Hello,
Is it possible to set it so that the user does not have to change the initial password, when the user is created or even if the SAP Administrator resets it, the first time the user logs on to the system?
Thanks;
Ali Gumusoglu
Hi experts,
I have the following issue: after the import of new transports with updated roles and profiles into a system, RFC users with the updated roles get authorization errors. The transport log and the Security Audit Log show no issues. The problem disappears when changing anything in SU01 or when executing the user buffer reset report RSUSR405, which could lead to issues on systems with a high number of users.
Any suggestions on how to avoid this problem?
I found SAP Notes 1828354, 1544295 and 1614407, but I don't know if these notes would help?
Thanks and regards,
I'm trying to restrict material creation by material type, but with no positive results.
First I created an authorization group via SE54 and then assigned it to the material type via T134. Then I added the authorization group in object M_MATE_MAR to the role, but this didn't work.
I appreciate your help!
Thanks in advance.
Rosina Fernandez
Dear Experts,
An adversary can bypass the login page by manipulating the response coming from the server: capturing the successful response and request from the server to the client using a proxy tool. The application then goes directly into the power access application, thus bypassing the authentication modes entirely. How can we find the third-party tool hitting the server? We have implemented 2FA (two-factor authentication) in the login portal. They are using one tool, getting our successful request (HTTP/1.1 302 Found) and response, and based on that they bypass the entire process. Without 2FA as well, when we log in to the portal successfully, the landed request is obtained and used for bypassing. We are using HTTPS and SSL, and those configurations are done, but it is no use: they get the final request and bypass based on it.
Please tell me the solution or configurations for server-side validation to protect against unauthorized access. This is a security issue, and urgent.
Thanks in advance
Thanks and Best Regards,
Durga Rao.
Unable to delete a role from a user ID in the SAP SOLMAN production system, but able to in DEV with the same authorization. Please suggest.
This is my first experience with an Enhancement Pack implementation, so please forgive me if my questions are very basic. Our company implemented EHP 5 and is now moving to EHP 7 for ECC and I was not involved with EHP 5, but was informed that we did not run SU25.
My first question is whether or not it is recommended to run SU25 for EHPs? I've searched SCN and Google and cannot seem to find the right guidance yet. I understand that after an 'upgrade', it is recommended, but can someone please shed some light on whether or not an EHP should prompt running SU25 in our systems?
If it is not necessary, what is the recommended security approach to an EHP installation to ensure our roles and profiles are updated appropriately?
I've searched through the EHP 7 release notes and forums, but still cannot find the guidance to give me peace of mind. Hoping the Security gurus here can at least give me a push in the right direction.
Thanks for your help,
Chris
I need to hit my DMZ SAP Web Dispatcher with multiple unique URLs. I am starting off using webdisp1.abc.com and webdisp2.vde.com. DNS will resolve both to the Web Dispatcher host. I am following Tobias Winterhalter's blog: Name-based virtual hosts and one SAP Web Dispatcher to access multiple SAP systems.
My question is how do I go about generating the pse so I can store both webdisp1.abc.com and webdisp2.vde.com? Do I just import the first request and initiate another certificate request using the same pse?
Example (the distinguished name is one argument, so it must be quoted):
sapgenpse gen_pse -s 2048 -p D:\<file path>\SAPSSLS.pse -r D:\<file path>\webdisp1.req "CN=webdisp1.abc.com, OU=IT, O=XYZ Inc., C=US"
Cheers,
Dan Mead
Hi Security-Folks,
I like to discuss with you the recommended settings for the Security Audit Log (SM19 / SM20).
Here's my proposal:
Profile Parameters:
rsau/enable = 1
rsau/selection_slots = 10
rsau/user_selection = 1
Filter settings in SM19:
1. Filter: Activate everything which is critical for all users '*' in all clients '*'.
2. Filter: Activate everything for users 'SAP*' in all clients '*'
This includes the built-in user 'SAP*' as well as all user account names starting with 'SAP', e.g. 'SAPSUPPORTx', because of rsau/user_selection = 1.
To show log entries for user 'SAP*' only, filter by 'SAP#*' in SM20 or use report RSAU_SELECT_EVENTS instead.
3. Filter: Activate everything for other support and emergency users, e.g. 'FF*' (FireFighter) in all clients '*'
4. Filter: Activate all events for the dialog activities 'logon' and 'transaction' for user 'DDIC' in all clients. This user should not be used in dialog mode. It's only required for specific activities while applying support packages or while importing transports (however in this case you can use another background user as well).
5. Filter: Activate everything for client '066'. This client is not used anymore and can be deleted (see http://scn.sap.com/community/security/blog/2013/06/06/how-to-remove-unused-clients-including-client-001-and-066 ).
6. Filter: Activate RFC events (AUL, AUK, AU6, AU5) for a short time for selected users to identify RFC connection problems easily (see http://scn.sap.com/community/security/blog/2010/12/05/how-to-get-rfc-call-traces-to-build-authorizations-for-srfc-for-free ).
7.-10. Filter: free for other project-specific purposes
What settings are you using and why?
Kind regards
Frank Buchholz
Active Global Support - Security Services
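As an added example (not part of Frank's post and not an SAP tool), the following Python model evaluates the proposed SM19 client and user filters against account names: with rsau/user_selection = 1, '*' in the user field is a generic wildcard and '#' escapes the following character, so 'SAP*' covers SAP* and SAPSUPPORT1 while 'SAP#*' covers only the literal user SAP*. The escape semantics, the slot table and the function names are assumptions drawn from the post.

```python
import re

def sap_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an SM19/SM20 selection pattern into an anchored regex.
    '*' matches any run of characters; '#' makes the next character literal
    (assumed escape semantics, as in the 'SAP#*' hint in the post)."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '#' and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))   # escaped literal, e.g. '*'
            i += 2
            continue
        parts.append('.*' if ch == '*' else re.escape(ch))
        i += 1
    return re.compile('^' + ''.join(parts) + '$')

# Filter slots from the proposal (constructed table; slots 7-10 are left free).
# (slot, client pattern, user pattern, what the slot records)
FILTERS = [
    (1, '*',   '*',    'critical events only'),
    (2, '*',   'SAP*', 'all events'),
    (3, '*',   'FF*',  'all events'),
    (4, '*',   'DDIC', 'logon and transaction events'),
    (5, '066', '*',    'all events'),
]

def matching_slots(client: str, user: str) -> list[int]:
    """Slot numbers whose client and user patterns both cover this account."""
    return [slot for slot, cli, usr, _ in FILTERS
            if sap_pattern_to_regex(cli).match(client)
            and sap_pattern_to_regex(usr).match(user)]

def matches(pattern: str, user: str) -> bool:
    """True when the selection pattern covers the given user name."""
    return sap_pattern_to_regex(pattern).match(user) is not None

if __name__ == '__main__':
    for client, user in [('100', 'SAP*'), ('100', 'SAPSUPPORT1'),
                         ('066', 'JDOE'), ('100', 'DDIC')]:
        print(client, user, '-> slots', matching_slots(client, user))
    print("'SAP#*' matches SAPSUPPORT1:", matches('SAP#*', 'SAPSUPPORT1'))
```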
Hi everyone,
I have a requirement as follows:
The users should not be able to create any notification or order dated more than one month earlier. How can I perform this?
Hi experts,
We have second-factor authentication in our portal product. By using the hacking tool Burp Suite, I'm able to capture the response and request coming from the server.
Case 1: the user has primary authentication with user name and password, and secondary authentication as an OTP sent to his mobile; after entering this OTP, he can log in to the portal. Now at the end stage I'm getting an authenticated response from the server, as shown below:
HTTP/1.1 302 Found
content-type: text/plain
set-cookie: MYSAPSSO2=********************************************************************************************************************************************************************************************
***************************************************************************************************************************************************
************************************************************************************************************%3D;path=/;domain=.*************;HttpOnly
set-cookie: JSESSIONMARKID=(J2EE2816900)ID1049281650DB414bde284b5152939d4cf5487d21ccc0cffd7091End; Version=1; Path=/; Secure; HttpOnly
location: https://hosthttps://host/irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default:443/irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default
content-length: 0
date: Wed, 28 May 2014 05:27:09 GMT
set-cookie: com.sap.engine.security.authentication.original_application_url=; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
This is the response which we are able to capture, and now we can log in again using a wrong user name and wrong password: using the Burp Suite tool, intercepting the response and replaying the above response, we are able to log in.
Here we are not able to restrict this particular stage.
Is there any solution to stop this? Please suggest.
Regards
Govardan Raj S
Dear Experts,
Please can anyone help me; I have a security issue. Some third-party tools are being used to hack the request and response of the server. They take one successful request (HTTP/1.1 302 Found) and response (HTTP/1.1 200 OK). Based on this request, they again submit some invalid credentials, and at that time the server's response is replaced with the successful request, so they log in to the portal successfully (bypassing). At this request level they only get the information for the URL and the set-cookies. Is there any process to restrict the set-cookies, like JSESSIONMARKID, JSESSIONID and SAP_LB?
We are using version 7.0 and SP 12. Please share your solutions, because this is a very high problem here.
Thanks in advance
Thanks and regards,
Durga Rao.
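As an added example serving both Govardan's captured 302 response above and Durga's two posts (it is not code from any of the posts and not SAP's portal implementation), this Python model shows the server-side check that decides whether a replayed logon response is honoured: the browser only sees the 302 and its cookies, while access is granted from the server's own session table, so a replayed cookie works only while the server still holds a live, OTP-completed session for it. Ticket rotation, the lifetime and all names are assumptions of the model.

```python
import secrets
import time

class SessionStore:
    """Server-side session table; the only thing a protected request may trust."""

    def __init__(self, ticket_ttl_s: int = 600):
        self.ttl = ticket_ttl_s
        self._sessions: dict[str, dict] = {}     # ticket value -> session state

    def start_password_stage(self, user: str, now: float) -> str:
        # First factor passed: issue a ticket that is NOT yet fully authenticated.
        ticket = secrets.token_urlsafe(32)
        self._sessions[ticket] = {'user': user, 'otp_done': False, 'issued': now}
        return ticket

    def complete_otp(self, ticket: str, now: float) -> str:
        # Second factor passed: rotate the ticket so the pre-OTP value is dead.
        state = self._sessions.pop(ticket, None)
        if state is None:
            raise PermissionError('unknown or already-used ticket')
        new_ticket = secrets.token_urlsafe(32)
        self._sessions[new_ticket] = {**state, 'otp_done': True, 'issued': now}
        return new_ticket

    def logout(self, ticket: str) -> None:
        self._sessions.pop(ticket, None)         # invalidate server side, not just the cookie

    def is_authenticated(self, ticket: str, now: float) -> bool:
        # Every protected request: look the cookie up; never trust the client's view.
        state = self._sessions.get(ticket)
        if state is None or not state['otp_done']:
            return False
        if now - state['issued'] > self.ttl:
            self._sessions.pop(ticket, None)     # expired ticket is dropped
            return False
        return True

def replay_scenarios() -> dict[str, bool]:
    """Which replayed cookies the server would still honour (constructed scenarios)."""
    store = SessionStore(ticket_ttl_s=600)
    t0 = time.time()
    pre = store.start_password_stage('USER1', t0)
    post = store.complete_otp(pre, t0)
    post2 = store.complete_otp(store.start_password_stage('USER1', t0), t0)
    store.logout(post2)
    return {
        'pre-OTP ticket replayed': store.is_authenticated(pre, t0),
        'post-OTP ticket, still live': store.is_authenticated(post, t0),
        'post-OTP ticket after logout': store.is_authenticated(post2, t0),
        'post-OTP ticket after expiry': store.is_authenticated(post, t0 + 601),
    }
```

The only scenario that still grants access is a post-OTP ticket the server has not yet expired or invalidated, which is why server-side logout handling and a short ticket lifetime matter more than anything the browser displays.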
Hey experts,
I need your help!
We make web service calls to SAP ME with our own software.
We connect to our software via SSL and certificates, e.g. https://host:50001/XMII/CM/POD/MEDialogsWeb.irpt
At the beginning the software runs without any problems, and then we get the following message on all our web services:
That's the web service configuration
(Configuration - Connectivity - Single Service Administration):
(configuration - security - authentication and single sign-on)
If we restart the software after the error is displayed, the web service call runs successfully again.
Is it a timeout?
Can anybody help us?
Thanks,
Markus
our system info:
NetWeaver 7.30 Java
SAP ME 6.0
----
When the software runs, the log looks as follows:
When the software doesn't run, the log looks as follows:
Security log entry
More info from security_00.0.log:
#2.0 #2014 06 06 14:51:17:136#+0200#Warning#/System/Security/WS#
com.sap.ASJ.wssec.020142#BC-ESI-WS-JAV-RT#tc~sec~wssec~service#C0000A650AD826FF0000000100000BEC#3855850000000005#sap.com/me~ws#com.sap.engine.services.wssec.authentication#Guest#0##207092CAED7111E3A01A0000003AD5EA#23386e31ed7911e39d560000003ad5ea#23386e31ed7911e39d560000003ad5ea#0#Thread[HTTP Worker [@648881277],5,Dedicated_Application_Thread]#Plain##
Received unsupported callback: com.sap.engine.interfaces.security.auth.SetLogonTicketCallback
Received unsupported callback: com.sap.engine.lib.security.http.HttpSetterCallback
Read data of type username and value MEFLEX from wsse:Security header and set on module javax.security.auth.callback.NameCallback
Read data of type username and value from HTTP header and set on module javax.security.auth.callback.NameCallback
Read data of type password and value xxx from wsse:Security header and set on module javax.security.auth.callback.PasswordCallback
Read data of type password and value xxx from HTTP header and set on module javax.security.auth.callback.PasswordCallback
Authentication for web service ShopOrderService, configuration ShopOrderService using security policy BASIC*SSO2*_*_*ws failed: Cannot authenticate the user.. (See SAP Note 880896 for further info).
#
Hi,
1. I plan to install the Biller Direct Java instance and the MS SQL Server database across the firewall. Would that be an issue? What ports should be open for installation?
2. The R/3 back end is also in the same subnet as the Biller Direct database. If I use HTTP SSL for connecting Biller Direct to R/3, what ports should be open?
3. What's the port for the JCo connection between the Java instance and the ABAP instance? I know for the ABAP instance we need port 3300, but what port is it when data is sent back to the Java instance from ABAP?
Thanks.
Hi all, please kindly comment following job role design:
(1) transaction role:
Keep transactions in a single job role to represent business processes in different application areas, e.g. MM: maintain PR, PO, OA. CO: maintain cost center, internal order. HR: maintain org structure, personnel management.
The single job role will only keep the role menu and object S_TCODE, and inactivate all other application-related authorization objects.
(2) authorization role
Keep application component related authorization objects except S_TCODE in a single job role per application area, e.g. objects of MM_B, MM_E, MM_G in the MM role; objects of K_CCA, K_CSKS_SET in the CO role; objects of HR in the HR role.
Then maintain the org levels of the MM, CO and HR roles for different companies, e.g. company A MM role, company A CO role, company A HR role, company B MM role, ...
User will be assigned transaction role + auth object role. For example, user of company A to perform MM and CO functions will be assigned
with MM transaction role + company A MM role + company A CO role.
Please let me know the pros and cons of above design. Thanks.
Regards,
Donald
* I can see that the disadvantage of this design is that during an SAP upgrade (SU25), revised authorization objects will not be reflected in the authorization role.
Hi,
We recently moved from EHP5 to EHP7 and an additional check is done when using transaction SCU3 for S_TABU_DIS / Group SA / Activity 02.
We have 2 Z tables maintained by our data team; 2 Z transactions allow for the table maintenance via SM30; both tables have been associated with a Z authorisation group.
Since EHP7 has been implemented we can no longer view the log on these tables.
SU53 and traces are listing the need for S_TABU_DIS Activity 02 for the SA Auth group; that group is created by SAP and covers quite a few other tables; I have tried to limit the access to the log table DBTABLOG via S_TABU_NAM but it is still not working.
I can't understand why activity 02 should be required at all in that scenario and can't find any related OSS Note.
Has anyone come across a similar issue? I am not sure why a change activity should be required when I only want to display the change log.
thank you
Coco
Dear Experts,
We have a requirement from our client with regards to authorization of master data.
Example: Indian users should only be able to access Indian company code data (vendor, material or customer data), meaning they cannot see foreign vendors or customers. Is there any way in SAP we can meet this requirement?
Thanks
Vijaya Rebala
Hi,
I have created another user by copying my ID through SU01 in BW 7.0. But when the new user goes to PFCG and tries to change any role, only the following tabs are shown: Description, Menu, Authorization, User. Under the Authorization tab, 'Change authorization data' is not shown; it is only showing 'Display authorization data'.
Whereas when I try with my user ID, I am perfectly able to go in and change the profile and authorization. When I tried to log in to my SAP system using his ID, it still showed the same error.
Please suggest what changes I need to make for his PFCG to work properly.
Thanks
Anyone come across the following issue with single sign on between SAP and SuccessFactors?
Caused by: dk.itst.oiosaml.sp.model.validation.ValidationException: The assertion must contain the service provider https://www.successfactors.eu or the company-wide service provider https://www.successfactors.eu/<companyID> within the Audience list: [https://www.successfactors.com]
at com.successfactors.authentication.service.saml2.extend.SFSAML2AssertionValidator.validate(SFSAML2AssertionValidator.java:90)
at dk.itst.oiosaml.sp.model.OIOAssertion.validateAssertion(OIOAssertion.java:217)
at com.successfactors.authentication.service.saml2.SFSAML2AssertionConsumerHandler.handleSAMLResponse(SFSAML2AssertionConsumerHandler.java:525)
... 58 more
Our SF instance is in Amsterdam; perhaps there is a certificate for .eu rather than .com. Any pointers most welcome!
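As an added example (not the SuccessFactors or OIOSAML code from the trace), this Python check reproduces the audience validation the exception describes: the assertion passes only when its AudienceRestriction lists the regional service-provider entity ID or the company-wide form of it. The assertion XML is constructed, unsigned and minimal, the company ID is a placeholder, and signature and timestamp checks are out of scope here.

```python
import xml.etree.ElementTree as ET

SAML_NS = {'saml': 'urn:oasis:names:tc:SAML:2.0:assertion'}

def audiences_of(assertion_xml: str) -> list[str]:
    """Collect every Audience listed under the assertion's AudienceRestriction."""
    root = ET.fromstring(assertion_xml)
    path = './/saml:Conditions/saml:AudienceRestriction/saml:Audience'
    return [a.text.strip() for a in root.findall(path, SAML_NS) if a.text]

def audience_ok(assertion_xml: str, sp_entity_id: str, company_id: str) -> bool:
    """Accept only if the SP entity ID or its company-wide form is an Audience."""
    allowed = {sp_entity_id, f'{sp_entity_id}/{company_id}'}
    return any(aud in allowed for aud in audiences_of(assertion_xml))

def assertion_with_audience(audience: str) -> str:
    """Constructed minimal (unsigned) assertion carrying one Audience."""
    return f'''<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Conditions NotBefore="2014-01-01T00:00:00Z" NotOnOrAfter="2014-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>'''

EU_SP = 'https://www.successfactors.eu'
COMPANY_ID = 'COMPANY_ID_PLACEHOLDER'   # the real value is company-specific

def check_scenarios() -> dict[str, bool]:
    """The reported mismatch next to the two audiences the validator accepts."""
    return {
        'audience .com, SP .eu (the reported error)':
            audience_ok(assertion_with_audience('https://www.successfactors.com'),
                        EU_SP, COMPANY_ID),
        'audience .eu, SP .eu':
            audience_ok(assertion_with_audience(EU_SP), EU_SP, COMPANY_ID),
        'audience .eu/<companyID>, SP .eu':
            audience_ok(assertion_with_audience(f'{EU_SP}/{COMPANY_ID}'),
                        EU_SP, COMPANY_ID),
    }
```

The fix on the identity-provider side is therefore to issue the assertion for the audience the regional SP expects, not to change the certificate.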
Is there a way to run an activity report on the exact time a user has logged out of the system?
Also, where would I view the "idle" minutes or seconds set in SAP to automatically log a user out of the system?
Hi experts ,
In my logon module, after user name and password verification against the UME database, we are using
this code:
//----------------------------------------------------------------------------------------------------------------------------------------------------
// hand the verified user ID and the decrypted password to the UME logon via request attributes
req.setAttribute("j_user", myBean.getUid());
req.setAttribute("j_password", UMEFunction.getDecryptedPwd(myBean.getSecurityCode(), myBean));
UMEFunction.checkLogonStatus(myBean.getUid(), session.getId(), 0, "LE");
// UME performs the actual logon with the "uidpwdlogon" configuration, then redirect to the portal launcher
UMFactory.getLogonAuthenticator().logon(req, resp, "uidpwdlogon");
resp.sendRedirect("/irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default");
//----------------------------------------------------------------------------------------------------------------------------------------------------
req --> HTTP request and resp --> HTTP response
Here we can see that in the request we are storing j_user, holding the login ID, and then j_password, holding the password as clear text.
Can we pass a hashed password to this instead of sending the password in plain text?
Regards
Govardan Raj