
Security Patch Process

Implementing SAP Security Notes: Tools and Best Practices

SAP Center of Excellence – Security Services


February 2017
Abstract

This session shows how to set up a monthly patch process based on the System Recommendations application in SAP Solution Manager, which tracks down the critical Security Notes required for your systems.
It covers the integration with Usage Procedure Logging (UPL) and the Business Process Change Analyzer (BPCA), which identify business processes that might be affected by the implementation of security notes.
It also covers the cross-system queries of Configuration Validation, which can be used to analyze the security configuration of single systems as well as of the complete system landscape.
Goals:
■ Identify required security notes for a large system landscape.
■ Manage work lists with notes that should be implemented.
■ Audit successful implementation of required security notes.

© 2017 SAP SE. All rights reserved. 2


Agenda

■ SAP Security Notes and SAP Security Patch Day
  What they are, when they’re published
■ System Recommendations
  Tool to find the applicability of notes to systems
■ Usage And Procedure Logging (UPL)
  Tool to find unused code notes address
■ Business Process Change Analyzer (BPCA)
  Tool to find the spots to test after note implementation
■ Configuration Validation
  Tool to run cross-system validation
■ SAP Security Patch Process
  How to put all into a working mechanism

[Diagram: Security Tools and Services: EWA, Security Notes Report, Configuration Validation, System Recommendations, SOS]
Security Notes

Security Notes
■ are standard SAP Notes / HotNews
■ with information about known security vulnerabilities
■ and appropriate countermeasures (correction instruction, configuration, service
pack, upgrade, manual measures)
■ whose corrections are contained in subsequently released Support Packages, if
possible

They can be found here: https://support.sap.com/securitynotes


■ Each customer has to regularly review this list and has to verify for each
entry whether the security note applies to his systems or not and what to
do if necessary



Security Notes on the Support Portal
https://support.sap.com/securitynotes

New app showing
• A filtered list similar to the old app “My Security Notes”
• Navigation to “All SAP Security Notes”

How to define the filter: You find the filter in the “TopNotes” App


Security Notes in the Launchpad “General Search”
(not related to current app)

[Screenshot callouts: All SAP Security Notes, Views, Download list, Filter, Feedback]

You can confirm notes which you do not need anymore or mark them as ‘not relevant’.


Count of Security Notes per Month
Source: https://support.sap.com/securitynotes
Status from September 2016: ~3730 Notes in total
Covered by: Support Package, Upgrade. Caution: There are exceptions!
New strategy: Publish "Patch Day Notes" only but postpone "Support Package Notes"

[Chart: count of Security Notes per month, with the average of a ‘typical’ month marked]


Information about SAP Spotlight News
https://support.sap.com/securitynotes
SAP regularly publishes “ad-hoc” information about particularly important security topics linked to the SAP security notes. Customers can find this information at SAP Support Portal.

This information should not be confused with HotNews or priority 1 notes. The difference is that Spotlight News primarily summarizes key changes or announcements with regard to the security maintenance of SAP.


SAP Security Notes address vulnerabilities in SAP applications

Risk and impact

■ Full control over SAP systems bypassing any other SAP security controls
■ Manipulation of data which endangers legal compliance
■ Data theft
■ No traceability due to missing audit trail
■ Unavailability of data and systems

Manipulation of business processes in SAP systems is possible, availability at risk


The challenge! – Find the right note for the right systems

How to identify important SAP Security Notes that need to be implemented?


SAP Notes

You have to apply various types of notes and patches to keep your SAP systems up-to-date and secure.

■ Security notes: SAP's expert advice regarding important actions and patches to ensure the security of your customers' systems: https://support.sap.com/securitynotes
■ Performance relevant notes: SAP notes containing information and corrections for performance improvement of SAP systems
■ Java patches: A patch is a code-correction for a specific version of an SAP product.
■ Legal Change notes: Respond to requirements caused by changes in legal regulation
■ HotNews: SAP customer notes with priority 1 (very high priority) to resolve or avoid problems that can cause the SAP system to shut down or lose data.
■ General SAP notes: Notes having ABAP correction instructions

[Diagram label: SAP System]


Where to get information and recommendations about newly released SAP Notes

■ You can set up a filter for a (registered) system in SAP Support Portal to show new notes for that system in the SAP ONE Launchpad:
  https://support.sap.com/kb-incidents/notifications.html
  (Limitation: You cannot define notifications)

or (recommended)

■ You can use application System Recommendations in the SAP Solution Manager to check all relevant notes and patches for the selected systems and easily keep all of your systems up-to-date.

[Diagram: new released SAP notes (Security notes, Performance relevant notes, Java patches, Legal Change notes, HotNews, General SAP notes) → System Recommendations]
System Recommendations
Advantages & Features

■ Increase system security by applying up-to-date security-relevant notes exactly tailored for the respective system
■ Provides a detailed recommendation based on the system release and already implemented SAP notes
■ Easy-to-use filter settings allow exact selection of system or solution
■ The recommendations comprise the following notes categories:
  • Security notes
  • Performance relevant notes
  • HotNews
  • Legal change notes
  • Correction notes / Patch notes (deactivated by default)
■ Integration into Change Request Management (CharM) to directly create Requests for Change for the selected notes
■ Integration with Usage Procedure Logging (UPL) to distinguish between used and unused code
■ Integration into Business Process Change Analyzer (BPCA) to calculate the test impact


How System Recommendations supports your security
Process flow: SAP Patch Day → System Recommendations → Implementation Tools

■ SAP Patch Day: SAP releases security patches on the second Tuesday every month
  https://support.sap.com/securitynotes
■ System Recommendations: Select system(s) to check & update and the time frame. System Recommendations identifies the relevant patches and SAP notes
■ Implementation Tools: The checked relevant SAP notes and patches are applied to the SAP system using the corresponding tools, e.g. SNOTE, SUM.
System Recommendations: Process Flow
(Swimlanes: Customer, SAP)

1. Select system to check & update
2. Retrieve system information (SP level, patch level)
3. Connect to SAP Global Support Backbone
4. Provide information on latest relevant notes (for SP level, patch level)
5. Send information back to the customer‘s SAP Solution Manager system
6. Retrieve system information (implemented notes)
7. Calculate delta between OSS provided notes and already implemented notes. Show relevant notes of the system(s) via System Recommendations or Configuration Validation
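
The delta calculation of step 7, as an added Python example that is not part of the original slides and not SAP's implementation. It uses the note type letters (H, S, L, P, C) and status IDs (NEW, INP, NOR) named on this page; the relevance rule (component release plus first fixing Support Package), the note numbers, the system IDs and the SP levels are assumptions constructed for illustration.

```python
"""Added example: a simplified model of the System Recommendations delta.

Note numbers, system IDs and SP levels are constructed sample data. The
relevance rule (component release + first fixing Support Package) is an
assumption for illustration, not SAP's implementation.
"""
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_TYPES = "HSLP"            # type C (correction notes) is off by default
DEFAULT_STATUS = ("NEW", "INP")   # 'new' and 'new version available'


@dataclass(frozen=True)
class Note:
    number: str                   # constructed placeholder, not a real SAP Note
    note_type: str                # H, S, L, P or C
    component: str                # software component the correction targets
    release: Optional[str]        # None = release-independent note
    fixed_in_sp: Optional[int]    # first Support Package containing the fix


@dataclass
class System:
    sid: str
    components: dict                                # component -> (release, SP level)
    implemented: set = field(default_factory=set)   # notes already applied
    status: dict = field(default_factory=dict)      # note number -> status ID


def audit(note: Note, system: System) -> str:
    """Classify one published note against one system's retrieved data."""
    installed = system.components.get(note.component)
    if installed is None:
        return "not applicable"
    if note.number in system.implemented:
        return "implemented"
    if note.release is None:
        return "manual check"     # relevance cannot be determined technically
    release, sp_level = installed
    if release != note.release:
        return "not applicable"
    if sp_level >= note.fixed_in_sp:
        return "covered by SP"    # correction arrived with a Support Package
    return "missing"


def worklist(published, systems, note_types=DEFAULT_TYPES,
             status_filter=DEFAULT_STATUS):
    """Cross-system delta: note number -> SIDs where the note is still open."""
    result = {}
    for system in systems:
        for note in published:
            if note.note_type not in note_types:
                continue
            if audit(note, system) not in ("missing", "manual check"):
                continue
            # Notes without a status record count as NEW.
            if system.status.get(note.number, "NEW") in status_filter:
                result.setdefault(note.number, []).append(system.sid)
    return {number: sorted(sids) for number, sids in sorted(result.items())}


# Constructed sample landscape (not real SAP Notes or systems).
PUBLISHED = [
    Note("9000001", "S", "SAP_BASIS", "740", 15),
    Note("9000002", "S", "SAP_BASIS", "750", 5),
    Note("9000003", "H", "SAP_BASIS", "740", 12),
    Note("9000004", "C", "SAP_BASIS", "740", 16),
    Note("9000005", "S", "SAP_BASIS", None, None),   # release-independent
]
SYSTEMS = [
    System("PRD", {"SAP_BASIS": ("740", 13)}, implemented={"9000001"}),
    System("QAS", {"SAP_BASIS": ("740", 11)}, status={"9000003": "NOR"}),
    System("DEV", {"SAP_BASIS": ("750", 4)}),
]

if __name__ == "__main__":
    for number, sids in worklist(PUBLISHED, SYSTEMS).items():
        print(number, ", ".join(sids))
```
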
System Recommendation in SAP Solution Manager 7.1
SAP Solution Manager Workcenter – Change Management

Quicklink for Easy Access Menu: WebDynpro WDC_NOTE_CENTER


System Recommendation in SAP Solution Manager 7.1
Key Elements
■ Filter by application component
■ Filter by solution, product system, technical system and date
■ Settings
■ Structured recommendations for missing but relevant Security Notes, HotNews, …
■ Filter
■ Multiple views
■ Export to Excel
■ Status management


System Recommendation in SAP Solution Manager 7.1
Extended Functions
■ Cross-system BW reporting
■ Show object list for selected ABAP notes including usage
■ Download selected notes into Note Assistant (SNOTE) of managed system
■ Execute Business Process Change Analyzer (BPCA) to identify business processes which should be tested
■ New list view
■ Filter and sort list
■ Integration of Change Request Management and Maintenance Optimizer

Additional information:
+ Note contains automatic correction instruction (SNOTE)
+ Note contains manual correction instruction
+ Note references to a Kernel Patch
+ ABAP Support Package which contains the solution


System Recommendation in SAP Solution Manager 7.1
Cross-System BW Reporting

List SAP notes not yet implemented in the systems of the selected solution, within the specified time period


System Recommendation in SAP Solution Manager 7.1
Integration of CharM

Integration of Change Request Management and Maintenance Optimizer


System Recommendation in SAP Solution Manager 7.1
Show object list for selected ABAP notes



System Recommendation in SAP Solution Manager 7.1
Collect Java Patches and create Maintenance Transaction

Collect Java Patches for selected Notes
Integration with Maintenance Optimizer (MopZ)


System Recommendation in SAP Solution Manager 7.1
Collect Java Patches and create Maintenance Transaction

1. Collect Java Patches for selected Notes
2. Integration with Maintenance Optimizer (MopZ)


System Recommendation in SAP Solution Manager 7.1
Setup
The following steps are necessary to set up System Recommendations:

Prerequisites:
■ The SAP-OSS RFC connection needs to be set up correctly
■ All managed systems have to be connected to SAP Solution Manager and documented in transaction SMSY, and they have to be assigned to a product system and to a solution
■ Authorization object: SM_FUNCS
  • Control access and visibility of tabs in System Recommendations

To collect this data automatically for use within System Recommendations you can set up a batch job in the “Settings” area of System Recommendations.

System Recommendations is part of the “Change Management” Work Center in SAP Solution Manager.

Blog: http://sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/24227
Online Help: http://help.sap.com/saphelp_sm70ehp1_sp26/helpdata/en/83/68fad4952d42a192469fa02586aeff/frameset.htm
Important Notes:
■ Note 1554475 System Recommendations - corrections for SP26
■ Note 1577059 SysRec: No RFC authorization
■ Note 1624914 SysRec: Corrections for performance issue in SP26 & 27
■ Note 1634132 SysRec: Corrections for performance issue in 7.1 SP 1-3
System Recommendation in SAP Solution Manager 7.1
Setup
According to chapter 16.6. of the Security Guide of the SAP Solution Manager
https://service.sap.com/~sapidb/012002523100016646822015E/SM_SEC_GUIDE_71SP14.pdf#page=239
you can use (a copy of) the composite role SAP_SYSTEM_RECOMMEND_COMP “Master: System Recommendation (full authorization)”.

This role contains the following single roles:
■ SAP_SMWORK_BASIC_CHANGE_MAN: Work Center: Basic Authorization for Change Management
■ SAP_SMWORK_CHANGE_MAN: Work Center: Change Request Management
■ SAP_SM_SOLUTION_ALL: Solutions - Full authorization
■ SAP_SYSREC_ALL: System Recommendations (WC Change Management)
■ SAP_SYSTEM_REPOSITORY_ALL: Solution Manager System Repository - full authorizations

You may want to disable some work center views (see authorization object SM_WC_VIEW) in a copy of role SAP_SMWORK_BASIC_CHANGE_MAN, for example CHANGE_DOC, CHANGE_REQ, LICENSE_MANAGEMENT, etc.

In a copy of role SAP_SM_SOLUTION_ALL you may want to change the visibility for solutions.

According to note 2019992 you may need to add role SAP_BI_E2E if you want to use the BW report for System Recommendations results.
Cross-System check for System Recommendations
Report ZSYSREC_NOTELIST @ SDN for SolMan 7.0 and 7.1
■ http://wiki.sdn.sap.com/wiki/display/Snippets/SAP+AGS+Security+Services+-+Tools


System Recommendations in SAP Solution Manager 7.2

■ User Interface based on Fiori
■ Individual views and selections as Fiori tiles
■ Cross-system view
■ Customizing for status values
■ Status with history and cumulative comments
■ Detail screens: Object List with Usage Data (UPL), Prerequisite Notes
■ Hide Application Components which do not match to used DB or OS installations
■ General Customizing and Personalization
■ Simplified Activation


Open the Fiori Launchpad

On the Solution Manager, start the Fiori Launchpad and navigate to the Fiori Tile Group
“SAP Engagement and Service Delivery”

How?
Start transaction “SOLMAN_WORKCENTER”
and then navigate to “SAP Engagement and ...”
or
Start the Work Center from the Easy Access menu tree
or
Add a link for the Fiori Launchpad on your Favorites.



Add Favorites link for Fiori Launchpad

Add a link on your Favorites.

How?
1. Go to the Favorites Menu and choose “Add other objects”
2. In the “Add additional object” window, scroll and select the “SAP Fiori App”
3. Choose radio button “SAP Fiori Launchpad”


Add Favorites link for System Recommendations

Add a link on your Favorites.

How?
1. Go to the Favorites Menu and choose “Add other objects”
2. In the “Add additional object” window, scroll and select the “SAP Fiori App”
3. Choose radio button “Intent”. Enter Semantic Object “Action” and Action “UISMMySAPNotes”. You can add parameters for the client and language, too.


System Recommendations in SAP Solution Manager 7.2
Personnel Launchpad
Call transaction SM_WORKCENTER to start Fiori Launchpad

You can store individual views and selections as Fiori tiles.

The example shows security notes for these systems for which you are responsible having selected status values (‘new’).
System Recommendations in SAP Solution Manager 7.2
System Overview

Mark one or several systems and select one of available actions:
■ Show Java Support Packages and Patches to prepare an update of the selected system(s)
■ Show SAP Notes to work with the list of recommended SAP notes for the selected system(s)
■ Refresh SAP Notes to run the corresponding background job, collecting the information.


System Recommendations in SAP Solution Manager 7.2
Note Overview
■ You can filter this list of available SAP notes by
  • Technical system
  • Release date
  • Note type
  • Note status
■ Use “Advanced Search” for further filter options.
■ Click on the note number or short text for more details
■ At “Actions” you can navigate to the Object List or Prerequisite Notes for the selected SAP notes
System Recommendations in SAP Solution Manager 7.2
Advanced Search

In the Advanced Search you can reduce the list of SAP notes.
■ The SAP note statuses “New” and “New version available” are pre-selected; others can be added manually. Keep this in mind when working with the note list.
■ SAP notes marked “Kernel” in the corresponding field contain kernel corrections.
■ Release-dependent SAP notes are relevant for the system they are addressed to and should be implemented.
■ For release-independent SAP notes it is not technically possible to determine their relevance. Check the relevance on your own.
■ After setting additional filters, click on the “Search” button.
System Recommendations in SAP Solution Manager 7.2
Integration with Service Marketplace

Clicking on the note number or the short text allows the navigation to the note in the SAP Service Marketplace / SAP Support Portal
http://support.sap.com/notes
Or choose the navigation to the detailed information (explained on the next slide)


System Recommendations in SAP Solution Manager 7.2
Note Details: Overview

■ Status records and comments are stored with timestamp and user and never get modified or deleted
■ Using Actions → Change Status you can change the current status or add a comment to this SAP note


System Recommendations in SAP Solution Manager 7.2
Status and Comments
Individual and cross-system mass status management possible

You can customize user status values, e.g. for ‘fast track transport’, ‘normal transports’, or specific projects.

Status records and comments are stored with timestamp and user and never get modified or deleted.


Status and comments customizing (1)

Status ID   Default Statuses
IMP         To Be Implemented
INP         New version available
NEW         New
NOR         Irrelevant
PSP         Postponed

To add your own status proceed as follows:
■ Call transaction SM30
■ Maintain table AGSSR_STATUS
■ Select existing status and copy it with Copy as…
■ Edit the information in the table
■ Save your changes


System Recommendations in SAP Solution Manager 7.2
Status and Comments

Transaction SM30_AGSSR_STATUS for customizing table AGSSR_STATUS




System Recommendations in SAP Solution Manager 7.2
Note Details: Integration with Usage Procedure Logging (UPL)

The information about the usage count comes from UPL



System Recommendations in SAP Solution Manager 7.2
Note Details: Prerequisite Notes
■ A list of prerequisite SAP notes for the selected one is available
■ Using “Action” menu it is possible to change the notes status
■ Using “Integrated Desktop Actions” it is possible to download the SAP notes into the managed systems from SAP Solution Manager directly (if you have a trusted user in the managed system with the role SAP_SM_S_RFCACL). Or start integrated Change Impact Analysis or Change Request Management


System Recommendations in SAP Solution Manager 7.2
Confirm download of SAP Notes into managed system

■ Check the system ID and click on Confirm Download
■ Transaction SNOTE will be automatically called in the new window and you can start with the note implementation


System Recommendations in SAP Solution Manager 7.2
Show JAVA Support Package Patches

Select at least one system for which you want to install a support package patch and choose Actions → Show (JAVA) Support Package Patches


System Recommendations in SAP Solution Manager 7.2
JAVA Support Package Patch Overview

■ Select the support package patches you want to download and choose Put in Download Basket.
■ Open your web browser and navigate to https://support.sap.com/download-basket → my Download Basket
■ Download and install the support package patches


Integration with Business Process Change Analyser (BPCA) and
Change and Request Management (ChaRM)
■ The BPCA has been automatically opened in the new window
■ The Object Type and Object Name of the selected note are taken over.

■ A new Request for Change (RfC) has been created automatically
■ You can navigate to the RfC by clicking on its number


System Recommendations in SAP Solution Manager 7.2
Request for Change created from System Recommendations

■ The RfC Description “Created from System Recommendation” and the user data are taken over into General Data AB
■ The note number is added into SAP Notes Assignment Block (AB)


Filter by IT Admin Role or Priority

Use transaction LMDB to maintain the IT Admin Role and the Priority of systems. You can use these fields for filtering.


System Recommendations in SAP Solution Manager 7.2
Adding additional SAP Note Types
Field Value   Type                    Retrieved by default in System Recommendations
H             HotNews                 yes
S             Security Notes          yes
L             Legal Change Notes      yes
P             Performance Notes       yes
C             ABAP Correction Notes   no

Correction notes (Type C – normal notes having ABAP correction instructions) must be specified manually to be retrieved:
■ Call transaction SM30_DNOC_USERCFG_SR
■ In the field SYSREC_NOTE_TYPES add or remove the relevant value, i.e. enter HSLPC


System Recommendations in SAP Solution Manager 7.2
Hide Application Components of not-used DB or OS installations

Transaction SM30_AGSSR_OSDB for customizing table AGSSR_OSDB

Set components that do not match your used OS and DB to inactive (for additional information refer to the next slide).


Overview about Application Components for DB/OS:

Databases
ADA: BC-DB-SDB, BW-SYS-DB-SDB
DB2: BC-DB-DB2, BW-SYS-DB-DB2
DB4: BC-DB-DB4, BW-SYS-DB-DB4
DB6: BC-DB-DB6, BW-SYS-DB-DB6
HDB: BC-DB-HDB, BW-SYS-DB-HDB, HAN-DB
INF: BC-DB-INF, BW-SYS-DB-INF
LVC: BC-DB-LVC
MSS: BC-DB-MSS, BW-SYS-DB-MSS
ORA: BC-DB-ORA, BW-SYS-DB-ORA
SAP: BC-DB-SDB, BW-SYS-DB-SDB
SYB: BC-DB-SYB, BW-SYS-DB-SYB
TD: BC-DB-TD, BW-SYS-DB-TD

Operating Systems
AIX: BC-OP-AIX, BC-OP-BUL
HP-UX: BC-OP-HPX
LINUX: BC-OP-LNX, BC-OP-PLNX, BC-OP-ZLNX
LINUX OS/3: BC-OP-LNX, BC-OP-PLNX, BC-OP-ZLNX
OS/400: BC-OP-AS4
SINIX: BC-OP-FSC-REL
SOLARIS: BC-OP-FSC-SOL, BC-OP-SUN
SUNOS: BC-OP-SUN
TRU64-UNIX: BC-OP-CPQ, BC-OP-TRU64
UNIX: BC-OP-CPQ, BC-OP-TRU64
WIN-NT: BC-OP-NT
Z/OS: BC-OP-S390


General Customizing and Personalization
Transaction SM30_DNOC_USERCFG_SR

■ SYSREC_STATUS_FILTER (*): Defines which SAP Notes are counted on the overview page. By default it only shows SAP Notes that are in the 'new' or 'new version available' status.
■ SYSREC_UPL_ACTIVE (*): Activate/deactivate the integration with UPL while showing the object list of ABAP notes.
■ SYSREC_UPL_MONTH (*): Number of months for which UPL data is loaded. The default is 2, which represents the current and the previous month.
■ SYSREC_NOTE_TYPES: Defines for which types of SAP Notes the application calculates results. Enter the list of characters representing the note types HotNews, Security, Performance, Legal Change, Correction.
■ SYSREC_LAST_MONTHYEAR: Defines the earliest calculated SAP Notes. By default the application calculates all SAP Notes which were released between January 2009 and the current month.
■ SYSREC_DELTA_DAYS: Note delta calculation time period according to note 2304751 (default = 7 days).
■ SYSREC_BPCA_USER: Defines if the current user should be added as selection for BPCA.
■ SYSREC_BPCA_DATE: Defines the earliest filter for BPCA results. You can change the start date for this period.
■ SYSREC_CHARM_LOG_TYPE: Defines the text id according to table TTXID for the text object CRM_ORDERH.
■ SYSREC_CHARM_USER: Defines if the current user should be added as selection for ChaRM.
■ SYSREC_CHARM_DATE: Defines the earliest filter for ChaRM results. You can change the start date for this period.
■ SYSREC_OBJECT_EXP: Lifetime of the cache which contains the object list of SAP notes. The default is 14 days.
■ SYSREC_REQ_EXP: Lifetime of the cache which contains the required notes of SAP notes. The default is 14 days.
■ SYSREC_SIDE_EFFECT: Lifetime of the cache which contains the side-effect notes of SAP notes. The default is 14 days.

(*) User specific personalization
System Recommendations in SAP Solution Manager 7.2
Simplified Activation

The activation of System Recommendations is an automated activity within Managed System Configuration.


System Recommendations in SAP Solution Manager 7.2
Simplified Activation

In an upgrade to SolMan 7.2 you get a notification if EWA Monitoring or System Recommendations is not activated yet.


System Recommendations: Setup in SAP Solution Manager 7.2
Entry point
Generally the System Recommendations scenario is ready to be used when the following guided procedures have been successfully finished:

■ Mandatory configuration (transaction SOLMAN_SETUP)
  • System Preparation
  • Infrastructure Preparation
  • Basic Configuration
  • Managed Systems Configuration


System Recommendations: Setup in SAP Solution Manager 7.2
RFC connection SAP-OSS
Check setup of RFC destination SAP-OSS
■ Transaction SOLMAN_SETUP
  • System Preparation
  • Step 3.1 Setup Connectivity
  • RFC destination SAP-OSS should be successfully created and rated green.

■ You can additionally check this RFC in transaction SM59
  • ABAP Connections
  • Choose RFC destination SAP-OSS
  • Utilities
  • Test
  • Authorization test


System Recommendations: Setup in SAP Solution Manager 7.2
System Recommendations job

Check System Recommendations Job scheduling
■ Transaction SOLMAN_SETUP
■ Basic Configuration
■ Step 2 “Schedule Jobs”
■ Select the System Recommendations job SM:SYSTEM RECOMMENDATIONS and schedule it by clicking on “Schedule Jobs as Planned”
■ Ensure that you schedule the job weekly after PatchDay closing which is Tuesday morning right after midnight in CET timezone


System Recommendations: Setup in SAP Solution Manager 7.2
Enable System Recommendations for Managed Systems

Enable System Recommendations for managed systems
■ Transaction SOLMAN_SETUP
■ Managed Systems Configuration
■ Select technical system (with green RFC status)
■ Start full or minimal configuration
■ Navigate to step 5 “Enter Landscape Parameters”
■ Set the mark to “Enable System Recommendations”


System Recommendations: Setup in SAP Solution Manager 7.2
Enable System Recommendations for Managed Systems

Apply Settings for System Recommendations
■ Transaction SOLMAN_SETUP
■ Managed Systems Configuration
■ Select technical system (with green RFC status)
■ Start full or minimal configuration
■ Navigate to step 8 “Finalize Configuration”
■ Ensure that this step has been executed and rated green


System Recommendations: Setup in SAP Solution Manager 7.2
Requires roles

Roles having authorizations for running System Recommendations on SolMan (#):
■ SAP_SYSREC_DIS: System Recommendations (with work center Change Management)
■ SAP_SYSREC_ALL: System Recommendations (with work center Change Management)

Roles to show the Fiori application of System Recommendations on Fiori Hub:
■ SAP_STUI_SYSREC_TCR: Solution Manager: System Recommendations Technical Catalogue
■ SAP_STUI_SYSREC_AUTH: Solution Manager: System Recommendations Authorizations (*)

(#) There is no special display-mode in System Recommendations. Both roles offer same functionality including entering status and comments for notes

(*) As described in the role documentation you have to add an authorization proposal into the role menu.
System Recommendations: Setup in SAP Solution Manager 7.2
Requires roles
If you are using a separate Fiori Hub you need to generate the OData service for System Recommendations using transaction /n/IWFND/MAINT_SERVICE as described in the Security Guide of the SAP Solution Manager (see chapter 4.6.1 SAP Fiori Launchpad and NWBC).

In any case for role SAP_STUI_SYSREC_AUTH you have to add an ‘Authorization Default’ in the role menu. Choose ‘TADIR Service’ with object type IWSG and search for the TADIR service name AGS_SYSREC_SRV_*

Navigate to the authorizations. You will see an authorization for authorization object S_SERVICE. Finally, generate the authorization profile and assign the user(s).
System Recommendations in SAP Solution Manager 7.2
Online Documentation
You find the Online Documentation about System Recommendations in the App section for Fiori

Navigation path, e.g. starting at SolMan documentation:

System Recommendations in SolMan 7.2
http://help.sap.com/saphelp_sm72_sp03/helpdata/en/61/d626565b13e121e10000000a4450e5/frameset.htm

→ Fiori
http://help.sap.com/solman_fiori

→ Application Help → SAP Solution Manager Fiori Apps → System Recommendations
https://help.sap.com/saphelp_smfiori_102/helpdata/en/cb/e401557f614c55e10000000a4450e5/frameset.htm

SAP Support Portal https://support.sap.com/sysrec


SAP Solution Manager 7.2
Additional Information

■ Release Notes
  Changes and New Features in SAP Solution Manager 7.2 SPS 1
  Changes and New Features in SAP Solution Manager 7.2 SPS 2
■ SAP Support Portal
  https://support.sap.com/solutionmanager
■ SAP Solution Manager WIKI @ SCN
  https://wiki.scn.sap.com/wiki/display/SM/Solution+Manager+Home
■ SAP Solution Manager Roadmap
  https://service.sap.com/roadmaps
  → Product and solution roadmaps → Database and Technology → Platform → SAP Solution Manager.


Benefit of SAP Solution Manager System Recommendations

Result and value

■ Detailed gap analysis of SAP systems for SAP Security Notes
■ Listing of missing notes with possibility to set status
■ Integration into change management and reporting

Use System Recommendations to create work list for SAP Security Notes


The challenge! – Find notes addressing unused code

What code do I use anyway?


Usage and Procedure Logging (UPL)
The New Way Getting the Real System Usage

[Figure: Custom Code Lifecycle Management cycle on top of the SAP Kernel, with the phases Requirements, Design, Build & Test, Deploy, Operate, Optimize]

• Kernel based logging technology with no measurable performance impact
• Easy to activate via central Solution Manager 7.1
• 100 % reliable based on execution of ABAP procedure units like methods, function modules, subroutines and much more
• Data base for additional activities like clearing, test scoping, reduction of custom code maintenance
• Indicator for business criticality based on time slices
• Full BW reporting capability

SAP Usage and Procedure Logging (UPL)
FAQ about UPL

How to find out if UPL collection is collecting data?
Start transaction SCOV in the managed system. If UPL is activated, you will see the status information "SCOV lite is activated!". Furthermore, the traffic light under "Data collection" should be green. In this case everything is fine.

Will UPL have any impact on the system performance?
No, there is no measurable impact, because we count the usage as soon as the ABAP compiler is loading the code. This is confirmed by the SAP benchmark team.

Are there any risks to activate UPL?
No, there is no known risk to activate UPL.

How much data will be consumed in the managed system?
We collect usage data on a daily basis. As soon as one ABAP program was executed, we increase only the execution counter. From our experience the needed DB space is between 2-10 MB for 14 days of data. But this depends on the real usage of different programs.

There is an error message "Data collection was not performed" in monitor of SCOV.
Ensure settings and server are correct. If not, please use report /SDF/UPL_CONTROL to stop UPL mode. Start transaction SCOV and correct the server settings. Then reactivate UPL again.

In case of technical issues open a customer message on component SV-SMG-CCM-CDM.


Data Flow in Managed System

[Figure: Data flow in the managed system. Work processes execute reports, functions, methods and procedures. Stages shown: Buffer in Memory, Collector Job, Procedure Usage, Daily Job, Day Extract, Solution Manager. Timing labels: every 45 min*, once a day*, daily housekeeping*. Consumers shown: report /SDF/SHOW_UPL, ABAP Code Inspector.]

* Default setting

SAP Usage and Procedure Logging (UPL)
Usage Analysis (local in managed system)

How to read the UPL data in the managed system?

Use the report /SDF/SHOW_UPL to show the UPL data on the managed system. This includes viewing of existing time slices and also the current UPL collection in progress. In most cases the usage information is instantly available.

Output format (selection of the most important fields)

Date: All entries with the same UPL date were executed on this date (no time available).
Object Type: Describes the transport type of objects: PROG for programs, FUGR for function groups, etc.
Object Name in Object Directory: Name of the ABAP repository object (TADIR).
Tcode/Program: Name of the ABAP include containing the ABAP procedure.
Type: Type of ABAP processing block. You can distinguish between executions of function modules (FUNC), class methods (METH), selection screens, report events, user exits, etc.
Processing Block: Name of the ABAP processing block.
Accumulated Executions: Number of executions.


Dataflow in Solution Manager

[Figure: Data flow in Solution Manager 7.1. Labels: Extractor Framework (once a day), RFC to the managed system, BW cube, APIs on BW queries (week, month, etc.). SolMan applications using the data: Custom Code Lifecycle Management, Solution Documentation Assistant, Business Process Change Analyzer, Scope & Effort Estimator, System Recommendations.]


SAP Usage and Procedure Logging (UPL)
Central Analysis using BW in SAP Solution Manager

BW Query 0SM_CCL_UPL_MONTH



Analysis of Object Usage in System Recommendations
Data Collection of Usage Procedure Logging (UPL)

[Figure: UPL data from the DEV, TST and PRD systems of SAP ERP and SAP CRM is loaded to the BW of SAP Solution Manager and shown in System Recommendations with example usage counts per object.]

Consolidated UPL analysis for main programs (transport object), and detailed counts for functions and methods

Analysis of Object Usage in System Recommendations
Show object list for selected ABAP notes with usage data



Cross-System check for System Recommendations
Report ZSYSREC_NOTELIST with object list and usage data



Analysis of Object Usage in System Recommendations
Best practice

Preparation
• Connect DEV, TEST, and PROD Systems to System Recommendations
  • Use DEV system to view notes which should be added to work lists for implementation
  • Use PROD system to validate that selected important notes have reached production after given time
• Activate UPL for TEST and PROD systems
  • You can skip DEV systems as these will not show useful usage data

Analysis of Results
• Zero count in PROD system
  • No explicit testing required as you are not using the programs (but you still should implement the notes)
• High count in PROD system and high count in TEST system
  • No explicit testing required as you are executing the programs with normal activities in test environment
• High count in PROD system and zero count in TEST system
  • You might need explicit testing


Analysis of Object Usage in System Recommendations
Best practice
Personalization
SysRec loads UPL data for the previous and current month by default (= 4 to 8 weeks). This seems
to be reasonable for TEST systems because you do not want to see very old usage data from test
systems.
However, you might want to increase the time period for PROD systems to catch rare execution of
programs, too.
In SolMan 7.1 you can personalize the time range via transaction SU3 using user parameter
SYSREC_UPL_MONTH



SAP Usage and Procedure Logging (UPL)
Prerequisites for the monitored system

• SAP NetWeaver SAP_BASIS 7.01 SP10 or 7.02 SP9 (= SAP ERP 6.0 EHP4 or SAP ERP 6.0 EHP5)
• ST-PI 2008_1_700 SP4 or SP5 & Note 1683134 or ST-PI 2008_1_700 SP6 or higher
• Kernel 720 Patch 94 or higher according to …
• SAP Note 1785251 - SCOV/UPL: Error messages in monitor (Kernel 720 Patch 410 / 721 Patch 112)
• SAP Note 1822227 (to allow changing the data retention time using report /SDF/UPL_CONTROL)
• SAP Note 1906451 - Technical Preparation for Custom Code Management
• Based on our experience the space requirements are 2-10 MB for 14 days of data. So even data collection of one year won't massively affect space requirements. Nevertheless verify your individual storage settings / database free space for a higher retention time value.
• Report /SDF/UPL_CONTROL shows the status of UPL.
• Tip: use System Recommendations to search for the latest correction notes of application component SV-SMG-CCM-CDM for the managed system and for the SAP Solution Manager


SAP Usage and Procedure Logging (UPL)
Activation via SAP Solution Manager

The UPL activation procedure has been subject to continuous enhancements in the SAP Solution Manager infrastructure. Starting with many manual steps in SAP Solution Manager 7.1 SP5, it has finally reached a fully guided and system supported version in SAP Solution Manager 7.1 SP 11.

The SOLMAN_SETUP scenario for Custom Code Management contains all necessary steps and UIs to handle UPL configuration end to end including job scheduling of related UPL jobs.

See Note 1955847 - UPL: Activation Procedure and Authorization Handling in SAP Solution Manager

Additional authorizations:
• S_COV_ADM with change activity
• S_RFC for function group /SDF/SCOV_LITE


SAP Usage and Procedure Logging (UPL)
Guided Procedure as of SAP Solution Manager 7.1 SP 11

System specific part



Analysis of Object Usage in System Recommendations
Troubleshooting
If you do not see the additional column in System Recommendations or if you get zero results only:

• Check if UPL is active in managed system
  • Report /SDF/UPL_CONTROL should show
  • Report /SDF/SHOW_UPL should show some data (run it for a previous day to get results faster)

• Check if SolMan gets usage data
  • BW-Query 0SM_UPL_DATE_RANGE_BPCA or 0SM_CCL_UPL_MONTH should show some data.
    Keep in mind that it takes some time (up to 2 days) to replicate usage data into this query
  • Note 2077995 describes new report AGS_CC_INFRASTRUC_CHECK for SolMan 7.1 SP 12 which checks the UPL setup

• Check notes of application component SV-SMG-SR
  • Note 2099728 - SysRec: Object list for ABAP notes does not show Usage Procedure Logging data (UPL) from 02.12.2014 for SolMan 7.1 SP 9 - 12

• If UPL is not working ask for advice via application component SV-SMG-CCM-CDM
• If SysRec does not show existing usage data, create a ticket on application component SV-SMG-SR
• If report ZSYSREC_NOTELIST does not show existing usage data, send me a mail or comment on
  http://scn.sap.com/community/security/blog/2011/07/18/report-zsysrecnotelist--show-results-of-system-recommendation

System Recommendations and UPL

Combined value
• Retrieve affected objects from System Recommendations
• Retrieve used objects via UPL
• Compare both lists
• If objects from a Security Note are not in UPL list: Note will not affect running processes
  → Implement Security Note without testing

Effortless implementation of Security Notes for unused components
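
The list comparison above, combined with the zero/high count rules from the best-practice slide, as an added example that is not part of the original presentation. The CSV column names, note IDs and object names are constructed assumptions (not an export format of SAP Solution Manager), and any non-zero execution count is treated as usage.

```python
"""Triage Security Notes by comparing SysRec object lists with UPL usage."""
import csv
import io
from collections import defaultdict

# Constructed sample data. Column names, note IDs and object names are
# assumptions for this example, not an SAP Solution Manager export format.
NOTE_OBJECTS = """note,object_type,object_name
NOTE_A,PROG,ZDEMO_REPORT_A
NOTE_A,FUGR,ZDEMO_FUGR_A
NOTE_B,CLAS,ZCL_DEMO_B
NOTE_C,PROG,ZDEMO_REPORT_C
"""
UPL_PRD = """date,object_type,object_name,type,processing_block,executions
2017-01-10,PROG,ZDEMO_REPORT_A,FORM,MAIN,1200
2017-01-11,PROG,ZDEMO_REPORT_A,FORM,MAIN,80
2017-01-11,PROG,zdemo_report_c,FORM,MAIN,30
"""
UPL_TST = """date,object_type,object_name,type,processing_block,executions
2017-01-09,PROG,ZDEMO_REPORT_A,FORM,MAIN,40
"""
UPL_EMPTY = "date,object_type,object_name,type,processing_block,executions\n"

UNUSED = "zero count in PRD: implement, no explicit testing"
COVERED = "used in PRD and TST: covered by normal test activity"
EXPLICIT = "used in PRD, zero count in TST: explicit testing may be needed"
NO_DATA = "no UPL data for PRD: check UPL activation first"


def _key(row):
    """Normalise (object type, object name) so both lists compare equal."""
    return (row["object_type"].strip().upper(),
            row["object_name"].strip().upper())


def load_usage(csv_text):
    """Sum the execution counters over all days and processing blocks."""
    usage = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        usage[_key(row)] += int(row["executions"])
    return dict(usage)


def load_note_objects(csv_text):
    """Map each note to the set of repository objects it changes."""
    objects = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        objects[row["note"].strip()].add(_key(row))
    return dict(objects)


def triage(note_objects, prd_usage, tst_usage):
    """Return {note: (category, objects used in PRD but never run in TST)}."""
    # An empty PRD extract means UPL delivered nothing. Zero counts would
    # then be meaningless, so no note may be classified as unused.
    if not prd_usage:
        return {note: (NO_DATA, []) for note in note_objects}
    result = {}
    for note, objects in note_objects.items():
        used = sorted(o for o in objects if prd_usage.get(o, 0) > 0)
        untested = [o for o in used if tst_usage.get(o, 0) == 0]
        if not used:
            category = UNUSED
        elif untested:
            category = EXPLICIT
        else:
            category = COVERED
        result[note] = (category, untested)
    return result


if __name__ == "__main__":
    decisions = triage(load_note_objects(NOTE_OBJECTS),
                       load_usage(UPL_PRD), load_usage(UPL_TST))
    for note, (category, untested) in sorted(decisions.items()):
        print(note, "|", category, "|", untested)
```

The NO_DATA branch reflects the troubleshooting slide: zero results everywhere usually mean UPL is not delivering data, not that the code is unused.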

The challenge! – Find the right test for the changes a Note makes

Which process is affected, where to test for side effects?


Business Process Change Analyzer (BPCA)
Motivation and Approach

Motivation: SAP Solution updates occur frequently
• SAP triggered: Support Packages, Enhancement Packages, SAP Security Notes
• Customer triggered: Customizing changes, Custom code development

Pain Point: Which critical business processes are affected by planned changes?

Approach: SAP Solution Update → Change Impact Analysis → Test Planning → Test Execution

Change Impact Analysis
• Identification of business processes affected by change
• Risk-based Test Recommendation

Test Planning
• Test Case review and creation of missing test cases
• Test Plan generation

Test Execution
• Regression Tests
• Manual Tests
• Automated Tests


BPCA: Change Impact Analysis at an early stage

A BPCA Change Impact Analysis is performed using the top objects of the planned development against the business processes for risk assessment.

[Figure labels: Solution Architect, impacted processes]


BPCA – Preparation
Business Process Documentation

Lean Process Documentation

BPCA requires a process hierarchy, system information and executables to be documented in a project or a solution.

[Figure labels: Process hierarchy (Business scenario, Business processes, Business steps); System information; Transactions, custom development]


BPCA TBOM Generation
TBOM Creation during Manual Testing

[Figure: Business Scenario "Order to Cash" with the steps Quotation, Sales Order, Delivery, Billing. The Process Step "Sales Order" from the Business Blueprint is executed in the Customer SAP Landscape (SAP ERP, …).]

1. Tester starts manual test case from Tester Worklist
2. Tester executes the process step in SAP managed System while BPCA traces all SAP objects used by the Process Step in the background
3. Generated TBOM is assigned to Process Step / Business Process


BPCA - TBOM Generation
Current Alternatives plus new Approach

Static TBOM generation approach
• Positive: background job to generate all TBOMs without manual effort
• Disadvantage: less precision compared to dynamic TBOMs due to limit to 4 branching levels

Dynamic TBOM generation approach
1. Manual execution of business transaction by user with TBOM generation in the background
2. Initial: Work-Item for Business User in PRD system
   Update: Manual Testers in TST system
3. Automatic generation via automated tests (eCATT, SAP TAO, HP QTP, …)

Semi-dynamic TBOM generation approach
[Figure: UPL data in the PRD system (Usage and Procedure Logging of ABAP objects at Kernel level) passes the BPCA UPL filter; a background job for BPCA TBOM generation produces the semi-dynamic TBOM.]
• No manual effort through background processing (overnight)
• High precision
• Repeatable at any time


Don’t have documented processes yet?
Automatic generation of Business Blueprint / Process Step Library

Process Step Library
• List of Process Steps by any grouping, e.g. by SAP Modules
• Assigned entities like Executables (e.g. transaction codes) and documentation

Example:
Process Steps and Transactions for SD

Automatic generation of Process Step Library
• Program RUTILITY_BLUEPRINT_GENERATION via SAP Note 2061626 for SAP Solution Manager SP10 - see next pages for details
• Application "Scope and Effort Analyzer" (SEA) – available with SAP Solution Manager SP11

Extended Functions in System Recommendations
Integration with Business Process Change Analyzer

Execute Business Process Change Analyzer (BPCA) to identify business processes which should be tested


System Recommendations and BPCA

Combined value
• Run BPCA to know which technical objects are used in which process
• Hand over objects affected by SAP Security Notes from System Recommendations to BPCA
• Determine affected processes
• Develop suitable test cases for side effects

Efficient testing after SAP Security Note implementation


Consider Customers Situation of Today …

• "Have we applied SAP Note xxxxx on all systems? …please report implementation status for all systems?"
• "Have we imported Transport request xxxx (with important performance changes) on all systems? … could I have a list of the systems where it is still missing?"
• "Are the OS, DB, Software and Kernel on the certain / latest level? … on all Systems? .. Please show me?"
• "Are all our CRM systems compliant with the new Configuration Baseline ?.. not compliant.. which systems? what exactly?"
• "Are security settings applied? …on all systems? … could you please confirm and report?"

Challenges
• A large number of systems… Complex SAP Landscape …
• … Need to perform comparison of current configuration status against a defined target or standard configuration baselines
• … with minimum efforts and ASAP

What is Configuration Validation?
The Idea behind Configuration Validation

A reporting to understand how homogeneous the configuration of systems is.

[Figure: Configuration Validation compares the configuration items of a Reference System (software packages, ABAP notes, kernel level, transports, parameters, ...) with the configuration items of the Compared Systems (System 1 ... System N) and reports the compliance with the Reference System per system.]

Typical questions are:
• All systems on a certain OS level or DB level?
• Template configuration (SAP or DB parameter) applied on all systems?
• No kernel older than 6 months on all systems?
• Security policy settings applied? Security defaults in place?
• Have certain transports arrived in the systems?


Configuration Validation
Options to report about SAP Notes

A) Configuration Validation using a Target System which is based on EarlyWatch online recommendations (RSECNOTE)
• Use this option to produce a cross-system analysis comparable to RSECNOTE (ABAP only)
• The target system defines which notes should be checked. The note list and the check conditions are loaded from EarlyWatch online recommendations.

B) Configuration Validation using a Target System which is based on Notes
• Use this option to produce a cross-system analysis on selected notes (ABAP and Java)
• The target system defines which notes should be checked. The initial note list is loaded from System Recommendations, and can be reduced or extended.
• The check conditions are loaded from note definition available at the SAPNet.

C) System Recommendations Reporting
• Use this option to produce a cross-system analysis for System Recommendations


Configuration Validation
B) Configuration Validation using a Target System based on Notes
Option b) all notes based on System Recommendations

The SAP Notes relevant for the source system can be restricted via
• Data Range
• Note Group – for example only Security and Hotnews SAP Notes can be inserted


Configuration Validation
C) System Recommendations Reporting

Using the predefined report 0TPL_0SMD_VCA2_SYS_RECOM_NOTES of the application "Configuration Validation" you can define arbitrary selections, filters and views for a cross-system report based on the results of the application "System Recommendations".

Select note area .. or select notes which have been classified as being ‘important’ by your CERT department

CERT = Computer Emergency Response Team

Configuration Validation
C) System Recommendations Reporting
New option to paste note numbers into the
selection screen of the reporting as of
SolMan 7.1 SP 9 for the query showing
results of System Recommendations.
1. Step: Activate the new option
2. Step: Paste the system names or the
note numbers into the new popup



Configuration Validation
Result



Cross-System reporting about System Recommendations

Combined value
• Run cross-system BW reporting about System Recommendations
• Validate if selected notes have reached production systems
• Determine quality of patch processes

Efficient validation after SAP Security Note implementation


The challenge! – Weighing security risk against operational risk

Whether to patch, or not to patch?


Security Patch Day:
How to implement which note in which system?
Unfortunately the tools reduce the mass and effort issue only partially:

• Depending on the age of the system very many Security Notes (up to hundreds) are relevant per system
• The priority of the notes is not a strong, selective criterion as approximately 80% of all notes have priority "HotNews" or "high"
• Depending on the size of the system landscape you have to patch many systems. You have to align exceptional security patches with regular maintenance activities.
• The effort to analyze and to implement security notes, to identify the test requirements and to document all activities is quite high
• You don't get any guarantee that there are no notes which produce massive issues during implementation or usage in production systems
• Different technologies (especially ABAP, Kernel, Java, HANA) require special patch processes
• and in case of other products like Business Objects or Mobile it’s even difficult to find relevant notes


The 5 Stages of a Security Patch Process

• List of Security Notes: support.sap.com/securitynotes
• Monthly execution of "System Recommendations"
• Check Security Notes within "Maintenance Optimizer"
• Reduction of test effort using UPL or BPCA*
• Continuous Security Monitoring using "Configuration Validation"

Useful Documentation:
• SAP Security Patch Day Working Paper: support.sap.com/sos → Media Library (German/English)
• Security Patch Process FAQ: scn.sap.com/community/security/blog/2012/03/27/security-patch-process-faq
• Details about System Recommendations: support.sap.com/sysrec
• Demo of System Recommendations: Link

* UPL – Usage Procedure Logging, BPCA – Business Process Change Analyzer (support.sap.com/testing)


Most Important: SAP Security (Patch) Policy

The best support to bring a patch process to life:

Describes organization (responsibilities) and processes relevant for implementing security patches

Defines the mandatory timelines for published security patches and implementation of SPs

Often dependent on security classification of systems or applications

Should provide hard targets but should also allow for documented, approved exceptions

Goal: Make patching mandatory but balance security risk against operational risk



Trivial SAP Security Patch Policies

Business first
No patching at all. Only exceptions are SPs every 2 years (or less) or one or two “Hot News” notes a year for severe vulnerabilities

Security first
No discriminating patching policy, no assessments, trade-offs. Security Notes are implemented immediately regardless of priority

Non-Trivial SAP Security Patch Policies

Business first
No patching at all. Only exceptions are SPs every 2 years (or less) or one or two “Hot News” notes a year for severe vulnerabilities

Patch with reason
Assess security and implementation risk, weigh trade-off to determine best approach for SAP Security Note implementation.

Security first
No discriminating patching policy, no assessments, trade-offs. Security Notes are implemented immediately regardless of priority

The patching process: Actions to take

1. Find the notes. Use Support Portal and System Recommendations.

a) Ongoing project: Monthly patch process to catch new notes

b) Special project to cover the backlog of old notes once the monthly patch process works fine

2. Classify the notes for the patching policy: Assess the security risk (i.e. priority & CVSS).

3. Classify the notes for the patching policy: Assess the implementation risk (UPL, BPCA).

4. Apply patching policy. Results in timeline until when to patch.

5. Communicate targets. Follow up on implementation progress / patching compliance.



Classification of Security Notes by Type

1. ABAP Correction Instructions
   Use Note Assistant (transaction SNOTE) to implement the correction or apply the Support Package

2. ABAP Software-like manual corrections
   Implement the correction manually, e.g. deactivate a web-based service, and use normal transports

3. Kernel Notes: Install a new Kernel
   Java Notes: Install Java Support Packages or Patches
   HANA Notes: Install new revision

4. Notes about other components
   Individual procedure to find notes and to update the CryptoLibrary, other Databases, SAPGUI, RFC Library, Business Objects, Sybase, ..

5. Other manual instructions
   Anything else. Sometimes described in White Papers or Documentation, too.

Classification of Security Notes by Implementation Process

1. Implementation as part of a monthly standard patch process
   e.g. for ABAP Correction Instructions or ABAP software-like manual corrections

2. Implementation as part of a project
   e.g. for notes about other components or other manual instructions

3. Implementation as part of maintenance activities
   e.g. Support Package upgrade, Kernel upgrade, Java upgrade

4. Implementation after maintenance activities
   e.g. manual instructions which require a Support Package upgrade or Kernel upgrade as a prerequisite

Sample SAP Security Patch Policy

1. Every system / application has to be put into a security category / classification [Very High, High, Medium, Low]

2. No SP level may be older than 1.5 years

3. Security Notes published by SAP must be assessed and classified by priority [Very High, High, Medium, Low] and implementation process [Monthly, Maintenance, Project]

4. The following timelines apply (excerpt):

   System Class   [Max] Note Priority   Impl Process   Deadline
   Very High      Very High             <any>          30 days
   Very High      High                  Monthly        30 days
   Very High      High                  Maintenance    90 days
   High           High                  Project        180 days
   ……….

5. Exceptions are allowed for good reason but must be documented and approved by IT Security
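
The policy excerpt above turned into a compliance check, as an added example that is not part of the original presentation. Assumptions: the deadline is counted from the note's publication date, an exception only counts when it names an approver, and all system IDs, note IDs and dates are constructed. Combinations missing from the excerpt are reported as NO_RULE instead of being guessed.

```python
"""Apply the sample patch policy excerpt to open Security Notes."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ANY = "<any>"
# Rows of the policy excerpt: system class, note priority, process, days.
POLICY = [
    ("Very High", "Very High", ANY, 30),
    ("Very High", "High", "Monthly", 30),
    ("Very High", "High", "Maintenance", 90),
    ("High", "High", "Project", 180),
]


@dataclass(frozen=True)
class Note:
    number: str
    published: date
    priority: str   # Very High, High, Medium, Low
    process: str    # Monthly, Maintenance, Project


@dataclass(frozen=True)
class Finding:
    system: str
    note: str
    due: Optional[date]
    status: str     # OPEN, OVERDUE, EXCEPTION or NO_RULE


def deadline_days(system_class, note_priority, impl_process):
    """Return the deadline in days, or None if the excerpt has no row."""
    for cls, prio, proc, days in POLICY:
        if (cls == system_class and prio == note_priority
                and proc in (ANY, impl_process)):
            return days
    return None


def assess(systems, notes, implemented, exceptions, today):
    """List every missing note per system with its due date and status."""
    findings = []
    for sid, system_class in sorted(systems.items()):
        for note in notes:
            if (sid, note.number) in implemented:
                continue
            days = deadline_days(system_class, note.priority, note.process)
            due = note.published + timedelta(days=days) if days else None
            # Rule 5: an exception needs a documented approver to count.
            if exceptions.get((sid, note.number)):
                status = "EXCEPTION"
            elif due is None:
                status = "NO_RULE"
            elif today > due:
                status = "OVERDUE"
            else:
                status = "OPEN"
            findings.append(Finding(sid, note.number, due, status))
    return findings


# Constructed sample landscape and notes (placeholders, not real notes).
PATCH_DAY = date(2017, 1, 10)
SYSTEMS = {"PRD": "Very High", "QAS": "High"}
NOTES = [
    Note("NOTE_A", PATCH_DAY, "Very High", "Monthly"),
    Note("NOTE_B", PATCH_DAY, "High", "Maintenance"),
    Note("NOTE_C", PATCH_DAY, "High", "Project"),
]
IMPLEMENTED = {("QAS", "NOTE_A")}
EXCEPTIONS = {("PRD", "NOTE_B"): "IT Security", ("PRD", "NOTE_A"): ""}

if __name__ == "__main__":
    for f in assess(SYSTEMS, NOTES, IMPLEMENTED, EXCEPTIONS,
                    date(2017, 2, 20)):
        print(f.system, f.note, f.due, f.status)
```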

Sample patch process
Integrated approach with policy adoption and checks

[Figure: Timeline of the sample patch process.
Phases: Monthly on 2nd Tuesday (SAP Security Patch Day); the week after the Patch Day; within one month, three months…; during next maintenance cycle.
Input checks: Check Support Portal /securitynotes; check System Recommendations in Solution Manager; check SAP Security Notes Advisory (/sos → Media Library).
Decisions: Apply patch policy; document exception.
Workflows: Apply within X days (policy); scheduled implementation; check in X days.
Activities: Apply Security Notes; perform individual regression test if necessary; apply additional manual configuration of SAP Security Notes; apply Kernel Patches, Java Patches and ABAP Support Packages; complete test; check status.]


What’s happening at the customer side?
Customers Demonstrate an Increasing Adoption of SAP Security Patches as a Corporate Policy

Trade-off tips to the patching side
“We apply SAP security patches immediately and move them to our productive systems after a 1 month cooling time whether or not we've had the time to test them.” ExxonMobil, October 2014

Time to patch follows priority
“We decided to apply all security notes (immediately after every patch day) and our operations managers have to do it within the decided processing times per note priority.” BMW, October 2014

Negligible critical side effects
“From a security patching perspective we can confirm that we have had no impact on the productivity of the systems in the last 6 months.” ExxonMobil, October 2014


Join the monthly Security Notes Webinar

DSAG & ASUG & SAUG: Security Notes (Germany, America, Australia)

• ASUG Security SIG (English)
• SAP Australia User Group, SAUG (English)
• DSAG AG SAP Security Notes (German)

You can find the latest version of the presentation on SAP Support Portal /sos
https://support.sap.com/sos
→ Media Library → Security Notes Webinar


SAP Security Notes Advisory by SAP Consulting

When publishing Security Notes on https://support.sap.com/securitynotes, SAP also publishes a prioritization. This prioritization is based on certain criteria from a development / product point of view, also incorporating CVSS scores where applicable.

With the SAP Security Notes Advisory, SAP Global Service & Support offers an additional prioritization. This prioritization is no contradiction to the original priorities given by the SAP product development. It supplements these priorities with a field view, adding experiences from both practical security and implementation of SAP applications and operation of systems by SAP Global Service & Support. The Advisory also gives hints on side-effects to expect and recommends an implementation approach for the Security Notes published each month.

Important note: This service is delivered by the SAP Consulting (part of SAP Global Service & Support). Please address any questions about this Advisory to security.consulting@sap.com

If you have issues with individual SAP Note implementation steps, please open a message on the component of the SAP Note.

You can find the latest version of the Advisory on SAP Support Portal /sos
https://support.sap.com/sos
→ Media Library → SAP Security Notes Advisory


SAP Security Notes Advisory by SAP Consulting
Example

• Information is contained in Excel download of Security Notes from Support Portal
• Information is contained inside Security Notes text
• Additional Information and Recommendations from SAP Services


Core elements of the advisory

The advisory is a simple Excel workbook with several data sheets

• Cover sheet
• Summary / Howto
• Legend (color coding)
• Advisory sheet (main content)
• Notes list (month)
• Notes chart (all)
• Notes statistics (all)
• Notes list (all)


Color coding of the advisory sheet columns

The colors indicate the source of the information

• Grey: Original information from SAP Security Notes publication (https://support.sap.com/securitynotes)
• Olive: Original information from individual SAP Security Note (https://service.sap.com/sap/support/notes/<note number>)
• Blue: Additional information from SAP Services


Header data from SAP Security Note

Basic information indicating applicability and severity of the issue

• Category: Program error, Customizing, Consulting
• System type: derived from affected component (Java, ABAP, HANA…)
• CVSS data
• External attention
• SPIN or PD note


CVSS data from SAP Security Note

CVSS vector details

• Open additional columns with “+” at column H
• Automatically derived from vector spec
• Gives additional hints on attack complexity
• Also has indicators on damage (confidentiality, integrity, availability)
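
Deriving such columns from a vector string, as an added example that is not part of the original presentation or of the advisory workbook. Assumptions: the vector uses CVSS v3.0 base metrics (the slide does not state the version), the sample vectors are constructed, and the rounding helper follows the later CVSS v3.1 definition of Roundup to avoid floating-point artefacts.

```python
"""Decode a CVSS v3.0 base vector and compute its base score."""
import math

CIA = {"H": ("High", 0.56), "L": ("Low", 0.22), "N": ("None", 0.0)}
# Metric -> value -> (label, weight); weights are from the CVSS v3.0 spec.
METRICS = {
    "AV": {"N": ("Network", 0.85), "A": ("Adjacent", 0.62),
           "L": ("Local", 0.55), "P": ("Physical", 0.2)},
    "AC": {"L": ("Low", 0.77), "H": ("High", 0.44)},
    "PR": {"N": ("None", 0.85), "L": ("Low", 0.62), "H": ("High", 0.27)},
    "UI": {"N": ("None", 0.85), "R": ("Required", 0.62)},
    "S": {"U": ("Unchanged", None), "C": ("Changed", None)},
    "C": CIA, "I": CIA, "A": CIA,
}
PR_SCOPE_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}


def parse_vector(vector):
    """Return {metric: value}; reject unknown, duplicate or missing metrics."""
    prefix, _, rest = vector.strip().partition("/")
    if prefix != "CVSS:3.0":
        raise ValueError("expected a vector starting with CVSS:3.0")
    metrics = {}
    for part in rest.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in METRICS or value not in METRICS[name]:
            raise ValueError(f"invalid metric {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = sorted(set(METRICS) - set(metrics))
    if missing:
        raise ValueError("missing metrics: " + ", ".join(missing))
    return metrics


def roundup(value):
    """Round up to one decimal using integer arithmetic."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def _weight(metrics, name):
    return METRICS[name][metrics[name]][1]


def base_score(metrics):
    """Base score from impact and exploitability sub scores."""
    changed = metrics["S"] == "C"
    pr = PR_SCOPE_CHANGED[metrics["PR"]] if changed else _weight(metrics, "PR")
    iss = 1 - ((1 - _weight(metrics, "C")) * (1 - _weight(metrics, "I"))
               * (1 - _weight(metrics, "A")))
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    if impact <= 0:
        return 0.0
    exploitability = (8.22 * _weight(metrics, "AV") * _weight(metrics, "AC")
                      * pr * _weight(metrics, "UI"))
    total = impact + exploitability
    return roundup(min(1.08 * total if changed else total, 10))


def advisory_columns(vector):
    """Readable columns: attack complexity, damage indicators, score."""
    m = parse_vector(vector)
    names = {"AV": "attack_vector", "AC": "attack_complexity",
             "PR": "privileges_required", "UI": "user_interaction",
             "S": "scope", "C": "confidentiality", "I": "integrity",
             "A": "availability"}
    columns = {names[k]: METRICS[k][m[k]][0] for k in names}
    columns["base_score"] = base_score(m)
    return columns


if __name__ == "__main__":
    # Constructed vector, not taken from a specific SAP Security Note.
    print(advisory_columns("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"))
```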

© 2017 SAP SE. All rights reserved. 168


Note assessment (1/2)

Additional information on priority and risk (field point of view)

 Priority recommendation  Vulnerability type


 (Changed) Priority  Risk details
 Reason for deviation from product  Solution type
development priority

© 2017 SAP SE. All rights reserved. 169


Note assessment (2/2)

Additional information on implementation risk and approach

• Type of correction
• Implementation recommendation
• Effort indicators
• Side effects, note dependencies
• Additional topics to consider
• Possible workarounds



Correction data from SAP Security Note

Additional information on applicability

• SPs containing the correction
• ABAP objects affected
• Java components



SAP Security Notes Advisory by SAP Consulting
Impact Analysis for ABAP Security Notes

The Patch Day Security Notes with ABAP corrections are supported by an impact analysis that provides information on which end-user applications might be impacted by a given note.

This information enables customers to perform regression testing before patching the productive systems, so that they can take informed decisions and ensure continuity of their processes.

The impact analysis is based on static analysis of dependencies performed internally at SAP on a standard SAP system which is on the latest release. Custom coding is not supported.

The analysis currently supports dependencies related to Reports, Transactions, Remote-Enabled Functions (RFC) and WebDynpro ABAP applications.



Security Notes assessment: monthly steps

1. Receive the advisory via mail

2. Refine the advisory on a global (system independent) level
– Add company specific details and handling recommendations
– Add timeline-to-patch from company policy
– Remove irrelevant data

3. Either globally or per system owner: download the list of applicable notes for each system from the System Recommendations application

4. Merge the Excel files of applicable notes with the refined recommendations from the advisory

5. Send the result to the system owner / application manager to handle. On application level, exceptions might be necessary.
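
One way to carry out step 4, as an added example that is not part of the original deck: it joins each system's list of applicable notes with the refined advisory on the note number and sorts each work list by deadline. The CSV layout, column names, system IDs and note numbers are constructed assumptions; real exports would first be saved from Excel as CSV.

```python
import csv
import io

# Constructed sample: refined advisory from steps 1-2 (column names are assumptions).
ADVISORY = """Note,Priority,Vulnerability type,Timeline-to-patch (days)
0000000001,Hot News,Code injection,14
0000000002,High,Missing authorization,30
0000000003,Medium,Information disclosure,90
"""
# Constructed sample: step 3 downloads, one per system. Spreadsheet round trips
# often drop leading zeros, so PRD lists note 0000000001 as "1".
APPLICABLE = {
    "PRD": "Note,Short text\n1,Sample A\n3,Sample C\n9,Older note\n",
    "QAS": "Note,Short text\n0000000002,Sample B\n",
}

def note_key(raw):
    """Normalise a note number so '0000000001' and ' 1 ' compare equal."""
    return raw.strip().lstrip("0")

def merge(advisory_csv, applicable_by_system):
    """Step 4: join each system's applicable notes with the advisory rows."""
    advisory = {note_key(r["Note"]): r for r in csv.DictReader(io.StringIO(advisory_csv))}
    worklists, unmatched = {}, {}
    for system, text in applicable_by_system.items():
        rows, missing = [], []
        for row in csv.DictReader(io.StringIO(text)):
            adv = advisory.get(note_key(row["Note"]))
            if adv is None:
                missing.append(row["Note"])  # applicable, but not in this advisory
            else:
                rows.append({"System": system, **adv})
        # Shortest deadline first, so the owner sees the urgent notes on top.
        rows.sort(key=lambda r: int(r["Timeline-to-patch (days)"]))
        worklists[system], unmatched[system] = rows, missing
    return worklists, unmatched

if __name__ == "__main__":
    lists, gaps = merge(ADVISORY, APPLICABLE)
    for system, rows in lists.items():
        for r in rows:
            print(system, r["Note"], r["Priority"], r["Timeline-to-patch (days)"])
        print(system, "not covered by this advisory:", gaps[system])
```

Notes that a system reports as applicable but that the current advisory does not cover are returned separately, so they are not silently dropped from the owner's work list.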



Handling best practices

If you are looking for EWA / RSECNOTE-like information:

• Filter “Correction type” for “SNOTE” (no manual steps)
• Filter “Recommended implementation process” for “Monthly patch process”
• Filter “Priority” to be at least “High”
• This will result in all notes that are important and easy to implement (which was the aim of RSECNOTE)

Testing recommendations
• Obsolete code: “Solution” columns
  – When code is removed, it shouldn’t have been there right from the start
  – High probability that this code had never been used in customer production either
• ABAP: Use UPL to measure object usage
  – Performance impact negligible
  – Reports /SDF/UPL_CONTROL, /SDF/SHOW_UPL
  – UPL functionality is contained in ST-PI components
  – Compare results with affected objects from advisory
  – Objects that are not used might still be used by an attacker, but patching is easy because no testing is required.
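
The three filters and the UPL comparison above, as an added example that is not part of the original deck. The column names “Correction type”, “Recommended implementation process”, “Priority” and “ABAP objects affected” come from the slides; the CSV layout, the priority scale, the `;` separator, the object names and the UPL result set are constructed assumptions.

```python
import csv
import io

# Constructed sample of advisory rows (values and the ';' separator are assumptions).
ADVISORY = """Note,Priority,Correction type,Recommended implementation process,ABAP objects affected
0000000001,Hot News,SNOTE,Monthly patch process,ZSAMPLE_REPORT_A;ZSAMPLE_FUNC_B
0000000002,High,SNOTE,Monthly patch process,ZSAMPLE_CLASS_C
0000000003,High,Manual,Project,ZSAMPLE_REPORT_A
0000000004,Medium,SNOTE,Monthly patch process,ZSAMPLE_FUNC_D
"""
# Constructed sample: object names that UPL recorded as executed in production.
UPL_USED = {"ZSAMPLE_REPORT_A", "ZSAMPLE_FUNC_D"}

RANK = {"Low": 0, "Medium": 1, "High": 2, "Hot News": 3}  # assumed priority scale

def quick_wins(advisory_csv, min_priority="High"):
    """Apply the three filters: SNOTE, monthly patch process, priority >= High."""
    return [
        r for r in csv.DictReader(io.StringIO(advisory_csv))
        if r["Correction type"] == "SNOTE"
        and r["Recommended implementation process"] == "Monthly patch process"
        and RANK[r["Priority"]] >= RANK[min_priority]
    ]

def regression_scope(rows, used_objects):
    """Map each note to the affected objects that UPL shows as actually used."""
    scope = {}
    for r in rows:
        affected = {o.strip() for o in r["ABAP objects affected"].split(";") if o.strip()}
        scope[r["Note"]] = sorted(affected & used_objects)
    return scope

if __name__ == "__main__":
    for note, used in regression_scope(quick_wins(ADVISORY), UPL_USED).items():
        verdict = "test " + ", ".join(used) if used else "no used objects, patch without regression test"
        print(note, "->", verdict)
```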



Handling best practices

By vulnerability type:
• Directory traversals: very often difficult to implement
  – A project approach is advisable for non-recent SP levels
  – Security risk depends highly on “read” vs. “write”
• Missing authorization: very often fairly easy to implement (but watch out for objects that might be missing in roles)
• XSS: very often fairly easy to implement and test
• Code / SQL (write) / Command injection: dangerous! – and often easy to implement
• Information disclosure / SQL (read) injection: no imminent danger to system integrity

Check “Additional comments” for implementation issues (dependent notes) and side effects

Some customers calculate time-to-patch based on both implementation approach and security risk.



Three key messages as takeaways!

Applying SAP Security Notes is a challenging topic.

SAP provides tools for an efficient matching of notes to systems and processes.

The setup of a proper patch process is key in keeping important business systems secure.



Contact information:

Frank Buchholz
SAP Active Global Support – Security Services
frank.buchholz@sap.com

Security Patch Process FAQ
https://scn.sap.com/community/security/blog/2012/03/27/security-patch-process-faq