Transport Tracking using SAP Focused Run Configuration Validation…

How to Track ABAP Transport Import History using Focused Run CSA Trend Analysis

For an SAP Application Management team in any IT landscape, time-based tracking of transport movement across SAP system landscapes is a very important monitoring requirement.

In this blog I’ll explain how you can do transport tracking using the Configuration Validation Trend Analysis application. With this you can track how many transports were imported versus how many failed.

SAP provides a standard configuration validation policy called SAP_FAILED_TRANSPORTS that collects the last 7 days of data from the config store ABAP_TRANSPORTS of SAP ABAP managed systems. SAP uses this policy result for the system monitoring metric for failed transports.

To see a day-wise trend for transports, you first have to copy this standard policy to a custom policy and change the time period of the compliance rule in the policy from the last seven days to the last 1 day.

For this, first navigate to the Policy Management app in the Advanced Configuration Monitoring area of the SAP Focused Run Launchpad.

In the Policy Management App select the policy SAP_FAILED_TRANSPORTS and copy.

Provide a custom policy name and description and copy.

Now you will be back in the main screen, click on the custom policy name you just created.

In the policy editor screen click on Edit button to start editing your policy.

In the compliance rule, change the hour value in CURRENT_UTCTIMESTAMP,-3600*168 from 168 to 24, so that it reads CURRENT_UTCTIMESTAMP,-3600*24.

Save the policy by clicking on Save button.

Now generate the policy by clicking on Generate button.

Now you can validate if the policy is working fine by clicking on the Validate button.

If there are no errors, you will see the validation results in a new window, as shown below.

Now your custom policy is ready, but before you can use this policy for Trend Analysis you need to activate periodic data collection for this policy. For this navigate back to the main screen of Policy Management app.

In the main screen select the custom policy and click on Configure.

In the next pop-up window click on Edit button to continue.

You can now set the Validation run interval to Hourly or Daily and then save and exit.

After you schedule the validation wait for at least one week to see the data in the trend analysis app. Data will be available only from the time you activated the validation run schedule.

Now you can run Trend Analysis on this custom policy to do transport tracking. For this navigate to the Configuration & Security Analytics Trend Analysis App in the Advanced Configuration Monitoring area of Focused Run launchpad.

In the home screen app you will see the trend overview of the policies which are scheduled for validation run and for which data is available.

To do transport tracking on the custom policy you created and scheduled for validation, first select the managed system for which you want to do tracking in the scope selection.

After selecting the scope, select the policy and, in the Key Figure dropdown, select All items to see the number of transports imported to the managed system. If you select the key figure Non Compliant, it will show you the number of failed imports.

If you scroll down, you can also find details of each transport that was imported into the managed system in the specific time frame shown in the graph.

To know more possibilities with SAP Focused Run Configuration and Security Monitoring you can refer to our blogs here.

You can also find SAP manuals on Configuration and Security monitoring here.

Use configuration analytics to determine Cryptolib versions across your landscape…

SAP Cryptolib is used for diverse security scenarios. In many cases it is simply installed and never updated.

This blog will explain how to use the configuration validation tool to quickly list all Cryptolib versions across your landscape.

Configuration analytics

Open the configuration and security validation FIORI tile:

Top left choose the searching for configuration items icon:

The search screen opens:

Now select the CRYPTOLIB store:

Now press the find button in the Find in configuration data field:

Results show:

Remark: the result depends on the scope you selected. Use the scope selection button to change the scope.

Other use cases

You can use the same method to get other information from the system.

Use the browsing for configuration items view to find what you are looking for:

Configuration validation to check for disablement of webadmin page…

OSS note 2258786 – Potential information disclosure relating to SAP Web Administration Interface describes the issue that the web administration interface is publicly available if you didn’t configure your system correctly. More background can be found in this blog. This item is misconfigured on a lot of systems. It is present in ABAP, JAVA and web dispatcher.

If you start to fix this item, you want to keep track of the progress, and in the future you also want to check that the setting is correct for new systems and after updates, upgrades, etc.

Setting up the configuration validation rule

Go to the security and configuration validation policy tile:

Create a new policy with the following syntax for ABAP:

<configstore name="ABAP_INSTANCE_PAHI">
  <checkitem desc="icm/HTTP/admin_0" id="ICM_HTTP_ADMIN">
    <compliant>NAME = 'icm/HTTP/admin_0' and VALUE like '%ALLOWPUB=FALSE%' </compliant>
    <complianttext/>
    <noncompliant>NAME = 'icm/HTTP/admin_0' and not ( VALUE like '%ALLOWPUB=FALSE%' ) </noncompliant>
    <noncomplianttext/>
  </checkitem>
</configstore>

For JAVA and webdispatcher:

<configstore name="DEFAULT.PFL">
  <checkitem desc="icm/HTTP/admin_0" id="ICM_HTTP_ADMIN">
    <compliant>TEXT like '%admin_0%' and TEXT like '%ALLOWPUB=FALSE%' </compliant>
    <complianttext/>
    <noncompliant>TEXT like '%admin_0%' and not ( TEXT like '%ALLOWPUB=FALSE%' ) </noncompliant>
    <noncomplianttext/>
  </checkitem>
</configstore>

The rule says: if the subparameter ALLOWPUB is defined with value FALSE it is ok. In all other cases it is not ok.
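
The DEFAULT.PFL check item above can be replayed offline against a profile file. The following Python sketch is an added example, not part of the original blog or of SAP's tooling: `page_rule` emulates the two LIKE conditions per TEXT row, and `strict_check` goes beyond the page's rule by parsing every active icm/HTTP/admin_<n> line. It assumes LIKE follows SQL semantics and that each TEXT row holds one raw profile line; the sample profile content and all function names are constructed for illustration.

```python
import re

# Constructed sample DEFAULT.PFL content (not taken from a real system).
SAMPLE_PROFILE = """\
icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=./admin,ALLOWPUB=FALSE
icm/HTTP/admin_1 = PREFIX=/sap/admin1,DOCROOT=./admin,ALLOWPUB=TRUE
icm/HTTP/admin_2 = PREFIX=/sap/admin2,DOCROOT=./admin
#icm/HTTP/admin_0 = PREFIX=/sap/old,ALLOWPUB=FALSE
"""

def sql_like(text, pattern):
    """Emulate SQL LIKE: % is any run of characters, _ is exactly one."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, text, re.DOTALL) is not None

def page_rule(text):
    """Classify one TEXT row the way the DEFAULT.PFL check item above does."""
    if not sql_like(text, "%admin_0%"):
        return None  # neither condition selects this row
    return "compliant" if sql_like(text, "%ALLOWPUB=FALSE%") else "noncompliant"

# Assumption: active parameters are written as "name = value" on one line.
ADMIN_RE = re.compile(r"^\s*(icm/HTTP/admin_\d+)\s*=\s*(.*)$")

def strict_check(profile_text):
    """Parse active icm/HTTP/admin_<n> lines; True means ALLOWPUB=FALSE is set."""
    result = {}
    for line in profile_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out parameters are not in effect
        m = ADMIN_RE.match(line)
        if not m:
            continue
        subparams = {}
        for part in m.group(2).split(","):
            key, _, value = part.partition("=")
            subparams[key.strip().upper()] = value.strip()
        # Same literal as the rule: only the exact value FALSE counts.
        result[m.group(1)] = subparams.get("ALLOWPUB") == "FALSE"
    return result

if __name__ == "__main__":
    for row in SAMPLE_PROFILE.splitlines():
        print(f"{page_rule(row)!s:13} {row}")
    print(strict_check(SAMPLE_PROFILE))
```

On the constructed sample, the substring-based rule classifies the commented-out admin_0 line as compliant and never selects admin_1 or admin_2, while the strict parse reports both of those as lacking ALLOWPUB=FALSE.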

Running the rule

Now you can run the rule and check if your systems are compliant: