ANST: automated notes search tool

This blog will explain one of the most usefull new tools from SAP when having to find bugs in standard SAP coding. The ANST (automated notes search tool) is not receiving the recognition that is should get. In usability it is same ease as the SNOTE tool.

If you love SNOTE you will also love the ANST tool! Just try it out.

Questions that will be answered in this blog:

  • What is the ANST automated notes search tool?
  • How does is work?
  • Why should I always use this tool before submitting an incident to SAP?

ANST (advanced notes search tool)

The ANST tool can help you in:

  • Quickly finding OSS notes for your issue
  • Check if you Z code is causing the issue or dump, or it is a standard SAP issue

OSS note 1818192 is the ANST FAQ note which also has the minimum version. This note also has an extensive explanation. The how to use below is just a summary.

OSS note 2605555 also contains an excellent PDF inside as attachment, that gives a step by step manual.

How to use the ANST tool?

Start tcode ANST.

ANST start screen

If you launch it for first time you might get an error "ANST001 Fatal Error. Customizing table is not filled". If this is the case follow the solution steps in OSS note 1909768.

In the transaction code box key in the transaction where you have the issue. As example we will use tcode S_BCE_68001417 (search for authorizations by complex criteria). The user admin is complaining about an incorrect number of selected authorizations that are shown in that transaction.

So key in the transaction code and description (you can keep it same).

Now press execute: the transaction will be called. In the authorization object screen fill out S_DEVELOP and execute again to get the results:

Initial S_BCE_68001417

Now leave the transaction recording.

In the left bottom of the screen you can see the recording being written into the trace file:

Create trace file

Depending on the complexity and amount of screens you have passed this can take up to 1 to 10 minutes.

The result is shown after the trace file. The result is sorted per SAP module. If you open the details, you can also see the exact program blocks that were hit during the recording.

ANST trace result list per module and program block

Now you can select the modules (if wanted specific code blocks) where you thinks is the issue. After selection hit the Note Search button. The SAP system will now connect to SAP service marketplace and look for the most recent notes for your version, which have not yet been implemented.

Note search result

The middle note seems to be very relevant. From this screen you can can already link to the note (click on note number) and start download to SNOTE already.

Tips on the selection of the components:
1. Never select more than 1000 components: ANST will reject this
2. The less components you select the faster you get results, and shorter list of potential notes as well
3. If you want you can later retrieve the recording and make a different search on different components: no need to re-record
4. Most of the times you can ignore the basis and cross application and basis notes
5. Run the recording and the result together with your functional consultant: he can help filter the components and select usefull notes

Using ANST to analyze short dumps

The ANST tool can be used as well to analyze short dumps. Just start the ANST tool and run the steps including the step where the dump occurs. After the dump the ANST tool will trace the modules including the point where the dump occurs.

Make sure OSS note 2535278 is applied: this contains bug fix for the short dump case.

Checking for customer code issues

After the trace file is generated and you have searched for OSS notes, it can be there is still an issue caused by your own customer code. To exclude this (or to check it anyhow), you have to use the buttton Customer Code from the trace result screen with all the components. Be a bit patient while the tool is scanning for modifications, user-exits, BADI implementations and enhancement spots it came across in the recording.

If you want to analyze implicit and explicit enhancements as well with ANST you must apply OSS note 2408785 first.

ANST clickable demo

SAP has made a nice clickable demo to show you how it works: link to demo.

Use of ANST tool before submitting incident to SAP

Even if the ANST tool does not help you search for the correct OSS note for your issue, the ANST tool can help you in speed up of the incident solution for SAP.

If you want to report the issue to SAP as an incident download the ANST trace file. If you report the incident mention:

  • ANST tool is used and add the recording
  • Add list of already implemented OSS notes
  • You alredy checked for customer code

With this information the first line processor will have a quick job assigning the incidinet to the real issue solvers in Walldorf. This will save you valuable time, since the first line normally come with simple list of notes, or also run the ANST tool themselves, and then come with obvious notes.

Increasing the maximum number of objects limit

If you are using the ANST tool on a transaction with many objects (for example ME21n purchase order), you will notice that you cannot search for more than 1000 objects at the same time. Then you have to open subsection and select subtree and run it more than once with different selections. But sometimes one node really expands into more than 1000 objects. In this case, you best increase the maximum object limit. In ANST start screen choose the Settings button can increase the Max.Object counter on the far right of the settings (scrolling required)

ANST max notes search settings

Needless to say, more objects do take more time to analyze. But it is worth the wait.

Relevant OSS notes

Some interesting OSS notes to review:

2735032 – ANST: Scan Source Code for Implicit Enhancements

ANST for web applications and FIORI

ANST can also be used for web applications and FIORI. See this blog.

Retrieving actual detailed SAP component information

This blog will explain you how to retrieve actual detailed SAP component information.

Questions that will be answered:

  • How do I get detailed system component information?
  • How do I download these to compare them across the landscape?

System / Status

The most simple way of getting installation component information is by using the menu System/Status. Then click on the Status details button:

System status details

Now the installed software components and product versions will be shown:

Getting the details as download

The system status details cannot be downloaded. If you want to compare the software components in detail across your system landscape (sandbox, development, test, acceptance, productive, training etc environments), you are in need of these details in downloadable format. With the downloaded data it is easy in Excel to compare all details.

To get the details goto transaction SE37.

For the installed software use function module OCS_GET_INSTALLED_SWPRODUCTS. Execute it and click on the ET_SWPRODUCTS outcome table.


For the details on all installation components and support pack status use function module OCS_GET_INSTALLED_COMPS. Execute it and click on the TT_COMPTAB:

Installed components via OCS_GET_INSTALLED_COMPS

In an ECC system this list will be very long. Use the option System / List / Save as / local file to download the complete list in text format.

Warning: don't rely on the content of table CVERS. In the past this used be reliable, but currently it is not any more. Warning from SAP not to rely on this is written in OSS note 2464887. The routines above read the PAT03 table, which holds all the installs, and then determine the most recently installed patch to show.

SAP GUI patching

This blog will zoom in on SAP GUI patching.

Questions that will be addressed are:

  1. Where can I find the latest SAP GUI patch availablitily status?
  2. Where can I find the planning for SAP GUI ptaches?
  3. What should be my SAP GUI patch and upgrade policy?

SAP GUI latest patch availability overview and future planned patches

One of the best places to check the latest available is on the SAP blog: SAP GUI latest patch. This site also contains the planning for the next upcoming patch.

Current SAP GUI support overview

The SAP GUI support dates are published by SAP in OSS note 147519.

Corresponding NWBC backend OSS notes

When patching the NWBC front end, or when using NWBC html client, you should also check for server side corrections. The list of most recent note(s) to be applied is kept in OSS note 1353538 – NWBC -Patch Collection- SERVER SIDE (ABAP)+NWBC for HTML. To retrieve your current NWBC backend server patch version follow the instructions in OSS note 1864151 – How to determine the version and Patch Level of NWBC Runtime Environment.

SAP GUI patching policy

SAP GUI and its patches tend to have very short support timelines. An SAP GUI version nowadays is only supported up to max 2 years after release. Reason behind this: the SAP GUI builds on top of windows component which have very short support cycle.

If your company policy is to always have support IT software, you will have to plan and execute an SAP GUI upgrade almost yearly to stay within full SAP support. Put it on your yearly budget and execution calendar as a recurring item.

If you don’t want to go into this yearly effort of testing, packaging and deploying the SAP GUI to your end users, you can opt for this, as long as you are aware of the consequences. Just make sure of the following two main items:

  1. Inform your IT management and service managers that you run the GUI without support, and they approve it.
  2. Check with your windows team that they will still have the libraries in windows desktop/laptop that the SAP GUI needs.

SAP system hacking using RFC jump

This blog will explain the SAP system hacking using RFC jump method. It will show the simplicity of the hack, and tell you what to do in preventing this method to be used on your SAP system.

Question that will be answered:

  • How does the RFC jump SAP system hack work?
  • How do I check all my RFC’s for this weakness?
  • What can I do to prevent this hack from happening on my system?

RFC jump hack background

SAP uses RFC connections between SAP systems to send and received business data. For example the BI system will pull data from the ECC system via an RFC connection. The SAP solution manager system is fed from the ECC system via an RFC connection. Or a SAP netweaver gateway system serving SAP FIORI tiles.

In the RFC setup the system admin will have to set the connection details and its logon method. The logon methods can be:

  • Current user via logon screen
  • Current user via trust logon screen
  • Fixed user ID: dialog user ID or background user ID

The first method with logon screen will promt for user ID and password and is not usefull for hacking.

The trusted connection will check the rights in the other SAP system using your own user ID and privileges.

The RFC’s with fixed user ID’s will use the user ID and privileges of the user ID in the RFC connection and also using password entered by the admin. So you don’t even need to know the password…..

3 methods of misusing the RCF jump

3 methods of misuing the RFC jump will be explained. All of the scenario’s start from a already compromised system.

RFC jump explained

You have gained access to an SAP system, which in first instance is less important. For example by using standard SAP passwords (see blog on this topic).

1. Using the weakness to jump from one system to another: named dialog users in RFC

Now you start to scan the RFC’s of this server in SM59.

RFC with admin password

You notice that there is an RFC to another system which has the user ID and password of the system admin. You now simply click the remote logon button and you jump to the other system.

Remote logon button

You are logged on now into this system with the user ID and privileges of this other user ID. From this system you can even jump further.

This way you could go from a development to productive server. Or from a BI to an ECC server. Or from Solution manager to ECC productive server.

2. Using the weakness to jump from one system to another: named background users in RFC

The jump will not work if the user ID in the RFC is a background user ID. One example here is the ALEREMOTE user in ECC, which is used by the BI system to extract data from ECC. Since this user has to pull a lot of data and is needing a lot of privileges this user ID is sometimes given SAP_ALL privileges.

If this is the case the hacker can still misuse this RFC. In the hacked system he goes to transaction SE37 and creates a test function module sequence consisting of 2 calls: BAPI_USER_CHANGE and BAPI_TRANSACTION_COMMIT.

function modules

The first call will have the input to change user ID ALEREMOTE user type from B (background) to type A (dialog). The commit is needed to actually confirm and push the change to the database. Once the sequence is setup the hacker will use the test function to fire the sequence. In the testing the hacker will put in the RFC with the ALEREMOTE user. Now this sequence will be fired with the privileges of the ALEREMOTE user (it has SAP_ALL). So it will then itself change its own user type remotely…. After this is done the dialog jump will work from the remote system and the hacker comes into the system with user ALEREMOTE and the attached SAP_ALL rights.

3. Using the weakness to jump from one system to another: trusted RFC’s

If you have taken over one system and you see a trusted RFC towards another system this can be misused for hacking.

Trusted connection

But you need extra information. If you know the user ID of the admin in the system target, set up the user ID in the system already taken over, or if already there reset password. Then logon in the taken over system with the admin user ID. Goto SM59 to the trusted connection. Click remote logon and you jump to the other system without having to logon, but with the user ID and priviliges of the admin.

How to detect the jumps which are misused?

The complexity in detection is not to detect the jumps itself, because there is also good use of the jumps (via the trusted RFC’s), but to detect the misused jumps. This is hardly possible.

Detection can be done for the user changes executed by background users. Detection could be done with tracking the terminal ID suddenly switching user ID.

The SAP audit log can help you find traces to what has happened as detective after the fact method. But it will not help you detect or prevent misuse.

How to scan your RFC’s for potential misuse?

SAP provides a program to check RFC’s for weak settings: RSRFCCHK.

If you start the program select all the destinations and optionally the connection test to see if the connections work at all.

RSRFCCHK program

The result will give you a list of potentially dangerous RFC connections and the user ID’s used.

RSRFCCHK program result including connection test

This you can use as a worklist for checking.

Protection measures

Protection is possible by a series of actions (a single acction will not be sufficient):

  • Access restriction. Restriction of access to SU01 user management and SM59 RFC setup. Not only on main systems, but also on connected trusted systems.
  • Remove SAP_ALL and user rights from background and RFC users.
  • At least yearly scan systems for wrongly setup RFC’s and delete them.
  • Instruct basis team never to put in their own account into an RFC connection.

The most though misunderstanding is with some security and control teams themselves. They heavily underestimate the danger of the trusted connections. They come with statements like “we focus on production only”, or “that system is not part of our compliance XYZ framework check”.

Basic golden principle:
The trusted system must have same protection level and control measures as the system it is connected to.