Activate Clickjacking-Framing-Protection service

SAP NetWeaver comes with its own solution to prevent clickjacking for its most relevant UI frameworks. For more information about this protection, see the corresponding SAP Notes.

By default, clickjacking protection is disabled. To activate it, you need to insert a value into table HTTP_WHITELIST.

Insert values into table HTTP_WHITELIST

Transaction: SE16

Check whether the clickjacking protection service is enabled or disabled. It is disabled if the table contains no record with ENTRY_TYPE=30, or if the table is empty.

Table name: HTTP_WHITELIST

Execute

Result

By default, no values are in the table and the service is not enabled. For data that needs to be inserted into table HTTP_WHITELIST, see SAP Note 2142551. Creating an entry with ENTRY_TYPE value 30 activates the whitelist.

Transaction: SE16

Select F5 or click on the new entry icon.

Insert data. See links below for additional information on possible values.

Click save to persist the entry in the table.

Afterwards, the table will contain one record. As the record has value 30 for column ENTRY_TYPE, the clickjacking protection service is enabled.

Activate ICF whitelist service

Adding a record activates the service, but to make apps work, additional configuration steps must be taken. For instance, accessing a WDA app (e.g. SAML2) now will result in an HTTP 500 internal server error. This is caused by having the clickjacking protection activated, but not the whitelist service.

To solve the HTTP 500 error, you need to activate the ICF whitelist service.

Transaction SICF_INST
Technical name: UICS_BASIC

Execute. This will activate the ICF node

/sap/public/bc/uics/whitelist

Result

After enabling the service and the ICF node, the above WDA app will open in the browser.

https://vhcalnplci:44300/sap/bc/webdynpro/sap/saml2

Additional information on setting whitelist entries.

 

SAP Web IDE: Invalid backend response received by SCC

Connectivity between SAP Cloud Platform and an on-premise SAP NetWeaver system is normally achieved via SAP Cloud Connector. A nice feature depending on this is the remote connection of SAP Web IDE to an on-premise ABAP system. The feature makes it easy to load apps from the ABAP system and change or extend them from anywhere.

For this feature to work, some ICF services must be active on the ABAP system and remote access enabled on SCC. If not, Web IDE cannot “talk” to NW ABAP. Some possible errors and solutions regarding the setup are shown in this blog.

Scenario

A NetWeaver ABAP system with Fiori apps is available and the SAP Cloud Connector is configured to expose the system to SAP Cloud. I am using the SAP NetWeaver ABAP 7.51 Developer Edition for the scenario.

In the destination section of SCP, the SCC is shown as connected and the destination NPL is configured and working. A connection test returns a success message: SCP <–> SCC <–> NW works.

Problem

A developer tries to extend a Fiori app. In Web IDE, the project wizard for an extension project is used.

After selecting the on premise system destination, an error message is displayed. The actual error message can differ. Sometimes you see an informative error message or just some red text or maybe nothing.

Error messages

In all cases, you can check the log of SCC and see detailed information on the error.

The error message is:

Access denied to /sap/bc/adt/discovery for virtual host npl:443

Solution

The ICF service /sap/bc/adt/discovery is not accessible. This can be because the user does not have the right permissions, or the service is not active in the NW system, or SCC is not exposing the service.

Alternative A: SCC not exposing service

Adding a service in SCC will only expose the exact path, not the sub path. Either you add all paths exactly in the resource list, or change the access policy to accept sub-paths too.

Root cause: Path only, excluding sub-paths.

Solution: Change the access policy to include sub-paths. This will allow Web IDE to access the resource.

Alternative B: ICF service not active

In the NW ABAP system, go to transaction SICF and check node /sap/bc/adt. This node must be activated. By default, this node is deactivated and must be activated by Basis.

Root cause: Service deactivated

Solution: Activate node adt. Right click and select Activate Service.

Alternative C: Missing authorization

Check with SU53 and SAP Help what is missing and assign the right permissions to your user.

Result

After applying the correct solution, the developer can use the extension project wizard in SAP Web IDE to load available applications.
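To tell Alternative A apart from B and C when reading the SCC log, the denied path can be compared against the exposed resources. The following is an added example, not part of the original blog; the resource list is a simplified, constructed model of the SCC access policy (not an SCC export format) and the log lines are constructed around the message quoted above.

```python
import re

DENIED = re.compile(r"Access denied to (\S+) for virtual host (\S+)")

# Constructed model of the SCC resource list per virtual host:
# (URL path, include_subpaths). This is not an SCC export format.
RESOURCES = {"npl:443": [("/sap/bc/adt", False), ("/sap/opu/odata", True)]}

# Constructed log lines built around the message quoted above.
LOG = [
    "2018-01-01 10:00:00 Access denied to /sap/bc/adt/discovery for virtual host npl:443",
    "2018-01-01 10:00:05 Access denied to /sap/bc/ui5_ui5/ for virtual host npl:443",
]


def is_exposed(path, resources):
    """True if the path matches a resource exactly or via an enabled sub-path policy."""
    for res_path, include_subpaths in resources:
        base = res_path.rstrip("/")
        if path.rstrip("/") == base:
            return True
        # Match on a segment boundary so /sap/bc/adt does not cover /sap/bc/adtx.
        if include_subpaths and path.startswith(base + "/"):
            return True
    return False


def triage(log_lines, resources_by_host):
    """Map each denied request to the most likely cause from the alternatives above."""
    findings = []
    for line in log_lines:
        m = DENIED.search(line)
        if not m:
            continue
        path, host = m.groups()
        resources = resources_by_host.get(host, [])
        if is_exposed(path, resources):
            cause = "exposed in SCC: check ICF activation (SICF) and authorizations (SU53)"
        else:
            parents = [p for p, sub in resources
                       if not sub and path.startswith(p.rstrip("/") + "/")]
            cause = (f"resource {parents[0]} is path-only: sub-paths excluded"
                     if parents else "no SCC resource covers this path")
        findings.append((path, cause))
    return findings
```

Exposing only the sub-tree Web IDE needs, rather than a broad parent path with sub-paths enabled, keeps the SCC resource list close to least privilege.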

 

Connect to NetWeaver ABAP instance running inside Docker

This blog will help you to connect to your SAP NetWeaver ABAP instance running inside a Docker container. For how to get NetWeaver running inside a Docker container, please see my blog Docker for SAP NetWeaver ABAP 7.5x Developer Edition.

SAPGui

Open SAPGui and create a new connection.

Give a name for the connection and click on tab Advanced. I use NPL Docker. Activate expert mode and enter the correct connection string. Check which port Docker maps the message server port to. Inside the container, the port is 3200, and in my case, the external port is 32771. Therefore, the connection string is:

Connection String: conn=/H/localhost/S/32771

Note: the port information is specified when you start the container. As an alternative, you can use Kitematic to see the port mapping.

Save and connect to NetWeaver.

The users and passwords can be found in the readme.html of the extracted SAP NW ABAP 751 download. Standard users are SAP* and Developer.

HTTP Access

You can test if access to your new SAP system is working via HTTP by calling the ping service: http://localhost:32769/sap/public/ping

For this to work, first activate the ping service in SICF.

When you get the response “Server reached.” you can start using the HTTP access.

SAP WebGui

For general WebGui activation, you can see my previous blog “Activation of SAP WebGui”. Here is a short version of this guide. As in the previous HTTP service access, the same procedure must be followed to have access to NPL via WebGui.

Activate the service webgui

To activate the SAP WebGui service, activate the node:

/sap/bc/gui/sap/its/webgui

Activation of public resources

You also need to activate the public service that contains the HTML files (JS, etc):

/sap/public/bc/its

Note

It is not sufficient to only activate the webgui node. The app is using additional resources that are available under /sap/public/bc/its. If this node is not activated, you’ll get an error message when logging in to webgui.

Therefore, for SAP WebGui to load, the node /sap/public/bc/its must be activated too.

Activate the node its and its subnodes. Select Activate Service.

Activate with all sub nodes (second Yes).

Result

After activating these two nodes, access to WebGui should work. To test this, call the URL http://localhost:32769/sap/bc/gui/sap/its/webgui. After logging in, you should see the SAP Menu.

Make logoff really work for Personas

This blog mentions personas, but the problem and solution are the same for any WebGUI scenario: you can log on, but never leave. Some changes were introduced in later NetWeaver ABAP versions, making it impossible to log off without further configuration that ensures the cookies and session are really deleted. The cause is that by default, the logoff ICF service is not active and services like personas do not call the logoff service. You can find more information on this in SAP Note 1777513: WebGUI logoff does not work

Symptom

As an example, I’ll use SAP Screen Personas. Keep in mind the same happens when using WebGui. You log on to Personas and see your main menu: https://server:port/sap/bc/personas

Now you log off and hit F5 to reload the page. And you are logged on automatically. Meaning you were never really logged out of the system. What you want and need is to ensure that logout means logout. The following steps show how to achieve this by configuring the personas service to call the logoff service.

Solution

Logoff service

Transaction: SICF

Make sure the logoff service is active. If not, activate the service. This service is responsible for logging you out and deleting the cookies in the browser.

Personas service

Transaction: SICF

Change the personas service (or webgui service, etc).

Check the logoff settings under “Error Pages” > “Logoff Page”. By default there is no redirect activated, meaning that the logoff service is not called. Because of this you are not logged out and the cookies are not deleted.

Change to edit mode. Activate “Redirect to URL” and set as URL /sap/public/bc/icf/logoff.

Parameter: /sap/public/bc/icf/logoff.

Alternative

The above URL will log you out, but you won’t see any nice page that shows this. It may be an error page (404) or a blank page. To redirect the user back to the personas logon page, use:

Parameter: /sap/public/bc/icf/logoff?redirectURL=/sap/bc/personas.

Save.

Add the change to a request.

Done.

Test

Log on to the system via WebGui and then log off. You should see the logon page next time you try to access a service.
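The manual test above can be backed by checking the Set-Cookie headers of the logoff response, as in this added example that is not part of the original blog. The cookie names MYSAPSSO2 and SAP_SESSIONID_<SID>_<client> are assumed for illustration, and the header values are constructed samples, not captured from a system.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumed session cookie names: MYSAPSSO2 and SAP_SESSIONID_<SID>_<client>.
SESSION_COOKIES = ("MYSAPSSO2", "SAP_SESSIONID_")

# Constructed sample: cookies held by the browser before logoff.
BEFORE = ["MYSAPSSO2", "SAP_SESSIONID_NPL_001", "sap-usercontext"]
# Constructed sample: Set-Cookie headers of a logoff response.
LOGOFF_HEADERS = [
    "MYSAPSSO2=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "SAP_SESSIONID_NPL_001=; path=/; Max-Age=0",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def is_deleted(attrs, now):
    """A cookie is deleted when Max-Age <= 0 or Expires lies in the past."""
    max_age = attrs.get("max-age", "")
    if max_age.lstrip("-").isdigit() and int(max_age) <= 0:
        return True
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= now
    return False


def surviving_session_cookies(before, logoff_headers, now=None):
    """Session cookies the browser still holds after the logoff response."""
    now = now or datetime.now(timezone.utc)
    deleted = {name for name, attrs in map(parse_set_cookie, logoff_headers)
               if is_deleted(attrs, now)}
    return sorted(n for n in before
                  if n.startswith(SESSION_COOKIES) and n not in deleted)
```

An empty result means the logoff response cleared every session cookie; any name returned is a cookie that would log the user back on after F5.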

Initial setup of Personas 3 – 2 – ICF nodes

Personas 3 is a web application. ICF is a pre-requisite. As flavors are based on WebGui, this is also a pre-requisite. For anyone that thinks he can use Personas 3 but not permit usage of WebGui: that's not how it works (but there is the option to run Personas from within SAPGui). As you will need web skills for Personas, your users will use a browser to connect to SAP, and your SAP system must be prepared for this. Also, consider looking at your web landscape for SAP: consider that your users will access Personas 3 through a reverse proxy like Web Dispatcher. Nevertheless, you will have to activate some ICF nodes to be able to use Personas 3.

Activate ICF nodes

  • /default_host/sap/bc/personas
  • /default_host/sap/bc/personas3
  • /default_host/sap/bc/gui/sap/its/webgui

Tx: SICF

Node: default_host/sap/bc/personas

Activate service.

Node: /default_host/sap/bc/personas3

Activate service.

Yes

Node: /default_host/sap/bc/gui/sap/its/webgui

Activate service.

Test

Check the pre-requisites for having a working SAP WebGui installation. Validate that all services needed to run SAP WebGui are up and running. Not sure how to do that? Take a look at my previous blog on how to set up WebGui.

  • Tx: SICF
  • Virtual Host: DEFAULT_HOST
  • Service Path: /sap/bc/gui/sap/its/webgui

Filter

Test service

Result

Working.

Initial setup of ICF

To be able to use SAP NetWeaver ABAP ICF, for instance, to be able to log on via ICF, you need to activate some nodes. Check SAP Note 517484 for more details. Without these nodes activated, you cannot access SAP WebGui. For instance, accessing it via http://nw75.tobias.de:8000/sap/bc/gui/sap/its/webgui gives an error message.

Note: /sap/public/bc should already be active. It was at least in my fresh NW 7.5 installation.

  • Tx: SICF
  • Virtual Host: DEFAULT_HOST
  • Service Path /sap/public/bc/ur

Filter

Activate service

Initial setup of SAP NetWeaver ABAP ICM for HTTP

SAPGui is just one way to access an SAP system. A more and more common way to interact and work with SAP is through a browser. As with all web sites, a web server must handle the browser requests. For SAP NetWeaver ABAP, the web server is ICM. ICM is integrated with NW ABAP, so there is no need to install it as an additional package. The only task to be executed by BASIS is to configure ICM. The first step is to validate that ICM is working and no errors are occurring. For a browser to be able to access NW ABAP through HTTP, ICM must be up and running and listening on an HTTP port. Without this port, no communication from a browser to NW ABAP is possible. To see the configured HTTP port of ICM, you can either look at the profile parameter or use SMICM to see the service information.

Check ICM HTTP Port configuration

  • Tx: SMICM

Goto -> Services

This shows the active services handled by ICM. As you can see, HTTP is just one of several possible services. SMTP is available, as can be telnet too! For each service you can see additional information like host name and port. Port is given as 0. Check the ICM parameters to find out why. Also, take a look at SAP Help about this.

“Default Values AS ABAP

icm/server_port_0 = PROT=HTTP , PORT=0 , TIMEOUT=30 , PROCTIMEOUT=60

Outbound connections across HTTP and SMTP are possible with default values, but no ports for inbound connections are open.”

Configure ICM HTTP Port

Security first. That's how SAP rolls. To allow someone to access your SAP ABAP system via HTTP, you must explicitly activate this. This also gives you a hint as to whether or not SAP sees HTTP-based access in ABAP as an equal citizen compared to SAPGui. To see the (default) parameter used by ICM, select:

Goto -> Parameters -> Display.

This will show you the parameters used by ICM. The ICM server parameters are given by icm/server_port_X.

The default parameter for HTTP is icm/server_port_0. The value for port is PORT=0, with 0 meaning that no incoming communication is possible. A browser won't be able to connect to NW ABAP. You have two options to change this: temporarily or permanently.

Change the HTTP port temporarily

  • Tx: SMICM

Goto -> Services

Select the service: Service -> Change.

In the dialog, enter the new parameters. For port, you can use 8080. Confirm the data to start the service.

This _should_ start the HTTP service using the informed port. In my case – obviously – this did not work.

Change the HTTP port permanently

As the above solution is only a temporary workaround, the error message can be ignored (well, not sure if it is an error message, looks green, OK, and so). To change the profile parameter of ICM, RZ10 is used. This makes the HTTP port change permanent.

  • Tx: RZ10
  • Profile: Default
  • Type: extended maintenance

Select create parameter

Values

  • icm/server_port_0
  • PROT=HTTP,PORT=80$$

Copy the parameter

The comment line changes and includes a change value. Also shows who did the change (blame).

Back at the parameter list, you can now see that the added parameter is listed.

Save the changes to the profile file.

Select yes to activate the new profile.

Confirmation that everything worked.

Note that you'll have to restart your NW ABAP server for the change to take effect.

Restart NW ABAP.

Test ICM HTTP Port

Did it work? How to test it? Easy: take a look at ICM service and access a service using a web browser. First, let's see if ICM is listening on port 80$$ (btw: $$ is the ID).

SMICM

  • Tx: SMICM
  • Path: Goto -> Services

  • ICM is listening on port 8000 for HTTP connections!
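To review which inbound ports a profile opens without logging on to SMICM, the icm/server_port_<n> values can be parsed and the $$ placeholder resolved, as in this added example that is not part of the original blog. The profile text is constructed: the first line is the default quoted above, the HTTPS line is an assumed extra entry, and ports are assumed to be numeric.

```python
import re

# Constructed sample profile. Line 0 is the default quoted above, line 2 is
# the value set in RZ10; the HTTPS line is an assumed extra entry.
SAMPLE_PROFILE = """\
icm/server_port_0 = PROT=HTTP , PORT=0 , TIMEOUT=30 , PROCTIMEOUT=60
icm/server_port_1 = PROT=HTTPS,PORT=443$$
icm/server_port_2 = PROT=HTTP,PORT=80$$
"""

PARAM = re.compile(r"^\s*icm/server_port_(\d+)\s*=\s*(.+)$")


def parse_icm_ports(profile_text, instance_no):
    """Return one dict per icm/server_port_<n> line with the effective port."""
    listeners = []
    for line in profile_text.splitlines():
        m = PARAM.match(line)
        if not m:
            continue
        opts = {}
        for part in m.group(2).split(","):
            if "=" in part:
                key, value = part.split("=", 1)
                opts[key.strip().upper()] = value.strip()
        # "$$" stands for the two-digit ID: 80$$ becomes 8000 for ID 00.
        port = int(opts.get("PORT", "0").replace("$$", f"{int(instance_no):02d}"))
        prot = opts.get("PROT", "").upper()
        listeners.append({
            "index": int(m.group(1)),
            "prot": prot,
            "port": port,
            "inbound": port != 0,  # PORT=0: no port open for inbound connections
            "cleartext": port != 0 and prot == "HTTP",
        })
    return listeners


def cleartext_listeners(profile_text, instance_no):
    """Ports that accept unencrypted HTTP from clients."""
    return [l["port"] for l in parse_icm_ports(profile_text, instance_no)
            if l["cleartext"]]
```

Every port returned by `cleartext_listeners` carries logon data unencrypted, so it is the list to compare against what the network in front of the system actually allows.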

SICF

Very easy to test. Just access an ICF node using your web browser.

Gateway – Activate ICF Services

Gateway exposes services via HTTP, therefore the Gateway services must be activated on the NetWeaver ABAP system. As HTTP services are run by ICF, they are controlled by transaction SICF. The services to be activated for a Gateway system that does not care about compatibility mode for SP02 are

  • /sap/public/opu
  • /sap/opu/odata

More information: SAP Help

These services are activated by activating the corresponding node and all sub elements.

/sap/public/opu

  1. Go to transaction SICF
  2. Execute and navigate to sap/public/opu

  3. Select Activate Service
  4. Select Yes

  5. Node is activated

/sap/opu/odata

  1. Go to transaction SICF

  2. Execute and navigate to sap/opu

  3. Select Activate Service
  4. Select Yes

  5. Node is activated

  6. Make sure that the handler for /sap/opu/odata is /IWFND/CL_SODATA_HTTP_HANDLER