When I am in Projects I see often that People do not understand how certificates work,

However this is easy to answer...


A Protocol like https, ldaps or what ever need certificates to work secure as the encryption is

based on the them. You can have selfsigned certificates (normal case when you have just installed a Netweaver System)

or CA signed certificates. Using self signed certificates in a Project can make a lot of effort, use a CA when ever possible.


But why there are certificate errors?

Once the communication starts the Caller check the following things in the Certificate he received:

1. Do I know the Issuer of the certificate?

2. Is the certificate in a valid time window.

3. Is the CN exactly that what was called


How to check whats wrong with the Certificate?


1. Do I know the Issuer of the certificate?




Check the certificate:

CA Certificate_1.png


If  you don't trust this CA or self signed certificate it looks like this:

CA Certificate_3.png

Read and execute

To Trust the certificate import it:

CA Certificate_2.png

CA Certificate_1.png

CA Certificate_1.png

CA Certificate_1.png

CA Certificate_2.png

Now you trust the Certificates from this Issuer.

If you still receive Errors check the next Question:


2. Is the certificate in a valid time window.

After some time Certificates are on their EOL. ^

You can check easily by looking into the Valid from - to Property

CA Certificate_3.png


The most common problem come from different CNs what bring us to the last question:


3. Is the CN exactly that what was called

Each Certificate have a CN Which you can see in the Issued to Property:

CA Certificate_3.png

Assuming this certificate is issued to CN=hostname.domain.local, ensure that you exactly call this within your application,

otherwise it will fail.

Often in Projects is that someone calls https://hostname:port/application instead of https://hostname.domain.local:port/application

and then is blaming about certificate errors



To segregate the developments in the phases of project deployments/ BU implementations, you can create a local project and assign the transports.

different Phases like

  • Development phase
  • Break fix phase etc.


     Go to t code SPROJECT_ADMIN

  Click on create

Give the project name


Fill the required details



Once you fill the details go to transport requests tab


Click on Activate CTS functionality as below, to enable the

transport functionality.


Then the CTS functionality will activated.





I tried local client copy after installation while scheduling the client copy the below error came and solved as below.


Local client copy
error:  FINBTR@<SID>CLNT<client> destination not exist error



When I tried to
perform a client copy I got the above error in new system (after installation).



Create entry in SCC4 for new client


And logged in the target client


T Code: SCC4


Source 001


Target is 100



  •      Clicked on schedule as background job and next screen as





After this click on schedule job.


  • Then it gave an error with a pop up of FINBTR@<SID>CLNT<client>
    destination not exist



Solution:  Create the above destination by clicking on WIZARD option in the pop up (once the
error came)



  • It will open new screen and continue with RFC creation and
    give a password and proceed next.
  • Then the RFC will be created successfully and the actions as




Click on tick mark and check sm59 ….FINBTR* RFC will be



Now you can proceed with client copy without any error.


and continue



successfully completed.






Hi Experts,


I will explain the procedure for changing released TR into unrelased TR. i.e; modifiable state. There is no option given explicitly for chaning the released TR into unreleased TR in STMS or SE01 Transactions. we have to follow the below steps.


1. Go to SE38

2. execute the report RDDIT076




3. now, we will get the below screen which asks for TR/Tasks . give the released TR number and execute (F8)



4. Once executed, you will get the below window,



5. first we need to change the task to unreleased. double click on the task number. now, click on the pencil button to enter edit mode.then click on input help on the filed "Status"



6. change the status from "R" to "D" and save


7. now repeat the steps 5 and 6 for Transport request. finally the status column should be in "D" as shown in below. To_blog_6.jpg


8. now goto SE01 or SE09, type the TR number and check. it will be in modifiable state.





  • When you access NetWeaver java for example NWA, portal,
  • You see script error relevant to messagebundle_xx_XX.properties. e.g. messagebundle_ja_JP.properties
  • Or in httpwatch trace, you see the 404 request like:404 messagebundle_ja_JP.properties.PNG


[reason and prequist]

This 404 JS error is not real error and can be ignored.

The user has been assigned the locale as "ja_JP" and the resourcebundle for Japanese is with "_jp" and not with "ja_JP".

So first it tries to look for the locale specific file if not found it loads the language based file which will works.




The SAP Net Weaver Application Server is a web application server defined for SAP solutions. The Web AS is the base on which most of SAP products operate. The SAP application server consists of five layers including presentation layer, business layer, integration layer, connectivity layer, and persistence layer. However, the SAP Net Weaver Application Server supports HTTPS for encrypted communication. In this article, we will reveal about installation of SSL certificate into SAP Web Application server 6.10+.

Before going through the installation of SSL certificate, we have to aware about SSL Server PSE (Personal Security Environment). It contains the application server’s security information that is being used while SSL communication. It is a certificate list used by the server for the authentication purpose. The application server makes use of this list to decide which CAs the server believes. Now let us go through the procedure of SSL installation into SAP server.

Generate CSR:

To install SSL certificate, you must create a certificate request (CSR) that uses an SSL server PSE. Check individual SSL server PSE in Trust Manager by elaborating SSL server PSE node and click on the server, it appears the server’s name and for which you have to generate the CSR.


  • Browse Trust Manager and expand the SSL server PSE node.
  • Select the application server, in the PSE maintenance section it shows the application server’s certificate.
  • Select “Create Certificate Request” from the PSE maintenance section, and a dialogue box will be there showing the certificate request.
  • Select the content shown in the certificate request and copy or save the content to a local file (<file name>.P10).


Installation of SSL certificate on SAP Net Weaver Application Server 6.10+:

  • Download the Intermediate Certificate and save as it as "intermediate.crt" on your server.
  • Open the Trust Manager and click to elaborate the SSL server PSE node.
  • To assign an individual Certificate to each application, you should follow the below steps.
    • Click on the desired application server, you will see SSL server PSE in the PSE maintenance section.
    • Import Cert. Response. You will find a dialog box for the certificate request response.
    • In the dialogue box, paste the content of Certificate Request Response or select the local file from the system.
    • Now, you can see in the PSE maintenance section a signed public key certificate that is imported into the SSL server PSE.
    • To view information about the imported certificate, click on it. The details of the certificate will be shown in the certificate maintenance section.
    • Finally, save the complete data.


Importing the CA's Root Certificates if Not Located in the Certificate Database

  • Go to Certificate section and select “Import Certificate”, it will show a certificate dialogue.
  • Choose the Database tab.
  • Choose the certificate from the certificate database and select Enter.
    You can see the certificate in the certificate section.
  • Now, select “Add to Certificate List”.
    The certificate will be added to the certificate list, which you can see in the PSE maintenance section.
  • Save the data.


Importing the CA's root certificate from the File System:

  • Go to Certificate section and select “Import Certificate”, it will show a certificate dialogue.
  • From the file system, enter the suitable file name and choose the file format. In case, if you are not sure about the certificate’s file format, then open the certificate in a Notepad. If the content of the certificate is readable then it is a Base 64 format.
  • You can see the certificate in the certificate maintenance section.
  • Now select “Add to Certificate List”. The certificate will be added to the certificate list, which you can see in the PSE maintenance section.
  • Save your data.


Importing the CA's root certificate from Different PSE:

  • Click on SSL Server PSE node to choose the application server. Check PSE maintenance section where PSE and the certificate list will be shown.
  • You can see the certificate in the certificate maintenance section. Click on the certificate.
  • In the SSL server PSE node, choose a single application server with a double click.
  • Now select “Add to Certificate List”. The certificate will be added to the certificate list, which you can see in the PSE maintenance section.
  • Save your data.
Samuli Kaski

HTTPURLLOC demystified

Posted by Samuli Kaski Jun 4, 2014

Recently I had to configure table HTTPURLLOC in order to support a scenario where users were either accessing the system externally through a hardware reverse proxy connected to SAP Web Dispatcher or the SAP system directly. In this blog I want to share my experience with SCN members.


The first take away from this blog is that HTTPURLLOC can't be used for switching from one protocol to another nor rewriting URLs, that happens elsewhere (e.g. Web Dispatcher modification rules, portal configuration, ICF node settings, etc). HTTPURLLOC has values with valid protocol, host and port combinations that can be used to generate URLs, otherwise the generic URL generation of the system is used. That is why HTTPURLLOC is called an exception table, not a URL generation table.


So now how does it work? Basically the system looks at the request object and tries to determine the requested host, this is usually the virtual host name, DNS alias, etc. which was requested by the client, e.g. the browser. This is the second take away. The host as requested by the client should be preserved throughout the request, even if there are other proxies, load balancers, etc. in the loop. If the client browser requests abc.company.com, this host should be visible in the request object of the SAP system. The only way to guarantee it is that all appliances/programs are instructed to preserve the host that was requested by the client. Apache has the PreserveProxyHost directive for it, Web Dispatcher does it automatically, others might require further configuration.


The third take away is that as with the host requested by the client, the protocol used by the client must be preserved as well. This is especially important if HTTPS is terminated before the request hits the SAP system. Again, configuration directives might be required to insure this. Apache has the RequestHeader directive which can be used to set variable clientprotocol to either HTTPS or HTTP depending on the scenario. Web Dispatcher does it automatically assuming wdisp/add_client_protocol_header is set to true, others might require further configuration.


The fourth take away is to understand how entries in HTTPURLLOC are matched against the request. The most important variable is the protocol, second most important variable is the host, third most important variable is the application and last one is the domain. If the client requested abc.company.com with protocol HTTPS and assuming that the host and protocol are preserved meaning the SAP system sees the original values, the HTTPURLLOC table is queried first for all entries that have the protocol HTTPS. Next the requested application is checked, then the domain and finally the host. There are several rules which will affect the end result meaning whether the entry in HTTPURLLOC will be used or not, the best way is to figure it out yourself by debugging method IF_HTTP_SERVER~GET_LOCATION_EXCEPTION of ABAP class CL_HTTP_SERVER.


The fifth take away is to understand that HTTPURLLOC is client specific and especially if you are using System Logon, you will have to configure HTTPURLLOC for client 000 as well as the clients you use.


The sixth and last take away is to understand that in case the requested host is unknown (it is possible in some scenarios), HTTPURLLOC will be queried based on the protocol and the first match will be used (in ascending order, based on SORT_KEY).


I hope this blog will save others time and headaches trying to figure out the mysteries of HTTPURLLOC. See also the official documentation on URL Generation in an AS-ABAP - Web Dispatcher Configuration.




The upgrade of our BI 7.01 (ABAP+JAVA Dualstack) was requested by our BW-team. They wanted
to use the new features of NW 7.3. The better integration of the BO tools was
also a benefit of an upgrade. The upgrade was divided into two parts:



Part 1: The Dual Stack Split.


This procedure separates the JAVA stack from the ABAP stack.  Before the dual stack split the JAVA and ABAP runs under one SID. After the split you have two SIDs (the old SID for ABAP and one new SID for JAVA).


Part 2: The Upgrade


This was an usual upgrade.



The Problem


Before the split we had this topology:


After the split and the upgrade the HA features didn't work anymore In a dualstack system the sap gateway service is addressed by sapgw$$. $$ is substituted by the actual system number.


The following picture shows the topology after the split:


The problem is the Gateway service.  sapgw00 is configured in several destinations, in the UME and the JCO.

It was quite plain to me. The gateway service is HA critical!


A little shame on SAP


This is what you find about "high availability" in the documentation of the Dual stack split:


In the installation documentation of a java stack you find the HA configuration of a "normal" java stack! But what is the difference between a "normal" java stack and a split java stack? It is the UME! In a split java stack the UME is in ABAP!  I'm very glad to know that nobody heard my comments when doing the HA cluster test on our production system!!!


In this picture you see the topology of a HA java stack (found in the installation guide).  But what is to do,  when using the java stack in a BI system with HA? I know somewhere in the paper jungle of SAP you can find something. But sap gives no hint in the standard documentation


The solution

The following configuration needs to be changed:


1. separate the gateway service
2. logon groups in ABAP
3. the UME Backend Connection
4. JCo RFC-Provider
5. SLD


Separate the gateway service. OSS note 1010990 " Configuring a Standalone Gateway in an HA ASCS instance" explains how to configure the gateway service.


Step 1:
*Changes to the exe-directory
sidadm> cdexe               

*gives you the path <exe_path> of exe-directory
sidadm> pwd                    

*edit the sapcpe config file
sidadm> vi <exe_path>/scs.lst      

*add this line to the file      

Step 2:
*Changes to the profile-directory
sidadm> cdpro                  

*gives you the path <pro_path> of profile-dir.
sidadm> pwd                    

*edit ASCS instance profile
sidadm> vi <pro_path>/<SID>_ASCS<Sys.Nr.>_<hostname>

*add this line to the profile
gw/netstat_once = 0         

Step 3:
*edit the start profile of ASCS

sidadm> vi <pro_path>/START_ASCS<Sys.Nr.>_<hostname>

*Search the first Start_Program_<xx>-entry in the profil, then enter

*earch the Start_Program_<xx>-entry with the highest value of <xx>, then enter:

Start_Program_<xx+1> = local $(DIR_EXECUTABLE)/$(_GW) pf=$(DIR_PROFILE)/<SID>_ASCS<Sys.Nr.>_<hostname> -no_abap


Step 4:
*check in /etc/services the entries:


restart system

The new gateway service is sapgw<Sys.Nr.> because of the system number of ASCS.


logon groups in ABAP


Logon to the ABAP system and enter transaction SMLT. Configure for each Instance a logon group (in the picture it is PUBLIC)



UME Backend Connection



You can determine the hostname of

- message server (1)

- gateway server (2)

(1) The name of the Instance Profile of ASCS is <SID>_ASCS<Nr.>_<hostname>

(2) Same hostname as hostname of ASCS


http://<hostname>:50<Sys.Nr. of java>0/nwa








JCo RFC-Provider


http://<hostname>:50<Sys.Nr. of java>0/nwa









http://<hostname>:50<Sys.Nr. of java>0/nwa



  ->Jco RFC Provider





Login to the ABAP BI system. Go to Transaction SE16 -table-> RSPOR_T_PORTAL


In field RFCDEST you can find the JCo RFC-Destination in ABAP. Go to transaction SM59 and find the RFC destination.


Enter the gateway configuration



http://<hostname>:50<Sys.Nr. of java>0/sld



Logon to ABAP BI system and go to transaction SM59. Enter the gateway configuration (like in RFC destination of JCo) in the following  RFC destinations:





Be aware: You get no hint in the documentation of the dual stack split or the installation about the correct HA settings.




Best regards

Willi Eimler

I noticed that recently many of you have problems implementing this note, while in transaction SNOTE  the following error message is displayed when downloading SAP note 1900200 - "Directory traversal in BC-SRV-ARL":

SAP Note 0001900200 incomplete

     Message no. SCWN106


     SAP Note 0001900200 is incomplete.

System Response

     This SAP Note cannot be imported.


Follow the (general procedure from) SAP KBA 1939285 - "SCWN106 - SAP Note incomplete in transaction SNOTE or SPAU" in order to implement the note.

I would like to share with you that I'm currently engaged in one of my personal projects creating the Generic Object Services (GOS) Troubleshooting Guide.

Please check it and update me with your feedback in a direct message on SCN. More information about GOS can be found in the online help documentation.

The GOS FAQ (created in 2009 and updated frequently) can also provide helpful information regarding the most common questions in GOS, but I decided to create this troubleshooting guide to provide step-by-step guides for errors and questions on the behavior in different scenarios.

When you using GOS toolbox menu in some transactions the Attachment list service is active, but when you opened it there are no attachments in it. Previously this was the designed behavior when the application published GOS with more than one business object. Recently an enhancement was released in SAP note 1966453 in order to give the control to the customers to decide:


  • have a consistent behavior of the active / inactive status of the Attachment list, so when no attachment exists make the service always inactive or as usual active when there is least one attachment in it, but in this case some delays may occur when the GOS toolbox menu is opened


  • have the standard behavior, so when the application publishes GOS with more then one business object the Attachment list stays always active and in this case no performance problems can happen


You can find more information about this in the GOS Troubleshooting guide under the section The Attachment list is active, but no attachment displayed in it and in SAP note 1966453.

What's new in SAP NetWeaver 7.3 - A Basis perspective Part-I

Posted by Ishteyaque Ahmad in SAP NetWeaver Administrator on May 22, 2012 11:41:22 AM



There are various materials present about features of SAP NetWeaver 7.3 but not all of them are directly useful for Basis people like us. So I thought to collect some of differences/features which I noticed.

I know some folks will say that not all features are introduced in 7.3 some of them were introduced in 7.1 and 7.2, but I am a greedy man and I wanted to increase number of features in this blog so I included them as well. Beside it will be helpful to those who haven't got chance to work with 7.1 or 7.2 and directly started working with 7.3.

So lets begin...


1. SAP NetWeaver 7.3 Goes Green


With NW7.3 you can save more energy from architectural perspective, you can get details of it here, I find it interesting.



2. SAP NetWeaver 7.3 – Lean Avatar

  • In the process integration, a Java-only, lightweight advanced adapter engine is now available for NetWeaver 7.3, eliminating the need to run SAP NetWeaver Process Integration (SAP NetWeaver PI) as a dual stack.
  • From SAP NetWeaver 7.30, customers can reduce their hardware needs as a result of common deployment options for all Java usage types, including enterprise portals, SAP NetWeaver BW, and SAP NetWeaver Composition Environment (SAP NetWeaver CE), with one unified Java application server.
  • NetWeaver Portal 7.3 uses half as much memory on average to execute navigations.
  • NetWeaver Portal 7.3 server node starts up much faster than 7.01, with improvement of 33% in average.


3. Instances Naming convention

As of SAP NetWeaver 7.1, the concept and naming of SAP system instances has changed. The terms “central instance” and “dialog instance” are no longer used. Instead, the SAP system consists of the following instances:

  • Application server instances

Application server instances can be installed as “primary application server instance” (PAS) or “additional application server instances” (AAS).

  • Central services instance
  • Database instance


4. The Central Services Instance ABAP - ASCS

The central services instance for ABAP (ASCS instance) is now installed with every SAP ABAP system distribution option: Standard System      Distributed System      High-Availability SystemThe enqueue replication server instance (ERS instance) can now be installed  together with the central services instance for every installation :

  • Standard System (optional)
  • Distributed System (optional)
  • High-Availability System (mandatory)

ERS.pngAt the time of SCS installation if we can select the above option it will install ERS instance as well.Though I am such a naive person who is failed to understand the purpose of having ERS instance on same host where we are having Enqueue server.

5. The Central Services Instance ABAP - ASCS

With new Installation Master for ABAP+Java, SAPInst does not provide option for separate ASCS and SCS Instance.  Though it can be separated manually after installation on different host.ASCS.png

6. Split Off ASCS Instance

SAPInst now has an option to "Split Off ASCS Instance"With the option Split Off ASCS Instance from Existing Primary Application Server Instance, you can split off an central services instance for ABAP (ASCS instance) from the primary application server instance of an existing ABAP system or ABAP+Java (dual-stack) system.ASCSsplit.png

7. Solution Manager Key

As of SAP NetWeaver 7.3, Solution-Manager-Key at the time of Installation is not asked/required by SAPInst.Even in previous installation people found out the way to generate the Solution Manager Key out of SolMan System.http://kohanov.com/tmp/sap_keys.vbs

8. Start Profile Merged

As of SAP NetWeaver 7.3, Start Profile has been removed as separate file.In earlier versions of NetWeaver there were 1 Default profile per SAP system, 1 Start profile per Instance and 1 Instance profile per instance.Now the Start profile contents are merged with Instance profile. With help of new Instance profile SAP processes are started and at the same time instance specific parameters are read.This removed total number of profile files. 1 Default profile per SAP System, 1 instance profile per instance. Now Profile Directory will look neater !!

9. JSPM (Java Support Package Manager) Initial credential requirement changed

  • While starting JSPM – SDM password is not being prompted, Instead you need to provide Java Admin User ID and password.


  • While deploying and upgrading components it needs restart of just Java and sometime complete SAP restart, for which Admin User ID at OS level and its password is asked.


  • SDM is replaced with JSPM and directory SDM is altogether removed.


  • Un-deployment of SCA’s/EAR files are not possible using JSPM. You have to use NWDI for this purpose.
  • No support for PAR files. All portal applications are now EAR (Enterprise Archive) based, PAR migration tool for converting PAR files to EAR files

10. JCMON changed menu



After NetWeaver 7.01 JCMON menu 20: Local Administration Menu is non functional.


Select opton Solid Rock ....  name is funny I mean Rocks are solid anyway

and you will able to see which state of different components/nodes. Unlike previous version I didn't find refresh option here, so go back and come to this menu again for recent view.


11. Visual Admin Vs NWA


As of SAP NetWeaver 7.1, Visual Admin has been replaced with NWA



12. Support Pack Stack



Earlier in NetWeaver 7.0, For a Support Pack Stack the  release level of BW component was generally  2 release ahead of the ABAP and Basis component.

Now all components are  released on same level.


Please continue with second part of this blog.

What's new in SAP NetWeaver 7.3 - A Basis perspective Part-II

Are you experiencing a strange behavior in GOS? Icons for services not displayed as expected? Some functions are inactive or hidden which should not be? First check the possible custom modifications in GOS (tables SGOSATTR and SGOSCUST or the BAdI implementations etc.) using the GOS check report from note 1873544.


For more information check the GOS online help documentation here and the GOS FAQ here.

Before using the functionality delivered with SAP note 1851646 please make sure that the prerequisites regarding: SAP BASIS Support Package, Kernel and SAP GUI version and patch levels are fulfilled from SAP note 1415647.

The code corrections delivered with 1851646 are created for older SAP BASIS Support Package levels too due to sustainability and code maintenance reasons. This doesn't mean, that the functionality can be used without fulfilling the requirements of note 1415647.

(If dump raised in class CL_GOS_STARTER implement SAP note 1892609 too.)

Upgrading a kernel was an easy move. But the growing complexity of SAP-systems, makes an
upgrade of the kernel more difficult than it was in the past.


I was motivated to change the kernel by the PAM on the SAP service marketplace. I checked the "lifetime" of the kernel by:







searching my sap product


Hmm bad news A System without supported kernel? No way !

I needed a new kernel and the newest was 7.21 EXT I looked at the PAM and found:


In order to be able to do the kernel upgrade in a proper way, I searched for the necessary
notes. I found 3 essential notes for the kernel upgrade.


1716826  - Usage of the downward compatible kernel 721 (EXT)            

1728283  - SAP Kernel 721: General Information            

1713986  - Installation von Kernel 7.21 (EXT)            


Now I had all the information I needed. The next task was to download the new kernel.

http://service.sap.com/patches -> Support Packages and Patches -> A - Z Index -> ....


And now a little happy question time:

Question: When I search the kernel for a SAP PI 7.1 EHP 1 system, where do I have to search?

1. S for SAP?

2. P for PI?

3. Z for Zorro?

Answer: No,  it's N for Netweaver -> 1 hour lost for the answer of this question


http://service.sap.com/patches -> Support Packages and Patches -> A - Z Index -> SAP NETWEAVER PI 7.1X -> SAP EHP1 FOR SAP NW PI 7.1 -> Entry by Component -> Application Server ABAP


I downloaded the following archives:


SAPCAR_315-20010445.EXE                 SAPCAR
DBATL720O10_31-20006704.SAR             DBATOOLS Package for Oracle 10g and 11g
SAPEXE_100-10011322.SAR                 Kernel Part I (database independent)
SAPEXEDB_100-10011323.SAR               Kernel Part II (database specific)
igsexe_5-20007786.sar                   Internet Graphic Server (IGS)
igshelper_3-10010245.sar                IGS Helper
sapwebdisp_421-20008606.sar             SAP Webdispatcher
SAPCRYPTOLIB_34-10010842.SAR            SAP Kryptolib
SAPHOSTAGENT147_147-20005726.SAR        SAPhostagent 7.20

SAP_112035_201303_HPUXIA64.zip          SAP Bundle Patch


After analyzing the 3 notes, I identified the next tasks:


1. ) check Note 1610716 - Correcting runtime objects with incorrect alignment
2.) update SAPJVM 5.1.047 to 5.1.084
3.) implement the latest SBP (SAP bundle patch)
4.) Upgrade the kernel


ok 4 tasks to do. Let's do it:


Task 1: check Note 1610716 - Correcting runtime objects with incorrect alignment


I had to implement Note 1610716 with the transaction SNOTE and I got the report RUT_NOTE_1610716. I started the report first with option check and after that with option repair. It ran several minutes. Task was done.


Task 2:  update SAPJVM 5.1.047 to 5.1.084

Ok, now I need to search all relevant notes for patching a SAPJVM. I found:

1683392 - SAP JVM 5.1 Patch-Collection 58 (Build 5.1.074)
1434916 - How to find out the SAP JVM build version
1367498 - Installationsvoraussetzungen für SAP JVM
1025085 - How to manually patch the SAPJVM
1133020 - Importieren eines SAP-JVM-Patchs in Application Server Java


With note 1434916 I was able to identify the SAPJVM-Version. I was not able to identify the version of sapjvm on the system information page:( In my opinion the system information page of NW 7.0 is much better than on NW 7.1! The system information page of NW 7.0 is more simple, but the information is well-arranged.

Note 1025085 states:
"Patching the SAP JVM on an SAP NetWeaver system is only supported using the Software Update Manager (SUM) or the Java Support Package Manager (JSPM)."
I chose the JSPM.

After patching sapjvm I started the system and... it started without any error and... no java page could be displayed

I posted my problem and a guru (big thanx to Reagan Benjamin) found the solution see:
http://scn.sap.com/thread/3388835 (No http page available after upgrade of SAPJVM)
After implementing Note 1625051 - "Wily Introscope agent: IllegalAccessError" the system runs fine again

ok next step:




Task 3) implement the latest SBP (SAP bundle patch)

Where can I find the SBP?
http://service.sap.com/patches -> Database and Database Patches (from other vendors) -> Oracle -> Oracle Patches

a) Checks
orasid> cd /oracle/SID/11203; bdf .
orasid> cd /oracle/stage/11203/database/SAP; bdf .
both filesystems should be 1GB free


b) Patche Opatch and MOPatch
orasid> setenv IHRDBMS /oracle/SID/11203; setenv OHRDBMS /oracle/SID/112_64; setenv ORACLE_HOME /oracle/SID/11203
orasid> cd /oracle/stage/11203/database/SAP
orasid> cp -p /inst_cd_sap/IA64/Oracle110203/updates/SAP_112035_201303/SAP_112035_201303_HPUXIA64.zip .
orasid> unzip -qd $IHRDBMS/sapbundle SAP_112035_201303_HPUXIA64.zip 'SBP_112035_201303/OPatch/*'
orasid> mv $IHRDBMS/OPatch $IHRDBMS/OPatch-pre-SBP_112035_201303
orasid> mv $IHRDBMS/sapbundle/SBP_112035_201303/OPatch $IHRDBMS/OPatch
orasid> unzip -qd $IHRDBMS/sapbundle SAP_112035_201303_HPUXIA64.zip 'SBP_112035_201303/MOPatch/*'
orasid> test -d $IHRDBMS/MOPatch && mv $IHRDBMS/MOPatch $IHRDBMS/MOPatch-pre-SBP_112035_201303
orasid> mv $IHRDBMS/sapbundle/SBP_112035_201303/MOPatch $IHRDBMS/MOPatch

orasid> $ORACLE_HOME/OPatch/opatch version


  orasid> $ORACLE_HOME/MOPatch/mopatch.sh -h



The following versinos should be displayed:
OPatch version
MOPatch version 2.1.13


c) stop the system
sidadm> stopsap
orasid> lsnrctl stop
orasid> ps -efax | grep ora
no ora process should run!


d) install SBP

orasid> setenv ORACLE_HOME /oracle/SID/11203
orasid> cd /oracle/stage/11203/database/SAP
orasid> /bin/sh $ORACLE_HOME/MOPatch/mopatch.sh -v -s SAP_112035_201303_HPUXIA64.zip


orasid> lsnrctl start


<open a new session>
oraSID> sqlplus "/as sysdba"
SQL> startup


<old session>
oraSID> cd $OHRDBMS/rdbms/admin
oraSID> env ORACLE_HOME=$OHRDBMS $OHRDBMS/bin/sqlplus "/as sysdba"

SQL> @?/sapbundle/SBP_112035_201303/catsbp.sql


Hmmmm, INCOMPLETE. This is a word sap administrators don't like! After reading Note 1509324 I did as it was recommended in the note.

SQL> select action_time from registry$history group by action_time having count(*) > 1;

If rows appear then read OSS-Note: 1508602.


no rows, great.

SQL> @?/rdbms/admin/utlrp.sql;



SQL> shutdown

SQL> startup

SQL> @?/sapbundle/SBP_112035_201303/catsbp.sql


No errors and two COMPLETEs. That was good.

I had to set two parameters ->


     '10995 level 2',
     '38068 level 100',
     '44951 level 1024'

SQL> shutdown immediate
SQL> startup
SQL> shutdown immediate
SBP is installed, Task done!


Task 4: Upgrade the kernel


This is not as easy as it was in the good old days! Now you have to do some more steps. In the good old  days (when SAP ERP was R/3) you patched the system between 12:00 and 12:30 when users were at lunch! (Is it lunch or dinner? Hmm I don't know. Please excuse my bad English!) But today you have to do it on weekend.

So let's start.


Step 1: saphostagent upgrade


root> cd /tmp

root> mkdir saphostagent; cd saphostagent

root> /sapmnt/SID/SAPCAR -xvf /inst_cd_sap/IA64/kernel/PI_721_EXT_100/SAPHOSTAGENT147_147-20005726.SAR

root> ./saphostexec -upgrade




Step 2: stop the system


Stopping the saphostagent:
root> /usr/sap/hostctrl/exe/saphostexec -stop
root> /usr/sap/hostctrl/exe/saposcol -k



Stopping the sapwebdisp:

<user of sapwebdisp> stopsap all W90


Stopping sapstartsrv:


sidadm> sapcontrol -nr <Systemnummer Instanz z.B. 00> -prot NI_HTTP -function StopService;

sidadm> sapcontrol -nr <Systemnummer ASCS> -prot NI_HTTP -function StopService;

sidadm> sapcontrol -nr <Systemnummer SCS> -prot NI_HTTP -function StopService;

sidadm> sapcontrol -nr <Systemnummer ERS> -prot NI_HTTP -function StopService;


Deregister and stop CCMS-Agenten:


sidadm> cd /usr/sap/SID/SYS/exe/run/
sidadm> ./sapccm4x -u pf=/usr/sap/SID/SYS/profile/SID_DVEBMGS<Sy.Nr.>_<host>
sidadm> ./ccmsping -u pf=/usr/sap/SID/SYS/profile/SID_DVEBMGS<Sy.Nr.>_<host> -push -n<Sy.Nr>


stop Diagnosticagent
<D-Agentuser> stopsap SMDA90




Step 3: Clear shared memory


sidadm> /usr/sap/SID/SYS/exe/run/showipc all
Shows all shared memorys of all systems.


sidadm> /usr/sap/SID/SYS/exe/run/cleanipc <SystemNrIPC> remove
Now check for open shared memory segments. There should be no segment
sidadm> /usr/sap/SID/SYS/exe/run/showipc all



Step 4: get SAPCAR


sidadm> mkdir /tmp/sapcar
sidadm> cd /tmp/sapcar
sidadm> SAPCAR -xfv /<directory of sar-files>/SAPEXE_100-10011322.SAR
sidadm> cp SAPCAR /sapmnt/SID/


Step 5: removing the old kernel


root> cd /usr/sap/SID/SYS/exe/run/
root> rm -rf *


Step 6: implement the new kernel


sidadm> cd /usr/sap/SID/SYS/exe/run/
sidadm> /sapmnt/SID/SAPCAR -xfv /<directory of sar-files>/SAPEXE_100-10011322.SAR
sidadm> /sapmnt/SID/SAPCAR -xfv /<directory of sar-files>/SAPEXEDB_100-10011323.SAR
sidadm> /sapmnt/SID/SAPCAR -xfv /<directory of sar-files>/DBATL720O10_31-20006704.SAR
sidadm> /sapmnt/SID/SAPCAR -xfv /<directory of sar-files>/igsexe_5-20007786.sar



Step 7: implement sapcryprtolib


sidadm> mkdir /tmp/sapcrypto
sidadm> cd /tmp/sapcrypto
sidadm> /sapmnt/SID/SAPCAR -xfv /<directory of sar-files>/SAPCRYPTOLIB_34-10010842.SAR
sidadm> cp -p hpia64-11.31-64/* /usr/sap/SID/SYS/exe/run/
sidadm> cp -p hpia64-11.31-64/ticket /usr/sap/SID/DVEBMGS<Sy.Nr>/sec


Step 8: start saproot


root> cd /usr/sap/SID/SYS/exe/run/
root> ./saproot.sh SID



Step 9: install igshelper

sidadm> cd /usr/sap/SID/DVEBMGS<Sy.Nr.>; mv igs igs_old;
sidadm> /sapmnt/SID/SAPCAR -xfv /<directory of sar-files>/igshelper_3-10010245.sar



Step 10: new kernel for sapwebdisp


<user of sapwebdisp> cd /usr/sap/SWP_SID/SYS/exe/run
<user of sapwebdisp> rm -rf *
<user of sapwebdisp> /sapmnt/SID/SAPCAR -xfv /<directory of sar-files>/sapwebdisp_421-20008606.sar



Step 11: delete the exe-directories of all instances

root> cd /usr/sap/SID/DVEBMGS<Sy.Nr. of instance>/exe
root> rm -rf *

root> cd /usr/sap/SID/ASCS<Sy.Nr. of ASCS>/exe
root> rm -rf *

root> cd /usr/sap/SID/SCS<Sy.Nr. of SCS/exe
root> rm -rf *

root> cd /usr/sap/SID/ERS<Sy.Nr.of ERS>/exe
root> rm -rf *



Step 12: execute SAPCPE

It is recommended by sap to start sapcpe for every instance. Be aware to use the scs.lst file for the central services and the ERS!

For the central instance:

sidadm> cd /usr/sap/SID/DVEBMGS<Sy.Nr. instance>/work
sidadm> sapcpe pf=/usr/sap/SID/SYS/profile/SID_DVEBMGS<Sy.Nr. instance>_<host>


For the central services:

sidadm> cd /usr/sap/SID/SCS<Sy.Nr. SCS>/work
sidadm> sapcpe pf=/usr/sap/SID/SYS/profile/SID_SCS<Sy.Nr. SCS>_<host> list:/usr/sap/SID/SYS/exe/run/scs.lst

sidadm> cd /usr/sap/SID/ASCS<Sy.Nr. ASCS>/work
sidadm> sapcpe pf=/usr/sap/SID/SYS/profile/SID_ASCS<Sy.Nr. ASCS>_<host> list:/usr/sap/SID/SYS/exe/run/scs.lst


And for the Enhanced Replication Services (I only show it for one ERS because I'm too lazy;))

sidadm> cd /usr/sap/SID/ERS<Sy.Nr. ERS>/work
sidadm> sapcpe pf=/usr/sap/SID/SYS/profile/SID_ERS<Sy.Nr. ERS>_<host> list:/usr/sap/SID/SYS/exe/run/scs.lst


Last but not least the jvm needs it's binaries too:

sidadm> sapcpe /usr/sap/SID/SYS/profile/SID_DVEBMGS<Sy.Nr. instance>_<host> source:/sapmnt/SID/exe/jvm/hpia64/sapjvm_5.1.084 list:/sapmnt/SID/exe/jvm/hpia64/sapjvm_5.1.084/sapjvm_5.lst


Step 12:  post activities

Enter line 
rslg/new_layout = 9
in file /usr/sap/SIS/SYS/profile/DEFAULT.PFL
Then you have to delete the files of the syslog.



Final Step (13):  startsap

Puhhh 13 steps…I entered


sidam> startsap


Sometimes startsap is a liar, so verified it:


sidadm> ps -efax | grep sap


ok. ABAP was running, but J2EE is a diva. I took a look at the dev_server0 and…


Thanx god java (the beast) is up and running


That was my adventure kernel patching a PI system. Finally I leaved the office and tried to relax at the rest of Sunday .


Best regards

Willi Eimler


Filter Blog

By author:
By date:
By tag: