Sample Questions: 1. Which RFC Will Be Used To "Read System Data Remote" From Transaction SMSY?
These questions are similar to the ones asked in the actual test. How should I know? I know, because although I got my Basis Certification five years back, I have re-certified with the latest version of the Associate Certification test. Before you start, here are some key features of the Basis Associate Certification Exam:
- The exam is computer based and you have three hours to answer 80 questions.
- The questions are (mostly) multiple choice and there is NO penalty for an incorrect answer.
- Some of the questions have more than one correct answer. You must get ALL the options correct to be awarded points.
- The official pass percentage is 65% (but this can vary). You will be told the exact passing percentage before you begin your test.
Sample Questions
1. Which RFC will be used to "Read system data remote" from transaction SMSY?
a) SM_<SID>CLNT<Client>_LOGON
b) SM_<SID>CLNT<Client>_READ
c) SM_<SID>CLNT<Client>_TRUSTED
d) SM_<SID>CLNT<Client>_BACK
Answer: b
The RFC destinations within the Solution Manager are as follows:
- SM_<SID>CLNT<Client>_READ: used to read system data remotely from transaction SMSY and to read the Data Collection Method for system monitoring.
- SM_<SID>CLNT<Client>_LOGON: used by System Monitoring for accessing the Analysis Method.
- SM_<SID>CLNT<Client>_TRUSTED: used by the Customizing Synchronization functionality and by System Monitoring for accessing the Analysis Method. This RFC exists in both the Solution Manager and the satellite system.
- SM_<SID>CLNT<Client>_BACK: used to send Service Data and Support Desk messages from the satellite system to the SAP Solution Manager system. This RFC destination is required in the satellite system only.
2. What is the common monitoring system used for Business Process Monitoring in the Solution Manager?
a) CCMS
b) WE02
c) WE05
d) None of the above
Answer: a
Business Process Monitoring in SAP Solution Manager is based on CCMS (transaction RZ20). This means that with the setup of the monitoring, so-called monitoring tree elements (MTEs) are created. Both the CCMS on the SAP Solution Manager system and the CCMS on the satellite system are used. Most monitoring functionalities use the CCMS of the SAP Solution Manager system. These include:
- Application monitors
- Job monitoring
- Document volume monitoring
- Application log monitoring
- Due list log monitoring
3. In your company data backups were scheduled as follows: t1, t2, t3, t4 and t5, and the duration of the backup cycle is 28 days. A disk crash occurred at point t5 and the backup file t3 is defective. What action is required to recover the database without any data loss? (More than one option is correct)
a) You must have all log info backups
b) T4 backup file is sufficient
c) T2 and T4 are required
d) T3 and T4 are required
Answer: a & c
To recover the database without data loss, you must have all log info backups (in this case: t2 and t4) following the data backup t1 and the log information from 28. You must therefore keep older data and log information backups. Some databases also require log information to be able to reset the database. You should therefore ensure that you perform data and log backups regularly. It is recommended that the duration of the backup cycle is 28 days. This means that the backup media for the data and log information backups are not overwritten for at least 28 days. Some databases allow you to import only the data files that are missing. The system then applies all the consecutive log information written since t1 (22, 23, ..). No data will be lost if all log information since the data backup is available with no gaps.
To prevent data loss it is advisable to perform complete data backups every day. Some databases offer the option of differential or incremental data backups that do not back up the complete data of the database, but only the data that has been changed. If you use incremental data backups, you must perform a complete data backup at least once a week. There must be at least four complete data backups contained in the backup cycle. The log information should be backed up at least once a day. It is always better to have two different backup media containing the same information. Perform a data and log information backup with verification of the backup media at least once in the backup cycle.
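The recovery reasoning above, worked through as an added Python example that is not part of the original page: given the data backups, the log backups with the log range each covers, and the crash time, it restores from the newest usable data backup and walks the log chain forward, returning which backups are needed, or None when the chain has a gap. The names, times and the "covers [start, end)" convention are constructed for this example; t3 is marked defective as in the question.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DataBackup:
    """A complete data backup taken at a point in time."""
    name: str
    time: int
    usable: bool = True   # False models a defective backup medium (t3 in the question)


@dataclass(frozen=True)
class LogBackup:
    """A log backup covering the log records written in [start, end) (example's convention)."""
    name: str
    start: int
    end: int


def recovery_plan(data_backups: List[DataBackup], log_backups: List[LogBackup],
                  crash_time: int) -> Optional[Tuple[str, List[str]]]:
    """Return (data backup to restore, log backups to replay in order) for a
    recovery with no data loss up to crash_time, or None if no unbroken log
    chain leads from a usable data backup to the crash point."""
    usable = [b for b in data_backups if b.usable and b.time <= crash_time]
    # Try the newest usable data backup first: it needs the least log replay.
    for base in sorted(usable, key=lambda b: b.time, reverse=True):
        needed: List[str] = []
        covered = base.time          # point up to which the database state is known
        for lb in sorted(log_backups, key=lambda l: l.start):
            if lb.end <= covered:
                continue             # log written entirely before the restore point
            if lb.start > covered:
                break                # gap in the log chain: cannot continue
            needed.append(lb.name)
            covered = lb.end
        if covered >= crash_time:
            return base.name, needed
    return None


# Constructed scenario mirroring the question: data backups at t1 and t3,
# log backups t2 and t4, crash at t5, and t3 is defective.
DATA_BACKUPS = [DataBackup("t1", 1), DataBackup("t3", 3, usable=False)]
LOG_BACKUPS = [LogBackup("t2", 1, 3), LogBackup("t4", 3, 5)]
CRASH_TIME = 5

if __name__ == "__main__":
    print(recovery_plan(DATA_BACKUPS, LOG_BACKUPS, CRASH_TIME))
    # With a gap between the log backups no lossless recovery is possible.
    print(recovery_plan(DATA_BACKUPS, [LogBackup("t2", 1, 3), LogBackup("t4", 4, 5)], CRASH_TIME))
```

If t3 were usable, the same function would restore from t3 and replay only t4, which is why option b only holds when the newer data backup is intact.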
4. How do you estimate the amount of DB space freed by archiving? (more than one option is correct)
a) Transaction SARA
b) SAR_DA_STAT_SPACE_ANALYSIS
c) SAR_DA_STAT_ANALYSIS
d) SARA_DA_STAT_ANALYSIS
Answer: a & c
When writing, deleting, reading, or reloading, statistical data on each archiving run (such as the storage space that has been freed in the database by deletions or the number of deleted data objects) is automatically generated and persistently stored in the database. Data archiving administrators can analyze these figures so that they can better plan future archiving projects and request the necessary resources. Statistics also provide pertinent information on the role of data archiving in reducing the data volume in the database.
The actual data archiving is a process in three steps:
1. Creating the archive file: In the first step, the write program creates one (or more) archive file(s). The data to be archived is then read from the database and written to the archive file(s).
2. Storing the archive file(s): After the write program has completed the creation of the archive file(s), these can be stored.
3. Deleting the data: The delete program first reads the data in the archive file and then deletes the corresponding records from the database.
Steps to analyze the gained space:
1. Go to transaction SARA.
2. Click on Statistics.
3. On the selection screen, enter the archiving objects that you used when launching the archiving jobs.
4. You can also enter the date range covering the dates on which you ran the archiving jobs.
5. Keep the status at "complete" only.
6. Now execute, i.e. display the statistics.
7. In the final report, look at the total for "DB space deleted". Keep in mind that there is both "DB space write" and "DB space delete"; the DB space deleted value tells you the space you have freed up in the SAP R/3 database, i.e. the space gained after running the archiving runs.
You can also use transaction SAR_DA_STAT_ANALYSIS. If you use this transaction, you must enter the client and archiving object manually.
5. After an archiving session you have noticed that, because of a selection error, wrong data has been archived. Is it possible to reload the archived data without inconsistencies? (more than one option is correct)
a) No, it is not possible to load the data
b) If the archiving object has a reload function
c) It has to be reloaded immediately to avoid inconsistencies
d) Only Customizing data can be reloaded
Answer: a & c
From a technical point of view, archived data can be reloaded into the database. However, because this data is essentially historical data that has not been adjusted to changes in the database and its contents, if it is reloaded you risk inconsistencies occurring in the system. For this reason SAP strongly recommends that you do not reload archived data. The only exception to this is where the data is reloaded directly after the archiving process. This function is only to be used when absolutely necessary. If, for example, you loaded data that is incorrect (the Customizing settings are wrong), you may have to do this. The reload function is not available for all archiving objects. Data archiving requires close cooperation between the user and the IT departments. You cannot reload archived master data at any chosen time. You can only do this if the same objects have not been recreated in the system. You can only reload this data if you have archived it incorrectly. Consequently, archiving master data is essentially the same as deleting it from the system. There is only one situation in which data should be reloaded into the database: if, immediately after archiving data, you realize that, as the result of a selection error, too much data was archived, you can reload this data back into the database.
Reloading historical data into the live system's database always carries certain risks. You should ask the following questions:
1. Can the data be completely reconstructed?
2. Does the data still comply with the current Customizing?
3. Has the data in the database been changed in the intervening period (for example, as a result of currency conversion)?
4. Has there been a release upgrade since the data was archived?
In addition to these questions, there is the more general question of the practicability of archiving in practice. Usually, data is archived to make space for new data in the database. The greater the growth of data, the more frequently archiving has to be carried out. The more frequently data is archived, the more likely it becomes that access is required to archived data. It is also more likely that there will be sufficient space in the database to accommodate the required data.
Reload procedure:
1. Use transaction code SARA to open the Archive Administration: Initial Screen window.
2. Choose FI_BANKS as the object name.
3. Press the Enter key.
4. Click Goto > Reload on the main menu of the SAP GUI.
5. Click the Continue icon in the Information window to confirm the message.
6. In the Variant field, specify or select a variant.
7. Press the Maintain button.
8. In both the Bank Country field and the "to" field next to it, type AD.
9. Clear Test Run.
10. Select Detail Log.
11. Click the Save icon.
12. Click the Back icon.
13. Click the Archive Selection button. A list of reloadable archive runs is displayed.
14. Mark the run to be reloaded.
15. Click the Continue icon at the bottom of the window.
16. Click the Start Date button.
17. Click the Immediate button.
18. Click the Save icon at the bottom of the window.
19. Specify or select a suitable printer in the Output Device field.
20. Click the Continue icon (green check mark).
21. Press F8 or click the Execute icon (clock symbol with green check mark).
22. Press Shift+F4 or click the Job Overview icon. You can see that a reload job (REL) has been started for this archiving session.
6. What is the transaction used to import SAP-provided Support Packages into your system?
a) SPAM
b) SAPM
c) SNOTE
d) SARA
Answer: a
The SAP Patch Manager (SPAM) is the customer side of the Online Correction Support (OCS). Transaction SPAM lets you efficiently and easily import SAP-provided Support Packages into your system. You can call transaction SPAM in one of the following two ways:
- Go to the SAP menu and choose Tools > ABAP Workbench > Utilities > Maintenance > Patches
- Enter the transaction code SPAM.
The SAP Patch Manager offers you the following functions:
- Loading Support Packages: You can load the Support Packages you need from the SAPNet Web Frontend, the SAPNet R/3 Frontend, or from Collection CDs into your system.
- Importing Support Packages
- Restart capability: When you import a Support Package into your system, SPAM follows a predefined sequence of steps. If the Support Package process terminates, it can be resumed at a later point in time. Processing restarts at the step that failed.
- Displaying the import status in your system: You can find the import status in your system at any time using transaction SPAM.
Transaction SPAM is integrated into the SAP upgrade procedure. You need the following authorizations to use all SAP Patch Manager functions:
- S_TRANSPRT
- S_CTS_ADMIN
You can find both of them in the authorization profile S_A.SYSTEM. If you log on in client 000 and your user master data contains the corresponding authorization profile, you can use all the functions of the SAP Patch Manager. If you log on in another client or without the correct user profile, you can only use the display functions. Only assign this authorization profile to the system administrator. Only the system administrator should have authorization for:
- Downloading Support Packages
- Importing Support Packages
- Confirming successfully imported Support Packages
- Resetting the status of a Support Package
7. You were assigned to run an ABAP program with more than one selection screen as a background job. How do you supply input to the selection screen and run it as a background job?
a) SPA/GPA Parameter
b) ABAP Memory
c) Variant
d) Function Modules
Answer: c
Every ABAP program can be scheduled as a step of a job. If the ABAP program has one or more selection screens, you must create the input required there in advance in the form of a variant. A variant makes it possible to run an ABAP program in the background although the program requires input. The values stored in the variant are then used during the execution of the program. If an ABAP program has a screen output as its result, this is directed to a spool list. You can specify an email recipient for this spool list when defining the job. This recipient then receives the job output by email after the job has been executed. You must also specify a printer for the creation of spool lists even though, as a result of background processing, there is not necessarily any direct output to a printer (this depends on the printer's access method); the output may have to be started explicitly later.
Screen variants allow you to simplify screen editing by:
- inserting default values in fields
- hiding fields and changing their ready-for-input status
- hiding table control columns and changing their attributes
A screen variant contains field values and attributes for exactly one screen. A screen variant may be assigned to multiple transaction variants, however. Screen variants are always cross-client; they may, however, be assigned to a client-specific transaction. They can also be called at runtime by a program. The different possibilities for calling screen variants guarantee great flexibility of use. A specific namespace has been designated for screen variants and they are automatically attached to the Change and Transport System.
8. What is the scheduler that checks the job scheduling table in the database for jobs that are waiting for processing and transfers them to free background work processes in accordance with their priority?
a) Background job scheduler
b) Time-dependent job scheduler
c) Dialog scheduler
d) Standard job scheduler
Answer: b
The profile parameter rdisp/bctime specifies the time period in which the time-dependent job scheduler is active. Executing jobs with the start condition "immediate" usually bypasses the time-dependent job scheduler. In this case, the dialog work process of the scheduling user performs the job scheduling. Only if no free resources are found is the job concerned scheduled in a time-based way. The scheduled time then corresponds to the time point at which it should have started.
Background work processes can be configured on every instance of the SAP system using the profile parameter rdisp/wp_no_btc. The number of background processes required in the SAP system depends on the number of tasks to be performed in the background. If the transport system is used, there must be at least two background work processes in the system. The combination of the job ID and the job name defines the job uniquely in the system. On every SAP instance on which background work processes are defined, the time-dependent job scheduler runs every rdisp/bctime seconds (default value: 60 seconds); this is an ABAP program that runs automatically in a dialog work process. The time-dependent job scheduler checks the job scheduling table in the database for jobs that are waiting for processing. These jobs are transferred to free background work processes in the SAP instance, in accordance with their priority and execution target.
1. Jobs that are not assigned any particular execution target can be executed by any free background work process. This means that the workload is automatically distributed between the SAP instances.
2. If a job is explicitly assigned an execution target (such as a selected instance or a group of instances), the special properties of the execution target can be used (for example, you can ensure that a job is performed on a particular operating system, or that the job is executed by a background work process that is running on the
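The assignment rule the scheduler applies (priority first, then execution target, otherwise any instance with a free background work process) as an added Python simulation that is not part of the original page. The instance names, job names and the preference for the least loaded instance when a job has no target are this example's assumptions; the real scheduler has more inputs than the passage covers.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PRIORITY_ORDER = {"A": 0, "B": 1, "C": 2}   # job class A is served first


@dataclass
class Job:
    job_id: int                    # job ID plus job name identifies the job uniquely
    name: str
    priority: str                  # "A", "B" or "C"
    target: Optional[str] = None   # instance name, or None for "any instance"


@dataclass
class Instance:
    name: str
    btc_processes: int             # rdisp/wp_no_btc on this instance
    running: List[Job] = field(default_factory=list)

    def free(self) -> int:
        return self.btc_processes - len(self.running)


def scheduler_pass(waiting: List[Job], instances: List[Instance]) -> List[Job]:
    """One pass of the time-dependent job scheduler (what happens every
    rdisp/bctime seconds): hand waiting jobs to free background work
    processes by priority and execution target. Returns the jobs still waiting."""
    by_name: Dict[str, Instance] = {i.name: i for i in instances}
    still_waiting: List[Job] = []
    for job in sorted(waiting, key=lambda j: (PRIORITY_ORDER[j.priority], j.job_id)):
        if job.target is None:
            # no execution target: any instance; prefer the least loaded one (assumption)
            candidates = sorted(instances, key=lambda i: -i.free())
        else:
            candidates = [by_name[job.target]] if job.target in by_name else []
        for inst in candidates:
            if inst.free() > 0:
                inst.running.append(job)
                break
        else:
            still_waiting.append(job)   # no free work process: stays in the table
    return still_waiting


def demo() -> dict:
    """Constructed scenario: two instances, four waiting jobs."""
    app1 = Instance("app1", btc_processes=2)
    app2 = Instance("app2", btc_processes=1)
    waiting = [
        Job(1, "C_ANY", "C"),
        Job(2, "A_APP2", "A", target="app2"),
        Job(3, "B_ANY", "B"),
        Job(4, "C_APP2", "C", target="app2"),
    ]
    left = scheduler_pass(waiting, [app1, app2])
    return {"waiting": left, "app1": app1, "app2": app2}


if __name__ == "__main__":
    state = demo()
    for inst in (state["app1"], state["app2"]):
        print(inst.name, [j.name for j in inst.running])
    print("still waiting:", [j.name for j in state["waiting"]])
```

In the scenario the class A job takes the only background work process on app2, so the class C job that is pinned to app2 stays in the scheduling table until the next pass, while the untargeted jobs are spread onto app1.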
9. What is the memory area in the Java VM where objects that have been required for a longer period of time by an application are stored?
a) Permanent generation
b) Young generation
c) Tenured generation
d) Persistent generation
Answer: c
The three main memory areas of the VM, the young, tenured and permanent generations, differ from one another in the data stored in them. Objects that have been newly created by the applications are stored in the young generation. Objects that have been required for a longer period of time by an application are automatically moved to the tenured generation. The newer objects are in the young generation and the older objects are in the tenured generation. Objects that are permanently required by the VM, such as classes and methods, are stored in the permanent generation. Objects that are no longer required by the applications are automatically removed from the generation. This process is known as garbage collection. For the young generation, you can define the initial size with the parameter -XX:NewSize, and the maximum size with the parameters -XX:PermSize and -XX:MaxPermSize. You cannot directly define the initial and maximum sizes of the tenured generation. These are calculated from the parameters for the young generation and the parameters -Xmx and -Xms. The parameter -Xmx is called the max heap size and defines the total size of the young and tenured generations. The parameter -Xms is called the start heap size or initial heap size and defines the total initial size of the young and tenured generations.
In addition to the memory area for the generations, the VM also reserves space for its processes and threads.
10. What is the repository that provides versioning source code administration in the context of the SAP NetWeaver Development Infrastructure, and therefore allows the distributed development of software in teams and the transportation and replication of sources?
a) Design Time Repository
b) Version Management
c) Application Repository
d) Database Repository
Answer: a
The Design Time Repository (DTR) provides versioning source code administration in the context of the SAP NetWeaver Development Infrastructure, and therefore allows the distributed development of software in teams and the transportation and replication of sources. At the start of the development, you must make the repository aware of the intended change and arrange a change list (activity) to record the changes. The files are then checked out of the DTR and changed locally (offline, as it were). After the changes have been successfully made, the sources are then checked back into the DTR. Using the check-in mechanism, the changes to the components take effect when the activities are released.
The DTR consists of two parts, the DTR client and the DTR server. The main activities of the individual developers, such as checking files in and out, and creating sources, are performed in the SAP NetWeaver Developer Studio; the DTR client's part is, in turn, performed automatically. The DTR server manages the data versioning. All files are stored in a file. The resources are accessed in the context of a workspace, and versioning is administered in the context of activities. Put another way: the workspace refers to a set of resources, each in exactly one version. This also means a resource can be referenced in multiple workspaces. If a versioned resource is changed or deleted, a new version is created for this resource. Each version of the resource created in a specific workspace receives a unique sequence number. The sequence number specifies the order in which the versions were created in this workspace. The DTR displays the relationship between individual versions of a versioned resource graphically as a version graph. The structure of the DTR is illustrated below:
11. What is the thread pool that is responsible for system activities such as backup and background optimization for loaded and held data?
a) Application thread pool
b) System thread pool
c) Cluster Manager
d) HTTP requests pool
Answer: b
The System Thread Pool exists both for the dispatcher and for the server. The Thread Manager transfers values to the System Thread Pool. The System Thread Pool is responsible for system activities such as backup and background optimization for loaded and held data. You do not usually adjust the server threads, since the time of the load is very short. By default, the value 100 is set.
The Application Thread Manager supports the threads in which source code must be executed. When an HTTP request reaches SAP NetWeaver AS Java it is passed on to an application thread. The application thread pool shows the requests that arrive in the system.
The Cluster Manager is responsible for the communication within the SAP NetWeaver AS Java cluster. It is used to exchange messages between the cluster elements. Every cluster node has a connection to the message server, with which short messages can be exchanged. Special services require server-to-server communication, which is always performed using the message server for small quantities of data. If the quantity of data is larger, a direct connection is provided. The lazy threshold parameter determines when each type of communication is used.
12. How can you obtain information related to individual (user) activities that are running distributed across multiple components?
a) Single Activity Trace
b) Single User Trace
c) Individual User Trace
d) JRM User Trace
Answer: a The Single Activity Trace (SAT) is used to trace individual (user) activities, which are running distributed across multiple components. If a performance problem occurs, use SAT to start more detailed analysis in a component. The Single Activity Trace is based on data that is provided by Java Application Response Measurement (JARM).
This means in practice that all SAP Java applications that are instrumented with JARM can write an SAT. A separate Single Activity Trace is written on each component. The traces are combined using passports. Each request receives a passport, which is transferred to all of the components involved.
All user actions that are processed within a called application are recorded. If, for example, you create users in the User Management Engine (UME), performance data is recorded for the logon process for the UME, for the call of the Create User application, and for saving the details.
The SAT data is automatically written to the trace file for every request and component using the SAP Logging API. You can display this trace file using the Log Viewer.
Sample Questions
User Types
Q1. The AS ABAP categorizes users into several types for different purposes. Which of the following are
Purpose:
- Individual, interactive system access.
- Background processing and communication within a system (such as RFC users for ALE, Workflow, TMS, and CUA).
- Dialog-free communication for external RFC calls.
- Dialog user available to a larger, anonymous group of users.
- General, non-person related user that allows the assignment of additional identical authorizations, such as for Internet users created with transaction SU01. No logon is possible.
Q2. Security: Java security roles on the AS Java can be defined either globally or locally. Which of the following are globally defined security roles in AS Java?
a) Guest
b) All
c) System
d) KeystoreViewCreator
Answer: a, b, d
The following standard roles exist (role and permissions):
- All: Security role used as a sum of all roles defined on the AS Java.
- Administrators: This role has unrestricted administrative permissions over the applications and services on the AS Java.
- Guests
- KeystoreViewCreator: This role has permissions to only create new keystore views. By default only the Administrators user group is mapped to this role.
Q3. The ABAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. Which of the following statements are false?
a) Business objects or transactions are protected by authorization objects
b) The authorizations are combined in an authorization profile that is associated with a role.
c) Authorization changes only take effect when the user next logs on to the system.
d) An aggregated profile consists of any number of authorization profiles.
e) The objects (such as authorizations, profiles, user master records, or roles) are assigned independent of client.
Answer: e
To access business objects or execute SAP transactions, a user requires corresponding authorizations, as business objects or transactions are protected by authorization objects. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that the user can use the appropriate transactions for his or her tasks. The following diagram shows the authorization components and their relationships.
A composite profile consists of any number of authorization profiles. Authorizations allow you to specify any number of single values or value ranges for a field of an authorization object. You can also allow all values, or allow an empty field as a permissible value. If you change authorizations, all users whose authorization profile contains these authorizations are affected. As a system administrator, you can edit authorizations in the following ways:
- You can extend and change the SAP defaults with role administration.
- You can change authorizations manually. These changes take effect for the relevant users as soon as you activate the authorization.
The programmer of a function decides whether, where and how authorizations are to be checked. The program determines whether the user has sufficient authorization for a particular activity. To do this, it compares the field values specified in the program with the values contained in the authorizations of the user master record. The objects (such as authorizations, profiles, user master records, or roles) are assigned per client. If you develop your own transactions or programs, you must add authorizations to your developments yourself (see Authorization Checks in Your Own Developments).
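The authorization concept described above, modelled in Python as an added example that is not part of the original page: authorizations holding single values, value ranges or "*" for a field of an authorization object, simple and composite profiles, roles assigned through a client-specific user master record, and a check that passes only when one authorization permits every field value the program asks for. S_TCODE (field TCD) and F_BKPF_BUK (fields BUKRS, ACTVT) are real authorization objects; the profile, role and user names and the field values are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Sequence, Tuple, Union

# Permitted values for one field: single values, inclusive ranges (low, high), or "*".
Allowed = Sequence[Union[str, Tuple[str, str]]]


@dataclass
class Authorization:
    """An instance of an authorization object: permitted values per field."""
    obj: str
    values: Dict[str, Allowed]


@dataclass
class Profile:
    """A profile carries authorizations; a composite profile carries other profiles."""
    name: str
    authorizations: List[Authorization] = field(default_factory=list)
    profiles: List["Profile"] = field(default_factory=list)

    def all_authorizations(self) -> Iterator[Authorization]:
        yield from self.authorizations
        for sub in self.profiles:
            yield from sub.all_authorizations()


@dataclass
class Role:
    name: str
    profile: Profile


@dataclass
class UserMaster:
    """User master record; role assignments are client-specific."""
    client: str
    user: str
    roles: List[Role]


def value_allowed(allowed: Allowed, value: str) -> bool:
    for entry in allowed:
        if entry == "*":                     # all values permitted
            return True
        if isinstance(entry, tuple):         # value range, inclusive
            low, high = entry
            if low <= value <= high:
                return True
        elif entry == value:                 # single value ("" only if listed explicitly)
            return True
    return False


def authority_check(master: UserMaster, client: str, obj: str, **required: str) -> bool:
    """Model of an AUTHORITY-CHECK: passes if one authorization for the object,
    reachable through the user's roles in this client, permits every field
    value the program asks for. A field the authorization does not carry fails."""
    if master.client != client:
        return False
    for role in master.roles:
        for auth in role.profile.all_authorizations():
            if auth.obj != obj:
                continue
            if all(value_allowed(auth.values.get(f, ()), v) for f, v in required.items()):
                return True
    return False


# Constructed sample: a display-only FI profile plus a job-monitoring profile,
# bundled into a composite profile behind one role for user JSMITH in client 100.
FI_DISPLAY = Profile("Z_FI_DISPLAY", [
    Authorization("S_TCODE", {"TCD": ["FB01", "FB03"]}),
    Authorization("F_BKPF_BUK", {"BUKRS": [("1000", "1999")], "ACTVT": ["03", "08"]}),
])
JOB_MONITOR = Profile("Z_JOB_MONITOR", [Authorization("S_TCODE", {"TCD": ["SM37"]})])
COMPOSITE = Profile("Z_AP_CLERK_COMP", profiles=[FI_DISPLAY, JOB_MONITOR])
CLERK = UserMaster("100", "JSMITH", [Role("Z_AP_CLERK", COMPOSITE)])

if __name__ == "__main__":
    print(authority_check(CLERK, "100", "F_BKPF_BUK", BUKRS="1500", ACTVT="03"))  # True
    print(authority_check(CLERK, "100", "F_BKPF_BUK", BUKRS="1500", ACTVT="01"))  # False
    print(authority_check(CLERK, "200", "S_TCODE", TCD="FB01"))                   # False: other client
```

The check in a client the user is not maintained in fails even though the role exists, which is the point of statement e being false; the composite profile is what lets SM37 pass although it sits in a different simple profile.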
Q4. The AS ABAP communicates with its communication partners using various protocols. Each of these protocols uses a specific security mechanism. Which of the following protocols are matched up correctly with the security mechanism?
a) DIAG: SSL
b) RFC: SSL
c) HTTP: SNC
d) LDAP: SSL
Answer: d
The AS ABAP protocols and their security mechanisms are as follows:
- DIAG: SNC
- RFC: SNC
- HTTP: SSL
- LDAP: SSL
Q5. Functions in the SLD are protected from unauthorized access. For this purpose, you can find several AS Java security roles and User Management Engine (UME) actions that are assigned to different SLD functions. Before you can use the SLD, you have to map these roles and actions to individual users or user groups. Which of the following user groups exist in the standard system and are matched correctly to the permissions they carry?
a) SAP_SLD_GUEST: Read access to SLD data
b) SAP_SLD_DEVELOPER: Create, modify, and delete CIM instances of the Name Reservation subset (includes all read permissions)
c) SAP_SLD_DATA_CONSUMER: Data consumer without access to the SLD UI
d) SAP_SLD_ADMINISTRATOR: Administrative tasks (includes all other roles)
Answer: a, b, d
The following user groups exist in the standard system (UME role/user group and permissions):
- SAP_SLD_GUEST: Read access to SLD data.
- SAP_SLD_SUPPORT: Read-only access to all SLD data and UIs, including the Administration area (used for SAP support).
- SAP_SLD_CONFIGURATOR: Create, modify, and delete CIM instances of the Landscape Description and Name Reservation subsets (includes all read permissions).
- SAP_SLD_DATA_SUPPLIER: Create, modify, and delete CIM instances of the Landscape Description subset as a data supplier without access to the SLD UI.
- SAP_SLD_DEVELOPER: Create, modify, and delete CIM instances of the Name Reservation subset (includes all read permissions).
- SAP_SLD_ORGANIZER: Create, modify, and delete all types of CIM instances (includes all read permissions).
- SAP_SLD_ADMINISTRATOR: Administrative tasks (includes all other roles).
Q6. With reference to the LDAP directory and the UME, which of the following are true?
a) The LDAP directory can either be connected as a read-only data source or as a writeable data source
b) The UME can support users as a tree or a flat hierarchy
c) The Distinguished Names (DNs) of user and group objects must not be longer than 240 characters.
d) If you are using an LDAP directory with a deep hierarchy, you can assign users or groups as members of another group using the UME user administration tools.
Answer: a, b, c
User Management Engine (UME) can use an LDAP directory as its data source for user management data. The LDAP directory can either be connected as a read-only data source or as a writeable data source. Some of the Key features of the LDAP directory are:
The LDAP directory has a hierarchy of users and groups that is supported by UME. The hierarchies supported by UME are: Groups as tree Flat hierarchy The administrator of the LDAP directory must create a user that UME can use to connect to the
LDAP server. This user should have read and search permissions for all branches of the LDAP directory. If UME also needs to write to the LDAP directory, the user must additionally have create and change authorizations. The Distinguished Names (DNs) of user and group objects must not be longer than 240 characters.
You should not create groups with the names of the default groups, that is, Everyone, Authenticated Users, and Anonymous Users. If you create a group with one of these names through the native user interface of your LDAP directory, you will not get an error message, and your user management will no longer function correctly. If you try to create a group with one of these names through the user management administration console, you will get an error message.

Similarly, you should not create users with the same user ID as one of the service users used internally. The service users adhere to the naming convention XXX_service, where XXX is the name of the corresponding application. Again, if you use the native user interface of your LDAP directory, you will not get a message, and your user management will no longer function correctly.

If user management is set up with write access to an LDAP directory, the following restriction applies: when assigning members to a group that is stored in the LDAP directory, you can only assign users or groups that are also stored in the LDAP directory. You cannot assign users or groups from the database to groups from the LDAP directory. You can, however, assign users and groups stored in the LDAP directory to a group in the database. If you are using an LDAP directory with a deep hierarchy, you cannot assign users or groups as members of another group using the UME user administration tools.

Even if you use the native tools of the LDAP directory, you should not move users or groups to a different location in the directory. This is because the unique ID that the UME uses to identify the user or group contains the Distinguished Name of the user or group. If the user or group is moved to a different location in the LDAP directory, the Distinguished Name changes and, as a result, the unique ID changes as well. Any information about roles that were assigned to the user or group is lost.
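The constraints above (DNs no longer than 240 characters, no groups named like the default groups, no user IDs that collide with the XXX_service naming convention) are easy to violate from the directory's native tools, where nothing warns you. The following script is an added example, not part of the original post or of any SAP tool: it scans an LDIF export for exactly those three conditions before the directory is attached to the UME. The sample directory data, the function names and the set of group object classes it recognizes are constructed for this example; the limits themselves are the ones stated in the text.

```python
import re

# Constraints stated in the UME/LDAP notes above. The sample directory data,
# the function names and GROUP_CLASSES are constructed for this example.
MAX_DN_LENGTH = 240
RESERVED_GROUP_NAMES = {"everyone", "authenticated users", "anonymous users"}
GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "group"}
SERVICE_USER_RE = re.compile(r"^[A-Za-z0-9]+_service$", re.IGNORECASE)


def parse_ldif(text):
    """Parse a minimal LDIF export into a list of {attr: [values]} dicts.

    Handles folded lines (continuation lines start with a space) and skips
    comments. Base64 (::) and URL (:<) values are not needed for these checks.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr:      # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():                         # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def check_entry(entry):
    """Return a list of (issue_code, detail) for one directory entry."""
    issues = []
    dn = entry.get("dn", [""])[0]
    classes = {c.lower() for c in entry.get("objectclass", [])}

    if len(dn) > MAX_DN_LENGTH:                     # UME limit on DN length
        issues.append(("dn_too_long", f"{len(dn)} chars"))

    if classes & GROUP_CLASSES:                     # group named like a default group
        for cn in entry.get("cn", []):
            if cn.lower() in RESERVED_GROUP_NAMES:
                issues.append(("reserved_group_name", cn))

    for uid in entry.get("uid", []):                # user ID shaped like XXX_service
        if SERVICE_USER_RE.match(uid):
            issues.append(("service_user_name_collision", uid))
    return issues


def check_ldif(text):
    """Run every check over an LDIF export; returns [(dn, code, detail)]."""
    findings = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", [""])[0]
        for code, detail in check_entry(entry):
            findings.append((dn, code, detail))
    return findings


# Constructed sample export (not from a real directory). The third user has a
# 261-character DN, which exceeds the 240-character limit.
LONG_UID = "u" * 230
SAMPLE_LDIF = f"""\
dn: cn=Everyone,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: Everyone
member: uid=jdoe,ou=users,dc=example,dc=com

dn: cn=Basis Admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: Basis Admins
member: uid=jdoe,ou=users,dc=example,dc=com

dn: uid=portal_service,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: portal_service

dn: uid={LONG_UID},ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: {LONG_UID}

dn: uid=jdoe,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
"""

if __name__ == "__main__":
    for dn, code, detail in check_ldif(SAMPLE_LDIF):
        print(f"{code:30} {detail:12} {dn[:60]}")
```

Run it against a real `ldapsearch -LLL` export of the user and group branches the UME service user can read; a clean run returns no findings, and each finding names the DN to fix before the directory is connected.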
Q7. You have a mixed system landscape including both SAP and non-SAP systems, or you have an existing corporate LDAP directory in your system landscape. User management data is stored in a combination of an LDAP server and a database. Which of the following data is written to and read from the LDAP server?
a) Additional data (for example, information about when a user was last changed)
b) Other principal types (for example, roles)
c) Groups (displayname, description, uniquename, and the group members)
d) User accounts (logonid, password, ID of the assigned user)
Answer: c, d
The following data is written to and read from the LDAP server:
- Users (displayname, lastname, fax, email, title, department, description, mobile, telephone, streetaddress, uniquename, group membership, and any other attributes defined through attribute mapping)
- User accounts (logonid, password, ID of the assigned user)
- Groups (displayname, description, uniquename, and the group members)

The following data is written to and read from the database:
- Additional data (for example, information about when a user was last changed)
- Other principal types (for example, roles)
- Additional attributes (for example, attributes not covered by the standard object classes of the LDAP server)
Q8. The LDAP Connector is called using ABAP functions and communicates with the directory server using the Lightweight Directory Access Protocol (LDAP). The connection with the directory server can be created with various analysis methods, such as simple binding or anonymously. The above statement is:
a) True
b) False
Answer: a
The LDAP Connector is a software component that controls the access request of the SAP system to a directory server. The LDAP Connector is called using ABAP functions and communicates with the directory server using the Lightweight Directory Access Protocol (LDAP). The connection with the directory server can be created with various analysis methods, such as simple binding (user ID and password) or anonymously (guest account with no password).
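As an added illustration of the two connection modes named in the answer (a simple bind carrying a DN and password versus an anonymous bind with an empty DN and no password), the following code encodes and decodes the LDAP BindRequest message as it appears on the wire. It is not part of the original post or of SAP's LDAP Connector; the tag values come from the LDAP (RFC 4511) and BER encoding rules, while the helper names and the sample DN are constructed for this example.

```python
# Minimal BER encoder/decoder for the LDAP BindRequest (RFC 4511). Helper
# names and the sample DN are constructed for this example; tag values are
# from the LDAP/BER specifications.

TAG_SEQUENCE = 0x30          # universal, constructed SEQUENCE
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60      # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80       # [0] primitive: AuthenticationChoice.simple
LDAP_VERSION = 3


def _length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _length(len(value)) + value


def _integer(n):
    # Non-negative integers only (message IDs, protocol version); a leading
    # zero octet is added when the top bit would otherwise read as a sign.
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")
    return _tlv(TAG_INTEGER, body)


def encode_bind_request(message_id, dn="", password=""):
    """LDAPMessage { messageID, BindRequest { version, name, simple } }.

    An empty dn and password produce an anonymous bind; a non-empty pair is a
    simple bind. A simple bind carries the password unprotected, so it must
    run over TLS (LDAPS or StartTLS) to keep the service user's password safe.
    """
    bind = (_integer(LDAP_VERSION)
            + _tlv(TAG_OCTET_STRING, dn.encode("utf-8"))
            + _tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))
    return _tlv(TAG_SEQUENCE, _integer(message_id) + _tlv(TAG_BIND_REQUEST, bind))


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                                # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(data):
    """Parse a BindRequest and classify it; raises ValueError on bad input."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    tag, ver, pos = _read_tlv(bind, 0)
    tag2, name, pos = _read_tlv(bind, pos)
    tag3, auth, _ = _read_tlv(bind, pos)
    if (tag, tag2, tag3) != (TAG_INTEGER, TAG_OCTET_STRING, TAG_SIMPLE_AUTH):
        raise ValueError("unsupported bind structure")
    dn = name.decode("utf-8")
    mode = "anonymous" if not dn and not auth else "simple"
    return {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(ver, "big"),
            "dn": dn, "mode": mode}


if __name__ == "__main__":
    print(encode_bind_request(1).hex())                       # anonymous bind
    msg = encode_bind_request(2, "cn=sapldap,ou=service,dc=example,dc=com", "s3cret")
    print(decode_bind_request(msg))                           # simple bind
```

The anonymous bind is the 14-byte message `300c020101600702010304008000`; whichever mode the connector is configured for, the password in a simple bind is only as protected as the transport underneath it, which is why the bind DN should be a read-only service account (as the notes on the LDAP service user above require) and the session should be encrypted.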
Q9. The User Management Engine (UME) allows you to define a security policy. With reference to this, which of the following statements are true?
a) The number of failed logon attempts after which a user is locked is defined in the security policy.
b) The UME security policy is independent of the security policy of the UME data source.
c) You can define a security policy for the UME that is the same or stronger than the corresponding security policy in the backend system.
Answer: a, b, c
The User Management Engine (UME) allows you to define a security policy that controls aspects such as the length and content of user passwords and user IDs, the validity length of user passwords, or the number of failed logon attempts after which a user is locked. The UME checks for compliance with this policy when users log on to the J2EE Engine, when users register themselves using the self-registration features of the UME, when users or administrators change user passwords in the J2EE Engine, or when administrators create new users on the J2EE Engine. If the security policy is not adhered to, the UME provides detailed error messages.

The UME security policy is independent of the security policy of the UME data source, in particular if the UME uses ABAP user management or an LDAP directory as a data source. It does not take into account any special features of the data source's security policy. This means that if the data source has defined its own security policy, there is no standard interface to pass on any error messages received from the data source to the UME user in the same level of detail and in the correct language. The user only receives a very generic error message. For example, the UME security policy specifies a minimum password length of 6 whereas the ABAP user management defines a minimum password length of 8. When an administrator creates a user and defines a password of length 6 for the user, the password adheres to the UME policy but not to the ABAP policy. As a result, the administrator gets a generic error message saying that the password is invalid, but not specifying why it is invalid.

There are two options to configure the security policy of the UME, both with different implications:

1. You define a security policy for the UME that is the same or stronger than the corresponding security policy in the backend system.
Result: Users and administrators receive detailed error messages.
Implication: Error tracing is easier because you only need to look in the log files of the UME. Only in very rare cases will you need to look in the log files of the data source (ABAP or LDAP).
Disadvantage: If the backend system can be accessed directly (for example, an ABAP system) or serves as data source for other systems using a UME with different security policy settings, users or administrators might get different reactions for different access paths if the security policy is not the same.

2. You define a very relaxed security policy for the UME.
Result: The UME security policy is so relaxed that any violations of the security policy will take place in the data source. The UME does not pass on the error messages from the backend in full detail, and as a result users and administrators receive generic error messages.
Implication: Users are confused as to how they violated the security policy. Error tracing becomes more difficult because you need to look in two locations, both in the UME log files and in the backend log files.
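The two-stage behaviour described above (detailed messages from the UME check, a generic "invalid" from the data source) is worth modelling, because it shows why option 1 is the one to aim for and gives a concrete configuration check. The code below is an added example, not part of the original post or of the UME itself: it reproduces the page's numbers (UME minimum length 6 versus ABAP minimum length 8), and the policy class, the extra criteria beyond length, and the function names are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Subset of a password policy. The page's example only uses the minimum
    length; the two other criteria are constructed for this example."""
    name: str
    min_length: int
    require_digit: bool = False
    require_letter: bool = False

    def violations(self, password):
        """Detailed list of reasons a password fails THIS policy."""
        reasons = []
        if len(password) < self.min_length:
            reasons.append(f"{self.name}: shorter than {self.min_length} characters")
        if self.require_digit and not any(c.isdigit() for c in password):
            reasons.append(f"{self.name}: no digit")
        if self.require_letter and not any(c.isalpha() for c in password):
            reasons.append(f"{self.name}: no letter")
        return reasons


def set_password(password, ume_policy, backend_policy):
    """Model the two-stage check described in the text.

    The UME validates against its own policy and reports in detail. Only a
    password that passes the UME goes to the data source, whose own policy
    violations come back as a single generic message.
    """
    ume_reasons = ume_policy.violations(password)
    if ume_reasons:
        return ("rejected_by_ume", ume_reasons)
    if backend_policy.violations(password):
        return ("rejected_by_backend", ["password is invalid"])
    return ("accepted", [])


def policy_is_at_least_as_strict(ume_policy, backend_policy):
    """Configuration check for option 1 in the text: the UME policy must be
    the same as or stronger than the backend policy on every criterion, so
    that no violation can surface first in the backend."""
    return (ume_policy.min_length >= backend_policy.min_length
            and (ume_policy.require_digit or not backend_policy.require_digit)
            and (ume_policy.require_letter or not backend_policy.require_letter))


# Constructed policies reproducing the page's example: UME 6 versus ABAP 8.
ABAP_POLICY = PasswordPolicy("ABAP", min_length=8, require_digit=True)
RELAXED_UME = PasswordPolicy("UME", min_length=6)                     # option 2
ALIGNED_UME = PasswordPolicy("UME", min_length=8, require_digit=True)  # option 1

if __name__ == "__main__":
    for ume in (RELAXED_UME, ALIGNED_UME):
        strict = policy_is_at_least_as_strict(ume, ABAP_POLICY)
        print(f"{ume.name} min_length={ume.min_length} covers backend: {strict}")
        print("  abcdef ->", set_password("abcdef", ume, ABAP_POLICY))
```

With the relaxed UME policy a six-character password is rejected by the backend with nothing but "password is invalid"; with the aligned policy the same attempt is rejected by the UME with the exact criterion, which is the behaviour option 1 promises. The `policy_is_at_least_as_strict` check is what to run whenever either side's policy is changed.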
Q10. What are the best practices for establishing a connection of the type 'Establishing Trust for Server-Side Authentication'?
a) Generate the key pair on the server component.
b) Use a public-key certificate that is signed and issued by a CA.
c) Make sure the client components trust the issuing CA.
d) It is necessary for the server to verify the identity of the client component.
Answer: a, b, c
SSL Scenario: Establishing Trust for Server-Side Authentication

In this case, the client component needs to verify the identity of the server component; it is not necessary for the server to verify the identity of the client component. To establish the trust relationship for this type of connection when using either of the security products provided by SAP, the following are recommended:
- Generate the key pair on the server component.
- Use a public-key certificate that is signed and issued by a CA. In this way, it is easier to establish trust on the client components. If you use a self-signed certificate for SSL, then each client has to import the server's public-key certificate to establish the trust relationship.
- Make sure the client components trust the issuing CA. Most Web browsers are provided with a list of well-known CAs; however, if you are working with other client components, you must import the CA's root certificate on that component.

See the figure below for an example of establishing trust between a Web browser client and an AS ABAP for server-side authentication only, using a certificate that is signed by a CA.
Q11. The SAP Cryptographic Library is the default security product delivered by SAP for performing encryption functions in SAP systems. With reference to the SAP Cryptographic Library, which of the following are true?
a) You can only use the SAP Cryptographic Library for SNC between server components.
b) The server must possess a public and private key pair and public-key certificate, which is stored in the server's Personal Security Environment (PSE).
c) The SAP Cryptographic Library can be used for SNC between server components as well as front-end components.
d) At run-time, the server must have active credentials.
Answer: a, b, c
The SAP Cryptographic Library is the default security product delivered by SAP for performing encryption functions in SAP systems. For example, you can use it for providing Secure Network Communications (SNC) between various SAP server components or for using the Secure Sockets Layer (SSL) protocol with the AS ABAP. You can only use the SAP Cryptographic Library for SNC between server components. If you want to use SNC for front-end components (for example, SAP GUI for Windows), then you must purchase an SNC-certified partner product.

When using the SAP Cryptographic Library for SNC, the following information is necessary for the communication infrastructure:
- The server and its communication partners must be configured for using SNC.
- The server must possess a public and private key pair and public-key certificate, which is stored in the server's Personal Security Environment (PSE). Although you may obtain a certificate from a trusted Certification Authority (CA), for easier administration we recommend using a certificate that is signed by the server itself (self-signed). This documentation refers only to configuring the server when using a self-signed certificate.
- At run-time, the server must have active credentials. This is accomplished by using the configuration tool to "open" the server's PSE.
- The server must be able to verify its communication partner's identity. This is accomplished by importing the partner's public-key certificate into the server's own certificate list. As an alternative, you can use the same PSE for all server components.