
TADM10_2 SAP NetWeaver AS – Implementation & Operation I SAP NetWeaver


Participant Handbook Course Version: 99 Course Duration: 10 Day(s) Material Number: 50118031

An SAP course - use it to learn, reference it for work

Copyright Copyright © 2013 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Trademarks Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered trademarks of Adobe Systems Incorporated in the United States and other countries. Apple, App Store, FaceTime, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple Inc. Bluetooth is a registered trademark of Bluetooth SIG Inc. Citrix, ICA, Program Neighborhood, MetaFrame now XenApp, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems Inc. Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH. Edgar Online is a registered trademark of EDGAR Online Inc., an R.R. Donnelley & Sons Company. Facebook, the Facebook and F logo, FB, Face, Poke, Wall, and 32665 are trademarks of Facebook. Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik, and Android are trademarks or registered trademarks of Google Inc. HP is a registered trademark of the Hewlett-Packard Development Company L.P. HTML, XML, XHTML, and W3C are trademarks, registered trademarks, or claimed as generic terms by the Massachusetts Institute of Technology (MIT), European Research Consortium for Informatics and Mathematics (ERCIM), or Keio University. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation. 
Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are registered trademarks of Microsoft Corporation. INTERMEC is a registered trademark of Intermec Technologies Corporation. IOS is a registered trademark of Cisco Systems Inc. The Klout name and logos are trademarks of Klout Inc. Linux is the registered trademark of Linus Torvalds in the United States and other countries. Motorola is a registered trademark of Motorola Trademark Holdings LLC. Mozilla and Firefox and their logos are registered trademarks of the Mozilla Foundation. Novell and SUSE Linux Enterprise Server are registered trademarks of Novell Inc.


OpenText is a registered trademark of OpenText Corporation. Oracle and Java are registered trademarks of Oracle and its affiliates. QR Code is a registered trademark of Denso Wave Incorporated. RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry AppWorld are trademarks or registered trademarks of Research in Motion Limited. SAVO is a registered trademark of The Savo Group Ltd. The Skype name is a trademark of Skype or related entities. Twitter and Tweet are trademarks or registered trademarks of Twitter. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Wi-Fi is a registered trademark of Wi-Fi Alliance. SAP, R/3, ABAP, BAPI, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, Sybase, Adaptive Server, Adaptive Server Enterprise, iAnywhere, Sybase 365, SQL Anywhere, Crossgate, B2B 360° and B2B 360° Services, m@gic EDDY, Ariba, the Ariba logo, Quadrem, b-process, Ariba Discovery, SuccessFactors, Execution is the Difference, BizX Mobile Touchbase, It's time to love work again, SuccessFactors Jam and BadAss SaaS, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany or an SAP affiliate company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

Disclaimer These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


About This Handbook This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. It is not suitable for self-study.

Typographic Conventions

American English is the standard used in this handbook. The following typographic conventions are also used:

• Example text: Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths, and options. Also used for cross-references to other documentation both internal and external.
• Example text: Emphasized words or phrases in body text, titles of graphics, and tables.
• EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example SELECT and INCLUDE.
• Example text: Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, and passages of the source text of a program.
• Example text: Exact user entry. These are words and characters that you enter in the system exactly as they appear in the documentation.
• Variable user entry: Pointed brackets indicate that you replace these words and characters with appropriate entries.

2013/Q1

© 2013 SAP AG or an SAP affiliate company. All rights reserved.


Icons in Body Text

The following icons are used in this handbook:

• For more information, tips, or background
• Note or further explanation of previous point
• Exception or caution
• Procedures
• Indicates that the item is displayed in the instructor's presentation.


Contents

Course Overview ... ix
  Course Goals ... ix
  Course Objectives ... x

Unit 1: Technology Components for Browser-Based User Dialogs ... 1
  Internet Scenarios with SAP Systems ... 3
  The Internet Communication Manager (ICM) ... 10
  Internet Communication Framework ... 28
  The SAP Web Dispatcher ... 57
  Load Balancing in the SAP NetWeaver AS Java Environment ... 93

Unit 2: AS ABAP – Fundamentals of User Administration ... 109
  User Administration Concept ... 110
  Authorization Concept ... 121
  Login Parameters and User Info ... 139
  Appendix: Advanced User Administration Topics ... 149

Unit 3: Setting up SSL for AS Java ... 159
  Network Security ... 160
  Setting Up SSL ... 168

Unit 4: AS Java – User and Authorization Concept ... 193
  Structure and Configuration of the User Management Engine (UME) ... 195
  User and Group Administration ... 222
  The Java Authorization Concept ... 235
  Special Principles ... 253
  Logon Procedure of the AS Java ... 264

Unit 5: RFC Connections, Communication and Integration Technologies ... 285
  Fundamentals and Variants for Using RFC ... 286
  Setting Up RFC Connections ... 298

Unit 6: Java Connector and Destinations ... 315
  Connections to other Systems ... 316
  Appendix: Connections to other Systems with the Java Connector Architecture ... 332

Unit 7: AS ABAP – System Monitoring and Troubleshooting ... 345
  Monitoring Architecture ... 347
  Configuring System Monitoring in CCMS ... 361
  Introduction to Monitoring using SAP Solution Manager ... 383
  Traces and Logs ... 398
  Troubleshooting Procedure ... 411

Unit 8: AS Java – Monitoring ... 419
  Monitoring SAP NetWeaver AS Java ... 420
  Connecting to a Central Monitoring System ... 432
  Availability Monitoring ... 451
  Log Viewer and Log Configuration ... 464

Unit 9: Software Lifecycle Management ... 489

Glossary ... 493
Index ... 497


Course Overview

Course TADM10 is the foundation for various further training courses for consultants. After TADM10, you can continue your training to become a (Technical) PI or Portal Consultant. Alternatively, you can proceed to course TADM12, where you will further expand your knowledge of SAP NetWeaver AS. This training content is largely independent of the type of operating system and database technology. Like the other TADM courses, TADM10 comprises several individual courses (or parts thereof), which are arranged here in a way that will enable you to gain the knowledge you require as an SAP Technology Consultant as efficiently as possible.

Week 1 of Course TADM10 is Based On Content Taken from the Following Courses:
1. SAPTEC
2. ADM100
3. ADM800

Week 2 of Course TADM10 is Based On Content Taken from the Following Courses:
1. SAPTEC
2. ADM100
3. ADM103
4. ADM800

Target Audience
This course is intended for the following audiences:
• SAP Technology Consultants (Associate Level)

Course Prerequisites
Required Knowledge
• Basic knowledge of IT
• Basic knowledge of operating systems and databases


Course Goals
This course will prepare you to:
• Work as a Technology Consultant
• Configure and manage AS ABAP
• Configure and manage AS Java

Course Objectives
After completing this course, you will be able to:
• Process administrative tasks in SAP systems


Unit 1: Technology Components for Browser-Based User Dialogs

Unit Overview
In this unit, you learn about a number of central technology components that are important if SAP systems are used for intranet or internet applications. In course ADM103, the focus is on administration of the components that are introduced, not on development.

• The SAP Internet Transaction Server (ITS) is used with Web applications (IACs) and with SAP GUI for HTML. Depending on the system release and scenario in question, the functions of the SAP ITS can be implemented by means of a standalone ITS or using the ITS integrated in the AS ABAP.
• The Internet Communication Manager (ICM) is the process that turns the conventional ABAP application server into a Web server or Web client.
• The Internet Communication Framework (ICF) provides an environment for handling HTTP(S) requests in the ABAP work process using Web applications such as BSPs or Web Dynpro ABAP.
• With the usage type AS Java, the SAP NetWeaver Application Server provides a complete runtime environment for Java EE applications.
• The SAP Web Dispatcher distributes HTTP(S) requests to a suitable application server (instance).

Unit Objectives
After completing this unit, you will be able to:
• Describe the options that SAP provides for intranet and internet scenarios
• Describe the areas of use of SAP ITS, ICM, AS ABAP, and AS Java
• Describe the implementation area of the ICM
• Configure and monitor the ICM
• Explain the importance of the Internet Communication Framework (ICF) for handling HTTP requests
• Outline the interaction model
• Describe what constitutes an ICF service
• Activate and use the integrated ITS
• Outline the function of the SAP Web Dispatcher
• Explain how you can use the SAP Web Dispatcher to distribute workload across the different SAP instances and/or SAP systems
• Install, update and operate the SAP Web Dispatcher
• Explain how load balancing can be realized in the SAP system

Unit Contents
Lesson: Internet Scenarios with SAP Systems ... 3
Lesson: The Internet Communication Manager (ICM) ... 10
  Exercise 1: Administration of the ICM ... 19
Lesson: Internet Communication Framework ... 28
  Exercise 2: Administrative Work with the ICF ... 43
Lesson: The SAP Web Dispatcher ... 57
  Exercise 3: Administration of the SAP Web Dispatcher ... 71
Lesson: Load Balancing in the SAP NetWeaver AS Java Environment ... 93


Lesson: Internet Scenarios with SAP Systems Lesson Overview SAP provides a number of ways in which applications can be created for intranet or internet users. This lesson introduces the technologies on which these applications are based and explains the differences between them.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the options that SAP provides for intranet and internet scenarios
• Describe the areas of use of SAP ITS, ICM, AS ABAP, and AS Java

Business Example Your company wants to allow its customers browser-based access to data in the SAP system (for example, in the context of Web-based purchasing). As a member of the system administration team, it is your task to compare and evaluate different methods of realizing this.

SAP Internet Transaction Server (SAP ITS) (Standalone)

Figure 1: As of SAP Basis 3.1G: Web-Enabling Using SAP ITS (Standalone)


SAP delivered the first version of the SAP Internet Transaction Server (SAP ITS) with SAP R/3 3.1G in 1996. It is a software component that acts as a gateway between a Web server and an SAP system. SAP ITS translates between internet protocols and formats (such as HTTP, HTTPS, and HTML) and those of the SAP system (such as DIAG, RFC, and dynpros (screens)).

First, the SAP ITS was implemented as standalone software that was used “in front of” an ABAP-based SAP system. This “standalone” ITS existed as of Release 3.1G up to and including 6.20 (upwardly and downwardly compatible with SAP systems up to and including AS ABAP 6.40). As of AS ABAP 6.40, the new ITS is integrated in AS ABAP on all platforms with a simplified architecture.

Web applications that were developed specifically for SAP ITS are called Internet Application Components (IACs). These include Employee Self Services (ESS) that are based on SAP R/3 and SAP R/3 Enterprise, or the SAP Online Store. The SAP GUI for HTML also uses the SAP ITS. SAP ITS functionality (either standalone or integrated) is therefore required for existing Web applications (in IAC technology) and for the SAP GUI for HTML, regardless of the basis release of the corresponding SAP system.

Internet Communication Manager (ICM)

Figure 2: As of SAP Web AS 6.10: Openness Using the ICM

Based on the highly-scalable infrastructure, new technologies are used as of SAP Web AS 6.10 to process HTTP requests (and other protocols) directly from the internet or to send HTTP client requests to the internet. To achieve this, the SAP Kernel has been extended with the Internet Communication Manager (ICM) process.


The ICM process forwards requests to the Internet Communication Framework (ICF), which supports numerous programming models. This is how the SAP CRM, SAP BW, and SAP PI software components use this infrastructure. One programming model for such applications (among others) is the Business Server Pages (BSPs).

AS Java

Figure 3: As of SAP Web AS 6.20: Integrated J2EE Runtime Environment

With the AS Java, SAP has a complete J2EE-compatible application server in its product range. The SAP NetWeaver Application Server provides the following installation options (as of Release 6.20):
• SAP NetWeaver Application Server ABAP (AS ABAP)
• SAP NetWeaver Application Server Java (AS Java)
• SAP NetWeaver Application Server ABAP+Java (AS ABAP+Java, dual stack)

Developers, therefore, have a mature development and runtime environment for applications based on Java / J2EE. Examples of SAP software components that use the J2EE engine include SAP NetWeaver Portal (usage type EP), SAP NetWeaver Process Integration (usage type PI), and some functions in SAP Customer Relationship Management (SAP CRM). Note that the J2EE standard not only describes the (browser-based) user dialog, but also specifies a complete application server.


Web Dynpro Web Dynpro is the preferred programming model for business application Web interfaces in SAP systems based on SAP NetWeaver. It provides a clear distinction between the user interface (UI) and the business logic. It also provides functions that are not usually available as part of the standard tools for developing professional user interfaces. These include functions for checking entries, providing input help, supporting multiple languages, and handling errors comfortably, as well as caching mechanisms that ensure fast response times and are therefore especially useful for interactive user interfaces. The Web Dynpro programming model is available as Web Dynpro Java (as of AS Java 6.40) and Web Dynpro ABAP (as of AS ABAP 7.00). The basic concepts of these two flavors are very similar, and so the user cannot easily recognize the technology used.

Figure 4: As of SAP Web AS 6.40: Web Dynpro Java


Figure 5: As of SAP NetWeaver AS 7.00: Web Dynpro ABAP

SAPUI5 is the SAP implementation of the open HTML5 standard. After deploying the plug-in UI_INFRA (available for AS ABAP 7.00 onwards), the ICF can process Web pages based on HTML5. OData is an open standard that can be consumed by any software or device that can communicate using the HTTP(S) protocol and can parse and construct an XML document. OData can also be described as “ODBC for the Web”. SAP NetWeaver Gateway (a new product; do not confuse with the Gateway process) is the implementation of the OData standard on an AS ABAP system (available for AS ABAP 7.00 onwards).


Architectural Changes

Figure 6: As of SAP NetWeaver AS 7.10: Architectural Changes

Some of the changes introduced with AS Java 7.10 are:
• The Java Dispatcher process was replaced by the ICM process.
• The SDM process was discontinued.


Lesson Summary
You should now be able to:
• Describe the options that SAP provides for intranet and internet scenarios
• Describe the areas of use of SAP ITS, ICM, AS ABAP, and AS Java

Related Information
• SAP Community Network, Quick Links
  – /community/ui-technology
  – /community/its
  – /community/gui
  – /community/web-dynpro-abap
  – /community/web-dynpro-java
  – /community/netweaver-business-client
  – /community/developer-center/front-end


Lesson: The Internet Communication Manager (ICM) Lesson Overview In this lesson, you will learn about the Internet Communication Manager (ICM) process and administration options.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the implementation area of the ICM
• Configure and monitor the ICM

Business Example As part of the conversion to a modern, service-oriented IT infrastructure, new SAP applications based on Web Dynpro and SOAP services are implemented in your company. As a member of the system administration team, it is your task to configure the AS ABAP based SAP systems in accordance with your requirements. You therefore require an overview of the central process of intranet and internet connection – the Internet Communication Manager (ICM).

Architecture of the ICM Process

Figure 7: System Landscape with AS ABAP (Example)


The figure above shows an example of a system landscape in which Web browsers from the internet and intranet are connected with an AS ABAP. Important features are:
• Support for standard Web protocols such as HTTP, HTTPS, WebDAV, SOAP, and SMTP
• Display of standard Web formats such as HTML, XML, and XSLT
• Complete integration into the SAP environment (development environment, user administration, authorization concept, system monitoring, and communication protocols)

As of Release 6.10, the AS ABAP can function both as a Web server (server role) and as a Web client (client role). The server role, in which the AS ABAP can accept and process HTTP requests from any Web client (such as a Web browser) and send back an HTTP response, is what we will discuss in this lesson.

Within a work process, the Internet Communication Framework (ICF) provides the environment for handling HTTP requests. The ICF is the bridge between the C kernel of the SAP system and the application program created in ABAP. As of AS ABAP 6.10, work processes can directly generate Web-compatible content in a way that can be forwarded to a browser using the ICM. One way of creating content of this type is to use applications with Business Server Pages (BSPs) that were developed in the SAP system using a tool of transaction SE80, the Web Application Builder for BSPs. Starting with AS ABAP 7.00, Web Dynpro ABAP was introduced – a new programming framework for state-of-the-art Web applications.


Figure 8: Internal Structure of the ICM Process

From a technical point of view, the ICM is a separate process (icman at operating system level) that is started and monitored by the ABAP dispatcher. Its task is to ensure that the SAP system can communicate with the outside world (using HTTP, HTTPS, and SMTP). In the server role, it can process requests from the intranet/internet that arrive with URLs with the server/port combination for which the ICM is listening. The ICM then calls the appropriate local handler, depending on the URL. The ICM process uses threads to process the created workload in parallel.

The components of the ICM are:
• Thread Control: This thread accepts the incoming TCP/IP requests and creates (or raises) a worker thread from the thread pool to process the request.
• Worker Thread: This thread handles requests and responses for a connection. A worker thread contains an I/O handler for the network input and output, and various plug-ins for the different supported protocols.
• Watchdog: A worker thread usually waits for a response (whether it is client or server); if a timeout occurs, the watchdog takes over the task of waiting for the response. The worker thread can then be used for other requests.
• Signal Handler: Processes signals that are sent from the operating system or another process (such as the ABAP dispatcher).
• Connection Info: Table with information for each existing network connection.
• Memory Pipes: These memory-based communication objects allow data transfer between the ICM and the ABAP work processes.

Hint: As of AS Java 7.10, the ICM has replaced the former Java dispatcher process – so the ICM is also part of every AS Java instance (except the Java Central Services instance).

The ICM uses plug-ins to implement the following communication protocols:
• HTTP
• HTTPS
• SMTP


Figure 9: Internet Server Cache (ISC)

A part of the ICM that is important for performance is the Internet Server Cache (ISC), which stores HTTP(S) objects before they are sent to the Web browser. The next request can then be served directly from the ISC, provided that the expiry time has not elapsed. This avoids branching to the ABAP work process, which can accelerate access considerably. Some features of the ISC:
• Two-level hierarchy: When objects are stored, the advantages of both the high speed of main memory (memory cache) and the storage capacity of hard disks (disk cache) are used.
• Dynamic Caching: Traditional products are based on HTTP proxies and usually offer caching only of static content, such as images. The ISC can also cache dynamic content such as JSPs or BSPs.
• Active Caching: The application has full control over ensuring that the objects in the cache are up to date.
• UFO Caching: Invalid requests (“UnFound Objects”) that lead to error situations in the application server or the database are directly rejected, so that the system is protected against invalid or malicious requests.
• Browser-dependent Caching: The developer of Web objects can define whether his or her application is dependent on browser type. If this indicator is set, the ISC uses the data in the cache only for requests from the same browser type.


The ISC is configured using the profile parameter icm/HTTP/server_cache* and can be monitored and invalidated from the SAP system.
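To make the ISC behaviour listed above concrete, here is a small Python model (an added example, not SAP's cache implementation) of a two-level cache with expiry, negative caching of failing requests (the “UFO” idea), browser-dependent keys, and an invalidate operation like the one offered in the ICM monitor. The `Backend` class, the URL paths, and the time-to-live values are all constructed for the illustration; the counter it keeps shows how many requests actually reach the work process stand-in.

```python
"""Model of the ISC behaviour described in the lesson (added example, not SAP code)."""
from collections import OrderedDict
import time


class Backend:
    """Stand-in for the ABAP work process (constructed). Counts how often it is reached."""

    def __init__(self):
        self.calls = 0

    def handle(self, url, browser):
        self.calls += 1
        if url.startswith("/sap/bc/bsp/"):
            # Pages under .../mobile are marked browser-dependent by the "developer".
            return 200, f"BSP page {url} rendered for {browser}", url.endswith("/mobile")
        return 404, "Not found", False


class ServerCache:
    def __init__(self, backend, memory_slots=2, ttl=60.0, ufo_ttl=10.0):
        self.backend = backend
        self.memory = OrderedDict()   # hot tier, LRU order, limited slots
        self.disk = {}                # cold tier, unlimited in this model
        self.memory_slots = memory_slots
        self.ttl = ttl                # lifetime of a successful object
        self.ufo_ttl = ufo_ttl        # shorter lifetime of a cached error ("UnFound Object")

    def _store_memory(self, key, entry):
        self.memory[key] = entry
        self.memory.move_to_end(key)
        while len(self.memory) > self.memory_slots:
            old_key, old_entry = self.memory.popitem(last=False)
            self.disk[old_key] = old_entry          # demote least recently used to disk

    def _lookup(self, key, now):
        for tier_name, tier in (("memory", self.memory), ("disk", self.disk)):
            entry = tier.get(key)
            if entry is None:
                continue
            if entry["expires"] <= now:             # expiry time elapsed: drop it
                del tier[key]
                continue
            if tier_name == "disk":                 # promote a disk hit back to memory
                del tier[key]
                self._store_memory(key, entry)
            else:
                self.memory.move_to_end(key)
            return tier_name, entry
        return None, None

    def get(self, url, browser, now=None):
        """Return (status, body, source); source is memory, disk, or backend."""
        now = time.monotonic() if now is None else now
        # Browser-dependent objects are keyed by (url, browser); others by (url, None).
        for key in ((url, browser), (url, None)):
            source, entry = self._lookup(key, now)
            if entry is not None:
                return entry["status"], entry["body"], source
        status, body, browser_dependent = self.backend.handle(url, browser)
        key = (url, browser if browser_dependent else None)
        lifetime = self.ttl if status == 200 else self.ufo_ttl
        self._store_memory(key, {"status": status, "body": body, "expires": now + lifetime})
        return status, body, "backend"

    def invalidate(self, prefix="/"):
        """Drop every cached object whose URL starts with prefix; return how many."""
        removed = 0
        for tier in (self.memory, self.disk):
            for key in [k for k in tier if k[0].startswith(prefix)]:
                del tier[key]
                removed += 1
        return removed


if __name__ == "__main__":
    backend = Backend()
    cache = ServerCache(backend)
    for url, browser in [("/sap/bc/bsp/sap/shop/start", "firefox"), ("/sap/bc/bsp/sap/shop/start", "chrome"),
                         ("/nothing/here", "firefox"), ("/nothing/here", "firefox")]:
        print(url, browser, cache.get(url, browser))
    print("backend calls:", backend.calls)
```

The `now` argument exists so the expiry logic can be driven deterministically; in normal use it is taken from the monotonic clock. The repeated request for a non-existent path is answered from the cache, which is the protective effect the UFO feature has on the work processes and the database.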

Start Procedure and Monitoring

Figure 10: Starting the ICM

The profile parameter rdisp/start_icman controls whether an ICM process is also started when an application server is started. If no value is specified, the default setting true applies. You configure the ICM using profile parameters (most of which begin with icm/). The settings for icm/server_port_* are of particular importance. These settings determine the port used for each protocol, as well as other attributes of the protocol (such as timeout).

In the SAP system, you can quickly obtain an overview of which application servers are running with an ICM using the server overview (transaction SM51). For more detailed information (such as the thread ID), see the ICM monitor (transaction SMICM). From this transaction, you can choose the menu path Administration → ICM → Exit ... to terminate the ICM with a soft termination (corresponds to Unix signal 2) or a hard termination (corresponds to Unix signal 9). The ABAP dispatcher then starts a new ICM process. By choosing Administration → ICM → Restart → Yes/No, you can control whether the ABAP dispatcher restarts the ICM if it was terminated by an error or at the request of an administrator.
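The following Python script is an added example (not SAP code) of reading the ICM listener settings out of an instance profile offline, the way an administrator might review them before comparing with Goto → Parameters in SMICM. It parses rdisp/start_icman and every icm/server_port_* entry, using the comma-separated PROT=, PORT=, TIMEOUT=, PROCTIMEOUT= option syntax of those parameters, and reports listeners that are cleartext HTTP or that lack a TIMEOUT. The profile excerpt is constructed for the example and does not describe a real system.

```python
"""Review icm/server_port_* entries of an SAP instance profile (added example, not SAP code)."""
import re
from dataclasses import dataclass, field

# Constructed instance profile excerpt; the SID, instance and ports are invented.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = DEV
INSTANCE_NAME = D00
rdisp/start_icman = true
# HTTP on 8000, HTTPS on 44300, SMTP listener
icm/server_port_0 = PROT=HTTP,PORT=8000,TIMEOUT=30,PROCTIMEOUT=600
icm/server_port_1 = PROT=HTTPS,PORT=44300,TIMEOUT=60,PROCTIMEOUT=600
icm/server_port_2 = PROT=SMTP,PORT=25000
icm/HTTP/server_cache_0 = PREFIX=/,CACHEDIR=$(DIR_DATA)/cache
"""


@dataclass
class IcmPort:
    index: int
    protocol: str
    port: int
    options: dict = field(default_factory=dict)   # remaining attributes such as TIMEOUT


PORT_RE = re.compile(r"^\s*icm/server_port_(\d+)\s*=\s*(.+?)\s*$")


def parse_profile(text):
    """Return (icm_enabled, [IcmPort, ...]) for the profile text."""
    icm_enabled = True   # rdisp/start_icman defaults to true when the parameter is absent
    ports = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.lower().startswith("rdisp/start_icman"):
            value = stripped.split("=", 1)[1].strip().lower()
            icm_enabled = value in ("true", "1", "yes")
            continue
        match = PORT_RE.match(line)
        if not match:
            continue
        options = {}
        for kv in match.group(2).split(","):
            if "=" in kv:
                key, value = kv.split("=", 1)
                options[key.strip().upper()] = value.strip()
        protocol = options.pop("PROT", "").upper()
        port = int(options.pop("PORT", "0"))
        ports.append(IcmPort(int(match.group(1)), protocol, port, options))
    return icm_enabled, sorted(ports, key=lambda p: p.index)


def review_ports(ports):
    """Findings an administrator would want to see: cleartext HTTP listeners and
    HTTP(S) listeners without a TIMEOUT (an idle connection otherwise holds a worker)."""
    findings = []
    for p in ports:
        if p.protocol == "HTTP":
            findings.append(f"server_port_{p.index}: cleartext HTTP on port {p.port}")
        if p.protocol in ("HTTP", "HTTPS") and "TIMEOUT" not in p.options:
            findings.append(f"server_port_{p.index}: no TIMEOUT set")
    return findings


if __name__ == "__main__":
    enabled, listeners = parse_profile(SAMPLE_PROFILE)
    print("ICM started by dispatcher:", enabled)
    for p in listeners:
        print(f"  server_port_{p.index}: {p.protocol} on {p.port} {p.options}")
    for finding in review_ports(listeners):
        print("  !", finding)
```

To review a real instance, replace SAMPLE_PROFILE with the contents of the instance profile; the values the script prints should match what SMICM shows under Goto → Parameters → Display for that instance.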


Figure 11: Functions of the ICM Monitor


The most important tool for an administrator in the ICM environment is the ICM monitor (transaction SMICM). Note that the data displayed is instance-dependent (in the same way as the work process overview SM50). Some administrative activities (all available from transaction SMICM) are:
• Monitoring and restarting the ICM.
• Configuring the trace level (Goto → Trace Level → ...), values from 0 to 3.
• Evaluating the trace files (Goto → Trace File → ...); the system reads the dev_icm file from the work directory of the current instance.
• Overview of the profile parameters (Goto → Parameters → Display/Change). The ICM is configured using profile parameters. The displayed values apply for the instance to which you are currently logged on. For documentation on the parameters, see the ICM monitor (Goto → Parameters → Change and choose Documentation), transaction RZ11, and SAP online documentation.
• Display the statistics (Goto → Statistics → Display). You can use these statistics to find out how many requests the ICM has processed since it was started (or since the statistics were reset). The system also displays information about processing duration.
• Monitoring (Goto → HTTP Plug-In → Server Cache → Display) and resetting (Goto → HTTP Plug-In → Server Cache → Invalidate → ...) the ICM server cache. The ICM server cache stores HTTP objects before they are sent to the client. The next time that this object is requested, the content can be sent directly from the cache to the client.
• In maintenance mode, the ICM logs off from the ABAP message server and is not available for Web requests. The ICM processes only the remaining requests. If an internet user accesses an ICM in this status from the browser, the system issues a message stating that the ICM is in “Maintenance Mode”.

You can determine some of the listed data at operating system level using the icmon program. The call icmon -h displays the possible parameters for this small program, which can also, among other things, generate requests to simulate normal system workload.


Exercise 1: Administration of the ICM

Exercise Objectives
After completing this exercise, you will be able to:
• Monitor the ICM process

Business Example
As part of SAP BI, your company uses browser-based functions such as Web reporting, interactive charts, and the Business Explorer Browser (BEx Browser). As an administrator, you are responsible for monitoring the ICM processes that establish the connection between the Web browser and the SAP system.

Task 1: Checking the ICM Settings

Figure 12: Complete Scenario of the Training Landscape

Number, port, and release of the ICM processes in the training environment.

1. How many ICM processes are running in your SAP ECC system?

2. Determine the port through which requests in the HTTP protocol are processed for the application server to which you are currently logged on.

3. Which release of the ICM is used on the training system?

Result
You know the port and release for the ICM process on the training system.

Task 2: Simple HTTP Requests
Start a request in the Web browser and monitor it with the ICM monitor.

1. Launch the following URL: http://twdfSSSS.wdf.sap.corp:80$$/sap/public/ping (example for group QCC and server twdf0042 http://twd0042.wdf.sap.corp:8010/sap/public/ping). The message “Server reached successfully” appears.

2. Open the ICM monitor and note how many requests from your Web browser (you may have to Refresh the URL above) have been processed by the worker threads.
   Hint: The data in the ICM monitor is instance-specific.

3. Launch the following URL: http://twdfSSSS.wdf.sap.corp:80$$/sap/public/icman/ping.

4. Launch the following URL: http://twdfSSSS.wdf.sap.corp:80$$/sap/public/icman/mime/theme.jpg.

Result
You can monitor the activity of the ICM.

Task 3: Load Test with icmon Tool
Monitor the ICM worker threads under a generated workload.

1. At operating system level of your server, start the icmon pf= command and enter an instance profile of your ECC system for instance profile name. Launch the menu (by pressing m) and generate load (by pressing g) with the following values:

   Host: Host on which your SAP system is running, such as twdfSSSS.wdf.sap.corp (default setting)
   Port: An ICM Port valid for your system, such as 8011
   '1.x'=HTTP/1.x or '9.x' HTTPS: 1.1 (default setting)
   Get request data from file: No (default setting)
   Path: /sap/public/icman/mime/theme.jpg
   Optional Attributes: No (default setting)
   Expected OK-Code: 0 (default setting)
   Think time in millisecs: 0 (default setting)
   Number of requests: 7500
   Number of threads: 10
   Wait time in millisecs between thread creation during rampup: 0 (default setting)

2. Observe in the ICM monitor how the requests generated by icmon are processed by the worker threads.

Result
You can use the icmon tool to monitor the ICM and to start workload simulations.

Task 4: Maintenance Mode
Setting the ICM process into the maintenance mode.

1. Using the ICM monitor (transaction SMICM), activate the maintenance mode.

2. Launch the following URL: http://twdfSSSS.wdf.sap.corp:80$$/sap/public/ping (and make sure that $$ matches the instance on which you activated the maintenance mode).

3. Using the ICM monitor (transaction SMICM), deactivate the maintenance mode.

Result
You can enter and leave the maintenance mode.


Solution 1: Administration of the ICM

Task 1: Checking the ICM Settings

Figure 13: Complete Scenario of the Training Landscape

Number, port, and release of the ICM processes in the training environment.

1. How many ICM processes are running in your SAP ECC system?
   a) In the server overview (transaction SM51), count the application servers for which the ICM process is listed. An ICM process should be configured for each of your ABAP instances.


2. Determine the port through which requests in the HTTP protocol are processed for the application server to which you are currently logged on.
   a) Check the value of the profile parameters icm/server_port_, for example:
      • In the ICM monitor (transaction SMICM) by choosing Goto → Parameters → Display
      • By executing report RSPFPAR
      • In transaction RZ10
      Hint: The determined port is instance-specific. In the training systems, the parameter icm/server_port_0 has the value PROT=HTTP,PORT=80$$ (and further timeout settings). The variable $$ is replaced by the instance number when the ICM is started, ensuring that ports are unique per host in all cases.

3. Which release of the ICM is used on the training system?
   a) You can determine the ICM release in the ICM monitor (transaction SMICM) by choosing Release Notes or Goto → Release Notes. The information that you are looking for is at the start of the list. At the end of the list, all problems that are solved with the current patch level are listed (with associated SAP Notes).

Result
You know the port and release for the ICM process on the training system.
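As an added example (not part of the SAP course material and not SAP code), the following Python script reads the icm/server_port_<n> entries from a constructed instance profile, expands $$ with the instance number as described in the hint above, builds the /sap/public/ping URL used in Task 2, and interprets the ping reply, including the “Maintenance Mode” reply of Task 4. The function names, the sample profile, and the timeout values in it are assumptions made for this example.

```python
"""Added example (not SAP's code): list the ICM listening ports of an
AS ABAP instance from its profile and interpret /sap/public/ping replies."""
import re
from typing import Dict, List

# Constructed instance profile. The icm/server_port_<n> format follows the
# lesson (PROT=HTTP,PORT=80$$ plus timeout settings); values are made up.
SAMPLE_PROFILE = """\
# instance profile (constructed for this example)
icm/server_port_0 = PROT=HTTP,PORT=80$$,TIMEOUT=60,PROCTIMEOUT=600
icm/server_port_1 = PROT=HTTPS,PORT=443$$
icm/server_port_2 = PROT=SMTP,PORT=25000
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; '#' starts a comment line. A later
    definition of the same name overrides an earlier one."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def expand_instance(value: str, instance_number: int) -> str:
    """Replace $$ with the two-digit instance number, as the ICM does at
    start-up (80$$ on instance 10 becomes 8010)."""
    return value.replace("$$", f"{instance_number:02d}")


def icm_ports(profile_text: str, instance_number: int) -> List[dict]:
    """One entry per icm/server_port_<n> parameter, ordered by <n>, with the
    comma-separated subparameters (PROT, PORT, timeouts, ...) split out."""
    entries: List[dict] = []
    for name, value in parse_profile(profile_text).items():
        m = re.fullmatch(r"icm/server_port_(\d+)", name)
        if not m:
            continue
        sub: Dict[str, str] = {}
        for item in expand_instance(value, instance_number).split(","):
            if "=" in item:
                key, val = item.split("=", 1)
                sub[key.strip().upper()] = val.strip()
        port = sub.get("PORT", "")
        entries.append({
            "index": int(m.group(1)),
            "prot": sub.get("PROT", "").upper(),
            "port": int(port) if port.isdigit() else None,
            "params": sub,
        })
    return sorted(entries, key=lambda e: e["index"])


def plaintext_web_ports(entries: List[dict]) -> List[int]:
    """HTTP listeners without SSL: logon data would cross the network in
    clear text (Unit 3 covers protecting HTTP with SSL)."""
    return [e["port"] for e in entries if e["prot"] == "HTTP" and e["port"]]


def ping_url(host: str, entry: dict) -> str:
    """URL of the /sap/public/ping service for an HTTP or HTTPS listener."""
    scheme = entry["prot"].lower()
    if scheme not in ("http", "https") or entry["port"] is None:
        raise ValueError(f"not a web listener: {entry}")
    return f"{scheme}://{host}:{entry['port']}/sap/public/ping"


def classify_ping(status: int, body: str) -> str:
    """Interpret a /sap/public/ping reply. The normal reply and the
    maintenance-mode reply both use status 200 (see Task 4), so a health
    check that looks only at the status code cannot tell them apart."""
    if status == 200 and "Maintenance Mode" in body:
        return "maintenance"
    if status == 200 and "Server reached successfully" in body:
        return "reachable"
    return "unexpected"


if __name__ == "__main__":
    listeners = icm_ports(SAMPLE_PROFILE, 10)
    for e in listeners:
        print(e["index"], e["prot"], e["port"], e["params"])
    print("plaintext HTTP ports:", plaintext_web_ports(listeners))
    print(ping_url("twdf0042.wdf.sap.corp", listeners[0]))
    print(classify_ping(200, "200 Maintenance Mode"))
```

On a real system, the profile text would be read from the instance profile of the server you are logged on to, and the reply to classify would come from a request to the URL the script builds.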

Task 2: Simple HTTP Requests
Start a request in the Web browser and monitor it with the ICM monitor.

1. Launch the following URL: http://twdfSSSS.wdf.sap.corp:80$$/sap/public/ping (example for group QCC and server twdf0042 http://twd0042.wdf.sap.corp:8010/sap/public/ping). The message “Server reached successfully” appears.
   a) Enter the specified URL in your local Web browser and choose Enter.
      Hint: All services under /sap/public use a predefined user (SAPSYS); therefore, no logon is required for this request. As of AS ABAP 6.20, services must be explicitly activated. This should already have been prepared in the training system for the services specified in this exercise.

2. Open the ICM monitor and note how many requests from your Web browser (you may have to Refresh the URL above) have been processed by the worker threads.
   Hint: The data in the ICM monitor is instance-specific.
   a) In the ICM monitor (transaction SMICM), choose the Refresh button after you have sent a few requests to the ICM.

3. Launch the following URL: http://twdfSSSS.wdf.sap.corp:80$$/sap/public/icman/ping.
   a) See task description. The message “server on host twdfSSSS system twdfSSSS__ (000) successfully reached” appears.

4. Launch the following URL: http://twdfSSSS.wdf.sap.corp:80$$/sap/public/icman/mime/theme.jpg.
   a) See task description. A small image should appear.

Result
You can monitor the activity of the ICM.

Task 3: Load Test with icmon Tool
Monitor the ICM worker threads under a generated workload.

1. At operating system level of your server, start the icmon pf= command and enter an instance profile of your ECC system for instance profile name. Launch the menu (by pressing m) and generate load (by pressing g) with the following values:

   Host: Host on which your SAP system is running, such as twdfSSSS.wdf.sap.corp (default setting)
   Port: An ICM Port valid for your system, such as 8011
   '1.x'=HTTP/1.x or '9.x' HTTPS: 1.1 (default setting)
   Get request data from file: No (default setting)
   Path: /sap/public/icman/mime/theme.jpg
   Optional Attributes: No (default setting)
   Expected OK-Code: 0 (default setting)
   Think time in millisecs: 0 (default setting)
   Number of requests: 7500
   Number of threads: 10
   Wait time in millisecs between thread creation during rampup: 0 (default setting)

   a) If you have not already done so, log onto the Terminal Services Client (also known as the RDP Client) at operating-system level using the user adm.
   b) Open Windows Explorer and navigate to the directory D:\usr\sap\\SYS\profile. Click the profile directory (in the left pane) with the right mouse button and choose CMD Prompt Here.
   c) Within the command prompt, start the icmon program with an instance profile: icmon pf= (example for the dialog instances of group QCC on server twdf0042: icmon pf=QCC_D11_twdf0042).
      Hint: You can drag and drop a file name from the Windows Explorer into the command prompt window.
   d) Enter the command m to switch to the Monitor Menu and generate load by entering the command g and the parameters specified in the task description.

2. Observe in the ICM monitor how the requests generated by icmon are processed by the worker threads.
   a) In transaction SMICM, choose the Refresh function to observe the activity of the worker threads. You may notice that the ICM starts further worker threads. Remember that the display in transaction SMICM is not system-wide, but only applies to your instance.
      Note: The default load data generates 75,000 requests (that is, number of requests multiplied by number of threads).

Result
You can use the icmon tool to monitor the ICM and to start workload simulations.

Task 4: Maintenance Mode
Setting the ICM process into the maintenance mode.

1. Using the ICM monitor (transaction SMICM), activate the maintenance mode.
   a) In the ICM monitor (transaction SMICM) choose Administration → ICM → Maintenance Mode → Activate.
   b) Note that the ICM Status is Maintenance now.

2. Launch the following URL: http://twdfSSSS.wdf.sap.corp:80$$/sap/public/ping (and make sure that $$ matches the instance on which you activated the maintenance mode).
   a) See task description. The message “200 Maintenance Mode” appears.

3. Using the ICM monitor (transaction SMICM), deactivate the maintenance mode.
   a) In the ICM monitor (transaction SMICM) choose Administration → ICM → Maintenance Mode → Deactivate.
   b) Note that the ICM Status is Running again.

Result
You can enter and leave the maintenance mode.


Lesson Summary
You should now be able to:
• Describe the implementation area of the ICM
• Configure and monitor the ICM

Related Information
• SAP NetWeaver 7.31 online documentation, path SAP NetWeaver Library: Function-Oriented View → Application Server → Application Server Infrastructure → Internet Communication Manager (ICM)
• SAP Note 737625: Parameter Recommendations for the ICM
• SAP Note 421359: ICM: Binding

initial password).

Figure 49: System Parameters for User Logons 2/2


You can set the number of failed logon attempts after which SAP GUI is terminated using the parameter login/fails_to_session_end. If the user wants to try again, he or she must restart SAP GUI. You can set the number of failed logon attempts after which a user is locked in the SAP system using the parameter login/fails_to_user_lock. The failed logon counter is reset after a successful logon attempt.

Hint: At midnight (server time), the users that were locked as a result of incorrect logon attempts are no longer automatically unlocked by the system (default value since SAP NetWeaver 7.0). You reactivate this automatic unlocking with the parameter login/failed_user_auto_unlock = 1.

The administrator can unlock, lock, or assign a new password to users in user maintenance (transaction SU01).

If the parameter login/disable_multi_gui_login is set to 1, a user cannot log on to a client more than once. This can be desirable for system security reasons. If the parameter is set to 1, the user has the following options when he or she logs on again: continue with this logon and end any other logons in the system, or terminate this logon. Users to whom this should not apply should be specified in the parameter login/multi_login_users, separated with commas, and with no spaces.

Initial Passwords for Standard Users

Figure 50: Standard Users

Essentially, there are two types of standard users: those created by installing the SAP system and those created when you copy clients.


Lesson: Login Parameters and User Info

During the installation of the SAP system, the clients 000 and 066 are created (the client 001 is not always created during an SAP installation; it is also created, for example, during an SAP ECC installation). Standard users are predefined in the clients. Since there are standard names and standard passwords for these users, which are known to other people, you must protect them against unauthorized access.

The SAP system standard user, SAP*
SAP* is the only user in the SAP system for which no user master record is required, since it is defined in the system code. SAP* has, by default, the password “PASS”, and unrestricted access authorizations for the system. When you install the SAP system, a user master record is created automatically for SAP* in client 000 (and in 001 if it exists). At first, this still has the initial password “06071992”. The administrator is required to reset the password during installation. The installation can continue only after the password has been changed correctly. The master record created here deactivates the special properties of SAP*, so that only the authorizations and password defined in the user master record now apply.

The DDIC user
This user is responsible for maintaining the ABAP Dictionary and the software logistics. When you install the SAP system, a user master record is automatically created in client 000 [001] for the user DDIC. With this user too, you are requested to change the standard password of “19920706” during the installation (similar to the user SAP*). Certain authorizations are predefined in the system code for the DDIC user, meaning that it is, for example, the only user that can log on to the SAP system during the installation of a new release.

Caution: To protect the system against unauthorized access, SAP recommends that you assign these users to the user group SUPER in the client 000 [001]. This user group is only assigned to superusers.

The EarlyWatch user


The EarlyWatch user is delivered in client 066 and is protected with the password “SUPPORT”. The EarlyWatch experts at SAP work with this user. This user should not be deleted. Change the password. This user should only be used for EarlyWatch functions (monitoring and performance).

Hint: Special features for the user “SAP*”
If you copy a client, the user “SAP*” is always available. This user does not have a user master record, and is programmed into the system code. To protect your system against unauthorized access, you should create a user master record for this standard user. Create a “superuser” with full authorization. If you now delete the user master record “SAP*”, the initial password “PASS” with the following properties becomes valid again:

• The user has full authorization since no authorization checks are made.
• The standard password “PASS” cannot be changed.

How can you counter this problem to protect the system against misuse?

• You can deactivate the special properties of SAP*. To do this, you must set the system profile parameter login/no_automatic_user_sapstar to a value greater than zero. If the parameter is active, SAP* no longer has any special properties. If the user master record SAP* is deleted, the logon with PASS no longer works. If you want to reinstate the old behavior of SAP*, you must first reset the parameter and restart the system.
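As an added example (not SAP's code and not part of the course), the following Python script audits the login/* parameters covered in this lesson, including login/no_automatic_user_sapstar from the hint above, against the behaviour the text describes, using two constructed instance profiles. The function names, the severities, and every value in the sample profiles are assumptions made for this example.

```python
"""Added example (not SAP's code): audit the login/* profile parameters
described in this lesson, including login/no_automatic_user_sapstar."""
from typing import Dict, List, Tuple

# Two constructed instance profiles (values are made up for illustration).
WEAK_PROFILE = """\
# constructed profile with the settings the lesson warns about
login/fails_to_session_end = 3
login/failed_user_auto_unlock = 1
login/disable_multi_gui_login = 0
login/multi_login_users = BATCHADM, RFCUSER
login/no_automatic_user_sapstar = 0
"""

HARDENED_PROFILE = """\
# constructed profile with the settings the lesson recommends
login/fails_to_session_end = 3
login/fails_to_user_lock = 5
login/failed_user_auto_unlock = 0
login/disable_multi_gui_login = 1
login/multi_login_users = BATCHADM,RFCUSER
login/no_automatic_user_sapstar = 1
"""

# (severity, parameter, message); severity is "info", "warn" or "error"
Finding = Tuple[str, str, str]


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of an instance profile; '#' starts a
    comment. A later definition of the same name overrides an earlier one."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def multi_login_exceptions(params: Dict[str, str]) -> List[str]:
    """Users exempt from login/disable_multi_gui_login (comma-separated)."""
    raw = params.get("login/multi_login_users", "")
    return [u.strip() for u in raw.split(",") if u.strip()]


def audit_login_parameters(profile_text: str) -> List[Finding]:
    """Compare the profile with the behaviour the lesson describes. A
    parameter that is absent gets an 'info' finding: the system default
    applies and should be checked in transaction RZ11."""
    p = parse_profile(profile_text)
    findings: List[Finding] = []

    for name in ("login/fails_to_session_end", "login/fails_to_user_lock",
                 "login/disable_multi_gui_login",
                 "login/no_automatic_user_sapstar"):
        if name not in p:
            findings.append(("info", name, "not set; default applies, check RZ11"))

    for name in ("login/fails_to_session_end", "login/fails_to_user_lock"):
        value = p.get(name)
        if value is not None and (not value.isdigit() or int(value) < 1):
            findings.append(("error", name, f"expected a positive count, found {value!r}"))

    # Default since SAP NetWeaver 7.0: locks from failed logons are kept.
    if p.get("login/failed_user_auto_unlock") == "1":
        findings.append(("warn", "login/failed_user_auto_unlock",
                         "users locked by failed logon attempts are unlocked "
                         "automatically at midnight"))

    multi = p.get("login/disable_multi_gui_login")
    if multi is not None and multi != "1":
        findings.append(("warn", "login/disable_multi_gui_login",
                         "a user may log on to the same client more than once"))

    raw_users = p.get("login/multi_login_users", "")
    if any(ch.isspace() for ch in raw_users):
        findings.append(("error", "login/multi_login_users",
                         "must be comma-separated with no spaces"))
    if raw_users and multi != "1":
        findings.append(("info", "login/multi_login_users",
                         "exception list has no effect while "
                         "login/disable_multi_gui_login is not 1"))

    sapstar = p.get("login/no_automatic_user_sapstar")
    if sapstar is not None and (not sapstar.isdigit() or int(sapstar) < 1):
        findings.append(("error", "login/no_automatic_user_sapstar",
                         "SAP* keeps its special properties: deleting its user "
                         "master record re-enables logon with password PASS"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"--- {label} profile ---")
        for severity, name, message in audit_login_parameters(text):
            print(f"{severity:5} {name}: {message}")
        print("multi-logon exceptions:", multi_login_exceptions(parse_profile(text)))
```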


Determining User Information

Figure 51: Information System

You can call the Information System (transaction SUIM) in the SAP Menu by choosing Tools → Administration → User Maintenance → Information System or in user maintenance (transaction SU01) by choosing Information → Information System. You can obtain an overview of user master records, authorizations, profiles, roles, change dates, and so on using the information system. You can display lists that answer very varied questions. For example:

• Which users have been locked in the system by administrators or failed logon attempts?
• When did a user last log on to the system?
• What changes were made in the authorization profile of a user?
• In which roles is a certain transaction contained?


Figure 52: System Trace for Authorization Checks

You can display the last failed authorization check (transaction SU53) by choosing System → Utilities → Display Authorization Check. The system displays the most recently checked authorization object for which the authorization check was unsuccessful with the checked values.

Hint: Users can only display values for the checked object if they have authorizations for the object S_USER_AUT. Otherwise, the text: No authorization to display authorization values appears.

The system administrator can use transaction SU53 to check which authorizations were missing for a user for the execution of his or her last (unsuccessful) action. If system administrators have authorizations for S_USER_AUT too, they can also display the values that the user has for the checked object.

You can record authorization checks in your own and other sessions using the system trace function System Trace for Authorization Checks (transaction STAUTHTRACE). As an alternative, you can also use the system trace Tools → Administration → Monitor → Traces → System Trace (transaction ST01).

Caution: This only works if the instance (application server) is the same, though.

All checked authorization objects including the checked values are recorded here. The system trace is suited to finding multiple missing authorizations. The system trace is activated for the authorization check of a special user who has all required authorizations for the actions to be checked. The actions are performed with this special user. The trace records all authorization checks. These can then be evaluated.


Lesson Summary
You should now be able to:
• Set system parameters for user logons
• Name standard users in the SAP system
• Locate authorization problems

Related Information
SAP Notes:
• 2467 - Password rules & preventing unauthorized logons
• 862989 - New password rules as of SAP NetWeaver 2004s (NW AS ABAP 7.0)


Lesson: Appendix: Advanced User Administration Topics

Lesson Overview
In this lesson, you will obtain an overview of Central User Administration and connections to directory services. These topics are dealt with in detail on the SAP training courses ADM102 and TZNWIM.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the concept of Central User Administration
• Describe the connection to directory services

Business Example
You want to structure user administration in your company more efficiently through centralization.

Work Center: User Management
The User Management work center offers common, locally acting user administration functions for both ABAP and Java. It provides a list of tools for ABAP and Java user management, for example the ABAP transactions “User Administration” (SU01) and “Role Maintenance” (PFCG). In the case of AS ABAP+Java systems or AS Java systems, core administration functionality of SAP NetWeaver Administrator is linked in.


Figure 53: Work Center: User Management

Central User Administration

Figure 54: Central User Administration


If you are operating multiple SAP systems with a number of clients, and identical users are created a number of times in different clients, you can significantly reduce your administrative effort for user administration using Central User Administration (CUA). You can perform user maintenance centrally from one client with CUA. This client is then described as the central system. The clients for which user administration is performed from the central system are called child systems.

You can specify for every user which clients it can log on to. Using CUA does not mean that all users can be used in all clients of the system landscape. You can also specify which user data can only be maintained centrally and which data can also be maintained locally. It is sometimes useful to allow data to be locally maintained by the users or by an administrator. Local maintenance with distribution to all other clients is also possible (for example, in the case of address data being changed).

The user master data is exchanged using ALE. ALE stands for Application Link Enabling, and is a technology for setting up and operating distributed SAP applications. ALE allows the process-controlled exchange of business messages between loosely connected SAP systems. Asynchronous processing of the communication ensures that application operation is error-free. Systems that you want to include in a CUA must have at least SAP Basis 4.5.

Figure 55: Which Data Can Be Distributed?


The following data can be distributed using Central User Administration (CUA):

• User master records: Addresses, logon data, user defaults, and user parameters
• Users are assigned the associated single and composite roles and profiles for all child systems. Using CUA has the advantage that you no longer need to log on to each individual client to maintain these assignments locally.
• Initial password: When users are newly created, an initial password is transferred to the child systems. This can be changed in the usual way.
• Lock status: In addition to the familiar lock reasons (failed logon attempts or locked by an administrator) there is a new general lock. This takes effect in all child systems in which the affected user is permitted and can be removed either centrally or in an individual child system.

You can assign single or composite roles and authorization profiles from the central system. However, the authorization profiles are maintained locally rather than centrally, since different system settings and release statuses require local administration of authorization profiles.

Note: With central role maintenance, you can define the menu of a role in an SAP system for a different target system. The authorization profiles are always to be maintained in the target system. You can implement the CUA and central role maintenance concepts together or independently.

Directory Services

Figure 56: Connection to Directory Services


Directory services allow various applications in an IT landscape to access shared information at a central location. The information is stored on a central directory server that the various systems of your IT landscape can access. In this way, the directory server acts as an “IT address book” for information that is usually used in common, such as personnel data (name, department, organization), user data, and information about system resources and system services. You can use directory services to maintain information in SAP systems for directory-compatible applications (such as user administration or Business Workplace). The standardized Lightweight Directory Access Protocol (LDAP) is usually used as the access protocol. Directory services provide a central information and administration point and therefore simple shared information usage between various applications.

Your SAP system can exchange data with directory services using the LDAP protocol. You specify the synchronization direction for each field, that is, whether the SAP system overwrites the data in the directory, or the directory overwrites the data in the SAP system. The SAP system can exchange data with directory services from various vendors. The SAP system may require attributes that are not in the standard schemata of the directories. SAP usually provides a schema extension for this purpose.

Note: As of SAP Web AS 6.10, SAP systems can easily connect to a directory service. It was possible to connect to a directory service before SAP Web AS 6.10, although rather more effort was involved.

Hint: A connection to a directory service can extend a Central User Administration. That is, these two concepts are in no way mutually exclusive, but rather work together very well.


SAP NetWeaver Identity Management

Figure 57: SAP NetWeaver Identity Management

In SAP NetWeaver Identity Management, SAP provides integrated, business process-driven Identity Management functions for a heterogeneous system landscape. SAP NetWeaver Identity Management uses a central identity store to consolidate and save data from various source systems (SAP HCM for example). This information is distributed to connected target systems. User accounts and role assignments for SAP and non-SAP applications are distributed. Role assignments can be automated using rule definitions. A very important function of SAP NetWeaver Identity Management is the option of making the authorization assignment workflow-controlled. The integration with HCM as one of the possible source systems for identity information is a key function for business process-driven Identity Management. For more information about SAP NetWeaver Identity Management, go to the SAP Developer Network (https://www.sdn.sap.com/irj/sdn/nw-identitymanagement).


Lesson Summary
You should now be able to:
• Describe the concept of Central User Administration
• Describe connection to directory services

Related Information


Unit Summary
You should now be able to:
• Create users
• Copy, create, and maintain roles
• Maintain the assignment of roles and users
• Describe the concept of a work center role
• Set system parameters for user logons
• Name standard users in the SAP system
• Locate authorization problems
• Describe the concept of Central User Administration
• Describe connection to directory services


Test Your Knowledge

1. How are authorizations assigned to a user?
   Choose the correct answer(s).
   □ A Users are assigned authorizations using profiles.
   □ B Users are assigned authorizations using roles.
   □ C Users are assigned authorizations using user names.
   □ D Users are assigned authorizations using a Certification Authority (CA).

2. The SAP authorization concept is a positive concept because ...
   Choose the correct answer(s).
   □ A Every user automatically receives all authorizations.
   □ B Authorizations must be explicitly assigned.
   □ C The range of features of the authorization check is so large.
   □ D The developers programmed it efficiently.

3. System parameters for the user logon are in the area ________. To display user's incorrect logon attempts, call the Information System with transaction ________. The system trace function is called using transaction ________.
   Fill in the blanks to complete the sentence.


Answers

1. How are authorizations assigned to a user?
   Answer: A, B
   Authorizations are combined into profiles. The roles assigned to users contain profiles with appropriate authorizations for the role. Authorizations are not assigned using user names or a CA.

2. The SAP authorization concept is a positive concept because ...
   Answer: B
   SAP uses a positive authorization concept. This means that everything that is not explicitly allowed is automatically forbidden.

3. System parameters for the user logon are in the area login. To display user's incorrect logon attempts, call the Information System with transaction SUIM. The system trace function is called using transaction ST01.
   Answer: login, SUIM, ST01
   User logon settings are implemented using the login/* parameter. The Information System is called with transaction SUIM, the system trace function with ST01.


Unit 3
Setting up SSL for AS Java

Unit Overview
A secure infrastructure is a prerequisite for different aspects of security in SAP systems, for example access control and data security. The first lesson gives an overview of different aspects of network security, whereas the second lesson concentrates on the theoretical background and concrete configuration activities with regard to the Secure Socket Layer (SSL).

Unit Objectives
After completing this unit, you will be able to:
• Explain why safeguarding the network communication is necessary
• Describe which technical components can be protected via secure network protocols
• Classify concepts of the Web Service Security
• Describe different encryption processes
• Point out the relationship between authentication and digital signatures
• Explain the server authentication mechanism used within SSL
• Set up SSL with the SAP NetWeaver Administrator

Unit Contents
Lesson: Network Security ... 160
Lesson: Setting Up SSL ... 168
Exercise 6: Setting up SSL ... 183


Unit 3: Setting up SSL for AS Java

TADM10_2

Lesson: Network Security

Lesson Overview
An SAP NetWeaver Composition Environment system is part of a complex system landscape. Business processes in this system landscape are distributed across several systems, and access takes place using the intranet and the Internet. Safeguarding the landscape against unauthorized access is essential. This lesson gives an overview of the types of communication used in an SAP system landscape and how they can be safeguarded.

Lesson Objectives
After completing this lesson, you will be able to:
• explain why safeguarding the network communication is necessary
• describe which technical components can be protected via secure network protocols
• classify concepts of the Web Service Security

Business Example
As part of the implementation of a service-oriented architecture using the SAP NetWeaver Composition Environment, the company ABC AG wants to introduce a new business process that requires access to sensitive data both internally and externally via the Internet.

Reasons for Secure Communication
Protecting the data exchange between SAP systems is essential. This communication contains users' access data (passwords, for example) and sensitive business data. If unauthorized users have access to this data, this may have serious consequences for the company in question. Secure communication
• safeguards against unauthorized access to logon data
• safeguards against unauthorized access to sensitive data
• implements legal requirements or privacy policies of the company
• reduces the chances of compromising system and application security.

Security of the Communication Layer
Different technologies are available to safeguard communication, depending on the communication protocol used. In the SAP environment, these are usually Secure Socket Layer (SSL) for Internet protocols (HTTP, for example) and Secure Network Communication (SNC) for SAP protocols (RFC, for example).


Figure 58: Communication Protocols as of the AS Java 7.1x

The figure shows the possible communication protocols of the AS Java as of Release 7.1x. A Web Application Client (a Web Browser for example) can access the Internet Communication Manager (ICM) of the AS Java via HTTP either directly or using an Application Gateway. The User Management Engine (UME) of the AS Java accesses user data using different protocols depending on the configured User Persistence Store. The RFC protocol is frequently used for communication with other SAP systems. HTTP communication is also possible here. Furthermore, the protocol P4 is used in some scenarios.


Figure 59: Communication Protocols from Web Container and EJB Container

The protocols P4 and IIOP are used between the Web Container and the EJB Container. In addition, P4 and IIOP are used to call objects in remote application servers. The following table provides an overview of the security of the different communication protocols.

Security of Communication for AS Java

Protocol | Security mechanism | Note
HTTP | Secure Socket Layer (SSL) | HTTP is the standard protocol for Web applications. SSL can be used for authentication, integrity and encryption.
P4 | Secure Socket Layer (SSL) | P4 is the transfer protocol for the Java-specific communication Remote Method Invocation (RMI). P4 supports HTTP tunneling.
IIOP | Secure Socket Layer (SSL) | IIOP is an alternative transfer protocol for RMI. IIOP can also be used for communication with CORBA application servers.
LDAP | Secure Socket Layer (SSL) | If the User Management Engine of the AS Java has connected a directory service via the LDAP protocol as a Persistence Store, SSL can be used for communication security.
RFC | Secure Network Communication (SNC) | The SNC interface can be used for the SAP-specific protocols RFC and DIAG.
JDBC | Driver-dependent | JDBC is a communication protocol for the database connection. Communication can be secured depending on the driver that is used.
Telnet | Not available | Communication via Telnet is not encrypted. Therefore, Telnet access to the AS Java has been restricted to host 127.0.0.1 (localhost).
Session | Not available | Session is a communication protocol that is used only between the ICM and the server process. Since this communication is not used outside an instance, encryption is not required.


Due to the architecture changes in AS Java as of Release 7.1x, there are also some differences in the occupancy (and configuration) of the communication ports. The table below contains some important ports for AS Java. $$ stands for the instance number here.

Important Standard TCP/IP Ports in AS Java

Service | Port Number | Process
HTTP | 5$$00 | ICM
P4 | 5$$04 | ICM
IIOP | 5$$07 | ICM
Telnet | 5$$08 | ICM
HTTP | 5$$13 | sapstartsrv
HTTP | 81$$ | MS

You can find a complete list of the ports used by SAP applications on SAP Service Marketplace under Quick Link /security and under Security in Detail → Infrastructure Security → TCP/IP Ports Used by SAP Applications.

Web Service Security
The SAP NetWeaver Composition Environment plays the role of the development environment for composite applications in the implementation of the service-oriented architecture (SOA). The SAP NetWeaver CE system is also the runtime environment for such applications. The Web service technology is a technical foundation for SOA. The security requirements for Web services go beyond the encryption of the HTTP protocol via SSL. A Web service (WS) is a modular function that can be published, located and called via a network. A Web service provides functions that are based on the technological communication layer. Any flow logic can be offered as a Web service, for example EJBs, Java classes or portal services. The Web Service Framework of the AS Java transfers the incoming XML/SOAP data and calls the Web service. The following figure gives a rough overview of the communication.


Figure 60: Communication in the Web Service Scenario

The Web service provider publishes the Web service in Universal Description, Discovery, and Integration (UDDI). The WSDL file (Web Service Description Language) of the Web service is stored in the UDDI for this purpose. A Web service user can now find the Web service in the UDDI and call it from the provider. The Simple Object Access Protocol (SOAP) is used for this communication. The SOAP request is transported via the HTTP protocol. The transfer can be safeguarded either via SSL or via the standard WS Security. Web services can communicate using any number of connections and intermediary stations. A connection-based security of communication, such as via SSL, is therefore insufficient, since it protects only each individual hop and not the message from end to end. Therefore, the OASIS standard Web Service Security (WSS) has been implemented for AS Java. The following table gives an overview of the security mechanisms for Web services.

Web Service Security

Communication Method | Protocol | Transferred Data | Security By
Execution | SOAP via HTTP | Application data, logon data | SSL, or for messages XML Signature and XML Encryption
Publication and localization | HTTP | WSDL data, logon data | SSL


Network Topology
The network topology can also safeguard your system landscape. SAP recommends that you use separated network zones and demilitarized zones (DMZ), as shown in the following figure.

Figure 61: Network Topology

Systems with sensitive business data, such as SAP ECC or SAP CRM, should be protected from uncontrolled access by a firewall. Also in the case of Web applications, such as a portal, a firewall should allow users only controlled access. In particular, with regard to Internet scenarios, we advise you to use so-called Application Gateways within a DMZ. In practice, an Application Gateway is implemented, for example, by a reverse proxy, a load balancer or similar products.


Lesson Summary
You should now be able to:
• explain why safeguarding the network communication is necessary
• describe which technical components can be protected via secure network protocols
• classify concepts of the Web Service Security

Related Information
• For more information about security aspects of SAP systems, we recommend that you attend course ADM960 - Security in SAP System Environments: http://service.sap.com/securityguide.
• More information is also available on SAP Service Marketplace under Quick Link /security: http://service.sap.com/security.
• The SAP Library for SAP NetWeaver 7.3, including the section SAP NetWeaver Security Guide, is available under http://help.sap.com.


Lesson: Setting Up SSL

Lesson Overview
This lesson gives you a brief introduction to cryptography and its adoption in the communication between different communication partners. In the second part you will learn how to set up secure HTTP communication (SSL).

Lesson Objectives
After completing this lesson, you will be able to:
• describe different encryption processes
• point out the relationship between authentication and digital signatures
• explain the server authentication mechanism used within SSL
• set up SSL with the SAP NetWeaver Administrator

Business Example
Your corporation wants to provide access to composite applications on the SAP NetWeaver AS Java system for its business partners. Since sensitive data is transferred between the SAP system and the client (a Web browser, for example), a secure connection should be established.

Introducing Cryptography
Cryptography is the science of encrypting information. Why is this a very important topic in today's IT world? The standard protocol used for transporting HTTP requests, TCP/IP, is a potentially insecure transport mechanism. Everyone connected to a specific network is able, with more or less effort and knowledge, to listen to the packets and their content transferred with the IP protocol in that network. This vulnerable protocol makes it necessary to encrypt the transferred data itself. For a better understanding, we describe here a possible attack against the TCP/IP protocol and the data transferred with this protocol.


Figure 62: Threat: Eavesdropping

In the above example, Alice (1) initiates a communication with Bob and requests some data about customers from him. Bob gathers the requested data and responds to Alice's request (2). The entire exchange is eavesdropped by Mallory. He now knows the information that was discussed (3). In the context of TCP/IP, Alice (who stands for a Web browser), for example, requests some data via an HTTP request that is transferred via the TCP/IP protocol. The server (here represented by Bob) responds and transfers some sensitive customer data from the server to the client via the TCP/IP protocol. Mallory, an attacker, is on the same network and is therefore able to eavesdrop on this TCP/IP communication. The solution for securing this communication is the encryption of the transferred data: the conversation is made understandable only to the participants involved in it and impossible for the attacker to understand.


Figure 63: Protection: Encryption

Encryption Methods
Encryption itself is based on mathematical operations. A key therefore has to be exchanged between the communication partners in order to have a computable basis for encrypting and decrypting information. There are three different methods for exchanging these keys.

Figure 64: Encryption Methods


Symmetric Key Encryption is the classical cryptography method for encrypting and decrypting messages. In this case, both the sender and receiver of a message share a “secret” called a secret key. The sender uses this key to encrypt the message. The receiver also uses this key to decrypt the message.

Figure 65: Symmetrical Encryption

The shared secret is called a secret key. It consists of a value of a certain length, 256 bits for example. These encryption algorithms are in widespread use and are employed in most Web browsers and Web servers. Typical Symmetric Key Encryption Algorithms include:
• Digital Encryption Standard (DES)
• Triple DES
• Advanced Encryption Standard (AES)
• International Data Encryption Algorithm (IDEA)
• RC4
• RC5
• Blowfish

Asymmetric Key Encryption uses a different algorithm than Symmetric Key Encryption. Asymmetric Key Encryption uses a key pair that consists of a private and a public key. These keys belong to each other. A message that is encrypted with the public key can only be decrypted with the matching private key. The public key can be made public. The owner of the key pair “publishes” the public key and can distribute it as required. The private key must be kept secret.


Figure 66: Asymmetrical Encryption

The person who is sending a confidential message uses the recipient's public key to encrypt the message. Only the recipient can then decrypt the message using his or her private key. Typical public key encryption algorithms are:
• RSA (Rivest, Shamir, Adleman), Diffie-Hellman

Disadvantages of Public Key Encryption:
• It is slower than Symmetric Key Encryption.
• Encryption is only possible in one direction with a single key pair. Alice can encrypt a message to send to Bob, but not vice versa.
• If Alice also has a key pair, then Bob can send her an encrypted message. However, there is an easier way.

The Hybrid Encryption Process is the combination of both encryption processes explained above. It makes use of the advantages of both process types. For a better understanding, we describe this process in the following example.


Figure 67: Hybrid Encryption

Process:
1. The client (browser) contacts the SAP NetWeaver Application Server Java.
2. The Application Server responds and sends its Public Key.
3. On the client side, a Secret Key is created and encrypted with the Public Key the server sent before.
4. The client sends back the encrypted Secret Key.
5. On the server, the Secret Key is decrypted using the Private Key. Only the server can decrypt the received Secret Key, because it holds the Private Key that is necessary for the decryption.
6. The communication partners perform a "Handshake"; they shake hands.
7. Further communication between the client and the server is encrypted using the Secret Key.
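The seven steps above carried out in Go, as an added example that is not part of the course material: the client wraps a fresh 256-bit secret key with the server's public key (RSA-OAEP is assumed here for the wrapping, AES-256-GCM for the subsequent traffic; real SSL negotiates its own algorithms in the handshake), only the holder of the private key can unwrap it, and everything afterwards is symmetrically encrypted. The Server type and function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Server models the AS Java side: it owns the key pair and never reveals the
// private key. The type is this example's own, not an SAP API.
type Server struct{ priv *rsa.PrivateKey }

// NewServer generates the server key pair (2048 bit, as in the exercise).
func NewServer() (*Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv}, nil
}

// PublicKey is what the server sends to the client in step 2.
func (s *Server) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// ClientWrapSecret is steps 3 and 4 on the browser side: create a random 256-bit
// secret key and encrypt it with the server's public key (RSA-OAEP here).
func ClientWrapSecret(pub *rsa.PublicKey) (secret, wrapped []byte, err error) {
	secret = make([]byte, 32)
	if _, err = rand.Read(secret); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
	return secret, wrapped, err
}

// UnwrapSecret is step 5: only the matching private key recovers the secret.
func (s *Server) UnwrapSecret(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, wrapped, nil)
}

func newGCM(secret []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(secret) // a 32-byte secret selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts traffic with the shared secret (step 7); GCM also authenticates it.
func Seal(secret, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(secret)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce is prepended
}

// Open is the receiving side of step 7; a tampered ciphertext is rejected.
func Open(secret, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(secret)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

// RunHandshake walks through steps 2 to 7 for one request and returns the
// plaintext the server recovered, so the round trip can be checked.
func RunHandshake(server *Server, request string) (string, error) {
	clientSecret, wrapped, err := ClientWrapSecret(server.PublicKey())
	if err != nil {
		return "", err
	}
	serverSecret, err := server.UnwrapSecret(wrapped) // step 5
	if err != nil {
		return "", err
	}
	sealed, err := Seal(clientSecret, []byte(request)) // step 7, client side
	if err != nil {
		return "", err
	}
	plain, err := Open(serverSecret, sealed) // step 7, server side
	if err != nil {
		return "", err
	}
	return string(plain), nil
}
```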

Authentication and Digital Signatures
In the first part of this lesson we described a possible attack on the transport protocol and what can be done to secure this communication. But what happens if Mallory interferes with the communication and pretends to be Bob? He may even provide Alice with a public key, claiming that it is Bob's key. The question now is: how can we make sure that Alice is really communicating with Bob, and therefore that the public key she received is really Bob's public key?


Figure 68: Threat: Masquerading

The problem is also covered by cryptography and is called Authentication. Authentication normally takes place using the user ID and password. But with cryptographic mechanisms it is possible to authenticate communication partners, in the sense of verifying that the communication partner is the one she or he claims to be. The basis for the authentication of communication partners is Digital Certificates.

Figure 69: Protection: Authentication


Understanding Digital Certificates and Digital Signatures
The digital certificate is the individual's "digital identity card" on the Internet. Compared to the "real world", a digital certificate is like a passport, which contains information about owner, issuer, serial number, and validity period. The format of the certificate is specified by the X.509 standard for digital certificates.

Figure 70: Digital Certificates (X.509)

Besides some general information, the certificate also contains the public part of the key pair, whereas the private key is not included in the certificate. The private key must be kept in a safe place. The certificate is issued to a person or server by an authorized entity called a Certification Authority (CA). By digitally signing the certificate, the CA ensures that the public key, which matches a private key, belongs to a specific person or server. Thus, the CA ensures that the certificate cannot be "faked". The complete infrastructure that manages the issuing and verification of certificates is called the Public Key Infrastructure (PKI).


Figure 71: Certification Authority

Examples of well-known Certification Authorities:
• Verisign Inc.
• TC Trust Center

SAP also runs a CA that issues digital certificates to customers. Follow the Quick Link /tcs (Trust Center Services) on the SAP Service Marketplace.

Figure 72: Certificate Enrollment

The certification of digital certificates is performed, for example, as follows:
1. A public and private key pair is generated on the server.
2. The public key is sent to the CA (this is called a Certificate Signing Request, CSR for short).
3. The CA digitally signs the server's public key and sends it back to the requestor.
4. The CSR response, the digitally signed certificate, is imported into the server.


Different CAs use different policies on how to check the identity of a person or system before issuing a digital certificate. SAP's process for applying for a digitally signed certificate is as follows:

Figure 73: Certificate Order Process via SAP TCS

1. Create a CSR and send it to SAP via the SAP Service Marketplace.
2. Enter some additional data.
3. You receive a contract. Check the details entered before, print it out and sign it.
4. Fax the signed contract back to SAP.
5. SAP checks your data and has TC TrustCenter issue a certificate.

The server now sends the digitally signed certificate, which includes the public key, to the communication partner. This kind of authentication is called Server Authentication. But how can the communication partner ensure that the digitally signed certificate is signed by a trusted CA? The communication partner has to have a trust relationship to the CA that issued the certificate. Technically, this can be achieved by importing a digital certificate of the institution (CA) that issued the certificate for the server. This is the so-called root certificate. The most common root certificates are pre-installed in most Web browsers.


Figure 74: Trust Relationship

Securing HTTP communication using Secure Socket Layer (SSL)
In the previous sections you learned the fundamentals of Cryptography, Authentication and Digital Certificates. These technologies are also the foundation for securing HTTP communication. Secure Socket Layer (SSL) is a transparent protocol that enhances other protocols which have no security functionality of their own. SSL is not an HTTP-specific protocol but a protocol used between the TCP layer and application protocols like LDAP, SMTP, HTTP and so on. An HTTP application protocol that has been extended by SSL has the protocol identification HTTPS in the URL. SSL uses a Hybrid Encryption method and provides, besides data encryption, the following authentication mechanisms:
• Server authentication
• Client authentication
• Mutual Authentication

To use SSL for server authentication, the SAP NetWeaver AS Java possesses a private and public key pair.


Figure 75: SSL: Server authentication

1. Alice contacts the SAP NetWeaver Application Server Java using a browser.
2. The Application Server responds and sends its Public Key with a digitally signed message. On the client side, the server's identity is verified by checking the validity of the certificate. The certificate is only accepted if the client trusts the CA that issued that certificate to the SAP NetWeaver AS Java. This is done with the CA root certificate.
3. The Secret Key is created and encrypted with the Public Key the server sent before.
4. The client sends back the encrypted Secret Key.
5. On the server, the Secret Key is decrypted using the Private Key. Only the server can decrypt the received Secret Key, because it holds the Private Key that is necessary for the decryption.
6. The communication partners perform a handshake.
7. Further communication between the client and the server is encrypted using the Secret Key.
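Step 2 of the server authentication and the trust relationship from the previous section, as an added Go example that is not part of the course material: the program plays the CA (root certificate), the server (key pair and CSR-style issuance) and the browser, and shows that the client accepts the server certificate only when the issuing root is in its trust store, so a certificate for the same host name from an unknown CA is rejected. CA names, the host name and the validity periods are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newRootCA creates a self-signed CA certificate, the "root certificate" a
// client has to trust. Names and lifetimes here are constructed for the example.
func newRootCA(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert is the CA's part of enrollment (step 3 of the certification
// process): it signs the server's public key together with the server's name.
func issueServerCert(ca *x509.Certificate, caKey *rsa.PrivateKey, host string, pub *rsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host, Organization: []string{"SAP"}},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientVerify is step 2 on the browser side: accept the server certificate only
// if it chains to a trusted root, is valid now, and names the host connected to.
func clientVerify(serverCert *x509.Certificate, trustedRoots []*x509.Certificate, host string) error {
	pool := x509.NewCertPool() // an empty pool: nothing is trusted by default
	for _, root := range trustedRoots {
		pool.AddCert(root)
	}
	_, err := serverCert.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenario reports whether the client accepts the server in three cases: the
// genuine certificate with the root installed, the same certificate without the
// root (the error seen in Task 5), and a certificate for the same host from Mallory's own CA.
func Scenario(host string) (trusted, noRoot, masquerade bool, err error) {
	ca, caKey, err := newRootCA("Example Server CA")
	if err != nil {
		return
	}
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048) // step 1: server key pair
	if err != nil {
		return
	}
	serverCert, err := issueServerCert(ca, caKey, host, &serverKey.PublicKey)
	if err != nil {
		return
	}
	malloryCA, malloryKey, err := newRootCA("Mallory CA")
	if err != nil {
		return
	}
	malloryCert, err := issueServerCert(malloryCA, malloryKey, host, &malloryKey.PublicKey)
	if err != nil {
		return
	}
	roots := []*x509.Certificate{ca} // what the browser has installed
	trusted = clientVerify(serverCert, roots, host) == nil
	noRoot = clientVerify(serverCert, nil, host) == nil
	masquerade = clientVerify(malloryCert, roots, host) == nil
	return
}
```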

Setting up HTTP for SAP NetWeaver
Since the basis of SSL and therefore HTTPS is cryptography, SAP NetWeaver Application Server Java has to be enabled in order to support this feature. Cryptographic software is needed to support the different mathematical algorithms. As of Release 7.1x, the SAP Cryptographic Library is used as cryptographic software. Cryptographic software was subject to export and import restrictions. In AS Java systems 7.1x you have to download this software from SAP Service Marketplace; in AS Java systems 7.3 this software is already included. Read up on the conditions in your country. The SAP Cryptographic Library can be found on SAP Service Marketplace: http://service.sap.com/swdc Download → SAP Cryptographic Software

Figure 76: Roadmap for Configuring SSL

Using SSL with an Intermediary Server
You can also use SSL for connections where an intermediary server is used. An intermediary server may be a Web proxy or the SAP Web Dispatcher. A typical scenario is to place the intermediary server in the DMZ and the AS Java in the intranet zone. The servers that are supported for use with AS Java are:
• SAP Web Dispatcher
• Microsoft Internet Information Server (IIS) with an IIS proxy module from SAP
• Other products (for example, the Apache Web Server)


Figure 77: SSL with an Intermediary Server

Depending on the intermediary server used, options exist to use either an end-to-end SSL connection or to terminate the connection on the intermediary server and establish a new connection to the backend system (terminated SSL). See the figure below.

Outlook: Mutual Authentication
Besides the server authentication mechanism and the data encryption described in the above sections, SSL can also be used for mutual authentication. In the case of Mutual Authentication, both the user and the server prove their authenticity by providing a digitally signed certificate to the other communication partner. The important fact is that Alice also authenticates herself to the server. Therefore, you can use this authentication to integrate the SAP NetWeaver AS Java in a Single Sign-On environment.


Figure 78: Outlook: Mutual Authentication

Server authentication is performed using the same process as described within the SSL scenario. Let's focus on the client part of this authentication. Alice obtains a certificate, as shown in the figure:
• Alice creates a key pair and a certificate request
• Alice sends the request to a CA, such as the SAP CA
• Alice imports the certificate request response

The Web server must also trust Alice‘s issuing CA by importing its CA root certificate into its trusted CA store. When communicating with the server, both parties are authenticated and the data communication is encrypted.


Exercise 6: Setting up SSL

Exercise Objectives
After completing this exercise, you will be able to:
• Set up SSL for SAP NetWeaver 7.3

Business Example Your corporation wants to provide access to composite applications on the SAP NetWeaver 7.3 system for its business partners. Since sensitive data is transferred between the SAP system and the client (a Web browser for example), a secure connection should be established.

Task 1: Check the SAP Cryptographic Library files
Check the SAP Cryptographic Library files.
1. Log on at operating system level of your SAP system and check that the file sapcrypto.dll exists in all of the following directories of your SAP system: :\usr\sap\\\exe and :\usr\sap\\SYS\exe\uc\NTAMD64.

Task 2: Maintain ICM Parameters
Maintain the required ICM parameters.
1. Read up on the ports already used and the related parameters of the ICM. Use the Web interface of the ICM for this.

2. Maintain the ICM parameters to allow the protocols and ports specified in the table to be used. $$ stands for the instance number here. Make sure that you do not overwrite existing parameters when numbering the parameters.

Parameter | Protocol | Port
icm/server_port_4 | HTTPS | 5$$01
icm/server_port_5 | P4SEC | 5$$06
icm/server_port_6 | IIOPSEC | 5$$03

Hint: There is a help file on the training share from which you can insert the parameter values into the profile DEFAULT.PFL directly by copying.

3. Restart the ICM.

4. Read up on the ports now used and the related parameters of the ICM.

Task 3: Generate Key Pair, Have it Signed by the Certification Authority and Assign to all Instances
Generate a key pair for SSL using the ICM and have it signed by the Certification Authority.
1. Create a new key pair for SSL using the ICM in the SAP NetWeaver Administrator. Use the keystore view service_ssl to do so. Use the following values for the certificate, with corresponding to your group number. Do not change the other values.

Input Values for the new Key Pair

Input Field | Value
Entry Name | SSL
Key Length | 2048
countryName | for example DE or US
organizationName | SAP
organizationalUnitName | Education
commonName | 

2. Generate a certificate request for the key pair that you just created.
3. Send the certificate request to the Certification Authority and save the response to a file. You can use the test scenario of the SAP Trust Center Service for this course (http://service.sap.com/ssltest).
4. Import the certificate request response in the NWA.
5. Now import the certificate into the instance-specific views ICM_SSL_. Remove the existing entries for ssl-credentials and ssl-credentials-cert.
6. Export all views ICM_SSL_ to the PSE.

Task 4: Test SSL
Test the SSL communication.
1. Call the HTTPS-URL of your system.


Task 5: Install SAP Server CA Root Certificate in Web Browser
If you got an error during the test, you probably need to install the SAP Server CA root certificate in your web browser. This is necessary only once per server.
1. Download the SAP Server CA root certificate from SAP Service Marketplace Trust Center Services and install it in your web browser.
2. Do the test as described in task Test SSL above.


Solution 6: Setting up SSL

Task 1: Check the SAP Cryptographic Library files
Check the SAP Cryptographic Library files.
1. Log on at operating system level of your SAP system and check that the file sapcrypto.dll exists in all of the following directories of your SAP system: :\usr\sap\\\exe and :\usr\sap\\SYS\exe\uc\NTAMD64.
   a) If sapcrypto.dll is not available, copy the file from the training share Courses\ADM800_99\SSL\SAPCryptoLib.

Task 2: Maintain ICM Parameters
Maintain the required ICM parameters.
1. Read up on the ports already used and the related parameters of the ICM. Use the Web interface of the ICM for this.
   a) Open a Web browser and call the Web interface of the ICM using the URL http://:/sap/admin. Your instructor will give you the logon data.
   b) Go to Active Services on the left-hand side and note the active services and their ports.
   c) Go to Parameters on the left-hand side and note the parameters icm/server_port_ and their values there.
2. Maintain the ICM parameters to allow the protocols and ports specified in the table to be used. $$ stands for the instance number here. Make sure that you do not overwrite existing parameters when numbering the parameters.


Parameter | Protocol | Port
icm/server_port_4 | HTTPS | 5$$01
icm/server_port_5 | P4SEC | 5$$06
icm/server_port_6 | IIOPSEC | 5$$03

Hint: There is a help file on the training share from which you can insert the parameter values into the profile DEFAULT.PFL directly by copying.
   a) At operating system level of your SAP system, use a text editor to open the file :\usr\sap\\SYS\profile\DEFAULT.PFL.
   b) Enter the following additional lines at the end of the file:
      icm/server_port_4 = PROT=HTTPS,PORT=5$$01,VCLIENT=1
      icm/server_port_5 = PROT=P4SEC,PORT=5$$06,VCLIENT=1
      icm/server_port_6 = PROT=IIOPSEC,PORT=5$$03,VCLIENT=1

   c) Save the file.
3. Restart the ICM.
   a) Choose Monitor on the left-hand side in the Web interface of the ICM (see step 1 of this task also).
   b) Choose running → Shutdown Internet Communication Manager and then choose Yes.
   c) The ICM should then automatically restart shortly after.
4. Read up on the ports now used and the related parameters of the ICM.
   a) Go to Active Services on the left-hand side in the Web interface of the ICM and note the active services and their ports. The protocols and ports that you have just maintained should be listed and active there.
   b) Go to Parameters on the left-hand side and note there the new parameters icm/server_port_ that you maintained.
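An added check for Task 2, not part of the exercise solution: a Go parser for the icm/server_port_<n> lines of a profile that expands $$ to the instance number and reports a reused parameter index (which would overwrite an existing port instead of adding one) or a TCP port bound twice, before the ICM is restarted. The profile fragment is constructed from the port tables of this unit, and the type and function names are this example's own.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// ServerPort is one parsed icm/server_port_<n> parameter (this example's own type).
type ServerPort struct {
	Index int
	Prot  string
	Port  int
	Opts  map[string]string // further options on the line, such as VCLIENT
}

// ParseProfile extracts the icm/server_port_<n> lines from profile text and
// replaces $$ with the instance number, as the profile syntax defines it.
func ParseProfile(profile, instance string) ([]ServerPort, error) {
	var ports []ServerPort
	for i, raw := range strings.Split(profile, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		name, value, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		name = strings.TrimSpace(name)
		if !strings.HasPrefix(name, "icm/server_port_") {
			continue
		}
		idx, err := strconv.Atoi(strings.TrimPrefix(name, "icm/server_port_"))
		if err != nil {
			return nil, fmt.Errorf("line %d: %q has no numeric suffix", i+1, name)
		}
		sp := ServerPort{Index: idx, Opts: map[string]string{}}
		for _, kv := range strings.Split(value, ",") {
			k, v, _ := strings.Cut(kv, "=")
			k = strings.ToUpper(strings.TrimSpace(k))
			v = strings.ReplaceAll(strings.TrimSpace(v), "$$", instance)
			switch k {
			case "PROT":
				sp.Prot = strings.ToUpper(v)
			case "PORT":
				if sp.Port, err = strconv.Atoi(v); err != nil {
					return nil, fmt.Errorf("line %d: bad PORT %q", i+1, v)
				}
			default:
				sp.Opts[k] = v
			}
		}
		if sp.Prot == "" || sp.Port == 0 {
			return nil, fmt.Errorf("line %d: PROT and PORT are required", i+1)
		}
		ports = append(ports, sp)
	}
	return ports, nil
}

// CheckConflicts reports what to fix before restarting the ICM: a parameter
// index defined twice (the later line replaces the earlier one instead of
// adding a port) and a TCP port that two services would both try to bind.
func CheckConflicts(ports []ServerPort) []string {
	var problems []string
	seenIndex := map[int]ServerPort{}
	seenPort := map[int]ServerPort{}
	for _, p := range ports {
		if q, dup := seenIndex[p.Index]; dup {
			problems = append(problems, fmt.Sprintf(
				"icm/server_port_%d defined twice: %s/%d is replaced by %s/%d",
				p.Index, q.Prot, q.Port, p.Prot, p.Port))
		}
		seenIndex[p.Index] = p
		if q, dup := seenPort[p.Port]; dup && q.Index != p.Index {
			problems = append(problems, fmt.Sprintf(
				"port %d used by icm/server_port_%d (%s) and icm/server_port_%d (%s)",
				p.Port, q.Index, q.Prot, p.Index, p.Prot))
		}
		seenPort[p.Port] = p
	}
	sort.Strings(problems)
	return problems
}

// SampleProfile is a constructed DEFAULT.PFL fragment: the four standard ICM
// ports from the lesson plus the three SSL entries added in Task 2.
const SampleProfile = `# constructed sample, not a real profile
icm/server_port_0 = PROT=HTTP,PORT=5$$00
icm/server_port_1 = PROT=P4,PORT=5$$04
icm/server_port_2 = PROT=IIOP,PORT=5$$07
icm/server_port_3 = PROT=TELNET,PORT=5$$08
icm/server_port_4 = PROT=HTTPS,PORT=5$$01,VCLIENT=1
icm/server_port_5 = PROT=P4SEC,PORT=5$$06,VCLIENT=1
icm/server_port_6 = PROT=IIOPSEC,PORT=5$$03,VCLIENT=1
`
```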


Task 3: Generate Key Pair, Have it Signed by the Certification Authority and Assign to all Instances
Generate a key pair for SSL using the ICM and have it signed by the Certification Authority.
1. Create a new key pair for SSL using the ICM in the SAP NetWeaver Administrator. Use the keystore view service_ssl to do so. Use the following values for the certificate, with corresponding to your group number. Do not change the other values.

Input Values for the new Key Pair

Input Field | Value
Entry Name | SSL
Key Length | 2048
countryName | for example DE or US
organizationName | SAP
organizationalUnitName | Education
commonName | 

   a) Open the SAP NetWeaver Administrator (NWA) in the Web browser using the URL http://:/nwa. Your instructor will give you the logon data.
   b) Navigate to Configuration → Security → Certificates and Keys.
   c) Select the keystore view service_ssl in the tab page Content.
   d) Now choose Create and maintain the fields in accordance with the above table. Then choose Next. Maintain the other fields in accordance with the table, choose Next twice and then Finish.
2. Generate a certificate request for the key pair that you just created.
   a) Select the entry SSL and choose Generate CSR Request.
   b) Now choose Download (ensure that Base64 is selected) and then Save. Then choose Open Folder.
   c) Select the downloaded file and open it with Sappd by using the right mouse button. Select the displayed text (including the complete BEGIN and END line) and copy it to the clipboard (Ctrl+C).
   d) Choose Close.


3. Send the certificate request to the Certification Authority and save the response to a file. You can use the test scenario of the SAP Trust Center Service for this course (http://service.sap.com/ssltest).

a) Open a new Web browser window and call the URL http://service.sap.com/ssltest.

b) Choose Test it Now!.

c) Copy the text from the clipboard (see step 2 of this exercise) to the input screen.

d) Choose PKCS#7 certificate chain in the selection list and then Continue.

e) Copy the text to the clipboard (Ctrl+C).

f) Open a text editor and insert the text that you just copied. Save the text as a file with the ending .cert, for example response00.cert.

4. Import the certificate request response in the NWA.

a) Go to the NWA where you generated the CSR request and now choose Import CSR Response.

b) Choose Browse. Select the file that was just saved, for example response00.cert, and choose Open.

c) Choose Add followed by Import.

5. Now import the certificate into the instance-specific views ICM_SSL_. Remove the existing entries for ssl-credentials and ssl-credentials-cert.

a) Select the view ICM_SSL_.

b) Select the entry ssl-credentials, choose Delete and confirm with OK. Also remove the entry ssl-credentials-cert.

c) Choose Copy Entry.

d) Now select the view service_ssl in the selection list From View and the entry SSL in the selection list From Entry. Then choose Import.

e) Repeat the previous solution steps (a to d) for all other views ICM_SSL_.

6. Export all views ICM_SSL_ to the PSE.

a) Select the view ICM_SSL_.

b) Now choose Export View To PSE.
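Steps 2 c) and 3 f) above depend on copying PEM text completely (both marker lines, no truncated Base64). The following Python script is an added example, not part of the SAP course material, that checks such text before it is pasted into the CA form or saved as the .cert response: it verifies that a complete BEGIN/END pair with matching labels is present, that the body decodes as Base64, and that the decoded bytes form one complete DER SEQUENCE. The sample PEM bodies are constructed (they wrap tiny hand-built DER values rather than real certificates) and the helper names (check_pem, der_length_ok, pem_wrap) are the author's own.

```python
"""Sanity-check PEM text (a CSR from the NWA, or the CA's PKCS#7 response)
before it is pasted into the CA form or saved as response00.cert.

Added example for this lesson; not part of the SAP course material. The sample
PEM bodies are constructed (tiny hand-built DER values, not real certificates)
and the function names are the author's own.
"""
import base64
import binascii
import re

# PEM labels the lesson's steps produce: the request from the NWA, the CA's reply.
ACCEPTED_LABELS = {
    "request": {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"},
    "response": {"PKCS7", "CERTIFICATE"},
}
PEM_RE = re.compile(
    r"-----BEGIN (?P<begin>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)\r?\n"
    r"-----END (?P<end>[A-Z0-9 ]+)-----", re.DOTALL)


def der_length_ok(der):
    """True if `der` is exactly one DER SEQUENCE (tag 0x30) whose length field matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        length, header = first, 2
    else:                                  # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return len(der) == header + length


def check_pem(text, kind):
    """Return (ok, message) for text expected to be a `kind` ('request'/'response') PEM."""
    m = PEM_RE.search(text)
    if not m:
        return False, "no complete BEGIN/END block found (copy both marker lines)"
    if m.group("begin") != m.group("end"):
        return False, "BEGIN and END labels differ"
    if m.group("begin") not in ACCEPTED_LABELS[kind]:
        return False, f"unexpected label {m.group('begin')!r} for a {kind}"
    body = re.sub(r"\s+", "", m.group("body"))
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False, "body is not valid Base64 (was the text truncated?)"
    if not der_length_ok(der):
        return False, "decoded bytes are not one complete DER SEQUENCE"
    return True, f"{m.group('begin')}: {len(der)} DER bytes"


def pem_wrap(label, der):
    """Wrap DER bytes in PEM armour (used only to build the constructed samples)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


# Constructed samples: SEQUENCE { INTEGER 5 } stands in for a real CSR body.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_CSR = pem_wrap("CERTIFICATE REQUEST", SAMPLE_DER)
# Same text with the END line lost, as happens when only part of the file is selected.
TRUNCATED_CSR = SAMPLE_CSR.splitlines()[0] + "\n" + base64.b64encode(SAMPLE_DER).decode()

if __name__ == "__main__":
    print(check_pem(SAMPLE_CSR, "request"))
    print(check_pem(TRUNCATED_CSR, "request"))
    print(check_pem(pem_wrap("PKCS7", SAMPLE_DER), "response"))
```

The DER check is deliberately shallow: it confirms the copied bytes are whole, not that the request is well-formed PKCS#10; the CA and the NWA import perform that validation.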


Task 4: Test SSL

Test the SSL communication.

1. Call the HTTPS-URL of your system.

a) Open a new Web browser window and call the URL https://:. If the start page of the AS Java appears without an error message, then everything has been configured correctly and the root certificate of the Certification Authority is already installed in your Web browser.

Task 5: Install SAP Server CA Root Certificate in Web Browser

If you got an error during the test, you probably need to install the SAP Server CA root certificate in your web browser. This is necessary only once per server.

1. Download the SAP Server CA root certificate from SAP Service Marketplace Trust Center Services and install it in your web browser.

a) Open a new Web browser window and call the URL http://service.sap.com/ssltest.

b) Go to Download Area → Root Certificates. Click on SAP SSL Test Server CA Certificate and choose Save. Choose Open, Install Certificate and Next.

c) Skip this step if you are not working on the OS of the server twdfxxxx. Select Place all certificates in the following store and choose Browse .... Select Show physical stores and expand Trusted Root Certification Authorities. Select Local Computer here. Go ahead with Next, Finish, and OK.

2. Do the test like in task Test SSL described above.

a) Do the test like in task Test SSL described above.

Result

Congratulations! You have successfully configured SSL for all instances of your SAP NetWeaver system!


Lesson Summary

You should now be able to:
• Describe different encryption processes
• Point out the relationship between authentication and digital signatures
• Explain the server authentication mechanism used within SSL
• Set up SSL with the SAP NetWeaver Administrator


Unit Summary

You should now be able to:
• Explain why safeguarding the network communication is necessary
• Describe which technical components can be protected via secure network protocols
• Classify concepts of the Web Service Security
• Describe different encryption processes
• Point out the relationship between authentication and digital signatures
• Explain the server authentication mechanism used within SSL
• Set up SSL with the SAP NetWeaver Administrator


Unit 4: AS Java – User and Authorization Concept

Unit Overview

The structure and configuration of the User Management Engine (UME) and the use of the associated administration tools are explained in this unit. The standard actions in the user administration environment, such as creating users and creating and assigning authorizations and roles, are presented. The concluding lesson Logon Procedure of AS Java should complete your understanding of this topic.

Unit Objectives

After completing this unit, you will be able to:
• List the various UME data sources
• Determine the current data source assignment
• Explain the term UME data partitioning
• Identify and modify configuration parameters
• List and use the tools for administering users and groups
• Explain the terms UME role and JEE security role
• List the authorization administration tools
• Assign actions and JEE security roles to a UME role
• Assign authorizations to users and groups
• List a number of “special” principles
• Change the password of the standard administration user
• Activate the emergency user
• List the supported logon procedures of the AS Java
• Explain the functions of login modules
• Change the standard logon procedure of the AS Java
• Explain Kerberos logon (SPNego)
• Set up X.509 logon


Unit Contents

Lesson: Structure and Configuration of the User Management Engine (UME) ..... 195
Exercise 7: User Management Engine ..... 215
Lesson: User and Group Administration ..... 222
Exercise 8: User and Group Administration ..... 229
Lesson: The Java Authorization Concept ..... 235
Exercise 9: Create and Assign UME Roles and UME Groups ..... 243
Lesson: Special Principles ..... 253
Exercise 10: Default Principles and Emergency Users ..... 259
Lesson: Logon Procedure of the AS Java ..... 264
Exercise 11: Configuration of X.509 Client Authentication ..... 275


Lesson: Structure and Configuration of the User Management Engine (UME)

Lesson Overview

This lesson explains fundamental information about the User Management Engine.

Lesson Objectives

After completing this lesson, you will be able to:
• List the various UME data sources
• Determine the current data source assignment
• Explain the term UME data partitioning
• Identify and modify configuration parameters

Business Example

In your company, AS ABAP and AS Java-based systems are used. You want to ensure consistent user master data within a heterogeneous system landscape.

Basics

AS Java provides an open architecture supported by service providers for the storage of user and group data. The AS Java is supplied with the following service providers, which are also referred to as a “user store”:
• DBMS provider: storage in the system database
• UDDI provider: storage via external service providers (Universal Description, Discovery and Integration)
• UME provider: connection of the integrated User Management Engine

The DBMS and UDDI providers implement standards and therefore ensure that AS Java is EE-compliant. When AS Java is installed, SAP's own User Management Engine (UME) is always set up as the user store and is the correct choice for most SAP customers. The UME is the only way to flexibly set up and operate user and authorization concepts.


Some of the important features of the UME are:
• The UME has its own administration console for administering users. It allows the administrator to perform the routine tasks of user administration, such as creating users and groups, role assignment, and other actions.
• Security settings can be used to define password policies, such as minimum password length and the number of incorrect logon attempts before a user is locked.
• The UME provides different self-service scenarios that can be used by applications. For example, a user can change his or her data, or register as a new user. Newly-created users can be approved using a workflow.
• User data can be exchanged with other (AS Java or external) systems using an export/import mechanism.
• The UME logs important security events, such as a user's successful logons or incorrect logon attempts, and changes to user data, groups, and roles.

Figure 79: User Store and Data Sources

Architecture

The UME supports a variety of data sources where user data can be stored:
• System database
• Directory service (LDAP server)
• ABAP-based SAP system (as of SAP Web AS 6.20)

The illustration below shows the architecture of the UME:


Figure 80: Architecture of the UME

The UME is a Java application which runs on SAP NetWeaver AS Java and which covers the following functional areas:
• UME Core Layer: Provides persistence managers between the application programming interface and the user management data sources. These control where user data such as users, user accounts, groups, roles and their assignments are read from or written to, with the result that applications which use the API do not have to know where the user management data is stored.
• UME API Layer: This layer provides programming interfaces (APIs) not just for UME developers but also for customers and partners. This means that you can access the UME functions with the Java programs which you develop yourself.
• UME services: The UME provides the following services to higher-level software layers:
  – Log-on procedure and single sign-on (log-on to AS Java is taken over for other systems and vice versa)
  – Provisioning processes via user master data
  – Authorization Concept
• UME UI: The UME is responsible for the user interface which, in some log-on procedures, appears in the Web browser, as well as for the UME Administration Console.


The SAP NetWeaver usage types which are based on the AS Java (such as SAP NetWeaver Portal) are based on the UME and perform a number of specific functions on this basis (such as self-registration with approval workflow).

Data Partitioning

As described in the previous section, the UME persistence manager offers the option of storing user data in different data sources. The UME persistence manager also supports data partitioning. This means in practice that, for example, user data for different user types can be stored in different data sources.

Figure 81: Data Partitioning


In practice, you often work with a combination of the data sources database + directory service or database + ABAP user management. When this is done, certain user attributes are stored in a different data source, for example, or users are separated by their categories (internal or self-registered users).
• Attribute-based data partitioning: A user in the UME has certain attributes, some of which are classified as global attributes (user ID, telephone number, and so on) and others of which are application-specific. Global information would be particularly suited to being stored in a directory service, and application-specific information in the database.
• User-based data partitioning: With this type of partitioning, the data source in which users are stored is decided depending on the category of the user (self-registered or internal users). For example, users that register by self-service can be stored in the database, and internal users in the directory service.
• Type-based data partitioning: With type-based data partitioning, different object types can be distributed to different data sources. The types are, for example, users, groups, roles, user accounts. For example, users can be stored in the directory service, and roles in the database.

SAP delivers preconfigured data source combinations (more information will be provided in the next section), which you should only change in special cases. For example, if you are using a directory service as a data source, you may need to perform attribute mapping. You usually use the delivered preconfigured data source combinations without additional changes.

Configuring the Data Source(s)

This section deals with the configuration of the data source(s) stored in the AS Java database in the form of configuration files (in XML format). In most cases, the installation option is retained or the data sources are configured immediately after AS Java installation.


Supported Data Sources and Modification Options

Figure 82: Data Sources after Installation

The data source that is set up during AS Java installation depends on the selected SAP NetWeaver usage type:
• AS Java (without ABAP): Data source - system database (configuration file dataSourceConfiguration_database_only.xml)
• AS ABAP + Java: Data source - ABAP system (configuration file dataSourceConfiguration_abap.xml)

Modifying data sources after installation can result in inconsistencies. Restrictions therefore apply to the modification of UME data sources. The following figure explains the supported modification options.

Hint: Please make sure that you observe SAP Note 718383.


Figure 83: Supported Change Options

The following changes are supported:
• System database (dataSourceConfiguration_database_only.xml): You can switch to any required LDAP configuration file (dataSourceConfiguration_[ldap description]_db.xml) or an ABAP system (dataSourceConfiguration_abap.xml). In this case, you must make sure that the new data source does not contain any users and groups with the same unique attributes as the database (i.e. the new data source must not contain any users or groups with the same unique name or ID as the users or groups in the database).
• ABAP system (dataSourceConfiguration_abap.xml): No change is possible.
• Directory service (dataSourceConfiguration_[ldap description]_db.xml): If you have selected an LDAP directory as the user data source, you can modify the structure of the LDAP directory or switch to a different LDAP if this does not modify any unique user IDs.

Below, we present a complex system landscape with AS ABAP, AS Java and non-SAP systems:


Figure 84: Example of a Heterogeneous System Landscape

In this type of heterogeneous system landscape with SAP systems and non-SAP systems, it is useful to use a directory service as the primary storage location for user data. As you can see in the figure, the ABAP systems are administered with the central user administration (CUA). The CUA central system synchronizes user data with the directory service. In the case of the AS Java systems, the directory service is configured as the data source. Non-SAP systems also have access to user data through the directory service.


Figure 85: SAP NetWeaver Identity Management

In SAP NetWeaver Identity Management, SAP provides integrated, business process-driven Identity Management functions for a heterogeneous system landscape. SAP NetWeaver Identity Management uses a central identity store to consolidate and save data from various source systems (SAP HCM for example). This information is distributed to connected target systems. User accounts and role assignments for SAP and non-SAP applications are distributed. Role assignments can be automated using rule definitions. A very important function of SAP NetWeaver Identity Management is the option of making the authorization assignment workflow-controlled. The integration with HCM as one of the possible source systems for identity information is a key function for business process-driven Identity Management. For more information about SAP NetWeaver Identity Management, go to the SAP Developer Network (https://www.sdn.sap.com/irj/sdn/nw-identitymanagement).

Tools for UME Configuration

The next figure lists the tools with which you can display and change the UME configuration.

Note: See also SAP Note 948654 - Only use Global Settings for UME Properties.


Figure 86: Tools for UME Configuration (Viewing/Modifying)



• UME Administration Console: You can use the UME Administration Console running in the Web browser to modify selected settings without it being necessary to know the technical parameter names (path: http(s)://:/useradmin → Configuration).
  Hint: For many settings a restart is not necessary, and you are notified about the necessity of a restart after saving the properties.
  Hint: As of 7.20 there is an Expert Mode available in the configuration area, which gives you access to the maintenance of almost all UME properties.
• Configuration Tool (Configuration Editor mode): Only in Configuration Editor mode are you able to access all the UME settings (path: cluster_config → system → custom_global → cfg → services → com.sap.security.core.ume.service → Propertysheet properties).
• SAP NetWeaver Administrator, Java Configuration Browser: You can use the SAP NetWeaver Administrator running in the Web browser to view all the UME parameters (incl. tooltip with descriptive text) (Configuration → Infrastructure → Java Configuration Browser and then cluster_config → system → custom_global → cfg → services → com.sap.security.core.ume.service → properties).
  Note: In the SAP NetWeaver Administrator under Configuration → Infrastructure → Java System Properties → Overview, you can also view the UME parameters. Select a template or an instance there. Then select the service User Management Engine on the tab page Services. The UME parameters are now selected. Do not change any values here, but instead use the global change options!
• SAP NetWeaver Administrator, Authentication: As of SAP NetWeaver AS 7.11 some UME parameters regarding logon can be changed online in the SAP NetWeaver Administrator at Configuration → Security → Authentication and Single Sign-On → Properties.
• UME Configuration iView: If the usage type EP Core has been installed in your SAP NetWeaver system, you can use the portal interface to access an iView for UME configuration. This offers similar setting options to the UME Administration Console (portal path System Administration → System Configuration → UME Configuration).


Caution: Before you make any changes to the UME configuration, you should first back up the current configuration. You can do this using a function in the UME Administration Console (User Management Configuration → Support → Download Configuration ZIP File), which saves the current configuration data in a ZIP file. This file allows you to record and trace the changes. However, it is not intended to be re-imported into an AS Java.

Since many advanced settings can only be made in Configuration Editor mode, a description of the procedure is presented here:
1. Stop all the Java instances on your system.
2. Start the Configuration Tool.
3. Switch to Configuration Editor mode.
4. Switch to change mode.
5. Navigate to cluster_config → system → custom_global → cfg → services → com.sap.security.core.ume.service → Propertysheet properties and double-click.
6. Make the required changes (Apply Custom).
7. Start your system's Java instances.

By way of an example, the next figure shows how you can find out the currently active data source in Offline Configuration Editor mode.


Figure 87: Displaying the Active Data Source

Appendix: Attribute Mapping with Directory Services

As described above, the UME has various preconfigured configuration files in which attribute mapping for directory services can be configured. You can use the Config Tool to view and change these and to configure the attribute mapping. User data that is sent to a directory service must be appropriately stored in the directory service. Mapping of the attributes is usually necessary to do this. Since different directory services also use different schemas for storing data, you must define which SAP data fields correspond to which directory attributes. If you use the Java API of the user administration component to access user data in your LDAP directory service, you must map the attribute names in the schema of the company's LDAP directory service to the attribute names that are used in the Java API of the user administration component. This need not always be a one-to-one mapping, but rather one field can be mapped to multiple attributes. The attributes assigned to the fields must also exist in the directory. If not, you need to extend the schema in the directory. A mapping for the logical attributes of the Java API of the user administration to physical attributes that are used for the InetOrgPerson schema in the X.500 standard is delivered in the preconfigured UME XML files. If you use this standard without modifications, you do not need to change the attribute mapping data.


Figure 88: Appendix: Attribute Mapping 1/2

As shown in the figure, the data field FULLNAME (full name) is made up from the attributes givenName and sn (surname - last name). In the case of the telephone number, for example, the field in the database is telephone, while in the LDAP-compatible directory service the field is called telephoneNumber. As described in the previous section, you can use the Config Tool to display the actively used data source and the preconfigured data source combinations as an XML file. The attribute mapping is maintained in the XML configuration file for the data source. You can use a download mechanism in the Config Tool to write the XML configuration files to operating system level, change them there, and then upload them back into the system. You can find the overview of the XML configuration files in the Config Tool:


Figure 89: Appendix: XML Files

You can configure the attribute mapping in the relevant XML configuration file. For detailed information about the entire structure of the XML configuration file, see the SAP online documentation. For the attribute mapping, you only need to change the tag as shown in the figure.

Figure 90: Appendix: Attribute Mapping 2/2


UME Parameters

After you have selected and precisely configured a data source, there are many other parameters with which you can influence the behavior of the UME. The following figure provides an overview of the relevant areas:

Figure 91: Functions of the UME Parameters:

The following list presents a number of important, selected parameters:

Data source(s)
• ume.persistence.data_source_configuration: Name of the UME configuration file (depending on the data source, other parameters may be relevant for connecting the data source)


Security Policy
• ume.logon.security_policy.auto_unlock_time: Number of minutes after which a user locked because of invalid login attempts is unlocked again (if the value is 0 then the user remains locked)
• ume.logon.security_policy.lock_after_invalid_attempts: Number of invalid login attempts after which a user is locked (automatically set to 0 in an AS ABAP+Java)
• ume.logon.security_policy.password_special_char_required: Determines the minimum number of special characters that the password must contain
• ume.logon.security_policy.password_alpha_numeric_required: Specifies the minimum number of numeric and alphabetical characters that the password must contain (if the number is 3 then the password must contain at least 3 numbers and 3 letters)
• ume.logon.security_policy.password_expire_days: Number of days before the password expires
• ume.logon.security_policy.password_max_length or ume.logon.security_policy.password_min_length: Maximum or minimum length of the password
• ume.logon.security_policy.useridmaxlength or ume.logon.security_policy.useridminlength: Maximum or minimum length of the user ID

There are different security policy profiles, e.g. Default and Technical User. The properties of the profile Technical User are hard-coded and cannot be changed. The properties can be viewed in useradmin → Configuration → Security Policy by selecting the profile. Changes to the properties of the Default security policy profile affect the properties mentioned above and vice versa. You can create your own security policy profiles in which you maintain property settings that differ from the Default security policy profile. These settings can only be viewed and maintained in this “simple” mode and are not accessible via Expert Mode or the Configuration Editor mode of the Config Tool. In the UME Administration Console you can maintain users and assign them a security policy profile, so you can have users with different values of the security policy properties. By default, the Default security policy profile is assigned.
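The following Python model is an added example for this section, not SAP code, and it does not call the UME. It shows how the security policy parameters listed above interact: the password checks (including the reading of password_alpha_numeric_required as "at least N letters and at least N digits") and the lock/auto-unlock behaviour driven by lock_after_invalid_attempts and auto_unlock_time, with the edge cases of 0 for both. The policy values, the user names and the helper names (check_password, LogonGuard) are constructed for the example.

```python
"""Model of the UME security policy parameters listed above: password checks and
the lock/auto-unlock behaviour of invalid logon attempts.

Added example for this lesson; it is not SAP code and does not call the UME.
The policy values and user names are constructed; the helper names
(check_password, LogonGuard) are the author's own.
"""
import string

P = "ume.logon.security_policy."

# Constructed policy, keyed by the UME parameter names from the lesson.
DEFAULT_POLICY = {
    P + "password_min_length": 8,
    P + "password_max_length": 14,
    P + "password_special_char_required": 1,
    P + "password_alpha_numeric_required": 2,
    P + "lock_after_invalid_attempts": 3,
    P + "auto_unlock_time": 30,        # minutes; 0 = user stays locked
}


def check_password(password, policy=DEFAULT_POLICY):
    """Return the list of violated parameter names (empty list = password accepted)."""
    letters = sum(c.isalpha() for c in password)
    digits = sum(c.isdigit() for c in password)
    specials = sum(c in string.punctuation for c in password)
    alnum_needed = policy[P + "password_alpha_numeric_required"]
    violations = []
    if len(password) < policy[P + "password_min_length"]:
        violations.append(P + "password_min_length")
    if len(password) > policy[P + "password_max_length"]:
        violations.append(P + "password_max_length")
    if specials < policy[P + "password_special_char_required"]:
        violations.append(P + "password_special_char_required")
    # alpha_numeric_required = N means at least N letters AND at least N digits.
    if letters < alnum_needed or digits < alnum_needed:
        violations.append(P + "password_alpha_numeric_required")
    return violations


class LogonGuard:
    """Counts invalid logon attempts per user and applies lock_after_invalid_attempts
    and auto_unlock_time. Time is passed in as minutes so the logic is testable."""

    def __init__(self, policy=DEFAULT_POLICY):
        self.max_attempts = policy[P + "lock_after_invalid_attempts"]
        self.unlock_after = policy[P + "auto_unlock_time"]
        self.failures = {}      # user -> consecutive invalid attempts
        self.locked_at = {}     # user -> minute at which the lock was set

    def is_locked(self, user, now_min):
        """A lock expires after auto_unlock_time minutes unless that value is 0."""
        if user not in self.locked_at:
            return False
        if self.unlock_after and now_min - self.locked_at[user] >= self.unlock_after:
            self.locked_at.pop(user)
            self.failures.pop(user, None)
            return False
        return True

    def record_attempt(self, user, success, now_min):
        """Register one logon attempt; returns True if the user is locked afterwards."""
        if self.is_locked(user, now_min):
            return True                 # attempt rejected, lock unchanged
        if success:
            self.failures.pop(user, None)
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        # 0 disables locking in this model (the page notes the value is 0 in an AS ABAP+Java,
        # where the ABAP user management handles the lock instead).
        if self.max_attempts and self.failures[user] >= self.max_attempts:
            self.locked_at[user] = now_min
            return True
        return False


if __name__ == "__main__":
    print(check_password("abcdefgh"))
    guard = LogonGuard()
    for minute in range(3):
        print(minute, guard.record_attempt("alice", False, minute))
    print("locked at 10:", guard.is_locked("alice", 10), "at 32:", guard.is_locked("alice", 32))
```

A lock that never expires (auto_unlock_time = 0) has to be cleared by an administrator in the UME Administration Console, which is the situation the e-mail notification parameters in the next section cover.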


E-mail Notification

The UME can be configured in such a way that in certain situations (e.g. after locking a user), e-mails are sent via an external SMTP server. For this to be possible, of course, valid e-mail addresses must be stored in the user master records.
• ume.notification.mail_host: Name of the SMTP server for e-mail notification
• ume.notification.create_performed or ume.notification.delete_performed: An e-mail is sent to the user as soon as the user is created or deleted by the administrator
• ume.notification.create_approval or ume.notification.create_denied: An e-mail is sent to the user as soon as the administrator approves or rejects the creation of a user account
• ume.notification.lock_performed or ume.notification.unlock_performed: An e-mail is sent to the user when the administrator locks or unlocks the user
• ume.notification.pswd_reset_request: An e-mail is sent from the user to the administrator when the password is to be reset
• ume.notification.unlock_request: An e-mail is sent from the user to the administrator when the account is to be unlocked
• ume.notification.system_email: The sender's e-mail address that is sent with a dummy name (the address does not have to exist)

Logging On and Off
• ume.logon.branding_image: Path to the image displayed in the logon screen
• ume.logoff.redirect.url: Address that is called following logoff (only for the SAP NetWeaver portal)

SAP Logon Ticket
• login.ticket_lifetime: Lifetime of the SAP Logon Ticket (Format :)
• login.ticket_client: Dummy “client” written to the SAP Logon Ticket (default 000; in the case of AS ABAP+Java it must be set to a client (value) which is not used in the ABAP system)
• ume.logon.security.relax_domain.level: Number of subdomains to be removed (a value of 2 means that the SAP Logon Tickets issued by a system on the host twdf1234.wdf.sap.corp are sent to servers in the domain sap.corp)


Groups
• ume.supergroups.anonymous_group.displayname: ID of the group of anonymous users (default Anonymous Users)
• ume.supergroups.authenticated_group.displayname: ID of the group of logged on users (default Authenticated Users)
• ume.supergroups.everyone.displayname: ID of the group of all users (default Everyone)
• ume.virtual_groups.names: IDs of virtual groups (formed on the basis of certain user properties)

Administration
• ume.admin.addattrs: Makes it possible to add customer-specific attributes to the user master record
• ume.admin.search_maxhits: Maximum number of search hits displayed in the Administration Console (default 1000)
• ume.admin.search_maxhits_warninglevel: Number of hits as of which a warning is issued in the Administration Console (default 200)
• ume.admin.wd.url.help: URL to the online documentation (may, for example, point to the customer's local help system)
• ume.admin.wd.table.size.: Specifies the number of rows for output in the Administration Console (for , there are small, medium and large)


Unit 4: AS Java – User and Authorization Concept


Exercise 7: User Management Engine
Exercise Objectives
After completing this exercise, you will be able to:
• Save UME configuration data
• Determine the current data source
• Modify UME parameters

Business Example Your company uses SAP NetWeaver Application Server Java. You want to know which Data Source Configuration has been activated on this system.

Task 1: Configuration Data
Save and evaluate the current configuration data.
1. If you have not already done so, log on to your SAP system at operating system level.
2. Check the active Data Source configuration for your SAP Portal System with the ume-console.
3. Optional: Check the active Data Source configuration and find the LDAP xml files using ConfigTool.
   Hint: If the system cannot be used because of a wrong data source configuration, you need a tool to change the data source configuration.

Task 2: Save the current configuration data of UME and evaluate it
1. Save the current UME configuration in a file on your SAP Server using the UME Administration console.
2. Using the ZIP file you have just saved, answer the following questions:
   – What data source is currently active?
   – After how many days does the user password expire?
   – What is the maximum length of a password?


Result You have saved the current status of the UME configuration in a ZIP file and evaluated it.

Task 3: Change a UME parameter
1. Use the UME Administration Console to change the threshold value for warnings in the case of extensive search results to 240.
2. Use the Expert Mode in the UME Administration Console to change the same value to 250.


Solution 7: User Management Engine
Task 1: Configuration Data
Save and evaluate the current configuration data.
1. If you have not already done so, log on to your SAP system at operating system level.
   a) See the task description.
2. Check the active Data Source configuration for your SAP Portal System with the ume-console.
   a) Start a Web browser.
   b) Enter the URL http://.wdf.sap.corp:500/useradmin (for example: http://twdf1234.wdf.sap.corp:50000/useradmin).
   c) Log on with your system user -.
   d) Press the button Configuration.
   e) Choose the tab Data Sources.
   f) Which DataSource has been configured for your SAP system? Write this information down: ________________________________

3. Optional: Check the active Data Source configuration and find the LDAP xml files using ConfigTool.
   Hint: If the system cannot be used because of a wrong data source configuration, you need a tool to change the data source configuration.
   a) Start the Config Tool at operating system level of your SAP system and confirm the connection settings with Yes.
   b) Press the button (within the top menu of the Config Tool): Switch to configuration editor mode.
   c) Navigate to cluster_config → system → custom_global → cfg → services → com.sap.security.core.ume.service (at the end of the list).
   d) Double-click the entry Propertysheet Properties.
   e) Search for the entry ume.persistence.data_source_configuration.
      Hint: The entry should be the same one you noted in the previous task.
   f) Close the window Display Configuration with Ok.
   g) Open the folder persistent under the entry com.sap.security.core.ume.service.
   h) Here you see all data source configuration files.
      Hint: If you are using an LDAP directory, you can configure the attribute mapping in the relevant XML configuration file, for example DataSourceConfiguration_ads*.xml.


Task 2: Save the current configuration data of UME and evaluate it
1. Save the current UME configuration in a file on your SAP Server using the UME Administration console.
   a) Start a Web browser.
   b) Enter the URL http://.wdf.sap.corp:500/useradmin (for example: http://twdf1234.wdf.sap.corp:50000/useradmin).
   c) Log on with your system user -.
   d) Press the button Configuration.
   e) Go to the view Configuration → Support.
   f) Choose the link Download Configuration Zip File.
   g) Choose Save and specify a path on your host.
2. Using the ZIP file you have just saved, answer the following questions:
   – What data source is currently active?
   – After how many days does the user password expire?
   – What is the maximum length of a password?
   a) In the Windows Explorer, double-click to open the ZIP file which you saved previously.
   b) Double-click to open the file it contains: sapum-global.properties. Choose Notepad to view the document if you are asked.
   c) You can use the following UME parameters to answer the questions:
      • ume.persistence.data_source_configuration: Displays the current data source and should be set to dataSourceConfiguration_database_only.xml
      • ume.logon.security_policy.password_expire_days: Displays the validity period of passwords in days.
      • ume.logon.security_policy.password_max_length: Displays the maximum length of a password.
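As an added example (not part of the course material), the following Python script reads sapum-global.properties out of the downloaded configuration ZIP and answers the three questions of this task; the ZIP and its property values are constructed here, and the ticket_domain helper applies the rule stated above for ume.logon.security.relax_domain.level.

```python
import io
import re
import zipfile

# Constructed sample of a sapum-global.properties file (made-up values; the
# real file is the one inside the ZIP downloaded via Configuration -> Support).
SAMPLE_PROPERTIES = """\
# sapum-global.properties (constructed sample)
ume.persistence.data_source_configuration=dataSourceConfiguration_database_only.xml
ume.logon.security_policy.password_expire_days=90
ume.logon.security_policy.password_max_length=14
ume.admin.search_maxhits=1000
ume.admin.search_maxhits_warninglevel=200
ume.logon.security.relax_domain.level=2
"""

# Java .properties line: key, optional '=' or ':' separator, value.
_PROP_RE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Parse Java .properties text into a dict.

    Skips '#'/'!' comment lines, accepts '=' or ':' as separator and joins
    backslash continuation lines; a repeated key overwrites the earlier value.
    """
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        match = _PROP_RE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def build_config_zip(properties_text):
    """Build an in-memory ZIP shaped like the downloaded configuration ZIP (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sapum-global.properties", properties_text)
    return buf.getvalue()


def read_ume_properties(zip_bytes):
    """Pull sapum-global.properties out of the configuration ZIP and parse it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return parse_properties(zf.read("sapum-global.properties").decode("utf-8"))


def answer_exercise(props):
    """The three answers Task 2 asks for, read from the parsed properties."""
    return {
        "data_source": props.get("ume.persistence.data_source_configuration"),
        "password_expire_days": int(props["ume.logon.security_policy.password_expire_days"]),
        "password_max_length": int(props["ume.logon.security_policy.password_max_length"]),
    }


def ticket_domain(host, relax_level):
    """Domain written into SAP Logon Tickets issued by `host`, following the
    rule given for ume.logon.security.relax_domain.level in the parameter list:
    strip `relax_level` leading labels (level 2 on twdf1234.wdf.sap.corp -> sap.corp)."""
    labels = host.split(".")
    if relax_level < 0 or relax_level >= len(labels) - 1:
        raise ValueError("relax level would leave no usable domain")
    return ".".join(labels[relax_level:])


if __name__ == "__main__":
    props = read_ume_properties(build_config_zip(SAMPLE_PROPERTIES))
    for key, value in answer_exercise(props).items():
        print(f"{key}: {value}")
    level = int(props["ume.logon.security.relax_domain.level"])
    print("ticket domain:", ticket_domain("twdf1234.wdf.sap.corp", level))
```

On a real system, pass the bytes of the downloaded ZIP to read_ume_properties instead of the constructed one.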

Result You have saved the current status of the UME configuration in a ZIP file and evaluated it.


Task 3: Change a UME parameter
1. Use the UME Administration Console to change the threshold value for warnings in the case of extensive search results to 240.
   a) In the UME Administration Console, go to the view Configuration → User Admin UI.
   b) Switch to edit mode by choosing Modify Configuration.
   c) Under Warning Threshold for Large Search Results enter 240.
   d) Choose Save All Changes.
   e) You should receive the following message: Configuration saved. All changes are already in effect. There is no need to restart the server nodes.
2. Use the Expert Mode in the UME Administration Console to change the same value to 250.
   a) Press the button Open Expert Mode.
   b) Enter the following in the filter field (below the field Key): ume.admin.search.
      Hint: Do not use the * at the end.
   c) Press Enter.
   d) Press Modify.
   e) In the line ume.admin.search_maxhits_warninglevel enter 250 in the value field.
   f) Press Save.
   g) You should receive the following message: Configuration saved. All changes are already in effect. There is no need to restart the server nodes.
   h) Press the button Close Expert Mode.


Lesson Summary
You should now be able to:
• List the various UME data sources
• Determine the current data source assignment
• Explain the term UME data partitioning
• Identify and modify configuration parameters

Related Information
• Online documentation for SAP NetWeaver 7.3x, path SAP NetWeaver Library: Function-Oriented View → Security → Identity Management → User Management of the Application Server Java → User Management Engine
• SAP Note 718383: Supported Data Sources and Modification Options
• SAP Note 948654: Only use Global Settings for UME Properties


Lesson: User and Group Administration
Lesson Overview
This lesson presents the tools for the administration of users and groups.

Lesson Objectives
After completing this lesson, you will be able to:
• List and use the tools for administering users and groups

Business Example You are using AS Java and use a Java application there. To log on to this application, you require a valid user. This must usually first be created. It is also possible to combine multiple users into groups, such as all buyers. Roles (authorizations) are then assigned to the users or groups. Different tools are used, depending on the active data source of the UME.

The Link between Users, Groups and Roles
In the UME environment, the term principal designates the following central “objects”:

Principals in the UME Environment:
• User: General properties of a user (such as name, e-mail, telephone number etc.)
• User account: Logon-related properties of a user (such as password, validity, lock indicator and so on)
• Group: Set of users and/or groups
• Role: Set of (Java) authorizations

For historical reasons, users and user accounts are different principals which are typically associated. When the term user is employed below, then, more precisely, it is the associated principals user and user account that are intended.
Note: Depending on the SAP NetWeaver usage type, the principals have an additional meaning (thus in an SAP NetWeaver portal there are portal roles that are also handled in the same way as a UME principal).
The following figure shows how you can assign principals.


Figure 92: Assigning Principals

Users are usually assigned to groups, to which roles are then assigned. However, it is also possible to assign roles to users directly. The principal group supports hierarchies of groups: a group may possess higher-level and lower-level groups. Users actually possess the roles which
• are directly assigned to them
• are assigned to the groups to which they belong
• are assigned to the higher-level groups of the groups to which they belong

When performing a search in the UME Administration Console, you must always check the field Search Recursively if you want to see indirectly assigned principals.
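As an added example (not from the course material), the following Python code resolves the roles a user effectively possesses through the three paths listed above, with the recursive flag mirroring the Search Recursively check box; the users, groups, parent groups and roles are constructed sample data, not an export from a real UME.

```python
from collections import deque

# Constructed sample UME assignments (not taken from a real system).
# Group hierarchy: Buyers_EMEA -> Buyers -> Everyone (arrow = higher-level group).
USER_ROLES = {"smith": {"Purchase_Viewer"}, "jones": set()}
USER_GROUPS = {"smith": {"Buyers_EMEA"}, "jones": {"Buyers"}}
GROUP_PARENTS = {"Buyers_EMEA": {"Buyers"}, "Buyers": {"Everyone"}, "Everyone": set()}
GROUP_ROLES = {
    "Buyers_EMEA": {"Create_Order"},
    "Buyers": {"Approve_Order"},
    "Everyone": {"Standard_User"},
}


def ancestor_groups(groups, group_parents):
    """All groups reachable upwards from `groups`, the groups themselves included.

    Breadth-first with a visited set, so a cyclic hierarchy cannot loop forever.
    """
    seen = set()
    queue = deque(groups)
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(group_parents.get(group, ()))
    return seen


def effective_roles(user, user_roles, user_groups, group_parents, group_roles, recursive=True):
    """Roles a user actually possesses: direct roles, roles of the user's own groups
    and, with recursive=True (the Search Recursively view), roles of all higher-level groups."""
    roles = set(user_roles.get(user, ()))
    groups = set(user_groups.get(user, ()))
    if recursive:
        groups = ancestor_groups(groups, group_parents)
    for group in groups:
        roles |= set(group_roles.get(group, ()))
    return roles


def users_with_role(role, user_roles, user_groups, group_parents, group_roles):
    """Reverse lookup for an authorization review: every user who effectively holds `role`."""
    users = set(user_roles) | set(user_groups)
    return sorted(
        u for u in users
        if role in effective_roles(u, user_roles, user_groups, group_parents, group_roles)
    )


if __name__ == "__main__":
    for user in sorted(set(USER_ROLES) | set(USER_GROUPS)):
        direct = effective_roles(user, USER_ROLES, USER_GROUPS, GROUP_PARENTS, GROUP_ROLES, recursive=False)
        full = effective_roles(user, USER_ROLES, USER_GROUPS, GROUP_PARENTS, GROUP_ROLES)
        print(f"{user}: direct view {sorted(direct)}, recursive view {sorted(full)}")
    print("Approve_Order holders:",
          users_with_role("Approve_Order", USER_ROLES, USER_GROUPS, GROUP_PARENTS, GROUP_ROLES))
```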

Special Features of the ABAP System Data Source
If you use a client of an ABAP system (and consequently the configuration file dataSourceConfiguration_abap.xml) as the data source, then the UME behaves as follows:
• The ABAP users are visible in AS Java and can log onto AS Java with their ABAP passwords.
• The ABAP roles are depicted in AS Java as UME groups of the same name.
• In AS Java, the assignment of ABAP users to ABAP (composite) roles appears as the assignment of UME users to UME groups.


Figure 93: Special Features of the ABAP System Data Source

The reason for this group administration concept is the shared authorization administration for applications that have both ABAP and Java components. Applications such as PI, for example, possess both ABAP and Java components. The ABAP authorizations are mapped with PFCG roles. The JEE authorizations are mapped with UME roles. Without further measures, a user would have to be assigned a PFCG role in the ABAP system and, separately, a UME role on the Java side for the user to have both ABAP and Java authorizations. To avoid this double maintenance, the PFCG roles are visible as groups in the UME. The PFCG role (a group) can be assigned a UME role in the UME. If a user is assigned the PFCG role in the ABAP system, he or she automatically also receives the authorizations from the UME role. Assigning authorizations therefore becomes simpler.


The connection between the UME in an AS Java and user management in an AS ABAP is established via the Java Connector (JCo). To this end, a communication user existing in ABAP is stored as a UME parameter (this usually has SAPJSF in its name). This communication user's ABAP authorization determines whether it is possible to modify ABAP user master records using UME resources.
• The role SAP_BC_JSF_COMMUNICATION_RO gives the UME read access to the user data in the AS ABAP.
• The role SAP_BC_JSF_COMMUNICATION gives the UME write access to the user data in the AS ABAP.
Hint: Even if the communication user gets write access to the user data in the AS ABAP, assigning users to PFCG roles in the UME is not possible.
Note: If an ABAP system is used as the data source, then certain restrictions apply. These are listed in the online documentation.

When configuring the “ABAP” data source, the ABAP user groups appear as Companies in the UME; this was introduced with Release 7.10. The assignment of the user group for authorization check in the user master record of the user in AS ABAP (transaction SU01) is represented in the UME as an assignment to the company. The delegated user administration can then be used immediately after the installation in the AS Java also. For more information about companies and the delegated user administration of the AS Java, go to the online documentation for SAP NetWeaver 7.3x, path SAP NetWeaver Library: Function-Oriented View → Security → Identity Management → User Management of the Application Server Java → Configuring User Management → Configuring Delegated User Administration Using Companies.

Administration Tools The figures in this section explain the tools which you, as administrator, use to maintain users and groups.


Figure 94: UME Administration Console

The most important tool for a user administrator in an AS Java system is the UME Administration Console. This functions independently of the configured data source and is implemented as an application running in a Web browser (based on Web Dynpro Java). You start the user-friendly Administration Console
• via the URL http(s)://.:/useradmin
• via the SAP NetWeaver Administrator (URL .../nwa) via the path Configuration → Security → Identity Management
• in a portal via the path User Administration → Identity Management.
Hint: The function scope available in the Administration Console depends on the current user's Java authorizations. For more information, see the lesson “The Java Authorization Concept”.


Figure 95: ABAP User Administration

If you have used the UME configuration file dataSourceConfiguration_abap.xml to connect an ABAP system client, then the usual AS ABAP tools (such as transaction SU01) are available for user administration.

User Types
In the same way as AS ABAP, the UME distinguishes between different user types (also called Security Policy Profiles), which are listed in the following table:

UME User Types/Security Policies
User Type/Security Policy | Logon to AS Java | Password Change Forced | Mapped ABAP user types (with ABAP system as data source)
Default | possible | yes | Dialog
Technical users | possible | no | System
Internal service user | not possible | – | –
Unknown | depends on AS ABAP user type | depends on AS ABAP user type | Communication, Service and Reference
“Self created” | possible | yes | –


You specify the user type when you create a user via the UME Administration Console (you may not create the type Unknown). In the case of existing users, subsequent changes to the user type are only possible with restrictions.
Note: The last column in the table is only relevant if you are operating a UME with an ABAP system as the data source. Changes to the user type of an ABAP user are mapped to the corresponding UME user master record (and vice versa if the UME has write access to the ABAP system).
Hint: You can define your own user types (also called Security Policy Profiles) in the UME configuration to provide your own set of password rules. For example, you could create a user type with very strong password rules for your super users or emergency users.

Log and Trace Files
The following log and trace information is particularly relevant in the UME environment:
• Security Log: File \usr\sap\\\j2ee\cluster\server\log\system\security_.log
• Security Audit Log: File \usr\sap\\\j2ee\cluster\server\log\system\security_audit_.log
• Trace Files: File \usr\sap\\\j2ee\cluster\server\log\defaultTrace_.trc
• Directory Server Logs: If you use a directory server as data source, you can monitor the LDAP server accesses and connection pooling.

The Security Audit Log allows you to trace changes to principals (e.g. modifications to users or created roles). The events that are logged depend on the configured severity. The online documentation for SAP NetWeaver 7.3 describes the severity associated with each event (path SAP NetWeaver Library: Function-Oriented View → Security → Identity Management → User Management of the Application Server Java → Troubleshooting → Logging and Tracing).


Exercise 8: User and Group Administration
Exercise Objectives
After completing this exercise, you will be able to:
• Administer users and groups in the AS Java

Business Example You are using AS Java and are responsible for user administration. New users should have access to selected applications.

Task 1: User Maintenance
Copy and modify a user using the UME Administration Console.
1. Log on to the UME administration console with your user.

Task 2: Optional: Group and Role Assignment
Check the groups and roles assigned to your user.
1. Check the language as well as the group and role assignments of your user.
2. Copy your user to a user COPY-## (## corresponds to your group number).

Task 3: User Creation
Create a new user with the UME administration console.
1. Create a new user NEW-## (## corresponds to your group number).

Result You can manage users in the UME Administration Console.


Solution 8: User and Group Administration
Task 1: User Maintenance
Copy and modify a user using the UME Administration Console.
1. Log on to the UME administration console with your user.
   a) Start a Web browser.
   b) Enter the URL http://.wdf.sap.corp:500/useradmin (for example http://twdf1234.wdf.sap.corp:50000/useradmin).
      Note: Alternatively, you can call the UME Administration Console via the NWA.
   c) Log on with your system user -.


Task 2: Optional: Group and Role Assignment
Check the groups and roles assigned to your user.
1. Check the language as well as the group and role assignments of your user.
   a) Press the button Identity Management.
   b) In the field Search Criteria select User.
   c) In the next free field enter your user name.
   d) Press Go.
   e) Select the line of your user.
   f) In the section Details of user... press Modify.
   g) Select the tab General Information (default).
   h) Check the field Language.
      Hint: If no language is entered, the language configured in the browser is used. If the language is not correct, you can enter your language in this field.
   i) Press Save.
   j) Change to the tab Assigned Groups.
   k) Write down all groups that are assigned to this user: __________________________________________
   l) Change to the tab Assigned Roles.
   m) Select the check box in front of the field Search Recursively.
   n) Press Go.
      Hint: Here you see all roles the user receives because of the groups he or she is linked to.

2. Copy your user to a user COPY-## (## corresponds to your group number).
   a) In the area Search select the line with your user name and press Copy to new user.
   b) In the section General Information enter the following:
      Logon ID: COPY-##
      Define Password:
      Confirm Password:
      Last Name: COPY-##
   c) Press Save.
   d) Change to the tab Assigned Groups.
   e) The groups should be the same as those of the original user -.


Task 3: User Creation
Create a new user with the UME administration console.
1. Create a new user NEW-## (## corresponds to your group number).
   a) In the area Search press Create User.
   b) In the section General Information enter the following:
      Logon ID: NEW-##
      Define Password:
      Confirm Password:
      Last Name: NEW-##
   c) Press Save.
   d) Change to the tab Assigned Groups.
   e) Write down all groups that are assigned to this user: ____________________________________
   f) Change to the tab Assigned Roles.
   g) Select the check box in front of the field Search Recursively.
   h) Press Go.
      Hint: Here you see all roles the user receives because of the groups he or she is linked to.

Result You can manage users in the UME Administration Console.


Lesson Summary
You should now be able to:
• List and use the tools for administering users and groups

Related Information
• Online documentation for SAP NetWeaver 7.3x, path SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 Including Enhancement Package 1 → Application Help → Function-Oriented View → Security → Identity Management → User Management of the Application Server Java → User Management Engine


Lesson: The Java Authorization Concept
Lesson Overview
To access an application, authentication is usually required. Not all users perform the same actions. Authorizations control which functions are permitted for a user. These authorizations must be assigned to a user.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain the terms UME role and JEE security role
• List the authorization administration tools
• Assign actions and JEE security roles to a UME role
• Assign authorizations to users and groups

Business Example SAP systems perform authorization checks within the SAP NetWeaver platform with a role-based approach. This means that you assign authorizations to users or groups with this specific system on the basis of the tasks that are to be performed.

Users and Authorizations in SAP NetWeaver AS Java
You can use authorizations to control which users can access a Java application and which actions are permitted for a user. Authorizations are combined into roles and then assigned to a user or a user group by an administrator. The UME administration console (also integrated in the SAP NetWeaver Administrator) is used to assign authorizations. Authorization checks are built into a Java application; they can serve different objectives, which are distinguished below.


Figure 96: Authorization Concept in the AS Java

Protecting access to an application is done by checking whether the appropriate JEE security role is assigned to the requesting user. If the user does not have the required security role, an error message is displayed and access is denied. When protecting access to individual activities, the user already has access to the application; when a specific activity is requested, for example Delete, the system checks whether the required JEE security role or UME permission is assigned (by means of a UME action and a UME role). Furthermore, you have the option of managing the protection of access to object instances (to folders or documents, for example) using an Access Control List (ACL). With all the types of authorization check specified, the developer needs to define the authorization query in the application. The developer decides which type of authorization check is to be used. This means in practice that the application determines which of the following is used: JEE security roles, UME permissions or UME ACLs. JEE security roles are part of the JEE standard. UME permissions are an SAP-specific concept. Basically, you can define the same authorization checks with JEE security roles and UME permissions. Certain programming techniques for SAP applications that enhance the JEE standard require the use of UME permissions, however. Therefore, an administrator should be familiar with both concepts.


Appendix: Declarative and Programmatic Authorizations
Authorizations can be defined as either declarative or programmatic:
• Declarative means that the Java container (Web container, EJB container, for example) enforces the access control, without the developer having to do the programming work. A security role is defined in the application (by annotation) or in the deployment descriptor of the application. With each call the container checks whether the user is assigned to the required security role.
• Programmatic means that the developer uses a method to check whether a caller of an EJB or a Web resource is assigned a certain authorization (security role or UME permission). The authorization check is defined directly in the source code.

The declarative approach is usually used for JEE security roles. UME permissions are always checked programmatically.

UME roles In the UME, there is a role concept with which authorizations, users or groups are assigned. These authorizations relate to authorization checks that are defined in the coding of the SAP Java application. The authorization concept in the UME uses permissions, actions, and roles. Permissions are defined in the Java coding (programmatical authorizations). Permissions are used to provide an access control. Permissions cannot be assigned directly to a user. An action is a collection of permissions. The developer of an SAP Java application defines his/her own actions and specifies the authorizations in the XML file actions.xml. Actions are displayed in the UME administration console. You can use the UME administration console to combine these actions into roles. UME roles group actions of one or more applications. You can assign UME roles to users in the UME administration console. Many of SAP's Java applications work with UME roles.


Figure 97: Structure of UME Roles

The figure shows the Purchase Order application as an example. This application consists of multiple objects, such as Create order, Approve order, into which a developer has built the corresponding authorization check directly in the coding. With UME roles, permissions (authorization objects) are defined directly in the coding and then bundled into actions by the developer. The administrator can then combine these actions into roles, and assign them to a user or a user group. Developers can define very detailed authorizations on the basis of this concept, but the complexity is hidden behind a small number of actions. Actions are predefined by the developer, delivered to customers together with the application, and are available as an XML file. This allows a simple, clear and cross-application authorization concept for large Java applications.

JEE security roles JEE security roles are part of the JEE standard. A JEE security role (also security role) is an abstract logical definition that protects access to an application, a service, or another resource. The security role consists of only a name and a description. The security role relates only to the application for which it was defined. Security roles allow an access check for JEE applications. The authorizations are usually defined declaratively. A developer creates a security role for each application object requiring protection. The protected application, its protected modules, classes or methods can be used by a user only if the administrator has assigned the users or groups to the security role.


Figure 98: Structure of JEE Security Roles

The figure shows the Purchase Order application as an example. For this application, a developer creates objects such as Create order, Approve order, and so on. If you are using JEE security roles, a security role must be created for each object. The security role is defined either in the deployment descriptor (XML file) or directly in the application coding. In addition to the security roles specified by the developer, the UME generates further security roles that are valid for the entire application. The advantage here is that several security roles with the same name can be combined into one application-wide security role. The administrator only has to concern himself or herself with the assignment of these security roles. You see the following behavior in the JEE standard: If a security role of a module is assigned to a user and he or she accesses another module of this application that is protected with a security role of the same name, he or she is granted access. The UME concept of combining the security roles of an application therefore only makes life a little easier for the administrator; it is not a security restriction. These security roles dynamically generated by the UME appear in the UME administration console as actions of the type J2EE. As a user administrator, you can now create UME roles that contain security roles (as actions) and assign these to users and groups. Using the detour of the UME roles, authorizations can in turn be assigned across all applications.

There are some special actions you can use for segregation of duties: Manage_Role_Assignments_SoD and Manage_Roles_SoD. A user with the action Manage_Role_Assignments_SoD is able to assign roles to any user but himself or herself. A user with the action Manage_Roles_SoD is able to create roles and to maintain all roles (assign actions) except roles which are assigned to himself or herself. Do not combine the following actions: Manage_Users, Manage_Groups, Manage_Roles, Manage_all_Companies, Manage_Role_Assignments_SoD and Manage_Roles_SoD.
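As an added check (not from the course), the following Python script scans UME role definitions and role assignments for the combinations the paragraph above says to avoid; the roles, actions and users are constructed sample data, and the script assumes the rule is to be applied both to the actions inside one role and to the actions a user collects across all assigned roles.

```python
# Actions the lesson says must not be combined (taken from the text above).
SOD_ACTIONS = {
    "Manage_Users", "Manage_Groups", "Manage_Roles", "Manage_all_Companies",
    "Manage_Role_Assignments_SoD", "Manage_Roles_SoD",
}

# Constructed sample: UME roles with their actions, and direct role assignments
# (role and user names are made up for this example).
ROLE_ACTIONS = {
    "Z_ROLE_ASSIGNER_SOD": {"Manage_Role_Assignments_SoD", "Read_All_Users"},
    "Z_ROLE_MAINTAINER_SOD": {"Manage_Roles_SoD"},
    "Z_USER_ADMIN": {"Manage_Users", "Manage_Groups"},   # two SoD actions in one role
    "Z_READONLY": {"Read_All_Users"},
}
USER_ROLES = {
    "alice": {"Z_ROLE_ASSIGNER_SOD", "Z_READONLY"},
    "bob": {"Z_ROLE_ASSIGNER_SOD", "Z_ROLE_MAINTAINER_SOD"},  # combined via two roles
    "carol": {"Z_USER_ADMIN"},
}


def sod_conflict(actions):
    """Sorted list of sensitive actions in `actions` if two or more are present, else []."""
    hits = sorted(set(actions) & SOD_ACTIONS)
    return hits if len(hits) > 1 else []


def role_violations(role_actions):
    """Roles that bundle two or more of the actions that must not be combined."""
    return {role: sod_conflict(actions)
            for role, actions in role_actions.items() if sod_conflict(actions)}


def user_actions(user, user_roles, role_actions):
    """All actions a user obtains through the roles assigned to him or her."""
    actions = set()
    for role in user_roles.get(user, ()):
        actions |= set(role_actions.get(role, ()))
    return actions


def user_violations(user_roles, role_actions):
    """Users whose assigned roles together yield two or more of the sensitive actions,
    even when every single role on its own is clean."""
    result = {}
    for user in user_roles:
        hits = sod_conflict(user_actions(user, user_roles, role_actions))
        if hits:
            result[user] = hits
    return result


if __name__ == "__main__":
    for role, hits in role_violations(ROLE_ACTIONS).items():
        print(f"role {role} combines {hits}")
    for user, hits in user_violations(USER_ROLES, ROLE_ACTIONS).items():
        print(f"user {user} effectively holds {hits}")
```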

Creating and Assigning UME Roles You can use the UME administration console to maintain UME roles. You perform both the assignment of actions to UME roles and the assignment of roles to UME users or groups there. JEE security roles are also displayed as actions in the UME administration console. After logging on with an administrator user, select the appropriate role, display the assigned actions, and change the role, if necessary. Then assign the role to a user and/or a group.

Figure 99: Maintaining UME Roles (UME Administration Console)

It is particularly important for the administration of authorizations that the UME itself, as a Java application, provides a large number of actions. These UME actions permit the precise definition of the rights which users have to principals (e.g. “display all users” or “maintain all groups”). The online documentation for SAP NetWeaver 7.3x describes the actions supplied by SAP for the UME itself (path SAP NetWeaver Library: Function-Oriented View → Security → Identity Management → User Management of the Application Server Java → Reference Documentation for User Management → Standard UME Actions).


ACL Maintenance
As described at the start of this lesson, you have the option of managing the protection of access to object instances (to folders or documents, for example) using an Access Control List (ACL). The developer uses the ACL API of the UME here. However, since the UME does not provide a UI for ACL maintenance, the developer must develop an individual UI for it. Therefore, the UI and also the authorizations to be assigned for concrete ACL maintenance differ from application to application. Details about ACL maintenance are found in the security and administration guide of the corresponding application. In particular, ACL maintenance is used in addition to UME administration in the SAP NetWeaver Portal.


Exercise 9: Create and Assign UME Roles and UME Groups

Exercise Objectives
After completing this exercise, you will be able to:
• Create UME roles
• Assign actions to UME roles
• Assign UME roles to users and groups

Business Example SAP systems perform authorization checks within the SAP NetWeaver platform with a role-based approach. This means that you assign authorizations to users in this specific system on the basis of the tasks to be performed.

Task 1: Handle Authorization for the UME Administration

1. Check if the user NEW-## can use the UME Administration Console.
2. Log on with your own course user and add the authorization to use the UME Administration Console to the user NEW-##.
3. Check the authorizations of the user NEW-## within the UME Administration Console.

Task 2: Create and Assign a UME Role to a User

Create a new UME role z_role and assign it to the user NEW-##.

1. Create a role z_role that allows the users assigned to it to make changes within the UME Administration Console.
2. Check if your user NEW-## can make changes within the UME Administration Console.


Task 3: Create and Assign a UME Role with Actions to a Group

Create a new UME role z_role_to_group with different actions and assign it to a group.

1. Check if the user NEW-## is allowed to call the application OpenSQLMonitors.
2. Create a group called z_GROUP.
3. Create a role called z_role_to_group and add the action OpenSQLMonitorLogonRole (which is a J2EE security role).
4. Connect your user NEW-## to the group z_GROUP.
5. Check if the user NEW-## is allowed to call the application OpenSQLMonitors.

Result
You can administer UME roles, assign actions and handle groups in the UME Administration Console.


Solution 9: Create and Assign UME Roles and UME Groups

Task 1: Handle Authorization for the UME Administration

1. Check if the user NEW-## can use the UME Administration Console.

   a) Open a Web browser window.
   b) Enter the URL http://.wdf.sap.corp:500/useradmin (for example: http://twdf1234.wdf.sap.corp:50000/useradmin).
   c) Log on with your system user NEW-## and its initial password. Hint: You have created this user in a previous exercise.
   d) When prompted, enter the old password, a new password, and the new password again.
   e) Which message do you receive at the top of the screen? __________________________________


2. Log on with your own course user and add the authorization to use the UME Administration Console to the user NEW-##.

   a) Press Log off.
   b) Log on with your own system user.
   c) Search for the user NEW-## and press Go.
   d) Select the line.
   e) Press Modify.
   f) Change to the tab Assigned Roles.
   g) In the area Available Roles (on the left), enter in the second field Search criteria: *READ* and press Go.
   h) Select the line: NWA_READONLY.
   i) Press Add.
   j) Press Save.

3. Check the authorizations of the user NEW-## within the UME Administration Console.

   a) Press Log Off.
   b) Log on with user NEW-##.
   c) Enter the password you set in step 1.
   d) Search for the user NEW-## and press Go.
   e) Select the line. Hint: Notice that you only have authorization to read but not to change users.

Task 2: Create and Assign a UME Role to a User

Create a new UME role z_role and assign it to the user NEW-##.

1. Create a role z_role that allows the users assigned to it to make changes within the UME Administration Console.

   a) Open a Web browser window.
   b) Enter the URL http://.wdf.sap.corp:500/useradmin (for example: http://twdf1234.wdf.sap.corp:50000/useradmin).
   c) Log on with your own system user.
   d) In the field Search Criteria select Role.
   e) Press Create Role.
   f) In the Details section enter: Unique Name: z_role; Description: z_role
   g) Change to the tab Assigned Actions.
   h) In the section Available Actions (on the left hand side), enter in the field Get: com.sap.sec* and press Go.
   i) In the table under the Get field, search for the line: UME, com.sap.security.core.ume.service, Manage_All.
   j) Select this line and press Add. Hint: This UME action gives all users that are linked to this role the authorization to make changes in the UME Administration Console. Note that Manage_All grants full authorization for all UME objects; outside a training system you would choose a narrower action such as Manage_Users.
   k) Change to the tab Assigned Users.
   l) In the section Available Users (on the left hand side), enter in the field Search Criteria: new-## and press Go.
   m) Select the line and press Add. Hint: Now you connect your user NEW-## with the role z_role.
   n) Press Save.

2. Check if your user NEW-## can make changes within the UME Administration Console.

   a) Log on with user NEW-##.
   b) Enter the password.
   c) Search for the user NEW-## and press Go.
   d) Select the line. Hint: Notice that you now have authorization to change the user.


Task 3: Create and Assign a UME Role with Actions to a Group

Create a new UME role z_role_to_group with different actions and assign it to a group.

1. Check if the user NEW-## is allowed to call the application OpenSQLMonitors.

   a) Press Log Off, or close all Web browser windows and open a new Web browser.
   b) Enter the URL http://.wdf.sap.corp:500/OpenSQLMonitors (for example: http://twdf1234.wdf.sap.corp:50000/OpenSQLMonitors).
   c) Enter the logon data for the user NEW-##. Hint: The system displays an error message due to insufficient authorization. The user NEW-## does not have the required security role assigned.


2. Create a group called z_GROUP.

   a) Close all Web browser windows.
   b) Open a new Web browser.
   c) Enter the URL http://.wdf.sap.corp:500/useradmin (for example: http://twdf1234.wdf.sap.corp:50000/useradmin).
   d) Log on with your own system user.
   e) In the field Search Criteria select Group.
   f) Press Create Group.
   g) Enter: Unique Name: z_GROUP; Description: z_GROUP
   h) Press Save. Hint: You have now created a group to which you can assign one or more roles. Hint: You could already add the user to this group now, but for educational reasons this is done later in a separate step.


3. Create a role called z_role_to_group and add the action OpenSQLMonitorLogonRole (which is a J2EE security role).

   a) In the field Search Criteria select Role.
   b) Press Create Role and enter: Unique Name: z_role_to_group; Description: z_role_to_group
   c) Change to the tab Assigned Actions.
   d) In the section Available Actions enter in the field Get: OpenSQLMonitorLogon* and press Go.
   e) Select the line: J2EE, Opensqlmonitor, OpenSQLMonitorLogonRole and press Add.
   f) Change to the tab Assigned Groups.
   g) In the section Available Groups enter in the Search Criteria: z_* and press Go.
   h) Select the line z_GROUP and press Add.
   i) Press Save. Hint: You have now linked the role z_role_to_group to the group z_GROUP.


4. Connect your user NEW-## to the group z_GROUP.

   a) In the field Search Criteria change to User.
   b) Enter the user NEW-## and press Go.
   c) Select the line of the user NEW-##.
   d) In the Details section press Modify.
   e) Change to the tab Assigned Groups.
   f) In the field Search Criteria enter z* and press Go.
   g) Select the line z_GROUP and press Add.
   h) Press Save. Hint: Now the user is also connected to the group.

5. Check if the user NEW-## is allowed to call the application OpenSQLMonitors.

   a) Press Log Off, or close all Web browser windows and open a new Web browser.
   b) Enter the URL http://.wdf.sap.corp:500/OpenSQLMonitors (for example: http://twdf1234.wdf.sap.corp:50000/OpenSQLMonitors).
   c) Enter the logon data for the user NEW-##. Hint: The user NEW-## now has the required security role (through the group z_GROUP and the role z_role_to_group) to use this application.

Result
You can administer UME roles, assign actions and handle groups in the UME Administration Console.


Lesson Summary
You should now be able to:
• Explain the terms UME role and JEE security role
• List the authorization administration tools
• Assign actions and JEE security roles to a UME role
• Assign authorizations to users and groups

Related Information
• Online documentation for SAP NetWeaver 7.3, path SAP NetWeaver Library: Function-Oriented View → Security → Identity Management → User Management of the Application Server Java → Reference Documentation for User Management

Lesson: Special Principles

Lesson Overview
You require special users to administer an AS Java. Initially, you can log on to the administration tools only with these users. If you have forgotten the password of your administration user, or the user has been locked, you can activate an emergency user that can still log on.

Lesson Objectives
After completing this lesson, you will be able to:
• List a number of "special" principles
• Change the password of the standard administration user
• Activate the emergency user

Business Example You are using Java applications that run on AS Java. The (only) administration user has been locked due to failed logon attempts and no further administrative activities can be performed. In this case, you need to activate the emergency user.

Default Principles
During AS Java installation, certain principles (principals, that is, users, groups and roles) are created for special purposes, while others are created subsequently by the administrator. In this section you will get to know some of these "default principles". In some cases, the default IDs of these principles depend on the employed data source.

Default Users
The following table presents important default users:

Default Users

User                               Database          LDAP Server        ABAP System, Add-In (ABAP+Java)   ABAP System, Remote
Administration user                Administrator     Administrator      J2EE_ADMIN                        J2EE_ADM_<SID>
Guest user                         Guest             Guest              J2EE_GUEST                        J2EE_GST_<SID>
Communication user to data source  SAP<SID>DB        Freely definable   SAPJSF                            SAPJSF_<SID>

The administration user has unrestricted access to AS Java; you should therefore give this account to only very few people and assign a strong password. If you use a client of an ABAP system as the data source, the listed user master records are located on this ABAP client (and can be viewed in SU01). In the case of a remote ABAP system, the SID of the AS Java system is incorporated in the user name (<SID> in the table). This allows you to distinguish between users if multiple AS Java systems are connected to a single ABAP client. Among other things, the guest user is used for anonymous access to AS Java, for example in order to construct the logon form in the Web browser. This user is normally locked. Do not delete this user. In addition to the users that are listed above, application-specific default users also exist in a pure AS Java system. You must therefore also take care of further default users, depending on the installed product.

Default Groups
The following table presents important default groups:

Default Groups

Group                  Database              LDAP Server           ABAP System
Administrators         Administrators        Administrators        SAP_J2EE_ADMIN
Guests                 Guests                Guests                SAP_J2EE_GUEST
All Users              Everyone              Everyone              Everyone
Authenticated Users    Authenticated Users   Authenticated Users   Authenticated Users
Anonymous Users        Anonymous Users       Anonymous Users       Anonymous Users

All the users that you assign to the Administrators group are given extensive system authorizations (by way of the Administrator role assigned to this group, see next section). Initially, the default administration user is entered here. Initially, the default guest user and the default guest role are assigned to the guest group. In addition, the UME possesses a built-in groups adapter which is responsible for the following three special groups:

• Everyone: Every (!) user is always a member of this group. If you assign roles/actions to this group, then every user (including those that you may create in the future, and including anonymous users) has the corresponding authorizations.
• Authenticated Users: This group contains all users who, in whatever way, have to log on to AS Java.
• Anonymous Users: This group contains all users who are able to log on anonymously (configured by means of the UME property ume.login.guest_user.uniqueids).

The following therefore applies: Authenticated Users + Anonymous Users = Everyone. In addition to these default groups, there are also application-specific groups depending on the installed product.

Default Roles
The following table presents important default roles:

Default Roles

Role            Meaning
Administrator   Provides extensive Java authorizations for administrators (via actions)
Everyone        Contains some basic end user authorizations

Although by default no users are directly assigned to these two roles, the Administrator role is linked to the Administrators group. The role Everyone is assigned to the group Everyone; therefore, it is assigned to all users.
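The following is an added example written for this unit; it is not SAP code and not part of the UME. It models in Python what the lesson describes: users, groups (including the three built-in groups served by the groups adapter), UME roles, UME actions, and JEE security roles exposed as actions of type J2EE, and it resolves the effective authorizations of a user along the path user → groups (searched recursively) → roles → actions. It also shows why security roles with the same name in two modules of one application become a single application-wide action, and how the segregation-of-duties action Manage_Role_Assignments_SoD differs from Manage_All. The names NEW-##, z_GROUP, z_role_to_group, OpenSQLMonitorLogonRole and Manage_All are taken from Exercise 9; the Purchase Order module names, the user SOD-ADMIN, the role z_sod_admin and the in-memory store are constructed for the example.

```python
"""Resolve a UME user's effective authorizations (added example, not SAP code)."""
from collections import deque

EVERYONE, AUTHENTICATED, ANONYMOUS = "Everyone", "Authenticated Users", "Anonymous Users"
UME_SERVICE = "com.sap.security.core.ume.service"


def action(kind, source, name):
    """An action as listed in the console: type (UME or J2EE), defining component, name."""
    return (kind, source, name)


class Ume:
    """Constructed in-memory stand-in for the UME persistence layer."""

    def __init__(self, guest_users=("Guest",)):
        self.guest_users = set(guest_users)   # users named in ume.login.guest_user.uniqueids
        self.member_of = {}                   # user or group -> groups it is a direct member of
        self.roles_of = {}                    # user or group -> UME roles assigned directly
        self.actions_of_role = {}             # UME role -> actions

    # Administration, as performed in the UME administration console.
    def add_to_group(self, principal, group):
        self.member_of.setdefault(principal, set()).add(group)

    def assign_role(self, principal, role):
        self.roles_of.setdefault(principal, set()).add(role)

    def add_action(self, role, act):
        self.actions_of_role.setdefault(role, set()).add(act)

    def deploy_application(self, app, module_roles):
        """Generate the J2EE actions for a deployed application.

        module_roles maps each module to the security roles its deployment
        descriptor declares. Roles with the same name in different modules
        collapse into one application-wide action (a convenience for the
        administrator, not a security restriction).
        """
        return {action("J2EE", app, r) for roles in module_roles.values() for r in roles}

    # Resolution of effective authorizations.
    def groups(self, user):
        """All groups of a user, searched recursively, plus the built-in groups."""
        found = {EVERYONE, ANONYMOUS if user in self.guest_users else AUTHENTICATED}
        queue = deque(self.member_of.get(user, ()))
        while queue:
            group = queue.popleft()
            if group not in found:
                found.add(group)
                queue.extend(self.member_of.get(group, ()))
        return found

    def roles(self, user):
        result = set(self.roles_of.get(user, ()))
        for group in self.groups(user):
            result |= self.roles_of.get(group, set())
        return result

    def actions(self, user):
        result = set()
        for role in self.roles(user):
            result |= self.actions_of_role.get(role, set())
        return result

    def may_call(self, user, app, security_role):
        """The JEE check behind an application protected by a security role."""
        return action("J2EE", app, security_role) in self.actions(user)

    def assign_role_as(self, actor, target, role):
        """Role assignment with the segregation-of-duties rule from this unit:
        Manage_All may assign anywhere; Manage_Role_Assignments_SoD may assign
        to anyone but the actor. Returns whether the assignment was performed."""
        ume_actions = {name for kind, _, name in self.actions(actor) if kind == "UME"}
        allowed = "Manage_All" in ume_actions or (
            "Manage_Role_Assignments_SoD" in ume_actions and target != actor)
        if allowed:
            self.assign_role(target, role)
        return allowed


def build_exercise_9():
    """Replays Exercise 9, Task 3, plus a constructed SoD administrator."""
    ume = Ume()
    for act in ume.deploy_application("Opensqlmonitor", {"web": ["OpenSQLMonitorLogonRole"]}):
        ume.add_action("z_role_to_group", act)
    ume.assign_role("z_GROUP", "z_role_to_group")
    ume.add_to_group("NEW-00", "z_GROUP")
    ume.add_action("z_sod_admin", action("UME", UME_SERVICE, "Manage_Role_Assignments_SoD"))
    ume.assign_role("SOD-ADMIN", "z_sod_admin")
    return ume


if __name__ == "__main__":
    ume = build_exercise_9()
    print(sorted(ume.groups("NEW-00")))
    print(ume.may_call("NEW-00", "Opensqlmonitor", "OpenSQLMonitorLogonRole"))
    print(ume.assign_role_as("SOD-ADMIN", "SOD-ADMIN", "z_role_to_group"))
```

Two points worth noticing when running it: a role assigned to the group Everyone reaches the guest user as well, because the groups adapter places every user, anonymous ones included, in Everyone; and deploying an application whose modules both declare the same security role name yields one action, so a user who holds it is admitted to every module protected by that name.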

Emergency User You need to activate an emergency user for the UME if the user management has been incorrectly configured and no one can log on to an application, or all administration users are locked. This emergency user is called SAP* and can log on to any application and to the configuration tools. The SAP* user has full administration authorizations and, for security reasons, does not have a default password. You set the password as part of emergency user activation. Hint: The emergency user is generally not important in systems in which the UME runs (successfully) with the ABAP data source as you can always create a user in ABAP and give it Java administration rights.

Figure 100: Activating the Emergency User


Proceed as follows to make a correction with the SAP* user:

1. Activate the SAP* user
   a) Stop the Java cluster.
   b) In the Config Tool, open the Configuration Editor mode.
   c) Navigate to cluster_config → system → custom_global → cfg → services → com.sap.security.core.ume.service → Propertysheet properties.
   d) Switch to change mode.
   e) Set ume.superadmin.activated to the value true and ume.superadmin.password to any password.
   f) Start the Java cluster.

2. Change the configuration
   a) Log on with the user SAP* and the password that you have just set. Note: While the SAP* user is active, all other users are deactivated.
   b) Correct the problem; for example, unlock the administration user.

3. Deactivate the SAP* user
   a) Stop the Java cluster.
   b) In the Config Tool, open the Configuration Editor mode.
   c) Navigate to cluster_config → system → custom_global → cfg → services → com.sap.security.core.ume.service → Propertysheet properties.
   d) Switch to change mode.
   e) Set ume.superadmin.activated to the value false.
   f) Start the Java cluster.

Deactivate SAP* as soon as the correction is done: while it is active no regular user can log on, and an account with full administration authorizations remains usable by anyone who knows the password you set.


Exercise 10: Default Principles and Emergency Users

Exercise Objectives
After completing this exercise, you will be able to:
• Evaluate default principles
• Activate the emergency user

Business Example You are using a Java application that runs on AS Java. The (only) administration user has been locked due to failed logon attempts and no further administrative activities can be performed. In this case, you need to activate the emergency user.

Task 1: Default Groups

Evaluation of the groups assigned to a user.

1. Which UME groups are assigned to your current user? Which of these are default groups?

Result
You can evaluate the default groups which are assigned to a user.

Task 2: Emergency User

Activate (and deactivate) the UME emergency user.

1. Stop all application servers of your system. Note: You do not have to stop the Central Services instance.
2. Activate the UME emergency user.
3. Start all application servers of your system.
4. Try to log on to the UME administration console with your normal user for this course.
5. Try to log on to the UME administration console with the user SAP*.
6. Deactivate the UME emergency user.

Result
You can activate the UME emergency user.


Solution 10: Default Principles and Emergency Users

Task 1: Default Groups

Evaluation of the groups assigned to a user.

1. Which UME groups are assigned to your current user? Which of these are default groups?

   a) Enter the URL http://.wdf.sap.corp:500/useradmin (for example: http://twdf1234.wdf.sap.corp:50000/useradmin).
   b) Enter the logon data of the user.
   c) In the Identity Management area of the administration console, run a search for the user that you just used to log on.
   d) Select the hit.
   e) Go to the Assigned Groups tab. If you perform a search with the Search Recursively field selected, all the assigned groups will be listed. By using the search criterion Built-in Groups Adapter, you will see the default groups Everyone and Authenticated Users to which this user is assigned.

Result
You can evaluate the default groups which are assigned to a user.


Task 2: Emergency User

Activate (and deactivate) the UME emergency user.

1. Stop all application servers of your system. Note: You do not have to stop the Central Services instance.

   a) Open a Web browser and call the SAP Management Console using the URL http://.wdf.sap.corp:513, for example http://twdf1234.wdf.sap.corp:50013.
   b) Confirm the security information and wait until the SAP MC opens.
   c) Select the entry for the whole system, right-click and choose Stop.
   d) In the selection box under Choose which components have to be affected by the operation, choose Dialog Instances and confirm with OK.
   e) Wait until all instances, except for the Central Services instance, have stopped.

2. Activate the UME emergency user.

   a) Start the Config Tool at operating system level of your SAP system.
   b) Go to Switch to configuration editor mode.
   c) Navigate to cluster_config → system → custom_global → cfg → services → com.sap.security.core.ume.service → Propertysheet properties and switch to edit mode.
   d) Set the parameter ume.superadmin.activated to the value true and the parameter ume.superadmin.password to any password.

3. Start all application servers of your system.

   a) Open a Web browser and call the SAP Management Console using the URL http://.wdf.sap.corp:513, for example http://twdf1234.wdf.sap.corp:50013.
   b) Confirm the security information and wait until the SAP MC opens.
   c) Select the entry for the whole system, right-click and choose Start.
   d) In the selection box under Choose which components have to be affected by the operation, choose Dialog Instances and confirm with OK.
   e) Wait until all instances have started.

4. Try to log on to the UME administration console with your normal user for this course.

   a) The logon fails with the message "User SAP* is active".

5. Try to log on to the UME administration console with the user SAP*.

   a) The logon is successful. In the UME Administration Console, the user SAP* can display all users, groups and roles.

6. Deactivate the UME emergency user.

   a) Stop all application servers of your system again. See step 1.
   b) Use the Configuration Editor mode to reset the parameter ume.superadmin.activated to its shipped value false (Restore default button). See step 2.
   c) Start all application servers of your system. See step 3.

Result
You can activate the UME emergency user.


Lesson Summary
You should now be able to:
• List a number of "special" principles
• Change the password of the standard administration user
• Activate the emergency user

Related Information
• Online documentation for SAP NetWeaver CE 7.1x, path SAP NetWeaver Composition Environment Library → Administrator's Guide → Administration of SAP NetWeaver CE → Security and User Administration → Identity Management for Application Server Java
• Online documentation for SAP NetWeaver CE 7.1x, path SAP NetWeaver Composition Environment Library → Administrator's Guide → SAP NetWeaver CE Security Guide → Security Guides for CE Core Components → SAP NetWeaver Application Server Java Security Guide → User Administration and Authentication
Lesson: Logon Procedure of the AS Java

Lesson Overview
The standard Java Authentication and Authorization Service (JAAS) was implemented in the AS Java to support different logon procedures. This lesson explains the basics of the configuration of the AS Java logon procedures.

Lesson Objectives
After completing this lesson, you will be able to:
• list the supported logon procedures of the AS Java
• explain the functions of login modules
• change the standard logon procedure of the AS Java
• explain Kerberos logon (SPNego)
• set up X.509 logon

Business Example
The company XYZ Petro uses a custom-built Composite Application as a central procurement process. The process requires access to various runtime systems. A uniform logon procedure should be used for all involved systems to simplify access to the process and the connected systems for the users without neglecting security aspects.

Basics
The standard Java Authentication and Authorization Service (JAAS) was implemented in the AS Java to support different logon procedures. Depending on the requirement and scenario, this enables you to choose the appropriate logon procedure, or to develop your own logon mechanisms according to JAAS:

• Anonymous logon
• User ID and password
  – Basic authentication
  – Digest Access Authentication
  – Form-based
• Digital Certificates (X.509)
• Windows Logon (Kerberos)
• Logon Ticket
• Assertion Ticket
• SAML Assertions


When logging on with your user ID and password, you distinguish between the HTTP standard methods Basic Authentication and Digest Access Authentication (see RFC 2617 of the Internet Engineering Task Force (IETF): http://tools.ietf.org/html/rfc2617), and entering the data in an HTML form. Note that Basic Authentication and form-based logon transmit the password in clear (Basic Authentication merely Base64-encodes it), so they require an encrypted connection. Logon Ticket and Assertion Ticket are SAP-specific procedures, with the Assertion Ticket being used only for system-to-system communication (see below). The anonymous logon is especially interesting for Internet scenarios with the SAP NetWeaver Portal. It enables system access without specifying logon data. SAML stands for Security Assertion Markup Language and is a standard of the Organization for the Advancement of Structured Information Standards (OASIS). SAML enables authentication in open system environments, such as the Internet. Details about the standard can be found under http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security. The implementation of JAAS in SAP NetWeaver AS Java is based on so-called login modules. A login module is the concrete implementation of the flow logic of the authentication. Several login modules can be combined into a login module stack (also called authentication stack).

Configuration of the Logon Procedure
The administrator can adjust the logon procedures for the delivered applications. For this purpose, maintain the policy configuration of the corresponding application in the SAP NetWeaver Administrator (http://host:Port/nwa) under Configuration → Security → Authentication and Single Sign-On. Using the policy configuration, a login module or an authentication stack can be assigned to an application to determine the logon procedure for this application.


Figure 101: Policy Configuration in the SAP NetWeaver Administrator

You can find the delivered authentication stacks in the policy configuration, for example ticket under the type Template. Since ticket is the standard logon procedure for all Web Dynpro applications and for most of the other applications in the AS Java as well, you can easily set up another procedure by changing ticket. If you do not want to change the delivered standard, you can also define your own authentication stacks. Custom-built login modules in accordance with the JAAS standard can also be implemented. To ensure that the SAP applications also use the stack you created, this must be assigned in the policy configuration of the application. Here however you have to differentiate between a simple Web application or a Web Dynpro Java application. In simple Web applications, the required login modules or the required authentication stack is assigned directly in the policy configuration of the concrete application. All applications that are programmed in Web Dynpro Java are configured using a single servlet (sap.com/tc~wd~dispwda*webdynpro_dispatcher). Therefore, you cannot set up different logon procedures for different Web Dynpro Java applications; you can only set up one uniform logon procedure for all. If no explicit policy configuration is stored for a Web application or for sap.com/tc~wd~dispwda*webdynpro_dispatcher, the authentication stack configured with the UME parameter ume.login.context is used.


In summary, you have the following change options for the logon procedure:

• Direct change of the ticket policy configuration.
• Change of the policy configuration sap.com/tc~wd~dispwda*webdynpro_dispatcher for all Web Dynpro Java applications collectively.
• Change of each individual policy configuration for simple Web applications.

A policy configuration comprises login modules. There are many login modules available in AS Java; some of them are:

• BasicPasswordLoginModule: This login module is used to perform user authentication with user name and password, for example in JSP forms.
• ClientCertificateLoginModule: This login module performs a certificate logon to the Java EE Engine.
• CreateTicketLoginModule: This login module is used to create logon tickets.
• EvaluateTicketLoginModule: This login module is used to verify logon tickets issued by other servers.
• SPNegoLoginModule: This login module is used for SSO with Kerberos authentication. It implements the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) on SAP NetWeaver AS Java.

Note: A list of login modules can be found in the online documentation for SAP NetWeaver 7.31 at: SAP NetWeaver → Platform → SAP NetWeaver 7.3 Including Enhancement Package 1 → Application Help → Function-Oriented View → Security → User Authentication and Single Sign-On → Authentication Infrastructure → AS Java Authentication Infrastructure → Login Modules

The ticket policy configuration is shown as an example here:

Policy Configuration: ticket

Login Module                 Flag
EvaluateTicketLoginModule    SUFFICIENT
BasicPasswordLoginModule     REQUISITE
CreateTicketLoginModule      OPTIONAL


In the above example the login modules are configured in such a way that:

1. AS Java checks whether the user presents a valid logon ticket; if so, the logon ticket is accepted and no further processing is done.
2. If no logon ticket exists, AS Java authenticates the user with user ID and password (BasicPasswordLoginModule).
3. Only after successful authentication is the user issued a logon ticket.

The following table explains the meaning of the possible flags in detail.

Login Module Flags

Flag         Required to Succeed   Description
OPTIONAL     No                    Authentication proceeds down the list whether the module has succeeded or failed.
REQUIRED     Yes                   Authentication proceeds down the list of modules whether the module has succeeded or failed; if it failed, the overall authentication fails.
REQUISITE    Yes                   If successful, the authentication proceeds down the list; otherwise control returns to the application immediately, that is, the authentication does not proceed.
SUFFICIENT   No                    If the authentication is successful, control returns to the application; otherwise the authentication proceeds.

To give a better understanding, the next table shows the effects of the different flags during an authentication process ("skipped" means the module is not executed because an earlier module already ended the authentication).

Example of Login Module Flags

Module                   Flag         Pass/Fail   Pass/Fail   Pass/Fail
Module 1                 SUFFICIENT   Pass        Fail        Fail
Module 2                 REQUISITE    skipped     Pass        Fail
Module 3                 OPTIONAL     skipped     Pass        skipped
Overall Authentication                Pass        Pass        Fail

Note: See the online documentation for more information about configuring logon tickets on SAP NetWeaver AS Java
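The following is an added example written for this lesson; it is not SAP's authentication framework and not code from the page. It simulates how a JAAS login module stack is evaluated under the four control flags from the table above, and then replays the delivered ticket policy configuration (EvaluateTicketLoginModule SUFFICIENT, BasicPasswordLoginModule REQUISITE, CreateTicketLoginModule OPTIONAL) with three constructed requests: a valid ticket, a correct password, and a wrong password. Each login module is modelled as a callable that receives the request and returns True (pass) or False (fail); the ticket store, password table, cookie name logon_ticket and request dictionaries are constructed for the example.

```python
"""Simulate a JAAS login module stack (added example, not SAP code)."""

OPTIONAL, REQUIRED, REQUISITE, SUFFICIENT = "OPTIONAL", "REQUIRED", "REQUISITE", "SUFFICIENT"


def run_stack(stack, request):
    """Evaluate stack = [(name, flag, module), ...] against request.

    Returns (overall_result, trace); trace lists (name, "Pass"/"Fail") for every
    module that was actually executed, so a short trace shows where the stack
    returned early.
    """
    trace, required_failed, any_passed = [], False, False
    has_required = any(flag in (REQUIRED, REQUISITE) for _, flag, _ in stack)
    for name, flag, module in stack:
        passed = bool(module(request))
        trace.append((name, "Pass" if passed else "Fail"))
        any_passed = any_passed or passed
        if flag in (REQUIRED, REQUISITE) and not passed:
            required_failed = True
            if flag == REQUISITE:            # REQUISITE failure: stop at once
                return False, trace
        elif flag == SUFFICIENT and passed:  # SUFFICIENT success: stop at once,
            return not required_failed, trace  # but an earlier REQUIRED failure still counts
    # End of the list: every REQUIRED/REQUISITE module must have passed; a stack
    # without such modules needs at least one successful module.
    return (not required_failed) if has_required else any_passed, trace


def const(result):
    """A module whose outcome is fixed, used to replay the flag table."""
    return lambda request: result


def example_stack(m1, m2, m3):
    """The three-module example from the flag table above."""
    return [("Module 1", SUFFICIENT, const(m1)),
            ("Module 2", REQUISITE, const(m2)),
            ("Module 3", OPTIONAL, const(m3))]


# The delivered "ticket" policy configuration, with constructed data behind it.
VALID_TICKETS = {"ticket-abc": "NEW-00"}   # constructed: ticket value -> user it identifies
PASSWORDS = {"NEW-00": "init1234"}         # constructed: user -> password


def evaluate_ticket(request):
    user = VALID_TICKETS.get(request.get("logon_ticket"))
    if user:
        request["user"] = user
    return user is not None


def basic_password(request):
    user_id = request.get("user_id")
    # Check membership first so that a request without user_id and password does
    # not pass by comparing None with None.
    passed = user_id in PASSWORDS and PASSWORDS[user_id] == request.get("password")
    if passed:
        request["user"] = user_id
    return passed


def create_ticket(request):
    request["issued_ticket"] = "ticket-for-" + request["user"]
    return True


TICKET_STACK = [
    ("EvaluateTicketLoginModule", SUFFICIENT, evaluate_ticket),
    ("BasicPasswordLoginModule", REQUISITE, basic_password),
    ("CreateTicketLoginModule", OPTIONAL, create_ticket),
]


def logon(request):
    """Run the ticket stack; returns (success, modules executed, ticket issued or None)."""
    ok, trace = run_stack(TICKET_STACK, request)
    return ok, [name for name, _ in trace], request.get("issued_ticket")


if __name__ == "__main__":
    for column in [(True, None, None), (False, True, True), (False, False, None)]:
        ok, trace = run_stack(example_stack(*column), {})
        print(column, "->", "Pass" if ok else "Fail", trace)
    print(logon({"logon_ticket": "ticket-abc"}))
    print(logon({"user_id": "NEW-00", "password": "init1234"}))
    print(logon({"user_id": "NEW-00", "password": "wrong"}))
```

The trace makes the stack behaviour visible: with a valid ticket only EvaluateTicketLoginModule runs and no new ticket is issued (SUFFICIENT returns at once); with a wrong password the REQUISITE module stops the stack before CreateTicketLoginModule can run; and a REQUIRED failure followed by a SUFFICIENT success still ends in failure, which is why REQUIRED and REQUISITE are the flags to use for the module that must actually verify the credential.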


Logon Ticket
In the standard delivery, the AS Java uses logon tickets in the logon procedure. The authentication stack ticket that is used first checks whether there is a valid logon ticket (EvaluateTicketLoginModule). If there is no valid logon ticket, the user must enter his/her user ID and password (BasicPasswordLoginModule). A logon ticket is issued if the entries are correct (CreateTicketLoginModule). By default, the browser sends the logon ticket with every request that goes to the same domain as the issuing system, so the ticket can be used to log on to other systems in that domain (Single Sign-On). Caution: If logon tickets are used as a logon procedure or for Single Sign-On, you must make sure that the logon ticket cannot be intercepted and replayed: whoever obtains the ticket can log on with it for the rest of its validity period. We therefore strongly recommend encrypting the connection (HTTPS) here.

Figure 102: Logon Ticket

Technically, the logon ticket is a session cookie. This means that the cookie is not saved to disk but is only held in the working memory of the browser; it is deleted when the browser session ends. The logon ticket contains the following data:

Figure 103: Contents of the Logon Ticket

A prerequisite for Single Sign-On with the logon ticket is an identical user ID in the issuing and the accepting system. The accepting system must be configured in such a way that the logon ticket of the issuing system is accepted. Using the digital signature, the issuing system can be uniquely identified and, at the same time, the integrity of the logon ticket can be verified.

Assertion Ticket

Assertion tickets are an extension of the logon tickets. The main differences are:

• Assertion tickets are not stored temporarily like logon tickets.
• Assertion tickets are only valid for 2 minutes.
• Assertion tickets are issued directly for the respective target system.

Older systems interpret the assertion ticket as a logon ticket. The configuration for Single Sign-On is therefore along the same lines as the configuration for logon tickets. The main area of application for assertion tickets is system-to-system communication via RFC or HTTP. For example, in the AS Java, destinations can use the assertion ticket as a logon method. In the AS Java, you can use the login modules CreateAssertionTicketLoginModule and EvaluateAssertionTicketLoginModule as well as the policy configuration evaluate_assertion_ticket to issue and verify assertion tickets. An assertion ticket is issued when a connection to a remote system is established.


Example: Kerberos Logon (SPNego)

Another supported logon procedure, which is of particular relevance to Windows environments, is the Kerberos logon. A Kerberos ticket is evaluated by the AS Java using the SPNegoLoginModule during the logon. SPNego stands for Simple and Protected GSS-API Negotiation Mechanism. The GSS-API (Generic Security Services API) is a standard interface for security services. However, the GSS-API has the drawback that different implementations are incompatible with one another. SPNego was therefore developed as a standard to find out which authentication mechanisms both communication partners understand, and then to use one of these. In Microsoft Windows, the SPNego interface is used as Integrated Windows Authentication. The actual authentication mechanism here is NTLM (NT LAN Manager) or Kerberos. The following figure clarifies the Kerberos logon process for the AS Java in combination with a Microsoft Active Directory Server (used as a Windows domain controller and Key Distribution Center (KDC)):

Figure 104: Kerberos Logon

We assume that the user has already logged on to the Windows domain successfully; the user was already identified by the Active Directory for this purpose. Prerequisite for the logon to the AS Java: there must be some sort of assignment of the users in the AS Java to the users in the Active Directory. This works best if the UME of the AS Java uses the Active Directory as a data source via the LDAP interface. However, other scenarios are also supported.


If the user (Alice) now wants to call an application in the AS Java using the Web browser (step 1), the AS Java sends the HTTP error message 401 - Unauthorized and at the same time the value Negotiate in the HTTP header www-authenticate (step 2). In step 3, the browser requests a Kerberos ticket (for Alice) from the KDC to log on to the host used in step 1. The Web browser transfers the host name of the AS Java in the request. The KDC must now (in step 4) identify the service user ID (see below) for this AS Java using the transferred host name and issue a ticket that is encrypted with the secret key of the service user found in this way. In step 5, the encrypted Kerberos ticket is sent to the browser of the user (Alice), which passes the ticket on to the AS Java in step 6. In step 7, the AS Java decrypts the ticket using the secret key (of the service user in the KDC, see below), and the user (Alice) is authenticated. From this process some required configuration settings for the Kerberos logon are derived:

• Configuration of the KDC
  – Setting up a service user to identify the AS Java.
  – Registering a Service Principal Name (SPN) for the host name of the AS Java and assigning it to the service user.
  The KDC can later identify the service user using the SPN. The secret key of the service user is used to encrypt the Kerberos ticket.
• Exchanging the Secret Key: The secret key of the service user must be provided in the AS Java (keytab file) so that the encrypted Kerberos ticket can be decrypted and verified. This is done by the configuration wizard.
• Configuration of the UME: Since the users that have logged on to the Windows domain are now going to log on to the AS Java, the UME must either know the Windows users directly, or an assignment of user IDs must be made between Windows users and UME users. You can do so, for example, by configuring the Active Directory as a data source for the UME.
• Setting up the Policy Configuration: The logon procedure must be set up in such a way that the SPNegoLoginModule is used. This is done by the configuration wizard.
• Setting Java VM Parameters: The Java VM must be configured with special parameters to enable the Kerberos logon. This is done by the configuration wizard.


Some of the steps specified are carried out using the SPNego configuration wizard. See SAP Note 994791 for more information about this.
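The seven steps of Figure 104 as an added simulation in Python (not SAP or MIT Kerberos code): a KDC that issues a ticket sealed with the service user's key, and an AS Java that unseals it with the key from its keytab, so a keytab that does not match the KDC fails in step 7. The toy cipher, the SPN format HTTP/<host>, the host name asjava.example.test and the user alice are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time


def _keystream(key: bytes, n: int) -> bytes:
    # Toy keystream (SHA-256 in counter mode) so the example runs offline.
    # Real Kerberos uses AES or RC4 encryption types, not this construction.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, payload: dict) -> bytes:
    """Encrypt-then-MAC the ticket payload under the service user's secret key."""
    plain = json.dumps(payload, sort_keys=True).encode()
    body = bytes(p ^ k for p, k in zip(plain, _keystream(key, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()   # 32-byte tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("ticket cannot be verified (wrong keytab key or altered ticket)")
    plain = bytes(c ^ k for c, k in zip(body, _keystream(key, len(body))))
    return json.loads(plain)


class KDC:
    """Active Directory acting as KDC: knows the service users by their SPN (step 4)."""

    def __init__(self) -> None:
        self.spn_to_key = {}

    def register_spn(self, spn: str, service_key: bytes) -> None:
        # The SPN for the AS Java host name is registered and assigned to the service user.
        self.spn_to_key[spn] = service_key

    def issue_ticket(self, user: str, host: str, lifetime: int = 600) -> bytes:
        spn = f"HTTP/{host}"                 # assumed SPN format, derived from the host name
        if spn not in self.spn_to_key:
            raise ValueError(f"no service user registered for {spn}")
        payload = {"user": user, "spn": spn, "exp": int(time.time()) + lifetime}
        return seal(self.spn_to_key[spn], payload)   # encrypted with the service user's key


class ASJava:
    """AS Java holding the service user's key from the keytab file (step 7)."""

    def __init__(self, host: str, keytab_key: bytes) -> None:
        self.host = host
        self.keytab_key = keytab_key

    def challenge(self) -> tuple:
        # Step 2: HTTP 401 Unauthorized with the header WWW-Authenticate: Negotiate
        return 401, {"WWW-Authenticate": "Negotiate"}

    def authenticate(self, ticket: bytes) -> str:
        data = unseal(self.keytab_key, ticket)   # fails if keytab and KDC key differ
        if data["spn"] != f"HTTP/{self.host}":
            raise ValueError("ticket was issued for another service")
        if data["exp"] < time.time():
            raise ValueError("ticket has expired")
        return data["user"]                      # authenticated user ID; the UME lookup follows


def spnego_logon(user: str, host: str, kdc: KDC, as_java: ASJava) -> str:
    """Steps 1 to 7: request, 401 Negotiate, ticket from the KDC, ticket to the AS Java."""
    status, headers = as_java.challenge()                       # steps 1 and 2
    if status != 401 or headers.get("WWW-Authenticate") != "Negotiate":
        raise RuntimeError("server did not offer SPNego")
    ticket = kdc.issue_ticket(user, host)                       # steps 3 to 5 (browser <-> KDC)
    return as_java.authenticate(ticket)                         # steps 6 and 7


def logon_outcome(user: str, host: str, kdc: KDC, as_java: ASJava) -> str:
    """The user ID on success, 'denied: <reason>' otherwise."""
    try:
        return spnego_logon(user, host, kdc, as_java)
    except ValueError as err:
        return f"denied: {err}"


if __name__ == "__main__":
    service_key = hashlib.sha256(b"constructed secret of the service user").digest()
    kdc = KDC()
    kdc.register_spn("HTTP/asjava.example.test", service_key)
    print(logon_outcome("alice", "asjava.example.test", kdc, ASJava("asjava.example.test", service_key)))
    print(logon_outcome("alice", "asjava.example.test", kdc, ASJava("asjava.example.test", b"\x00" * 32)))
```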

Example: X.509 Client Authentication

The following figure shows use cases for X.509 client authentication.

Figure 105: X.509 Client Certificates

Mutual authentication takes place using SSL. It can be used to access the following SAP systems:

• Web applications of SAP NetWeaver AS ABAP
• SAP GUI for Windows/Java (with partner product), SAP NetWeaver AS ABAP
• SAP NetWeaver AS Java

It can also be used for access to non-SAP systems that support SSL. It can be used for the Internet or intranet. Authentication takes place with every request, so no user intervention is actually required for “Multiple-Log-On”.

In addition to using SSL for encrypting connections, you can use SSL and X.509 client certificates for authenticating client or user access requests to the AS Java. When using client certificates, authentication takes place transparently for the user with the underlying SSL security protocol. Therefore, you can use authentication with client certificates to integrate the AS Java in a Single Sign-On environment. The following steps describe how to configure X.509 client authentication for the AS Java. SSL must already be configured.

1. Using the Key Storage management functions of the SAP NetWeaver Administrator (NWA), place the root certificates of each of the client certificate CAs as a CERTIFICATE entry in the ICM_SSL_ view. If the certificate already exists in another Key Storage view on the AS Java, you can copy the existing certificate entry to the corresponding view. Alternatively, if the certificate exists as a file in your file system, you can import it into the AS Java Key Storage.
2. Using the VCLIENT profile parameter of the ICM for the AS Java, select whether the AS Java should:
   • Request (but not require) that the user presents a client certificate for authentication.
   • Require that client certificates are used for authentication.
3. Configure the ClientCertLoginModule for establishing the AS Java user ID from the client certificate and for filtering the provided certificates.
4. Adjust the login module stacks and configure the login modules for those applications that accept client certificates as the authentication mechanism.

More information can be found in the online documentation for SAP NetWeaver 7.3x, path SAP NetWeaver Library: Function-Oriented View → Security → User Authentication and Single Sign-On → Authentication for Web-Based Access → X.509 Client Certificates.


Exercise 11: Configuration of X.509 Client Authentication

Exercise Objectives
After completing this exercise, you will be able to:
• set up X.509 Client Authentication

Business Example
You want to configure the use of client certificates (SAP Passport) for user authentication.

Caution: Use the Web browser on the operating system of your SAP system to do this exercise, as it may not be possible from your front end.

Note: SSL must already be configured successfully. Make sure the HTTPS port of the ICM is configured using the option VCLIENT=1.

Task 1: Get an SAP Passport
Get an SAP Passport from SAP Service Marketplace.

Note: SAP Passport is used as an example here. You can use any CA to issue X.509 client certificates.

1. Get an SAP Passport for your SAP Service Marketplace S-User. If you do not have an S-User, the instructor may be able to assist you.

Result
An SAP Passport X.509 client certificate is installed in your browser.

Caution: Remove the certificate from the browser after this whole exercise.

Task 2: X.509 Client Certificates for AS Java
Configure your AS Java to allow authentication with SAP Passport X.509 client certificates.

1. Check if the SAPPassportCA certificate entry in your AS Java is still valid. If not, download the SAP Passport CA root certificate from SAP Service Marketplace and import it into your AS Java.


2. Configure your AS Java to trust SSL requests with a certificate signed by the SAP Passport CA certificate. Update the PSE files.

3. Set the UME parameter ume.logon.allow_cert to true using the NWA.

4. Change the ticket policy configuration to include the client authentication. Use the table below for the exact order, the needed flags, and the special options needed.

Caution: Be very accurate in this step. Otherwise you may not be able to log on to your AS Java anymore.

Hint: The login module EvaluateTicketLoginModule may have more options than described in the following table. Do not delete them. Make sure that the mentioned option ume.configuration.active=true is set.

Login Module              | Flag       | Options
EvaluateTicketLoginModule | SUFFICIENT | ume.configuration.active=true
ClientCertLoginModule     | OPTIONAL   | Rule1.getUserFrom=wholeCert
CreateTicketLoginModule   | SUFFICIENT | ume.configuration.active=true
BasicPasswordLoginModule  | REQUISITE  |
CertPersisterLoginModule  | OPTIONAL   |
CreateTicketLoginModule   | OPTIONAL   | ume.configuration.active=true

Caution: Be careful: there is no “-” in any of the options! A possibly printed “-” would only be the indicator for a line break.

5. Test the connection, for example using the UME Administration Console: https://twdfSSSS.wdf.sap.corp:5$$01/useradmin. The initial logon should fail, because no certificate is mapped yet. If you enter your user and password, your certificate is mapped to your user ID automatically. You can verify (and change) this in the user details of your user. The next logon works without any password.


Solution 11: Configuration of X.509 Client Authentication

Task 1: Get an SAP Passport
Get an SAP Passport from SAP Service Marketplace.

Note: SAP Passport is used as an example here. You can use any CA to issue X.509 client certificates.

1. Get an SAP Passport for your SAP Service Marketplace S-User. If you do not have an S-User, the instructor may be able to assist you.
   a) Call the URL http://service.sap.com/tcs and log on with your S-User.
   b) Navigate to Single sign-on in the SAP Service Marketplace with your SAP Passport.
   c) Choose Apply for an SAP Passport.
   d) Enter your S-User's password and choose Apply for an SAP Passport.
   e) Now you need to confirm all popups and questions that may occur with OK or Yes. You may also need to allow the browser to execute some scripts to be successful. This depends on your browser's security settings.

Result
An SAP Passport X.509 client certificate is installed in your browser.

Caution: Remove the certificate from the browser after this whole exercise.

Task 2: X.509 Client Certificates for AS Java
Configure your AS Java to allow authentication with SAP Passport X.509 client certificates.

1. Check if the SAPPassportCA certificate entry in your AS Java is still valid. If not, download the SAP Passport CA root certificate from SAP Service Marketplace and import it into your AS Java.
   a) Open the NWA of your AS Java.
   b) Go to Configuration → Security → Certificates and Keys.
   c) Select the view TrustedCAs and select the entry SAPPassportCA. Check if the valid until date is still valid.
   d) If it is valid, proceed with the next step 2.
   e) If not, choose Rename, enter SAPPassportCA_old and choose Rename.
   f) Download the root certificate from http://service.sap.com/tcs → Download Area → Root Certificates → SAP Passport CA Certificate. Save it as a file named SAPPassportCA.cer.
   g) In the TrustedCAs view choose Import Entry. Select the entry type X.509 certificate, browse to the file, select it and choose Import.

2. Configure your AS Java to trust SSL requests with a certificate signed by the SAP Passport CA certificate. Update the PSE files.
   a) In the NWA go to Configuration → Security → Certificates and Keys.
   b) Select the entry ICM_SSL_.
   c) If an expired entry for SAPPassportCA exists, then delete this entry. If a valid entry for SAPPassportCA exists, proceed with step 3. Choose Copy Entry, select From View: TrustedCAs and From Entry: SAPPassportCA and choose Import.
   d) Now choose Export View to PSE.
   e) Repeat this for all other ICM_SSL_ entries.

3. Set the UME parameter ume.logon.allow_cert to true using the NWA.
   a) In the NWA go to Configuration → Security → Authentication and Single Sign-On and choose the Properties tab.
   b) Choose Modify.
   c) Select the check box for the option Enable showing certificate logon URL link on the logon page (ume.logon.allow_cert).
   d) Choose Save and confirm the popup with Yes.

4. Change the ticket policy configuration to include the client authentication. Use the table below for the exact order, the needed flags, and the special options needed.

Caution: Be very accurate in this step. Otherwise you may not be able to log on to your AS Java anymore.

Hint: The login module EvaluateTicketLoginModule may have more options than described in the following table. Do not delete them. Make sure that the mentioned option ume.configuration.active=true is set.

Login Module              | Flag       | Options
EvaluateTicketLoginModule | SUFFICIENT | ume.configuration.active=true
ClientCertLoginModule     | OPTIONAL   | Rule1.getUserFrom=wholeCert
CreateTicketLoginModule   | SUFFICIENT | ume.configuration.active=true
BasicPasswordLoginModule  | REQUISITE  |
CertPersisterLoginModule  | OPTIONAL   |
CreateTicketLoginModule   | OPTIONAL   | ume.configuration.active=true

Caution: Be careful: there is no “-” in any of the options! A possibly printed “-” would only be the indicator for a line break.

   a) In the NWA go to Configuration → Security → Authentication and Single Sign-On → Authentication and choose the Components tab.
   b) Select the entry ticket and choose Edit.
   c) Edit the list of the login modules in such a way that the result is exactly as given in the table above.
   d) To add a login module, choose Add, select the Login Module Name, for example ClientCertLoginModule, and choose Add.
   e) Use Move Up or Move Down to sort the login modules as given in the table above.
   f) Choose the correct Flag from the drop-down list.
   g) To edit the options of a login module, select the login module and choose, for example, Add to enter a new option as given in the table above.
   h) Finally, Save the policy configuration.

5. Test the connection, for example using the UME Administration Console: https://twdfSSSS.wdf.sap.corp:5$$01/useradmin. The initial logon should fail, because no certificate is mapped yet. If you enter your user and password, your certificate is mapped to your user ID automatically. You can verify (and change) this in the user details of your user. The next logon works without any password.
   a) Open a browser and enter the URL https://twdfSSSS.wdf.sap.corp:5$$01/useradmin. The initial logon should fail, because no certificate is mapped yet. Enter your user and password.
   b) Enter your user into the search field and choose Go.
   c) Select your user and choose the tab Certificates. Your certificate should already be visible here.
   d) The next logon should work without any password.

Result
You successfully configured X.509 client authentication.

Caution: Remove your SAP Passport from your Web browser now.


Lesson Summary
You should now be able to:
• list the supported logon procedures of the AS Java
• explain the functions of login modules
• change the standard logon procedure of the AS Java
• explain Kerberos logon (SPNego)
• set up X.509 logon

Related Information
For more information about the configuration of the Kerberos logon, go to the SAP Library for SAP NetWeaver 7.3 under Administrator’s Guide → Configuration of SAP NetWeaver CE → Initial System Configuration → Configuring Security → Configuring Authentication and Single Sign-On → Integration in Single Sign-On (SSO) Environments → Single Sign-On for Web-Based Access → Using Kerberos Authentication.
For detailed information about Kerberos, go to http://web.mit.edu/kerberos/.
For a good overview of Kerberos under Windows, go to http://www.microsoft.com/msj/0899/kerberos/kerberos.aspx.
For information about SPNego, go to http://msdn.microsoft.com/en-us/library/ms995329.aspx.
SAP Note 994791: SPNego Wizard


Unit Summary
You should now be able to:
• List the various UME data sources
• Determine the current data source assignment
• Explain the term UME data partitioning
• Identify and modify configuration parameters
• List and use the tools for administering users and groups
• Explain the terms UME role and JEE security role
• List the authorization administration tools
• Assign actions and JEE security roles to a UME role
• Assign authorizations to users and groups
• List a number of “special” principles
• Change the password of the standard administration user
• Activate the emergency user
• list the supported logon procedures of the AS Java
• explain the functions of login modules
• change the standard logon procedure of the AS Java
• explain Kerberos logon (SPNego)
• set up X.509 logon


Test Your Knowledge

1. Which of the following data sources are supported by the UME:
   Choose the correct answer(s).
   □ A Database
   □ B File system
   □ C ABAP user management
   □ D Directory service

2. What is the purpose of the data partitioning of the UME?

3. You can lock users with the UME administration console.
   Determine whether this statement is true or false.
   □ True
   □ False

4. You can assign permissions directly to users in the UME administration console.
   Determine whether this statement is true or false.
   □ True
   □ False

5. The term JEE security role is another name for a UME role.
   Determine whether this statement is true or false.
   □ True
   □ False

6. If the emergency user (SAP*) is activated, the administration user (Administrator, J2EE_ADMIN or J2EE_ADMIN_) can also log onto AS Java.
   Determine whether this statement is true or false.
   □ True
   □ False

Answers

1. Which of the following data sources are supported by the UME:
   Answer: A, C, D
   These three types of data source are available for the UME.

2. What is the purpose of the data partitioning of the UME?
   Answer: The data partitioning allows a distribution of the users or user attributes to different data sources.

3. You can lock users with the UME administration console.
   Answer: True
   The UME administration console allows you to administer users.

4. You can assign permissions directly to users in the UME administration console.
   Answer: False
   Permissions are combined into actions, and the administrator then combines these into roles. UME roles can be assigned to a user.

5. The term JEE security role is another name for a UME role.
   Answer: False
   A JEE security role is part of the JEE standard and is mostly used for a declarative authorization check. A UME role is an (SAP) extension to the JEE standard and is used for a programmable authorization check.

6. If the emergency user (SAP*) is activated, the administration user (Administrator, J2EE_ADMIN or J2EE_ADMIN_) can also log onto AS Java.
   Answer: False
   If the emergency user SAP* is activated then no other users can log onto AS Java.


Unit 5: RFC Connections, Communication and Integration Technologies

Unit Overview
Caution: Some lessons of this unit are distributed as separate training material. The trainer will provide you with the correct order of these lessons.

There is a vast choice of methods for connecting SAP systems with other systems and for optimizing processes within a system. Many of the available technologies are briefly introduced in this unit, and you should get an idea of the various uses for each. In this unit, you learn about remote connections, also known as Remote Function Calls (RFC). As well as the various options for using RFC, you will learn about the technical setup for connections of this type.

Unit Objectives
After completing this unit, you will be able to:
• Explain the principle of the Remote Function Call
• List the different types of Remote Function Call
• Set up an RFC connection

Unit Contents
Lesson: Fundamentals and Variants for Using RFC ... 286
Exercise 12: Checking RFC Parameters ... 295
Lesson: Setting Up RFC Connections ... 298
Exercise 13: Setting Up Remote Connections ... 305


Lesson: Fundamentals and Variants for Using RFC

Lesson Overview
This lesson will provide an introduction to Remote Function Calls.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain the principle of the Remote Function Call
• List the different types of Remote Function Call

Business Example
SAP systems can communicate with each other using Remote Function Calls. A prerequisite for this is that the administrator has defined the relevant connection.

RFC Fundamentals

Remote Function Calls have been used for many years as the technical interface with which SAP and non-SAP systems are usually connected. It is irrelevant whether data exchange is synchronous or asynchronous, periodic or on demand, or transactional. Many conceivable variants are supported.

Figure 106: RFC Communication and involved components


A “Remote Function Call” (RFC) is, for example, the call of a function module that is to be executed in a local or in a remote SAP system. RFC can also be used for communication with non-SAP software or with programs on the operating system level. During a Remote Function Call (RFC) between instances of an SAP system or between different AS ABAP-based SAP systems, the gateway is always involved. If a dialog work process has to establish an RFC connection to a remote system in the context of a request (for example, to retrieve customer data), it uses a gateway to communicate with the remote system. The local gateway forwards the request to the gateway of the remote system. The remote gateway then transfers the request to the dispatcher, which, in turn, forwards the request to one of its work processes; this work process then communicates directly with its local gateway (without further using the dispatcher). Inbound RFC connections are therefore always received by the gateway, while outbound RFC connections are initiated by the work process.

Note: The RFC interface allows function calls between two SAP systems or between an SAP system and an external non-SAP system. RFC is an SAP interface protocol that is based on the Common Programming Interface for Communication (CPI-C) and allows cross-host communication between programs. This enables external applications to call ABAP functions and SAP systems to contact (RFC-enabled) external applications. RFC means that ABAP programmers do not have to write their own communication routines. For an RFC call, the RFC interface

• converts all parameter data to the format required in the remote system
• calls the communication routines that are required to communicate with the remote system
• handles errors that occur during the communication

The RFC interface is easy for the ABAP programmer to use. The processing steps for calling external programs are integrated into the CALL FUNCTION statement.


Figure 107: RFC Connections

To be able to call a function module on a remote system, you must define the remote system as a destination in your calling system. You also require access authorization for the remote system, as well as the authorization to use RFC functions in the local and in the remote system. You can manage the necessary destinations in the calling system. To do this, switch to the Configuration of RFC Connections screen, either by choosing the menu path Tools → Administration → Administration → Network → RFC Destinations or by calling transaction SM59 directly. The connection types and all existing destinations are displayed in a tree structure on the initial screen. For details about all available connection types, see the documentation on RFC connection types, for example http://help.sap.com/saphelp_nw73/helpdata/en/48/99b996ee2b73e7e10000000a42189b/content.htm. There is a search function for destinations that have already been set up. To search for a destination, choose Search and enter your selection. The system displays a list of all matching entries. You can display all available information for each entry. To change an existing RFC destination, select the relevant RFC destination in the menu tree and then choose Change.

Hint: To copy an existing RFC connection, you need to switch to the edit mode for the RFC connection you want to copy. Then choose Connection → Copy.


Outlook: Common RFC Usage Variants

Synchronous RFC (sRFC): For direct communication between different systems and between SAP NetWeaver AS and SAP GUI.
Asynchronous RFC (aRFC): For direct communication between different systems and for parallel processing of selected tasks.
Transactional RFC (tRFC): For genuine asynchronous communication. Transactional RFC ensures “transaction-like” processing of processing steps that were originally autonomous.
Queued RFC (qRFC): Queued RFC is an extension of tRFC. It also ensures that individual steps are processed in sequence.
Background RFC (bgRFC): bgRFC is the successor to tRFC and qRFC. The use of bgRFC instead of tRFC and qRFC is urgently recommended.

Note: Please be aware that the defined RFC connection (in transaction SM59) can be used in several different ways. How the existing connection is used in detail is decided and implemented by the program code to be executed.

Note: A basic overview of the various RFC types is also available in the documentation: http://help.sap.com/saphelp_nw73/helpdata/de/48/9709f255493987e10000000a421937/frameset.htm.

“RFC” is a superordinate term for various coding implementation variants. sRFC is the synchronous call of function modules. This means that the client waits until the server has completed its processing. The two systems involved must be accessible at the time of the call. Despite its name, aRFC is not really an asynchronous communication type because it does not fully satisfy the conditions for this type of communication. Consequently, the called system must be available during the call (similar to sRFC). Directly after the call, however, control returns to the calling program. aRFC is always recommended if real-time communication is established with a remote system, where processing in the calling program should not be interrupted until the results of the called function module have been obtained (the term asynchronous is used in this sense here). Both systems involved must be available at the time of the call.


Unlike aRFC, transactional RFC (tRFC, previously also known as asynchronous RFC) is a genuine asynchronous communication method that executes the called function module just once in the RFC server. The remote system does not need to be available when the RFC client program executes a tRFC. The tRFC component stores the called RFC function, together with the corresponding data, in the SAP database under a unique transaction ID (TID). If a call is sent while the receiving system is unavailable, the call remains in the local queue. The calling dialog program can proceed without waiting to see whether or not the function module was successful. If the receiving system does not become active within a certain amount of time, the call is scheduled as a background job.

tRFC is always used if a function is to be executed as a Logical Unit of Work (LUW). Within a LUW, all calls
• are executed in the sequence in which they are called,
• are executed in the same program context in the target system, and
• are executed in a single transaction, that is, they are either fully written to the database (known as a COMMIT) or fully reset (known as a ROLLBACK).

tRFC is always recommended if you want to ensure the transactional sequence of the calls.

Disadvantages of tRFC: tRFC processes all LUWs independently of one another. Due to the number of activated tRFC processes, this procedure can significantly reduce performance in both the sending system and the target system. In addition, the sequence of LUWs defined in the application cannot be retained. Consequently, there is no guarantee that the transactions will be executed in the sequence specified by the application program. The only guarantee is that all LUWs are transferred sooner or later.

To guarantee that multiple LUWs are processed in the sequence specified by the application, tRFC can be serialized using (inbound or outbound) queues. This type of RFC is known as queued RFC (qRFC), which is an extension of tRFC. qRFC transfers an LUW (transaction) only if it has no predecessors in the participating queues (the sequence being defined by the application programs involved). qRFC is always recommended if you want to ensure that various transactions are processed in a specified sequence.

bgRFC is the successor to tRFC and qRFC, with significant improvements in terms of performance and functional capability. Consequently, SAP urgently recommends using bgRFC instead of tRFC and qRFC. See the documentation for detailed information.
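
The following is an added example, not code from the course or from SAP: a constructed Python model of the delivery semantics described above. It shows the three behaviours the text names: the receiver remembers each TID so a retried LUW is acknowledged without being executed a second time, plain tRFC delivers independent LUWs in whatever order the target becomes reachable, and qRFC holds an LUW back while an older LUW of the same queue is still undelivered (which is what a hanging queue in SMQ1 looks like). Class and function names are the example's own; the real tRFC/qRFC scheduler is far more elaborate.

```python
"""Added example (not SAP code): a constructed model of tRFC and qRFC delivery
semantics, showing the TID-based exactly-once behaviour, the loss of LUW
ordering under plain tRFC, and the queue blocking that qRFC adds."""
import itertools
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class LUW:
    tid: str                       # unique transaction ID stored with the LUW
    calls: List[str]               # function modules of the LUW, in call order
    queue: Optional[str] = None    # qRFC queue name; None means plain tRFC


class RfcServer:
    """Receiving system. It remembers processed TIDs so that a retried LUW is
    acknowledged without being executed a second time."""

    def __init__(self) -> None:
        self.available = True              # False simulates an unreachable target
        self.lose_acknowledgement = False  # True simulates a lost reply after execution
        self.processed_tids: Set[str] = set()
        self.executed: List[str] = []      # function modules actually run, in order

    def receive(self, luw: LUW) -> bool:
        if not self.available:
            return False
        if luw.tid not in self.processed_tids:
            self.executed.extend(luw.calls)  # one transaction: all calls or none
            self.processed_tids.add(luw.tid)
        return not self.lose_acknowledgement


class RfcClient:
    """Sending system. LUWs are stored under their TID before any send attempt."""

    def __init__(self, server: RfcServer) -> None:
        self.server = server
        self.pending: List[LUW] = []
        self._tids = itertools.count(1)

    def commit_luw(self, calls: List[str], queue: Optional[str] = None) -> LUW:
        luw = LUW(tid=f"TID{next(self._tids):04d}", calls=calls, queue=queue)
        self.pending.append(luw)
        self._try_deliver(luw)             # sent at COMMIT WORK if nothing prevents it
        return luw

    def _try_deliver(self, luw: LUW) -> bool:
        if luw.queue is not None:
            for older in self.pending:     # qRFC: wait for predecessors in the same queue
                if older is luw:
                    break
                if older.queue == luw.queue:
                    return False
        if self.server.receive(luw):
            self.pending.remove(luw)
            return True
        return False                       # stays stored; retried by the scheduler

    def run_scheduler(self) -> None:
        """One pass of the retry job over the stored LUWs, in storage order."""
        for luw in list(self.pending):
            self._try_deliver(luw)

    def hanging_queues(self) -> Set[str]:
        """Queues that still hold undelivered LUWs (what SMQ1 would show as hanging)."""
        return {luw.queue for luw in self.pending if luw.queue is not None}


def demo_trfc_reordering() -> List[str]:
    server = RfcServer()
    client = RfcClient(server)
    server.available = False
    client.commit_luw(["POST_INVOICE"])    # target down: stored, to be retried
    server.available = True
    client.commit_luw(["POST_PAYMENT"])    # independent LUW, delivered immediately
    client.run_scheduler()                 # retry delivers the older LUW last
    return server.executed                 # ['POST_PAYMENT', 'POST_INVOICE']


def demo_trfc_exactly_once():
    server = RfcServer()
    client = RfcClient(server)
    server.lose_acknowledgement = True
    client.commit_luw(["CREATE_ORDER"])    # executed, but the client sees a failure
    server.lose_acknowledgement = False
    client.run_scheduler()                 # retry is acknowledged, not re-executed
    return server.executed, client.pending # (['CREATE_ORDER'], [])


def demo_qrfc_ordering():
    server = RfcServer()
    client = RfcClient(server)
    server.available = False
    client.commit_luw(["POST_INVOICE"], queue="FI_DOCS")
    server.available = True
    client.commit_luw(["POST_PAYMENT"], queue="FI_DOCS")  # blocked behind predecessor
    hanging = client.hanging_queues()      # {'FI_DOCS'}
    client.run_scheduler()                 # predecessor first, then the follower
    return hanging, server.executed        # ({'FI_DOCS'}, ['POST_INVOICE', 'POST_PAYMENT'])
```

The qRFC demo is also the reason SMQ1 matters operationally: one LUW that keeps failing stops every later LUW of the same queue, so a monitoring gap there is a backlog, not just one lost call.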

290

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

2013/Q1

Configuring System Resources for RFC
To ensure optimum RFC functional capability, you must maintain various system parameters that, for example, specify the maximum number of work processes that can be occupied by RFC.

Figure 108: Configuration of RFC Resources

A prerequisite for the resource check is that the parameter rdisp/rfc_use_quotas is set to the value 1.

Caution: The following information about profile parameters and their default values can differ depending on the release. The values mentioned were determined on an AS ABAP 7.31 system and have also been valid in older releases for many years.

Resources can be assigned from the following areas:

Logons to the SAP System
A total of rdisp/tm_max_no users can be logged on to the server simultaneously (default value: 200). If rdisp/rfc_max_login percent (default value: 90 [%]) of the maximum number of possible users are logged on, no more RFC logons can be accepted. A single RFC user can occupy a maximum of rdisp/rfc_max_own_login percent of the logon slots (rdisp/tm_max_no) (default value: 25 [%]).

RFC Requests in the Dialog Queue
The dialog queue of the dispatcher contains rdisp/elem_per_queue entries (default value: 2000), of which a maximum of rdisp/rfc_max_queue percent can be filled by RFC requests (default value: 5 [%]).

Entries in the Communication Table
The communication table contains one entry for every occurrence of CPIC communication for all parties involved. The table can contain a maximum of rdisp/max_comm_entries entries (default value: 500), of which a maximum of rdisp/rfc_max_comm_entries percent can be occupied for RFC communication (default value: 90 [%]).

Dialog Work Processes
When you start the server, it has rdisp/wp_no_dia dialog work processes (default value: 2). However, you can change this number while the server is running. One way to do this is operation mode switching; another is to add dynamic work processes. The dispatcher keeps rdisp/rfc_min_wait_dia_wp of the dialog work processes free for “genuine” dialog requests (not RFC) (default value: 1). In addition, a single user can occupy a maximum of rdisp/rfc_max_own_used_wp percent of the dialog work processes (default value: 75 [%]).

Server-Side Dispatcher Check
The dispatcher checks whether it has free resources for each RFC request it receives. If it has, it assigns the request to a dialog work process. Otherwise, it places the request in the dispatcher queue. You can use the parameter rdisp/rfc_check to control the level of detail for this check (default value: 2).

Note: See http://help.sap.com/saphelp_nw73ehp1/helpdata/en/91/1f1c0e4bab47cd992395e27ca928da/frameset.htm for a comprehensive graphical explanation of many of these parameters.

Overview of All RFC Resources in the SAP System
You can use transaction SARFC (alternatively the program RSARFCLD) to monitor the resources on all servers in the SAP system and to change the parameters dynamically.

Note: The settings you make using this transaction are only valid for the instance on which you are logged on, and they will be lost again with the next start of the instance. The parameter settings from the profile file will then be used again.
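
As an added example (not SAP code and not part of the course), the following Python script turns the percentage parameters above into the absolute limits an instance actually enforces, using the default values quoted in the text for any parameter the profile does not set. It reads a constructed instance-profile excerpt; the rounding by integer division is a simplification and is marked as an assumption in the code. It is the kind of check worth running before blaming an interface for "no free RFC resources".

```python
"""Added example (not SAP code): derive the effective RFC quotas of an instance
from its profile, using the default values quoted in the course text."""
from typing import Dict, List, Tuple

# Defaults as stated in the course text for an AS ABAP 7.31 system
DEFAULTS: Dict[str, int] = {
    "rdisp/tm_max_no": 200,
    "rdisp/rfc_max_login": 90,
    "rdisp/rfc_max_own_login": 25,
    "rdisp/elem_per_queue": 2000,
    "rdisp/rfc_max_queue": 5,
    "rdisp/max_comm_entries": 500,
    "rdisp/rfc_max_comm_entries": 90,
    "rdisp/wp_no_dia": 2,
    "rdisp/rfc_min_wait_dia_wp": 1,
    "rdisp/rfc_max_own_used_wp": 75,
}
PERCENT_PARAMS = ("rdisp/rfc_max_login", "rdisp/rfc_max_own_login", "rdisp/rfc_max_queue",
                  "rdisp/rfc_max_comm_entries", "rdisp/rfc_max_own_used_wp")

# Constructed instance profile excerpt (not taken from a real system)
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = DEV
INSTANCE_NAME = D00
rdisp/wp_no_dia = 10
rdisp/tm_max_no = 500            # more logon slots than the default
rdisp/rfc_use_quotas = 1
rdisp/rfc_min_wait_dia_wp = 1
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Read 'key = value' lines; '#' starts a comment, as in SAP profile files."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = value
    return params


def effective_rfc_quotas(params: Dict[str, str]) -> Tuple[Dict[str, int], List[str]]:
    """Absolute limits that follow from the percentage parameters, plus a list of
    configuration problems. Integer division is a simplification of the
    dispatcher's rounding (assumption)."""
    def num(key: str) -> int:
        return int(params.get(key, DEFAULTS[key]))

    findings: List[str] = []
    if params.get("rdisp/rfc_use_quotas") != "1":
        findings.append("rdisp/rfc_use_quotas is not 1: the RFC resource check is not active")
    for key in PERCENT_PARAMS:
        if not 0 <= num(key) <= 100:
            findings.append(f"{key} = {num(key)} is not a valid percentage")
    if num("rdisp/rfc_min_wait_dia_wp") >= num("rdisp/wp_no_dia"):
        findings.append("rdisp/rfc_min_wait_dia_wp reserves every dialog work process: "
                        "RFC requests cannot be processed on this instance")

    quotas = {
        "max_rfc_logons": num("rdisp/tm_max_no") * num("rdisp/rfc_max_login") // 100,
        "max_rfc_logons_per_user": num("rdisp/tm_max_no") * num("rdisp/rfc_max_own_login") // 100,
        "rfc_entries_in_dialog_queue": num("rdisp/elem_per_queue") * num("rdisp/rfc_max_queue") // 100,
        "rfc_entries_in_comm_table": num("rdisp/max_comm_entries") * num("rdisp/rfc_max_comm_entries") // 100,
        "dialog_wps_available_to_rfc": max(num("rdisp/wp_no_dia") - num("rdisp/rfc_min_wait_dia_wp"), 0),
        "dialog_wps_per_rfc_user": num("rdisp/wp_no_dia") * num("rdisp/rfc_max_own_used_wp") // 100,
    }
    return quotas, findings


def analyse(profile_text: str) -> Tuple[Dict[str, int], List[str]]:
    """Convenience wrapper: profile text in, (quotas, findings) out."""
    return effective_rfc_quotas(parse_profile(profile_text))


if __name__ == "__main__":
    quotas, findings = analyse(SAMPLE_PROFILE)
    for name, value in quotas.items():
        print(f"{name:30} {value}")
    for finding in findings:
        print("FINDING:", finding)
```

With the constructed profile (10 dialog work processes, 500 logon slots) the script reports 450 RFC logons in total, 125 per user, 100 RFC entries in the dialog queue, 450 in the communication table, 9 dialog work processes usable by RFC and 7 per RFC user. Compare the numbers with what SARFC shows for the running instance; a difference means someone changed values dynamically and they will revert at the next restart.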

Monitoring RFC Activities
We will now briefly discuss some of the various monitoring and troubleshooting tools available for RFC communication:

Server Resources (SARFC): Displays the RFC resources currently available to all application servers. You can also dynamically change RFC parameters here.

Transactional RFC (SM58): Tools → Administration → Monitor → Transactional RFC. This tool lists those transactional RFCs that could not be carried out successfully or had to be scheduled as background jobs. The list contains the LUW ID and the corresponding error message from the target system.

qRFC Monitor for the Outbound Queue (SMQ1): Here, you can monitor the status of your LUWs in the outbound queue and manually start any queues that hang.

qRFC Monitor for the Inbound Queue (SMQ2): Here, you can monitor the status of your LUWs in the inbound queue.

Gateway Monitor (SMGW): The Gateway Monitor is used to analyze and manage the gateway in the SAP system.

bgRFC Monitor (SBGRFCMON): You can use the bgRFC Monitor to display the units recorded for the bgRFC. One unit comprises one or more function modules that need to be processed as an indivisible unit.

RFC Server Groups and Parallel Processing with aRFC/bgRFC
aRFC/bgRFC can be used in application development, for example, to simultaneously process background tasks in more than one work process, thus considerably reducing the application's runtime. To achieve an even load balancing in the target system, you can define a group of application servers as an RFC server group. For each RFC server group, you can also maintain separate values for RFC resource parameters. RFC server groups are created in a similar way to logon groups. To do this, choose Extras → RFC Groups in transaction SM59.

Exercise 12: Checking RFC Parameters

Exercise Objectives
After completing this exercise, you will be able to:
• Display the parameters for RFC communication

Business Example
SAP systems can communicate with each other using Remote Function Calls. A prerequisite for this is that the administrator has set up the relevant interface system.

Task: Display RFC Parameters
Display the current RFC parameter values.
1. Log on to the SAP system and use transaction SARFC to determine the current RFC parameter values for all instances. Alternatively, call transaction RSPFPAR.

Solution 12: Checking RFC Parameters

Task: Display RFC Parameters
Display the current RFC parameter values.
1. Log on to the SAP system and use transaction SARFC to determine the current RFC parameter values for all instances. Alternatively, call transaction RSPFPAR.
   a) Call transaction SARFC.
   b) Double-click an instance.
   c) You can view the current parameter values in the dialog box.
   d) Alternatively, start the transaction RSPFPAR.
   e) Enter the value rdisp/rfc* in the Profile Parameters field.
   f) Choose Execute (F8).

Lesson Summary
You should now be able to:
• Explain the principle of the Remote Function Call
• List the different types of Remote Function Call

Related Information
SAP Library for SAP NetWeaver 7.3 EHP1 (at http://help.sap.com): SAP NetWeaver → SAP NetWeaver 7.3 Including Enhancement Package 1 → Application Help → Function-oriented View; choose your language, then follow Application Server → Application Server Infrastructure → Connectivity → Components of SAP Communication Technology → Classic SAP Technologies (ABAP) → RFC → RFC-Administration: RFC Administration

Further information:
SAP Note 74141: Resource Management for tRFC and aRFC
SAP Note 593058: New RFC load balancing procedure
SAP Note 597583: Performance improvement using RFC parallel processing
SAP Note 986373: RFC load distribution

Lesson: Setting Up RFC Connections

Lesson Overview
In this lesson, you will learn how to set up a remote connection.

Lesson Objectives
After completing this lesson, you will be able to:
• Set up an RFC connection

Business Example
As part of an e-commerce scenario, functions from different SAP systems must be linked with each other. Order data, for example, is to be further processed in another system.

Remote Connections
To create a new RFC destination, choose the Create pushbutton in transaction SM59 (Tools → Administration → Administration → Network → RFC Destinations). The system displays a new screen with empty fields, some of which are required entry fields.

Figure 109: Setting Up an RFC Connection

The system opens the dialog for creating a new RFC destination. Enter a destination name, the connection type 3, and a short description. Choose Save. The system saves all your entries and switches to the technical settings screen. Alternatively, you can also choose Return here, but your entries will not be saved if you do so. Enter the target host and the system number (instance number) of the remote system in the relevant fields and choose Save (CTRL+S).

Hint: The instance number is determined and used to obtain the relevant sapgw$$ service for communication with the target system gateway. This service is contained in the services file of the operating system, and the communication port is defined there. Example: If the instance number is 11, the service is sapgw11 and the port is 3311.

To simplify the logon to the remote system, you can store a client, user name, and password for logging on to the target system on the Logon & Security tab page. Do not use your own user data here, but rather general user data, as every user (with the appropriate RFC authorizations) can use the RFC destination that you create. For security reasons, you should generally leave the User and Password fields empty, or you should enter a communication user with very restrictive authorizations (that is, adjusted to your requirements). If you leave the fields empty, the system displays a logon prompt when you later open a connection; in the second case, dialog logons to the system are not possible, although programs can use the connection to communicate. This requires a careful assignment of authorizations for non-SAP GUI-enabled users.

Note: The PW Status field informs you whether you have already stored a password in the masked Password field or not.

Caution: Make sure you make an entry in the Client field, for the following reasons in particular:
1. Without specifying a target client, it may be the case that your defined RFC connection cannot be used as you expect, in spite of the connection having been tested successfully. If this is the case, it is fairly difficult to find the cause of the error, since the error messages do not point to the missing entry in the Client field.
2. As you can see, RFC connections between ABAP-based SAP systems always target a certain client. Thus, they do not communicate “with a particular system”, but rather “with a selected client in a particular system”.
3. Strictly speaking, you communicate with a single instance of the remote system when the connection is established, even if you let that instance be determined through logon group-based load balancing.

Hint: RFC connections can always be used across the entire system. This means that an RFC connection you have defined in client 000 can also be used from client 100 (without any difference).

Information concerning the target system code page is stored on the Unicode tab page. Perform a Unicode test to check whether the target system is a Unicode system. For the calling system, you can check this under System → Status. If the target system is a Unicode system, you must select the Unicode option for the destination. Otherwise, errors may occur when exchanging data or during other means of communication.
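
The points above (store no personal or dialog user in a destination, always fill the Client field, keep the Unicode option in line with the target, derive the gateway service from a two-digit instance number) can be checked mechanically. The script below is an added example, not SAP code: it reviews constructed type-3 destination records and reports each deviation. The Destination class, the user-type lookup (assumed to be exported from the target system's user administration) and the reviewer's user name are assumptions of the example, not fields of SM59.

```python
"""Added example (not SAP code): review SM59 destination definitions of
connection type 3 against the points made in the text."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Destination:
    name: str
    target_host: str
    system_number: str              # instance number of the remote system, two digits
    client: str = ""                # Client field on the Logon & Security tab
    user: str = ""                  # stored logon user; empty means a logon prompt
    password_stored: bool = False   # what SM59 shows in the PW Status field
    unicode: bool = False           # Unicode option on the Unicode tab
    conn_type: str = "3"            # 3 = connection to an ABAP system


def expected_gateway_service(system_number: str) -> Tuple[str, int]:
    """sapgw$$ service name and the conventional port 33$$ for an instance number."""
    if not (len(system_number) == 2 and system_number.isdigit()):
        raise ValueError(f"instance number must be two digits, got {system_number!r}")
    return f"sapgw{system_number}", 3300 + int(system_number)


def review_destination(dest: Destination, user_types: Dict[str, str],
                       target_is_unicode: bool, reviewer_user: str) -> List[str]:
    """Findings for one destination. user_types maps a user name to its user type
    in the target system (assumed to be exported from there); reviewer_user is the
    administrator who defines the destination."""
    findings: List[str] = []
    if dest.conn_type != "3":
        return [f"{dest.name}: only connection type 3 is reviewed here"]
    if not dest.client:
        findings.append(f"{dest.name}: Client field is empty; the connection test may succeed "
                        "although calls through the destination fail")
    try:
        expected_gateway_service(dest.system_number)
    except ValueError as exc:
        findings.append(f"{dest.name}: {exc}")
    if dest.user:
        if dest.user == reviewer_user:
            findings.append(f"{dest.name}: stores the administrator's own user; "
                            "use a dedicated communication user instead")
        if dest.password_stored and user_types.get(dest.user) == "dialog":
            findings.append(f"{dest.name}: stored password for dialog user {dest.user}; every "
                            "user with RFC authorization for this destination can log on "
                            "interactively with it")
    if dest.unicode != target_is_unicode:
        findings.append(f"{dest.name}: Unicode option ({dest.unicode}) does not match the "
                        f"target system ({target_is_unicode}); data exchange errors are likely")
    return findings


# Constructed sample data (not from a real landscape)
USER_TYPES = {"RFC_ECC_COMM": "communication", "ADMIN01": "dialog"}
GOOD = Destination("ECC_100_PAS", "ecc-pas.example", "00", client="100",
                   user="RFC_ECC_COMM", password_stored=True, unicode=True)
BAD = Destination("ECC_PAS", "ecc-pas.example", "0",
                  user="ADMIN01", password_stored=True, unicode=False)

if __name__ == "__main__":
    for dest in (GOOD, BAD):
        for line in review_destination(dest, USER_TYPES, True, "ADMIN01") or [f"{dest.name}: ok"]:
            print(line)
```

The BAD record trips all five checks; the GOOD one passes because it stores a communication user, names the client and matches the target's Unicode setting. A stored communication user is still a credential that every RFC-authorized user can exercise, which is why the text asks for very restrictive authorizations on that user.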

Figure 110: Testing RFC Connections

You have three options for testing a destination:
• You can attempt to log on to the remote system. To do this, choose Remote Login. A new session opens for the remote system. Enter the client, your user name, and your password. If you have stored a dialog user with password in the connection, a dialog logon is performed. If you have defined a communication user or system user, you can check that the specified password is correct under Utilities → Test → Authorization Test.
• With a connection test (Test Connection button or the menu path Utilities → Test → Connection Test), the system tries to establish a “technical” connection with the target system and then displays a table with response times. If an error message appears, check your settings. This test is a purely “technical” connection test, and only checks whether a partner system can be reached with the specifications you have made.
• During the Unicode test (Unicode Test button or Utilities → Test → Unicode Test), the system checks the “Unicodeness” of the remote SAP system and shows the result of this check.

Figure 111: Maintaining RFC Connections, Further Information

The figure above shows three more topics which might be of relevance to your work.

Authorization for Destination
This field offers an additional option for client-side authorization checks regarding the usage of an existing RFC destination. To use this option, you need the authorization object S_ICF. You grant authorization for the field ICF_FIELD with the value DEST and check for the value of the field ICF_VALUE that you entered in the definition of the RFC destination. For example, you would like to make sure that only users with authorization for ICF_VALUE with the value ECC_PRD are able to use the RFC destinations named (for example) ECC_FI, ECC_CO, and ECC_SD. To reach this goal, you grant authorization for the object S_ICF with the fields ICF_FIELD and ICF_VALUE set to the values DEST and ECC_PRD respectively. Also, within the definitions of those three RFC destinations in transaction SM59, you enter the value ECC_PRD in the field Authorization for Destination. All users with the appropriate authorizations can then use those three RFC destinations.

RFC Load Balancing for Incoming Calls
While defining logon groups in transaction SMLG, you can set the flag Ext. RFC-enabled. The result is that the RFC client system (!) conducts client-side load balancing when using this logon group (defined within the RFC server system). Usually, there is no logon load balancing for follow-up RFC calls by the message server of the RFC server system. This can lead to unwanted load distribution within the RFC server system. Therefore, the RFC client system is able to distribute the load over the available instances if you set the flag described above.

RFC Server Groups
RFC server groups, which can be maintained in transaction RZ12, are only used for internal communication within one SAP system, e.g. when using transaction SGEN. RFC server groups cannot be used for incoming RFC calls that originate outside the local system. For this scenario, you can use logon groups in transaction SMLG.
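
The client-side check behind Authorization for Destination, written out as an added example (not SAP code): a user's S_ICF authorizations are modelled as (ICF_FIELD, ICF_VALUE) pairs, and the three ECC destinations from the text plus one with an empty field are constructed sample data. The treatment of a trailing "*" in the granted value as a prefix match is this example's assumption about authorization-value matching.

```python
"""Added example (not SAP code): the client-side check behind the field
Authorization for Destination, modelled on the S_ICF description in the text."""
from typing import Dict, Iterable, List, Tuple

# Constructed destination definitions: name -> value of Authorization for Destination
DESTINATIONS: Dict[str, str] = {
    "ECC_FI": "ECC_PRD",
    "ECC_CO": "ECC_PRD",
    "ECC_SD": "ECC_PRD",
    "CRM_TEST": "",       # field left empty: no additional check
}


def auth_value_matches(granted: str, required: str) -> bool:
    """Assumption: a granted value of '*' covers everything and a trailing '*'
    covers the prefix; anything else must match exactly."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def may_use_destination(user_s_icf: Iterable[Tuple[str, str]], dest_auth_value: str) -> bool:
    """user_s_icf holds the user's S_ICF authorizations as (ICF_FIELD, ICF_VALUE) pairs.
    Only entries with ICF_FIELD = DEST count for destinations."""
    if not dest_auth_value:
        return True
    return any(field == "DEST" and auth_value_matches(value, dest_auth_value)
               for field, value in user_s_icf)


def usable_destinations(user_s_icf: Iterable[Tuple[str, str]]) -> List[str]:
    """Names of the constructed destinations the user may use, sorted."""
    auths = list(user_s_icf)
    return sorted(name for name, value in DESTINATIONS.items()
                  if may_use_destination(auths, value))


if __name__ == "__main__":
    print(usable_destinations([("DEST", "ECC_PRD")]))   # all four
    print(usable_destinations([("DEST", "ECC_DEV")]))   # only CRM_TEST
```

Note what the empty-field case shows: a destination without a value in Authorization for Destination gets no benefit from this check at all, so the field has to be filled on every destination you want to protect, not just on one.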

Exercise 13: Setting Up Remote Connections

Exercise Objectives
After completing this exercise, you will be able to:
• Create a remote connection

Business Example
As an administrator, you are to set up remote connections to other systems.

Task 1: Create and Test a Remote Connection
Set up a remote connection.
1. Set up a remote connection to the client 100 of the Primary Application Server (PAS) of your partner (SAP ECC) system. Use the following naming convention: Name of the RFC destination to be created: SID of the target system_Client_PAS, e.g. SID_100_PAS. Do not specify any user data. Perform a remote logon.

Result
You have now successfully created an RFC connection to the Primary Application Server of your partner system.

Task 2: Create and Test a Remote Connection with Logon Data
Set up another remote connection, this time with the specification of a logon group and logon data.
1. Set up a remote connection to the client 100 of your partner (SAP ECC) system. Make use of load balancing by using a logon group. For the logon group for load balancing, you can use the logon group that your partner group possibly created in the target system in an earlier exercise in this course; otherwise use the logon group SPACE. Once again, do this in consultation with your partner group. Use the following naming convention: __, e.g. SID_100_SPACE. In addition, specify user data for logging on to the target system. Use for this purpose your own course user (which may still have the initial password in the partner system). Test whether the logon data you have defined is correct. Then perform a Remote Logon.

Result
You have now successfully created an RFC connection using a logon group and logon data.

Solution 13: Setting Up Remote Connections

Task 1: Create and Test a Remote Connection
Set up a remote connection.
1. Set up a remote connection to the client 100 of the Primary Application Server (PAS) of your partner (SAP ECC) system. Use the following naming convention: Name of the RFC destination to be created: SID of the target system_Client_PAS, e.g. SID_100_PAS. Do not specify any user data. Perform a remote logon.
   a) Start the function Configuration of RFC Connections. To do this, choose Tools → Administration → Administration → Network → RFC Destinations (transaction SM59).
   b) Choose Create.
   c) Enter the RFC destination: “SID_100_PAS”.
   d) Choose Connection Type 3.
   e) Enter the Description 1: Connection to the Primary Application Server.
   f) Choose Save.
   g) Enter the following technical settings.
   h) Target Host: here, enter the host on which your partner system is running (for example, twdf9999.wdf.sap.corp).
   i) Enter the appropriate System Number, e.g. 00 or 10.
   j) Choose Save (CTRL+S).
   k) Switch to the Unicode tab.
   l) Select the Unicode option.
   m) Confirm the information dialog box.
   n) Choose Save.
   o) Perform the Unicode Test.
   p) Then choose Remote Logon on the entry screen of SM59.
   q) The logon screen for the target system should open in a new session.
   r) Log on to the system, for example, as user -##; possibly your initial password is still valid on the remote system. Once you have successfully logged on, log off again.

Result
You have now successfully created an RFC connection to the Primary Application Server of your partner system.

Task 2: Create and Test a Remote Connection with Logon Data
Set up another remote connection, this time with the specification of a logon group and logon data.
1. Set up a remote connection to the client 100 of your partner (SAP ECC) system. Make use of load balancing by using a logon group. For the logon group for load balancing, you can use the logon group that your partner group possibly created in the target system in an earlier exercise in this course; otherwise use the logon group SPACE. Once again, do this in consultation with your partner group. Use the following naming convention: __, e.g. SID_100_SPACE. In addition, specify user data for logging on to the target system. Use for this purpose your own course user (which may still have the initial password in the partner system). Test whether the logon data you have defined is correct. Then perform a Remote Logon.
   a) Start the function Configuration of RFC Connections. To do this, choose Tools → Administration → Administration → Network → RFC Destinations (transaction SM59).
   b) Choose Create.
   c) Enter the RFC Destination: _100_SPACE.
   d) Choose Connection Type: 3.
   e) Enter the Description 1: Load-balanced connection to the partner system with logon data.
   f) Choose Save (CTRL+S).
   g) Choose Test connection to check whether the logon group you have entered also exists in the target system.
   h) Specify the following data on the Logon & Security tab page:
      Client: 100
      User:
      Password: the password for the user entered.
   i) Choose Save to save your entries.
   j) Confirm the information dialog box.
   k) Switch to the Unicode tab.
   l) Select the Unicode flag.
   m) Confirm the information dialog box and choose Save.
   n) Perform the Unicode test.
   o) Choose Utilities → Test → Authorization Test to check whether the logon data you have defined is correct.
   p) Choose Remote Logon.
   q) If you can log on to the other system, the logon data of the dialog user you have defined is correct. If you get an error message, either the logon data you have defined is not correct or the technical connection data needs to be revised.

Result
You have now successfully created an RFC connection using a logon group and logon data.

Lesson Summary
You should now be able to:
• Set up an RFC connection

Unit Summary
You should now be able to:
• Explain the principle of the Remote Function Call
• List the different types of Remote Function Call
• Set up an RFC connection

Test Your Knowledge
1. To connect two SAP systems by RFC, you require an __________ in each system (this automatically exists) and an explicitly defined __________ from one system to the other.
   Fill in the blanks to complete the sentence.

Answers
1. To connect two SAP systems by RFC, you require an RFC interface in each system (this automatically exists) and an explicitly defined RFC connection from one system to the other.
   Answer: RFC interface, RFC connection
   The basic requirement is the RFC interface, which is in the protocol stack of every SAP system. You must also set up a connection from the calling system to the called system (transaction SM59).

Unit 6: Java Connector and Destinations

Unit Overview
This unit describes various communication options of AS Java with other systems. The focus is on the first lesson, which gives an overview of the communication options and takes a look at “Destinations” and the “JCo RFC Provider”. In the appendix, there is a brief overview of the Java Connector Architecture from the management view.

Unit Objectives
After completing this unit, you will be able to:
• List some communication paths
• Maintain connections of the destination service
• Maintain JCo RFC connections
• Locate the JCA Connection Factories of the SAP Java Resource Adapter
• Maintain parameters of a JCA Connection Factory of the SAP Java Resource Adapter
• Create a new JCA Connection Factory for the SAP Java Resource Adapter

Unit Contents
Lesson: Connections to other Systems ......................................316
Exercise 14: Connections to other Systems ............................321
Lesson: Appendix: Connections to other Systems with the Java Connector Architecture ..........332
Exercise 15: Optional: Connections to other Systems with the Java Connector Architecture ..........337

Lesson: Connections to other Systems

Lesson Overview
Connections to other systems can be established in different places. In this lesson you will learn about the most important places where such connections can be maintained.

Lesson Objectives
After completing this lesson, you will be able to:
• List some communication paths
• Maintain connections of the destination service
• Maintain JCo RFC connections

Business Example
You are using the SAP NetWeaver AS Java and you want to get to know the most important options for communication paths.

Connection Options between AS Java and EIS
There are different connection options that an AS Java can use for an Enterprise Information System (EIS). The type of connection option also depends, for example, on the EIS. As examples, we will mainly take a look at AS Java or AS ABAP systems as the EIS in this lesson.

Figure 112: Connections between AS Java and EIS

An AS Java can open outbound connections directly from an application or the connection can be established by a service. One of these services is the destination service, which we will take a closer look at in this lesson. Direct connections of applications to an EIS are covered in the appendix of this unit; the type of connection depends on the corresponding adapter. Applications can use connections to an EIS via services. Likewise, services can use the connections of other services.

Figure 113: Connection of Services between AS Java and EIS

The destination service can administer both HTTP and RFC connections to an EIS. Connections to SAP systems with AS ABAP are mostly of the type RFC, whereas connections to an SAP system with AS Java are mostly of the type HTTP. In an SAP system with AS ABAP and Java (dual stack), the type of connection depends on whether the connection is opened primarily for the AS Java or the AS ABAP. After the installation, some entries (for example, for the connection to the SLD) have already been created in the destination service. You can create and maintain destinations in the NWA under Configuration → Infrastructure → Destinations. You define the communication type HTTP or RFC when you create a new destination.

In a connection of the type HTTP, the connection to the EIS and the service that is to be addressed are determined via a URL. If the EIS is an AS ABAP that is to be addressed via HTTP, the SID, client, and language of the target system can be defined in the destination data. In the Logon Data, different authentication mechanisms, such as “entering user and password”, “X.509 certificate”, “assertion ticket”, “logon ticket”, or “user mapping”, can be set up.

Hint: With regard to the security guidelines, you should check whether you can use user/password as an authentication method or, better still, another authentication method, “assertion ticket” for example.

In connections of the type RFC, the target server (Target Host), instance number (System Number), SID, and data with regard to the gateway are specified. RFC connections always require a gateway through which communication takes place. An AS ABAP system is usually involved in an RFC connection. Since each AS ABAP instance contains a gateway, this is used for RFC communication. As of AS Java 7.10, each AS Java Central Services instance contains a gateway, which can also be used for RFC communication. The data with regard to the gateway includes the Gateway Host on which the gateway runs (in most cases, it is identical to the target server specification if we are talking about an AS ABAP instance) and the Gateway Service, which usually runs on port 33 or can be specified as sapgw (for example, this is port 3310 or sapgw10 for instance number 10 of the target instance). You can also switch between different authentication mechanisms in the logon data. If the RFC trace is activated, trace files of the type jrfc_.trc as well as the developer traces (dev_jrfc.trc) are created at operating system level of the instance in the server directory.

The JCo Provider service is responsible for incoming RFC connections. RFC communication takes place mostly with AS ABAP systems. Since RFC communication takes place via a gateway, the gateway of the AS ABAP instance is mostly used.
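
The gateway resolution described here, and in the SM59 hint earlier in the unit (instance number 11, service sapgw11, port 3311), is shown below as an added example that is not part of the course or of SAP's software. It takes the Gateway Host and Gateway Service values of a destination, falls back to the target host and sapgwNN as the text says, looks the service up in a constructed services-file excerpt, and only then applies the 33NN convention. The excerpt deliberately maps sapgw20 to a non-conventional port to make the point that the services file, not the convention, decides; all host names and entries are constructed.

```python
"""Added example (not SAP code): resolve the gateway host and port an RFC
destination will use from its Gateway Host / Gateway Service fields, consulting
the operating system's services file and falling back to the 33NN convention."""
import re
from typing import Dict, Optional, Tuple

# Constructed services-file excerpt (not from a real host). sapgw20 is mapped
# to a non-conventional port on purpose.
SERVICES_FILE = """\
# service   port/protocol
sapdp10     3210/tcp
sapgw10     3310/tcp
sapgw11     3311/tcp
sapgw20     4920/tcp   # deliberately not 3320
"""


def parse_services(text: str) -> Dict[str, int]:
    """Map TCP service names to ports, ignoring comments and non-TCP entries."""
    ports: Dict[str, int] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        match = re.fullmatch(r"(\d+)/tcp", fields[1])
        if match:
            ports[fields[0]] = int(match.group(1))
    return ports


def resolve_gateway(target_host: str, system_number: str, services: Dict[str, int],
                    gateway_host: Optional[str] = None,
                    gateway_service: Optional[str] = None) -> Tuple[str, int, str]:
    """Return (host, port, how) for the gateway of an RFC destination. Defaults follow
    the text: the gateway host is the target host of the AS ABAP instance and the
    service is sapgwNN for instance number NN."""
    host = gateway_host or target_host
    service = gateway_service or f"sapgw{system_number}"
    if service.isdigit():
        return host, int(service), "port given explicitly"
    if service in services:
        return host, services[service], "services file"
    match = re.fullmatch(r"sapgw(\d{2})", service)
    if match:
        return host, 3300 + int(match.group(1)), "33NN convention (service not in services file)"
    raise ValueError(f"cannot resolve gateway service {service!r}")


SERVICES = parse_services(SERVICES_FILE)

if __name__ == "__main__":
    for host, number in (("abap.example", "10"), ("abap.example", "20"), ("abap.example", "42")):
        print(resolve_gateway(host, number, SERVICES))
```

For instance 10 the result is port 3310 from the services file, for instance 20 it is 4920 (the services file wins), and for instance 42, which the excerpt does not list, the convention yields 3342. The third value of the result tells you which rule applied, which is useful when a firewall rule was written from the convention but the host disagrees.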

Figure 114: Incoming RFC Connections

The AS ABAP is the initiator of RFC communication to the AS Java. The JCo RFC Provider in the AS Java receives the data; therefore, the connection between the JCo Provider and the gateway must already be established. You can maintain the connection to the gateway in the NWA of the AS Java under Configuration → Infrastructure → JCo RFC Provider. You must start the connection to the gateway so that the AS ABAP can use it for communication with the AS Java. The connection to the gateway is established under the Program ID (the name of the JCo RFC Provider).

An RFC destination of connection type “T” (maintained in transaction SM59) must be created in the AS ABAP for communication; the Program ID (name) of the JCo RFC Provider is specified as the “Registered Server Program” for this. The name of the RFC destination in the AS ABAP may differ from the program ID; for reasons of clarity, however, the same name for the program ID and the RFC destination is usually chosen.

The gateway data used to run the communication is specified in the server configuration for the JCo RFC Provider; the number of parallel connections that should be possible for the AS Java via this destination is also specified there (field Server Count). If the option Local JCo Servers is selected, then only one server process in the system is responsible for the communication; this server process establishes the number of connections to the gateway configured in Server Count. If the option Local JCo Servers is deactivated, then each server process opens the number of connections to the gateway configured in Server Count.

The data of the AS ABAP system that is to use this communication path is specified on the tab page Repository Configuration. If the checkbox Use RFC Destination is not selected, then the data for the AS ABAP system is maintained on this tab page. If the checkbox Use RFC Destination is selected, then a destination that was maintained with the destination service is entered and the connection data stored there is used. In this case, too, the Program ID of the JCo RFC Provider is registered in the gateway. Of course, the data of the same gateway must be maintained in the AS ABAP for the RFC destination as for the JCo RFC Provider or the destination service.

Unit 6: Java Connector and Destinations

Exercise 14: Connections to other Systems

Exercise Objectives
After completing this exercise, you will be able to:
• Create and maintain a destination of the type RFC for AS ABAP systems
• Create and maintain a destination of the type HTTP for AS ABAP or AS Java systems
• Create and maintain JCo RFC Providers

Business Example
Your AS Java system requires data from another SAP system or has to transfer data to another SAP system. Your task is to configure the connections to other SAP systems. Your instructor will give you the required system data.

Task 1: Change initial passwords in the Solution Manager system
Change the initial passwords in client 000 and client 100 of the Solution Manager system, if you did not change them already during the training.
1. Log on to the Solution Manager system and change the initial password of your training user in client 000 and client 100.

Task 2: Create Destination of the Type HTTP
Create a destination of the type HTTP to the AS ABAP stack of the Solution Manager system (PSM). Use the URL http://.wdf.sap.corp:8080/sap/bc/ping.
Hint: For an HTTP connection to an AS ABAP system you have to enter System ID, Client and Language. For an HTTP connection to an AS Java system you must not enter System ID, Client and Language.
1. Call the NWA and switch to destination maintenance.
2. Create the destination AS_ABAP_Ping for the Solution Manager system. Use the Solution Manager system on the server where your AS Java is installed. The URL http://.wdf.sap.corp:8080/sap/bc/ping to the AS ABAP requires user authentication. Use your course user in client 100 of the Solution Manager system (PSM) for the authentication.

Task 3: Create Destination of the type RFC without Load Balancing
Create a destination of the type RFC without load balancing and without Local System Connection for the SAP Solution Manager (PSM) system on your server.
1. Call the NWA and switch to destination maintenance.
2. Create a destination without load balancing and without Local System Connection with the name Group_RZ20_SolMan ( stands for your group number) for client “000” of the Solution Manager system on your server. Your instructor will give you the system data.

Task 4: Create and Start JCo RFC Providers
Create a JCo RFC Provider with the name SAP.CCMS.J2EE. ( stands for the system ID of your system) for the SAP Solution Manager system on your server. To do so, use the destination “Group_RZ20_SolMan” that you created in the task “Create Destination of the type RFC without Load Balancing”.
1. Call the NWA and switch to maintenance of the JCo RFC Provider.
2. Create a JCo RFC Provider with the name SAP.CCMS.J2EE. ( stands for the system ID of your system) and start it. The connection should go to client “000” of the Solution Manager system of your server. You have already maintained the connection data in the task Create Destination of the type RFC without Load Balancing in the destination “Group_RZ20_SolMan”; therefore, use this destination.

Task 5: Optional: Check your JCo RFC Provider Connection to the Gateway
Log on to the central instance of the Solution Manager system and check whether your JCo RFC Provider is registered with the gateway of the Solution Manager system.
1. Log on with your user in client 100 of the central instance (instance number 80) of the Solution Manager system and use transaction SMGW or the report RSGWREGP to check whether your JCo RFC Provider is registered with the gateway.

Task 6: Optional: Create Destination of the type RFC with Load Balancing
Create a destination of the type RFC with load balancing for the SAP Solution Manager system (PSM) that is installed on your server.
1. Call the NWA and switch to destination maintenance.
2. Create a destination with the name Group_to_SolMan ( stands for your group name) for client “000” of the Solution Manager system that is used in your course. Use SPACE as the logon group. Your instructor will give you the system data.

Solution 14: Connections to other Systems

Task 1: Change initial passwords in the Solution Manager system
Change the initial passwords in client 000 and client 100 of the Solution Manager system, if you did not change them already during the training.
1. Log on to the Solution Manager system and change the initial password of your training user in client 000 and client 100.
a) Log on to client 000 with your course user. You will be prompted to change the initial password.
b) Log on to client 100 with your course user. You will be prompted to change the initial password.

Task 2: Create Destination of the Type HTTP
Create a destination of the type HTTP to the AS ABAP stack of the Solution Manager system (PSM). Use the URL http://.wdf.sap.corp:8080/sap/bc/ping.
Hint: For an HTTP connection to an AS ABAP system you have to enter System ID, Client and Language. For an HTTP connection to an AS Java system you must not enter System ID, Client and Language.
1. Call the NWA and switch to destination maintenance.
a) Follow the menu path Configuration → Infrastructure → Destinations in the NWA.

2. Create the destination AS_ABAP_Ping for the Solution Manager system. Use the Solution Manager system on the server where your AS Java is installed. The URL http://.wdf.sap.corp:8080/sap/bc/ping to the AS ABAP requires user authentication. Use your course user in client 100 of the Solution Manager system (PSM) for the authentication.
a) Choose Create ... and maintain the field Destination Name with the value AS_ABAP_Ping.
b) Enter the value HTTP in the field Destination Type and choose Next.
c) Go to the field URL on the tab page Connection and Transport Security Settings and enter http://.wdf.sap.corp:8080/sap/bc/ping with the host name of the server where your AS Java is installed, for example http://twdf9999.wdf.sap.corp:8080/sap/bc/ping.
d) Connections to an AS ABAP system require information for System ID, Client and Language. Enter the following values in the area Additional Settings for SAP Systems: System ID: PSM, Client: 100, Language: EN. Select Ignore SSL Server Certificates and choose Next.
e) On the tab page Logon Data, choose Basic (User ID and Password) for Authentication, enter your course user and password from the Solution Manager system (PSM) client 100, and choose Finish to save your entry.
f) Check your entries using the push-button Ping Destination. You receive the message: “Successfully connected to HTTP destination AS_ABAP_Ping ...”.

Task 3: Create Destination of the type RFC without Load Balancing
Create a destination of the type RFC without load balancing and without Local System Connection for the SAP Solution Manager (PSM) system on your server.
1. Call the NWA and switch to destination maintenance.
a) Follow the menu path Configuration → Infrastructure → Destinations in the NWA.

2. Create a destination without load balancing and without Local System Connection with the name Group_RZ20_SolMan ( stands for your group number) for client “000” of the Solution Manager system on your server. Your instructor will give you the system data.
a) Create a new destination by choosing Create ....
b) In the step General Data, maintain the name Group_RZ20_SolMan ( stands for your group number) in the field Destination Name for your destination. Use the input help to select the type RFC for the field Destination Type. Choose Next to go to the next step.
c) In the step Connection and Transport Security Settings, select the selection field No for Load Balancing. The checkbox Local System Connection is not selected. Maintain the field System ID with PSM and the field Target Host with the data of your server. Enter the fully qualified host name, for example “twdf0000.wdf.sap.corp”, for Target Host. Enter the instance number of the Solution Manager system (80) in the field System Number. Enter the same value in the field Gateway Host as entered in the field Target Host. Enter sapgw80 in the field Gateway Service, with 80 standing for the instance number that runs on the host specified under “Gateway Host”. Choose Next to go to the next step.
d) In the step Logon Data, use the input help to select the value Technical User for the field Authentication. Enter EN in the field Language. Enter 000 in the field Client. Enter the user name in the field User Name and, in the field Password, the password that your instructor gave you for this user. Choose Finish to save and thus complete your entries.
e) Check your entries using the push-button Ping Destination. You receive the message: “Successfully connected to System ...”.

Task 4: Create and Start JCo RFC Providers
Create a JCo RFC Provider with the name SAP.CCMS.J2EE. ( stands for the system ID of your system) for the SAP Solution Manager system on your server. To do so, use the destination “Group_RZ20_SolMan” that you created in the task “Create Destination of the type RFC without Load Balancing”.
1. Call the NWA and switch to maintenance of the JCo RFC Provider.
a) Follow the menu path Configuration → Infrastructure → Jco RFC Provider in the NWA.
2. Create a JCo RFC Provider with the name SAP.CCMS.J2EE. ( stands for the system ID of your system) and start it. The connection should go to client “000” of the Solution Manager system of your server. You have already maintained the connection data in the task Create Destination of the type RFC without Load Balancing in the destination “Group_RZ20_SolMan”; therefore, use this destination.
a) Create a new JCo RFC Provider by choosing Create.
b) In the step Server Configuration, maintain the name SAP.CCMS.J2EE. ( stands for the system ID of your system) in the field Program ID for your JCo RFC Provider. In the field Gateway Host, enter the same value as in the task “Create Destination of the type RFC without Load Balancing”. In the field Gateway Service, enter the same value as in that task. Change the value of the field Server Count to 4. Choose Next to go to the next step.
c) Select the checkbox Use RFC Destination in the step Repository Configuration. In the field RFC Destination Name, enter the name of the destination from the task “Create Destination of the type RFC without Load Balancing” (Group_RZ20_SolMan with as your group number). Choose Next to go to the next step.
d) In the step Security Settings, do not select the checkbox Use SNC and choose Next to go to the next step.
e) In the step Additional Options, select the checkbox Local JCo Server and choose Next to go to the next step.
f) Check your entries in the step Summary, and choose Finish to save and thus complete your entries.
g) Start the JCo RFC Provider that you just created by selecting it and choosing Start. You receive the message “JCo servers started”.

Task 5: Optional: Check your JCo RFC Provider Connection to the Gateway
Log on to the central instance of the Solution Manager system and check whether your JCo RFC Provider is registered with the gateway of the Solution Manager system.
1. Log on with your user in client 100 of the central instance (instance number 80) of the Solution Manager system and use transaction SMGW or the report RSGWREGP to check whether your JCo RFC Provider is registered with the gateway.
a) Call transaction SMGW and choose Goto → Logged on Clients. Sort by TP Name. You should now find the program ID that you specified for the JCo RFC Provider (for example, SAP.CCMS.J2EE., with standing for the system ID of your system) four times, depending on your entry for Server Count.
b) Alternatively, you can call transaction SA38 and start the program RSGWREGP there. You should now find your program ID (the program ID that you specified for the JCo RFC Provider) under Program ID.
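
An added check for this task and for the Server Count / Local JCo Servers rule explained earlier in the lesson (example code, not part of the SAP course material): it computes how many registrations of the Program ID the gateway should list and compares that with a constructed “Logged on Clients” listing; the last function goes slightly beyond the exercise and lists registered programs you did not configure yourself. The listing layout, the value REGISTER_TP, the made-up system ID J2E and the names JcoProviderConfig, expected_registrations, parse_logged_on_clients, check_provider and unknown_registrations are assumptions of this example.

```python
"""Expected gateway registrations of a JCo RFC Provider (added example).

Models the rule from the lesson: with Local JCo Servers selected, one
server process opens Server Count connections to the gateway; otherwise
every server process opens Server Count connections. The listing below
is constructed to resemble SMGW -> Logged on Clients; its columns
(LU name, TP name, System type, Host) and the value REGISTER_TP for
registered programs are assumptions of this example, as are all names.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class JcoProviderConfig:
    """Subset of the NWA server configuration of one JCo RFC Provider."""
    program_id: str          # field Program ID, registered at the gateway
    server_count: int        # field Server Count
    local_jco_servers: bool  # option Local JCo Servers
    server_processes: int    # number of server processes of the AS Java


def expected_registrations(cfg: JcoProviderConfig) -> int:
    """How many times the gateway should list cfg.program_id."""
    if cfg.server_count < 1 or cfg.server_processes < 1:
        raise ValueError("server_count and server_processes must be >= 1")
    if cfg.local_jco_servers:
        return cfg.server_count                      # one process registers
    return cfg.server_count * cfg.server_processes   # every process registers


def parse_logged_on_clients(listing: str) -> Dict[str, int]:
    """Count registrations per TP name in a gateway client listing.

    Only rows whose System type is REGISTER_TP (registered programs) are
    counted; local work processes, remote gateways and so on are ignored.
    """
    counts: Counter = Counter()
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "LU" or parts[0].startswith("-"):
            continue  # blank line, column header or separator row
        _lu_name, tp_name, system_type = parts[0], parts[1], parts[2]
        if system_type == "REGISTER_TP":
            counts[tp_name] += 1
    return dict(counts)


def check_provider(cfg: JcoProviderConfig, listing: str) -> Tuple[bool, int, int]:
    """Return (ok, expected, actual) for cfg.program_id in the listing."""
    expected = expected_registrations(cfg)
    actual = parse_logged_on_clients(listing).get(cfg.program_id, 0)
    return actual == expected, expected, actual


def unknown_registrations(listing: str, known: Iterable[str]) -> List[str]:
    """Registered program IDs that are not on the administrator's own list.

    Anything registered at the gateway that you did not configure yourself
    deserves a closer look during the check.
    """
    known_set = set(known)
    return sorted(tp for tp in parse_logged_on_clients(listing) if tp not in known_set)


# Constructed listing: four registrations of a provider with Server Count 4
# and Local JCo Servers selected, one local work process, one other program.
SAMPLE_LISTING = """\
LU name   TP name                System type  Host
--------  ---------------------  -----------  ---------------------
twdf0000  SAP.CCMS.J2EE.J2E      REGISTER_TP  twdf0000.wdf.sap.corp
twdf0000  SAP.CCMS.J2EE.J2E      REGISTER_TP  twdf0000.wdf.sap.corp
twdf0000  SAP.CCMS.J2EE.J2E      REGISTER_TP  twdf0000.wdf.sap.corp
twdf0000  SAP.CCMS.J2EE.J2E      REGISTER_TP  twdf0000.wdf.sap.corp
twdf0000  sapgw80                LOCAL_R3     twdf0000.wdf.sap.corp
twdf0001  OTHER.REGISTERED.PROG  REGISTER_TP  twdf0001.wdf.sap.corp
"""

if __name__ == "__main__":
    cfg = JcoProviderConfig("SAP.CCMS.J2EE.J2E", server_count=4,
                            local_jco_servers=True, server_processes=3)
    print(check_provider(cfg, SAMPLE_LISTING))              # (True, 4, 4)
    print(unknown_registrations(SAMPLE_LISTING, [cfg.program_id]))
```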

Task 6: Optional: Create Destination of the type RFC with Load Balancing
Create a destination of the type RFC with load balancing for the SAP Solution Manager system (PSM) that is installed on your server.
1. Call the NWA and switch to destination maintenance.
a) Follow the menu path Configuration → Infrastructure → Destinations in the NWA.

2. Create a destination with the name Group_to_SolMan ( stands for your group name) for client “000” of the Solution Manager system that is used in your course. Use SPACE as the logon group. Your instructor will give you the system data.
a) Create a new destination by choosing Create.
b) In the step General Data, maintain the name Group_to_SolMan ( stands for your group number) in the field Destination Name for your destination. Use the input help to select the type RFC for the field Destination Type. Choose Next to go to the next step.
c) In the step Connection and Transport Security Settings, select the selection field Yes for Load Balancing. Maintain the field System ID with PSM, the field Message Server with the host name of your server (fully qualified host name, for example “twdf0000.wdf.sap.corp”) and the field Message Server Service with sapmsPSM. Enter the same value in the field Gateway Host as entered in the field Message Server. Enter SPACE in the field Logon Group. Enter sapgw80 in the field Gateway Service. Choose Next to go to the next step.
d) In the step Logon Data, use the input help to select the value Technical User for the field Authentication. Enter EN in the field Language. Enter 000 in the field Client. Enter -## in the field User Name, with standing for your group number. Enter the password in the field Password. Choose Finish to save and thus complete your entries.
e) Check your entries using the push-button Ping Destination. You receive the message: “Successfully connected to System ...”.

Lesson Summary
You should now be able to:
• List some communication paths
• Maintain connections of the destination service
• Maintain JCo RFC connections

Lesson: Appendix: Connections to other Systems with the Java Connector Architecture

Lesson Overview
In this lesson, you will find out where you can maintain connection data of the Java Connector Architecture (JCA) for other systems using the SAP Java Resource Adapter.

Lesson Objectives
After completing this lesson, you will be able to:
• Locate the JCA Connection Factories of the SAP Java Resource Adapter.
• Maintain parameters of a JCA Connection Factory of the SAP Java Resource Adapter.
• Create a new JCA Connection Factory for the SAP Java Resource Adapter.

Business Example
You are using the SAP NetWeaver AS Java and you want to get to know communication paths of applications for Enterprise Information Systems.

Connections to AS ABAP Systems using the SAP Java Resource Adapter
In the previous lesson, you got to know the destination and the JCo RFC Provider as communication paths to an EIS. Furthermore, you already know that applications can establish direct communication paths to an EIS. The Java Connector Architecture (JCA) provides programming interfaces that allow developers to communicate with an EIS via adapters.

Figure 115: Resource Adapter

A Java EE application server with integrated Java Connector Architecture (JCA) provides a communication path between applications and Enterprise Information Systems (EIS). To address an EIS via the Connector Architecture, a resource adapter that supports the Connector Architecture is required for the EIS. The figure “Resource Adapter” shows that only one resource adapter per EIS type is required for a Java EE application server to communicate with the EIS. The resource adapter can be used in any AS Java because the Java Connector Architecture is integrated into the AS Java.

In this lesson, we take a look at the SAP Java Resource Adapter, which can be used to establish connections to AS ABAP systems, as an example of such a connection option. This lesson is not aimed at developers but rather at administrators who want to get an idea of where developers maintain communication paths for an EIS, in particular for AS ABAP systems. As you will find out, the “JCA Connection Factory” plays a decisive role here.

Figure 116: SAP Java Resource Adapter

SAP Java Resource Adapter 1.5 is an adapter that is used for communication with AS ABAP systems. The connection data is maintained in the related JCA Connection Factories. The following section describes how you get from the resource adapter to the JCA Connection Factories.

You can find the resource adapter in the NWA using the menu path Configuration Management → Infrastructure → Application Resources. If you restrict the list to Resource Adapters under Show, you find SAPJavaResourceAdapter15 there. You can find the relevant resource of the Java Connector Architecture (JCA) on the tab page Dependent JCA Resource, from which you can display the data for the JCA Resource using the push-button JCA Resource Details. You can find all the “JCA Connection Factories” for the JCA Resource on the tab page Dependent JCA Connection Factory, for example, the eis/SAPJRAFactory that is delivered as a template.

Each JCA Connection Factory contains the connection data for AS ABAP systems. This data is maintained on the tab page Configuration Properties. Information about the target server, system number, client and so on is included in the connection data. You also have the option of storing a destination as connection data here. For this, you create a new property DestinationName, if it is not already contained in the JCA Connection Factory, and store the destination there.

Hint: You can use a destination as of 7.10 SPS6. If, despite maintaining a destination, you are forced to enter a password, remove the property Password in this JCA Connection Factory.

In the JCA Resource, you can create further JCA Connection Factories using Copy and Add New JCA Connection Factory; there you can maintain additional connection data. For this, maintain a JNDI Name (JNDI stands for Java Naming and Directory Interface) on the tab page Namespace. When you create such a JCA Connection Factory, a “JCA Managed Connection Factory”, through which the actual communication runs, is automatically created for the JCA Connection Factory. However, when it comes to maintaining connection data, we are interested only in the JCA Connection Factories.

Exercise 15: Optional: Connections to other Systems with the Java Connector Architecture

Exercise Objectives
After completing this exercise, you will be able to:
• Determine the JCA Connection Factories in the application resources
• Create and maintain JCA Connection Factories for SAPJavaResourceAdapter15

Business Example
Your developers program applications that have to exchange data with an AS ABAP, for example. The Java Connector Architecture is used for programming, and you want to maintain a JCA Connection Factory with the connection data for the AS ABAP for the SAPJavaResourceAdapter or provide the developer with the required information. Your instructor will give you the required system data.

Task 1: Determine JCA Connection Factories
Determine which JCA Connection Factories exist for SAPJavaResourceAdapter15 in your system and which connection data is maintained there.
1. Call the NWA on your system and switch to the maintenance of application resources.
2. Restrict the list to the Resource Adapters.
3. Display the related JCA Resource for SAPJavaResourceAdapter15 and switch to the detail view of this resource.
4. Display the related JCA Connection Factories for the JCA Resource SAPJavaResourceAdapter15.
5. Now determine the connection data of the JCA Connection Factory “eis/SAPJRAFactory”.

Task 2: Create a JCA Connection
In your system, create a JCA Connection Factory for SAPJavaResourceAdapter15 with the name -_Nr01 ( stands for your group number) from the copy template eis/SAPJRAFactory. There, maintain the connection data for client 100 of the Solution Manager system that is used in your course.
1. Call the NWA on your system and switch to the maintenance of application resources.
2. Restrict the list to all JCA Resources.
3. Create a further JCA Connection Factory for the JCA Resource SAPJavaResourceAdapter15 with the name _Nr01 ( stands for your group number) as a copy of the JCA Connection Factory eis/SAPJRAFactory.
4. Maintain the connection data of the JCA Connection Factory -_Nr01.

Task 3: Create JCA Connection with Destination
In your system, create a JCA Connection Factory for SAPJavaResourceAdapter15 with the name -_Nr02 ( stands for your group number) from the copy template eis/SAPJRAFactory. Enter the destination Group_to_SolMan or Group_RZ20_SolMan ( stands for your group number) for the connection data.
1. Call the NWA on your system and switch to the maintenance of application resources.
2. Restrict the list to all JCA Resources.
3. Create a further JCA Connection Factory for the JCA Resource SAPJavaResourceAdapter15 with the name -_Nr02 ( stands for your group number).
4. Maintain the destination Group_to_SolMan or Group_RZ20_SolMan ( stands for your group number) for the connection data of the JCA Connection Factory -_Nr02.

Solution 15: Optional: Connections to other Systems with the Java Connector Architecture

Task 1: Determine JCA Connection Factories
Determine which JCA Connection Factories exist for SAPJavaResourceAdapter15 in your system and which connection data is maintained there.
1. Call the NWA on your system and switch to the maintenance of application resources.
a) Follow the menu path Configuration → Infrastructure → Application Resources in the NWA.
2. Restrict the list to the Resource Adapters.
a) Select Resource Adapters in the field Show.
3. Display the related JCA Resource for SAPJavaResourceAdapter15 and switch to the detail view of this resource.
a) Select the resource adapter SAPJavaResourceAdapter15 and switch to the JCA Resource Details on the tab page Related JCA Resource.
b) A further navigation field JCA Resource now appears directly below Resource Details; the name of the JCA Resource (in this case also SAPJavaResourceAdapter15) is displayed above this field. You can now switch between both using the navigation fields Resource Adapter and JCA Resource.
c) Make sure that you are in the JCA Resource display and select the tab page Related JCA Connection Factories.
4. Display the related JCA Connection Factories for the JCA Resource SAPJavaResourceAdapter15.
a) Make sure that you are in the JCA Resource display and select the tab page Related JCA Connection Factories. For the moment, you should see only the JCA Connection Factory eis/SAPJRAFactory.

5. Now determine the connection data of the JCA Connection Factory “eis/SAPJRAFactory”.
a) Choose JCA Connection Factory Details. A further navigation field JCA Connection Factory now appears directly to the right of the navigation field JCA Resource; the name of the JCA Connection Factory (in this case eis/SAPJRAFactory) is displayed above this field.
b) Now select the tab page Configuration Properties. There you can find, for example, the names of the properties SAPClient, UserName, Password and so on. No value has been maintained in the field Value for any of these properties; that is, communication data has not yet been maintained.

Task 2: Create a JCA Connection
In your system, create a JCA Connection Factory for SAPJavaResourceAdapter15 with the name -_Nr01 ( stands for your group number) from the copy template eis/SAPJRAFactory. There, maintain the connection data for client 100 of the Solution Manager system that is used in your course.
1. Call the NWA on your system and switch to the maintenance of application resources.
a) Follow the menu path Configuration → Infrastructure → Application Resources in the NWA.
2. Restrict the list to all JCA Resources.
a) Select JCA Resources in the field Show.

3. Create a further JCA Connection Factory for the JCA Resource SAPJavaResourceAdapter15 with the name _Nr01 ( stands for your group number) as a copy of the JCA Connection Factory eis/SAPJRAFactory.
a) Select the JCA Resource “SAPJavaResourceAdapter15” and switch to the tab page Related JCA Connection Factories.
b) Select eis/SAPJRAFactory as a copy template.
c) Use Copy and Add New JCA Connection Factory to create a new JCA Connection Factory for the selected JCA Resource SAPJavaResourceAdapter15.
d) Enter the name -_Nr01 ( stands for your group number) in the field JNDI Name and confirm your entry by pressing the Return key. Finally, save your entry. The system tells you that “New JCA Connection Factory ... has been added successfully”.
e) Select JCA Resource Details again; you can now see your new JCA Resource.
4. Maintain the connection data of the JCA Connection Factory -_Nr01.
a) Select the resource “-_Nr01” from Related JCA Connection Factories and use JCA Connection Factory Details to switch to the resource details of the JCA Connection Factory.
b) Now select the tab page Configuration Properties. There you can find, for example, the names of the properties SAPClient, UserName, Password, ServerName and PortNumber (the instance number is meant here). Enter the corresponding values for the Solution Manager system on your server.
c) Save your entry. The system issues the message “The resource has been saved successfully”.

Task 3: Create JCA Connection with Destination
In your system, create a JCA Connection Factory for SAPJavaResourceAdapter15 with the name -_Nr02 ( stands for your group number) from the copy template eis/SAPJRAFactory. Enter the destination Group_to_SolMan or Group_RZ20_SolMan ( stands for your group number) for the connection data.
1. Call the NWA on your system and switch to the maintenance of application resources.
a) Follow the menu path Configuration → Infrastructure → Application Resources in the NWA.
2. Restrict the list to all JCA Resources.
a) Select JCA Resources in the field Show.
3. Create a further JCA Connection Factory for the JCA Resource SAPJavaResourceAdapter15 with the name -_Nr02 ( stands for your group number).
a) Select the JCA Resource “SAPJavaResourceAdapter15” and switch to the tab page Related JCA Connection Factories.
b) Select eis/SAPJRAFactory before you copy it using Copy and Add New JCA Connection Factory.
c) Enter the name -_Nr02 ( stands for your group number) in the field JNDI Name and save your entry. The system issues a dialog box telling you that “New JCA Connection Factory ... has been added successfully”. Close this dialog box.
4. Maintain the destination Group_to_SolMan or Group_RZ20_SolMan ( stands for your group number) for the connection data of the JCA Connection Factory -_Nr02.
a) Select the resource “-_Nr02” from Related JCA Connection Factories and use JCA Connection Factory Details to switch to the resource details of the JCA Connection Factory.
b) Now select the tab page Configuration Properties. Use Add New Property to add a new property with the name DestinationName here.
c) Enter the destination Group_to_SolMan or Group_RZ20_SolMan ( stands for your group number) from the previous lesson as the value for the property DestinationName.
d) Save your entry. The system issues the message “The resource has been saved successfully”.

Lesson Summary
You should now be able to:
• Locate the JCA Connection Factories of the SAP Java Resource Adapter.
• Maintain parameters of a JCA Connection Factory of the SAP Java Resource Adapter.
• Create a new JCA Connection Factory for the SAP Java Resource Adapter.

Unit Summary
You should now be able to:
• List some communication paths
• Maintain connections of the destination service
• Maintain JCo RFC connections
• Locate the JCA Connection Factories of the SAP Java Resource Adapter.
• Maintain parameters of a JCA Connection Factory of the SAP Java Resource Adapter.
• Create a new JCA Connection Factory for the SAP Java Resource Adapter.


Unit 7: AS ABAP – System Monitoring and Troubleshooting

Unit Overview

This unit provides an introduction to system monitoring. You first learn about the basics of the monitoring architecture, and how to use the CCMS Alert Monitor. Later in the unit, you learn how to set up your own monitors, connect remote systems, and maintain threshold values. At the end of the System Monitoring section, two separate lessons introduce additional log and trace options in AS ABAP as well as a general troubleshooting method.

All of the content in this unit refers to the functions of ABAP-based SAP systems. You can find an introduction to monitoring Java-based SAP systems in the ADM800 AS Java 7.3 - Administration training course. Other specialized training courses deal with this topic in more detail. This unit presents the system monitoring functions exactly as they occur in all general AS ABAP-based SAP systems. SAP Solution Manager offers too many different system monitoring configurations to be covered in this training course alone. You can find this information (and much more) in the SM100 - SAP Solution Manager Configuration for Operations training course.

Unit Objectives

After completing this unit, you will be able to:
• Explain the concepts of the CCMS Monitor infrastructure
• Use a CCMS monitor for system monitoring
• Integrate remote systems into the CCMS Alert Monitor
• Design and create your own monitor definitions
• Set threshold values
• List technical components required for different monitoring capabilities of SAP Solution Manager 7.1
• Describe selected functions and their use
• Name different trace and log options
• Perform simple traces in the SAP system
• Develop procedures for structured troubleshooting

Unit Contents

Lesson: Monitoring Architecture ... 347
  Exercise 16: System Monitoring ... 357
Lesson: Configuring System Monitoring in CCMS ... 361
  Exercise 17: Integrating Remote Systems and Creating Your Own Monitors ... 371
Lesson: Introduction to Monitoring using SAP Solution Manager ... 383
Lesson: Traces and Logs ... 398
  Exercise 18: Trace Options ... 407
Lesson: Troubleshooting Procedure ... 411


Lesson: Monitoring Architecture

Lesson Overview

This lesson provides an introduction to the monitoring functions offered by the Computing Center Management System (CCMS). Terms such as monitoring tree element (MTE), monitoring object, and monitoring attribute will be discussed in detail.

Lesson Objectives

After completing this lesson, you will be able to:
• Explain the concepts of the CCMS Monitor infrastructure
• Use a CCMS monitor for system monitoring

Business Example You want to ensure good performance for the processing of business processes. You therefore regularly monitor the SAP systems, and take preventative action if required.

Fundamentals

Initial questions about monitoring:

• Why?
  – To ensure the efficient processing of business processes
  – To ensure system security and stability
• How?
  – Central and cross-system
  – With an alert if an error occurs
  – With help that provides cross-system detailed information if an error occurs
• With which tool?
  – With the help of the CCMS Monitor Infrastructure and the special transactions connected to it

Nowadays, many components are usually involved in a business process. These components (whether produced by SAP or not) must be monitored, as either a gradual reduction in performance or a sudden breakdown of a component could affect overall productivity. It is the administrator's task to monitor the system landscape regularly, not only when errors occur, so that preventive action can be taken in time.


For example: A file system where files of the SAP database are stored is 100% full. The database can no longer extend the tables in the files. A user performs a business transaction in the context of which a data record should be asynchronously added to one of these tables. The insert fails due to the space problem in the file system. The database error is seen as so serious that the entire asynchronous update process is automatically deactivated. All user sessions hang with the display of the hour glass. The SAP system hangs. If the fill level of the file system had been monitored regularly, the administrator could have taken action at the right time and system downtime could have been avoided. Monitoring should be organized as efficiently as possible. There is not enough time for an administrator to log on to each host component to check its status. An efficient monitoring structure should be able to display the entire system landscape centrally at a glance. If an error occurs, the person responsible is automatically notified. Tools should be provided for the analysis of errors that provide cross-system detailed information about the problem.

Figure 117: Central Monitoring

The CCMS Monitor infrastructure gives you the option of central and efficient monitoring for SAP systems.


This infrastructure must exist on every component that is to be centrally monitored. This is automatically the case for SAP systems with software component SAP_BASIS 4.0 or above. CCMS agents are used to connect components on which no SAP Basis system is active. Each component collects its own monitoring data using the infrastructure and stores it locally in main memory. This part of main memory is called the monitoring segment; its size can be configured.

One SAP system is selected as the central monitoring system. It should have as high a release level as possible and also be highly available. In large system landscapes, we recommend that you include a separate system that is used only for special tasks such as central monitoring, Central User Administration, and the transport domain controller. From a performance point of view, the workload of the central monitoring system increases only insignificantly, because the collection of monitoring data is decentralized.

The central monitoring system collects the monitoring data of the components and displays it in various views. In this way, the administrator has a central view of the entire system landscape. If errors occur, the administrator can jump directly from the central monitoring system (by RFC) to the relevant component to correct a problem in a detailed analysis.

Note: SAP recommends that you set up your central system monitoring on the SAP Solution Manager system.

Details The CCMS Monitor Infrastructure consists of three functional areas: Data collection, data storage, and data analysis.


Figure 118: CCMS Alert Monitoring Infrastructure in Detail

At the data collection level, small subareas of an SAP system are monitored by special programs called data collectors. Data collectors can be ABAP, C, or Java programs. There are several hundred data collectors in ABAP alone. Each data collector checks its subcomponent at regular intervals and stores the collected monitoring data in the local monitoring segment, the area of shared memory reserved for this data.

Data storage takes place within the monitoring segment. As the monitoring segment is periodically overwritten, parts of its content can be transferred to database tables, so that you can analyze the data later. The data collection and storage elements must be present on every component that is to be centrally monitored.

Caution: Note that every instance of an SAP system (with the software component SAP_BASIS) has its own monitoring segment in shared memory. This means that for an SAP system with eight instances, there are eight separate monitoring segments. The number of instances determines the number of monitoring segments; whether or not several instances run on the same hardware is of no significance here. The Central Services instances (ABAP or Java) do not have a monitoring segment.

For data analysis there are many different tools available to evaluate the data stored in monitoring segments. Aside from transaction RZ20 you can also use functions offered by SAP Solution Manager. SAP Solution Manager can also show the data in a business process-oriented context.


If the system identifies a problem, it can execute a specifically prepared auto-reaction, such as informing a responsible person. Analysis methods support you in analyzing the situations that led to alerts. The CCMS Monitor Infrastructure can be extended: you can integrate your own components using data collectors that you have written yourself. Third-party vendors and partners can use various interfaces to export the monitoring data from the monitoring segment.

Note: You can find certified partner products at http://www.sap.com/partners/directories/searchpartner.epx.

Figure 119: Monitor Structure

Transaction RZ20 offers monitor definitions that you can use to display monitoring data from the monitoring segment in a tree structure. The tree structure offers an organized layout even when displaying a large number of measured values. Any node in the monitoring tree is called a Monitoring Tree Element (MTE). The measured values that are collected by the data collectors are displayed at the lowest level in the leaves of the tree. The leaves are known as monitoring attributes. Threshold values can be stored for a monitoring attribute. SAP delivers default threshold values. However, in order to customize the monitor as well as possible to your requirements, you should check these default threshold values, and adjust them if required. Monitoring attributes are grouped at the second lowest level using monitoring objects. For example, the monitoring object program buffer contains, among others, the attributes hit rate and swap.


All other nodes in the tree serve to structure the monitoring objects in a logical and clear way, so that you can easily find the monitoring attribute that you require. A CCMS monitor displays different subareas of the monitoring data. A monitor can contain data from multiple SAP systems.

Figure 120: CCMS Monitor Definitions

You can access the monitor sets in the system by calling transaction RZ20. Alternatively, in the SAP Easy Access menu, choose Tools → CCMS → Control/Monitoring → CCMS Monitor Sets. SAP delivers preconfigured monitor sets that you can use immediately. Each monitor set bundles monitor definitions that display various parts of the entire monitoring architecture by topic area. This makes it easier, for example, to access the monitoring data that refers to the database.

Monitor definition: A monitor definition describes the selection of monitoring objects and monitoring attributes you would like to look at. Monitor definitions are bundled into monitor sets (also called monitor collections) in transaction RZ20. If you double-click a monitor definition, the data it refers to is collected and the corresponding monitor is displayed.

Monitor: A monitor is the graphical representation of all monitoring objects and monitoring attributes that should be displayed according to the monitor definition.


The delivered monitor sets can be different for each system. For example, an SAP CRM system contains a special set for monitoring CRM scenarios. Of course, this also includes special data collectors that are preconfigured and delivered with an SAP CRM system. The monitoring data that monitors display can overlap. This means that the monitoring attribute hit rate of the program buffer can appear in several monitors. If you change, for example, the threshold value for this attribute in one of these monitors, it is changed in all monitors. Some monitors, such as the monitor Availability and Performance Overview in the monitor set SAP CCMS Monitor Templates, do not display any data at first. This can be due to the fact that special settings are required to start the underlying data collectors. To begin with, you will use the preconfigured monitors. Later, you can also create your own monitors that display exactly the data that you require for your daily monitoring work. You can open a monitor by double-clicking the name of its monitor definition.

Figure 121: Layout of a Monitor

After you have opened a monitor, the corresponding monitoring data displays in the form of a tree. By clicking the “+” sign beside an MTE, you can expand the tree down to its leaves; the monitoring attributes.


Alert threshold values for triggering yellow and red alerts are assigned to monitoring attributes. If the threshold value condition is fulfilled, first a yellow, and then, if there is further deterioration, a red alert is triggered. The color of the monitoring attribute is propagated to its higher-level node in the tree, where the most severe alert is forwarded (red is more severe than yellow). This means that you can determine whether there is an alert in the tree from the root of the tree.

Views

The monitor should support you in your daily work. After you have opened the monitor, the following two views are available to you, among others:

• The Current Status view displays the monitor with the newest reported data.
• The Open Alerts view displays a monitor with alerts that have not been completed.

For example, there may have been problems during the previous night that no longer occur now. In the Current Status view, the monitoring attribute is green, while it is displayed as red in the Open Alerts view. After you have ensured that there are currently no problems, you can then investigate problems that have previously occurred. You can see the selected view in the upper part of the monitor. You can switch views by choosing the Current Status or Open Alerts buttons.

Figure 122: The Alert Browser


You can easily process the alerts that occurred in the past in the Open Alerts view. By double-clicking an MTE in the tree, you open the Alert Browser, which displays a list of all alerts for the selected MTEs and all alerts below it in the tree. This means that if you double-click the root of the tree, the system displays a list of all alerts in the tree, sorted by red and yellow alerts. Select an alert that you want to process. Then choose the Start Analysis Method button. This starts the analysis method that is assigned to the MTE. The analysis method is a special tool that supports you when investigating problems. It can be transactions, or specially programmed function modules, or URL calls. You, therefore, do not need to remember all of the special tools, but simply use the CCMS Alert Monitor as a central point of entry. After you have clarified the problem situation, choose F3 to return to the Alert Browser. Then choose Complete Alerts. The processed alert is removed from the list and is stored in a database table. Proceed in the same way with the remaining alerts, until the list is empty. When you next use your monitor, only the newly-occurred alerts display. If you want to display completed alerts again, choose Show Alert History in the Alert Browser. Completed alerts display with the status Done.
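The colour propagation, the Current Status and Open Alerts views, and the Alert Browser functions described above, as an added Python model that is not part of the course material or of SAP's code. The class and function names, the sample tree under a constructed instance DEV_instance01, its thresholds, the reported values and the alert-store size are assumptions made for this example. The model raises an alert whenever a reported value moves an attribute to a worse colour and, like the hint in the solution to Exercise 16, auto-completes the oldest open alerts when the store is full.

```python
"""Model of the CCMS alert monitor behaviour described in this lesson.
Added example, not code from the course or from SAP: class names, the sample
tree, its thresholds and the reported values are constructed, and the alert
store is a list with a configurable maximum standing in for the segment."""
from __future__ import annotations
from dataclasses import dataclass, field

GREEN, YELLOW, RED = 0, 1, 2   # ordered so that max() picks the most severe colour

@dataclass
class Alert:
    mte: str
    color: int
    value: float
    status: str = "ACTIVE"     # ACTIVE (open), DONE (completed), AUTO_COMPLETE

@dataclass
class MTE:
    """Node of the monitoring tree; leaves with thresholds are monitoring attributes."""
    name: str
    children: list[MTE] = field(default_factory=list)
    yellow: float | None = None      # thresholds, attributes only
    red: float | None = None
    current: int = GREEN             # colour of the newest reported value

    def subtree_names(self):
        yield self.name
        for child in self.children:
            yield from child.subtree_names()

class AlertMonitor:
    def __init__(self, alert_store_size: int = 4):
        self.alert_store_size = alert_store_size
        self.alerts: list[Alert] = []

    def report(self, attribute: MTE, value: float) -> None:
        """A data collector reports a value; an alert is raised when the colour worsens."""
        color = RED if value >= attribute.red else YELLOW if value >= attribute.yellow else GREEN
        if color > attribute.current:
            self.alerts.append(Alert(attribute.name, color, value))
            # The alert store is finite: the oldest open alerts are auto-completed.
            open_alerts = [a for a in self.alerts if a.status == "ACTIVE"]
            while len(open_alerts) > self.alert_store_size:
                open_alerts.pop(0).status = "AUTO_COMPLETE"
        attribute.current = color

    def current_status(self, node: MTE) -> int:
        """Current Status view: worst colour of the newest values below node."""
        if node.yellow is not None:                 # monitoring attribute (leaf)
            return node.current
        return max((self.current_status(c) for c in node.children), default=GREEN)

    def open_alerts(self, node: MTE) -> list[Alert]:
        """Alert Browser: open alerts of node and everything below it, red first."""
        names = set(node.subtree_names())
        found = [a for a in self.alerts if a.status == "ACTIVE" and a.mte in names]
        return sorted(found, key=lambda a: -a.color)

    def open_status(self, node: MTE) -> int:
        """Open Alerts view: colour propagated upwards from uncompleted alerts."""
        return max((a.color for a in self.open_alerts(node)), default=GREEN)

    def complete(self, alert: Alert) -> None:
        """Complete Alerts: the alert leaves the list and stays in the history as DONE."""
        alert.status = "DONE"

    def history(self, node: MTE) -> list[Alert]:
        """Show Alert History: completed and auto-completed alerts below node."""
        names = set(node.subtree_names())
        return [a for a in self.alerts if a.status != "ACTIVE" and a.mte in names]

def build_sample_tree() -> MTE:
    """Constructed sample: one instance, two monitoring objects, three attributes."""
    dialog = MTE("Dialog", [MTE("Dialog/ResponseTime_ms", yellow=1000.0, red=2000.0),
                            MTE("Dialog/UsersLoggedIn", yellow=500.0, red=800.0)])
    buffer = MTE("ProgramBuffer", [MTE("ProgramBuffer/Swaps", yellow=100.0, red=1000.0)])
    return MTE("DEV_instance01", [dialog, buffer])

def night_and_morning() -> tuple[AlertMonitor, MTE]:
    """Response time degrades during the night and is back to normal in the morning."""
    root, monitor = build_sample_tree(), AlertMonitor()
    for value in (1200.0, 2500.0, 400.0):
        monitor.report(root.children[0].children[0], value)
    return monitor, root

def alert_store_overflow(rounds: int = 6, store_size: int = 4) -> tuple[int, int]:
    """Raise more alerts than the store holds; returns (open, auto-completed) counts."""
    root, monitor = build_sample_tree(), AlertMonitor(store_size)
    for _ in range(rounds):
        monitor.report(root.children[0].children[0], 3000.0)   # green -> red: alert
        monitor.report(root.children[0].children[0], 400.0)    # back to green: none
    auto = sum(1 for a in monitor.alerts if a.status == "AUTO_COMPLETE")
    return len(monitor.open_alerts(root)), auto

if __name__ == "__main__":
    monitor, root = night_and_morning()
    print("Current Status:", monitor.current_status(root), "Open Alerts:", monitor.open_status(root))
    for alert in monitor.open_alerts(root):
        monitor.complete(alert)
    print([a.status for a in monitor.history(root)], alert_store_overflow())
```

Running the file shows the root green in the Current Status view while the Open Alerts view still reports red from the night; completing both alerts empties the Alert Browser and leaves them in the history with status DONE, and the overflow run shows how the oldest open alerts end up as AUTO_COMPLETE.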


Exercise 16: System Monitoring

Exercise Objectives

After completing this exercise, you will be able to:
• Evaluate and process alerts in the Alert Monitor

Business Example You want to ensure good performance for business processes. You therefore regularly monitor the SAP systems, and take preventative action if required.

Task: The CCMS Alert Monitor

You will learn to use some basic functions offered in transaction RZ20.

1. Start the transaction used for accessing the CCMS monitor collections (transaction RZ20).

2. From the monitor set SAP CCMS Monitor Templates open the monitor definition Entire System.

3. What is the current average dialog response time?

4. Switch to the Open Alerts view.

5. Select all alerts that have occurred for the monitoring object Dialog.

6. Process an alert for Dialog Response Time from this list by starting the corresponding analysis method. Afterwards execute the following functions:
   1. Return to the Alert Browser and complete the alert.
   2. Does the alert still appear in the list?
   3. How can you display the completed alert again?

Note: There are monitoring attributes without analysis methods. If you know a function that could be used for analysis, there is a way to assign this function to the monitoring attribute. This option is not covered in this course.

Result

Now you can use some basic functions within transaction RZ20.


Solution 16: System Monitoring

Task: The CCMS Alert Monitor

You will learn to use some basic functions offered in transaction RZ20.

1. Start the transaction used for accessing the CCMS monitor collections (transaction RZ20).

a) Use Tools → CCMS → Control/Monitoring → CCMS Monitor Sets or transaction RZ20.

2. From the monitor set SAP CCMS Monitor Templates open the monitor definition Entire System.

a) Expand the monitor set SAP CCMS Monitor Templates by choosing the “+” sign beside its name.

b) Double click the monitor definition Entire System.

3. What is the current average dialog response time?

a) You can find the monitoring attribute for the average dialog response time by expanding, for example, the branch → R/3 Services → Dialog → .

b) Make sure that the monitor is in the Current Status view.

4. Switch to the Open Alerts view.

a) Choose the Open Alerts push button.

5. Select all alerts that have occurred for the monitoring object Dialog.

a) Double click the MTE Dialog.

b) All alerts for this monitoring object will be displayed in the Alert Browser.

6. Process an alert for Dialog Response Time from this list by starting the corresponding analysis method. Afterwards execute the following functions:
   1. Return to the Alert Browser and complete the alert.
   2. Does the alert still appear in the list?
   3. How can you display the completed alert again?

Note: There are monitoring attributes without analysis methods. If you know a function that could be used for analysis, there is a way to assign this function to the monitoring attribute. This option is not covered in this course.

a) Select an alert for Dialog Response Time from the list.

b) Choose the Start Analysis Method button or double-click the selected alert.

c) The system switches from the monitor to a function that provides you with detailed data about the alert.

d) Go back to the Alert Browser.

e) Choose Complete Alerts for the selected alert.

f) The alert is removed from the list display.

g) To display the alert again, choose Show Alert History.

h) Your completed alert has the status DONE.

Hint: It is possible that the system displays alerts with the status AUTO_COMPLETE. These alerts were completed automatically by the system to make room for new alerts within the alert store in the monitoring segment.

Result Now you can use some basic functions within transaction RZ20.


Lesson Summary

You should now be able to:
• Explain the concepts of the CCMS Monitor infrastructure
• Use a CCMS monitor for system monitoring


Lesson: Configuring System Monitoring in CCMS

Lesson Overview

In this lesson, you will learn how to integrate remote systems into the central monitoring offered by CCMS and what to bear in mind when designing and creating your own monitor definitions. To get the best from the monitors that you create yourself, you should adjust the threshold values for the displayed monitoring attributes to your requirements.

Note: CCMS is an abbreviation for “Computing Center Management System”, a collection of tools within AS ABAP. In SAP Easy Access, the functions offered by CCMS can be accessed by SAP Menu → Tools → CCMS.

Lesson Objectives

After completing this lesson, you will be able to:
• Integrate remote systems into the CCMS Alert Monitor
• Design and create your own monitor definitions
• Set threshold values

Business Example As a system administrator, you integrate remote systems into system monitoring in CCMS. You also create monitor definitions that will reflect your own particular requirements. Monitors can only be used in a meaningful way if the selected threshold values for the individual monitoring attributes are set to “suitable” values. Usually, there are no generally recommended values because different values make sense depending on the type of system, operation mode, usage type of the system (development/production), and your own expectations and requirements.

Integrating Remote Systems

The monitors delivered by SAP (within CCMS) display detailed monitoring data for the local SAP system only. Central system monitoring, on the other hand, has the advantage that you can monitor the entire system landscape at one glance, and not just your local system. You can centrally monitor all components that have a CCMS monitoring infrastructure. SAP has delivered this infrastructure since SAP_BASIS 4.0. To be able to include components that do not have such an infrastructure, you can use the CCMS agent program SAPCCMSR for non-SAP components. Current releases of SAP software offer an additional option to connect remote systems: the web service interface of sapstartsrv.

Figure 123: Integrating Remote Systems

To integrate an SAP system into a central monitoring architecture, you require at least two RFC connections: one for transferring the monitoring data from the remote SAP system to the central monitoring system and one for executing the analysis functions in the remote system. The data collection itself is performed independently by the CCMS monitoring infrastructure on the remote system.

Note: You can also create the RFC connection for starting analysis methods as a “trusted RFC” connection, which avoids both the logon screen and a password stored in the destination. The remote (trusting) system then decides on the basis of authorization object S_RFCACL whether the calling user from the central system may log on, so grant that authorization only to the administrators who are allowed to jump into the remote system. SAP Solution Manager can easily generate these RFC connections (once the basic configuration has been completed).


Figure 124: Integrating Remote Systems: Transaction RZ21

SAP systems are integrated into the central monitoring system in transaction RZ21. In RZ21, choose Technical Infrastructure → Configure Central System → Create Remote Monitoring Entry. First, use the input help (F4) to select the component type of the remote system to be monitored, for example, ABAP if you want to monitor an SAP ECC 6.0 system without an AS Java component. In the System ID field, enter the SID of the SAP system to be monitored, and name the message server host and an existing logon group of that system; alternatively, choose a direct connection to a specific instance (no load balancing). Then enter the password for the user CSMREG in client 000 of the remote system.

Hint: You should use a function in transaction RZ21 to create the user CSMREG in client 000 of both the remote system and the central system. To do this, use the path Technical Infrastructure → Configure Central System → Create CSMREG User.


No user data is specified in the RFC connection used to start the analysis methods. If you want to call an analysis method (in the remote system being monitored) from the central system, you are therefore presented with a logon screen.

Hint: If your CEN has a release lower than SAP NetWeaver 7.0, you are required to create the relevant RFC connections manually, using transaction SM59. It makes sense to use the same naming convention for all of the RFC connections that you create for system monitoring. The following naming conventions are used by the system for RFC connections generated in RZ21:

• _RZ20_COLLECT for the name of the RFC connection used to read data from the remote system
• _RZ20_ANALYZE for the name of the “analysis RFC connection”

The prefix stands for the SID of the remote SAP system. The RFC connection for reading data from the remote system should always log on to client 000. You can use any client for the analysis RFC connection.

Monitoring of up-to-date SAP systems using CCMS: additional hints

• If you connect remote monitoring segments by communicating with the remote sapstartsrv, the “Collect RFC connection” is still required, for example, for completing alerts in the remote system. You also still require the “Analyze RFC connection” for receiving input in your SAP GUI; neither of these functions can be provided by sapstartsrv.
• When using the connection via sapstartsrv, which is the standard in current SAP systems, you no longer need the CCMS agents sapccm4x and sapccmsr -j2ee.
• To implement monitoring using sapstartsrv, you require the user CSMREG in your CEN system during the registration process (connected sapstartsrv processes forward data using this user); you also need the password of the adm user of the remote SAP system.
• Monitoring using sapstartsrv requires the creation of client-specific logical ports. Therefore make sure that you use the monitoring functions in the same client in which you registered the remote system (transaction RZ21). SAP recommends using client 000 both for the registration of remote systems and for the execution of monitoring activities.
• There is an option, and sometimes the necessity, to switch completely back to the old data collection technology (including the use of CCMS agents).

Relevant SAP Notes:

• SAP Note 110368: FAQ - CCMS MONITORING INFRASTRUCTURE
• SAP Note 1116453: CCMS: Missing logical ports in other clients
• SAP Note 1119735: CCMS agents: Upgrade of monitored systems from 7.0 to 7.1


• SAP Note 1309499: Hardware Capacity Analysis in SAP Services (especially check number 7)
• SAP Note 1368389: Re-activating legacy RFC-communication for CCMS Agents
• SAP Note 1446841: Creating remote monitoring entry without logon group
• SAP Note 1453112: CCMS agent and kernel patches
• SAP Note 1547201: CCMS: Start and stop classical agents
• SAP Note 1569955: gSOAP Web Service pop-up while configuring CCMS agent
• SAP Note 1645544: Monitoring of the Central User Administration
• SAP Note 1667336: CCMS Monitoring with Kernel 7.20 (DCK)
• SAP Note 1746016: CCMS: damaged monitoring segment reports eyecatch error
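The conventions for the two RFC connections per monitored system (SID prefix with the _RZ20_COLLECT and _RZ20_ANALYZE suffixes, client 000 and user CSMREG for reading data, no stored logon data for the analysis connection) lend themselves to a periodic check of the CEN's destinations. The following is an added example, not code from the course or from SAP. Each record is a constructed stand-in for the attributes you would read off a destination in SM59; the field names, the SIDs QA1, PR1 and DV1, the user names ZMONITOR and ZBASIS and all sample records are assumptions made for this example.

```python
"""Consistency check of the RFC destinations the CEN uses per monitored system.
Added example, not code from the course or from SAP. Records are a constructed
stand-in for destination attributes as shown in SM59; field names, SIDs, user
names and sample data are assumptions. The rules are those stated in the lesson."""
import re

COLLECT = "_RZ20_COLLECT"      # reads data from the remote system: client 000, user CSMREG
ANALYZE = "_RZ20_ANALYZE"      # starts analysis methods: no stored logon data
SID_PATTERN = re.compile(r"^[A-Z][A-Z0-9]{2}$")   # three-character system ID


def check_destination(dest: dict, registered_sids: set) -> list:
    """Return findings for one destination; an empty list means it follows the conventions."""
    name, findings = dest["name"], []
    for suffix in (COLLECT, ANALYZE):
        if name.endswith(suffix):
            sid = name[: -len(suffix)]
            if not SID_PATTERN.match(sid) or sid not in registered_sids:
                findings.append(f"prefix {sid!r} is not the SID of a registered system")
            break
    else:
        return [f"{name!r} does not follow the SID + {COLLECT} / SID + {ANALYZE} convention"]
    if suffix == COLLECT:
        if dest.get("client") != "000":
            findings.append("collect destination must log on to client 000")
        if dest.get("user") != "CSMREG":
            findings.append(f"collect destination should use CSMREG, not {dest.get('user')!r}")
    elif dest.get("user") or dest.get("password_stored"):
        # A user or password stored here lets every CEN user who may start an
        # analysis method act in the remote system under that stored identity.
        findings.append("analysis destination stores logon data; use dialog logon or a trusted connection")
    return findings


def missing_destinations(destinations: list, registered_sids: set) -> list:
    """Every system registered in RZ21 needs both destinations."""
    names = {d["name"] for d in destinations}
    return [sid + suffix for sid in sorted(registered_sids)
            for suffix in (COLLECT, ANALYZE) if sid + suffix not in names]


def audit(destinations: list, registered_sids: set) -> dict:
    """Map each destination name to its findings."""
    return {d["name"]: check_destination(d, registered_sids) for d in destinations}


# Constructed sample: three systems registered in the CEN, five destinations found in SM59.
REGISTERED_SIDS = {"QA1", "PR1", "DV1"}
SAMPLE_DESTINATIONS = [
    {"name": "QA1_RZ20_COLLECT", "client": "000", "user": "CSMREG", "password_stored": True},
    {"name": "QA1_RZ20_ANALYZE", "client": "100", "user": "", "password_stored": False},
    {"name": "PR1_RZ20_COLLECT", "client": "100", "user": "ZMONITOR", "password_stored": True},
    {"name": "PR1_RZ20_ANALYZE", "client": "100", "user": "ZBASIS", "password_stored": True},
    {"name": "DV1_MONITORING", "client": "000", "user": "CSMREG", "password_stored": True},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DESTINATIONS, REGISTERED_SIDS).items():
        print(name, "OK" if not findings else findings)
    print("missing:", missing_destinations(SAMPLE_DESTINATIONS, REGISTERED_SIDS))
```

In the sample, the QA1 pair passes, the PR1 collect destination is flagged twice (wrong client, wrong user), the PR1 analysis destination is flagged for its stored logon data, DV1_MONITORING is flagged for its name, and both DV1 destinations are reported as missing.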

Designing Your Own Monitors

Initial questions about designing your own monitors:

• Why should you use monitors that you created yourself?
  – To see exactly what is important for your daily work
  – To facilitate cross-system monitoring
• How to proceed when creating your own monitor definitions?
  – Consider what information you require.
  – Create your own monitor set.
  – Create some static monitors.
  – Create some rule-based monitors (ADM106).
• Hints:
  – Design monitor definitions to deal with specific problems.
  – Transfer no more data than can be displayed clearly.
  – Note that you can transport monitor sets.

We recommend that, for your regular work, you create your own monitors, which display precisely the cross-system or local data that you require for your work. The sets and monitors delivered by SAP cannot be changed and display exclusively data from the local system. You should therefore first create your own monitor set. You can then create your own monitor definitions, which display the required data. The second technique for creating your own monitors, rule-based monitors, is described in detail in the follow-on course ADM106 - SAP System Monitoring using CCMS I.


Before you create your own monitor, you should clarify the purpose of the monitor. The monitor should display as little data as possible in as clear a way as possible. You must make a selection that meets your requirements from the many hundreds of monitoring attributes that exist. A system overview monitor, for example, could contain the status of the last database backup or terminated updates as core indicators, but not details about the distribution of the dialog response time. You can create another monitor to display the response time in detail. Note also, especially if data from the monitored SAP systems is also to be displayed, the quantities of data to be transferred quickly become large. A monitor that displays all monitoring data for multiple remote systems is unusable because the data transfer can take too long, especially if the remote systems have a heavy load. As an approximate guideline, we recommend 5-10 monitoring attributes for each monitored instance in the central monitor as an upper limit.

Creating a Monitor Set

Figure 125: Creating a Monitor Set

The monitor sets (transaction RZ20) are usually in display mode, so you can open monitors, but cannot create or change them. To activate change mode, choose Extras → Activate maintenance function in transaction RZ20. Maintenance functions ON appears in the transaction heading. The system displays new pushbuttons for creating and changing monitors and sets. Choose Create.


The system asks whether you want to create a monitor set or a monitor. Select Monitor Set and choose Copy. On the next screen, assign a name to your monitor set. Make sure that the name of your monitor set does not begin with “SAP”. You can choose whether your set can be changed by other users or not. You can also choose whether the set is displayed directly for other employees in the monitor set overview. After you have specified these attributes, choose Enter. You have now created your own monitor set in which you can either create new monitors or copy existing monitors. The monitor sets and monitors delivered by SAP cannot be changed. However, you can use them as stable templates. You can set whether or not an SAP monitor set should appear in the display mode of the CCMS Alert Monitor. If you want to hide an SAP monitor set, position the cursor (in change mode) on the name of the monitor set to be hidden (with a single click) and then choose Change (Shift + F1). Remove the selection for public. The set can now no longer be seen in display mode. You can change your selection in change mode.

Figure 126: Static Monitors

Now create new monitors or copy existing monitors into your monitor set. To create new monitors in your set, select the set and choose Create.


Unit 7: AS ABAP – System Monitoring and Troubleshooting


The system displays a selection screen in which all MTEs for all registered systems are displayed. Expand the tree structure and choose the MTEs that you want to display in your monitor by checking them. If an MTE is checked, all MTEs underneath it are automatically copied to the monitor. Take into account considerations about the number of MTEs. Choose Save. The system prompts you for a name for the new monitor, which you can then start by double-clicking it. You can organize your monitor more clearly by using virtual nodes when selecting the MTEs. Virtual nodes allow you to structure your monitor. During the MTE selection, choose Create and then Virtual Node. You can choose any text for the virtual node. It should be as descriptive as possible. Complete your entry by choosing Enter. Your virtual node is inserted. You can now select any MTEs for inclusion in the monitor under this node. In the final monitor, these MTEs appear under the virtual node.
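The two points above, that checking a node in the MTE selection tree copies every MTE underneath it into the monitor and that a monitor should stay within roughly 5-10 attributes per monitored instance, can be modelled in a few lines. The following is an added example and not SAP code: the tree, the system IDs (C11, SMS), the instance names and the helper functions are constructed for illustration; only the path SID → Instance → R3Services → Dialog → ResponseTime follows the exercise in this lesson.

```python
"""Constructed model of the MTE selection tree used when creating a monitor.

Added example, not SAP code: the tree, the system IDs, the instance names
and the helper functions are assumptions made for illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Sequence, Tuple

# Leaves (None) are MTEs; inner nodes follow the path shown in the exercise:
# SID -> Instance -> R3Services -> Dialog -> ResponseTime.
TREE = {
    "C11": {
        "host1_C11_00": {
            "R3Services": {
                "Dialog": {"ResponseTime": None, "FrontEndNetTime": None,
                           "QueueTime": None, "Load+GenTime": None},
                "Update": {"ResponseTime": None, "ErrorsInWpUPD": None},
            },
            "R3Abap": {"Shortdumps": None, "ShortdumpFrequency": None},
        },
        "host2_C11_01": {"R3Services": {"Dialog": {"ResponseTime": None}}},
    },
    "SMS": {"solman_SMS_00": {"R3Services": {"Dialog": {"ResponseTime": None}}}},
}

Path = Tuple[str, ...]


def leaves_under(tree: dict, path: Sequence[str]) -> List[Path]:
    """All MTE paths below the checked node: a checked node copies every
    MTE underneath it into the monitor."""
    node = tree
    for part in path:
        node = node[part]
    found: List[Path] = []

    def walk(n, prefix):
        if n is None:
            found.append(tuple(prefix))
            return
        for name, child in n.items():
            walk(child, prefix + [name])

    walk(node, list(path))
    return found


def build_monitor(tree: dict, selections: Dict[str, Iterable[Sequence[str]]]) -> Dict[str, List[Path]]:
    """Monitor definition: virtual node label -> sorted MTE paths. Each label
    plays the role of a virtual node that structures the monitor."""
    return {label: sorted({m for p in paths for m in leaves_under(tree, p)})
            for label, paths in selections.items()}


def attributes_per_instance(monitor: Dict[str, List[Path]]) -> Dict[Tuple[str, str], int]:
    """Count selected MTEs per (SID, instance)."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for mtes in monitor.values():
        for path in mtes:
            counts[(path[0], path[1])] += 1
    return dict(counts)


def over_budget(monitor: Dict[str, List[Path]], limit: int = 10) -> List[Tuple[str, str]]:
    """Instances exceeding the recommended upper limit of attributes."""
    return sorted(k for k, n in attributes_per_instance(monitor).items() if n > limit)


# The 'Dialog response times' monitor from the exercise: one MTE per instance.
RESPONSE_TIME_MONITOR = build_monitor(TREE, {
    "Dialog response times": [
        (sid, inst, "R3Services", "Dialog", "ResponseTime")
        for sid, instances in TREE.items() for inst in instances
    ],
})

# Checking a whole instance node pulls in everything below it.
WHOLE_INSTANCE_MONITOR = build_monitor(TREE, {"C11 host1": [("C11", "host1_C11_00")]})

if __name__ == "__main__":
    print(RESPONSE_TIME_MONITOR)
    print(attributes_per_instance(WHOLE_INSTANCE_MONITOR))
    print("over 5-attribute budget:", over_budget(WHOLE_INSTANCE_MONITOR, limit=5))
```

Selecting the instance node instead of the single ResponseTime attribute pulls eight MTEs for that instance into the monitor, which is why `over_budget` is worth running against a definition before it is saved, especially when the monitored systems are remote and every extra attribute costs an RFC transfer.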

Threshold Values and Properties Variants

Properties Variants and Threshold Values: Why?
•   Why?
    –   So that alerts are not constantly or never triggered by the system
    –   So that system monitoring is adapted in the best possible way to meet your requirements
•   How?
    –   In the central monitoring system in transaction RZ20
    –   Transport from there to the monitored SAP systems
•   Hints:
    –   First create and activate a container for threshold values (properties variants).
    –   Then maintain threshold values for the MTEs in your own monitors.
    –   Using properties variants you can transport collections of threshold values into other SAP systems.

Threshold values can be stored for a monitoring attribute. Threshold values determine when the monitoring attribute should trigger a yellow or a red alert, and when it should become green or yellow again. The CCMS monitor infrastructure is delivered preconfigured with threshold values recommended by SAP. You should, however, check the threshold values, at least for the monitoring attributes that you consider to be important and that you have included in your own monitors. In this way, you adapt system monitoring to your system environment in the best possible way. Otherwise, alerts can be constantly or never triggered, depending on whether the threshold value is too low or too high for your system environment.

Caution: Threshold values must be stored locally in every system. However, instead of maintaining the same threshold values in every system, we recommend that you maintain the values in the central monitoring system, if possible, and then transport them to the monitored SAP systems using properties variants. The prerequisite for transporting the threshold values to other SAP systems is that you have stored them in properties variants.

•   What are properties variants?
    –   Containers in which system monitoring settings can be saved. Example: threshold values for an MTE
•   What are properties variants used for?
    –   Monitoring behavior can be switched dynamically
    –   Monitoring behavior can be coupled to operation modes
    –   Copying settings to other systems
    –   Additional information is available in training course ADM106

Figure 127: Maintaining Threshold Values


After you have activated your properties variant, you can check the threshold values for the monitoring attributes you consider important and have included in your own monitors. To do this, open your monitor. Select a monitoring attribute and choose Properties. The current tab page displays the valid threshold value definition. The thresholds for Change from GREEN to YELLOW and Change from YELLOW to RED are defined to change sooner than the thresholds for Change from RED to YELLOW and Change from YELLOW to GREEN. In this way, you avoid your monitor “flickering” if the measured value is wavering around the threshold value. It is useful to give an “all clear” only once the situation has markedly improved. Choose Display → Change. You can now adjust the threshold values to your requirements. Save your settings. If several changeable properties variants are defined in your system, you can select (in a dialog box) the properties variants in which you want to save your changed threshold values. Note that the currently active variant is preselected. You can change the selection as desired.
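The separate escalation and "all clear" thresholds described here, together with the properties variant containers introduced in the previous section (a variant that inherits from a parent such as *, and a <SID>_DAY variant whose thresholds are lowered by a factor of 100 as in Task 7 of the exercise), can be modelled as a small state machine. The following is an added example and not SAP code: the classes PropertiesVariant and Thresholds, the function names, the threshold numbers and the sample response times are constructed for illustration and are not SAP's delivered defaults. One assumption of the model is that a RED attribute steps down one colour per sample.

```python
"""Constructed model of CCMS threshold hysteresis and properties variants.

Added example, not SAP code: PropertiesVariant, Thresholds, next_state and
the sample values are assumptions made for illustration. The threshold
numbers are constructed and are not SAP's delivered defaults.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GREEN, YELLOW, RED = "GREEN", "YELLOW", "RED"


@dataclass
class Thresholds:
    """The four thresholds CCMS keeps for a performance attribute (here: ms)."""
    green_to_yellow: float   # escalate to YELLOW at or above this value
    yellow_to_red: float     # escalate to RED at or above this value
    red_to_yellow: float     # fall back to YELLOW only below this value
    yellow_to_green: float   # fall back to GREEN only below this value


@dataclass
class PropertiesVariant:
    """Container for monitoring settings. An MTE without its own thresholds
    here is resolved through the parent chain, like the '*' parent variant
    used for <SID>_DAY and <SID>_NIGHT in the exercise."""
    name: str
    parent: Optional["PropertiesVariant"] = None
    thresholds: Dict[str, Thresholds] = field(default_factory=dict)

    def resolve(self, mte: str) -> Thresholds:
        variant = self
        while variant is not None:
            if mte in variant.thresholds:
                return variant.thresholds[mte]
            variant = variant.parent
        raise KeyError(f"no thresholds for {mte} in the variant chain")


def next_state(state: str, value: float, t: Thresholds) -> str:
    """Escalation uses the upward thresholds immediately; the 'all clear'
    needs the value to drop below the separate downward thresholds.
    Assumption of this model: RED steps down one colour per sample."""
    if state == GREEN:
        if value >= t.yellow_to_red:
            return RED
        return YELLOW if value >= t.green_to_yellow else GREEN
    if state == YELLOW:
        if value >= t.yellow_to_red:
            return RED
        return GREEN if value < t.yellow_to_green else YELLOW
    return YELLOW if value < t.red_to_yellow else RED


def evaluate(samples: List[float], t: Thresholds, state: str = GREEN) -> List[str]:
    """Feed measured values through the state machine; one colour per sample."""
    states = []
    for value in samples:
        state = next_state(state, value, t)
        states.append(state)
    return states


def count_transitions(states: List[str]) -> int:
    """Colour changes in a run; a 'flickering' monitor has many of them."""
    return sum(1 for a, b in zip(states, states[1:]) if a != b)


def naive_states(samples: List[float], threshold: float = 2000.0) -> List[str]:
    """Single threshold with no hysteresis, for comparison."""
    return [YELLOW if v >= threshold else GREEN for v in samples]


MTE = "ResponseTime"
# '*' carries constructed defaults; C11_NIGHT inherits them unchanged; C11_DAY
# lowers them by a factor of 100, as Task 7 suggests, so the current values
# raise an alert.
STAR = PropertiesVariant("*", thresholds={MTE: Thresholds(2000, 3000, 2500, 1500)})
NIGHT = PropertiesVariant("C11_NIGHT", parent=STAR)
DAY = PropertiesVariant("C11_DAY", parent=STAR,
                        thresholds={MTE: Thresholds(20, 30, 25, 15)})

# Constructed dialog response times (ms) that waver around the 2000 ms mark,
# then recover, then spike.
SAMPLES = [1800, 2050, 1950, 2100, 1980, 2020, 1990, 1700,
           1400, 1300, 3200, 2600, 2400, 1450]


def states_for(variant: PropertiesVariant, samples: List[float] = SAMPLES) -> List[str]:
    return evaluate(samples, variant.resolve(MTE))


if __name__ == "__main__":
    for variant in (NIGHT, DAY):
        run = states_for(variant)
        print(f"{variant.name}: {run} -> {count_transitions(run)} transitions")
    print(f"no hysteresis: {count_transitions(naive_states(SAMPLES))} transitions")
```

With the constructed samples the single-threshold comparison changes colour eight times while the hysteresis model changes five times, and the wavering section (1950 to 2100 ms) produces exactly one escalation instead of six flips. Under the lowered C11_DAY thresholds every sample is RED, which is the effect Task 7 of the exercise relies on to produce an alert to analyze.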


Exercise 17: Integrating Remote Systems and Creating Your Own Monitors

Exercise Objectives
After completing this exercise, you will be able to:
•   Integrate a remote system into central system monitoring
•   Create your own monitors
•   Create a monitoring properties variant and maintain threshold values

Business Example
As an administrator, you integrate remote systems into central system monitoring and then create your own monitor definitions, which are specifically adjusted to your systems. Monitors can only be used in a meaningful way if the selected threshold values for the individual monitoring attributes are set to sensible values. For this reason, you will assign new threshold values to the monitor attributes you are evaluating.


Caution: You will work through this exercise as follows (for further details, please see the individual exercise steps):
1.  In your respective SAP ECC system, client 000: Create user CSMREG. In the SAP Solution Manager system, client 000: Together with your partner group(s) you will create the user CSMREG.
2.  In the SAP Solution Manager system, client 000: Each group will use the functions provided by CCMS to connect their respective SAP ECC system to the monitoring functions offered by CCMS in the SAP Solution Manager.
3.  In the SAP Solution Manager system, client 000: Using transaction RZ20, you will create your own monitoring collection (proposed name ADM100_##, where ## needs to be replaced by your group number).
4.  In the SAP Solution Manager system, client 000: Create your own monitor definition in your newly created monitoring collection. The resulting monitor should display information on dialog response times of both remote systems and the SAP Solution Manager itself (proposed name Dialog Response Times).
5.  In your respective SAP ECC system, client 100: Create two properties variants (<SID>_DAY / <SID>_NIGHT), where you replace <SID> with the SID of your SAP ECC system.
6.  In your respective SAP ECC system, client 100: Activate the properties variant <SID>_DAY manually.
7.  In your respective SAP ECC system, client 100: Change the threshold values for the attribute DialogResponseTime in such a way that, according to the current values, an alert (yellow or red) will be raised.
8.  In the SAP Solution Manager system, client 000: Find and analyze the new alert, and finally confirm it.

Task 1: Create several users CSMREG
In client 000 of your SAP ECC system, using transaction RZ21, you will create the user CSMREG. Set the password for this user to monitor. Together with your partner group(s) log on to client 000 of the SAP Solution Manager system to create the user CSMREG there as well. Set the password for this user to monitor.
1.  In your respective SAP ECC system: Log on to client 000 of your SAP ECC system.
2.  Use transaction RZ21 to create the user CSMREG. Set the password to monitor.
3.  In the SAP Solution Manager system, client 000: Together with your partner group(s) log on to client 000 of the SAP Solution Manager system.
4.  Together with your partner group(s) use transaction RZ21 to create the user CSMREG. Set the password to monitor.

Task 2: Connect/Register remote SAP system
In the SAP Solution Manager system, client 000: Register/Connect your SAP ECC system to the central SAP Solution Manager system for system monitoring using CCMS.
1.  In the SAP Solution Manager system use transaction RZ21 to register your SAP ECC system. Consider the necessary input values and do not use load balancing.

Task 3: Create a new monitor collection
In the SAP Solution Manager system, client 000:
1.  Create a monitor collection ADM100_## (where ## needs to be replaced by your group number).

Task 4: Create a new monitor definition
In the SAP Solution Manager system, client 000:
1.  Create a new monitor definition Dialog response times, which displays dialog response times from all systems and instances available in the CCMS of your SAP Solution Manager.

Task 5: Create new properties variants
In your respective SAP ECC system, client 100:
1.  Create two properties variants. Use the names <SID>_DAY and <SID>_NIGHT, where you replace <SID> with the SID of your SAP ECC system. For Parent variant use the properties variant *.


Task 6: Manually switching the active properties variants
In your respective SAP ECC system, client 100:
1.  Activate your newly created “DAY” properties variant.

Task 7: Adapt threshold values
In your respective SAP ECC system, client 100:
1.  Adapt the threshold values for dialog response time on your SAP ECC system. Change the threshold values in such a way that the current system state yields a yellow or red alert. Save your changes in the newly created and currently active properties variant.

Result
The threshold values are adapted successfully and have been stored in your active properties variant. Now you could define different threshold values for the “Night” properties variant (not done in this course).

Task 8: Process alert messages
In the SAP Solution Manager system, client 000:
1.  Open your monitor Dialog response times. Display all alerts of this monitor. Process one alert that has been raised in your SAP ECC system.
    i)   Execute the analysis method for one alert.
    ii)  Switch back to the alert browser and confirm this alert.
    iii) Is it still shown in the list?
    iv)  How can you display confirmed alerts?

Result
You have seen and analyzed an alert from a remote system; afterwards you set its status to DONE.


Solution 17: Integrating Remote Systems and Creating Your Own Monitors

Task 1: Create several users CSMREG
In client 000 of your SAP ECC system, using transaction RZ21, you will create the user CSMREG. Set the password for this user to monitor. Together with your partner group(s) log on to client 000 of the SAP Solution Manager system to create the user CSMREG there as well. Set the password for this user to monitor.
1.  In your respective SAP ECC system: Log on to client 000 of your SAP ECC system.
    a)  Choose a valid user for client 000 of your SAP ECC system and log on.
2.  Use transaction RZ21 to create the user CSMREG. Set the password to monitor.
    a)  Use transaction RZ21 to create the user CSMREG (Technical infrastructure → Configure Central System → Create CSMREG User).
    b)  Enter the password monitor twice and confirm your input with Return.
    c)  Confirm the success message using Continue.
3.  In the SAP Solution Manager system, client 000: Together with your partner group(s) log on to client 000 of the SAP Solution Manager system.
    a)  Choose a valid user for client 000 of your SAP Solution Manager system and log on.
4.  Together with your partner group(s) use transaction RZ21 to create the user CSMREG. Set the password to monitor.
    a)  Use transaction RZ21 to create the user CSMREG (Technical infrastructure → Configure Central System → Create CSMREG User).
    b)  Enter the password monitor twice and confirm your input with Return.
    c)  Confirm the success message using Continue.


Task 2: Connect/Register remote SAP system
In the SAP Solution Manager system, client 000: Register/Connect your SAP ECC system to the central SAP Solution Manager system for system monitoring using CCMS.
1.  In the SAP Solution Manager system use transaction RZ21 to register your SAP ECC system. Consider the necessary input values and do not use load balancing.
    a)  Start transaction RZ21 (Tools → CCMS → Configuration → Attributes and Methods).
    b)  Choose Technical infrastructure → Configure Central System → Create remote monitoring entry.
    c)  From Instance Type to Be Monitored choose the entry ABAP.
    d)  Enter the System-ID (SID) of your SAP ECC system.
    e)  Name the Message-Server of your SAP ECC system (e.g. twdf9999.wdf.sap.corp).
    f)  Choose Load Balancing N (no load balancing).
    g)  Set System Number to the value for the Primary Application Server of your SAP ECC system (e.g. 00 or 10).
    h)  Enter the Password for the user CSMREG in client 000 of your SAP ECC system (should be monitor).
    i)  Enter the Password for the user CSMREG in client 000 of your SAP Solution Manager system (should be monitor).
    j)  Enter the Password for the operating system user <sid>adm of your SAP ECC system. The password should be <sid>adm, where <sid> is to be replaced by the actual SID of your system.
    k)  Choose Save.
    l)  Wait until the logical ports have been generated.


Task 3: Create a new monitor collection
In the SAP Solution Manager system, client 000:
1.  Create a monitor collection ADM100_## (where ## needs to be replaced by your group number).
    a)  Start transaction RZ20.
    b)  Activate the maintenance function by choosing Extras → Activate maintenance function.
    c)  Select Create.
    d)  On the following screen New monitor set is already selected. Choose Copy.
    e)  Enter a name for your new monitor set ADM100_##.
    f)  Set Modifiability to Only for me.
    g)  Release your monitor collection as Public.
    h)  Proceed by Copy.
    Note: Your monitor collection will be displayed below My favorites. Now you can create new monitor definitions within your new monitor collection.


Task 4: Create a new monitor definition
In the SAP Solution Manager system, client 000:
1.  Create a new monitor definition Dialog response times, which displays dialog response times from all systems and instances available in the CCMS of your SAP Solution Manager.
    a)  Start transaction RZ20.
    b)  Activate the maintenance function by choosing Extras → Activate maintenance function.
    c)  Mark your new monitor set ADM100_##.
    d)  Select Create.
    e)  You will see the SAP systems and their instances that can be reached currently.
    f)  Expand the tree display to SID → Instance → R3Services → Dialog → Response Time.
    g)  Choose the select flag for this attribute.
    h)  Repeat the previous two steps for all instances that can be reached.
    i)  Choose Save.
    j)  Enter the name Dialog response times for your monitor definition.
    k)  Open your monitor by double-clicking the newly created monitor definition.

Task 5: Create new properties variants
In your respective SAP ECC system, client 100:
1.  Create two properties variants. Use the names <SID>_DAY and <SID>_NIGHT, where you replace <SID> with the SID of your SAP ECC system. For Parent variant use the properties variant *.
    a)  Start transaction RZ21 (Tools → CCMS → Configuration → Attributes and Methods).
    b)  Choose Properties → Variants → Create.
    c)  Confirm the pop-up.
    d)  Enter the Variant name as described above.
    e)  Enter a Description.
    f)  Select for Parent variant the variant *.
    g)  Choose Save.
    h)  Repeat the procedure for the second properties variant.

Task 6: Manually switching the active properties variants
In your respective SAP ECC system, client 100:
1.  Activate your newly created “DAY” properties variant.
    a)  Start transaction RZ21 (Tools → CCMS → Configuration → Attributes and Methods).
    b)  Choose Properties → Variants → Activate.
    c)  Select your variant <SID>_DAY.
    d)  Confirm the pop-up.
    e)  The currently active variant is displayed on the entry screen of transaction RZ21 as Variants currently active.

Task 7: Adapt threshold values
In your respective SAP ECC system, client 100:
1.  Adapt the threshold values for dialog response time on your SAP ECC system. Change the threshold values in such a way that the current system state yields a yellow or red alert. Save your changes in the newly created and currently active properties variant.
    a)  Call transaction RZ20.
    b)  Expand the monitor collection SAP CCMS Monitor Templates.
    c)  Open the monitor Dialog per Application Server.
    d)  Expand the monitor until you find the attribute ResponseTime.
    e)  Select the attribute ResponseTime and choose Properties.
    f)  On the PerformanceAttribute tab you can find the current threshold values.
    g)  Choose Display → Change (Shift + F6).
    h)  Adapt the threshold values in such a way that the current system state yields a yellow or red alert (e.g. lower all threshold values by a factor of 100).
    i)  Choose Save.
    j)  In the pop-up window Monitoring: Properties and Methods exclusively select your newly created (and currently active) variant <SID>_DAY and confirm with Continue.

Result
The threshold values are adapted successfully and have been stored in your active properties variant. Now you could define different threshold values for the “Night” properties variant (not done in this course).

Task 8: Process alert messages
In the SAP Solution Manager system, client 000:
1.  Open your monitor Dialog response times. Display all alerts of this monitor. Process one alert that has been raised in your SAP ECC system.
    i)   Execute the analysis method for one alert.
    ii)  Switch back to the alert browser and confirm this alert.
    iii) Is it still shown in the list?
    iv)  How can you display confirmed alerts?
    a)  Open your monitor Dialog response times by double-clicking your new monitor definition.
    b)  Switch to the view Open Alerts.
    c)  Double-click on a yellow or red MTE of your SAP ECC system.
    d)  Mark one of the alerts in the alert browser.
    e)  Choose the push button Start analysis method (Ctrl + F10).
    f)  You will see the logon screen of your SAP ECC system because no user data has been stored in the RFC connection for data analysis.
    g)  Use your user data to log on to your SAP ECC system.
    h)  You will be referred to transaction ST03 in your SAP ECC system. You won't be using this transaction now.
    i)  Leave the analysis transaction and switch back to your monitor display.
    j)  Choose Complete alerts.
    k)  The alert will disappear from the list.
    l)  To see the alert again, choose Show alert history.
    m)  The completed alert has the status DONE.

Result
You have seen and analyzed an alert from a remote system; afterwards you set its status to DONE.


Lesson Summary
You should now be able to:
•   Integrate remote systems into the CCMS Alert Monitor
•   Design and create your own monitor definitions
•   Set threshold values

Related Information
You can find further information about system monitoring:
•   On SAP Community Network: http://scn.sap.com/docs/DOC-8335
•   Training ADM106 - SAP System Monitoring Using CCMS I
•   Training ADM107 - SAP System Monitoring Using CCMS II


Lesson: Introduction to Monitoring using SAP Solution Manager

Lesson Overview
This lesson will introduce the technological prerequisites for some monitoring/analysis options offered by SAP Solution Manager, based on the software release SAP Solution Manager 7.1 as available since Q4 of 2011.

Lesson Objectives
After completing this lesson, you will be able to:
•   List technical components required for different monitoring capabilities of SAP Solution Manager 7.1
•   Describe selected functions and their use

Business Example
You are interested in a short overview of the technical prerequisites of some monitoring/analysis functions offered by SAP Solution Manager 7.1.

SAP Solution Manager Monitoring – Introduction
With SAP Solution Manager 7.1 a new monitoring infrastructure has been introduced. It is SAP’s new standard for central monitoring and alerting. This end-to-end monitoring and alerting infrastructure (MAI) allows stable and reliable operation of complex heterogeneous system landscapes. To monitor the correct functioning of the landscape, a large number of metrics and alert types, as well as various applications, are available to you, which provide prior warning about potential problems.


Monitoring and Analysis Functions of SAP Solution Manager 7.1 and CCMS
In recent years, SAP Solution Manager has evolved considerably. With SAP Solution Manager 7.1, the monitoring and analysis functions have been significantly expanded and are based on a new technical infrastructure. However, some fundamental questions around monitoring never change:
1.  What data is collected? Where is the collected data stored (initially)? How is this data collected?
2.  How is the data transferred to the tool of analysis? Are special transfer options available?
3.  What tool is being used for data display and/or data analysis?

If you have already worked with monitoring functions offered by the Computing Center Management System (CCMS), then you already know the answers to these fundamental questions:

What data is collected? Where is the collected data stored (initially)? How is this data collected?
Data is collected via differently implemented data collectors; only data for which data collectors exist can be collected. The data is initially stored in monitoring segments, attached to each instance.

How is the data transferred to the tool of analysis? Are special transfer options available?
Data is transferred to the central monitoring system (CEN) via RFC connections. Those RFC connections might point to instances of SAP systems based on AS ABAP, or they may point to the so-called “CCMS agents”. In systems based on SAP NetWeaver 7.1 and higher, the CCMS agents are being replaced by SAPSTARTSRV.

What tool is being used for data display and/or data analysis?
Data collected by the CCMS can be displayed via transaction RZ20.

For SAP Solution Manager 7.1 you need to be aware that the scope of metrics that can be monitored/analyzed is not restricted to the metrics collected and stored by CCMS. SAP Solution Manager (7.1) can display additional data that does not originate in CCMS. This means:
... there are additional ways of collecting and storing data
... there are additional modes of data transfer between “place of origin” and SAP Solution Manager
... there are additional tools for displaying/analyzing the collected information

Note: Please be aware that because SAP Solution Manager largely uses its own infrastructure for data collection, storage and display, there are virtually no negative effects from using the advanced monitoring capabilities of SAP Solution Manager and the traditional monitoring functions of CCMS in parallel.

Technical Prerequisites for selected Monitoring and Analysis Capabilities with SAP Solution Manager
This section will list some monitoring and analysis capabilities of SAP Solution Manager and their technical prerequisites. Some of the following information has been valid for many years; some information only applies to SAP Solution Manager 7.1.

Caution: The content of this section is VERY high-level and of an introductory character. For further insight, it is required to extensively study the recommended courses listed below.

Caution: Virtually all functions introduced in this lesson require that your SAP Solution Manager system has been set up “fundamentally” using transaction SOLMAN_SETUP. Also, all managed systems need to be connected to the SAP Solution Manager system.

Note: Please be aware that this lesson focuses on an introduction to some technology-related topics. License- or maintenance contract-related topics won't be covered here. For example, some of the functions described might require that your company makes use of SAP Enterprise Support.

Technical Requirements for using Metrics Monitoring (MAI)
SAP Solution Manager 7.1 offers the monitoring of many different attributes of SAP and non-SAP systems within your system landscape. These attributes will be labeled as “metrics” in the following. To be able to monitor many different metrics and to make full use of the monitoring capabilities of SAP Solution Manager 7.1, it is necessary to configure SAP Solution Manager and the remote system accordingly.


Figure 128: Technical Requirements for using Metrics Monitoring

Remote systems are also named managed systems or satellite systems. SAP Solution Manager is sometimes labeled as the managing system. To be able to use the end-to-end monitoring and alerting infrastructure (MAI), you fundamentally need to implement the following software components:

Wily™ Introscope Agents (or IS Agents)
This remote component collects performance data and metrics from different technical components and comes in different forms, for example the Wily™ Introscope Bytecode Agent, which collects performance data and metrics out of a Java server process. The collected information is transferred to the Wily™ Introscope Enterprise Manager.

Wily™ Introscope Enterprise Manager (EM)
This serves as a central repository where all performance data and metrics collected by Wily™ Introscope Agents are stored centrally.

Solution Manager Diagnostics Agent (or SMD Agent)
The Solution Manager Diagnostics Agent (or SMD agent) allows a connection between SAP Solution Manager and the managed system to produce and collect information from the remote system. It must be installed once per host or virtual host.

SAP Host Agent
The SAP Host Agent is the component that monitors the host / operating system interaction. It is installed once per physical host that should be monitored.

Figure 129: SAP Solution Manager Orchestra

This picture is simplified and shows the data flow between the involved components. Although this is not shown in the diagram, it is also recommended to install Diagnostics Agents and an SAP Host Agent for non-SAP systems, for example to obtain operating system metrics. The components shown in the picture which have not yet been discussed in detail:

EFWK
The Extractor Framework (EFWK) processes the information of the connected ABAP systems and the Wily™ Introscope Enterprise Managers within the SAP Solution Manager. The EFWK saves the data from a product instance perspective within an InfoCube. The InfoCube is a technical object and a component of the NetWeaver Business Intelligence (BI).

ST-PI and ST-A/PI
An interface for the collection and transmission of data and performance metrics of ABAP components (technically they are two SAP software components). The Extractor Framework (EFWK) fetches the data into the SAP Solution Manager system.

Additional documentation is available at:
https://wiki.sdn.sap.com/wiki/display/SMSETUP/Home
http://wiki.sdn.sap.com/wiki/display/TechOps/RCA_Home
http://wiki.sdn.sap.com/wiki/display/TechOps/Home

For more information, please also refer to the following SAP Notes:
SAP Note 1365123: Installation of Diagnostics Agents and the attached document AgentInstallationStrategy.pdf
SAP Note 797147: Wily Introscope Installation for SAP Customers

More information about the configuration of SAP Solution Manager and the infrastructure it uses is provided in the course SM100.

Configuring the Monitoring & Alerting Infrastructure (MAI)

The Template Concept
SAP provides predefined monitor attributes using SAP monitoring templates. These include all the best practice metrics, events and alerts for hosts, databases and systems.

Figure 130: Monitoring Templates delivered by SAP

You use Template Maintenance to manage the content of End-to-End Monitoring and Alerting Infrastructure (MAI) for adapting to your specific needs. This is achieved using templates that contain the Metrics, Events, and Alerts (MEA) for managed objects such as technical systems, instances, databases and hosts (server).


You can use it to do the following:
•   View SAP-delivered content
•   Modify SAP-delivered content or create your own content using custom templates
•   Back up your custom templates
•   Change incident and notification settings in SAP or custom templates
•   Create multiple copies of a custom template
•   Maintain auto-reactions for alerts (in SAP or custom templates)
•   Integrate third-party connectors for specific needs (in SAP or custom templates)
•   Maintain settings for individual work modes (in custom templates)
•   Check whether a managed object is running with outdated configuration

You can find a current list of all templates delivered by SAP at the following link: http://wiki.sdn.sap.com/wiki/display/TechOps/SysMon_SupportedProducts

Use Guided Procedures for setting up
To start the configuration wizard you can either use the transaction SOLMAN_SETUP or the transaction SM_WORKCENTER by selecting the work center named SAP Solution Manager Configuration.

Figure 131: The Guided procedures for technical monitoring

There, all monitoring functions are configured using a configuration wizard. The guided procedures for technical monitoring allow you to configure the selected scenario in a few configuration steps. For every step there is documentation available telling you what it does. The integrated log functionality shows you why a step has not succeeded. After the setup wizard has been run completely and without errors, the scenario is activated. You can use it in the work center Technical Monitoring.

Here is an overview of all available monitoring functions of the MAI (as of SAP Solution Manager Release Version 7.1 SPS 5):
•   The System Monitoring allows you to access the latest snapshot of monitoring data for systems, databases and hosts.
•   The IT Infrastructure Monitoring allows you to access the latest snapshot of monitoring data for IT infrastructure devices. (New in 7.1 SPS5)
•   The SolMan Self-Monitoring monitors the core functionality of SAP Solution Manager itself.
•   End-User Experience Monitoring (EEM) delivers availability and performance information from the end-user point of view.
•   The PI Monitoring provides central access to monitoring data for PI components, PI channels and cross-system message flow. (Starts with PI Release 7.11 SPS06)
•   Connection Monitoring makes you aware of availability and performance problems for connections between systems.
•   The Interface Channel Monitoring provides central access to monitor your most relevant interfaces (in terms of utilization and degree of business relevance) for performance, usage, availability and exceptions. (New in 7.1 SPS5)
•   The BI Monitoring allows monitoring of all components of an SAP Business Intelligence solution such as Business Objects Web Server, Business Objects Server and Business Warehouse.

Working with the Monitoring & Alerting Infrastructure (MAI)
To work with the MAI, log on to the SAP Solution Manager, call transaction SM_WORKCENTER and navigate to the work center Technical Monitoring. There you will find all functional areas clearly structured in the navigation on the left.


Figure 132: The Work Center Technical Monitoring

The functions available within this work center are in accordance with the functional areas in the configuration section, with the following exceptions:
• Alert Inbox - the central access point for analyzing and solving Technical Monitoring problems in an SAP Solution Manager landscape
• Interactive Reporting - displays the development of the most important metrics of your managed objects (such as systems, hosts and databases) centrally, to identify potential problems early and to give an overview of the load, availability and performance of these objects. The lifetime and granularity were defined during configuration of the system monitoring scenario.
• Generated Documents - allows you to access EarlyWatch Alert Reports (EWA), EarlyWatch Alert for Solution Reports (EWA fS) and Service Level Reports (SLR) which are available within the SAP Solution Manager

Now we present some selected functions in more detail.

The Alert Inbox
The Alert Inbox is the central access point for analyzing and solving Technical Monitoring problems in an SAP Solution Manager landscape.


Figure 133: The Alert Inbox

The Alert Inbox is integrated with:
• Incident Management, to maintain support messages (Create Incident)
• Notification Management, to share the status of an alert with various users (Create Notification)

Features
• Navigate to alerts using a customized query (Define New Query)
• Analyze the alerts efficiently by navigating to various monitoring tools (column Worst)
• Track the status of alerts efficiently by assigning them to a processor and recording the status and comments (Assign)
• Generate a customized analysis report to be attached to incidents and notifications (Create Analysis Report)
• Postpone alerts for a time period, so that they do not appear in the list (Postponement)
• Confirm the alert if the problem has been solved (Confirm)

System Monitoring
Within the work center Technical Monitoring you can also check the status of the selected systems graphically. To do so, select System Monitoring in the navigation tree. Choose the system or systems you want to see and press the button System Monitoring in the content area.


Figure 134: The graphic System-Monitoring application

In the window that opens, you first see the system list, which displays a summary of your selected systems. There you can see in which category (Availability, Performance, Configuration or Exception) the highest alert for each system has been triggered. In the example this is the Exception category. You can also see how many alerts have been triggered for this system (in the picture: 13 alerts). Clicking the product version takes you into the system hierarchy, which is the graphical system monitoring application. Here you can navigate through the individual metrics and their state, either on the left in the graphical tree (structured from top to bottom: system, instance(s), database and host(s)) or on the right using the tree hierarchy. By right-clicking the black triangle you can display, among other things, the metric documentation. From there you can also reach the metric monitor by clicking the bar chart symbol twice.


Figure 135: The Metric Monitor

The metric monitor displays the selected metric for a longer time period. How long the data is kept in the data store is also set in the configuration wizard for system monitoring. You can choose whether you want to use the monitor with or without thresholds, change the view from graphic to table, and define the period you want to evaluate.

End-User Experience Monitoring
The aim of End-User Experience Monitoring (EEM) is to monitor the duration and the availability of prerecorded business process scenarios. SAP EEM collects information on the real, subjective system behavior as experienced by human end users. It provides information on the availability and performance of real applications as experienced by end users at a given location. For example, while working on the same SAP system, creating a customer order might take considerably longer from one location of your company (e.g. Sydney), whereas the same activity takes almost no time from another location (e.g. Tokyo). EEM captures this subjective system behavior. The collected information can help tremendously in the root cause analysis of performance problems: for example, you can easily see whether an unwanted system behavior can be observed globally or only from one location.


SAP End-User Experience Monitoring (EEM) is a toolbox for evaluating and reporting the availability and performance of your productive systems from a client-side perspective. Because it is integrated into the E2E Diagnostics infrastructure, discovering, analyzing and resolving issues is considerably faster.

Technical Requirements for using End-User Experience Monitoring
Technically, SAP EEM relies on EEM robots to execute predefined scripts that simulate realistic end-user activities. Note that this simulated work is actually carried out in the back-end system: there are no dummy activities, but real system interaction. Plan accordingly: the user the robot logs on with needs the authorizations that the scripted steps check, and the scripts must be chosen so that they do not leave unwanted changes in productive data. EEM robots can carry out scripts describing activities via HTTP or in SAP GUI. You can create your own scripts with a script recorder. To implement SAP EEM, you need to install EEM robots, which are in fact Solution Manager Diagnostics Agents (SMD agents), at the locations to be monitored. Usually, it suffices to install one EEM robot on a single machine per location. SAP Solution Manager serves as the back end for SAP EEM.

Using End-User Experience Monitoring
After configuring the scenarios, open the Technical Monitoring work center. Then select End-User Exp. Monitoring in the navigation tree on the left. Select the scenario or scenarios you want to see and choose the Monitoring button in the content area.

Figure 136: The End-User Experience Monitoring


In the picture you can see, among other information, which script took how much time on which robot. With the Config Tab button you can configure different views. Learn more about SAP EEM on the SAP Community Network (SCN): http://wiki.sdn.sap.com/wiki/display/EEM/Home

Users and Permissions for the Monitoring & Alerting Infrastructure (MAI)
Note that for all functions presented, the corresponding SAP authorization roles must be assigned to the users. More information can be found in the Security Guide for SAP Solution Manager: http://service.sap.com/instguides → SAP Solution Manager → Release
More information regarding the configuration and use of the E2E Monitoring & Alerting Infrastructure (MAI) is provided in the course E2E120.


Lesson Summary
You should now be able to:
• List technical components required for different monitoring capabilities of SAP Solution Manager 7.1
• Describe selected functions and their use

Related Information
• SAP Courses:
  SM100 - SAP Solution Manager Configuration for Operations
  E2E100 - E2E Root Cause Analysis
  E2E120 - Technical Monitoring in SAP Solution Manager 7.1
  ADM106 - SAP System Monitoring Using CCMS I
  ADM107 - SAP System Monitoring Using CCMS II


Lesson: Traces and Logs

Lesson Overview
In this lesson, you will learn about the different trace and log options available in the SAP system. You will perform and evaluate a trace yourself.

Lesson Objectives
After completing this lesson, you will be able to:
• Name different trace and log options
• Perform simple traces in the SAP system

Business Example An unexpected, reproducible error situation is occurring in your SAP system. As a system administrator, it is your task to find the cause of the error.

Introduction
You can follow the processing of various operations in your SAP system with trace functions. This allows you to monitor the system and isolate problems that occur. There are many trace options in SAP systems; the main ones are listed below.

Trace: In SAP environments, the term "trace" usually describes a function for logging system activities that can be switched on and off and whose level of detail can often be adjusted. A good example of such a function is the system trace, transaction ST01.

Logs: The term "log" describes information that is written continuously, recording certain system events. Logs can be held within the SAP system or externally (at operating system level). An example is the system log, transaction SM21.

There are also functions which combine features of traces and logs, for example the developer traces.


SAP systems offer many trace functions; the most important ones are shown in the following list.
• System Log (SM21)
• Dump Analysis (ABAP runtime errors: ST22)
• System Trace (ST01)
• Performance Analysis (ST05)
• Developer Traces (error log files: ST11)

Functions Overview
You can use the System Log (transaction SM21) to determine and correct errors that occur in your system and its environment. SAP application servers record events and problems in system logs. Every SAP application server has a local log that contains the messages output by this server. If unpredictable errors occur at runtime when you call an ABAP program, a runtime error occurs that generates a short dump (transaction ST22). If you want to record internal SAP system activities, such as authorization checks, database accesses, kernel functions and RFC calls, use the System Trace function (transaction ST01). The Performance Analysis (transaction ST05) allows you to record database calls, lock management calls and remote calls of reports and transactions in a trace file, and to display the logged measurement results as lists. The performance analysis also offers extensive support for a detailed analysis of individual trace records. All the functions of the performance analysis are also available in the system trace; the performance analysis is the more suitable tool for certain problems, since its reduced scope of functions makes it easier to handle. Technical information about internal SAP problems is logged in the developer traces.

System Log Events and problems are recorded locally on each application server and displayed in the system log (syslog) in the SAP system.


Figure 137: System Log (SM21)

If you are using the UNIX operating system, you can also work with central logging. In this case, each application server periodically copies its local log to a central log. Central logging is not possible on Microsoft Windows and iSeries hosts. Technically, the system log is written to a ring buffer: when the log file reaches the maximum permitted size, the system begins to overwrite the oldest data.
Note: Also read the following SAP Notes, which concern the system log:
SAP Note 712706: Program RSLGVIEW - reading the SAP system log without system
SAP Note 28665: Central syslog under NT. This note provides a solution that uses CCMS monitoring functions as well as a feature for viewing the logs for all instances of a system.
You can also use the SAP Microsoft Management Console and the SAP Management Console to view the syslog, irrespective of whether or not the instances in question have started successfully.
Hint: The system does not display a message when old log data is overwritten. If you need the entries later (for example, as evidence in an investigation), secure the log files before the ring buffer overwrites them.
To display a log, choose Tools → Administration → Monitor → System Log or call transaction SM21. By default, the system reads the log for the last one to two hours. As well as the local system log, you can display the system logs of other application servers in transaction SM21. To do this, choose the menu path System Log → Choose → All Remote System Logs or System Log → Choose → Central System Log.


In expert mode (menu path Edit → Expert Mode), you can extend the selection criteria so that it is possible to search for entries for a particular terminal. To do this, choose the Attributes button. In UNIX systems, you can display the status of the send process in the SAP system in transaction SM21 by choosing Environment → Process Status. You can define the path and file names for the local and central log files with the following system profile parameters:
• rslg/local/file: File name for the local log (default: SLOG)
• rslg/central/file: File name for the active central log (default: SLOGJ); not valid for Microsoft Windows NT and AS/400 platforms.

By default, the log files for the local system log are stored in the directory /usr/sap/<SID>/<instance>/log. The central system log is stored in /usr/sap/<SID>/SYS/global. You can also schedule system logging as a job. Two ABAP programs are provided to do this:
• RSLG0000: To create the local system log
• RSLG0001: To create the central system log (not on Microsoft Windows NT and AS/400 platforms)

Dump Analysis ABAP programs are checked statically when they are created and dynamically when they are running. Errors that are not statically predictable and only occur at runtime are dynamically identified by the ABAP runtime environment. States of this type lead to exceptions. If an exception is not handled or cannot be handled, a runtime error occurs. If a runtime error occurs, the ABAP runtime environment terminates the execution of the program, generates a short dump and branches to a special screen for analyzing the short dump. You can also find short dumps in transaction ST22 or by choosing the menu path Tools → ABAP Workbench → Test → Dump Analysis.


A short dump is divided into different sections that document the error. The overview shows what other information is output in the short dump, such as the contents of data objects, active calls, control structures, and so on. You can branch to the ABAP Debugger at the termination point from the short dump view. The following error situations exist:
• Internal Error: The kernel identifies an error state. In this case, send a message to notify SAP.
• Installation and Environment/Resource Error: An error occurred that was caused by an incorrect system installation or missing resources (such as the database being shut down).
• Error in Application Program. Typical causes are:
  – Content of a numeric field not in the correct format
  – Arithmetic overflow
  – An external procedure is not available
  – Type conflict when transferring parameters to an external procedure

By default, short dumps are stored in the system for 28 days. The transaction for managing short dumps is ST22. You can delete short dumps in accordance with a time specification using the Reorganize function, which you call by choosing Goto → Reorganize. You can save a short dump without a time limit using the Keep function, which you choose from the detail view under Short Dump → Keep/Release. If problems occur with ABAP programs that you cannot solve yourself, you can send an extract of the short dump to SAP. A short dump is an important basis on which the SAP Hotline and remote consulting solve problems.

Important Features of Dump Analysis
• If a runtime error occurs, a short dump is generated. You can use transaction ST22 to analyze this short dump.
• Dump data is stored in the database.
• Dump data can be reorganized.
• Individual short dumps can be flagged for retention.

(SAP) System Trace
You can use the (SAP) system trace ("system trace" for short) to record internal system activities. The system trace is primarily used when authorization checks need to be traced. For system monitoring and problem analysis, we recommend that you use the system log or the developer trace instead. You can call the system trace in transaction ST01 or by choosing the menu path Tools → Administration → Monitor → Traces → SAP System Trace. You can also use transaction ST01 to display the inactive trace file. The system trace is used for analyzing:
• Authorization checks
• Kernel functions
• Kernel modules
• DB accesses (SQL trace)
• Accesses to table buffers
• RFC calls, also known as the RFC trace
• HTTP calls
• Lock operations (client-side), also known as the enqueue trace

You select the components to be logged on the initial screen. If the trace is activated for the authorization check, all authorization checks performed by the system are recorded. During the evaluation, you can identify which authorizations the system checked at which times. The following detail information is also provided: date, time, work process number, user, authorization object, program, line, number of authorization values, and authorization values. You can use the SQL trace to follow how the Open SQL commands in reports and transactions are converted to standard SQL commands, and the parameters with which the SQL commands are transferred to the database system in use. The results of the SQL command are also logged, such as the return code and the number of records found, inserted or deleted by the database. Logging the execution time and the call point in the application program allows you to perform more advanced evaluations. Because the parameter values passed to the database are recorded, trace files can contain business data: switch the trace off again as soon as the analysis is done, and restrict access to the trace files at operating system level. With the enqueue trace, you can follow which lock instructions the SAP system performs on which lock objects, and which parameters the system uses for these locks. The program that triggered the lock, the owner of the lock, and the time that the enqueue server required to release the lock again are also logged in the trace file. You can use the RFC trace to follow which remote calls the SAP system executes, and the instance on which these calls are executed. From the trace recording, you can see which function modules were called remotely by the program being analyzed, and whether the RFC call was executed successfully. The total time required for the execution of the remote call and the number of bytes sent and received during the RFC are also logged in the trace file.
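The authorization-check records described above are what you work through after a user reports "no authorization": the failed checks tell you exactly which object and which field values were missing, which is the input for a least-privilege role change. The following is an added example, not code from this course or from SAP. It parses a constructed export of such records whose layout is an assumption (semicolon-separated fields in the order the lesson lists them, plus the check's return code; it is not the native file format written by the SAP system trace) and reduces the failed checks to the minimal set of (user, object, values) that would have to be granted. The return-code meanings are those of the ABAP AUTHORITY-CHECK statement (0 = passed, 4 = values missing, 12 = no authorization for the object at all).

```python
"""Evaluate an authorization-check trace exported from the system trace (ST01).

Added example, not code from the SAP course. The record layout is an ASSUMED,
constructed export format, not the native trace file the SAP kernel writes:
one record per line, ten fields separated by semicolons, in the order
date;time;work process;user;authorization object;return code;program;line;
number of values;values (FIELD=VALUE pairs separated by commas).
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records for a short SU01 session by two users (not a real trace).
SAMPLE_TRACE = """\
20130315;10:42:01;3;TRAINEE01;S_TCODE;0;SAPMSYST;1021;1;TCD=SU01
20130315;10:42:01;3;TRAINEE01;S_USER_GRP;0;SAPLSUU5;412;2;ACTVT=03,CLASS=TRAIN
20130315;10:42:05;3;TRAINEE01;S_USER_GRP;4;SAPLSUU5;530;2;ACTVT=02,CLASS=TRAIN
20130315;10:42:05;3;TRAINEE01;S_USER_AGR;12;SAPLPRGN;2204;2;ACTVT=02,ACT_GROUP=Z_TRAIN
20130315;10:42:09;5;TRAINEE02;S_TCODE;0;SAPMSYST;1021;1;TCD=SU01
20130315;10:42:09;5;TRAINEE02;S_USER_GRP;4;SAPLSUU5;530;2;ACTVT=02,CLASS=SUPER
"""


@dataclass(frozen=True)
class AuthCheck:
    date: str
    time: str
    work_process: int
    user: str
    auth_object: str
    # 0 = passed; 4 (wrong values) and 12 (no authorization for the object at all)
    # are the usual failure codes of the ABAP AUTHORITY-CHECK statement.
    return_code: int
    program: str
    line: int
    values: tuple  # ((field, value), ...) in the order they were checked

    @property
    def passed(self):
        return self.return_code == 0

    def values_text(self):
        return ",".join(f"{field}={value}" for field, value in self.values)


def parse_trace(text):
    """Parse the constructed export format; reject malformed records instead of guessing."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split(";")
        if len(parts) != 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(parts)}")
        date, time, wp, user, obj, rc, program, line, nvals, values = parts
        pairs = tuple(tuple(item.split("=", 1)) for item in values.split(",") if item)
        if any(len(pair) != 2 for pair in pairs):
            raise ValueError(f"line {lineno}: malformed value list {values!r}")
        if int(nvals) != len(pairs):
            raise ValueError(f"line {lineno}: {nvals} values announced, {len(pairs)} found")
        records.append(AuthCheck(date, time, int(wp), user, obj, int(rc),
                                 program, int(line), pairs))
    return records


def failed_checks(records):
    """The checks the user did not pass: the records that explain a 'no authorization' error."""
    return [record for record in records if not record.passed]


def missing_authorizations(records):
    """Map (user, object) -> sorted distinct value combinations that failed.

    This is the raw material for a least-privilege role change: each entry is
    exactly what the user tried to do, so nothing broader needs to be granted.
    """
    needed = defaultdict(set)
    for record in failed_checks(records):
        needed[(record.user, record.auth_object)].add(record.values_text())
    return {key: sorted(combos) for key, combos in sorted(needed.items())}


def failures_by_code(records):
    """Count failures per return code to separate 'values missing' from 'object missing'."""
    counts = defaultdict(int)
    for record in failed_checks(records):
        counts[record.return_code] += 1
    return dict(counts)


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    print(f"{len(trace)} checks, {len(failed_checks(trace))} failed: {failures_by_code(trace)}")
    for (user, auth_object), combos in missing_authorizations(trace).items():
        print(f"{user:<10} {auth_object:<11} {' | '.join(combos)}")
```

Grouping by (user, object, values) rather than by object alone matters: granting S_USER_GRP with ACTVT=* because one check failed would hand out far more than the trace justifies. Before adding anything to a role, also confirm that the failed check is one the user is supposed to pass; a failed check is equally the evidence you want when an authorization was denied correctly.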


Figure 138: System Trace (ST01) and Performance Analysis (ST05)

Performance Analysis
The performance analysis is used for analyzing:
• Database calls (SQL trace)
• Lock management calls (enqueue trace)
• Accesses to table buffers (buffer trace)
• Remote calls of reports and transactions (RFC trace)
• HTTP communication (HTTP trace)
• SQL statements (Enter SQL Statement button in ST05)

The performance analysis provides similar trace options to the system trace. It allows you to record database calls, calls to lock management, calls to table buffers, and remote calls of reports and transactions from the SAP system itself in a trace file. You can call the performance analysis using transaction ST05 or by choosing the menu path Tools → Administration → Monitor → Traces → Performance Trace. On the initial screen of transaction ST05, you can choose the Enter SQL Statement button to analyze an SQL statement without branching to a specific trace file. The performance trace is integrated into the ABAP Workbench as a test tool and can therefore be called from there. Note: The function Performance Analysis is often called Performance Trace as well.


Configuring the Trace File
You can use system profile parameters to restrict the size of the trace files and to specify an appropriate path. The SAP system trace writes the trace data to trace files. For performance reasons, this is not done directly, but rather using a process-internal buffer. The profile parameter rstr/buffer_size_kB determines the size of this buffer. The SAP trace stores the collected data in multiple files, which are written sequentially. The parameter rstr/filename defines the base name of these files. There is always a file with exactly this name. If this file is full (parameter rstr/max_filesize_MB), the file is renamed and a new file is created with the base name. When the file is renamed, a number between 00 and 99 is added to the file name. The parameter rstr/max_files determines the maximum number of files. If this value is exceeded, the files are overwritten.
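The rotation scheme above decides how far back a trace still reaches when you come to evaluate it: with a small rstr/max_files the records you need for an analysis may already have been overwritten, and records still in the process-internal buffer are not on disk at all. The following in-memory model is an added example, not SAP code, for sizing these parameters before you rely on a trace as evidence. The rule it implements is taken from the lesson; what the lesson does not fix is assumed here: the numbered files count 00, 01, ... up to rstr/max_files - 1 and then wrap, overwriting the oldest numbered file, only the numbered files count against rstr/max_files, and sizes are in bytes rather than kB and MB so that small numbers drive the model.

```python
"""Model of the trace file rotation controlled by the rstr/* profile parameters.

Added example, not SAP code. The rotation rule is taken from the lesson text;
details the text does not fix are assumptions: numbered files count 00, 01, ...
up to rstr/max_files - 1 and then wrap, the oldest numbered file being
overwritten; only the numbered files count against rstr/max_files. Sizes are
bytes here (the real parameters are in kB and MB) so the model can be driven
with small numbers.
"""


class TraceFileSet:
    def __init__(self, base_name="TRACE", max_filesize=1024, max_files=3, buffer_size=256):
        if not 1 <= max_files <= 100:
            raise ValueError("numbered files use two digits (00..99)")
        self.base_name = base_name
        self.max_filesize = max_filesize     # rstr/max_filesize_MB (assumed: bytes here)
        self.max_files = max_files           # rstr/max_files
        self.buffer_size = buffer_size       # rstr/buffer_size_kB (assumed: bytes here)
        self.buffer = []                     # process-internal buffer, not yet on disk
        self.buffered_bytes = 0
        self.files = {base_name: []}         # file name -> records on "disk"
        self.archive_order = []              # numbered files, oldest first
        self.next_number = 0
        self.overwritten = 0                 # archives lost to wraparound

    def write(self, record):
        """Trace records go to the buffer first; the buffer is flushed when full."""
        self.buffer.append(record)
        self.buffered_bytes += len(record)
        if self.buffered_bytes >= self.buffer_size:
            self.flush()

    def flush(self):
        for record in self.buffer:
            self.files[self.base_name].append(record)
            if self.size_of(self.base_name) >= self.max_filesize:
                self._rotate()
        self.buffer = []
        self.buffered_bytes = 0

    def size_of(self, name):
        return sum(len(record) for record in self.files[name])

    def _rotate(self):
        """Rename the full base file to <base>NN and start a fresh base file."""
        archived = f"{self.base_name}{self.next_number:02d}"
        if archived in self.files:               # wraparound: the oldest archive is lost
            self.overwritten += 1
            self.archive_order.remove(archived)
        self.files[archived] = self.files[self.base_name]
        self.archive_order.append(archived)
        self.files[self.base_name] = []
        self.next_number = (self.next_number + 1) % self.max_files

    def archived_files(self):
        return sorted(self.archive_order)

    def retained_records(self):
        """Everything still recoverable from disk, oldest first (buffered records excluded)."""
        on_disk = []
        for name in self.archive_order:
            on_disk.extend(self.files[name])
        on_disk.extend(self.files[self.base_name])
        return on_disk


def retention_report(records_written, record_size, **params):
    """Write N equal-sized records and report how many survive on disk.

    Use this to size the parameters so the trace still covers the window you
    need to analyse, and to see how much sits only in the buffer.
    """
    trace = TraceFileSet(**params)
    for i in range(1, records_written + 1):
        trace.write(f"R{i:05d}".ljust(record_size, "."))
    retained = trace.retained_records()
    return {
        "written": records_written,
        "on_disk": len(retained),
        "oldest_on_disk": retained[0][:6] if retained else None,
        "still_buffered": len(trace.buffer),
        "archives_overwritten": trace.overwritten,
    }


if __name__ == "__main__":
    print(retention_report(12, 30, max_filesize=100, max_files=2, buffer_size=50))
    print(retention_report(13, 30, max_filesize=100, max_files=2, buffer_size=50))
```

With two numbered files of 100 bytes and 30-byte records, only the last eight of twelve records survive and the first archive has already been overwritten once; the thirteenth record sits in the buffer and would be lost with the work process. The same arithmetic with real kB and MB values tells you whether a trace window of a given length can be kept at all, or whether the files must be copied away before they are reused.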

Developer Trace
Developer traces are recordings that contain technical information and that are used if errors occur. This type of process trace is especially useful for investigating host and internal SAP problems that are affecting your SAP system. Developer traces dev_* are written to files in the directory /usr/sap/<SID>/<instance>/work of the SAP application server that generated the trace.

Figure 139: Developer Traces


You can access the developer traces in the operating system, in transaction AL11, transaction ST11 or transaction SM50 (Work Process Overview). In transaction SM50, you can switch to the individual dev_* traces by choosing Process → Trace → Display File. You can display additional details in the displayed traces by expanding individual entries.


Exercise 18: Trace Options

Exercise Objectives
After completing this exercise, you will be able to:
• Use trace options in the SAP system to analyze a problem if errors occur
• Use the transactions for the various trace functions

Business Example You want to use trace functions to correct errors in the SAP system.

Task: Traces
Activate traces in the SAP system and evaluate them.
1. In transaction ST01, activate the trace for authorization checks and for lock operations for your user. Start the transaction for user maintenance SU01 and change the title for your own user.
2. Deactivate the trace and evaluate the trace file.
3. In transaction ST05, activate the SQL trace for your user. Start transaction SA38 and execute the program RSUSR000. Deactivate the trace again and evaluate it.


Solution 18: Trace Options

Task: Traces
Activate traces in the SAP system and evaluate them.
1. In transaction ST01, activate the trace for authorization checks and for lock operations for your user. Start the transaction for user maintenance SU01 and change the title for your own user.
   a) Call transaction ST01.
   b) Select the following trace components: Authorization check and Lock Operations.
   c) Restrict the trace to your own user using the General Filters button.
   d) Start the trace by choosing the Trace on button.
   e) Call transaction SU01 in a new session window.
   f) Select your user and choose the menu entry User → Change.
   g) On the Address tab page, change the title, and save your change.
2. Deactivate the trace and evaluate the trace file.
   a) Switch back to the session window showing the system trace.
   b) Choose the Trace off button.
   c) Choose the menu path Goto → Analysis or the Analysis button.
   d) Accept the default values on the selection screen.
   e) Double-click different lines of the trace display.
3. In transaction ST05, activate the SQL trace for your user. Start transaction SA38 and execute the program RSUSR000. Deactivate the trace again and evaluate it.
   a) Call transaction ST05.
   b) Mark SQL Trace.
   c) Start the trace by choosing the Activate Trace button.
   d) Open a new session window.
   e) Start transaction SA38.
   f) Execute the report RSUSR000.
   g) Stop the trace in transaction ST05 by choosing Deactivate Trace.
   h) Evaluate the generated trace file.
   i) Choose the Display Trace button in transaction ST05.
   j) Mark SQL Trace.
   k) Choose Execute.
   l) You can now display the SQL commands by selecting an entry showing the operation "Open" or "Reopen" and choosing Explain.

Result
You can now use the SQL trace to collect and display trace data. A detailed understanding of the executed SQL statements requires in-depth knowledge of SQL, the database used and the ABAP programming language.


Lesson Summary You should now be able to: • Name different trace and log options • Perform simple traces in the SAP system


Lesson: Troubleshooting Procedure

Lesson Overview
This lesson describes a general procedure for troubleshooting.

Lesson Objectives
After completing this lesson, you will be able to:
• Develop procedures for structured troubleshooting

Business Example Unexpected problems are occurring while your SAP systems are running. As a system administrator, you want to learn about the procedure for structured troubleshooting.

General Approach Errors, by their very nature, always occur in places where they should not occur. Consequently, we can only present a general approach here.


Figure 140: Troubleshooting: Approach

Isolate the problem area: First, attempt to isolate the error. Where does it occur, when does it occur, and in what context does it occur? "It doesn't print" would be too imprecise here. "Front-end printing on front end xyz does not work with any SAP system" is more exact. If you also know that front-end printing works on other front ends, you have already isolated the problem.

Problem analysis: Check the scenario to find out whether all required settings, and so on, are correct. Check the application logs, the system log, and the traces (the developer traces will usually be helpful here) to see whether they provide any clues for correcting the error.

Gain additional knowledge: To interpret the results from the first problem analysis, it is, of course, necessary that you are familiar with the processes and functions of the area in which the error is occurring. If your experience and your previous knowledge are insufficient, you can start to search SAP Notes and SAP Service Marketplace with the keywords from the system log or the trace files. You may find a problem solution here, or additional information that helps you find and correct the error. If you have not found any suitable SAP Notes or suitable search terms, search for composite SAP Notes for the topic area (for example, with the terms front-end printing and composite SAP Note). For additional background information about the topic area, see the online documentation and course materials. If you still cannot solve the problem with this information, compare the process with errors against an error-free process.


Compare error-free and erroneous processes: You can use this to determine where there are differences between an erroneous and an error-free process. This information helps you to further isolate the problem area and may help you to solve the problem or to perform new, more targeted problem analyses. If it is not possible to perform another problem analysis, create a message for SAP on SAP Service Marketplace. Enter the information from your troubleshooting (such as a trace and/or system log information) when doing so.


Lesson Summary You should now be able to: • Develop procedures for structured troubleshooting


Unit Summary
You should now be able to:
• Explain the concepts of the CCMS monitoring infrastructure
• Use a CCMS monitor for system monitoring
• Integrate remote systems into the CCMS Alert Monitor
• Design and create your own monitor definitions
• Set threshold values
• List technical components required for different monitoring capabilities of SAP Solution Manager 7.1
• Describe selected functions and their use
• Name different trace and log options
• Perform simple traces in the SAP system
• Develop procedures for structured troubleshooting


Test Your Knowledge

1. What can transaction RZ20 be used for?
   Choose the correct answer(s).
   □ A Database backup
   □ B Updating data
   □ C Monitoring the database and the SAP system
   □ D Configuring and monitoring the firewall

2. What types of monitor definitions are offered by CCMS?
   Choose the correct answer(s).
   □ A Ruled monitors
   □ B Statistical monitors
   □ C Rule-based monitors
   □ D Static monitors
   □ E Self-repairing monitors

3. With which of the following transactions can you activate a trace for SQL statements in the SAP system?
   Choose the correct answer(s).
   □ A Performance trace
   □ B System log
   □ C (SAP) system trace
   □ D Database performance analysis


Answers

1. What can transaction RZ20 be used for?
   Answer: C
   You can use system monitoring in transaction RZ20 to monitor SAP systems and their databases.

2. What types of monitor definitions are offered by CCMS?
   Answer: C, D
   There are static and rule-based monitors.

3. With which of the following transactions can you activate a trace for SQL statements in the SAP system?
   Answer: A, C
   You can analyze SQL statements by activating the trace in transaction ST01 (System Trace) or ST05 (Performance Trace). Transaction SM21 (System Log) is the system log and ST04 (Database Performance Analysis) is used to analyze database statistics.


Unit 8: AS Java – Monitoring

Unit Overview
You can monitor SAP NetWeaver AS Java either locally in SAP NetWeaver AS Java itself or centrally using a central monitoring system (SAP NetWeaver AS ABAP). This unit shows both the local and central monitoring possibilities.

Unit Objectives
After completing this unit, you will be able to:
• Describe the monitoring infrastructure
• Display monitoring data in the SAP NetWeaver Administrator (NWA)
• Make threshold value settings in the NWA
• Monitor Java instances in the central monitoring system
• Explain which configuration steps are required to be able to maintain the threshold values for Java instances from the central monitoring system
• Describe how an availability check using the GRMG works technically
• Configure an availability check
• Use the Log Viewer
• Explain the difference between logging and tracing
• Execute log configuration

Unit Contents
Lesson: Monitoring SAP NetWeaver AS Java .............................. 420
Exercise 19: Monitoring SAP NetWeaver AS Java .................... 427
Lesson: Connecting to a Central Monitoring System ...................... 432
Exercise 20: Registering with a Central Monitoring System .......... 445
Lesson: Availability Monitoring ................................................ 451
Exercise 21: Availability Monitoring ...................................... 459
Lesson: Log Viewer and Log Configuration ................................. 464
Exercise 22: Log Viewer and Log Configuration ....................... 479


Lesson: Monitoring SAP NetWeaver AS Java

Lesson Overview
SAP NetWeaver AS Java provides an infrastructure that makes monitoring data available. This monitoring data can be displayed in the SAP NetWeaver Administrator. You can also set threshold values for this data there. Threshold values determine the colors with which data is displayed in the monitor.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the monitoring infrastructure
• Display monitoring data in the SAP NetWeaver Administrator (NWA)
• Make threshold value settings in the NWA

Business Example
You are using an SAP NetWeaver AS Java. Monitoring is important for safeguarding a stable system environment. It allows some error situations to be identified in advance. SAP NetWeaver AS Java provides an infrastructure that makes monitoring data available. This monitoring data can be displayed in the NWA.

Monitoring Infrastructure
The monitoring in SAP NetWeaver AS Java is based on the standard Java Management Extensions (JMX). JMX provides a new, flexible administration infrastructure that is used for the monitors. The JMX infrastructure allows different resources to register as suppliers of monitoring data. Through the JMX API, data is made available for resources of all server components (services, interfaces, libraries, and managers) and for applications, using MBeans. The data of the JMX monitors is stored in the monitoring segment. Since JMX is a standard, external tools can also access the monitoring data. The external tools connect through the JMX API and can display all current values in the JMX monitors. They can also create, delete, and change groups, and install and uninstall monitor nodes. The JMX infrastructure is provided by the JMX Adapter service.


Figure 141: Monitoring Infrastructure

During the start of the sapstartsrv the monitoring segment is created. The data collector of the AS Java stores the current status and open alerts of the monitoring objects in the monitoring segment. Completed alerts are removed from the monitoring segment.


The data in the monitoring infrastructure is grouped in several areas, such as Kernel, Services, Performance, and Applications.
• Kernel: Status information for the managers registered for monitoring is displayed under the Kernel entry.
• Performance: The Performance area displays available data about performance measurements of the SAP NetWeaver AS Java, for example communication with external systems.
• Services: Status information for the services registered for monitoring is displayed under the Services entry.
• Applications: This branch contains information about the status of applications that are running on the SAP NetWeaver AS Java and for which monitoring functions are implemented in the code. This is a configurable type of monitor, since you can specify which information is displayed in the monitor for your own applications. An application developer usually creates his or her own monitors and objects under the Applications branch. The other monitor branches, such as Kernel, System, and so on, are reserved for data that is directly and automatically collected by the system. The monitor Table Buffer is always displayed in the Applications area along with other items.

There are various tools for working with the monitoring data.


Figure 142: Monitoring - Tools

RZ20
Transaction RZ20 in a CEN (central monitoring system) is a powerful tool for monitoring multiple SAP systems and their operating systems. You can set up additional notifications in case of alerts and auto-reaction methods there. Beyond that, you are able to view the current status and open alerts of monitoring attributes. You can maintain thresholds and complete open alerts. RZ20 gets its information from the monitoring segment of the AS Java; this means that, for example, performance issues of the AS Java do not affect the monitoring and alerting in the CEN system.

SAP MC and SAP MMC
With the SAP MC and SAP MMC you are able to view the current status and open alerts of monitoring attributes. The SAP MC and SAP MMC communicate directly with sapstartsrv and get the information from the monitoring segment of the AS Java; this means that, for example, performance issues of the AS Java do not affect the monitoring and alerting.

System Overview
The system overview is available in two versions. One version is available in the NWA and the other is available via sapstartsrv (this is called the offline system overview). The system overview gives you a graphical overview of the current status of some monitoring attributes and their values. The system overview in the NWA provides navigation to expert functions in the NWA for the displayed attributes.


Monitoring Browser
The monitoring browser is available in the NWA. The monitoring browser shows the current status of the monitoring attributes, and you can maintain thresholds and activate/deactivate monitoring attributes.

Monitoring with the SAP MC

Figure 143: Monitoring with the SAP MC

The monitoring area in the SAP MC or SAP MMC is divided into two parts. One area is for the current status, and in the other the open alerts are displayed. Each area is structured in several parts, for example Java Instance, Server, or Application, where you can drill down. If you select Kernel for one server process, all monitoring attributes are displayed in the right window pane. Time indicates the time at which the value was reported by the AS Java. You can see all available alerts of a monitoring attribute by selecting the monitoring attribute and choosing All Alerts from the context menu. This option is available in the current status area and in the open alert area. In the right pane, click the Alert Name column header to choose between the different sort criteria. Every click alternates between sorting “by alert”, “order of the monitoring structure”, and “by reverse alert”.


Monitoring with the Monitoring Browser
The current status values for the monitoring attributes are displayed with alert colors in accordance with the “traffic light system”. In the SAP NetWeaver Administrator (abbreviation: NWA), the data is displayed in the Monitor Browser. You are taken to the Monitor Browser with Availability and Performance → Resource Monitoring → History Reports. Here you can select the Monitor Browser tab.

Figure 144: Monitoring with the Monitoring Browser

In the Monitor Browser you have two views, one for the Active/Used monitoring attributes and one for the Inactive/Not used monitoring attributes. In the Monitor Browser you can activate/deactivate monitor attributes (there is no other tool for activation or deactivation of monitoring attributes). In the lower part of the Monitor Browser you can see the period of the data collection. In the NWA, the Monitor Browser displays all the running nodes in the system with the current value of the selected monitoring attribute. A threshold value determines when which alert (color in the monitor) is triggered. For monitoring that is individually adjusted to your system, you should adjust the threshold values. In the Monitor Configuration area it is possible to maintain the thresholds. In the monitor itself, the statuses are identified with different colors. A color changes when a value exceeds or falls below a threshold value. Errors are highlighted in red and passed on to the highest level of the monitor. You can find the alert that has occurred by expanding the monitor. The following colors can be displayed in the monitor:
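To make the role of the four threshold values concrete, the following added example (not code from the course or from SAP) evaluates a constructed series of Used Memory Rate samples against the GY/YR/RY/YG values 75/90/85/70 from Exercise 19, once taking the previously reported color into account and once with plain comparisons; the ">=" boundary handling, the sample values, and all function names are assumptions.

```python
"""Alert color evaluation with the four AS Java thresholds (GY/YR/RY/YG).

Added example, not course or SAP code. It assumes a monitoring attribute
whose alert level rises with the value (a usage rate in percent) and that a
threshold is "exceeded" at >= and "fallen below" at <=.
"""
from dataclasses import dataclass
from typing import Iterable, List

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass(frozen=True)
class Thresholds:
    green_to_yellow: float  # GY
    yellow_to_red: float    # YR
    red_to_yellow: float    # RY
    yellow_to_green: float  # YG

    def is_consistent(self) -> bool:
        # The "back" thresholds must not lie above the "forward" ones,
        # otherwise the color could change back and forth on one boundary.
        return (self.yellow_to_green <= self.green_to_yellow
                <= self.red_to_yellow <= self.yellow_to_red)

    def next_color(self, previous: str, value: float) -> str:
        """Color for `value`, given the color reported for the previous value."""
        if previous == GREEN:
            if value >= self.yellow_to_red:
                return RED
            return YELLOW if value >= self.green_to_yellow else GREEN
        if previous == YELLOW:
            if value >= self.yellow_to_red:
                return RED
            return GREEN if value <= self.yellow_to_green else YELLOW
        if previous == RED:
            if value <= self.yellow_to_green:
                return GREEN
            return YELLOW if value <= self.red_to_yellow else RED
        raise ValueError(f"unknown color {previous!r}")


def alert_history(thresholds: Thresholds, values: Iterable[float],
                  start: str = GREEN) -> List[str]:
    """Evaluate a series of reported values; each result depends on history."""
    if not thresholds.is_consistent():
        raise ValueError("thresholds must satisfy YG <= GY <= RY <= YR")
    colors, current = [], start
    for value in values:
        current = thresholds.next_color(current, value)
        colors.append(current)
    return colors


def naive_color(thresholds: Thresholds, value: float) -> str:
    """Stateless comparison that uses only GY and YR (no hysteresis)."""
    if value >= thresholds.yellow_to_red:
        return RED
    if value >= thresholds.green_to_yellow:
        return YELLOW
    return GREEN


def count_transitions(colors: List[str]) -> int:
    """Number of color changes in a series, i.e. how often an alert would flip."""
    return sum(1 for a, b in zip(colors, colors[1:]) if a != b)


# Values from Exercise 19: GY/YR/RY/YG = 75/90/85/70 for Used Memory Rate.
EXERCISE_THRESHOLDS = Thresholds(75, 90, 85, 70)
# Constructed sample series (percent), not measured on a real system.
SAMPLE_VALUES = [60, 76, 88, 91, 86, 84, 72, 69]
FLAPPING_VALUES = [74, 76, 74, 76, 74]  # oscillates around the GY boundary

if __name__ == "__main__":
    for name, series in (("memory walk", SAMPLE_VALUES),
                         ("flapping", FLAPPING_VALUES)):
        with_hysteresis = alert_history(EXERCISE_THRESHOLDS, series)
        without = [naive_color(EXERCISE_THRESHOLDS, v) for v in series]
        print(name, "with RY/YG:", with_hysteresis,
              count_transitions(with_hysteresis), "changes")
        print(name, "GY/YR only:", without,
              count_transitions(without), "changes")
```

The flapping series shows why RY and YG are set below YR and GY: with the "back" thresholds a value hovering around 75 produces one alert change instead of one per sample.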


Monitoring with the System Overview

Figure 145: Monitoring with the System Overview

The system overview is available in two versions. You can access the System Overview in the NWA in the work center Availability and Performance in the work set System Overview. You can access the offline System Overview via the URL http://twdfxxxx:50013/ctsv/SystemOverview.html . Both versions show the current values of the displayed monitoring attributes. In the System Overview of the NWA you can navigate to other functions by clicking the monitoring attribute. This is not possible in the offline System Overview. As shown in the figure above, a link (Help) to the online documentation is available for the selected attribute, as well as links for View History (History Reports), Configure Thresholds (Monitoring Browser), and Manage User Sessions (Session Management). The options can vary for every monitoring attribute.


Exercise 19: Monitoring SAP NetWeaver AS Java

Exercise Objectives
After completing this exercise, you will be able to:
• Monitor the SAP NetWeaver AS Java using the SAP NetWeaver Administrator
• Make threshold value settings for individual objects in the monitor

Business Example
For successful monitoring using the Monitoring service in SAP NetWeaver AS Java, you must set the threshold values appropriately.

Task 1: Adapt Monitor Settings with the NWA
Use the Monitoring Browser within NWA to check alerts for different monitoring attributes, activate an inactive monitoring attribute, and change thresholds.
1. Log on to the SAP NetWeaver Administrator (NWA), open the Monitoring Browser, and check whether an alert has occurred in the memory service.
2. Activate the inactive monitor Kernel/Application Threads Pool/Waiting Tasks Count in the NWA Monitoring Browser.
3. Set the threshold values for the monitor /Services/Memory Info/Used Memory Rate to the following entries: GY/YR/RY/YG to 75/90/85/70.

Task 2: Create History Report with the NWA
Create your own History Report for your monitoring.
1. Create a History Report showing Thread Pool Usage Rate and Used Memory Rate.


Solution 19: Monitoring SAP NetWeaver AS Java

Task 1: Adapt Monitor Settings with the NWA
Use the Monitoring Browser within NWA to check alerts for different monitoring attributes, activate an inactive monitoring attribute, and change thresholds.
1. Log on to the SAP NetWeaver Administrator (NWA), open the Monitoring Browser, and check whether an alert has occurred in the memory service.
   a) Start a Web browser.
   b) Enter the URL http://.wdf.sap.corp:500/nwa (for example: http://twdf1234.wdf.sap.corp:50000/nwa).
   c) Log on with your system user -.
   d) Navigate to the tab Availability and Performance.
      Hint: If you wait one minute you will see the overall Status.
   e) Now choose Resource Monitoring → History Reports.
   f) Choose the tab Monitor Browser.
   g) In the field Show, select Active/Used (Standard).
      Hint: Here you can see the various monitors. You can use the colors (red, yellow, green, gray) to identify whether an alert has occurred.
   h) In the field Name, enter the filter Memory.
   i) Press Enter.
   j) Select the line /Services/Memory Info/Available Memory.
   k) In the section Monitor Details you see the configured HEAP memory for each instance.
   l) Now select the line /Kernel/SAPJVM/GCProblemReporting/Out Of Memory Errors.
   m) Check the status of each Server Node ID.


2. Activate the inactive monitor Kernel/Application Threads Pool/Waiting Tasks Count in the NWA Monitoring Browser.
   a) Within the NWA, in the field Show, select Inactive/Not Used.
   b) In the field Name, enter the filter Application Threads.
   c) Press Enter.
   d) Select the line Kernel/Application Threads Pool/Waiting Tasks Count.
   e) Within the section Monitor Configuration, press the button Activate.
      Hint: You should receive the information on top: Changes were successfully saved.
   f) In the field Show, select Active/Used.
   g) In the field Name, enter the filter Application Threads.
   h) Press Enter.
   i) Select the line Kernel/Application Threads Pool/Waiting Tasks Count.
   j) In the field Monitor Details for: Waiting Tasks Count you should find a current value.

3. Set the threshold values for the monitor /Services/Memory Info/Used Memory Rate to the following entries: GY/YR/RY/YG to 75/90/85/70.
   a) In the field Name, enter the filter used memory.
   b) Press Enter.
   c) Select the line /Services/Memory Info/Used Memory Rate.
   d) In the area Monitor Configuration, enter the following threshold settings:
      • Changes from Green to Yellow: 75
      • Changes from Yellow to Red: 90
      • Changes from Red to Yellow: 85
      • Changes from Yellow to Green: 70
   e) Press Save.
      Hint: On top the message should appear: Changes were successfully saved.


Task 2: Create History Report with the NWA
Create your own History Report for your monitoring.
1. Create a History Report showing Thread Pool Usage Rate and Used Memory Rate.
   a) Switch to the tab History Reports.
   b) Under the tab History Reports, change to the tab Configure.
   c) Press New Report.
   d) In the popup window enter the following information:
      Name:
      Label:
      Default Report Time Unit: Quarters
      Default Report Type: Chart per note
   e) Press OK.
   f) On the left-hand side select the line Thread Pool Usage Rate.
   g) Press Add to Report.
   h) On the left-hand side select the line Used Memory Rate.
   i) Press Add to Report.
   j) Press Save Report.
   k) Change to the tab Display.
      Hint: Because in our landscape only you are using the system, the Thread Pool Usage Rate is very low. In practice this could be useful information.


Lesson Summary
You should now be able to:
• Describe the monitoring infrastructure
• Display monitoring data in the SAP NetWeaver Administrator (NWA)
• Make threshold value settings in the NWA


Lesson: Connecting to a Central Monitoring System

Lesson Overview
You can monitor the SAP NetWeaver AS Java directly with the SAP NetWeaver Administrator (NWA) or using a central monitoring system. The configuration steps are presented here.

Lesson Objectives
After completing this lesson, you will be able to:
• Monitor Java instances in the central monitoring system
• Explain which configuration steps are required to be able to maintain the threshold values for Java instances from the central monitoring system

Business Example
You use a number of SAP systems in your company. You monitor these SAP systems using a central monitoring system. You have now also installed an SAP system with which you are going to use Java functions. You are therefore using an SAP NetWeaver AS Java, which you want to monitor in the central monitoring system, like your other SAP systems. You can display the most important system data in a central monitoring system, for example an SAP Solution Manager.

Transferring Monitoring Data to a Central Monitoring System
On the SAP NetWeaver AS Java, there is a monitoring infrastructure that collects various data, which is displayed in the monitoring browser of the SAP NetWeaver Administrator (NWA). You can display this data in a central SAP monitoring system by connecting the AS Java to the central monitoring system (called CEN here).


Figure 146: Connecting to a Central Monitoring System

When the SAP NetWeaver AS Java starts, JMX monitors are created. They deliver data for runtime monitoring. To deliver the data to the CEN, the SAP NetWeaver management agents are used. The SAP NetWeaver management agents are used to administer and monitor SAP NetWeaver components. They are automatically installed and started during the installation of any SAP NetWeaver component as of release SAP EHP2 for SAP NetWeaver 7.0 (in short 7.02) or SAP NetWeaver 7.1. There are two types of agents, depending on the associated component: the host agent and the instance agent. One host agent runs for each monitored host (including hosts on which one or more instance agents are running). An instance agent runs for each monitored instance.


Figure 147: Monitoring Data Transfer from AS Java to CEN

The SAP NetWeaver management agent sapstartsrv contains the functionality for different central monitoring functions. The functions of the CCMS agents (SAPCCMSR, SAPCCM4X) are integrated into sapstartsrv as a static library for this purpose; the CCMS agents therefore are no longer needed as standalone executables as of SAP NetWeaver 7.02. The monitoring functions are started in a separate thread within sapstartsrv. This thread connects to the monitoring segment in the shared memory of the monitored instance. Applications can access the monitoring functions of sapstartsrv through a Web service interface. This interface replaces the RFC server part of the CCMS agent. An application (usually an ABAP or dual-stack system) can register as a central monitoring system (CEN). The registration is performed using a protected Web service. During the registration, the caller sends sapstartsrv information about the CEN and the logon data for the CSMREG user.


An SAP NetWeaver management agent communicates with CEN in the following way:
• As a Web service, it provides access to the data in the monitoring segment. This access is, for example, used in transaction RZ20.
• As an RFC client, it independently sends alerts and values for the monitoring attributes to the CEN (push technology). This data is then stored in a cache there to allow the system to display it more quickly, or it triggers central auto-reaction methods there. This improves performance, since CEN no longer needs to periodically query the agents.

Hint: In addition to system monitoring, the SAP Solution Manager provides further functions.

Registering AS Java to a CEN
The following steps are required to install the SAPCCMSR agent:
1. Create the CSMREG user in the central monitoring system (transaction RZ21 in CEN) in client 000.
   a) If the monitored system is an AS ABAP+Java, create a CSMREG user in the monitored system (client 000) as well.
2. Register the AS Java to the central monitoring system (transaction RZ21 in CEN, client 000).
3. Create the JCo destination for the customizing destination.

Creating the CSMREG User
The CSMREG user is used for communication between the agents and the central monitoring system. This user is a communication user with very specific authorizations.


Figure 148: Creating the CSMREG User (RZ21)

The CSMREG user is created with transaction RZ21. There, go to Technical Infrastructure → Configure Central System → Create CSMREG User.

Register AS Java to the Central Monitoring System
The technical infrastructure used when registering an AS Java depends slightly on the installation of the monitored system. The next figures show the difference between a monitored AS ABAP+Java (dual-stack) and an AS Java (single-stack).


Figure 149: Registering AS Java to CEN

As shown in the figure above, the instance agent (sapstartsrv) can be called by the CEN via Web service to get the monitoring data. In addition, sapstartsrv sends alerts via an RFC connection to the CEN (using user CSMREG in client 000). The operating system data is provided via shared memory by the host agent. For maintaining threshold values from the CEN in the AS Java, an RFC customizing destination is used.


Figure 150: RZ21: Registering AS Java

In transaction RZ21 of the CEN system, client 000, go to Technical infrastructure → Configure Central System → Create remote monitoring entry. From the Component Type to Be Monitored drop-down list, select Java. Enter the System ID, the host name of the Message Server, and the HTTP Port of the Message Server of the monitored system. Now choose the Test push-button. Enter the Password of the CSMREG user in your CEN and the Password of the adm operating system user for the monitored system. Finally, choose Save. Now all instance agents of the monitored system are registered, HTTP destinations to the agents are generated, and the customizing destination to the AS Java is created.

SAP Note 1569955: gSOAP Web Service pop-up while configuring CCMS agent
SAP Note 1116453: CCMS: Missing logical ports in other clients


Figure 151: Registering AS ABAP+Java 7.1x to CEN

In addition to the connections used for a single-stack AS Java 7.1x, for an AS ABAP+Java two RFC connections are used. The CEN uses destination _RZ20_COLLECT to read monitoring data for the monitored system and complete alerts; the connection uses the CSMREG user in client 000. With destination _RZ20_ANALYZE an administrator can execute an analysis method in the monitored system. The destination is created without a user, meaning that you need to authenticate yourself to the monitored system. When maintaining thresholds for the AS Java, the CEN uses the RFC destination to connect to the remote AS ABAP and from there the local RFC customizing destination is used to access the AS Java.


Figure 152: RZ21: Registering AS ABAP+Java

In transaction RZ21 of the CEN system, client 000, go to Technical infrastructure → Configure Central System → Create remote monitoring entry. From the Component Type to Be Monitored drop-down list, select DualStack. Enter the System ID, the host name of the Message Server, a Logon Group, and the Password of the CSMREG user of the monitored system. Now choose the Continue (Enter) push-button. The names of the RFC connections are generated. Now test the _RZ20_COLLECT destination to check whether a successful logon is possible. Enter the Password of the CSMREG user in your CEN and the Password of the adm operating system user for the monitored system. Finally, choose Save. Now all instance agents of the monitored system are registered, HTTP destinations to the agents are generated, RFC destinations to the monitored system are created, and the customizing destination is created in the ABAP stack of the monitored system.

SAP Note 1569955: gSOAP Web Service pop-up while configuring CCMS agent
SAP Note 1116453: CCMS: Missing logical ports in other clients

If you want to use the “old” technology with the sapccmsr agent, have a look at SAP Note 1547201: CCMS: Start and stop classical agents.


Displaying the Monitoring Data in the Central Monitoring System
You can display the J2EE monitoring data in the central monitoring system using the Alert Monitor. To do this, you must open the Alert Monitor (transaction RZ20 in client 000) and select the monitor set SAP J2EE Monitor Templates. The status data is stored in the following monitors:
• The Engines monitor displays status data for the kernel, services, performance, and the system.
• The Applications monitor displays application data.

In the SAP NetWeaver AS Java status monitors, you can see at a glance where warnings (yellow) and errors (red) have occurred. If you open the tree at the corresponding places, you learn more about the cause.

Figure 153: Display in Transaction RZ20

If the service memory is highlighted in yellow, this means that the minimum threshold value of the memory service has been exceeded, triggering a yellow alert. If you open the tree at this point, you can see which monitor this concerns. Some operating system data is displayed under Performance; the complete operating system data is displayed in the Operating System monitor in the monitor set SAP J2EE Monitor Templates. The Applications monitor displays monitoring data for J2EE applications that have implemented a monitoring function. The operating system information is collected by the host agent.


Figure 154: Operating System Information in Transaction RZ20

Customizing Destination
The agent allows you to transfer the alerts that have occurred to the central monitoring system. The system should only display an alert if a value exceeds or falls below a specific threshold value, which is entered individually for a system. A threshold value defines the value/status at which an alert with a certain classification (red, yellow, green) is displayed.

Figure 155: Connecting AS Java to the Central Monitoring System (threshold value maintenance)


You can perform the configuration of the threshold values not only in the SAP NetWeaver Administrator, but also in the central monitoring system. For this, a JCo RFC destination in the AS Java pointing to the gateway of the AS ABAP is used. This is usually called SAP.CCMS.J2EE. ( of the AS Java). In transaction SM59 of the AS ABAP CEN system, an RFC destination of type T was created during registration of the monitored system. This RFC connection is also usually called SAP.CCMS.J2EE.. The name of the Registered Server Program in this destination must be identical to the name of the JCo RFC destination (Program ID). In transaction RZ21, in Agents for Remote Systems under Topology, you should find the name of the RFC destination in the field J2EE Customizing Destination.

Hint: You can maintain the field J2EE Customizing Destination only in change mode, and you may be able to view it only in change mode too. It is the last field. Therefore, you may have to scroll to the right to view the J2EE Customizing Destination.

You can change the threshold values in the Alert Monitor. Call transaction RZ20, and expand the SAP J2EE Monitor Templates monitor set. Start the Engines monitor. Expand the tree structure completely, and select, for example, a server node in the central instance in the tree. Now choose the Properties button and switch to change mode. You can now maintain its threshold values.


Exercise 20: Registering with a Central Monitoring System

Exercise Objectives
After completing this exercise, you will be able to:
• Register your AS Java 7.3x with the central monitoring system

Business Example
You can monitor the monitoring data of the AS Java using the Monitoring Browser in the NWA or using a central monitoring system. To be able to display the data in the monitoring system, you need to register the system.

Task 1: Create and check CSMREG user
Caution: The creation of a CSMREG user can only be done once per central monitoring system (CEN). So only the group which is assigned to the DEP system can create the CSMREG user (Step 1). All groups should check the CSMREG user in transaction SU01 (Step 2).
1. Only for the group which is assigned to the DEP system (create CSMREG user). Log on to the Solution Manager system (PSM) in client 000 of your server with your course user and create the CSMREG user with password monitor with transaction RZ21.
2. Check the CSMREG user with transaction SU01 in client 000 of the Solution Manager system (PSM) of your server.

Task 2: Register the AS Java
Register your AS Java system to the central monitoring system.
1. Log on to the Solution Manager system on your server in client 000 with your course user and register your AS Java with transaction RZ21.

Task 3: View Monitoring Data
View the monitoring data of your AS Java in the central monitoring system.
1. Check whether the monitoring data is displayed in the Alert Monitor (transaction RZ20) in client 000.


Task 4: Create Customizing Destination
Create the JCo RFC destination in your AS Java so that you can use the customizing destination to execute threshold value maintenance for the AS Java monitors in transaction RZ20 of the central monitoring system.
1. Check on your AS Java system whether a JCo RFC destination with the name (Program ID) SAP.CCMS.J2EE. ( stands for the system ID of your system) has been created and started.

Task 5: Maintain Threshold Values
Maintain threshold values for your AS Java using the Alert Monitor in the central monitoring system in client 000.
1. In transaction RZ20, change the threshold value in the memory service of a server process so that a red alert is displayed in the Usage Rate area when 90% of memory is used (yellow: 75%).


Solution 20: Registering with a Central Monitoring System

Task 1: Create and check CSMREG user
Caution: The creation of a CSMREG user can only be done once per central monitoring system (CEN). So only the group which is assigned to the DEP system can create the CSMREG user (Step 1). All groups should check the CSMREG user in transaction SU01 (Step 2).
1. Only for the group which is assigned to the DEP system (create CSMREG user). Log on to the Solution Manager system (PSM) in client 000 of your server with your course user and create the CSMREG user with password monitor with transaction RZ21.
   a) Log on to the Solution Manager system (PSM) of your server in client 000 and call transaction RZ21.
   b) Go to Technical infrastructure → Configure Central System → Create CSMREG User.
   c) Enter the password monitor twice and choose Continue (Enter).
2. Check the CSMREG user with transaction SU01 in client 000 of the Solution Manager system (PSM) of your server.
   a) Log on to the Solution Manager system (PSM) of your server in client 000 and call transaction SU01.
   b) Enter CSMREG in the field User and choose Display. If you get the message “User CSMREG does not exist”, contact the group which is assigned to the DEP system on your server and let them complete Task 1 of this exercise.
   c) Switch to the tab Roles and check that the role SAP_BC_CSMREG is assigned to the user CSMREG.


Task 2: Register the AS Java
Register your AS Java system to the central monitoring system.
1. Log on to the Solution Manager system on your server in client 000 with your course user and register your AS Java with transaction RZ21.
   a) Log on to the Solution Manager system on your server in client 000 and call transaction RZ21.
   b) Choose Technical infrastructure → Configure Central System → Create remote monitoring entry.
   c) From the Instance Type to Be Monitored drop-down list, select Java.
   d) Enter your SID as the System ID, for example DEP or QEP. Enter the fully qualified host name of the Message Server, for example twdfSSSS.wdf.sap.corp. Enter the HTTP Port of the Message Server, for example 8138 or 8148.
   e) Choose the Test push-button.
   f) Enter the Password monitor of the CSMREG user in your CEN and the Password of the adm operating system user for the monitored system.
   g) Choose Save and wait a few seconds until the registration completes.

Task 3: View Monitoring Data
View the monitoring data of your AS Java in the central monitoring system.
1. Check whether the monitoring data is displayed in the Alert Monitor (transaction RZ20) in client 000.
   a) Call transaction RZ20 in the Solution Manager system on your server in client 000.
   b) Open the SAP J2EE Monitor Templates monitor set and choose the Engines monitor. Open the monitor by double-clicking it. You should now see data for your system.
   Note: It can take a few minutes before the data becomes visible.


Task 4: Create Customizing Destination
Create the JCo RFC destination in your AS Java so that you can use the customizing destination to execute threshold value maintenance for the AS Java monitors in transaction RZ20 of the central monitoring system.
1. Check on your AS Java system whether a JCo RFC destination with the name (Program ID) SAP.CCMS.J2EE. ( stands for the system ID of your system) has been created and started.
   a) Call the NWA and go to Configuration Management → Infrastructure → JCo RFC Provider.
   b) Start your JCo RFC Provider if it is stopped. If you still do not have a JCo RFC Provider, create it as described in the unit “Java Connector and Destinations”.

Task 5: Maintain Threshold Values
Maintain threshold values for your AS Java using the Alert Monitor in the central monitoring system in client 000.
1. In transaction RZ20, change the threshold value in the memory service of a server process so that a red alert is displayed in the Usage Rate area when 90% of memory is used (yellow: 75%).
   a) Call transaction RZ20 in the Solution Manager system in client 000.
   b) Open the SAP J2EE Monitor Templates monitor set and choose the Engines monitor. Open the monitor by double-clicking it. You should now see data for your system.
   c) Open an instance and the following nodes in the monitoring tree for your system: Services → Memory Info.
   d) Select Usage Rate and choose Properties to switch to threshold value maintenance.
   e) Switch to change mode, enter the following values, for example, and then save your configuration:
      • Green to yellow: 75
      • Yellow to red: 90
      • Red to yellow: 85
      • Yellow to green: 70
   f) Save your settings.


Lesson Summary
You should now be able to:
• Monitor Java instances in the central monitoring system
• Explain which configuration steps are required to be able to maintain the threshold values for Java instances from the central monitoring system

Related Information
• SAP Note 110368: FAQ - CCMS MONITORING INFRASTRUCTURE
• SAP Note 1116453: CCMS: Missing logical ports in other clients
• SAP Note 1119735: CCMS agents: Upgrade of monitored systems from 7.0 to 7.1
• SAP Note 1309499: Hardware Capacity Analysis in SAP Services (especially check number 7)
• SAP Note 1368389: Re-activating legacy RFC-communication for CCMS Agents
• SAP Note 1453112: CCMS agent and kernel patches
• SAP Note 1547201: CCMS: Start and stop classical agents
• SAP Note 1569955: gSOAP Web Service pop-up while configuring CCMS agent
• SAP Note 1667336: CCMS Monitoring with Kernel 7.20 (DCK) (no English translation available)
• SAP Note 1746016: CCMS: damaged monitoring segment reports eyecatch error


Lesson: Availability Monitoring

Lesson Overview
SAP provides availability monitoring using the Generic Request and Message Generator (GRMG). You can use it to monitor both technical components of SAP NetWeaver AS Java and entire Java applications. You can use this availability monitoring with only a few configuration steps.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe how an availability check using the GRMG works technically
• Configure an availability check

Business Example
You are using SAP NetWeaver AS Java and want to be notified as quickly as possible if a Java application or technical component of an SAP Web AS Java is not running. In this case, it is useful to configure an availability check using the GRMG.

Fundamentals of Availability Monitoring
SAP provides the tools for monitoring the SAP NetWeaver AS Java and Java applications. This availability monitoring is based on the Generic Request and Message Generator (GRMG). You can use the GRMG to monitor the availability of technical components and the availability of entire business processes.


Figure 156: Availability Monitoring

The GRMG consists of two parts, both of which are required for a functioning GRMG environment:
• GRMG infrastructure: The GRMG infrastructure is part of the monitoring architecture of the Computing Center Management System (CCMS) of an SAP NetWeaver AS ABAP. Its task is to send a request (the GRMG request) to the GRMG application, to receive its response (the GRMG response), and to display this response in the CCMS Alert Monitor.
• GRMG application: The GRMG application performs the actual availability monitoring. From a technical point of view, it is a Java Server Page (JSP), a servlet, or a Business Server Page in an SAP NetWeaver Application Server with a defined interface that is called by the GRMG infrastructure. The GRMG request and GRMG response are messages in a special XML format.

The concept of availability monitoring of monitored components can be described as an agent concept. This means that the GRMG application can run separately from the components and applications that it is monitoring. This detour means that if errors occur, you can differentiate between cases in which the components monitored in the scenario are not available (component errors) and those in which the scenario itself is not working correctly (for example, due to communication errors or an agent that is not running) (scenario errors).


The following different scenarios exist for setting up GRMG monitoring:
• Technical Customizing for monitoring a GRMG application: You have a complete Java application with a built-in GRMG application (from SAP or programmed yourself) and want to activate the availability monitoring for Java/HTTP-compatible components or Java applications.
  Note: This process is suitable for consultants and customers who want to activate GRMG monitoring for an application that is already instrumented for monitoring with the GRMG.
• Instrument the application for GRMG monitoring: You have a Java component or applications for which you want to create GRMG monitoring. You need to store all of the information (host name, application, and so on) required for an automatic GRMG request in a GRMG Customizing file. Create the messages that are to be returned in the GRMG response and create a monitor definition in the CCMS Alert Monitor.
  Note: This process is primarily suitable for application developers working for customers or partners who want to equip their own components for GRMG monitoring.

For more information about this, see the following sections.


Availability Monitoring of SAP NetWeaver AS Java and of Java Applications

Figure 157: Availability Monitoring with the GRMG

You can use a central monitoring system to monitor the availability of selected components of an SAP solution with the GRMG. The GRMG is suitable both for technical monitoring and for application monitoring. GRMG availability monitoring uses functions of the CCMS monitoring infrastructure (SAP NetWeaver AS ABAP) to store the heartbeat information. The communication is performed using HTTP POST.

Note: Heartbeat - A signal is sent by the software at regular intervals to communicate the availability (running/not running).

GRMG monitoring is performed as follows:
1. An XML message is sent from the GRMG infrastructure to the target system.
2. The GRMG application on the target system performs all of the tests for the availability monitoring of the component to be monitored or the business process step. The results of these tests are collected in the GRMG application and combined as the GRMG response.
3. The GRMG response is sent back to the GRMG infrastructure and is displayed in the Alert Monitor of the SAP NetWeaver AS ABAP as heartbeat information.


Setting Up Availability Monitoring
Technically:
1. Load the Application Server Java GRMG Monitoring Template from the SDN.
2. Edit the tags scenstarturl and scendesc.
3. Use transaction GRMG (central monitoring system) to upload the monitoring templates to the central monitoring system.
4. Start the GRMG scenarios for availability monitoring.

Templates for availability monitoring are stored in the SDN at http://www.sdn.sap.com/irj/sdn/operations. You can find these in the Knowledge Center in the area Monitoring → Enhancing your Monitoring Possibilities → GRMG Customizing Files. You can download the Application Server Java GRMG Monitoring Template here. If you unpack the .zip file, you get the file J2EE_630_Customizing.xml, which you can edit, for example, using an XML Editor. Under scenarios → scenario, you find the scenstarturl in which you maintain the host name and the HTTP port of the AS Java that is to be monitored. To display the SID or LongSid of the monitored system in transaction RZ20, enter the SID or LongSid and the host name under scenarios → scenario → scentexts → scentext → scendesc.
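The template editing described above (and repeated step by step in Exercise 21 later in this lesson), as an added Python example that is not part of the course material or SAP's tooling: it fills [host], [port] and [SysID] in a constructed stand-in for J2EE_630_Customizing.xml that keeps only the elements this lesson names, and checks the result before it is uploaded with transaction GRMG. The wrapping element name and the validation rules are assumptions; the real template contains more elements.

```python
"""Fill a GRMG customizing template and sanity-check it before upload.

Added example, not SAP's own code or template. The XML below is a
constructed stand-in for J2EE_630_Customizing.xml that keeps only the
elements the lesson names (scenarios/scenario/scenstarturl and
scentexts/scentext/scendesc); the real template contains more elements.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed stand-in for the SDN template (not the real file).
TEMPLATE_XML = """<customizing>
  <scenarios>
    <scenario>
      <scenstarturl>http://[host]:[port]/GRMGHeartBeat/EntryPoint</scenstarturl>
      <scentexts>
        <scentext>
          <scendesc>GRMG:J2EE [SysID] on [host]</scendesc>
        </scentext>
      </scentexts>
    </scenario>
  </scenarios>
</customizing>
"""

PLACEHOLDER = re.compile(r"\[[A-Za-z]+\]")  # [host], [port], [SysID], ...
# Assumed rule: a fully qualified host name, as the exercise expects.
FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$", re.I)


def fill_grmg_template(xml_text, host, port, sysid, instance_no=None):
    """Return the template with [host], [port] and [SysID] replaced.

    instance_no (for example "00") is optional; when given it is appended
    to the SID in scendesc so RZ20 shows which instance the scenario
    checks, as the exercise hint suggests.
    """
    if not FQDN.match(host):
        raise ValueError(f"not a fully qualified host name: {host!r}")
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"HTTP port out of range: {port!r}")
    if not re.fullmatch(r"[A-Z][A-Z0-9]{2}", sysid):
        raise ValueError(f"not a valid SAP system ID: {sysid!r}")

    root = ET.fromstring(xml_text)
    sid_text = f"{sysid} {instance_no}" if instance_no else sysid
    for scenario in root.iter("scenario"):
        url = scenario.find("scenstarturl")
        url.text = url.text.replace("[host]", host).replace("[port]", str(port))
        for desc in scenario.iter("scendesc"):
            desc.text = desc.text.replace("[SysID]", sid_text).replace("[host]", host)
    return ET.tostring(root, encoding="unicode")


def check_grmg_customizing(xml_text):
    """Return a list of problems; an empty list means the file is ready.

    Checks that every scenario has a scenstarturl and a scendesc, that no
    placeholder survived, and that the URL is http(s) and points at the
    GRMGHeartBeat entry point named in the lesson.
    """
    problems = []
    root = ET.fromstring(xml_text)
    scenarios = list(root.iter("scenario"))
    if not scenarios:
        problems.append("no <scenario> element")
    for i, scenario in enumerate(scenarios, 1):
        url = scenario.findtext("scenstarturl") or ""
        desc = scenario.findtext("scentexts/scentext/scendesc") or ""
        for name, value in (("scenstarturl", url), ("scendesc", desc)):
            if not value:
                problems.append(f"scenario {i}: missing {name}")
            elif PLACEHOLDER.search(value):
                problems.append(f"scenario {i}: placeholder left in {name}: {value}")
        # Only parse the URL once no placeholder is left in it.
        if url and not PLACEHOLDER.search(url):
            parts = urlsplit(url)
            if parts.scheme not in ("http", "https"):
                problems.append(f"scenario {i}: scenstarturl is not an HTTP URL")
            if parts.path != "/GRMGHeartBeat/EntryPoint":
                problems.append(f"scenario {i}: unexpected path {parts.path}")
    return problems


if __name__ == "__main__":
    filled = fill_grmg_template(TEMPLATE_XML, "twdfSSSS.wdf.sap.corp", 51300, "ABC", "00")
    print(filled)
    print("problems in filled file:", check_grmg_customizing(filled))
    print("problems in raw template:", check_grmg_customizing(TEMPLATE_XML))
```

Run the check against each instance's file before the upload step; the raw template fails it because the placeholders are still present.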

Figure 158: Setting Up Availability Monitoring


You can use the Alert Monitor (transaction RZ20) to display availability data. In transaction RZ20, choose the SAP J2EE Monitor Templates monitor set. Start the Heartbeat monitor there.

Figure 159: Availability (GRMG): Display in RZ20

If a scenario is running correctly, the components monitored by the scenario are displayed. For each monitored component, you can see the availability as a percentage, by default, averaged over the last 15 minutes, and the status with status messages that are returned by the GRMG application. To display the messages in the Alert Monitor, choose the Details button. If an error occurred in the scenario, the scenario would become red and the subtrees for the monitored components would appear colored white.


Instrumenting Availability Monitoring for Java Applications
The following process provides an overview of the steps required to instrument an application for availability monitoring with the GRMG. The following steps are a roadmap for developers:
• Design your GRMG scenario (which applications, components, processes, and so on).
• Create the messages that are to be returned in the GRMG response.
• Create a template for the GRMG Customizing file. The GRMG Customizing file contains all information required about the scenario, the monitored components, and the parameters that are sent with the GRMG request for the components.
• Implement the GRMG application. The GRMG application receives the GRMG request with all transferred parameters from the GRMG infrastructure, executes the availability checks, and returns the result to the GRMG infrastructure as the GRMG response.


Figure 160: Creating a GRMG Application

Hint: Scenarios with different software components (especially if there are no active data suppliers available for these components) and Web-based business scenarios are typical examples of applications that you can usefully monitor with the GRMG.


Exercise 21: Availability Monitoring

Exercise Objectives
After completing this exercise, you will be able to:
• Configure availability monitoring with GRMG

Business Example
You are using SAP NW AS Java and want to be notified if a Java application or technical Java component is not running. In this case, it is useful to configure an availability check using GRMG.

Task: Availability Monitoring
On the central monitoring system that is used in your course, set up availability monitoring for your AS Java system.
1. For editing purposes, provide the file J2EE_630_Customizing.xml on a host where you have write authorization and where an XML Editor and an SAP GUI are available. The host on which your AS Java is running would be suitable, for example.
2. Maintain the data for your AS Java that is to be monitored in the file J2EE_630_Customizing.xml of the Application Server Java GRMG Monitoring Template. Edit the J2EE_630_Customizing file for both instances.
3. Start the manual upload of the GRMG customizing file(s) for your PAS and AAS instance. Then check whether the scenarios that you have just loaded are visible in transaction GRMG. Start your scenarios only.
   Caution: Start the SAP GUI for Windows on the operating system of the host on which you edited the file J2EE_630_Customizing.xml.
4. Check in the Alert Monitor (transaction RZ20) whether values are delivered.


Solution 21: Availability Monitoring

Task: Availability Monitoring
On the central monitoring system that is used in your course, set up availability monitoring for your AS Java system.
1. For editing purposes, provide the file J2EE_630_Customizing.xml on a host where you have write authorization and where an XML Editor and an SAP GUI are available. The host on which your AS Java is running would be suitable, for example.
   a) Log on to the operating system of the host on which your AS Java is running.
   b) Create a directory with the name D:\TEMP if it does not exist already.
   c) In the TEMP directory, create a directory of the form _ (## stands for your group number) for the PAS instance and for the AAS instance of your AS Java.
   d) Copy the file J2EE_630_Customizing.xml from the directory S:\Courses\ADM800_99\GRMG to each of the directories created above.


2. Maintain the data for your AS Java that is to be monitored in the file J2EE_630_Customizing.xml of the Application Server Java GRMG Monitoring Template. Edit the J2EE_630_Customizing file for both instances.
   a) Switch to the directory that you have created for the PAS instance (_).
   b) Use the XML Notepad editor to edit the file J2EE_630_Customizing.xml (right-click the file J2EE_630_Customizing.xml → Edit with XML Notepad).
   c) Now open scenarios → scenario in the structure.
   d) Click on the entry scenstarturl.
   e) Click on the line: http://[host]:[port]/GRMGHeartBeat/EntryPoint.
   f) Replace [host] with the host name, for example, twdfSSSS.wdf.sap.corp.
   g) Replace [port] with the HTTP port of the instance you are currently working with, for example 51300.
   h) Now open scentexts → scentext in the structure.
   i) Double-click on the line: GRMG:J2EE [SysID] on [host].
   j) Replace [SysID] with the System ID of your system, for example ABC.
      Hint: If you also enter the instance number behind the System ID, you will see this information later in RZ20 and know which instance you are checking.
   k) Replace [host] with the host name of your PAS instance, for example twdfSSSS.wdf.sap.corp.
   l) Save your entry.
   m) Close the XML Notepad.
   n) Repeat these steps for the AAS instance.
3. Start the manual upload of the GRMG customizing file(s) for your PAS and AAS instance. Then check whether the scenarios that you have just loaded are visible in transaction GRMG. Start your scenarios only.


   Caution: Start the SAP GUI for Windows on the operating system of the host on which you edited the file J2EE_630_Customizing.xml.
   a) Start the SAP GUI on the operating system of your training system.
   b) Log on to the Solution Manager system of your course. Your instructor will give you the required data.
   c) Call transaction GRMG.
   d) Choose Upload/Download → Upload scenario.
   e) Upload the file J2EE_630_Customizing.xml for your PAS instance and AAS instance from the directories that you created (_).
   f) Start both scenarios by marking the line(s) and pressing the button Start.
4. Check in the Alert Monitor (transaction RZ20) whether values are delivered.
   a) Open transaction RZ20.
   b) Open the line SAP J2EE Monitor Templates.
   c) Double-click Heartbeat.
   d) Open the line J2EE Engine.
      Hint: Here you can see your scenarios activated in the transaction GRMG.
   e) Open the line(s): GRMG:J2EE....
      Hint: There you see the availability information of your instance(s).


Lesson Summary
You should now be able to:
• Describe how an availability check using the GRMG works technically
• Configure an availability check


Lesson: Log Viewer and Log Configuration

Lesson Overview
Logging and tracing are important functions in the context of error analysis. You can configure the level of detail in which information is written to log files. You can access all log files with the Log Viewer.

Lesson Objectives
After completing this lesson, you will be able to:
• Use the Log Viewer
• Explain the difference between logging and tracing
• Execute log configuration

Business Example
You are working with SAP NetWeaver AS Java and want to know more about the options for configuring and evaluating log files. Since a great deal of log information is created in the SAP NetWeaver AS Java environment, it is important to be familiar with a tool that displays the log files.

Log and Trace Files
All Java nodes write log and trace information to files in the file system. These files are formatted in a special way. This formatting makes it possible to use filters to hide or display specific entries when viewing the files in a Log Viewer. The files which possess this formatting are known as “ListLogs”. The entries in the ListLogs also contain a Severity field which indicates the weighting of the entry. Some of the ListLogs are listed in the figure “ListLogs in the File System”.

For each Java server process, there is a separate directory named “log” in the file system under which the files for the node are stored. A basic distinction is made between log and trace files. Log files are sometimes also referred to as logging files. The trace files comprise only files with the name default..trc where the stands for the node number and for a sequential number. The trace files which are discussed here should not be confused with other “trace” files such as the developer traces. The log files include the other files displayed in the figure.


Figure 161: ListLogs in the File System

Log files are displayed in the Log Viewer. There are two types of log files: logging and trace files. The following distinction is made between logging and tracing.

Logging means:
• Recording normal and exceptional events
• Runtime information of a system or an application is written to log files
• Active during normal operation

Tracing means:
• Recording the process flow of an application
• Use during development and for error detection in the production environment
• All traces are stored in the default..trc files

The Log Viewer
To ensure stable operation, the log and trace files should be regularly checked for error messages.


SAP provides a mechanism for the automatic analysis of log and trace files. You can evaluate and monitor the log files in two ways:
• Central monitoring with SAP NetWeaver AS ABAP: If you are using an SAP NetWeaver AS ABAP that is acting as a central monitoring system, you can also use the standard monitoring methods of the ABAP environment. You can use the CCMS to search the log files every minute for predefined search patterns. If the agent finds a pattern, it reports an alert in the central monitoring system. The administrator can be notified from there on the basis of the alert.
• Monitoring with the infrastructure of SAP NetWeaver AS Java (Log Viewer)
  Note: This lesson focuses on monitoring with SAP NetWeaver AS Java and the related infrastructure. The logging/tracing infrastructure is described in more detail in the following sections.

The Log Viewer is always used to display log and trace files, irrespective of whether they are created by the kernel, services, libraries, or applications. The log files for all server nodes can be combined. The Log Viewer can search log files for entries that have a specific weighting (severity). You can use the Log Viewer in the following variants:
• As Log Viewer in the SAP NetWeaver Administrator
  – Log and trace files for the runtime environment and the running applications are automatically registered
  – Predefined views are supplied
  – You can create and save user-defined views
• As Log Viewer in the SAP MC
  – Log and trace files for the runtime environment and the running applications are automatically registered
  – Log and trace files can also be displayed when the system is stopped
• Command Line Log Viewer
  – Displays only local log files
  – Can be activated during the deployment of applications
  – Converts binary data to a readable format

Note: This lesson focuses on the Log Viewer in the NWA and in the SAP MC.

The Log Viewer in the SAP NetWeaver Administrator
The Log Viewer runs as a service in SAP NetWeaver AS Java. As soon as the SAP Logging API is aware of a new log, the log is automatically included and you can display it in the Log Viewer.


Figure 162: Log Viewer in the NWA: Predefined Views

The log and trace files are automatically registered when SAP NetWeaver AS Java is started so that they can be displayed using the above-mentioned Log Viewer variants. In the NWA, you can call the Log Viewer via the path Troubleshooting → Logs and Traces → Log Viewer. Multiple predefined views are available (figure: Log Viewer in the NWA: Predefined Views) and you can also save your own user-defined views. The predefined views do not usually display all the log and trace entries. Instead, these are restricted by filters in the views themselves.
• SAP Logs: Shows log entries but no trace entries
• Developer Traces: Shows defaulttrace entries but no log entries
• Expert: Shows all log and trace entries without restriction
• Security: Shows the security log
• Unstructured Log Files: Shows file contents which are not of type “ListLog”
• Connect to a Remote System: Shows all log and trace entries from a remote Instance Agent (sapstartsrv) in the same way as the Expert view does
• And some more views ...

You can use the Show Advanced Filter button to activate further restrictions to the selected view by means of filters and save this as a user-defined (Custom) view. For more information, see the figure “Log Viewer in the NWA: Filter”.


Figure 163: Log Viewer in the NWA: Filter

Use Show Advanced Filter to show the Filter by Content area. You can create multiple filters with the button. If you filter by Log Source, you can restrict the view to different instances or individual nodes. The filter Log file named enables you to filter for special data sources like defaulttrace, security_audit, and so on. Other filters of interest here may be, for example, Message, Date and Time, User, Category, and Location. The filtered view which has been fine-tuned in this way can then be stored as a custom view. If you want to delete a filter, select the filter and use the trash can for deletion. If you identify an entry for which you want to see the associated messages (possibly from other files or related log and trace information), then it is often useful to filter for the Related Logs. You can use View → Customize Layout to display further log attributes as columns. In the Details column, you can activate or deactivate the details of an entry.

The Expert View
You can use Log Format to choose between ListLog and TextFormat. If you choose the ListLog restriction, then both trace and log data is available for display. This log and trace data is stored in different files, as already discussed at the start of the lesson (see also figure: “ListLogs in the File System”). You can use Log file named to select a file whose data is to be displayed. If, as in the predefined views, you want to display the combined data from all the ListLogs, then you should select Merge Logs if Possible.


If you use Log file named, then you can specify name patterns of the files from which data is to be included or excluded. Thus, “Log Format equals ListLog” together with “Log file named as DefaultTrace*” and “Merge Logs if Possible” yields the same result as the predefined Developer Traces view. If you want to see the data as in the SAP Logs view, you should instead simply choose “Log file named different from DefaultTrace*”. Files in text format cannot be combined using Merge Logs if Possible. If you choose TextFormat, then you can, for example, also display files such as the dev_server# file.

Hint: If you only select Merge Logs if Possible and do not specify any further restrictions, then you can use “Display Log File” to select a combination of all the log and trace files or the individual text format files.

Log Viewer in the SAP MC The Log Viewer in the NWA can only be used if the AS Java is running. With the Log Viewer in the SAP MC, you have the option of displaying and filtering the logs if the AS Java system is not started.

Figure 164: Log Viewer in the SAP MC: Analyse Log Files

You can right-click and use the menu entry Analyse Log Files to display the logs in the SAP MC system-wide or per instance. This displays the ListLogs and the developer traces from the work directory. You can restrict to a defined period of time or to severities. The severities “All”, “Warning” and “Error” are provided for this. If the severity “Error” is selected, this means that severities of the type “Error” are displayed (“Fatal” for fatal severities, for example). The displayed data can be filtered for the different fields. Note that a distinction is made between uppercase and lowercase in the search. If you only want to search for part of a text, you may have to enter “*” as a wild-card character at the start or end of the filter. You can filter using “>” (greater than) and “!” for “not equal to” for numeric values. Click the field name to sort the fields. Choose Ctrl for multiple filtering. “Regular Expressions” can also be used as filters; they are introduced with “regex:”. You can restrict to the ListLogs using the expression regex:(.*log)|(.*trc) as a filter for “File Name”; the developer traces are then hidden. Use the following URL for more information about the “Regular Expressions”: http://download.oracle.com/javase/1.5.0/docs/api/java/util/regex/Pattern.html You can select and display individual logs in the instance node under Log Files.

Snapshots

Information is written from the SAP MC to a “.zip” file using snapshots. This file contains selected information about the system status including parts of developer traces and ListLogs. A snapshot can be sent to SAP for error analysis, for example, or can be included in an SAP MC or SAP MMC for later error analysis.
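The filter syntax just described (case-sensitive matching, “*” wildcards, “>” and “!” for numeric values, and “regex:” filters such as the one that restricts the view to ListLogs) can be imitated in a few lines. The following is an added example, not SAP code; it assumes a regex filter must match the whole field value and that “!” falls back to a string comparison for non-numeric fields, and it runs the lesson's regex:(.*log)|(.*trc) filter over constructed sample rows.

```python
"""Model of the SAP MC 'Analyse Log Files' filter syntax (added example, not SAP code)."""
import re
from typing import Dict, List, Optional

Row = Dict[str, str]


def _as_number(text: str) -> Optional[float]:
    """Return the numeric value of text, or None if it is not a number."""
    try:
        return float(text)
    except ValueError:
        return None


def match_filter(value: str, expression: str) -> bool:
    """Decide whether one field value satisfies one filter expression.

    Assumptions of this model: a regex: filter must match the whole value
    (like java.util.regex.Matcher.matches()), and '!' compares strings when
    either side is not numeric.
    """
    if expression.startswith("regex:"):
        return re.fullmatch(expression[len("regex:"):], value) is not None
    if expression.startswith(">"):
        number, bound = _as_number(value), _as_number(expression[1:])
        return number is not None and bound is not None and number > bound
    if expression.startswith("!"):
        number, other = _as_number(value), _as_number(expression[1:])
        if number is not None and other is not None:
            return number != other
        return value != expression[1:]
    if "*" in expression:
        # '*' is the only wildcard; everything else is literal and case-sensitive.
        pattern = ".*".join(re.escape(part) for part in expression.split("*"))
        return re.fullmatch(pattern, value) is not None
    return value == expression  # plain text: exact, case-sensitive match


def filter_entries(entries: List[Row], filters: Dict[str, str]) -> List[Row]:
    """Keep the rows that satisfy every field filter (several filters combine with AND)."""
    return [row for row in entries
            if all(match_filter(row.get(field, ""), expr) for field, expr in filters.items())]


# Constructed sample rows in the shape the SAP MC shows; not real log data.
SAMPLE_ENTRIES: List[Row] = [
    {"File Name": "defaultTrace_00.trc", "Severity": "Error",
     "Message": "SLD [SLDService/LastSendInfo]", "Instance": "0"},
    {"File Name": "system/security_audit_00_0.log", "Severity": "Info",
     "Message": "security audit entry (constructed)", "Instance": "0"},
    {"File Name": "dev_server0", "Severity": "Warning",
     "Message": "developer trace entry (constructed)", "Instance": "0"},
    {"File Name": "defaultTrace_01.trc", "Severity": "Warning",
     "Message": "SLD [SLDService/LastSendInfo]", "Instance": "1"},
]


def listlogs_only(entries: List[Row] = SAMPLE_ENTRIES) -> List[str]:
    """The lesson's own filter: keep ListLogs, hide the dev_server* developer traces."""
    rows = filter_entries(entries, {"File Name": "regex:(.*log)|(.*trc)"})
    return [row["File Name"] for row in rows]


if __name__ == "__main__":
    print(listlogs_only())
    combined = filter_entries(SAMPLE_ENTRIES, {"Message": "*SLDService*", "Instance": ">0"})
    print([row["File Name"] for row in combined])
```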

Figure 165: Log Viewer in the SAP MC: Snapshot

You can include the snapshot in an SAP MC using the menu File → Load snapshot. In a snapshot, information about the instances or the system can be displayed as it existed at the time of the snapshot. The developer traces and ListLogs included in the snapshot can be displayed and evaluated using Log Files. Filters can be set on the columns in the snapshot under Analyse Log Files. The evaluation settings (Severity, Time, Entries) can no longer be changed in the snapshot. Snapshots can be generated at system and instance level. This can be done by right-clicking and selecting Create snapshot.

Logging and Tracing

There are two types of log files: files for logging, and files for tracing. Logging means:
• Recording normal and exceptional events
• Runtime information of a system or an application is written to log files
• Active during normal operation
• Logs are structured into categories, which are logical areas/topics. Predefined categories are:
  – System (Server, Network, Database, Security)
  – Application
  – Performance
  Each category points to one or more log destinations (storage locations in the file system)

Tracing means:
• Recording the process flow of an application
• Use during development and for error detection in the production environment
• All traces are stored in the log destination defaultTrace_x.trc
• Traces are structured into locations.

Note: Locations represent defined coding areas such as classes or software packages.

The traces and logs are displayed in the logging/tracing infrastructure. The logging/tracing infrastructure for SAP NetWeaver AS Java:
• consists of: SAP Logging API, Log Manager, Log Controller
• is configured via: Log Configurator service
• is displayed in: Log Viewer

SAP Logging API, Log Manager

The SAP Logging Infrastructure consists of the SAP Logging API and the Log Manager. The Log Manager is responsible for writing the log and trace files. The Log Manager writes the log information of the system or an application to a log file in accordance with the severity.


The Log Manager is a central manager in the structure of a JEE server. This manager is the first manager that is started. The storage location for all logs and traces is configured here. All log and trace files of an instance are written to the directory J2EE-Root/cluster/Server/log (for example, /usr/sap///j2ee/cluster/server0/log). The entries of the log and trace files have different severities (Severity). This means, for example, that the system writes only errors, only errors and warnings or all information in debug mode to a log or trace file.

Configuration of Logs and Traces in the Log Configurator Service

In the NWA, you can carry out the logging/tracing configuration for components of the SAP NetWeaver AS Java and deployed applications under Troubleshooting → Logs and Traces → Log Configuration. You can carry out the following actions in the Config Tool under Log Configuration:
• Change severity (in the Config Tool and NWA)
• Add, change, and delete log destinations (storage location) (Config Tool)
• Add, change, and delete log formatters (Config Tool)

Hint: You usually only need to change the severities. All other settings are intended for experts.

You can configure log destinations for categories (log files) and locations (trace files). A log destination allows you to determine where (size and number) the log/trace files are stored. Log formatters are formatters for files in different formats such as XML, trace, and list format.

Changing Severities

Severities can be set for the individual categories and locations. These severities control which messages are logged to the ListLogs. Only messages that have the same severity or higher are logged. If, for example, the severity “ERROR” is set for a location, all messages with the severity ERROR, WARNING or NONE are logged. To analyze problems, the severities can be adjusted to a lower severity for the category or location in question in order to find more detailed information in the ListLogs.


The following severities exist:
• ALL (Low)
• DEBUG
• PATH
• INFO
• WARNING
• ERROR
• FATAL
• NONE (High)

The default for locations is usually ERROR and the default for categories is usually INFO. With the SAP NetWeaver Administrator, you can change the severity settings for the categories (logs) and locations (traces) in the same way as with the Config Tool. There is a separate view for both the categories and the locations, and the severities can be adapted in these views. In the NWA, you are taken to the log configuration via Troubleshooting → Logs and Traces → Log Configuration. Here you can select whether you want to set severities for categories or locations. Use the filter option to locate the required locations or categories quickly.

Figure 166: Severities in the NWA


In the lower log configuration area, you can switch between the System Configuration and Per Instance Configuration tabs (figure: “Severities in the NWA”). In the System Configuration, you see the storage location defined under Log Destination and the name of the file to which the entries are written. You can use the Per Instance Configuration view to set other severities for individual instances. If different severities were set for instances, then “n/a” is displayed as severity in the upper frame. Severities can also be copied to subordinate nodes. If you want to reset a category or location to the value shipped by SAP then you can do this using the Reset Category or Reset Location button respectively.

Figure 167: Severities in the Config Tool

The severities can also be adjusted in the Config Tool. You can do so in the template settings or instance-specifically. You can find the severities for the categories in the template in the Config Tool, for example, via cluster-data → template → log configuration → categories. The storage locations (log destinations) are specified for the categories as with the log configuration in the NWA. There is only one log destination for the location, namely “default_trace”. You can also adjust the severities in Log Destinations. They specify the minimum severity that a message must have to be allowed into the destination. The severities for the locations and categories control which messages are issued from the applications and system components and, at destination level, there is another mechanism that controls which messages are allowed into the destination. The severity “ALL” is usually set for the destination delivered by SAP. The figure “Logging API Logic” illustrates this fact.
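The two-stage check described here (severity of the location or category, with a Per Instance Configuration overriding the System Configuration, followed by the minimum severity of the log destination) is easy to get wrong when tuning traces for troubleshooting. The following model is an added example, not SAP code: it uses the severity order and defaults stated in this lesson, names such as LogConfig and is_written are its own, and its assumption that category names start with “/” (for example /System/Security) is a convention of this example only.

```python
"""Model of the AS Java severity logic this lesson describes (added example, not SAP code)."""
from typing import Dict, Iterable, Optional

# Severity order from the lesson, lowest (ALL) to highest (NONE).
SEVERITIES = ("ALL", "DEBUG", "PATH", "INFO", "WARNING", "ERROR", "FATAL", "NONE")
RANK = {name: rank for rank, name in enumerate(SEVERITIES)}

# Defaults the lesson states: locations ERROR, categories INFO,
# SAP-delivered destinations ALL.
DEFAULT_LOCATION_SEVERITY = "ERROR"
DEFAULT_CATEGORY_SEVERITY = "INFO"
DEFAULT_DESTINATION_SEVERITY = "ALL"


class LogConfig:
    """System Configuration, Per Instance Configuration and log destinations."""

    def __init__(self) -> None:
        self.system: Dict[str, str] = {}                   # name -> severity
        self.per_instance: Dict[str, Dict[str, str]] = {}  # instance -> name -> severity
        self.destinations: Dict[str, str] = {}             # destination -> minimum severity

    @staticmethod
    def is_category(name: str) -> bool:
        # Assumption of this model: categories are written as paths (/System/Security),
        # locations as Java package names (com.sap.engine...).
        return name.startswith("/")

    def set_severity(self, name: str, severity: str,
                     instance: Optional[str] = None) -> None:
        """Set a severity system-wide or, with instance, for one instance only."""
        if severity not in RANK:
            raise ValueError(f"unknown severity {severity!r}")
        if instance is None:
            self.system[name] = severity
        else:
            self.per_instance.setdefault(instance, {})[name] = severity

    def reset(self, name: str) -> None:
        """Reset Category / Reset Location: back to the value shipped by SAP."""
        self.system.pop(name, None)
        for overrides in self.per_instance.values():
            overrides.pop(name, None)

    def effective_severity(self, name: str, instance: str) -> str:
        """Per Instance Configuration wins, then System Configuration, then the default."""
        override = self.per_instance.get(instance, {}).get(name)
        if override is not None:
            return override
        if self.is_category(name):
            return self.system.get(name, DEFAULT_CATEGORY_SEVERITY)
        return self.system.get(name, DEFAULT_LOCATION_SEVERITY)

    def displayed_severity(self, name: str, instances: Iterable[str]) -> str:
        """What the upper frame of the NWA shows: one value, or n/a if instances differ."""
        values = {self.effective_severity(name, inst) for inst in instances}
        return values.pop() if len(values) == 1 else "n/a"

    def is_written(self, severity: str, name: str, instance: str,
                   destination: str) -> bool:
        """True if a message of this severity reaches the given destination."""
        rank = RANK[severity]
        if rank < RANK[self.effective_severity(name, instance)]:
            return False  # dropped at the location/category
        minimum = self.destinations.get(destination, DEFAULT_DESTINATION_SEVERITY)
        return rank >= RANK[minimum]  # second gate at the destination


if __name__ == "__main__":
    # Constructed scenario following exercise 22: the location from task 2
    # is lowered to WARNING on server0 only.
    cfg = LogConfig()
    location = "com.sap.engine.services.security.authentication.logincontext.table"
    cfg.set_severity(location, "WARNING", instance="server0")
    print(cfg.displayed_severity(location, ["server0", "server1"]))           # n/a
    print(cfg.is_written("WARNING", location, "server0", "default_trace"))   # True
    print(cfg.is_written("WARNING", location, "server1", "default_trace"))   # False
```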


Figure 168: Logging API Logic

Adjusting Log Destinations

In the Config Tool, you can find the destinations under log configuration. You can create new destinations or change existing destinations there. The storage location is specified in the Pattern field. You can also maintain the log formats (field Formatter) and filter settings here.

Note: If you are creating a new log destination, you should define the file type. There are two file types, FileLog and ConsoleLog. In the case of the FileLog type, it is also necessary to make the following specifications: Pattern, Maximum File Size and Number of files.

You usually only need to adjust log destinations if, for example, you are working with the UNIX operating system and want to view log files on the console. In this case, you need to change the log format to ConsoleLog. Log formatters are directly connected to log destinations.

Adjusting Log Formatters

In the Config Tool, you can see the Formatters under log configuration; you can change existing log formatters there. You need to maintain the fields Pattern and Type. SAP delivers the Types ListFormatter, TraceFormatter, and XMLFormatter. ListFormatter means that the log entry can be processed by an application such as the Log Viewer. XMLFormatter outputs an element in the XML style. TraceFormatter is a formatter that can be read by users. Only with TraceFormatter can you maintain the second field Pattern.

Hint: It is not usually necessary to maintain log formatters, since SAP delivers the appropriate log formatters.

Log Archiving

The Log Manager provides the Log Archiving option. Log files are automatically archived at specific intervals. You activate this function via the Config Tool (managers → Log Manager). Change the parameter ArchiveOldLogFiles to the value ON. By default, the archives are stored on the SAP NetWeaver AS in the directory J2EE-root-directory/cluster//log/archive (for example, /usr/sap///j2ee/cluster/server0/log/archive). The parameter ArchivesDirectory defines the storage location of the archives. The archives themselves are not automatically deleted; you need to do this manually.

Exercise 22: Log Viewer and Log Configuration

Exercise Objectives
After completing this exercise, you will be able to:
• View log files in the Log Viewer
• Change the severity in the Log Configuration

Business Example You are working with SAP NetWeaver AS Java and want to know more about the options for configuring and evaluating log files. Since a great deal of log information is created in the SAP NetWeaver AS Java environment, it is important to be familiar with a tool that automatically displays the log files for stable operation.

Task 1: Custom Views in the NWA Log Viewer

Create your own expert view in the NWA Log Viewer. Set a filter for messages which contain SLDService. Add the columns Data Source, User, System and Instance to this view.

1. Log on to your system's NWA and switch to the Log Viewer.
2. Select the Expert view and create your own filter which provides you with information about the SLDService. Save these settings as a custom view.
3. Add the columns Data Source, User, System, and Instance to this view. Find out in which Data Sources the messages “SLD [SLDService/LastSendInfo]” and “com.sap.sldserv.exception.SldServiceExeption ... The host is down or unavailable...” are stored.

Task 2: Troubleshooting with the Log Viewer in the NWA

Use the Log Viewer to search for messages with the severity Error in the NWA.

1. Create a new view. To do this, use the view created in the previous task as a template and name it, for example, my Expert Error.
2. Create a filter which supplies all the entries in which Error occurs in the Severity column.
3. Determine from which Location the message originates.
4. Determine from which node the message was reported.


Task 3: OPTIONAL: UME Security Audit Log

Evaluate the Security Audit Log

1. Evaluate the entries in the Security Audit Log (using a tool of your choice).
2. You can use the Log Viewer in the NWA to create an expert view for the Security Audit Log.

Task 4: Log Configuration in the NWA

You found an error message in the previous task. Set the severity to Warning for the location from which the problem was reported.

1. In the NWA, go to Log Configuration.
2. Choose the appropriate view (Tracing Locations).
3. Use the filter to find the location.
4. Change the Severity from Error to Warning and save your input.


Solution 22: Log Viewer and Log Configuration

Task 1: Custom Views in the NWA Log Viewer

Create your own expert view in the NWA Log Viewer. Set a filter for messages which contain SLDService. Add the columns Data Source, User, System and Instance to this view.

1. Log on to your system's NWA and switch to the Log Viewer.
   a) In the browser, start the URL http://:/nwa .
   b) Navigate to Troubleshooting → Logs and Traces → Log Viewer.
2. Select the Expert view and create your own filter which provides you with information about the SLDService. Save these settings as a custom view.
   a) In the Log Viewer choose View → Open Expert View.
   b) Open the Filter view with Show Advanced Filter.
   c) Select Merge Logs if Possible and confirm the filter with Apply Filters.
   d) Set the filter Log Format (at the very end of the list). If equals ListLog has not yet been selected, make sure that it is entered. Confirm the filter with Apply Filters.
   e) Select the Message filter and filter by contains SLDService. Choose Apply Filters. You can find information about, for example, when data was last sent to the SLD [SLDService/LastSendInfo] or when an error occurred (com.sap.sldserv.exception.SldServiceExeption ... The host is down or unavailable...) if the Solution Manager on this server was down. To trigger that data is sent to the SLD, you can initiate this in the NWA via the Configuration → Infrastructure → SLD Data Supplier Configuration function with the Collect and Send Data button. Don't forget to push the refresh button in the Log Viewer to see the triggered messages.
   f) Save this view under a descriptive name, for example, myExpert SLDService by choosing View → Save View As ....

3. Add the columns Data Source, User, System, and Instance to this view. Find out in which Data Sources the messages “SLD [SLDService/LastSendInfo]” and “com.sap.sldserv.exception.SldServiceExeption ... The host is down or unavailable...” are stored.
   a) Choose View → Customize Layout.
   b) Select the above-mentioned columns in addition to those that are already selected and choose OK.
   c) Save your view by choosing View → Save View.
   d) The message “SLD [SLDService/LastSendInfo]” is stored in the Data Source j2ee\cluster\server0\log\system\configChanges_00.log. The message “com.sap.sldserv.exception.SldServiceExeption ... The host is down or unavailable...” is stored in the Data Source j2ee\cluster\server0\log\defaultTrace_00.trc.

Task 2: Troubleshooting with the Log Viewer in the NWA

Use the Log Viewer to search for messages with the severity Error in the NWA.

1. Create a new view. To do this, use the view created in the previous task as a template and name it, for example, my Expert Error.
   a) In the NWA, switch to your view from the previous task.
   b) Create a new view by choosing the button View → Save View As ...
2. Create a filter which supplies all the entries in which Error occurs in the Severity column.
   a) Create a new filter for the search of the severity Error and delete the entry for Message.
   b) Choose the “Apply Filter” button to apply the modified filter. You will definitely find messages with the severity Error.
   c) Save your settings.
3. Determine from which Location the message originates.
   a) You can find information about the location in the column Location or in the Details.
4. Determine from which node the message was reported.
   a) In the Details, there are entries that you can use to determine from which instance and which node the message was written.


Task 3: OPTIONAL: UME Security Audit Log

Evaluate the Security Audit Log

1. Evaluate the entries in the Security Audit Log (using a tool of your choice).
   a) Start (with your course user) a tool for evaluating logs (for example, the NWA).
   b) Open the file \usr\sap\\\j2ee\cluster\server\log\system\security_audit_##_#.log for all the server processes in your Java cluster. The displayed entries allow you to identify who performed what operation and when.
2. You can use the Log Viewer in the NWA to create an expert view for the Security Audit Log.
   a) In the NWA, switch to your view myExpert SLDService from the previous task.
   b) Create a new view myExpert Security Audit Log by choosing the button View → Save View As ...
   c) Select the filter Log file named at the very end of the filter list. Choose as and enter security_audit.

Task 4: Log Configuration in the NWA

You found an error message in the previous task. Set the severity to Warning for the location from which the problem was reported.

1. In the NWA, go to Log Configuration.
   a) Switch to Troubleshooting → Logs and Traces → Log Configuration.
2. Choose the appropriate view (Tracing Locations).
   a) In the previous task “Troubleshooting with the Log Viewer in the NWA”, we saw that we are dealing with trace information and we therefore choose Tracing Locations.
3. Use the filter to find the location.
   a) Use Open Filter to open the filter.
   b) Enter the complete location from task 2 (e.g. com.sap.engine.services.security.authentication.logincontext.table) in the search field and choose Apply Filter. Here you find the set severity for the location.
4. Change the Severity from Error to Warning and save your input.
   a) You may have to scroll down a little in the top window. The location should already be visible. In the top window, click on Severity and select Warning. Choose Save Configuration to save the new severity level.


Lesson Summary

You should now be able to:
• Use the Log Viewer
• Explain the difference between logging and tracing
• Execute log configuration


Unit Summary

You should now be able to:
• Describe the monitoring infrastructure
• Display monitoring data in the SAP NetWeaver Administrator (NWA)
• Make threshold value settings in the NWA
• Monitor Java instances in the central monitoring system
• Explain which configuration steps are required to be able to maintain the threshold values for Java instances from the central monitoring system
• Describe how an availability check using the GRMG works technically
• Configure an availability check
• Use the Log Viewer
• Explain the difference between logging and tracing
• Execute log configuration


Test Your Knowledge

1. Which actions are possible using the Monitor Browser in the NWA?
   Choose the correct answer(s).
   □ A Changes to threshold values
   □ B Delete history values
   □ C Cross-system monitoring
   □ D Display monitoring data for Java instances

2. Trace information is only important for the administrator.
   Determine whether this statement is true or false.
   □ True
   □ False


Answers

1. Which actions are possible using the Monitor Browser in the NWA?
   Answer: A, D
   The tasks of the Monitor Browser are to change threshold values, and display collected monitoring data.

2. Trace information is only important for the administrator.
   Answer: False
   Trace information is often used to identify problems during development, and provides developers with detailed information about an error that has occurred.


Unit 9: Software Lifecycle Management

Unit Overview
Caution: This unit is distributed as a separate training material.

Unit Objectives After completing this unit, you will be able to:

Unit Contents


Unit Summary You should now be able to:


Course Summary

You should now be able to:
• Process administrative tasks in SAP systems


Glossary

ALE: Application Link Enabling technology to create and operate distributed applications.

CCMS: CCMS is an abbreviation for “Computing Center Management System”, a collection of tools within AS ABAP. In SAP Easy Access, the functions offered by CCMS can be accessed by SAP Menu → Tools → CCMS.

Cookie: A cookie is a message that is sent to the Web browser (for example from a Web server). The Web browser saves this message either in the file system (persistent cookie) or it is stored in a temporary memory area and deleted when the browser is closed (session cookie). For each request to the issuing server, the Web browser sends the cookie to this server again.

CPI-C: The Common Programming Interface for Communication describes data exchange between different programs. CPI-C can be used to transfer “packaged” data with various technical protocols, such as TCP/IP or LU6.2.

EIS: Enterprise Information System

GRMG: Generic Request and Message Generator: Central infrastructure for availability monitoring of Java-based components and applications

ICF: Internet Communication Framework: Environment for handling Web requests in ABAP work processes of an SAP system (in its role as a Web server and a Web client). The ICF is the bridge between the kernel of the SAP system and the application program written in ABAP. The ICF consists of ABAP classes and interfaces, the objects and methods of which can be accessed in a BSP application, for example.

ICF Recorder: Tool for recording and evaluating HTTP requests to the ICF

ICF service: Links a certain URL (requested service of an SAP system with AS ABAP) to an HTTP request handler of the ICF (development objects).


ICM: Internet Communication Manager: Component of the SAP architecture as of AS ABAP 6.10 that allows the SAP system to communicate directly with the internet. Technically, the ICM is a standalone multi-threaded process that is started and monitored by the ABAP dispatcher.

ISC: Internet Server Cache: Cache for response pages of the ICM. This stores pages before they are sent to the client. The next time that the relevant URL is called, as long as the expiry time has not elapsed, the page is sent back to the client directly from the ICM; in this case, it does not need to be branched to the task handler and the ICF.

JMX: Java Management Extension

LDAP: Lightweight Directory Access Protocol. A protocol for accessing address directories, defined in IETF RFC 1777.

Principle: The umbrella term used for the “objects” user, account, group and role in the UME environment.

role: A role is a collection of activities that a person executes to participate in one or more business scenarios of an organization. User menus are used to access the transactions, reports, Web-based applications, and so on, in the roles.

SAP Easy Access: SAP Easy Access is the standard initial screen in SAP systems. The system displays the menu available to you in a tree structure on the left of the screen. You can display your own logo on the right of the screen.

SAP Web Dispatcher: SAP solution for load distribution for HTTP(S) requests. If an SAP system consists of multiple instances, the SAP Web Dispatcher receives the requests from the browser and forwards them to the application server that currently has most capacity. This simplifies administration since there is only one entry point (IP address, HTTP(S) port, and so on) to the SAP system.

Secure Network Communication (SNC): SNC is an interface that allows secure communication between SAP systems. SNC provides the functions authentication, encryption and integrity. An external security product that uses the SNC interface of the SAP system is required for the implementation. The SNC interface is an implementation of the Generic Security Services Application Programming Interface (GSS API). The SAP Cryptographic Library is available as an external security product for many standard scenarios and SAP server components.


Secure Sockets Layer (SSL): SSL is a protocol developed by Netscape that is used to safeguard Internet communication. SSL uses public/private key technology to safeguard the communication between client and server. The SSL protocol covers encryption of the communication, server authentication, client authentication and mutual authentication (server and client authentication).

SOAP: Simple Object Access Protocol (SOAP) describes a protocol by which Web Services can be called in distributed system landscapes. SOAP uses HTTP as a transport protocol. A SOAP message has a header with the additional information and a body with the actual message.

system log: Analysis option for errors in the system and its environment.

UDDI: Universal Description, Discovery, and Integration (UDDI) is a directory service for dynamic Web services. A directory of Web services is provided via a SOAP interface. You can find more information about UDDI under: http://uddi.xml.org.

UME: User Management Engine: A Java-based user administration component with central user administration, single sign-on (SSO), and secure access to distributed applications.

user context: Data that is assigned specifically to one user. If a user starts a transaction in the ABAP-based SAP system, the work process that is processing the request requires the user context. The user context contains a user-specific area that contains user and authorization data.

User Master Record: The user master record contains the definition of a user in the client. Some fields are, for example: Name, first name, initial password, telephone number, and so on. The user master record is used to create a user context (see this entry) when a user logs on to the system.

User Store: Service provider in AS Java which saves user administration data such as user and group data.

Web Service: A Web service is a stand-alone, modularized, executable entity that can be published, localized and called within a network that uses open standards. For a caller or sender, a Web service represents a black box that requires an input and returns a result. Web services offer important integration for each asynchronous or synchronous communication technology within a company or between several companies.


WS Security: Web Service Security (WSS) is an OASIS standard that describes mechanisms to provide message integrity and confidentiality for SOAP communication. WS Security uses existing standards such as XML Signature and XML Encryption. See also http://www.oasis-open.org/committees/wss

WSDL: WSDL is a meta language that is used to describe the function of a Web service. Functions, parameters and return codes in particular are described in a machine-readable form. WSDL is standardized by the World Wide Web Consortium (W3C); see the following URL: http://www.w3.org/2002/ws/desc/


Index

A
Action, 237
aRFC, 289
Assertion Ticket, 270
attribute mapping, 207
Authentication Stack, 265
authorization object, 122

B
bgRFC, 289

C
Categories, 472
Client-Based Load Balancing, 94
Company (UME), 225
CSMREG, 435

D
data collector, 350
Data Partitioning, 198
Delegated user administration, 225
Destination Service, 317
developer trace, 399
dump analysis, 399

E
EIS (Enterprise Information Systems), 316
Enterprise Information Systems, 316

G
GRMG, 451
GSS-API, 271

I
ICF, 28
ICF Recorder, 35
ICF service, 30
ICM, 12
ISC, 14

J
JAAS, 264
JCo RFC Provider, 318
JEE security role, 235
JEE security roles, 238
JMX, 420

K
Kerberos, 271

L
location, 472
log archiving, 477
Log Configurator service, 473
log destination, 473, 476
log formatter, 473, 476
Log Manager, 472
Log Viewer, 466
Log Viewer in the SAP NetWeaver Administrator, 466
Logging, 472
Login Module, 265
Login Module Stack, 265
Logon Ticket, 269

M
monitoring attribute, 351
monitoring object, 351
monitoring segment, 349–350
Monitoring Tree Element, 351
MTE, 351

P
performance trace, 399
Permissions, 237
Policy Configuration, 265
Principle, 222
profile parameter
  auth/new_buffering, 123
  icm/server_port_, 15
  is/HTTP/default_root_hdl, 61
  login/disable_multi_gui_login, 142
  login/failed_user_auto_unlock=0, 142
  login/fails_to_session_end, 142
  login/fails_to_user_lock, 142
  login/min_password_digits, 140
  login/min_password_letters, 140
  login/min_password_lng, 140
  login/min_password_specials, 140
  login/multi_login_users, 142
  login/password_expiration_time, 140
  login/password_history_size, 140
  login/password_max_new_valid, 141
  login/password_max_reset_valid, 141
  ms/http_port, 67
  rdisp/elem_per_queue, 292
  rdisp/max_comm_entries, 292
  rdisp/mshost, 67
  rdisp/rfc_check, 292
  rdisp/rfc_max_comm_entries, 292
  rdisp/rfc_max_login, 291
  rdisp/rfc_max_own_login, 291
  rdisp/rfc_max_own_used_wp, 292
  rdisp/rfc_max_queue, 292
  rdisp/rfc_min_wait_dia_wp, 292
  rdisp/rfc_use_quotas, 291
  rdisp/start_icman, 15
  rdisp/tm_max_no, 291
  rslg/central/file, 401
  rslg/local/file, 401
  rstr/buffer_size_kB, 405
  rstr/filename, 405
  rstr/max_files, 405
  rstr/max_filesize_MB, 405
Profile parameter
  ms/http_port, 99
  rdisp/mshost, 99

Q
qRFC, 289

R
Role
  JEE security role, 235
  UME role, 235
role maintenance, 124

S
SAML, 265
SAP ITS, 4
SAP Logging API, 472
SAP Web Dispatcher, 59, 98
SAP*, 256
SAP* standard user, 144
Server-Based Load Balancing, 93
severity, 473
SNC, 160
SPNego, 271
sRFC, 289
SSL, 160
standard users in SAP systems, 142
Stateful Requests, 96
stateless requests, 96
system log, 399
system trace, 399

T
table USR40, 140
threshold value, 442
Tracing, 472
Transaction
  RZ20, 441
  RZ21, 435
transaction code
  AL11, 406
  PFCG, 124
  PFUD, 128
  RSPFPAR, 295–296
  RZ12, 303
  RZ20, 352
  RZ21, 363
  SARFC, 292, 295–296
  SBGRFCMON, 293
  SICF, 30
  SM21, 399–400
  SM58, 293
  SM59, 298
  SMGW, 293
  SMICM, 15
  SMLG, 302
  SMQ1, 293
  SMQ2, 293
  ST01, 399, 402
  ST05, 399, 404
  ST11, 406
  ST22, 399
  STAUTHTRACE, 146
  SU01, 114
  SU10, 114
  SU53, 146
  SU56, 123
  SUGR, 114
  SUIM, 145
tRFC, 289

U
UME, 195
UME administration console, 240
UME emergency user, 256
UME role, 235
UME roles, 237
User administration
  delegated, 225
user master comparison, 128
User Store, 195
User Type (UME), 227

W
Web Dynpro, 6
Web Service Security, 164
WS Security, 165


Feedback

SAP AG has made every effort in the preparation of this course to ensure the accuracy and completeness of the materials. If you have any corrections or suggestions for improvement, please record them in the appropriate place in the course evaluation.

