
SAP NetWeaver Application Server


A few days ago I saw (and answered) a question about how to create an SSL server PSE with a SAN (Subject Alternative Name).

Since this is not possible via STRUST, the alternative is the command line tool sapgenpse.

Version 8.4.42 (or higher) of sapgenpse is required so that the Subject Alternative Name can be added. More details can be found in point 4 of SAP note 2209439.


A quick test:


sapgenpse gen_pse -s 2048 -a sha256WithRsaEncryption -p SAPSAN.pse -k GN-dNSName:myehp7system.mydomain.com


Please enter PSE PIN/Passphrase: *********

Please reenter PSE PIN/Passphrase: *********

get_pse: Distinguished name of PSE owner: CN=vertigo.mydomain.com, OU= SAP Active Global Support,OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP= Rio Grande do Sul, C=BR

Certificate Request:

  Signed Part:

    Subject     :CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR


      Key type    :rsaEncryption (1.2.840.113549.1.1.1)

      Key size    :2048



        Type        :extensionRequest (1.2.840.113549.1.9.14)

        Value 1:

          Alternative names:

            Significance:Non critical



                GeneralName :GN-dNSName:myehp7system.mydomain.com


    Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)

    Signature bits ( size="2048" ):


PKCS#10 certificate request for "SAPSAN.pse":







Importing the response:


sapgenpse import_own_cert -c cert.p7b -p SAPSAN.pse


CA-Response successfully imported into PSE "SAPSAN.pse"



Checking the content:


sapgenpse get_my_name -p SAPSAN.pse


Subject               :   CN=vertigo.mydomain.com, OU=SAP Active Global Support, OU=SAP Labs Latin America, O=SAP, L=Sao Leopoldo, SP=Rio Grande do Sul, C=BR

Issuer                :   ...

Serialno              :   ...

KeyInfo               :   RSA, 2048-bit

Validity  -  NotBefore:   ...

             NotAfter :   ...

KeyUsage              :   digitalSignature keyEncipherment

ExtKeyUsage           :   ServerAuthentication ClientAuthentication

SubjectAltName        :   GN-dNSName:myehp7system.mydomain.com
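Before saving such a PSE as the SSL server identity, it is worth checking the get_my_name output mechanically rather than by eye. The script below is an added example (not part of this post and not SAP code): it parses the "Field : value" layout shown above, plus the "Signature algorithm" line that sapgenpse prints with -v -v, and reports whether the expected FQDN is present as a dNSName in the SAN, whether the RSA key is at least 2048 bits, whether ServerAuthentication is in the extended key usage, and whether a SHA-1/MD5 signature is in use. The sample output is constructed after the post's own (the hostnames are the post's; issuer, serial and dates are placeholders).

```python
"""Sanity-check 'sapgenpse get_my_name -p <PSE> -v -v' output before a PSE goes live.

Added example; not part of the original post and not SAP code.
"""
import re

# Constructed sample, modelled on the output shown in the post (hostnames are the
# post's; issuer, serial number and validity dates are placeholders).
SAMPLE_OUTPUT = """\
Subject               :   CN=vertigo.mydomain.com, OU=SAP Active Global Support, O=SAP, C=BR
Issuer                :   CN=Example Issuing CA, O=Example, C=BR
Serialno              :   01:23:45
KeyInfo               :   RSA, 2048-bit
Validity  -  NotBefore:   Mon Sep  7 00:00:00 2015
             NotAfter :   Thu Sep  7 00:00:00 2017
KeyUsage              :   digitalSignature keyEncipherment
ExtKeyUsage           :   ServerAuthentication ClientAuthentication
SubjectAltName        :   GN-dNSName:myehp7system.mydomain.com
Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)
"""

WEAK_SIGNATURE_ALGORITHMS = {"sha1withrsaencryption", "md5withrsaencryption"}


def parse_get_my_name(text):
    """Return a dict field -> value from sapgenpse's 'Field : value' lines."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = " ".join(key.split())  # collapse padding, e.g. 'Validity  -  NotBefore'
        fields[key] = value.strip()
    return fields


def san_dns_names(fields):
    """Extract the dNSName entries from the SubjectAltName field."""
    return re.findall(r"GN-dNSName:([^\s,]+)", fields.get("SubjectAltName", ""))


def key_bits(fields):
    """RSA key size in bits from the 'KeyInfo : RSA, 2048-bit' field (0 if absent)."""
    m = re.search(r"(\d+)-bit", fields.get("KeyInfo", ""))
    return int(m.group(1)) if m else 0


def review_pse(text, expected_fqdn, min_key_bits=2048):
    """Return a list of findings; an empty list means every check passed."""
    fields = parse_get_my_name(text)
    findings = []
    names = san_dns_names(fields)
    if expected_fqdn.lower() not in (n.lower() for n in names):
        findings.append(f"SubjectAltName does not contain {expected_fqdn} (found: {names or 'none'})")
    bits = key_bits(fields)
    if bits < min_key_bits:
        findings.append(f"key size {bits} bits is below {min_key_bits}")
    sig_field = fields.get("Signature algorithm", "")
    sig = sig_field.split()[0].lower() if sig_field else ""
    if sig in WEAK_SIGNATURE_ALGORITHMS:
        findings.append(f"weak signature algorithm {sig}")
    if "ServerAuthentication" not in fields.get("ExtKeyUsage", ""):
        findings.append("ExtKeyUsage lacks ServerAuthentication")
    return findings


if __name__ == "__main__":
    for finding in review_pse(SAMPLE_OUTPUT, "myehp7system.mydomain.com") or ["all checks passed"]:
        print(finding)
```

Pipe the real command output into review_pse with the FQDN that clients will actually use; the get_my_name output without -v -v has no "Signature algorithm" line, in which case that check is simply skipped.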



Time to open the PSE via STRUST, saving it as the SSL server PSE identity.


I created a new server identity, for testing purposes (Environment -> SSL Server Identities):



I used option File to open the PSE created:



Finally, I used menu PSE -> Save as... to replace the current PSE with the one created using sapgenpse:



The result: an SSL server PSE with a SAN:


We can use report SSF_ALERT_CERTEXPIRE to check for expired certificates in PSEs (or certificates that are about to expire):


The expected message is an email containing the PSE name that needs to be analyzed:



It is possible that, given a configuration issue, the actual message is not valid:




This can be resolved by using transaction code ALRTCATDEF.


After double clicking "Security-Relevant Alerts", the properties present "Expiry of Certificates (SNC, SSF, SSL...)".

The messages are defined in tab "Long and Short Text":



If there are red lights in "Short Text (SMS, Pager)" and "Long Text (E-Mail, Fax)", then this is the reason for the incorrect message.


It is necessary to edit it (clicking "Display/Change" button in the toolbar), adding:


Certificate expires in &DAYS& in system &SYS& (PSE type > &PSE&)


for the first (short text):





The system determined that a certificate of PSE type >&PSE&<(administered by system &SYS&) expires in &DAYS&.

You must extend or renew this certificate immediately.

Run the report SSF_ALERT_CERTEXPIRE. This report produces a list of all installed certificates, together with their expiration dates.

Alternatively, call transaction STRUST. The message displayed contains the PSE type (a node) in which you can find the certificate in question.


for the second (long text):



The issue is resolved.


SAP note 572035 - Warning about expired security certificates

SAP note 588297 -  Warnings about security certificates in the system logs

About a month ago, I was asked about password hash algorithms, as the questioner had attended the SEC105 TechEd session (SAP Runs SAP: How to Hack 95% of all SAP ABAP Systems and How to Protect).



Before answering I decided to go through SAP note 1458262 (ABAP: recommended settings for password hash algorithms).


What I did


First I had a look at table USR02, in client 001:



For testing purposes, I disabled the password for the last user ID in the list:






USR02 after report's execution:



After setting an initial password for the third user (bottom to top of the list):



And after the password was changed by the user:




My experiment was conducted in a standalone ABAP system. For systems that are part of a CUA, additional steps are required.


The report is very useful, making your system more secure - note that the report recommends an action: enforce the usage of stronger passwords. This will lead to password changes (a SM50 logon trace, per SAP note 495911, will show what happens behind the scenes).


After executing the report, you can find at least 3 "categories" in USR02:


  • Password disabled users, with the following entries:

BCODE = 0000000000000000


PASSCODE = 0000000000000000000000000000000000000000


  • Users with PWDSALTEDHASH filled:

BCODE and PASSCODE as above


  • Users with PASSCODE filled:

BCODE as above, PWDSALTEDHASH blank and CODVN = F.


For the last case, the code version F means:


suboptimal, records with 7.00/7.01 hash value found


so a hash password is already in place.


It is important to realize that the report only deletes existing (duplicate, weaker) hashes; it cannot create new ones, because for that it would have to know the passwords.


If the "strongest" password hash of some users is a PASSCODE, this is because that was the hash type the system created at the time those passwords were entered.


If you would like to have only pwdsaltedhash passwords, then the system administrator would have to provide new passwords for all users with codvn=F.


There is no automated change for this, as the password is unknown.
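To see which of these USR02 states a user is in, and which users the report can clean up versus which ones need a new password from the administrator, the following added example (not part of this post and not SAP's report) classifies rows by the hashes they still carry. The column names are the real USR02 ones; the user names and hash values are constructed. It goes slightly beyond the three categories listed above by also naming the two pre-cleanup states (a legacy BCODE still present, and a PASSCODE duplicated next to a PWDSALTEDHASH), which is exactly what the report removes.

```python
"""Classify USR02 rows by the password hashes they still carry.

Added example; not part of the original post and not SAP's cleanup report.
"""
from collections import Counter

ZERO_BCODE = "0" * 16      # "empty" legacy BCODE hash as it appears in the post
ZERO_PASSCODE = "0" * 40   # "empty" 7.00/7.01 PASSCODE hash as it appears in the post

# Constructed sample rows (BNAME, CODVN and hash values are invented).
SAMPLE_USR02 = [
    {"BNAME": "DISABLED1",  "CODVN": "",  "BCODE": ZERO_BCODE, "PASSCODE": ZERO_PASSCODE, "PWDSALTEDHASH": ""},
    {"BNAME": "MODERN1",    "CODVN": "H", "BCODE": ZERO_BCODE, "PASSCODE": ZERO_PASSCODE, "PWDSALTEDHASH": "SALTED-HASH-1"},
    {"BNAME": "LEGACYF1",   "CODVN": "F", "BCODE": ZERO_BCODE, "PASSCODE": "A" * 40,      "PWDSALTEDHASH": ""},
    {"BNAME": "DUPLICATE1", "CODVN": "H", "BCODE": ZERO_BCODE, "PASSCODE": "B" * 40,      "PWDSALTEDHASH": "SALTED-HASH-2"},
    {"BNAME": "OLDB1",      "CODVN": "B", "BCODE": "C" * 16,   "PASSCODE": ZERO_PASSCODE, "PWDSALTEDHASH": ""},
]


def classify_user(row):
    """Map one USR02 row to a category name."""
    bcode = row.get("BCODE", "").strip()
    passcode = row.get("PASSCODE", "").strip()
    salted = row.get("PWDSALTEDHASH", "").strip()
    has_bcode = bcode not in ("", ZERO_BCODE)
    has_passcode = passcode not in ("", ZERO_PASSCODE)
    if not (has_bcode or has_passcode or salted):
        return "password_disabled"        # category 1 in the post
    if has_bcode:
        return "legacy_bcode_present"     # weakest hash still stored; the report deletes it
    if salted and has_passcode:
        return "redundant_passcode"       # duplicate of the salted hash; the report deletes it
    if salted:
        return "pwdsaltedhash_only"       # category 2: the target state
    return "passcode_only"                # category 3 (the post observes CODVN = F here)


def summarize(rows):
    """Count users per category."""
    return Counter(classify_user(r) for r in rows)


def cleanup_candidates(rows):
    """Users whose weaker duplicate hash the report can delete without knowing the password."""
    return [r["BNAME"] for r in rows
            if classify_user(r) in ("legacy_bcode_present", "redundant_passcode")]


def users_needing_new_password(rows):
    """Users whose only hash is a PASSCODE: only a new password moves them to PWDSALTEDHASH."""
    return [r["BNAME"] for r in rows if classify_user(r) == "passcode_only"]


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_USR02)))
    print("report can clean up:", cleanup_candidates(SAMPLE_USR02))
    print("need a new password:", users_needing_new_password(SAMPLE_USR02))
```

Feed it rows exported from USR02 (e.g. via SE16) and the two lists reproduce the post's conclusion: the report handles the first list on its own, while the second list only changes when the administrator sets new passwords.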




SEC105 – SAP Runs SAP: How to Hack 95% of all SAP ABAP Systems and How to Protect

SAP note 2467 - Password rules and preventing incorrect logons

SAP note 495911 - Logon problem trace analysis

SAP note 862989 - New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0)

SAP note 1023437 - ABAP syst: Downwardly incompatible passwords (since NW2004s)

SAP note 1237762 - ABAP systems: Protection against password hash attacks

SAP note 1458262 - ABAP: recommended settings for password hash algorithms

Russell Milliner

Blog post ideas

Posted by Russell Milliner Oct 20, 2015

Would anyone be interested in reading about one of the following topics?

  • How I use Splunk to follow and monitor user traffic through Akamai to our Netweaver Java server and backend systems?
  • How I created my own java thread dashboard and alerting using Polymer, PERL, SAPControl, and JMX
  • Controlling environments with Rundeck
  • Managing Java deployments/undeployments with Jira/Jenkins/XL-Deploy
  • Load balancing/Traffic management/system monitoring using F5 LTM


If any of these sound like interesting blog post topics, let me know.

From time to time it is necessary to update the kernel. But what about finding a maintenance schedule to stop and start the system with the new kernel? Tricky... That's why I became addicted to RKS. This article tells about my experience using it.


Getting started!


The first time I read about RKS I thought it was a complicated thing. I couldn't be right. Then I found the correct steps: the SAP Help page brings all the information to setup the use of the Rolling Kernel Switch.

It is very important to consider the recommendations for using RKS, even more in a system with a lot of application servers, logon groups, batch processing and spool settings.


My experience


After following the recommendations, the adoption of RKS was smooth.


Now it is only a matter of downloading a new kernel patch level, putting it in the central executable directory, and using the SAPMMC interface:



RKS 001.jpg

Good to go:

RKS 002.jpg



RKS 003.jpg


Timeout settings:

RKS 004.jpg




RKS 005.jpg




RKS 006.jpg



Additional reading:



953653 - Rolling Kernel Switch


1104735 - Upgrade to the new Instance-Specific Directory on UNIX


2077934 - Rolling kernel switch in HA environments



There was a requirement to do a Quality System copy from Production. The SAP version was NetWeaver 7.0 and it had been installed with the earlier tool SAPINST. At that time the SID provided was not in the reserved SID list. Now the SAPINST tool is no longer available, so SWPM is the only option for doing the system copy with the database backup/restore method.


I exported the dump from the production system and uninstalled the quality system with SWPM, and everything was removed. But during the installation of the Quality system with SWPM it gave the error that <SID> is reserved for SAP.

I checked the SAP note "1979280 - Reserved SAP System Identifiers (SAPSID) with Software Provisioning Manager 1.0" and found that the <SID> of Quality system is there.


The only option was to rename the Quality system <SID>. But it is connected to lots of SAP and non-SAP third party systems, and after renaming to a new SID a lot of reconfiguration work would be needed. So I thought I would make some changes in SWPM and remove the <SID> that was blocking the installation.


So I removed the <SID> from the following .xml files after extracting the SWPM.


1. Find the files containing the <SID> with the OS command below.


find ../SWPM -type f -print -exec grep "<SID>" {} \;

(Where <SID> is the SID of the Quality system)














2. Remove the <SID> from the below .xml files.













Then I re-executed the SWPM in the Quality system with the same <SID> as before, and it proceeded further.


Please reward if you find helpful.





In our continuous endeavors to improve product supportability, we recently created a new visual, flow oriented page to support resolution of critical SAP Netweaver Application Server issues. It’s in the format of a Decision Tree in the newly revamped Client Server Technology WIKI page.


The approach looks at the landscape from the perspective of an SAP Administrator that will troubleshoot SAP Netweaver Application Server issues based on observed behaviors. Just like real life is!! It provides an end-to-end view of the system logic to support the decision process of where to go next and what to look for.


The objective is to allow NetWeaver administrators to identify errors affecting all services of an Application Server and, even more, to solve the problem. It cannot be and does not aim to be a complete documentation describing all possible error scenarios.




This is a browsable interactive tree in which actions to test every Application Server component can be found at each step, allowing you to identify the issue, resolve it and, if that is not possible, collect the right traces to submit for analysis.


Check the decision tree out in this link.







This is the sequel of my first blog, presenting a new UI interface available for SAP Web Dispatcher.

1. Prerequisites


In order to use the PSE Management in the Web Administration Interface of SAP Web Dispatcher, it is necessary to use version 7.42 of the load balancer, patch level 22 or higher.


It is necessary that the user ID used for the administration has Admin rights (set the "admin" group while creating the user ID):

WDP 05.jpg


2. Initial view


By starting the Web Dispatcher Administration page, the left hand menu presents the PSE Management link:

WDP 01.jpg

If the PSEs are already created in the $SECUDIR directory, the following screen is displayed:

WDP 02.jpg

In the example above, note that there is one certificate in the PKList.

By clicking the "Recreate PSE" button, the PSE is recreated, which allows you to use an algorithm from the SHA-2 family.


3. Recreating the PSE


The Distinguished Name needs to be entered, using the FQDN of the Web Dispatcher as the Common Name.

In the Algorithm dropdown box, it is possible to select the SHA-2 algorithm:

WDP 03.jpg

It is also possible to select the key length (usually higher than 1024 bits, as CAs are no longer signing CSRs with 1024 bits) and a PIN.

Since this is a new PSE, it is necessary to create a CSR and submit it to a CA, because the current PSE has a self-signed certificate (valid until 2038):

WDP 04.jpg

It is also necessary to import additional certificates, as the PKList is now empty.

After creating the CSR, it is possible to read its content (using a third party tool) and see:


Certificate Request:


        Version: 0 (0x0)

        Subject: CN=

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (4096 bit)



                Exponent: 65537 (0x10001)



    Signature Algorithm: sha256WithRSAEncryption




The Signature Algorithm shows the use of sha256, as selected during the PSE creation.


4. Reference Documents


Willi Eimler

Understanding saprouter

Posted by Willi Eimler Jul 8, 2015




In the past I always worked with saprouter without completely understanding the mechanism of the saprouter rules. This resulted in a saproutertab with lots of useless entries and inflationary use of *. In order to be able to use a short saproutertab it is necessary to understand the effect of a saprouter entry.

This BLOG is not a full documentation of the saprouter tool! For details please take a look at: http://sap.help.com/



The saprouter controls connections. It permits or denies a connection. This behavior depends on the rules defined in the saproutertab. A rule consists of 4 parts:


Part 1: D or P

Part 2: hostname of the starting point of a connection

Part 3: hostname of the ending point of a connection

Part 4: port





In Part 1: D stands for deny and P for permit. If you want to permit a connection from server1 to server2 on port 3255, then the rule is:


          P    server1        server2        3255


In my saproutertab I always deny all connections with:


         D    *    *    *


I put this rule at the end of the saproutertab, because it would kill all P rules if it were the first rule. Every P rule after D * * * is ignored. Then I allow each connection I want to use.


So far it is very simple. But what rules are needed to allow a connection passing through several saprouters? For this scenario I use an example with 3 saprouter hops for a connection. I describe how to maintain the saproutertab and how to test the connection with niping. In order to understand the mechanism of the following scenario it is crucial to know that saprouters communicate with other saprouters via the standard saprouter port (3299).



Scenario Port 1442

We want to communicate from Server A with Server B via port 1442. In the following picture you can see the path of communication and the Names and hostnames of each saprouter.



Now let's consider how to maintain the saproutertab:

We know:


     1.    Saprouters communicate with other saprouters via the standard saprouter port (in this case 3299).

     2.    The saprouter denies/permits connections.

     3.    The port of the addressed server is used.


With these 3 points we can maintain the saproutertab of every saprouter:



Saprouter 1

P    Host_A    Host_2        3299

D    *         *             *     

Saprouter 2

P    Host_1     Host_3       3299

D    *          *            * 


Saprouter 3

P    Host_2    Host_B        1442

D    *         *             *  


For the rules the port used on the destination host is important. For the rule in saprouter 1 the port is 3299 because saprouter 2 communicates with saprouter 1 via port 3299. With niping you can test your saproutertab entries. For the simulation of a server use:

          niping -s -I 0 -S 1442 -R -P

And for the corresponding client use:

     niping -c -H /H/Host_1/H/Host_2/H/Host_3/H/Host_B -S 1442 -R -P

I like to use the niping in raw mode, because in raw mode I can simulate communication with any port I want.


Testing with niping:

niping tests the connection via the saprouter and gives an error message when a communication is not possible. Let's change the rule in saprouter 2 from

P Host_1 Host_3     3299

to

P Host_1 nonsense   3299

and run the client again:

niping -c -H /H/Host_1/H/Host_2/H/Host_3/H/Host_B -S 1442 -R -P

Now niping will throw the following error:


The error states the information you need to repair the wrong saproutertab configuration:

     Error     Host_2: route permission denied ( Hoste_1 to Host_3, 3299)

The error states the saproutertab entry needed to permit the connection.

     P Host_1 Host_3     3299

Scenario Port 3200

Now, we want to connect to an SAP system via the three saprouters. The following picture shows this:


The 32<SysNr.> port is the SAP Dispatcher port, used by SAP GUI. SysNr. is the system number of the SAP system. In this case the system number is 00 and we use 3200.


In Saprouter 1 we have to add the rule (this rule is going to overrule the entry P     Host_A     Host_2     3299):


     P     *               Host_2     3299

This rule is necessary because we want to log in from every frontend with a SAP GUI. If you want to log in only from one frontend, Frontend_1, you have to add the rule:

    P     Frontend_1      Host_2     3299


In Saprouter 2 we don't have to add a new rule because the communication between the saprouters has not changed. In the last saprouter we have to add the rule for the communication via port 3200:


     P     Host_2          Host_B     3200


The configuration of the saproutertabs is:



Saprouter 1

P    *         Host_2        3299

P    Host_A    Host_2        3299


D    *         *             *


Saprouter 2

P    Host_1     Host_3       3299


D    *          *            * 

Saprouter 3

P    Host_2    Host_B        3200

P    Host_2    Host_B        1442


D    *         *             *   

In order to test the connection we make the following entry in the sap logon:


If there is an error in the configuration of the saproutertabs you will get an error like this:


In this case the error can only be located in the 1st or second saprouter (because of port 3299). If the entry in the last saprouter is wrong you get an error with port 3200. If there is no error you get the login screen.
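The two scenarios above can be replayed without three real saprouters. The script below is an added example (not part of this post and not the saprouter's own code): a simplified model of saproutertab evaluation in which rules are checked top to bottom, the first matching rule decides, and a connection matching no rule is denied. Only the P/D actions and the plain * wildcard used in the post are modelled (real saprouttab entries also support S rules, subnet masks, port lists and passwords). The hostnames, ports and rule tables are the ones from the "Scenario Port 3200" configuration, and the "nonsense" mistake from the niping test is reproduced to show the error it yields.

```python
"""Evaluate saproutertab rules for a multi-hop route (simplified model).

Added example; not the saprouter's own code. First matching rule wins,
no match means deny, only P/D actions and '*' wildcards are supported.
"""
from fnmatch import fnmatchcase

SAPROUTER_PORT = 3299  # saprouters talk to each other on this port


def parse_tab(text):
    """Parse saproutertab lines 'P|D source target port' into (action, src, dst, port) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        action, src, dst, port = line.split()[:4]
        rules.append((action.upper(), src, dst, port))
    return rules


def _match(pattern, value):
    return pattern == "*" or fnmatchcase(str(value), pattern)


def decide(rules, src, dst, port):
    """First matching rule wins; no matching rule means the connection is denied."""
    for action, r_src, r_dst, r_port in rules:
        if _match(r_src, src) and _match(r_dst, dst) and _match(r_port, port):
            return action == "P"
    return False


def check_route(tabs, client, route, target_port):
    """Walk a route such as /H/Host_1/H/Host_2/H/Host_3/H/Host_B hop by hop.

    tabs maps each saprouter host to its parsed rules; route lists the hops with the
    final target last. Each saprouter checks the connection from the previous host to
    the next one: port 3299 towards the next saprouter, target_port towards the target.
    Returns 'ok' or a message in the style of the niping error shown in the post.
    """
    prev = client
    for i, router in enumerate(route[:-1]):
        nxt = route[i + 1]
        port = target_port if i + 1 == len(route) - 1 else SAPROUTER_PORT
        if not decide(tabs[router], prev, nxt, port):
            return f"{router}: route permission denied ({prev} to {nxt}, {port})"
        prev = router
    return "ok"


# The three saproutertabs from the 'Scenario Port 3200' configuration above.
TABS = {
    "Host_1": parse_tab("""
        P    *         Host_2        3299
        P    Host_A    Host_2        3299
        D    *         *             *
    """),
    "Host_2": parse_tab("""
        P    Host_1     Host_3       3299
        D    *          *            *
    """),
    "Host_3": parse_tab("""
        P    Host_2    Host_B        3200
        P    Host_2    Host_B        1442
        D    *         *             *
    """),
}
ROUTE = ["Host_1", "Host_2", "Host_3", "Host_B"]


def broken_tabs():
    """Same configuration with the deliberate 'nonsense' mistake in saprouter 2."""
    tabs = dict(TABS)
    tabs["Host_2"] = parse_tab("P Host_1 nonsense 3299\nD * * *")
    return tabs


if __name__ == "__main__":
    print(check_route(TABS, "Host_A", ROUTE, 1442))           # ok (niping scenario)
    print(check_route(TABS, "Frontend_1", ROUTE, 3200))       # ok (SAP GUI scenario)
    print(check_route(broken_tabs(), "Host_A", ROUTE, 1442))  # denied at Host_2
```

The model makes the two ordering rules from the post visible: putting D * * * first denies everything, and a failure reports the saprouter, the source and destination hosts, and the port that a matching P rule would have to contain.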


Hope you enjoy this blog.

Useful links



http://www.easymarketplace.de/saprouter.php


SAProuter String



niping as a port check (raw mode)



OSS note on niping

500235 - Network Diagnosis with NIPING


Configure SNC saprouter

http://www.erpgenie.com/sapgenie/docs/SAP%20SNC%20CONFIGURATION.pdf

When trying to import the certificate response into the SSL server Standard PSE (or another PSE), an error might happen, informing that the "Verification of Certificate chain failed".


It is possible that a wrong intermediate and/or root certificate is being used.


This post will show how to extract the intermediate and the root certificates using the Windows Crypto Shell Extension.



First step

Double click the certificate response file (<filename>.cer):



Go to "Certification Path" (third tab):



Double click the intermediate certificate (a new popup will be displayed):



Click on "Details" (second tab):



Click on "Copy to File..." to start a wizard. Select "Base-64 encoded X.509 (.CER)" to export the file.



Next step



Repeat the first step for the root certificate


Now it is possible to combine:


certificate response +

intermediate certificate +

root certificate


and paste them into the dialog box:


displayed after clicking the "Import Cert. Response" button ("Own Certificate" section of the PSE):
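A frequent reason the pasted chain is still rejected is that one of the three pieces is not actually in Base-64 (PEM) form, or one block is missing. The script below is an added example (not part of this post): it checks that each exported file holds exactly one "BEGIN CERTIFICATE" block that decodes to a DER SEQUENCE, and concatenates them in the order the post uses (response, intermediate, root). It checks format only, not signatures, so it catches a pasted binary file or a missing block, not a wrong CA. The sample blocks are constructed stand-ins, not real certificates.

```python
"""Assemble 'certificate response + intermediate + root' for the STRUST import dialog.

Added example; not part of the original post. Format check only, no signature verification.
"""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """Return the DER bytes of every PEM certificate block in text, in order."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        if not der or der[0] != 0x30:  # an X.509 certificate is an ASN.1 SEQUENCE
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        blocks.append(der)
    return blocks


def build_chain(response_pem, intermediate_pem, root_pem):
    """Return the text to paste into 'Import Cert. Response': response, intermediate, root."""
    parts = [("certificate response", response_pem),
             ("intermediate certificate", intermediate_pem),
             ("root certificate", root_pem)]
    for name, pem in parts:
        count = len(pem_blocks(pem))
        if count != 1:
            raise ValueError(f"{name}: expected exactly one PEM certificate block, found {count}")
    return "\n".join(pem.strip() for _, pem in parts) + "\n"


def make_pem(der):
    """Wrap DER bytes as a Base-64 encoded X.509 block (what the Windows wizard exports)."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed stand-ins: minimal DER SEQUENCEs, not real certificates.
RESPONSE_PEM = make_pem(b"\x30\x03\x02\x01\x01")
INTERMEDIATE_PEM = make_pem(b"\x30\x03\x02\x01\x02")
ROOT_PEM = make_pem(b"\x30\x03\x02\x01\x03")

if __name__ == "__main__":
    print(build_chain(RESPONSE_PEM, INTERMEDIATE_PEM, ROOT_PEM))
```

Replace the three constants with the contents of the files exported from the "Certification Path" tab; if the wizard was left on the DER option, pem_blocks returns no block for that file and build_chain refuses to assemble the chain.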






1. Go to transaction SICF and select Client -> Proxy Settings (Ctrl+F2) from the menu.


2. In the Global Settings tab:

Provide the below details,

a). Authorization: S_ICF

b). No proxy for the following addresses: *.sap.corp;*.sap-ag.de;*.sap.com;



3. In the HTTP Protocol tab:

Technical Setting  : Give Hostname and port number

Logon Data           : Give username and password


Click on OK.


4. For testing, go to transaction SE38 and run the program /IANWM/CHECK_WS.



Click on Execute.


5. Check the result:



Thank you...!

Activating HTTPS in SAP system:

In the latest SAP system versions you do not need any SAPCRYPTOLIB file or profile parameters, because they are delivered by default.



1. Download the SAPCRYPTOLIB, extract the SAR file and place it into the $DIR_EXECUTABLE directory; the path can be found in transaction AL11 (e.g. D:\usr\sap\SID\DVEBMGS05\exe).


Note 397175 describes the prerequisites for downloading the library.


2. Set the environment variable in the User Variables and place the ticket file that comes with SAPCRYPTOLIB in the directory below,




3. Maintain the below parameters in the Instance Profile,



4. Goto SMICM and Select E symbol


5. Select checkbox https and goto Service --> Activate




7. Https is activated,





Thank You..

The need to replace old PSEs, created with the SHA-1 algorithm, by new PSEs using the SHA-2 algorithm family is becoming common.

Here you will find the steps to replace a PSE in STRUST and the steps to create a PSE using sapgenpse (e.g. when using the SAP Web Dispatcher).



1. Prerequisites



The system must have SAPCRYPTOLIB 5.5.5 patch level 34 (or higher) or any CommonCryptoLib installed.


It is possible to verify the SAPCRYPTOLIB/CommonCryptoLib version by executing the command:




in the command line interface (running as SIDadm) or via report RSBDCOS0.




Loaded CommonCryptoLib from sapgenpse folder



Platform: linux-gcc-4.3-x86-64 (linux-gcc-4.3-x86-64)

Versions: SAPGENPSE 8.4.35 (Mar 16 2015)


            CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.35 pl40 (Mar 16 2015) MT-safe




Environment variable $SECUDIR is defined:




It is also important to have the kernel patch level mentioned in SAP note 1739681 running in the system.

In your ABAP system, use SNOTE to implement SAP note 1740744. For newer releases, e.g. Netweaver 7.40, the correction is already in place.



2. Replacing a PSE in STRUST



Access STRUST, right-click the PSE for which you want to use the SHA-2 algorithm and click Replace.

Now select the relevant algorithm in the dropdown box, as shown below:

STRUST SHA-256.jpg


Enter the remaining details and confirm.


If a PSE from a productive system needs to be replaced, then it is recommended to follow the steps from SAP note 1178155.


You can confirm the use of SHA-2 algorithm by double-clicking the Own Certificate. The Certificate section presents the details:

STRUST SHA-256 Certificate.jpg


After you have imported the certificate response, verify whether the ICM was notified about the change. It might be necessary to import the corrections from SAP note 2417844.



3. Creating a PSE using sapgenpse



In a command line interface execute the following command:


sapgenpse gen_pse -p <PSENAME> -a sha256WithRsaEncryption -x <PIN>

(replace <PSENAME> and <PIN> with the required PSE name and PIN).


Enter the relevant DN; the CSR is shown as output.


In order to verify the algorithm, just execute:


sapgenpse get_my_name -p <PSENAME> -v -v -x <PIN>


The "My Certificate" section should show:


  Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)




4. Reference Documents



2147844 - STRUST | ICM is not always notified when SSL Server PSEs are created or deleted

1740744 - SSFPSE_CREATE: Support creation of RSA-PSEs with SHA-256

1739681 - Kernel: Support creation of RSA-PSEs with SHA-256

1689776 - SAPCRYPTOLIB 555pl34: bugfixes, AES-NI support

1178155 - Replacing PSEs in productive SSL Servers

Hello all,


SAP note 2180736 was just released as an initiative to centralize the documentation on how to handle such short dumps, all the way from how to start the analysis to the possible solutions.


For OS specifics on memory management, please check the CST wiki page on TSV_TNEW_PAGE_ALLOC_FAILED here.


Ian Segóbio.

SAP Kernel


A kernel upgrade is a key and effective process for keeping an SAP system in good health.

As part of Basis, we all come across kernel upgrade. I would like to share my experience in a kernel upgrade, process.


In general, what is Kernel?


In computing, the kernel is a computer program that manages I/O (input/output) requests from software, and translates them into data processing instructions for the central processing unit and other electronic components of a computer. The kernel is a fundamental part of a modern computer's operating system.


kernel_what is.jpg


Now how we relate a kernel to SAP:

Running Applications: All ABAP applications run on software processors (virtual machines) within this component.

User and process administration: This component is responsible for the tasks that usually belong to an operating system.

Database access: Each NetWeaver AS ABAP is linked to a database system, consisting of a database management system (DBMS) and the database itself.

Communication: ABAP applications can communicate both with other SAP Systems and with external systems.





The following kernel types are available in the Service Marketplace:


  • 32/64 bit Unicode & extended
  • 32/64 non Unicode systems & extended


By executing disp+work on the OS command line we can easily get the kernel version, release, Unicode or non-Unicode, real or extended. We need to log on as <SID>adm or navigate to the existing kernel directory to get this information.


Download the kernel that exactly matches the:

  • Operating system
  • Unicode/Non Unicode
  • Real/extended


Kernel files are divided in to 2 parts:

  • Kernel Part I (database independent)
  • Kernel Part II (database specific)


Before Kernel Upgrade:



In the above example: We need to Upgrade N-1. ( N is the latest version)

SAP kernel 7.21 64-bit Unicode files / patch 402, Part 1 and Part 2; once the files are downloaded we can extract them.



STOPSAP and stop services – disable SAP services before we implement a new kernel.


The reason is that some files and executables are responsible for starting and running the SAP application server, and some executables write logs or updates. If we try to replace the SAP kernel on the fly, it may raise a "file in use" error.

This leaves a corrupted kernel directory, since some new files may already have been written. Leaving a corrupted kernel directory is a severe error: in some scenarios we may need to restart SAP, or the system may shut down for another reason, and SAP may throw errors on startup when the kernel directory is corrupted.


The recommended process is to stop SAP, stop the SAP services and disable the SAP services in services.msc.


Take a backup of the existing kernel directory and keep it in a safe place, in case we need to revert to the older kernel.

Replace the existing kernel directory with the new kernel files.


Kernel directory will be located in


After implementing the new kernel we can start SAP.

To verify kernel use same CMD: disp+work



Tricky Part:

If the SAP service fails to start after replacing the kernel:

  • Check whether the downloaded kernel files are the appropriate ones, e.g. whether there is a Unicode/non-Unicode mismatch.
  • Restore the old backup by renaming it back to its original name; do not copy and paste into the kernel directory again, as some files might already have been overwritten.
  • If SAP still fails to start, the kernel from another system (DEV/QAS/PRD) in the same landscape can be used for the time being.

Wrapping up:


Replacing the kernel is a small effort but an important one to keep the system up and running in a stable manner. Although the downtime for a kernel upgrade is minimal, use the time beforehand to prepare with the guidelines: read the kernel upgrade note first and follow it for a smoother implementation of the new kernel.



Rathish Soundrapandian.

