Channel: SCN : All Content - Security

Cannot load Query"XYZ"(data provider "dp_1": No authorization for requested service)


Can somebody help me with this issue?

 

FYI - The report works fine when we execute it via RSRT, but the moment we execute the same report on the portal, we get this error message.

All checks (ST01 and RSECADMIN) are successful.

 

"Cannot load Query"XYZ"(data provider "dp_1": No authorization for requested service)"

 

Another point to note: this report works fine for some users in the portal; it gives the error message to only a few members. I believe there's something we need to maintain in the portal. Not sure what, as I don't have any background in portal security.

 

I would really appreciate it if someone could help me with this ASAP.

 

Thanks

Ritesh


New version of sapyto - SAP Penetration Testing Framework


Hello list,

 

I'm glad to let you know that a new version of sapyto, the SAP Penetration Testing Framework, is available.

 

You can download it by accessing the following link: http://www.cybsec.com/EN/research/sapyto.php

 

News in this version:

 

This version is mainly a complete redesign of sapyto's core and architecture to support future releases. Some of the new features now available are:

 

. Target configuration is now based on "connectors", which represent different ways to communicate with SAP services and components. This makes the framework extensible to handle new types of connections to SAP platforms.

 

. Plugins are now divided into three categories:
     . Discovery: try to discover new targets from the configured/already-discovered ones.
     . Audit: perform some kind of vulnerability check over configured targets.
     . Exploit: used as proofs of concept for discovered vulnerabilities.

 

. Exploit plugins now generate shells and/or sapytoAgent objects.

 

. New plugins!: User account bruteforcing, client enumeration, SAProuter assessment, and more...

 

. Plugin-developer interface drastically simplified and improved.

 

. New command switches to allow the configuration of targets/scripts/output independently.

 

. Installation process and general documentation improved.

 

. Many (many) bugs fixed. :P

 

 

Enjoy!

Cheers,

 

Mariano

SAP Security Notes April 2015


SAP has released the monthly critical patch update for April 2015. This patch update closes a lot of vulnerabilities in SAP products, most of them potential information disclosure vulnerabilities.

 

The most critical issues found by other researchers

Some of our readers and clients asked us to categorize the most critical issues so that they can patch them first. The most critical issues of this update can be patched with the following SAP Notes:

2067830: SAP Web Dynpro Java has an Implementation Flaw (CVSS Base Score: 5.8). An attacker can upload a malicious file to a system when the virus scanner is not configured correctly. It is recommended to install this SAP Security Note to prevent risks.

2094830: SAP Sybase Unwired Platform Online Data Proxy has an Information Disclosure vulnerability (CVSS Base Score: 4.7). An attacker can use Information Disclosure to learn additional information (system data, debugging information, etc.) which will help them plan other attacks. It is recommended to install this SAP Security Note to prevent risks.

2084037: SAP NetWeaver RFC SDK has an Information Disclosure vulnerability (CVSS Base Score: 4.3). An attacker can use Information Disclosure to learn additional information (system data, debugging information, etc.) which will help them plan other attacks. It is recommended to install this SAP Security Note to prevent risks.

Restrict VA42 to not change the Billing Plan Start Date, End Date and Dates Until dates


Hi All,

We have a requirement to restrict users from changing the Billing Plan Start/End/Date Until dates of subscription item data from VA42.

Can you please suggest how this can be done? Can this be done via an authorization object restriction?

 

Regards,

Sireesha

SAP NetWeaver ABAP security configuration part 1: Why do we do these guidelines?


With this article we are starting a new series of guidelines describing basic assessment procedures that can be carried out on various business applications, to help security professionals strengthen their ERP systems' resistance to attacks.

 

As we all know, ERP systems such as SAP can improve the management of all the information and resources involved in a company's operations.

 

However, while ERP applications improve the way business processes are organized, they can also undermine information security within organizations.


We should not forget how important it is to secure enterprise applications and various ERP systems.

 

Needless to say, the ERP system is at the core of any large company: it deals with all processes critical for the business (purchases, payments, logistics, HR, product management, financial planning, etc.). All information stored in ERP systems is sensitive, and any unauthorized access to it can cause huge damage, up to and including a business interruption.

 

According to the report [1] by the Association of Certified Fraud Examiners (ACFE), in 2006-2010 organizations' losses caused by internal fraud (IT fraud) amounted to approximately 7% of annual revenue [2].

 

Over the last five years, the widespread myth that ERP security is only an SoD matrix has been dispelled, and today this belief seems to be history for many people. During that time, SAP security experts have presented many detailed reports on attacks on internal SAP subsystems:

     — the RFC protocol,
     — the SAProuter access control system,
     — SAP web applications,
     — SAP GUI client workstations, and many others.

 

Interest in this area grows exponentially every year: compared to only one report on SAP security [3] in 2006, more than 30 such reports were presented in 2013 at specialized hacking and security conferences. Lately, a number of hacking utilities have been released, confirming that attacks on SAP solutions are possible.

 

According to business application vulnerability statistics [4] and [5], more than one hundred vulnerabilities in SAP products were fixed in 2009, while this figure was more than 500 in 2010. As of July 2014, there were more than 3000 SAP Security Notes, i.e. notifications about vulnerabilities in various SAP components.


This entry gives an overview of what is coming next, and why it is so important to know it.


General information


"The Enterprise Application System Vulnerability Assessment Guide" describes the 9 best-known business application security areas relating to implementation and operation. This top list was prepared by the authors during vulnerability assessments of multiple business applications and may be applied to any of them. These areas are weighty factors for many emerging threats and related attacks. Securing these areas means being ready to prevent numerous attacks targeted at business application security.

 

This series of posts contains a detailed analysis of the most widespread business application platform, SAP NetWeaver ABAP. During this analysis, 33 key settings were identified and distributed among the 9 areas mentioned above. This post shows how to protect against the most widespread vulnerabilities in each area and provides further steps on securing all 9 areas.


The top-9 critical areas for business applications

 

Below you can find the list of the top-9 critical areas for vulnerability assessment of business applications. They are ranked from 1 to 9 according to their severity and impact on the ERP system, business applications and related security. For this ranking, 3 main parameters were considered:

 

     1. initial access needed to exploit the vulnerability;
     2. severity of the vulnerability (potential impact if exploited);
     3. complexity of exploitation.

 

This list is the same for all business applications. In the next chapters, checks for each of these items (specific to the SAP NetWeaver ABAP platform) are described in detail. However, the descriptions are written so as to convey the basic principles of vulnerability assessment for any enterprise application system.

 

    Critical area                                          Access         Severity   Simplicity
 1. Patch management flaws                                 Anonymous      High       High
 2. Default passwords for access to the application        Anonymous      High       High
 3. Unnecessary functionality                              Anonymous      High       High
 4. Open remote management interfaces                      Anonymous      High       Medium
 5. Insecure settings                                      Anonymous      Medium     Medium
 6. Unencrypted connections                                Anonymous      Medium     Medium
 7. Access control and SOD conflicts                       User           High       Medium
 8. Insecure trusted connections                           User           High       High
 9. Security events logging                                Administrator  High       Medium

 

The Guide description


Our approach contains 33 steps to securely configure the SAP NetWeaver ABAP platform, distributed among the 9 areas mentioned above.


The authors' aim was to make this list as brief as possible while still covering the most critical threats in each area. This is the main objective of the Guide: despite the existing best practices from SAP, ISACA and DSAG, our intention was not to create just another list of issues with no explanation of why a particular issue was (or was not) included, but to prepare a document that can easily be used not only by SAP security experts. The report should also provide comprehensive coverage of all critical areas of SAP security.

 

At the same time, developing the most complete guide possible would be a never-ending story: at the time of writing there were more than 7000 checks of security configuration settings for the SAP platform alone, not counting those for specific role-based access and in-house applications.

 

As a result, each of the 9 areas includes the major checks that must be implemented first and can be applied to any system regardless of its settings and custom parameters. It is also important that these checks are equally applicable to production systems and to test and development systems.

 

In addition to the major all-purpose checks, each item contains a subsection called "Further steps". This subsection gives the main guidelines and instructions on what should be done next, and then on how to further securely configure each particular item. The recommended guidelines are not always mandatory and sometimes depend on the specific SAP solution. With this approach, the authors were able, on the one hand, to highlight the key security parameters for a quick assessment of any SAP solution (from ERP to Solution Manager or an Industry Solution) based on the NetWeaver ABAP platform and, on the other hand, to cover all issues and give complete recommendations on them.

 

In terms of quality, this is what makes the present Guide different from the SAP best practices, which also contain few items but do not cover the overall picture, and from the ISACA and DSAG best practices, which have many items but unclear priorities and are too complicated for a first step (though these papers are highly valuable and necessary).

 

33 steps to security


So, here it is: our list of the most critical checks for SAP NetWeaver ABAP-based systems.


1. Patch management flaws
[EASAI-NA-01] Check for components update (SAP Security Notes)
[EASAI-NA-02] Check for kernel updates


2. Default passwords for access to the application
[EASAI-NA-03] Default password check for a SAP* user
[EASAI-NA-04] Default password check for the DDIC user
[EASAI-NA-05] Default password check for the SAPCPIC user
[EASAI-NA-06] Default password check for the TMSADM user
[EASAI-NA-07] Default password check for the EARLYWATCH user


3. Unnecessary functionality
[EASAI-NA-08] Access to the RFC-function via the SOAP interface
[EASAI-NA-09] Access to the RFC-function via the form interface
[EASAI-NA-10] Access to the Exchange Infrastructure (XI) via the SOAP interface


4. Open remote management interfaces
[EASAI-NA-11] Unauthorized access to the SAPControl (SAP MMC) service functions
[EASAI-NA-12] Unauthorized access to the SAPHostControl service functions
[EASAI-NA-13] Unauthorized access to the Message Server service functions
[EASAI-NA-14] Unauthorized access to the Oracle DBMS


5. Insecure settings
[EASAI-NA-15] Minimal password length
[EASAI-NA-16] Number of invalid logon attempts before the user account lock out
[EASAI-NA-17] Password compliance with the security policies in place
[EASAI-NA-18] Access control settings for RFC-service (reginfo.dat)
[EASAI-NA-19] Access control settings for RFC-service (secinfo.dat)


6. Access control and SOD conflicts
[EASAI-NA-20] The check for SAP_ALL profile accounts
[EASAI-NA-21] The check for accounts that may start any programs
[EASAI-NA-22] The check for accounts that may modify USH02 table
[EASAI-NA-23] The check for accounts that may execute OS commands
[EASAI-NA-24] Check for disabled authorizations


7. Unencrypted connections
[EASAI-NA-25] The SSL encryption to protect HTTP connections
[EASAI-NA-26] The SNC encryption to protect the SAP GUI client connections
[EASAI-NA-27] The SNC encryption to protect RFC connections between systems


8. Insecure trusted connections
[EASAI-NA-28] RFC connections that store user authentication data
[EASAI-NA-29] Trusted systems with low security level


9. Logging of security events
[EASAI-NA-30] Logging of security events
[EASAI-NA-31] Logging of HTTP requests
[EASAI-NA-32] Logging of table changes
[EASAI-NA-33] Logging of SAP Gateway activities

 

As you can see, the guide is not as enormous as it could have been given the complexity of the topic. We tried to maximize the clarity of the guide to security assessments for you.

 

Stay in touch with us: next week we'll come back with a new article where the guideline will reappear in all its glory, with a detailed explanation of each step.

Separate password policy (configuring login parameters)


Hi All,

 

To assign a separate password policy for the users,

 

I have configured the profile parameters (length, minimum digits, uppercase and lowercase letters) in the 'default' profile in transaction RZ10. While creating users in SU01, do I need to give the "default" profile?

 

Thanks in advance,

 

 

Thanks & regards,

NarsiReddy.

ERROR during SecuSSL_SessionStart


Hi All,

 

 

I found the following error in the ICMAN trace. Do you have any suggestions for troubleshooting the issue?

 

I have created SAPSSLS using the Trust Manager and had the certificate signed by our Secure Login Server. In addition, I also imported the root CA certificate of the Secure Login Server (and also the SSL Sub CA certificate) into the certificate list of the corresponding PSE. Also, on the client side, the root CA certificate was imported into the client's certificate store.

 

I would be very grateful for any contribution.

 

Best regards,

Duy

Table to find the Parent and derived Role Relationship


Hi All,

 

Is there any table where we can check all the derived roles of a parent role?

 

Will it be possible to maintain the role relationship in the table itself?

 

Thanks,

Arjun


PFCG Current version not generated


Facing a weird issue with PFCG role generation.

 

Not able to generate the role in PFCG; error screenshot attached too. This error started coming up after the creation of a Z authorization object.
Please share your ideas if anyone has come across such an error.

 

It is a NW 7.4 system.

 

Regards,

Jay

How to upload PSE to STRUST


Hello experts! We are working with the digital invoice solution for Mexico in SAP ERP.

SAP Notes describe how to create a PSE file from several cer and crt files (including the key file) from the customer's digital signature.

We think that we can skip the operating system interaction by using transaction STRUST, but we can't find how to upload our PSE file to the system.

The Notes say that we have to log on to the operating system as the sidadm user and run a few commands with the sapgenpse tool, and the PSE is created, but we believe that we can skip these steps with transaction STRUST. Is this right?

 

Thanks for your answers.

Configuration of SAML SSO with EP 7.31 and ARIBA


Hello Experts,

 

We are trying to set up SAML SSO between EP 7.31 and ARIBA with the scenario below.

 

1. The ARIBA portal is the Service Provider.

2. EP 7.31 is the Identity Provider.

3. The end user tries to access the ARIBA portal; because SAML is switched on, the request is redirected to the EP 7.31 URL.

4. The end user is asked to enter EP credentials.

5. After a successful login, a ticket is passed to ARIBA.

6. Once the ticket is validated, the end user should directly get the ARIBA home page.

 

Please let us know if there is any help available for the above-mentioned configuration.

 

Regards,

Prashant

Authorization object to restrict in Plant for tcode PMEVC


Hi Support,

 

In our company people are working in tcode PMEVC - Variant Configuration Modeling Environment. Now we want to restrict people on the plant field. How can this be done, and what is the authorization object for it? Can anybody help me with this? If yes, then please.

 

Thanks

Asad

HTTPS Webservice Consumer Proxy - SSL Error


Hello all !

 

I'm encountering an issue while testing the connection to an HTTPS webservice.

HTTPS and SSL have been installed correctly in our SAP system and HTTPS is activated (green flag in SMICM).

 

I have done the following things :

 

1) I have configured a logical port in SOAMANAGER.

Within the Consumer Security tab (X.509 SSL Client PSE),

I put the DFAULT value in the SSL Client PSE (STRUST);

the authentication method is sapsp:HTTPX509.

 

In the transport settings the port is 443 (the HTTPS port is configured differently in our SAP system).

 

2) In transaction STRUST I added the certificate of my webservice (imported from Firefox).

In the SSL client (Standard) node there is an own certificate, self-signed by the SAP Trust Community for my SAP instance.

There I imported the certificate of the webservice I need to reach and added it to the certificate list.

 

3) When I ping my webservice,

 

I receive the following log in SMICM (trace level 3):

 

[Thr 1286]   SSL NI-sock: local=xxx  peer=xxxx:443

[Thr 1286] <<- SapSSLSetNiHdl(sssl_hdl=116c58850, ni_hdl=129)==SAP_O_K

[Thr 1286] ->> SapSSLSetSessionCredential(sssl_hdl=116c58850, &cred_name=116c58810)

[Thr 1286]   SapISSLComposeFilename(): Filename = "/usr/sap/XXX/DVEBMGS50/sec/SAPSSLC.pse"

[Thr 1286]   SecudeSSL_SetSessionCred(): request for default client credentials

[Thr 1286] <<- SapSSLSetSessionCredential(sssl_hdl=116c58850)==SAP_O_K

[Thr 1286]      in: cred_name = "/usr/sap/XXX/DVEBMGS50/sec/SAPSSLC.pse"

[Thr 1286] IcmConnInitClientSSL: using pse /usr/sap/XXX/DVEBMGS50/sec/SAPSSLC.pse, show client certificate if available

[Thr 1286] ->> SapSSLSetTargetHostname(sssl_hdl=116c58850, &hostname=116c587d0)

[Thr 1286] <<- SapSSLSetTargetHostname(sssl_hdl=116c58850)==SAP_O_K

[Thr 1286]      in: hostname = "www.XXX.xx" (hostname of my webservice)

[Thr 1286] ->> SapSSLSessionStart(sssl_hdl=116c58850)

[Thr 1286]   SapISSLUseSessionCache(): Creating NEW session (0 cached)

[Thr 1286] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_CONNECTION_LOST

[Thr 1286]    session uses PSE file "/usr/sap/XXX/DVEBMGS50/sec/SAPSSLC.pse"

[Thr 1286] No Secude Error present in trace stack!

[Thr 1286]   SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"

[Thr 1286]   No certificate request received from Server

[Thr 1286] <<- ERROR: SapSSLSessionStart(sssl_hdl=116c58850)==SSSLERR_SSL_CONNECT

[Thr 1286] ->> SapSSLErrorName(rc=-57)

[Thr 1286] <<- SapSSLErrorName()==SSSLERR_SSL_CONNECT

[Thr 1286] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00010077} [icxxconn_mt.c 1989]

[Thr 1286] ->> SapSSLSessionDone(&sssl_hdl=1107eebd8)

[Thr 1286] <<- SapSSLSessionDone()==SAP_O_K

[Thr 1286]      in: sssl_hdl   = 116c58850

[Thr 1286]          ... ni_hdl = 129

 

 

Could you tell me what's wrong, or what I'm missing?

Is it the right place where I have put my certificate in STRUST? According to the webservice I call, it needs to be one-way authentication (no client certificate needed).

I saw that the SNC SAPCryptoLib node is not activated; is that the reason for the error?

 

 

I'm a bit lost...

 

 

Many Thanks !!!

 

Kr,

Jonathan
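An added example, not from the post above or from SAP: a small Python parser that pulls the diagnostic fields out of an SMICM SSL trace like the one quoted in the post and lists what the trace does and does not record (which PSE was used, the target hostname, the handshake state at which the connection was lost, whether the crypto library logged a Secude error, and whether the server ever asked for a client certificate). The trace lines are copied from the post (the poster's own xxx/XXX placeholders included); the dataclass fields and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Trace lines copied from the SMICM trace (trace level 3) quoted in the post above.
# "xxx", "XXX" and "www.XXX.xx" are the poster's own placeholders, not real hosts.
SAMPLE_TRACE = """\
[Thr 1286]   SSL NI-sock: local=xxx  peer=xxxx:443
[Thr 1286] ->> SapSSLSetSessionCredential(sssl_hdl=116c58850, &cred_name=116c58810)
[Thr 1286]   SapISSLComposeFilename(): Filename = "/usr/sap/XXX/DVEBMGS50/sec/SAPSSLC.pse"
[Thr 1286] IcmConnInitClientSSL: using pse /usr/sap/XXX/DVEBMGS50/sec/SAPSSLC.pse, show client certificate if available
[Thr 1286]      in: hostname = "www.XXX.xx"
[Thr 1286] ->> SapSSLSessionStart(sssl_hdl=116c58850)
[Thr 1286] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_CONNECTION_LOST
[Thr 1286]    session uses PSE file "/usr/sap/XXX/DVEBMGS50/sec/SAPSSLC.pse"
[Thr 1286] No Secude Error present in trace stack!
[Thr 1286]   SSL_get_state() returned 0x00002120 "SSLv3 read server hello A"
[Thr 1286]   No certificate request received from Server
[Thr 1286] <<- ERROR: SapSSLSessionStart(sssl_hdl=116c58850)==SSSLERR_SSL_CONNECT
[Thr 1286] ->> SapSSLErrorName(rc=-57)
[Thr 1286] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {00010077} [icxxconn_mt.c 1989]
"""


@dataclass
class SslHandshakeReport:
    """Diagnostic fields recovered from one client-side SSL handshake in the ICM trace."""
    peer: Optional[str] = None               # host:port the ICM connected to
    pse_file: Optional[str] = None           # client PSE the session used
    target_hostname: Optional[str] = None    # hostname handed to SapSSLSetTargetHostname
    ssl_connect_error: Optional[str] = None  # error returned by SSL_connect()
    ssl_state: Optional[str] = None          # handshake state when the error occurred
    sap_error: Optional[str] = None          # SSSLERR_* name reported by SapSSLSessionStart
    return_code: Optional[int] = None        # numeric rc passed to SapSSLErrorName
    secude_error_present: bool = True        # False if "No Secude Error present" was logged
    client_cert_requested: bool = True       # False if the server sent no certificate request


# One regex per field; group 1 is the value to keep.
_PATTERNS = {
    "peer": re.compile(r"SSL NI-sock: local=\S+\s+peer=(\S+)"),
    "pse_file": re.compile(r'session uses PSE file "([^"]+)"'),
    "target_hostname": re.compile(r'in: hostname = "([^"]+)"'),
    "ssl_connect_error": re.compile(r"SSL_connect\(\)==(\w+)"),
    "ssl_state": re.compile(r'SSL_get_state\(\) returned 0x[0-9a-fA-F]+ "([^"]+)"'),
    "sap_error": re.compile(r"SapSSLSessionStart\([^)]*\)==(SSSLERR_\w+)"),
    "return_code": re.compile(r"SapSSLErrorName\(rc=(-?\d+)\)"),
}


def parse_icm_ssl_trace(trace: str) -> SslHandshakeReport:
    """Walk the trace line by line and fill the report from the lines that carry a field."""
    report = SslHandshakeReport()
    for line in trace.splitlines():
        for name, pattern in _PATTERNS.items():
            match = pattern.search(line)
            if match:
                value = match.group(1)
                setattr(report, name, int(value) if name == "return_code" else value)
        if "No Secude Error present" in line:
            report.secude_error_present = False
        if "No certificate request received from Server" in line:
            report.client_cert_requested = False
    return report


def handshake_findings(report: SslHandshakeReport) -> List[str]:
    """Turn the recovered fields into plain statements of what the trace shows."""
    findings = []
    if report.sap_error:
        findings.append(f"handshake to {report.target_hostname} ({report.peer}) failed: "
                        f"{report.sap_error} rc={report.return_code}, PSE {report.pse_file}")
    if report.ssl_connect_error == "SSL_ERROR_CONNECTION_LOST":
        findings.append(f"peer closed the connection mid-handshake; last state: {report.ssl_state}")
    if not report.secude_error_present:
        findings.append("crypto library logged no Secude error of its own")
    if not report.client_cert_requested:
        findings.append("server never requested a client certificate, so the PSE contents were not yet in play")
    return findings
```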

Is S_RFCACL a critical Authorization Object ?


Hi All,

 

As we know, S_RFCACL (Authorization Check for RFC User (e.g. Trusted System)) is required for access to trusted systems.

 

In most of our roles, for this authorization object we have maintained the * value for the following fields:

 

RFC_SYSID

RFC_TCODE


The auditors have flagged this as an observation, as critical access held by the users.


But my question is: how can it be critical access when the user must have IDs in both systems (trusted and trusting) to log in to the called system?

Also, even if the user logs in to the called system, he will only be able to execute the activities/t-codes he is authorized for in that system; that will override the * value maintained in RFC_TCODE.


What could the risk from this authorization object possibly be?



Regards,

Parichay

SSL Strust : Issuer certificate missing in database


Hi,

 

 

I am applying SSL in the ABAP stack via STRUST. When I import the certificate response from the CA, it shows the error

Issuer certificate missing in database:CN=DigiCert High Assurance CA-3, OU=www.digicert.c

 

Any idea?

 

 

Thanks


Two factor authentication for SAP GUI


Is there any solution on the market which supports two-factor authentication for SAP GUI users? The SAP logon module source is protected, so it may not be suitable to extend with a customized second verification step. Are there any SAP deliverables or third-party APIs available for two-factor authentication?


Assign single role to composite role with alternate logsys assignments


Dear gurus,

 

In a moment of weakness I created a composite role (shame on me) and then noticed something about them which I had not noticed before: I was in a CUA master system and in the composite role I noticed that on the (single) roles tab there was a field called "logical system". But it is greyed out.

 

Now, composite roles from the child logical systems are known to the CUA master system and have a logical system assigned by the text comparison. Assigning the composite in the master system will assign the composite in the child system, and that assigns the local single roles in the child system as well; so far so good and by the book.

 

But is there some way to assign to a user in the master system a composite role which is itself assigned to the master system, but whose single roles have logical systems which differ from the logical system of the master system? So basically the field would not be greyed out in the central composite roles, and this composite role would then represent an assignment beyond logical system boundaries, much like a "business role" in IDM.

 

Has anyone ever done that before and survived? Any pros and cons? Is it at all possible what I am seeing here before my eyes (bar that the field is greyed out)?

 

Cheers,

Julius

Authorization Issue in SM50


Hi All,

 

One of our users is facing an authorization issue in SM50. He goes to SM50 and tries to open a work process. This is where he gets the message "You are not authorized to use function Work Process List".

 

When I check the trace, I see only a missing authorization for SM04. I checked the trace for my own ID (with no error) and found that SM04 is not even checked for my ID, and all the other authorization checks are the same for both IDs.

 

I assigned a BASIS role to this user and that resolved the issue. But the strange thing is that the user's trace still shows SM04 missing (SM04 is not in that Basis role).

 

Now I don't understand what exactly the missing authorization is for this user. Definitely SM04 is not the one, and I can't assign this Basis role to him. Could anyone guide me with this issue? Below is the trace for the user in both cases (without the Basis role assigned and with this role assigned).

ECC is not prompting for password change for some users


Dear Experts,

 

I found a strange behaviour in our ECC 6 system (BASIS release 702). The system is not prompting for a password change after the password expiration time, and this is happening for a few users. So far five users have reported this behaviour. The users are indeed happy about this.

We have the parameter login/password_expiration_time = 30.

These users are not even able to change their password themselves. When they try to change their password using the "New Password" button on the login screen, the system gives the message "you can change your password only once a day", even though the user did not change the password that day at all.

Initially I thought there might be a parameter where user IDs are maintained to exclude them from the password policy, but it seems there is no such parameter in ECC6.

 

Your help in finding the reason for this strange behaviour would be appreciated.

 

Regards

Aktar

Read Access Logging (RAL)


Read Access Logging is often required to comply with legal regulations or public standards such as data privacy, for example in banking or healthcare applications. Data privacy is about protecting and restricting access to personal data. In some countries, data privacy regulations even require that access to certain personal data be reported. Companies and public institutions may also want to monitor access to classified or other sensitive data for their own reasons.

 

The Read Access Logging tool for SAP NetWeaver Application Server ABAP allows you to monitor and log read access to sensitive data.

 

For more information, see:

 

 

Introduction Video (2 minutes):

Live Expert Session (29 minutes):