Although this is a known issue, the SAP web administration interface is still found set to fully public in many cases. This lets an attacker retrieve vital release information.
Check this carefully, also on newer system installations: the setting may still be wrong there.
Questions that will be answered in this blog are:
What is the web administration interface?
Why is it dangerous to have this public?
How to close the gap and make the web administration interface shielded again?
What is the web administration interface?
The web administration interface can be started on your NetWeaver system by using a browser and keying in <host:port>/sap/admin/public/index.html:
Here you can see the status and also the version information:
If you keyed in the URL and got a password prompt like this, the interface is protected:
If you did not get a password prompt, the page is still public.
Why is this public release information dangerous?
This page is present in ABAP and Java stacks and in the web dispatcher. Portals and NetWeaver Gateway systems are often exposed to the outside world for partners, customers and suppliers. If you did not do a good job on security with reverse proxies and the SAP systems themselves, this page is available on the internet. Hackers scan for it, get the release information and know whether you are vulnerable or not.
Dangerous? Yes, very. See the latest very high HotNews security note on ICMAD:
In SOAMANAGER you can test if a web service can be reached by pressing the test connection button. Unfortunately there is no standard SAP program that performs this test in the background. So how to monitor the availability of a web service?
Solution: custom Z program that can be run online or in background.
In this case we have chosen to put the alert into the SM21 system log. You can also replace this part of the code with sending an email.
Preparation
In SE92 (see this blog) create a new message for the system log.
Z program for monitoring web service
Now create a new Z program:
REPORT z_bc_ws_check.

CONSTANTS zmesid TYPE char3 VALUE 'ZZ1'. "system log message ID defined in SE92

DATA: zif_soap_ping TYPE REF TO cl_soap_ws_ping.
DATA: zlv_ok TYPE boolean.

PARAMETERS zservice TYPE seoclsname.            "web service name
PARAMETERS zlp      TYPE prx_logical_port_name. "logical port name

START-OF-SELECTION.

  AUTHORITY-CHECK OBJECT 'S_SRT_CF_C' "check SOAP runtime authorizations
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc EQ 0.
*   create object for soap ping test
    CREATE OBJECT zif_soap_ping TYPE cl_soap_ws_ping.
*   initialize ok flag
    zlv_ok = 'X'.
*   try the ping test
    TRY.
        CALL METHOD zif_soap_ping->if_soap_ws_ping~ping_ws
          EXPORTING
            service = zservice
            lp_name = zlp.
      CATCH cx_soap_ping.
*       any error, clear the ok flag
        zlv_ok = ' '. "not ok
    ENDTRY.

    IF zlv_ok EQ ' '. "not ok
*     write to SM21 system log
      WRITE: / TEXT-004. "ping not ok
      CALL FUNCTION 'RSLG_WRITE_SYSLOG_ENTRY'
        EXPORTING
          sl_message_area  = zmesid(2)
          sl_message_subid = zmesid+2
          data_word1       = zservice ##NO_TEXT.
      IF sy-subrc EQ 0.
        WRITE: / TEXT-001. "success writing to SM21
      ELSE.
        WRITE: / TEXT-002. "failed to write to SM21
      ENDIF.
    ELSE.
      WRITE: / TEXT-003. "ping ok
    ENDIF.
  ELSE.
    WRITE: / TEXT-005. "not authorized
  ENDIF.
Enter the webservice name and logical port. Hit execute.
You can also run the program in background mode. For example every 15 minutes. Create multiple steps for multiple web services to test.
Explanation
The program simply creates an object of type CL_SOAP_WS_PING to perform the web service ping. The ping test is then performed. Depending on the result, either the text "ping ok" is written, or an entry is written to SM21.
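The blog mentions that the SM21 write can be replaced by sending an email. The following is an added example that is not code from the original post: it shows the "not ok" branch using the BCS mail API instead of RSLG_WRITE_SYSLOG_ENTRY. It assumes the zservice and zlp parameters of the Z program above; the recipient address is a placeholder.

```abap
* Added example: e-mail alert for the "not ok" branch of z_bc_ws_check.
* Uses zservice and zlp from the program above; recipient is a placeholder.
DATA: lo_request   TYPE REF TO cl_bcs,
      lo_document  TYPE REF TO cl_document_bcs,
      lo_recipient TYPE REF TO if_recipient_bcs,
      lx_bcs       TYPE REF TO cx_bcs,
      lt_body      TYPE bcsy_text,
      ls_body      TYPE soli,
      lv_subject   TYPE so_obj_des,
      lv_sent      TYPE os_boolean.

CONSTANTS lc_recipient TYPE ad_smtpadr VALUE 'basis-alerts@example.com'. "placeholder

* subject and body name the failing service and logical port
CONCATENATE 'Web service ping failed:' zservice
  INTO lv_subject SEPARATED BY space.
CONCATENATE 'Service' zservice 'on logical port' zlp 'did not answer the ping.'
  INTO ls_body-line SEPARATED BY space.
APPEND ls_body TO lt_body.

TRY.
    lo_request  = cl_bcs=>create_persistent( ).
    lo_document = cl_document_bcs=>create_document( i_type    = 'RAW'
                                                    i_text    = lt_body
                                                    i_subject = lv_subject ).
    lo_request->set_document( lo_document ).
    lo_recipient = cl_cam_address_bcs=>create_internet_address(
                     i_address_string = lc_recipient ).
    lo_request->add_recipient( i_recipient = lo_recipient ).
*   do not wait for the periodic SOST send job: an alert should go out now
    lo_request->set_send_immediately( 'X' ).
    lv_sent = lo_request->send( i_with_error_screen = 'X' ).
    COMMIT WORK.
    IF lv_sent = 'X'.
      WRITE: / 'Alert mail handed over to SAPconnect'.
    ENDIF.
  CATCH cx_bcs INTO lx_bcs.
*   mail could not be created or queued; fall back to the screen output
    WRITE: / 'Could not send alert mail:', lx_bcs->get_text( ).
ENDTRY.
```

SAPconnect (transaction SCOT) must be configured for outbound mail; the sent alert is visible in SOST.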
In the previous blog we have exposed a web service. Now we will show how to consume a web service in ABAP. As example we will consume the web service we exposed in the previous blog. This blog assumes you have configured the basic web service SOAP runtime (if not, read this blog).
Questions that will be answered in the blog are:
How to generate a web service consumption proxy?
How to setup SOAMANAGER for web service consumption?
How to test the web service consumption setup in SE80?
How to use the generated web service consumption proxy in ABAP code?
What are the authorisation and security aspects for web service consumption?
Generating web service consumption proxy
Start in SE80 by exporting the WSDL file from your previously generated web service. Go to the WSDL tab and press export to save the WSDL file locally:
In SE80 in your package select Enterprise Services and right click on it to create a new service:
In the object type screen select Service Consumer:
Now select External WSDL/schema:
Select local file:
Select the local file:
Select the package, transport and use Z as prefix:
Then select Finish to complete the roadmap.
Wait for the system to compile the software:
Save and Activate. Now the design time proxy is ready.
SOAMANAGER settings
In the previous steps we have setup the design time proxy. Now we add the runtime artefacts as well.
Now go to transaction SOAMANAGER:
Select Web Service Configuration, and search for the newly created design time object:
Click on the blue internal name to reach the configuration screen:
On the screen press Create and then manual configuration:
Give the logical port a name and description and tick the Logical Port is Default checkbox. Then continue with the roadmap.
Continue and fill out the user ID and password:
You can look up the access URL from the service defined in the previous blog; check the transport settings tab:
Do not use the WSDL URL address, but the binding URL!
Now fill out the URL details in the next screen.
Now finish the roadmap. And on this screen hit the ping web service test button to check if all is ok:
The design time artefacts can be transported. The SOAMANAGER settings need to be repeated in each system. This is desirable, since on a test system you might want to call a test web service URL, and on production the same web service from the production URL.
Testing the web service consumption setup
Now go back to SE80 and test the web service consumption:
Select the port you created above in SOAMANAGER:
Edit the data:
And press test to get the results:
Using the web service consumption proxy in ABAP code
Now we are ready to use the web service consumption proxy in our ABAP code. ABAP code example:
* Data Declarations
DATA: zcl_proxy TYPE REF TO zco_zbapidemowebservice, " Proxy Class
      zdata_in  TYPE zzbapidemo,                     " Proxy Input
      zdata_out TYPE zzbapidemoresponse,             " Proxy Output
      zfault    TYPE REF TO cx_root.                 " Generic Fault

* Instantiate the proxy class providing the Logical port name
CREATE OBJECT zcl_proxy
  EXPORTING
    logical_port_name = 'ZDEMOWS'.

* Set Fixed Values
zdata_in-zimport = '1'.

TRY.
    zcl_proxy->zbapidemo( EXPORTING input  = zdata_in
                          IMPORTING output = zdata_out ).
    WRITE: / zdata_out-zexport.
  CATCH cx_root INTO zfault.
*   here is the place for error handling
ENDTRY.
Run the ABAP and see the result:
How to get the right parameters? All the required structures can be found on the SE80 ABAP web service consumption proxy internal view:
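The code above leaves the CATCH branch empty. As an added example that is not code from the original post, here is the same call with the two exception classes of the ABAP proxy framework handled separately, so that a runtime problem and a fault returned by the provider can be told apart; it assumes the generated proxy class zco_zbapidemowebservice and the logical port ZDEMOWS from the text.

```abap
* Added example: proxy call with separate handling of system and
* application faults. Assumes zco_zbapidemowebservice and port ZDEMOWS.
DATA: zcl_proxy TYPE REF TO zco_zbapidemowebservice,
      zdata_in  TYPE zzbapidemo,
      zdata_out TYPE zzbapidemoresponse,
      lx_system TYPE REF TO cx_ai_system_fault,
      lx_appl   TYPE REF TO cx_ai_application_fault.

TRY.
*   the constructor already fails when the logical port does not exist
*   or is not active, so it belongs inside the TRY block as well
    CREATE OBJECT zcl_proxy
      EXPORTING
        logical_port_name = 'ZDEMOWS'.

    zdata_in-zimport = '1'.
    zcl_proxy->zbapidemo( EXPORTING input  = zdata_in
                          IMPORTING output = zdata_out ).
    WRITE: / zdata_out-zexport.

  CATCH cx_ai_system_fault INTO lx_system.
*   runtime or transport problem: endpoint unreachable, credentials of
*   the logical port rejected, SOAP runtime not set up. CODE and
*   ERRORTEXT give the short cause; the full message is in SRT_ELOG.
    WRITE: / 'System fault:', lx_system->code, lx_system->errortext.

  CATCH cx_ai_application_fault INTO lx_appl.
*   SOAP fault raised by the provider's business logic; the call itself
*   reached the provider, so this is a data problem, not a setup problem
    WRITE: / 'Application fault:', lx_appl->get_text( ).
ENDTRY.
```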
Authorizations
The end users using the ABAP that is consuming the web service must be given the rights for the correct S_SERVICE object. Otherwise they will get an error that they are not authorized to call the proxy service object.
Monitoring the availability of the web service
Above it was explained that you can test the connection. Unfortunately there is no out-of-the-box way to test this connection in a batch job on a frequent basis. If you want to test frequently and be alerted on issues with the connection to the web service, you can read this blog to deploy a simple custom program that executes this function and can be scheduled in the background.
Background notes and blogs
More information and details can be found in these two SAP wikis: wiki1 and wiki2.
Use transaction SRT_ELOG to go to the web service error log.
Setting retention period of webservice message deletion
Web service messages are deleted automatically in the SAP system. The default retention is one week. You might need to keep the messages longer. The setting that controls this retention period is quite hidden. To change it, start transaction SXMB_ADM and select the option Schedule Delete Jobs:
Then you change the retention settings as per need:
Web service tracing
Web service tracing can be activated in transaction SRT_UTIL.
This blog will explain how to activate the SOAP runtime inside the ABAP stack. This is a mandatory step before you can set up web services in transaction SOAMANAGER.
Questions that will be answered are:
What steps are required for the setup?
How can I check if the setup is done properly?
What are potential issue solving actions?
What other tools are available?
Setting up the SOAP runtime
Setting up the SOAP runtime is extensively explained in OSS note 1043195 – Configuration of Web service runtime. The basic steps below have to be repeated twice: first you execute the actions in client 000, then in the main data client again.
Start transaction SRT_TOOLS for reaching the main tool set:
In the Technical Configuration section select the tool for Technical Web Service Configuration. This will bring you to the main activation program:
During setup things might go wrong. If you run without SAP_ALL, check in the notes that you have sufficient authorization. During the process background users (SAP_WSRT and DELAY_LOGON) and an RFC destination (BGRFC_SUPERVISOR) are created. If you lack authorization for that, you will run into issues.
Use transaction code SU01D to see if the users are created properly with the correct roles.
Use transaction code SBGRFCCONF and check the last tab that the supervisor destination is assigned. In systems with CUA there might be an issue with creating the supervisor destination. In this case follow the steps of OSS note 2775490 – Error in customizing while creating supervisor destination.
Issue solving program (run in SE38): WSS_SETUP.
Issue solving transaction: WSIDPADMIN.
Issue solving after setup
If you have issues after setup, run the above check tool via SRT_TOOLS, or directly via transaction SRT_ADMIN_CHECK.
Common root causes: changes in authorization, overzealous user admin deleted SAP_WSRT or DELAY_LOGON user, or somebody deleted the supervisor RFC destination, etc.
The SRT_TOOLS transaction also lets you jump to other useful tools such as the WS message monitor and the web services utilities tool.
Webservice issues after system copy and other system changes
After a system copy you might be confronted with data inconsistencies. Upon start of SOAMANAGER you might get this screen:
Follow the instructions from OSS note 2353589 – Consistency Check for Soamanager. It might mean you need to run program SRT_WSP_INITIALIZE_WS_CFG to re-initialize the complete setup and reconfigure all the web services again.
Start transaction SRT_UTIL to go to the Web Service Utilities screen. From the menu now select the option Tools, Global Configuration. Here you can set the retention times (in days) to keep the SOAP messages:
Some web services use IDocs. To use this feature, Basis first needs to enable the option by registering the service. This registration is performed via transaction SRTIDOC.