Fortinet black logo

SAP NetWeaver v1.1.0

1.1.0
Copy Link
Copy Doc ID 2f34b0cb-697d-11ed-96f0-fa163e15d75b:443

About the connector

SAP NetWeaver Remote Function Call (RFC) is the standard SAP interface for communication between SAP systems.

This document provides information about the SAP NetWeaver Connector, which facilitates automated interactions, with an SAP NetWeaver server using FortiSOAR™ playbooks. Add the SAP NetWeaver Connector as a step in FortiSOAR™ playbooks and perform automated operations leveraging the SAP Remote Function Modules using the SAP NetWeaver protocol.

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 7.3.0-2034

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.1.0

The following enhancements have been made to the SAP NetWeaver in version 1.1.0:

  • Rebranded the SAP RFC connector to SAP NetWeaver.

Steps to install dependency python packages required by the SAP NetWeaver connector

If you are on FortiSOAR release 7.3.0 or later, i.e., your system is on RHEL or Rocky Linux, then before you install the dependency python packages, i.e., before you run install_dependencies.sh, you need to install 'g++' using the following command:
$ sudo yum groupinstall "Development Tools"

  1. Download the install_dependencies.sh file that is attached to this document.
  2. Run the shell script using the following command:
    sh install_dependencies.sh <RFC_SDK_zip_file_path>
    Note: The SAP NetWeaver RFC SDK zip file is available at https://support.sap.com/en/product/connectors/nwrfcsdk.html

Summary of what the install_dependencies.sh script does:

  1. Installs Cython in the integrations virtual environment.
  2. Installs pyrfc in the integrations virtual environment.
  3. Installs SAP NWRFC Libraries under /opt.
  4. Downloads RFC_SDK_zip file in /usr/local/sap/.
  5. Sets up the SAPNWRFC_HOME, SNC_LIB, and SECUDIR environment variables.
    Note: If your FortiSOAR version is 7.2.0 or higher, then the "fsr-integrations" user is used, or else the "nginx" user is used to set the SAP-related folders.

Configure SAP PyRFC with SNC (w/o SSO)

Installation and Setup

  1. Download the CommonCryptoLib from SAP and extract into e.g. /opt/SAPCRYPTOLIB/
    1. SAP Marketplace Path: https://support.sap.com/swdc -> Access downloads -> Support
      Packages & Patches -> By Category -> SAP Cryptographic Software -> SAPCRYPTOLIB
      -> COMMONCRYPTOLIB

Example commands:

$curl <URL of SAPCRYPTOLIB.zip file> -o /tmp/SAPCRYPTOLIB.zip
$ unzip /tmp/SAPCRYPTOLIB.zip -d /opt/
$ chown -R fsr-integrations:fsr-integrations /opt/SAPCRYPTOLIB

Note: If your FortiSOAR version is 7.2.0 or higher, then the "fsr-integrations" user is used, or else the "nginx" user is used to run the above commands.

Setup SNC PSE

The sapgenpse tool can be found in the same folder (/opt/SAPCRYPTOLIB).

  1. Generate a PSE for the SNC Client side. The file will automatically get stored in the SECUDIR directory:
    $ sapgenpse get_pse -p <PSE name e.g. pyrfc.pse> -x <password> <Distingushed
    name eg. CN=pyrfc>

    Example:
    $ sapgenpse get_pse -p pyrfc.pse -x password CN=pyrfc
  2. Setup SSO for the OS service account to avoid providing always a password:
    $ sapgenpse seclogin -p <PSE name e.g. pyrfc.pse> -x <password> -O <OS
    username>

    Example:
    $ sapgenpse seclogin -p pyrfc.pse -x password -O fsr-integrations
  3. Export the certificate as a base64 encoded .crt file:
    $ sapgenpse export_own_cert -o <Export file name> -p <PSE name e.g.
    pyrfc.pse> -x <password>

    Example:
    $ sapgenpse export_own_cert -o pyrfc_snc.crt -p pyrfc.pse -x password

Establish trust between PyRFC Client and SAP System

  1. Import the PyRFC Client certificate into the SNC trust store of the SAP System.
    1. Go to Transaction STRUST.
    2. Double-click on the SNC SAPCryptolib store.
    3. Import Certificate using Certificate -> Import.
    4. Enter the Path to the .crt file and click Enter.
    5. Check that the SNC PSE is selected and the imported certificate details are displayed correctly.
    6. Click on Add to Certificate List at the bottom. Then click Save (the Disk) on the top.

      After this, you should see your certificate's Distinguished name within the Certificate list.
  2. Export the SAP System SNC Certificate & import it into PyRFC PSE.
    1. To export the SAP System SNC certificate, double-click on the Subject name in the Own
      Certificate
      Section.
    2. At the bottom, select the export certificate and save it on your machine. After that copy it over to your system where you work with PyRFC.
  3. Import the certificate into the PyRFC PSE:
    $ sapgenpse maintain_pk -a <SAP System certificate file> -p <PSE name
    e.g. pyrfc.pse> -x <password>

    Example:
    $ sapgenpse maintain_pk -a a4h_snc.crt -p pyrfc.pse -x password
  4. Update the owner of the sec and SAPCRYPTOLIB folders:
    $ chown -R fsr-integrations:fsr-integrations /opt/sec
    $ chown -R fsr-integrations:fsr-integrations /opt/SAPCRYPTOLIB

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-sap-rfc

Important: You must install the dependency packages (see Steps to install dependency python packages required by the SAP NetWeaver connector) and configure SNC (Configure SAP PyRFC with SNC (w/o SSO)) before you install the SAP NetWeaver connector.

Prerequisites to configuring the connector

  • You must have the hostname of the SAP NetWeaver server to which you will connect and perform automated operations and credentials (username-password pair) to access that server.
  • You must have access to the SAP NetWeaver RFC SDK.
  • The FortiSOAR™ server should have outbound connectivity to port 3300/tcp (non-SNC) – 3399/tcp or 4800/tcp-4899/tcp (SNC) on the SAP NetWeaver Server.

Minimum Permissions Required

  • If your FortiSOAR version is 7.2.0 or higher, then use the "fsr-integrations" user, or else the "nginx" user to install dependency packages and configure SNC. Ensure all SAP-related folders have "fsr-integrations" or "nginx" set as the owner. Check that the following paths have the "fsr-integrations" owner permission:
    /opt/sec
    /opt/SAPCRYPTOLIB
    /usr/local/sap

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the SAP NetWeaver connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Parameter Description
Server Address The hostname of the SAP NetWeaver server to which you will connect and perform automated operations.
Username The username to access the SAP NetWeaver endpoint to which you will connect and perform the automated operations.
Password The password to access the SAP NetWeaver endpoint to which you will connect and perform the automated operations.
System Number The system number to access the SAP RPC server to which you will connect and perform the automated operations.
Client Number The client number to access the SAP RPC server to which you will connect and perform the automated operations.
SNC Configuration

Select this option to enable SNC Configuration within your script to connect with the SAP RPC server to which you will connect and perform the automated operations.

If you select this option, i.e., set it to 'True', then you can specify the following parameters:

  • SNC Partner Name: Specify the SNC name of the communication partner. This is the SNC identity of the SAP system to access the SAP NetWeaver server to which you will connect and perform the automated operations.
  • SNC SSO: Specify SAP SSO to access the SAP NetWeaver server to which you will connect and perform the automated operations. You can enter one of the following values:
    0-Login with username and password
    1-SSO Login
  • SNC Mode: Specify the SNC mode to access the SAP NetWeaver server to which you will connect and perform the automated operations. You can enter one of the following values:
    0 - Do not apply SNC to connections
    1 - Apply SNC to connections
  • SNC QoP: Specify the SNC QoP to access the SAP NetWeaver server to which you will connect and perform the automated operations. You can enter one of the following values:
    1 - Apply authentication only
    2 - Apply integrity protection (authentication).
    3 - Apply privacy protection (integrity and authentication)
    8 - Apply the default protection
    9 - Apply the maximum protection
Port Specify the port number to access the SAP ETD server to which you will connect and perform the automated operations. By default, this is set to 3300.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access the operations from FortiSOAR™:

Function Description Annotation and Category
Get Session List Retrieves a list of all sessions or specific sessions from SAP NetWeaver based on the tenant or client number and other input parameters you have specified. get_session_list
Investigation
End User Session Ends all the sessions of a specific tenant or client in SAP NetWeaver based on the tenant or client number and other input parameters you have specified. end_session
Investigation
Send Popup Sends a popup to a specific user using SAP NetWeaver based on the client number, username, and message you have specified. send_popup
Investigation
Lock User Locks a specific user account using SAP NetWeaver based on the username you have specified. lock_user
Investigation
Unlock User Unlocks a specific user account using SAP NetWeaver based on the username you have specified. unlock_user
Investigation
Remove User Profiles Deletes all profiles associated with the user using SAP NetWeaver based on the username you have specified. remove_all_user_profiles
Investigation
Remove User Roles Deletes all roles associated with the user using SAP NetWeaver based on the username you have specified. remove_all_user_roles
Investigation
Assign User Role Assign a specific role to a specific user based on the username, role name, and other input parameters you have specified. You can also assign the role to the user with a specific expiration date. assign_user_role
Investigation
Run RFC Function Runs an SAP remote function module based on the parameters you have specified. run_rfc_functions
Investigation

operation: Get Session List

Input parameters

Parameter Description
Tenant Specify the tenant or client Number whose associated sessions you want to retrieve from SAP NetWeaver.
Username (Optional) Specify the username whose associated sessions you want to retrieve from SAP NetWeaver.
Logon ID (Optional) Specify the logon ID whose associated sessions you want to retrieve from SAP NetWeaver.
Logon Handle (Optional) Specify the logon handle whose associated sessions you want to retrieve from SAP NetWeaver.
Terminal ID (Optional) Specify the terminal ID or client IP address whose associated sessions you want to retrieve from SAP NetWeaver.

Output

The output contains the following populated JSON schema:
{
"SESSION_LIST": [
{
"STATE": "",
"TRACE": "",
"MEMORY": "",
"TENANT": "",
"RFC_HDL": "",
"LOGON_ID": "",
"PRIORITY": "",
"RFC_TYPE": "",
"IS_ACTIVE": "",
"LOGON_HDL": "",
"USER_NAME": "",
"LOGON_TYPE": "",
"OPEN_TASKS": "",
"ACT_PROGRAM": "",
"APPLICATION": "",
"MEMORY_ABAP": "",
"MEMORY_HEAP": "",
"SERVER_NAME": "",
"SESSION_HDL": "",
"MEMORY_HYPER": "",
"REQUEST_TIME": "",
"LOCATION_INFO": "",
"MEMORY_BRUTTO": "",
"PAGING_BLOCKS": "",
"CLIENT_IP_ADDR": "",
"LOGON_SUB_TYPE": "",
"SAP_GUI_VERSION": "",
"APPLICATION_INFO": "",
"SPECIAL_HANDLING": "",
"WEBSOCKET_HANDLE": ""
}
]
}

operation: End User Session

Input parameters

Note: You must specify at least one of the following parameters: Terminal ID (Client IP Address), Username, Logon ID, or Logon Handle.

Parameter Description
Tenant Specify the tenant or client number whose user session you want to end in SAP NetWeaver.
Username Specify the username whose user session you want to end in SAP NetWeaver.
Logon ID Specify the logon ID whose user session you want to end in SAP NetWeaver.
Logon Handle Specify the logon handle whose user session you want to end in SAP NetWeaver.
Terminal ID Specify the terminal ID or client IP address whose user session you want to end in SAP NetWeaver.

Output

The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}

operation: Send Popup

Input parameters

Parameter Description
Client Number Specify the client number to which you want to send the popup message using SAP RPC.
Username Specify the username to which you want to send the popup message using SAP RPC.
Message Specify the popup message that you want to send to the specified user using SAP RPC.

Output

The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}

operation: Lock User

Input parameters

Parameter Description
Username Specify the username whose user account you want to lock using SAP RPC.

Output

The output contains the following populated JSON schema:
{
"RETURN": [
{
"ID": "",
"ROW": "",
"TYPE": "",
"FIELD": "",
"LOG_NO": "",
"NUMBER": "",
"SYSTEM": "",
"MESSAGE": "",
"PARAMETER": "",
"LOG_MSG_NO": "",
"MESSAGE_V1": "",
"MESSAGE_V2": "",
"MESSAGE_V3": "",
"MESSAGE_V4": ""
}
]
}

operation: Unlock User

Input parameters

Parameter Description
Username Specify the username whose user account you want to unlock using SAP NetWeaver.

Output

The output contains the following populated JSON schema:
{
"RETURN": [
{
"ID": "",
"ROW": "",
"TYPE": "",
"FIELD": "",
"LOG_NO": "",
"NUMBER": "",
"SYSTEM": "",
"MESSAGE": "",
"PARAMETER": "",
"LOG_MSG_NO": "",
"MESSAGE_V1": "",
"MESSAGE_V2": "",
"MESSAGE_V3": "",
"MESSAGE_V4": ""
}
]
}

operation: Remove User Profiles

Input parameters

Parameter Description
Username Specify the username whose user profiles you want to remove using SAP NetWeaver.

Output

The output contains the following populated JSON schema:
{
"RETURN": [
{
"ID": "",
"ROW": "",
"TYPE": "",
"FIELD": "",
"LOG_NO": "",
"NUMBER": "",
"SYSTEM": "",
"MESSAGE": "",
"PARAMETER": "",
"LOG_MSG_NO": "",
"MESSAGE_V1": "",
"MESSAGE_V2": "",
"MESSAGE_V3": "",
"MESSAGE_V4": ""
}
]
}

operation: Remove User Roles

Input parameters

Parameter Description
Username Specify the username whose user roles you want to remove using SAP NetWeaver.

Output

The output contains the following populated JSON schema:
{
"RETURN": [
{
"ID": "",
"ROW": "",
"TYPE": "",
"FIELD": "",
"LOG_NO": "",
"NUMBER": "",
"SYSTEM": "",
"MESSAGE": "",
"PARAMETER": "",
"LOG_MSG_NO": "",
"MESSAGE_V1": "",
"MESSAGE_V2": "",
"MESSAGE_V3": "",
"MESSAGE_V4": ""
}
]
}

operation: Assign User Role

Input parameters

Parameter Description
Username Specify the username to whom you want to assign the specified role using SAP NetWeaver.
Role Name Specify the role name that you want to assign to the specified user using SAP NetWeaver.
From Date Specify the date from when you want to assign the role to the user.
Note: Use the From Date and To Date fields to define the expiration date of the role assigned to the user.
To Date Specify the date until when you want to assign the role to the user.
AGR TEXT Specify the AGR_TEXT that you want to assign to the specified user role.

Output

The output contains the following populated JSON schema:
{
"RETURN": [
{
"ID": "",
"ROW": "",
"TYPE": "",
"FIELD": "",
"LOG_NO": "",
"NUMBER": "",
"SYSTEM": "",
"MESSAGE": "",
"PARAMETER": "",
"LOG_MSG_NO": "",
"MESSAGE_V1": "",
"MESSAGE_V2": "",
"MESSAGE_V3": "",
"MESSAGE_V4": ""
}
],
"ACTIVITYGROUPS": [
{
"TO_DAT": "",
"AGR_NAME": "",
"AGR_TEXT": "",
"FROM_DAT": "",
"ORG_FLAG": ""
}
]
}

operation: Run RFC Function

Input parameters

Parameter Description
Function Name Specify the SAP function module name that you want to run.
Note: This parameter will make an API call named "get_rfc_function_params" to dynamically populate the drop-down selections.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - SAP NetWeaver - 1.0.0 playbook collection comes bundled with the SAP NetWeaver connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SAP NetWeaver connector.

  • Assign User Role
  • End User Session
  • Get Session List
  • Lock User
  • Remove User Profiles
  • Remove User Roles
  • Run RFC Function
  • Send Popup
  • Unlock User

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Troubleshooting

The connectors.log file contains the "libsapnwrfc.so: cannot open shared object file: No such file or directory" error

Resolution

  1. Check the owner of the /usr/local/sap/nwrfcsdk/lib/libsapnwrfc.so file. The owner of this file should be 'fsr-integrations' if your FortiSOAR version is 7.2.0 or higher or 'nginx' user (commands in this section consider 'fsr-integrations' user).
  2. Run the following command to set the owner of the libsapnwrfc.so file as 'fsr-integrations':
    chown -R fsr-integrations:fsr-integrations /usr/local/sap/nwrfcsdk

The connector's configurations tab displays "Connector Dependencies Failed To Install"

The “Connector Dependencies Failed To Install" error on the Configurations tab, after you have installed the connector is displayed if you have not installed the dependency packages.

Resolution

Ensure you have installed the dependency packages using the attached install_dependencies.sh file and refer to the Steps to install dependency python packages required by the SAP NetWeaver connector section.

The "seclogin: Can't add credentials" error is displayed while setting up SNC PSE

You get the “seclogin: Can't add credentials” error when you are executing the "$ sapgenpse seclogin -p pyrfc.pse -x password -O fsr-integrations" command.

Resolution

Ensure that the “SECUDIR=/opt/sec“ environment variable is set. You must also reconnect your SSH session.

The /bin/gcc command fails while installing the 'pyrfc python' package on FortiSOAR releases 7.3.0 or later

The '/bin/gcc' command fails with the 'with exit code 1 ERROR: Failed building wheel for pyrfc' error while installing the 'pyrfc python' package on FortiSOAR releases 7.3.0 or later i.e. on Rocky Linux or RHEL systems.

Resolution

Ensure that 'g++' is installed before running the install_dependecies.sh. You can install g++ using the following command:
$ sudo yum groupinstall "Development Tools"

Check if the 'g++' is installed using the following command:
$ g++ —version

install_dependencies.sh

Previous
Next

About the connector

SAP NetWeaver Remote Function Call (RFC) is the standard SAP interface for communication between SAP systems.

This document provides information about the SAP NetWeaver Connector, which facilitates automated interactions, with an SAP NetWeaver server using FortiSOAR™ playbooks. Add the SAP NetWeaver Connector as a step in FortiSOAR™ playbooks and perform automated operations leveraging the SAP Remote Function Modules using the SAP NetWeaver protocol.

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 7.3.0-2034

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.1.0

The following enhancements have been made to the SAP NetWeaver in version 1.1.0:

Steps to install dependency python packages required by the SAP NetWeaver connector

If you are on FortiSOAR release 7.3.0 or later, i.e., your system is on RHEL or Rocky Linux, then before you install the dependency python packages, i.e., before you run install_dependencies.sh, you need to install 'g++' using the following command:
$ sudo yum groupinstall "Development Tools"

  1. Download the install_dependencies.sh file that is attached to this document.
  2. Run the shell script using the following command:
    sh install_dependencies.sh <RFC_SDK_zip_file_path>
    Note: The SAP NetWeaver RFC SDK zip file is available at https://support.sap.com/en/product/connectors/nwrfcsdk.html

Summary of what the install_dependencies.sh script does:

  1. Installs Cython in the integrations virtual environment.
  2. Installs pyrfc in the integrations virtual environment.
  3. Installs SAP NWRFC Libraries under /opt.
  4. Downloads RFC_SDK_zip file in /usr/local/sap/.
  5. Sets up the SAPNWRFC_HOME, SNC_LIB, and SECUDIR environment variables.
    Note: If your FortiSOAR version is 7.2.0 or higher, then the "fsr-integrations" user is used, or else the "nginx" user is used to set the SAP-related folders.

Configure SAP PyRFC with SNC (w/o SSO)

Installation and Setup

  1. Download the CommonCryptoLib from SAP and extract into e.g. /opt/SAPCRYPTOLIB/
    1. SAP Marketplace Path: https://support.sap.com/swdc -> Access downloads -> Support
      Packages & Patches -> By Category -> SAP Cryptographic Software -> SAPCRYPTOLIB
      -> COMMONCRYPTOLIB

Example commands:

$curl <URL of SAPCRYPTOLIB.zip file> -o /tmp/SAPCRYPTOLIB.zip
$ unzip /tmp/SAPCRYPTOLIB.zip -d /opt/
$ chown -R fsr-integrations:fsr-integrations /opt/SAPCRYPTOLIB

Note: If your FortiSOAR version is 7.2.0 or higher, then the "fsr-integrations" user is used, or else the "nginx" user is used to run the above commands.

Setup SNC PSE

The sapgenpse tool can be found in the same folder (/opt/SAPCRYPTOLIB).

  1. Generate a PSE for the SNC Client side. The file will automatically get stored in the SECUDIR directory:
    $ sapgenpse get_pse -p <PSE name e.g. pyrfc.pse> -x <password> <Distingushed
    name eg. CN=pyrfc>

    Example:
    $ sapgenpse get_pse -p pyrfc.pse -x password CN=pyrfc
  2. Setup SSO for the OS service account to avoid providing always a password:
    $ sapgenpse seclogin -p <PSE name e.g. pyrfc.pse> -x <password> -O <OS
    username>

    Example:
    $ sapgenpse seclogin -p pyrfc.pse -x password -O fsr-integrations
  3. Export the certificate as a base64 encoded .crt file:
    $ sapgenpse export_own_cert -o <Export file name> -p <PSE name e.g.
    pyrfc.pse> -x <password>

    Example:
    $ sapgenpse export_own_cert -o pyrfc_snc.crt -p pyrfc.pse -x password

Establish trust between PyRFC Client and SAP System

  1. Import the PyRFC Client certificate into the SNC trust store of the SAP System.
    1. Go to Transaction STRUST.
    2. Double-click on the SNC SAPCryptolib store.
    3. Import Certificate using Certificate -> Import.
    4. Enter the Path to the .crt file and click Enter.
    5. Check that the SNC PSE is selected and the imported certificate details are displayed correctly.
    6. Click on Add to Certificate List at the bottom. Then click Save (the Disk) on the top.

      After this, you should see your certificate's Distinguished name within the Certificate list.
  2. Export the SAP System SNC Certificate & import it into PyRFC PSE.
    1. To export the SAP System SNC certificate, double-click on the Subject name in the Own
      Certificate
      Section.
    2. At the bottom, select the export certificate and save it on your machine. After that copy it over to your system where you work with PyRFC.
  3. Import the certificate into the PyRFC PSE:
    $ sapgenpse maintain_pk -a <SAP System certificate file> -p <PSE name
    e.g. pyrfc.pse> -x <password>

    Example:
    $ sapgenpse maintain_pk -a a4h_snc.crt -p pyrfc.pse -x password
  4. Update the owner of the sec and SAPCRYPTOLIB folders:
    $ chown -R fsr-integrations:fsr-integrations /opt/sec
    $ chown -R fsr-integrations:fsr-integrations /opt/SAPCRYPTOLIB

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-sap-rfc

Important: You must install the dependency packages (see Steps to install dependency python packages required by the SAP NetWeaver connector) and configure SNC (Configure SAP PyRFC with SNC (w/o SSO)) before you install the SAP NetWeaver connector.

Prerequisites to configuring the connector

Minimum Permissions Required

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the SAP NetWeaver connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Parameter Description
Server Address The hostname of the SAP NetWeaver server to which you will connect and perform automated operations.
Username The username to access the SAP NetWeaver endpoint to which you will connect and perform the automated operations.
Password The password to access the SAP NetWeaver endpoint to which you will connect and perform the automated operations.
System Number The system number to access the SAP RPC server to which you will connect and perform the automated operations.
Client Number The client number to access the SAP RPC server to which you will connect and perform the automated operations.
SNC Configuration

Select this option to enable SNC Configuration within your script to connect with the SAP RPC server to which you will connect and perform the automated operations.

If you select this option, i.e., set it to 'True', then you can specify the following parameters:

  • SNC Partner Name: Specify the SNC name of the communication partner. This is the SNC identity of the SAP system to access the SAP NetWeaver server to which you will connect and perform the automated operations.
  • SNC SSO: Specify SAP SSO to access the SAP NetWeaver server to which you will connect and perform the automated operations. You can enter one of the following values:
    0-Login with username and password
    1-SSO Login
  • SNC Mode: Specify the SNC mode to access the SAP NetWeaver server to which you will connect and perform the automated operations. You can enter one of the following values:
    0 - Do not apply SNC to connections
    1 - Apply SNC to connections
  • SNC QoP: Specify the SNC QoP to access the SAP NetWeaver server to which you will connect and perform the automated operations. You can enter one of the following values:
    1 - Apply authentication only
    2 - Apply integrity protection (authentication).
    3 - Apply privacy protection (integrity and authentication)
    8 - Apply the default protection
    9 - Apply the maximum protection
Port Specify the port number to access the SAP ETD server to which you will connect and perform the automated operations. By default, this is set to 3300.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access the operations from FortiSOAR™:

Function Description Annotation and Category
Get Session List Retrieves a list of all sessions or specific sessions from SAP NetWeaver based on the tenant or client number and other input parameters you have specified. get_session_list
Investigation
End User Session Ends all the sessions of a specific tenant or client in SAP NetWeaver based on the tenant or client number and other input parameters you have specified. end_session
Investigation
Send Popup Sends a popup to a specific user using SAP NetWeaver based on the client number, username, and message you have specified. send_popup
Investigation
Lock User Locks a specific user account using SAP NetWeaver based on the username you have specified. lock_user
Investigation
Unlock User Unlocks a specific user account using SAP NetWeaver based on the username you have specified. unlock_user
Investigation
Remove User Profiles Deletes all profiles associated with the user using SAP NetWeaver based on the username you have specified. remove_all_user_profiles
Investigation
Remove User Roles Deletes all roles associated with the user using SAP NetWeaver based on the username you have specified. remove_all_user_roles
Investigation
Assign User Role Assign a specific role to a specific user based on the username, role name, and other input parameters you have specified. You can also assign the role to the user with a specific expiration date. assign_user_role
Investigation
Run RFC Function Runs an SAP remote function module based on the parameters you have specified. run_rfc_functions
Investigation

operation: Get Session List

Input parameters

Parameter Description
Tenant Specify the tenant or client Number whose associated sessions you want to retrieve from SAP NetWeaver.
Username (Optional) Specify the username whose associated sessions you want to retrieve from SAP NetWeaver.
Logon ID (Optional) Specify the logon ID whose associated sessions you want to retrieve from SAP NetWeaver.
Logon Handle (Optional) Specify the logon handle whose associated sessions you want to retrieve from SAP NetWeaver.
Terminal ID (Optional) Specify the terminal ID or client IP address whose associated sessions you want to retrieve from SAP NetWeaver.

Output

The output contains the following populated JSON schema:
{
"SESSION_LIST": [
{
"STATE": "",
"TRACE": "",
"MEMORY": "",
"TENANT": "",
"RFC_HDL": "",
"LOGON_ID": "",
"PRIORITY": "",
"RFC_TYPE": "",
"IS_ACTIVE": "",
"LOGON_HDL": "",
"USER_NAME": "",
"LOGON_TYPE": "",
"OPEN_TASKS": "",
"ACT_PROGRAM": "",
"APPLICATION": "",
"MEMORY_ABAP": "",
"MEMORY_HEAP": "",
"SERVER_NAME": "",
"SESSION_HDL": "",
"MEMORY_HYPER": "",
"REQUEST_TIME": "",
"LOCATION_INFO": "",
"MEMORY_BRUTTO": "",
"PAGING_BLOCKS": "",
"CLIENT_IP_ADDR": "",
"LOGON_SUB_TYPE": "",
"SAP_GUI_VERSION": "",
"APPLICATION_INFO": "",
"SPECIAL_HANDLING": "",
"WEBSOCKET_HANDLE": ""
}
]
}

operation: End User Session

Input parameters

Note: You must specify at least one of the following parameters: Terminal ID (Client IP Address), Username, Logon ID, or Logon Handle.

Parameter Description
Tenant Specify the tenant or client number whose user session you want to end in SAP NetWeaver.
Username Specify the username whose user session you want to end in SAP NetWeaver.
Logon ID Specify the logon ID whose user session you want to end in SAP NetWeaver.
Logon Handle Specify the logon handle whose user session you want to end in SAP NetWeaver.
Terminal ID Specify the terminal ID or client IP address whose user session you want to end in SAP NetWeaver.

Output

The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}

operation: Send Popup

Input parameters

Parameter Description
Client Number Specify the client number to which you want to send the popup message using SAP RPC.
Username Specify the username to which you want to send the popup message using SAP RPC.
Message Specify the popup message that you want to send to the specified user using SAP RPC.

Output

The output contains the following populated JSON schema:
{
"message": "",
"status": ""
}

operation: Lock User

Input parameters

Parameter Description
Username Specify the username whose user account you want to lock using SAP RPC.

Output

The output contains the following populated JSON schema:
{
"RETURN": [
{
"ID": "",
"ROW": "",
"TYPE": "",
"FIELD": "",
"LOG_NO": "",
"NUMBER": "",
"SYSTEM": "",
"MESSAGE": "",
"PARAMETER": "",
"LOG_MSG_NO": "",
"MESSAGE_V1": "",
"MESSAGE_V2": "",
"MESSAGE_V3": "",
"MESSAGE_V4": ""
}
]
}

operation: Unlock User

Input parameters

Parameter Description
Username Specify the username whose user account you want to unlock using SAP NetWeaver.

Output

The output contains the following populated JSON schema:
{
"RETURN": [
{
"ID": "",
"ROW": "",
"TYPE": "",
"FIELD": "",
"LOG_NO": "",
"NUMBER": "",
"SYSTEM": "",
"MESSAGE": "",
"PARAMETER": "",
"LOG_MSG_NO": "",
"MESSAGE_V1": "",
"MESSAGE_V2": "",
"MESSAGE_V3": "",
"MESSAGE_V4": ""
}
]
}

operation: Remove User Profiles

Input parameters

Parameter Description
Username Specify the username whose user profiles you want to remove using SAP NetWeaver.

Output

The output contains the following populated JSON schema:
{
"RETURN": [
{
"ID": "",
"ROW": "",
"TYPE": "",
"FIELD": "",
"LOG_NO": "",
"NUMBER": "",
"SYSTEM": "",
"MESSAGE": "",
"PARAMETER": "",
"LOG_MSG_NO": "",
"MESSAGE_V1": "",
"MESSAGE_V2": "",
"MESSAGE_V3": "",
"MESSAGE_V4": ""
}
]
}

operation: Remove User Roles

Input parameters

Parameter Description
Username Specify the username whose user roles you want to remove using SAP NetWeaver.

Output

The output contains the following populated JSON schema:
{
"RETURN": [
{
"ID": "",
"ROW": "",
"TYPE": "",
"FIELD": "",
"LOG_NO": "",
"NUMBER": "",
"SYSTEM": "",
"MESSAGE": "",
"PARAMETER": "",
"LOG_MSG_NO": "",
"MESSAGE_V1": "",
"MESSAGE_V2": "",
"MESSAGE_V3": "",
"MESSAGE_V4": ""
}
]
}

operation: Assign User Role

Input parameters

Parameter Description
Username Specify the username to whom you want to assign the specified role using SAP NetWeaver.
Role Name Specify the role name that you want to assign to the specified user using SAP NetWeaver.
From Date Specify the date from when you want to assign the role to the user.
Note: Use the From Date and To Date fields to define the expiration date of the role assigned to the user.
To Date Specify the date until when you want to assign the role to the user.
AGR TEXT Specify the AGR_TEXT that you want to assign to the specified user role.

Output

The output contains the following populated JSON schema:
{
"RETURN": [
{
"ID": "",
"ROW": "",
"TYPE": "",
"FIELD": "",
"LOG_NO": "",
"NUMBER": "",
"SYSTEM": "",
"MESSAGE": "",
"PARAMETER": "",
"LOG_MSG_NO": "",
"MESSAGE_V1": "",
"MESSAGE_V2": "",
"MESSAGE_V3": "",
"MESSAGE_V4": ""
}
],
"ACTIVITYGROUPS": [
{
"TO_DAT": "",
"AGR_NAME": "",
"AGR_TEXT": "",
"FROM_DAT": "",
"ORG_FLAG": ""
}
]
}

operation: Run RFC Function

Input parameters

Parameter Description
Function Name Specify the SAP function module name that you want to run.
Note: This parameter will make an API call named "get_rfc_function_params" to dynamically populate the drop-down selections.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - SAP NetWeaver - 1.0.0 playbook collection comes bundled with the SAP NetWeaver connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SAP NetWeaver connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Troubleshooting

The connectors.log file contains the "libsapnwrfc.so: cannot open shared object file: No such file or directory" error

Resolution

  1. Check the owner of the /usr/local/sap/nwrfcsdk/lib/libsapnwrfc.so file. The owner of this file should be 'fsr-integrations' if your FortiSOAR version is 7.2.0 or higher or 'nginx' user (commands in this section consider 'fsr-integrations' user).
  2. Run the following command to set the owner of the libsapnwrfc.so file as 'fsr-integrations':
    chown -R fsr-integrations:fsr-integrations /usr/local/sap/nwrfcsdk

The connector's configurations tab displays "Connector Dependencies Failed To Install"

The “Connector Dependencies Failed To Install" error on the Configurations tab, after you have installed the connector is displayed if you have not installed the dependency packages.

Resolution

Ensure you have installed the dependency packages using the attached install_dependencies.sh file and refer to the Steps to install dependency python packages required by the SAP NetWeaver connector section.

The "seclogin: Can't add credentials" error is displayed while setting up SNC PSE

You get the “seclogin: Can't add credentials” error when you are executing the "$ sapgenpse seclogin -p pyrfc.pse -x password -O fsr-integrations" command.

Resolution

Ensure that the “SECUDIR=/opt/sec“ environment variable is set. You must also reconnect your SSH session.

The /bin/gcc command fails while installing the 'pyrfc python' package on FortiSOAR releases 7.3.0 or later

The '/bin/gcc' command fails with the 'with exit code 1 ERROR: Failed building wheel for pyrfc' error while installing the 'pyrfc python' package on FortiSOAR releases 7.3.0 or later i.e. on Rocky Linux or RHEL systems.

Resolution

Ensure that 'g++' is installed before running the install_dependecies.sh. You can install g++ using the following command:
$ sudo yum groupinstall "Development Tools"

Check if the 'g++' is installed using the following command:
$ g++ —version

install_dependencies.sh

Previous
Next