Dear Sir / Madam,

During our annual disaster recovery drill (which try to restore a dual stack netweaver environment from one server to another server, using system copy), We found that the netweaver platform can successfully start off - ASCS, SCS, ABAP server, but failed to start off its Java server.

From "dev.jstart", we see something like :

F  [Thr 10624] *** LOG => Process collector started (pid 7384).

F 

F [Thr 10624] Tue Oct 20 18:07:38 2015

F  [Thr 10624] *** LOG => Process server0 stopping (pid 7320).

F 

F [Thr 8788] Tue Oct 20 18:07:38 2015

F  [Thr 8788] *** LOG => Signal 13 SIGCHLD.

F  [Thr 10624] *** LOG => Process server0 stopped (pid 7320).

F  [Thr 10624] *** WARNING => Node server0 failed: result 1, exit code 2150. [sfxxnode.hpp 1024]

From stdout.server0, we see below :

Hallo,

Recently we did the upgrade to 7.4 (ECC and EP). After the upgrade from time to time there is build up of Http sessions.

The amount of sessions that are being created, if not manually terminated on time (SM04), start to block the whole system.

When started most of the times it takes an hour for it to stop generating sessions. Sometime sooner and sometime later.

The rdisp/plugin_auto_logout and rdisp/gui_auto_logout are both set to 3600.

I know there is not much info to go about but maybe somebody has experienced this behavior before.

If so how was it resolved?

Thank you!.

Kind Regards.

J

*** WARNING => IcmSendRq: resources of ABAP server exhausted

*** ERROR => IcmCreateDpRequest: Server overload

Dear Experts,

TMS: Check Transport Tool ended with error

This is tp version 380.38.89 (release 722, unicode enabled)

ERROR: Connect to EC1 failed (20151023144446, probably wrong environmenment).

TRACE-INFO: 1:  [     dev trc,00000]  Fri Oct 23 14:44:45 2015

TRACE-INFO: 2:  [     dev trc,00000]  DlLoadLib success: LoadLibrary("dbmssslib.dll"), hdl 0, addr 0000000186CA0000

TRACE-INFO: 3:  [     dev trc,00000]      using "E:\usr\sap\EC1\DVEBMGS

TRACE-INFO: 4:  [     dev trc,00000]  Thread ID:976

TRACE-INFO: 5:  [     dev trc,00000]  Thank You for using the SLODBC-interface

TRACE-INFO: 6:  [     dev trc,00000]  Using dynamic link library 'E:\usr\sap\EC1\DVEBMGS00\exe\dbmssslib.dll'

TRACE-INFO: 7:  [     dev trc,00000]  7220 dbmssslib.dll patch info

TRACE-INFO: 8:  [     dev trc,00000]    SAP patchlevel  0

TRACE-INFO: 9:  [     dev trc,00000]    SAP patchno  13

TRACE-INFO: 10:  [     dev trc,00000]    Last MSSQL DBSL patchlevel 0

TRACE-INFO: 11:  [     dev trc,00000]    Last MSSQL DBSL patchno    12

TRACE-INFO: 12:  [     dev trc,00000]    Last MSSQL DBSL patchcomment Memory leak of DSQL cursors (2211549)

TRACE-INFO: 13:  [     dev trc,00000]  ODBC Driver chosen: SQL Native Client native

TRACE-INFO: 14:  [     dev trc,00000]  Network connection used from CCIVSRV005 to (local) using tcp:(local)

TRACE-INFO: 15:  [     dev trc,00000]  Fri Oct 23 14:44:46 2015

TRACE-INFO: 16:  [     dev trc,00000]  Network connection used from CCIVSRV005 to (local) using tcp:(local)

TRACE-INFO: 17:  [     dev trc,00000]  Network connection used from CCIVSRV005 to (local) using tcp:(local)

TRACE-INFO: 18:  [     dev trc,00000]  Driver: SQLNCLI.DLL Driver releaease: 09.00.3042

TRACE-INFO: 19:  [     dev trc,00000]  GetDbRelease: 09.00.3080.00

TRACE-INFO: 20:  [     dev trc,00000]  GetDbRelease: Got DB release nummbers (9,0,3080,0)

TRACE-INFO: 21:  [     dev trc,00000]  i'm dbo but there exists 1 users <> dbo with tables SVERS ==> connect terminated

Please help.

Thank you.

BR,

Fadzly Iqbal

Hello Experts,

We need to create a seld-signed SSL Standard Server certificate with a Subject Alternative Name. Our system is ECC6 with EHP6 and SPS12 and we can see the Subject Alternative Name field in the SSL certificate which we generate, but we are not sure how do we generate it

Can you please help here?

Regards,

Diptee

About a month ago, I was questioned about password hash algorithms, as the questioner attended to the SEC105 TechEd session (SAP Runs SAP: How to Hack 95% of all SAP ABAP Systems and How to Protect).

Before answering I decided to go through SAP note 1458262 (ABAP: recommended settings for password hash algorithms).

What I did

First I had a look at table USR02, in client 001:

For testing purposes, I disabled the password for the last user ID in the list:

Then I executed report CLEANUP_PASSWORD_HASH_VALUES:

USR02 after report's execution:

After setting an initial password for the third user (bottom to top of the list):

And after the password was changed by the user:

Conclusions

My experiment was conducted in a standalone ABAP system. For systems that are part of a CUA, additional steps are required.

The report is very useful, making your system more secure - note that the report recommends an action: enforce the usage of stronger passwords. This will lead to password changes (a SM50 logon trace, per SAP note 495911, will show what happens behind the scenes).

After executing the report, you can find at least 3 "categories" in USR02:

• Password disabled users, with the following entries:

BCODE = 0000000000000000

CODVN = X

PASSCODE = 0000000000000000000000000000000000000000

PWDSALTEDHASH = blank

• Users with PWDSALTEDHASH filled:

BCODE and PASSCODE as above

• Users with PASSCODE filled:

BCODE as above, PWDSALTEDHASH blank and CODVN = F.

For the last case, the code version F means:

suboptimal, records with 7.00/7.01 hash value found

so a hash password is already in place.

It is important to realize that the report solely delete existing (duplicate weaker) hashes but cannot create new ones, for this the report would have to know the passwords.

In case the "strongest" password hash of some users are passcode then this is because of the time when they were entered the system created those.

If you would like to have only pwdsaltedhash passwords, then the system administrator would have to provide new passwords for all users with codvn=F.

There is no automated change for this, as the password is unknown.

References

SEC105 – SAP Runs SAP: How to Hack 95% of all SAP ABAP Systems and How to Protect

SAP note 2467 - Password rules and preventing incorrect logons

SAP note 495911 - Logon problem trace analysis

SAP note 862989 - New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0)

SAP note 1023437 - ABAP syst: Downwardly incompatible passwords (since NW2004s)

SAP note 1237762 - ABAP systems: Protection against password hash attacks

SAP note 1458262 - ABAP: recommended settings for password hash algorithms

We can use report SSF_ALERT_CERTEXPIRE to check for expired certificates in PSEs (or certificates that are about to expire):

The expected message is an email containing the PSE name that needs to be analyzed:

It is possible that, given a configuration issue, the actual message is not valid:

This can be resolved by using transaction code ALRTCATDEF.

After double clicking "Security-Relevant Alerts", the properties present "Expiry of Certificates (SNC, SSF, SSL...)".

The messages are defined in tab "Long and Short Text":

If there are red lights in "Short Text (SMS, Pager)" and "Long Text (E-Mail, Fax)", then this is the reason for the incorrect message.

It is necessary to edit it (clicking "Display/Change" button in the toolbar), adding:

"...

Certificate expires in &DAYS& in system &SYS& (PSE type > &PSE&)

..."

for the first (short text):

And:

"...

The system determined that a certificate of PSE type >&PSE&<(administered by system &SYS&) expires in &DAYS&.

You must extend or renew this certificate immediately.

Run the report SSF_ALERT_CERTEXPIRE. This report produces a list of all installed certificates, together with their expiration dates.

Alternatively, call transaction STRUST. The message displayed contains the PSE type (a node) in which you can find the certificate in question.

..."

for the second (long text):

The issue is resolved.

References

SAP note 572035 - Warning about expired security certificates

SAP note 588297 -  Warnings about security certificates in the system logs

Database was restored and I tried to redownload/reimplement SAP NOTE 2150018 but the error below appeared:

I checked in SE03 and it is already present. I tried to delete it but the below error appeared:

Really appreciate any help! Thanks in advance!

A few days ago I saw (and answered) a question related to how to create a SSL server PSE with SAN.

Since via STRUST it is not possible, the alternative is using the command line tool, sapgenpse.

It is necessary to use version 8.4.42 (or higher), so the Subject Alternative Name can be added. More details can be found in point 4 of SAP note 2209439.

A quick test:

sapgenpse gen_pse -s 2048 -a sha256WithRsaEncryption -p SAPSAN.pse -k GN-dNSName:myehp7system.mydomain.com

Please enter PSE PIN/Passphrase: *********

Please reenter PSE PIN/Passphrase: *********

get_pse: Distinguished name of PSE owner: CN=vertigo.mydomain.com, OU= SAP Active Global Support,OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP= Rio Grande do Sul, C=BR

Certificate Request:

  Signed Part:

    Subject     :CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR

    Key:

      Key type    :rsaEncryption (1.2.840.113549.1.1.1)

      Key size    :2048

    Attributes:

      element#no="1":

        Type        :extensionRequest (1.2.840.113549.1.9.14)

        Value 1:

          Alternative names:

            Significance:Non critical

            Value:

              element#no="1":

                GeneralName :GN-dNSName:myehp7system.mydomain.com

  Signature:

    Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)

    Signature bits ( size="2048" ):

PKCS#10 certificate request for "SAPSAN.pse":

-----BEGIN CERTIFICATE REQUEST-----

...

-----END CERTIFICATE REQUEST-----

Importing the response:

sapgenpse import_own_cert -c cert.p7b -p SAPSAN.pse

CA-Response successfully imported into PSE "SAPSAN.pse"

Checking the content:

sapgenpse get_my_name -p SAPSAN.pse

Subject               :   CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR

Issuer                :   ...

Serialno              :   ...

KeyInfo               :   RSA, 2048-bit

Validity  -  NotBefore:   ...

             NotAfter :   ...

KeyUsage              :   digitalSignature keyEncipherment

ExtKeyUsage           :   ServerAuthentication ClientAuthentication

SubjectAltName        :   GN-dNSName:myehp7system.mydomain.com

Time to open the PSE via STRUST, saving it as the SSL server PSE identity.

I created a new server identity, for testing purposes (Environment -> SSL Server Identities):

I used option File to open the PSE created:

Finally, I used menu PSE -> Save as..., to replace the current PSE by the one created using sapgenpse:

The result: a SSL server PSE with SAN:

help me solve this problem, I want to know the reason,like the picture error

Hi all,

Good day...!!

Our management want to restrict multiple gui logons of some users in our system. I created the parameter "login/disable_multi_gui_login" in RZ10, but in one single line only 21 entries is allowing

I want to add more users . How should i add ?

I searched in net about this, but all results are explaining about the disabling of multiple logons.

Please help on the above matter....

Regards

Praveen

Dear Experts,

we have ADS configured from ABAP to Java system but

"fp_test_00" is giving com.adobe.ProcessingException(200101) error for any selected OUTPUTDEVICE.

     A.  HTTP RFC is giving error 403 FORBIDDEN

     B. In VISUAL ADMINISTRATOR ->  destination ->  HTTP service FP_ICF_DATA_<SID>  giving HTTP Ping Error 404.

Any help much appreciated.

Kind Regards,

Domnic.

Hi Guys,

I am facing an issue with certain background users.

when these users try to send email to some recipient, sender email address comes as SAPUSER@default-domain.

I am facing this issue in 2 scenario. one while send email notification during PO release strategy using workflow. In this case sender email id shown is

WF-BATCH@default-domain. where in it has to be the one maintained in SU01.

In second scenario I have scheduled few background jobs. On execution of these jobs I send Email to few recipient. In this case the sender ID shown in Email is SAPUSER@default-domain. wherein it has to be the one maintained in SU01.

Kindly advice if any one has faced same issue in past.

Regards,

Bhawarlal C

Hello !

I have a question about performance monitoring in ST03 / STAD.

I thought that "GUI time" only applies to Dialog Task type, but now I see that for Task type RFC this timeis also notequal to zero.

Also in some STAD records for program "RFC" GUI time isn't 0. It seems to methat this happenswhen the RFC destination is NONE.

An example ofsuch a record:

 

What is "GUI time" in this record ?

Hello Experts,

I am not able to test my webdynpro application. When i test it is ended with blank page with warning as 'Invalid Argument' . Can you please any one help me to fix this issue.

I am using SAP IDES with Virtual Box.

Thanks and Regards,

Jayakumar Mani.

HI Experts,

I needed to schedule a job today, and during implementing found and issue/interesting question and would like to ask your help on this.

So the situation is the following:

- i scheduled a job what will run periodically (once per month) and will responsible for Close (open) Period for Material Master Records (MMPV)

- used RMMMPERI and saved variant etc.....

My main question/issue is that: I wanted to schedule this job in such a way as it will run the last day of every month. Since not each month contains 31 days (for example february has just 28 days next year) so i can not enter into the date field e.g.: 31.11.2015 and set it to run periodically becuase if i think well (correct me if i am wrong) this job will not run in february 2016 since february has just 28 days.

Anyway i have scheduled the job to run 28. 10.2015 at 23:50 and set it to run periodically ( there is no month what contains less than 28 days) so it will run in case of month contains 30,31 or 28 days.

So all in all my question is:

- is there any option to schedule a job in such a way as it runs the last day of every month without reference to that how many days the month contains ?

Many thanks in advance,

Br David

Hello community,

I have a simple scenario where the Web Dispatcher should forward incoming HTTP/HTTPS call to a HTTPS endpoint on external system.

I have tried to setup the demo scenario just by defining the system as follows:

wdisp/system_0 = SID=EXT, EXTSRV=https://www.google.com, SRCSRV=*:443

Now when I connect to the web dispatcher via HTTPS/443 I get 500 Dispatching Error:

I have read that HTTPS to external systems was not possible in earlier Kernels so we did an upgrade and not the Kernel is 740, Patch Number 42 and the issue still persists.

The complete profile is as follows:

SAPSYSTEMNAME = WD1
SAPGLOBALHOST = webdispatcher
SAPSYSTEM = 00
INSTANCE_NAME = W00
DIR_CT_RUN = $(DIR_EXE_ROOT)\$(OS_UNICODE)\NTAMD64
DIR_EXECUTABLE = $(DIR_CT_RUN)
DIR_PROFILE = \\webdispatcher\sapmnt\WD1\SYS\profile
_PF = $(DIR_PROFILE)\WD1_W00_wdf-ci-disp
SETENV_00 = PATH=$(DIR_EXECUTABLE);%PATH%
_WD = $(DIR_EXECUTABLE)\sapwebdisp$(FT_EXE)
Start_Program_00 = local $(_WD) pf=$(_PF)
ssl/ssl_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
sec/libsapsecu = $(ssl/ssl_lib)
ssf/ssfapi_lib = $(ssl/ssl_lib)
DIR_INSTANCE = C:\usr\sap\WD1\W00
SETENV_01 = SECUDIR=$(DIR_INSTANCE)/sec
icm/server_port_0 = PROT=HTTP,PORT=81$$
icm/server_port_1 = PROT=HTTP,PORT=8200
icm/server_port_2 = PROT=HTTPS,PORT=443
icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),PORT=81$$,443
wdisp/system_0 = SID=EXT, EXTSRV=https://www.google.com, SRCSRV=*:443
icm/max_conn = 500
icm/max_sockets = 1024
icm/req_queue_len = 500
icm/min_threads = 10
icm/max_threads = 50
mpi/total_size_MB = 80
is/HTTP/show_detailed_errors = true
icm/HTTP/logging_0 = PREFIX=/, LOGFILE=access_log-%y-%m, MAXSIZEKB=10000, SWITCHTF=day, LOGFORMAT=SAPSMD
wdisp/HTTP/max_pooled_con = 500
wdisp/HTTPS/max_pooled_con = 500
ssl/server_pse = C:\usr\sap\WD1\W00\sec\SAPSSLS.pse
ssl/client_pse = C:\usr\sap\WD1\W00\sec\SAPSSLC.pse

Hoping for some advice,

Best regards,

Ilja.

Hi , I'm new in basis performance administration

We have a problem in our production server , slow system , we have page_out in red , what need to do??

I appreciate help,

regards.

hi experts,

we installed long back bi server in windows 2003 on vm were.but we forgot the password.we are using db as oracle.

i tryed by changing the parameter login/no_automatic_login_sapstar=0 and restarted the instance.but even though i am unable to login that.can any one guide me how to unlock them if any alternate procedure is available. we dont know even the other users also in this server.it's completely locked is there any possibility to unlock at least 001 client.

thanks&regards

kishore

Dear expert

There is a way to find history of  WP?

Forexample ifbetween 07 - 08  I had freewp?freeDIA?in SAP system.

Thanks

Naor

Dear all,

In our BI many messages in system log(sm21) which following type:

Missng:TSL1TE,BI1):_REPAIR_FF_MISMATCH-05- QCUBE:LE

Missng:TSL1TE,BI1):_REPAIR_FF_MISMATCH-05- CACHE:-E

Missng:TSL1TE,BI1):_REPAIR_FF_MISMATCH-02- CACHE:E8

Missng:TSL1TE,BI1):_REPAIR_FF_MISMATCH-05- QCUBE:-E

I know that language-dependent table TSL1T contains system log messages. These

messages may occur if the syslog message does not exist in the logon

language.

In the se92 i cant find  Message BI1, only BI0. Can anybody know how to solve this issue?