SQL commands via ST04

Via the ST04 SQL editor, an administrator (or an attacker who has taken over an administrator's account) can execute any SQL statement, provided the account has the required authorizations.

Once the S_DBCON authorization is granted, arbitrary SQL can be used to read and update any table in the schema.

Firing an SQL command via ST04

Start transaction ST04 and open the SQL editor in the Diagnostics section:

Now enter your SQL statement and press execute.

The result is shown:

How to avoid this?

If you do not want people to use this function, withdraw the authorization: object S_DBCON protects it.

Note that the SQL is executed under the database user of the ABAP system's own connection (the schema owner), not under the ABAP user who is logged on. Database-side audit trails therefore show only that shared database user, and ABAP-level authorization checks on the tables are bypassed entirely.
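As an added example (not part of the original post), a small Python audit that lists which users hold S_DBCON through their roles, and with which activity. The AGR_1251 and AGR_USERS rows are constructed sample data in the shape of those SAP tables; in a real system you would export the tables instead. The split of ACTVT 03 (read) versus 02 (change) is this example's assumption.

```python
"""Audit who can run SQL via ST04: effective S_DBCON grants from role data.

Added example, not part of the original post. Works on constructed sample
rows shaped like SAP tables AGR_1251 (role authorization values) and
AGR_USERS (role-to-user assignment). DBA_DBHOST, DBA_DBSID, DBA_DBUSER and
ACTVT are the fields of authorization object S_DBCON.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed AGR_1251 rows: (AGR_NAME, OBJECT, FIELD, LOW, HIGH, DELETED)
AGR_1251 = [
    ("Z_BASIS_ADMIN", "S_DBCON", "DBA_DBHOST", "*", "", ""),
    ("Z_BASIS_ADMIN", "S_DBCON", "DBA_DBSID", "*", "", ""),
    ("Z_BASIS_ADMIN", "S_DBCON", "DBA_DBUSER", "*", "", ""),
    ("Z_BASIS_ADMIN", "S_DBCON", "ACTVT", "02", "", ""),
    ("Z_BASIS_ADMIN", "S_DBCON", "ACTVT", "03", "", ""),
    ("Z_DB_MONITOR", "S_DBCON", "DBA_DBHOST", "*", "", ""),
    ("Z_DB_MONITOR", "S_DBCON", "DBA_DBSID", "*", "", ""),
    ("Z_DB_MONITOR", "S_DBCON", "DBA_DBUSER", "*", "", ""),
    ("Z_DB_MONITOR", "S_DBCON", "ACTVT", "03", "", ""),
    ("Z_OLD_DBA", "S_DBCON", "ACTVT", "02", "", "X"),        # DELETED = X: inactive
    ("Z_OLD_DBA", "S_DBCON", "DBA_DBSID", "*", "", "X"),
    ("Z_DEVELOPER", "S_DEVELOP", "ACTVT", "01", "03", ""),   # not S_DBCON
]
# Constructed AGR_USERS rows: (AGR_NAME, UNAME)
AGR_USERS = [
    ("Z_BASIS_ADMIN", "BASISADM"),
    ("Z_DB_MONITOR", "MONITOR1"),
    ("Z_DB_MONITOR", "BASISADM"),
    ("Z_OLD_DBA", "EXDBA"),
    ("Z_DEVELOPER", "DEV01"),
]


def s_dbcon_by_role(rows):
    """Collect active S_DBCON field values per role: role -> field -> set of values."""
    grants = defaultdict(lambda: defaultdict(set))
    for role, obj, field, low, high, deleted in rows:
        if obj != "S_DBCON" or deleted == "X":
            continue
        # HIGH is filled for ranges (e.g. ACTVT 01-03); keep "low-high" for matching.
        grants[role][field].add(low if not high else f"{low}-{high}")
    return grants


def actvt_matches(values, wanted):
    """True if a value set covers `wanted`, honouring '*' patterns and 'lo-hi' ranges."""
    for v in values:
        if v == "*":
            return True
        if "-" in v:
            lo, hi = v.split("-", 1)
            if lo <= wanted <= hi:
                return True
        elif fnmatchcase(wanted, v):
            return True
    return False


def users_with_sql_access(agr_1251=AGR_1251, agr_users=AGR_USERS):
    """Map each user to the roles granting S_DBCON, split by read (03) and change (02).

    Returns {user: {"read": [roles], "change": [roles]}}; users without any
    active S_DBCON grant are absent from the result.
    """
    grants = s_dbcon_by_role(agr_1251)
    result = defaultdict(lambda: {"read": [], "change": []})
    for role, user in agr_users:
        actvt = grants.get(role, {}).get("ACTVT", set())
        if actvt_matches(actvt, "03"):
            result[user]["read"].append(role)
        if actvt_matches(actvt, "02"):
            result[user]["change"].append(role)
    return {u: {k: sorted(v) for k, v in r.items()} for u, r in result.items()}


if __name__ == "__main__":
    for user, access in sorted(users_with_sql_access().items()):
        print(f"{user:10} read via {access['read']}  change via {access['change']}")
```

Role data only becomes effective after profile generation and user comparison, so treat this as a first pass and confirm against the generated profiles (SUIM, or tables USR12/UST12). Remember also that the schema user is shared by all clients, so S_DBCON granted in one client reaches every client's data.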

PDF converter in SAP ABAP kernel

Newer SAP ABAP kernels and releases (kernel 781 with SAP_BASIS 755) support PDF conversion inside the SAP ABAP kernel.

Using the kernel converter speeds up PDF generation for ABAP lists, SAPscript and Smart Forms.

Background

The background of the kernel PDF converter is explained in OSS note 2991197 – Using the kernel PDF converter in ABAP.

Switching on PDF generation via SAP kernel

To switch it on, start program RSTXPDF3KRN and choose to change parameter PDF_KERNEL:

Confirm to turn on:

Fonts

Fonts and font mappings can still be maintained via program RSTXPDF2UC:

SAP for me

SAP for Me is an alternative to the SAP Support Portal (support.sap.com).

Questions that will be answered in this blog are:

  • What functions does SAP for Me offer?

Start of SAP for Me

You can easily start SAP for Me with the URL me.sap.com.

SAP for Me versus support.sap.com

SAP for Me provides some extra functions that are not offered yet by support.sap.com. The general overview of functions is listed in the chapters below.

Highlights:

  • Calendar function
  • Financial invoices and licenses
  • Statistics on open SAP messages

Calendar function

In the calendar function you can quickly see which upcoming maintenance activities there are for your cloud products, planned expert sessions, software release dates, and security patch days:

Portfolio and products overview

In the portfolio and products overview you can see the products (both on premise and cloud) that you are licensed for. You need authorizations to view this page. Authorizations are taken from the rights of your S user.

Finance and legal

In the finance and legal overview you can see the invoices for your licensed products (both on premise and cloud) and, for cloud products, the current usage. You need authorizations to view this page. Authorizations are taken from the rights of your S-user.

Services and support

The services and support overview page is a different view on your open tickets at SAP. It shows at a glance which tickets are with SAP and which are awaiting customer action (these require your attention):

Systems and provisioning

Systems and provisioning provides an overview of both on premise and cloud systems:

Users and contacts

The users and contacts page gives an overview of your important contacts.

Information disclosure of SAP Web Administration Interface

Although this is a known issue, the SAP Web Administration Interface is still frequently found to be fully public. An attacker can then retrieve release and patch-level information without any authentication.

Check this carefully, also for newer system installations: a fresh install is not automatically safe.

Questions that will be answered in this blog are:

  • What is the web administration interface?
  • Why is it dangerous to have this public?
  • How to close the gap and make the web administration interface shielded again?

What is the web administration interface?

The web administration interface can be opened on your NetWeaver system with a browser via http(s)://<host>:<port>/sap/admin/public/index.html:

Here you can see the status and also the version information:

If you enter the URL and get a password prompt like this, the interface is protected:

If you did not get a prompt, the page is still public.

Why is this public release information dangerous?

This page is present on ABAP stacks, Java stacks and the SAP Web Dispatcher. Portals and NetWeaver Gateway systems are often exposed to the outside world for partners, customers and suppliers. If the reverse proxies and the SAP systems themselves are not hardened, this page is reachable from the internet. Attackers scan for it, read the release and patch level and know immediately whether you are vulnerable to a published exploit.

Dangerous? Yes, very. See the recent HotNews security note on ICMAD, rated very high:

How to solve the issue?

The solution is described in OSS note 2260323 – Internet Communication Manager (ICM) 7.20 security settings and more specifically in OSS note 2258786 – Potential information disclosure relating to SAP Web Administration Interface.

The solution is to set the sub-parameter ALLOWPUB of profile parameter icm/HTTP/admin_<xx> to NO. See the screenshot on how to display the sub-parameters:

Checking whether it worked is simple: open the page again and verify that the public status page is no longer served:
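As an added example, not code from the original post: a small Python checker that requests the public admin page on a list of systems and reports whether it is served. The host names are placeholders, the verdicts follow the post's description (password prompt means protected, status page means public), and the status codes used in the self-check are constructed.

```python
"""Check whether the SAP Web Administration Interface is publicly readable.

Added example, not from the original post. Requests
/sap/admin/public/index.html on each base URL and classifies the answer:
200 = public status page served, 401/403 = protected, 404 = no handler.
Host names are placeholders.
"""
import ssl
import urllib.error
import urllib.request

ADMIN_PATH = "/sap/admin/public/index.html"


def classify(status, body=b""):
    """Map the HTTP status (and body) of the public admin page to (verdict, detail)."""
    if status == 200:
        # Public page served: release and patch-level information is readable.
        detail = "public status page served"
        if body:
            detail += f" ({len(body)} bytes)"
        return "PUBLIC", detail
    if status in (401, 407):
        return "PROTECTED", "authentication required"
    if status == 403:
        return "PROTECTED", "access forbidden"
    if status == 404:
        return "NOT_FOUND", "no admin handler at this path"
    return "UNKNOWN", f"unexpected HTTP status {status}"


def probe(base_url, timeout=5, verify_tls=True):
    """Fetch the public admin page of one system and return (verdict, detail).

    verify_tls=False allows probing systems with self-signed certificates;
    this check is about exposure, not about certificate trust.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    # Direct connection (no proxy from the environment), so the verdict
    # is about the target itself and not about an intermediate proxy.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}),
                                         urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(base_url.rstrip("/") + ADMIN_PATH,
                                 headers={"User-Agent": "admin-exposure-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as e:        # 4xx/5xx still carry a status
        return classify(e.code)
    except (urllib.error.URLError, OSError) as e:
        return "UNREACHABLE", str(e)


def scan(base_urls, **kw):
    """Probe several systems; returns {base_url: (verdict, detail)}."""
    return {u: probe(u, **kw) for u in base_urls}


if __name__ == "__main__":
    # Placeholder hosts: replace with your ICM, Web Dispatcher and Java endpoints.
    targets = ["https://portal.example.com", "http://gateway.example.com:8000"]
    for url, (verdict, detail) in scan(targets, verify_tls=False).items():
        print(f"{verdict:11} {url}  {detail}")
```

Run it against every externally reachable SAP endpoint, including Web Dispatchers and Java stacks, since the post notes the page exists on all of them; a PUBLIC verdict means ALLOWPUB still permits the public pages.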

SAP support log assistant

Many SAP applications generate logs with errors. These can be hard to analyze.

SAP now offers an online tool that scans a log for known issues and proposes OSS notes with hints and solutions.

Questions that will be answered in this blog are:

  • What is the SAP support log assistant?
  • How to use the SAP support log assistant?

How to run and use the SAP support log assistant

To start the SAP support log assistant, use this URL.

Use the upload button to upload your log file; in this case an SAP Cloud Connector log file with errors. The log is sent to an SAP-hosted service, so remove passwords, tokens and other sensitive data from it before uploading:

After the upload, press the button Scan files to start the scan. The results:

The third screen is the summary:

Here you can download your results, submit to SAP or provide SAP with feedback.

Background of the SAP support log assistant

SAP note 2990062 – What is the Support Log Assistant and how can I use it to find known issues and solutions? describes the full background.

Wiki page: link.

File types that can be analyzed: link.

Explanation blog: link.

TLS v1.2 setup

TLS stands for Transport Layer Security (full background in this blog). It is the protocol that secures the HTTPS (web) side of the ABAP server.

Questions that will be explained in this blog:

  • How can I enable TLS v1.2 for my ABAP server?
  • How can I check TLS v1.2 is properly setup?
  • Can I disable TLS v1.0 and v1.1?

Setup of TLS v1.2 on ABAP

The setup of TLS v1.2 is described in OSS note 2384290 – SapSSL update to facilitate TLSv1.2-only configurations, TLSext SNI for 721+722 clients.

Settings that enable TLS v1.2 while still allowing v1.0 and v1.1 for older clients (the numeric prefix of the cipher suite string selects the protocol versions; see the note for the values of a TLS v1.2-only setup). Check that the SETENV_26 to SETENV_28 numbers do not collide with SETENV_<n> entries already present in your profile:

ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_26 = SECUDIR=$(DIR_INSTANCE)$(DIR_SEP)sec
SETENV_27 = SAPSSL_CLIENT_CIPHERSUITES=150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_28 = SAPSSL_CLIENT_SNI_ENABLED=TRUE
icm/HTTPS/client_sni_enabled = TRUE
ssl/client_sni_enabled = TRUE

Set up of TLS v1.2 on HANA

For setup of TLS v1.2 on HANA follow the instructions in OSS note 2829919 – How to enable TLS 1.2 for all Hana ports.

How to check TLS v1.2 usage?

Which TLS version a browser actually negotiated is checked differently per browser; read this blog for the exact instructions per browser.

The end result is as follows:

Can I switch off TLS v1.0 and v1.1?

Yes, you can switch off TLS v1.0 and v1.1. This is described in OSS note 2384290 – SapSSL update to facilitate TLSv1.2-only configurations, TLSext SNI for 721+722 clients. Also read the warning in this note: the practical gain is limited, while the risk of breaking older clients and integrations is high.

So switching it off in a live system is tricky: first inventory which clients still connect with TLS v1.0 or v1.1. Switching it off from the start in a new system landscape is simple and a good idea.

TLS v1.3

At the time of writing TLS v1.3 is not supported for ABAP. See OSS note 2765639 – Is TLS 1.3 supported in NetWeaver AS ABAP?.
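As an added example (not code from the original post), a Python probe that answers the "how can I check" and "can I switch off v1.0 and v1.1" questions above from the outside: it attempts one handshake per protocol version against the ICM HTTPS port and reports which versions the server accepts. Host and port are placeholders; the result dictionaries in the self-check are constructed.

```python
"""Probe which TLS protocol versions an SAP HTTPS port accepts.

Added example, not from the original post. One handshake per version,
with minimum and maximum version pinned so the server cannot negotiate
anything else. Run it against the ICM HTTPS port (or Web Dispatcher /
HANA) after changing ssl/ciphersuites: TLS 1.2 must be accepted, and in a
TLS 1.2-only setup 1.0 and 1.1 must be refused.
"""
import socket
import ssl

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def handshake(host, port, version, timeout=5, verify=False):
    """True if the server completes a handshake restricted to `version`,
    False if it refuses it (protocol alert / no shared cipher), None if the
    probe could not be performed (connection failure, or the local OpenSSL
    refuses to offer that old version at all)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if not verify:                      # exposure check, not a trust check
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Modern OpenSSL builds refuse TLS 1.0/1.1 client-side unless the
        # security level is lowered; otherwise we would never reach the server.
        if version <= ssl.TLSVersion.TLSv1_1:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError:
        return False                    # server rejected this version
    except OSError:
        return None                     # connection-level failure, no verdict


def probe(host, port=443, **kw):
    """Run all four probes; returns {"TLSv1.0": True|False|None, ...}."""
    return {name: handshake(host, port, v, **kw) for name, v in VERSIONS.items()}


def assess(results, allow_legacy=True):
    """Turn probe results into findings.

    allow_legacy=True matches the post's configuration that keeps 1.0/1.1 for
    old clients; use False when you expect a TLS 1.2-only setup."""
    findings = []
    if results.get("TLSv1.2") is not True:
        findings.append("TLS 1.2 not accepted: check ssl/ciphersuites and the CommonCryptoLib level")
    for legacy in ("TLSv1.0", "TLSv1.1"):
        if results.get(legacy) is True and not allow_legacy:
            findings.append(f"{legacy} still accepted although a TLS 1.2-only setup was expected")
    if results.get("TLSv1.3") is True:
        findings.append("TLS 1.3 accepted: AS ABAP does not offer it (OSS note 2765639), "
                        "so something in front of it is probably terminating TLS")
    return findings


if __name__ == "__main__":
    host, port = "sapapp.example.com", 44300    # placeholder ICM HTTPS port
    res = probe(host, port)
    for name, ok in res.items():
        state = "accepted" if ok else ("refused" if ok is False else "not tested")
        print(f"{name}: {state}")
    for finding in assess(res, allow_legacy=False):
        print("finding:", finding)
```

A None for TLS 1.0 or 1.1 usually means your own OpenSSL build would not offer the version, not that the server refused it; test from a host with an older library if you need certainty about those two.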

SAP background

More background can be found in OSS note 510007 – Additional considerations for setting up SSL on Application Server ABAP.

SAP Process discovery

SAP offers a new tool called Process Discovery.

This tool can help you prepare for an S/4HANA conversion.

SAP Pathfinder will most likely be succeeded by Signavio Process Insights. Read this blog for more information on Signavio Process Insights, discovery edition.

Preparation

Apply OSS notes 2758146 and 2745851 and transport them to your productive system.

Then run program RC_VALUE_DISCOVERY_COLL_DATA in the productive system with the business scenario recommendation option.

The first option is for the pathfinder tool. You can read more on this option in this blog.

Let the batch job collect the data. Run the program again and use button Download Analysis Data to download the data.

The analysis

Now you can upload this file to the SAP site. Wait about 5 working days for SAP to process the data.

You can look at a sample report on this link:

And you can see the demo results:

Background

Background on SAP process discovery can be read in this SAP blog.

In case of issues you can read the troubleshooting guide: 2977422 – Process Discovery (evolution of SAP Business Scenario Recommendations) & SAP Pathfinder report – troubleshooting guide.

Read more in OSS note 2918818 – Usage and Performance Data Collection for Process Discovery (evolution of SAP Business Scenario Recommendations) and SAP Innovation and Optimization Pathfinder, with a spotlight on the inclusion of usage and performance data.

SAP Readiness Check for SAP S/4HANA upgrades

The SAP Readiness Check is normally used to assess the impact of an ECC to S/4HANA conversion (read this blog).

It can also be used to assess the impact of an upgrade from a lower S/4HANA version to a newer one.

Preparation for the S4HANA readiness check

First apply the notes listed in master note 3059197 – SAP Readiness Check for SAP S/4HANA upgrades. If you get a short dump after starting program RC_COLLECT_ANALYSIS_DATA, follow the instructions in OSS note 3093810 – Executing report RC_VALUE_DISCOVERY_COLL_DATA immediately results in an ABAP Dump CX_SY_DYN_CALL_ILLEGAL_FUNC.

Also apply the notes mentioned in OSS note 3061414 – Enabling extended integration impact analysis for SAP Readiness Check, if you want to include ALE scenarios in your analysis.

If you have to upgrade to a newer version, apply the latest version of note 3059197 and afterwards use “Update latest version from SAP catalog”, as explained in OSS note 3213713 – SAP S/4HANA Readiness check report do not show latest S/4HANA target releases.

Running the check

Start program RC_COLLECT_ANALYSIS_DATA:

Start the batch job and wait until it is done.

Start program RC_COLLECT_ANALYSIS_DATA again and push button Download Analysis Data.

This file you need to upload on the SAP Readiness check site.

Result

After you have uploaded the results SAP needs about 1 hour to process the results. Then you can look at the items you need to consider for your S4HANA release upgrade:

Remark: the number of items will be far smaller than for the ECC to S/4HANA conversion readiness check.

Bug fix notes

Bug fix notes:

SAP password hash strengthening

SAP password hashes can be cracked; see for example this blog. By increasing the cost of computing the hash, you slow that process down.

Questions that will be answered in this blog are:

  • How can I strengthen my SAP password hash?
  • Does it also work when I use CUA?

Password hash algorithm strength

The main OSS note for the SAP password hash algorithm is 1458262 – ABAP: recommended settings for password hash algorithms. Note 2140269 – ABAP password hash: supporting salt sizes up to 256 bits describes the actual parameter value.

In RZ11 set parameter login/password_hash_algorithm to exactly this value: encoding=RFC2307, algorithm=iSSHA-512, iterations=15000, saltsize=256. Maintain it in the instance profile (RZ10) as well, so that the setting survives a restart.

Make sure you follow the correct syntax. The syntax is listed in OSS note 991968 - List of values for "login/password_hash_algorithm". If you get it wrong, you might run into the issue reported in OSS note 3043774 - Iterated salted hash is empty after having assigned or changed a password.

End result

Example for a test user. Before the setting the PWDSALTEDHASH field has this value:

After change of the parameter we reset the password of the user and the hash now looks like this:

Much longer, hence much costlier to crack: every guess now costs 15000 hash iterations, and the 256-bit salt rules out precomputed tables. The hashes can still be cracked, but it takes far more time, whether for a single password or for a large batch of passwords.

The parameter only affects passwords set after the change, not the existing ones; an old hash is replaced when the user's password is changed or reset. Also check login/password_downwards_compatibility: as long as it permits it, the weaker downward-compatible hash formats are still stored alongside the new hash.
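As an added example, not code from the original post: a Python validator for the login/password_hash_algorithm value, so that a typo is caught before it produces the empty-hash problem from note 3043774, plus a generic iterated salted hash that illustrates why iterations and salt size raise the cracking cost. The accepted algorithm names and the salt limit are this example's assumptions (note 991968 has the authoritative list), and the hash function is deliberately not a reimplementation of SAP's iSSHA-512 format.

```python
"""Validate login/password_hash_algorithm and illustrate iterations/salt cost.

Added example, not from the original post. parse_hash_parameter() checks the
comma-separated key=value syntax of the value shown in the post
(encoding=RFC2307, algorithm=iSSHA-512, iterations=15000, saltsize=256).
ALLOWED_* and MAX_SALT_BITS are assumptions of this example; OSS note 991968
has the authoritative list. iterated_salted_sha512() is a generic
construction for illustration, NOT SAP's iSSHA-512 (CODVN H) hash.
"""
import hashlib
import os
import re
import time

ALLOWED_ENCODINGS = {"RFC2307"}
ALLOWED_ALGORITHMS = {"iSSHA-1", "iSSHA-256", "iSSHA-512"}   # assumption
MAX_SALT_BITS = 256                                          # OSS note 2140269
RECOMMENDED = {"encoding": "RFC2307", "algorithm": "iSSHA-512",
               "iterations": 15000, "saltsize": 256}


def parse_hash_parameter(value):
    """Parse the parameter value into typed fields, or raise ValueError with the reason."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    parsed = {}
    for part in parts:
        m = re.fullmatch(r"([A-Za-z]+)\s*=\s*([A-Za-z0-9\-]+)", part)
        if not m:
            raise ValueError(f"malformed element {part!r}: expected key=value, comma separated")
        key, val = m.group(1).lower(), m.group(2)
        if key in parsed:
            raise ValueError(f"duplicate key {key!r}")
        parsed[key] = val
    missing = {"encoding", "algorithm", "iterations", "saltsize"} - parsed.keys()
    if missing:
        raise ValueError(f"missing keys: {sorted(missing)}")
    if parsed["encoding"] not in ALLOWED_ENCODINGS:
        raise ValueError(f"unknown encoding {parsed['encoding']!r}")
    if parsed["algorithm"] not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unknown algorithm {parsed['algorithm']!r}")
    try:
        iterations, saltsize = int(parsed["iterations"]), int(parsed["saltsize"])
    except ValueError:
        raise ValueError("iterations and saltsize must be integers") from None
    if iterations < 1:
        raise ValueError("iterations must be positive")
    if not 0 < saltsize <= MAX_SALT_BITS:
        raise ValueError(f"saltsize must be between 1 and {MAX_SALT_BITS} bits")
    return {"encoding": parsed["encoding"], "algorithm": parsed["algorithm"],
            "iterations": iterations, "saltsize": saltsize}


def is_recommended(value):
    """True if the value parses and matches the recommended setting from the post."""
    try:
        return parse_hash_parameter(value) == RECOMMENDED
    except ValueError:
        return False


def iterated_salted_sha512(password, salt, iterations):
    """Generic iterated salted SHA-512 (illustration only, not SAP's format)."""
    pw = password.encode("utf-8")
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha512(digest + pw).digest()
    return digest


def guesses_per_second(iterations, sample=50):
    """Candidate passwords this machine can test per second at `iterations`;
    the ratio between two iteration counts is the slowdown an attacker sees."""
    salt = os.urandom(32)
    start = time.perf_counter()
    for i in range(sample):
        iterated_salted_sha512(f"guess{i}", salt, iterations)
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    print(parse_hash_parameter("encoding=RFC2307, algorithm=iSSHA-512, iterations=15000, saltsize=256"))
    for bad in ("encoding=RFC2307; algorithm=iSSHA-512; iterations=15000; saltsize=256",
                "encoding=RFC2307, algorithm=iSSHA-512, iterations=15000, saltsize=1024"):
        try:
            parse_hash_parameter(bad)
        except ValueError as e:
            print("rejected:", bad, "->", e)
    low, high = guesses_per_second(1024), guesses_per_second(15000)
    print(f"~{low:.0f} guesses/s at 1024 iterations, ~{high:.0f} at 15000: {low / high:.1f}x slower")
```

The timing loop is the point of the second half: the slowdown factor scales linearly with the iteration count for the attacker just as it does for the logon, which is why 15000 is a good trade-off for interactive logons but the wrong knob for protecting a database dump that was never salted properly.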

CUA

If you use CUA, passwords can be distributed from the CUA system. If your CUA system and the connected systems are recent enough, there is no issue at all. See the CUA section of OSS note 1458262 – ABAP: recommended settings for password hash algorithms.

Test drive SAP Cloud ALM demo system

SAP Cloud ALM is a solution offered by SAP for managing cloud products of SAP.

The tool is still being built up, but looks promising. If you are interested in what Cloud ALM can do, read the documentation, but also try it out in the online Cloud ALM demo system.

Questions that will be answered in this blog are:

  • How can I see online in a demo system what SAP Cloud ALM can do?
  • Where can I find more information on SAP Cloud ALM?
  • Does SAP Cloud ALM require a license or is it free for use?

If you look for a SAP solution manager demo system: read this blog.

The SAP Cloud ALM demo system

The SAP Cloud ALM demo system can be accessed on the ALM demo tenant page:

Use one of the users listed to logon:

Background information on Cloud ALM

General information about Cloud ALM can be found on this link.

All technical background and implementation information on Cloud ALM can be found at the SAP Cloud ALM expert portal:

SAP Cloud ALM license

According to this SAP blog, the use of SAP Cloud ALM is part of the general SAP license, just like SAP Solution Manager. Its use is free of license cost, but of course the time you need to spend on implementation and activation is not.