There was a requirement to do a Quality system copy from Production. The SAP version was NetWeaver 7.0 and it had been installed with the earlier tool SAPINST. At that time the SID provided was not among the reserved SIDs. But now the SAPINST tool is no longer available, so SWPM is the only option for doing the system copy with the database backup and restore method.

 

     I exported a dump from the production system and uninstalled the Quality system with SWPM, and everything got removed. But during the installation of the Quality system with SWPM it gave the error: <SID> is reserved for SAP.

I checked the SAP note "1979280 - Reserved SAP System Identifiers (SAPSID) with Software Provisioning Manager 1.0" and found that the <SID> of Quality system is there.

 

     The only option was to rename the Quality system <SID>. But it is connected to lots of SAP and non-SAP third-party systems, and after renaming to a new SID a lot of work would be needed to reconfigure them. So I thought I would make some changes in SWPM and remove the <SID> that was now blocking the installation.

 

     So I removed the <SID> from the following .xml files after extracting the SWPM.

 

1. Find the <SID> containing files with the below OS command.

 

find ../SWPM -type f -exec grep -l "<SID>" {} \;

(Where <SID> is the SID of the Quality system)


../SWPM/resourcepool.xml

../SWPM/PVIND/XML70X_SBC/resourcepool.xml

../SWPM/PVIND/XML70X_SBC/keydb.xml

../SWPM/PVIND/XML70X_SBC/control.xml

../SWPM/PVIND/XML70X_DSS/resourcepool.xml

../SWPM/PVIND/XML70X_DSS/keydb.xml

../SWPM/PVIND/XML70X_DSS/control.xml

../SWPM/PVIND/XML70X/keydb.xml

../SWPM/PVIND/XML70X/control.xml

../SWPM/ORA/NUC/dboraslib.so

../SWPM/ORA/UC/R3ta

../SWPM/ORA/UC/R3load

 

2. Remove the <SID> from the below .xml files.

 

../SWPM/resourcepool.xml

../SWPM/PVIND/XML70X_SBC/resourcepool.xml

../SWPM/PVIND/XML70X_SBC/keydb.xml

../SWPM/PVIND/XML70X_SBC/control.xml

../SWPM/PVIND/XML70X_DSS/resourcepool.xml

../SWPM/PVIND/XML70X_DSS/keydb.xml

../SWPM/PVIND/XML70X_DSS/control.xml

../SWPM/PVIND/XML70X/keydb.xml

../SWPM/PVIND/XML70X/control.xml

 

 

Then I re-executed SWPM on the Quality system with the same <SID> as before, and it proceeded further.

 

Please reward if you find helpful.

 

Thanks

Hi,

 

In our continuous endeavors to improve product supportability, we recently created a new visual, flow oriented page to support resolution of critical SAP Netweaver Application Server issues. It’s in the format of a Decision Tree in the newly revamped Client Server Technology WIKI page.

 

The approach looks at the landscape from the perspective of an SAP Administrator that will troubleshoot SAP Netweaver Application Server issues based on observed behaviors. Just like real life is!! It provides an end-to-end view of the system logic to support the decision process of where to go next and what to look for.

 

The objective is to allow NetWeaver Administrators to identify errors affecting the entire services of an Application Server and, even more, to solve the problem. It cannot be and does not aim to be a complete documentation describing all possible error scenarios.

 


 

This is a browsable interactive tree where actions to test every Application Server component can be found in each step, allowing you to identify the issue, resolve it and, if that is not possible, collect the right traces to submit for analysis.

 

Check the decision tree out in this link.

 

Regards

Clebio

 

 


This is the sequel of my first blog, presenting a new UI interface available for SAP Web Dispatcher.


1. Prerequisites

 

In order to use the PSE Management in the Web Administration Interface of SAP Web Dispatcher, it is necessary to use version 7.42 of the load balancer, as of patch level 22.

 

It is necessary that the user ID used for the administration has Admin rights (set the "admin" group while creating the user ID):

WDP 05.jpg

 

2. Initial view

 

By starting the Web Dispatcher Administration page, the left hand menu presents the PSE Management link:

WDP 01.jpg


If the PSEs are already created in the $SECUDIR directory, the following screen is displayed:

WDP 02.jpg


In the example above, note that there is one certificate in the PKList.


Clicking the "Recreate PSE" button recreates the PSE, so you can use an algorithm from the SHA-2 family.


 

3. Recreating the PSE

 

The Distinguished Name must be entered, using the FQDN of the Web Dispatcher as the Common Name.


In the Algorithm dropdown box, it is possible to select the SHA-2 algorithm:

WDP 03.jpg


It is also possible to select the key length (usually higher than 1024 bits, as CAs are no longer signing CSRs with 1024 bits) and a PIN.


Since this is a new PSE, it is necessary to create a CSR and submit it to a CA, because the current PSE has a self-signed certificate (validity until 2038):

WDP 04.jpg


It is also necessary to import additional certificates, as the PKList is now empty.


After creating the CSR, it is possible to read its content (using a third party tool) and see:

"...
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
...
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
..."

 

 

The Signature Algorithm shows the use of sha256, as selected during the PSE creation.

 

4. Reference Documents

 

Willi Eimler

Understanding saprouter

Posted by Willi Eimler Jul 8, 2015

Introduction

 

 

In the past I always worked with saprouter without completely understanding the mechanism of the saprouter rules. This resulted in a saproutertab with lots of useless entries and the inflationary use of *. In order to be able to use a short saproutertab it is necessary to understand the effect of a saprouter entry.




This BLOG is not a full documentation of the saprouter tool! For details please take a look at: http://sap.help.com/

 

 

The saprouter controls connections. It permits or disables connections. This behavior depends on the rules defined in the saproutertab. A rule consists of 4 parts:

 

Part 1      Part 2                      Part 3                      Part 4

D or P      Hostname of the starting    Hostname of the ending      Port
            point of a connection       point of a connection


 

 

 

 

In Part 1: D stands for disable and P for permit. If you want to permit a connection from server1 to server2 with port 3255, then the rule is:

 

          P    server1        server2        3255

 

In my sap router tab I always disable all connections with:

 

         D    *    *    *

 

I put this rule at the end of the saproutertab because it would kill all P rules if it were the first rule. Every P rule after D * * * is ignored. Then I allow each connection I want to use.

 

So far it is very simple. But what rules are needed to allow a connection passing several saprouters? For this scenario I use an example with 3 saprouter hops for a connection. I describe how to maintain the saproutertab and how to test the connection with niping. In order to understand the mechanism of the following scenario it is crucial to know that the saprouters communicate with other saprouters via the standard saprouter port (3299).

 

 

Scenario Port 1442

We want to communicate from Server A with Server B via port 1442. In the following picture you can see the path of communication and the Names and hostnames of each saprouter.

bild1.png

 

Now let's consider how to maintain the saproutertab:

We know:

 

     1.    The saprouters communicate with other saprouters via the standard saprouter port (in this case 3299).

     2.    The saprouter disables/permits connections.

     3.    The port of the addressed server is used.

 

With these 3 points we can maintain the saproutertab of every saprouter:

 

 

Saprouter 1

P    Host_A    Host_2        3299

D    *         *             *        


Saprouter 2

P    Host_1     Host_3       3299

D    *          *            *      

 

Saprouter 3

P    Host_2    Host_B        1442

D    *         *             *       


bild2.png

For the rules the port used on the destination host is important. For the rule in saprouter 1 the port is 3200 because saprouter 2 communicates with saprouter 1 via port 3299. With niping you can test your saproutertab entries. For the simulation of a server use:


          niping -s -I 0 -S 1442 -R -P


And for the corresponding client use:


     niping -c -H /H/Host_1/H/Host_2/H/Host_3/H/Host_B -S 1442 -R -P


I like to use the niping in raw mode, because in raw mode I can simulate communication with any port I want.

 

Testing with niping

niping tests the connection via the saprouter and gives an error message when communication is not possible. Let's change the rule in saprouter 2 from


P Host_1 Host_3     3299

to

P Host_1 nonsense   3299


niping -c -H /H/Host_1/H/Host_2/H/Host_3/H/Host_B -S 1442 -R -P


Now niping will throw the following error:

bild3.jpg

The error states the information you need to repair the wrong saproutertab configuration:


     Error     Host_2: route permission denied ( Hoste_1 to Host_3, 3299)


The error states the saproutertab entry needed to permit the connection.


     P Host_1 Host_3     3299


Scenario Port 3200

Now, we want to connect to an SAP system via the three saprouters. The following picture shows this:


bild4.jpg

The 32<SysNr.> port is the SAP Dispatcher port, used by SAP GUI. SysNr. is the system number of the SAP system. In this case the system number is 00 and we use 3200.

 

In Saprouter 1 we have to add the rule (this rule is going to overrule the entry P     Host_A     Host_2     3299):

 

     P     *               Host_2     3299


This rule is necessary because we want to log in from every frontend with SAP GUI. If you want to log in only from one frontend, Frontend_1, you have to add the rule:


    P     Frontend_1      Host_2     3299

 

In Saprouter 2 we don't have to add a new rule because the communication between the saprouters was not changed. In the last saprouter we have to add the rule for the communication via port 3200:

 

     P     Host_2          Host_B     3200

 

The configuration of the saproutertabs is:

 

 

Saprouter 1

P    *         Host_2        3299

P    Host_A    Host_2        3299

 

D    *         *             *    

 

Saprouter 2

P    Host_1     Host_3       3299

 

D    *          *            *     


Saprouter 3

P    Host_2    Host_B        3200

P    Host_2    Host_B        1442

 

D    *         *             *   


In order to test the connection we make the following entry in the sap logon:

bild5.jpg

If there is an error in the configuration of the saproutertabs you will get an error like this:

bild6.png

In this case the error can only be located in the 1st or second saprouter (because of port 3299). If the entry in the last saprouter is wrong you get an error with port 3200. If there is no error you get the login screen.


bild7.jpg


Hope you enjoy this blog.
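
The three-hop rules and the niping test from the port 1442 scenario can be replayed offline with a small model of saproutertab evaluation. This is an added example, not part of the original blog and not SAP code; it assumes first-match-wins with * as the wildcard, handles only the four-field P/D lines used in this post, and takes Saprouter 1, 2 and 3 to run on Host_1, Host_2 and Host_3 as the niping route string implies.

```python
from fnmatch import fnmatchcase


def parse_table(text):
    """Parse four-field saproutertab lines: action, source, destination, port."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # assumption: '#' starts a comment
        if not fields:
            continue
        if len(fields) != 4 or fields[0] not in ("P", "D"):
            raise ValueError(f"unsupported saproutertab line: {raw!r}")
        rules.append(tuple(fields))
    return rules


def decide(rules, src, dst, port):
    """Return (permitted, matching_rule). The first matching rule decides;
    if nothing matches, the connection is refused."""
    for rule in rules:
        action, r_src, r_dst, r_port = rule
        if (fnmatchcase(src, r_src) and fnmatchcase(dst, r_dst)
                and fnmatchcase(str(port), r_port)):
            return action == "P", rule
    return False, None


def check_route(tables, client, hops, target, port, router_port=3299):
    """Walk client -> hops... -> target. Each router checks (previous host,
    next host, next port). Returns (True, None) or
    (False, (router, src, dst, port)) for the first refusal."""
    path = [client] + list(hops) + [target]
    for i, router in enumerate(hops):
        src, dst = path[i], path[i + 2]
        # Only the last router talks to the target port; the others talk
        # to the next saprouter on the saprouter port.
        dport = port if i == len(hops) - 1 else router_port
        permitted, _ = decide(tables[router], src, dst, dport)
        if not permitted:
            return False, (router, src, dst, dport)
    return True, None


def shadowed(rules):
    """Rules that can never match because an earlier rule covers them.
    Coverage is limited to the cases in this post: '*' or an identical field."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if all(g == "*" or g == s for g, s in zip(earlier[1:], rule[1:])):
                found.append((rule, earlier))
                break
    return found


# Tables from the "Scenario Port 1442" section of the post.
TABLES_1442 = {
    "Host_1": parse_table("P Host_A Host_2 3299\nD * * *"),
    "Host_2": parse_table("P Host_1 Host_3 3299\nD * * *"),
    "Host_3": parse_table("P Host_2 Host_B 1442\nD * * *"),
}
# The deliberately broken rule from "Testing with niping".
TABLES_BROKEN = dict(TABLES_1442,
                     Host_2=parse_table("P Host_1 nonsense 3299\nD * * *"))
# Saprouter 1 from "Scenario Port 3200": the wildcard rule comes first.
SAPROUTER_1_3200 = parse_table(
    "P * Host_2 3299\nP Host_A Host_2 3299\nD * * *")
HOPS = ["Host_1", "Host_2", "Host_3"]

if __name__ == "__main__":
    print(check_route(TABLES_1442, "Host_A", HOPS, "Host_B", 1442))
    print(check_route(TABLES_BROKEN, "Host_A", HOPS, "Host_B", 1442))
    for rule, earlier in shadowed(SAPROUTER_1_3200):
        print("never reached:", rule, "covered by", earlier)
```

The refusal reported for the broken table names the same router, hosts and port as the niping error quoted above, and the shadowing check flags the P Host_A entry that the wildcard rule overrules.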


Useful links

 

Port mapping

http://www.easymarketplace.de/saprouter.php

 

SAProuter string

https://help.sap.com/saphelp_nw04/helpdata/de/4f/992dd7446d11d189700000e8322d00/content.htm

 

niping as a port check (raw mode)

http://darrylgriffiths.blogspot.de/2014/01/network-port-test-using-sap-niping.html

 

OSS note on niping

500235 - Network Diagnosis with NIPING

 

Configure SNC saprouter

http://www.erpgenie.com/sapgenie/docs/SAP%20SNC%20CONFIGURATION.pdf

When trying to import the certificate response into the SSL server Standard PSE (or another PSE), an error might happen, informing that the "Verification of Certificate chain failed".

 

It is possible that a wrong intermediate and/or root certificate is being used.

 

This post will show how to extract the intermediate and the root certificates using the Windows Crypto Shell Extension.

 

 

First step


Double click the certificate response file (<filename>.cer):

1.jpg

 

Go to "Certification Path" (third tab):

2.jpg

 

Double click on the intermediate certificate (a new popup will be displayed):

3.jpg

 

Click on "Details" (second tab):

4.jpg

 

Click on "Copy to File..." to start a wizard. Select "Base-64 encoded X.509 (.CER)" to export the file.

 

 

Next step

 

 

Repeat the first step for the root certificate

 

Now it is possible to combine:

 

certificate response +

intermediate certificate +

root certificate

 

and paste them into the dialog box:

6.jpg

displayed after clicking on the "Import Cert. Response" button ("Own Certificate" section of the PSE):

5.jpg

Error:ICM_HTTP_CONNECTION_FAILED

 

Solution:

 

1. Go to Tx SICF and select Client -> Proxy Setting (Ctrl+F2) from the menu.

1.JPG

2. In the Global Setting tab:

Provide the below details,

a). Authorization: S_ICF

b). No proxy for the following addresses: *.sap.corp;*.sap-ag.de;*.sap.com;

2.JPG

 

3. In the HTTP Protocol tab:

Technical Setting  : Give Hostname and port number

Logon Data           : Give username and password

3.JPG

Click on OK.

 

4. For testing, go to Tx SE38 and run the program (/IANWM/CHECK_WS).

 

4.JPG

Click on Execute.

 

5. Check the result:

5.JPG

 

Thank you...!

Activating HTTPS in SAP system:


In the latest versions of the SAP system we do not need any SAPCRYPTOLIB file or profile parameters, because they come by default.

 

 

1. Download the SAPCRYPTOLIB, extract the sar file and place it into the

$DIR_EXECUTABLE directory, we can find this path in Tx – AL11

(eg : D:\usr\sap\SID\DVEBMGS05\exe)

 

Note 397175 describes the prerequisites for downloading the library.

 

2. Set the environment variable in the User Variables and place the ticket obtained from SAPCRYPTOLIB

in the below directory,

1.JPG

 

 

3. Maintain the below parameters in the Instance Profile,

 

2.JPG

4. Goto SMICM and Select E symbol


3.JPG



5. Select checkbox https and goto Service --> Activate

 

4.JPG

 

7. Https is activated,

 

5.JPG

 

 

Thank You..

It is becoming common to need to replace old PSEs, created with the SHA-1 algorithm, with new PSEs using the SHA-2 algorithm family.

Here you will find the steps to replace a PSE in STRUST and the steps to create a PSE using sapgenpse (e.g. when using the SAP Web Dispatcher).

 

 

1. Prerequisites

 

 

The system must have SAPCRYPTOLIB 5.5.5 patch level 34 (or higher) or any CommonCryptoLib installed.

 

It is possible to verify the SAPCRYPTOLIB/CommonCryptoLib version by executing the command:

 

sapgenpse

 

in the command line interface (running as SIDadm) or via report RSBDCOS0.

 

Example:

"...
Loaded CommonCryptoLib from sapgenpse folder
"/usr/sap/SID/DVEBMGS00/exe/libsapcrypto.so"

Platform: linux-gcc-4.3-x86-64 (linux-gcc-4.3-x86-64)
Versions: SAPGENPSE 8.4.35 (Mar 16 2015)
            FILE-Version 8.4.35.0
            CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.35 pl40 (Mar 16 2015) MT-safe

USER="sidadm"

Environment variable $SECUDIR is defined:
"/usr/sap/SID/DVEBMGS00/sec"
..."

 

It is also important to have the kernel patch level mentioned in SAP note 1739681 running in the system.

In your ABAP system, use SNOTE to implement SAP note 1740744. For newer releases, e.g. Netweaver 7.40, the correction is already in place.

 

 

2. Replacing a PSE in STRUST

 

 

Access STRUST, right-click the PSE that should use the SHA-2 algorithm and click Replace.

Now select the relevant algorithm in the dropdown box, as shown below:

STRUST SHA-256.jpg

 

Enter the remaining details and confirm.

 

If a PSE from a productive system needs to be replaced, then it is recommended to follow the steps from SAP note 1178155.

 

You can confirm the use of SHA-2 algorithm by double-clicking the Own Certificate. The Certificate section presents the details:

STRUST SHA-256 Certificate.jpg

 

After you have imported the certificate response, verify whether the ICM was notified about the change. It might be necessary to import the corrections from SAP note 2417844.

 

 

3. Creating a PSE using sapgenpse

 

 

In a command line interface execute the following command:

 

sapgenpse gen_pse -p <PSENAME> -a sha256WithRsaEncryption -x <PIN>

(replace <PSENAME> and <PIN> with the necessary PSE name and PIN).

 

Enter the relevant DN and see the CSR as output.

 

In order to verify the algorithm, just execute:

 

sapgenpse get_my_name -p <PSENAME> -v -v -x <PIN>

 

The "My Certificate" section should show:

"...

  Signature algorithm:sha256WithRsaEncryption (1.2.840.113549.1.1.11)

..."

 

 

4. Reference Documents

 

 

2147844 - STRUST | ICM is not always notified when SSL Server PSEs are created or deleted

1740744 - SSFPSE_CREATE: Support creation of RSA-PSEs with SHA-256

1739681 - Kernel: Support creation of RSA-PSEs with SHA-256

1689776 - SAPCRYPTOLIB 555pl34: bugfixes, AES-NI support

1178155 - Replacing PSEs in productive SSL Servers

Hello all,

 

SAP note 2180736 was just released as an initiative to centralize documentation on how to handle such short dumps, all the way from how to start the analysis to the possible solutions.

 

For OS specifics on memory management, please check the CST wiki page on TSV_TNEW_PAGE_ALLOC_FAILED here.

 

Cheers,
Ian Segóbio.

SAP Kernel

 

A kernel upgrade is a keen and effective process to keep SAP system health high.

As part of Basis, we all come across kernel upgrades. I would like to share my experience of the kernel upgrade process.

 

In general, what is Kernel?

 

In computing, the kernel is a computer program that manages I/O (input/output) requests from software, and translates them into data processing instructions for the central processing unit and other electronic components of a computer. The kernel is a fundamental part of a modern computer's operating system.

 

kernel_what is.jpg

 

Now how we relate a kernel to SAP:


Running Applications: All ABAP applications run on software processors (virtual machines) within this component.

User and process administration: This component is responsible for the tasks that usually belong to an operating system.

Database access: Each NetWeaver AS ABAP is linked to a database system, consisting of a database management system (DBMS) and the database itself.

Communication: ABAP applications can communicate both with other SAP Systems and with external systems.

 

 

 

Downloads:


Types of kernel available in the Service Marketplace:

 

  • 32/64 bit Unicode & extended
  • 32/64 non Unicode systems & extended

 

By executing disp+work on the OS command line we can easily get the kernel version, release, Unicode or non-Unicode, real or extended. We need to log in as SIDADM or navigate to the existing kernel directory to get this information.

 

Need to download the exact kernel as per:

  • Operating system
  • Unicode/Non Unicode
  • Real/extended

 

Kernel files are divided in to 2 parts:

  • Kernel Part I (database independent)
  • Kernel Part II (database specific)

 

Before Kernel Upgrade:

kernel_before.jpg

 

In the above example: We need to Upgrade N-1. ( N is the latest version)

SAP kernel 7.21 64 BIT Unicode files / patch 402 Part 1 and Part 2, once we downloaded the file we can extract.

 

Process:


STOPSAP and stop services – disable SAP services before we implement a new kernel.

 

                The reason is that a few files and executables are responsible for starting and running the SAP application server, and a few executables are responsible for writing logs or updates. If we try to replace the SAP kernel on the fly, it may raise a "file in use" error.

By then we have caused corruption in the kernel directory; new files might have been overwritten already. Leaving a corrupted kernel directory is a severe error. In a few scenarios we may need to restart SAP, or the system may shut down for some reason. SAP may throw errors while starting up again when it has a corrupted kernel directory.

 

The recommended process is to stop SAP, stop the SAP services and disable the SAP services in services.msc.

 

Take a backup of the existing kernel directory and keep it in a safe place, just in case we need to revert to the older kernel.

Replace the existing kernel directory with the new kernel files.

 

Kernel directory will be located in

\usr\sap\SID\SYS\exe\uc\NTAMDXX

After implementing new kernel we can start SAP

To verify kernel use same CMD: disp+work

kernel_after.jpg

 

Tricky Part:


After replacing the kernel, if the SAP service fails to start:

  • Check whether we downloaded the appropriate kernel file, in case there is a Unicode/non-Unicode mismatch.
  • Restore the old backup by renaming it back to the original name; do not try to copy and paste into the kernel directory again, as a few files might have been overwritten already.
  • If we still have an error starting SAP, we can try replacing it with the dev/QAS/PRD kernel from the same landscape for the time being.


Wrapping up:

 

Replacing the kernel is a small effort, but an important one to keep the system up and running in a stable manner. Though we need only minimal downtime to upgrade the kernel, use the time beforehand to prepare with the guidelines, read the kernel upgrade note first, and follow it for a smoother implementation of the new kernel.

 

Regards,

Rathish Soundrapandian.

Semester 1 - 2015

Victoria University

Lecturer - Tony De Thomassis

 

Title:

Blog on SAP BRFPLUS and how I arrived here through attending classes in BCO6181

 

Intro:

At the start of the semester, we were taught that the Cloud would be the central focus of our lectures. A run down of SAP, specifically SAP HANA and the Cloud, InMemory Database Technology, Industry Trail Blazers, evolution of In Memory Technology, where it is heading and Social Media and the impact it has in the IT World.    Along the way though, other more contemporary aspects of modern SAP Technology and techniques on how to obtain information to develop our career, see where the Industry is heading with guest presenters from the Industry.

 

The moment:

In week 2, Tony introduced the class to SAP NetWeaver BRFPLUS -> "Business Rules Framework" on a MiniSAP Environments in our Virtual Environment.

From that night, I've been hooked by BRFPLUS and I wanted to learn everything BRFPLUS and continue to do so.

 

Why BRFPLUS?:

Having worked with the SAP GUI (traditional user interface(UI))for over 10 years, we were introduced to Web Dynpro and SAP Netweaver Technology.

After years of working with the traditional SAP GUI to get a new look UI, Web Based, modern was terrific in itself.

Having Programmed at University in Java and now having a transaction that is user friendly to both developers and end users adds new dimension.

 

The old way of application development:

1. The customer Application needs to be changed/created.

2. Log a request with the developers, wait long periods of time, pay large sums of money for a new/changed app

3. Potential poor communication between IT and the business may prove disastrous for the business.

 

The BRFPLUS way:

Control of developing/changing customer specific application moved closer towards the business with less dependence on traditional IT thus empowering the Business to create and manage the change more effectively by making business specific platforms easier to create and manage.

 

The Class Room SetUp:

With the tools provided to the class, which included a virtual environment platform, a MiniSAP (MiniWas) environment, logging into BRFPLUS in SAP (transaction code "BRFPLUS") and correcting errors in account settings in transaction code "SICF", a BRFPLUS environment in SAP NetWeaver for the development of applications was created.

 

The Presentation:

Based on content provided in CD 160 (referenced below), a BRFPLUS simulated application for the sale of sporting goods, incorporating the basics of BRFPLUS with defined business rules such as the sale of goods under $100 USD that have shipping costs added.

 

Video Presentation:

http://prezi.com/ryivapomjfvo/?utm_campaign=share&utm_medium=copy&rc=ex0share

 


 

Key Aspects of Learnings from BCO6181

 

  • Introduced to Cloud Technology in a simulated environment
  • Use of Social Media such as LinkedIn and Twitter as methods to build a professional profile, build Networks and obtain important information

  • A framework provided where the individual student can find their passion in the SAP World
  • Exposure to Industry Professionals and Events
  • Information sharing and collaboration opportunities among Students

 

References:

http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=322570106

http://en.wikipedia.org/wiki/BRFplus

CD 160 SAP Netweaver Decision Service Management - A Paradigm Shift, Ziegler, C., Held, A. Nov. 2013

If you want (or need) to have the most secure environment possible, there are a couple of things that you can do to secure the communication between an SAP Web Dispatcher and its backend system.

 

You can enable SSL at the backend as well (SAP note 510007 for ABAP - SAP Marketplace login required; Configuring the Use of SSL on the AS Java), and configure the Web Dispatcher for SSL re-encryption (parameter "wdisp/ssl_encrypt = 1").

 

With these settings, the communication from the end users to the backend system will be protected (encrypted) throughout the entire communication path (notice that no other components are considered here, like a hardware load balancer in front of the Web Dispatcher), assuming that the Web Dispatcher already had an HTTPS port configured.

 

However, the Web Dispatcher needs to fetch data from the backend, periodically, in order to operate.

By default, this is performed using HTTP. You can switch this metadata exchange to HTTPS by setting the following parameters:

 

wdisp/server_info_protocol = https

wdisp/group_info_protocol = https

wdisp/url_map_protocol = https

wdisp/ping_protocol = https

 

For this to work, you need to enable an HTTPS port at the Message Server (parameter "ms/server_port_X", at the backend), and configure the Web Dispatcher to use this HTTPS port (parameter "ms/https_port" or the MSSPORT option of the parameter "wdisp/system_X").

 

OK! Now all communication is encrypted.

Is there anything else that can be done? If you have SSO enabled, yes!

 

You can configure a client certificate at the Web Dispatcher, and set the parameters "icm/HTTPS/trust_client_with_subject" and "icm/HTTPS/trust_client_with_issuer" at the backend.

 

In the past, managing the SSL certificates (the "PSE" files) at the Web Dispatcher was possible only with the sapgenpse command line tool.

In recent versions, PSE management was introduced at the Web Dispatcher Administration page.

This WIKI page shows this new interface.

 

You also have to import the required certificates at both the Web Dispatcher and the backend:

  • At the Web Dispatcher client PSE file, you also need to import the Root and all Intermediate CAs certificates ("certificate chain") of the CA that signed the backend server certificate. In case a self-signed server certificate is used at the backend, import the self-signed certificate instead;

 

  • At the backend server PSE file, you need to import the Root and all Intermediate CA certificates of the CA that signed the Web Dispatcher client certificate. In case a self-signed client certificate is used at the Web Dispatcher, import the self-signed certificate instead.

 

Now, the backend will not accept client certificates forwarded as HTTP headers unless the intermediary (the Web Dispatcher, in this case) authenticates itself with a client certificate that matches the values configured at the "icm/HTTPS/trust_client_with*" parameters.

 

Update on May/14/2015: The SAP KBA 2160678 has the list of all certificates required in each PSE file involved, in case SSO is enabled and you want to maintain the "icm/HTTPS/trust_client_with*" parameters.

 

Cheers!

Isaías
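
A profile check for the settings listed in this post, as an added example (not SAP code and not the author's): it reports every deviation from the post's configuration, treating an unset info protocol as http per the default stated above. The two sample profiles, their host name and port values are constructed, and requiring MSSPORT on every wdisp/system_X entry when such entries exist is an assumption of this sketch.

```python
import re

# The four metadata-exchange parameters named in the post.
INFO_PROTOCOL_PARAMS = (
    "wdisp/server_info_protocol",
    "wdisp/group_info_protocol",
    "wdisp/url_map_protocol",
    "wdisp/ping_protocol",
)


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; '#' lines are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def system_options(value):
    """Split a wdisp/system_X value such as 'SID=QAS, MSHOST=h, MSSPORT=44401'."""
    options = {}
    for part in value.split(","):
        key, sep, val = part.partition("=")
        if sep:
            options[key.strip().upper()] = val.strip()
    return options


def audit(text):
    """Return (parameter, found, expected) for each deviation from the post's settings."""
    p = parse_profile(text)
    findings = []
    # SSL re-encryption towards the backend, as configured in the post.
    if p.get("wdisp/ssl_encrypt") != "1":
        findings.append(("wdisp/ssl_encrypt", p.get("wdisp/ssl_encrypt"), "1"))
    # Metadata exchange: the post states HTTP is used unless these are set.
    for name in INFO_PROTOCOL_PARAMS:
        value = p.get(name, "http")
        if value.lower() != "https":
            findings.append((name, value, "https"))
    # HTTPS needs the message server's HTTPS port: ms/https_port, or the
    # MSSPORT option when backends are declared through wdisp/system_X.
    systems = {k: system_options(v) for k, v in p.items()
               if re.fullmatch(r"wdisp/system_\d+", k)}
    if systems:
        for name in sorted(systems):
            if "MSSPORT" not in systems[name]:
                findings.append((name, None, "MSSPORT=<message server HTTPS port>"))
    elif not p.get("ms/https_port"):
        findings.append(("ms/https_port", None, "<message server HTTPS port>"))
    return findings


# Constructed sample: re-encryption is on, but most metadata still goes over HTTP.
WEAK_PROFILE = """
rdisp/mshost = backend.example
ms/http_port = 8101
wdisp/ssl_encrypt = 1
wdisp/server_info_protocol = https
"""

# Constructed sample: the same profile with the post's settings applied.
HARDENED_PROFILE = """
rdisp/mshost = backend.example
ms/https_port = 44401
wdisp/ssl_encrypt = 1
wdisp/server_info_protocol = https
wdisp/group_info_protocol = https
wdisp/url_map_protocol = https
wdisp/ping_protocol = https
"""

if __name__ == "__main__":
    for finding in audit(WEAK_PROFILE):
        print("deviation:", finding)
    print("hardened profile deviations:", audit(HARDENED_PROFILE))
```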

 

 


Hello All,

 

I am writing this blog to discuss the use of RFC nodes for sending messages with SAPconnect (e.g. Fax, Internet Mail, etc.) from the SAP system in Netweaver Release >730.

 

Since SAP NetWeaver release 7.0, the SAPconnect RFC interface was no longer supported for e-mail however it was still supported for the transmission of different send methods (e.g. Fax). Since SAP release Netweaver 7.3, you can maintain only SMTP nodes in transaction SCOT, it is no longer possible to maintain RFC nodes in SCOT.

 

Before I go any further I will quickly discuss the differences in functionality between SMTP and RFC nodes. In my opinion SMTP is much superior, this is due to the features provided by using a SMTP node. Faxes, SMS, etc. can also be sent/received in the SAP system using SMTP since release 6.20, see note 455140. I do not know why anyone would choose RFC over SMTP. Read on for my reasons!

 

The administration of SMTP requires less effort than RFC due to the direct communication with the SMTP Plug-in and the mail server, an additional connector, setting-up and maintaining an RFC connection is no longer required. SMTP offers much better monitoring and analysis options, e.g. storing MIME documents, monitoring outgoing/incoming messages and an improved trace. Another advantageous feature is the creation and processing of SMTP status notifications (DSN, MDN).

 

Security is a hot topic at present, the SMTP interface has much more security than RFC can offer. SMTP supports transmission through a secure connection (TLS, Transport Layer Security). It also supports mechanisms for authentication on the SMTP server (SMTP AUTH). None of these are available when using the RFC interface. Also certain application scenarios can only be carried out for incoming e-mails using the SMTP interface, for example Inbound distribution.

 

On a side note the 'look' of SCOT has changed in the newer release as you can see in screenshot below, please review this wiki for an more in-depth description of the new layout.

 

SCOT.PNG

However it is still possible to maintain RFC nodes in the SAP system, this must now be done through transaction SCON which has the look of the 'old' transaction SCOT as you can see below:

SCON.PNG

The steps to create the RFC node are the same as in earlier release's using the Wizard, that is in the menu follow path Node -> Create -> RFC node, then you choose the Name of the node, the RFC Destination, Address type and the general configuration.

 

More details on configuring the RFC node can be found in SAP Help.

 

The following note offers more information related to the end of support for RFC interface: Support for SAPconnect RFC interface

 

Thanks for reading!!

I could also have called it

"The missing or outdated documentation syndrome"

or

"Stop playing with my SPRO path"

or just

"700, 701, 702, 710, 711, 720, 730, 731, 740"

 

Warning: this blog post contains cryptic SAP acronyms that might be incomprehensible for non-Basis consultants...

 

SAP has always had a problem with documentation... and in some areas, if you finally succeed in finding some explanations, they are either outdated or not relevant to your specific scenario. For instance, on the AD/SSO solution for BO the latest available documentation (from 2013) is still based on Windows 2000 and the setspn parameters are wrong!

 

I just went through a rough time with the ADS configuration for printing PDFs from a GRC RM WDA (Web Dynpro ABAP).

A non-SAP-aware person would consider this to be a very simple task, like installing a PDFcreator on the client PC... but the printing solution is really complex and requires installing a Java instance for hosting ADS, and also installing the BI Java usage on it.

I was not able to find clear and complete documentation, so I first installed a Java instance with only the ADS usage... and it was not working... so I found a document that suggested that the BI Java usage was required. Too bad for me, I was on a 740 system and now SUM is required to install a new Java usage... this implies connecting my Java system to Solution Manager and running an MOPZ scenario...

 

After installing and configuring the whole mess (JCO, RFC dest...), I got an error:

(sap.com/com.sap.ip.bi.webdynpro.alv.pdf, BW-BEX-ET-WJR) Exception Message no. SALV_WD_MSG701


That error referenced note 1413938 - WD ABAP ALV - creating print version, which says to "Specify the service to generate the PDF document" through a SPRO path valid for 740… but I did not find that path on my 740 SP05 system.

After spending some more time searching SCN / SMP, I found note 1630587 - WD ABAP ALV: IMG paths for Customizing Settings, which provides all the different possible SPRO paths for that option depending on the NW release.

Too bad, none of these paths were available in my version…. I tried on a few 740 systems and in fact the path provided in the note only exists on the latest SP08 version; for all previous SPs there is no access to that option!

I found the underlying report / table (SALV_WD_CUSTOMIZING / SALV_WD_ADMIN) and could run it on my 740 SP05... to find that the point was already appropriately configured!

 

I did notice that the ADSUSER account gets locked… and I was not able to track how. I did activate the SM19 security audit log but no events were logged, no records for these failing connections. So the wrong logging must come from the Java WAS.

 

In the end, my problem was a stupid misconfigured password (and a wrong account, as I used ADSUSER instead of ADS_AGENT) in the SOA template destination "ConfigPort_Document".

Just simple BC work in the end, and it took me a week to install & configure everything.

It was tough to explain to my customer that 5 days are required to configure PDF printing!

Then I almost lost a full day tracking a simple password error.

As a BC freelance consultant I make my living on SAP complexity… so I should not criticize it too much, but sometimes it really goes too far!

 

I hope the new S/4 will make everything simpler… but I'm afraid that this "simplicity" will only concern business process and not the basis layer nobody cares about.

References


1413938 - WD ABAP ALV - creating print version

This SAP Note is valid only for the following releases (related to your Application Server ABAP):

    SAP NW Release 7.02

    SAP NW Release 7.30

    SAP NW Release 7.31

    SAP NW Release 7.40

Navigate to the following folder (see SAP Note 1630587 as well)

Path for releases < SAP_BASIS Release 7.40:

-> Application Server -> SAP List Viewer (ALV)

Path for releases as of SAP_BASIS Release 7.40:

-> SAP NetWeaver -> UI Technologies -> SAP List Viewer (ALV)

 

1882863 - WD ABAP ALV - Troubleshooting for print version

First check your installation and configuration in accordance with SAP Notes:

    918236 - WD ABAP ALV - creating print version

    valid for SAP NetWeaver Releases 7.00, 7.01, 7.10, 7.11

    1413938 - WD ABAP ALV - creating print version

    valid for SAP NetWeaver Releases 7.02, 7.30, and higher

 

1630587 - WD ABAP ALV: IMG paths for Customizing Settings

SAP_BASIS 7.00 & 7.01

  + SAP NetWeaver Implementation Guide
    + Application Server
      + Web Screen for ABAP
        + Set-Up Printing for Web Screen ABAP ALV
          - System-Wide Settings for the Web Dynpro ABAP ALV

SAP_BASIS 7.02

  + Implementation Guide for R/3 Basis Customizing
    + Base
      + SAP List Viewer (ALV)

SAP_BASIS 7.10

  + SAP NetWeaver Implementation Guide
    + Application Server
      + Web Dynpro for ABAP
        + Set-Up Printing for Web Dynpro ALV
          - System-Wide Settings for the Web Dynpro ABAP ALV

SAP_BASIS 7.11

  + SAP NetWeaver Implementation Guide
    + Application Server
      + Web Dynpro ABAP
        + Set-Up Printing for Web Dynpro ALV
          - System-Wide Settings for the Web Dynpro ABAP ALV

SAP_BASIS 7.20

  + Implementation Guide for R/3 Basis Customizing
    + Base
      + Web Dynpro for ABAP
        + Set-Up Printing for Web Dynpro ABAP ALV
          - Client-Specific Settings for the Web Dynpro ABAP ALV
          - Generic Crystal Report Layout Maintenance

SAP_BASIS 7.30

  + Implementation Guide for R/3 Basis Customizing
    + Application Server
      + SAP List Viewer (ALV)

SAP_BASIS 7.31

  + SAP Customizing Implementation Guide
    + SAP NetWeaver
      + Application Server
        + SAP List Viewer (ALV)

SAP_BASIS 7.40

  + SAP Customizing Implementation Guide
    + SAP NetWeaver
      + UI Technologies
        + SAP List Viewer (ALV)



So far there have been many incidents with such a complaint.

However, system administrators seem to have different definitions of 'hang'.
Although such issue can usually be resolved by a restart, Root Cause Analysis is usually pursued.

 

This blog tries to sort things out for system admins.

At least, the system admin had better know which logs should be collected before the restart, so that we can grab a chance for RCA.

 

/* 'Server hang' is definitely a gigantic topic - this blog will try not to dig into further technical details. */



1. Clearly define the symptom.


  • Is it occurring only upon some specific operation? Or on whole system?
  • Is it occurring only for specific J2EE / Portal user?
  • Is it occurring only on specific client PC / browser?
  • Is it occurring only on newly-logged-on users? Is it also occurring on already-logged-on users?
  • Is it occurring with or without load balancer?
  • Is it occurring on all instances / server nodes?
  • Is AS Java 'green' in SAP MMC / SAP MC?


Besides all above, screenshots / HTTP Watch trace are definitely helpful.


These questions help you as well as SAP support to understand your problem.




2. How to proceed with the RCA


Firstly some basic rules:

- If Load Balancer blocks the way -> check with LB vendor.

- If dispatcher / ICM / server node has died -> don't expect a normal behavior. Check work folder and defaultTrace.

- If issue only occurs on specific client PC / browser -> check if browser is supported as per PAM. And check if this PC has any peculiarities against others.

- If issue only occurs on certain instance / server nodes -> check below steps against that specific instance / server node.

- If issue occurs on consumer portal under FPN scenario, also check the provider system.

- Last but not least, make sure there's enough CPU/RAM/Disk resource on OS.



Regarding other scenarios, for simplicity, you can collect the traces below together.

- HTTP Watch trace

- Thread dump or SAP JVM Profiler trace, on server node (and also dispatcher for 7.0X)

- work folder

- defaultTrace

- SAP MMC Snapshot



// If you have to know why these traces are necessary:

/*

- Scenario 1

  AS Java is running, responding, but some specific application returned a blank page (browser is no longer loading the page). Other applications are working fine.

  In this case, server is not actually in 'hang' status.

  -> Collect HTTP Watch trace so that we can see where it stopped.

  -> Also check PAM to see if the IE version is supported.

 


- Scenario 2

  AS Java is running, responding, but some specific application did not respond and browser is still waiting. Other applications are working fine.

  We must check where it actually hangs during HTTP traffic - it might be on AS Java, on AS ABAP, or on 3rd party system, or simply on network.

  -> In this scenario, HTTP Watch trace will be necessary in the very first place.

  -> In many cases it is indeed hanging on AS Java - see below.

 

 

- Scenario 3

  AS Java is running but not responding. Or, it is refusing new requests but still serving the old ones.
  It is very likely that (some specific kind of) threads are exhausted, and we must check at runtime.

  -> Collect thread dump or SAP JVM Profiler trace when issue IS OCCURRING. This is necessary to tell the root cause.

  -> Collect SAP MMC Snapshot for 7.10 onwards.

  -> Collect work folder logs

  -> Collect defaultTrace

*/

 

N.B., it's not a guarantee that the logs listed above are 100% enough for every issue. But it's a good start.
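
One way to script the file-based part of the collection before a restart, as an added example that is not part of the original blog: it archives the work folder and each server node's defaultTrace files and writes a SHA-256 manifest so the copies can be verified later. The instance layout (`work` and `j2ee/cluster/server<N>/log` under the instance directory), the function name and the archive naming are assumptions; thread dumps and the MMC snapshot still have to be taken while the issue is occurring, as described in the notes listed below.

```shell
#!/bin/sh
# collect_pre_restart INSTANCE_DIR OUT_DIR
# Snapshots the file-based evidence the post lists (work folder and
# defaultTrace files) into OUT_DIR/hang_<timestamp>.tar.gz together with
# a SHA-256 manifest, independent of what a restart does to the originals.
# Assumed layout (not stated in the post):
#   INSTANCE_DIR/work
#   INSTANCE_DIR/j2ee/cluster/server<N>/log/defaultTrace*
collect_pre_restart() {
    inst="$1"; out="$2"
    if [ ! -d "$inst/work" ]; then
        echo "no work folder under $inst" >&2
        return 1
    fi
    stamp=$(date +%Y%m%d_%H%M%S)
    stage="$out/hang_$stamp"
    # Plain mkdir for the stage: refuse to reuse an existing snapshot.
    mkdir -p "$out" && mkdir "$stage" || return 1

    # Work folder, timestamps preserved.
    cp -Rp "$inst/work" "$stage/work" || return 1

    # defaultTrace files, kept apart per server node.
    found=0
    for node in "$inst"/j2ee/cluster/server*; do
        [ -d "$node/log" ] || continue
        name=$(basename "$node")
        mkdir -p "$stage/$name" || return 1
        for f in "$node"/log/defaultTrace*; do
            [ -f "$f" ] || continue
            cp -p "$f" "$stage/$name/" || return 1
            found=$((found + 1))
        done
    done
    [ "$found" -gt 0 ] || echo "warning: no defaultTrace files found" >&2

    # Manifest of everything staged, relative paths, for `sha256sum -c`.
    ( cd "$stage" &&
      find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + \
          > MANIFEST.sha256 ) || return 1

    tar -czf "$stage.tar.gz" -C "$out" "hang_$stamp" || return 1
    echo "$stage.tar.gz"
}

# Run directly: sh collect.sh /usr/sap/<SID>/<instance> /tmp/evidence
if [ "$#" -eq 2 ]; then collect_pre_restart "$1" "$2"; fi
```

After unpacking the archive, `sha256sum -c MANIFEST.sha256` inside the `hang_<timestamp>` directory confirms the copies are unchanged.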

 

 

Reference Documents

1095473 - How to get a full thread dump in AS Java

1558903 - How To Trace a Portal Scenario Using HttpWatch

1783031 - Analyzing AS Java performance with SAP JVM Profiler

1847251 - How to create an MMC snapshot about an SAP system

