Channel: SCN: Message List - Security

Re: SAP Security - create 2 completely separate companies on 1 instance


Julius -- any idea how to make this work or will we need 2 clients? 


Re: SAP Security - create 2 completely separate companies on 1 instance


Hi Cheryl,

 

I've seen something like this before but my memory is hazy. It was a time of un-bundling utility companies. My understanding is that you would like to re-use as much as possible. You could try to keep using one client and try to use standard authorization objects to separate users. The success of this approach depends on how separate the data should be. Unfortunately, the enabler roles are not going to improve your situation. For example, we can agree that it won't be a big task to separate GL between two companies. This is easily supported by the authorization model of the FI module. But how are you going to protect against users with more powerful authorizations such as SE16? I think the biggest issue will be power users. You will realize that there are many spots where you will have leaks of data between the two companies (e.g. search helps). Sometimes these leaks can be resolved with standard authorizations, sometimes you will have to add additional checks. So it depends on the level of separation between those 2 companies. But it's possible that the cost of properly separating these 2 companies will be higher than the loss by not sharing data.

 

The other approach of having a separate client for each company will give you much better separation but you will lose on the sharing side. You will just share code and some basic stuff.

 

Cheers

Re: SU25 UPG ENHP : how to find modified roles?


Yes, the current system is a copy of production and it's available for a few days only. We have to do our analysis and then we will start with the upgrade in dev.

 

With the changes in SU25, date/time stamps are used to identify if a transaction was updated. I can't remember all the tables off the top of my head, but SU25 is typically run in Development and the resulting PFCG and SU24 changes are transported to production.

 

If you are using a copy of production to test you aren't really testing your approach and your data may vary. Maybe one of the security experts can join in here.

 

I would have thought you'd take a copy of your DEV environment as a sandpit, as this is development work you are testing?

 

Regards

Colleen

Re: Profile is automatically getting generated in production ??


Hi,

is a job like "PFCG_TIME_DEPENDENCY" running on your system?

One step is the report "RHAUTUPD_NEW"

This one generates the assignment of authorization to users active profile.

 

Perhaps it's generating the role too?

 

Greetings

Lars

Re: Store sensitive credentials for https connections?


Hi Steffen,

 

I think your threat model is too strict. Yes, a user with access to the debugger (read-only is enough) will be able to put a break point after your program reads data from the secure store and see it. But that's why you restrict access to the debugger in production. I can't imagine any technical implementation where a user with sufficient debugging authorization can't recover a key. The only way to solve this is to push this out of ECC. You could do this in PI and hence there won't be a need to store the secret in ECC (I assume here that we are talking about ECC). But you would have the same problem in PI. It would be a bit easier because you usually don't have regular users in PI, but these regular users usually don't have access to the debugger either. And if you want to protect against a malicious developer then you have the same problem.

 

For example, ABAP AS uses the secure store to store the predefined password of SICF services. Again, this is sufficient to prevent users with regular access from retrieving passwords, but it does not stop a developer with a debugger.

 

Martin

SSF and digital signatures


Hi Guys!

 

I need to exchange XML documents with a third party. The approach is to generate them from SAP and then sign them with a digital signature.

 

I found information, that I could use SSF to achieve it. On help.sap.com I found information, that I could use SAP Cryptographic library.

 

I have installed SAP Crypto and I maintained ssfrfc.ini file:

SSF_LIBRARY_PATH = D:\CRYPTO\sapcrypto.dll
SSF_TRACE_LEVEL  = 3
SSF_MD_ALG       = MD5
SSF_SYMENCR_ALG  = DES-CBC

 

Now I want to test it with report SSF01 - but I'm getting an error:

Result:  SSF_API_NOSECTK


Version information:                                       61

         SSFRFC V1.46.3 No security toolkit version information found.

 

So I thought I will manually run ssfrfc.exe. And again I'm getting an error:

=================================================
=== SSF INITIALIZATION:
===... SSF initialization file ssfrfc.ini found.
===...SSF library is D:\CRYPTO\sapcrypto.dll .
===...SSF trace level is 3 .
===...SSF hash algorithm is MD5 .
===...SSF symmetric encryption algorithm is DES-CBC .
===...completed.
=================================================


=================================================
=== LOAD SSF FUNCTIONS:
===...could not load SSF library D:\CRYPTO\sapcrypto.dll .

 

I checked two libraries:

SAPCRYPTOLIBP_8412-20011729

SAPCRYPTOLIB_36-10010888

 

I checked all file destinations and so on at least three times. I don't have any new ideas for making it work. Please help me.

 

Best regards

Ana

Re: SSF and digital signatures


In order to use SSF or any SAP Cryptographic Library functionality from AS ABAP, configuration is required. See link and link for details. You can use transaction SSO2 to verify. If you want to use it from the OS, at least the environment variable has to be set.

Re: SSF and digital signatures


I want to run it from Front-End to be able to communicate with smartcard.

 

Best regards

Ana


Re: SSF and digital signatures


You can't invoke it directly, it is invoked by RFC from AS ABAP and for it to work you need to have SAP GUI installed and be connected to the AS ABAP.

Re: SSF and digital signatures


I can do a test with ssfrfc.exe. And it's telling me that the DLL cannot be loaded.

 

 

I found one more DLL: secgss.dll.

 

This one was loaded successfully, but doesn't have functions that I'm interested in.

=================================================
=== SSF INITIALIZATION:
===... SSF initialization file ssfrfc.ini found.
===...SSF library is C:\Program Files (x86)\SAP\FrontEnd\SapGui\Encryption\secgss.dll .
===...SSF trace level is 3 .
===...SSF hash algorithm is MD5 .
===...SSF symmetric encryption algorithm is DES-CBC .
===...completed.
=================================================

=================================================
=== LOAD SSF FUNCTIONS:
===...SSF library C:\Program Files (x86)\SAP\FrontEnd\SapGui\Encryption\secgss.dll loaded successfully.
===... could not load function SsfVersion from SSF library.
===... could not load function SsfEncode from SSF library.
===... could not load function SsfDecode from SSF library.
===... could not load function SsfSign from SSF library.
===... could not load function SsfVerify from SSF library.
===... could not load function SsfEnvelope from SSF library.
===... could not load function SsfDevelope from SSF library.
===... could not load function SsfAddSign from SSF library.
===... could not load function SsfDigest from SSF library.
===... could not load function SsfDELSsfOctetstring from SSF library.
===... could not load function SsfNEWSigRcpSsfInfo from SSF library.
===... could not load function SsfDELSigRcpSsfInfo from SSF library.
===... could not load function SsfINSSigRcpSsfInfo from SSF library.
===... could not load function SsfDELSigRcpSsfInfoList from SSF library.
===... could not load function SsfQueryProperties from SSF library.

 

Best regards

Ana

Re: SSF and digital signatures


Hi Ana,

 

As far as I am aware, the crypto library from SAP does not support smartcards. So unless this has changed recently you are wasting your time with the SAP library. A quick Google query returns some 3rd party vendors with solutions that support smartcards. I do not have any practical experience with any 3rd party solution.

 

Cheers

Re: SSF and digital signatures


Well, according to help.sap.com: http://help.sap.com/saphelp_nw04/helpdata/en/62/459f34f36311d3a6510000e835363f/content.htm

 

SSF requires the use of a security product to perform its functions. Per default, we deliver the SAP Security Library (SAPSECULIB) as the security provider. SAPSECULIB is a software solution with capabilities limited to digital signatures. For support of crypto hardware (for example, smart cards or crypto boxes) or digital envelopes, we also offer the SAP Cryptographic Library, which is available for download on the SAP Service Marketplace.

Re: SSF and digital signatures


I think that documentation is misleading in this case. Check note 86927. It's from 2009 but I think it's still valid. It seems like SAP has a library that supports smartcards but it's part of NW SSO 2.0.

 

Cheers

Re: SSF and digital signatures


Hi Anatoly,

 

The page you are referring to is related to the features of security products of third party companies, not the features of the crypto libraries provided by SAP. If you want to do front-end signatures with smart cards, you need such a product. However, at the moment I cannot find any partner which is certified for the SSF interface and supports what you want. Maybe if you describe the use case, there is another solution that can be used instead?

 

Regards,

 

Patrick

Re: SSF and digital signatures


Patrick is correct about the statement. We have since improved the wording of the statement to make the distinction clearer (from General Information - SAP NetWeaver Application Server ABAP Security Guide - SAP Library):

 

Security Product

SSF requires the use of a security product to perform its functions. Per default, we deliver the SAP Cryptographic Library as the security provider. For more information, see SAP Note 1848999.

For support of cryptographic hardware (for example, smart cards or hardware security modules) or digital envelopes, you need to use an external security product. SAP offers SAP NetWeaver Single Sign-On in addition to external security products offered by our partners.

For SAP-certified partner products, see the SAP Software Partner Program on the SAP Service Marketplace (SSF interface).

 

Sorry for the confusion.

 

-Michael


Re: Store sensitive credentials for https connections?


Hi Martin,

 

Why not put the reading and sending of the secret into a macro? As far as I know one cannot debug those, not even with system debugging. If one creates the key only with reading rights for the class that exclusively handles the secret... - it would be secure, right?

 

Best Regards,

Steffen

Re: Profile is automatically getting generated in production ??


Hello Dayanand, Lars

 

Thank you for the replies. It seems someone moved only those 5 MTs in another revtrac path. Hence I didn't get that transport in workbench where I searched using the normal path.

 

Apologies for taking up your time.

 

Regards

STAUTHTRACE not returning values for objects


while determining a role for a service (as in an interface service / SPROXY) user using STAUTHTRACE, I came across something unusual.

the services (6 in total) are called externally and handled by one user. when checking STAUTHTRACE, I can see that it does show the authorization objects that are checked.  however, the values for these objects are not shown.

when tracing the same user and the same services in ST01, I am able to see the values.

 

this is what part of the trace looks like in STAUTHTRACE:

STAUTHTRACE_novalues1.png

and this is the same part of the trace in ST01:

ST01_withvalues.png

if I change the user type of the user from communication to dialog and log in manually, the values do appear again in STAUTHTRACE as well.

it seems that only when the services are called externally (PI), the values go missing.

has anyone come across this issue and knows what to do about it?

thanks for your help!

Re: SSF and digital signatures


Hello, thanks for the information.

 

For me it's really unclear and the documentation provided is very misleading.

 

My problem is that I need to sign XML documents with XAdES. So far we received our certificates as files, so we created a small Java app that was able to do the work (a background job that was running the app and signing XMLs). Nowadays policy has changed and we need to use security tokens / smart cards.

 

I found information about SSF and I thought it has all I need - smartcards and envelopes - but you say it's not working. Do you know any 3rd party product that we could use for this purpose?

 

Best regards

Ana

Re: Security Audit Log is not active (0170)


Hi Pavan,

I recreated all filters as described in this thread: http://scn.sap.com/thread/3298688

And started the security audit. The result is the same: Security Audit Log is not active (0170).

Do you have any idea why the system returns this message?
