Let’s assume you run a project to encrypt all communication channels.
It’s easy to enable servers to support encryption and to let clients choose whether to use it, even within a productive system landscape (although this requires some profile parameter changes, which in turn require server restarts):
- You can activate SSL for web-based connections, LDAP connections and database connections
- You can activate SNC for SAPGUI, e.g. using SNC Client Encryption, and RFC
However, as soon as you want to enforce encryption for a specific channel, e.g. by deactivating the profile parameter snc/accept_insecure_gui to secure SAPGUI connections, you are in trouble: most likely you are only allowed to change the profile parameter in a productive system if you can prove that all clients in fact already request encryption.
Here’s one of the questions: How can you verify if all SAPGUI sessions use SNC?
Use the Security Audit Log (SAL), transactions SM19 and SM20, to log when an unencrypted SAPGUI or RFC communication is detected.
See note 2122578 – New: Security Audit Log event for unencrypted GUI / RFC connections
If this solution is not available, you can use transaction SM04 and check every line via the menu path Users -> Technical Info to inspect the field snc_count. (Thanks to Wolfgang Janzen who pointed me to that piece of information.) Or you can use the report ZSM04000_SNC (which is based on the SM04 coding) or ZRSUSR000_620 (which is based on transaction AL08) to view this information directly in the main list.
ABAP Source Code
You find the source code on the corresponding wiki page.
Report ZSM04000_SNC shows a cross-client list of users, their terminals, the connection type and the SNC status. You can add the SNC profile parameters to the header of the list. Here’s an example without IP addresses and without terminal names:
Limitation: The report inspects only the current sessions on the current application server.
Run this report regularly on all application servers; as soon as it turns completely green for a specific connection type, you can deactivate the corresponding profile parameter to prevent insecure connections in the future.
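To make the "run it regularly on every server and wait until a connection type is completely green" step concrete, here is an added example (my own code, not the report ZSM04000_SNC or anything from the wiki page) that consolidates session exports from several application servers and several runs and decides, per connection type, whether enforcement is safe. The semicolon-separated column layout and the rule "a non-zero snc_count means the session is SNC-protected" are assumptions made for this example; the sample data is constructed.

```python
"""Consolidate per-server session snapshots and report SNC readiness per
connection type (added example; the export format is an assumption)."""
from collections import defaultdict

# Constructed snapshot, run 1: one record per current session on each
# application server. Column layout is an assumption for this example.
SAMPLE_EXPORT = """\
server;client;user;type;snc_count
app01;100;ALICE;GUI;1
app01;100;BOB;GUI;0
app01;200;RFC_BATCH;RFC;1
app02;100;CAROL;GUI;1
app02;100;DAVE;RFC;0
app02;300;ERIN;GUI;1
"""

# Constructed snapshot, run 2: BOB now connects with SNC, DAVE still does not.
SAMPLE_EXPORT_RUN2 = """\
server;client;user;type;snc_count
app01;100;BOB;GUI;1
app02;100;DAVE;RFC;0
app02;300;ERIN;GUI;1
"""


def parse_export(text):
    """Parse one exported snapshot into a list of dicts; reject malformed lines."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(";")
    rows = []
    for line in lines[1:]:
        fields = line.split(";")
        if len(fields) != len(header):
            raise ValueError(f"malformed export line: {line!r}")
        row = dict(zip(header, fields))
        row["snc_count"] = int(row["snc_count"])  # assumption: >0 means SNC active
        rows.append(row)
    return rows


def snc_readiness(rows):
    """Per connection type: total sessions, SNC-protected sessions and the
    distinct server/client/user triples seen without SNC. Rows from several
    servers and several runs can simply be concatenated."""
    report = defaultdict(lambda: {"total": 0, "encrypted": 0, "insecure": set()})
    for r in rows:
        entry = report[r["type"]]
        entry["total"] += 1
        if r["snc_count"] > 0:
            entry["encrypted"] += 1
        else:
            entry["insecure"].add(f'{r["server"]}/{r["client"]}/{r["user"]}')
    # sorted lists are easier to read and to compare between runs
    return {t: {**e, "insecure": sorted(e["insecure"])} for t, e in report.items()}


def enforceable_types(rows):
    """Connection types for which no insecure session was observed in any of
    the consolidated snapshots, i.e. candidates for deactivating the
    corresponding snc/accept_insecure_* profile parameter."""
    return sorted(t for t, e in snc_readiness(rows).items() if not e["insecure"])


if __name__ == "__main__":
    both_runs = parse_export(SAMPLE_EXPORT) + parse_export(SAMPLE_EXPORT_RUN2)
    for conn_type, entry in sorted(snc_readiness(both_runs).items()):
        print(f'{conn_type}: {entry["encrypted"]}/{entry["total"]} sessions with SNC, '
              f'insecure: {", ".join(entry["insecure"]) or "none"}')
    print("enforceable now:", enforceable_types(both_runs) or "nothing yet")
```

Feeding only the second snapshot would report GUI as green, but consolidating both runs keeps BOB's earlier unencrypted session on record, which is exactly why a single snapshot of one server (the limitation noted above) is not enough evidence to flip the profile parameter.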
(By the way: extreme security nerds would now discuss whether this is sufficient to prove that encryption is active, as the QOP, quality of protection, is not considered either. Well, I know about this limitation, but let’s begin the journey with the first step…)