saptechnicalguru – Page 28 – Saptechnicalguru.com

Delete ABAP developer keys

This blog will answer the following questions:

How to delete old ABAP developer keys from my system?

ABAP developer keys clean up

If ABAP developers leave their key is still in your system and could potentially misused. Also when SAP comes to measure licenses they might peek in table DEVACCESS to see which developer keys are present.

Unfortunately SAP does not deliver a standard program delete an unused ABAP key. See OSS note 1710320 – How to delete SSCR Object and/or Developer Keys – SAP ONE Support Launchpad.

So you simply have to write your own customer program with a code that looks like:

DELETE FROM DEVACCESS WHERE UNAME EQ '<USERNAME>'.

Maintenance view on DEVACCESS

Alternative solution is to create a maintenance view on table DEVACCESS. This will require a once off modification key. Then you can delete and insert developers keys via the normal SM30 table maintenance transaction.

Developer key hack

The developer keys are not safe, so don’t rely on them. See this blog.

S4HANA

S4HANA does not have the developer key principle at all any more. You can delete all keys in S4HANA. Read more in this blog.

Analyzing code before upgrade or support package: CDMC toolset

This blog will explain on the use of the CDMC toolset you can run analyzing your custom code, before starting upgrade or support package.

CDMC toolset

Start transaction CNV_CDMC to goto the CDMC overview.

Goto ad hoc analysis:

Start SAP modification run

Wait for run to finish. If done, click the Display Results.

View results:

Setback of the modification overview: also OSS notes are marked as modifications.

Other useful runs: Syntax check and Inactive customer objects.

If you run these checks before an upgrade you can save quite some annoying issues during the upgrade itself.

OSS notes

Relevant OSS notes:

1316694 – FAQ: CDMC – Custom Development Management Cockpit

2772644 – ST-PI/CDMC: Clearing analysis alv error

DB01 Oracle Lock monitor

This blog will answer the following questions:

How does a deadlock look like in DB01 Oracle lock monitor?
How can I solve the issue?

Deadlocks

A database deadlock can occur when 2 or more processes are trying to update each other and are also waiting for each other. This process will lead to infinite waiting.

DB01 Oracle lock monitor

With the use of transaction DB01 you can get overview of Oracle locks. A deadlock is observed when the status is on HOLD and more processes are in status WAIT.

Solving the deadlock can be done by the Oracle DBA on database level.

Background: 745639 – FAQ: Oracle enqueues.

Shared objects memory

ABAP programs (standard SAP and custom) use the shared memory objects technology.

Questions that will be answered in this blog are:

How to set the shared objects memory size?
How to monitor usage of shared objects memory?

Monitoring shared objects

Shared objects can be monitored with transaction SHMM:

In the start screen you can see the objects now loaded and how much memory they consume. In the start screen you can also delete and invalidate the shared memory objects.

The deletion can lead to short dumps. Only use this in emergency cases and when you are really sure

In the second tab you can see the total memory overview:

Setting shared memory objects memory size

In RZ11 with system parameter abap/shared_objects_size_MB you can set the shared object size in MB. A restart of the system is required to activate any change.

Older documentation says 500 or 1000 MB is sufficient. In newer systems a value of 3000 to 5000 in not uncommon.

Useful OSS notes

Note on memory consumption: 1322182 – Memory consumption of ABAP Shared Objects.

Dump with shortage of shared objects memory: 972757 – Occurence of the SYSTEM_NO_SHM_MEMORY runtime error.

Guided answer note: 2474021 – [Best Practice] How to solve SYSTEM_NO_SHM_MEMORY runtime error – Guided Answer

Direct table hacking

Changing directly data on an SAP table is the IT admin and IT auditors worst nightmare. This blog will show you the ways it can be done.

Questions that will be answered in this blog are:

How can I directly edit tables?
How can I prevent direct table editing?
How can I detect direct table editing?

Overview of methods

Function module SE16N_INTERFACE
Debug & replace
SE16N_EMERGENCY mode
Re-enable &sap_edit for SE16N

Direct table editing method 1: function module SE16N_INTERFACE

This method is available in the SAP S4HANA system. Start with transaction SE37 and key in function module SE16N_INTERFACE. Now press the test button. In this demo we will change dates for sales order table VBAK. In the SE37 test screen enter table VBAK and very important put X in the I_EDIT and I_SAPEDIT fields.

Now hit execute and voila: you are in direct edit mode:

Now we change a few values (date to the year 2027…) and press save:

Data is changed.

Detection of this method: audit logging. In audit logging you can see the user started SE37 and then used report RS_TEST_FRAME_CALL, but you cannot see which module was done, neither is the data change logged.

Prevention of this method:

Debug/replace is needed to change the data: don’t hand out debug/replace.
Deny access to this function module.

Direct table editing method 2: debug/replace

Start transaction SE16 and show the data of the table to edit. Example in this case VBAK data:

Now select a line and put /h for debugging in the command line input. Press enter and the debug screen will open. Double click on the SY-UCOMM field:

In the variables screen now change the value ENTR (for the enter command you gave) to value AEN2 (command to change). Make sure the value is accepted. Now hit F8 to continue. And voila: edit mode:

Change the values (dates in this example) and press save:

How to detect this method: in the SAP audit log (activation of audit log is explained in this blog) show the change in debug/replace mode:

Prevention of this method: don’t hand out debug/replace rights.

And configure the audit log for detection: 3226223 – How to monitor debug activities in SAP Netweaver.

Direct table editing method 3: SE16N emergency mode

In newer SAP netweaver releases there is a new SE16N emergency mode which can be started with transaction SE16N_EMERGENCY. Read all the details in this special blog on this topic.

Direct table editing method 4: re-enable &sap_edit again in SE16N and use it

Apply OSS note 1468636 – CO-OM tools: SE16N: Use of &SAP_EDIT. This seems old, but it is still valid for all S4HANA releases as well. After the note is installed run program RKSE16N_EDIT and activate the function:

Now start SE16N and select your inputs. Before hitting the execute button, enter the command &sap_edit:

Only now press execute. The result is fully editable table.

Audit log detection

Apply/configure OSS note 3140539 – SAL | New event definition for change access in SE16N for detection of table changes in the audit log.

Also check these notes:

STAUTHTRACE: improved authorization trace

If you are still using the old classic ST01 authorization trace, do keep on reading and you will want to switch to the new STAUTHTRACE improved authorization trace.

Questions that will be answered in this blog are:

How to run the new STAUTHTRACE tool?
What are the major improvements in STAUTHTRACE tool?

Running new STAUTHTRACE tool

To run the new tool start transaction STAUTHTRACE. If the transaction code is too complex, add it as favorite to your start screen.

From the start screen you see the immediate benefits. You can start the authorization trace for:

All application servers in one go (this is highly useful in an authorization issue with RFC users or background users where you have no control on which application server it will run): just record on all servers
Specific user only, but errors only: this will reduce your logging footprint to errors only
Filter the results to not show duplicate entries

Results

The result screen from STAUTHTRACE is similar to ST01 trace

But the result is more comprehensive, since it can take errors only, with duplicates filtered and take data from all application servers. This make the result complete and more easy to catch authorization issues.

Background

The background and all feature of STAUTHTRACE are kept in SAP OSS note 2577291 – How to get trace of authorization checks using transaction STAUTHTRACE.

Extra functions:

3256212 – STUSERTRACE: Additional selection criteria for evaluation

Bug fix notes:

Generating substitution and validation rules

In the FICO module the consultant can define substitution and validation rules. These rules must be generated before they are active.

Questions that will be answered in this blog are:

How can I generate substitution and validation rules?
Where can I find more background on substitution and validation rules?

Substitution and validation rules generation

Go to SE38 and start program RGUGBR00:

Simple select the correct application are indicated by the FICO consultant (this area can be FI, CO, etc). Select Generate validations and Generate Substitutions. Now execute.

Transport and system copies

You will need to run program RGUGBR00 locally on the system after the transport import is done.

Also after a system copy program RGUGBR00 must be run again.

See OSS note 1793212 – Transport validation or/and substitution.

Background on substitutions and validations

The full functional background on substitution and validation can be found this SAP wiki.

Licenses for SAP solution manager

SAP solution manager licenses have been renewed last few years by SAP.

Questions that will be answered in this blog are:

Do I need a user license for solution manager users?
If I run solution manager on HANA, do I need to pay HANA database licenses?
How can I get Focused Build and Focused Insights?
What about Focused Run licenses?

User licenses for SAP solution manager

Since 1.1.2018 the requirement of having named users was dropped by SAP.

HANA database licenses

If you want to run HANA database below SAP solution manager as database, you need to procure the infrastructure. The HANA database rights are included in SAP solution manager. This is the only exception SAP has. For all other use case you need to pay for HANA as database as well.

Using SAP solution manager for non-SAP components

You can use SAP solution manager to manage non-SAP components as well. Especially the ITSM service desk component can be used for this. When you use this function for non-SAP components, you will need SAP enterprise support rights for SAP solution manager in stead of the SAP standard support.

Focused Insights and Focused Build

SAP offers Focused Insights and Focused Build as extra options on top of SAP solution manager. Both are installed as add-on. Focused Insights brings extra dashboard building capabilities. With Focused Build you can get an extra grip on your solution build process.

As of 01.01.2020 both solutions are part of standard maintenance contract. See also OSS note 2361567 – ST-OST Usage Rights and Support.

If you want to try out these solutions, you can use the available free SAP demo system. Read more about this in the following blog.

SAP Focused run now also covers the functionality of Focused Insights, but in a far superior and more performing way. Read more in this blog.

Focused Run

Focused Run is separate solution with separate license to optimize the running of large SAP landscapes. Focused run does NOT run on SAP solution manager. It runs on a separate environment and only runs on SAP HANA. You cannot combine a Focused Run and SAP solution manager on one single installation. More information on Focused Run can be found on the SAP site. And on the specialised SAP Focused Run Guru site.

For licenses of Focused Run, read this dedicated blog.

Despite the fact that Focused Run is a paid solution, it offers by far the most sophisticated and added value product.

More background information

More information can be found on the SAP solution manager usage rights website.

Transaction SPOOL

Transaction SPOOL can be used as a central starting place for all printing and spool related settings, tools, error analysis.

Simply start transaction SPOOL:

Now switch from Standard Mode to Expert Mode to enable all tool.

Double clicking on the line will start the tool. On the right hand side are the transaction codes and the OSS note numbers for specific additional explanation.

Background OSS note: 2359477 – Transaction SPOOL.

Bug fix note: 2763159 – Transaction SPOOL: Short dump for missing authorization.

SAP support backbone update

The SAP support backbone update is live per 1.1.2020. Blocking started as of 8.1.2020. If you did not prepare your systems for it, you might loose support functions.

Per 31.07.2020 the sending of EWA’s via RFC towards SAP will no longer work. See OSS note 2923799 – Final Shutdown of RFC Connections From Customer Systems to SAP. At the same date OSS notes downloads via RFC will be fully blocked. Also the RTCCTOOL will stop to work (see oss note 2934203 – ST-A/PI 01T* SP01 – 01U SP00: SAP backbone connectivity for RTCCTOOL on basis 700-731 after RFC shutdown).

You can get or will already get messages like:

SAP note 2847665 – OSS RFC Connection fails will refer you to the SAP Backbone connection update site.

Also on the main SAP support site there is this warning message:

Which refers to first-aid kit OSS note: 2874259 – First Aid Kit for Problems Related to SAP’s Support Backbone Switch-Over Starting on 8 January 2020 .

Questions that will be answered in this blog are:

Where can I find more background information on the SAP support backbone update?
Why can I find first aid support?
Do I need to upgrade SAP solution manager?
How to switch to digitally signed OSS notes?
Do I need to change my OSS RFC’s?
What else do I need to do?
How to check the correct setup in the SAP EWA report?
Where can I find a checklist to see if I am completely done?

Background information on SAP support backbone update

The landing page for SAP support backbone update can be found by following this link.

The webinar recording explaining all the highlights can be found by following this link.

The official OSS note is 2737826 – SAP Support Backbone Update / upcoming changes in SAP Service and Support Backbone interfaces (latest) in January 2020.

2 important OSS notes for quick start of actions:

And the new first aid kit OSS note:

2874259 – First Aid Kit for Problems Related to SAP’s Support Backbone Switch-Over Starting on 8 January 2020

Quick overview of all your systems in SAP service marketplace

SAP now provides the overview of your systems which are not ok in a special online overview. Follow this link. Your result can look like this:

What will change per 1.1.2020?

Basically the connection from SAP solution manager and the on premise SAP systems connection to the SAP backbone will change. This will impact many areas like OSS notes, EWA’s, landscape planning etc.

What do you need to do if you don’t want to loose any functionality?

Solution manager

If you don’t want to loose any functionality in SAP solution manager you will need to upgrade to Solution manager 7.2 to support package 7 or 8. If you are on 8 you have to do less manual work than on 7. On solution manager support packs 5 and 6 some functions will work, but with manual work and limitations. On solution manager 7.1 and solution manager 7.2 up to support pack 3, the connection to SAP support backbone will be lost on 1.1.2020. You can already upgrade to SP8 now and prepare solution manager.

For the automatic configuration of the connectivity follow the instructions in OSS note 2738426 – Automated Configuration of new Support Backbone Communication.

OSS notes

For OSS notes there are 2 changes: the RFC to SAP and digitally signed OSS notes.

For the RFC connection read and follow the instructions from OSS note 2740667 – RFC connection SAPOSS to SAP Service & Support backbone will change (latest) in January 2020.

OSS notes via SNOTE must be switched to digitally signed OSS notes. How to do this: see blog.

Next to this, you will need to change the OSS note RFC destination. The generic user will no longer work. You will need to change it to named technical user, or change to the connection from RFC to https connectivity.

If you setup digitally signed OSS notes there is an option for fallback to insecure.

Attention: this fallback will no longer work after 1.1.2020.

ANST

ANST is a great function to help you find OSS notes relevant for your issue. For more explanation on ANST look at this blog. The ANST reaches out to the SAP support backbone to check for recent notes. To keep the function working you need to setup a new webservice in SOAMANAGER (if the SOAP runtime is not active follow instructions in this blog). To setup the specific webservice follow the instructions in oss note 2730525 – Consuming the Note Search Webservice. Then apply OSS note 2732094 – ANST- Implementing SOAP Based ANST Note Search and 2818143 – SEARCH_NOTES- Implementing SOAP Based Note Search.

While switching to new SAP support backbone you might get a connection error. Follow the instructions from OSS note 2781045 – ANST / ST22 note search “Connection cannot be established” to solve it.

Other calls

See OSS note 2722027 – Certain OSS RFC APIs calls replaced with corresponding web service calls.

Online checklists

SAP has now published online checklists, based on your solution manager version. You can find the checklists on this link.

Support backbone configuration check in EWA report

If you install ST-A/PI 01T sp02 or higher in your system (see OSS note 2827332 – Service Data not Complete due to ST-A/PI not Up-to-date), the EWA report of that system will give information about the correct connection to SAP support backbone and correct use of technical user for the communication.

Example:

In the process OSS note 2802999 - SDCCN activation fails without errors or red icons in Migrate tab might need to be applied as well to solve an SDCCN error.

All background information can be found in OSS note 2823658 – EWA Checks for SAP Backbone Connectivity.

SDCCN error notes

SAP is having some issues with the SDCCN coding for the backbone connectivity. If you experience issues there, check out the following OSS notes: