SAP Basis Differentiation from SAP ABAP

Direkt zum Seiteninhalt
Differentiation from SAP ABAP
SCC4 Client administration
User authentication is usually performed by entering a user name and password. This information is called user credentials and should only be known to the user, so that no third party can gain access to the system under a false identity. This post explains how a user's password protection can be circumvented and how to prevent it. SAP system legacy data The login data of a user, including password, are saved in the USR02 database table. However, the password is not in plain text, but encrypted as a hash value. For each user there are not only one but up to three generated password hashes. Different algorithms are used to calculate these values, but only the Salted SHA1 can be considered sufficiently safe. Table deduction USR02 The secure password hash is located in the fifth column of the pictured table deduction with the heading Password hash value. The corresponding data field in the column is called PWDSALTEDHASH. Weak Password Hash Risks You have a good and working permission concept that ensures that no processes or data can be manipulated or stolen. A potential attacker now has the ability to read out your database with the password hashes. The hash values are calculated using password crackers, which are available on the Internet at home, and the attacker now has a long list of user credentials. To damage your system, the user will now search for the appropriate permissions and perform the attack under a false identity. Identifying the actual attacker is virtually impossible. Check if your system is vulnerable too Your system generates the weak hash values if the login/password_downwards_compatibility profile parameter has an unequal value of 0.

If your system is already above SAP NetWeaver Release 7.0, then you must either import SAP Note 1731549 or a corresponding Support Package. Afterwards, when creating new users, it is no longer possible to assign user names that are only composed of variants of spaces or other invisible special characters. Important: Changes to already existing users with these names or their deletion option are not affected by this! The SAP Note also adds the customizing switch BNAME_RESTRICT, whereupon you can control yourself whether alternative spaces are allowed to appear in certain places in the user name. For this, the following values must be set in the customizing table PRGN_CUST: NO = The alternative spaces are still allowed in the user name. ALL = The character set is reduced to a defined range, excluding certain special characters because they have specific meanings in certain operating systems or databases. This predefined character set is: ABCDEFGHIJKLNMOPQRSTUVWXYZ_0123456789,;-§&()={[]}+#. FME = The letters F, M and E stand for Front, Middle and End. With an 'X' in this three-digit switch value you can now explicitly specify at which position in the user name no wide spaces and control characters may occur. All combinations are possible, e.g.: XME = None of these special characters may occur at the BEGINNING of the user name. XMX = In the user name none of these special characters may occur at the BEGINNING and at the END. FME = One of these special characters may occur at any position in the user name (this corresponds to the default setting, i.e. as if no entry was maintained in PRGN_CUST for the switch). SAP recommends the use of the value ALL.

On www.sap-corner.de you will also find useful information about SAP basis.
Network infrastructure management
In the SAP product world, the presentation layer is based on several modules that are grouped under the collective term SAP GUI. SAP GUI for Windows, SAP GUI for Java, Web Dynpro for ABAP (WDA) and SAP GUI for HTML ("Web GUI") are widely used.

The support packages were successfully fed into a system (test or development system). You performed the modification synchronisation. Procedure Load the support packages into the next system (quality or production system). You must distinguish between the following cases: Their systems have a common transport directory: Release Level 3.x: If the *.ATT files are not present, run RSEPSDOL in the source system and then RSEPSUPL in the target system. If the *.ATT files are present, run only RSEPSUPL in the target system. Release level 4.x: Select SPAM Support Package Upload in the target system. Your systems do not have a common transport directory: Release Level 3.x: Run RSEPSDOL in the source system to create the *.ATT files if they do not already exist. With ftp, transfer all files with the *.PAT extension in binary mode and all files with the *.ATT extension in ASCII mode from the /usr/sap/trans/EPS/in directory (UNIX and AS/400) or :\usr\sap\trans\EPS\in (Windows NT) of the source system to the target system transport directory. Run RSEPSUPL in the target system. Release level 4.x: With ftp in binary mode, transfer all files with the *.PAT extension from the source system's /usr/sap/trans/EPS/in (UNIX and AS/400) or :\usr\sap\trans\EPS\in (Windows NT) directory to the target system's transport directory. Select SPAM Support Package Upload in the target system. Play the Support Packages as usual. Import the Modification Balance Transport. Steps of the SPAM The SAP Patch Manager informs you about the step in progress in the status bar. If you want to know what steps are being performed for which scenario, run RSSPAM10.

With "Shortcut for SAP Systems" a tool is available that greatly facilitates some tasks in the SAP basis.

DBACOCKPIT handles the call control permissions similar to the SE16 / SE16N transaction.

So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.


You can call the SPAM transaction in one of the following ways: Select SAP menu Tools Maintenance Patches.
Zurück zum Seiteninhalt