How to check HTTP usage in your ABAP system?

Security teams might ask you, as basis administrator, which HTTP calls are being made to and from your ABAP system. Or you might be asked to switch off HTTP (allowing only HTTPS), in which case you need to know which users and applications still call on HTTP.

Questions that will be answered in this blog are:

  • Which users and systems are calling my ABAP system on HTTP?
  • Which systems does my ABAP system call using HTTP?
  • Which programs and processes are using HTTP?

If you need to check RFC usage in your system: read this blog.

Web statistics in ST03

Go to transaction ST03N or ST03, and open the total for this month. Then open the analysis view for web statistics. First check the WEB Client Statistics:

This already gives a lot of information: host and port, and the number of calls. The tabs Transaction, User and URL give the further details you need: the calling transaction, the user and the URLs used over HTTP.

On all 4 tabs of all 4 reports you can double-click to get more details. After the double-click both HTTPS and HTTP are shown, so be sure to filter on HTTP:

Statistics                   Description
WEB Client Statistics        Workload due to requests for which the system acts as a Web client
WEB Client Dest. Statistics  Workload due to requests for which the system acts as a Web client, broken down by client destination
WEB Server Statistics        Workload due to requests for which the system acts as a Web server
WEB Server Dest. Statistics  Workload due to requests for which the system acts as a Web server, broken down by server destination

Common cases

Common cases you might want to check for HTTP use:

End users using HTTP

Most of the calls will work on HTTPS as well as on HTTP. The most common problem is that end users have bookmarked the HTTP version in their browser. They need to be told the HTTPS version (which has a different port number). If you switch off HTTP while a lot of people are still using it, you will get a lot of tickets and complaints. Use the web client statistics explained above to see which entry URLs they are using. Then mail them the new HTTPS entry URLs with the appropriate port and ask them to switch. Repeat this a few times until the number of stubborn users is low enough to disable HTTP.

Disabling HTTP check

In transaction SMICM go to the Services icon and check that nothing is running on an HTTP port any more.

If you are using SAP Focused Run, read this blog to set up a Security and Configuration validation rule to execute a landscape wide scan on use of HTTP port.

Sending hyperlink in email with ABAP code

This blog explains the ABAP code you can use to send an email in HTML format, including a hyperlink, from an SAP system.

Questions that will be answered in this blog are:

  • Which basis settings do I need to make for HTML mail format sending?
  • What code snippets can I re-use to send a hyperlink in an email from my custom ABAP program?

Basis settings for HTML mail

In order to send a mail with a hyperlink, the mail must be in HTML format.

First check this table entry exists in table SXCONVERT2:

If not, create it.

Now go to transaction SCOT and set the output format of RAW to HTM:

Save the settings.

ABAP code to mail hyperlink

The ABAP code to mail is as follows:

*&---------------------------------------------------------------------*
*& Report zemail_cl_bcs
*&---------------------------------------------------------------------*
*& Send an HTML mail containing a hyperlink via CL_BCS
*&---------------------------------------------------------------------*
REPORT zemail_cl_bcs.

CONSTANTS:
  gc_subject TYPE so_obj_des VALUE 'ABAP Email with CL_BCS',
  gc_raw     TYPE char03     VALUE 'HTM'.

DATA:
  gv_sent_to_all   TYPE os_boolean,
  gv_email         TYPE adr6-smtp_addr,
  gv_length        TYPE so_obj_len,
  xhtml_string     TYPE xstring,
  t_hex            TYPE solix_tab,
  gr_send_request  TYPE REF TO cl_bcs,
  gr_bcs_exception TYPE REF TO cx_bcs,
  gr_recipient     TYPE REF TO if_recipient_bcs,
  gr_sender        TYPE REF TO cl_sapuser_bcs,
  gr_document      TYPE REF TO cl_document_bcs.

DATA: zlv_longstring_message TYPE string.

TRY.
    "Create send request
    gr_send_request = cl_bcs=>create_persistent( ).

    "Email FROM: the user running the report
    gr_sender = cl_sapuser_bcs=>create( sy-uname ).
    "Add sender to send request
    gr_send_request->set_sender( i_sender = gr_sender ).

    "Email TO...
    gv_email = 'guru@saptechnicalguru.com'.
    gr_recipient = cl_cam_address_bcs=>create_internet_address( gv_email ).
    "Add recipient to send request
    gr_send_request->add_recipient(
      i_recipient = gr_recipient
      i_express   = 'X' ).

    "Build the HTML body: bold header, blue caption, then the hyperlink.
    "Apostrophes in the Fiori inbox URL are written as &#39; so that they
    "survive the conversions below and are rendered correctly by browsers.
    CONCATENATE '<html><strong>Decision needed</strong><br/><br/>'
      '<p style="color:blue;">Approval item</p>'
      '<a href="https://server:port/sap/bc/ui2/flp#WorkflowTask-displayInbox?allItems'
      '=true&/detail/XXX999_PGW/000000226597/TaskCollection(SAP__Origin=&#39;XXX999_PGW&#39;,InstanceID=&#39;000000226597&#39;)">click here to decide 000000226597</a>'
      '</html>'
      INTO zlv_longstring_message.

    "Convert the HTML string to a binary table for the document
    CALL FUNCTION 'SCMS_STRING_TO_XSTRING'
      EXPORTING
        text   = zlv_longstring_message
      IMPORTING
        buffer = xhtml_string
      EXCEPTIONS
        failed = 1
        OTHERS = 2.
    IF sy-subrc <> 0.
      WRITE 'Error converting HTML to xstring'.
      RETURN.
    ENDIF.

    CALL FUNCTION 'SCMS_XSTRING_TO_BINARY'
      EXPORTING
        buffer     = xhtml_string
      TABLES
        binary_tab = t_hex.

    "Document length is the real byte length, not a hard-coded value
    gv_length = xstrlen( xhtml_string ).

    gr_document = cl_document_bcs=>create_document(
                    i_type    = gc_raw
                    i_hex     = t_hex
                    i_length  = gv_length
                    i_subject = gc_subject ).
    "Add document to send request
    gr_send_request->set_document( gr_document ).

    "Set send immediately flag
    gr_send_request->set_send_immediately( 'X' ).
    "Send email
    gv_sent_to_all = gr_send_request->send( i_with_error_screen = 'X' ).
    IF gv_sent_to_all = 'X'.
      WRITE 'Email sent!'.
    ENDIF.

    "Commit to send email
    COMMIT WORK.

    "Exception handling
  CATCH cx_bcs INTO gr_bcs_exception.
    WRITE: 'Error!',
           'Error type:',
           gr_bcs_exception->error_type.
ENDTRY.

The end result is as follows in the mail:

The hyperlink in the mail jumps to the URL, which in this case is the URL link to this specific workflow item in the FIORI inbox.

The coding explained

We use the CL_BCS class from SAP. BCS stands for Business Communication Service. This class provides all modern options to send mail. We set the sender and receiver.

We now build the mail in HTML. Everything is stored in zlv_longstring_message. We start with the <html> tag and a header text in bold (strong). Then we add the caption text in blue, followed by the hyperlink (a href).

The hyperlink towards the Fiori inbox contains ' characters. These do not convert well in the subsequent steps, so each ' is replaced by the text &#39;, which is the HTML character code for an apostrophe ('). This way no browser misinterprets it.

At the end, we add the closing tag </html>. Now the HTML build up is ready and can be used to send.

The HTML is converted via the function modules SCMS_STRING_TO_XSTRING and SCMS_XSTRING_TO_BINARY to a binary table. This binary is attached as a document of type HTM to the mail. The mail is then sent with the immediate flag set.

OS commands

In some cases OS commands might be needed to perform maintenance work. They can also be misused by attackers.

Questions that will be answered in this blog are:

  • How to fire OS commands via SM49 or SM69?
  • How to fire OS command via program RSBDCOS0?

OS commands via SM49 and SM69

OS commands can be defined and executed using transaction SM49 or SM69:

You can use the SAP standard commands and define your own Z commands.

Issues with external commands? Read OSS note 1328083 – An external command behaves differently than expected.

OS command via ABAP program RSBDCOS0

There is also an ABAP program to fire external commands: RSBDCOS0. OSS note for this program: 2443193 – Report RSBDCOS0 – Execute OS command from SAP GUI.

Start the program and enter the command (in this case the ls command):

Output is shown:

The action is registered in the SM21 system log:

SAP Activate methodology for S4HANA implementations

In the past there was the RunSAP implementation methodology. This has now been superseded by the SAP Activate methodology. The most important variant is the one for S4HANA implementations.

You can go to the methodology using this link.

The roadmap now opens:

The methodology is split into several phases:

  • Discover
  • Prepare
  • Explore
  • Realize
  • Deploy
  • Run

The method focuses more on using out-of-the-box SAP software and on an Agile/Scrum way of implementing S4HANA.

On the tab content you can find useful content per phase:

And accelerators per phase:

Keep in mind that the method focuses on greenfield implementations. Nevertheless you can still use the content and accelerators in your own projects.

SQL commands via ST04

Via the SQL editor in ST04, an administrator, or an attacker who has obtained the same authorizations, can fire any SQL statement.

Once the authorizations on S_DBCON are there, any SQL can be used to read and update any table.

Firing SQL command via ST04

Start transaction ST04 and open the SQL editor in the Diagnostics section:

Now enter your SQL statement and press execute.

Result is shown:

How to avoid this?

If you don’t want people to use this function, withdraw the rights to do so. Authorization object S_DBCON is used to protect this.

Note that the SQL is fired using the SAP system's database user, not the ABAP user who is logged on.

PDF converter in SAP ABAP kernel

Newer SAP ABAP kernels and systems (kernel 781 with system release 755) support a PDF converter inside the SAP ABAP kernel.

Using the kernel converter speeds up PDF generation for ABAP lists, SAPscript and SmartForms.

Background

The background of the kernel PDF converter is explained in OSS note 2991197 – Using the kernel PDF converter in ABAP.

Switching on PDF generation via SAP kernel

To switch on, start program RSTXPDF3KRN and choose to change the parameter PDF_KERNEL:

Confirm to turn on:

Fonts

Fonts and fonts mapping can still be maintained via program RSTXPDF2UC:

SAP for me

SAP for me is an alternative to the SAP support marketplace.

Questions that will be answered in this blog are:

  • What functions does SAP for me offer?

Start of SAP for Me

You can easily start SAP for Me with the URL me.sap.com.

SAP for Me versus support.sap.com

SAP for Me provides some extra functions that are not offered yet by support.sap.com. The general overview of functions is listed in the chapters below.

Highlights:

  • Calendar function
  • Financial invoices and licenses
  • Statistics on open SAP messages

Calendar function

In the calendar function you can quickly see which upcoming maintenance activities there are for your cloud products, planned expert sessions, software release dates, and security patch days:

Portfolio and products overview

In the portfolio and products overview you can see the products (both on premise and cloud) that you are licensed for. You need authorizations to view this page. Authorizations are taken from the rights of your S user.

Finance and legal

In the finance and legal overview you can see the products (both on premise and cloud) that you are licensed for, the invoices and for cloud the current usage. You need authorizations to view this page. Authorizations are taken from the rights of your S user.

Services and support

The services and support overview page is a different view on your tickets open at SAP. It provides quick insight into which tickets are with SAP, and which ones are at customer action (which do require your attention):

Systems and provisioning

Systems and provisioning provides an overview of both on premise and cloud systems:

Users and contacts

The users and contacts page gives an overview of your important contacts.

Information disclosure of SAP Web Administration Interface

Despite the fact that this is a known issue, in many cases the SAP web administration interface is still set to fully public. This way an attacker can still retrieve vital release information.

You should check this carefully, also for newer system installations: they may not be ok either.

Questions that will be answered in this blog are:

  • What is the web administration interface?
  • Why is it dangerous to have this public?
  • How to close the gap and make the web administration interface shielded again?

What is the web administration interface?

The web administration interface can be started on your NetWeaver system by using a browser and keying in <host:port>/sap/admin/public/index.html:

Here you can see the status and also the version information:

If you keyed in the URL and got a password prompt like this, the page is protected:

If you did not get a prompt, the page is still public.

Why is this public release information dangerous?

This page is present on ABAP stacks, Java stacks and the Web Dispatcher. Portals and NetWeaver Gateway systems are often exposed to the outside world for partners, customers and suppliers. If security was not done well on the reverse proxies and the SAP systems themselves, this page is reachable from the internet. Attackers scan for it, read the release information and know whether you are vulnerable or not.

Dangerous? Yes, very. See the recent very high priority HotNews security note on ICMAD:

How to solve the issue?

The solution is described in OSS note 2260323 – Internet Communication Manager (ICM) 7.20 security settings and more specifically in OSS note 2258786 – Potential information disclosure relating to SAP Web Administration Interface.

The solution is to set the sub parameter ALLOWPUB (a sub parameter of icm/HTTP/admin) to NO. See the screenshot on how to display the sub parameters:

Checking whether it is done properly is simple: open the page again and confirm that it is disabled:
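A scripted version of this check for a whole landscape, as an added example that is not from the blog or from SAP (it assumes curl is installed and the target hosts in it are constructed placeholders):

```shell
#!/bin/sh
# Landscape-wide check: is /sap/admin/public/index.html served without a
# password, i.e. is icm/HTTP/admin ALLOWPUB still effectively YES?
# Added example (not the blog's or SAP's). Assumes curl; the TARGETS are
# constructed placeholders, replace them with your own ICM endpoints.

# Map the HTTP status code of the admin page to a finding.
admin_page_state() {
  case "$1" in
    200)     echo "PUBLIC" ;;        # page served: release info readable
    401|403) echo "PROTECTED" ;;     # password prompt / access denied
    404)     echo "NOT_SERVED" ;;    # admin handler not active on this port
    000)     echo "UNREACHABLE" ;;   # curl could not connect
    *)       echo "OTHER_$1" ;;
  esac
}

# Status code for scheme://host:port/sap/admin/public/index.html
# (curl prints 000 when no connection could be made).
fetch_status() {
  curl -s -k -o /dev/null -w '%{http_code}' --max-time 10 \
    "$1://$2:$3/sap/admin/public/index.html"
}

# Read "scheme host port" triples from stdin, print one finding per line and
# return 1 when at least one page is PUBLIC (usable as a monitoring check).
scan_targets() {
  public=0
  while read -r scheme host port; do
    [ -z "$host" ] && continue
    state=$(admin_page_state "$(fetch_status "$scheme" "$host" "$port")")
    echo "$scheme://$host:$port $state"
    [ "$state" = PUBLIC ] && public=1
  done
  return $public
}

# Run as: sh check_admin_ui.sh scan   (constructed target list below)
if [ "$1" = scan ]; then
  printf '%s\n' 'http sapdev01.example.com 8000' \
                'https sapprd01.example.com 44300' | scan_targets
fi
```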

SAP support log assistant

Many SAP applications generate logs with errors. These can be hard to analyze.

SAP now offers an online tool that quickly scans a log for known issues and provides the OSS notes with hints and solutions that may apply.

Questions that will be answered in this blog are:

  • What is the SAP support log assistant?
  • How to use the SAP support log assistant?

How to run and use the SAP support log assistant

To start the SAP support log assistant, use this URL.

Use the button to upload your log file. In this case an SAP cloud connector log file with errors:

After the upload, press the button Scan files to start the scan. The results:

The third screen is the summary:

Here you can download your results, submit to SAP or provide SAP with feedback.

Background of the SAP support log assistant

SAP note 2990062 – What is the Support Log Assistant and how can I use it to find known issues and solutions? describes the full background.

Wiki page: link.

File types that can be analyzed: link.

Explanation blog: link.

TLS v1.2 setup

TLS stands for Transport Layer Security (for the full background read this blog). It determines the security protocol used for the web part of the ABAP server.

Questions that will be answered in this blog:

  • How can I enable TLS v1.2 for my ABAP server?
  • How can I check that TLS v1.2 is properly set up?
  • Can I disable TLS v1.0 and v1.1?

Setup of TLS v1.2 on ABAP

The setup of TLS v1.2 is described in OSS note 2384290 – SapSSL update to facilitate TLSv1.2-only configurations, TLSext SNI for 721+722 clients.

Settings to enable TLS v1.2 while still allowing v1.0 and v1.1 for older clients:

ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_26 = SECUDIR=$(DIR_INSTANCE)$(DIR_SEP)sec
SETENV_27 = SAPSSL_CLIENT_CIPHERSUITES=150:PFS:HIGH::EC_P256:EC_HIGH
SETENV_28 = SAPSSL_CLIENT_SNI_ENABLED=TRUE
icm/HTTPS/client_sni_enabled = TRUE
ssl/client_sni_enabled = TRUE

Setup of TLS v1.2 on HANA

For setup of TLS v1.2 on HANA follow the instructions in OSS note 2829919 – How to enable TLS 1.2 for all Hana ports.

How to check TLS v1.2 usage?

Checking which TLS version a browser uses is a separate procedure. Read this blog for the exact instructions per browser.

The end result is as follows:

Can I switch off TLS v1.0 and v1.1?

Yes, you can switch off TLS v1.0 and v1.1. This is described in OSS note 2384290 – SapSSL update to facilitate TLSv1.2-only configurations, TLSext SNI for 721+722 clients. Please also read the warning in this note: the advantage is very low and the risk of running into issues is high.

So switching it off in a live system is tricky. Switching it off when starting a new system landscape is simple and a good idea.
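To verify from the outside which TLS versions the ICM HTTPS port still negotiates, before and after switching off v1.0 and v1.1, the following shell script can be used. It is an added example, not from the blog or from SAP; it assumes the openssl command-line tool is installed and takes the host and port of the ICM HTTPS service as placeholder arguments.

```shell
#!/bin/sh
# Probe which TLS protocol versions an ICM HTTPS port accepts and give an
# audit verdict. Added example (not the blog's or SAP's); assumes openssl.
# Usage: sh tls_probe.sh HOST PORT   (HOST/PORT are placeholders)

# Classify the captured output of one `openssl s_client` run. A handshake
# counts as ACCEPTED only when the SSL-Session block reports the requested
# protocol AND a real cipher was negotiated ("Cipher is (NONE)" on failure).
classify_handshake() {
  proto=$(printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
  cipher=$(printf '%s\n' "$1" | sed -n 's/^New, .*, Cipher is //p' | head -n 1)
  if [ "$proto" = "$2" ] && [ -n "$cipher" ] && [ "$cipher" != "(NONE)" ]; then
    echo ACCEPTED
  else
    echo REFUSED
  fi
}

# One probe: HOST PORT openssl-version-flag expected-protocol-name.
# An openssl build that itself no longer supports old versions reports REFUSED.
probe_version() {
  out=$(openssl s_client -connect "$1:$2" -servername "$1" "$3" </dev/null 2>&1)
  classify_handshake "$out" "$4"
}

# Verdict from the TLSv1.0, TLSv1.1 and TLSv1.2 results, in that order.
tls_verdict() {
  if [ "$3" != ACCEPTED ]; then
    echo "FAIL: TLSv1.2 not accepted"
  elif [ "$1" = ACCEPTED ] || [ "$2" = ACCEPTED ]; then
    echo "WARN: TLSv1.2 enabled but TLSv1.0/1.1 still accepted"
  else
    echo "OK: TLSv1.2-only"
  fi
}

if [ $# -eq 2 ]; then
  r10=$(probe_version "$1" "$2" -tls1   TLSv1)
  r11=$(probe_version "$1" "$2" -tls1_1 TLSv1.1)
  r12=$(probe_version "$1" "$2" -tls1_2 TLSv1.2)
  echo "TLSv1.0=$r10 TLSv1.1=$r11 TLSv1.2=$r12"
  tls_verdict "$r10" "$r11" "$r12"
fi
```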

TLS v1.3

TLS v1.3 is currently not supported for ABAP. See OSS note 2765639 – Is TLS 1.3 supported in NetWeaver AS ABAP?.

SAP background

More background can be found in OSS note 510007 – Additional considerations for setting up SSL on Application Server ABAP.