RAL: read access logging

The SAP audit log records transactions, program executions and much more, but it cannot answer more sensitive questions. For example, how can you prove that an employee did or did not see a bank account number or a basic salary? This is where read access logging (RAL) helps. It records that a user had display access to a sensitive field, including the value shown to the user. It can be used to prove that a user did see the data, or, when there is no log entry (and the logging is set up correctly), to help the employee prove that he or she did not see any sensitive data.

This blog explains the technical setup. Check carefully the privacy, legal, HR and other implications before switching this functionality on.

Questions that will be answered in this blog:

  • How to set up RAL from the basis technology side?
  • How to create a RAL recording?
  • How to activate RAL?
  • How to use RAL monitoring?

RAL technical setup

Activate the following services in transaction SICF:

  • SRALCONFIG
  • SRALMANAGER
  • SRALMONITOR
  • SRALUTIL

If read access via RFC must be logged as well, set the profile parameter sec/ral_enabled_for_rfc to 1 in RZ11.

Now start transaction SRALMANAGER:

Choose the option Enabling in Client:

Press change, enable, and Save.

You can run program SRAL_CHECK_PREREQUISITES to check that all activations are done correctly (OSS note 2158630 – RAL: Program to check prerequisites).

Create a RAL recording

A recording is needed to indicate which fields must be added to the read access log. In transaction SRALMANAGER, choose Recordings and create a new one:

We use the example ZTESTBP for business partner.

In the line for the recording there are 3 buttons:

  • the first displays the recording,
  • the second starts the recording,
  • the third adds the recording user.

Start the recording:

Now important: keep the web session open.

Go to SAP GUI and execute your transaction. To add a field to the RAL logging, select the field, hold CTRL, right-click and choose the option "RAL: record field", or use the CTRL+L shortcut.

If you do not add fields the recording is empty!

When completed go back to the RAL admin web screen and press the icon to Stop the recording.

Now you can display the recorded fields:

Create a RAL configuration

We can now use the recording to create a configuration. In the transaction SRALMANAGER choose configurations and create a new one:

In the new (fairly complex) screen, create a new log group. Then drag and drop from the field list at the bottom left onto the target fields:

First check the consistency and, when it is OK, activate the configuration:

Using the RAL logging database

In the administration screen use the second tab for monitoring, or use transaction SRALMONITOR to jump directly to the monitoring database. Important: select the Raw Database first, then enter your selection criteria:

In the search results you can select the details. In the Field Value at the bottom, you can see the actual value that the user saw on their screen. Because the log stores these values, the RAL log itself is sensitive data: restrict the authorizations for the monitor to the few people who need them.

SAP background and references

RAL help file: Read Access Logging | SAP Help Portal.

Background on recording function: Read access logging(Recording functionality) – SAP Community.

Background on dynpro: Read Access Logging – Dynpro Configuration Step-by… – SAP Community.

Background OSS notes:

Bug fixes:

SAP GUI 64 bit

SAP GUI comes in a 32-bit and a 64-bit version. The advantage of the 64-bit version is performance. The drawback is its dependency on, and compatibility with, 64-bit Microsoft Office products.

A user cannot have both versions installed on a single machine: it is either the 32-bit or the 64-bit version.

Download location: 3398259 – Where to download 64-bit patches for SAP GUI for Windows 800. – SAP for Me.

Keep track of the SAP GUI build in this blog. With the upcoming SAP GUI 8.10 the information below (which is valid for 8.0) might be different.

Differences between 32bit and 64bit

The main differences are described in OSS note 3218166 – SAP GUI for Windows: Functional differences of the 64bit version compared to the 32bit version.

The better performance of the controls and download functions is described in OSS note 2724656 – SAP GUI NWRFC Controls: 64bit support for Logon, Table, Function and BAPI controls – SAP for Me.

Compatibility issues

The Office compatibility issues are described in the following OSS notes:

Basic rule: when the 64-bit SAP GUI has to work with Office products, make sure the Office products are also installed in their 64-bit version. The bitness of SAP GUI and Office must match.

Enable SNC settings for SAP Cloud Connector

Secure Network Communication (SNC) is a key requirement in enterprise landscapes where SAP BTP interacts with ABAP systems via SAP Cloud Connector (SCC). Enabling SNC gives encrypted RFC communication, mutual authentication and integrity protection of sensitive data on the RFC hop between the Cloud Connector and the ABAP system (the hop between BTP and the Cloud Connector is protected separately by TLS).

This blog provides a generic, implementation-ready guide for enabling SNC between SAP Cloud Connector and SAP ABAP systems. It combines the official SAP documentation with the hands-on technical steps commonly followed in real projects.

Background OSS note: 3536285 – SAP Cloud Connector – How to set up general SNC settings for SAP Cloud Connector.

Why Enable SNC?

SNC provides:

  • ✅ Encryption of RFC traffic
  • ✅ Strong authentication between Cloud Connector and ABAP systems
  • ✅ Integrity protection
  • ✅ Compliance with corporate security policies
  • ✅ Reduced risk of man‑in‑the‑middle attacks

SNC is increasingly mandatory in SAP landscapes, especially when integrating BTP services with ERP systems.

High-Level Steps

Below is the complete workflow followed during SNC enablement.

1. Create SEC Directory and Deploy Required SAP Cryptographic Files

On the SAP Cloud Connector host:

  1. Create a secure SECUDIR directory (e.g. /usr/sap/sec/) that only the OS user running the Cloud Connector can read.
  2. Download and extract the SAP Cryptographic Library (CommonCryptoLib) from the SAP download center (search for sapcryptolib).
  3. Make sure the Cloud Connector process is running.
  4. Place the required CommonCryptoLib files inside the directory (/usr/sap/sec/):
    • libsapcrypto.so (Linux)
    • the sapgenpse tool

This directory holds the Personal Security Environment (PSE) used by SNC.

2. Configure Environment Variables

Set the following environment variables:
SECUDIR=<path to the sec directory>
SNC_LIB=<path to libsapcrypto.so>
SNC_NAME=p:CN=<distinguished name of the Cloud Connector certificate>

Restart the Cloud Connector service after updating.

3. Generate SNC PSE in Cloud Connector

Using sapgenpse, generate a PSE together with a certificate signing request and have the request signed by your internal certificate authority.

Importing the signed certificate (with the CA chain) into the PSE replaces the self-signed certificate, so the ABAP systems that trust your CA will accept the Cloud Connector's SNC identity.

For the detailed sapgenpse instructions, read the blog on certificate automation for Linux-based components: https://www.saptechnicalguru.com/automating-sap-certificate-management-using-sls/.

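The three steps above (SECUDIR, environment, PSE creation) as one script. This is an added example and not part of the original post or of SAP's Cloud Connector delivery: the directory, the OS user sccadmin, the PSE file name SAPSNCS.pse and the SNC name are assumptions, and the sapgenpse calls follow the documented get_pse / seclogin usage. The checks in it are the ones a reviewer would want before the first SNC handshake: the directory holding the private key is mode 700, the library and tool are really there, and the SNC name has the p:CN=... shape the library expects.

```shell
#!/bin/sh
# Added example (not from the original post): prepare and validate the SECUDIR that the
# SAP Cloud Connector uses for SNC (steps 1 to 3 above). Defaults below are assumptions.
set -u

SECUDIR=${SECUDIR:-/usr/sap/sec}                         # assumed SECUDIR from step 1
SNC_LIB=${SNC_LIB:-$SECUDIR/libsapcrypto.so}             # CommonCryptoLib shared object
SNC_NAME=${SNC_NAME:-"p:CN=scc.example.com, O=Example"}  # hypothetical SNC name
SCC_USER=${SCC_USER:-sccadmin}                           # assumed OS user of the Cloud Connector
SNC_PSE=${SNC_PSE:-$SECUDIR/SAPSNCS.pse}                 # assumed PSE file name

# An SNC name for CommonCryptoLib is "p:" followed by the distinguished name of the
# certificate subject; anything else is rejected by the library.
valid_snc_name() {
  case "$1" in
    p:CN=*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Create SECUDIR so that only its owner can list or read it: the PSE holds the private key
# and, once seclogin has run, the cred_v2 file lets anyone who can read it open the PSE.
prepare_secudir() {
  mkdir -p "$1" && chmod 700 "$1"
}

# Returns 0 only when the directory is mode 700 (drwx------ in ls output).
secudir_mode_ok() {
  perm=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
  [ "$perm" = "drwx------" ]
}

# Run the prerequisite checks; returns the number of failed checks (0 = all good).
check_snc_env() {
  failures=0
  secudir_mode_ok "$SECUDIR"  || { echo "SECUDIR $SECUDIR is not mode 700" >&2; failures=$((failures + 1)); }
  [ -r "$SNC_LIB" ]           || { echo "SNC_LIB $SNC_LIB not found" >&2; failures=$((failures + 1)); }
  [ -x "$SECUDIR/sapgenpse" ] || { echo "sapgenpse missing in $SECUDIR" >&2; failures=$((failures + 1)); }
  valid_snc_name "$SNC_NAME"  || { echo "SNC_NAME '$SNC_NAME' must have the form p:CN=..." >&2; failures=$((failures + 1)); }
  return $failures
}

# Step 3: create the PSE plus a CSR for your internal CA, then store credentials (cred_v2)
# so the Cloud Connector user can open the PSE without typing the PIN. sapgenpse prompts
# for the PIN interactively. Only called from main, never during the checks.
create_snc_pse() {
  export SECUDIR SNC_LIB
  dn=${SNC_NAME#p:}   # strip the p: prefix; sapgenpse wants the bare DN
  "$SECUDIR/sapgenpse" get_pse -p "$SNC_PSE" -r "$SECUDIR/snc.csr" "$dn" &&
    "$SECUDIR/sapgenpse" seclogin -p "$SNC_PSE" -O "$SCC_USER"
}

main() {
  prepare_secudir "$SECUDIR" || exit 1
  check_snc_env || exit 1
  create_snc_pse
}

# Runs only when invoked as a script (sh snc_prepare.sh); sourcing it just defines the functions.
case "$0" in */snc_prepare.sh) main ;; esac
```

Run it as root once (seclogin -O needs to write the credential for another user), then hand the signed certificate back in with sapgenpse import_own_cert as described in the linked blog. If check_snc_env reports a failure, fix that before restarting the Cloud Connector; a world-readable SECUDIR is the most common finding in reviews of these hosts.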
4. Validate SNC Configuration in Cloud Connector

In the SCC Admin UI:

Configuration → On-Premise → SSL/SNC

Verify:

  • SNC is enabled
  • SNC name (p:CN=…) is visible
  • PSE is correctly detected

5. Enable SNC in BTP Subaccount (On‑Prem → Cloud Direction)

In SAP BTP Cockpit:

Connectivity → Cloud Connectors → ABAP Systems

For each RFC connection:

  • Enable “Use SNC”
  • Maintain SNC partner name of the ABAP system
  • Upload the ABAP system’s SNC certificate if required

6. Configure SNC in the ABAP System (Transaction SNC0)

In the on-premise ABAP system:

  • Maintain the SNC name of the Cloud Connector in the access control list (SNC0)
  • Import the Cloud Connector certificate (or its CA) into the SNC PSE in the Trust Manager (STRUST)
  • Ensure profile parameters such as snc/enable and snc/identity/as are set

snc/enable and snc/identity/as are static parameters, so the application server must be restarted after changing them. Before that restart, check the snc/accept_insecure_* parameters (for example snc/accept_insecure_rfc and snc/accept_insecure_gui): with snc/enable = 1 and those left at 0, every connection that does not use SNC is rejected.


7. Enable SNC in RFC Destinations (SM59)

For each RFC destination:

  • Activate SNC
  • Maintain the partner SNC name
  • Set the Quality of Protection (e.g. 3 = privacy protection, i.e. integrity plus encryption)

Test the RFC connection to verify SNC handshake.


8. Enable SNC in BTP (Cloud → On‑Prem Direction)

For outbound connections from BTP:

  • Enable SNC
  • Configure the SNC partner name (ABAP system)
  • Set QOP (quality of protection)

Test communication via integration flows or services.


9. Functional Validation by Application Teams

Functional teams should validate:

  • All RFC-based interfaces
  • Connectivity from BTP services (e.g., IBP, CPI)
  • Replications and data transfers

All connections should show SNC encryption enabled.

Data archiving: Idocs

This blog explains how to archive IDocs via archiving object IDOC. The generic technical setup must already have been executed; it is explained in this blog.

Object IDOC

Go to transaction SARA and select object IDOC.

Dependency schedule:

Main tables that are archived:

  • EDIDC (idoc control record)
  • EDIDS (idoc status record)
  • EDID4 (idoc content)

Technical programs and OSS notes

Write program: RSEXARCA

Delete program: RSEXARCD

Read program: RSEXARCR

Reload program: RSEXARCL

Relevant OSS notes:

Application specific customizing

In transaction WE47 the IDoc status must be set to archivable:

Executing the write run and delete run

In transaction SARA, object IDOC, select the write run:

Select your data, save the variant and start the archiving write run.

Give the archive session a good name that describes the IDoc type and the year. This is needed for data retrieval later on.

After the write run is done, check the logs. IDoc archiving runs at average speed with a high archiving percentage (up to 100%). IDocs that are not archived are mostly skipped because their status is not set to archivable (transaction WE47).

The deletion run is standard: select the archive file and start the deletion run.

Data retrieval

Data retrieval via program RSEXARCR is extremely poor. Set up archive infostructure SAP_IDOC_001 and use transaction SARI (with object IDOC and infostructure SAP_IDOC_001) to search and retrieve the IDocs:

Or use transaction WE09 and include the Archive selection:

Support maintenance overview on me.sap.com

On me.sap.com there is a support maintenance overview page, reachable via this direct URL: Reporting – SAP for Me. A full explanation of all functions can be found in this blog. Below is the quick manual.

Support maintenance overview

When you start the page you get the total overview:

By clicking on a segment, you can zoom in:

By clicking on the system number you can go to the system administration details:

This can be used to correct wrong or outdated information, or to delete systems that have been decommissioned but are still present in the SAP administration.

Navigation options

You can navigate from the System to the products and addons. Do this by selecting the system in the left part:

Another option is to start with the leading product or addon to see on the left side, which systems have this component installed:

MaxDB tips & tricks

MaxDB has 3 main use cases for SAP:

  • Standalone database (rarely used nowadays)
  • As database for SCM livecache
  • As database for content server

The current version 7.9 is the last MaxDB version; it is supported until 31.12.2027. Prepare a replacement if you are still using MaxDB.

Generic MaxDB OSS notes

End of support:

Generic database features of MaxDB:

MaxDB for content server

MaxDB for livecache

S4HANA supports livecache as embedded option. Read more in this blog.

MaxDB management transaction DB59

You can use a central system such as SAP Solution Manager, SAP Focused Run or an SAP GRC system to set up central MaxDB management. For each MaxDB server, set up a secondary database connection (DB02).

Then you can use transaction DB59 to get the central overview:

From here you can jump to DBA Cockpit, or run the connection test:

SAP readiness check for SCM

If you are running the SCM – APO solution, you need to consider what to do with the functions running there. Extended support for SCM – APO ends on 31.12.2030.

To check the current usage and potential solutions, you can run the SAP readiness check for SAP Supply Chain Solution.

Running the check

Install the check program by applying OSS note 3477050 – SAP Readiness Check for SAP Supply Chain Solutions.

Then start program RC_SCM_COLLECT_ANALYSIS_DATA and execute it:

Schedule the analysis as a batch job. When the batch jobs have completed, use the Download Analysis Data button to download the results to your laptop.

Upload the results in the SAP readiness site: https://me.sap.com/readinesscheck .

Results for the SCM readiness check

After uploading the analysis will take a few minutes. When completed, you can see the results:

SAP Certificate Automation for Linux-Based Components

This blog is a continuation of the generic setup explained in the blog on this page.

Many SAP components running on Linux (Host Agent, Web Dispatcher, Message Server and HANA) store their certificates in local PSE files instead of STRUST.
To automate certificate enrollment and renewal, these components use two tools:

  • sapgenpse → creates PSE files and generates CSRs
  • sapslscli → enrolls and renews certificates through SAP Secure Login Server (SLS)

This page describes the generic and simplified approach for automating certificate enrollment and renewal for:

  • SAP Host Agent
  • SAP Web Dispatcher
  • SAP Message Server / ICM (Linux)
  • SAP HANA PSE

All of them use the same command‑line workflow.

Process:

1. Create the Registration PSE (ra.pse)

This PSE is used by the system to authenticate with Secure Login Server (SLS).

sapgenpse gen_pse -p <PSE_PATH>/ra.pse "CN=<SystemID>"

Note: for automated renewals it is recommended to create the PSEs without a PIN, so the process runs without manual input. The private key is then protected by file permissions only, so restrict <PSE_PATH> to the OS user of the component (mode 700).

2. Add the Root CA Certificate

sapgenpse maintain_pk -p <PSE_PATH>/ra.pse -a <Root_CA_File>.cer

This allows the RA PSE to trust your PKI.

3. Generate the TLS Server PSE & CSR

sapgenpse get_pse -p <PSE_PATH>/SAPSSLS.pse -r csr.txt "CN=<Server-FQDN>"

This creates the server PSE and the HTTPS certificate signing request (CSR). It is used for Host Agent, Web Dispatcher, Message Server, HANA, etc.

4. Maintain DNS / SAN in SLS (Fresh Enrollment Only)

Before performing the first enrollment:

  • Open SLS administration
  • Go to the TLS profile (example: Initial_TLS_Cert_SAN)
  • Add correct DNS / SAN values
  • Save

This ensures the certificate is issued correctly.

5. Perform the Initial Enrollment

<sapslscli_path>/sapslscli enroll -r <PSE_PATH>/ra.pse -i -e '<SLS_enrollment_metadata_URL>'

This will:

  • Send CSR → SLS → PKI
  • Retrieve certificate
  • Update SAPSSLS.pse

Enrollment is one-time only.

6. Renew the Certificate (Automated)

<sapslscli_path>/sapslscli renew -r <PSE_PATH>/ra.pse -p <PSE_PATH>/SAPSSLS.pse -g 365 -e '<SLS_Renewal_Profile_URL>'

-g 365 renews the certificate when it expires within 365 days; adjust the value to your policy (30 is a common choice).
Each SLS certificate profile has its own metadata URL.
The renewal replaces the certificate in the PSE automatically.

7. Automate with a Cron Job (Linux Scheduler)

To enable automation, configure a cron job that periodically executes the renewal command with the corresponding SLS certificate profile.

For SAP ABAP systems we use a background job and for SAP Java systems the Job Scheduler. For non-ABAP, non-Java components an OS scheduler such as cron executes the renewal script daily.

Explanation of Each Placeholder:

  • <PSE_PATH>: directory where the PSE files are stored (e.g. /usr/sap/<SID>/<INSTANCE>/sec)
  • <sapslscli_path>: directory containing the sapslscli executable (e.g. /usr/sap/<SID>/<INSTANCE>/exe)
  • <SLS_Renewal_Profile_URL>: metadata URL of the specific SLS certificate profile used for renewal
  • -g <days>: renews the certificate when it expires within <days> days (365 in the command above; you can adjust this)


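The cron step above only says "periodically execute the renewal command". The wrapper below is an added example, not the blog's script and not an SAP-delivered tool: it renews several PSEs from a small config file, serializes runs with a lock, keeps the sapslscli output in a log and returns the number of failed renewals so cron (or monitoring) only alerts when a renewal really failed. The renew.conf format, the paths and the lock and log locations are assumptions; the sapslscli options mirror the renew command shown in step 6.

```shell
#!/bin/sh
# Added example (not the blog's or SAP's own script): cron wrapper that renews several PSEs
# on one Linux host through "sapslscli renew" (step 6) and reports failures. Paths, the
# renew.conf format and the lock/log locations are assumptions for illustration.
set -u

PSE_PATH=${PSE_PATH:-/usr/sap/sec}
SLSCLI=${SLSCLI:-/usr/sap/sec/sapslscli}
RA_PSE=${RA_PSE:-$PSE_PATH/ra.pse}          # registration PSE from step 1
GRACE_DAYS=${GRACE_DAYS:-30}                # renew when expiry is within this many days
RENEW_CONF=${RENEW_CONF:-$PSE_PATH/renew.conf}
LOCK_DIR=${LOCK_DIR:-/var/tmp/sls_renew.lock}
LOG=${LOG:-/var/log/sls_renew.log}

# renew.conf (assumed format): one PSE per line, "<pse file>|<SLS renewal profile metadata URL>".
# Blank lines and lines starting with # are ignored.

# Renew a single PSE; the exit status is the one sapslscli returns.
renew_one() {
  "$SLSCLI" renew -r "$RA_PSE" -p "$1" -g "$GRACE_DAYS" -e "$2"
}

# Walk the config, renew every PSE, and return the number of failures, so cron's exit-status
# mail (or your monitoring) fires only when something actually needs attention.
renew_all() {
  conf=$1; total=0; failed=0
  while IFS='|' read -r pse url; do
    case "$pse" in ''|'#'*) continue ;; esac
    total=$((total + 1))
    if renew_one "$pse" "$url" >>"$LOG" 2>&1; then
      echo "ok $pse"
    else
      rc=$?
      echo "FAILED $pse rc=$rc"
      failed=$((failed + 1))
    fi
  done <"$conf"
  echo "processed $total, failed $failed"
  return $failed
}

# mkdir is atomic, so it serves as a lock without depending on flock; a second run that starts
# while the first is still talking to SLS backs off with EX_TEMPFAIL (75).
with_lock() {
  if mkdir "$LOCK_DIR" 2>/dev/null; then
    trap 'rmdir "$LOCK_DIR"' EXIT
    "$@"
  else
    echo "another renewal run is active ($LOCK_DIR exists)" >&2
    return 75
  fi
}

main() {
  [ -r "$RENEW_CONF" ] || { echo "missing $RENEW_CONF" >&2; exit 1; }
  with_lock renew_all "$RENEW_CONF"
}

# crontab entry for the component's OS user (assumed path), once per night:
#   15 2 * * * /usr/sap/sec/sls_renew.sh
# Runs only when invoked as a script; sourcing it just defines the functions.
case "$0" in */sls_renew.sh) main ;; esac
```

Because the renewal is a no-op until the certificate is inside the -g window, running it nightly is cheap, and a persistent non-zero exit is the signal that SLS, the RA PSE or the network path needs a look before the certificate actually expires.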
All certificates can now be renewed automatically with the SLS command line tool, which removes the manual effort by using the certificate lifecycle management functionality of the SLS server.

SAP Certificate Enrollment & Renewal Automation Process (Java)

This blog is a continuation of the generic setup explained in the blog on this page.

To enable certificate automation in an AS Java system, you must first deploy the Secure Login Library 3.0 (official help.sap.com link).
The operating-system-independent package is delivered as an SCA file, which can be installed on AS Java through the telnet deployment tool.

Once deployed, the system automatically provides the CLM application at: https://<host>:<port>/sapsso/clm

In the NWA, go to Configuration → Certificates and Keys.
Under Key Storage, open Security → Permissions by Domain, search for the CLM application, and grant it full access to the keystore views that should be renewed automatically.

Open the CLM application in the browser. Start by registering the system (initial enrollment).

  • Enter the metadata URL and click Fetch.

  • When prompted, log in with a user allowed to perform CLM enrollment.

Click Register, then Save.

To renew certificates, go to the Enrollment tile.

  • The metadata URL is already stored, so select the keystore view and the certificate you want to renew.
  • After choosing Enroll Certificates, the updated certificates appear.
  • You can review them using Show Details.

Finally, you may create a scheduled task so renewals run automatically.

  • The task executes under the currently logged‑in user.

Conclusion

After this configuration, the certificates in AS Java should be renewed regularly before reaching the end of their lifetime.

SAP Certificate Enrollment & Renewal Automation Process (ABAP)

To organize certificate profiles and control which SAP systems participate in the automation process, you need to create an Application Server Profile Group in the Secure Login Administration Console (SLAC).

This blog is a continuation of the generic setup explained in the blog on this page.

For ABAP certificate renewal OSS note 2452425 – Collective Note – SAP SSO Certificate Lifecycle Management for ABAP contains full list of bug fix notes to apply or to check in case of issues.

Reference to official help.sap.com for SLS for ABAP.

1. Create a New Profile Group

In SLAC, navigate to: Application Server Profile Groups → Create New Group

Give the group a name that clearly identifies its purpose.

2. Assign System Identifiers

Under System Identifiers, add the SIDs of all SAP systems that will participate in certificate renewal. Important notes: SIDs can contain uppercase letters and digits.

3. Configuration on AS ABAP

Configuring ABAP for CLM automation involves running two key reports.
Most recent NetWeaver releases already include them, but to ensure you are using the latest versions, SAP recommends implementing the corrections from SAP Note 2452425 – Collective Note – SAP SSO Certificate Lifecycle Management for ABAP.

Run the SSF_CERT_ENROLL Report

This report performs the initial connection between the ABAP system and Secure Login Server (SLS). It needs two inputs:

  • the metadata URL of the Application Server Profile Group in SLS
  • a technical user with password authentication that is authorized to perform the enrollment

Running this report enrolls the system for the first time and retrieves the required certificate information.

Once the enrollment report has been executed successfully, the system displays an overview of all certificate objects that are available for renewal. This screen also shows the certificate profiles assigned to the different PSEs.

For very long subjects, check OSS note 3115847 – CLM: SSF_CERT_RENEW cannot renew certificates where subject and SANs exceed 255 characters.

Select Certificates for Renewal

You will see a list of certificate entries along with the available certificate profiles. For each entry:

  • Choose the appropriate certificate profile
  • Select the certificates you want to renew

This allows you to control exactly which PSEs should be processed.

Execute the Renewal

After starting the renewal process, the system will update the selected certificates through the Secure Login Server. When the renewal completes successfully, you should receive a confirmation message for each certificate that was processed.

Schedule Automated Renewal

To avoid manual renewals in the future, you should save the selection in a variant and set up a scheduled job of program SSF_CERT_RENEW. You need a batch job per application server and per certificate type.

Conclusion

After this configuration, the certificates in AS ABAP should be renewed regularly before reaching the end of their lifetime.