Detecting long running DIA process…

In some exceptional cases you can have a DIA process that runs for a long time without action and still occupies the resources.

You can create a custom monitoring metric to measure and act on this.

Creation of the custom metric for detecting long running DIA processes

Create a custom metric following the steps in this blog. The template to be adjusted is the technical system SAP ABAP 7.10 and higher template.

Don’t forget to tick it on for monitoring; otherwise it is not active.

In expert mode create a custom metric.

Create technical name Z_METRIC_LONGRUN_DIA_WP_36HRS:

Now set up the definition for the data collection:

It uses push data collection.

And set the usage:

Last but not least: you need to set the alerting threshold:

The alert is raised if a single DIA work process is running longer than 36 hours.

Save the custom metric and make sure the template reassignment is done to activate the custom metric for your systems.

Determining configuration changes…

In SAP Focused Run the Configuration and Security validation tool captures a lot of detailed configuration data. This tool can be used to determine configuration changes that were done to your systems.

Configuration changes

Go to the Configuration and Security Analytics FIORI tile:

On the left side choose the tool to display configuration changes:

In the next screen you can see the changes per system:

In the details you can see what has been changed and when.

Search for specific configuration changes

You can also search for specific configuration changes. Open the find tool and select the change store (in this example RFC destinations):

Now you get the detailed list of changes:

The easiest overview is the table view. It also allows an Excel download.

Remark: the default time frame is 1 week. If you need to search a different period, change the time frame selection.

Health monitoring overview…

Health monitoring can be used to monitor special use cases:

Health monitoring

Health monitoring can be started with the FIORI tile:

The overview screen opens:

From the overview you can immediately zoom to the error by clicking on the red bar:

Health monitoring content update

For updating content of health monitoring, follow the instructions in OSS note 3360399 – Unable to import the FRUN-CONT package FRUNCONT40003_0-80008241.ZIP.

Configuration and Alerts

Each scenario needs to be configured. For the configuration per scenario read the separate detailed blogs:

Per scenario you can choose to create an alert in case of issues. The alert is then sent to the central Alert overview.

Hotnews note 3145987…

Unfortunately SAP had to release hotnews OSS note 3145987 – [CVE-2022-24396] Missing Authentication check in SAP Focused Run (Simple Diagnostics Agent 1.0). More background can be found in that note and in the Q&A note: 3148440 – Q&A for SAP Security Note 3145987.

What is the problem?

From the note “The Simple Diagnostics Agent 1.0 (up to version 1.57.*) does not perform any authentication checks for functionalities that can be accessed via localhost on http port 3005. Due to lack of authentication checks, an attacker could access administrative or other privileged functionalities and read, modify or delete sensitive information and configurations.”.

What to do to fix it?

The fix is two steps:

1. Update the host agent to version 7.22 PL55 or later as a prerequisite (see OSS note 3113553 – SAP Host Agent 7.22 PL55)

2. After step 1 update the SDA (simple diagnostics agent) to version 1.58.0 or later (see OSS note 3113553 – SAP Host Agent 7.22 PL55). You can do a mass deployment using the Agent Mass Update tile.
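
The two fix steps applied to an agent inventory, as an added example (not part of the original blog and not SAP tooling). The CSV layout, host names and function names are assumptions made for illustration; only the two minimum versions come from the steps above.

```python
import csv
import io
import re

# Minimum versions taken from the two fix steps above.
MIN_HOST_AGENT = (7, 22, 55)  # SAP Host Agent 7.22 PL55
MIN_SDA = (1, 58, 0)          # Simple Diagnostics Agent 1.58.0

# Constructed sample inventory (hypothetical hosts and export format).
SAMPLE = """host,host_agent,sda
sapapp01,7.22 PL54,1.57.2
sapapp02,7.22 PL55,1.57.9
sapapp03,7.22 PL57,1.58.0
sapdb01,7.21 PL40,1.58.1
"""

def parse_host_agent(text):
    """'7.22 PL55' -> (7, 22, 55); reject anything else instead of guessing."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\s+PL\s*(\d+)\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised host agent version: {text!r}")
    return tuple(int(g) for g in m.groups())

def parse_sda(text):
    """'1.57.3' -> (1, 57, 3); missing trailing parts count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def next_action(host_agent, sda):
    """Return the next fix step for one host, honouring the step order."""
    if parse_host_agent(host_agent) < MIN_HOST_AGENT:
        return "step 1: update host agent"   # prerequisite comes first
    if parse_sda(sda) < MIN_SDA:
        return "step 2: update SDA"
    return "ok"

def triage(inventory_csv):
    """Map every host in the CSV text to its next action."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: next_action(r["host_agent"], r["sda"]) for r in rows}

if __name__ == "__main__":
    for host, action in triage(SAMPLE).items():
        print(f"{host:10} {action}")
```
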

How to monitor the follow up?

Open the Self monitoring FIORI tile:

Click on the SDA icon on the left:

Check that all versions are ok:

Trend analysis for configuration and security analytics…

Since Focused Run 3.0 feature pack 2 a new FIORI tile is present: trend analysis for configuration and security analytics:

Prerequisites

For the policy to work, you first need to schedule it in the policy management tile. Select the policy and press the Configure button:

On the popup screen press the Edit button:

Set the scheduling frequency and save the data.

Use of the trend analysis

Opening the trend analysis tile starts with the overview screen:

You can change the timeframe of the analysis and scope with the normal icons top right.

Selecting a policy will open the trend graph below:

Below that graph are the details for the systems:

Organizational use of the trend analysis

The trend analysis can be used to quickly see for your important security policies how the situation is developing.

When strengthening the policies, you will initially see many non-compliant systems. Often some sandboxes or development systems are forgotten. The trend analysis will spot them, and you can act on it.

Housekeeping in SAP Focused Run…

Housekeeping in SAP Focused Run is needed for 3 reasons:

  1. Keep performance high
  2. Reduce data footprint on the database
  3. Stay within the licensed volume (see more on licenses of SAP Focused Run in this blog)

Questions that will be answered in this blog are:

  • Which housekeeping settings can I make in SAP Focused Run?

Housekeeping for alert and event management

For alert and event management housekeeping program AEM_HOUSEKEEPING should be running in batch:

Housekeeping for system analysis and root cause analysis

For system analysis housekeeping, schedule programs SRAF_LOG_HOUSEKEEPING and WEA_AGG_STORE_PARTITIONING. For root cause analysis, schedule program RCA_HOUSEKEEPING.

Detailed settings for RCA housekeeping are done in table RCA_HKCONFIG. You can maintain this table with SM30:

Housekeeping for application integration monitoring

For application integration monitoring housekeeping, schedule program /IMA/HOUSEKEEPING for older releases and /IMA/HOUSEKEEPING_NEW for FRUN 3.0 FP01 onwards.

In the tile for integration monitoring you maintain the detailed settings and retention periods:

Press the change button to alter the data retention periods towards your need:

Housekeeping for EWA data

For EWA data housekeeping, schedule program FRUN_DELETE_SERVICE_DATA:

Important: by default 1 year of EWA data is kept. If you need more, increase the days kept. If you want to clean up more, you can reduce the days.

Housekeeping for health monitoring

For health monitoring housekeeping, schedule program OCM_HOUSEKEEPING.

Housekeeping for statistical records

For housekeeping of statistical records, schedule program AI_STATRAGG_HOUSEKEEPING:

Housekeeping for work mode management

For housekeeping of work mode management, schedule program WMM_HOUSEKEEPING:

Housekeeping for security and configuration validation

In the Configuration and configuration analytics Administration tile, choose the configuration icon:

Here you can set the retention period.

Technical clean up

The above describes the housekeeping for Focused Run objects. If you also want to perform a technical clean up, read this dedicated blog.

Security and configuration validation to check if HTTP port is active…

Security & configuration validation can be used to check if on any ABAP stack the HTTP port is activated. Depending on your security concept this might be forbidden. Checking across all systems is a cumbersome job. Here the security and configuration check function of SAP Focused Run can help.

Setting up security and configuration validation rule to check if HTTP port is active

Go to the security and configuration validation policy tile:

Create a new policy with the following syntax:

<?xml version="1.0" encoding="utf-8"?>
<targetsystem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" desc="Checks whether only HTTPS is active in SMICM" id="SMICM_HTTPSONLY" multisql="Yes" version="0000" xsi:schemaLocation="csa_policy.xsd">
  <configstore name="ABAP_INSTANCE_PAHI">
    <checkitem desc="item description" id="1.0.0.0">
      <compliant>NAME like 'icm/server_port_%' and NOT (VALUE like '%HTTP,%' ) </compliant>
      <complianttext/>
      <noncompliant>NAME like 'icm/server_port_%' and VALUE like '%HTTP,%' </noncompliant>
      <noncomplianttext/>
    </checkitem>
  </configstore>
</targetsystem>

Basically the rule says: no http found is ok and any http found is not ok.
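
The rule's pattern logic replayed over constructed parameter values, as an added example (not part of the original blog or of SAP Focused Run). The function names and sample rows are assumptions for illustration, and `parsed_rating` is a comparison written for this example, not a feature of the policy language; the last icm row shows that the pattern depends on `HTTP` being directly followed by a comma.

```python
import re

# Conditions from the policy above:
#   compliant:    NAME like 'icm/server_port_%' and NOT (VALUE like '%HTTP,%')
#   noncompliant: NAME like 'icm/server_port_%' and VALUE like '%HTTP,%'

def sql_like(value, pattern):
    """Case-sensitive SQL LIKE: % matches any run, _ any single character."""
    rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def policy_rating(name, value):
    """Rating the page's rule gives one ABAP_INSTANCE_PAHI row."""
    if not sql_like(name, "icm/server_port_%"):
        return "not rated"
    return "noncompliant" if sql_like(value, "%HTTP,%") else "compliant"

def parsed_rating(name, value):
    """Order-independent comparison: split into KEY=VALUE pairs and read PROT."""
    if not name.startswith("icm/server_port_"):
        return "not rated"
    pairs = {k.strip().upper(): v.strip().upper()
             for k, v in (p.split("=", 1) for p in value.split(",") if "=" in p)}
    return "noncompliant" if pairs.get("PROT") == "HTTP" else "compliant"

# Constructed sample rows (hypothetical values, not taken from a real system).
SAMPLE_ROWS = [
    ("icm/server_port_0", "PROT=HTTP,PORT=8000,TIMEOUT=60"),
    ("icm/server_port_1", "PROT=HTTPS,PORT=44300"),
    ("icm/server_port_2", "PROT=SMTP,PORT=25"),
    # Assumption: key order reversed, only to show what the pattern relies on.
    ("icm/server_port_3", "PORT=8001,PROT=HTTP"),
    ("rdisp/wp_no_dia", "10"),
]

def disagreements(rows):
    """Rows where the LIKE pattern and the parsed check give different ratings."""
    return [(n, v) for n, v in rows if policy_rating(n, v) != parsed_rating(n, v)]

if __name__ == "__main__":
    for n, v in SAMPLE_ROWS:
        print(f"{n:20} {v:32} {policy_rating(n, v):13} {parsed_rating(n, v)}")
```
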

Running the check

Running the check shows all systems where HTTP is active in red, and in green where only HTTPS is active or nothing is active:

ABAP system monitoring detecting resource exhaustion…

From availability perspective, you want to detect as quickly as possible if you are suffering from resource exhaustion.

You can create a custom monitoring metric to measure and act on this.

Creation of the custom metric for resource exhaustion

Create a custom metric following the steps in this blog. The template to be adjusted is the technical instance SAP ABAP 7.10 and higher template.

Don’t forget to tick it on for monitoring; otherwise it is not active.

In expert mode create a custom metric.

Create technical name Z_EXHAUST:

In the data collection:

Data to enter: RFC on diagnostics agent (push). Select ABAP System Log Stats. Filter on message number Q40. This is the message for resources exhausted. For more information on system log messages, read this blog.

Set the usage to monitoring:

Define the threshold for alerting:

And assign the metric to the ABAP Instance not available alert group:

ABAP system monitoring detecting PRIV modes…

When your system has too many PRIV modes, it is about to fall over. This situation must be detected and acted upon.

You can create a custom monitoring metric to measure and act on this.

Creation of the custom metric for detecting PRIV modes

Create a custom metric following the steps in this blog. The template to be adjusted is the technical system SAP ABAP 7.10 and higher template.

Don’t forget to tick it on for monitoring; otherwise it is not active.

In expert mode create a custom metric.

Create technical name Z_METRIC_DIA_WP_PRIV:

Now set up the definition for the data collection:

This will collect the PRIV dialog processes in percentage.

Mark the custom metric as relevant for monitoring:

And set the usage:

Last but not least: you need to set the alerting threshold:

Save the custom metric and make sure the template reassignment is done to activate the custom metric for your systems.

ABAP system certificate monitoring…

In system monitoring you can monitor if ABAP system certificates are expiring or are already expired. For centrally monitoring SSL certificates, read this blog.

SAP provides a standard metric for this based on configuration validation rule SAP ABAP PSE CERTIFICATES CHECK. This rule selects all certificates that will expire in the next 7 days, plus all certificates that have already expired.

This rule has two drawbacks:

  • 7 days upfront warning might be too short
  • It reports all expired certificates that are already years expired and don’t harm the system

New rules

For the improved setup we will define 2 new rules:

  • To be expired certificates, with date selection -30 till tomorrow
  • Expired certificates, with date selection today till next 30 days.

Start with creating the policy in configuration validation (more on configuration validation in this blog):

Add a new policy Z_ABAP_PSE_TO_BE_EXP for the to be expired, and give it this syntax:

Add a new policy Z_ABAP_PSE_EXP for the expired ones:

Both are basically a copy of the standard SAP one with the changed dates.

Please note you need to change both the dates in the Compliant and Non-Compliant section.

Create custom metric

Now you can create a custom metric using the newly created rule. For full description on how to create custom metrics, read this blog. Create the custom metric in the ABAP system template:

Refer to the newly created custom CoVa (configuration validation) rule:

And set the threshold:

For the to be expired certificates, we only want warning.

We repeat the same for the expired certificates, but now we make it a red alert by setting the thresholds differently.

Make sure both are now activated for monitoring:

Troubleshooting

False alerts might be raised for this metric. This applies to both the custom and the standard SAP metric. The source is usually the data collection.

SAP note 3138046 – False Alert ABAP PSE certificates expiring in Focused Run describes the checks to perform.

Go to the configuration and configuration validation FIORI tile:

Select the system and search for the PSE certificates data collection details: