
Introduction

These pages describe different use cases of Configuration Validation in detail.

Content

Where can I find Configuration Validation?

Configuration Validation can be found in the Work Center Change Management in Related Links. You can start Solution Manager Work Center either via direct URL link or via the transaction SM_WORKCENTER from the SAP GUI.

Starting with SAP Solution Manager 7.1 SP05 Configuration Validation is also part of the RCA Workcenter.

Is there a training for Configuration Validation available?

Yes, you can participate in an Expert Guided Implementation session which is offered by the SAP Enterprise Support Academy.

Go to the SAP Enterprise Support Academy in SAP Enterprise Support, open the course catalog with the link "Register for upcoming EGIs", and search for the course using the pattern "Configuration Validation". Within the catalog entry, expand "View Course Dates" to display the upcoming course dates.

Overview

Introducing Change Diagnostics Capabilities

This link introduces the change diagnostics capabilities in SAP Solution Manager 7.10. 

It comprises the following applications:

  • Change Reporting
  • E2E Change Analysis
  • Configuration Validation

Change Diagnostics Intro

Change Diagnostics Intro Page

Configuration Validation in SAP Solution Manager 7.2

What's new in SAP Solution Manager 7.2 for Configuration Validation

Demos

There are demos available recorded for the Meet the Expert program of the SAP Enterprise Support Academy (SAP Service Marketplace s-user required).

Go to the SAP Enterprise Support Academy and, under "View By Delivery Format", choose "Meet The Expert (MTE)", which opens the SAP Enterprise Support Academy - Learning Studio.
Within the Learning Studio, under "Delivery Method", check "Meet the Expert - Replay Library". Then search the catalog for "Configuration Validation".

4 recordings are available

  • Configuration Validation for Security  
  • SAP Enterprise Support – Security Configuration Validation  
  • SAP Solution Manager 7.1: Configuration Validation  
  • SAP Solution Manager Security Dashboard (for this one, search for: Security Dashboard)

Another good recording is the one from TechEd 2013, Security Control Center by SAP Active Global Support.

Introducing the Report Directory

This page describes the use of the report directory of the Configuration Validation to explore Configuration Items, e.g. ABAP transport requests. The Configuration and Change database (setup via RCA setup) collects for each technical system of type ABAP the import history of transports starting with the setup day. A config store called ABAP_TRANSPORTS contains the recorded transports.

Using the Reporting Directory

Configuration Validation Special Features

This page describes the use of Configuration Validation using special customizing and features:

  • Selective read of data and filtering
  • Using outdated Config Stores
  • Validation of instance or node type dependent Config Stores

Configuration Validating Special Features

Alert Inbox

This page describes the integration of Configuration Validation into the Alert Inbox

Alert Inbox and Configuration Validation

SAP Knowledge Base Articles describing Target Systems

  1. SAP KBA 2253549 contains target systems derived from the SAP Security Baseline Template which are ready to use and may be used as a base for customer target systems.
  2. SAP KBA 2317318 describes how to validate Java systems for property EnableInvokerServletGlobally using Configuration Validation (CERT Alert TA16-132A)

Best Practices 

ABAP Parameter Validation

This page describes the use of Configuration Validation in the context of ABAP parameters. The Configuration and Change database (setup via RCA setup) collects for each technical system and its instances of type ABAP the information about the parameter used by the SAP system.

Use Case:
A daily job sometimes has a long runtime, although most of the daily runs are quite fast. Investigating the symptom showed that the long runtime is related to one particular instance on which the job is running.
Configuration Validation can help to identify parameters whose value differs from that on the other instances.

Validating ABAP Parameter

Validating ABAP Parameter step by step guide

ABAP Software Level Validation

This page describes the use of Configuration Validation in the context of Software level validation. The Configuration and Change database (setup via RCA setup) collects for each technical system of type ABAP the currently implemented software components and their release.  A Config Store called ABAP_COMP_SPLEVEL contains the recorded info on implemented software components.

Validating ABAP Software Level

J2EE Software Level Validation

This page describes the use cases of Configuration Validation in the context of J2EE software level and deployed objects.

Validating J2EE Software Level

SAP Kernel Validation

This page describes the use cases of Configuration Validation in the context of the ABAP kernel.

Validating SAP Kernel Level

Working with XML config stores in Configuration Validation

This page describes the use of config stores of type XML for Configuration Validation. Two config stores of type XML are used as examples. For host-related information, the config store saposcol is available. It contains basic information about the configuration of the host used by a technical system. For a J2EE technical system, a config store SAP_J2EEClusterNode exists for each J2EE node. It contains basic information about the node configuration.

Validating XML config stores

ABAP Basis Security Validation

This page describes use cases of Configuration Validation with focus on security items.

ABAP Basis Security compliance

ABAP Basis Security Validation using the Management Dashboard

This page describes the reporting upon ABAP Basis Security content using the Management Dashboard.

Management Dashboard using Configuration Validation

ABAP and J2EE notes validation

This page describes the use of Configuration Validation in the context of ABAP Notes. The Configuration and Change database (setup via RCA setup) collects for each technical system of type ABAP the SAP Notes implemented via the transaction SNOTE. A Config Store called ABAP_NOTES contains the recorded information on implemented SAP Notes. The example uses a Solution Manager 7.10 where a development System (SD7 as DEV) and an integration system (SI7 as PROD) are connected to as managed systems.

ABAP and J2EE notes compliance

Reporting the results of System Recommendations using Configuration Validation

This page describes the reporting in Configuration Validation upon missing SAP Notes which were calculated by System Recommendation.

Reporting System Recommendations Results

Using System Recommendations to create target systems containing SAP security notes

This page describes how to create and use the stores filled with the security SAP Notes from System Recommendations as the source for Configuration Validation. The Configuration and Change database (setup via RCA setup) collects for each technical system of type ABAP the SAP Notes implemented for this system via the transaction SNOTE. The config store named ABAP_NOTES contains the SAP Notes applied using SNOTE. The example shows how to validate which security SAP Notes are missing in the compared systems.

Validating security notes using System Recommendations

ABAP Transports Validation

This page describes which out-of-the-box validation reports are available in reporting directory regarding ABAP transports.

ABAP transports compliance

Aggregating Check Results

This page shows how to detect vulnerable systems based on two checks in two different config stores but getting one compliant status reported for each system.

Aggregating Check Results

Content of CCDB for a Technical System of type ABAP

This page introduces the available config stores for a technical system of type ABAP.

CCDB content for ABAP 

CCDB Administration

This page describes the new CCDB Administration application:

CCDB Administration Introduction

Transporting Target Systems

This page describes how to transport target systems:

Transporting Target Systems

Optimize Reporting

This page describes how to optimize reporting:

Optimize Reporting

Adding User and Role Information for J2EE

This page describes how to add config stores with user and role information for J2EE based on SPML.

J2EE config stores based on SPML

This page is part of the Application Operations Wiki. Notice that Application Operations itself is a use-case of SAP Solution Manager.

24 Comments

  1. Hi everyone, the links to the feature documents are not working. Is there any other source for this?

    1. Hello Thorben, links are working again.

  2. Hello Rene, How do we decide which ConfigStores we need to use for creating a Security Control Center Dashboard for Java single-stack PI 7.4 system? For ABAP stack, we used the config stores that are part of the 0SEC_NEW target system.

  3. Hello Raveendra,

    in general I recommend to have a look into the SAP Security Baseline Document to understand which config stores could be used to check which security item. The baseline document is here: http://support.sap.com/sos / Media Library / Security Baseline Template (current Version is 1.8). However, the current version does not yet contain links to config stores for J2EE (it does for ABAP). Here are the config stores you could use for J2EE:

    • UME Parameters: com.sap.security.core.ume.service
    • System Cookies and Security session: http
    • Ports: http.properties
    • Invoker Servlet and Session Id Regeneration: servlet_jsp
    • J2EE Support Package Level: J2EE_COMP_SPLEVEL

     

     

     

  4. Hi Rene,

    Thanks for replying to Raveendra's query. I have been working with him on this. Can we use the config stores under the Group: J2EE SECURITY for this? If yes, is there any place where we can find the standard values to be populated in these config stores?

     

    1. Hello Dipyaman,

      the idea is that the Security Baseline Template Document contains the rules and values you could use for your security policy and (in case it is suitable for Configuration Validation) refers to the corresponding config store. However, the current version does not yet contain links to config stores for J2EE (it does for ABAP), so please refer to the stores above.

  5. Hi Rene,

    I found this document: https://support.sap.com/content/dam/library/support/support-programs-services/support-services/SOS_J2EE_Checks.pdf. Can this be used to identify the Java related stores? How can we find the store in the configuration validation section in the Solution Manager system using the number associated with a particular type of check? E.g. Use of a Firewall or Router (0870)?

  6. Hello

    I am trying to deploy a configuration validation to check validity of RFC connections. Is there any store to perform this validation?

     

    1. Hello Angel,

      the following config stores contain RFC connections:

      • RFCDES - contains all connections. However, difficult to check since all settings are concatenated into one string.
      • RFCDES_TYPE_[3,G,H,L,T]: RFC destinations per type, each attribute is a column. Best if you want to check certain settings.
      • RFCDES_TYPE_3_CHECK: (Security): Is a user with critical authorizations used in an RFC destination?

      ABAP content is described in above link CCDB content for ABAP 

  7. good morning

    I am trying to deploy a configuration validation to check the content of table DEVACCES. I want to check if the table has no entries.

  8. I am developing a configuration validation to check if the host of RFCDES is not a hostname. I realized that the RFCDES_TYPE_3_CHECK config store has the HOST_NAME I am looking for.

    Question is how to create rule to check if HOST_NAME contains only numbers?

     

  9. Check RFCDEST for Contains *

    Use a regular expression for HOST_NAME like one of these:

    Only digits (or empty):
    ^[0-9]*$
    Only digits or '.' (or empty):
    ^[0-9\.]*$
    At least 1 digit:
    ^[0-9]+$
    At least 1 digit or '.' :
    ^[0-9\.]+$
    At least 2 groups of digits which are separated by a '.' :
    ^[0-9]+\.[0-9]+$
    At least 1 character:
    .*[a-zA-Z]+.*

    Use a Regex Tester like 
    http://www.regextester.com 
    to experiment and construct regular expressions.

    Set all other fields to 'Ignore'.

    I suggest to show following columns for reporting:

    System
    Configuration item
    0SMD_CSPV
    0SMD_CSV2
    0SMD_CSV3
    0SMD_CSV4
    0SMD_CSV5
    Compliance
    Key figures

     

    1. Hi Frank, thanks for your suggestion

      Unfortunately, it is not clear to me which operation I should use for this rule. Enclosed you will see the actual status of my rule.

      Field Name         Operator           Value

      RFCDEST           =                       *

      HOST_NAME     Contains           ^[0-9]+\.[0-9]+$

      All rest is ignored

      That's correct?

  10. Use the Operator 'Contains' for RFCDEST and the operator 'Regex' for HOST_NAME.

     

    1. Thanks so much for your explanation.

    2. Also about reporting, can you show me how to deploy it?

      Regards
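
The HOST_NAME patterns discussed in the comments above, run against sample values. This is an added example, not part of the original comments or of SAP's tooling. It assumes Python `re` semantics, which may differ from the engine behind the 'Regex' operator in Configuration Validation; `is_ipv4_literal`, `classify` and the sample values are hypothetical.

```python
import re

# Patterns from the comments above; the "at least 1" variant uses "+".
PATTERNS = {
    "digits or empty": r"^[0-9]*$",
    "digits/dots or empty": r"^[0-9\.]*$",
    "at least 1 digit": r"^[0-9]+$",
    "two dotted groups": r"^[0-9]+\.[0-9]+$",
    "contains a letter": r".*[a-zA-Z]+.*",
}

# Assumption (not from the page): a stricter dotted-quad shape check.
IPV4_SHAPE = re.compile(r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}")

def matching_patterns(host):
    """Names of the thread's patterns that match this HOST_NAME value."""
    return sorted(n for n, p in PATTERNS.items() if re.search(p, host))

def is_ipv4_literal(host):
    """True only for four dot-separated octets, each 0..255."""
    if not IPV4_SHAPE.fullmatch(host):
        return False
    return all(int(octet) <= 255 for octet in host.split("."))

def classify(host):
    """Bucket a HOST_NAME value for reporting: empty, ip, hostname, other."""
    if host == "":
        return "empty"
    if is_ipv4_literal(host):
        return "ip"
    if re.search(r"[a-zA-Z]", host):
        return "hostname"
    return "other"

# Constructed sample HOST_NAME values, not taken from a real system.
SAMPLES = ["10.0.0.15", "sapprd01.example.internal", "", "10.0", "999.1.1.1", "..."]

if __name__ == "__main__":
    for host in SAMPLES:
        print(repr(host), classify(host), matching_patterns(host))
```

Under these semantics a full dotted-quad address is matched only by the digits-and-dots pattern, which also accepts an empty value and "...", so a rule built on it should be paired with a check that the field is populated.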

       

  11. Hi, 

    is it possible to somehow combine the target systems from the security baseline template into one target system? 

    we want to run "all" of those checks per system and have them in a single report.

     

    thanks, 

    swe

    1. Hallo Steve-Wesley,

      there is no merge function available which does it for you. You can do it only manually.

      Best Regards,

      René

  12. Hi,

    The links are not working. Can you please suggest me where to find them in case they are relocated.

    Many thanks in advance.

     

    1. Hallo Ashwini,

      links to the presentations are working again.

      Best Regards,

      René

  13. Hi, I developed a configuration validation to show non compliant RFC DNS at the hostname

    I use the Only Non Compliant Items With Value and Target Value report. Is it possible to configure the layout of it?

    1. Hallo Angel,

      in chapter Optimize Reporting you find several examples how to change the layout of a report.

      Best Regards,

      René

  14. I uploaded a Target System from the SAP Security Baseline (BL_S-5).  Now I want to add Stores to it (specifically the http store, for my own special checks).  So I changed the attributes of the Store to specify a Source System of type Java.  Then I click the button Add/Remove Stores.   It shows the list of many Java stores including http, but when I select it, and try to Add it, I always get error "Special caracters are not allowed".  Why?  Rene, do you have any screenshots or Help pages describing how to add Stores to an existing Target System?  I would rather not create a new TargetSystem every time we have a new requirement.   Maybe I'm doing something wrong but I don't see any other way to do it than what I described.

    1. Hallo Kesayamol,

      There is a target system name check triggered when adding a config store. The name check fails because of the '-' in BL_S-5. I'm going to correct it. In the meantime I would recommend to upload the target system again using name BL_S_1 or you copy BL_S-1 to BL_S__1 in Target System Maintenance / Edit / Copy target system under another name.

      Best Regards,

      René