The following figure 1 describes the scenario at hand in detail and already points out the security-related details of the SAP Host Agent on the managed system. Both partners share the same SAP Host Agent. The hosting provider has OS root authorization and full authorization on the SAP Host Agent, whereas the customer only uses the functions of the Simple Diagnostics Agent (SDA) needed to enable all Focused Run features. The Personal Security Environment (PSE) of the SAP Host Agent must trust both Certificate Authorities (CAs), the Customer CA and the Hosting CA, to enable encrypted communication with both clients. Encrypted communication is mandatory if one partner uses basic authentication, in this case with user sapadm. The hosted customer must authenticate with a certificate, because only in that way can the authorization be limited to the SDA. The client certificate check can only be performed as part of the TLS handshake when the HTTPS connection is established.
In our example, the full administration authorization on the OS level with user sapadm is held only by the hosting provider. The customer is authorized only for the URI /lmsl/sda, which is sufficient for all Focused Run applications. For further details on setting up the certificate-based authorization, please check the security guide:
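The access rules from the two paragraphs above, as a small added model that is not part of the original post and not SAP's own code: TLS is mandatory, sapadm basic authentication is accepted only over TLS, a certificate from the Customer CA is limited to /lmsl/sda, and a certificate from a CA the PSE does not trust is rejected. CA names, the SAPHostControl URI and the request structure are assumed for illustration.

```python
"""Toy model of the shared SAP Host Agent authorization scenario (assumed, not SAP code)."""
from dataclasses import dataclass
from posixpath import normpath
from typing import Optional, Tuple

# Issuer DNs the agent's PSE trusts (constructed names, not real DNs).
TRUSTED_CAS = {"CN=Customer CA", "CN=Hosting CA"}
# Certificate-based authorization: issuer -> URI prefixes the holder may call.
# Only the customer's certificate is mapped, and only to the SDA path.
CERT_ROLES = {"CN=Customer CA": ("/lmsl/sda",)}
# Basic-authentication user with full authorization (hosting provider).
FULL_ACCESS_BASIC_USERS = {"sapadm"}


@dataclass
class Request:
    uri: str
    tls: bool                                  # was the transport encrypted?
    client_cert_issuer: Optional[str] = None   # issuer DN seen in the TLS handshake
    basic_user: Optional[str] = None           # user presented via basic auth


def authorize(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request under the scenario's rules."""
    if not req.tls:
        # Basic auth is only acceptable on an encrypted channel, and a client
        # certificate can only be checked as part of the TLS handshake.
        return False, "plain HTTP rejected: encrypted communication is mandatory"
    if req.client_cert_issuer is not None:
        if req.client_cert_issuer not in TRUSTED_CAS:
            return False, "client certificate issuer not trusted by the PSE"
        prefixes = CERT_ROLES.get(req.client_cert_issuer)
        if prefixes is None:
            return False, "trusted issuer but no authorization mapped"
        # Canonicalise before the prefix check so ".." segments cannot widen the scope.
        path = normpath(req.uri)
        if any(path == p or path.startswith(p + "/") for p in prefixes):
            return True, f"certificate authorized for {path}"
        return False, f"certificate not authorized for {path}"
    if req.basic_user in FULL_ACCESS_BASIC_USERS:
        return True, f"{req.basic_user} basic auth over TLS: full authorization"
    return False, "no acceptable credential presented"
```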
Any deployment of customer OS scripts as SAP Host Agent “CustomOperations” must be negotiated with the hosting provider script by script.