Unauthorized remote access to our system?

Question: Hi everyone.

I logged onto our 4.7 IDES non-production development system this morning (we are not a "production" user of SAP, rather an SAP middleware product company and thus only use a single IDES system for our development/testing. yes we have a valid license, etc, and actually have 4.6 IDES, 4.7 IDES, 5.0 IDES, and 6.0 IDES), running on NT/Oracle.

I haven't logged in for a few days and received a very strange "pke certificate is only valid for 4 days" or something type message after the login (did not take note of it and it did not come up again the next time I logged in).

Anyways, to get to my question, the message did say to refer to SM21 for more information, which I did, and I was very surprised to see the results.

I see 2 users on my system that I have no idea who they are, and a whole bunch of "gethostbyname" operating system calls failing, along with various others (looks like some access to the IDES provided training/case study tables SCARR, SPFLI), and a "Failed to activate authorization check for user HAMED" as well (no idea who this user is).

My apologies for the long cut/paste below (will do this immediately following in a second post), but I would assume this would be of interest.

I have checked USR02 to see if anyone has explicitly logged in, and no one has by the 2 user names in question (HERRMANNSPAH, HAMED). I have checked our VPN router, which the SAP system sits behind, and no unauthorized access there.

One more quick piece of info: as we are a small company in the middleware space, we do not have a dedicated Basis resource, I have built our IDES systems and know enough to "keep us going", so am quite lost with this one.

Thus, my knowledge may not be enough to make assumptions, but it sure looks like someone from SAP has remotely accessed our system by accident, or worse yet, someone NOT from SAP accessing our system on purpose.

Any suggestions/feedback? I have locked these user IDs in the meantime, but am now very leery about all the existing user IDs in our system that came with the IDES version, and obviously very worried about any unauthorized system access, especially since this is behind our VPN/firewall.

Thanks in advance,
Greg

Answer:
Here is an excerpt from the SM21 log:

|00:00:16|BTC| 9|000|SAPSYS | |EBF|Failed to activate authorization check for user D001571 |
|00:00:16|BTC| 9|000|SAPSYS | |D01|Transaction Canceled 00 560 ( D001571 800 ) |
|00:00:16|BTC| 9|000|SAPSYS | |R68|Perform rollback |
|03:01:05|DIA| 1|000|SAPSYS | |PM4|Validity of certificate from list with PSE type >SystemPSE< ends in 3 days |
|03:01:05|DIA| 1|000|SAPSYS | |PM4|Validity of certificate from list with PSE type >SystemPSE< ends in 21 days |
|08:01:20|BTC| 9|000|SAPSYS | |EBF|Failed to activate authorization check for user HIRT |
|08:01:20|BTC| 9|000|SAPSYS | |D01|Transaction Canceled 00 560 ( HIRT 800 ) |
|08:01:20|BTC| 9|000|SAPSYS | |R68|Perform rollback |
|12:43:19|BTC| 9|000|DDIC | |Q0I|Operating system call getservbyname failed (error no. 0 ) |
|12:43:19|BTC| 9|000|DDIC | |Q0A|Service sapmsCMP not known |
|12:43:20|BTC| 9|000|DDIC | |Q0I|Operating system call gethostbyname failed (error no. 0 ) |
|12:43:20|BTC| 9|000|DDIC | |Q09|Host name cmpmain.wdf.sap.corp not known |
|12:43:20|RD | | |DDIC | |Q0I|Operating system call gethostbyname failed (error no. 0 ) |
|12:43:20|RD | | |DDIC | |Q09|Host name cmpmain.wdf.sap.corp not known |
|12:43:20|RD | | |DDIC | |Q0I|Operating system call gethostbyname failed (error no. 0 ) |
|12:43:20|RD | | |DDIC | |Q09|Host name cmpmain.wdf.sap.corp not known |
|12:43:20|BTC| 9|000|DDIC | |R49|Communication error, CPIC return code 020, SAP return code 497 |
|12:43:20|BTC| 9|000|DDIC | |R64|> CPI-C function: CMINIT(SAP) |
|12:43:23|BTC| 9|000|DDIC | |Q0I|Operating system call gethostbyname failed (error no. 0 ) |
|12:43:23|BTC| 9|000|DDIC | |Q09|Host name cmpmain.wdf.sap.corp not known |
|12:43:23|RD | | |DDIC | |Q0I|Operating system call gethostbyname failed (error no. 0 ) |
|12:43:23|RD | | |DDIC | |Q09|Host name cmpmain.wdf.sap.corp not known |
|12:43:23|RD | | |DDIC | |Q0I|Operating system call gethostbyname failed (error no. 0 ) |
|12:43:23|RD | | |DDIC | |Q09|Host name cmpmain.wdf.sap.corp not known |
|12:43:23|BTC| 9|000|DDIC | |R49|Communication error, CPIC return code 020, SAP return code 497 |
|12:43:23|BTC| 9|000|DDIC | |R64|> CPI-C function: CMINIT(SAP) |
|12:43:23|BTC| 9|000|DDIC | |Q0I|Operating system call gethostbyname failed (error no. 0 ) |
|12:43:23|BTC| 9|000|DDIC | |Q09|Host name cmpmain.wdf.sap.corp not known |
|12:43:23|RD | | |DDIC | |Q0I|Operating system call gethostbyname failed (error no. 0 ) |
|12:43:23|RD | | |DDIC | |Q09|Host name cmpmain.wdf.sap.corp not known |
|12:43:23|RD | | |DDIC | |Q0I|Operating system call gethostbyname failed (error no. 0 ) |
|12:43:23|RD | | |DDIC | |Q09|Host name cmpmain.wdf.sap.corp not known |
|12:43:23|BTC| 9|000|DDIC | |R49|Communication error, CPIC return code 020, SAP return code 497 |
|12:43:23|BTC| 9|000|DDIC | |R64|> CPI-C function: CMINIT(SAP) |
|14:01:20|BTC|10|800|HERRMANNSPAH| |R0P|Entries in the number range buffer were deleted (count: 1 ) |
|14:01:20|BTC|10|800|HERRMANNSPAH| |R0P|Entries in the number range buffer were deleted (count: 1 ) |
|14:01:20|BTC|10|800|HERRMANNSPAH| |R0P|Entries in the number range buffer were deleted (count: 1 ) |
|14:01:21|BTC|10|800|HERRMANNSPAH| |R0P|Entries in the number range buffer were deleted (count: 1 ) |
|14:01:21|BTC|10|800|HERRMANNSPAH| |R0P|Entries in the number range buffer were deleted (count: 1 ) |
|14:01:21|BTC|10|800|HERRMANNSPAH| |BBC|Nametab-Inconsistency for Table SCARR regarding buffering of database views |
|14:01:24|BTC|10|800|HERRMANNSPAH| |BBC|Nametab-Inconsistency for Table SPFLI regarding buffering of database views |
|14:01:46|BTC|10|800|HERRMANNSPAH| |BBC|Nametab-Inconsistency for Table SCARR regarding buffering of database views |
|14:01:52|BTC|10|800|HERRMANNSPAH| |BBC|Nametab-Inconsistency for Table SPFLI regarding buffering of database views |
|15:15:22|DIA| 1|000|SAPSYS | |EEA|OPERATION MODES: Switch to operation mode Normalbetrieb triggered |
|22:01:22|BTC|10|000|DDIC | |Q0I|Operating system call getservbyname failed (error no. 0 ) |
|22:01:22|BTC|10|000|DDIC | |Q0A|Service sapmsCMP not known |
|22:01:23|BTC|10|000|DDIC | |Q0I|Operating system call gethostbyname failed (error no. 0 ) |
|22:01:23|BTC|10|000|DDIC | |Q09|Host name cmpmain.wdf.sap.corp not known |
|22:01:23|RD | | |DDIC | |Q0I|Operating system call gethostbyname failed (error no. 0 ) |
|22:01:23|RD | | |DDIC | |Q09|Host name cmpmain.wdf.sap.corp not known |
|22:01:23|RD | | |DDIC | |Q0I|Operating system call gethostbyname failed (error no. 0 ) |
|22:01:23|RD | | |DDIC | |Q09|Host name cmpmain.wdf.sap.corp not known |
|22:01:23|BTC|10|000|DDIC | |R49|Communication error, CPIC return code 020, SAP return code 497 |
|22:01:23|BTC|10|000|DDIC | |R64|> CPI-C function: CMINIT(SAP) |
|22:01:27|BTC|10|000|DDIC | |Q0I|Operating system call gethostbyname failed (error no. 0 ) |
|22:01:27|BTC|10|000|DDIC | |Q09|Host name cmpmain.wdf.sap.corp not known |
, etc, etc, etc....there are a number of pages for the past few days very similar.

Thanks again,

Cheers,
greg
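As an added example (not code from this thread, from SapFans or from SAP): a small Python triage script that parses SM21 lines in the pipe-delimited layout pasted above and separates the three things the replies discuss: user IDs that are not on your own expected list (and in which task type and client they were active), authorization-check failures, and the hostnames and services the system tried and failed to resolve, flagging any host that lies outside your own DNS domains. The sample lines are a constructed subset in the same layout as the excerpt; `EXPECTED_USERS`, `OWN_DOMAINS` and the user `GREG` are assumptions standing in for the poster's real values.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the same pipe-delimited layout as the SM21 excerpt above
# (time | task type | work process | client | user | unused | message id | text).
SAMPLE_SM21 = """\
|00:00:16|BTC| 9|000|SAPSYS | |EBF|Failed to activate authorization check for user D001571 |
|00:00:16|BTC| 9|000|SAPSYS | |D01|Transaction Canceled 00 560 ( D001571 800 ) |
|12:43:19|BTC| 9|000|DDIC | |Q0I|Operating system call getservbyname failed (error no. 0 ) |
|12:43:19|BTC| 9|000|DDIC | |Q0A|Service sapmsCMP not known |
|12:43:20|BTC| 9|000|DDIC | |Q09|Host name cmpmain.wdf.sap.corp not known |
|12:43:20|RD | | |DDIC | |Q09|Host name cmpmain.wdf.sap.corp not known |
|14:01:20|BTC|10|800|HERRMANNSPAH| |R0P|Entries in the number range buffer were deleted (count: 1 ) |
|14:01:21|BTC|10|800|HERRMANNSPAH| |BBC|Nametab-Inconsistency for Table SCARR regarding buffering of database views |
|15:15:22|DIA| 1|000|SAPSYS | |EEA|OPERATION MODES: Switch to operation mode Normalbetrieb triggered |
, etc, etc, etc....there are a number of pages for the past few days very similar.
"""

# Assumptions: the IDs you expect to be active on the box (GREG stands in for the
# poster's own user) and the DNS domains that belong to your own network.
EXPECTED_USERS = {"SAPSYS", "DDIC", "SAP*", "WF-BATCH", "GREG"}
OWN_DOMAINS = ("example.internal",)

AUTH_FAIL_RE = re.compile(r"authorization check for user (\S+)")
HOST_RE = re.compile(r"Host name (\S+) not known")
SERVICE_RE = re.compile(r"Service (\S+) not known")
TIME_RE = re.compile(r"\d{2}:\d{2}:\d{2}")


@dataclass(frozen=True)
class Sm21Entry:
    time: str
    task: str
    client: str
    user: str
    msg_id: str
    text: str


def parse_sm21_line(line):
    """Parse one SM21 line; return None for lines that are not log entries."""
    body = line.strip().strip("|")
    # At most 8 fields; the message text may itself contain a '|'.
    parts = [p.strip() for p in body.split("|", 7)]
    if len(parts) != 8 or not TIME_RE.fullmatch(parts[0]):
        return None
    time, task, _wp, client, user, _unused, msg_id, text = parts
    return Sm21Entry(time, task, client, user, msg_id, text)


def in_own_domain(host, own_domains):
    """True if host equals or is a subdomain of one of own_domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in map(str.lower, own_domains))


def triage(lines, expected_users, own_domains):
    """Summarise the entries a defender wants to look at first."""
    entries = [e for e in map(parse_sm21_line, lines) if e is not None]
    hosts, services, auth_failures = Counter(), Counter(), set()
    for e in entries:
        if m := HOST_RE.search(e.text):
            hosts[m.group(1)] += 1
        if m := SERVICE_RE.search(e.text):
            services[m.group(1)] += 1
        if m := AUTH_FAIL_RE.search(e.text):
            auth_failures.add(m.group(1))
    unexpected = [e for e in entries if e.user and e.user not in expected_users]
    return {
        "entries": len(entries),
        "unexpected_users": sorted({e.user for e in unexpected}),
        # (user, task type, client) tells you whether it was a batch job, a dialog
        # login or the reader process, and in which client it ran.
        "unexpected_user_activity": Counter((e.user, e.task, e.client) for e in unexpected),
        "auth_failures": sorted(auth_failures),
        "unresolved_hosts": dict(hosts),
        "unresolved_services": dict(services),
        "external_host_lookups": sorted(h for h in hosts if not in_own_domain(h, own_domains)),
    }


def triage_sample():
    return triage(SAMPLE_SM21.splitlines(), EXPECTED_USERS, OWN_DOMAINS)


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
```

Run against the excerpt, the interesting output is `unexpected_user_activity`: every HERRMANNSPAH entry is task type BTC in client 800, which is why a later reply sends you to SM37 for scheduled jobs rather than to a logon trace. `external_host_lookups` lists cmpmain.wdf.sap.corp because it is not in your own domains; an RFC destination or batch job that keeps trying to reach a host you do not own is what to look for in SM59 and SM37. Pair this with the SM19/SM20 audit log suggested below, which records the terminal/IP of actual logons, something SM21 does not show here.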

Answer:
Have you opened your system to SAP support via saprouter?
_________________
SapFans Moderator
NetWeaver ‘04–SAP Web AS for ORACLE certified

Search: /forums/search.php
SAP Notes: http://service.sap.com/notes
SAP Help: http://help.sap.com
Basic Rules: /forums/viewtopic.php?t=222759

Answer:
I could recommend reading note 572035 and following the mentioned notes backward - but not sure this is meant for IDES systems.
_________________
rgds
fish

Answer:

cmpmain.wdf.sap.corp

This is an intranet address which cannot be accessed outside the SAP network.

Answer:
I would suggest that you run SM19 to set up an audit trail (just to check logins) and then run SM20 to view the audit log. You should see all logins, both failed and successful, in your system. The audit log also shows the terminal / IP from which the login was made. Furthermore, you could search on the user ID that is of particular concern. When you find a record for that user ID, look at the terminal from which the login was made. That should point you to the culprit.

Answer:
Thanks for the replies.

Re: saprouter: not that I know of (I know, sounds silly but this was not explicitly set up unless IDES comes with something preconfigured).

Re: the intranet address: I figured this was internal to SAP, so that made me think that someone within SAP was on our system by mistake.

Re: SM19: I will set this up and update the post when/if anything further happens.

I've locked every user ID except DDIC, SAP*, WF-BATCH, and mine, so hopefully at least this will help the issue (and the passwords were/have been changed from their default install passwords).

Cheers,
/g

Answer:
Furthermore, on the saprouter side, even if this was configured/open, why would someone be on the system deleting number ranges and looking at SCARR and SPFLI, etc.?

Answer:
Hi,

The system name cmpmain.wdf.sap.corp is an SAP internal system, and hence sapmsCMP.

The username D001571 is in the format of an SAP employee ID, so it may be the user who set up the test scenarios in IDES.

Moreover, the messages in SM21 by user HERRMANNSPAH all come from BTC processes, so check all SM37 jobs and whichever are not needed, you can delete them.

Check all your RFC connections in SM59 for unwanted entries.

It seems normal. Nothing to worry.

The only thing is that you are seeing it for the first time.

Secondly, the PSE-related entries may be because some jobs use SNC stuff. Check TA PSEMAINT and check the local PSE validity date. You can create a new PSE certificate yourself (self-signed).

Over all. No issues.

Regards,
Yatin

Answer:
-You appear to be working with a temporary license. Using SLICENSE, a permanent license is not applied, hence the message “pke certificate is only valid for 4 d- - -“.
-The preloaded data that comes with IDES is what you see and are worried about, I believe.
-P.Shah
Copyright © 2007 - 2008 www.jt77.com