Category: Configuration and security monitoring

SNC Certificate Expiry Monitoring…

SNC Certificate expiry is very critical for ABAP systems where SNC logon is used. As soon as the certificate expires users will no more be able to login to system.

In System Monitoring for ABAP systems SAP provides a standard metric called Expiring PSE Certificates which monitors all PSE certificates that includes SNC certificates. When this metric turns red it will tell how many certificates are expiring/expired but not which one. Hence its beneficial to monitor separately the status of SNC Certificates.

This monitoring can be achieved by using Config Validation.

You can create a custom policy with the below XML code that checks the PSE_CERT store to check on status of SNC Certificate.


<?xml version="1.0" encoding="utf-8"?>
<targetsystem desc="SNC Certificate about to expire" id="ASML_SNCERT_TOBE_EXP" multisql="Yes" version="0000">
  <configstore name="PSE_CERT" system_type="ABAP">
    <checkitem desc="Valid in range" id="1" operator="">
      <compliant>APPLICATION like '%SNCS%' and CONTEXT like '%' and TYPE like '%' and SUBJECT like '%sapci%' and ISSUER like '%' and SERIALNO like '%' and VALID_FROM like '%' and ( ( ( replace_regexpr ('^$' IN valid_to WITH (replace(current_date, '-', '')||replace(current_time, ':', '')))) &gt; to_number(replace(add_days(current_date, 30), '-', '')||replace(current_time, ':', '') ))
or (( replace_regexpr ('^$' IN valid_to WITH (replace(current_date, '-', '')||replace(current_time, ':', '')))) &lt; to_number(replace(add_days(current_date, 0), '-', '')||replace(current_time, ':', '') )) )</compliant>
      <noncompliant>APPLICATION like '%SNCS%' and CONTEXT like '%' and TYPE like '%' and SUBJECT like '%sapci%' and ISSUER like '%' and SERIALNO like '%' and VALID_FROM like '%' and not ( ( ( replace_regexpr ('^$' IN valid_to WITH (replace(current_date, '-', '')||replace(current_time, ':', '')))) &gt; to_number(replace(add_days(current_date, 30), '-', '')||replace(current_time, ':', '') ))
or (( replace_regexpr ('^$' IN valid_to WITH (replace(current_date, '-', '')||replace(current_time, ':', '')))) &lt; to_number(replace(add_days(current_date, 0), '-', '')||replace(current_time, ':', '') )) )</noncompliant>
    </checkitem>
  </configstore>
</targetsystem>

Note: In the above XML code, SUBJECT like ‘%sapci%’, you have to replace sapci with a hostname pattern that you use for all your SAP ABAP system hostnames.

To know more about policy maintenance you can refer to our below blog where in we have explained in detail with another example how to maintain policies, edit the XML code and then generate the policy.

Transport Tracking using SAP Focused Run Configuration Validation

Once you have created the policy, you can directly activate alerting on the policy.

For that go to the Configuration and Security Analytics app in the Advanced Configuration Monitoring area.

In the app navigate to Configuration Validation Alert Management under the the Related links tab.

In the Alert Management app click on Create button to create the alerting for the policy you just created.

In the next popup, enter details as shown below and then click on Select policy to select the policy for which you want to activate the alert.


In the next popup select the policy by clicking on the policy name.

Now click on Save to activate the alerting.

Additionally you can also activate email notification on the alert. For this in the Alert Management main screen, select the alert and then click on Notification/Outbound

In the next popup select the notification variant and save.

Now your alerting is active along with notification for SNC certificate expiry.

For more details on Config Validation you can refer to SAP documentation here.

Transport Tracking using SAP Focused Run Configuration Validation…

How to Track ABAP Transport Import Hisotry using Focused Run CSA Trend Analysis

For an SAP Application Management team in any IT landscape , doing a timewise tracking of transport movement across SAP System Landscapes is a very important monitoring requirement.

In this blog I’ll explain how you can do transport tracking, using Configuration Validation Trend Analysis application. With this you can track how many transports got imported verses how many got failed.

SAP provides a standard configuration validation policy called SAP_FAILED_TRANSPOTS that collects last 7 days data from config store ABAP_TRANSPORTS of SAP ABAP managed systems. SAP uses this policy result for the system monitoring metric for failed transport.

To be able to see a day wise trend for transports you will have to first copy this standard policy to a custom policy and change the time period of compliance rule in the policy from last seven days to last 1 day.

For this first you navigate to Policy Management app in Advanced Configuration Monitoring area in SAP Focused Run Launchpad.

In the Policy Management App select the policy SAP_FAILED_TRANSPORTS and copy.

Provide a custom policy name and description and copy.

Now you will be back in the main screen, click on the custom policy name you just created.

In the policy editor screen click on Edit button to start editing your policy.

In the compliance rule change the hour value in CURRENT_UTCTIMESTAMP,-3600*168 from 168 to 24 CURRENT_UTCTIMESTAMP,-3600*24

Save the policy by clicking on Save button.

Now generate the policy by clicking on Generate button.

Now you can validate if the policy is working fine by clicking on the Validate button.

If no error is there, in a new window you will see the validation results as shown below.

Now your custom policy is ready, but before you can use this policy for Trend Analysis you need to activate periodic data collection for this policy. For this navigate back to the main screen of Policy Management app.

In the main screen select the custom policy and click on Configure.

In the next pop-up window click on Edit button to continue.

You can now set the Validation run interval to Hourly or Daily and then save and exit.

After you schedule the validation wait for at least one week to see the data in the trend analysis app. Data will be available only from the time you activated the validation run schedule.

Now you can run Trend Analysis on this custom policy to do transport tracking. For this navigate to the Configuration & Security Analytics Trend Analysis App in the Advanced Configuration Monitoring area of Focused Run launchpad.

In the home screen app you will see the trend overview of the policies which are scheduled for validation run and for which data is available.

To do transport tracking on the custom policy you created and scheduled for validation, first select the managed system for which you want to do tracking in the scope selection.

After selecting scope, select the policy and in the the Key Figure dropdown select All items to see Number of transports imported to the managed system. If you select key figure Non Compliant it will show you the numbers for failed imports.

If you scroll down, you can also find details of each transport that were imported in the managed system in the specific time frame shown in the graph.

To know more possibilities with SAP Focused Run Configuration and Security Monitoring you can refer to our blogs here.

You can also find SAP manuals on Configuration and Security monitoring here.

Monitoring Changes in RFCs in SAP ABAP Systems using SAP Focused Run…

With SAP Focused Run 3.0 FP 2, its now possible to monitor changes in RFCs in SAP ABAP Systems.

In SAP Focused Run 3.0 FP 2, you can activate alerting and notification for any changes to the content of a CCDB config store. Using this functionality we can activate alerting and notification on the CCDB store that contains information about RFCs.

First we need to identify which CCDB store keeps the information on RFCs. For this you need to click on Configuration & Security Analytics – Administration app in the Advanced Configuration Monitoring section of SAP Focused Run Launchpad.

In the app select any of the SAP ABAP systems. Upon selecting a system you will see the list of available CCDB stores for the system.

Now you can filter on Description for text “RFC” to see RFC related CCDB stores.

You will see the following CCDB Stores. To monitor changes to RFCs either you can use the generic CCDB store to monitor on all type of RFCs or you can use the specific RFC type CCDB store. In this example we will use the RFC destinations type ‘3’ CCDB store.

Next you need to go to the main Configuration and Security Analytics app.

In the app, in the navigation area click on Related Links.

Select Configuration Validation Alert Management.

In the alert management app, click on create button.

Enter Alert ID, Description and then select the Alert Source as Store content change.

Click on Select a Config Store

In the next pop-up to select the store, filter on description “RFC”.

Then from the list select the specific RFC CDDB store you want to report on and then click on close.

Then back in Alert creation screen, you can select the scope as ALL or for specific system. In this example we selected a specific managed system.

You can set the frequency between Hourly, Daily or Weekly.

Then, set the Severity and click on Active button and then save.

Upon activation it will start monitoring is there are any change is performed to the specific RFC store. Changes include Creation/Deletion/Update.

Upon any change detected an alert will be generated of the below format. This alert will be visible in the Alert Inbox.

Use configuration analytics to determine Cryptolib versions across your landscape…

SAP Cryptolib is use for diverse security scenarios. In many cases it is simply installed and never updated.

This blog will explain how to use the configuration validation tool to quickly list all Cryptolib versions across your landscape.

Configuration analytics

Open the configuration and security validation FIORI tile:

Top left choose the searching for configuration items icon:

The search screen opens:

Now select the CRYPTOLIB store:

Now press the find button in the Find in configuration data field:

Results show:

Remark: the result is depending on your scope selected. Use the scope selection button to change the scope.

Other use cases

You can use the same method to get other information from the system.

Use the browsing for configuration items view to find what you are looking for:

Configuration validation to check for disablement of webadmin page…

OSS note 2258786 – Potential information disclosure relating to SAP Web Administration Interface is describing the issue that the web administration interface is publicly available if you didn’t configure your system correctly. More background can be found in this blog. This item is misconfigured on a lot of systems. It is present in ABAP, JAVA and web dispatcher.

If you start to fix this item, you want to keep track of the progress, and also in the future you want to check if the setting is done correctly for new systems and after updates, upgrades, etc.

Setting up the configuration validation rule

Go to the security and configuration validation policy tile:

Create a new policy with the following syntax for ABAP:

<configstore name="ABAP_INSTANCE_PAHI">
<checkitem desc="icm/HTTP/admin_0" id="ICM_HTTP_ADMIN">
  <compliant>NAME = 'icm/HTTP/admin_0' and VALUE  like '%ALLOWPUB=FALSE%' </compliant>
  <complianttext/>
  <noncompliant>NAME = 'icm/HTTP/admin_0' and not ( VALUE like '%ALLOWPUB=FALSE%' ) </noncompliant>
  <noncomplianttext/>
</checkitem>
</configstore>

For JAVA and webdispatcher:

<configstore name="DEFAULT.PFL">
<checkitem desc="icm/HTTP/admin_0" id="ICM_HTTP_ADMIN">
      <compliant>TEXT like '%admin_0%' and TEXT  like '%ALLOWPUB=FALSE%' </compliant>
      <complianttext/>
      <noncompliant>TEXT like '%admin_0%' and not ( TEXT like '%ALLOWPUB=FALSE%' ) </noncompliant>
      <noncomplianttext/>
</checkitem>
</configstore>

The rule says: if the subparameter ALLOWPUB is defined with value FALSE it is ok. In all other cases it is not ok.

Running the rule

Now you can run the rule and check if your systems are compliant:

Age of system components…

Your system landscape contains a lot of components. For security and compliance it is important to keep the system in good shape with regards to patches and updates.

SAP Focused Run can help you with the check on the age of your system components;

  1. Tactical dashboard
  2. Configuration validation rule

Tactical dashboard

The first method to check for component age is the use of the tactical dashboard. The highlights are explained in this blog.

Result of the tactical dashboard for components:

In the threshold settings you can fine tune the levels to give warning or red flag:

Remark: this function works for ABAP and JAVA systems. Not for other SAP products.

Configuration validation rule

From the text below or from the github site of Focused Run you can download this policy:

COMPONENT like '%' and VERSION like '%' and SP_REL_DATE != '' and <?xml version="1.0" encoding="utf-8"?>
<!--
Exclude software components for which SP_REL_DATE is empty
Version: 002
Date:    July 16 2021
-->
<targetsystem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" desc="Age of component level" id="AGE_COMP" multisql="Yes" version="0000" xsi:schemaLocation="csa_policy.xsd">
  <!-- Basic -->
  <configstore name="COMP_LEVEL">
    <checkitem desc="Age of Component Level - ABAP" id="ABAP.AGE_COMP.01" not_found="ignore" system_attributes="SYSTEM_TYPE:ABAP">
      <compliant>
      COMPONENT like '%' and VERSION like '%' and SP_REL_DATE != '' and (add_days(current_date,-730)) &lt; (CASE WHEN SP_REL_DATE like_regexpr '^\d{8,8}$' THEN SP_REL_DATE WHEN SP_REL_DATE = 'NEWER' THEN CURRENT_DATE ELSE '00000000' END)
      </compliant>
      <noncompliant>
      COMPONENT like '%' and VERSION like '%' and SP_REL_DATE != '' and not (add_days(current_date,-730)) &lt; (CASE WHEN SP_REL_DATE like_regexpr '^\d{8,8}$' THEN SP_REL_DATE WHEN SP_REL_DATE = 'NEWER' THEN CURRENT_DATE ELSE '00000000' END)
      </noncompliant>
    </checkitem>
    <checkitem desc="Age of Component Level - JAVA" id="JAVA.AGE_COMP.01" not_found="ignore" system_attributes="SYSTEM_TYPE:JAVA">
      <compliant>
      COMPONENT like '%' and VERSION like '%' and SP_REL_DATE != ''and (add_days(current_date,-730)) &lt; (CASE WHEN SP_REL_DATE like_regexpr '^\d{8,8}$' THEN SP_REL_DATE WHEN SP_REL_DATE = 'NEWER' THEN CURRENT_DATE ELSE '00000000' END)
      </compliant>
      <noncompliant>
      COMPONENT like '%' and VERSION like '%' and SP_REL_DATE != '' and not (add_days(current_date,-730)) &lt; (CASE WHEN SP_REL_DATE like_regexpr '^\d{8,8}$' THEN SP_REL_DATE WHEN SP_REL_DATE = 'NEWER' THEN CURRENT_DATE ELSE '00000000' END)
      </noncompliant>
    </checkitem>
  </configstore>
</targetsystem>

Use this to set up a new policy called AGE_COMP (for detailed instructions for setting up new policy, see this blog):

By default the rule is taking 730 days. You can adjust the value as per your needs.

Now you can run the query to get an easy overview across the systems:

Don’t be afraid if you have high number in the beginning; most of the cases this is due to HR components being outdated.

Monitoring Cloud Connector BTP Certificate Expiry…

With SAP Focused Run 3.0 FP 2 SAP has delivered a configuration validation policy using which you can monitor Cloud Connector BTP Certificate expiry.

Note: For using this functionality you just have to ensure that you have registered your cloud connector managed system to your Focused Run System and have performed SSI for the cloud connector managed system.

You can do the monitoring via the Configuration & Security Analytics app in the Advanced Configuration Monitoring area of Focused Run Launchpad.

In the app click on the select button to select the policy to monitor Cloud Connector BTP Certificates.

In the pop-up you can search for SCC and then select the policy SAP_SCC_PSE_CERT. This is the standard policy delivered by SAP that performs configuration validation on Cloud Connector BTP Certificate expiry.

This policy monitors if a BTP certificate in cloud connector system is going to expire in less than 30 days or is already expired.

The first view upon selecting the policy is the Systems view. In this view all SAP Cloud Connector systems registered in Focused Run system are listed. A systems is marked as non compliant if it has any certificate which is going to expire in less than 30 days or has any expired certificates. This view also tells how many certificates are there in the system and how many are non compliant.

You can click on the row to see the details of the certificates which are expiring or expired.

To know more about Configuration and Security Analytics you can refer here.

Also you can find more detail at SAP documentation here.

Determining configuration changes…

In SAP Focused Run the Configuration and Security validation tool captures a lot of detailed configuration data. This tool can be used to determine configuration changes that were done to your systems.

Configuration changes

Go to the Configuration and Security Analytics FIORI tile:

On the left side choose the tool to display configuration changes:

In the next screen you can see the changes per system:

In the details you can see what has been changed and when.

Search for specific configuration changes

You can also search for specific configuration changes. Open the find tool and select the change store (in this example RFC destinations):

Now you get the detailed list of changes:

The easiest overview is the table view. This allows also for Excel download.

Remark: the time frame default 1 week. If you need search different period, change the time frame selection.

Trend analysis for configuration and security analytics…

Since Focused Run 3.0 feature pack 2 a new FIORI tile is present: trend analysis for configuration and security analytics:

Prerequisites

For the policy to work, you first need to schedule it in the policy management tile. Select the policy and press the Configure button:

On the popup screen press the Edit button:

Set the scheduling frequency and save the data.

Use of the trend analysis

Opening the trend analysis tile starts with the overview screen:

You can change the timeframe of the analysis and scope with the normal icons top right.

Selecting a policy will open the trend graph below:

Below that graph are the details for the systems:

Organizational use of the trend analysis

The trend analysis can be used to quickly see for your important security policies how the situation is developing.

When strengthening the policies, you will see many non compliant systems initially. Often some sandboxes, or development systems are forgotten. The trend analytics will spot it, and you can act on it.

Security and configuration validation to check if HTTP port is active…

Security & configuration validation can be used to check if on any ABAP stack the HTTP port is activated. Depending on your security concept this might be forbidden. Checking across all systems is a cumbersome job. Here the security and configuration check function of SAP Focused Run can help.

Setting up security and configuration validation rule to check if HTTP port is active

Go to the security and configuration validation policy tile:

Create a new policy with the following syntax:

<?xml version="1.0" encoding="utf-8"?>
<targetsystem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" desc="Checks whether only HTTPS is active in SMICM" id="SMICM_HTTPSONLY" multisql="Yes" version="0000" xsi:schemaLocation="csa_policy.xsd">
  <configstore name="ABAP_INSTANCE_PAHI">
    <checkitem desc="item description" id="1.0.0.0">
      <compliant>NAME like 'icm/server_port_%' and NOT (VALUE like '%HTTP,%' ) </compliant>
      <complianttext/>
      <noncompliant>NAME like 'icm/server_port_%' and VALUE like '%HTTP,%' </noncompliant>
      <noncomplianttext/>
    </checkitem>
  </configstore>
</targetsystem>

Basically the rule says: no http found is ok and any http found is not ok.

Running the check

Run the check will give you all systems in red where HTTP is active and green if only HTTPs is active, or nothing is active: