Use configuration analytics to determine Cryptolib versions across your landscape

SAP Cryptolib is use for diverse security scenarios. In many cases it is simply installed and never updated.

This blog will explain how to use the configuration validation tool to quickly list all Cryptolib versions across your landscape.

Configuration analytics

Open the configuration and security validation FIORI tile:

Top left choose the searching for configuration items icon:

The search screen opens:

Now select the CRYPTOLIB store:

Now press the find button in the Find in configuration data field:

Results show:

Remark: the result is depending on your scope selected. Use the scope selection button to change the scope.

Other use cases

You can use the same method to get other information from the system.

Use the browsing for configuration items view to find what you are looking for:

Configuration validation to check for disablement of webadmin page

OSS note 2258786 – Potential information disclosure relating to SAP Web Administration Interface is describing the issue that the web administration interface is publicly available if you didn’t configure your system correctly. More background can be found in this blog. This item is misconfigured on a lot of systems. It is present in ABAP, JAVA and web dispatcher.

If you start to fix this item, you want to keep track of the progress, and also in the future you want to check if the setting is done correctly for new systems and after updates, upgrades, etc.

Setting up the configuration validation rule

Go to the security and configuration validation policy tile:

Create a new policy with the following syntax for ABAP:

<configstore name="ABAP_INSTANCE_PAHI">
<checkitem desc="icm/HTTP/admin_0" id="ICM_HTTP_ADMIN">
  <compliant>NAME = 'icm/HTTP/admin_0' and VALUE  like '%ALLOWPUB=FALSE%' </compliant>
  <complianttext/>
  <noncompliant>NAME = 'icm/HTTP/admin_0' and not ( VALUE like '%ALLOWPUB=FALSE%' ) </noncompliant>
  <noncomplianttext/>
</checkitem>
</configstore>

For JAVA and webdispatcher:

<configstore name="DEFAULT.PFL">
<checkitem desc="icm/HTTP/admin_0" id="ICM_HTTP_ADMIN">
      <compliant>TEXT like '%admin_0%' and TEXT  like '%ALLOWPUB=FALSE%' </compliant>
      <complianttext/>
      <noncompliant>TEXT like '%admin_0%' and not ( TEXT like '%ALLOWPUB=FALSE%' ) </noncompliant>
      <noncomplianttext/>
</checkitem>
</configstore>

The rule says: if the subparameter ALLOWPUB is defined with value FALSE it is ok. In all other cases it is not ok.

Running the rule

Now you can run the rule and check if your systems are compliant:

Age of system components

Your system landscape contains a lot of components. For security and compliance it is important to keep the system in good shape with regards to patches and updates.

SAP Focused Run can help you with the check on the age of your system components;

  1. Tactical dashboard
  2. Configuration validation rule

Tactical dashboard

The first method to check for component age is the use of the tactical dashboard. The highlights are explained in this blog.

Result of the tactical dashboard for components:

In the threshold settings you can fine tune the levels to give warning or red flag:

Configuration validation rule

From the text below or from the github site of Focused Run you can download this policy:

COMPONENT like '%' and VERSION like '%' and SP_REL_DATE != '' and <?xml version="1.0" encoding="utf-8"?>
<!--
Exclude software components for which SP_REL_DATE is empty
Version: 002
Date:    July 16 2021
-->
<targetsystem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" desc="Age of component level" id="AGE_COMP" multisql="Yes" version="0000" xsi:schemaLocation="csa_policy.xsd">
  <!-- Basic -->
  <configstore name="COMP_LEVEL">
    <checkitem desc="Age of Component Level - ABAP" id="ABAP.AGE_COMP.01" not_found="ignore" system_attributes="SYSTEM_TYPE:ABAP">
      <compliant>
      COMPONENT like '%' and VERSION like '%' and SP_REL_DATE != '' and (add_days(current_date,-730)) &lt; (CASE WHEN SP_REL_DATE like_regexpr '^\d{8,8}$' THEN SP_REL_DATE WHEN SP_REL_DATE = 'NEWER' THEN CURRENT_DATE ELSE '00000000' END)
      </compliant>
      <noncompliant>
      COMPONENT like '%' and VERSION like '%' and SP_REL_DATE != '' and not (add_days(current_date,-730)) &lt; (CASE WHEN SP_REL_DATE like_regexpr '^\d{8,8}$' THEN SP_REL_DATE WHEN SP_REL_DATE = 'NEWER' THEN CURRENT_DATE ELSE '00000000' END)
      </noncompliant>
    </checkitem>
    <checkitem desc="Age of Component Level - JAVA" id="JAVA.AGE_COMP.01" not_found="ignore" system_attributes="SYSTEM_TYPE:JAVA">
      <compliant>
      COMPONENT like '%' and VERSION like '%' and SP_REL_DATE != ''and (add_days(current_date,-730)) &lt; (CASE WHEN SP_REL_DATE like_regexpr '^\d{8,8}$' THEN SP_REL_DATE WHEN SP_REL_DATE = 'NEWER' THEN CURRENT_DATE ELSE '00000000' END)
      </compliant>
      <noncompliant>
      COMPONENT like '%' and VERSION like '%' and SP_REL_DATE != '' and not (add_days(current_date,-730)) &lt; (CASE WHEN SP_REL_DATE like_regexpr '^\d{8,8}$' THEN SP_REL_DATE WHEN SP_REL_DATE = 'NEWER' THEN CURRENT_DATE ELSE '00000000' END)
      </noncompliant>
    </checkitem>
  </configstore>
</targetsystem>

Use this to set up a new policy called AGE_COMP (for detailed instructions for setting up new policy, see this blog):

By default the rule is taking 730 days. You can adjust the value as per your needs.

Now you can run the query to get an easy overview across the systems:

Don’t be afraid if you have high number in the beginning; most of the cases this is due to HR components being outdated.

Monitoring Cloud Connector BTP Certificate Expiry

With SAP Focused Run 3.0 FP 2 SAP has delivered a configuration validation policy using which you can monitor Cloud Connector BTP Certificate expiry.

Note: For using this functionality you just have to ensure that you have registered your cloud connector managed system to your Focused Run System and have performed SSI for the cloud connector managed system.

You can do the monitoring via the Configuration & Security Analytics app in the Advanced Configuration Monitoring area of Focused Run Launchpad.

In the app click on the select button to select the policy to monitor Cloud Connector BTP Certificates.

In the pop-up you can search for SCC and then select the policy SAP_SCC_PSE_CERT. This is the standard policy delivered by SAP that performs configuration validation on Cloud Connector BTP Certificate expiry.

This policy monitors if a BTP certificate in cloud connector system is going to expire in less than 30 days or is already expired.

The first view upon selecting the policy is the Systems view. In this view all SAP Cloud Connector systems registered in Focused Run system are listed. A systems is marked as non compliant if it has any certificate which is going to expire in less than 30 days or has any expired certificates. This view also tells how many certificates are there in the system and how many are non compliant.

You can click on the row to see the details of the certificates which are expiring or expired.

To know more about Configuration and Security Analytics you can refer here.

Also you can find more detail at SAP documentation here.

Determining configuration changes

In SAP Focused Run the Configuration and Security validation tool captures a lot of detailed configuration data. This tool can be used to determine configuration changes that were done to your systems.

Configuration changes

Go to the Configuration and Security Analytics FIORI tile:

On the left side choose the tool to display configuration changes:

In the next screen you can see the changes per system:

In the details you can see what has been changed and when.

Search for specific configuration changes

You can also search for specific configuration changes. Open the find tool and select the change store (in this example RFC destinations):

Now you get the detailed list of changes:

The easiest overview is the table view. This allows also for Excel download.

Remark: the time frame default 1 week. If you need search different period, change the time frame selection.

Trend analysis for configuration and security analytics

Since Focused Run 3.0 feature pack 2 a new FIORI tile is present: trend analysis for configuration and security analytics:

Prerequisites

For the policy to work, you first need to schedule it in the policy management tile. Select the policy and press the Configure button:

On the popup screen press the Edit button:

Set the scheduling frequency and save the data.

Use of the trend analysis

Opening the trend analysis tile starts with the overview screen:

You can change the timeframe of the analysis and scope with the normal icons top right.

Selecting a policy will open the trend graph below:

Below that graph are the details for the systems:

Organizational use of the trend analysis

The trend analysis can be used to quickly see for your important security policies how the situation is developing.

When strengthening the policies, you will see many non compliant systems initially. Often some sandboxes, or development systems are forgotten. The trend analytics will spot it, and you can act on it.

Security and configuration validation to check if HTTP port is active

Security & configuration validation can be used to check if on any ABAP stack the HTTP port is activated. Depending on your security concept this might be forbidden. Checking across all systems is a cumbersome job. Here the security and configuration check function of SAP Focused Run can help.

Setting up security and configuration validation rule to check if HTTP port is active

Go to the security and configuration validation policy tile:

Create a new policy with the following syntax:

<?xml version="1.0" encoding="utf-8"?>
<targetsystem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" desc="Checks whether only HTTPS is active in SMICM" id="SMICM_HTTPSONLY" multisql="Yes" version="0000" xsi:schemaLocation="csa_policy.xsd">
  <configstore name="ABAP_INSTANCE_PAHI">
    <checkitem desc="item description" id="1.0.0.0">
      <compliant>NAME like 'icm/server_port_%' and NOT (VALUE like '%HTTP,%' ) </compliant>
      <complianttext/>
      <noncompliant>NAME like 'icm/server_port_%' and VALUE like '%HTTP,%' </noncompliant>
      <noncomplianttext/>
    </checkitem>
  </configstore>
</targetsystem>

Basically the rule says: no http found is ok and any http found is not ok.

Running the check

Run the check will give you all systems in red where HTTP is active and green if only HTTPs is active, or nothing is active:

ABAP system certificate monitoring

In system monitoring you can monitor if ABAP system certificates are expiring or are already expired. For centrally monitoring SSL certificates, read this blog.

SAP provides a standard metric for this based on configuration validation rule SAP ABAP PSE CERTIFICATES CHECK. This rule is taking all certificates that are to be expired in the next 7 days and all expired certificates.

This rule has two setbacks:

  • 7 days upfront warning might be too short
  • It reports all expired certificates that are already years expired and don’t harm the system

New rules

For the improved setup we will defined 2 new rules:

  • To be expired certificates, with date selection -30 till tomorrow
  • Expired certificates, with date selection today till next 30 days.

Start with creating the policy in configuration validation (more on configuration validation in this blog):

Add a new policy Z_ABAP_PSE_TO_BE_EXP for the to be expired, and give it this syntax:

Add a new policy Z_ABAP_PSE_EXP for the expired ones:

Both are basically a copy of the standard SAP one with the changed dates.

Please note you need to change both the dates in the Compliant and Non-Compliant section.

Create custom metric

Now you can create a custom metric using the newly created rule. For full description on how to create custom metrics, read this blog. Create the custom metric in the ABAP system template:

Refer to the newly create custom CoVa (configuration validation) rule:

And set the threshold:

For the to be expired certificates, we only want warning.

We repeat the same for the expired certificates, but now we make it a red alert by setting the thresholds differently.

Make sure both are now activated for monitoring:

Trouble shooting

There might be false alerts raised for this metric. This is for both the custom and standard SAP metric. The source is usually the data collection.

SAP note 3138046 – False Alert ABAP PSE certificates expiring in Focused Run describes the checks to perform.

Go to the configuration and configuration validation FIORI tile:

Select the system and search for the PSE certificates data collection details:

Security & configuration validation check for client 001 and 066 existence

Security & configuration validation can be used to check for the existence of clients 001 and 066.

The 066 early watch client and old delivery clients 001 are only security risks (unless in rare cases 001 has been chosen as execution client). Best to delete them from security point of view (see reference blog).

Setting up security and configuration validation rule to check for existence of clients 001 and 066

Go to the security and configuration validation policy tile:

Create a new policy with the following syntax:

<?xml version="1.0" encoding="utf-8"?>
<targetsystem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" desc="Test CLIENTS Store" id="TEST_CLIENTS" multisql="Yes" version="0000" xsi:schemaLocation="csa_policy.xsd">
  <configstore name="CLIENTS">
    <checkitem desc="CLIENTS_CHECK" id="1.0.0.0">
      <compliant>MANDT = '000' or MANDT = '010' or MANDT = '100'        </compliant>
      <noncompliant> MANDT = '001' or MANDT = '066' </noncompliant>
    </checkitem>
  </configstore>
</targetsystem>

In the compliant section add more clients that are valid and/or change the numbers to your own situation.

Basically the rule says: 000 and main client(s) listed are compliant. 001 and 066 are not compliant.

Running the check


Run the check will give you all existing 001 and 066 clients as incompliant items:

Automatic eMail for Security Validation of SAP Systems

In a similar fashion to setting up email notification for system health check reports, you can also setup Automatic eMail for Security Validation of SAP Systems. For this you need a guided procedure that can run a security validation policy instead of running the system health check.

In our previous blog we have explained how you can setup the Security Validation policy.

Follow the following steps to create the guided procedure that can automatically execute the policy check on your SAP systems.

Creating Guided Procedure for Configuration and Security Analytics

For creating the guided procedure navigate to the Guided Procedures app in the Focused Run launch pad.

In the Guided Procedures app navigate to the Catalog page and click on the sign to create a new Guided Procedure.

In the pop-up provide a name and description for the guided procedure and click on Create.

Back in the catalog page, click on the newly created guided procedure name to open it in edit mode.

The guided procedure will now open in a new tab in the browser. Click on the edit button to start editing the guided procedure.

Now you need to add a automatic step to the guided procedure that will execute the security validation policy. For this, in the Step Details section, enter a step name and description.

Navigate to Step Content block. In the Automatic Activities tab and click on New.

In the pop-up, select the option “Select a Plugin” and select the plugin Configuration & Security Analytics

After selecting the plugin, expand the attribute section and provide the CSA policy name and click on OK.

Back in the main screen save and activate the Guided procedure.

Now you can use this guided procedure to schedule an automatic execution to send an email report. You can do it in a similar fashion to sending email for System Health check report as explained here.

For more details on what all you can do with guided procedures, refer to the SAP Focused Run Expert Portal.