4.x can be adapted to the individual requirements in your environment. Hence, while some modules are required, others are optional.

Most modules can be deployed in several ways:

Component                                   Minimum instances          Supported installation options
                                                                       SAP application server | separate host/VM | container
VSA client                                  1                          +                      |                  |
bowbridge message broker                    exactly 1                  +                      | +                | +
bowbridge Control                           exactly 1                  +                      | +                | +
bowbridge Scan Proxy                        1                          +                      | +                | +
MIMEscan security worker                    1                          +                      | +                | +
Active Content Detection security worker    1                          +                      | +                | +
Archive Extractor security worker           1                          +                      | +                | +
Anti-malware security worker – McAfee       1 per licensed AV-engine   +                      | +                | +
Anti-malware security worker – SOPHOS       1 per licensed AV-engine   +                      | +                | +
ICAP Client security worker                 1 per licensed AV-engine   +                      | +                | +
EPOlogger worker                            0                          two of the three options (1)
EVENThandler worker                         0                          two of the three options (1)
Quarantine worker                           0                          two of the three options (1)

(1) Two of the three installation options are supported for these optional workers; which two is not recoverable from this copy of the table.

 

2.3.Connectivity Requirements

Inter-module communication

TCP network connectivity on one distinct port (default TCP/5672) is required between the modules and the message broker. Only the broker opens this port for listening; all other components initiate outgoing connections to the message broker and do not open any listening sockets.

Automatic download of updates

For the bowbridge Anti-Virus 4.x deployment to automatically update virus data and/or program binaries, network access to an update source must be permitted.
If direct HTTPS access to the internet is not possible, bowbridge Anti-Virus supports using a Web Proxy with or without authentication.
Customers may choose to deploy a “local update service,” a scope-limited replica of the bowbridge update servers. The local update service retrieves updates from the internet and makes them available internally.

bowbridge CloudScan Proxy

When using the bowbridge CloudScan Proxy service, outgoing connections to an assigned CloudScan Message Broker must be allowed on the port in the assigned Broker URL.

3.Performing the installation (Linux/UNIX)

3.1.Pre-installation Tasks

Download the latest bowbridge Anti-Virus 4.x installer for your operating system platform from the bowbridge website and transfer it to the target system.


RECOMMENDATION:

Transfer the installer to SIDadm’s home directory or a temporary directory on the target server. Do not yet create the final target directory; do not run the installer from within the designated target directory.


Please have the RealmID you wish to use handy.

If the components requiring installation include the message broker, then ensure you can access the bowbridge customer portal, so you can generate the broker’s TLS certificate in the portal.

 

When ready to perform the installation, extract the installer by running

gunzip install_bowbridge_anti-virus_<version>_<build>_<OS>_<platform>.sh.gz

Note: replace <version>, <build>, <OS>, and <platform> with the values in your installer filename.

3.2.Common Installation Tasks

Interactive installation

Navigating the interactive installer

As a terminal-based application, the interactive installer is navigated using the keyboard.

  • Use the cursor keys to move up and down within a selected field
  • Use the SPACE key to select/unselect options, such as radio buttons or checkboxes
  • Use the TAB key to move to the next section, option, or button.
  • Use the ENTER key to “push the button” that is currently in focus.

RECOMMENDATION:

bowbridge Anti-Virus can be installed with SIDadm privileges only, but installing the product as root is highly recommended for best performance and stability.


 

Basic installation steps

Start the installer by running the following:

sudo ./install_bowbridge_anti-virus_<version>_<build>_<OS>_<platform>.sh

After an initial check of the required packages, the interactive installer will guide you through the installation process.

Checking prerequisites

You may see a message indicating that the optional component cyrus-sasl-scram is not available. SASL-SCRAM is a plugin to the SASL authentication framework used by the message broker. You may safely ignore the notice; authentication will fall back to SASL-PLAIN. As all communication between the modules is TLS-encrypted, even SASL-PLAIN authentication is protected from eavesdropping on the wire. The modules automatically choose the most secure way of communication: if SASL-SCRAM is available on both the sender and the receiver, it is chosen over SASL-PLAIN.

Select the “Install” option.

When executed as root, the installer requires the SIDadm user so that file ownership can be adjusted after the installation finishes.

Provide the name of the SIDadm user.

Provide the installation path.

 

For a local deployment, with all modules running on the SAP application server, select “Local” and continue with the section Local Deployment.

For a distributed deployment, with some or all modules running on separate hosts, select “Distributed” and continue following the section Distributed deployment.

3.3.Local Deployment

All modules or Selected Modules?

Select whether you would like to deploy all available modules or only a selection of them.

 


RECOMMENDATION:

For an evaluation installation, we recommend installing all modules so administrators have the option to try the full functionality. For production deployments, choose “Selected” and only install the required modules.


 

Select Modules to install

Select the modules to install (see “Identifying Required Modules”).

Enter RealmID

Enter the RealmID of the installation

 

Accept EULA

Administrators must accept the EULA before the installation starts.

If you opted to install the quarantine handler, please enter the base-path for your quarantine. Inside that base-path folder, sub-folders for your Realm-ID and the SID(s) will be created when the first quarantined file is stored.

Enter Quarantine base directory

Generating the broker certificate

If the broker is among the modules to install, the interactive installer will guide you through the process of creating a certificate for the encryption and authentication of the broker.

Generate the CSR

The installer generates an RSA keypair and will display a Certificate Signing Request (CSR) for the public key. This ensures the private key never leaves the server.

Display the CSR

The CSR is displayed in a plain text terminal so it can be copied to the clipboard.

Log-in to the bowbridge customer portal and open the “Certificates” tile. At the top of the table of existing certificates for the organization in question, clicking the “Create” button will open a dialogue box where the CSR can be inserted.

Paste the CSR in the customer Portal

Upon submitting the CSR, an X.509 certificate for the server is created, signed by the bowbridge Certificate Authority, and added to the list of certificates.

Display the newly created certificate and copy it to the clipboard.

Copy the Certificate

When asked to do so by the installer, paste the certificate into the open editor and close the editor (vi) by pressing the ESC-key and entering :wq and then pressing ENTER.

Paste the certificate

As the last step in creating the certificate, the installer checks the certificate is valid.

Certificate verified

 

Proceed to the section Services Configuration.

 

3.4.Distributed Deployment

 


IMPORTANT:

When deploying a distributed installation, the message broker must be deployed first. It may be deployed alongside other components but must be deployed before deploying other modules. The broker setup will generate credentials that will be needed to deploy other modules.


 

Select Modules to install
Select the modules to install on this host.

 

Installing the Message Broker (and co-located workers)

Assign message broker name

If the broker is to be deployed, please provide a name for the broker instance. The name must not contain spaces or special characters.

Provide message broker hostname

Enter the message broker name

 

 

Generating the broker certificate

If the broker is among the modules to install, the interactive installer will guide you through the process of creating a certificate for the encryption and authentication of the broker.

Generate the CSR

The installer generates an RSA keypair and will display a Certificate Signing Request (CSR) for the public key. This ensures the private key never leaves the server.

Display the CSR

The CSR is displayed in a plain text terminal to be copied to the clipboard.

Log in to the bowbridge customer portal and open the “Certificates” tile. At the top of the table of existing certificates for your organization, clicking the “Create” button will open a dialogue where the CSR can be inserted.

Paste the CSR in the customer portal

Upon submitting the CSR, an X.509 certificate for the server is created, signed by the bowbridge Certificate Authority, and added to the list of certificates.

Display the newly created certificate and copy it to the clipboard.

Copy the Certificate from the portal

When asked to do so by the installer, paste the certificate into the open editor and close the editor (vi) by pressing the ESC-key and entering :wq and then pressing ENTER.

Paste the Certificate into vi

As the last step in creating the certificate, the installer checks the certificate is valid.

Certificate verified
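The two certificate procedures above (Local Deployment and Distributed Deployment) both end with the installer checking that the pasted certificate is valid. The following script is an added example, not part of the bowbridge installer or product: it shows, with the openssl command-line tool, the two checks an administrator can run by hand before pasting a certificate, namely that the certificate's public key matches the private key whose CSR was submitted, and that the certificate chains to the expected root. The key, CSR and issuing CA are constructed in a temporary directory; the self-signed root stands in for the bowbridge Certificate Authority, which the example does not contact.

```sh
#!/bin/sh
# Added example, not part of the bowbridge installer: before pasting a certificate
# returned by a CA into the installer, confirm that it belongs to the private key
# whose CSR was submitted and that it chains to the expected root. The key, CSR
# and issuing CA below are constructed in a temporary directory; the self-signed
# root stands in for the bowbridge Certificate Authority, which this example
# does not contact. Requires the openssl command-line tool.

set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Generate an RSA keypair and a CSR for its public key. As with the installer,
# only the CSR is meant to leave the host; the private key stays in WORKDIR.
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/broker.key" -out "$WORKDIR/broker.csr" \
        -subj "/CN=broker.example.invalid" >/dev/null 2>&1
}

# Constructed stand-in CA (NOT the bowbridge CA): a self-signed root that signs the CSR.
make_stub_ca_and_sign_csr() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
        -subj "/CN=Stub Root CA (constructed)" >/dev/null 2>&1
    openssl x509 -req -in "$WORKDIR/broker.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -days 30 -out "$WORKDIR/broker.crt" >/dev/null 2>&1
}

# Return 0 when the public key inside the certificate ($1) is the one derived from
# the private key ($2); the comparison is made on SHA-256 digests of the DER encodings.
cert_matches_key() {
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)"
    key_pub="$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)"
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate ($1) verifies against the CA root ($2): signature and validity period.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Stand-alone run: build the material, then report both checks.
make_key_and_csr
make_stub_ca_and_sign_csr
cert_matches_key "$WORKDIR/broker.crt" "$WORKDIR/broker.key" && echo "certificate matches the private key"
cert_chains_to_ca "$WORKDIR/broker.crt" "$WORKDIR/ca.crt" && echo "certificate chains to the CA root"
```

Running the script end-to-end prints both confirmations; a certificate issued for a different key, or signed by a different root, fails the respective check. For a real installation the root to verify against is the bowbridge CA root certificate, not the constructed one.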

 

Enter Quarantine Base-directory

If the option is chosen to install the quarantine handler, please enter the base-path for the quarantine. Inside that base-path folder, sub-folders for the Realm-ID and the SID(s) will be created when the first quarantined file is stored.

Creating the services configuration

Unless explicitly chosen otherwise, bowbridge Anti-Virus 4.x will run the scan workers as services controlled by the Operating System. On Linux, they are implemented as systemd-services, and on AIX as subsystems.

Deploy Services

 


RECOMMENDATION:

bowbridge recommends automatically starting the services when the OS boots. This ensures they are already running when the SAP instance starts, which results in a faster start of the SAP instance and further reduces the overall management and monitoring overhead.


Enable Services auto-start

 

By default, controlling OS-controlled services/subsystems requires root privileges, which SIDadm may not have access to.
Therefore, the installer can create itemized sudoers entries in your sudo configuration. They allow SIDadm to control the bowbridge services with sudo without specifying the root password. Please note that the scope of these sudoers entries is limited to the bowbridge services only and does not allow SIDadm to control any other OS-level services.

Add sudoers entries?

 

Upon completion of the installation, a summary is displayed. It contains the INIT parameters as they should be set in the SAP-level configuration.

Installation Summary

This summary is stored in the bowbridge_installation_summary.txt file in the current directory.

The installation log is stored in /tmp/bowbridge_installation.log

 

Installing workers not co-located with the message broker

Once a message broker is installed, it is possible to add worker modules to the installation using the authentication credentials created by the broker at install-time.

The installer is run as in the other deployment scenarios; the module(s) to install on this host can then be selected.

During the installation the DNS-resolvable hostname of the broker and the name of the broker instance must be provided.
These details are available for review in the bowbridge_installation_summary.txt file on the host where the broker is installed.

 

Enter RealmID

Enter the RealmID of the installation

 

Accept EULA

Administrators must accept the EULA before the installation starts.

Enter broker password for the worker

Provide the broker password for the respective component. It, too, is stored in the bowbridge_installation_summary.txt file on the broker host.

Enter Quarantine Base directory

If the quarantine handler is being installed, please enter the base-path for the quarantine. Inside that base-path folder, sub-folders for the Realm-ID and the SID(s) will be created when the first quarantined file is stored.

 

Installing the Virus Scan Adapter (VSA) shared libraries on the SAP application server host

After a message broker and the desired scan workers are deployed, the VSA shared libraries must be installed on every application server in order for them to connect to the scanning server(s).

Run the installer script and choose “Installation” and “Distributed”

Select only the “VSA shared libraries” option and proceed with OK.

Specify the target directory for the shared libraries. bowbridge recommends installing them to /opt/bowbridge or /usr/sap/bowbridge. However, installation into any directory is possible, as long as the target directory is consistent across all instances of the SAP system.

Accept the EULA

The installation then completes within a few seconds.

 

Proceed to the section Services Configuration.

3.5.Services Configuration

Unless explicitly chosen otherwise, bowbridge Anti-Virus 4.x will run the scan workers as services controlled by the Operating System. On Linux, they are implemented as systemd-services, and on AIX as subsystems.

Deploy Services?


RECOMMENDATION:

bowbridge recommends automatically starting the services when the OS boots. This ensures they are already running when the SAP instance starts, which results in a faster start of the SAP instance and further reduces the overall management and monitoring overhead.


Enable Services

By default, controlling OS-controlled services/subsystems requires root privileges, which SIDadm may not have access to.
Therefore, the installer can create itemized sudoers entries in your sudo configuration. They permit SIDadm to control the bowbridge services with sudo without specifying the root password. Please note that the scope of these sudoers entries is limited to the bowbridge services only and does not permit SIDadm to control any other OS-level services.

Add sudoers entries?
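The value of the itemized sudoers entries described above (and in the identical recommendation under Distributed Deployment) lies in their narrow scope, which is worth re-checking whenever the sudo configuration is touched later. The following shell script is an added example, not produced by the bowbridge installer: it reads a sudoers fragment and rejects any NOPASSWD rule that is not systemctl start/stop/restart/status on a single bb-av-<name>.service unit. Both fragments in the script are constructed, and the unit-name pattern bb-av-*.service is an assumption generalised from bb-av-control.service; adjust it to the unit names your installation actually created.

```sh
#!/bin/sh
# Added example, not from the bowbridge installer: audit a sudoers fragment so that
# every NOPASSWD rule granted to the SAP administrator only controls bowbridge
# service units. Both fragments below are constructed. The unit-name pattern
# bb-av-*.service is an assumption generalised from bb-av-control.service.

set -eu

TMP="$(mktemp -d)"
trap 'rm -rf "$TMP"' EXIT

# Constructed fragment as the installer is described to produce it: itemized rules only.
cat >"$TMP/bowbridge-scoped" <<'EOF'
# bowbridge Anti-Virus service control for prdadm (constructed sample)
prdadm ALL=(root) NOPASSWD: /usr/bin/systemctl start bb-av-control.service
prdadm ALL=(root) NOPASSWD: /usr/bin/systemctl stop bb-av-control.service
prdadm ALL=(root) NOPASSWD: /usr/bin/systemctl restart bb-av-control.service, /usr/bin/systemctl status bb-av-control.service
EOF

# Constructed fragment in which one rule has drifted out of scope (wildcard unit name).
cat >"$TMP/bowbridge-broad" <<'EOF'
prdadm ALL=(root) NOPASSWD: /usr/bin/systemctl start bb-av-control.service
prdadm ALL=(root) NOPASSWD: /usr/bin/systemctl restart *
EOF

# A command is in scope only if it is systemctl by absolute path, one of four verbs,
# and exactly one bb-av-<name>.service unit (no wildcards, no extra arguments).
ALLOWED_RE='^/usr/bin/systemctl (start|stop|restart|status) bb-av-[A-Za-z0-9_-]+\.service$'

# Print every command granted by NOPASSWD rules, one per line, comments dropped.
granted_commands() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD:' \
        | sed 's/.*NOPASSWD:[[:space:]]*//' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Print the number of granted commands that fall outside ALLOWED_RE.
count_out_of_scope() {
    granted_commands "$1" | grep -Ecv "$ALLOWED_RE" || true
}

# Return 0 when the fragment is fully scoped; otherwise list offenders on stderr and return 1.
check_sudoers_scope() {
    offenders="$(granted_commands "$1" | grep -Ev "$ALLOWED_RE" || true)"
    if [ -n "$offenders" ]; then
        printf 'out-of-scope sudo rule(s) in %s:\n%s\n' "$1" "$offenders" >&2
        return 1
    fi
}

# Stand-alone run: the scoped fragment passes, the broad one is rejected.
check_sudoers_scope "$TMP/bowbridge-scoped" && echo "scoped fragment: OK"
check_sudoers_scope "$TMP/bowbridge-broad" || echo "broad fragment: rejected"
```

Point check_sudoers_scope at the fragment the installer wrote (typically a file under /etc/sudoers.d; the exact name is not given in this guide) to confirm that SIDadm still cannot control any other OS-level service through it.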

Upon completion of the installation, a summary is displayed. It contains the INIT parameters as they should be set in the SAP-level configuration.

Installation Summary

This summary is stored in the bowbridge_installation_summary.txt file in the current directory.

The installation log is stored in /tmp/bowbridge_installation.log

3.6.Post-installation Tasks

Typically, after the installation, administrators must perform several post-installation tasks to activate and customize the raw installation.

  • Add and map licenses.
  • Set/verify the event-handler configuration
  • Set/verify log settings
  • Set/edit update settings

 

3.6.1.Licenses

A bowbridge Anti-Virus license controls what services and features can be used by a VSA client.

Each license is valid for a defined number of application servers of a given SAP SID. In on-premises installations, the administrator adds licenses to a “pool” of licenses for a given RealmID and maps license instances to individual hostname-and-SID combinations.

 

License management

In Anti-Virus 4.x, licenses are managed centrally by the bowbridge Control module.

It stores all licenses in the license pool related to the RealmID and manages the mapping of available licenses to VSA client instances of a specific Installation ID.

License operations are performed with the bb-license command-line tool, which is part of the Tools package.


NOTE:

When performing license operations as SIDadm, the connection settings to the broker are taken from the .bowbridge file created by the installer in SIDadm’s home directory.
If you wish to use other/different connection settings, please provide the respective command-line parameters:

--realm-id <Realm-ID (=INITLICENSE_PATH)>
--broker-url <broker URL>
--broker-name <name>
--broker-password <password>
--broker-cert <path to the bowbridge CA root certificate>

For the sake of conciseness, these parameters are omitted in the examples below, and it is assumed the configuration from the .bowbridge-file is used.


 

Showing all licenses managed by your control instance

./bb-license showlicensepool returns a list of all licenses currently added to the license pool.

bb-license showlicensepool

 

Adding a license to control’s license pool

bb-license addlicense <license-file name> adds a license to the license-pool of the current realm.

 

Deleting a license from the license pool

bb-license deletelicense <LicenseID> will, after requesting a confirmation, permanently remove a license and all related mappings from the license pool

 

Displaying the details of a specific license

bb-license showlicensedetails <LicenseID> will display the license details, such as the features, the expiration date, and the list of hostnames it is currently mapped to.

bb-license showlicensedetails

 

Mapping a license-instance to a hostname

To activate an instance of a license for a specific VSA, mapping a license instance to the SID@hostname combination is required.

bb-license addmapping <LicenseID>:<SID>@<hostname>

 

Showing all existing mappings

In addition to viewing the hostnames a specific license is mapped to with bb-license showlicensedetails, it is also possible to view all mappings for the current realm with:

bb-license showmappings


 

Deleting a license-to-hostname mapping

If the hostname of one of your SAP system hosts changes, re-assigning a license may be necessary.
In that case, delete the current mapping with

bb-license deletemapping <LicenseID>:<SID>@<hostname>

 

3.6.2.Configuration Management

Realms

Realms are a new concept in bowbridge Anti-Virus 4.x. They allow for the grouping of multiple installations and assigning configuration parameters to all installations that are part of the group. These include scan parameters, MIME type-to-extension mappings, MIME type translations, and active-content settings.

These settings are stored and maintained at the level of the bowbridge Control module. VSA clients retrieve the configurations at startup, so storing, maintaining, and updating the settings on individual application servers is no longer required.

Typically, all application servers of one Organizational Unit, one Department, or one system line (DEV, QA, PROD, SBX, etc.) would share a Realm (identified by a globally unique RealmID), so parameters set at the Realm level would apply to all systems in that realm.

For more granularity, administrators can add another layer of settings specific to an SID within the context of a Realm. For example, administrators could set up a realm for their SAP CRM system, specifying settings applicable to the entire system line. If they want a slightly different set of settings for the Production SID, they can create a configuration that applies only to the Production SID of the CRM system.

Hierarchical configurations

bowbridge Anti-Virus 4.x supports hierarchical configurations, specifically scan parameters, MIME type-to-extension mappings, MIME-type translations, and active-content settings. Administrators may assign parameters to apply to all installations, to only installations of a certain realm (i.e., system line), or even to only a specific SID within a realm.

In detail, the layers are:

  • default.default: Settings defined as default will apply to all systems unless overruled by settings in a more specific layer
  • RealmID.default: If defined, settings specified in this layer apply to all systems sharing the same RealmID unless overruled by SID-specific settings or parameters passed via the VSI API.
  • RealmID.SID: If defined, these settings apply to all application servers of the given SID that share the given RealmID, i.e., all application servers of one specific SAP system, unless overruled by parameters passed via the VSI API.

After installing the product, only the default.default versions of the configuration files exist in the config subdirectory on the host running the bowbridge Control module:

  • <bowbridge-base-directory>/config/activecontent/active content.default.default
  • <bowbridge-base-directory>/mime/mimetype_to_extensions_mappings.default.default
  • <bowbridge-base-directory>/mime/mime_translations.default.default
  • <bowbridge-base-directory>/vsa/scan.default.default

These configuration files are plain-text, human-readable, and extensively commented files.

To add a configuration for a realm or a realm+SID combination, duplicate the default.default configuration and modify it as necessary.

The Control Module monitors and detects changes to the configuration files and notifies workers of relevant changes, triggering a re-loading of the configuration. Only the VSA needs to be re-initialized, in order to reload the configurations. This is best achieved by clicking the “Load” button in transaction VSCAN, or periodically by setting an automatic re-init interval in transaction VSCAN or the Virus Scan Provider configuration in NetWeaver Administrator.
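As an added illustration of the layering described above (example code, not part of bowbridge Anti-Virus), the following shell script builds three constructed configuration layers for a realm CRM01 and resolves a parameter the way the description implies: the RealmID.SID file wins, then RealmID.default, then default.default. The KEY=VALUE layout and the parameter names MAX_FILE_SIZE_MB and BLOCK_ENCRYPTED are assumptions; the guide only describes the files as plain-text and commented.

```sh
#!/bin/sh
# Added example, not bowbridge code: resolve which configuration layer supplies a
# parameter, following the default.default < RealmID.default < RealmID.SID order
# described in the guide. The file layout (KEY=VALUE, '#' comments) and the
# parameter names are constructed assumptions; the real files are only described
# as plain text and commented.

set -eu

CONF="$(mktemp -d)"
trap 'rm -rf "$CONF"' EXIT

# Constructed layers for a realm "CRM01" with SIDs PRD and DEV.
cat >"$CONF/scan.default.default" <<'EOF'
# defaults that apply to every system unless overruled
MAX_FILE_SIZE_MB=100
BLOCK_ENCRYPTED=no
EOF
cat >"$CONF/scan.CRM01.default" <<'EOF'
# realm-wide override for all SIDs in CRM01
MAX_FILE_SIZE_MB=250
EOF
cat >"$CONF/scan.CRM01.PRD" <<'EOF'
# SID-specific override for the production system only
BLOCK_ENCRYPTED=yes
EOF

# Print the value of KEY ($2) from FILE ($1), or nothing if the key is absent or the file is missing.
read_key() {
    [ -f "$1" ] || return 0
    grep -v '^[[:space:]]*#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-
}

# Print "<value> <layer>" for KEY, consulting the most specific layer first:
# <base>.<realm>.<sid>, then <base>.<realm>.default, then <base>.default.default.
# Returns 1 when no layer defines the key.
resolve_param() {
    base="$1"; realm="$2"; sid="$3"; key="$4"
    for layer in "$realm.$sid" "$realm.default" "default.default"; do
        value="$(read_key "$CONF/$base.$layer" "$key")"
        if [ -n "$value" ]; then
            printf '%s %s\n' "$value" "$layer"
            return 0
        fi
    done
    return 1
}

# Stand-alone run: the realm layer supplies the size limit, the SID layer the encryption policy.
resolve_param scan CRM01 PRD MAX_FILE_SIZE_MB   # prints "250 CRM01.default"
resolve_param scan CRM01 PRD BLOCK_ENCRYPTED    # prints "yes CRM01.PRD"
resolve_param scan CRM01 DEV BLOCK_ENCRYPTED    # prints "no default.default"
```

The second column of the output tells an administrator which file to edit when a value is not the expected one, which is the usual question once several realms and SID-specific copies exist.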

 

 

 

3.6.3.Updates

All modules except the VSA and the Broker can self-update. Administrators can choose which parts of a module they want to update automatically:

  • Threat data, including malware definitions, file-type detection, mappings, etc.
  • Detection engines
  • Program binaries

bowbridge Anti-Virus 4.x downloads updates from the bowbridge update server over a secure, authenticated, and encrypted connection. The product verifies the download’s integrity and only activates it after it is confirmed to function. Deployment and activation of updates do not require administrator intervention and do not interrupt the service delivery.

After the installation, automatic updating of Threat Data, Detection Engines, and Program Binaries is active. It is controlled by the UPDATE_DATA, UPDATE_ENGINE, and UPDATE_BINARY parameters configured in the start script of the respective worker.

By default, bowbridge Anti-Virus 4.x will attempt to download the required updates via a direct internet connection. By setting the UPDATE_PROXY (and optionally the UPDATE_PROXYPASS) or UPDATE_SERVER parameters, administrators can configure the updates to be downloaded via a web proxy or from an alternative update source, such as the bowbridge Local Update Server (LUS).

3.6.4.Logs and Events

All bowbridge modules generate several types of logs and events.

By default, none of them are stored on disk or are acted upon. To store logs and act on events, further configurations are necessary.

Storing logs

In on-premises installations, all logs are sent to the control module of the realm. A log basepath must be defined for the control module to store the logs in the server’s filesystem. Control will then store all worker-originated logs in the basepath. Log entries originating from the VSA clients are stored in subdirectories for the RealmID and the SID to allow attribution to the correct system.

As there are several types of logs, separate base-directory paths must be specified in the [bb-av-control] section of the <bowbridge program directory>/config/bb-av-control.cfg file.

To enable the respective log, please uncomment the line and specify an existing directory as the value to:

  • ERROR_LOG_BASEDIR
    This log will only store errors
  • UPDATE_LOG_BASEDIR
    This log stores information about updates being deployed
  • BLOCK_LOG_BASEDIR
    This log stores information about blocked files
  • STATUS_LOG_BASEDIR
    This log stores information about modules starting, stopping, and their load
  • SCAN_LOG_BASEDIR
    This log stores information about every single scan operation.
  • EPO_LOG_BASEDIR
    This log is needed only for the integration with Trellix ePolicy Orchestrator

Please also note the MAX_LOG_SIZE_MB parameter. Once a log file exceeds the size (in MB) specified as the value, the log file will be compressed into a ZIP archive, and a new log file will be created.

After saving your configuration, the control module must be restarted for the changes to take effect. On Linux, restart the service with

sudo systemctl restart bb-av-control.service
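Because the guide requires each enabled log base directory to already exist, it is worth validating the [bb-av-control] settings before the restart rather than discovering a missing directory in the error log afterwards. The following shell script is an added example (not bowbridge code) that performs this check on a constructed bb-av-control.cfg: every uncommented *_LOG_BASEDIR must name an existing, writable directory, and MAX_LOG_SIZE_MB must be a positive integer. The section and key names are those given above; the INI-style KEY=VALUE layout of the file is an assumption.

```sh
#!/bin/sh
# Added example, not bowbridge code: pre-restart check of the [bb-av-control]
# logging settings. Every *_LOG_BASEDIR that is uncommented must name an existing,
# writable directory, and MAX_LOG_SIZE_MB must be a positive integer. The section
# and key names come from the guide; the INI-style KEY=VALUE layout is an
# assumption, and the sample file below is constructed.

set -eu

TMP="$(mktemp -d)"
trap 'rm -rf "$TMP"' EXIT
mkdir -p "$TMP/logs/error" "$TMP/logs/block"

# Constructed configuration: two valid directories, one commented-out log,
# one directory that does not exist, and a second section that must be ignored.
cat >"$TMP/bb-av-control.cfg" <<EOF
[bb-av-control]
ERROR_LOG_BASEDIR=$TMP/logs/error
BLOCK_LOG_BASEDIR=$TMP/logs/block
# UPDATE_LOG_BASEDIR=/var/log/bowbridge/update
STATUS_LOG_BASEDIR=$TMP/logs/does-not-exist
MAX_LOG_SIZE_MB=50

[other-section]
SCAN_LOG_BASEDIR=/this/is/ignored
EOF

# Print the KEY=VALUE lines of one INI section ($2) of file ($1), skipping comments.
section_settings() {
    awk -v want="[$2]" '
        /^[[:space:]]*\[/ { in_section = ($0 == want); next }
        in_section && !/^[[:space:]]*#/ && /=/ { print }
    ' "$1"
}

# Print the name of every active *_LOG_BASEDIR whose directory is missing or not writable.
bad_log_dirs() {
    section_settings "$1" bb-av-control | grep '^[A-Z]*_LOG_BASEDIR=' \
        | while IFS== read -r key dir; do
            [ -d "$dir" ] && [ -w "$dir" ] || printf '%s\n' "$key"
        done
}

# Return 0 when MAX_LOG_SIZE_MB is present and a positive integer.
max_log_size_ok() {
    size="$(section_settings "$1" bb-av-control | grep '^MAX_LOG_SIZE_MB=' | cut -d= -f2- || true)"
    case "$size" in
        ''|*[!0-9]*|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone run against the constructed file.
bad_log_dirs "$TMP/bb-av-control.cfg"              # prints STATUS_LOG_BASEDIR
max_log_size_ok "$TMP/bb-av-control.cfg" && echo "MAX_LOG_SIZE_MB is valid"
```

Run bad_log_dirs against the real <bowbridge program directory>/config/bb-av-control.cfg as the user the control service runs as, so that the writability test reflects the service's own permissions.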

 

Processing events

All bowbridge Anti-Virus 4.x modules generate several types of events. To receive these events, an event-handler worker must be installed and configured to subscribe to certain events for a certain scope of sources.

The file <bowbridge program directory>/config/bb-av-events.cfg contains the configuration for the bb-av-events service.

The [SCOPE] section allows the administrator to specify what sources of events are relevant for this handler.
The scope can be limited by:

  • SOURCE, a list of hostnames of event sources (i.e., SAP application servers)
  • SIDS, a list of SAP-SIDs. Please note that worker-originated events do not include an SID
  • REALMS, a list of RealmIDs. Please note that worker-originated events do not include a RealmID
  • MODULES, a list of bowbridge modules to receive events from.

In addition to the scope, the event handler must subscribe to specific events of interest and map them to an OS-layer script that will be executed if the event occurs.
bowbridge delivers a template for such a script. When the event occurs, the script receives the event details and can act upon them.

Administrators may choose to take a broad approach and use a wildcard (“*”) for all scope definitions and uncomment all event-types.
Or they can take a very restrictive approach and, for example, only be interested in a scan-error event from a particular SID on a particular host.

They may also choose to run multiple instances of event handler workers, for example, one for the NON-PROD instances and a separate one for the PROD instances of an SAP system.
