Month: April 2022

PDF converter in SAP ABAP kernel

The newer SAP ABAP kernels and system (781 kernel and 755 system) can support PDF converter from the SAP ABAP kernel.

Using the kernel it will speed up PDF generation for ABAP list, SAP Script and SmartForms.

Background

The background of the SAP ABAP kernel is explained in OSS note 2991197 – Using the kernel PDF converter in ABAP.

Switching on PDF generation via SAP kernel

To switch on, start program RSTXPDF3KRN and choose to change the parameter PDF_KERNEL:

Confirm to turn on:

Fonts

Fonts and fonts mapping can still be maintained via program RSTXPDF2UC:

SAP for me

SAP for me is an alternative to the SAP support marketplace.

Questions that will be answered in this blog are:

  • What functions does SAP for me offer?

Start of SAP for Me

You can easily start SAP for Me with the URL me.sap.com.

SAP for Me versus support.sap.com

SAP for Me provides some extra functions that are not offered yet by support.sap.com. The general overview of functions is listed in the chapters below.

Highlights:

  • Calendar function
  • Financial invoices and licenses
  • Statistics on open SAP messages

Calendar function

In the calendar function you can quickly see which upcoming maintenance activities there are for your cloud products, planned expert sessions, software release dates, and security patch days:

Portfolio and products overview

In the portfolio and products overview you can see the products (both on premise and cloud) that you are licensed for. You need authorizations to view this page. Authorizations are taken from the rights of your S user.

Finance and legal

In the finance and legal overview you can see the products (both on premise and cloud) that you are licensed for, the invoices and for cloud the current usage. You need authorizations to view this page. Authorizations are taken from the rights of your S user.

Services and support

The services and support overview page is a different view on your tickets open at SAP. It provides quick insight into which tickets are with SAP, and which ones are at customer action (which do require your attention):

Systems and provisioning

Systems and provisioning provides an overview of both on premise and cloud systems:

Users and contacts

Users and contacts page gives overview of your important contacts.

Information disclosure of SAP Web Administration Interface

Despite the fact that this is a know issue, in many cases still it is seen that the SAP web administration interface is still set to fully public. This way an attacker can still retrieve vital release information.

You should check this carefully, also for newer system installations, this might be not ok.

Questions that will be answered in this blog are:

  • What is the web administration interface?
  • Why is it dangerous to have this public?
  • How to close the gap and make the web administration interface shielded again?

What is the web administration interface?

The web administration interface can be started on your netweaver system by using a browser and keying in <host:port>/sap/admin/public/index.html:

Here you can see the status and also the version information:

If you keyed in the URL and you got a password prompt like this:

If you did not get it, that means this page is still public.

Why is this public release information dangerous?

This page is present in ABAP, JAVA stacks and webdispatcher. Portals and Netweaver gateway systems are often exposed to external world for partners, customers and suppliers. If you did not do a good job on security with reverse proxies and the SAP systems themselves, this page is available on internet. Hackers scan for it, get the release information and know if you are vulnerable or not.

Dangerous? Yes, very. See the last very high Hotnews security note on ICMAD:

How to solve the issue?

The solution is described in OSS note 2260323 – Internet Communication Manager (ICM) 7.20 security settings and more specifically in OSS note 2258786 – Potential information disclosure relating to SAP Web Administration Interface.

The solution is to set the sub parameter ALLOWPUB (it is a sub parameter of icm/HTTP/admin) to NO. See screen shot on how to see the sub parameters:

Checking if it is done properly is simple: start the page again and see that it disabled:

SAP support log assistant

Many SAP applications generate logs with errors. These can be hard to analyze.

SAP now offers online tool to quickly scan a log for known issues and provide potential OSS notes with hints and solutions.

Questions that will be answered in this blog are:

  • What is the SAP support log assistant?
  • How to use the SAP support log assistant?

How to run and use the SAP support log assistant

To start the SAP support log assistant, use this URL.

Use the button to upload your log file. In this case a SAP cloud connector log file with errors:

After the upload, press the button Scan files to start the scan. The results:

The third screen is the summary:

Here you can download your results, submit to SAP or provide SAP with feedback.

Background of the SAP support log assistant

SAP note 2990062 – What is the Support Log Assistant and how can I use it to find known issues and solutions? describes the full background.

Wiki page: link.

File types that can be analyzed: link.

Explanation blog: link.

TLS v1.2 setup

TLS stands for Transport Layer Security (full background you can read in this blog). It determines the security protocol used for the web part of the ABAP server.

Questions that will be explained in this blog:

  • How can I enable TLS v1.2 for my ABAP server?
  • How can I check TLS v1.2 is properly setup?
  • Can I disable TLS v1.0 and v1.1?

Setup of TLS v1.2 on ABAP

The setup of TLS v1.2 is described in OSS note 2384290 – SapSSL update to facilitate TLSv1.2-only configurations, TLSext SNI for 721+722 clients.

Settings to enable TLS v1.2 and still allowing v1.0 and v1.1 for older clients:

ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_26  =  SECUDIR=$(DIR_INSTANCE)$(DIR_SEP)sec
SETENV_27  = SAPSSL_CLIENT_CIPHERSUITES=150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_28  =  SAPSSL_CLIENT_SNI_ENABLED=TRUE
icm/HTTPS/client_sni_enabled = TRUE
ssl/client_sni_enabled = TRUE

Set up of TLS v1.2 on HANA

For setup of TLS v1.2 on HANA follow the instructions in OSS note 2829919 – How to enable TLS 1.2 for all Hana ports.

How to check TLS v1.2 usage?

The TLS version usage per browser is a different process to check. Read this blog to find the exact instructions per browser.

The end result is as follows:

Can I switch off TLS v1.0 and v1.1?

Yes, you can switch off TLS v1.0 and v1.1. This is described in OSS note 2384290 – SapSSL update to facilitate TLSv1.2-only configurations, TLSext SNI for 721+722 clients. Please also read the warning in this note: the advantage is very low, the risk that you will get issues is high.

So switching off in live system is tricky. Switching it off starting new system landscape is simple and a good idea to do.

TLS v1.3

TLS v1.3 is currently not supported for ABAP. See OSS note 2765639 – Is TLS 1.3 supported in NetWeaver AS ABAP?.

SAP background

More background can be found in OSS note 510007 – Additional considerations for setting up SSL on Application Server ABAP.