SAP trust center

As a company you rely on SAP to provide support and services. But how do you know whether SAP is doing a good job on this part?

If an internal auditor or external auditor asks you to show or explain the elements of SAP delivered support, where do you get the information?

SAP trust center

SAP has a good site to start with this information: the SAP trust center.

Here you can find:

  • Security policies
  • Security frameworks
  • List of sub-processors employed by SAP to provide services (sub-processors can be at infrastructure level, like AWS, Azure, etc., but also manpower providers like Accenture, TCS, etc.)
  • Compliance reports such as SOC1, SOC2, ISO 27001, ISO 9001, etc. (or go directly to the compliance finder)

Not all reports are public. For some you must be a customer of the product or service. Some parts require acknowledgement of a non-disclosure agreement before you can get the report.

Security white paper

Another good document is the SAP security white paper.

SM05 HTTPs session management

Transaction SM05 can be used to manage HTTPs sessions in an ABAP stack in a similar way to GUI sessions in SM04.

SM05 HTTPs session management

Start transaction SM05:

At the top you can see the percentage of free sessions.

In the table, you can see the sessions and, if needed, delete them. The right columns show the logon method (password, SAML, X.509, etc.). This might be helpful when investigating logon issues, since the solution could be different per logon method.

OSS notes regarding SM05

Relevant OSS notes:

ABAP editor lock

ABAP programs can be protected from changes by setting the editor lock. Only do this for very critical programs.

This blog will primarily focus on methods to remove the editor lock.

Editor lock

The editor lock is set on the properties of an ABAP program:

The property to set is the Editor Lock tickbox.

When this is set, only the author can change the program.

Change user for editor lock

In some cases you have a valid reason to lift the editor lock: for example, the person has left, or you need to change the program for an emergency bug fix and can’t wait until the owner is back.

Change editor lock via SE03

As a basis administrator you can change the owner of the editor lock in transaction SE03:

Change via SU01 usage

When the person has left: alter the password for this user in SU01. Log on as this user and remove the editor lock.

Via table editing of table PROGDIR

Go to table PROGDIR and view the content (via SE11). Search for your program and edit the entry:

Remove the EDTX flag and save. Editor lock is gone.

Via program

You can use the Z program below to remove the lock:

REPORT  zedit_lock_remove.

TABLES: trdir.

* Name of the program whose editor lock has to be removed
PARAMETERS: p_prog LIKE trdir-name OBLIGATORY.

START-OF-SELECTION.
  " Read the program attributes into the TRDIR work area
  SELECT SINGLE * FROM trdir WHERE name = p_prog.

  IF sy-subrc = 0.
    IF trdir-edtx = 'X'.
      " Clear the editor lock flag and write the attributes back
      MOVE ' ' TO trdir-edtx.
      MODIFY trdir.
      WRITE: /'Editor Lock was removed from', p_prog.
    ELSE.
      WRITE: /'Program', p_prog, 'does not have an Editor Lock'.
    ENDIF.
  ELSE.
    WRITE: /'No match found for program', p_prog.
  ENDIF.
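All four methods above end with either the EDTX flag cleared or the lock bound to a different user, so comparing two periodic snapshots of the program attributes shows when a lock was lifted, whichever route was used. The following is an added example, not code from the original blog or from SAP; the CSV layout, the OWNER column name and all sample values are constructed for illustration.

```python
import csv
import io

# Constructed sample snapshots (not real data). NAME and EDTX are the fields
# used on this page; OWNER is a hypothetical column holding the lock owner.
BASELINE = """NAME,EDTX,OWNER
ZCRITICAL_PAYRUN,X,JSMITH
ZBANK_INTERFACE,X,AKHAN
ZREPORT_SALES,,MLEE
ZOLD_CLEANUP,X,JSMITH
"""
CURRENT = """NAME,EDTX,OWNER
ZCRITICAL_PAYRUN,,JSMITH
ZBANK_INTERFACE,X,BASIS01
ZREPORT_SALES,,MLEE
"""


def load_snapshot(text):
    """Parse a CSV snapshot into {program: (locked, owner)}."""
    snapshot = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = row["NAME"].strip().upper()
        locked = row["EDTX"].strip().upper() == "X"
        snapshot[name] = (locked, row["OWNER"].strip().upper())
    return snapshot


def editor_lock_findings(baseline_csv, current_csv):
    """Report what happened to every program that was locked in the baseline."""
    before, after = load_snapshot(baseline_csv), load_snapshot(current_csv)
    findings = []
    for prog in sorted(before):
        locked, owner = before[prog]
        if not locked:
            continue  # only programs that carried the lock are of interest
        if prog not in after:
            findings.append((prog, "LOCKED_PROGRAM_MISSING", owner))
            continue
        now_locked, now_owner = after[prog]
        if not now_locked:  # EDTX cleared: table edit, Z program or owner logon
            findings.append((prog, "LOCK_REMOVED", owner))
        elif now_owner != owner:  # lock kept but moved to another user (SE03)
            findings.append((prog, "LOCK_OWNER_CHANGED", f"{owner}->{now_owner}"))
    return findings


if __name__ == "__main__":
    for finding in editor_lock_findings(BASELINE, CURRENT):
        print(*finding)
```

Each finding can then be matched against an approved change or emergency request for that program.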

SAP kernel patching

The SAP kernel is the central software for the ABAP netweaver stack. It also contains bugs and needs patching/updating from time to time.

Unlike support packages and OSS notes, the kernel patching has to be handled with more care.

Questions that will be answered in this blog are:

  • What is the SAP kernel deployment strategy?
  • When should I patch the SAP kernel?
  • What are known pain points in SAP kernel updates?
  • Where can I find kernel OSS notes updates?
  • Where can I find regressions on kernel updates?

SAP kernel deployment strategy

The full SAP kernel deployment strategy can be found as a document on this link. For a practical powerpoint on the 2022 patches, use this link.

The basic strategy:

  • Update kernel with support package upgrade or main version upgrade
  • Apply kernel updates only when you experience issues

This is a sound approach. The kernel is quite black and white in updating. It is fully updated or not. Each new kernel might contain new bugs or unwanted side effects. If not properly tested you need to roll back the kernel update.

SAP kernel versions and SAP kernel patch levels

Versions and levels can be found in OSS note 2083594 – SAP Kernel Versions and SAP Kernel Patch Levels.

Known pain points in kernel updates

If you upgrade your SAP kernel, please pay attention to the following items:

  • Use of ITS webgui
    • Use of handheld scanners using the ITS webgui
    • Portal and other external integration of ITS webgui
    • Browser applications using ITS webgui
    • Logon issues for RFC
    • Logon issues for SNC
    • Logon issues for SSO
    • Logon issues for SAML2
    • Logon issues for LDAP connector
    • Logon issues for http(s)
  • SAP screen personas and other screen scraping tools like robotics process automation tools
  • ACF framework (do not use if possible, see blog)

Best practice is to assemble these test scenarios in your company. This way you know next time which tests to perform when applying a kernel patch or kernel update. Execute the tests on an acceptance or quality system before applying the kernel update to your productive system.

Kernel regression OSS note

SAP OSS note 1802333 – Finding information about regressions in the SAP kernel describes how to find the needed regression note for your SAP kernel. The regression notes describe the unwanted side effects and bugs in the kernels.

Kernel roadmap OSS notes

Roadmap OSS notes:

Business suite EHP8 and S4HANA till 1710: 1969546 – Release Roadmap for Kernel 74x and 75x.

S4HANA 1809, 1909 and 2020: 2907361 – Release Roadmap for Kernel 77x and 78x.

Kernel update information

News updates on the kernel are published on the SAP wiki for kernel.

Suppressing SM02 messages

Suppressing SM02 messages can be needed for specific user IDs.

Questions that will be answered in this blog are:

  • What are good reasons to suppress SM02 messages for certain users?
  • How to suppress SM02 messages for users on ABAP stack for GUI users?
  • How to suppress SM02 messages for users on ITS webgui?

Reasons to suppress SM02 message

There might be good reasons to suppress SM02 messages for certain users:

  • Robotics users that post and read data via scripts using SAP GUI
  • Monitoring tools that monitor via SAP GUI logon
  • Users on scanner devices that use the ITS webgui

Workaround program for suppression on ABAP stack for GUI users

SM02 has no out of the box option to skip or omit certain users from receiving system messages.

A workaround can be to create a Z program. This Z program has as input a single user or a list of users (it will not allow a range):

Run this program immediately after you set up the SM02 message.

The program will simply flag this message as already read. When the user logs on, the system will think it has already sent the SM02 message to the user.

Code:

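*&---------------------------------------------------------------------*
*& Report ZSM02SUPPRESS
*&---------------------------------------------------------------------*
*& Flags the latest SM02 system message as already read for the
*& selected users, so they do not get the popup at logon.
*&---------------------------------------------------------------------*
REPORT zsm02suppress.

DATA: lv_user TYPE sy-uname.
DATA: lv_last_message TYPE temsg-id.
DATA: lv_message_read TYPE temsgu.

* Single users only: NO INTERVALS blocks ranges on the selection screen
SELECT-OPTIONS so_users FOR sy-uname NO INTERVALS.

START-OF-SELECTION.

  " Get the ID of the most recent system message
  SELECT id FROM temsg ORDER BY id DESCENDING INTO @lv_last_message UP TO 1 ROWS.
  ENDSELECT.
  IF sy-subrc EQ 0.
    LOOP AT so_users.
      " Build the 'last message read' record for this user
      lv_message_read-mndt = sy-mandt.
      lv_user = so_users-low.
      lv_message_read-bname = lv_user.
      lv_message_read-langu = sy-langu.
      lv_message_read-bdate = sy-datum.
      lv_message_read-bid = lv_last_message.
      UPDATE temsgu FROM lv_message_read.
      " UPDATE only changes an existing TEMSGU row: report when nothing changed
      IF sy-subrc EQ 0.
        WRITE:/ lv_user.
      ELSE.
        WRITE:/ lv_user, 'no TEMSGU entry updated'.
      ENDIF.
    ENDLOOP.
  ENDIF.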

Suppressing messages for ITS webgui

For the ITS webgui, you can use parameter ~WEBGUI_SHOW_SYSTEM_MODAL to suppress the system messages. More background can be found in this blog and in OSS note 1271339 – SAP GUI for HTML: Suppressing system dialogs in integr. ITS.

SM02 system messages

Transaction SM02 can be used to broadcast important messages to every user, for example in case of emergencies.

Questions that will be answered in this blog are:

  • How to set up a system wide message?
  • How to delete system messages?

Set up system message

Start transaction SM02 to set up a system message:

Press create to set up a new system message:

Text is limited to Twitter style: 3 rows of 60 characters.

Result is that each user gets a popup:

Suppressing messages for certain users

To suppress messages for certain users an ABAP trick is needed. Read more in this blog.

Technical background of SM02

SM02 messages are stored in 3 tables:

  • TEMSI for the message ID
  • TEMSG for the message text
  • TEMSGU to store last message read by user ID and logon.

Program RSM02INIT can be used to delete all SM02 content (see OSS note 1179456 – SM02: Resetting tables for system messages).

Or you can delete one by one in SM02, or simply wait for the retention period.

TCP/IP ports for SAP

In some cases you need detailed information on TCP/IP ports for SAP. This blog will also refer to notes from SAP with regards to network issues.

TCP/IP ports for SAP

All ports for SAP are listed on the SAP help site https://help.sap.com/viewer/ports.

When is this list important?

  • When you have to set up firewall rules
  • When you are doing changes: for example, changing from http to https, installation of web dispatcher, switch towards SNC
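For the change scenarios above, a firewall allow-list can be reviewed against the ports a system needs before and after the change. The following is an added example, not taken from the original blog or from SAP; the port patterns are the conventional defaults derived from the two-digit instance number (actual ICM ports are set per system profile, so verify them against the SAP help list), and the allow-list is constructed sample data.

```python
# Conventional default port patterns per instance number NN (00-99).
# Assumption: the system uses the defaults; check the SAP help list.
PORT_PATTERNS = {
    "dispatcher": "32{nn}",       # SAP GUI
    "gateway": "33{nn}",          # RFC
    "message_server": "36{nn}",
    "dispatcher_snc": "47{nn}",   # SAP GUI secured with SNC
    "gateway_snc": "48{nn}",      # RFC secured with SNC
    "icm_http": "80{nn}",
    "icm_https": "443{nn}",
}


def ports_for(instance_no, services):
    """Return {service: port} for one instance number."""
    if not 0 <= instance_no <= 99:
        raise ValueError("instance number must be 00-99")
    nn = f"{instance_no:02d}"
    return {svc: int(PORT_PATTERNS[svc].format(nn=nn)) for svc in services}


def review_rules(allowed_ports, instance_no, wanted, retired=()):
    """Compare an allow-list with the services wanted after a change.

    Returns (missing, still_open): ports that must be opened for the
    wanted services, and retired services whose port is still allowed.
    """
    need = ports_for(instance_no, wanted)
    old = ports_for(instance_no, retired)
    missing = {s: p for s, p in need.items() if p not in allowed_ports}
    still_open = {s: p for s, p in old.items() if p in allowed_ports}
    return missing, still_open


if __name__ == "__main__":
    # Constructed allow-list for instance 00 before moving to HTTPS and SNC
    allowed = {3200, 3300, 8000}
    missing, still_open = review_rules(
        allowed, 0,
        wanted=("dispatcher_snc", "gateway_snc", "icm_https"),
        retired=("dispatcher", "gateway", "icm_http"),
    )
    print("open these:", missing)
    print("close these:", still_open)
```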

OSS notes

Other relevant TCP/IP related OSS notes:

SAP netweaver gateway FIORI user measurement and usage

SAP FIORI is used more and more. In some cases you need information about how much the FIORI tiles are actually used.

This might be interesting for IT management, but also for license measurement.

SAP background blog can be found here.

Listing users that have used SAP FIORI gateway

Weird but true: SAP does not deliver an out-of-the-box program to list the users that are using SAP FIORI. To get this report, install the Z program delivered in OSS note 2446887 – How to get a list of users that have used SAP Gateway.

FIORI metering

SAP netweaver gateway comes with an onboard set of metering transactions and programs. These are unfortunately not widely known. Background OSS note is 2237375 – SAP Netweaver Gateway Metering FAQ.

Program /IWFND/R_METERING_VIEW can be used to view the metering data for FIORI ODATA calls:

This measures which calls are made, duration of the calls, size of the calls, user that made the call, browser type from which the call came, etc.

Report /IWFND/R_METERING_AGGREGATE is used to aggregate this data. /IWFND/R_METERING_DELETE can be used to delete old data.

User measurement on FIORI

User measurement program USMM calls function module /IWFND/METERING_AUDIT to retrieve information about usage of FIORI in your system.

FIORI App Recommendations

SAP has a tool called FIORI app recommendations to give you a view on potential FIORI apps you might be able to use. The source is the ST03 usage data from your system.

Questions that will be answered in this blog are:

  • How to run the FIORI app recommendation tool?
  • How to feed it with the ST03 data?
  • How to view the results of the FIORI app recommendation tool?

Running the analysis

Go to the Fiori Reference Library. There you will find a button to go to the FIORI app recommendations tool:

Create a new analysis:

In step 2 you need to upload the ST03 usage profile in CSV format. This is described in this SAP help file. So first create the file (in short: go to ST03, select last month, transaction profile standard, download to xls, remove header and save as CSV), then upload it in this step:

Upload the front end and backend profile (in case of S4HANA embedded FIORI these are identical):

Name the analysis in step 4 and press the button to get to the analysis results:

Viewing the results

In step 1 above now select view results:

Background information

More background can be found in OSS note 2696033 – How to Generate SAP Fiori App Recommendations.

System usage: SCMON ABAP call monitor

For several use cases you might need to get a more detailed insight into your SAP system. One of the tools is ST03N (read more about it in this blog), but it focuses on transactions. If you need more details on the calling ABAP coding, the SCMON tool might be a better solution. SCMON is the successor of the UPL tool (Usage and Procedure Logging).

Questions that will be answered in this blog are:

  • How to switch on SCMON tool?
  • How to use the results of the SCMON tool?
  • How can I trace back from a piece of code to where it is actually used in a transaction, RFC call, ODATA call, etc?
  • What is the impact of the SCMON tool on system performance?

Activation of SCMON

The minimum requirements of SCMON are described formally in OSS notes 1828848 – Usage & Procedure Logging and ABAP Call Monitor: Technical prerequisite (UPL/SCMON) and 2679723 – ABAP Call Monitor, but basically it is available on any supported modern ABAP stack.

Start transaction SCMON:

Press the activate button and set the end time settings for the SCMON monitor:

Use of SCMON data

If data is gathered you can already use the results, or you can wait until the data collection time is completed. To display the data start transaction SCMON and hit the Display Data button:

Here you can already see a benefit over ST03N: you can select request type batch jobs, URL, ODATA call, or RFC call next to transaction.

As an example we show the result of transaction VA01:

Now you can see in great detail which ABAP points are called for VA01.

You can also use it the other way around. Suppose we apply an OSS note to class CL_UKM_BUPA_FACTORY and want to determine the impact. If we do a where-used list in SE24 on this class we get 134 new calling points and we don’t even know which ones are used.

If we input CL_UKM_BUPA_FACTORY in the CLASS field and search for it, we get this result:

Now you can see that in our system the transactions VA01, VA02 and BP are using this class. Those need to be tested.

This is the big advantage of SCMON: it only takes used code and the code is related back to the start point which you can relate to, like a transaction, batch job, ODATA call, etc.

Performance of SCMON

If you worry about SCMON performance on your production system, it is about the same load as the old UPL. There is a parameter to fine tune performance described in OSS note 2657522 – New profile parameter and improvements for ABAP call monitor.

The exact impact of SCMON on performance is clearly described in OSS note 3098211 – Memory and performance requirements of the ABAP Call Monitor.

Condensing data with SUSG

With transaction SUSG the SCMON data can be condensed. Read more about it in this blog.

SAP background

Background of SCMON can be found in this SAP blog.

Bug fix OSS notes

Bug fix OSS notes that might be relevant for you: