Channel: SCN : All Content - Security

How can we hide the URL with Webdispatcher after SSO redirect

Hi,

We have set up SSO with Kerberos and SPNEGO for NWBC and now we want to expose it to the internet via SAP Webdispatcher.

NWBC is on a single-stack ABAP system on server1, and we have configured a standalone J2EE system on server2 for issuing the SAP logon ticket.

This works fine with the redirect from ICF: NWBC -> Error Pages -> Logon Error -> Redirect to URL (Form Fields) http://server2:port/redirect/redirect.jsp

On server2 we have a Java application (redirect/redirect.jsp) which has <% response.sendRedirect("http://server1:port/nwbc"); %>

The problem is that when the Webdispatcher calls http://server1:port/nwbc, the URL in the browser is hidden as MYDOMAIN.COM/nwbc, but when the logon error (no SAP logon ticket yet) redirects to http://server2:port/redirect/redirect.jsp, the browser shows the actual URL http://server2:port/redirect/redirect.jsp, and also when returning to NWBC the browser shows http://server1:port/nwbc.

And we don't want to expose the hostnames (server1 and server2) to the internet.

Does anyone know how to solve this?


Active Table Logging T000 performance impact

Hi fellow SAP experts,

I need some advice on the system performance impact when switching on Table Logging for T000 - configuration in production, please.

We have decided to turn on Table Logging for auditing purposes, only allowing developer config in production following a volume of evidence being supplied.

I need to know how much this activation is going to impact the performance of the company's production environments, how much storage, memory, performance, etc. this function is going to consume, and how much of the above consumables I need to cater for now and in the future.

We have a Dual Track environment; BAU want to switch on Table Logging for fix on fail, I want to switch it on for Project deliveries.

Please advise, with references if possible.

Thank you kindly,

Paul

Custom Security report for audit

Hi Gurus,

I am trying to develop a security report with the fields below, and I am using these tables to develop this SQ01 query/t-code: AGR_USERS, USER_ADDR, ADR6.

But I am not able to build a relationship between the user ID of table USER_ADDR and ADR6. Can anyone please help me with how I should proceed?

User id
Last name
First name
Email id
Security role
Validity from
Validity to

Regards,

Salman

Users set to incorrect logon locks automatically in BW/BOBJ

Hi Gurus,

I am trying to find the root cause of why the users in BW/BOBJ production were suddenly not able to use their password; when I checked, incorrect logon locks were set for almost 100 users.

These are users who use BOBJ/BW daily. We use a third-party self-service tool to reset passwords.

Has anyone faced this issue before? I have checked our login password parameters, which are correct in all SAP systems.

Regards,

Salman

How to encrypt documents in ABAP

Hello, I hope someone can help me out (or at least give me a hint) with this problem.

I have a requirement to encrypt files to send them to an external application. This is the schema of my problem:

1- The envelope/encryption of the file consists of a symmetric algorithm, using a generated key.

2- This generated key is encrypted with the public key (asymmetric algorithm) of this external application (I have the respective certificate to do this).

3- All this information is sent respecting the PKCS#7 format. This means that I can use any algorithm for the encryption that is supported by this format, like AES-256-CBC, AES-128-CBC, etc.

Also, I was supplied with sample code for this process. It is written in Java, using Bouncy Castle:

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import org.bouncycastle.cms.CMSEnvelopedData;
import org.bouncycastle.cms.CMSEnvelopedDataGenerator;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;

// Requires the Bouncy Castle provider to be registered under the name "BC"
// (Security.addProvider(new BouncyCastleProvider())) before this is called.
public byte[] envelop(InputStream inputFile, InputStream certif)
        throws IOException, CertificateException, NoSuchAlgorithmException, NoSuchProviderException, CMSException {
    // read the file to be encrypted completely: available() is only a hint and a
    // single read() may return fewer bytes than requested
    ByteArrayOutputStream buffer = new ByteArrayOutputStream();
    byte[] chunk = new byte[8192];
    int n;
    while ((n = inputFile.read(chunk)) != -1) {
        buffer.write(chunk, 0, n);
    }
    inputFile.close();
    byte[] contentbytes = buffer.toByteArray();
    // load the recipient's (IB's) certificate
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509Certificate cert = (X509Certificate) cf.generateCertificate(certif);
    certif.close();
    // envelop the file with AES-256-CBC; the key size has to match the algorithm
    // identifier (the original sample passed 128 bits together with AES256_CBC)
    String algorithm = CMSEnvelopedDataGenerator.AES256_CBC;
    int keysize = 256; // bits
    CMSEnvelopedDataGenerator fact = new CMSEnvelopedDataGenerator();
    // add the recipient certificate: the random content key is transported
    // encrypted under its RSA public key (KeyTransRecipientInfo)
    fact.addKeyTransRecipient(cert);
    CMSProcessableByteArray content = new CMSProcessableByteArray(contentbytes);
    // encrypt: generate() creates the random symmetric content key itself
    CMSEnvelopedData envdata = fact.generate(content, algorithm, keysize, "BC");
    // return the DER-encoded PKCS#7/CMS EnvelopedData
    return envdata.getEncoded();
}

I found some information about CMSEnvelopedDataGenerator.generate(), and indeed it generates a random key.

Also, I found this link where it explains how to do this with OpenSSL (search "CMS (RSA + AES)").

Is it possible to achieve this with ABAP?

I have tried the FM SSF_KRN_ENVELOPE, but it seems not to solve my problem.

Thank you in advance.

Regards.

--

German Guzelj
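The three steps of the scheme in this post (random content key, AES-CBC over the file, RSA key transport to the recipient's certificate, which is what CMS EnvelopedData carries for one KeyTransRecipientInfo) written out in Go as an added example; this is not the poster's code, nor SAP's or Bouncy Castle's. It keeps the CMS building blocks but omits the ASN.1 framing, generates a throwaway RSA key pair in place of the external application's certificate, and uses constructed sample text as the document; the 16-byte key path reproduces the sample's AES256_CBC-with-keysize-128 mismatch so the recipient side shows how it fails.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// Envelope holds what CMS EnvelopedData carries for one KeyTransRecipientInfo: the
// content-encryption key (CEK) wrapped with the recipient's RSA key (rsaEncryption,
// i.e. PKCS#1 v1.5), the AES-CBC IV and the encrypted content. ASN.1 framing omitted.
type Envelope struct {
	WrappedCEK, IV, Ciphertext []byte
}

const aes256KeyLen = 32 // aes256-CBC names a 256-bit CEK

// Envelop is the sender side with a CEK of keyLen bytes. Only 32 is consistent
// with aes256-CBC; 16 reproduces the mismatch in the posted sample (AES256_CBC
// with keysize 128) so that Open can show how the recipient side fails.
func Envelop(content []byte, recipient *rsa.PublicKey, keyLen int) (*Envelope, error) {
	buf := make([]byte, keyLen+aes.BlockSize) // fresh CEK followed by a fresh IV
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	cek, iv := buf[:keyLen], buf[keyLen:]
	block, err := aes.NewCipher(cek) // rejects key lengths other than 16, 24, 32
	if err != nil {
		return nil, err
	}
	p := aes.BlockSize - len(content)%aes.BlockSize // PKCS#7: p bytes of value p
	padded := append(append([]byte{}, content...), bytes.Repeat([]byte{byte(p)}, p)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, recipient, cek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedCEK: wrapped, IV: iv, Ciphertext: ct}, nil
}

// Open is the recipient side and expects a 32-byte CEK. The session-key form of
// PKCS#1 v1.5 decryption leaves a random key in place if the unwrapped value has
// another length, so a mismatch surfaces as bad padding or garbage, not as an RSA error.
func Open(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	cek := make([]byte, aes256KeyLen)
	if _, err := rand.Read(cek); err != nil {
		return nil, err
	}
	if err := rsa.DecryptPKCS1v15SessionKey(rand.Reader, priv, env.WrappedCEK, cek); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(cek) // cannot fail: cek is always 32 bytes here
	n := len(env.Ciphertext)
	if n == 0 || n%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a whole number of AES blocks", n)
	}
	pt := make([]byte, n)
	cipher.NewCBCDecrypter(block, env.IV).CryptBlocks(pt, env.Ciphertext)
	p := int(pt[n-1]) // strip and verify the PKCS#7 padding
	if p == 0 || p > aes.BlockSize || !bytes.Equal(pt[n-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, fmt.Errorf("bad PKCS#7 padding")
	}
	return pt[:n-p], nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the recipient certificate's key pair
	env, _ := Envelop([]byte("constructed sample document"), &priv.PublicKey, aes256KeyLen)
	fmt.Println(Open(env, priv))
}
```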

After SAProuter Cert Renewal

Hello All,

I have renewed the saprouter cert and everything seems to work, but I cannot pass RFC SAPOSS.

And this is the error in dev_rout. I just need to use Tcode SNOTE.

Wed Jul 16 15:51:52 2014
*** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]
      GSS-API(maj): No credentials were supplied
      GSS-API(min): No credentials found for this name (not logged on) (USER=SYSTEM)
    Could't acquire INITIATING credentials for
    name="p:CN=macdermid-asia, OU=0000195593, OU=SAProuter, O=SAP, C=DE"
<<- SncSessionInitiatorAK()==SNCERR_GSSAPI
  'target_acl_key' (addr=000000000CB9C9F4, len=86) full hexdump
  0x00000  00030401 00080606 2b240301 25010000  ........ +$..%...
  0x00010  00443042 310b3009 06035504 06130244  .D0B1.0. ..U....D
  0x00020  45310c30 0a060355 040a1303 53415031  E1.0...U ....SAP1
  0x00030  12301006 0355040b 13095341 50726f75  .0...U.. ..SAProu
  0x00040  74657231 11300f06 03550403 13087361  ter1.0.. .U....sa
  0x00050  70736572 7632                        pserv2
*** ERROR => NiSncIInitHdlSecurity: SncSessionInitiatorAK failed (sncrc=-4;0000000002552770) [nisnc.c      1185]
*** ERROR => NiSncHandleForAddr C12/-1, 194.39.131.34 (rc=-17) [nirout.cpp   3275]
*** ERROR => NiRClientHandle: NiRExRouteCon for C12/-1 'ASSAPECCSDX' failed (rc=-17) [nirout.cpp   2653]

Wed Jul 16 15:52:50 2014
*** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]
      GSS-API(maj): No credentials were supplied
      GSS-API(min): No credentials found for this name (not logged on) (USER=SYSTEM)
    Could't acquire INITIATING credentials for
    name="p:CN=macdermid-asia, OU=0000195593, OU=SAProuter, O=SAP, C=DE"
<<- SncSessionInitiatorAK()==SNCERR_GSSAPI
  'target_acl_key' (addr=000000000CB9C9F4, len=86) full hexdump
  0x00000  00030401 00080606 2b240301 25010000  ........ +$..%...
  0x00010  00443042 310b3009 06035504 06130244  .D0B1.0. ..U....D
  0x00020  45310c30 0a060355 040a1303 53415031  E1.0...U ....SAP1
  0x00030  12301006 0355040b 13095341 50726f75  .0...U.. ..SAProu
  0x00040  74657231 11300f06 03550403 13087361  ter1.0.. .U....sa
  0x00050  70736572 7632                        pserv2
*** ERROR => NiSncIInitHdlSecurity: SncSessionInitiatorAK failed (sncrc=-4;0000000002552770) [nisnc.c      1185]
*** ERROR => NiSncHandleForAddr C13/-1, 194.39.131.34 (rc=-17) [nirout.cpp   3275]
*** ERROR => NiRClientHandle: NiRExRouteCon for C13/-1 'ASSAPECCSDX' failed (rc=-17) [nirout.cpp   2653]
It seems to work in the saprouter checks:

C:\Users\Administrator>cd..

C:\Users>cd..

C:\>cd saprouter

C:\saprouter>sapgenpse get_my_name -v -n validity
Opening PSE "C:\saprouter\local.pse"...
PSE (v2) open ok.
Retrieving my certificate... ok.
Getting requested information... ok.
SSO for USER "Administrator"
  with PSE file "C:\saprouter\local.pse"

Validity  -  NotBefore:   Tue Jul 15 11:29:42 2014 (140715032942Z)
              NotAfter:   Fri Jan 01 08:00:01 2038 (380101000001Z)

C:\saprouter>sapgenpse get_my_name -v -n Issuer
Opening PSE "C:\saprouter\local.pse"...
PSE (v2) open ok.
Retrieving my certificate... ok.
Getting requested information... ok.
SSO for USER "Administrator"
  with PSE file "C:\saprouter\local.pse"

Issuer  : CN=macdermid-asia, OU=0000195593, OU=SAProuter, O=SAP, C=DE

C:\saprouter>sapgenpse seclogin -p local.pse -O svc-administrator
running seclogin with USER="Administrator"
ERROR in lookup_sid_by_username: (10/0x000a) LastError=1332: No mapping between
account names and security IDs was done.

C:\saprouter>sapgenpse seclogin -p local.pse -O svc-saprouter
running seclogin with USER="Administrator"
ERROR in lookup_sid_by_username: (10/0x000a) LastError=1332: No mapping between
account names and security IDs was done.

C:\saprouter>sapgenpse seclogin -p local.pse -O administrator
running seclogin with USER="Administrator"
creating credentials for user "MACDERMID-ASIA\Administrator" (yourself)...
Please enter PIN:
Adjusting credentials and PSE ACLs to include "MACDERMID-ASIA\Administrator"...
Oh, you supplied your own name explicitly ... ok.
   C:\saprouter\cred_v2  ... ok.
   C:\saprouter\local.pse  ... ok.
   C:\saprouter\SECUDIR\local.pse  ...
   C:\saprouter\SECUDIR\local.pse  ...
   C:\saprouter\SECUDIR\new.pse  ...
Updated SSO-credentials (#0) for PSE "C:\saprouter\local.pse"
Warning (for SNC): later/hidden SSO credentials with same DName:
1: CN=macdermid-asia, OU=0000195593, OU=SAProuter, O=SAP, C=DE
         C:\saprouter\SECUDIR\local.pse
      Options:  LIFETIME= Sat, 12 Jul 2014 07:05:37 (GMT)
                DIRACCESS=FALSE
                CRLCHECK=FALSE
   "CN=macdermid-asia, OU=0000195593, OU=SAProuter, O=SAP, C=DE"

C:\saprouter>saprouter -r -G routerlog -S 3299 -K "p:CN=macdermid-asia, OU=0000195593, OU=SAProuter, O=SAP, C=DE"
trcfile  dev_rout
logfile  routerlog
WARNING: wildcard character used in route target

SAP User count for a previous date

I have a requirement to get the user count for the previous year in SAP. Is it possible to get the user count for a previous date in SAP?

Can anyone suggest a way to do this? I also have GRC (Risk and Remediation alone) configured for the system.

Delete an already released transport request

Hello together,

I have a problem in SE09/SE10 with a transport request.

The request is as follows:

Modifiable
    D01K939667 100   Username     /Description
        D01K939668   Username          Customizing Task

The request itself has the status "Modifiable". The task D01K939668 within the request is already released. I have to delete the whole request now, but when trying to delete it, it says "Request D01K939668 already released". How can I delete a task within a request that is already released?

Thank you for any help!

Best regards
Klaus Hirschegger


SSO with .NET applications

We have been able to get SSO working between the SAP Portal and Java applications, but we are not having the same luck with .NET applications.

There is not much documentation available on this topic. I have found a couple of whitepapers and downloaded the examples available from SAP. However, we are still unable to get the SSO to work properly.

It looks like we may have an issue with the registration and use of sapssoext.dll and sapsecu.dll, but I am not entirely certain. I was also expecting to have to create the PSE on the .NET application server using sapgenpse, but I do not see this captured anywhere in the documentation either.

I have captured the current error we are seeing below. Any ideas?

Server Error in '/SAP_SSO' Application.

Ticket verifying failed. Return codes error=1 and ssf error=0
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Runtime.InteropServices.COMException: Ticket verifying failed. Return codes error=1 and ssf error=0

Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:
[COMException (0x80040001): Ticket verifying failed. Return codes error=1 and ssf error=0]

[TargetInvocationException: Exception has been thrown by the target of an invocation.]
   System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers, Int32 culture, String[] namedParameters) +0
   System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams) +2501104
   SSO_NSPC.SSO.evalLogonTicket(String ticket, String pab, String pab_password) +127
   Default.PageLoad(Object sender, EventArgs e) +207
   System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +15
   System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +34
   System.Web.UI.Control.OnLoad(EventArgs e) +99
   System.Web.UI.Control.LoadRecursive() +47
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1061

Version Information: Microsoft .NET Framework Version:2.0.50727.42; ASP.NET Version:2.0.50727.42

Thanks ahead of time for your help.

Michael

EHP 7 - Recommended Security Approach?

This is my first experience with an Enhancement Pack implementation, so please forgive me if my questions are very basic. Our company implemented EHP 5 and is now moving to EHP 7 for ECC. I was not involved with EHP 5, but was informed that we did not run SU25.

My first question is whether or not it is recommended to run SU25 for EHPs. I've searched SCN and Google and cannot seem to find the right guidance yet. I understand that after an 'upgrade' it is recommended, but can someone please shed some light on whether or not an EHP should prompt running SU25 in our systems?

If it is not necessary, what is the recommended Security approach to an EHP installation to ensure our roles and profiles are updated appropriately?

I've searched through the EHP 7 release notes and forums, but still cannot find the guidance to give me peace of mind. Hoping the Security gurus here can at least give me a push in the right direction.

Thanks for your help,
Chris

PFCG_TIME_DEPENDENCY

Hi Experts.

Just a quick one. I am currently performing an audit (SAP Basis review), and in one of the tests I check whether the PFCG_TIME_DEPENDENCY job is run on a daily basis for user master data comparison.

However, on this particular client this job is not scheduled and not running at all, and the excuse is that they are using GRC for access provisioning.

But my take is that even if they use GRC, this job should still be scheduled to run on production.

Is that correct?

Featured Content in Security

SAP’s New Cryptographic Library “CommonCryptoLib”

In her latest blog, Martina Kirschenmann presents SAP’s new cryptographic library “CommonCryptoLib”, the technical successor of the well-known SAPCRYPTOLIB, and explains how you will benefit from its deployment. July 17, 2014

SP3 for SAP Single Sign-On 2.0 Now Available

SAP just released the latest Support Package for SAP Single Sign-On 2.0. For more information and to download the new SP3, read Regine Schimmer's blog. May 13, 2014

SAP Insider: Are Your Applications Safe in the Cloud?

SAP HANA Cloud Platform not only implements multiple levels of organizational and technical security measures for SAP customers, it is designed to ensure secure user authentication and data protection in the cloud. In his new SAP Insider article, Martin Raepple looks at how SAP HANA Cloud Platform addresses these areas. April 28, 2014

How to manage user authority delegation in backend ?

Hi experts,

I need your recommendation in the SAP role assignment domain.

At my current client, they DO NOT have workflows, portal, GRC, AIM or any other security tool. They will have only the SAP backend and probably IDM.

The user IDs and their organizational unit will be maintained in LDAP. There will be a daily synchronization between LDAP and IDM. We will create the back-end roles in SAP, and IDM will manage the SAP role assignment based on the org unit of the users.

The question is the following: the client wants to manage automatically (if possible) the delegation of user authorization. They want a user X in cost center X to be able to delegate his access authorization to another user Y, with the result that user Y will be able to do his job and the job of user X.

They want to have the flexibility of a start and end period for this delegation, the end of the delegation being managed automatically.

What happens if user X loses his access in SAP: does user Y also lose the same access?

I need your recommendations on how I can manage this situation, please.

Thanks a lot

Cheers

Unauthorized Tcode Access

Dear gurus,

I have a problem like this:

In November 2010, I saw in ST03N that a user had access to tcode FBZ1.
From the roles assigned, that user has no access to that tcode (I checked the menu and auth object S_TCODE).
I tried to log in as that user, and I can't directly access it by typing FBZ1 in the tcode shortcut.

From SUIM -> change documents, I see there is no additional role assigned or role change for that user.
What could possibly allow that user to access that tcode?

Thanks for the help.

Best Regards,

Enquire about License Administration Workbench (LAW)

Dear Expert,

I would like to know more about LAW: what type of data can I generate from the report? Actually, I would like to get some information about multiple logons, e.g. how many PCs are using multiple logons, rate or status. Could you advise? Thanks!

Rdgs,
Emily


Authorization set up in SAP_MM_PUR_BUYER

Good morning everybody!

I have a requirement from the business and I need to prepare some documents for our Basis Team, but I'm not familiar with the Authorisation topic and I would be very grateful if you could help me on this.

The business wants 3 groups of buyers assigned to 3 groups of vendors. These groups should have the PUR role + MIGO, and all the other buyers outside these groups should have just the PUR role.

Buyer group 1  -------->  Vendor group A
Buyer group 2  -------->  Vendor group B
Buyer group 3  -------->  Vendor group C

At the moment the PGr is defined as Person. As far as I understood, the PUR authorization is on PGr level?
So, how can we organize that? How does the assignment to vendors work? Which information do I need from the business for the Basis Team?

Thank you very much in advance for your help!!!

Paola

SAML2 SSO configuration on internet

Hi Experts.

I am configuring SAML2 SSO with ADFS as Identity Provider and SAP ABAP as Service Provider. I am configuring it for FIORI applications. It is working fine with the internal hostname: redirecting, authenticating etc. For example, the URL https://<internal_hostname>:8081/sap/bc/ui5_ui5/ui2/launchpage/index.html?sap-client=100 goes to ADFS and, after the AD ID/password, it comes back to the launchpage URL and works fine.

Now the issue is when we want to use it through the internet. We have a URL external-hostname.domain.com which points to the internal launchpage URL listed above. This external URL also redirects to ADFS, and after authenticating it redirects to the INTERNAL URL, which I think is the issue.
Since the external and internal hostnames are different, we get an error after authenticating. The error is "No RelayState mapping found for RelayState value ouceytztvrqordzvoreeuoytbyoxufcuyuytuxz".
I understand this is because we access a protected resource using one host name, but the identity provider is returning the SAML response to a different host name.

Now I am not sure how to solve this problem. The external and internal hostnames will be different, but how to get it working? Is there any setting we can do?

Can something be done through the internet proxy?

I would appreciate any help on this.

Regards,

Tajinder

How to set a Valid To Time for a Role

Hi,

Is there a way to set a 'Valid To' Time for a User Role Assignment?

I know there is a 'Valid To' Date field in SU01. But we need to expire a few Role Assignments at a particular time of the day.

So we are looking for a 'Valid To' Time as well, along with the Date. We may create a Z TCode for this, but what I want to know is whether there is a Function Module which can be used, or any other inputs?

Thanks!

Allowed SAP_all profile in PRD ECC server

Dear Team,

We are getting a Yellow rating in EWA. I wanted to know how many users with the SAP_all Profile are allowed.

How can we remove the Yellow rating from EWA?

RK

way to get list of all the IDs maintained in various connections

Hello,

I'm not sure whether this is the right forum to discuss this issue; if it's not, please redirect me to the right group.

I'm stuck at a point in my project where the requirement is to implement some security parameters related to dialog IDs, mainly the following:

1.) Password rules (viz. uppercase, lowercase, etc.)

2.) Password change on next dialog log-on

3.) Expiry of dialog IDs not logging into the system for more than 90 days.

Now, here comes the catch!
I work in SolMan security and we have around 65 managed systems connected with it. Hence there could be many RFCs, many background jobs, many batch jobs, some JCo connections (and others which I might have missed here since I'm not a Basis guy).
There are high chances that we could have at least one dialog ID maintained in any of these connections which is destined to fail after the implementation of these security parameters, and we want to eliminate this risk by doing an impact analysis in DEV before doing it in PROD, as the risk is high and the consequences are critical.

Now what I'm unable to find is an exhaustive list of user IDs (all types) maintained in these connections, so that I can segregate the dialog ones from them and highlight the risk areas. However, I'm unable to find any table or other method which could provide me, if not 100%, a fair glimpse of the IDs maintained in RFCs and background jobs. I sought help from my Basis team also; however, they are saying it would be a cumbersome task looking up the details of each connection manually, and they know no other way to do it.

Any help on the ways out would be highly appreciated. Do let me know if I have missed out something in explaining the scenario.

Thanks,

Deepanshu
