SAP ECC Upgrade Checkoff List
We are currently on ECC 6.0 SAP_BASIS Release 731, SP 4. We are upgrading to SP13. Is there a checklist (from an SAP Security perspective) available that can assist me with any and all changes or gotchas with this upgrade or any upgrade? Something that could also tell me where to go for information specific to an upgrade from one SP to another.
Enable System --> List --> Save --> Local File option in ECC6
Hi Friends,
When I try to transfer SU53 data to a text file or some other format I am unable to do it, because the "Local File" option is disabled and '%PC' is also not working. Please help me out to get rid of this.
Sri.
Login from GUI and Portal - Backend Logged Information
Hi All,
We have the scenario below and require suggestions on it... Please help.
We have created 2 Employee IDs; one logged in to the GUI and the other logged into the Portal...
We checked the logged-on information in SAP and couldn't find any difference between a login to SAP and a login to the portal...
Please suggest how to check whether a user is logged into the portal...
SNC Without SSO - Multiple Domains
Hi Everyone,
We are trying to enable SNC without SSO and have some queries around it. I have gone through different posts discussing views and solutions in this area and I noticed that they mostly address the context where SSO is involved.
With SAP GUI 7.2 SP 7 we have a feature in the GUI where we can configure logon with user ID & password without SSO.
In the thread below it is discussed that if we pass the user ID & password then no trust is required between the domains, even though multiple domains are involved, as the system recognizes the user by the supplied user ID and password and authenticates.
In our context there are multiple domains involved.
SAP System - Domain A
User Group 1 - Domain B (Scenario 1)
User Group 2 - Domain C (Scenario 2)
User Group 3 - Work from home through VPN. (Scenario 3)
Domain A is used for hosting the SAP systems, and the user ID/SPN of the SAP service is to be defined in Domain B. Without trust between the domains and with no requirement for SSO, can you please provide input on whether SNC can work in the three scenarios described above.
Please let me know if you require any further details here.
Thanks & Regards
Jay
Check which authentication method a user has used
Hi,
As part of a custom system login class (subclass of CL_ICF_SYSTEM_LOGIN), I would like to determine the method of authentication used.
Specifically I want to confirm that the logon method was SAML based.
Is there a way I can do this from the ABAP side?
Regards
Dagfinn
Possibility to allow only digit based passwords in NetWeaver ABAP
Hi,
Is it possible to set up the password rules for NetWeaver ABAP so that only passwords consisting of digits are possible?
Based on the password rules here https://help.sap.com/saphelp_nw70ehp1/helpdata/en/d2/141fb593c742b5aad8f272dd487b74/content.htm it ought to be possible.
For a six-digit password I would try:
login/min_password_lng = 6
login/min_password_digits = 6
login/min_password_letters = 0
login/min_password_specials = 0
login/min_password_lowercase = 0
login/min_password_uppercase = 0
Has anyone tried this before?
Regards
Dagfin
Unpersonalized users
Hello All,
We are having a discussion about the use of unpersonalized (dialog) users for business purposes in our organisation.
Business wants to use these for trainees and to maintain a log of who used the user and when, including usage of valid-from and valid-to dates. The external auditor has agreed to that.
I don't like the idea at all, but I lack valid points to argue against it, as this was not an option in any of the companies I've worked for so far, and with the auditor agreeing to it, it is even harder. I just want to avoid getting into trouble at some point in the future. Could you please share some impacts that this could have?
greetings
Alexander Walkenhorst
Role description change
Hey all,
I have a question for all of you here: I want to change the description of a master role and further of its derived roles. Is there a shortcut where I can update the description in the master role and have it updated in all the derived roles?
Thanks
Gagan
Need to know regarding authorization object S_PROGNAM
Hi Experts,
During an upgrade we found that the switchable authorization object S_PROGNAM is checked in BW when trying to activate a data source through SE38. However, we have not found any transaction in SU22 that is tied to this authorization object.
My question is: for which transaction does authorization object S_PROGNAM need to be checked and maintained?
Also, will this authorization object S_PROGNAM also be needed in ECC, and does it need to be checked and maintained for any transaction?
Thanks
Somnath
LX16 Restriction to Specific Warehouse Numbers
Hi Experts,
Currently I am facing a weird situation in restricting the transaction LX16 for one of our clients. The basic scenario is:
1) The user wants to execute LX16 for only specified warehouse numbers/plants
2) The same user should have access to see the inventory for all warehouse numbers/plants
In both scenarios, from ST01, I noticed that auth object L_LGNUM is being checked. I have created two roles here:
Role 1 - Gives access to LX16 and restricts L_LGNUM to a specific WH number
Role 2 - Gives access to other WH display transactions like LS03N with L_LGNUM = '*'
As per the basic security concept, the display role is overriding Role 1 and the user is able to execute LX16 for other WH numbers as well.
Any idea how we can restrict the access? Your help is highly appreciated.
Thanks,
Krish
Communication vs. System User Types
All:
I was researching something else when I came across an article or note (I forgot which already), but what I do remember is that SAP was moving more towards System IDs and not using Communication IDs. Furthermore, Communication IDs could be changed over to System IDs with no impact (on account behavior).
My searches have come up short, and I'm now seeking to find out if anyone has read this or has insights into it.
- Matt
Could not validate SPNEGO token.java.lang.Exception: Checksum error.
Hello consultants:
We are trying to configure SSO using the SPNEGO module.
We have a Portal 7.0 EHP1 and Microsoft Active Directory 2003 native.
We have followed the steps described in SAP Note 1457499 "SPNego add-on".
When we log in with an Active Directory user and try to access the portal we get the following error:
Authorization check user error
We deployed the Web diagtool from SAP Note 1045019 on the J2EE server, ran it and performed the following steps:
1. Select "Component" = "security" and "Activity" = "all"
2. Click the "Go" button, followed by the "Add All" button
3. Select "Component" = "All" and in the "Search pattern" field write "com.sap.security.spnego"
4. Click the "Go" button, followed by the "Add All" button
5. Start the tool
Then we reproduced the problem and stopped the tool. The generated zip file contains the following error:
15:45:20:078 Error J2EE_GST_PRD SAPEngine_Application_Thread[impl:3]_15 ~p.security.spnego.krb5.crypto.DesCrypto Checksum error! checksum: 0xc46bfed8d0dbc54221ee75405c8cd5ac; calculated checksum: 0x6ead7e801608b729a6957597327f2ba5
15:45:20:078 Error J2EE_GST_PRD SAPEngine_Application_Thread[impl:3]_15 ~m.sap.security.spnego.SPNEGOLoginModule Could not validate SPNEGO token.
java.lang.Exception: Checksum error.
Could you help us?
Many thanks for your collaboration.
Problem with PRGN_INTERFACE_USER deleting SAP_ALL and SAP_NEW.
Hi all.
I'm having trouble deleting SAP_ALL and SAP_NEW from users. I am using the FM PRGN_INTERFACE_USER, but it is not solving it. I pass the following parameters: profile: SAP_ALL, user: ALEBWSEMBPS, action: 'D' and perform_checks: 'X'. Does anyone have any idea what is happening? I get sy-subrc = 0 in return.
Thank you and regards.
Erlon Lourenço
SSF signature using SHA1 and digital certificate
Hello
I have a requirement to sign data in an internal table using a certificate and then append the detached signature to a file which is to be sent to the bank. I have managed to import the certificate and I am signing using ssf_krn_sign; however, the bank says the digital signature being produced is too long. It's supposed to be 128 characters; we are using the SHA1 algorithm, BTW.
Regards
Florence
SU24 Customer Data Upload Issue
Hi All,
I have started the Security Upgrade activity (system upgraded from NW 7.31 to NW 7.4, SAP_BASIS 740 SP 0006) in sandbox system S30 (GTS ABAP).
Before starting SU25, I want to take a backup of USOBT_C and USOBX_C and ensure I'm able to upload them again.
But I'm currently facing an issue while trying to upload customer data in the SU24 tcode.
Procedure:
1) Execute SU24. Select "Download".
Enter tcode: /IWBEP/CACHE_CLEANUP (for simplicity). I tried first with *.
Uncheck "Originals only".
I have downloaded the file for this tcode successfully.
2) Execute SU24. Select "Upload". Select Type of Application as "Transaction" and enter the above tcode.
Execute and upload the file downloaded above.
I'm getting the error message below:
The error shown above is for object S_TCODE.
------------------------------------------------------------------------------------------
My Analysis:
I have debugged the standard code and the exact issue is found here:
Issue: This tcode has a TSTCA entry (S_TCODE auth check maintained in SE93) and a USOBX_C entry (S_TCODE SU24 auth check).
-----------------------------------------------------------------------------------------------------------------------
I replicated this for a Z tcode and had the same issue.
But when I removed the S_TCODE check in SE93 for this tcode, I was able to SUCCESSFULLY upload.
But the issue with this manual procedure is that I have many tcodes similar to this with many different auth. objects, i.e. a large number of entries in TSTCA which are also in the USOBX_C table.
I already tried SU24_AUTO_REPAIR and related OSS notes, and went through a lot of forums, but the issue still exists.
----------------------------------------------------------------------------------------------------------------------
Am I doing something wrong while trying to download/upload SU24 data? Or is this something SAP should fix?
Can anyone please help me with this issue?
Your help is much appreciated. Thanks in advance.
Cheers,
Srini.
Directly assigned Roles and users.
Friends,
We use role-based security in ECC 6.0; however, some of the roles have been assigned directly to the users.
How can I find out the list of users and roles that are directly assigned?
In SUIM, I did not see it. Is there a report that would provide this list?
Praveen.
Custom user attributes in SAP Cloud Identity
Hi all,
I'm considering SAP Cloud Identity as the user engine for my HCP application.
In my understanding, HCP maps users to groups and roles based on rules stored in the HCP account.
These rules are based on user attributes, and user attributes are stored in the Identity Provider.
Let's assume that I've configured SAP Cloud Identity as IdP for my HCP account.
Can I create custom attributes for users, so that HCP rules can map them to roles and groups?
Thanks, regards
Vincenzo
ERROR: -> Cannot export - JAVA is not the current PSE provider!
Hello Colleagues,
In our SAP PI 7.31 dual-stack system we are facing the following error, "ERROR: -> Cannot export - JAVA is not the current PSE provider!", under NetWeaver Administrator (NWA) --> Certificates and Keys: Key Storage, when we press the "Export View to PSE" button for the view "ICM_SSL_*".
As is the default for ABAP and dual-stack systems, profile parameter "ssl/pse_provider" is set to ABAP.
How can we solve that issue?
Many thanks in advance!
Regards,
Jochen
Difference between SAP BI and SAP BPC in terms of security
Hi Gurus,
Is there any difference between SAP BI and SAP BPC systems in terms of security? Does SAP BPC use analytical authorizations?
Thanks and Regards,
Syam
SAML2 Web Single Sign-on updates too many services.
We have just gone through the process of setting up Microsoft ADFS to be our Identity Provider for SAML2. This allows our users to access web content in SAP based on their windows PC logon.
After going through the process of using the SAML2 transaction to establish the trust relationship, we find that SAML2 web single sign-on is now enabled for far more than we ever intended. Two examples of where this is a problem include: 1) OData web services (/default_host/sap/opu/odata/sap) and 2) the NetWeaver Business Client (/sap/bc/nwbc).
What is the best process for selectively enabling SAML2 web single sign-on? It seems that we could go into SICF and switch individual service nodes to using the 'Alternate Logon Procedure' and then remove 'SAML Logon' from the Logon Procedure list. However, this requires us to touch way too many nodes. This process is, in effect, selectively disabling SAML2 web single sign-on. We are looking for a process where we can selectively enable SAML2 web single sign-on for the few places where we want it to be enabled (e.g. /default_host/sap/bc/webdynpro/sap).
Thank you in advance for your help.