Security Notes Webinar 2023-01, 2021-11
RFC Security Optimization Projects
Renewing the Trust Relations according to this note is one of many optimization projects in the realm of RFC:
The correction note 3287611 gets updated in case of ABAP corrections.
Version 2 from 26.01.2023 and version 4 from 03.02.2023 solved the following issues:
- If you executed the migration report in SA38 online (but not as a background job, e.g. via transaction SMT1), then you got a misleading negative result even for already migrated destinations.
- SMT1 shows a popup when you migrate a trust relationship. On that popup, the input field for the SNC name was too short (33 instead of 255 characters), so you could only renew trust relations with active SNC if the SNC name of the trusting system fit into that field.
- SMT1 shows a popup when you migrate a trust relationship. It was unclear which client is used in the trusting system. Now you enter the client into an input field.
- A dynamic destination is used to renew the trust relation instead of a (maybe outdated) stored destination.
The list of side effects of note 3089413 shows some more notes that solve side effects. All of them (checked on 03.02.2023) are related to the Kernel, and the required Kernel patch is already covered by the prerequisites list as described in 2023-01.
Note 3283804 - Dynamic RFC destination w/o type is not working
Version 1 from 21.12.2022
Release 7.22 patch 1214
Note 3242092 - AUTOABAP RFC Call to functions e.g. AMDP_CLEANUP fails
Version 6 from 20.01.2023
Release 7.53 patch 1100
Release 7.54 patch 23
Release 7.77 patch 516
Note 3274340 - RFC Ticket not working in None Unicode System
Version 1 from 24.11.2022
Release 7.53 patch 1011
Release 7.54 patch 24
Note 3242612 - Logon via SNC from external program is not possible
Version 3 from 17.01.2023
Release 7.53 patch 1031
Note 3240982 - bg/q/t-RFC raise error for none existing destination after applying 3127135
Version 1 from 29.08.2022
Release 7.53 patch 1035
Release 7.54 patch 16
Note 3254958 - Core Dump in classic RFC SDK
Version 1 from 16.01.2023
Release 7.53 patch 1036
Release 7.54 patch 18
Note 3219564 - Trusted/Trusting Roundtrip done even in case it is useless
Version 1 from 30.06.2022
Release 7.81 patch 300
Note 3218599 - Core dump during sm50 trace component ABAP after note 3127135
Published on 16.01.2023
Release 7.81 patch 300
Release 7.85 patch 130
Release 7.88 patch 21
Release 7.89 patch 10
How to use the SAP Solution Manager to get an overview about the implementation process
The report ZCHECK_NOTE_3089413 from GitHub (SAP security-services-tools) provides a cross-system view based on the data collected in the Configuration and Change Database (CCDB).
For every connected ABAP-based system you get validated information about the following areas:
- Kernel version
- ABAP Release and Support Package
- Implementation status of notes 3089413 and 3287611
- Mutual trust relations
- Migrated vs. old trust relations
- Migrated vs. incomplete trusted destinations
- Cross-check for trusted destinations whether a trust relation exists the other way around
- Profile parameters
You can adjust the layout of the main list, store that as a layout and then save a report variant using such a layout.
Check Kernel and ABAP:
Check trusted relations:
(In addition to the fact that no trusted relation is migrated yet, it's critical that far too many trusted relations exist!)
A double click on a count of trusted systems shows a popup with the details for that selection:
Keep in mind that columns like "no data found for trusted system" or "mutual trust relation" require comparing data across different systems. Therefore, you can only get complete results if all systems send data to the SAP Solution Manager and if you include all systems in the analysis.
Check trusted destinations:
A double click on a count of destinations shows a popup with the details for that selection - here is an example for some destinations which are already migrated:
All migrated trusted destinations of course show the system ID (and the installation number) of the called system. In addition, you can see the result of a cross-check: Does the target system of a trusted destination have a trusted relation to this calling system?
- "migrated" yes, the target system has a trusted relation to this calling system and it is already migrated in transaction
- "old" or "very old" yes, the target system has a trusted relation to this calling system but it is not yet migrated in transaction
- "missing" no, the target system has no trusted relation to this calling system
- <empty> No data available about the called system, either because
  - the system does not send data to the SAP Solution Manager,
  - you have not selected this system on the selection screen,
  - or you have omitted the checkbox "Check Trusted Relations" on the selection screen.
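The cross-check described above, sketched in Python as an added example (it is not code from the ZCHECK_NOTE_3089413 report). The system IDs, the data layout and the function names are assumptions, and the sample data is constructed.

```python
# Constructed sample data; SIDs, field layout and function names are
# assumptions for illustration, not the CCDB store format.
# RELATIONS[trusting_sid][trusted_sid] = state of that trust relation as
# recorded in the trusting system. A SID absent from RELATIONS sent no data.
RELATIONS = {
    "PRD": {"DEV": "migrated", "QAS": "old"},
    "QAS": {"PRD": "very old"},
    "DEV": {},  # reports data, but trusts no other system
}
# Trusted destinations: (calling system, destination name, target system)
DESTINATIONS = [
    ("DEV", "PRD_TRUSTED", "PRD"),
    ("QAS", "PRD_TRUSTED", "PRD"),
    ("PRD", "DEV_TRUSTED", "DEV"),
    ("PRD", "BW_TRUSTED", "BWP"),
]

def cross_check(caller, target, relations, selected=None, check_relations=True):
    """Return 'migrated', 'old', 'very old', 'missing' or '' (no data)."""
    if not check_relations:
        return ""  # "Check Trusted Relations" not set
    if selected is not None and target not in selected:
        return ""  # target system not on the selection screen
    if target not in relations:
        return ""  # target system sends no data
    # Data exists: either the target trusts the caller, or the relation is missing.
    return relations[target].get(caller, "missing")

def mutual_trust(relations):
    """Pairs of systems that trust each other; needs data from both sides."""
    return sorted({tuple(sorted((a, b)))
                   for a, trusted in relations.items()
                   for b in trusted
                   if a != b and a in relations.get(b, {})})

def report(destinations, relations, **opts):
    """Map (caller, destination) to the cross-check result for its target."""
    return {(c, d): cross_check(c, t, relations, **opts)
            for c, d, t in destinations}

if __name__ == "__main__":
    for key, status in report(DESTINATIONS, RELATIONS).items():
        print(key, status or "<empty>")
    print("mutual trust:", mutual_trust(RELATIONS))
```

A "missing" result means the trusted destination cannot work as such and is a candidate for cleanup, while an empty result only says that the analysis lacks data for the target system.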
How to use the SAP Focused Run to get an overview about the implementation process
You can use the policy FRUN: Extended policy for note 3089413 for Configuration & Change Analysis.
Please tell me via mail if you have suggestions on how to improve the policy.