Application Operations in SAP Solution Manager 7.2 provides System and Application Management capabilities for central monitoring, alerting, analytics, and administration of SAP centric cloud and on-premise solutions.
This wiki content has been moved to the SAP Solution Manager 7.2 expert portal. Any child pages of this wiki are deprecated and no longer maintained.
Introduction
These pages describe different used cases of Configuration Validation in detail.
Content
Where can I find Configuration Validation?
Configuration Validation can be found in the Work Center Change Management in Related Links. You can start Solution Manager Work Center either via direct URL link or via the transaction SM_WORKCENTER from the SAP GUI.
Starting with SAP Solution Manager 7.1 SP05 Configuration Validation is also part of the RCA Workcenter.
Overview
Introducing Change Diagnostics Capabilities
This link introduces the change diagnostics capabilities in SAP Solution Manager 7.10.
It comprises the following applications:
- Change Reporting
- E2E Change Analysis
- Configuration Validation
Change Diagnostics Intro
Configuration Validation in SAP Solution Manager 7.2
What's new in SAP Solution Manager 7.2 for Configuration Validation
Demos
There are demos available recorded for the Meet the Expert program of the SAP Enterprise Support Academy (SAP Service Marketplace s-user required).
Go to the SAP Enterprise Support Academy in "View By Delivery Format" choose "Meet The Expert (MTE)" which opens the SAP Enterprise Support Academy - Learning Studio.
Within the Learning Studio in "Delivery Method" check: Meet the Expert - Replay Libray. Then search the catalog using: Configuration Validation.
4 recordings are available
- Configuration Validation for Security
- SAP Enterprise Support – Security Configuration Validation
- SAP Solution Manager 7.1: Configuration Validation
- SAP Solution Manager Security Dashboard ( for this one search for: Security Dashboard)
Another good recording is that one from TechEd 2013 Security Control Center by SAP Active Global Support
Introducing the Report Directory
This page describes the use of the report directory of the Configuration Validation to explore Configuration Items, e.g. ABAP transport requests. The Configuration and Change database (setup via RCA setup) collects for each technical system of type ABAP the import history of transports starting with the setup day. A config store called ABAP_TRANSPORTS contains the recorded transports.
Configuration Validation Special Features
This page describes the use of Configuration Validation using special customizing and features:
- Selective read of data and filtering
- Using outdated Config Stores
- Validation of instance or node type dependent Config Stores
Configuration Validating Special Features
Alert Inbox
This page describes the integration of Configuration Validation into the Alert Inbox
Alert Inbox and Configuration Validation
SAP Knowledge Base Articles describing Target Systems
- SAP KBA 2253549 contains target systems derived from the SAP Security Baseline Template which are ready to use and may used as base for customer target systems.
- SAP KBA 2317318 describes how to validate Java systems for property EnableInvokerServletGlobally using Configuration Validation (CERT Alert TA16-132A)
Best Practices
ABAP Parameter Validation
This page describes the use of Configuration Validation in the context of ABAP parameters. The Configuration and Change database (setup via RCA setup) collects for each technical system and its instances of type ABAP the information about the parameter used by the SAP system.
Use Case:
The runtime of a daily job has sometimes a long runtime. Most of the daily runs are quite fast. Investigating the symptom it was found out that the long runtime is related to one definite instance on which the job is running.
The configuration validation can help to identify parameters which have a value that is different from other instances.
Validating ABAP Parameter step by step guide
ABAP Software Level Validation
This page describes the use of Configuration Validation in the context of Software level validation. The Configuration and Change database (setup via RCA setup) collects for each technical system of type ABAP the currently implemented software components and their release. A Config Store called ABAP_COMP_SPLEVEL contains the recorded info on implemented software components.
Validating ABAP Software Level
J2EE Software Level Validation
This page describes about the use cases of Configuration Validation in the content of J2EE Software level and deployed objects.
Validating J2EE Software Level
SAP Kernel Validation
This page describes about the use cases of Configuration Validation in the content of ABAP kernel.
The CommonCryptoLib uses a specific version number.
Working with XML config stores in Configuration Validation
This page describes the use of config stores of type xml for Configuration Validation. Two config stores of type xml are going to be used as examples.For host related information config store saposcol is available. It contains basic information about the configuration of the host used by a technical system. For J2EE technical system for each J2EE node a config store SAP_J2EEClusterNode exists. It contains basic information about the node configuration.
ABAP Basis Security Validation
This page describes use cases of Configuration Validation with focus on security items.
ABAP Basis Security compliance
ABAP Basis Security Validation using the Management Dashboard
This pages describes the reporting upon ABAP Basis Security content using the Management Dashboard.
Management Dashboard using Configuration Validation
ABAP and J2EE notes validation
This page describes the use of Configuration Validation in the context of ABAP Notes. The Configuration and Change database (setup via RCA setup) collects for each technical system of type ABAP the SAP Notes implemented via the transaction SNOTE. A Config Store called ABAP_NOTES contains the recorded information on implemented SAP Notes. The example uses a Solution Manager 7.10 where a development System (SD7 as DEV) and an integration system (SI7 as PROD) are connected to as managed systems.
ABAP and J2EE notes compliance
Reporting the results of System Recommendations using Configuration Validation
This page describes the reporting in Configuration Validation upon missing SAP Notes which were calculated by System Recommendation.
Reporting System Recommendations Results
Using System Recommendations to create target systems containing SAP security notes
This page describes how to create and use the stores filled with the security SAP Notes from System Recommendations source for Configuration Validation. The Configuration and Change database (setup via RCA setup) collects for each technical system of type ABAP the SAP Notes implemented for this system via the transaction SNOTE. The config store named ABAP_NOTES contains the applied SAP Notes using SNOTE. In the example used it would be considered how to validate which security SAP Notes are missing in the compared systems.
Validating security notes using System Recommendations
ABAP Transports Validation
This page describes which out-of-the-box validation reports are available in reporting directory regarding ABAP transports.
Aggregating Check Results
This page shows how to detect vulnerable systems based on two checks in two different config stores but getting one compliant status reported for each system.
Content of CCDB for a Technical System of type ABAP
This page introduces the available config stores for a technical system of type ABAP.
CCDB Administration
This page describes the new CCDB Administration application:
CCDB Administration Introduction
Transporting Target Systems
This page describes how to transport target systems:
Optimize Reporting
This page describes how to optimize reporting:
Adding User and Role Information for J2EE
This page describes how to add config stores with user and role information for J2EE based on SPML.
J2EE config stores based on SPML
This page is part of the Application Operations Wiki. Notice that Application Operations itself is a use-case of SAP Solution Manager
25 Comments
Thorben Velden
Hi everyone, the links to the feature documents are not working. Is there any other source for this?
Rene Muth
Hello Thorben, links are working again.
Former Member
Hello Rene, How do we decide which ConfigStores we need to use for creating a Security Control Center Dashboard for Java single-stack PI 7.4 system? For ABAP stack, we used the config stores that are part of the 0SEC_NEW target system.
Rene Muth
Hello Raveendra,
in general I recommend to have a look into the SAP Security Baseline Document to understand which config stores could be used to check which security item. The baseline document is here: http://support.sap.com/sos / Media Library / Security Baseline Template (current Version is 1.8). However, the current version does not yet contain links to config stores for j2EE (it does for ABAP) here are the config stores you could use for J2EE:
Former Member
Hi Rene,
Thanks for replying to Raveendra's query. I have been working with him on this. Can we use the the config stores under the Group: J2EE SECURITY for this? If yes, is there any place where we can find the standard values do be populated in these config stores?
Rene Muth
Hello Dipyaman,
the idea is that the Security Baseline Template Document contains the rules and values you could use for your security policy and (in case it suitable for Configuration Validation) refers to the corresponding config store. However, the current version does not yet contain links to config stores for j2EE (it does for ABAP) so please refer to the stores above.
Former Member
Hi Rene,
I found this document: https://support.sap.com/content/dam/library/support/support-programs-services/support-services/SOS_J2EE_Checks.pdf. Can this be used to identify the Java related stores. How can we find the store in the configuration validation section in solution manager system using the number associated with a particular type of check? E.g. Use of a Firewall or Router (0870) ?
Angel Kaiser
Hello
I am trying to deploy a configuration validation to check validity of RFC connections. Is there any store to perform this validation?
Rene Muth
Hello Angel,
the following config stores contain RFC connections:
ABAP content is described in above link CCDB content for ABAP
Angel Kaiser
good morning
I am trying to deploy a configuration validation to check content of table DEVACCES. I want to check if tables has no entries
Angel Kaiser
I am developing a configuration validation to check if host of RFCDES is not hostname. I realized that RFCDES_TYPE_3_CHECK config store has HOST_NAME i am looking for
Question is how to create rule to check if HOST_NAME contains only numbers?
Frank Buchholz
Check RFCDEST for Cointains *
Use a regular expressions for HOST_NAME like one of these:
Only digits (or empty):
^[0-9]*$
Only digits or '.' (or empty):
^[0-9\.]*$
At least 1 digit:
^[0-9]*$
At least 1 digit or '.' :
^[0-9\.]*$
At least 2 groups of digits which are separated by a '.' :
^[0-9]+\.[0-9]+$
At least 1 character:
.*[a-zA-Z]+.*
Use a Regex Tester like
http://www.regextester.com
to experiment and construct regular expressions.
Set all other fields to 'Ignore'.
I suggest to show following columns for reporting:
System
Configuration item
0SMD_CSPV
0SMD_CSV2
0SMD_CSV3
0SMD_CSV4
0SMD_CSV5
Compliance
Key figures
Angel Kaiser
Hi Frank, thanks for your suggestion
Unfortunately for me is not clear wich operation should I user for this rule. Enclosed you will see actual status of my rule
Field Name Operator Value
RFCDEST = *
HOST_NAME Contains ^[0-9]+\.[0-9]+$
All rest is ignored
That's correct?
Frank Buchholz
Use the Operator 'Contains' for RFCDEST and the operator 'Regex' for HOST_NAME.
Angel Kaiser
Thanks so much for your explanation.
Angel Kaiser
Also about reporting, can you show me how to deply it?
Regards
Former Member
Hi,
is it possible to somehow combine the target systems from the security baseline template into one target system?
we want to run "all"of those checks per system and have them in a single report .
thanks,
swe
Rene Muth
Hallo Steve-Wesley,
there is no merge function available which does it for you. You can do it only manually.
Best Regards,
René
Former Member
Hi,
The links are not working. Can you please suggest me where to find them in case they are relocated.
Many thanks in advance.
Rene Muth
Hallo Ashwini,
links to the presentations are working again.
Best Regards,
René
Angel Kaiser
Hi, i developed a configuration validation to show non compliant RFC DNS at the hostname
I use Only Non Compliant Ítems With Value and Target Value report. it is posible to configure layout of it?
Rene Muth
Hallo Angel,
in chapter Optimize Reporting you find several examples hwo to change the layout of a report.
Best Regards,
René
Former Member
I uploaded a Target System from the SAP Security Baseline (BL_S-5). Now I want to add Stores to it (specifically the http store, for my own special checks). So I changed the attributes of the Store to specify a Source System of type Java. Then I click the button Add/Remove Stores. It shows the list of many Java stores including http, but when I select it, and try to Add it, I always get error "Special caracters are not allowed". Why? Rene, do you have any screenshots or Help pages describing how to add Stores to an existing Target System? I would rather not create a new TargetSystem every time we have a new requirement. Maybe I'm doing something wrong but I don't see any other way to do it than what I described.
Rene Muth
Hallo Kesayamol,
There is a target system name check triggered when adding a config store. The name check fails because of the '-' in BL_S-5. I'm going to correct it. In the meantime I would recommend to upload the target system again using name BL_S_1 or you copy BL_S-1 to BL_S__1 in Target System Maintenance / Edit / Copy target sytsem under another name.
Best Regards,
René
Thomas Manz
Hi
i try to find a solution to check the configuration of sapconnect with ConVal. Does anyone know a way to check mailserver-settings (i.e. table SWNODES) within ConfVal?
Best Regards,
Thomas