Use configuration analytics to determine Cryptolib versions across your landscape

SAP Cryptolib is use for diverse security scenarios. In many cases it is simply installed and never updated.

This blog will explain how to use the configuration validation tool to quickly list all Cryptolib versions across your landscape.

Configuration analytics

Open the configuration and security validation FIORI tile:

Top left choose the searching for configuration items icon:

The search screen opens:

Now select the CRYPTOLIB store:

Now press the find button in the Find in configuration data field:

Results show:

Remark: the result is depending on your scope selected. Use the scope selection button to change the scope.

Other use cases

You can use the same method to get other information from the system.

Use the browsing for configuration items view to find what you are looking for:

Configuration validation to check for disablement of webadmin page

OSS note 2258786 – Potential information disclosure relating to SAP Web Administration Interface is describing the issue that the web administration interface is publicly available if you didn’t configure your system correctly. More background can be found in this blog. This item is misconfigured on a lot of systems. It is present in ABAP, JAVA and web dispatcher.

If you start to fix this item, you want to keep track of the progress, and also in the future you want to check if the setting is done correctly for new systems and after updates, upgrades, etc.

Setting up the configuration validation rule

Go to the security and configuration validation policy tile:

Create a new policy with the following syntax for ABAP:

<configstore name="ABAP_INSTANCE_PAHI">
<checkitem desc="icm/HTTP/admin_0" id="ICM_HTTP_ADMIN">
  <compliant>NAME = 'icm/HTTP/admin_0' and VALUE  like '%ALLOWPUB=FALSE%' </compliant>
  <noncompliant>NAME = 'icm/HTTP/admin_0' and not ( VALUE like '%ALLOWPUB=FALSE%' ) </noncompliant>

For JAVA and webdispatcher:

<configstore name="DEFAULT.PFL">
<checkitem desc="icm/HTTP/admin_0" id="ICM_HTTP_ADMIN">
      <compliant>TEXT like '%admin_0%' and TEXT  like '%ALLOWPUB=FALSE%' </compliant>
      <noncompliant>TEXT like '%admin_0%' and not ( TEXT like '%ALLOWPUB=FALSE%' ) </noncompliant>

The rule says: if the subparameter ALLOWPUB is defined with value FALSE it is ok. In all other cases it is not ok.

Running the rule

Now you can run the rule and check if your systems are compliant: