SAP batch job interception

This blog will explain how to setup SAP batch job interception.

Questions that will be answered in this blog are:

  • How to activate SAP batch job interception?
  • How does an intercepted job look like?

Activating SAP batch job interception

Before you can begin the setup of the batch job interception you must run program INITXBP2 in SE38:

Program INITXBP2

Next you have to start transaction CRIT and create the profiles.

Transaction CRIT to manage job interception criteria

First create the default SAP profile by clicking on the SAP logo. Activate it. Next step is to create the profile in which you want to do the interception. In the screen above click on the create profile button. Now enter a criteria. For simplicity we have called it interception. In our case we intercept all except a list of authorized users. In the user list we include the basis users and the background users (in this example WF-BATCH). Save the data.

Next step is to activate this profile:

Activate interception proflie

Working of interception

When a batch job is planned the interception checks if the job should be intercepted or not. As a test logon as end user and launch a job. In our case the user ENDUSER tries to launch a job from SLG2 transaction to delete application logs. This jobs is intercepted and shows like this in SM37:

Intercepted job

The job does not start immediately, but shows in intercepted state. If user with release rights now goes to SM37 for this job, he can release the intercepted job.

SAP mail sending tips & tricks

This blog focuses on SAP mail sending tips and tricks.

Questions that will be answered are:

  • How can I add a disclosure to the mails I send form non-productive systems?
  • How do I restrict access to transaction SOST?
  • Which batch job to plan for sending mails?
  • How can I send encrypted or signed mails?
  • Is there a display only version of SCOT available?
  • How to send hyperlink in mail using ABAP?

Adding disclosure from to mails from development and test systems

If you want to send mails from development and test systems, but don’t want any risk that it looks like a productive mail, you can add a disclosure to the mail.

In SOST mail settings go to the disclosure function:

SOST to SODIS link

Or you can go directly there using the SODIS transaction.

In SODIS you key in the disclosure text:

SODIS disclosure

If you want you can test for any mail address if the disclosure will be shown or not by using the Routing Test function:

SODIS routing test

When sending mails from the SAP system the receiver now gets the disclosure. The real mail is pushed as text in the attachment of the mail (see OSS note 2842085 – Email body becoming to attachment in receiver side). You need to open the attachment to see the body of the text. Hyperlinks in the body will still work.

Restricting access to SOST transaction: give SOSG access

As admin you might want to restrict access to SOST transaction. This transaction is also often used by functional consultants to see if their mail is sent or not. When having access to SOST all functions like deletion and stopping of mails is also granted. What you can do is fully restrict access to SOST and grant the functional consultants access to transaction SOSG to display the mail status. It looks same as SOST, but has additional authorization checks. See also OSS note 2351372 – User access to transactions SOST, SOSV, SOSG and SOSB.

To allow sending of mail in SOSG, follow instructions from OSS note 2573586 – “Send” function greyed out in transaction SOSG.

Batch job for mail sending

For sending mail, you need to schedule batch job RSCONN01  with variant SAP&CONNECTINT. See OSS note 1912890 – Stuck email messages on SOST – RSCONN01 client dependent.

Mail read receipts

SAP mail sending can also use mail receipts. This might be wanted, but most of the times it is not wanted. More about read receipts is explained in OSS note 2161462 – How does Read Receipt work in SAPConnect?

To suppress it follow the instructions in OSS note 1607686 – Suppressing read notification requests.

Mail send restrictions based on user group

If you want to restrict mail sending based on user group, follow the instructions from OSS note 2623113 – How to limit e-mails by Sender Group in SCOT.

Mail encryption and signature

Start program RSCONN05 to set the mail signature and encryption settings. More background in OSS note 149926 – Secure e-mail: Encryption, digital signature.

Guided answers

See OSS note 3225275 – BC-SRV-COM Guided Answer for guided answers on mail setup.

Sending hyperlink in mail

If you have a requirement to send working hyperlinks in mails coming from SAP, read this blog on how to do this using custom ABAP code.

Increasing value of SMTP password length

See note 2363295 – Password for SMTP authentication is too short for increasing SMTP password length.

SAP TREX and HANA embedded search technical tips and tricks

This blog will give technical tips & tricks on embedded search. Embedded search can run on both HANA directly or on separate TREX server. It is assumed you know how to set up search in ESH_COCKPIT and know how the end user transaction ESH_SEARCH work.

Questions that will be answered in this blog are:

  • How do I set HANA default connection as embedded search location?
  • What to do after a system copy with embedded search?
  • How to reset the complete embedded search to initial state?
  • How to reset the embedded search buffer?
  • How to recreate the embedded search joins?
  • How to influence the package size of the search extraction?
  • How to check backend part of search?
  • How to deal with full text search issues?
  • How to deal with authority index issues?
  • How to deal with high load issues on TREX?

Activating search in S4HANA

If you are running S4HANA, you can use an STC01 task list to fully setup the search function. Read this blog on technical activation and this blog for FIORI search for full instructions. The remainder of the blog below can be used in case of issues.

Setting the search connection to use HANA default database connection

If you are running HANA database for ECC you can use the HANA default primary database connection for search setup. This is easier in maintenance: no extra TREX needed, no extra secondary DB connection. Search will consume extra memory and CPU off course on the HANA database.

To set this up run program ESH_ADM_SET_TREX_DESTINATION and select the Use HANA Primary DB connection option.

Notes:

Task list to run after system copy

After you copy a system the search will not immediately work. In client 000 start transaction STC01 and run task list SAP_ESH_ADJUST_AFTER_COPY. See also OSS note 2479611 – Error message: “Current system is a copy of another system”. See also note 2583055 – ESH_ADM_MSG281 error when run the task list SAP_ESH_ADJUST_AFTER_COPY on client 000 after the system copy. And read note 3243784 – Invalid value 10.000 when assigning values of parameter P_PACKS in report ESH_IX_CRT_INDEX_OBJECT_TYPE.

Resetting all settings to initial

When things gone really beyond repair, you can log on to client 000 and start transaction STC01 and run task list SAP_ESH_RESET.

Important: write down (or make screen shots) on the connectors and settings that were active before running this task list. It will really wipe out all connectors and settings.

More information can be found in OSS note 2626143 – How to execute SAP_ESH_RESET.

Resetting the buffer

Run program ESH_REFRESH_RUNTIME_BUFFER in the working client to reset the trex buffer.

Bug fix note: 2947055 – CDS activation: Runtime error in report ESH_REFRESH_RUNTIME_BUFFER. And 3253863 – CDS: Timeout error during execution of report ESH_REFRESH_RUNTIME_BUFFER.

Recreation of join indexes

Run program ESH_RECREATE_ALL_JOIN_INDICES in the working client to recreate the join indexes. See also OSS note 2112153 – How to recreate ESH join indexes which are corrupted in TREX.

Influencing package sizing per object

With program ESH_SET_INDEXING_PACKAGESIZE you can set the package size for indexing per object. You can lower the size for large objects to avoid memory issues while indexing. Issues can be dumps on SYSTEM_NO_ROLL / LOAD_NO_ROLL / TSV_TNEW_PAGE_ALLOC_FAILED / SYSTEM_NO_SHM_MEMORY.

See these OSS notes:

Check backend part of search

To check if a search issue is related to application coding or is related to search setup, you can run program ESH_TEST_SEARCH (with same transaction code ESH_TEST_SEARCH). This program gives you options to test the search independent of any programming of search front end.

Bug fix OSS note: 2972790 – ESH_TEST_SEARCH – value help for attribute search: Values are not transferred case-sensitively.

Full text search issues

If you are having issues with full text search, please check OSS note 2280372 – How to check Full Text search issues. This note is focusing on full text search issues in relation to solution manager CHARM, but the methods described can be used as well for analyzing other full text search issues.

Setting the extraction user ID

Use program ESH_EX_SET_EXTRACTION_USER or transaction ESH_EXTR_USER to set the user to be used for extraction. This includes the real time indexing. For more information see OSS note 2340298 – User Types and required authorizations for ESH extraction user. For issues see OSS note 2750997 – Error “Logon of user XYZ in client xyz failed when starting a step” in ESH indexing job logs. And 2938916 – ESH extraction user – option “Generate User” – adjustment of password policy.

Bug fix OSS note: 2938916 – ESH extraction user – option “Generate User” – adjustment of password policy.

Authorization indexing issues

While indexing you might get authorization indexing issues. First step is to repeat with sufficient rights attached to your user ID. Then run program ESH_ADM_RECALC_AUTHS to force the recalculation of the authorizations.

If it does not help, you can read the very extensive OSS note 2472239 – Error message “Authorization indexing unsuccessful” when creating search connectors. And OSS note 2729739 – Error indexing search connectors: “Authorization indexing unsuccessful for object type USER_AUTHORITY”.

New option to partially skip the checks for indexing: 3088737 – Customizing option for completely deactivating authorization indexing for individual ESH authorization indexes.

Index preload

For some TREX  issues index preload can be a solution. More information on index preload can be found in OSS note 2115082 – ESH Index Preload.

Python check script

For detailed check on TREX embedded search there is a special Python check script, which is not installed by default. The script can be downloaded as attachment from OSS note 2227741 – TREX 710: check of the TREX settings for the Enterprise/embedded Search scenario. Read OSS note 2344042 – How to execute python script check_esh.py on how to install and run the script.

TREX memory issues

If you are seeing high memory consumption in TREX, please check OSS note 2540240 – High Memory and Indexing problems in TREX.

TREX high load issues

If you are experiencing high load issues, consider increasing the amount of threads. Reference OSS note: 1065406 – BWA: Raise number of TREXRfcServer threads.

TrexViaDbsl Analysis Tool in ABAP

In newer versions this tool is available. Otherwise apply OSS note 2690982 – TrexViaDbsl Analysis Tool in ABAP. Then in SA38 you can launch program RHANA_TREXVIADBSL_ANALYZER for the analysis tool:

TrexViaDbsl Analysis Tool in ABAP

A more detailed explanation is given in OSS note 2800048 – FAQ: SAP HANA TREXviaDBSL.

TREX jobs

See OSS note 3169829 – When and how the job ESH<Client>IX_<System SID><Client>_* is created for the jobs TREX is creating on the ECC backend system:

  • ESH_IX_PROCESS_CHANGE_POINTERS/ESH_FU_DEMON,
  • ESH_IX_CRT_INDEX_OBJECT_TYPE
  • ESH_SE_CONNECTOR_MOD_BGD

TREX administration

For TREX administration read this dedicated blog.

Re-indexing and model update after upgrade

After an upgrade or support package, a model update is required. See OSS note 2468752 – Re-indexing after an application Upgrade.

Search speed for ECC

If you run ECC and use HANA as database, you can make use of SFW5 switch BSESH_HANA_SEARCH to speed up the search using HANA based features.

Special use cases

SAP solution manager documentation

If you have search issues with SAP solution manager documentation, there is a special OSS note 2608454 – FAQ: How to handle issues with the (embedded) search functionality in the context of Solution Documentation . This OSS note also contains coding for special test program that will check all relevant settings for the solution documentation search function to work properly.

Use of security policies in user maintenance

This blog will explain the use of security policies in user maintenance.

Questions that will be answered are:

  • Why to use security policies?
  • How to setup security policies?
  • How to assign a security policy to a user?

Why to use security policies?

Security policies can be used to set more strict password rules on critical user ID’s like the system administrators, user administrators and background users. This is one of the measures to avoid password attacks as explained in the password hash hacking blogs.

How to setup security policies?

Security policies can be setup in customizing under the following node (or by using transaction SECPOL):

SPRO entry for security policies

On the next screen create the needed security polices as definition (identifier and description):

Create security policy

Select one of the policies, to set the detailed attributes per policy:

ADMIN security policy attributes

In this example the policy for ADMIN is set more strict than the system settings. Setting it less strict than the password rules set in the system profile is not allowed.

Assign security policy to user

In SU01 on the tab Logon Data you can now assigned the appropriate Security Policy for the user:

Security policy assignment in user data

Unfortunately the Security Policy cannot be made a mandatory field. See OSS note 2890297 – Assigning SECPOL policies as a mandatory field for user creation/modification.

Different use case for security policies

There is a second use case for security policies: in the new netweaver releases you can set parameter to lock out users for maintenance rather than locking them in SU01 or SU10. For more information read this blog.

Background OSS notes

Relevant OSS notes:

SAP password hash hacking Part III: SAP PWDSALTEDHASH hash hacking

This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.

In this third blog we will continue with more complex attacks on the SAP password hashes and will also explain more preventive measures. Now we focus on the SAP PWDSALTEDHASH hash.

For the first blog on attacking the SAP BCODE hash click here.

For the second blog on attacking the SAP PASSCODE has click here.

For follow up blog on improving attack speed by applying rule-based attack, click here. And the blog on optimizing the attack. And the blog on extended word lists.

Questions that will be answered in this blog are:

  • How to get the PWDSALTEDHASH codes?
  • How does the dictionary attack work?
  • How does the dictionary combination attack work?
  • How does the dictionary with mask attack work?
  • What more can I do to prevent a password attack?

Getting the PWDSALTEDHASH codes

The testusers 1 to 5 have been given a new password and the security admin has done its job. This is what you see in USR02:

After clean up USR02

Double clicking on a line and scrolling down will give you the PWDSALTEDHASH field content:

pwdsaltedhash from USR02

Getting many is too much work. For this you can use code of the program ZFETCH_PWDSALTEDHASH below:

*&--------------------------------------------------------------------*
*& Report ZFETCH_PWDSALTEDHASH
*&--------------------------------------------------------------------*
 REPORT ZFETCH_PWDSALTEDHASH.
 DATALV_USR02 TYPE USR02.
 DATALV_STRING TYPE STRING.
 SELECT FROM USR02 INTO LV_USR02 WHERE PWDSALTEDHASH NE SPACE.
   CONCATENATE LV_USR02-BNAME '

The output for our testusers is now:

Testuser PWDSALTEDHASH hashes

You need to save the part from {x-issha etc in a new file. The user ID in front is not needed. It is just needed in case you decrypt a password from a hash to go find the user ID.

The dictionary attack

We still assume that there is a very strict policy on strong password:

  • Minimum length 10
  • Minimum 1 upper, lower, digit and special

Since the admin has cleaned up the BCODE we have no idea on the first 8 characters now.

The trick we will use is the dictionary attack. We assume some of the users will use a password with the following rule:

  1. Take a word
  2. Capitalize first letter, rest is small
  3. Add a digit
  4. Add a special character

As input file for this attack we take all word from the Webster Dictionary: webster dictionary file.

We now go back to our Hashcat directory on C:\HC and give following command:

hashcat64 -a 6 -m 10300 -p : --session=all --force -o "C:\HC\users_found.txt" --outfile-format=3 --markov-disable --remove -u 128 --gpu-temp-abort=80 --gpu-temp-retain=70 "C:\HC\pwdsaltedhash testusers.txt" "C:\HC\webster-dictionary.txt" ?d?s

Command explanation: attack mode 6 for dictionary attack and 10300 for SAP PWDALSTEDHASH format.

And now hashcat is showing is parallelization power:

dictionary attack

To test all the combinations on the 5 users only 30 minutes are needed, with almost 200.000 tries per second.

2 passwords were found: TESTUSER1 with password Theobald1! and TESTUSER5 with password Tetrazotization5{.

Especially the last one is striking: this is normally not considered a simple password: Tetrazotization5{. But because it appears in a dictionary it is relative simple to retrieve.

Combination attack with dictionary

To really show the speed, we will now perform the combination attack explained in the previous blog again. We will use the dictionary in combination with the popular extension file. Command to give:

hashcat64 -a 1 -m 10300 -p : --session=all --force -o "C:\HC\testusers_found.txt" --outfile-format=3 --remove -u 128 --gpu-temp-abort=80 --gpu-temp-retain=70 "C:\HC\pwdsaltedhash testusers.txt" "C:\HC\webster-dictionary.txt" "C:\HC\Popular extensions.txt"

And now the performance and speed is even higher:

combination dictionary

2 out of 3 remaining passwords were found in 1 minute only!

TESTUSER2 with Themis2018! and TESTUSER3 with Vacation123!

Dictionary with mask attack

For the last to be found password, we will use the dictionary with mask attack.

Command to give:

hashcat64 -a 6 -m 10300 -p : --session=all --force -o "C:\HC\testusers_found.txt" --outfile-format=3 --markov-disable --remove -u 128 --gpu-temp-abort=80 --gpu-temp-retain=70 "C:\HC\pwdsaltedhash testusers.txt" "C:\HC\webster-dictionary.txt" ?a?a

We try with 2 random characters after the word. After some time nothing. Then we increase to 3 characters:

hashcat64 -a 6 -m 10300 -p : --session=all --force -o "C:\HC\testusers_found.txt" --outfile-format=3 --markov-disable --remove -u 128 --gpu-temp-abort=80 --gpu-temp-retain=70 "C:\HC\pwdsaltedhash testusers.txt" "C:\HC\webster-dictionary.txt" ?a?a?a

It runs for 4 hours with about 200.000 guesses per second:

dictionary mask attack

And it finally finds the last password: TESTUSER4 with Organoid1@#

Dictionaries

The example above is just one dictionary. Also think about dictionaries with names of persons, football clubs, cities and countries, etc. Largest dictionary so far is called the Wikipedia dictionary. It is about 250 MB large and contains all the unique words used on Wikipedia.

Preventive measures

Preventive measure 1: user education

Educate your users not to take a dictionary word directly and only add a digit letter.

Especially power users, like basis and user administrators, should really receive this education. Don’t assume they know. 90% of them does not, or even hands out passwords like Welcome2018!

Preventive measure 2: extra strong passwords for background and power users

You can set extra strong password requirements for background users and power users (basis and user administrators). This can be done by setting up specific security policies. This is explained in this blog.

Preventive measure 3: stronger hashes

By creating stronger hashes, the attackers need more time. It will not stop them, but slow them down. Read more on setting stronger hashes in this dedicated blog.

Next blog

The next blog will focus on rule based attack mode, which is one of the most effective methods.