How to check SE16N usage?

SE16, SE16N and SE16H are frequently used transactions. They can be used in a positive way to quickly fetch data. They can also be a security risk, since they might lead to unwanted data display.

Questions that will be answered in this blog are:

  • Which users used SE16N?
  • How much data do the users pull using SE16N?
  • Which tables did the users read using SE16N?
  • How to check which changes were performed using SE16N?

Which users are using SE16?

Start transaction ST03 or ST03N, and create detailed settings for recording of SE16N:

Save the values and let the system collect the data.

Now in ST03 in the tree below Transaction Profile, the Details for SE16N are shown. Double clicking on the EXEC function will give details on the execution step:

The DB data is normally shown more to the right.

This will give you information on who used SE16N, and how much data transfer was happening.

Which tables were read using SE16N?

If you want to know which table was read during SE16N, you must first activate activity DU9 (generic table access) in the SAP audit log. Go to transaction RSAU_CONFIG and make sure this activity is on:

Now you can display the audit log with transaction RSAU_READ_LOG or RSAU_READ_LOG_ADM (this is the version without user ID and terminal):

Select DU9 only to make the report faster.

You can now see the tables accessed via SE16N:

In many analysis cases it is sufficient to see which tables are read, and how frequently.

Use RSAU_READ_LOG to see also user and terminal information.

The audit log is a powerful tool. Be aware of privacy related rules in your company.

SE16N performance

Notes on SE16N performance:

Changes done with SE16N

On ECC or S4HANA systems, changes made with SE16N are recorded in tables SE16N_CD_DATA and SE16N_CD_KEY. You can display the changes done using report RKSE16N_CD_DISPLAY:

OSS notes for RKSE16N_CD_DISPLAY:

How to check RFC usage in your ABAP system?

Security teams might ask you as basis administrator: which RFC calls are being made to and from your ABAP system? You then need to know which users and applications are calling via RFC.

Questions that will be answered in this blog are:

  • Which users and systems are calling my ABAP system using RFC?
  • Which programs and processes are using RFC?
  • How much data is transferred using RFC?

If you need to check HTTP usage in your ABAP system: read this blog.

RFC statistics in ST03

Go to transaction ST03N or ST03, and open the total for this month. Then open the analysis view for RFC statistics. First check the WEB Client Statistics:

This already gives a lot of information: function modules and amount of data. On the tabs for Transaction, User and Remote destinations, Remote servers and Local servers you can get even more details you need for RFC transaction source.

On all 6 tabs on all 4 reports you can double click to get more details:

Tab Page | Meaning
Function Module, Transaction, User | What workload is caused by the function modules, transactions, or users (depending on the selected RFC profile, as the RFC client or the RFC server)?
Remote Destination, Remote Server, Local Server | Where is the RFC workload created?

Reference OSS notes

OSS notes:

How to check HTTP usage in your ABAP system?

Security teams might ask you as basis administrator: which HTTP calls are being made to and from your ABAP system? Or you might be requested to switch off HTTP (allowing only HTTPs), and you need to know which users and applications are still calling on HTTP.

Questions that will be answered in this blog are:

  • Which users and systems are calling my ABAP system on HTTP?
  • Which systems does my ABAP system call using HTTP?
  • Which programs and processes are using HTTP?

If you need to check RFC usage in your system: read this blog.

Web statistics in ST03

Go to transaction ST03N or ST03, and open the total for this month. Then open the analysis view for web statistics. First check the WEB Client Statistics:

This already gives a lot of information: host and port information, and the number of calls. On the tabs for Transaction, User and URL you can get the further details you need on transaction source, user and URLs on HTTP.

On all 4 tabs on all 4 reports you can double click to get more details. After the double-click both HTTPs and HTTP are shown. Be sure to filter on HTTP:

Statistics | Description
WEB Client Statistics | Workload due to requests for which the system acts as a Web client
WEB Client Dest. Statistics | Workload due to requests for which the system acts as a Web client, broken down by different client destinations
WEB Server Statistics | Workload due to requests for which the system acts as a Web server
WEB Server Dest. Statistics | Workload due to requests for which the system acts as a Web server, broken down by different server destinations

Common cases

Common cases you might want to check for HTTP use:

End users using HTTP

Most of the calls will work on HTTPs as well as HTTP. The most common problem is that end users have bookmarked the HTTP version in their browser. They will need to be informed of the HTTPs version (with a different port number). If you switch off HTTP while a lot of people are still using it, you will get a lot of tickets and complaints. Use the web client statistics as explained above to see which entry URLs they are using. Then mail them the new HTTPs entry URLs with the appropriate port and ask them to switch. Repeat this a few times until the number of stubborn users is low enough to disable HTTP.

Disabling HTTP check

In transaction SMICM go to the Services icon and then check there is nothing running with an HTTP port.

If you are using SAP Focused Run, read this blog to set up a Security and Configuration validation rule to execute a landscape wide scan on use of HTTP port.

Sending hyperlink in email with ABAP code

This blog will explain the ABAP code you can use to send an email from SAP system which is in HTML format including hyperlink.

Questions that will be answered in this blog are:

  • Which basis settings do I need to make for HTML mail format sending?
  • What code snippets can I re-use to send a hyperlink in an email from my custom ABAP program?

Basis settings for HTML mail

In order to be able to send a mail with a hyperlink, the mail must have HTML format.

First check this table entry exists in table SXCONVERT2:

If not, create it.

Now go to transaction SCOT and set the output format of RAW to HTM:

Save the settings.

ABAP code to mail hyperlink

The ABAP code to mail is as follows:

*&---------------------------------------------------------------------*
*& Report zemail_cl_bcs
*&---------------------------------------------------------------------*
*&
*&---------------------------------------------------------------------*
  REPORT  zemail_cl_bcs.

  CONSTANTS:
    gc_subject TYPE so_obj_des VALUE 'ABAP Email with CL_BCS',
    gc_raw     TYPE char03 VALUE 'HTM'.

  DATA:
    gv_mlrec         TYPE so_obj_nam,
    gv_sent_to_all   TYPE os_boolean,
    gv_email         TYPE adr6-smtp_addr,
    gv_subject       TYPE so_obj_des,
    gv_text          TYPE bcsy_text,
    zls_text         TYPE soli,
    xhtml_string     TYPE xstring,
    gr_send_request  TYPE REF TO cl_bcs,
    gr_bcs_exception TYPE REF TO cx_bcs,
    gr_recipient     TYPE REF TO if_recipient_bcs,
    gr_sender        TYPE REF TO cl_sapuser_bcs,
    t_hex            TYPE solix_tab,
    gr_document      TYPE REF TO cl_document_bcs.

  DATA: zlv_longstring_message TYPE string.
  DATA: zlt_et_soli TYPE soli_tab.
  DATA: zls_et_soli TYPE soli.

  TRY.
      "Create send request
      gr_send_request = cl_bcs=>create_persistent( ).

      "Email FROM...
      gr_sender = cl_sapuser_bcs=>create( sy-uname ).
      "Add sender to send request
      CALL METHOD gr_send_request->set_sender
        EXPORTING
          i_sender = gr_sender.

      "Email TO...
      gv_email = 'guru@saptechnicalguru.com'.
      gr_recipient = cl_cam_address_bcs=>create_internet_address( gv_email ).
      "Add recipient to send request
      CALL METHOD gr_send_request->add_recipient
        EXPORTING
          i_recipient = gr_recipient
          i_express   = 'X'.

      CONCATENATE '<html><strong>Decision needed</strong><br/><br/>'
      '<tr><th style="color:blue;">Approval item</th>'
      '<a href=https://server:port/sap/bc/ui2/flp#WorkflowTask-displayInbox?allItems'
      '=true&/detail/XXX999_PGW/000000226597/TaskCollection(SAP__Origin=&#39;XXX999_PGW&#39;,InstanceID=&#39;000000226597&#39;)> click here to decide 000000226597</a>'

                   INTO zlv_longstring_message.

      CONCATENATE zlv_longstring_message '</html>' INTO zlv_longstring_message.

      CALL FUNCTION 'SCMS_STRING_TO_XSTRING'
        EXPORTING
          text   = zlv_longstring_message
        IMPORTING
          buffer = xhtml_string
        EXCEPTIONS
          failed = 1
          OTHERS = 2.

      CALL FUNCTION 'SCMS_XSTRING_TO_BINARY'
        EXPORTING
          buffer     = xhtml_string
        TABLES
          binary_tab = t_hex.

      gr_document = cl_document_bcs=>create_document(
                      i_type    = gc_raw
                      i_hex    = t_hex
                      i_length  = '1200'
                      i_subject = gc_subject ).
      "Add document to send request
      CALL METHOD gr_send_request->set_document( gr_document ).

* set send immediately flag
      gr_send_request->set_send_immediately( 'X' ).
      "Send email
      CALL METHOD gr_send_request->send(
        EXPORTING
          i_with_error_screen = 'X'
        RECEIVING
          result              = gv_sent_to_all ).
      IF gv_sent_to_all = 'X'.
        WRITE 'Email sent!'.
      ENDIF.

      "Commit to send email
      COMMIT WORK.

      "Exception handling
    CATCH cx_bcs INTO gr_bcs_exception.
      WRITE:
        'Error!',
        'Error type:',
        gr_bcs_exception->error_type.
  ENDTRY.

The end result is as follows in the mail:

The hyperlink in the mail jumps to the URL, which in this case is the URL link to this specific workflow item in the FIORI inbox.

The coding explained

We use the CL_BCS class from SAP. BCS stands for Business Communication Service. This class provides all modern options to send mail. We set the sender and receiver.

We now build the mail in HTML. All is stored in zlv_longstring_message. We start with the <html> tag, and a header text in bold (strong). Then we add the text with the hyperlink (a href) in blue color.

The hyperlink to the FIORI inbox contains ' characters. These do not convert well in all subsequent steps, so we replace each ' with the text &#39;. This &#39; text is the HTML character code for an apostrophe ('). This way no browser misinterprets it.

At the end, we add the closing tag </html>. Now the HTML build up is ready and can be used to send.

The HTML is converted via function modules SCMS_STRING_TO_XSTRING and SCMS_XSTRING_TO_BINARY to a binary. This binary is set as the document with type HTM in the mail. The mail is then sent with the immediate flag.

OS commands

In some cases OS commands might be needed to perform maintenance work. They can also be misused by hackers.

Questions that will be answered in this blog are:

  • How to fire OS commands via SM49 or SM69?
  • How to fire OS command via program RSBDCOS0?

OS commands via SM49 and SM69

OS commands can be defined and executed using transaction SM49 or SM69:

You can use the SAP standard commands and define your own Z commands.

Issues with external commands? Read OSS note 1328083 – An external command behaves differently than expected.

OS command via ABAP program RSBDCOS0

There is also an ABAP program to fire external commands: RSBDCOS0. OSS note for this program: 2443193 – Report RSBDCOS0 – Execute OS command from SAP GUI.

Start the program and enter the command (in this case ls command):

Output is shown:

The action is registered in the SM21 system log:

See also OSS note 117657 – Reports RSBDCOS0, RSNNUXCD are deleted or changed.

SAP Activate methodology for S4HANA implementations

In the past there was the RunSAP implementation methodology. This has now been succeeded by the SAP Activate methodology. The most important one is the S4HANA implementation.

You can go to the methodology using this link.

The roadmap now opens:

The methodology is split into several phases:

  • Discover
  • Prepare
  • Explore
  • Realize
  • Deploy
  • Run

The method focuses more on using out-of-the-box SAP software and on an Agile/Scrum way of implementing S4HANA.

On the tab content you can find useful content per phase:

And accelerators per phase:

Keep in mind that the method focuses on green field implementation. Nevertheless you can still use the content and accelerators in your own projects.

PDF converter in SAP ABAP kernel

The newer SAP ABAP kernels and systems (781 kernel and 755 system) support a PDF converter in the SAP ABAP kernel.

Using the kernel speeds up PDF generation for ABAP list, SAP Script and SmartForms.

Background

The background of the SAP ABAP kernel PDF converter is explained in OSS note 2991197 – Using the kernel PDF converter in ABAP.

Switching on PDF generation via SAP kernel

To switch on, start program RSTXPDF3KRN and choose to change the parameter PDF_KERNEL:

Confirm to turn on:

Fonts

Fonts and fonts mapping can still be maintained via program RSTXPDF2UC:

SAP for me

SAP for me is an alternative to the SAP support marketplace.

Questions that will be answered in this blog are:

  • What functions does SAP for me offer?

Start of SAP for Me

You can easily start SAP for Me with the URL me.sap.com.

SAP for Me versus support.sap.com

SAP for Me provides some extra functions that are not offered yet by support.sap.com. The general overview of functions is listed in the chapters below.

Highlights:

  • Calendar function
  • Financial invoices and licenses
  • Statistics on open SAP messages

Calendar function

In the calendar function you can quickly see which upcoming maintenance activities there are for your cloud products, planned expert sessions, software release dates, and security patch days:

Portfolio and products overview

In the portfolio and products overview you can see the products (both on premise and cloud) that you are licensed for. You need authorizations to view this page. Authorizations are taken from the rights of your S user.

Finance and legal

In the finance and legal overview you can see the products (both on premise and cloud) that you are licensed for, the invoices and for cloud the current usage. You need authorizations to view this page. Authorizations are taken from the rights of your S user.

Services and support

The services and support overview page is a different view on your tickets open at SAP. It provides quick insight into which tickets are with SAP, and which ones are at customer action (which do require your attention):

Systems and provisioning

Systems and provisioning provides an overview of both on premise and cloud systems:

Users and contacts

The users and contacts page gives an overview of your important contacts.

Information disclosure of SAP Web Administration Interface

Despite the fact that this is a known issue, in many cases the SAP web administration interface is still set to fully public. This way an attacker can still retrieve vital release information.

You should check this carefully, also for newer system installations, where the setting might still not be ok.

Questions that will be answered in this blog are:

  • What is the web administration interface?
  • Why is it dangerous to have this public?
  • How to close the gap and make the web administration interface shielded again?

What is the web administration interface?

The web administration interface can be started on your netweaver system by using a browser and keying in <host:port>/sap/admin/public/index.html:

Here you can see the status and also the version information:

If you keyed in the URL and you got a password prompt like this, the page is protected:

If you did not get it, that means this page is still public.

Why is this public release information dangerous?

This page is present in ABAP stacks, JAVA stacks and the webdispatcher. Portals and Netweaver gateway systems are often exposed to the external world for partners, customers and suppliers. If you did not do a good job on security with reverse proxies and the SAP systems themselves, this page is available on the internet. Hackers scan for it, get the release information and know if you are vulnerable or not.

Dangerous? Yes, very. See the last very high Hotnews security note on ICMAD:

How to solve the issue?

The solution is described in OSS note 2260323 – Internet Communication Manager (ICM) 7.20 security settings and more specifically in OSS note 2258786 – Potential information disclosure relating to SAP Web Administration Interface.

The solution is to set the sub parameter ALLOWPUB (it is a sub parameter of icm/HTTP/admin) to NO. See screen shot on how to see the sub parameters:

Checking if it is done properly is simple: start the page again and see that it is disabled:
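
The ALLOWPUB setting above and the HTTP port check from the "Disabling HTTP check" section can both be reviewed offline from a copy of the instance profile. The script below is an added example, not code from the original blog or from SAP. The sample profile is constructed, and the icm/server_port_<n> parameter with its PROT and PORT sub parameters is standard ICM profile syntax that is not named on this page. It accepts only the value NO from this page and reports anything else for review.

```python
import re

# Constructed sample instance profile (not taken from the original page).
SAMPLE_PROFILE = """\
# constructed example profile
SAPSYSTEMNAME = XXX
icm/server_port_0 = PROT=HTTP,PORT=8000,TIMEOUT=60
icm/server_port_1 = PROT=HTTPS,PORT=44300,TIMEOUT=60
icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=$(DIR_DATA)/icmandir
"""


def parse_profile(text):
    """Return {parameter: {SUBPARAM: value}} for 'name = K=V,K=V' lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # skip blanks, comments and lines without a value
        name, value = (part.strip() for part in line.split("=", 1))
        subs = {}
        for item in value.split(","):
            key, sep, val = item.partition("=")
            if sep:  # only K=V items are sub parameters
                subs[key.strip().upper()] = val.strip()
        params[name] = subs
    return params


def audit_profile(text):
    """Return a sorted list of (parameter, finding) tuples to review."""
    findings = []
    for name, subs in parse_profile(text).items():
        if re.fullmatch(r"icm/server_port_\d+", name):
            # Services still defined with plain HTTP.
            if subs.get("PROT", "").upper() == "HTTP":
                port = subs.get("PORT", "?")
                findings.append((name, f"plain HTTP service on port {port}"))
        elif re.fullmatch(r"icm/HTTP/admin_\d+", name):
            # The page's fix is ALLOWPUB=NO; anything else needs a look.
            allowpub = subs.get("ALLOWPUB")
            if allowpub is None:
                findings.append((name, "ALLOWPUB not set explicitly"))
            elif allowpub.upper() != "NO":
                findings.append((name, f"ALLOWPUB={allowpub}, expected NO"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit_profile(SAMPLE_PROFILE):
        print(f"{name}: {finding}")
```

A profile file shows only the configured values; the services actually running are still confirmed in SMICM and by opening the admin page as described above.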

SAP support log assistant

Many SAP applications generate logs with errors. These can be hard to analyze.

SAP now offers an online tool to quickly scan a log for known issues and provide potential OSS notes with hints and solutions.

Questions that will be answered in this blog are:

  • What is the SAP support log assistant?
  • How to use the SAP support log assistant?

How to run and use the SAP support log assistant

To start the SAP support log assistant, use this URL.

Use the button to upload your log file. In this case a SAP cloud connector log file with errors:

After the upload, press the button Scan files to start the scan. The results:

The third screen is the summary:

Here you can download your results, submit to SAP or provide SAP with feedback.

Background of the SAP support log assistant

SAP note 2990062 – What is the Support Log Assistant and how can I use it to find known issues and solutions? describes the full background.

Wiki page: link.

File types that can be analyzed: link.

Explanation blog: link.