Category: Security

security

SNC encryption tips and tricks

This blog will give tips and tricks around the topic SNC encryption.

SNC encryption exists for both SAP GUI and RFC connections.

Formal documentation about SNC can be found on help.sap.com.

SAP GUI client encryption

Central OSS notes for SAP GUI client encryption:

How to check if all GUI’s are using SNC encryption? The audit log can register unencrypted us of the GUI: 2122578 – New: Security Audit Log event for unencrypted GUI / RFC connections. Activate this in the main client(s) as well as in client 000 (3577840 – Information about Security Audit Log event BUJ are required).

Use of insecure SAP GUI

Use of insecure SAP GUI can be detected by using the SAP audit log events. Event BUJ is recording the insecure use: 2122578 – New: Security Audit Log event for unencrypted GUI / RFC connections and 3577840 – Information about Security Audit Log event BUJ are required.

See OSS note 3552348 – Record failed SAP GUI SNC logon attempts in Security Audit Log for attempts.

SAP GUI SNC log on enforcing

As explained in OSS note 3249205 – Difference between snc/only_encrypted_gui and snc/accept_insecure_gui – SAP for Me parameter snc/only_encrypted_gui can be set to 1 to reject any non-SNC GUI connection. Parameter snc/accept_insecure_gui determines if user password logon is still allowed (using SNC), or only password less SSO.

SAP RFC encryption

Generic SAP to SAP RFC encryption is explained in OSS note 2653733 – Enabling SNC on RFCs between AS ABAP and 3373138 – SNC for SM59 destinations that use load balancing.

Specific use case: SNC for STMS

Note 3025554 – SNC for STMS explains the SNC setup for RFC needed in STMS. If not setup properly, you might get the error as described in this OSS note 3477342 – RFC communication error with system/destination : 00024 error during logon.

Specific use case: SNC for JAVA and MII

Note 3394750 – SNC configuration issue between SAP MII Java and ERP explains the SNC setup for RFC needed in JAVA MII. Which refers also to the generic JAVA to ABAP SNC setup note 2573413 – How to configure SNC from 7.1x onwards AS Java to AS ABAP.

Specific use case: CPI-DS

Note 3280758 – Enabling SNC between CPI-DS and ABAP backend fails with “Test failed for the default configuration ‘default'” gives hints on SNC for CPI-DS.

Specific use case: SNC for SAP Router

For SNC for SAP router read this OSS note: 525751 – Installation of the SNC SAPRouter as NT Service.

Good blog on SNC setup for SAP router: link, and standard SAP help content on SCN for SAP router.

Specific note: 3464887 – SAPRouter SNC error -> SNCERR_BAD_NT_PREFIX.

SNC issue solving notes

List of notes to help solve issues:

Audit log integrity protection

This blog will explain how to switch on integrity protection for file based audit log. For full explanation of the SAP audit log, read this blog.

The main OSS note for this feature is 2033317 – Integrity protection format for Security Audit Log.

Activation steps

Step 1. In RZ11 set parameter rsau/integrity to 1.

Step 2. In transaction RSAU_CONFIG set the Protection format active tick box in the Parameter section:

Step 3. In transaction RSAU_ADMIN and create the HMAC key:

Step 4. Save this HMAC key properly including the passphrase!

Checking and validation steps

To validate if the audit log files integrity is ok (no tampering has been done), start transaction RSAU_ADMIN and select the option: Check Integrity of the Files:

Now run and see the results.

You can also run program RSAU_FILE_ADMIN in batch mode (for example every weekend), so that the integrity checking is done on regular basis. In that case, you can use the faster option to Display the Last Integrity Check Status.

Reference OSS notes

Solving generic SM30 and SE16 access with dedicated transactions

In a high secure environment data access to SE16 and SM30 needs to be restricted. In many cases either IT or business still needs to maintain data via SM30 mechanism or some support people still need to see certain table data.

This blog will explain a more dedicated approach to create a dedicated transaction for each table. The generic SM30 and SE16 access can be revoked and replaced with targeted authorizations for the specific table and transaction.

Setup transaction to call SM30 for single table

Start transaction SE93 and enter the transaction you want to created and push the Create button:

On the next screen provide a description and choose the option Transaction with Parameters:

Now fill out the transaction detail:

The text is free of choice. In the transaction put SM30 (we will create a parameterized version) and select to skip initial screen. You can inherit the GUI attributes. In the default values put VIEWNAME and in the value the table you want to update. Add the second value for UPDATE with value X.

Save your work and test the transaction.

By entering the transaction code you now jump to the maintenance of the table (in our case the ZTESTTABLE as specified).

Setup transaction to call SE16 for single table

For SE16 repeat the above steps:

The text is free of choice. In the transaction put SE16 (we will create a parameterized version) and select to skip initial screen. You can inherit the GUI attributes. In the default values put DATABROWSE-TABLENAME and in the value the table you want to update.

Authorization team work

The authorization team can now remove SM30, SE16 and generic table access. Only table maintenance for this specific table is required along with access the newly created Z transaction.

Security Services Tools

SAP offers on GitHub some extra Security Service Tools. These are custom Z ABAPs you can download and modify to your needs.

Link to GitHub:

GitHub – SAP-samples/security-services-tools: If you use security-related services and tools such as EWA, SOS, System Recommendations, Configuration Validation, or a security dashboard in SAP Solution Manager, the ABAP reports in this repository can help with further analysis and development.

Interesting programs from Security Service Tools

Some highlights from the Security Service Tools page:

  • Extensive cleanup program for weak hashes (including the password history data)
  • Workload statistics of RFC calls
  • Show SNC status of active users on application server
  • Show RFC gateway and logging settings
  • History of dynamic profile parameters
  • ….
  • Many more

STUSERTRACE: User trace for authorization checks

ST01 and STAUTHTRACE transactions can be used for short term in-depth authorization traces. The problem is that these traces are very detailed and generate a lot of data.

For some use cases, you need to know what authorizations are needed for a user for longer period of time. Example: you have some background users with too many authorizations and your are tasked to reduce this. Then you want to enable a long term trace that records which authorizations are used by this user ID. You are not interested in how many times and when, but just need a complete list over a very long time (for example 2 months). Another example is when you are tasked to S_TABU_NAM full * authorization with actual table names. How to find out which tables are actually needed?

This is the goal of the STUSERTRACE: long term recording of authorization checks called including detailed table level.

STUSERTRACE enabling settings

The activation is described in OSS note 2220030 – STUSERTRACE: User trace for authorization checks. The first step is to switch parameter auth/auth_user_trace to value F. There is an option to set to Y for full, but don’t do this since then you might run into performance issues. F is the value where filtering happens.

As explained in OSS note 2220030 there is a minor performance impact. To limit the impact, use filtering.

Now start transaction STUSERTRACE to set the filters:

Choose the Change Filter button to add filters:

In this case we add the standard SAP workflow user to trace.

STUSERTRACE results

After you let the trace run, you can use the STUSERTRACE transaction to see which authorization checks were executed for this user ID:

STUSERTRACE will also capture detailed table access down to actual table level:

This means this transaction STUSERTRACE can also be used help replace * values in S_TABU_NAM with the actual tables.

Reorganization of data

Reorganization of data to clean up can be done using menu function Goto/Reorganize:

Relevant OSS notes

SUIM_CHDOC_USER: new transaction to show user changes

In SUIM there is a function to show changes for users, but this transaction can be performing very poor with higher data volumes.

SAP has developed successor transaction SUIM_CHDOC_USER that is giving the same data, but faster.

How to get transaction SUIM_CHDOC_USER?

It is import to know transaction SUIM_CHDOC_USER only works on HANA database. If you are not running on HANA, don’t continue.

Implementation steps:

  1. Apply OSS note 3399100 – SUIM | change history calculation for user/profile assignment
  2. Apply OSS note 3418682 – SUIM_CHDOC_USER | Implementation prerequisite for SAP Note 3405921. Run the generation program.
  3. Apply OSS note 3405921 – SUIM | Read Change Documents for User. Important here: do execute the manual steps here first. These final steps are NOT covered in the previous note.

Transaction SUIM_CHDOC_USER

Now you can start transaction SUIM_CHDOC_USER:

Input is the same as you were used to. Output as well. The new transaction is simply faster.

Bug fix notes

PFCGMASSDELETE: mass deletion of roles

To get the function for mass role deletion, you first need to apply OSS note 3360981 – PFCGMASSDELETE: Mass deletion of roles.

Mass deletion of roles

After the note is applied transaction code PFCGMASSDELETE can be started:

The I information button provides the description of the functions of the program:

The SCC4 functions are described in OSS note 1723881 – Application of client-specific customizing settings to role maintenance.

New way of activating super user SAP*

In SAP note 3303172 – Activating a Super-User SAP* SAP is describing a new alternative to activate user SAP*.

The SAP* activation is required in some cases. Systems that are protected well have the parameter login/no_automatic_user_sapstar set to 1 which will forbid the logon with SAP* (see also blog on SAP standard users). To use SAP* this parameter has to be set to 0, followed by system restart to activate it (the parameter is not dynamic). Often after using SAP* it is forgotten to undo the SAP* activation or to set the parameter login/no_automatic_user_sapstar to the secure 1 status again.

The new way described is available as of kernel release 790 and a separate tool with a short lived password only.

SAP Focused Run security notes validation

In the blog on security and configuration validation overview, we have explained to run a validation of ABAP security notes against your systems using Focused Run configuration and security validation.

Questions that will be answered in this blog are:

  • How can I quickly run an entire year of security OSS notes versus my systems?

SAP github with security policy source files

SAP publishes files for the ABAP security notes each month on the SAP Focused Run Best Practices GitHub:

Here the policy files for the ABAP security notes are stored per year and per month.

Not all security notes for ABAP stack are in these files: only the ABAP notes which can be applied via SNOTE. Security notes for ABAP stacks which require parameter changes or patches are not part of this check!

For convenience I have collected the files per year.

2020-security-OSS-notesDownload
2021-security-OSS-notesDownload
2022-security-OSS-notesDownload
2023-security-OSS-notesDownload
2024-security-OSS-notesDownload
2025-security-OSS-notesDownload
These files are for convenience only. It can be I made a mistake in assembling them.

Uploading the files

Goto the Configuration validation policy maintenance Fiori tile:

Create new policy and copy paste the text from the file:

Do this by choosing Edit and copy and paste the text in the editing section:

Now Save the policy. Check the XML. Generate the policy and check it by pressing Test Policy. Note that these are large files with many checks, so the testing can take some time. Run can be done via the Validate button or by following the instructions below.

Running the Security notes checks against the connected systems

To run the checks, goto the Configuration and Security Analytics Fiori tile:

Select the policy file to run:

Now be patient until the results are ready.

Make sure you expand the amount of columns.

If an ABAP notes is not applied it does not mean your system is not safe. You have define for which CVSS score and which systems you want to apply the security OSS notes, within which timeframe.

More on CVSS score see OSS note 2463332 – Security Note CVSS vector computation – SAP Solution Manager 7.1 and 7.2 and this SAP blog explaining the CVSS scoring in general.

<< This blog was originally posted on SAP Focused Run Guru by Frank Umans. Repost done with permission. >>