Certificates in SAP Systems


In the digital era, data is an organization's most valuable asset, so security is a top priority for any IT system, and SAP is no exception. Most systems are now reached over the web or the internet, so the transport itself has to be protected. On the server side this is done by installing a certificate on the web server and serving the traffic over HTTPS (TLS).

An organization installs a TLS certificate (still commonly called an SSL certificate) on its web server so that browsers can establish a secure session with it. Once the connection is established, all traffic between the web server and the browser is encrypted and integrity-protected. Note that this protects only the transport; it says nothing about the security of the application behind it.

What are Certificates

Certificates, or SSL/TLS certificates, are small data files that bind a public key to an organization's details and carry the signature of the issuer that vouches for that binding. Installed on a web server, a certificate enables the https protocol and the browser padlock: the browser can authenticate the server before it sets up the encrypted connection.

SSL Certificates bind together :

  • A domain name, server name or hostname.
  • An organizational identity (i.e. company name) and location.

Cryptography is the science of protecting messages. For SSL/TLS, SAP uses public key cryptography within a PKI (Public Key Infrastructure). This kind of cryptography works with a pair of keys, two long numbers generated together: a private key and a public key. The public key is published in the server's certificate and may be handed to anyone; it is used to encrypt messages to the server and to verify the server's signatures. The private key stays on the server (in SAP terms, in its PSE) and must never be shared: whoever holds it can impersonate the server.

How Public and Private Key Works

Take a scenario: Ms. XYZ and Mr. BASIS are two good friends. XYZ wants to send BASIS a message that nobody else can read, so she encrypts it with BASIS's public key. Now nobody can read the message except BASIS, because only he holds the private key that decrypts it. Simple, right? The same key pair also works in the other direction: what BASIS signs with his private key, anyone can check with his public key. That is how a CA signs a certificate, and how a server proves during the TLS handshake that it owns the key in its certificate.
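The XYZ-to-BASIS exchange above done with the OpenSSL command line, as an added example that is not part of the original article. It assumes only that the openssl CLI is on PATH; the names "basis" and "mallory" and the message are made up. The third-party attempt shows the property the text relies on: a key pair that is not BASIS's cannot decrypt what was encrypted for him.

```shell
#!/bin/sh
# Added example (not from the original article): public-key encryption round trip.
# Assumes the openssl CLI; key names are illustrative. Works in a scratch directory.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# BASIS creates a key pair. The private key never leaves his machine; only
# <name>_pub.pem is handed out (in real life inside a certificate).
make_keypair() {            # $1 = name prefix
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1_priv.pem" 2>/dev/null
  openssl pkey -in "$WORK/$1_priv.pem" -pubout -out "$WORK/$1_pub.pem" 2>/dev/null
}

# XYZ encrypts with the recipient's PUBLIC key (stdin = plaintext, stdout = ciphertext).
encrypt_for() {             # $1 = recipient prefix
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/$1_pub.pem" \
    -pkeyopt rsa_padding_mode:oaep
}

# Only the matching PRIVATE key decrypts (stdin = ciphertext, stdout = plaintext).
decrypt_as() {              # $1 = own prefix
  openssl pkeyutl -decrypt -inkey "$WORK/$1_priv.pem" \
    -pkeyopt rsa_padding_mode:oaep
}

# Full round trip; prints the decrypted message.
roundtrip() {               # $1 = message from XYZ to BASIS
  make_keypair basis
  printf '%s' "$1" | encrypt_for basis > "$WORK/msg.enc"
  decrypt_as basis < "$WORK/msg.enc"
}

# A third party with her own key pair tries the same ciphertext.
# Prints "blocked" when decryption fails, "LEAKED" if it unexpectedly succeeds.
third_party_attempt() {
  make_keypair mallory
  if decrypt_as mallory < "$WORK/msg.enc" >/dev/null 2>&1; then
    echo LEAKED
  else
    echo blocked
  fi
}

if [ "${1:-}" = "run" ]; then
  roundtrip 'meet me at 10'; echo
  third_party_attempt
fi
```

RSA with OAEP padding is used directly on the message here only because the message is shorter than the key; TLS itself uses the public key only to authenticate the server and agree on a session key, and encrypts the bulk traffic with a symmetric cipher.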

Certificate Details

While working with certificates we often hear terms like CA, PKI, TLS, DN, CN and so on. Here is what they actually mean.

  • CA (Certificate Authority) – issues and signs certificates; owns the root and intermediate certificates
  • PKI (Public Key Infrastructure) – the overall framework of CAs, certificates, keys and the policies that govern them
  • TLS – Transport Layer Security protocol, the successor of SSL. TLS 1.0 and 1.1 are deprecated; use TLS 1.2 or 1.3. For details please refer to SAP Notes 2781565 & 510007.
  • DN – Distinguished Name, the full subject name of a certificate
  • CN – Common Name, one attribute of the DN (traditionally the host name)
  • SSL – Secure Sockets Layer, the predecessor of TLS; the name is still used loosely for TLS
  • PSE – Personal Security Environment, the file in which SAP stores a key pair, its certificate and the certificates it trusts

A CA, or Certificate Authority, is the party that signs the certificates you create, binding them to the CA's root and intermediate certificates. In terms of the example above, the CA signs with its private key, which never leaves the CA; the root certificate that everybody installs contains only the CA's public key and is what lets clients check those signatures.

Whenever a certificate is created it is by default self-signed, i.e. signed with its own key and not by a CA. Nothing vouches for a self-signed certificate, so browsers and other clients do not trust it unless it is imported explicitly; for any system exposed beyond a closed landscape it is not recommended. Creating a certificate in SAP starts with creating a DN, which consists of the following attributes:

  • DN (Distinguished Name)
    • CN (Common Name)
    • OU (Organizational Unit)
    • O (Organization)
    • ST (State or Province)
    • L (Locality)
    • C (Country)
  • SAN (Subject Alternative Name) – strictly a certificate extension rather than a DN attribute, but mandatory in practice: current browsers match the host name against the SAN list, not the CN

As the names suggest, each attribute describes the organization, and together they form a unique DN. Once the DN and the key pair exist, we create a CSR (Certificate Signing Request): the DN and the public key, signed with our private key and base64-encoded. The CA signs the request and returns the certificate together with its own root and intermediate certificates. When importing the signed response into our certificate (PSE) we must import the root and intermediate certificates as well, completing the certificate chain; a server that presents only its own certificate fails verification in any client that does not already hold the intermediate.

How to access Certificates

In an SAP R/3 or ABAP system you manage certificates in transaction STRUST (the trust manager; STRUSTSSO2 is the variant used for single sign-on trust). These transactions work on PSEs, each of which holds a key pair with its DN plus the list of certificates it trusts. The PSE types are as follows.

  • System PSE
  • SSL Server PSE
  • SSL Client PSE
  • SNC PSE
  • Anonymous PSE

For SSO (Single Sign-On) via SSL between two SAP systems we mainly work with the SSL Server PSE and the SSL Client PSE, exchanging the public certificates between the two systems; private keys are never exchanged. In case of any issue, check the ICM trace in transaction SMICM (Goto -> Trace File).

In Java systems you access certificates via Visual Administrator or NWA. In current SAP NetWeaver releases Visual Administrator no longer exists and NWA is the only administration tool. In Java, certificates live in the Key Storage service, which consists of views such as DEFAULT, TicketKeyStore and TrustedCAs; the main entry of a view is the key-pair certificate, which is again a DN with its key pair as discussed above.

For the remaining SAP components such as Web Dispatcher or HANA, certificates are accessible via the respective PSE management tools (admin URLs) or key stores. HANA uses an embedded Web Dispatcher internally, so accessing its PSEs works the same way, i.e. via the admin URL.

Certificate Checks

You can check whether a certificate is active and accepted by the browser by looking for the padlock.

Clicking the padlock shows the details of the certificate.

Very simple, right? The padlock only means the browser trusts the chain for the host name you typed; still check the expiry date and that the host name appears in the SAN, and do not read more into it than transport security. So next time you visit any website, verify the padlock and the certificate validity, and make sure the web hosts of your SAP systems have a CA-signed certificate installed and show the padlock.
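The padlock check done from a shell, as an added example that is not part of the original article: this is what you need once many SAP web hosts have to be checked regularly. It assumes only the openssl CLI; the host name, port and file names are placeholders, and the certificate it checks is generated locally as constructed test input.

```shell
#!/bin/sh
# Added example, not from the original article: certificate checks a monitoring job
# would run. Assumes the openssl CLI; host names and paths are placeholders.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Fetch the leaf certificate a server presents for the given SNI name (online use
# only, e.g. fetch_leaf_cert sapweb.example.internal 44300 > leaf.pem).
fetch_leaf_cert() {          # $1 = host, $2 = port
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | openssl x509
}

# expires_within_days <pem> <days> -> prints yes/no ("yes" also when already expired)
expires_within_days() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    echo no
  else
    echo yes
  fi
}

# san_contains <pem> <hostname> -> exit 0 if the host name is listed as a DNS SAN.
# Browsers match the host against the SAN list, not the CN; wildcards are not handled.
san_contains() {
  openssl x509 -in "$1" -noout -text | grep -qE "DNS:$2(,|[[:space:]]|$)"
}

# issuer_is_self <pem> -> prints yes when subject == issuer, i.e. self-signed
issuer_is_self() {
  s=$(openssl x509 -in "$1" -noout -subject); i=$(openssl x509 -in "$1" -noout -issuer)
  [ "${s#subject=}" = "${i#issuer=}" ] && echo yes || echo no
}

# Constructed test input: a self-signed certificate with a SAN, valid for <days>.
make_test_cert() {           # $1 = output pem, $2 = fqdn, $3 = days
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" -keyout "$WORK/key.pem" -out "$1" 2>/dev/null
}

# One-line-per-check report for a PEM file and the host name users type.
report() {                   # $1 = pem, $2 = expected host name
  printf 'self-signed: %s\n' "$(issuer_is_self "$1")"
  printf 'expires within 30 days: %s\n' "$(expires_within_days "$1" 30)"
  if san_contains "$1" "$2"; then echo 'hostname match: yes'; else echo 'hostname match: no'; fi
}

if [ "${1:-}" = "run" ]; then
  make_test_cert "$WORK/t.pem" sapweb.example.internal 400
  report "$WORK/t.pem" sapweb.example.internal
fi
```

For a real host replace the constructed certificate with the output of fetch_leaf_cert; a "self-signed: yes" or "hostname match: no" in the report is exactly what makes a browser drop the padlock.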


SAP SLD Change Log Housekeeping (BC_SLD_CHANGELOG)


SAP SLD, the System Landscape Directory, is a key system in any SAP landscape. It is the central provider of landscape information: systems report their data to the SLD and update it automatically at regular intervals. These updates are tracked as change logs in the SLD.

Because every system across the landscape keeps writing these updates, the table BC_SLD_CHANGELOG can grow large; in some cases it is the biggest table in the SLD system. To keep its size under control, regular cleanup of the SLD change log is recommended.

Change Log Cleanup

To perform the change log cleanup, follow the steps below.

  • Log in to the SLD at http(s)://<host>:<port>/sld
  • In the SLD UI, choose Administration -> Changes -> Administrate Change Log
  • Under Remove Entries older than, select a date from the drop-down calendar
  • Click Count to get the exact number of entries that will be deleted for the selected date
  • Once you are satisfied with the selection, click Remove Entries

Note: Do not delete entries that are still needed for incremental exports; if incremental export data are affected by your deletion, follow the system warnings. Also avoid deleting a very long date range with a high entry count in one go, as the long-running deletion can slow down or block the system.

Periodic Changelog Cleanup Task

You can also schedule a periodic task that deletes the change log.

  • Log in to the SLD at http(s)://<host>:<port>/sld
  • In the SLD UI, choose Administration -> Changes -> Cleanup Task Configuration
  • If no task is scheduled, click Schedule Task
  • On the next screen, enter the interval in hours for the periodic run and click Next
  • On the next screen, enter the number of days beyond which entries are to be deleted, then click Finish

This creates the task Changelog Cleanup Task in the Java Scheduler.

Reference SAP Notes

  • 1792134 – Table BC_SLD_CHANGELOG Overflow
  • 1840184 – Features which rely on the SLD change log
  • 1799613 – SLD Change Log clean-up tool

How to check SAPUI5 Version in SAP FIORI


While working with SAP FIORI we often need to check the SAPUI5 version of the FIORI system, for example for compatibility checks or to verify different apps. This article shows how to check the SAPUI5 version in a FIORI system.

SAPUI5 Version nomenclature

SAPUI5 is versioned as follows :

<major version>.<minor version>.<patch level>

That means that, for example, if we have SAPUI5 1.44.13, then major version is 1, minor version is 44 and patch level is 13.

Steps to check SAPUI5 Version

To check SAPUI5 version, follow below steps.

  1. Login to FIORI Launchpad
  2. On keyboard, press key combination CTRL+ALT+SHIFT+P
  3. This will show the SAPUI5 version & OpenUI5 version as well.

Note that the FIORI launchpad also shows a version under your user -> About, but that one is normally the OpenUI5 version, so the reliable way to check is the key combination CTRL+ALT+SHIFT+P described above.


SAP ABAP Performance Check : Quick Reference


SAP system performance depends on a wide variety of parameters and system components. There are several key T-codes for SAP performance checks and tuning, such as ST03N, STAD, ST02 and ST06, but here we focus on a quick reference for checking the performance of an SAP system.

When a user executes a transaction in SAP, it passes through multiple checks and steps. A quick overview is as follows.

Fig. 1 SAP Transaction Steps

The response time of an SAP transaction depends mainly on the work it does in the presentation layer, the application layer and the database layer. A quick reference of the response time and its components is as follows.

Fig. 2 Transaction Response Time & Its Components

A good response time for a transaction depends on the response time of each component involved. The table below shows guideline values for the individual components.

Time                                       | Guideline value                                                     | Problem indicated
-------------------------------------------|---------------------------------------------------------------------|-------------------------------------------------------------------
Dispatcher wait time (Avg. wait time)      | < 10 % of response time, < 50 ms                                    | General performance problem with many causes
Load time (Avg. load & gen. time)          | < 50 ms                                                             | Program buffer too small or CPU bottleneck
Roll-in / roll-out time (Avg. roll-in, roll-out time) | < 20 ms                                                  | SAP roll buffer or extended memory too small, or CPU bottleneck
Roll-wait time (Avg. roll-wait time)       | < 200 ms                                                            | Problem with front-end communication or with external component communication
GUI time (Avg. GUI time)                   | < 200 ms                                                            | Problem with front-end communication
Enqueue time (Avg. lock time)              | < 5 ms                                                              | Problem with enqueue, network problem
Processing time vs. CPU time               | Processing time < 2 x CPU time                                      | CPU bottleneck
Database time (Avg. DB time)               | < 40 % of (total response time minus dispatcher wait time); 200-600 ms | Database problem, CPU bottleneck
Direct read                                | < 2 ms                                                              | Database problem
Sequential read                            | < 10 ms                                                             | Database problem
Logical changes                            | < 25 ms                                                             | Database problem

For workload monitoring use transaction ST03N, which provides several options to check the activities in the system during a specific period: by day, week or month, and for a specific recent interval via the "Last Minute Load" option.

Based on the data available, further checks can be planned as below.

Fig. 3 ST03N Checks 1
Fig. 4 ST03N Checks 2

Details about SAP Work Processes can be checked via SM50/SM66.

Fig. 5 SM50/SM66

Details about application Server CPU, Memory, Disk, I/O etc. can be checked via ST06.

Fig. 6 ST06 Checks 1
Fig. 7 ST06 Checks 2

Another major area for performance check is SAP Memory, which can be checked via transaction ST02. SAP Memory consist of three main areas

  • Roll Memory
  • Extended Memory
  • Heap Memory
Fig. 8 SAP Memory areas & Parameters

Dialog work processes and background work processes use memory in a different order in a UNIX environment. The flow is as follows.

Dialog work process:
  1. Local SAP roll memory up to ztta/roll_first
  2. SAP extended memory, until ztta/roll_extension is reached or extended memory is used up
  3. Local SAP roll memory up to ztta/roll_area
  4. SAP heap memory, until abap/heap_area_dia is reached or SAP heap memory is used up
  5. Program termination

Background work process:
  1. Local SAP roll memory up to ztta/roll_first
  2. SAP heap memory, until abap/heap_area_nondia is reached or SAP heap memory is used up
  3. SAP extended memory, until ztta/roll_extension is reached or extended memory is used up
  4. Program termination

SAP database checks can be performed via transaction DBACOCKPIT, ST04 or DB02; each of them provides access to roughly the same information via different tabs.


SAP JAVA HTTPS Cert update with SAN entry


Steps

  • Log in as <sid>adm
  • Set the environment variable SECUDIR to /usr/sap/<SID>/<Instance>/sec (sapgenpse reads and writes its PSEs there)
  • Take a backup of all files under /usr/sap/<SID>/<Instance>/sec; the backup contains private keys, so keep it readable by <sid>adm only
  • Generate a new PSE with a SAN entry (2048 bits is the minimum key size public CAs accept today)
    • sapgenpse gen_pse -s 2048 -a sha256WithRsaEncryption -p <SID>J2eeSystemSAN.pse -k GN-dNSName:<hostname with fqdn>
    • Provide the PSE password when prompted
    • Provide the Distinguished Name of the PSE owner, e.g. CN=<hostname with fqdn> (add OU, O, L, ST and C as your CA requires)
  • <SID>J2eeSystemSAN.pse is created and the CSR is printed on the screen; copy it and submit it to the issuing Certificate Authority (Entrust etc.) to get the response
  • The response from the CA is the signed certificate; depending on the CA you also need its root and/or intermediate certificate, which must be imported together with it to complete the chain
  • Copy the response to the server as <SID>JavaSSL.csr (despite the extension it is the signed certificate, not a request)
  • Import the certificate into the PSE, passing each CA certificate of the chain with -r so that the PSE holds the complete chain
    • sapgenpse import_own_cert -c <SID>JavaSSL.csr -p <SID>J2eeSystemSAN.pse -r <root certificate> -r <intermediate certificate>
  • To upload the certificate in NWA/Visual Admin, export it as a PKCS#12 (p12) file
    • sapgenpse export_p12 -p <SID>J2eeSystemSAN.pse -x <PSE Password> -z <PSE Password> <SID>_SSL_<Hostname>
    • Passwords given on the command line end up in the shell history and are visible in the process list; omit -x and -z to be prompted instead, and delete the p12 file from the server once it has been uploaded
  • For 7.0X or lower systems (Visual Admin)
    • Load the p12 file in Key Storage -> service_ssl; it asks for the PSE password.
    • Add the name of the entry created in the previous step in the Server Identity tab under Dispatcher -> Services -> SSL Provider in Visual Admin
  • For systems newer than 7.0X (NWA)
    • Check which keystore view is used for SSL in NWA -> Configuration -> SSL
    • Import the p12 file in NWA -> Configuration -> Certificates & Keys -> <keystore view found in the previous step>, normally ICM_SSL_<Instance ID>; it asks for the password
    • Take a backup of the existing SSL private key, if any, by exporting it
    • Delete the old private key if there are two keys after the import of the newly generated p12 file, so the SSL provider does not keep serving the old certificate
    • Restart the ICM so that it loads the new key pair
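The CSR, CA response and chain handling described in the DN/CSR paragraph of "Certificates in SAP Systems" and in the sapgenpse steps above, rehearsed with OpenSSL against a throwaway two-level CA, as an added example that is neither from the original article nor from SAP. sapgenpse itself is not invoked; the host name, file names and the test CA are illustrative. The three checks are the ones worth running on a real CA response before import_own_cert: the certificate matches our key, it still carries the SAN, and the chain verifies only once the intermediate is present.

```shell
#!/bin/sh
# Added example, not from the original article nor from SAP: CSR with SAN, CA
# response and chain completion rehearsed with OpenSSL. Assumes the openssl CLI;
# the CA, FQDN and file names are made up.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
FQDN=sapj2ee.example.internal

# Throwaway root + intermediate CA standing in for Entrust etc.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Test Root CA' \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Issuing CA' \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
}

# Equivalent of "sapgenpse gen_pse ... -k GN-dNSName:<fqdn>": a key pair plus a CSR
# with DN CN=<fqdn> that asks for the SAN.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
    -addext "subjectAltName=DNS:$FQDN" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# The CA signs the request. Public CAs copy the SAN from the CSR; this toy CA sets it explicitly.
ca_sign() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' "$FQDN" \
    > "$WORK/srv.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 1 -extfile "$WORK/srv.ext" -out "$WORK/server.pem" 2>/dev/null
}

# Check 1: the response carries the public key of OUR request (exit 0 if so).
# A certificate for someone else's key is useless in our PSE.
key_matches() {
  a=$(openssl req  -in "$WORK/server.csr" -noout -pubkey | openssl md5)
  b=$(openssl x509 -in "$WORK/server.pem" -noout -pubkey | openssl md5)
  [ "$a" = "$b" ]
}

# Check 2: the issued certificate still lists the FQDN as a DNS SAN -> yes/no
san_has_fqdn() {
  if openssl x509 -in "$WORK/server.pem" -noout -text | grep -q "DNS:$FQDN"; then echo yes; else echo no; fi
}

# Check 3: chain completeness. With the root alone the leaf does NOT verify; with the
# intermediate supplied it does. This is why the intermediate goes into the PSE (-r) as well.
verifies_with_root_only() {
  if openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1; then echo yes; else echo no; fi
}
verifies_with_chain() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/server.pem" >/dev/null 2>&1; then echo yes; else echo no; fi
}

if [ "${1:-}" = "run" ]; then
  make_ca; make_csr; ca_sign
  key_matches && echo 'key matches CSR'
  echo "SAN present: $(san_has_fqdn)"
  echo "verifies with root only: $(verifies_with_root_only)"
  echo "verifies with root + intermediate: $(verifies_with_chain)"
fi
```

On a real response, run the same three checks against the CSR that sapgenpse printed and the certificate files the CA sent; "verifies with root only: no" together with "root + intermediate: yes" tells you exactly which certificate has to be imported alongside the server certificate.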

List of SAP Printers, Corresponding Print servers and print queue with Port used


If we need to check a printer, its access method, its print server and its print queue name, we can get all of this from T-code SPAD. That is fine for a small printer list, but collecting the information for a large number of printers from SPAD is not practical.

We can get the same information at DB level from table TSP03D. The following SQL*Plus script lists everything required; replace the schema SAPSR3 with the schema of your system (e.g. SAP<SID>) if it differs.


-- Output format ('#' is not a comment character in SQL*Plus; use -- or REM)
SET LINESIZE 120
SET PAGESIZE 200
COLUMN NAME       FORMAT A15 HEADING PRINTER
COLUMN PAMETHOD   FORMAT A6  HEADING METHOD
COLUMN PAPROSNAME FORMAT A15 HEADING PRINT-QUEUE
COLUMN PALPDHOST  FORMAT A20 WORD_WRAPPED HEADING PRINT-SERVER
COLUMN PALPDPORT  HEADING PORT

-- Query: one row per output device, grouped by print server
SELECT NAME, PAMETHOD, PAPROSNAME, PALPDHOST, PALPDPORT
  FROM SAPSR3.TSP03D
 ORDER BY PALPDHOST, NAME;


The query can be extended with a WHERE clause if you need only the printers of one print server (e.g. WHERE PALPDHOST = '<print server>') or any other subset.


How to check if oracle general settings are according to the SAP recommendations


  • Oracle version is supported?

The Oracle server version can be checked with the following select:

select * from v$version;

The result must be checked against the following note:

1174136 – Oracle: End of Support Dates

 

  • SAP Bundle Patch (SBP) is up-to-date?

The installed SBP can be checked with the following select:

select * from dba_registry_history order by action_time;

More detailed output can be displayed with the following command:

$ORACLE_HOME/OPatch/opatch lsinventory

The result should be compared with the latest version described in the following notes:

1431799 – Oracle 11.2.0: Current Patch Set

871735 – Current patch set for Oracle 10.2.0

 

  • Oracle parameters are OK?

The recommended parameters can be checked with the script attached to the following note:

1171650 – Automated Oracle DB parameter check

The output contains the recommended changes (add, delete, change, check).

 

  • Environment variables are OK?

Environment variables can be checked based on the following notes:

556232 – Environment settings for R/3/Oracle on Windows

830578 – Environment variable on Unix for ora and adm

 

  • Oracle client version is according to the server version?

Log in as the <sid>adm user, go to the Instant Client directory and run the following command:

genezi -v

If the client version is old, it should be updated. The following notes describe how:

998004 – Update the Oracle Instant Client on Windows

819829 – Oracle Instant Client Installation and Configuration on Unix

The above notes also state where the Instant Client directory is.

 

Reference: SAP Note 1918230


Roadmap: As of Release 7.4, SAP NetWeaver discontinues dual-stack implementations


An SAP system is dual-stack if it contains both SAP NetWeaver Application Server ABAP and Java with one common SAP system ID (SAPSID), one common start-up framework and one common database.

Advantages of a dual-stack system

  • Saves hardware cost for DB and application, as the Java and ABAP parts are installed on the same physical machine
  • Software life-cycle management was the same for both, i.e. the ABAP and Java parts were treated as a single unit
  • Reduced operating cost

Disadvantages of a dual-stack system

  • The tight coupling between the ABAP and Java stacks became more and more of an innovation hurdle
  • Downtime of one stack in a dual-stack system affected the whole system
  • Dual-stack systems could not be scaled independently

Going forward SAP recommends single-stack installations of ABAP and Java and supports this with the dual-stack split tool and the latest Business Suite packages. As of NW 7.4 no dual-stack installation is supported.

The only dual-stack systems that remain are SAP Solution Manager and SAP PI. SAP PI is also available as a Java-only single stack with NW 7.4, which covers about 95% of the capabilities of a classical PI environment.

For more details please refer to the SAP roadmap.