Blog for SAP technical guru's: SAP basis, SAP security and authorization, SAP ABAP, SAP Focused Run
ABAP code review
SAP offers on GitHub some extra Security Service Tools. These are custom Z ABAPs you can download and modify to your needs.
Link to GitHub:
Some highlights from the Security Service Tools page:
Follow the steps explained in this blog to set up a new custom check. We will use these steps to set up an extra SCI class to check if the AUTHORITY-CHECK statement is added in ABAP code or not.
Step 1: create the ZCL_CI_SCAN_AUTH class
In SE24 copy class CL_CI_TEST_FREE_SEARCH to ZCL_CI_SCAN_AUTH. In the attributes of the copied class set C_MY_NAME as variable to ‘ZCL_CI_SCAN_AUTH’. Also set the error code MCODE_0001 to ‘Z001’.
Step 2: redo the CONSTRUCTOR
Goto the constructor of the new class and overwrite the existing code with this code snippit:
super->constructor( ). description = 'Search authority check statement'(001). "required category = 'ZCL_OWN_CHECKS'. "required version = '000'. "required has_attributes = c_false. "optional attributes_ok = c_false. "optional DEFINE fill_message. CLEAR smsg. smsg-test = c_my_name. smsg-code = &1. "message code smsg-kind = &2. "message priority smsg-text = &3. "message text smsg-pcom = &4. "pseudocomment INSERT smsg INTO TABLE scimessages. END-OF-DEFINITION. fill_message 'Z001' 'E' 'Search authority check statement'(001) ' '.
Don’t forget to double click on the 001 to generate the text message.
Step 3: adapt the RUN code
Now the check itself has to be built in the RUN method:
DATA: l_include TYPE sobj_name, l_row TYPE token_row, l_column TYPE token_col, l_tokennr LIKE statement_wa-from, l_code TYPE sci_errc, l_search_string LIKE LINE OF search_strings VALUE 'AUTHORITY-CHECK', l_position TYPE i, l_found TYPE c VALUE ' '. * IF search_strings IS INITIAL. * RETURN. * ENDIF. IF ref_scan IS INITIAL. CHECK get( ) = 'X'. ENDIF. CHECK ref_scan->subrc = 0. *-- loop at all tokens LOOP AT ref_scan->statements INTO statement_wa. CHECK statement_wa-from <= statement_wa-to. l_position = sy-tabix. IF statement_wa-type = 'S' OR statement_wa-type = 'P'. CHECK comment_mode = 'X'. ENDIF. LOOP AT ref_scan->tokens INTO token_wa FROM statement_wa-from TO statement_wa-to. l_tokennr = sy-tabix. IF token_wa-type = 'S'. CHECK literal_mode = 'X'. ENDIF. *-- does ABAP-string contain search-string ? IF token_wa-str CP l_search_string. UNPACK sy-tabix TO l_code(4). l_include = get_include( ). l_row = get_line_abs( l_tokennr ). l_column = get_column_abs( l_tokennr ). l_found = 'X'. EXIT. ENDIF. "l_strpos > l_pos ENDLOOP. ENDLOOP. IF l_found NE 'X'. inform( p_sub_obj_type = c_type_include p_sub_obj_name = l_include p_position = l_position p_line = l_row p_column = l_column p_kind = 'E' p_test = c_my_name p_code = 'Z001' p_suppress = '"#EC CI_NOAUTH ' p_param_1 = token_wa-str ). ENDIF.
Basically the code looks for the statement ‘AUTHORITHY-CHECK’. If it found nothing happens. If it is found, it will generate a message.
Step 4: generating the message
In the method GET_MESSAGE_TEXT overwrite the code with this new code:
data: L_CODE type SCI_ERRC. if P_TEST <> MYNAME or p_code = c_code_not_remote_enabled. SUPER->GET_MESSAGE_TEXT( exporting P_TEST = P_TEST P_CODE = P_CODE importing P_TEXT = P_TEXT ). return. endif. L_CODE = P_CODE. shift L_CODE left deleting leading SPACE. P_TEXT = 'No authorithy-check statement found'(101). replace first occurrence of '&N' in P_TEXT with L_CODE.
Use steps from blog xxx to add the new check to the SCI variant ZTEST.
We have written a simple test program without AUTHORITHY-CHECK.
When running the SCI with our test variant, this is the result:
The SAP Early Watch Alert (EWA) report can contain valuable information on specific topics in your system that you must fix.
More information on the EWA workspace can be found in this blog.
General EWA tips and tricks can be found in this blog.
On the me.sap.com go to the specific page for EWA solution finder:
Action follow up is on the right hand side per alert:
You can choose:
The snoozing is a very useful function. For example, you detect a red alert on HANA revision, but it will take you a month to implement (due to regression testing, process, etc), you can now snooze the alert for the implementation period:
After the implementation is done, the alert should be gone. If the implementation is delayed, you will be reminded again.
This blog will explain specific items to keep in mind when monitoring certain applications.
Applications discussed and explained:
For each system we explain the monitoring of productive and non-productive system.
Adobe Document Server (ADS) is used to generate PDF’s for output and/or interactive PDF forms.
When monitoring a productive system, you will need to finetune the monitoring templates for:
Make sure you cover in the JAVA application template the following items:
Availability:
From the JAVA instance template make sure to cover the following items:
Fine tune the metrics so you are alerted on situation where the system is having issues.
ADS has a specific Technical instance template.
Make sure you activate it:
Most important here is the first one: ADS availability. Please make sure you are alerted when this one is not available.
BW systems are at the often used as reporting systems within an SAP landscape.
The basic monitoring of a BW system is the same as for any ABAP based system.
For a BW system some numbers are typically higher than on an ECC or S4HANA system. Response times of 1.5 seconds would indicate horrible performance on ECC, but are normal on a BW system.
BW uses process chains. To monitor process chains, read this dedicated blog.
The Cloud connector is used between on premise systems and Cloud solutions provided by SAP.
Monitoring of cloud connector focuses on availability and connectivity.
The cloud connector template contains all the needed elements out of the box:
If your landscape has only one cloud connector that is also used for non-productive systems, you might find a lot of issues in the non-productive system. Like expired certificates, channels not working, many logfile entries. If the cloud connector is very important for your business, it is best to split off the productive cloud connector from the non-productive usage. This way you can apply sharp rule settings for production: even single issue will lead to alert. While on non-production the developers will be making a lot of issues as part of their developer process.
In your landscape you might have a non-productive cloud connector that is used for testing purposes. In the non-productive cloud connectors you might apply a different template with less sensitive settings on certificates, logfiles and amount of tunnels that are failing.
3391143 – Cloud Connector system is not coming into SAP Focus Run LMDB
Content servers are often used to store attachment and data archiving files. They are technical systems with usually no direct access for end user. End users normally fetch and store data form content server via an ABAP or JAVA application.
The technical setup for monitoring content server in SAP Focused Run is described in detail in a PDF attached to OSS note 3151832 – SAP Content Server 6.40/6.50/7.53 Monitoring with SAP Focus Run. There is no need to repeat here.
The main part of content server monitoring is availability.
In some cases both your ABAP stack and content server are up and running, but communication between them is failing on application level. This leads to not working system for end users. Root causes can be firewall issues, certificate issues, or somebody altered settings.
To test the ABAP system connection to content server a custom ABAP program is needed. See this blog. You can schedule the program in batch and set up a new custom metric to capture the system log entry written by the program.
For system host the regular CPU, memory, disc template is sufficient. Finetune the thresholds to your comfort level.
Important items of the database template:
In most installations it is chosen to install Content Server with the SAP MaxDB database (similar to LiveCache).
ECC and S4HANA systems are at the core of each SAP landscape, and most vital to the business.
When monitoring a productive system, you will need to finetune the monitoring templates for:
Make sure you cover in the ABAP application template the following items:
Availability:
Performance and system health:
Security:
Fine tune the metrics so you are alerted on situation where the system is having issues.
Make sure you cover in the ABAP application server template the following items:
Availability:
Application server performance and health:
You can consider to setup extra custom metrics for the application servers:
For system host the regular CPU, memory, disc template is sufficient. Finetune the thresholds to your comfort level.
Important items of the database template:
Next to the availability and performance mentioned above, check also for monitoring certain functions:
EWM systems are at the often used as stand alone systems that make sure logistics and warehousing can keep running at high availability. If the connected ECC or S4HANA system is down, EWM can continue to support logistics operations.
EWM can be older version based on SCM/BI system core. Newer EWM systems are using S4HANA with EWM activated as standalone.
Extra in an EWM system are the use of qRFC and the CIF (Core interface). And many EWM systems have users that interact with the system via ITS GUI based handheld scanners.
EWM systems are at the often used as stand alone systems that make sure logistics and warehousing can keep running at high availability. If the connected ECC or S4HANA system is down, EWM can continue to support logistics operations.
EWM can be older version based on SCM/BI system core. Newer EWM systems are using S4HANA with EWM activated as standalone.
Extra in an EWM system are the use of qRFC and the CIF (Core interface). And many EWM systems have users that interact with the system via ITS GUI based handheld scanners.
The CIF is the core interface between SCM and ECC system. The interface typically uses RFC and qRFC. And it is working both ways.
Setup for the CIF specific RFC’s and qRFC’s the monitoring:
Many EWM systems are having interaction with scanners via the ITS server. Basically this is a small web page on a scanning device.
Make sure you monitor the availability of the URL’s that the scanners are using. More on URL monitoring can be found in this blog.
GTS systems are at the not frequent in use. When in use they do play a vital role in import and export business scenario’s when good are crossing borders.
Since a GTS system is normally installed, and often no to little maintenance and software changes are performed on the system. Also basis teams tend not to look at it too often, since it normally runs stable.
In case of non-availability of GTS, ECC scenario’s linked to GTS might fail and can causes severe business disruptions.
For this reason it is important to set up monitoring in FRUN for your GTS system and also configure mail alerts in case of issues. They will not happen too often, but when they happen you can act fast. This will also save the basis team spending a lot of time on checking GTS system for log (most cases, the checks are good).
When monitoring a productive system, you will need to finetune the monitoring templates for:
The next step is to set up interface monitoring for RFC from the ECC system towards the GTS system.
Netweaver Gateway systems are used to host Fiori applications.
For Netweaver gateway, also assign and fine tune the Gateway template:
The important custom check on URL availability is best to setup as well: read this blog for instructions.
Consider to setup interface monitoring for RFC‘s from End User to Gateway and Gateway to ECC backends.
SCM systems are at the often used logistics optimization systems. They are mainly used in combination with traditional ECC systems. They are less needed in combination with S4HANA systems (or you can use the embedded SCM of HANA).
The core of an SCM system is a BI system. Many data is using similar extractors and process chains as a BI system. Hence follow the tuning needed for a BI system.
Extra in an SCM system are the LiveCache and the CIF (Core interface).
The basic monitoring of an SCM system is the same as for any ABAP based system.
For an SCM system some numbers are typically higher than on an ECC or S4HANA system. Response times of 1.5 seconds would indicate horrible performance on ECC, but are normal on an SCM system.
LiveCache is normally running on a MaxDB database.
So it is important to activate, assign and finetune the metrics for the MaxDB database:
Focus on:
Next to the database, you also need to activate, assign and finetune the LiveCache specific application template:
This template contains the primary elements to monitor for the LiveCache functions like:
Fine tune the metrics so you are alerted on situation where the system is having issues.
The CIF is the core interface between SCM and ECC system. The interface typically uses RFC and qRFC. And it is working both ways.
Setup for the CIF specific RFC’s and qRFC’s the monitoring:
SCM uses process chains. To monitor process chains, read this dedicated blog.
SLT systems are mainly used to replicate data from source systems like ECC and S4HANA towards target systems like Enterprise HANA, HANA cloud and other data pool systems.
For SLT systems, apply the SLT DMIS template:
In the SLT system itself, make sure job /1LT/IUC_HEALTH_C with program R_DMC_HC_RUN_CHECKS runs. This will collect data that is needed for SLT itself, but which is also re-used by SAP Focused Run.
OSS notes to apply and check:
Anyhow you should make sure to regularly apply the notes for the DMIS component. See this blog.
For SLT to work, the DMIS component is installed in both the SLT system and the backend system. For the backend system SLT component, Focused Run will pick up the template as well. But this will not make any sense in monitoring, since it is the source system and not the SLT system.
For this reason, set up a dummy empty template with every monitoring item disabled:
Assign this dummy template to your backend system.
Set up the SLT integration monitoring to monitoring communication.
Standalone web dispatchers are used to load balance web traffic towards ABAP and/or JAVA systems. Common use case is to have web dispatcher for a large Netweaver Gateway FIORI installation.
Monitoring of web dispatchers focuses on availability, connectivity and performance.
The web dispatcher template contains most needed elements out of the box:
Issues with performance are often caused by limitations set in the web dispatcher configuration. Keep these settings active.
You might want to add specific custom metric to monitor the most important URL for your web dispatcher. Read more in this specific blog.
Next to this setup the normal host monitoring to make sure the file system and CPU of the web dispatcher are not filling up and causing availability issues for the web dispatcher function.
For monitoring non-productive web dispatcher systems, it is normally sufficient to restrict to host and availability monitoring.
3373764 – Issue with Content Server on Web dispatcher templates
3104059 – Troubleshooting ABAP Data supplier populating LMDB
<< This blog was originally posted on SAP Focused Run Guru by Frank Umans. Repost done with permission. >>
The ABAP workbench has a set of examples to show you how to make the best coding with regards to performance.
You can reach the examples in SE38 transaction by selecting menu Environment, Examples, Performance Examples. You then reach the performance examples demos screen.
On the left hand side you can choose a topic and double click on it. You then see 2 examples of implementation. By clicking on the Measure Runtime button:
Now the two examples are evaluated at runtime. At the bottom you can see the documentation and explanation on what is best to use.
The ABAP cleaner Eclipse plugin is a great tool to clean up your ABAP code according to the ABAP clean code principles.
Questions that will be answered in this blog are:
Follow the instructions on the ABAP cleaner site for installation. In short, just like you install the ADT tools, now put in the site “https://sap.github.io/abap-cleaner/updatesite“. Download the software and ignore the certificate warnings. Eclipse restart is required.
Basic use instructions can be found on the ABAP cleaner site. We will use this example code:
REPORT zcleanerdemo. * ABAP clean code demo Data: abap_true type boolean. data: do_not_do_anything type boolean. write:/ 'Hello world'. if abap_true <> 'X'. write: 'ok'. else. write: 'not ok'. endif.
Yes, this code is ugly.
In Eclipse right click on the code and select the option Source Code and then the option Clean up with Interactive ABAP cleaner…
It is best to start always with the interactive cleaner so you have insights and control on the changes done to your source code.
On the left hand side you see your old code. On the middle the code changes proposed. On the right hand side you see the clean up settings.
The profile is determining the rules used. Out of the box you get the default and essential profile. It is advised to play around and build your own set using the Configure button (see next chapter in this blog).
You can set the clean up range: from current statement, current method, current class to whatever code you opened in Eclipse (multiple windows). You might wonder, why only current statement or method? Remember one of the clean code principles is the boy scout rule; leave the code better than how you found it. So no need to refactor old stuff completely, do it chunk by chunk every time.
The restrict rules of syntax can be set to the latest ABAP release or to a specific release.
If you click on a rule, you can see the rules applied in bottom right part of the screen:
If you are happy with the changes press the Apply and close button.
On the screen above when you hit the Configure button you reach the configuration screen:
This screen is overwhelming when you start. Top right you can manage your profiles. Create new ones or copy from templates. Bottom right you can switch on and off which detailed rule is part of the profile. On the top right you can fine tune the exact details of each rule according to your needs and preferences.
The changes you make will be made instantly available on the example, so you can immediately assess the impact of your fine tuning.
Word of care: take care that ABAP cleaner and Pretty printer are not constantly juggling your code around.
The ABAP2XLS framework is a nice framework to speed up the development time and options to work with XLS from ABAP.
Follow the instructions on the ABAP2XLS github site to download and install. Also install the demo programs.
Run program ZABAP2XLSX_DEMO_SHOW to see the demo programs:
Double clicking on a program will show the coding on the right hand side and also start the demo program. In this case generating xls with multiple tabs with just a few lines of coding.
There are many options possible. Just look at the demo programs and re-use the coding.
In very weird cases you get performance issues on one system and not on the other. This can happen when running Oracle and using the FOR ALL ENTRIES statement for very large data sets, while it is fine on smaller sets.
The background is Oracle blocking factors. The full background can be read in these 2 SAP notes:
The solution is to give an Oracle hint (see note 129385 – Database hints in Open SQL) with a lower number of blocking factors.
%_HINTS ORACLE '&prefer_in_itab_opt 1&&max_in_blocking_factor 100&'
Performance issue solved…
If you migrate to HANA or different database, you need to remove or redo the hint again.
An ABAP developer can call a different transaction from a custom build program or transaction. This can be very helpful for certain user requirements and can save an end user time when the system is helping him with jumping from one transaction to the next logical transaction.
For authorization this can be a bit messy.
What for example will happen with this coding:
CALL TRANSACTION 'SU01'.
Will the SU01 transaction now be called successfully or not?
Suppose the user does not have rights to call SU01. The coding is still trying to go to this transaction.
Depending on the value of system parameter auth/check/calltransaction a couple of things can happen:
Table TCDCOUPLES links the calling transaction to the jumped to transaction and determines if the transaction authorization for the new transaction is required or not.
But what in case there is no entry or the entry in TCDCOUPLES is vague? Then it again determines on the value of parameter auth/check/calltransaction to be strict or not strict.
Entries in table TCDCOUPLES are maintained via transaction SE97:
Standard SAP example output:
Formal OSS note of SE97: 358122 – Description of functions of transaction SE97.
Updating TCDCOUPLES is a lot of work and no longer SAP best practice. See this SAP blog.
The correct way of coding is more simple: always indicate that the authority check is mandatory:
CALL TRANSACTION 'SU01' WITH AUTHORITY-CHECK.
In this way the coding forces the check independent of the system parameter and entries in TCDCOUPLES.
The fastest way of finding incorrectly coded call transactions is by running the SAP CVA (code vulnerability analysis) tool. This tool scans for CALL TRANSACTIONS with missing authority checks. It also scans for other variations like dynamic use of CALL TRANSCATION.
Alternatively you can use CODE_SCANNER (see blog on usage) with this special input:
Basically you tell the program to look for any program with CALL TRANSACTION and not having WITH AUTHORITY-CHECK in it. Do realize it can potentially miss programs in case there are 2 calls (1 correct and 1 incorrect). The CVA tool will not miss this case.
You might wonder: what is the situation for the LEAVE TO TRANSACTION statement? That is more simple. LEAVE TO TRANSACTION will always check the user rights for object S_TCODE for the transaction.
Report SNIF can be used to find active customer enhancements like BADI, user exit, BTE event.
To start the report go to transaction SA38, enter report SNIF and execute:
Select the items you want to search for that are implemented and press execute. Wait until the result shows:
Here you can see which exits are active. Double click on a line will jump to the code.
