UME vs ABAP Security for VIRSA

Similar Messages

• How to create ABAP Proxy for SSL secured ABAP Service

  Hi guys,
  I try to set up transport security for my ABAP web service. The service should be called via a ABAP Proxy.
  These are my steps to create the ABAP web service:
  1. Create function module (se80)
  2. Create web service (web service definition) (service wizard)
  2.1 Authentication = STRONG
  2.2 Transport Guarantee = BOTH
  3. Activate service (wsconfig)
  4. Control service (wsadmin)
  Afterwards I tried to create the proxy but when I add the WSDL URI I always get an
  HTTP error (return code 407, message "ICM_HTTP_SSL_ERROR")
  I tried to find a "How to" but I was not successfull. Also the saphelp http://help.sap.com/saphelp_nw04/helpdata/en/65/6a563cef658a06e10000000a11405a/frameset.htm was not helpful for me.
  Hopfully you can help me! Every comment is appreciated!
  Regards

  I advise to have a look into the ICM trace file (dev_icm) - either by using ABAP transaction ST11 or SMICM.
  There you should find error details. Most likely it's about the "chain verifier" complaining that he's unable to verify the certificate of the communication peer.
  In that case [SAP Note 1094342|https://service.sap.com/sap/support/notes/1094342] might be helpful.

• What are the pros and cons of installing java+abap stack for portal?

  Hi all,
    1.What are the pros and cons of installing java+abap stack for portal?
    2.what effect it does on the ume options to be choosen??
    3.for the purpose of integration of r3,bw and crm on portal and crm 4.0 60.2.3 business package which option of stack(java or abap or both)will be good option and which ume option while installation should be choosen?
  regards
  Rajendra

  Hi Rajendra,
  The NetWeaver Installation Master Guide offers some good scenarios on the pros and cons:
  https://websmp201.sapag.de/~sapidb/011000358700005412792005E.pdf
  In a nutshell:
  ABAP+JAVA
  Pros
  - Decrease # of servers required to administer the portal
  - Less costly
  Cons
  - Upgrades could be dependent on ABAP and Java release level
  - Additional load on the server due to ABAP stack
  - Limited scalability
  JAVA and ABAP on separate server
  Pros
  - Improved performance
  - Allows each system to be single-use purpose therefore downtime does not affect other components
  - More scalable
  Cons
  - Adds complexity to landscape
  - Additional costs
  Regards,
  Thomas Pham

• ABAP Tutorials for SSF_SIGN and SSF_VERIFY?

  Are there any ABAP tutorials for the SSFG function group function modules.  Especially SSF_SIGN and SSF_VERIFY?
  Thank you,
  Dean Atteberry.
  Edited by: Dean Atteberry on Jan 21, 2009 11:25 PM

  If the FM is not released, then any "tutorial" you might find would only be as reliable as the FM itself (particularly it's interface).
  Perhaps what you are looking for is FM [SSFT_PPPI_SIGN|Is it possible to use SNC and SSF together ?;?
  Note that I have a development request open on this function, but I hope that the interface will remain stable and only the existing "auth_method" (cannot remember the exact name) will be enhanced within the FM coding to make it more configurable.
  The reason for this relates to Single-Sign-On, in which case it is advisable to delete the ABAP password. But then the FM cannot work locally, and using the remote option is too confusing for the user as they cannot be expected to know where they are authenticating, as they innocently logged on (the opposite of what this method was intended to solve in the olden days).
  What I am hoping for, is that SAP will provide a secure LDAP bind to verify the signature (or at least add a configurable custom method to add custom coding to verify the authenticity of the caller).
  My understanding of interpretations of legal reasons, is that just clicking somewhere is not enough (even if it is unintuitive - which some cell phones are as well...).
  Cheers,
  Julius

• SAP Role Security for BSP

  Hello Experts,
  I am developing BSP application in BW Environment for some custom table maintenance which doesn't involve Portal.
  I call the BSP Application with "CALL_BROWSER" FM from Programs.They want to control the access to the users based on Role or Auth Objects or others inside the system.
  Because, if some user knew the URL for the BSP the security is pretty open.
  Is there anyway to do security for BSP based on roles?
  Best Regards
  Arun Prasad

  Hi,
  Here are the step:
  1. Create the Role in PFCG with following detail Auth Obecjt:
  2. Create the Authorization Check for ICF Access Internet communication Framework (S_ICF) & with Field ID is <b>ICF_FIELD</b>. Chcek the checkbox <b>SERVICES</b>. For the same Auth Object create another Field ID "<b>ICF_VALUE</b>", here assign you BSP Application ID lets say MYBSP.
  3. Then goto <b>SICF</b> transaction, goto your BSP Application node, undere service data mention this ID as MYBSP against SAP Auth.
  4. Now you need to check Auth obejct before calling the FM CALL_BROWER the way you do if for normal ABAP Report.
  Hope this will solve your problem. Let me know if you have any questiion.
  <i>* Reward each useful answer</i>
  Raja T
  Message was edited by:
          Raja T

• SAP ABAP secure coding related training session

  Hi Experts,
  Do you know of any training or code jams provided by SAP for organizations related to SAP ABAP secure coding?

  Thanks Alex for your reply.
  The course and goals look perfect.
  But I was looking for something that could be arranged in my company's Mumbai(India) office.
  Can anyone help me with any classroom/virtual training or Code Jams related to secure ABAP programming.

• Java UME to ABAP backend

  Can java UME support multiple ECC ABAP backends?
  I looked at the UME configuration for a java instance and it seems as though there is a one to one relationship.
  Is this a truly 1:1 relationship in UME - ABAP configuration.
  Thanks
  Weyland Yutani

  That is strange advice...
  CUA master is an ABAP logical system and Java SID is not client capable, it is the logical system itself. So it is 1 Java : 1 ABAP from the view of Java and n : 1 from the view of ABAP (with ALL consequences associated to it!)
  If you add Logon Tickets to the scenario then you have 1 : 1 <--> 1 --> n (where n is anything) but I don't think that is Weyland's question, so my answer is irrelevant here.
  Perhaps you are refering to the "circus solution" of creating an ABAP client for each Java system and provisioning them from the CUA?
  That is however not a solution, but rather more like a Chuck Norris fighting against a fleet of battleships (except with a more realistic ending...
  Enjoy the weekend,
  Julius
  Edited by: Julius Bussche on Aug 20, 2010 9:37 PM

• How to point UME to ABAP..

  Hi friends,
  I have configured UME to ABAP system....UME has to point to ABAP.
  I have done some steps through visual adminsitrator->UME Provider
  Under UME provider i have provided certain details like abap hostname, abap client number, sapjsf user.
  in ABAP Side, i have created roles SAP_BC_JSF_COMMUNICATION and SAP_J2EE_ADMIN for sapjsf user and profiles SAP_ALL and SAP_NEW.
  Apart from these what else has to be done in both java and abap side? I have gone through many forums but i dint find exact stuff that i needed.
  If everything is done, how to check whether UME has pointed to ABAP?
  please suggest.
  Thanks,
  KK

  Hello,
  My advice is to first check for the documentation instead search in forums:
  http://help.sap.com/saphelp_nw70/helpdata/en/9e/fdcf3d4f902d10e10000000a114084/frameset.htm
  If you've performed the steps as described there, your UME is correctly pointing to the ABAP client.
  Cheers,
  Diego.

• How to do security for query VIEW - BI 7

  Hi,
  I have created several query VIEWs and for some reason users can change the query VIEWs i created.
  How can i do security for VIEW making sure nobody will change them?
  I am using BI 7 and portal 7 as well.
  Thanks for your help.
  Cesar

  Hi there, I have the same concern.
  I have been trying to play around with object RSZCOMPID, restricting activities on QVW (query views)
  Activity                       03, 16                                                                      ACTVT
  InfoArea                       Z*                                                                          RSINFOAREA
  InfoCube                       *                                                                           RSINFOCUBE
  Name (ID) of a reporting compo Y, Z                                                                      RSZCOMPID
  Type of a reporting component  CKF, REP, RKF, SOB, STR, VAR                                                RSZCOMPTP
  Apparently there is a bug, or a higher level more permissive that is constantly allowing the related role to overwrite or create new views.
  Furthermore, we cannot troubleshoot with SU53 in the ABAP stack, since RSRT does not offer the creation of views. Only way to test this is either BexAnalyzer (which only saves user views, no tech name), or the Portal >> this is where my issue is.
  If anyone has a solution, would be greatly appreciated !
  Thanks
  Thierry

• Needs sample ABAP code for field routine

  Dear Expert,
  There is a field "Pay Scale Group" in my DSO which stores the data in the format
  AA1/B1/CCC2/DD2/EEE1, A1/BB2/CC2/DDD3/EE2 etc. These data has to be transferred to
  InfoCube where "pay Scale Group" in the InfoCube will store the data like EEE1,EE2 etc.
  I need to write a field routine on the transformation between DSO and Cube.
  Can any one please help me with the sample ABAP code for this scenario.
  Some more examples for better understanding of the requirement:-
  Data in DSO(Source)            Data in Cube(Target)
  ===================            ===================
  AA1/B1/CCC2/DD2/EEE1            EEE1
  AAA1/BB2/CC1/DDD3/EE2           EE2
  A2/BBB2/CC2/DDD3/EEE5           EEE5
  AA2/BB1/C1/DDD3/EE3             EE3
  A3/B1/CC2/DDD1/EE4              EE4
  Many thanks in advance.
  Regards,
  Prakash
  Please do not dump your code requirements in SDN
  Edited by: Pravender on May 18, 2011 11:37 AM

  Hi,
  You can use the following code :
  Suppose the technical name of the field coming from DSO is ZPAY_SGRP.
  And also for example let me take one record, that is ZPAY_SGRP = AA1/B1/CCC2/DD2/EEE1 .
  My assumption is that there will always be 4 '/'.
  In the field routine write the below code
  data: V1(5) type c,
            V2(5) type c,
           V3(5) type c,
            V4(5) type c,
           V5(5) type c.
  data : VAR1 TYPE /BIC/OIZPAY_SGRP.
  split VAR 1  at '/' into V1 V2 V3 V4 V5.
  result = V5.
  V5 will be having the characters after the last '/' .That is V5 = EEE1.
  Hope the above reply was helpful.
  Kind Regards,
  Ashutosh Singh
  Edited by: Ashutosh Singh on May 17, 2011 3:53 PM
  Edited by: Ashutosh Singh on May 17, 2011 4:17 PM

• ABAP code for BI 7.0 transformations start routine

  Hi all,
  I am trying to update data from DSO1 (Source1: transaction data) to Infocube(TARGET)
  In the transformations Start routine, I have to read DSO2(Source2: Master data) for some fields.
  DSO1 has CUSTOMER as part of key
  DSO2 has CUSTOMER (key) and other fields....FIELD1, FILED2, FIELD3
  Infocube to be updated with FIELDS1,2 & 3 WHILE READING DSO2.
  WHERE DSO1 CUSTOMER matches with DSO2 CUSTOMER.
  Also, data NOT TO BE UPLOADED into Infocube if FIELD1 in DSO2= NULL
  Please give me the abap code for the above logic.
  Appreciate any help in this regard.
  Thanks.

  This is a doc from this site:
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/6090a621-c170-2910-c1ab-d9203321ee19
  Ravi Thothadri

• Error while "Enabling Security for Oracle Management Service"

  Hi,
  I have installed OEM 10GR1 on Solaris 9. I am using 9.2.0 database for repository.
  My first installation of OEM and agent went smoothly, and everything was working fine.
  Then, I tried to follow configurating security for Grid Control Framework. I got following error:
  /oracle/app/oracle/product/10gEM>cd bin
  /oracle/app/oracle/product/10gEM/bin>./emctl secure oms
  Oracle Enterprise Manager 10g Release 10.1.0.3.0.
  Copyright (c) 1996, 2004 Oracle Corporation. All rights reserved.
  Enter Enterprise Manager Root Password :
  Enter Agent Registration password :
  Enter a Hostname for this OMS :
  Checking Repository... Done.
  Checking Repository for an existing Enterprise Manager Root Key... Done.
  Generating Enterprise Manager Root Key (this takes a minute)... Done.
  Fetching Root Certificate from the Repository... Done.
  Generating Registration Password Verifier in the Repository... Done.
  Generating Oracle Wallet Password for Enterprise Manager OMS... Done.
  Generating Oracle Wallet for Enterprise Manager OMS...Missing /oracle/app/oracle/product/10gEM/sysman/wallets/oms.uxtora1/ewallet.p12
  :/oracle/app/oracle/product/10gEM/bin>
  Please help.

  Thanks for response. I had temp space full issue with repository database. After bouncing database, the temp tablespace became empty, and the secure operation went smooth.

• " plug-in name does not support the highest level of security for Safari plug-ins" appear for some plugins in Safari Security "Manage Website Settings"?

  Hi,
  Wondering why "<plug-in name> does not support the highest level of security for Safari plug-ins" appear for some plugins in Safari > Security > "Manage Website Settings"?
  Have been trying to get to the root cause of the problem but did not find much on this. I am trying to figure out what can get the warning to go away completely than using the Allow/Always Allow options for the plug-in
  Thanks,
  Shyam

  Hi Linc,
  Thank you for your response. Here is the screenshot of the warning that I am talking about.
  Here is what I do:
  1. Launch Safari and open its Preferences. I have Safari 7.1 installed on my machine.
  2. Click Security Tab and click Manage WebSite Settings
  3. A window opens showing me all the Plug-ins that I have (listed on the left hand side).
  4. One of them is the Adobe Reader plug-in. When I click Adobe Reader, the following details about the plug-in show up on the right
  I was referring to the highlighted section that warns me about this plug-in not using the highest level of security for Safari Plug-ins.
  Note: I do not see this for all my plug-ins (QuickTime, Adobe Flash Player don't give me this warning) which tells me that there is a way to make the warning go away.
  Thanks again,
  Shyam

• Security for creating web templates using web application designer

  I work for ChevronTexaco as a BW Security Analyst. I have a request to set up roles for web template creation using the Web Application Designer. Where can I get help in setting up the security for these types of roles? My experience is in setting up roles for running and creating queries in BEX. I need to know what additional authorizations will enable web template creation. Setting up a trace in ST01 has been less than helpful since it dumps out tons of RS_COMP tracing that doesn't help me much.
  The user wants to be able to create web templates for existing queries in BEX and restrict by rs_comp infocubes/areas/reportid, etc. and to be able to save to restricted role names. Are there new auth groups specific to this type of activity that I need to code for in addition to the basic end user or report builder authorizations?
  Any help would be greatly appreciated.
  Jeff Ehritt
  925 827-6012
  ChevronTexaco

  Thanks Marc, I'll check it out. My problem was that I was trying to create the role by granting a userid sap_all, sap_new and s.a_system as well as power user auths for a specific application. I set up a trace in ST01 for authorization cking on the ID while one of our BW Central Support people went into Web Designer to create a template and everything else they wanted to do.
  The resulting trace spewed out so much stuff from S_RS_comp and comp1 as to be virtually useless since it named scores of different cubes and infoareas that the analyst wasn't even interested in. The results puzzled me and made it extremely difficult to pin down the required authorizations. Usually ST01 can be used as a blueprint to create the role,ie; everything that the user touches is traced but no more than that. Have you seen this before? With just the new role I had set up the user could not save to a role unless I coded the fully qualified role name such as YRH_SENDAT_USER. YRH* would not work.
  Thanks,
  Jeff Ehritt
  ERP COE SAP BW Security

• Security For BW Web Application Designer

  I work for ChevronTexaco as a BW Security Analyst. I have a request to set up roles for web template creation using the Web Application Designer. Where can I get help in setting up the security for these types of roles? My experience is in setting up roles for running and creating queries in BEX. I need to know what additional authorizations will enable web template creation. Setting up a trace in ST01 has been less than helpful since it dumps out tons of RS_COMP tracing that doesn't help me much.
  The user wants to be able to create web templates for existing queries in BEX and restrict by rs_comp infocubes/areas/reportid, etc. and to be able to save to restricted role names. Are there new auth groups specific to this type of activity that I need to code for in adition to the basic end user or report builder authorizations?
  Any help would be greatly appreciated.
  Jeff Ehritt
  925 827-6012
  ChevronTexaco

  Hi Jeff,
  there are no special authorization objects for Web Templates. RS_COMP will still only work for queries, structures.... Saving to roles requires certain authorizations for the role (s_agr_*), here you can define the roles you can save templates to.
  Regards, Klaus