
see also

Security Notes Webinar 2023-01, 2021-11

Note 3089413

RFC Security Optimization Projects

Renewing the Trust Relations according to this note is one of many optimization projects in the realm of RFC:

Updates

The correction note 3287611 gets updated in case of ABAP corrections.

Version 2 from 26.01.2023 and version 4 from 03.02.2023 solved the following issues:

  • If you executed the migration report RS_MIGRATE_TTDESTS online via transaction SA38 (rather than as a background job, e.g. via transaction SMT1), you got a misleading negative result even for destinations that were already migrated.
  • Transaction SMT1 shows a popup when you migrate a trust relationship. On that popup, the input field for the SNC name was too short (33 instead of 255 characters), so you could only renew trust relations with active SNC if the SNC name of the trusting system fit into that field.
  • Transaction SMT1 shows a popup when you migrate a trust relationship. It was unclear which client is used in the trusting system. Now you enter the client into an input field.
  • A dynamic destination is used to renew the trust relation instead of a (maybe outdated) stored destination.
  • […]

The list of side effects of note 3089413 shows some further notes that solve side effects. All of them (checked on 03.02.2023) are related to the Kernel, and the required Kernel patch is already covered by the prerequisites list as described in 2023-01.

Note 3283804 - Dynamic RFC destination w/o type is not working
Version 1 from 21.12.2022
Kernel patch:
Release 7.22 patch 1214

Note 3242092 - AUTOABAP RFC Call to functions e.g. AMDP_CLEANUP fails
Version 6 from 20.01.2023
Kernel patch:
Release 7.53 patch 1100
Release 7.54 patch 23
Release 7.77 patch 516

Note 3274340 - RFC Ticket not working in None Unicode System
Version 1 from 24.11.2022
Kernel patch:
Release 7.53 patch 1011
Release 7.54 patch 24

Note 3242612 - Logon via SNC from external program is not possible
Version 3 from 17.01.2023
Kernel patch:
Release 7.53 patch 1031

Note 3240982 - bg/q/t-RFC raise error for none existing destination after applying 3127135
Version 1 from 29.08.2022
Kernel patch:
Release 7.53 patch 1035
Release 7.54 patch 16

Note 3254958 - Core Dump in classic RFC SDK
Version 1 from 16.01.2023 
Kernel patch:
Release 7.53 patch 1036
Release 7.54 patch 18

Note 3219564 - Trusted/Trusting Roundtrip done even in case it is useless
Version 1 from 30.06.2022
Kernel patch:
Release 7.81 patch 300

Note 3218599 - Core dump during sm50 trace component ABAP after note 3127135 
Published on 16.01.2023
Kernel patch:
Release 7.81 patch 300
Release 7.85 patch 130
Release 7.88 patch 21
Release 7.89 patch 10

How to use the SAP Solution Manager to get an overview about the implementation process

Report ZCHECK_NOTE_3089413 from GitHub - SAP security-services-tools provides a cross-system view based on the data collected in the Configuration and Change Database (CCDB).

For every connected ABAP-based system, you can validate information about the following areas:

  • Kernel version
  • ABAP Release and Support Package
  • Implementation status of notes 3089413 and 3287611
  • Mutual trust relations
  • Migrated vs. old trust relations
  • Migrated vs. incomplete trusted destinations
  • Cross-check for trusted destinations whether a trust relation exists the other way around
  • Profile parameters

Selection screen:

You can adjust the layout of the main list, store that as a layout and then save a report variant using such a layout.

Check Kernel and ABAP:

Check trusted relations:

(In addition to the fact that no trusted relation is migrated yet, it's critical that far too many trusted relations exist!)

A double-click on the count of trusted systems shows a popup with the details for that selection:

Keep in mind that columns like "no data found for trusted system" or "mutual trust relation" require comparing data across different systems. Therefore, you can only get complete results if all systems send data to the SAP Solution Manager and if you include all systems in the analysis.

Check trusted destinations:

A double-click on the count of destinations shows a popup with the details for that selection. Here is an example for some destinations which are already migrated:

All migrated trusted destinations of course show the system ID (and the installation number) of the called system. In addition, you can see the result of a cross-check: Does the target system of a trusted destination have a trusted relation to this calling system?

  • "migrated": yes, the target system has a trusted relation to this calling system, and it is already migrated in transaction SMT1
  • "old" or "very old": yes, the target system has a trusted relation to this calling system, but it is not yet migrated in transaction SMT1
  • "missing": no, the target system has no trusted relation to this calling system
  • <empty>: no data is available about the called system, either because
    • the system does not send data to the SAP Solution Manager,
    • you have not selected this system on the selection screen,
    • or you have left the checkbox "Check Trusted Relations" on the selection screen unchecked.
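
The cross-check rules above, applied to a small inventory, as an added example: this is not code from report ZCHECK_NOTE_3089413, and the inventory layout, system IDs and destination names are constructed assumptions rather than the CCDB data model.

```python
# Added example: not the report's code. Inventory layout and names are assumed.
# Constructed inventory keyed by system ID. "relations" maps each trusted
# (calling) system to the status recorded for it in this trusting system.
INVENTORY = {
    "PRD": {"relations": {"DEV": "migrated", "QAS": "old"},
            "destinations": [{"name": "TO_QAS", "target": "QAS"}]},
    "QAS": {"relations": {"PRD": "migrated"},
            "destinations": [{"name": "TO_PRD", "target": "PRD"},
                             {"name": "TO_EXT", "target": "EXT"}]},
    "DEV": {"relations": {},
            "destinations": [{"name": "TO_PRD", "target": "PRD"},
                             {"name": "TO_QAS", "target": "QAS"}]},
}


def cross_check(inventory, caller, target, selected=None, check_relations=True):
    """Cross-check result for one trusted destination caller -> target."""
    selected = set(inventory) if selected is None else set(selected)
    # Empty result: check switched off, target not selected, or no data sent.
    if not check_relations or target not in selected or target not in inventory:
        return ""
    # The called system is the trusting side and must list the caller as trusted.
    # Status values ("migrated", "old", "very old") are passed through as recorded.
    return inventory[target]["relations"].get(caller, "missing")


def destination_report(inventory, selected=None, check_relations=True):
    """One row (caller, destination, target, result) per trusted destination."""
    chosen = set(inventory) if selected is None else set(selected) & set(inventory)
    return [(caller, dest["name"], dest["target"],
             cross_check(inventory, caller, dest["target"], selected, check_relations))
            for caller in sorted(chosen)
            for dest in inventory[caller]["destinations"]]


def mutual_relations(inventory):
    """Sorted pairs of systems that each list the other as a trusted system."""
    pairs = set()
    for trusting, data in inventory.items():
        for trusted in data["relations"]:
            other = inventory.get(trusted, {}).get("relations", {})
            if trusted != trusting and trusting in other:
                pairs.add(tuple(sorted((trusting, trusted))))
    return sorted(pairs)


if __name__ == "__main__":
    for row in destination_report(INVENTORY):
        print(row)
    print("mutual:", mutual_relations(INVENTORY))
```

Restricting `selected` turns results for unselected targets into empty values instead of "missing", which is why a partial selection cannot be read as proof that a trust relation is absent.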


Please tell me via GitHub Issues or Discussions or via mail if you have suggestions on how to improve the report.

How to use the SAP Focused Run to get an overview about the implementation process

You can use the policy FRUN: Extended policy for note 3089413 for Configuration & Change Analysis.

Please tell me via mail if you have suggestions on how to improve the policy.
