Hotnews note 3145987

Unfortunately SAP had to release hotnews OSS note 3145987 – [CVE-2022-24396] Missing Authentication check in SAP Focused Run (Simple Diagnostics Agent 1.0). More background can be found in that note and in the Q&A note: 3148440 – Q&A for SAP Security Note 3145987.

What is the problem?

From the note: “The Simple Diagnostics Agent 1.0 (up to version 1.57.*) does not perform any authentication checks for functionalities that can be accessed via localhost on http port 3005. Due to lack of authentication checks, an attacker could access administrative or other privileged functionalities and read, modify or delete sensitive information and configurations.”

What to do to fix it?

The fix is two steps:

1. Update the host agent to version 7.22 PL55 or later as a prerequisite (see OSS note 3113553 – SAP Host Agent 7.22 PL55)

2. After step 1 update the SDA (simple diagnostics agent) to version 1.58.0 or later (see OSS note 3113553 – SAP Host Agent 7.22 PL55). You can do a mass deployment using the Agent Mass Update tile.

How to monitor the follow up?

Open the Self monitoring FIORI tile:

Click on the SDA icon on the left:

Check that all versions are ok:

Identifying all grey metrics in System Monitoring

In SAP Focused Run there is no standard mechanism to identify and display all grey metrics in System Monitoring. A grey metric means that no data is being collected, so a critical situation may not be captured and alerted on in monitoring. Hence such grey metrics need to be monitored.

In this blog we explain how you can list all the grey metrics by directly reading from database tables that store the monitoring data.

Focused Run system monitoring metric aggregate data is stored in table AEM_METRIC_AGGR. We can filter on metric status = Grey to see the list of grey metrics.

Open the table in transaction SE16

Increase the width and the number of hits, then click on Execute.

Now you have all the data that you can export to an excel sheet. For this select the following menu option.

Select file type as Text with Tabs.

Provide the path and filename to save the file and then click on Generate button.

Now open the .txt file in MS Excel.

In the Home tab select option for filtering as shown below

Now set the following filter for the column LAST_RAT

Now you will get the list of all grey metrics as shown below.

Note: The Context_ID value gives you the ID of the managed object, Metric_type_ID gives you the ID of the metric name, and Last_text gives you the return text of the last data collection, which tells you the reason for the grey metric.

In order to get the managed object name and metric type you can use the following in transaction MAI_TOOLS –> Metric Event Alert Details.

In the selection screen for Managed Object ID enter the Context ID from the excel and for Metric Type ID enter the same from the excel. Also select the checkboxes as shown below and execute.

Now you will get the info on the Template as well as the Metric name which is currently in grey.
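The Excel filtering above can also be scripted. The following Python example is added here and is not from the original blog: it parses an SE16 “Text with Tabs” export of AEM_METRIC_AGGR, keeps the rows whose LAST_RAT is grey and summarises the grey reasons from LAST_TEXT. The technical field names, the grey rating code and the sample rows are assumptions and constructed data.

```python
import csv
import io
from collections import Counter

# Assumption: the rating code stored in LAST_RAT for a grey metric. The blog shows
# the filter value only in a screenshot, so set this to the value you see there.
GREY_RATING = "0"
REQUIRED_COLUMNS = ("CONTEXT_ID", "METRIC_TYPE_ID", "LAST_RAT", "LAST_TEXT")


def parse_se16_export(text):
    """Parse an SE16 'Text with Tabs' export into a list of row dicts.

    SE16 may print a title block above the real header row, so the header is
    located by searching for the line that carries all required field names.
    """
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        cells = [c.strip() for c in line.split("\t")]
        if all(col in cells for col in REQUIRED_COLUMNS):
            break
    else:
        raise ValueError("header row with %s not found" % ", ".join(REQUIRED_COLUMNS))
    body = "\n".join(ln for ln in lines[idx:] if ln.strip())
    reader = csv.DictReader(io.StringIO(body), delimiter="\t")
    # Strip whitespace from names and values; drop surplus cells (key None).
    return [{k.strip(): (v or "").strip() for k, v in row.items() if k is not None}
            for row in reader]


def grey_metrics(rows, grey_rating=GREY_RATING):
    """Return only the rows whose last rating is grey."""
    return [
        {
            "context_id": r["CONTEXT_ID"],          # managed object ID (resolve in MAI_TOOLS)
            "metric_type_id": r["METRIC_TYPE_ID"],  # metric type ID (resolve in MAI_TOOLS)
            "reason": r["LAST_TEXT"],               # return text of the last data collection
        }
        for r in rows
        if r.get("LAST_RAT") == grey_rating
    ]


def reasons_summary(grey):
    """Count grey metrics per return text so the dominant cause stands out."""
    return Counter(g["reason"] for g in grey)


# Constructed sample export: IDs, metric types and texts are made up for illustration.
SAMPLE_EXPORT = "\n".join([
    "Table:      AEM_METRIC_AGGR",
    "Displayed Fields:   4 of  20  Fixed Columns:   0",
    "",
    "CONTEXT_ID\tMETRIC_TYPE_ID\tLAST_RAT\tLAST_TEXT",
    "CTX0001\tMT_ABAP_DUMPS\t1\tOK",
    "CTX0001\tMT_DISK_FREE\t0\tAgent not reachable",
    "CTX0002\tMT_DISK_FREE\t0\tAgent not reachable",
    "CTX0002\tMT_HTTP_PING\t3\tHTTP error 503",
    "CTX0003\tMT_JAVA_HEAP\t0\tNo data collected in the last interval",
])

if __name__ == "__main__":
    grey = grey_metrics(parse_se16_export(SAMPLE_EXPORT))
    for g in grey:
        print("%(context_id)s %(metric_type_id)s : %(reason)s" % g)
    for reason, n in reasons_summary(grey).most_common():
        print("%3d x %s" % (n, reason))
```

Point the script at the real .txt file instead of SAMPLE_EXPORT, and feed the Context_ID and Metric_type_ID pairs into MAI_TOOLS as described above to get the managed object and metric names.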

Housekeeping in SAP Focused Run

Housekeeping in SAP Focused Run is needed for 3 reasons:

  1. Keep performance high
  2. Reduce data footprint on the database
  3. Stay within the licensed volume (see more on licenses of SAP Focused Run in this blog)

Questions that will be answered in this blog are:

  • Which housekeeping settings can I make in SAP Focused Run?

Housekeeping for alert and event management

For alert and event management, housekeeping program AEM_HOUSEKEEPING should be running in batch:

Housekeeping for system analysis and root cause analysis

For system analysis housekeeping, schedule programs SRAF_LOG_HOUSEKEEPING and WEA_AGG_STORE_PARTITIONING. For root cause analysis, schedule program RCA_HOUSEKEEPING.

Detailed settings for RCA housekeeping are done in table RCA_HKCONFIG. You can maintain this table with SM30:

Housekeeping for application integration monitoring

For application integration monitoring housekeeping, schedule program /IMA/HOUSEKEEPING for older releases and /IMA/HOUSEKEEPING_NEW for FRUN 3.0 FP01 onwards.

In the tile for integration monitoring you maintain the detailed settings and retention periods:

Press the change button to alter the data retention periods to your needs:

Housekeeping for EWA data

For EWA data housekeeping schedule program FRUN_DELETE_SERVICE_DATA:

Important: by default 1 year of EWA data is kept. If you need more, increase the number of days kept. If you want to clean up more, reduce the number of days.

Housekeeping for health monitoring

For health monitoring housekeeping, schedule program OCM_HOUSEKEEPING.

Housekeeping for statistical records

For housekeeping of statistical records, schedule program AI_STATRAGG_HOUSEKEEPING:

Housekeeping for work mode management

For housekeeping of work mode management, schedule program WMM_HOUSEKEEPING:

Housekeeping for security and configuration validation

In the Configuration and configuration analytics Administration tile, choose the configuration icon:

Here you can set the retention period.

Invalid entries in MAI_UDM_PATHS

If table MAI_UDM_PATHS is getting large, follow the instructions from OSS note 3030652 – Cleanup invalid entries from database table mai_udm_paths to clean up.

Decommissioning Managed Systems

We need to perform decommissioning of a managed system if

1. The managed system itself has been decommissioned or

2. The managed system is not required to be monitored in the Focused Run system anymore.

Case 1: Managed System is Decommissioned

Step 1: The first step of decommissioning is to disconnect the Simple Diagnostics Agent from the Focused Run system. For this you can directly uninstall the Host Agent.

You can uninstall by running the following command at OS level:

  • UNIX, IBM i: ./saphostexec -uninstall
  • Windows: saphostexec.exe -uninstall

Step 2: Deactivate all monitoring for managed system in Focused Run system

For this, execute report RSRSM_SSI_CLEANUP in transaction SA38:

  1. Select a Customer Network
  2. Go to the Cleanup Technical System tab
  3. Select a Technical System
  4. Select the option to Cleanup unused hosts
  5. Press Delete Selected Objects

Case 2: Managed System is not required to be monitored in the Focused Run System

Step 1: You have to ensure the managed system is no longer sending landscape data to the Focused Run system. For this, disable all SLD data suppliers for the technical system. (In case of ABAP systems this is in transaction RZ70; in case of Java systems it is the Data Supplier settings in the NWA.)

Step 2: Disable outside discovery for all hosts of the technical system by executing the following command.

  • UNIX, IBM i: ./saphostctrl -function ConfigureOutsideDiscovery -disable
  • Windows: saphostctrl.exe -function ConfigureOutsideDiscovery -disable

Step 3: Execute the decommissioning report RSRSM_SSI_CLEANUP as mentioned in step 2 of case 1.

For further details you can refer to SAP documentation here.

In addition to the above two cases, you might need to decommission a system if it is being migrated or upgraded to a different or higher version, for example when migrating a standard ECC system to S4HANA. Instead of adjusting the monitoring of the existing system, you decommission the system and then reconnect it to the Focused Run system. In a future blog we will explain how to decommission in such cases.

Upgrading SAP Focused Run

All new functions and innovations for SAP Focused Run are delivered in either upgrades or feature packs. This blog will explain how to plan and execute an upgrade of SAP Focused Run.

Questions that will be answered in this blog are:

  • What is the SAP Focused Run release strategy?
  • How to prepare for the SAP Focused Run upgrade?
  • How do I execute the SAP Focused Run upgrade?

Release strategy of SAP Focused Run

In the SAP Focused Run overview document created by SAP there is one slide containing the SAP Focused Run release strategy:

All new functions and innovations are delivered in either upgrades or feature packs.

Preparations for SAP Focused Run upgrade

First look up the specific upgrade OSS note. In case of upgrade to Focused Run 3.0 SP02 these are OSS notes 3116196 – Release Information Note for Focused Run 3.0 FP02 and 3127574 – Focused Run 3.0 Feature Pack 02 – Update Preparation and Postprocessing Documentation.

In these notes you will find:

  • HANA database version needed
  • Needed versions of the SDA (simple diagnostics agent)
  • Scenario specific pre and post actions required
  • Updates to authorizations in SAP Focused Run
  • Updates to authorizations in the connected systems
  • Pre upgrade and post upgrade actions to be performed

The HANA database can be upgraded before the actual upgrade or can be combined with the upgrade. The same applies to the SDA.

Best practice is to execute the HANA and SDA upgrades beforehand. Upgrade your Focused Run test system first, leave the versions there for a few weeks to prove stability, then deploy on the productive Focused Run system.

In case of changes to authorizations in the connected systems, you can already update these before the upgrade.

In case you use custom descriptions in the metrics, you must download them before the upgrade and upload them again after the upgrade. More information is in OSS note 3077162 – Backup and Restore of MAI Custom description BEFORE and AFTER system Update/Upgrade.

ZDO upgrade option

As of Focused Run 3.0 you have the choice to go for a ZDO (Zero Downtime Option) upgrade to reduce the downtime of the upgrade.

Read the following notes carefully before deciding to go for this option:

Executing the SAP Focused Run upgrade

Start your upgrade first on your SAP Focused Run development system and write down all the steps you execute. You will need to repeat all steps in your productive system later on.

During the technical upgrade, which you perform with the SUM tool, you will need to execute the SPDD and SPAU technical upgrade actions. Store the actions in a transport to be used in the productive upgrade. After SPAU is done, also apply the updated collective notes listed in the central note 3116196 – Release Information Note for Focused Run 3.0 FP02.

After the technical upgrade has been completed, follow and document carefully all the steps in the OSS upgrade note. For example running extra task lists, programs, redoing SSI for JAVA, etc.

You may also come across items and issues that are not documented in the OSS note. Write them down in your own runbook for production. When upgrading to SAP Focused Run 3.0 we found that the standard jobs are switched to the technical job repository SJOBREPO (since the 3.0 ABAP stack is based on the S4HANA 1909 version).

Apply all collective notes for all functions you are using. The collective note numbers are listed in the Release Information Note.

After the documented steps, update the authorizations in SAP Focused Run to get the new tiles for new functions available.

Rerun the task lists for the initial setup in STC01 (SAP_FRUN_SETUP_FOUNDATION and SAP_FRUN_SETUP_USECASE) with the variants of the use cases that you are using.

Update the monitoring content according to OSS note 2991255 – Manual content update for FRUN-CONT 300 in SAP Focused Run (FRUN-CONT). For the steps in detail, read this blog.

Check in the upgrade manual if any SSI needs to be redone. This is often the case with JAVA systems.

Finally when all actions are done, refresh your browser cache and backend FIORI cache (follow all steps from this blog).

Testing

Before deploying the Focused Run upgrade in production, you must test all your functions in the Focused Run development system. It is very helpful if you have a set of documented test cases that you can easily repeat each upgrade. With testing first focus on testing the current functions you are using. In a later stage you can explore, activate and test new functions.

While testing you will find issues. Solutions are normally:

  • Updates in authorizations
  • OSS notes to be applied
  • SICF services and Gateway services activation
  • Forgotten step in the activation

Capture all fixes in either transports or in your runbook.

If you still have key issues with bugs, you will need to raise a message to SAP.

Focused Run license and usage

SAP Focused Run is a licensed product. The license metric is the amount of GB stored in the application.

The more systems you have, the more detailed metrics with short measurement intervals, and the more functions you use, the more GB you will consume.

Questions that will be answered in this blog are:

  • How to check the current license usage?
  • What drives the usage?
  • How can I get a cost estimate?
  • How can I create a business case for Focused Run?

Checking the license usage

In SE38 start program FRUN_USAGE_UPDATE:

Now you can see how many MB each Focused Run function uses.

What drives the usage?

Usage is driven by:

Getting a cost estimate

Your SAP account manager or the Focused Run team in Germany can give you a good cost estimate. Material number for Focused Run in the price list is 7019453.

Input for cost estimate: sizes and numbers of systems, functions of Focused Run you want to deploy, and the retention period of the data.

Output: cost estimate.

Creating the business case

The business case has 2 aspects:

  • Cost: infrastructure, license, implementation
  • Benefits

Benefits are easier to quantify if your IT service is more mature.

Elements to consider:

  • How much does an hour of outage cost on your main ECC or S4HANA core system? For larger companies, this is easily 10.000 Euro per hour or more.
  • How much does your complaint handling cost per ticket?
  • How much time is currently spent on manual monitoring?

Benefits of Focused Run are then in avoiding half the outages by faster insights and reducing the outage costs. You cannot avoid all outages, but you can act faster.

Benefits of Focused Run are in improved clean up and issue solving. This will both reduce issues in your systems and reduce complaints and tickets you need to handle.

For larger system landscapes (more than 50 systems) the business case is quite easy to create and will be positive fast.

SAP Focused Run Rule Based Template Assignment

Introduction

When we perform Simple System Integration (SSI) on a managed system, it automatically activates the SAP default monitoring template on the managed system. However, in most SAP Focused Run (FRUN) implementation scenarios, we create customer defined monitoring templates (Custom Templates), which we then manually assign and activate on the managed system.

Rule Based Template Assignment is a feature in FRUN by which we can define, based on the managed system category, which custom monitoring template is to be assigned and activated directly when we perform SSI on the managed system.

Defining Rule Based Template Assignment

For Rule Based Template Assignment navigate to the FIORI tile Individual Maintenance in the Advanced System Management section of the FIORI launchpad.

In the Individual Maintenance App navigate to the Rule Maintenance by clicking on the button as shown below.

In the Rule Based Assignment screen, on the left hand side panel, select the specific Managed Object type for which you want to define the Rule Based Template Assignment.

In this blog we take the example of defining a Rule Based Template Assignment for managed systems of type SAP ABAP BASIS 7.10 and higher and specify the custom template for the System Level monitoring template. So we select Technical Systems, upon which the right side panel gives a list of all product types. In the right side panel we scroll down and select SAP ABAP BASIS 7.10 and higher.

Now we need to define the rule based on which the custom template is to be assigned. In this blog we take the example that we have defined 2 custom templates, one for Production Systems and one for Non Production Systems. So we will need to define rules to assign templates based on the filters System Type ABAP and IT Admin Role as defined in LMDB. For more information on this function read this blog.

In the subsequent screen select Maintain Rules.

In the Maintain Rule screen we select the following filters.

Name your Rule and Save.

Similarly you can create Rule ABAP Non production, just ensure to select the following IT Admin Roles.

Now back in the main screen select the Rule you created from the drop down.

And for Template select the custom template you want to select for the assignment.

Add the assignment.

Now click the Continue with Next Step button until you come to the Reconfiguration tab, then close. This will save your Rule Assignment.

Once you have assigned the ABAP Production and ABAP Non production rules in the main screen you will see the following assignments listed.

After the assignments are done, the next time SSI is performed on any ABAP system it will pick up the custom monitoring template as defined in these rules.

In the Individual Maintenance system list you can also see whether the current assignment is the SAP default or a Rule Based Template Assignment.

LMDB: set IT admin role

This blog will explain how you can set the IT admin role in the LMDB (Landscape Management Database).

Questions that will be answered in this blog are:

  • How to set the IT admin role in LMDB?
  • Why is it important to set the correct role?

Setting the IT admin role in LMDB

Go to the LMDB Object Maintenance FIORI tile:

Search for your system:

Select the system and press Display to open the detail screen:

Press Edit to change. Now change the IT Admin Role and press Save.

Why is this important?

The IT admin role is important for the scope selection. When you have set the IT admin roles properly it is easy to filter the scope to, for example, productive systems only. More details are in the blog on System monitoring tips & tricks.