Hello All,


I am writing this blog to discuss the use of RFC nodes for sending messages with SAPconnect (e.g. Fax, Internet Mail, etc.) from the SAP system in Netweaver Release >730.


Since SAP NetWeaver release 7.0, the SAPconnect RFC interface was no longer supported for e-mail however it was still supported for the transmission of different send methods (e.g. Fax). Since SAP release Netweaver 7.3, you can maintain only SMTP nodes in transaction SCOT, it is no longer possible to maintain RFC nodes in SCOT.


Before I go any further I will quickly discuss the differences in functionality between SMTP and RFC nodes. In my opinion SMTP is much superior, this is due to the features provided by using a SMTP node. Faxes, SMS, etc. can also be sent/received in the SAP system using SMTP since release 6.20, see note 455140. I do not know why anyone would choose RFC over SMTP. Read on for my reasons!


The administration of SMTP requires less effort than RFC due to the direct communication with the SMTP Plug-in and the mail server, an additional connector, setting-up and maintaining an RFC connection is no longer required. SMTP offers much better monitoring and analysis options, e.g. storing MIME documents, monitoring outgoing/incoming messages and an improved trace. Another advantageous feature is the creation and processing of SMTP status notifications (DSN, MDN).


Security is a hot topic at present, the SMTP interface has much more security than RFC can offer. SMTP supports transmission through a secure connection (TLS, Transport Layer Security). It also supports mechanisms for authentication on the SMTP server (SMTP AUTH). None of these are available when using the RFC interface. Also certain application scenarios can only be carried out for incoming e-mails using the SMTP interface, for example Inbound distribution.


On a side note the 'look' of SCOT has changed in the newer release as you can see in screenshot below, please review this wiki for an more in-depth description of the new layout.



However it is still possible to maintain RFC nodes in the SAP system, this must now be done through transaction SCON which has the look of the 'old' transaction SCOT as you can see below:


The steps to create the RFC node are the same as in earlier release's using the Wizard, that is in the menu follow path Node -> Create -> RFC node, then you choose the Name of the node, the RFC Destination, Address type and the general configuration.


More details on configuring the RFC node can be found in SAP Help.


The following note offers more information related to the end of support for RFC interface: Support for SAPconnect RFC interface


Thanks for reading!!

I could also have called it

"The missing or outdated documentation syndrome"


"Stop playing with my SPRO path"

or just

"700, 701, 702, 710, 711, 720, 730, 731, 740"


Warning this blog post contains cryptic SAP acronyms that might be ununderstandable for non-basis consultant...


SAP always had a problem with documentation... and in some area if you finally succeed in finding some explanations they are either outdated or not relevant to your specific scenario. For instance on AD/SSO solution for BO the latest available documentation (from 2013) is still based on Windows 2000 and the sestspn parameter are wrong !


I just went through some rough time on ADS configuration for printing PDF from a GRC RM WDA (WebDynrpo Abap).

A Non SAP-aware person would consider this to be a very simple task like installing a PDFcreator on the client PC... but the printing solution is really complex and requires installing a Java instance for hosting ADS, and also installing BI Java usage on it.

I was not able to find a clear and complete documentation so I did first install a java instance with only ADS usage... and it was not working... so I found some document that suggest that BI Java usage was required. Too bad for me, I was on a 740 system and now the SUM is required to install new Java usage... this imply connecting my Java system to solution manager and run an MOPZ scenario...


After installing and configuring all the mess (JCO, RFC dest...) I did get an error :

(sap.com/com.sap.ip.bi.webdynpro.alv.pdf, BW-BEX-ET-WJR) Exception Message no. SALV_WD_MSG701

That error did reference note 1413938 - WD ABAP ALV - creating print version that tells to "Specify the service to generate the PDF document" through a SPRO path valid for 740… but I did not find that path on my 740 SP05 system.

After spending some more time searching SCN / SMP I did found note 1630587 - WD ABAP ALV: IMG paths for Customizing Settings that did provide all the different possible SPRO paths for that option depending on NW release.

Too bad none of these paths were available in my version…. I've tried on few 740 systems and in fact the path provided in the note only exist on the latest SP08 version, for all previous SP no access to that option !

I did catch the underlying report / table (SALV_WD_CUSTOMIZING / SALV_WD_ADMIN) and could run it on my 740 SP05.. to find that the point was already appropriately configured !


I did notice that the ADSUSER account gets locked… and I was not able to track how. I did activate the SM19 security audit log but no events were logged, no records for these failing connections. So the wrong logging must come from the Java WAS.


By the end my problem was a stupid misconfigured password (and a wrong account as I used ADSUSER instead of ADS_AGENT) in the SOA template destination "ConfigPort_Document".




Just a simple BC work by the end, it took me a week to install & configure everything.

It was tough to explain to my customer that 5 days are required to configure PDF printing !

Then I almost lost a full day to track a simple password error.


As a BC freelance consultant I make my living on SAP complexity … so I should not criticize it too much, but sometime it really going too far !


I hope the new S/4 will make everything simpler… but I'm afraid that this "simplicity" will only concern business process and not the basis layer nobody cares about.






1413938 - WD ABAP ALV - creating print version

This SAP Note is valid only for the following releases (related to your Application Server ABAP):

    SAP NW Release 7.02

    SAP NW Release 7.30

    SAP NW Release 7.31

    SAP NW Release 7.40

Navigate to the following folder (see SAP Note 1630587 as well)

Path for releases < SAP_BASIS Release 7.40:

-> Application Server -> SAP List Viewer (ALV)

Path for releases as of SAP_BASIS Release 7.40:

-> SAP NetWeaver -> UI Technologies -> SAP List Viewer (ALV)


1882863 - WD ABAP ALV - Troubleshooting for print version

First check your installation and configuration in accordance with SAP Notes:

    918236 - WD ABAP ALV - creating print version

    valid for SAP NetWeaver Releases 7.00, 7.01, 7.10, 7.11

    1413938 - WD ABAP ALV - creating print version

    valid for SAP NetWeaver Releases 7.02, 7.30, and higher


1630587 - WD ABAP ALV: IMG paths for Customizing Settings

SAP_BASIS 7.00 & 7.01

  + SAP NetWeaver Implementation Guide    + Application Server     + Web Screen for ABAP     + Set-Up Printing for Web Screen ABAP ALV         - System-Wide Settings for the Web Dynpro ABAP ALV


  + Implementation Guide for R/3 Basis Customizing    + Base      + SAP List Viewer (ALV)


  + SAP NetWeaver Implementation Guide    + Application Server      + Web Dynpro for ABAP

        + Set-Up Printing for Web Dynpro ALV      - System-Wide Settings for the Web Dynpro ABAP ALV


  + SAP NetWeaver Implementation Guide   + Application Server      + Web Dynpro ABAP

        + Set-Up Printing for Web Dynpro ALV     - System-Wide Settings for the Web Dynpro ABAP ALV


+ Implementation Guide for R/3 Basis Customizing     + Base       + Web Dynpro for ABAP     + Set-Up Printing for Web Dynpro ABAP ALV      - Client-Sprecific Settings for the Web Dynpro ABAP ALV       - Generic Crystal Report Layout Maintenance


+ Implementation Guide for R/3 Basis Customizing     + Application Server       + SAP List Viewer (ALV)


+ SAP Customizing Implementation Guide     + SAP NetWeaver       + Application Server         + SAP List Viewer (ALV)


+ SAP Customizing Implementation Guide     + SAP NetWeaver       + UI Technologies         + SAP List Viewer (ALV)

So far there has been many incidents with such complaint.

However system administrators seem to have different definition of 'hang'.
Although such issue can usually be resolved by a restart, Root Cause Analysis is usually pursued.


This blog tries to sort things out for system admins.

At least, the system admin had better know which logs should be collected before the restart, so that we can grab a chance for RCA.


/* 'Server hang' is definitely a gigantic topic - this blog will try not to dig into further technical details. */

1. Clearly define the symptom.

  • Is it occurring only upon some specific operation? Or on whole system?
  • Is it occurring only for specific J2EE / Portal user?
  • Is it occurring only on specific client PC / browser?
  • Is it occurring only on newly-logged-on users? Is it also occurring on already-logged-on users?
  • Is it occurring with or without load balancer?
  • Is it occurring on all instances / server nodes?
  • Is AS Java 'green' in SAP MMC / SAP MC?

Besides all above, screenshots / HTTP Watch trace are definitely helpful.

These questions help you as well as SAP support to understand your problem.

2. How to proceed the RCA

Firstly some basic rules:

- If Load Balancer blocks the way -> check with LB vendor.

- If dispatcher / ICM / server node has died -> don't expect a normal behavior. Check work folder and defaultTrace.

- If issue only occurs on specific client PC / browser -> check if browser is supported as per PAM. And check if this PC has any peculiarities against others.

- If issue only occurs on certain instance / server nodes -> check below steps agains that specific instance / server node.

- If issue occurs on consumer portal under FPN scenario, also check the provider system.

- Last but not least, make sure there's enough CPU/RAM/Disk resource on OS.

Regarding other scenarios, for simplicity, you can collect below trace together.

- HTTP Watch trace

- Thread dump or SAP JVM Profiler trace, on server node (and also dispatcher for 7.0X)

- work folder

- defaultTrace

- SAP MMC Snapshot

// If you have to know why these traces are necessary:


- Scenario 1

  AS Java is running, responding, but some specific application returned a blank page (browser is no longer loading the page). Other applications are working fine.

  In this case, server is not actually in 'hang' status.

  -> Collect HTTP Watch trace so that we can see where it stopped.

  -> Also check PAM to see if the IE version is supported.


- Scenario 2

  AS Java is running, responding, but some specific application did not respond and browser is still waiting. Other applications are working fine.

  We must check where it actually hangs during HTTP traffic - it might be on AS Java, on AS ABAP, or on 3rd party system, or simply on network.

  -> In this scenario, HTTP Watch trace will be necessary at very first place.

  -> In many cases it is indeed hanging on AS Java - see below.



- Scenario 3

  AS Java is running but not responding. Or, it is refusing new requests but still serving the old ones.
  It is very likely that (some specific kind of) threads are exhausted, and we must check at runtime.

  -> Collect thread dump or SAP JVM Profiler trace when issue IS OCCURRING. This is necessary to tell the root cause.

  -> Collect SAP MMC Snapshot for 7.10 onwards.

  -> Collect work folder logs

  -> Collect defaultTrace



N.B., it's not a guarantee that the logs listed above are 100% enough for every issue. But it's a good start.

At least it's better than "Hey, system hang occurred. What's the root cause? We MUST prevent it."

Immediately after installing a NetWeaver Java system there are a handful of basic configuration steps common to most systems, regardless of usage type. For the most part these are well-covered in the installation guide and the online help documentation, as well as various SAP Notes, but here I will summarize the steps and give a few recommendations about options. Examples will be for a Windows/SQL Server platform, but generally you should be able to substitute your own platform.


NetWeaver 7.4 SR2 Java Post-Install Basic Configuration



Options During Installation

Installation Guide

The installation itself is well described in the installation guide found at http://service.sap.com/instguides -> Installation & Upgrade Guides -> SAP NetWeaver -> SAP NetWeaver 7.4 -> Installation -> 2 - Installation - SAP NetWeaver Systems -> Installation: Systems Based on SAP NetWeaver 7.1 and Higher -> MS SQL Server -> Java.



You will need to download from http://support.sap.com/software.html -> Installations and Upgrades -> Browse our download catalog -> SAP NetWeaver and complementary products -> SAP NetWeaver -> SAP NETWEAVER 7.4 -> Installation and Upgrade -> Microsoft Windows -> Microsoft SQL-Server:

  • NW 7.4 SR2 Java 1/2
  • NW 7.4 SR2 Java 2/2
  • SAP Kernel 7.42 Windows Server on x64 64bit


Then from Installation and Upgrade -> SOFTWARE PROVISIONING MGR 1.0 -> Windows on x64 64bit:

  • SWPM10SP07 (or successor)


If you don't already have a copy of SAPCAR for unpacking archives, you can find it at Support Packages and Patches -> Browse Download Catalog -> Additional Components -> SAPCAR -> SAPCAR 7.20 -> Windows on x64 64bit.


Diagnostics Agent

It's easy to miss in the guide, but the recommendation is to install the Diagnostics Agent before installing the application server. This is done with the same SWPM tool as for the primary installation, and uses the same kernel archive as a source. After launching SWPM, choose Generic Installation Options -> Diagnostics in SAP Solution Manager -> Install -- Diagnostics Agent with 7.41/7.42 Kernel.


The Diagnostics Agent installation will simultaneously install the SAP Host Agent.


One important note is to choose your destination drive carefully, as this will end up being the same destination drive for your AS Java (they both reside under the same \usr\sap folder, in different subfolders). Subsequent installations of SAP components on the same host will default to (and generally be forced to) the same drive as the first installation, so this is when you are making that decision.


NetWeaver Administrator Remote Access

Typically the first step after completing the installation (and getting a backup) is to allow remote access to NetWeaver Administrator (NWA). As you will be using this tool quite a bit for the remainder of the configuration, it makes sense to do this first. By default, access to NWA is restricted to browsers installed on the local host, i.e. the server itself, which is only useful if you intend to constantly use Remote Desktop to the server console. While it certainly makes sense to restrict which workstations or network segments have access to this powerful tool, you will likely want to expand it to beyond just the server console.


From the server console, open Windows Explorer and navigate to \usr\sap\<SID>\SYS\global\security\data. Make a backup copy of the file icm_filter_rules.txt and then edit the file.


First, you will probably want to insert some line breaks to make it more readable, as out-of-the-box it appears to be all on one line. Then insert one or more lines so that the resulting file looks like this:


# ICM Rewrite Rules for NWA (restrict access to local host and internal segment)

if %{REMOTE_ADDR} !stricmp [AND]

if %{REMOTE_ADDR} !stricmp ::1 [AND]

if %{REMOTE_ADDR} !regimatch 10.x.x.*

RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/.*$ /nwa/remote_access_error [QSA]


In the 4th line, substitute the appropriate network segment for "10.x.x.*" to include your administrative workstation.


Restart the system and confirm that you can access NWA via http://<hostname>:50000/nwa to confirm correct configuration.


SAP License

Next up is the SAP License. From NWA, navigate to Configuration -> Infrastructure -> Licenses. Use Change System Type to set the type of system (dev, test, production, etc). Make a note of the hardware key.


In a different browser window, navigate to http://support.sap.com -> Keys, Systems & Installations -> View or request license keys -> Request Key from Install. Select the appropriate Installation Number, click New System, and fill in the appropriate information, including the hardware key. After submitting, you will typically get an email response back from SAP in a matter of minutes with the license in an attached file. Save the file.


Back in NWA, in the Licenses screen, click Install from File and browse to the received file.


System Data in SAP Support Site

Now, switch back to your support.sap.com window. Select Keys, Systems & Installations -> Manage my system data -> View and edit your system data. Search on your new SID and edit the system.


At this time you should maintain the Usage Type (i.e., Adobe Document Services, etc), the kernel version and patch, the SAP Router information, and basic details about the DB Server (hostname, IP address, instance numbers (00 and 01), and 'yes' to Message Server; don't worry about OS and DB versions, as they'll be corrected automatically later). This provides a base to which Solution Manager can later synchronize details.


SPML Access

Later, when you execute Managed System Configuration in Solution Manager, it will be necessary for at least one administrative user to have spml (Service Provisioning Markup Language) access, as described in Note 1647157 (How to Set up Access to the SPML Service on AS Java).


From NWA, navigate to Configuration -> Identity Management. Switch to view Roles, then click Create Role. Give the new role the following attributes:

  • Unique Name: Z_SPML_FULL_ACCESS
  • Assigned Users: Administrator (or create a dedicated service user for Solution Manager access with user management privileges)
  • Assigned Actions:
    • Search on *spml* and select and add the following two Actions:
      • Spml_Write_Action
      • Spml_Read_Action



Configuration of SSL is described in the online help at http://help.sap.com/saphelp_nw74/helpdata/en/4a/015cc68d863132e10000000a421937/frameset.htm. Here, however, is an overview of the steps.


Cryptographic Library

The cryptographic library (CommonCryptoLib 8.4) is included with the 7.42 kernel, so there is no need to separately download and install it. You will find it already present at \usr\sap\<SID>\SYS\exe\uc\NTAMD64\sapcrypto.dll.


Ticket File

What is missing, however, is the 'ticket' file. You can create your own easily enough, however.


Navigate to \usr\sap\<SID>\J00\sec. Create an empty text file and save it as ticket (no extension). That's it. Without this, SSL will not function.


SSL Access Point

In NWA navigate to Configuration -> Security -> SSL. Under SAP Java Instances confirm that SSL Status is green. If it's not, the most likely cause is a missing ticket file (see above). Note at this point it is normal for the Status under SSL Access Points to be red.


  • Under SSL Java Instances click Edit.
  • Under SSL Access Points click Add.
    • Set the Port to 50001 and save. Do not restart at the prompt.


SSL Key Pair

  • Ensure you have the appropriate CA (Certificate Authority) root certificate available. If not, you can generally download it as an X.509 Certificate (.cer) file from your chosen CA. If there are any other CA root certificates necessary to enable trust of other systems by this system, make them available now, too.
  • Select Back or Home at the top of the screen and navigate to Configuration -> Security -> Certificates and Keys.
  • Select the Key Storage View ICM_SSL_xxxxx.
  • Delete all the default View Entries (SAPPassportCA, ssl-credentials, and ssl-credentials-cert). Note that these are copies of templates found in the service_ssl view, so they can always be recovered.
  • Click Import Entry.
    • Entry type: X.509 Certificate
    • Browse to and import the CA root certificate.
  • Click Create.
    • Entry Name: <hostname of this system>
    • Leave most other fields at default (RSA, 2048 bits, etc).
    • Select the checkbox for Store Certificate.
    • For commonName enter the fully-qualified domain name (FQDN) of your system. I.e., javahost.domain.com
  • Select the new private key you just created and click Generate CSR Request.
    • Choose the options required by your CA. If this is an internal-only server and you are using your own CA, such as Microsoft Certificate Services, select Base64 PKCS#10 and download the .pem file.
  • In a new window, navigate to your CA and submit your certificate request using the file you just downloaded. If you are using MS Certificate Services as an internal CA, choose Advanced certificate request and Submit a certificate request by using a base-64... Open the file you downloaded with Notepad and copy the contents into the Saved Request field and submit.
  • When you have the response from the CA, download it as Base64 encoded certificate chain and save it as hostname.p7b.
  • Back in NWA, with your private key selected, click Import CSR Response, browse to the p7b file, add it and import it.
  • Under Key Storage Views, with the ICM_SSL_xxxxx view selected, click Export View to PSE. A restart of the SSL Provider is necessary, but you can wait until after you configure the next section.


SLD Data Supplier Connection

Although you probably configured this during the installation, it's likely that it didn't "take" and you'll need to configure it again now.


  • Still in NWA, navigate to Configuration -> Infrastructure -> Destinations
  • Under Destination List click Create.
    • Destination Name: SLD_DataSupplier
    • Destination Type: HTTP
    • URL: http(s)://<SLD hostname>:<SLD http(s) port>/sld
    • Select the checkbox for Ignore SSL Server Certificates
    • Authentication: Basic (User ID and Password)
    • User Name: SLDDSUSER (or SLD_DS_<SLDSID> if you have a newer release SLD)
  • Click Create again
    • Destination Name: SLD_Client
    • All other details are the same as for SLD_DataSupplier
  • Navigate to Configuration -> Infrastructure -> SLD Data Supplier Configuration
  • Click Collect and Send Data and ensure success.


Restart System

Restart your application server (to enable SSL), then logon using https://<hostname>:50001 to check the certificate and configuration.


Logon to your SLD system and confirm successful registration of your new AS Java.


You're now ready to proceed with Managed System Configuration in Solution Manager, after which you can set up a maintenance transaction to apply the latest Support Package Stack. That, however, is beyond the scope of this blog post.


This has been a quick overview of the basic initial configuration steps common to all AS Java 7.4 systems.



In Java 8, PermGen (i.e., the memory space defined by -XX:PermSize and –XX:MaxPermSize) is removed.


This change has come to SAP JVM:

2109745 - SAP JVM 4.1 Patch Collection 48 (build 4.1.048)

2109829 - SAP JVM 5.1 Patch Collection 82 (build 5.1.099)

2109726 - SAP JVM 6.1 Patch Collection 68 (build 6.1.073)

2109853 - SAP JVM 7.1 Patch Collection 25 (build 7.1.026)


It is mentioned:

The permanent generation (aka. PermGen) was removed. Classes metadata, previously stored in the permanent generation, has been moved to either native memory or the Java heap. This change does not impact the user. In fact, it simplifies the process of sizing the Java Virtual Machine’s memory generations. The parameters 'PermSize' and 'MaxPermSize' no longer need to be specified.



What is changed


Now the memory model is changed as below – simply removed the PermGen.


Where has the objects in PermGen gone?

  • Class metadata will be moved to a new space called metaspace (in native memory, on OS, out of JVM).
  • Interned strings and class statics will be moved to Java heap.



How are we affected

/* This section is mainly for SAP NetWeaver Java (EP, XI, BI, ...) */


Perhaps you'll ask (some did already): “Do we have to set larger heap size? It includes Perm now!”

  • Legacy parameter –XX:PermSize and –XX:MaxPermSize will be ignored by JVM now.
  • Generally VM parameters does not require further tuning.
    • Class metadata is now out of JVM, hence there's no need for tuning of VM parameter.
    • Class statics usually takes very limited memory space, hence there's little impact.
    • In most cases, -XX:-StringInternTableInPermGen is already set. That means, the interned Strings are already in Java heap.
      Hence you there's no need for tuning either.
    • The only exception is when -XX:-StringInternTableInPermGen is not set, plus significant amount of interned strings are used.
      In this situation, heap size should be increased accordingly.
  • Memory usage on OS level should not change significantly. I have contacted note owner of Note# 1824799 to see if an update is possible.



Hope this helps


BR, Tom

of course it depends what is in the transport but its always a good solution to do transports at times with low activity like lunch or evenings


for program-changes, there might occur a DUMP (/NST22) Type LOAD_PROGRAM_LOST, this is nothing critical as the next time when the user calls the program it will be the new version.


For Classes (typical CRM) there might be DUMPS with LOAD_PROGRAM_CLASS_MISMATCH (Users have to re-login into CRM Session again)

for CRM it might be necessary to reset Shared Memory (Webui caching) using /NSHMM see  KB http://service.sap.com/sap/support/notes/1870987


most critical are changes in data dictionary structures (tables and structures):


if after a transport into the production system a lot of transaction generate a short dump with 'LOAD_TYPE_VERSION_MISMATCH', one of the transported tables/structures/append was used during generation of the new structure which causes a mismatch in dictionary and not matching with the current load of the abap reports.

if this is for example VBAP or BSEG, you might have thousands of dumps in a short time an nobody can work


the table is active in data dictionary and also the new field is corretly transported, its just a load-version that does not match. solution is described in sap note 1567187 - LOAD_TYPE_VERSION_MISMATCH


in the dump you see the table name which causes the problem

first you should just activate this table in se11 again


if this does not help, use program TOUCHTAB, after that all programs using this structure will be generated next time someone calls the report (this takes just a sec, or select 'direct generation' for immediate generation - this will take some time

if you have multiple appservers they need to be restarted (you can try with transaction code $sync first)



another common issue with transports into production is, that if a db-index has to be re-generated, the update process is stopped during the generation,

this might be too long for large tables

Many a times you raise an incident with SAP Support about a performance issue on Java server, only to realize that you missed saving the necessary logs. The problem you face now is : You have already restarted the system or the problem seems to disappear  but you still need the root cause lest the problem should appear again

This article provides you some guidelines on which logs need to be collected before you trigger that all important "restart" of Java server.



1) Slow Java start-up : That moment when you wait forever for the state to change from starting application/framework to running

- Thread Dumps(Most Important) : When the start-up or the system even when it is up hangs, trigger thread dumps. To do so, use these notes depending on the Netweaver release


1955835 - AS Java server node hangs at starting phase - What To Do for 7.0X

1953845 - AS Java server node hangs at starting phase - What To Do for 7.10+



You need to capture at-least 3-4 dumps at an interval of 1 minute. This is done to get a complete picture of the hang situation. For example, if a thread consistently shown as blocked/hanged in all the thread dumps then the problem lies there. You can also do thread dump analysis on your own using the tool in SAP note#1020246 - Thread Dump Viewer for SAP Java Engine


Apart from the above method, you can use SAPJVM profiler tool as well. The SAP JVM Profiler helps to analyze the resource consumption of a Java application running on a SAP Java VM.

To collect profiling information for a slow start-up , use the SAP Knowledge Base Article(KBA) 1995883 - Analyzing slow AS-JAVA startup using the SAPJVM profiler. Send the output *.prf file to SAP Support.



2) High CPU consumption : You have situations where some Java processes start consuming High CPU. It is very important to collect the right logs while the issue is happening. Thread dumps come handy here as well but for systems running on SAPJVM, it is recommended to use SAPJVM profiler to collect the required data. For this, use the SAP KBA#1783031 - Analyzing AS Java performance with SAP JVM Profiler



3) Outofmemory issues. Many a times you'll see Java server restarts/becomes unresponsive with "outofmemory"(dev_serverX log in work directory says "JControlCloseProgram: good bye... (exitcode = 666)" or "java.lang.OutOfMemoryError "). The most important log file is the heap dump generated during the crash. This dump will usually be found  /usr/sap/<SID>/<instance>/j2ee/cluster/serverX. It will normally have the format *.hprof. The size of this file will be equal to the heap memory consumption at the time of the crash. Send this file to SAP support before deleting it permanently. This file is automatically generated if the profile parameter is set.  Note 1004225 - How to create a full HPROF heap dump of J2EE engine ; will help you in setting these parameters.



4) Slow response from the server/ enterprise portal: Here again thread dumps and SAPJVM profiler output are needed. Capture the logs when the issue is occurring in the same way as for slow startup.



6) It is always recommended to attach these logs while raising an incident 1) Logs mentioned in 1867207 - Collecting traces to troubleshoot Netweaver AS Java runtime/startup issues 2) SAPMMC snapshot : Refer to KBA 1847251 How to create an MMC snapshot about an SAP system. If the issue is not reproducible at will, mention the last time-stamp when the issue occurred(of course, attach the logs from the same time period). In addiction, do inform about any changes that were done on the system.


Like we all know, there is an option to push the data from an ABAP only satellite system to a Java only based SLD. However, the same old technique doesn't help when you have your SLD on a netweaver platform equivalent or above 7.3.


We have recently completed 7.4 AEX (Advanced Adapter Engine Extended) on Linux platform with Oracle DB. Post AEX installation, we have decided to push the data of our existing ERP system to the SLD of the newly installed AEX. As we all know, in a Java only SLD system, we have to edit the profile at the SLD level to adapt and use the gateway of an existing ABAP system of your choice (may be highly available) to receive data from the ABAP only systems (eg. ERP). The same approach did not help as Java itself has its own gateway service/process from NW 7.3 and above as shown below.


<host name>:<sid>adm 51> ps -ef|grep gw

<sid>adm 10542 10522  0 Nov05 ?        00:00:10 gw.sap<SID>_SCS01 pf=/usr/sap/<SID>/SYS/profile/<SID>_SCS01_<host name> -no_abap



As we have the Java only SLD on NW 7.4, you can use its own gateway service provided you set the parameter "gw/acl_mode = 0" in the SCS instance profile of SLD. But, this parameter can also be set to 1 ensuring that you have properly maintained the reg_info and sec_info files in your Java only SLD system.


Once you are done with maintaining this parameter, you have to restart the SLD system (SAP) and proceed with the below steps.


Steps to be followed in your Java only SLD system:

Launch SLD (http://<host name of SLD>:5<instance number>00/sld).

Click on administration

Click on Settings


In the Section drop-down, select ALL. Ensure you have the entries maintained for Gateway Host and the Gateway Service as shown below.


Save the settings. Restart the SLD.


Steps to be followed in your ABAP only satellite systems:

Go to RZ70, adapt the gateway parameters as shown below.



Activate these settings and click on “Start the data collection”.

This should push the information of the satellite ABAP only system to the Java only SLD.

When I am in Projects I see often that People do not understand how certificates work,

However this is easy to answer...


A Protocol like https, ldaps or what ever need certificates to work secure as the encryption is

based on the them. You can have selfsigned certificates (normal case when you have just installed a Netweaver System)

or CA signed certificates. Using self signed certificates in a Project can make a lot of effort, use a CA when ever possible.


But why there are certificate errors?

Once the communication starts the Caller check the following things in the Certificate he received:

1. Do I know the Issuer of the certificate?

2. Is the certificate in a valid time window.

3. Is the CN exactly that what was called


How to check whats wrong with the Certificate?


1. Do I know the Issuer of the certificate?




Check the certificate:

CA Certificate_1.png


If  you don't trust this CA or self signed certificate it looks like this:

CA Certificate_3.png

Read and execute

To Trust the certificate import it:

CA Certificate_2.png

CA Certificate_1.png

CA Certificate_1.png

CA Certificate_1.png

CA Certificate_2.png

Now you trust the Certificates from this Issuer.

If you still receive Errors check the next Question:


2. Is the certificate in a valid time window.

After some time Certificates are on their EOL. ^

You can check easily by looking into the Valid from - to Property

CA Certificate_3.png


The most common problem come from different CNs what bring us to the last question:


3. Is the CN exactly that what was called

Each Certificate have a CN Which you can see in the Issued to Property:

CA Certificate_3.png

Assuming this certificate is issued to CN=hostname.domain.local, ensure that you exactly call this within your application,

otherwise it will fail.

Often in Projects is that someone calls https://hostname:port/application instead of https://hostname.domain.local:port/application

and then is blaming about certificate errors



To segregate the developments in the phases of project deployments/ BU implementations, you can create a local project and assign the transports.

different Phases like

  • Development phase
  • Break fix phase etc.


     Go to t code SPROJECT_ADMIN

  Click on create

Give the project name


Fill the required details



Once you fill the details go to transport requests tab


Click on Activate CTS functionality as below, to enable the

transport functionality.


Then the CTS functionality will activated.





I tried local client copy after installation while scheduling the client copy the below error came and solved as below.


Local client copy
error:  FINBTR@<SID>CLNT<client> destination not exist error



When I tried to
perform a client copy I got the above error in new system (after installation).



Create entry in SCC4 for new client


And logged in the target client


T Code: SCC4


Source 001


Target is 100



  •      Clicked on schedule as background job and next screen as





After this click on schedule job.


  • Then it gave an error with a pop up of FINBTR@<SID>CLNT<client>
    destination not exist



Solution:  Create the above destination by clicking on WIZARD option in the pop up (once the
error came)



  • It will open new screen and continue with RFC creation and
    give a password and proceed next.
  • Then the RFC will be created successfully and the actions as




Click on tick mark and check sm59 ….FINBTR* RFC will be



Now you can proceed with client copy without any error.


and continue



successfully completed.






Hi Experts,


I will explain the procedure for changing released TR into unrelased TR. i.e; modifiable state. There is no option given explicitly for chaning the released TR into unreleased TR in STMS or SE01 Transactions. we have to follow the below steps.


1. Go to SE38

2. execute the report RDDIT076




3. now, we will get the below screen which asks for TR/Tasks . give the released TR number and execute (F8)



4. Once executed, you will get the below window,



5. first we need to change the task to unreleased. double click on the task number. now, click on the pencil button to enter edit mode.then click on input help on the filed "Status"



6. change the status from "R" to "D" and save


7. now repeat the steps 5 and 6 for Transport request. finally the status column should be in "D" as shown in below. To_blog_6.jpg


8. now goto SE01 or SE09, type the TR number and check. it will be in modifiable state.





  • When you access NetWeaver java for example NWA, portal,
  • You see script error relevant to messagebundle_xx_XX.properties. e.g. messagebundle_ja_JP.properties
  • Or in httpwatch trace, you see the 404 request like:404 messagebundle_ja_JP.properties.PNG


[reason and prequist]

This 404 JS error is not real error and can be ignored.

The user has been assigned the locale as "ja_JP" and the resourcebundle for Japanese is with "_jp" and not with "ja_JP".

So first it tries to look for the locale specific file if not found it loads the language based file which will works.




The SAP Net Weaver Application Server is a web application server defined for SAP solutions. The Web AS is the base on which most of SAP products operate. The SAP application server consists of five layers including presentation layer, business layer, integration layer, connectivity layer, and persistence layer. However, the SAP Net Weaver Application Server supports HTTPS for encrypted communication. In this article, we will reveal about installation of SSL certificate into SAP Web Application server 6.10+.

Before going through the installation of SSL certificate, we have to aware about SSL Server PSE (Personal Security Environment). It contains the application server’s security information that is being used while SSL communication. It is a certificate list used by the server for the authentication purpose. The application server makes use of this list to decide which CAs the server believes. Now let us go through the procedure of SSL installation into SAP server.

Generate CSR:

To install SSL certificate, you must create a certificate request (CSR) that uses an SSL server PSE. Check individual SSL server PSE in Trust Manager by elaborating SSL server PSE node and click on the server, it appears the server’s name and for which you have to generate the CSR.


  • Browse Trust Manager and expand the SSL server PSE node.
  • Select the application server, in the PSE maintenance section it shows the application server’s certificate.
  • Select “Create Certificate Request” from the PSE maintenance section, and a dialogue box will be there showing the certificate request.
  • Select the content shown in the certificate request and copy or save the content to a local file (<file name>.P10).


Installation of SSL certificate on SAP Net Weaver Application Server 6.10+:

  • Download the Intermediate Certificate and save as it as "intermediate.crt" on your server.
  • Open the Trust Manager and click to elaborate the SSL server PSE node.
  • To assign an individual Certificate to each application, you should follow the below steps.
    • Click on the desired application server, you will see SSL server PSE in the PSE maintenance section.
    • Import Cert. Response. You will find a dialog box for the certificate request response.
    • In the dialogue box, paste the content of Certificate Request Response or select the local file from the system.
    • Now, you can see in the PSE maintenance section a signed public key certificate that is imported into the SSL server PSE.
    • To view information about the imported certificate, click on it. The details of the certificate will be shown in the certificate maintenance section.
    • Finally, save the complete data.


Importing the CA's Root Certificates if Not Located in the Certificate Database

  • Go to Certificate section and select “Import Certificate”, it will show a certificate dialogue.
  • Choose the Database tab.
  • Choose the certificate from the certificate database and select Enter.
    You can see the certificate in the certificate section.
  • Now, select “Add to Certificate List”.
    The certificate will be added to the certificate list, which you can see in the PSE maintenance section.
  • Save the data.


Importing the CA's root certificate from the File System:

  • Go to Certificate section and select “Import Certificate”, it will show a certificate dialogue.
  • From the file system, enter the suitable file name and choose the file format. In case, if you are not sure about the certificate’s file format, then open the certificate in a Notepad. If the content of the certificate is readable then it is a Base 64 format.
  • You can see the certificate in the certificate maintenance section.
  • Now select “Add to Certificate List”. The certificate will be added to the certificate list, which you can see in the PSE maintenance section.
  • Save your data.


Importing the CA's root certificate from Different PSE:

  • Click on SSL Server PSE node to choose the application server. Check PSE maintenance section where PSE and the certificate list will be shown.
  • You can see the certificate in the certificate maintenance section. Click on the certificate.
  • In the SSL server PSE node, choose a single application server with a double click.
  • Now select “Add to Certificate List”. The certificate will be added to the certificate list, which you can see in the PSE maintenance section.
  • Save your data.
Samuli Kaski

HTTPURLLOC demystified

Posted by Samuli Kaski Jun 4, 2014

Recently I had to configure table HTTPURLLOC in order to support a scenario where users were either accessing the system externally through a hardware reverse proxy connected to SAP Web Dispatcher or the SAP system directly. In this blog I want to share my experience with SCN members.


The first take away from this blog is that HTTPURLLOC can't be used for switching from one protocol to another nor rewriting URLs, that happens elsewhere (e.g. Web Dispatcher modification rules, portal configuration, ICF node settings, etc). HTTPURLLOC has values with valid protocol, host and port combinations that can be used to generate URLs, otherwise the generic URL generation of the system is used. That is why HTTPURLLOC is called an exception table, not a URL generation table.


So now how does it work? Basically the system looks at the request object and tries to determine the requested host, this is usually the virtual host name, DNS alias, etc. which was requested by the client, e.g. the browser. This is the second take away. The host as requested by the client should be preserved throughout the request, even if there are other proxies, load balancers, etc. in the loop. If the client browser requests abc.company.com, this host should be visible in the request object of the SAP system. The only way to guarantee it is that all appliances/programs are instructed to preserve the host that was requested by the client. Apache has the PreserveProxyHost directive for it, Web Dispatcher does it automatically, others might require further configuration.


The third take away is that as with the host requested by the client, the protocol used by the client must be preserved as well. This is especially important if HTTPS is terminated before the request hits the SAP system. Again, configuration directives might be required to insure this. Apache has the RequestHeader directive which can be used to set variable clientprotocol to either HTTPS or HTTP depending on the scenario. Web Dispatcher does it automatically assuming wdisp/add_client_protocol_header is set to true, others might require further configuration.


The fourth take away is to understand how entries in HTTPURLLOC are matched against the request. The most important variable is the protocol, second most important variable is the host, third most important variable is the application and last one is the domain. If the client requested abc.company.com with protocol HTTPS and assuming that the host and protocol are preserved meaning the SAP system sees the original values, the HTTPURLLOC table is queried first for all entries that have the protocol HTTPS. Next the requested application is checked, then the domain and finally the host. There are several rules which will affect the end result meaning whether the entry in HTTPURLLOC will be used or not, the best way is to figure it out yourself by debugging method IF_HTTP_SERVER~GET_LOCATION_EXCEPTION of ABAP class CL_HTTP_SERVER.


The fifth take away is to understand that HTTPURLLOC is client specific and especially if you are using System Logon, you will have to configure HTTPURLLOC for client 000 as well as the clients you use.


The sixth and last take away is to understand that in case the requested host is unknown (it is possible in some scenarios), HTTPURLLOC will be queried based on the protocol and the first match will be used (in ascending order, based on SORT_KEY).


Update 11/22/14: in case you want to generate URLs in an offline scenario (background job, classic GUI transaction, basically anything where there is no IF_HTTP_SERVER object), you should create a default entry in HTTPURLLOC and set the SORT_KEY value to the smallest value of all entries. For example, if you want to generate all NWBC URLs with specific protocol, port and host values, create an entry with the lowest SORT_KEY value and set the application to /NWBC/. That way, regardless in which context the NWBC URL is generated, the URL to NWBC will be generated using the values you specified with the lowest SORT_KEY. The key here is to set a value for APPLICATION.


I hope this blog will save others time and headaches trying to figure out the mysteries of HTTPURLLOC. See also the official documentation on URL Generation in an AS-ABAP - Web Dispatcher Configuration.


Filter Blog

By author:
By date:
By tag: