Personal Insights
Making life easier for yourself with Keepass
Hi all,
If you are in any way like me then you feel like you are constantly asking your security people for unlocks to various systems and clients. I keep forgetting my passwords, enter them for the wrong systems. Or maybe you are like some other people i’ve seen who keeps their passwords in an excel sheet or text file, which obviously is a no-go!
I started using Keepass to handle my passwords, but got annoyed with always having to ALT+TAB between my sapgui logon window and the keepass window. Yes I know i’m petty.
But i want to show you how I managed to open the SAP GUI directly from within keypass.
This has been blogged about before for example by Peter Langner
https://blogs.sap.com/2012/01/29/using-keepass-instead-of-sap-logon/
But because i’m lazy and know when copying from one to another that I’ll miss something when recreating, I modified his script just slightly to be able to fetch the name and client from the title.
So download the latest keepass version and add this as URL
cmd://sapshcut –maxgui -system={T-REPLACE-RX:/{Title}/([^A-Z])+//} -client={T-REPLACE-RX:/{Title}/([^0-9])+//} -user={USERNAME} -pw={PASSWORD}
Now in your title you just maintain the system ID and client. Like DEV 100
That’s it. the regression takes the letters and add as systemid and the numbers as the client. Easy peasy and a breeze to copy and paste now 😉
Now when you want to log into a new SAP GUI session, just open keepass instead of the SAP GUI logon, find your entry and press CTRL + U.
Thanks for sharing!
Great alternative for the plugin that supports SAP GUI logon.
https://keepass.info/plugins.html#keesaplogon
Hello.
Thank you for the time taken to explain.
My system is a combination of letters and numbers so your above formula separates the letters in one field(system) and all numbers in the second one(client), in other words for a combination of PA2 100 your formula returns
PA
2100
Can you adjust it to cope with the case of alphanumeric system?
Thank you in advance.
*******
December 4th:
Never mind, after several hours of searches (and feeling stupid in all this time because RegEx syntax looks like Chinese encrypted in Arabic to me) I finally found what I need, the script version that works for me is:
cmd://sapshcut –maxgui -system={T-REPLACE-RX:/{Title}/(.{3}).*/$1/} -client={T-REPLACE-RX:/{Title}/.*(.{3})/$1/} -user={USERNAME} -pw={PASSWORD}
The change in the script simply pulls the first and last 3 characters from the Title and feeds the system with the first and the client with the last.
Thanks for sharing.
Even though password-times are almost over they are still alive and sometimes the only option for a login 😉 ... especially as an IT consultant handling various customers and landscapes.
We did some more thoughts on the solution over the years since we read the post in 2012 and want to give back some information/tweaks - maybe its useful for others.
Goals:
Prerequisites/Situation:
URL overrides defined in Keepass options:
cmd://"{ENV_PROGRAMFILES_X86}{ENV_DIRSEP}SAP{ENV_DIRSEP}FrontEnd{ENV_DIRSEP}SAPgui{ENV_DIRSEP}SAPgui.exe" /SHORTCUT="-gui="/M/sap{T-REPLACE-RX:!{TITLE}!.{0,3}$!!}.domain.com/S/{S:MSSERV}/G/SPACE /SUPPORTBIT_ON=NEED_STDDYNPRO" -SID={T-REPLACE-RX:!{TITLE}!.{0,3}$!!} -client={T-REPLACE-RX:!{TITLE}!^.{0,3}!!} -u={T-REPLACE-RX:!{USERNAME}!^(.*)\\!!} -pw= -l=EN -snc_name=p:SAPService{T-REPLACE-RX:!{TITLE}!.{0,3}$!!}@domain.com -reuse=1 -snc_qop=9 -max"
cmd://"{ENV_PROGRAMFILES_X86}{ENV_DIRSEP}SAP{ENV_DIRSEP}FrontEnd{ENV_DIRSEP}SAPgui{ENV_DIRSEP}SAPgui.exe" /SHORTCUT="-gui="/M/sap{T-REPLACE-RX:!{TITLE}!.{0,3}$!!}.domain.com/S/{S:MSSERV}/G/SPACE /SUPPORTBIT_ON=NEED_STDDYNPRO" -SID={T-REPLACE-RX:!{TITLE}!.{0,3}$!!} -client={T-REPLACE-RX:!{TITLE}!^.{0,3}!!} -u={T-REPLACE-RX:!{USERNAME}!^(.*)\\!!} -pw={PASSWORD} -l=EN -snc_name=p:SAPService{T-REPLACE-RX:!{TITLE}!.{0,3}$!!}@domain.com -reuse=1 -snc_qop=9 -max"
cmd://"{ENV_PROGRAMFILES_X86}{ENV_DIRSEP}SAP{ENV_DIRSEP}FrontEnd{ENV_DIRSEP}SAPgui{ENV_DIRSEP}SAPgui.exe" /SHORTCUT="-gui="/M/sap{T-REPLACE-RX:!{TITLE}!.{0,3}$!!}.domain.com/S/{S:MSSERV}/G/SPACE" -SID={T-REPLACE-RX:!{TITLE}!.{0,3}$!!} -client={T-REPLACE-RX:!{TITLE}!^.{0,3}!!} -l=EN -snc_name=p:SAPService{T-REPLACE-RX:!{TITLE}!.{0,3}$!!}@domain.com -reuse=1 -snc_qop=9 -max"
Custom Auto-Type sequences:
Window match: {T-REPLACE-RX:!{TITLE}!.{0,3}$!!}*{T-REPLACE-RX:!{TITLE}!^.{0,3}!!}*Password Change Prompt*
Keystroke sequence: {C:Change PW SSO}{PASSWORD}{TAB}{NEWPASSWORD:/Profile/}{TAB}{NEWPASSWORD:/Profile/}{ENTER}
Window match: {T-REPLACE-RX:!{TITLE}!.{0,3}$!!}*{T-REPLACE-RX:!{TITLE}!^.{0,3}!!}*SAP Easy Access*
Keystroke sequence: {C:Change PW Easy Access}^/{DELAY 1000}/nSU3{ENTER}{DELAY 5000}{F6}{DELAY 2500}{PASSWORD}{TAB}{NEWPASSWORD:/Profile/}{TAB}{NEWPASSWORD:/Profile/}{ENTER}
Window match: SAP Logon*
Keystroke sequence: {C:Change PW logonpad}{CMD:!{T-CONV:${T-REPLACE-RX:#{URL}{S:PW_URL}#(sapgui.*?(?=sapgui:\/\/|cmd:\/\/))|(_.*?(?=:\/\/)|S:PW_URL)##}$Raw$}!W=0!}{DELAY 15000}{F1}{DELAY 2000}{T-REPLACE-RX:!{TITLE}!^.{0,3}!!}{TAB}{T-REPLACE-RX:!{USERNAME}!^(.*)\\!!}{TAB}{PASSWORD}{F5}{DELAY 5000}{NEWPASSWORD:/Profile/}{TAB}{NEWPASSWORD:/Profile/}{ENTER}
Window match: {T-REPLACE-RX:!{TITLE}!.{0,3}$!!}*000 SAP
Keystroke sequence: {C:Fill CLNT+ID+PW}{F1}{DELAY 2000}{T-REPLACE-RX:!{TITLE}!^.{0,3}!!}{TAB}{T-REPLACE-RX:!{USERNAME}!^(.*)\\!!}{TAB}{PASSWORD}{ENTER}
Why so many URL overrides and Auto-Type sequences?
We started with one only in the past but created more soon after. The URL overrides build the backbone for login and password change. sapgui:// is the only one which allows an automated password change via auto-type. sapgui_id+pw:// & sapgui_sso:// perform automated login – which one to use depends on personal requirement. The auto-type sequences offer different ways of password change or logon.
By purpose SU01/SU10 have been excluded as those are Admin functions, no end user functions.
Examples:
An entry is maintained like SIDCLNT, e.g. APD000. The username is referenced to DOMAIN\USER (can be simplified according to needs of course). URL field maintained with sapgui_sso:// to allow a seamless login via SSO to the system/client. Custom string MSSERV maintained with the message server port. Custom string PW_URL can exist, but mustn´t. If it exists it can be blank, can contain another URL override that allows password change dialog or it can contain a dedicated command that allows for password change also (e.g. in case when a system needs a special connection string). Fallback is always sapgui://. The fallback is arranged via regex which matches and replaces with nothing so the outcome of the regex is either the custom cmd:// or sapgui:// (https://regex101.com/r/B1Yyct/1)
How to use for logon?
How to use for password change?
Just a hint in general:
Global hotkeys can also make life MUCH easier. You can just stay in the application, press CTRL+ALT+A to initiate auto type. In case Keepass identifies only 1 sequence as a fit, it will start typing. Otherwise it will show a selection screen to choose from:
The above is quite optimized for certain situations but also gives some flexibility for system specific deviations. It hasn’t been really tested with old system types (R/3) – but those will anyhow die out. Everything >=NW7 should work.
Hopefully I was able to explain in good words and maybe it is useful for others.
EDIT 1: The hostnames in the above examples are very well structured and follow naming convention sapSID. Otherwise that part of the cmd needs to be changed of course
EDIT 2: Based on feedback the article has been reworked entirely. Option to define extraordinary URL for password change added. Examples and step by step guide added.