{"id":830,"date":"2024-02-16T21:31:40","date_gmt":"2024-02-16T19:31:40","guid":{"rendered":"https:\/\/1coach.by\/wp\/?page_id=830"},"modified":"2024-02-16T21:51:12","modified_gmt":"2024-02-16T19:51:12","slug":"s4hana-1909","status":"publish","type":"page","link":"https:\/\/1coach.by\/wp\/s4hana-1909\/","title":{"rendered":"S4HANA 1909"},"content":{"rendered":"<table border=\"0\" cellspacing=\"0\">\n<colgroup width=\"128\"><\/colgroup>\n<colgroup width=\"110\"><\/colgroup>\n<colgroup width=\"349\"><\/colgroup>\n<colgroup width=\"179\"><\/colgroup>\n<colgroup width=\"423\"><\/colgroup>\n<colgroup span=\"2\" width=\"118\"><\/colgroup>\n<colgroup width=\"302\"><\/colgroup>\n<colgroup span=\"3\" width=\"412\"><\/colgroup>\n<tbody>\n<tr>\n<td align=\"center\" valign=\"middle\" bgcolor=\"#404040\" height=\"42\"><b><span style=\"color: #ffffff;\">Area<\/span><\/b><\/td>\n<td align=\"center\" valign=\"middle\" bgcolor=\"#404040\"><b><span style=\"color: #ffffff;\">Type of setting<\/span><\/b><\/td>\n<td align=\"center\" valign=\"middle\" bgcolor=\"#404040\"><b><span style=\"color: #ffffff;\">Name<\/span><\/b><\/td>\n<td align=\"center\" valign=\"middle\" bgcolor=\"#404040\"><b><span style=\"color: #ffffff;\">Storage<\/span><\/b><\/td>\n<td align=\"center\" valign=\"middle\" bgcolor=\"#404040\"><b><span style=\"color: #ffffff;\">Description<\/span><\/b><\/td>\n<td align=\"center\" valign=\"middle\" bgcolor=\"#404040\"><b><span style=\"color: #ffffff;\">Relevant SAP Note<\/span><\/b><\/td>\n<td align=\"center\" valign=\"middle\" bgcolor=\"#404040\"><b><span style=\"color: #ffffff;\">SAP Note URL<\/span><\/b><\/td>\n<td align=\"center\" valign=\"middle\" bgcolor=\"#404040\"><b><span style=\"color: #ffffff;\">New recommended value<\/span><\/b><\/td>\n<td align=\"center\" valign=\"middle\" bgcolor=\"#404040\"><b><span style=\"color: #ffffff;\">Impact to operations<\/span><\/b><\/td>\n<td align=\"center\" valign=\"middle\" bgcolor=\"#404040\"><b><span style=\"color: 
#ffffff;\">Mitigation of impact<\/span><\/b><\/td>\n<td align=\"center\" valign=\"middle\" bgcolor=\"#404040\"><b><span style=\"color: #ffffff;\">Revert back method<\/span><\/b><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"154\"><span style=\"color: #000000;\">Authorizations<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Profile parameter<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">auth\/check\/calltransaction<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/td>\n<td align=\"left\" valign=\"middle\">Behavior of authority check during call transaction: Controls how CALL TRANSACTION statements in all programs react regarding missing entries in SE97 \/ table TCDCOUPLES. If not set to 3, authorization checks are not properly enforced.<\/td>\n<td align=\"center\" valign=\"middle\">515130<\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\"><a href=\"https:\/\/me.sap.com\/notes\/515130\">515130<\/a><\/span><\/u><\/td>\n<td align=\"center\" valign=\"middle\"><span style=\"color: #000000;\">3<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">In special cases, &#8220;jumps&#8221; from within one transaction into another may fail due to missing authorizations.<\/span><\/td>\n<td align=\"left\" valign=\"middle\">In case transactions cannot be started from other transactions, add relevant transactions to the role menu of relevant roles. 
This will add necessary authorizations automatically.<br \/>\nIn case authorization check should not be executed if a transaction is called from another transaction, maintain relevant entries in transaction SE97.<br \/>\nEntries in transaction SE97 only need to be maintained in case necessary, no \u201cpreventive\u201d maintenance required.<\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Comment out profile parameter or set to value 2 (kernel default).<\/span><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"77\"><span style=\"color: #000000;\">Authorizations<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Profile parameter<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">auth\/object_disabling_active<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/td>\n<td align=\"left\" valign=\"middle\">Enables to globally switch off authorization checks for selected authorization objects (prerequisite for transaction AUTH_SWITCH_OBJECTS). If not set to &#8220;N&#8221;, a global deactivation would be possible.<\/td>\n<td align=\"center\" valign=\"middle\">2926224<\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\"><a href=\"https:\/\/me.sap.com\/notes\/2926224\">2926224<\/a><\/span><\/u><\/td>\n<td align=\"center\" valign=\"middle\"><span style=\"color: #000000;\">N<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">The disabling of authorization objects is strictly forbidden. 
This feature can no longer be used during operations.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\"> &#8211; <\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Comment out profile parameter or set to value Y (kernel default).<\/span><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"96\"><span style=\"color: #000000;\">Authorizations<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Profile parameter<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">auth\/rfc_authority_check<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/td>\n<td align=\"left\" valign=\"middle\">Execution option for the RFC authority check: Controls the behavior of enforced authentication and authorization checks when RFC function modules are called from remote. If not set to 6, an information disclosure vulnerability exists for unauthenticated users.<\/td>\n<td align=\"center\" valign=\"middle\">2216306<\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\"><a href=\"https:\/\/me.sap.com\/notes\/2216306\">2216306<\/a><\/span><\/u><\/td>\n<td align=\"center\" valign=\"middle\"><span style=\"color: #000000;\">6<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">In certain cases, dumps may occur in the system where interfaces try to retrieve information without authentication. 
In transaction SM59, when calling certain functions like &#8220;Unicode test&#8221; for a destination without a user, a logon will be prompted.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Grant S_RFC authorization object for function group &#8220;SRFC&#8221; to affected interface users and administrative staff.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Comment out profile parameter or set to value 1 (kernel default).<\/span><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"77\"><span style=\"color: #000000;\">Server infrastructure<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Profile parameter<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">gw\/reg_no_conn_info<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/td>\n<td align=\"left\" valign=\"middle\">Specific security-related additional functions for the RFC gateway are activated depending on which bits are set in this bitmask. If not set to 255, not all security checks may be properly enforced in the RFC gateway.<\/td>\n<td align=\"center\" valign=\"middle\">2776748<\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\"><a href=\"https:\/\/me.sap.com\/notes\/2776748\">2776748<\/a><\/span><\/u><\/td>\n<td align=\"center\" valign=\"middle\"><span style=\"color: #000000;\">255<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">In very rare situations, connects from 3rd party systems to the RFC gateway may fail. 
This will then affect interfaces requiring the 3rd party service.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Debug failure scenario and ask vendor of 3rd party interface to improve RFC gateway connection mechanism.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Comment out profile parameter or set to value 1 (kernel default).<\/span><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"77\"><span style=\"color: #000000;\">Server infrastructure<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Profile parameter<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">gw\/rem_start<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/td>\n<td align=\"left\" valign=\"middle\">This setting specifies with which method an RFC server might be started on OS level from an external endpoint. If not set to &#8220;DISABLED&#8221;, attempts to utilize an improper or even insecure OS logon method (like RSH) might be possible.<\/td>\n<td align=\"center\" valign=\"middle\">2776748<\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\"><a href=\"https:\/\/me.sap.com\/notes\/2776748\">2776748<\/a><\/span><\/u><\/td>\n<td align=\"center\" valign=\"middle\"><span style=\"color: #000000;\">DISABLED<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">In very rare situations, connects from 3rd party systems to the RFC gateway may fail. 
This will then affect interfaces requiring the 3rd party service.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Debug failure scenario and ask vendor of 3rd party interface to improve RFC gateway connection mechanism.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Comment out profile parameter.<\/span><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"58\"><span style=\"color: #000000;\">Logon &amp; SSO<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Profile parameter<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">icf\/set_HTTPonly_flag_on_cookies<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/td>\n<td align=\"left\" valign=\"middle\">This parameter is used to set the attribute HTTPonly for ICF cookies. If not set to 0, javascript code running in the browser may inappropriately access sensitive cookies.<\/td>\n<td align=\"center\" valign=\"middle\">1277022<\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\"><a href=\"https:\/\/me.sap.com\/notes\/1277022\">1277022<\/a><\/span><\/u><\/td>\n<td align=\"center\" valign=\"middle\"><span style=\"color: #000000;\">0<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Custom coding may intentionally utilize access to cookies for application operation. 
Such access will be blocked, possibly disrupting a seamless user experience.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Change coding of the application to not make use of ICF cookie access from within javascript.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Comment out profile parameter or set to value 3 (kernel default).<\/span><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"77\"><span style=\"color: #000000;\">Monitoring &amp; Logging<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Profile parameter<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">icm\/HTTP\/logging_0<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/td>\n<td align=\"left\" valign=\"middle\">An access log can be created with this parameter in which accesses from the Intranet and Internet are logged. If not set properly, important information may be missing in logs.<\/td>\n<td align=\"center\" valign=\"middle\">2788140<\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\"><a href=\"https:\/\/me.sap.com\/notes\/2788140\">2788140<\/a><\/span><\/u><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">PREFIX=\/,LOGFILE=http_%y_%m.log,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month, LOGFORMAT=%t %a %u1 \\&#8221;%r\\&#8221; %s %b %Lms %{Host}i %w1 %w2<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Logging functions will be enabled\/enhanced. No impact other than disk space consumption is expected. However, if a SIEM system is active that consumes log entries, the corresponding interface may be impacted.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Monitor disk space properly. 
Adapt SIEM log consumer.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Comment out profile parameter.<\/span><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"77\"><span style=\"color: #000000;\">Monitoring &amp; Logging<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Profile parameter<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">icm\/HTTP\/logging_client_0<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/td>\n<td align=\"left\" valign=\"middle\">An access log can be created with this parameter in which outgoing ICM calls to the Intranet and Internet are logged. If not set properly, important information may be missing in logs.<\/td>\n<td align=\"center\" valign=\"middle\">2788140<\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\"><a href=\"https:\/\/me.sap.com\/notes\/2788140\">2788140<\/a><\/span><\/u><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">PREFIX=\/,LOGFILE=http_client_%y_%m.log,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month, LOGFORMAT=%t %a %u1 \\&#8221;%r\\&#8221; %s %b %Lms %{Host}i<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Logging functions will be enabled\/enhanced. No impact other than disk space consumption is expected. However, if a SIEM system is active that consumes log entries, the corresponding interface may be impacted.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Monitor disk space properly. 
Adapt SIEM log consumer.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Comment out profile parameter.<\/span><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"77\"><span style=\"color: #000000;\">Monitoring &amp; Logging<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Profile parameter<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">icm\/security_log<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/td>\n<td align=\"left\" valign=\"middle\">This parameter is used to control the output of the security log from the ICM and SAP Web Dispatcher. If not set properly, important information may be missing in logs.<\/td>\n<td align=\"center\" valign=\"middle\">2788140<\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\"><a href=\"https:\/\/me.sap.com\/notes\/2788140\">2788140<\/a><\/span><\/u><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">LOGFILE=dev_icm_sec_%y_%m,LEVEL=3,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Logging functions will be enabled\/enhanced. No impact other than disk space consumption is expected. However, if a SIEM system is active that consumes log entries, the corresponding interface may be impacted.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Monitor disk space properly. 
Adapt SIEM log consumer.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Comment out profile parameter.<\/span><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"58\"><span style=\"color: #000000;\">Logon &amp; SSO<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Profile parameter<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">login\/disable_cpic<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/td>\n<td align=\"left\" valign=\"middle\">If this parameter is not set to 1, incoming connections of the type CPIC are not rejected. Incoming connections of the type RFC are not affected.<\/td>\n<td align=\"center\" valign=\"middle\">2926224<\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\"><a href=\"https:\/\/me.sap.com\/notes\/2926224\">2926224<\/a><\/span><\/u><\/td>\n<td align=\"center\" valign=\"middle\"><span style=\"color: #000000;\">1<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Pure, native CPIC communication (which is obsolete) will no longer work.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Change old CPIC interfaces to properly make use of standard RFC calls.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Comment out profile parameter or set to value 0 (kernel default).<\/span><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"96\"><span style=\"color: #000000;\">Logon &amp; SSO<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Profile parameter<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">login\/password_downwards_compatibility<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/td>\n<td 
align=\"left\" valign=\"middle\">This parameter is used to control whether the system stores password hashes also in an obsolete, outdated format for compatibility reasons. If not set to 0, outdated hashes will be maintained that can be easily cracked by adversaries that are able to access the password hash storage tables.<\/td>\n<td align=\"center\" valign=\"middle\">1023437<\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\"><a href=\"https:\/\/me.sap.com\/notes\/1023437\">1023437<\/a><\/span><\/u><\/td>\n<td align=\"center\" valign=\"middle\"><span style=\"color: #000000;\">0<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">When running a central user administration (CUA) still making use of outdated hashes, the CUA central system has to implement the same technique. If this is not done properly, user password distribution and logon may fail.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Handle CUA system first. Set the profile parameter to value 3 and observe system behavior in the system log, set new complex password for affected users. 
<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Comment out profile parameter or set to value 1 (kernel default).<\/span><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"77\"><span style=\"color: #000000;\">Logon &amp; SSO<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Profile parameter<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">login\/password_hash_algorithm<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/td>\n<td align=\"left\" valign=\"middle\">The hash value calculation can be improved with this parameter to make dictionary and brute force attacks more difficult.<\/td>\n<td align=\"center\" valign=\"middle\">2140269<\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\"><a href=\"https:\/\/me.sap.com\/notes\/2140269\">2140269<\/a><\/span><\/u><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">encoding=RFC2307, algorithm=iSSHA-512, iterations=15000, saltsize=256<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">When running a central user administration (CUA), the CUA central system has to implement the same technique. If this is not done properly, user password distribution and logon may fail.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Handle CUA system first. 
<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Comment out profile parameter.<\/span><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"96\"><span style=\"color: #000000;\">Monitoring &amp; Logging<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Profile parameter<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">ms\/HTTP\/logging_0<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/td>\n<td align=\"left\" valign=\"middle\">This parameter is used to control the output of the log from the message server. If not set properly, important information may be missing in logs.<\/td>\n<td align=\"center\" valign=\"middle\">2794817<\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\"><a href=\"https:\/\/me.sap.com\/notes\/2794817\">2794817<\/a><\/span><\/u><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">PREFIX=\/,LOGFILE=$(DIR_LOGGING)\/ms-http-%y-%m-%d.log%o,MAXFILES=7,MAXSIZEKB=10000,SWITCHTF=day,LOGFORMAT=%t %a %u %r %s %b %{Host}i<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Logging functions will be enabled\/enhanced. No impact other than disk space consumption is expected. However, if a SIEM system is active that consumes log entries, the corresponding interface may be impacted.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Monitor disk space properly. 
Adapt SIEM log consumer.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Comment out profile parameter.<\/span><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"77\"><span style=\"color: #000000;\">Monitoring &amp; Logging<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Profile parameter<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">ms\/http_logging<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/td>\n<td align=\"left\" valign=\"middle\">This parameter is used to activate the log from the message server. If not set properly, important information may be missing in logs.<\/td>\n<td align=\"center\" valign=\"middle\">2794817<\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\"><a href=\"https:\/\/me.sap.com\/notes\/2794817\">2794817<\/a><\/span><\/u><\/td>\n<td align=\"center\" valign=\"middle\"><span style=\"color: #000000;\">1<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Logging functions will be enabled\/enhanced. No impact other than disk space consumption is expected. However, if a SIEM system is active that consumes log entries, the corresponding interface may be impacted.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Monitor disk space properly. 
Adapt SIEM log consumer.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Comment out profile parameter or set to value 0 (kernel default).<\/span><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"58\"><span style=\"color: #000000;\">Logon &amp; SSO<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Profile parameter<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">rdisp\/gui_auto_logout<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/td>\n<td align=\"left\" valign=\"middle\">Automatic user logoff after inactivity time is controlled with this setting. If not set, no auto logout will occur, making access to applications by improper personnel more likely.<\/td>\n<td align=\"center\" valign=\"middle\">&#8211;<\/td>\n<td align=\"center\" valign=\"middle\">&#8211;<\/td>\n<td align=\"center\" valign=\"middle\"><span style=\"color: #000000;\">1H<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Dialog users will be logged off after one hour of inactivity. 
This may impact long running processes that are run in the foreground.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Create background jobs for long running processes.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Comment out profile parameter or set to value 0 (kernel default).<\/span><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"96\"><span style=\"color: #000000;\">Business data integrity<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Profile parameter<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">rdisp\/vbdelete<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/td>\n<td align=\"left\" valign=\"middle\">The parameter specifies the duration in days, after which an update request is deleted. At the end of this period, the update requests are deleted irrespective of their status. 
If the parameter is not set to 0, update requests that are still required by the business to ensure the integrity of the data could potentially be deleted.<\/td>\n<td align=\"center\" valign=\"middle\">2441606<\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\"><a href=\"https:\/\/me.sap.com\/notes\/2441606\">2441606<\/a><\/span><\/u><\/td>\n<td align=\"center\" valign=\"middle\"><span style=\"color: #000000;\">0<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Broken update requests may pile up and slow down the system in the end if not handled in a timely manner.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Clean up update requests in SM13 frequently and adapt application \/ system setup to avoid updater issues.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Comment out profile parameter or set to value 50 (kernel default).<\/span><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"77\"><span style=\"color: #000000;\">RFC interface<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Profile parameter<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">rfc\/callback_security_method<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/td>\n<td align=\"left\" valign=\"middle\">Permit or deny execution of RFC callbacks in accordance with configured allowlist and write corresponding entry in Security Audit Log. 
If not set to 3, improper RFC callback attempts are still allowed.<\/td>\n<td align=\"center\" valign=\"middle\">2678501<\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\"><a href=\"https:\/\/me.sap.com\/notes\/2678501\">2678501<\/a><\/span><\/u><\/td>\n<td align=\"center\" valign=\"middle\"><span style=\"color: #000000;\">3<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Intended RFC callbacks (e.g. executed by custom coding) that are not properly covered by RFC callback allowlisting in SM59 of calling system (which receives the callback) will be denied. This then leads to dumps and application disruption.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Monitor RFC callback attempts in Security Audit Log (SM19 \/ RSAU_CONFIG) and maintain allowlist in SM59 on affected destinations.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Comment out profile parameter or set to value 1 (kernel default).<\/span><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"58\"><s><span style=\"color: #000000;\">RFC interface<\/span><\/s><\/td>\n<td align=\"left\" valign=\"middle\"><s><span style=\"color: #000000;\">Profile parameter<\/span><\/s><\/td>\n<td align=\"left\" valign=\"middle\"><s><span style=\"color: #000000;\">rfc\/ext_debugging<\/p>\n<p>Parameter was removed, refer to SAP Note 2909642<\/span><\/s><\/td>\n<td align=\"left\" valign=\"middle\"><s><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/s><\/td>\n<td align=\"left\" valign=\"middle\"><s>Activate external (HTTP) debugging for RFC. 
If not set to 0, debugging is possible.<\/s><\/td>\n<td align=\"center\" valign=\"middle\"><s>668256<\/s><\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\">\u00a0<\/span><\/u><\/td>\n<td align=\"center\" valign=\"middle\"><s><span style=\"color: #000000;\">0<\/span><\/s><\/td>\n<td align=\"left\" valign=\"middle\"><s><span style=\"color: #000000;\">RFC debugging is fully disabled.<\/span><\/s><\/td>\n<td align=\"left\" valign=\"middle\"><s><span style=\"color: #000000;\">This is a dynamic parameter, if debugging is required, it can be enabled (transaction RZ11).<\/span><\/s><\/td>\n<td align=\"left\" valign=\"middle\"><s><span style=\"color: #000000;\">Comment out profile parameter or set to value 3 (kernel default).<\/span><\/s><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"58\"><span style=\"color: #000000;\">Logon &amp; SSO<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Profile parameter<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">rfc\/reject_expired_passwd<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/td>\n<td align=\"left\" valign=\"middle\">Controls whether logon with expired or initial password via RFC is allowed or not. If not set to 1, users with a non-productive password are able to remotely call RFC function modules.<\/td>\n<td align=\"center\" valign=\"middle\">2579165<br \/>\n1591259<\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\"><a href=\"https:\/\/me.sap.com\/notes\/2579165\">2579165<\/a><\/span><\/u><\/td>\n<td align=\"center\" valign=\"middle\"><span style=\"color: #000000;\">1<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Handling of password setup and expiry for technical users may be impacted. 
Interfaces may stop working if passwords are expired or initial.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Check password status in transaction SUIM, refresh affected passwords\/users.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Comment out profile parameter or set to value 0 (kernel default).<\/span><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"77\"><span style=\"color: #000000;\">Monitoring &amp; Logging<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Profile parameter<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">wdisp\/add_xforwardedfor_header<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">DEFAULT.PFL<\/span><\/td>\n<td align=\"left\" valign=\"middle\">Enables the inclusion of the client IP address the HTTP X-Forwarded-For header. If not set to &#8220;TRUE&#8221;, the client IP address will not be added, making the determination of request routes for applications harder and reducing useful log information.<\/td>\n<td align=\"center\" valign=\"middle\">2788140<\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\"><a href=\"https:\/\/me.sap.com\/notes\/2788140\">2788140<\/a><\/span><\/u><\/td>\n<td align=\"center\" valign=\"middle\"><span style=\"color: #000000;\">TRUE<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">None.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\"> &#8211; <\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Comment out profile parameter or set to value &#8220;FALSE&#8221; (kernel default).<\/span><\/td>\n<\/tr>\n<tr>\n<td align=\"left\" valign=\"middle\" height=\"77\"><span style=\"color: #000000;\">Monitoring &amp; Logging<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: 
#000000;\">Customizing<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Security Audit Log configuration<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">RSAU_CONFIG<\/span><\/td>\n<td align=\"left\" valign=\"middle\">Configures an initial setup of the Security Audit Log. If not configured, the Security Audit Log will not record any security events.<\/td>\n<td align=\"center\" valign=\"middle\">2838480<\/td>\n<td align=\"center\" valign=\"middle\"><u><span style=\"color: #0000ff;\"><a href=\"https:\/\/me.sap.com\/notes\/2838480\">2838480<\/a><\/span><\/u><\/td>\n<td align=\"center\" valign=\"middle\"><span style=\"color: #000000;\">If the Security Audit Log does not contain any active filters, recommended filter settings as of SAP Note 2676384 are set up.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Logging functions will be enabled\/enhanced. No impact other than disk space consumption is expected. However, if a SIEM system is active that consumes log entries, the corresponding interface may be impacted.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Monitor disk space properly. Adapt SIEM log consumer.<\/span><\/td>\n<td align=\"left\" valign=\"middle\"><span style=\"color: #000000;\">Delete new filter configuration in transaction RSAU_CONFIG.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Area Type of setting Name Storage Description Relevant SAP Note SAP Note URL New recommended value Impact to operations Mitigation of impact Revert back method Authorizations Profile parameter auth\/check\/calltransaction DEFAULT.PFL Behavior of authority check during call transaction: Controls how CALL TRANSACTION statements in all programs react regarding missing entries in SE97 \/ table TCDCOUPLES. 
If &hellip; <\/p>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"elementor_header_footer","meta":{"telegram_tosend":false,"telegram_tosend_message":"","telegram_tosend_target":0,"footnotes":""},"_links":{"self":[{"href":"https:\/\/1coach.by\/wp\/wp-json\/wp\/v2\/pages\/830"}],"collection":[{"href":"https:\/\/1coach.by\/wp\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/1coach.by\/wp\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/1coach.by\/wp\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/1coach.by\/wp\/wp-json\/wp\/v2\/comments?post=830"}],"version-history":[{"count":2,"href":"https:\/\/1coach.by\/wp\/wp-json\/wp\/v2\/pages\/830\/revisions"}],"predecessor-version":[{"id":838,"href":"https:\/\/1coach.by\/wp\/wp-json\/wp\/v2\/pages\/830\/revisions\/838"}],"wp:attachment":[{"href":"https:\/\/1coach.by\/wp\/wp-json\/wp\/v2\/media?parent=830"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}