Channel: SCN : Discussion List - Security

SSL Certificate Mismatch on 2 SSL Certificates on Same Hostname


Hello everybody,

 

 

We have two websites, e.g. www.a.com and www.b.com, running on the same server (a single hostname and IP address for the two websites).

We imported their SSL certificates into transaction STRUST without any problems.

(Certificates are OK and can be verified in web browser)

 

SSL configuration on R/3 is OK.

 

We created two RFC destinations in SM59 to test the connection from R/3 to the websites.

Connection to www.a.com is OK; SMICM logs show an exact match between the requested website's address and its certificate.

 

<<- SapSSLSetTargetHostname(sssl_hdl=00000000399975C0)==SAP_O_K

     in: hostname = "a.com"

NiIBlockMode: set blockmode for hdl 550 TRUE

NiIBlockMode: set blockmode for hdl 550 FALSE

NiIBlockMode: set blockmode for hdl 550 TRUE

  Subject Alt Names: dNSName=a.com, dNSName=www.a.com

  MatchTargetName("a.com", dNSName="www.a.com") MISmatch

  MatchTargetName("a.com", dNSName="a.com") == EXACT match

 

 

 

But connection to www.b.com fails with message "SSL handshake with b.com:443 failed:"

SMICM logs show a weird situation:

 

<<- SapSSLSetTargetHostname(sssl_hdl=0000000039997240)==SAP_O_K

     in: hostname = "b.com"

NiIBlockMode: set blockmode for hdl 1334 TRUE

NiIBlockMode: set blockmode for hdl 1334 FALSE

NiIBlockMode: set blockmode for hdl 1334 TRUE

  Subject Alt Names: dNSName=a.com, dNSName=www.a.com

  MatchTargetName("b.com", dNSName="www.a.com") MISmatch

  MatchTargetName("b.com", dNSName="a.com") MISmatch

  MatchTargetName("b.com", "CN=www.a.com") MISmatch

<<- ERROR: SapSSLSessionStart(sssl_hdl=0000000039997240)==SSSLERR_SERVER_CERT_MISMATCH

  Subject DN = "CN=www.a.com, O=.....

*** ERROR => SSL handshake with b.com:443 failed: SSSLERR_SERVER_CERT_MISMATCH (-30)

 

SAP is requesting a connection to b.com but the returned certificate is the one of website a.com.

How can this be possible? I am not sure if SAP's SSL lib is supporting such a scenario with two certificates on the same host (IP address).

Has anyone experienced the same situation before?

 

Any help will be much appreciated since we are stuck.

 

Best regards,

 

Ozcan.

 

Message was edited by: Ozcan Gurdal
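
A triage sketch for the two SMICM excerpts in the post above, added here as an example (not part of the original post and not SAP tooling): it groups the trace lines per handshake and flags the case where the peer presented a certificate that names only other hosts. The function names are hypothetical, the trace lines are copied (abridged) from the post, and only the two verdict strings seen there ("EXACT match", "MISmatch") are assumed to occur.

```python
import re

# Trace lines copied (abridged) from the two SMICM excerpts in the post.
TRACE = '''\
<<- SapSSLSetTargetHostname(sssl_hdl=00000000399975C0)==SAP_O_K
     in: hostname = "a.com"
  Subject Alt Names: dNSName=a.com, dNSName=www.a.com
  MatchTargetName("a.com", dNSName="www.a.com") MISmatch
  MatchTargetName("a.com", dNSName="a.com") == EXACT match
<<- SapSSLSetTargetHostname(sssl_hdl=0000000039997240)==SAP_O_K
     in: hostname = "b.com"
  Subject Alt Names: dNSName=a.com, dNSName=www.a.com
  MatchTargetName("b.com", dNSName="www.a.com") MISmatch
  MatchTargetName("b.com", dNSName="a.com") MISmatch
  MatchTargetName("b.com", "CN=www.a.com") MISmatch
<<- ERROR: SapSSLSessionStart(sssl_hdl=0000000039997240)==SSSLERR_SERVER_CERT_MISMATCH
'''

HOST = re.compile(r'in: hostname = "([^"]+)"')
SANS = re.compile(r'Subject Alt Names: (.+)')
MATCH = re.compile(r'MatchTargetName\("([^"]+)", (?:dNSName=)?"([^"]+)"\)'
                   r'\s*(?:==\s*)?(EXACT match|MISmatch)')
ERROR = re.compile(r'ERROR: SapSSLSessionStart\(.*\)==(\w+)')

def summarize(trace):
    """Group trace lines into one record per handshake (per target hostname)."""
    sessions = []
    for line in trace.splitlines():
        if m := HOST.search(line):
            sessions.append({"target": m.group(1), "presented": [],
                             "matched": None, "error": None})
        elif not sessions:
            continue  # lines before the first target hostname carry no context
        elif m := SANS.search(line):
            names = m.group(1).split(", ")
            sessions[-1]["presented"] = [n.split("=", 1)[1] for n in names]
        elif m := MATCH.search(line):
            if m.group(3) == "EXACT match":
                sessions[-1]["matched"] = m.group(2)
        elif m := ERROR.search(line):
            sessions[-1]["error"] = m.group(1)
    return sessions

def wrong_certificate(session):
    """True when no presented name matched and the target is not among the SANs."""
    return session["matched"] is None and session["target"] not in session["presented"]

if __name__ == "__main__":
    for s in summarize(TRACE):
        verdict = "WRONG CERT" if wrong_certificate(s) else "ok"
        print(f'{s["target"]}: presented {s["presented"]} -> {verdict} {s["error"] or ""}')
```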


CUA - Use RFC destination name different from Logical system name assigned to Client


Hello,

 

I need to use RFC destination name different from the logical system name assigned to the client in SCC4.

 

The problem is that in master system (ADMCLNT100),  I cannot use RFC destination name of child (PRDCLNT100) that matches the name of Logical system (PRDCLNT100) attached to the client. I created new logical system (PRDCUA100) and RFC name matching that to connect child system to the master.

 

I understand from documentation and different posts that the name of Logical system and RFC destination has to match. So, I created another Logical system name (but it's not assigned to client as only one logical name of the system can be assigned to a client) and an RFC destination matching that.

 

After following the steps and connecting child to master, BD64 in master system and child system shows that child system is connected to master. However, SCUG wouldn't push users to the child system and I am still able to do provisioning directly in the child system. Basically, child is not connected to the master.

 

Is it a must for the logical system name to be attached to the client in SCC4?

 

What options do I have?

 

Thanks,

Akash

Auto-Logout after 15 Minutes, but rdisp/gui_auto_logout is set to 0


Hi

 

Everyone is logged out of our Solution Manager GUI session after 15 minutes.

 

The parameter rdisp/gui_auto_logout is set to 0.

 

We tried also to set it to 7200 (2h), but the same effect... We will be logged out after 15 minutes.

 

Is there another parameter to control this? Or what can be the cause for it?

How to find change history of a role in SAP?


Hi Experts,

 

Is there a way to find out when a tcode has been added to a role and when an authorisation object has been added to a role in SAP Security?

Mass change of single authorization object in more than 400 Roles


Hi,

 

We want to mass change the value of an authorization object which is present in more than 400 roles. Has anyone done this using ecatt, LSMW or any other method?

 

Kind Regards

Mohsin

How to know the SAP System from Authorization object ?


Hi Experts,

 

From a given authorization object, for example (V_GB_CNFTX - Activity 02), how can we know which system (e.g. CRM, ISU, ERP) this authorization object belongs to?

 

Best Regards.

Data encryption during interface


I am not sure I am posting in the right place. During interface from Ariba (or any system) to SAP, my client is asking whether all the data is encrypted. As per the document, data is transferred in 256 RSA bit encryption and through HTTPS. But I don't know whether the data is encrypted. If the client requires all the data to be encrypted, what are the options? Thanks, Narayan

Regarding SAP User License Fee Calculation


Hello,

 

Can someone explain in detail how the SAP user license fee is calculated (preferably by giving an example), please?

 

Thanks & Regards,

Vinay Gaddam


How can I activate TLS 1.1+ on SAP AS JAVA 7.31 client-side?


I only know SAP Note "510007 - Setting up SSL on Application Server ABAP".

If I apply the information in this note to AS JAVA,

 

 

"The built-in defaults for the client-side enables only SSLv3 + TLSv1.0 for SAPCRYPTO 5.5.5pl28+ and CommonCryptoLib 8, corresponding to client-side protocol version flags (128+64) = 192.  It is recommended to request TLS protocol version TLSv1.1 and TLSv1.2 with the flags "Best" and "NO_GAP", because only the latter is future-friendly and is fully compatible with older libraries."

 

 

I have to set the following SAP profile parameters, for example:

 

ssl/ciphersuites = 135:HIGH:MEDIUM:+e3DES

ssl/client_ciphersuites = 198:HIGH:MEDIUM:+e3DES

 

Unfortunately the AS Java is already "requesting version 3.1..."

I suspect that these SAP profile parameters don't work for AS JAVA?

 

Any experiences?

Any ideas?

 

Thanks in advance,

Matthias

 

- SAP NW PO 731 SPS12 (AS JAVA only)

- Currently we use CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.37 pl40 (May 12 2015) MT-safe.

- Kernel = 721_EXT 64Bit Patch 300

ALV Layout restriction


Hi All,

 

Our users are restricted from changing default layouts. Superusers are allowed to change default layouts for specific reports, we are using the S_ALV_LAYR authorisation object to achieve this.

We are now required to allow some of the super users to change layouts for transaction code FBL5N, this transaction code does not get checked against the above mentioned authorisation object.

Any idea how to allow users to change the default layout for this transaction code without giving the users access to authorisation object S_ALV_LAYO?

 

Thanks

Transaction text not populated in TSTCT table


Hi Experts,

 

 

I would need your help on the below.

 

I have tried to extract the list of transaction code texts from the table TSTCT by giving a few transaction codes as input. However, I am not able to retrieve the data for all the Tcodes, though the transaction text is available and can be viewed in the PFCG role.

Please advise.

Issues in USMM user classification tab



As part of system measurement, we first updated the license type of the 6000 dialog users that are active in SAP using SU10 (classification based on the assigned roles). After that, when we ran USMM and clicked on the user classification tab, we only got 4500 users. Can anyone suggest what would be the reason for the difference in numbers?

Do we get the same results after clicking on the system measurement too?

CRM Web UI - remove marketing attribute from account


Just upgraded CRM support packs.

 

SAP_BASIS         740    0012    SAPKB74012    SAP Basis Component

SAP_ABA         740    0012    SAPKA74012    Cross-Application Component

SAP_GWFND    740    0013    SAPK-74013INSAPGWFND    SAP Gateway Foundation 7.40

SAP_UI              740    0014    SAPK-74014INSAPUI    User Interface Technology 7.40

PI_BASIS         740    0012    SAPK-74012INPIBASIS    Basis Plug-In

ST-PI              740    0002    SAPK-74002INSTPI    SAP Solution Tools Plug-In

SAP_BW         740    0012    SAPKW74012    SAP Business Warehouse

MDG_FND         747    0010    SAPK-74710INMDGFND    MDG Foundation 732

SAP_AP              700    0033    SAPKNA7033    SAP Application Platform

SAP_BS_FND    747    0010    SAPK-74710INSAPBSFND    SAP Business Suite Foundation

WEBCUIF         747    0010    SAPK-74710INWEBCUIF    SAP Web UI Framework

BBPCRM         713    0010    SAPKU71310    BBPCRM

MOB_CRMS    210    0000    -    SAP CRM Sales 2.0 Addon 2.1

FLDQ    440_740    0004    SAPK-45104INFLDQ    SAP BusinessObjects DQM for SAP Solution

OTEXBAS    1000_700    0000    -    OpenText Archiving and Document Access f

ST-A/PI    01R_700    0002    SAPKITAB7P    Servicetools for other App./Netweaver 04

 

..& found that removing marketing attributes from an account is now checking auth object C_KLAH_BKP for 06 delete for the auth group assigned to the attribute in web ui. If user doesn't have this, dustbin icon is not displayed.

 

Gui remains ok.

 

I know that SAP introduces new auth checks in sp's, & can understand a delete check, but would have expected C_KLAH_BKL / 06 to be checked instead.  (C_KLAH_BKP is for maintaining actual marketing attributes, not assignments).


Anybody got thoughts?

Secude (securelogin) as SSO application for SAP


Hi everyone,

 

We are currently evaluating the Secude product securelogin for an SSO implementation at a client.

 

I was wondering if any of you have come across or are currently implementing this product. I would appreciate it if you could let me know of any concerns/problems with using this product.

 

Thanks & regards

Sujeet

Sign ArchiveLink-URL in non-SAP applications


Dear all,

 

we're archiving documents from SAP to an Open Text archive which should be accessed from other non-SAP applications.

 

According to the ArchiveLink specification access to the documents is protected with seckeys on the archive server.

 

When a SAP System accesses a document the ArchiveLink-URL for retrieving is signed automatically by the corresponding function module.

 

If I want to access a document from a non-SAP application I have to sign the ArchiveLink request on my own and therefore had a look in the corresponding specification:

 

http://help.sap.com/printdocu/core/Print46c/de/data/pdf/BCSRVARL/BCSRVARL.pdf (Page 243)

 

Depending on the access-type (https://cw.sdn.sap.com/cw/docs/DOC-33934 --> SAP Content Server HTTP 4.5 Interface --> Introduction --> Security --> secKey) the values of the parameters contRep, docId, accessMode, authId, expiration are concatenated to a string which should be signed with a private key. Verification is done by the archive server, which has imported a certificate containing the public key of my key pair.

According to the documentation the following algorithms are used to create / verify the signature:

Format of digital signature: PKCS#7 "signed data"

Public key procedure: DSS

Key length: 512 – 1024 bits

Public exponent: 2^16 + 1

Public key format: X.509 v3 certificate

MD (message digest) algorithm: MD5 or RIPEMD-160

 

 

My Example:

Content Repository: ZZ

docId: 12334

accessMode: r

authID: CN%3DTestClient,%20OU%3DmyOrgUnit,%20C%3DDE

expiration: 20101231120000

 

What do I have to do if I want to sign the string "ZZ12334rCN%3DTestClient,%20OU%3DmyOrgUnit,%20C%3DDE20101231120000" with the algorithms needed by the ArchiveLink standard?

I'm looking for an example in OpenSSL (preferred, so I can adapt it to other programming languages), Java, PHP or C#.

 

Thanks in advance

Christoph


SAP Security


Dear Experts,

 

Which SAP note mandates the S_DEVELOP authorization object for table maintenance via SE17, SE16 & SE16N? Actually, we don't have access to SAP notes, but the client is asking which SAP notes, and since we never say NO to clients, I am posting this question. Kindly help me out.

 

 

 

 

 

Thanks

Generated Analytic Privileges from BW Analysis Authorizations


Hi Experts,

 

I need some information. We are using BW on HANA in our landscape. In BW, DSOs are being used as info providers. While activating DSOs, our developers select the check box "External SAP HANA view". This generates an analytic view in HANA for the DSO. Also an analytic privilege (and HANA role) is generated for the DSO.

I have the below queries related to these generated analytic privileges and roles:

1. In the development system, we got the analytic privilege and roles generated from BW. How will these be moved to the QA HANA system? The BW team has transported the DSOs to the BW QA system and the HANA views were automatically generated in the HANA QA system. But I can't see the privileges and roles in the QA system.

Do we have to make sure that before DSOs are moved to QA system, info objects are auth relevant and analysis authorizations are transported there?

 

2. Is this generated analytic privilege a must for users to view data from HANA views?

 

Thanks

Nitesh Gupta

Where to find the transaction related other Transactions


Hi

 

I am using transaction code ST03: for every user, the t-codes used in the last three months were collected. I created one single role, added the transaction codes with full authorizations, generated the profile and saved; after that a transport was created and moved to production.

But after 1 week the client audited the roles, and he has some errors: transactions call other transactions that are not picked up. For example, transaction VAO2 calls several transactions that were not picked up in the audit.

Any solution?

 


thanks and regards

srinivas

SAP Password Policy in NW ABAP for group of users?


Hi

 

Is it possible to set up a policy for SAP passwords in an NW ABAP system which is specific to a group of users? For example, 100 users might have password expiry after 90 days but the rest of the users in the system have password expiry every 45 days.

 

Thanks

Tim

Create PFCG role for maintaining the context authorization objects.


Hello Experts,

 

I am a CRM developer and I am facing a requirement to implement the structural authorizations.

I have created an authorization profile in table T77PR and then assigned my user to it in table T77UA and it works.

But I don't want to maintain the last table manually so I have implemented BADI HRBAS00_GET_PROFL.

 

Here I'm checking object P_ORGINCON from the user where I should find the assigned  Authorization Profile.

 

Now I am at the step where I have to create these PFCG roles and maintain those context authorization objects on them.

 

As I am not a security resource I am not very sure what or how I can create them with the right objects.

 

Has anyone faced the same requirement and can help me with the details about this type of role?

 

 

Many thanks in advance.

 

Best regards,

Elena Hutanu
