SE16N emergency edit mode

For emergency cases you might need to edit table data directly. This blog will describe the emergency edit mode of SE16N.

Questions that will be answered are:

  • How to get the SE16N emergency edit mode?
  • How to enable the SE16N emergency edit mode?
  • How to use the SE16N emergency edit mode?

Getting the SE16N emergency edit mode

The SE16N emergency edit mode is installed as standard as of S4HANA 2020. For older versions, you need to apply OSS note 2911103 – SE16N: Alternative edit mode.

Enabling SE16N emergency mode

The SE16N emergency mode is started via transaction SE16N_EMERGENCY. This transaction is locked by default:

Please consult your security team before unlocking this powerful transaction.

Use transaction SM01_CUS to unlock the SE16N_EMERGENCY transaction. Read this blog on the use of SM01_CUS.

Use of the SE16N emergency mode

Use of the emergency mode is pretty simple. Start transaction SE16N_EMERGENCY, enter the table, and you are launched into edit mode immediately. Example is here for table T001:

Other ways

For other ways of direct table hacking, read this blog.

Checking usage

Checking SE16N usage is explained in this blog.

Or configure the audit log after applying/checking this OSS note: 3140539 – SAL | New event definition for change access in SE16N.

Bug fix OSS notes

Bug fix note:

SAP password hash hacking Part V: optimizing the attack speed

This blog series will explain the process of hacking SAP password hashes, also known as SAP password hacking. The process of hacking and the appropriate countermeasures will be explained.

In this fifth blog we will focus on optimizing the speed of attack. The preventive measures will focus on reducing the attack speed.

For the first blog on attacking the SAP BCODE hash, click here.

For the second blog on attacking the SAP PASSCODE hash, click here.

For the third blog on attacking the SAP PWDSALTEDHASH hash, click here.

For the fourth blog on advanced topics, like the rule based attack, click here.

For more on extended word lists, click here.

Questions that will be answered in this blog are:

  • How to optimize the attack speed?
  • How to optimize getting hashes converted into real passwords?

Optimizing the attack

First check if you can get hold of PASSCODE or preferably BCODE hashes. These are 10 to 20 times faster to hack than PWDSALTEDHASH codes.

Assuming the administrators have done their work and only PWDSALTEDHASH remains, there are still options to speed up the attack.

Get faster graphics card(s)

Don’t do password hacking on a laptop. The graphics card in any laptop is simply too slow. Use a gaming specification graphics card or cards (cost range is about 300 to 500 dollars or euros per card).

Preparation of the attack

The first thing to do is to get the password rules. Most common is 1 letter, 1 digit, 1 special and a minimum length of 8. But differences occur. If, for example, the minimum length is 10, you can adjust your dictionaries to remove all small words that will not comply.

Check the language: use the Webster dictionary for English in all cases, but based on the language of the company, you must use German, French, Spanish, Italian, Dutch, etc. dictionaries as well.

If possible, filter out high potential targets from your list. It is better to have a high value administrator or CEO than a warehouse person who can do simple movements and write time.

Sequence of attacks

Start first with your library of most frequently used passwords. Maybe there is already a hit.

You will be surprised that about 1% will hit.

Second run is with a list of company, product and department names. If you want to target company called TARGET with product name PRODUCT, make a special file with names like:

Target2021!

Product2021!

Use the password rulebooks to generate as many variations as possible (examples are T@rget2021, Pr0duct2021!).

You will be surprised that about another 1% will hit. Who is using these simple to guess passwords? More people than you think!

Third run should be a dictionary run with a rulebook. Start with English and the primary language of the company. The most successful rule is word plus digit plus special.

You will be surprised that about another 1 to 3% will hit.

Depending on the speed and sizes, the rulebook run is a very good one to run for a longer time (consider 1 week constantly running this).

Fourth run should be a keyboard walk rulebook. The keyboard walk contains passwords like QWERtyui1234%^&*, or 1qaz@WSX (walk on keyboard…).

You will be surprised that about another 1% will hit.

Re-using the output file to generate new attack: fingerprint attack

When your first attacks are done, there is one last, surprisingly successful attack possible. For this you take your file with all the passwords you have already cracked.

You now cut these passwords into 2. For example, Target2021! is cut into:

T and arget2021!

Ta and rget2021!

….

Target2021 and !

And the word itself Target2021!

Now you have 2 files. Use these in a combinator attack mode (see hashcat wiki for the exact syntax to use).

This procedure is called a fingerprint attack.

This might give surprising results like TargetProduct2021!

This attack will bring a surprisingly high number of hits. The better the first passwords you have cracked, the better the result here. Save this attack till last, since it can be a very lengthy one, and a lot of duplication with the previous attacks can happen.
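From the defender's side, the runs above all target passwords that pass the usual "letter, digit, special, length 8" rule. The following screening check is an added example, not code from the original blog; it flags those shapes when a password is set. The term lists, the leetspeak map, the 4-key run length and the 0.75 coverage threshold are assumptions chosen for illustration.

```python
import re

# US QWERTY key rows; shifted digit-row symbols map back to their key.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
UNSHIFT = str.maketrans("!@#$%^&*()", "1234567890")
# Columns read top to bottom, e.g. "1qaz" and "2wsx".
COLS = ["".join(r[i] for r in ROWS if i < len(r)) for i in range(10)]
WALKS = [s for seq in ROWS + COLS for s in (seq, seq[::-1])]
# Common character substitutions undone before comparing (constructed map).
LEET = str.maketrans("@4031$5", "aaoeiss")

# Constructed sample lists; a real deployment would load its own.
ORG_TERMS = ["target", "product"]
COMMON_WORDS = {"summer", "welcome", "password"}


def meets_policy(pw, min_len=8):
    """The common rule set quoted in the text: letter, digit, special, length."""
    return (len(pw) >= min_len
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def split_stem(pw):
    """Split 'T@rget2021!' into a normalised stem and its digit/special suffix."""
    stem, suffix = re.match(r"^(.*?)([\d\W_]*)$", pw, re.S).groups()
    return stem.lower().translate(LEET), suffix


def walk_coverage(pw):
    """Fraction of the password covered by runs of 4+ adjacent keys."""
    keys = pw.translate(UNSHIFT).lower()
    covered = i = 0
    while i < len(keys):
        run = 0
        # Try the longest candidate first so one long walk counts once.
        for n in range(len(keys) - i, 3, -1):
            if any(keys[i:i + n] in w for w in WALKS):
                run = n
                break
        covered += run
        i += run or 1
    return covered / len(keys) if keys else 0.0


def screen_password(pw, org_terms, common_words):
    """Return the list of reasons a candidate password should be rejected."""
    reasons = []
    stem, suffix = split_stem(pw)
    # Company, product or department name, alone or combined with other text.
    if any(t.lower() in stem for t in org_terms):
        reasons.append("org_term")
    # Dictionary word followed by digits and/or specials.
    if stem in common_words and suffix:
        reasons.append("word_plus_suffix")
    if walk_coverage(pw) >= 0.75:
        reasons.append("keyboard_walk")
    return reasons


if __name__ == "__main__":
    for candidate in ["T@rget2021", "TargetProduct2021!", "Summer2021!",
                      "1qaz@WSX", "v9#Kd!tR2m&Lq"]:
        print(candidate, meets_policy(candidate),
              screen_password(candidate, ORG_TERMS, COMMON_WORDS))
```

Every sample except the last one satisfies the complexity rule and is still flagged, which is the gap the rule alone leaves open.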

Strengthening password technical strength

The ABAP password can be made stronger by technical means, by increasing the hash salt size. It will then take longer to crack. OSS notes:

Read more in this dedicated blog on password hash strengthening.

BI queue deletion

During a SPAM import or during application of a TCI OSS note using SPAM, you can get errors due to BI queues. This blog will explain how to delete these queues.

Questions that will be answered in this blog are:

  • How to clean up the BI queues in case SPAM or TCI note is being blocked by it?

qRFC clean up

First start in transaction SMQ1 to delete the MCEX BI outbound queues:

SMQ1 BI outbound queues

Select all queues and press the delete button.

More blocks

If it is still blocking run program RMCEXCHK:

RMCEXCHK result

Look for the application number(s) that are blocking. In this example 04. For V3 updates read 2886816 – Supplement to Note 652310 & 67014 & 1083709 about error ‘due to open V3 proc not changed’.

Now start transaction LBWG to delete the setup for this application:

LBWG transaction

Details behind LBWG are explained in OSS note 1752439 – Explanation of transaction LBWG.

FIORI search setup

FIORI search is a very powerful tool for the end users. It enables a Google-like search on the business data.

Questions that will be answered in this blog are:

  • How does FIORI search work from the end user perspective?
  • How to set up FIORI search?
  • How to authorize search data?

FIORI search from end user perspective

From the end user perspective: open the search glass and type anything. Just like in Google:

Now wait for the search engine to give results:

Now you can select a record, or select a related app (with the … you get more options):

Set up of FIORI search

In the FIORI launchpad configuration parameters (see SAP help) make sure that enableSearch is set to true. Otherwise the search icon does not appear.

In case you run a FIORI hub, make sure to set up the web dispatcher rules properly to the backend (see SAP help).

Next step is to activate the search models and the backend (see blog). The search setup for FIORI launchpad is fully dependent on the backend search.

Some apps use related links. For these related links, the related FIORI app or FIORI factsheet must be activated. See this blog on how to fast activate complete groups of FIORI apps.

FIORI search authorizations

FIORI search relies on the authorizations of the end user. First make sure that the general authorization for the search is active in this IMG node:

The setting Model Authorization must be set to Check:

In the search cockpit (transaction ESH_COCKPIT), make sure that the user authorizations are indexed. In case of doubt run it under the Actions button, and select Index User Authority:

If one end user gets results and the other one does not get the same result: the main reason might be a difference in authorizations.

Useful OSS notes

For specific use cases the following OSS notes might be relevant:

Setting up trusted RFC connection

This blog will explain how to set up trusted RFC connection.

Questions that will be answered are:

  • How to set up a trusted RFC connection?
  • How to edit generated RFC in SM59 using the TOGL function?

Setting up trusted RFC

Start in transaction SM59 to create an RFC to the destination system:

Trusted RFC with user name

Fill out your own user ID first. Make sure your user ID exists in the destination system and has sufficient S_RFCACL rights in the destination system. See OSS note 128447 – Trusted/trusting systems for the details.

Test the connection including the remote logon.

If that is ok, start transaction SMT1 and start the roadmap for setting up the trusted connection:

SMT1 enter destination

Enter the destination and finish the roadmap:

SMT1 complete roadmap

Complete the roadmap. 

Now return to SM59 for the destination and remove the user ID, tick the box “Current User” and switch the Trust Relationship to Yes:

Trusted RFC with trust setting

Now test again. All should work.

Background SAP wiki can be found in this link.

Background notes:

Testing trusted RFC

A trusted RFC can be tested via the Remote Logon button:

If you can now jump from the current system to the connected system without a password prompt, then all is fine.

If it is not working: check in the target system in ST22 for a remote logon failure dump. Most likely your user does not have sufficient rights in the target system.

RFC security settings

For checking RFC security settings, read this dedicated blog.

RFC Access Control List

In the newer S4HANA versions, you can switch from an authorization check towards a full Access Control List setup. Use transaction SMTACL and select the trust connection:

Switch here to Access Control List Check.

RFC hacking

Be aware that RFCs, and especially trusted RFCs, can be misused for hacking. Read this dedicated blog on how, and how to protect.

Checking which systems you trust

With transaction SMT2 you can check which systems have a trusted system setup towards the system you are currently logged in to.

Editing trusted connections

Trusted connections are generated. In case of emergency you might need to edit one. In the command bar, enter keyword TOGL to go to SM59 edit mode:

See note 3212943 – How to edit the settings of unchangeable RFC destinations.

Trusted systems and installation number changes

If you have trusted systems and want to change an installation number of one of the systems, carefully read this OSS note: 2849941 – SMT1/SMT2 configuration after SID or installation number change.

Issues with trust certificates

In exceptional cases you might face issues with cache refresh of replaced certificates. See OSS note 2947038 – Error SOAP:1033 CheckPSE occurs in STRUST/STRUSTSSO2. Solution is to run program SRT_CFG_CLEAR_DESIGNTIME_CACHE.

Trusted RFC security note 3157268

Unfortunately SAP released security note 3157268 – How-To-Guide: Migration of Trusted/Trusting Relationships, along with the FAQ note 3281854 – FAQ for Security Note 3089413. If you did not migrate your existing trusted RFCs to the new setup, do it fast within reasonable time (which includes proper testing).

After migration is done, or when you have a new setup, make sure you have set parameter rfc/allowoldticket4tt to the value no.

Set up FIORI notifications

This blog will explain the setup of FIORI notifications. They are sometimes also called FIORI push notifications.

The notifications on the FIORI launchpad are pushed to the end user on the top right part of the screen:

In this case 22 notifications are present.

Questions that will be answered in this blog are:

  • How to generically activate FIORI notifications?
  • Which specific settings do I need to perform to activate notifications for my specific workflow?
  • How to test FIORI notifications?
  • Where to find more background on FIORI notifications?

Setting up the FIORI notifications

Go to the customizing entry for notification channel configuration. We will set up the scenario for embedded FIORI. If you want to set up notifications for the FIORI gateway as a central step, more activities are required. These are listed at the SAP help site.

Start with the Notification Hub RFC destination:

Set the destination to NONE and press execute:

Now set the backend system alias to LOCAL and press execute:

Now go to the menu entry for Manage Notification Providers to activate the desired ones:

Now we will set up the notification channel hub. Go to these customizing actions:

Start with the action Manage SAP System Aliases and map the LOCAL gateway to RFC destination NONE:

Now select the Publish the Notification ODATA Service entry and make sure the service /IWNGW/NOTIFICATION_SRV is published:

If not done, push the button Publish Service Groups, select LOCAL, press button Get Service Groups and search for /IWNGW/NOTIFICATION_SRV:

And publish it.

Now check in Manage WebSocket Endpoint that service NOTIFICATION_PUSH_APC is active:

In the customizing entry Activate and Maintain Push Channels, check that the push channels are properly active, and if not, activate them:

Go to transaction SWF_PUSH_NOTIF1 to add the workflow task for push notifications. We will add task TS00008267 (this is used in the generic workflow verification):

Click on the text icon to maintain the text:

Make sure that in the technical job repository SJOBREPO (see blog) the jobs for deadline monitoring and push notifications are running:

Testing the push notifications

Now you can start the verification workflow in SWU3 (see blog) or start test transaction /IWNGW/BEP_DEMO:

The results can be seen on the FIORI launchpad:

Notification icon not visible on the FIORI launchpad

If the notification is hidden, check the configurations in transactions /UI2/NWBC_CFG_SAP and /UI2/NWBC_CFG_CUST. It can be that an administrator has suppressed this function.

Background information

The minimum requirements for FIORI notifications are described in OSS note 2578256 – What is the minimum requirement for Fiori Notification?.

Configuration restrictions are listed in OSS 2729492 – Configuring notifications in Fiori Launchpad and known restrictions.

See this SAP help file on the setup of FIORI notifications.

See this SAP help file for notification channel troubleshooting.

See this SAP help file for end user tips & tricks with regards to FIORI notifications.

For custom development of FIORI push notifications, read this SAP blog.

For a very good and extensive full setup description for 1809 FIORI 2.0, read this SAP blog.

Formal OSS note for error analysis: 3358966 – Fiori Push Notifications are not created – Help for analysis.

Bug fix notes

SUIM User Information System

SUIM is like a Swiss knife for the authorization consultant. It has so many reporting tools that it can answer basically any question.

Questions that will be answered in this blog are:

  • What are the most useful tools in SUIM?
  • How can I list users that never logged on to the system?
  • How can I list users that are locked, or have password issues?
  • How can I list users with critical authorizations?

SUIM

The SUIM tool is started with transaction SUIM:

Here you can select the reports from the different categories.

Most useful SUIM reports

In the subsections below you can find the most useful and most used SUIM reports.

Actual user columns are hidden in the examples below for privacy protection.

User with logon data and password change

Query need: to list when users logged on for the last time and when they last changed their password. This query can be very useful when you have to clean up for the yearly license measurement.

In SUIM select this report:

Start screen:

Example result screen:

Check on users with specific authorization value

One of the most used SUIM reports is to list which users have a specific authorization value:

In this example we will look up users who have rights for debugging (object S_DEVELOP, value DEBUG):

On the result list you can see all users. Select the user you are interested in and select the button In Accordance with Selection to find out which role has the specifically requested authorization object:

Result can be multiple roles as well:

Remark: there are 3 single roles here which contain the object. The 3 roles are in 1 composite role that is assigned. That is why the number on top shows 1 role and there are 3 detail lines.

Check on most common critical authorizations

SUIM has a nice check program to check on the most common critical authorizations:

You can select the default SAP variant and use display variant to see the list of checks:

Open the checks to see the details:

The result list can have many potential issues:

You again use the button In Accordance with Selection to find out which role is the cause of the potential issue.

Be careful with the reporting of the numbers. A lot of managers cannot deal with the high numbers reported. 'It is unbelievable that I have 91.493 critical authorization issues in my system!'. Most of the issues are simple to fix and bring the numbers down dramatically. Or some of the items are not relevant in your situation. Always handle the numbers with care.

SUIM_CHDOC_USER

This is a new transaction to show user changes. Read more in this blog.

OSS notes

SUIM is constantly being improved. There are many small bug fix OSS notes. Don’t be scared off by the length of the list. SUIM is a very large function. So it will have many OSS notes.

Bug fix notes to consider:

Number ranges tips & tricks

This blog is about number ranges.

Questions that will be answered in this blog are:

  • How to maintain number ranges?
  • How to transport number ranges?
  • How to clean up old number ranges?
  • How to check if number ranges are full or almost full?
  • Which notes can help me when we have performance issues with number ranges?

SNRO number range maintenance

Number ranges can be maintained with transaction SNRO. After starting select the number range to maintain:

Now press the button Interval Editing:

Now you can display or change the intervals or current number:

Transport of number ranges

Number ranges are not directly put into a transport. If you want to transport them, select from the range maintenance screen the menu option Ranges / Transport. You will get this warning screen:

After pressing Yes, the popup for the transport request will come.

Number range fill up check

Program RSNUMHOT can be used to check if any number range is full or is at a certain percentage.

Output example:

For background running read the KBA note 2485249 – How to see the spool results of report RSNUMHOT.

Clearing abandoned number ranges: 3286395 – RSNUMHOT | Critical intervals are reported for abandoned number ranges.

Number range buffer

Using transaction SM56 you can check the number range buffer settings:

See also OSS note 2586414 – NUM: Increase default of number range buffer size.

Number range clean up

If you have an older SAP implementation, the number of number ranges can become very high. There are many number ranges per year, especially in finance. The result can be that transaction SNRO gets very slow. If this is the case, install OSS note 2931837 – NR: Reorganization of interval table. This will bring program NK_IV_REORGANIZE to reorganize the number range table:

Number range issues

Number ranges are known to have issues in 2 areas:

  • Performance (mainly on very large systems): can be seen in SM66 or SM50 with long updates on table NRIV
  • Gaps in number ranges where legal requirements exist

OSS notes to check when having number range issues:

Batch job result distribution

When a batch job finishes, there are use cases where you want to be informed on the results.

Questions that will be answered in this blog are:

  • How can I mail the spool result of a batch job?
  • How can I mail if the job went ok or not?

Mailing job status

As of version S4HANA 1709 (basis version 7.52), you can mail the batch job result for cancelled jobs, or in all cases when it finishes. In SM37, after the job is planned, go to change mode of the job and push the E-mail Notification button:

In case of issues check OSS note 2951767 – E-mail notifications are not sent.

Mailing spool result

For mailing spool results use the Spool List Recipient button:

On older systems there might be a cutoff after 1000 lines in the mail. See OSS note 329537 – Spool cut off at 1000 lines when sent to recipient. In case of issues, you can check OSS note 760838 – Spool lists are not sent and 930570 – Problems with sent OTF documents.

Mailing spool result to multiple mail addresses

In transaction SO15 create a distribution list:

Hit the create button to create a distribution list:

Go to the tab Dist. list content to enter the e-mail addresses:

Save the list.

Now you can go to SM37 and change the job:

In the recipient field hit F4 or the selection button and switch to the distribution list. Search the correct one and press ok:

In case somebody deleted a shared distribution list by accident, check OSS note 2477819 – Distribution Lists have been deleted for recovery options.

Bug fixes

Bug fix OSS notes:

SAP upgrade SPAU and SPAU_ENH handling

At the end of each upgrade or support package SPAU and SPAU_ENH handling is required.

Questions that will be answered in this blog are:

  • How to execute SPAU processing?
  • What is SPAU_ENH?
  • Where to find more background information on SPAU?

SPAU processing

General information on SPAU processing can be found in OSS note 1970888 – How To: SPDD/SPAU handling during the Update/Upgrade.

When you start transaction SPAU it will ask for a Protocol Title. Give it a meaningful name (background information on the protocol is in OSS note 2497863 – A protocol has to be created before SPAU/SPDD can be executed):

Now you enter the main SPAU screen. The first action to do is to push the button Prepare Notes:

This will start a batch job to download latest versions of the OSS notes and will check if they are relevant for your support pack or upgrade. You can monitor this job in SM37:

For a support pack this job can take up to 30 minutes. For an upgrade of ECC on a large system it can easily run for 4 hours or more.

After the notes download is done SPAU has 3 tabs:

Notes, with assistant and without assistant. For each tab, make a download or screenshots of the items before starting with SPAU handling. For each item, record your action for future reference. If anything is wrong with the note or ABAP object, you can refer back to this recorded decision.

OSS notes processing

First start with the OSS notes processing. Complete all OSS notes before proceeding to the next tab.

The processing sequence is top down: older OSS notes first, then work down the whole list.

In principle, you want to return as much as possible to standard SAP. But be careful: the older OSS notes might be valid modification notes which need to be re-applied after the support pack or upgrade. Check these with the functional team.

Old modification OSS notes can give a warning like this before you Reset them to original:

Some OSS notes might give download issues:

In some cases the note might not even be available any more on support.sap.com. Check it there. If not available, check if the content can be ignored.

Some notes might give issues with content delivery event:

Check on support.sap.com if the note is still present. Check if the content can be ignored.

Some notes might be locked:

Most likely root cause: in SPDD processing sometimes you have to process OSS notes as well, and have to repeat in SPAU phase. In this case, release the SPDD transport from client 000 and redo the action in SPAU.

If you re-enter SPAU later (next day), you might encounter this screen:

In this case choose Continue with Current Protocol.

With modification assistant

Proceed with the tab With modification assistant only when the Notes tab has been processed. There might be some note items left due to the issues mentioned above. When agreed to ignore, you can proceed with the With modification assistant tab.

Reminder: download the items and record your decisions.

For each item you need to decide to Reset the object (return to standard SAP), or to fully keep the modification, or to do a manual adjustment. SAP can make guided proposals in this section.

It is an expert job to make the right decisions. Never let junior staff deal with this part. And when you do, you will regret it later on. It can take a huge amount of time to discover the issues and find out it was because of wrong handling in SPAU.

Without modification assistant

After you have completely done the With modification assistant tab, move on to the Without Modification tab.

The processing here is the same as for With Modification Assistant, but SAP will not make any suggestions. Same expert warning as above.

Checking and activation

The other 3 tabs in SPAU (deletions, migrations and translations) are optional. Process as much as you can:

After SPAU has been done, go to SE80 and make sure that all objects are activated. If not activated, process each inactive object.

Never report back to the basis team to finalise SUM upgrade if you have inactive objects left. On older releases, when SUM is finalised and you still have inactive objects, you need to call off object keys.

SPAU_ENH

After SPAU, you are not yet done. You need to start SPAU_ENH transaction and take care of all the enhancements (explicit and implicit):

OSS note 2584912 – How to work with SPAU_ENH contains a word manual with tips and tricks.

With an S4HANA upgrade, you will regret the implicit enhancements. The code where they were applied might simply have disappeared.

Including usage data

In newer versions of S4HANA SPAU processing, you can include SUSG usage data to make SPAU handling easier. Based on usage you can more comfortably decide to return an item back to standard SAP.

TRDIR and TADIR issues

For TRDIR and TADIR issues during upgrades and support packages, read this dedicated blog.

Finding not adjusted items quickly

Run program RS_FIND_NOT_ADJUSTED_OBJECTS to find out quickly which objects have not yet been adjusted. See also OSS note 2742627 – Display of objects still to be adjusted.

Bug fix and reference OSS notes

Reference OSS notes:

Bug fix notes:

Custom Z code

Custom Z code is not part of SPAU handling. You do this after the upgrade.

For S4HANA you need to do custom code adjustments. Read more in this blog.

Further upgrade post-processing

Depending on your use of functionality, more upgrade or support package post-processing might be required. Read this dedicated blog for more details.