SAP NOTE 1298433 Bypassing security in reginfo & secinfo

Could someone advise me about SAP Note 1298433, Security note: Bypassing security in reginfo & secinfo?
In my opinion this error correction must be done carefully, because there could be a risk during the execution of jobs that use external programs, causing jobs to finish with errors, lose files, or external programs to be unable to connect.
We have received news from other customers who have applied this change and had some issues where external programs were unable to connect. There was such a flood of them at once that in the end the client requested to disable this for now, as they are controlling their environment for this with their firewalls.

A likely cause of failure is that you restricted the user-hosts in secinfo without maintaining reginfo.
Absence of reginfo defaulted to secinfo settings, but that is somewhat contradictory as they serve a different purpose.
Please describe the scenario of your concern. Particularly, are you using any IS-solutions or have background processing "balanced" onto a specific server?
Can you locate it to a reginfo problem in combination with a router?
Firewalls between the server network and the clients are good, but not very scalable, as the firewalls are generally rather blunt and don't understand application logic. Network security folks seldom understand SAP as well and don't really like maintaining SAP-related network devices.
Cheers,
Julius

Similar Messages

  • How to resolve Issues while implement gateway security by using reginfo,secinfo?

    Hi,
    I want to implement gateway security using gw/reg_info, gw/sec_info, gw/reg_no_conn_info.
    So far I have created reginfo and secinfo files to allow all internal traffic, and I kept gw/reg_no_conn_info=11, gw/acl_mode=1.
    reginfo
    ======
    #VERSION=2
    P TP=*,HOST=local
    P TP=*,HOST=internal
    P TP=*,HOST=*.abc.com
    With the above setting I believe all the programs within SAP systems (including app servers), and also systems from domain abc.com, can register programs without having any issues.
    secinfo:
    ======
    #VERSION=2
    P TP=* USER=* USER-HOST=local HOST=local
    P TP=* USER=* USER-HOST=internal HOST=internal
    Similarly, as per the secinfo content, I believe that all the internal traffic can go without any issue within the SAP system.
    Besides that, I have activated gateway logging to find the rejected connections, if any.
    I have the following questions:
    ===================
    1) As the reginfo and secinfo files are maintained, can I remove the gw/acl_mode=1 parameter?
    2) If I want to add a specific program to register from a 3rd party system, suppose a program called "zram" from system "172.198.10.1", where am I supposed to add it? Do I need to add that IP to secinfo along with reginfo?
    3) When I set parameter gw/reg_no_conn_info=11, converted to binary it equals 00001011.
    What exactly does this mean, given the following definitions from note 1444282?
    1 1298433 Bypassing security in reginfo & secinfo
    2 1434117 Bypassing sec_info without reg_info
    4 1465129 CANCEL registered programs
    8 1473017 Uppercase/lowercase in the files reg_info and sec_info
    Does that mean 8+2+1, i.e. satisfying the above 3 lines except condition 4?
    4) I enabled gateway logging; how can I catch rejected connections from third party systems?
    5) From simulation mode I got to know that it will satisfy the reginfo and secinfo restrictions and it will allow all other traffic. So what is the added advantage of this when activated?
    6) Are there any SAP native tools which help while preparing reginfo and secinfo files?
    6)is there any sap native tools which help while preparing reginfo, secinfo files?
    Regards,
    Koteswararao.Davuluri(Koti).

    Hi,
    Here are answers to questions 4 and 5.
    4) I enabled gateway logging; how can I catch rejected connections from third party systems?
    SMGW -> Goto -> Expert functions -> Logging
    In the above path, if you select Security -> (under that) -> Rejected access only, it should show you the connections getting rejected.
    5) For simulation mode you have 2 options. You can activate it directly from the above path. The other option: if you maintain gw/sim_mode = 1, that will make simulation mode permanent. But once all the entries are set in reginfo, you have to disable simulation mode. With secinfo you will not have many problems.
    After doing steps 4 and 5 you can see rejected entries in the gateway log.
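
A simplified model of the reginfo check discussed in this thread and in the reply at the top of the page, added here as an example; it is not SAP code and not code from any of the posters. It evaluates the posted reginfo top-down with the first matching rule deciding, shows what simulation mode changes for an unmatched request, and decodes the gw/reg_no_conn_info value from question 3. Assumptions: the host names `sapapp1.example.test` and `sapapp2.example.test` are constructed, wildcards are matched `fnmatch`-style, comparison is case-insensitive, and the comma between TP and HOST is tolerated as posted.

```python
import re
from fnmatch import fnmatchcase

# Bit values of gw/reg_no_conn_info as listed in the post (note 1444282).
REG_NO_CONN_INFO_BITS = {
    1: "1298433 Bypassing security in reginfo & secinfo",
    2: "1434117 Bypassing sec_info without reg_info",
    4: "1465129 CANCEL registered programs",
    8: "1473017 Uppercase/lowercase in the files reg_info and sec_info",
}

# reginfo exactly as posted, including the comma between TP and HOST.
POSTED_REGINFO = """\
#VERSION=2
P TP=*,HOST=local
P TP=*,HOST=internal
P TP=*,HOST=*.abc.com
"""

# KEY=value pairs; a value ends at the next KEY= or at end of line, so a
# comma-separated host list stays inside one value.
FIELD = re.compile(r"([A-Z-]+)=(.*?)(?=[\s,]+[A-Z-]+=|\s*$)")

def decode_reg_no_conn_info(value):
    """Return the notes whose bit is set in a gw/reg_no_conn_info value."""
    return [note for bit, note in sorted(REG_NO_CONN_INFO_BITS.items()) if value & bit]

def parse_reginfo(text):
    """Parse P/D lines into (action, tp_patterns, host_patterns) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, comment or the #VERSION=2 header
        action, fields = line[0].upper(), dict(FIELD.findall(line[1:]))
        if action not in ("P", "D") or "TP" not in fields or "HOST" not in fields:
            raise ValueError(f"rule outside this simplified model: {raw!r}")
        split = lambda v: [p.strip().lower() for p in v.split(",")]
        rules.append((action, split(fields["TP"]), split(fields["HOST"])))
    return rules

def host_matches(patterns, host, local_host, system_hosts):
    """Resolve the local/internal keywords, otherwise do wildcard matching."""
    for pattern in patterns:
        if pattern == "local":
            matched = host == local_host
        elif pattern == "internal":
            matched = host in system_hosts
        else:
            matched = fnmatchcase(host, pattern)
        if matched:
            return True
    return False

def check_registration(rules, tp, host, local_host, system_hosts, sim_mode=False):
    """First matching rule decides; unmatched requests pass only in simulation mode."""
    tp, host = tp.lower(), host.lower()
    for number, (action, tps, hosts) in enumerate(rules, start=1):
        tp_ok = any(fnmatchcase(tp, p) for p in tps)
        if tp_ok and host_matches(hosts, host, local_host, system_hosts):
            return action == "P", f"rule {number}"
    return sim_mode, "no matching rule"

# Constructed host names for the SAP system; not taken from the post.
LOCAL = "sapapp1.example.test"
SYSTEM = {"sapapp1.example.test", "sapapp2.example.test"}

if __name__ == "__main__":
    print(decode_reg_no_conn_info(11))
    rules = parse_reginfo(POSTED_REGINFO)
    print(check_registration(rules, "zram", "172.198.10.1", LOCAL, SYSTEM))
    print(check_registration(rules, "zram", "172.198.10.1", LOCAL, SYSTEM, sim_mode=True))
    fixed = parse_reginfo(POSTED_REGINFO + "P TP=zram HOST=172.198.10.1\n")
    print(check_registration(fixed, "zram", "172.198.10.1", LOCAL, SYSTEM))
```

Under this model the third-party program "zram" matches none of the three posted rules, so it is rejected once simulation mode is off, which is the kind of entry the "Rejected access only" log filter is meant to surface before enforcement.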

  • Microsoft security patch  KB834707 side effects in NW. SAP Note 785308

    I figured we should make a thread with information known about this problem.
    Since the problem comes in the javascripts, I would believe the problem is on the client-side, not server side.
    Does anyone know exactly what the problem is (what has Microsoft changed) ?
    Please contribute with information you get from OSS's.
    I'll update this first post with all available information
    Information:
    15.11: Microsoft have to provide a solution to this problem and that it could take some time. The problem lies on the Microsoft side so we must wait for them before a solution can be provided.
    - Development has found that by adding the site to the intranet zones of the client browser, the problem is solved; some experience of late has shown that in some cases you have to add the full machine name to the intranet sites and not just in the form of *.somedomain.com.
    Microsoft and SAP are currently working on the problem and a proper and long term solution is expected shortly. However no exact date has been specified.
    - It is possible that the problems are caused by event handlers pointing directly to a DOM function:
    http://support.microsoft.com/kb/887741
    - I've noticed that we don't have a problem on a portal running EP 6 SP2 P3 Hf4, after installing the hotfix on the client side. Maybe the problem is on the server side or maybe because it is an intranet portal only (however, I had no problems when setting it to be in the internet security zone). Awaiting confirmation from SAP
    SAP Note 785308
    http://service.sap.com/~form/sapnet?_FRAME=CONTAINER&_OBJECT=012006153200001521102004
    (direct link I think, albeit very slow)
    Microsoft KB834707
    http://support.microsoft.com/?id=834707
    Microsoft Security Bulletin 04-038
    http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx
    Last edited 2004-11-15 13:27
    Message was edited by: Dagfinn Parnas
    More information

    > Does anyone know exactly what the problem is (what has Microsoft changed) ?
    a) Go to <http://www.ciac.org/ciac/bulletins/p-006.shtml> and search for the "CAN-" links. Each component has a one paragraph description.
    b) According to <http://patch-info.de/IE/2004/10/12/20-35-16.html> it contains:
    mshtml.dll (6,0,2800,1476 - 29,09,2004)
    urlmon.dll (6,0,2800,1474 - 23,09,2004)
    shdocvw.dll (6,0,2800,1584 - 27,08,2004)
    wininet.dll (6,0,2800,1468 - 23,08,2004)
    browseui.dll (6,0,2800,1584 - 22,08,2004)
    shlwapi.dll (6,0,2800,1584 - 20,08,2004)
    c) Some of the things that could be breaking are DOM references and DHTML, which are advanced features that not every application uses.
    From <http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx>:
    "Caveats: Microsoft Knowledge Base Article 834707 <http://support.microsoft.com/?id=834707> documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues."
    Among other issues, that page says [<b>emphasis</b> added]:
    - After you install the MS04-038 security updates for Internet Explorer, some dynamic HTML (DHTML) <b>drag-and-drop operations are blocked</b> by Internet Explorer.
    - Security update 834707 includes a change to the way that Internet Explorer handles function pointers. This change in functionality occurs when an event handler points directly to a Document Object Model (DOM) function [...] Change in Internet Explorer function pointer behavior <b>causes code to not be executed</b> when an event handler is set to directly reference a DOM function after installing MS04-038 security updates.
    BTW, Note 785308 has been updated with a workaround.
    Regards,
    Sean

  • Securing payload in message monitoring using SAP note 1370334

    Hi Experts,
    I am working to implement SAP note 1370334 on the PI server. For that I have created:
    1. An XML file having actions and roles according to the SAP note, zipped in an .EAR file and given to the BASIS team to deploy.
    2. BASIS deployed that .EAR file successfully.
    To test whether the SAP note has been uploaded successfully or not, we asked BASIS to create two 'test user ids' with minimum authorisation.
    When I am testing through RWB to see the payload without assigning any roles to the created test user, it is showing 'No authorisation'.
    But when we assigned a role to one test user, both test users were able to see the payload. But according to the SAP note, the payload should be visible to one user only, not to the other.
    And according to the roles assigned in the Action.xml file, display authorisation is only from sender service 'A' to receiver service 'B', but message contents are visible for all services.
    Can anyone help me with why this is happening or where I am going wrong, or tell me if I am testing in the wrong way?
    It's Urgent!!!
    thanks in advance.

    hi debraj..
    is ur message ie sxmb_moni in red status or scheduled status...??
    if in scheduled cud be errors with queues ...delete ur queues with tcodes : smq1 and smq2...
    and also hopefully u must have configured ur idoc correctly..
    https://websmp101.sap-ag.de/~form/sapnet?_SHORTKEY=01200252310000071155&_SCENARIO=01100035870000000202
    regards..
    vishal

  • SAP Note 1304803(Security Note : Changing a transport w/o authorization)

    Hi experts,
    I have this SAP note downloaded and saved in a local folder on my PC. I just would like to know if there is any technical procedure on how to implement this patch on our SAP system.
    Thanks,
    Deo Pasion

    Hi
    First of all, this is a note implementation and not a patch.
    You have to apply this note using transaction SNOTE.
    For doing this, find the procedure at:
    http://www.sappoint.com/PHPWebUI/Documents/OSS%20Note%20Application%20-%20Using%20SNOTE.pdf
    Rohit

  • Installation of SAP Note 612011

    Hi,
    I'm going to install SAP note 612011 in order to make sure that the system no longer automatically sets the final indicator 'Clearing Indicator for GR/IR Posting for External Services' while processing an incoming invoice.
    As it's possible to read in the note's text, "this modification is not a function in the standard SAP system. SAP takes no responsibility and provides no maintenance for problems that may occur as a result of this modification".
    So I'd like to know if someone, after having installed this note, encountered any problem.
    Thanks in advance,
    Elisa

    Hello,
    As you know data and log entries of a MaxDB database instance are stored on so called volumes which are either files or, where this is possible, raw devices.
    The benefit of a RAW device is faster write performance. Also, a RAW device is much more secure because of the direct write to disks instead of caching the writes. The caching of writes could cause inconsistencies if a crash occurs.
    Please go at :
    http://dev.mysql.com/doc/maxdb/ -> MaxDB Library
    -> Concepts of the Database System -> Creating and Configuring a Database Instance
    -> Planning the Database Instance < & Technical Restrictions >
    At the 'Planning the Database Instance' section in the paragraph 'Database Size and Configuration of Volumes' you will find more information.
    And you could see in more details, why we recommend to use raw devices for
    data and log volumes in MAXDB on UNIX systems.
    Please also review the information at link - MaxDB FAQ (frequently asked questions) on the MySQL site (target audience: Open Source) :
    http://dev.mysql.com/doc/maxdb/maxdb_faq.html
    < '5.2. How do I configure the database files?' >
    SAP customers can find more information in SAP Note 820824.
    And if you are an SAP customer, please review the SAP notes for additional information:
    628131 SAP DB / MaxDB operating system parameters on Unix
    767598 Available documentation
    748225 Measurement IO times on liveCache/SAP DB/MaxDB DATA/LOG Volumes
    Thank you and best regards, Natalia Khlopina

  • QM Digital Signature SAP System's Personal Security Environments (PSEs)

    Hi All,
    We want to introduce the Digital Signatures for Quality Management Result Recording and Usage Decision. (Transaction Codes :QE01,QE02,QA11,QA12).
    We have made some studies. Still we need some suggestions to achieve the final goal.
    ==============================================================
    1.
    SSF settings for system signature
    Check and if necessary maintain the standard settings. To do this, execute the following activities in the IMG under SAP Web Application Server -> System Administration -> Digital Signature:
    • Define application-dependent parameters for SSF functions
    • Define security settings for the system
    The above IMG Structure
    SAP Web Application Server -> System Administration -> Digital Signature:
    Is not appearing in ECC6.0. Where we can find the above structure in ECC6.0?
    2. SAP Netweaver
    --> Application Server
    --> System Administration
    -> Maintain the Public Key information for the system
    --> Maintaining the system security information.
    This IMG Activity "Maintaining the System Security information"
    Environment.
    We have to create new “SAP System's Personal Security Environments (PSEs)” ?
    What is the procedure to create SAP System's Personal Security Environments (PSEs) ?
    We are unable to proceed.
    Plz. help.
    With Best Regards,
    Raghu Sharma.

    Dear All,
    Basis involvement is very much required.
    Hence we are closing this issue.
    With Best Regards,
    Raghu Sharma

  • Bypass security question in Password self service in AC 10

    We have configured Password self service in AC10. But as we have integrated with SSO so we do not want a security question registration and its answer to be filled during reset .
    So my query: is it possible to bypass the security question and reset the password successfully?

    We could have password self service running without security question.
    regards
    Hemant

  • INI file preference not being followed - Regarding SAP Note 1409494

    Hi,
    Following SAP Note 1409494, it seems like there is a preference over locations of INI files.
    I have setup on my Citrix servers, the environment variable (SAPLOGON_INI_FILE) pointing to a central location of INI file.
    The problem is that in the same server there is the BW logon pad that requires a different set of configurations, therefore a second INI file.
    When I try to use the first option on the note (command line parameter /INI_FILE) pointing to a second INI file, it uses the one on the environment variable.
    Is that the way it's supposed to work???
    Is there a way to bypass this?
    Thanks!

    Hello Vijith,
    I guess you are talking about note 1034932 <https://service.sap.com/sap/support/notes/1034932>. It is currently being changed; what it will basically say is:
    If you put the jars somewhere in /usr/sap and later on upgrade the engine, you will actually lose the entire folder and will have to copy the jar files again.
    As a permanent solution you could define an HTTP Alias <http://help.sap.com/saphelp_nw04/helpdata/en/ee/0618d0899001408d821096c85ff8a2/frameset.htm> on the engine (not an application alias but an http alias) which will point to a folder on the file system outside the /usr/sap folders.
    After that just set JavaGuiCodeBase for the applet to whatever you chose for the http alias name.
    If you have suggestions to further improve the note, please let us know.
    Best regards
    Rolf-Martin

  • Composite SAP Note 1261193 : HCM Authorizations Documentation

    Hi Team,
    For what it's worth, I have consolidated all the relevant Support notes, in the field of HCM authorizations, during my project involvements.
    Composite SAP Note 1261193 : HCM Authorizations Documentation
    Symptom
    You would like to have a consolidated view of must-read OSS notes when dealing with HCM Authorizations. This list is not exhaustive and contains useful notes. It is provided as a courtesy.
    Other terms
    HCM Authorizations Security Personnel Administration Personnel Development
    Reason and Prerequisites
    Documentation.
    Solution
    Read the documentation listed in this note.
    Attend standard SAP class HR940 - SAP HCM Authorizations for HCM for hands-on experience.
    List of related transaction codes for HCM Authorizations (non exhaustive, for information purpose only) is also included.
    Let me know if you have other notes to add.
    Keep up the good work,
    Cheers,
    Martin

    Thanks Sergio
    Thanks for the reminder, I had already the WIKIs under my radar, Marcio amongst other people has done a great job.
    Plus I provide the WIKI http://wiki.sdn.sap.com/wiki/display/ERPHCM/XSSHCMSelfServicesDocumentation in order to introduce this consolidated XSS note.
    Keep up the good work.
    Br,
    Martin

  • How to test/Verify SAP Notes

    Hi Gurus,
    Appreciate if you could share on how to test/verify the following sap notes:-
    1) 1330776
    2) 1143177
    3) 1271688
    4) 1302928
    5) 1329090
    Thank you,
    Green Choc

    I generally agree with Mylene here, however this is also a special case.
    If you read SAP note 888889 then you will see that it is an intentional "heads-up" from SAP to take a look into the related notes, and (as was before) not the case that you have to find the problem first to need to fix the program error in your system.
    The related notes of 888889 are to my knowledge designed in such a way that you can install them using SNOTE without any manual corrections required, and they fix only undesirable SAP standard system behaviour without any reasonable chance of customer specific use of it being impacted.
    Basically, it blocks a known (and published) security error.
    > do you actually expect us to come up with follow-up notes of the ones you wrote down here and develop a test-scenario for them, too?
    This is true. It would go on forever... Just dumping note numbers into the forum is not the intention of them.
    I think the thread can be closed and more specific questions about the content of individual notes or risk rating of them etc can be asked, if required. Generally, if you look at the correction blocks you can anyway work out what's going on and would probably want to implement them as a result.
    Cheers,
    Julius

  • I can not remember my security question answers, how can I change them?

    I can not remember my security question answers, is there a way to change them, I want to purchase apps and I can not because I can't answer the security questions.

    You need to ask Apple to reset your security questions; this can be done by clicking here and picking a method, or if your country isn't listed, filling out and submitting this form.
    They wouldn't be security questions if they could be bypassed without Apple verifying your identity.

  • I can not remember my security questions and it will not let me reset

    I can not remember my security questions and it will not let me reset

    You need to ask Apple to reset your security questions; this can be done by clicking here and picking a method, or if your country isn't listed, filling out and submitting this form.
    They wouldn't be security questions if they could be bypassed without Apple verifying your identity.

  • Acwebsecagent: Connection : Auth key is not provided, bypassing towers. CMode : 2 TMode : 0

    I am getting a lot of these errors in the Console. It may mean nothing (and looking there is like staring into a dark deep abyss for me: VERTIGO)
    11/19/11 10:55:26.417 AM acwebsecagent: Connection : NULL license/public key provided
    11/19/11 10:55:26.417 AM acwebsecagent: Connection : Auth key is not provided, bypassing towers. CMode : 2 TMode : 0
    11/19/11 10:55:28.758 AM acwebsecagent: Connection : NULL license/public key provided
    11/19/11 10:55:28.758 AM acwebsecagent: Connection : Auth key is not provided, bypassing towers. CMode : 2 TMode : 0
    11/19/11 10:55:31.431 AM acwebsecagent: Connection : NULL license/public key provided
    11/19/11 10:55:31.431 AM acwebsecagent: Connection : Auth key is not provided, bypassing towers. CMode : 2 TMode : 0
    11/19/11 10:55:44.727 AM acwebsecagent: Connection : NULL license/public key provided
    11/19/11 10:55:44.727 AM acwebsecagent: Connection : Auth key is not provided, bypassing towers. CMode : 2 TMode : 0
    11/19/11 10:55:48.208 AM acwebsecagent: Connection : NULL license/public key provided
    11/19/11 10:55:48.208 AM acwebsecagent: Connection : Auth key is not provided, bypassing towers. CMode : 2 TMode : 0
    11/19/11 10:55:48.413 AM acwebsecagent: Connection : NULL license/public key provided
    11/19/11 10:55:48.413 AM acwebsecagent: Connection : Auth key is not provided, bypassing towers. CMode : 2 TMode : 0
    Does this mean something?
    (I recently played around with rSync and wonder if it is related to that.)
    thanks

    Not sure that is it:
    JIPs-MacBook-Air:~ jport$ sudo /opt/cisco/anyconnect/bin/websecurity_uninstall.sh
    Password:
    Uninstalling Cisco AnyConnect Web Security Module...
    mv: rename /opt/cisco/anyconnect/bin/plugins/libacwebsecapi.dylib to /opt/cisco/anyconnect/libacwebsecapi.dylib: No such file or directory
    mv: rename /opt/cisco/anyconnect/bin/plugins/libacwebsecctrl.dylib to /opt/cisco/anyconnect/libacwebsecctrl.dylib: No such file or directory
    Successfully removed Cisco AnyConnect Web Security Module from the system.
    JIPs-MacBook-Air:~ jport$
    Not sure how it could remove what it never found!
    But the acwebsecagent error appears to have vanished, at least for now (before this attempt at uninstalling); hadn't checked recently but it's not in the logs
    What IS appearing is this
    10/10/12 8:51:11.533 AM acvpnagent[100]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 400 Invoked Function: getProfilePath Return Code: -31391739 (0xFE210005) Description: CERTSTORE_ERROR_NULL_POINTER
    Is that related?

  • Regarding Applying SAP Note 820622

    Hi,
    Can anyone pls let me know whether applying this SAP Note 820622 is suggestible in Production XI Server or not?
    Regards
    Vamsi

    Thanks Michal,
    When our SAP Security person ran Early Watch reports for PX1, they showed a critical error related to a reorganization job.
    Then they found this SAP Note and are reviewing whether to apply it; is there any harm?
    So now I can suggest that they apply this Note...
    Thanks so much
    Regards
