SAP Basis SAP performance optimization - SAP Corner

SAP performance optimization
SAP systems also need to be maintained
User authentication is usually performed by entering a user name and password. This information is called the user's credentials and should be known only to the user, so that no third party can gain access to the system under a false identity. This post explains how a user's password protection can be circumvented and how to prevent it.

SAP system login data
The login data of a user, including the password, is stored in the database table USR02. The password is not stored in plain text, but as a hash value. For each user there is not just one but up to three password hashes, computed with different algorithms, and only the salted SHA-1 hash can be considered sufficiently safe.

Table extract USR02
In the extract of the table USR02 shown on the page, the secure password hash is in the fifth column, headed Password hash value. The corresponding field is PWDSALTEDHASH. The older, weaker hashes live in the columns BCODE and PASSCODE of the same table.

Weak password hash risks
Assume you have a good, working authorization concept that ensures no process or data can be manipulated or stolen. A potential attacker who can nevertheless read the password hashes out of your database (through direct database access or an insufficiently restricted table display transaction, for example) runs freely available password crackers against them offline and ends up with a long list of valid user credentials. To damage your system, the attacker then looks for an account with suitable authorizations and carries out the attack under that false identity. Identifying the actual attacker afterwards is virtually impossible.

Check whether your system is vulnerable
Your system generates the weak hash values if the profile parameter login/password_downwards_compatibility has a value other than 0. Setting it to 0 only stops new weak hashes from being written; hash values already stored in USR02 remain there until they are removed (SAP provides the report CLEANUP_PASSWORD_HASH_VALUES for this), so check the table contents as well as the parameter.
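The two checks just described, as an added example that is not code from the original page: the following ABAP report reads the profile parameter and then scans USR02 for users whose record still carries one of the older hash values next to, or instead of, PWDSALTEDHASH. The report name is an assumption; the kernel call C_SAPGPARAM and the USR02 fields are standard. Running it requires display authorization for USR02, which should itself be tightly restricted.

```abap
*&---------------------------------------------------------------------*
*& Added example (not from the original page). Report name is assumed.
*& 1. Reads login/password_downwards_compatibility via C_SAPGPARAM.
*& 2. Lists users in the current client whose USR02 record still holds
*&    a legacy hash (BCODE or PASSCODE), which a cracker can attack.
*&---------------------------------------------------------------------*
REPORT z_audit_password_hashes.

TYPES: BEGIN OF ty_user,
         bname         TYPE usr02-bname,
         codvn         TYPE usr02-codvn,          " code version of the stored password
         bcode         TYPE usr02-bcode,          " oldest hash (weak)
         passcode      TYPE usr02-passcode,       " unsalted SHA-1 (weak)
         pwdsaltedhash TYPE usr02-pwdsaltedhash,  " salted SHA-1 (the one to keep)
       END OF ty_user.

DATA: lv_param_name  TYPE c LENGTH 60 VALUE 'login/password_downwards_compatibility',
      lv_param_value TYPE c LENGTH 60,
      lt_users       TYPE STANDARD TABLE OF ty_user,
      lv_weak_count  TYPE i.

FIELD-SYMBOLS: <ls_user> TYPE ty_user.

" 1. Profile parameter: any value other than 0 means the kernel keeps
"    generating the downward-compatible (weak) hashes on password changes.
CALL 'C_SAPGPARAM' ID 'NAME'  FIELD lv_param_name
                   ID 'VALUE' FIELD lv_param_value.
WRITE: / 'login/password_downwards_compatibility =', lv_param_value.
IF lv_param_value <> '0'.
  WRITE: / 'WARNING: weak password hashes are still being generated.' COLOR COL_NEGATIVE.
ENDIF.

" 2. Stored hashes: even with the parameter at 0, old hash values stay
"    in USR02 until they are removed explicitly, so check the table too.
SELECT bname codvn bcode passcode pwdsaltedhash
  FROM usr02
  INTO TABLE lt_users.

LOOP AT lt_users ASSIGNING <ls_user>.
  IF <ls_user>-bcode IS NOT INITIAL OR <ls_user>-passcode IS NOT INITIAL.
    " a legacy hash is present: this user is exposed to offline cracking
    lv_weak_count = lv_weak_count + 1.
    WRITE: / <ls_user>-bname, <ls_user>-codvn, 'legacy hash present' COLOR COL_NEGATIVE.
  ELSEIF <ls_user>-pwdsaltedhash IS INITIAL.
    " no password hash at all, e.g. SSO-only or never assigned a password
    WRITE: / <ls_user>-bname, <ls_user>-codvn, 'no password hash stored'.
  ENDIF.
ENDLOOP.

WRITE: / 'Users with legacy hash values:', lv_weak_count.
```

A non-zero count with the parameter already at 0 means the weak hashes are leftovers from before the change; they disappear only when the affected users set a new password or the old values are cleaned up explicitly.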

This access method depends solely on the rights assigned to the user.

System users
Users of this group are comparable to SAP*: they act as administrators in the system. They should therefore be deactivated or set to inactive as soon as regular system operation is ensured. Knowledge of the SAP ERP environment still helps in addressing this security risk. In a HANA system there are privileges instead of authorizations. The difference is at first one of terminology, but the privileges are also assigned differently, directly or indirectly through roles, which are thus collections of privileges. As in older SAP systems, the system users must be disabled and some of the delivered roles must be restricted. Compared with an SAP ERP system, HANA runs many small apps instead of a few large applications, so each of them needs its own authorization. It should go without saying that secure password rules are enforced for all users.

Settings
Securing the system also means securing the underlying infrastructure, from the network up to the host operating system. Looking at the system landscape, it is striking how many connections the new technology brings that need to be secured. The SAP Gateway, which connects backend and frontend, is also a security risk and must be considered. The security settings of all existing and future components must be checked for HANA compatibility. Connections are secured by restricting access wherever possible. Encryption of the data in a HANA system is disabled by default; encrypt sensitive data anyway, especially data that is archived. If your system is attacked you should be able to run a forensic analysis, so enable the audit log, and restrict access to it to a few users.
Implementing applications
For existing solutions, it is necessary to assess how far the solution has been customised. The more a system is modified, the more serious the consequences, because maintenance, including testing, becomes more time-consuming, for example during upgrades. The fewer customer-specific modifications there are, the better suited a system or application is to external operation under whatever service model is chosen.

If you want to skip the background and prefer a direct step-by-step guide, jump straight to the last section.

Preparation
For this workaround you need access to both the source system and the BW system. In addition, you need the authorization to call transaction SE37 and execute function modules there. In production systems in particular this is a very critical authorization, so assume that you may need a firefighter user for this action.

Working in the BW system
Once the preparations are complete, you call one function module on the BW system and one on the source system; each removes the connection on its own side. Start in the BW system: go to transaction SE37, call the function module RSAR_LOGICAL_SYSTEM_DELETE and enter the required values. The following table helps you fill them in:

Field: Description
I_LOGSYS: The logical name of the source system, as shown in RSA1. The name can also be found in the database table TBDLT.
I_FORCE_DELETE: Boolean, X = delete despite error messages
I_NO_TRANSPORT: Boolean, X = do not transport this change to subsequent systems
I_NO_AUTHORITY: Boolean, X = ignore authorization checks

Working in the source system
In the source system, go to transaction SE37 and call the function module RSAP_BIW_DISCONNECT. The values for its fields can be found in the source-system connection table RSBASIDOC:

Field: Description
I_BIW_LOGSYS: The logical name of the BW system. In table RSBASIDOC, find the correct value in the column RLOGSYS.
I_OLTP_LOGSYS: The logical name of the source system. In table RSBASIDOC, find the correct value in the column SLOGSYS.
I_FORCE_DELETE: Boolean, X = delete despite error messages

Completion
In the end you call the respective function module in the BW system and in the source system, fill in the parameters, and execute it.
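The same two calls wrapped in a small report, as an added example and not code from the original page: the parameters come from a selection screen instead of being typed into SE37, and the logical system names are checked against TBDLT and RSBASIDOC before anything is deleted. The report name and the selection-screen names are assumptions; the function modules, their parameters and the tables are the ones named above. Create the report on both systems and run the BW branch in the BW system and the source-system branch in the source system.

```abap
*&---------------------------------------------------------------------*
*& Added example (not from the original page). Report name is assumed.
*& Removes a BW <-> source system connection from one side at a time:
*& RSAR_LOGICAL_SYSTEM_DELETE on the BW system, RSAP_BIW_DISCONNECT on
*& the source system. I_NO_AUTHORITY is deliberately left initial so
*& that authorization checks are not skipped.
*&---------------------------------------------------------------------*
REPORT z_bw_source_system_disconnect.

PARAMETERS: p_bwlog  TYPE logsys OBLIGATORY,             " logical name of the BW system
            p_oltlog TYPE logsys OBLIGATORY,             " logical name of the source system
            p_force  AS CHECKBOX,                        " X = delete despite error messages
            p_notr   AS CHECKBOX DEFAULT 'X',            " X = do not record on a transport
            p_bw     RADIOBUTTON GROUP side DEFAULT 'X', " run this branch on the BW system
            p_oltp   RADIOBUTTON GROUP side.             " run this branch on the source system

DATA lv_found TYPE logsys.

IF p_bw = 'X'.
  " BW side: the source system must be known as a logical system (TBDLT),
  " otherwise the name was mistyped and nothing should be deleted.
  SELECT SINGLE logsys FROM tbdlt INTO lv_found WHERE logsys = p_oltlog.
  IF sy-subrc <> 0.
    WRITE: / 'Logical system', p_oltlog, 'not found in TBDLT, check the name in RSA1.'.
    RETURN.
  ENDIF.

  CALL FUNCTION 'RSAR_LOGICAL_SYSTEM_DELETE'
    EXPORTING
      i_logsys       = p_oltlog
      i_force_delete = p_force
      i_no_transport = p_notr
      i_no_authority = space
    EXCEPTIONS
      OTHERS         = 1.
  IF sy-subrc <> 0.
    WRITE: / 'RSAR_LOGICAL_SYSTEM_DELETE failed, sy-subrc =', sy-subrc.
  ELSE.
    WRITE: / 'BW-side connection to', p_oltlog, 'removed.'.
  ENDIF.

ELSE.
  " Source-system side: the pair must exist in RSBASIDOC
  " (SLOGSYS = source system, RLOGSYS = BW system).
  SELECT SINGLE rlogsys FROM rsbasidoc INTO lv_found
    WHERE slogsys = p_oltlog
      AND rlogsys = p_bwlog.
  IF sy-subrc <> 0.
    WRITE: / 'No RSBASIDOC entry for', p_oltlog, '->', p_bwlog.
    RETURN.
  ENDIF.

  CALL FUNCTION 'RSAP_BIW_DISCONNECT'
    EXPORTING
      i_biw_logsys   = p_bwlog
      i_oltp_logsys  = p_oltlog
      i_force_delete = p_force
    EXCEPTIONS
      OTHERS         = 1.
  IF sy-subrc <> 0.
    WRITE: / 'RSAP_BIW_DISCONNECT failed, sy-subrc =', sy-subrc.
  ELSE.
    WRITE: / 'Source-side connection to', p_bwlog, 'removed.'.
  ENDIF.
ENDIF.
```

Leave the force flag unset on the first attempt so that an error message from the function module surfaces before the entries are removed regardless; set it only when the connection is already broken and the error is the reason you are using this workaround.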

Use "Shortcut for SAP Systems" to accomplish many tasks in the SAP basis more easily and quickly.

The measures can now be scheduled and included in a cost overview.

SAP Basis refers to the administration of an SAP system, which includes activities such as installation and configuration, load balancing, and the performance of SAP applications running on the Java stack and on SAP ABAP. This includes maintaining the services related to database, operating system, application and web servers in an SAP system landscape, as well as stopping and starting the system. Here you can find some useful information about SAP Basis: www.sap-corner.de.


Also, the operational aspects of this role are suitable for outsourcing.