How to check HTTP usage in your ABAP system?

Security teams might request to you as basis administrator: which HTTP calls are being made to and from your ABAP system? Or you might be requested to switch off HTTP (allowing only HTTPs) and you need to know which users and applications are still calling on HTTP.

Questions that will be answered in this blog are:

  • Which users and systems are calling my ABAP system on HTTP?
  • Which systems does my ABAP system call using HTTP?
  • Which programs and processes are using HTTP?

If you need to check RFC usage in your system: read this blog.

Web statistics in ST03

Go to transaction ST03N or ST03, and open the total for this month. Then open the analysis view for web statistics. First check the WEB Client Statistics:

This already gives a lot of information: host and port information, amount of calls. On the tabs for Transaction, User and URL you can get even more details you need for transaction source, user and URL’s on HTTP.

On all 4 tabs on all 4 reports you can double click to get more details. After double-click both HTTPs and HTTP are show. Be sure to filter on HTTP:

StatisticsDescription
WEB Client StatisticsWorkload due to requests for which the system acts as a Web client
WEB Client Dest. StatisticsWorkload due to requests for which the system acts as a Web client, broken down by different client destinations
WEB Server StatisticsWorkload due to requests for which the system acts as a Web server
WEB Server Dest. StatisticsWorkload due to requests for which the system acts as a Web server, broken down by different server destinations

Common cases

Common cases you might want to check for HTTP use:

End users using HTTP

Most of the calls will work on HTTPs as well as HTTP. The most common problem is that end users will have bookmarked the HTTP version in their browser. They will need to be informed the HTTPs version (with a different port number). If you switch off HTTP in this case when a lot of people are still using HTTP you will get a lot of tickets and complaints. Use the web client statistics as explained above to see which entry URL’s they are using. Then mail them to use the new HTTPs entry URL’s with the appropriate port and ask them to switch. Repeat this a few times until the amount of stubborn users is low enough to disable HTTP.

Disabling HTTP check

In transaction SMICM go to the Services icon and then check there is nothing running with an HTTP port.

If you are using SAP Focused Run, read this blog to set up a Security and Configuration validation rule to execute a landscape wide scan on use of HTTP port.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.