SAP AG Delta 7 Course Overview - 1 · Note 888687 - BEx Web Java: Analysis of communication/logon...

© SAP AG Delta 7 Course Overview - 1



Additional Notes for the WAS settings and the web Reporting:

Note 434918: DNS configuration for BSP Applications on W2K

- icm/host_name_full = server.domain.ext

- http://server.domain.ext:1080/sap/bc/bsp/sap/it00/default.htm

Note 550669: Compressed transfer of BI web Applications

Note 561792: Client-sided caching of image/gif files

Note 517484: Inactive services in the Internet Communication Framework

Note 529793: Missing error text in the Internet Explorer browser

Note 622130: Timeout problems in BI web Applications

Note 619884: Integration of BSP applications in BI web Applications

Note 498936: Log on/password change in web with BI3.0B or higher

Note 516884: Anonymous logon with BI 3.0A/B and SAP web App. Server

Note 517860: Logging on to BSP applications (Check the Documents in the

Append of the Note)

Note 434918: DNS configuration for BSP Applications on Windows 2000

Note 616900: BSP FAQ -- Frequently Asked Questions

Note 677118: SP31-> Fully Qualified Domain Names Check


Binding Ports Lower Than 1024 on UNIX

With the Internet Communication Manager (ICM) you can bind ports with numbers 0 up to and

including 1023 (well known ports) on Unix systems too. The external binding program

icmbnd included in the standard delivery is used for this.

Usually the ICM itself binds the ports. If you want to use icmbnd to bind configured ports,

change the parameter specification for icm/server_port_<xx> in the profile (transaction RZ11).

Integration

On Unix systems only users with superuser authorizations can bind ports with numbers lower

than 1024. For this reason either the ICM process must be provided with these authorizations,

or the port must be bound by an external program and then the listen socket transferred to the

ICM.

Activating External Binding

To ensure the ICM itself does not attempt to bind the port, you specify an additional option

when you are configuring ports with icm/server_port_<xx>: EXTBIND=1

The format of this parameter is:

icm/server_port_1 = PROT=HTTP, PORT=8080, TIMEOUT=30, EXTBIND=1

Usually icmbnd is called directly from the ICM, though the program can also be called from

external systems to make new ports known to the ICM. icmbnd can also be used to bind

ports >= 1024, but then the startup time of the ICM is longer.

icmbnd is also available for Windows. As the user <sid>adm can bind any number of ports

on this system, there is no need to use the icmbnd here.


icm/plugin_<xx>

This parameter is used to specify the protocols supported by the ICM.

<xx> must be specified in ascending order from 0. A protocol is specified by the name of

the protocol (for example, HTTP, HTTPS) and a shared library (plug-in) for the protocol.

The plug-in can be associated with the parameter icm/server_port_<xx> at one or

several ports

icm/server_port_<xx>

Use

You can use this parameter to specify the service/port that is to be used for a protocol.

Either the service name or the port number can be specified.

You can also determine additional service properties. This is described in the procedure

below.

Prerequisites

A plug-in for the protocol must be specified in the parameter icm/plugin_<xx>, as

otherwise the service cannot be started. There cannot be more than one service

allocated to a single port. Also, a service cannot be started if another program is using

the port or service.

http://help.sap.com/saphelp_bw33/helpdata/en/09/170f3ad7ca6f26e10000000a114084/frameset.htm

http://help.sap.com/saphelp_bw33/helpdata/en/25/7e153a1a5b4c2de10000000a114084/frameset.htm


Monitoring the Status of the ICM

Use

The ICM monitor provides various functions for monitoring the status of the ICM and for

detecting any possible errors.

Functions

You can find the functions described here in the Go To menu.

Trace files

To display or reset the trace file dev_icm, choose Go To Trace file or Go To Trace

Level. You can also set the trace level here (values can be between 0 and 3; the default

is 1). You can also display just the start or the end of the file (the first or last 1000 lines).

This is a very useful function for large files. Choose Goto Trace file Display start or

Display End.

If you want to view the trace file of the external binding program icmbnd, choose Goto

Trace file Display Dev_icmbnd.

Parameters

Choose Goto Parameters to display or change the ICM profile parameters. If you

choose Change, you can display the RZ11 documentation for every parameter that is

executed by placing the cursor on the parameter name and choosing Documentation.

The value field is ready for input for those parameters that can be changed dynamically.

Note that with dynamic changes, these are lost the next time the instance is started.

http://help.sap.com/saphelp_nw04/helpdata/en/20/a2813a34872769e10000000a114084/frameset.htm


The Transaction SMICM (ICM Monitor) is in comparison with SM51 (Instance Overview)

and it contain also a work process Overview. The Advantage in the SMICM is that you

can restart the ICM without restarting the SAP Instance (no bounce of the system).

For the ICM Usage in the web Application Server it in mandatory to update the basis

Kernel 7.00 regularly, e.g. the Released Kernel support Stacks. The ICM get his updates

together with the Kernel Patches.

Please check also the interfere between Kernel and ICM. In the 6.x it happened

sometime that Kernel patches produced errors in the web interface.

Additional Notes for Settings/Performance of the integrated ITS:

Note 705013 - Timeout for ICF services based on ITS

Note 885580 - Integrated ITS: Configuration Parameters

Note 890601 - SAP Integrated ITS updates for NetWeaver 2004s (7.00)

Note 901250 - Integrated ITS, mimes cache control: max-age

Note 746666 - OutOfMemory due to http response compression

Note 910285 - WebAS Java 7.00 SP06 - List of corrections

Note 1031733 - Http transmission of XI messages with huge payload fails


Additional Notes for SSO/SSF Settings

Here on this page you see the Steps to check the SSO configuration for the WAS web

reporting for BI.

By Default, only HTTP is active you will get a prompt from your web browser as soon

you want to log on to your WAS Server with http://server.domain.ext:<port>. The

Disadvantage is, that you only get two fields: Username and Passwords. If you want to

have additional Functionality like Language field or changing Password you need to

enable the SSO configuration on the system.

This configuration is also the necessary Pre Requisites to integrate the BI system into

the EP 7.0 Portal.

Note 888687 - BEx Web Java: Analysis of communication/logon problems

Note 817529 - Checking the SSO configuration

Note 1257108 - Collective Note: Analyzing issues with Single Sign On (SSO)

Note 1300924 - Central note on WS Security (ABAP 7.00 and later)

Note 1375378 - Select the right version of an SAP security toolkit

Note 1055856 - Common error messages when setting up Single Sign-On

Load Balancing with HTTP/HTTPS:

Note 857596 - Message server: Status code for redirect requests

Note 932640 - Load balancing using message server through HTTPS


See also the following Release Notes:

Note 455033 - SAPCRYPTOLIB versions, bugs and fixes

Note 836367 - SSF PSEs: Setting algorithm and key length

Note 1357841 - SAPCRYPTOLIB 555pl26: bugfixes and WS-Security update

Note 1415576 - SAPCRYPTOLIB 555pl28 & pl29: SHA-2, TLSv1.0 and bugfixes

Note 1493166 - SAPCRYPTOLIB 555pl30: bugfixes and GOST plugin support

Note 1585071 - SAPCRYPTOLIB 555pl32: bugfixes, rfc5746, SAP CodeSigning

Note 1689776 - SAPCRYPTOLIB 555pl34: bugfixes, AES-NI support

The libraries are available from the SAP service Portal http://service.sap.com/swdc or

http://service.sap.com/tcs

There are also some updates for the secure library available at the kernel section in the

service Portal http://service.sap.com/patches

Please note that the files on the UNIX based system needs enough permissions,

otherwise the SSO will not be enabled. This is also valid for Windows based systems

(no read only permission).

If you forgot to change the permission after you restarted the system, you have to stop

the SAP system and change the permission before SAP is restarted. You will have no

effect when you only restart the ICM service.

The SMTP service will be used for various reason like in SEM or in the process chains

for BI. It is also used together for the Information Broadcasting, the new feature of BI 3.x

and above.

http://service.sap.com/swdc

http://service.sap.com/tcs

http://service.sap.com/patches


Some more Informations about SSL/SSO:

Check the library sapcrypto.<ext> (o, so, sl, dll) if you are using the latest version which

you can download from http://service.sap.com/patches.

You must use a s-user ID for the download. See notes 508307 and 354819 for details.

The library must have 775 or on W2K read permission before restarting SAP.

Check for the right parameters in the SAP instance profile (Example Windows):

sec/libsapsecu = g:\usr\sap\BI1\SYS\exe\run\sapcrypto.dll

ssl/ssl_lib = g:\usr\sap\BI1\SYS\exe\run\sapcrypto.dll

ssf/ssfapi_lib = g:\usr\sap\BI1\SYS\exe\run\sapcrypto.dll

ssf/name = SAPSECULIB

Check with the transactions:

STRUST - Trust Manager

STRUSTSSO2 - Trust Manager for Logon Ticket



More Information can be found in the following Notes:

Note 578377: Digital signatures with SAPCRYPTOLIB

Note 745103: Problem analyze with HTTPS-Communication

Note 817529: Checking the SSO configuration

Note 1055856 - Common error messages when setting up Single Sign-On

Configuration check

SAP delivers the sso2test.htm BSP application. You can use this application to check

whether an SSO2 cookie can be created.

Start Transaction SE80

'SYSTEM' BSP application

Pages with flow logic

Right-click on sso2test.htm

Test

Follow the instructions on the screen

You can also execute the following JavaScript command from the address bar of your

Internet browser to check whether an SSO2 cookie currently exists:

javascript:alert(document.cookie);

As a result, all current cookies are issued in an alert box. If an SSO2 cookie exists, an

entry would have to exist that begins with 'MYSAPSSO2=....'


This Configuration step is done automatically, if all pre requisites are fulfilled to

start and run the NetWeaver Administrator Template Installer (CTC).

System parameter/settings

login/accept_sso2_ticket = 1

login/create_sso2_ticket = 2

icm/host name full

To enable the Internet browser accept the SSO2 cookie, you must enter a fully qualified

host name in accordance with notes 434918 and 654982.

SAPSECULIB / SAPCRYPTOLIB

You must use the SAP Security Library or the SAP Cryptographic Library.

Transaction STRUST

Transaction STRUSTSSO2

In this transaction, you define which systems are meant to accept logon tickets. This is

necessary, for example, when you want to access data from one system of a BI

application to another application of another system, without having to log on again.

Documentation http://service.sap.com/security

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-

0010-d5a9-9cb9ddcb6bce

(New improved security features with NetWeaver 7.0)

https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce










### NetWeaver 7.0 WebAS Parameters

rdisp/start_icman = TRUE

icm/conn_timeout = 10000

icm/HTTP/max_request_size_KB = 102400

icm/HTTP/server_cache_0 = PREFIX=/, CACHEDIR=d:\usr\sap\N4S\DVEBMGS01\data\cache

icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=./admin

icm/HTTPS/verify_client = 1

icm/server_port_0 = PROT=HTTP,PORT=80$$,TIMEOUT=60,PROCTIMEOUT=900

icm/server_port_1 = PROT=HTTPS,PORT=82$$,TIMEOUT=60,PROCTIMEOUT=900

icm/server_port_2 = PROT=SMTP,PORT=25$$,TIMEOUT=60,PROCTIMEOUT=900

icm/host_name_full = PWDF2142.wdf.sap.corp

icm/keep_alive_timeout = 60

icm/listen_queue_len = 512

icm/max_conn = 300

icm/max_sleep = 2000

icm/max_threads = 30

icm/min_threads = 10

is/SMTP/virt_host_0 = *:25$$

is/HTTP/show_detailed_errors = 1

login/accept_sso2_ticket = 1

login/create_sso2_ticket = 2

mpi/total_size_MB = 120

mpi/max_pipes = 4000

ssl/ssl_lib = $(DIR_EXECUTABLE)\sapcrypto.dll

sec/libsapsecu = $(DIR_EXECUTABLE)\sapcrypto.dll

ssf/ssfapi_lib = $(DIR_EXECUTABLE)\sapcrypto.dll

ssf/name = SAPSECULIB


See online help

http://help.sap.com/saphelp_nw73/helpdata/en/48/957caf94cc73eae10000000a42189b

/frameset.htm

for more details of the configuration.

Configuring the web dispatcher for SSO:

http://help.sap.com/saphelp_nw73/helpdata/en/49/3db10a19341067e10000000a42189

c/content.htm

Setting Up and usage of the web dispatcher:

Whenever you want to scale Java Instances like the abap instances (central instance with

application servers) the web dispatcher is needed for the load balancing

If SAP Systems are accessed from the Internet via DMZ, the abap and java Instances must

be available via web dispatcher. These addresses are later used instead of the real server

addresses from abap and java.

You can modify the CTC BI-Java Template before you start the configuration

web dispatcher for Abap used in the entry SAP_BW in the Systemlandscape in Java

web dispatcher for Java used in the table entry RSPOR_T_PORTAL in Abap

http://help.sap.com/saphelp_nw73/helpdata/en/48/957caf94cc73eae10000000a42189b/frameset.htm






Note 517484 - Inactive services in the Internet Communication Framework

This is the overview web tree for the web services.

Black indicates that the service is active

Grey would indicate that the service in inactive

Blue indicates that the service is active, but the underlying service is still inactive. Use

the Feature to activate all underlying services also (Recommended way even when no

service is under the active service.)

Note that for the SEM cockpit and for the WAS standard login also some services in the

basis section had to be active.

The alias public should also turned to be active

You can also define your own aliases to have shorter web URL’s,

e.g. /sap/BW/BEx /web


Please make sure that the whole tree in BI has a active compression flag, especially the

sap/BI/bex and the sap/BI/Mime tree.

You can do this once and transport this settings through your system Landscape

Please note that sometime corrections in the basis support packages an deactivate the

service by accident. Than you simply have to turn the service back to active.


When you change something in a service, the service keeps active all the time. You don‘t

have to restart the service.

The Button „Test Service“ switches directly to the web output without having a web query

ready.

http://server.domain.ext:<port>/sap/bw/bex?sap-language=DE&template_id=0ANALYZER

Note 970002 - Which BEx Analyzer version is called by RRMX?

Transaction RRMX_CUST

Note 966043 - BEx Analyzer: Calling queries with RRMXP

Test Java HTTP:

SE38 RS_TEMPLATE_MAINTAIN_70 0ANALYSIS_PATTERN Test Web

Test Abap HTTP:

SE38 RS_TEMPLATE_MAINTAIN 0ANALYSIS Test Web


The Default Setting is HTTP. In most of the cases there is no Change to HTTPS

necessary. However enabling the full HTTPS Environment is always possible with this

configuration.



Date post:	28-Aug-2018
Category:	Documents
Upload:	phungxuyen
View:	216 times
Download:	0 times