SAP API business hub

SAP has collected all their web services and ODATA services on one central page.

Questions that will be answered in this blog are:

  • How to use the SAP API business hub to find an SAP interface for my use case?

SAP API business hub

Start the SAP API business hub by going to the URL api.sap.com:

Let’s zoom in to SAP S4HANA:

Now search for Sales Order and select the Sales Order ODATA:

For each method you can zoom into the details:

On the main details tab you can download the API specification, for example in JSON format:

It also tells you how to build the URL to be called.

A bit below on the same screen is the link to the online documentation:

This links to the actual help.sap.com help file:

SAP reference

SAP reference blog can be found here.

Logical file names

This blog will explain the maintenance of logical file names.

Questions that will be answered in this blog are:

  • Why use logical file names?
  • How to setup logical paths and logical file names?
  • Which variables can be used in logical file names and logical paths?
  • What is new in transaction SFILE?

Why use logical file name?

The use of a logical file name in any ABAP keeps the location and name of the file constant from a logical function perspective. The actual implementation of the file location can then be maintained by the basis team. If they want to move files around, they can do so, as long as they also update the logical files. This way an ABAP developer also does not need to worry in case of an OS switch (for example from Windows to Linux).

The names are the same on the development, QA and production systems. The basis team can choose to have different file structures on each system, for example by including the system ID in the folder name.

Maintaining logical file path

To maintain logical file names, start transaction FILE:

With New Entries, you can add a new logical file path.

We will use A2_GLOBALPATH here as example. Select the entry and click on Assignment of physical path to logical path:

Select the operating system to see the details:

Logical file names

Logical file names are also maintained with transaction FILE:

Parameters in naming

The following parameters can be used in the naming conventions:

Parameter     Meaning
<OPSYS>       Operating system in function module parameter
<INSTANCE>    Application instance
<SYSID>       Application name in accordance with system field SY-SYSID
<DBSYS>       Database system in accordance with system field SY-DBSYS
<SAPRL>       Release in accordance with system field SY-SAPRL
<HOST>        Host name in accordance with system field SY-HOST
<CLIENT>      Client in accordance with system field SY-MANDT
<LANGUAGE>    Logon language in accordance with system field SY-LANGU
<DATE>        Date in accordance with system field SY-DATUM
<YEAR>        Year in accordance with system field SY-DATUM, four characters
<SYEAR>       Year in accordance with system field SY-DATUM, two characters
<MONTH>       Month in accordance with system field SY-DATUM
<DAY>         Day in accordance with system field SY-DATUM
<WEEKDAY>     Weekday in accordance with system field SY-FDAYW
<TIME>        Time in accordance with system field SY-UZEIT
<STIME>       Hour and minute in accordance with system field SY-UZEIT
<HOUR>        Hour in accordance with system field SY-UZEIT
<MINUTE>      Minute in accordance with system field SY-UZEIT
<SECOND>      Seconds in accordance with system field SY-UZEIT
<PARAM_1>     External parameter 1 passed in function call
<PARAM_2>     External parameter 2 passed in function call
<PARAM_3>     External parameter 3 passed in function call
<P=name>      Value of a profile parameter in the current system
<V=name>      Value of a variable in the variable table
<F=name>      Return value of a function module

Transaction SFILE

Transaction SFILE is a new maintenance transaction, available as of S4HANA 1610. The main functions are the same as in FILE. The main new function is the mass download and upload of definitions.

More background on SFILE: see OSS note 2370836 – FAQ | File access management with transaction SFILE.

SE16N emergency edit mode

For emergency cases you might need to edit table data directly. This blog will describe the emergency edit mode of SE16N.

Questions that will be answered are:

  • How to get the SE16N emergency edit mode?
  • How to enable the SE16N emergency edit mode?
  • How to use the SE16N emergency edit mode?

Getting the SE16N emergency edit mode

The SE16N emergency edit mode is standard installed as of S4HANA 2020. For older versions, you need to apply OSS note 2911103 – SE16N: Alternative edit mode.

Enabling SE16N emergency mode

The SE16N emergency mode is started via transaction SE16N_EMERGENCY. This transaction is locked by default:

Please consult your security team before unlocking this powerful transaction.

Use transaction SM01_CUS to unlock the SE16N_EMERGENCY transaction. Read this blog on the use of SM01_CUS.

Use of the SE16N emergency mode

Use of the emergency mode is pretty simple. Start transaction SE16N_EMERGENCY, enter the table, and you are launched into edit mode immediately. The example here is for table T001:

Other ways

For more different ways of direct table hacking, read this blog.

Bug fix OSS notes

Bug fix note:

SAP password hash hacking Part V: optimizing the attack speed

This blog series will explain the process of hacking SAP password hashes, also known as SAP password hacking. The process of hacking will be explained, along with the appropriate countermeasures.

In this fifth blog we will focus on optimizing the speed of attack. The preventive measures will focus on reducing the attack speed.

For the first blog on attacking the SAP BCODE hash click here.

For the second blog on attacking the SAP PASSCODE hash click here.

For the third blog on attacking the SAP PWDSALTEDHASH hash click here.

For the fourth blog on advanced topics, like the rule based attack, click here.

Questions that will be answered in this blog are:

  • How to optimize the attack speed?
  • How to optimize getting hashes converted into real passwords?

Optimizing the attack

First check if you can get hold of PASSCODE or preferably BCODE hashes. These ones are 10 to 20 times faster to hack than PWDSALTEDHASH codes.

Assuming the administrators have done their work and only PWDSALTEDHASH remains, there are still options to speed up the attack.

Get faster graphical card(s)

Don’t do password hacking on a laptop. The graphical card in any laptop is simply too slow. Use a gaming specification graphical card or cards (cost range is about 300 to 500 dollar or Euro per card).

Preparation of the attack

First thing to do is to get the password rules. Most common is 1 letter, 1 digit, 1 special and minimum length of 8. But differences occur. If for example minimum length is 10, you can adjust your dictionaries to remove all small words that will not comply.

Check the language: use the webster dictionary for English in all cases, but based on language of the company, you must use German, French, Spanish, Italian, Dutch, etc dictionaries as well.

If possible, filter out high potential targets from your list. It is better to have a high value administrator or CEO than a warehouse person who can only do simple movements and write time.

Sequence of attacks

Start first with your library of most frequently used passwords. Maybe there is already a hit.

You will be surprised that about 1% will hit.

Second run is with a list of company, product and department names. If you want to target company called TARGET with product name PRODUCT, make a special file with names like:

Target2021!

Product2021!

Use the password rulebooks to generate as many variations as possible (examples are T@rget2021, Pr0duct2021!).

You will be surprised that about another 1% will hit. Who is using these simple to guess passwords? More people than you think!

The third run should be a dictionary run with a rulebook. Start with English and the primary language of the company. The most successful rule is word plus digit plus special.

You will be surprised that about another 1 to 3% will hit.

Depending on the speed and sizes, the rulebook run is a very good one to run for a longer time (consider 1 week of constantly running this).

The fourth run should be a keyboard walk rulebook. The keyboard walk contains passwords like QWERtyui1234%^&* or 1qaz@WSX (a walk across the keyboard).

You will be surprised that about another 1% will hit.

Re-using the output file to generate new attack: fingerprint attack

When your first attacks are done, there is one final, surprisingly successful attack possible. For this you take your file with all the passwords you have already cracked.

These passwords you now cut into 2. Example Target2021! is cut into:

T and arget2021!

Ta and rget2021!

….

Target2021 and !

And the word itself Target2021!

Now you have 2 files. Use these into a combinator attack mode (see hashcat wiki for the exact syntax to use).

This procedure is called a fingerprint attack.

This might give surprising results like TargetProduct2021!

This attack will bring a surprisingly high number of hits. The better the first passwords you have cracked, the better the result here. Save this attack till last, since it can be a very lengthy one, and a lot of duplication with the previous attacks can happen.

Strengthening password technical strength

The ABAP password hash can be made technically stronger by increasing the hash salt size. This makes the hashes take longer to crack. OSS notes:

BI queue deletion

During a SPAM import or during application of a TCI OSS note using SPAM, you can get errors due to BI queues. This blog will explain how to delete these queues.

Questions that will be answered in this blog are:

  • How to clean up the BI queues in case SPAM or TCI note is being blocked by it?

qRFC clean up

First start in transaction SMQ1 to delete the MCEX BI outbound queues:

Select all queues and press the delete button.

More blocks

If it is still blocking run program RMCEXCHK:

Look for the application number(s) that are blocking. In this example it is 04.

Now start transaction LBWG to delete the setup for this application:

Details behind LBWG are explained in OSS note 1752439 – Explanation of transaction LBWG.

FIORI search setup

FIORI search is a very powerful tool for the end users. It enables a Google-like search on the business data.

Questions that will be answered in this blog are:

  • How does FIORI search work from the end user perspective?
  • How to set up FIORI search?
  • How to authorize search data?

FIORI search from end user perspective

From the end user perspective: open the search glass and key in anything, just like in Google:

Now wait for the search engine to give results:

Now you can select a record, or select a related app (with the … you get more options):

Set up of FIORI search

In the FIORI launchpad configuration parameters (see SAP help) make sure that the enableSearch parameter is set to true. Otherwise the search icon does not appear.

In case you run a FIORI hub, make sure to set up the web dispatcher rules properly towards the backend (see SAP help).

And activate the search models and the backend (see blog).

For the related links, the related FIORI app or FIORI factsheet must be activated. See this blog on how to fast activate complete groups of FIORI apps.

FIORI search authorizations

FIORI search relies on the authorizations of the end user. First make sure that the general authorization for the search is active in this IMG node:

The setting Model Authorization must be set to Check:

In the search cockpit (transaction ESH_COCKPIT), make sure that the user authorizations are indexed. In case of doubt run it under the Actions button, and select Index User Authority:

If one end user gets results and another one does not get the same result, the main reason might be a difference in authorizations.

Useful OSS notes

For specific use cases the following OSS notes might be relevant:

Setting up trusted RFC connection

This blog will explain how to set up trusted RFC connection.

Questions that will be answered are:

  • How to setup a trusted RFC connection?


Setting up trusted RFC

Start in transaction SM59 to create an RFC to the destination system:

Fill out your own user ID first. Make sure your user ID exists in the destination system and has sufficient S_RFCACL rights there. See OSS note 128447 – Trusted/trusting systems for the details.

Test the connection including the remote logon.

If that is ok, start transaction SMT1 and start the roadmap for setting up the trusted connection:

Enter the destination and finish the roadmap:

Complete the roadmap.

Now return to SM59 for the destination and remove the user ID, tick the box “Current User” and switch the Trust Relationship to Yes:

Now test again. All should work.

Testing trusted RFC

A trusted RFC can be tested via the Remote Logon button:

If you can now jump from the current system to the connected system without a password prompt, then all is fine.

If it is not working: check in the target system in ST22 for a remote logon failure dump. Most likely your user does not have sufficient rights in the target system.

RFC security settings

For checking RFC security settings, read this dedicated blog.

RFC Access Control List

In the newer S4HANA versions, you can switch from an authorization check towards a full Access Control List setup. Use transaction SMTACL and select the trust connection:

Switch here to Access Control List Check.

RFC hacking

Be aware that RFCs, and especially trusted RFCs, can be misused for hacking. Read this dedicated blog on how, and how to protect against it.

Checking which systems you trust

With transaction SMT2 you can check which systems have a trusted system setup towards the system you are currently logged in to.

Set up FIORI notifications

This blog will explain the setup of FIORI notifications. They are sometimes also called FIORI push notifications.

The notifications on the FIORI launchpad are pushed to the end user on the top right part of the screen:

In this case 22 notifications are present.

Questions that will be answered in this blog are:

  • How to generically activate FIORI notifications?
  • Which specific settings do I need to perform to activate notifications for my specific workflow?
  • How to test FIORI notifications?
  • Where to find more background on FIORI notifications?

Setting up the FIORI notifications

Go to the customizing entry for notification channel configuration. We will set up the scenario for embedded FIORI. If you want to set up notifications with the FIORI gateway as a central hub, more activities are required. These are listed on the SAP help site.

Start with the Notification Hub RFC destination:

Set the destination to NONE and press execute:

Now set the backend system alias to LOCAL and press execute:

Now go to the menu entry Manage Notification Providers to activate the desired ones:

Now we will set up the notification channel hub. Go to these customizing actions:

Start with the action Manage SAP System Aliases and map the LOCAL gateway to RFC destination NONE:

Now select the Publish the Notification ODATA Service entry and make sure the service /IWNGW/NOTIFICATION_SRV is published:

If not done, push the button Publish Service Groups, select LOCAL, press button Get Service Groups and search for /IWNGW/NOTIFICATION_SRV:

And publish it.

Now check in Manage WebSocket Endpoint that service NOTIFICATION_PUSH_APC is active:

In the customizing entry Activate and Maintain Push Channels, check that the push channels are properly active, and if not activate it:

Go to transaction SWF_PUSH_NOTIF1 to add the workflow task for push notifications. We will add task TS00008267 (this is used in the generic workflow verification):

Click on the text icon to maintain the text:

Make sure in the technical job repository SJOBREPO (see blog) that the jobs for deadline monitoring and push notifications are running:

Testing the push notifications

Now you can start the verification workflow in SWU3 (see blog) or start test transaction /IWNGW/BEP_DEMO:

The results can be seen on the FIORI launchpad:

Notification icon not visible on the FIORI launchpad

If the notification icon is hidden, check the configurations in transactions /UI2/NWBC_CFG_SAP and /UI2/NWBC_CFG_CUST. It can be that an administrator has suppressed this function.

Background information

The minimum requirements for FIORI notifications are described in OSS note 2578256 – What is the minimum requirement for Fiori Notification?.

Configuration restrictions are listed in OSS 2729492 – Configuring notifications in Fiori Launchpad and known restrictions.

See this SAP help file on the topic for setup FIORI notifications.

See this SAP help file for notification channel troubleshooting.

See this SAP help file for end user tips & tricks with regards to FIORI notifications.

For custom development of FIORI push notifications, read this SAP blog.

For a very good and extensive full setup description for 1809 FIORI 2.0, read this SAP blog.

SUIM User Information System

SUIM is like a Swiss army knife for the authorization consultant. It has so many reporting tools that it can basically answer any question.

Questions that will be answered in this blog are:

  • What are the most useful tools in SUIM?
  • How can I list users that never logged on to the system?
  • How can I list users that are locked, or have password issues?
  • How can I list users with critical authorizations?

SUIM

The SUIM tool is started with transaction SUIM:

Here you can select the reports from the different categories.

Most useful SUIM reports

In the subsections below you can find the most useful and most used SUIM reports.

Actual user columns are hidden in the examples below for privacy protection.

User with logon data and password change

Query need: to list when users last logged on and when they last changed their password. This query can be very useful when you have to clean up for the yearly license measurement.

In SUIM select this report:

Start screen:

Example result screen:

Check on users with specific authorization value

One of the most used SUIM reports is to list which users have a specific authorization value:

In this example we will look up users which have rights for debugging (object S_DEVELOP, value DEBUG):

On the result list you can see all users. Select the user you are interested in and select the button In Accordance with Selection to find out which role has the specifically requested authorization object:

Result can be multiple roles as well:

Remark: there are 3 single roles here which contain the object. The 3 roles are in 1 composite role that is assigned. That is why the number on top shows 1 role while there are 3 detail lines.

Check on most common critical authorizations

SUIM has a nice check program to check on the most common critical authorizations:

You can select the default SAP variant and use display variant to see the list of checks:

Open the checks to see the details:

The result list can have many potential issues:

You again use the button In Accordance with Selection to find out which role is the cause of the potential issue.

Be careful with the reporting of the numbers. A lot of managers cannot deal with the high numbers reported: 'It is unbelievable that I have 91.493 critical authorization issues in my system!'. Most of the issues are simple to fix and bring the numbers down dramatically, or some of the items are not relevant in your situation. Always handle the numbers with care.

OSS notes

SUIM is constantly being improved. There are many small bug fix OSS notes. Don’t be scared off by the length of the list: SUIM is a very large function, so it will have many OSS notes.

Bug fix notes to consider:

Number ranges tips & tricks

This blog is about number ranges.

Questions that will be answered in this blog are:

  • How to maintain number ranges?
  • How to transport number ranges?
  • How to clean up old number ranges?
  • How to check if number ranges are full or almost full?
  • Which notes can help me when we have performance issues with number ranges?

SNRO number range maintenance

Number ranges can be maintained with transaction SNRO. After starting select the number range to maintain:

Now press the button Interval Editing:

Now you can display or change the intervals or current number:

Transport of number ranges

Number ranges are not directly put into a transport. If you want to transport them, select from the range maintenance screen the menu option Ranges / Transport. You will get this warning screen:

After pressing Yes, the popup for the transport request will appear.

Number range fill up check

Program RSNUMHOT can be used to check if any number range is full or is at a certain percentage.

Output example:

For background running read the KBA note 2485249 – How to see the spool results of report RSNUMHOT.

Number range buffer

Using transaction SM56 you can check the number range buffer settings:

See also OSS note 2586414 – NUM: Increase default of number range buffer size.

Number range clean up

If you have an older SAP implementation, the amount of number ranges can go very high. There are many number ranges per year, especially in finance. The result can be that transaction SNRO gets very slow. If this is the case install OSS note 2931837 – NR: Reorganization of interval table. This will bring program NK_IV_REORGANIZE to reorganize the number range table:

Number range issues

Number ranges are known to have issues in 2 areas:

  • Performance (mainly on very large systems): can be seen in SM66 or SM50 with long updates on table NRIV
  • Gaps in number ranges where legal requirements exist

OSS notes to check when having number range issues: