3 Posts

Number of times, I have seen on SDN where people is not clear what is the way to make their new ERP system with Enhancement Packages ready to use that includes installation, configuration in solution manager, EHP upgrade, Business Function activation etc.


In my this blog, I am not going to dive deep in technical sea of how to do things but only how to make yourself float on the sea. Once you will float on the sea, rest you will learn how to dive :-)


When you install new ERP 6.0 system with Enhancement Packages either EHP4/EHP5/EHP6, you need to follow certian things to make it ready to use like:

1) Install ERP 6.0 EHP4/EHP5 system. If you install it as EHP5 system then after installation, your system will be on EHP5 in which SAP_APPL and EA-APPL (Central Application Components) will be on EHP5. So, after applying latest patches through SPAM/SAINT, you can use this system.

But in case of ERP 6.0 EHP4 system, this is not the case. When you install EHP4 system, then all netweaver components like Basis, ABAP etc. will be on 701 release but all ERP components will be on 600 release. So, this system is not ready to use. This system is called as ERP6.0 EHP4 Ready.

2) As of SAP Business Suite 7, you need to download all the packages from Solution Manager. So, if you want to upgrade your system or want to install patches then you need to configure MOPZ in solman.

  • If you want to upgrade your EHP4 Ready system to EHP4 level. Then first define your system in SMSY as Product Version ERP 6.0. Then you need to add your system to logical component, then define solution and assign logical system to solution.

All of this you can do in transaction DSWP and SMSY till solution manager 7.0 EHP1. But from Solution Manager 7.1 you need to use LMDB, solman_setup and solman_workcenter.

  • After you have defined your system in SMSY, you can download patches from MOPZ.
  • If you are not using any Technical usage then you can upgrade only Central application Technical usage (Component SAP_APPL & EA-APPL). But if you are using any other technical usage then you need to select that technical usage as well in MOPZ, only then you will get all packages.

If you are not sure which technical usage you need to install on your system. Then Check SAP note 1165438 for EHP4 systems & SAP note 1324838 for EHP5 system and there are guides attached to this note which maps Technical Usage to Component and to business functions.

Note: Please make sure before installing any technical usage, discuss with your functional team whether they need it or not.

  • In some cases, while you are selecting certian Technical usage type in MOPZ, checkbox against it is greyed out. In that case, you need to mark this Technical Usage as Relevant in SMSY for the system definiton e.g. Self Service (XSS) & LOSFE etc.
  • For upgrade, stack xml file is mandatory that you can get from MOPZ. But make sure that component information in SMSY for your system that you want to upgrade should be latest Otherwise stack xml file will contain outdated information about the patch level of your system and it can lead to problems during upgrade.

3) In case of EHP4 Ready system, where SAP_APPL and EA-APPL is on 600 release. You need to upgrade it with EHPi only. With this upgrade, you can combine upgrade of any other Technical Usage as well in case you want to use any other technical usage.

  • If you have upgraded Central Application but later on you want to install any other technical usage then you can upgrade that technical usage with SAINT as well.

But this is not the case in case of EHP5 system as in EHP5 system, Central Application Technical usage (SAP_APPL & EA-APPL) will be on 605 release only. So, if you want to upgrade SAP_APPL & EA-APPL then you can do it through SPAM. And even if you want to upgrade any other technical usage then same you can do it from SAINT as well. You can also use EHPi but it is not mandatory.

Note: If you want to upgrade any Technical usage to EHP4/EHP5 level then stack xml file is mandatory for upgrade whether you upgrade it from SAINT or EHPi.

4) When you want to activate any business function then same you should in accordance to Business needs and after discussing with functional team. You can activate Business function any time and it does not effect existing functionality. However, it is recommended to activate business function first in sandbox/test system and after testing transport it to other systems.

There is one exception in EHP5 systems where version of SAP_HR component is 604 only while for other components version will be 605.

5) If you are using Solution Manager 7.1, then you cannot define any system manually in SMSY as you do in case of Solution Manager 7.0 with EHP1. There you should follow below procedure:

  • Add you satellite system in SLD of Solution Manager. In case of ABAP system, you can add it to solman SLD with t-code RZ70 but in case of As Java system, either you can make local sld in As Java system only and then configure data bridge to send As Java system information to Solman SLD or configure your As Java system SLD to solution manager as cental SLD.
  • Once your system in Solman SLD then schedule job to sync LMDB with SLD autmoatically.
  • Now, run managed system step in solman_setup t-code and configure your system there. Once this is done then you can configure MOPZ.
  • In case of As Java system, once system will be there in solman SLD, it will come under Technical systems in SMSY, so for As Java system, you have to define Product System manually in SMSY and assign your As Java system to it.
  • Now, using solman_workcenter t-code, you can go to MOPZ and download patches. Make sure before that you have assigned your system to logical component and logical system in turn to solution.

Hope you will have an idea by now how to proceed in case you install new ERP system to make it ready for use.


Cheers !!!

Let's Begin- This is my second Blog on SAP Netweaver 7.3. In this blog, I will discuss about how to configure Single Sign-on between SAP Business Suite 7 & above system with SAP Netweaver 7.3 systems.  In my below example my As ABAP system is on SAP ERP 6.0 EHP5 and As Java system on SAP Netweaver 7.3.

Profile Parameters-

Set below parameters in As ABAP system in instance profile-

  1. login/create_sso2_ticket=2
  2. login/accept_sso2_ticket=1
  3. login/password_change_for_SSO=0 (Optional) (The obligation to change the password is ignored)
  4. icm/host_name_full= <FQDN>
  5. SAPFQDN=<domain name> (Set this parameter in Default Profile)

Set below parameters in As Java in default profile-

  1. SAPFQDN=<domain name>


Note: After all the parameters are set, restart your system.


1) Go to URL http://<server>:<port>/sso2

Click on Add Trusted system – By Querying Trusted System

Select system Type- ABAP (In case of single sign-on between 2 As Java systems, select Java)

On next screen, enter details of As ABAP system

























If you are not using SNC then keep option Disable in SNC Protection.

On next screen, click Finish.

Now system will be visible as trusted system.

2) Go to nwa of As Java (http://<server>:<port>/nwa)

Navigate to Configuration – Authentication and Single Sign-ON

Then select Authentication – Components. Select Policy Configuration Name- ticket.

a) Under authentication stack, select EvaluateTicketLoginModule Template, as a result of step 1, your called system will be automatically populated there.

Click on Edit.

b) Select Module CreateTicketLoginModule and Make its Flag as SUFFICIENT.

c) For CreateTicketLoginModule, Add following properties under Options of login module “CreateTicketLoginModule”

Name                                                 Value

Trusteddn1                                       CN=<SID>

Trustedss1                                         CN=<SID>

Trustedsys1                                       <SID>,<Client>                true


3) Go to nwa (http://<server>:<port>/nwa)

a) Go to Configuration- Certificates and Keys

b) Select TicketKeystore key storage views

c) Make sure that entry of your As ABAP system should be there.

d) Delete SAPLogonTicketKeypair and SAPLogonTicketKeypair-cert under Details of view “TicketKeystore.

e) Click on Create Entry

Enter below details here-

Entry Name- SAPLogonTicketKeypair

Algorithm- DSA

Key Length- 1024

Select Store Certificate Option. And click next.

Enter below details-






Click on Finish. After that, SAPLogonTicketKeypair and SAPLogonTicketKeypair-cert entries will populate.

4) Download certificate of As Java system and upload it on As ABAP system.

a) Go to nwa http://<server>:<port>/nwa

b) Go to Configuration- Certificates and Keys

c) Select TicketKeystore key storage views

d) Export SAPLogonTicketKeypair-cert certificate.

e) Select export format as Base64X.509


f) Import this portal certificate in As ABAP system in t-code strustsso2.

g) Add this portal certificate to Add to Certificate list  and Add to ACL (while adding to ACL list, Enter SID of As Java system and client as 000).

h) Restart the As Java system.


5) Go to http://<server>:<port>/irj/portal

a) Go to System Administration- System Landscape- System Landscape Overview- System Landscape

b) Click on New.


c) Create System Object using Template. Please choose system template as per your requirement. In my case, I selected system template- SAP system using dedicated application server.

d) Enter details as below

System Name

System ID



e) Enter Alias Name and click on Add.


f) On Next screen, enter details for Connector, ITS and Web Application Server.

  i) Connector


Enter all details (Under application host, please enter FQDN)

ii) ITS


Enter all details (Under ITS Host Name, please enter FQDN)

ITS Host Name- <FQDN>:<ITS Port>

ITS Path-  /sap/bc/gui/sap/its//webgui

ITS Protocal- HTTP (In case, HTTPS is activates then select HTTPS)

iii) User Management

iv) Web Application Server (Web AS)


Enter all details (Under ITS Host Name, please enter FQDN)

ICM Host Name- <FQDN>:<As ABAP port>

ICM Protocol- HTTP (In case, HTTPS is activates then select HTTPS)

Under Additional Wizard Steps, unmark checkbox. And click on Finish.

g) Click on Connection Test for this object and perform connection test for Connector, ICM & Web AS. And all tests should be successful.


6) Check Single Sign-On. Go to http://<server>:<port>/irj/portal

a) System Administration – Support- Application Integration and Session Management- Test and Configuration tools

b) Under Tool, Select Transaction and Click on run.

c) Under System, Select System that you created in step 5 and Enter any transaction code of your As ABAP system. And click on Go.

d) It should login to your backend As ABAP system without asking password.


By this way, Single Sign-On between your As ABAP and As Java system is configured.

In case, you face any problem during this test, then please refer to SAP note 495911 to activate trace and then analyze logs.

Cheers !!!

Let's Begin- There are 2 types of ADS Configuration-

1) Basic Authentication

2) SSL Authentication.


Here, I am discussing ADS Configuration using Basic Authentication for interactive Adobe Forms.



1) SAP Netweaver 7.3 As Java System (ADS should be installed).

2) SAP Business Suite 7 System


Profile Parameters-

1) Profile Parameter SAPFQDN should be set in both As Java and As ABAP system.



AS Java (Netweaver 7.3)


1) If UME is on As Java

a) Create ADSUSER as a Technical User in Identity management if it does not exist.

b) Create ADSCALLERS group in Identity Management.

c) Assign UME Role SAP_ADSCALLER (You need to assign this role only to users who need to access ADS). In my case, I assigned this role to the ADSCALLERS group in identity management.

d) Assign ADSCALLERS group to ADSUSER in identitiy management.


2) If UME of As Java is running on As ABAP system

a) Create ADSUSER in As ABAP.

b) Create ADSCALLERS role in PFCG and don't assign any authorization to it.

c) Assign ADSCALLERS role to ADSUSER.

d) Go to Identity Management of As Java, there search for role SAP_ADSCALLER and add user ADSUSER to it. Go to assigned Action Tab and search for adobe in available actions and add action AdobeDocumentServicesADSCaller to role and save it.


3) Go to SAP netweaver administrator (http://<server>:<port>/nwa).

Then Go to SOA. Under SOA, go to Technical Configuration --> Destination Template Management



Choose Create New Destination



Choose Destination Type as WSIL and enter Destination name as ConfigPort_Document

Enter URL as below:


Enter System name: <SID of As Java> and hostname: <hostname of As Java>



On next screen, Choose Authentication as HTTP Authentication and Select User ID/Password (Basic). Enter ADSUSER and password as shown below:



Then click on finish. Now, destination ConfigPort_Document will be created.

Note: If you are configuring Interactive Adobe Forms then first request SAP to provide Adobe Interactive form credentials and *.pfx file which you need to configure Reader Right credentials. In order to obtain Reader Right credentials then please follow SAP note 736902.

4) In order to install Reader Right credentials, go to nwa (http://<server>:<port>/nwa).

Go to Configuration --> Infrastructure --> Adobe Document Services


Choose Document Security and then select Credentials.


Click on Manage P12 Files. A Pop-up will be open where you need to provide path of *.pfx file that you got from SAP.



Choose Upload. Now, your *.pfx file will be uploaded.


Click on Add New Object and a pop-up will be opened.

In Alias, Select Reader Rights

Type should be P12.

P12 File should be automatically filled as we have already uploaded the file in previous step.

Enter Password for P12 file.


Save this record.


5) Restart the service Document Service Trust Manager Service and then the service PDF Manipulation Module for the changes to take effect.

In order to restart the service, go to Operations --> Systems --> Start & Stop.

Open Java Services Tab. In order to obtain list of services for ADS, filter the Service component Name column by Adobe. Restart the service.


6) Create Destination FP_ICF_DATA_<SID of As ABAP> in SOA.

Go to nwa (http://<server>:<port>/nwa)

Go to SOA --> Technical Configuration



Select Destinations


Click on Create.



Enter Destination Name as FP_ICF_DATA_<SID of As ABAP>

Select Destination Type as HTTP. Click Next.

Enter URL of As ABAP system (http://<server>:<port>) e.g.



Enter System ID and Client of As ABAP system.

On Next screen, Select Authentication as Basic.

Enter User as ads_agent and its password.


Click on Finish.



By this way, configuration of ADS on As Java side is complete.



Login to As ABAP system.

1) Create user ADSUSER as a system User in transaction SU01.

2) Create user ADS_AGENT as a system user in transaction SU01 and assign roles SAP_BC_FP_ICF, SAP_BC_FPADS_ICF & SAP_BC_JSF_COMMUNICATION.


Note: Either assign standard roles or make a copy of this role to Z roles. If you are assigning standard roles then make sure that profile of these roles should be generated.

3) Create role ADSCALLERS in PFCG and assign user ADSUSER to it.

4) Go to t-code SM59 and create ADS RFC as Type G.

a) In Target System settings, enter target host name and Service no. of your As Java systems.

b) In Path Prefix, enter- /AdobeDocumentServices/Config?style=rpc

c) In Logon & Security tab, select Basic Authentication. Then, enter user adsuser and its password.


Save the RFC.

5) Go to SICF and activate below services




By this way configuration of ADS is completed.


If you face any problem during ADS configuration or during testing, Please check below SAP notes:


944221- Troubleshooting if problems occur in forms processing

915399- com.adobe.ProcessingError File not found on URL Location


Link to for ADS Configuration-


Filter Blog

By date: By tag: